
100 frequently asked questions about Cisco networking


*************************************************************************

*

From: Question 1

Subject: What does ``cisco'' stand for?

cisco folklore time:

At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present, various factions within the company have adopted a capital ``C'', while fierce traditionalists (as well as some others) continue to use the lowercase variant, as does the cisco Systems logo. This FAQ has chosen to use the lowercase variant throughout.

cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were trying to come up with a name they did many searches for non similar names, and always came up with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't taken (although SYSCO may be confusingly similar sounding). There was an East Coast company which later was using the ``CISCO'' name (I think they sold in the IBM marketplace); they ended up having to not use the CISCO abbreviation. Today many people spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in publications, etc. This led to at least one amusing article headlined ``Cisco grows up''. This winter we will celebrate our 10th year.

[This text was written in July of 1994 -jhawk]


If you have a tftp server available, you can create a file on the server for your router to write to, and then use the write network command. From a typical unix system:

mytftpserver$ touch /var/spool/tftpboot/myconfig

mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig

myrouter#copy running-config tftp

Remote host [10.7.0.63]? 10.7.0.2

Name of configuration file to write [myrouter-confg]? myconfig

Write file foobar on host 10.7.0.2? [confirm] y

*************************************************************************

*

From: Question 3

Subject: How can I get my cisco to talk to a third party router over a serial link?

You need to tell your cisco to use the same link-level protocol as the other router; by default, ciscos use a rather bare variant of HDLC (High-level Data Link Control), which all link-level protocols use at some level/layer or another. To make your cisco operate with most other routers, you need to change the encapsulation from HDLC to PPP on the link-relevant interfaces. For instance:

sewer-cgs#conf t

Enter configuration commands, one per line

Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z


interface serial 1

encapsulation ppp

^Z

sewer-cgs#sh int s 1

Serial 1 is administratively down, line protocol is down

Hardware is MCI Serial

MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255

Encapsulation PPP, loopback not set, keepalive set (10 sec)


You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of ``encapsulation frame-relay'') on your serial interface that's running frame relay if your frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf'' specifies that your cisco will use RFC1294-compliant encapsulation, rather than the default, RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verboten by 1490, namely padding of the nlpid). If only a few routers in your frame relay cloud require this, then you can use the default encapsulation on everything and specify the exceptions with the frame-relay map command:

frame-relay map ip 10.1.2.3 56 broadcast ietf

Subject: How can I use debugging?

The ``terminal monitor'' command directs your cisco to send debugging output to the current session. It's necessary to turn this on each time you telnet to your router to view debugging information. After that, you must specify the specific types of debugging you wish to turn on; please note that these stay on or off until changed, or until the router reboots, so remember to turn them off when you're done.

Debugging messages are also logged to a host if you have trap logging enabled on your cisco. You can check this like so:

sl-panix-1>sh logging


Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)

Console logging: level debugging, 66 messages logged

Monitor logging: level debugging, 0 messages logged

Trap logging: level debugging, 69 message lines logged

Logging to 198.7.0.2, 69 message lines logged

sl-panix-1>

If you have syslog going to a host somewhere and you then set about a nice long debug session from a term, your box is doing double work and sending every debug message to your syslog server. Additionally, if you turn on something that provides copious debugging output, be careful that you don't overflow your disk (``debug ip-rip'' is notorious for this). One solution to this is to only log severity ``info'' and higher:

sl-panix-1#conf t

Enter configuration commands, one per line End with CNTL/Z

logging trap info

The other solution is to just be careful and remember to turn off debugging. This is easy enough with:


*

From: Question 6

Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?

Use the command

no ip domain-lookup

*************************************************************************

*

From: Question 7

Subject: How to use access lists

Where in the router are access lists applied?

In general, Basic access lists are executed as filters on outgoing interfaces. Newer releases of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports. Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming interfaces in earlier releases. There are also special cases involving console access.

Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the INTERFACE major command. Filters are applied after traffic has entered on an incoming interface and gone through a routing process; traffic that originates in a router (e.g., telnets from the console port) is not subject to


Some types of ``filter,'' using ``filter'' as a broader class than ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-SAP-FILTER used for Novell networks is applied to Service Advertisement Packets (SAP) seen at incoming interfaces. In general, incoming filtering can only be done for ``system'' rather than user traffic.

Rules of thumb in defining access lists

First, define what you want to do and in which directions. An informal drawing is a good first step. As opposed to the usual connectivity drawings among routers, it's often convenient to draw unidirectional links between routers.

Second, informally write out your filtering rules. In general, it is best to go from most specific to least specific. Modify the order of writing things to minimize the number of rules needed.

Third, determine which rules need to be on which routers

Explicitly consider the direction of flow, and the possible existence of additional paths that could inadvertently bypass a filter

Can a cisco router be a ``true'' firewall?

This depends on the definition of firewall. Some writers (e.g., Gene Spafford in _Practical UNIX Security_) define a firewall as a host on which an ``inside'' and/or an ``outside'' application process run, with application-level code linking the two. For example, a firewall might provide FTP access to the outside world, but it would not also provide direct FTP service to the inside world. To place a file on the FTP external server, a designated user would explicitly log onto the FTP server, transfer a file to the server, and log off. The firewall prevents direct FTP connectivity between the inside and outside networks; only indirect, application-level connectivity is allowed. Firewalls of this sort are complemented by chokes, which filter on network addresses and/or port numbers. Cisco routers cannot do application-level control with access control lists. Other authors do not distinguish between chokes and filters. Using the loose definition that a firewall is anything that selectively blocks access from the inside to the outside, routers can be firewalls.

IP Specific


-Can the ``operand'' field be used with a protocol keyword of IP to filter on protocol ID? No. Operand filtering only works for TCP and UDP port numbers.

-How can I prevent traffic for a certain Internet application to flow in one direction but not the other? Remember that Internet applications flow from client port to server port. Denying traffic from port 23, for example, blocks flow from the client to the server.

[diagram: host A sits on the router's interface 1 and host B on interface 2; traffic from A to B enters at 1 and leaves at 2, and traffic from B to A takes the reverse path]

If we deny traffic to Port 23 of address B by placing a filter at interface 2, we have blocked A's ability to telnet to B, but not B's ability to telnet to A. A second filter at interface A would be needed to block telnet in both directions. Assume that we only have the filter at interface 2. Telnets to A from B will not be affected because the filter at 2 does not check incoming traffic.

-With the arrival of in-bound access lists in 9.21, it should be noted that both inbound and outbound access lists are about equally efficient, in case any of you were wondering. It's worth remembering that there are some kinds of problems that packet-filtering firewalls are not best suited for. There's reasonably good information in:

``Network (in)security through packet filtering''

ftp://ftp.greatcircle.com/pub/firewalls/pkt_filtering.ps.Z


*

From: Question 8

Subject: The cisco boot process

What really happens when a cisco router boots, from boot start to live interfaces?

First it boots the ROM os version. It reads the config. Now, it realizes that you want to netboot. It loads the netbooted copy in on top of itself. It then re-initializes the box and re-reads the config. Manly, yes, but we like it too.

[[ Ummm, in particular it loads the netbooted copy in as WELL as itself, decompresses it, if necessary, and THEN loads on top of itself. Note that this is important because it tells you what the memory requirements are for netbooting: RAM for ROM image (if it's a run from RAM image), plus dynamic data structures, plus RAM for netbooted image. ]]

The four ways to boot and what happens (sort of):

I (from bootstrap mode)

The ROM monitor is running. The I command causes the ROM monitor to walk all of the hardware in the bus and reset it with a brute force hammer. If the bits in the config register say to auto-boot, then goto B.

B (from bootstrap mode)

Load the OS from ROM. If a name is given, tell that image to start silently and then load a new image. If the boot system command is given, then start silently and load a new image.

powercycle

Does some delay stuff to let the power settle. Goto I.

reload (from the EXEC)


Goto I.

*************************************************************************

*

From: Question 09

Subject: How should I restrict access to my router?

Many admins are concerned about unauthorized access to their routers from malicious people on the Internet; one way to prevent this is to restrict access to your router on the basis of IP address.

Many people do this; however, it should be noted that a significant number of network service providers allow unrestricted access to their routers to allow others to debug, examine routes, etc. If you're comfortable doing this, so much the better, and we thank you!

If you wish to restrict access to your router, select a free IP access list (numbered from 100); enter ``sh access-list'' to see those numbers in use:

yourrouter#sh access-list

Standard IP access list 5

permit 192.94.207.0, wildcard bits 0.0.0.255

Next, enter the IP addresses you wish to allow access to your router from; remember that access lists contain an implicit "deny everything" at the end, so there is no need to include that. In this case, 30 is free:

yourrouter#conf t


Enter configuration commands, one per line End with CNTL/Z.

yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255

yourrouter(config)#^Z

(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*.) Enter multiple lines for multiple addresses; be sure that you don't restrict the address you may be telnetting to the router from.

Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply the access list to. In this example, I want lines 2 through 12:


Be sure to save your configuration with ``copy run start''.

Please note that access lists for incoming telnet connections do NOT cause your router to perform significant CPU work, unlike access lists on interfaces
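To see what such a list actually admits before it goes onto the vty lines, here is an added example (not from the FAQ) that evaluates a standard numbered access list with Cisco wildcard bits and the implicit deny, and checks that the address you manage the router from is still permitted; the addresses in it are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    address: str    # base address as entered, e.g. "172.30.0.0"
    wildcard: str   # Cisco wildcard bits: 0 = bit must match, 1 = don't care


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def entry_matches(entry: AclEntry, source: str) -> bool:
    """Compare only the bits whose wildcard bit is 0."""
    care = ~_as_int(entry.wildcard) & 0xFFFFFFFF
    return (_as_int(source) & care) == (_as_int(entry.address) & care)


def evaluate(acl: list, source: str) -> str:
    """First matching entry decides; no match hits the implicit deny at the end."""
    for entry in acl:
        if entry_matches(entry, source):
            return entry.action
    return "deny"


def parse_access_list(config_lines: list) -> list:
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines (standard lists only).

    A missing wildcard means a single host (0.0.0.0), as IOS treats it;
    'any' is shorthand for 0.0.0.0 255.255.255.255.
    """
    acl = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue  # not a standard access-list statement; ignored here
        action, address = parts[2], parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        if address == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        acl.append(AclEntry(action, address, wildcard))
    return acl


def locked_out(acl: list, management_sources: list) -> list:
    """Addresses you manage the router from that this list would refuse on the vtys."""
    return [src for src in management_sources if evaluate(acl, src) == "deny"]


# Constructed configuration mirroring the FAQ's example list 30
EXAMPLE_CONFIG = [
    "access-list 30 permit 172.30.0.0 0.0.255.255",
]

if __name__ == "__main__":
    acl = parse_access_list(EXAMPLE_CONFIG)
    for src in ("172.30.4.9", "172.31.0.1"):
        print(src, evaluate(acl, src))
    # The check the FAQ warns about: don't cut off the address you telnet from
    print("locked out:", locked_out(acl, ["172.30.1.1", "192.168.0.5"]))
```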

*************************************************************************

*

From: Question 10

Subject: What can I do about source routing?

What *is* source routing?


Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes. For more information on source routing, see RFC791.

Unfortunately, source routing is often abused by malicious users on the Internet (and elsewhere), and used to make a machine (A) think it is talking to a different machine (B), when it is really talking to a third machine (C). This means that C has control over B's ip address for some purposes.

The proper way to fix this is to configure machine A to ignore source-routed packets where appropriate. This can be done for most unix variants by installing a package such as Wietse Venema's (<wietse@wzv.win.tue.nl>) tcp_wrapper:

ftp://cert.org:pub/tools/tcp_wrappers

For some operating systems, a kernel patch is required to make this work correctly (notably SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which turns all source routing off; I'm not sure where this is available, but I believe it was posted to the firewalls list by Brad Powell sometime in mid-1994.

If disabling source routing on all your clients is not possible, a last resort is to disable it at your router. This will make you unable to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both of which use LSRR (Loose Source Record Route, 2 IP options, the first of which is a type of source routing), but may be necessary for some. If so, you can do this with

foo-e-0#conf t

Enter configuration commands, one per line End with CNTL/Z

foo-e-0(config)#no ip source-route

foo-e-0(config)#^Z


It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding of source-routed packets through the router, for all interfaces, as well as source-routed packets to the router (the last is unfortunate for the purposes of ``traceroute -g'').
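As an added example (not part of the FAQ), the following parser shows what a host or a monitoring tool has to inspect to recognise a source-routed packet: the LSRR (type 131) and SSRR (type 137) options in the IPv4 options area, as opposed to a plain Record Route option. The packet bytes are constructed here purely as test input.

```python
import struct

IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_RR = 7       # Record Route: records the path but does not dictate it
IPOPT_LSRR = 131   # Loose Source and Record Route
IPOPT_SSRR = 137   # Strict Source and Record Route
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def iter_options(header: bytes):
    """Yield (type, data) for every option in the IPv4 header's options area."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts = header[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:        # end of option list; the rest is padding
            return
        if kind == IPOPT_NOP:        # single-byte no-op used for alignment
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def source_route(header: bytes):
    """Return (name, [hop, ...]) if the header carries LSRR or SSRR, else None."""
    for kind, data in iter_options(header):
        if kind in SOURCE_ROUTE_OPTIONS:
            # data[0] is the pointer into the route; the rest is the hop list
            hops = [_dotted(data[j:j + 4]) for j in range(1, len(data) - 3, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], hops
    return None


def build_header(options: bytes, src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed test input: a minimal IPv4 header carrying `options` (checksum left 0)."""
    options += bytes([IPOPT_EOL]) * ((-len(options)) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4,
                        0, 0, 64, 6, 0, _ip_bytes(src), _ip_bytes(dst))
    return fixed + options


def lsrr_option(hops: list) -> bytes:
    """Encode an LSRR option: type, length, pointer (4 = first hop), then the hops."""
    body = b"".join(_ip_bytes(h) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


if __name__ == "__main__":
    pkt = build_header(lsrr_option(["192.0.2.1", "198.51.100.7"]))
    print(source_route(pkt))                 # ('LSRR', ['192.0.2.1', '198.51.100.7'])
    print(source_route(build_header(b"")))   # None
```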

*************************************************************************

*

From: Question 11

Subject: Is there a block of private IP addresses I can use?

In any event, RFC 1918 documents the allocation of the following addresses for use by

As an additional note, some Internet providers provide network-management services, statistics gathering, etc. It is unlikely (if at all possible) that they would be willing to perform those services if you choose to utilize private address space.

With the increasing popularity and reliability of address translation gateways, this practice is becoming more widely accepted. Cisco has acquired Network Translation, who manufacture such a product. It is now available as the Cisco Private Internet Exchange. With it, you can use any addressing you want on your private internet, and the gateway will ensure that the invalid addresses are converted before making out onto the global Internet. It also makes a good firewall. Information on this product is available at

Subject: How do I interpret the output of ``show version''?

Typing ``show version'' or ``show hardware'' yields a response like:

prospect-gw.near.net>sh version

Cisco Internetwork Operating System Software

IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]

System-type (imagename) Version major.minor(release.interim)[who] Desc

System-type: type of system the software is designed to run on

imagename: The name of the image. This is different (slightly) for run-from-rom, run-from-flash, and run-from-ram images, and also for subset images which both were and will be more common.

"Version": text changes slightly. For example, if an engineer gives you a special version of software to try out a bug fix, this will say


EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is the base, 9.14 adds special features for low end systems, 9.17 added special features specific to the high end (cisco-7000). This was an experiment that we are trying not to repeat.

release: increments (1, 2, 3, 4, ...) for each maintenance release of released software. Increments for every compile in some other places.

interim: increments on every build of the "release tree", which happens weekly for each release, but is only made into a generically shipping maintenance release every 7 to 8 weeks or so.

[who]: who built it. Has "fc 1" or similar for released software; has something like [billw 101] for test software built by Bill Westfield (billw@cisco.com).

Desc: additional description

The idea is that the image name and version number UNIQUELY identify a set of sources and debugging information somewhere back at cisco, should anything go wrong.

Copyright (c) 1986-1995 by cisco Systems, Inc

Compiled Thu 09-Mar-95 23:54 by tli

Image text-base: 0x00001000, data-base: 0x00463EB0

Copyright, compilation date (and by whom), as well as the starting address of the image.

ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE

ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

The version of ROM bootstrap software, and the version of IOS in ROM.

prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes

System restarted by reload

How long the router has been up, and why it restarted

System image file is "sse-current", booted via flash


How the router was booted.

RP (68040) processor with 16384K bytes of memory

Type of processor

G.703/E1 software, Version 1.0

X.25 software, Version 2.0, NET2, BFE and GOSIP compliant Bridging software

ISDN software, Version 1.0

Various software options compiled in

1 Silicon Switch Processor

2 EIP controllers (8 Ethernet)

2 FSIP controllers (16 Serial)

1 MIP controller (1 T1)

8 Ethernet/IEEE 802.3 interfaces

16 Serial network interfaces

128K bytes of non-volatile configuration memory

4096K bytes of flash memory sized on embedded flash


Hardware configuration.

Configuration register is 0x102

Lastly, the "configuration register", which may be set via software in current releases.
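The template above is easy to turn into a parser for inventory or patch-tracking work. This added example (not from the FAQ) extracts the named fields from the show version lines quoted on this page; the sample output is a constructed copy of those lines, and the version-comparison key is an assumption about how one would order images.

```python
import re

# Matches the template the FAQ gives:
#   System-type (imagename) Version major.minor(release.interim)[who] Desc
# as it appears on the "IOS (tm) ..." line and on the "ROM: ..." IOS line.
VERSION_RE = re.compile(
    r"^(?:IOS \(tm\) |ROM: )?"
    r"(?P<system>[A-Za-z0-9-]+) Software \((?P<image>[^)]+)\),\s*"
    r"(?P<desc>.*?)Version (?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)(?P<tail>.*)$"
)


def parse_ios_version(line: str) -> dict:
    """Break one show version software line into its named fields."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("not a recognised IOS version line: " + line)
    tail = m.group("tail")
    # [who] looks like "[pst 113]" on a test build; a released build carries "(fc1)" instead
    who = re.search(r"\[([^\]]+)\]", tail) or re.search(r"\(([^)]+)\)", tail)
    return {
        "system_type": m.group("system"),
        "image": m.group("image"),
        "desc": m.group("desc").strip(),
        "major": int(m.group("major")),
        "minor": int(m.group("minor")),
        "release": int(m.group("release")),
        "interim": int(m.group("interim")) if m.group("interim") else None,
        "who": who.group(1) if who else None,
        "released": "RELEASE SOFTWARE" in tail,
    }


def version_key(info: dict) -> tuple:
    """Sortable (major, minor, release, interim) for comparing two images."""
    return (info["major"], info["minor"], info["release"], info["interim"] or 0)


def parse_show_version(output: str) -> dict:
    """Pull the running image and the two ROM lines out of a show version dump."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("IOS (tm)"):
            result["running"] = parse_ios_version(line)
        elif line.startswith("ROM: System Bootstrap"):
            result["bootstrap"] = line.split("Version", 1)[1].split(",")[0].strip()
        elif line.startswith("ROM:"):
            result["rom_ios"] = parse_ios_version(line)
    return result


# Constructed sample mirroring the prospect-gw.near.net output quoted above
SAMPLE = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
Copyright (c) 1986-1995 by cisco Systems, Inc.
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
"""

if __name__ == "__main__":
    for name, info in parse_show_version(SAMPLE).items():
        print(name, info)
```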

*************************************************************************

*

From: Question 13

Subject: When are static routes redistributed?

In the simple case, any static route *in the routing table* is redistributed if the ``redistribute static'' command is used, and some filter (set with either ``route-map'' or ``distribute-list out'') doesn't filter it out.

Whether the static route gets into routing table depends on:

Whether the next hop address is reachable (if you use static route pointing to a next hop)

OR Whether the interface is up (if you use static route pointing to an interface)

If one of these is true, an attempt is made to add the route to the routing table; whether that succeeds depends on the administrative distance of the route: a lower administrative distance (the route is "closer") than a preexisting route will cause the preexisting route to be


*************************************************************************

*

From: Question 14

Subject: When is the next hop of a route considered ``reachable''?

When a static route is added, or during an important event (eg: interface up/down transition), the next hop for a route is looked up from the routing table (i.e. recursive routing). As a consequence, if a route which is depended upon for evaluation of the next hop of a static route goes away, a mechanism is required to remove that (now-invalid) static route. Scanning all static routes each time the routing table changes is too expensive, so instead, a periodic timer is used. Once a minute, static routes are added and removed from the routing table based on the routes they depend upon. It should be noted that a particular static route will be reevaluated when its interface transitions up or down.
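The rules of Questions 13 and 14 (next hop resolvable through the table or interface up, lowest administrative distance wins, periodic re-evaluation) as a small model; this is an added example, not IOS code, and the prefixes, next hops and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: str
    distance: int                    # administrative distance; lower is "closer"
    next_hop: Optional[str] = None   # static route pointing to a next hop ...
    interface: Optional[str] = None  # ... or to an interface


class RoutingTable:
    def __init__(self, candidates: list, interfaces_up: set):
        self.candidates = list(candidates)   # everything configured or connected
        self.up = set(interfaces_up)
        self.table = {}                      # prefix -> the installed Route

    def installed(self, prefix: str) -> Optional[Route]:
        return self.table.get(prefix)

    def lookup(self, address: str) -> Optional[Route]:
        """Longest-prefix match over installed routes (the recursive lookup)."""
        addr = ipaddress.ip_address(address)
        best, best_len = None, -1
        for route in self.table.values():
            net = ipaddress.ip_network(route.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
        return best

    def resolves(self, route: Route) -> bool:
        """Interface routes need the interface up; next-hop routes need a route to the hop."""
        if route.interface is not None:
            return route.interface in self.up
        via = self.lookup(route.next_hop)
        return via is not None and via is not route   # never resolve a route through itself

    def reevaluate(self) -> dict:
        """The once-a-minute scan: install resolvable candidates (lowest distance wins),
        drop installed routes whose dependency went away, and repeat until stable,
        since one static route may depend on another."""
        changed = True
        while changed:
            changed = False
            for route in self.candidates:
                current = self.table.get(route.prefix)
                if self.resolves(route):
                    if current is None or route.distance < current.distance:
                        self.table[route.prefix] = route
                        changed = True
                elif current is route:
                    del self.table[route.prefix]
                    changed = True
        return self.table

    def interface_transition(self, name: str, up: bool) -> None:
        """An up/down event triggers a re-evaluation right away."""
        (self.up.add if up else self.up.discard)(name)
        self.reevaluate()


# Constructed configuration: one connected network, two statics via next hops
# (the second resolves recursively through the first) and a floating static backup.
CANDIDATES = [
    Route("192.168.1.0/24", distance=0, interface="Ethernet0"),
    Route("10.0.0.0/8", distance=1, next_hop="192.168.1.254"),
    Route("172.16.0.0/16", distance=1, next_hop="10.1.1.1"),
    Route("172.16.0.0/16", distance=250, interface="Serial0"),
]

if __name__ == "__main__":
    rt = RoutingTable(CANDIDATES, interfaces_up={"Ethernet0"})
    print(rt.reevaluate())
    rt.interface_transition("Ethernet0", up=False)   # takes 10/8 and its dependent with it
    rt.interface_transition("Serial0", up=True)      # floating static now installs
    print(rt.table)
```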

*************************************************************************

From: Question 15

Subject: How do name and phone number of ``dialer map'' interfere?

How do name and phone number of `dialer map' interfere?

We use the telephone number first, actually. If the caller id matches the telephone number to call, then you don't need the 'name' parameter with a phone number. I realized that the above is ambiguous, so let's do this. You have:

dialer map ip x.x.x.x name <param1> <phone-num>

<param1> is used for incoming authentication. It can be either the hostname, for PAP and CHAP, or it can be a number as returned by caller id. If this is not there, and it is an incoming call, and there is caller id, we will compare against <phone-num> to see if that matches.

*************************************************************************


From: Question 16

Subject: What's the purpose of the network command?

>* what is the real purpose of the network subcommand of

> router commands? When do I not want to include a network

*************************************************************************

*

From: Question 17

Subject: What is VLSM?

A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing resources to subnets according to their individual need rather than some general network-wide rule.


Of the IP routing protocols supported by Cisco, OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.

Historically, EGP depended on the IP address class definitions, and actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP addresses (32 bit numbers); RIP and IGRP exchanged network and subnet numbers in 32 bit fields, the distinction between network number, subnet number, and host number being a matter of convention and not exchanged in the routing protocols. More recent protocols (see VLSM) carry either a prefix length (number of contiguous bits in the address) or subnet mask with each address, indicating what portion of the 32 bit field is the address being routed on.

A simple example of a network using variable length subnet masks is found in Cisco engineering. There are several switches in the engineering buildings, configured with FDDI and Ethernet interfaces and numbered in order to support 62 hosts on each switched subnet; in actuality, perhaps 15-30 hosts (printers, workstations, disk servers) are physically attached to each. However, many engineers also have ISDN or Frame Relay links to home, and a small subnet there. These home offices typically have a router or two and an X terminal or workstation; they may have a PC or Macintosh as well. As such, they are usually configured to support 6 hosts, and a few are configured for 14. The point to point links are generally unnumbered.

Using "one size fits all" addressing schemes, such as are found in RIP or IGRP, the home offices would have to be configured to support 62 hosts each; using numbers on the point to point links would further compound the address bloat.

One configures the router for Variable Length Subnet Masking by configuring the router to use a protocol (such as OSPF or EIGRP) that supports this, and configuring the subnet masks of the various interfaces in the 'ip address' interface sub-command. To use supernets, one must further configure the use of 'ip classless' routes.
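An added example (not from the FAQ) that works the engineering network above through as an address budget: it sizes each subnet with VLSM, allocates them from one block, and compares the cost with the fixed-mask scheme a classful protocol forces. The subnet counts and the 10.10.0.0/22 block are assumptions.

```python
import ipaddress
import math


def prefix_for_hosts(hosts: int) -> int:
    """Smallest block that leaves `hosts` usable addresses after network and broadcast."""
    bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - bits


# Constructed demand list modelled on the network described above: switched
# subnets sized for 62 hosts, home offices for 6 (a few for 14), and unnumbered
# point-to-point links, which consume no addresses (hosts = 0).
DEMANDS = (
    [(f"eng-sw-{i}", 62) for i in range(1, 5)]
    + [(f"home-{i}", 6) for i in range(1, 11)]
    + [("home-big-1", 14), ("home-big-2", 14)]
    + [(f"p2p-{i}", 0) for i in range(1, 13)]
)


def allocate(network: str, demands: list) -> dict:
    """Carve the demands out of `network` with VLSM, largest blocks first.

    Allocating in descending size keeps every block naturally aligned, so a
    simple moving cursor is enough; unnumbered links are skipped.
    """
    net = ipaddress.IPv4Network(network)
    cursor, end = int(net.network_address), int(net.broadcast_address) + 1
    plan = {}
    numbered = [(n, h) for n, h in demands if h > 0]
    for name, hosts in sorted(numbered, key=lambda d: prefix_for_hosts(d[1])):
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        if cursor + size > end:
            raise ValueError(f"{network} exhausted while placing {name}")
        plan[name] = ipaddress.IPv4Network((cursor, plen))
        cursor += size
    return plan


def vlsm_cost(plan: dict) -> int:
    """Addresses consumed by the VLSM plan, network and broadcast included."""
    return sum(subnet.num_addresses for subnet in plan.values())


def fixed_mask_cost(demands: list, number_p2p_links: bool = False) -> int:
    """What a classful protocol costs: every subnet gets the mask of the largest
    one (here /26 for 62 hosts); numbering the point-to-point links too
    compounds the bloat, as the text above notes."""
    plen = min(prefix_for_hosts(h) for _, h in demands if h > 0)
    count = sum(1 for _, h in demands if h > 0 or number_p2p_links)
    return count * (1 << (32 - plen))


if __name__ == "__main__":
    plan = allocate("10.10.0.0/22", DEMANDS)
    for name, subnet in plan.items():
        print(f"{name:12} {subnet}")
    print("VLSM:", vlsm_cost(plan), "addresses")
    print("fixed /26, links unnumbered:", fixed_mask_cost(DEMANDS))
    print("fixed /26, links numbered:  ", fixed_mask_cost(DEMANDS, True))
```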

*************************************************************************

*

From: Question 18


Subject: What are some methods for conserving IP addresses for serial lines?

VLSM and unnumbered point to point interfaces are the obvious ways. The 'ip unnumbered' subcommand indicates another interface or sub-interface whose address is used as the IP source address on messages that the router originates on the unnumbered interface, such as telnet or routing messages. By doing this, the router is reachable for management purposes (via the address of the one numbered interface) but consumes no IP addresses at all for its unnumbered links.

*************************************************************************

*

From: Question 19

Subject: Flash upgrade issues for Cisco 2500 series routers

> When I remove the original flash and replace it with either one or both of
> the new flash chips, I get the following error on boot up and the router ends
> up in boot mode:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash

This has to be the most common FAQ for this group. You have non-Intel flash chips on your new SIMMs and boot ROMs that are too old to know about the different access method for the flash chips you have.

You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that Intel no longer makes those chips, which is why everybody has this problem.

*************************************************************************

*

From: Question 21


Subject: How do I configure a router to act as a Frame-Relay Switch?

frame-relay intf-type dce

! In the config below, the 102 is the DLCI that will be

! presented to the router connected to this S0

! interface 201 is the DLCI that is mapped to S1

frame-relay route 102 interface Serial1 201

frame-relay route 103 interface Serial2 301

interface Serial1

no ip address

no keepalive

encapsulation frame-relay


clockrate 64000

frame-relay intf-type dce

frame-relay route 201 interface Serial0 102

frame-relay route 203 interface Serial2 302

frame-relay intf-type dce

frame-relay route 301 interface Serial0 103

frame-relay route 302 interface Serial1 203

[diagram: the frame-relay switch router (FR SW) connects its S0, S1 and S2 to the S0 interfaces of R1, R2 and R3 respectively]

R1 S0, R2 S0 and R3 S0 will be on the same subnet. You can treat it as p2mp. I put all the DCE ends of the cables on the Frame Switch, so clock rate is defined there. However, this is not a requirement. The FR Switch router does not need to have the DCE end. Regardless of the gender of the cable, however, the "frame-relay intf-type dce" is required. I defined the DLCIs as Source Router + 0 + Destination Router. So if the circuit goes from R1 to R3 it's DLCI 103. From R3 to R1 it's DLCI 301.

*************************************************************************

*

From: Question 22

Subject: What are the different types of memory used by Cisco Routers?

The 2500 Series and 7204 VXR have the same types of memory, but they are implemented in different physical packages:

ROMMON - This is the initial bootstrap for the router.

Boot Helper - This is a subset of IOS that is used to update software or network boot. The 2500 implements the ROMMON and boot helper in a set of two ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash memory on the I/O controller called boot flash.

Main memory - This is used to hold routing tables, and IOS variables. In the 7204 VXR, IOS itself is also resident in main memory. The 2500 Series usually runs the IOS directly in flash.

Shared memory - This is the memory that holds packet buffers. On the 2500 Series, this is part of the same physical memory as main memory. On the 7204 VXR, it's separate memory.


Flash memory - This memory holds the IOS image. On the 2500 Series, there are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA slots on the I/O controller which can take a 128 MB flash disk.

Configuration memory (NVRAM) - This is the memory that holds the IOS configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is 128 KB battery backed up SRAM on the I/O controller.

*************************************************************************

*

From: Question 23

Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?

Doc CD Content appears garbled:

The Doc CD content is compressed - it requires Verity to decompress it. This is why Verity is used on the Doc CD. What has happened is you've tried to directly open up index.html off the CD into your browser, and this is not possible to do. The CD must be accessed through the Verity Web Publisher through:

http://127.0.0.1:8080/home/home.htm

This is the startup address that is launched when you click on "Launch CD."

Windows 2000 and Doc CD: Pre-July 2000 Documentation CDs do not work on Windows 2000 out of the box. They will cause "Search.exe" to crash when run under Win2k.

There is a fix that sometimes works for these CDs at:

http://www.cisco.com/warp/public/620/ioscd.html.

This fix MUST be done BEFORE you install the CD. If the CD has already been installed, then uninstall it, delete c:\cisco, make this registry change, then re-install the Doc CD (both the Browser Software Installer and The Documentation CD


(I have tried this on my laptop which is running Windows 2000 and it worked fine, but I had to delete c:\Cisco first and launch the Browser Software Installer CD (1) first, then the Document CD (2). My version of the CD was Nov 1999.)

(I have already sent this one to you; did you delete c:\Cisco and launch both CDs?)

Other fixes are shown:

The Doc CD starts up to about:blank

There are two alternate fixes for this:

1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm for the address, and then add it to your favorites.

-or-

2. This is a 4-step fix:

A. Ensure that search.exe is not running.

B. Edit the installed search.ini (c:\CISCO\search.ini).

C. Change the line 'Browser=c:\program files\internet explorer\iexplore.exe' to 'Browser=msie'.

D. Launch the CD.

Nothing happens when I click Launch CD

The usual cause for this is that you've installed a post-July 2000 Documentation CD over the top of a previous Doc CD.

The fix for this is to:


1 Uninstall the Doc CD from the control panel->add/remove programs.

Subject: How do I load a large image on a 2500 *lab* router?

For production work (support by Cisco required) you need 16M Flash to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0 Enterprise is small enough (about 10M) to run from RAM (upgrading to 16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a compressed image in the 8M of flash you do have.

12.1 Enterprise is 14M so it must be run from flash (otherwise there is not enough RAM remaining to even complete loading of the OS).

Check the release notes on www.cisco.com for the IOS release you want to use. If the actual size of the IOS plus the minimum recommended RAM totals less than 16MB, you can run compressed or boot from TFTP without expanding flash. Check deja-news on google if you are unclear on how to run a compressed image on the 2500; it is a frequent request and hopefully will turn up in the renovated FAQ when Hansang gets a chance to publish it.

*************************************************************************

*

From: Question 25


Subject: daisy-chaining reverse telnet console-aux ports

> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux -> console and using reverse telnet to get to them.
>
> However, when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router. If I kill the AUX line, then initiate the
> reverse telnet again, I fall through routers 2 and 3 to 4 again.
> Is there an easy way to fall back one router at a time?
> Or should I not bother to do this?

You have two options. One is to use a different escape character on the second (third, fourth, etc.) console (and/or vty)

session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the third session, etc.

access-list 101 permit tcp any host 1.1.1.1 eq telnet

access-list 101 dynamic foobar permit ip any any


The first access list allows telnet into the router. Your users will telnet into the router and authenticate with username foobar and password "cisco". The router will then immediately disconnect the telnet session. When they successfully authenticate, an access list entry with their source IP will be added to the dynamic list. Basically, if they authenticate correctly, they can come in to the inside network. After 5 mins of inactivity the entry will be deleted from the access list.

The vty 3 and 4 lines are using the rotary command so that you can telnet to your router with the command "telnet 1.1.1.1 3001". This takes you to vty 3 (or 4). This way, you can telnet into the router and actually manage it. This is a very subtle but VERY important point: if you forget it, you'll be making a trip to use the console port.
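The lock-and-key lifecycle described above, modelled in Python as an added editor's example (not Cisco code and not part of the FAQ): the two access-list 101 lines as given, the per-source dynamic entry created on authentication, and the 5-minute idle expiry. The source and destination addresses used in the test traffic are constructed.

```python
"""Model of the lock-and-key access list 101 described above.

Editor's added example, not Cisco code: it reproduces the two ACL lines
from the text (a static entry permitting telnet to the router and a
'foobar' dynamic template permitting ip any any) and the behaviour the
text describes, a per-source entry created on authentication and
deleted after 5 minutes of inactivity.
"""

IDLE_TIMEOUT = 5 * 60   # seconds of inactivity before a dynamic entry is removed
ROUTER_IP = "1.1.1.1"   # the router address from the text
TELNET_PORT = 23


class LockAndKeyAcl:
    def __init__(self):
        # authenticated source IP -> time of last packet matched by its entry
        self.dynamic = {}

    def authenticate(self, src, now):
        """Called when a user telnets to ROUTER_IP and logs in as 'foobar';
        the router then instantiates the dynamic template for that source."""
        self.dynamic[src] = now

    def _expire(self, now):
        for src in [s for s, last in self.dynamic.items()
                    if now - last > IDLE_TIMEOUT]:
            del self.dynamic[src]

    def permits(self, src, dst, proto, dport, now):
        """Evaluate one packet against access-list 101, top to bottom."""
        self._expire(now)
        # access-list 101 permit tcp any host 1.1.1.1 eq telnet
        if proto == "tcp" and dst == ROUTER_IP and dport == TELNET_PORT:
            return True
        # access-list 101 dynamic foobar permit ip any any
        # Only instantiated entries match, and each one matches its own source.
        if src in self.dynamic:
            self.dynamic[src] = now     # matching traffic resets the idle timer
            return True
        return False                    # implicit deny at the end of every IOS ACL

    def active_sources(self, now):
        """Sources that currently hold a dynamic entry (after expiry)."""
        self._expire(now)
        return sorted(self.dynamic)
```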

*************************************************************************

From: Question 27

Subject: How do I telnet to a specific VTY line?

See "rotary" example in question 48

*************************************************************************

*

From: Question 28

Subject: Is there a better (free) tftp server than the one by Cisco?

3CDv2r10.zip file located at:

http://support.3com.com/software/utilities_for_windows_32_bit.htm

*************************************************************************

*

Note that the Lo0 interface may have any IP address.

*************************************************************************

*

From: Question 29

Subject: How do I hide a summarized OSPF route from one ABR to another?

area 1 range x.x.x.x x.x.x.x not-advertise

*************************************************************************

*

From: Question 30

Subject: How do I set up Windows 2000 and IPSec to a PIX Firewall?

To describe how to use the Local Security Policy MMC in W2K would take a long time. So, the config I will share with you is the 'dial-up' one I mentioned before. In this posting I will detail the bare minimum needed to get a W2K client working with a PIX firewall running v6.01 software. For simplicity I use a preshared key for authentication. Since I have to embed this key into the script I use, it makes the configuration open and thus vulnerable. However, you should be able to tweak the configuration from this to meet your own security needs. The W2K IPSec client supports certificates as well as preshared keys, so a "secure" version of this config is attainable.

The configuration script I eked out (it isn't beautiful code) is actually written in Perl. If you would like to re-write it in the old DOS batch file format, please do so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com. The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program that you have to use has its own documentation, which you should read. For the PIX I give you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make this config work. The config assumes that the PIX has NAT enabled.

Ok, enough blabber, here it is. I hope it is helpful!

For the purposes of this 'demo' config, the PIX Firewall will have 192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X network. The inside router will be 10.0.0.1.

Quick Network Schematic:

[W2K] -> [Dial-Up WAN adapter (DHCP assigned address)] -> [Internet] -> [PIX Firewall (192.168.0.1)] -> [Internal LAN (10.0.X.X)] -> [Inside Router (10.0.0.1)]

The PIX firewall commands needed are:

sysopt connection permit-ipsec

sysopt connection permit-l2tp

sysopt ipsec pl-compatible


crypto ipsec transform-set W2K esp-des esp-md5-hmac

crypto ipsec transform-set W2K mode transport

crypto dynamic-map W2KDynamic 11 set transform-set W2K

crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic

crypto map W2K-Map interface outside

isakmp identity address

isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0

isakmp policy 11 authentication pre-share

isakmp policy 11 encryption des

isakmp policy 11 hash md5

isakmp policy 11 group 1

isakmp policy 11 lifetime 28800

isakmp enable outside
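The following Python check is an editor's added example, not part of the original post: it parses the PIX crypto and isakmp commands above and flags the settings a reviewer would question (single DES, MD5, DH group 1, and the wildcard pre-shared key the author already calls open). The stronger PIX 6.x keywords it suggests are the editor's choice, not the author's.

```python
"""Audit of the PIX crypto/isakmp commands quoted above for weak settings.

Editor's added example, not part of the original post. It parses the PIX
lines as written in the text and reports what a reviewer would flag: single
DES, MD5, DH group 1 and the wildcard pre-shared key. The replacements are
PIX 6.x keywords chosen by the editor (3DES needs the 3DES activation key).
"""

# PIX lines from the text, embedded so the audit runs stand-alone.
PIX_CONFIG = """\
crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
"""

# transform keyword -> (problem, stronger keyword)
WEAK_TRANSFORMS = {
    "esp-des": ("56-bit DES encryption", "esp-3des"),
    "esp-md5-hmac": ("HMAC-MD5 integrity", "esp-sha-hmac"),
}
# (isakmp policy attribute, value) -> (problem, stronger setting)
WEAK_IKE = {
    ("encryption", "des"): ("56-bit DES for IKE", "encryption 3des"),
    ("hash", "md5"): ("MD5 for IKE", "hash sha"),
    ("group", "1"): ("768-bit DH group 1", "group 2"),
}

def audit_pix_config(text):
    """Return a list of (config line, problem, suggestion) tuples."""
    findings = []
    for line in text.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            for token in w[4:]:
                if token in WEAK_TRANSFORMS:
                    findings.append((line, *WEAK_TRANSFORMS[token]))
        elif w[:2] == ["isakmp", "key"] and "0.0.0.0" in w[3:]:
            # address 0.0.0.0 netmask 0.0.0.0 = one secret for every peer, and
            # the text notes that same secret is embedded in the client script
            findings.append((line, "wildcard pre-shared key shared by all peers",
                             "per-peer key, or the certificates the text mentions"))
        elif w[:2] == ["isakmp", "policy"] and tuple(w[3:5]) in WEAK_IKE:
            findings.append((line, *WEAK_IKE[tuple(w[3:5])]))
    return findings
```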

The Perl script I wrote is as follows. I execute this script every time I establish a connection with my dial-up ISP. It then sets up the IPSec tunnel using my current ISP-assigned IP address.

#begin listing

# IPSecInit.pl
# Written by: Steven Griffin Jr
# Date: 6 June, 2001
# Note: The basis of this code came from the PERL documentation site
# The original snippets came from the links below

# ... and not just 127.0.0.1
# This section is pretty much identical to the one found on the PERL documentation site
# I just added an assignment of the discerned ipaddress to the $localipaddress variable
# I also changed the @ARGV assignment to 'localhost' instead of 'netscape.com'
@ARGV = ('localhost') unless @ARGV;
for $host ( @ARGV ) {

        for $addr ( @{$h->addr_list} ) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
        }
    } else {
        #my modification is on the next line
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }

Posted: 09/10/2012, 15:04