HuuHoa
05-03-2005, 07:48 AM
From: Question 51
Subject: How do I stop password-recovery on my routers?
"Password-recovery" might not be the best description. The feature locks out all access to the ROMMON.
You can do this on a 2600/3600 with the global configuration command "no service password-recovery". The feature is indeed tied to the ROMMON. You must have a minimum ROMMON version 11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T. All ROMMON versions on the 2600 support this feature.
**************************************************************************
From: Question 52
Subject: How can I prevent SYN-Flood attack using CAR?
We are talking about all different kinds of floods (ICMP, SYN, UDP, etc) throughout this post. Actually he did say that Sprint can filter on their end. I included in a different post the link to configure CAR to limit SYN attacks using web traffic as an example. Your solution looks like it would work too as there are multiple ways to configure traffic shaping.
Configure rate limiting for SYN packets. Refer to the following example:
interface {int}
rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
access-list 152 permit tcp any host eq www
access-list 153 permit tcp any host eq www established
In the above example, replace:
45000000 with the maximum link bandwidth
1000000 with a value that is between 50% and 30% of the SYN flood rate burst
normal and burst max rates with accurate values
Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the show interfaces rate-limit command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.
WARNING: It is recommended that you first measure the amount of SYN packets during the normal state (before attacks occur) and use those values to limit. Review the numbers carefully before deploying this measure.
If a SYN attack is aimed against a particular host, consider installing an IP filtering package on that host. One such package is IP Filter. This can be found on http://coombs.anu.edu.au/ipfilter/. Refer to IP Filter Examples for implementation details.
**************************************************************************
From: Question 53
Subject: How do I setup a Multilink PPP?
You have to create a virtual-template interface with IP address information; PPP then creates a virtual-access interface with that address.
!
multilink virtual-template 1
!
interface Virtual-Template1
ip unnumbered Loopback0 or ip address
no ip mroute-cache
ppp multilink
!
interface Serial0
no ip address
encapsulation ppp
no fair-queue
ppp multilink
!
interface Serial1
no ip address
encapsulation ppp
no fair-queue
ppp multilink
**************************************************************************
From: Question 54
Subject: How do I setup ppp callback with dialer-pool?
PPP callback with dialer-pool is really hard stuff to do; some commands are missing in your config, look at my example.... (also see: www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.htm)
!
username router1 callback-dialstring 749410 password 0 ect
!
interface BRI0/0
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface BRI0/1
no ip address
no ip directed-broadcast
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp callback accept
ppp authentication chap
!
interface Dialer1
ip unnumbered FastEthernet0/0
no ip directed-broadcast
encapsulation ppp
dialer remote-name router1
dialer pool 1
dialer enable-timeout 2
dialer string 749410 class test1
dialer-group 1
ppp authentication chap
!
!
map-class dialer test1
dialer callback-server username
dialer-list 1 protocol ip permit
**************************************************************************
From: Question 55
Subject: My configs are too large. What can I do?
The IOS configuration in the 2600 Series is stored in a 32 KB EEPROM. The ROMMON reserves 3 KB, leaving 29 KB for the IOS. You can use the "service compress-config" command to compress the configuration in the EEPROM. You can also load the configuration file from a TFTP server.
**************************************************************************
From: Question 56
Subject: What does Frame-relay LMI and Encapsulation really do/mean?
I think there is some confusion here about frame relay "encapsulation" and frame relay "lmi" (heartbeat/keepalives). Frame relay encapsulation is indeed significant end-to-end through the "cloud" between communicating DTE (router) equipment. Cisco encapsulation inserts an ethernet "type field" immediately after the 2 byte frame header which contains the DLCI, FECN, BECN, and DE fields. IETF (RFC 1490) encapsulation does not use ethernet type fields to identify the payload of the frame. Instead, IETF calls for the use of NLPID codes (Network Layer Protocol Identifiers) which are common in the OSI environment.
