Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
I'm surprised no one has mentioned Cisco!
Cisco is always hiring - and we have a large
population of *nix geeks - Linux is very popular
internally and of course there are tons of sun boxes...
-
100Mbps for cheap, not right now
Do you really need 100 Mbps between your home network and the one or two machines on the DMZ? Do you regularly pass huge files between the two? Or are you just a bandwidth snob who doesn't understand that it really doesn't matter when your connection looks like 100M-->10M-->512k-->internet
The cheapest you can find on the market with 100Mbps is going to run you about US$2k, and the most expensive you can get is a cisco pix.
Even a dual 100Mbps NIC linux router will not be able to maintain a high packet rate between the two interfaces, even with a 500 MHz Pentium III powering it. There are just some limitations you will have to accept. Just go for the best priced 10Mbps you can get, and accept the slightly longer transfer times when you make a full dump of your website.
In my place, I've got an outside network consisting of DSL and cable, with two routers and a pix 515. The outside net is 10BaseT, because the total bandwidth to the internet is only about 4.5 Mbps. My pix has 6 interfaces: in, out, and 4 DMZ each with a fully routable subnet. The inside is 100Mbps, because that is what we run in this house. But to the DMZs and outside, it's all 10Mbps because it doesn't buy us anything to the outside world.
the AC -
MBONE file distribution, etc.
I'm not certain that MBONE is what you really mean here; what I think you really want is a broadcast or multi-cast oriented file transfer system.
I actually wrote a broadcast-oriented ftp around 6 or 7 years ago; it's currently used by a Fortune 500 company to xmit large chunks of data to 3000 locations, simultaneously. This is in a satellite WAN environment.
As for multicast: this is something I've been looking into lately. For those interested, a few pointers: Cisco has a few articles RFC draft, which has expired.
For a general discussion of IP Multicast, check out IPMulticast.com, especially the tech section which discusses reliable multicast protocols.
I should mention that there is a lot of work going into multicast protocols these days, for various reasons, and that, generally, multicast protocols aren't very generally applicable. Some, for instance, are useful for gaming, where the data is time sensitive, but the reliability of data transport doesn't have to be perfect. Data transport is obviously more important for an ftp-like system. Besides the more traditional use of UDP as a protocol base, some folks are implementing their own protocols on top of raw IP.
For a vendor's perspective on a product/implementation, check out Talarian, which has a reliable multicast product. [ You can even get code, if you register ] Note: this relies on the PGM protocol.
Check out Vaccine for an effort to create a multicast distro image distribution tool.
-
Cheap, no, easy, yes.
Any old Cisco IOS based box will do the trick. Start with this link to get basic transparent bridging information.
If you look further down, you'll see "Ethernet Bridging Example" with Figure 40 in it, where they route IP and DECNet, and bridge everything else. Well, if you remove IP and DECNet, it works too.
Of course, the request was for a cheap box. IOS based boxes are far from the cheapest, particularly on the low end. A 1605 would be about the cheapest thing for the job. Most any "router" on the low end that also supports bridging will do the job, bridging over a WAN is pretty easy.
That said, why not just route?
-
NAT Pool
What this patent is really about is Cisco's NAT pool technology. Basically it gives the external side of the firewall several external IP addresses rather than just one as seen with most firewalls today. I know that Cisco uses this technology with their PIX Firewall boxes. But I don't know if they use this with any of their other firewalls. -Sean
-
Adaptive Security Algorithm is on the PIX Firewall
Adaptive Security Algorithm or (ASA) is the marketing name for the stateful packet filtering that the Cisco PIX Firewall does. Nothing more, nothing less. Info at Cisco on ASA can be found here.
-
Re:This is great!
Cisco does NAT pretty well, thank you, and with the right access lists can do all the things that you are describing.
-
Some technology info from another company
I work for a high speed wireless ISP in Toronto, Ontario, Canada named Maxlink. We offer a range of services, from 0-4mbps uncommitted up to 10mbps committed rates. We also offer IP-VPN as well as other network services which are forthcoming.
This is all done using a combination of Cisco routers/switches for layer 3 stuff, and Newbridge switches for the layer 2 stuff. We use 46020 to manage the layer 2 stuff, and HP openview for the layer 3.
