RU.CISCO FAQ
FAQ compiled from the FIDO conference RU.CISCO

This FAQ was compiled from the FIDO conference RU.CISCO, the newsgroup comp.dcom.sys.cisco, the inet-admins mailing list and other sources.
Thanks to all inhabitants of the RU.CISCO echo. Thanks to everyone who sent links and Q/A pairs.
Maintaining the FAQ, when he gets round to it - Dmitriy Yermakov, dyer@sut.ru, 2:5030/1115
Date of last modification - 17 January 2001.
Additions and corrections are best sent to dyer@sut.ru
http://cube.sut.ru/~dyer/faq/cisco.html
Text version: ftp://ftp.east.ru/pub/inet-admins/cisco.txt

DISCLAIMER.
The compiler of this text is not a Cisco guru
and does not provide tech support by e-mail or netmail.

0. General questions
1. Sync, Async, AUX, Callback
2. FR
3. X25
4. ACL
5. Traffic-shape
6. Routing
7. TACACS, RADIUS, AAA
8. Memory
9. NTP, TZ
10. NAT
11. Telco, ISDN

13. SNMP
14. Cables
15. TROUBLESHOOTING
97. Software
98. IOS Black List/White List/Recommendations
99. Misc
Marginal notes

===========================================================

0. General questions

===========================================================
0.1>Q: Where can one read something about Cisco?
>A: (in chorus :) UniverCD, which ships with the equipment. http://www.cisco.com and http://www-europe.cisco.com
[11.09.2000] On the subject of UniverCD.
>A: (Dmitry Morozovsky) The 'new' DocCDs from Cisco are gzip-compressed.
-------
httpd.conf:
Action text/gzipped /cgi-bin/gzcat.cgi?
AddHandler text/gzipped .html .htm
-------
gzcat.cgi:
#!/bin/sh -
echo "Content-type: text/html"
echo ""
# HF is built straight from the client-supplied REQUEST_URI (query string included);
# nothing here validates it, so DOCUMENT_ROOT should contain nothing but the DocCD.
HF="${DOCUMENT_ROOT}/${REQUEST_URI}"
if [ -r "$HF" ]; then
  gzcat -f "$HF"
else
  echo "No such file, sorry"
fi
-------
>A: On installation under Win2k (Sergey Zarubin):
From: "Evan Wagner"
Newsgroups: comp.dcom.sys.cisco
Subject: Re: Windows 2000 & Cisco CD
Date: Thu, 20 Apr 2000 23:04:18 -0400
To get the Cisco documentation to work under Windows 2000:
- Run regedit
- Export your registry (as a precaution)
- Locate the Windows 2000 Registry Key: HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/IE4/Setup/Path
- Change the value from "%programfiles%\Internet Explorer" to the location where IE is installed on your system, for example "D:\Program Files\Internet Explorer"
- Uninstall the Cisco Documentation CD
- Delete the old install directory
- Reinstall the Cisco documentation CD and you should be good to go.
>A: (Aleksandr Rainchik) Cisco Systems and Cisco Routers in a Nutshell http://www.clark.net/pub/rbenn/cisco.html
There is a wonderful server: McGraw-Hill Beta Books http://www.pbg.mcgraw-hill.com/betabooks/betabooks-home.html
>A: (Dmitriy Yermakov) Some concrete config examples:
Relcom http://relcom.eu.net/INFO/NOC-IP/FAQ/faq.html
DEOl http://www.deol.ru/~bog/work/cisco_access.html
Sample Configurations on www.cisco.com http://www.cisco.com/warp/public/700/tech_configs.html
Guide to Cisco Router Configuration http://www.primenet.com/~web/router/cisco-configuration.html
"Cisco routers and the struggle with them" in M. Moshkov's library http://www.parkline.ru/Library/koi/CISCO/
TACACS-FAQ - http://www.easynet.de/tacacs-faq
List of AV-pairs for TACACS - http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23/csnt23ug/ap_tacac.htm
CISCO-FAQ - comp.dcom.sys.cisco Frequently Asked Questions http://cube.sut.ru/~dyer/faq/cisco-networking-faq.txt and ftp://ftp.east.ru/pub/inet-admins/cisco-networking-faq.txt
CISCO-FAQ on the Cisco server - http://www.cisco.com/warp/public/458/index.shtml
Archive of the inet-admins mailing list http://info.east.ru/win/inetadm.html, which also has questions/answers, and not only about Cisco.
A small FAQ http://www.sunshine.dp.ua/os/reports/ciscofaq.html
Articles made from RU.CISCO messages at http://www.opennet.ru/base/cisco [07.09.2000]
>A: (Martin McFlySr) Cisco search on the Google engine http://cisco.google.com/cisco [18.09.2000]
Review of Cisco Press literature "S.Zaytsev"
0.2>Q: Where can one get the RU.CISCO archive?
>A: (Dmitriy Yermakov) http://www.dejanews.com :)
0.3>Q: Where can one get a fresh IOS?
>A: (Denis Saveliev) Beta versions are at ftp://ftpeng.cisco.com/isp
P.S. (DY) Generally speaking, IOS is not free. [13.06.2000]
0.4>Q: What is NetFlow and what is it good for?
>A: (DY) You can read more about it at Cisco http://www.cisco.com/warp/public/732/netflow
Programs for collecting and processing NetFlow statistics:
http://www.auckland.ac.nz/net/NeTraMet
http://www.caida.org/Tools/Cflowd
These sites have further links, but these two seem to be the most popular. There is also http://www.ipmeter.com (billing), which needs NeTraMet. [05.09.2000]
One more link: http://www.switch.ch/tf-tant/floma/software.html#netflow
>A: (Vladislav Nebolsine) Configuration examples - http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/policyrt.htm, which also has links to further documentation.
===========================================================

1. Sync, Async, AUX, Callback

===========================================================
1.1>Q: Tell me how to set up dial-in from modems to IFCICO on a Cisco 2509!
>A: (Dmitriy Yermakov) When using TACACS, see below.
username **EMSI_INQC816 nopassword
username **EMSI_INQC816 autocommand telnet [host] [port_ifcico] /stream
Whether the /stream switch is needed is best checked experimentally. As for
banner login # **EMSI_REQA77E #
no final conclusion was reached on whether it is needed or not; I have it.
>A: (Alecsey Gusev)
username **EMSI_INQC816 nopassword noescape
username **EMSI_INQC816 autocommand telnet
username **EMSI_INQC816**EMSI_INQC816q. nopassword noescape
username **EMSI_INQC816**EMSI_INQC816q. autocommand telnet
username **EMSI_INQC816q nopassword noescape
username **EMSI_INQC816q autocommand telnet
username **EMSI_TZP16B2 nopassword noescape
username **EMSI_TZP16B2 autocommand telnet
banner login # **EMSI_REQA77E # is not needed.
>A: (Alecsey Gusev) For Argus you have to add the user **EMSI_TZP16B2; Argus sends that first of all. [19.07.2000]
(Sergei Shumakov) Argus definitely does not do that. It may send -TZP16B2-, but only after it has caught **EMSI_REQA77E.
>A: A small patch for ifcico (Maksim Malchuk):
*** session.c.orig Wed Dec 27 16:22:31 1995
- --- session.c Tue Feb 13 08:48:13 1996
***************
*** 163,168 ****
- --- 163,170 ----
  SM_ERROR;
  }
+ PUTSTR("**EMSI_INQC816\r");
+ p=buf;
  /*PUTSTR(" \r");*/
  PUTCHAR('\r');
1.2>Q: Dialout service for unix, or how to attach a NAS port to something.
>A: (Alex Tutubalin, Vadim Mikhailov) Win95/NT: http://www.cisco.com - dialout service, or whatever it is called. FreeBSD, Linux: modemu-0.0.1 emulates /dev/ttyXX over any telnet. For a Cisco that would be reverse telnet to port 2000+n. You probably won't send faxes through it, although who knows? (AT): On the 2000+n ports there is no flow control. Dialout goes to 6000+n.
nettty - somewhere around http://www.livingston.com
>A: (Leonid Kirillov) Under Win'95/3.x/NT the problem is solved with http://www.cisco.com/univercd/cc/td/doc/product/access/dialout/index.htm. A way of solving it under DOS is unknown.
1.3>Q: Is it possible to arrange landing not on a specific line but on the first free one, say? I imagine this can somehow be arranged by grouping, maybe in a Dialer Group? Interesting in general ;)
>A: (Vasily Ivanov) 5000+number, via a rotary set on the needed lines.
1.4>Q: I wanted just a little - to attach a modem to AUX. I configured it like this:
line aux 0
 location TESTING
 access-class 1 in
 password line anything
 script reset reset-modem
 modem InOut
 transport preferred none
 transport input all
 transport output none
 stopbits 1
 rxspeed 19200
 txspeed 19200
 flowcontrol hardware
Telnetting to this modem I can dial out, but when I call it from outside - silence; the modem picks up and says nothing, then drops the call. No prompts, nothing. The other eight modems work normally. Where do I kick the Cisco so that it recognizes AUX? IOS 11.2.
>A: (Sergey Zhuk)
line aux 0
 login local
 modem Dialin
 terminal-type vt100
 stopbits 1
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware
there... it works... it also works with inout...
1.5>Q: What are the port numbers 20xx, 40xx, 60xx on a Cisco?
>A: (Dmitri Beloslioudtsev) These are different telnet modes:
Telnet port 20xx
Telnet raw port 40xx
Telnet binary port 60xx
>A: (Eugene Zhilitsky) Ports 30xx, 50xx, 70xx are the same, but for rotary groups.
1.6>Q: Could the all-knowing All tell me how to configure the AUX port on a Cisco 2503 for a modem on a leased line? On the router at the other end of the leased line only async ports are left.
>A: (Dmitry Morozovsky)
int a0
 ip unn e0
 enc ppp
 keep 10
 asy mode dedicated
 asy def rou
 asy dyn rou
li a 0
 speed 38400
 flow hard
 esc NONE
 stopbits 1
Plus the modem configuration (for reverse telnet you need modem inout & tran in telnet).
1.7>Q: How do I make NT, Win work with a Cisco over a null-modem?
>A: (Alexander Karpoff) PPP through Zelax units works without problems from both 95 and NT. All you need is to go to http://www.mindspring.com/~kewells/net/ and download the necessary *.inf. [19.07.2000]
(zaruba@artelecom.ru) I prefer to download from ftp://ftp.zelax.ru/pub/soft/mdmzelax.inf http://www.zelax.ru/faq/faq76.html
P.S. (DY) They also say that on NT you can install an X.25 pad instead of a modem.
P.P.S. (DY) find mdm3640t.inf or take it here - http://cube.sut.ru/~dyer/faq/mdm3640t.inf.txt; it works with Couriers :)
>A: (DY) And here is a fuller method (dug up somewhere on my disk)
=============================================================================
* Area : RU.WINDOWS.NT (RU.WINDOWS.NT)
* From : Dmitry Vashkovsky, 2:5020/168.121 (Friday September 26 1997 19:23)
* Subj : NT & leased line
=============================================================================
VB> How to do %SUBJ%?
VB> There is NT4+SP3+RAS&Routing+Motorola Premier 33.6
I propose a solution that has worked for me since May and has been verified by my acquaintances; it works great for them too :) So, the provider has given you a leased line with a modem hanging on your side; when powered on it connects to the provider immediately, and NT cannot see it by any ordinary means. I'll say right away that the resource kit has only two lines on this subject, that you must work over null modem, which is almost right. In fact you imitate X.25. The first thing you must do is save, just in case, your pad.inf from the ras directory and put a new one in its place. I took the modem.inf file from NT 3.51 and edited it (only that one! NT4 has no suitable null modem description), threw out all the modem descriptions, left only some general information and the null modem description edited for our situation; I give that part in full:
;----------------------------------------
[Null Modem 33600]
CALLBACK_TIME=10
DEFAULTOFF=
MAXCARRIERBPS=33600
MAXCONNECTBPS=33600
COMMAND=
CONNECT=
;----------------------------------------
In the menu that appears choose Install X25 Pad, where in the offered menu you naturally choose Null Modem, then confirm everything you can, not forgetting to say that this device works only for dial out and over TCP/IP :) When configuring dialup, in the part devoted to X.25 you have several lines: in the first one, with the down arrow, pick your null modem; in the others write any nonsense (I wrote the provider's name). That's it, you can work in peace. Just don't forget to specify in the port description the same speed as in the null modem description. If you have nowhere to get modem.inf from NT 3.51 you can take my already edited pad.inf (for 19200 though, but the digits are not hard to change) at ftp:\\www.advance.com.ru; it lies right in the root.
Dmitry dva@skydive.ru http:\\www.advance.com.ru/skydiver
ZY: after everything works for you, don't forget to treat me to a beer
=============================================================================
>A: (DY) Having fiddled for a while with http://www.mindspring.com/~kewells/net/ I went a somewhat different way. Writing from memory, what I recall.
On the Cisco side:
modemcap entry usr_ll:FD=&f1&l1:AA=A
line X
 modem autoconfigure type usr_ll
On the Win, WinNT side the normal drivers for the installed modem are installed. Configure the modem: AT&F1 AT&W
Variant 1. In the modem settings (where there is something like advanced/extra settings) put the initialization string AT&L1
Variant 2. In the phone number line put X3T1 (in this variant probably any modem will work, even one that per its specs does not support Leased Line mode).
And more on the same subject - http://www.psc.ru/sergey/TehSerenada/CISCO/ONLINE/wint4ll.html
1.8>Q: Does anyone know whether DNS addresses can be passed automatically to a dialing-in subscriber from the Cisco? I heard that this exists.
>A: (Sergiy Zhuk)
async-bootp dns-server 192.168.3.100 192.168.3.110   <- this is DNS
async-bootp nbns-server 192.168.3.2 192.168.2.2      <- and this is NetBIOS (WINS)
1.9>Q: There is a Cisco 3640 with a Mica modem module for 30 modems and an E1 module connected to the PBX. When I do the command sh use I see a picture like this
> 66 tty 66 pupkin ...
> 55 tty 55 vasya ...
How do I find out which timeslot in the E1 stream a user came in on, i.e. is there a binding of line to B-channel, and if not, can it be made?
>A: (Andrew Lun) sh modem csm
1.10>Q: I have a Cisco 1005. The serial port is configured as synchronous. How do I make it work with an async modem?
>A: (Dmitry Morozovsky) On the 1005 sync/async is switched by software. Starting with the 2520/2522 -- with the command physical-layer async on the interface (by the way, it is useful to remember that the SNMP interface number changes as a result).
1.11>Q: Passing uucp users through.
>A: (DY) The RADIUS part is taken from inet-admins; I do not vouch for its accuracy.
a. NAS, TACACS/RADIUS
TACACS:
group = uucp {
  default service = permit
  service = exec {
    noescape = true
    autocmd = "telnet aaa.bbb.ccc.ddd 540 /stream"
  }
}
For RADIUS, (Dmitry Morozovsky) /var/spool/uucp/public/.rhosts:
nas0 ciscoTS
nas1 ciscoTS
(Basil Dolmatov) - the NAS comes in with the specific name "ciscoTS"... That is what has to be allowed...
NAS: (Taras Heychenko)
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source local
b. Clients
sys from taylor-uucp:
myname client
system host
time any
call-login uuclient
call-password cl.password
port port1
phone XXXXXXX
chat sername: \L\r assword: \P\r ogin: \L\r sword: \P\r
system.pat from UUPC/@:
200 gGt N g(%L_GWSIZE%,%L_GPSIZE%)/g(%R_GWSIZE%,%R_GPSIZE%) "" \W20\c name--name--name \p\p\L sword:-\L-sword:-\L-sword:-\L-sword: \p\P ->-> \crlogin\sUUHOST\r ogin--ogin--ogin \p\p\L sword:-\L-sword:-\L-sword: \p\P
Replace UUHOST with your own. In the autocommand case, "->-> \crlogin\sUUHOST\r " can be thrown out.
1.12>Q: Callback from a Cisco to Windows
>A: (Vyacheslav V. Fedorov) On a Cisco 2511:
version 11.
service exec-callback
...
aaa authentication login execcheck tacacs+
aaa authentication ppp ppp_list tacacs+
...
interface Async2
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 peer default ip address x.x.x.x
 ppp callback initiate
 ppp authentication chap ppp_list
....
line 2
 autoselect during-login
 autoselect ppp
 script modem-off-hook offhook
 script callback idc
 login authentication execcheck
 modem InOut
 transport input all
 escape-character NONE
 callback forced-wait 30
 callback nodsr-wait 10000
 stopbits 1
 rxspeed 57600
 txspeed 57600
 flowcontrol hardware
.....
On the server where tacacs+ runs, in the file tacacs.config:
user= mylogin {
  global = cleartext "xxxxxxxxxx"
  service=ppp protocol = lcp {
    callback-dialstring = 388888
  }
  service=ppp protocol=ip { }
  service=exec {
    callback-dialstring = 388888
    callback-line=2
    nocallback-verify=1
  }
}
>A: (Dmitry Valdov) For the user to be able to enter the number himself, the tacacs must send callback-dialstring = "". In general:
cisco:
service exec-callback (this is only needed if callback with scripts is going to be used.)
....
chat-script dial ABORT ERROR TIMEOUT 50 "" "AT" "OK" "ATD\T" "CONNECT"
....
interface group-async 1
 ppp authentication pap
 ppp callback accept
...
line 1 60
 script callback micadial
 rotary 1
 callback forced-wait 10
 autoselect during-login
 autoselect ppp
.....
In the tacacs:
group = callback {
  .....
  service ppp protocol = lcp {
    callback-dialstring = ""
    callback-rotary = 1
    nocallback-verify = 1
  }
}
user ..... {
  member = callback
  service = exec {
    .....
    callback-dialstring = ""
    nocallback-verify = 1
    callback-rotary = 1
  }
}
Windows ("Mustdie") itself ALWAYS requests callback via CBCP on any call it makes. If it is not refused, it asks for the phone number. For NT all of this has to be specified explicitly.
>A: (Andy Igoshin) ftp://ftp.vsu.ru/pub/hardware/cisco/callback
1.13>Q: How do I link two Ciscos over E1?
>A: (Gosha Zafievsky), sent in by (Oleh Hrynchuk). The config is roughly as follows (the same for the 5300 & 3600):
controller E1 ZZZ
 linecode hdb3              | these two parameters depend on
 framing CRC4               | the channel equipment
 clock source line primary  | on the 3600 this exists only in 12.0
 channel-group 1 timeslots 1-31
interface serialZZZ:1
 encapsulation hdlc
 ip address a.b.c.d x.y.z.t
ip route 0.0.0.0 0.0.0.0 serialZZZ:1
What goes in place of ZZZ depends on the specific hardware...
1.14>Q: Can an IP link be arranged through the AUX port with a direct connection to a COM port on NT (I think via a null-modem), or am I asking too much?
>A: (??), sent in by (Oleh Hrynchuk) No problem. Recently I needed it myself - a cisco3640 had no Ethernet. I had to fiddle a bit with the cable; the pinout is
RJ-45 - DB-25
1-5
2-6,8
3-3
4-7
5-7
6-2
7-20
8-4
Everything else as usual on an async port. [13.06.2000]
1.14>Q: What is the best way to set up a modem on an async port?
>A: (Mathey M. Teplov) I, for example, and many others in general, advise doing this: 1) kill modem autoconfigure by writing no modem autoconfigure 2) initialize the line as 115200 8,n,1
!
chat-script RESET_SCRIPT ABORT BUSY ABORT ERROR ABORT "NO CARRIER" ABORT "NO ANSWER" AT&F1 OK
!
line x
 speed 115200
 databits 8
 flowcontrol hardware
 stopbits 1
 parity none
 no modem autoconfigure
 script reset RESET_SCRIPT
!
and after that hard-wire the following into the Courier's F1 profile: &A3&B1&C1&D2&G2&H1&I0&K1&L0&M4&N0&P1&R2&S0&T5&X0&Y0%N6 and set its jumpers so that it boots from F1. Proven by bitter experience. [05.09.2000]
1.15>Q: Callback on Linux
>A: (Eugene Crosser) http://www.tartu.customs.ee/linux/callback.shtml I have not checked it myself. To my taste the script is crooked, but the idea is clear.
===========================================================

2. FR

===========================================================
2.1>Q: Frame Relay & Unnumbered interface. Someone wrote here a while ago that IP unnumbered on FrameRelay subinterfaces doesn't exist. But I got it to work.
>A: (Alex Tutubalin) Roughly like this:
Interface Serial 0
 no ip address
 frame-relay lmi-type ansi
Interface Serial 0.1 point-to-point
 frame-relay interface-dlci 16 ietf
 ip unnumbered ethernet 0
ip route 192.168.111.48 255.255.255.240 Serial 0.1
On the other side there is FreeBSD + Cronyx Sigma-22. Everything there is done roughly like this:
cxconfig cx0 hdlc fr +extclock
ifconfig cx0 192.128.111.49 195.54.222.201
route add default 192.168.111.201
.49 - Ethernet on this same machine
.201 - Ethernet on the Cisco
>A: (Alex Zinin) In the unnumbered case the encapsulation plays only an indirect role, and subinterfaces are just a special case. The general rule is: ip unnumbered can be put only on interfaces that Cisco regards as p-t-p. For WAN interfaces the type is determined by the encapsulation, i.e. hdlc - ptp, ppp - ptp, slip - ptp, fr - ptm, x25 - ptm, smds - ptm. A separate case is the dialer. It does not change the interface type and works entirely on its own on top of the data-link layer. With subinterfaces, you can split one physical p-t-m into several p-t-p and p-t-m interfaces. Accordingly, unnumbered can be used on the p-t-p ones.
===========================================================

3. X25

===========================================================
The author of the answers is Eugene Zhilitsky unless stated otherwise.
3.1>Q: [DOS-COM1]--a1[Cisco2509]--[Cisco2522]-- -[?]--[UNIX-APP] On the Cisco2522 a TCP to X.25 translation is performed, and the 2509 simply telnets to the translated address. BUT: one can fetch from the UNIX machine but not put. I tried both binary and stream translations, and telnet /stream and with other parameters, both ways. And I used a profile like x29 profile aaaa 2:0 3:0 4:100 7:21 11:14, experimentally.
>A: (Eugene Zhilitsky) 4:100 - that is very bad; incomplete packets will only leave after 100*0.05=5 seconds!
1. The translation and the telnet must be stream.
2. x29 profile aaa 1:0 2:0 3:2 4:5 5:0 8:0 9:0 10:0 12:0 15:0 22:0
3:2 - that is "prophylactic", so that packets leave immediately on ^M; sometimes this gets in the way (in very rare special applications). You can set 3:0.
3. On the async port (a1[Cisco2509]) to which the DOS box is connected:
escape-character NONE
telnet transparent
4. For the user with which the DOS box logs into the first Cisco - noesc.
5. On all vtys that may be used for the translation, also:
escape-character NONE
telnet transparent
6. Everywhere, instead of these two lines you can use one: terminal-type download. This method was suggested by gurus from RU.CISCO (who exactly, I don't remember :-(.
Well, I don't seem to have forgotten anything else :-))))) It should work.
3.2>Q: How do I configure X25?
>A: There is a simple empirical rule: all LAPB (HDLC) and X25 parameters must be identical on both ends of the link, except the logical DTE/DCE - that must be _different_. Besides, don't forget that the layer-2 (LAPB) packet size on a Cisco is specified in _bits_, while with most other manufacturers it is in _bytes_.
3.3>Q: Fine, but my X25 box has a parameter "Logical channel group", and I haven't found one on the Cisco. What do I do?
>A: Each unit of that parameter adds 256 to the logical channel number. For example, on the X25 box the parameters are: Logical channel group - 4; Number of the first Two-way VC - 1; Number of Two-way VCs - 16. Then on the Cisco set:
x25 ltc 1025
x25 htc 1040
3.4>Q: I configured an X25-TCP translation, but it doesn't work; instead of it the Cisco prints Username: (exec is started). What do I do?
>A: You are using the same X25 address for the translation as in x25 address on the Serial. Using Call User Data (cud) in the translation doesn't save you. The addresses must be different; for example, extend the X25 address in the translation with subaddresses.
3.5>Q: Because of local conditions I cannot use subaddresses.
>A: Then simply remove x25 address from the Serial configuration. That parameter is used in outgoing call packets as the source address. If it is removed, call packets will go out with an empty source address. Practically all X25 networks require the source address to be either correct or empty, so everything should work without it too.
3.6>Q: Hurrah! The translation works. But the task has changed: a call with Call User Data (cud) should start the translation, and a call to the same address without cud should start exec.
>A: Configure this address via x25 routing: x25 route alias Serial
3.7>Q: Does nobody have configs for Cisco <--> Eicon over X.25? At least the Cisco side. PPP and Frame Relay worked, but X.25 won't. And it is needed.
>A: (john gladkih) direct connection?
interface Serial1
 description x.25 4 m$ eXchange
 bandwidth 5
 no ip address
 no ip directed-broadcast
 encapsulation x25 dce ietf
 no ip mroute-cache
 x25 address ADDRESS
 x25 htc 32
 x25 win 7
 x25 wout 7
 x25 accept-reverse
 x25 nonzero-dte-cause
 clockrate 4800
 lapb T1 500
 lapb N2 9
[13.06.2000]
3.8>Q: Please explain in detail how this "piece" works: translate x25 03 cud 4411 profile NUL ppp ............
>A: (Vasily Ivanov) It works poorly, because for the Cisco-side settings it grabs data from the first interface it comes across. It is kept for compatibility with old IOSes. It is much better to use translate x25 12345 virtual-template 1. For the details, with pictures, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcpt.htm [05.09.2000]
3.9>Q: I recalled how half a year ago the problem of PAD access via XOT was discussed here, when the X.25 network didn't want to accept calls with facilities, which are unavoidable with XOT. Still relevant? I can give a recipe. But it requires 12.1 ;) (as I recall there was also annex-g in that discussion? then 12.1 must be there anyway)
>A: (john gladkih) ok. The router with annex-g, which is also the local x25 switch:
service pad to-xot
service pad from-xot
service tcp-keepalives-in
service tcp-keepalives-out
!
frame-relay switching
!
x25 profile test dte
 x25 address 61273
 x25 htc 32
 x25 win 7
 x25 wout 7
 x25 ips 1024
 x25 ops 1024
 x25 nonzero-dte-cause
 x25 subscribe flow-control never      <- 1
 lapb modulo 128
x25 routing acknowledge local          <- 2
!
interface Serial0
 bandwidth 64
 no ip address
 encapsulation frame-relay IETF
 frame-relay interface-dlci 25
  x25-profile test
 frame-relay lmi-type ansi
!
x25 route ^6127305 xot 10.10.0.21 xot-keepalive-period 10
x25 route .* source ^$ substitute-source 6127305999 interface Serial0 dlci 25   <- 3
x25 route .* interface Serial0 dlci 25
1> disables flow-control negotiation on the interface for calls.
2> allows local packet reassembly.
3> a pad call via xot arrives with an empty src address, and here we substitute 6127305999 as the src.
On the other side of the xot nothing special:
x25 route ^612.* xot 10.10.0.118 xot-keepalive-period 10
xot-keepalive-period here is purely pro forma.
===========================================================

4. ACL

=========================================================== 4.1>Q: Rekomendacii po access-lists dlya zashchity ot atak iz interneta. Nekotorye rekomendacii i soobrazheniya. aaa.bbb.ccc.ddd, naa.nbb.ncc.ndd - sootvetstvenno svoi set' i maska. wba.wbb.wbc.wbd - wildcard bits Vnimanie !!! v access-list ispol'zuetsya ne netmask, a wildcard bits. Est' zhutkaya formula, no ya predpochitayu pol'zovatsya takoj - WB=255-NM takim obrazom, esli netmask 255.255.255.0 v access-list pishetsya 0.0.0.255 ! deny all RFC1597 & default no access-list 101 access-list 101 deny ip host 0.0.0.0 any access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 127.0.0.0 0.255.255.255 any access-list 101 deny ip 172.16.0.0 0.15.255.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any ! deny ip spoofing access-list 101 deny ip aaa.bbb.ccc.ddd wba.wbb.wbc.wbd any ! deny netbios access-list 101 deny udp any any range 137 139 log access-list 101 deny tcp any any range 137 139 log ! deny Back-Orifice access-list 101 deny udp any any eq 31337 log ! deny telnet access-list 101 deny tcp any any eq telnet log ! deny unix r-commands and printer, NFS, X11, syslog. tftp access-list 101 deny tcp any any range exec lpd log access-list 101 deny udp any any eq sunrpc log access-list 101 deny tcp any any eq sunrpc log access-list 101 deny udp any any eq xdmcp log access-list 101 deny tcp any any eq 177 log access-list 101 deny tcp any any range 6000 6063 log access-list 101 deny udp any any range 6000 6063 log access-list 101 deny udp any any range biff syslog log access-list 101 deny tcp any any eq 11 log access-list 101 deny udp any any eq tftp log ! 
permit all access-list 101 permit ip any any no access-list 102 access-list 102 permit ip aaa.bbb.ccc.ddd wba.wbb.wbc.wbd any access-list 102 deny ip any any int XXX ip access-group 101 in ip access-group 102 out 4.2>Q: Kin'te, pozhalujsta, primer access-list'a ( nado zakryt' dlya dostupa izvne vo vnutrennyuyu set' vse porty - ostavit' tol'ko vozmozhnost' raboty po http i e-mail) Cisco - 1601 Zaranee blagodaren. >A: (Alex Bakhtin) Itak. Est' dve strategii po ustanovke aksess-listov: 1. Zakryt' vse opasnoe, otkryt' vse ostal'noe. 2. Otkryt' vse nuzhnoe, zakryt' vse ostal'noe. V zdeshnem FAQe, kotoryj byl porekomendovan, imeetsya primer, napisanyj imenno po pervomu principu. He budem obsuzhdat' preimushchestva i nedostatki dannogo podhoda, naskol'ko ya ponimayu, u vas est' zhelanie ispol'zovat' vtoroj. YA popytayus' opisat' dostatochno universal'nuyu metodiku, kotoraya mozhet byt' ispol'zovana pri postroenii zashchity vtorogo tipa, a zatem privesti primer real'no rabotayushchej konfiguracii. Srazu hochu skazat', chto vse nizhenapisanoe - eto chisto moe IMHO. Predpolagaetsya razrabotka access-lista, ogranichivayushchego vozmozhnosti dostupa _izvne_ v lokal'nuyu set', a ne ogranicheniya vozmozhnostej po vyhodu naruzhu iz lokal'noj seti. Itak. Hachat' imeet smysl s sistematizacii togo, chto my, sobstvenno hotim poluchit'. Dlya etogo predlagayu vystroit' sleduyushchuyu tablicu: ! ! ! ! ! !www !mail!ftp!binkd!i tak dalee - zdes' perechilyaem servisy ! ! ! ! !dostup k kotorym my hotim predostavit' ! ! ! ! !pol'zovatelyam "izvne" ------------!----!----!---!-----!---------------------------------------- www.qq.ru ! X ! ! ! ! relay.qq.ru ! ! X ! ! ! ftp.qq.ru ! ! ! X ! ! any ! ! ! ! X ! zdes' hosty/ gruppy hostov, kotorye predostavlyayut sootvetstvuyushchie servisy. Poryadok raspolozheniya hostov v tablice vazhen. Est' dva pravila: a. Obshchie opredeleniya neobhodimo raspolagat' kak mozhno nizhe. 
To est' host 10.0.1.1/32 dolzhen byt' raspolozhen _vyshe_ chem subnet 10.0.1.0/24. Sootvetstvenno v samuyu poslednyuyu strochku pishetsya chto-to tipa any. b. V sluchae, esli po pravilu a. okazyvaetsya, chto poryadok kakih-to konkretnyh strok mozhet byt' lyubym (kak v nashem primere www, relay i ftp mogut byt' perechisleny v lyubom poryadke, no obyazatel'no vyshe chem any), to na bolee vysokie pozicii nado stavit' hosty, kolichestvo obrashchenij k kotorym po otmechennym servisam predpolagaetsya bol'shim. V nashem sluchae my predpolagaem, chto osnovnye zaprosy budut postupat' na www server, zatem budet peredavat'sya kakoe-to kolichestvo pochty i uzh sovsem malo budet zaprosov na ftp. Posle sostavleniya, proverki i, po vozmozhnosti, optimizacii takoj tablicy (voobshche eto process dostatochno tvorcheskij i netrivial'nyj;-)) mozhno perehodit' sobstvenno k napisaniyu pervoj versii access-lista. Pervaya versiya budet prakticheski kal'koj nashej tablicy. ip access-list extended Firewall permit tcp any host www.qq.ru eq www permit tcp any host relay.qq.ru eq smtp permit tcp any host ftp.qq.ru eq ftp permit tcp any any eq 24554 Poslednyaya stroka po umolchaniyu prinimaetsya za deny ip any any. Fakticheski, postroenie pervoj versii access-lista zakoncheno. CHto my delaem, chtoby prodolzhat' razvivat' etot access-list? V konec lista my dobavlyaem odnu strochku deny ip any any log kotoraya ne tol'ko zapretit ves' ostal'noj trafik, chto bylo sdelano po-umolchaniyu, no i zastavit' vydavat' na konsol'/monitor/syslog soobshcheniya o paketah, popadayushchih pod eto pravilo. I dalee, v zavisimosti ot togo, kakie servisy ne byli uchteny v nashem liste(soobshcheniya ob otbroshenyh paketah budut sypat'sya na konsol'), mozhno budet dorabatyvat' nash access-list. 
Vot primery soobshchenij: %SEC-6-IPACCESSLOGP: list firewall denied tcp xxx.xxx.xx.xx(1418) -> %xxx.xxx.xxx.xx(23), 1 packet %SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(4000) -> %xxx.xxx.xxx.xx(1038), 1 packet %SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) -> %xxx.xxx.xxx.xx(1041), 1 packet %SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) -> %xxx.xxx.xxx.xx(1044), 1 packet %SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xxx.xxx(53) -> %xxx.xxx.xxx.xx(1047), 1 packet %SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xx.xx(49869) -> %xxx.xxx.xxx.xx(33456), 1 packet %SEC-6-IPACCESSLOGP: list firewall denied udp xxx.xxx.xx.xx(49869) -> %xxx.xxx.xxx.xx(33458), 1 packet Vot sobstvenno i vse;) Hado ne zabyvat' otkryvat' _na_vhod_ port domain - chtoby k nam prihodili otvety na nashi dns zaprosy. active ftp - eto voobshche otdel'naya pesnya. Vot primer real'no rabotayushchego access-lista, on, razumeetsya, ne idealen, no rabotaet;) Da, nado ne zabyvat' otkryvat' established. Posle znaka ; - moj kommentarii. =================== ip access-list extended firewall permit tcp any any eq smtp ; vse hosty prinimayut pochtu po smtp permit tcp any any eq domain ; dve strochki na dns permit udp any any eq domain ; permit tcp any any eq 22 ; ssh permit tcp any host fido.qq.ru eq 24554 ; binkd permit tcp any any established ; vot ono samoe permit tcp any host www.qq.ru eq www ; www-servera permit tcp any host images.qq.ru eq www permit tcp any host www.qq.ru range 8100 8104 ; dlya ruskoj kodirovki permit tcp any host images.qq.ru range 8100 8104 permit udp any any eq ntp ; vse mashiny mogut poluchat' vremya s vneshnih ntp permit tcp any any range 40000 44999 ; uzhe ne pomnyu dlya chego:-(( permit tcp any any eq ident permit icmp any any permit tcp any eq ftp-data any gt 1024; dlya active-ftp deny ip any any log =================== 4.3>Q: Kak sdelat' transparent-proxy ? 
>A: (DY) Everything is described at http://squid.nlanr.net/Squid/FAQ/FAQ-17.html

4.4>Q: Dynamic ACL.
>A: Sent in by (Oleh Hrynchuk)

You can use timed access-lists in IOS 12.x
You will need the router to synch to a clock source for accuracy though..
for example:

 int ser0/0
  ip access-group 101 in
 !
 access-list 101 remark --FOR THE QUAKE 3 PLAYERS AT THE OFFICE--
 access-list 101 permit udp any any range 27850 27999 time-range lunchtime
 access-list 101 deny ip any any
 !
 time-range lunchtime
  periodic weekdays 12:00 to 14:00
  periodic weekend 00:00 to 23:59
 !
 ntp source loopback0
 ntp server
 !

[13.06.2000]
4.5>Q: How to allow telnet access to the Cisco only from specific hosts?
>A: (Gosha Zafievsky)

 access-list 11 permit host 192.168.1.1
 line vty 0 4
  access-class 11 in

===========================================================
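Closing out the ACL section, here is an added example (not from the FAQ or its contributors) of the refinement loop described in 4.2: it parses %SEC-6-IPACCESSLOGP messages of the shape quoted there and summarizes what the trailing deny ip any any log is dropping, per service, per destination port and per source, so that the list can be extended deliberately rather than by reading the console. The sample log is constructed with RFC 5737 addresses; the classification of UDP source-port-53 traffic as DNS replies and of UDP destination ports 33434 to 33534 as classic UNIX traceroute probes is the example's own, and the stray % before the destination in the FAQ's quoted lines is treated as a line-wrap artifact that the pattern tolerates.

```python
"""Added example: summarise the %SEC-6-IPACCESSLOGP messages produced by a
trailing 'deny ip any any log' so the access list can be refined.

SAMPLE_LOG is constructed (RFC 5737 addresses) in the shape of the lines
the FAQ quotes; the classification rules are the example's own.
"""
import re
from collections import Counter
from typing import Dict, Optional

# '%?' before the destination tolerates the line-wrap artifact in the FAQ's quotes.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"%?(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

WELL_KNOWN = {("tcp", 22): "ssh", ("tcp", 23): "telnet", ("tcp", 25): "smtp",
              ("tcp", 53): "domain", ("udp", 53): "domain", ("tcp", 80): "www",
              ("tcp", 113): "ident", ("udp", 123): "ntp"}


def parse_line(line: str) -> Optional[Dict]:
    """One log line -> dict of fields (ports and count as ints), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "count"):
        rec[k] = int(rec[k])
    return rec


def classify(rec: Dict) -> str:
    """Name the service a denied packet belonged to.

    Two cases the FAQ text points at: answers to our own DNS queries (which
    the list must let in) and high-port noise such as traceroute probes
    (which can simply stay denied).  Everything else is looked up by port.
    """
    proto, sport, dport = rec["proto"], rec["sport"], rec["dport"]
    if proto == "udp" and sport == 53 and dport > 1023:
        return "dns-reply"
    if proto == "udp" and 33434 <= dport <= 33534:
        return "traceroute-probe"
    return WELL_KNOWN.get((proto, dport), f"{proto}/{dport}")


def summarize(text: str) -> Dict:
    """Count denied packets per service, per (proto, dport) and per source."""
    by_service, by_port, by_source = Counter(), Counter(), Counter()
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] != "denied":
            continue
        n = rec["count"]                      # IOS aggregates repeats into 'N packets'
        by_service[classify(rec)] += n
        by_port[(rec["proto"], rec["dport"])] += n
        by_source[rec["src"]] += n
    return {"by_service": by_service, "by_port": by_port,
            "by_source": by_source, "unparsed": unparsed}


# Constructed sample in the shape of the FAQ's quoted messages.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list firewall denied tcp 192.0.2.10(1418) -> 198.51.100.5(23), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 192.0.2.11(4000) -> 198.51.100.5(1038), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 203.0.113.53(53) -> 198.51.100.5(1041), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 203.0.113.53(53) -> 198.51.100.5(1044), 2 packets
%SEC-6-IPACCESSLOGP: list firewall denied udp 192.0.2.12(49869) -> 198.51.100.5(33456), 1 packet
%SEC-6-IPACCESSLOGP: list firewall denied udp 192.0.2.12(49869) -> 198.51.100.5(33458), 1 packet
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for svc, n in s["by_service"].most_common():
        print(f"{n:4d}  {svc}")
    print("top sources:", s["by_source"].most_common(3))
```

The per-service view separates what the list genuinely forgot (the DNS replies) from what should keep being dropped (the telnet attempt, the traceroute probes), which is the decision the FAQ leaves to the reader of the console.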

5. Traffic-shape

===========================================================
5.1>Q: How to throttle outgoing ftp traffic?
>A: (Vasily Ivanov)

For Active FTP:
 access-list 115 permit tcp host 123.123.123.123 eq ftp-data any gt 1023
For Passive FTP:
 access-list 115 permit tcp host 123.123.123.123 any eq ftp

5.2>Q: How to do traffic-shape on a tunnel?
>A: (DY) Here is a piece of a working config from a 4000 that was lying around.

 interface Tunnel1
  ip address xxx.xxx.xxx.xxx 255.255.255.252
  tunnel source aaa.aaa.aaa.aaa
  tunnel destination bbb.bbb.bbb.bbb
 !
 interface Ethernet0
  ip address aaa.aaa.aaa.aaa 255.255.255.224 secondary
  traffic-shape group 122 32000 8000 8000 1000
 !
 no access-list 122
 access-list 122 permit ip host aaa.aaa.aaa.aaa host bbb.bbb.bbb.bbb
 access-list 122 deny ip any any

P.S. (Vyacheslav Furist) In my opinion it would be better to use
 access-list 122 permit gre host aaa.aaa.aaa.aaa host bbb.bbb.bbb.bbb

5.3>Q: How to throttle incoming traffic?
>A: "Boris Mikhailov"
On the inbound side policy routing will help, if the CPU has enough
horsepower. I'll also add that before 11.2 (somewhere around 12~13)
traffic-shape chokes badly and does not shape (this used to be a very
frequent question).

access-list 180 describes the traffic that needs to be shaped.

 interface Loopback1
  ip address 192.168.11.1 255.255.255.255
  traffic-shape rate 64000
 !
 interface Serial0
  ip policy route-map incoming-packets
 !
 access-list 180 permit ip any 192.168.1.0 0.0.0.255
 !
 route-map incoming-packets permit 10
  match ip address 180
  set interface Loopback1

5.4>Q: Bandwidth, queue
>A: (Alex Bakhtin)
The main parameter that affects the distribution of bandwidth in custom
queuing is byte-count. Queue length has little effect on it. So. Suppose
we have the following queue-list:

 c4000-m#sh queueing custom
 Current custom queue configuration:

 List   Queue  Args
 1      1      byte-count 6000
 1      2      byte-count 3000
 1      3      byte-count 4500

The remaining queues are 1500 each. Clearly, bandwidth is not set
directly for each of the queues.
Queues are filled, of course, based on some criteria, which I do not
take into account here. Next, we start walking through all 17 queues,
beginning with queue zero:

 1. Transmit 1500 bytes from queue 0 (if there are packets in it)
 2. Transmit 6000 bytes from queue 1
 3. Transmit 3000 bytes from queue 2
 4. Transmit 4500 bytes from queue 3
 5. Transmit 1500 bytes from queue 4
 ...
 17. Transmit 1500 bytes from queue 16

Suppose we use only the first 4 queues for our traffic; traffic never
lands in the remaining queues. Accordingly, on average one cycle
transmits

 S = 1500(q0) + 6000(q1) + 3000(q2) + 4500(q3) + 1500(q4) = 16500 bytes

Accordingly, queue Q0 is allocated

 B0 = 1500/16500 ~= 9% BW
 B1 ~= 36% BW
 B2 ~= 18% BW
 B3 ~= 28% BW
 B4 ~= 9% BW

That is, the actual bandwidth is shared proportionally among the queues
in use. So the actual bandwidth per queue is set via the byte-count
parameter, but indirectly, since it depends on the number of queues
actually in use and on the throughput of the interface.

These values will of course hold only under fairly heavy averaging.
This is because if the byte-count is exhausted in the middle of
transmitting a packet, the packet is still sent to completion, so the
bandwidth actually occupied will be larger.

Everything written above is no more than some theoretical calculations
for operation under ideal conditions. In practice all these values have
to be tuned by analyzing the average packet size and more;
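The arithmetic above, and the averaging caveat that follows it, as an added example (not code from the FAQ or its contributors): nominal_shares() computes B_i = byte_count_i / S over the queues in use, and simulate_cycle() does one round-robin pass in which a queue keeps dequeuing while its byte budget is positive, so the last packet may overrun it. The byte-counts are the ones from the sh queueing custom output above; the packet sizes, the assumption of an infinite backlog in every queue in use, and the omission of how traffic is classified into queues are the example's own simplifications.

```python
"""Added example: custom queuing byte-count arithmetic and a one-cycle
round-robin simulation of the overrun effect described in the answer.

Assumes an infinite backlog in every queue in use and a single packet
size per queue; classification of traffic into queues is left out.
"""
from typing import Dict, Iterable

DEFAULT_BYTE_COUNT = 1500   # queues without an explicit byte-count
NUM_QUEUES = 17             # queue 0 (system) plus queues 1..16

# From the 'sh queueing custom' output quoted in the answer.
BYTE_COUNTS = {1: 6000, 2: 3000, 3: 4500}
USED_QUEUES = [0, 1, 2, 3, 4]


def byte_count(byte_counts: Dict[int, int], q: int) -> int:
    return byte_counts.get(q, DEFAULT_BYTE_COUNT)


def nominal_shares(byte_counts: Dict[int, int],
                   used_queues: Iterable[int]) -> Dict[int, float]:
    """B_i = byte_count_i / S, with S summed over the queues actually in use."""
    used = list(used_queues)
    total = sum(byte_count(byte_counts, q) for q in used)
    return {q: byte_count(byte_counts, q) / total for q in used}


def simulate_cycle(byte_counts: Dict[int, int],
                   packet_sizes: Dict[int, int]) -> Dict[int, int]:
    """Bytes each queue actually sends in one pass over queues 0..16.

    packet_sizes maps each queue in use to the size of the packets waiting
    in it.  Dequeuing continues while the budget is positive, so a packet
    that starts with budget left is sent whole even if it overruns.
    """
    sent: Dict[int, int] = {}
    for q in range(NUM_QUEUES):
        size = packet_sizes.get(q)
        if size is None:
            continue                      # nothing waiting in this queue
        budget = byte_count(byte_counts, q)
        sent[q] = 0
        while budget > 0:
            sent[q] += size
            budget -= size
    return sent


def actual_shares(byte_counts: Dict[int, int],
                  packet_sizes: Dict[int, int]) -> Dict[int, float]:
    """Share of the interface each queue really gets for the given packet sizes."""
    sent = simulate_cycle(byte_counts, packet_sizes)
    total = sum(sent.values())
    return {q: b / total for q, b in sent.items()}


if __name__ == "__main__":
    fmt = lambda shares: {q: f"{s:.1%}" for q, s in shares.items()}
    print("nominal:", fmt(nominal_shares(BYTE_COUNTS, USED_QUEUES)))
    for size in (1500, 1000, 1400):
        sizes = {q: size for q in USED_QUEUES}
        print(f"{size}-byte packets:", fmt(actual_shares(BYTE_COUNTS, sizes)))
```

With 1500-byte packets every budget divides evenly and the simulated shares equal the nominal ones; with 1000-byte packets queues 0, 3 and 4 overrun their budgets (2000, 5000 and 2000 bytes per cycle instead of 1500, 4500 and 1500), which is the drift the answer says has to be tuned out against the real average packet size.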