Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

comp.dcom.sys.cisco FAQ Version 2.20 (Last Modified 5/29/02)


[ Usenet FAQs | Web FAQs | Documents | RFC Index | Sex offenders ]
NEW IN VERSION 2.20
0.1 Where can I obtain the FAQ:
118. Where can I find a list of undocumented IOS commands?
119. Where can I find information on securing or hardening Cisco routers?
120. How can I connect two Cisco routers back to back through the AUX ports?
121. How do I use Secure Shell (SSH) on Cisco devices?
122. Can I use a /31 address space for my serial point-to-point interfaces?
123. How do i see log messages on the router console?
124. What is my overhead of using IPSec
125. What is the pinout for the DB9 to RJ45 connector?
126. Should I use a T1, Cable modem or DSL for Internet connections?
127. How do I change the time length of 15 mins that is used when
displaying the Show ISDN history command?
128. Why do I see "double" characters when I telnet into my router?
129. How do I see power-supply failures via SNMP?
130. How do I change the timer for tx/rxload when doing "show int" command?
131. How do I setup SLIP on my Cisco terminal servers?
132. How do I setup FR End-to-End keepalives?
133. What basic information do I need to setup a T1 from my ISP?
134. How do I setup NAT and Port forwarding?
135. Where can I buy some Back-to-Back serial cables?
136. How can I policy-route router generated packets?
137. Is there another way to upload my IOS w/o a tftp server?
138. What does the keyword EXTENDABLE mean when doing NAT?
139. Where can I get some third party icons for my Visio program?
140. Can you help me interpret the output fomr "Looking Glass" (BGP?)
141. When using Tunnel with an interface that has an ACL, what happens?
142. Do I need a Xover cable when using 1000Base-T?
143. How dow I break the "Rule of Ten" for BGP Load balancing?
144. How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
145. Should I turn off console loggin??

See reader questions & answers on this topic! - Help others by sharing your knowledge
This FAQ is edited by Hansang Bae, <hbae@thrupoint.net>.

Administrivia:
The new section starts from  Question 39 and up (inclusive).  The old section
was from the original FAQ which I did not maintain.

Please contribute answers to the questions in the Todo section! If
your answer is somewhat complicated, posting would probably be best
(to comp.dcom.sys.cisco). Otherwise, e-mail it to cisco-faq@nyc.rr.com.
Please note that a LOT of these questions have been hanging around for
some time, and if knowledgable people could take the time to answer a
few of them, that'd help.

Since this FAQ was first developed, cisco has written up a lot of
useful information on their web site, http://www.cisco.com.  If you
can't find what you're looking for here, please check there, too.


Table of Contents

0.    Hall of Fame for Revision 2.0 and above:  See end of the FAQ:
0.1   Where can I obtain the FAQ:
1.    How can I contact cisco?
2.    What is this newsgroup?
3.    What does ``cisco'' stand for?
4.    How do I save the configuration of a cisco?
5.    Where can I get ancillary software for my cisco?
6.    Is there a World-Wide-Web (www) information source?
7.    How can I get my cisco to talk to a third party router over
8.    How can I get my cisco to talk to a 3rd-party router over Frame Relay?
9.    How can I use debugging?
10.   How can I use NTP (Network Time Protocol) with my cisco?
11.   Sample cisco NTP Configurations
12.   How do I avoid the annoying DNS lookup if I have misspelled a command?
13.   Tracing bad routing information
14.   How to use access lists
15.   The cisco boot process
16.   Where can I get cisco hardware?
17.   Where can I get IETF documents (RFCs, STDs, etc.)?
18.   Future features in cisco software
19.   How do cisco routers rate performance-wise?
20.   How are packets switched?
21.   How does one interpret buffer statistics?
22.   How should I restrict access to my router?
23.   What can I do about source routing?
24.   Is there a block of private IP addresses I can use?
25.   Is DHCP supported?
26.   Where can I get cisco documentation?
27.   What's the latest software for the CSC/3?
28.   What IP routing protocol should I use?
29.   How do I interpret the output of ``show version''?
30.   What is the maximum number of Frame Relay PVCs?
31.   How much memory is necessary to telnet to a cisco router?
32.   Where can I purchase flash RAM?
33.   When are static routes redistributed?
34.   When is the next hop of a route considered ``reachable''?
35.   How do name and phone number of ``dialer map'' interfere?
36.   What's the purpose of the network command?
37.   What is VLSM?
38.   What are some methods for conserving IP addresses for serial lines?

******************************************************************************
New questions/answers for revision 2.00 starts from here!
******************************************************************************

39.   Flash upgrade issues for Cisco 2500 series routers
40.   How do I prevent my switch ports from going into ErrDisable state?
41.   How do I configure a router to act as a Frame-Relay Switch?
42.   What are the different types of memory used by Cisco Routers?
43.   How do I load the Documentation CD (UniverseCD) on Windows 2000?
44.   How dow I load a large image on a 2500 *lab* router?
45.   Daisy-chaining reverse telnet Aux-to-Console ports
46.   What Windows chatter could bring up and ISDN line?
47.   How do I make NTP packets so it's only interesting on router bootup?
48.   How do I setup Lock & Key ACL?
49.   How do I telnet to a specific VTY line/
50.   Is there a better (free) tftp server than the one by Cisco?
51.   How do I use the Cisco Documentation CD (UniverseCD) under Linux?
52.   How do I NAT on a single Cisco 2503 Ethernet interface
53.   How do I hide a summarized OSPF router from one ABR to another?
54.   What is the pinout for the Console port on a 2518?
55.   How do I find the "real" IOS name when the file is in DOS format?
56.   How do I setup Windows 2000 and IPSec to PIX FIrewall
57.   How do I use tftpdnld via Ethernet port on a 2600?
58.   How do I setup MultiLinkPPP?
59.   How much memory is taken up by BGP routes?
60.   What is the difference between a CiscoPro model and a regular one?
61.   How do I stop my router from looking for cisconet.cfg or network-config?
62.   How do I setup DHCP service on my router?
63.   How do I configure a trasparent proxy redirecting on CISCO router?
64.   How do I use the PCMCIA slot in my 2500 router?
65.   What cable do I use on 1900 switch with a DB9 Console connector?
66.   How do I use a route-map to limit redistribution in OSPF?
67.   How do I connect 675 DSL units back to back?
68.   How do I format the PCMCIA card on a 3600?
69.   How do I read Token Ring Mac and RIF?
70.   How are Ethernet MAC addresses transmitted?
71.   Why are the 46th and the 47th bit significant in Ethernet MAC address?
72.   Why can't I upload an IOS image on to my flash on my 2500 router?
73.   How do I configure my router so it becomes a DHCP CLIENT?
74.   Does my Cisco terminal server send a BREAK signal on reboot?
75.   How do I access the Console port on an AccessPro (AP-EC) card?
76.   How do you setup a simple Priority Queuing?
77.   What are the pro's and con's of using two ISP/BGP providers?
78.   How do I tell the difference between the differen 2900 XL switches?
79.   How do I suppress the transmission of PPP frames from when dialing in?
80.   Where can I get mzmaker to compress my IOS?
81.   What is the meaning of in/out in reference to an access-list?
82.   How do I remove the /32 - host - route when a PPP link comes up?
83.   How do I forward DHCP broadcasts to my DHCP server?
84.   How do I use the ip-helper command to facilitate DHCP use?
85.   How do I send L2 traffic through a tunnel?
86.   How do I sort my IP Addresses using Unix tools??
87.   Why is measuring collisions meaningless endeavour?
88.   How do I stop password-recovery on my routers?
89.   How do I setup a Multilink PPP?
90.   How do I setup ppp callback with dialer-pool?
91.   My configs are too large.  What can I do?
92.   What does Frame-relay LMI and Encapsulation really do/mean?
93.   How do I make a T1 Cross-over cable?
94.   Can I use a router to simulate BRI switch? (Also see question 101)
95.   How do I use Policy Based Routing?
96.   How do I setup a VPN tunnel using pre-shared keys?
97.   Why does one packet always get dropped on the last hop of traceroute?
98.   How to setup NAT'ing based on outgoing interface to two different ISPs.
99.   How do I use IPX over DDR?
100.  How can I automatically ping a range of IP addresses in Wintel world?
      See also question 115.
101.  Sample config of using VIC BRI interfaces as an ISDN switch.
102.  How do I do X25 over ISDN D channel?
103.  What can I do to remove SAP Type 640 on my routers?
104.  What kind of memory does the 2500 use?
105.  How do I make an Ethernet Cross-over cable?
106.  How do I use NBAR to block NIMDA?
107.  What is a FECN/BECN and does it mean anything?
108.  How do I stop logging (and generating snmp trap) for up/down interfaces?
109.  How do I setup the variables to do tftpdnld in rommon?
110.  How do I get the memory-usage on the Vip-Card
111.  What is the order of operation in terms how a packet is processed?
112.  What are the differnt T1 jack type codes?
113.  How do I show just one interface's configuration?
114.  How can I search CCO for IS-IS related information?
115.  How can I script a network reachability test?  See also question 100.
116.  How can I access the console port on my MSFC in my 6500?
117.  How do I access my MSFC/Router in my 6509?
118.  Where can I find a list of undocumented IOS commands?
119.  Where can I find information on securing or hardening Cisco routers?
120.  How can I connect two Cisco routers back to back through the AUX ports?
121.  How do I use Secure Shell (SSH) on Cisco devices?
122.  Can I use a /31 address space for my serial point-to-point interfaces?
133.  How do i see log messages on the router console?
134.  What is my overhead of using IPSec
135.  What is the pinout for the DB9 to RJ45 connector?
136.  Should I use a T1, Cable modem or DSL for Internet connections?
137.  How do I change the time length of 15 mins that is used when
      displaying the Show ISDN history command?
138.  Why do I see "double" characters when I telnet into my router?
139.  How do I see power-supply failures via SNMP?
140.  How do I change the timer for tx/rxload when doing "show int" command?
141.  How do I setup SLIP on my Cisco terminal servers?
142.  How do I setup FR End-to-End keepalives?
143.  What basic information do I need to setup a T1 from my ISP?
144.  How do I setup NAT and Port forwarding?
145.  Where can I buy some Back-to-Back serial cables?
146.  How can I policy-route router generated packets?
147.  Is there another way to upload my IOS w/o a tftp server?
148.  What does the keyword EXTENDABLE mean when doing NAT?
149.  Where can I get some third party icons for my Visio program?
150.  Can you help me interpret the output fomr "Looking Glass" (BGP?)
151.  When using Tunnel with an interface that has an ACL, what happens?
152.  Do I need a Xover cable when using 1000Base-T?
153.  How dow I break the "Rule of Ten" for BGP Load balancing?
154.  How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?



todo:
[Update the Todo section.  How ironic!]

Actual content.

**************************************************************************

From: Question 0.1
Date: 10 February 2002
Subject: Where can I obtain/View the FAQ
Answer by: N/A

A.    You can use any Usenet (Newsgroup) reader to read comp.dcom.sys.cisco
      or alt.certification.cisco
B.    http://www.networkingunlimited.com/CiscoFAQ.html
C.    http://www.evolutiontechnical.com/cisco-faq/index.htm
D.    http://mrubino.com:8080/cdsc-faq



**************************************************************************

From: Question 1
Date: 31 October 1994
Subject: How can I contact cisco?

Corporate address:

                cisco Systems
                170 West Tasman Drive
                San Jose, CA 95134

The following phone numbers are available:

  Technical Assistance Center (TAC)                     +1 800 553 2447
                                                              (553 24HR)
                                                        +1 800 553 6387
                                                        +1 408 526 8209
  Customer Service (Documentation, Warranty &           +1 800 553 6387
      Contract Services, Order Status
  Engineering                                           +1 800 553 2447
                                                              (553 24HR)
  On-site Services, Time & Materials Service            +1 800 829 2447
                                                              (829 24HR)
  Corporate number / general                            +1 408 526 4000
  Corporate FAX (NOT tech support)                      +1 408 526 4100

The above 800 numbers are US/Canada only.

cisco can also be contacted via e-mail:

        tac@cisco.com           Technical Assistance Center
        tac-euro@cisco.com      European TAC
        cs-rep@cisco.com        Literature and administrative (?) requests
        cs@cisco.com            *UNRELIABLE*, special-interest, ``non-support''

Please follow the directions available on CIO before doing this.
cisco provides an on-line service for information about their routers
and other products, called CIO (cisco Information Online).  telnet to
cio.cisco.com for more details.

The collective experience of this FAQ indicates that it is far wiser to
open a case using e-mail than FAXes, which may be mislaid, shredded,
etc.

For those of you still in the paperfull office (unlike the rest of us),
cisco Systems' new corporate address is:

        170 West Tasman Drive
        San Jose, CA 95134

Mail to tac@cisco.com should include your service contract number, your name,
telephone number, a brief one line problem/question description, and a
case  priority in the  first 5 lines. For example:

        Cisco service contract number       92snt1234a
        First and last name                 Jane Doe
        Best number to contact you          415-555-1234
        Problem/question description        Cannot see Appletalk zones
        Case Priority                       3

CASE PRIORITIES are defined as one of the following:

Pri 1           Production network down, critical business impact
Pri 2           Production net seriously degraded, serious impact
Pri 3           Network degraded, noticeable impact to business
Pri 4           General information, non production problems

**************************************************************************

From: Question 2
Date: 26 July 1994
Subject: What is this newsgroup?

comp.dcom.sys.cisco, which is gatewayed to the mailing list
cisco@spot.colorado.edu, is a newsgroup for discussion of cisco
hardware, software, and related issues. Remember that you can also
consult with cisco technical support.

This newsgroup is not an official cisco support channel, and should
not be relied upon for answers, particularly answers from cisco
Systems employees.

Until recently, the mailing list was gatewayed into the newsgroup,
one-way. It is possible that this arrangement may resume at somet time
in the future.

**************************************************************************

From: Question 3
Date: 31 October 1994
Subject: What does ``cisco'' stand for?

cisco folklore time:

At one point in time, the first letter in cisco Systems was a
lowercase ``c''. At present, various factions within the company have
adopted a capital ``C'', while fierce traditionalists (as well as some
others) continue to use the lowercase variant, as does the cisco
Systems logo. This FAQ has chosen to use the lowercase variant
throughout.

cisco is not C.I.S.C.O. but is short for San Francisco, so the story
goes.  Back in the early days when the founders Len Bosack and Sandy
Lerner and appropriate legal entities were trying to come up with a
name they did many searches for non similar names, and always came up
with a name which was denied. Eventually someone suggested ``cisco''
and the name wasn't taken (although SYSCO may be confusingly similar
sounding). There was an East Coast company which later was using the
``CISCO'' name (I think they sold in the IBM marketplace) they ended
up having to not use the CISCO abberviation.  Today many people spell
cisco with a capital ``C'', citing problems in getting the lowercase
``c'' right in publications, etc. This lead to at least one amusing
article headlined ``Cisco grows up''. This winter we will celebrate
our 10th year.

[This text was written in July of 1994 -jhawk]

**************************************************************************

From: Question 4
Date: 31 October 1994
Subject: How do I save the configuration of a cisco?

If you have a tftp server available, you can create a file on the
server for your router to write to, and then use the write network
command. From a typical unix system:

        mytftpserver$ touch /var/spool/tftpboot/myconfig
        mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig

        myrouter#write net
        Remote host [10.7.0.63]? 10.7.0.2
        Name of configuration file to write [myrouter-confg]? myconfig
        Write file foobar on host 10.7.0.2? [confirm] y

Additionally, there's a Macintosh TFTP server available:

        ftp://nic.switch.ch/software/mac/peterlewis/

Additionally, you can also use expect, available from:

        ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
        ftp://ftp.cme.nist.gov/expect/

or, in shar form from ftpeng.cisco.com.

Expect allows you to write a script which telnets to the router and
performs a ``write terminal'' command, or any other arbitrary set of
command(s), using a structured scripting language (Tcl).

**************************************************************************

From: Question 5
Date: 5 July 1994
Subject: Where can I get ancillary software for my cisco?

Try ftping to

        ftp://ftpeng.cisco.com/pub

It's a hodgepodge collection of useful stuff, some maintained and some
not. Some is also available from

        ftp://cio.cisco.com

Vikas Aggarwal has a very customised tacacsd:

A new version of xtacacsd is available via anonymous FTP from:

        ftp://ftp.navya.com/pub/vikas/


**************************************************************************

From: Question 6
Date: 28 April 1996
Subject: Is there a World-Wide-Web (www) information source?

You can try the WWW page for this FAQ:

        http://www.panix.com/cisco-faq/

or the cisco Educational Archive (CEA) home page:

        http://sunsite.unc.edu/cisco/cisco-home.html

or the cisco Information Online (CIO) home page:

        http://www.cisco.com/


**************************************************************************

From: Question 7
Date: 5 July 1994
Subject: How can I get my cisco to talk to a third party router over
a serial link?

You need to tell your cisco to use the same link-level protocol as the
other router; by default, ciscos use a rather bare variant of HDLC
(High-level Data Link Control) all link-level protocols use at some
level/layer or another. To make your cisco operate with most other
routers, you need to change the encapsulation from HDLC to PPP on the
relevant interfaces. For instance:

        sewer-cgs#conf t

        Enter configuration commands, one per line.
        Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
        interface serial 1
        encapsulation ppp
        ^Z

        sewer-cgs#sh int s 1

        Serial 1 is administratively down, line protocol is down
         Hardware is MCI Serial
         MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
         Encapsulation PPP, loopback not set, keepalive set (10 sec)
^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]

If you're still having trouble, you might wish to turn on serial interface
debugging:

        sewer-cgs#ter mon
        sewer-cgs#debug serial-interface

**************************************************************************

From: Question 8
Date: 27 July 1994
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?

You should tell your cisco to use ``encapsulation frame-relay ietf''
(instead of ``encapsulation frame-relay'') on your serial interface
that's running frame relay if your frame relay network contains a
diverse set of manufacturers' routers. The keyword ``ietf'' specifies
that your cisco will use RFC1294-compliant encapsulation, rather than
the default, RFC1490-compliant encapsulation (other products, notably
Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verbotten
by 1490, namely padding of the nlpid).  If only a few routers in your
frame relay cloud require this, then you can use the default
encapsulation on everything and specify the exceptions with the
frame-relay map command:

        frame-relay map ip 10.1.2.3 56 broadcast ietf
                                                 ^^^^

(ietf stands for Internet Engineering Task Force, the body which
evaluates Standards-track RFCs; this keyword is a misnomer as both
RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and
is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step
beneath a DS), and is effectively obsolete).

**************************************************************************

From: Question 9
Date: 26 July 1994
Subject: How can I use debugging?


The ``terminal monitor'' command directs your cisco to send debugging
output to the current session. It's necessary to turn this on each time
you telnet to your router to view debugging information. After that,
you must specify the specific types of debugging you wish to turn on;
please note that these stay on or off until changed, or until the
router reboots, so remember to turn them off when you're done.

Debugging messages are also logged to a host if you have trap logging
enabled on your cisco. You can check this like so:


        sl-panix-1>sh logging
        Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
            Console logging: level debugging, 66 messages logged
            Monitor logging: level debugging, 0 messages logged
            Trap logging: level debugging, 69 message lines logged
                Logging to 198.7.0.2, 69 message lines logged
        sl-panix-1>

If you have syslog going to a host somewhere and you then set about a
nice long debug session from a term your box is doing double work and
sending every debug message to your syslog server. Additionally, if you
turn on something that provides copious debugging output, be careful
that you don't overflow your disk (``debug ip-rip'' is notorious for
this).

One solution to this is to only log severity ``info'' and higher:

        sl-panix-1#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        logging trap info

The other solution is to just be careful and remember to turn off
debugging. This is easy enough with:

        sl-panix-1#undebug all

If you have a heavily loaded box, you should be aware that debugging
can load your router.  The console has a higher priority than a vty so
don't debug from the console; instead, disable console logging:

        cix-west.cix.net#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        no logging console

Then always debug from a vty.  If the box is busy and you are a little
too vigorous with debugging and the box is starting to sink, quickly
run, don't walk to your console and kill the session on the vty.  If
you are on the console your debugging has top prioority and then the
only way out is the power switch.  This of course makes remote
debugging a real sweaty palms adventure especially on a crowded box.
Caveat debugger!

Also, if you for some reason forget what the available debug commands
are and don't have a manual handy, remember that's what on-line help
is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under
9.21 and above, that gives you general categories, and you can check
for more specific options by specifying the category: ``debug ip ?''.

As a warning, the ``logging buffered'' feature causes all debug
streams to be redirected to an in-memory buffer, so be careful using
that.

Lastly, if you're not sure what debugging criteria you need, you can
try ``debug all''. BE CAREFUL!  It is way useful, but only in a very
controlled environment, where you can turn off absolutely everything
you're not interested in.  Saves a lot of thinking.  Turning it on on
a busy box can quickly cause meltdown.

**************************************************************************

From: Question 10
Date: 5 July 1994
Subject: How can I use NTP (Network Time Protocol) with my cisco?

>What level of software is required for NTP support in
>a cisco router?

9.21 or above.

>Which cisco routers support NTP?

It is a software feature exclusively. Anything that supports
9.21 or 10 will run NTP (when running that s/w).

>How do I set it up?

The basic hook is:
        ntp server <host> [version n]
or
        ntp peer <host> [version n]

depending on whether you want a client/server or peer relationship.
There's a bunch of other stuff available for MD5 authentication,
broadcast, access control, etc.  You can also use the
context-sensitive help feature to puzzle it out; try ``ntp ?'' in
config mode.

You'll also want to play with the SHOW NTP * router commands.  Here
are two examples.

EXAMPLE 1:

router# show ntp assoc

      address         ref clock     st  when  poll reach  delay  offset    disp
+~128.9.2.129      .WWVB.            1   109   512  377    97.8   -2.69    26.7
*~132.249.16.1     .GOES.            1   309   512  357    55.4   -1.34    27.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

EXAMPLE 2:

router#show ntp stat
Clock is synchronized, stratum 2, reference is 132.249.16.1
nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
clock offset is -1.34 msec, root delay is 55.40 msec
root dispersion is 41.29 msec, peer dispersion is 28.96 msec

For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.

For broader NTP info, see ftp://louie.udel.edu:pub/ntp/.  The file
clock.txt in that directory has info about various public NTP servers.
There is also information on radio time receivers that can be
connected to an NTP server (this is handy on private networks, if you
have an entire campus to get chiming, or if you become a hard core
chimer).

