Câu hỏi kỹ thuật về mạng cisco thuờng gặp

  • 119 trang
  • file .pdf
From: Question 1
Subject: What does ``cisco'' stand for?
cisco folklore time:
At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present,
various factions within the company have adopted a capital ``C'', while fierce traditionalists
(as well as some others) continue to use the lowercase variant, as does the cisco Systems
logo. This FAQ has chosen to use the lowercase variant throughout.
cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early
days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were
trying to come up with a name they did many searches for non similar names, and always
came up
with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't
taken (although SYSCO may be confusingly similar sounding). There was an East Coast
company which later was using the ``CISCO'' name (I think they sold in the IBM
marketplace) they ended up having to not use the CISCO abberviation. Today many people
spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in
publications, etc. This lead to at least one amusing article headlined ``Cisco grows up''. This
winter we will celebrate our 10th year.
[This text was written in July of 1994 -jhawk]
From: Question 2
Subject: How do I save the configuration of a cisco?
If you have a tftp server available, you can create a file on the server for your router to write
to, and then use the write network command. From a typical unix system:
mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
myrouter#copy running-config tftp
Remote host []?
Name of configuration file to write [myrouter-confg]? myconfig
Write file foobar on host [confirm] y
From: Question 3
Subject: How can I get my cisco to talk to a third party router over a serial link?
You need to tell your cisco to use the same link-level protocol as the other router; by
default, ciscos use a rather bare variant of HDLC (High-level Data Link Control) all link-
level protocols use at some level/layer or another. To make your cisco operate with most
other routers, you need to change the encapsulation from HDLC to PPP on the
relevant interfaces. For instance:
sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
sewer-cgs#sh int s 1
Serial 1 is administratively down, line protocol is down
Hardware is MCI Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
If you're still having trouble, you might wish to turn on serial interface debugging:
sewer-cgs#ter mon
sewer-cgs#debug serial-interface
From: Question 4
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?
You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of
``encapsulation frame-relay'') on your serial interface that's running frame relay if your
frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf''
specifies that your cisco will use RFC1294-compliant encapsulation, rather than the default,
RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice
sanctioned by 1294 but deemed verbotten by 1490, namely padding of the nlpid). If only a
few routers in your frame relay cloud require this, then you can use the default
encapsulation on everything and specify the exceptions with the frame-relay map command:
frame-relay map ip 56 broadcast ietf
(ietf stands for Internet Engineering Task Force, the body which evaluates Standards-track
RFCs; this keyword is a misnomer as both RFC1294 and RFC1490 are ietf-approved,
however 1490 is most recent and is a Draft Standard (DS), whereas 1294 is a Proposed
Standard (one step beneath a DS), and is effectively obsolete).
From: Question 5
Subject: How can I use debugging?
The ``terminal monitor'' command directs your cisco to send debugging output to the
current session. It's necessary to turn this on each time you telnet to your router to view
debugging information. After that, you must specify the specific types of debugging you
wish to turn on; please note that these stay on or off until changed, or until the router
reboots, so remember to turn them off when you're done.
Debugging messages are also logged to a host if you have trap logging enabled on your
cisco. You can check this like so:
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level debugging, 69 message lines logged
Logging to, 69 message lines logged
If you have syslog going to a host somewhere and you then set about a nice long debug
session from a term your box is doing double work and sending every debug message to
your syslog server. Additionally, if you turn on something that provides copious debugging
output, be careful that you don't overflow your disk (``debug ip-rip'' is notorious for this).
One solution to this is to only log severity ``info'' and higher:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
logging trap info
The other solution is to just be careful and remember to turn off debugging. This is easy
enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging can load your router.
The console has a higher priority than a vty so don't debug from the console; instead,
disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little too vigorous with
debugging and the box is starting to sink, quickly run, don't walk to your console and kill
the session on the vty. If you are on the console your debugging has top prioority and then
the only way out is the power switch. This of course makes remote debugging a real sweaty
palms adventure especially on a crowded box.
From: Question 6
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?
Use the command
No ip domain-lookup
From: Question 7
Subject: How to use access lists
Where in the router are access lists applied?
In general, Basic access lists are executed as filters on outgoing interfaces. Newer releases
of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports.
Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming
interfaces in earlier releases. There are also special cases involving console access.
Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are
activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the
INTERFACE major command. Filters are applied after traffic has entered on an incoming
interface and gone through a routing process; traffic that originates in a router (e.g., telnets
from the console port) is not subject to
| |
| Routing |
|^ v Access |
|^ v Lists |
|^ v ^ v|
|^ v ^ v|
A----------->|-| |>>>>Access >>----------->B
|1 Group 2 |
<------------| |<-----------
| |
| |
Some types of ``filter,'' using ``filter'' as a broader class than ACCESS-LIST, can operate on
incoming traffic. For example, the INPUT- SAP-FILTER used for Novell networks is
applied to Service Advertisement Packets (SAP) seen at incoming interfaces. In general,
incoming filtering can only be done for ``system'' rather than user traffic.
Rules of thumb in defining access lists.
First, define what you want to do and in which directions. An informal drawing is a good
first step. As opposed to the usual connectivity drawings among routers, it's often
convenient to draw unidirectional links between routers.
Second, informally write out your filtering rules. In general, it is best to go from most
specific to least specific. Modify the order of writing things to minimize the number of rules
Third, determine which rules need to be on which routers.
Explicitly consider the direction of flow, and the possible existence of additional paths that
could inadvertently bypass a filter.
Can a cisco router be a ``true'' firewall?
This depends on the definition of firewall. Some writers (e.g., Gene Spafford in _Practical
UNIX Security_) define a firewall as a host on which an ``inside'' and/or an ``outside''
application process run, with application-level code linking the two. For example, a
firewall might provide FTP access to the outside world, but it would not also provide direct
FTP service to the inside world. To place a file on the FTP external server, a designated
user would explicitly log onto the FTP server, transfer a file to the server, and log off. The
firewall prevents direct FTP connectivity between the inside and outside networks; only
indirect, application-level connectivity is allowed. Firewalls of this sort are complemented
by chokes, which filter on network addresses and/or port numbers. Cisco routers cannot do
application-level control with access control lists. Other authors do not distinguish between
chokes and filters. Using the loose definition that a firewall is anything that selectively
blocks access from the inside to the outside, routers can be firewalls.
IP Specific
Can the ``operand'' field be used with a protocol keyword of IP to filter on protocol ID?
No. Operand filtering only works for TCP and UDP port numbers.
How can I prevent traffic for a certain Internet application to flow in one direction but not
the other?
Remember that Internet applications flow from client port to server port. Denying traffic
from port 23, for example, blocks flow from the client to the server.
| |
A----------->| |----------->B
|1 2|
<------------| |<-----------
| |
If we deny traffic to Port 23 of address B by placing a filter at interface 2, we have blocked
A's ability to telnet to B, but not B's ability to telnet to A. A second filter at interface A
would be needed to block telnet in both directions. Assume that we only have the filter at
interface 2. Telnets to A from B will not be affected because the filter at 2 does not check
incoming traffic.
With the arrival of in-bound access lists in 9.21, it should be noted that both inbound and
access lists are about equally efficient, in case any of you were wondering. It's worth
remembering that there are some kinds of problems that packet-filtering firewalls are not
best suited for. There's reasonably good information in:
Network (in)security through packet filtering"
From: Question 8
Subject: The cisco boot process
What really happens when a cisco router boots, from boot start to live interfaces?
First it boots the ROM os version. It reads the config. Now, it realizes that you want to
netboot. It loads the netbooted copy in on top of itself. It then re-initializes the box and re-
reads the config. Manly, yes, but we like it too....
[[ Ummm... in particular it loads the netbooted copy in as WELL as itself, decompresses it,
if necessary, and THEN loads on top of itself. Note that this is important because it tells
you what the memory requirements are for netbooting: RAM for ROM image (if it's a run
from RAM image), plus dynamic data structures, plus RAM for netbooted image. ]]
The four ways to boot and what happens (sort of):
I (from bootstrap mode)
The ROM monitor is running. The I command causes the ROM monitor to walk all of the
hardware in the bus and reset it with a brute force hammer. If the bits in the config register
say to auto-boot, then goto B
B (from bootstrap mode)
Load the OS from ROM. If a name is given, tell that image to start silently and then load a
new image. If the boot system command is given, then start silently and load a new image.
Does some delay stuff to let the power settle. Goto I.
reload (from the EXEC)
Goto I.
From: Question 09
Subject: How should I restrict access to my router?
