�FAQ FIDO- RU.CISCO�
�RU.CISCO FAQ�
FAQ FIDO- RU.CISCO,
newsgroup comp.dcom.sys.cisco, inet-admins
.
RU.CISCO.
, , q/a.
FAQ - Dmitriy Yermakov, dyer@sut.ru, 2:5030/1115
- 17 2001.
, dyer@sut.ru
http://cube.sut.ru/~dyer/faq/cisco.html
ftp://ftp.east.ru/pub/inet-admins/cisco.txt
DISCLAIMER.
Cisco-
tech-support by e-mail or netmail.
0.
1. Sync,Async,AUX,Callback
2. FR
3. X25
4. ACL
5. Traffic-shape
6. Routing
7. TACACS,RADIUS,AAA
8. Memory
9. NTP, TZ
10. NAT
11. Telco, ISDN
13. SNMP
14. Cables
15. TROUBLESHOOTING
97. Software
98. IOS Black Lis/White List/Recommendations
99. Misc
===========================================================
===========================================================
0.1>Q: - Cisco ?
>A: :)
UniverCD, .
http://www.cisco.com
http://www-europe.cisco.com
[11.09.2000] UniverCD.
A>:(Dmitry Morozovsky) '' DocCD Cisco - gzip-compressed
------- httpd.conf:
Action text/gzipped /cgi-bin/gzcat.cgi?
AddHandler text/gzipped .html .htm
------- gzcat.cgi:
#!/bin/sh -
echo "Content-type: text/html"
echo ""
HF=${DOCUMENT_ROOT}/$REQUEST_URI
if [ -r $HF ]; then
gzcat -f $HF
else
echo "No such file, sorry"
fi
>A: Win2k (Sergey Zarubin)
From: "Evan Wagner"
Newsgroups: comp.dcom.sys.cisco
Subject: Re: Windows 2000 & Cisco CD
Date: Thu, 20 Apr 2000 23:04:18 -0400
To get the Cisco documentation to work under Windows 2000:
Run regedit
Export your registry (as a precaution)
Locate the Windows 2000 Registry Key:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/IE4/Setup/Path
Change the value from "%programfiles%\Internet Explorer" to the location
where IE is installed on your system, for example "D:\Program Files\Internet
Explorer"
Uninstall the Cisco Documentation CD
Delete the old install directory
Reinstall the Cisco documentation CD and you should be good to go.
>A:
Cisco Systems and Cisco Routers in a Nutshell
http://www.clark.net/pub/rbenn/cisco.html
: McGraw-Hill Beta Books
http://www.pbg.mcgraw-hill.com/betabooks/betabooks-home.html
>A: (Dmitriy Yermakov)
-
http://relcom.eu.net/INFO/NOC-IP/FAQ/faq.html
DEOle
http://www.deol.ru/~bog/work/cisco_access.html
Sample Configurations www.cisco.com
http://www.cisco.com/warp/public/700/tech_configs.html
Guide to Cisco Router Configuration
http://www.primenet.com/~web/router/cisco-configuration.html
Cisco .
http://www.parkline.ru/Library/koi/CISCO/
TACACS-FAQ - http://www.easynet.de/tacacs-faq
AV-pairs TACACS - http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23/csnt23ug/ap_tacac.htm
CISCO-FAQ - comp.dcom.sys.cisco Frequently Asked Questions
http://cube.sut.ru/~dyer/faq/cisco-networking-faq.txt
ftp://ftp.east.ru/pub/inet-admins/cisco-networking-faq.txt
CISCO-FAQ Cisco - http://www.cisco.com/warp/public/458/index.shtml
mailing-list inet-admins http://info.east.ru/win/inetadm.html /. Cisco.
FAQ http://www.sunshine.dp.ua/os/reports/ciscofaq.html
RU.CISCO http://www.opennet.ru/base/cisco
[07.09.2000] >A: Martin McFlySr
Google http://cisco.google.com/cisco
[18.09.2000] Cisco Press "S.Zaytsev"
0.2>Q: RU.CISCO ?
