HuuHoa
28-02-2005, 03:06 PM
From: Question 30
Subject: How do I setup Windows 2000 and IPSec to PIX Firewall
To describe how to use the Local Security Policy MMC in W2K would take a
long time. So, the config I will share with you is the 'dial-up' one I
mentioned before. In this posting I will detail the bare minimum needed to
get a W2K client working with a PIX firewall running v6.01 software. For
simplicity I use a preshared key for authentication. Since I have to embed
this key into the script I use it makes the configuration open and thus
vulnerable. However, you should be able to tweak the configuration from this
to meet your own security needs. The W2K IPSec client supports certificates
as well as preshared keys so a "secure" version of this config is
attainable.
The configuration script I eked (it isn't beautiful code) out is actually written in Perl. If you would like to re-write it in the old DOS batch file format, please do so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com. The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program that you have to use has its own documentation which you should read. For the PIX I give you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make this config work. The config assumes that the PIX has NAT enabled.
Ok, enough blabber, here it is... I hope it is helpful!
For the purposes of this 'demo' config, the PIX Firewall will have
192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X
network. The inside router will be 10.0.0.1
Quick Network Schematic:
[W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] ---> [Internet]
  ----> [PIX Firewall(192.168.0.1)] ---> [Internal LAN (10.0.X.X)] --> [Inside Router (10.0.0.1)]
The PIX firewall commands needed are:
sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside
isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside
The Perl script I wrote is as follows. I execute this script every time I
establish a connection with my dial-up ISP. It then sets up the IPSec tunnel
using my current ISP assigned IP Address.
#begin listing
# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.
# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at some point but I am in a hurry right now.
use Net::hostent;
use Socket;
#Two Variables: One for the local IP Address and one for the VPN Server
#This script assumes that the VPN Server has a static IP
my $localipaddress;
my $VPNHostIP = '192.168.0.1';
#The following section of code discerns the IP address of host provided
#in the command line arguments. The default is the localhost.
#NOTE: The code section is smart and gives you a routable IP (if available)
# and not just 127.0.0.1
# This section is pretty much identical to the one found on the PERL
# documentation site.
# I just added an assignment of the discerned ipaddress to the
# $localipaddress variable.
# I also changed the @ARGV assignment to 'localhost' instead of
# 'netscape.com'
@ARGV = ('localhost') unless @ARGV;
for $host ( @ARGV ) {
    unless ($h = gethost($host)) {
        warn "$0: no such host: $host\n";
        next;
    }
    printf "\n%s is %s%s\n",
        $host,
        lc($h->name) eq lc($host) ? "" : "*really* ",
        $h->name;
    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
        if @{$h->aliases};
    if ( @{$h->addr_list} > 1 ) {
        my $i;
        for $addr ( @{$h->addr_list} ) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
        }
    } else {
        #my modification is on the next line.
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }
    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s!\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}
#Stop here if no single local address was found (for example when the host
# has several addresses); the ipsecpol filters below cannot be built without it.
die "$0: could not determine the local IP address\n" unless $localipaddress;
#This next section is a very modified version of the Ping example on the
# Perl Documentation Website.
#Now that we know our IP address, we can setup the IPSec tunnel.
#First we try and ping our VPN server.
use Net::Ping;
$p = Net::Ping->new("icmp");
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP)) {
    print "Yes\nAttempting to initialize IPSec Connection";
    #Now that we can see our server, lets stop and start the W2K IPSec Policy
    # Agent.
    #This deletes any 'dynamic' IPSec policies that may have been in effect
    # before.
    print "\nResetting IPSec Policy Agent";
    $cmdstring = 'Net Stop "IPSec Policy Agent"';
    system($cmdstring);
    $cmdstring = 'Net Start "IPSec Policy Agent"';
    system($cmdstring);
    #Now we issue the ipsecpol command to setup the tunnel to our VPN Server.
    #The ipsecpol command line utility can be found on Microsoft's Website.
    # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
    # or
    # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5/EN-US/ipsecpol_setup.exe
    #MS requires two ipsecpol commands be issued in order to setup a tunnel.
    #One for the inbound traffic and one for the outbound traffic.
    # For this Tunnel I used the following settings:
    # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP
    # Address.
    # The tunnel setting '-t' is either My IP Address or the VPN Server's IP
    # Address.
    # The security method list '-1s' is for DES-MD5-1
    # The security negotiation setting '-n' is for ESP[DES,MD5]
    # We are using QuickMode key exchange '-1k' rekeys after 10 quick modes
    # '10q'
    # We are using perfect forward secrecy '-1p'
    # For authentication we are using a preshared key '-a'
    # NOTE: the preshared key must be enclosed in double quotes
    # See the documentation of the utility for further details.
    print "\nSetup IPSec Tunnel";
    #This sets-up the inbound leg of the tunnel. We are filtering all traffic
    # inbound from 10.0.X.X to our IP address.
    #The critical part of this statement is that the -t argument must contain
    # our local IP.
    $cmdstring = 'ipsecpol -f 10.0.*.*='.$localipaddress.' -t '.$localipaddress
        .' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s", $cmdstring;
    system($cmdstring);
    #This sets-up the outbound leg of the tunnel. We are filtering all
    # traffic outbound to 10.0.X.X from our IP address.
    #The critical part of this statement is that the -t argument must contain
    # the VPN Server's IP Address.
    $cmdstring = 'ipsecpol -f '.$localipaddress.'=10.0.*.* -t '.$VPNHostIP
        .' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s\n", $cmdstring;
    system($cmdstring);
    #Now that we have issued our commands. We should test the network and see
    # if we can see inside it.
    #The internal router is the easiest target. Here it is 10.0.0.1.
    #We first do a ping just so that the IPSec tunnel will negotiate. W2K does
    # not setup the tunnel
    # until you actually try and send traffic to a IPSec filtered IP address.
    #Now we do another ping and tell the user what happened.
    print "\nTrying to ping internal network: ";
    $p->ping("10.0.0.1");
    if ($p->ping("10.0.0.1")) {
        print "Success\n";
        sleep(1);
    } else {
        print "Failure\n";
        sleep(1);
    }
} else {
    # If we reach this point, we could not see our VPN Server's external IP
    # address from our ISP.
    print "No\nTry redialing your ISP";
    sleep(3);
}
$p->close();
#end listing
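An added example, not part of the original FAQ answer and not Cisco tooling: a small Python check that reads PIX crypto lines like the ones posted above and flags the wildcard pre-shared key, single DES, MD5 and Diffie-Hellman group 1, without echoing the key. The rule names and the IKE_DEFAULTS table (what a policy uses when an attribute is not configured) are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: the PIX 6.x lines quoted in the post above.
POSTED_CONFIG = """\
sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside
isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside
"""

# Assumption: values an isakmp policy takes when the attribute is not configured.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_TRANSFORMS = {"esp-des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}


def audit_pix_crypto(config_text):
    """Return sorted (line_number, rule_id, detail) findings for a PIX config."""
    findings = []
    policies = defaultdict(dict)  # priority -> {attribute: (value, line_number)}
    first_line = {}               # priority -> first line that mentions it

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        w = raw.split()
        if w[:2] == ["isakmp", "key"] and len(w) >= 5 and w[3] == "address":
            # isakmp key <secret> address <peer> [netmask <mask>]
            mask = w[6] if len(w) >= 7 and w[5] == "netmask" else "255.255.255.255"
            if w[4] == "0.0.0.0" and mask == "0.0.0.0":
                # Never echo w[2]: the finding must not leak the key itself.
                findings.append((line_no, "WILDCARD-PSK",
                                 "pre-shared key <redacted> is valid for any peer address"))
        elif w[:2] == ["isakmp", "policy"] and len(w) >= 5:
            policies[w[2]][w[3]] = (w[4], line_no)
            first_line.setdefault(w[2], line_no)
        elif (w[:3] == ["crypto", "ipsec", "transform-set"]
              and len(w) >= 5 and w[4] != "mode"):
            for transform in w[4:]:
                if transform in WEAK_TRANSFORMS:
                    findings.append((line_no, "WEAK-TRANSFORM",
                                     f"transform-set {w[3]} uses {transform}"))

    # Evaluate each IKE policy as a whole so that unconfigured attributes
    # are judged by the default they fall back to.
    for priority, attrs in policies.items():
        for attribute, weak_values in WEAK_IKE.items():
            value, line_no = attrs.get(
                attribute, (IKE_DEFAULTS[attribute], first_line[priority]))
            if value in weak_values:
                origin = "configured" if attribute in attrs else "default"
                findings.append((line_no, f"WEAK-IKE-{attribute.upper()}",
                                 f"isakmp policy {priority} {attribute} {value} ({origin})"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, rule, detail in audit_pix_crypto(POSTED_CONFIG):
        print(f"line {line_no:>2}  {rule:<20} {detail}")
```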
************************************************** ************************
From: Question 32
Subject: How do I use tftpdnld via Ethernet port on a 2600?
Press Ctrl+Break on the terminal keyboard within 60 seconds of the power-up
to put the router into ROMMON.
rommon 1 > IP_ADDRESS=172.15.19.11
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=172.16.19.1
rommon 4 > TFTP_SERVER=172.15.20.10
rommon 5 > TFTP_FILE=/tftpboot/c2600-i-mz
rommon 6 > tftpdnld
************************************************** ************************
From: Question 33
Subject: How do I setup MultiLinkPPP?
multilink PPP without virtual template
int Multilink1
description multilink bundle
ip unnumbered Loopback0
ppp multilink
multilink-group 1
!
int Ser0
description first T1 line
encaps ppp
ppp multi
multilink-group 1
!
int Ser1
description second T1 line
encaps ppp
ppp multi
multilink-group 1
Again, recent software necessary: at least 12.0T or 12.1
or one of the ISP branches (12.0S).
************************************************** ************************
From: Question 34
Subject: How much memory is taken up by BGP routes?
As a reference, please see the following from
http://www.cisco.com/warp/public/459/
I'd like to drill down another level to decide why each entry contains 240 bytes!
Tech Tip: How Much Memory Does Each BGP Route Consume?
Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in
the BGP table and another 240 bytes in the IP routing table. Each BGP path
takes about 110 bytes.
************************************************** ************************
From: Question 35
Subject: How do I stop my router from looking for cisconet.cfg or
network-config?
Look up "service config" in the manual (available on www.cisco.com if
you do not have a local copy). Turn it off using the command "no service
config" in configuration mode.
************************************************** ************************
From: Question 36
Subject: How do I setup DHCP service on my router?
Here is my 1601 performing as a DHCP server config...
The static pool is how I use DHCP to assign the same IP to the same PC each time, essentially a static IP address assignment. The only other requirement would be that on the interface where DHCP requests will be received, if you have an inbound ACL, bootp must be permitted.
ip dhcp excluded-address 192.168.3.1 192.168.3.9
!
ip dhcp pool dhcp-pool
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
netbios-node-type b-node
dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
!
ip dhcp pool static-pool
host 192.168.3.2 255.255.255.0
client-identifier 0100.00c5.0cbd.7e
client-name main_pc
default-router 192.168.3.1
dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
************************************************** ************************
From: Question 37
Subject: How do I configure a transparent proxy redirecting on CISCO router?
>Is it possible to configure a transparent proxy redirecting on CISCO router?
>I would like to redirect all www requests from specific IP addresses to
>other IP address and other port.
A route-map does the IP redirection nicely, I've used it for http and smtp. Not sure about switching ports simultaneously with the same route map, but you could fix this with 'ipfw' or similar on the host. Be sure you have 'ip route-cache policy' enabled to save CPU on the interface. WCCP is another option.
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5
************************************************** ************************
From: Question 38
Subject: How do I use a route-map to limit redistribution in OSPF?
! /* match only 172.16.10.x and 172.16.11.0 subnets */
!
access-list 1 permit 172.16.10.0 0.0.1.255
!
!
! /* use access-list 1 to determine what gets matched */
!
route-map LoopbacksOnly permit 10
match ip address 1
!
!
! /* redistribute connected networks, any and all subnets, */
! /* and seed it as E2 type. Note that throughout your */
! /* OSPF domain, your loopbacks will have a metric of 20 */
! /* 20 is the default metric when you redistribute into */
! /* OSPF. Except for BGP routes which get a metric of 1. */
! /* Also use the route-map LoopbacksOnly to selectively */
! /* redistribute only the ones we want to redistribute. */
!
router ospf 200
redistribute connected subnets metric-type E2 route-map LoopbacksOnly
************************************************** ************************
From: Question 39
Subject: How do I connect 675 DSL units back to back?
Well I found out that you can hookup other DSL boxes back to back...here is
part of an email I found on it:
you need:
'dsl equipment-type CO' on one side and
'dsl equipment-type CPE' on the other
Here is a working example from the lab:
(The distance limitation should be the same
as the one found in the docs)
also, you can run 'debug dsl-phy' a new
command to look at the trainup.
(CO side, an 828)
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CO
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
pvc 1/33
encapsulation aal5snap
!
!
(CPE side, a SOHO78)
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl equipment-type CPE
dsl operating-mode GSHDSL symmetric annex A
dsl linerate AUTO
!
interface ATM0.1 point-to-point
ip address 1.1.1.1 255.255.255.0
pvc 1/33
encapsulation aal5snap
!