The ``ntp clock-period'' command is added automagically to jump-start
the NTP frequency compensation when the box is rebooted.  This is
essentially a representation of the frequency of the crystal used as
the local timebase, and may take several days to calculate otherwise.
(Do a ``write mem'' after a week or so to save a good value.)

Caveat of obsolecence: Note that the CS-500 will not be able to
achieve quite the same level of accuracy as other platforms, since its
hardware clock resolution is roughly 242Hz instead of the 1MHz
available on other platforms.  In practice this shouldn't matter for
anyone other than true time geeks.

**************************************************************************


From: Question 11
Date: 5 July 1994
Subject: Sample cisco NTP Configurations

You will need to substitute your own NTP peers, timezones, and GMT
offsets into the examples below, of course.  Example 1 is in US Central
Time Zone, while example 3 is in US Pacific Time Zone.  Both account
for normal US Daylight Savings Time practices.

EXAMPLE 1 (Charley Kline):
...
clock timezone CST -6
clock summer-time CDT recurring
ntp source eth 0
ntp peer <host1>
ntp peer <host2>
ntp peer <host3>
...


EXAMPLE 2 (Tony Li):
...
ntp source Ethernet0/0
ntp update-calendar
ntp peer <host1>
ntp peer <host2> prefer
...


EXAMPLE 3 (Dave Katz):
...
service timestamps debug datetime localtime
service timestamps log datetime localtime
clock timezone PST -8
clock summer-time PDT recurring
interface Ethernet0
ip address <mumble>
ntp broadcast
ntp clock-period 17180319
ntp source Ethernet0
ntp server <host1>
ntp server <host2>
ntp server <host3>

COMMENTS ON EXAMPLE 3:
        The config file is commented with date and time (and user id,
if TACACS is enabled) when the system thinks the clock is accurate.
I've enabled timestamping of debug and syslog messages.  I send NTP
broadcast packets out onto the local ethernet.  I'm in Pacific
Standard Time, with U.S. standard daylight saving time rules.  I use
the IP address of the ethernet as the source for all NTP packets.


**************************************************************************

From: Question 12
Date: 5 July 1994
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?

By default, all lines are configured to automatically try a telnet
connection if the first word in a input line is not recognized as a
valid command.  You can disable this by setting ``transport preferred
none'' on every line (con, aux and vty). For instance:


        sl-panix-1#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        line vty 0 10
        transport preferred none


You can see the number of vty's currently configuered with ``show lines''

Also, you can suspend connect attempts with ^^ followed by ``x'', ie
shift-cntrl-6 x.

[It has been suggested that ``no ip ipname-lookup'' to turn off IEN116
helps. I think this is the default -jhawk ]

**************************************************************************

From: Question 13
Date: 31 Oct 1994
Subject: Tracing bad routing information

or: How do I find out which non-cisco systems on my networks generate IP-RIP
   information without letting them mess up my routing tables.

Here you could work with a default administrative distance.
Administrative distance is the basis upon which the cisco prefers
routing information of one protocol over another. In this example:

        router rip
        network 192.125.254.0
        distance 255
        distance 120 192.125.254.17     ! list all valid RIP suppliers
        [...]

the value 255 has the implicit meaning of not putting this information
into the routing table. Therefore, setting an administrative distance
of 255 means that all RIP suppliers are by default accepted but their
information is not put into the routing table. The administrative
distance for the router 192.125.244.17 has been reset to the default
(for RIP) of 120, causing its routes to be accepted into the routing table.

Then you can look them up with ``show ip protocols'' and restore the
original administrative distance for the ones you want to fill in the
routing table.

The same results can be acheived with an ip access-list, but with
that, ``show ip protocols'' will only show the valid ones. But often
it is more useful to see which systems were generating routing
information at all.

This trick works for other routing protocols as well, but please select
the proper adminstrative distance (rather than 120) for the protocol
you're using.

**************************************************************************

From: Question 14
Date: 5 July 1994
Subject: How to use access lists

[The following is wholesale included; at some point it'll
probably be editted a bit and reformatted... -jhawk ]

                    Frequently Asked Questions
                    contributed by Howard C. Berkowitz
                    PSC International
                    hcb@world.std.com
                       @clark.net   [probably will be my permanent
                                     personal account]
                    PSC's domain is in mid-setup

Where in the router are access lists applied?


    In general, Basic access lists are executed as filters on
outgoing interfaces.  Newer releases of the cisco code, such as
9.21 and 10, do have increased ability to filter on incoming ports.
Certain special cases, such as broadcasts and bridged traffic,
can be filtered on incoming interfaces in earlier releases.
There are also special cases involving console access.

Rules, written as ACCESS-LIST statements, are global for the entire
cisco box; they are activated on individual outgoing interfaces by
ACCESS-GROUP subcommands of the INTERFACE major command.
    Filters are applied after traffic has entered on an incoming
interface and gone through a routing process; traffic that originates in
a router (e.g., telnets from the console port) is not subject to
filtering.

             +-------------------+
             |     GLOBAL        |
             |                   |
             | Routing           |
             | ^  v       Access |
             | ^  v       Lists  |
             +-^--v--------^---v-+
             | ^  v        ^   v |
             | ^  v        ^   v |
A----------->|-|  |>>>>Access  >>----------->B
             |1        Group   2 |
<------------|                   |<-----------
             |                   |
             |                   |
             +-------------------+

    Some types of ``filter,'' using ``filter'' as a broader class than
ACCESS-LIST, can operate on incoming traffic.  For example, the INPUT-
SAP-FILTER used for Novell networks is applied to Service Advertisement
Packets (SAP) seen at incoming interfaces.  In general, incoming
filtering can only be done for ``system'' rather than user traffic.

Rules of thumb in defining access lists.

    First, define what you want to do and in which directions.  An
informal drawing is a good first step.  As opposed to the usual
connectivity drawings among routers, it's often convenient to draw
unidirectional links between routers.
    Second, informally write out your filtering rules.  In general, it
is best to go from most specific to least specific. Modify the order of
writing things to minimize the number of rules needed.
    Third, determine which rules need to be on which routers.
Explicitly consider the direction of flow, and the possible existence of
additional paths that could inadvertently bypass a filter.

Can a cisco router be a ``true'' firewall?

    This depends on the definition of firewall.  Some writers (e.g.,
Gene Spafford in _Practical UNIX Security_) define a firewall as a
host on which an ``inside'' and/or an ``outside'' application process run,
with application-level code linking the two.  For example, a firewall
might provide FTP access to the outside world, but it would not also
provide direct FTP service to the inside world.  To place a file on
the FTP external server, a designated user would explicitly log onto
the FTP server, transfer a file to the server, and log off.  The
firewall prevents direct FTP connectivity between the inside and
outside networks; only indirect, application-level connectivity is
allowed.
   Firewalls of this sort are complemented by chokes, which filter on
network addresses and/or port numbers.  Cisco routers cannot do
application-level control with access control lists.
   Other authors do not distinguish between chokes and filters.  Using
the loose definition that a firewall is anything that selectively blocks
access from the inside to the outside, routers can be firewalls.


IP Specific
-----------

Can the ``operand'' field be used with a protocol keyword of IP to filter
on protocol ID?

    No.  Operand filtering only works for TCP and UDP port numbers.

How can I prevent traffic for a certain Internet application to flow in
one direction but not the other?

    Remember that Internet applications flow from client port to server
port.  Denying traffic from port 23, for example, blocks flow from the
client to the server.

             +-------------------+
             |                   |
A----------->|                   |----------->B
             |1                 2|
<------------|                   |<-----------
             |                   |
             +-------------------+

    If we deny traffic to Port 23 of address B by placing a filter at
interface 2, we have blocked A's ability to telnet to B, but not B's
ability to telnet to A.  A second filter at interface A would be needed
to block telnet in both directions.
    Assume that we only have the filter at interface 2.  Telnets to A
from B will not be affected because the filter at 2 does not check
incoming traffic.
-------

With the arrival of in-bound access lists in 9.21, it should be noted
that both inbound and access lists are about equally efficient, in
case any of you were wondering.


It's worth remembering that there are some kinds of problems
that packet-filtering firewalls are not best suited for. There's
reasonably good information in:

	"Network (in)security through packet filtering"
	ftp://ftp.greatcircle.com/pub/firewalls/pkt_filtering.ps.Z


**************************************************************************

From: Question 15
Date: 26 July 1994
Subject: The cisco boot process

What really happens when a cisco router boots, from boot start to live
interfaces?

First it boots the ROM os version.  It reads the config.  Now, it
realizes that you want to netboot.  It loads the netbooted copy in on
top of itself.  It then re-initializes the box and re-reads the
config.  Manly, yes, but we like it too....

[[ Ummm... in particular it loads the netbooted copy in as WELL as
itself, decompresses it, if necessary, and THEN loads on top of
itself.  Note that this is important because it tells you what the
memory requirements are for netbooting: RAM for ROM image (if it's a
run from RAM image), plus dynamic data structures, plus RAM for
netbooted image. ]]

The four ways to boot and what happens (sort of):

           I (from bootstrap mode)

The ROM monitor is running.  The I command causes the ROM monitor to
walk all of the hardware in the bus and reset it with a brute force
hammer.  If the bits in the config register say to auto-boot, then
goto B

           B (from bootstrap mode)

Load the OS from ROM.  If a name is given, tell that image to start
silently and then load a new image.  If the boot system command is
given, then start silently and load a new image.

           powercycle

Does some delay stuff to let the power settle.  Goto I.

           reload (from the EXEC)
Goto I.


**************************************************************************

From: Question 16
Date: 18 July 1994
Subject: Where can I get cisco hardware?

Try calling 800-553-NETS and asking for your local sales office.
That's probably the best plan.

**************************************************************************

From: Question 17
Date: 18 April 1995
Subject: Where can I get IETF documents (RFCs, STDs, etc.)?

                   Where and how to get new RFCs


RFCs may be obtained via EMAIL or FTP from many RFC Repositories.  The
Primary Repositories will have the RFC available when it is first
announced, as will many Secondary Repositories.  Some Secondary
Repositories may take a few days to make available the most recent
RFCs.

Primary Repositories:


RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET,
NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK,
FTP.CONCERT.NET, or FTP.SESQUI.NET.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Secondary Repositories:



Sweden
------
        Host:           sunic.sunet.se
        Directory:      rfc

        Host:           chalmers.se
        Directory:      rfc


Germany
-------
        Site:           EUnet Germany
        Host:           ftp.Germany.EU.net
        Directory:      pub/documents/rfc


France
------
        Site:           Institut National de la Recherche en Informatique
                        et Automatique (INRIA)
        Address:        info-server@inria.fr
        Notes:          RFCs are available via email to the above
                        address.  Info Server manager is Mireille
                        Yamajako (yamajako@inria.fr).


Netherlands
-----------
        Site:           EUnet
        Host:           mcsun.eu.net
        Directory:      rfc
        Notes:          RFCs in compressed format.


France
------
        Site:           Centre d'Informatique Scientifique et Medicale
                        (CISM)
        Contact:        ftpmaint@univ-lyon1.fr
        Host:           ftp.univ-lyon1.fr
        Directories:    pub/rfc/*       Classified by hundreds
                        pub/mirrors/rfc Mirror of Internic
        Notes:          Files compressed with gzip. Online
                        decompression done by the FTP server.


Finland
-------
        Site:           FUNET
        Host:           funet.fi
        Directory:      rfc
        Notes:          RFCs in compressed format.  Also provides
                        email access by sending mail to
                        archive-server@funet.fi.


Norway
------
        Host:           ugle.unit.no
        Directory:      pub/rfc


Denmark
-------
        Site:           University of Copenhagen
        Host:           ftp.denet.dk
        Directory:      rfc


Australia and Pacific Rim
-------------------------

        Site:           munnari
        Contact:        Robert Elz <kre@cs.mu.OZ.AU>
        Host:           munnari.oz.au
        Directory:      rfc
                        rfc's in compressed format rfcNNNN.Z
                        postscript rfc's rfcNNNN.ps.Z


United States
-------------

        Site:           cerfnet
        Contact:        help@cerf.net
        Host:           nic.cerf.net
        Directory:      netinfo/rfc

        Site:           NASA NAIC
        Contact:        rfc-updates@naic.nasa.gov
        Host:           naic.nasa.gov
        Directory:      files/rfc

        Site:           NIC.DDN.MIL (DOD users only)
        Contact:        NIC@nic.ddn.mil
        Host:           NIC.DDN.MIL
        Directory:      rfc/rfcnnnn.txt
        Note:           DOD users only may obtain RFC's via FTP
                        from NIC.DDN.MIL.  Internet users should NOT
                        use this source due to inadequate connectivity.

        Site:           uunet
        Contact:        James Revell <revell@uunet.uu.net>
        Host:           ftp.uu.net
        Directory:      inet/rfc


UUNET Archive
-------------

     UUNET archive, which includes the RFC's, various IETF documents,
     and other information regarding the internet, is available to the
     public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and
     will be available via an anonymous kermit server soon.  Get the
     file /archive/inet/ls-lR.Z for a listing of these documents.

     Any site in the US running UUCP may call +1 900 GOT SRCS and use
     the login "uucp".  There is no password.  The phone company will
     bill you at $0.50 per minute for the call.  The 900 number only
     works from within the US.

**************************************************************************

From: Question 18
Date: 22 April 1996
Subject: Future features in cisco software

[This could be more fleshed out (still!)]

Kerberos and RADIUS in 11.1
RIP version 2 in 11.1 (allows VSM, etc.)
Policy-based routing (routing based on source address or interface, or just
about anything else you want) in 11.0 *released*
PPP Multilink in 11.0(3) *released*
Frame Relay payload compression in 11.0(4) *released*
IPX Per-Host load balancing in 11.1

**************************************************************************

From: Question 19
Date: 27 July 1994
Subject: How do cisco routers rate performance-wise?

People often ask about performance of the cisco routers and are shyed
away from answering their questions because we don't know where to send
them.

Scott Bradner keeps the results of his performance tests on the
Internet.  You can find them for ftp on the system hsdndev.harvard.edu
in the /pub/ndtl.  There is a README file in that directory that
explains what is available.  In addition, cisco has just started
publishing a piece of literature called ``The Harvard Benchmark Test
Results: Summary of cisco Systems Performance''.  The only number I
can find on the doc is Lit. #700901.  Don't know if you can order it
by this number, but at least there's a title to go on.

**************************************************************************

From: Question 20
Date: 22 April 1996
Subject: How are packets switched?

There are 3 basic types of switching (in order of increasing performance).

        process switching
        fast switching
        autonomous switching

Process and fast switching support inbound and outbound, simple and
extended, access lists. Of course, for fast switching, such lists only
restrict traffic on the particular fast-switched interface.

Autonomous switching is done in the switch processor, a microcoded device that
is capable of switching IP, IPX, and bridging packets in the 100kpps range.
This is known as the "SP" card on the 7000 and the CBUS controller on the AGS+.
Encapsulation support is rather limited (Ethernet, HDLC, HSSI...).

The cisco 7000 also supports:

        silicon switching

Silicon switching is done in the silicon switching engine (creative, eh? ;-).

The silicon switch processor (SSP) is the board which combines both the
switch processor and a silicon switching engine.

The SSP supports simple and extended outbound access lists in 10.3 and later.
The SSP supports simple and extended inbound access lists in 11.1 and later.

The cisco 75xx series supports:

	"optimal" switching (cruddy name, eh?)
	"flow" switching
	"distributed" switching

* "optimal" switching (cruddy name, eh?)

The 7500 platform does not have a separate SP or SSP card, rather the RISC
processor on the "integrated route/switch processor card (IRSP)" handles
switching directly, similar to the 4000 series routers.  There are several
hardware and software enhancements made though to increase the throughput to
a level that is several times above what you would normally get from "fast"
switching.  Everything that "fast" switching supports is supported in
"optimal" switching.

* "flow" switching

Basicly the "optimal" switching method, however things have been front-ended
with an additional small "flow" cache.  This flow cache contains information
about source/destination addresses & ports which allow the router to make more
informed queueing decisions and process access lists faster.  This is a win in
routers that would tend to carry a reasonably small number of flows at any one
time, such as what you would expect in a corporate network or in a smaller
internet service provider network.  It's unclear if there are any advantages
in a large internet backbone.

* "distributed" switching

cisco has announced a new type of interface-processor card, called a "VIP"
available in the 7500 platform that is intelligent enough to switch packets
with no intervention on the part of the IRSP card.  This once again separates
switching from routing, as in the earlier CBUS/SP/SSP design.


The first packet of every session or connection is always Process Switched.
The route table is consulted (this resides in DRAM on the CPU) and the
"result" is cached in the system memory cache. If the protocol can only be
process switched, then it will continue this way and interrupt the CPU for a
route table lookup each time. [comment: Process Switching is brutally slow
compared to other switching methods. Some features (usually new features do
this for the first few software releases) force every packet to be process
switched. If you can't avoid process-switching every packet, at least get a
router with a fast CPU, such as the 75xx, 4500, and 4700. The 4700 is
currently the fastest at process-switching packets, with the 4500 and 75xx
tied for second. The 75xx can optimum-switch, however, so it's a lot faster
than either of the 4x00s, if you can use it).

The second and subsequent packets of each session are capable of being Fast
Switched (more session types are becoming fast-switchable), and will consult
only the route-cache. This still involves a memory lookup on the board, but
the packet can be transferred from the source card directly to the
destination card without requiring full storage on the CSC [the CSC refers
to the CPU card, basically].



There are some undocumented commands that are useful for obtaining
per-interface statistics on what sort of switching was performed.

For instance:

frobozz-magic-robot>sh int atm4/0 switch
ATM4/0
         Throttle count:          0
     Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
           IP    Process     104851    7669968     116378   11180988
            Cache misses      35826
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0
frobozz-magic-robot>sh int atm4/0 stat
ATM4/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     105024    7679155     116422   11184108
         Route cache/FIB          0          0          0          0
       Distributed cache          0          0          0          0
                   Total     105024    7679155     116422   11184108

**************************************************************************

From: Question 21
Date: 31 October 1994
Subject: How does one interpret buffer statistics?

Buffer statistics may be obtained with:

        mit2-gw.near.net>sh buffers
        Buffer elements:
             433 in free list (500 max allowed)
             82320311 hits, 0 misses, 0 created
        Small buffers, 104 bytes (total 202, permanent 120):
             185 in free list (20 min, 250 max allowed)
             34289219 hits, 4297 misses, 1307 trims, 1389 created
        Middle buffers, 600 bytes (total 104, permanent 90):
             102 in free list (10 min, 200 max allowed)
             6829533 hits, 1432 misses, 483 trims, 497 created
        Big buffers, 1524 bytes (total 90, permanent 90):
             90 in free list (5 min, 300 max allowed)
             3403884 hits, 56 misses, 1 trims, 1 created
        Large buffers, 5024 bytes (total 5, permanent 5):
             5 in free list (0 min, 30 max allowed)
             49984 hits, 13 misses, 20 trims, 20 created
        Huge buffers, 18024 bytes (total 0, permanent 0):
             0 in free list (0 min, 4 max allowed)
             0 hits, 0 misses, 0 trims, 0 created

        5683 failures (0 no memory)

You can interpret them:

Total   Number of buffers of that size that exist.

Free    Number of free buffers.

Max     Maximum size that the free list can grow to before we start
        throwing them away.

Hit     Buffer got used.

Miss    Someone requested a buffer and we had to go carve it up out of
        free memory.  If we couldn't because we were at interrupt
        level, it's also an allocation failure.  If we couldn't
        because we were out of memory, then it's also a ``no memory''
        failure.

Trim    There are more free buffers on the free list than there need
        to be and we threw some away.

Create  Number of buffers we created after a miss.

**************************************************************************

From: Question 22
Date: 22 April 1996
Subject: How should I restrict access to my router?

Many admins are concerned about unauthorized access to their routers
from malicious people on the Internet; one way to prevent this
is to restrict access to your router on the basis of IP address.

Many people do this, however it should be noted that a significant number
of network service providers allow unrestricted access to their routers
to allow others to debug, examine routes, etc. If you're comfortable doing
this, so much the better, and we thank you!

If you wish to restrict access to your router, select a free IP access
list (numbered from 1-100) -- enter ``sh access-list'' to see those
numbers in use.

        yourrouter#sh access-list
        Standard IP access list 5
            permit 192.94.207.0, wildcard bits 0.0.0.255

Next, enter the IP addresses you wish to allow access to your router
from; remember that access lists contain an implicit "deny everything"
at the end, so there is no need to include that. In this case, 30
is free:

        yourrouter#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
        yourrouter(config)#^Z

(This permits all IP addreses in the network 172.30.0.0, i.e. 172.30.*.*).
Enter multiple lines for multiple addresses; be sure that you don't
restrict the address you may be telnetting to the router from.

Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
that you wish to apply the access list to. In this example, I want
lines 2 through 12:

        yourrouter#sh line
         Tty Typ    Tx/Rx    A Modem  Roty AccO AccI  Uses    Noise   Overruns
           0 CTY             -    -      -    -    -     0        0        0/0
           1 AUX  9600/9600  -    -      -    -    -     1  3287605        1/0
        *  2 VTY  9600/9600  -    -      -    -    7    55        0        0/0
           3 VTY  9600/9600  -    -      -    -    7     4        0        0/0
           4 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           5 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           6 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           7 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           8 VTY  9600/9600  -    -      -    -    7     0        0        0/0
           9 VTY  9600/9600  -    -      -    -    7     0        0        0/0
          10 VTY  9600/9600  -    -      -    -    7     0        0        0/0
          11 VTY  9600/9600  -    -      -    -    -     0        0        0/0
          12 VTY  9600/9600  -    -      -    -    -     0        0        0/0


Apply the access list to the relevant lines:

        yourrouter#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        yourrouter(config)#line 2 12
        yourrouter(config-line)# access-class 30 in
        yourrouter(config-line)# ^Z

(This apply access list 30 to lines 2 through 12. It's important to
restrict access to the aux port (line 1) if you have a device (such
as a CSU/DSU) plugged into it.a)

Be sure to save your configuration with ``write mem''.

Please note that access lists for incoming telnet connections do NOT
cause your router to perform significant CPU work, unlike access lists
on interfaces.

**************************************************************************

From: Question 23
Date: 1 November 1994
Subject: What can I do about source routing?

What *is* source routing?

Soure routing is an IP option which allows the originator of a packet
to specify what path that packet will take, and what path return packets
sent back to the originator will take. Source routing is useful when the
default route that a connection will take fails or is suboptimal for some
reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.

