From owner-nanog@merit.edu Mon Jul 26 14:38:49 2004
From: Randy Bush <randy@psg.com>
Date: Mon, 26 Jul 2004 08:54:38 -1000
To: "Robert E. Seastrom" <rs@seastrom.com>
Cc: nanog@nanog.org
Subject: Re: 2511 line break
rs@valhalla [6] % telnet scrapheap 2003
Trying 10.1.1.25
Connected to 10.1.1.25.
Escape character is '^]'.

User Access Verification

Password:
Password OK

installhost console login:
installhost console login:
telnet> send break
Type 'go' to resume
ok
telnet> quit
Connection closed.
rs@valhalla [7] %
i am seriously shocked by the number of folk in this forum who not only seem to use telnet over the internet, but seem willing to advertise it.
I am seriously shocked by the number of folk in this forum who not only seem to be unaware that 'Net 10' is not part of the Internet, but seem willing to advertize it. *grin*
if there is an ssh-enabled ios (i presume that's a cisco 2511), then you could do a flash and mem upgrade before login. *evilgrin*
also telnet is sometimes the last chance over "full" lines (encryption likes packetloss)

bye,
Ingo
On 27 Jul 2004, at 08:10, Ingo Flaschberger wrote:
if there is an ssh-enabled ios (i presume that's a cisco 2511), then you could do a flash and mem upgrade before login.
There are ssh loads for the 2511, because I've downloaded them and loaded them onto 2511s before. There are no ssh loads for the 2511 that allow you to actually use ssh with a non-null cypher without triggering watchdog timers on the router though, last time I checked. The 2511's small brain is easily overwhelmed.

I don't have any 2511s in my network right now, but (unless I'm mistaken) ssh isn't an option for remote access to those routers.

Joe
I don't have any 2511s in my network right now, but (unless I'm mistaken) ssh isn't an option for remote access to those routers.
i assure you that you are, in this case, mistaken. see appended. when composing my original post, i did not even consider that one would use anything but ssh to access a router over the net.

randy

---

Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-K4P-L), Version 12.0(21)S1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 19-Feb-02 14:48 by nmasa
Image text-base: 0x0303C018, data-base: 0x00001000

ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTLDR: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)

oob0 uptime is 7 weeks, 2 days, 6 hours, 37 minutes
System returned to ROM by power-on
System restarted at 21:58:28 UTC Sat Jun 5 2004
System image file is "flash:/c2500-k4p-l.120-21.S1"

cisco 2511 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 02313690, with hardware revision 00000000
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
16 terminal line(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102
Randy,
when composing my original post, i did not even consider that one would use anything but ssh to access a router over the net.
Based on your inability to configure NTP and send a break to a 2500, most of us would naturally be led to believe you cannot configure SSH on a Cisco either. =)
Cisco Internetwork Operating System Software IOS (tm) 2500 Software (C2500-K4P-L), Version 12.0(21)S1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Yes, you've demonstrated you can download and install an IOS image with crypto. Now, try using your router for basic tasks, like serial console, while processing 3DES/Blowfish crypto without the poor Motorola 68k CPU surging to 100% utilization and becoming really unstable really quickly. As they say in home country: "bueno es hablar, pero mejor es callar".

---Rico
On 27 Jul 2004, at 10:13, Joe Abley wrote:
On 27 Jul 2004, at 08:10, Ingo Flaschberger wrote:
if there is an ssh-enabled ios (i presume that's a cisco 2511), then you could do a flash and mem upgrade before login.
There are ssh loads for the 2511, because I've downloaded them and loaded them onto 2511s before. There are no ssh loads for the 2511 that allow you to actually use ssh with a non-null cypher without triggering watchdog timers on the router though, last time I checked. The 2511's small brain is easily overwhelmed.
I found a 2511. Turns out that the small brain *is* easily overwhelmed, but not so much that it can't handle single ssh connects, at least to return a prompt to a client. I get these on the console:

31w6d: %SYS-3-CPUHOG: Task ran for 2008 msec (0/0), process = SSH Process, PC = 3814BB4.
-Traceback= 31F59FC 3814BBC 3871260 3871DDE 386BDE0 386BC52 386218A 385CF34 385EAB0 385E2F2 3867DE8 3867128 387BC42 3878936 3879E0A
31w6d: %SYS-3-CPUHOG: Task ran for 2008 msec (0/0), process = SSH Process, PC = 3814BB4.
-Traceback= 31F59FC 3814BBC 3871260 3871DDE 386BDE0 386BC52 386218A 385CF34 385EAB0 385E2F2 3867DE8 3867128 387BC42 3878936 3879E0A

but the ssh client session does actually complete, and I can type commands.

This is on a 2511 which is doing precisely nothing else -- no routing protocols, just a single async port connected to the console on a FreeBSD box.

So, it *is* possible to use ssh to connect to a 2511, at least a 2511 with absolutely nothing else to do. Whether or not this will be useful will depend on how busy your router is.

Joe

Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-K4P-L), Version 12.0(25.4)S, EARLY DEPLOYMENT MAINTENANCE INTERIM SOFTWARE
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Mon 30-Jun-03 19:57 by nmasa
Image text-base: 0x0304D258, data-base: 0x00001000

ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTLDR: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)

xxxxxxx uptime is 31 weeks, 6 days, 23 hours, 7 minutes
System returned to ROM by reload
System image file is "flash:/c2500-k4p-l.120-25.4.S"

cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 03004308, with hardware revision 00000000
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102
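Detection logic for the watchdog warnings Joe quotes, as an added example that is not code from this thread or from Cisco: it parses IOS %SYS-3-CPUHOG syslog lines, ignores the -Traceback= continuation lines, and flags any process that repeatedly hogs the CPU, which is the symptom an operator would want to alarm on before deciding whether a 2511 is busy enough for ssh to be a problem. The two "SSH Process" lines are copied from the console output above (tracebacks shortened); the "OSPF Router" line and the CONFIG_I line are constructed sample input, and the PC value on the constructed line is a placeholder.

```python
"""Detect IOS %SYS-3-CPUHOG warnings per process (added example).

Not code from the NANOG thread or from Cisco. The two 'SSH Process' lines
are copied from Joe Abley's console output; the remaining lines are
constructed sample input (the PC on the OSPF line is a placeholder).
"""
import re
from collections import defaultdict

# Matches the CPUHOG message body wherever it sits on the line, so a
# syslog sequence number or timestamp in front of the uptime stamp is fine.
CPUHOG_RE = re.compile(
    r"%SYS-3-CPUHOG: Task ran for (?P<msec>\d+) msec "
    r"\((?P<ctx>\d+/\d+)\), process = (?P<process>[^,]+), PC = (?P<pc>[0-9A-F]+)",
    re.IGNORECASE,
)

SAMPLE_LOG = [
    "31w6d: %SYS-3-CPUHOG: Task ran for 2008 msec (0/0), process = SSH Process, PC = 3814BB4.",
    "-Traceback= 31F59FC 3814BBC 3871260 3871DDE 386BDE0 386BC52 386218A 385CF34",
    "31w6d: %SYS-3-CPUHOG: Task ran for 2008 msec (0/0), process = SSH Process, PC = 3814BB4.",
    "-Traceback= 31F59FC 3814BBC 3871260 3871DDE 386BDE0 386BC52 386218A 385CF34",
    # constructed: an unrelated single hog (placeholder PC) and a non-CPUHOG message
    "31w6d: %SYS-3-CPUHOG: Task ran for 2012 msec (0/0), process = OSPF Router, PC = 3900000.",
    "31w6d: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_cpuhog(line):
    """Return (process, msec, pc) for a CPUHOG line, or None for anything else
    (including the -Traceback= continuation lines)."""
    m = CPUHOG_RE.search(line)
    if not m:
        return None
    return m["process"].strip(), int(m["msec"]), m["pc"].upper()


def summarize(lines):
    """Per-process (event count, worst msec, total msec) over all CPUHOG events."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_cpuhog(line)
        if parsed:
            process, msec, _pc = parsed
            events[process].append(msec)
    return {p: (len(v), max(v), sum(v)) for p, v in events.items()}


def hog_alerts(lines, min_msec=2000, min_count=2):
    """Names of processes that hogged the CPU for at least min_msec
    at least min_count times; a single hog is noise, a repeat is a trend."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_cpuhog(line)
        if parsed and parsed[1] >= min_msec:
            counts[parsed[0]] += 1
    return sorted(p for p, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    for proc, (n, worst, total) in summarize(SAMPLE_LOG).items():
        print(f"{proc:<14} events={n} worst={worst}ms total={total}ms")
    print("alert:", hog_alerts(SAMPLE_LOG))
```

Point the script at lines collected by a syslog receiver rather than the console buffer; the regex deliberately does not anchor on the uptime stamp so a relayed line with a sequence number or timestamp in front still matches.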
So, it *is* possible to use ssh to connect to a 2511, at least a 2511 with absolutely nothing else to do. Whether or not this will be useful will depend on how busy your router is.
as i said in my original post, i am using the 2511 as the terminal server for a bunch of out-of-band console ports. works great. a lot of folk have been doing the same for a long time. ssh to the 2511 and then async out to the broken devices. and you can put a modem on the con or aux for another pathway in.

i was not recommending using it as a router. though this one is participating in my very local (one rack) ospf mesh.

randy
In message <Pine.LNX.4.60.0407270423300.1665@volatile.cableone.at>, Ingo Flaschberger writes:
also telnet is sometimes the last chance over "full" lines (encryption likes packetloss)
This doesn't make much sense. ssh and telnet both run over TCP; TCP handles any lost packets. If you're talking about IPsec, it was engineered to make each packet cryptographically independent. The only possible issue is that ssh packets are somewhat longer, thus rendering them slightly more expensive to transmit and slightly more liable to random bit errors. But the latter is very unlikely -- you were talking about congestion -- and the effect of the former is minimal compared to the speed of any likely line.

--Steve Bellovin, http://www.research.att.com/~smb
Steven M. Bellovin wrote:
random bit errors. But the latter is very unlikely -- you were talking about congestion -- and the effect of the former is minimal compared to the speed of any likely line.
Some people run queuing algorithms based on packet size on narrow links. Pete
On Tue, 27 Jul 2004 14:00:44 +0300, Petri Helenius said:
Some people run queuing algorithms based on packet size on narrow links.
Well... if you're queueing biggest-packet-first, yes, the ssh can get starved indefinitely if there's enough web browsers downloading pages or P2P traffic. If you're queueing smallest-first and there's enough even-smaller packets to starve an ssh session, you probably have bigger problems... Yes, it *could* make connecting to shoot that port that's spewing ICMP at line rates a bit challenging, but you knew that when you chose the queueing algorithm, right?
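A toy link simulation of the two starvation cases Valdis describes, as an added example that is not from this thread or any router vendor: a single bounded queue served smallest-packet-first lets a flood of tiny packets starve the ssh session, and served largest-first lets full-size bulk transfers starve it. Flow names, packet sizes, offered rates, link speed and queue depth are all constructed. It goes beyond the text by also running a per-flow round-robin queue, under which the ssh session keeps getting its turn regardless of what the other flows do.

```python
"""Toy link scheduler: does the queueing policy starve an ssh session?

Added example, not code from the NANOG thread or any router vendor. The
flows, their packet sizes and rates, the link speed and the queue depth
are constructed: 'ssh' is an interactive session with modest packets,
'icmp' a port spewing small packets at line rate, 'bulk' full-size
web/P2P transfers.
"""
import heapq
from collections import defaultdict, deque

# (flow name, packet size in bytes, packets offered per tick), constructed
FLOWS = [("ssh", 120, 1), ("icmp", 64, 40), ("bulk", 1500, 2)]
LINK_BYTES_PER_TICK = 1500   # the link drains this many bytes per tick
QUEUE_LIMIT = 200            # packets the queue holds before dropping

# Scheduling key: the queue always serves the packet with the lowest key.
PRIORITY = {
    "fifo": lambda size, seq: (seq,),
    "smallest_first": lambda size, seq: (size, seq),
    "largest_first": lambda size, seq: (-size, seq),
}


def _enqueue(heap, entry):
    """Bounded priority queue: when full, drop whichever packet the policy
    ranks last (for fifo that is plain tail drop of the newest packet)."""
    if len(heap) < QUEUE_LIMIT:
        heapq.heappush(heap, entry)
        return
    worst = max(heap)
    if entry < worst:
        heap.remove(worst)
        heapq.heapify(heap)
        heapq.heappush(heap, entry)


def simulate_priority(policy, ticks, flows=FLOWS):
    """Single queue ordered by the policy; returns packets served per flow."""
    key = PRIORITY[policy]
    heap, seq, credit = [], 0, 0
    served = defaultdict(int)
    for _ in range(ticks):
        for name, size, count in flows:
            for _ in range(count):
                _enqueue(heap, (key(size, seq), size, name))
                seq += 1
        credit += LINK_BYTES_PER_TICK
        # serve while the head packet fits; unused credit carries over
        while heap and heap[0][1] <= credit:
            _, size, name = heapq.heappop(heap)
            credit -= size
            served[name] += 1
    return dict(served)


def simulate_flow_rr(ticks, flows=FLOWS):
    """One bounded queue per flow, served strict round-robin: no flow can
    monopolise the link, so the ssh session keeps getting its turn."""
    order = [name for name, _, _ in flows]
    queues = {name: deque() for name in order}
    per_flow_limit = QUEUE_LIMIT // len(flows)
    turn, credit = 0, 0
    served = defaultdict(int)
    for _ in range(ticks):
        for name, size, count in flows:
            for _ in range(count):
                if len(queues[name]) < per_flow_limit:
                    queues[name].append(size)    # else tail drop
        credit += LINK_BYTES_PER_TICK
        idle = 0
        while idle < len(order):
            name = order[turn % len(order)]
            q = queues[name]
            if q and q[0] <= credit:
                credit -= q.popleft()
                served[name] += 1
                idle = 0
            elif q:
                break        # head packet needs more credit: wait, keep the turn
            else:
                idle += 1
            turn += 1
    return dict(served)


if __name__ == "__main__":
    for policy in PRIORITY:
        print(f"{policy:<15}", simulate_priority(policy, 100))
    print(f"{'per-flow rr':<15}", simulate_flow_rr(100))
```

The priority variants show the point of Valdis's remark: with a single size-ordered queue, whichever size class is out of favour never reaches the head while the favoured class keeps arriving faster than the link drains. Per-flow queueing is the usual answer for keeping a management session reachable while a port floods.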
Valdis.Kletnieks@vt.edu wrote:
Yes, it *could* make connecting to shoot that port that's spewing ICMP at line rates a bit challenging, but you knew that when you chose the queueing algorithm, right?
There is also an infinite supply of idiots and mediocre network engineers. Breaking up stuff is easier than making it robust which is the reason why only protocols that are really resistant to abuse prevail. Pete
There is also an infinite supply of idiots and mediocre network engineers. Breaking up stuff is easier than making it robust
Ettore Bugatti, maker of the finest cars of his day, was once asked why his cars had less than perfect brakes. He replied something like, "Any fool can make a car stop. It takes a genius to make a car go."
* randy@psg.com (Randy Bush) [Tue 27 Jul 2004, 21:22 CEST]:
Ettore Bugatti, maker of the finest cars of his day, was once asked why his cars had less than perfect brakes. He replied something like, "Any fool can make a car stop. It takes a genius to make a car go."
Luckily, these days engineers of the automotive persuasion believe more in a holistic approach to car design -- Niels.
On Tue, 27 Jul 2004 09:22:25 -1000 Randy Bush <randy@psg.com> wrote:
There is also an infinite supply of idiots and mediocre network engineers. Breaking up stuff is easier than making it robust
Ettore Bugatti, maker of the finest cars of his day, was once asked why his cars had less than perfect brakes. He replied something like, "Any fool can make a car stop. It takes a genius to make a car go."
interesting. back when i was doing a lot of performance driving stuff (mostly bmw club race track schools), i made the following observation:

you can tell someone has become an intermediate driver because they start regularly trashing their brakes.

you can tell someone has become an advanced driver when they learn how to go even faster while not trashing their brakes.

cheers,
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
On Tue, 27 Jul 2004, Richard Welty wrote:
you can tell someone has become an intermediate driver because they start regularly trashing their brakes.
you can tell someone has become an advanced driver when they learn how to go even faster while not trashing their brakes.
brakes?? ohhhh that's what that other pedal is for..
** Reply to message from "Stephen J. Wilcox" <steve@telecomplete.co.uk> on Wed, 28 Jul 2004 00:50:19 +0100 (BST)
On Tue, 27 Jul 2004, Richard Welty wrote:
you can tell someone has become an intermediate driver because they start regularly trashing their brakes.
you can tell someone has become an advanced driver when they learn how to go even faster while not trashing their brakes.
brakes?? ohhhh that's what that other pedal is for..
Nahhhh - that's the clutch.

--
Jeff Shultz
A railfan pulls up to a RR crossing hoping that there will be a train.
On Tue, 27 Jul 2004, Jeff Shultz wrote:
** Reply to message from "Stephen J. Wilcox" <steve@telecomplete.co.uk> on Wed, 28 Jul 2004 00:50:19 +0100 (BST)
On Tue, 27 Jul 2004, Richard Welty wrote:
you can tell someone has become an intermediate driver because they start regularly trashing their brakes.
you can tell someone has become an advanced driver when they learn how to go even faster while not trashing their brakes.
brakes?? ohhhh that's what that other pedal is for..
Nahhhh - that's the clutch.
Who needs brakes? That's what first gear is for. -j
participants (13)
- Ingo Flaschberger
- jdisher@parad.net
- Jeff Shultz
- Joe Abley
- Niels Bakker
- Petri Helenius
- Randy Bush
- Ricardo "Rick" Gonzalez
- Richard Welty
- Robert Bonomi
- Stephen J. Wilcox
- Steven M. Bellovin
- Valdis.Kletnieks@vt.edu