All our customer sites have an antenna on the roof, which is connected to an NIU. The NIU handles all of the RF stuff. The NIU is connected to a Cisco 2924 by an OC-3. A port on the switch is connected to a Cisco 1605r in the user's space by a 10mb connection. The users then come off that with their connection to whatever they need.
The transmitting stations (BTSs) are located on the top of medium sized buildings spread throughout our 5 markets (Vancouver, Calgary, Toronto, Ottawa, Montreal). By the time we are done the expansion, we will have >60 BTS. Each of the BTSs can cover an area between 2 and 4.5 km out depending on the weather in the area. Vancouver, for example, has a lot of rain, but it's very small drops, and has a range of 4km. Toronto, however, has very heavy rain drops, and its range is only 2.5km. (That's rain fade.) Because of the frequency we use (28ghz), we are affected a lot more by weather than something like radio/etc.
The BTS's are connected via OC-3 links to our 'core' where the data is sent off to the internet or through the internal network as required. We are a startup, so there is still a lot of development in the network, but we are currently hosting over 150 customers.
The technology is also VERY line of sight - 1 or 2 degrees off is enough to drop the NIU off the network. Because of this, and a few other things, security is guaranteed because as soon as line of sight is broken, which is needed to get the signal, the site drops and the bts stops sending anything other than a "ping" to try and connect. There is no way to 'snoop' because you have to have line of sight, as well as know a bunch of information about the network to break the (admittedly light) encryption.
If you are interested in more info, you can email me and I'll see what I can do. If you are interested in our service, visit the web site :) :) (we do email, web, dns and voice services also) :) (shameless plug).
We emerge from our mother's womb an unformatted diskette; our culture formats us. -
Clustering software or management software?
If you are looking for software to create a cluster, there are several, depending upon what type of cluster you are trying to create. If you are creating a service-based cluster, check out TurboLinux Cluster Server, Linux Virtual Servers, PolyServe Understudy, and Legato. There are many others available, including hardware solutions from Cisco, F5, and Alteon. I'm not too familiar with Beowulf-type clusters.
If you are looking for software to manage groups of systems, that's a whole different story. You might look into Enlighten DSM, Tivoli, or OpenNMS. I'm sure there's a lot of competition in that field as well, but I don't have any experience with those products. -
Be worried about load balancing
If you use frames at your site, requests for the different frames will come from different IPs. Very difficult to load-balance effectively if you keep state on your servers.
Another load balancing issue comes from loading a helper app that loads a URL (like RealPlayer). The helper app may not use the AOL proxy servers, so it'll appear as a different IP address than the web client, and it probably won't support cookies.
Cisco has details on dealing with the "AOL problem" on its web site.
Also, don't pass very long query strings around--they'll chop 'em.
-
Re:Oh, come *on*
Cisco IOS does default to blank enable and login passwords. However, you cannot access the router using anything other than a local serial cable until you change the passwords. Take a look at Improving Security on Cisco routers.
This seems different to me than a SQL server password which you can by default connect to over the network (unless blocked by a firewall or ACL) without a password and execute code (or at least drop system tables...)
RE:
>3) You know what -- cisco equipment has a blank password by default! Oh no! Every single Cisco router and switch has a built in vulnerability! Quick, call the press.
>4) Anyone who is qualified to configure a SQL server knows this is just part of the install. Just like Cisco equipment.
- philos -
Re:Control of the Service...
Ahhhh, another wireless person.
I, too, used to live in a household with no phone lines. All of us used cell phones exclusively, and suffered through all kinds of Denials of Services because we weren't wired.
If it weren't for the electric bill and local taxes, we wouldn't have had any documentation of proof of residence. Many services here require you to be in good standing with the phone company, it is sort of a cheap way of doing a background credit check on potential customers, since phone service is one of the first services to go when a person gets into money trouble.
It's amazing how many new devices now count on copper-fed dial tone, at a time when more and more people are cutting themselves free of the copper loop. Especially in Europe, where a cell phone doesn't really cost more than a land line for casual use. Approximately 10% of young people in Europe this year leaving university and setting up in a new household aren't bothering to get telephone service, which is worrying the old telcos and thrilling the cell phone providers.