Unfortunately, source routing is often abused by malicious users on
the Internet (and elsewhere), and used to make a machine (A), think
it is talking to a different machine (B), when it is really talking to
a third machine (C). This means that C has control over B's ip address
for some purposes.

The proper way to fix this is to configure machine A to ignore
source-routed packets where appropriate. This can be done for most
unix variants by installing a package such as Wietse Venema,
<wietse@wzv.win.tue.nl>,'s tcp_wrapper:

        ftp://cert.org:pub/tools/

For some operating systems, a kernel patch is required to make this
work correctly (notably SunOS 4.1.3). Also, there is an unofficial
kernel patch available for SunOS 4.1.3 which turns all source routing
off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell soimetime in mid-1994.

If disabling source routing on all your clients is not posssible, a
last resort is to disable it at your router. This will make you unable
to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both
of which use LSRR (Loose Source Record Route, 2 IP options, the first
of which is a type of source routing), but may be necessary for some.
If so, you can do this with

        foo-e-0#conf t
        Enter configuration commands, one per line.  End with CNTL/Z.
        foo-e-0(config)#no ip source-route
        foo-e-0(config)#^Z

It is somewhat unfortunate that you cannot be selective about this; it
disables all forwarding of source-routed packets through the router,
for all interfaces, as well as source-routed packets to the router
(the last is unfortunate for the purposes of ``traceroute -g'').

**************************************************************************

From: Question 24
Date: 22 April 1996
Subject: Is there a block of private IP addresses I can use?

Yes there is, however whether you wish to do so is an issue of
some debate.

You could consult:

1627 Network 10 Considered Harmful (Some Practices Shouldn't be
     Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.
     (Format: TXT 823 bytes)

1918 Address Allocation for Private Internets. Y. Rekhter, B.
     Moskowitz, D. Karrenberg, G. J. de Groot & E. Lear. February 1996.
     (Format: TXT"270 bytes) (Obsoletes RFC1627, RFC1597) (Also BCP0005)

In any event, RFC 1918 documents the allocation of the following
addresses for use by ``private internets'':

        10.0.0.0        -   10.255.255.255
        172.16.0.0      -   172.31.255.255
        192.168.0.0     -   192.168.255.255

Most importantly, it is vital that nothing using these addresses
should ever connect to the global Internet, or have plans to do so.
Please read the above RFCs before considering implementing such
a policy.

As an additional note, some Internet providers provide network-management
services, statistics gathering, etc. It is unlikely (if at all possible)
that they would be willing to perform those services if you choose to
utilize private address space.


With the increasing popularity and reliability of address translation
gateways, this practice is becoming more widely accepted. Cisco has acquired
Network Translation, who manufacture such a product. It is now available as
the Cisco Private Internet Exchange. With it, you can use any addressing you
want on your private internet, and the gateway will insure that the invalid
addresses are converted before making out onto the global Internet. It also
makes a good firewall. Information on this product is available at
http://www.cisco.com/warp/public/751/pix/index.html

**************************************************************************

From: Question 25
Date: 18 April 1995
Subject: Is DHCP supported?

DHCP, the Dynamic Host Configuration Protocol (RFC1533), is essentially
a more extended and flexible version of BOOTP, which allows configuration
parameters and other control information to be carried to hosts.

Forwarding of DHCP packets (to a DHCP server elsewhere in the network) is
supported in 9.21(4) and 10.0(3), as well as later releases.

**************************************************************************

From: Question 26
Date: 18 April 1995
Subject: Where can I get cisco documentation?

Cisco no longer distributes printed documentation with their routers;
instead, they distribute a CDROM.

Paper documentation may be purchased, however if you purchase a
support contract, documentation is free.

Cisco documentation is also available on the web -- if you have
a fast Internet conneciton this may be more useful
than the CD. Try:

	http://www.cisco.com/univercd/data/doc/product.htm

**************************************************************************

From: Question 27
Date: 18 April 1995
Subject: What's the latest software for the CSC/3?

The last supported release on the CSC/3 is 9.1(15). cisco
does not plan to release further software for the CSC/3.

**************************************************************************

From: Question 28
Date: 19 May 1995
Subject: What IP routing protocol should I use?

This is a really complicated question, and a full answer
is beyond the scope of this document. Here are the beginnings
of an answer.

Note that Hello is no longer shipped with cisco routers, and that EGP has been
declared Historical (and thus obsolete) by the IETF. Don't use them.


Protocol        RIP     HELLO  IGRP   OSPF    EIGRP  IS-IS  EGP     BGP4
------------------------------------------------------------------------
Type            IGP     IGP    IGP    IGP     IGP    IGP    EGP     EGP
Algorithm       DV      DV     DV     SPF     DUAL   SPF    DV      PV
Metrics         Hopcnt  Delay  Speed  Arb.    Speed  Arb.   Policy  Policy
Convergence     Slow    Unstb  Mdt    Fast    Fast   Fast   Slow    Fast
Standard?       IETF    No     No     IETF    No     ISO    Hist.   IETF
Complexity      Simple  Simple Simple Complx  Complx Complx Simple  Complx
Multipath?      Yes     Yes    Yes    Yes     Yes    Yes    Yes     [*]
Var-netmask?    No      No     No     Yes     Yes    Yes    No      YES

Notes
-----

IGP  interior gateway protocol, used to build routing tables within an AS.
EGP  exterior gateway protocol, used to communicate reachability
information between AS's.


Algorithms
----------
DUAL  DV with diffusing update algorithm (Garcia-Luna-Aceves et al)
DV    Distance Vector (Bellman-Ford)
PV    "Path Vector"
SPF    Shortest-path-first (Dijkstra)

Metrics
-------

A metric is how the protocol measures the network to determine the
"best" path.

"Speed" refers typically to link speed, not available bandwidth.
"Arb." indicates that the metrics are arbitrary and configurable.

HELLO tried to use available bandwidth by monitoring round-trip delay,
but was not generally successful at this.

Metrics are not directly exchangable when redistributing routing
information from one protocol to another. IGRP and EIGRP use
compatible and automatically convertable metrics.

Convergence
-----------

Qualitatively, convergence measures how fast routers using this
protocol will adapt to changes in the topology of the network.

"Unstb" indicates a protocol which in general never decided on a
stable configuration but continually oscillated between alternatives.

Complexity
----------

An observation of how complex the protocol is to implement.

Multipath
---------

Multipath indicates whether the protocol support and transport
multiple equal- or different- cost pathways across between endpoints?

[*] indicates that BGP4 supports multipath for IBGP (Internal BGP, a
full mesh of all border routers within an AS), but not for EBGP
(External BGP).

Variable netmask (Var-netmask)
**************************************************************************

Indicates whether the protocol allows for and transports different
masks for the subnets of a routed network.

**************************************************************************

From: Question 29
Date: 18 April 1995
Subject: How do I interpret the output of ``show version''?

Typing ``show version'' or ``show hardware'' yields a response like:

        prospect-gw.near.net>sh version
        Cisco Internetwork Operating System Software
        IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]

System-type (imagename) Version major.minor(release.interim)[who] Desc

System-type:  type of system the software is designed to run on.
imagename:  The name of the image.  This is different (slightly) for
        run-from-rom, run-from-flash, and run-from-ram images, and also
        for subset images which both were and will be more common.
"Version": text changes slightly.  For example, if an engineer gives you
        a special version of software to try out a bug fix, this will say
        experimental version.
Major: Major version number.  Changes (in theory) when there have been
        major feature additions and  changes to the softare.
Minor: minor version number.  Smaller but still signficant feature added.
        (in reality, cisco is not very sure what the difference between
         "major" and "minor" is, and sometimes politics gets in the way,
        but either of these "incrementing" indicates feature additions.)
        EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar.  9.1 is
        the base, 9.14 adds specical feature for low end systems, 9.17
        added special features specific the high end (cisco-7000)  This
        was an experiment that we are trying not to repeat.
release: increments (1 2 3 4 ...) for each maintenance release of released
        software.  Increments for every compile in some other places.
interim: increments on every build of the "release tree", which happens
        weekly for each release, but is only made into a generically
        shipping maintenance release every 7 to 8 weeks or so.
[who]:  who built it.  Has "fc 1" or similar for released software.
        has something like [billw 101] for test software built Bill
        Westfield (billw@cisco.com).
Desc:   additional description.

The idea is that the image name and version number UNIQUELY identify
a set of sources and debugging information somewhere back at cisco,
should anything go wrong.

        Copyright (c) 1986-1995 by cisco Systems, Inc.
        Compiled Thu 09-Mar-95 23:54 by tli
        Image text-base: 0x00001000, data-base: 0x00463EB0

Copyright, compilation date (and by whom), as well as the
starting address of the image.

        ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
        ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

The version of ROM bootstrap software, and the version of IOS
in ROM.

        prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
        System restarted by reload

How long the router has been up, and why it restarted.

        System image file is "sse-current", booted via flash

How the router was booted.

        RP (68040) processor with 16384K bytes of memory.

Type of processor.

        G.703/E1 software, Version 1.0.
        X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
        Bridging software.
        ISDN software, Version 1.0.

Various software options compiled in.

        1 Silicon Switch Processor.
        2 EIP controllers (8 Ethernet).
        2 FSIP controllers (16 Serial).
        1 MIP controller (1 T1).
        8 Ethernet/IEEE 802.3 interfaces.
        16 Serial network interfaces.
        128K bytes of non-volatile configuration memory.
        4096K bytes of flash memory sized on embedded flash.

Hardware configuration.

        Configuration register is 0x102

Lastly, the "configuration register", which may be set via
software in current releases...

**************************************************************************

From: Question 30
Date: 22 April 1996
Subject: What is the maximum number of Frame Relay PVCs?

This is covered fairly thoroughly in Product Info/Product
Bulletin/Frame Relay Broadcast Queue, Cisco Product Bulletin # 256,
available on CIO.

Via the web (requires CIO username and pasword)
        http://cio.cisco.com/warp/customer/417/38.html

An excerpt:

(Virtual Interfaces)

   It should be noted that in the IOS (Internetworking Operating System)
   10.0 software there is a limit of 256 Virtual and physical
   interfaces. Hence, if each DLCI is given its own virtual interface,
   the router is limited to 256 DLCIs. This restriction is expected to be
   removed in a future release.

   In most scenarios, it is not necessary that each DLCI have its own
   Virtual Interface. In particular, IP has the facility which allows
   disabling of split-horizon routing and hence does not require Virtual
   Interfaces to support partial mesh topologies.

(Appendix 1: How many DLCIs Can Cisco Support on an Interface?)

   This question is similar to the question of how many PCs can you put
   on an Ethernet. In general, you can put a lot more than you should
   given performance and availability constraints.

   When dimensioning a router in a large network, the following issues
   should be considered:

   DLCI Address Space: The only hard limits are the roughly 1000 DLCI
   limit due to the 10 bit DLCI address space in the Frame Relay frame
   header.

   LMI Status Update: The LMI protocol requires that all status reports
   fit into a single packet and generally limits the number of DLCIs to
   less than 800.


  Max DLCIs (approx)  (MTU -20)/5,
        where MTU is the MTU size in bytes on the Frame Relay link.


   Broadcast Replication: When sending, the router must replicate the
   packet on each DLCI and this causes congestion on the access link. The
   Broadcast Queue reduces this problem. In general, the network should
   designed to keep the routing update load to below 20 percent of the
   access lines speed. It is also important that memory requirements for
   the Broadcast Queue be considered. A good technique to reduce this
   restriction is the use of default route or extending the update
   timers.

   Broadcast Receipt: When receiving, the router must receive updates
   from the network. The issue here is that the upstream switch can be
   overloaded and drop packets. When routing updates are dropped, routing
   instability occurs. Again, the receiving routing update load should be
   kept to less than 20 percent of the access link speed and preferably
   lower. Where very high speed links are used, a limit of 128 Kbit/s
   worth of routing updates is recommended.

   Routing Stability: When using a link state protocol to reduce the
   update traffic, the dimensioning should be done assuming the periodic
   update process and the worst case for Link State Updates (i.e.,
   assuming link and power instability). Dimensioning should not be based
   on the Hello traffic. As a rule of thumb, dimension assuming a
   distance vector protocol, but assume that extra bandwidth is available
   for user data.

   User Data Traffic: Clearly, the number of DLCIs is dependent on the
   traffic on each DLCI and the performance requirements to be met. In
   general, Frame Relay accesses should be run at lower loads than
   router-to-router links since the prioritisation capabilities are not
   as strong in many cases and in general the marginal costs of
   increasing access link speed are lower than with dedicated lines.

   Many of the issues covered here are included in the Internet Design
   Guide manual that Cisco provides.

Update:

The limit of 256 PVCs goes away in IOS 11.1. I think the number is now
something like 1024 per router or some even more ludicrous number. There are
still lots of reasons you never want to do that. ;-)
The limit of 256 PVCs goes away in IOS 11.1. I think the number is now
something like 1024 per router or some even more ludicrous number. There are
still lots of reasons you never want to do that. ;-)


**************************************************************************

From: Question 31
Date: 18 April 1995
Subject: How much memory is necessary to telnet to a cisco router?

In order to login to a cisco router, it needs to have at least 64k
of contiguous free memory.

**************************************************************************

From: Question 32
Date: 18 April 1995
Subject: Where can I purchase flash RAM?

There are two varieties:

        MEM-1X8F                8meg
        MEM-2X8F                16meg

*******************************     2500       ********************************
*******************************   8M Flash     ********************************
PRODUCT#        QTY
--------        ---
MEM-1X8F         1
MEM-2X8F         2

Part Number: 16-0975-01
Description: IC,FEPROM,  2Mx32,100ns,SIM80     SC: P  REV: A0 S/UM: EA P/UM: EA
                                  VENDOR
       ITM MANUFACTURER'S PART     CODE         MANUFACTURER'S NAME
       --- -------------------- ----------
**************************************************************************
   1-    1 SM732C2000B-10       KITTING01  SMART MODULE


Smart Modular is located in Freemont, California.


For small orders, Smart Modular recommends you contact:

	PC Complete
	800-849-4622.

They carry both	Flash RAM and DRAM.

**************************************************************************

From: Question 32
Date: 19 May 1995
Subject: When are static routes redistributed?

In the simple case, any static route *in the routing table* is
redistributed if the ``redistribute static'' command is used, and some
filter (set with either ``route-map'' or ``distribute-list out'')
doesn't filter it out.

Whether the static route gets into routing table depends on:

	Whether the next hop address is reachable (if you use
	static route pointing to a next hop)
OR
	Whether the interface is up (if you use static route
	pointing to an interface).

If one of these is true, an attempt is made to add the route to the
routing table; whether that succeeds depends on the administrative
distance of the route -- a lower administrative distance (the route
is "closer") than a preexisting route will cause the preexisting route
to be overwritten.

**************************************************************************

From: Question 33
Date: 19 May 1995
Subject: When is the next hop of a route considered ``reachable''?

When a static route is added, or during an important event (eg:
interface up/down transition), the next hop for a route is looked up
from the routing table (i.e. recursive routing).

As a consequence, if a route which is depended upon for evaluation
of the next hop of a static route goes away, a mechanism is required
to remove that (now-invalid) static route.

Scanning all static routes each time the routing table changes is
too expensive, so instead, a period timer is used. One a minute, static
routes are added and removed from the routing table based on the routes
they depend upon.

It should be noted that a particular static route will be reevaluated
when its interface transitions up or down.

**************************************************************************

From: Question 35
Date: 22 April 1996
Subject: How do name and phone number of ``dialer map'' interfere?

How do name and phone number of `dialer map' interfere?

We use the telephone number first actually.  If the
caller id matches the telephone number to call, then you don't need the
'name' parameter with a phone number.

I realized that the above is ambiguous, so let's do this.  You have:

  dialer map ip x.x.x.x name <param1> <phone-num>

<param1> is used for incoming authentication.  It can be either the hostname,
for PAP and CHAP, or it can be a number as returned by caller id.  If this
is not there, and it is an imcoming call, and there is caller id, we will
compare against <phone-num> to see if that matches.

Not sure I've been clear here.

**************************************************************************

From: Question 36
Date: 22 April 1996
Subject: What's the purpose of the network command?

>*  what is the real purpose of the network subcommand of
>   router commands?  When do I not want to include a network
>   I know about?

The real purpose of the 'network' sub-command of the router commands is to
indicate what networks that this router is connected to are to be
advertised in the indicated routing protocol or protocol domain. For
example, if OSPF and EIGRP are configured, some subnets may be advertised
in one and some in the other. The network command enables one to do this.

An example of such a case is a secure subnet. Imagine the case where a set
of subnets are permitted to communicate within a campus, but one of the
buildings is intended to be inaccessible from the outside. By placing the
secure subnet in its own network number and not advertising the number, the
subnet is enabled to communicate with other subnets on the same router, but
is unreachable from any other router, barring static routes. This can be
extended by using a different routing protocol or routing protocol domain
for the secure network; subnets on the various routers within the secure
domain are mutually reachable, and routes from the non-secure domain may be
leaked into the secure domain, but the secure domain is invisible to the
outside world.

**************************************************************************

From: Question 37
Date: 22 April 1996
Subject: What is VLSM?

A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing
resources to subnets according to their individual need rather than some
general network-wide rule. Of the IP routing protocols supported by Cisco,
OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.

Historically, EGP depended on the IP address class definitions, and
actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP
addresses (32 bit numbers); RIP and IGRP exchanged network and subnet
numbers in 32 bit fields, the distinction between network number, subnet
number, and host number being a matter of convention and not exchanged in
the routing protocols. More recent protocols (see VLSM) carry either a
prefix length (number of contiguous bits in the address) or subnet mask
with each address, indicating what portion of the 32 bit field is the
address being routed on.

A simple example of a network using variable length subnet masks is found
in Cisco engineering. There are several switches in the engineering
buildings, configured with FDDI and Ethernet interfaces and numbered in
order to support 62 hosts on each switched subnet; in actuality, perhaps
15-30 hosts (printers, workstations, disk servers) are physically attached
to each. However, many engineers also have ISDN or Frame Relay links to
home, and a small subnet there. These home offices typically have a router
or two and an X terminal or workstation; they may have a PC or Macintosh as
well. As such, they are usually configured to support 6 hosts, and a few
are configured for 14. The point to point links are generally unnumbered.

Using "one size fits all" addressing schemes, such as are found in RIP or
IGRP, the home offices would have to be configured to support 62 hosts
each; using numbers on the point to point links would further compound the
address bloat.

One configures the router for Variable Length Subnet Masking by configuring
the router to use a protocol (such as OSPF or EIGRP) that supports this,
and configuring the subnet masks of the various interfaces in the 'ip
address' interface sub-command. To use supernets, one must further
configure the use of 'ip classless' routes.

**************************************************************************

From: Question 38
Date: 22 April 1996
Subject: What are some methods for conserving IP addresses for serial lines?

VLSM and unnumbered point to point interfaces are the obvious ways.

The 'ip unnumbered' subcommand indicates another interface or sub-interface
whose address is used as the IP source address on messages that the router
originates on the unnumbered interface, such as telnet or routing messages.
By doing this, the router is reachable for management purposes (via the
address of the one numbered interface) but consumes no IP addresses at all
for its unnumbered links.



*******************************************************************************
*******************************************************************************
Start of rev 2.00 section!
*******************************************************************************
*******************************************************************************



**************************************************************************

From: Question 39
Date: 02 February 2002
Subject: Flash upgrade issues for Cisco 2500 series routers
Answer by: Terry Kennedy <terry@gate.tmk.com>


> When I remove the original flash and replace it with ether one or both of
> the new flash chips, I get the following error on boot upand the router ends
> up in boot mode.:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash


  This has to be the most common FAQ for this group. You have non-Intel
flash chips on your new SIMMs and boot ROMs that are too old to know about
the different access method for the flash chips you have.

  You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from
Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that
Intel no longer makes those chips, which is why everybody has this prob-
lem.

**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: How do I prevent my switch ports from going into ErrDisable state?
Answer by: "bt" <@speakeasy.org>

The 2 commands that are in the newer CatOS (5.4+) to automatically recover from
errdisable are:

* set errdisable-timeout enable <reason>
* set errdisable-timeout interval <seconds>

the <reason> can be 1) bpdu-guard, 2) channel-misconfig, 3) duplex-mismatch,
4) udld  5) other and 6) all.
The <seconds> defaults to 300 seconds, you could make that more aggressive,
down to 30.

if you want, you can disable the errordetection as well:

* set errordetection portcounters disable

by default it's on for portcounters and disabled for memory and inband
management.

But please keep in mind that you need to fix the problem.  The ports are going
into ErrDisable mode for a reason!

**************************************************************************

From: Question 41
Date: 02 February 2002
Subject: How do I configure a router to act as a Frame-Relay Switch?
Answer by: From: "BM" <bmorgan@dont.spam.me.ieee.org>


config t
1
frame-relay switching
!
interface Serial0
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 !  In the config below, the 102 is the DLCI that will be
 !  presented to the router connected to this - S0 -
 !  interface.  201 is the DLCI that is mapped to S1
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301

interface Serial1
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302

interface Serial2
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
 frame-relay route 302 interface Serial1 203


                 ________              ______
                |  FR SW |_S2______S0_| R3   |
                |_______ |            |______|
               S0 /        \ S1
                 /          \
                /            \
         S0  __/___          _\_S0__
            |  R1 |         |   R2  |
            |_____|         |_______|

R1 S0, R2 S0 and R3 S0 will be on the same subnet.  You can treat it as p2mp.
I put all the DCE ends of the cables on the Frame Switch, so clock rate is
defined there.  However, this is not a requirement.  The FR Switch router
does not need to have the DCE end.  Regardless of the gender of the cable,
however, the "frame-relay intf-type dce" is required.  I defined the DLCIs
as  Source Router + 0 + Destination Router.  So if the circuit goes from
R1 to R3 it's DLCI 103.  From R3 to R1 it's DLCI 301.  You get the idea.

**************************************************************************

From: Question 42
Date: 02 February 2002
Subject: What are the different types of memory used by Cisco Routers?
Answer by: Michael Shorts <mshorts@cisco.com>


The 2500 Series and 7204 VXR have the same types of memory, but they are
implemented in different physical packages:

ROMMON - This is the initial bootstrap for the router.

Boot Helper - This is a subset of IOS that is used to update software or
network boot. The 2500 implements the ROMMON and boot helper in a set of two
ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash
memory on the I/O controller called boot flash.

