- Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!nycmny1-snh1.gtei.net!news.gtei.net!panix!news.panix.com!panix5.panix.com!not-for-mail
- From: jhawk@panix.com (John Hawkinson)
- Newsgroups: comp.dcom.sys.cisco,comp.protocols.tcp-ip,comp.dcom.servers,comp.answers,news.answers
- Subject: comp.dcom.sys.cisco Frequently Asked Questions (FAQ)
- Supersedes: <cisco_985853281@panix.com>
- Followup-To: comp.dcom.sys.cisco
- Date: 13 Apr 2001 03:08:01 -0400
- Organization: PANIX Public Access Internet and UNIX, NYC
- Lines: 1956
- Approved: news-answers-request@MIT.EDU
- Expires: 11 May 2001 07:08:01 GMT
- Message-ID: <cisco_987145681@panix.com>
- Reply-To: cisco-faq@panix.com (comp.dcom.sys.cisco FAQ responses)
- NNTP-Posting-Host: panix5.panix.com
- X-Trace: news.panix.com 987145642 15259 166.84.0.230 (13 Apr 2001 07:07:22 GMT)
- X-Complaints-To: abuse@panix.com
- NNTP-Posting-Date: 13 Apr 2001 07:07:22 GMT
- Summary: This FAQ consists of frequently asked questions about
- routers manufactured by cisco Systems, Inc. Additionally, it provides
- additional information on IP routing that may be useful in non-Cisco
- environments.
- Xref: senator-bedfellow.mit.edu comp.dcom.sys.cisco:188289 comp.protocols.tcp-ip:94633 comp.dcom.servers:7715 comp.answers:45001 news.answers:205247
-
- Archive-name: cisco-networking-faq
- Last-modified: $Date: 1996/04/28 05:55:19 $
- Version: $Revision: 1.10 $
-
- This FAQ is edited by John Hawkinson, <jhawk@panix.com>.
-
- Administrivia:
-
- Please contribute answers to the questions in the Todo section! If
- your answer is somewhat complicated, posting would probably be best
- (to comp.dcom.sys.cisco). Otherwise, e-mail it to cisco-faq@panix.com.
- Please note that a LOT of these questions have been hanging around for
- some time, and if knowledgeable people could take the time to answer a
- few of them, that'd help.
-
- This draft FAQ is in RFC1153 digest format, so you can follow each
- question with your newsreader. I suppose that question-numbers should
- be moved to the From: field. Note that Date: fields represent
- last-modification times for the questions.
-
- Since this FAQ was first developed, cisco has written up a lot of
- useful information on their web site, http://www.cisco.com. If you
- can't find what you're looking for here, please check there, too.
-
- Table of Contents
- =================
-
- 1. How can I contact cisco?
- 2. What is this newsgroup?
- 3. What does ``cisco'' stand for?
- 4. How do I save the configuration of a cisco?
- 5. Where can I get ancillary software for my cisco?
- 6. Is there a World-Wide-Web (www) information source?
- 7. How can I get my cisco to talk to a third party router over a serial link?
- 8. How can I get my cisco to talk to a 3rd-party router over Frame Relay?
- 9. How can I use debugging?
- 10. How can I use NTP (Network Time Protocol) with my cisco?
- 11. Sample cisco NTP Configurations
- 12. How do I avoid the annoying DNS lookup if I have misspelled a command?
- 13. Tracing bad routing information
- 14. How to use access lists
- 15. The cisco boot process
- 16. Where can I get cisco hardware?
- 17. Where can I get IETF documents (RFCs, STDs, etc.)?
- 18. Future features in cisco software
- 19. How do cisco routers rate performance-wise?
- 20. How are packets switched?
- 21. How does one interpret buffer statistics?
- 22. How should I restrict access to my router?
- 23. What can I do about source routing?
- 24. Is there a block of private IP addresses I can use?
- 25. Is DHCP supported?
- 26. Where can I get cisco documentation?
- 27. What's the latest software for the CSC/3?
- 28. What IP routing protocol should I use?
- 29. How do I interpret the output of ``show version''?
- 30. What is the maximum number of Frame Relay PVCs?
- 31. How much memory is necessary to telnet to a cisco router?
- 32. Where can I purchase flash RAM?
- 33. When are static routes redistributed?
- 34. When is the next hop of a route considered ``reachable''?
- 35. How do name and phone number of ``dialer map'' interfere?
- 36. What's the purpose of the network command?
- 37. What is VLSM?
- 38. What are some methods for conserving IP addresses for serial lines?
- 39. Why do some ip addresses get rejected?
- 40. How do 4xxx serial numbers correspond to models?
- 41. Where can I find more info on TACACS+
- 99. Acknowledgements.
-
- todo:
- =====
-
- * What is SNMP and how can I use it? What software is available and how do
- I use cisco enterprise MIBs? MIBs on ftpeng.cisco.com and CIO.cisco.com
- * Pointers to other net resources, like comp.protocols.tcp-ip, RFCs,
- the firewalls mailing list, etc (bgpd?[or is it cidrd now? :-)]).
- * Hints about confusing and not-well documented things like xtacacs...
- * Comments on interoperability issues WRT other vendors.
- * What's SMARTnet, why should I subscribe, how much does it cost,
- and what do I get?
- * What should I name my router, my interfaces, etc.?
- * Should we adjust the buffer parameters on the routers? What should
- be the indicator before tuning the buffer parameters? How should
- one fine-tune the buffer parameters?
- * What is CIDR and why do I care (or a more general acronym decoder) ?
- * How do I configure my cisco to use variable-length subnetting ?
- * Is there a block of private network numbers I can use
- within my organization only? When should I use them?
- How do I access them from outside?
- * What do I do if I have to partition a network number?
- * Questions and answers about access lists
- access-list reference list (lots of questions on that)
- * I forgot to mention that routing DECnet over X.25 is a problem.
- * Where PD network applications for SLIP/PPP are.
- * What is HSRP and how does it work? When is it available (10.0)
- (Hot Standby Routing Protocol)
- * Should I run 10.0, 10.2, 10.3, 11.1, or what?
- * What's the difference between IBGP and EBGP? Why should I run BGP?
-
- Actual content.
- ===============
-
- ------------------------------
-
- From: Question 1
- Date: 31 October 1994
- Subject: How can I contact cisco?
-
- Corporate address:
-
- cisco Systems
- 170 West Tasman Drive
- San Jose, CA 95134
-
- The following phone numbers are available:
-
- Technical Assistance Center (TAC) +1 800 553 2447
- (553 24HR)
- +1 800 553 6387
- +1 408 526 8209
- Customer Service (Documentation, Warranty & +1 800 553 6387
- Contract Services, Order Status
- Engineering +1 800 553 2447
- (553 24HR)
- On-site Services, Time & Materials Service +1 800 829 2447
- (829 24HR)
- Corporate number / general +1 408 526 4000
- Corporate FAX (NOT tech support) +1 408 526 4100
-
- The above 800 numbers are US/Canada only.
-
- cisco can also be contacted via e-mail:
-
- tac@cisco.com Technical Assistance Center
- tac-euro@cisco.com European TAC
- cs-rep@cisco.com Literature and administrative (?) requests
- cs@cisco.com *UNRELIABLE*, special-interest, ``non-support''
-
- Please follow the directions available on CIO before doing this.
- cisco provides an on-line service for information about their routers
- and other products, called CIO (cisco Information Online). telnet to
- cio.cisco.com for more details.
-
- The collective experience of this FAQ indicates that it is far wiser to
- open a case using e-mail than FAXes, which may be mislaid, shredded,
- etc.
-
- For those of you still in the paperfull office (unlike the rest of us),
- cisco Systems' new corporate address is:
-
- 170 West Tasman Drive
- San Jose, CA 95134
-
- Mail to tac@cisco.com should include your service contract number, your name,
- telephone number, a brief one line problem/question description, and a
- case priority in the first 5 lines. For example:
-
- Cisco service contract number 92snt1234a
- First and last name Jane Doe
- Best number to contact you 415-555-1234
- Problem/question description Cannot see Appletalk zones
- Case Priority 3
-
- CASE PRIORITIES are defined as one of the following:
-
- Pri 1 Production network down, critical business impact
- Pri 2 Production net seriously degraded, serious impact
- Pri 3 Network degraded, noticeable impact to business
- Pri 4 General information, non production problems
-
- ------------------------------
-
- From: Question 2
- Date: 26 July 1994
- Subject: What is this newsgroup?
-
- comp.dcom.sys.cisco, which is gatewayed to the mailing list
- cisco@spot.colorado.edu, is a newsgroup for discussion of cisco
- hardware, software, and related issues. Remember that you can also
- consult with cisco technical support.
-
- This newsgroup is not an official cisco support channel, and should
- not be relied upon for answers, particularly answers from cisco
- Systems employees.
-
- Until recently, the mailing list was gatewayed into the newsgroup,
- one-way. It is possible that this arrangement may resume at some time
- in the future.
-
- ------------------------------
-
- From: Question 3
- Date: 31 October 1994
- Subject: What does ``cisco'' stand for?
-
- cisco folklore time:
-
- At one point in time, the first letter in cisco Systems was a
- lowercase ``c''. At present, various factions within the company have
- adopted a capital ``C'', while fierce traditionalists (as well as some
- others) continue to use the lowercase variant, as does the cisco
- Systems logo. This FAQ has chosen to use the lowercase variant
- throughout.
-
- cisco is not C.I.S.C.O. but is short for San Francisco, so the story
- goes. Back in the early days when the founders Len Bosack and Sandy
- Lerner and appropriate legal entities were trying to come up with a
- name they did many searches for non similar names, and always came up
- with a name which was denied. Eventually someone suggested ``cisco''
- and the name wasn't taken (although SYSCO may be confusingly similar
- sounding). There was an East Coast company which later was using the
- ``CISCO'' name (I think they sold in the IBM marketplace); they ended
- up having to not use the CISCO abbreviation. Today many people spell
- cisco with a capital ``C'', citing problems in getting the lowercase
- ``c'' right in publications, etc. This led to at least one amusing
- article headlined ``Cisco grows up''. This winter we will celebrate
- our 10th year.
-
- [This text was written in July of 1994 -jhawk]
-
- ------------------------------
-
- From: Question 4
- Date: 31 October 1994
- Subject: How do I save the configuration of a cisco?
-
- If you have a tftp server available, you can create a file on the
- server for your router to write to, and then use the write network
- command. From a typical unix system:
-
- mytftpserver$ touch /var/spool/tftpboot/myconfig
- mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
-
- myrouter#write net
- Remote host [10.7.0.63]? 10.7.0.2
- Name of configuration file to write [myrouter-confg]? myconfig
- Write file myconfig on host 10.7.0.2? [confirm] y
-
- Bear in mind that TFTP has no authentication or encryption, and that
- the file you just wrote carries the enable password, any line
- passwords and any SNMP community strings you have configured, all of
- which crossed the network in the clear. Keep the TFTP server on a
- trusted network, restrict the tftpboot directory (or the server's own
- access list, where it has one) to the router's address, and clear the
- world-writable bit once the transfer is done.
-
- Additionally, there's a Macintosh TFTP server available:
-
- ftp://nic.switch.ch/software/mac/peterlewis/tftpd-100.sit.hqx
-
- Additionally, you can also use expect, available from:
-
- ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
- ftp://ftp.cme.nist.gov/expect/expect.tar.gz
-
- or, in shar form from ftpeng.cisco.com.
-
- Expect allows you to write a script which telnets to the router and
- performs a ``write terminal'' command, or any other arbitrary set of
- command(s), using a structured scripting language (Tcl).
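To make the caveat concrete, here is an added example (not part of the FAQ and not cisco's code) that audits a configuration saved with ``write net'' for the credentials it carries. The sample configuration and every value in it are constructed for the example; the ``type 7'' table is the well-known fixed XOR table that ``service password-encryption'' uses, which is why that setting hides passwords from someone reading over your shoulder but not from anyone who obtains the file.

```python
"""Audit a saved IOS configuration for the credentials it exposes.
Added example; sample config and all secrets are constructed."""
import re

# Fixed XOR table of the reversible "type 7" encoding.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """Reverse a type 7 string: two-digit seed, then hex bytes XORed with XLAT."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode("ascii")


def encode_type7(plain, seed=2):
    """Forward direction (seed 0..15), so the round trip can be checked."""
    assert 0 <= seed <= 15
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return "%02d%s" % (seed, body.hex().upper())


# Statements that carry a credential; "type" is the IOS type number when present.
CRED_RE = re.compile(
    r"^\s*(?P<what>enable secret|enable password|username \S+ password|password"
    r"|snmp-server community|tacacs-server key|ntp authentication-key \d+ md5)"
    r"\s+(?:(?P<type>[57])\s+)?(?P<value>\S+)"
)


def audit_config(text):
    """Return (service_password_encryption_on, findings);
    each finding is (line_number, statement, note)."""
    lines = text.splitlines()
    encrypted = any(l.strip() == "service password-encryption" for l in lines)
    findings = []
    for n, line in enumerate(lines, 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        what, typ, value = m.group("what"), m.group("type"), m.group("value")
        trailing = line[m.end():].split()
        if typ is None and trailing[:1] == ["7"]:   # ntp keys put the type last
            typ = "7"
        if typ == "7":
            note = "type 7, reversible: " + decode_type7(value)
        elif typ == "5":
            note = "type 5 (MD5 hash): exposed to offline guessing"
        else:
            note = "cleartext: " + value
        findings.append((n, what, note))
    return encrypted, findings


# Constructed sample of what `write net` drops on the TFTP server.
SAMPLE_CONFIG = """\
version 11.1
service password-encryption
hostname myrouter
enable secret 5 $1$xxxx$placeholder-not-a-real-hash
enable password 7 02050D480809
username admin password 7 07032458430C100B
snmp-server community public RO
snmp-server community s3cret RW
ntp authentication-key 1 md5 02050D480809 7
line vty 0 4
 password 7 02050D480809
 login
"""

if __name__ == "__main__":
    on, found = audit_config(SAMPLE_CONFIG)
    print("service password-encryption:", on)
    for lineno, what, note in found:
        print("line %2d  %-32s %s" % (lineno, what, note))
```

Run it against a real saved config and treat every line it prints as something the TFTP directory's permissions are now protecting; ``enable secret'' is the only one that is not immediately readable.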
-
- ------------------------------
-
- From: Question 5
- Date: 5 July 1994
- Subject: Where can I get ancillary software for my cisco?
-
- Try ftping to
-
- ftp://ftpeng.cisco.com/pub
-
- It's a hodgepodge collection of useful stuff, some maintained and some
- not. Some is also available from
-
- ftp://cio.cisco.com
-
- Vikas Aggarwal has a very customised tacacsd:
-
- A new version of xtacacsd is available via anonymous FTP from:
-
- ftp://ftp.navya.com/pub/vikas/xtacacsd-3.5.shar.gz
-
-
- ------------------------------
-
- From: Question 6
- Date: 28 April 1996
- Subject: Is there a World-Wide-Web (www) information source?
-
- You can try the WWW page for this FAQ:
-
- http://www.panix.com/cisco-faq/
-
- or the cisco Educational Archive (CEA) home page:
-
- http://sunsite.unc.edu/cisco/cisco-home.html
-
- or the cisco Information Online (CIO) home page:
-
- http://www.cisco.com/
-
-
- ------------------------------
-
- From: Question 7
- Date: 5 July 1994
- Subject: How can I get my cisco to talk to a third party router over
- a serial link?
-
- You need to tell your cisco to use the same link-level protocol as the
- other router; by default, ciscos use a rather bare, cisco-specific
- variant of HDLC (High-level Data Link Control), the framing that most
- serial link-level protocols build on at some layer or another. To make
- your cisco operate with most other routers, you need to change the
- encapsulation from HDLC to PPP on the relevant interfaces. For instance:
-
- sewer-cgs#conf t
-
- Enter configuration commands, one per line.
- Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
- interface serial 1
- encapsulation ppp
- ^Z
-
- sewer-cgs#sh int s 1
-
- Serial 1 is administratively down, line protocol is down
- Hardware is MCI Serial
- MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
- Encapsulation PPP, loopback not set, keepalive set (10 sec)
- ^^^^^^^^^^^^^^^^^^^^^^^^^^^
- [...]
-
- If you're still having trouble, you might wish to turn on serial interface
- debugging:
-
- sewer-cgs#ter mon
- sewer-cgs#debug serial-interface
-
- ------------------------------
-
- From: Question 8
- Date: 27 July 1994
- Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?
-
- You should tell your cisco to use ``encapsulation frame-relay ietf''
- (instead of ``encapsulation frame-relay'') on your serial interface
- that's running frame relay if your frame relay network contains a
- diverse set of manufacturers' routers. The keyword ``ietf'' specifies
- that your cisco will use RFC1294-compliant encapsulation, rather than
- the default, RFC1490-compliant encapsulation (other products, notably
- Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verboten
- by 1490, namely padding of the nlpid). If only a few routers in your
- frame relay cloud require this, then you can use the default
- encapsulation on everything and specify the exceptions with the
- frame-relay map command:
-
- frame-relay map ip 10.1.2.3 56 broadcast ietf
- ^^^^
-
- (ietf stands for Internet Engineering Task Force, the body which
- evaluates Standards-track RFCs; this keyword is a misnomer as both
- RFC1294 and RFC1490 are ietf-approved; however, 1490 is the more recent
- and is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one
- step beneath a DS), and is effectively obsolete).
-
- ------------------------------
-
- From: Question 9
- Date: 26 July 1994
- Subject: How can I use debugging?
-
-
- The ``terminal monitor'' command directs your cisco to send debugging
- output to the current session. It's necessary to turn this on each time
- you telnet to your router to view debugging information. After that,
- you must specify the specific types of debugging you wish to turn on;
- please note that these stay on or off until changed, or until the
- router reboots, so remember to turn them off when you're done.
-
- Debugging messages are also logged to a host if you have trap logging
- enabled on your cisco. You can check this like so:
-
-
- sl-panix-1>sh logging
- Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
- Console logging: level debugging, 66 messages logged
- Monitor logging: level debugging, 0 messages logged
- Trap logging: level debugging, 69 message lines logged
- Logging to 198.7.0.2, 69 message lines logged
- sl-panix-1>
-
- If you have syslog going to a host somewhere and you then start a
- nice long debug session from a terminal, your box is doing double work,
- sending every debug message to your syslog server as well. Additionally,
- if you turn on something that provides copious debugging output, be
- careful that you don't overflow your disk (``debug ip-rip'' is notorious
- for this).
-
- One solution to this is to only send severity ``info'' (6) and more
- severe to the syslog host; debugging output is severity 7 and is then
- dropped before it leaves the router:
-
- sl-panix-1#conf t
- Enter configuration commands, one per line. End with CNTL/Z.
- logging trap info
-
- The other solution is to just be careful and remember to turn off
- debugging. This is easy enough with:
-
- sl-panix-1#undebug all
-
- If you have a heavily loaded box, you should be aware that debugging
- can load your router. The console has a higher priority than a vty so
- don't debug from the console; instead, disable console logging:
-
- cix-west.cix.net#conf t
- Enter configuration commands, one per line. End with CNTL/Z.
- no logging console
-
- Then always debug from a vty. If the box is busy and you are a little
- too vigorous with debugging and the box is starting to sink, quickly
- run, don't walk, to your console and kill the session on the vty. If
- you are on the console your debugging has top priority and then the
- only way out is the power switch. This of course makes remote
- debugging a real sweaty palms adventure, especially on a crowded box.
- Caveat debugger!
-
- Also, if you for some reason forget what the available debug commands
- are and don't have a manual handy, remember that's what on-line help
- is for. Under pre-9.21 versions, ``debug ?'' lists all commands. Under
- 9.21 and above, that gives you general categories, and you can check
- for more specific options by specifying the category: ``debug ip ?''.
-
- As a warning, the ``logging buffered'' feature causes all debug
- streams to be redirected to an in-memory buffer, so be careful using
- that.
-
- Lastly, if you're not sure what debugging criteria you need, you can
- try ``debug all''. BE CAREFUL! It is way useful, but only in a very
- controlled environment, where you can turn off absolutely everything
- you're not interested in. Saves a lot of thinking. Turning it on on
- a busy box can quickly cause meltdown.
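The severity arithmetic behind ``logging trap info'' trips people up, so here is an added example (not from the FAQ) that applies the same rule to a handful of log lines. The lines are constructed for the example; the one assumption is that raw ``debug'' output, which prints without a %FACILITY-SEVERITY-MNEMONIC tag, is treated as severity 7, which is where IOS files it.

```python
"""What `logging trap <level>` forwards to the syslog host.
Added example; log lines are constructed."""
import re

# IOS severity names; the list index is the severity number (0 is most severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# System messages carry a %FACILITY-SEVERITY-MNEMONIC tag.
TAG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def severity_of(line):
    """Severity of one log line. Untagged lines are treated as debug output
    (assumption: the debug streams print without a %FAC-SEV-MNEM tag)."""
    m = TAG_RE.search(line)
    return int(m.group("severity")) if m else 7


def trap_filter(lines, trap_level="informational"):
    """Lines the syslog host receives under `logging trap <trap_level>`:
    everything whose severity number is <= the configured level."""
    limit = SEVERITY_NAMES.index(trap_level)
    return [line for line in lines if severity_of(line) <= limit]


def severity_histogram(lines):
    """How much of the stream sits at each severity (index = severity)."""
    counts = [0] * 8
    for line in lines:
        counts[severity_of(line)] += 1
    return counts


# Constructed sample: two system messages, an ACL log entry, and two lines
# of `debug ip rip` style output in between.
SAMPLE_LOG = [
    "Jun 14 12:36:13 PDT: %SYS-5-CONFIG_I: Configured from console by vty0 (10.7.0.5)",
    "Jun 14 12:36:20 PDT: %LINK-3-UPDOWN: Interface Serial1, changed state to down",
    "Jun 14 12:36:20 PDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down",
    "Jun 14 12:36:21 PDT: RIP: received v1 update from 192.125.254.17 on Ethernet0",
    "Jun 14 12:36:21 PDT: RIP: sending v1 update to 255.255.255.255 via Ethernet0",
    "Jun 14 12:36:30 PDT: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.2.3(1234) -> 10.7.0.2(23), 1 packet",
]

if __name__ == "__main__":
    for level in ("debugging", "informational", "errors"):
        print("logging trap %-14s forwards %d of %d lines"
              % (level, len(trap_filter(SAMPLE_LOG, level)), len(SAMPLE_LOG)))
```

With ``logging trap informational'' the two RIP debug lines stay on the router; with the default of ``debugging'' they all go to the host, which is the disk-filling case described above.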
-
- ------------------------------
-
- From: Question 10
- Date: 5 July 1994
- Subject: How can I use NTP (Network Time Protocol) with my cisco?
-
- >What level of software is required for NTP support in
- >a cisco router?
-
- 9.21 or above.
-
- >Which cisco routers support NTP?
-
- It is a software feature exclusively. Anything that supports
- 9.21 or 10 will run NTP (when running that s/w).
-
- >How do I set it up?
-
- The basic hook is:
- ntp server <host> [version n]
- or
- ntp peer <host> [version n]
-
- depending on whether you want a client/server or peer relationship.
- There's a bunch of other stuff available for MD5 authentication,
- broadcast, access control, etc. You can also use the
- context-sensitive help feature to puzzle it out; try ``ntp ?'' in
- config mode.
-
- You'll also want to play with the SHOW NTP * router commands. Here
- are two examples.
-
- EXAMPLE 1:
-
- router# show ntp assoc
-
- address ref clock st when poll reach delay offset disp
- +~128.9.2.129 .WWVB. 1 109 512 377 97.8 -2.69 26.7
- *~132.249.16.1 .GOES. 1 309 512 357 55.4 -1.34 27.5
- * master (synced), # master (unsynced), + selected, - candidate, ~ configured
-
- EXAMPLE 2:
-
- router#show ntp stat
- Clock is synchronized, stratum 2, reference is 132.249.16.1
- nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
- reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
- clock offset is -1.34 msec, root delay is 55.40 msec
- root dispersion is 41.29 msec, peer dispersion is 28.96 msec
-
- For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.
-
- For broader NTP info, see ftp://louie.udel.edu:pub/ntp/doc. The file
- clock.txt in that directory has info about various public NTP servers.
- There is also information on radio time receivers that can be
- connected to an NTP server (this is handy on private networks, if you
- have an entire campus to get chiming, or if you become a hard core
- chimer).
-
- The ``ntp clock-period'' command is added automagically to jump-start
- the NTP frequency compensation when the box is rebooted. This is
- essentially a representation of the frequency of the crystal used as
- the local timebase, and may take several days to calculate otherwise.
- (Do a ``write mem'' after a week or so to save a good value.)
-
- Caveat of obsolescence: Note that the CS-500 will not be able to
- achieve quite the same level of accuracy as other platforms, since its
- hardware clock resolution is roughly 242Hz instead of the 1MHz
- available on other platforms. In practice this shouldn't matter for
- anyone other than true time geeks.
-
- ----------------------------------------------------------------------
-
- From: Question 11
- Date: 5 July 1994
- Subject: Sample cisco NTP Configurations
-
- You will need to substitute your own NTP peers, timezones, and GMT
- offsets into the examples below, of course. Example 1 is in US Central
- Time Zone, while example 3 is in US Pacific Time Zone. Both account
- for normal US Daylight Saving Time practices.
-
- EXAMPLE 1 (Charley Kline):
- ...
- clock timezone CST -6
- clock summer-time CDT recurring
- ntp source eth 0
- ntp peer <host1>
- ntp peer <host2>
- ntp peer <host3>
- ...
-
-
- EXAMPLE 2 (Tony Li):
- ...
- ntp source Ethernet0/0
- ntp update-calendar
- ntp peer <host1>
- ntp peer <host2> prefer
- ...
-
-
- EXAMPLE 3 (Dave Katz):
- ...
- service timestamps debug datetime localtime
- service timestamps log datetime localtime
- clock timezone PST -8
- clock summer-time PDT recurring
- interface Ethernet0
- ip address <mumble>
- ntp broadcast
- ntp clock-period 17180319
- ntp source Ethernet0
- ntp server <host1>
- ntp server <host2>
- ntp server <host3>
-
- COMMENTS ON EXAMPLE 3:
- The config file is commented with date and time (and user id,
- if TACACS is enabled) when the system thinks the clock is accurate.
- I've enabled timestamping of debug and syslog messages. I send NTP
- broadcast packets out onto the local ethernet. I'm in Pacific
- Standard Time, with U.S. standard daylight saving time rules. I use
- the IP address of the ethernet as the source for all NTP packets.
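None of the three sample configurations above uses the MD5 authentication that question 10 mentions, so the router accepts time from whatever answers as the configured server (or, for a broadcast client, from anyone on the segment), and the ``service timestamps'' in example 3 then stamp your logs with that time. Here is an added example (not from the FAQ) showing what the authenticator actually is: it builds an NTP version 3 client packet, appends the key id and MD5(key || header) that ``ntp authentication-key N md5 <key>'' plus ``ntp server <host> key N'' put on the wire, and verifies it the way a ``ntp trusted-key'' check does. The key material and timestamps are constructed.

```python
"""NTP client packet with a symmetric-key MD5 authenticator.
Added example; key and timestamps are constructed."""
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)
HEADER_LEN = 48                # fixed NTP header; the MAC follows it
MAC_LEN = 4 + 16               # key id + MD5 digest


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, frac)


def build_client_packet(version=3, xmit_unix=0.0):
    """Mode 3 (client) request with only the transmit timestamp filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 6, -20)  # stratum 0, poll 2^6, precision 2^-20
    header += struct.pack("!II", 0, 0)                     # root delay, root dispersion
    header += b"\x00" * 4                                  # reference id
    header += b"\x00" * 24                                 # reference, originate, receive timestamps
    header += ntp_timestamp(xmit_unix)
    assert len(header) == HEADER_LEN
    return header


def authenticate(header, key_id, key):
    """Append the MAC: key id, then MD5(key || header).
    This is the plain keyed digest NTP specifies, not HMAC."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, trusted_keys):
    """Return the key id if the MAC verifies under a trusted key, else None.
    A packet with no MAC at all is rejected, which is what `ntp authenticate`
    plus `ntp trusted-key` buys you."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return None
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    return key_id if hmac.compare_digest(packet[HEADER_LEN + 4:], expected) else None


if __name__ == "__main__":
    keys = {1: b"example-ntp-key"}          # `ntp authentication-key 1 md5 example-ntp-key`
    request = build_client_packet(3, 771597373.713)
    print("unauthenticated:", verify(request, keys))
    print("key 1:          ", verify(authenticate(request, 1, keys[1]), keys))
    print("wrong key:      ", verify(authenticate(request, 1, b"guess"), keys))
```

On the router side the matching configuration is ``ntp authenticate'', ``ntp authentication-key 1 md5 <key>'', ``ntp trusted-key 1'' and ``ntp server <host> key 1''; the key itself is stored in the configuration, so this ties back to the warning in question 4 about where saved configurations end up.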
-
-
- ------------------------------
-
- From: Question 12
- Date: 5 July 1994
- Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?
-
- By default, all lines are configured to automatically try a telnet
- connection if the first word in a input line is not recognized as a
- valid command. You can disable this by setting ``transport preferred
- none'' on every line (con, aux and vty). For instance:
-
-
- sl-panix-1#conf t
- Enter configuration commands, one per line. End with CNTL/Z.
- line vty 0 10
- transport preferred none
-
-
- You can see the number of vty's currently configured with ``show line''.
-
- Also, you can suspend connect attempts with ^^ followed by ``x'', i.e.
- shift-ctrl-6 then x.
-
- [It has been suggested that ``no ip ipname-lookup'' to turn off IEN116
- helps. I think this is the default -jhawk ]
-
- ------------------------------
-
- From: Question 13
- Date: 31 Oct 1994
- Subject: Tracing bad routing information
-
- or: How do I find out which non-cisco systems on my networks generate IP-RIP
- information without letting them mess up my routing tables.
-
- Here you could work with a default administrative distance.
- Administrative distance is the basis upon which the cisco prefers
- routing information of one protocol over another. In this example:
-
- router rip
- network 192.125.254.0
- distance 255
- distance 120 192.125.254.17 ! list all valid RIP suppliers
- [...]
-
- the value 255 has the implicit meaning of not putting this information
- into the routing table. Therefore, setting an administrative distance
- of 255 means that all RIP suppliers are by default accepted but their
- information is not put into the routing table. The administrative
- distance for the router 192.125.254.17 has been reset to the default
- (for RIP) of 120, causing its routes to be accepted into the routing table.
-
- Then you can look them up with ``show ip protocols'' and restore the
- original administrative distance for the ones you want to fill in the
- routing table.
-
- The same results can be achieved with an ip access-list, but with
- that, ``show ip protocols'' will only show the valid ones. But often
- it is more useful to see which systems were generating routing
- information at all.
-
- This trick works for other routing protocols as well, but please select
- the proper administrative distance (rather than 120) for the protocol
- you're using.
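As an added example (not from the FAQ), the following replays the trick with a few constructed RIP updates: a legitimate supplier and a rogue host announcing a default route and a better metric for a real prefix. With plain RIP the rogue wins; with ``distance 255'' plus ``distance 120 192.125.254.17'' every supplier is still heard (which is what you want to see), but only the listed one gets into the table.

```python
"""Administrative distance 255 as a way to observe RIP suppliers without
installing their routes.  Added example; updates are constructed."""
UNREACHABLE = 255   # a route with distance 255 is never installed


def apply_distance(updates, default_distance, neighbor_distance=None):
    """updates: (neighbour, prefix, metric) tuples as received.
    Returns (suppliers, rib): suppliers counts updates per neighbour heard
    from, i.e. what `show ip protocols` lists; rib maps prefix ->
    (neighbour, distance, metric) for the routes actually installed."""
    neighbor_distance = neighbor_distance or {}
    suppliers = {}
    rib = {}
    for neighbor, prefix, metric in updates:
        suppliers[neighbor] = suppliers.get(neighbor, 0) + 1
        distance = neighbor_distance.get(neighbor, default_distance)
        if distance == UNREACHABLE:
            continue                      # heard, but never a candidate
        current = rib.get(prefix)
        if current is None or (distance, metric) < (current[1], current[2]):
            rib[prefix] = (neighbor, distance, metric)
    return suppliers, rib


def unexpected_suppliers(suppliers, trusted):
    """Neighbours that sent routing information but are not on the list."""
    return sorted(n for n in suppliers if n not in trusted)


# Constructed updates: .17 is the real router, .99 is a host someone left
# running routed.
UPDATES = [
    ("192.125.254.17", "192.125.250.0/24", 2),
    ("192.125.254.17", "10.0.0.0/8", 3),
    ("192.125.254.99", "0.0.0.0/0", 1),
    ("192.125.254.99", "10.0.0.0/8", 1),
]
TRUSTED = {"192.125.254.17": 120}   # the `distance 120 192.125.254.17` line

if __name__ == "__main__":
    seen, rib = apply_distance(UPDATES, 120)
    print("plain RIP installs:", rib)
    seen, rib = apply_distance(UPDATES, UNREACHABLE, TRUSTED)
    print("with distance 255:", rib)
    print("unexpected suppliers:", unexpected_suppliers(seen, TRUSTED))
```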
-
- ------------------------------
-
- From: Question 14
- Date: 5 July 1994
- Subject: How to use access lists
-
- [The following is wholesale included; at some point it'll
- probably be edited a bit and reformatted... -jhawk ]
-
- Frequently Asked Questions
- contributed by Howard C. Berkowitz
- PSC International
- hcb@world.std.com
- @clark.net [probably will be my permanent
- personal account]
- PSC's domain is in mid-setup
-
- Where in the router are access lists applied?
-
-
- In general, Basic access lists are executed as filters on
- outgoing interfaces. Newer releases of the cisco code, such as
- 9.21 and 10, do have increased ability to filter on incoming ports.
- Certain special cases, such as broadcasts and bridged traffic,
- can be filtered on incoming interfaces in earlier releases.
- There are also special cases involving console access.
-
- Rules, written as ACCESS-LIST statements, are global for the entire
- cisco box; they are activated on individual outgoing interfaces by
- ACCESS-GROUP subcommands of the INTERFACE major command.
- Filters are applied after traffic has entered on an incoming
- interface and gone through a routing process; traffic that originates in
- a router (e.g., telnets from the console port) is not subject to
- filtering.
-
- +-------------------+
- | GLOBAL |
- | |
- | Routing |
- | ^ v Access |
- | ^ v Lists |
- +-^--v--------^---v-+
- | ^ v ^ v |
- | ^ v ^ v |
- A----------->|-| |>>>>Access >>----------->B
- |1 Group 2 |
- <------------| |<-----------
- | |
- | |
- +-------------------+
-
- Some types of ``filter,'' using ``filter'' as a broader class than
- ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-
- SAP-FILTER used for Novell networks is applied to Service Advertisement
- Packets (SAP) seen at incoming interfaces. In general, incoming
- filtering can only be done for ``system'' rather than user traffic.
-
- Rules of thumb in defining access lists.
-
- First, define what you want to do and in which directions. An
- informal drawing is a good first step. As opposed to the usual
- connectivity drawings among routers, it's often convenient to draw
- unidirectional links between routers.
- Second, informally write out your filtering rules. In general, it
- is best to go from most specific to least specific. Modify the order of
- writing things to minimize the number of rules needed.
- Third, determine which rules need to be on which routers.
- Explicitly consider the direction of flow, and the possible existence of
- additional paths that could inadvertently bypass a filter.
-
- Can a cisco router be a ``true'' firewall?
-
- This depends on the definition of firewall. Some writers (e.g.,
- Gene Spafford in _Practical UNIX Security_) define a firewall as a
- host on which an ``inside'' and/or an ``outside'' application process run,
- with application-level code linking the two. For example, a firewall
- might provide FTP access to the outside world, but it would not also
- provide direct FTP service to the inside world. To place a file on
- the FTP external server, a designated user would explicitly log onto
- the FTP server, transfer a file to the server, and log off. The
- firewall prevents direct FTP connectivity between the inside and
- outside networks; only indirect, application-level connectivity is
- allowed.
- Firewalls of this sort are complemented by chokes, which filter on
- network addresses and/or port numbers. Cisco routers cannot do
- application-level control with access control lists.
- Other authors do not distinguish between chokes and filters. Using
- the loose definition that a firewall is anything that selectively blocks
- access from the inside to the outside, routers can be firewalls.
-
-
- IP Specific
- -----------
-
- Can the ``operand'' field be used with a protocol keyword of IP to filter
- on protocol ID?
-
- No. Operand filtering only works for TCP and UDP port numbers.
-
- How can I prevent traffic for a certain Internet application to flow in
- one direction but not the other?
-
- Remember that Internet applications flow from client port to server
- port. Denying traffic from port 23, for example, blocks flow from the
- client to the server.
-
- +-------------------+
- | |
- A----------->| |----------->B
- |1 2|
- <------------| |<-----------
- | |
- +-------------------+
-
- If we deny traffic to Port 23 of address B by placing a filter at
- interface 2, we have blocked A's ability to telnet to B, but not B's
- ability to telnet to A. A second filter at interface A would be needed
- to block telnet in both directions.
- Assume that we only have the filter at interface 2. Telnets to A
- from B will not be affected because the filter at 2 does not check
- incoming traffic.
- -------
-
- With the arrival of in-bound access lists in 9.21, it should be noted
- that inbound and outbound access lists are about equally efficient, in
- case any of you were wondering.
-
-
- It's worth remembering that there are some kinds of problems
- that packet-filtering firewalls are not best suited for. There's
- reasonably good information in:
-
- "Network (in)security through packet filtering"
- ftp://ftp.greatcircle.com/pub/firewalls/pkt_filtering.ps.Z
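The telnet scenario in the section above is easy to get wrong in practice, so here is an added example (not from the FAQ, and not cisco's matching code) with a small evaluator for classic extended access lists: wildcard masks, ``any''/``host'', ``eq'' ports, first match wins, implicit deny at the end, and the inbound-then-outbound order in which groups are applied. It replays the figure with the list applied outbound on interface 2 only. Addresses and the list are constructed.

```python
"""Minimal evaluator for IOS extended access lists, used to replay the
one-directional telnet filter.  Added example; addresses are constructed."""
import ipaddress

PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "domain": 53, "www": 80}


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, pos):
    """any | host A | A WILDCARD  ->  (address, wildcard_mask), next position."""
    if tokens[pos] == "any":
        return (0, 0xFFFFFFFF), pos + 1
    if tokens[pos] == "host":
        return (_ip(tokens[pos + 1]), 0), pos + 2
    return (_ip(tokens[pos]), _ip(tokens[pos + 1])), pos + 2


def _parse_port(tokens, pos):
    """Optional 'eq <port>' -> port number or None, next position."""
    if pos < len(tokens) and tokens[pos] == "eq":
        p = tokens[pos + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), pos + 2
    return None, pos


def parse_access_lists(config_text):
    """Return {list_number: [rules]} in configuration order."""
    lists = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, pos = _parse_addr(t, 4)
        sport, pos = _parse_port(t, pos)
        dst, pos = _parse_addr(t, pos)
        dport, pos = _parse_port(t, pos)
        lists.setdefault(number, []).append((action, proto, src, sport, dst, dport))
    return lists


def _addr_match(spec, ip_text):
    """Wildcard-mask match: bits set in the mask are don't-care bits."""
    address, wildcard = spec
    return (_ip(ip_text) ^ address) & (~wildcard & 0xFFFFFFFF) == 0


def acl_permits(rules, pkt):
    """pkt = (proto, src, sport, dst, dport).  First matching rule decides;
    a packet that matches no rule is dropped (the implicit deny)."""
    proto, src, sport, dst, dport = pkt
    for action, r_proto, r_src, r_sport, r_dst, r_dport in rules:
        if r_proto != "ip" and r_proto != proto:
            continue
        if not (_addr_match(r_src, src) and _addr_match(r_dst, dst)):
            continue
        if r_sport is not None and r_sport != sport:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return action == "permit"
    return False


def forward(router, pkt, in_if, out_if):
    """Inbound group on the entry interface, then outbound group on the exit
    interface; the first group that denies wins."""
    for rules in (router[in_if].get("in"), router[out_if].get("out")):
        if rules is not None and not acl_permits(rules, pkt):
            return "deny"
    return "permit"


# The figure above: interface 1 faces A, interface 2 faces B, group 101 is
# applied outbound on interface 2 only.
A, B = "10.1.0.7", "10.2.0.5"
CONFIG = """
access-list 101 deny tcp any host 10.2.0.5 eq telnet
access-list 101 permit ip any any
"""
ACLS = parse_access_lists(CONFIG)
ROUTER = {1: {}, 2: {"out": ACLS["101"]}}

if __name__ == "__main__":
    print("A telnets to B:      ", forward(ROUTER, ("tcp", A, 1025, B, 23), 1, 2))
    print("B telnets to A:      ", forward(ROUTER, ("tcp", B, 1026, A, 23), 2, 1))
    print("A's reply back to B: ", forward(ROUTER, ("tcp", A, 23, B, 1026), 1, 2))
```

B's telnet to A passes because nothing is filtered inbound on interface 2 or outbound on interface 1, and A's replies leave interface 2 with destination port 1026, not 23. Blocking that direction needs a second group on interface 1, exactly as the text says.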
-
-
- ------------------------------
-
- From: Question 15
- Date: 26 July 1994
- Subject: The cisco boot process
-
- What really happens when a cisco router boots, from boot start to live
- interfaces?
-
- First it boots the ROM os version. It reads the config. Now, it
- realizes that you want to netboot. It loads the netbooted copy in on
- top of itself. It then re-initializes the box and re-reads the
- config. Manly, yes, but we like it too....
-
- [[ Ummm... in particular it loads the netbooted copy in as WELL as
- itself, decompresses it, if necessary, and THEN loads on top of
- itself. Note that this is important because it tells you what the
- memory requirements are for netbooting: RAM for ROM image (if it's a
- run from RAM image), plus dynamic data structures, plus RAM for
- netbooted image. ]]
-
- The four ways to boot and what happens (sort of):
-
- I (from bootstrap mode)
-
- The ROM monitor is running. The I command causes the ROM monitor to
- walk all of the hardware in the bus and reset it with a brute force
- hammer. If the bits in the config register say to auto-boot, then
- goto B
-
- B (from bootstrap mode)
-
- Load the OS from ROM. If a name is given, tell that image to start
- silently and then load a new image. If the boot system command is
- given, then start silently and load a new image.
-
- powercycle
-
- Does some delay stuff to let the power settle. Goto I.
-
- reload (from the EXEC)
- Goto I.
-
-
- ------------------------------
-
- From: Question 16
- Date: 18 July 1994
- Subject: Where can I get cisco hardware?
-
- Try calling 800-553-NETS and asking for your local sales office.
- That's probably the best plan.
-
- ------------------------------
-
- From: Question 17
- Date: 18 April 1995
- Subject: Where can I get IETF documents (RFCs, STDs, etc.)?
-
- Where and how to get new RFCs
- =============================
-
- RFCs may be obtained via EMAIL or FTP from many RFC Repositories. The
- Primary Repositories will have the RFC available when it is first
- announced, as will many Secondary Repositories. Some Secondary
- Repositories may take a few days to make available the most recent
- RFCs.
-
- Primary Repositories:
-
-
- RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET,
- NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK,
- FTP.CONCERT.NET, or FTP.SESQUI.NET.
-
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
- Secondary Repositories:
-
-
-
- Sweden
- ------
- Host: sunic.sunet.se
- Directory: rfc
-
- Host: chalmers.se
- Directory: rfc
-
-
- Germany
- -------
- Site: EUnet Germany
- Host: ftp.Germany.EU.net
- Directory: pub/documents/rfc
-
-
- France
- ------
- Site: Institut National de la Recherche en Informatique
- et Automatique (INRIA)
- Address: info-server@inria.fr
- Notes: RFCs are available via email to the above
- address. Info Server manager is Mireille
- Yamajako (yamajako@inria.fr).
-
-
- Netherlands
- -----------
- Site: EUnet
- Host: mcsun.eu.net
- Directory: rfc
- Notes: RFCs in compressed format.
-
-
- France
- ------
- Site: Centre d'Informatique Scientifique et Medicale
- (CISM)
- Contact: ftpmaint@univ-lyon1.fr
- Host: ftp.univ-lyon1.fr
- Directories: pub/rfc/* Classified by hundreds
- pub/mirrors/rfc Mirror of Internic
- Notes: Files compressed with gzip. Online
- decompression done by the FTP server.
-
-
- Finland
- -------
- Site: FUNET
- Host: funet.fi
- Directory: rfc
- Notes: RFCs in compressed format. Also provides
- email access by sending mail to
- archive-server@funet.fi.
-
-
- Norway
- ------
- Host: ugle.unit.no
- Directory: pub/rfc
-
-
- Denmark
- -------
- Site: University of Copenhagen
- Host: ftp.denet.dk
- Directory: rfc
-
-
- Australia and Pacific Rim
- -------------------------
-
- Site: munnari
- Contact: Robert Elz <kre@cs.mu.OZ.AU>
- Host: munnari.oz.au
- Directory: rfc
- rfc's in compressed format rfcNNNN.Z
- postscript rfc's rfcNNNN.ps.Z
-
-
- United States
- -------------
-
- Site: cerfnet
- Contact: help@cerf.net
- Host: nic.cerf.net
- Directory: netinfo/rfc
-
- Site: NASA NAIC
- Contact: rfc-updates@naic.nasa.gov
- Host: naic.nasa.gov
- Directory: files/rfc
-
- Site: NIC.DDN.MIL (DOD users only)
- Contact: NIC@nic.ddn.mil
- Host: NIC.DDN.MIL
- Directory: rfc/rfcnnnn.txt
- Note: DOD users only may obtain RFC's via FTP
- from NIC.DDN.MIL. Internet users should NOT
- use this source due to inadequate connectivity.
-
- Site: uunet
- Contact: James Revell <revell@uunet.uu.net>
- Host: ftp.uu.net
- Directory: inet/rfc
-
-
- UUNET Archive
- -------------
-
- UUNET archive, which includes the RFCs, various IETF documents,
- and other information regarding the Internet, is available to the
- public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and
- will be available via an anonymous kermit server soon. Get the
- file /archive/inet/ls-lR.Z for a listing of these documents.
-
- Any site in the US running UUCP may call +1 900 GOT SRCS and use
- the login "uucp". There is no password. The phone company will
- bill you at $0.50 per minute for the call. The 900 number only
- works from within the US.
-
- ------------------------------
-
- From: Question 18
- Date: 22 April 1996
- Subject: Future features in cisco software
-
- [This could be more fleshed out (still!)]
-
- Kerberos and RADIUS in 11.1
- RIP version 2 in 11.1 (allows VLSM, etc.)
- Policy-based routing (routing based on source address or interface, or just
- about anything else you want) in 11.0 *released*
- PPP Multilink in 11.0(3) *released*
- Frame Relay payload compression in 11.0(4) *released*
- IPX Per-Host load balancing in 11.1
-
- ------------------------------
-
- From: Question 19
- Date: 27 July 1994
- Subject: How do cisco routers rate performance-wise?
-
- People often ask about the performance of cisco routers, and we shy
- away from answering their questions because we don't know where to send
- them.
-
- Scott Bradner keeps the results of his performance tests on the
- Internet. You can find them via ftp on the system hsdndev.harvard.edu
- in the /pub/ndtl directory. There is a README file in that directory that
- explains what is available. In addition, cisco has just started
- publishing a piece of literature called ``The Harvard Benchmark Test
- Results: Summary of cisco Systems Performance''. The only number I
- can find on the doc is Lit. #700901. Don't know if you can order it
- by this number, but at least there's a title to go on.
-
- ------------------------------
-
- From: Question 20
- Date: 22 April 1996
- Subject: How are packets switched?
-
- There are 3 basic types of switching (in order of increasing performance).
-
- process switching
- fast switching
- autonomous switching
-
- Process and fast switching support inbound and outbound, simple and
- extended, access lists. Of course, for fast switching, such lists only
- restrict traffic on the particular fast-switched interface.
-
- Autonomous switching is done in the switch processor, a microcoded device that
- is capable of switching IP, IPX, and bridging packets in the 100kpps range.
- This is known as the "SP" card on the 7000 and the CBUS controller on the AGS+.
- Encapsulation support is rather limited (Ethernet, HDLC, HSSI...).
-
- The cisco 7000 also supports:
-
- silicon switching
-
- Silicon switching is done in the silicon switching engine (creative, eh? ;-).
-
- The silicon switch processor (SSP) is the board which combines both the
- switch processor and a silicon switching engine.
-
- The SSP supports simple and extended outbound access lists in 10.3 and later.
- The SSP supports simple and extended inbound access lists in 11.1 and later.
-
- The cisco 75xx series supports:
-
- "optimal" switching (cruddy name, eh?)
- "flow" switching
- "distributed" switching
-
- * "optimal" switching (cruddy name, eh?)
-
- The 7500 platform does not have a separate SP or SSP card; rather, the RISC
- processor on the "integrated route/switch processor card (IRSP)" handles
- switching directly, similar to the 4000 series routers. Several hardware
- and software enhancements were made, though, to increase the throughput to
- a level several times above what you would normally get from "fast"
- switching. Everything that "fast" switching supports is supported in
- "optimal" switching.
-
- * "flow" switching
-
- Basically the "optimal" switching method, but front-ended with an
- additional small "flow" cache. This flow cache contains information about
- source/destination addresses and ports, which allows the router to make more
- informed queueing decisions and process access lists faster. This is a win in
- routers that would tend to carry a reasonably small number of flows at any one
- time, such as what you would expect in a corporate network or in a smaller
- internet service provider network. It's unclear if there are any advantages
- in a large internet backbone.
-
- * "distributed" switching
-
- cisco has announced a new type of interface-processor card, called a "VIP"
- available in the 7500 platform that is intelligent enough to switch packets
- with no intervention on the part of the IRSP card. This once again separates
- switching from routing, as in the earlier CBUS/SP/SSP design.
-
-
- The first packet of every session or connection is always Process Switched.
- The route table is consulted (this resides in DRAM on the CPU) and the
- "result" is cached in the system memory cache. If the protocol can only be
- process switched, then it will continue this way and interrupt the CPU for a
- route table lookup each time. [comment: Process Switching is brutally slow
- compared to other switching methods. Some features (usually new features do
- this for the first few software releases) force every packet to be process
- switched. If you can't avoid process-switching every packet, at least get a
- router with a fast CPU, such as the 75xx, 4500, and 4700. The 4700 is
- currently the fastest at process-switching packets, with the 4500 and 75xx
- tied for second. The 75xx can optimum-switch, however, so it's a lot faster
- than either of the 4x00s, if you can use it.]
-
- The second and subsequent packets of each session are capable of being Fast
- Switched (more session types are becoming fast-switchable), and will consult
- only the route-cache. This still involves a memory lookup on the board, but
- the packet can be transferred from the source card directly to the
- destination card without requiring full storage on the CSC [the CSC refers
- to the CPU card, basically].
-
-
-
- There are some undocumented commands that are useful for obtaining
- per-interface statistics on what sort of switching was performed.
-
- For instance:
-
- frobozz-magic-robot>sh int atm4/0 switch
- ATM4/0
-           Throttle count: 0
-           Protocol  Path         Pkts In  Chars In  Pkts Out Chars Out
-                 IP  Process       104851   7669968    116378  11180988
-       Cache misses                 35826
-                     Fast               0         0         0         0
-                     Auton/SSE          0         0         0         0
- frobozz-magic-robot>sh int atm4/0 stat
- ATM4/0
-         Switching path   Pkts In  Chars In  Pkts Out Chars Out
-              Processor    105024   7679155    116422  11184108
-        Route cache/FIB         0         0         0         0
-      Distributed cache         0         0         0         0
-                  Total    105024   7679155    116422  11184108
-
- ------------------------------
-
- From: Question 21
- Date: 31 October 1994
- Subject: How does one interpret buffer statistics?
-
- Buffer statistics may be obtained with:
-
- mit2-gw.near.net>sh buffers
- Buffer elements:
- 433 in free list (500 max allowed)
- 82320311 hits, 0 misses, 0 created
- Small buffers, 104 bytes (total 202, permanent 120):
- 185 in free list (20 min, 250 max allowed)
- 34289219 hits, 4297 misses, 1307 trims, 1389 created
- Middle buffers, 600 bytes (total 104, permanent 90):
- 102 in free list (10 min, 200 max allowed)
- 6829533 hits, 1432 misses, 483 trims, 497 created
- Big buffers, 1524 bytes (total 90, permanent 90):
- 90 in free list (5 min, 300 max allowed)
- 3403884 hits, 56 misses, 1 trims, 1 created
- Large buffers, 5024 bytes (total 5, permanent 5):
- 5 in free list (0 min, 30 max allowed)
- 49984 hits, 13 misses, 20 trims, 20 created
- Huge buffers, 18024 bytes (total 0, permanent 0):
- 0 in free list (0 min, 4 max allowed)
- 0 hits, 0 misses, 0 trims, 0 created
-
- 5683 failures (0 no memory)
-
- The fields are interpreted as follows:
-
- Total Number of buffers of that size that exist.
-
- Free Number of free buffers.
-
- Max Maximum size that the free list can grow to before we start
- throwing them away.
-
- Hit Buffer got used.
-
- Miss Someone requested a buffer and we had to go carve it up out of
- free memory. If we couldn't because we were at interrupt
- level, it's also an allocation failure. If we couldn't
- because we were out of memory, then it's also a ``no memory''
- failure.
-
- Trim There are more free buffers on the free list than there need
- to be and we threw some away.
-
- Create Number of buffers we created after a miss.
-
- ------------------------------
-
- From: Question 22
- Date: 22 April 1996
- Subject: How should I restrict access to my router?
-
- Many admins are concerned about unauthorized access to their routers
- from malicious people on the Internet; one way to prevent this
- is to restrict access to your router on the basis of IP address.
-
- Many people do this, however it should be noted that a significant number
- of network service providers allow unrestricted access to their routers
- to allow others to debug, examine routes, etc. If you're comfortable doing
- this, so much the better, and we thank you!
-
- If you wish to restrict access to your router, select a free IP access
- list (numbered from 1-100) -- enter ``sh access-list'' to see those
- numbers in use.
-
- yourrouter#sh access-list
- Standard IP access list 5
- permit 192.94.207.0, wildcard bits 0.0.0.255
-
- Next, enter the IP addresses you wish to allow access to your router
- from; remember that access lists contain an implicit "deny everything"
- at the end, so there is no need to include that. In this case, 30
- is free:
-
- yourrouter#conf t
- Enter configuration commands, one per line. End with CNTL/Z.
- yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
- yourrouter(config)#^Z
-
- (This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*).
- Enter multiple lines for multiple addresses; be sure that you don't
- restrict the address you may be telnetting to the router from.
-
- Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
- that you wish to apply the access list to. In this example, I want
- lines 2 through 12:
-
- yourrouter#sh line
-    Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns
-      0 CTY              -     -     -    -    -      0       0       0/0
-      1 AUX   9600/9600  -     -     -    -    -      1 3287605       1/0
- *    2 VTY   9600/9600  -     -     -    -    7     55       0       0/0
-      3 VTY   9600/9600  -     -     -    -    7      4       0       0/0
-      4 VTY   9600/9600  -     -     -    -    7      0       0       0/0
-      5 VTY   9600/9600  -     -     -    -    7      0       0       0/0
-      6 VTY   9600/9600  -     -     -    -    7      0       0       0/0
-      7 VTY   9600/9600  -     -     -    -    7      0       0       0/0
-      8 VTY   9600/9600  -     -     -    -    7      0       0       0/0
-      9 VTY   9600/9600  -     -     -    -    7      0       0       0/0
-     10 VTY   9600/9600  -     -     -    -    7      0       0       0/0
-     11 VTY   9600/9600  -     -     -    -    -      0       0       0/0
-     12 VTY   9600/9600  -     -     -    -    -      0       0       0/0
-
-
- Apply the access list to the relevant lines:
-
- yourrouter#conf t
- Enter configuration commands, one per line. End with CNTL/Z.
- yourrouter(config)#line 2 12
- yourrouter(config-line)# access-class 30 in
- yourrouter(config-line)# ^Z
-
- (This applies access list 30 to lines 2 through 12.) It's also important
- to restrict access to the aux port (line 1) if you have a device (such
- as a CSU/DSU) plugged into it.
-
- Be sure to save your configuration with ``write mem''.
-
- Please note that access lists for incoming telnet connections do NOT
- cause your router to perform significant CPU work, unlike access lists
- on interfaces.
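-
- As an added example (not from the FAQ), here is a Python evaluator for standard IP
- access lists using the wildcard-bit semantics described above, including the implicit
- deny, so that you can check which management addresses an ``access-class N in'' would
- lock out before applying it. The configuration lines are constructed; lists 5 and 30
- mirror the ones shown above, with one extra host entry.

```python
import ipaddress

# Constructed sample configuration: list 5 as shown by ``sh access-list'' in the FAQ,
# list 30 as added in the FAQ, plus one host entry to exercise the ``host'' keyword.
CONFIG = """\
access-list 5 permit 192.94.207.0 0.0.0.255
access-list 30 permit 172.30.0.0 0.0.255.255
access-list 30 permit host 192.0.2.10
"""


def parse_standard_acl(config):
    """Parse ``access-list N permit|deny ...`` lines into (number, action, net, wildcard).

    A wildcard bit of 1 means "don't care"; a missing wildcard means an exact host match.
    """
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue  # not a standard access-list entry
        number, action = int(parts[1]), parts[2]
        if parts[3] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif parts[3] == "host" and len(parts) > 4:
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        rules.append((number, action, net, wild))
    return rules


def acl_permits(rules, number, address):
    """Evaluate list ``number`` against one source address.

    First matching entry wins; a source matching no entry is denied (the implicit
    "deny everything" at the end of every list).
    """
    a = int(ipaddress.IPv4Address(address))
    for num, action, net, wild in rules:
        if num != number:
            continue
        mask = ~wild & 0xFFFFFFFF  # the bits that must match exactly
        if (a & mask) == (net & mask):
            return action == "permit"
    return False


def locked_out(rules, number, management_addresses):
    """Addresses that would lose vty access once ``access-class <number> in`` is applied.

    Run this before applying the list, so you do not cut off your own session.
    """
    return [m for m in management_addresses if not acl_permits(rules, number, m)]


if __name__ == "__main__":
    rules = parse_standard_acl(CONFIG)
    print(locked_out(rules, 30, ["172.30.1.1", "192.0.2.10", "198.51.100.5"]))
```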
-
- ------------------------------
-
- From: Question 23
- Date: 1 November 1994
- Subject: What can I do about source routing?
-
- What *is* source routing?
-
- Source routing is an IP option which allows the originator of a packet
- to specify what path that packet will take, and what path return packets
- sent back to the originator will take. Source routing is useful when the
- default route that a connection will take fails or is suboptimal for some
- reason, or for network diagnostic purposes. For more information on
- source routing, see RFC791.
-
- Unfortunately, source routing is often abused by malicious users on
- the Internet (and elsewhere), and used to make a machine (A), think
- it is talking to a different machine (B), when it is really talking to
- a third machine (C). This means that C has control over B's IP address
- for some purposes.
-
- The proper way to fix this is to configure machine A to ignore
- source-routed packets where appropriate. This can be done for most
- unix variants by installing a package such as the tcp_wrapper package
- by Wietse Venema <wietse@wzv.win.tue.nl>:
-
- ftp://cert.org:pub/tools/tcp_wrappers
-
- For some operating systems, a kernel patch is required to make this
- work correctly (notably SunOS 4.1.3). Also, there is an unofficial
- kernel patch available for SunOS 4.1.3 which turns all source routing
- off; I'm not sure where this is available, but I believe it was posted
- to the firewalls list by Brad Powell sometime in mid-1994.
-
- If disabling source routing on all your clients is not possible, a
- last resort is to disable it at your router. This will make you unable
- to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both
- of which use LSRR (Loose Source Record Route, 2 IP options, the first
- of which is a type of source routing), but may be necessary for some.
- If so, you can do this with
-
- foo-e-0#conf t
- Enter configuration commands, one per line. End with CNTL/Z.
- foo-e-0(config)#no ip source-route
- foo-e-0(config)#^Z
-
- It is somewhat unfortunate that you cannot be selective about this; it
- disables all forwarding of source-routed packets through the router,
- for all interfaces, as well as source-routed packets to the router
- (the last is unfortunate for the purposes of ``traceroute -g'').
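-
- Added example, not from the FAQ: a small Python parser that walks the option list of
- an IPv4 header and reports whether it carries the LSRR or SSRR option, which is how you
- would confirm from a packet capture whether source-routed packets are still reaching a
- host or router. The sample headers are constructed inline; the ipv4_header helper exists
- only to build them and is not a real network library call.

```python
import struct
import ipaddress

# RFC 791 option type octets: copied flag set, class 0, option numbers 3 and 9.
LSRR = 0x83  # Loose Source and Record Route
SSRR = 0x89  # Strict Source and Record Route


def ip_options(packet):
    """Yield (type, data) for each option in an IPv4 header; ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # No Operation: a single octet with no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length octet")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route(packet):
    """Return (kind, pointer, hops) if the header carries LSRR or SSRR, else None.

    ``kind`` is "LSRR" or "SSRR"; ``hops`` lists the route data as dotted quads.
    """
    for kind, data in ip_options(packet):
        if kind in (LSRR, SSRR):
            # option body is one pointer octet followed by 4-octet addresses
            if len(data) < 1 or (len(data) - 1) % 4:
                raise ValueError("malformed source route option")
            hops = [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(1, len(data), 4)]
            return ("LSRR" if kind == LSRR else "SSRR", data[0], hops)
    return None


def ipv4_header(src, dst, options=b""):
    """Constructed test input: a minimal IPv4 header (protocol TCP, checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)  # pad the option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options


if __name__ == "__main__":
    plain = ipv4_header("198.51.100.1", "203.0.113.9")
    routed = ipv4_header("198.51.100.1", "203.0.113.9",
                         bytes([LSRR, 7, 4]) + ipaddress.IPv4Address("192.0.2.1").packed)
    print(source_route(plain), source_route(routed))
```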
-
- ------------------------------
-
- From: Question 24
- Date: 22 April 1996
- Subject: Is there a block of private IP addresses I can use?
-
- Yes there is, however whether you wish to do so is an issue of
- some debate.
-
- You could consult:
-
- 1627 Network 10 Considered Harmful (Some Practices Shouldn't be
- Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.
- (Format: TXT=18823 bytes)
-
- 1918 Address Allocation for Private Internets. Y. Rekhter, B.
- Moskowitz, D. Karrenberg, G. J. de Groot & E. Lear. February 1996.
- (Format: TXT=22270 bytes) (Obsoletes RFC1627, RFC1597) (Also BCP0005)
-
- In any event, RFC 1918 documents the allocation of the following
- addresses for use by ``private internets'':
-
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
-
- Most importantly, it is vital that nothing using these addresses
- should ever connect to the global Internet, or have plans to do so.
- Please read the above RFCs before considering implementing such
- a policy.
-
- As an additional note, some Internet providers provide network-management
- services, statistics gathering, etc. It is unlikely (if at all possible)
- that they would be willing to perform those services if you choose to
- utilize private address space.
-
-
- With the increasing popularity and reliability of address translation
- gateways, this practice is becoming more widely accepted. Cisco has acquired
- Network Translation, who manufacture such a product. It is now available as
- the Cisco Private Internet Exchange. With it, you can use any addressing you
- want on your private internet, and the gateway will ensure that the invalid
- addresses are converted before they go out onto the global Internet. It also
- makes a good firewall. Information on this product is available at
- http://www.cisco.com/warp/public/751/pix/index.html
-
- ------------------------------
-
- From: Question 25
- Date: 18 April 1995
- Subject: Is DHCP supported?
-
- DHCP, the Dynamic Host Configuration Protocol (RFC1533), is essentially
- a more extended and flexible version of BOOTP, which allows configuration
- parameters and other control information to be carried to hosts.
-
- Forwarding of DHCP packets (to a DHCP server elsewhere in the network) is
- supported in 9.21(4) and 10.0(3), as well as later releases.
-
- ------------------------------
-
- From: Question 26
- Date: 18 April 1995
- Subject: Where can I get cisco documentation?
-
- Cisco no longer distributes printed documentation with their routers;
- instead, they distribute a CDROM.
-
- Paper documentation may be purchased, however if you purchase a
- support contract, documentation is free.
-
- Cisco documentation is also available on the web -- if you have
- a fast Internet connection this may be more useful
- than the CD. Try:
-
- http://www.cisco.com/univercd/data/doc/product.htm
-
- ------------------------------
-
- From: Question 27
- Date: 18 April 1995
- Subject: What's the latest software for the CSC/3?
-
- The last supported release on the CSC/3 is 9.1(15). cisco
- does not plan to release further software for the CSC/3.
-
- ------------------------------
-
- From: Question 28
- Date: 19 May 1995
- Subject: What IP routing protocol should I use?
-
- This is a really complicated question, and a full answer
- is beyond the scope of this document. Here are the beginnings
- of an answer.
-
- Note that Hello is no longer shipped with cisco routers, and that EGP has been
- declared Historical (and thus obsolete) by the IETF. Don't use them.
-
-
- Protocol     RIP    HELLO  IGRP   OSPF   EIGRP  IS-IS  EGP    BGP4
- --------------------------------------------------------------------------
- Type         IGP    IGP    IGP    IGP    IGP    IGP    EGP    EGP
- Algorithm    DV     DV     DV     SPF    DUAL   SPF    DV     PV
- Metrics      Hopcnt Delay  Speed  Arb.   Speed  Arb.   Policy Policy
- Convergence  Slow   Unstb  Mdt    Fast   Fast   Fast   Slow   Fast
- Standard?    IETF   No     No     IETF   No     ISO    Hist.  IETF
- Complexity   Simple Simple Simple Complx Complx Complx Simple Complx
- Multipath?   Yes    Yes    Yes    Yes    Yes    Yes    Yes    [*]
- Var-netmask? No     No     No     Yes    Yes    Yes    No     YES
-
- Notes
- -----
-
- IGP = interior gateway protocol, used to build routing tables within an AS.
- EGP = exterior gateway protocol, used to communicate reachability
- information between AS's.
-
-
- Algorithms
- ----------
- DUAL = DV with diffusing update algorithm (Garcia-Luna-Aceves et al)
- DV = Distance Vector (Bellman-Ford)
- PV = "Path Vector"
- SPF = Shortest-path-first (Dijkstra)
-
- Metrics
- -------
-
- A metric is how the protocol measures the network to determine the
- "best" path.
-
- "Speed" refers typically to link speed, not available bandwidth.
- "Arb." indicates that the metrics are arbitrary and configurable.
-
- HELLO tried to use available bandwidth by monitoring round-trip delay,
- but was not generally successful at this.
-
- Metrics are not directly exchangeable when redistributing routing
- information from one protocol to another. IGRP and EIGRP use
- compatible and automatically convertible metrics.
-
- Convergence
- -----------
-
- Qualitatively, convergence measures how fast routers using this
- protocol will adapt to changes in the topology of the network.
-
- "Unstb" indicates a protocol which in general never settled on a
- stable configuration but continually oscillated between alternatives.
-
- Complexity
- ----------
-
- An observation of how complex the protocol is to implement.
-
- Multipath
- ---------
-
- Multipath indicates whether the protocol supports and transports
- multiple equal- or different-cost paths between endpoints.
-
- [*] indicates that BGP4 supports multipath for IBGP (Internal BGP, a
- full mesh of all border routers within an AS), but not for EBGP
- (External BGP).
-
- Variable netmask (Var-netmask)
- ------------------------------
-
- Indicates whether the protocol allows for and transports different
- masks for the subnets of a routed network.
-
- ------------------------------
-
- From: Question 29
- Date: 18 April 1995
- Subject: How do I interpret the output of ``show version''?
-
- Typing ``show version'' or ``show hardware'' yields a response like:
-
- prospect-gw.near.net>sh version
- Cisco Internetwork Operating System Software
- IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
-
- System-type (imagename) Version major.minor(release.interim)[who] Desc
-
- System-type: type of system the software is designed to run on.
- imagename: The name of the image. This is different (slightly) for
- run-from-rom, run-from-flash, and run-from-ram images, and also
- for subset images which both were and will be more common.
- "Version": text changes slightly. For example, if an engineer gives you
- a special version of software to try out a bug fix, this will say
- experimental version.
- Major: Major version number. Changes (in theory) when there have been
- major feature additions and changes to the software.
- Minor: minor version number. Smaller but still significant features added.
- (in reality, cisco is not very sure what the difference between
- "major" and "minor" is, and sometimes politics gets in the way,
- but either of these "incrementing" indicates feature additions.)
- EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is
- the base, 9.14 adds special features for low end systems, 9.17
- added special features specific to the high end (cisco-7000). This
- was an experiment that we are trying not to repeat.
- release: increments (1 2 3 4 ...) for each maintenance release of released
- software. Increments for every compile in some other places.
- interim: increments on every build of the "release tree", which happens
- weekly for each release, but is only made into a generically
- shipping maintenance release every 7 to 8 weeks or so.
- [who]: who built it. Has "fc 1" or similar for released software;
- has something like [billw 101] for test software built by Bill
- Westfield (billw@cisco.com).
- Desc: additional description.
-
- The idea is that the image name and version number UNIQUELY identify
- a set of sources and debugging information somewhere back at cisco,
- should anything go wrong.
-
- Copyright (c) 1986-1995 by cisco Systems, Inc.
- Compiled Thu 09-Mar-95 23:54 by tli
- Image text-base: 0x00001000, data-base: 0x00463EB0
-
- Copyright, compilation date (and by whom), as well as the
- starting address of the image.
-
- ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
- ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
-
- The version of ROM bootstrap software, and the version of IOS
- in ROM.
-
- prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
- System restarted by reload
-
- How long the router has been up, and why it restarted.
-
- System image file is "sse-current", booted via flash
-
- How the router was booted.
-
- RP (68040) processor with 16384K bytes of memory.
-
- Type of processor.
-
- G.703/E1 software, Version 1.0.
- X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
- Bridging software.
- ISDN software, Version 1.0.
-
- Various software options compiled in.
-
- 1 Silicon Switch Processor.
- 2 EIP controllers (8 Ethernet).
- 2 FSIP controllers (16 Serial).
- 1 MIP controller (1 T1).
- 8 Ethernet/IEEE 802.3 interfaces.
- 16 Serial network interfaces.
- 128K bytes of non-volatile configuration memory.
- 4096K bytes of flash memory sized on embedded flash.
-
- Hardware configuration.
-
- Configuration register is 0x102
-
- Lastly, the "configuration register", which may be set via
- software in current releases...
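-
- Added example (not from the FAQ): a Python parser for the ``show version'' fields walked
- through above, returning the version components in the major.minor(release.interim)[who]
- scheme plus uptime, boot source and configuration register. The findings() check flags a
- non-release build and two configuration-register bits whose meanings come from Cisco's
- documented register layout rather than from this FAQ. The sample text is assembled from
- the output quoted above.

```python
import re

# Constructed sample assembled from the ``sh version'' lines quoted in the FAQ.
SAMPLE = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
Compiled Thu 09-Mar-95 23:54 by tli

ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
System image file is "sse-current", booted via flash

Configuration register is 0x102
"""

# System-type (imagename) [kind] Version major.minor(release[.interim]) desc
VERSION_RE = re.compile(
    r"^(?:IOS \(tm\) )?(?P<system>[^(]+?) \((?P<image>[^)]+)\), "
    r"(?P<kind>(?:\w+ )?)Version (?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)(?P<desc>.*)$")
# [who] is [pst 113] for test builds and (fc1) or similar for released software
WHO_RE = re.compile(r"\[([^\]]+)\]|\((fc\d+)\)")


def parse_version_line(line):
    """Split one image/version line into its components, or return None."""
    m = VERSION_RE.match(line)
    if not m:
        return None
    who = WHO_RE.search(m["desc"])
    return {
        "system": m["system"], "image": m["image"], "kind": m["kind"].strip(),
        "major": int(m["major"]), "minor": int(m["minor"]),
        "release": int(m["release"]),
        "interim": int(m["interim"]) if m["interim"] else None,
        "who": (who[1] or who[2]) if who else None,
    }


def parse_show_version(text):
    """Collect the fields the FAQ walks through into one dictionary."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ROM: System Bootstrap,"):
            m = re.search(r"Version ([^,\s]+)", line)
            info["bootstrap"] = m[1] if m else None
            continue
        if line.startswith("ROM: "):
            v = parse_version_line(line[5:])
            if v:
                info["rom"] = v
            continue
        if line.startswith("Configuration register is "):
            info["config_register"] = int(line.rsplit(None, 1)[1], 16)
            continue
        m = re.match(r"^(\S+) uptime is (.+)$", line)
        if m:
            info["hostname"], info["uptime"] = m[1], m[2]
            continue
        m = re.match(r"^System restarted by (.+)$", line)
        if m:
            info["restart_reason"] = m[1]
            continue
        m = re.match(r'^System image file is "([^"]+)", booted via (\S+)', line)
        if m:
            info["image_file"], info["boot_via"] = m[1], m[2]
            continue
        v = parse_version_line(line)
        if v and "running" not in info:
            info["running"] = v  # first version line is the running image
    return info


def findings(info):
    """Points worth a second look during an inventory pass. Register bit meanings
    (0x40 = ignore NVRAM, 0x100 = Break disabled) are Cisco's, not the FAQ's."""
    out = []
    run = info.get("running")
    if run and run["kind"]:
        out.append(f"running a non-release ({run['kind']}) build")
    reg = info.get("config_register")
    if reg is not None:
        if reg & 0x0040:
            out.append("config register 0x40 set: startup config in NVRAM is ignored on reload")
        if not reg & 0x0100:
            out.append("config register 0x100 clear: console Break can interrupt the boot")
    return out


if __name__ == "__main__":
    parsed = parse_show_version(SAMPLE)
    print(parsed["running"], hex(parsed["config_register"]), findings(parsed))
```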
-
- ------------------------------
-
- From: Question 30
- Date: 22 April 1996
- Subject: What is the maximum number of Frame Relay PVCs?
-
- This is covered fairly thoroughly in Product Info/Product
- Bulletin/Frame Relay Broadcast Queue, Cisco Product Bulletin # 256,
- available on CIO.
-
- Via the web (requires CIO username and password)
- http://cio.cisco.com/warp/customer/417/38.html
-
- An excerpt:
-
- (Virtual Interfaces)
-
- It should be noted that in the IOS (Internetworking Operating System)
- 10.0 software there is a limit of 256 Virtual and physical
- interfaces. Hence, if each DLCI is given its own virtual interface,
- the router is limited to 256 DLCIs. This restriction is expected to be
- removed in a future release.
-
- In most scenarios, it is not necessary that each DLCI have its own
- Virtual Interface. In particular, IP has the facility which allows
- disabling of split-horizon routing and hence does not require Virtual
- Interfaces to support partial mesh topologies.
-
- (Appendix 1: How many DLCIs Can Cisco Support on an Interface?)
-
- This question is similar to the question of how many PCs can you put
- on an Ethernet. In general, you can put a lot more than you should
- given performance and availability constraints.
-
- When dimensioning a router in a large network, the following issues
- should be considered:
-
- DLCI Address Space: The only hard limit is the roughly 1000-DLCI
- limit due to the 10-bit DLCI address space in the Frame Relay frame
- header.
-
- LMI Status Update: The LMI protocol requires that all status reports
- fit into a single packet and generally limits the number of DLCIs to
- less than 800.
-
-
- Max DLCIs (approx) = (MTU - 20) / 5,
- where MTU is the MTU size in bytes on the Frame Relay link.
-
-
- Broadcast Replication: When sending, the router must replicate the
- packet on each DLCI, and this causes congestion on the access link. The
- Broadcast Queue reduces this problem. In general, the network should be
- designed to keep the routing update load below 20 percent of the
- access line speed. It is also important that memory requirements for
- the Broadcast Queue be considered. A good technique to reduce this
- restriction is the use of a default route or extending the update
- timers.
-
- Broadcast Receipt: When receiving, the router must receive updates
- from the network. The issue here is that the upstream switch can be
- overloaded and drop packets. When routing updates are dropped, routing
- instability occurs. Again, the receiving routing update load should be
- kept to less than 20 percent of the access link speed and preferably
- lower. Where very high speed links are used, a limit of 128 Kbit/s
- worth of routing updates is recommended.
-
- Routing Stability: When using a link state protocol to reduce the
- update traffic, the dimensioning should be done assuming the periodic
- update process and the worst case for Link State Updates (i.e.,
- assuming link and power instability). Dimensioning should not be based
- on the Hello traffic. As a rule of thumb, dimension assuming a
- distance vector protocol, but assume that extra bandwidth is available
- for user data.
-
- User Data Traffic: Clearly, the number of DLCIs is dependent on the
- traffic on each DLCI and the performance requirements to be met. In
- general, Frame Relay accesses should be run at lower loads than
- router-to-router links since the prioritisation capabilities are not
- as strong in many cases and in general the marginal costs of
- increasing access link speed are lower than with dedicated lines.
-
- Many of the issues covered here are included in the Internet Design
- Guide manual that Cisco provides.
-
- Update:
-
- The limit of 256 PVCs goes away in IOS 11.1. I think the number is now
- something like 1024 per router or some even more ludicrous number. There are
- still lots of reasons you never want to do that. ;-)
-
-
- ------------------------------
-
- From: Question 31
- Date: 18 April 1995
- Subject: How much memory is necessary to telnet to a cisco router?
-
- In order to login to a cisco router, it needs to have at least 64k
- of contiguous free memory.
-
- ------------------------------
-
- From: Question 32
- Date: 18 April 1995
- Subject: Where can I purchase flash RAM?
-
- There are two varieties:
-
- MEM-1X8F 8meg
- MEM-2X8F 16meg
-
- *******************************************************************************
- ******************************* 2500 ********************************
- ******************************* 8M Flash ********************************
- *******************************************************************************
- PRODUCT# QTY
- -------- ---
- MEM-1X8F 1
- MEM-2X8F 2
-
- Part Number: 16-0975-01
- Description: IC,FEPROM, 2Mx32,100ns,SIM80 SC: P REV: A0 S/UM: EA P/UM: EA
- -------------------------------------------------------------------------------
- VENDOR
- ITM MANUFACTURER'S PART CODE MANUFACTURER'S NAME
- --- -------------------- ---------- ------------------------------
- 1- 1 SM732C2000B-10 KITTING01 SMART MODULE
-
-
- Smart Modular is located in Fremont, California.
-
-
- For small orders, Smart Modular recommends you contact:
-
- PC Complete
- 800-849-4622.
-
- They carry both Flash RAM and DRAM.
-
- ------------------------------
-
- From: Question 32
- Date: 19 May 1995
- Subject: When are static routes redistributed?
-
- In the simple case, any static route *in the routing table* is
- redistributed if the ``redistribute static'' command is used, and some
- filter (set with either ``route-map'' or ``distribute-list out'')
- doesn't filter it out.
-
- Whether the static route gets into the routing table depends on:
-
- Whether the next hop address is reachable (if you use
- static route pointing to a next hop)
- OR
- Whether the interface is up (if you use static route
- pointing to an interface).
-
- If one of these is true, an attempt is made to add the route to the
- routing table; whether that succeeds depends on the administrative
- distance of the route -- a lower administrative distance (the route
- is "closer") than a preexisting route will cause the preexisting route
- to be overwritten.
-
- ------------------------------
-
- From: Question 33
- Date: 19 May 1995
- Subject: When is the next hop of a route considered ``reachable''?
-
- When a static route is added, or during an important event (eg:
- interface up/down transition), the next hop for a route is looked up
- from the routing table (i.e. recursive routing).
-
- As a consequence, if a route which is depended upon for evaluation
- of the next hop of a static route goes away, a mechanism is required
- to remove that (now-invalid) static route.
-
- Scanning all static routes each time the routing table changes is
- too expensive, so a periodic timer is used instead. Once a minute, static
- routes are added to and removed from the routing table based on the routes
- they depend upon.
-
- It should be noted that a particular static route will be reevaluated
- when its interface transitions up or down.
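The rules in Questions 32 and 33 as a small executable model, written for this FAQ as an added example (it is not the FAQ's nor Cisco's code): a static route is installed only if its next hop is covered by an installed route (recursive routing) or its interface is up, a preexisting route with a lower administrative distance keeps the prefix, a once-a-minute sweep drops statics whose dependency has gone, and only installed statics that pass the filter are redistributed. All addresses, interface names and distances are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str            # e.g. "10.0.0.0/8"
    distance: int          # administrative distance; lower is "closer"
    next_hop: str = None   # static route pointing to a next hop
    interface: str = None  # connected route, or static pointing to an interface
    static: bool = False

class RoutingTable:
    def __init__(self, interfaces_up):
        self.routes, self.up = {}, set(interfaces_up)   # prefix -> installed Route
    def resolvable(self, r):
        """Interface route: interface up.  Next-hop route: hop covered by an installed route."""
        if r.interface:
            return r.interface in self.up
        hop = ipaddress.ip_address(r.next_hop)          # recursive routing: look the hop up
        return any(hop in ipaddress.ip_network(x.prefix) for x in self.routes.values())
    def install(self, r):
        # Add r unless it is unresolvable or a lower-distance route already holds the prefix.
        cur = self.routes.get(r.prefix)
        if not self.resolvable(r) or (cur and cur.distance < r.distance):
            return False
        self.routes[r.prefix] = r
        return True
    def periodic_scan(self, statics):
        """Once-a-minute sweep: drop routes whose dependency vanished (cascading), retry statics."""
        while stale := [r for r in self.routes.values() if not self.resolvable(r)]:
            for r in stale:
                del self.routes[r.prefix]
        return [s.prefix for s in statics if self.install(s)]

def redistribute_static(table, permit):   # 'redistribute static' under a distribute-list/route-map
    return sorted(r.prefix for r in table.routes.values() if r.static and permit(r.prefix))

def demo():   # constructed scenario: a LAN, two OSPF routes, four statics; then the LAN goes down
    t = RoutingTable({"Ethernet0"})
    t.install(Route("192.0.2.0/24", 0, interface="Ethernet0"))
    t.install(Route("10.0.0.0/8", 110, next_hop="192.0.2.1"))
    t.install(Route("192.168.0.0/16", 110, next_hop="192.0.2.1"))
    statics = [Route("10.0.0.0/8", 1, "192.0.2.254", static=True),        # 1 < 110: replaces OSPF
               Route("192.168.0.0/16", 250, "192.0.2.254", static=True),  # floating: loses to OSPF
               Route("172.16.0.0/12", 1, "192.0.2.254", static=True),     # installed, then filtered
               Route("198.51.100.0/24", 1, "203.0.113.9", static=True)]   # next hop unresolvable
    installed = t.periodic_scan(statics)
    advertised = redistribute_static(t, lambda p: p != "172.16.0.0/12")
    t.up.discard("Ethernet0")            # LAN down: every dependency disappears
    return installed, advertised, t.periodic_scan(statics), sorted(t.routes)
```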
-
- ------------------------------
-
- From: Question 35
- Date: 22 April 1996
- Subject: How do name and phone number of ``dialer map'' interfere?
-
- How do name and phone number of `dialer map' interfere?
-
- We use the telephone number first actually. If the
- caller id matches the telephone number to call, then you don't need the
- 'name' parameter with a phone number.
-
- I realized that the above is ambiguous, so let's do this. You have:
-
- dialer map ip x.x.x.x name <param1> <phone-num>
-
- <param1> is used for incoming authentication. It can be either the hostname,
- for PAP and CHAP, or it can be a number as returned by caller id. If this
- is not there, and it is an incoming call, and there is caller id, we will
- compare against <phone-num> to see if that matches.
-
- Not sure I've been clear here.
-
- ------------------------------
-
- From: Question 36
- Date: 22 April 1996
- Subject: What's the purpose of the network command?
-
- >* what is the real purpose of the network subcommand of
- > router commands? When do I not want to include a network
- > I know about?
-
- The real purpose of the 'network' sub-command of the router commands is to
- indicate which of the networks this router is connected to are to be
- advertised in the indicated routing protocol or protocol domain. For
- example, if OSPF and EIGRP are configured, some subnets may be advertised
- in one and some in the other. The network command enables one to do this.
-
- An example of such a case is a secure subnet. Imagine the case where a set
- of subnets are permitted to communicate within a campus, but one of the
- buildings is intended to be inaccessible from the outside. By placing the
- secure subnet in its own network number and not advertising the number, the
- subnet is enabled to communicate with other subnets on the same router, but
- is unreachable from any other router, barring static routes. This can be
- extended by using a different routing protocol or routing protocol domain
- for the secure network; subnets on the various routers within the secure
- domain are mutually reachable, and routes from the non-secure domain may be
- leaked into the secure domain, but the secure domain is invisible to the
- outside world.
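A check for the secure-subnet case above, added here as an example (not from the FAQ or from Cisco): it parses a constructed IOS-style configuration, works out which interface subnets each routing process's network statements cover (an explicit wildcard for OSPF, the classful mask for EIGRP), and reports any process that would advertise the subnet meant to stay hidden. Interface names, addresses and process numbers are made up.

```python
import ipaddress
# Constructed IOS-style configuration (not from the FAQ).  Ethernet2 carries the "secure"
# subnet: it is on the router but deliberately covered by no network statement.
CONFIG = """\
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
interface Ethernet2
 ip address 10.9.9.1 255.255.255.0
interface Serial0
 ip address 172.16.5.1 255.255.255.252
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
router eigrp 100
 network 172.16.0.0
"""

def classful_wildcard(addr):
    """Classful protocols (EIGRP here; also RIP, IGRP) imply the wildcard from the address class."""
    first = int(addr.split(".")[0])
    bits = 8 if first < 128 else 16 if first < 192 else 24
    return (1 << (32 - bits)) - 1

def parse(config):
    """Return interface -> ip_interface and process -> [(network as int, wildcard as int)]."""
    ifaces, procs, cur, proc = {}, {}, None, None
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[0] == "interface":
            cur, proc = w[1], None
        elif w[0] == "router":
            proc, cur = f"{w[1]} {w[2]}", None
        elif w[:2] == ["ip", "address"] and cur:
            ifaces[cur] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[0] == "network" and proc:
            explicit = len(w) > 2 and w[2].count(".") == 3      # OSPF-style wildcard given
            wild = int(ipaddress.ip_address(w[2])) if explicit else classful_wildcard(w[1])
            procs.setdefault(proc, []).append((int(ipaddress.ip_address(w[1])), wild))
    return ifaces, procs

def advertised(config):
    """Interface subnets each process will advertise: an interface address matches a
    network statement when every bit outside the wildcard agrees."""
    ifaces, procs = parse(config)
    return {p: sorted(str(i.network) for i in ifaces.values()
                      if any((int(i.ip) ^ n) & (0xFFFFFFFF ^ w) == 0 for n, w in stmts))
            for p, stmts in procs.items()}

def leaks(config, secure):   # processes whose network statements would advertise `secure`
    return [p for p, nets in advertised(config).items() if secure in nets]
```

Widening the OSPF statement to `network 10.0.0.0 0.255.255.255 area 0` makes `leaks` report `ospf 1`, which is the mistake this check is meant to catch.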
-
- ------------------------------
-
- From: Question 37
- Date: 22 April 1996
- Subject: What is VLSM?
-
- A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing
- resources to subnets according to their individual need rather than some
- general network-wide rule. Of the IP routing protocols supported by Cisco,
- OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.
-
- Historically, EGP depended on the IP address class definitions, and
- actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP
- addresses (32 bit numbers); RIP and IGRP exchanged network and subnet
- numbers in 32 bit fields, the distinction between network number, subnet
- number, and host number being a matter of convention and not exchanged in
- the routing protocols. More recent protocols (see VLSM) carry either a
- prefix length (number of contiguous bits in the address) or subnet mask
- with each address, indicating what portion of the 32 bit field is the
- address being routed on.
-
- A simple example of a network using variable length subnet masks is found
- in Cisco engineering. There are several switches in the engineering
- buildings, configured with FDDI and Ethernet interfaces and numbered in
- order to support 62 hosts on each switched subnet; in actuality, perhaps
- 15-30 hosts (printers, workstations, disk servers) are physically attached
- to each. However, many engineers also have ISDN or Frame Relay links to
- home, and a small subnet there. These home offices typically have a router
- or two and an X terminal or workstation; they may have a PC or Macintosh as
- well. As such, they are usually configured to support 6 hosts, and a few
- are configured for 14. The point to point links are generally unnumbered.
-
- Using "one size fits all" addressing schemes, such as are found in RIP or
- IGRP, the home offices would have to be configured to support 62 hosts
- each; using numbers on the point to point links would further compound the
- address bloat.
-
- One configures the router for Variable Length Subnet Masking by configuring
- the router to use a protocol (such as OSPF or EIGRP) that supports this,
- and configuring the subnet masks of the various interfaces in the 'ip
- address' interface sub-command. To use supernets, one must further
- configure the use of 'ip classless' routes.
-
- ------------------------------
-
- From: Question 38
- Date: 22 April 1996
- Subject: What are some methods for conserving IP addresses for serial lines?
-
- VLSM and unnumbered point to point interfaces are the obvious ways.
-
- The 'ip unnumbered' subcommand indicates another interface or sub-interface
- whose address is used as the IP source address on messages that the router
- originates on the unnumbered interface, such as telnet or routing messages.
- By doing this, the router is reachable for management purposes (via the
- address of the one numbered interface) but consumes no IP addresses at all
- for its unnumbered links.
-
- When a serial ip interface connects several sites, as an SMDS link might,
- then the use of an appropriate subnet mask (and a routing protocol that can
- make good use of the information) will minimize address consumption.
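The address-bloat argument of Questions 37 and 38 worked through in code, as an added example that is not part of the FAQ: the allocator carves a block into subnets sized to each demand (largest first, so every subnet stays aligned), treats a demand of zero hosts as an unnumbered point-to-point link, and the demo compares that against a single network-wide mask in which every subnet, links included, must hold 62 hosts. The block, labels and counts are constructed.

```python
import ipaddress

def allocate(block, demands):
    """Carve `block` into subnets sized to each demand.  Allocating largest first keeps the
    cursor aligned to every later (smaller) subnet size.  demands: [(label, host_count)];
    host_count 0 is an 'ip unnumbered' point-to-point link and consumes nothing."""
    block = ipaddress.ip_network(block)
    cursor, plan = int(block.network_address), []
    for label, hosts in sorted(demands, key=lambda d: -d[1]):
        if hosts == 0:
            plan.append((label, None))
            continue
        size = 1 << (hosts + 1).bit_length()      # smallest power of two >= hosts + 2
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{32 - (size.bit_length() - 1)}")
        if net.broadcast_address > block.broadcast_address:
            raise ValueError(f"{block} exhausted at {label}")
        plan.append((label, net))
        cursor += size
    return plan

def consumed(plan):
    """Addresses taken out of the block, unnumbered links counting as zero."""
    return sum(n.num_addresses for _, n in plan if n is not None)

def demo():
    """The FAQ's engineering case with constructed counts: three switched subnets sized for
    62 hosts, eight home offices for 6 and two for 14, ten unnumbered point-to-point links,
    versus a RIP/IGRP-style single mask where every subnet (links included) holds 62 hosts."""
    demands = ([(f"switch{i}", 62) for i in range(3)] + [(f"home{i}", 6) for i in range(8)]
               + [(f"bighome{i}", 14) for i in range(2)] + [(f"link{i}", 0) for i in range(10)])
    vlsm = allocate("10.0.0.0/16", demands)
    one_size = allocate("10.0.0.0/16", [(label, 62) for label, _ in demands])
    return consumed(vlsm), consumed(one_size)
```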
-
- ------------------------------
-
- From: Question 39
- Date: 23 April 1996
- Subject: Why do some ip addresses get rejected?
-
- How come my cisco router doesn't accept an address like:
- "ip address 192.111.107.1 255.255.255.240"
- or "ip address 171.69.0.1 255.255.0.0"
-
- When "subnetting" of IP networks was first sanctioned by the IETF, the first
- and last subnets (the all zeros subnet and all ones subnet) were reserved for
- rather obscure uses and because of the confusion that would be caused with
- routing protocols that don't carry net mask information. It was technically
- illegal to place hosts or routers on those two subnets.
-
- Several hosts and most other vendors' router products have problems operating
- with the reserved subnets, so their use is discouraged. However, in 1995,
- the IETF removed the restrictions on the use of these reserved subnets as part
- of the classless routing effort.
-
- If you would like to use the reserved subnets, simply add the line
- "ip subnet-zero" to your cisco configuration.
-
- You might consider adding "ip subnet-zero" to all your configurations as a
- matter of course, to avoid being bitten by this in the future.
-
- ------------------------------
-
- From: Question 40
- Date: 27 April 1996
- Subject: How do 4xxx serial numbers correspond to models?
-
- show version serial # Label
- -------------------------------------------------------
- 4000 Rev A0 440xxxxx C4000
- 4000M Rev B0 445xxxxx C4000
- 4500 450xxxxx C4500
- 4500M 455xxxxx C4500
- 4700 470xxxxx C4700
-
- ------------------------------
-
- From: Question 41
- Date: 28 April 1996
- Subject: Where can I find more info on TACACS+?
-
- In addition to sundry cisco documentation and ftp-able
- info, there exists a TACACS+ mailing list.
-
- For more information, see http://www.disaster.com/tacplus/.
-
- ------------------------------
-
- From: Question 99
- Date: 19 May 1995
- Subject: Acknowledgements.
-
- The following people contributed to this FAQ, and their contributions
- are greatly appreciated, both questions and answers (in alpha order):
-
- Arpakorn Boonkongchuen <aboonkon@cisco.com>
- Robert Kiessling <Robert.Kiessling@rrze.uni-erlangen.de>
- "Ronnie B. Kon" <ronnie@cisco.com>
- Alain Martineau <amartineau@MacMartineau.ccr.hydro.qc.ca>
- Barton.Bruce@camb.com (Barton F. Bruce / CCA)
- Bill Miskovetz <misko@cisco.com>
- Charley Kline <cvk@uiuc.edu>
- Dave Katz <dkatz@cisco.com>
- Eriks Rugelis <eriks@YorkU.CA>
- Howard C. Berkowitz, PSC International, <hcb@world.std.com>
- Jim Forster <forster@cisco.com>
- John Wright
- Pete Siemsen <siemsen@skat.usc.edu>
- Phillip Remaker <remaker@cisco.com>
- Ran Atkinson <atkinson@itd.nrl.navy.mil>
- Sanjay Rungta <srungta@sedona.intel.com>
- Sean McGrath <SEAN@oak.his.ucsf.EDU>
- Srinivas Vegesna <svegesna@cisco.com>
- Steve Cunningham <steve@vf.ge.com>
- Warren Lavallee <warren@zion.ltw.org>
- William "Chops" Westfield <billw@cisco.com>
- atkinson@sundance.itd.nrl.navy.mil (Ran Atkinson)
- bpinsky@cisco.com (Bruce Pinsky)
- buk@taz.de (Burkhard Kohl)
- fred@cisco.com (Fred Baker)
- jerry@ksu.ksu.edu (Jerry Anderson)
- jhawk@panix.com (John Hawkinson)
- john@cisco.com (John Wright)
- john@gulfa.ods.gulfnet.kw (John Temples)
- paul@hawksbill.sprintmrn.com (Paul Ferguson)
- peter@ulisse.rhein-main.de (Peter Radig)
- tli@cisco.com (Tony Li)
- tom@park.uvsc.edu (Thomas R. Kimpton)
- vikas@Tudor.Com (Vikas Aggarwal)
- warner@cats.ucsc.edu (Jim Warner)
-
-