Last-modified: 1 November 1994
Version: 1.0
This FAQ is edited by John Hawkinson, . I've been
rather remiss in FAQ maintenance and editing from July, through
October, but hopefully this should now be remedied.
New stuff (please look this over):
20. How are packets switched?
21. How does one interpret buffer statistics?
22. How should I restrict access to my router?
23. What can I do about source routing?
24. Is there a block of private IP addresses I can use?
Old administrivia:
There should eventually be an html version of this FAQ
available. Question should also be numbered, and perhaps divided into
subcategories for large things (like ntp...); also, they need to be
sorted.
Please contribute answers to the questions in the Todo section! If your
answer is somewhat complicated, posting would probably be best (to
comp.dcom.sys.cisco). Otherwise, e-mail it to cisco-faq@panix.com.
Please note that a LOT of these questions have been hanging around
for some time, and if knowledgable people (including myself)
could take the time to answer a few of them, that'd help.
This draft FAQ is in RFC1153 digest format, so you can follow each
question with your newsreader. I suppose that question-numbers should
be moved to the From: field. Note that Date: fields represent
last-modification times for the questions.
Table of Contents
=================
1. How can I contact cisco?
2. What is this newsgroup?
3. What does ``cisco'' stand for?
4. How do I save the configuration of a cisco?
5. Where can I get ancillary software for my cisco?
6. Is there a World-Wide-Web (www) information source?
7. How can I get my cisco to talk to a third party router over
8. How can I get my cisco to talk to a 3rd-party router over Frame Relay?
9. How can I use debugging?
10. How can I use NTP (Network Time Protocol) with my cisco?
11. Sample Cisco NTP Configurations
12. How do I avoid the annoying DNS lookup if I have misspelled a command?
13. Tracing bad routing information
14. How to use access lists
15. The cisco boot process
16. Where can I get Cisco hardware?
17. Where can I get IETF documents (RFCs, STDs, etc.)?
18. Future features in cisco software
19. How do cisco routers rate performance-wise?
20. How are packets switched?
21. How does one interpret buffer statistics?
22. How should I restrict access to my router?
23. What can I do about source routing?
24. Is there a block of private IP addresses I can use?
25. Acknowledgements.
todo:
=====
* How to configure TACACS
* What is SNMP and how can I use it? What software is available and how do
I use Cisco enterprise MIBs? MIBs on ftp.cisco.com and CIO.cisco.com
* Pointers to other s/w that's particularly useful in this sort
of routing environment (like Charley Kline's VLSM program).
* Pointers to other net resources, like comp.protocols.tcp-ip, RFCs,
the firewalls mailing list, etc (bgpd?[or is it cidrd now? :-)]).
* Hints about confusing and not-well documented things like xtacacs...
* Comments on interoperability issues WRT other vendors.
* What's SMARTnet, why should I subscribe, how much does it cost,
and what do I get?
* What should I name my router, my interfaces, etc.?
* Should we adjust the buffer parameters on the routers? What should
be the indicator before tunning the buffer parameters? How should
one fine tune the buffer parapeters?
* what routing protocol should I use?
* what is the real purpose of the network subcommand of
router commands? When do I not want to include a network
I know about?
* What is a VLSM and why would I want one? What supports
them?
* What is CIDR and why do I care (or a more general acronym decoder) ?
* How do I configure my Cisco to use variable-length subnetting ?
* What are some methods for conserving IP addresses for
serial lines?
* Is there a block of private network numbers I can use
within my organization only? When should I use them?
How do I access them from outside?
* What do I do if I have to partition a network number?
* Questions and answers about access lists
access-list reference list (lots of questions on that)
* I forgot to mention that routing DECnet over X.25 is a problem.
* Where PD network applications for SLIP/PPP are.
* What is HSRP and how does it work? When is it available (10.0)
(Hot Standby Routing Protocol)
* Should I run 9.1, 9.21, 10.0, 10.2, or what?
Actual content.
===============
------------------------------
From: Question 1
Date: 31 October 1994
Subject: How can I contact cisco?
Corporate address:
cisco Systems
170 West Tasman Drive
San Jose, CA 95134
The following phone numbers are available:
Technical Assistance Center (TAC) +1 800 553 2447
(553 24HR)
+1 800 553 6387
+1 408 526 8209
Customer Service (Documentation, Warranty & +1 800 553 6387
Contract Services, Order Status
Engineering +1 800 553 2447
(553 24HR)
On-site Services, Time & Materials Service +1 800 829 2447
(829 24HR)
Corporate number / general +1 408 526 4000
Corporate FAX (NOT tech support) +1 408 526 4100
The above 800 numbers are US/Canada only.
cisco can also be contacted via e-mail:
tac@cisco.com Technical Assistance Center
tac-euro@cisco.com European TAC
cs-rep@cisco.com Literature and administrative (?) requests
cs@cisco.com *UNRELIABLE*, special-interest, ``non-support''
Please follow the directions available on CIO before doing this.
cisco provides an on-line service for information about their routers
and other products, called CIO (cisco Information Online). telnet to
cio.cisco.com for more details.
The collective experience of this FAQ indicates that it is far wiser to
open a case using e-mail than FAXes, which may be mislaid, shredded,
etc.
For those of you still in the paperfull office (unlike the rest of us),
cisco Systems' new corporate address is:
170 West Tasman Drive
San Jose, CA 95134
------------------------------
From: Question 2
Date: 26 July 1994
Subject: What is this newsgroup?
comp.dcom.sys.cisco, which is gatewayed to the mailing list
cisco@spot.colorado.edu, is a newsgroup for discussion of cisco
hardware, software, and related issues. Remember that you can also
consult with cisco technical support.
This newsgroup is not an official cisco support channel, and should
not be relied upon for answers, particularly answers from cisco
Systems employees.
Until recently, the mailing list was gatewayed into the newsgroup,
one-way. It is possible that this arrangement may resume at somet time
in the future.
------------------------------
From: Question 3
Date: 31 October 1994
Subject: What does ``cisco'' stand for?
cisco folklore time:
At one point in time, the first letter in cisco Systems was a
lowercase ``c''. At present, various factions within the company have
adopted a capital ``C'', while fierce traditionalists (as well as some
others) continue to use the lowercase variant, as does the cisco
Systems logo. This FAQ has chosen to use the lowercase variant
throughout.
cisco is not C.I.S.C.O. but is short for San Francisco, so the story
goes. Back in the early days when the founders Len Bosack and Sandy
Lerner and appropriate legal entities were trying to come up with a
name they did many searches for non similar names, and always came up
with a name which was denied. Eventually someone suggested ``cisco''
and the name wasn't taken (although SYSCO may be confusingly similar
sounding). There was an East Coast company which later was using the
``CISCO'' name (I think they sold in the IBM marketplace) they ended
up having to not use the CISCO abberviation. Today many people spell
cisco with a capital ``C'', citing problems in getting the lowercase
``c'' right in publications, etc. This lead to at least one amusing
article headlined ``Cisco grows up''. This winter we will celebrate
our 10th year.
[This text was written in July of 1994 -jh]
------------------------------
From: Question 4
Date: 31 October 1994
Subject: How do I save the configuration of a cisco?
If you have a tftp server available, you can create a file on the
server for your router to write to, and then use the write network
command. From a typical unix system:
mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
myrouter#write net
Remote host [10.7.0.63]? 10.7.0.2
Name of configuration file to write [myrouter-confg]? foobar
Write file foobar on host 10.7.0.2? [confirm] y
Additionally, there's a Macintosh TFTP server available:
ftp://nic.switch.ch/software/mac/peterlewis/tftpd-100.sit.hqx
Additionally, you can also use expect, available from:
ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
ftp://ftp.cme.nist.gov/expect/expect.tar.gz
or, in shar form from ftp.cisco.com.
Expect allows you to write a script which telnets to the router and
performs a ``write terminal'' command, or any other arbitrary set of
command(s), using a structured scripting language (Tcl).
------------------------------
From: Question 5
Date: 5 July 1994
Subject: Where can I get ancillary software for my cisco?
Try ftping to
ftp://ftp.cisco.com/pub
It's a hodgepodge collection of useful stuff, some maintained and some
not. Some is also available from
ftp://cio.cisco.com
Vikas Aggarwal has a very customised tacacsd:
A new version of xtacacsd is available via anonymous FTP from
'ftp.navya.com' (128.121.50.145) under pub/vikas/xtacacsd.shar.
This version should also be available from ftp.cisco.com soon.
------------------------------
From: Question 6
Date: 26 July 1994
Subject: Is there a World-Wide-Web (www) information source?
You can try the www homepage of this FAQ:
http://www.panix.com/cisco-faq [still not there yet]
or the cisco Educational Archive (CEA) home page:
http://sunsite.unc.edu/cisco/cisco-home.html
or the cisco Information Online (CIO) home page:
http://www.cisco.com/
------------------------------
From: Question 7
Date: 5 July 1994
Subject: How can I get my cisco to talk to a third party router over
a serial link?
You need to tell your cisco to use the same link-level protocol as the
other router; by default, ciscos use a rather bare variant of HDLC
(High-level Data Link Control) all link-level protocols use at some
level/layer or another. To make your cisco operate with most other
routers, you need to change the encapsulation from HDLC to PPP on the
relevant interfaces. For instance:
sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
^Z
sewer-cgs#sh int s 1
Serial 1 is administratively down, line protocol is down
Hardware is MCI Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
If you're still having trouble, you might wish to turn on serial interface
debugging:
sewer-cgs#ter mon
sewer-cgs#debug serial-interface
------------------------------
From: Question 8
Date: 27 July 1994
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?
You should tell your cisco to use ``encapsulation frame-relay ietf''
(instead of ``encapsulation frame-relay'') on your serial interface
that's running frame relay if your frame relay network contains a
diverse set of manufacturers' routers. The keyword ``ietf'' specifies
that your cisco will use RFC1294-compliant encapsulation, rather than
the default, RFC1490-compliant encapsulation (other products, notably
Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verbotten
by 1490, namely padding of the nlpid). If only a few routers in your
frame relay cloud require this, then you can use the default
encapsulation on everything and specify the exceptions with the
frame-relay map command:
frame-relay map ip 10.1.2.3 56 broadcast ietf
^^^^
(ietf stands for Internet Engineering Task Force, the body which
evaluates Standards-track RFCs; this keyword is a misnomer as both
RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and
is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step
beneath a DS), and is effectively obsolete).
------------------------------
From: Question 9
Date: 26 July 1994
Subject: How can I use debugging?