The only reason I have copper dialtone in my house is that I have sDSL for a permanent internet connection. It would be nice to see true internet appliances on the market soon, with 10BaseT connectors on the back. I'm wired for it. Others are wiring homes right now.
the AC -
No ACL's because routers are slow
It's trivial to add the appropriate ACL's to various routers and stop SOME classes of DoS attacks. But let's face it, the bulk of routing hardware out there today (the 12000's, the M40's, etc) all use CPU based forwarding engines.
These engines have been tuned, over the years, to do relatively high performance destination based IP lookups on packets. As an example, a Cisco 12000 Gigabit Ethernet line card can do about 800 megabits worth of forwarding. You notice how this is less than the full line rate for the card?
Adding ACL's can chew up processing time that could otherwise be used to forward traffic. In a typical Cisco router, each ACL line is examined sequentially. Just a one line ACL can significantly impact packet forwarding performance. Ten lines long, and you'll probably see 30% reduction in packets per second.
Now, there's new technology on the way but as with most things it's slow in coming. There are some software improvements on Cisco's these days in the 12.0(S) trains that allow for "compiled ACL's". These use a FSA (finite state automaton) to compile an ACL into, essentially, a "regular expression". It requires only one pass of the packet for an ACL of any length. Lookup times are always deterministic. I think the break even point is a three line ACL over regular ACL's.
Next in line is the addition of hardware based IP lookup engines and hardware based TCAM pattern matchers for filter list lookups. The new cisco Three Port Gigabit Ethernet line card for the 12000 is like this. However, packet forwarding performance is still around 2.5Mp/s, meaning you can really only use two ports at full guaranteed line rate. See the latest Cisco Release Notes for information about the new line cards.
As a comparison, big routers handling big web sites these days can do an aggregate of about 5-7 million packets/second. This means ACL's are just right out for most of these routers with the current generation of line cards/technology.
So, the simple explanation is, most big web sites and their network providers know damn well what ACL's work best in what DoS's. But to put them on all the time means killing top end performance. So they only put them on when an attack is under way, and those are pretty easy to spot.
:) -
Re:This can be done
I think you really want to use:
access-list access-list-number {permit | deny} {type-code wild-mask | address mask}
For more info, see here.
The Cisco ACLs are really nice, and with some planning, you can make them really short and compact, which will make things faster. Somebody mentioned in another thread that with ACLs, it's really quality over quantity.
itachi
-
How to secure a router
Cisco's document entitled "Improving Security on Cisco Routers" covers this.
By the way, although it's true that there's some performance impact from filtering, it's not nearly as much as the ISP folklore (and a lot of the posters here) would have you believe. I've turned on filtering on very heavily loaded routers and had it work fine.
-
Re:Why not tap the physical layer ?
I don't see why the FBI can't continue to simply tap the phone lines...
That's more or less what the United Kingdom is suggesting. The FBI approach seems to be much less invasive.
The problem is that except for my pathetic dial-up line, most internet traffic goes on dedicated data lines, not over the public standard telephone network (PSTN). Sure, they can tap the telephone switches and have equipment in place to do this, but they do not have similar equipment in all the data networks.
Telephone networks are increasingly becoming obsolete by IP telephones and IP switching equipment. This is likely to worry FBI, and I guess that in all fairness it should (America did approve of telephony tapping). I don't know what the right answers are...
---
"Where do you come from?"
-
Re:The internet isn't made for voice calls.
There is a protocol redesign in the works. That's what Internet2 is being designed for. And I don't mean IPv6.
A lot of the big guns out there are busy developing infrastructure that will allow reliable Voice over IP, real-time video conferencing and other delay-sensitive apps to work reliably.
Cisco's Packet magazine had an article on this a while back (it was the cover story on the last issue). I'm sure there are dozens if not hundreds of other articles on this too.
You will see Voice over IP a lot more in the next few years, simply because it's cheaper to implement than traditional, circuit-switched telephony. It's not a bad thing, really, because the telcos are going to have to make it work 100% of the time. That's the #1 concern. People have been getting dialtones all across this continent for 50 years now. It's simply not acceptable that suddenly you only get 9 out of 10 dialtones. It's got to be 100% or it won't fly.