Main memory - This is used to hold routing tables, and IOS variables. In the
7204 VXR, IOS itself is also resident in main memory. The 2500 Series
usually runs the IOS directly in flash.

Shared memory - This is the memory that holds packet buffers. On the 2500
Series, this is part of the same physical memory as main memory. On the 7204
VXR, it's separate memory.

Flash memory - This memory holds the IOS image. On the 2500 Series, there
are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA
slots on the I/O controller which can take a 128 MB flash disk.

Configuration memory (NVRAM) - This is the memory that holds the IOS
configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is
128 KB battery backed up SRAM on the I/O controller.

**************************************************************************

From: Question 43
Date: 02 February 2002
Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?
Answer by: "Alberto Colmenero" <san@mobilix.dk>


Doc CD Content appears garbled:
The Doc CD content is compressed - it requires Verity to decompress it. This
is why Verity is used on the Doc CD. What has happened is you've tried to
directly open up index.html off the CD into your browser, and this is not
possible todo. The CD must be accessed through the Verity Web Publisher
through:
http://127.0.0.1:8080/home/home.htm
This is the startup address that is launched when you click on "Launch CD."


Windows 2000 and Doc CD:
Pre-July 2000 Documentation CDs do not work on Windows 2000 out of the box.
They will cause "Search.exe" to crash when run under Win2k.

There is a fix that sometimes works for these CDs at:
http://www.cisco.com/warp/public/620/ioscd.html.
 This fix MUST be done BEFORE you install the CD. If the
CD has already been installed, then uninstall it, delete c:\cisco,
make this registry change, then re-install the Doc CD.(both the Browser
Software Installer and The Documentation CD
(I have tried this on My labtop which is running windows 2000 and it worked
fine but I had to delete c:\Cisco first and Lunch the Browers software
Installer CD (1) first then the Document CD(2) (my version of CD was Nov
1999)

(I have already sent this one to you did you delete c:\Cisco and lunch both
CDs)

Other fixs are shown

The Doc CD starts up to about:blank
There are two alternate fixes for this:

1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm
for the address, and then add it to your favorites.
-
or
-
2. This is a 4-step fix:
A. Ensure that search.exe is not running.
B. Edit the installed search.ini (c:\CISCO\search.ini).
C. Change the line 'Browser=c:\program files\internet explorer\iexplore.exe'
to 'Browser=msie'
D. Launch the CD.



Nothing happens when I click Launch CD
The usual cause for this is that you've installed a post-July 2000
Documentation CD over the top of a previous Doc CD.
The fix for this is to:
1. Uninstall the Doc CD from the control panel->add/remove programs.
2. Delete c:\cisco
3. Reinstall the Doc CD.


Finally to reorder a CD
The Cisco Documentation CD is also available online at:
http://www.cisco.com/univercd/home/home.htm

**************************************************************************

From: Question 44
Date: 02 February 2002
Subject:  How dow I load a large image on a 2500 *lab* router?
Answer by:  vcjones@NetworkingUnlimited.com (Vincent C Jones)

For production work (support by Cisco required) you need 16M Flash
to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0
Enterprise is small enough (about 10M) to run from RAM (upgrading to
16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a
compressed image in the 8M of flash you do have.

12.1 Enterprise is 14M so it must be run from flash (otherwise there is
not enough RAM remaining to even complete loading of the OS).

Check the release notes on www.cisco.com for the IOS release you want to
use. If the actual size of the IOS plus the minimum recommended RAM
totals less than 16MB, you can run compressed or boot from TFTP without
expanding flash.  Check deja-news on google if you are unclear on how to
run a compressed image on the 2500, it is a frequent request and
hopefully will turn up in the renovated FAQ when Hansang gets a chance
to publish it.


**************************************************************************

From: Question 45
Date: 02 February 2002
Subject: daisy-chaining reverse telnet console-aux ports
Answer by:  Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux --> console and using reverse telnet to get to them...
>
> However when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router.  If I kill the AUX line, then initiate the
> reverse telnet again, I fall through router 2 and 3 to 4 again...
> Is there an easy way to fall back one router at a time?
> or should I not bother to do this?


You have two options.  One is to use a different escape character on the
second (third, fourth etc) console (and/or vty)

conf t
  line con 0  /* or vyt 0 4 */
  escape-character 23

This will let you use CTRL-W then X to break out reverse telnet.

Or

You can use CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the second
session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the
third session, etc.


**************************************************************************

From: Question 46
Date: 02 February 2002
Subject: What Windows chatter could bring up and ISDN line?
Answer by: "Phillip Remaker" <remaker@cisco.com>

> ...we get multiple spurious dial-ups after every intended one.
> The first unwanted one occurs about 20 minutes after the intended one,
> and the subsequent unwanted ones about every 20 minutes after that.
> All last exactly 200 seconds, which is the configured router hangup
> time.
> Does anyone have any idea what might be causing these?

Yep.  See http://support.microsoft.com/support/kb/articles/Q135/3/60.asp
for all of the periodic packet transmissions associated with Windows
Networking.

Dialer access lists will not help you, since identifying information is too
deep inside the packet and therefor indistinguishable from real traffic 8-(.


**************************************************************************

From: Question 47
Date: 02 February 2002
Subject: How do I make NTP packets so it's only interesting on router bootup?
Answer by: Paul J Murphy <paul@murph.org>

!
access-list 101 permit udp any any eq ntp time-range sntp-dial
access-list 101 deny   udp any any eq ntp
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
time-range sntp-dial
 absolute end 00:00 01 January 2000
!

The time there doesn't really matter as long as it is later than the
epoch time for the device in question, and earlier than the current
time. 01/01/2000 was just the arbitrary choice I made last time I
configured that.

With that config, NTP will bring up the line if and only if the clock
on the Cisco has not already been set.

For an unattended installation which may not dial up very frequently,
it may be worth using a time-range which allows dialling once per day
to keep the clock reasonably well synced. If your usage pattern
results in the line coming up frequently, that is an unnecessary
step. Constructing an appropriate time-range statement is left as an
exercise for the reader.

If it's a small single user LAN, it's considered polite to avoid the
stratum-1 servers. Most ISPs should provide NTP servers for customer
use, eg try ntp.<isp>.net, timehost.<isp>.net, ntp0.<isp>.net,
ntp1.<isp>.net, etc. Apart from not overloading valuable global
resources, using a NTP server local to your ISP will probably provide
a more stable time service due to lower latency between the client and
server.

See also http://www.get-time.org/ for the UK government NTP initiative
(Greenwich Electronic Time).


**************************************************************************

From: Question 48
Date: 02 February 2002
Subject: How do I setup Lock & Key ACL?  Or punch temporary holes in my
         ACL if someone authenticates to my router?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


username foobar password cisco
!
int s0
   ip address 1.1.1.1 255.255.0.0
   ip access-group 101 in
!                                        /* or port 22 for ssh */
access-list 101 permit tcp any host 1.1.1.1 eq telnet
access-list 101 dynamic foobar permit ip any any
!
line vty 0 2
  login local
  autocommand access-enable host timeout 5
line vty 3 4
  login local
  rotary 1

The first access list allows telnet into the router.   Your users will
telnet into router and authenticate with username foobar and password
"cisco"

The router will then immediately disconnect the telnet session.  When
they successfully authenticate, an access list with their source IP will
be added to the dynamic list.  Basically, if they authenticate correctly,
they can come in to the inside network.  After 5 mins of inactivty the
entry will be deleted from the access list.

The vty 3 and 4 are using the rotary command so that you can telnet to
your router with the command:  "telnet 1.1.1.1 3001"  This takes you to
vty 3 (or 4).  This way, you can telnet into the router and actually
manage it.  A very subtle but VERY important point.  If you forget this,
you'll be making a trip to use the console port.


**************************************************************************

From: Question 49
Date: 02 February 2002
Subject: How do I telnet to a specific VTY line?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See "rotary" example in question 48.



**************************************************************************

From: Question 50
Date: 02 February 2002
Subject: Is there a better (free) tftp server than the one by Cisco?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

3CDv2r10.zip file located at:
http://support.3com.com/software/utilities_for_windows_32_bit.htm


**************************************************************************

From: Question 51
Date: 02 February 2002
Subject: How do I use the Cisco Documentation CD (UniverseCD) under Linux?
Answer by: Vincent C Jones VCJones@NetworkingUnlimited.com

Another option is to suffer like us Linux users and forego the
ability to search the CD (but hey, for that you can go online). The
technique below works fine if your platform can run an Apache web
server. Note the update for more recent CD's which use bzip2 rather
than gzip compression.


Using Apache/1.3.3, I use these configuration directives:

-----CUT HERE-----

Alias /cisco/ /cisco-cdrom-mount-point/

<Directory /cisco-cdrom-mount-point>
Options Indexes
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>

<Location /cisco/cc/>
AddEncoding x-gzip htm pdf
</Location>

-----CUT HERE-----

and then, you should be able to acces all compressed contents!
Start with 'http://localhost/cisco/home/home.htm'.

All the trick is to make Apache tell netscape (or ie, or lynx)
that contents must be gunziped (HTTP/1.1 Mime-Encoding header).

**************************************************************************---

Update added July 15, 2000 by Dr Vincent C Jones, PE:

Starting July 2000 or so, the encoding switched to bzip2. So change
the apache entries to "x-bzip" and add bzip entries if required to
/opt/netscape/Netscape.ad as shown below

*encodingFilters:                 \
    x-compress :  : .Z       : uncompress -c    \n\
    compress   :  : .Z       : uncompress -c    \n\
    x-bzip     :  : .bz,.bz2 : bzip2 -cdq    \n\
    bzip       :  : .bz,.bz2 : bzip2 -cdq    \n\
    x-gzip     :  : .z,.gz   : gzip -cdq    \n\
    gzip       :  : .z,.gz   : gzip -cdq    \n

=================================================================





Using Apache/1.3.3, I use these configuration directives:

-----CUT HERE-----

Alias /cisco/ /cisco-cdrom-mount-point/

<Directory /cisco-cdrom-mount-point>
Options Indexes
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>

<Location /cisco/cc/>
AddEncoding x-gzip htm pdf
</Location>

-----CUT HERE-----

and then, you should be able to acces all compressed contents!
Start with 'http://localhost/cisco/home/home.htm'.

All the trick is to make Apache tell netscape (or ie, or lynx)
that contents must be gunziped (HTTP/1.1 Mime-Encoding header).



**************************************************************************

Update added July 15, 2000 by Dr Vincent C Jones, PE:

Starting July 2000 or so, the encoding switched to bzip2. So change
the apache entries to "x-bzip" and add bzip entries if required to
/opt/netscape/Netscape.ad as shown below.

*encodingFilters:                 \
    x-compress :  : .Z       : uncompress -c    \n\
    compress   :  : .Z       : uncompress -c    \n\
    x-bzip     :  : .bz,.bz2 : bzip2 -cdq    \n\
    bzip       :  : .bz,.bz2 : bzip2 -cdq    \n\
    x-gzip     :  : .z,.gz   : gzip -cdq    \n\
    gzip       :  : .z,.gz   : gzip -cdq    \n

**************************************************************************

Update added June 10, 2001 by Dr Vincent C Jones, PE:

Newer versions of Netscape do not use a Netscape.ad file. Instead, the
changes can be made to ~/.Xdefaults. Note that these changes CANNOT be
added from Netscape using edit/preferences.



**************************************************************************

From: Question 52
Date: 02 February 2002
Subject: How do I NAT on a single Cisco 2503 Ethernet interface
Answer by: "Pawel Sikora" <psi@polbox.WYCIEP-TO.pl>

interface Loopback0
 ip address 10.0.255.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address xxx.yyy.zzz.ttt 255.255.255.248
 ip nat outside
 ip policy route-map LOOPNAT
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map LOOPNAT permit 10
 match ip address 1
 set interface Loopback0
!
------------------------
Note that Lo0 interface may have any ip address.



**************************************************************************

From: Question 53
Date: 02 February 2002
Subject: How do I hide a summarized OSPF router from one ABR to another?
Answer by: Alex Bakhtin <bakhtin@amt.ru>

area 1 range x.x.x.x x.x.x.x not-advertise



**************************************************************************

From: Question 54
Date: 02 February 2002
Subject: What is the pinout for the Console port on a 2518?
Answer by: Michael Shorts (mshorts@cisco.com)



The CISCO2518 has a console port on the hub card which is a different pinout
than the standard Cisco console (the hub card is an OEM from another company)

The pinout is:

Management Console Pinout
 RJ-45 pin
          Description
                    Direction
                             DB-25 pin
 1
          TxD
                    output
                             3
 2
          GND
                    -
                             7
 3
          RTS
                    output
                             5
 4
          CTS
                    input
                             4
 5
          DTR
                    output
                             6
 6
          DSR
                    input
                             20
 7
          shield
                    -
                             -
 8
          RxD
                    input
                             2

Note that the console port does not support RTS/CTS hardware flow control.




**************************************************************************

From: Question 55
Date: 02 February 2002
Subject: How do I find the "real" IOS name when the file is in DOS format?
Answer by: Terry Kennedy <terry@gate.tmk.com>




Given:
> -rw-rw-r--  1 jomo  sol3  8465736 May 30 08:49 aaa1324.bin
> -rw-rw-r--  1 jomo  sol3  7891164 May 30 08:49 aaa1325.bin
> -rw-rw-r--  1 jomo  sol3  7347200 May 30 10:46 aaa1326.bin

  Try "strings aaa1234.bin". You should see something like:

  Cisco Internetwork Operating System Software
  IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)

  near the end, mixed in with all the other junk. If these are compressed
(mz-style) images, you'll have to unzip them first. Ignore the warning that
says something like:

(9:44) gate:/tmp# unzip c5300-j-mz.120-8.bin
Archive:  c5300-j-mz.120-8.bin
warning [c5300-j-mz.120-8.bin]:  19376 extra bytes at beginning or within
zipfile
  (attempting to process anyway)
  inflating: C5300-J-.BIN

  and then grep the resulting file.





**************************************************************************

From: Question 56
Date: 02 February 2002
Subject: How do I setup Windows 2000 and IPSec to PIX FIrewall
Answer by: "Steven Griffin" <segjr@gte.net>


To describe how to use the Local Security Policy MMC in W2K would take a
long time.  So, the config I will share with you is the 'dial-up' one I
mentioned before.  In this posting I will detail the bare minimum needed to
get a W2K client working with a PIX firewall running v6.01 software. For
simplicity I use a preshared key for authentication.  Since I have to embed
this key into the script I use it makes the configuration open and thus
vulnerable. However, you should be able to tweak the configuration from this
to meet your own security needs.  The W2K IPSec client supports certificates
as well as preshared keys so a "secure" version of this config is
attainable.

The configuration script I eked (it isn't beautiful code) out is actually
written in Perl.  If you would like to re-write it in the old DOS batch file
format, please do so.  Otherwise, you should find a copy of Perl for NT/W2K.
I use the version found at http://www.activestate.com. The Perl script I
show here is documented as to what it does.  The MS ipsecpol.exe program
that you have to use has it's own documentation which you should read.  For
the PIX I give you only the crypto, isakmp, and sysopt commands you need to
issue to your PIX to make this config work.  The config assumes that the PIX
has NAT enabled.

Ok, enough blabber, here it is... I hope it is helpful!

For the purposes of this 'demo' config.  The PIX Firewall will have
192.168.0.1 as it's outside IP.  The inside network will be the 10.0.X.X
network.  The inside router will be 10.0.0.1

Quick Network Schematic:

[W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] --->
[Internet]---->[PIX Firewall(192.168.0.1)] ---> [Internal LAN
(10.0.X.X)] --> [Inside Router (10.0.0.1)]

The PIX firewall commands needed are:

sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible

crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside

isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside

The Perl script I wrote is as follows.  I execute this script everytime I
establish a connection with my dial-up ISP. It then sets up the IPSec tunnel
using my current ISP assigned IP Address.

#begin listing

# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.

# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at somepoint but I am in a hurry right
now.

 use Net::hostent;
 use Socket;

 #Two Variables: One for the local IP Address and one for the VPN Server
 #This script assumes that the VPN Server has a static IP

 $localipaddress, $VPNHostIP='192.168.0.1';

 #The following section of code discerns the IP address of host provided
 #in the command line arguements.  The default is the localhost.
 #NOTE: The code section is smart and gives you a routable IP (if available)
and not just 127.0.0.1
 # This section is pretty much identical to the one found on the PERL
documentation site.
 # I just added an assignment of the discerned ipaddress to the
$localipaddress variable.
 # I also changed the @ARGV assignment to 'localhost' instead of
'netscape.com'

   @ARGV = ('localhost') unless @ARGV;
 for $host ( @ARGV ) {
    unless ($h = gethost($host)) {
 warn "$0: no such host: $host\n";
 next;
    }
    printf "\n%s is %s%s\n",
     $host,
     lc($h->name) eq lc($host) ? "" : "*really* ",
     $h->name;
    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
  if @{$h->aliases};
    if ( @{$h->addr_list} > 1 ) {
 my $i;
 for $addr ( @{$h->addr_list} ) {
     printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
 }
    } else {
    #my modification is on the next line.
 printf "\taddress is [%s]\n", $localipaddress= inet_ntoa($h->addr);
    }
    if ($h = gethostbyaddr($h->addr)) {

 if (lc($h->name) ne lc($host)) {
     printf "\tThat addr reverses to host %s!\n", $h->name;
     $host = $h->name;
     redo;
 }
    }
 }

 #This next section is a very modified version of the Ping example on the
Perl Documentation Website.

 #Now that we know our IP address, we can setup the IPSec tunnel.
 #First we try and ping our VPN server.
 use Net::Ping;
 $p = Net::Ping->new("icmp");
 print "\nCan I see my firewall? ";
  if ($p->ping($VPNHostIP) )
 {
  print "Yes\nAttempting to initialize IPSec Connection";

  #Now that we can see our server, lets stop and start the W2K IPSec Policy
Agent.
  #This deletes any 'dynamic' IPSec policies that may have been in effect
before.
  print "\nResetting IPSec Policy Agent";
  $cmdstring='Net Stop "IPSec Policy Agent"';
  system($cmdstring);
  $cmdstring='Net Start "IPSec Policy Agent"';
  system($cmdstring);

  #Now we issue the ipsecpol command to setup the tunnel to our VPN Server.
  #The ipsecpol command line utility can be found on Microsoft's Website.
  # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
  # or
  #
http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5
/EN-US/ipsecpol_setup.exe

  #MS requires two ipsecpol commands be issued in order to setup a tunnel.
  #One for the inbound traffic and one for the outbound traffic.
  # For this Tunnel I used the following settings:
  #  The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP
Address.
  #  The tunnel setting '-t' is either My IP Address or the VPN Server's IP
Address.
  #  The security method list '-s' is for DES-MD5-1
  #  The security negotiation setting '-n' is for ESP[DES,MD5]
  #  We are using QuickMode key exchange '-1k' rekeys after 10 quick modes
'10q'
  #  We are using perfect forward secrecy '-1p'
  #  For authentication we are using a preshared key '-a'
  #    NOTE: the preshared key must be enclosed in double quotes
  # See the documentation of the utility for further details.
  print "\nSetup IPSec Tunnel";

  #This sets-up the inbound leg of the tunnel.  We are filtering all traffic
inbound from 10.0.X.X to our IP address.
  #The critical part of this statement is that the -t arguement must contain
our local IP.
  $cmdstring = 'ipsecpol -f 10.0.*.*='.$localipaddress.' -t
'.$localipaddress.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a
PRESHARE:"gobbeldygook"';
  printf "\n%s",$cmdstring;
  system($cmdstring);

  #This sets-up the outbound leg of the tunnel.  We are filtering all
traffic outbound to 10.0.X.X from our IP address.
  #The critical part of this statement is that the -t arguement must contain
the VPN Server's IP Address.
  $cmdstring = 'ipsecpol -f '.$localipaddress.'=10.0.*.* -t
'.$VPNHostIP.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a
PRESHARE:"gobbeldygook"';
  printf "\n%s\n",$cmdstring;
  system($cmdstring);

  #Now that we have issued our commands.  We should test the network and see
if we can see inside it.
  #The internal router is the easiest target.  Here it is 10.0.0.1.

  #We first do a ping just so that the IPSec tunnel with negotiate. W2K does
not setup the tunnel
  # until you actually try and send traffic to a IPSec filtered IP address.
  #Now we do another ping and tell the user what happened.
  print "\nTrying to ping internal network: ";
  $p->ping("10.0.0.1");
  if ($p->ping("10.0.0.1"))
    {
      print "Success\n";
      sleep(1);
    } else {
      print "Failure\n";
      sleep(1);
    }
 } else {
  # If we reach this point, we could not see our VPN Server's external IP
address from our ISP.
  print "No\nTry redialing your ISP";
  sleep(3);
 }
 $p->close();
 #end listing



**************************************************************************

From: Question 57
Date: 02 February 2002
Subject: How do I use tftpdnld via Ethernet port on a 2600?
Answer by: "Joel" <joelyung@yeah.net>


Press Ctrl+Break on the terminal keyboard within 60 seconds of the power-up
to put the router into ROMMON.

rommon 1 > IP_ADDRESS=172.15.19.11
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=172.16.19.1
rommon 4 > TFTP_SERVER=172.15.20.10
rommon 5 > TFTP_FILE=/tftpboot/c2600-i-mz
rommon 6 > tftpdnld


**************************************************************************

From: Question 58
Date: 02 February 2002
Subject: How do I setup MultiLinkPPP?
Answer by: "Patrick M. Hausen" <hausen@nospam.de>

multilink PPP without virtual template

 int Multilink1
  description multilink bundle
  ip unnumbered Loopback0
  ppp multilink
  multilink-group 1
!
 int Ser0
  description first T1 line
  encaps ppp
  ppp multi
  multilink-group 1
!
 int Ser1
  description second T1 line
  encaps ppp
  ppp multi
  multilink-group 1

Again, recent software necessary: at least 12.0T or 12.1
or one of the ISP branches (12.0S).


**************************************************************************

From: Question 59
Date: 02 February 2002
Subject: How much memory is taken up by BGP routes?
Answer by: "Laron Swapp" <laron.d.swapp@intel.com>


As a reference, please see the following from
http://www.cisco.com/warp/public/459/
I'd like to drill down another level to decide why each entry contains 240
bytes!  Tech Tip: How Much Memory Does Each BGP Route Consume?

Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in
the BGP table and another 240 bytes in the IP routing table. Each BGP path
takes about 110 bytes.


