comp.dcom.sys.cisco FAQ Version 2.20 (Last Modified 5/29/02)

From: Hansang Bae <hbae@nyc.rr.com>
Newsgroups: comp.dcom.sys.cisco, alt.certification.cisco
Subject: comp.dcom.sys.cisco FAQ Version 2.20 (Last Modified 5/29/02)
Message-ID: <MPG.17a016fe14127eaa989c36@news-server.nyc.rr.com>
Keywords: comp.dcom.sys.cisco FAQ
Reply-To: Hansang Bae <hbae@nyc.rr.com>
Sender: Hansang Bae <hbae@nyc.rr.com>
Summary: This is the FAQ for the comp.dcom.sys.cisco newsgroup
Archive-name: computer/system/cisco/faq
Posting-Frequency: monthly
Last-modified: May 29, 2002
Version: 2.20
Date: Thu, 18 Jul 2002 05:02:12 GMT

NEW IN VERSION 2.20
0.1   Where can I obtain the FAQ:
118.  Where can I find a list of undocumented IOS commands?
119.  Where can I find information on securing or hardening Cisco routers?
120.  How can I connect two Cisco routers back to back through the AUX ports?
121.  How do I use Secure Shell (SSH) on Cisco devices?
122.  Can I use a /31 address space for my serial point-to-point interfaces?
123.  How do I see log messages on the router console?
124.  What is my overhead of using IPSec?
125.  What is the pinout for the DB9 to RJ45 connector?
126.  Should I use a T1, Cable modem or DSL for Internet connections?
127.  How do I change the time length of 15 mins that is used when
      displaying the Show ISDN history command?
128.  Why do I see "double" characters when I telnet into my router?
129.  How do I see power-supply failures via SNMP?
130.  How do I change the timer for tx/rxload when doing "show int" command?
131.  How do I setup SLIP on my Cisco terminal servers?
132.  How do I setup FR End-to-End keepalives?
133.  What basic information do I need to setup a T1 from my ISP?
134.  How do I setup NAT and Port forwarding?
135.  Where can I buy some Back-to-Back serial cables?
136.  How can I policy-route router generated packets?
137.  Is there another way to upload my IOS w/o a tftp server?
138.  What does the keyword EXTENDABLE mean when doing NAT?
139.  Where can I get some third party icons for my Visio program?
140.  Can you help me interpret the output from "Looking Glass" (BGP?)
141.  When using Tunnel with an interface that has an ACL, what happens?
142.  Do I need a Xover cable when using 1000Base-T?
143.  How do I break the "Rule of Ten" for BGP Load balancing?
144.  How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
145.  Should I turn off console logging?

This FAQ is edited by Hansang Bae, <hbae@thrupoint.net>.

Administrivia:
The new section starts from Question 39 and up (inclusive).  The old section
was from the original FAQ which I did not maintain.

Please contribute answers to the questions in the Todo section! If
your answer is somewhat complicated, posting would probably be best
(to comp.dcom.sys.cisco). Otherwise, e-mail it to cisco-faq@nyc.rr.com.
Please note that a LOT of these questions have been hanging around for
some time, and if knowledgeable people could take the time to answer a
few of them, that'd help.

Since this FAQ was first developed, cisco has written up a lot of
useful information on their web site, http://www.cisco.com.  If you
can't find what you're looking for here, please check there, too.


Table of Contents

0.    Hall of Fame for Revision 2.0 and above:  See end of the FAQ:
0.1   Where can I obtain the FAQ:
1.    How can I contact cisco?
2.    What is this newsgroup?
3.    What does ``cisco'' stand for?
4.    How do I save the configuration of a cisco?
5.    Where can I get ancillary software for my cisco?
6.    Is there a World-Wide-Web (www) information source?
7.    How can I get my cisco to talk to a third party router over a serial link?
8.    How can I get my cisco to talk to a 3rd-party router over Frame Relay?
9.    How can I use debugging?
10.   How can I use NTP (Network Time Protocol) with my cisco?
11.   Sample cisco NTP Configurations
12.   How do I avoid the annoying DNS lookup if I have misspelled a command?
13.   Tracing bad routing information
14.   How to use access lists
15.   The cisco boot process
16.   Where can I get cisco hardware?
17.   Where can I get IETF documents (RFCs, STDs, etc.)?
18.   Future features in cisco software
19.   How do cisco routers rate performance-wise?
20.   How are packets switched?
21.   How does one interpret buffer statistics?
22.   How should I restrict access to my router?
23.   What can I do about source routing?
24.   Is there a block of private IP addresses I can use?
25.   Is DHCP supported?
26.   Where can I get cisco documentation?
27.   What's the latest software for the CSC/3?
28.   What IP routing protocol should I use?
29.   How do I interpret the output of ``show version''?
30.   What is the maximum number of Frame Relay PVCs?
31.   How much memory is necessary to telnet to a cisco router?
32.   Where can I purchase flash RAM?
33.   When are static routes redistributed?
34.   When is the next hop of a route considered ``reachable''?
35.   How do name and phone number of ``dialer map'' interfere?
36.   What's the purpose of the network command?
37.   What is VLSM?
38.   What are some methods for conserving IP addresses for serial lines?

******************************************************************************
New questions/answers for revision 2.00 start from here!
******************************************************************************

39.   Flash upgrade issues for Cisco 2500 series routers
40.   How do I prevent my switch ports from going into ErrDisable state?
41.   How do I configure a router to act as a Frame-Relay Switch?
42.   What are the different types of memory used by Cisco Routers?
43.   How do I load the Documentation CD (UniverseCD) on Windows 2000?
44.   How do I load a large image on a 2500 *lab* router?
45.   Daisy-chaining reverse telnet Aux-to-Console ports
46.   What Windows chatter could bring up an ISDN line?
47.   How do I make NTP packets so it's only interesting on router bootup?
48.   How do I setup Lock & Key ACL?
49.   How do I telnet to a specific VTY line?
50.   Is there a better (free) tftp server than the one by Cisco?
51.   How do I use the Cisco Documentation CD (UniverseCD) under Linux?
52.   How do I NAT on a single Cisco 2503 Ethernet interface
53.   How do I hide a summarized OSPF router from one ABR to another?
54.   What is the pinout for the Console port on a 2518?
55.   How do I find the "real" IOS name when the file is in DOS format?
56.   How do I setup Windows 2000 and IPSec to PIX Firewall?
57.   How do I use tftpdnld via Ethernet port on a 2600?
58.   How do I setup MultiLinkPPP?
59.   How much memory is taken up by BGP routes?
60.   What is the difference between a CiscoPro model and a regular one?
61.   How do I stop my router from looking for cisconet.cfg or network-config?
62.   How do I setup DHCP service on my router?
63.   How do I configure a transparent proxy redirecting on CISCO router?
64.   How do I use the PCMCIA slot in my 2500 router?
65.   What cable do I use on 1900 switch with a DB9 Console connector?
66.   How do I use a route-map to limit redistribution in OSPF?
67.   How do I connect 675 DSL units back to back?
68.   How do I format the PCMCIA card on a 3600?
69.   How do I read Token Ring Mac and RIF?
70.   How are Ethernet MAC addresses transmitted?
71.   Why are the 46th and the 47th bit significant in Ethernet MAC address?
72.   Why can't I upload an IOS image on to my flash on my 2500 router?
73.   How do I configure my router so it becomes a DHCP CLIENT?
74.   Does my Cisco terminal server send a BREAK signal on reboot?
75.   How do I access the Console port on an AccessPro (AP-EC) card?
76.   How do you setup a simple Priority Queuing?
77.   What are the pro's and con's of using two ISP/BGP providers?
78.   How do I tell the difference between the different 2900 XL switches?
79.   How do I suppress the transmission of PPP frames from when dialing in?
80.   Where can I get mzmaker to compress my IOS?
81.   What is the meaning of in/out in reference to an access-list?
82.   How do I remove the /32 - host - route when a PPP link comes up?
83.   How do I forward DHCP broadcasts to my DHCP server?
84.   How do I use the ip-helper command to facilitate DHCP use?
85.   How do I send L2 traffic through a tunnel?
86.   How do I sort my IP Addresses using Unix tools??
87.   Why is measuring collisions a meaningless endeavour?
88.   How do I stop password-recovery on my routers?
89.   How do I setup a Multilink PPP?
90.   How do I setup ppp callback with dialer-pool?
91.   My configs are too large.  What can I do?
92.   What does Frame-relay LMI and Encapsulation really do/mean?
93.   How do I make a T1 Cross-over cable?
94.   Can I use a router to simulate BRI switch? (Also see question 101)
95.   How do I use Policy Based Routing?
96.   How do I setup a VPN tunnel using pre-shared keys?
97.   Why does one packet always get dropped on the last hop of traceroute?
98.   How to setup NAT'ing based on outgoing interface to two different ISPs.
99.   How do I use IPX over DDR?
100.  How can I automatically ping a range of IP addresses in Wintel world?
      See also question 115.
101.  Sample config of using VIC BRI interfaces as an ISDN switch.
102.  How do I do X25 over ISDN D channel?
103.  What can I do to remove SAP Type 640 on my routers?
104.  What kind of memory does the 2500 use?
105.  How do I make an Ethernet Cross-over cable?
106.  How do I use NBAR to block NIMDA?
107.  What is a FECN/BECN and does it mean anything?
108.  How do I stop logging (and generating snmp trap) for up/down interfaces?
109.  How do I setup the variables to do tftpdnld in rommon?
110.  How do I get the memory-usage on the Vip-Card
111.  What is the order of operation in terms how a packet is processed?
112.  What are the different T1 jack type codes?
113.  How do I show just one interface's configuration?
114.  How can I search CCO for IS-IS related information?
115.  How can I script a network reachability test?  See also question 100.
116.  How can I access the console port on my MSFC in my 6500?
117.  How do I access my MSFC/Router in my 6509?
118.  Where can I find a list of undocumented IOS commands?
119.  Where can I find information on securing or hardening Cisco routers?
120.  How can I connect two Cisco routers back to back through the AUX ports?
121.  How do I use Secure Shell (SSH) on Cisco devices?
122.  Can I use a /31 address space for my serial point-to-point interfaces?
123.  How do I see log messages on the router console?
124.  What is my overhead of using IPSec?
125.  What is the pinout for the DB9 to RJ45 connector?
126.  Should I use a T1, Cable modem or DSL for Internet connections?
127.  How do I change the time length of 15 mins that is used when
      displaying the Show ISDN history command?
128.  Why do I see "double" characters when I telnet into my router?
129.  How do I see power-supply failures via SNMP?
130.  How do I change the timer for tx/rxload when doing "show int" command?
131.  How do I setup SLIP on my Cisco terminal servers?
132.  How do I setup FR End-to-End keepalives?
133.  What basic information do I need to setup a T1 from my ISP?
134.  How do I setup NAT and Port forwarding?
135.  Where can I buy some Back-to-Back serial cables?
136.  How can I policy-route router generated packets?
137.  Is there another way to upload my IOS w/o a tftp server?
138.  What does the keyword EXTENDABLE mean when doing NAT?
139.  Where can I get some third party icons for my Visio program?
140.  Can you help me interpret the output from "Looking Glass" (BGP?)
141.  When using Tunnel with an interface that has an ACL, what happens?
142.  Do I need a Xover cable when using 1000Base-T?
143.  How do I break the "Rule of Ten" for BGP Load balancing?
144.  How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
145.  Should I turn off console logging?



todo:
[Update the Todo section.  How ironic!]

Actual content.

**************************************************************************

From: Question 0.1
Date: 10 February 2002
Subject: Where can I obtain/View the FAQ
Answer by: N/A

A.    You can use any Usenet (Newsgroup) reader to read comp.dcom.sys.cisco
      or alt.certification.cisco
B.    http://www.networkingunlimited.com/CiscoFAQ.html
C.    http://www.evolutiontechnical.com/cisco-faq/index.htm
D.    http://mrubino.com:8080/cdsc-faq



**************************************************************************

From: Question 1
Date: 31 October 1994
Subject: How can I contact cisco?

Corporate address:

                cisco Systems
                170 West Tasman Drive
                San Jose, CA 95134

The following phone numbers are available:

  Technical Assistance Center (TAC)                     +1 800 553 2447
                                                              (553 24HR)
                                                        +1 800 553 6387
                                                        +1 408 526 8209
  Customer Service (Documentation, Warranty &           +1 800 553 6387
      Contract Services, Order Status
  Engineering                                           +1 800 553 2447
                                                              (553 24HR)
  On-site Services, Time & Materials Service            +1 800 829 2447
                                                              (829 24HR)
  Corporate number / general                            +1 408 526 4000
  Corporate FAX (NOT tech support)                      +1 408 526 4100

The above 800 numbers are US/Canada only.

cisco can also be contacted via e-mail:

        tac@cisco.com           Technical Assistance Center
        tac-euro@cisco.com      European TAC
        cs-rep@cisco.com        Literature and administrative (?) requests
        cs@cisco.com            *UNRELIABLE*, special-interest, ``non-support''

Please follow the directions available on CIO before doing this.
cisco provides an on-line service for information about their routers
and other products, called CIO (cisco Information Online).  telnet to
cio.cisco.com for more details.

The collective experience of this FAQ indicates that it is far wiser to
open a case using e-mail than FAXes, which may be mislaid, shredded,
etc.

For those of you still in the paperfull office (unlike the rest of us),
cisco Systems' new corporate address is:

        170 West Tasman Drive
        San Jose, CA 95134

Mail to tac@cisco.com should include your service contract number, your name,
telephone number, a brief one line problem/question description, and a
case priority in the first 5 lines. For example:

        Cisco service contract number       92snt1234a
        First and last name                 Jane Doe
        Best number to contact you          415-555-1234
        Problem/question description        Cannot see Appletalk zones
        Case Priority                       3

CASE PRIORITIES are defined as one of the following:

Pri 1           Production network down, critical business impact
Pri 2           Production net seriously degraded, serious impact
Pri 3           Network degraded, noticeable impact to business
Pri 4           General information, non production problems

**************************************************************************

From: Question 2
Date: 26 July 1994
Subject: What is this newsgroup?

comp.dcom.sys.cisco, which is gatewayed to the mailing list
cisco@spot.colorado.edu, is a newsgroup for discussion of cisco
hardware, software, and related issues. Remember that you can also
consult with cisco technical support.

This newsgroup is not an official cisco support channel, and should
not be relied upon for answers, particularly answers from cisco
Systems employees.

Until recently, the mailing list was gatewayed into the newsgroup,
one-way. It is possible that this arrangement may resume at some time
in the future.

**************************************************************************

From: Question 3
Date: 31 October 1994
Subject: What does ``cisco'' stand for?

cisco folklore time:

At one point in time, the first letter in cisco Systems was a
lowercase ``c''. At present, various factions within the company have
adopted a capital ``C'', while fierce traditionalists (as well as some
others) continue to use the lowercase variant, as does the cisco
Systems logo. This FAQ has chosen to use the lowercase variant
throughout.

cisco is not C.I.S.C.O. but is short for San Francisco, so the story
goes.  Back in the early days when the founders Len Bosack and Sandy
Lerner and appropriate legal entities were trying to come up with a
name they did many searches for non similar names, and always came up
with a name which was denied. Eventually someone suggested ``cisco''
and the name wasn't taken (although SYSCO may be confusingly similar
sounding). There was an East Coast company which later was using the
``CISCO'' name (I think they sold in the IBM marketplace) they ended
up having to not use the CISCO abbreviation.  Today many people spell
cisco with a capital ``C'', citing problems in getting the lowercase
``c'' right in publications, etc. This led to at least one amusing
article headlined ``Cisco grows up''. This winter we will celebrate
our 10th year.

[This text was written in July of 1994 -jhawk]

**************************************************************************

From: Question 4
Date: 31 October 1994
Subject: How do I save the configuration of a cisco?

If you have a tftp server available, you can create a file on the
server for your router to write to, and then use the write network
command. From a typical unix system:

        mytftpserver$ touch /var/spool/tftpboot/myconfig
        mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig

        myrouter#write net
        Remote host [10.7.0.63]? 10.7.0.2
        Name of configuration file to write [myrouter-confg]? myconfig
        Write file myconfig on host 10.7.0.2? [confirm] y

Additionally, there's a Macintosh TFTP server available:

        ftp://nic.switch.ch/software/mac/peterlewis/

Additionally, you can also use expect, available from:

        ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
        ftp://ftp.cme.nist.gov/expect/

or, in shar form from ftpeng.cisco.com.

Expect allows you to write a script which telnets to the router and
performs a ``write terminal'' command, or any other arbitrary set of
command(s), using a structured scripting language (Tcl).

**************************************************************************

From: Question 5
Date: 5 July 1994
Subject: Where can I get ancillary software for my cisco?

Try ftping to

        ftp://ftpeng.cisco.com/pub

It's a hodgepodge collection of useful stuff, some maintained and some
not. Some is also available from

        ftp://cio.cisco.com

Vikas Aggarwal has a very customised tacacsd:

A new version of xtacacsd is available via anonymous FTP from:

        ftp://ftp.navya.com/pub/vikas/


**************************************************************************

From: Question 6
Date: 28 April 1996
Subject: Is there a World-Wide-Web (www) information source?

You can try the WWW page for this FAQ:

        http://www.panix.com/cisco-faq/

or the cisco Educational Archive (CEA) home page:

        http://sunsite.unc.edu/cisco/cisco-home.html

or the cisco Information Online (CIO) home page:

        http://www.cisco.com/


**************************************************************************

From: Question 7
Date: 5 July 1994
Subject: How can I get my cisco to talk to a third party router over
a serial link?

You need to tell your cisco to use the same link-level protocol as the
other router; by default, ciscos use a rather bare variant of HDLC
(High-level Data Link Control), which all link-level protocols build on
at some level/layer or another. To make your cisco operate with most other
routers, you need to change the encapsulation from HDLC to PPP on the
relevant interfaces. For instance:

        sewer-cgs#conf t

        Enter configuration commands, one per line.
        Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
        interface serial 1
        encapsulation ppp
        ^Z

        sewer-cgs#sh int s 1

        Serial 1 is administratively down, line protocol is down
         Hardware is MCI Serial
         MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
         Encapsulation PPP, loopback not set, keepalive set (10 sec)
^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]

If you're still having trouble, you might wish to turn on serial interface
debugging:

        sewer-cgs#ter mon
        sewer-cgs#debug serial-interface

**************************************************************************

From: Question 8
Date: 27 July 1994
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?

You should tell your cisco to use ``encapsulation frame-relay ietf''
(instead of ``encapsulation frame-relay'') on your serial interface
that's running frame relay if your frame relay network contains a
diverse set of manufacturers' routers. The keyword ``ietf'' specifies
that your cisco will use RFC1294-compliant encapsulation, rather than
the default, RFC1490-compliant encapsulation (other products, notably
Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verboten
by 1490, namely padding of the NLPID).  If only a few routers in your
frame relay cloud require this, then you can use the default
encapsulation on everything and specify the exceptions with the
frame-relay map command:

        frame-relay map ip 10.1.2.3 56 broadcast ietf
                                                 ^^^^

(ietf stands for Internet Engineering Task Force, the body which
evaluates Standards-track RFCs; this keyword is a misnomer as both
RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and
is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step
beneath a DS), and is effectively obsolete).

**************************************************************************

From: Question 9
Date: 26 July 1994
Subject: How can I use debugging?


The ``terminal monitor'' command directs your cisco to send debugging
output to the current session. It's necessary to turn this on each time
you telnet to your router to view debugging information. After that,
you must specify the specific types of debugging you wish to turn on;
please note that these stay on or off until changed, or until the
router reboots, so remember to turn them off when you're done.

Debugging messages are also logged to a host if you have trap logging
enabled on your cisco. You can check this like so:


        sl-panix-1>sh logging
        Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
            Console logging: level debugging, 66 messages logged
            Monitor logging: level debugging, 0 messages logged
            Trap logging: level debugging, 69 message lines logged
                Logging to 198.7.0.2, 69 message lines logged
        sl-panix-1>

If you have syslog going to a host somewhere and you then set about a
nice long debug session from a terminal, your box is doing double work and
sending every debug message to your syslog server. Additionally, if you
turn on something that provides copious debugging output, be careful
that you don't overflow your disk (``debug ip-rip'' is notorious for
this).

One solution to this is to only log severity ``info'' and higher:

        sl-panix-1#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        logging trap info

The other solution is to just be careful and remember to turn off
debugging. This is easy enough with:

        sl-panix-1#undebug all

If you have a heavily loaded box, you should be aware that debugging
can load your router.  The console has a higher priority than a vty so
don't debug from the console; instead, disable console logging:

        cix-west.cix.net#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        no logging console

Then always debug from a vty.  If the box is busy and you are a little
too vigorous with debugging and the box is starting to sink, quickly
run, don't walk, to your console and kill the session on the vty.  If
you are on the console your debugging has top priority and then the
only way out is the power switch.  This of course makes remote
debugging a real sweaty-palms adventure, especially on a crowded box.
Caveat debugger!

Also, if you for some reason forget what the available debug commands
are and don't have a manual handy, remember that's what on-line help
is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under
9.21 and above, that gives you general categories, and you can check
for more specific options by specifying the category: ``debug ip ?''.

As a warning, the ``logging buffered'' feature causes all debug
streams to be redirected to an in-memory buffer, so be careful using
that.

Lastly, if you're not sure what debugging criteria you need, you can
try ``debug all''. BE CAREFUL!  It is way useful, but only in a very
controlled environment, where you can turn off absolutely everything
you're not interested in.  Saves a lot of thinking.  Turning it on on
a busy box can quickly cause meltdown.
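A quick audit of the levels in a ``show logging'' transcript, added here as an example and not taken from the FAQ: it parses output in the form shown above and returns the commands the FAQ recommends when console or trap logging is still at level debugging. The sample transcript is the FAQ's own output embedded as constructed input; the function names are my own.

```python
import re
from typing import Dict, List

# IOS severity levels; a higher number means a chattier destination.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample: the "show logging" transcript from the FAQ, in which
# every destination is still at level debugging.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 66 messages logged
    Monitor logging: level debugging, 0 messages logged
    Trap logging: level debugging, 69 message lines logged
        Logging to 198.7.0.2, 69 message lines logged
"""

# One line per destination: "<Dest> logging: level <name>, ..." or
# "<Dest> logging: disabled".  The "Syslog logging:" summary line and the
# "Logging to <host>" line are deliberately not matched.
_DEST_RE = re.compile(
    r"^\s*(Console|Monitor|Trap|Buffer) logging:\s+(?:level (\w+)|disabled)"
)


def parse_logging_levels(show_logging: str) -> Dict[str, str]:
    """Map each destination (console, monitor, trap, buffer) to its level name or 'disabled'."""
    levels: Dict[str, str] = {}
    for line in show_logging.splitlines():
        m = _DEST_RE.match(line)
        if m:
            levels[m.group(1).lower()] = m.group(2) or "disabled"
    return levels


def _chattier_than(level: str, threshold: str) -> bool:
    """True when a destination is enabled above the threshold (unknown level names count as noisy)."""
    return level != "disabled" and SEVERITY.get(level, 7) > SEVERITY[threshold]


def audit(levels: Dict[str, str]) -> List[str]:
    """Return the config commands the FAQ recommends for each risky level found."""
    fixes: List[str] = []
    # A console session at level debugging outranks every vty; the FAQ's
    # answer is to disable console logging and debug from a vty instead.
    if _chattier_than(levels.get("console", "disabled"), "informational"):
        fixes.append("no logging console")
    # Trap (syslog) logging at debugging forwards every debug line to the
    # syslog host; the FAQ limits it to informational ("logging trap info",
    # which IOS accepts as the abbreviation of the command below).
    if _chattier_than(levels.get("trap", "disabled"), "informational"):
        fixes.append("logging trap informational")
    return fixes


if __name__ == "__main__":
    for cmd in audit(parse_logging_levels(SAMPLE_SHOW_LOGGING)):
        print(cmd)
```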

**************************************************************************

From: Question 10
Date: 5 July 1994
Subject: How can I use NTP (Network Time Protocol) with my cisco?

>What level of software is required for NTP support in
>a cisco router?

9.21 or above.

>Which cisco routers support NTP?

It is a software feature exclusively. Anything that supports
9.21 or 10 will run NTP (when running that s/w).

>How do I set it up?

The basic hook is:
        ntp server <host> [version n]
or
        ntp peer <host> [version n]

depending on whether you want a client/server or peer relationship.
There's a bunch of other stuff available for MD5 authentication,
broadcast, access control, etc.  You can also use the
context-sensitive help feature to puzzle it out; try ``ntp ?'' in
config mode.

You'll also want to play with the SHOW NTP * router commands.  Here
are two examples.

EXAMPLE 1:

router# show ntp assoc

      address         ref clock     st  when  poll reach  delay  offset    disp
+~128.9.2.129      .WWVB.            1   109   512  377    97.8   -2.69    26.7
*~132.249.16.1     .GOES.            1   309   512  357    55.4   -1.34    27.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

EXAMPLE 2:

router#show ntp stat
Clock is synchronized, stratum 2, reference is 132.249.16.1
nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
clock offset is -1.34 msec, root delay is 55.40 msec
root dispersion is 41.29 msec, peer dispersion is 28.96 msec

For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.

For broader NTP info, see ftp://louie.udel.edu:pub/ntp/.  The file
clock.txt in that directory has info about various public NTP servers.
There is also information on radio time receivers that can be
connected to an NTP server (this is handy on private networks, if you
have an entire campus to get chiming, or if you become a hard core
chimer).

The ``ntp clock-period'' command is added automagically to jump-start
the NTP frequency compensation when the box is rebooted.  This is
essentially a representation of the frequency of the crystal used as
the local timebase, and may take several days to calculate otherwise.
(Do a ``write mem'' after a week or so to save a good value.)

Caveat of obsolescence: Note that the CS-500 will not be able to
achieve quite the same level of accuracy as other platforms, since its
hardware clock resolution is roughly 242Hz instead of the 1MHz
available on other platforms.  In practice this shouldn't matter for
anyone other than true time geeks.
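As an added example that is not part of the FAQ, a parser for the ``show ntp assoc'' table in EXAMPLE 1 above: it picks out the master the router is synchronized to, checks that it is a configured peer (the ``~'' flag in the legend), and decodes the octal reach register into missed polls. The sample table is the FAQ's output embedded as constructed input; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the "show ntp associations" table from the FAQ.
SAMPLE_SHOW_NTP_ASSOC = """\
      address         ref clock     st  when  poll reach  delay  offset    disp
+~128.9.2.129      .WWVB.            1   109   512  377    97.8   -2.69    26.7
*~132.249.16.1     .GOES.            1   309   512  357    55.4   -1.34    27.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Column 1 is the selection flag (* # + - or blank), column 2 is "~" when the
# peer is configured rather than learned; the rest are the table's columns.
# The header and legend lines do not match and are skipped.
_ROW_RE = re.compile(
    r"^(?P<sel>[*#+\- ])(?P<cfg>[~ ])(?P<addr>\d+(?:\.\d+){3})\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]{1,3})\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$"
)


def reach_misses(reach_octal: str) -> int:
    """Polls out of the last eight that went unanswered; reach is an octal 8-bit shift register."""
    return 8 - bin(int(reach_octal, 8) & 0xFF).count("1")


def parse_ntp_associations(text: str) -> List[Dict[str, object]]:
    """Parse each association row of the table into a dict."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "address": m["addr"],
            "selection": m["sel"].strip(),   # "*" master, "+" selected, "-" candidate, "#" unsynced
            "configured": m["cfg"] == "~",
            "stratum": int(m["st"]),
            "reach": m["reach"],
            "misses": reach_misses(m["reach"]),
            "offset_ms": float(m["offset"]),
        })
    return rows


def sync_source(assocs):
    """The association the router is currently synchronized to, or None."""
    return next((a for a in assocs if a["selection"] == "*"), None)


def ntp_findings(assocs) -> List[str]:
    """What an operator should know before trusting this router's timestamps."""
    findings: List[str] = []
    master = sync_source(assocs)
    if master is None:
        findings.append("clock is not synchronized to any association")
    elif not master["configured"]:
        # Time taken from a peer nobody configured (e.g. a broadcast source)
        # is worth a look before relying on the log timestamps.
        findings.append(f"synchronized to {master['address']}, which is not a configured server/peer")
    for a in assocs:
        if a["misses"] > 0:
            findings.append(f"{a['address']}: {a['misses']} of the last 8 polls unanswered (reach {a['reach']})")
    return findings


if __name__ == "__main__":
    for f in ntp_findings(parse_ntp_associations(SAMPLE_SHOW_NTP_ASSOC)):
        print(f)
```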

**************************************************************************


From: Question 11
Date: 5 July 1994
Subject: Sample cisco NTP Configurations

You will need to substitute your own NTP peers, timezones, and GMT
offsets into the examples below, of course.  Example 1 is in US Central
Time Zone, while example 3 is in US Pacific Time Zone.  Both account
for normal US Daylight Savings Time practices.

EXAMPLE 1 (Charley Kline):
...
clock timezone CST -6
clock summer-time CDT recurring
ntp source eth 0
ntp peer <host1>
ntp peer <host2>
ntp peer <host3>
...


EXAMPLE 2 (Tony Li):
...
ntp source Ethernet0/0
ntp update-calendar
ntp peer <host1>
ntp peer <host2> prefer
...


EXAMPLE 3 (Dave Katz):
...
service timestamps debug datetime localtime
service timestamps log datetime localtime
clock timezone PST -8
clock summer-time PDT recurring
interface Ethernet0
ip address <mumble>
ntp broadcast
ntp clock-period 17180319
ntp source Ethernet0
ntp server <host1>
ntp server <host2>
ntp server <host3>

COMMENTS ON EXAMPLE 3:
        The config file is commented with date and time (and user id,
if TACACS is enabled) when the system thinks the clock is accurate.
I've enabled timestamping of debug and syslog messages.  I send NTP
broadcast packets out onto the local ethernet.  I'm in Pacific
Standard Time, with U.S. standard daylight saving time rules.  I use
the IP address of the ethernet as the source for all NTP packets.


**************************************************************************

From: Question 12
Date: 5 July 1994
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?

By default, all lines are configured to automatically try a telnet
connection if the first word in an input line is not recognized as a
valid command.  You can disable this by setting ``transport preferred
none'' on every line (con, aux and vty). For instance:


        sl-panix-1#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        line vty 0 10
        transport preferred none


You can see the number of vty's currently configured with ``show lines''.

Also, you can suspend connect attempts with ^^ followed by ``x'', ie
shift-cntrl-6 x.

[It has been suggested that ``no ip ipname-lookup'' to turn off IEN116
helps. I think this is the default -jhawk ]

**************************************************************************

From: Question 13
Date: 31 Oct 1994
Subject: Tracing bad routing information

or: How do I find out which non-cisco systems on my networks generate IP-RIP
   information without letting them mess up my routing tables.

Here you could work with a default administrative distance.
Administrative distance is the basis upon which the cisco prefers
routing information of one protocol over another. In this example:

        router rip
        network 192.125.254.0
        distance 255
        distance 120 192.125.254.17     ! list all valid RIP suppliers
        [...]

the value 255 has the implicit meaning of not putting this information
into the routing table. Therefore, setting an administrative distance
of 255 means that all RIP suppliers are by default accepted but their
information is not put into the routing table. The administrative
distance for the router 192.125.254.17 has been reset to the default
(for RIP) of 120, causing its routes to be accepted into the routing table.

Then you can look them up with ``show ip protocols'' and restore the
original administrative distance for the ones you want to fill in the
routing table.

The same results can be achieved with an ip access-list, but with
that, ``show ip protocols'' will only show the valid ones. But often
it is more useful to see which systems were generating routing
information at all.

This trick works for other routing protocols as well, but please select
the proper administrative distance (rather than 120) for the protocol
you're using.

**************************************************************************

From: Question 14
Date: 5 July 1994
Subject: How to use access lists

[The following is wholesale included; at some point it'll
probably be edited a bit and reformatted... -jhawk ]

                    Frequently Asked Questions
                    contributed by Howard C. Berkowitz
                    PSC International
                    hcb@world.std.com
                       @clark.net   [probably will be my permanent
                                     personal account]
                    PSC's domain is in mid-setup

Where in the router are access lists applied?


    In general, Basic access lists are executed as filters on
outgoing interfaces.  Newer releases of the cisco code, such as
9.21 and 10, do have increased ability to filter on incoming ports.
Certain special cases, such as broadcasts and bridged traffic,
can be filtered on incoming interfaces in earlier releases.
There are also special cases involving console access.

Rules, written as ACCESS-LIST statements, are global for the entire
cisco box; they are activated on individual outgoing interfaces by
ACCESS-GROUP subcommands of the INTERFACE major command.
    Filters are applied after traffic has entered on an incoming
interface and gone through a routing process; traffic that originates in
a router (e.g., telnets from the console port) is not subject to
filtering.

             +-------------------+
             |     GLOBAL        |
             |                   |
             | Routing           |
             | ^  v       Access |
             | ^  v       Lists  |
             +-^--v--------^---v-+
             | ^  v        ^   v |
             | ^  v        ^   v |
A----------->|-|  |>>>>Access  >>----------->B
             |1        Group   2 |
<------------|                   |<-----------
             |                   |
             |                   |
             +-------------------+

    Some types of ``filter,'' using ``filter'' as a broader class than
ACCESS-LIST, can operate on incoming traffic.  For example, the INPUT-
SAP-FILTER used for Novell networks is applied to Service Advertisement
Packets (SAP) seen at incoming interfaces.  In general, incoming
filtering can only be done for ``system'' rather than user traffic.

Rules of thumb in defining access lists.

    First, define what you want to do and in which directions.  An
informal drawing is a good first step.  As opposed to the usual
connectivity drawings among routers, it's often convenient to draw
unidirectional links between routers.
    Second, informally write out your filtering rules.  In general, it
is best to go from most specific to least specific. Modify the order of
writing things to minimize the number of rules needed.
    Third, determine which rules need to be on which routers.
Explicitly consider the direction of flow, and the possible existence of
additional paths that could inadvertently bypass a filter.

Can a cisco router be a ``true'' firewall?

    This depends on the definition of firewall.  Some writers (e.g.,
Gene Spafford in _Practical UNIX Security_) define a firewall as a
host on which an ``inside'' and/or an ``outside'' application process run,
with application-level code linking the two.  For example, a firewall
might provide FTP access to the outside world, but it would not also
provide direct FTP service to the inside world.  To place a file on
the FTP external server, a designated user would explicitly log onto
the FTP server, transfer a file to the server, and log off.  The
firewall prevents direct FTP connectivity between the inside and
outside networks; only indirect, application-level connectivity is
allowed.
   Firewalls of this sort are complemented by chokes, which filter on
network addresses and/or port numbers.  Cisco routers cannot do
application-level control with access control lists.
   Other authors do not distinguish between chokes and filters.  Using
the loose definition that a firewall is anything that selectively blocks
access from the inside to the outside, routers can be firewalls.


IP Specific
-----------

Can the ``operand'' field be used with a protocol keyword of IP to filter
on protocol ID?

    No.  Operand filtering only works for TCP and UDP port numbers.

How can I prevent traffic for a certain Internet application to flow in
one direction but not the other?

    Remember that Internet applications flow from client port to server
port.  Denying traffic from port 23, for example, blocks flow from the
client to the server.

             +-------------------+
             |                   |
A----------->|                   |----------->B
             |1                 2|
<------------|                   |<-----------
             |                   |
             +-------------------+

    If we deny traffic to Port 23 of address B by placing a filter at
interface 2, we have blocked A's ability to telnet to B, but not B's
ability to telnet to A.  A second filter at interface A would be needed
to block telnet in both directions.
    Assume that we only have the filter at interface 2.  Telnets to A
from B will not be affected because the filter at 2 does not check
incoming traffic.
-------

With the arrival of in-bound access lists in 9.21, it should be noted
that inbound and outbound access lists are about equally efficient, in
case any of you were wondering.


It's worth remembering that there are some kinds of problems
that packet-filtering firewalls are not best suited for. There's
reasonably good information in:

	"Network (in)security through packet filtering"
	ftp://ftp.greatcircle.com/pub/firewalls/pkt_filtering.ps.Z


**************************************************************************

From: Question 15
Date: 26 July 1994
Subject: The cisco boot process

What really happens when a cisco router boots, from boot start to live
interfaces?

First it boots the ROM os version.  It reads the config.  Now, it
realizes that you want to netboot.  It loads the netbooted copy in on
top of itself.  It then re-initializes the box and re-reads the
config.  Manly, yes, but we like it too....

[[ Ummm... in particular it loads the netbooted copy in as WELL as
itself, decompresses it, if necessary, and THEN loads on top of
itself.  Note that this is important because it tells you what the
memory requirements are for netbooting: RAM for ROM image (if it's a
run from RAM image), plus dynamic data structures, plus RAM for
netbooted image. ]]

The four ways to boot and what happens (sort of):

           I (from bootstrap mode)

The ROM monitor is running.  The I command causes the ROM monitor to
walk all of the hardware in the bus and reset it with a brute force
hammer.  If the bits in the config register say to auto-boot, then
goto B

           B (from bootstrap mode)

Load the OS from ROM.  If a name is given, tell that image to start
silently and then load a new image.  If the boot system command is
given, then start silently and load a new image.

           powercycle

Does some delay stuff to let the power settle.  Goto I.

           reload (from the EXEC)

Goto I.


**************************************************************************

From: Question 16
Date: 18 July 1994
Subject: Where can I get cisco hardware?

Try calling 800-553-NETS and asking for your local sales office.
That's probably the best plan.

**************************************************************************

From: Question 17
Date: 18 April 1995
Subject: Where can I get IETF documents (RFCs, STDs, etc.)?

                   Where and how to get new RFCs


RFCs may be obtained via EMAIL or FTP from many RFC Repositories.  The
Primary Repositories will have the RFC available when it is first
announced, as will many Secondary Repositories.  Some Secondary
Repositories may take a few days to make available the most recent
RFCs.

Primary Repositories:


RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET,
NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK,
FTP.CONCERT.NET, or FTP.SESQUI.NET.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Secondary Repositories:



Sweden
------
        Host:           sunic.sunet.se
        Directory:      rfc

        Host:           chalmers.se
        Directory:      rfc


Germany
-------
        Site:           EUnet Germany
        Host:           ftp.Germany.EU.net
        Directory:      pub/documents/rfc


France
------
        Site:           Institut National de la Recherche en Informatique
                        et Automatique (INRIA)
        Address:        info-server@inria.fr
        Notes:          RFCs are available via email to the above
                        address.  Info Server manager is Mireille
                        Yamajako (yamajako@inria.fr).


Netherlands
-----------
        Site:           EUnet
        Host:           mcsun.eu.net
        Directory:      rfc
        Notes:          RFCs in compressed format.


France
------
        Site:           Centre d'Informatique Scientifique et Medicale
                        (CISM)
        Contact:        ftpmaint@univ-lyon1.fr
        Host:           ftp.univ-lyon1.fr
        Directories:    pub/rfc/*       Classified by hundreds
                        pub/mirrors/rfc Mirror of Internic
        Notes:          Files compressed with gzip. Online
                        decompression done by the FTP server.


Finland
-------
        Site:           FUNET
        Host:           funet.fi
        Directory:      rfc
        Notes:          RFCs in compressed format.  Also provides
                        email access by sending mail to
                        archive-server@funet.fi.


Norway
------
        Host:           ugle.unit.no
        Directory:      pub/rfc


Denmark
-------
        Site:           University of Copenhagen
        Host:           ftp.denet.dk
        Directory:      rfc


Australia and Pacific Rim
-------------------------

        Site:           munnari
        Contact:        Robert Elz <kre@cs.mu.OZ.AU>
        Host:           munnari.oz.au
        Directory:      rfc
                        rfc's in compressed format rfcNNNN.Z
                        postscript rfc's rfcNNNN.ps.Z


United States
-------------

        Site:           cerfnet
        Contact:        help@cerf.net
        Host:           nic.cerf.net
        Directory:      netinfo/rfc

        Site:           NASA NAIC
        Contact:        rfc-updates@naic.nasa.gov
        Host:           naic.nasa.gov
        Directory:      files/rfc

        Site:           NIC.DDN.MIL (DOD users only)
        Contact:        NIC@nic.ddn.mil
        Host:           NIC.DDN.MIL
        Directory:      rfc/rfcnnnn.txt
        Note:           DOD users only may obtain RFC's via FTP
                        from NIC.DDN.MIL.  Internet users should NOT
                        use this source due to inadequate connectivity.

        Site:           uunet
        Contact:        James Revell <revell@uunet.uu.net>
        Host:           ftp.uu.net
        Directory:      inet/rfc


UUNET Archive
-------------

     UUNET archive, which includes the RFC's, various IETF documents,
     and other information regarding the internet, is available to the
     public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and
     will be available via an anonymous kermit server soon.  Get the
     file /archive/inet/ls-lR.Z for a listing of these documents.

     Any site in the US running UUCP may call +1 900 GOT SRCS and use
     the login "uucp".  There is no password.  The phone company will
     bill you at $0.50 per minute for the call.  The 900 number only
     works from within the US.

**************************************************************************

From: Question 18
Date: 22 April 1996
Subject: Future features in cisco software

[This could be more fleshed out (still!)]

Kerberos and RADIUS in 11.1
RIP version 2 in 11.1 (allows VLSM, etc.)
Policy-based routing (routing based on source address or interface, or just
about anything else you want) in 11.0 *released*
PPP Multilink in 11.0(3) *released*
Frame Relay payload compression in 11.0(4) *released*
IPX Per-Host load balancing in 11.1

**************************************************************************

From: Question 19
Date: 27 July 1994
Subject: How do cisco routers rate performance-wise?

People often ask about the performance of cisco routers, and we shy
away from answering their questions because we don't know where to send
them.

Scott Bradner keeps the results of his performance tests on the
Internet.  You can find them for ftp on the system hsdndev.harvard.edu
in the /pub/ndtl.  There is a README file in that directory that
explains what is available.  In addition, cisco has just started
publishing a piece of literature called ``The Harvard Benchmark Test
Results: Summary of cisco Systems Performance''.  The only number I
can find on the doc is Lit. #700901.  Don't know if you can order it
by this number, but at least there's a title to go on.

**************************************************************************

From: Question 20
Date: 22 April 1996
Subject: How are packets switched?

There are 3 basic types of switching (in order of increasing performance).

        process switching
        fast switching
        autonomous switching

Process and fast switching support inbound and outbound, simple and
extended, access lists. Of course, for fast switching, such lists only
restrict traffic on the particular fast-switched interface.

Autonomous switching is done in the switch processor, a microcoded device that
is capable of switching IP, IPX, and bridging packets in the 100kpps range.
This is known as the "SP" card on the 7000 and the CBUS controller on the AGS+.
Encapsulation support is rather limited (Ethernet, HDLC, HSSI...).

The cisco 7000 also supports:

        silicon switching

Silicon switching is done in the silicon switching engine (creative, eh? ;-).

The silicon switch processor (SSP) is the board which combines both the
switch processor and a silicon switching engine.

The SSP supports simple and extended outbound access lists in 10.3 and later.
The SSP supports simple and extended inbound access lists in 11.1 and later.

The cisco 75xx series supports:

	"optimal" switching (cruddy name, eh?)
	"flow" switching
	"distributed" switching

* "optimal" switching (cruddy name, eh?)

The 7500 platform does not have a separate SP or SSP card, rather the RISC
processor on the "integrated route/switch processor card (IRSP)" handles
switching directly, similar to the 4000 series routers.  There are several
hardware and software enhancements made though to increase the throughput to
a level that is several times above what you would normally get from "fast"
switching.  Everything that "fast" switching supports is supported in
"optimal" switching.

* "flow" switching

Basically the "optimal" switching method, however things have been front-ended
with an additional small "flow" cache.  This flow cache contains information
about source/destination addresses & ports which allow the router to make more
informed queueing decisions and process access lists faster.  This is a win in
routers that would tend to carry a reasonably small number of flows at any one
time, such as what you would expect in a corporate network or in a smaller
internet service provider network.  It's unclear if there are any advantages
in a large internet backbone.

* "distributed" switching

cisco has announced a new type of interface-processor card, called a "VIP"
available in the 7500 platform that is intelligent enough to switch packets
with no intervention on the part of the IRSP card.  This once again separates
switching from routing, as in the earlier CBUS/SP/SSP design.


The first packet of every session or connection is always Process Switched.
The route table is consulted (this resides in DRAM on the CPU) and the
"result" is cached in the system memory cache. If the protocol can only be
process switched, then it will continue this way and interrupt the CPU for a
route table lookup each time. [comment: Process Switching is brutally slow
compared to other switching methods. Some features (usually new features do
this for the first few software releases) force every packet to be process
switched. If you can't avoid process-switching every packet, at least get a
router with a fast CPU, such as the 75xx, 4500, and 4700. The 4700 is
currently the fastest at process-switching packets, with the 4500 and 75xx
tied for second. The 75xx can optimum-switch, however, so it's a lot faster
than either of the 4x00s, if you can use it.]

The second and subsequent packets of each session are capable of being Fast
Switched (more session types are becoming fast-switchable), and will consult
only the route-cache. This still involves a memory lookup on the board, but
the packet can be transferred from the source card directly to the
destination card without requiring full storage on the CSC [the CSC refers
to the CPU card, basically].



There are some undocumented commands that are useful for obtaining
per-interface statistics on what sort of switching was performed.

For instance:

frobozz-magic-robot>sh int atm4/0 switch
ATM4/0
         Throttle count:          0
     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
           IP    Process     104851    7669968     116378   11180988
            Cache misses      35826
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0
frobozz-magic-robot>sh int atm4/0 stat
ATM4/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     105024    7679155     116422   11184108
         Route cache/FIB          0          0          0          0
       Distributed cache          0          0          0          0
                   Total     105024    7679155     116422   11184108

**************************************************************************

From: Question 21
Date: 31 October 1994
Subject: How does one interpret buffer statistics?

Buffer statistics may be obtained with:

        mit2-gw.near.net>sh buffers
        Buffer elements:
             433 in free list (500 max allowed)
             82320311 hits, 0 misses, 0 created
        Small buffers, 104 bytes (total 202, permanent 120):
             185 in free list (20 min, 250 max allowed)
             34289219 hits, 4297 misses, 1307 trims, 1389 created
        Middle buffers, 600 bytes (total 104, permanent 90):
             102 in free list (10 min, 200 max allowed)
             6829533 hits, 1432 misses, 483 trims, 497 created
        Big buffers, 1524 bytes (total 90, permanent 90):
             90 in free list (5 min, 300 max allowed)
             3403884 hits, 56 misses, 1 trims, 1 created
        Large buffers, 5024 bytes (total 5, permanent 5):
             5 in free list (0 min, 30 max allowed)
             49984 hits, 13 misses, 20 trims, 20 created
        Huge buffers, 18024 bytes (total 0, permanent 0):
             0 in free list (0 min, 4 max allowed)
             0 hits, 0 misses, 0 trims, 0 created

        5683 failures (0 no memory)

You can interpret them:

Total   Number of buffers of that size that exist.

Free    Number of free buffers.

Max     Maximum size that the free list can grow to before we start
        throwing them away.

Hit     Buffer got used.

Miss    Someone requested a buffer and we had to go carve it up out of
        free memory.  If we couldn't because we were at interrupt
        level, it's also an allocation failure.  If we couldn't
        because we were out of memory, then it's also a ``no memory''
        failure.

Trim    There are more free buffers on the free list than there need
        to be and we threw some away.

Create  Number of buffers we created after a miss.

**************************************************************************

From: Question 22
Date: 22 April 1996
Subject: How should I restrict access to my router?

Many admins are concerned about unauthorized access to their routers
from malicious people on the Internet; one way to prevent this
is to restrict access to your router on the basis of IP address.

Many people do this, however it should be noted that a significant number
of network service providers allow unrestricted access to their routers
to allow others to debug, examine routes, etc. If you're comfortable doing
this, so much the better, and we thank you!

If you wish to restrict access to your router, select a free IP access
list (numbered from 1-100) -- enter ``sh access-list'' to see those
numbers in use.

        yourrouter#sh access-list
        Standard IP access list 5
            permit 192.94.207.0, wildcard bits 0.0.0.255

Next, enter the IP addresses you wish to allow access to your router
from; remember that access lists contain an implicit "deny everything"
at the end, so there is no need to include that. In this case, 30
is free:

        yourrouter#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
        yourrouter(config)#^Z

(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*).
Enter multiple lines for multiple addresses; be sure that you don't
restrict the address you may be telnetting to the router from.

Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
that you wish to apply the access list to. In this example, I want
lines 2 through 12:

        yourrouter#sh line
         Tty Typ    Tx/Rx    A Modem  Roty AccO AccI  Uses    Noise   Overruns
           0 CTY             -    -      -    -    -     0        0        0/0
           1 AUX  9600/9600  -    -      -    -    -     1  3287605        1/0
        *  2 VTY  9600/9600  -    -      -    -    7    55        0        0/0
           3 VTY  9600/9600  -    -      -    -    7     4        0        0/0
           4 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           5 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           6 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           7 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           8 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           9 VTY  9600/9600  -    -      -    -    7     0        0        0/0
          10 VTY  9600/9600  -    -      -    -    7     0        0        0/0
          11 VTY  9600/9600  -    -      -    -    -     0        0        0/0
          12 VTY  9600/9600  -    -      -    -    -     0        0        0/0


Apply the access list to the relevant lines:

        yourrouter#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        yourrouter(config)#line 2 12
        yourrouter(config-line)# access-class 30 in
        yourrouter(config-line)# ^Z

(This applies access list 30 to lines 2 through 12. It's important to
restrict access to the aux port (line 1) if you have a device (such
as a CSU/DSU) plugged into it.)

Be sure to save your configuration with ``write mem''.

Please note that access lists for incoming telnet connections do NOT
cause your router to perform significant CPU work, unlike access lists
on interfaces.
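An added example (not code from the FAQ or from Cisco) that evaluates a standard IP access list the way ``access-class 30 in'' does: entries in configuration order, first match wins, implicit deny at the end (the ordering rule of thumb from Question 14), plus a check that the address you manage the router from is still permitted before the list goes live. The configuration lines are constructed for the example.

```python
"""Evaluate a Cisco-style standard IP access list as the router does when it
is applied to the vty lines with ``access-class N in''.  Added example, not
code from the FAQ or from Cisco."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


class AclEntry(NamedTuple):
    action: str     # "permit" or "deny"
    network: int    # match address as a 32-bit integer
    wildcard: int   # wildcard bits: a 1 bit means "don't care"


def parse_standard_acl(config_lines: List[str], number: int) -> List[AclEntry]:
    """Collect the ``access-list <number> ...'' lines in configuration order."""
    entries = []
    for raw in config_lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in {raw!r}")
        if parts[3] == "any":
            network, wildcard = 0, ALL_ONES
        elif parts[3] == "host":
            network, wildcard = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            network = int(ipaddress.IPv4Address(parts[3]))
            # IOS treats a missing wildcard as 0.0.0.0, i.e. an exact host match.
            wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append(AclEntry(action, network, wildcard))
    return entries


def entry_matches(entry: AclEntry, address: int) -> bool:
    """Wildcard match: only the bits that are 0 in the wildcard must agree."""
    care = ~entry.wildcard & ALL_ONES
    return (address & care) == (entry.network & care)


def evaluate(entries: List[AclEntry], address: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry).  An index of None means
    nothing matched and the implicit deny at the end of the list applied."""
    packed = int(ipaddress.IPv4Address(address))
    for index, entry in enumerate(entries):
        if entry_matches(entry, packed):
            return entry.action, index
    return "deny", None


def locked_out(entries: List[AclEntry], admin_hosts: List[str]) -> List[str]:
    """Management addresses the list would refuse.  Run this before applying
    ``access-class'' so the change cannot cut off your own telnet session."""
    return [host for host in admin_hosts if evaluate(entries, host)[0] != "permit"]


# Constructed sample configuration: the FAQ's 172.30.0.0 entry preceded by a
# more specific deny (most specific first), and an unrelated list 5.
SAMPLE_CONFIG = [
    "access-list 30 deny   172.30.99.0 0.0.0.255",
    "access-list 30 permit 172.30.0.0 0.0.255.255",
    "access-list 30 permit host 192.0.2.25",
    "access-list 5 permit 192.94.207.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_CONFIG, 30)
    for probe in ("172.30.5.9", "172.30.99.7", "192.0.2.25", "10.1.1.1"):
        print(probe, evaluate(acl, probe))
    print("would lock out:", locked_out(acl, ["172.30.1.1", "198.51.100.4"]))
```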

**************************************************************************

From: Question 23
Date: 1 November 1994
Subject: What can I do about source routing?

What *is* source routing?

Source routing is an IP option which allows the originator of a packet
to specify what path that packet will take, and what path return packets
sent back to the originator will take. Source routing is useful when the
default route that a connection will take fails or is suboptimal for some
reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.

Unfortunately, source routing is often abused by malicious users on
the Internet (and elsewhere), and used to make a machine (A), think
it is talking to a different machine (B), when it is really talking to
a third machine (C). This means that C has control over B's ip address
for some purposes.

The proper way to fix this is to configure machine A to ignore
source-routed packets where appropriate. This can be done for most
unix variants by installing a package such as tcp_wrapper, by Wietse
Venema <wietse@wzv.win.tue.nl>:

        ftp://cert.org:pub/tools/

For some operating systems, a kernel patch is required to make this
work correctly (notably SunOS 4.1.3). Also, there is an unofficial
kernel patch available for SunOS 4.1.3 which turns all source routing
off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell sometime in mid-1994.

If disabling source routing on all your clients is not possible, a
last resort is to disable it at your router. This will make you unable
to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both
of which use LSRR (Loose Source Record Route, 2 IP options, the first
of which is a type of source routing), but may be necessary for some.
If so, you can do this with

        foo-e-0#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        foo-e-0(config)#no ip source-route
        foo-e-0(config)#^Z

It is somewhat unfortunate that you cannot be selective about this; it
disables all forwarding of source-routed packets through the router,
for all interfaces, as well as source-routed packets to the router
(the last is unfortunate for the purposes of ``traceroute -g'').
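An added example (not code from the FAQ or from Cisco) that does what ``no ip source-route'' does at the packet level: walk the IPv4 option list and discard datagrams carrying an LSRR or SSRR option, while letting a plain record-route option through. The sample headers are constructed for this example, with zero checksums and documentation addresses.

```python
"""Identify IPv4 datagrams that carry a source-route option (LSRR or SSRR),
the ones ``no ip source-route'' makes the router discard.  Added example,
not code from the FAQ or from Cisco."""
import ipaddress
from typing import List, Tuple

EOOL, NOP, RR, LSRR, SSRR = 0x00, 0x01, 0x07, 0x83, 0x89
SOURCE_ROUTE = {LSRR: "LSRR", SSRR: "SSRR"}   # RR alone only records a path


def parse_ipv4_options(header: bytes) -> List[Tuple[int, bytes]]:
    """Return [(option type, option data)] from the header's options area."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated IPv4 header")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == EOOL:
            break
        if kind == NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without a length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def route_hops(data: bytes) -> List[str]:
    """LSRR/SSRR data is a pointer byte followed by 4-byte route addresses."""
    return [str(ipaddress.IPv4Address(data[k:k + 4]))
            for k in range(1, len(data) - 3, 4)]


def classify(header: bytes) -> Tuple[str, str]:
    """('discard', why) for source-routed datagrams, ('forward', why) otherwise."""
    for kind, data in parse_ipv4_options(header):
        if kind in SOURCE_ROUTE:
            return "discard", f"{SOURCE_ROUTE[kind]} option, route {route_hops(data)}"
    return "forward", "no source-route option"


# Constructed sample headers, 192.0.2.10 -> 198.51.100.5, TCP, checksum 0.
# Plain 20-byte header (IHL 5).
PLAIN = bytes.fromhex("45000014 00000000 40060000 c000020a c6336405")
# IHL 7 with an LSRR option: type 0x83, length 7, pointer 4, one hop
# 192.0.2.1, then an EOOL pad byte.
WITH_LSRR = bytes.fromhex(
    "4700001c 00000000 40060000 c000020a c6336405 830704c0 00020100")
# IHL 7 with NOP followed by a record-route option (type 7): not source routing.
WITH_RR = bytes.fromhex(
    "4700001c 00000000 40060000 c000020a c6336405 01070704 00000000")

if __name__ == "__main__":
    for name, header in (("plain", PLAIN), ("lsrr", WITH_LSRR), ("rr", WITH_RR)):
        print(name, classify(header))
```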

**************************************************************************

From: Question 24
Date: 22 April 1996
Subject: Is there a block of private IP addresses I can use?

Yes there is, however whether you wish to do so is an issue of
some debate.

You could consult:

1627 Network 10 Considered Harmful (Some Practices Shouldn't be
     Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.
     (Format: TXT 823 bytes)

1918 Address Allocation for Private Internets. Y. Rekhter, B.
     Moskowitz, D. Karrenberg, G. J. de Groot & E. Lear. February 1996.
     (Format: TXT"270 bytes) (Obsoletes RFC1627, RFC1597) (Also BCP0005)

In any event, RFC 1918 documents the allocation of the following
addresses for use by ``private internets'':

        10.0.0.0        -   10.255.255.255
        172.16.0.0      -   172.31.255.255
        192.168.0.0     -   192.168.255.255

Most importantly, it is vital that nothing using these addresses
should ever connect to the global Internet, or have plans to do so.
Please read the above RFCs before considering implementing such
a policy.

As an additional note, some Internet providers provide network-management
services, statistics gathering, etc. It is unlikely (if at all possible)
that they would be willing to perform those services if you choose to
utilize private address space.


With the increasing popularity and reliability of address translation
gateways, this practice is becoming more widely accepted. Cisco has acquired
Network Translation, who manufacture such a product. It is now available as
the Cisco Private Internet Exchange. With it, you can use any addressing you
want on your private internet, and the gateway will ensure that the invalid
addresses are converted before making it out onto the global Internet. It also
makes a good firewall. Information on this product is available at
http://www.cisco.com/warp/public/751/pix/index.html

**************************************************************************

From: Question 25
Date: 18 April 1995
Subject: Is DHCP supported?

DHCP, the Dynamic Host Configuration Protocol (RFC1533), is essentially
a more extended and flexible version of BOOTP, which allows configuration
parameters and other control information to be carried to hosts.

Forwarding of DHCP packets (to a DHCP server elsewhere in the network) is
supported in 9.21(4) and 10.0(3), as well as later releases.

**************************************************************************

From: Question 26
Date: 18 April 1995
Subject: Where can I get cisco documentation?

Cisco no longer distributes printed documentation with their routers;
instead, they distribute a CDROM.

Paper documentation may be purchased, however if you purchase a
support contract, documentation is free.

Cisco documentation is also available on the web -- if you have
a fast Internet connection this may be more useful
than the CD. Try:

	http://www.cisco.com/univercd/data/doc/product.htm

**************************************************************************

From: Question 27
Date: 18 April 1995
Subject: What's the latest software for the CSC/3?

The last supported release on the CSC/3 is 9.1(15). cisco
does not plan to release further software for the CSC/3.

**************************************************************************

From: Question 28
Date: 19 May 1995
Subject: What IP routing protocol should I use?

This is a really complicated question, and a full answer
is beyond the scope of this document. Here are the beginnings
of an answer.

Note that Hello is no longer shipped with cisco routers, and that EGP has been
declared Historical (and thus obsolete) by the IETF. Don't use them.


Protocol        RIP     HELLO  IGRP   OSPF    EIGRP  IS-IS  EGP     BGP4
------------------------------------------------------------------------
Type            IGP     IGP    IGP    IGP     IGP    IGP    EGP     EGP
Algorithm       DV      DV     DV     SPF     DUAL   SPF    DV      PV
Metrics         Hopcnt  Delay  Speed  Arb.    Speed  Arb.   Policy  Policy
Convergence     Slow    Unstb  Mdt    Fast    Fast   Fast   Slow    Fast
Standard?       IETF    No     No     IETF    No     ISO    Hist.   IETF
Complexity      Simple  Simple Simple Complx  Complx Complx Simple  Complx
Multipath?      Yes     Yes    Yes    Yes     Yes    Yes    Yes     [*]
Var-netmask?    No      No     No     Yes     Yes    Yes    No      YES

Notes
-----

IGP  interior gateway protocol, used to build routing tables within an AS.
EGP  exterior gateway protocol, used to communicate reachability
information between AS's.


Algorithms
----------
DUAL  DV with diffusing update algorithm (Garcia-Luna-Aceves et al)
DV    Distance Vector (Bellman-Ford)
PV    "Path Vector"
SPF   Shortest-path-first (Dijkstra)

Metrics
-------

A metric is how the protocol measures the network to determine the
"best" path.

"Speed" refers typically to link speed, not available bandwidth.
"Arb." indicates that the metrics are arbitrary and configurable.

HELLO tried to use available bandwidth by monitoring round-trip delay,
but was not generally successful at this.

Metrics are not directly exchangeable when redistributing routing
information from one protocol to another. IGRP and EIGRP use
compatible and automatically convertible metrics.

Convergence
-----------

Qualitatively, convergence measures how fast routers using this
protocol will adapt to changes in the topology of the network.

"Unstb" indicates a protocol which in general never decided on a
stable configuration but continually oscillated between alternatives.

Complexity
----------

An observation of how complex the protocol is to implement.

Multipath
---------

Multipath indicates whether the protocol supports and transports
multiple equal- or different-cost paths between endpoints.

[*] indicates that BGP4 supports multipath for IBGP (Internal BGP, a
full mesh of all border routers within an AS), but not for EBGP
(External BGP).

Variable netmask (Var-netmask)
------------------------------

Indicates whether the protocol allows for and transports different
masks for the subnets of a routed network.

**************************************************************************

From: Question 29
Date: 18 April 1995
Subject: How do I interpret the output of ``show version''?

Typing ``show version'' or ``show hardware'' yields a response like:

        prospect-gw.near.net>sh version
        Cisco Internetwork Operating System Software
        IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]

System-type (imagename) Version major.minor(release.interim)[who] Desc

System-type:  type of system the software is designed to run on.
imagename:  The name of the image.  This is different (slightly) for
        run-from-rom, run-from-flash, and run-from-ram images, and also
        for subset images which both were and will be more common.
"Version": text changes slightly.  For example, if an engineer gives you
        a special version of software to try out a bug fix, this will say
        experimental version.
Major: Major version number.  Changes (in theory) when there have been
        major feature additions and changes to the software.
Minor: minor version number.  Smaller but still significant features added.
        (in reality, cisco is not very sure what the difference between
         "major" and "minor" is, and sometimes politics gets in the way,
        but either of these "incrementing" indicates feature additions.)
        EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar.  9.1 is
        the base, 9.14 adds special features for low end systems, 9.17
        added special features specific to the high end (cisco-7000).  This
        was an experiment that we are trying not to repeat.
release: increments (1 2 3 4 ...) for each maintenance release of released
        software.  Increments for every compile in some other places.
interim: increments on every build of the "release tree", which happens
        weekly for each release, but is only made into a generically
        shipping maintenance release every 7 to 8 weeks or so.
[who]:  who built it.  Has "fc 1" or similar for released software.
        has something like [billw 101] for test software built by Bill
        Westfield (billw@cisco.com).
Desc:   additional description.

The idea is that the image name and version number UNIQUELY identify
a set of sources and debugging information somewhere back at cisco,
should anything go wrong.

        Copyright (c) 1986-1995 by cisco Systems, Inc.
        Compiled Thu 09-Mar-95 23:54 by tli
        Image text-base: 0x00001000, data-base: 0x00463EB0

Copyright, compilation date (and by whom), as well as the
starting address of the image.

        ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
        ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

The version of ROM bootstrap software, and the version of IOS
in ROM.

        prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
        System restarted by reload

How long the router has been up, and why it restarted.

        System image file is "sse-current", booted via flash

How the router was booted.

        RP (68040) processor with 16384K bytes of memory.

Type of processor.

        G.703/E1 software, Version 1.0.
        X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
        Bridging software.
        ISDN software, Version 1.0.

Various software options compiled in.

        1 Silicon Switch Processor.
        2 EIP controllers (8 Ethernet).
        2 FSIP controllers (16 Serial).
        1 MIP controller (1 T1).
        8 Ethernet/IEEE 802.3 interfaces.
        16 Serial network interfaces.
        128K bytes of non-volatile configuration memory.
        4096K bytes of flash memory sized on embedded flash.

Hardware configuration.

        Configuration register is 0x102

Lastly, the "configuration register", which may be set via
software in current releases...
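Turning the fields described above into structured data is the first step of any software-inventory or vulnerability-tracking job, so here is an added Python example (not part of the FAQ) that parses a constructed ``show version'' capture laid out like the one above. The IosVersion, parse_show_version and config_register_flags names are mine; the register decoding covers only the boot field (low nibble), bit 6 (0x40, ignore NVRAM configuration) and bit 8 (0x100, console break disabled).

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample in the layout Question 29 walks through; it is not a
# capture from a real device and the values are illustrative only.
SAMPLE = """prospect-gw.near.net>sh version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
System image file is "sse-current", booted via flash
Configuration register is 0x102
"""


@dataclass
class IosVersion:
    system_type: str        # "GS Software"
    image_name: str         # "GS7"
    experimental: bool      # "Experimental Version" vs plain "Version"
    major: int
    minor: int
    release: int
    interim: Optional[int]  # absent on many builds, as in the sample
    who: Optional[str]      # "[pst 113]", "fc 1", ...
    desc: str               # trailing free text, if any


# System-type (imagename) Version major.minor(release.interim)[who] Desc
_VERSION_RE = re.compile(
    r"^IOS \(tm\) (?P<system>.+?) \((?P<image>[^)]+)\), "
    r"(?P<kind>(?:Experimental )?Version) "
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?:\s*\[(?P<who>[^\]]+)\])?"
    r"\s*(?P<desc>.*)$"
)


def parse_version_line(line: str) -> IosVersion:
    """Split the 'IOS (tm) ...' line into the fields the FAQ describes."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version line: {line!r}")
    return IosVersion(
        system_type=m["system"],
        image_name=m["image"],
        experimental=m["kind"].startswith("Experimental"),
        major=int(m["major"]),
        minor=int(m["minor"]),
        release=int(m["release"]),
        interim=int(m["interim"]) if m["interim"] else None,
        who=m["who"],
        desc=m["desc"].strip(),
    )


def parse_show_version(text: str) -> Dict[str, object]:
    """Collect the remaining 'show version' facts worth keeping in an inventory."""
    info: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IOS (tm)"):
            info["ios"] = parse_version_line(line)
        elif line.startswith("ROM: System Bootstrap"):
            info["bootstrap"] = line.split("Version ", 1)[1].split(",", 1)[0]
        elif line.startswith("ROM:"):
            info["rom_ios"] = line.split("Version ", 1)[1].split(",", 1)[0]
        elif " uptime is " in line:
            info["uptime"] = line.split(" uptime is ", 1)[1]
        elif line.startswith("System restarted by "):
            info["restart_reason"] = line[len("System restarted by "):]
        elif line.startswith("System image file is"):
            m = re.match(r'System image file is "([^"]+)"(?:, booted via (\w+))?', line)
            if m:
                info["image_file"], info["booted_via"] = m.group(1), m.group(2)
        elif line.startswith("Configuration register is"):
            info["config_register"] = int(line.rsplit(" ", 1)[1], 16)
    return info


def config_register_flags(value: int) -> Dict[str, object]:
    """Decode the register bits a reviewer cares about: the boot field, and the
    two bits that change how the box comes up (ignore NVRAM, break disabled)."""
    return {
        "boot_field": value & 0xF,                     # 0 = ROM monitor, 1 = boot ROM image
        "ignores_startup_config": bool(value & 0x40),  # the password-recovery setting
        "console_break_disabled": bool(value & 0x100),
    }
```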

**************************************************************************

From: Question 30
Date: 22 April 1996
Subject: What is the maximum number of Frame Relay PVCs?

This is covered fairly thoroughly in Product Info/Product
Bulletin/Frame Relay Broadcast Queue, Cisco Product Bulletin # 256,
available on CIO.

Via the web (requires CIO username and password)
        http://cio.cisco.com/warp/customer/417/38.html

An excerpt:

(Virtual Interfaces)

   It should be noted that in the IOS (Internetworking Operating System)
   10.0 software there is a limit of 256 Virtual and physical
   interfaces. Hence, if each DLCI is given its own virtual interface,
   the router is limited to 256 DLCIs. This restriction is expected to be
   removed in a future release.

   In most scenarios, it is not necessary that each DLCI have its own
   Virtual Interface. In particular, IP has the facility which allows
   disabling of split-horizon routing and hence does not require Virtual
   Interfaces to support partial mesh topologies.

(Appendix 1: How many DLCIs Can Cisco Support on an Interface?)

   This question is similar to the question of how many PCs can you put
   on an Ethernet. In general, you can put a lot more than you should
   given performance and availability constraints.

   When dimensioning a router in a large network, the following issues
   should be considered:

   DLCI Address Space: The only hard limit is the roughly 1000-DLCI
   limit due to the 10-bit DLCI address space in the Frame Relay frame
   header.

   LMI Status Update: The LMI protocol requires that all status reports
   fit into a single packet and generally limits the number of DLCIs to
   less than 800.


   Max DLCIs (approx) = (MTU - 20) / 5,
        where MTU is the MTU size in bytes on the Frame Relay link.


   Broadcast Replication: When sending, the router must replicate the
   packet on each DLCI and this causes congestion on the access link. The
   Broadcast Queue reduces this problem. In general, the network should
   be designed to keep the routing update load to below 20 percent of the
   access lines speed. It is also important that memory requirements for
   the Broadcast Queue be considered. A good technique to reduce this
   restriction is the use of default route or extending the update
   timers.

   Broadcast Receipt: When receiving, the router must receive updates
   from the network. The issue here is that the upstream switch can be
   overloaded and drop packets. When routing updates are dropped, routing
   instability occurs. Again, the receiving routing update load should be
   kept to less than 20 percent of the access link speed and preferably
   lower. Where very high speed links are used, a limit of 128 Kbit/s
   worth of routing updates is recommended.

   Routing Stability: When using a link state protocol to reduce the
   update traffic, the dimensioning should be done assuming the periodic
   update process and the worst case for Link State Updates (i.e.,
   assuming link and power instability). Dimensioning should not be based
   on the Hello traffic. As a rule of thumb, dimension assuming a
   distance vector protocol, but assume that extra bandwidth is available
   for user data.

   User Data Traffic: Clearly, the number of DLCIs is dependent on the
   traffic on each DLCI and the performance requirements to be met. In
   general, Frame Relay accesses should be run at lower loads than
   router-to-router links since the prioritisation capabilities are not
   as strong in many cases and in general the marginal costs of
   increasing access link speed are lower than with dedicated lines.

   Many of the issues covered here are included in the Internet Design
   Guide manual that Cisco provides.

Update:

The limit of 256 PVCs goes away in IOS 11.1. I think the number is now
something like 1024 per router or some even more ludicrous number. There are
still lots of reasons you never want to do that. ;-)


**************************************************************************

From: Question 31
Date: 18 April 1995
Subject: How much memory is necessary to telnet to a cisco router?

In order to login to a cisco router, it needs to have at least 64k
of contiguous free memory.

**************************************************************************

From: Question 32
Date: 18 April 1995
Subject: Where can I purchase flash RAM?

There are two varieties:

        MEM-1X8F                8meg
        MEM-2X8F                16meg

*******************************     2500       ********************************
*******************************   8M Flash     ********************************
PRODUCT#        QTY
--------        ---
MEM-1X8F         1
MEM-2X8F         2

Part Number: 16-0975-01
Description: IC,FEPROM,  2Mx32,100ns,SIM80     SC: P  REV: A0 S/UM: EA P/UM: EA
       ITM MANUFACTURER'S PART     VENDOR CODE   MANUFACTURER'S NAME
       --- --------------------    -----------   -------------------
   1-    1 SM732C2000B-10          KITTING01     SMART MODULE


Smart Modular is located in Fremont, California.


For small orders, Smart Modular recommends you contact:

	PC Complete
	800-849-4622.

They carry both	Flash RAM and DRAM.

**************************************************************************

From: Question 32
Date: 19 May 1995
Subject: When are static routes redistributed?

In the simple case, any static route *in the routing table* is
redistributed if the ``redistribute static'' command is used, and some
filter (set with either ``route-map'' or ``distribute-list out'')
doesn't filter it out.

Whether the static route gets into the routing table depends on:

	Whether the next hop address is reachable (if you use
	static route pointing to a next hop)
OR
	Whether the interface is up (if you use static route
	pointing to an interface).

If one of these is true, an attempt is made to add the route to the
routing table; whether that succeeds depends on the administrative
distance of the route -- a lower administrative distance (the route
is "closer") than a preexisting route will cause the preexisting route
to be overwritten.

**************************************************************************

From: Question 33
Date: 19 May 1995
Subject: When is the next hop of a route considered ``reachable''?

When a static route is added, or during an important event (eg:
interface up/down transition), the next hop for a route is looked up
from the routing table (i.e. recursive routing).

As a consequence, if a route which is depended upon for evaluation
of the next hop of a static route goes away, a mechanism is required
to remove that (now-invalid) static route.

Scanning all static routes each time the routing table changes is
too expensive, so instead a periodic timer is used. Once a minute, static
routes are added to and removed from the routing table based on the routes
they depend upon.

It should be noted that a particular static route will be reevaluated
when its interface transitions up or down.
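The install, timer and redistribution rules from Questions 32 and 33 are easiest to see in a small model, so here is an added Python example (not from the FAQ) of a routing table in which statics are installed only when their interface is up or their next hop resolves, are reconciled by a periodic scan rather than on every change, and are redistributed only from the table. The Route and Router names are mine, and the administrative distances used (1 static, 110 OSPF, 250 floating static) are the usual IOS defaults, assumed here.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional, Union


@dataclass
class Route:
    prefix: Union[str, IPv4Network]
    source: str                          # "connected", "static", "ospf", ...
    distance: int                        # administrative distance (lower wins)
    next_hop: Union[str, IPv4Address, None] = None
    interface: Optional[str] = None      # for "ip route X Y Serial0" style statics

    def __post_init__(self) -> None:
        self.prefix = ip_network(self.prefix)
        if self.next_hop is not None:
            self.next_hop = ip_address(self.next_hop)


class Router:
    def __init__(self) -> None:
        self.interfaces: Dict[str, bool] = {}       # interface name -> is it up?
        self.table: Dict[IPv4Network, Route] = {}   # the routing table proper
        self.statics: List[Route] = []              # configured statics, installed or not

    def installed(self, prefix: str) -> Optional[Route]:
        return self.table.get(ip_network(prefix))

    def learn(self, route: Route) -> None:
        """Offer a connected or dynamic route; it displaces an existing one only
        if its administrative distance is lower (the route is 'closer')."""
        cur = self.table.get(route.prefix)
        if cur is None or route.distance < cur.distance:
            self.table[route.prefix] = route

    def withdraw(self, prefix: str) -> None:
        """A route disappears; dependent statics are NOT touched until the scan."""
        self.table.pop(ip_network(prefix), None)

    def lookup(self, addr: IPv4Address, ignore: Optional[IPv4Network] = None) -> Optional[Route]:
        """Longest-prefix match; 'ignore' keeps a static from resolving via itself."""
        best = None
        for pfx, rt in self.table.items():
            if pfx == ignore or addr not in pfx:
                continue
            if best is None or pfx.prefixlen > best.prefix.prefixlen:
                best = rt
        return best

    def static_eligible(self, rt: Route) -> bool:
        """Question 32's two conditions: interface up, or next hop resolvable
        through the table (recursive routing, Question 33)."""
        if rt.interface is not None:
            return self.interfaces.get(rt.interface, False)
        return self.lookup(rt.next_hop, ignore=rt.prefix) is not None

    def add_static(self, rt: Route) -> None:
        self.statics.append(rt)
        self.rescan_statics()       # a static is evaluated when it is added

    def set_interface(self, name: str, up: bool) -> None:
        self.interfaces[name] = up
        self.rescan_statics()       # an up/down transition re-evaluates statics at once

    def rescan_statics(self) -> None:
        """The once-a-minute timer: install eligible statics (subject to admin
        distance) and pull out any installed static whose dependency went away."""
        for rt in self.statics:
            cur = self.table.get(rt.prefix)
            if self.static_eligible(rt):
                if cur is None or (cur is not rt and rt.distance < cur.distance):
                    self.table[rt.prefix] = rt
            elif cur is rt:
                del self.table[rt.prefix]

    def redistribute_static(self, permit: Callable[[Route], bool] = lambda r: True) -> List[Route]:
        """'redistribute static': only statics that made it into the table, minus
        whatever the route-map / distribute-list 'permit' filter rejects."""
        return [r for r in self.table.values() if r.source == "static" and permit(r)]
```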

**************************************************************************

From: Question 35
Date: 22 April 1996
Subject: How do name and phone number of ``dialer map'' interfere?

How do name and phone number of `dialer map' interfere?

We use the telephone number first actually.  If the
caller id matches the telephone number to call, then you don't need the
'name' parameter with a phone number.

I realized that the above is ambiguous, so let's do this.  You have:

  dialer map ip x.x.x.x name <param1> <phone-num>

<param1> is used for incoming authentication.  It can be either the hostname,
for PAP and CHAP, or it can be a number as returned by caller id.  If this
is not there, and it is an incoming call, and there is caller id, we will
compare against <phone-num> to see if that matches.

Not sure I've been clear here.

**************************************************************************

From: Question 36
Date: 22 April 1996
Subject: What's the purpose of the network command?

>*  what is the real purpose of the network subcommand of
>   router commands?  When do I not want to include a network
>   I know about?

The real purpose of the 'network' sub-command of the router commands is to
indicate what networks that this router is connected to are to be
advertised in the indicated routing protocol or protocol domain. For
example, if OSPF and EIGRP are configured, some subnets may be advertised
in one and some in the other. The network command enables one to do this.

An example of such a case is a secure subnet. Imagine the case where a set
of subnets are permitted to communicate within a campus, but one of the
buildings is intended to be inaccessible from the outside. By placing the
secure subnet in its own network number and not advertising the number, the
subnet is enabled to communicate with other subnets on the same router, but
is unreachable from any other router, barring static routes. This can be
extended by using a different routing protocol or routing protocol domain
for the secure network; subnets on the various routers within the secure
domain are mutually reachable, and routes from the non-secure domain may be
leaked into the secure domain, but the secure domain is invisible to the
outside world.

**************************************************************************

From: Question 37
Date: 22 April 1996
Subject: What is VLSM?

A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing
resources to subnets according to their individual need rather than some
general network-wide rule. Of the IP routing protocols supported by Cisco,
OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.

Historically, EGP depended on the IP address class definitions, and
actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP
addresses (32 bit numbers); RIP and IGRP exchanged network and subnet
numbers in 32 bit fields, the distinction between network number, subnet
number, and host number being a matter of convention and not exchanged in
the routing protocols. More recent protocols (see VLSM) carry either a
prefix length (number of contiguous bits in the address) or subnet mask
with each address, indicating what portion of the 32 bit field is the
address being routed on.

A simple example of a network using variable length subnet masks is found
in Cisco engineering. There are several switches in the engineering
buildings, configured with FDDI and Ethernet interfaces and numbered in
order to support 62 hosts on each switched subnet; in actuality, perhaps
15-30 hosts (printers, workstations, disk servers) are physically attached
to each. However, many engineers also have ISDN or Frame Relay links to
home, and a small subnet there. These home offices typically have a router
or two and an X terminal or workstation; they may have a PC or Macintosh as
well. As such, they are usually configured to support 6 hosts, and a few
are configured for 14. The point to point links are generally unnumbered.

Using "one size fits all" addressing schemes, such as are found in RIP or
IGRP, the home offices would have to be configured to support 62 hosts
each; using numbers on the point to point links would further compound the
address bloat.

One configures the router for Variable Length Subnet Masking by configuring
the router to use a protocol (such as OSPF or EIGRP) that supports this,
and configuring the subnet masks of the various interfaces in the 'ip
address' interface sub-command. To use supernets, one must further
configure the use of 'ip classless' routes.

**************************************************************************

From: Question 38
Date: 22 April 1996
Subject: What are some methods for conserving IP addresses for serial lines?

VLSM and unnumbered point to point interfaces are the obvious ways.

The 'ip unnumbered' subcommand indicates another interface or sub-interface
whose address is used as the IP source address on messages that the router
originates on the unnumbered interface, such as telnet or routing messages.
By doing this, the router is reachable for management purposes (via the
address of the one numbered interface) but consumes no IP addresses at all
for its unnumbered links.



*******************************************************************************
*******************************************************************************
Start of rev 2.00 section!
*******************************************************************************
*******************************************************************************



**************************************************************************

From: Question 39
Date: 02 February 2002
Subject: Flash upgrade issues for Cisco 2500 series routers
Answer by: Terry Kennedy <terry@gate.tmk.com>


> When I remove the original flash and replace it with either one or both of
> the new flash chips, I get the following error on boot up and the router ends
> up in boot mode:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash


  This has to be the most common FAQ for this group. You have non-Intel
flash chips on your new SIMMs and boot ROMs that are too old to know about
the different access method for the flash chips you have.

  You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from
Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that
Intel no longer makes those chips, which is why everybody has this
problem.

**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: How do I prevent my switch ports from going into ErrDisable state?
Answer by: "bt" <@speakeasy.org>

The 2 commands that are in the newer CatOS (5.4+) to automatically recover from
errdisable are:

* set errdisable-timeout enable <reason>
* set errdisable-timeout interval <seconds>

the <reason> can be 1) bpdu-guard, 2) channel-misconfig, 3) duplex-mismatch,
4) udld  5) other and 6) all.
The <seconds> defaults to 300 seconds; you could make that more aggressive,
down to 30.

if you want, you can disable the errordetection as well:

* set errordetection portcounters disable

by default it's on for portcounters and disabled for memory and inband
management.

But please keep in mind that you need to fix the problem.  The ports are going
into ErrDisable mode for a reason!

**************************************************************************

From: Question 41
Date: 02 February 2002
Subject: How do I configure a router to act as a Frame-Relay Switch?
Answer by: "BM" <bmorgan@dont.spam.me.ieee.org>


config t
!
frame-relay switching
!
interface Serial0
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 !  In the config below, the 102 is the DLCI that will be
 !  presented to the router connected to this - S0 -
 !  interface.  201 is the DLCI that is mapped to S1
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301

interface Serial1
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302

interface Serial2
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
 frame-relay route 302 interface Serial1 203


                 ________              ______
                |  FR SW |_S2______S0_| R3   |
                |_______ |            |______|
               S0 /        \ S1
                 /          \
                /            \
         S0  __/___          _\_S0__
            |  R1 |         |   R2  |
            |_____|         |_______|

R1 S0, R2 S0 and R3 S0 will be on the same subnet.  You can treat it as p2mp.
I put all the DCE ends of the cables on the Frame Switch, so clock rate is
defined there.  However, this is not a requirement.  The FR Switch router
does not need to have the DCE end.  Regardless of the gender of the cable,
however, the "frame-relay intf-type dce" is required.  I defined the DLCIs
as  Source Router + 0 + Destination Router.  So if the circuit goes from
R1 to R3 it's DLCI 103.  From R3 to R1 it's DLCI 301.  You get the idea.
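Because each ``frame-relay route'' statement switches one direction only, a PVC silently fails if the reverse statement on the far interface is forgotten. The following added Python checker (mine, not BM's) parses a constructed config modelled on the one above, in which the Serial2 side of the R2-R3 circuit has deliberately been left out, and reports one-way routes, interfaces missing ``frame-relay intf-type dce'', and a missing global ``frame-relay switching''. The parse_fr_routes and check_fr_switch names are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the FR-switch config in Question 41; the
# reverse of "Serial1 203 -> Serial2 302" is left out so the checker finds it.
SAMPLE_CONFIG = """\
frame-relay switching
!
interface Serial0
 no ip address
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301
!
interface Serial1
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302
!
interface Serial2
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
"""

Hop = Tuple[str, int]   # (interface name, DLCI)


def parse_fr_routes(config: str) -> Tuple[bool, Set[str], Dict[Hop, Hop]]:
    """Return (switching enabled?, DCE interfaces, {(in_if, in_dlci): (out_if, out_dlci)})."""
    routes: Dict[Hop, Hop] = {}
    dce: Set[str] = set()
    switching = False
    current = None                      # interface whose stanza we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if line == "frame-relay switching":
            switching = True
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "frame-relay intf-type dce" and current:
            dce.add(current)
        else:
            m = re.match(r"frame-relay route (\d+) interface (\S+) (\d+)$", line)
            if m and current:
                key = (current, int(m.group(1)))
                if key in routes:
                    raise ValueError(f"duplicate route for DLCI {key[1]} on {key[0]}")
                routes[key] = (m.group(2), int(m.group(3)))
    return switching, dce, routes


def check_fr_switch(config: str) -> List[str]:
    """List the mistakes that leave a lab PVC half-working."""
    switching, dce, routes = parse_fr_routes(config)
    problems: List[str] = []
    if not switching:
        problems.append("global 'frame-relay switching' is missing")
    used = {k[0] for k in routes} | {v[0] for v in routes.values()}
    for ifname in sorted(used):
        if ifname not in dce:
            problems.append(f"{ifname}: 'frame-relay intf-type dce' is required")
    # Each direction needs its mirror image on the outgoing interface.
    for (in_if, in_dlci), (out_if, out_dlci) in sorted(routes.items()):
        if routes.get((out_if, out_dlci)) != (in_if, in_dlci):
            problems.append(
                f"{in_if} DLCI {in_dlci} -> {out_if} DLCI {out_dlci} has no matching "
                f"'frame-relay route {out_dlci} interface {in_if} {in_dlci}' on {out_if}")
    return problems
```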

**************************************************************************

From: Question 42
Date: 02 February 2002
Subject: What are the different types of memory used by Cisco Routers?
Answer by: Michael Shorts <mshorts@cisco.com>


The 2500 Series and 7204 VXR have the same types of memory, but they are
implemented in different physical packages:

ROMMON - This is the initial bootstrap for the router.

Boot Helper - This is a subset of IOS that is used to update software or
network boot. The 2500 implements the ROMMON and boot helper in a set of two
ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash
memory on the I/O controller called boot flash.

Main memory - This is used to hold routing tables, and IOS variables. In the
7204 VXR, IOS itself is also resident in main memory. The 2500 Series
usually runs the IOS directly in flash.

Shared memory - This is the memory that holds packet buffers. On the 2500
Series, this is part of the same physical memory as main memory. On the 7204
VXR, it's separate memory.

Flash memory - This memory holds the IOS image. On the 2500 Series, there
are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA
slots on the I/O controller which can take a 128 MB flash disk.

Configuration memory (NVRAM) - This is the memory that holds the IOS
configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is
128 KB battery backed up SRAM on the I/O controller.

**************************************************************************

From: Question 43
Date: 02 February 2002
Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?
Answer by: "Alberto Colmenero" <san@mobilix.dk>


Doc CD Content appears garbled:
The Doc CD content is compressed - it requires Verity to decompress it. This
is why Verity is used on the Doc CD. What has happened is you've tried to
directly open up index.html off the CD into your browser, and this is not
possible to do. The CD must be accessed through the Verity Web Publisher
through:
http://127.0.0.1:8080/home/home.htm
This is the startup address that is launched when you click on "Launch CD."


Windows 2000 and Doc CD:
Pre-July 2000 Documentation CDs do not work on Windows 2000 out of the box.
They will cause "Search.exe" to crash when run under Win2k.

There is a fix that sometimes works for these CDs at:
http://www.cisco.com/warp/public/620/ioscd.html.
This fix MUST be done BEFORE you install the CD. If the
CD has already been installed, then uninstall it, delete c:\cisco,
make this registry change, then re-install the Doc CD (both the Browser
Software Installer and the Documentation CD).
(I have tried this on my laptop which is running Windows 2000 and it worked
fine but I had to delete c:\Cisco first and launch the Browser Software
Installer CD (1) first then the Document CD (2) (my version of CD was Nov
1999)

(I have already sent this one to you did you delete c:\Cisco and lunch both
CDs)

Other fixes are shown below.

The Doc CD starts up to about:blank
There are two alternate fixes for this:

1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm
for the address, and then add it to your favorites.
-
or
-
2. This is a 4-step fix:
A. Ensure that search.exe is not running.
B. Edit the installed search.ini (c:\CISCO\search.ini).
C. Change the line 'Browser=c:\program files\internet explorer\iexplore.exe'
to 'Browser=msie'
D. Launch the CD.



Nothing happens when I click Launch CD
The usual cause for this is that you've installed a post-July 2000
Documentation CD over the top of a previous Doc CD.
The fix for this is to:
1. Uninstall the Doc CD from the control panel->add/remove programs.
2. Delete c:\cisco
3. Reinstall the Doc CD.


Finally to reorder a CD
The Cisco Documentation CD is also available online at:
http://www.cisco.com/univercd/home/home.htm

**************************************************************************

From: Question 44
Date: 02 February 2002
Subject:  How do I load a large image on a 2500 *lab* router?
Answer by:  vcjones@NetworkingUnlimited.com (Vincent C Jones)

For production work (support by Cisco required) you need 16M Flash
to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0
Enterprise is small enough (about 10M) to run from RAM (upgrading to
16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a
compressed image in the 8M of flash you do have.

12.1 Enterprise is 14M so it must be run from flash (otherwise there is
not enough RAM remaining to even complete loading of the OS).

Check the release notes on www.cisco.com for the IOS release you want to
use. If the actual size of the IOS plus the minimum recommended RAM
totals less than 16MB, you can run compressed or boot from TFTP without
expanding flash.  Check deja-news on google if you are unclear on how to
run a compressed image on the 2500, it is a frequent request and
hopefully will turn up in the renovated FAQ when Hansang gets a chance
to publish it.


**************************************************************************

From: Question 45
Date: 02 February 2002
Subject: daisy-chaining reverse telnet console-aux ports
Answer by:  Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux --> console and using reverse telnet to get to them...
>
> However when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router.  If I kill the AUX line, then initiate the
> reverse telnet again, I fall through router 2 and 3 to 4 again...
> Is there an easy way to fall back one router at a time?
> or should I not bother to do this?


You have two options.  One is to use a different escape character on the
second (third, fourth etc) console (and/or vty)

conf t
  line con 0  /* or vty 0 4 */
  escape-character 23

This will let you use CTRL-W then X to break out reverse telnet.

Or

You can use CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the second
session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the
third session, etc.


**************************************************************************

From: Question 46
Date: 02 February 2002
Subject: What Windows chatter could bring up an ISDN line?
Answer by: "Phillip Remaker" <remaker@cisco.com>

> ...we get multiple spurious dial-ups after every intended one.
> The first unwanted one occurs about 20 minutes after the intended one,
> and the subsequent unwanted ones about every 20 minutes after that.
> All last exactly 200 seconds, which is the configured router hangup
> time.
> Does anyone have any idea what might be causing these?

Yep.  See http://support.microsoft.com/support/kb/articles/Q135/3/60.asp
for all of the periodic packet transmissions associated with Windows
Networking.

Dialer access lists will not help you, since identifying information is too
deep inside the packet and therefore indistinguishable from real traffic 8-(.


**************************************************************************

From: Question 47
Date: 02 February 2002
Subject: How do I make NTP packets so it's only interesting on router bootup?
Answer by: Paul J Murphy <paul@murph.org>

!
access-list 101 permit udp any any eq ntp time-range sntp-dial
access-list 101 deny   udp any any eq ntp
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
time-range sntp-dial
 absolute end 00:00 01 January 2000
!

The time there doesn't really matter as long as it is later than the
epoch time for the device in question, and earlier than the current
time. 01/01/2000 was just the arbitrary choice I made last time I
configured that.

With that config, NTP will bring up the line if and only if the clock
on the Cisco has not already been set.

For an unattended installation which may not dial up very frequently,
it may be worth using a time-range which allows dialling once per day
to keep the clock reasonably well synced. If your usage pattern
results in the line coming up frequently, that is an unnecessary
step. Constructing an appropriate time-range statement is left as an
exercise for the reader.

If it's a small single user LAN, it's considered polite to avoid the
stratum-1 servers. Most ISPs should provide NTP servers for customer
use, eg try ntp.<isp>.net, timehost.<isp>.net, ntp0.<isp>.net,
ntp1.<isp>.net, etc. Apart from not overloading valuable global
resources, using a NTP server local to your ISP will probably provide
a more stable time service due to lower latency between the client and
server.

See also http://www.get-time.org/ for the UK government NTP initiative
(Greenwich Electronic Time).


**************************************************************************

From: Question 48
Date: 02 February 2002
Subject: How do I setup Lock & Key ACL?  Or punch temporary holes in my
         ACL if someone authenticates to my router?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


username foobar password cisco
!
int s0
   ip address 1.1.1.1 255.255.0.0
   ip access-group 101 in
!                                        /* or port 22 for ssh */
access-list 101 permit tcp any host 1.1.1.1 eq telnet
access-list 101 dynamic foobar permit ip any any
!
line vty 0 2
  login local
  autocommand access-enable host timeout 5
line vty 3 4
  login local
  rotary 1

The first access list allows telnet into the router.   Your users will
telnet into router and authenticate with username foobar and password
"cisco"

The router will then immediately disconnect the telnet session.  When
they successfully authenticate, an access list with their source IP will
be added to the dynamic list.  Basically, if they authenticate correctly,
they can come in to the inside network.  After 5 mins of inactivity the
entry will be deleted from the access list.

The vty 3 and 4 are using the rotary command so that you can telnet to
your router with the command:  "telnet 1.1.1.1 3001"  This takes you to
vty 3 (or 4).  This way, you can telnet into the router and actually
manage it.  A very subtle but VERY important point.  If you forget this,
you'll be making a trip to use the console port.


**************************************************************************

From: Question 49
Date: 02 February 2002
Subject: How do I telnet to a specific VTY line?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See "rotary" example in question 48.



**************************************************************************

From: Question 50
Date: 02 February 2002
Subject: Is there a better (free) tftp server than the one by Cisco?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

3CDv2r10.zip file located at:
http://support.3com.com/software/utilities_for_windows_32_bit.htm


**************************************************************************

From: Question 51
Date: 02 February 2002
Subject: How do I use the Cisco Documentation CD (UniverseCD) under Linux?
Answer by: Vincent C Jones VCJones@NetworkingUnlimited.com

Another option is to suffer like us Linux users and forego the
ability to search the CD (but hey, for that you can go online). The
technique below works fine if your platform can run an Apache web
server. Note the update for more recent CD's which use bzip2 rather
than gzip compression.


Using Apache/1.3.3, I use these configuration directives:

-----CUT HERE-----

Alias /cisco/ /cisco-cdrom-mount-point/

<Directory /cisco-cdrom-mount-point>
Options Indexes
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>

<Location /cisco/cc/>
AddEncoding x-gzip htm pdf
</Location>

-----CUT HERE-----

and then, you should be able to access all compressed contents!
Start with 'http://localhost/cisco/home/home.htm'.

The whole trick is to make Apache tell Netscape (or IE, or Lynx)
that the contents must be gunzipped (HTTP/1.1 Mime-Encoding header).

**************************************************************************

Update added July 15, 2000 by Dr Vincent C Jones, PE:

Starting July 2000 or so, the encoding switched to bzip2. So change
the apache entries to "x-bzip" and add bzip entries if required to
/opt/netscape/Netscape.ad as shown below.

*encodingFilters:                 \
    x-compress :  : .Z       : uncompress -c    \n\
    compress   :  : .Z       : uncompress -c    \n\
    x-bzip     :  : .bz,.bz2 : bzip2 -cdq    \n\
    bzip       :  : .bz,.bz2 : bzip2 -cdq    \n\
    x-gzip     :  : .z,.gz   : gzip -cdq    \n\
    gzip       :  : .z,.gz   : gzip -cdq    \n

**************************************************************************

Update added June 10, 2001 by Dr Vincent C Jones, PE:

Newer versions of Netscape do not use a Netscape.ad file. Instead, the
changes can be made to ~/.Xdefaults. Note that these changes CANNOT be
added from Netscape using edit/preferences.



**************************************************************************

From: Question 52
Date: 02 February 2002
Subject: How do I NAT on a single Cisco 2503 Ethernet interface?
Answer by: "Pawel Sikora" <psi@polbox.WYCIEP-TO.pl>

interface Loopback0
 ip address 10.0.255.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address xxx.yyy.zzz.ttt 255.255.255.248
 ip nat outside
 ip policy route-map LOOPNAT
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map LOOPNAT permit 10
 match ip address 1
 set interface Loopback0
!
------------------------
Note that the Lo0 interface may have any IP address.



**************************************************************************

From: Question 53
Date: 02 February 2002
Subject: How do I hide a summarized OSPF route from one ABR to another?
Answer by: Alex Bakhtin <bakhtin@amt.ru>

area 1 range x.x.x.x x.x.x.x not-advertise



**************************************************************************

From: Question 54
Date: 02 February 2002
Subject: What is the pinout for the Console port on a 2518?
Answer by: Michael Shorts (mshorts@cisco.com)



The CISCO2518 has a console port on the hub card which is a different pinout
than the standard Cisco console (the hub card is an OEM from another company).

The pinout is:

Management Console Pinout

  RJ-45 pin   Description   Direction   DB-25 pin
  ---------   -----------   ---------   ---------
      1       TxD           output          3
      2       GND           -               7
      3       RTS           output          5
      4       CTS           input           4
      5       DTR           output          6
      6       DSR           input          20
      7       shield        -               -
      8       RxD           input           2

Note that the console port does not support RTS/CTS hardware flow control.




**************************************************************************

From: Question 55
Date: 02 February 2002
Subject: How do I find the "real" IOS name when the file is in DOS format?
Answer by: Terry Kennedy <terry@gate.tmk.com>




Given:
> -rw-rw-r--  1 jomo  sol3  8465736 May 30 08:49 aaa1324.bin
> -rw-rw-r--  1 jomo  sol3  7891164 May 30 08:49 aaa1325.bin
> -rw-rw-r--  1 jomo  sol3  7347200 May 30 10:46 aaa1326.bin

Try "strings aaa1324.bin". You should see something like:

  Cisco Internetwork Operating System Software
  IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)

near the end, mixed in with all the other junk. If these are compressed
(mz-style) images, you'll have to unzip them first. Ignore the warning that
says something like:

  (9:44) gate:/tmp# unzip c5300-j-mz.120-8.bin
  Archive:  c5300-j-mz.120-8.bin
  warning [c5300-j-mz.120-8.bin]:  19376 extra bytes at beginning or within
  zipfile
    (attempting to process anyway)
    inflating: C5300-J-.BIN

and then grep the resulting file.
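The same check as an added Python example (this is not part of the FAQ answer and not a Cisco tool): it pulls out printable runs the way strings(1) does, searches them for the "IOS (tm) ..., Version ..." banner, and handles the compressed (mz-style) case by opening the zip archive that sits behind the extra leading bytes unzip warns about. The sample "images" are constructed inline and are not real IOS files; function names such as ios_banner and unwrap_mz_image are my own.

```python
"""Find the IOS version banner inside an image file, as 'strings | grep' would.

Added example, not from the FAQ.  The sample data built by build_samples()
is constructed for the test and is not a real IOS image.
"""
import io
import re
import sys
import zipfile

# The banner line the answer above says to look for, up to the version.
_BANNER = re.compile(r"IOS \(tm\) .*?, Version [^\s,]+")


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def unwrap_mz_image(data: bytes) -> bytes:
    """Return the first zip member if data is a zip archive, else data itself.

    Compressed (mz-style) images are a self-extracting stub followed by a zip
    archive; that stub is what unzip's 'extra bytes at beginning' warning is
    about.  zipfile locates the archive from its end, so the stub is skipped.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return data
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        return zf.read(names[0]) if names else data


def ios_banner(data: bytes):
    """Return the 'IOS (tm) ... Version X' string from an image, or None."""
    for s in strings(unwrap_mz_image(data)):
        m = _BANNER.search(s)
        if m:
            return m.group(0)
    return None


def build_samples():
    """Constructed test data (not real IOS images): an uncompressed image and
    the same bytes packed mz-style, i.e. a zip archive behind a junk stub."""
    raw = (b"\x00\x7f\x01junk\x00"
           b"Cisco Internetwork Operating System Software\n"
           b"IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(9), "
           b"RELEASE SOFTWARE (fc1)\n"
           b"\x00\xff\xfe")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("C2500-IS.BIN", raw)
    stub = b"\x7fELF self-extracting stub\x00" * 20   # stands in for the loader
    return raw, stub + zbuf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", ios_banner(fh.read()))
```

Run it as "python find_ios.py image.bin ..." to print the banner for each file; None means the file is neither a plain image nor a zip-wrapped one that zipfile can open, so it is worth checking that you really have an IOS image before copying it to flash.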





**************************************************************************

From: Question 56
Date: 02 February 2002
Subject: How do I setup Windows 2000 and IPSec to PIX Firewall?
Answer by: "Steven Griffin" <segjr@gte.net>


To describe how to use the Local Security Policy MMC in W2K would take a
long time.  So, the config I will share with you is the 'dial-up' one I
mentioned before.  In this posting I will detail the bare minimum needed to
get a W2K client working with a PIX firewall running v6.01 software. For
simplicity I use a preshared key for authentication.  Since I have to embed
this key into the script I use, it makes the configuration open and thus
vulnerable. However, you should be able to tweak the configuration from this
to meet your own security needs.  The W2K IPSec client supports certificates
as well as preshared keys, so a "secure" version of this config is
attainable.

The configuration script I eked out (it isn't beautiful code) is actually
written in Perl.  If you would like to re-write it in the old DOS batch file
format, please do so.  Otherwise, you should find a copy of Perl for NT/W2K.
I use the version found at http://www.activestate.com. The Perl script I
show here is documented as to what it does.  The MS ipsecpol.exe program
that you have to use has its own documentation which you should read.  For
the PIX I give you only the crypto, isakmp, and sysopt commands you need to
issue to your PIX to make this config work.  The config assumes that the PIX
has NAT enabled.

Ok, enough blabber, here it is... I hope it is helpful!

For the purposes of this 'demo' config, the PIX Firewall will have
192.168.0.1 as its outside IP.  The inside network will be the 10.0.X.X
network.  The inside router will be 10.0.0.1.

Quick Network Schematic:

[W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] --->
[Internet]---->[PIX Firewall(192.168.0.1)] ---> [Internal LAN
(10.0.X.X)] --> [Inside Router (10.0.0.1)]

The PIX firewall commands needed are:

sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible

crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside

isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside

The Perl script I wrote is as follows.  I execute this script every time I
establish a connection with my dial-up ISP. It then sets up the IPSec tunnel
using my current ISP assigned IP Address.

#begin listing

# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.

# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at some point but I am in a hurry right now.

use strict;
use warnings;
use Net::hostent;
use Net::Ping;
use Socket;

# Two variables: one for the local IP address and one for the VPN server.
# This script assumes that the VPN server has a static IP.
my $localipaddress;
my $VPNHostIP = '192.168.0.1';

# The following section of code discerns the IP address of the host provided
# in the command line arguments.  The default is the localhost.
# NOTE: The code section is smart and gives you a routable IP (if available)
# and not just 127.0.0.1.
# This section is pretty much identical to the one found on the PERL
# documentation site.  I just added an assignment of the discerned IP address
# to the $localipaddress variable, and changed the @ARGV assignment to
# 'localhost' instead of 'netscape.com'.

@ARGV = ('localhost') unless @ARGV;
for my $host (@ARGV) {
    my $h = gethost($host);
    unless ($h) {
        warn "$0: no such host: $host\n";
        next;
    }
    printf "\n%s is %s%s\n",
        $host,
        lc($h->name) eq lc($host) ? "" : "*really* ",
        $h->name;
    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
        if @{$h->aliases};
    if (@{$h->addr_list} > 1) {
        my $i = 0;
        for my $addr (@{$h->addr_list}) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
        }
    } else {
        # My modification is on the next line.
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }
    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s!\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}

# Without a local address the ipsecpol commands below would be malformed,
# so stop here rather than run them with an empty -t argument.
die "$0: could not determine the local IP address\n"
    unless defined $localipaddress;

# This next section is a very modified version of the Ping example on the
# Perl Documentation Website.

# Now that we know our IP address, we can set up the IPSec tunnel.
# First we try and ping our VPN server.
my $p = Net::Ping->new("icmp");
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP)) {
    print "Yes\nAttempting to initialize IPSec Connection";

    # Now that we can see our server, let's stop and start the W2K IPSec
    # Policy Agent.  This deletes any 'dynamic' IPSec policies that may have
    # been in effect before.
    print "\nResetting IPSec Policy Agent";
    my $cmdstring = 'Net Stop "IPSec Policy Agent"';
    system($cmdstring);
    $cmdstring = 'Net Start "IPSec Policy Agent"';
    system($cmdstring);

    # Now we issue the ipsecpol command to set up the tunnel to our VPN Server.
    # The ipsecpol command line utility can be found on Microsoft's Website.
    # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
    # or
    # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5/EN-US/ipsecpol_setup.exe

    # MS requires two ipsecpol commands be issued in order to set up a tunnel.
    # One for the inbound traffic and one for the outbound traffic.
    # For this tunnel I used the following settings:
    #  The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to my IP
    #  address.
    #  The tunnel setting '-t' is either my IP address or the VPN server's IP
    #  address.
    #  The security method list '-1s' is for DES-MD5-1
    #  The security negotiation setting '-n' is for ESP[DES,MD5]
    #  We are using QuickMode key exchange '-1k', rekeying after 10 quick
    #  modes '10q'
    #  We are using perfect forward secrecy '-1p'
    #  For authentication we are using a preshared key '-a'
    #    NOTE: the preshared key must be enclosed in double quotes
    # See the documentation of the utility for further details.
    print "\nSetup IPSec Tunnel";

    # This sets up the inbound leg of the tunnel.  We are filtering all
    # traffic inbound from 10.0.X.X to our IP address.
    # The critical part of this statement is that the -t argument must
    # contain our local IP.
    $cmdstring = 'ipsecpol -f 10.0.*.*=' . $localipaddress
               . ' -t ' . $localipaddress
               . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p'
               . ' -a PRESHARE:"gobbeldygook"';
    printf "\n%s", $cmdstring;
    system($cmdstring);

    # This sets up the outbound leg of the tunnel.  We are filtering all
    # traffic outbound to 10.0.X.X from our IP address.
    # The critical part of this statement is that the -t argument must
    # contain the VPN server's IP address.
    $cmdstring = 'ipsecpol -f ' . $localipaddress . '=10.0.*.*'
               . ' -t ' . $VPNHostIP
               . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p'
               . ' -a PRESHARE:"gobbeldygook"';
    printf "\n%s\n", $cmdstring;
    system($cmdstring);

    # Now that we have issued our commands, we should test the network and
    # see if we can see inside it.  The internal router is the easiest
    # target.  Here it is 10.0.0.1.

    # We first do a ping just so that the IPSec tunnel will negotiate.  W2K
    # does not set up the tunnel until you actually try and send traffic to
    # an IPSec filtered IP address.
    # Then we do another ping and tell the user what happened.
    print "\nTrying to ping internal network: ";
    $p->ping("10.0.0.1");
    if ($p->ping("10.0.0.1")) {
        print "Success\n";
        sleep(1);
    } else {
        print "Failure\n";
        sleep(1);
    }
} else {
    # If we reach this point, we could not see our VPN server's external IP
    # address from our ISP.
    print "No\nTry redialing your ISP";
    sleep(3);
}
$p->close();
#end listing



**************************************************************************

From: Question 57
Date: 02 February 2002
Subject: How do I use tftpdnld via Ethernet port on a 2600?
Answer by: "Joel" <joelyung@yeah.net>


Press Ctrl+Break on the terminal keyboard within 60 seconds of the power-up
to put the router into ROMMON.

rommon 1 > IP_ADDRESS=172.15.19.11
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=172.15.19.1
rommon 4 > TFTP_SERVER=172.15.20.10
rommon 5 > TFTP_FILE=/tftpboot/c2600-i-mz
rommon 6 > tftpdnld


**************************************************************************

From: Question 58
Date: 02 February 2002
Subject: How do I setup MultiLinkPPP?
Answer by: "Patrick M. Hausen" <hausen@nospam.de>

multilink PPP without virtual template

 int Multilink1
  description multilink bundle
  ip unnumbered Loopback0
  ppp multilink
  multilink-group 1
!
 int Ser0
  description first T1 line
  encaps ppp
  ppp multi
  multilink-group 1
!
 int Ser1
  description second T1 line
  encaps ppp
  ppp multi
  multilink-group 1

Again, recent software necessary: at least 12.0T or 12.1
or one of the ISP branches (12.0S).


**************************************************************************

From: Question 59
Date: 02 February 2002
Subject: How much memory is taken up by BGP routes?
Answer by: "Laron Swapp" <laron.d.swapp@intel.com>


As a reference, please see the following from
http://www.cisco.com/warp/public/459/
I'd like to drill down another level to decide why each entry contains 240
bytes!  Tech Tip: How Much Memory Does Each BGP Route Consume?

Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in
the BGP table and another 240 bytes in the IP routing table. Each BGP path
takes about 110 bytes.


**************************************************************************

From: Question 60
Date: 02 February 2002
Subject: What is the difference between a CiscoPro model and a regular one?
Answer by: Michael Shorts <mshorts@cisco.com>

It depends on the model. With some models, it's just a different paint
color. Other models have a special key that restricts the software
images that can be used (for those, there is a "cookie programming"
utility to turn it into a "regular" unit).


**************************************************************************

From: Question 61
Date: 02 February 2002
Subject: How do I stop my router from looking for cisconet.cfg or
         network-config?
Answer by: vcjones@NetworkingUnlimited.com (Vincent C Jones)

Look up "service config" in the manual (available on www.cisco.com if
you do not have a local copy). Turn it off using the command "no service
config" in configuration mode.


**************************************************************************

From: Question 62
Date: 02 February 2002
Subject: How do I setup DHCP service on my router?
Answer by: Dave Phelps <tippenring@nospam.bigfoot.com>

Here is my 1601 performing as a DHCP server config...
The static pool is how I use DHCP to assign the same IP to the same PC
each time, essentially a static IP address assignment. The only other
requirement is that, if you have an inbound ACL on the interface where
DHCP requests will be received, bootp must be permitted.

ip dhcp excluded-address 192.168.3.1 192.168.3.9
!
ip dhcp pool dhcp-pool
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   netbios-node-type b-node
   dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
!
ip dhcp pool static-pool
   host 192.168.3.2 255.255.255.0
   client-identifier 0100.00c5.0cbd.7e
   client-name main_pc
   default-router 192.168.3.1
   dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee



**************************************************************************

From: Question 63
Date: 02 February 2002
Subject: How do I configure transparent proxy redirecting on a Cisco router?
Answer by: alan@internal.wj.com (Alan Strassberg)


>Is it possible to configure transparent proxy redirecting on a Cisco router?
>I would like to redirect all www requests from specific IP addresses to
>another IP address and another port.

	A route-map does the IP redirection nicely, I've used it for
	http and smtp. Not sure about switching ports simultaneously
	with the same route map, but you could fix this with 'ipfw'
	or similar on the host. Be sure you have 'ip route-cache policy'
	enabled to save CPU on the interface. WCCP is another option.

	http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5


**************************************************************************

From: Question 64
Date: 02 February 2002
Subject: How do I use the PCMCIA slot in my 2500 router?
Answer by: "Josh Duffek" <joshd@cisco.com>


That slot is not used anymore.  It was used about four years ago to load
boot helper code or feature set upgrades.


**************************************************************************

From: Question 65
Date: 02 February 2002
Subject: What cable do I use on 1900 switch with a DB9 Console connector?
Answer by: "aros.net" <nelson@aros.net>

Hi,  Thanks for the help.  Just so anyone searching the archives will find
the answer, for an old Catalyst 1900 switch a DB9 female to DB9 female null
modem cable works great and solved my console connection problem.

For the search engines: the terminal program was returning ATQ0H0 and
ATQ0Z0 on an old Cisco Catalyst 1900 switch.


**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: How do I use a route-map to limit redistribution in OSPF?
Answer by: hbae_@_nyc.rr.com.REMOVE_ (Hansang Bae)


!  /*  match only 172.16.10.x and 172.16.11.0 subnets */
!
access-list 1 permit 172.16.10.0 0.0.1.255
!
!
!  /* use access-list 1 to determine what gets matched */
!
route-map LoopbacksOnly permit 10
   match ip address 1
!
!
!  /* redistribute connected networks, any and all subnets,   */
!  /* and seed it as E2 type. Note that throughout your       */
!  /* OSPF domain, your loopbacks will have a metric of 20    */
!  /* 20 is the default metric when you redistribute into     */
!  /* OSPF.  Except for BGP routes which get a metric of 1.   */
!  /* Also use the route-map LoopbacksOnly to selectively     */
!  /* redistribute only the ones we want to redistribute.     */
!
router ospf 200
   redistribute connected subnets metric-type E2 route-map LoopbacksOnly



**************************************************************************

From: Question 68
Date: 02 February 2002
Subject: How do I connect 675 DSL units back to back?
Answer by: "Josh Duffek" <joshd@cisco.com>

Well I found out that you can hook up other DSL boxes back to back... here is
part of an email I found on it:

you need:
'dsl equipment-type CO' on one side and
'dsl equipment-type CPE' on the other

Here is a working example from the lab:

(The distance limitation should be the same
as the one found in the docs)

also, you can run 'debug dsl-phy' a new
command to look at the trainup.

(CO side, an 828)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CO
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
 !
!

(CPE side, a SOHO78)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.1 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
 !



**************************************************************************

From: Question 68
Date: 02 February 2002
Subject: How do I format the PCMCIA card on a 3600?
Answer by: "Brian" <nondogmatist@hotmail.com>

Thanks guys. The "erase slot0" turned the trick. I appreciate the help.



**************************************************************************

From: Question 69
Date: 02 February 2002
Subject: How do I read Token Ring Mac and RIF?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


> Of the following Token Ring Source MAC addresses, which one indicates to
> receiving hosts that RIF is present.
> A.0007.7816.fe58
> B.1007.7816.fe54
> C.7007.7816.fe54
> D.8007.7816.fe58
> E.3007.7816.fe54
>
> The correct answer is D and here is the explanation: "When a RIF is present,
> the first bit of the source MAC address is set to 1. Therefore, any address
> that begins with 8 through f denotes that a RIF will follow the source MAC
> address."
>
> Here is my analysis:
> 8:1000  9:1001  a:1010  b:1011  c:1100  d:1101   e:1110   f:1111
>
> Fine, we see that the first bit is set to 1 and a RIF will follow. My
> confusion is this: Is 8007.7816.fe58 actually the MAC address that is seen
> on the other side? I thought we were supposed to swap the MAC address if
> configured with RSRB or SRT?


You swap the bits in the MAC because Ethernet is canonical and TR is non-
canonical.  There would be no translation in TR to TR.  And by
definition, if the other side saw item D as the address, it would have
to be TR as there are no RIFs in the Ethernet world.


> What kind of concept is behind changing this first
> bit of the MAC address? Say I have a MAC 2678 and I would like to set the
> first bit to 1, so it changes to what, 8,9,a,b,c,d,e, or f? I know the first
> few bits of a MAC represent a certain vendor identity, but by changing the
> first bit in the MAC, is it something kind of odd? What about ARP or RARP
> service with this change? and all and all. Help please.


In Ethernet, the 47th place bit (first one from the left if the MAC was
written in binary) represents whether this is a Group or Individual MAC
address.  All group addresses (including the broadcast) will have this
set to a binary 1.   The 46th place bit (second one from the left if the
MAC was written in binary) represents the Globally Unique or Locally
Assigned bit.

If you change your MAC, it should set the 46th bit.  (Of course many
drivers do not do this these days.)

The part that can get confusing is that the Most Significant *BYTE* is
transmitted first.  But within that byte, the Least Significant *BIT* is
transmitted first.  For those of you who dealt with ODI drivers in DOS
days, whenever you loaded up LSL.com, it said ....LSB Mode.... That
signified that it was running in Least Significant Bit mode.  Just a bit
of trivia for you trivia buffs.

Here's a concrete example:

Let's say my MAC address on this machine is:  08-10-A4-C5-B3-4D

How would this get transmitted?  Well, we know that 08 will go first
(it's the most significant *byte*), then 10, then A4 etc.  So when 08
gets transmitted, remember that it's the LSBit that hits the wire
first... so

08 in binary is:  00001000
So the transmission order is 0, 0, 0, 1, 0,0,0,0.

I'll skip the 10 since it's equally uninteresting.  Moving on to A4

A4 in binary is:  10100100.
So the transmission order is 0, 0, 1, 0, 0, 1, 0, 1.
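The bit handling above, worked through in Python as an added illustration (this is not the FAQ author's code; the function names such as parse_mac, bit_reverse and has_rif are my own). It shows the LSB-first transmission order of each byte, where the I/G and U/L bits sit in the canonical (Ethernet) and non-canonical (Token Ring) written forms, the bit reversal between the two forms, and the RIF indicator the quoted question asks about. It uses the MAC addresses quoted in this answer plus a couple of well-known ones (01-00-5E-... is the IPv4 multicast range, 02-... has the locally administered bit set). Questions 70 and 71 below point back to this answer, so this example serves them as well.

```python
"""Ethernet / Token Ring MAC address bit handling.

Added example, not part of the FAQ.  Addresses in the tests are the ones
quoted in the answer plus constructed ones.
"""
import re


def parse_mac(text: str) -> bytes:
    """Accept 08-10-A4-C5-B3-4D, 08:10:a4:c5:b3:4d or 0810.a4c5.b34d."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def transmission_order(byte: int) -> list:
    """The order in which Ethernet puts one byte's bits on the wire: LSB first."""
    return [(byte >> i) & 1 for i in range(8)]


def wire_bits(mac: str) -> list:
    """The whole address as transmitted: most significant byte first,
    least significant bit of each byte first."""
    bits = []
    for b in parse_mac(mac):
        bits.extend(transmission_order(b))
    return bits


def ig_bit(mac: str, canonical: bool = True) -> int:
    """Individual/Group bit: the first bit of the address on the wire.

    Canonical (Ethernet) notation writes each byte with its LSB transmitted
    first, so that bit is bit 0 of the first byte (01-00-5E-... multicast).
    Non-canonical (Token Ring) notation writes bits in wire order, so the
    same bit is the leftmost bit of the first byte as written."""
    first = parse_mac(mac)[0]
    return (first & 0x01) if canonical else ((first >> 7) & 1)


def ul_bit(mac: str, canonical: bool = True) -> int:
    """Universal/Local bit: the second bit on the wire (1 = locally assigned)."""
    first = parse_mac(mac)[0]
    return ((first >> 1) & 1) if canonical else ((first >> 6) & 1)


def bit_reverse(mac: str) -> str:
    """Reverse the bits within each byte: canonical (Ethernet) form <->
    non-canonical (Token Ring) form.  Applying it twice gives the input back."""
    swapped = bytes(int(f"{b:08b}"[::-1], 2) for b in parse_mac(mac))
    return "-".join(f"{b:02X}" for b in swapped)


def has_rif(tr_source_mac: str) -> bool:
    """Token Ring reuses the I/G bit position of the *source* address as the
    Routing Information Indicator: set means a RIF follows the source address."""
    return ig_bit(tr_source_mac, canonical=False) == 1


if __name__ == "__main__":
    mac = "08-10-A4-C5-B3-4D"
    print(mac, "on the wire:", wire_bits(mac))
    print("Token Ring form:", bit_reverse(mac))
    for src in ("0007.7816.fe58", "8007.7816.fe58"):
        print(src, "RIF present:", has_rif(src))
```

Note that bit_reverse is its own inverse, so the same function translates in both directions; this is also why a Token Ring address seen through an RSRB or SRT bridge looks "wrong" when read in Ethernet notation.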



**************************************************************************

From: Question 70
Date: 02 February 2002
Subject: How are Ethernet MAC addresses transmitted?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See question 69.


**************************************************************************

From: Question 71
Date: 02 February 2002
Subject: Why are the 46th and the 47th bit significant in Ethernet MAC address?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See question 69.



**************************************************************************

From: Question 72
Date: 02 February 2002
Subject: Why can't I upload an IOS image on to my flash on my 2500 router?
Answer by: Michael Shorts <mshorts@cisco.com>

> i took one from another 2500, same label E28F008SA and unfortunately,
> same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
> 0x2101


The flash in your system is not recognized by the boot ROM. You can upgrade
your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).



**************************************************************************

From: Question 73
Date: 02 February 2002
Subject: How do I configure my router so it becomes a DHCP CLIENT?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

You need 12.1(2)T or better and one of the following platforms:
C800, C100x, C1400, C160x, C17x0, C25xx, C26xx, C36xx, C4x00, C64xx,
C7x00, C8500, and C12000

UBR900, UBR7200

MC3810

The interface command is "ip address dhcp"



**************************************************************************

From: Question 74
Date: 02 February 2002
Subject: Does my Cisco terminal server send a BREAK signal on reboot?
Answer by: Aaron@Cisco.COM (Aaron Leonard)


2611's or 2511's?  The NM-A async modules do NOT exhibit the break-on-poweroff
problem.  See http://www.conserver.com/consoles/breakinfo.html
for an independent report.



**************************************************************************

From: Question 75
Date: 02 February 2002
Subject: How do I access the Console port on an AccessPro (AP-EC) card?
Answer by: levinm@iserv.net (Martin H. Levin)

I have had similar problems accessing the console on the AccessPro
card.  I read somewhere that the AccessPro has a problem with Windows,
which during the boot probes the serial ports looking for the mouse.
My answer to this has been to put the card in an old 486 and use DOS
with an old terminal program to access the AP-EC card.  It works!  I
have two AP-EC cards in the same machine, which I have initially
configured using com ports 1 and 2, and switch the terminal program
from com1 to com2 and back as I need to set up the two cards.  Once
set up, the console on each card can be reached through the aux port.

The problem with Windows has been handy, since this setup doesn't
allow for entry into monitor when the password is lost (or you get a
bad secrets message).  After much effort and reading the Windows
problem message, I took the card out of the DOS machine, put it into a
Windows machine and sure enough the damn thing went into monitor mode
and I was able to recover/reset the password.



**************************************************************************

From: Question 76
Date: 02 February 2002
Subject: How do you setup a simple Priority Queuing?
Answer by: Richard Gallagher <rgallagh@cisco.com>


I would take a look at priority queuing, see the link below:

http://www.cisco.com/univercd/cc/td/doc/produc