Amiga Plus 1995 #2

home *** CD-ROM | disk | FTP | other *** search

/ Amiga Plus 1995 #2 / Amiga Plus CD - 1995 - No. 2.iso / internet / faq / englisch / comp.dcom.sys.cisco < prev next >

Wrap

Text File | 1995-04-11 | 52.0 KB | 1,438 lines

Archive-name: cisco-networking-faq Last-modified: 1 November 1994 Version: 1.0 This FAQ is edited by John Hawkinson, <jhawk@panix.com>. I've been rather remiss in FAQ maintenance and editing from July, through October, but hopefully this should now be remedied. New stuff (please look this over): 20. How are packets switched? 21. How does one interpret buffer statistics? 22. How should I restrict access to my router? 23. What can I do about source routing? 24. Is there a block of private IP addresses I can use? Old administrivia: There should eventually be an html version of this FAQ available. Question should also be numbered, and perhaps divided into subcategories for large things (like ntp...); also, they need to be sorted. Please contribute answers to the questions in the Todo section! If your answer is somewhat complicated, posting would probably be best (to comp.dcom.sys.cisco). Otherwise, e-mail it to cisco-faq@panix.com. Please note that a LOT of these questions have been hanging around for some time, and if knowledgable people (including myself) could take the time to answer a few of them, that'd help. This draft FAQ is in RFC1153 digest format, so you can follow each question with your newsreader. I suppose that question-numbers should be moved to the From: field. Note that Date: fields represent last-modification times for the questions. Table of Contents ================= 1. How can I contact cisco? 2. What is this newsgroup? 3. What does ``cisco'' stand for? 4. How do I save the configuration of a cisco? 5. Where can I get ancillary software for my cisco? 6. Is there a World-Wide-Web (www) information source? 7. How can I get my cisco to talk to a third party router over 8. How can I get my cisco to talk to a 3rd-party router over Frame Relay? 9. How can I use debugging? 10. How can I use NTP (Network Time Protocol) with my cisco? 11. Sample Cisco NTP Configurations 12. How do I avoid the annoying DNS lookup if I have misspelled a command? 13. Tracing bad routing information 14. How to use access lists 15. The cisco boot process 16. Where can I get Cisco hardware? 17. Where can I get IETF documents (RFCs, STDs, etc.)? 18. Future features in cisco software 19. How do cisco routers rate performance-wise? 20. How are packets switched? 21. How does one interpret buffer statistics? 22. How should I restrict access to my router? 23. What can I do about source routing? 24. Is there a block of private IP addresses I can use? 25. Acknowledgements. todo: ===== * How to configure TACACS * What is SNMP and how can I use it? What software is available and how do I use Cisco enterprise MIBs? MIBs on ftp.cisco.com and CIO.cisco.com * Pointers to other s/w that's particularly useful in this sort of routing environment (like Charley Kline's VLSM program). * Pointers to other net resources, like comp.protocols.tcp-ip, RFCs, the firewalls mailing list, etc (bgpd?[or is it cidrd now? :-)]). * Hints about confusing and not-well documented things like xtacacs... * Comments on interoperability issues WRT other vendors. * What's SMARTnet, why should I subscribe, how much does it cost, and what do I get? * What should I name my router, my interfaces, etc.? * Should we adjust the buffer parameters on the routers? What should be the indicator before tunning the buffer parameters? How should one fine tune the buffer parapeters? * what routing protocol should I use? * what is the real purpose of the network subcommand of router commands? When do I not want to include a network I know about? * What is a VLSM and why would I want one? What supports them? * What is CIDR and why do I care (or a more general acronym decoder) ? * How do I configure my Cisco to use variable-length subnetting ? * What are some methods for conserving IP addresses for serial lines? * Is there a block of private network numbers I can use within my organization only? When should I use them? How do I access them from outside? * What do I do if I have to partition a network number? * Questions and answers about access lists access-list reference list (lots of questions on that) * I forgot to mention that routing DECnet over X.25 is a problem. * Where PD network applications for SLIP/PPP are. * What is HSRP and how does it work? When is it available (10.0) (Hot Standby Routing Protocol) * Should I run 9.1, 9.21, 10.0, 10.2, or what? Actual content. =============== ------------------------------ From: Question 1 Date: 31 October 1994 Subject: How can I contact cisco? Corporate address: cisco Systems 170 West Tasman Drive San Jose, CA 95134 The following phone numbers are available: Technical Assistance Center (TAC) +1 800 553 2447 (553 24HR) +1 800 553 6387 +1 408 526 8209 Customer Service (Documentation, Warranty & +1 800 553 6387 Contract Services, Order Status Engineering +1 800 553 2447 (553 24HR) On-site Services, Time & Materials Service +1 800 829 2447 (829 24HR) Corporate number / general +1 408 526 4000 Corporate FAX (NOT tech support) +1 408 526 4100 The above 800 numbers are US/Canada only. cisco can also be contacted via e-mail: tac@cisco.com Technical Assistance Center tac-euro@cisco.com European TAC cs-rep@cisco.com Literature and administrative (?) requests cs@cisco.com *UNRELIABLE*, special-interest, ``non-support'' Please follow the directions available on CIO before doing this. cisco provides an on-line service for information about their routers and other products, called CIO (cisco Information Online). telnet to cio.cisco.com for more details. The collective experience of this FAQ indicates that it is far wiser to open a case using e-mail than FAXes, which may