>A: (Dmitriy Yermakov)
http://www.dejanews.com :)
0.3>Q: IOS ?
>A: (Denis Saveliev)
ftp://ftpeng.cisco.com/isp
P.S. (DY) - IOS .
[13.06.2000] 0.4>Q: NetFlow ?
>A: (DY)
Cisco http://www.cisco.com/warp/public/732/netflow
NetFlow.
http://www.auckland.ac.nz/net/NeTraMet
http://www.caida.org/Tools/Cflowd
, - .
http://www.ipmeter.com
() NeTraMet.
[05.09.2000] http://www.switch.ch/tf-tant/floma/software.html#netflow
>A: (Vladislav Nebolsine)
-
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/policyrt.htm
.
===========================================================
===========================================================
1.1>Q: Cisco 2509 IFCICO !
>A: (Dmitriy Yermakov)
TACACS . .
username **EMSI_INQC816 nopassword
username **EMSI_INQC816 autocommand telnet [host] [port_ifcico] /stream
/stream
banner login # **EMSI_REQA77E #
/
>A: (Alecsey Gusev)
username **EMSI_INQC816 nopassword noescape
username **EMSI_INQC816 autocommand telnet
username **EMSI_INQC816**EMSI_INQC816q. nopassword noescape
username **EMSI_INQC816**EMSI_INQC816q. autocommand telnet
username **EMSI_INQC816q nopassword noescape
username **EMSI_INQC816q autocommand telnet
username **EMSI_TZP16B2 nopassword noescape
username **EMSI_TZP16B2 autocommand telnet
banner login # **EMSI_REQA77E #
>A: (Alecsey Gusev)
Argus'a **EMSI_TZP16B2,
argus .
[19.07.2000] (Sergei Shumakov) .
-TZP16B2-
, , **EMSI_REQA77E.
>A: ifcico (Maksim Malchuk)
*** session.c.orig Wed Dec 27 16:22:31 1995
- --- session.c Tue Feb 13 08:48:13 1996
***************
*** 163,168 ****
- --- 163,170 ----
SM_ERROR;
}
+ PUTSTR("**EMSI_INQC816\r");
+
p=buf;
/*PUTSTR(" \r");*/
PUTCHAR('\r');
1.2>Q: Dialout service for unix NAS'a .
>A: Alex Tutubalin, Vadim Mikhailov
Win95/NT
http://www.cisco.com - dialout serice .
FreeBSD,Linux
modemu-0.0.1 /dev/ttyXX .
2000+n.
H , ?
(AT): H 2000+n p flow control. dialout 6000+n.
nettty - - http://www.livingston.com
>A: (Leonid Kirillov)
Win'95/3.x/NT
http://www.cisco.com/univercd/cc/td/doc/product/access/dialout/index.htm.
.
1.3>Q: - - ,
, ? , -
, Dialer Group? , ;)
>A: (Vasily Ivanov)
5000+
p rotary .
1.4>Q: - AUX. :
line aux 0
location TESTING
access-class 1 in
password line anything
script reset reset-modem
modem InOut
transport preferred none
transport input all
transport output none
stopbits 1
rxspeed 19200
txspeed 19200
flowcontrol hardware
, ,
- , ,
. H , .
.
, AUX? IOS 11.2.
>A: (Sergey Zhuk)
line aux 0
login local
modem Dialin
terminal-type vt100
stopbits 1
rxspeed 38400
txspeed 38400
flowcontrol hardware
... ...
inout ...
1.5>Q: 20xx, 40xx, 60xx Cisco ?
>A: (Dmitri Beloslioudtsev)
telnet:
Telnet port 20xx
Telnet raw port 40xx
Telnet binary port 60xx
A>: (Eugene Zhilitsky)
30, 50, 70 - , rotary.
1.6>Q: All, 2503 p AUX
p . H
ppp p p p
p.
>A: (Dmitry Morozovsky)
int a0
ip unn e0
enc ppp
keep 10
asy mode dedicated
asy def rou
asy dyn rou
li a 0
speed 38400
flow hard
esc NONE
stopbits 1
( reverse telnet modem inout & tran in
telnet)
1.7>Q: NT, Win c - ?