Many admins are concerned about unauthorized access to their routers from malicious
people on the Internet; one way to prevent this is to restrict access to your router on the
basis of IP address.
Many people do this, however it should be noted that a significant number of network
service providers allow unrestricted access to their routers to allow others to debug,
examine routes, etc. If you're comfortable doing this, so much the better, and we thank you!
If you wish to restrict access to your router, select a free IP access list (numbered from 1-
100) -- enter ``sh access-list'' to see those numbers in use.
yourrouter#sh access-list
Standard IP access list 5
permit, wildcard bits
Next, enter the IP addresses you wish to allow access to your router from; remember that
access lists contain an implicit "deny everything" at the end, so there is no need to include
that. In this case, 30 is free:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#access-list 30 permit
(This permits all IP addreses in the network, i.e. 172.30.*.*). Enter multiple lines
for multiple addresses; be sure that you don't restrict the address you may be telnetting to
the router from.
Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply
the access list to. In this example, I want lines 2 through 12:
yourrouter#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 CTY - - - - - 0 0 0/0
1 AUX 9600/9600 - - - - - 1 3287605 1/0
* 2 VTY 9600/9600 - - - - 7 55 0 0/0
3 VTY 9600/9600 - - - - 7 4 0 0/0
4 VTY 9600/9600 - - - - 7 0 0 0/0
5 VTY 9600/9600 - - - - 7 0 0 0/0
6 VTY 9600/9600 - - - - 7 0 0 0/0
7 VTY 9600/9600 - - - - 7 0 0 0/0
8 VTY 9600/9600 - - - - 7 0 0 0/0
9 VTY 9600/9600 - - - - 7 0 0 0/0
10 VTY 9600/9600 - - - - 7 0 0 0/0
11 VTY 9600/9600 - - - - - 0 0 0/0
12 VTY 9600/9600 - - - - - 0 0 0/0
Apply the access list to the relevant lines:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#line 2 12
yourrouter(config-line)# access-class 30 in
yourrouter(config-line)# ^Z
(This apply access list 30 to lines 2 through 12. It's important to restrict access to the aux
port (line 1) if you have a device (such as a CSU/DSU) plugged into it.a)
Be sure to save your configuration with ``copy run start”
Please note that access lists for incoming telnet connections do NOT cause your router to
perform significant CPU work, unlike access lists on interfaces.
From: Question 10
Subject: What can I do about source routing?
What *is* source routing?
Soure routing is an IP option which allows the originator of a packet to specify what path
that packet will take, and what path return packets sent back to the originator will take.
Source routing is useful when the default route that a connection will take fails or is
suboptimal for some reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.
Unfortunately, source routing is often abused by malicious users on the Internet (and
elsewhere), and used to make a machine (A), think it is talking to a different machine (B),
when it is really talking to a third machine (C). This means that C has control over B's ip
address for some purposes.
The proper way to fix this is to configure machine A to ignore source-routed packets where
appropriate. This can be done for most unix variants by installing a package such as Wietse
Venema, ,'s tcp_wrapper:
For some operating systems, a kernel patch is required to make this work correctly (notably
SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which
turns all source routing off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell soimetime in mid-1994.
If disabling source routing on all your clients is not posssible, a last resort is to disable it at
your router. This will make you unable to use ``traceroute -g'' or ``telnet
@hostname1:hostname2'', both of which use LSRR (Loose Source Record Route, 2 IP
options, the first of which is a type of source routing), but may be necessary for some. If so,
you can do this with
foo-e-0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo-e-0(config)#no ip source-route
It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding
of source-routed packets through the router, for all interfaces, as well as source-routed
packets to the router (the last is unfortunate for the purposes of ``traceroute -g'').
From: Question 11
Subject: Is there a block of private IP addresses I can use?
In any event, RFC 1918 documents the allocation of the following addresses for use by
``private internets'': - - -
Most importantly, it is vital that nothing using these addresses should ever connect to the
global Internet, or have plans to do so. Please read the above RFCs before considering
implementing such a policy.
As an additional note, some Internet providers provide network-management services,
statistics gathering, etc. It is unlikely (if at all possible) that they would be willing to
perform those services if you choose to utilize private address space.
With the increasing popularity and reliability of address translation gateways, this practice
is becoming more widely accepted. Cisco has acquired Network Translation, who
manufacture such a product. It is now available as the Cisco Private Internet Exchange.