be mislaid, shredded, etc. For those of you still in the paperfull office (unlike the rest of us), cisco Systems' new corporate address is: 170 West Tasman Drive San Jose, CA 95134 ------------------------------ From: Question 2 Date: 26 July 1994 Subject: What is this newsgroup? comp.dcom.sys.cisco, which is gatewayed to the mailing list cisco@spot.colorado.edu, is a newsgroup for discussion of cisco hardware, software, and related issues. Remember that you can also consult with cisco technical support. This newsgroup is not an official cisco support channel, and should not be relied upon for answers, particularly answers from cisco Systems employees. Until recently, the mailing list was gatewayed into the newsgroup, one-way. It is possible that this arrangement may resume at somet time in the future. ------------------------------ From: Question 3 Date: 31 October 1994 Subject: What does ``cisco'' stand for? cisco folklore time: At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present, various factions within the company have adopted a capital ``C'', while fierce traditionalists (as well as some others) continue to use the lowercase variant, as does the cisco Systems logo. This FAQ has chosen to use the lowercase variant throughout. cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were trying to come up with a name they did many searches for non similar names, and always came up with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't taken (although SYSCO may be confusingly similar sounding). There was an East Coast company which later was using the ``CISCO'' name (I think they sold in the IBM marketplace) they ended up having to not use the CISCO abberviation. Today many people spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in publications, etc. This lead to at least one amusing article headlined ``Cisco grows up''. This winter we will celebrate our 10th year. [This text was written in July of 1994 -jh] ------------------------------ From: Question 4 Date: 31 October 1994 Subject: How do I save the configuration of a cisco? If you have a tftp server available, you can create a file on the server for your router to write to, and then use the write network command. From a typical unix system: mytftpserver$ touch /var/spool/tftpboot/myconfig mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig myrouter#write net Remote host [10.7.0.63]? 10.7.0.2 Name of configuration file to write [myrouter-confg]? foobar Write file foobar on host 10.7.0.2? [confirm] y Additionally, there's a Macintosh TFTP server available: ftp://nic.switch.ch/software/mac/peterlewis/tftpd-100.sit.hqx Additionally, you can also use expect, available from: ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz ftp://ftp.cme.nist.gov/expect/expect.tar.gz or, in shar form from ftp.cisco.com. Expect allows you to write a script which telnets to the router and performs a ``write terminal'' command, or any other arbitrary set of command(s), using a structured scripting language (Tcl). ------------------------------ From: Question 5 Date: 5 July 1994 Subject: Where can I get ancillary software for my cisco? Try ftping to ftp://ftp.cisco.com/pub It's a hodgepodge collection of useful stuff, some maintained and some not. Some is also available from ftp://cio.cisco.com Vikas Aggarwal has a very customised tacacsd: A new version of xtacacsd is available via anonymous FTP from 'ftp.navya.com' (128.121.50.145) under pub/vikas/xtacacsd.shar. This version should also be available from ftp.cisco.com soon. ------------------------------ From: Question 6 Date: 26 July 1994 Subject: Is there a World-Wide-Web (www) information source? You can try the www homepage of this FAQ: http://www.panix.com/cisco-faq [still not there yet] or the cisco Educational Archive (CEA) home page: http://sunsite.unc.edu/cisco/cisco-home.html or the cisco Information Online (CIO) home page: http://www.cisco.com/ ------------------------------ From: Question 7 Date: 5 July 1994 Subject: How can I get my cisco to talk to a third party router over a serial link? You need to tell your cisco to use the same link-level protocol as the other router; by default, ciscos use a rather bare variant of HDLC (High-level Data Link Control) all link-level protocols use at some level/layer or another. To make your cisco operate with most other routers, you need to change the encapsulation from HDLC to PPP on the relevant interfaces. For instance: sewer-cgs#conf t Enter configuration commands, one per line. Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z interface serial 1 encapsulation ppp ^Z sewer-cgs#sh int s 1 Serial 1 is administratively down, line protocol is down Hardware is MCI Serial MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255 Encapsulation PPP, loopback not set, keepalive set (10 sec) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ [...] If you're still having trouble, you might wish to turn on serial interface debugging: sewer-cgs#ter mon sewer-cgs#debug serial-interface ------------------------------ From: Question 8 Date: 27 July 1994 Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay? You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of ``encapsulation frame-relay'') on your serial interface that's running frame relay if your frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf'' specifies that your cisco will use RFC1294-compliant encapsulation, rather than the default, RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verbotten by 1490, namely padding of the nlpid). If only a few routers in your frame relay cloud require this, then you can use the default encapsulation on everything and specify the exceptions with the frame-relay map command: frame-relay map ip 10.1.2.3 56 broadcast ietf ^^^^ (ietf stands for Internet Engineering Task Force, the body which evaluates Standards-track