TECH TIPS & TRAINING
More Packet "Tell Us a Secret" Contest Winners Share Their Experience
Best Practices

TIP: Document everything. Update your network diagrams as soon as you make the network change. You may be called back into the office at 3 a.m. to troubleshoot a serious network outage, and if someone else didn't update their network diagrams, you'll be "troubleshooting in the dark." -- Lowell Burton, Vanderbilt University Medical Center, Nashville, Tennessee

TIP: Before debugging, I enter the undebug all command first in case I receive a lot of debugging data. Then when debugging starts, all I do is press the Up arrow twice to stop the debugging command. -- Mark Gardon, MCI WorldCom, Piscataway, New Jersey

TIP: I was working as a network engineer in Karachi, Pakistan, and had just Telneted to a router -- using the IP address that the customer gave me -- to upgrade its flash. It took unusually long to get the backup config from the router, but I continued the upgrade and was about to erase the old flash file when the customer raced in to tell me he had given me the wrong IP address. I was about to erase the flash of a router in Singapore! The moral of the story: Never perform any routing upgrades through Telnet; console in so you can be sure you are working on the correct device. -- Atif Malik, Wichita State University, Wichita, Kansas

TIP: To save time during daily administrative duties, make more use of the |include statement. For example, rather than scrolling through pages of TCP/IP and MAC addresses, use the include command to find what you are looking for, just as you would use grep in UNIX:

    show ip arp | include 192.168.7.7

Or, if you want to show just the route entries from the running-config, issue the following:

    show run | include route

-- John Hoekstra, Honda of Canada Mfg., Alliston, Ontario, Canada

Editor's Note: There are many other options and ways to benefit from this command.
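A few more output-filter patterns, added here as an example and not part of the reader's tip above. The IOS output filter takes a regular expression, so anchoring the pattern matters: a bare word such as route in the tip's second command also matches router eigrp and route-map lines. The commands below are standard IOS exec commands; their output is not shown because it depends on the device.

```ios
! Anchor the pattern: "route" alone would also match "router eigrp" and "route-map"
show running-config | include ^ip route
! Alternation: every line that mentions either cdp or ntp
show running-config | include cdp|ntp
! exclude drops the matching lines, leaving only the interfaces that are not up
show ip interface brief | exclude up
! begin starts the output at the first match and prints everything after it
show running-config | begin router eigrp
```

The same filters work on any show command; ^ and $ anchor to the start and end of a line exactly as they do in grep.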
TIP: Our secret is to always put the serial number of each device in the Banner MOTD, and the circuit IDs in the serial interface descriptions. That way, when working remotely from home, Telneted into the device, we don't have to go to some other source for that information should we need to contact a provider or the Cisco Technical Assistance Center (TAC). -- Chris Cerny, Community Hospitals Indianapolis, Indiana

TIP: If you want the router to receive routing information such as routing updates but without sending any routing information out to other neighbors or autonomous systems in a large-scale Enhanced Interior Gateway Routing Protocol (EIGRP) system, use the configuration command distribute-list out interface [xxx] instead of passive-interface. -- Hong Bing Ye, North Eagle Technology, Inc., Beijing, China

Editor's Note: For more information, visit the Cisco TAC.

TIP: When configuring a point-to-point Frame Relay network, try to use the same number for the interface as you use for the DLCI number. This makes locating and configuring the interface much easier and is more intuitive for other management resources. For example, if the Frame Relay DLCI is 115, try making your subinterface interface serial 2/0.115. -- Chad Smith, Alfa Mutual Insurance Company, Montgomery, Alabama

Connectivity

TIP: Simple but true: Always pull an extra foot or two when pulling long runs of Cat-5 or Cat-6 cabling. There's nothing worse than doing the same job twice -- not to mention having to find a run the length of the mistake you just made. -- Tim Palumbo, CompuConsultCorp, Mokena, Illinois

TIP: One of my favorite tricks is to wire two Cisco 2500s back-to-back using AUX ports. The ports are connected using a standard "rolled" RJ-45 cable that comes with the router. With this configuration I can test Open Shortest Path First (OSPF) demand circuits, DDR, and dial backup. This is very desirable because I don't have two standard telephone lines at home. It can also be used to tie two routers together if you don't have a DCE cable. The configuration is available on Cisco.com. -- Robert Brown, Greyhound Lines, Inc., Dallas, Texas

TIP: As a Cisco Networking Academy instructor, I find that students tend to miswire the DTE/DCE connections when they initially start working on the routers in second-semester training. The show controller S0 or S1 command is handy when checking a student's wiring because it saves me the time and effort of sorting through the physical cabling. -- Charles Pettey, Bell County Regional Cisco Networking Academy, Pineville, Kentucky

Network Management

TIP: We all know that you can console into devices using a Microsoft PocketPC and a little creative cabling. I decided to take this a step further. Knowing that CiscoWorks2000 harvests changed config files from my network equipment on a nightly basis, I did a little creative scripting. The idea is outlined online. -- Chris "Bix" Marshall, Denison University, Granville, Ohio

TIP: Our data centers are monitored 24x7x365 by our control center (CC) staff. Events that require network configuration changes can be very time-sensitive, yet it can be difficult for our CC staff to remember the steps required because they do not perform them very often. To reduce the time it takes (not to mention the calls to our network admins and engineers in the middle of the night), I implemented barcode procedures for routine processes. For example, a client may need to be switched to another data center in the event of a problem. To do this, it may take a couple of route changes on a couple of routers. All of the commands to do this, including the login process, were divided into steps and the commands themselves were printed in a barcode format. A light pen was installed at one of the consoles in the control center. CC operators now only need to identify the situation, open the "scan procedure book" to the appropriate section, and begin scanning the barcodes in order. The first barcode Telnets to the IP address of the device. The second barcode enters the access password. The third barcode enters the enable command, and so on. Scanning the commands makes config changes the fastest they've ever been. We also have written descriptions next to the barcodes so the CC operator can learn what it is they're doing with each command they scan -- something scripts can't offer. -- Scott Hermanson, Kingland Systems, Clear Lake, Iowa

TIP: Have you ever wondered which MIBs are compiled with a certain IOS® image? Try the show subsys | include mib command. Find the latest on MIB support online. -- Sachin Gaikwad

Tunneling

TIP: Why would you ever build a tunnel without encryption over a nonsecure network such as the Internet? You can use WAN connections for applications in which text-based protocols are not used for communications. The risk associated with an unencrypted transmission is often offset by the difficulty associated with decoding the data or the business-critical nature of the data itself. For example:

1) Tunneling voice data. The latency added by the encryption could severely degrade the quality of the voice call. The risk associated with no encryption is limited by the attacker's knowledge of the codec utilized for compression. Note: noncompressed voice traffic (G.711) can be easily decoded by applications such as VOMIT.

2) Tunneling data that is already encrypted by an application such as an administrator session using Secure Shell (SSH) or Secure Sockets Layer (SSL). These applications could be used to remotely manage devices.

In general, tunneling non-IP protocols such as NetBEUI and IPX is not recommended. Some applications, such as file shares, transmit the username in clear text with passwords that are weakly hashed (SMB and CIFS) -- creating the possibility of a brute-force attack from anyone who can capture a packet. -- Craig Durgan, Denmac Systems, Inc., Northbrook, Illinois

TIP: A router can sometimes be a termination point for Generic Routing Encapsulation (GRE) tunnels. In the light of mobile data applications (i.e., GPRS), GRE tunneling is a typical method of encapsulation for splitting customers' data. When configuring GRE tunnels on a Cisco router (GRE is the default setting on a tunnel interface), IP address consumption can reach very high amounts (as /30 addresses are required to address tunnels). Example of a classical tunnel configuration:

    interface Tunnel1
     ip address 172.17.32.73 255.255.255.252
     no ip directed-broadcast
     tunnel source 172.17.32.65
     tunnel destination 192.168.22.17

In this sample configuration, 172.17.32.65 is the physical address (Frame Relay subinterface). To spare addresses you can use loopback addresses. The above configuration would become:

    interface Loopback1
     ip address 172.17.32.73 255.255.255.255
     no ip directed-broadcast
    !
    interface Tunnel1
     ip unnumbered Loopback1
     no ip directed-broadcast
     tunnel source 172.17.32.65
     tunnel destination 192.168.22.17

You can address additional tunnels with the same loopback or with another one if needed. In all cases, /32 addresses are used instead of /30. If the same loopback is used, this way of configuring can lead to a tremendous saving of IP subnets. This has been configured for GPRS access to customers' intranets. -- Yves Leys, Mobistar, Brussels, Belgium

Voice

TIP: In a voice-over-IP (VoIP) environment where you have multiple routes between the source and destination, avoid process switching on router interfaces between the two. This causes per-packet load balancing, which could lead to the voice packets arriving out of order or increasing delay and jitter. In any event, voice quality will suffer. -- Scot Cowan, NextiraOne, Houston, Texas

Editor's Note: Process switching should probably be avoided in most situations because of its poorer performance in contrast to other methods.

TIP: When building a virtual private network (VPN) for a client transporting both voice and data, you should use only customer premises equipment (CPE) that can fragment the frames -- even the CPE that won't be handling voice over Frame Relay directly. That's because long, unfragmented frames sent to the voice CPE could cause a delay and negatively affect voice quality. -- Sergio Milametto, KPMG Consulting, Sao Paulo, Brazil

Wireless LAN

TIP: We use two IEEE 802.11b wireless LAN connections for our VoIP installation because one could not support all 100 of our users. Our problem was how to aggregate the bandwidth without losing voice quality. We tried using routing protocols such as EIGRP and OSPF. We also tried EtherChannel -- which was somewhat better than the routing protocols. The problem with both solutions is that neither is aware of the voice traffic. One WLAN could be congested while the other one is almost unused. Load sharing the traffic isn't the best solution because quality variance is likely when the packets of one voice call are moving over two different 802.11b connections. Our solution was to build two "one-way roads" using static routing. One connection carries only the traffic from the remote site to the campus, while the other carries only the traffic from the campus to the remote site. In this way, every voice call uses both connections equally and provides us with the best voice quality over 802.11b. -- Markus Feiler, Uniklinikum Ulm, Ulm, Germany

TIP: We were evaluating the capability of connecting a wireless access point to another access point in a circling aircraft at a small municipal airport. Occasionally, a perfectly good wireless network link would go down for about three minutes -- no explanation. We were baffled. One afternoon, after another drop in connectivity, one of our engineers entered with a freshly popped bag of popcorn. Then it occurred to us: the microwave! He had just used the old microwave oven near our base access point. The microwave radiates in the same ISM band as our access point. This explained the mystery of the dropping link. -- Mike McVay, Northrop Grumman Information, San Diego, California

TIP: To reduce the impact of electrical discharges when installing outdoor wireless bridges, such as the Cisco Aironet® 352 Bridge, make sure the following two connections are made:

1) Use a media converter from the Ethernet port and connect the bridge to the network using fiber. The fiber will not conduct extraneous RF interference that may build up through the bridge, its antenna, or its components.

2) Purchase and install an antenna grounding ring to an approved electrical ground that is not connected to a component rack. Too many times I've seen the grounding ring grounded down to the same racks that house the routers, switches, and servers. -- Jay Perrotte, Consultant, Ravena, New York
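The EIGRP tip from Hong Bing Ye (Best Practices, above) names the command but not the configuration around it. The fragment below is an added example written for this page, not from the tip or from Cisco: the autonomous-system number, the network statement, the access-list number and the interface name are assumptions. The point it shows is that distribute-list out keeps the adjacency (hellos are still exchanged, so updates still arrive) while passive-interface stops hellos on that interface and therefore stops receiving as well.

```ios
! Added example. AS number, network, ACL number and interface are assumptions.
!
! An access list that denies everything: applied outbound, it suppresses
! every prefix this router would otherwise advertise on the interface.
access-list 10 deny any
!
router eigrp 100
 network 10.0.0.0
 ! Neighbors on Serial0/0 still form and still send us their routes;
 ! we simply advertise nothing back to them.
 distribute-list 10 out Serial0/0
!
! What the tip steers away from. passive-interface stops EIGRP hellos on
! Serial0/0, so no adjacency forms there and no updates are received either.
! router eigrp 100
!  passive-interface Serial0/0
!
! Verification after applying the distribute-list version:
!   show ip eigrp neighbors   - the Serial0/0 neighbor is still listed
!   show ip route eigrp       - routes learned from that neighbor are present
```

If only some prefixes should leak out, replace the deny-all list with an access list that permits the intended networks; an explicit permit is needed because every IOS access list ends with an implicit deny.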
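Craig Durgan's Tunneling tip lists the narrow cases where a GRE tunnel without encryption is acceptable, and the Mobistar tip shows a loopback-numbered GRE tunnel. For everything else (the file-share traffic Durgan mentions included), the usual fix is to run that same tunnel over IPsec. The configuration below is an added example written for this page, not taken from either tip or from Cisco: the physical subinterface name, the IKE policy and crypto-map sequence numbers, the pre-shared key, the access-list number, the transform-set and crypto-map names, and the IOS release are assumptions. It uses the crypto-map style that has been in IOS since the 12.x releases; on releases before 12.2(13)T the crypto map must be applied to the Tunnel interface as well as the physical interface, on later releases the physical interface alone is enough.

```ios
! Added example: the Mobistar GRE tunnel, protected with IPsec.
! Subinterface name, policy/sequence numbers, key and names are assumptions.
!
interface Loopback1
 ip address 172.17.32.73 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback1
 tunnel source 172.17.32.65
 tunnel destination 192.168.22.17
!
! IKE phase 1: authenticate the far end with a pre-shared key. Use a long
! random key and configure the identical key on 192.168.22.17.
! Group 14 (2048-bit DH) is available on current images; images that only
! offer groups 1, 2 and 5 must fall back to group 2.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 192.168.22.17
!
! IKE phase 2: ESP gives the tunnel both confidentiality and integrity.
crypto ipsec transform-set GRE-SET esp-aes esp-sha-hmac
!
! Encrypt exactly the GRE packets exchanged between the two tunnel endpoints.
access-list 101 permit gre host 172.17.32.65 host 192.168.22.17
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 192.168.22.17
 set transform-set GRE-SET
 match address 101
!
! The map goes on the interface that owns the tunnel source address
! (assumed here to be the Frame Relay point-to-point subinterface).
interface Serial0/0.1 point-to-point
 ip address 172.17.32.65 255.255.255.252
 crypto map GRE-MAP
!
! Verification once traffic crosses the tunnel:
!   show crypto isakmp sa   - phase 1 SA to 192.168.22.17 in state QM_IDLE
!   show crypto ipsec sa    - pkts encrypt / pkts decrypt counters increasing
```

Because the access list matches on the GRE endpoints rather than on the inner networks, every new customer prefix routed into Tunnel1 is encrypted automatically; nothing in the crypto configuration has to change when routes are added.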
Packet, Fourth Quarter 2002.
All contents are Copyright © 1992--2002 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.