With it, you can use any addressing you want on your private internet, and the gateway will
insure that the invalid
addresses are converted before making out onto the global Internet. It also makes a good
firewall. Information on this product is available at
From: Question 12
Subject: How do I interpret the output of ``show version''?
Typing ``show version'' or ``show hardware'' yields a response like:
prospect-gw.near.net>sh version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
System-type (imagename) Version major.minor(release.interim)[who] Desc
System-type: type of system the software is designed to run on.
imagename: The name of the image. This is different (slightly) for
run-from-rom, run-from-flash, and run-from-ram images, and also
for subset images which both were and will be more common.
"Version": text changes slightly. For example, if an engineer gives you
a special version of software to try out a bug fix, this will say
experimental version.
Major: Major version number. Changes (in theory) when there have been
major feature additions and changes to the softare.
Minor: minor version number. Smaller but still signficant feature added.
(in reality, cisco is not very sure what the difference between
"major" and "minor" is, and sometimes politics gets in the way,
but either of these "incrementing" indicates feature additions.)
EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is
the base, 9.14 adds specical feature for low end systems, 9.17
added special features specific the high end (cisco-7000) This
was an experiment that we are trying not to repeat.
release: increments (1 2 3 4 ...) for each maintenance release of released
software. Increments for every compile in some other places.
interim: increments on every build of the "release tree", which happens
weekly for each release, but is only made into a generically
shipping maintenance release every 7 to 8 weeks or so.
[who]: who built it. Has "fc 1" or similar for released software.
has something like [billw 101] for test software built Bill
Westfield ([email protected]).
Desc: additional description.
The idea is that the image name and version number UNIQUELY identify
a set of sources and debugging information somewhere back at cisco,
should anything go wrong.
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
Image text-base: 0x00001000, data-base: 0x00463EB0
Copyright, compilation date (and by whom), as well as the
starting address of the image.
ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)
The version of ROM bootstrap software, and the version of IOS
in ROM.
prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
How long the router has been up, and why it restarted.
System image file is "sse-current", booted via flash
How the router was booted.
RP (68040) processor with 16384K bytes of memory.
Type of processor.
G.703/E1 software, Version 1.0.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
Bridging software.
ISDN software, Version 1.0.
Various software options compiled in.
1 Silicon Switch Processor.
2 EIP controllers (8 Ethernet).
2 FSIP controllers (16 Serial).
1 MIP controller (1 T1).
8 Ethernet/IEEE 802.3 interfaces.
16 Serial network interfaces.
128K bytes of non-volatile configuration memory.
4096K bytes of flash memory sized on embedded flash.
Hardware configuration.
Configuration register is 0x102
Lastly, the "configuration register", which may be set via
software in current releases...
From: Question 13
Subject: When are static routes redistributed?
In the simple case, any static route *in the routing table* is redistributed if the ``redistribute
static'' command is used, and some filter (set with either ``route-map'' or ``distribute-list
out'') doesn't filter it out.
Whether the static route gets into routing table depends on:
Whether the next hop address is reachable (if you use static route pointing to a next hop)
OR Whether the interface is up (if you use static route pointing to an interface).
If one of these is true, an attempt is made to add the route to the routing table; whether that
succeeds depends on the administrative distance of the route -- a lower administrative
distance (the route is "closer") than a preexisting route will cause the preexisting route to be
From: Question 14
Subject: When is the next hop of a route considered ``reachable''?
When a static route is added, or during an important event (eg: interface up/down
transition), the next hop for a route is looked up from the routing table (i.e. recursive
routing). As a consequence, if a route which is depended upon for evaluation of the next
hop of a static route goes away, a mechanism is required to remove that (now-invalid) static
route. Scanning all static routes each time the routing table changes is too expensive, so
instead, a period timer is used. One a minute, static routes are added and removed from the
routing table based on the routes they depend upon. It should be noted that a particular static
route will be reevaluated when its interface transitions up or down.
From: Question 15
Subject: How do name and phone number of ``dialer map'' interfere?
How do name and phone number of `dialer map' interfere?
We use the telephone number first actually. If the caller id matches the telephone number
to call, then you don't need the 'name' parameter with a phone number. I realized that the
above is ambiguous, so let's do this. You have:
dialer map ip x.x.x.x name