**************************************************************************

From: Question 60
Date: 02 February 2002
Subject: What is the difference between a CiscoPro model and a regular one?
Answer by: Michael Shorts <mshorts@cisco.com>

It depends on the model. With some models, it's just a different paint
color. Other models have a special key that restricts the software
images that can be used (for those, there is a "cookie programming"
utility to turn it into a "regular" unit).


**************************************************************************

From: Question 61
Date: 02 February 2002
Subject: How do I stop my router from looking for cisconet.cfg or
         network-config?
Answer by: vcjones@NetworkingUnlimited.com (Vincent C Jones)

Look up "service config" in the manual (available on www.cisco.com if
you do not have a local copy). Turn it off using the command "no service
config" in configuration mode.


**************************************************************************

From: Question 62
Date: 02 February 2002
Subject: How do I setup DHCP service on my router?
Answer by: Dave Phelps <tippenring@nospam.bigfoot.com>

Here is my 1601 performing as a DHCP server config...
The static pool is how I use DHCP to assign the same IP to the same PC
each time, essentially a static IP address assignment. The only other
requirement would be that on the interface DHCP requests will be
received, if you have an inbound ACL, bootp must be permitted.

ip dhcp excluded-address 192.168.3.1 192.168.3.9
!
ip dhcp pool dhcp-pool
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   netbios-node-type b-node
   dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
!
ip dhcp pool static-pool
   host 192.168.3.2 255.255.255.0
   client-identifier 0100.00c5.0cbd.7e
   client-name main_pc
   default-router 192.168.3.1
    dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee



**************************************************************************

From: Question 63
Date: 02 February 2002
Subject: How do I configure a trasparent proxy redirecting on CISCO router?
Answer by: alan@internal.wj.com (Alan Strassberg)


>It is possible to configure an trasparent proxy redirecting on CISCO router?
>I would like to redirect all www requests from specific IP addresses to
>other IP address and other port.

	A route-map does the IP redirection nicely, I've used it for
	http and smtp. Not sure about switching ports simultaneously
	with the same route map, but you could fix this with 'ipfw'
	or similar on the host. Be sure you have 'ip route-cache policy'
	enabled to save CPU on the interface. WCCP is another option.

	http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5


**************************************************************************

From: Question 64
Date: 02 February 2002
Subject: How do I use the PCMCIA slot in my 2500 router?
Answer by: "Josh Duffek" <joshd@cisco.com>


That slot is not used anymore.  It was used about four years ago to load
boot helper code or feature set upgrades.


**************************************************************************

From: Question 65
Date: 02 February 2002
Subject: What cable do I use on 1900 switch with a DB9 Console connector?
Answer by: "aros.net" <nelson@aros.net>

Hi,  Thanks for the help.  Just so anyone searching the achieves will find
the answer, for an old catalyst 1900 switch a db9 female to db9 female null
modem cable works great and solved my console connection problem.

For the search engines the terminal program was returning.  ATQ0H0 and
ATQ0Z0  on a old cisco catalyst 1900 switch.


**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: How do I use a route-map to limit redistribution in OSPF?
Answer by: hbae_@_nyc.rr.com.REMOVE_ (Hansang Bae)


!  /*  match only 172.16.10.x and 172.16.11.0 subnets */
!
access-list 1 permit 172.16.10.0 0.0.1.255
!
!
!  /* use access-list 1 to determine what gets matched */
!
route-map LoopbacksOnly permit 10
   match ip address 1
!
!
!  /* redistribute connected networks, any and all subnets,   */
!  /* and seed it as E2 type. Note that throughout your       */
!  /* OSPF domain, your loopbacks will have a metric of 20    */
!  /* 20 is the default metric when you redistribute into     */
!  /* OSPF.  Except for BGP routes which get a metric of 1.   */
!  /* Also use the route-map LoopbacksOnly to selectively     */
!  /* redistribute only the ones we want to redistribute.     */
!
router ospf 200
   redistribute connected subnets metric-type E2 route-map LooopbacksOnly



**************************************************************************

From: Question 68
Date: 02 February 2002
Subject: How do I connect 675 DSL units back to back?
Answer by: "Josh Duffek" <joshd@cisco.com>

Well I found out that you can hookup other DSL boxes back to back...here is
part of an email I found on it:

you need:
'dsl equipment-type CO' on one side and
'dsl equipment-type CPE' on the other

Here is a working example from the lab:

(The distance limitation should be the same
as the one found in the docs)

also, you can run 'debug dsl-phy' a new
command to look at the trainup.

(CO side, an 828)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CO
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
 !
!

(CPE side, a SOHO78)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.1 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
 !



**************************************************************************

From: Question 68
Date: 02 February 2002
Subject: How do I format the PCMCIA card on a 3600?
Answer by: "Brian" <nondogmatist@hotmail.com>

Thanks guys. The "erase slot0" turned the trick. I appreciate the help.



**************************************************************************

From: Question 69
Date: 02 February 2002
Subject: How do I read Token Ring Mac and RIF?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


> Of the following Token Ring Source MAC addresses, which one indicates to
> receiving hosts that RIF is present.
> A.0007.7816.fe58
> B.1007.7816.fe54
> C.7007.7816.fe54
> D.8007.7816.fe58
> E.3007.7816.fe54
>
> The correct answer is D and here is the explanation: "When a RIF is present,
> the first bit of the source MAC addresse is set to 1. Therefore, any address
> that begins with 8 through f denotes that a RIF will follow the source MAC
> address."
>
> Here is my analysis:
> 8:1000  9:1001  a:1010  b:1011  c:1100  d:1101   e:1110   f:1111
>
> Fine, we see that the first bit is set to 1 and a RIF will follows. My
> confusion is this: Is 8007.7816.fe58 is actually a MAC address that is seen
> on the other side? I thought we suppose to swap the MAC address if
> configured with RSRB or SRT?


You swap the bits in the MAC because Ethernet is canonical and TR is non-
canonical.  There would be no translation in TR to TR.  And by
definition, if the otherside saw the item D as the address, it would have
to be TR as there are no RIFs in Ethernet world.


> What kind of concept behind changing this first
> bit of MAC address? Say like I have a MAC 2678 and I like to set the first
> bit to 1, so it change to what, 8,9,a,b,c,d,e, or f? I know the few first
> bits of MAC represent certain vendor identity, but by changing the first bit
> in MAC, is it something kind of odd? What about ARP or RARP service to this
> changing? and all and all. Help please.


In Etherenet, the 47th place bit (first one from the left if the MAC was
written in binary) represents whether this is a Group or Individual mac
address.  All group addresses (including the broadcast) will have this
set to a binary 1.   The 46th place bit (second one from the left if the
MAC was written in binary) represents the Globally Unique or Locally
Assigned bit.

If you change your MAC, it should set the 46th bit.  (of course many
drivers do not do this these days).

The part that can get confusing is that Most Significant *BYTE* is
transmitted first.  But within that byte, the Least significant *BIT* is
transmitted first.  For those of you who dealt with ODI drivers in DOS
days, whenever you loaded up the LSL.com, it said ....LSB Mode.... That
signified that it was running in Least Significant Bit mode.  Just a bit
of trivia for you trivial buffs.

Here's a concrete example:

Let's say my MAC address on this machine is:  08-10-A4-C5-B3-4D

How would this get transmitted?  Well, we know that 08 will go first
(it's the most significant *byte*), then 10, then A4 etc.  So when 08
gets transmitted, remember that it's the LSBit that hits the wire
first... so

08 in binary is:  00001000
So the transmission order is 0, 0, 0, 1, 0,0,0,0.

I'll skip the 10 since it's equally uninteresting.  Moving on to A4

A4 in binary is:  10100100.
So  the transmission order is 0, 0, 1, 0,0,1,0,1



**************************************************************************

From: Question 70
Date: 02 February 2002
Subject: How are Ethernet MAC addresses transmitted?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See quesiton 69.


**************************************************************************

From: Question 71
Date: 02 February 2002
Subject: Why are the 46th and the 47th bit significant in Ethernet MAC address?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See quesiton 69.



**************************************************************************

From: Question 72
Date: 02 February 2002
Subject: Why can't I upload an IOS image on to my flash on my 2500 router?
Answer by: Michael Shorts <mshorts@cisco.com>

> i took one from another 2500, same label E28F008SA and unfortunalely,
> same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
> 0x2101


The flash in your system is not recognized by the boot ROM. You can upgrade
your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).



**************************************************************************

From: Question 73
Date: 02 February 2002
Subject: How do I configure my router so it becomes a DHCP CLIENT?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

If you have 12.1(2)T or better and you need:
C800, C100x, C1400, C160x, C17x0, C25xx, C26xx, C36xx, C4x00, C64xx,
C7x00, C8500, and C12000

UBR900, UBR7200

MC3810

The interface command is "ip address dhcp"



**************************************************************************

From: Question 74
Date: 02 February 2002
Subject: Does my Cisco terminal server send a BREAK signal on reboot?
Answer by: Aaron@Cisco.COM (Aaron Leonard)


2611's or 2511's?  The NM-A async modules do NOT exhibit the break-on-poweroff
problem.  See http://www.conserver.com/consoles/breakinfo.html
for an independent report.



**************************************************************************

From: Question 75
Date: 02 February 2002
Subject: How do I access the Console port on an AccessPro (AP-EC) card?
Answer by: levinm@iserv.net (Martin H. Levin)

I have had similar problems accessing the console on the AccessPro
card.  I read somewhere that the AccessPro has a problem with Windows,
which during the boot probes the serial ports looking for the mouse.
My answer to ths has been to put the card in an old 486 and use dos
with an old terminal program to access the AP-EC card.  It works!  I
have two AP-EC cards in the same machine, which I have initially
configured using com ports 1 and 2 and switch the terminal program
from com1 to com2 and back as I need to set up the two cards.  Once
set up the console on each card can be reached through the aux port.

The problem with the Windows has been handy, since this setup doesn't
allow for entry into monitor when the password is lost (or you get a
bad secrets message).  After much effort and reading the Windows
problem message, I took the card out of the DOS machine, put it into a
Windows machine and sure enough the damn thing went into monitor mode
and I has able to recover/reset the password.



**************************************************************************

From: Question 76
Date: 02 February 2002
Subject: How do you setup a simple Priority Queuing?
Answer by: Richard Gallagher <rgallagh@cisco.com>


I would take a look at priority queuing, see the link below:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr
/qos_c/qcprt2/qcdpq.htm

A simple config for your case would be:

priority-list 1 protocol ip high tcp telnet
priority-list 1 default medium

interface Ethernet1
 ip address 10.1.1.1 255.0.0.0
 no ip directed-broadcast
 priority-group 1



**************************************************************************

From: Question 77
Date: 02 February 2002
Subject: What are the pro's and con's of using two ISP/BGP providers?
Answer by: vcjones@NetworkingUnlimited.com (Vincent C Jones)

>Why would you use BGP with 2 Internet T1 vs using equal cost
>static routing? What's the pros and cons? Thank you.

This question (or variations on it) get hashed out fairly routinely on
this newsgroup, hopefully Hansang will be able to include a brief
discussion in the FAQ even though it is not a Cisco specific problem.

The answer in a nutshell is: It depends.

If each T1 goes to a different ISP, then you must use BGP to have the
same public address regardless of route taken.

If each T1 goes to the same ISP and load sharing and ease of
setup/management is more important than availability, then go with
static routes.

If the T1 links do not support end-to-end keepalives, go with BGP to
avoid black holes.

If the T1 links go to different POPs of the same ISP, use BGP and
indicator routes to detect ISP segmentation.

If the T1 links go to geographically diverse POPs, then BGP with full or
local routes may improve routing efficiency.

For more detail, see the blurb I wrote for O'Reilly on the topic at
http://www.oreillynet.com/pub/a/network/2001/05/11/multihoming.html
(for those reading this out of the archives at a future date, a
more detailed version of this paper will be appearing as a White
Paper on my web site, but it will not be there until late Summer).
Chapter 8 of my book walks you through all the alternatives from
two T1s between a single router at your site and a single router
at the ISP, to two T1's between separate routers at your site to
two different ISPs. For how to get the most out of BGP, including
load sharing and efficiency considerations (my book only considers
availability), read Halabi's book.

If none of the above makes sense to you, hire a competent consultant
to walk you through the alternatives and their tradeoffs.


Note to Hansang: Feel free to extract/reuse whatever you need from
the O'Reilly blurb mentioned above, I own the copyright and will be
glad to give "reprint permission" to the FAQ as long as Networking
Unlimited gets proper credit.

***** The O'Reilly article follows: *****

by Vincent Jones 05/11/2001

Many organizations depend upon Internet connectivity to support critical
applications. One popular approach for improving Internet connectivity is to
connect to more than one Internet service provider (ISP), a technique called
multi-homing.

Multi-homing can be very effective for ensuring continuous connectivity --
eliminating the ISP as a single point of failure -- and it can be cost
effective as well. However, your multi-homing strategy must be carefully
planned to ensure that you actually improve connectivity for your company, not
degrade it.

THE CONCEPT OF PHYSICAL DIVERSITY
First, I want to discuss the network components that can affect overall
connectivity. Because most network failures are due to problems in the WAN
links, it does little good to connect to a second ISP if both ISP links are
carried over the same communications circuit. Even if independent circuits are
used -- if they are not physically diverse they will still be subject to common
failure events such as construction work inside your building or digging in the
street outside.

Providing complete physical diversity can be difficult and expensive, but the
requirement is not limited to ISP connections. All critical network links for
internal communications should also be diversified. Assuming an otherwise well-
designed internal network, the easiest way to achieve physical diversity in
your ISP connections is to connect from two different locations that are
already well-connected to each other. But they must be far enough apart that
they don't share any common communications facilities to either ISP.

REDIRECTING TRAFFIC USING THE BORDER GATEWAY PROTOCOL
Once physical connectivity is in place, you need to make it useful. Taking
advantage of redundant links requires two conditions to always be present.
First, you must be able to detect when a link has failed. Second, you must have
a mechanism for redirecting traffic that would normally flow across a failed
link to take a different path that is still functional. In a multi-homing
environment, both tasks are normally achieved by running Border Gateway
Protocol (BGP) between your routers and those of the ISPs.

BGP is often assumed to mean complex configurations on expensive, high-end
routers to handle the huge routing tables required to fully describe the
Internet. However, depending upon the specific application requirements and the
degree of load-balancing you want across all available links, it may be
practical to implement multi-homing using the smallest routers you have
available that are capable of handling the traffic load.

In other words, implementing multi-homing doesn't have to be an all-or-nothing
choice. There are choices you can make along the way based upon the equipment
you have available and the level of connectivity you need to provide.

DETERMINING LEVEL OF CONNECTIVITY REQUIRED
At one extreme, when your goal is to simply to provide internal users with
access to the Internet, you don't need to run BGP at all. As long as the link
layer protocol supports the exchange of keep-alive messages from router to
router, link failure will be detected by the link layer protocol. Floating
static routes can then reliably direct all outbound traffic to a working ISP
link.

Network Address Translation (NAT) is then used to send outbound packets with a
source IP address associated by the ISP with that outbound link. Return traffic
will automatically come back via the same working link because that link is the
only link servicing that address range.

Of course this approach will not work if you are providing services to the
outside world, as the addresses associated with the failed link will disappear.
Similarly, connections that were established over the link that failed will
need to be reconnected. However, for many applications this impact is minor.

For example, a typical web surfer would merely need to hit the "page refresh"
button. This approach is also sufficient to provide high-availability virtual
private networks (VPN) across the Internet if you use a routing protocol such
as OSPF to detect and route around failed IPSec tunnels.


The other extreme would be when you need to support a common IP address range
using both ISPs. Then you need to run BGP. This will normally be the case any
time your applications include providing services to Internet users, such as
access to a common database. You will need to arrange for both ISPs to accept
your BGP advertisements of your IP address prefixes. Then your ISPs need to
advertise those address prefixes to the rest of the Internet.

Getting your address prefixes advertised is usually not a problem. You do,
however, have to use care in your configuration to ensure that you do not
inadvertently advertise any other address prefixes. In particular, you must
ensure that you do not advertise yourself as a path between the two ISPs. This
could cause your links to be consumed by transit traffic of no interest to you.
More challenging is setting up your advertisements so that incoming traffic is
reasonably balanced between the ISP links. Achieving that can be difficult at
best, and nearly impossible at worse.

CHOOSE THE RIGHT ROUTE FOR YOU
The final decision is determining which routes to accept from each ISP. This
can range from merely accepting a default route (used to detect if the link is
up or down) to accepting all routes (so called "running defaultless"). The
former is usually insufficient, because it does not protect you from an ISP
which has an internal failure cutting them off from the rest of the Internet.
The latter requires using "carrier-class" routers with lots of memory installed
(and therefore more expensive). Fortunately, there are some "in-between"
choices.

Rather than using a simple default route, you can use a conditional default
route to protect against ISP failure behind the ISP's router that serves you. A
conditional default route is a default route that is defined by a router only
if a specific address is already in that router's routing table. Each ISP is
only used for a default route if it is advertising one or more routes that
indicate it is receiving advertisements from the rest of the Internet. That
way, you will always use a default route which promises to be useful.

Another option is to have the ISP send you just its local routes. That way, you
can optimize your outbound routing to avoid sending packets that could be
locally delivered to the wrong ISP, adding to delivery delays. Care must be
taken when using this option, however, because some ISPs have so many local
routes that there is no cost benefit in the size of the routers required to
handle them compared to running defaultless.

Options can also be combined. In many cases, taking local routes and a
conditional default route will provide all the availability benefits of running
defaultless, while still allowing the use of low-cost routers. As is always the
case in networking, a good understanding of the requirements and the available
capabilities is essential to maximizing cost-effectiveness.



**************************************************************************

From: Question 78
Date: 02 February 2002
Subject: How do I tell the difference between the differen 2900 XL switches?
Answer by: Terry Kennedy <terry@gate.tmk.com>

> There are two versions of the Catalyst 2900 switch - the
> 2900 XL and the 2900 M XL.  The 'M' model has two
> spots above the ethernet ports for the GBIC modules
> to slide into.  The 'M' is about twice the height of the
> non-M switch.

  And it's even more confusing than that. Older 2900XL M-series had 16
ports and less memory and can't run current software, so it is likely
that the Gigabit Ethernet modules wouldn't work in those units.

  A handy way to tell if a 2900XL can run current software is to look
at the port numbers next to the LED's on the base unit. If the numbers
are yellow, it can run current software. If they're white or just etched
in the plastic without any color, the switch is stuck running the older
software. Note that you have to look at the ports on the base unit - it
is possible to have a V-series expansion module with yellow numbers in-
stalled in an older M-series switch.



**************************************************************************

From: Question 79
Date: 02 February 2002
Subject: How do I suppress the transmission of PPP frames from when dialing in?
Answer by: Aaron@Cisco.COM (Aaron Leonard)

As far as suppressing the transmission of PPP frames from
the 3640 side ... you can do it this way:

interface group-async1 ! or whatever interface you're using
  ppp direction callin ! hidden command
  ppp lcp delay 60
  ppp lcp fast-start

This will cause PPP to refrain from sending frames for 60s
after the interface comes up ... then when it receives a
frame from the peer, it will start LCP.


**************************************************************************

From: Question 80
Date: 02 February 2002
Subject: What kind of memory can I use to upgrade my 2500 series router?
Answer by: Terry Kennedy <terry@gate.tmk.com>

The RAM is standard 72-pin parity 70ns FPM w/ tin leads, while the
flash is the generic Cisco flash. If you have older boot ROMs, you'll want
to make sure you get Intel chips or the ROMs won't recognize them. Or you
could upgrade the ROMs - Cisco part number BOOT-2500=, allegedly free.

> Any suggestions for a decent memory supplier for this?

  I used to use Kingston when I had 25xx's. But MemoryX seems to be less
expensive these days: (http://www.memoryx.net/routers.html)



**************************************************************************

From: Question 80
Date: 02 February 2002
Subject: Where can I get mzmaker to compress my IOS?
Answer by: "MikeN" <miken@mail.ikano.com>

http://www.mcseco-op.com/mzmaker.htm



**************************************************************************

From: Question 81
Date: 02 February 2002
Subject:  What is the meaning of in/out in reference to an access-list?
Answer by: rodd@panix.com (Rod Dorman)



>Can anyone point me to a good description of the difference between "in"
>and "out" in applying an access list to an interface?  Even the good
>books seem to only devote a sentence to the difference between them.

The simplest explanition I've seen is: Crawl into your router and look
towards the interface.  If the packets are going away from you they're
outbound.  If they're hitting you in the forehead their inbound.




**************************************************************************

From: Question 82
Date: 02 February 2002
Subject: How do I remove the /32 - host - route when a PPP link comes up?
Answer by: Richard Gallagher <rgallagh@cisco.com>


To get rid of this host route, try the following command on both ends of the
link:

no peer neighbor-route


**************************************************************************

From: Question 83
Date: 02 February 2002
Subject: How do I  forward DHCP broadcasts to my DHCP server?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> We are a Canadian company with an American office.  We have a Cisco router
> at each office connected via a T1 line.  We have a DHCP server at our
> Canadian office, and we would like it to also delgate IPs to our american
> office.  Is this possible?  If so, what must be done?


You have some choices.

1)  Run DHCP on the remote router.  This will prevent the dhcp requests
from coming across the WAN.  The downside is that only certain IOSes
support running dhcp and is a bit more work for the router.

2)  You can enable bootp forwarding or dhcp relaying.  This can be
accomplished by using "ip helper-address DHCP_SERVER_IP_HERE" interface
command.  But using helper-address turns on a lot of unnecessary UDP
forwarding so you need to lock it down first.

So:

conf t
 no ip forward-protocol udp tftp
 no ip forward-protocol udp dns
 no ip forward-protocol udp time
 no ip forward-protocol udp netbios-ns
 no ip forward-protocol udp netbios-dgm
 no ip forward-protocol udp tacacs
 ip forward-protocol udp bootpc
!
interface ethernet0/0
  ip helper-address YOUR_REMOTE_DHCP_SERVER_IP_HERE




**************************************************************************

From: Question 84
Date: 02 February 2002
Subject: How do I use the ip-helper command to facilitate DHCP use?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See Question 83 (answer #2)


**************************************************************************

From: Question 84
Date: 02 February 2002
Subject: How do I send L2 traffic through a tunnel?
Answer by: mortimer_mouse@mailandnews.com (Mortimer Mouse)

>  Thanks for answering my post, the current problem I have is I need to send
> Layer2 type traffic through a tunnel ... is this possible ?