>A: (Alexander Karpoff)
ppp 95, NT .
- http://www.mindspring.com/~kewells/net/
*.inf.
[19.07.2000] (zaruba@artelecom.ru)
ftp://ftp.zelax.ru/pub/soft/mdmzelax.inf
http://www.zelax.ru/faq/faq76.html
P.S. (DY) , NT - X.25 pad.
P.P.S. (DY) mdm3640t.inf - http://cube.sut.ru/~dyer/faq/mdm3640t.inf.txt - :)
>A: (DY) ( - )
=============================================================================
* Area : RU.WINDOWS.NT (RU.WINDOWS.NT)
* From : Dmitry Vashkovsky, 2:5020/168.121 ( 26 1997 19:23)
* Subj : NT&
=============================================================================
VB> %SUBJ%?
VB> NT4+SP3+RAS&Routing+Motorola Premier 33.6
, :)
,
nt . ,
,
null modem, . H x25.
ras
pad.inf nt3.51 modem.inf
( ! nt4 null modem)
,
;----------------------------------------
[Null Modem 33600]
CALLBACK_TIME=10
DEFAULTOFF=
MAXCARRIERBPS=33600
MAXCONNECTBPS=33600
COMMAND=
CONNECT=
;----------------------------------------
Install X25 Pad
Null Modem, , ,
dial out tcp/ip :)
dialup 25
(
). .
, .
modem.inf nt3.51 pad.inf
( 19200, )
ftp:\\www.advance.com.ru .
Dmitry dva@skydive.ru http:\\www.advance.com.ru/skydiver
:
=============================================================================
>A: (DY)
- http://www.mindspring.com/~kewells/net/
.
, .
-
modemcap entry usr_ll:FD=&f1&l1:AA=A
line X
modem autoconfigure type usr_ll
Win,WinNT
.
AT&F1
AT&W
1.
( - advanced/extra settings)
AT&L1
2.
X3T1
( ,
Leased Line)
- http://www.psc.ru/sergey/TehSerenada/CISCO/ONLINE/wint4ll.html
1.8>Q: - ,
DNS ? , .
>A: (Sergiy Zhuk)
async-bootp dns-server 192.168.3.100 192.168.3.110
DNS ^^^
async-bootp nbns-server 192.168.3.2 192.168.2.2
netbios (wins)
1.9>Q: 3640 Mica-modem 30
1 . sh use
> 66 tty 66 pupkin ...
> 55 tty 55 vasya ...
1 ..
line bchannel, .
>A: (Andrew Lun)
sh modem csm
1.10>Q: Cisco 1005.
. , pls, ?
>A: (Dmitry Morozovsky)
1005 sync-async .
H 2520/2522 -- physical-layer async
(, , SNMP ).
1.11>Q: uucp-.
>A: (DY) RADIUS inet-admins, .
a. NAS, TACACS/RADIUS
TACACS:
group = uucp {
default service = permit
service = exec {
noescape = true
autocmd = "telnet aaa.bbb.ccc.ddd 540 /stream"
}
}
RADIUS, (Dmitry Morozovsky)
/var/spool/uucp/public/.rhosts:
nas0 ciscoTS
nas1 ciscoTS
(Basil Dolmatov) - NAS "ciscoTS"...
...
NAS: (Taras Heychenko)
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
b. Clients
sys taylor-uucp
myname client
system host
time any
call-login uuclient
call-password cl.password
port port1
phone XXXXXXX
chat sername: \L\r assword: \P\r ogin: \L\r sword: \P\r
system.pat UUPC/@
200 gGt N g(%L_GWSIZE%,%L_GPSIZE%)/g(%R_GWSIZE%,%R_GPSIZE%) ""
\W20\c name--name--name \p\p\L sword:-\L-sword:-\L-sword:-\L-sword: \p\P
->-> \crlogin\sUUHOST\r ogin--ogin--ogin \p\p\L sword:-\L-sword:-\L-sword: \p\P
UUHOST
autocommand "->-> \crlogin\sUUHOST\r "
1.12>Q: Cisco Windows
>A: (Vyacheslav V. Fedorov)
H Cisco 2511:
version 11.
