Routers for Sale [7:30650]

2002-01-02 Thread Thomas Jreige

I have 3 routers and Hub for Sale.  Just unwanted devices and need to sell.
All in working order and very willing to negotiate.
Please make an offer.  I am in Sydney, Australia.

Thanks.

Thomas Jreige


Cisco 803 ISDN Router
IOS 12.1 IP Plus + IPSEC
12M Physical Memory
8M Flash

Cisco 2501
IOS 12.0 IP Plus
1 Ethernet / 2 Serial ports
16M Physical Memory
8M Flash

Cisco 2501
IOS 11.3 IP Plus + 40-bit DES Image
1 Ethernet / 2 Serial ports
4M Physical Memory
8M Flash

DTE - DCE Back to Back Serial Cable

Netgear EN108 Hub




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30650t=30650
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: OT - Firewall performance Comparisons - is it quitting time [7:30652]

2002-01-02 Thread Gil_Shulman/[EMAIL PROTECTED]

For quite a while CheckPoint is outperforming every single Firewall in the
market, especially in the CheckPoint Next Generation Firewall version
and with the release of their SecureXL API.
It is important to remember that performance is not everything that needs to
be compared while testing a Firewall.
I love the Cisco PIX but the CheckPoint NG is amazing.

Gil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30652t=30652



Re: Passive Interface Help [7:30648]

2002-01-02 Thread cheekin

Hi,

When you make the ethernet interface passive, it means no IGRP updates will
be sent out on the ethernet interface.  It doesn't stop the serial interface
from advertising network 12.0.0.0, which explains why you can still ping
the ethernet interface.  If for some reason you do not want network
12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use a
distribute-list to filter out the route.

Regards,
cheekin

- Original Message -
From: 
To: 
Sent: Wednesday, January 02, 2002 15:03
Subject: Passive Interface Help [7:30648]


 Happy New Year!!

 I need a little help on what a passive
 interface is. From what I can gather, a passive
 interface does not advertise its route to its
 neighbor ? Now if that is the case, why can
 I still ping an interface that is set to passive.
 Please note: This is excluding directly connected
 routes.

 For example, I set my Cisco 2509 ethernet interface
 to passive. Why can I still ping the ethernet address
 from my neighboring router Cisco 4000 ? I am
 running IGRP. Why does the ethernet network show up in its routing table
 for my Cisco 4000. From poking around with the passive interface command it
 seems that I can not ping my ethernet address only if I set the Serial
 interfaces to passive also.
 This seems odd. I thought if I made an ethernet interface passive, I should
 not be able to ping it from a neighboring router or any other router since
 it is not being advertised.

 Below is a sample of me being able to ping serial 1 off
 my Cisco 2509 from my Cisco 4000. Serial 1 is not
 directly connected. Serial 1 is being advertised.




 Current configuration:
 !
 version 12.0
 service timestamps debug uptime
 service timestamps log uptime
 no service password-encryption
 !
 hostname Cisco2509
 !
 enable password router
 !
 ip subnet-zero
 ipx routing 0010.7be8.22f4
 !
 !
 !
 !
 !
 interface Ethernet0
  ip address 12.11.12.1 255.255.255.240
  no ip directed-broadcast
  delay 1000
 !
 interface Serial0
  ip address 172.16.18.1 255.255.255.240
  no ip directed-broadcast
  no ip mroute-cache
  ipx network 3
  no fair-queue
  clockrate 100
 !
 interface Serial1
  ip address 172.17.18.2 255.255.255.240
  no ip directed-broadcast
  clockrate 400
 !
 router igrp 1
  passive-interface Ethernet0
  passive-interface Serial0
  passive-interface Serial1
  offset-list 2 out 11000 Serial0
  network 12.0.0.0
  network 172.16.0.0
  network 172.17.0.0
 !
 ip classless
 !
 access-list 2 deny   12.11.12.1
 !
 !
 !
 !
 !
 line con 0
  transport input none
 line 1 8
 line aux 0
 line vty 0 4
  password cisco
  login
 !
 end

 Cisco2509#



 Cisco_4000ping 172.17.18.1

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 2 seconds:
 !
 Success rate is 100 percent (5/5), round-trip min/avg/max = 120/120/124 ms
 Cisco_4000ping 12.11.12.1

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 12.11.12.1, timeout is 2 seconds:
 .
 Success rate is 0 percent (0/5)
 Cisco_4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30653t=30648
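
Added example (not part of the original thread, and not either poster's configuration): the two fixes cheekin describes, applied to the Cisco2509 configuration quoted above. Access-list number 12 and its use on both serial interfaces are assumptions made for illustration; use one option or the other.

```cisco
! Option A: stop advertising the major network entirely.
! With no "network 12.0.0.0" statement, IGRP has no 12.0.0.0 route
! to send out of any interface, and Ethernet0 no longer runs IGRP.
router igrp 1
 no network 12.0.0.0
!
! Option B: keep "network 12.0.0.0" but filter the route from the
! updates sent out of the serial links.
! ACL 12 is an assumed, otherwise unused standard access list.
access-list 12 deny   12.0.0.0 0.255.255.255
access-list 12 permit any
!
router igrp 1
 ! Ethernet0 stays passive so no IGRP updates are sent onto the LAN.
 passive-interface Ethernet0
 network 12.0.0.0
 network 172.16.0.0
 network 172.17.0.0
 ! The serial interfaces are NOT passive here; they still send updates,
 ! minus anything ACL 12 denies.
 distribute-list 12 out Serial0
 distribute-list 12 out Serial1
!
! Verify on Cisco2509:    show ip protocols
!   (lists the passive interfaces and the outgoing update filter list)
! Verify on the neighbor: show ip route
!   (12.0.0.0 should drop out of the table once the IGRP timers expire)
```

With IGRP, passive-interface only suppresses outgoing updates; the router still processes updates it receives on that interface.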



Security specialisation - MCNS exam tips etc needed [7:30655]

2002-01-02 Thread Andrew Larkins

Hi all

Does anyone out there know where I can get some practice exams, dumps, web
based study guides etc. for this exam? All help is appreciated.

Regards

Andrew Larkins
BCom, CCNP, CCDA
Bytes Technology Networks
A Division of the Bytes Technology Group
A Member of the Altron Group
www.btgroup.co.za
visit the press office @ www.itweb.co.za/office/bytes

Tel :  +27 11 800 9336
Fax : +27 11 800 9496
Mobile : +27 83 656 7214
Email :  [EMAIL PROTECTED]
OR  [EMAIL PROTECTED]
   


 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30655t=30655



per-user ACL [7:30656]

2002-01-02 Thread Mehmet ILGAZ

Does anybody install filters for dial-up users at 5X00?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30656t=30656



ccna exam info [7:30657]

2002-01-02 Thread eli

Hey group-

  I am interested in taking the CCNA exam. I need web site information or
links which give example tests, Brain dumps,
study guides, lab practices  more ...

thank you all

HAPPY NEW YEAR

Eli Aviv




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30657t=30657



Re: OT - Firewall performance Comparisons - is it quitting time [7:30658]

2002-01-02 Thread Tim O'Brien

A couple of points, and I will then get off of my soapbox...

Checkpoint NG is STILL an application running on UNIX or NT, not a self
contained appliance. Personally I love Microsoft (let the flames begin!),
however, with the critical updates that I see getting installed on my 2000
and XP workstations I am POSITIVE that I would not want to trust my company
security to it. Another point.. Have you ever installed and configured a
Checkpoint firewall? You can have the PIX up and running with failover even
before you get the OS half installed on the new server that you need to buy
for it, thus raising the cost for an already more expensive solution in
man-hours and equipment. The PIX is also very interoperable with other
devices in the network. You can create PIX to PIX or PIX to IOS or PIX to
3000VPN site-to-site with other offices or home offices with built in 56bit
DES or available 3DES. You can tunnel in VPN clients (free Cisco VPN client
available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last
point, Have you ever had to get support from Checkpoint??? enough said about
that one...

If you would like to discuss further contact me offline...

Tim

- Original Message -
From: [EMAIL PROTECTED]

To: 
Sent: Wednesday, January 02, 2002 4:05 AM
Subject: Re: OT - Firewall performance Comparisons - is it quitting time
[7:30652]


 For quite a while CheckPoint is outperforming every single Firewall in the
 market, especially in the CheckPoint Next Generation Firewall version
 and with the release of their SecureXL API.
 It is important to remember that performance is not everything that needs to
 be compared while testing a Firewall.
 I love the Cisco PIX but the CheckPoint NG is amazing.

 Gil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30658t=30658



Re: OT - Firewall performance Comparisons - is it quitting time [7:30659]

2002-01-02 Thread Gil_Shulman/[EMAIL PROTECTED]

Everything that you said is correct and I love that PIX and I have
installed it many times with the failover option for high availability,
nevertheless what about clustering, what about logging, and I don't mean
Syslog data or the 512 lines that the PDM offers with limited information,
I can go on and on about the pros and cons of using platforms like Windows,
Solaris, Linux.
Don't forget the FreeBSD that the Nokia box is based upon which is tightly
integrated with the firewall, scalability is the name of the game.
I have a lot of experience with every product offered by CheckPoint and
their competitors like Cisco, Netscreen and all the other solutions.
The only Vendor that can give a good and complete security solution is
CheckPoint and if you want to talk about clients, check the functionality
of the CheckPoint SecuRemote client of the SecureClient by itself or
together with the SCV function.
I am not trying to prove the CheckPoint is better; every case needs a
different solution, depending on the people operating the system and the
company's specific need (I am an integrator).
Personally I believe that CheckPoint has the best security solution on the
market today even if I love Cisco's solutions.

Gil


   
   
Tim O'Brien
Sent by: nobody@groupstudy.com
01/02/2002 02:42 PM
Please respond to Tim O'Brien

cc:
Subject: Re: OT - Firewall performance Comparisons - is it quitting time [7:30658]



A couple of points, and I will then get off of my soapbox...

Checkpoint NG is STILL an application running on UNIX or NT, not a self
contained appliance. Personally I love Microsoft (let the flames begin!),
however, with the critical updates that I see getting installed on my 2000
and XP workstations I am POSITIVE that I would not want to trust my company
security to it. Another point.. Have you ever installed and configured a
Checkpoint firewall? You can have the PIX up and running with failover even
before you get the OS half installed on the new server that you need to buy
for it, thus raising the cost for an already more expensive solution in
man-hours and equipment. The PIX is also very interoperable with other
devices in the network. You can create PIX to PIX or PIX to IOS or PIX to
3000VPN site-to-site with other offices or home offices with built in 56bit
DES or available 3DES. You can tunnel in VPN clients (free Cisco VPN client
available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last
point, Have you ever had to get support from Checkpoint??? enough said about
that one...

If you would like to discuss further contact me offline...

Tim

- Original Message -
From: [EMAIL PROTECTED]

To:
Sent: Wednesday, January 02, 2002 4:05 AM
Subject: Re: OT - Firewall performance Comparisons - is it quitting time
[7:30652]


 For quite a while CheckPoint is outperforming every single Firewall in the
 market, especially in the CheckPoint Next Generation Firewall version
 and with the release of their SecureXL API.
 It is important to remember that performance is not everything that needs to
 be compared while testing a Firewall.
 I love the Cisco PIX but the CheckPoint NG is amazing.

 Gil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30659t=30659



Re: ccna exam info [7:30657]

2002-01-02 Thread Phil Barker

If it's braindumps you're after, you're in the wrong place.
For study guides try www.certificationzone.com.

The archives on groupstudy.com will give you all the
info you need !!!

Phil.
 --- eli wrote:
 Hey group-

   I am interested in taking the CCNA exam. I need web site information or
 links which give example tests, Brain dumps,
 study guides, lab practices  more ...
 
 thank you all
 
 HAPPY NEW YEAR
 
 Eli Aviv
[EMAIL PROTECTED] 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30660t=30657



Re: ccna exam info [7:30657]

2002-01-02 Thread Steven A. Ridder

Try Wendell Odom's CCNA Exam Certification Guide.  Please try to config a
router a few times if you haven't yet before you take the CCNA.  It will
make your knowledge more concrete.

For practice tests, try Boson.com, examcram.com, etc.   Cisco even has some
tests that have the real questions on them (they look real to me).

I'm not afraid to show someone how to cheat on a test, as I believe the net
is open and exists to share information, for good or bad, and even if you
saw all the tasks on a CCIE lab, you're not going to pass without knowing
all your stuff.

There used to be braindumps on http://leuthard.ch/mcse/640-407.shtml but
they were 3 years old by now.  I believe you can try the discussion boards
on cramsession.com for more braindumps on all the tests up to the CCIE lab.
I have even seen CCIE lab braindumps from as recently as Dec. 28, 2001.

eli wrote in message
news:[EMAIL PROTECTED]...
 Hey group-

   I am interested in taking the CCNA exam. I need web site information or
 links which give example tests, Brain dumps,
 study guides, lab practices  more ...

 thank you all

 HAPPY NEW YEAR

 Eli Aviv




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30661t=30657



Re: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Someone at Cisco was just telling me about a guy who came in from Korea to
take the CCIE lab and during lunch, he called TAC on one of the problems.
The TAC tech recognized the problem as a lab problem from his CCIE test,
called down to the lab instructors to see if that person was taking the lab,
and sure enough he was.  He was busted and sent back home.  I don't agree
with what he did, but I find it amusing nonetheless.


Steven A. Ridder wrote in message
news:[EMAIL PROTECTED]...
 Thanks.


 Priscilla Oppenheimer wrote in message
 news:[EMAIL PROTECTED]...
  Yes, it's in IEEE 802.3. It's in Clause 28 of the IEEE 802.3 2000 Edition.
  It might have been in earlier versions too.

  Priscilla

  At 02:31 PM 12/31/01, Steven A. Ridder wrote:
  Is there any standardization for autonegotiation like 802.x or something.  I
  have never heard of anything like it, and maybe that's half the problem?


  Priscilla Oppenheimer wrote in message
  news:[EMAIL PROTECTED]...
Auto-negotiation is infamous for not working as advertised! ;-) It's not
just Cisco equipment.

There is definitely a problem when introducing older 10BaseT equipment into
the equation, which it sounds like Ole did. Perhaps one of the more
hardware, physical-layer type engineers remembers more of the details than
I do, but from what I understand the 100-Mbps fast link pulses used for
auto-negotiation produce enough signal in the frequency band of the 10-Mbps
link pulses such that the 10-Mbps chip thinks it sees a signal and doesn't
re-negotiate or drop or establish link integrity as it should.

It's definitely strange that STP noticed a problem when other applications
didn't. I'll have to ponder that one..

Priscilla
   
   
At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
It's been more than once when I've encountered autonegotiation/autosense
issues between a Cisco router and Cisco switch.  I've even seen problems
when both interfaces were 10/100 and both hard-coded to 100/full and the
link wouldn't come up.  This may a chink in the Cisco armor as I rarely
encounter issues with autonegotiation/autosense with other equipment but
when I install a new Cisco network, one thing I ALWAYS have to do is go
through the 10/100 ports of every switch and look for duplex (and sometimes
speed) mismatches.  Crazy...

Rik

-Original Message-
From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]


It's unfortunate that sometimes when things break, they don't perform in
expected ways. Rather it truly was an Autosense problem or not, who knows.
But it brings up a chance to talk about Autosense. I've had it bite me more
than once. I've had problems with Autosense that didn't show up until months
after installation. It doesn't matter if it's Cisco to Cisco or Cisco to
another vendor, I've had to lock down ports at certain speeds and modes to
solve problems on several occasions. Just to pass along some experience, you
may always be better off hard setting your options. Nice persistence Mr.
Jensen, it's cool to stick with something until you can make it work.

Chris

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 6:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]


An interesting read, particularly since I am reviewing Kennedy Clark's Cisco
LAN Switching book prior to reviewing Cat5K and Cat 3920 configuration.

I am somewhat surprised at both the phenomenon and the conclusion. Spanning
tree blocks for particular reasons.

when you concluded that your configurations were identical at all offices,
does that mean that your port negotiations were set to auto everywhere else?
both on the routers and on the local switches? if so, I would expect to see
similar problems elsewhere.

is it possible that there was a duplicate mac someplace in another part of
the bridged network, one that was being picked up by STP and interpreted as
a loop? You mention changing macs of interfaces as part of your
experimentation. Are you certain that this process was not part of the
solution?

To be frank, I'm hard pressed to come up with a reason why the FE port on
the router would go into blocking. I can see that happening on the serial
port for reasons that have been discussed on this group in the past. I can't
come up with a rationale as to why hard setting of speed and duplex would
make a difference. I suppose one MIGHT

Re: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Thanks.


Priscilla Oppenheimer wrote in message
news:[EMAIL PROTECTED]...
 Yes, it's in IEEE 802.3. It's in Clause 28 of the IEEE 802.3 2000 Edition.
 It might have been in earlier versions too.

 Priscilla

 At 02:31 PM 12/31/01, Steven A. Ridder wrote:
 Is there any standardization for autonegotiation like 802.x or something.  I
 have never heard of anything like it, and maybe that's half the problem?


 Priscilla Oppenheimer wrote in message
 news:[EMAIL PROTECTED]...
   Auto-negotiation is infamous for not working as advertised! ;-) It's not
   just Cisco equipment.

   There is definitely a problem when introducing older 10BaseT equipment into
   the equation, which it sounds like Ole did. Perhaps one of the more
   hardware, physical-layer type engineers remembers more of the details than
   I do, but from what I understand the 100-Mbps fast link pulses used for
   auto-negotiation produce enough signal in the frequency band of the 10-Mbps
   link pulses such that the 10-Mbps chip thinks it sees a signal and doesn't
   re-negotiate or drop or establish link integrity as it should.

   It's definitely strange that STP noticed a problem when other applications
   didn't. I'll have to ponder that one..

   Priscilla
  
  
   At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
   It's been more than once when I've encountered autonegotiation/autosense
   issues between a Cisco router and Cisco switch.  I've even seen problems
   when both interfaces were 10/100 and both hard-coded to 100/full and the
   link wouldn't come up.  This may a chink in the Cisco armor as I rarely
   encounter issues with autonegotiation/autosense with other equipment but
   when I install a new Cisco network, one thing I ALWAYS have to do is go
   through the 10/100 ports of every switch and look for duplex (and sometimes
   speed) mismatches.  Crazy...

   Rik
   
   -Original Message-
   From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
   Sent: Saturday, December 29, 2001 11:02 PM
   To: [EMAIL PROTECTED]
   Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]


   It's unfortunate that sometimes when things break, they don't perform in
   expected ways. Rather it truly was an Autosense problem or not, who knows.
   But it brings up a chance to talk about Autosense. I've had it bite me more
   than once. I've had problems with Autosense that didn't show up until months
   after installation. It doesn't matter if it's Cisco to Cisco or Cisco to
   another vendor, I've had to lock down ports at certain speeds and modes to
   solve problems on several occasions. Just to pass along some experience, you
   may always be better off hard setting your options. Nice persistence Mr.
   Jensen, it's cool to stick with something until you can make it work.

   Chris
   
   -Original Message-
   From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
   Sent: Saturday, December 29, 2001 6:14 PM
   To: [EMAIL PROTECTED]
   Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]


   An interesting read, particularly since I am reviewing Kennedy Clark's Cisco
   LAN Switching book prior to reviewing Cat5K and Cat 3920 configuration.

   I am somewhat surprised at both the phenomenon and the conclusion. Spanning
   tree blocks for particular reasons.

   when you concluded that your configurations were identical at all offices,
   does that mean that your port negotiations were set to auto everywhere else?
   both on the routers and on the local switches? if so, I would expect to see
   similar problems elsewhere.

   is it possible that there was a duplicate mac someplace in another part of
   the bridged network, one that was being picked up by STP and interpreted as
   a loop? You mention changing macs of interfaces as part of your
   experimentation. Are you certain that this process was not part of the
   solution?

   To be frank, I'm hard pressed to come up with a reason why the FE port on
   the router would go into blocking. I can see that happening on the serial
   port for reasons that have been discussed on this group in the past. I can't
   come up with a rationale as to why hard setting of speed and duplex would
   make a difference. I suppose one MIGHT conclude that if the port is in full
   duplex, the STP process MIGHT see a loop occurring over the two different
   wire pairs. that's about the only wild rationale I can come up with. And
   that one is really stretching the point / bug / whatever.

   In any case, thanks for the good read.

   Chuck
   
   
   Ole Drews Jensen wrote in message
   news:[EMAIL PROTECTED]...
 After a fun evening last night, I have decided not to trust the autosensing
 on ethernet interfaces anymore.

 I was at a branch office where the users could not access the
 corporate network. The router, a 1720 setup

RE: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Auto-negotiation is infamous for not working as advertised! ;-) It's not
just Cisco equipment.

There is definitely a problem when introducing older 10BaseT equipment into
the equation, which it sounds like Ole did. Perhaps one of the more
hardware, physical-layer type engineers remembers more of the details than
I do, but from what I understand the 100-Mbps fast link pulses used for
auto-negotiation produce enough signal in the frequency band of the 10-Mbps
link pulses such that the 10-Mbps chip thinks it sees a signal and doesn't
re-negotiate or drop or establish link integrity as it should.

It's definitely strange that STP noticed a problem when other applications
didn't. I'll have to ponder that one..

Priscilla


At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
It's been more than once when I've encountered autonegotiation/autosense
issues between a Cisco router and Cisco switch.  I've even seen problems
when both interfaces were 10/100 and both hard-coded to 100/full and the
link wouldn't come up.  This may a chink in the Cisco armor as I rarely
encounter issues with autonegotiation/autosense with other equipment but
when I install a new Cisco network, one thing I ALWAYS have to do is go
through the 10/100 ports of every switch and look for duplex (and sometimes
speed) mismatches.  Crazy...

Rik

-Original Message-
From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]


It's unfortunate that sometimes when things break, they don't perform in
expected ways. Rather it truly was an Autosense problem or not, who knows.
But it brings up a chance to talk about Autosense. I've had it bite me more
than once. I've had problems with Autosense that didn't show up until months
after installation. It doesn't matter if it's Cisco to Cisco or Cisco to
another vendor, I've had to lock down ports at certain speeds and modes to
solve problems on several occasions. Just to pass along some experience, you
may always be better off hard setting your options. Nice persistence Mr.
Jensen, it's cool to stick with something until you can make it work.

Chris

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 6:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]


An interesting read, particularly since I am reviewing Kennedy Clark's Cisco
LAN Switching book prior to reviewing Cat5K and Cat 3920 configuration.

I am somewhat surprised at both the phenomenon and the conclusion. Spanning
tree blocks for particular reasons.

when you concluded that your configurations were identical at all offices,
does that mean that your port negotiations were set to auto everywhere else?
both on the routers and on the local switches? if so, I would expect to see
similar problems elsewhere.

is it possible that there was a duplicate mac someplace in another part of
the bridged network, one that was being picked up by STP and interpreted as
a loop? You mention changing macs of interfaces as part of your
experimentation. Are you certain that this process was not part of the
solution?

To be frank, I'm hard pressed to come up with a reason why the FE port on
the router would go into blocking. I can see that happening on the serial
port for reasons that have been discussed on this group in the past. I can't
come up with a rationale as to why hard setting of speed and duplex would
make a difference. I suppose one MIGHT conclude that if the port is in full
duplex, the STP process MIGHT see a loop occurring over the two different
wire pairs. that's about the only wild rationale I can come up with. And
that one is really stretching the point / bug / whatever.

In any case, thanks for the good read.

Chuck


Ole Drews Jensen wrote in message
news:[EMAIL PROTECTED]...
  After a fun evening last night, I have decided not to trust the autosensing
  on ethernet interfaces anymore.

  I was at a branch office where the users could not access the
  corporate network. The router, a 1720 setup as a bridge with the same
  IP address for the FastEthernet as the Serial subinterface, both
  configured for bridge-group 1. It was connected to a 2620 at the
  corporate office via a Fractional Frame Relay connection.

  I changed the switch out with an old spare hub I had lying around, and
  connected only one workstation from the local network. After starting
  the router up, I could ping the local workstation, and I could ping
  devices on the corporate network, so both my FastEthernet and Serial
  interfaces were working fine. However, I could not ping anything on
  the corporate network from my workstation, nor could I from a telnet
  connection to my corporate router ping the workstation, so traffic was
  not being passed through between the interfaces.

  That looked like a typical routing

Re: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Is there any standardization for autonegotiation like 802.x or something.  I
have never heard of anything like it, and maybe that's half the problem?


Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
 Auto-negotiation is infamous for not working as advertised! ;-) It's not
 just Cisco equipment.

 There is definitely a problem when introducing older 10BaseT equipment
into
 the equation, which it sounds like Ole did. Perhaps one of the more
 hardware, physical-layer type engineers remembers more of the details than
 I do, but from what I understand the 100-Mbps fast link pulses used for
 auto-negotiation produce enough signal in the frequency band of the
10-Mbps
 link pulses such that the 10-Mbps chip thinks it sees a signal and doesn't
 re-negotiate or drop or establish link integrity as it should.

 It's definitely strange that STP noticed a problem when other applications
 didn't. I'll have to ponder that one..

 Priscilla


 At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
 It's been more than once when I've encountered autonegotiation/autosense
 issues between a Cisco router and Cisco switch.  I've even seen problems
 when both interfaces were 10/100 and both hard-coded to 100/full and the
 link wouldn't come up.  This may be a chink in the Cisco armor as I rarely
 encounter issues with autonegotiation/autosense with other equipment but
 when I install a new Cisco network, one thing I ALWAYS have to do is go
 through the 10/100 ports of every switch and look for duplex (and
sometimes
 speed) mismatches.  Crazy...
 
 Rik
 
 -Original Message-
 From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, December 29, 2001 11:02 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]
 
 
 It's unfortunate that sometimes when things break, they don't perform in
 expected ways. Rather it truly was an Autosense problem or not, who
knows.
 But it brings up a chance to talk about Autosense. I've had it bite me
more
 than once. I've had problems with Autosense that didn't show up until
months
 after installation. It doesn't matter if its Cisco to Cisco or Cisco to
 another vendor, I've had to lock down ports at certain speeds and modes
to
 solve problems on several occasions. Just to pass along some experience,
you
 may always be better off hard setting your options. Nice persistence Mr.
 Jensen, it's cool to stick with something until you can make it work.
 
 Chris
 
 -Original Message-
 From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, December 29, 2001 6:14 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]
 
 
 An interesting read, particularly since I am reviewing Kennedy clark's
cisco
 Lan Switching book prior to reviewing Cat5K and Cat 3920 configuration.
 
 I am somewhat surprised at both the phenomenon and the conclusion.
Spanning
 tree blocks for particular reasons.
 
 when you concluded that your configurations were identical at all
offices,
 does that mean that your port negotiations were set to auto everywhere
else?
 both on the routers and on the local switches? if so, I would expect to
see
 similar problems elsewhere.
 
 is it possible that there was a duplicate mac someplace in another part
of
 the bridged network, one that was being picked up by STP and interpreted
as
 a loop? You mention changing macs of interfaces as part of your
 experimentation. Are you certain that this process was not part of the
 solution?
 
 To be frank, I'm hard pressed to come up with a reason why the FE port on
 the router would go into blocking. I can see that happening on the serial
 port for reasons that have been discussed on this group in the past. I
can't
 come up with a rationale as to why hard setting of speed and duplex would
 make a difference. I suppose one MIGHT conclude that if the port is in
full
 duplex, the STP process MIGHT see a loop occurring over the two different
 wire pairs. that's about the only wild rationale I can come up with. And
 that one is really stretching the point / bug / whatever.
 
 In any case, thanks for the good read.
 
 Chuck
 
 
 Ole Drews Jensen  wrote in message
 news:[EMAIL PROTECTED]...
   After a fun evening last night, I have decided not to trust the
 autosensing
   on ethernet interfaces anymore.
  
   I was at a branch office where the users could not access the
   corporate network. The router, a 1720 setup as a bridge with the same
   IP address for the FastEthernet as the Serial subinterface, both
   configured for bridge-group 1. It was connected to a 2620 at the
   corporate office via a Fractional Frame Relay connection.
  
   I changed the switch out with an old spare hub I had lying around, and
   connected only one workstation from the local network. After starting
   the router up, I could ping the local workstation, and I could ping
   devices on the corporate network, so both my 

Re: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Yes, it's in IEEE 802.3. It's in Clause 28 of the IEEE 802.3 2000 Edition.
It might have been in earlier versions too.

Priscilla

At 02:31 PM 12/31/01, Steven A. Ridder wrote:
Is there any standardization for autonegotiation like 802.x or something.  I
have never heard of anything like it, and maybe that's half the problem?


Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
  Auto-negotiation is infamous for not working as advertised! ;-) It's not
  just Cisco equipment.
 
  There is definitely a problem when introducing older 10BaseT equipment
into
  the equation, which it sounds like Ole did. Perhaps one of the more
  hardware, physical-layer type engineers remembers more of the details
than
  I do, but from what I understand the 100-Mbps fast link pulses used for
  auto-negotiation produce enough signal in the frequency band of the
10-Mbps
  link pulses such that the 10-Mbps chip thinks it sees a signal and
doesn't
  re-negotiate or drop or establish link integrity as it should.
 
  It's definitely strange that STP noticed a problem when other
applications
  didn't. I'll have to ponder that one..
 
  Priscilla
 
 
  At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
  It's been more than once when I've encountered autonegotiation/autosense
  issues between a Cisco router and Cisco switch.  I've even seen problems
  when both interfaces were 10/100 and both hard-coded to 100/full and the
  link wouldn't come up.  This may be a chink in the Cisco armor as I rarely
  encounter issues with autonegotiation/autosense with other equipment but
  when I install a new Cisco network, one thing I ALWAYS have to do is go
  through the 10/100 ports of every switch and look for duplex (and
sometimes
  speed) mismatches.  Crazy...
  
  Rik
  
  -Original Message-
  From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, December 29, 2001 11:02 PM
  To: [EMAIL PROTECTED]
  Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]
  
  
  It's unfortunate that sometimes when things break, they don't perform in
  expected ways. Rather it truly was an Autosense problem or not, who
knows.
  But it brings up a chance to talk about Autosense. I've had it bite me
more
  than once. I've had problems with Autosense that didn't show up until
months
  after installation. It doesn't matter if its Cisco to Cisco or Cisco to
  another vendor, I've had to lock down ports at certain speeds and modes
to
  solve problems on several occasions. Just to pass along some experience,
you
  may always be better off hard setting your options. Nice persistence Mr.
  Jensen, it's cool to stick with something until you can make it work.
  
  Chris
  
  -Original Message-
  From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, December 29, 2001 6:14 PM
  To: [EMAIL PROTECTED]
  Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]
  
  
  An interesting read, particularly since I am reviewing Kennedy clark's
cisco
  Lan Switching book prior to reviewing Cat5K and Cat 3920 configuration.
  
  I am somewhat surprised at both the phenomenon and the conclusion.
Spanning
  tree blocks for particular reasons.
  
  when you concluded that your configurations were identical at all
offices,
  does that mean that your port negotiations were set to auto everywhere
else?
  both on the routers and on the local switches? if so, I would expect to
see
  similar problems elsewhere.
  
  is it possible that there was a duplicate mac someplace in another part
of
  the bridged network, one that was being picked up by STP and interpreted
as
  a loop? You mention changing macs of interfaces as part of your
  experimentation. Are you certain that this process was not part of the
  solution?
  
  To be frank, I'm hard pressed to come up with a reason why the FE port
on
  the router would go into blocking. I can see that happening on the serial
  port for reasons that have been discussed on this group in the past. I
can't
  come up with a rationale as to why hard setting of speed and duplex
would
  make a difference. I suppose one MIGHT conclude that if the port is in
full
  duplex, the STP process MIGHT see a loop occurring over the two different
  wire pairs. that's about the only wild rationale I can come up with. And
  that one is really stretching the point / bug / whatever.
  
  In any case, thanks for the good read.
  
  Chuck
  
  
  Ole Drews Jensen  wrote in message
  news:[EMAIL PROTECTED]...
After a fun evening last night, I have decided not to trust the
  autosensing
on ethernet interfaces anymore.
   
I was at a branch office where the users could not access the
corporate network. The router, a 1720 setup as a bridge with the same
IP address for the FastEthernet as the Serial subinterface, both
configured for bridge-group 1. It was connected to a 2620 at the
corporate office via a Fractional Frame Relay 

MSFC [7:30668]

2002-01-02 Thread [EMAIL PROTECTED]

I have a 6509 switch with 2 MSFC's.  I would like to know if I can or should
I have the same config on both MSFC's.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30668t=30668



RE: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

It's been more than once when I've encountered autonegotiation/autosense
issues between a Cisco router and Cisco switch.  I've even seen problems
when both interfaces were 10/100 and both hard-coded to 100/full and the
link wouldn't come up.  This may be a chink in the Cisco armor as I rarely
encounter issues with autonegotiation/autosense with other equipment but
when I install a new Cisco network, one thing I ALWAYS have to do is go
through the 10/100 ports of every switch and look for duplex (and sometimes
speed) mismatches.  Crazy...

Rik

-Original Message-
From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]


It's unfortunate that sometimes when things break, they don't perform in
expected ways. Rather it truly was an Autosense problem or not, who knows.
But it brings up a chance to talk about Autosense. I've had it bite me more
than once. I've had problems with Autosense that didn't show up until months
after installation. It doesn't matter if its Cisco to Cisco or Cisco to
another vendor, I've had to lock down ports at certain speeds and modes to
solve problems on several occasions. Just to pass along some experience, you
may always be better off hard setting your options. Nice persistence Mr.
Jensen, it's cool to stick with something until you can make it work.

Chris

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 6:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]


An interesting read, particularly since I am reviewing Kennedy clark's cisco
Lan Switching book prior to reviewing Cat5K and Cat 3920 configuration.

I am somewhat surprised at both the phenomenon and the conclusion. Spanning
tree blocks for particular reasons.

when you concluded that your configurations were identical at all offices,
does that mean that your port negotiations were set to auto everywhere else?
both on the routers and on the local switches? if so, I would expect to see
similar problems elsewhere.

is it possible that there was a duplicate mac someplace in another part of
the bridged network, one that was being picked up by STP and interpreted as
a loop? You mention changing macs of interfaces as part of your
experimentation. Are you certain that this process was not part of the
solution?

To be frank, I'm hard pressed to come up with a reason why the FE port on
the router would go into blocking. I can see that happening on the serial
port for reasons that have been discussed on this group in the past. I can't
come up with a rationale as to why hard setting of speed and duplex would
make a difference. I suppose one MIGHT conclude that if the port is in full
duplex, the STP process MIGHT see a loop occurring over the two different
wire pairs. that's about the only wild rationale I can come up with. And
that one is really stretching the point / bug / whatever.

In any case, thanks for the good read.

Chuck


Ole Drews Jensen  wrote in message
news:[EMAIL PROTECTED]...
 After a fun evening last night, I have decided not to trust the
autosensing
 on ethernet interfaces anymore.

 I was at a branch office where the users could not access the
 corporate network. The router, a 1720 setup as a bridge with the same
 IP address for the FastEthernet as the Serial subinterface, both
 configured for bridge-group 1. It was connected to a 2620 at the
 corporate office via a Fractional Frame Relay connection.

 I changed the switch out with an old spare hub I had lying around, and
 connected only one workstation from the local network. After starting
 the router up, I could ping the local workstation, and I could ping
 devices on the corporate network, so both my FastEthernet and Serial
 interfaces were working fine. However, I could not ping anything on
 the corporate network from my workstation, nor could I from a telnet
 connection to my corporate router ping the workstation, so traffic was
 not being passed through
between
 the interfaces.

 That looked like a typical routing problem, but the only problem was
 that
I
 was not routing, I was bridging, so ?

 I did a show bridge 1 group and saw that the FastEthernet was in a
 blocking state by the spanning tree, so something was wrong here. I
cleared
 the arp table on the router and on all other routers and switches. I
 tried to assign a different mac address to the FE interface. I tried a
 different workstation. No matter what I did, it kept being in a
 blocking state.

 I went in and did a bridge-group 1 spanning-disabled on the
 interface,
and
 it changed to forwarding state, but I could still not pass traffic
through.

 This is when I called TAC, but after I guided them through to a telnet
 connection to my routers, they decided after three hours that
 something weird was going on with the router, and they 
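
An added example, not part of any post in this thread: one way to script the per-port duplex check described above. It parses constructed text modelled on IOS `show interfaces` output, compares both ends of each known link, and applies the usual symptom heuristics to ports whose peer is not in the inventory. Hostnames, counters, the link map and `CRC_THRESHOLD` are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample text modelled on IOS "show interfaces" output.
# Hostnames, counters and the link map are invented for this example.
SAMPLE = {
    "rtr-a": """\
FastEthernet0 is up, line protocol is up
  Half-duplex, 100Mb/s, 100BaseTX/FX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 412 collisions, 1 interface resets
     0 babbles, 97 late collision, 310 deferred
""",
    "sw-a": """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s
     1893 input errors, 1790 CRC, 103 frame, 0 overrun, 0 ignored
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/2 is up, line protocol is up
  Full-duplex, 100Mb/s
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/3 is up, line protocol is up
  Full-duplex, 100Mb/s
     655 input errors, 640 CRC, 15 frame, 0 overrun, 0 ignored
     0 babbles, 0 late collision, 0 deferred
""",
    "sw-b": """\
FastEthernet0/5 is up, line protocol is up
  Full-duplex, 100Mb/s
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 babbles, 0 late collision, 0 deferred
""",
}
# Which port is cabled to which (assumed to come from documentation or CDP).
LINKS = [
    (("rtr-a", "FastEthernet0"), ("sw-a", "FastEthernet0/1")),
    (("sw-a", "FastEthernet0/2"), ("sw-b", "FastEthernet0/5")),
]
CRC_THRESHOLD = 100  # assumed noise floor since the counters were last cleared

HEADER = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol is")
MODE = re.compile(r"^\s+(Full|Half)-duplex, (\d+)Mb/s")
CRC = re.compile(r"(\d+) CRC")
LATE = re.compile(r"(\d+) late collision")


@dataclass
class Port:
    duplex: str = "unknown"
    speed: str = "unknown"
    crc: int = 0
    late_collisions: int = 0


def parse_interfaces(text):
    """Return {interface name: Port} for one device's output."""
    ports, current = {}, None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            current = ports.setdefault(m.group(1), Port())
            continue
        if current is None:
            continue
        if (m := MODE.match(line)):
            current.duplex, current.speed = m.group(1).lower(), m.group(2)
        if (m := CRC.search(line)):
            current.crc = int(m.group(1))
        if (m := LATE.search(line)):
            current.late_collisions = int(m.group(1))
    return ports


def audit_links(inventory, links):
    """Compare the operating speed/duplex of both ends of each link."""
    findings = []
    for (host_a, if_a), (host_b, if_b) in links:
        a, b = inventory[host_a][if_a], inventory[host_b][if_b]
        label = f"{host_a}:{if_a} <-> {host_b}:{if_b}"
        if a.duplex != b.duplex:
            findings.append((label, "duplex-mismatch", f"{a.duplex} vs {b.duplex}"))
        if a.speed != b.speed:
            findings.append((label, "speed-mismatch", f"{a.speed} vs {b.speed}"))
    return findings


def audit_edge_ports(inventory, links):
    """Flag mismatch symptoms on ports whose far end is not in the inventory."""
    linked = {end for link in links for end in link}
    findings = []
    for host, ports in inventory.items():
        for name, port in ports.items():
            if (host, name) in linked:
                continue
            # Heuristics: the half-duplex side of a mismatch logs late
            # collisions, the full-duplex side logs CRC errors.
            if port.duplex == "half" and port.late_collisions > 0:
                findings.append((f"{host}:{name}", "late-collisions-on-half-duplex"))
            if port.duplex == "full" and port.crc > CRC_THRESHOLD:
                findings.append((f"{host}:{name}", "crc-on-full-duplex"))
    return findings


if __name__ == "__main__":
    inv = {host: parse_interfaces(text) for host, text in SAMPLE.items()}
    for finding in audit_links(inv, LINKS) + audit_edge_ports(inv, LINKS):
        print(*finding, sep="  ")
```

CRC errors also come from bad cabling, so an edge-port finding is a prompt to check the attached device's settings, not proof of a mismatch.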

Re: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Is there any standardization for autonegotiation like 802.x or something.  I
have never heard of anything like it, and maybe that's half the problem?


Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
 Auto-negotiation is infamous for not working as advertised! ;-) It's not
 just Cisco equipment.

 There is definitely a problem when introducing older 10BaseT equipment
into
 the equation, which it sounds like Ole did. Perhaps one of the more
 hardware, physical-layer type engineers remembers more of the details than
 I do, but from what I understand the 100-Mbps fast link pulses used for
 auto-negotiation produce enough signal in the frequency band of the
10-Mbps
 link pulses such that the 10-Mbps chip thinks it sees a signal and doesn't
 re-negotiate or drop or establish link integrity as it should.

 It's definitely strange that STP noticed a problem when other applications
 didn't. I'll have to ponder that one..

 Priscilla


 At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
 It's been more than once when I've encountered autonegotiation/autosense
 issues between a Cisco router and Cisco switch.  I've even seen problems
 when both interfaces were 10/100 and both hard-coded to 100/full and the
 link wouldn't come up.  This may be a chink in the Cisco armor as I rarely
 encounter issues with autonegotiation/autosense with other equipment but
 when I install a new Cisco network, one thing I ALWAYS have to do is go
 through the 10/100 ports of every switch and look for duplex (and
sometimes
 speed) mismatches.  Crazy...
 
 Rik
 
 -Original Message-
 From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, December 29, 2001 11:02 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]
 
 
 It's unfortunate that sometimes when things break, they don't perform in
 expected ways. Rather it truly was an Autosense problem or not, who
knows.
 But it brings up a chance to talk about Autosense. I've had it bite me
more
 than once. I've had problems with Autosense that didn't show up until
months
 after installation. It doesn't matter if its Cisco to Cisco or Cisco to
 another vendor, I've had to lock down ports at certain speeds and modes
to
 solve problems on several occasions. Just to pass along some experience,
you
 may always be better off hard setting your options. Nice persistence Mr.
 Jensen, it's cool to stick with something until you can make it work.
 
 Chris
 
 -Original Message-
 From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, December 29, 2001 6:14 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]
 
 
 An interesting read, particularly since I am reviewing Kennedy clark's
cisco
 Lan Switching book prior to reviewing Cat5K and Cat 3920 configuration.
 
 I am somewhat surprised at both the phenomenon and the conclusion.
Spanning
 tree blocks for particular reasons.
 
 when you concluded that your configurations were identical at all
offices,
 does that mean that your port negotiations were set to auto everywhere
else?
 both on the routers and on the local switches? if so, I would expect to
see
 similar problems elsewhere.
 
 is it possible that there was a duplicate mac someplace in another part
of
 the bridged network, one that was being picked up by STP and interpreted
as
 a loop? You mention changing macs of interfaces as part of your
 experimentation. Are you certain that this process was not part of the
 solution?
 
 To be frank, I'm hard pressed to come up with a reason why the FE port on
 the router would go into blocking. I can see that happening on the serial
 port for reasons that have been discussed on this group in the past. I
can't
 come up with a rationale as to why hard setting of speed and duplex would
 make a difference. I suppose one MIGHT conclude that if the port is in
full
 duplex, the STP process MIGHT see a loop occurring over the two different
 wire pairs. that's about the only wild rationale I can come up with. And
 that one is really stretching the point / bug / whatever.
 
 In any case, thanks for the good read.
 
 Chuck
 
 
 Ole Drews Jensen  wrote in message
 news:[EMAIL PROTECTED]...
   After a fun evening last night, I have decided not to trust the
 autosensing
   on ethernet interfaces anymore.
  
   I was at a branch office where the users could not access the
   corporate network. The router, a 1720 setup as a bridge with the same
   IP address for the FastEthernet as the Serial subinterface, both
   configured for bridge-group 1. It was connected to a 2620 at the
   corporate office via a Fractional Frame Relay connection.
  
   I changed the switch out with an old spare hub I had lying around, and
   connected only one workstation from the local network. After starting
   the router up, I could ping the local workstation, and I could ping
   devices on the corporate network, so both my 

RE: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Auto-negotiation is infamous for not working as advertised! ;-) It's not
just Cisco equipment.

There is definitely a problem when introducing older 10BaseT equipment into
the equation, which it sounds like Ole did. Perhaps one of the more
hardware, physical-layer type engineers remembers more of the details than
I do, but from what I understand the 100-Mbps fast link pulses used for
auto-negotiation produce enough signal in the frequency band of the 10-Mbps
link pulses such that the 10-Mbps chip thinks it sees a signal and doesn't
re-negotiate or drop or establish link integrity as it should.

It's definitely strange that STP noticed a problem when other applications
didn't. I'll have to ponder that one..

Priscilla


At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
It's been more than once when I've encountered autonegotiation/autosense
issues between a Cisco router and Cisco switch.  I've even seen problems
when both interfaces were 10/100 and both hard-coded to 100/full and the
link wouldn't come up.  This may be a chink in the Cisco armor as I rarely
encounter issues with autonegotiation/autosense with other equipment but
when I install a new Cisco network, one thing I ALWAYS have to do is go
through the 10/100 ports of every switch and look for duplex (and sometimes
speed) mismatches.  Crazy...

Rik

-Original Message-
From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]


It's unfortunate that sometimes when things break, they don't perform in
expected ways. Rather it truly was an Autosense problem or not, who knows.
But it brings up a chance to talk about Autosense. I've had it bite me more
than once. I've had problems with Autosense that didn't show up until months
after installation. It doesn't matter if its Cisco to Cisco or Cisco to
another vendor, I've had to lock down ports at certain speeds and modes to
solve problems on several occasions. Just to pass along some experience, you
may always be better off hard setting your options. Nice persistence Mr.
Jensen, it's cool to stick with something until you can make it work.

Chris

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 6:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]


An interesting read, particularly since I am reviewing Kennedy clark's cisco
Lan Switching book prior to reviewing Cat5K and Cat 3920 configuration.

I am somewhat surprised at both the phenomenon and the conclusion. Spanning
tree blocks for particular reasons.

when you concluded that your configurations were identical at all offices,
does that mean that your port negotiations were set to auto everywhere else?
both on the routers and on the local switches? if so, I would expect to see
similar problems elsewhere.

is it possible that there was a duplicate mac someplace in another part of
the bridged network, one that was being picked up by STP and interpreted as
a loop? You mention changing macs of interfaces as part of your
experimentation. Are you certain that this process was not part of the
solution?

To be frank, I'm hard pressed to come up with a reason why the FE port on
the router would go into blocking. I can see that happening on the serial
port for reasons that have been discussed on this group in the past. I can't
come up with a rationale as to why hard setting of speed and duplex would
make a difference. I suppose one MIGHT conclude that if the port is in full
duplex, the STP process MIGHT see a loop occurring over the two different
wire pairs. that's about the only wild rationale I can come up with. And
that one is really stretching the point / bug / whatever.

In any case, thanks for the good read.

Chuck


Ole Drews Jensen  wrote in message
news:[EMAIL PROTECTED]...
  After a fun evening last night, I have decided not to trust the
autosensing
  on ethernet interfaces anymore.
 
  I was at a branch office where the users could not access the
  corporate network. The router, a 1720 setup as a bridge with the same
  IP address for the FastEthernet as the Serial subinterface, both
  configured for bridge-group 1. It was connected to a 2620 at the
  corporate office via a Fractional Frame Relay connection.
 
  I changed the switch out with an old spare hub I had lying around, and
  connected only one workstation from the local network. After starting
  the router up, I could ping the local workstation, and I could ping
  devices on the corporate network, so both my FastEthernet and Serial
  interfaces were working fine. However, I could not ping anything on
  the corporate network from my workstation, nor could I from a telnet
  connection to my corporate router ping the workstation, so traffic was
  not being passed through
between
  the interfaces.
 
  That looked like a typical routing 

Re: Autosense this ... (add to your knowledgebase) [7:30446]

2002-01-02 Thread [EMAIL PROTECTED]

Someone at Cisco was just telling me about a guy who came in from Korea to
take the CCIE lab and during lunch, he called TAC on one of the problems.
The TAC tech recognized the problem as a lab problem from his CCIE test,
called down to the lab instructors to see if that person was taking the lab,
and sure enough he was.  He was busted and sent back home.  I don't agree
with what he did, but I find it amusing none the less.


Steven A. Ridder  wrote in message
news:[EMAIL PROTECTED]...
 Thanks.


 Priscilla Oppenheimer  wrote in message
 news:[EMAIL PROTECTED]...
  Yes, it's in IEEE 802.3. It's in Clause 28 of the IEEE 802.3 2000
Edition.
  It might have been in earlier versions too.
 
  Priscilla
 
  At 02:31 PM 12/31/01, Steven A. Ridder wrote:
  Is there any standardization for autonegotiation like 802.x or
something.
 I
  have never heard of anything like it, and maybe that's half the
problem?
  
  
  Priscilla Oppenheimer  wrote in message
  news:[EMAIL PROTECTED]...
Auto-negotiation is infamous for not working as advertised! ;-) It's
 not
just Cisco equipment.
   
There is definitely a problem when introducing older 10BaseT
equipment
  into
the equation, which it sounds like Ole did. Perhaps one of the more
hardware, physical-layer type engineers remembers more of the
details
  than
I do, but from what I understand the 100-Mbps fast link pulses used
 for
auto-negotiation produce enough signal in the frequency band of the
  10-Mbps
link pulses such that the 10-Mbps chip thinks it sees a signal and
  doesn't
re-negotiate or drop or establish link integrity as it should.
   
It's definitely strange that STP noticed a problem when other
  applications
didn't. I'll have to ponder that one..
   
Priscilla
   
   
At 10:26 AM 12/31/01, [EMAIL PROTECTED] wrote:
It's been more than once when I've encountered
 autonegotiation/autosense
issues between a Cisco router and Cisco switch.  I've even seen
 problems
when both interfaces were 10/100 and both hard-coded to 100/full
and
 the
link wouldn't come up.  This may be a chink in the Cisco armor as I
 rarely
encounter issues with autonegotiation/autosense with other
equipment
 but
when I install a new Cisco network, one thing I ALWAYS have to do
is
 go
through the 10/100 ports of every switch and look for duplex (and
  sometimes
speed) mismatches.  Crazy...

Rik

-Original Message-
From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Autosense this ... (add to your knowledgebase)
[7:30446]


It's unfortunate that sometimes when things break, they don't
perform
 in
expected ways. Rather it truly was an Autosense problem or not, who
  knows.
But it brings up a chance to talk about Autosense. I've had it bite
 me
  more
than once. I've had problems with Autosense that didn't show up
until
  months
after installation. It doesn't matter if its Cisco to Cisco or
Cisco
 to
another vendor, I've had to lock down ports at certain speeds and
 modes
  to
solve problems on several occasions. Just to pass along some
 experience,
  you
may always be better off hard setting your options. Nice
persistence
 Mr.
Jensen, it's cool to stick with something until you can make it
work.

Chris

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 6:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Autosense this ... (add to your knowledgebase)
[7:30446]


An interesting read, particularly since I am reviewing Kennedy
 clark's
  cisco
Lan Switching book prior to reviewing Cat5K and Cat 3920
 configuration.

I am somewhat surprised at both the phenomenon and the conclusion.
  Spanning
tree blocks for particular reasons.

when you concluded that your configurations were identical at all
  offices,
does that mean that your port negotiations were set to auto
 everywhere
  else?
both on the routers and on the local switches? if so, I would
expect
 to
  see
similar problems elsewhere.

is it possible that there was a duplicate mac someplace in another
 part
  of
the bridged network, one that was being picked up by STP and
 interpreted
  as
a loop? You mention changing macs of interfaces as part of your
experimentation. Are you certain that this process was not part of
 the
solution?

To be frank, I'm hard pressed to come up with a reason why the FE
 port
  on
the router would go into blocking. I can see that happening on the
 serial
port for reasons that have been discussed on this group in the
past.
 I
  can't
come up with a rationale as to why hard setting of speed and duplex
  would
make a difference. I suppose one MIGHT 

NAT syntax under subinterface. [7:30672]

2002-01-02 Thread Larry Brown

If you have a serial0.1 interface and are using this for ip nat outside, 
what is the correct syntax in defining your PAT or pool of addresses?

1. ip nat inside source list 1 interface serial0.1 overload

2. ip nat inside source list 1 interface serial0:1 overload ?

Or does it not matter at all?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30672t=30672



Re: MSFC [7:30668]

2002-01-02 Thread MADMAN

You have three choices.  

1 Treat the two MSFC's as two individual routers
2 Config-sync, basically you configure the routers individually but from
the active router
3 SRM, single router mode, you have a single router config, one active
one standby.

  of course this is ASSuming you're running hybrid mode

  In Native mode the box is just a big router and if you have two MSFCs
one is active the other standby.

 see

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_6_3/confg_gd/redund.htm

Dave

[EMAIL PROTECTED] wrote:
 
 I have a 6509 switch with 2 MSFC's.  I would like to know if I can or
should
 I have the same config on both MSFC's.
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30673t=30668



CCNP Exam [7:30674]

2002-01-02 Thread Kenny Au Yeung

Hi all,

I have passed Remote Access exam today, there are 77 Questions with 2 hour
time.
There are approx. 10 questions on typing command but you need not memorize
the command because there are list of choices to be selected.

I plan to take CIT next month, is there any useful information that could be
supplied to me ?

Best Regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30674t=30674



Re: OT - Firewall performance Comparisons - is it quitting time [7:30675]

2002-01-02 Thread Carroll Kong

Funky Unix exploits tend to only happen when people for some odd 
reason, decide to open up public services on those machines.  The same 
problem exists with NT, but usually it has silly libraries sploits as well.
 Any decent security admin can lock down any box running any 
OS.  The problem I would fear of using an OS based vs appliance based is 
making sure they cannot do more damage with it.  A hacked unix box can do 
oodles more damage than a hacked windows box.  Of course, you can lockdown 
the amount of binaries on the machine to make it very hard to continue 
attacking.  These are super hardened boxes.  Disabling services, any good 
admin can do in his sleep.  Hardening the box by removing specific binaries 
is a bit more difficult.  Have you checked the Nokia 440s or 330s 
appliance like boxes?  They run a BSD variant (IIRC), and are quite 
secure OS wise.  Yes, checkpoint runs on them as well.  Now, Checkpoint's 
security issues, that's a different story.  You will find most of the 
security holes in checkpoint are because of checkpoint itself, not the 
OS.  As for running it under NT, all I can say to the man who suggested it 
is, What are you thinking?.
 On the side, Pix has flaws too.  To be fair, I do not think there 
has been any firewall product released without a security exploit either in 
its rule handling or in its management interface.
 I think checkpoint can interoperate between some other devices as 
well.  So this is not a big deal.
 Supposedly, skip checkpoint specific tech support and get it from 
Nokia.  Nokia surprisingly has better checkpoint guys than checkpoint 
themselves.
 I agree that anything command line based can be configured far 
faster.  I think we all know the reason why people still go with 
checkpoint.  For some odd reason, some companies either believe that having 
an easier to use firewall will allow for a more secure network.  (insert 
your laughter here).  Or they believe that command line firewalls are too 
hard to use.  (insert more laughter)  Sigh.  My take on it.  If you do not 
understand firewalling theory, you will not understand it with or without a 
GUI.  Syntax aside, but that's trivial.  Ask any programmer who can make 
this analogy.  The key is understanding fundamentals, not understanding 
mouse clicks.
 Finally, I am not arguing for or against the Pix or 
Checkpoint.  Personally, I find they both have glaring problems that I am 
shocked to find.  They also have their own specific advantages.  However, I 
find some of your points are not necessarily valid.

At 07:42 AM 1/2/02 -0500, Tim O'Brien wrote:
A couple of points, and I will then get off of my soapbox...

Checkpoint NG is STILL an application running on UNIX or NT, not a self
contained appliance. Personally I love Microsoft (let the flames begin!),
however, with the critical updates that I see getting installed on my 2000
and XP workstations I am POSITIVE that I would not want to trust my company
security to it. Another point.. Have you ever installed and configured a
Checkpoint firewall? You can have the PIX up and running with failover even
before you get the OS half installed on the new server that you need to buy
for it, thus raising the cost for an already more expensive solution in
man-hours and equipment. The PIX is also very interoperable with other
devices in the network. You can create PIX to PIX or PIX to IOS or PIX to
3000VPN site-to-site with other offices or home offices with built in 56bit
DES or available 3DES . You can tunnel in VPN clients (free Cisco VPN client
available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last
point, Have you ever had to get support from Checkpoint??? enough said about
that one...

If you would like to discuss further contact me offline...

Tim

- Original Message -
From: [EMAIL PROTECTED]

To:
Sent: Wednesday, January 02, 2002 4:05 AM
Subject: Re: OT - Firewall performance Comparisons - is it quitting time
[7:30652]


  For quite a while CheckPoint is out performing every single Firewall in the
  market especially in the CheckPoint Next Generation Firewall version
  and with the release of their SecureXL API.
  It is important to remember that performance is not everything that needs to
  be compared while testing a Firewall.
  I love the Cisco PIX but the CheckPoint NG is amazing.
 
  Gil
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30675t=30675



CCNPR640-519 test [7:30677]

2002-01-02 Thread John Gesualdi

I need to recertify for CCNP this coming June 2002.  Has anyone taken
the (CCNPR640-519) test?  How did you prepare for this test? I don't see
any specific study books for this.
Thanks


--


John A. Gesualdi,CCNP, CCDP, MCSE 2000
[EMAIL PROTECTED]
The Providence Journal Company
Phone (401)277-8133
Pager (401)785-6938




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30677t=30677



Re: Passive Interface Help [7:30648]

2002-01-02 Thread John Neiberger

The passive-interface command stops routing updates from exiting that
interface or--in the case of EIGRP, OSPF, and IS-IS--it stops hello
packets from exiting, which keeps neighbor relationships from forming.

This command won't keep a connected network from showing up in your
routing table.  If you are connected to another router via ethernet, the
ethernet network is directly connected and does not need to be
advertised by a routing protocol to show up in your routing table.

To test this, add a loopback address on the remote router that is in
the same major network as the ethernet address.  You shouldn't be able
to ping that because your local router should not be aware of it.  

HTH,
John

 [EMAIL PROTECTED]  1/2/02 12:03:49
AM 
Happy New Year!!

I need a little help on what a passive
interface is. From what I can gather, a passive
interface does not advertise its route to its
neighbor ? Now if that is the case, why can 
I still ping an interface that is set to passive.
Please note: This is excluding directly connected
routes. 

For example, I set my Cisco 2509 ethernet interface
to passive. Why can I still ping the ethernet address 
from my neighboring router Cisco 4000 ? I am
running IGRP. Why does the ethernet network show up in its routing table for
my Cisco 4000. From poking around with the passive interface command it
seems that I can not ping my ethernet address only if I set the Serial
interfaces to passive also.
This seems odd. I thought if I made an ethernet interface passive, I should
not be able to ping it from a neighboring router or any other router since
it is not being advertised.

Below is a sample of me being able to ping serial 1 off
my Cisco 2509 from my Cisco 4000. Serial 1 is not
directly connected. Serial 1 is being advertised. 




Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco2509
!
enable password router
!
ip subnet-zero
ipx routing 0010.7be8.22f4
!
!
!
!
!
interface Ethernet0
 ip address 12.11.12.1 255.255.255.240
 no ip directed-broadcast
 delay 1000
!
interface Serial0
 ip address 172.16.18.1 255.255.255.240
 no ip directed-broadcast
 no ip mroute-cache
 ipx network 3
 no fair-queue
 clockrate 100
!
interface Serial1
 ip address 172.17.18.2 255.255.255.240
 no ip directed-broadcast
 clockrate 400
!
router igrp 1
 passive-interface Ethernet0
 passive-interface Serial0
 passive-interface Serial1
 offset-list 2 out 11000 Serial0
 network 12.0.0.0
 network 172.16.0.0
 network 172.17.0.0
!
ip classless
!
access-list 2 deny   12.11.12.1
!
!
!
!
!
line con 0
 transport input none
line 1 8
line aux 0
line vty 0 4
 password cisco
 login
!
end

Cisco2509#



Cisco_4000ping 172.17.18.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 120/120/124
ms
Cisco_4000ping 12.11.12.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.11.12.1, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
Cisco_4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30676t=30648
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
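
John's point can be checked against the configuration quoted in this post. The following is an added example, not code from the thread: it parses the interface and `router igrp` lines and reports which interfaces send updates and which connected networks those updates would carry. The function names are hypothetical, and the model assumes classful summarisation at major-network boundaries while ignoring metrics, the offset-list, split horizon and learned routes.

```python
import ipaddress

# Interface and routing lines taken from the Cisco2509 configuration in the post.
CONFIG = """\
interface Ethernet0
 ip address 12.11.12.1 255.255.255.240
!
interface Serial0
 ip address 172.16.18.1 255.255.255.240
!
interface Serial1
 ip address 172.17.18.2 255.255.255.240
!
router igrp 1
 passive-interface Ethernet0
 passive-interface Serial0
 passive-interface Serial1
 network 12.0.0.0
 network 172.16.0.0
 network 172.17.0.0
"""


def classful(addr):
    """Major (classful) network of an address; IGRP network statements are classful."""
    first = int(str(addr).split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse(config):
    """Return (interfaces, passive interface names, IGRP network statements)."""
    ifaces, passive, networks = {}, set(), []
    section = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw.startswith(" "):          # top-level line opens a new section
            section = words
            continue
        if section is None:
            continue
        if section[0] == "interface" and words[:2] == ["ip", "address"]:
            ifaces[section[1]] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif section[0] == "router":
            if words[0] == "passive-interface":
                passive.add(words[1])
            elif words[0] == "network":
                networks.append(classful(ipaddress.ip_address(words[1])))
    return ifaces, passive, networks


def igrp_view(config):
    """Connected routes (always in the local table) and per-interface update behaviour."""
    ifaces, passive, networks = parse(config)
    connected = [str(i.network) for i in ifaces.values()]
    # An interface takes part in IGRP when a network statement covers its address.
    enabled = {n: i for n, i in ifaces.items() if classful(i.ip) in networks}
    view = {}
    for name, iface in enabled.items():
        sends = name not in passive
        adverts = []
        if sends:
            for other, oi in enabled.items():
                if other == name:
                    continue
                # Across a major-network boundary only the classful network is sent.
                same_major = classful(oi.ip) == classful(iface.ip)
                net = oi.network if same_major else classful(oi.ip)
                if str(net) not in adverts:
                    adverts.append(str(net))
        view[name] = {"sends_updates": sends, "advertises": adverts}
    return connected, view


if __name__ == "__main__":
    variants = (
        ("as posted", CONFIG),
        ("Serial1 no longer passive", CONFIG.replace(" passive-interface Serial1\n", "")),
    )
    for label, cfg in variants:
        connected, view = igrp_view(cfg)
        print(label)
        print("  connected:", connected)
        for name, v in view.items():
            print(f"  {name}: {v}")
```

With every interface passive the router sends no updates at all, yet its own connected networks are unchanged; making only Serial1 active causes the still-passive Ethernet0 network to be advertised out Serial1.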



Cisco LRE ( Long Reach Ethernet ) [7:30678]

2002-01-02 Thread [EMAIL PROTECTED]

I actually saw a quite humorous demo of this on an IP Telephony
seminar in mid october. The network cabling was made up of
a pair of car battery cables (including clamps and all) linked to
two huge rolls of barbed wire, old band cable (the white, semi-
transparent two-wire thingys used as radio and tv antennae once
upon a time) and other non-category 5 cable plus a number
of nails, spikes and screws to attach everything.

 Over this they did the IP Telephony  demo with three IP phones
of various models and the IP phone software etc.

The most fun was seeing all the jaws dropping and hearing (quite)
a few versions of Wht the...

EoBW - Ethernet over Barbed Wire :-)

**
 Tony Stohne

 Relacom AB
 
 email: [EMAIL PROTECTED]

 tel:   +46 70 58 34 504
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30678t=30678



NAT problems. [7:30679]

2002-01-02 Thread Larry Brown

I set up nat with basic statements  

ip nat inside (fast 0)
ip nat outside (serial 0.1)
ip nat inside source list 1 interface serial0.1 overload
access-list 1 permit 10.0.0.0 0.0.0.255 (This is the only access-list on the box)

If I do a show ip nat translations I can see internal  external local and
global
mappings but only for icmp (when the user pings something) and udp - no tcp 
connections.  So, NATPAT is working.  The problem is Internet Explorer
times out.
Can I totally rule out NAT?  Anyone had this type of problem?

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30679t=30679



RE: NAT syntax under subinterface. [7:30672]

2002-01-02 Thread Barrios, Gabriel

This is the small document that may help you a lot.
regards,


Gabriel Barrios
INVENSYS PROCESS SYSTEMS VENEZUELA 
T: 58-212-2675868 ext. 105
F: 58-212-2670964
M: 58-416-8.235171
C: [EMAIL PROTECTED]


-Original Message-
From: Larry Brown [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 10:30 AM
To: [EMAIL PROTECTED]
Subject: NAT syntax under subinterface. [7:30672]


If you have a serial0.1 interface and are using this for ip nat outside, 
what is the correct syntax in defining your PAT or pool of addresses?

1. ip nat inside source list 1 interface serial0.1 overload

2. ip nat inside source list 1 interface serial0:1 overload ?

Or does it not matter at all?


[GroupStudy.com removed an attachment of type application/octet-stream which
had a name of Cisco - Sample Configuration Using the ip nat outside source
list Command.mht]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30680t=30672



dialer interface: dial string and time-range [7:30681]

2002-01-02 Thread Chris Read

With reference to archive entry:

RE: Fail over to 2 ISDN Provider. [7:9899] posted 06/26/2001

I am trying to configure a VPN edge router (801/12.0.7T as it happens). The
router has been assigned a static, public IP address for the dialer interface.
It is running an encrypted tunnel to another public IP address, as well as NAT
between the internet and the internal ethernet interface.

I need to optimise the dialing, such that different numbers are dialed at
different times of the day.

The example quoted above will not work, as the policy routing only applies to
the e0 interface, and not to the packets generated by the tunnel.

My thoughts are as follows:-

1) Use loopback0 as the fixed IP address. Use 2 dialer interfaces with ip
unnumbered loopback0 and  dialer-groups using access lists with time-range.
How does the routing process cope with this?

2) Use loopback0 as the fixed IP address. Use policy routing on loopback0 to 2
dialer interfaces. Can policy routing be applied to loopback interfaces ??

3) Use 2 dialer interfaces, each with ip address negotiated, but with
different dialer-group and dialer string statements. Then use 2 equal cost
static routes. I suspect that this will result in 50% packet loss, as both
interfaces spoof as being up. Does Cisco do anything clever here?

4) Use 2 dialer interfaces etc. as before. Use 2 static routes with high
metric(AD) as floating statics. Run another routing protocol. Redistribute
static routes into the routing protocol, using a distribute-list with an
access-list containing time-range statements to perform the filtering.

I will try these in my lab this evening. Any thoughts or comments?

Chris Read




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30681t=30681



Re: OT - Firewall performance Comparisons - is it quitting time [7:30682]

2002-01-02 Thread David Tran

Having worked with both Cisco PIX and Checkpoint Firewall running Nokia
platforms, even though I am NOT an expert in both, let me make a few
comments:

1) Checkpoint Firewall, even though it is an application, if you run
Checkpoint on Nokia Platforms which uses IPSO (netBSD kernel-like), it is
very robust, powerful and secure.  The Nokia platform is a NAP, just like
Cisco PIX.  Let me also add that the BSD platform is the most secure
platform one can find.  Now, if someone is stupid running Firewall on a
general-purpose platform such as Solaris and NT, then he/she should not be
in the Firewall business in the first place,

2) Configure Checkpoint/IPSO on Nokia platform is very easy. I use
Perl/Expect scripts to setup the nokia ipso box.  This task takes less than
10 minutes and very robust.  As far as checkpoint is concerned, the
point-and-click makes it very easy,

3) If you are working in an Enterprise environment and you have a few PIXes
to manage, that might not be so bad.  However, if you have at least twenty
PIXes to manage, good luck.  There is no good management software for PIXes
at the moment.  Don't talk to me about the CSPM crap running on Windows
platforms.  Maybe Cisco will incorporate PIX support in the next release of
its Hosting Solution Engine.  On the other hand, Checkpoint MDS is second to
none.   It allows you to manage up to 200 Checkpoint per MDS,

4) You can create VPN between Checkpoint and other vendors such as
Netscreen, PIX and other vendors out there and tunnel PPTP and L2TP VPN
clients as well.  Again, if you are using PPTP as VPN then you should NOT be
a Firewall Engineer in the first place,

5) With Cisco PIX, you can not use RSA key authentication, only password is
supported.  Furthermore, since we are talking about security, PIX uses tftp
to upload/download configuration file (clear text).  Now tell me if that is
good security practices.  Furthermore, if you read security bulletin lately,
there are lot of holes in version 1 of Secure Shell which PIX supports (Pix
does NOT support version 2).  With Nokia platforms, you can Secure Copy
(scp) to upload/download configuration.  The new version of Nokia even
supports DSA and SSH version 2 which is very secure,

4) Cisco PIX is pretty much a packet-filtering firewall to me (I don't care
what anyone might say otherwise).  It is using the same access-list just
like Cisco routers.  It does have some stateful inspection capabilities but
not as much as Checkpoint.  If you are looking for a firewall with sheer
performance in term of packet-filtering and limited 'stateful' inspection,
then PIX might be the right choice.  I like the PIX-535 model a lot in term
of performance,

5) Yes, support from Checkpoint sucks.  Support from Cisco is much better,

6) One thing I like about the PIXes is that it takes about 2 minutes to
restore PIX firewall if one happens to crash (due to hardware).  It takes
about 10 mins to do so with Nokia/Checkpoint,

7) PIX Firewall version 6.0(1) and 6.1(1) and pdm1.1(2) have quite a few
security holes especially with the Secure Shell and Secure Socket Layer
(SSL) for its Pix Device Manager (PDM).

I am saying that PIX is a bad product and Nokia/Checkpoint is a good one.
If you are familiar with Unix, you will like Nokia/Checkpoint.  On the other
hand, if you are already familiar with routers/switches and come from a
Windows background, then you will like Cisco PIX.

Contact me off-line if you want to discuss this further.

- Original Message -
From: Tim O'Brien 
To: 
Sent: Wednesday, January 02, 2002 7:42 AM
Subject: Re: OT - Firewall performance Comparisons - is it quitting time
[7:30658]


 A couple of points, and I will then get off of my soapbox...

 Checkpoint NG is STILL an application running on UNIX or NT, not a self
 contained appliance. Personally I love Microsoft (let the flames begin!),
 however, with the critical updates that I see getting installed on my 2000
 and XP workstations I am POSITIVE that I would not want to trust my company
 security to it. Another point.. Have you ever installed and configured a
 Checkpoint firewall? You can have the PIX up and running with failover even
 before you get the OS half installed on the new server that you need to buy
 for it, thus raising the cost for an already more expensive solution in
 man-hours and equipment. The PIX is also very interoperable with other
 devices in the network. You can create PIX to PIX or PIX to IOS or PIX to
 3000VPN site-to-site with other offices or home offices with built in 56bit
 DES or available 3DES . You can tunnel in VPN clients (free Cisco VPN client
 available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last
 point, Have you ever had to get support from Checkpoint??? enough said about
 that one...

 If you would like to discuss further contact me offline...

 Tim

 - Original Message -
 From: [EMAIL PROTECTED]

 To:
 Sent: Wednesday, January 02, 2002 4:05 AM
 

Re: NAT problems. [7:30679]

2002-01-02 Thread MADMAN

I rarely totally rule out anything, it'll come back and bite ya in the
arse but I would definitely verify your IE setup.  If you want to verify
TCP telnet to something like route-views.oregon-ix.net

  Dave

Larry Brown wrote:
 
 I set up nat with basic statements
 
 ip nat inside (fast 0)
 ip nat outside (serial 0.1)
 ip nat inside source list 1 interface serial0.1 overload
 access-list 1 permit 10.0.0.0 0.0.0.255 (This is the only access-list on the
 box)
 
 If I do a show ip nat translations I can see internal  external local and
 global
 mappings but only for icmp (when the user pings something) and udp - no tcp
 connections.  So, NATPAT is working.  The problem is Internet Explorer
 times out.
 Can I totally rule out NAT?  Anyone had this type of problem?
 
 
 
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30683t=30679



RE: NAT problems. [7:30679]

2002-01-02 Thread Lange, Eric

Could be DNS problem.  Try going to http://198.133.219.25/

This is Cisco.com.

Probably not a NAT/PAT issue.

Regards,
Eric

-Original Message-
From: Larry Brown [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 9:44 AM
To: [EMAIL PROTECTED]
Subject: NAT problems. [7:30679]


I set up nat with basic statements  

ip nat inside (fast 0)
ip nat outside (serial 0.1)
ip nat inside source list 1 interface serial0.1 overload
access-list 1 permit 10.0.0.0 0.0.0.255 (This is the only access-list on the
box)

If I do a show ip nat translations I can see internal  external local and
global
mappings but only for icmp (when the user pings something) and udp - no tcp 
connections.  So, NATPAT is working.  The problem is Internet Explorer
times out.
Can I totally rule out NAT?  Anyone had this type of problem?

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30684t=30679



RE: E1 Terms [7:30645]

2002-01-02 Thread Barrios, Gabriel

So far as my memory goes... I remember this:


a)  Multichannel E1  Normal E1
A: A sum of different speeds to have the total you are paying for.  It is
similar to the Letter B.

b)  Fractional E1   Channelized E1
B: With the 30 channels.  You have a portion of the 30 channels; this means
that you have 256Kbps or a "fraction" of the 2 MB. It all depends on how
much you want to spend.

c)  Clear Channel  unchannelized E1
C: Clear channel = without compression. Without channels in it.
All BW available.

Line  CH      Speed

E1    30      2.048
E2    120     8.448
E3    480     34.368
E4    1.920   139.264

T1    24      1.544
T2    96      6.312
T3    672     44.736
T4    4.032   274.176

I expect this may help a little... :-)

Regards,
Gabriel

Gabriel Barrios
INVENSYS PROCESS SYSTEMS VENEZUELA 
T: 58-212-2675868 ext. 105
F: 58-212-2670964
M: 58-416-8.235171
C: [EMAIL PROTECTED]


-Original Message-
From: amarjeet singh [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 1:25 AM
To: [EMAIL PROTECTED]
Subject: RE: E1 Terms [7:30645]


Dear group,
 I am confused for some of the terms related to E1 lines. Can some
one tell me the differences between these  terms.

a)  Multichannel E1  Normal E1
b)  Fractional E1   Channelized E1
c)  Clear Channel  unchannelized E1



Thanx in advance

Amar




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30685t=30645



Solaris braindumps/exam MC/ material/ web link wanted, I have [7:30688]

2002-01-02 Thread WW

Solaris braindumps/exam MC/ material/ web link  wanted,  I use
CCNP/CCNA/MCSE2000 for trade




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30688t=30688



test [7:30686]

2002-01-02 Thread WW

test




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30686t=30686



Solaris braindumps/exam MC/ material/ web link wanted, I have [7:30687]

2002-01-02 Thread WW

Interested email me




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30687t=30687



Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Phil Barker

Hi Group,
 I have been sniffing my broadband connection to
my ISP today and have a few questions.

 My main gripe is that I'm being sent around 100
Arp requests per minute, which obviously I cannot
resolve. These ARP requests are all originating from
my default G/W at the ISP trying to resolve MAC
addresses of various users. Can anyone confirm if this
is usual or unusual. I cannot see this being correct
since if I set my router up to be one of these IP
addresses I can resolve it to my MAC address Eth 0
int' or any other mac-address for that matter.

 They also send me DHCP requests, IGMP requests
for group 224.0.0.1 (Which I wish I could join) but
cannot and lots of their private address information
via the above mentioned ARP's.

 I also captured an attempt at an inbound TCP
connection on a dynamic port which my router RST,
thankfully. 

 Are they wasting my B/W ?

Thanx,

Phil

 

 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30689t=30689



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread c1sc0k1d

Cable modem is a shared medium and you do not have the bandwidth on your
segment to yourself.  You could compare it to ethernet for practical
purposes.

The k1d




Phil Barker  wrote in message
news:[EMAIL PROTECTED]...
 Hi Group,
  I have been sniffing my broadband connection to
 my ISP today and have a few questions.

  My main gripe is that I'm being sent around 100
 Arp requests per minute, which obviously I cannot
 resolve. These ARP requests are all originating from
 my default G/W at the ISP trying to resolve MAC
 addresses of various users. Can anyone confirm if this
 is usual or unusual. I cannot see this being correct
 since if I set my router up to be one of these IP
 addresses I can resolve it to my MAC address Eth 0
 int' or any other mac-address for that matter.

  They also send me DHCP requests, IGMP requests
 for group 224.0.0.1 (Which I wish I could join) but
 cannot and lots of their private address information
 via the above mentioned ARP's.

  I also captured an attempt at an inbound TCP
 connection on a dynamic port which my router RST,
 thankfully.

  Are they wasting my B/W ?

 Thanx,

 Phil









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30690t=30689



RE: DHCP, WK2 and default gateway PROBLEM [7:29732]

2002-01-02 Thread Evans, TJ

Just my $.02 ... secondary addresses cover this quite well!!
, and then again as we phased providers out ... 


Thanks!
TJ

 -Original Message-
From:   Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, December 19, 2001 11:26 PM
To: [EMAIL PROTECTED]
Subject:Re: DHCP, WK2 and default gateway PROBLEMMM + [7:29732]

The default gateway has to be on the same subnet as the clients that use 
it, as you probably know.

What is the default gateway? Is it a Cisco router? You could give it a 
secondary address on the new 192.168.40.0. network. Then use that address 
for the clients on the 192.168.40.0 subnet as their default gateway.

Another thought: what is the subnet mask? I'm assuming it's 255.255.255.0. 
You could change it temporarily to 255.255.0.0 while doing the changeover. 
That way 192.168.50.0 and 192.168.40.0 are on the same subnet. Clients with 
addresses that start with 192.168.40.0 could still use 192.168.50.7 as 
their default gateway.

Priscilla

At 10:43 PM 12/19/01, Juan Blanco wrote:
Team,
 I am working in a project for a company that has almost 600 users with
static ip. What I have to do is move everyone to a dynamic ip environment,
without affecting the current network functionality. The problem that I am
having is when I created my new scope in wk2 I am not able to provide the
default gateway to my clients because the DG is not the same network like
the one in the scope

DHCP server(w2k) which is not able to provide my default
 My scope = 192.168.40.50 .. 100
New segment ip is 192.168.40
DG for the segment is the DG for the others users in the same segment
MY DG = 192.168.50.7

How will I be able to define two IP address to the same interface in which
both IP address can be define as the DG

Thanks,

JB


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30691t=29732



Epilog to SPEED DUPLEX settings [7:30692]

2002-01-02 Thread Ole Drews Jensen

As an epilog to my recent e-mail warning about using the AUTO feature of
SPEED and/or DUPLEX settings on LAN interfaces, I would like to give you a
little extra information:

I looked at all the interfaces on my 3548 switch today, and found that the
interface that was connected to a 2620 and the interface that was connected
to a 2924 were both in 100 mbps half duplex detected by the auto feature.
This was the case even though both the 2620 and the 2924 were manually set
to 100 mbps full duplex.

This was the case also on an interface connected to a 3COM 100 mbps HUB that
I have connected in a room as a test. The Cisco 3548 auto sense feature on
that interface had placed it in 100/half.

So, the lesson to learn here is that even though both devices are Cisco, you
cannot trust the auto sense feature. I will now go the slow but safe way,
and manually configure all my LAN interfaces on all my equipment.

So, place a big sticker on all your network equipment: NO AUTO SETTINGS.

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30692t=30692
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
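
The 100/half result reported above is what IEEE 802.3 autonegotiation yields when the link partner is hard-set: with no negotiation pulses to read, the auto port senses the speed (parallel detection) and has to fall back to half duplex. The model below is an added example, not part of the original post; the `Port` class and function names are hypothetical and it covers 10/100 copper only.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Autonegotiation priority for 10/100 copper, best mode first.
PRIORITY = ((100, "full"), (100, "half"), (10, "full"), (10, "half"))


@dataclass(frozen=True)
class Port:
    name: str
    autoneg: bool                    # True = speed auto / duplex auto
    speed: Optional[int] = None      # Mbps, used only when hard-set
    duplex: Optional[str] = None     # "full" or "half", used only when hard-set
    abilities: Tuple[Tuple[int, str], ...] = PRIORITY  # advertised when autoneg is on


def operating_mode(local: Port, partner: Port):
    """Mode that `local` ends up in, or None if no link comes up."""
    if not local.autoneg:
        # A hard-set port never negotiates; it simply runs what it was told.
        if partner.autoneg:
            reachable = (local.speed, "half") in partner.abilities
        else:
            reachable = partner.speed == local.speed
        return (local.speed, local.duplex) if reachable else None
    if partner.autoneg:
        # Both sides negotiate: highest common ability wins.
        for mode in PRIORITY:
            if mode in local.abilities and mode in partner.abilities:
                return mode
        return None
    # Partner is hard-set and sends no negotiation pulses. Parallel detection
    # recognises the speed from the link signal, but duplex cannot be sensed,
    # so the standard requires half duplex.
    if (partner.speed, "half") in local.abilities:
        return (partner.speed, "half")
    return None


def check_link(a: Port, b: Port):
    """Resolve both ends and flag a duplex mismatch."""
    mode_a, mode_b = operating_mode(a, b), operating_mode(b, a)
    if mode_a is None or mode_b is None:
        return {"link": False, a.name: mode_a, b.name: mode_b, "duplex_mismatch": False}
    return {"link": True, a.name: mode_a, b.name: mode_b,
            "duplex_mismatch": mode_a[1] != mode_b[1]}


if __name__ == "__main__":
    switch = Port("3548", autoneg=True)
    cases = [
        Port("2620", autoneg=False, speed=100, duplex="full"),   # hard-set router
        Port("hub", autoneg=False, speed=100, duplex="half"),    # repeater, always half
        Port("peer-auto", autoneg=True),                         # both ends on auto
    ]
    for partner in cases:
        print(check_link(switch, partner))
    # Both ends hard-set the same way: no mismatch.
    print(check_link(Port("3548", False, 100, "full"), cases[0]))
```

In this model a mismatch appears only when one end is forced to full duplex and the other is left on auto; the hub case lands on 100/half at both ends, which is the correct mode for a repeater.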



Re: Cisco LRE ( Long Reach Ethernet ) [7:30553]

2002-01-02 Thread David L. Blair

Most local Cisco offices have been demo'ing LRE for a few months now.  My
local office has a demonstration kit consisting of a piece of plywood with 3
foot lengths of the following wires connected together: Cat5, Cat3, House
Grade wiring used for outlets, and Barbed Wire used in barnyards around the
country.  Interesting!!!


David L. Blair

Chuck Larrieu wrote in message news:[EMAIL PROTECTED]...
 Is it slow at work today or what?

 I was browsing CCO and ran across something called long reach ethernet

 http://newsroom.cisco.com/dlls/ts_122701.html

 http://www.cisco.com/warp/public/779/servpro/solutions/long_ethernet/

 lots more.

 Interesting product and market. Interesting, because on the surface, it
 doesn't seem like it would be less expensive than re-wiring, but if one
 looks at someplace like a hotel, where ripping walls out to string a new
 wiring infrastructure would be exceedingly disruptive, it makes sense.

 Anyone looked into this? done it? this appears to be a very new product to
 Cisco. the web docs are dated within the last few weeks.

 Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30693t=30553



question about VPN-IPSEC and NAT [7:30694]

2002-01-02 Thread Leonardo Borda

Hello,

I have in my organization a cisco router 2600 running NAT and IPSEC56. I
want to configure two access-lists. One for inbound access and another one
for outbound access and apply it in the same serial line.
Does anyone know what are the ports I have to permit to work that job
successfully as much inbound as outbound?

I had success in configuring internet access and it's working fine but
over IPSEC my users from the other side of VPN can not access my exchange
server using VPN, but they can ping it...

thanks.

  Leonardo Borda.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30694t=30694



Re: Passive Interface Help [7:30648]

2002-01-02 Thread CCIEn2002

Thank you for the info. Now I am a little confused still on
the passive interface. If it prevents routing updates
from being sent out, why would one want a
passive interface. From my understanding, a
passive interface would not advertise its routing
updates to its neighbor. If that is the case, I am perplexed
on why I can ping a passive interface that is being advertised
thru a routing protocol. In my case, my neighbor router
is seeing an IGRP update for the Ethernet network.

Why would you make the Ethernet passive if you can still
ping it and see its routing update from a neighboring router
via the show ip route ?
This is where I get confused by the definition of passive.

Any help..I am a rookie as you can see

David


- Original Message -
From: cheekin 
To: ; 
Sent: Wednesday, January 02, 2002 4:43 AM
Subject: Re: Passive Interface Help [7:30648]


 Hi,

 When you make the ethernet interface passive, it means no igrp updates
will
 be sent out on the ethernet interface.  It doesn't stop the serial
interface
 from advertising network 12.0.0.0 .  Which explains why you can still ping
 to the ethernet interface.  If for some reason you do not want network
 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
 distribute-list to filter out the route.

 Regards,
 cheekin

 - Original Message -
 From: 
 To: 
 Sent: Wednesday, January 02, 2002 15:03
 Subject: Passive Interface Help [7:30648]


  Happy New Year!!
 
  I need a little help on what a passive
  interface is. From what I can gather, a passive
  interface does not advertise its route to its
  neighbor ? Now if that is the case, why can
  I still ping an interface that is set to passive.
  Please note: This is excluding directly connected
  routes.
 
  For example, I set my Cisco 2509 ethernet interface
  to passive. Why can I still ping the ethernet address
  from my neighboring router Cisco 4000 ? I am
  running IGRP. Why does the ethernet network show up in its routing table
 for
  my Cisco 4000. From poking around with the passive interface command it
  seems that I can not ping my ethernet address only if I set the Serial
  interfaces to passive also.
  This seems odd. I thought if I made an ethernet interface passive, I
 should
  not be able to ping it from a neighboring router or any other router
since
  it is not being
  advertised.
 
  Below is a sample of me being able to ping serial 1 off
  my Cisco 2509 from my Cisco 4000. Serial 1 is not
  directly connected. Serial 1 is being advertised.
 
 
 
 
  Current configuration:
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname Cisco2509
  !
  enable password router
  !
  ip subnet-zero
  ipx routing 0010.7be8.22f4
  !
  !
   !
   !
   !
   interface Ethernet0
   ip address 12.11.12.1 255.255.255.240
   no ip directed-broadcast
   delay 1000
  !
  interface Serial0
   ip address 172.16.18.1 255.255.255.240
   no ip directed-broadcast
   no ip mroute-cache
   ipx network 3
   no fair-queue
   clockrate 100
  !
  interface Serial1
   ip address 172.17.18.2 255.255.255.240
   no ip directed-broadcast
   clockrate 400
  !
  router igrp 1
   passive-interface Ethernet0
   passive-interface Serial0
   passive-interface Serial1
   offset-list 2 out 11000 Serial0
   network 12.0.0.0
   network 172.16.0.0
   network 172.17.0.0
  !
  ip classless
  !
  access-list 2 deny   12.11.12.1
  !
  !
  !
  !
  !
  line con 0
   transport input none
  line 1 8
  line aux 0
  line vty 0 4
   password cisco
   login
  !
  end
 
  Cisco2509#
 
 
 
  Cisco_4000>ping 172.17.18.1
 
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 2 seconds:
  !!!!!
  Success rate is 100 percent (5/5), round-trip min/avg/max = 120/120/124 ms
  Cisco_4000>ping 12.11.12.1
 
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 12.11.12.1, timeout is 2 seconds:
  .....
  Success rate is 0 percent (0/5)
  Cisco_4000>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30695t=30648



RE: question about VPN-IPSEC and NAT [7:30694]

2002-01-02 Thread Lange, Eric

IP protocol 50 and UDP port 500.  If you are doing AH you also need ip
protocol 51.

-Eric

-Original Message-
From: Leonardo Borda [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 12:55 PM
To: [EMAIL PROTECTED]
Subject: question about VPN-IPSEC and NAT [7:30694]


Hello,

I have in my organization a cisco router 2600 running NAT and IPSEC56. I
want to configure two access-lists. One for inbound access and another one
for outbound access and apply it in the same serial line.
Does anyone know what are the ports I have to permit to work that job
successfully as much inbound as outbound?

I had success in configuring internet access and it's working fine but
over IPSEC my users from the other side of VPN can not access my exchange
server using VPN, but they can ping it...

thanks.

  Leonardo Borda.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30696t=30694
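
The protocols named in the reply above, written as IOS extended access-list entries for both directions on the serial line. This is an added example, not part of the original thread; the ACL numbers 110 and 120, the interface Serial0, and the addresses 192.0.2.1 (this router) and 198.51.100.1 (remote VPN peer) are assumptions.

```cisco
! Constructed example. 192.0.2.1 = this router's serial address,
! 198.51.100.1 = remote IPsec peer (documentation addresses, placeholders).
!
! --- Inbound on the serial line: tunnel traffic arriving from the peer ---
! IKE negotiation, UDP port 500
access-list 110 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
! ESP, IP protocol 50
access-list 110 permit esp host 198.51.100.1 host 192.0.2.1
! AH, IP protocol 51 (only needed if the transform set uses AH)
access-list 110 permit ahp host 198.51.100.1 host 192.0.2.1
! ... the site's existing inbound permits for non-VPN traffic go here;
!     everything not permitted is dropped by the implicit deny ...
!
! --- Outbound on the serial line: the same three, mirrored ---------------
access-list 120 permit udp host 192.0.2.1 host 198.51.100.1 eq isakmp
access-list 120 permit esp host 192.0.2.1 host 198.51.100.1
access-list 120 permit ahp host 192.0.2.1 host 198.51.100.1
! ... the site's existing outbound permits for non-VPN traffic go here ...
!
interface Serial0
 ip access-group 110 in
 ip access-group 120 out
!
! Verification (exec mode):
!   show access-lists        per-entry match counters for 110 and 120
!   show crypto isakmp sa    state of the IKE security association
!   show crypto ipsec sa     encrypt/decrypt packet counters per tunnel
```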



Re: Passive Interface Help [7:30648]

2002-01-02 Thread Chuck Larrieu

All part of traffic control. Why waste bandwidth for updates that are not
required.

example:

OSPF domain <--> router <--> IGRP domain

the OSPF domain does not require direct knowledge of the IGRP domain, so why
send IGRP updates out the interface into the OSPF domain? or vice versa.

also, as a matter of basic security design, suppose you have:

bunch of users <--> ethernet_interface-router <--> routing_domain

one might consider preventing routing advertisements into the user ethernet
domain as a precaution against users who may be running routing protocols on
their workstations and creating havoc as a result.

I worked on a VPN/RLAN project for a major technology company a few months
back. The company had several thousand users on this network, most of whom
were engineers. The company had ongoing problems with these engineers
testing equipment and services and creating situations where the engineering
work caused major problems on their production network. So they opted for
static routing to the end user, and suppression of all routing
advertisements out any of the VPN tunnels and RLAN connections.

Make sense?

Chuck


CCIEn2002 wrote in message news:[EMAIL PROTECTED]...
 Thank you for the info. Now I am a little confused still on
 the passive interface. If it prevents routing updates
 from being sent out, why would one want a
 passive interface. From my understanding, a
 passive interface would not advertise its routing
 updates to its neighbor. If that is the case, I am perplexed
 on why I can ping a passive interface that is being advertised
 thru a routing protocol. In my case, my neighbor router
 is seeing an IGRP update for the Ethernet network.

 Why would you make the Ethernet passive if you can still
 ping it and see its routing update from a neighboring router
 via the show ip route ?
 This is where I get confused by the definition of passive.

 Any help..I am a rookie as you can see

 David


 - Original Message -
 From: cheekin
 To: ;
 Sent: Wednesday, January 02, 2002 4:43 AM
 Subject: Re: Passive Interface Help [7:30648]


  Hi,
 
  When you make the ethernet interface passive, it means no igrp updates
 will
  be sent out on the ethernet interface.  It doesn't stop the serial
 interface
  from advertising network 12.0.0.0 .  Which explains why you can still
ping
  to the ethernet interface.  If for some reason you do not want network
  12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or use
  distribute-list to filter out the route.
 
  Regards,
  cheekin
 
  - Original Message -
  From:
  To:
  Sent: Wednesday, January 02, 2002 15:03
  Subject: Passive Interface Help [7:30648]
 
 
   Happy New Year!!
  
   I need a little help on what a passive
   interface is. From what I can gather, a passive
   interface does not advertise its route to its
   neighbor ? Now if that is the case, why can
   I still ping an interface that is set to passive.
   Please note: This is excluding directly connected
   routes.
  
   For example, I set my Cisco 2509 ethernet interface
   to passive. Why can I still ping the ethernet address
   from my neighboring router Cisco 4000 ? I am
   running IGRP. Why does the ethernet network show up in its routing
table
  for
   my Cisco 4000. From poking around with the passive interface command
it
   seems that I can not ping my ethernet address only if I set the Serial
   interfaces to passive also.
   This seems odd. I thought if I made an ethernet interface passive, I
  should
   not be able to ping it from a neighboring router or any other router
 since
   it is not being
   advertised.
  
   Below is a sample of me being able to ping serial 1 off
   my Cisco 2509 from my Cisco 4000. Serial 1 is not
   directly connected. Serial 1 is being advertised.
  
  
  
  
   Current configuration:
   !
   version 12.0
   service timestamps debug uptime
   service timestamps log uptime
   no service password-encryption
   !
   hostname Cisco2509
   !
   enable password router
   !
   ip subnet-zero
   ipx routing 0010.7be8.22f4
   !
   !
!
!
!
interface Ethernet0
ip address 12.11.12.1 255.255.255.240
no ip directed-broadcast
delay 1000
   !
   interface Serial0
ip address 172.16.18.1 255.255.255.240
no ip directed-broadcast
no ip mroute-cache
ipx network 3
no fair-queue
clockrate 100
   !
   interface Serial1
ip address 172.17.18.2 255.255.255.240
no ip directed-broadcast
clockrate 400
   !
   router igrp 1
passive-interface Ethernet0
passive-interface Serial0
passive-interface Serial1
offset-list 2 out 11000 Serial0
network 12.0.0.0
network 172.16.0.0
network 172.17.0.0
   !
   ip classless
   !
   access-list 2 deny   12.11.12.1
   !
   !
   !
   !
   !
   line con 0
transport input none
   line 1 8
   line aux 0
   line vty 0 4
password cisco
login
   !
   end
  
   Cisco2509#
  
  
  
   Cisco_4000ping 

Re: Re: Passive Interface Help [7:30648]

2002-01-02 Thread John Neiberger

As I mentioned in my first reply, the passive-interface command 
operates a little differently depending on the protocol you're 
using.  For protocols that need to establish neighbors--such as 
EIGRP, OSPF, and IS-IS--this command stops those relationships 
from forming so no routes will ever be exchanged.

In RIP and IGRP, no neighbor relationship is formed.  The 
passive-interface command simply stops the router from sending 
updates out that interface but it will *not* stop updates from 
coming in on that interface.  This can be a handy feature if 
you only want to receive routes but not send them.

If you are receiving IGRP routes that you don't want to 
receive, then you need to make sure that you apply this command 
to both sides of the connection.

HTH,
John





 On Wed, 2 Jan 2002, CCIEn2002 ([EMAIL PROTECTED]) 
wrote:

 Thank you for the info. Now I am a little confused still on
 the passive interface. If it prevents routing updates
 from being sent out, why would one want a
 passive interface. From my understanding, a
 passive interface would not advertise its routing
 updates to its neighbor. If that is the case, I am perplexed
 on why I can ping a passive interface that is being advertised
 thru a routing protocol. In my case, my neighbor router
 is seeing an IGRP update for the Ethernet network.
 
 Why would you make the Ethernet passive if you can still
 ping it and see its routing update from a neighboring router
 via the show ip route ?
 This is where I get confused by the definition of passive.
 
 Any help..I am a rookie as you can see
 
 David
 
 
 - Original Message -
 From: cheekin 
 To: ; 
 Sent: Wednesday, January 02, 2002 4:43 AM
 Subject: Re: Passive Interface Help [7:30648]
 
 
  Hi,
 
  When you make the ethernet interface passive, it means no 
igrp updates
 will
  be sent out on the ethernet interface.  It doesn't stop the 
serial
 interface
  from advertising network 12.0.0.0 .  Which explains why you 
can still
 ping
  to the ethernet interface.  If for some reason you do not 
want network
  12.0.0.0 to be advertised, remove the network 12.0.0.0 
statement or
 use
  distribute-list to filter out the route.
 
  Regards,
  cheekin
 
  - Original Message -
  From: 
  To: 
  Sent: Wednesday, January 02, 2002 15:03
  Subject: Passive Interface Help [7:30648]
 
 
   Happy New Year!!
  
   I need a little help on what a passive
   interface is. From what I can gather, a passive
   interface does not advertise its route to its
   neighbor ? Now if that is the case, why can
   I still ping an interface that is set to passive.
   Please note: This is excluding directly connected
   routes.
  
   For example, I set my Cisco 2509 ethernet interface
   to passive. Why can I still ping the ethernet address
   from my neighboring router Cisco 4000 ? I am
   running IGRP. Why does the ethernet network show up in 
its routing
 table
  for
   my Cisco 4000. From poking around with the passive 
interface command
 it
   seems that I can not ping my ethernet address only if I 
set the
 Serial
   interfaces to passive also.
   This seems odd. I thought if I made an ethernet interface 
passive, I
  should
   not be able to ping it from a neighboring router or any 
other router
 since
   it is not being
   advertised.
  
   Below is a sample of me being able to ping serial 1 off
   my Cisco 2509 from my Cisco 4000. Serial 1 is not
   directly connected. Serial 1 is being advertised.
  
  
  
  
   Current configuration:
   !
   version 12.0
   service timestamps debug uptime
   service timestamps log uptime
   no service password-encryption
   !
   hostname Cisco2509
   !
   enable password router
   !
   ip subnet-zero
   ipx routing 0010.7be8.22f4
   !
   !
!
!
!
interface Ethernet0
ip address 12.11.12.1 255.255.255.240
no ip directed-broadcast
delay 1000
   !
   interface Serial0
ip address 172.16.18.1 255.255.255.240
no ip directed-broadcast
no ip mroute-cache
ipx network 3
no fair-queue
clockrate 100
   !
   interface Serial1
ip address 172.17.18.2 255.255.255.240
no ip directed-broadcast
clockrate 400
   !
   router igrp 1
passive-interface Ethernet0
passive-interface Serial0
passive-interface Serial1
offset-list 2 out 11000 Serial0
network 12.0.0.0
network 172.16.0.0
network 172.17.0.0
   !
   ip classless
   !
   access-list 2 deny   12.11.12.1
   !
   !
   !
   !
   !
   line con 0
transport input none
   line 1 8
   line aux 0
   line vty 0 4
password cisco
login
   !
   end
  
   Cisco2509#
  
  
  
   Cisco_4000ping 172.17.18.1
  
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.17.18.1, timeout is 
2 seconds:
   !
   Success rate is 100 percent (5/5), round-trip min/avg/max 
=
 120/120/124
 

Re: Passive Interface Help [7:30648]

2002-01-02 Thread matt shiite

Are these routers directly connected?  If so, that
explains why you would still be able to ping. Did you
try to use loopback interfaces and see if those routes
are being announced?

ms


--- CCIEn2002  wrote:
 Thank you for the info. Now I am a little confused
 still on
 the passive interface. If it prevents routing
 updates
 from being sent out, why would one want a
 passive interface. From my understanding, a
 passive interface would not advertise its routing
 updates to its neighbor. If that is the case, I am
 perplexed
 on why I can ping a passive interface that is being
 advertised
 thru a routing protocol. In my case, my neighbor
 router
 is seeing an IGRP update for the Ethernet network.
 
 Why would you make the Ethernet passive if you can
 still
 ping it and see its routing update from a
 neighboring router
 via the show ip route ?
 This is where I get confused by the definition of
 passive.
 
 Any help..I am a rookie as you can see
 
 David
 
 
 - Original Message -
 From: cheekin 
 To: ; 
 Sent: Wednesday, January 02, 2002 4:43 AM
 Subject: Re: Passive Interface Help [7:30648]
 
 
  Hi,
 
  When you make the ethernet interface passive, it
 means no igrp updates
 will
  be sent out on the ethernet interface.  It doesn't
 stop the serial
 interface
  from advertising network 12.0.0.0 .  Which
 explains why you can still ping
  to the ethernet interface.  If for some reason you
 do not want network
  12.0.0.0 to be advertised, remove the network
 12.0.0.0 statement or use
  distribute-list to filter out the route.
 
  Regards,
  cheekin
 
  - Original Message -
  From: 
  To: 
  Sent: Wednesday, January 02, 2002 15:03
  Subject: Passive Interface Help [7:30648]
 
 
   Happy New Year!!
  
   I need a little help on what a passive
   interface is. From what I can gather, a passive
   interface does not advertise its route to its
   neighbor ? Now if that is the case, why can
   I still ping an interface that is set to
 passive.
   Please note: This is excluding directly
 connected
   routes.
  
   For example, I set my Cisco 2509 ethernet
 interface
   to passive. Why can I still ping the ethernet
 address
   from my neighboring router Cisco 4000 ? I am
   running IGRP. Why does the ethernet network show
 up in its routing table
  for
   my Cisco 4000. From poking around with the
 passive interface command it
   seems that I can not ping my ethernet address
 only if I set the Serial
   interfaces to passive also.
   This seems odd. I thought if I made an ethernet
 interface passive, I
  should
   not be able to ping it from a neighboring router
 or any other router
 since
   it is not being
   advertised.
  
   Below is a sample of me being able to ping
 serial 1 off
   my Cisco 2509 from my Cisco 4000. Serial 1 is
 not
   directly connected. Serial 1 is being
 advertised.
  
  
  
  
   Current configuration:
   !
   version 12.0
   service timestamps debug uptime
   service timestamps log uptime
   no service password-encryption
   !
   hostname Cisco2509
   !
   enable password router
   !
   ip subnet-zero
   ipx routing 0010.7be8.22f4
   !
   !
!
!
!
interface Ethernet0
ip address 12.11.12.1 255.255.255.240
no ip directed-broadcast
delay 1000
   !
   interface Serial0
ip address 172.16.18.1 255.255.255.240
no ip directed-broadcast
no ip mroute-cache
ipx network 3
no fair-queue
clockrate 100
   !
   interface Serial1
ip address 172.17.18.2 255.255.255.240
no ip directed-broadcast
clockrate 400
   !
   router igrp 1
passive-interface Ethernet0
passive-interface Serial0
passive-interface Serial1
offset-list 2 out 11000 Serial0
network 12.0.0.0
network 172.16.0.0
network 172.17.0.0
   !
   ip classless
   !
   access-list 2 deny   12.11.12.1
   !
   !
   !
   !
   !
   line con 0
transport input none
   line 1 8
   line aux 0
   line vty 0 4
password cisco
login
   !
   end
  
   Cisco2509#
  
  
  
   Cisco_4000ping 172.17.18.1
  
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 172.17.18.1,
 timeout is 2 seconds:
   !
   Success rate is 100 percent (5/5), round-trip
 min/avg/max = 120/120/124
 ms
   Cisco_4000ping 12.11.12.1
  
   Type escape sequence to abort.
   Sending 5, 100-byte ICMP Echos to 12.11.12.1,
 timeout is 2 seconds:
   .
   Success rate is 0 percent (0/5)
   Cisco_4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30699t=30648
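
The passive-interface behaviour discussed in this thread, written out against the posted Cisco2509 configuration. This is an added example, not from any poster; it assumes Serial1 is the link toward the Cisco 4000, and access-list 10 is a hypothetical number.

```cisco
! Added example, not from the thread. Interface names, networks and the
! IGRP process number come from the posted Cisco2509 configuration.
! Assumption: Serial1 is the link toward the Cisco 4000.
!
! --- As posted: all three interfaces passive ----------------------------
! Cisco2509 sends no IGRP updates on any interface, so the Cisco 4000
! never learns 12.0.0.0 and its ping to 12.11.12.1 fails (0/5).
router igrp 1
 passive-interface Ethernet0
 passive-interface Serial0
 passive-interface Serial1
 network 12.0.0.0
 network 172.16.0.0
 network 172.17.0.0
!
! --- Option 1: passive only on the user LAN -----------------------------
! No updates are sent onto the Ethernet segment, but the "network 12.0.0.0"
! statement still causes 12.0.0.0 to be advertised out the serial links,
! so the neighbour can route to (and ping) 12.11.12.1.
router igrp 1
 no passive-interface Serial0
 no passive-interface Serial1
 passive-interface Ethernet0
!
! --- Option 2: passive by default, enable only where needed -------------
! The form mentioned in the thread for IOS 12.0 and higher. Every
! interface starts passive; only the listed link sends updates.
router igrp 1
 passive-interface default
 no passive-interface Serial1
!
! --- Option 3: keep sending updates but hide 12.0.0.0 -------------------
! passive-interface does not filter routes. To stop this one network from
! being advertised, filter it with a distribute-list (or remove the
! "network 12.0.0.0" statement).
access-list 10 deny   12.0.0.0 0.255.255.255
access-list 10 permit any
router igrp 1
 distribute-list 10 out Serial1
!
! With RIP and IGRP a passive interface still accepts incoming updates, so
! the neighbour's side needs its own passive-interface or inbound
! distribute-list if its routes are not wanted.
!
! Verification (exec mode):
!   show ip protocols            passive interfaces and active filters
!   debug ip igrp transactions   updates sent and received, per interface
!   show ip route igrp           on the neighbour: what it actually learned
```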



Re: Passive Interface Help [7:30648]

2002-01-02 Thread Chuck Larrieu

I should also mention that in the ISP environment, this is particularly
useful and particularly necessary. According to my reading, ISPs will
habitually place all interfaces to the customer side as passive ( for the
ISP IGP ) and will then specifically activate interfaces where route and
routing protocol advertising should occur.

All of the examples surrounding the passive-interface default command (
available in IOS 12.0 and higher ) that I have seen on CCO specifically
reference ISP requirements.

Essentially, why advertise internal routes and updates out every dial up and
DSL connection? Why do your average Joe customers require this? So save
their bandwidth for the things they really want - transferring megabytes of
pictures via e-mail ;-

Chuck


Chuck Larrieu wrote in message news:[EMAIL PROTECTED]...
 All part of traffic control. Why waste bandwidth for updates that are not
 required.

 example:

 OSPF domain <--> router <--> IGRP domain

 the OSPF domain does not require direct knowledge of the IGRP domain, so
why
 send IGRP updates out the interface into the OSPF domain? or vice versa.

 also, as a matter of basic security design, suppose you have:

 bunch of users <--> ethernet_interface-router <--> routing_domain

 one might consider preventing routing advertisements into the user
ethernet
 domain as a precaution against users who may be running routing protocols
on
 their workstations and creating havoc as a result.

 I worked on a VPN/RLAN project for a major technology company a few months
 back. The company had several thousand users on this network, most of whom
 were engineers. The company had ongoing problems with these engineers
 testing equipment and services and creating situations where the
engineering
 work caused major problems on their production network. So they opted for
 static routing to the end user, and suppression of all routing
 advertisements out any of the VPN tunnels and RLAN connections.

 Make sense?

 Chuck


 CCIEn2002 wrote in message news:[EMAIL PROTECTED]...
  Thank you for the info. Now I am a little confused still on
  the passive interface. If it prevents routing updates
  from being sent out, why would one want a
  passive interface. From my understanding, a
  passive interface would not advertise its routing
  updates to its neighbor. If that is the case, I am perplexed
  on why I can ping a passive interface that is being advertised
  thru a routing protocol. In my case, my neighbor router
  is seeing an IGRP update for the Ethernet network.
 
  Why would you make the Ethernet passive if you can still
  ping it and see its routing update from a neighboring router
  via the show ip route ?
  This is where I get confused by the definition of passive.
 
  Any help..I am a rookie as you can see
 
  David
 
 
  - Original Message -
  From: cheekin
  To: ;
  Sent: Wednesday, January 02, 2002 4:43 AM
  Subject: Re: Passive Interface Help [7:30648]
 
 
   Hi,
  
   When you make the ethernet interface passive, it means no igrp updates
  will
   be sent out on the ethernet interface.  It doesn't stop the serial
  interface
   from advertising network 12.0.0.0 .  Which explains why you can still
 ping
   to the ethernet interface.  If for some reason you do not want network
   12.0.0.0 to be advertised, remove the network 12.0.0.0 statement or
use
   distribute-list to filter out the route.
  
   Regards,
   cheekin
  
   - Original Message -
   From:
   To:
   Sent: Wednesday, January 02, 2002 15:03
   Subject: Passive Interface Help [7:30648]
  
  
Happy New Year!!
   
I need a little help on what a passive
interface is. From what I can gather, a passive
interface does not advertise its route to its
neighbor ? Now if that is the case, why can
I still ping an interface that is set to passive.
Please note: This is excluding directly connected
routes.
   
For example, I set my Cisco 2509 ethernet interface
to passive. Why can I still ping the ethernet address
from my neighboring router Cisco 4000 ? I am
running IGRP. Why does the ethernet network show up in its routing
 table
   for
my Cisco 4000. From poking around with the passive interface command
 it
seems that I can not ping my ethernet address only if I set the
Serial
interfaces to passive also.
This seems odd. I thought if I made an ethernet interface passive, I
   should
not be able to ping it from a neighboring router or any other router
  since
it is not being
advertised.
   
Below is a sample of me being able to ping serial 1 off
my Cisco 2509 from my Cisco 4000. Serial 1 is not
directly connected. Serial 1 is being advertised.
   
   
   
   
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco2509
!
enable password router
   

OT: SCO System V/386 [7:30701]

2002-01-02 Thread Richard Tufaro

Hey guys/gals I know this is really OT but I thought I would throw it out
there to see if anyone has any ideas. I've got a SCO V/386 System and
apparently the thing is so old that no one remembers the password to it OR
is even with the company anymore. Is there a way that I can boot with a
floppy into a low level of the OS to extract and passwd file and crack it
offline? Anyone know of a program that does this? Any help would be
appreciated. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30701t=30701



Cheap lab equipment [7:30702]

2002-01-02 Thread Dan Lockwood

Does anyone have recommendations for purchasing cisco lab equipment?  I
thought I saw a post about a terminal server for ~$650 recently, but can
not find it now.  Any suggestions?

Dan Lockwood




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30702t=30702



Re: NAT problems. [7:30679]

2002-01-02 Thread Steven A. Ridder

I agree.  I can say with 100% certainty that it's not NAT/PAT if you have
those exact configs in the router.  It's IE.



Lange, Eric wrote in message news:[EMAIL PROTECTED]...
 Could be DNS problem.  Try going to http://198.133.219.25/

 This is Cisco.com.

 Probably not a NAT/PAT issue.

 Regards,
 Eric

 -Original Message-
 From: Larry Brown [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 02, 2002 9:44 AM
 To: [EMAIL PROTECTED]
 Subject: NAT problems. [7:30679]


 I set up nat with basic statements

 ip nat inside (fast 0)
 ip nat outside (serial 0.1)
 ip nat inside source list 1 interface serial0.1 overload
 access-list 1 permit 10.0.0.0 0.0.0.255 (This is the only access-list on
the
 box)

 If I do a show ip nat translations I can see internal  external local and
 global
 mappings but only for icmp (when the user pings something) and udp - no
tcp
 connections.  So, NATPAT is working.  The problem is Internet Explorer
 times out.
 Can I totally rule out NAT?  Anyone had this type of problem?









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30703t=30679



RE: SCO System V/386 [7:30701]

2002-01-02 Thread Sean Knox

Google is your friend:

http://www.google.com/search?hl=en&q=lost+root+password+%2BSCO

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 12:12 PM
To: [EMAIL PROTECTED]
Subject: OT: SCO System V/386 [7:30701]


Hey guys/gals I know this is really OT but I thought I would throw it out
there to see if anyone has any ideas. I've got a SCO V/386 System and
apparently the thing is so old that no one remembers the password to it OR
is even with the company anymore. Is there a way that I can boot with a
floppy into a low level of the OS to extract and passwd file and crack it
offline? Anyone know of a program that does this? Any help would be
appreciated. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30704t=30701



RE: CCIE Practical Studies by Cisco Press [7:30243]

2002-01-02 Thread Feargal Ledwidge

I haven't read the book yet but I used to work with the author and
happily recommend anything that he puts his name to.

Knowing the amount of time he put into the book, I'd say that $70 is a steal
!

Feargal

Feargal Ledwidge
[EMAIL PROTECTED]
Manager of Network & Systems Administration
TeraGlobal Communications


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 27, 2001 6:44 PM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Practical Studies by Cisco Press [7:30243]


I hope that we can get someone to do an in-depth review of the book and let
us know if it's worth it to add to the library :-)

-junovtv




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30705t=30243



Re: Cheap lab equipment [7:30702]

2002-01-02 Thread Shawn

Network hardware is selling 2509's for $595. I purchased one a month
ago, and it works great. Also comes with a warranty. Here's the link

http://www.networkhardware.com/shopping_weekly.html

Shawn
- Original Message -
From: Dan Lockwood 
To: 
Sent: Wednesday, January 02, 2002 3:22 PM
Subject: Cheap lab equipment [7:30702]


 Does anyone have recommendations for purchasing cisco lab equipment?  I
 thought I saw a post about a terminal server for ~$650 recently, but can
 not find it now.  Any suggestions?

 Dan Lockwood




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30706t=30702



Re: Passive Interface Help [7:30648]

2002-01-02 Thread Priscilla Oppenheimer

For that matter, why advertise routes on any leaf network that only has 
end nodes? In the IP world, most end nodes (workstations) don't care about 
routing updates. (It could be argued that it would be better if they did so 
you wouldn't need kludges like HSRP, but in fact, most workstation 
operating systems don't understand routing updates.)

Priscilla

At 03:06 PM 1/2/02, Chuck Larrieu wrote:
I should also mention that in the ISP environment, this is particularly
useful and particularly necessary. According to my reading, ISP's will
habitually place all interfaces to the customer side as passive ( for the
ISP IGP ) and will then specifically activate interfaces where route and
routing protocol advertising should occur.

All of the examples surrounding the passive-interface default command (
available in IOS 12.0 and higher ) that I have seen on CCO specifically
reference ISP requirements.

Essentially, why advertise internal routes and updates out every dial up and
DSL connection? Why do your average Joe customers require this? So save
their bandwidth for the things they really want - transferring megabytes of
pictures via e-mail ;-

Chuck


Chuck Larrieu wrote in message
news:[EMAIL PROTECTED]...
  All part of traffic control. Why waste bandwidth for updates that are not
  required.

  example:

  OSPF domainrouter--IGRP domain

  the OSPF domain does not require direct knowledge of the IGRP domain, so
  why send IGRP updates out the interface into the OSPF domain? or vice versa.

  also, as a matter of basic security design, suppose you have:

  bunch of usersethernet_interface-router--routing_domain

  one might consider preventing routing advertisements into the user
  ethernet domain as a precaution against users who may be running routing
  protocols on their workstations and creating havoc as a result.

  I worked on a VPN/RLAN project for a major technology company a few
  months back. The company had several thousand users on this network, most
  of whom were engineers. The company had ongoing problems with these
  engineers testing equipment and services and creating situations where the
  engineering work caused major problems on their production network. So
  they opted for static routing to the end user, and suppression of all
  routing advertisements out any of the VPN tunnels and RLAN connections.

  Make sense?
 
  Chuck
 
 
  CCIEn2002 wrote in message
  news:[EMAIL PROTECTED]...
   Thank you for the info. Now I am a little confused still on
   the passive interface. If it prevents routing updates
   from being sent out, why would one want a
   passive interface. From my understanding, a
   passive interface would not advertise its routing
   updates to its neighbor. If that is the case, I am perplexed
   on why I can ping a passive interface that is being advertised
   thru a routing protocol. In my case, my neighbor router
   is seeing an IGRP update for the Ethernet network.
  
   Why would you make the Ethernet passive if you can still
   ping it and see its routing update from a neighboring router
   via the show ip route ?
   This is where I get confused by the definition of passive.
  
   Any help..I am a rookie as you can see
  
   David
  
  
   - Original Message -
   From: cheekin
   To: ;
   Sent: Wednesday, January 02, 2002 4:43 AM
   Subject: Re: Passive Interface Help [7:30648]
  
  
Hi,
   
When you make the ethernet interface passive, it means no igrp updates
will be sent out on the ethernet interface.  It doesn't stop the serial
interface from advertising network 12.0.0.0 .  Which explains why you can
still ping to the ethernet interface.  If for some reason you do not want
network 12.0.0.0 to be advertised, remove the network 12.0.0.0 statement
or use distribute-list to filter out the route.
   
Regards,
cheekin
   
- Original Message -
From:
To:
Sent: Wednesday, January 02, 2002 15:03
Subject: Passive Interface Help [7:30648]
   
   
 Happy New Year!!

 I need a little help on what a passive
 interface is. From what I can gather, a passive
 interface does not advertise its route to its
 neighbor ? Now if that is the case, why can
 I still ping an interface that is set to passive.
 Please note: This is excluding directly connected
 routes.

 For example, I set my Cisco 2509 ethernet interface
 to passive. Why can I still ping the ethernet address
 from my neighboring router Cisco 4000 ? I am
 running IGRP. Why does the ethernet network show up in its routing
 table for my Cisco 4000. From poking around with the passive interface
 command it seems that I can not ping my ethernet address only if I set
 the Serial interfaces to passive also.
 This seems odd. I thought if I made an ethernet interface passive, I
 should not be able to 

Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

It sounds like you are sharing the broadcast domain with a bunch of other 
stations. The network is bridging on the edge. I think this is normal for 
cable modem systems. Is that what you are on?

Priscilla

At 12:23 PM 1/2/02, Phil Barker wrote:
Hi Group,
  I have been sniffing my broadband connection to
my ISP today and have a few questions.

  My main gripe is that I'm being sent around 100
Arp requests per minute, which obviously I cannot
resolve. These ARP requests are all originating from
my default G/W at the ISP trying to resolve MAC
addresses of various users. Can anyone confirm if this
is usual or unusual. I cannot see this being correct
since if I set my router up to be one of these IP
addresses I can resolve it to my MAC address Eth 0
int' or any other mac-address for that matter.

  They also send me DHCP requests, IGMP requests
for group 224.0.0.1 (Which I wish I could join) but
cannot and lots of their private address information
via the above mentioned ARP's.

  I also captured an attempt at an inbound TCP
connection on a dynamic port which my router RST,
thankfully.

  Are they wasting my B/W ?

Thanx,

Phil







Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30708t=30689



Re: RIF RC Field Question [7:30637]

2002-01-02 Thread Priscilla Oppenheimer

The Length field in the RC field indicates the total length of the RIF. 
Length values will be even values between 2 and 30 inclusive.

Source-route bridging is documented in Annex C of IEEE 802.1D MAC Bridges. 
You can get it for free now from IEEE. There's no need to rely on the 
sloppy work of authors who pump out multiple books per year. ;-)

Get the IEEE docs here:

http://standards.ieee.org/getieee802/

Priscilla


At 08:04 PM 1/1/02, Jason wrote:
All,

Is the length field in the RC of a RIF the total size of the RIF or the
total size of the RD?

According to the Rossi paper it is the total length of the RIF.

 Pg 5 Bits 12-8 (next 5) bits describe the total length of the RIF
 represented in bytes

 Example from the Rossi paper :  0830 00a1 014f 01e0 (Page 5)

However, in the Lammle/Swartz Study guide it is the total length of the RD.

 Pg 694 The Length field is the number of bytes used by the route
 descriptors.

 Example from the Study Guide : 0490 020b 1000 (answer C question 20)

Any and all help would be appreciated.

Thanks
js


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30709t=30637
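
The two RIF examples quoted in this thread, run through a parser that treats the Length field as the total RIF length (even, 2 to 30 inclusive) as stated in the reply above. This is an added example, not code from any poster; the function names are constructed, and the RC/RD bit layout and largest-frame table are the standard source-routing encoding as assumed here.

```python
# Added example: RIF parser using the "Length = total RIF bytes" reading.
# All names below are constructed for this illustration.

# 3-bit largest-frame codes carried in the RC field, in bytes (assumed table).
LARGEST_FRAME = {0: 516, 1: 1500, 2: 2052, 3: 4472,
                 4: 8144, 5: 11407, 6: 17800, 7: 65535}


class RIFError(ValueError):
    """The RIF failed a structural check and must not be parsed further."""


def routing_type(rc_hi: int) -> str:
    """Decode the three broadcast-indicator bits at the top of the RC field."""
    top = rc_hi >> 5
    if top & 0b100 == 0:
        return "specifically routed"
    return "spanning-tree explorer" if top & 0b010 else "all-routes explorer"


def parse_rif(hex_words: str) -> dict:
    """Parse a RIF given as hex words, validating Length before using it."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    if len(raw) < 2:
        raise RIFError("shorter than the 2-byte RC field")
    rc_hi, rc_lo = raw[0], raw[1]
    length = rc_hi & 0x1F                      # low 5 bits of the first byte
    if length % 2 or not 2 <= length <= 30:
        raise RIFError(f"Length {length} is not an even value in 2..30")
    if length != len(raw):                     # never trust the field blindly
        raise RIFError(f"Length says {length} bytes, {len(raw)} present")
    descriptors = []
    for off in range(2, length, 2):            # each RD is 2 bytes
        word = int.from_bytes(raw[off:off + 2], "big")
        descriptors.append((word >> 4, word & 0xF))   # (ring, bridge)
    return {
        "type": routing_type(rc_hi),
        "length": length,
        "direction": rc_lo >> 7,
        "largest_frame": LARGEST_FRAME[(rc_lo >> 4) & 0x7],
        "descriptors": descriptors,
    }


def length_readings(hex_words: str) -> list:
    """Report which reading of the Length field fits the bytes supplied."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    if not raw:
        return []
    length = raw[0] & 0x1F
    fits = []
    if length == len(raw):
        fits.append("total RIF")
    if length == len(raw) - 2:
        fits.append("route descriptors only")
    return fits


if __name__ == "__main__":
    for sample in ("0830 00a1 014f 01e0", "0490 020b 1000"):
        print(sample, "->", length_readings(sample))
        try:
            print("  ", parse_rif(sample))
        except RIFError as exc:
            print("   rejected:", exc)
```

The first example parses as rings 10, 20 and 30; the second is rejected under the total-length rule because its Length field only matches if it counts route-descriptor bytes alone.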



OT: DSL with PPPoE [7:30710]

2002-01-02 Thread Ole Drews Jensen

Just a quick note about my DSL connection with Southwestern Bell.

I have read some e-mails in the past about using a SMC router for PPPoE
instead of the (crappy) software that comes with the DSL modem (Enternet).

I went ahead and installed the SMC Barricade broadband router, and it only
took me about 10 minutes to get the router up and configured with my DSL
modem and the Enternet software removed.

I now have a constant connection to the Internet, so when I turn on my PC, I
do not have to login to anything - the Internet is available and ready right
away.

This SMC router can be purchased for $79.- and among the features I like
are:

- PPPoE
- 4 port LAN connection, so you don't have to use a hub/switch for multiple
PC's
- Built-in print server with DB25 jack
- Built-in com port for use with modem backup dial
- Built-in firewall features
- Built-in NAT feature

I was hoping to do this with a Cisco router, but you just can't compete with
the price.

Watch for word wrap:

http://shopper.cnet.com/shopping/resellers/1,10231,0-7085-311-2319870,00.html

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30710t=30710



Aeropoint - Cisco CSS 11000 Content switch [7:30711]

2002-01-02 Thread Byron

Hello-

Can anyone share any success stories and problem areas with the Cisco CSS
11000 Content Services Switch?  We're about to begin a migration of dual
Local Directors (supporting large ASP model web farm) moving to the CSS
11000.  We're upgrading due to bugs and instability we've experienced with
the LDs.  Would very much appreciate any experiences with the CSS 11000
product.

thx kindly.Byron






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30711t=30711



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Erick B.

Hi,

Just to expand on this... 

The 224.0.0.1 multicast query you're seeing is coming
from the cable modem I bet. I have a Surfboard 3100
cable modem and it sends out IGMP queries on 224.0.0.1
frequently. I'm not sure why the cable modem is doing
multicast and haven't really looked into it. I think
it may only be local to the LAN interface toward your
PC but not 100% positive. You can use your web browser
to view the log and status of the SB3100 cable modem
by the way, you can see the IP in the sniffer trace. 

If the ARP requests are originating from the ISP
default-gateway (first hop router for you) then maybe
they have proxy arp enabled. 

The DHCP requests could be from other users on your
segment, or maybe forwarded to a DHCP server on your
segment from another segment. 

Also, since you're on a shared segment with others
they may have set up their own networks, etc with
their own address space, etc that you might see
packets from. 

Erick

--- Priscilla Oppenheimer  wrote:
 It sounds like you are sharing the broadcast domain
 with a bunch of other 
 stations. The network is bridging on the edge. I
 think this is normal for 
 cable modem systems. Is that what you are on?
 
 Priscilla
 
 At 12:23 PM 1/2/02, Phil Barker wrote:
 Hi Group,
   I have been sniffing my broadband connection
 to
 my ISP today and have a few questions.
 
   My main gripe is that I'm being sent around
 100
 Arp requests per minute, which obviously I cannot
 resolve. These ARP requests are all originating
 from
 my default G/W at the ISP trying to resolve MAC
 addresses of various users. Can anyone confirm if
 this
 is usual or unusual. I cannot see this being
 correct
 since if I set my router up to be one of these IP
 addresses I can resolve it to my MAC address Eth 0
 int' or any other mac-address for that matter.
 
   They also send me DHCP requests, IGMP
 requests
 for group 224.0.0.1 (Which I wish I could join) but
 cannot and lots of their private address
 information
 via the above mentioned ARP's.
 
   I also captured an attempt at an inbound TCP
 connection on a dynamic port which my router RST,
 thankfully.
 
   Are they wasting my B/W ?
 
 Thanx,
 
 Phil
 
 
 
 
 
 
 
 Priscilla Oppenheimer
 http://www.priscilla.com
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30712t=30689



Configuration Register Question [7:30713]

2002-01-02 Thread Kaminski, Shawn G

I was working on a 2611 router and noticed that the configuration register
was set to 0x3962 !!! I tried to change it to 0x2102 but says it will change
to 0x3922 at the next reload. Just curious if anyone has seen this before
and what it means. When I looked at CCO I noticed that they didn't have any
information on 0x3000, only 0x1000, 0x2000, 0x4000, and 0x8000.

Shawn K.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30713t=30713



Re: Aeropoint - Cisco CSS 11000 Content switch [7:30711]

2002-01-02 Thread John Neiberger

We've got one of the original Arrowpoint CSS 100 switches and I love it.
 They're pretty easy to configure and very reliable.

However, we're going to be redesigning that portion of our network and
we're seriously considering moving to the competing product by F5.  They
have a new model that is just coming out called the Big IP 3000 that is
exactly what we need.  Pricey, but I've heard nothing but great things
about them.

As far as the Cisco stuff goes, I'm sure you'd be happy with it.  I
definitely love the one we have.

HTH,
John

 Byron  1/2/02 3:16:04 PM 
Hello-

Can anyone share any success stories and problem areas with the Cisco CSS
11000 Content Services Switch?  We're about to begin a migration of dual
Local Directors (supporting large ASP model web farm) moving to the CSS
11000.  We're upgrading due to bugs and instability we've experienced with
the LDs.  Would very much appreciate any experiences with the CSS 11000
product.

thx kindly.Byron






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30714t=30711



Re : Configuration Register Question [7:30715]

2002-01-02 Thread nick shah

check this url out..

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis4000/4000m/4000sig/vconfig.htm#41058

It has some good info on standard and so called non-std. config. register 
info.

hth
Nick







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30715t=30715



Re: Passive Interface Help [7:30648]

2002-01-02 Thread MADMAN

Kludge!!!  I'd rather refer to these features as job security :-)

  Dave

Priscilla Oppenheimer wrote:
 
 For that matter, why advertise routes on any leaf network that only has
 end nodes? In the IP world, most end nodes (workstations) don't care about
 routing updates. (It could be argued that it would be better if they did so
 you wouldn't need kludges like HSRP, but in fact, most workstation
 operating systems don't understand routing updates.)
 
 Priscilla

David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30716t=30648



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

Having proxy ARP enabled on the router would cause the router to send ARP 
replies not requests.

The fact that he sees ARP requests isn't surprising. He's on a shared 
network. On a shared network you see all the ARP requests from your local 
router to devices on your network.

Priscilla

At 05:24 PM 1/2/02, Erick B. wrote:
Hi,

Just to expand on this...

The 224.0.0.1 multicast query you're seeing is coming
from the cable modem I bet. I have a Surfboard 3100
cable modem and it sends out IGMP queries on 224.0.0.1
frequently. I'm not sure why the cable modem is doing
multicast and haven't really looked into it. I think
it may only be local to the LAN interface toward your
PC but not 100% positive. You can use your web browser
to view the log and status of the SB3100 cable modem
by the way, you can see the IP in the sniffer trace.

If the ARP requests are originating from the ISP
default-gateway (first hop router for you) then maybe
they have proxy arp enabled.

The DHCP requests could be from other users on your
segment, or maybe forwarded to a DHCP server on your
segment from another segment.

Also, since you're on a shared segment with others
they may have set up their own networks, etc with
their own address space, etc that you might see
packets from.

Erick

--- Priscilla Oppenheimer  wrote:
  It sounds like you are sharing the broadcast domain
  with a bunch of other
  stations. The network is bridging on the edge. I
  think this is normal for
  cable modem systems. Is that what you are on?
 
  Priscilla
 
  At 12:23 PM 1/2/02, Phil Barker wrote:
  Hi Group,
I have been sniffing my broadband connection
  to
  my ISP today and have a few questions.
  
My main gripe is that I'm being sent around
  100
  Arp requests per minute, which obviously I cannot
  resolve. These ARP requests are all originating
  from
  my default G/W at the ISP trying to resolve MAC
  addresses of various users. Can anyone confirm if
  this
  is usual or unusual. I cannot see this being
  correct
  since if I set my router up to be one of these IP
  addresses I can resolve it to my MAC address Eth 0
  int' or any other mac-address for that matter.
  
They also send me DHCP requests, IGMP
  requests
  for group 224.0.0.1 (Which I wish I could join) but
  cannot and lots of their private address
  information
  via the above mentioned ARP's.
  
I also captured an attempt at an inbound TCP
  connection on a dynamic port which my router RST,
  thankfully.
  
Are they wasting my B/W ?
  
  Thanx,
  
  Phil
  
  
  
  
  
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com
[EMAIL PROTECTED]




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30717t=30689



Re: Configuration Register Question [7:30713]

2002-01-02 Thread Rajesh Kumar

It means the baud rate was set to 38400 bps the other end to which it is
connected to - either a PC configured using Hyperterminal or a Terminal server.

Let me know if you need anything.

Thanks
Rajesh


Kaminski, Shawn G wrote:

 I was working on a 2611 router and noticed that the configuration register
 was set to 0x3962 !!! I tried to change it to 0x2102 but says it will change
 to 0x3922 at the next reload. Just curious if anyone has seen this before
 and what it means. When I looked at CCO I noticed that they didn't have any
 information on 0x3000, only 0x1000, 0x2000, 0x4000, and 0x8000.

 Shawn K.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30718t=30713



Re: Aeropoint - Cisco CSS 11000 Content switch [7:30711]

2002-01-02 Thread Brant Stevens

Personally, I hate the CSS...  many issues, especially if you use it to
distribute load for applications other than HTTP; SQL comes to mind...  Not
to mention that in my experience, Cisco support doesn't seem to know the box
too well...

I'm a big Foundry fan...  BigIP is also a very solid product line...

-Brant
- Original Message -
From: John Neiberger 
To: 
Sent: Wednesday, January 02, 2002 5:39 PM
Subject: Re: Aeropoint - Cisco CSS 11000 Content switch [7:30711]


 We've got one of the original Arrowpoint CSS 100 switches and I love it.
  They're pretty easy to configure and very reliable.

 However, we're going to be redesigning that portion of our network and
 we're seriously considering moving to the competing product by F5.  They
 have a new model that is just coming out called the Big IP 3000 that is
 exactly what we need.  Pricey, but I've heard nothing but great things
 about them.

 As far as the Cisco stuff goes, I'm sure you'd be happy with it.  I
 definitely love the one we have.

 HTH,
 John

  Byron  1/2/02 3:16:04 PM 
 Hello-

 Can anyone share any success stories and problem areas with the Cisco CSS
 11000 Content Services Switch?  We're about to begin a migration of dual
 Local Directors (supporting large ASP model web farm) moving to the CSS
 11000.  We're upgrading due to bugs and instability we've experienced with
 the LDs.  Would very much appreciate any experiences with the CSS 11000
 product.

 thx kindly.Byron






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30719t=30711



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Michael Damkot

Erick, you are seeing 224.0.0.1 Multicast Queries because 224.0.0.1 is
reserved for all systems on segment.  This is the IP that the IGMP queries
are going out to allowing the Router to determine if it needs to request
upstream for any Multicast Streams. It is pretty common to see that..

Mike


Erick B. wrote in message
news:[EMAIL PROTECTED]...
 Hi,

 Just to expand on this...

 The 224.0.0.1 multicast query you're seeing is coming
 from the cable modem I bet. I have a Surfboard 3100
 cable modem and it sends out IGMP queries on 224.0.0.1
 frequently. I'm not sure why the cable modem is doing
 multicast and haven't really looked into it. I think
 it may only be local to the LAN interface toward your
 PC but not 100% positive. You can use your web browser
 to view the log and status of the SB3100 cable modem
 by the way, you can see the IP in the sniffer trace.

 If the ARP requests are originating from the ISP
 default-gateway (first hop router for you) then maybe
 they have proxy arp enabled.

 The DHCP requests could be from other users on your
 segment, or maybe forwarded to a DHCP server on your
 segment from another segment.

 Also, since you're on a shared segment with others
 they may have set up their own networks, etc with
 their own address space, etc that you might see
 packets from.

 Erick

 --- Priscilla Oppenheimer  wrote:
  It sounds like you are sharing the broadcast domain
  with a bunch of other
  stations. The network is bridging on the edge. I
  think this is normal for
  cable modem systems. Is that what you are on?
 
  Priscilla
 
  At 12:23 PM 1/2/02, Phil Barker wrote:
  Hi Group,
I have been sniffing my broadband connection
  to
  my ISP today and have a few questions.
  
My main gripe is that I'm being sent around
  100
  Arp requests per minute, which obviously I cannot
  resolve. These ARP requests are all originating
  from
  my default G/W at the ISP trying to resolve MAC
  addresses of various users. Can anyone confirm if
  this
  is usual or unusual. I cannot see this being
  correct
  since if I set my router up to be one of these IP
  addresses I can resolve it to my MAC address Eth 0
  int' or any other mac-address for that matter.
  
They also send me DHCP requests, IGMP
  requests
  for group 224.0.0.1 (Which I wish I could join) but
  cannot and lots of their private address
  information
  via the above mentioned ARP's.
  
I also captured an attempt at an inbound TCP
  connection on a dynamic port which my router RST,
  thankfully.
  
Are they wasting my B/W ?
  
  Thanx,
  
  Phil
  
  
  
  
  
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com
 [EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30720t=30689



Re: Configuration Register Question [7:30713]

2002-01-02 Thread Berry Mobley

Boson's Config Register Calculator (free at www.boson.com) says that your 
console linespeed is 115200 instead of 9600.  Console port speed is set 
with the higher bits.

Berry

At 05:38 PM 1/2/2002 -0500, you wrote:
I was working on a 2611 router and noticed that the configuration register
was set to 0x3962 !!! I tried to change it to 0x2102 but says it will change
to 0x3922 at the next reload. Just curious if anyone has seen this before
and what it means. When I looked at CCO I noticed that they didn't have any
information on 0x3000, only 0x1000, 0x2000, 0x4000, and 0x8000.

Shawn K.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30721t=30713
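
The register values from this thread decoded as a bit field rather than as single hex digits, as an added example that is not from any poster. The bit meanings and the bit 5/12/11 console-speed table follow Cisco's commonly documented layout and are assumed here to apply to the 2611; the function names are constructed.

```python
# Added example: decode a Cisco configuration register as individual bits.
# Bit meanings and the console-speed table are the commonly documented
# layout, assumed (not confirmed on this page) to apply to the 2611.

# (bit 5, bit 12, bit 11) -> console baud rate
CONSOLE_BAUD = {
    (0, 0, 0): 9600,  (0, 0, 1): 4800,  (0, 1, 0): 1200,  (0, 1, 1): 2400,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}

# Single-bit flags outside the boot field and console-speed bits.
FLAGS = {
    0x0040: "ignore NVRAM startup-config",
    0x0080: "OEM bit",
    0x0100: "Break disabled",
    0x0400: "IP broadcast with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have net numbers",
    0x8000: "diagnostic messages, ignore NVRAM contents",
}

IGNORE_NVRAM = 0x0040


def decode(register: int) -> dict:
    """Split a 16-bit configuration register into its documented fields."""
    if not 0 <= register <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    speed_key = ((register >> 5) & 1, (register >> 12) & 1, (register >> 11) & 1)
    return {
        "boot_field": register & 0x000F,
        "console_baud": CONSOLE_BAUD[speed_key],
        "flags": [name for mask, name in FLAGS.items() if register & mask],
        "ignores_startup_config": bool(register & IGNORE_NVRAM),
    }


def changed_bits(old: int, new: int) -> list:
    """Return the single-bit masks that differ between two register values."""
    diff = old ^ new
    return [1 << i for i in range(16) if (diff >> i) & 1]


def audit(register: int) -> list:
    """Findings worth a second look when reviewing a router's register."""
    info = decode(register)
    findings = []
    if info["ignores_startup_config"]:
        findings.append("bit 6 set: startup-config is bypassed at boot")
    if info["console_baud"] != 9600:
        findings.append(f"console speed is {info['console_baud']}, not 9600")
    return findings


if __name__ == "__main__":
    for value in (0x3962, 0x3922, 0x2102):
        print(hex(value), decode(value), audit(value))
    # Bits by which the requested 0x2102 differs from the pending 0x3922:
    print([hex(b) for b in changed_bits(0x2102, 0x3922)])
```

Read this way, the "0x3000" in 0x3962 is bit 13 (0x2000) plus bit 12 (0x1000), and the requested 0x2102 differs from the pending 0x3922 only in the three console-speed bits.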



RE: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Jim Brown

Priscilla,

Wouldn't proxy ARP generate an ARP request and an ARP reply if the source
and target networks were directly connected to the router?


-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 02, 2002 3:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Sniffing my broadband connection to my ISP ??? [7:30689]


Having proxy ARP enabled on the router would cause the router to send ARP 
replies not requests.

The fact that he sees ARP requests isn't surprising. He's on a shared 
network. On a shared network you see all the ARP requests from your local 
router to devices on your network.

Priscilla

At 05:24 PM 1/2/02, Erick B. wrote:
Hi,

Just to expand on this...

The 224.0.0.1 multicast query you're seeing is coming
from the cable modem I bet. I have a Surfboard 3100
cable modem and it sends out IGMP queries on 224.0.0.1 frequently. I'm 
not sure why the cable modem is doing multicast and haven't really 
looked into it. I think it may only be local to the LAN interface 
toward your PC but not 100% positive. You can use your web browser
to view the log and status of the SB3100 cable modem
by the way, you can see the IP in the sniffer trace.

If the ARP requests are originating from the ISP default-gateway (first 
hop router for you) then maybe they have proxy arp enabled.

The DHCP requests could be from other users on your
segment, or maybe forwarded to a DHCP server on your
segment from another segment.

Also, since you're on a shared segment with others
they may have set up their own networks, etc with
their own address space, etc that you might see
packets from.

Erick

--- Priscilla Oppenheimer  wrote:
  It sounds like you are sharing the broadcast domain
  with a bunch of other
  stations. The network is bridging on the edge. I
  think this is normal for
  cable modem systems. Is that what you are on?
 
  Priscilla
 
  At 12:23 PM 1/2/02, Phil Barker wrote:
  Hi Group,
I have been sniffing my broadband connection
  to
  my ISP today and have a few questions.
  
My main gripe is that I'm being sent around
  100
  Arp requests per minute, which obviously I cannot
  resolve. These ARP requests are all originating
  from
  my default G/W at the ISP trying to resolve MAC
  addresses of various users. Can anyone confirm if
  this
  is usual or unusual. I cannot see this being
  correct
  since if I set my router up to be one of these IP addresses I can 
  resolve it to my MAC address Eth 0 int' or any other mac-address 
  for that matter.
  
They also send me DHCP requests, IGMP
  requests
  for group 224.0.0.1 (Which I wish I could join) but
  cannot and lots of their private address
  information
  via the above mentioned ARP's.
  
I also captured an attempt at an inbound TCP connection on a 
  dynamic port which my router RST, thankfully.
  
Are they wasting my B/W ?
  
  Thanx,
  
  Phil
  
  
  
  
  
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com
[EMAIL PROTECTED]




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30722t=30689



Problem with VPN over PPPoE ADSL [7:30723]

2002-01-02 Thread Bruce Williams

I have a customer with an ADSL line which uses PPPoE. They are able to
establish a VPN tunnel over the DSL line, but they are only able to ping
through the tunnel. TCP, UDP and other higher protocols will not work. I
heard that there is an issue with doing VPNs over PPPoE ADSL. Does anyone
know what the issue is and if there is a solution?

Bruce Williams
mailto:[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30723t=30723



OT: SSL Accelerators [7:30724]

2002-01-02 Thread John Neiberger

We are looking at buying some new load balancing switches and new cache
engines and somewhere in that mix we want to add SSL acceleration.  One
vendor that we're looking at sells load balancing switches with SSL
acceleration built-in.  Of course, they really like their way of doing
this.  The other vendor has a cache engine with SSL acceleration and
they say there is a significant performance increase by caching content
in SSL-ready format.

Do any of you have any thoughts here?  The first vendor is F5 and I
really like the looks of their Big IP series.  The second vendor is
Stratacache and I really don't know much about them despite having
talked to them about this.  :-)

Any tips?

Thanks,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30724t=30724



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Steven A. Ridder

As everyone else has said, this is normal for a shared access network.  Look
for routing protocol updates and other things as well.  On ATT's
cable-modem network you can see the ospf hello updates, who the DR and BDR
is and other things.  It can be fun.  Try dsniff or some other program and
you can see all the traffic on that network  :)  Be careful though because
you will probably get slammed and don't forget to reroute the traffic back
out or else someone will know something is wrong.



Phil Barker  wrote in message
news:[EMAIL PROTECTED]...
 Hi Group,
  I have been sniffing my broadband connection to
 my ISP today and have a few questions.

  My main gripe is that I'm being sent around 100
 Arp requests per minute, which obviously I cannot
 resolve. These ARP requests are all originating from
 my default G/W at the ISP trying to resolve MAC
 addresses of various users. Can anyone confirm if this
 is usual or unusual. I cannot see this being correct
 since if I set my router up to be one of these IP
 addresses I can resolve it to my MAC address Eth 0
 int' or any other mac-address for that matter.

  They also send me DHCP requests, IGMP requests
 for group 224.0.0.1 (Which I wish I could join) but
 cannot and lots of their private address information
 via the above mentioned ARP's.

  I also captured an attempt at an inbound TCP
 connection on a dynamic port which my router RST,
 thankfully.

  Are they wasting my B/W ?

 Thanx,

 Phil









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30725t=30689



RE: Configuration Register Question [7:30713]

2002-01-02 Thread Kaminski, Shawn G

Thanks for all the replies. Berry, thanks for the link to the Config
Register Calculator! You were correct regarding the console linespeed. It
was set at 115200. I changed it before the holidays but forgot that I had
done this when I got back to the office today! Changed it back to 9600 and
all is well!

Shawn K. 

-Original Message-
From: Berry Mobley [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 02, 2002 6:37 PM
To: Kaminski Shawn G; [EMAIL PROTECTED]
Subject: Re: Configuration Register Question [7:30713]


Boson's Config Register Calculator (free at www.boson.com) says that your 
console linespeed is 115200 instead of 9600.  Console port speed is set 
with the higher bits.

Berry

At 05:38 PM 1/2/2002 -0500, you wrote:
I was working on a 2611 router and noticed that the configuration 
register was set to 0x3962 !!! I tried to change it to 0x2102 but says 
it will change to 0x3922 at the next reload. Just curious if anyone has 
seen this before and what it means. When I looked at CCO I noticed that 
they didn't have any information on 0x3000, only 0x1000, 0x2000, 
0x4000, and 0x8000.

Shawn K.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30726t=30713



Re: Configuration Register Question [7:30713]

2002-01-02 Thread Steven A. Ridder

I need to do more studying on this topic, so forgive me for asking, but why
does the conf. reg change according to line console speed??  I thought the
confreg was just a setting telling the router where to boot from?  Does it
do more?


Kaminski, Shawn G  wrote in message
news:[EMAIL PROTECTED]...
 Thanks for all the replies. Berry, thanks for the link to the Config
 Register Calculator! You were correct regarding the console linespeed. It
 was set at 115200. I changed it before the holidays but forgot that I had
 done this when I got back to the office today! Changed it back to 9600 and
 all is well!

 Shawn K.

 -Original Message-
 From: Berry Mobley [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 02, 2002 6:37 PM
 To: Kaminski Shawn G; [EMAIL PROTECTED]
 Subject: Re: Configuration Register Question [7:30713]


 Boson's Config Register Calculator (free at www.boson.com) says that your
 console linespeed is 115200 instead of 9600.  Console port speed is set
 with the higher bits.

 Berry

 At 05:38 PM 1/2/2002 -0500, you wrote:
 I was working on a 2611 router and noticed that the configuration
 register was set to 0x3962 !!! I tried to change it to 0x2102 but says
 it will change to 0x3922 at the next reload. Just curious if anyone has
 seen this before and what it means. When I looked at CCO I noticed that
 they didn't have any information on 0x3000, only 0x1000, 0x2000,
 0x4000, and 0x8000.
 
 Shawn K.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30727t=30713
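
Added example (not from any poster in this thread): the configuration register is a 16-bit value in which the boot field, the console speed and several boot-time flags share bits, which is why 0x3962 decodes to a 115200 console. The bit layout follows Cisco's documented register format; `merge_keeping_speed` models the behaviour reported in the thread (0x2102 becoming 0x3922) and is an assumption, as are all function names.

```python
"""Decode a Cisco IOS configuration register (added example)."""

# Console speed is encoded by bits 5, 12 and 11 together. Bit 5 is used on
# platforms that support speeds above 9600, such as the 2600 in the thread.
SPEED_MASK = 0x1820
CONSOLE_BAUD = {  # (bit 5, bit 12, bit 11) -> baud
    (0, 0, 0): 9600, (0, 0, 1): 4800, (0, 1, 0): 1200, (0, 1, 1): 2400,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}

# Single-bit flags from Cisco's documented register layout.
FLAGS = {
    0x0040: "ignore NVRAM startup configuration",
    0x0080: "OEM bit enabled",
    0x0100: "Break disabled",
    0x0400: "IP broadcast with all zeros",
    0x2000: "boot default ROM software if network boot fails",
    0x4000: "IP broadcasts do not have network numbers",
    0x8000: "diagnostic messages enabled, NVRAM ignored",
}


def console_baud(value):
    """Look up the console speed selected by bits 5, 12 and 11."""
    key = ((value >> 5) & 1, (value >> 12) & 1, (value >> 11) & 1)
    return CONSOLE_BAUD[key]


def boot_field_meaning(field):
    """Describe the low four bits (the boot field)."""
    if field == 0:
        return "stay at the ROM monitor"
    if field == 1:
        return "boot the platform's default image"
    return "follow the boot system commands in the configuration"


def decode(value):
    """Split a 16-bit register value into boot field, baud and flags."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    field = value & 0x000F
    return {
        "boot_field": field,
        "boot": boot_field_meaning(field),
        "console_baud": console_baud(value),
        "flags": [name for bit, name in sorted(FLAGS.items()) if value & bit],
    }


def merge_keeping_speed(current, requested):
    """Assumption modelled on the thread: the requested value is applied
    but the console-speed bits of the current register are retained."""
    return (requested & ~SPEED_MASK & 0xFFFF) | (current & SPEED_MASK)


def audit(value):
    """Return findings a reviewer would want raised for this register."""
    info, findings = decode(value), []
    if value & 0x0040:
        findings.append("startup configuration is ignored at boot")
    if not value & 0x0100:
        findings.append("Break is not disabled")
    if info["console_baud"] != 9600:
        findings.append(f"console runs at {info['console_baud']} baud, not 9600")
    if info["boot_field"] == 0:
        findings.append("router stops at the ROM monitor on reload")
    return findings


if __name__ == "__main__":
    # Values taken from the thread: the register as found, the value the
    # poster asked for, and the value the router said it would use.
    for reg in (0x3962, 0x2102, merge_keeping_speed(0x3962, 0x2102)):
        print(hex(reg), decode(reg), audit(reg))
```

Besides the console speed, 0x3962 also has bit 6 set, so a router left at that value boots without loading its startup configuration.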



ISL Trunking [7:30728]

2002-01-02 Thread Ali, Abbas

Is it possible to remove default Vlans 1, 1002-1005 from ISL trunking?  I am
setting up ISL trunking between Catalyst 2924 and 3640 router.

I am running IOS on Catalyst XL 2924 and only want certain vlan on my link.
IOS does it, but then it also inserts default vlan 1 and 1002-1005
automatically.  The IOS accepts the remove command to remove vlans from the
current list, but will not remove default vlans.  

Ali




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30728t=30728



Re: OT: SSL Accelerators [7:30724]

2002-01-02 Thread Darrell Newcomb

Check out the Click Array products (www.clickarray.com).  Though one of
the younger vendors in this space they have a very good engineering
team.  I should note I've not used any of their products nor am I
affiliated with the company.  I've just had involved conversations and
know some of the employees.  The decisions and their basis tend to be
very sound.

John Neiberger wrote:
 
 We are looking at buying some new load balancing switches and new cache
 engines and somewhere in that mix we want to add SSL acceleration.  One
 vendor that we're looking at sells load balancing switches with SSL
 acceleration built-in.  Of course, they really like their way of doing
 this.  The other vendor has a cache engine with SSL acceleration and
 they say there is a significant performance increase by caching content
 in SSL-ready format.
 
 Do any of you have any thoughts here?  The first vendor is F5 and I
 really like the looks of their Big IP series.  The second vendor is
 Stratacache and I really don't know much about them despite having
 talked to them about this.  :-)
 
 Any tips?
 
 Thanks,
 John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30729t=30724



CCIE prep [7:30730]

2002-01-02 Thread Michael Lea

FYI -- To those out there that are looking for cheap rack rentals.  Rack
rentals are for 8 hour increments so you do not pay for a full 24 hours when
you only may need 8-16 hours of rack time

Here is the link:

www.ccrouters.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30730t=30730



RE: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

At 04:37 PM 1/2/02, Jim Brown wrote:
Priscilla,

Wouldn't proxy ARP generate an ARP request and an ARP reply if the source
and target networks were directly connected to the router?

No. Proxy ARP causes the router to generate ARP replies. It has no effect 
on ARP requests.

ARP requests are generated by normal ARP when a node tries to find the MAC 
address of another station. They are generated by end stations and by the 
router. The router has to find the MAC address just like any other station 
does.

He is sniffing on the broadband connection which presumably is shared by 
all hosts in his area (sometimes called a node in cable modem designs). 
He can see their ARPs and he can see the router's ARPs.

Proxy ARP allows devices to communicate with devices on the other side of 
the router without having to know that the router is there. In this case, 
end stations send ARP requests for local and non-local devices. For 
non-local addresses, the router responds with its own MAC address.

Priscilla



-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 3:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Sniffing my broadband connection to my ISP ??? [7:30689]


Having proxy ARP enabled on the router would cause the router to send ARP
replies not requests.

The fact that he sees ARP requests isn't surprising. He's on a shared
network. On a shared network you see all the ARP requests from your local
router to devices on your network.

Priscilla

At 05:24 PM 1/2/02, Erick B. wrote:
 Hi,
 
 Just to expand on this...
 
 The 224.0.0.1 multicast query you're seeing is coming
 from the cable modem I bet. I have a Surfboard 3100
 cable modem and it sends out IGMP queries on 224.0.0.1 frequently. I'm
 not sure why the cable modem is doing multicast and haven't really
 looked into it. I think it may only be local to the LAN interface
 toward your PC but not 100% positive. You can use your web browser
 to view the log and status of the SB3100 cable modem
 by the way, you can see the IP in the sniffer trace.
 
 If the ARP requests are originating from the ISP default-gateway (first
 hop router for you) then maybe they have proxy arp enabled.
 
 The DHCP requests could be from other users on your
 segment, or maybe forwarded to a DHCP server on your
 segment from another segment.
 
 Also, since you're on a shared segment with others
 they may have set up their own networks, etc with
 their own address space, etc that you might see
 packets from.
 
 Erick
 
 --- Priscilla Oppenheimer  wrote:
   It sounds like you are sharing the broadcast domain
   with a bunch of other
   stations. The network is bridging on the edge. I
   think this is normal for
   cable modem systems. Is that what you are on?
  
   Priscilla
  
   At 12:23 PM 1/2/02, Phil Barker wrote:
   Hi Group,
 I have been sniffing my broadband connection
   to
   my ISP today and have a few questions.
   
 My main gripe is that I'm being sent around
   100
   Arp requests per minute, which obviously I cannot
   resolve. These ARP requests are all originating
   from
   my default G/W at the ISP trying to resolve MAC
   addresses of various users. Can anyone confirm if
   this
   is usual or unusual. I cannot see this being
   correct
   since if I set my router up to be one of these IP addresses I can
   resolve it to my MAC address Eth 0 int' or any other mac-address
   for that matter.
   
 They also send me DHCP requests, IGMP
   requests
   for group 224.0.0.1 (Which I wish I could join) but
   cannot and lots of their private address
   information
   via the above mentioned ARP's.
   
 I also captured an attempt at an inbound TCP connection on a
   dynamic port which my router RST, thankfully.
   
 Are they wasting my B/W ?
   
   Thanx,
   
   Phil
   
   
   
   
   
   
  
   Priscilla Oppenheimer
   http://www.priscilla.com
 [EMAIL PROTECTED]
 
 


Priscilla Oppenheimer
http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30731t=30689
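
Added example (not from any poster in this thread): the message above separates ordinary ARP requests, which hosts and the router both send, from proxy ARP replies, where the router answers with its own MAC for non-local addresses. This sketch parses constructed Ethernet/ARP frames, counts requests per sender, and lists any MAC that claims several IPs and any IP claimed by more than one MAC. All addresses, frames and function names are made up for the illustration.

```python
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame; used only to make sample input."""
    mac_b = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip_b = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == OP_REQUEST else mac_b(tha)
    eth = dst + mac_b(sha) + struct.pack("!H", ETHERTYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + hdr + mac_b(sha) + ip_b(spa) + mac_b(tha) + ip_b(tpa)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": _mac(frame[22:28]), "spa": _ip(frame[28:32]),
        "tha": _mac(frame[32:38]), "tpa": _ip(frame[38:42]),
    }


def analyse(frames):
    """Summarise who is asking and which IP/MAC pairs are being claimed."""
    requests = Counter()            # sender IP -> number of ARP requests
    macs_for_ip = defaultdict(set)  # IP -> MACs that claimed it
    ips_for_mac = defaultdict(set)  # MAC -> IPs it claimed
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue                # not ARP, or not Ethernet/IPv4 ARP
        if arp["op"] == OP_REQUEST:
            requests[arp["spa"]] += 1
        if arp["spa"] == "0.0.0.0":
            continue                # address probe: claims no binding
        # Requests and replies both carry the sender's IP/MAC pair.
        macs_for_ip[arp["spa"]].add(arp["sha"])
        ips_for_mac[arp["sha"]].add(arp["spa"])
    return {
        "requests": dict(requests),
        "multi_ip_macs": {m: sorted(i) for m, i in ips_for_mac.items()
                          if len(i) > 1},
        "conflicting_ips": {i: sorted(m) for i, m in macs_for_ip.items()
                            if len(m) > 1},
    }


# Constructed sample capture (no real addresses).
GW_MAC, GW_IP = "00:00:0c:aa:aa:aa", "10.0.0.1"
HOST_MAC, HOST_IP = "00:10:a4:00:00:20", "10.0.0.20"
ZERO = "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    # The gateway resolving three subscribers: plain ARP requests.
    build_arp(OP_REQUEST, GW_MAC, GW_IP, ZERO, "10.0.0.20"),
    build_arp(OP_REQUEST, GW_MAC, GW_IP, ZERO, "10.0.0.21"),
    build_arp(OP_REQUEST, GW_MAC, GW_IP, ZERO, "10.0.0.22"),
    # A host asks for a non-local address; the gateway proxy-replies.
    build_arp(OP_REQUEST, HOST_MAC, HOST_IP, ZERO, "192.168.5.9"),
    build_arp(OP_REPLY, GW_MAC, "192.168.5.9", HOST_MAC, HOST_IP),
    # A second MAC claims the gateway's IP: worth investigating.
    build_arp(OP_REPLY, "00:11:22:33:44:55", GW_IP, HOST_MAC, HOST_IP),
    # A non-ARP frame, which the parser must skip.
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 28,
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_FRAMES).items():
        print(key, value)
```

A MAC that claims several IPs is what proxy ARP looks like on the wire; an IP claimed by two MACs is the case to follow up.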



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

At 06:42 PM 1/2/02, Steven A. Ridder wrote:
As everyone else has said, this is normal for a shared access network.  Look
for routing protocol updates and other things as well.  On ATT's
cable-modem network you can see the ospf hello updates, who the DR and BDR
is and other things.

Yep, that's true.

So now we have synergy between this thread and the Passive Interface 
thread! I like that! ;-)

Making the cable interface a passive interface seems like a good idea for 
many reasons, including security and not just bandwidth usage. (The 
bandwidth used by Hellos has gotta be pretty minimal!)

It can be fun.

A lot of people report seeing other broadcasts too, including NetBIOS, 
AppleTalk, etc. It's kind of scary.

Try dsniff or some other program and
you can see all the traffic on that network  :)  Be careful though because
you will probably get slammed and don't forget to reroute the traffic back
out or else someone will know something is wrong.

What's dsniff? What does that let you see? And what's this about having to 
reroute? Can you tell us more? THANKS

Priscilla




Phil Barker  wrote in message
news:[EMAIL PROTECTED]...
  Hi Group,
   I have been sniffing my broadband connection to
  my ISP today and have a few questions.
 
   My main gripe is that I'm being sent around 100
  Arp requests per minute, which obviously I cannot
  resolve. These ARP requests are all originating from
  my default G/W at the ISP trying to resolve MAC
  addresses of various users. Can anyone confirm if this
  is usual or unusual. I cannot see this being correct
  since if I set my router up to be one of these IP
  addresses I can resolve it to my MAC address Eth 0
  int' or any other mac-address for that matter.
 
   They also send me DHCP requests, IGMP requests
  for group 224.0.0.1 (Which I wish I could join) but
  cannot and lots of their private address information
  via the above mentioned ARP's.
 
   I also captured an attempt at an inbound TCP
  connection on a dynamic port which my router RST,
  thankfully.
 
   Are they wasting my B/W ?
 
  Thanx,
 
  Phil
 
 
 
 
 


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30732t=30689



Re: SSL Accelerators [7:30724]

2002-01-02 Thread Gaz

Not providing many/any answers here I'm afraid - just asking more questions.
Is SSL that suitable for caching? I would have thought that most SSL traffic
would be unique (Session ID's/transaction info etc).
That's not a cocky question, I really don't know. I suppose there will be
static content within the SSL pages.

I've used Intel SSL accelerators which seem to perform pretty well. We also
do a fair bit of load balancing with Foundry Networks kit (Server Irons/Big
Irons) and they're pretty nippy and pretty cheap compared to Cisco, and have
the advantage that their CLI is very close to Cisco.
I suppose it depends what scale you're doing it on.

From what I've seen of the Cisco CSS (Arrowpoint kit) they seem to offer
greater functionality/flexibility than Foundry, but not seen much of them
working in anger yet.

Be interesting to hear what Stratacache really mean by caching content in
SSL-ready format.


Gaz

John Neiberger  wrote in message
news:[EMAIL PROTECTED]...
 We are looking at buying some new load balancing switches and new cache
 engines and somewhere in that mix we want to add SSL acceleration.  One
 vendor that we're looking at sells load balancing switches with SSL
 acceleration built-in.  Of course, they really like their way of doing
 this.  The other vendor has a cache engine with SSL acceleration and
 they say there is a significant performance increase by caching content
 in SSL-ready format.

 Do any of you have any thoughts here?  The first vendor is F5 and I
 really like the looks of their Big IP series.  The second vendor is
 Stratacache and I really don't know much about them despite having
 talked to them about this.  :-)

 Any tips?

 Thanks,
 John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30733t=30724



Re: Problem with VPN over PPPoE ADSL [7:30723]

2002-01-02 Thread Brian Whalen

a wild guess, packet frag issues?  Try to ping with larger packets to test
this..

Brian Sonic Whalen
Success = Preparation + Opportunity


On Wed, 2 Jan 2002, Bruce Williams wrote:

 I have a customer with an ADSL line which uses PPPoE. They are able to
 establish a VPN tunnel over the DSL line, but they are only able to ping
 through the tunnel. TCP, UDP and other higher protocols will not work. I
 heard that there is an issue with doing VPNs over PPPoE ADSL. Does anyone
 know what the issue is and if there is a solution?

 Bruce Williams
 mailto:[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30734t=30723



Re: CCIE prep [7:30730]

2002-01-02 Thread Brad Ellis

GROUPSTUDY MEMBERS:  PLEASE DO NOT CONFUSE THIS SITE WITH CCBOOTCAMP.  They
are NOT affiliated with us in any way.

Michael, couple things:

Your first post to the group (or at least in the past two months) and you're
spamming your site, not good.

Why would anyone want to pay $100 for 16 hours of racktime without ATM when
they can get the same type of gear for $80 (rack2) for a full 24 hours from
us?  Just curious.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
used Cisco gear:  www.optsys.net
CCIE Labs, racks, and classes:  http://www.ccbootcamp.com/quicklinks.html

Michael Lea  wrote in message
news:[EMAIL PROTECTED]...
 FYI -- To those out there that are looking for cheap rack rentals.  Rack
 rentals are for 8 hour increments so you do not pay for a full 24 hours when
 you only may need 8-16 hours of rack time

 Here is the link:




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30735t=30730



Re: SSL Accelerators [7:30724]

2002-01-02 Thread matt shiite

Personally I have used the Alteon series
loadbalancers with their ISD ssl accelerator.  I can't
complain...they have worked like a champ. Just another
option for ya  :)


ms
--- Gaz  wrote:
 Not providing many/any answers here I'm afraid -
 just asking more questions.
 Is SSL that suitable for caching? I would have
 thought that most SSL traffic
 would be unique (Session ID's/transaction info etc).
 That's not a cocky question, I really don't know. I
 suppose there will be
 static content within the SSL pages.
 
 I've used Intel SSL accelerators which seem to
 perform pretty well. We also
 do a fair bit of load balancing with Foundry
 Networks kit (Server Irons/Big
 Irons) and they're pretty nippy and pretty cheap
 compared to Cisco, and have
 the advantage that their CLI is very close to Cisco.
 I suppose it depends what scale you're doing it on.
 
 From what I've seen of the Cisco CSS (Arrowpoint
 kit) they seem to offer
 greater functionality/flexibility than Foundry, but
 not seen much of them
 working in anger yet.
 
 Be interesting to hear what Stratacache really mean
 by caching content in
 SSL-ready format.
 
 
 Gaz
 
 John Neiberger  wrote in message
 news:[EMAIL PROTECTED]...
  We are looking at buying some new load balancing
 switches and new cache
  engines and somewhere in that mix we want to add
 SSL acceleration.  One
  vendor that we're looking at sells load balancing
 switches with SSL
  acceleration built-in.  Of course, they really
 like their way of doing
  this.  The other vendor has a cache engine with
 SSL acceleration and
  they say there is a significant performance
 increase by caching content
  in SSL-ready format.
 
  Do any of you have any thoughts here?  The first
 vendor is F5 and I
  really like the looks of their Big IP series.  The
 second vendor is
  Stratacache and I really don't know much about
 them despite having
  talked to them about this.  :-)
 
  Any tips?
 
  Thanks,
  John
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30737t=30724



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Steven A. Ridder

Dsniff uses icmp default gateway redirects (the ICMP message that tells
hosts that a different router has a better path to the destination network).
This will automatically make the user's PC redirect all traffic to your PC
dynamically (the client never knows about it), because he thinks you are a
router and that you'd be a better default gateway.  You just have to have a
multihomed PC because you still need to forward the traffic to the
destination, otherwise you'll get caught.

It's a pretty good hacking tool and has been ported from *nix to Windows for
years.  Makes switches just like hubs again.  Use this with L0phtCrack and
you can get NT PW's, etc..


Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
 At 06:42 PM 1/2/02, Steven A. Ridder wrote:
 As everyone else has said, this is normal for a shared access network.
Look
 for routing protocol updates and other things as well.  On ATT's
 cable-modem network you can see the ospf hello updates, who the DR and
BDR
 is and other things.

 Yep, that's true.

 So now we have synergy between this thread and the Passive Interface
 thread! I like that! ;-)

 Making the cable interface a passive interface seems like a good idea for
 many reasons, including security and not just bandwidth usage. (The
 bandwidth used by Hellos has gotta be pretty minimal!)

 It can be fun.

 A lot of people report seeing other broadcasts too, including NetBIOS,
 AppleTalk, etc. It's kind of scary.

 Try dsniff or some other program and
 you can see all the traffic on that network  :)  Be careful though
because
 you will probably get slammed and don't forget to reroute the traffic
back
 out or else someone will know something is wrong.

 What's dsniff? What does that let you see? And what's this about having to
 reroute? Can you tell us more? THANKS

 Priscilla




 Phil Barker  wrote in message
 news:[EMAIL PROTECTED]...
   Hi Group,
I have been sniffing my broadband connection to
   my ISP today and have a few questions.
  
My main gripe is that I'm being sent around 100
   Arp requests per minute, which obviously I cannot
   resolve. These ARP requests are all originating from
   my default G/W at the ISP trying to resolve MAC
   addresses of various users. Can anyone confirm if this
   is usual or unusual. I cannot see this being correct
   since if I set my router up to be one of these IP
   addresses I can resolve it to my MAC address Eth 0
   int' or any other mac-address for that matter.
  
They also send me DHCP requests, IGMP requests
   for group 224.0.0.1 (Which I wish I could join) but
   cannot and lots of their private address information
   via the above mentioned ARP's.
  
I also captured an attempt at an inbound TCP
   connection on a dynamic port which my router RST,
   thankfully.
  
Are they wasting my B/W ?
  
   Thanx,
  
   Phil
  
  
  
  
  
 

 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30736t=30689



Re: ISL Trunking [7:30728]

2002-01-02 Thread Darren Crawford

You can clear the trunks for anything 2-1005 and 1025-4096 (6000 series)
but I don't believe it will allow you to do that with the default VLAN.

HTH

Darren

At 06:59 PM 1/2/2002 -0500, Ali, Abbas wrote:
Is it possible to remove default Vlans 1, 1002-1005 from ISL trunking?  I am
setting up ISL trunking between Catalyst 2924 and 3640 router.

I am running IOS on Catalyst XL 2924 and only want certain vlan on my link.
IOS does it, but then it also inserts default vlan 1 and 1002-1005
automatically.  The IOS accepts the remove command to remove vlans from the
current list, but will not remove default vlans.  

Ali

Lucent Technologies
NetworkCare Professional Services
http//www.lucent.com/netcare/
Darren S. Crawford - CCNP, CCDP, CCIE TBA

Northwest Region - Sacramento Office
Voicemail (916) 859-5200 x310
Pager (800) 467-1467
mailto:[EMAIL PROTECTED]


You always have time for things you put first - Tucker Resources




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30739t=30728



Need advice [7:30742]

2002-01-02 Thread Stephane Wantou Siantou

Hi everybody,

I am a network engineer (CCNP) who has just lost his job.  I am wondering
if I should start preparing for the CCIE.  Are CCIEs still able to find
jobs?  I look forward to your inputs.
Thanks
Stephane




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30742t=30742



RE: SSL Accelerators [7:30724]

2002-01-02 Thread Bullock, Jason

tell you what the f5 bigip still works very nice...  





-Original Message-
From: matt shiite [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 07:44 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL Accelerators [7:30724]


Personally I have used the Alteon series
loadbalancers with their ISD ssl accelerator.  I can't
complain...they have worked like a champ. Just another
option for ya  :)


ms
--- Gaz  wrote:
 Not providing many/any answers here I'm afraid -
 just asking more questions.
 Is SSL that suitable for caching? I would have
 thought that most SSL traffic
 would be unique (Session ID's/transaction info etc).
 That's not a cocky question, I really don't know. I
 suppose there will be
 static content within the SSL pages.
 
 I've used Intel SSL accelerators which seem to
 perform pretty well. We also
 do a fair bit of load balancing with Foundry
 Networks kit (Server Irons/Big
 Irons) and they're pretty nippy and pretty cheap
 compared to Cisco, and have
 the advantage that their CLI is very close to Cisco.
 I suppose it depends what scale you're doing it on.
 
 From what I've seen of the Cisco CSS (Arrowpoint
 kit) they seem to offer
 greater functionality/flexibility than Foundry, but
 not seen much of them
 working in anger yet.
 
 Be interesting to hear what Stratacache really mean
 by caching content in
 SSL-ready format.
 
 
 Gaz
 
 John Neiberger  wrote in message
 news:[EMAIL PROTECTED]...
  We are looking at buying some new load balancing
 switches and new cache
  engines and somewhere in that mix we want to add
 SSL acceleration.  One
  vendor that we're looking at sells load balancing
 switches with SSL
  acceleration built-in.  Of course, they really
 like their way of doing
  this.  The other vendor has a cache engine with
 SSL acceleration and
  they say there is a significant performance
 increase by caching content
  in SSL-ready format.
 
  Do any of you have any thoughts here?  The first
 vendor is F5 and I
  really like the looks of their Big IP series.  The
 second vendor is
  Stratacache and I really don't know much about
 them despite having
  talked to them about this.  :-)
 
  Any tips?
 
  Thanks,
  John
[EMAIL PROTECTED]









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30741t=30724



Re: CCIE prep [7:30730]

2002-01-02 Thread Chuck Larrieu

the idea of 24 hour rack rental can be attractive. especially for doing
those full blown practice labs.

OTOH,  smaller increments make sense for a lot of reasons as well. Suppose I
want to spend the last couple of weeks before the test doing certain
specific things - voice, ATM, Cat configuration, for example? A couple of 8
hour sessions ( or less ) might be just the thing.

Also, Brad, at present your racks require how much lead time to schedule?
Last time I looked, it was weeks to months. One other place I looked it was
days to a couple of weeks. I don't know at what point it makes it worth
yours or any competitor's operation to add more racks, and I am not sure
what the tolerance is for long lead times to get access. Supply and demand
meet impatience. :-

I will say that in my experience, it has always been easy to reach someone
in your office to check out various things, or to do voice testing. This is
not always true elsewhere.

JMHO

Chuck


Brad Ellis  wrote in message
news:[EMAIL PROTECTED]...
 GROUPSTUDY MEMBERS:  PLEASE DO NOT CONFUSE THIS SITE WITH CCBOOTCAMP.
They
 are NOT affiliated with us in any way.

 Michael, couple things:

 Your first post to the group (or at least in the past two months) and you're
 spamming your site, not good.

 Why would anyone want to pay $100 for 16 hours of racktime without ATM
when
 they can get the same type of gear for $80 (rack2) for a full 24 hours
from
 us?  Just curious.

 thanks,
 -Brad Ellis
 CCIE#5796 (RS / Security)
 Network Learning Inc
 [EMAIL PROTECTED]
 used Cisco gear:  www.optsys.net
 CCIE Labs, racks, and classes:  http://www.ccbootcamp.com/quicklinks.html

 Michael Lea  wrote in message
 news:[EMAIL PROTECTED]...
  FYI -- To those out there that are looking for cheap rack rentals.  Rack
  rentals are for 8 hour increments so you do not pay for a full 24 hours when
  you only may need 8-16 hours of rack time
 
  Here is the link:




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30740t=30730
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Sniffing my broadband connection to my ISP ??? [7:30689]

2002-01-02 Thread Priscilla Oppenheimer

I read up on it. It appears to have been developed for beneficial purposes 
but is also a hacker tool. The written material says it's a set of tools 
actually. The relevant one uses ARP, not ICMP. (There was no mention of ICMP 
being used.) It sends an ARP reply for the IP address of the default 
gateway. Actually it can send an ARP reply for anything. There's no need to 
be multihomed, but IP forwarding must be enabled or you'll get caught, as 
you say, (plus you wouldn't see anything because the target would lose its 
connections).

Priscilla

At 07:43 PM 1/2/02, Steven A. Ridder wrote:
Dsniff uses icmp default gateway redirects (the ICMP message that tells
hosts that a different router has a better path to the destination network).
This will automatically make the user's PC redirect all traffic to your PC
dynamically (the client never knows about it), because he thinks you are a
router and that you'd be a better default gateway.  You just have to have a
multihomed PC because you still need to forward the traffic to the
destination, otherwise you'll get caught.

It's a pretty good hacking tool and has been ported from *nix to Windows for
years.  Makes switches just like hubs again.  Use this with L0phtCrack and
you can get NT PW's, etc..


Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
  At 06:42 PM 1/2/02, Steven A. Ridder wrote:
  As everyone else has said, this is normal for a shared access network. Look
  for routing protocol updates and other things as well.  On ATT's
  cable-modem network you can see the ospf hello updates, who the DR and BDR
  is and other things.
 
  Yep, that's true.
 
  So now we have synergy between this thread and the Passive Interface
  thread! I like that! ;-)
 
  Making the cable interface a passive interface seems like a good idea for
  many reasons, including security and not just bandwidth usage. (The
  bandwidth used by Hellos has gotta be pretty minimal!)
 
  It can be fun.
 
  A lot of people report seeing other broadcasts too, including NetBIOS,
  AppleTalk, etc. It's kind of scary.
 
  Try dsniff or some other program and
  you can see all the traffic on that network  :)  Be careful though because
  you will probably get slammed and don't forget to reroute the traffic back
  out or else someone will know something is wrong.
 
  What's dsniff? What does that let you see? And what's this about having to
  reroute? Can you tell us more? THANKS
 
  Priscilla
 
 
 
 
  Phil Barker  wrote in message
  news:[EMAIL PROTECTED]...
Hi Group,
 I have been sniffing my broadband connection to
my ISP today and have a few questions.
   
 My main gripe is that I'm being sent around 100
Arp requests per minute, which obviously I cannot
resolve. These ARP requests are all originating from
my default G/W at the ISP trying to resolve MAC
addresses of various users. Can anyone confirm if this
is usual or unusual. I cannot see this being correct
since if I set my router up to be one of these IP
addresses I can resolve it to my MAC address Eth 0
int' or any other mac-address for that matter.
   
 They also send me DHCP requests, IGMP requests
for group 224.0.0.1 (Which I wish I could join) but
cannot and lots of their private address information
via the above mentioned ARP's.
   
 I also captured an attempt at an inbound TCP
connection on a dynamic port which my router RST,
thankfully.
   
 Are they wasting my B/W ?
   
Thanx,
   
Phil
   
   
   
   
   
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30743t=30689
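
The forged ARP reply for the default gateway's address that this message describes can be detected by watching IP-to-MAC bindings. The following is an added example, not part of the thread or of any tool named in it; the class and function names are hypothetical and the frames use constructed documentation addresses.

```python
import socket
import struct

# EtherType ARP, then htype=Ethernet, ptype=IPv4, hlen=6, plen=4
HDR = b"\x08\x06\x00\x01\x08\x00\x06\x04"

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:20] != HDR:
        return None
    op, sha, spa, _tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpWatch:
    """Tracks IP-to-MAC bindings and flags two signs of a forged ARP reply."""
    def __init__(self):
        self.bindings = {}    # ip -> first MAC seen claiming it
        self.pending = set()  # IPs somebody has asked for (op 1, who-has)

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, mac, ip, target = parsed
        alerts = []
        if op == 1:
            self.pending.add(target)
        elif op == 2:
            if ip not in self.pending:          # nobody asked for this address
                alerts.append(("unsolicited-reply", ip, mac))
            self.pending.discard(ip)
        # ARP probes carry sender IP 0.0.0.0 and bind nothing
        if ip != "0.0.0.0" and self.bindings.setdefault(ip, mac) != mac:
            alerts.append(("binding-changed", ip, mac))
        return alerts

def build(op, smac, sip, tmac, tip):  # constructs a 42-byte sample frame
    s, t = (bytes.fromhex(m.replace(":", "")) for m in (smac, tmac))
    dst = b"\xff" * 6 if op == 1 else t
    return dst + s + HDR + struct.pack("!H", op) + s + socket.inet_aton(sip) + t + socket.inet_aton(tip)

GW, HOST, OTHER = "00:00:5e:00:53:01", "00:00:5e:00:53:0a", "00:00:5e:00:53:66"
SAMPLE = [  # constructed frames, documentation addresses only
    build(1, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),  # host asks for gateway
    build(2, GW, "192.0.2.1", HOST, "192.0.2.10"),                   # gateway answers
    build(2, OTHER, "192.0.2.1", HOST, "192.0.2.10"),                # second MAC claims gateway IP
]

def run(frames):
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]
```

A legitimate gateway failover or NIC replacement also changes the binding, so an alert is a lead to check against the known gateway hardware address rather than proof of interception.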



Protocol type codes and SAP's [7:30744]

2002-01-02 Thread Lupi, Guy

Can anyone explain the ethernet and token ring protocol type codes for me?
I know you can filter DLSw and SRB using them but I don't really understand
what they are, I found a table containing all the popular ones.  IBM SNA is
80D5, does that mean that all SNA traffic has this type code, and that if
you denied it in an access list all SNA traffic would be denied?   Also,
SAP's follow the format 0x, each of the 0s representing one byte of
data, the first 2 digits after the x are the DSAP, the last 2 are the SSAP,
is this correct?  I would really appreciate it if someone could point me to
where I could find some good information on this type of stuff.  I would
hate to just memorize the common values without knowing why and how they
work.  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30744t=30744



Re: question about VPN-IPSEC and NAT [7:30694]

2002-01-02 Thread Jeff Smith

This is a remote access vpn situation?  If you can ping the server then we 
can assume that the tunnel was set up correctly and it is not a situation 
where IPSec protocols are being blocked.  Try playing with the IPSec over 
NAT setting on the client itself.


From: Leonardo Borda 
Reply-To: Leonardo Borda 
To: [EMAIL PROTECTED]
Subject: question about VPN-IPSEC and NAT [7:30694]
Date: Wed, 2 Jan 2002 13:55:14 -0500

Hello,

 I have in my organization a cisco router 2600 running NAT and IPSEC56. I
want to configure two access-lists. One for inbound access and another one
for outbound access and apply it in the same serial line.
 Does anyone know what are the ports I have to permit to work that job
successfully as much inbound as outbound?

 I had success in configuring internet access and it's working fine but
over IPSEC my users from the other side of VPN can not access my exchange
server using VPN. but they can ping it...

 thanks.

   Leonardo Borda.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30745t=30694



Routers for Sale [7:30747]

2002-01-02 Thread Thomas Jreige

I am in Sydney Australia - Number is +61 417224884



Web site is http://www.geocities.com/thomasjreige

Email is [EMAIL PROTECTED]





Items for Sale !!



Equipment

Cisco 803 ISDN Router
 Cisco IOS 12.1 IP Plus + IPSec Software Image

 4 port hub + 1 BRI Interface + 2 POTS

 12M RAM + 8M Flash

 $700 ono



Cisco 2501 Router
 Cisco IOS 12.0 IP Plus Software Image

 1 Ethernet + 2 Serial + 1 Aux

 16M RAM + 8M Flash

 $1200 ono



Cisco 2501 Router
 Cisco IOS 11.3 40-bit DES Software Image

 1 Ethernet + 2 Serial + 1 Aux

 4MB RAM + 8MB Flash

 $900 ono



Cisco DTE - DCE Back-to-Back Serial Cable

 $200 ono



Netgear EN108 Hub
 $100 ono



Books - Make an offer


Mastering HTML 4.0

Exam Cram - CCNP Switching

Cisco Press - Cisco IOS 12.0 Dial Solutions

Cisco Press - Cisco IOS 12.0 Solutions for Network Protocols Volume 2 IP

Mastering Linux 6.0 Premium Edition

Sybex CCNP LAN Switching Exam Notes

Sybex CCDA Exam Notes

Exam Cram - CCNP Routing

Caslow - Cisco Certification, Bridges, Routers and Switches for CCIE's

Cisco Press - Designing Cisco Networks

Cisco Press - CCNP Building Cisco Scalable Switched Networks

McGraw Hill - Building Scalable Cisco Networks

Mastering Perl 5

The Cabling Handbook

Multiprotocol Network Design and Troubleshooting

Linux - A network solution for your office




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30747t=30747



setting SPAN on Cat 1900 [7:30746]

2002-01-02 Thread Chong Chun Wei (Central)

Dear all,

Is it possible to set SPAN on a catalyst 1900? If yes, how?
Thank you.

Cheers,
Alvin Chong
IT-NCS
Mobile: 016- 3304503
Fixed:   03 - 7211595




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30746t=30746



Error message on 4000 router [7:30748]

2002-01-02 Thread mindiani mindiani

I just bought a 4000-m router for practice and I keep getting the following 
error messages while booting up. It really slows down the bootup process. 
How can I get rid of these error messages?



Warning: flash:null does not exist.  Command retained.
Warning: flash:flash does not exist.  Command retained.
%Error opening tftp://255.255.255.255/network-confg (Timed out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)
%Error opening tftp://255.255.255.255/test-confg (Timed out)
%Error opening tftp://255.255.255.255/test.cfg (Timed out)






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30748t=30748



Re: setting SPAN on Cat 1900 [7:30746]

2002-01-02 Thread Priscilla Oppenheimer

The Catalyst 1900 doesn't call it SPAN but you can do the same 
functionality with the monitor-port command. You should first enter the 
command to enable the monitoring feature and then configure two parameters 
- the port where the analyzer resides and the ports that will be monitored.

Good luck!

Priscilla

At 09:49 PM 1/2/02, Chong Chun Wei (Central) wrote:
Dear all,

Is it possible to set SPAN on a catalyst 1900? If yes, how?
Thank you.

Cheers,
Alvin Chong
IT-NCS
Mobile: 016- 3304503
Fixed:   03 - 7211595


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30749t=30746



Re: Passive Interface Help [7:30648]

2002-01-02 Thread Tom Lisa

Dave,

If you want job security, become a tenured professor.  Low pay but lots
of security! :)

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco Regional Networking Academy

MADMAN wrote:

  Kludge!!!  I'd rather refer to these features as job security :-)

Dave

  Priscilla Oppenheimer wrote:
  
   For that matter, why advertise routes on any leaf network that only has
   end nodes? In the IP world, most end nodes (workstations) don't care about
   routing updates. (It could be argued that it would be better if they did so
   you wouldn't need kludges like HSRP, but in fact, most workstation
   operating systems don't understand routing updates.)
  
   Priscilla

  David Madland
  Sr. Network Engineer
  CCIE# 2016
  Qwest Communications Int. Inc.
  [EMAIL PROTECTED]
  612-664-3367

  Emotion should reflect reason not guide it
  [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30750t=30648


