Nov 10, 2007

SolarWinds Named to Software Magazine’s 25th Annual Software 500

Software Magazine Ranks SolarWinds as One of the World's Largest Software Companies

Austin, TX — Oct. 16, 2007 — SolarWinds today announced its inclusion on Software Magazine's Software 500 ranking of the world's largest software and service providers, now in its 25th year. SolarWinds was ranked 276th, with software revenue of $37.9 million.

“The 2007 Software 500 results show that growth in the software and services industry was healthy from 2006 to 2007, the ranking year. The industry continues to be dynamic with more than 98 new companies on the list this year for the first time,” says John P. Desmond, editor of Software Magazine and Softwaremag.com. “The top four business sectors this year are System Integration Services/IT Consulting, Application Development, Financial Applications and Security Tools/Systems. It may be the case that the difficulty companies have in developing and keeping their own IT skilled workers is driving demand for services firms.

“The Software 500 helps CIOs, senior IT managers and IT staff research and create the short list of business partners,” Desmond says. “It is a quick reference of vendor viability. That is content of value.”

Some 37 percent of the 2006 Software 500 companies are privately held.

The Software 500 is a revenue-based ranking of the world’s largest software and services suppliers targeting medium to large enterprises, their IT professionals, software developers and business managers involved in software and services purchasing.

Go to www.myswmag.com to subscribe to digital Software Magazine and be among the first to see the 2007 Software 500. It is being released first in the digital publication. The online Software 500 on Softwaremag.com, to be posted at a later date, is searchable by primary business sector.

The ranking is based on total worldwide software and services revenue for 2006. This includes revenues from software licenses, maintenance and support, training and software-related services and consulting. Suppliers are not ranked on their total corporate revenue, since many have other lines of business, such as hardware. The financial information was gathered by a survey prepared by King Content Co. and posted at www.Softwaremag.com, as well as from public documents.

About Digital Software Magazine, the Software Decision Journal, and Softwaremag.com
Digital Software Magazine, the Software Decision Journal, has been a brand name in the high-tech industry for nearly 30 years. Softwaremag.com, its Web counterpart, is the online catalog to enterprise software and the home of the Software 500 ranking of the world’s largest software and services companies, now in its 25th year. Software Magazine and Softwaremag.com are owned and operated by King Content Co.

About SolarWinds
SolarWinds is a leading provider of Windows-based network management, network monitoring and network discovery software. SolarWinds products are geared to mid-market customers (100 to 5,000 employees) who need a scalable, easy-to-use network management solution for 250 to 10,000 managed elements at an affordable price point, providing quick time to value. More than 40,000 customers, spanning mid-market businesses, government agencies and education institutions, have chosen SolarWinds to reduce network downtime, monitor network performance, manage network compliance and change, and improve staff efficiency. For more information, please visit www.solarwinds.com.

SolarWinds is a registered trademark of SolarWinds. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Media & Analyst Contact
Susan Torrey
pr@solarwinds.net
650-492-1921

Nov 9, 2007

Understanding and Configuring PPP CHAP Authentication

Introduction
The Challenge Handshake Authentication Protocol (CHAP) (defined in RFC 1994) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP:

After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer.

The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)).

The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated.

This authentication method depends on a "secret" known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication.

For more information on the advantages and disadvantages of CHAP, refer to RFC 1994.

Requirements
Readers of this document should have knowledge of these topics:

How to enable PPP on the interface through the encapsulation ppp command.

The debug ppp negotiation command output. Refer to Understanding debug ppp negotiation Output for more information.

Ability to troubleshoot when the Link Control Protocol (LCP) phase is not in the open state. This is because the PPP authentication phase does not begin until the LCP phase is complete and is in the open state. If the debug ppp negotiation command does not indicate that LCP is open, you need to troubleshoot this issue before you proceed.

Note: This document does not address MS-CHAP (Version 1 or Version 2). For more information on MS-CHAP, refer to the MS-CHAP Support and MSCHAP Version 2 documents.

Configure CHAP
The procedure to configure CHAP is fairly straightforward. For example, assume that you have two routers, left and right, connected across a network, as shown in Figure 1.

Figure 1 – Two Routers Connected Across a Network



To configure CHAP authentication, complete these steps:

On the interface, issue the encapsulation ppp command.

Enable the use of CHAP authentication on both routers with the ppp authentication chap command.

Configure the usernames and passwords. To do so, issue the username username password password command, where username is the hostname of the peer. Ensure that:

Passwords are identical at both ends.

The router name and password are exactly the same, because they are case-sensitive.

Note: By default, the router uses its hostname to identify itself to the peer. However, this CHAP username can be changed through the ppp chap hostname command. Refer to PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands for more information.

One-Way and Two-Way Authentication
CHAP is defined as a one-way authentication method. However, you use CHAP in both directions to create a two-way authentication. Hence, with two-way CHAP, a separate three-way handshake is initiated by each side.

In the Cisco CHAP implementation, by default, the called party must authenticate the calling party (unless authentication is completely turned off). Therefore, a one-way authentication initiated by the called party is the minimum possible authentication. However, the calling party can also verify the identity of the called party, and this results in a two-way authentication.

One-way authentication is often required when you connect to non-Cisco devices.

For one-way authentication, configure the ppp authentication chap callin command on the calling router.

Transactional Example
The diagrams in this section show the series of events that occur during a CHAP authentication between two routers. These do not represent the actual messages seen in the debug ppp negotiation command output. For more information, refer to Understanding debug ppp negotiation Output.

Call
Figure 2 – The Call Comes In


Figure 2 shows these steps:

The call comes in to 3640-1. The incoming interface is configured with the ppp authentication chap command.

LCP negotiates CHAP and MD5. For more information on how to determine this, refer to Understanding the debug ppp negotiation Output.

A CHAP challenge from 3640-1 to the calling router is required on this call.

Challenge
Figure 3 – A CHAP Challenge Packet is Built


Figure 3 illustrates these steps in the CHAP authentication between the two routers:

A CHAP challenge packet is built with these characteristics:

01 = challenge packet type identifier.

ID = sequential number that identifies the challenge.

random = a reasonably random number generated by the router.

3640-1 = the authentication name of the challenger.

The ID and random values are kept on the called router.

The challenge packet is sent to the calling router. A list of outstanding challenges is maintained.

Response
Figure 4 – Receipt and MD5 Processing of the Challenge Packet from the Peer


Figure 4 illustrates how the challenge packet is received from the peer and processed (MD5). The router processes the incoming CHAP challenge packet in this way:

The ID value is fed into the MD5 hash generator.

The random value is fed into the MD5 hash generator.

The name 3640-1 is used to look up the password. The router looks for an entry that matches the username in the challenge. In this example, it looks for:

username 3640-1 password pc1

The password is fed into the MD5 hash generator.

The result is the one-way MD5-hashed CHAP challenge that is sent back in the CHAP response.

Response (continued)
Figure 5 – The CHAP Response Packet Sent to the Authenticator is Built.


Figure 5 illustrates how the CHAP response packet sent to the authenticator is built. This diagram shows these steps:

The response packet is assembled from these components:

02 = CHAP response packet type identifier.

ID = copied from the challenge packet.

hash = the output from the MD5 hash generator (the hashed information from the challenge packet).

766-1 = the authentication name of this device. This is needed for the peer to look up the username and password entry needed to verify identity (this is explained in more detail in the Verify CHAP section).

The response packet is then sent to the challenger.

Verify CHAP
This section provides tips on how to verify your configuration.

Figure 6 – The Challenger Processes the Response Packet


Figure 6 shows how the challenger processes the response packet. Here are the steps involved when the CHAP response packet is processed (on the authenticator):

The ID is used to find the original challenge packet.

The ID is fed into the MD5 hash generator.

The original challenge random value is fed into the MD5 hash generator.

The name 766-1 is used to look up the password from one of these sources:

Local username and password database.

RADIUS or TACACS+ server.

The password is fed into the MD5 hash generator.

The hash value received in the response packet is then compared with the calculated MD5 hash value. CHAP authentication succeeds if the calculated and the received hash values are equal.

Result
Figure 7 – Success Message is Sent to the Calling Router


Figure 7 illustrates the success message sent to the calling router. It involves these steps:

If authentication is successful, a CHAP success packet is built from these components:

03 = CHAP success message type.

ID = copied from the response packet.

“Welcome in” is simply a text message that provides a user-readable explanation.

If authentication fails, a CHAP failure packet is built from these components:

04 = CHAP failure message type.

ID = copied from the response packet.

“Authentication failure” or other text message, that provides a user-readable explanation.

The success or failure packet is then sent to the calling router.

Note: This example depicts a one-way authentication. In a two-way authentication, this entire process is repeated; however, the calling router initiates the initial challenge.
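The handshake summarised in the Introduction and the challenge, response and verification steps of Figures 3 through 7 as one runnable Python model. This is an added example, not Cisco's code and not part of the original document. The packet layout (Code, Identifier, Length, Value-Size, Value, Name) and the hash input order (Identifier, then the secret, then the challenge value) follow RFC 1994; the hostnames 3640-1 and 766-1 and the password pc1 are taken from the figures; the names Authenticator, respond and run_handshake are this example's own.

```python
import hashlib
import hmac
import secrets
import struct

# CHAP packet codes (RFC 1994): the 01/02/03/04 type identifiers in Figures 3 to 7.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(ident, secret, challenge):
    """One-way MD5 over Identifier || secret || challenge value (RFC 1994 order)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_packet(code, ident, body):
    """Code (1 byte), Identifier (1 byte), Length (2 bytes, header included), then body."""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_packet(pkt):
    """Return (code, ident, value, name_or_message).  Challenge and Response carry a
    Value-Size byte, the value and the sender's name; Success and Failure carry text."""
    if len(pkt) < 4:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    if code in (CHALLENGE, RESPONSE):
        size = pkt[4]
        if 5 + size > length:
            raise ValueError("Value-Size exceeds packet")
        return code, ident, pkt[5:5 + size], pkt[5 + size:]
    return code, ident, b"", pkt[4:]


class Authenticator:
    """The called router (3640-1 in the figures): builds challenges, verifies responses."""

    def __init__(self, name, user_db):
        self.name = name
        self.user_db = user_db      # peer hostname -> shared secret (local 'username' entries)
        self.outstanding = {}       # ID -> random value: the list of outstanding challenges
        self.next_id = 0

    def challenge(self, random_value=None):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256      # sequential challenge identifier
        value = secrets.token_bytes(16) if random_value is None else random_value
        self.outstanding[ident] = value
        body = bytes([len(value)]) + value + self.name.encode()
        return build_packet(CHALLENGE, ident, body)

    def verify(self, response):
        code, ident, received, peer_name = parse_packet(response)
        # The ID finds the original challenge; each challenge is single use, so a
        # replayed or unsolicited response finds nothing and fails.
        challenge = self.outstanding.pop(ident, None)
        secret = self.user_db.get(peer_name.decode(errors="replace"))
        if code == RESPONSE and challenge is not None and secret is not None:
            expected = chap_hash(ident, secret, challenge)
            if hmac.compare_digest(expected, received):   # constant-time comparison
                return build_packet(SUCCESS, ident, b"Welcome in")
        return build_packet(FAILURE, ident, b"Authentication failure")


def respond(challenge_pkt, my_name, user_db):
    """The calling router (766-1): look up the challenger's name, hash, and answer."""
    code, ident, value, challenger = parse_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    secret = user_db[challenger.decode()]     # e.g. 'username 3640-1 password pc1'
    digest = chap_hash(ident, secret, value)
    return build_packet(RESPONSE, ident, bytes([len(digest)]) + digest + my_name.encode())


def run_handshake(auth, peer_name, peer_db):
    """One-way CHAP: challenge -> response -> success/failure.  Returns (ok, message)."""
    resp = respond(auth.challenge(), peer_name, peer_db)
    code, _, _, message = parse_packet(auth.verify(resp))
    return code == SUCCESS, message.decode()


if __name__ == "__main__":
    # Constructed secrets: each router holds the other's hostname with the same password.
    auth = Authenticator("3640-1", {"766-1": b"pc1"})
    print(run_handshake(auth, "766-1", {"3640-1": b"pc1"}))    # (True, 'Welcome in')
    print(run_handshake(auth, "766-1", {"3640-1": b"oops"}))   # (False, 'Authentication failure')
```

The secret never crosses the link, only the digest, and the outstanding-challenge table is consumed on first use, so a captured response is useless against the same challenge; what remains to protect operationally is the strength of the shared secret and the case-sensitive match between the peer's hostname and the username entry.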

Nov 8, 2007

[Travel Notes] Business Trip to Singapore, October 2007

Tonight my cough got so bad that a colleague finally dragged me to see a doctor. After taking the medicine it looks like I won't make it past midnight before I'm off to dreamland, so I'm using the last bit of time before bed to share the photos from last month's business trip to Singapore, where I went as a student. They may be useful to anyone who hasn't been to Singapore yet; I'll add my personal experiences and thoughts on the food when I have time later!

Singapore Food and Night Scenery Exploration, Day 1

Singapore Food and Night Scenery Exploration, Day 2

Singapore Food and Night Scenery Exploration, Day 3

Singapore Food and Night Scenery Exploration, Day 4

Singapore Food and Night Scenery Exploration, Day 5

Singapore Food and Night Scenery Exploration, Day 6



Nov 6, 2007

Configuring Lock-and-Key Security (Dynamic Access Lists)

Benefits of Lock-and-Key
Lock-and-key provides the same benefits as standard and static extended access lists (these benefits are discussed in the chapter "Access Control Lists: Overview and Guidelines"). However, lock-and-key also has the following security benefits over standard and static extended access lists:
  • Lock-and-key uses a challenge mechanism to authenticate individual users.
  • Lock-and-key provides simpler management in large internetworks.
  • In many cases, lock-and-key reduces the amount of router processing required for access lists.
  • Lock-and-key reduces the opportunity for network break-ins by network hackers.
With lock-and-key, you can specify which users are permitted access to which source and destination hosts. These users must pass a user authentication process before they are permitted access to their designated hosts. Lock-and-key creates dynamic user access through a firewall, without compromising other configured security restrictions.

When to Use Lock-and-Key
Two examples of when you might use lock-and-key follow:

  • When you want a specific remote user (or group of remote users) to be able to access a host within your network, connecting from their remote hosts via the Internet. Lock-and-key authenticates the user, then permits limited access through your firewall router for the individual's host or subnet, for a finite period of time.
  • When you want a subset of hosts on a local network to access a host on a remote network protected by a firewall. With lock-and-key, you can enable access to the remote host only for the desired set of local users' hosts. Lock-and-key requires the users to authenticate through a TACACS+ server, or other security server, before allowing their hosts to access the remote hosts.


How Lock-and-Key Works
The following process describes the lock-and-key access operation:

  1. A user opens a Telnet session to a border (firewall) router configured for lock-and-key. The user connects via the virtual terminal port on the router.
  2. The Cisco IOS software receives the Telnet packet, opens a Telnet session, prompts for a password, and performs a user authentication process. The user must pass authentication before access through the router is allowed. The authentication process can be done by the router or by a central access security server such as a TACACS+ or RADIUS server.
  3. When the user passes authentication, they are logged out of the Telnet session, and the software creates a temporary entry in the dynamic access list. (Per your configuration, this temporary entry can limit the range of networks to which the user is given temporary access.)
  4. The user exchanges data through the firewall.
  5. The software deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The configured timeout can either be an idle timeout or an absolute timeout.

Prerequisites to Configuring Lock-and-Key
Lock-and-key uses IP extended access lists. You must have a solid understanding of how access lists are used to filter traffic, before you attempt to configure lock-and-key. Access lists are described in the chapter "Access Control Lists: Overview and Guidelines."


Lock-and-key employs user authentication and authorization as implemented in Cisco's authentication, authorization, and accounting (AAA) paradigm. You must understand how to configure AAA user authentication and authorization before you configure lock-and-key. User authentication and authorization is explained in the "Authentication, Authorization, and Accounting (AAA)" part of this document.


Lock-and-key uses the autocommand command, which you should understand. This command is described in the "Modem Support and Asynchronous Device Commands" chapter of the Cisco IOS Dial Technologies Command Reference.

Lock-and-Key Configuration Guidelines

Dynamic Access Lists
Use the following guidelines for configuring dynamic access lists:

  • Do not create more than one dynamic access list for any one access list. The software only refers to the first dynamic access list defined.
  • Do not assign the same dynamic-name to another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration.
  • Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.
  • Configure Telnet as the protocol so that users must open a Telnet session into the router to be authenticated before they can gain access through the router.
  • Either define an idle timeout now with the timeout keyword in the access-enable command in the autocommand command, or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout—otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated their session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
  • If you configure an idle timeout, the idle timeout value should be equal to the WAN idle timeout value.
  • If you configure both idle and absolute timeouts, the idle timeout value must be less than the absolute timeout value.
  • If you realize that a job will run past the ACL's absolute timer, use the access-list dynamic-extend command to extend the absolute timer of the dynamic ACL by six minutes. This command allows you to open a new Telnet session into the router to re-authenticate yourself using lock-and-key.
  • The only values replaced in the temporary entry are the source or destination address, depending whether the access list was in the input access list or output access list. All other attributes, such as port, are inherited from the main dynamic access list.
  • Each addition to the dynamic list is always put at the beginning of the dynamic list. You cannot specify the order of temporary access list entries.
  • Temporary access list entries are never written to NVRAM.
  • To manually clear or to display dynamic access lists, refer to the section " Maintaining Lock-and-Key" later in this chapter.

Lock-and-Key Authentication
There are three possible methods to configure an authentication query process. These three methods are described in this section.

Method 1—Configuring a Security Server
Use a network access security server such as TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.
Router(config-line)# login tacacs

Method 2—Configuring the username Command
Use the username command. This method is more effective because authentication is determined on a user basis.
Router(config)# username name {nopassword | password {mutual-password | encryption-type encryption-password}}

Method 3—Configuring the password and login Commands
Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.
Router(config-line)# password password
Router(config-line)# login local

The autocommand Command
Use the following guidelines for configuring the autocommand command:

  • If you use a TACACS+ server to authenticate the user, you should configure the autocommand command on the TACACS+ server as a per-user autocommand. If you use local authentication, use the autocommand command on the line.
  • Configure all virtual terminal (VTY) ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access list entry in the dynamic access list.
  • If you did not previously define an idle timeout with the autocommand access-enable command, you must define an absolute timeout now with the access-list command. You must define either an idle timeout or an absolute timeout—otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated their session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
  • If you configure both idle and absolute timeouts, the absolute timeout value must be greater than the idle timeout value.

Verifying Lock-and-Key Configuration
You can verify that lock-and-key is successfully configured on the router by asking a user to test the connection. The user should be at a host that is permitted in the dynamic access list, and the user should have AAA authentication and authorization configured.
To test the connection, the user should Telnet to the router, allow the Telnet session to close, and then attempt to access a host on the other side of the router. This host must be one that is permitted by the dynamic access list. The user should access the host with an application that uses the IP protocol.
The following sample display illustrates what end-users might see if they are successfully authenticated. Notice that the Telnet connection is closed immediately after the password is entered and authenticated. The temporary access list entry is then created, and the host that initiated the Telnet session now has access inside the firewall.
Router% telnet corporate
Trying 172.21.52.1 ...
Connected to corporate.example.com.
Escape character is `^]'.

User Access Verification

Password:Connection closed by foreign host.

You can then use the show access-lists command at the router to view the dynamic access lists, which should include an additional entry permitting the user access through the router.

Lock-and-Key with Local Authentication Example
This example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.
interface ethernet0
ip address 172.18.23.9 255.255.255.0
ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
login local
autocommand access-enable timeout 5

The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered.
In the access-list command, the timeout is the absolute timeout. In this example, the lifetime of the mytestlist ACL is 120 minutes; that is, when a user logs in and the access-enable command runs, a dynamic ACL is created for 120 minutes (the maximum absolute time). The session is closed after 120 minutes, whether or not anyone is using it.
In the autocommand command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes in 5 minutes and the user has to reauthenticate. If the user uses the connection, the absolute time takes effect and the session closes in 120 minutes.
After a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout.
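The lifecycle described under How Lock-and-Key Works and the timeout guidelines above, modelled in Python as an added example; it is not Cisco IOS code and not part of the original document. It mirrors the two access-list 101 entries of this example, with the idle timeout from autocommand access-enable timeout 5 and the absolute timeout from dynamic mytestlist timeout 120. The names AclEntry, TempEntry, LockAndKeyInterface, build_interface and config_error, and the sample addresses 10.1.1.5, 10.1.1.6 and 172.18.250.7, are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclEntry:
    action: str                          # 'permit' or 'deny'
    protocol: str                        # 'ip' matches every IP protocol
    source: str                          # 'any' or a host address
    destination: str
    port: Optional[int] = None           # destination port ('eq'), None for no port test
    dynamic_name: Optional[str] = None   # set on the 'dynamic <name>' template entry

    def matches(self, proto, src, dst, port=None):
        return (self.protocol in ("ip", proto)
                and self.source in ("any", src)
                and self.destination in ("any", dst)
                and (self.port is None or self.port == port))


@dataclass
class TempEntry:
    """Temporary entry created by access-enable (never written to NVRAM)."""
    entry: AclEntry
    created: float            # minutes, the unit of the 'timeout' keywords
    last_used: float
    idle: Optional[float]
    absolute: Optional[float]

    def expired(self, now):
        hit_absolute = self.absolute is not None and now - self.created >= self.absolute
        hit_idle = self.idle is not None and now - self.last_used >= self.idle
        return hit_absolute or hit_idle


class LockAndKeyInterface:
    """Inbound access list on one interface (Ethernet 0 in the example above)."""

    def __init__(self, static_entries, idle=None, absolute=None):
        # The guidelines above: at least one timeout, and idle strictly below absolute.
        if idle is None and absolute is None:
            raise ValueError("define an idle or an absolute timeout; otherwise entries never expire")
        if idle is not None and absolute is not None and idle >= absolute:
            raise ValueError("idle timeout must be less than the absolute timeout")
        if not any(e.dynamic_name for e in static_entries):
            raise ValueError("access list has no dynamic entry")
        self.static = static_entries
        self.idle, self.absolute = idle, absolute
        self.temporary: List[TempEntry] = []

    def access_enable(self, user_host, now):
        """Run by the autocommand after Telnet authentication succeeds.  Only the source
        address of the dynamic template is replaced (inbound list); the rest is inherited."""
        template = next(e for e in self.static if e.dynamic_name)
        entry = AclEntry(template.action, template.protocol, user_host,
                         template.destination, template.port)
        # each addition goes to the beginning of the dynamic list
        self.temporary.insert(0, TempEntry(entry, now, now, self.idle, self.absolute))

    def permits(self, proto, src, dst, now, port=None):
        """Evaluate one packet at time `now`; expired temporary entries are dropped first."""
        self.temporary = [t for t in self.temporary if not t.expired(now)]
        for e in self.static:
            if e.dynamic_name:
                # temporary entries occupy the template's position; the template itself
                # is ignored until lock-and-key is triggered
                for t in self.temporary:
                    if t.entry.matches(proto, src, dst, port):
                        t.last_used = now
                        return t.entry.action == "permit"
                continue
            if e.matches(proto, src, dst, port):
                return e.action == "permit"
        return False                                   # implicit deny at the end


# Constructed mirror of the two 'access-list 101' entries in the example above.
ACCESS_LIST_101 = [
    AclEntry("permit", "tcp", "any", "172.18.21.2", port=23),
    AclEntry("permit", "ip", "any", "any", dynamic_name="mytestlist"),
]


def build_interface(idle=5, absolute=120):
    """autocommand access-enable timeout 5 (idle) and dynamic ... timeout 120 (absolute)."""
    return LockAndKeyInterface(list(ACCESS_LIST_101), idle=idle, absolute=absolute)


def config_error(idle=None, absolute=None):
    """Return the guideline violation for a timeout pair, or None if it is acceptable."""
    try:
        build_interface(idle, absolute)
    except ValueError as err:
        return str(err)
    return None
```

Times are in minutes. Before access_enable runs, only Telnet to the router itself is permitted; afterwards the authenticated host, and only that host, passes through until the idle or absolute timer fires. The constructor refuses the two misconfigurations the guidelines warn about: no timeout at all (the entry never expires) and an idle timeout that is not below the absolute timeout.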

Lock-and-Key with TACACS+ Authentication Example
The following example shows how to configure lock-and-key access, with authentication on a TACACS+ server. Lock-and-key access is configured on the BRI0 interface. Four VTY ports are defined with the password "cisco".
aaa authentication login default group tacacs+ enable
aaa accounting exec stop-only group tacacs+
aaa accounting network stop-only group tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
ip address 172.18.23.9 255.255.255.0
!
interface BRI0
ip address 172.18.21.1 255.255.255.0
encapsulation ppp
dialer idle-timeout 3600
dialer wait-for-carrier-time 100
dialer map ip 172.18.21.2 name diana
dialer-group 1
isdn spid1 2036333715291
isdn spid2 2036339371566
ppp authentication chap
ip access-group 102 in
!
access-list 102 permit tcp any host 172.18.21.2 eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
!
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
password cisco
line aux 0
line VTY 0 4
autocommand access-enable timeout 5
password cisco
!

IP Access List Entry Sequence Numbering

Benefits
The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all of the entries after the desired position had to be removed, then the new entry was added, and then all the removed entries had to be reentered. This method was cumbersome and error prone.

This feature allows users to add sequence numbers to access list entries and resequence them. When a user adds a new entry, the user chooses the sequence number so that it is in a desired position in the access list. If necessary, entries currently in the access list can be resequenced to create room to insert the new entry.

Sequence Numbering Behavior

  • For backward compatibility with previous releases, if entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The maximum sequence number is 2147483647. If the generated sequence number exceeds this maximum number, the following message is displayed:

Exceeded maximum sequence number.

  • If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence number in that access list and is placed at the end of the list.
  • If the user enters an entry that matches an already existing entry (except for the sequence number), then no changes are made.
  • If the user enters a sequence number that is already present, the following error message is generated:

Duplicate sequence number.

  • If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.
  • Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and line card (LC) are in synchronization at all times.
  • Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided for backward compatibility with software releases that do not support sequence numbering.
  • This feature works with named standard and extended IP access lists. Because the name of an access list can be designated as a number, numbers are acceptable.


How to Use Sequence Numbers in an IP Access List

Sequencing Access-List Entries and Revising the Access List
This task shows how to assign sequence numbers to entries in a named IP access list and how to add or delete an entry to or from an access list. It is assumed a user wants to revise an access list. The context of this task is the following:


  • Resequencing is optional; a user need not resequence an access list without reason. The resequencing step in this task is shown as required because that is one purpose of this feature and this task demonstrates it.
  • Step 5 happens to be a permit statement and Step 6 happens to be a deny statement, but they need not be in that order.


SUMMARY STEPS
1. enable

2. configure terminal

3. ip access-list resequence access-list-name starting-sequence-number increment

4. ip access-list {standard | extended} access-list-name

5. sequence-number permit source source-wildcard

or

sequence-number permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

6. sequence-number deny source source-wildcard

or

sequence-number deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

7. Repeat Step 5 and/or Step 6 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry.

8. end

9. show ip access-lists access-list-name

Configuration Examples for IP Access List Entry Sequence Numbering

Resequencing Entries in an Access List: Example

The following example shows access list resequencing. The starting value is 1 and the increment value is 2. The subsequent entries are ordered based on the increment values that users provide, and the range is from 1 to 2147483647.

When an entry with no sequence number is entered, by default it has a sequence number of 10 more than the last entry in the access list.

Router# show access-list 150
Extended IP access list 150
10 permit ip host 10.3.3.3 host 172.16.5.34
20 permit icmp any any
30 permit tcp any host 10.3.3.3
40 permit ip host 10.4.4.4 any
50 Dynamic test permit ip any any
60 permit ip host 172.16.2.2 host 10.3.3.12
70 permit ip host 10.3.3.3 any log
80 permit tcp host 10.3.3.3 host 10.1.2.2
90 permit ip host 10.3.3.3 any
100 permit ip any any

Router(config)# ip access-list extended 150
Router(config)# ip access-list resequence 150 1 2
Router(config)# end

Router# show access-list 150
Extended IP access list 150
1 permit ip host 10.3.3.3 host 172.16.5.34
3 permit icmp any any
5 permit tcp any host 10.3.3.3
7 permit ip host 10.4.4.4 any
9 Dynamic test permit ip any any
11 permit ip host 172.16.2.2 host 10.3.3.12
13 permit ip host 10.3.3.3 any log
15 permit tcp host 10.3.3.3 host 10.1.2.2
17 permit ip host 10.3.3.3 any
19 permit ip any any

Adding Entries with Sequence Numbers: Example
In the following example, a new entry is added to a specified access list:

Router# show ip access-list
Standard IP access list tryon
2 permit 10.4.4.2, wildcard bits 0.0.255.255
5 permit 10.0.0.44, wildcard bits 0.0.0.255
10 permit 10.0.0.1, wildcard bits 0.0.0.255
20 permit 10.0.0.2, wildcard bits 0.0.0.255

Router(config)# ip access-list standard tryon
Router(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255

Router# show ip access-list
Standard IP access list tryon
2 permit 10.4.0.0, wildcard bits 0.0.255.255
5 permit 10.0.0.0, wildcard bits 0.0.0.255
10 permit 10.0.0.0, wildcard bits 0.0.0.255
15 permit 10.5.5.0, wildcard bits 0.0.0.255
20 permit 10.0.0.0, wildcard bits 0.0.0.255

Entry without Sequence Number: Example
The following example shows how an entry with no specified sequence number is added to the end of an access list. When an entry is added without a sequence number, it is automatically given a sequence number that puts it at the end of the access list. Because the default increment is 10, the entry will have a sequence number 10 higher than the last entry in the existing access list.

Router(config)# ip access-list standard 1
Router(config-std-nacl)# permit 1.1.1.1 0.0.0.255
Router(config-std-nacl)# permit 2.2.2.2 0.0.0.255
Router(config-std-nacl)# permit 3.3.3.3 0.0.0.255

Router# show access-list
Standard IP access list 1
10 permit 0.0.0.0, wildcard bits 0.0.0.255
20 permit 0.0.0.0, wildcard bits 0.0.0.255
30 permit 0.0.0.0, wildcard bits 0.0.0.255

Router(config)# ip access-list standard 1
Router(config-std-nacl)# permit 4.4.4.4 0.0.0.255
Router(config-std-nacl)# end

Router# show access-list
Standard IP access list 1
10 permit 0.0.0.0, wildcard bits 0.0.0.255
20 permit 0.0.0.0, wildcard bits 0.0.0.255
30 permit 0.0.0.0, wildcard bits 0.0.0.255
40 permit 0.4.0.0, wildcard bits 0.0.0.255
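An added Python model of the rules listed under Sequence Numbering Behavior, driven through the three examples above; it is not IOS code and not part of the original document. The class IpAccessList and the helper add_or_message are this example's own names; the error strings are the two messages quoted above. Statements are stored as plain text rather than parsed into addresses, so the wildcard normalisation visible in the tryon example (10.4.4.2 displayed as 10.4.0.0) is not reproduced.

```python
MAX_SEQUENCE = 2147483647      # largest sequence number IOS accepts
DEFAULT_START = 10             # numbering used when no sequence numbers are given
DEFAULT_INCREMENT = 10


class SequenceError(Exception):
    """Raised with the message text IOS prints for the same condition."""


class IpAccessList:
    """Named (or numbered) IP access list whose entries carry sequence numbers."""

    def __init__(self, name):
        self.name = name
        self.entries = {}          # sequence number -> statement text

    def ordered(self):
        return sorted(self.entries.items())

    def add(self, statement, sequence=None):
        """'<sequence-number> permit|deny ...'; with no number the entry goes on the end."""
        if statement in self.entries.values():
            return                           # same statement already present: no change
        if sequence is None:
            last = max(self.entries) if self.entries else 0
            sequence = last + DEFAULT_INCREMENT
        elif sequence in self.entries:
            raise SequenceError("Duplicate sequence number.")
        elif sequence < 1:
            raise SequenceError("Sequence number must be at least 1.")
        if sequence > MAX_SEQUENCE:
            raise SequenceError("Exceeded maximum sequence number.")
        self.entries[sequence] = statement

    def remove(self, sequence):
        """'no <sequence-number>' deletes the entry with that number."""
        self.entries.pop(sequence, None)

    def resequence(self, start, increment):
        """'ip access-list resequence <name> <start> <increment>': renumber in current order."""
        if self.entries and start + increment * (len(self.entries) - 1) > MAX_SEQUENCE:
            raise SequenceError("Exceeded maximum sequence number.")
        self.entries = {start + i * increment: text
                        for i, (_, text) in enumerate(self.ordered())}

    def reload(self):
        """Sequence numbers are not nvgened: after a reload the same statements, in the
        same order, come back numbered 10, 20, 30, ..."""
        self.resequence(DEFAULT_START, DEFAULT_INCREMENT)

    def sequence_numbers(self):
        return [seq for seq, _ in self.ordered()]

    def show(self):
        """Lines in the layout of 'show ip access-lists <name>'."""
        return [f"{seq} {text}" for seq, text in self.ordered()]


def add_or_message(acl, statement, sequence=None):
    """Add an entry and return None, or return the IOS-style error message instead."""
    try:
        acl.add(statement, sequence)
    except SequenceError as err:
        return str(err)
    return None


if __name__ == "__main__":
    acl = IpAccessList("150")
    for text in ("permit ip host 10.3.3.3 host 172.16.5.34", "permit icmp any any",
                 "permit tcp any host 10.3.3.3"):
        acl.add(text)                    # numbered 10, 20, 30
    acl.resequence(1, 2)                 # now 1, 3, 5, as in the first example
    print("\n".join(acl.show()))
    print(add_or_message(acl, "deny ip any any", 3))   # Duplicate sequence number.
```

The reload method is the practical caveat: because the numbers are not saved, any operational notes or change tickets that refer to a line by sequence number are stale after the router reboots, even though the list itself is unchanged.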

Alibaba Lists in Hong Kong: Opens at Double the Offer Price, Oversubscribed 258 Times

Alibaba (1688), mainland China's largest e-commerce website, listed in Hong Kong today (the 6th). Its total raised is estimated to exceed NT$286 billion, which would make it not only the internet stock that has raised the most money in the history of the Hong Kong market, but also the most closely watched internet listing since search leader Google went public in 2004.

It also set a record as the only company ever to list on the Hong Kong exchange on a Tuesday. Alibaba, mainland China's largest portal site, made an extraordinary start on its first day: the opening price reached NT$126 per share, more than double the issue price of NT$56.7, vaulting it to the top spot among Hong Kong technology stocks.

Ma Yun (Jack Ma) said he was very satisfied with Alibaba's share price performance today. Judging from this morning's trading, he said, the original offer price was reasonable, and he hopes to create more wealth together with shareholders and employees.

Boosted by its status as mainland China's top internet company and by the halo of investment from Taiwan's richest man, Guo Tai-ming (Terry Gou), Alibaba's initial public offering performed impressively: the Hong Kong tranche alone was oversubscribed 258 times, and the capital frozen reached NT$1.89 trillion, a new record for overseas public offerings by Chinese internet companies.

With investors piling in, total market capitalisation reached NT$286.4 billion. After listing, Alibaba's total funds raised are expected to surpass Google's, making it the world's largest initial public offering. Alibaba's listing drew the attention of global capital and brought the dot-com frenzy that swept Hong Kong seven years ago back once more!

Nov 5, 2007

MTU(Maximum Transmission Unit) is not factored into the EIGRP metric calculation

Ever since I became a Cisco instructor, there has been one unresolved question in my head: the EIGRP metric formula never lined up with the parameters the textbooks say EIGRP takes into account.

The course material (whether ICND 2.3 or BSCI 3.0) says the EIGRP metric has five parameters (Bandwidth, Delay, Reliability, Load, MTU), of which only Bandwidth and Delay are used by default (because the EIGRP metric formula defaults to K1=K3=1 and K2=K4=K5=0), so the other parameters are not taken into account by default.

Here is the EIGRP metric formula:

metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]

So the question arises: MTU does not appear anywhere in this formula, yet after combing through the Cisco documents and course material I could not find a single official statement saying outright that, although MTU is part of what EIGRP exchanges for the metric, it is not included in the EIGRP metric calculation.

Tonight, while preparing the material for the new ICND2 1.0, I finally came across this passage:

"Note: Although MTU is exchanged in EIGRP packets between neighbor routers, MTU is not factored into the EIGRP metric calculation."

Apart from that, I think this CCNA overhaul is actually more solid in content than the CCNP 3.0 revision was, especially ICND1, which covers a much larger range of topics (which has good and bad sides, since the more you cover the less deeply you go). Still, many of the descriptions and viewpoints have been corrected and improved (for example: the often-misunderstood meaning of VTP Version in show vtp status; the fact that the VTP domain name is learned automatically; and the note recommending that speed/duplex between devices be fixed manually), which helps keep students from misunderstanding things because of unclear wording.

PS: The Delay used in the EIGRP metric calculation has an unusual unit: milliseconds (1 sec = 1000 milliseconds = 1,000,000 microseconds) are converted to microseconds and then divided by 10 (in tens of microseconds). Please take note.
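The formula from the post worked through in Python as an added example (not Cisco's code, and not part of the original post). It applies details from Cisco's EIGRP documentation that the one-line formula leaves implicit: the bandwidth term is 10^7 divided by the slowest link's bandwidth in kbps, the delay term is the cumulative delay in tens of microseconds (as the PS notes), the bracketed sum is scaled by 256, and the reliability term is applied only when K5 is non-zero. The link tuples and the names eigrp_metric, path_metric and delay_tens_of_us are this example's own; the mtu parameter is carried through and never read, which is exactly the point of the note quoted above.

```python
def delay_tens_of_us(delay_ms):
    """The unit note in the PS: milliseconds -> microseconds -> tens of microseconds."""
    return (delay_ms * 1000) // 10


def eigrp_metric(bandwidth_kbps, delay_us, reliability=255, load=1, mtu=1500,
                 k1=1, k2=0, k3=1, k4=0, k5=0):
    """Composite metric for a path whose slowest link is `bandwidth_kbps` and whose
    cumulative delay is `delay_us` microseconds.  `mtu` is accepted because it is
    exchanged in EIGRP packets, but it is deliberately never used: it is not a metric input."""
    if not 1 <= load <= 255 or not 0 <= reliability <= 255:
        raise ValueError("load is 1..255 and reliability 0..255 (255 = 100 percent)")
    bandwidth = 10_000_000 // bandwidth_kbps          # 10^7 / min bandwidth (kbps), truncated
    delay = delay_us // 10                            # tens of microseconds (see the PS above)
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:                                       # reliability term only when K5 is non-zero
        metric = (metric * k5) // (reliability + k4)
    return metric * 256                               # the 256 scaling of the classic metric


def path_metric(links, **kwargs):
    """`links` is a list of (bandwidth_kbps, delay_us, mtu) tuples along the path:
    EIGRP takes the minimum bandwidth, the sum of the delays and the minimum MTU."""
    min_bw = min(bw for bw, _, _ in links)
    total_delay = sum(d for _, d, _ in links)
    min_mtu = min(m for _, _, m in links)
    return eigrp_metric(min_bw, total_delay, mtu=min_mtu, **kwargs)


# Constructed sample links using the IOS default bandwidth/delay for these interface types.
T1_LINK = (1544, 20000, 1500)          # serial T1: 1544 kbps, 20000 us delay
FAST_ETHERNET = (100000, 100, 1500)    # 100 Mbps, 100 us delay


if __name__ == "__main__":
    print(path_metric([T1_LINK]))                          # 2169856, the familiar T1 metric
    print(path_metric([FAST_ETHERNET, T1_LINK]))           # 2172416
    # Same path with a 576-byte MTU on the T1: identical metric, MTU is not a factor.
    print(path_metric([FAST_ETHERNET, (1544, 20000, 576)]))
```

With the default K values a single T1 gives the familiar 2169856, and changing the MTU of any link leaves the result unchanged; the k2/k5 parameters are there only to show how load and reliability enter once those K values are turned on.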