The ``terminal monitor'' command directs your cisco to send debugging
output to the current session. It's necessary to turn this on each time
you telnet to your router to view debugging information. After that,
you must specify the specific types of debugging you wish to turn on;
please note that these stay on or off until changed, or until the
router reboots, so remember to turn them off when you're done.
Debugging messages are also logged to a host if you have trap logging
enabled on your cisco. You can check this like so:
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level debugging, 69 message lines logged
Logging to 198.7.0.2, 69 message lines logged
sl-panix-1>
If you have syslog going to a host somewhere and you then set about a
nice long debug session from a term your box is doing double work and
sending every debug message to your syslog server. Additionally, if you
turn on something that provides copious debugging output, be careful
that you don't overflow your disk (``debug ip-rip'' is notorious for
this).
One solution to this is to only log severity ``info'' and higher:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
logging trap info
The other solution is to just be careful and remember to turn off
debugging. This is easy enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging
can load your router. The console has a higher priority than a vty so
don't debug from the console; instead, disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little
too vigorous with debugging and the box is starting to sink, quickly
run, don't walk to your console and kill the session on the vty. If
you are on the console your debugging has top prioority and then the
only way out is the power switch. This of course makes remote
debugging a real sweaty palms adventure especially on a crowded box.
Caveat debugger!
Also, if you for some reason forget what the available debug commands
are and don't have a manual handy, remember that's what on-line help
is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under
9.21 and above, that gives you general categories, and you can check
for more specific options by specifying the category: ``debug ip ?''.
As a warning, the ``logging buffered'' feature causes all debug
streams to be redirected to an in-memory buffer, so be careful using
that.
Lastly, if you're not sure what debugging criteria you need, you can
try ``debug all''. BE CAREFUL! It is way useful, but only in a very
controlled environment, where you can turn off absolutely everything
you're not interested in. Saves a lot of thinking. Turning it on on
a busy box can quickly cause meltdown.
------------------------------
From: Question 10
Date: 5 July 1994
Subject: How can I use NTP (Network Time Protocol) with my cisco?
>What level of software is required for NTP support in
>a Cisco router?
9.21 or above.
>Which Cisco routers support NTP?
It is a software feature exclusively. Anything that supports
9.21 or 10 will run NTP (when running that s/w).
>How do I set it up?
The basic hook is:
ntp server [version n]
or
ntp peer [version n]
depending on whether you want a client/server or peer relationship.
There's a bunch of other stuff available for MD5 authentication,
broadcast, access control, etc. You can also use the
context-sensitive help feature to puzzle it out; try ``ntp ?'' in
config mode.
You'll also want to play with the SHOW NTP * router commands. Here
are two examples.
EXAMPLE 1:
router# show ntp assoc
address ref clock st when poll reach delay offset disp
+~128.9.2.129 .WWVB. 1 109 512 377 97.8 -2.69 26.7
*~132.249.16.1 .GOES. 1 309 512 357 55.4 -1.34 27.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
EXAMPLE 2:
router#show ntp stat
Clock is synchronized, stratum 2, reference is 132.249.16.1
nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
clock offset is -1.34 msec, root delay is 55.40 msec
root dispersion is 41.29 msec, peer dispersion is 28.96 msec
For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.
For broader NTP info, see ftp://louie.udel.edu:pub/ntp/doc. The file
clock.txt in that directory has info about various public NTP servers.
There is also information on radio time receivers that can be
connected to an NTP server (this is handy on private networks, if you
have an entire campus to get chiming, or if you become a hard core
chimer).
The ``ntp clock-period'' command is added automagically to jump-start
the NTP frequency compensation when the box is rebooted. This is
essentially a representation of the frequency of the crystal used as
the local timebase, and may take several days to calculate otherwise.
(Do a ``write mem'' after a week or so to save a good value.)
Caveat: Note that the CS-500 will not be able to achieve quite the same
level of accuracy as other platforms, since its hardware clock
resolution is roughly 242Hz instead of the 1MHz available on other
platforms. In practice this shouldn't matter for anyone other than
true time geeks.
----------------------------------------------------------------------
From: Question 11
Date: 5 July 1994
Subject: Sample Cisco NTP Configurations
You will need to substitute your own NTP peers, timezones, and GMT
offsets into the examples below, of course. Example 1 is in US Central
Time Zone, while example 3 is in US Pacific Time Zone. Both account
for normal US Daylight Savings Time practices.
EXAMPLE 1 (Charley Kline):
...
clock timezone CST -6
clock summer-time CDT recurring
ntp source eth 0
ntp peer
ntp peer
ntp peer
...
EXAMPLE 2 (Tony Li):
...
ntp source Ethernet0/0
ntp update-calendar
ntp peer
ntp peer prefer
...
EXAMPLE 3 (Dave Katz):
...
service timestamps debug datetime localtime
service timestamps log datetime localtime
clock timezone PST -8
clock summer-time PDT recurring
interface Ethernet0
ip address
ntp broadcast
ntp clock-period 17180319
ntp source Ethernet0
ntp server
ntp server
ntp server
COMMENTS ON EXAMPLE 3:
The config file is commented with date and time (and user id,
if TACACS is enabled) when the system thinks the clock is accurate.
I've enabled timestamping of debug and syslog messages. I send NTP
broadcast packets out onto the local ethernet. I'm in Pacific
Standard Time, with U.S. standard daylight saving time rules. I use
the IP address of the ethernet as the source for all NTP packets.
------------------------------
From: Question 12
Date: 5 July 1994
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?
By default, all lines are configured to automatically try a telnet
connection if the first word in a input line is not recognized as a
valid command. You can disable this by setting ``transport preferred
none'' on every line (con, aux and vty). For instance:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
line vty 0 10
transport preferred none
You can see the number of vty's currently configuered with ``show lines''
Also, you can suspend connect attempts with ^^ followed by ``x'', ie
shift-cntrl-6 x.
[It has been suggested that ``no ip ipname-lookup'' to turn off IEN116
helps. I think this is the default -jh ]
------------------------------
From: Question 13
Date: 31 Oct 1994
Subject: Tracing bad routing information
or: How do I find out which non-Cisco systems on my networks generate IP-RIP
information without letting them mess up my routing tables.
Here you could work with a default administrative distance.
Administrative distance is the basis upon which the cisco prefers
routing information of one protocol over another. In this example:
router rip
network 192.125.254.0
distance 255
distance 120 192.125.254.17 ! list all valid RIP suppliers
[...]
the value 255 has the implicit meaning of not putting this information
into the routing table. Therefore, setting an administrative distance
of 255 means that all RIP suppliers are by default accepted but their
information is not put into the routing table. The administrative
distance for the router 192.125.244.17 has been reset to the default
(for RIP) of 120, causing its routes to be accepted into the routing table.
Then you can look them up with ``show ip protocols'' and restore the
original administrative distance for the ones you want to fill in the
routing table.
The same results can be acheived with an ip access-list, but with
that, ``show ip protocols'' will only show the valid ones. But often
it is more useful to see which systems were generating routing
information at all.
This trick works for other routing protocols as well, but please select
the proper adminstrative distance (rather than 120) for the protocol
you're using.
------------------------------
From: Question 14
Date: 5 July 1994
Subject: How to use access lists
[The following is wholesale included; at some point it'll
probably be editted a bit and reformatted... -jh]
Frequently Asked Questions
contributed by Howard C. Berkowitz
PSC International
hcb@world.std.com
@clark.net [probably will be my permanent
personal account]
PSC's domain is in mid-setup
Where in the router are access lists applied?
In general, Basic access lists are executed as filters on
outgoing interfaces. Newer releases of the Cisco code, such as
9.21 and 10, do have increased ability to filter on incoming ports.
Certain special cases, such as broadcasts and bridged traffic,
can be filtered on incoming interfaces in earlier releases.
There are also special cases involving console access.
Rules, written as ACCESS-LIST statements, are global for the entire
Cisco box; they are activated on individual outgoing interfaces by
ACCESS-GROUP subcommands of the INTERFACE major command.
Filters are applied after traffic has entered on an incoming
interface and gone through a routing process; traffic that originates in
a router (e.g., telnets from the console port) is not subject to
filtering.
+-------------------+
| GLOBAL |
| |
| Routing |
| ^ v Access |
| ^ v Lists |
+-^--v--------^---v-+
| ^ v ^ v |
| ^ v ^ v |
A----------->|-| |>>>>Access >>----------->B
|1 Group 2 |
<------------| |<-----------
| |
| |
+-------------------+
Some types of ``filter,'' using ``filter'' as a broader class than
ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-
SAP-FILTER used for Novell networks is applied to Service Advertisement
Packets (SAP) seen at incoming interfaces. In general, incoming
filtering can only be done for ``system'' rather than user traffic.
Rules of thumb in defining access lists.
First, define what you want to do and in which directions. An
informal drawing is a good first step. As opposed to the usual
connectivity drawings among routers, it's often convenient to draw
unidirectional links between routers.
Second, informally write out your filtering rules. In general, it
is best to go from most specific to least specific. Modify the order of
writing things to minimize the number of rules needed.
Third, determine which rules need to be on which routers.
Explicitly consider the direction of flow, and the possible existence of
additional paths that could inadvertently bypass a filter.
Can a Cisco router be a ``true'' firewall?
This depends on the definition of firewall. Some writers (e.g.,
Gene Spafford in _Practical UNIX Security_) define a firewall as a
host on which an ``inside'' and/or an ``outside'' application process run,
with application-level code linking the two. For example, a firewall
might provide FTP access to the outside world, but it would not also
provide direct FTP service to the inside world. To place a file on
the FTP external server, a designated user would explicitly log onto
the FTP server, transfer a file to the server, and log off. The
firewall prevents direct FTP connectivity between the inside and
outside networks; only indirect, application-level connectivity is
allowed.
Firewalls of this sort are complemented by chokes, which filter on
network addresses and/or port numbers. Cisco routers cannot do
application-level control with access control lists.
Other authors do not distinguish between chokes and filters. Using
the loose definition that a firewall is anything that selectively blocks
access from the inside to the outside, routers can be firewalls.
IP Specific
-----------
Can the ``operand'' field be used with a protocol keyword of IP to filter
on protocol ID?
No. Operand filtering only works for TCP and UDP port numbers.
How can I prevent traffic for a certain Internet application to flow in
one direction but not the other?
Remember that Internet applications flow from client port to server
port. Denying traffic from port 23, for example, blocks flow from the
client to the server.
+-------------------+
| |
A----------->| |----------->B
|1 2|
<------------| |<-----------
| |
+-------------------+
If we deny traffic to Port 23 of address B by placing a filter at
interface 2, we have blocked A's ability to telnet to B, but not B's
ability to telnet to A. A second filter at interface A would be needed
to block telnet in both directions.