--
-
IPv6
-
Re:Compression
Of course, people actually downloading the whole human genome probably wouldn't worry about this, but couldn't they use a better compression format than .zip? I bet using bzip2 or rar would shave a couple of hundred MBs off of that 753MB file. Also, the differences in compression techniques would be interesting to see on a large group of files mainly consisting of G, A, C, and T. -- demiurge You find a file that appears important and obliterate it from memory!!! Score one for the downtrodden hacker!
Huffman would be a better compression algorithm in my opinion. Huffman uses a tree to determine which encodings to use for each symbol. The encodings might be similar to this:
This would only work for the .fa files, but .fa files can contain "N"s also. If you just want to browse the Genome, look through the pieces directory. -
How well supported on the server-side?
I was curious how long it would take for the makers of NAS products to implement v.92--looks like availability is scarce:
Cisco claims support on their AS5400 product line:
http://www.cisco.com/warp/public/cc/cisco/mkt/ios/rel/121/prodlit/1095_pp.htm
I couldn't find anything on Lucent's website (Portmaster 3 & Portmaster 4 products).
I couldn't find anything on 3Com's website (USR Total Control Products).
Anyone work with any of these products and know of any published timelines or press releases on ETAs for working software? -
Re:need for speed
Actually Cisco is able to MUX 128 channels in a fibre, with 10GigE coming around the corner it's beginning to sound interesting
:)
Take a look at this and this, which is a live demo of the products involved (even though they're only pulling OC192 in that demo) -
It's Aironet
-
Re:Wonder if it's encrypted?
According to Cisco's press release they're using Qwest's fiber backbone and a bunch of Cisco routers and VPN products, with a whole bunch of other industry-buzzword products involved in the projection:
"Once the TITAN A.E. file reaches the Atlanta theater, it will be stored on a QuVIS Inc. server and projected using a Barco/Texas Instruments DLP Cinema digital projector. Sigma Designs Group has built a state-of-the-art Tørus Compound Curve Screen and Eastern AcousticWorks has provided a customized digital audio sound system for the event."
Groovy, eh?
-
Re:freely available cisco study guides
Cisco provides a demo of their CCNA course.
It looks like a combination of the First and Second year of the Cisco Netacademy which I'm taking now. About $800 per semester (total of four) gets you an 8 hour class on Sunday for 10 weeks (same course provided to High Schools that participate but for free). I get a chance to work hands-on with routers so I think it's worth the price so far, but waking up 7:00am on Sunday is a bitch. -
ask "The Internet company"
Cisco has a smegload of documentation online. It's mostly product-specific, but some very good general information can also be found.
Here's the answer to your question.
The fundamental difference between a LAN switch and a router is that the LAN switch operates at Layer 2 of the OSI model and the router operates at Layer 3. This difference affects the way that LAN switches and routers respond to network traffic.
and then, just beneath that
Because routers implement Layer 2 functionality and switches are beginning to implement Layer 3 functionality, the functions of a LAN switch and a router are merging.
This reminds me of the OSI Seven-Layer Burrito. Unfortunately, it appears to have vanished from the internet. c'est la vie.
-
OS Level failover
One of the things that I have found is that OS level failover doesn't always work or will have odd problems. If you are looking for Enterprise level uptime then hobbling together a solution such as this is not for you. The company I work for uses a cisco localdirector to do the work for it. What's great about this sort of solution is that a localdirector will round robin, do failover, and such a dizzying array of things that it's wondrous. I would suggest you look into this solution or one similar.
-
Re:RSM/MSFC definitions
The MSFC, the multi-layer switch feature card does the routing. There is a PFC (policy feature card) which will provide QoS, Load-Balancing, access lists, etc. There is no RSM for the 6509. Check Cisco's site for reference. The MSFC/PFC combination will forward 15Mpps if the routed traffic goes through the hardware. If there's some exception that doesn't allow it to get routed by the ASIC then the traffic will go through a software router that will do 200Kpps, the software router is equivalent to a 75xx series router in terms of speed.
