int fa0/0
 ip addr blah
 ip nat outside

int fa0/1
 ip addr blah
 ip nat outside

ip nat pool ISP1 ISP1_Valid_range_here prefix-length blah
ip nat pool Cable Cable_Valid_range_here prefix-length blah

! These users below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255

route-map ISP1 perm 10
 match ip addr 1
 match interface fa0/0

route-map Cable perm 10
 match ip addr 1
 match interface fa0/1

**************************************************************************

From: Question 64
Subject: Sample config of using VIC BRI interfaces as an ISDN switch.

Enter this under stupid router tricks (it's got to be more expensive than an ISDN emulator, but not if you've got the parts lying around).

Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work too), IOS 12.1.5T9
R1, R2: Cisco with ISDN BRI S/T interface. IOS 12.x

R1 --- S/T crossover cable --- Switch --- S/T crossover --- R2

These configs let you do ISDN BRI dialup between two routers, using a third router as an ISDN switch. Call setup is flakey but otherwise it seems to work once the call is up.

Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too)

isdn switch-type basic-net3
x25 routing

interface Loopback0
 ! whatever
 ip address 10.0.0.1 255.255.255.255

interface BRI1/0
 description to R1
 no ip address
 isdn switch-type basic-net3
 isdn overlap-receiving
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn x25 dchannel
 isdn skipsend-idverify

! Basic X.25 over D channel, so you can run pad commands
! For always on, see the Cisco docs
interface BRI1/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5552000
 clns mtu 1514

interface BRI1/1
 description to R2
 no ip address
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify

interface BRI1/1:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551000
 clns mtu 1514

x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0

voice-port 1/0/0
voice-port 1/0/1

dial-peer voice 1 pots
 incoming called-number 6045551111
 destination-pattern 6045552222
 direct-inward-dial
 port 1/0/0

dial-peer voice 2 pots
 incoming called-number 6045552222
 destination-pattern 6045551111
 direct-inward-dial
 port 1/0/1

dial-peer voice 10 voip
 destination-pattern 6045552222
 session target ipv4:10.0.0.1
 codec clear-channel

dial-peer voice 20 voip
 destination-pattern 6045551111
 session target ipv4:10.0.0.1
 codec clear-channel

R1, R2 config (just reverse the 5551111/5552222 and 1.1.1.1/1.1.1.2)

isdn switch-type basic-net3

interface BRI0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 dialer string 6045552222 class DOV
 dialer-group 1
 isdn switch-type basic-net3
 isdn incoming-voice data
 isdn calling-number 6045551111
 isdn x25 dchannel

interface BRI0/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551111

map-class dialer DOV
 dialer voice-call

dialer-list 1 protocol ip permit

**************************************************************************

From: Question 65
Subject: What kind of memory does the 2500 use?

Parity. 70ns, 72-pin FPM w/ tin leads.

**************************************************************************

From: Question 66
Subject: How do I make an Ethernet Cross-over cable?

Try this as a crossover cable.

1 to 3
2 to 6
3 to 1
6 to 2
4 to 7
5 to 8
7 to 4
8 to 5

Basically, in a traditional cross-over, which is a 10 BaseT and a 100 BaseTX, you are swapping the Green Pair with the Orange Pair. Less commonly, you have a 100 BaseT4 cross-over cable (which just happens to also be a 1000 BaseT cross-over cable), where you not only swap over the Green and Orange Pair, but also swap over the Blue and Brown Pair.

The silly part is that Cisco's documentation shows the schematic of a traditional cross-over cable, but you will see the pin-outs of the 1000BaseT interface.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/hig/hgcable.htm#xtocid42327

I have just made comment to Cisco about this.

**************************************************************************

From: Question 67
Subject: How do I use NBAR to block NIMDA?

See: http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

> Here's my working config (with thanks to John Kaberna and Chris
> Martin) on a 2610 router:
>
> ip cef
>
> class-map match-any http-hacks
>  match protocol http url "*default.ida*"
>  match protocol http url "*x.ida*"
>  match protocol http url "*.ida*"
>  match protocol http url "*cmd.exe*"
>  match protocol http url "*root.exe*"
>  match protocol http url "*_vti_bin*"
>  match protocol http url "*_mem_bin*"
>  match protocol http mime "*readme.exe*"
>  match protocol http mime "*readme.eml*"
>
> policy-map mark-inbound-http-hacks
>  class http-hacks
>   set ip dscp 1
>
> interface Serial0/0
>  ip access-group 101 in
>  service-policy input mark-inbound-http-hacks
>
> interface Ethernet0/0
>  ip access-group 101 out
>
> access-list 101 deny ip any any dscp 1 log
> access-list 101 permit ip any any

**************************************************************************

From: Question 68
Subject: What is a FECN/BECN and does it mean anything?

First, when you use FR, it is not over a host to router connection. FR is going to be router to ingress-FR-switch through cloud to egress-FR-switch to destination-router. With that in mind, what you have to worry about with exceeding your CIR is the ingress FR switch. FECNs and BECNs are different mechanisms which I will explain in a minute.

Let me explain the algorithm that FR switches use to police your bandwidth usage. It is a token/credit system that is implemented on the *ingress* FR switch (so the ingress switch is the traffic cop). Keep in mind that everything that I am about to describe occurs entirely within the FR switch, so when I say that you are given tokens to transmit, I mean that in the software of the FR switch these tokens are kept track of, not that the FR switch transmits tokens to your router to use for each frame. I'm going to start with a simple scenario in which you only have a CIR and an EIR of 0.

Anyway, every second (which is the default interval, or Tc for those that want the real term) you get Bc tokens, which is essentially permission to transmit that many tokens' worth of data over the time of that second. Bc tokens decrement against the CIR, which is to say that Bc tokens are used to regulate the CIR, not the EIR (I will describe Be tokens later). At the end of the second you are given more tokens for use during the next second. Every time the FR switch receives data from the router, it subtracts tokens. What happens if you run out of tokens is that every frame will be discarded until the next interval, at which point you get more tokens. If it receives a frame marked with a DE bit, it should discard it automatically.

However, most people don't buy FR service with an EIR of zero. In this case where you have a CIR and an EIR, the token credit system is a little more
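
The CIR-only policing described above (EIR of 0), as an added simulation that is not part of the original FAQ. The Frame type, the police() and summarize() names, the 64 kbit/s CIR and the frame arrivals are constructed for illustration; it assumes Bc = CIR x Tc, that unused tokens are not carried into the next interval, and that a frame is dropped when it needs more tokens than remain.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    t: float          # arrival time at the ingress FR switch, in seconds
    bits: int         # frame size in bits
    de: bool = False  # Discard Eligible bit set on the frame

def police(frames, bc_bits, tc=1.0):
    """CIR-only policing (EIR = 0): return [(frame, verdict), ...]."""
    verdicts = []
    interval, tokens = None, 0
    for f in sorted(frames, key=lambda f: f.t):
        idx = int(f.t // tc)
        if idx != interval:
            # New Tc interval: the switch grants a fresh Bc worth of tokens.
            # Assumption: unused tokens from the last interval are not kept.
            interval, tokens = idx, bc_bits
        if f.de:
            verdicts.append((f, "discard-de"))   # EIR is 0: DE frames are dropped
        elif f.bits <= tokens:
            tokens -= f.bits                     # spend tokens and forward
            verdicts.append((f, "forward"))
        else:
            # Assumption: a frame needing more tokens than remain is dropped.
            verdicts.append((f, "discard-no-tokens"))
    return verdicts

def summarize(verdicts, tc=1.0):
    """Count verdicts per Tc interval: {interval_index: Counter}."""
    out = {}
    for f, v in verdicts:
        out.setdefault(int(f.t // tc), Counter())[v] += 1
    return out

# Constructed sample: CIR 64 kbit/s and Tc 1 s, so Bc = 64000 bits.
CIR_BPS, TC = 64000, 1.0
BC = int(CIR_BPS * TC)
SAMPLE = [Frame(t / 10, 12000) for t in range(7)]  # 84000 bits offered in second 0
SAMPLE.append(Frame(0.05, 12000, de=True))         # one DE-marked frame
SAMPLE.append(Frame(1.05, 12000))                  # first frame of second 1

if __name__ == "__main__":
    for f, v in police(SAMPLE, BC, TC):
        print(f"t={f.t:4.2f}s bits={f.bits} de={f.de} -> {v}")
    print(summarize(police(SAMPLE, BC, TC), TC))
```

In the sample, five 12000-bit frames use 60000 of the 64000 tokens, so the sixth and seventh are dropped even though 4000 tokens remain, and forwarding resumes only when the next interval starts.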