Cisco IOS in a Nutshell by James Boney

The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

Here's a key to the markup:

  [page-number]: serious technical mistake
  {page-number}: minor technical mistake
  <page-number>: important language/formatting problem
  (page-number): language change or minor formatting problem
  ?page-number?: reader question or request for clarification

This page was updated September 2, 2004.

UNCONFIRMED errors and comments from readers:

?2? after 2nd paragraph;
It would have been helpful if at this point it was explained how to make the initial connection to the router using the console port and RS-232 cable, e.g. setting the speed to 9600/8/none/1. I know this info is listed later on p. 35, but it would have been helpful to have it in the getting started section, because without it you can't get started!

(11) Third row from bottom of table 2-1;
The "mc8310" identifier should be "mc3810" for the "Ardent Multiservice Cisco 3810" platform.

[15] item 3. Load the new IOS; Line 2
Is:
  #config-reg 0x2102
Should be:
  #config-reg 0x2142

{36} Near bottom, VTY configuration example;
  Router(config-line)#exec-timeout 0 30     Set the timeout to 30 minutes
This sets the timeout to 30 *SECONDS*. For 30 minutes:
  Router(config-line)#exec-timeout 30 0     Set the timeout to 30 minutes

[36] router config at bottom of page;
Without the "login" command users will not be able to log on via telnet even if a password is set.

{49} Middle of the page;
The "ip source-route" command is not an interface configuration command and should not be included in this list of interface-based commands. Later on in the book it is properly described as a global command. Example:

  hostname boston
  !
  enable secret 5 $1$SyZt$gO1Ou0sJHspLe0lfe2w7Z.
  !
  ip subnet-zero
  no ip source-route

[51] Table 5-3;
Table 5-3 shows three possible Ethernet encapsulation types, but "isol" is incorrect. Example:

  boston#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  boston(config)#int e 0
  boston(config-if)#encapsulation snap
  boston(config-if)#encapsulation isol
                                     ^
  % Invalid input detected at '^' marker.
  boston(config-if)#encapsulation arpa
  boston(config-if)#end

Looks like the router will accept "iso" but not "isol".

[55] Middle of the page;
The following statement is incorrect: "HDLC ... is proprietary to Cisco". HDLC is in fact an open standard developed by the International Organization for Standardization (ISO). It falls under the ISO standards ISO 3309 and ISO 4335. Cisco does use a proprietary version of HDLC, but still uses the standards-based framing (just changes the packet contents).

(61-62) Table 5-5;
Request complete definitions in table 5-5. The following are missing: "ARP type:", "Queueing strategy", "throttles", "dribble condition", "babbles", "interface resets", "deferred", "lost carrier", "no carrier", "output buffer failures", "output buffers swapped out".
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/inter_r/irshowin.htm#xtocid190849
Thanks for a handy reference guide...

{99} 2nd set of code and again in 4th set of code;
In the section "Emulating a Packet Sniffer", the command syntax is incorrect:
  debug ip packet list 110
Should read:
  debug ip packet 110
Again, the "undebug ip packet list 110" should read "undebug ip packet 110". Example:

  Router#debug ip packet list 110
                         ^
  % Invalid input detected at '^' marker.
  Router#debug ip packet 110
  IP packet debugging is on for access list 110
  Router#

Notice that the router rejects the command with the keyword "list" in it but accepts the command without it. The undebug syntax is exactly the same...

{115} Very first line of the page;
The output from the "show ip route" that's shown at the top of the page is incorrect. The router is reporting that the Gateway of last resort is not set, even though the last line of the command output shows a default route that's flagged with an asterisk "*". Clearly the Gateway of last resort is set...

[116] 3rd line of code;
  passive-interface serial0
should read:
  passive-interface ethernet0

[119] 14th line from the bottom in Revisiting the example;
  passive-interface serial0
should read:
  passive-interface ethernet0

[119] 5th line from the bottom;
  !Define access list 10
should read:
  !Define access list 11

[147] paragraph "show ip eigrp topology";
The text before the example output should be "If the reported distance is LESS than the feasible distance, the path becomes the feasible successor for the route".

[152] Top of the page, heading called "Type 6";
The book incorrectly names Type 6 LSAs as NSSA LSAs. Truth is that NSSAs use type-7 LSAs. For example, here is a snippet from RFC 1587:

  3.3 Type-7 LSAs: NSSA External Link-State Advertisements

  External routes are imported into NSSAs as type-7 LSAs by the NSSA's AS boundary routers. An NSSA AS boundary router is a router which has an interface associated with the NSSA and is exchanging routing information with routers belonging to another AS. As with type-5 LSAs a separate type-7 LSA is originated for each destination network.

  To support NSSA areas, the link-state database must therefore be expanded to contain a type-7 LSA. Type-7 LSAs are identical to type-5 LSAs except for the following (see section 12.3.4 "AS external links" in the OSPF specification).

  1. The type field in the LSA header is 7.
  2. Type-7 LSAs are only flooded within the NSSA. The flooding of type-7 LSAs follows the same rules as the flooding of type 1-4 LSAs.
  3. Type-7 LSAs are kept within the NSSA's LSDB (are area specific) whereas because type-5 LSAs are flooded to all type-5 capable areas, type-5 LSAs have global scope in the router's LSDB.
  4. At the area border router, selected type-7 LSAs are translated into type-5 LSAs and flooded into the backbone.

[152] Top of the page;
A type-6 OSPF LSA carries multicast-specific information for MOSPF. The definition in the book is incorrect.

{152} Bottom of the page under the heading Area types;
The book fails to mention one other type of area that Cisco supports, called a "Totally-Stubby Not-So-Stubby-Area". Basically, the "no-summary" option can be added to the "area nssa" command to block type-3 and type-4 LSAs into an NSSA area. Example:

  router ospf 55
   network 10.0.0.0 0.0.0.255 area 0
   network 172.25.0.0 0.0.255.255 area 100
   area 100 nssa no-summary

[157] The configuration examples in the middle of the page;
There are two serious flaws with the virtual-link example. First, router1 and router2 both have their Loopback0 interface assigned to the same subnet (this is wrong). Example:

  Router1
  interface Loopback0
   ip address 10.10.7.4 255.255.255.0

  Router2
  interface Loopback0
   ip address 10.10.7.5 255.255.255.0

Secondly, neither router is distributing its loopback subnet within OSPF (i.e. there is no network statement for the loopback0 subnets). If the routers don't advertise their loopback0 address, which would become their router-ID and their virtual-link end point, then the example would fail. Both issues would have to be corrected before the example would work correctly...

{170} first command example;
The example is supposed to illustrate the advertisement of a 10.10.2.0/23 network; however, the subnet mask in the example is not the correct subnet mask for a /23 network. Based on the example commands, the author is advertising a /19 network. To properly advertise the /23 network, it should read:

  network 10.10.2.0 mask 255.255.254.0
                                  ^
The error occurs at the caret, where the author has a "2" instead of the correct "5".
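The mask mix-up in the {170} entry is easy to make by eye (255.255.224.0 is /19, 255.255.254.0 is /23), and the same slip in the other direction shows up further down this page in the NAT access-list of the {217} entry, where the wildcard 0.0.255.255 covers a /16 instead of the intended /24. The script below is an added example for this errata page, not code from the book or from Cisco: it computes the prefix a dotted mask or IOS wildcard really denotes and reports every `network ... mask` or `access-list` line that does not cover exactly the intended prefix. All sample lines are constructed here; the two intended prefixes passed to `lint()` come from the errata text.

```python
"""Mask checker for IOS 'network ... mask' and 'access-list' lines.

Added example for this errata page (not code from the book or from Cisco).
A too-wide mask on a BGP network statement advertises address space you do
not hold; a too-wide wildcard on a NAT or VTY access-list translates or
admits hosts you never meant to. Both reduce to the same check: does the
mask on the line yield exactly the prefix you intended?
"""
from __future__ import annotations

import ipaddress
import re

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+mask\s+(\S+)\s*$")
ACL_RE = re.compile(r"^\s*access-list\s+\d+\s+(?:permit|deny)\s+(\S+)\s+(\S+)\s*$")
ALL_ONES = 0xFFFFFFFF


def mask_to_prefix(mask: str, wildcard: bool = False) -> int:
    """Return the prefix length of a dotted subnet mask (or an IOS wildcard).

    A subnet mask is a run of 1 bits followed by 0 bits; an IOS wildcard
    mask is its bitwise inverse. Non-contiguous masks raise ValueError
    (IOS accepts some of them in ACLs, but they never denote a prefix).
    """
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= ALL_ONES
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def covered_network(line: str) -> ipaddress.IPv4Network:
    """Return the network a BGP 'network ... mask' line or an ACL entry matches."""
    if m := NETWORK_RE.match(line):
        addr, prefix = m.group(1), mask_to_prefix(m.group(2))
    elif m := ACL_RE.match(line):
        addr, prefix = m.group(1), mask_to_prefix(m.group(2), wildcard=True)
    else:
        raise ValueError(f"unrecognised line: {line!r}")
    # strict=False: the address may carry host bits; the mask still decides
    # the block that is actually advertised or matched.
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def lint(config: str, intended: str) -> list[str]:
    """Report every line whose mask does not yield exactly `intended`.

    An empty list means every non-blank line covers precisely the intended
    prefix (for example '10.10.2.0/23').
    """
    want = ipaddress.IPv4Network(intended)
    findings = []
    for line in config.splitlines():
        if not line.strip():
            continue
        got = covered_network(line)
        if got != want:
            findings.append(f"{line.strip()}: covers {got}, intended {want}")
    return findings


# Constructed samples: the book's /19 slip beside the corrected /23 line, and
# the over-broad NAT access-list from the p.217 example beside its corrected form.
BGP_SAMPLE = """\
network 10.10.2.0 mask 255.255.224.0
network 10.10.2.0 mask 255.255.254.0
"""
NAT_SAMPLE = """\
access-list 20 permit 10.10.0.0 0.0.255.255
access-list 20 permit 10.10.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for finding in lint(BGP_SAMPLE, "10.10.2.0/23") + lint(NAT_SAMPLE, "10.10.1.0/24"):
        print(finding)
```

Run stand-alone it prints one finding per sample: the /19 network statement and the /16 access-list entry; the corrected lines produce nothing. The wildcard handling is deliberately explicit rather than relying on the `ipaddress` module's netmask-or-hostmask guessing, because a wildcard of 0.0.0.0 (a single host) and a netmask of 0.0.0.0 (everything) look identical as strings.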
[194] Example configuration at the bottom of the page;
In the example the EIGRP timers are adjusted on interface serial 0 but they use the wrong EIGRP AS number. Example from the book:

  interface Serail1
   ip hello-interval eigrp 1 5
   ip hold-time eigrp 1 15
  !
  router eigrp 100

Both of the EIGRP interface timing commands use AS 1 whereas the router is configured to use AS 100. Also, the timers picked are incorrect. The default timers for a normal point-to-point EIGRP interface are hello 5 sec, hold 15 sec. If the author wants to speed up dialling, then the timers should be adjusted downwards (e.g. hello 3 sec and hold 9 sec, for instance).

{195} Example at the top of the page;
The following access-list entry is incorrect:
  access-list 101 permit deny eigrp any any
Should be:
  access-list 101 deny eigrp any any
Looks like a typo, since an ACL can either permit or deny but not both...

[196] The last line of the configuration example;
The dialer list is configured incorrectly.
  dialer-list 1 list 110
The example above, taken from the book, shows the incorrect syntax. Should be:
  dialer-list 1 protocol ip list 101
Example:
  Router(config)#dialer-list 1 ?
    protocol  Permit or Deny based on protocols
  Router(config)#

{198} lines 12, 15, 18 of the listing, and line 1 in the first paragraph;
The "rotary-group" command is used in the listing, and mentioned in the paragraph, but the correct command seems to be "dialer rotary-group." For confirmation, see the entry for "dialer rotary-group" in chapter 15 (there is no entry for "rotary-group"), and the following from the Cisco website:
For "dialer rotary-group": http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/dial_r/dia_d1g.htm#1019346
For "rotary-group": http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/dial_r/dia_p1g.htm#1107745

[220] Fifth line from the bottom of the page;
The IP address should be 192.168.1.1, not 198.168.1.1.

(217) 1st line;
The IP address should be 10.10.1.4 and not 10.1.1.4.

{217} Last line of the first router configuration;
The assumption is: "In this example, we have one public IP address (172.168.1.2) that is shared by all our hosts on the 10.10.1.0/24 private network". The configuration gives:

  ! Access list for our pool, which is used to select which IP addresses
  ! should be translated
  access-list 20 permit 10.10.0.0 0.0.255.255

Even if it does work in practice if the subnet is 10.10.1.0/24, the access-list should be:
  access-list 20 permit 10.10.1.0 0.0.0.255

[219] Second paragraph under "Tunnels";
The second IP address assigned by the ISP should be 192.168.2.1, not 192.168.10.2.1 (which isn't even a valid IP address).

[220] First line under "interface serial0";
The IP address should be 192.168.1.1, not 198.168.1.1.

[221] Fifth line from the top of the page;
The IP address should be 192.168.2.1, not 198.168.2.1.

[221] Tenth line from the top of the page;
The subnet mask should be 255.255.255.0, not 255.255.255.255.

[233] The line before the second paragraph;
In the "Protect VTYs with an Access List" paragraph, the last line of the example ("Users and Authentication") looks like it's part of it but, in fact, it should be the title of the next paragraph, shouldn't it?

[237] Last sentence in "Ping the Broadcast Address";
The author states that "show ip arp" "lists all the machines from which the router has seen packets in the last 30 minutes". The above statement is wrong. The default timeout for an ARP entry is 4 hours, as the author correctly notes on page 262. In fact the entries in "show ip arp" will only time out if the device responding to the ARP is removed from the network. Just prior to an ARP entry timeout the router performs a unicast ARP to refresh the entry. This behavior can be observed with "clear arp" in conjunction with "debug arp":

  r2#sh ip arp
  Protocol  Address          Age (min)  Hardware Addr   Type   Interface
  Internet  181.16.12.1             7   aabb.cc00.1500  ARPA   Ethernet0/0
  Internet  181.16.12.2             -   aa00.0400.0204  ARPA   Ethernet0/0
  Internet  181.16.24.4             7   aabb.cc00.1802  ARPA   Ethernet1/0
  Internet  181.16.24.2             -   aa00.0400.0204  ARPA   Ethernet1/0
  r2#debug arp
  ARP packet debugging is on
  r2#clear arp
  r2#
  *Mar  3 18:05:50.623: IP ARP: sent req src 181.16.12.2 aa00.0400.0204, dst 181.16.12.1 aabb.cc00.1500 Ethernet0/0
  *Mar  3 18:05:50.623: IP ARP: sent req src 181.16.24.2 aa00.0400.0204, dst 181.16.24.4 aabb.cc00.1802 Ethernet1/0
  *Mar  3 18:05:50.623: IP ARP: sent rep src 181.16.12.2 aa00.0400.0204, dst 181.16.12.2 ffff.ffff.ffff Ethernet0/0
  *Mar  3 18:05:50.623: IP ARP: sent rep src 181.16.24.2 aa00.0400.0204, dst 181.16.24.2 ffff.ffff.ffff Ethernet1/0
  *Mar  3 18:05:50.683: IP ARP: rcvd rep src 181.16.12.1 aabb.cc00.1500, dst 181.16.12.2 Ethernet0/0
  *Mar  3 18:05:50.683: IP ARP: creating entry for IP address: 181.16.12.1, hw: aabb.cc00.1500
  *Mar  3 18:05:50.683: IP ARP: rcvd rep src 181.16.24.4 aabb.cc00.1802, dst 181.16.24.2 Ethernet1/0
  *Mar  3 18:05:50.683: IP ARP: creating entry for IP address: 181.16.24.4, hw: aabb.cc00.1802
  r2#sh arp
  Protocol  Address          Age (min)  Hardware Addr   Type   Interface
  Internet  181.16.12.1             0   aabb.cc00.1500  ARPA   Ethernet0/0
  Internet  181.16.12.2             -   aa00.0400.0204  ARPA   Ethernet0/0
  Internet  181.16.24.4             0   aabb.cc00.1802  ARPA   Ethernet1/0
  Internet  181.16.24.2             -   aa00.0400.0204  ARPA   Ethernet1/0

{251} Under the heading "access-list";
One important keyword is left out of the standard access-list discussion and that keyword is log. Since 12.0, standard access-lists also support the keyword "log". Example:

  Router:67#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  Router(config)#access-list 1 permit any ?
    log  Log matches against this entry

{253} Bottom of page;
The book fails to list several access-list keywords such as ack, dscp, fin, fragments, log-input, psh, rst, syn, time-range, and urg.

{329} The description for the "encapsulation" command;
The possible values for the encapsulation command talk only about serial encapsulation but include some, but not all, Ethernet encapsulations. For example: isl and dot1q are both Ethernet trunking encapsulation types and don't belong with serial encapsulation types. On the other hand, the author could list the other Ethernet-type encapsulation types such as ARPA and SNAP, but he didn't...

[378] Top of the page;
The description of passive FTP is incorrect. The statement "With passive FTP, the file transfer occurs on the same port as the initial [control] connection" is simply not true. Passive FTP uses separate ports to transfer data than the initial control session. A normal FTP data session initiates from the server's port 20 back to the client (port 1024+), which can confuse firewalls. However, on a passive FTP session the data session originates from the client to the server in the same direction as the original control session. Even though the sessions initiate in the same direction they use different port numbers (generally 1024+ to 1024+)...

[402] Bottom of the page, section named "ip ospf network";
The book omitted the most common type of OSPF network, "point-to-point". Example:

  boston(config-subif)#ip ospf network ?
    broadcast            Specify OSPF broadcast multi-access network
    non-broadcast        Specify OSPF NBMA network
    point-to-multipoint  Specify OSPF point-to-multipoint network
    point-to-point       Specify OSPF point-to-point network

{402} Section called ip ospf name-lookup;
The ip ospf name-lookup command is not a line-based configuration command. It is a global configuration command. Example:

  router ospf 55
   log-adjacency-changes
   area 0 authentication message-digest
   network 172.16.0.0 0.0.255.255 area 0
   network 172.25.1.0 0.0.0.255 area 0
   network 172.25.2.0 0.0.0.255 area 100
   network 172.25.25.0 0.0.0.255 area 0
  !
  ip classless
  no ip http server
  ip ospf name-lookup

(410) entry following "ip proxy-arp" and before "ip rarp-server";
Appears to be missing an entry for the "ip radius source-interface" command.

{457} Near the top of the page, the first example;
The "media-type" example is incorrect. An Ethernet interface cannot have a media-type setting of 100baset. A FastEthernet interface can have a setting of 100baset, but you can't force a 10M Ethernet interface to run at 100M (I wish I could).

{490} Heading "Privilege level (line)";
Cisco routers support 16 privilege levels, 0-15. The book says 1-15. By default, the router comes with three predefined user levels, 0, 1 & 15, although 0 isn't assigned at first. Example:

  boston(config-line)#privilege level ?
    <0-15>  Default privilege level for line

{492} Very top of the page;
The default prompt on a Cisco router is "%h%p" and not "%h".

[502] Top of the page;
Missing description of the "scheduler allocate" configuration setting. Normally, this is configured as "no scheduler allocate" to use the default CPU scheduling (allows 5% of CPU time for low-priority tasks).

[537] Bottom of page, "standby timers" section;
The default timers for HSRP are incorrect. The book quotes "hello seconds, 1; hold seconds, 3" when in actual fact the default timers are hello 3 seconds and holdtime 10 seconds. Example:

  Router:66#sh stand
  FastEthernet0/0.2 - Group 0
    Local state is Listen, priority 100
    Hellotime 3 sec, holdtime 10 sec
    Virtual IP address is 172.26.2.22 configured
    Active router is unknown
    Standby router is unknown
    0 state changes, last state change never

[540] Middle of page;
Regarding the command "tacacs-server attempts", the author incorrectly identifies the meaning of this command. This command does not modify the number of attempts to reach the TACACS server before deciding the server is unavailable. Instead, it modifies the number of incorrect login attempts the router will allow (while using TACACS) before it terminates the session. Example:

  Router1(config)#tacacs-server ?
    attempts  Number of login attempts via TACACS

{548} Second section;
In the timers spf section, the book incorrectly identifies BGP as using the shortest path first calculation. The correct protocol would be OSPF. "...and the time BGP starts the SPF calculation."

{548} Bottom of page;
Cisco replaced the "trace" command with "traceroute" in version 11 of IOS.

[551] "transport" section;
ssh is missing from the valid list of protocols.

{555} Bottom of the page;
There is at least one missing keyword for the command "username" and it is privilege. The keyword privilege is important because it can be used to assign privilege levels to users. Example:

  boston(config)#username ijbrown privilege ?
    <0-15>  User privilege level
  boston(config)#username ijbrown privilege 12
  boston(config)#
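Four of the entries on this page ([36] "login", {36} "exec-timeout" minutes versus seconds, [233] "access-class" and [551] "transport input ssh") each concern a single line inside a "line vty" block, and together they are the settings an auditor checks first on any IOS device. The script below is an added example for this errata page, not code from the book or from Cisco: it parses the VTY blocks out of a constructed running-config and reports each weak setting, so the corrected forms from the errata can be checked mechanically instead of by eye. The access-list name MGMT, the 30-minute idle ceiling, and the two sample configurations are assumptions made for the example.

```python
"""Audit the 'line vty' blocks of an IOS configuration.

Added example for this errata page (not code from the book or from Cisco).
Checks performed per VTY block:
  - a 'login' form is present            (the [36] erratum)
  - an inbound 'access-class' is present (the [233] erratum)
  - 'transport input' is ssh or none     (the [551] erratum)
  - 'exec-timeout' is neither disabled nor longer than a ceiling,
    with the MIN [SEC] argument order read correctly ({36} erratum)
"""
from __future__ import annotations

import re

# Constructed samples: a weak VTY block and a hardened one. The MGMT
# access-list name and the 10.10.1.0/24 management subnet are assumptions.
WEAK_CONFIG = """\
hostname boston
!
line vty 0 4
 password 7 0822455D0A16
 exec-timeout 0 0
 transport input all
!
"""

HARDENED_CONFIG = """\
hostname boston
!
ip access-list standard MGMT
 permit 10.10.1.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 exec-timeout 30 0
 login local
 transport input ssh
!
"""

DEFAULT_EXEC_TIMEOUT = 600  # IOS default when no exec-timeout is configured: 10 minutes


def vty_blocks(config: str) -> dict[str, list[str]]:
    """Return {'line vty 0 4': [child commands, ...]} for every VTY block.

    IOS writes a section header at column 0 and its children indented by one
    space; a '!' or any other unindented line ends the section.
    """
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def exec_timeout_seconds(commands: list[str]) -> int:
    """Translate 'exec-timeout MIN [SEC]' into seconds; 0 means never time out."""
    for cmd in commands:
        m = re.match(r"exec-timeout\s+(\d+)(?:\s+(\d+))?$", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return DEFAULT_EXEC_TIMEOUT


def audit(config: str, max_idle_seconds: int = 1800) -> list[str]:
    """Return one finding per weak setting; an empty list means every VTY block passes."""
    findings = []
    for name, cmds in vty_blocks(config).items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no 'login' (or 'login local') command")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound 'access-class', any source may connect")
        transport = [c for c in cmds if c.startswith("transport input ")]
        if not transport or transport[-1] not in ("transport input ssh", "transport input none"):
            findings.append(f"{name}: 'transport input' is not restricted to ssh")
        idle = exec_timeout_seconds(cmds)
        if idle == 0:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        elif idle > max_idle_seconds:
            findings.append(f"{name}: exec-timeout is {idle} seconds, above the {max_idle_seconds} second ceiling")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['ok']}")
```

Run stand-alone, the weak block yields four findings and the hardened block none. Real devices usually carry more than one VTY range ("line vty 0 4" and "line vty 5 15" are common), and every block must pass independently: the script keys its findings by block name for exactly that reason. Note that `exec_timeout_seconds` reads the first argument as minutes, which is what makes "exec-timeout 0 30" come out as 30 seconds rather than the 30 minutes the book's comment claims.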