-
Re:Could someone point me to a networking tutorial
http://www.cisco.com/warp/public/779/edu/academy/curriculum/demo/curriculumdemo.html
I'm in the CCNA training program and they're offering the first two lessons off their website for free. Really good info and nice looking flash.
-
Cisco calls it a modem, was Re:Dearth of technical
Okay everyone, repeat after me. There IS NO SUCH THING AS A DSL "MODEM". "D" in DSL is for digital.
Actually, Cisco calls its 675 a "modem":
"The Cisco 675 is an Asymmetric Digital Subscriber Line (ADSL) modem"
http://www.cisco.com/univercd/cc/td/doc/product/dsl_prod/c600s/c675/c675inop/0467501.htm
That's good enough to establish "common usage" for me.
:-)
kb
-
Re:cisco's own OS?
Cisco kit (routers, switches etc) runs an operating system called IOS (Internetworking Operating System) currently at version 12. Check it out here if you're interested.
-
Re:How it works, and why
At a guess, I'd say it's done inside of the routers (Zhongguo Dianxing uses and recommends Cisco). Regretfully, when I was meeting with the techs at China Telecom, I was asking about boring questions regarding bandwidth availability, and didn't think to bug them about the Great Firewall.
j. -
Here's how I do it...
For case 1, let's assume a complete linux front to back solution, with as much free (or mostly free) software as possible:
Needed Software Components:
1. Favourite Distro of Linux
2. MySQL or Postgres Database (personal pref is for MySQL... not going to get into the pros and cons here...)
3. Dynamic Web-Scripting Language (PHP, Perl, whatever... personal pref for this kind of thing is PHP... again, I'm not debating at the moment...)
4. Linux Virtual Server Project - very solid load-balancing from my experience. Don't know how it compares with the appliances on the market... but it's still solid.
5. HA/Redundancy software (Linux HA project isn't quite there... but they're getting close... there are some commercial packages available - one that's free for non-profit use - http://www.high-availability.com)
Hardware:
NB: For maximum up-time I recommend systems with redundant hardware (backup power supplies, dual NICs, and RAID arrays)
1. Firewall/Load-balancer - preferably using HA/Redundancy software on two machines... Mirrored (RAID 1, right?) boot/system hot-plug drives are a good idea.
2. Web-farm - up to X systems (where X+1 breaks your budget... ;) ) load balanced with Virtual Server Project. For a reasonably heavy duty method of doing this relatively cheaply, see Cubix and their "density" series... up to 8 servers in a single box... with hot plug everything. RAID isn't as necessary here... as the systems themselves are effectively your RAID...
3. Database system - again preferably an HA/Redundancy cluster for maximum availability. I recommend a mirrored boot/system disk again, with a RAID 5 array (or RAID 5+5 - mirrored RAID arrays) for speed and maximum availability... highest RPM drives you can afford can help here a lot for speed, too.
4. 100 BaseT Switch for maximum through-put. Personal preference is for Cisco but your budget dollars may vary.
5. I've mentioned RAID a couple of times... you can get SCSI and IDE raid these days (SCSI being more common)... the cheapest/fastest one I've seen is from Raidzone - very nice, check them out (up to 15 - 40 GIG hot-plug IDE drives in one array, with a very high through-put). You can also do software RAID, taking a performance hit, but saving coin...
Case 2 assumes that you don't mind using some commercial stuff... and have a bigger budget:
1. Replace Virtual Server with an appliance. (Alteon, F5 and Cisco all make good products... presently my preference is with F5's BigIP.)
2. Replace in born Linux firewall with Checkpoint's firewall-1 running under linux - or an appliance firewall, a Cisco PIX is very nice, and has very high through-put. The Nokia appliance running Checkpoint and a BSD bastardisation is quite nice. -
In related news: nationwide all-optical backbone
Yesterday, Cisco announced it will create "the first end-to-end, all optical network to deliver Internet access service...." They talk about providing 100x T1 speed for each customer for the price of a T1. Yikes.
-
CISCO....
Cisco has a document up on their website that might interest everyone.
Here's a quote:
In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and SUN computers; however, the tools can be ported to other platforms as well.
-
Re:May I ask....
I think it would be nice to know what kind of software company. (i.e.: CAD, Games, Office/Productivity, development tools, etc.)