Assume that we only have the filter at interface 2. Telnets to A
from B will not be affected because the filter at 2 does not check
incoming traffic.
-------
With the arrival of in-bound access lists in 9.21, it should be noted
that both inbound and access lists are about equally efficient, in
case any of you were wondering.
------------------------------
From: Question 15
Date: 26 July 1994
Subject: The cisco boot process
What really happens when a Cisco router boots, from boot start to live
interfaces?
First it boots the ROM os version. It reads the config. Now, it
realizes that you want to netboot. It loads the netbooted copy in on
top of itself. It then re-initializes the box and re-reads the
config. Manly, yes, but we like it too....
[[ Ummm... in particular it loads the netbooted copy in as WELL as
itself, decompresses it, if necessary, and THEN loads on top of
itself. Note that this is important because it tells you what the
memory requirements are for netbooting: RAM for ROM image (if it's a
run from RAM image), plus dynamic data structures, plus RAM for
netbooted image. ]]
The four ways to boot and what happens (sort of):
I (from bootstrap mode)
The ROM monitor is running. The I command causes the ROM monitor to
walk all of the hardware in the bus and reset it with a brute force
hammer. If the bits in the config register say to auto-boot, then
goto B
B (from bootstrap mode)
Load the OS from ROM. If a name is given, tell that image to start
silently and then load a new image. If the boot system command is
given, then start silently and load a new image.
powercycle
Does some delay stuff to let the power settle. Goto I.
reload (from the EXEC)
Goto I.
------------------------------
From: Question 16
Date: 26 July 1994
Subject: Where can I get Cisco hardware?
[ It is with great relucatance that I list any one vendor. I would
appreciate some commentary as to whether doing so is a good idea. Also,
other vendors would be a good thing. -jh
You might try:
Comstar, Inc.
5250 W. 74th Street
Minneapolis, MN 55439
P: 612-835-5502
F: 612-835-1927
Mr. Bill Lunger
------------------------------
From: Question 17
Date: 26 July 1994
Subject: Where can I get IETF documents (RFCs, STDs, etc.)?
Where and how to get new RFCs
=============================
RFCs may be obtained via EMAIL or FTP from many RFC Repositories. The
Primary Repositories will have the RFC available when it is first
announced, as will many Secondary Repositories. Some Secondary
Repositories may take a few days to make available the most recent
RFCs.
Primary Repositories:
RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET,
NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK,
FTP.CONCERT.NET, or FTP.SESQUI.NET.
1. DS.INTERNIC.NET - InterNIC Directory and Database Services
RFC's may be obtained from DS.INTERNIC.NET via FTP, WAIS, and
electronic mail. Through FTP, RFC's are stored as rfc/rfcnnnn.txt or
rfc/rfcnnnn.ps where 'nnnn' is the RFC number. Login as "anonymous"
and provide your e-mail address as the password. Through WAIS, you
may use either your local WAIS client or telnet to DS.INTERNIC.NET and
login as "wais" (no password required) to access a WAIS client. Help
information and a tutorial for using WAIS are available online. The
WAIS database to search is "rfcs".
Directory and Database Services also provides a mail server
interface. Send a mail message to mailserv@ds.internic.net and
include any of the following commands in the message body:
document-by-name rfcnnnn where 'nnnn' is the RFC number
The text version is sent.
file /ftp/rfc/rfcnnnn.yyy where 'nnnn' is the RFC number.
and 'yyy' is 'txt' or 'ps'.
help to get information on how to use
the mailserver.
The InterNIC Directory and Database Services Collection of Resource
Listings, Internet Documents such as RFCs, FYIs, STDs, and Internet
Drafts, and Publically Accessible Databases are also now available via
Gopher. All our collections are waisindexed and can be searched from
the Gopher menu.
To access the InterNIC Gopher Servers, please connect to
"internic.net" port 70.
contact: admin@ds.internic.net
2. NIS.NSF.NET
To obtain RFCs from NIS.NSF.NET via FTP, login with username
"anonymous" and password "guest"; then connect to the directory of
RFCs with cd /internet/documents/rfc. The file name is of the form
rfcnnnn.txt (where "nnnn" refers to the RFC number).
For sites without FTP capability, electronic mail query is available
from NIS.NSF.NET. Address the request to NIS-INFO@NIS.NSF.NET and
leave the subject field of the message blank. The first text line of
the message must be "send rfcnnnn.txt" with nnnn the RFC number.
contact: rfc-mgr@merit.edu
3. NISC.JVNC.NET
RFCs can also be obtained via FTP from NISC.JVNC.NET, with the
pathname rfc/RFCnnnn.TXT.v (where "nnnn" refers to the number of the
RFC and "v" refers to the version number of the RFC).
JvNCnet also provides a mail service for those sites which cannot use
FTP. Address the request to SENDRFC@JVNC.NET and in the subject field
of the message indicate the RFC number, as in "Subject: RFCnnnn" where
nnnn is the RFC number. Please note that RFCs whose number are less
than 1000 need not place a "0". (For example, RFC932 is fine.) No
text in the body of the message is needed.
contact: Becker@NISC.JVNC.NET
4. FTP.ISI.EDU
RFCs can be obtained via FTP from FTP.ISI.EDU, with the pathname
in-notes/rfcnnnn.txt (where "nnnn" refers to the number of the RFC).
Login with FTP username "anonymous" and password "guest".
RFCs can also be obtained via electronic mail from ISI.EDU by using
the RFC-INFO service. Address the request to "rfc-info@isi.edu" with
a message body of:
Retrieve: RFC
Doc-ID: RFCnnnn
(Where "nnnn" refers to the number of the RFC (always use 4 digits -
the DOC-ID of RFC 822 is "RFC0822")). The RFC-INFO@ISI.EDU server
provides other ways of selecting RFCs based on keywords and such; for
more information send a message to "rfc-info@isi.edu" with the message
body "help: help".
contact: RFC-Manager@ISI.EDU
5. WUARCHIVE.WUSTL.EDU
RFCs can also be obtained via FTP from WUARCHIVE.WUSTL.EDU, with the
pathname info/rfc/rfcnnnn.txt.Z (where "nnnn" refers to the number of the
RFC and "Z" indicates that the document is in compressed form).
At WUARCHIVE.WUSTL.EDU the RFCs are in an "archive" file system and
various archives can be mounted as part of an NFS file system.
Please contact Chris Myers (chris@wugate.wustl.edu) if you want to
mount this file system in your NFS.
contact: chris@wugate.wustl.edu
6. SRC.DOC.IC.AC.UK
RFCs can be obtained via FTP from SRC.DOC.IC.AC.UK with the pathname
rfc/rfcnnnn.txt.Z or rfc/rfcnnnn.ps.Z (where "nnnn" refers to the
number of the RFC). Login with FTP username "anonymous" and password
"your-email-address". To obtain the RFC Index, use the pathname
rfc/rfc-index.txt.Z. (The trailing .Z indicates that the document is
in compressed form.)
SRC.DOC.IC.AC.UK also provides an automatic mail service for those
sites in the UK which cannot use FTP. Address the request to
info-server@doc.ic.ac.uk with a Subject: line of "wanted" and a
message body of:
request sources
topic path rfc/rfcnnnn.txt.Z
request end
(Where "nnnn" refers to the number of the RFC.) Multiple requests may
be included in the same message by giving multiple "topic path"
commands on separate lines. To request the RFC Index, the command
should read: topic path rfc/rfc-index.txt.Z
The archive is also available using NIFTP and the ISO FTAM system.
contact: ukuug-soft@doc.ic.ac.uk
7. FTP.CONCERT.NET
To obtain RFCs from FTP.CONCERT.NET via FTP, login with username
"anonymous" and your internet e-mail address as password. The RFCs
can be found in the directory /rfc, with file names of the form:
rfcNNNN.txt or rfcNNNN.ps where NNNN refers to the RFC number.
This repository is also accessible via WAIS and the Internet Gopher.
contact: rfc-mgr@concert.net
8. FTP.SESQUI.NET
RFCs can be obtained via FTP from FTP.SESQUI.NET, with the pathname
pub/rfc/rfcnnnn.xxx (where "nnnn" refers to the number of the RFC and
xxx indicates the document form, txt for ASCII and ps for Postscript).
At FTP.SESQUI.NET the RFCs are in an "archive" file system and
various archives can be mounted as part of an NFS file system.
Please contact RFC-maintainer (rfc-maint@sesqui.net) if you want to
mount this file system in your NFS.
contact: rfc-maint@sesqui.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Secondary Repositories:
Sweden
------
Host: sunic.sunet.se
Directory: rfc
Host: chalmers.se
Directory: rfc
Germany
-------
Site: EUnet Germany
Host: ftp.Germany.EU.net
Directory: pub/documents/rfc
France
------
Site: Institut National de la Recherche en Informatique
et Automatique (INRIA)
Address: info-server@inria.fr
Notes: RFCs are available via email to the above
address. Info Server manager is Mireille
Yamajako (yamajako@inria.fr).
Netherlands
-----------
Site: EUnet
Host: mcsun.eu.net
Directory: rfc
Notes: RFCs in compressed format.
France
------
Site: Centre d'Informatique Scientifique et Medicale
(CISM)
Contact: ftpmaint@univ-lyon1.fr
Host: ftp.univ-lyon1.fr
Directories: pub/rfc/* Classified by hundreds
pub/mirrors/rfc Mirror of Internic
Notes: Files compressed with gzip. Online
decompression done by the FTP server.
Finland
-------
Site: FUNET
Host: funet.fi
Directory: rfc
Notes: RFCs in compressed format. Also provides
email access by sending mail to
archive-server@funet.fi.
Norway
------
Host: ugle.unit.no
Directory: pub/rfc
Denmark
-------
Site: University of Copenhagen
Host: ftp.denet.dk
Directory: rfc
Australia and Pacific Rim
-------------------------
Site: munnari
Contact: Robert Elz
Host: munnari.oz.au
Directory: rfc
rfc's in compressed format rfcNNNN.Z
postscript rfc's rfcNNNN.ps.Z
United States
-------------
Site: cerfnet
Contact: help@cerf.net
Host: nic.cerf.net
Directory: netinfo/rfc
Site: NASA NAIC
Contact: rfc-updates@naic.nasa.gov
Host: naic.nasa.gov
Directory: files/rfc
Site: NIC.DDN.MIL (DOD users only)
Contact: NIC@nic.ddn.mil
Host: NIC.DDN.MIL
Directory: rfc/rfcnnnn.txt
Note: DOD users only may obtain RFC's via FTP
from NIC.DDN.MIL. Internet users should NOT
use this source due to inadequate connectivity.