service exec-callback
...
aaa authentication login execcheck tacacs+
aaa authentication ppp ppp_list tacacs+
...
interface Async2
ip unnumbered Ethernet0
ip tcp header-compression passive
encapsulation ppp
async mode interactive
peer default ip address x.x.x.x
ppp callback initiate
ppp authentication chap ppp_list
....
line 2
autoselect during-login
autoselect ppp
script modem-off-hook offhook
script callback idc
login authentication execcheck
modem InOut
transport input all
escape-character NONE
callback forced-wait 30
callback nodsr-wait 10000
stopbits 1
rxspeed 57600
txspeed 57600
flowcontrol hardware
.....
H tacacs+:
tacacs.config
user= mylogin {
global = cleartext "xxxxxxxxxx"
service=ppp protocol = lcp {
callback-dialstring = 388888
}
service=ppp protocol=ip {
}
service=exec {
callback-dialstring = 388888
callback-line=2
nocallback-verify=1
}
}
>A: (Dmitry Valdov)
, ,
callback-dialstring = ""
:
cisco:
service exec-callback ( ,
callback .)
....
chat-script dial ABORT ERROR TIMEOUT 50 "" "AT" "OK" "ATD\T" "CONNECT"
....
interface group-async 1
ppp authentication pap
ppp callback accept
...
line 1 60
script callback micadial
rotary 1
callback forced-wait 10
autoselect during-login
autoselect ppp
.....
:
group = callback {
.....
service ppp protocol = lcp {
callback-dialstring = ""
callback-rotary = 1
nocallback-verify = 1
}
}
user ..... {
member = callback service = exec {
.....
callback-dialstring = "" nocallback-verify = 1 callback-rotary = 1
}
}
callback cbcp .
, . H
.
>A: (Andy Igoshin)
ftp://ftp.vsu.ru/pub/hardware/cisco/callback
1.13>Q: 1?
>A: (Gosha Zafievsky), (Oleh Hrynchuk)
pp ( 5300 & 3600):
controller E1 ZZZ
linecode hdb3 |
framing CRC4 | pp p. p
clock source line primary | H 3600 12.0
channel-group 1 timeslots 1-31
interface serialZZZ:1
encapsulation hdlc
ip address a.b.c.d x.y.z.t
ip route 0.0.0.0 0.0.0.0 serialZZZ:1
ZZZ p ...
1.14>Q: M p IP p AUX p p
' H ( p -), ?
>A: (??), (Oleh Hrynchuk)
. - cisco3640 Ethernet.
,
RJ-45 - DB-25
1-5
2-6,8
3-3
4-7
5-7
6-2
7-20
8-4
. .
[13.06.2000] 1.14>Q: async ?
>A: (Mathey M. Teplov)
, , :
1) modem autoconfigure no modem autoconfigure
2) , 115200 8,n,1
!
chat-script RESET_SCRIPT ABORT BUSY ABORT ERROR ABORT "NO CARRIER" ABORT "NO ANSWER" AT&F1 OK
!
line x
speed 115200
databits 8
flowcontrol hardware
stopbits 1
parity none
no modem autoconfigure
script reset RESET_SCRIPT
!
F1 Courier :
&A3&B1&C1&D2&G2&H1&I0&K1&L0&M4&N0&P1&R2&S0&T5&X0&Y0%N6
F1.
.
[05.09.2000] 1.15>Q: Callback
>A: (Eugene Crosser)
http://www.tartu.customs.ee/linux/callback.shtml
. H , .
===========================================================
===========================================================
2.1>Q: Frame Relay & Unnumbered interface
- p p , IP unnumbered
FrameRelay subinterfaces . .