The business strategies of a company are going to be heavily dependent on what they are selling, and who they are selling it to. I know from some (bad) experience that selling to gamers (i.e.: individuals) is very different from the Corporate/Enterprise Management types.
And unless you have something totally groundbreaking, I would stick to unoccupied/emerging markets. (Unless you think you can do a better job, such is the case of Ixia Communications who has (IMHO) better products than the local monopoly NetCom Systems). But I should also make the point that some monopolies are better left alone unless you truly know what you are doing (specifically Microsoft, less specifically Cisco).
-
Re:MMDS isn't all that new,,,
This is either absolutely incredible or incorrect, as it would be the first commercial wireless product to do multiple symbols per wavelength.
Perhaps it's 12 and 6 GHz instead of MHz?
If it is GHz, it's still incredible that they can go 30 miles with it and/or (which is it? :) do non-line-of-sight connections.
Radio waves bounce off of buildings really well, the signal is still quite intact, the only problem is you get multiple signals due to multiple bounce paths to you, each one slightly delayed by a different amount (speed of light isn't so fast anymore once you deal with picosecond waves).
Looking at the technical specs it appears they not only worked around this problem but somehow used it to their advantage.
-
Here come the links!
Technical specs at http://www.cisco.com/warp/public/cc/cisco/mkt/servprod/wt2700/
-
Re:Just out of curiosity?
Most ISPs use access servers from companies like Cisco and Bay. Access servers are (usually) rack-mountable cases with a bunch of modem hardware in one small box. (See Cisco's Access servers page for info about access servers.)
Any ISP that offers 56Kbps will definitely have one of these access servers. -
Not real clustering...
This is basically commercialisation of the Linux Virtual Server Project... it's a load balancer - much like Cisco's LocalDirector...
Now if you want real clustering, help with the Linux High-Availability Howto or go look at HP/UX's MC/ServiceGuard - or if you are forced to play with toys, MS makes NT Enterprise...
GEEK! -
Cisco's Network Registrar?
Seems like Microsoft is (yet again) taking other people's ideas and making it their own.
Cisco has had a DNS/DHCP server implementation for a long time.
The new "Network Registrar" comes in Solaris and NT (4) flavours. It has a policy based DHCP server and dynamic DNS functionality.
It basically allows the administrator to map a hostname to a MAC address, independent of the IP Address (hence the need for dynamically updating the hostname's IP). I can see only a few instances where this might be required. For 95% of the cases, why not just put a static IP in the DHCP server for a particular host. Saves lots of problems.
I guess Microsoft not only invented the internet, they pioneered DDNS with Windows 2000 as well! (*cough*)
--
Let's not all suck at the same time please -
Have a gander at the IOS documentation
IOS isn't exactly an embedded toaster OS.
-
Do it at the router
[These links are long. If they get broken, go to www.cisco.com and search for "Committed Access Rate".]
Some of the more interesting versions of the Cisco IOS (the 11.1CA and CC tree I think, and v12 if you're feeling brave) will perform incoming and outgoing traffic shaping. The closest to what you'd like is probably Committed Access Rate.
It can be applied directly to an interface to limit all IP traffic, or you can define an access list so that it will limit all traffic that matches a particular protocol, QOS flag... or your customer's IP subnet.
This last option is useful to limit a customer's access to the internet at large while still giving them full speed access to, say, your local mail or FTP server. You perform the limit on your connection to the rest of the world, using a different rate limit for each customer.
The v12.0 documentation is linked above, or check this CCO search.
Dave
--
-
Here are some links for Gigabit / ATM info
All vendor/consortium links I'm afraid...
- 3Com, "Gigabit Ethernet Comes of Age", http://www.3com.com/technology/tech_net/white_papers/503003.html
- 3Com, "ATM LAN Emulation", http://www.3com.com/nsc/500617.html
- ATM Forum, http://www.atmforum.com
- Gigabit Ethernet Alliance, http://www.gigabit-ethernet.org
- Cisco ATM switching overview, http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/55755.htm
- Cisco Introduction to Gigabit Ethernet, http://www.cisco.com/warp/public/cc/cisco/mkt/switch/gig/tech/gigbt_tc.htm