Site: uunet
Contact: James Revell
Host: ftp.uu.net
Directory: inet/rfc
UUNET Archive
-------------
UUNET archive, which includes the RFC's, various IETF documents,
and other information regarding the internet, is available to the
public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and
will be available via an anonymous kermit server soon. Get the
file /archive/inet/ls-lR.Z for a listing of these documents.
Any site in the US running UUCP may call +1 900 GOT SRCS and use
the login "uucp". There is no password. The phone company will
bill you at $0.50 per minute for the call. The 900 number only
works from within the US.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Requests for special distribution of RFCs should be addressed to
either the author of the RFC in question, to NIC@INTERNIC.NET.
Submissions for Requests for Comments should be sent to
RFC-EDITOR@ISI.EDU. Please consult "Instructions to RFC Authors",
RFC 1543, for further information.
Requests to be added to or deleted from the RFC distribution list should
be sent to RFC-REQUEST@NIC.DDN.MIL.
Changes to this file "rfc-retrieval.txt" should be sent to
RFC-MANAGER@ISI.EDU.
------------------------------
From: Question 18
Date: 27 July 1994
Subject: Future features in cisco software
[This could be more fleshed out, but Philip sent these in. -jh]
IPXWAN support added in 10.0
BGP4 support added in 10.0
Kerberos not yet available
------------------------------
From: Question 19
Date: 27 July 1994
Subject: How do cisco routers rate performance-wise?
People often ask about performance of the cisco routers and are shyed
away from answering their questions because we don't know where to send
them.
Scott Bradner keeps the results of his performance tests on the
Internet. You can find them for ftp on the system hsdndev.harvard.edu
in the /pub/ndtl. There is a README file in that directory that
explains what is available. In addition, cisco has just started
publishing a piece of literature called ``The Harvard Benchmark Test
Results: Summary of Cisco Systems Performance''. The only number I
can find on the doc is Lit. #700901. Don't know if you can order it
by this number, but at least there's a title to go on.
------------------------------
From: Question 20
Date: 31 October 1994
Subject: How are packets switched?
There are 4 types of switching (in order of increasing performance).
process switching
fast switching
autonomous switching
silicon switching
Autonomous switching is done in the switch processor.
Silicon switching is done in the silicon switching engine (creative,
eh? ;-).
The silicon switch processor (SSP) is the board which combines both the
switch processor and a silicon switching engine.
Process and fast switching support inbound and outbound, simple and
extended, access lists.
The SSP supports simple outbound access lists.
------------------------------
From: Question 21
Date: 31 October 1994
Subject: How does one interpret buffer statistics?
Buffer statistics may be obtained with:
mit2-gw.near.net>sh buffers
Buffer elements:
433 in free list (500 max allowed)
82320311 hits, 0 misses, 0 created
Small buffers, 104 bytes (total 202, permanent 120):
185 in free list (20 min, 250 max allowed)
34289219 hits, 4297 misses, 1307 trims, 1389 created
Middle buffers, 600 bytes (total 104, permanent 90):
102 in free list (10 min, 200 max allowed)
6829533 hits, 1432 misses, 483 trims, 497 created
Big buffers, 1524 bytes (total 90, permanent 90):
90 in free list (5 min, 300 max allowed)
3403884 hits, 56 misses, 1 trims, 1 created
Large buffers, 5024 bytes (total 5, permanent 5):
5 in free list (0 min, 30 max allowed)
49984 hits, 13 misses, 20 trims, 20 created
Huge buffers, 18024 bytes (total 0, permanent 0):
0 in free list (0 min, 4 max allowed)
0 hits, 0 misses, 0 trims, 0 created
5683 failures (0 no memory)
You can interpret them:
Total Number of buffers of that size that exist.
Free Number of free buffers.
Max Maximum size that the free list can grow to before we start
throwing them away.
Hit Buffer got used.
Miss Someone requested a buffer and we had to go carve it up out of
free memory. If we couldn't because we were at interrupt
level, it's also an allocation failure. If we couldn't
because we were out of memory, then it's also a ``no memory''
failure.
Trim There are more free buffers on the free list than there need
to be and we threw some away.
Create Number of buffers we created after a miss.
------------------------------
From: Question 22
Date: 1 November 1994
Subject: How should I restrict access to my router?
Many admins are concerned about unauthorized access to their routers
from malicious people on the Internet; one way to prevent this
is to restrict access to your router on the basis of IP address.
Many people do this, however it should be noted that a significant number
of network service providers allow unrestricted access to their routers
to allow others to debug, examine routes, etc. If you're comfortable doing
this, so much the better, and we thank you!
If you wish to restrict access to your router, select a free IP access
list (numbered from 1-100) -- enter ``sh access-list'' to see those
numbers in use.
yourrouter#sh access-list
Standard IP access list 5
permit 192.94.207.0, wildcard bits 0.0.0.255
Next, enter the IP addresses you wish to allow access to your router
from; remember that access lists contain an implicit "deny everything"
at the end, so there is no need to include that. In this case, 30
is free:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
yourrouter(config)#^Z
(This permits all IP addreses in the network 172.30.0.0, i.e. 172.30.*.*).
Enter multiple lines for multiple addresses; be sure that you don't
restrict the address you may be telnetting to the router from.
Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
that you wish to apply the access list to. In this example, I want
lines 2 through 12:
yourrouter#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 CTY - - - - - 0 0 0/0
1 AUX 9600/9600 - - - - - 1 3287605 1/0
* 2 VTY 9600/9600 - - - - 7 55 0 0/0
3 VTY 9600/9600 - - - - 7 4 0 0/0
4 VTY 9600/9600 - - - - 7 0 0 0/0
5 VTY 9600/9600 - - - - 7 0 0 0/0
6 VTY 9600/9600 - - - - 7 0 0 0/0
7 VTY 9600/9600 - - - - 7 0 0 0/0
8 VTY 9600/9600 - - - - 7 0 0 0/0
9 VTY 9600/9600 - - - - 7 0 0 0/0
10 VTY 9600/9600 - - - - 7 0 0 0/0
11 VTY 9600/9600 - - - - - 0 0 0/0
12 VTY 9600/9600 - - - - - 0 0 0/0
Apply the access list to the relevant lines:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#line 2 12
yourrouter(config-line)# access-class 30 in
yourrouter(config-line)# ^Z
(This apply access list 30 to lines 2 through 12.)
Be sure to save your configuration with ``write mem''.
Please note that access lists for incoming telnet connections do NOT
cause your router to perform significant CPU work, unlike access lists
on interfaces.
------------------------------
From: Question 23
Date: 1 November 1994
Subject: What can I do about source routing?
What *is* source routing?
Soure routing is an IP option which allows the originator of a packet
to specify what path that packet will take, and what path return packets
sent back to the originator will take. Source routing is useful when the
default route that a connection will take fails or is suboptimal for some
reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.
Unfortunately, source routing is often abused by malicious users on
the Internet (and elsewhere), and used to make a machine (A), think
it is talking to a different machine (B), when it is really talking to
a third machine (C). This means that C has control over B's ip address
for some purposes.
The proper way to fix this is to configure machine A to ignore
source-routed packets where appropriate. This can be done for most
unix variants by installing a package such as Wietse Venema,
,'s tcp_wrapper:
ftp://cert.org:pub/tools/tcp_wrappers
For some operating systems, a kernel patch is required to make this
work correctly (notably SunOS 4.1.3). Also, there is an unofficial
kernel patch available for SunOS 4.1.3 which turns all source routing
off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell soimetime in mid-1994.
If disabling source routing on all your clients is not posssible, a
last resort is to disable it at your router. This will make you unable
to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both
of which use LSRR (Loose Source Record Route, 2 IP options, the first
of which is a type of source routing), but may be necessary for some.
If so, you can do this with
foo-e-0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo-e-0(config)#no ip source-route
foo-e-0(config)#^Z
It is somewhat unfortunate that you cannot be selective about this; it
disables all forwarding of source-routed packets through the router,
for all interfaces, as well as source-routed packets to the router
(the last is unfortunate for the purposes of ``traceroute -g'').
------------------------------
From: Question 24
Date: 1 November 1994
Subject: Is there a block of private IP addresses I can use?
Yes there is, however whether you wish to do so is an issue of
some debate.
There are two RFCs which discuss this issue, and present opposing
views:
1597 Address Allocation for Private Internets. Y. Rekhter, B.
Moskowitz, D. Karrenberg & G. de Groot. March 1994. (Format:
TXT=17430 bytes)
1627 Network 10 Considered Harmful (Some Practices Shouldn't be
Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.
(Format: TXT=18823 bytes)
Neither one of these RFCs is anything more than a set of informational
guidelines; they are *not* words to live by (remember that RFC stands
for Request For Comments). Nevertheless, both comment cogently on this
issue, a full discussion of which is outside the scope of this
document. If you're seriously considering using private IP addresses,
please read them both (see question 17, ``Where can I get IETF
documents'') to find them.
Additionally, it is likely that a third RFC will be coming out shortly
that discusses both sides of the issue; watch this space for details.
In any event, RFC 1597 documents the allocation of the following
addresses for use by ``private internets'':
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Most importantly, it is vital that nothing using these addresses
should ever connect to the global Internet, or have plans to do so.
Please read the above RFCs before considering implementing such
a policy.
------------------------------
From: Question 25
Date: 5 July 1994
Subject: Acknowledgements.
The following people contributed to this FAQ, and their contributions
are greatly appreciated, both questions and answers (in alpha order):
"Ronnie B. Kon"
Alain Martineau
Charley Kline
Dave Katz
Howard C. Berkowitz, PSC International,
Jim Forster
John Wright
Pete Siemsen
Phillip Remaker
Ran Atkinson
Sanjay Rungta~
Sean McGrath
Steve Cunningham
atkinson@sundance.itd.nrl.navy.mil (Ran Atkinson)
buk@taz.de ($ Burkhard Kohl)
jerry@ksu.ksu.edu (Jerry Anderson)
jhawk@panix.com (John Hawkinson)
john@cisco.com (John Wright)
john@gulfa.ods.gulfnet.kw (John Temples)
peter@ulisse.rhein-main.de (Peter Radig)
tli@cisco.com (Tony Li)
tom@park.uvsc.edu (Thomas R. Kimpton)
warner@cats.ucsc.edu (Jim Warner)
Version: 1.0
This FAQ is edited by John Hawkinson, . I've been
rather remiss in FAQ maintenance and editing from July, through
October, but hopefully this should now be remedied.
New stuff (please look this over):
20. How are packets switched?
21. How does one interpret buffer statistics?
22. How should I restrict access to my router?
23. What can I do about source routing?
24. Is there a block of private IP addresses I can use?
Old administrivia:
There should eventually be an html version of this FAQ
available. Question should also be numbered, and perhaps divided into
subcategories for large things (like ntp...); also, they need to be
sorted.