RFCs; this keyword is a misnomer as both RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step beneath a DS), and is effectively obsolete). ------------------------------ From: Question 9 Date: 26 July 1994 Subject: How can I use debugging? The ``terminal monitor'' command directs your cisco to send debugging output to the current session. It's necessary to turn this on each time you telnet to your router to view debugging information. After that, you must specify the specific types of debugging you wish to turn on; please note that these stay on or off until changed, or until the router reboots, so remember to turn them off when you're done. Debugging messages are also logged to a host if you have trap logging enabled on your cisco. You can check this like so: sl-panix-1>sh logging Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns) Console logging: level debugging, 66 messages logged Monitor logging: level debugging, 0 messages logged Trap logging: level debugging, 69 message lines logged Logging to 198.7.0.2, 69 message lines logged sl-panix-1> If you have syslog going to a host somewhere and you then set about a nice long debug session from a term your box is doing double work and sending every debug message to your syslog server. Additionally, if you turn on something that provides copious debugging output, be careful that you don't overflow your disk (``debug ip-rip'' is notorious for this). One solution to this is to only log severity ``info'' and higher: sl-panix-1#conf t Enter configuration commands, one per line. End with CNTL/Z. logging trap info The other solution is to just be careful and remember to turn off debugging. This is easy enough with: sl-panix-1#undebug all If you have a heavily loaded box, you should be aware that debugging can load your router. The console has a higher priority than a vty so don't debug from the console; instead, disable console logging: cix-west.cix.net#conf t Enter configuration commands, one per line. End with CNTL/Z. no logging console Then always debug from a vty. If the box is busy and you are a little too vigorous with debugging and the box is starting to sink, quickly run, don't walk to your console and kill the session on the vty. If you are on the console your debugging has top prioority and then the only way out is the power switch. This of course makes remote debugging a real sweaty palms adventure especially on a crowded box. Caveat debugger! Also, if you for some reason forget what the available debug commands are and don't have a manual handy, remember that's what on-line help is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under 9.21 and above, that gives you general categories, and you can check for more specific options by specifying the category: ``debug ip ?''. As a warning, the ``logging buffered'' feature causes all debug streams to be redirected to an in-memory buffer, so be careful using that. Lastly, if you're not sure what debugging criteria you need, you can try ``debug all''. BE CAREFUL! It is way useful, but only in a very controlled environment, where you can turn off absolutely everything you're not interested in. Saves a lot of thinking. Turning it on on a busy box can quickly cause meltdown. ------------------------------ From: Question 10 Date: 5 July 1994 Subject: How can I use NTP (Network Time Protocol) with my cisco? >What level of software is required for NTP support in >a Cisco router? 9.21 or above. >Which Cisco routers support NTP? It is a software feature exclusively. Anything that supports 9.21 or 10 will run NTP (when running that s/w). >How do I set it up? The basic hook is: ntp server <host> [version n] or ntp peer <host> [version n] depending on whether you want a client/server or peer relationship. There's a bunch of other stuff available for MD5 authentication, broadcast, access control, etc. You can also use the context-sensitive help feature to puzzle it out; try ``ntp ?'' in config mode. You'll also want to play with the SHOW NTP * router commands. Here are two examples. EXAMPLE 1: router# show ntp assoc address ref clock st when poll reach delay offset disp +~128.9.2.129 .WWVB. 1 109 512 377 97.8 -2.69 26.7 *~132.249.16.1 .GOES. 1 309 512 357 55.4 -1.34 27.5 * master (synced), # master (unsynced), + selected, - candidate, ~ configured EXAMPLE 2: router#show ntp stat Clock is synchronized, stratum 2, reference is 132.249.16.1 nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19 reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994) clock offset is -1.34 msec, root delay is 55.40 msec root dispersion is 41.29 msec, peer dispersion is 28.96 msec For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco. For broader NTP info, see ftp://louie.udel.edu:pub/ntp/doc. The file clock.txt in that directory has info about various public NTP servers. There is also information on radio time receivers that can be connected to an NTP server (this is handy on private networks, if you have an entire campus to get chiming, or if you become a hard core chimer). The ``ntp clock-period'' command is added automagically to jump-start the NTP frequency compensation when the box is rebooted. This is essentially a representation of the frequency of the crystal used as the local timebase, and may take several days to calculate otherwise. (Do a ``write mem'' after a week or so to save a good value.) Caveat: Note that the CS-500 will not be able to achieve quite the same level of accuracy as other platforms, since its hardware clock resolution is roughly 242Hz instead of the 1MHz available on other platforms. In practice this shouldn't matter for anyone other than true time geeks. ---------------------------------------------------------------------- From: Question 11 Date: 5 July 1994 Subject: Sample Cisco NTP Configurations You will need to substitute your own NTP peers, timezones, and