5.5>Q: Does traffic-shape work on a Loopback or Tunnel interface, or not?
>A: (Alex Bakhtin) Some time ago I needed a shaper on a BVI interface, so I looked into this problem fairly seriously. So:
1. The shaper works. In 12.x - <=12.0(2a), in 11.3 also up to some version.
2. The shaper works incorrectly - it shapes only process-switched packets. (btw, this is exactly why a shaper on a group of asyncs via policy-route works)
3. A shaper on virtual interfaces (which BVI, Loopback and Tunnel are) is unsupported by Cisco. That is, officially it does not exist. The fact that it used to exist was a bug in the config/command-line parser that allowed it to be enabled. I opened a case with Cisco about this - they suggested I send a feature request. So, I'm afraid, you will have to forget about the wonderful way of shaping on a loopback if you use 11.3 or 12.x :-((

5.6>Q: How do I throttle ftp?
>A: (Alexander Kazakov) In short, I gave ftp a constant 32k. Everything works and suits me fine. I haven't done frame-relay yet; I'll try it on a test Cisco first. As promised - a working config:
=== Cut ===
interface Serial2/0
 description xxx XXX
 ip address aaa.bbb.ccc.ddd 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 bandwidth 128
 ipx network B021
 ipx accounting
 priority-group 2
 traffic-shape group 191 32000 8000 8000 1000
!
access-list 191 permit tcp any any eq ftp
access-list 191 permit tcp any any eq ftp-data
priority-list 2 protocol ip medium list 101
priority-list 2 protocol ipx low
priority-list 2 protocol ip high tcp telnet
priority-list 2 protocol ip high udp snmp
priority-list 2 protocol ip high tcp echo
priority-list 2 protocol ip high udp echo
===========================================================

6. Routing

===========================================================
6.1>Q: There are two Cisco 2511s that must be connected by two links, one via serial, the other via async, both links over leased lines. No problem with that, but I want to have ONE backup via a dial-up line. That is, the backup should come up only when BOTH links go down.
>A: (Vasily Ivanov)
ip route 216
All routing protocols have a metric <= 200, so this line will appear in the local routing table only when both of your interfaces go down. When the main link is restored, it will again be pushed out of the table by the routing protocols, and the Cisco will start counting down the dialer idle-timeout before dropping the line.
6.2>Q: Tell me what to whisper to the Cisco so that it announces ppp links with a /32 mask via RIP onto Ethernet, instead of aggregating them into a subnet.
>A: Dmitry Morozovsky, Mike Shoyher, Gosha Zafievsky
router rip
 version 2
 ! simply useful
 redistribute static subnets
 no auto-summary
 ! also does not hurt
 redistribute connected subnets
6.3>Q: OSPF, RIP
>A: (Alex Bakhtin)
router ospf 10
 redistribute connected metric 1 subnets route-map only_public_net
 redistribute static metric 1 subnets route-map only_public_net
 redistribute rip
 network 194.186.108.0 0.0.0.63 area 0
!
router rip
 version 2
 redistribute connected route-map only_public_net
 redistribute static route-map only_public_net
 redistribute ospf 10 metric 4
 redistribute ospf 200 metric 4
 network 194.186.108.0
 neighbor 194.186.108.10
 neighbor 194.186.108.138
!
Of course, ip classless and ip subnet-zero are set.
6.4>Q: I have a class C network in which not all addresses are used. If a packet arrives from the provider for a nonexistent address (or for a dial-up user who has disconnected), my Cisco and the provider's Cisco start bouncing this packet back and forth. Why is this and how do I get rid of it?
>A: (Basil (Vasily) Dolmatov) The provider has a route to your whole class C.
Your Cisco (the next one) has only the routes it learned from the addresses of active interfaces and from any routing protocols. Everything else is routed via the default route, that is, back to the provider. How to avoid this? Cisco has a wonderful interface, Null0. It is configured with just one command:
int Null0
 ip unreachables
Now it is enough to add one more route to the Cisco configuration (assume the class C network is 193.193.193.0/24):
ip route 193.193.193.0 255.255.255.0 Null0 100
In this case, if the address is in use and a route to it is known to the Cisco, that route will be the active one (since its metric is lower); if the address is unknown, the route to Null0 becomes active and Null0 answers the incoming packet with ICMP !H. So there will be no more ping-pong on the link. By the way, it is also recommended to add the same routes for private networks; this prevents them from accidentally leaking toward the provider:
ip route 10.0.0.0 255.0.0.0 Null0 100
ip route 172.16.0.0 255.240.0.0 Null0 100
ip route 192.168.0.0 255.255.0.0 Null0 100
6.5>Q: There are two links to providers and two networks; how do I make each network go over its own link?
>A: (Dmitriy Yermakov) policy-routing; there is an example on the CD. As an example (for a very simple case):
access-list 110 permit ip aaa.aaa.aaa.0 0.0.0.255 any
access-list 111 permit ip bbb.bbb.bbb.0 0.0.0.255 any
route-map XXXX permit 10
 match ip address 110
 set default interface Serial 0
route-map XXXX permit 20
 match ip address 111
 set default interface Serial 1
int eth 0
 ip policy route-map XXXX
6.6>Q: Would someone share a URL or just the secret of running OSPF between Gated and Cisco?
>A: (Alex Bakhtin) gated and Cisco have different hello/dead intervals set by default. It is fixed by setting the appropriate intervals in gated.
P.S. (DY) in recent GateD versions this may have been fixed; deb ip ospf will help find out.
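The route selection behind 6.1 (a backup static route with distance 216) and 6.4 (Null0 routes covering unused and private addresses), as an added example that is not part of the FAQ or of IOS: a small model of a routing table in which the best route is the longest matching prefix and, among equal prefixes, the one with the lowest administrative distance (the FAQ calls it "metric"). The rule itself and all addresses below are my assumptions and constructed data.

```python
"""Added example, not from the FAQ: a minimal model of IOS route selection,
used to show why the Null0 routes in 6.4 and the distance-216 backup route
in 6.1 behave as described.

Assumption (mine): the best route is the longest matching prefix, and among
candidates for the same prefix the one with the lowest administrative
distance. All addresses and interface names are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # interface or gateway, e.g. "Null0" or "Serial0"
    distance: int      # administrative distance (the FAQ calls it "metric")
    source: str        # "connected", "rip", "static", ...


def lookup(table, dst):
    """Return the best Route for dst, or None if nothing matches."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    # longest prefix first, then lowest administrative distance
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def rib(routes, up):
    """Routes whose next-hop interface is up; an interface that is down
    withdraws its routes (up is a dict interface -> bool, default up)."""
    return [r for r in routes if up.get(r.next_hop, True)]


# Constructed table for 6.4: class C 193.193.193.0/24 black-holed to Null0,
# one dial-up user currently online as a /32, the private nets to Null0,
# and a default route toward the provider.
TABLE_64 = [
    Route(ipaddress.ip_network("193.193.193.0/24"), "Null0", 100, "static"),
    Route(ipaddress.ip_network("193.193.193.5/32"), "Async1", 0, "connected"),
    Route(ipaddress.ip_network("10.0.0.0/8"), "Null0", 100, "static"),
    Route(ipaddress.ip_network("172.16.0.0/12"), "Null0", 100, "static"),
    Route(ipaddress.ip_network("192.168.0.0/16"), "Null0", 100, "static"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Serial0", 1, "static"),
]

# Constructed table for 6.1: the remote net learned by RIP over both leased
# links, plus a floating static with distance 216 over the dial-up interface.
TABLE_61 = [
    Route(ipaddress.ip_network("10.20.0.0/16"), "Serial0", 120, "rip"),
    Route(ipaddress.ip_network("10.20.0.0/16"), "Async1", 120, "rip"),
    Route(ipaddress.ip_network("10.20.0.0/16"), "Dialer0", 216, "static"),
]


if __name__ == "__main__":
    for dst in ("193.193.193.5", "193.193.193.77", "192.168.3.3", "8.8.8.8"):
        print(dst, "->", lookup(TABLE_64, dst).next_hop)
    for down in ({}, {"Serial0": False}, {"Serial0": False, "Async1": False}):
        r = lookup(rib(TABLE_61, down), "10.20.1.1")
        print("down=%s -> %s (distance %d)" % (sorted(down), r.next_hop, r.distance))
```

The online user's /32 wins over the /24 to Null0 by prefix length, an unused address in the class C falls to Null0 instead of the default route, and the distance-216 route only becomes best once both RIP-learned routes have been withdrawn.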
>A: (Basil (Vasily) Dolmatov)
ospf yes {
    backbone {
        authtype none;
        interface aaa.bbb.ccc.ddd cost 1 {
            retransmitinterval 5;
            transitdelay 1;
            priority 0;
            hellointerval 10;
            routerdeadinterval 40;
        };
    };
};
import proto ospfase { ALL ; };
export proto ospfase type 1 {
    proto ospfase { ALL metric 1; };
    proto static { ALL metric 1; };
    proto direct { ALL metric 1; };
};
6.7>Q: There is a static route: ip route 0.0.0.0 0.0.0.0 Serial 0/0. How do I exclude it from OSPF announcements? Removing redistribute static is not an option ;)
>A: (Dmitry Morozovsky)
1. Remove default-information originate always, or replace it with default-information originate if you still need to announce it somewhere.
2. Filter it ;)
distribute-list out [interface name]
access-list permit 0.0.0.0 0.0.0.0
6.8>Q: Could one of the esteemed gurus explain sensibly, from a practical point of view (with a small example), what stubby areas are and in what cases introducing them is justified? Am I right that they are, generally speaking, needed to save router resources?
>A: (Alex Mikoutsky), sent by (Oleh Hrynchuk) Ciscos have three types of stub areas - stub, totally stub, not-so-stubby. Halabi may not have written about the last two. A stub area is an area whose routers do not need to know where to send packets destined for external addresses. Note - only external ones, i.e. those that are themselves redistributed into the OSPF domain. Instead of those announcements, the ASBR will inject a default route for sending the corresponding packets to it. If such an area has several exits into the backbone, each ASBR will send its own default. It is up to you which of them is considered first and which second. This is done, obviously, with the metric, by the command on the ASBR:
area 1 default-cost
where area 1 is of type stub. All other routes coming from other areas, except external ones, will be announced.
Totally stub and not-so-stubby are Cisco-specific gadgets that also help filter announcements of routes from other areas, of the inter-domain type (totally stub), but only if there is not a single external route in this totally stubby area. To overcome the latter restriction, the area can be made of type NSSA (starting from version 11.3). In the latter cases, only the default will be announced into the area at all, by the command default-information originate. As in the previous case, there may be several ASBRs. Did I write that clearly? [03.08.2000]
6.9>Q: I need to get Nortel ARN and Cisco 3640 routers talking over a synchronous link. Currently they talk over ppp and rip. I want them to talk over frame-relay and ospf.
>A: (Sergey Y. Afonin) Done on an ARN with BayRS 13.20 and a Cisco 3640 with IOS version 12.0.
Fragment of the ARN config (as-boundary-router true is not relevant here; it says that the router may redistribute everything it has that is not specifically filtered; if false, only ospf is redistributed):
ospf
 router-id xxx.xxx.xxx.234
 as-boundary-router true
 area area-id 0.0.0.0
 back
back
serial slot 1 connector 1
 cable-type v35
 bofl disabled
 promiscuous enabled
 service transparent
 circuit-name S11
 frame-relay
  dlcmi
   management-type none
  back
  default-service
   pvc dlci 16
    vc-state active
   back
   ip address xxx.xxx.xxx.218 mask 255.255.255.252
    address-resolution arp-in-arp
    ospf area 0.0.0.0
    mtu 1480
   back
   arp
   back
  back
 back
back
Fragment of the 3640 config (there is extra stuff here too, to be honest):
!
interface Serial2/0
 ip address xxx.xxx.xxx.217 255.255.255.252
 ip access-group nasprotect out
 ip directed-broadcast
 encapsulation frame-relay
 ip ospf network broadcast
 no ip mroute-cache
 no keepalive
 no fair-queue
 frame-relay map ip xxx.xxx.xxx.218 16 broadcast IETF
!
router ospf 13227
 router-id aaa.aaa.aaa.234
 redistribute connected subnets
 redistribute static subnets
 network xxx.xxx.xxx.216 0.0.0.3 area 0.0.0.0
!
Nortel's ASN and BN-series routers also run BayRS, so I suppose this will work for them too.
===========================================================

7. TACACS,RADIUS,AAA

===========================================================
7.1>Q: Where do I get tacacs-plus? In source form?
>A: (Dmitriy Yermakov) In chorus :))
ftp://ftpeng.cisco.com/pub/tacacs - the original one from Cisco (ls does not work there; first get README, then get what you need). I was there recently - ls works.
ftp://ftp.east.ru/pub/inet-admins - patched with various goodies
ftp://ftp.vsu.ru/pub/hardware/cisco/tacacs - and another patched one; pppd is now separate from tac+ia, but next to it - tacpppd [08.09.2000]
>A: (Igor Prokopov) Where to get TACACS+ for NT? http://www.nttacplus.com NTTacPlus2 (a demo version is available for download). Radius Tacacs+ Available for Windows NT 4.0 and Windows 95/98. Works with ODBC (Access97), warns by e-mail when a limit is about to run out, can be a backup server, work with several Ciscos, keeps groups by privilege, etc. The full version costs money or is on warez ;)))
7.2>Q: Who knows how to limit the number of login prompts on a Cisco? That is, if the user answers the login/password wrong the first time, hang up right away instead of asking again and again. Most scripts do not provide for this anyway. My Cisco stubbornly asks three times. Leafing through the "Command Summary" brought no success. Maybe the ends need to be found in tacacs?
>A: (Alexey Kshnyakin) conf t; tacacs-server attempts N
7.3>Q: How do I collect/count statistics per interface?
>A: (Dmitriy Yermakov) you can count like this:
conf t
int X
 ip accounting
allow rsh to the Cisco, something like
ip rcmd rsh-enable
ip rcmd remote-host enable
and, from cron :)
/usr/bin/rsh cisco clear ip accounting
/usr/bin/rsh cisco sh ip accounting checkpoint > `/bin/date +"%Y%m%d%H%M"`
/usr/bin/rsh cisco clear ip accounting checkpoint
Since questions arose, another variant.
>A: (Konstantin D. Myshov)
1) Script:
#!/bin/sh
#[skip]
rsh -l loger cisco.domain.adr clear ip accounting
rsh -l loger cisco.domain.adr sh ip accounting checkpoint
#[skip to the end of the script :-)]
2) On the Cisco you say:
username specloger privilege 8 password 0 plane_text_password
! The password will be encrypted and shown as password 7 in sh ru
ip rcmd rsh-enable
ip rcmd remote-host loger REMOTE_IP_ADDRESS REMOTE_USER_NAME enable 8
privilege exec level 8 show ip accounting checkpoint
privilege exec level 1 show ip
privilege exec level 8 clear ip accounting
P.S. (Andrey Kuksa) kuksaa@chph.ras.ru it would also be good to enable no ip rcmd domain-lookup
P.P.S. (DY) The Cisco checks in-addr.arpa for the host the RSHELL request came from. If there is no IN PTR, it does not let you in. no ip rcmd domain-lookup disables this check. It is enabled by default.
P.P.P.S. see also 0.4>Q:
7.4>Q: How do I replace "Username:" with "login:"?
>A: (DY) There are two options: 1. In tac+ia this prompt can be redefined. 2. aaa authentication username-prompt [03.08.2000]
7.5>Q: rsh cisco show version gives me something like Undefined error
>A: (Alex Bakhtin) debug ip tcp rcmd [14.08.2000]
7.6>Q: aaa authentication banner "..." does not work when tacacs or radius is used for authentication
>A: (Alexandre Snarskii), sent by (Vladimir Kravchenko) try using banner login "..." [08.09.2000]
7.6>Q: Forwarding to ifcico, different ports - different hosts.
>A: (DY) closing the ifcico topic.
tacacs.conf
group = fido {
    after authorization "/usr/local/tacplus/emsi $user $port"
    login = none
    service = exec { }
}
user = **EMSI_INQC816 { member = fido }
user = **EMSI_INQC816q { member = fido }
user = **EMSI_INQC816**EMSI_INQC816q. { member = fido }
cat /usr/local/tacplus/emsi
#!/bin/sh
if [ "X$2X" = "Xtty3X" ]
then
    echo noescape=true
    echo autocmd="telnet host_1 60179 /stream"
else
    echo noescape=true
    echo autocmd="telnet host_2 60179 /stream"
fi
exit 2
[27.12.2000]
7.7>Q: How do I assign in/out ip access-lists on the user's interface when authenticating on radius?
>A: (Michael Korban)
Framed-Filter-Id="blabla.in"
Framed-Filter-Id="blabla.out"
===========================================================
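For the accounting files that the rsh/cron scripts in 7.3 save from sh ip accounting checkpoint, here is an added example (mine, not from the FAQ or from any of the tools it lists) that parses such a dump and summarizes it: bytes per source, the top talkers, and sources that fall outside the address space expected behind the interface. The row layout (Source, Destination, Packets, Bytes columns; other lines ignored) is my assumption about the format, and the sample text is constructed, not real router output.

```python
"""Added example, not from the FAQ: summarize a saved
`sh ip accounting checkpoint` dump (see 7.3).

Assumptions (mine): one row per source/destination pair with four columns
(source, destination, packets, bytes); any line that does not look like a
row, such as a header or an "Accounting data age" line, is skipped.
SAMPLE is constructed, not captured from a router."""
import ipaddress
import re
from collections import defaultdict

SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.168.1.10     10.0.0.5                      40                 2480
 192.168.1.10     10.0.0.9                    1200              1536000
 192.168.1.22     10.0.0.5                       3                  180
 172.16.4.4       10.0.0.5                     500               640000
Accounting data age is 14
"""

ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_checkpoint(text):
    """Return a list of (src, dst, packets, bytes) tuples; non-row lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, dst, pkts, nbytes = m.groups()
        rows.append((ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                     int(pkts), int(nbytes)))
    return rows


def bytes_by_source(rows):
    """Total bytes sent per source address (as a plain dict keyed by string)."""
    totals = defaultdict(int)
    for src, _dst, _pkts, nbytes in rows:
        totals[str(src)] += nbytes
    return dict(totals)


def top_talkers(rows, n=3):
    """The n sources with the most bytes, highest first (ties by address)."""
    totals = bytes_by_source(rows)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def sources_outside(rows, allowed):
    """Source addresses not inside any of the allowed networks: traffic that
    should not be appearing behind this interface (misrouted or spoofed)."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    return sorted({str(src) for src, *_ in rows
                   if not any(src in net for net in nets)})


if __name__ == "__main__":
    rows = parse_checkpoint(SAMPLE)
    print("rows:", len(rows))
    print("top talkers:", top_talkers(rows))
    print("unexpected sources:", sources_outside(rows, ["192.168.1.0/24"]))
```

Feeding the script the timestamped files produced by the cron job gives a per-period view; the last function is the useful security check, since an accounting dump on an "inside" interface should only ever show the inside prefixes as sources.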

8. Memory

===========================================================
[2000.10.12] 8.0> >A: (Alex Bakhtin) The amount of memory detected by IOS is shown in the output of sh ver as two numbers MEM1/MEM2, where MEM1 is the amount of process memory and MEM2 is the amount of I/O memory.
p.s. (DY) for example
6144K/2048K - 8Mb total
126976K/4096K - 128Mb total
8.1>Q: Which SIMMs can be put into a Cisco? I have tried everything, none fit. :-(
>A: (Vasily Ivanov) The SIMMs must have correctly soldered jumpers indicating the SIMM organization and the chip speed in nanoseconds (most Chinese manufacturers do not solder these jumpers). Here is a table that will help you do it:

Size   Organization      68  67  66  11
4Mb    512k*8/9          X   X   X   X
4Mb    1M*2/4/16/18      -   X   X   -
8Mb    2M*8/9            -   X   -   X
16Mb   2M*8/9            X   X   -   X
16Mb   4M*2/4/16/18      -   X   -   -

Speed  69  70
50ns   X   X
60ns   -   -
70ns   X   -

[X] marks the pins that must be connected to pin 72 of the SIMM; usually it is brought out right next to the jumpers. [-] is a free pin. Nowadays you can buy without problems 4 MB SIMMs with organization 1M*2/4/16/18 and 16 MB ones with organization 4M*2/4/16/18. 8 MB SIMMs with the standard organization 1M*2/4/16/18 do NOT work in Cisco routers!!! Nor does EDO RAM. NB!!! In the 25xx, SIMMs without parity _will_not_work_! Never.
>A: (Leonid Kirillov) I'll add a small correction from myself:
1. The SIMM must have a speed less than or equal to the speed of the RAM on the motherboard;
2. There are two kinds of motherboards: old and new. The old ones need SIMMs with parity, the new ones do not, since it is disabled on the motherboard. The difference is very simple - the fifth memory chip is not soldered in. Where to look for it is shown in the picture:

  --------------------------------|
  | =======SIMM==================  |
  | RAM1 RAM2 RAM3 RAM4 par | par  |
  |                    Cisco 2501  |

3. A dual-bank SIMM is seen as a single-bank one. This is how I made myself 16Mb of memory out of 32 (I really needed it :-). Works fine.
>A: (Kirill Osovsky) A bit more about SIMMs. For the 1600 - parity is undesirable - they will work, but then the on-board DRAM drops out. A dual-bank 8 Mb is seen and works as 8 Mb. For the 3620 - parity (as far as I understood) does not matter. A dual-bank 8 Mb is seen as dual bank, but the 3620 will not work with it (not allowed per the manual). The 3640 works with dual bank.
>A: (Dmitry Morozovsky) Another addition: the 36xx works with EDO (the 3640 for sure; the 3620, it seems, too). When an even number of identical SIMMs is installed, the 3640 switches to 64-bit mode, which increases performance but also increases memory consumption due to alignment.
P.S. (Basil Dolmatov) The 3620 understands only FPM. The 3640 understands EDO too.
8.2>Q: Tell me where else these 100-pin DIMMs that sit in the 2600 are found. Or where can one buy them? Two grand is not an option.
>A: (Dmitry Morozovsky) Memory for the HP LJ 4000 (100-pin EDO SODIMM) fits. Besides, you can get memory from practically any Micron, Transcend or Kingston dealer. With them, it is simply by catalogue.
P.S. The same applies to the MC3810. [04.07.2000]
8.3>Q: Could anyone tell me which SIMM memory fits the 4000 series (specifically, the 4500M+) and what to solder on it? I mean: edo/fpm, parity, number of chips.
>A: (Alexander Voropay) The 4500 takes the same memory as the 2500, both FLASH and DRAM. Packet DRAM is the same as System DRAM, and the more the better :-) Specifically, 72-pin SIMM, no EDO (FPM), real parity. The ID jumpers must be present. Better to take -60ns, although -70ns will do for System DRAM.
===========================================================

9. NTP, TZ

===========================================================
9.1>Q: How do I correctly set the timezone and synchronize time on the Cisco?
>A: (Vasily Ivanov) here is an example for Omsk (UTC+6):
clock timezone OMT 6
clock summer-time OMTS recurring last Sun Mar 3:00 last Sun Oct 3:00
And also:
1) the clock is set only if the time on the time server is set correctly; if the server is in the process of adjusting its own clock, the Cisco will wait for that process to finish.
2) setting the clock does not happen immediately, but takes 5-10 minutes. Wait a little.
>A: (Alec Voropay) for Moscow
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 3:00
9.2>Q: How do I make the Cisco synchronize time with some server and be an ntp server itself?
>A: (Maksim Malchuk)
ntp source interfaceX
ntp master 3
ntp server aaa.bbb.ccc.ddd
ntp server eee.fff.ggg.hhh
ntp server iii.jjj.kkk.lll
P.S. (Alex Bakhtin) ntp master 3 means that if all the ntp servers listed in the config disappear, the Cisco will consider itself a server with stratum 3.
P.P.S. (Sergey Romantsov) ntp master indicates that the router is one of the sources of "exact" time, so if it must hand out time to other devices, it must be declared master with the appropriate stratum value.
stratum=1 : an atomic clock
stratum=2 : a device directly connected to an atomic clock
stratum=3 : a device connected to such a device (see above)
and so on... up to 15.
stratum=16 : the device is not an authoritative time source.
===========================================================

10. NAT

===========================================================
10.1>Q: Is there a way, on a Cisco 2511 with IOS 11.3, to make all FTP and WWW connections from the local network (which has public internet addresses) originate from the address, say, 62.244.63.114? This is because when a connection is established from that address, the packets return via satellite.
>A: dimka@spy.ints.net (Dmitry Aksyonov) exactly for this case:
[..]
ip nat inside source list 111 interface Loopback4 overload
[..]
interface Loopback4
 ip address 62.244.63.162 255.255.255.255
[..]
interface Ethernet0
 ip nat inside
[..]
interface Serial0
 ip nat outside
[..]
access-list 111 permit tcp 194.44.58.0 0.0.0.255 any eq ftp
access-list 111 permit tcp 194.44.58.0 0.0.0.255 any eq ftp-data
access-list 111 permit tcp 194.44.58.0 0.0.0.255 any eq www
other ports to taste ;)
to see what happens - sh ip nat tra
10.2>Q: There are two networks: 192.N.N.0 and 193.N.N.80/28, and a Cisco 2509. I need to enable NAT so that users from the 192... network go into 193... . I am interested in the piece(s) of Cisco config, but only working and detailed.
>A: (Eugene A. Rakhmatulin) Below is a piece of a really working config (only the IPs are changed): there is a network 193.193.193.224/29 given by the provider and an internal network 192.168.1.0/24. For translation of all internal addresses except 192.168.1.2 the address 193.193.193.227 is allocated, and 192.168.1.2 gets a static translation to the address 193.193.193.230.
cs-2501# show running-config
[ .. ]
ip nat pool one 193.193.193.227 193.193.193.227 netmask 255.255.255.248
ip nat inside source list 1 pool one overload
ip nat inside source static 192.168.1.2 193.193.193.230
[ .. ]
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip broadcast-address 192.168.1.255
 ip nat inside
[ .. ]
!
interface Serial1
 description Link to Provider
 ip address 193.193.193.226 255.255.255.248
 ip nat outside
[ .. ]
access-list 1 permit 192.168.1.0 0.0.0.255
10.3>Q: The provider issued a single real address (instead of the previous address block) and during the transition period (3 days) I need to quickly reconfigure a Cisco 2509 for routing in the following configuration: Ethernet - connected directly with the single real address to the provider's router; Serial1 - faces (via a leased line) one physical network (~20 computers + a software router); Serial2 - faces another (~10 computers).
>A: (Ilya Geldiev)
ip nat translation timeout 1800
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 150
ip nat inside source list 101 interface Async8 overload
' ip nat inside source static tcp {Ethernet0-ip} 80 {Async8-ip} 80 extendable
' nothing more than forwarding web requests into the internal LAN
!
interface Ethernet0
 description connected to internal LAN
 ip nat inside
!
interface Async8
 description connected to ISP
 ip nat outside
!
interface Async9
 description connected to internal Remote Access
 dialer-group 1
!
interface Group-Async1
 description connected to Dial-inPCs_mobile
 ip nat inside
!
10.4>Q: Let traffic back in from the Internet into the LAN. Say, for mail - forward my Cisco's address with port 25 into the local segment to my mail server?
>A: CoreDumped@CoreDumped.null.ru
ip nat inside source static tcp int.ter.nsl.addr 25 ext.ter.nal.addr 25 extendable no-alias
===========================================================

11. Telco, ISDN

===========================================================
[20.10.2000] 11.0> Sorting out ISDN Layer 1,2. A compilation of several questions and answers. (Gosha Zafievsky)
In general, check everything against the docs. Cisco by default comes up as a user-side device.
If Layer 1 is not UP - check _thoroughly_ all cables and connections; look at sh controller e1 XX for errors. Errors can arise only from a mismatch in the crc/no-crc settings; other causes are extremely rare. As soon as the errors on the controller disappear, Layer 1 usually becomes ACTIVE.
Set isdn switch-type correctly.
If Layer 2 is TEI_ASSIGNED - set the network side correctly; it should be MULTIPLE_FRAME_ESTABLISHED. Do not take the telco people's word for it :) If on the other side there is dumb hardware that cannot do NETWORK-SIDE, install IOS 12.1.3T - that is where isdn protocol-emulate network appeared.
As soon as Layer 2 is MULTIPLE_FRAME_ESTABLISHED - everything should work. In clinical cases where Layer 2 does not come up - deb isdn q931 on the table for the nearest guru.
11.1>Q: AS5300 and Ericsson MD-110.
>A: (Aleksey Fedorov) I have an AS5300 connected to an Ericsson AXE-10 via r2-digital. In my case, for everything to be fine, you need to say:
cas-custom 0
 debounce-time 10
 seizure-ack-time 10
 country itu use-defaults
>A: (DY) works like this, but we struggled with the exchange for a long time.
controller E1 1
 clock source line secondary 1
 pri-group timeslots 1-31
!
interface Serial1:15
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn bchan-number-order ascending
 isdn sending-complete
!
11.2>Q: A 2610 refuses to call a Definity; on a call from the Definity the BRI comes up and immediately drops.
>A: (Gosha Zafievsky) On the Cisco, isdn switch-type basic-net3; in the Definity this BRI must be described as a data module or trunk, but not as a WCBRI station. Country protocol: etsi.
11.3>Q: isdn caller number, AS5300, Alcatel S12, ISDN PRI.
>A: "Victor L. Belov"
interface Serial0:15
 isdn switch-type primary-net5
 isdn protocol-emulate user
 isdn incoming-voice modem
 isdn sending-complete
and they arrive. ios 12.0.4-XH [13.06.2000]
11.4>Q: I have 3640 - E1R2 - AXE 10.
>A: (Vladimir A. Golovnin)
> controller E1 0/0
>  framing NO-CRC4
>  ds0-group 0 timeslots 1-15,17-31 type r2-digital r2-compelled
>  cas-custom 0
>   debounce-time 10
>   seizure-ack-time 10
>   dnis-digits min 1 max 2
>   ani-digits min 3 max 6
>  description First E1 line : connected to port 1
Mine is configured like this:
controller E1 0/0
 framing NO-CRC4
 ds0-group 0 timeslots 1-15,17-31 type r2-digital r2-compelled
 cas-custom 0
  country easteurope
  debounce-time 10
  release-guard-time 150
  seizure-ack-time 2
  dnis-digits min 1 max 3
  ani-digits min 0 max 3
  answer-guard-time 40
  ani-timeout 1
It seems to work, but somewhat crookedly. It worked even worse with seizure-ack-time = 8, and at 10 and above it did not pick up the line at all.
P.S. (Gosha Zafievsky)
VG> country easteurope
Careful with this one. I would start with country itu use-defaults. R2MFC in Cisco is a thing in itself...
11.5>Q: The following need arose - to connect two boxes over ISDN: a Zyxel Prestige-100 (that's an ISDN router) and a Cisco 2522CH. I just cannot get it to work. The Zyxel is the one that should dial, and it does dial; I even managed to get authentication by the pap protocol, but the protocol does not come up. As I understand it, the protocol should come up on BRI0:1 or BRI0:2, but it does not let me configure them separately, and if I say something about LeasedLine, it does not answer calls. What do I need to tell it to get 64 or 128 K over dial-up ISDN from this Zyxel?
>A: (Mark Gorovenko) The protocol will come up on Virtual-Access. I'll give a piece of a similar config. There is a lot of extra stuff in it; it was done so that it was possible to call different places, and that can be thrown out.
interface Virtual-Template1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 autodetect encapsulation ppp
 peer default ip address pool default
 no fair-queue
 ppp authentication chap pap callin
 ppp multilink
!
interface BRI0
 ip unnumbered Ethernet0
 encapsulation ppp
 no ip route-cache
 bandwidth 128
 dialer pool-member 1
 autodetect encapsulation ppp
 isdn incoming-voice modem 64
 isdn answer1 xxx
 isdn answer2 xxx
 isdn calling-number xxx
 peer default ip address pool default
 no cdp enable
 ppp authentication chap pap callin
!
interface Dialer0
 ip address xxxx
 encapsulation ppp
 bandwidth 64
 dialer remote-name xxx
 dialer idle-timeout 30
 dialer string xxx
 dialer load-threshold 1 either
 dialer pool 1
 dialer-group 1
 autodetect encapsulation ppp v120
 peer default ip address xxx
 no cdp enable
 ppp authentication chap pap callin
!
interface Dialer1
 ip unnumbered Ethernet0
 encapsulation ppp
 bandwidth 64
 dialer remote-name xxxx
 dialer idle-timeout 30
 dialer wait-for-carrier-time 15
 dialer string xxxxx
 dialer load-threshold 1 either
 dialer max-call 4
 dialer pool 1
 dialer-group 2
 peer default ip address xxx
 no cdp enable
 ppp authentication chap pap callin
!
ip local pool default xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxx
ip route xxxxxxxx 255.255.255.255 Dialer1
ip route xxxxxxxx 255.255.255.255 Dialer0
access-list 11 permit any
access-list 100 permit ip any host xxxxxx
virtual-profile virtual-template 1
dialer-list 1 protocol ip list 11
dialer-list 2 protocol ip list 100
===========================================================

13. SNMP

===========================================================
13.1>Q: Reboot the Cisco via snmp?
>A: (Oleh Hrynchuk)
snmp-server system-shutdown
and after that....
snmpset -c community -t 70 ip.addr.of.router .1.3.6.1.4.1.9.2.9.9.0 i 2
13.1>Q: Download cisco config via SNMP.
>A: Sent by (Oleh Hrynchuk) Using SNMP and the appropriate OID .1.3.6.1.4.1.9.2.1.55, postfix the IP address as the index for the OID. Use this "OID" as a string set value.
The string value will be the name of the file.
snmpset .1.3.6.1.4.1.9.2.1.55.10.10.20.20 string ""
The router will reward you with a nice log message and the file should appear on the tftp server (in this example, 10.10.20.20). Be careful as some UN*X tftp servers will not create files, but can only write to existing files (little security precaution). A much more interesting exercise is to get a router to read a config from a tftp server using only snmp...but we'll cover that some other time.
Tod Daniels
Greymatter, Inc. [17.01.2001]
>A: (Joe Hishon) I use a UNIX shell script. You need to have a tftp server also running. For example if your tftp server is at 192.168.1.1, and your target router is IP "$IP" and read-write community "$RW" then the important lines are:
'wr mem'
snmpset -c $RW $IP .1.3.6.1.4.1.9.2.1.54.0 integer 1
'wr net'
snmpset -c $RW $IP .1.3.6.1.4.1.9.2.1.55.192.168.1.1 octetstring routername-confg
for COS switches...
'wr net'
snmpset -c $RW $IP .1.3.6.1.4.1.9.5.1.5.1.0 octetstring 192.168.1.1
snmpset -c $RW $IP .1.3.6.1.4.1.9.5.1.5.2.0 octetstring routername-confg
snmpset -c $RW $IP .1.3.6.1.4.1.9.5.1.5.4.0 integer 3
===========================================================

14. Cables

===========================================================
14.1>Q: I heard there is a cable for connecting two Ciscos, DB60M <-> DB60M, but I could not find it anywhere on cisco.com?
>A: (Yuri Yuferev) http://www.pacificable.com/PicFrames/CABMMXHD60PicFrame.htm?
===========================================================

15. TROUBLESHOOTING

===========================================================
Are you going to cure "this"??? :) You need to show "sho mem" ;) In the FAQ one should write that memory has either run out or become fragmented.. :) It can be cured in different ways, depending on the real cause...
starting from the banal addition of memory or switching off functions that this box with this much memory cannot handle, continuing with optimization of memory-hungry functions using one's head, and finishing with changing the IOS to one in which ... this particular memory leak has been fixed (or not yet introduced :)
I/O mem in the 25xx series is _always_ 2 megs... :)
===========================================================

97. Software

===========================================================
Here are links to various software for Cisco and not only. Some may duplicate entries from other sections.
Accounting
  ipaccounting
  ipanalize
  ipacc from ss23
  Yura Pismerov
  http://www.mcs-cityline.net/~lf/ctm/
  http://www.ts.infn.it/computing/IPaccounting/
  http://linux.uatel.net/soft/iptrafsnmp/iptrafsnmp.phtml
NetFlow [27.12.2000]
  http://www.auckland.ac.nz/net/NeTraMet
  http://www.caida.org/Tools/Cflowd
  IPMeter
  OSU flow-tools
  NFC/java by John Gladkih
MONITORING
  mrtg
  rrdtool
ROUTING
  GateD
  Configs - snapshot
  GNU Zebra
  mrt
TACACS,RADIUS [27.12.2000]
  ftp://ftpeng.cisco.com/pub/tacacs - the original one from Cisco
  ftp://ftp.east.ru/pub/inet-admins
  ftp://ftp.vsu.ru/pub/hardware/cisco/tacacs
  http://www.nttacplus.com - TACACS for NT
  cistron
  livingston
  merit
  freeradius
  xtradius
  radius by vl
TUNNELs [27.12.2000]
  for FreeBSD (just found it somewhere) ftp://ftp.sut.ru/pub/dyer/tunnel (nos-tun is in the system itself)
  (Alexander A. Karpoff) - http://mike.spottydogs.org/projects/gre-tun
TOOLS
  dialout
  subnet calculator
  tftpd for !nix
===========================================================

98. IOS Black List/White List/Recommendations

===========================================================
[14.06.2000] 12.0(5)Tx. Friendly advice. Throw it out; it is _completely_ unfit for use. Alex Bakhtin
[15.06.2000] 3640 12.0(4)T - CEF is buggy. Badly. Dmitri Kalintsev
[05.09.2000] Vladislav Nebolsine: 12.1 (without a letter) is the tested and proven 12.0T (with a letter) into which all of its features have moved. And 12.1T (with a letter) has new features added (and support for new platforms), which over time will move into 12.2. There are features that did not make it into 12.1 because they were not in 12.0T but in 12.0XK. For example, Q.SIG support, which was in 12.0(5)XK and 12.0(7)XK, moved not into 12.1(1) but into 12.1(2)T. And a number of other features from various non-T images. Choose according to your needs (and flash size) and the presence of the required features in the image. The list of features in each version is in the documentation at www.cisco.com: http://www.cisco.com/univercd/cc/td/doc/product/index.htm
12.1(2a) - a good working version of IOS with full-fledged voice support. I don't remember who reported it.
12.1(3)T - different SNMP indexes on sub-if VLAN/ISL. -is- no longer fits into 8Mb Flash.
Basil (Vasily) Dolmatov - Mmm... I would not use IRB in early versions of 11.2 mainline ;)
[17.01.2001] Vladislav Nebolsine. The most stable _voice_ IOS today is 12.1(3a)XI5
[17.01.2001] in 90% of 12.1(x)T software, netflow export does not work on the 7206VXR
===========================================================

99. Misc

===========================================================
99.1>Q: How do I send a break to the Cisco?
    03 is the ambulance, 02 is the police, and break is not a character but a very long start bit (c) Michael Shestyriov
>A: (DY) RTFM for your terminal program :)
    cu, tip - ~#, ~%
    DOS Navigator - F4
>A: (Alec Voropay) http://www.cisco.com/warp/customer/701/61.html

99.2>Q: How do I recover a forgotten password (forgotten by the administrator, not by me) or change it to something else? Can this be done without losing the configuration?
>A: (Gosha Zafievsky) RTFM, specifically the User Guide, more specifically "Recovering a lost enable password". Yes.
    P.S. (DY) on Break - see above
>A: (Alec Voropay) http://www.cisco.com/warp/customer/701/22.html
[25.07.2000] >A: (Konstantin Gribakh) Cisco has collected all these procedures on one page: http://www.cisco.com/warp/public/474/index.shtml

99.3>Q: Is Cisco equipment certified by Minsvyazi (the Ministry of Communications)?
>A: (Serge Turchin) Yes, certificate numbers OS/1-SPD-59 to OS/1-SPD-91
    http://www.amt.ru/products/cisco/certificates/index_tmp.phtml
>A: (Denis Golovenko) OS/1-SPD-70 -- for models 2505/07/09/11/18
>A: (Vladislav Nebolsine) CIIIS has certified the following equipment:
    Routers
      Cisco 761, 765, 771, 775
      1001, 1003, 1005, 1601, 1603
      2501, 2503, 2505, 2507, 2509, 2511, 2512, 2514, 2518, 2520, 2522
      26xx
      3620, 3640
      4000, 4000M, 4500, 4500M, 4700, 4700M
      7204, 7206, 7505, 7507, 7513
      AS5200, AS5300
      MC3810
    Cache Engine
      LDIR-410, LDIR-420
    LAN switches
      Catalyst 1400, 1900, 2820, 29xx
      3000, 3100, 3200
      5000, 5002, 5500, 5505
    WAN switches
      LightStream 1010
      IGX8, IGX16, IGX32, IGX8410, IGX8420, IGX8430
      BPX8600
      MGX8220
    Firewalls
      Cisco PIX Firewall (protection class 3 under the certification system for information protection tools against information security requirements)
    P.S. (DY) Table matching equipment to certificates: http://www.comptek.ru/cisco/teach/certif.html
[05.01.2001] >A: (Ilia Zubkov) on certification of Catalyst switches
    On this subject: I have on my desk a copy of a letter from Volokitin, deputy minister of Minsvyazi (no reference number, dated 02.11.2000), to the Moscow Cisco office, saying, roughly, "In reply to your inquiry about the need to certify switches" of the Catalyst 1900, 2900XL, 3500XL, 4000, 6000 and 8500CSR types, "Minsvyazi informs you that the listed equipment is not subject to certification in the 'Elektrosvyaz' system, and its use does not prohibit commercial operation of the network when it is installed at communication nodes to connect equipment in the interconnected network over the Ethernet, FastEthernet and GigabitEthernet protocols". As I understand it, Minsvyazi should not refuse a copy of this letter to anyone who asks.
    P.S. (DY) Since this letter has no outgoing reference number, its status is not entirely clear.

[13.06.2000] 99.4>Q: How do I tell from the filename which IOS version it is: IP-only, IP/IPX or Enterprise?
>A: (Serge Turchin)
    *-i-*  - IP
    *-is-* - IP Plus
    *-d-*  - Desktop
    *-ds-* - Desktop Plus
    *-j-*  - Enterprise
    and so on. In 11.2 there is no IP/IPX, only Desktop; its price has been lowered compared with 11.1. The suffix a means APPN. In general, there is a decoding key somewhere on the server. The 1000-series kernels use a different scheme: n - Novell, b - AppleTalk, y - IP, q - asynchronous variant.
    > And one more thing: on the site, next to the versions, there were files 2-4 times smaller than the IOS images,
    > with the mysterious word boot in the name. Are these bootstrap only? :-)
    The 7500 and 4500-4700 have no boot system burned permanently into ROM. Instead there is a special so-called bootflash that holds a shortened version of the system.
>A: (Dmitriy Yermakov) It seems everything is described here: http://www.cisco.com/warp/public/620/1.html

99.5>Q: Is there R2 support for the 3600?
>A: (Vladislav Nebolsine) ***Hot News*** Announcing R2 support for the 3600 Digital Modems!! Hot News!!!
=========== Announcing R2 support for the 3600 family of Digital Modems =================================================
The 3600 team is pleased to announce R2 support for integrated Digital Modems on the popular Cisco 3600 series platform. This feature is available with the introduction of IOS 12.0(1)T.
This new feature supports the use of R2 signalling with the 3600 internal digital modems, enabling high-speed (up to 56 kbps) remote access for branch offices and small/mid-size ISPs who utilize this specific line-signalling protocol.
This announcement extends the range of connectivity options available for the 3600 Digital Modems, now supporting:
  PRI
  CAS (CT1)
  R2 (CE1)
By supporting this flexible range of signalling protocols, the 3600 digital modem solutions can now be deployed on a world-wide basis! A country list and mini Q&A follow.

Countries configurable with R2 on the 3600 (this is a subset of the supported 5300 R2 countries):
=================================
  Argentina
  Australia
  Brazil *
  China *
  Colombia
  Costa Rica
  Eastern Europe mode supports: Croatia, Russia *
  Ecuador (ITU and LME)
  Greece
  Guatemala
  Hong Kong (China and ITU variants)
  India
  Indonesia
  Israel *
  ITU mode supports: Denmark, Finland, Germany, Russia (ITU variant) *, Hong Kong (ITU variant), South Africa (ITU variant)
  Korea *
  Malaysia *
  Mexico (Telmex and Telnor) *
  New Zealand *
  Paraguay
  Peru
  Philippines
  Saudi Arabia
Note: All countries listed have been tested in house. Countries marked with a * have also been successfully tested in-country.

Mini Q&A
=========
Q. What is R2?
A. R2 is a signaling system (Q.422) used by a number of countries worldwide. This signaling system runs over an E1 carrier (2.048 Mb/s), containing 32 64 Kb/s timeslots, of which 30 timeslots can be used for digi
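The following is an added example for this FAQ, not code from the original page or from Cisco. It turns the feature-set letters from answer 99.4 into a small decoder for IOS image filenames, normalises the version field to the 12.1(3a)XI5 notation used throughout section 98, and checks each image against the two release families that section 98 flags (12.0(5)Tx in general, 12.0(4)T on the 3640). The filename layout platform-featureset-format.version.bin, the meaning of the format field and every sample filename are assumptions made for the example; the 1000-series letter scheme mentioned in 99.4 is not handled.

```python
"""Decode Cisco IOS image names and check them against the FAQ's release notes.

Added example for this FAQ; not code from the original page or from Cisco.
Feature-set letters follow answer 99.4. The name layout
platform-featureset-format.version.bin, the format-field meaning and all
sample names are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Feature-set codes as listed in answer 99.4.
FEATURE_SETS: Dict[str, str] = {
    "i": "IP",
    "is": "IP Plus",
    "d": "Desktop",
    "ds": "Desktop Plus",
    "j": "Enterprise",
    "boot": "boot image (shortened system kept in bootflash)",
}

# Release families flagged in section 98; platform None means any platform.
BLACKLIST: List[Tuple[str, Optional[str], str]] = [
    ("12.0(5)T", None, "12.0(5)Tx: unfit for use (section 98, 14.06.2000)"),
    ("12.0(4)T", "c3640", "CEF badly broken on 3640 (section 98, 15.06.2000)"),
]

# Assumed layout: <platform>-<featureset>-<format>.<MMm-maint[.TRAINn]>.bin
# e.g. c3640-is-mz.120-5.T1.bin -> c3640, IP Plus, 12.0(5)T1
_FILENAME = re.compile(
    r"^(?P<platform>[a-z]+\d+[a-z0-9]*)-(?P<feature>[a-z0-9]+)-(?P<format>[a-z]+)"
    r"\.(?P<ver>\d{2,3}-\d+[a-z]?(?:\.[A-Z]+\d*)?)\.bin$"
)
# Canonical release string as written on this page, e.g. 12.1(3a)XI5 or 12.0(7).
_RELEASE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)(?P<fix>[a-z]?)\)"
    r"(?P<train>[A-Z]+)?(?P<rebuild>\d+)?$"
)


@dataclass(frozen=True)
class Release:
    major: int
    minor: int
    maint: int
    fix: str      # interim letter: the "a" in 12.1(3a)
    train: str    # "" for mainline, else the train letters: T, XI, XK, ...
    rebuild: int  # trailing digit of a train release: the 5 in XI5 (0 if none)

    def __str__(self) -> str:
        text = f"{self.major}.{self.minor}({self.maint}{self.fix}){self.train}"
        return text + (str(self.rebuild) if self.rebuild else "")


def parse_release(text: str) -> Release:
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"not an IOS release string: {text!r}")
    return Release(int(m["major"]), int(m["minor"]), int(m["maint"]),
                   m["fix"], m["train"] or "", int(m["rebuild"] or 0))


def release_from_name_field(field: str) -> Release:
    """'121-3a.XI5' -> 12.1(3a)XI5, '120-7' -> 12.0(7)."""
    mm, _, rest = field.partition("-")
    maint, _, train = rest.partition(".")
    return parse_release(f"{mm[:-1]}.{mm[-1]}({maint}){train}")


def decode_feature(code: str) -> Tuple[str, bool]:
    """Map the feature field to a name; a trailing 'a' means APPN (99.4)."""
    appn = False
    if len(code) > 1 and code.endswith("a") and code[:-1] in FEATURE_SETS:
        code, appn = code[:-1], True
    return FEATURE_SETS.get(code, f"unknown feature set '{code}'"), appn


@dataclass(frozen=True)
class Image:
    platform: str
    feature_set: str
    appn: bool
    format_code: str  # e.g. "l", "mz": load/compression flags (assumed meaning)
    release: Release
    is_boot: bool


def parse_image_name(name: str) -> Image:
    m = _FILENAME.match(name)
    if not m:
        raise ValueError(f"unrecognised IOS image name: {name!r}")
    feature, appn = decode_feature(m["feature"])
    return Image(m["platform"], feature, appn, m["format"],
                 release_from_name_field(m["ver"]), m["feature"] == "boot")


def in_family(rel: Release, family: str) -> bool:
    """True if rel is `family` or an interim/rebuild of it, so that both
    12.0(5)T1 and 12.0(5a)T fall under '12.0(5)T' (the 'Tx' of section 98)."""
    f = parse_release(family)
    return (rel.major, rel.minor, rel.maint, rel.train) == (f.major, f.minor, f.maint, f.train)


def mainline_successor(rel: Release) -> Optional[str]:
    """Mainline release that absorbs a T-train release, per section 98:
    12.0T's features went into 12.1, 12.1T's go into 12.2."""
    return f"{rel.major}.{rel.minor + 1}" if rel.train == "T" else None


def audit(names: List[str]) -> Dict[str, Tuple[str, str, List[str]]]:
    """Return {name: (canonical release, feature set, blacklist notes)}."""
    report = {}
    for name in names:
        img = parse_image_name(name)
        notes = [note for fam, plat, note in BLACKLIST
                 if in_family(img.release, fam) and plat in (None, img.platform)]
        report[name] = (str(img.release), img.feature_set, notes)
    return report


# Constructed sample names, not taken from the FAQ.
SAMPLE_IMAGES = [
    "c2500-i-l.120-7.bin",
    "c3640-is-mz.120-5.T1.bin",
    "c3640-ja-mz.121-3a.XI5.bin",
    "c4500-boot-mz.113-11a.bin",
]

if __name__ == "__main__":
    for name, (rel, feat, notes) in audit(SAMPLE_IMAGES).items():
        print(f"{name:30} {rel:14} {feat:12} {'; '.join(notes) or 'ok'}")
```

Run it as a script to get one line per image; in_family deliberately ignores the interim letter and rebuild digit so that a blacklist entry such as 12.0(5)T covers every 12.0(5)Tx, and the blacklist entries are only the two stated in section 98, so extend BLACKLIST before relying on it for anything else.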