100 Cau Hoi Ky Thuat Ve Mang Cisco Thuong Gap 8513 (100 Frequently Asked Technical Questions About Cisco Networks)
7/28/2019 100 Cau Hoi Ky Thuat Ve Mang Cisco Thuong Gap 8513
100 FREQUENTLY ASKED TECHNICAL QUESTIONS ABOUT CISCO NETWORKS
............, Month .... Year .......
**************************************************************************
From: Question 1
Subject: What does ``cisco'' stand for?
cisco folklore time:
At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present, various factions within the company have adopted a capital ``C'', while fierce traditionalists (as well as some others) continue to use the lowercase variant, as does the cisco Systems logo. This FAQ has chosen to use the lowercase variant throughout.
cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were trying to come up with a name they did many searches for non-similar names, and always came up with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't taken (although SYSCO may be confusingly similar sounding). There was an East Coast company which later was using the ``CISCO'' name (I think they sold in the IBM marketplace); they ended up having to not use the CISCO abbreviation. Today many people spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in publications, etc. This led to at least one amusing article headlined ``Cisco grows up''. This winter we will celebrate our 10th year.
[This text was written in July of 1994 -jhawk]
**************************************************************************
From: Question 2
Subject: How do I save the configuration of a cisco?
If you have a tftp server available, you can create a file on the server for your router to write to, and then use the write network command (``copy running-config tftp'' in later releases). From a typical unix system:
mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
myrouter#copy running-config tftp
Remote host [10.7.0.63]? 10.7.0.2
Name of configuration file to write [myrouter-confg]? myconfig
Write file myconfig on host 10.7.0.2? [confirm] y
Bear in mind that TFTP has no authentication and sends the file in the clear, that the saved configuration contains every password, SNMP community and key the router knows, and that the world-writable file created above is also readable by everyone on the server. Keep the tftp server on a management network and move the file somewhere safer once the copy is done.
**************************************************************************
From: Question 3
Subject: How can I get my cisco to talk to a third party router over a serial link?
You need to tell your cisco to use the same link-level protocol as the other router; by default, ciscos use a rather bare variant of HDLC (High-level Data Link Control), the framing that most link-level protocols build on at some layer or another, but cisco's variant is its own and other vendors' routers generally will not speak it. To make your cisco operate with most other routers, you need to change the encapsulation from HDLC to PPP on the relevant interfaces. For instance:
sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
^Z
sewer-cgs#sh int s 1
Serial 1 is administratively down, line protocol is down
Hardware is MCI Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
If you're still having trouble, you might wish to turn on serial interface debugging:
sewer-cgs#ter mon
sewer-cgs#debug serial-interface
**************************************************************************
From: Question 4
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?
You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of ``encapsulation frame-relay'') on your serial interface that's running frame relay if your frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf'' specifies that your cisco will use RFC1294-compliant encapsulation, rather than the default, RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verboten by 1490, namely padding of the NLPID). If only a few routers in your frame relay cloud require this, then you can use the default encapsulation on everything and specify the exceptions with the frame-relay map command:
frame-relay map ip 10.1.2.3 56 broadcast ietf
^^^^
(ietf stands for Internet Engineering Task Force, the body which evaluates Standards-track RFCs; this keyword is a misnomer as both RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step beneath a DS), and is effectively obsolete). Note that current IOS documentation describes the default as cisco's own frame relay encapsulation and ``ietf'' as RFC 1490 (now RFC 2427) encapsulation; whichever description you follow, use ``ietf'' whenever the far end is not a cisco.
**************************************************************************
From: Question 5
Subject: How can I use debugging?
The ``terminal monitor'' command directs your cisco to send debugging output to the current session. It's necessary to turn this on each time you
telnet to your router to view debugging information. After that, you must specify the specific types of debugging you wish to turn on; please note that these stay on or off until changed, or until the router reboots, so remember to turn them off when you're done.
Debugging messages are also logged to a host if you have trap logging enabled on your cisco. You can check this like so:
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level debugging, 69 message lines logged
Logging to 198.7.0.2, 69 message lines logged
sl-panix-1>
If you have syslog going to a host somewhere and you then set about a nice long debug session from a term, your box is doing double work and sending every debug message to your syslog server. Additionally, if you turn on something that provides copious debugging output, be careful that you don't overflow your disk (``debug ip rip'' is notorious for this).
One solution to this is to only log severity ``info'' and higher:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
logging trap info
The other solution is to just be careful and remember to turn off
debugging. This is easy enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging can load your router. The console has a higher priority than a vty so don't debug from the console; instead, disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little too vigorous with debugging and the box is starting to sink, quickly run, don't walk, to your console and kill the session on the vty. If you are on the console your debugging has top priority and then the only way out is the power switch. This of course makes remote debugging a real sweaty palms adventure, especially on a crowded box.
**************************************************************************
From: Question 6
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?
Use the command
no ip domain-lookup
**************************************************************************
From: Question 7
Subject: How to use access lists
Where in the router are access lists applied?
In general, basic access lists are executed as filters on outgoing interfaces. Newer releases of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports. Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming interfaces in earlier releases. There are also special cases involving console access.
Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the INTERFACE major command. Filters are applied after traffic has entered on an incoming interface and gone through a routing process; traffic that originates in a router (e.g., telnets from the console port) is not subject to filtering.
                +-------------------+
                |      GLOBAL       |
                |                   |
                |      Routing      |
                |    ^ v   Access   |
                |    ^ v   Lists    |
                +-^--v--------^---v-+
                | ^  v        ^   v |
A-------------->|-|  |        |>>>>>|>>----------->B
                |1            Access|
                |           Group 2 |
                +-------------------+
Can a cisco router be a ``true'' firewall?
This depends on the definition of firewall. Some writers (e.g., GeneSpafford in _Practical UNIX Security_) define a firewall as a host on whichan ``inside'' and/or an ``outside'' application process run, withapplication-level code linking the two. For example, a firewall mightprovide FTP access to the outside world, but it would not also providedirect FTP service to the inside world. To place a file on the FTP externalserver, a designated user would explicitly log onto the FTP server,transfer a file to the server, and log off. The firewall prevents direct FTPconnectivity between the inside and outside networks; only indirect,application-level connectivity is allowed. Firewalls of this sort arecomplemented by chokes, which filter on network addresses and/or port
numbers. Cisco routers cannot do application-level control with accesscontrol lists. Other authors do not distinguish between chokes andfilters. Using the loose definition that a firewall is anything thatselectively blocks access from the inside to the outside, routers can befirewalls.
IP Specific
-----------
Can the ``operand'' field be used with a protocol keyword of IP to filter on protocol ID?
No. Operand filtering only works for TCP and UDP port numbers.
How can I prevent traffic for a certain Internet application to flow in one direction but not the other?
Remember that Internet applications flow from client port to server port: the client's packets carry the server's well-known port as their destination, and the server's replies carry it as their source. Denying packets with source port 23, for example, blocks the telnet server's replies toward the client, while denying packets with destination port 23 blocks the client's requests toward the server.
+-------------------+
| |
A----------->| |----------->B
|1 2|
[[ Ummm... in particular it loads the netbooted copy in as WELL as itself, decompresses it, if necessary, and THEN loads on top of itself. Note that this is important because it tells you what the memory requirements are for netbooting: RAM for ROM image (if it's a run from RAM image), plus dynamic data structures, plus RAM for netbooted image. ]]
The four ways to boot and what happens (sort of):
I (from bootstrap mode)
The ROM monitor is running. The I command causes the ROM monitor to walk all of the hardware in the bus and reset it with a brute force hammer. If the bits in the config register say to auto-boot, then goto B.
B (from bootstrap mode)
Load the OS from ROM. If a name is given, tell that image to start silently and then load a new image. If the boot system command is given, then start silently and load a new image.
powercycle
Does some delay stuff to let the power settle. Goto I.
reload (from the EXEC)
Goto I.
**************************************************************************
From: Question 9
Subject: How should I restrict access to my router?
Many admins are concerned about unauthorized access to their routers from malicious people on the Internet; one way to prevent this is to restrict access to your router on the basis of IP address.
Many people do this, however it should be noted that a significant number of network service providers allow unrestricted access to their routers to allow others to debug, examine routes, etc. If you're comfortable doing this, so much the better, and we thank you!
If you wish to restrict access to your router, select a free standard IP access list (numbered from 1-99) -- enter ``sh access-list'' to see those numbers in use.
yourrouter#sh access-list
Standard IP access list 5
permit 192.94.207.0, wildcard bits 0.0.0.255
Next, enter the IP addresses you wish to allow access to your router from; remember that access lists contain an implicit "deny everything" at the end, so there is no need to include that. In this case, 30 is free:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
yourrouter(config)#^Z
(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*). Enter multiple lines for multiple addresses; be sure that you don't restrict the address you may be telnetting to the router from.
Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply the access list to. In this example, I want lines 2 through 12:
yourrouter#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 CTY - - - - - 0 0 0/0
1 AUX 9600/9600 - - - - - 1 3287605 1/0
* 2 VTY 9600/9600 - - - - 7 55 0 0/0
3 VTY 9600/9600 - - - - 7 4 0 0/0
4 VTY 9600/9600 - - - - 7 0 0 0/0
5 VTY 9600/9600 - - - - 7 0 0 0/0
6 VTY 9600/9600 - - - - 7 0 0 0/0
7 VTY 9600/9600 - - - - 7 0 0 0/0
8 VTY 9600/9600 - - - - 7 0 0 0/0
9 VTY 9600/9600 - - - - 7 0 0 0/0
10 VTY 9600/9600 - - - - 7 0 0 0/0
11 VTY 9600/9600 - - - - - 0 0 0/0
12 VTY 9600/9600 - - - - - 0 0 0/0
Apply the access list to the relevant lines:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#line 2 12
yourrouter(config-line)# access-class 30 in
yourrouter(config-line)# ^Z
(This applies access list 30 to lines 2 through 12. It's important to restrict access to the aux port (line 1) if you have a device (such as a CSU/DSU) plugged into it.)
Be sure to save your configuration with ``copy run start''.
Please note that access lists for incoming telnet connections do NOT cause your router to perform significant CPU work, unlike access lists on interfaces. Note also that an access-class only checks the source address of the connection; it is no substitute for a login password on the lines, and telnet carries that password across the network in the clear.
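The matching rules that Questions 7 and 9 rely on (wildcard masks, first match wins, implicit deny at the end) are easy to get wrong when reading a list by eye. The following is an added example, not from the FAQ: a small Python model of a standard IP access list that parses ``access-list N ...'' lines and reports which source addresses an ``access-class N in'' on the vtys would admit. The configuration text inside it is constructed for the example and is not from the FAQ's router.

```python
"""Standard IP access-list matching with Cisco wildcard masks.

Added example, not from the FAQ: a model of the first-match, implicit-deny
evaluation described in Questions 7 and 9, used to check which source
addresses `access-class 30 in` would let onto the vtys.
The configuration text below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    address: str                # network or host address, e.g. "172.30.0.0"
    wildcard: str = "0.0.0.0"   # Cisco wildcard mask: 1 bits are "don't care"

    def matches(self, src: str) -> bool:
        # A wildcard is the inverse of a subnet mask, so compare only the 0 bits.
        care = ~ip_to_int(self.wildcard) & 0xFFFFFFFF
        return (ip_to_int(src) & care) == (ip_to_int(self.address) & care)


class StandardACL:
    def __init__(self, number: int):
        if not 1 <= number <= 99:
            raise ValueError("standard IP access lists are numbered 1-99")
        self.number = number
        self.entries = []       # Entry objects, in configuration order

    def permits(self, src: str) -> bool:
        """First matching entry decides; no match at all is the implicit deny."""
        for e in self.entries:
            if e.matches(src):
                return e.action == "permit"
        return False


def parse_acl(config_text: str) -> StandardACL:
    """Parse `access-list N permit|deny (any | host A | A [wildcard])` lines."""
    acl = None
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue                      # not an ACL line (comments, other config)
        number, action = int(tok[1]), tok[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        if tok[3] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif tok[3] == "host":
            addr, wc = tok[4], "0.0.0.0"
        else:
            addr, wc = tok[3], (tok[4] if len(tok) > 4 else "0.0.0.0")
        if acl is None:
            acl = StandardACL(number)
        elif number != acl.number:
            raise ValueError("example handles one list at a time")
        acl.entries.append(Entry(action, addr, wc))
    if acl is None:
        raise ValueError("no access-list lines found")
    return acl


# Constructed configuration: one bad host denied before the management range is permitted.
SAMPLE_CONFIG = """\
access-list 30 deny   172.30.9.99
access-list 30 permit 172.30.0.0 0.0.255.255
access-list 30 permit host 192.94.207.1
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG)
    for src in ("172.30.1.5", "172.30.9.99", "192.94.207.1", "10.1.1.1"):
        print(f"{src:15} -> {'permit' if acl.permits(src) else 'deny'}")
```

The order of the entries matters: moving the deny line below the permit would silently let 172.30.9.99 through, which is exactly the kind of mistake worth checking against a list of known-good and known-bad addresses before applying the list to the vtys.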
**************************************************************************
From: Question 10
Subject: What can I do about source routing?
What *is* source routing?
Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes. For more information on source routing, see RFC791.
Unfortunately, source routing is often abused by malicious users on the Internet (and elsewhere), and used to make a machine (A) think it is talking to a different machine (B), when it is really talking to a third machine (C). This means that C has control over B's IP address for some purposes.
The proper way to fix this is to configure machine A to ignore source-routed packets where appropriate. This can be done for most unix variants by installing a package such as Wietse Venema's tcp_wrapper:
ftp://cert.org:pub/tools/tcp_wrappers
For some operating systems, a kernel patch is required to make this work correctly (notably SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which turns all source routing off; I'm not sure where this is available, but I believe it was posted to the firewalls list by Brad Powell sometime in mid-1994.
If disabling source routing on all your clients is not possible, a last resort is to disable it at your router. This will make you unable to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both of which use LSRR (Loose Source and Record Route, one of the two IP source-routing options; the other is strict source routing), but may be necessary for some. If so, you can do this with
foo-e-0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo-e-0(config)#no ip source-route
foo-e-0(config)#^Z
It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding of source-routed packets through the router, for all interfaces, as well as source-routed packets to the router (the last is unfortunate for the purposes of ``traceroute -g'').
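What ``no ip source-route'' drops is any packet carrying the LSRR or SSRR IP option (option types 131 and 137 in RFC 791). The following is an added example, not from the FAQ: a Python check that walks the IPv4 option field of a raw packet and reports whether it is source routed, and through which hops, which is the host-side equivalent of the router setting above and can be run over captured packets. The two sample packets (and the deliberately truncated third one) are constructed inline; a real filter must treat a malformed option length as hostile rather than crash on it.

```python
"""Spot IP source-route options (LSRR/SSRR) in raw IPv4 packets.

Added example, not from the FAQ: the host-side equivalent of what
`no ip source-route` does on the router, written as a check you can run
over captured packets. The sample packets are constructed inline.
"""
import struct

LSRR, SSRR = 131, 137            # RFC 791 option types 0x83 (loose) and 0x89 (strict)
END_OF_OPTIONS, NO_OP = 0, 1     # the two single-byte option types


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def parse_options(pkt: bytes) -> list:
    """Return [(type, data)] for the options in the IPv4 header; raise on malformed input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts, i, found = pkt[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == END_OF_OPTIONS:
            break
        if t == NO_OP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length missing")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("bad option length")      # classic parser-crash input
        found.append((t, bytes(opts[i + 2:i + ln])))
        i += ln
    return found


def source_route(pkt: bytes):
    """('LSRR'|'SSRR', [hop, ...]) if the packet carries a source route, else None."""
    for t, data in parse_options(pkt):
        if t in (LSRR, SSRR):
            route = data[1:]                           # data[0] is the pointer; then 4 bytes per hop
            hops = [".".join(map(str, route[k:k + 4])) for k in range(0, len(route) - 3, 4)]
            return ("LSRR" if t == LSRR else "SSRR", hops)
    return None


def classify(pkt: bytes) -> str:
    """What a filter would do: 'forward', 'drop:source-routed' or 'drop:malformed'."""
    try:
        return "drop:source-routed" if source_route(pkt) else "forward"
    except ValueError:
        return "drop:malformed"


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (no payload, checksum left zero) with the given option bytes."""
    options += bytes(-len(options) % 4)            # pad to a 32-bit boundary with EOL bytes
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                      0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + options


# Constructed samples: a plain packet, one loose-source-routed via 10.7.0.2, one truncated
PLAIN = build_packet("192.0.2.10", "198.51.100.5")
LSRR_OPTION = bytes([LSRR, 7, 4]) + ip_bytes("10.7.0.2")   # type, length 3+4, pointer 4
ROUTED = build_packet("192.0.2.10", "198.51.100.5", LSRR_OPTION)
TRUNCATED = build_packet("192.0.2.10", "198.51.100.5", bytes([LSRR, 12, 4]))  # claims 12 bytes, has 4

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED), ("truncated", TRUNCATED)):
        print(f"{name:10} {classify(pkt):20} {source_route(pkt) if classify(pkt) != 'drop:malformed' else ''}")
```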
**************************************************************************
From: Question 11
Subject: Is there a block of private IP addresses I can use?
In any event, RFC 1918 documents the allocation of the following addresses for use by ``private internets'':
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Most importantly, it is vital that nothing using these addresses should ever connect to the global Internet, or have plans to do so. Your border routers should also drop packets carrying these addresses as source or destination, since they are meaningless outside your own network. Please read RFC 1918 before considering implementing such a policy.
As an additional note, some Internet providers provide network-management services, statistics gathering, etc. It is unlikely (if at all possible) that they would be willing to perform those services if you choose to utilize private address space.
With the increasing popularity and reliability of address translation gateways, this practice is becoming more widely accepted. Cisco has acquired Network Translation, who manufacture such a product. It is now available as the Cisco Private Internet Exchange (PIX). With it, you can use any addressing you want on your private internet, and the gateway will ensure that the private addresses are translated before packets go out onto the global Internet. It also makes a good firewall. Information on this product is available at
http://www.cisco.com/warp/public/751/pix/index.html
**************************************************************************
From: Question 12
Subject: How do I interpret the output of ``show version''?
Typing ``show version'' or ``show hardware'' yields a response like:
prospect-gw.near.net>sh version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst113]
System-type (imagename) Version major.minor(release.interim) [who] Desc
System-type: type of system the software is designed to run on.
imagename: The name of the image. This is different (slightly) for run-from-rom, run-from-flash, and run-from-ram images, and also for subset images, which both were and will be more common.
"Version": text changes slightly. For example, if an engineer gives you a special version of software to try out a bug fix, this will say experimental version.
Major: Major version number. Changes (in theory) when there have been major feature additions and changes to the software.
Minor: minor version number. Smaller but still significant features added. (In reality, cisco is not very sure what the difference between "major" and "minor" is, and sometimes politics gets in the way, but either of these "incrementing" indicates feature additions.) EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is the base, 9.14 adds special features for low end systems, 9.17 added special features specific to the high end (cisco-7000). This was an experiment that we are trying not to repeat.
release: increments (1 2 3 4 ...) for each maintenance release of released software. Increments for every compile in some other places.
interim: increments on every build of the "release tree", which happens weekly for each release, but is only made into a generically shipping maintenance release every 7 to 8 weeks or so.
[who]: who built it. Has "fc 1" or similar for released software. Has something like [billw 101] for test software built by Bill Westfield ([email protected]).
Desc: additional description.
The idea is that the image name and version number UNIQUELY identify a set of sources and debugging information somewhere back at cisco, should anything go wrong.
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
Image text-base: 0x00001000, data-base: 0x00463EB0
Copyright, compilation date (and by whom), as well as the
starting address of the image.
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
The version of ROM bootstrap software, and the version of IOS
in ROM.
prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
How long the router has been up, and why it restarted.
System image file is "sse-current", booted via flash
How the router was booted.
RP (68040) processor with 16384K bytes of memory.
Type of processor.
G.703/E1 software, Version 1.0.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
Bridging software.
ISDN software, Version 1.0.
Various software options compiled in.
1 Silicon Switch Processor.
2 EIP controllers (8 Ethernet).
2 FSIP controllers (16 Serial).
1 MIP controller (1 T1).
8 Ethernet/IEEE 802.3 interfaces.
16 Serial network interfaces.
128K bytes of non-volatile configuration memory.
4096K bytes of flash memory sized on embedded flash.
Hardware configuration.
Configuration register is 0x102
Lastly, the "configuration register", which may be set via
software in current releases...
**************************************************************************
From: Question 13
Subject: When are static routes redistributed?
In the simple case, any static route *in the routing table* is redistributed if the ``redistribute static'' command is used, and some filter (set with either ``route-map'' or ``distribute-list out'') doesn't filter it out.
Whether the static route gets into the routing table depends on:
Whether the next hop address is reachable (if you use a static route pointing to a next hop)
OR whether the interface is up (if you use a static route pointing to an interface).
If one of these is true, an attempt is made to add the route to the routingtable; whether that succeeds depends on the administrative distance ofthe route -- a lower administrative distance (the route is "closer") than apreexisting route will cause the preexisting route to be overwritten.
**************************************************************************
From: Question 14
Subject: When is the next hop of a route considered ``reachable''?
When a static route is added, or during an important event (eg: interface up/down transition), the next hop for a route is looked up from the routing table (i.e. recursive routing). As a consequence, if a route which is depended upon for evaluation of the next hop of a static route goes away, a mechanism is required to remove that (now-invalid) static route. Scanning all static routes each time the routing table changes is too expensive, so instead, a periodic timer is used. Once a minute, static routes are added and removed from the routing table based on the routes they depend upon. It should be noted that a particular static route will be reevaluated when its interface transitions up or down.
*************************************************************************
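The two rules in Questions 13 and 14 (a static route enters the table only if its next hop resolves, recursively, or its interface is up; a lower administrative distance replaces a higher one for the same prefix; a periodic pass removes statics whose dependencies have gone) are easier to reason about as code. The following is an added example, not from the FAQ and not IOS code: a Python model of those rules. The interfaces, prefixes and distances are constructed; the second static resolves only through the first, and the scenario includes a floating static that takes over when the serial interface goes down.

```python
"""Static-route installation with recursive next-hop resolution and
administrative distance, following Questions 13 and 14.

Added example, not from the FAQ or IOS code. The interfaces, prefixes and
distances are constructed; the rules are the FAQ's: a static route is
installed only if its next hop resolves through the table (or its interface
is up), a lower administrative distance replaces an existing route for the
same prefix, and a periodic pass removes statics whose dependencies went away.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(s):
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # IP next hop, or None for an interface route
    interface: Optional[str]     # outgoing interface, if the route names one
    distance: int                # administrative distance: connected 0, static 1, RIP 120


def static(prefix, next_hop=None, interface=None, distance=1):
    return Route(net(prefix), next_hop, interface, distance)


class RoutingTable:
    def __init__(self):
        self.routes = {}        # prefix -> Route
        self.if_up = {}         # interface name -> bool

    def set_interface(self, name, up, address):
        """Bring an interface up or down; its connected route follows it."""
        self.if_up[name] = up
        connected = net(address)
        if up:
            self.routes[connected] = Route(connected, None, name, 0)
        else:
            self.routes.pop(connected, None)

    def lookup(self, addr, max_depth=8):
        """Longest-prefix match, following next hops recursively until an up interface is found."""
        target = ipaddress.ip_address(addr)
        for _ in range(max_depth):                      # bound protects against next-hop loops
            best = max((r for r in self.routes.values() if target in r.prefix),
                       key=lambda r: r.prefix.prefixlen, default=None)
            if best is None:
                return None
            if best.interface is not None:
                return best if self.if_up.get(best.interface) else None
            if best.next_hop is None:
                return None
            target = ipaddress.ip_address(best.next_hop)  # recurse one level
        return None

    def usable(self, route):
        if route.next_hop is not None:
            return self.lookup(route.next_hop) is not None
        return bool(self.if_up.get(route.interface))

    def install(self, route):
        """Add the route if usable and nothing with a lower-or-equal distance already holds the prefix."""
        if not self.usable(route):
            return False
        current = self.routes.get(route.prefix)
        if current is not None and current.distance <= route.distance:
            return False
        self.routes[route.prefix] = route
        return True

    def reevaluate(self, statics):
        """The once-a-minute scan: drop statics whose next hop no longer resolves, re-add those that do."""
        changed = True
        while changed:                                  # repeat until no dependent route flips
            changed = False
            for r in statics:
                installed = self.routes.get(r.prefix) is r
                if installed and not self.usable(r):
                    del self.routes[r.prefix]
                    changed = True
                elif not installed and self.install(r):
                    changed = True

    def holder(self, prefix):
        return self.routes.get(net(prefix))

    def installed(self):
        return sorted(str(p) for p in self.routes)


def demo():
    """Constructed topology: two connected networks and three statics, one of them recursive."""
    rt = RoutingTable()
    rt.set_interface("Serial0", True, "10.7.0.1/24")
    rt.set_interface("Ethernet0", True, "192.168.1.1/24")
    statics = [
        static("172.16.0.0/16", next_hop="10.7.0.2"),       # resolves via Serial0
        static("10.99.0.0/16", next_hop="172.16.5.5"),      # resolves recursively via the route above
        static("10.50.0.0/16", next_hop="203.0.113.1"),     # next hop unreachable: never installed
    ]
    for r in statics:
        rt.install(r)
    return rt, statics
```

Run ``demo()`` and then take Serial0 down and call ``reevaluate``: both the direct static and the one that depended on it disappear, and come back when the interface does, which is the behaviour the once-a-minute scan above describes.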
From: Question 15
Subject: How do name and phone number of ``dialer map'' interfere?
We use the telephone number first actually. If the caller id matches the telephone number to call, then you don't need the 'name' parameter with a phone number. I realized that the above is ambiguous, so let's do this. You have:
dialer map ip x.x.x.x name
is used for incoming authentication. It can be either the hostname, for PAP and CHAP, or it can be a number as returned by caller id. If this is not there, and it is an incoming call, and there is caller id, we will compare against to see if that matches.
**************************************************************************
From: Question 16
Subject: What's the purpose of the network command?
>* what is the real purpose of the network subcommand of
> router commands? When do I not want to include a network
> I know about?
The real purpose of the 'network' sub-command of the router commands is to indicate what networks that this router is connected to are to be advertised in the indicated routing protocol or protocol domain. For example, if OSPF and EIGRP are configured, some subnets may be advertised in one and some in the other. The network command enables one to do this.
An example of such a case is a secure subnet. Imagine the case where a set of subnets are permitted to communicate within a campus, but one of the buildings is intended to be inaccessible from the outside. By placing the secure subnet in its own network number and not advertising the number, the subnet is enabled to communicate with other subnets on the same router, but is unreachable from any other router, barring static routes. This can be extended by using a different routing protocol or routing protocol domain for the secure network; subnets on the various routers within the secure domain are mutually reachable, and routes from the non-secure domain may be leaked into the secure domain, but the secure domain is invisible to the outside world. Note that this hides the subnet rather than protecting it: anyone who can add a static route toward it, or who is already on a router that carries the route, can still reach it, so it should be combined with access lists rather than relied on alone.
**************************************************************************
From: Question 17
Subject: What is VLSM?
A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing resources to subnets according to their individual need rather than some general network-wide rule. Of the IP routing protocols supported by Cisco, OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.
Historically, EGP depended on the IP address class definitions, and actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP addresses (32 bit numbers); RIP and IGRP exchanged network and subnet numbers in 32 bit fields, the distinction between network number, subnet number, and host number being a matter of convention and not exchanged in the routing protocols. More recent protocols (see VLSM) carry either a prefix length (number of contiguous bits in the address) or subnet mask with each address, indicating what portion of the 32 bit field is the address being routed on.
A simple example of a network using variable length subnet masks is found in Cisco engineering. There are several switches in the engineering buildings, configured with FDDI and Ethernet interfaces and numbered in order to support 62 hosts on each switched subnet; in actuality, perhaps 15-30 hosts (printers, workstations, disk servers) are physically attached to each. However, many engineers also have ISDN or Frame Relay links to home, and a small subnet there. These home offices typically have a router or two and an X terminal or workstation; they may have a PC or Macintosh as well. As such, they are usually configured to support 6 hosts, and a few are configured for 14. The point to point links are generally unnumbered.
Using "one size fits all" addressing schemes, such as are found in RIP or IGRP, the home offices would have to be configured to support 62 hosts each; using numbers on the point to point links would further compound the address bloat.
One configures the router for Variable Length Subnet Masking by configuring the router to use a protocol (such as OSPF or EIGRP) that supports this, and configuring the subnet masks of the various interfaces in the 'ip address' interface sub-command. To use supernets, one must further configure the use of 'ip classless' routes.
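To make the address-bloat comparison concrete, the following is an added example, not from the FAQ: a Python allocator that carves variable-length subnets out of one block, largest requirement first, using the host counts the text gives (62 per engineering LAN, 14 or 6 per home office). The parent block ``10.0.0.0/24`` and the subnet names are constructed; ``fixed_size_cost`` shows what the same five subnets would consume under the "one size fits all" scheme, which in this case does not even fit in the block.

```python
"""Carve variable-length subnets out of one block, largest need first.

Added example, not from the FAQ: the allocation the VLSM discussion implies,
using the FAQ's host counts (62 per engineering LAN, 14 or 6 per home office).
The parent block and subnet names are constructed.
"""
import ipaddress
import math


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable host count (2^n - 2) still covers `hosts`; /30 at minimum."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def allocate(parent: str, demands):
    """demands: [(name, hosts)]. Returns ({name: network}, [free blocks left over])."""
    free = [ipaddress.ip_network(parent)]
    result = {}
    for name, hosts in sorted(demands, key=lambda d: -d[1]):   # largest first avoids fragmentation
        plen = prefix_for_hosts(hosts)
        candidates = [b for b in free if b.prefixlen <= plen]
        if not candidates:
            raise ValueError(f"no room left for {name} (/{plen})")
        # tightest fit, lowest address: keeps the big free blocks intact for later
        block = max(candidates, key=lambda b: (b.prefixlen, -int(b.network_address)))
        free.remove(block)
        chosen = next(block.subnets(new_prefix=plen))
        free.extend(block.address_exclude(chosen))              # yields nothing if chosen == block
        result[name] = chosen
    return result, sorted(free)


def fixed_size_cost(demands) -> int:
    """Addresses consumed if every subnet gets the largest size, as under RIP or IGRP."""
    plen = min(prefix_for_hosts(h) for _, h in demands)
    return len(demands) * 2 ** (32 - plen)


# Constructed demands mirroring the FAQ: two engineering LANs and three home offices
DEMANDS = [("eng-lan-1", 62), ("eng-lan-2", 62), ("home-a", 14), ("home-b", 6), ("home-c", 6)]

if __name__ == "__main__":
    nets, free = allocate("10.0.0.0/24", DEMANDS)
    for name, n in nets.items():
        print(f"{name:10} {n}  ({n.num_addresses - 2} usable hosts)")
    print("free:", [str(n) for n in free])
    print("fixed-size would need", fixed_size_cost(DEMANDS), "addresses; the /24 has 256")
```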
**************************************************************************
From: Question 18
Subject: What are some methods for conserving IP addresses for serial lines?
VLSM and unnumbered point to point interfaces are the obvious ways. The 'ip unnumbered' subcommand indicates another interface or sub-interface whose address is used as the IP source address on messages that the router originates on the unnumbered interface, such as telnet or routing messages. By doing this, the router is reachable for management purposes (via the address of the one numbered interface) but consumes no IP addresses at all for its unnumbered links.
**************************************************************************
From: Question 19
Subject: Flash upgrade issues for Cisco 2500 series routers
> When I remove the original flash and replace it with either one or both of
> the new flash chips, I get the following error on boot up and the router ends
> up in boot mode.:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash
This has to be the most common FAQ for this group. You have non-Intel flash chips on your new SIMMs and boot ROMs that are too old to know about the different access method for the flash chips you have.
You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that Intel no longer makes those chips, which is why everybody has this problem.
**************************************************************************
From: Question 21
Subject: How do I configure a router to act as a Frame-Relay Switch?
config t
!
frame-relay switching
!
interface Serial0
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
! In the config below, the 102 is the DLCI that will be
! presented to the router connected to this - S0 -
! interface. 201 is the DLCI that is mapped to S1
frame-relay route 102 interface Serial1 201
frame-relay route 103 interface Serial2 301
interface Serial1
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
frame-relay route 201 interface Serial0 102
frame-relay route 203 interface Serial2 302
interface Serial2
no ip address
no keepalive
encapsulation frame-relay
clockrate 64000
frame-relay intf-type dce
frame-relay route 301 interface Serial0 103
frame-relay route 302 interface Serial1 203
                 ________            ______
                |  FR SW |_S2______S0_|  R3  |
                |________|            |______|
              S0 /      \ S1
                /        \
               /          \
        S0 ___/___    ___\___S0
          |  R1   |  |  R2   |
          |_______|  |_______|
R1 S0, R2 S0 and R3 S0 will be on the same subnet. You can treat it as p2mp. I put all the DCE ends of the cables on the Frame Switch, so clock rate is defined there. However, this is not a requirement. The FR Switch router does not need to have the DCE end. Regardless of the gender of the cable, however, the "frame-relay intf-type dce" is required. I defined the DLCIs as Source Router + 0 + Destination Router. So if the circuit goes from R1 to R3 it's DLCI 103. From R3 to R1 it's DLCI 301.
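Generating the switch side from that DLCI scheme is mechanical, so it is a good candidate for a script. The following is an added example, not part of the FAQ: it builds the frame-relay route statements from a router-to-port map (the port assignment is read off the diagram above and is an assumption) and checks that every PVC has its mirror entry on the far port, which is the usual reason a circuit in such a lab passes traffic in only one direction.

```python
# Added example (not from the FAQ): build and sanity-check a frame-relay
# switch configuration that follows the FAQ's DLCI scheme
#   DLCI = <source router number> 0 <destination router number>

# Assumed lab wiring from the diagram: router number -> frame-switch port.
SWITCH_PORTS = {1: "Serial0", 2: "Serial1", 3: "Serial2"}


def dlci(src, dst):
    """DLCI naming used in the FAQ: source router, '0', destination router."""
    return int(f"{src}0{dst}")


def frame_routes(ports):
    """Return {switch_port: [(in_dlci, out_port, out_dlci), ...]} for a full
    mesh of PVCs between every pair of routers attached to the switch."""
    routes = {}
    for src, src_port in ports.items():
        for dst, dst_port in ports.items():
            if src == dst:
                continue
            routes.setdefault(src_port, []).append(
                (dlci(src, dst), dst_port, dlci(dst, src)))
    return routes


def render_config(ports, clockrate=64000):
    """Emit IOS lines equivalent to the FR switch config shown in the FAQ."""
    lines = ["frame-relay switching"]
    for port, routes in frame_routes(ports).items():
        lines += ["!", f"interface {port}", " no ip address", " no keepalive",
                  " encapsulation frame-relay", f" clockrate {clockrate}",
                  " frame-relay intf-type dce"]
        for in_dlci, out_port, out_dlci in routes:
            lines.append(
                f" frame-relay route {in_dlci} interface {out_port} {out_dlci}")
    return "\n".join(lines)


def check_symmetry(routes):
    """A PVC only carries traffic both ways if the far port maps the reverse
    DLCI back to this one. Return the one-way routes (empty == consistent)."""
    index = {(port, in_dlci): (out_port, out_dlci)
             for port, entries in routes.items()
             for in_dlci, out_port, out_dlci in entries}
    broken = []
    for (port, in_dlci), (out_port, out_dlci) in index.items():
        if index.get((out_port, out_dlci)) != (port, in_dlci):
            broken.append((port, in_dlci, out_port, out_dlci))
    return broken


if __name__ == "__main__":
    print(render_config(SWITCH_PORTS))
    print("one-way PVCs:", check_symmetry(frame_routes(SWITCH_PORTS)))
```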
**************************************************************************
From: Question 22
Subject: What are the different types of memory used by Cisco Routers?
The 2500 Series and 7204 VXR have the same types of memory, but they are implemented in different physical packages:
ROMMON - This is the initial bootstrap for the router.
Boot Helper - This is a subset of IOS that is used to update software or network boot. The 2500 implements the ROMMON and boot helper in a set of two ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash memory on the I/O controller called boot flash.
Main memory - This is used to hold routing tables, and IOS variables. In the 7204 VXR, IOS itself is also resident in main memory. The 2500 Series usually runs the IOS directly in flash.
Shared memory - This is the memory that holds packet buffers. On the 2500 Series, this is part of the same physical memory as main memory. On the 7204 VXR, it's separate memory.
Flash memory - This memory holds the IOS image. On the 2500 Series, there are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA slots on the I/O controller which can take a 128 MB flash disk.
Configuration memory (NVRAM) - This is the memory that holds the IOS configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is 128 KB battery backed up SRAM on the I/O controller.
**************************************************************************
From: Question 23
Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?
Doc CD Content appears garbled:
The Doc CD content is compressed - it requires Verity to decompress it. This is why Verity is used on the Doc CD. What has happened is you've tried to directly open up index.html off the CD into your browser, and this is not possible to do. The CD must be accessed through the Verity Web Publisher through:
http://127.0.0.1:8080/home/home.htm
This is the startup address that is launched when you click on "Launch CD."
Windows 2000 and Doc CD: Pre-July 2000 Documentation CDs do not work on Windows 2000 out of the box. They will cause "Search.exe" to crash when run under Win2k.
There is a fix that sometimes works for these CDs at: http://www.cisco.com/warp/public/620/ioscd.html
This fix MUST be done BEFORE you install the CD. If the CD has already been installed, then uninstall it, delete c:\cisco, make this registry change, then re-install the Doc CD (both the Browser Software Installer and the Documentation CD).
(I have tried this on my laptop which is running Windows 2000 and it worked fine, but I had to delete c:\Cisco first and launch the Browser Software Installer CD (1) first, then the Document CD (2). My version of the CD was Nov 1999.)
(I have already sent this one to you; did you delete c:\Cisco and launch both CDs?)
Other fixes are shown below.
The Doc CD starts up to about:blank
There are two alternate fixes for this:
1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm for the address, and then add it to your favorites.
or
2. This is a 4-step fix:
A. Ensure that search.exe is not running.
B. Edit the installed search.ini (c:\CISCO\search.ini).
C. Change the line 'Browser=c:\program files\internet explorer\iexplore.exe' to 'Browser=msie'
D. Launch the CD.
Nothing happens when I click Launch CD
The usual cause for this is that you've installed a post-July 2000 Documentation CD over the top of a previous Doc CD.
The fix for this is to:
1. Uninstall the Doc CD from the control panel->add/remove programs.
2. Delete c:\cisco
3. Reinstall the Doc CD.
Finally to reorder a CD
The Cisco Documentation CD is also available online at:
http://www.cisco.com/univercd/home/home.htm
**************************************************************************
From: Question 24
Subject: How do I load a large image on a 2500 *lab* router?
For production work (support by Cisco required) you need 16M Flash to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0 Enterprise is small enough (about 10M) to run from RAM (upgrading to 16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a compressed image in the 8M of flash you do have.
12.1 Enterprise is 14M so it must be run from flash (otherwise there is not enough RAM remaining to even complete loading of the OS).
Check the release notes on www.cisco.com for the IOS release you want to use. If the actual size of the IOS plus the minimum recommended RAM totals less than 16MB, you can run compressed or boot from TFTP without expanding flash. Check deja-news on google if you are unclear on how to run a compressed image on the 2500; it is a frequent request and hopefully will turn up in the renovated FAQ when Hansang gets a chance to publish it.
**************************************************************************
From: Question 25
Subject: daisy-chaining reverse telnet console-aux ports
> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux --> console and using reverse telnet to get to them...
> However when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router. If I kill the AUX line, then initiate the
> reverse telnet again, I fall through router 2 and 3 to 4 again...
> Is there an easy way to fall back one router at a time?
> or should I not bother to do this?
You have two options. One is to use a different escape character on the second (third, fourth etc) console (and/or vty):
conf t
line con 0 /* or vty 0 4 */
escape-character 23
This will let you use CTRL-W then X to break out of reverse telnet.
Or
You can use CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the second session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the third session, etc.
**************************************************************************
From: Question 26
Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my ACL if someone authenticates to my router?
username foobar password cisco
!
int s0
ip address 1.1.1.1 255.255.0.0
ip access-group 101 in
! /* or port 22 for ssh */
access-list 101 permit tcp any host 1.1.1.1 eq telnet
access-list 101 dynamic foobar permit ip any any
!
line vty 0 2
login local
autocommand access-enable host timeout 5
line vty 3 4
login local
rotary 1
The first access list allows telnet into the router. Your users will telnet into the router and authenticate with username foobar and password "cisco". The router will then immediately disconnect the telnet session. When they successfully authenticate, an access list entry with their source IP will be added to the dynamic list. Basically, if they authenticate correctly, they can come in to the inside network. After 5 mins of inactivity the entry will be deleted from the access list.
The vty 3 and 4 are using the rotary command so that you can telnet to your router with the command "telnet 1.1.1.1 3001". This takes you to vty 3 (or 4). This way, you can telnet into the router and actually manage it. A very subtle but VERY important point: if you forget this, you'll be making a trip to use the console port.
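The lockout point at the end is easy to check mechanically. The following is an added example, not from the FAQ, that parses a lock-and-key configuration (the FAQ's own config is embedded as the sample) and reports the conditions that would leave the router manageable only from the console: no vty line left without the autocommand, no rotary group on the management lines, no dynamic access-list entry, and no permit for telnet or ssh to the router itself. The checks are an assumption about what a reviewer wants flagged, not an IOS feature.

```python
# Added example (not from the FAQ): review a lock-and-key configuration for
# the ways it can lock the administrator out of remote management.
import re

# Constructed sample: the lock-and-key configuration from the FAQ above.
LOCK_AND_KEY_CONFIG = """\
username foobar password cisco
!
int s0
 ip address 1.1.1.1 255.255.0.0
 ip access-group 101 in
!
access-list 101 permit tcp any host 1.1.1.1 eq telnet
access-list 101 dynamic foobar permit ip any any
!
line vty 0 2
 login local
 autocommand access-enable host timeout 5
line vty 3 4
 login local
 rotary 1
"""


def parse_vty_blocks(config):
    """Return one dict per 'line vty A B' block with its sub-commands.
    Sub-commands are the indented lines that follow the 'line vty' line."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if current is not None:
                current["cmds"].append(raw.strip())
            continue
        m = re.match(r"line vty (\d+) (\d+)$", raw.strip())
        if m:
            current = {"first": int(m.group(1)), "last": int(m.group(2)),
                       "cmds": []}
            blocks.append(current)
        else:
            current = None  # any other top-level line ends the vty block
    return blocks


def _has(block, prefix):
    return any(c.startswith(prefix) for c in block["cmds"])


def lock_and_key_findings(config):
    """Return human-readable findings; an empty list means the config keeps a
    management path open while lock-and-key is active."""
    findings = []
    blocks = parse_vty_blocks(config)
    auto = [b for b in blocks if _has(b, "autocommand access-enable")]
    plain = [b for b in blocks if not _has(b, "autocommand access-enable")]
    if not auto:
        findings.append("no vty line runs 'autocommand access-enable'; "
                        "lock-and-key never triggers")
    if not plain:
        findings.append("every vty line auto-disconnects after access-enable; "
                        "the only remaining management path is the console port")
    elif not any(_has(b, "rotary ") for b in plain):
        findings.append("the management vty lines have no 'rotary' group, so "
                        "there is no port number that reaches them on purpose")
    if not re.search(r"^access-list \d+ dynamic \S+ .*\bpermit\b", config, re.M):
        findings.append("no 'access-list ... dynamic' entry exists for "
                        "access-enable to populate")
    if not re.search(r"^access-list \d+ permit tcp .* eq (telnet|22|ssh)\b",
                     config, re.M):
        findings.append("the access-list does not permit telnet/ssh to the "
                        "router itself, so nobody can authenticate through "
                        "the filtered interface")
    return findings


if __name__ == "__main__":
    for finding in lock_and_key_findings(LOCK_AND_KEY_CONFIG) or ["OK"]:
        print(finding)
```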
*************************************************************************
From: Question 27
Subject: How do I telnet to a specific VTY line?
See "rotary" example in question 48.
**************************************************************************
From: Question 28
Subject: Is there a better (free) tftp server than the one by Cisco?
3CDv2r10.zip file located at:
http://support.3com.com/software/utilities_for_windows_32_bit.htm
**************************************************************************
From: Question 28
Subject: How do I NAT on a single Cisco 2503 Ethernet interface
interface Loopback0
ip address 10.0.255.1 255.255.255.0
ip nat inside
!
interface Ethernet0
ip address 10.0.0.1 255.255.255.0 secondary
ip address xxx.yyy.zzz.ttt 255.255.255.248
ip nat outside
ip policy route-map LOOPNAT
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map LOOPNAT permit 10
match ip address 1
set interface Loopback0
!
Note that Lo0 interface may have any ip address.
**************************************************************************
From: Question 29
Subject: How do I hide a summarized OSPF route from one ABR to another?
area 1 range x.x.x.x x.x.x.x not-advertise
**************************************************************************
From: Question 30
Subject: How do I setup Windows 2000 and IPSec to a PIX Firewall?
To describe how to use the Local Security Policy MMC in W2K would take a long time. So, the config I will share with you is the 'dial-up' one I mentioned before. In this posting I will detail the bare minimum needed to get a W2K client working with a PIX firewall running v6.01 software. For simplicity I use a preshared key for authentication. Since I have to embed this key into the script I use, it makes the configuration open and thus vulnerable. However, you should be able to tweak the configuration from this to meet your own security needs. The W2K IPSec client supports certificates
as well as preshared keys so a "secure" version of this config is attainable.
The configuration script I eked out (it isn't beautiful code) is actually written in Perl. If you would like to re-write it in the old DOS batch file format, please do so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com. The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program that you have to use has its own documentation which you should read. For the PIX I give you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make this config work. The config assumes that the PIX has NAT enabled.
Ok, enough blabber, here it is... I hope it is helpful!
For the purposes of this 'demo' config, the PIX Firewall will have 192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X network. The inside router will be 10.0.0.1.
Quick Network Schematic:
[W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] ---> [Internet] ----> [PIX Firewall (192.168.0.1)] ---> [Internal LAN (10.0.X.X)] --> [Inside Router (10.0.0.1)]
The PIX firewall commands needed are:
sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside
isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside
The Perl script I wrote is as follows. I execute this script every time I establish a connection with my dial-up ISP. It then sets up the IPSec tunnel using my current ISP assigned IP Address.
#begin listing
# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.
# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at some point but I am in a hurry right now.
use Net::hostent;
use Socket;
use Net::Ping;
#Two variables: one for the local IP address and one for the VPN server.
#This script assumes that the VPN server has a static IP.
my $localipaddress;
my $VPNHostIP = '192.168.0.1';
#The following section of code discerns the IP address of the host provided
#in the command line arguments. The default is the localhost.
#NOTE: The code section is smart and gives you a routable IP (if available)
#and not just 127.0.0.1
# This section is pretty much identical to the one found on the PERL
# documentation site.
# I just added an assignment of the discerned IP address to the
# $localipaddress variable.
# I also changed the @ARGV assignment to 'localhost' instead of 'netscape.com'.
@ARGV = ('localhost') unless @ARGV;
for $host ( @ARGV ) {
    unless ($h = gethost($host)) {
        warn "$0: no such host: $host\n";
        next;
    }
    printf "\n%s is %s%s\n",
        $host,
        lc($h->name) eq lc($host) ? "" : "*really* ",
        $h->name;
    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
        if @{$h->aliases};
    if ( @{$h->addr_list} > 1 ) {
        my $i = 0;
        for $addr ( @{$h->addr_list} ) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
        }
    } else {
        #my modification is on the next line.
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }
    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s!\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}
# Added guard (not in the original posting): without a local address the
# ipsecpol filters below would be built with an empty string.
die "$0: could not determine the local IP address\n" unless defined $localipaddress;
#This next section is a very modified version of the Ping example on the
#Perl Documentation Website.
#Now that we know our IP address, we can setup the IPSec tunnel.
#First we try and ping our VPN server.
$p = Net::Ping->new("icmp");
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP)) {
    print "Yes\nAttempting to initialize IPSec Connection";
    #Now that we can see our server, let's stop and start the W2K IPSec Policy
    #Agent. This deletes any 'dynamic' IPSec policies that may have been in
    #effect before.
    print "\nResetting IPSec Policy Agent";
    $cmdstring = 'Net Stop "IPSec Policy Agent"';
    system($cmdstring);
    $cmdstring = 'Net Start "IPSec Policy Agent"';
    system($cmdstring);
    #Now we issue the ipsecpol command to setup the tunnel to our VPN Server.
    #The ipsecpol command line utility can be found on Microsoft's Website.
    # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
    # or
    # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5/EN-US/ipsecpol_setup.exe
    #MS requires two ipsecpol commands be issued in order to setup a tunnel.
    #One for the inbound traffic and one for the outbound traffic.
    # For this tunnel I used the following settings:
    # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP Address.
    # The tunnel setting '-t' is either My IP Address or the VPN Server's IP Address.
    # The security method list '-s' is for DES-MD5-1
    # The security negotiation setting '-n' is for ESP[DES,MD5]
    # We are using QuickMode key exchange '-1k' rekeys after 10 quickmodes '10q'
    # We are using perfect forward secrecy '-1p'
    # For authentication we are using a preshared key '-a'
    # NOTE: the preshared key must be enclosed in double quotes
    # See the documentation of the utility for further details.
    print "\nSetup IPSec Tunnel";
    #This sets up the inbound leg of the tunnel. We are filtering all traffic
    #inbound from 10.0.X.X to our IP address.
    #The critical part of this statement is that the -t argument must contain
    #our local IP.
    $cmdstring = 'ipsecpol -f 10.0.*.*='.$localipaddress.' -t '.$localipaddress.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s", $cmdstring;
    system($cmdstring);
    #This sets up the outbound leg of the tunnel. We are filtering all
    #traffic outbound to 10.0.X.X from our IP address.
    #The critical part of this statement is that the -t argument must contain
    #the VPN Server's IP Address.
    $cmdstring = 'ipsecpol -f '.$localipaddress.'=10.0.*.* -t '.$VPNHostIP.' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s\n", $cmdstring;
    system($cmdstring);
    #Now that we have issued our commands, we should test the network and see
    #if we can see inside it.
    #The internal router is the easiest target. Here it is 10.0.0.1.
    #We first do a ping just so that the IPSec tunnel will negotiate. W2K does
    #not setup the tunnel until you actually try and send traffic to an IPSec
    #filtered IP address.
    #Now we do another ping and tell the user what happened.
    print "\nTrying to ping internal network: ";
    $p->ping("10.0.0.1");
    if ($p->ping("10.0.0.1")) {
        print "Success\n";
        sleep(1);
    } else {
        print "Failure\n";
        sleep(1);
    }
} else {
    # If we reach this point, we could not see our VPN Server's external IP
    # address from our ISP.
    print "No\nTry redialing your ISP";
    sleep(3);
}
$p->close();
#end listing
**************************************************************************
From: Question 32
Subject: How do I use tftpdnld via Ethernet port on a 2600?
Press Ctrl+Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.
rommon 1 > IP_ADDRESS=172.15.19.11
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=172.16.19.1
rommon 4 > TFTP_SERVER=172.15.20.10
rommon 5 > TFTP_FILE=/tftpboot/c2600-i-mz
rommon 6 > tftpdnld
**************************************************************************
From: Question 33
Subject: How do I setup MultiLinkPPP?
multilink PPP without virtual template
int Multilink1
description multilink bundle
ip unnumbered Loopback0
ppp multilink
multilink-group 1
!
int Ser0
description first T1 line
encaps ppp
ppp multi
multilink-group 1
!
int Ser1
description second T1 line
encaps ppp
ppp multi
multilink-group 1
Again, recent software is necessary: at least 12.0T or 12.1, or one of the ISP branches (12.0S).
**************************************************************************
From: Question 34
Subject: How much memory is taken up by BGP routes?
As a reference, please see the following from
http://www.cisco.com/warp/public/459/
I'd like to drill down another level to decide why each entry contains 240 bytes!
Tech Tip: How Much Memory Does Each BGP Route Consume?
Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in the BGP table and another 240 bytes in the IP routing table. Each BGP path takes about 110 bytes.
**************************************************************************
From: Question 35
Subject: How do I stop my router from looking for cisconet.cfg or
network-config?
Look up "service config" in the manual (available on www.cisco.com if
you do not have a local copy). Turn it off using the command "no service
config" in configuration mode.
**************************************************************************
From: Question 36
Subject: How do I setup DHCP service on my router?
Here is my 1601 performing as a DHCP server config... The static pool is how I use DHCP to assign the same IP to the same PC each time, essentially a static IP address assignment. The only other requirement would be that on the interface where DHCP requests will be received, if you have an inbound ACL, bootp must be permitted.
ip dhcp excluded-address 192.168.3.1 192.168.3.9
!
ip dhcp pool dhcp-pool
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
netbios-node-type b-node
dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
!
ip dhcp pool static-pool
host 192.168.3.2 255.255.255.0
client-identifier 0100.00c5.0cbd.7e
client-name main_pc
default-router 192.168.3.1
dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
**************************************************************************
From: Question 37
Subject: How do I configure transparent proxy redirecting on a CISCO router?
>Is it possible to configure transparent proxy redirecting on a CISCO router?
>I would like to redirect all www requests from specific IP addresses to
>other IP address and other port.
A route-map does the IP redirection nicely; I've used it for http and smtp. Not sure about switching ports simultaneously with the same route map, but you could fix this with 'ipfw' or similar on the host. Be sure you have 'ip route-cache policy' enabled to save CPU on the interface. WCCP is another option.
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5
**************************************************************************
From: Question 38
Subject: How do I use a route-map to limit redistribution in OSPF?
! /* match only 172.16.10.x and 172.16.11.0 subnets */
!
access-list 1 permit 172.16.10.0 0.0.1.255
!
!
! /* use access-list 1 to determine what gets matched */
!
route-map LoopbacksOnly permit 10
match ip address 1
!
!
! /* redistribute connected networks, any and all subnets, */
! /* and seed it as E2 type. Note that throughout your */
! /* OSPF domain, your loopbacks will have a metric of 20 */
! /* 20 is the default metric when you redistribute into */
! /* OSPF. Except for BGP routes which get a metric of 1. */
! /* Also use the route-map LoopbacksOnly to selectively */
! /* redistribute only the ones we want to redistribute. */
!
router ospf 200
redistribute connected subnets metric-type E2 route-map LoopbacksOnly
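Whether 0.0.1.255 really covers only the 172.16.10.0 and 172.16.11.0 subnets is a bit-level question. The following is an added example, not from the FAQ, that applies IOS wildcard-mask semantics and the access-list's implicit deny to a constructed set of connected addresses, reproducing what the route-map above lets through to redistribution; it goes slightly beyond the page by showing which neighbouring subnets are excluded.

```python
# Added example (not from the FAQ): evaluate the access-list behind the
# route-map the way IOS does, to see which connected routes get redistributed.
import ipaddress

# Constructed sample: the access-list from the route-map above ...
ACL_1 = [("permit", "172.16.10.0", "0.0.1.255")]
# ... and a made-up set of connected interface addresses on the router.
CONNECTED = ["172.16.10.1", "172.16.11.1", "172.16.12.1", "172.16.9.1", "10.1.1.1"]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: bits set to 1 in the wildcard are 'don't care';
    every other bit of addr must equal the corresponding bit of base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF & ~w
    return (a & care) == (b & care)


def acl_action(addr, acl):
    """First matching line wins; every access-list ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def redistributed(connected, acl):
    """Routes that 'route-map ... match ip address <acl>' lets through."""
    return [addr for addr in connected if acl_action(addr, acl) == "permit"]


if __name__ == "__main__":
    for addr in CONNECTED:
        print(f"{addr:14} -> {acl_action(addr, ACL_1)}")
    print("redistributed:", redistributed(CONNECTED, ACL_1))
```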
**************************************************************************
From: Question 39
Subject: How do I connect 675 DSL units back to back?
Well I found out that you can hook up other DSL boxes back to back... here is part of an email I found on it:
you need:
'dsl equipment-type CO' on one side and
'dsl equipment-type CPE' on the other
Here is a working example from the lab:
(The distance limitation should be the same
as the one found in the docs)
also, you can run 'debug dsl-phy', a new command, to look at the trainup.
(CO side, an 828)
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CO
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
pvc 1/33
encapsulation aal5snap
!
!
(CPE side, a SOHO78)
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
ip address 1.1.1.1 255.255.255.0
pvc 1/33
encapsulation aal5snap
!
**************************************************************************
From: Question 40
Subject: Why can't I upload an IOS image on to my flash on my 2500 router?
> i took one from another 2500, same label E28F008SA and unfortunately,
> same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
> 0x2101
The flash in your system is not recognized by the boot ROM. You can upgrade your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).
**************************************************************************
From: Question 41
Subject: How do I configure my router so it becomes a DHCP CLIENT?
If you have 12.1(2)T or better, and you need one of these platforms:
C800, C100x, C1400, C160x, C17x0, C25xx, C26xx, C36xx, C4x00, C64xx, C7x00, C8500, and C12000
UBR900, UBR7200
MC3810
The interface command is "ip address dhcp".
**************************************************************************
From: Question 42
Subject: How do you setup a simple Priority Queuing?
I would take a look at priority queuing, see the link below:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt2/qcdpq.htm
A simple config for your case would be:
priority-list 1 protocol ip high tcp telnet
priority-list 1 default medium
interface Ethernet1
ip address 10.1.1.1 255.0.0.0
no ip directed-broadcast
priority-group 1
**************************************************************************
From: Question 43
Subject: What are the pros and cons of using two ISP/BGP providers?
>Why would you use BGP with 2 Internet T1 vs using equal cost
>static routing? What's the pros and cons? Thank you.
The answer in a nutshell is: It depends.
If each T1 goes to a different ISP, then you must use BGP to have the same public address regardless of route taken.
If each T1 goes to the same ISP and load sharing and ease of setup/management is more important than availability, then go with static routes.
If the T1 links do not support end-to-end keepalives, go with BGP to avoid black holes.
If the T1 links go to different POPs of the same ISP, use BGP and indicator routes to detect ISP segmentation.
If the T1 links go to geographically diverse POPs, then BGP with full or local routes may improve routing efficiency.
For more detail, see the blurb at http://www.oreillynet.com/pub/a/network/2001/05/11/multihoming.html (for those reading this out of the archives at a future date, a more detailed version of this paper will be appearing as a White Paper on my web site, but it will not be there until late Summer). Chapter 8 of my book walks you through all the alternatives from two T1s between a single router at your site and a single router at the ISP, to two T1's between separate routers at your site to two different ISPs. For how to get the most out of BGP, including load sharing and efficiency considerations (my book only considers availability), read Halabi's book.
If none of the above makes sense to you, hire a competent consultant to walk you through the alternatives and their tradeoffs.
***** The O'Reilly article follows: *****
by Vincent Jones 05/11/2001
Many organizations depend upon Internet connectivity to support critical applications. One popular approach for improving Internet connectivity is to connect to more than one Internet service provider (ISP), a technique called multi-homing.
Multi-homing can be very effective for ensuring continuous connectivity -- eliminating the ISP as a single point of failure -- and it can be cost effective as well. However, your multi-homing strategy must be carefully planned to ensure that you actually improve connectivity for your company, not degrade it.
THE CONCEPT OF PHYSICAL DIVERSITY
First, I want to discuss the network components that can affect overall connectivity. Because most network failures are due to problems in the WAN links, it does little good to connect to a second ISP if both ISP links are carried over the same communications circuit. Even if independent circuits are used -- if they are not physically diverse they will still be subject to common failure events such as construction work inside your building or digging in the street outside.
Providing complete physical diversity can be difficult and expensive, but the requirement is not limited to ISP connections. All critical network links for internal communications should also be diversified. Assuming an otherwise well-designed internal network, the easiest way to achieve physical diversity in your ISP connections is to connect from two different locations that are already well-connected to each other. But they must be far enough apart that they don't share any common communications facilities to either ISP.
REDIRECTING TRAFFIC USING THE BORDER GATEWAY PROTOCOL
Once physical connectivity is in place, you need to make it useful. Taking advantage of redundant links requires two conditions to always be present. First, you must be able to detect when a link has failed. Second, you must have a mechanism for redirecting traffic that would normally flow across a failed link to take a different path that is still functional. In a multi-homing environment, both tasks are normally achieved by running Border Gateway Protocol (BGP) between your routers and those of the ISPs.
BGP is often assumed to mean complex configurations on expensive, high-end routers to handle the huge routing tables required to fully describe the Internet. However, depending upon the specific application requirements and the degree of load-balancing you want across all available links, it may be practical to implement multi-homing using the smallest routers you have available that are capable of handling the traffic load.
In other words, implementing multi-homing doesn't have to be an all-or-nothing choice. There are choices you can make along the way based upon the equipment you have available and the level of connectivity you need to provide.
DETERMINING LEVEL OF CONNECTIVITY REQUIRED
At one extreme, when your goal is simply to provide internal users with access to the Internet, you don't need to run BGP at all. As long as the link layer protocol supports the exchange of keep-alive messages from router to router, link failure will be detected by the link layer protocol. Floating static routes can then reliably direct all outbound traffic to a working ISP link.
Network Address Translation (NAT) is then used to send outboundpackets with a
source IP address associated by the ISP with that outbound link. Returntraffic
will automatically come back via the same working link because that linkis the
only link servicing that address range.
Of course this approach will not work if you are providing services to theoutside world, as the addresses associated with the failed link willdisappear. Similarly, connections that were established over the link thatfailed will need to be reconnected. However, for many applications thisimpact is minor.
For example, a typical web surfer would merely need to hit the "page refresh" button. This approach is also sufficient to provide high-availability virtual private networks (VPN) across the Internet if you use a routing protocol such as OSPF to detect and route around failed IPSec tunnels.
The other extreme would be when you need to support a common IP address range using both ISPs. Then you need to run BGP. This will normally be the case any time your applications include providing services to Internet users, such as access to a common database. You will need to arrange for both ISPs to accept your BGP advertisements of your IP address prefixes. Then your ISPs need to advertise those address prefixes to the rest of the Internet.
Getting your address prefixes advertised is usually not a problem. You do, however, have to use care in your configuration to ensure that you do not inadvertently advertise any other address prefixes. In particular, you must ensure that you do not advertise yourself as a path between the two ISPs. This could cause your links to be consumed by transit traffic of no interest to you. More challenging is setting up your advertisements so that incoming traffic is reasonably balanced between the ISP links. Achieving that can be difficult at best, and nearly impossible at worst.
CHOOSE THE RIGHT ROUTE FOR YOU
The final decision is determining which routes to accept from each ISP. This can range from merely accepting a default route (used to detect if the link is up or down) to accepting all routes (so-called "running defaultless"). The former is usually insufficient, because it does not protect you from an ISP which has an internal failure cutting them off from the rest of the Internet. The latter requires using "carrier-class" routers with lots of memory installed (and therefore more expensive). Fortunately, there are some "in-between" choices.
Rather than using a simple default route, you can use a conditional default route to protect against ISP failure behind the ISP's router that serves you. A conditional default route is a default route that is defined by a router only if a specific address is already in that router's routing table. Each ISP is only used for a default route if it is advertising one or more routes that indicate it is receiving advertisements from the rest of the Internet. That way, you will always use a default route which promises to be useful.
Another option is to have the ISP send you just its local routes. That way, you can optimize your outbound routing to avoid sending packets that could be locally delivered to the wrong ISP, adding to delivery delays. Care must be taken when using this option, however, because some ISPs have so many local routes that there is no cost benefit in the size of the routers required to handle them compared to running defaultless.
Options can also be combined. In many cases, taking local routes and a conditional default route will provide all the availability benefits of running defaultless, while still allowing the use of low-cost routers. As is always the case in networking, a good understanding of the requirements and the available capabilities is essential to maximizing cost-effectiveness.
**************************************************************************
From: Question 44
Subject: What kind of memory can I use to upgrade my 2500 series router?
The RAM is standard 72-pin parity 70ns FPM w/ tin leads, while the flash is the generic Cisco flash. If you have older boot ROMs, you'll want to make sure you get Intel chips or the ROMs won't recognize them. Or you could upgrade the ROMs - Cisco part number BOOT-2500=, allegedly free.
> Any suggestions for a decent memory supplier for this?
I used to use Kingston when I had 25xx's. But MemoryX seems to be less expensive these days: (http://www.memoryx.net/routers.html)
**************************************************************************
From: Question 45
Subject: Where can I get mzmaker to compress my IOS?
http://www.mcseco-op.com/mzmaker.htm
**************************************************************************
From: Question 46
Subject: What is the meaning of in/out in reference to an access-list?
> Can anyone point me to a good description of the difference between "in"
> and "out" in applying an access list to an interface? Even the good
> books seem to only devote a sentence to the difference between them.
The simplest explanation I've seen is: Crawl into your router and look towards the interface. If the packets are going away from you they're outbound. If they're hitting you in the forehead they're inbound.
**************************************************************************
From: Question 47
Subject: How do I remove the /32 - host - route when a PPP link comes up?
To get rid of this host route, try the following command on both ends of the link:
no peer neighbor-route
**************************************************************************
From: Question 48
Subject: How do I forward DHCP broadcasts to my DHCP server?
> We are a Canadian company with an American office. We have a Cisco router
> at each office connected via a T1 line. We have a DHCP server at our
> Canadian office, and we would like it to also delegate IPs to our American
> office. Is this possible? If so, what must be done?
You have some choices.
1) Run DHCP on the remote router. This will prevent the dhcp requests from coming across the WAN. The downside is that only certain IOSes support running dhcp and it is a bit more work for the router.
2) You can enable bootp forwarding or dhcp relaying. This can be accomplished by using the "ip helper-address DHCP_SERVER_IP_HERE" interface command. But using helper-address turns on a lot of unnecessary UDP forwarding, so you need to lock it down first.
So:
conf t
no ip forward-protocol udp tftp
no ip forward-protocol udp dns
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
!
interface ethernet0/0
ip helper-address YOUR_REMOTE_DHCP_SERVER_IP_HERE
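Because the helper forwards several UDP services by default, it is worth auditing existing configurations for helpers that were never locked down. The following is an added example, not from the FAQ and not Cisco code: a Python audit that reads an IOS configuration, tracks the global ip forward-protocol state, finds interfaces with ip helper-address, and generates the missing "no ip forward-protocol udp" lines. DEFAULT_FORWARDED is my reading of the Cisco documentation for the default relay set (an assumption to confirm for your IOS release); both sample configurations are constructed.

```python
# Added example (not from the FAQ): an audit of an IOS configuration for the
# problem the answer above warns about. `ip helper-address` relays a whole set
# of UDP services by default, not only DHCP, so a helper that is not locked
# down also forwards TFTP, DNS, NetBIOS and TACACS broadcasts to the server.
# DEFAULT_FORWARDED is my reading of the Cisco documentation (an assumption;
# confirm it for your IOS release). The sample configs are constructed.
import re

DEFAULT_FORWARDED = {"tftp", "dns", "time", "netbios-ns", "netbios-dgm",
                     "bootps", "bootpc", "tacacs"}
DHCP_ONLY = {"bootps", "bootpc"}          # what a DHCP relay actually needs

# Constructed: the lockdown from the answer above, helper on one interface.
LOCKED_DOWN = """\
no ip forward-protocol udp tftp
no ip forward-protocol udp dns
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
!
interface ethernet0/0
 ip address 10.2.0.1 255.255.255.0
 ip helper-address 10.1.0.5
!
"""

# Constructed: the same relay with no lockdown at all.
OPEN = """\
interface ethernet0/0
 ip address 10.2.0.1 255.255.255.0
 ip helper-address 10.1.0.5
!
"""

FWD_RE = re.compile(r"^(no )?ip forward-protocol udp (\S+)$")
HELPER_RE = re.compile(r"^ip helper-address (\S+)$")


def audit_helper_config(config):
    """Return which UDP services the helper would still relay, and on which
    interfaces helpers are configured."""
    forwarded = set(DEFAULT_FORWARDED)
    helpers = {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            iface = None               # '!' closes the interface section
            continue
        m = FWD_RE.match(line)
        if m:                          # global command, "no" or positive form
            if m.group(1):
                forwarded.discard(m.group(2))
            else:
                forwarded.add(m.group(2))
            continue
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        m = HELPER_RE.match(line)
        if m and iface:
            helpers.setdefault(iface, []).append(m.group(1))
    extra = sorted(forwarded - DHCP_ONLY)
    return {
        "helpers": helpers,
        "forwarded": sorted(forwarded),
        "needs_lockdown": bool(helpers) and bool(extra),
        "extra_services": extra,
    }


def lockdown_commands(config):
    """Generate the global commands that would restrict the relay to DHCP."""
    return [f"no ip forward-protocol udp {svc}"
            for svc in audit_helper_config(config)["extra_services"]]


if __name__ == "__main__":
    for name, cfg in (("open", OPEN), ("locked down", LOCKED_DOWN)):
        r = audit_helper_config(cfg)
        print(f"{name}: helpers={r['helpers']} still relayed={r['forwarded']}")
        for cmd in lockdown_commands(cfg):
            print("   ", cmd)
```

Run against the open configuration it reports six services still relayed besides bootp and prints the six "no ip forward-protocol udp ..." lines; against the locked-down one it reports only bootps/bootpc and nothing to do.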
**************************************************************************
From: Question 49
Subject: How do I send L2 traffic through a tunnel?
> Thanks for answering my post, the current problem I have is I need to send
> Layer2 type traffic through a tunnel ... is this possible ?
Sure. See...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c/icdlogin.htm#xtocid292793
> I enabled bridging on both routers and created a bridge group and that
> seems to work fine I can see my netbeui traffic passing ....
> The problem is I have to be able to encapsulate netbeui or any other Layer2
> type protocol and encapsulate within an IP packet.
The usual way to do this is using a GRE tunnel between two routers, and configuring an additional loopback interface on each router as the source interface for the tunnel traffic, as below. Here, each router has a bridge group defined which allows certain traffic only as stated in the 200-series ACL onto the loopback interface. In this case it's LAT only - you will need to check the LSAP protocol number(s) for netbios/netbeui as I can't remember these off-hand. Once the traffic is forwarded from the LAN interface onto the loopback, it is encapsulated into IP GRE and forwarded to the far router.
                ------------------------------
               /                              \
        Tunnel0|                              |Tunnel0
               |                              |
LAN--------Router A-------WAN Cloud-------Router B--------LAN
    Eth0            Ser0            Ser0            Eth0
Router A
--------
int e0
ip address 192.168.100.254 255.255.255.0
bridge-group 1
int loop0
no ip address
bridge-group 1
bridge-group 1 output-type-list 200
int tunnel 0
tunnel source interface loopback0
tunnel destination 192.168.200.254
access-list 200 permit 0x6000 0x600f
Router B
--------
int e0
ip address 192.168.200.254 255.255.255.0
bridge-group 1
int loop0
no ip address
bridge-group 1
bridge-group 1 output-type-list 200
int tunnel0
tunnel source interface loopback0
tunnel destination 192.168.100.254
access-list 200 permit 0x6000 0x600f
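What "access-list 200 permit 0x6000 0x600f" lets onto the loopback is worth checking before relying on it, because the wild-mask works like an IP wildcard: every 1 bit is "don't care". The following is an added example, not from the FAQ and not Cisco code: a Python evaluator for type-code lists that enumerates the permitted codes and tests a few well-known Ethertypes against the list above. With the two high bits (0x6000) wildcarded, the list permits not only 0x6000 to 0x600F (LAT is 0x6004) but also 0x0000 to 0x000F, 0x2000 to 0x200F and 0x4000 to 0x400F. NetBEUI rides 802.2 LLC with SAP 0xF0 rather than an Ethertype, so an Ethertype list will not match it; IOS keeps a separate output-lsap-list for LLC SAPs. The sample frames are constructed.

```python
# Added example (not from the FAQ): what the 200-series access list in the
# answer above actually lets onto the loopback. A type-code entry is
# "permit <value> <wild-mask>"; as with IP wildcard masks, a 1 bit in the mask
# means "don't care", and the first matching entry wins, with an implicit deny.
# The ACL is the one from the answer; the frames in describe() are constructed.

ACL_200 = [("permit", 0x6000, 0x600F)]

# Ethertypes used for the sample frames (well-known values, not from the FAQ).
LAT, MOP_DL, IP, ARP = 0x6004, 0x6001, 0x0800, 0x0806
# NetBIOS runs over 802.2 LLC with DSAP/SSAP 0xF0, so as a code pair it would be:
NETBIOS_LSAP_PAIR = 0xF0F0


def type_code_matches(code, entries=ACL_200):
    """Evaluate a type-code access list against one 16-bit type/LSAP value."""
    for action, value, wild in entries:
        care = ~wild & 0xFFFF                  # bits the entry actually tests
        if (code & care) == (value & care):
            return action == "permit"
    return False                               # implicit deny


def permitted_codes(entries=ACL_200):
    """Enumerate every 16-bit value the list permits; handy for reviewing a
    wildcard before trusting it."""
    return [c for c in range(0x10000) if type_code_matches(c, entries)]


def describe(entries=ACL_200):
    """Verdict of the list for a handful of constructed sample frames."""
    return {name: type_code_matches(code, entries)
            for name, code in (("LAT", LAT), ("MOP", MOP_DL), ("IP", IP),
                               ("ARP", ARP), ("NetBIOS LSAP pair", NETBIOS_LSAP_PAIR))}


if __name__ == "__main__":
    codes = permitted_codes()
    print(f"{len(codes)} codes permitted, e.g. "
          + ", ".join(f"0x{c:04X}" for c in codes[:4]) + " ...")
    for name, ok in describe().items():
        print(f"  {name:18s} {'permit' if ok else 'deny'}")
```

An exact match for a single Ethertype is an entry with wild-mask 0x0000; enumerating the permitted codes, as permitted_codes() does, is the quickest way to see how much a loose mask really opens.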
**************************************************************************
From: Question 50
Subject: Why is measuring collisions a meaningless endeavour?
> A more useful calculation would be to multiply collisions by
> 704 and then divide that by 10000000 * t, to show the total overhead
> percentage used by collision detection. 704 is the number of
> bit-times consumed by a collision - 96 bittimes of interframe gap,
> 512 bits of collision, an additional 96 bittimes of interframe gap,
> next packet is ready to transmit.
First of all, you shouldn't count the interframe gap twice. The collision event uses an interframe gap, but the next one actually belongs to the next frame; it would be there whether or not a collision occurred.
More important, 511 bit times is the MAXIMUM time consumed by a collision in the absolute worst-case. This requires a network with maximum extent--longest possible cables, maximum repeaters, etc.--and devices with absolute worst-case timing parameters. In most small networks (e.g., a single 10BASE-T hub), nearly all collisions occur during the preamble, and the time consumed by the collision is just 96+64+32=192 bit-times (IFG+Preamble+Jam).
Unless you know the precise instant in which each collision occurs, youcannot calculate the bandwidth "lost" to collisions.
(By the way, the maximum collision fragment is 511 bits, not 512--at 512 bits, it becomes a valid frame.)
In addition, while some Ethernet controllers do return a collision count as part of the transmit status for each frame, many do not provide the SNMP/RMON driver with the exact number of collisions. Instead, the status indicates one of:
* OK (no deferral required, no collisions encountered)
* Deferred (deferral required, but no collisions encountered)
* 1 collision (one collision encountered, with or without deferral)
* >1 collision (more than one collision encountered, with or without deferral)
* Excessive collisions (16 collisions encountered)
* Late collision (collision encountered after 511 bits transmitted)
With this type of controller, you cannot distinguish a frame that encountered two collisions from one that encountered fifteen, so it is hard to estimate the bandwidth "lost" due to collisions.
Finally, I will reiterate my position that collision rates are a virtually useless metric for determining network performance. (See my earlier post on this subject.)
Seifert's Law of Networking #21: Measurements of unimportant parameters are meaningless.
-- Note added by Hansang Bae --
In the WORST case scenario (i.e. the stations are at the maximum distance apart) a collision will take up to 84 byte-times to resolve itself. 64 bytes (minimum Ethernet size+FCS), 8 bytes for the preamble, and 12 bytes for the IFG.
84 bytes is 672 bits. It takes .1 microsecond to transmit one bit (10Mb/s = 10,000,000 bits/sec = 10,000 bits/millisecond = 10 bits/microsecond = 1 bit/0.1 microsecond). So the total time spent on one collision event is 67.2 microseconds (672 bits * .1 microsecond). Now consider getting 100 collisions per second. So 100 X 67.2 microseconds is 6,720 microseconds or 6.72 milliseconds. 6.72ms/1sec comes out to .672% (6.72ms/1sec = .00672, in percentage, that's .672%). That means that 99.328% of the channel is still available for data.
Here's another way to look at it. For every successful transmission, therewas an equal number of collisions. This is 1:1 ratio or 100% collision rate.
Or equivalently, 50% of the frames that go out the NIC are collisions.
Assume that we are talking about an FTP transfer. Typically, FTP will use the 1518 max size and there will be an ACK (Acknowledgement) for every two packets. So you would see two 1518 frames and one ACK for both. So in a collision free world, we would see 2 frames of 1518 bytes and one ACK of 64 bytes. Throw in the preamble/SFD and the IFG to the mix and you get 2*(1518 + 8 Preamble + 12 IFG) + 1*(64) = 3,140 bytes.
Now if we have 3 collisions (one collision for each successful frame) then you have to add another 3*84 (three frames taking up 84 byte times - see #5 above). This comes out to 3,144 + (3*84) = 3,396. So the ratio is 3,140/3,396 = .9246 or 92.46%.
That means even with 100% collision rate, we only lose about 7.53% of the bandwidth. Hardly anything to worry about! In the real world, you can expect 33% collision rate for an FTP session. Also for smaller size frames, the % of wasted bandwidth would be much greater. But then again, only large transfers tax Ethernet networks.
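The arithmetic in this thread, carried through for each assumed collision duration, is the clearest way to see why the count alone says little: the same 100 collisions per second cost 0.192%, 0.672% or 0.704% of the channel depending on which duration you assume, and none of them is known per collision. The following is an added example, not part of the posts above: Python functions for the per-second overhead under each quoted assumption and for Hansang Bae's FTP model (two full frames plus one ACK, preamble and IFG charged to the data frames as in the note). Only figures quoted in the thread are used as inputs; the functions return the ratios they compute from them.

```python
# Added example (not from the FAQ): the arithmetic of the thread above, carried
# through for several assumed collision durations. The point of the thread is
# that the duration is not known per collision, so the same collision count
# gives a different "lost bandwidth" figure depending on the assumption.
# All inputs are the figures quoted in the posts; nothing here is measured.

BIT_TIME_US = 0.1       # 10 Mb/s Ethernet: one bit time is 0.1 microsecond

# Bit-times charged to one collision under each assumption quoted above.
ASSUMED_COLLISION_BITS = {
    "preamble collision on a small hub (IFG+preamble+jam)": 96 + 64 + 32,   # 192
    "worst case, maximum extent (Bae: 84 byte-times)": 84 * 8,             # 672
    "original poster (IFG counted twice)": 704,
}


def collision_overhead_pct(collisions_per_second, bits_per_collision,
                           bit_time_us=BIT_TIME_US):
    """Share of one second the medium spends on collisions, in percent."""
    busy_us = collisions_per_second * bits_per_collision * bit_time_us
    return busy_us / 1_000_000 * 100


def overhead_table(collisions_per_second):
    """Same collision rate, one figure per assumption."""
    return {name: round(collision_overhead_pct(collisions_per_second, bits), 4)
            for name, bits in ASSUMED_COLLISION_BITS.items()}


def ftp_efficiency(data_bytes=1518, ack_bytes=64, frames_per_ack=2,
                   collision_byte_times=84, collision_rate=1.0):
    """Hansang Bae's FTP model: two full-size frames plus one ACK per cycle,
    preamble and IFG charged to the data frames as in the note, and one
    collision of `collision_byte_times` per frame at collision_rate=1.0.
    Returns useful/(useful + wasted), i.e. the fraction of the channel left."""
    preamble, ifg = 8, 12
    useful = frames_per_ack * (data_bytes + preamble + ifg) + ack_bytes
    frames = frames_per_ack + 1
    wasted = frames * collision_rate * collision_byte_times
    return useful / (useful + wasted)


if __name__ == "__main__":
    for name, pct in overhead_table(100).items():
        print(f"100 collisions/s, {name}: {pct}% of the channel")
    for size in (1518, 512, 64):
        print(f"FTP with {size}-byte frames, 100% collision rate: "
              f"{ftp_efficiency(data_bytes=size):.2%} of the channel left")
```

Running ftp_efficiency with 64-byte frames instead of 1518 shows the small-frame effect the note mentions: with the same one-collision-per-frame assumption, less than half the channel is left, against over 92% for full-size frames.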
**************************************************************************
From: Question 51
Subject: How do I stop password-recovery on my routers?
"Password-recovery" might not be the best description. The feature locks out all access to the ROMMON.
You can do this on a 2600/3600 with the global configuration command"no service password-recovery".
The feature is indeed tied to the ROMMON. You must have a minimum ROMMON version 11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T.
All ROMMON versions on the 2600 support this feature.
**************************************************************************
From: Question 52
Subject: How can I prevent a SYN-Flood attack using CAR?
We are talking about all different kinds of floods (ICMP, SYN, UDP, etc.) throughout this post. Actually he did say that Sprint can filter on their end. I included in a different post the link to configure CAR to limit SYN attacks using web traffic as an example. Your solution looks like it would work too, as there are multiple ways to configure traffic shaping.
Configure rate limiting for SYN packets. Refer to the following example:
interface {int}
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
access-list 152 permit tcp any host eq www
access-list 153 permit tcp any host eq www established
In the above example, replace:
45000000 with the maximum link bandwidth
1000000 with a value that is between 50% and 30% of the SYN flood rate
burst normal and burst max rates with accurate values
Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.
WARNING: It is recommended that you first measure the amount of SYN packets during normal state (before attacks occur) and use those values to limit. Review the numbers carefully before deploying this measure.
If a SYN attack is aimed against a particular host, consider installing an IP filtering package on that host. One such package is IP Filter. This can be found on http://coombs.anu.edu.au/ipfilter/ Refer to IP Filter Examples for implementation details.
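How the two rate-limit statements above split traffic, and why the WARNING asks for a baseline first, is easier to see on a simulated trace than on a live interface. The following is an added example, not from the FAQ and not Cisco code: a Python model of the two CAR statements as token buckets (rate in bps, normal burst in bytes), with access-list 153 (established: ACK or RST set) evaluated before 152 (bare SYNs to the web server). CAR's extended-burst behaviour is left out, which is an assumption that makes this slightly stricter than IOS. The packet trace is constructed: a steady established flow plus a burst of bare SYNs well above the 1 Mb/s limit.

```python
# Added example (not from the FAQ): a simulation of the two CAR statements in
# the answer above, so the conform/exceed behaviour can be seen before
# touching a router. CAR is modelled as a plain token bucket (rate, normal
# burst); the extended-burst machinery of real CAR is left out, which is an
# assumption and makes this slightly stricter than IOS. The packet trace is
# constructed: a steady established flow plus a burst of bare SYNs.
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_bps: int
    burst_bytes: int
    tokens: float = field(init=False, default=0.0)
    last_us: int = 0
    conformed: int = 0
    exceeded: int = 0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def offer(self, t_us, size):
        """Refill for the elapsed time, then either spend tokens (conform,
        transmit) or refuse the packet (exceed, drop)."""
        refill = self.rate_bps / 8 * (t_us - self.last_us) / 1_000_000
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_us = t_us
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            return "transmit"
        self.exceeded += 1
        return "drop"


def classify(flags):
    """Mirror the two access lists: 153 (established) matches ACK or RST;
    everything else to the web server, i.e. the bare SYNs, falls to 152."""
    return "established" if ("A" in flags or "R" in flags) else "syn"


def build_trace(syn_count=5000, syn_gap_us=20, est_count=100, est_gap_us=1000):
    """Constructed trace of (time_us, flags, bytes): 60-byte SYNs every 20 us
    (24 Mb/s) and 1500-byte established segments every 1 ms (12 Mb/s)."""
    trace = [(i * syn_gap_us, "S", 60) for i in range(syn_count)]
    trace += [(500 + i * est_gap_us, "PA", 1500) for i in range(est_count)]
    return sorted(trace)


def simulate(trace, syn_limit=(1_000_000, 100_000), est_limit=(45_000_000, 100_000)):
    """Apply the rate-limits from the answer (bps, normal burst bytes) and
    return per-class counters, as `show interfaces rate-limit` would report."""
    buckets = {"syn": TokenBucket(*syn_limit), "established": TokenBucket(*est_limit)}
    for t_us, flags, size in trace:
        buckets[classify(flags)].offer(t_us, size)
    return {cls: {"conformed": b.conformed, "exceeded": b.exceeded}
            for cls, b in buckets.items()}


def observed_rate_bps(trace, cls, window_us):
    """The baseline measurement the WARNING asks for: bits per second of one
    class over the window, so the limit can be set above normal SYN load."""
    total = sum(size for t, flags, size in trace
                if t < window_us and classify(flags) == cls)
    return total * 8 * 1_000_000 // window_us


if __name__ == "__main__":
    trace = build_trace()
    print("SYN rate in the trace:", observed_rate_bps(trace, "syn", 100_000), "bps")
    for cls, counters in simulate(trace).items():
        print(f"{cls:12s} conformed={counters['conformed']} exceeded={counters['exceeded']}")
```

The established flow never exceeds, while the SYN burst drains its 100000-byte normal burst and is then admitted at roughly the configured 1 Mb/s; raising syn_limit to the link rate admits every SYN, which is the "as little as necessary" knob the answer describes. Measuring observed_rate_bps on a normal-day trace before choosing that number is the step the WARNING insists on.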
**************************************************************************
From: Question 53
Subject: How do I setup a Multilink PPP?
You have to create a virtual-template interface with IP address information and PPP, then create a virtual-access interface with that address.
!
multilink virtual-template 1
!
interface Virtual-Template1
ip unnumbered Loopback0 or ip address
no ip mroute-cache
ppp multilink
!
interface Serial0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
!
interface Serial1
no ip address
encapsulation ppp
no fair-queue
ppp multilink
**************************************************************************
From: Question 54
Subject: How do I setup ppp callback with dialer-pool?
This is real hard stuff. To do ppp callback with dialer-pool, there are some commands missing in your config; look at my example.... (also see: www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.htm)
!
username router1 callback-dialstring 749410 password 0 ect
!
interface BRI0/0
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface BRI0/1
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface Dialer1
ip unnumbered FastEthernet0/0
no ip directed-broadcast
encapsulation ppp
dialer remote-name router1
dialer pool 1
dialer enable-timeout 2