GMT offsets into the examples below, of course. Example 1 is in US Central Time Zone, while example 3 is in US Pacific Time Zone. Both account for normal US Daylight Savings Time practices. EXAMPLE 1 (Charley Kline): ... clock timezone CST -6 clock summer-time CDT recurring ntp source eth 0 ntp peer <host1> ntp peer <host2> ntp peer <host3> ... EXAMPLE 2 (Tony Li): ... ntp source Ethernet0/0 ntp update-calendar ntp peer <host1> ntp peer <host2> prefer ... EXAMPLE 3 (Dave Katz): ... service timestamps debug datetime localtime service timestamps log datetime localtime clock timezone PST -8 clock summer-time PDT recurring interface Ethernet0 ip address <mumble> ntp broadcast ntp clock-period 17180319 ntp source Ethernet0 ntp server <host1> ntp server <host2> ntp server <host3> COMMENTS ON EXAMPLE 3: The config file is commented with date and time (and user id, if TACACS is enabled) when the system thinks the clock is accurate. I've enabled timestamping of debug and syslog messages. I send NTP broadcast packets out onto the local ethernet. I'm in Pacific Standard Time, with U.S. standard daylight saving time rules. I use the IP address of the ethernet as the source for all NTP packets. ------------------------------ From: Question 12 Date: 5 July 1994 Subject: How do I avoid the annoying DNS lookup if I have misspelled a command? By default, all lines are configured to automatically try a telnet connection if the first word in a input line is not recognized as a valid command. You can disable this by setting ``transport preferred none'' on every line (con, aux and vty). For instance: sl-panix-1#conf t Enter configuration commands, one per line. End with CNTL/Z. line vty 0 10 transport preferred none You can see the number of vty's currently configuered with ``show lines'' Also, you can suspend connect attempts with ^^ followed by ``x'', ie shift-cntrl-6 x. [It has been suggested that ``no ip ipname-lookup'' to turn off IEN116 helps. I think this is the default -jh ] ------------------------------ From: Question 13 Date: 31 Oct 1994 Subject: Tracing bad routing information or: How do I find out which non-Cisco systems on my networks generate IP-RIP information without letting them mess up my routing tables. Here you could work with a default administrative distance. Administrative distance is the basis upon which the cisco prefers routing information of one protocol over another. In this example: router rip network 192.125.254.0 distance 255 distance 120 192.125.254.17 ! list all valid RIP suppliers [...] the value 255 has the implicit meaning of not putting this information into the routing table. Therefore, setting an administrative distance of 255 means that all RIP suppliers are by default accepted but their information is not put into the routing table. The administrative distance for the router 192.125.244.17 has been reset to the default (for RIP) of 120, causing its routes to be accepted into the routing table. Then you can look them up with ``show ip protocols'' and restore the original administrative distance for the ones you want to fill in the routing table. The same results can be acheived with an ip access-list, but with that, ``show ip protocols'' will only show the valid ones. But often it is more useful to see which systems were generating routing information at all. This trick works for other routing protocols as well, but please select the proper adminstrative distance (rather than 120) for the protocol you're using. ------------------------------ From: Question 14 Date: 5 July 1994 Subject: How to use access lists [The following is wholesale included; at some point it'll probably be editted a bit and reformatted... -jh] Frequently Asked Questions contributed by Howard C. Berkowitz PSC International hcb@world.std.com @clark.net [probably will be my permanent personal account] PSC's domain is in mid-setup Where in the router are access lists applied? In general, Basic access lists are executed as filters on outgoing interfaces. Newer releases of the Cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports. Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming interfaces in earlier releases. There are also special cases involving console access. Rules, written as ACCESS-LIST statements, are global for the entire Cisco box; they are activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the INTERFACE major command. Filters are applied after traffic has entered on an incoming interface and gone through a routing process; traffic that originates in a router (e.g., telnets from the console port) is not subject to filtering. +-------------------+ | GLOBAL | | | | Routing | | ^ v Access | | ^ v Lists | +-^--v--------^---v-+ | ^ v ^ v | | ^ v ^ v | A----------->|-| |>>>>Access >>----------->B |1 Group 2 | <------------| |<----------- | | | | +-------------------+ Some types of ``filter,'' using ``filter'' as a broader class than ACCESS-LIST, can operate on incoming traffic. For example, the INPUT- SAP-FILTER used for Novell networks is applied to Service Advertisement Packets (SAP) seen at incoming interfaces. In general, incoming filtering can only be done for ``system'' rather than user traffic. Rules of thumb in defining access lists. First, define what you want to do and in which directions. An informal drawing is a good first step. As opposed to the usual connectivity drawings among routers, it's often convenient to draw unidirectional links between routers. Second, informally write out your filtering rules. In general, it is best to go from most specific to least specific. Modify the order of writing things to minimize the number of rules needed. Third, determine which rules need to be on which routers. Explicitly consider the direction of flow, and the possible existence of additional paths that could inadvertently bypass a filter. Can a