Sure.  See...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c
/icdlogin.htm#xtocid292793

>  I enabled bridging on both routers and created a bridge group and that
> seems to work fine I can see my netbeui traffic passing ....
>  The problem is I have to be able to encapsulate netbeui or any other Layer2
> type protocol and encapsulate within a IP packet.


The usual way to do this is using a GRE tunnel between two routers,
and configuring an additional loopback interface on each router as the
source interface for the tunnel traffic, as below.  Here, each router
has a bridge group defined which allows certain traffic only as stated
in the 200-series ACL onto the loopback interface. In this case it's
LAT only - you will need to check the LSAP protocol number(s) for
netbios/netbeui as I can't remember these off-hand.  Once the traffic
is forwarded from the LAN interface onto the loopback, it is
encapsulated into IP GRE and forwarded to the far router.

                 --------------------------
               /                            \
       Tunnel0|                              |Tunnel0
              |                              |
LAN--------Router A-------WAN Cloud-------Router B--------LAN
        Eth0      Ser0                 Ser0      Eth0


Router A
--------

int e0
 ip address 192.168.100.254 255.255.255.0
 bridge-group 1

int loop0
 no ip address
 bridge-group 1
 bridge-group 1 output-type-list 200

int tunnel 0
 tunnel source interface loopback0
 tunnel destination 192.168.200.254

access-list 200 permit 0x6000 0x600f

Router B
--------

int e0
 ip address 192.168.200.254 255.255.255.0
 bridge-group 1

int loop0
 no ip address
 bridge-group 1
 bridge-group 1 output-type-list 200

int tunnel0
 tunnel source interface loopback0
 tunnel destination 192.168.100.254

access-list 200 permit 0x6000 0x600f




**************************************************************************

From: Question 86
Date: 02 February 2002
Subject: How do I sort my IP Addresses using Unix tools?
Answer by: Paul Koch <paul.koch@statscout.com>


> The subject says it all.  Am looking for an Excel 2000, or less, macro to
> sort IP addresses. The problem is Excel sort doesn't "understand"
> 192.028..005.001 vs. 192.28.5.1.

Do you have to use Excel. Yuck!
A random thought. If your data could have the address also in hex or decimal
in another column, then a sort would be simple.

Simple under Unix :-)

   cat datafile | sort -t "." -n +0 +1 +2 +3

  or even just

   cat datafile | sort -t "." -n


**************************************************************************

From: Question 87
Date: 02 February 2002
Subject: Why is measuring collisions meaningless endeavour?
Answer by: rich@richseifert.com (Rich Seifert)


> A more useful calculation would be to multiply collisions by
> 704 and then divide that by 10000000 * t, to show the total overhead
> percentage used by collision detection.  704 is the number of
> bit-times consumed by a collision - 96 bittimes of interframe gap,
> 512 bits of collision, an additional 96 bittimes of interframe gap,
> next packet is ready to transmit.

First of all, you shouldn't count the interframe gap twice. The collision
event uses an interframe gap, but the next one actually belongs to the next
frame; it would be there whether or not a collision occured.

More important, 511 bit times is the MAXIMUM time consumed by a collision
in the absolute worst-case. This requires a network with maximum
extent--longest possible cables, maximum repeaters, etc.--and devices with
absolute worst-case timing parameters. In most small networks (e.g., a
single 10BASE-T hub), nearly all collisions occur during the preamble, and
the time consumed by the collision is just 96+64+32=192 bit-times
(IFG+Preamble+Jam).

Unless you know the precise instant in which each collision occurs, you
cannot calculate the bandwidth "lost" to collisions.

(By the way, the maximum collision fragment is 511 bits, not 512--at 512
bits, it becomes a valid frame.)

In addition, while some Ethernet controllers do return a collision count as
part of the transmit status for each frame, many do not provide the
SNMP/RMON driver with the exact number of collisions. Instead, the status
indicates one of:

*  OK (no deferral required, no collisions encountered)
*  Deferred (deferral required, but no collisions encountered)
*  1 collision (one collision encountered, with or without deferral)
*  >1 collision (more than one collision encountered, with or without deferral)
*  Excessive collisions (16 collisions encountered)
*  Late collision (collision encountered after 511 bits transmitted)

With this type of controller, you cannot distinguish a frame that
encountered two collisions from one that encountered fifteen. so it is hard
to estimate the bandwidth "lost" due to collisions.

Finally, I will reiterate my position that collision rates are a virtually
useless metric for determining network performance. (See my earlier post on
this subject.)
Seifert's Law of Networking #21: Measurements of unimportant parameters are
meaningless.


-- Note added by Hansang Bae --
In the WORST case scenario (i.e. the stations are at the maximum
distance apart) a collision will take up to 84 byte-times to resolve
itself. 64 bytes (minimum Ethernet size+FCS), 8 bytes for the preamble,
and 12 bytes for the IFG.

84bytes is 672bits. It takes .1 microsecond to transmit one bit
(10Mb/s =10,000,000bits/sec = 10,000bits/millisecond =10bits/microsecond
= 1 bit/0.1microsecond)  So the total time spent on one collision event
is 67.2 microsecond (672bits * .1 microsecond)  Now consider getting 100
collisions per second. So 100 X 67.2microsecond is 6,720 microsecond or
6.72 millisecond. 6.72ms/1sec comes out to .672% (6.72ms/1sec =
.00672, in percentage, that's .672%) That means that 99.328% of the
channel is still available for data.

Here's another way to look at it. For every successful transmission,
there was an equal number of collisions. This is 1:1 ratio or 100%
collision rate. Or equivalently, 50% of the frames that goes out the NIC
are collisions.

Assume that we are talking about an FTP transfer. Typically, FTP will use
the 1518 max size and there will be an ACK (Acknowledgement) for every
two packets. So you would see two 1518 frames and one ACK for both. So in
a collision free world, we would see 2 frames of 1518 bytes and one ACK
of 64 bytes. Throw in the preamble/SFD and the IFG to the mix and you get
2*(1518 + 8Preamble + 12 IFG) + 1*(64) = 3,140 bytes.

Now if we have 3 collisions (one collision for each successful frame)
then you have to add another 3*84 (three frames taking up 84byte times -
see #5 above). This comes out to 3,144 + (3*84) = 3,396. So the ratio is
3,140/3,396 = .9246 or 92.46%.

That means even with 100% collision rate, we only lose about 7.53% of the
bandwidth. Hardly anything to worry about!  In the real world, you can
expect 33% collision rate for an FTP session. Also for smaller size
frames, the % of wasted bandwidth would be much greater. But then again,
only large transfers tax Ethernet networks.



**************************************************************************

From: Question 88
Date: 02 February 2002
Subject: How do I stop password-recovery on my routers?
Answer by: Michael Shorts <mshorts@cisco.com>

"Password-recovery" might not be the best description. The feature locks out
all access to the ROMMON.

You can do this on a 2600/3600 with the global configuration command "no
service password-recovery".

The feature is indeed tied to the ROMMON. You must have a minimum ROMMON
version 11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T.
All ROMMON versions on the 2600 support this feature.


**************************************************************************

From: Question 89
Date: 02 February 2002
Subject: How can I prevent SYN-Flood attack using CAR?
Answer by: "John Kaberna" <jkaberna@nospam.netcginc.com>


We are talking about all different kinds of floods (ICMP, SYN, UDP, etc)
throughout this post.  Actually he did say that Sprint can filter on their
end.  I included in a different post the link to configure CAR to limit SYN
attacks using web traffic as an example.  Your solution looks like it would
work too as their are multiple ways to configure traffic shaping.

Configure rate limiting for SYN packets.
Refer to the following example:

interface {int}
 rate-limit output access-group 153 45000000 100000 100000 conform-action
transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action
transmit exceed-action drop

access-list 152 permit tcp any host eq www
access-list 153 permit tcp any host eq www established

In the above example, replace:


45000000 with the maximum link bandwidth
1000000 with a value that is between 50% and 30% of the SYN flood rate burst
normal and burst max rates with accurate values
Note that if you set the burst rate greater than 30%, many legitimate SYNs
may be dropped. To get an idea of where to set the burst rate, use the show
interfaces rate-limit command to display the conformed and exceeded rates
for the interface. Your objective is to rate-limit the SYNs as little as
necessary to get things working again.

WARNING: It is recommended that you first measure amount of SYN packets
during normal state (before attacks occur) and use those values to limit.
Review the numbers carefully before deploying this measure.

If an SYN attack is aimed against a particular host, consider installing an
IP filtering package on that host. One such package is IP Filter. This can
be found on http://coombs.anu.edu.au/ipfilter/ Refer to IP Filter Examples
for implementation details.


**************************************************************************

From: Question 89
Date: 02 February 2002
Subject: How do I setup a Multilink PPP?
Answer by: domesjoe@ljusdal.net


You have to create a virtual-template interface with ip address information
PPP then create an virtual-access interface whith that address

!
multilink virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Loopback0 or ip address
 no ip mroute-cache
 ppp multilink
!
interface Serial0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
!
interface Serial1
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink


**************************************************************************

From: Question 90
Date: 02 February 2002
Subject: How do I setup ppp callback with dialer-pool?
Answer by: news@tvolk.de (Thomas Volk)

This is a real hard stuff to do ppp callback with dialer-pool, there a
some command are missing in your config, look at my example....
(also see: www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.htm)


!
username router1 callback-dialstring 749410 password 0 ect
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp callback accept
 ppp authentication chap
!
interface BRI0/1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp callback accept
 ppp authentication chap
!
interface Dialer1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer remote-name router1
 dialer pool 1
 dialer enable-timeout 2
 dialer string 749410 class test1
 dialer-group 1
 ppp authentication chap
!
!
map-class dialer test1
 dialer callback-server username
dialer-list 1 protocol ip permit


**************************************************************************

From: Question 91
Date: 02 February 2002
Subject: My configs are too large.  What can I do?
Answer by: Michael Shorts <mshorts@cisco.com>


The IOS configuration in the 2600 Series is stored in a 32 KB  EEPROM. The
ROMMON reserves 3 KB, leaving 29 KB for the IOS.

You can use the "service compress-config" command to compress the configuration
in the EEPROM. You can also load the configuration file from a TFTP server.


**************************************************************************

From: Question 92
Date: 02 February 2002
Subject: What does Frame-relay LMI and Encapsulation really do/mean?
Answer by: John Agosta <jagosta@interaccess.com>


I think there is some confusion here about frame relay "encapsulation"
and frame relay "lmi" (heartbeat/keepalives).

Frame relay encapsulation is indeed significant end-to-end through the
"cloud" between communicating DTE (router) equipment.

Cisco encapsulation inserts an ethernet "type field" immediately after the 2
byte frame header which contains the DLCI, FECN, BECN, and DE fields.

IETF (RFC 1490) encapsulation does not use ethernet type fields to identify
the payload of the frame. Instead, IETF calls for the use of NLPID codes
(Network Layer Protocol Identifiers) which are common in the OSI environment.

NLPIDs are to be used when the payload has an NLPID assigned to it.(like IP)
The NLPID (CC, in the case of IP) will follow an Unnumbered Information UI
control field, 03.

If the payload does not have an NLPID assigned to it, (like IPX) then IETF
suggests that an OUI field (organizationally unique identifier) followed by an
ethernet type code (8137 for example, if IPX) will be used. Much like an 802.3
frame with SNAP, the type code of 8137 will be offset further into the frame,
and not found immediately after the 2 byte frame header.

This encapsulation must be understood by the communicating routers at either
edge of the 'cloud.'  The cloud itself does not care what type of
"encapsulation" is being used. It is strictly a DTE-DTE issue.

LMI is a link intergrity and PVC status verification protocol that IS locally
significant between the router and the network interface. This protocol comes
 in 3 flavors: the 'original' Stratacom' (aka cisco) version, ANSI's T1.617
Annex D, and CCITT/ITU Q.933 Annex A. These protocols are often collectively
referred to as "LMI."  It is possible to run one version of LMI on the East
 User-Network Interface (UNI) and another version on the West UNI, as these
protocols simply identify the status of the UNI link and the PVCs found on that
link.

Encapsulation, however, must match between the DTEs.

It is interesting to note, however, that Cisco routers are smart enough to
interpret the 'encapsulation' type being used on incoming frames.
If both DTEs are Cisco routers, one router 'can' use Cisco encapsulation
while the other router uses "IETF."  The ability to communicate with Cisco
routers using different encapsulation schemes gives the "appearance" that the
encapsulation is locally significant. In fact, this (cisco) ability to
communicate is made possible by the smarts cisco builds into its
implementation.

When any other vendor's DTE is involved, communications will fail if the
"encapsulation" on both DTEs is not identical. Even if one of the routers is a
cisco.

(Unless, of course, the other vendor saw fit to build in the smarts that cisco
has done. But I am not aware of any vendor that has this capability other than
cisco....)

Hex protocol traces are available if any one would like to see.....
Hope this sheds some light.....



**************************************************************************

From: Question 93
Date: 02 February 2002
Subject: How do I make a T1 Cross-over cable?
Answer by: Aaron@Cisco.COM (Aaron Leonard)

For *T1* I've used the following pinouts for
crossovers:

T1/E1 crossover (for PRI and CAS back-to-back connection):

RJ-45 ----- RJ-45
   1  -----  4
   2  -----  5
   4  -----  1
   5  -----  2

RJ-45 ----- DB-15
   1  -----   1
   2  -----   9
   4  -----   3
   5  -----  11

DB-15 ----- DB-15
   1  -----   3
   3  -----   1
   9  -----  11
  11  -----   9


For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same
as for T1, except that I guess you need to have pins 3 and 6
(shield/ground) connected.

I don't suppose I should be pointing people to Juniper's web
site, but anyway ... http://www.juniper.net/techpubs/hardware/m160/m160-
picinstall/html/pinout5.html


**************************************************************************

From: Question 94
Date: 02 February 2002
Subject: Can I use a router to simulate BRI switch?
Answer by: Aaron@Cisco.COM (Aaron Leonard)

In current IOS (12.1(3)T and above, I think), you can configure PRIs
back-to-back between routers: configure one side to be network side
(isdn protocol-emulate network) and the other to be user side (default;
isdn protocol-emulate user).  The supported switchtypes are primary-net5
and primary-ni.

As the original posting had alluded, we have SOME support
for network-side BRI - but this is only on certain VIC
cards due to hardware restrictions -
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft
       /121limit/121x/121xi/121xi_3/dt_brint.htm





**************************************************************************

From: Question 95
Date: 02 February 2002
Subject: How do I use Policy Based Routing?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Keep in mind that Policy routing works on the INBOUND interface.  If you think
about it, it makes sense.  The decision to hand off the packet has to be made
as it's coming into the router and not on the egress interface.


!Determine who's eligible to be policy routed
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!Figure out where you want to send the pkts based on the source IP
!
route-map RouteMeBaby permit 10
  !To whom shoud this policy apply to?
  match ip address 1
  !
  !Where should you redirect it to?  Should use both.  If one is
  !omitted, the value will be retrived from the routing table -
  !which may or may not be what you wanted
  !
  set ip next-hop ROUTER_2's_SERIAL_IP
  set interface s0
!
interface E0
  ip addr blah blah blah
  ip policy route-map RouteMeBaby
  !  If your IOS supports it, enable fast switching for PBR
  ip route-cache policy


*IF* fast switching is supported (may be 11.3 an up or it could be 12.0
and up... do a

sho ip cache policy

if not, do a

sho ip policy



**************************************************************************

From: Question 96
Date: 02 February 2002
Subject: How do I setup a VPN tunnel using pre-shared keys?
Answer by: "Ian M" <ian.mulvihill.no.spam@computer.org>


Dror-John is right.  There is a LOT to know about when you get into
encryption, and like any other branch of this industry knowing the hows &
whys will help your configs and troubleshooting enormously.

The CCO IPSec Product Support page has a wealth of useful info and examples.
www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec

RFCs 2401-2412 are not too taxing either.  I've added below a very basic
example using pre-shared keys, DES encryption and SHA-1 hashing algorithm.
Site 1 is 10.0.1.0/24, site 2 10.0.2.0/24 and the serial i/fs 10.0.4.0/30 (&
assumes you have sub-i/fs).  Names and things in capitals.



Router1(config)#
!
crypto isakmp policy 1
! Define your ISAKMP policy settings
 group 2
! 'group' defines the modulus for Diffie-Hellman calculation.
! Default is group 1, less CPU work, but less secure.
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
! Your shared key, and what peer i/f it's used for.
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
! Define what happens to the traffic. AH & ESP are two IPSec protocols.
!
crypto map TO_SITE_2 10 ipsec-isakmp
! Define crypto-map
 set peer 10.0.4.2
! The other side
 set transform-set TS1
! Which transform-set to use
 match address 150
! What traffic to include
!
interface Serial1/0.0
 ip address 10.0.4.1 255.255.255.252
 crypto map TO_SITE_2
! Apply the crypto-map to the i/f
!
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
! Include traffic coming from here.  I've said anything going out, for
! there may be places beyond Site 2, but Cisco says this can cause
! problems for multicast traffic.  This also assumes no traffic will be
! going to Site 2 from somewhere else _through_ Site 1.  Perhaps
! best to err on the more specific side.  However it is a good idea
! to not include your serial i/fs, so you can still get at the far router
! if there's a problem.

Router2(config)#
!
crypto isakmp policy 1
 group 2
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.1
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
!
crypto map TO_SITE_1 10 ipsec-isakmp
 set peer 10.0.4.1
 set transform-set TS1
match address 150
!
interface Serial1/0.0
 ip address 10.0.4.2 255.255.255.252
 crypto map TO_SITE_1
!
access-list 150 permit ip 10.0.2.0 0.0.0.255 any


**************************************************************************

From: Question 97
Date: 02 February 2002
Subject: Why does one packet always get dropped on the last hop of traceroute?
Answer by: Aaron@Cisco.COM (Aaron Leonard)


And the winner is ... Max.  Inspired by (I think) sec. 4.3.2.8 in
RFC-1812, we rate-limit our ICMP message generation to 1/sec/destination.
This can be adjusted by the "ip icmp rate-limit unreachable" command.

More interesting than simply causing an oddity for traceroute,
ICMP rate-limiting can cause intermittent PMTUD blackholes
(or I should say perhaps "PMTUD brownholes".)  If you're doing
PMTUD (as alas anyone running Windows defaults to), then you
might want to ease the rate limit on DF unreachables.


**************************************************************************

From: Question 98
Date: 02 February 2002
Subject: How to setup NATing based on outgoing interface to two different ISPs.
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


>                ISP1                    CableModem
>                  \                        /
>                    \                    /
>                     --------------
>                      Cisco 2621
>                              |
           ---------------------------------
>              |                     |
>          Firewall           Mail Server
>                |
> --------------------
> Company LAN


> > We just installed a T1 to the Internet to co-exist with our Cablemodem.  I
> am looking at ways to implement this.  We currently have a Cisco 2621 with
> the T1 connection and a Linux Box Masqing cablemodem Internet access now.
> My question is, what would be the best way to implement this?
>
> I proposed we connect the Cablemodem into the 2621 (FEthernet interface)
> next to the T1 connection (separate ISP's btw) and NAT.


That will work.  But you need to use route-maps to match the outgoing
interface (or next-hop) when you define your NAT pool.  In  a nutshell:

int fa0/0
  ip addr blah
  ip nat outside
!
int fa0/1
   ip addr blah
   ip nat outside
!
ip nat poop ISP1 ISP1_Valid_range_here  prefix-length blah
ip nat pool Cable Cable_Valid_range_here  prefix-length blah
!
! These uses below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map ISP1 perm 10
 match ip addr 1
 match interface fa0/0
!
route-map Cable perm 10
 match ip addr 1
 match interfa fa0/1



**************************************************************************

From: Question 99
Date: 02 February 2002
Subject: How do I use IPX over DDR?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


> i have a special problem with ipx. i want to connect a remote ipx
> segement over an DDV with two dedicated routers, the backup is DDR
> 128kbit/s line also with to dedicated routers.
> now my problem how can i change the ipx rip update information for the
> remote ipx segment. in ip rip there is a possibility to take a command
> like offset-list.
> any ideas?

You can use floating static default routes along with an access list to
deny the chatty traffic.  For example:

int bri0
 ipx watchdog-spoof
 ipx spx-spoof
 !
 !  Turn off IPX route-cache so the above spoofs will work
 no ipx route-cache
 !
!Define what should kick up this BRI line
!
dialer-group 1
!
! /* other pertinent config here */
!
!
!  Make IPX RIP uninteresting
access-list 901 deny any any all any rip
!
!  Make SAP uninteresting
access-list 901 deny any any all any sap
!
!  Make NetWare Serialization packets uninteresting
access-list 901 deny any any all any 457
!
!  Everything else can kick up the line
access-list 901 permit any any all any all
!
dialer-list 1 protocol ipx list 901


**************************************************************************

From: Question 100
Date: 02 February 2002
Subject: How can I automatically ping a range of IP addresses in Wintel world?
Answer by: "Gregg Branham" <greggb@altusnet.com>


Suppose your subnet is 192.l68.100.X.

FOR /L %%i IN (1,1,254) DO ping 192.168.100.%%i


An even better way to do this would be to use NBTSTAT to collect NetBIOS
names and MAC address at the same time:
echo header info here >> output.txt
FOR /L %%i IN (1,1,254) DO nbtstat -A 192.168.100.%%i >> output.txt



**************************************************************************

From: Question 101
Date: 02 February 2002
Subject: Sample config of using VIC BRI interfaces as an ISDN switch.
Answer by: "John Paul Morrison" <johnpaulmorrison@Hotmail.com>

Enter this under stupid router tricks (it's got to be more expensive than an
ISDN emulator, but not if you've got the parts lying around).

Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work
too), IOS 12.1.5T9 R1, R2: Cisco with ISDN BRI S/T interface. IOS 12.x

R1----S/T crossover cable----Switch----S/T crossover----R2

These configs let you do ISDN BRI dialup between two routers,
using a third router as an ISDN switch. Call setup is flakey but otherwise
it seems to work once the call is up.

Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too)

!
isdn switch-type basic-net3
x25 routing
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255 ! whatever
!
interface BRI1/0
 description to R1
 no ip address
 isdn switch-type basic-net3
 isdn overlap-receiving
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn x25 dchannel
 isdn skipsend-idverify
!
! Basic X.25 over D channel, so you can run pad commands
! For always on, see the Cisco docs
!
interface BRI1/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5552000
 clns mtu 1514
!
interface BRI1/1
 description to R2
 no ip address
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
interface BRI1/1:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551000
 clns mtu 1514
!
x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
 incoming called-number 6045551111
 destination-pattern 6045552222
 direct-inward-dial
 port 1/0/0
!
dial-peer voice 2 pots
 incoming called-number 6045552222
 destination-pattern 6045551111
 direct-inward-dial
 port 1/0/1
!
dial-peer voice 10 voip
 destination-pattern 6045552222
 session target ipv4:10.0.0.1
 codec clear-channel
!
dial-peer voice 20 voip
 destination-pattern 6045551111
 session target ipv4:10.0.0.1
 codec clear-channel
!

R1, R2 config (just reverse the 5551111/5552222 and 1.1.1.1/1.1.1.2)

!
isdn switch-type basic-net3
!
interface BRI0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 dialer string 6045552222 class DOV
 dialer-group 1
 isdn switch-type basic-net3
 isdn incoming-voice data
 isdn calling-number 6045551111
 isdn x25 dchannel
!
interface BRI0/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551111
!
map-class dialer DOV
 dialer voice-call
dialer-list 1 protocol ip permit
!


**************************************************************************

From: Question 102
Date: 02 February 2002
Subject: How do I do X25 over ISDN D channel?
Answer by: "John Paul Morrison" <johnpaulmorrison@Hotmail.com>


See Question 101.



**************************************************************************

From: Question 103
Date: 02 February 2002
Subject: What can I do to remove SAP Type 640 on my routers?
Answer by: rtrgod@yahoo.com (Lee)

Check out these links for how to turn off the 640 SAP:
http://support.microsoft.com/support/kb/articles/Q142/5/33.asp
http://support.microsoft.com/support/kb/articles/Q171/3/07.ASP

IMHO the 640 SAPs were M$'s way to mess with Novell.  If you have two
MS workstations configured with the same name then all the Novell
consoles get flooded with 'server xxx was <net.node> is <net.node>'
msgs (or some such.  It's been a long time since we've had that
problem :-)

MS will generate 64E SAPs also :-(  I block them all.  ie.
access-list 1006 deny FFFFFFFF 640
access-list 1006 deny FFFFFFFF 64E
access-list 1006 permit FFFFFFFF 0

access-list 1030 deny FFFFFFFF 30C
access-list 1030 deny FFFFFFFF 45A
access-list 1030 deny FFFFFFFF 535
access-list 1030 deny FFFFFFFF 640
access-list 1030 deny FFFFFFFF 64E
access-list 1030 permit FFFFFFFF

interface <user subnet>
  ipx input-sap-filter 1006
interface <WAN link>
  ipx output-sap-filter 1030
  ! local area printing only


(which is why I really believe MS was trying to screw Novell.  I've
been filtering them out for years and have not had a single complaint
from the users)


**************************************************************************

From: Question 104
Date: 02 February 2002
Subject: What kind of memory does the 2500 use?
Answer by: Terry Kennedy <terry@gate.tmk.com>


  Parity. 70ns, 72-pin FPM w/ tin leads.


**************************************************************************

From: Question 105
Date: 02 February 2002
Subject: How do I make an Ethernet Cross-over cable?
Answer by: "Lindsay Druett" <lindsay@hnpl.net>


Try this as a crossover cable.

1 to 3
2 to 6
3 to 1
6 to 2
4 to 7
5 to 8
7 to 4
8 to 5

Basically in a traditional cross-over, which is a 10 BaseT and a 100 BaseTX,
you are swapping the Green Pair with the Orange Pair, but not so commonly,
you have a 100 BaseT4 cross-over cable (which just happens to also be a 1000
BaseT cross-over cable), not only do you swap over the Green and Orange
Pair, but you also swap over the Blue and Brown Pair.

The silly part is that in Cisco's Documentation, it show the schematic on a
traditional cross-over cable, but you will see the pin-outs of the 1000
BaseT Interface.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/hig
       /hgcable.htm#xtocid42327

I have just made comment to Cisco About this.



**************************************************************************

From: Question 106
Date: 02 February 2002
Subject: How do I use NBAR to block NIMDA?
Answer by: "Brad Ellis" <bradat@nospam.com> wrote in message

See:  http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

> Here's my working config (with thanks to John Kaberna and Chris
> Martin) on a 2610 router:
>
>
> ip cef
>
> class-map match-any http-hacks
>   match protocol http url "*default.ida*"
>   match protocol http url "*x.ida*"
>   match protocol http url "*.ida*"
>   match protocol http url "*cmd.exe*"
>   match protocol http url "*root.exe*"
>   match protocol http url "*_vti_bin*"
>   match protocol http url "*_mem_bin*"
>   match protocol http mime "*readme.exe*"
>   match protocol http mime "*readme.eml*"
>
> policy-map mark-inbound-http-hacks
>   class http-hacks
>    set ip dscp 1
>
> interface Serial0/0
>  ip access-group 101 in
>  service-policy input mark-inbound-http-hacks
>
> interface Ethernet0/0
>  ip access-group 101 out
>
> access-list 101 deny   ip any any dscp 1 log
> access-lst 101 permit ip any any


**************************************************************************

From: Question 107
Date: 02 February 2002
Subject: What is a FECN/BECN and does it mean anything?
Answer by: Bernie <Bernie@weekend.com>

First, when you use FR, it is not over a host to router connection.
FR is going to be router to ingress-FR-switch through cloud to
egress-FR-switch to destination-router.  With that in mind, what you
have to worry about with exceeding your CIR is the ingress FR switch.
FECN and BECNs are different mechanisms which I will explain in a
minute.

Let me explain the algorithm that FR switches use to police your
bandwidth usage.  It is a token/credit system that is implemented on
the *ingress* FR switch (so the ingress switch is the traffic cop).
Keep in mind that everything that I am about to describe occurs
entirely within the FR switch, so when I say that you are given tokens
to transmit, I mean that in the software of the FR switch these tokens
are kept track of, not that the FR switch transmits tokens to your
router to use for each frame.  I'm going to start with a simple
scenario in which you only have a CIR and an EIR of 0.  Anyway, every
second (which is the default interval, or Tc for those that want the
real term) you get Bc tokens which is essentially permission to
transmit that many tokens worth of data over the time of that second.
Bc tokens decrement against the CIR, which is to say that Bc tokens
are used to regulate the CIR not the EIR (I will describe Be tokens
later).  At the end of the second you are given more tokens for use
during the next second.  Every time the FR switch receives data from
the router, it subtracts tokens.  What happens if you run out of
tokens is that every frame will be discarded until the next interval
at which point you get more tokens.  If it receives a frame marked
with a DE bit, it should discard it automatically.

However, most people don't buy FR service with a EIR of zero.  In this
case where you have a CIR and an EIR, the token credit system is a
little more complex.  Every time interval (Tc) you get Bc tokens and
Be tokens.  In the case that you are not setting the DE on any frames,
data received by the FR switch decrements credits from the Bc pool
until exhausted.  Suppose the FR switch now receives a frame but there
are no Bc tokens left (you will get more Bc tokens in the next time
interval) at the time.  The FR switch will check for a Be token, and
if you have one, it will mark the DE field and transmit the frame
across the network and decrement tokens from the Be pool.  Keep in
mind that the Be pool represents your burst capabilities over and
above the CIR.  IOW, Be tokens keep track of the EIR and Bc tokens
keep track of the CIR.  Suppose the Be pool is exhausted and the Bc
pool is exhausted and another frame arrives.  It is dropped, period.
At the next time interval you will get more Bc and Be tokens to use.

What happens if you mark your own DE frames?  Well, when the ingress
FR switch receives a non DE-marked frame, it will subtract against the
Bc token pool.  If it receives a DE-marked frame, it will subtract
against the Be token pool.  If it receives a non DE-marked frame but
there are no Bc tokens left, the FR switch will mark it DE, transmit
it and subtract Be tokens.  If it receives any frame (regardless of DE
or non DE-marked) and there are no Bc or Be tokens left, the frame is
dropped.  So really the use of marking your own DE frames simply
allows you to be the master of your own destiny by categorizing your
own data intelligently instead of letting the FR switch do it based
simply on the order of arrival.  And the reason you want to mark your
own packets has to do with how the network handles congestion (see
below where I talk about BECN, etc.)

A couple of points are worth making.  First, you cannot accumulate
tokens over time.  There is a maximum amount which is the value of the
committed burst (Bc) and this value has a mathematical relationship
with the CIR (CIR = Bc/Tc also EIR = Be/Tc).  In almost all cases Tc
is set to 1 second, so the result is that CIR = Bc and EIR = Be.  So
if you have the maximum number of tokens in your Bc token pool (max
amount = Bc), and you send no frames for the next hour, you will still
only have Bc amount of tokens when you send the next frame.  Second,
the above description is not 100% accurate so don't use it to teach a
class of newbie students.  I simplified a number of things for the
sake of getting the concepts across, and in the process I sacrificed
the accuracy of some of the information.  For instance, you don't get
a lump of tokens all at once as I described--in reality, your tokens
replenish gradually over the Tc interval.  Third, you only need a
single token (which represents a byte of data) to transmit a frame.
So if you are out of Bc tokens and you only have one Be token left,
even if you send a 1500 byte frame, it will still be transmitted as DE
and the last token will be subtracted.


Ok, so how does the FR network handle DE or non-DE frames?
Different vendors of FR switches may be designed to operate
differently, but I believe the following is the normal behavior.  If a
node within the cloud starts to experience *mild* congestion, it
starts setting the FECN, BECN, or both bits on frames traversing the
node.  Routers connected to the FR cloud that receive BECN bits should
slow their transmission by buffering frames and sending them slightly
later.  Routers that receive FECN bits might (if there is a way)
signal the sending router to slow transmission by buffering its
frames.  If a node starts experiencing moderate congestion, it will
start dropping frames marked DE.  At heavy and severe congestion
levels, the node will start dropping other traffic as well.  Depending
on vendor, there may be many levels of priority traffic (i.e. gold vs.
bronze customers) to determine exactly which frames to drop before
others when experiencing heavy and severe levels of congestion.


>> Say I have a CIR of 512 Kbps. Say the users in the site are generating 2
>> Mbps data (internet surfing, email, etc) and I'm not using Discard
>> Eligible(because I wouldn't know how to set that up anyway)
>>
>> Hear is my guesswork. The routers may try to send more than 256kbps. The
>> switches will start sending FECN's and BECN's.

They shouldn't start generating FECNs and BECNs unless some FR switch
along the path is overloaded, and this (in theory) shouldn't happen
since you are well below your CIR.  IOW, the network should be
engineered to be able to handle everyone's CIR on a statistical basis.
If this were to happen on a regular basis, I would configure my router
to ignore BECNs/FECNs because I am paying for a CIR of 512k, and I'll
be darned if I'll let my NSP force my routers to throttle back when I
am only using half of my CIR.  They are "committing" to 512k, so I
want my 512k, not "256k if the network feels like it".

>> The routers will slow down sending rates. If a user is sending data to
>> a router faster than it can route, what will it do? Does TCP Window sizes
>> and acknowledgements between the PC's limit the rate at which the router
>> will receive data, so that it is unlikely ever to be too busy?

Remember that TCP windowing is an end-to-end mechanism, so routers in
between aren't part of the equation.  PC's rarely send data *to* a
router, but rather *through* a router.  So if a user is sending data
through a router faster than it can route, the buffers in the router
fill up, overflow, and packets get dropped, resulting in
retransmissions, and therefore the starting over of the TCP windowing
size.

>> If data is dropped by the router using DE, will the TCP resend process
>> between the PC's be the normal recovery process?

Routers don't drop DE frames.  That is a FR switch function, not a
router function.  But, yes, ultimately TCP is the process by which
lost packets will be retransmitted.



**************************************************************************

From: Question 108
Date: 02 February 2002
Subject: How do I stop logging (generating snmp trap) for up/down interfaces?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


Use the interface commands:

 no logging event link-status
 no snmp trap link-status


**************************************************************************

From: Question 109
Date: 02 February 2002
Subject: How do I setup the variables to do tftpdnld in rommon?
Answer by: "Niloupi" <niloupi@NOSPAM.sympatico.ca>

You can use tftp, if available ... if not no luck ... xmodem using console
or another flash. and I think you can upgrade boot rom to support the
command tftpdlnd but not sure about it:

IP_ADDRESS=10.1.1.16
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.2
TFTP_SERVER=10.1.1.2
TFTP_FILE=ios.bin
FE_SPEED_MODE=0
TFTP_VERBOSE=1
tftpdnld -d

**************************************************************************

From: Question 110
Date: 02 February 2002
Subject: How do I get the memory-usage on the Vip-Card
Answer by: Christophe Fillot <cf@utc.fr>


You can log into the VIP by using "if-con <vip-slot>"
undocumented command, and do a "show memory":

7500_UTC#if-con 0
Console or Debug [C]:   <===== Press enter here
Entering CONSOLE for VIP2 R5K 0
Type "^C^C^C" or "if-quit" to end this session

VIP-Slot0#
VIP-Slot0#sh mem
               Head   Total(b)    Used(b)    Free(b)  Lowest(b)
Largest(b)
Processor  607C34E0   25414648   15390076   10024572   10024572    9957660
      PCI  30000000    4194312    4194168        144        144         92

If you want more details on dCEF memory usage on a VIP, you can do a
"sh ip cef sum".


**************************************************************************

From: Question 111
Date: 02 February 2002
Subject: What is the order of operation in terms how a packet is processed?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


From the book "Inside Cisco IOS Architechture":
1)  compression/decompression
2)  Encryption
3)  Inbound ACL
4)  Unicast revese path checking
5)  Input rate limiting
6)  Broadcast handling (ip helpers)
7)  Decrement TTL
8)  Inspect sybstem (FW features)
9)  Outside to Inside NAT
10) Handle router alert flags in the IP header
11) Search for outbound interface in the routing table
12) Policy routing
13) Handel web cache redirects
14) Inside to Outside NAT
15) Encryption
16) Output ACL
17) Final Inspect check
18) TCP Intercept processing.


**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: What are the differnt T1 jack type codes?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

RJ48-BLAH  where BLAH ==
"C"  Identifies a surface or flushmounted jack.
"W"  Identifies a wallmounted jack.
"S"  Identifies a single-line jack.
"M"  Identifies a multi-line jack.
"X"  Identifies a complex multi-line or series-type jack.

"X" variety can automatically loop up the line if you pull out the cable
so it's usually call a "smartjack"



**************************************************************************

From: Question 113
Date: 02 February 2002
Subject: How do I show just one interface's configuration?
Answer by: "harry" <ccie@blueyonder.co.uk>


My all time favourite "trick" is "show run int xx"" where x is the interface
in question



**************************************************************************

From: Question 114
Date: 02 February 2002
Subject: How can I search CCO for IS-IS related information?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Searching the CCO for IS-IS is a bit of a pain since you have two stop
words and a hypen!  So search the CCO for:

+is-+is



**************************************************************************

From: Question 115
Date: 02 February 2002
Subject: How can I script a network reachability test?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Today a trouble ticket was elevated to our design team.  It seems a bunch
of users are locking up while using Outlook with OpenMail servers.  Not
sure if it was network, Outlook, OpenMail server, or combination of the
above.  Since the users were somewhat senior level folks, it was not
realistic to have to jot down detailed notes about when it happened etc.

Since the PCs were all Wintel based, I wrote this in a hurry to include in
their "START" menu.  Not being able to use Unix tools pretty much tied my
hands, and I didn't put in a lot of error checking, but hey, I only had
about 30 minutes to whip this up.

Although it's a bit simple hope you find it somewhat useful.

------ BEGIN BATCH FILE ----
TITLE  TESTING THE NETWORK
@echo off
cls
echo.
echo.
echo.
echo.
echo.
echo  **********************************************************
echo  **********************************************************
echo  **********************************************************
echo  *                                                        *
echo  *                                                        *
echo  *    Running network test........                        *
echo  *    This windows will close automatically when          *
echo  *    the testing has been completed.                     *
echo  *                                                        *
echo  *    Please call XYZ at XYZ if you have any questions    *
echo  *                                                        *
echo  *                                                        *
echo  **********************************************************
echo  **********************************************************
echo  **********************************************************
:
:  Create a temp folder for our use and start with some flower
:  box delimeters
:
if not exist c:\mailte$t md c:\mailte$t
echo ***************************************>> c:\mailte$t\%username%.txt
echo ***************************************>> c:\mailte$t\%username%.txt
:
: Pipe in some blank lines and date time stamp.
echo.  >> c:\mailte$t\%username%.txt
echo.|date | find /i "current" >> c:\mailte$t\%username%.txt
echo.|time | find /i "current" >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
:  Start a trace route w/o Rev-DNS lookups to our servers.
:  The server name is given as a command line argument.
echo TRACE ROUTING TO %1 >>c:\mailte$t\%username%.txt
tracert -d %1.blah.foobar.com >>c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: ping with max sized ICMP packets
echo PINGING to %1 >>c:\mailte$t\%username%.txt
:
:!!!unwrap the next two lines!!!
ping -L 1472 %1.blah.foobar.com | find /i "Reply from"
                         >>c:\mailte$t\%username%.txt
:
echo. >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
:    Now ftp it  to the 2.104 server using the script file
:    C:\ftpcmd.txt
:
ftp -s:c:\ftpcmd.txt x.x.2.104
exit


Contents of ftpcmd.txt file:
cisco
cisco1
put c:\mailte$t\*.txt
bye
exit

Basically, it's
username
password
ftp command
ftp command
etc. etc.


**************************************************************************

From: Question 116
Date: 02 February 2002
Subject: How can I access the console port on my MSFC in my 6500?
Answer by: "Brian V" <harleydavidson1.diespammer@mediaone.nospam.net>





Yes, I've done it many times. I believe the cable is a plain ole ethernet
cable, no need to make anything special, just make sure you have a regular
patch cable. You'll actually need two of them. One for your laptops nic
card (so you can tftp the new image). One for the console connection. Theres
actually 2 rj45 ports on the sup board. Ones for the pfc and one for the
msfc. I have to rebuild a couple of data centers this morning that has a
couple 6509's in it.

It's the jack labeled P7, it's the one to the far right of the motherboard.
It uses a straight thru, plain ole ethernet cable.  There only two jacks
inside, so it's pretty straight forward. If you want the pics, ping me
offline and I'll email em to you.

**************************************************************************

From: Question 117
Date: 02 February 2002
Subject: How do I access my MSFC/Router in my 6509?
Answer by: Roberto Piersante (rp67@libero.it)


From supervisor1 reset module 15, then "switch console" and send a break:

switch(enable) reset 15
Unsaved configuration on module 15 will be lost
Do you want to continue (y/n) [n]? y
2000 Jun 23 06:36:59 %SYS-5-MOD_RESET:Module 15 reset from Console//
Resetting module 15...
switch(enable) switch console
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
/* (A break-sequence has been sent here) */

monitor: command "boot" aborted due to user interrupt
rommon 1 >
Also look this link:
http://www.cisco.com/warp/public/474/pswdrec_6000MSFC.html


**************************************************************************

From: Question 118
Date: 10 February 2002
Subject:  Where can I find a list of undocumented IOS commands?
Answer by: "ozzig" <billybellend2000@yahoo.MYPANTScom>

http://www.boerland.com/dotu/



**************************************************************************

From: Question 119
Date: 10 February 2002
Subject: Where can I find information on securing or hardening Cisco routers?
Answer by: "James R. Quinn" <jquinn@jquinn.org>

Cisco Router Hardening Step-by-Step
http://rr.sans.org/firewall/router2.php

Improving Security on Cisco Routers:
http://www.cisco.com/warp/public/707/21.html

Cisco PSIRT Advisories
http://www.cisco.com/warp/public/707/advisory.html

Cisco's Security Technical Tips
http://www.cisco.com/warp/public/707/index.shtml

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
http://www.cisco.com/warp/public/707/newsflash.html

Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html

Denial of Service (DoS) Attack Resources
http://www.denialinfo.com/



**************************************************************************

From: Question 120
Date: 10 February 2002
Subject: How can I connect two Cisco routers back to back through the AUX
ports?
Answer by: "James R. Quinn" <jquinn@jquinn.org>


Connecting Routers Back-to-Back Through the AUX Ports
http://www.cisco.com/warp/public/793/access_dial/auxback.html

Configuring AUX-to-AUX Port Async Backup with Dialer Watch
http://www.cisco.com/warp/public/471/aux-aux-watch.html

Using the AUX Port on Cisco Routers for IP/IPX Router Communications
http://www.networkingunlimited.com/white006.html


**************************************************************************

From: Question 121
Date: 02 February 2002
Subject: How do I use Secure Shell (SSH) on Cisco devices?
Answer by: "James R. Quinn" <jquinn@jquinn.org>


Configuring Secure Shell (SSH) on Cisco IOS Routers
http://www.cisco.com/warp/public/707/ssh.shtml

How to Configure SSH on Catalyst Switches Running CatOS
http://www.cisco.com/warp/public/707/ssh_cat_switches.html



**************************************************************************

From: Question 122
Date: 10 February 2002
Subject: Can I use a /31 address space for my serial point-to-point interfaces?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

It depends.  If you have 12.2.x release of IOS, you can use /31 address.
For example:
interface Serial5/1
  ip address 192.168.1.1 255.255.255.254

See the following for more information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t
       /122t2/ft31addr.htm



**************************************************************************

From: Question 123
Date: 29 May 2002
Subject: How do i see log messages on the router console?
Answer by: "Phillip Remaker" <remaker@cisco.com>

Log messages are broken into 7 levels, and they can go to 3 places:

- Console (console logging)
- Monitor (any line configured with "monitor" or with the "terninal monitor"
exec command)
- trap (syslog)

The command to turn up log messages is "logging (place) (level)"

In your case, you probably want

logging console informational

for minumum messages or

logging console debug

for debugging messages.

Tip: console logging is disabled by default because the console serial port
makes 1 interrupt per character, and has the highest prioriy of any
interrupt on the box.  If you want to do console logging, you should
probably also rate limit the messages, since an uncontrolled flood of
messages to the console can literally cause the box to slow to a crawl and
fail.

In most cases, it is a better idea to telnet to the box, and debug using
'monitor' logging and "terminal monitor" on the vty.