Please contribute answers to the questions in the Todo section! If your
answer is somewhat complicated, posting would probably be best (to
comp.dcom.sys.cisco). Otherwise, e-mail it to cisco-faq@panix.com.
Please note that a LOT of these questions have been hanging around
for some time, and if knowledgable people (including myself)
could take the time to answer a few of them, that'd help.
This draft FAQ is in RFC1153 digest format, so you can follow each
question with your newsreader. I suppose that question-numbers should
be moved to the From: field. Note that Date: fields represent
last-modification times for the questions.
Table of Contents
=================
1. How can I contact cisco?
2. What is this newsgroup?
3. What does ``cisco'' stand for?
4. How do I save the configuration of a cisco?
5. Where can I get ancillary software for my cisco?
6. Is there a World-Wide-Web (www) information source?
7. How can I get my cisco to talk to a third party router over
8. How can I get my cisco to talk to a 3rd-party router over Frame Relay?
9. How can I use debugging?
10. How can I use NTP (Network Time Protocol) with my cisco?
11. Sample Cisco NTP Configurations
12. How do I avoid the annoying DNS lookup if I have misspelled a command?
13. Tracing bad routing information
14. How to use access lists
15. The cisco boot process
16. Where can I get Cisco hardware?
17. Where can I get IETF documents (RFCs, STDs, etc.)?
18. Future features in cisco software
19. How do cisco routers rate performance-wise?
20. How are packets switched?
21. How does one interpret buffer statistics?
22. How should I restrict access to my router?
23. What can I do about source routing?
24. Is there a block of private IP addresses I can use?
25. Acknowledgements.
todo:
=====
* How to configure TACACS
* What is SNMP and how can I use it? What software is available and how do
I use Cisco enterprise MIBs? MIBs on ftp.cisco.com and CIO.cisco.com
* Pointers to other s/w that's particularly useful in this sort
of routing environment (like Charley Kline's VLSM program).
* Pointers to other net resources, like comp.protocols.tcp-ip, RFCs,
the firewalls mailing list, etc (bgpd?[or is it cidrd now? :-)]).
* Hints about confusing and not-well documented things like xtacacs...
* Comments on interoperability issues WRT other vendors.
* What's SMARTnet, why should I subscribe, how much does it cost,
and what do I get?
* What should I name my router, my interfaces, etc.?
* Should we adjust the buffer parameters on the routers? What should
be the indicator before tunning the buffer parameters? How should
one fine tune the buffer parapeters?
* what routing protocol should I use?
* what is the real purpose of the network subcommand of
router commands? When do I not want to include a network
I know about?
* What is a VLSM and why would I want one? What supports
them?
* What is CIDR and why do I care (or a more general acronym decoder) ?
* How do I configure my Cisco to use variable-length subnetting ?
* What are some methods for conserving IP addresses for
serial lines?
* Is there a block of private network numbers I can use
within my organization only? When should I use them?
How do I access them from outside?
* What do I do if I have to partition a network number?
* Questions and answers about access lists
access-list reference list (lots of questions on that)
* I forgot to mention that routing DECnet over X.25 is a problem.
* Where PD network applications for SLIP/PPP are.
* What is HSRP and how does it work? When is it available (10.0)
(Hot Standby Routing Protocol)
* Should I run 9.1, 9.21, 10.0, 10.2, or what?
Actual content.
===============
------------------------------
From: Question 1
Date: 31 October 1994
Subject: How can I contact cisco?
Corporate address:
cisco Systems
170 West Tasman Drive
San Jose, CA 95134
The following phone numbers are available:
Technical Assistance Center (TAC) +1 800 553 2447
(553 24HR)
+1 800 553 6387
+1 408 526 8209
Customer Service (Documentation, Warranty & +1 800 553 6387
Contract Services, Order Status
Engineering +1 800 553 2447
(553 24HR)
On-site Services, Time & Materials Service +1 800 829 2447
(829 24HR)
Corporate number / general +1 408 526 4000
Corporate FAX (NOT tech support) +1 408 526 4100
The above 800 numbers are US/Canada only.
cisco can also be contacted via e-mail:
tac@cisco.com Technical Assistance Center
tac-euro@cisco.com European TAC
cs-rep@cisco.com Literature and administrative (?) requests
cs@cisco.com *UNRELIABLE*, special-interest, ``non-support''
Please follow the directions available on CIO before doing this.
cisco provides an on-line service for information about their routers
and other products, called CIO (cisco Information Online). telnet to
cio.cisco.com for more details.
The collective experience of this FAQ indicates that it is far wiser to
open a case using e-mail than FAXes, which may be mislaid, shredded,
etc.
For those of you still in the paperfull office (unlike the rest of us),
cisco Systems' new corporate address is:
170 West Tasman Drive
San Jose, CA 95134
------------------------------
From: Question 2
Date: 26 July 1994
Subject: What is this newsgroup?
comp.dcom.sys.cisco, which is gatewayed to the mailing list
cisco@spot.colorado.edu, is a newsgroup for discussion of cisco
hardware, software, and related issues. Remember that you can also
consult with cisco technical support.
This newsgroup is not an official cisco support channel, and should
not be relied upon for answers, particularly answers from cisco
Systems employees.
Until recently, the mailing list was gatewayed into the newsgroup,
one-way. It is possible that this arrangement may resume at somet time
in the future.
------------------------------
From: Question 3
Date: 31 October 1994
Subject: What does ``cisco'' stand for?
cisco folklore time:
At one point in time, the first letter in cisco Systems was a
lowercase ``c''. At present, various factions within the company have
adopted a capital ``C'', while fierce traditionalists (as well as some
others) continue to use the lowercase variant, as does the cisco
Systems logo. This FAQ has chosen to use the lowercase variant
throughout.
cisco is not C.I.S.C.O. but is short for San Francisco, so the story
goes. Back in the early days when the founders Len Bosack and Sandy
Lerner and appropriate legal entities were trying to come up with a
name they did many searches for non similar names, and always came up
with a name which was denied. Eventually someone suggested ``cisco''
and the name wasn't taken (although SYSCO may be confusingly similar
sounding). There was an East Coast company which later was using the
``CISCO'' name (I think they sold in the IBM marketplace) they ended
up having to not use the CISCO abberviation. Today many people spell
cisco with a capital ``C'', citing problems in getting the lowercase
``c'' right in publications, etc. This lead to at least one amusing
article headlined ``Cisco grows up''. This winter we will celebrate
our 10th year.
[This text was written in July of 1994 -jh]
------------------------------
From: Question 4
Date: 31 October 1994
Subject: How do I save the configuration of a cisco?
If you have a tftp server available, you can create a file on the
server for your router to write to, and then use the write network
command. From a typical unix system:
mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig
myrouter#write net
Remote host [10.7.0.63]? 10.7.0.2
Name of configuration file to write [myrouter-confg]? foobar
Write file foobar on host 10.7.0.2? [confirm] y
Additionally, there's a Macintosh TFTP server available:
ftp://nic.switch.ch/software/mac/peterlewis/tftpd-100.sit.hqx
Additionally, you can also use expect, available from:
ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
ftp://ftp.cme.nist.gov/expect/expect.tar.gz
or, in shar form from ftp.cisco.com.
Expect allows you to write a script which telnets to the router and
performs a ``write terminal'' command, or any other arbitrary set of
command(s), using a structured scripting language (Tcl).
------------------------------
From: Question 5
Date: 5 July 1994
Subject: Where can I get ancillary software for my cisco?
Try ftping to
ftp://ftp.cisco.com/pub
It's a hodgepodge collection of useful stuff, some maintained and some
not. Some is also available from
ftp://cio.cisco.com
Vikas Aggarwal has a very customised tacacsd:
A new version of xtacacsd is available via anonymous FTP from
'ftp.navya.com' (128.121.50.145) under pub/vikas/xtacacsd.shar.
This version should also be available from ftp.cisco.com soon.
------------------------------
From: Question 6
Date: 26 July 1994
Subject: Is there a World-Wide-Web (www) information source?
You can try the www homepage of this FAQ:
http://www.panix.com/cisco-faq [still not there yet]
or the cisco Educational Archive (CEA) home page:
http://sunsite.unc.edu/cisco/cisco-home.html
or the cisco Information Online (CIO) home page:
http://www.cisco.com/
------------------------------
From: Question 7
Date: 5 July 1994
Subject: How can I get my cisco to talk to a third party router over
a serial link?
You need to tell your cisco to use the same link-level protocol as the
other router; by default, ciscos use a rather bare variant of HDLC
(High-level Data Link Control) all link-level protocols use at some
level/layer or another. To make your cisco operate with most other
routers, you need to change the encapsulation from HDLC to PPP on the
relevant interfaces. For instance:
sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
^Z
sewer-cgs#sh int s 1
Serial 1 is administratively down, line protocol is down
Hardware is MCI Serial
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
[...]
If you're still having trouble, you might wish to turn on serial interface
debugging:
sewer-cgs#ter mon
sewer-cgs#debug serial-interface
------------------------------
From: Question 8
Date: 27 July 1994
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?
You should tell your cisco to use ``encapsulation frame-relay ietf''
(instead of ``encapsulation frame-relay'') on your serial interface
that's running frame relay if your frame relay network contains a
diverse set of manufacturers' routers. The keyword ``ietf'' specifies
that your cisco will use RFC1294-compliant encapsulation, rather than
the default, RFC1490-compliant encapsulation (other products, notably
Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verbotten
by 1490, namely padding of the nlpid). If only a few routers in your
frame relay cloud require this, then you can use the default
encapsulation on everything and specify the exceptions with the
frame-relay map command:
frame-relay map ip 10.1.2.3 56 broadcast ietf
^^^^
(ietf stands for Internet Engineering Task Force, the body which
evaluates Standards-track RFCs; this keyword is a misnomer as both
RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and
is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step
beneath a DS), and is effectively obsolete).
------------------------------
From: Question 9
Date: 26 July 1994
Subject: How can I use debugging?
The ``terminal monitor'' command directs your cisco to send debugging
output to the current session. It's necessary to turn this on each time
you telnet to your router to view debugging information. After that,
you must specify the specific types of debugging you wish to turn on;
please note that these stay on or off until changed, or until the
router reboots, so remember to turn them off when you're done.