Cisco router be a ``true'' firewall? This depends on the definition of firewall. Some writers (e.g., Gene Spafford in _Practical UNIX Security_) define a firewall as a host on which an ``inside'' and/or an ``outside'' application process run, with application-level code linking the two. For example, a firewall might provide FTP access to the outside world, but it would not also provide direct FTP service to the inside world. To place a file on the FTP external server, a designated user would explicitly log onto the FTP server, transfer a file to the server, and log off. The firewall prevents direct FTP connectivity between the inside and outside networks; only indirect, application-level connectivity is allowed. Firewalls of this sort are complemented by chokes, which filter on network addresses and/or port numbers. Cisco routers cannot do application-level control with access control lists. Other authors do not distinguish between chokes and filters. Using the loose definition that a firewall is anything that selectively blocks access from the inside to the outside, routers can be firewalls. IP Specific ----------- Can the ``operand'' field be used with a protocol keyword of IP to filter on protocol ID? No. Operand filtering only works for TCP and UDP port numbers. How can I prevent traffic for a certain Internet application to flow in one direction but not the other? Remember that Internet applications flow from client port to server port. Denying traffic from port 23, for example, blocks flow from the client to the server. +-------------------+ | | A----------->| |----------->B |1 2| <------------| |<----------- | | +-------------------+ If we deny traffic to Port 23 of address B by placing a filter at interface 2, we have blocked A's ability to telnet to B, but not B's ability to telnet to A. A second filter at interface A would be needed to block telnet in both directions. Assume that we only have the filter at interface 2. Telnets to A from B will not be affected because the filter at 2 does not check incoming traffic. ------- With the arrival of in-bound access lists in 9.21, it should be noted that both inbound and access lists are about equally efficient, in case any of you were wondering. ------------------------------ From: Question 15 Date: 26 July 1994 Subject: The cisco boot process What really happens when a Cisco router boots, from boot start to live interfaces? First it boots the ROM os version. It reads the config. Now, it realizes that you want to netboot. It loads the netbooted copy in on top of itself. It then re-initializes the box and re-reads the config. Manly, yes, but we like it too.... [[ Ummm... in particular it loads the netbooted copy in as WELL as itself, decompresses it, if necessary, and THEN loads on top of itself. Note that this is important because it tells you what the memory requirements are for netbooting: RAM for ROM image (if it's a run from RAM image), plus dynamic data structures, plus RAM for netbooted image. ]] The four ways to boot and what happens (sort of): I (from bootstrap mode) The ROM monitor is running. The I command causes the ROM monitor to walk all of the hardware in the bus and reset it with a brute force hammer. If the bits in the config register say to auto-boot, then goto B B (from bootstrap mode) Load the OS from ROM. If a name is given, tell that image to start silently and then load a new image. If the boot system command is given, then start silently and load a new image. powercycle Does some delay stuff to let the power settle. Goto I. reload (from the EXEC) Goto I. ------------------------------ From: Question 16 Date: 26 July 1994 Subject: Where can I get Cisco hardware? [ It is with great relucatance that I list any one vendor. I would appreciate some commentary as to whether doing so is a good idea. Also, other vendors would be a good thing. -jh You might try: Comstar, Inc. 5250 W. 74th Street Minneapolis, MN 55439 P: 612-835-5502 F: 612-835-1927 Mr. Bill Lunger ------------------------------ From: Question 17 Date: 26 July 1994 Subject: Where can I get IETF documents (RFCs, STDs, etc.)? Where and how to get new RFCs ============================= RFCs may be obtained via EMAIL or FTP from many RFC Repositories. The Primary Repositories will have the RFC available when it is first announced, as will many Secondary Repositories. Some Secondary Repositories may take a few days to make available the most recent RFCs. Primary Repositories: RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET, NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK, FTP.CONCERT.NET, or FTP.SESQUI.NET. 1. DS.INTERNIC.NET - InterNIC Directory and Database Services RFC's may be obtained from DS.INTERNIC.NET via FTP, WAIS, and electronic mail. Through FTP, RFC's are stored as rfc/rfcnnnn.txt or rfc/rfcnnnn.ps where 'nnnn' is the RFC number. Login as "anonymous" and provide your e-mail address as the password. Through WAIS, you may use either your local WAIS client or telnet to DS.INTERNIC.NET and login as "wais" (no password required) to access a WAIS client. Help information and a tutorial for using WAIS are available online. The WAIS database to search is "rfcs". Directory and Database Services also provides a mail server interface. Send a mail message to mailserv@ds.internic.net and include any of the following commands in the message body: document-by-name rfcnnnn where 'nnnn' is the RFC number The text version is sent. file /ftp/rfc/rfcnnnn.yyy where 'nnnn' is the RFC number. and 'yyy' is 'txt' or 'ps'. help to get information on how to use the mailserver. The InterNIC Directory and Database Services Collection of Resource Listings, Internet Documents such as RFCs, FYIs, STDs, and Internet Drafts, and Publically Accessible Databases are also now available via Gopher. All our collections are waisindexed and can be searched