**************************************************************************

From: Question 124
Date: 29 May 2002
Subject: What is my overhead of using IPSec
Answer by: alan@internal.wj.com (Alan Strassberg)


IPSec Overhead  [ from another net posting ]
esp-des = 24 bytes
esp-3des = 24 bytes
ah-sha-hmac = 24 bytes
ah-md5-hmac = 24 bytes
esp-md5-hmac = 12 bytes
esp-sha-hmac = 12 bytes
standard header = 20 bytes

esp-des/esp-md5-hmac = 56 bytes
esp-3des/esp-sha-hmac = 56 bytes
esp-des/ah-sha-hmac = 68 bytes
esp-des/ah-md5-hmac = 68 bytes
esp-des/ah-sha-hmac/esp-sha-hmac = 80 bytes

other gre = 24 bytes

	For example I use ESP over AH with a GRE tunnel in tunnel mode.
20 (IP header) + 24 (AH header) + 16 (ESP header) + 4 (GRE) +2 (ESP trailer)

	My MTU is 1500 - 66 = 1434

					alan




**************************************************************************

From: Question 125
Date: 29 May 2002
Subject: What is the pinout for the DB9 to RJ45 connector?
Answer by: "ferg" <ferg@somewhere.com>

ok, I just tested the pinouts of a DB9-RJ45 adapter that I have her...this
is what I found:

DB9    RJ45
1    -  nothing
2    -    6
3    -    3
4    -    2
5    -    4&5 together
6    -    7
7    -    1
8    -    8
9    -   nothing


**************************************************************************

From: Question 126
Date: 29 May 2002
Subject: Should I use a T1, Cable modem or DSL for Internet connections?
Answer by: vcjones@NetworkingUnlimited.com (Vincent Jones)


This question comes up often enough it probably should be in the
FAQ. Each has its advantages and each has its weaknesses. Which is
best will depend upon the specific business requirements and how the
network is used.

T1/E1 - Providers tend to treat T1's as serious business products. They
tend to be better managed and service response to outages is usually
quick. Data rate is a constant, if you order 1.544Mbps, you get 1.544
Mbps in both directions. (Note: fractional T1 may be available with
asymmetric capacity provisioned).

DSL - Providers consider this a "consumer grade" offering. Users
experience has been more frequent outages. More important, response
to failures that do occur tends to be slow, particularly if the local
telco providing the copper is competing with the DSL provider. ADSL
provides asymmetric data rates, but "business grade" offerings,
such as IDSL and SDSL provide the same data rates both upstream and
downstream. High data rates are only available to users close to the
telephone central office.

Cable - Shared medium subject to fluctuating bandwidth availability.
Reliability will depend upon the local cable company, and can vary
widely. On average, tends to be about as available as DSL. Only
available in areas wired for cable TV, which could limit availability
in business parks and other non-residencial areas. Also only available
where the cable franchise has chosen to offer the service.

Other Considerations (feel free to add ones I've missed)

Provisioning of redundant connectivity for servers offered to the
public versus internal users browsing the Internet versus VPNs for
cost savings all have very different requirements and solutions
suitable for one may not work with the others.

BGP support for multihoming is typically only available on T1
links. But then again, if you're only surfing or VPNing there are
easier ways to get redundancy that do not require BGP.

In most markets, you can buy a lot of ISDN backup for the price
difference between DSL/Cable and T1.

Many DSL/Cable providers will block VPN and inbound traffic to your
servers unless you purchase their premium "business" service. Make
sure the conditions of service are compatible with your needs.

DSL is rarely good backup for T1 because both share the same single
points of failure in the telco local loop provisioning. Cable can
provide more diversity as a backup, but may still be sharing common
single points of failure such as power poles.



**************************************************************************

From: Question 127
Date: 29 May 2002
Subject: How do I change the time length of 15 mins that is used when
         displaying the Show ISDN history command?
Answer by: John Zwaanswijk

  You can try the command isdn-mib retain-timer



**************************************************************************

From: Question 128
Date: 29 May 2002
Subject: Why do I see "double" characters when I telnet into my router?
Answer by: Barry Margolin <barmar@genuity.net>

>I have a 2500 router, and it's display double commands as shown below.
>cclloocckk  rraattee  6644000000
>what can I do to fix it. Thanks.

Looks to me like you have local echoing configured on your terminal
emulator.  Turn it off and let the router do all the echoing.


**************************************************************************

From: Question 129
Date: 29 May 2002
Subject: How do I see power-supply failures via SNMP?
Answer by: "Hennen, David" <David.Hennen@gtech.com>


you need two commands

set snmp trap enable chassis
set snmp trap (ip address of snmp host) (public community string)

the first one tells the switch to send traps on chassis events, like a power
supply failing.  the second tells the switch where to send the trap


**************************************************************************

From: Question 130
Date: 29 May 2002
Subject: How do I change the timer for tx/rxload when doing "show int" command?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


Interface command:  load-interval  IN_SECONDS


**************************************************************************

From: Question 131
Date: 29 May 2002
Subject: How do I setup SLIP on my Cisco terminal servers?
Answer by: Aaron@Cisco.COM (Aaron Leonard)


Here's an example:

interface async 1
  encapsulation slip ! the default
  ip unnumbered ether0
  peer default ip address 10.1.2.3
  async mode interactive

line 1
  speed 19200 ! or whatever
  flowcontrol hardware ! or whatever - but not software!
  stopbits 1
  modem dialin ! assuming that the DTE's DTR is wired to our DSR

**************************************************************************

From: Question 132
Date: 29 May 2002
Subject: How do I setup FR End-to-End keepalives?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>



I believe so.  Just so we're clear (to the original poster) bandwidth on
demand is the ability to kick up a line when you reach a certain threshold.
floating static can't be used since the lower admin-distance route will
never get a chance to float up.

FR e-t-e can be setup as follows:

int s0/0
 blah
 frame-relay class end-to-end-keepalive
 blah
!
map-class frame-relay end-to-end-keepalive
 frame-relay end-to-end keepalive mode bidirectional


**************************************************************************

From: Question 133
Date: 29 May 2002
Subject: What basic information do I need to setup a T1 from my ISP?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


Tell them "I'm going to use B8ZS and ESF and I'll provide the clocking"

> What must I decide for myself?
IP address and encapsulation type (ppp or hdlc - the default)

> What commands are going to get me operational?


On the router that will provide the clocking (only one side needs to provide
clocking)

enable
conf t
 interface s0/0    ! or wherever you have the WIC1-DSU-T1
   !  Have this router provide the clocking.  Alternative is to take it
   !  from the line on both sides and have the Telco provide the clocking.
   !
   service-module t1 clock source internal
   !
   !Use ESF framing as opposed to Superframe (D4)  ESF is the default,
   !
    service-module t1 framing esf
   !
   !Use B8ZS (Binary 8, zero substitution as opposed to
   ! AMI - Alternate Mark Inversion.  B8ZS is the default.
   !
    service-module t1 linecode b8zs
   !
    use ppp when connecting to a non-cisco router. HDLC is the default
   !
    encapsulation ppp
   !
    ip addres 192.168.1.1 255.255.255.0
    no shut


On the other side, leave out the
"service-module t1 clock source"  and use
"service-module t1 clock source line"  instead.


**************************************************************************

From: Question 134
Date: 29 May 2002
Subject: How do I setup NAT and Port forwarding?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>


int e0/0
  desc   This is the inside address using RFC address
  ip addr 10.1.1.1 255.255.255.0
  ip nat inside
!
int s0/0
  desc   This goes to the ISP using assigned address x.x.x.1/30
  ip address x.x.x.1 255.255.255.252
  ip nat outside
!
! Next line determines who will get to use the NAT
! Anyone coming from 10.1.1.0 address will be NATed.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Next line assumes that you want to use one IP for everyone
! and use the port address translation.  In your case, you could
! actually use one to one translation.
!
ip nat inside source list 1 interface serial0/0 overload
!
!Set up a static translation so you can telnet into your server
!Assume your server is at 10.1.1.5
!
ip nat inside source static tcp 10.1.1.5 23 x.x.x.1 23
!
!or forward http traffic to your 10.1.1.4 server
!
ip nat inside source static tcp 10.1.1.4 80 x.x.x.1 80


**************************************************************************

From: Question 135
Date: 29 May 2002
Subject: Where can I buy some Back-to-Back serial cables?
Answer by: vcjones@NetworkingUnlimited.com (Vincent Jones)

www.pacificcable.com
www.anthonypanda.com


**************************************************************************

From: Question 136
Date: 29 May 2002
Subject: How can I policy-route router generated packets?
Answer by: "Erick B." <erickbe@yahoo.com>


You need a 'ip local policy route-map ROUTE_MAP_NAME if you want
traffic sourced from the router to go through policy (ie: pings).


**************************************************************************

From: Question 137
Date: 29 May 2002
Subject: Is there another way to upload my IOS w/o a tftp server?
Answer by: "Paul Lalonde" <plalonde2@cogeco.ca>


Here's what I do when I need to upgrade a router's IOS and I don't have LAN
or sync serial access to it for TFTP purposes.

1. Plug the following code into the router to configure it for PPP on the
AUX port:

interface Async1
 ip address 192.168.255.254 255.255.255.252
 encapsulation ppp
 no ip route-cache
 async default routing
 async mode dedicated
!
ip default-gateway 192.168.255.253
!
line con 0
line aux 0
 no exec
 exec-timeout 0 0
 modem InOut
 transport input all
 stopbits 1
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware

2. Configure a "dialup networking" entry on my Windows PC using the
NULL-MODEM driver available from the following Cisco URL:

http://www.cisco.com/warp/public/471/103.html

Configure the dialup networking entry to use 192.168.255.253 as the IP
address of the dialing interface.

3. Start up the TFTP server on my Windows PC.

4. Connect to the router from my Windows PC using the dialup networking
entry.

5. Open up the router console and use regular TFTP commands to pull the
image across.

Depending on what family of router you have (2500, 2600) your AUX port will
accommodate up to 38400 (older families) or 115200 (newer families).



**************************************************************************

From: Question 138
Date: 29 May 2002
Subject: What does the keyword EXTENDABLE mean when doing NAT?
Answer by: Josh Duffek (jduffek@cisco.com)

From: http://www.cisco.com/warp/public/701/60.html

"Extendable" static translations:

     The extendable keyword allows the user to configure several ambiguous
static translations, where an ambiguous translations are translations with
the same
     local or global address.

     ip nat inside source static <localaddr> <globaladdr> extendable

     Some customers want to use more than one service provider and
translate into each provider's address space. You can use route-maps to
base the selection
     of global address pool on output interface as well as an access-list
match. Following is an example:

     ip nat pool provider1-space ...
     ip nat pool provider2-space ...
     ip nat inside source route-map provider1-map pool provider1-space
     ip nat inside source route-map provider2-map pool provider2-space
     !
     route-map provider1-map permit 10
      match ip address 1
      match interface Serial0/0
     !
     route-map provider2-map permit 10
      match ip address 1
      match interface Serial0/1
      .
      .
      .

     Once that is working, they might also want to define static mappings
for a particular host using each provider's address space. The software
does not allow two static translations with the same local address, though, because 
it is ambiguous from the inside. The router will accept these static
translations and resolve the ambiguity by creating full translations (all addresses 
and ports) if the static translations are marked as "extendable". For a new 
outside-to-inside flow, the appropriate static entry will act as a template for a 
full translation. For a new inside-to-outside flow, the dynamic route-map rules 
will be used to create a full translation.


**************************************************************************

From: Question 139
Date: 29 May 2002
Subject: Where can I get some third party icons for my Visio program?
Answer by: "Mike Gortych" <mgortych@ntplx.com>


Check out www.altimatech.com they sell a product called netzoom that has a
great cisco library that they keep up to date, they even take requests!


**************************************************************************

From: Question 140
Date: 29 May 2002
Subject: Can you help me interpret the output fomr "Looking Glass" (BGP?)
Answer by: Barry Margolin <barmar@genuity.net>

>I am learning BGP.
>I notice a lot of our engineers where I work use looking glass at
>www.traceroute.org to get answers to a lot of their questions.
>Unfortunately it's hard to get them to give me a seminar.
>Looking glass isn't covered in my cisco press books.
>I am having a hard time grasping when I would need to use looking
>glass.
>and particularly how to use it.
>
>I put in an ameritrade address and it gives me the following.
>
>Query: bgp
>Addr: 64.236.2.194
>BGP routing table entry for 64.236.0.0/16, version 89281795
>Paths: (2 available, best #2)
>  Not advertised to any peer
>  1668
>    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
>      Origin IGP, metric 4294967294, localpref 105, valid, internal
>      Community: 2548:177 2548:209 2548:666 3706:115
>  1668
>    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
>      Origin IGP, metric 4294967294, localpref 105, valid, internal,
>best
>      Community: 2548:177 2548:317 2548:666 3706:164
>
>
>What peer problems would arise where I may need this information?
>especially considering I would need to have a peer address to put in
>in the first place.

This is usually used to confirm that a route is being advertised by the
proper ISP.  You don't put peer addresses in, you put destination network
addresses in.

>I see there are communities. not sure who the community members are or
>what the parameters contained in the community attribs are. Any way to
>find out?

Most communities don't have standard meanings.  Each AS assigns meanings to
the communities that it cares about.  By convention, communities are formed
by concatenating the ASN that's using the community with a second number
that the AS network administrators assign, so the communities shown above
are meaningful to AS 2548 and AS 3706.  Communities are often used by ISPs
to allow their customers to influence routing parameters; for instance, the
customer can often send communities that control what localpref the ISP
assigns to the routes.

>Any good hints/web-links on how to use or get the most out of the
>looking glass site would be appreciated.

There's nothing really special about the looking glass, it's just showing
you the output of "show ip bgp" (and other router commands).  It's no
different from doing it on your own routers, but the looking glass lets you
do it from outside your network, so you can tell whether a problem is
specific to your network or more widespread.



>Thank you for that enlightening input.
>
>This time I queried.
>Query: bgp
>Addr: 216.202.0.0
>It is a Genuity address.
>
>Here is the output below.
>Could someone explain
>"  Advertised to non peer-group peers:
>    198.32.187.122 " this belongs to : Exchange Point Blocks (NET-EP-)

That's a BGP neighbor of the looking glass router, which the router will
share this route with.

>Also Genuity actually owns AS number "1" (Very prestigious).
>from the first entry
>"4.24.7.77 (metric 345601) from 165.117.1.127"
> it looks like Genuity 4.24.x.x is learning this from Digex
>165.117.1.127
>Why would Genuity learn their own address from Digex.

No, it means that *this* router (Digex's router at MAE-EAST) learned the
route from 165.117.1.127.  Since Digex doesn't connect to Genuity at
MAE-EAST (tier 1 ISPs use private peering amongst each other, we only use
the public exchanges to connect with smaller ISPs), it has to learn Genuity
routes via the Digex backbone.

>Also could I assume that just because there is no path with AOL in it
>that AOL doesn't have a path to them?

No.  The looking glass is just showing the routes from Digex to the
destination.  Why would traffic from Digex to Genuity go through AOL?


**************************************************************************

From: Question 141
Date: 29 May 2002
Subject: When using Tunnel with an interface that has an ACL, what happens?
Answer by: Barry Margolin <barmar@genuity.net>


>I'm doing an IP tunnel between 2 routers with the command
>interface tunnel which has the ethernet0 source.
>Is the access-list applied on the ethernet0 inbound although filter the
>tunnel traffic ?

Yes.  When traffic arrives, it will first be processed by the ethernet
interface's inbound access list.  If it is permitted in, the router will
then de-encapsulate the tunnel traffic, and it will be processed by the
tunnel interface's inbound access list.


**************************************************************************

From: Question 142
Date: 29 May 2002
Subject: Do I need a Xover cable when using 1000Base-T?
Answer by: rich@richseifert.com (Rich Seifert)

> It guess it depends on the 1000baseT NICs.  On mine, I've used both a
> crossover cable and a stright thru cable just fine to connect two NICs.
> They autonegotiate
>

Correct. First of all, 1000BASE-T *requires* Auto-Negotiation; it isn't
designed to work without it. Second, most 1000BASE-T equipment implements a
function that detects whether the cable is straight-through or crossover,
and automatically configures itself to work either way. (During the startup
training, it can tell how the pairs are connected, and connect each pair to
the appropriate decoder module.)


**************************************************************************

From: Question 143
Date: 29 May 2002
Subject: How dow I break the "Rule of Ten" for BGP Load balancing?
Answer by: "Cajun" <cajun@cyberspace.org>


That's not true. BGP WILL join two lines AND load balance across them. The
trick is, you have to make every single one of the "Rule of Ten" rules
equal; which is not a difficult thing to do. Weights, MED's, Local Prefence,
AS-Path, etc, will all most likely be identical, provided both T1's come
from the same provider (yes, I know he said they're different providers.)
You can load-balance with BGP across two links, provided the links terminate
on the same router on both end. With everything else being equal, BGP will
snag on the last rule, using the IP address of the interfaces to decide
which path to take. All you have to do is break that last rule and you're
home free.

Here's how you do it:
1) Place static routes on each router pointing across each link to get to
the other's loopback address.
2) Set up your neighbor statements with each other's loopback address.
3) Put in a neighbor statement with an update-source of your loopback
address.
4) Enter another neighbor statement with ebgp-multihop.

BAM! You're done. You've just now broken the "Rule of Ten." BGP will have no
choice but to enter two routes into the routing table, which will load
balance.


**************************************************************************

From: Question 144
Date: 29 May 2002
Subject: How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
Answer by: Barry Margolin <barmar@genuity.net>


router bgp #####
 no sync
 ! advertise your address block
 network 1.2.3.a mask 255.255.255.224
 neighbor x.x.x.x remote-as x
 neighbor x.x.x.x filter-list 1 out
 neighbor x.x.x.x distribute-list 1 in
 neighbor y.y.y.y remote-as y
 neighbor y.y.y.y filter-list 1 out
 neighbor y.y.y.y distribute-list 1 in
 ! IBGP between the two routers
 neighbor 1.2.3.b remote-as #####

! Only advertise locally-originated routes, not transit routes
ip as-path access-list 1 permit ^$

! Only accept a default route
access-list 1 permit 0.0.0.0


**************************************************************************

From: Question 145
Date: 29 May 2002
Subject: Should I turn off console loggin??
Answer by: "Phillip Remaker" <remaker@cisco.com>

crashinfo reads from the log buffer, not the console itself.  If you want to
have console messages included in crashinfo, you may turn on logging console
BUT you also want to  be sure logging buffered is on.  Once logging buffered
is on, console messages do not go to the physical console port and the
interrupt problem is circumvented.


> My question is if it is good default practice to turn off console
> logging or not?

You should turn it off unless you are using logging buffered.  It is off by
default in modern IOS versions.

>And on router (e.g. 7200 and 2600) that have console
> logging disable, would it reduce the useful info on crashinfo file when
> the router crashed?

Yes.  But again, it will only save information from 'logging buffered.'  So
if you want the information, you can turn on logging console, but only if
you also use logging buffered....







**************************************************************************
**************************************************************************
                   HALL OF FAME FOR VERSION 2.0 AND ABOVE
**************************************************************************
**************************************************************************


1X    "Alberto Colmenero" <san@mobilix.dk>
1X    "aros.net" <nelson@aros.net>
1X    "BM" <bmorgan@dont.spam.me.ieee.org>
1X    "Brad Ellis" <bradat@nospam.com> wrote in message
1X    "Brian V" <harleydavidson1.diespammer@mediaone.nospam.net>
1X    "Brian" <nondogmatist@hotmail.com>
1X    "bt" <@speakeasy.org>
1X    "Gregg Branham" <greggb@altusnet.com>
1X    "harry" <ccie@blueyonder.co.uk>
1X    "Ian M" <ian.mulvihill.no.spam@computer.org>
1X    "Joel" <joelyung@yeah.net>
1X    "John Kaberna" <jkaberna@nospam.netcginc.com>
1X    "Laron Swapp" <laron.d.swapp@intel.com>
1X    "Lindsay Druett" <lindsay@hnpl.net>
1X    "MikeN" <miken@mail.ikano.com>
1X    "Niloupi" <niloupi@NOSPAM.sympatico.ca>
1X    "Patrick M. Hausen" <hausen@nospam.de>
1X    "Pawel Sikora" <psi@polbox.WYCIEP-TO.pl>
1X    "Steven Griffin" <segjr@gte.net>
1X    Alex Bakhtin <bakhtin@amt.ru>
1X    Bernie <Bernie@weekend.com>
1X    Christophe Fillot <cf@utc.fr>
1X    Dave Phelps <tippenring@nospam.bigfoot.com>
1X    domesjoe@ljusdal.net
1X    John Agosta <jagosta@interaccess.com>
1X    levinm@iserv.net (Martin H. Levin)
1X    mortimer_mouse@mailandnews.com (Mortimer Mouse)
1X    news@tvolk.de (Thomas Volk)
1X    Paul J Murphy <paul@murph.org>
1X    Paul Koch <paul.koch@statscout.com>
1X    Roberto Piersante (rp67@libero.it)
1X    rodd@panix.com (Rod Dorman)
1X    rtrgod@yahoo.com (Lee)
1X    "ozzig" <billybellend2000@yahoo.MYPANTScom>
1X    "ferg" <ferg@somewhere.com>
1X    John Zwaanswijk
1X    "Hennen, David" <David.Hennen@gtech.com>
1X    "Erick B." <erickbe@yahoo.com>
1X    "Paul Lalonde" <plalonde2@cogeco.ca>
1X    "Mike Gortych" <mgortych@ntplx.com>
1X    "Cajun" <cajun@cyberspace.org>

2X    alan@internal.wj.com (Alan Strassberg)
2X    Richard Gallagher <rgallagh@cisco.com>
2X    "John Paul Morrison" <johnpaulmorrison@Hotmail.com>
2X    rich@richseifert.com (Rich Seifert)


3X    "Josh Duffek" <joshd@cisco.com>
3X    "James R. Quinn" <jquinn@jquinn.org>
3X    "Phillip Remaker" <remaker@cisco.com>

4X    Barry Margolin <barmar@genuity.net>

5X    Terry Kennedy <terry@gate.tmk.com>
5X    vcjones@NetworkingUnlimited.com (Vincent C Jones)

6X    Aaron@Cisco.COM (Aaron Leonard)
6X    Michael Shorts (mshorts@cisco.com)

25X   Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

User Contributions:

Comment about this article, ask questions, or add new information about this topic:


[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
Hansang Bae <hbae@nyc.rr.com>





Last Update March 27 2014 @ 02:11 PM