Debugging messages are also logged to a host if you have trap logging
enabled on your cisco. You can check this like so:
sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 66 messages logged
Monitor logging: level debugging, 0 messages logged
Trap logging: level debugging, 69 message lines logged
Logging to 198.7.0.2, 69 message lines logged
sl-panix-1>
If you have syslog going to a host somewhere and you then set about a
nice long debug session from a term your box is doing double work and
sending every debug message to your syslog server. Additionally, if you
turn on something that provides copious debugging output, be careful
that you don't overflow your disk (``debug ip-rip'' is notorious for
this).
One solution to this is to only log severity ``info'' and higher:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
logging trap info
The other solution is to just be careful and remember to turn off
debugging. This is easy enough with:
sl-panix-1#undebug all
If you have a heavily loaded box, you should be aware that debugging
can load your router. The console has a higher priority than a vty so
don't debug from the console; instead, disable console logging:
cix-west.cix.net#conf t
Enter configuration commands, one per line. End with CNTL/Z.
no logging console
Then always debug from a vty. If the box is busy and you are a little
too vigorous with debugging and the box is starting to sink, quickly
run, don't walk to your console and kill the session on the vty. If
you are on the console your debugging has top prioority and then the
only way out is the power switch. This of course makes remote
debugging a real sweaty palms adventure especially on a crowded box.
Caveat debugger!
Also, if you for some reason forget what the available debug commands
are and don't have a manual handy, remember that's what on-line help
is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under
9.21 and above, that gives you general categories, and you can check
for more specific options by specifying the category: ``debug ip ?''.
As a warning, the ``logging buffered'' feature causes all debug
streams to be redirected to an in-memory buffer, so be careful using
that.
Lastly, if you're not sure what debugging criteria you need, you can
try ``debug all''. BE CAREFUL! It is way useful, but only in a very
controlled environment, where you can turn off absolutely everything
you're not interested in. Saves a lot of thinking. Turning it on on
a busy box can quickly cause meltdown.
------------------------------
From: Question 10
Date: 5 July 1994
Subject: How can I use NTP (Network Time Protocol) with my cisco?
>What level of software is required for NTP support in
>a Cisco router?
9.21 or above.
>Which Cisco routers support NTP?
It is a software feature exclusively. Anything that supports
9.21 or 10 will run NTP (when running that s/w).
>How do I set it up?
The basic hook is:
ntp server [version n]
or
ntp peer [version n]
depending on whether you want a client/server or peer relationship.
There's a bunch of other stuff available for MD5 authentication,
broadcast, access control, etc. You can also use the
context-sensitive help feature to puzzle it out; try ``ntp ?'' in
config mode.
You'll also want to play with the SHOW NTP * router commands. Here
are two examples.
EXAMPLE 1:
router# show ntp assoc
address ref clock st when poll reach delay offset disp
+~128.9.2.129 .WWVB. 1 109 512 377 97.8 -2.69 26.7
*~132.249.16.1 .GOES. 1 309 512 357 55.4 -1.34 27.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
EXAMPLE 2:
router#show ntp stat
Clock is synchronized, stratum 2, reference is 132.249.16.1
nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
clock offset is -1.34 msec, root delay is 55.40 msec
root dispersion is 41.29 msec, peer dispersion is 28.96 msec
For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.
For broader NTP info, see ftp://louie.udel.edu:pub/ntp/doc. The file
clock.txt in that directory has info about various public NTP servers.
There is also information on radio time receivers that can be
connected to an NTP server (this is handy on private networks, if you
have an entire campus to get chiming, or if you become a hard core
chimer).
The ``ntp clock-period'' command is added automagically to jump-start
the NTP frequency compensation when the box is rebooted. This is
essentially a representation of the frequency of the crystal used as
the local timebase, and may take several days to calculate otherwise.
(Do a ``write mem'' after a week or so to save a good value.)
Caveat: Note that the CS-500 will not be able to achieve quite the same
level of accuracy as other platforms, since its hardware clock
resolution is roughly 242Hz instead of the 1MHz available on other
platforms. In practice this shouldn't matter for anyone other than
true time geeks.
----------------------------------------------------------------------
From: Question 11
Date: 5 July 1994
Subject: Sample Cisco NTP Configurations
You will need to substitute your own NTP peers, timezones, and GMT
offsets into the examples below, of course. Example 1 is in US Central
Time Zone, while example 3 is in US Pacific Time Zone. Both account
for normal US Daylight Savings Time practices.
EXAMPLE 1 (Charley Kline):
...
clock timezone CST -6
clock summer-time CDT recurring
ntp source eth 0
ntp peer
ntp peer
ntp peer
...
EXAMPLE 2 (Tony Li):
...
ntp source Ethernet0/0
ntp update-calendar
ntp peer
ntp peer prefer
...
EXAMPLE 3 (Dave Katz):
...
service timestamps debug datetime localtime
service timestamps log datetime localtime
clock timezone PST -8
clock summer-time PDT recurring
interface Ethernet0
ip address
ntp broadcast
ntp clock-period 17180319
ntp source Ethernet0
ntp server
ntp server
ntp server
COMMENTS ON EXAMPLE 3:
The config file is commented with date and time (and user id,
if TACACS is enabled) when the system thinks the clock is accurate.
I've enabled timestamping of debug and syslog messages. I send NTP
broadcast packets out onto the local ethernet. I'm in Pacific
Standard Time, with U.S. standard daylight saving time rules. I use
the IP address of the ethernet as the source for all NTP packets.
------------------------------
From: Question 12
Date: 5 July 1994
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?
By default, all lines are configured to automatically try a telnet
connection if the first word in a input line is not recognized as a
valid command. You can disable this by setting ``transport preferred
none'' on every line (con, aux and vty). For instance:
sl-panix-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
line vty 0 10
transport preferred none
You can see the number of vty's currently configuered with ``show lines''
Also, you can suspend connect attempts with ^^ followed by ``x'', ie
shift-cntrl-6 x.
[It has been suggested that ``no ip ipname-lookup'' to turn off IEN116
helps. I think this is the default -jh ]
------------------------------
From: Question 13
Date: 31 Oct 1994
Subject: Tracing bad routing information
or: How do I find out which non-Cisco systems on my networks generate IP-RIP
information without letting them mess up my routing tables.
Here you could work with a default administrative distance.
Administrative distance is the basis upon which the cisco prefers
routing information of one protocol over another. In this example:
router rip
network 192.125.254.0
distance 255
distance 120 192.125.254.17 ! list all valid RIP suppliers
[...]
the value 255 has the implicit meaning of not putting this information
into the routing table. Therefore, setting an administrative distance
of 255 means that all RIP suppliers are by default accepted but their
information is not put into the routing table. The administrative
distance for the router 192.125.244.17 has been reset to the default
(for RIP) of 120, causing its routes to be accepted into the routing table.
Then you can look them up with ``show ip protocols'' and restore the
original administrative distance for the ones you want to fill in the
routing table.
The same results can be acheived with an ip access-list, but with
that, ``show ip protocols'' will only show the valid ones. But often
it is more useful to see which systems were generating routing
information at all.
This trick works for other routing protocols as well, but please select
the proper adminstrative distance (rather than 120) for the protocol
you're using.
------------------------------
From: Question 14
Date: 5 July 1994
Subject: How to use access lists
[The following is wholesale included; at some point it'll
probably be editted a bit and reformatted... -jh]
Frequently Asked Questions
contributed by Howard C. Berkowitz
PSC International
hcb@world.std.com
@clark.net [probably will be my permanent
personal account]
PSC's domain is in mid-setup
Where in the router are access lists applied?
In general, Basic access lists are executed as filters on
outgoing interfaces. Newer releases of the Cisco code, such as
9.21 and 10, do have increased ability to filter on incoming ports.
Certain special cases, such as broadcasts and bridged traffic,
can be filtered on incoming interfaces in earlier releases.
There are also special cases involving console access.
Rules, written as ACCESS-LIST statements, are global for the entire
Cisco box; they are activated on individual outgoing interfaces by
ACCESS-GROUP subcommands of the INTERFACE major command.
Filters are applied after traffic has entered on an incoming
interface and gone through a routing process; traffic that originates in
a router (e.g., telnets from the console port) is not subject to
filtering.
+-------------------+
| GLOBAL |
| |
| Routing |
| ^ v Access |
| ^ v Lists |
+-^--v--------^---v-+
| ^ v ^ v |
| ^ v ^ v |
A----------->|-| |>>>>Access >>----------->B
|1 Group 2 |
<------------| |<-----------
| |
| |
+-------------------+
Some types of ``filter,'' using ``filter'' as a broader class than
ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-
SAP-FILTER used for Novell networks is applied to Service Advertisement
Packets (SAP) seen at incoming interfaces. In general, incoming
filtering can only be done for ``system'' rather than user traffic.
Rules of thumb in defining access lists.
First, define what you want to do and in which directions. An
informal drawing is a good first step. As opposed to the usual
connectivity drawings among routers, it's often convenient to draw
unidirectional links between routers.
Second, informally write out your filtering rules. In general, it
is best to go from most specific to least specific. Modify the order of
writing things to minimize the number of rules needed.
Third, determine which rules need to be on which routers.
Explicitly consider the direction of flow, and the possible existence of
additional paths that could inadvertently bypass a filter.
Can a Cisco router be a ``true'' firewall?
This depends on the definition of firewall. Some writers (e.g.,
Gene Spafford in _Practical UNIX Security_) define a firewall as a
host on which an ``inside'' and/or an ``outside'' application process run,
with application-level code linking the two. For example, a firewall
might provide FTP access to the outside world, but it would not also
provide direct FTP service to the inside world. To place a file on
the FTP external server, a designated user would explicitly log onto
the FTP server, transfer a file to the server, and log off. The
firewall prevents direct FTP connectivity between the inside and
outside networks; only indirect, application-level connectivity is
allowed.
Firewalls of this sort are complemented by chokes, which filter on
network addresses and/or port numbers. Cisco routers cannot do
application-level control with access control lists.
Other authors do not distinguish between chokes and filters. Using
the loose definition that a firewall is anything that selectively blocks
access from the inside to the outside, routers can be firewalls.
IP Specific
-----------
Can the ``operand'' field be used with a protocol keyword of IP to filter
on protocol ID?
No. Operand filtering only works for TCP and UDP port numbers.
How can I prevent traffic for a certain Internet application to flow in
one direction but not the other?
Remember that Internet applications flow from client port to server
port. Denying traffic from port 23, for example, blocks flow from the
client to the server.
+-------------------+
| |
A----------->| |----------->B
|1 2|
<------------| |<-----------
| |
+-------------------+
If we deny traffic to Port 23 of address B by placing a filter at
interface 2, we have blocked A's ability to telnet to B, but not B's
ability to telnet to A. A second filter at interface A would be needed
to block telnet in both directions.