from the Gopher menu. To access the InterNIC Gopher Servers, please connect to "internic.net" port 70. contact: admin@ds.internic.net 2. NIS.NSF.NET To obtain RFCs from NIS.NSF.NET via FTP, login with username "anonymous" and password "guest"; then connect to the directory of RFCs with cd /internet/documents/rfc. The file name is of the form rfcnnnn.txt (where "nnnn" refers to the RFC number). For sites without FTP capability, electronic mail query is available from NIS.NSF.NET. Address the request to NIS-INFO@NIS.NSF.NET and leave the subject field of the message blank. The first text line of the message must be "send rfcnnnn.txt" with nnnn the RFC number. contact: rfc-mgr@merit.edu 3. NISC.JVNC.NET RFCs can also be obtained via FTP from NISC.JVNC.NET, with the pathname rfc/RFCnnnn.TXT.v (where "nnnn" refers to the number of the RFC and "v" refers to the version number of the RFC). JvNCnet also provides a mail service for those sites which cannot use FTP. Address the request to SENDRFC@JVNC.NET and in the subject field of the message indicate the RFC number, as in "Subject: RFCnnnn" where nnnn is the RFC number. Please note that RFCs whose number are less than 1000 need not place a "0". (For example, RFC932 is fine.) No text in the body of the message is needed. contact: Becker@NISC.JVNC.NET 4. FTP.ISI.EDU RFCs can be obtained via FTP from FTP.ISI.EDU, with the pathname in-notes/rfcnnnn.txt (where "nnnn" refers to the number of the RFC). Login with FTP username "anonymous" and password "guest". RFCs can also be obtained via electronic mail from ISI.EDU by using the RFC-INFO service. Address the request to "rfc-info@isi.edu" with a message body of: Retrieve: RFC Doc-ID: RFCnnnn (Where "nnnn" refers to the number of the RFC (always use 4 digits - the DOC-ID of RFC 822 is "RFC0822")). The RFC-INFO@ISI.EDU server provides other ways of selecting RFCs based on keywords and such; for more information send a message to "rfc-info@isi.edu" with the message body "help: help". contact: RFC-Manager@ISI.EDU 5. WUARCHIVE.WUSTL.EDU RFCs can also be obtained via FTP from WUARCHIVE.WUSTL.EDU, with the pathname info/rfc/rfcnnnn.txt.Z (where "nnnn" refers to the number of the RFC and "Z" indicates that the document is in compressed form). At WUARCHIVE.WUSTL.EDU the RFCs are in an "archive" file system and various archives can be mounted as part of an NFS file system. Please contact Chris Myers (chris@wugate.wustl.edu) if you want to mount this file system in your NFS. contact: chris@wugate.wustl.edu 6. SRC.DOC.IC.AC.UK RFCs can be obtained via FTP from SRC.DOC.IC.AC.UK with the pathname rfc/rfcnnnn.txt.Z or rfc/rfcnnnn.ps.Z (where "nnnn" refers to the number of the RFC). Login with FTP username "anonymous" and password "your-email-address". To obtain the RFC Index, use the pathname rfc/rfc-index.txt.Z. (The trailing .Z indicates that the document is in compressed form.) SRC.DOC.IC.AC.UK also provides an automatic mail service for those sites in the UK which cannot use FTP. Address the request to info-server@doc.ic.ac.uk with a Subject: line of "wanted" and a message body of: request sources topic path rfc/rfcnnnn.txt.Z request end (Where "nnnn" refers to the number of the RFC.) Multiple requests may be included in the same message by giving multiple "topic path" commands on separate lines. To request the RFC Index, the command should read: topic path rfc/rfc-index.txt.Z The archive is also available using NIFTP and the ISO FTAM system. contact: ukuug-soft@doc.ic.ac.uk 7. FTP.CONCERT.NET To obtain RFCs from FTP.CONCERT.NET via FTP, login with username "anonymous" and your internet e-mail address as password. The RFCs can be found in the directory /rfc, with file names of the form: rfcNNNN.txt or rfcNNNN.ps where NNNN refers to the RFC number. This repository is also accessible via WAIS and the Internet Gopher. contact: rfc-mgr@concert.net 8. FTP.SESQUI.NET RFCs can be obtained via FTP from FTP.SESQUI.NET, with the pathname pub/rfc/rfcnnnn.xxx (where "nnnn" refers to the number of the RFC and xxx indicates the document form, txt for ASCII and ps for Postscript). At FTP.SESQUI.NET the RFCs are in an "archive" file system and various archives can be mounted as part of an NFS file system. Please contact RFC-maintainer (rfc-maint@sesqui.net) if you want to mount this file system in your NFS. contact: rfc-maint@sesqui.net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Secondary Repositories: Sweden ------ Host: sunic.sunet.se Directory: rfc Host: chalmers.se Directory: rfc Germany ------- Site: EUnet Germany Host: ftp.Germany.EU.net Directory: pub/documents/rfc France ------ Site: Institut National de la Recherche en Informatique et Automatique (INRIA) Address: info-server@inria.fr Notes: RFCs are available via email to the above address. Info Server manager is Mireille Yamajako (yamajako@inria.fr). Netherlands ----------- Site: EUnet Host: mcsun.eu.net Directory: rfc Notes: RFCs in compressed format. France ------ Site: Centre d'Informatique Scientifique et Medicale (CISM) Contact: ftpmaint@univ-lyon1.fr Host: ftp.univ-lyon1.fr Directories: pub/rfc/* Classified by hundreds pub/mirrors/rfc Mirror of Internic Notes: Files compressed with gzip. Online decompression done by the FTP server. Finland ------- Site: FUNET Host: funet.fi Directory: rfc Notes: RFCs in compressed format. Also provides email access by sending mail to archive-server@funet.fi. Norway ------ Host: ugle.unit.no Directory: pub/rfc Denmark ------- Site: University of Copenhagen Host: ftp.denet.dk Directory: rfc Australia and Pacific Rim ------------------------- Site: munnari Contact: Robert Elz <kre@cs.mu.OZ.AU> Host: munnari.oz.au Directory: rfc rfc's in compressed format rfcNNNN.Z postscript rfc's rfcNNNN.ps.Z United States ------------- Site: cerfnet Contact: help@cerf.net Host: nic.cerf.net Directory: netinfo/rfc Site: NASA