>A: (Alex Tutubalin)
pp :
Interface Serial 0
no ip address
frame-relay lmi-type ansi
Interface Serial 0.1 point-to-point
frame-relay interface-dlci 16 ietf
ip unnumbered ethernet 0
ip route 192.168.111.48 255.255.255.240 Serial 0.1
C p p FreeBSD + Cronyx Sigma-22.
pp :
cxconfig cx0 hdlc fr +extclock
ifconfig cx0 192.128.111.49 195.54.222.201
route add default 192.168.111.201
.49 - Ethernet
.201 - Ethernet Cisco
>A: (Alex Zinin)
unnumbered
. -- .
-- ip unnumbered
, Cisco p-t-p.
WAN .
.. hdlc - ptp, ppp-ptp, slip-ptp, fr-ptm, x25-ptm, smds-ptm
-- dialer.
data-link
.
,
p-t-m p-t-p p-t-m .
p-t-p unnumbered.
===========================================================
===========================================================
- Eugene Zhilitsky, .
3.1>Q:
[DOS-COM1]--a1[Cisco2509]--[Cisco2522]-- -[?]--[UNIX-APP]
H Cisco2522 TCP X.25, 2509
telnet . H, H
, .
binary stream, telnet /stream
.
x29 profile aaaa 2:0 3:0 4:100 7:21 11:14, .
>A: (Eugene Zhilitsky)
4:100 - , 100*0.05=5 !
1. stream.
2. x29 profile aaa 1:0 2:0 3:2 4:5 5:0 8:0 9:0 10:0 12:0 15:0 22:0
3:2 - "", ^M ,
( ). 3:0.
3. (a1[Cisco2509]), :
escape-character NONE
telnet transparent
4. , - noesc.
5. H vty, :
escape-character NONE
telnet transparent
6. :
terminal-type download
RU.CISCO ( :-(.
H :-))))) .
3.2>Q: 25?
>A: : labp (hdlc) 25
, DTE/DCE -
__. , ,
(lapb) __,
- __.
3.3>Q: , 25-box' " ",
. ?
>A: 256
. H, 25-box' :
- 4
H Two-way VC - 1
Two-way VC - 16
:
x25 ltc 1025
x25 htc 1040
3.4>Q: 25-, ,
Username: ( exec). ?
>A: 25 x25
address Serial. Call User Data (cud)
. , , 25
.
3.5>Q: - .
>A: x25 address Serial.
. ,
.
25 , ,
, .
3.6>Q: ! . H ,
Call User Data (cud) ,
cud exec.
>A:
x25 routing
x25 route alias Serial
3.7>Q: H y p Cisco <--> Eicon X.25.
p Cisco.
PPP Frame Relay y, X.25 . .
>A: (john gladkih)
direct connection?
interface Serial1
description x.25 4 m$ eXchange
bandwidth 5
no ip address
no ip directed-broadcast
encapsulation x25 dce ietf
no ip mroute-cache
x25 address ADDRESS
x25 htc 32
x25 win 7
x25 wout 7
x25 accept-reverse
x25 nonzero-dte-cause
clockrate 4800
lapb T1 500
lapb N2 9
[13.06.2000] 3.8>Q: "" translate
translate x25 03 cud 4411 profile NUL ppp ............
>A: (Vasily Ivanov)
p, .. p p
p p. p .
p translate x25 12345 virtual-template 1.
p p http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcpt.htm
[05.09.2000] 3.9>Q: pad
xot x.25
facilities xot . ?
. 12.1 ;) (
annex-g? 12.1 )
>A: (john gladkih)
ok. annex-g, x25 switch:
service pad to-xot
service pad from-xot
service tcp-keepalives-in
service tcp-keepalives-out
!
frame-relay switching
!
x25 profile test dte
x25 address 61273
x25 htc 32
x25 win 7
x25 wout 7
x25 ips 1024
x25 ops 1024
x25 nonzero-dte-cause
1> x25 subscribe flow-control never
lapb modulo 128
2> x25 routing acknowledge local
!
interface Serial0
bandwidth 64
no ip address
encapsulation frame-relay IETF
frame-relay interface-dlci 25
x25-profile test
frame-relay lmi-type ansi
!
x25 route ^6127305 xot 10.10.0.21 xot-keepalive-period 10
3> x25 route .* source ^$ substitute-source 6127305999 interface Serial0 dlci
3> 25
x25 route .* interface Serial0 dlci 25
1> flow-control
.