Assume that we only have the filter at interface 2. Telnets to A
from B will not be affected because the filter at 2 does not check
incoming traffic.
-------
With the arrival of in-bound access lists in 9.21, it should be noted
that both inbound and access lists are about equally efficient, in
case any of you were wondering.
------------------------------
From: Question 15
Date: 26 July 1994
Subject: The cisco boot process
What really happens when a Cisco router boots, from boot start to live
interfaces?
First it boots the ROM os version. It reads the config. Now, it
realizes that you want to netboot. It loads the netbooted copy in on
top of itself. It then re-initializes the box and re-reads the
config. Manly, yes, but we like it too....
[[ Ummm... in particular it loads the netbooted copy in as WELL as
itself, decompresses it, if necessary, and THEN loads on top of
itself. Note that this is important because it tells you what the
memory requirements are for netbooting: RAM for ROM image (if it's a
run from RAM image), plus dynamic data structures, plus RAM for
netbooted image. ]]
The four ways to boot and what happens (sort of):
I (from bootstrap mode)
The ROM monitor is running. The I command causes the ROM monitor to
walk all of the hardware in the bus and reset it with a brute force
hammer. If the bits in the config register say to auto-boot, then
goto B
B (from bootstrap mode)
Load the OS from ROM. If a name is given, tell that image to start
silently and then load a new image. If the boot system command is
given, then start silently and load a new image.
powercycle
Does some delay stuff to let the power settle. Goto I.
reload (from the EXEC)
Goto I.
------------------------------
From: Question 16
Date: 26 July 1994
Subject: Where can I get Cisco hardware?
[ It is with great relucatance that I list any one vendor. I would
appreciate some commentary as to whether doing so is a good idea. Also,
other vendors would be a good thing. -jh
You might try:
Comstar, Inc.
5250 W. 74th Street
Minneapolis, MN 55439
P: 612-835-5502
F: 612-835-1927
Mr. Bill Lunger
------------------------------
From: Question 17
Date: 26 July 1994
Subject: Where can I get IETF documents (RFCs, STDs, etc.)?
Where and how to get new RFCs
=============================
RFCs may be obtained via EMAIL or FTP from many RFC Repositories. The
Primary Repositories will have the RFC available when it is first
announced, as will many Secondary Repositories. Some Secondary
Repositories may take a few days to make available the most recent
RFCs.
Primary Repositories:
RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET,
NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK,
FTP.CONCERT.NET, or FTP.SESQUI.NET.
1. DS.INTERNIC.NET - InterNIC Directory and Database Services
RFC's may be obtained from DS.INTERNIC.NET via FTP, WAIS, and
electronic mail. Through FTP, RFC's are stored as rfc/rfcnnnn.txt or
rfc/rfcnnnn.ps where 'nnnn' is the RFC number. Login as "anonymous"
and provide your e-mail address as the password. Through WAIS, you
may use either your local WAIS client or telnet to DS.INTERNIC.NET and
login as "wais" (no password required) to access a WAIS client. Help
information and a tutorial for using WAIS are available online. The
WAIS database to search is "rfcs".
Directory and Database Services also provides a mail server
interface. Send a mail message to mailserv@ds.internic.net and
include any of the following commands in the message body:
document-by-name rfcnnnn where 'nnnn' is the RFC number
The text version is sent.
file /ftp/rfc/rfcnnnn.yyy where 'nnnn' is the RFC number.
and 'yyy' is 'txt' or 'ps'.
help to get information on how to use
the mailserver.
The InterNIC Directory and Database Services Collection of Resource
Listings, Internet Documents such as RFCs, FYIs, STDs, and Internet
Drafts, and Publically Accessible Databases are also now available via
Gopher. All our collections are waisindexed and can be searched from
the Gopher menu.
To access the InterNIC Gopher Servers, please connect to
"internic.net" port 70.
contact: admin@ds.internic.net
2. NIS.NSF.NET
To obtain RFCs from NIS.NSF.NET via FTP, login with username
"anonymous" and password "guest"; then connect to the directory of
RFCs with cd /internet/documents/rfc. The file name is of the form
rfcnnnn.txt (where "nnnn" refers to the RFC number).
For sites without FTP capability, electronic mail query is available
from NIS.NSF.NET. Address the request to NIS-INFO@NIS.NSF.NET and
leave the subject field of the message blank. The first text line of
the message must be "send rfcnnnn.txt" with nnnn the RFC number.
contact: rfc-mgr@merit.edu
3. NISC.JVNC.NET
RFCs can also be obtained via FTP from NISC.JVNC.NET, with the
pathname rfc/RFCnnnn.TXT.v (where "nnnn" refers to the number of the
RFC and "v" refers to the version number of the RFC).
JvNCnet also provides a mail service for those sites which cannot use
FTP. Address the request to SENDRFC@JVNC.NET and in the subject field
of the message indicate the RFC number, as in "Subject: RFCnnnn" where
nnnn is the RFC number. Please note that RFCs whose number are less
than 1000 need not place a "0". (For example, RFC932 is fine.) No
text in the body of the message is needed.
contact: Becker@NISC.JVNC.NET
4. FTP.ISI.EDU
RFCs can be obtained via FTP from FTP.ISI.EDU, with the pathname
in-notes/rfcnnnn.txt (where "nnnn" refers to the number of the RFC).
Login with FTP username "anonymous" and password "guest".
RFCs can also be obtained via electronic mail from ISI.EDU by using
the RFC-INFO service. Address the request to "rfc-info@isi.edu" with
a message body of:
Retrieve: RFC
Doc-ID: RFCnnnn
(Where "nnnn" refers to the number of the RFC (always use 4 digits -
the DOC-ID of RFC 822 is "RFC0822")). The RFC-INFO@ISI.EDU server
provides other ways of selecting RFCs based on keywords and such; for
more information send a message to "rfc-info@isi.edu" with the message
body "help: help".
contact: RFC-Manager@ISI.EDU
5. WUARCHIVE.WUSTL.EDU
RFCs can also be obtained via FTP from WUARCHIVE.WUSTL.EDU, with the
pathname info/rfc/rfcnnnn.txt.Z (where "nnnn" refers to the number of the
RFC and "Z" indicates that the document is in compressed form).
At WUARCHIVE.WUSTL.EDU the RFCs are in an "archive" file system and
various archives can be mounted as part of an NFS file system.
Please contact Chris Myers (chris@wugate.wustl.edu) if you want to
mount this file system in your NFS.
contact: chris@wugate.wustl.edu
6. SRC.DOC.IC.AC.UK
RFCs can be obtained via FTP from SRC.DOC.IC.AC.UK with the pathname
rfc/rfcnnnn.txt.Z or rfc/rfcnnnn.ps.Z (where "nnnn" refers to the
number of the RFC). Login with FTP username "anonymous" and password
"your-email-address". To obtain the RFC Index, use the pathname
rfc/rfc-index.txt.Z. (The trailing .Z indicates that the document is
in compressed form.)
SRC.DOC.IC.AC.UK also provides an automatic mail service for those
sites in the UK which cannot use FTP. Address the request to
info-server@doc.ic.ac.uk with a Subject: line of "wanted" and a
message body of:
request sources
topic path rfc/rfcnnnn.txt.Z
request end
(Where "nnnn" refers to the number of the RFC.) Multiple requests may
be included in the same message by giving multiple "topic path"
commands on separate lines. To request the RFC Index, the command
should read: topic path rfc/rfc-index.txt.Z
The archive is also available using NIFTP and the ISO FTAM system.
contact: ukuug-soft@doc.ic.ac.uk
7. FTP.CONCERT.NET
To obtain RFCs from FTP.CONCERT.NET via FTP, login with username
"anonymous" and your internet e-mail address as password. The RFCs
can be found in the directory /rfc, with file names of the form:
rfcNNNN.txt or rfcNNNN.ps where NNNN refers to the RFC number.
This repository is also accessible via WAIS and the Internet Gopher.
contact: rfc-mgr@concert.net
8. FTP.SESQUI.NET
RFCs can be obtained via FTP from FTP.SESQUI.NET, with the pathname
pub/rfc/rfcnnnn.xxx (where "nnnn" refers to the number of the RFC and
xxx indicates the document form, txt for ASCII and ps for Postscript).
At FTP.SESQUI.NET the RFCs are in an "archive" file system and
various archives can be mounted as part of an NFS file system.
Please contact RFC-maintainer (rfc-maint@sesqui.net) if you want to
mount this file system in your NFS.
contact: rfc-maint@sesqui.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Secondary Repositories:
Sweden
------
Host: sunic.sunet.se
Directory: rfc
Host: chalmers.se
Directory: rfc
Germany
-------
Site: EUnet Germany
Host: ftp.Germany.EU.net
Directory: pub/documents/rfc
France
------
Site: Institut National de la Recherche en Informatique
et Automatique (INRIA)
Address: info-server@inria.fr
Notes: RFCs are available via email to the above
address. Info Server manager is Mireille
Yamajako (yamajako@inria.fr).
Netherlands
-----------
Site: EUnet
Host: mcsun.eu.net
Directory: rfc
Notes: RFCs in compressed format.
France
------
Site: Centre d'Informatique Scientifique et Medicale
(CISM)
Contact: ftpmaint@univ-lyon1.fr
Host: ftp.univ-lyon1.fr
Directories: pub/rfc/* Classified by hundreds
pub/mirrors/rfc Mirror of Internic
Notes: Files compressed with gzip. Online
decompression done by the FTP server.
Finland
-------
Site: FUNET
Host: funet.fi
Directory: rfc
Notes: RFCs in compressed format. Also provides
email access by sending mail to
archive-server@funet.fi.
Norway
------
Host: ugle.unit.no
Directory: pub/rfc
Denmark
-------
Site: University of Copenhagen
Host: ftp.denet.dk
Directory: rfc
Australia and Pacific Rim
-------------------------
Site: munnari
Contact: Robert Elz
Host: munnari.oz.au
Directory: rfc
rfc's in compressed format rfcNNNN.Z
postscript rfc's rfcNNNN.ps.Z
United States
-------------
Site: cerfnet
Contact: help@cerf.net
Host: nic.cerf.net
Directory: netinfo/rfc
Site: NASA NAIC
Contact: rfc-updates@naic.nasa.gov
Host: naic.nasa.gov
Directory: files/rfc
Site: NIC.DDN.MIL (DOD users only)
Contact: NIC@nic.ddn.mil
Host: NIC.DDN.MIL
Directory: rfc/rfcnnnn.txt
Note: DOD users only may obtain RFC's via FTP
from NIC.DDN.MIL. Internet users should NOT
use this source due to inadequate connectivity.