NAIC Contact: rfc-updates@naic.nasa.gov Host: naic.nasa.gov Directory: files/rfc Site: NIC.DDN.MIL (DOD users only) Contact: NIC@nic.ddn.mil Host: NIC.DDN.MIL Directory: rfc/rfcnnnn.txt Note: DOD users only may obtain RFC's via FTP from NIC.DDN.MIL. Internet users should NOT use this source due to inadequate connectivity. Site: uunet Contact: James Revell <revell@uunet.uu.net> Host: ftp.uu.net Directory: inet/rfc UUNET Archive ------------- UUNET archive, which includes the RFC's, various IETF documents, and other information regarding the internet, is available to the public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and will be available via an anonymous kermit server soon. Get the file /archive/inet/ls-lR.Z for a listing of these documents. Any site in the US running UUCP may call +1 900 GOT SRCS and use the login "uucp". There is no password. The phone company will bill you at $0.50 per minute for the call. The 900 number only works from within the US. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Requests for special distribution of RFCs should be addressed to either the author of the RFC in question, to NIC@INTERNIC.NET. Submissions for Requests for Comments should be sent to RFC-EDITOR@ISI.EDU. Please consult "Instructions to RFC Authors", RFC 1543, for further information. Requests to be added to or deleted from the RFC distribution list should be sent to RFC-REQUEST@NIC.DDN.MIL. Changes to this file "rfc-retrieval.txt" should be sent to RFC-MANAGER@ISI.EDU. ------------------------------ From: Question 18 Date: 27 July 1994 Subject: Future features in cisco software [This could be more fleshed out, but Philip sent these in. -jh] IPXWAN support added in 10.0 BGP4 support added in 10.0 Kerberos not yet available ------------------------------ From: Question 19 Date: 27 July 1994 Subject: How do cisco routers rate performance-wise? People often ask about performance of the cisco routers and are shyed away from answering their questions because we don't know where to send them. Scott Bradner keeps the results of his performance tests on the Internet. You can find them for ftp on the system hsdndev.harvard.edu in the /pub/ndtl. There is a README file in that directory that explains what is available. In addition, cisco has just started publishing a piece of literature called ``The Harvard Benchmark Test Results: Summary of Cisco Systems Performance''. The only number I can find on the doc is Lit. #700901. Don't know if you can order it by this number, but at least there's a title to go on. ------------------------------ From: Question 20 Date: 31 October 1994 Subject: How are packets switched? There are 4 types of switching (in order of increasing performance). process switching fast switching autonomous switching silicon switching Autonomous switching is done in the switch processor. Silicon switching is done in the silicon switching engine (creative, eh? ;-). The silicon switch processor (SSP) is the board which combines both the switch processor and a silicon switching engine. Process and fast switching support inbound and outbound, simple and extended, access lists. The SSP supports simple outbound access lists. ------------------------------ From: Question 21 Date: 31 October 1994 Subject: How does one interpret buffer statistics? Buffer statistics may be obtained with: mit2-gw.near.net>sh buffers Buffer elements: 433 in free list (500 max allowed) 82320311 hits, 0 misses, 0 created Small buffers, 104 bytes (total 202, permanent 120): 185 in free list (20 min, 250 max allowed) 34289219 hits, 4297 misses, 1307 trims, 1389 created Middle buffers, 600 bytes (total 104, permanent 90): 102 in free list (10 min, 200 max allowed) 6829533 hits, 1432 misses, 483 trims, 497 created Big buffers, 1524 bytes (total 90, permanent 90): 90 in free list (5 min, 300 max allowed) 3403884 hits, 56 misses, 1 trims, 1 created Large buffers, 5024 bytes (total 5, permanent 5): 5 in free list (0 min, 30 max allowed) 49984 hits, 13 misses, 20 trims, 20 created Huge buffers, 18024 bytes (total 0, permanent 0): 0 in free list (0 min, 4 max allowed) 0 hits, 0 misses, 0 trims, 0 created 5683 failures (0 no memory) You can interpret them: Total Number of buffers of that size that exist. Free Number of free buffers. Max Maximum size that the free list can grow to before we start throwing them away. Hit Buffer got used. Miss Someone requested a buffer and we had to go carve it up out of free memory. If we couldn't because we were at interrupt level, it's also an allocation failure. If we couldn't because we were out of memory, then it's also a ``no memory'' failure. Trim There are more free buffers on the free list than there need to be and we threw some away. Create Number of buffers we created after a miss. ------------------------------ From: Question 22 Date: 1 November 1994 Subject: How should I restrict access to my router? Many admins are concerned about unauthorized access to their routers from malicious people on the Internet; one way to prevent this is to restrict access to your router on the basis of IP address. Many people do this, however it should be noted that a significant number of network service providers allow unrestricted access to their routers to allow others to debug, examine routes, etc. If you're comfortable doing this, so much the better, and we thank you! If you wish to restrict access to your router, select a free IP access list (numbered from 1-100) -- enter ``sh access-list'' to see those numbers in use. yourrouter#sh access-list Standard IP access list 5 permit 192.94.207.0, wildcard bits 0.0.0.255 Next, enter the IP addresses you wish to allow access to your router from; remember that access lists contain an implicit "deny everything" at the end, so there is no need to include that. In this case, 30 is free: yourrouter#conf t Enter configuration commands, one per line. End with CNTL/Z. yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255 yourrouter(config)#^Z (This permits all IP addreses in the network 172.30.0.0, i.e. 172.30.