2> .
3> pad call xot c src address src
6127305999
xot :
x25 route ^612.* xot 10.10.0.118 xot-keepalive-period 10
xot-keepalive-period .
===========================================================
===========================================================
4.1>Q: access-lists .
.
aaa.bbb.ccc.ddd, naa.nbb.ncc.ndd - .
wba.wbb.wbc.wbd - wildcard bits
!!! access-list netmask, wildcard bits.
, -
WB=255-NM
, netmask 255.255.255.0 access-list
0.0.0.255
! deny all RFC1597 & default
no access-list 101
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! deny ip spoofing
access-list 101 deny ip aaa.bbb.ccc.ddd wba.wbb.wbc.wbd any
! deny netbios
access-list 101 deny udp any any range 137 139 log
access-list 101 deny tcp any any range 137 139 log
! deny Back-Orifice
access-list 101 deny udp any any eq 31337 log
! deny telnet
access-list 101 deny tcp any any eq telnet log
! deny unix r-commands and printer, NFS, X11, syslog. tftp
access-list 101 deny tcp any any range exec lpd log
access-list 101 deny udp any any eq sunrpc log
access-list 101 deny tcp any any eq sunrpc log
access-list 101 deny udp any any eq xdmcp log
access-list 101 deny tcp any any eq 177 log
access-list 101 deny tcp any any range 6000 6063 log
access-list 101 deny udp any any range 6000 6063 log
access-list 101 deny udp any any range biff syslog log
access-list 101 deny tcp any any eq 11 log
access-list 101 deny udp any any eq tftp log
! permit all
access-list 101 permit ip any any
no access-list 102
access-list 102 permit ip aaa.bbb.ccc.ddd wba.wbb.wbc.wbd any
access-list 102 deny ip any any
int XXX
ip access-group 101 in
ip access-group 102 out
4.2>Q: , , access-list' (
-
http e-mail) Cisco - 1601 .
>A: (Alex Bakhtin)
. -:
1. , .
2. , .
FAQ, , ,
. H
, ,
. ,
,
. ,
- IMHO.
access-list, __ ,
.
.
H , ,
. :
! ! ! ! !
!www !mail!ftp!binkd! -
! ! ! ! !
! ! ! ! ! ""
------------!----!----!---!-----!----------------------------------------
www.qq.ru ! X ! ! ! !
relay.qq.ru ! ! X ! ! !
ftp.qq.ru ! ! ! X ! !
any ! ! ! ! X !
/
,
.
. :
a. . host
10.0.1.1/32 __ subnet
10.0.1.0/24. -
any.
b. , a. , -
( www, relay ftp
, any),
,
.
, www ,
-
ftp.
, , ,
( ;-))
access-list.
.
ip access-list extended Firewall
permit tcp any host www.qq.ru eq www
permit tcp any host relay.qq.ru eq smtp
permit tcp any host ftp.qq.ru eq ftp
permit tcp any any eq 24554
deny ip any
any. , access-list .
, access-list?
deny ip any any log
,
-, //syslog
, . , ,
(
), access-list.
:
%SEC-6-IPACCESSLOGP: list firewall denied tcp xxx.xxx.xx.xx(1418) ->
%xxx.xxx.xxx.xx(23), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(4000) ->
%xxx.xxx.xxx.xx(1038), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) ->
%xxx.xxx.xxx.xx(1041), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) ->
%xxx.xxx.xxx.xx(1044), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) ->
%xxx.xxx.xxx.xx(1047), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xx.xx(49869) ->
%xxx.xxx.xxx.xx(33456), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xx.xx(49869) ->
%xxx.xxx.xxx.xx(33458), 1 packet
;) H ___
domain - dns . active ftp -
. access-, ,
, , ;) ,
established. ; - .
