Problem with RSA ACE SERVER (aka SecureID) authentication for [7:69995]

2003-06-03 Thread d tran
All,
I am trying to get the RSA ACE Server to authenticate VPN remote 
users that terminate VPN connection to my Pix firewall.  So far it is
not working and here is my scenario:
 
Pix FW: 
Outside IP:  12.1.1.100 (netmask /21)
Inside IP:  172.161.254 (netmask /24)
DMZ IP:  172.18.1.254 (netmask /24)
 
The IP address of the RSA ACE-Server is 172.18.1.2.  Here is the 
configuration on my pix firewall.  By the way, I am using Pix OS 6.3(1):
 
ip local pool test 172.30.1.1-172.30.1.254
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server ACE-SERVER protocol radius
aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set set2 esp-des esp-sha-hmac
crypto ipsec transform-set set3 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
crypto map outside 20 ipsec-isakmp dynamic vpnremote
crypto map outside client configuration address respond
crypto map outside client authentication ACE-SERVER
 outside interface outside
isakmp enable outside
isakmp key *** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default address-pool test
vpngroup default dns-server 129.174.1.8
vpngroup default wins-server 129.174.1.8
vpngroup default default-domain test.com
vpngroup default split-tunnel 100
vpngroup default split-dns test.com
vpngroup default idle-time 1800
 
The problem is that whenever the pix sends an "access-request" to the
RSA ACE Server, the ACE Server sends back an "access-reject" to the 
pix.  It seems like the ACE Server thinks that the pix is an 
"unauthorized" host to communicate with the ACE Server.  Now, I 
add the pix as an "Agent Hosts" on the ACE Server (Is this similar to
the clients.conf to FreeRadius?) and it still wouldn't work.  Radius is 
also running on the ACE Server so I know that the communication is 
there.  Furthermore, there is NO blocking of communication between the
Pix and the ACE Server. Can someone with experience with ACE Server
help me out with this problem?  It has been a frustrating week.  
 
I am running ACE Server version 5.1 on both Windows 2000 Server.
 
D






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69995&t=69995
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread M.C. van den Bovenkamp
koh jef wrote:

> is there any way/s to configure multiple VLANs in a single switch port?

Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on 
what switch you're using.

Most switches can't do it, but some can; Cisco's 2900 series can, for 
instance.

Regards,

Marco.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69997&t=69991


RE: multiple isakmp policies question-No authentication [7:69996]

2003-06-03 Thread Richard Campbell
Hey...  thanks..  finally I got response from my PIX515, but it just hangs at 
securing communication channel stage (see below) and it doesn't authenticate 
the users.  What config should I add to point it to my authentication server 
192.168.1.201?  For your info, my VPN client is installed at Win95 and my 
authentication server is a W2K server.

Initializing the connection...
Contacting the gateway at 100.100.100.101...
Negotiating security policies...
Securing communication channel...

I remember in VPN3000 server, I need to specify the authentication server 
for VPN group, but why in PIX515 sample on the net, why it doesn't have this 
entry

>From: Andrew Larkins 
>
>from what I remember about this, they will try each policy until a match is
>made, otherwise the connection terminates
>
>-Original Message-
>From: Richard Campbell [mailto:[EMAIL PROTECTED]
>
>hey..  I have a PIX 515 and have a PIX to PIX connection to London and NY
>using pre-shared key des, hash sha and dh group 1 and I am going to let
>VPN3000 client 3.X connect to here as here and I created another isakmp
>policy 20, with hash md5, dh group 2 as shown below.  Can u take a look
>whether the config is correct?
>
>And my question is I have 2 isakmp policies here, how does the PIX-PIX and
>VPN 3000 3.X client know which isakmp policy to take?
>
>crypto ipsec transform-set newset esp-des
>crypto dynamic-map dynmap 30 set transform-set newset
>crypto map newmap 10 ipsec-isakmp
>crypto map newmap 10 match address 101
>crypto map newmap 10 set peer nyapix
>crypto map newmap 10 set transform-set newset
>crypto map newmap 20 ipsec-isakmp
>crypto map newmap 20 match address 102
>crypto map newmap 20 set peer ldnpix
>crypto map newmap 20 set transform-set newset
>crypto map newmap 30 ipsec-isakmp dynamic dynmap
>crypto map newmap interface outside
>isakmp enable outside
>isakmp key  address ldnpix netmask 255.255.255.255
>isakmp key  address nyapix netmask 255.255.255.255
>isakmp identity address
>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption des
>isakmp policy 10 hash sha
>isakmp policy 10 group 1
>isakmp policy 10 lifetime 86400
>
>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption des
>isakmp policy 20 hash md5
>isakmp policy 20 group 2
>isakmp policy 20 lifetime 86400
>
>vpngroup CLIENTS address-pool REMOTEIPPOOLS
>vpngroup CLIENTS dns-server 192.168.1.201
>vpngroup CLIENTS wins-server 192.168.1.201
>vpngroup CLIENTS default-domain xyz.com
>vpngroup CLIENTS idle-time 1800
>vpngroup CLIENTS password 
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69996&t=69996


RE: PIX to concentrator Problem ......Urgent [7:69988]

2003-06-03 Thread Steve Wilson
Check your network lists on the concentrator. They need to be as explicit as
possible. If you supernet any contiguous networks, ensure that you do not
accidentally include a network that is really down another tunnel. 
Cheers,
Steve Wilson CCNP CCDA
Network Engineer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: 02 June 2003 12:55
To: [EMAIL PROTECTED]
Subject: PIX to concentrator Problem ..Urgent [7:69988]

Hi All,
We are using site-site Tunnel formed between PIX firewall at one remote
location to Cisco VPN concentrator connected
at central side. On the central side there are a number of subnets that have all
been added to the network list on both PIX & VPN concentrator to enable
remote site to access all the subnets on the central site. Problem is that
while Tunnel is running it suddenly drops all packets for one particular
subnet on the central site. I have tried all possible means of
troubleshooting but nothing seems to work. Pls help me out with any ideas
if possible.



Thanks 
Bharat 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6&t=69988


RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Peri Sophos
Put the port in trunk mode  then multiple vlans can go in and out of
the port.

-Original Message-
From: koh jef [mailto:[EMAIL PROTECTED]
Sent: 02 June 2003 02:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]


hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,

jef




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7&t=69991


PIX & Router [7:70001]

2003-06-03 Thread Skarphedinsson Arni V.
I have a router connected to a vlan trunk one for internet access, and one
for a remote branch, but then I have a pix that all my users connect through,
and does the NAT, but then of course the users in the remote branch that
connect directly to the border router, can't access the internet as that
router just routes them to the internet, but I would like for it to go
through the pix, first in, then nat, out, is this possible, i.e. as the PIX
can not generally send traffic out the same interface as it receives it.

best regards,


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70001&t=70001


RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Vikram JeetSingh
Sure there are!


One is Multi Port and second, trunks.

Search on CCO for details.

Vikram

-Original Message-
From: koh jef [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 5:43 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]


hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,

jef




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69998&t=69991


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread MADMAN
You don't say what type of switch so I'll assume a 2900/3500

   switchport mode multi

   Dave

koh jef wrote:
> hi ppl,
> 
> is there any way/s to configure multiple VLANs in a single switch port?
> 
> thanks!!
> 
> regards,
> 
> jef
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"Government can do something for the people only in proportion as it
can do something to the people." -- Thomas Jefferson




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70003&t=69991


RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Michael Montiverdi
Hi,
I believe it depends on the switch, like Marco said. I have a Catalyst
3548XL and I can setup multiple vlans on one port.

Thanks,
Michael Montiverdi
 
 
 

-Original Message-
From: M.C. van den Bovenkamp [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 9:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]

koh jef wrote:

> is there any way/s to configure multiple VLANs in a single switch port?

Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on
what switch you're using.

Most switches can't do it, but some can; Cisco's 2900 series can, for 
instance.

Regards,

Marco.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70002&t=69991


RE: PIX Firewall 6.2.2 Inside network can not reach [7:69779]

2003-06-03 Thread Mark W. Odette II
Richard- 
As I had said in my last post, in analyzing his syntax, it appears he's
trying to do Destination NAT and DNS Doctoring at the same time, for which
it obviously doesn't work.

I couldn't tell you if line 2 is auto-reversing what line 1 does by the
PIX's operating code, but you are correct that only one line is needed.
From what I gathered of the documentation, he also needed to do a second
Alias statement against the DMZ interface, or he needed to do a Static
statement utilizing the DNS keyword; example:
"static (dmz,outside) pub.lic.ip.addr dmz.host.ip.addr dns netmask
255.255.255.255 0 0"

I don't have a 3-interface pix to test these possible solutions on, so I
can't say for certain that I'm correct. :(

-Mark
-Original Message-
From: Richard Botham [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 7:12 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]

Charles/Mark,

No infinite wisdom I'm afraid - just my #0.2.

Is it because the statements below effectively do nothing due to the fact
the statement 2 undoes what statement one has just done ?
[or have i missed the point.]

1)alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255 
2)alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255 

I would have thought that you would only need the statement one - why do you
need to reverse what you did in statement one for the hosts on the inside
net ?

regards
Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70004&t=69779


Looking for a CCIE R&S studypartner in Holland [7:70005]

2003-06-03 Thread Iwan Hoogendoorn
Hello, I am looking for someone who is also preparing for CCIE LAB in The
Netherlands...

I live in Rotterdam...
If someone is interested to be my study partner...please let me know...
EMAIL = [EMAIL PROTECTED]
TEL  = +31647954616

Thank you! 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70005&t=70005


Re: Prolonged Batchlers Vs. CCNP ? [7:69483]

2003-06-03 Thread Carroll Kong
> This sort of thinking is why I've decided to skip the CCNP and just work on
> the CCIE.  As long as Cisco keeps it insanely difficult with the lab exam
> being the majority of the work required it will be valuable.
> 
> -- 
>John A. Kilpatrick

Go for it!  Skip the CCNP and aim for the CCIE  (or heck, skip the 
CCNA too).  It is a bit hard, but come on, this stuff is not rocket 
science.  Practice practice, and if you are a fast learner, decent 
typer, fast thinker, you can do it.

But, do learn Cisco's methodologies for troubleshooting and 
Ciscoisms.  Also, learn the basic layout of how the documentation is. 
 Think fast, and implement fast and you got it.  ;)

Of course much easier said than done.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70008&t=69483


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Troy Leliard
Of course you can only use the switchport mode multi if you don't have a
trunk already... if you do you get the error

Command rejected: One or more ports is already configured as a trunk port.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70006&t=69991


RFP response--- How to?-Help****** [7:70007]

2003-06-03 Thread J B
This question is for people with network management experience.
I have to do a lot of things lately, and one of those things looks like is
project management.  The problem is that I'm not a project manager.  How do
you normally respond to RFP from clients.  I think I understand what an RFP
is, however I'm not sure in how to respond to it.
Any help will be appreciated.
JB  


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70007&t=70007


Router Configuration Backups?? [7:70009]

2003-06-03 Thread Stevo
Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70009&t=70009


Re: ccnp foundation 640-841, [7:69984]

2003-06-03 Thread Darbi Yanitzi
Not recently, but I took it a long time ago. Study the blueprint on Cisco's
website.

Cheers
"Hinwoto" wrote in message
news:[EMAIL PROTECTED]
> hi guys,..
>
> Has anybody taken this foundation exam 640-841 recently ?
> Any advise.. please ..appreciate it.
> Gonna give a shot ..
>
> cheers
> hin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70013&t=69984


PIM-SM Join Messages. [7:70014]

2003-06-03 Thread [EMAIL PROTECTED]
Hello,

I have two questions here on the above.

Are PIM joins sent multicast or unicast.  Some docs says it's unicast, but I
see it as multicast in my trace.

Also, If a flow maintains state for a period of time, do PIM-Join messages
get sent periodically to the RP or root of the source, if so how often?

Many thx
Ken









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70014&t=70014


Re: Multicasting Problem [7:69987]

2003-06-03 Thread Darbi Yanitzi
Do CGMP.

 wrote in message
news:[EMAIL PROTECTED]
> Hi All,
> We need to enable multicasting support across our network. There are two
> technologies available to limit the multicast
> packets on the switch: 1) RGMP 2)CGMP. My routers support both these
> technologies. Just wanted to know from the
> group if any body has used any of these & which is better of the two.
> &  also let me know of any common problems in anyone of them
>
> Thanks in advance,
> Bharat
>
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70012&t=69987


Re: PIX & Router [7:70001]

2003-06-03 Thread Darbi Yanitzi
No, you can not do that.

"Skarphedinsson Arni V." wrote in message
news:[EMAIL PROTECTED]
> I have a router connected to a vlan trunk one for internet access, and one
> for a remote branch, but then I have a pix that all my users connect through,
> and does the NAT, but then of course the users in the remote branch that
> connect directly to the border router, can't access the internet as that
> router just routes them to the internet, but I would like for it to go
> through the pix, first in, then nat, out, is this possible, i.e. as the PIX
> can not generally send traffic out the same interface as it receives it.
>
> best regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70011&t=70001


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Pistone, Mike
CiscoWorks2000 will do all that and more, but that might be overkill for
you.   
What you want can be accomplished with a few perl scripts and a few hours of
programming.




___
Mike Pistone
NASA - Russian Services Group
Marshall Space Flight Center
Huntsville, AL 35806
Ph: (256) 544-2915
Em: [EMAIL PROTECTED]



-Original Message-
From: Stevo [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject: Router Configuration Backups?? [7:70009]


Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70015&t=70009


RE: CCDP Recertification [7:69911]

2003-06-03 Thread mailsub1
Congratulations! I just passed today (first time VERY lucky ;), and I
have to agree that it is a crazy exam. A couple of the questions were so
badly worded that I didn't understand them. 

I just thought that I'd add a few extra pointers for the unlucky ones
who still have to take the exam. There are some newer questions (e.g.
quite a few on BGP), although nothing on IS-IS. However, a lot of the
questions are very old - for example when did you last hear of Stratacom
or configured a 700 series router (or for that matter used appletalk)!

This was probably the worst Cisco exam EVER, and I just hope it is
better in 3 years time.

Now I just have to take CSI for my CCSP before my summer vacation.

Good luck!

Mark.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
jeff sicuranza
Sent: 31. mam 2003 06:09
To: [EMAIL PROTECTED]
Subject: CCDP Recertification [7:69911]

Well fellas I passed the CCDP recert today. Man what a messed up test. The
exam objectives on CCO (for all tests) are not what are on this exam. This
exam is basically version 1 Routing, Switching, Remote access and CID
version 1 from 3-4 years ago. I mean I did have some MLS but I had x25,
smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID
design questions that did not make sense, type in questions (which is to be
expected) and old hardware that is probably not even supported anymore, like
700s and 1600s. I made many comments during the exam that these questions
are no longer relevant especially for a CCDP update recert. It was all old
stuff. I mean old stuff that was not too relevant then, specific 1600s and
700s issues, come on now..

I studied based on the info. from the CCO site, so for Routing, Switching
and Remote access for the CCNP recert., which was updated, but it was my
experience that carried me on this one. I did go over my old Sybex and Cisco
Press ver. 1 CID books this week just in case, so that helped too.

I thought halfway through I was failing for all of the older 700/1600,
desktop protocols and x25/atm crap was driving me nuts. Since I have been in
computer technology since 84 I was able to pass. A lot of the questions
were hands on fill in the blank types so that helped me also. Funny though,
I did better on this exam (averaging in the 80% range for every topic except
CID) and got in the high 800s than I did on the CCNP recert. (Considering
the CCO CCNP topics matched the exam). I only studied a week and a half for
both and took them two days apart. What I learned in the CCNP recert exam,
that I posted earlier here, did not apply on the CCDP recert. exam to my
dismay so I was bummed out during the exam. In this case my old hands on
experience rules.

So, for those of you fellas preparing for the CCDP recert. your old
books(even version 1 CCDP stuff) is fine.

Now to decide if I want to take a second stab at my ccie lab seat.

Good luck to all

/JS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70017&t=69911


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Kevin Stone
A number of perl scripts(I don't have links handy but check the
archives) or Kiwi CatTools will back up the configs and let you know if
they have changed.  You can also use syslog to get notification of when
it was changed.

-Kevin


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Stevo
> Sent: Monday, June 02, 2003 12:37 PM
> To: [EMAIL PROTECTED]
> Subject: Router Configuration Backups?? [7:70009]
> 
> Hey Group,
> 
> I have a number of routers that don't get their configs 
> backed up on a regular basis... does anyone have (or know of) 
> any software products out there that will do the backups for 
> me...  or even better still, let me know if a config is 
> changed by someone??
> 
> Thanks
> 
> --Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70016&t=70009
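
Added example (not part of the original posts, and not code from any tool named in the thread): one way to get the syslog notification mentioned in the message above is to watch the collector's log for the IOS %SYS-5-CONFIG_I message and pull out who changed the configuration and from where. The log lines, host names, addresses and the approved-station list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample: collector timestamp, reporting device, IOS message.
SAMPLE_LOG = """\
Jun  2 09:14:02 rtr-edge-1 %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (192.0.2.10)
Jun  2 09:14:05 rtr-edge-1 %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
Jun  2 23:51:40 rtr-branch-7 %SYS-5-CONFIG_I: Configured from console by vty1 (198.51.100.77)
Jun  3 02:03:11 rtr-core-2 %SYS-5-CONFIG_I: Configured from console by console
Jun  3 02:10:00 rtr-core-2 %SYS-5-CONFIG_I: Configured from tftp://192.0.2.20/rtr-core-2-confg by admin on vty0 (192.0.2.10)
"""

# Assumption: the only station allowed to make changes over the network.
APPROVED_STATIONS: Set[str] = {"192.0.2.10"}

CONFIG_I = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<device>\S+)\s+.*?"
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<who>.+?)\s*$"
)
# The "by" part: "jsmith on vty0 (192.0.2.10)", "vty1 (198.51.100.77)" or "console".
WHO = re.compile(
    r"^(?:(?P<user>\S+) on )?(?P<line>\S+?)(?: \((?P<addr>[^)]+)\))?$"
)


@dataclass
class ConfigEvent:
    timestamp: str
    device: str
    source: str          # "console", "memory", or a URL such as tftp://...
    user: Optional[str]  # None when the router logged no username
    line: str            # vty0, console, ...
    addr: Optional[str]  # None for a local session


def parse_config_events(lines: Iterable[str]) -> List[ConfigEvent]:
    """Return one ConfigEvent per %SYS-5-CONFIG_I line; other lines are skipped."""
    events = []
    for raw in lines:
        m = CONFIG_I.match(raw)
        if not m:
            continue
        who = WHO.match(m["who"])
        if who:
            events.append(ConfigEvent(m["ts"], m["device"], m["source"],
                                      who["user"], who["line"], who["addr"]))
        else:
            # Unrecognised "by ..." layout: keep the event, store the raw text.
            events.append(ConfigEvent(m["ts"], m["device"], m["source"],
                                      None, m["who"], None))
    return events


def review_reasons(ev: ConfigEvent,
                   approved: Set[str] = APPROVED_STATIONS) -> List[str]:
    """Reasons this change should be looked at by a person (empty list = none)."""
    reasons = []
    if ev.user is None:
        reasons.append("no username recorded for the session")
    if ev.addr is not None and ev.addr not in approved:
        reasons.append(f"change made from unapproved address {ev.addr}")
    if ev.source != "console":
        reasons.append(f"configuration loaded from {ev.source}")
    return reasons


if __name__ == "__main__":
    for ev in parse_config_events(SAMPLE_LOG.splitlines()):
        flags = review_reasons(ev) or ["ok"]
        print(ev.timestamp, ev.device, ev.user or "-", ev.addr or "local",
              "; ".join(flags))
```

A missing username usually means the device is not doing per-user login, which is worth fixing separately, since the log then cannot say who made the change.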


Re: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Vincent Tocco
We use Pancho, it's a perl script that downloads the configs via snmp. 
Just setup a cron job on a unix box..
http://www.panchoproject.org/

After you setup that, you can run diff on the files to see if anything 
changed.. Maybe every night?


-Vince

Stevo wrote:
> Hey Group,
> 
> I have a number of routers that don't get their configs backed up on a
> regular basis... does anyone have (or know of) any software products out
> there that will do the backups for me...  or even better still, let me know
> if a config is changed by someone??
> 
> Thanks
> 
> --Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70019&t=70009
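
Added example (not part of the original posts, and not Pancho's own code): the nightly "run diff on the files" step from the message above, with two refinements a plain diff lacks. Lines that change on every pull are ignored, and secrets are masked before the report is mailed. Both configurations, the community strings and the list of lines marked for review are constructed assumptions.

```python
import difflib
import re
from typing import List, Tuple

# Lines that differ between two pulls even when nobody touched the router.
VOLATILE = re.compile(
    r"^(?:Building configuration|Current configuration\s*:|"
    r"! Last configuration change at |! NVRAM config last updated at |"
    r"ntp clock-period )"
)
# Changes to these lines get a [review] tag (illustrative list, an assumption).
SENSITIVE = re.compile(
    r"^\s*(?:enable (?:secret|password)|username |snmp-server community |"
    r"access-list |ip access-group |aaa |line vty|crypto )"
)
# Keep secret values out of the report.
SECRET_VALUE = re.compile(
    r"^(\s*(?:enable (?:secret|password)(?: \d)?|snmp-server community|"
    r"username \S+ (?:password|secret)(?: \d)?) )\S+"
)

# Constructed snapshots of the same router on two consecutive nights.
OLD_CONFIG = """\
Current configuration : 1042 bytes
!
! Last configuration change at 11:02:17 UTC Mon Jun 2 2003 by admin
!
hostname rtr-branch-7
enable secret 5 $1$CONSTRUCTED$notARealHash
!
interface FastEthernet0/0
 ip address 10.7.0.1 255.255.255.0
 ip access-group 110 in
!
access-list 110 permit tcp 10.7.0.0 0.0.0.255 any eq 80
access-list 110 deny ip any any log
snmp-server community CONSTRUCTED-RO RO
ntp clock-period 17179866
end
"""
NEW_CONFIG = """\
Current configuration : 1101 bytes
!
! Last configuration change at 23:51:40 UTC Mon Jun 2 2003
!
hostname rtr-branch-7
enable secret 5 $1$CONSTRUCTED$notARealHash
!
interface FastEthernet0/0
 description uplink to HQ
 ip address 10.7.0.1 255.255.255.0
 ip access-group 110 in
!
access-list 110 permit tcp 10.7.0.0 0.0.0.255 any eq 80
access-list 110 permit ip any any
access-list 110 deny ip any any log
snmp-server community CONSTRUCTED-RW RW
ntp clock-period 17179901
end
"""


def normalize(text: str) -> List[str]:
    """Drop blank and volatile lines so only real edits remain."""
    lines = (ln.rstrip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not VOLATILE.match(ln)]


def config_changes(old_text: str, new_text: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) configuration lines between two snapshots."""
    old, new = normalize(old_text), normalize(new_text)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new[j1:j2])
    return added, removed


def redact(line: str) -> str:
    return SECRET_VALUE.sub(r"\g<1><redacted>", line)


def build_report(old_text: str, new_text: str) -> List[str]:
    """One line per change; empty list means nothing but volatile lines moved."""
    added, removed = config_changes(old_text, new_text)
    report = []
    for sign, lines in (("-", removed), ("+", added)):
        for ln in lines:
            tag = "[review] " if SENSITIVE.match(ln) else ""
            report.append(f"{sign} {tag}{redact(ln)}")
    return report


if __name__ == "__main__":
    print("\n".join(build_report(OLD_CONFIG, NEW_CONFIG)))
```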


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Lupi, Guy
Kiwi CatTools works very well for configuration backups and is inexpensive
(it might be free, I don't recall).

http://www.kiwisyslog.com/

-Original Message-
From: Stevo [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: Router Configuration Backups?? [7:70009]

Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70021&t=70009


RE: CCDP Recertification [7:69911]

2003-06-03 Thread jsicuran
Yes, the CCDP recert exam is old and messed up. The CCNP recert exam was
updated for content over the last three years so it has bgp, hands on
simulation and ISIS. IT will get better and tougher if the CCNP recert is
any hint. Look at the current changes to the DP program. It will be more
difficult if you have to recert in three years...

Congrats also, good luck on the CSI..

/JS

-Original Message-
From: mailsub1 [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 3:00 PM
To: 'jeff sicuranza'; [EMAIL PROTECTED]
Subject: RE: CCDP Recertification [7:69911]


Congratulations! I just passed today (first time VERY lucky ;), and I
have to agree that it is a crazy exam. A couple of the questions were so
badly worded that I didn't understand them.

I just thought that I'd add a few extra pointers for the unlucky ones
who still have to take the exam. There are some newer questions (e.g.
quite a few on BGP), although nothing on IS-IS. However, a lot of the
questions are very old - for example when did you last hear of Stratacom
or configured a 700 series router (or for that matter used appletalk)!

This was probably the worst Cisco exam EVER, and I just hope it is
better in 3 years time.

Now I just have to take CSI for my CCSP before my summer vacation.

Good luck!

Mark.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
jeff sicuranza
Sent: 31. mam 2003 06:09
To: [EMAIL PROTECTED]
Subject: CCDP Recertification [7:69911]

Well fellas I passed the CCDP recert today. Man what a messed up test. The
exam objectives on CCO(for all tests) are not what are on this exam. This
exam is basically version 1 Routing, Switching, Remote access and CID
version 1 from 3-4 years ago. I mean I did have some MLS but I had x25,
smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID
design questions that did not make sense, type in questions(which is to be
expected) and old hardware that is probably not even supported anymore, like
700s and 1600s. I made many comments during the exam that these questions
are no longer relevant especially for a CCDP update recert. It was all old
stuff. I mean old stuff that was not too relevant then, specific 1600s and
700s issues, come on now..

I studied based on the info. from the CCO site, so for Routing, Switching
and Remote access for the CCNP recert., which was updated, but it was my
experience that carried me on this one. I did go over my old Sybex and Cisco
Press ver. 1 CID books this week just in case, so that helped too.

I thought halfway through I was failing for all of the older 700/1600,
desktop protocols and x25/atm crap was driving me nuts. Since I have been in
computer technology since 84 I was able to pass. A lot of the questions
were hands on fill in the blank types so that helped me also. Funny though,
I did better on this exam(averaging in the 80% range for every topic except
CID) and got in the high 800s than I did on the CCNP recert.(Considering
the CCO CCNP topics matched the exam). I only studied a week and a half for
both and took them two days apart. What I learned in the CCNP recert exam,
that I posted earlier here, did not apply on the CCDP recert. exam to my
dismay so I was bummed out during the exam. In this case my old hands on
experience rules.

So, for those of you fellas preparing for the CCDP recert. your old
books(even version 1 CCDP stuff) is fine.

Now to decide if I want to take a second stab at my ccie lab seat.

Good luck to all

/JS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70018&t=69911


LLQ on Ethernet subinterfaces [7:70020]

2003-06-03 Thread neil K
Can somebody tell me how to configure LLQ on Ethernet subinterfaces
connected to two VLAN's.
Will appreciate it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70020&t=70020


PIX access-list [7:70022]

2003-06-03 Thread jmullins1
I'm trying to allow inbound UDP traffic from the DMZ web server to the
inside BDC.  I'm getting the following:

2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19:
%PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 on
interface dmz

I have the following entries in the access-list:
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139

When I perform a show access-list, I don't see any hit counts.  I do have a
static translation for the public to private IP for the BDC, but that
shouldn't matter.  I'm not sure if I even need to allow this, but it shows
up in my KIWI syslog.  Could someone please tell me what's missing to stop
the deny inbound?  Thanks.
Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70022&t=70022


OSPF over FR [7:70025]

2003-06-03 Thread Catherine Wu
I am testing Hub-Spoke for OSPF over FR,

I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and
3.3.3.3 in the routing table,

RouterA#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/  -        00:01:41    10.1.1.6        Serial0/0.2
2.2.2.2           1   FULL/  -        00:01:39    10.1.1.2        Serial0/0.1
RouterB#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:01:38    10.1.1.1        Serial0/0
RouterC#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:01:34    10.1.1.5        Serial0/0

RouterA#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/0.1
C       10.1.1.4 is directly connected, Serial0/0.2

Please help.

Thanks 

Catherine

RouterA
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 no sh
!
interface Serial0/0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 101
!
interface Serial0/0.2 point-to-point
 ip address 10.1.1.5 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 102
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.1.4 0.0.0.3 area 0

RouterB
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.1 110 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.1.1.0 0.0.0.3 area 0
 neighbor 10.1.1.1 
!
RouterC
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.6 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.5 120 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 3
 network 10.1.1.4 0.0.0.3 area 0
 neighbor 10.1.1.5 

[GroupStudy removed an attachment of type application/ms-tnef which had a
name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70025&t=70025


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Wilmes, Rusty
I believe SolarWinds can alert you if the config changes.  I don't think it
will schedule the config backups.

-----Original Message-----
From: Stevo [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: Router Configuration Backups?? [7:70009]


Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70024&t=70009


RE: PIX access-list [7:70022]

2003-06-03 Thread Elijah Savage
This is possible because you are using win2k now and if that is the case
for AD stuff you need to open port 445 also.

-----Original Message-----
From: jmullins1 [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 4:52 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list [7:70022]

I'm trying to allow inbound UDP traffic from the DMZ web server to the
inside BDC.  I'm getting the following:

2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19:
%PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 on
interface dmz

I have the following entries in the access-list:
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139

When I perform a show access-list, I don't see any hit counts.  I do have a
static translation for the public to private IP for the BDC, but that
shouldn't matter.  I'm not sure if I even need to allow this, but it shows
up in my KIWI syslog.  Could someone please tell me what's missing to stop
the deny inbound?  Thanks.
Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70026&t=70022
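
The log line and the four access-list entries from the question, checked against each other in Python (an added example, not part of either post). It parses the %PIX-2-106006 message and walks the list first-match-wins; the parser is an illustration that handles only the `host`, `any`, netmask and numeric `eq` forms, and all function names are made up for this example.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Log line and access-list entries copied from the post (log line re-joined).
LOG_LINE = (
    "2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19: "
    "%PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 "
    "on interface dmz"
)
ACL_TEXT = """\
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139
"""


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    interface: str


class Entry(NamedTuple):
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


DENY_RE = re.compile(
    r"%PIX-2-106006: Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<ifc>\S+)"
)


def parse_deny(line: str) -> Optional[Flow]:
    """Extract the denied flow from a 106006 syslog line, or None."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    return Flow("udp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["ifc"])


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'host A', 'any' or 'A netmask' (PIX ACLs take netmasks)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        # Only the numeric 'eq <port>' form used in the post is handled.
        dport = int(t[i + 1]) if t[i:i + 1] == ["eq"] else None
        entries.append(Entry(t[1], t[2], t[3], src, dst, dport))
    return entries


def first_match(flow: Flow, entries: List[Entry]) -> Tuple[Optional[int], str]:
    """First entry wins; no match falls through to the implicit deny."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for n, e in enumerate(entries, start=1):
        if (e.proto in (flow.proto, "ip") and src in e.src and dst in e.dst
                and e.dport in (None, flow.dport)):
            return n, e.action
    return None, "deny"


def triage(log_line: str, acl_text: str) -> str:
    flow = parse_deny(log_line)
    if flow is None:
        return "not a 106006 deny"
    n, action = first_match(flow, parse_acl(acl_text))
    if action == "permit":
        # The list already covers the flow, so the list was not what denied it.
        # The post shows no access-group line binding LAN to an interface.
        return (f"entry {n} permits {flow.proto}/{flow.dport}; "
                f"check that the list is applied to interface {flow.interface}")
    return "flow is not permitted by the list (explicit or implicit deny)"


if __name__ == "__main__":
    print(triage(LOG_LINE, ACL_TEXT))
```

Entry 2 covers the logged flow, which fits the zero hit counts: the list text is fine, but nothing in the post shows it being evaluated on the dmz interface. TCP 445, the port mentioned in the reply, falls through to the implicit deny with these four entries.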


RE: appletalk stuff [7:69961]

2003-06-03 Thread Priscilla Oppenheimer
It's funny that we are seeing this message after seeing all those complaints
about the CCDP recert exam including AppleTalk! :-)

קורן לב wrote:
> 
> Does anyone have an idea on that:
> we use 7200 in the center of a big bay-networks routers
> we use ipx , ip and appletalk
> ip , ipx works fine in FR/PPP links and OSPF etc..
> apple talk zones and routing are shown ok on the macintosh
> machines

All zones are showing up on the Macs? That's a good sign. 

Routing wouldn't show up on the Macs, but do all routes show up on the
routers?

Most AppleTalk problems are related to routing, not finding services. To
avoid problems with split horizon, be sure to use Frame Relay subinterfaces.

> there is appletalk services advertised on PPP links

AppleTalk services are never advertised. Users look for them.

> but they are not advertised on FR links
> routing is RTMP , zones are ok on FR links
> just the macintosh servers does not show up on FR !!

Do you mean that servers don't show up when users who are across the Frame
Relay network try to find them? That is indeed strange.

> no access-lists of any kind

Hmmm. It does seem like an access list problem, though

It also sounds like it could be a duplicate network number. If this is a new
or updated design, it's pretty common to mistakenly reuse an AppleTalk cable
range, or have overlapping ranges. Other than misconfigured access lists,
that's the only time I've ever seen such a strange result as what you're
seeing, if I understand what you're seeing (zones and routes OK, but users
can't find services).

If it's been upgraded to AppleTalk over IP and Mac OS X, then it's a whole
other story. I think Mac OS X uses Service Location Protocol, which is
multicast based and requires IGMP and an IP multicast routing protocol to be
working correctly.

Is this a new problem? What changed? What version of Mac OS are the users
using? Is this pure AppleTalk or AppleTalk over TCP/IP?

I might be willing to help if you could send more info on what's happening,
version numbers, config, etc.

Priscilla


> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70027&t=69961


Re: CCDP Recertification [7:69911]

2003-06-03 Thread Kevin Wigle
There are also Appletalk and 700 routers on the CCNP re-cert.

I decided to review the 700 documentation on CCO.

The 700 is not listed on the router list.

Fortunately searching on the 700 brought me to the right docs, although most
of the links say, end of sale, etc.

Kevin Wigle

----- Original Message -----
From: "mailsub1" 
To: 
Sent: Monday, June 02, 2003 3:00 PM
Subject: RE: CCDP Recertification [7:69911]


> Congratulations! I just passed today (first time VERY lucky ;), and I
> have to agree that it is a crazy exam. A couple of the questions were so
> badly worded that I didn't understand them.
>
> I just thought that I'd add a few extra pointers for the unlucky ones
> who still have to take the exam. There are some newer questions (e.g.
> quite a few on BGP), although nothing on IS-IS. However, a lot of the
> questions are very old - for example when did you last hear of Stratacom
> or configured a 700 series router (or for that matter used appletalk)!
>
> This was probably the worst Cisco exam EVER, and I just hope it is
> better in 3 years time.
>
> Now I just have to take CSI for my CCSP before my summer vacation.
>
> Good luck!
>
> Mark.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> jeff sicuranza
> Sent: 31. mam 2003 06:09
> To: [EMAIL PROTECTED]
> Subject: CCDP Recertification [7:69911]
>
> Well fellas I passed the CCDP recert today. Man what a messed up test. The
> exam objectives on CCO(for all tests) are not what are on this exam. This
> exam is basically version 1 Routing, Switching, Remote access and CID
> version 1 from 3-4 years ago. I mean I did have some MLS but I had x25,
> smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID
> design questions that did not make sense, type in questions(which is to be
> expected) and old hardware that is probably not even supported anymore, like
> 700s and 1600s. I made many comments during the exam that these questions
> are no longer relevant especially for a CCDP update recert. It was all old
> stuff. I mean old stuff that was not too relevant then, specific 1600s and
> 700s issues, come on now..
>
> I studied based on the info. from the CCO site, so for Routing, Switching
> and Remote access for the CCNP recert., which was updated, but it was my
> experience that carried me on this one. I did go over my old Sybex and Cisco
> Press ver. 1 CID books this week just in case, so that helped too.
>
> I thought halfway through I was failing for all of the older 700/1600,
> desktop protocols and x25/atm crap was driving me nuts. Since I have been in
> computer technology since 84 I was able to pass. A lot of the questions
> were hands on fill in the blank types so that helped me also. Funny though,
> I did better on this exam(averaging in the 80% range for every topic except
> CID) and got in the high 800s than I did on the CCNP recert.(Considering
> the CCO CCNP topics matched the exam). I only studied a week and a half for
> both and took them two days apart. What I learned in the CCNP recert exam,
> that I posted earlier here, did not apply on the CCDP recert. exam to my
> dismay so I was bummed out during the exam. In this case my old hands on
> experience rules.
>
> So, for those of you fellas preparing for the CCDP recert. your old
> books(even version 1 CCDP stuff) is fine.
>
> Now to decide if I want to take a second stab at my ccie lab seat.
>
> Good luck to all
>
> /JS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70031&t=69911


Virtual MAC and Port Security [7:70030]

2003-06-03 Thread David Vital
I have several Servers that are going to be doing NIC pooling.  So I'm
supposed to see a virtual MAC address instead of the actual physical address
of the NIC's.  I run the NICs from one server to different switches for
fault tolerance.  If I have several 6500 series switches how can I set it up
for Port Security?  I know I can set up the ports to handle several MAC's
but if they are running the same virtual MAC what's the answer?

David


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70030&t=70030


Re: [CISCO] OSPF over FR [7:70025]

2003-06-03 Thread Patrick Aland
Have you run any debug's (debug ip ospf events, etc) and are the routes
showing in the ospf database (sh ip ospf data) and just not in the
routing table?

If so check out:
http://www.cisco.com/warp/public/104/24.html



On Mon, Jun 02, 2003 at 09:51:48PM +, Catherine Wu wrote:


-- 

 Patrick Aland  [EMAIL PROTECTED]
 Network Administrator  Voice: 386.822.7217
 Stetson University Fax: 386.822.7367





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70033&t=70025


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread koh jef
thanks guys, wat abt 4xxx, 5xxx, 6xxx series? well i m not talking abt
trunking though...

regards,
jef


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70032&t=69991


RE: multiple isakmp policies question-No authentication [7:70034]

2003-06-03 Thread Richard Campbell
Hi..  Daniel and Dear all,

Thanks for the guide.  May I know whether Remote VPN client to PIX515 can be 
authenticated by my W2K server  or not? I recall I can in VPN3000.  I am not 
familiar about RADIUS.  May I ask whether I should install a RADIUS server 
on my network or the PIX515 itself can act as the RADIUS server to 
authenticate?  (I prefer to authenticate locally in PIX515 without install 
radius server)

From the config shown below, what is aaa.bbb.ccc.10 ?  an IP address of 
RADIUS server? can we make authentication done locally in PIX515?

aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

>From: Daniel Cotts 
>To: "'Richard Campbell'" , [EMAIL PROTECTED]
>Subject: RE: multiple isakmp policies question-No authentication [7:69996]
>Date: Mon, 2 Jun 2003 18:25:38 -0500
>
>In the following config RADIUS is used to authenticate the Clients. IIRC The
>group password is sufficient to allow a client to connect - although not too
>secure as all clients would have one password.
>crypto map FF_fw_int0 client authentication AuthInbound
>aaa-server RADIUS protocol radius
>aaa-server AuthInbound protocol radius
>aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10
>
> > -----Original Message-----
> > From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 02, 2003 8:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: multiple isakmp policies question-No authentication
> > [7:69996]
> >
> >
> > Hey...  thanks..  finally I got response from my PIX515, but it just hang
> > at securing communication channel stage (see below) and it doesn't
> > authenticate the users.  What config should I add to point it to my
> > authentication server 192.168.1.201?  For your info, my VPN client is
> > installed at Win95 and my authentication server is a W2K server.
> >
> > Initializing the connection...
> > Contacting the gateway at 100.100.100.101...
> > Negotiating security policies...
> > Securing communication channel...
> >
> > I remember in VPN3000 server, I need to specify the authentication server
> > for VPN group, but why in PIX515 sample on the net, why it doesn't have
> > this entry
> >
> > >From: Andrew Larkins
> > >
> > >from what I remember about this, they will try each policy until a match
> > >is made, otherwise the connection terminates
> > >
> > >-----Original Message-----
> > >From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > >
> > >hey..  I have a PIX 515 and have a PIX to PIX connection to London and NY
> > >using pre-shared key des, hash sha and dh group 1 and I am going to let
> > >VPN3000 client 3.X connect to here as here and I created another isakmp
> > >policy 20, with hash md5, dh group 2 as shown below.  Can u take a look
> > >whether the config is correct?
> > >
> > >And my question is I have 2 isakmp policies here, how does the PIX-PIX and
> > >VPN 3000 3.X client know which isakmp policy to take?
> > >crypto ipsec transform-set newset esp-des
> > >crypto dynamic-map dynmap 30 set transform-set newset
> > >crypto map newmap 10 ipsec-isakmp
> > >crypto map newmap 10 match address 101
> > >crypto map newmap 10 set peer nyapix
> > >crypto map newmap 10 set transform-set newset
> > >crypto map newmap 20 ipsec-isakmp
> > >crypto map newmap 20 match address 102
> > >crypto map newmap 20 set peer ldnpix
> > >crypto map newmap 20 set transform-set newset
> > >crypto map newmap 30 ipsec-isakmp dynamic dynmap
> > >crypto map newmap interface outside
> > >isakmp enable outside
> > >isakmp key  address ldnpix netmask 255.255.255.255
> > >isakmp key  address nyapix netmask 255.255.255.255
> > >isakmp identity address
> > >isakmp policy 10 authentication pre-share
> > >isakmp policy 10 encryption des
> > >isakmp policy 10 hash sha
> > >isakmp policy 10 group 1
> > >isakmp policy 10 lifetime 86400
> > >
> > >isakmp policy 20 authentication pre-share
> > >isakmp policy 20 encryption des
> > >isakmp policy 20 hash md5
> > >isakmp policy 20 group 2
> > >isakmp policy 20 lifetime 86400
> > >
> > >vpngroup CLIENTS address-pool REMOTEIPPOOLS
> > >vpngroup CLIENTS dns-server 192.168.1.201
> > >vpngroup CLIENTS wins-server 192.168.1.201
> > >vpngroup CLIENTS default-domain xyz.com
> > >vpngroup CLIENTS idle-time 1800
> > >vpngroup CLIENTS password 
> > >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70034&t=

Re: OSPF over FR [7:70025]

2003-06-03 Thread Rivalino YMT.
Catherine,

You forget to define ospf network type in each frame interface.
Add this interface config command: ip ospf network point-to-point

Thank,
Rivalino

On Mon, 2 Jun 2003, Catherine Wu wrote:

> I am testing Hub-Spoke for OSPF over FR,
> 
> I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and
> 3.3.3.3 in the routing table, 
> 
> RouterA#sh ip ospf nei
> 
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 3.3.3.3           1   FULL/  -        00:01:41    10.1.1.6        Serial0/0.2
> 2.2.2.2           1   FULL/  -        00:01:39    10.1.1.2        Serial0/0.1
> RouterB#sh ip ospf nei
> 
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 1.1.1.1           1   FULL/BDR        00:01:38    10.1.1.1        Serial0/0
> RouterC#sh ip ospf nei
> 
> Neighbor ID     Pri   State           Dead Time   Address         Interface
> 1.1.1.1           1   FULL/BDR        00:01:34    10.1.1.5        Serial0/0
> 
> RouterA#sh ip ro
> Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
>        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
>        * - candidate default, U - per-user static route, o - ODR
>        P - periodic downloaded static route
> 
> Gateway of last resort is not set
> 
>      1.0.0.0/32 is subnetted, 1 subnets
> C       1.1.1.1 is directly connected, Loopback0
>      10.0.0.0/30 is subnetted, 2 subnets
> C       10.1.1.0 is directly connected, Serial0/0.1
> C       10.1.1.4 is directly connected, Serial0/0.2
> 
> Please help.
> 
> Thanks 
> 
> Catherine
> 
> RouterA
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
> !
> interface Serial0/0
>  no ip address
>  encapsulation frame-relay
>  frame-relay lmi-type ansi
>  no sh
> !
> interface Serial0/0.1 point-to-point
>  ip address 10.1.1.1 255.255.255.252
>  ip ospf hello-interval 30
>  frame-relay interface-dlci 101
> !
> interface Serial0/0.2 point-to-point
>  ip address 10.1.1.5 255.255.255.252
>  ip ospf hello-interval 30
>  frame-relay interface-dlci 102
> !
> router ospf 1
>  log-adjacency-changes
>  network 1.1.1.1 0.0.0.0 area 1
>  network 10.1.1.0 0.0.0.3 area 0
>  network 10.1.1.4 0.0.0.3 area 0
> 
> RouterB
> !
> interface Loopback0
>  ip address 2.2.2.2 255.255.255.255
> !
> interface Serial0/0
>  ip address 10.1.1.2 255.255.255.252
>  encapsulation frame-relay
>  frame-relay map ip 10.1.1.1 110 broadcast
>  no frame-relay inverse-arp
>  frame-relay lmi-type ansi
>  no sh
> !
> router ospf 1
>  log-adjacency-changes
>  network 2.2.2.2 0.0.0.0 area 2
>  network 10.1.1.0 0.0.0.3 area 0
>  neighbor 10.1.1.1 
> !
> RouterC
> interface Loopback0
>  ip address 3.3.3.3 255.255.255.255
> !
> interface Serial0/0
>  ip address 10.1.1.6 255.255.255.252
>  encapsulation frame-relay
>  frame-relay map ip 10.1.1.5 120 broadcast
>  no frame-relay inverse-arp
>  frame-relay lmi-type ansi
>  no sh
> !
> router ospf 1
>  log-adjacency-changes
>  network 3.3.3.3 0.0.0.0 area 3
>  network 10.1.1.4 0.0.0.3 area 0
>  neighbor 10.1.1.5 
> 
> [GroupStudy removed an attachment of type application/ms-tnef which had a
> name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70036&t=70025


Fwd: Re: Problem with RSA ACE SERVER (aka SecureID) [7:70035]

2003-06-03 Thread Pete Felber
There used to be a key value called 'shared secret' that you had to 
configure on the ACE server as well as the 'requesting' device (and 
unfortunately it was plain text).  I haven't played with an ACE server 
for about 5yrs so that may have changed.
Pete

d tran wrote:

>All,
>I am trying to get the RSA ACE Server to authenticate VPN remote 
>users that terminate VPN connection to my Pix firewall.  So far it is
>not working and here is my scenario:
> 
>Pix FW: 
>Outside IP:  12.1.1.100 (netmask /21)
>Inside IP:  172.161.254 (netmask /24)
>DMZ IP:  172.18.1.254 (netmask /24)
> 
>The IP address of the RSA ACE-Server is 172.18.1.2.  Here is the 
>configuration on my pix firewall.  By the way, I am using Pix OS 6.3(1):
> 
>ip local pool test 172.30.1.1-172.30.1.254
>aaa-server radius-authport 1812
>aaa-server radius-acctport 1813
>aaa-server ACE-SERVER protocol radius
>aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
>sysopt connection permit-ipsec
>crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
>crypto ipsec transform-set set2 esp-des esp-sha-hmac
>crypto ipsec transform-set set3 esp-des esp-md5-hmac
>crypto ipsec security-association lifetime seconds 3600
>crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
>crypto map outside 20 ipsec-isakmp dynamic vpnremote
>crypto map outside client configuration address respond
>crypto map outside client authentication ACE-SERVER
> outside interface outside
>isakmp enable outside
>isakmp key *** address 0.0.0.0 netmask 0.0.0.0
>isakmp identity address
>isakmp client configuration address-pool local test outside
>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption des
>isakmp policy 10 hash md5
>isakmp policy 10 group 2
>isakmp policy 10 lifetime 86400
>vpngroup default address-pool test
>vpngroup default dns-server 129.174.1.8
>vpngroup default wins-server 129.174.1.8
>vpngroup default default-domain test.com
>vpngroup default split-tunnel 100
>vpngroup default split-dns test.com
>vpngroup default idle-time 1800
> 
>The problem is that whenever the pix sends an "access-request" to the
>RSA ACE Server, the ACE Server sends back an "access-reject" to the 
>pix.  It seems like the ACE Server thinks that the pix is an 
>"unauthorized" host to communicate with the ACE Server.  Now, I 
>add the pix as an "Agent Hosts" on the ACE Server (Is this similar to
>the clients.conf to FreeRadius?) and it still wouldn't work.  Radius is 
>also running on the ACE Server so I know that the communication is 
>there.  Furthermore, there is NO blocking of communication between the
>Pix and the ACE Server. Can someone with experience with ACE Server
>help me out with this problem?  It has been a frustrating week.  
> 
>I am running ACE Server version 5.1 on both Windows 2000 Server.
> 
>D
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70035&t=70035
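
What the shared secret mentioned in the reply above does on the wire, per RFC 2865, as an added Python example that is not part of the thread. It shows User-Password hiding and the Response Authenticator check when both sides hold the same key and when they differ. `123456` is the key from the quoted `aaa-server` line; the passcode, the server-side key `654321`, the fixed Request Authenticator and the simplified server logic in `exchange` are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes (RFC 2865)


def _pad_block(secret: bytes, prev: bytes) -> bytes:
    # b(i) = MD5(secret + previous ciphertext block or Request Authenticator)
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: what the NAS puts in the User-Password attribute."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded_len = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _pad_block(secret, prev)))
        out += block
        prev = block
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server computes with the key it has configured."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _pad_block(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_accepts_reply(code: int, ident: int, attrs: bytes, request_auth: bytes,
                      reply_auth: bytes, nas_secret: bytes) -> bool:
    expected = response_authenticator(code, ident, attrs, request_auth, nas_secret)
    return hmac.compare_digest(expected, reply_auth)


def exchange(nas_secret: bytes, server_secret: bytes,
             passcode: bytes, request_auth: bytes) -> dict:
    """One Access-Request and its reply, with a simplified (constructed) server."""
    hidden = hide_password(passcode, nas_secret, request_auth)
    seen = recover_password(hidden, server_secret, request_auth)
    code = ACCESS_ACCEPT if seen == passcode else ACCESS_REJECT
    reply_auth = response_authenticator(code, 1, b"", request_auth, server_secret)
    return {
        "server_sees_passcode": seen == passcode,
        "reply_code": code,
        "nas_trusts_reply": nas_accepts_reply(code, 1, b"", request_auth,
                                              reply_auth, nas_secret),
    }


if __name__ == "__main__":
    ra = bytes(range(16))            # constructed; a real NAS uses random bytes
    passcode = b"0000123456"         # constructed PIN + tokencode
    print("same key:     ", exchange(b"123456", b"123456", passcode, ra))
    print("different key:", exchange(b"123456", b"654321", passcode, ra))
```

With differing keys the server recovers a different byte string from the request, so a correct passcode cannot validate, and the reply it sends does not carry an authenticator the requesting device can verify.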


BGP Policy-based Routing -- applicable for inbound and outbound [7:70037]

2003-06-03 Thread Hinwoto
hi guys,

Can BGP Policy-based routing be configured both on inbound and outbound
interfaces ?
I know that it is definitely for inbound interface.
And can the policy-based routing also be used to alter the final destination
of the packet ?
I don't think there's an option to set that.

Please, show the light.
Thanks guys
hin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70037&t=70037


Cisco's BGP Course is Okay [7:70038]

2003-06-03 Thread Mwalie W
Hi All,

This is just a comment arising after I read a paper in the current IEEE
Communications Magazine.

I was a little surprised. The paper is, of course, a refereed paper and was
written by three guys, one of them a PhD.

I was surprised because I could write the same paper just from the knowledge
I gained on BGP through self-study. I understood the paper in its entirety
without any struggle at all.

So, my main point is that we can get good knowledge through Cisco
Certifications, knowledge which can even help us attend conferences and
present very decent papers.

Good Luck.

Mwalie


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70038&t=70038


permit only even subnets [7:70039]

2003-06-03 Thread lost in space
Dear groupstudy members,

Lets say we have these networks:

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24

how do we permit only even subnets and deny all the odd subnets?
what would be the network number and wildcard mask should i use in the
access-list statement?

sorry if this question has been asked before...


RD


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70039&t=70039


RE: Redistribute OSPF to RIPv1 [7:69969]

2003-06-03 Thread Peter Paul
you could try to configure area 1 range  command at the abr, R2.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70041&t=69969


RE: permit only even subnets [7:70039]

2003-06-03 Thread Peter Paul
To match the even subnets, use 

access-list 1 permit 192.168.0.0 0.0.254.255

To match the odd subnets, use

access-list 1 permit 192.168.1.0 0.0.254.255


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70040&t=70039
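
As an added illustration (not part of the thread), the sketch below evaluates the two access-list entries from the reply above against the five networks in the question, using Cisco wildcard semantics where a 0 bit must match and a 1 bit is ignored. It also lists every third octet the "even" entry permits, which shows the mask covers all 128 even /24s under 192.168.0.0/16 rather than only .2 and .4. Function and variable names are this example's own.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match the base
    address, a 1 bit in the mask is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(addr, acl):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"

# The two entries from the reply, as (action, address, wildcard) tuples.
EVEN_ACL = [("permit", "192.168.0.0", "0.0.254.255")]
ODD_ACL = [("permit", "192.168.1.0", "0.0.254.255")]

# The networks listed in the question.
NETWORKS = [f"192.168.{n}.0/24" for n in range(1, 6)]

def classify(acl, networks=NETWORKS):
    """Map each network to permit/deny by testing its first and last address.
    The last octet is fully wildcarded here, so both ends always agree;
    'mixed' would flag a mask that splits a subnet."""
    verdict = {}
    for net in networks:
        n = ipaddress.IPv4Network(net)
        seen = {acl_action(str(h), acl)
                for h in (n.network_address, n.broadcast_address)}
        verdict[net] = seen.pop() if len(seen) == 1 else "mixed"
    return verdict

def permitted_third_octets(acl):
    """Every x for which a host in 192.168.x.0/24 is permitted by the ACL."""
    return [x for x in range(256)
            if acl_action(f"192.168.{x}.1", acl) == "permit"]

if __name__ == "__main__":
    for name, acl in (("even", EVEN_ACL), ("odd", ODD_ACL)):
        print(name, classify(acl))
    octets = permitted_third_octets(EVEN_ACL)
    print("even entry permits", len(octets), "subnets:", octets[:4], "...")
```

If only 192.168.2.0/24 and 192.168.4.0/24 should pass, two explicit entries with wildcard 0.0.0.255 keep the permit set to exactly those networks.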


RE: multiple isakmp policies question-No authentication [7:70043]

2003-06-03 Thread Richard Campbell
Hi..  Sorry, me again. I just realised that W2K can act as a RADIUS server, is
it true??  I tried to install Cisco CSACS software on my W2K server; it
prompted me that another program is using the RADIUS port, pls disable it. It
means my W2K server comes with RADIUS?  Where to configure it?

The aaa.bbb.ccc.10 (shown below) is the IP of my W2K server?  I should
configure my W2K RADIUS server to have the same key "PASSWORD HERE" as the
PIX515, right?  Where can I enter this value in my W2K server?

>aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

>From: Daniel Cotts 
>To: "'Richard Campbell'" , [EMAIL PROTECTED]
>Subject: RE: multiple isakmp policies question-No authentication [7:69996]
>Date: Mon, 2 Jun 2003 18:25:38 -0500
>
>In the following config RADIUS is used to authenticate the Clients. IIRC
>the group password is sufficient to allow a client to connect - although not
>too secure as all clients would have one password.
>crypto map FF_fw_int0 client authentication AuthInbound
>aaa-server RADIUS protocol radius
>aaa-server AuthInbound protocol radius
>aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10
>
> > -Original Message-
> > From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 02, 2003 8:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: multiple isakmp policies question-No authentication
> > [7:69996]
> >
> >
> > Hey...  thanks..  finally I got a response from my PIX515, but it just hangs at
> > securing communication channel stage (see below) and it doesn't authenticate
> > the users.  What config should I add to point it to my authentication server
> > 192.168.1.201?  For your info, my VPN client is installed at Win95 and my
> > authentication server is a W2K server.
> >
> > Initializing the connection...
> > Contacting the gateway at 100.100.100.101...
> > Negotiating security policies...
> > Securing communication channel...
> >
> > I remember in VPN3000 server, I need to specify the authentication server
> > for VPN group, but why in PIX515 sample on the net, why it doesn't have this
> > entry
> >
> > >From: Andrew Larkins
> > >
> > >from what I remember about this, they will try each policy until a match is
> > >made, otherwise the connection terminates
> > >
> > >-Original Message-
> > >From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > >
> > >hey..  I have a PIX 515 and have a PIX to PIX connection to London and NY
> > >using pre-shared key des, hash sha and dh group 1 and I am going to let
> > >VPN3000 client 3.X connect to here as here and I created another isakmp
> > >policy 20, with hash md5, dh group 2 as shown below.  Can u take a look
> > >whether the config is correct?
> > >
> > >And my question is I have 2 isakmp policies here, how does the PIX-PIX and
> > >VPN 3000 3.X client know which isakmp policy to take?
> > >
> > >crypto ipsec transform-set newset esp-des
> > >crypto dynamic-map dynmap 30 set transform-set newset
> > >crypto map newmap 10 ipsec-isakmp
> > >crypto map newmap 10 match address 101
> > >crypto map newmap 10 set peer nyapix
> > >crypto map newmap 10 set transform-set newset
> > >crypto map newmap 20 ipsec-isakmp
> > >crypto map newmap 20 match address 102
> > >crypto map newmap 20 set peer ldnpix
> > >crypto map newmap 20 set transform-set newset
> > >crypto map newmap 30 ipsec-isakmp dynamic dynmap
> > >crypto map newmap interface outside
> > >isakmp enable outside
> > >isakmp key  address ldnpix netmask 255.255.255.255
> > >isakmp key  address nyapix netmask 255.255.255.255
> > >isakmp identity address
> > >isakmp policy 10 authentication pre-share
> > >isakmp policy 10 encryption des
> > >isakmp policy 10 hash sha
> > >isakmp policy 10 group 1
> > >isakmp policy 10 lifetime 86400
> > >
> > >isakmp policy 20 authentication pre-share
> > >isakmp policy 20 encryption des
> > >isakmp policy 20 hash md5
> > >isakmp policy 20 group 2
> > >isakmp policy 20 lifetime 86400
> > >
> > >vpngroup CLIENTS address-pool REMOTEIPPOOLS
> > >vpngroup CLIENTS dns-server 192.168.1.201
> > >vpngroup CLIENTS wins-server 192.168.1.201
> > >vpngroup CLIENTS default-domain xyz.com
> > >vpngroup CLIENTS idle-time 1800
> > >vpngroup CLIENTS password 
> > >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70043&t=70043

RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Erick B.
Multiple-VLANs per port can be configured on certain
models, but if you do multiple VLANs then you can't do
dot1q or ISL trunks anywhere on the box. One or the
other... that's the limitation.

I wonder why Cisco doesn't do protocol-based VLANs,
etc like some other vendors. It's a sweet feature that
rocks.

--- Michael Montiverdi  wrote:
> Hi,
> I believe it depends on the switch, like Marco said. I have a Catalyst
> 3548XL and I can setup multiple vlans on one port.
> 
> Thanks,
> Michael Montiverdi
>  
>  
>  
> 
> -Original Message-
> From: M.C. van den Bovenkamp
> [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 02, 2003 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Multiple VLANs in a single switch port
> [7:69991]
> 
> koh jef wrote:
> 
> > is there any way/s to configure multiple VLANs in a single switch
> > port?
> 
> Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on
> what switch you're using.
> 
> Most switches can't do it, but some can; Cisco's 2900 series can, for
> instance.
> 
>   Regards,
> 
>   Marco.
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70042&t=69991


Re: appletalk stuff [7:69961]

2003-06-03 Thread Scott Nelson
Also, are you doing it via "one arm routing" or do you have separate
interfaces in each vlan?
( fa0/0 in vlan or lan x, fa0/1 in vlan or lan y, etc., etc. )

http://www.cisco.com/warp/public/779/smbiz/service/knowledge/wan/subifs.htm

You should definitely use sub-interfaces though..  ( Reference above )

Scotty



""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]
> It's funny that we are seeing this message after seeing all those complaints
> about the CCDP recert exam including AppleTalk! :-)
>
> =?WINDOWS-1255?Q?=F7=E5=F8=EF__=EC=E1 wrote:
> >
> > Does anyone have an idea on that:
> > we use 7200 in the center of a big bay-networks routers
> > we use ipx , ip and appletalk
> > ip , ipx works fine in FR/PPP links and OSPF etc..
> > apple talk zones and routing are shown ok on the macintosh
> > machines
>
> All zones are showing up on the Macs? That's a good sign.
>
> Routing wouldn't show up on the Macs, but do all routes show up on the
> routers?
>
> Most AppleTalk problems are related to routing, not finding services. To
> avoid problems with split horizon, be sure to use Frame Relay subinterfaces.
>
> > there is appletalk services advertised on PPP links
>
> AppleTalk services are never advertised. Users look for them.
>
> > but they are not advertised on FR links
> > routing is RTMP , zones are ok on FR links
> > just the macintosh servers does not show up on FR !!
>
> Do you mean that servers don't show up when users who are across the Frame
> Relay network try to find them? That is indeed strange.
>
> > no access-lists of any kind
>
> Hmmm. It does seem like an access list problem, though
>
> It also sounds like it could be a duplicate network number. If this is a new
> or updated design, it's pretty common to mistakenly reuse an AppleTalk cable
> range, or have overlapping ranges. Other than misconfigured access lists,
> that's the only time I've ever seen such a strange result as what you're
> seeing, if I understand what you're seeing (zones and routes OK, but users
> can't find services).
>
> If it's been upgraded to AppleTalk over IP and Mac OS X, then it's a whole
> other story. I think Mac OS X uses Service Location Protocol, which is
> multicast based and requires IGMP and an IP multicast routing protocol to be
> working correctly.
>
> Is this a new problem? What changed? What version of Mac OS are the users
> using? Is this pure AppleTalk or AppleTalk over TCP/IP?
>
> I might be willing to help if you could send more info on what's happening,
> version numbers, config, etc.
>
> Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70044&t=69961


RE: Virtual MAC and Port Security [7:70030]

2003-06-03 Thread Mark W. Odette II
David- it's been a while since I did this, but from what I understand
you to say, you are trying to provide fault tolerance (fail-over) at the
NIC level for these servers.

I can't vouch for the 6500s, but on the 5500s that I used to manage, we
used Intel NICs in a "teaming" fashion (which was to provide said fault
tolerance).  These NICs had their FastEthernet cables going to each
switch respectively. (4 NICs in each Server, 2 CAT5500's to plug into).

The virtual mac's of the Teaming group was plugged into the port
security table on the CATs.  The CATs were also Trunk'd together via
GBICs, so STP would block one Fast-Ether-Channel group of NIC cables on
one switch while allowing the other group to operate.

So, the short of it is, I believe you'll have to set up an EtherChannel
with the NIC Pool(s) and it's assumed that you already are Trunking
between your 6500's for backbone redundancy.  Port Security should be
straight forward- just one Virtual-MAC per NIC Pool to be plugged into
the MAC Security Table, and reference the security mac table on the
ports you want to enable port security.

It's been a couple of years since I did this, so hopefully I remembered
all the steps required. YMMV :)

HTHs
-Mark
-Original Message-
From: David Vital [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: Virtual MAC and Port Security [7:70030]

I have several Servers that are going to be doing NIC pooling.  So I'm
supposed to see a virtual MAC address instead of the actual physical address
of the NIC's.  I run the NICs from one server to different switches for
fault tolerance.  If I have several 6500 series switches how can I set it up
for Port Security?  I know I can set up the ports to handle several MAC's
but if they are running the same virtual MAC what's the answer?

David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70045&t=70030


Re: OSPF over FR [7:70025]

2003-06-03 Thread Danny Free
Catherine, 

You forget to define ospf network type in each frame interface. 
Add this interface config command: ip ospf network point-to-point 

Thank, 
Rivalino 

Exactly right but you will have to do 2 more things:
1) Since you changed the hello-interval to 30 on Router A's
point-to-point subinterfaces you will have to do the same for
Router B and Router C's interfaces.
2) Remove the neighbor statement from Router B and Router C's
OSPF process. Not needed.
So just add the "ip ospf network point-to-point" on Routers B and
C frame relay physical interface and do steps 1 and 2. Best of luck.
Danny


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70046&t=70025


Lab prep in Sydney [7:70048]

2003-06-03 Thread Pichai Ruangroj
Hi,
Where can I find a lab prep in Sydney? Please give me the contact of
them.
Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70048&t=70048


RE: multiple isakmp policies question-No authentication [7:70051]

2003-06-03 Thread Mark W. Odette II
Richard- Google is your friend 

Fluf-fluf http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html



-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 11:37 PM
To: [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication
[7:70043]

Hi..  Sorry, me again. I just realised that W2K can act as a RADIUS server, is
it true??  I tried to install Cisco CSACS software on my W2K server; it
prompted me that another program is using the RADIUS port, pls disable it. It
means my W2K server comes with RADIUS?  Where to configure it?

The aaa.bbb.ccc.10 (shown below) is the IP of my W2K server?  I should
configure my W2K RADIUS server to have the same key "PASSWORD HERE" as the
PIX515, right?  Where can I enter this value in my W2K server?

>aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10


PIX 520 Static NAT [7:70049]

2003-06-03 Thread Danial Morison
Hi group,

We have a PIX 520 with 3 interfaces. What we want is to allow outside
10.20.20.0/24 to inside 10.16.206.21/32, although 10.0.0.0/8 is defined as
the inside network, and the server 10.16.206.21 already has a static translation
entry to a public IP address.

static (inside,outside) 203.125.152.243 10.16.206.21 netmask 255.255.255.255 0 0

and the outside network 10.20.20.0/24 is allowed to access inside network by 
NAT 0 command & ACL with permit host.

Any idea to allow inside IP address 10.16.206.21 from outside and outside 
network is 10.20.20.0/24 even we have a static translation above.

Thanks & Best Regards

DA'





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70049&t=70049


PIX Access for Inside IP Pool [7:70050]

2003-06-03 Thread Danial Morison
Hi group,

We have a PIX 520 with 3 interfaces. What we want is to allow outside
10.20.20.0/24 to inside 10.16.206.21/32, although 10.0.0.0/8 is defined as
the inside network, and the server 10.16.206.21 already has a static translation
entry to a public IP address.

static (inside,outside) 203.125.152.243 10.16.206.21 netmask 255.255.255.255 0 0

and the outside network 10.20.20.0/24 is allowed to access inside network by 
NAT 0 command & ACL with permit host.

Any idea to allow inside IP address 10.16.206.21 from outside and outside 
network is 10.20.20.0/24 even we have a static translation above.

Thanks & Best Regards

DA'





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70050&t=70050


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Jens von Bülow
Check out RANCID - http://www.shrubbery.net/rancid/

RANCID - Really Awesome New Cisco confIg Differ


Rancid monitors a router's (or device's) configuration, including software
and hardware (cards, serial numbers, etc), using CVS. Rancid currently
supports Bay routers, Cisco routers, Juniper routers, Catalyst switches,
Foundry switches, Redback NASs, ADC EZT3 muxes, MRTd (and thus likely IRRd),
Alteon switches, and HP procurve switches.
Rancid logs into each of the devices in a router table file, runs various
commands, chomps the output, and emails any differences (sample) from the
previous collection to a mail list.

Rancid is known to be used at: Global Crossing, MFN, Verio, Certainty
Solutions Inc.






-Original Message-
From: Vincent Tocco [mailto:[EMAIL PROTECTED] 
Sent: 02 June 2003 09:45
To: [EMAIL PROTECTED]
Subject: Re: Router Configuration Backups?? [7:70009]


We use Pancho, it's a perl script that downloads the configs via snmp. 
Just setup a cron job on a unix box.. http://www.panchoproject.org/

After you setup that, you can run diff on the files to see if anything 
changed.. Maybe every night?


-Vince

Stevo wrote:
> Hey Group,
> 
> I have a number of routers that don't get their configs backed up on a 
> regular basis... does anyone have (or know of) any software products 
> out there that will do the backups for me...  or even better still, 
> let me know if a config is changed by someone??
> 
> Thanks
> 
> --Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70052&t=70009


RE: PIX access-list [7:70022]

2003-06-03 Thread Troy Leliard
Silly thing to overlook, but best to check anyway is that you have applied
the ACL to the correct interface


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70053&t=70022


RE: OSPF over FR [7:70025]

2003-06-03 Thread Troy Leliard
Hi Catherine, 

Because you are using point to point sub interfaces on the one router and
on the other just using the real interface, OSPF behaves differently and
has different hello / dead timers etc, and this is why you are not getting
all your routes.  You need to make sure that all OSPF interfaces in the same
area are of the same "network type" using the interface command ip ospf
network

Below is a link to a quick ref 

http://www.chuckslongroad.info/OSPF_Frame_Reference.htm

Catherine Wu wrote:
> 
> I am testing Hub-Spoke for OSPF over FR,
> 
> I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and
> 3.3.3.3 in the routing table,
> 
> RouterA#sh ip ospf nei
> 
> Neighbor ID     Pri   State       Dead Time   Address     Interface
> 3.3.3.3           1   FULL/  -    00:01:41    10.1.1.6    Serial0/0.2
> 2.2.2.2           1   FULL/  -    00:01:39    10.1.1.2    Serial0/0.1
> RouterB#sh ip ospf nei
> 
> Neighbor ID     Pri   State       Dead Time   Address     Interface
> 1.1.1.1           1   FULL/BDR    00:01:38    10.1.1.1    Serial0/0
> RouterC#sh ip ospf nei
> 
> Neighbor ID     Pri   State       Dead Time   Address     Interface
> 1.1.1.1           1   FULL/BDR    00:01:34    10.1.1.5    Serial0/0
> 
> RouterA#sh ip ro
> Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
>        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
>        * - candidate default, U - per-user static route, o - ODR
>        P - periodic downloaded static route
> 
> Gateway of last resort is not set
> 
>      1.0.0.0/32 is subnetted, 1 subnets
> C       1.1.1.1 is directly connected, Loopback0
>      10.0.0.0/30 is subnetted, 2 subnets
> C       10.1.1.0 is directly connected, Serial0/0.1
> C       10.1.1.4 is directly connected, Serial0/0.2
> 
> Please help.
> 
> Thanks 
> 
> Catherine
> 
> RouterA
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
> !
> interface Serial0/0
>  no ip address
>  encapsulation frame-relay
>  frame-relay lmi-type ansi
>  no sh
> !
> interface Serial0/0.1 point-to-point
>  ip address 10.1.1.1 255.255.255.252
>  ip ospf hello-interval 30
>  frame-relay interface-dlci 101
> !
> interface Serial0/0.2 point-to-point
>  ip address 10.1.1.5 255.255.255.252
>  ip ospf hello-interval 30
>  frame-relay interface-dlci 102
> !
> router ospf 1
>  log-adjacency-changes
>  network 1.1.1.1 0.0.0.0 area 1
>  network 10.1.1.0 0.0.0.3 area 0
>  network 10.1.1.4 0.0.0.3 area 0
> 
> RouterB
> !
> interface Loopback0
>  ip address 2.2.2.2 255.255.255.255
> !
> interface Serial0/0
>  ip address 10.1.1.2 255.255.255.252
>  encapsulation frame-relay
>  frame-relay map ip 10.1.1.1 110 broadcast
>  no frame-relay inverse-arp
>  frame-relay lmi-type ansi
>  no sh
> !
> router ospf 1
>  log-adjacency-changes
>  network 2.2.2.2 0.0.0.0 area 2
>  network 10.1.1.0 0.0.0.3 area 0
>  neighbor 10.1.1.1 
> !
> RouterC
> interface Loopback0
>  ip address 3.3.3.3 255.255.255.255
> !
> interface Serial0/0
>  ip address 10.1.1.6 255.255.255.252
>  encapsulation frame-relay
>  frame-relay map ip 10.1.1.5 120 broadcast
>  no frame-relay inverse-arp
>  frame-relay lmi-type ansi
>  no sh
> !
> router ospf 1
>  log-adjacency-changes
>  network 3.3.3.3 0.0.0.0 area 3
>  network 10.1.1.4 0.0.0.3 area 0
>  neighbor 10.1.1.5 
> 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70054&t=70025


IOS for 2500 series router. [7:70056]

2003-06-03 Thread Amir Tahir
Hi, 
I will be thankful to you if you could let me know from where I can download
IOS version for my Home Cisco 2500 series routers.

Thanks & regards
Amir


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70056&t=70056


IP addressing [7:70057]

2003-06-03 Thread maine dude
Hi,

Can someone please check below, to see if I am going in the right direction.

I have 3 sites A B C 

A wants 500 users. 
B wants 2000 users 
c unknown up to 200 

IP address range I have is as follows:- 

10.225.200.0 to 10.225.219.255 

 

I have worked the following:- 

For A the range is 10.225.200.0 to 10.225.201.255 with a subnet mask of
255.255.254.0 or is it 255.255.255.0

For B the range is 10.225.202.0-255 
   10.225.203.0-255 
   10.225.204.0-255 
   10.225.205.0-255 
   10.225.206.0-255 
   10.225.207.0-255 
   10.225.208.0-255 
   
All with a subnet mask of 255.255.248.0. 

For C the range is 10.225.209.0-255 to 10.225.210.0-255 
subnet mask of 255.255.254.0 

if all on single network will all these talk without any problems and I
still have 211 through to 219 free.

Another quick question was should these all respond across different subnets
even using OSPF or won't they.

Thanks,

-DJ









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70057&t=70057


Re: Wireless Spec. question [7:69842]

2003-06-03 Thread DW
By kit I mean questions about the Cisco devices (1200 / 350 / Bridges etc),
and their abilities, specs etc. I had no questions on the CLI at all..

""1 cisco""  wrote in message
news:[EMAIL PROTECTED]
> Do you mean cisco interface when talking about the KIT?
> Any questions on the cli?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70058&t=69842


Re: BRI [7:70059]

2003-06-03 Thread koh jef
Hi ppl,

I'm encountering some issues on the 2nd channel, it takes quite a while for
it to come up despite the 1st channel hits the threshold, is there any
command that I can issue to monitor on the 2nd channel?

thanks

regards,

jef 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70059&t=70059


RTP Cisco User's Group Meeting - June 4 2003 [7:70061]

2003-06-03 Thread Stephen Alston
Folks,
  The Research Triangle Park (RTP) Cisco User's group will meet on June 4th
from 12:00 to 1:00 PM in the first floor conference room of the Lake
Building on Cisco's RTP campus.

  This meeting's topic will be TAC procedures and best practices.  The
meeting will also include a guided tour through sections of the Cisco.com
website.  Learn answers to questions such as -- What is the difference
between a management escalation and a technical escalation?  Which is the
best method to use to open a TAC case?  Who is "[EMAIL PROTECTED]"?

  We apologize for the short notice and plan to provide more notice in the
future.

  If you're planning to attend please RSVP to so we can get a good head
count.

  BTW, more info on RTPCiscoUsers can be found at Yahoo Group.

  I'm a member of the group and will answer what questions I can.  Feel free
to email me at [EMAIL PROTECTED]

Thanks,
Steve Alston




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70061&t=70061


RE: IP addressing [7:70057]

2003-06-03 Thread Larry Letterman
See Inline.


Hi,

Can someone please check below, to see if I am going in the right
direction.

I have 3 sites A B C 

A wants 500 users.  - should be a /23
B wants 2000 users  - should be a /21
c unknown up to 200 - should be a /24

IP address range I have is as follows:- 

10.225.200.0 to 10.225.219.255 

 

I have worked the following:- 

For A the range is 10.225.200.0 to 10.225.201.255 with a subnet mask of
255.255.254.0 or is it 255.255.255.0

It should be 255.255.254.0 for a /23



For B the range is 10.225.202.0-10.225.203.255  - 512 address
   10.225.204.0-10.225.205.255  - 512 address
   10.225.206.0-10.225.207.255  - 512 address
   10.225.208.0-10.225.209.255  - 512 address
   
All with a subnet mask of 255.255.248.0.  

For C the range is 10.225.209.0-255 to 10.225.210.0-255 
subnet mask of 255.255.254.0 

The bldg C address should be a /24 for 200 addresses...you don't need a
/23 for 200 addresses.
The 209 subnet is part of the /21 for area B...you should use
10.225.210.0 - 255 /24.



if all on single network will all these talk without any problems and I
still have 211 through to 219 free.

You will obviously need a router and have 3 networks...one for area A,
B, C...which would be 3 networks
Not one single network

Another quick question was should these all respond across different
subnets even using OSPF or won't they.

They should respond and work across any routing protocol if the switches
and router are config'd correctly...

Thanks,

-DJ









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70060&t=70057
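
As an added example (not code from either post), this sketch carves the range 10.225.200.0 to 10.225.219.255 into the /21, /23 and /24 sizes given in the reply, placing the largest block first so each subnet starts on its own prefix boundary. It also checks whether a given start address is a valid boundary for a prefix length; within this range a /21 can only begin at 10.225.200.0 or 10.225.208.0. Site names and host counts come from the thread; function names are this example's own.

```python
import ipaddress

def prefix_for_hosts(hosts):
    """Smallest prefix whose block holds `hosts` usable addresses plus the
    network and broadcast addresses."""
    return 32 - (hosts + 1).bit_length()

def is_aligned(start, prefix):
    """True when `start` is a legal network address for a /prefix block."""
    try:
        ipaddress.ip_network(f"{start}/{prefix}", strict=True)
        return True
    except ValueError:
        return False

def allocate(first, last, demands):
    """Largest-first, lowest-address-first allocation of aligned subnets.

    Returns (plan, free): plan maps site -> IPv4Network, free is the sorted
    list of blocks left over in the range."""
    free = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    plan = {}
    for site, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        want = prefix_for_hosts(hosts)
        free.sort()
        block = next((b for b in free if b.prefixlen <= want), None)
        if block is None:
            raise ValueError(f"no free block large enough for site {site}")
        subnet = next(block.subnets(new_prefix=want))
        free.remove(block)
        if subnet != block:
            # Return the unused remainder of the block to the free list.
            free.extend(block.address_exclude(subnet))
        plan[site] = subnet
    return plan, sorted(free)

# Host counts as stated in the thread.
DEMANDS = {"A": 500, "B": 2000, "C": 200}

if __name__ == "__main__":
    plan, free = allocate("10.225.200.0", "10.225.219.255", DEMANDS)
    for site in sorted(plan):
        net = plan[site]
        print(site, net, net.netmask, f"{net.num_addresses - 2} usable hosts")
    print("free:", ", ".join(str(n) for n in free))
    for start in ("10.225.200.0", "10.225.202.0", "10.225.208.0"):
        print(start, "/21 aligned:", is_aligned(start, 21))
```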


RE: BRI [7:70059]

2003-06-03 Thread Dom
Show isdn status then use debug isdn q921 for more detailed information.


Best regards,

Dom Stocqueler
CTO - SysDom Technologies

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 03 June 2003 10:33
To: [EMAIL PROTECTED]
Subject: Re: BRI [7:70059]


Hi ppl,

I'm encountering some issues on the 2nd channel, it takes quite a while
for it to come up despite the 1st channel hits the threshold, is there
any command that I can issue to monitor on the 2nd channel?

thanks

regards,

jef




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70062&t=70059