*.*). Enter multiple lines for multiple addresses; be sure that you don't restrict the address you may be telnetting to the router from. Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply the access list to. In this example, I want lines 2 through 12: yourrouter#sh line Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns 0 CTY - - - - - 0 0 0/0 1 AUX 9600/9600 - - - - - 1 3287605 1/0 * 2 VTY 9600/9600 - - - - 7 55 0 0/0 3 VTY 9600/9600 - - - - 7 4 0 0/0 4 VTY 9600/9600 - - - - 7 0 0 0/0 5 VTY 9600/9600 - - - - 7 0 0 0/0 6 VTY 9600/9600 - - - - 7 0 0 0/0 7 VTY 9600/9600 - - - - 7 0 0 0/0 8 VTY 9600/9600 - - - - 7 0 0 0/0 9 VTY 9600/9600 - - - - 7 0 0 0/0 10 VTY 9600/9600 - - - - 7 0 0 0/0 11 VTY 9600/9600 - - - - - 0 0 0/0 12 VTY 9600/9600 - - - - - 0 0 0/0 Apply the access list to the relevant lines: yourrouter#conf t Enter configuration commands, one per line. End with CNTL/Z. yourrouter(config)#line 2 12 yourrouter(config-line)# access-class 30 in yourrouter(config-line)# ^Z (This apply access list 30 to lines 2 through 12.) Be sure to save your configuration with ``write mem''. Please note that access lists for incoming telnet connections do NOT cause your router to perform significant CPU work, unlike access lists on interfaces. ------------------------------ From: Question 23 Date: 1 November 1994 Subject: What can I do about source routing? What *is* source routing? Soure routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes. For more information on source routing, see RFC791. Unfortunately, source routing is often abused by malicious users on the Internet (and elsewhere), and used to make a machine (A), think it is talking to a different machine (B), when it is really talking to a third machine (C). This means that C has control over B's ip address for some purposes. The proper way to fix this is to configure machine A to ignore source-routed packets where appropriate. This can be done for most unix variants by installing a package such as Wietse Venema, <wietse@wzv.win.tue.nl>,'s tcp_wrapper: ftp://cert.org:pub/tools/tcp_wrappers For some operating systems, a kernel patch is required to make this work correctly (notably SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which turns all source routing off; I'm not sure where this is available, but I believe it was posted to the firewalls list by Brad Powell soimetime in mid-1994. If disabling source routing on all your clients is not posssible, a last resort is to disable it at your router. This will make you unable to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both of which use LSRR (Loose Source Record Route, 2 IP options, the first of which is a type of source routing), but may be necessary for some. If so, you can do this with foo-e-0#conf t Enter configuration commands, one per line. End with CNTL/Z. foo-e-0(config)#no ip source-route foo-e-0(config)#^Z It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding of source-routed packets through the router, for all interfaces, as well as source-routed packets to the router (the last is unfortunate for the purposes of ``traceroute -g''). ------------------------------ From: Question 24 Date: 1 November 1994 Subject: Is there a block of private IP addresses I can use? Yes there is, however whether you wish to do so is an issue of some debate. There are two RFCs which discuss this issue, and present opposing views: 1597 Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg & G. de Groot. March 1994. (Format: TXT=17430 bytes) 1627 Network 10 Considered Harmful (Some Practices Shouldn't be Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994. (Format: TXT=18823 bytes) Neither one of these RFCs is anything more than a set of informational guidelines; they are *not* words to live by (remember that RFC stands for Request For Comments). Nevertheless, both comment cogently on this issue, a full discussion of which is outside the scope of this document. If you're seriously considering using private IP addresses, please read them both (see question 17, ``Where can I get IETF documents'') to find them. Additionally, it is likely that a third RFC will be coming out shortly that discusses both sides of the issue; watch this space for details. In any event, RFC 1597 documents the allocation of the following addresses for use by ``private internets'': 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Most importantly, it is vital that nothing using these addresses should ever connect to the global Internet, or have plans to do so. Please read the above RFCs before considering implementing such a policy. ------------------------------ From: Question 25 Date: 5 July 1994 Subject: Acknowledgements. The following people contributed to this FAQ, and their contributions are greatly appreciated, both questions and answers (in alpha order): "Ronnie B. Kon" <ronnie@cisco.com> Alain Martineau <amartineau@MacMartineau.ccr.hydro.qc.ca> Charley Kline <cvk@uiuc.edu> Dave Katz <dkatz@cisco.com> Howard C. Berkowitz, PSC International, <hcb@world.std.com> Jim Forster <forster@cisco.com> John Wright Pete Siemsen <siemsen@skat.usc.edu> Phillip Remaker <remaker@cisco.com> Ran Atkinson <atkinson@sundance.itd.nrl.navy.mil> Sanjay Rungta~ <srungta@sedona.intel.com> Sean McGrath <SEAN@oak.his.ucsf.EDU> Steve Cunningham <steve@vf.ge.com> atkinson@sundance.itd.nrl.navy.mil (Ran Atkinson) buk@taz.de ($ Burkhard Kohl) jerry@ksu.ksu.edu (Jerry Anderson) jhawk@panix.com (John Hawkinson) john@cisco.com (John Wright) john@gulfa.ods.gulfnet.kw (John Temples) peter@ulisse.rhein-main.de (Peter Radig) tli@cisco.com (Tony Li) tom@park.uvsc.edu (Thomas R. Kimpton) warner@cats.ucsc.edu (Jim Warner)