Site: uunet
Contact: James Revell
Host: ftp.uu.net
Directory: inet/rfc
UUNET Archive
-------------
UUNET archive, which includes the RFC's, various IETF documents,
and other information regarding the internet, is available to the
public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and
will be available via an anonymous kermit server soon. Get the
file /archive/inet/ls-lR.Z for a listing of these documents.
Any site in the US running UUCP may call +1 900 GOT SRCS and use
the login "uucp". There is no password. The phone company will
bill you at $0.50 per minute for the call. The 900 number only
works from within the US.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Requests for special distribution of RFCs should be addressed to
either the author of the RFC in question, to NIC@INTERNIC.NET.
Submissions for Requests for Comments should be sent to
RFC-EDITOR@ISI.EDU. Please consult "Instructions to RFC Authors",
RFC 1543, for further information.
Requests to be added to or deleted from the RFC distribution list should
be sent to RFC-REQUEST@NIC.DDN.MIL.
Changes to this file "rfc-retrieval.txt" should be sent to
RFC-MANAGER@ISI.EDU.
------------------------------
From: Question 18
Date: 27 July 1994
Subject: Future features in cisco software
[This could be more fleshed out, but Philip sent these in. -jh]
IPXWAN support added in 10.0
BGP4 support added in 10.0
Kerberos not yet available
------------------------------
From: Question 19
Date: 27 July 1994
Subject: How do cisco routers rate performance-wise?
People often ask about performance of the cisco routers and are shyed
away from answering their questions because we don't know where to send
them.
Scott Bradner keeps the results of his performance tests on the
Internet. You can find them for ftp on the system hsdndev.harvard.edu
in the /pub/ndtl. There is a README file in that directory that
explains what is available. In addition, cisco has just started
publishing a piece of literature called ``The Harvard Benchmark Test
Results: Summary of Cisco Systems Performance''. The only number I
can find on the doc is Lit. #700901. Don't know if you can order it
by this number, but at least there's a title to go on.
------------------------------
From: Question 20
Date: 31 October 1994
Subject: How are packets switched?
There are 4 types of switching (in order of increasing performance).
process switching
fast switching
autonomous switching
silicon switching
Autonomous switching is done in the switch processor.
Silicon switching is done in the silicon switching engine (creative,
eh? ;-).
The silicon switch processor (SSP) is the board which combines both the
switch processor and a silicon switching engine.
Process and fast switching support inbound and outbound, simple and
extended, access lists.
The SSP supports simple outbound access lists.
------------------------------
From: Question 21
Date: 31 October 1994
Subject: How does one interpret buffer statistics?
Buffer statistics may be obtained with:
mit2-gw.near.net>sh buffers
Buffer elements:
433 in free list (500 max allowed)
82320311 hits, 0 misses, 0 created
Small buffers, 104 bytes (total 202, permanent 120):
185 in free list (20 min, 250 max allowed)
34289219 hits, 4297 misses, 1307 trims, 1389 created
Middle buffers, 600 bytes (total 104, permanent 90):
102 in free list (10 min, 200 max allowed)
6829533 hits, 1432 misses, 483 trims, 497 created
Big buffers, 1524 bytes (total 90, permanent 90):
90 in free list (5 min, 300 max allowed)
3403884 hits, 56 misses, 1 trims, 1 created
Large buffers, 5024 bytes (total 5, permanent 5):
5 in free list (0 min, 30 max allowed)
49984 hits, 13 misses, 20 trims, 20 created
Huge buffers, 18024 bytes (total 0, permanent 0):
0 in free list (0 min, 4 max allowed)
0 hits, 0 misses, 0 trims, 0 created
5683 failures (0 no memory)
You can interpret them:
Total Number of buffers of that size that exist.
Free Number of free buffers.
Max Maximum size that the free list can grow to before we start
throwing them away.
Hit Buffer got used.
Miss Someone requested a buffer and we had to go carve it up out of
free memory. If we couldn't because we were at interrupt
level, it's also an allocation failure. If we couldn't
because we were out of memory, then it's also a ``no memory''
failure.
Trim There are more free buffers on the free list than there need
to be and we threw some away.
Create Number of buffers we created after a miss.
------------------------------
From: Question 22
Date: 1 November 1994
Subject: How should I restrict access to my router?
Many admins are concerned about unauthorized access to their routers
from malicious people on the Internet; one way to prevent this
is to restrict access to your router on the basis of IP address.
Many people do this, however it should be noted that a significant number
of network service providers allow unrestricted access to their routers
to allow others to debug, examine routes, etc. If you're comfortable doing
this, so much the better, and we thank you!
If you wish to restrict access to your router, select a free IP access
list (numbered from 1-100) -- enter ``sh access-list'' to see those
numbers in use.
yourrouter#sh access-list
Standard IP access list 5
permit 192.94.207.0, wildcard bits 0.0.0.255
Next, enter the IP addresses you wish to allow access to your router
from; remember that access lists contain an implicit "deny everything"
at the end, so there is no need to include that. In this case, 30
is free:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
yourrouter(config)#^Z
(This permits all IP addreses in the network 172.30.0.0, i.e. 172.30.*.*).
Enter multiple lines for multiple addresses; be sure that you don't
restrict the address you may be telnetting to the router from.
Next, examine the output of ``sh line'' for all the vty's (Virtual ttys)
that you wish to apply the access list to. In this example, I want
lines 2 through 12:
yourrouter#sh line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 CTY - - - - - 0 0 0/0
1 AUX 9600/9600 - - - - - 1 3287605 1/0
* 2 VTY 9600/9600 - - - - 7 55 0 0/0
3 VTY 9600/9600 - - - - 7 4 0 0/0
4 VTY 9600/9600 - - - - 7 0 0 0/0
5 VTY 9600/9600 - - - - 7 0 0 0/0
6 VTY 9600/9600 - - - - 7 0 0 0/0
7 VTY 9600/9600 - - - - 7 0 0 0/0
8 VTY 9600/9600 - - - - 7 0 0 0/0
9 VTY 9600/9600 - - - - 7 0 0 0/0
10 VTY 9600/9600 - - - - 7 0 0 0/0
11 VTY 9600/9600 - - - - - 0 0 0/0
12 VTY 9600/9600 - - - - - 0 0 0/0
Apply the access list to the relevant lines:
yourrouter#conf t
Enter configuration commands, one per line. End with CNTL/Z.
yourrouter(config)#line 2 12
yourrouter(config-line)# access-class 30 in
yourrouter(config-line)# ^Z
(This apply access list 30 to lines 2 through 12.)
Be sure to save your configuration with ``write mem''.
Please note that access lists for incoming telnet connections do NOT
cause your router to perform significant CPU work, unlike access lists
on interfaces.
------------------------------
From: Question 23
Date: 1 November 1994
Subject: What can I do about source routing?
What *is* source routing?
Soure routing is an IP option which allows the originator of a packet
to specify what path that packet will take, and what path return packets
sent back to the originator will take. Source routing is useful when the
default route that a connection will take fails or is suboptimal for some
reason, or for network diagnostic purposes. For more information on
source routing, see RFC791.
Unfortunately, source routing is often abused by malicious users on
the Internet (and elsewhere), and used to make a machine (A), think
it is talking to a different machine (B), when it is really talking to
a third machine (C). This means that C has control over B's ip address
for some purposes.
The proper way to fix this is to configure machine A to ignore
source-routed packets where appropriate. This can be done for most
unix variants by installing a package such as Wietse Venema,
,'s tcp_wrapper:
ftp://cert.org:pub/tools/tcp_wrappers
For some operating systems, a kernel patch is required to make this
work correctly (notably SunOS 4.1.3). Also, there is an unofficial
kernel patch available for SunOS 4.1.3 which turns all source routing
off; I'm not sure where this is available, but I believe it was posted
to the firewalls list by Brad Powell soimetime in mid-1994.
If disabling source routing on all your clients is not posssible, a
last resort is to disable it at your router. This will make you unable
to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both
of which use LSRR (Loose Source Record Route, 2 IP options, the first
of which is a type of source routing), but may be necessary for some.
If so, you can do this with
foo-e-0#conf t
Enter configuration commands, one per line. End with CNTL/Z.
foo-e-0(config)#no ip source-route
foo-e-0(config)#^Z
It is somewhat unfortunate that you cannot be selective about this; it
disables all forwarding of source-routed packets through the router,
for all interfaces, as well as source-routed packets to the router
(the last is unfortunate for the purposes of ``traceroute -g'').
------------------------------
From: Question 24
Date: 1 November 1994
Subject: Is there a block of private IP addresses I can use?
Yes there is, however whether you wish to do so is an issue of
some debate.
There are two RFCs which discuss this issue, and present opposing
views:
1597 Address Allocation for Private Internets. Y. Rekhter, B.
Moskowitz, D. Karrenberg & G. de Groot. March 1994. (Format:
TXT=17430 bytes)
1627 Network 10 Considered Harmful (Some Practices Shouldn't be
Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.
(Format: TXT=18823 bytes)
Neither one of these RFCs is anything more than a set of informational
guidelines; they are *not* words to live by (remember that RFC stands
for Request For Comments). Nevertheless, both comment cogently on this
issue, a full discussion of which is outside the scope of this
document. If you're seriously considering using private IP addresses,
please read them both (see question 17, ``Where can I get IETF
documents'') to find them.
Additionally, it is likely that a third RFC will be coming out shortly
that discusses both sides of the issue; watch this space for details.
In any event, RFC 1597 documents the allocation of the following
addresses for use by ``private internets'':
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Most importantly, it is vital that nothing using these addresses
should ever connect to the global Internet, or have plans to do so.
Please read the above RFCs before considering implementing such
a policy.
------------------------------
From: Question 25
Date: 5 July 1994
Subject: Acknowledgements.
The following people contributed to this FAQ, and their contributions
are greatly appreciated, both questions and answers (in alpha order):
"Ronnie B. Kon"
Alain Martineau
Charley Kline
Dave Katz
Howard C. Berkowitz, PSC International,
Jim Forster
John Wright
Pete Siemsen
Phillip Remaker
Ran Atkinson
Sanjay Rungta~
Sean McGrath
Steve Cunningham
atkinson@sundance.itd.nrl.navy.mil (Ran Atkinson)
buk@taz.de ($ Burkhard Kohl)
jerry@ksu.ksu.edu (Jerry Anderson)
jhawk@panix.com (John Hawkinson)
john@cisco.com (John Wright)
john@gulfa.ods.gulfnet.kw (John Temples)
peter@ulisse.rhein-main.de (Peter Radig)
tli@cisco.com (Tony Li)
tom@park.uvsc.edu (Thomas R. Kimpton)
warner@cats.ucsc.edu (Jim Warner)