===================
ip access-list extended firewall
permit tcp any any eq smtp ; smtp
permit tcp any any eq domain ; dns
permit udp any any eq domain ;
permit tcp any any eq 22 ; ssh
permit tcp any host fido.qq.ru eq 24554 ; binkd
permit tcp any any established ;
permit tcp any host www.qq.ru eq www ; www-
permit tcp any host images.qq.ru eq www
permit tcp any host www.qq.ru range 8100 8104 ;
permit tcp any host images.qq.ru range 8100 8104
permit udp any any eq ntp ; ntp
permit tcp any any range 40000 44999 ; :-((
permit tcp any any eq ident
permit icmp any any
permit tcp any eq ftp-data any gt 1024; active-ftp
deny ip any any log
===================
4.3>Q: transparent-proxy ?
>A: (DY)
http://squid.nlanr.net/Squid/FAQ/FAQ-17.html
4.4>Q: Dynamic ACL.
>A: (Oleh Hrynchuk)
You can use timed access-lists in IOS 12.x
You will need the router to synch to a clock source
for accuracy though..
for example:
int ser0/0
ip access-group 101 in
!
access-list 101 remark --FOR THE QUAKE 3 PLAYERS AT THE OFFICE--
access-list 101 permit udp any any range 27850 27999 time-range lunchtime
access-list 101 deny any any
!
time-range lunchtime
periodic weekdays 12:00 to 14:00
periodic weekend 00:00 to 23:59
!
ntp source loopback0
ntp server
!
[13.06.2000] 4.5>Q:
?
>A: (Gosha Zafievsky)
access-list 11 permit host 192.168.1.1
line vty 0 4
access-class 11 in
===========================================================
===========================================================
5.1>Q: ftp- ?
>A: (Vasily Ivanov)
Active-FTP
access-list 115 permit tcp host 123.123.123.123 eq ftp-data any gt 1023
Passive-FTP
access-list 115 permit tcp host 123.123.123.123 any eq ftp
5.2>Q: traffic-shape tun ?
>A: (DY)
4000.
interface Tunnel1
ip address xxx.xxx.xxx.xxx 255.255.255.252
tunnel source aaa.aaa.aaa.aaa
tunnel destination bbb.bbb.bbb.bbb
!
interface Ethernet0
ip address aaa.aaa.aaa.aaa 255.255.255.224 secondary
traffic-shape group 122 32000 8000 8000 1000
!
no access-list 122
access-list 122 permit ip host aaa.aaa.aaa.aaa host bbb.bbb.bbb.bbb
access-list 122 deny ip any any
P.S. Vyacheslav Furist
access-list 122 permit gre host aaa.aaa.aaa.aaa host bbb.bbb.bbb.bbb
5.3>Q: ?
>A: "Boris Mikhailov"
policyroute, .
11.2(- 12~13) traffic-shap
( ).
access-list 180 p, p
interface Loopback1
ip address 192.168.11.1 255.255.255.255
traffic-shape rate 64000
!
interface Serial0
ip policy route-map incoming-packets
!
access-list 180 permit ip any 192.168.1.0 0.0.0.255
!
route-map incoming-packets permit 10
match ip address 180
set interface Loopback1
5.4>Q: Bandwith, queue
>A: (Alex Bakhtin)
,
custom queuing, byte-count. queue length
. . , queue-list:
c4000-m#sh queueing custom
Current custom queue configuration:
List Queue Args
1 1 byte-count 6000
1 2 byte-count 3000
1 3 byte-count 4500
1500. , bandwith
. , ,
- ,
. , 17 -
1. 1500 0 ( )
2. 6000 1
3. 3000 2
4. 4500 3
5. 1500 4
.....
17. 1500 16
, 4
- . ,
S=1500(q0)+6000(q1)+3000(q2)+4500(q3)+1500(q4)=16500
, Q0
B0=1500/16500~=9% BW
B1~=36% BW
B2~=18% BW
B3~=28% BW
B4~=9% BW
. , bandwith
byte-count, indirectly,
.
, ,
. , byte-count
, -
. , -
.
,
;