NLPIDs are to be used when the payload has an NLPID assigned to it (like IP). The NLPID (CC, in the case of IP) will follow an Unnumbered Information UI control field, 03. If the payload does not have an NLPID assigned to it (like IPX), then IETF suggests that an OUI field (organizationally unique identifier) followed by an ethernet type code (8137 for example, if IPX) will be used. Much like an 802.3 frame with SNAP, the type code of 8137 will be offset further into the frame, and not found immediately after the 2 byte frame header.
This encapsulation must be understood by the communicating routers at either edge of the 'cloud.' The cloud itself does not care what type of "encapsulation" is being used. It is strictly a DTE-DTE issue.
LMI is a link integrity and PVC status verification protocol that IS locally significant between the router and the network interface. This protocol comes in 3 flavors: the 'original' Stratacom (aka Cisco) version, ANSI's T1.617 Annex D, and CCITT/ITU Q.933 Annex A. These protocols are often collectively referred to as "LMI." It is possible to run one version of LMI on the East User-Network Interface (UNI) and another version on the West UNI, as these protocols simply identify the status of the UNI link and the PVCs found on that link. Encapsulation, however, must match between the DTEs. It is interesting to note, however, that Cisco routers are smart enough to interpret the 'encapsulation' type being used on incoming frames. If both DTEs are Cisco routers, one router 'can' use Cisco encapsulation while the other router uses "IETF." The ability to communicate with Cisco routers using different encapsulation schemes gives the "appearance" that the encapsulation is locally significant. In fact, this (Cisco) ability to communicate is made possible by the smarts Cisco builds into its implementation.
When any other vendor's DTE is involved, communications will fail if the "encapsulation" on both DTEs is not identical. Even if one of the routers is a cisco. (Unless, of course, the other vendor saw fit to build in the smarts that cisco has done. But I am not aware of any vendor that has this capability other than cisco....)
Hex protocol traces are available if anyone would like to see.....
**************************************************************************
From: Question 58
Subject: How do I make a T1 Cross-over cable?
For *T1* I've used the following pinouts for crossovers:
T1/E1 crossover (for PRI and CAS back-to-back connection):
RJ-45 ----- RJ-45
1 ----- 4
2 ----- 5
4 ----- 1
5 ----- 2
RJ-45 ----- DB-15
1 ----- 1
2 ----- 9
4 ----- 3
5 ----- 11
DB-15 ----- DB-15
1 ----- 3
3 ----- 1
9 ----- 11
11 ----- 9
For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same as for T1, except that I guess you need to have pins 3 and 6 (shield/ground) connected.
I don't suppose I should be pointing people to Juniper's web site, but anyway ... http://www.juniper.net/techpubs/hardware/m160/m160-picinstall/html/pinout5.html
**************************************************************************
From: Question 59
Subject: Can I use a router to simulate BRI switch?
In current IOS (12.1(3)T and above, I think), you can configure PRIs back-to-back between routers: configure one side to be network side (isdn protocol-emulate network) and the other to be user side (default; isdn protocol-emulate user). The supported switchtypes are primary-net5 and primary-ni.
As the original posting had alluded, we have SOME support for network-side BRI - but this is only on certain VIC cards due to hardware restrictions -
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121x/121xi/121xi_3/dt_brint.htm
**************************************************************************
From: Question 60
Subject: How do I use Policy Based Routing?
Keep in mind that Policy routing works on the INBOUND interface. If you think about it, it makes sense. The decision to hand off the packet has to be made as it's coming into the router and not on the egress interface.
!Determine who's eligible to be policy routed
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!Figure out where you want to send the pkts based on the source IP
!
route-map RouteMeBaby permit 10
!To whom should this policy apply?
match ip address 1
!
!Where should you redirect it to? Should use both. If one is
!omitted, the value will be retrieved from the routing table -
!which may or may not be what you wanted
!
set ip next-hop ROUTER_2's_SERIAL_IP
set interface s0
!
interface E0
ip addr blah blah blah
ip policy route-map RouteMeBaby
! If your IOS supports it, enable fast switching for PBR
ip route-cache policy
*IF* fast switching is supported (may be 11.3 and up, or it could be 12.0 and up...), do a
sho ip cache policy
if not, do a
sho ip policy