FCS Errors between 2 5500's [7:64180]

2003-03-01 Thread Chuck Church
Elijah,

What kind of GBICs are you using?  If they're LX and MM fiber, are you
using mode-conditioning cables?

Chuck Church
CCIE #8776, MCNE, MCSE

>
From: Elijah Savage [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 8:27 AM
To: [EMAIL PROTECTED]
Subject: FCS Errors between 2 5500's [7:64072]


All,



Last night I had to shut down a gig fiber trunk between 2 5500's to run
on a 100M trunk we set up as a backup. The FCS errors are only showing up
on one side. The fiber between the 2 cats was replaced, but the errors
are still showing up. Which side would you all say you would replace the
fiber daughter card on: the one with the errors or the side without the
errors?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64180&t=64180
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


OT: CCIE Self-Employment [7:62367]

2003-02-03 Thread Chuck Church
Yes.  Money will depend on your skill level with both Cisco and other
products as well, such as Unix, NW, MS, etc.  It could be $30/hour, could be
$100.  Location is probably almost as important.  NYC pays pretty well, but
it costs $50 to park a car for 4 hours!  The thing about consulting like
this is you need to be a salesperson at times.  Personally, I hate salespeople,
and therefore don't make a good one myself.  There's also more
responsibility, as far as finding your own insurance, paying taxes, etc.  If
you can find a headhunter who will place you as a 1099 employee, that's
usually pretty good, but I haven't heard from my headhunter in months
:(  I was on an indefinite project for a year, but that ended when they
outsourced.  Since then it's all been small projects, mostly complicated
installs involving layer 3 switching.  It's a tough market, and getting a
name for yourself can be difficult.  Personally, I'm looking for a full time
position now.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Jay Greenberg" 
To: ; 
Sent: Monday, February 03, 2003 12:14 PM
Subject: CCIE Self-Employment


> Any CCIEs on the list in business for themselves?  What's the money
> like, what sort of companies do you work for?  Do you do short-term or
> long term contracts?  Hourly work?
>
> Thanks,
>
> --
> Jason Greenberg, CCIE #11021
> 
> .




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62367&t=62367



Re: L3 Switching & Swtich/Router Comparsion [7:62273]

2003-01-31 Thread Chuck Church
I got into this discussion kind of late, but here's my take:

Functionally, you can configure either to do what you want.  But a 1 armed
router has a couple major limitations that a layer 3 switch doesn't.  A
layer 3 switch has ASICs (application specific integrated chip/circuit) that
can perform MAC re-writes, RIB/FIB lookups, rate-limiting, QOS, and ACL at
wire speed without bothering the CPU of the device.  A 1 armed router needs
to use the CPU for some of these functions, and will quickly become a
bottleneck after a certain level of traffic is passing through.  Also, a 1
armed router is limited by its 1 arm :)  That link will be limited to 100
mb/sec (unless you move up to a 72xx or higher router, where gig is
possible).  So for instance if you're copying a large file between VLANs,
it'd be pretty easy to use up all the bandwidth of that 100 mbit full duplex
link, even if the CPU wasn't working hard on the 1 armed router.  Moving to
a layer 3 switch typically bumps that layer 3 device to layer 2 backplane a
multi-gigabit speed connection.  So if your traffic between vlans will ever
exceed 100 mbit, you can either shell out huge bucks for a 72xx, or get a
real QOS-friendly 3550 that is both faster and cheaper.  Of course if you
need WAN modules in the device that's another story.  I was sent this chart
a while ago listing speeds of various routers and switches:

> Router Performance Specs
>
> Router Switching Performance - Performance based on 64 Byte packets
>
> Platform                   Process         Fast             Fast
>                          Switching    Switching        Switching
>                                           (PPS)           (Mb/S)
> ----------------------------------------------------------------
> 1400                           600        4,000        2,048,000
> 1600                           600        4,000        2,048,000
> 1700                         1,500        8,400        4,300,800
> 2500                           800        4,400        2,252,800
> 261X                         1,500       15,000        7,680,000
> 262X                         1,500       25,000       12,800,000
> 265X                         2,000       37,000       18,944,000
> 3620                         2,000       40,000       20,480,000
> 3640                         4,000       80,000       40,960,000
> 3660                        12,000      120,000       61,440,000
> MC3810                       2,000       10,000        5,120,000
> 4000                         1,800       14,000        7,168,000
> 4500                         5,000       40,000       20,480,000
> 4700                         7,000       50,000       25,600,000
> 7120                        13,000      175,000       89,600,000
> 7140                        20,000      300,000      153,600,000
> 7200-NPE100                  7,000      100,000       51,200,000
> 7200-NPE150                 10,000      150,000       76,800,000
> 7200-NPE175                  9,000      175,000       89,600,000
> 7200-NPE200                 13,000      200,000      102,400,000
> 7200-NPE225                 13,000      225,000      115,200,000
> 7200-NPE300                 20,000      300,000      153,600,000
> 7200-NPE400                 20,000      400,000      204,800,000
> 7200-NSE-1                  20,000      300,000      153,600,000
> uBR-NPE150                  10,000      100,000       51,200,000
> uBR-NPE200                  13,000      150,000       76,800,000
> 7000-RP                      2,500       30,000       15,360,000
> 7500-RSP2                    5,000      220,000      112,640,000
> 7500-RSP4                    8,000      345,000      176,640,000
> 7500-RSP8                   22,000      470,000      240,640,000
> Cat 2948G-L3                   N/A   10,000,000    5,120,000,000
> Cat 4908G-L3                   N/A   12,000,000    6,144,000,000
> Cat 4232-L3                    N/A    6,000,000    3,072,000,000
> Cat -RSM                    14,000      175,000       89,600,000
> Catalyst-RSFC                           170,000       87,040,000
> Catalyst-RSFC/NFFCII                  2,000,000    1,024,000,000
> Catalyst-MSFC (IP,IPX)               15,000,000    7,680,000,000
> Catalyst-MSFC (Other)                   170,000       87,040,000
> Catalyst-MSFC2 (IP,IPX)              15,000,000    7,680,000,000
> Catalyst-MSFC2 (Other)                  680,000      348,160,000
> Catalyst-MSFC (X-bar)                30,000,000   15,360,000,000
>
> NOTE: VIP2 Distributed Switching significantly increases
> the performance on RSP platforms.


Chuck Church
CCIE #8776, MCNE, MCSE



>>>> Please advise if there are any differences in the functionalities etc. if I
>>>> use
>>>>
>>>> 1) a L3 switch for routing between VLANs,
>>>> 2) a L2 switch followed by a router for routing between VLANs.
>>>
>>> 1) define "functionality"
>>>
>>> 2) define "difference"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62273&t=62273



Re: Buffer tuning [7:60647]

2003-01-08 Thread Chuck Church
I assume you're running in Hybrid mode (IOS on MSFC, CatOS on Sup).  12.1.9
to 12.1.11 had that problem.  Not exactly sure about the versions, but I
know it's fixed in 12.1.13.  The medium buffer category will disappear after
the upgrade, and the normal small, middle, etc will have few, if any,
misses.

Chuck Church
CCIE #8776, MCNE, MCSE

>Date: Wed, 8 Jan 2003 13:13:13 GMT
>From: "[EMAIL PROTECTED]" 
>Subject: Re: Buffer Tuning [7:60526]

Any thoughts on that?


==
Is it possible to tune the medium buffer?

I did find how to tune the middle buffer on the Cisco pages, but nothing
about medium buffer.  Also, I do not have that option on the 6509 MSFC.

The number of failures is very high, and that is why I want to tune it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60647&t=60647



Subject: Re: question - how many commands are there [7:60086]

2003-01-01 Thread Chuck Church
I just received my 12.2 complete doc set the other day.  123 lbs in all, must
have been about 30 to 35 books, in a box the size of a Cat4006.  The command
references are just the right size for curls :)


Chuck Church
CCIE #8776, MCNE, MCSE



>Date: Wed, 1 Jan 2003 14:37:04 GMT
>From: "Howard C. Berkowitz" 
>Subject: Re: question - how many commands are there [7:60051]



>As a vague context, I weighed the 9.x command reference on my kitchen
>scale, and it was four ounces or so.  10.x was about ten ounces.
>11.x slammed the pointer beyond the limit with a loud thump.

>I have not repeated the experiment with 12.x. When I want to lift
>that much, I use barbells.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60086&t=60086



Re:Laying Cable Accross the Pond [7:59994]

2002-12-30 Thread Chuck Church
Travis,

I've often wondered the same thing.  I dug this up on google.  Amazingly
it dates back to the 1890s!
http://www.atlantic-cable.com/

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59994&t=59994



RE: Routers multicast address 224.0.0.2 [7:59666]

2002-12-21 Thread Chuck Church
HSRP uses 224.0.0.2, UDP port 1985.  Any ACLs blocking this?  Is IGMP
snooping enabled all places between the two routers?  Check out:
http://www.cisco.com/en/US/tech/tk648/tk365/technologies_q_and_a_item09186a00800a9679.shtml
for more info.  Also, check the switch's multicast forwarding tables.
HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


>
> Mohannad Khuffash wrote:
> >
> > Hi ...
> >
> > I have tried to configure HSRP on two 3660 routers, I
> > configured them
> > straight forward where only a little commands needed.But HSRP
> > don't worked
> > well ! The reason simply was that they are not seeing the HSRP
> > hello
> > messages so every one act as the active one ! When I checked
> > the problem
> > more, I discovered that both of them are not seeing the
> > 224.0.0.2 messages
> > by using the SHOW IP INTERFACE command where none of the
> > interfaces of the
> > two routers are joined for this multicast group !
> > My question now is how I can make them joined to 224.0.0.2
> > which should be
> > the default configuration ? Or may be I'm wrong in my
> > investigation ?!
> >
> > Thanks for your help
> >
> > --
> >
> >
> >
> >
> >
> >
> >
> > Mohannad  Khuffash




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59666&t=59666



RE: campus LAN design w/DHCP server [7:59664]

2002-12-21 Thread Chuck Church
Hey Priscilla,

I feel about 10 times better knowing it's a fast ethernet  :)  If
there's anyway to localize the traffic, such as putting department X's
clients and servers on vlan 100, and department Y's clients/servers on the
other, it'd be optimal.  But even if you can't it should run pretty well.
Worse comes to worse, they could always buy a 3550 and have that route
between VLANs at like light speed.  Which ghosting software is the client
using?  I thought that Ghost itself used multicast and was IGMP aware.

Chuck Church
CCIE #8776, MCNE, MCSE


>
> It's a fast Ethernet trunk, actually. I forgot to mention that. He does
have
> some internal servers. Do you think in and out of a Fast Ethernet trunk
will
> be less of a problem?
>
> You know my first reaction was also just move the subnet mask over. But he
> didn't seem to want to do that.
>
> He had a broadcast meltdown last week. Perhaps that's why he's concerned.
He
> was using ghosting software.
>
> Thanks for the input!
>
> Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59664&t=59664



Re: problem with initiating PPTP connection behind [7:59663]

2002-12-21 Thread Chuck Church
Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec.  Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC, same
port.  At one time I thought it needed GRE, but I don't see it listed on
that doc.  HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore" 
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


> Its all broken... I will give you 500 bux for that pix ..no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen" 
> To: ; 
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall via
> PAT
>
>
> > I just replace my home linux "iptables" firewall fwith a "franken" pix
> firewall
> >
> > (700MHz CPU/512MB RAM/16MBFlash)  running version 6.2(2) with PDM
2.1(1).
> >
> > My internal network is 172.16.1.0/24 with the "inside" interface of the
> firewall is
> >
> > 172.16.1.254.  The "outside" interface of the firewall is 4.64.1.100.  I
> also have
> >
> > a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254.
> Machines
> >
> > on both the "inside" and "dmz" access the Internet via Port Address
> Translation
> >
> > (PAT) to the "outside" interface and it seems to work OK.  On the
"inside"
> network,
> >
> > I have a Websense filter server (IP 172.16.1.2) to do url filtering for
> both the "inside"
> >
> > and "outside" interface.  I use Websense server to filter out traffics
> that I don't want
> >
> >  my children to see.  Everything is working great with a minor
exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside" network
(IP
> >
> > 172.16.1.100) to a PPTP server at my work place.  The problem is that
the
> >
> > connection keeps timing out.  The connection time out at the "verify
> username and
> >
> > password".  To make sure that this is not a problem with my laptop, I
hook
> my
> >
> > laptop directly to the cable modem (I have roadrunner).  Since my laptop
> has a valid
> >
> > external IP address, PPTP works.  If I place the laptop on the "inside"
> network
> >
> > behind the "franken" pix, PPTP doesn't work. I even make the firewall
> "wide-open" for
> >
> > both inbound and outbound and it still doesn't work.  Now if I replace
the
> "franken"
> >
> > pix firewall with a linux firewall, PPTP works just fine through IP
> masquerading which
> >
> > is equivalent to PAT.
> >
> > My question is this:  has anyone been able to successfully initiate a
PPTP
> >
> > from behind a Pix firewall via Port Address Translation (PAT)?  Does it
> even work
> >
> > at all with PAT?  I am starting to have serious doubt with Cisco Pix
> firewall.  It costs
> >
> > me $500 to build this "franken" pix firewall.  With the CPU, memory and
> flash, this
> >
> > "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit
> Interface) and it can
> >
> > not even do a simple thing like allowing PPTP through PAT.  My linux
> firewall is
> >
> > running on a Pentium 90Mhz with 64MB of RAM and PPTP works just fine,
and
> it
> >
> > costs me $20 for that old system.
> >
> > I think PPTP will work with static NAT but I don't have an extra public
IP
> to spare.
> >
> > If anyone has PPTP works through PAT, please reply.  Thanks.
> >
> > Eric.
> >
> > Here is my Pix configuration
> >
> > HERNDON-PIX# wr t
> >
> > Building configuration...
> >
> > : Saved
> >
> > :
> >
> > PIX Version 6.2(2)
> >
> > nameif ethernet0 outside security0
> >
> > nameif ethernet1 inside security100
> >
> > nameif ethernet2 dmz security99
> >
> > nameif ethernet3 dmz2 security98
> >
> > enable password * encrypted
> >
> > passwd * encrypted
> >
> > hostname HOME-PIX
> >
> > domain-name home.com
> >
> > clock timezone est -5
> >
> > clock summer-time est dat

Re: problem with initiating PPTP connection behind [7:59673]

2002-12-21 Thread Chuck Church
You know, IPSec is far more secure than PPTP, especially if you're dealing
with an MS PPTP server.  Sounds like you need a PIX at work...

Chuck Church
CCIE #8776, MCNE, MCSE


  - Original Message -
  From: eric nguyen
  To: [EMAIL PROTECTED] ; 'Chuck Church' ; [EMAIL PROTECTED] ;
[EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 10:27 PM
  Subject: RE: problem with initiating PPTP connection behind a Pix Firewall
via PAT


  Thanks for the info.

  This absolutely sucks.  I am sure there are many folks out there with
broadband

  connection like myself, cable modem or DSL, that has only one external IP

  address.  Those folks might be using Cisco Pix501, Pix506 or Pix506E for
their

  home firewall.  I am sure they need to connect to their corporate network
via

  PPTP just like myself. Now I have no choice but to switch back to my Linux

  firewall. Pix firewall, what a piece of shit.  For an expensive product
like
that,

  you would think that Cisco makes an effort to make PPTP work via PAT.

  Enough of me venting off my frustration.  Thanks everyone for your help.

  Eric

   "Raymond Jett (rajett)"  wrote:

Hmmm To quote cisco.com...

PPTP through the PIX with Port Address Translation (PAT) does not work
because there is no concept of ports in GRE.

That was from:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT...

Although, interestingly enough... You can do it with IOS:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
eric nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT

Chuck,
I did try the following:

static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside

it still doesn't work. The example you provided
has to do with Cisco IOS. Pix is not the same as Cisco IOS even though
it comes from the same company. This is really frustrating. I feel like
I am being "ripped-off" by Cisco Pix firewall
(even though I am running a clone, there is no way in hell that Cisco
will support it). It is really amazing that an expensive product like
this one doesn't support PPTP with PAT (to my knowledge). Even Linux
firewall supports PPTP over PAT. I feel like I am hitting a brick wall
here. Please help.

Eric

Chuck Church wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same port. At one time I thought it needed GRE, but I don't see it
listed on that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore"
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT


> Its all broken... I will give you 500 bux for that pix ..no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen"
> To: ;
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall
via
> PAT
>
>
> > I just replace my home linux "iptables" firewall fwith a "franken"
> > pix
> firewall
> >
> > (700MHz CPU/512MB RAM/16MBFlash) running version 6.2(2) with PDM
2.1(1).
> >
> > My internal network is 172.16.1.0/24 with the "inside" interface of
> > the
> firewall is
> >
> > 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100.

> > I
> also have
> >
> > a "dmz" 172.17.1.0/24 network with the Pix interface IP of
> > 172.17.1.254.
> Machines
> >
> > on both the "inside" and "dmz" access the Internet via Port Address
> Translation
> >
> > (PAT) to the "outside" interface and it seems to work OK. On the
"inside&

Re: problem with initiating PPTP connection behind [7:59672]

2002-12-21 Thread Chuck Church
Eric,

I just checked it with an ACL.  GRE is used incoming from a PPTP server,
at least from my work PIX it does.  But the trick is getting the incoming GRE
(with a destination of your PATing PIX) to the client inside.  Can you try
putting a 1-to-1 static from the PIX address pointing to the inside client? 
I
don't have a PIX here to try it.  I think anything then without a translation
will be sent to your inside client.  But it's not really the PIX's fault.
What you're trying to do is PAT a protocol that for the most part is
incompatible with it.  Give it a shot.

Chuck Church
CCIE #8776, MCNE, MCSE


  - Original Message -
  From: eric nguyen
  To: Chuck Church ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 9:59 PM
  Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


  Chuck,

  I did try the following:

  static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0

  access-list 100 permit ip any any

  access-list 100 permit gre any any

  access-list 100 permit icmp any any

  access-group 100 in interface outside

  it still doesn't work.  The example you provided has to do with Cisco IOS.
Pix is

  not the same as Cisco IOS even though it comes from the same company.

  This is really frustrating. I feel like I am being "ripped-off" by Cisco
Pix
firewall

  (even though I am running a clone, there is no way in hell that Cisco will
support

  it).  It is really amazing that an expensive product like this one doesn't
support

  PPTP with  PAT (to my knowledge).  Even Linux firewall supports PPTP over
PAT.

  I feel like I am hitting a brick wall here.  Please help.

  Eric

   Chuck Church  wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same
port. At one time I thought it needed GRE, but I don't see it listed on
that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore"
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall
via PAT


> Its all broken... I will give you 500 bux for that pix ..no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen"
> To: ;
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall
via
> PAT
>
>
> > I just replace my home linux "iptables" firewall fwith a "franken"
pix
> firewall
> >
> > (700MHz CPU/512MB RAM/16MBFlash) running version 6.2(2) with PDM
2.1(1).
> >
> > My internal network is 172.16.1.0/24 with the "inside" interface of
the
> firewall is
> >
> > 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100.
I
> also have
> >
> > a "dmz" 172.17.1.0/24 network with the Pix interface IP of
172.17.1.254.
> Machines
> >
> > on both the "inside" and "dmz" access the Internet via Port Address
> Translation> >
> > (PAT) to the "outside" interface and it seems to work OK. On the
"inside"
> network,
> >
> > I have a Websense filter server (IP 172.16.1.2) to do url filtering
for
> both the "inside"
> >
> > and "outside" interface. I use Websense server to filter out traffics
> that I don't want
> >
> > my children to see. Everything is working great with a minor
exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside"
network
(IP
> >
> > 172.16.1.100) to a PPTP server at my work place. The problem is that
the
> >
> > connection keeps timing out. The connection time out at the "verify
> username and
> >
> > password". To make sure that this is not a problem with my laptop, I
hook
> my
> >
> > laptop directly to the cable modem (I have roadrunner). Since my
laptop
> has a valid
> >
> > external IP address, PPTP works. If I place the laptop on the
"inside"
> network
> >
> > behind the "franken" pix, PPTP doesn't work. I even make the firewall
> &q
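
A simplified model of the point made in this thread (PAT demultiplexes on ports, and PPTP's GRE data channel has none), added here as an illustration and not taken from any poster's code or from PIX or Linux source. The server address 192.0.2.10, the Call ID value and the class names are constructed; `learn_call` stands in for reading the client's Call ID out of the TCP 1723 control channel, which is how a PPTP-aware translator can route the returning GRE.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP, GRE = 6, 47                      # IP protocol numbers
PPTP_GRE_TYPE = 0x880B                # enhanced GRE carrying PPP (RFC 2637)
K_BIT, S_BIT, VER_MASK = 0x2000, 0x1000, 0x0007


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0                    # unused for GRE: its header has no ports
    dport: int = 0
    payload: bytes = b""


def build_pptp_gre(call_id: int, ppp: bytes = b"", seq: int = 0) -> bytes:
    """Enhanced GRE header: flags/version, type, payload length, Call ID, seq."""
    flags = K_BIT | S_BIT | 1         # key present, sequence present, version 1
    return struct.pack("!HHHHI", flags, PPTP_GRE_TYPE, len(ppp), call_id, seq) + ppp


def pptp_gre_call_id(data: bytes) -> int:
    """Return the Call ID from an enhanced GRE header, rejecting anything else."""
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags, ptype, _plen, call_id = struct.unpack("!HHHH", data[:8])
    if ptype != PPTP_GRE_TYPE or (flags & VER_MASK) != 1 or not flags & K_BIT:
        raise ValueError("not PPTP enhanced GRE")
    return call_id


class PortOnlyPat:
    """PAT that can only find the inside host from a translated TCP port."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self.ports: Dict[int, Tuple[str, int]] = {}
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == TCP:
            port, self.next_port = self.next_port, self.next_port + 1
            self.ports[port] = (pkt.src, pkt.sport)
            return Packet(self.outside_ip, pkt.dst, TCP, port, pkt.dport, pkt.payload)
        # GRE leaves with the outside address, but nothing is recorded for the reply.
        return Packet(self.outside_ip, pkt.dst, pkt.proto, payload=pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Inside host for a packet sent to the outside IP, or None (dropped)."""
        if pkt.proto == TCP and pkt.dport in self.ports:
            return self.ports[pkt.dport][0]
        return None


class CallIdAwarePat(PortOnlyPat):
    """Same PAT plus a (server, Call ID) table used to demultiplex GRE."""

    def __init__(self, outside_ip: str):
        super().__init__(outside_ip)
        self.calls: Dict[Tuple[str, int], str] = {}

    def learn_call(self, inside_ip: str, server_ip: str, call_id: int) -> bool:
        # Two inside clients using one Call ID toward one server would collide;
        # this model refuses the second one instead of rewriting the Call ID.
        owner = self.calls.setdefault((server_ip, call_id), inside_ip)
        return owner == inside_ip

    def inbound(self, pkt: Packet) -> Optional[str]:
        if pkt.proto != GRE:
            return super().inbound(pkt)
        try:
            return self.calls.get((pkt.src, pptp_gre_call_id(pkt.payload)))
        except ValueError:
            return None


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Per translator: inside host chosen for the TCP reply and for the GRE reply."""
    client, outside = "172.16.1.100", "4.64.1.100"   # addresses from the thread
    server, call_id = "192.0.2.10", 0x04D2           # constructed values
    results = {}
    for name, pat in (("port_only", PortOnlyPat(outside)),
                      ("call_id_aware", CallIdAwarePat(outside))):
        ctrl = pat.outbound(Packet(client, server, TCP, 1050, 1723))
        if isinstance(pat, CallIdAwarePat):
            pat.learn_call(client, server, call_id)
        tcp_reply = pat.inbound(Packet(server, outside, TCP, 1723, ctrl.sport))
        gre = Packet(server, outside, GRE, payload=build_pptp_gre(call_id, b"\xc0\x21"))
        results[name] = (tcp_reply, pat.inbound(gre))
    return results


if __name__ == "__main__":
    for name, (tcp_host, gre_host) in demo().items():
        print(f"{name}: TCP 1723 reply -> {tcp_host}, GRE reply -> {gre_host}")
```

In both cases the control connection on TCP 1723 is translated back to the client; only the translator that tracks the Call ID can deliver the returning GRE, which matches the symptom of the session stalling at "verify username and password".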

RE: campus LAN design w/DHCP server [7:59646]

2002-12-20 Thread Chuck Church
If everyone just goes to the internet, it'll work.  But if you've got one or
more servers internally, I'd be real afraid of trunking on a 10 mb interface.
You'll reduce your broadcasts, but I think performance will suffer horribly
crossing the router.  Since you've run out of addresses on a /24, I assume
you've got a couple hundred devices.  Personally I'd just move the mask back
one or 2 bits, making it a /22 or /23, and using the additional 1.0 or 1,2,
and 3.0 subnets.  There's things you can do to almost all OSs to reduce
broadcasts.  How many broadcasts are you seeing per second?  If it's no more
than 20 on average, I wouldn't even worry about it.

Chuck Church
CCIE #8776, MCNE, MCSE

>The customer has been using 192.168.168.0/24 in one small flat LAN. He
>has run out of these addresses and is being hit by performance issues
>related to broadcasts.

>He wants to implement subnets and VLANs:

>VLAN 100 192.168.168.0/24
>VLAN 200 192.168.169.0/24

>New design:

>          Internet
>             |
>             s0
>        2600 router e1 --- public servers
>             e0
>             | dot1q trunk
>           switch
>     VLAN 200   VLAN 100

>There is just one DHCP server. It will be in VLAN 100, address
>192.168.168.10. The DHCP server will have 2 scopes for the 2 subnets.

>We're going to do inter-VLAN routing on the 2600 router.

>Will this config work as far as DHCP is concerned?

>interface ethernet 0
> no ip address
>interface ethernet 0.1
> encapsulation dot1q 100
> ip address 192.168.168.1 255.255.255.0
>interface ethernet 0.2
> encapsulation dot1q 200
> ip address 192.168.169.1 255.255.255.0
> ip helper-address 192.168.168.10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59646&t=59646



Re: OT: High Speed Internet Test from Browser [7:59118]

2002-12-12 Thread Chuck Church
Well, I suppose they could have a script that downloaded to your PC and then
tested some sites for speed.  But I think your browser would warn you about
that.  The most simple way would be for the web server to ping you, say with
a 500 byte packet, and based on the reply time, determine your speed.  To be
more accurate, it could ping with a small packet, then a big one to analyze
the difference.  I've got a cable modem.  Two different pings:

Pinging www.novell.com [192.233.80.5] with 32 bytes of data:

Reply from 192.233.80.5: bytes=32 time=110ms TTL=34
Reply from 192.233.80.5: bytes=32 time=152ms TTL=34
Reply from 192.233.80.5: bytes=32 time=109ms TTL=34
Reply from 192.233.80.5: bytes=32 time=111ms TTL=34

Ping statistics for 192.233.80.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 109ms, Maximum = 152ms, Average = 120ms

C:\Documents and Settings\church>ping www.novell.com -l 500

Pinging www.novell.com [192.233.80.5] with 500 bytes of data:

Reply from 192.233.80.5: bytes=500 time=114ms TTL=34
Reply from 192.233.80.5: bytes=500 time=122ms TTL=34
Reply from 192.233.80.5: bytes=500 time=146ms TTL=34
Reply from 192.233.80.5: bytes=500 time=144ms TTL=34

Ping statistics for 192.233.80.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 114ms, Maximum = 146ms, Average = 131ms

As you can see, even though the second ping data size was over 10
times bigger, the time went up very little, indicating your connection isn't
the bottleneck, but the latency through numerous router hops was.  Try the
same on a slow connection, and you'd see a much bigger difference between
the two.

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59118&t=59118
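
The small-ping/large-ping comparison described in the post above, as an added example that is not part of the original post: it parses Windows ping output and turns the RTT difference into an implied link rate. The function names are hypothetical, and it assumes the extra delay is dominated by one slowest link that the payload crosses once in each direction at the same rate.

```python
import re

# Reply lines copied from the two ping runs in the post above.
PING_32 = """\
Pinging www.novell.com [192.233.80.5] with 32 bytes of data:
Reply from 192.233.80.5: bytes=32 time=110ms TTL=34
Reply from 192.233.80.5: bytes=32 time=152ms TTL=34
Reply from 192.233.80.5: bytes=32 time=109ms TTL=34
Reply from 192.233.80.5: bytes=32 time=111ms TTL=34
"""
PING_500 = """\
Pinging www.novell.com [192.233.80.5] with 500 bytes of data:
Reply from 192.233.80.5: bytes=500 time=114ms TTL=34
Reply from 192.233.80.5: bytes=500 time=122ms TTL=34
Reply from 192.233.80.5: bytes=500 time=146ms TTL=34
Reply from 192.233.80.5: bytes=500 time=144ms TTL=34
"""

# Windows prints "time<1ms" for sub-millisecond replies, so accept '<' too.
REPLY = re.compile(r"bytes=(\d+) time[=<](\d+)ms")


def parse_ping(text):
    """Return (payload_bytes, [rtt_ms, ...]) from Windows ping output."""
    replies = [(int(size), int(rtt)) for size, rtt in REPLY.findall(text)]
    if not replies:
        raise ValueError("no reply lines found")
    sizes = {size for size, _ in replies}
    if len(sizes) != 1:
        raise ValueError("mixed payload sizes in one run")
    return sizes.pop(), [rtt for _, rtt in replies]


def estimate_link_bps(small_text, large_text):
    """Implied rate of the slowest link, or None if no difference is measurable.

    The minimum RTT of each run is used because it is the sample least
    inflated by queueing along the path.
    """
    small_size, small_rtts = parse_ping(small_text)
    large_size, large_rtts = parse_ping(large_text)
    delta_ms = min(large_rtts) - min(small_rtts)
    if delta_ms <= 0:
        return None  # difference is below the 1 ms resolution of ping
    # The echo reply carries the same payload back, hence the factor of 2.
    extra_bits = (large_size - small_size) * 8 * 2
    return extra_bits * 1000 / delta_ms


def extra_delay_ms(link_bps, small_size, large_size):
    """Extra round-trip time the larger payload should cost on a given link."""
    return (large_size - small_size) * 8 * 2 * 1000 / link_bps


if __name__ == "__main__":
    bps = estimate_link_bps(PING_32, PING_500)
    print(f"implied rate from the two runs: {bps / 1e6:.2f} Mbit/s")
    print(f"same test on a 56 kbit/s link: +{extra_delay_ms(56000, 32, 500):.0f} ms")
```

With only four samples per run the estimate is coarse; the comparison with a slow link is the useful part.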



RE: Little Help Please blocking pop ups and ads [7:58182]

2002-11-27 Thread Chuck Church
Elijah,

Not real easy to do with a PIX.  You could set up ACLs to block access to
all the big marketing companies like doubleclick.net, etc.  But that would be
a never-ending battle.  An alternative is running Mozilla as your browser.
It's got an option to turn off unrequested windows.  I'm not sure, the newer
Netscapes might do it now as well.  It works fine.
http://www.mozilla.org

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58182&t=58182



Re: hsrp & isl trunking [7:58144]

2002-11-26 Thread Chuck Church
I think the 'use-bia' may have been a fix for the problem as well.  It's
been a while since it happened.  For all I know it might have been a problem
with the CatOS on the switch.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Larry Letterman" 
To: "Chuck Church" 
Cc: 
Sent: Tuesday, November 26, 2002 6:36 PM
Subject: Re: hsrp & isl trunking [7:58144]


> And..
> on the new msfc-2 you only get 16 hsrp groups
> supposedly the issue that chuck states below is
> not an issue with the new msfc-2 for the 6509's
>
> Chuck Church wrote:
>
> >Dennis,
> >
> >It's better to have a unique HSRP group for each VLAN.  Cisco bases the
> >virtual MAC address on the group.  If you reuse the group number, you'll have
> >duplicate MAC addresses.  Granted, they're on separate VLANs and shouldn't
> >matter, but I had a Cat4000 that didn't like it at all, and gave me lots of
> >logged messages about MACs moving around.
> >
> >Chuck Church
> >CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58153&t=58144



Re: hsrp & isl trunking [7:58144]

2002-11-26 Thread Chuck Church
Dennis,

It's better to have a unique HSRP group for each VLAN.  Cisco bases the
virtual MAC address on the group.  If you reuse the group number, you'll have
duplicate MAC addresses.  Granted, they're on separate VLANs and shouldn't
matter, but I had a Cat4000 that didn't like it at all, and gave me lots of
logged messages about MACs moving around.

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58144&t=58144



Re: PIX Client & WIN2000 Internet sharing [7:58062]

2002-11-25 Thread Chuck Church
I'm not really sure what 'IPSec passthrough' means.  I've seen it used by
different companies and it means different things.  If the PIX is smart
enough to detect your IKE going out, and set up the necessary IKE and IPSec
translations for the other end of the VPN (for the return traffic), then you
don't need the statics.  This is how the Linksys DSL/Cable routers work, I
believe.  But if it doesn't work, try setting up the statics for IKE and
IPSec.  What works on the router should work on the PIX, although I don't
know for sure if the PIX will let you do the extended translations like the
IOS does.  Don't have a PIX here to try it on.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Elijah Savage III" 
To: "Chuck Church" ; 
Sent: Monday, November 25, 2002 4:32 PM
Subject: RE: PIX Client & WIN2000 Internet sharing [7:58062]


Chuck,

Please correct me if I am wrong but you are using a router with PAT, and
with a router you will need those statics. But on the PIX you do not
need to have statics because it supports ipsec passthrough, I have no
statics on my PIX at all.

-Original Message-
From: Chuck Church [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 25, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Client & WIN2000 Internet sharing [7:58062]


Guys,

IPSec will work with PAT, with some caveats.  On the device doing
the NAT/PAT, you need a static NAT entry to send IKE and IPSec to the
designated inside device.  Like this:

ip nat inside source list 100 interface Ethernet0/0 overload
(Standard PAT statement)
ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
(IPSec)
ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
(IKE/ISAKMP)

By doing this, inside device 192.168.0.2 can connect to an IPSec VPN,
using the 3.x client.  I'm doing it right now.  Of course, if you've got
more than 1 internal needing to dial, you'll need more external
addresses.  Now whether the M$ ICS can be told to send incoming ISAKMP
and IPSec to a certain internal client is another question...

Chuck Church
CCIE #8776, MCNE, MCSE



>
> This is correct.  IPSec will NOT work through PAT.  At the moment, Pix does
> NOT support "NAT traversal (udp encapsulation)".  Therefore, trying to
> connect
> to a Pix behind a NAT device with vpn dialer will not work.  VPN
> concentrators, on the other hand will work.  Or better yet, throw away
> your Pix and put in either a CheckPoint NG Firewall or linux firewall
> (iptables).  Both CP and Linux
> are "stateful" firewalls.  If you want to stick with Pix, wait until
> version 6.3 where it will support "NAT traversal (UDP encapsulation)".
>
> Edward Sohn wrote: nope, it won't work...ipsec needs its own IP
> address and not PAT. i've tested this extensively, and it won't
> work...if anyone else can comment, please do.
>
> either way, best thing to do is get a few statics from your ISP and
> statically translate...
>
> ed
>
> - -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> Of Derek
> Sent: Sunday, November 24, 2002 9:12 AM
> To: [EMAIL PROTECTED]
> Subject: PIX Client & WIN2000 Internet sharing [7:57988]
>
>
> I have a home network which uses an ADSL line which is shared via
> Internet Connection Sharing. I have 3 pc's in the network and they can
> all access the internet. From these pc's i am trying to connect to my
> office VPN. I can ping the address but cannot connect via Dialer. The
> VPN connection works when Internet Sharing is disabled. Is there
> any way around this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58064&t=58062



RE: PIX Client & WIN2000 Internet sharing [7:58062]

2002-11-25 Thread Chuck Church
Guys,

IPSec will work with PAT, with some caveats.  On the device doing the
NAT/PAT, you need a static NAT entry to send IKE and IPSec to the designated
inside device.  Like this:

ip nat inside source list 100 interface Ethernet0/0 overload
(Standard PAT statement)
ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
(IPSec)
ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
(IKE/ISAKMP)

By doing this, inside device 192.168.0.2 can connect to an IPSec VPN, using
the 3.x client.  I'm doing it right now.  Of course, if you've got more than
1 internal needing to dial, you'll need more external addresses.  Now
whether the M$ ICS can be told to send incoming ISAKMP and IPSec to a
certain internal client is another question...

Chuck Church
CCIE #8776, MCNE, MCSE



>
> This is correct.  IPSec will NOT work through PAT.  At the moment, Pix does
> NOT support "NAT traversal (udp encapsulation)".  Therefore, trying to
> connect
> to a Pix behind a NAT device with vpn dialer will not work.  VPN
> concentrators, on the other hand will work.  Or better yet, throw away
> your Pix and put in either a CheckPoint NG Firewall or linux firewall
> (iptables).  Both CP and Linux
> are "stateful" firewalls.  If you want to stick with Pix, wait until
> version 6.3 where it will support "NAT traversal (UDP encapsulation)".
>
> Edward Sohn wrote: nope, it won't work...ipsec needs its own IP
> address and not PAT. i've tested this extensively, and it won't
> work...if anyone else can comment, please do.
>
> either way, best thing to do is get a few statics from your ISP and
> statically translate...
>
> ed
>
> - -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Derek
> Sent: Sunday, November 24, 2002 9:12 AM
> To: [EMAIL PROTECTED]
> Subject: PIX Client & WIN2000 Internet sharing [7:57988]
>
>
> I have a home network which uses an ADSL line which is shared via
> Internet Connection Sharing. I have 3 pc's in the network and they can
> all access the internet. From these pc's i am trying to connect to my
> office VPN. I can ping the address but cannot connect via Dialer. The VPN
> connection works when Internet Sharing is disabled. Is there any way
> around this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58062&t=58062



RE: Apparent packet loss... [7:57957]

2002-11-23 Thread Chuck Church
Keith,

Don't ever listen to a sales person.  Ever!  What is the ratio of
collisions to frames output on that interface to the provider?  Cisco
recommends limiting collisions to 1 out of every 1000 frames, although 1 out
of every 100 isn't bad.  If it's worse than 1 out of every 100, definitely get
them to make it full duplex.  Frames queueing up on this interface could be
causing problems with the others.  Definitely turn on CEF.  If they want to
limit your network speed it should occur on their interface to their own
equipment, not yours.  NBAR (Network Based Application Recognition) is
available on 12.2 and does a lot of what Packeteer can do.  Assuming you've
got adequate memory (do a 'sh mem', check how much is free), I'd bump up both
the buffers a bit and the queues on the interfaces.  Shouldn't be too much
more CPU load.  Do 200/300 per/max for small buffers, 100/150 for middle, and
75/150 for big.  Double the size of the interface queues that have drops.  Go
with this for a day, and see how it looks.  Also, do a 'sh int stat' to see
the ratio of process to fast switched packets.  This ratio should improve with
CEF.  Hope this helps.  Let me know if you need more help.

Chuck Church
CCIE #8776, MCNE, MCSE

Date: Sat, 23 Nov 2002 18:18:16 GMT
From: "Keith Woodworth" 
Subject: Re: Apparent packet loss... [7:57922]

On Sat, 23 Nov 2002, The Long and Winding Road wrote:

|->> They have told us to config our ethernet port to half duplex so packets
|->> will be retransmitted if they get lost in their ATM cloud so we have a
|->> fairly high collision rate on this port. I dont know enough about ATM to
|->> say if this is good or bad...?
|->
|->
|->CL: huh? the retransmission is determined from and between the source and
|->destination hosts, not by routers along the way. this half duplex
|->instruction doesn't make sense to me.

Nor does it to me either but before we put in the 7206, we had their 7204
as the gateway connected to a switch and it was set half-duplex even
before I started here. I'm going to dig more into this.

The part of this that annoys me is when I asked my boss about this he said
the provider would charge us an xtra $2k/month to run the port
full-duplex... telus is hurting and are trying to squeeze as much as they
can from us and everyone else.

|->CL: have you considered doing traffic studies to determine if any qos type
|->services could be of benefit? anything like traffic shaping, random early
|->detect, things like that?

We have started doing that because we started noticing that outbound
traffic higher than inbound. About 6 weeks ago we moved the routers to a
switch as a start just to look at sniffing the traffic via port spanning.
4pm in the afternoon we started and within an hour, we found that 50-60%
of traffic outbound was riding on port 1214 (Kazaa etc) At that time
outbound traffic was pushing 18Megs, inbound was about 15Megs.

Historically traffic was 8-10Megs out and 15-18Megs in. P2P is killing us.

A few simple ACL's have been put to rate-limit outgoing traffic on that
port for P2P, which has helped. And we are looking at packet shaping
possibilities. My boss wants a Packeteer... but I'd like to see if I can do
something with the router instead of spending 20 grand.

|->CL: according to the following link, up to 400,000 pps
|->
|->http://www.cisco.com/warp/public/cc/pd/rt/7200/prodlit/c7200_ds.htm
|->
|->your description doesn't indicate you have oversubscribed the back plane.
|->

Yea I don't think we are either now that I've seen some numbers. I was
looking for specs on the NSE1 not the 7206. Thanks for the link.

|->> Anyway to actually tell for certain if the router is dropping packets?
|->
|->show buffers
|->show queueing
|->show queue interface etc.

Showing misses/failures on all buffers but these have the most:

Small buffers, 104 bytes (total 50, permanent 50, peak 201 @ 7w0d):
 44 in free list (20 min, 150 max allowed)
 1991931468 hits, 98395 misses, 43142 trims, 43142 created
 2371 failures (0 no memory)
Middle buffers, 600 bytes (total 25, permanent 25, peak 92 @ 3d20h):
 23 in free list (10 min, 150 max allowed)
 43042905 hits, 2828 misses, 2508 trims, 2508 created
 703 failures (0 no memory)
Big buffers, 1524 bytes (total 50, permanent 50, peak 68 @ 6d12h):
 50 in free list (5 min, 150 max allowed)
 12398616 hits, 359 misses, 81 trims, 81 created
 79 failures (0 no memory)

so according to docs on CCO about buffers, misses/failures usually lead to
dropped packets. This leads me to believe that data is coming in at a rate
higher than the RP can keep up though. Will have to look at upping the #
of permanent buffers and see if that helps.

Thanks,
Keith




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57957&t=57957

6509 Buffer problem - Fix [7:57009]

2002-11-06 Thread Chuck Church
6509 dude,

Sorry, don't remember the person's name who posted the original
question, but I was dealing with the same thing.  Installed 12.1.13E last
night, now I'm getting nothing but hits, even with default buffer settings.
Hope this helps.

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57009&t=57009



Re: buffer tuning 6509 [7:56906]

2002-11-05 Thread Chuck Church
Mr. Joshua,

This looks like a bug I'm working with:

"Anyway, the issue might be related to the middle buffer "not populating"
and there is a bug which was open for the similar issue 
(should be fixed in later IOS versions): CSCdx15857 (Buffer Failure). You
couldn't change the middle buffers because of the same bug.
In order to fix the issue you should upgrade the IOS but prior to doing this
you would probably need to consult your Cisco NSA/SE."

That came from a TAC guy I'm working with.  He's telling me the 12.1.13E
code will fix that problem, where you can't even configure medium buffers.
Keep in mind that buffers use RAM, so occasionally do a 'sh mem' and make
sure your 2 pools aren't running low.  I'd install that code, and then run
it for a few days.  After that, set your permanent buffers to between 50 and
75% of what the peak was for that particular pool.  Set the max to maybe 100
more than the permanent.  So for below I'd start out with:

buff sma per 750
buff sma max 850
buff med per 75
buff med max 150
buff mid per 300
buff mid max 400
buff big per 600
buff big max 700
buff very per 20
(use default for very max)
buff large per 10
buff large max 25
buff huge per 10
buff huge max 20

Paste these in, see how it goes.  Good luck.

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000

Date: Tue, 5 Nov 2002 12:41:12 GMT
From: "Mr Joshua"
Subject: buffer tuning 6509 [7:56891]

Does anybody know of a good white paper on buffer tuning? I have read a
couple of generic ones on Cisco's website, yet they are not
good enough to satisfy what I need to know. Called TAC - not a whole
lot of help this time! As you can see, there are a lot of misses on 
medium and middle buffers. I also see that total and permanent are
not allocated. I know the general CCNP level of what those mean and
commands to adjust them, but does anybody know this - the second line
of output says that there are 500 max allowed. Does that mean that
I need to break this number down into public buffer pool? Does that mean
that the cumulative sum of all public pools can't be more than 500? (as you
can see, the big buffers are 500). Does anybody know of a GOOD paper that
gives examples of buffer tuning? Sorry if those are stupid questions.

here is the output:

Buffer elements:
499 in free list (500 max allowed)
898918875 hits, 0 misses, 0 created

Public buffer pools:
Small buffers, 104 bytes (total 73, permanent 50, peak 1501 @ 7w0d):
72 in free list (20 min, 150 max allowed)
609248534 hits, 201320 misses, 121659 trims, 121682 created
86630 failures (0 no memory)
Medium buffers, 256 bytes (total 0, permanent 0, peak 123 @ 4d08h):
0 in free list (0 min, 0 max allowed)
705511 hits, 140644897 misses, 1414484 trims, 1414484 created
139937655 failures (0 no memory)
Middle buffers, 600 bytes (total 150, permanent 25, peak 555 @ 7w0d):
149 in free list (10 min, 150 max allowed)
185320811 hits, 4615702 misses, 167032 trims, 167157 created
4439672 failures (0 no memory)
Big buffers, 1524 bytes (total 500, permanent 500, peak 595 @ 7w0d):
500 in free list (5 min, 500 max allowed)
41418467 hits, 3577401 misses, 39229 trims, 39229 created
3540388 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 10, permanent 10, peak 20 @ 7w0d):
10 in free list (0 min, 100 max allowed)
1006090 hits, 3524469 misses, 22 trims, 22 created
3524458 failures (0 no memory)
Large buffers, 5024 bytes (total 0, permanent 0):
0 in free list (0 min, 10 max allowed)
0 hits, 3524458 misses, 0 trims, 0 created
3524458 failures (0 no memory)
Huge buffers, 18024 bytes (total 2, permanent 0, peak 2 @ 7w0d):
2 in free list (0 min, 4 max allowed)
4580 hits, 3522061 misses, 120 trims, 122 created
3522000 failures (0 no memory)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56906&t=56906
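
The sizing rule from the reply above (permanent at 50 to 75% of a pool's peak, max about 100 more than permanent), applied to `show buffers` text, as an added example that is not code from the thread. The function names are hypothetical, and never suggesting less than the currently configured permanent value is an assumption of this example.

```python
import re

# Public-pool excerpt of the `show buffers` output quoted in the thread above
# (Small, Medium, Middle and Large pools; Large has no recorded peak).
SHOW_BUFFERS = """\
Small buffers, 104 bytes (total 73, permanent 50, peak 1501 @ 7w0d):
72 in free list (20 min, 150 max allowed)
609248534 hits, 201320 misses, 121659 trims, 121682 created
86630 failures (0 no memory)
Medium buffers, 256 bytes (total 0, permanent 0, peak 123 @ 4d08h):
0 in free list (0 min, 0 max allowed)
705511 hits, 140644897 misses, 1414484 trims, 1414484 created
139937655 failures (0 no memory)
Middle buffers, 600 bytes (total 150, permanent 25, peak 555 @ 7w0d):
149 in free list (10 min, 150 max allowed)
185320811 hits, 4615702 misses, 167032 trims, 167157 created
4439672 failures (0 no memory)
Large buffers, 5024 bytes (total 0, permanent 0):
0 in free list (0 min, 10 max allowed)
0 hits, 3524458 misses, 0 trims, 0 created
3524458 failures (0 no memory)
"""

HEADER = re.compile(
    r"^(?P<name>\w+) buffers, (?P<size>\d+) bytes "
    r"\(total (?P<total>\d+), permanent (?P<permanent>\d+)"
    r"(?:, peak (?P<peak>\d+) @ \S+?)?\):"
)
COUNTER = re.compile(r"(\d+) (hits|misses|trims|created|failures)\b")


def parse_show_buffers(text):
    """Return one dict per pool with its header fields and counters."""
    pools = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            pool = {"name": header["name"]}
            for key in ("size", "total", "permanent", "peak"):
                value = header[key]
                pool[key] = int(value) if value is not None else None
            pools.append(pool)
        elif pools:
            # Counter lines belong to the most recently seen pool header.
            for value, key in COUNTER.findall(line):
                pools[-1][key] = int(value)
    return pools


def miss_ratio(pool):
    """Fraction of buffer requests the free list could not satisfy."""
    requests = pool["hits"] + pool["misses"]
    return pool["misses"] / requests if requests else 0.0


def recommend(pool, low=0.50, high=0.75, headroom=100):
    """Permanent = 50-75% of peak, max = permanent + headroom.

    Returns None when the pool has no recorded peak to size against.
    """
    if pool["peak"] is None:
        return None
    # Assumption of this example: never go below what is already configured.
    per_low = max(pool["permanent"], int(pool["peak"] * low))
    per_high = max(per_low, int(pool["peak"] * high))
    return {
        "permanent": (per_low, per_high),
        "max": (per_low + headroom, per_high + headroom),
    }


def report(text):
    """(name, peak, miss ratio, recommendation) for every pool in the text."""
    return [
        (p["name"], p["peak"], round(miss_ratio(p), 4), recommend(p))
        for p in parse_show_buffers(text)
    ]


if __name__ == "__main__":
    for name, peak, ratio, rec in report(SHOW_BUFFERS):
        print(f"{name:8} peak={peak} miss_ratio={ratio:.4f} suggest={rec}")
```

For the Small pool the low end of the range reproduces the 750 permanent / 850 max suggested in the reply.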



Re: Cisco PIX & Novell [7:51427]

2002-08-15 Thread Chuck Church

Brian,

A well-designed NW network is a very stable and secure environment.
I used to work for a bank with over 400 NW 4.11 servers.  The support team
consisted of myself and two others.  We spent all our free time studying
Cisco!  The major problem these days is VARs send their MCSE drones to try
to fix these networks, and break all kinds of things.  People who don't
understand how NDS works shouldn't be touching it.  You'll see issues in MS
like this once (if ever) people start trying to install Active Directory.
All the NW IP clients work great with the 1.1 and 3.x Cisco VPN clients
also, so VPN shouldn't really be an issue.  I know for a fact that the NW
client will NOT work through NAT, but no one should be accessing a server
over the internet without encryption anyways.
MS uses tons of broadcasts and directed broadcasts for everything.
It's actually worse than NW these days.  Multicasting is the way to go.
Just enable PIM, and all servers and clients can see each other.  It's
really easy compared to WINS.
Security holes?  You can't possibly think that NW has more security
holes than MS.  Even Gartner Group now recommends that companies stay away
from IIS from any internet-accessible servers.  Patching NT servers is a
full time job (with no benefits).

P.S.  Cisco's stock is pretty crappy right now also (bought some of mine at
$80 :(.  But I'm not recommending Foundry to anyone either.  Use what you
like, 

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000

>If you believe any of this, you can spend $1.50 and own some of the
>Novell Company (stock market). About the cost of a candy bar? My
>experience with Novell you need to spend a lot of effort to get anything
>to work, and their support is non-existent. I have heard of even
>hardcore Novell shops switch to a different OS, after trying Novell 5
>with horror stories. Everything about Novell works with broadcasts that
>flood the network. They are considered a step up from Apple networks
>though, in the unnecessary traffic they create. Recently, I was told I
>needed to make a VPN connection to another company using ADSL, the
>problem is that Novell Client will not work with ADSL. It may work now
>in Novell 6 client. There was a long laundry list of "work arounds", and
>modifications you had to do to get it running. I really don't have this
>kind of patience, so I think they dropped the idea of getting a VPN
>connection into Novell. Some of the fixes were playing games with the
>MTU size to get it to work. The problem with that, is the rest of my
>network is using the ADSL line.

>I think you will find issues with using Pix Firewall with Novell. Novell
>requires so many modifications to make it work, that you will compromise
>performance and security (i.e. "compatibility mode"), if you can get it
>to work at all. With major security Vulnerabilities like "Denial of
>Service" issues with the Novell VPN.

>I find a lot of people like Novell (and other obsolete OS's) because
>they have good memories of running the 3.xx box on a 386. Maybe back
>then it was worth mentioning. Now, it is full of security holes, and
>bugs that are in the Novell OS which no one bothers to fix. At this
>point, they are just struggling to keep the lights on at Novell.

>Novell got IPX from Xerox anyway, not so innovating at all. 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51427&t=51427



re: Cisco PIX & Novell [7:51358]

2002-08-14 Thread Chuck Church

John,

Keep in mind that Pure IP NW uses multicasts as part of SLP to map
server names to IP addresses and build a table.  The PIX won't pass
multicasts.  I assume you're manually putting in the server IP address into
the client.  Otherwise you'll need a directory agent.  Or replace it with
MS.  Now that's funny :)

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51358&t=51358



RE: CCIE#8903 [7:37511]

2002-03-06 Thread Chuck Church

George,

Way to go.  I guess we were good partners for each other at NMC-1!
Congratulations.

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
George Zhang
Sent: Wednesday, March 06, 2002 5:57 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: CCIE#8903


All,

The title says it all.  I took my first attempt at the CCIE lab test
yesterday (March 5) in Halifax and received the "Congratulations on Passing
the CCIE Lab!" this morning.

I was the only person taking the lab test in Halifax yesterday.  I was told
that there was another person scheduled yesterday but did not show up.  My
test started about 8:15 AM in the morning.  We broke for lunch at about
12:20PM.  By then, I only finished all the IGP stuff and felt some pressure
on time.  But I have already reviewed rest of the test and knew that I could
go through the rest quickly.  After the 15 min lunch break, I worked through
rest of the test very quickly.  By about 3:00 PM, I finished every thing
except one small requirement that I had no clue how to do it.  I decided to
skip that item.  Then, I started reviewing and checking my config.  Along
the way of reviewing/checking, I spotted and fixed a few issues.  Just about
the time I finished reviewing every thing, the proctor walked in and told me
that it's time.  I looked at the watch.  It was 4:30 PM.  My proctor was
Steve.  Steve is a great proctor.  He answered quite a few of my questions
and cleared my misunderstanding and confusion about the requirements of the
test.

I would like to take this opportunity to thank all people who helped me to
achieve my goal.  First, I would like to thank my wife for her support and
understanding.  Without her support, there is no way I could achieve my
goal.  Next, I will give my thanks to Bruce, Val, and Fred of
NetMasterClass.  As I said earlier, the NMC1 class is the most important
part of my final preparation.  Thanks to Katie Wong of Cisco who scheduled
me to access the ASET racks.  That's my primary resource for hands-on
practices for the past couple of months.  Thanks to Eric Fairfield for
lending me a few routers when I was in Wisconsin.  Also thanks to those that
I've either studied with or have helped me one way or another.  Thanks also
to Paul for putting this great list together.

As far as my story, I started my quest of the Cisco certifications a little
over two and a half years ago.  I got my CCNA and CCNP in the first year.
Three months later, I passed the CCIE written test.  I wanted to take the
lab a year ago.  However, due to work and personal reasons, I did not get
time to do it until now.  Last year, I was too busy to do much study.  At
work, as a consultant, I was billing at least 40 hours/week for the whole
year.  At home, my second child was born in February, my wife finished
school in July, and we moved to New Jersey from Wisconsin in September.  In
October of last year, I foresaw a window of opportunity for me to take the
lab test early this year.  Then, I lobbied my manager to let me go to the
ECP1 class.  By the time my manager approved my training request, I found
that Mentor Technologies went belly up.  However, I learned that Bruce and
Val founded a new company called NetMasterClass, LLC
(www.netmasterclass.net) and offering the NMC1 and NMC2 classes.  I
registered and took the NMC1 class by the end January.  By the end of last
year, the project I worked on finished.  So since the beginning of this year
I got a lot of time to study.  For the past couple of months, I have studied
8-10 hours every day.

As far as how I prepared, I have read most of the books (Doyle I & II,
Caslow, Halabi, Tam-Nam-Kee, Solie, Satterlee, etc.) recommended by people
on this list.  Among this long list of books, the only one I don't like is
Solie's book because there are too many errors in the book.  There are a few
topics I was more confused after reading the book.  I don't have a home lab.
So my primary resource for hands-on practice is remote labs such as Mentor
Technologies vlabs (not available any more), Cisco ASET lab.  Because I
don't have a home lab, my preparation included more reading than hands-on
practice.  That actually worked out very well for me.  Above all, the most
important part of my preparation is the NMC1 class taught by Bruce, Val and
Fred.  IF I HAD NOT TAKEN THE NMC1 CLASS, IT PROBABLY WOULD HAVE TAKEN ME
ONE OR TWO MORE ATTEMPTS BEFORE I COULD GET MY NUMBER.  There are a lot of
things that just cannot be learned from reading books or practicing.  So the
NMC1 class helped me to fill in that gap very well.  It also helped me to
assess my strength and weakness.  So I know what to study on the last few
weeks.  I strongly recommend taking the NMC1 class a fe

Whew! CCIE 8776! [7:35257]

2002-02-13 Thread Chuck Church

All,

I think the title says it all.  Took the lab today at RTP.  4th time
was the charm.  I don't know where to begin.  Might as well start with the
thank you's.  Thanks to Bruce, Val, and Fred at NetMasterClass.  Thanks also
to those on the list that I've either studied with or have helped me out in
the past with problems.  Thanks also to Paul for putting this great list
together.  As far as how I prepared, I might as well give the whole story.
Started working on Cisco about 2 1/2 years ago after going through the Novell
and MS Certs.  After getting NA, DA, NP, and DP, I passed the CCIE written
in October 2000.  Without really knowing how to study or what to prepare
for, I got my butt handed to me in January at RTP.  Didn't know much more
than your average CCNP would.  Tried again in April, but BGP killed me, and
again I didn't make it to day 2.  After that, I found a study partner
(Thanks Boris) and we worked pretty hard last summer.  Did all the bootcamp
labs, thought I knew everything I needed to.
November 4 of 2001, figured I'd breeze through the lab.  I don't
know if it's true, but I heard the first couple of months with the new 1 day
format had a very low pass rate.  I know I could have used a couple more
hours to finish.  If anyone took the lab in Oct or Nov of last year and
failed, don't be discouraged.  I think they've scaled it back a little
nowadays.
Fast forwarding to today.  After spending a week with Val, Bruce,
and Fred at the NMC-1 course, and doing nothing but working on my speed, I
felt pretty prepared.  Everything in the Doyle Volume 1 and Bruce/Val's book
made sense.  Though running a little low on sleep, I felt good this morning.
Roughly 4.5 hours into the test, we got lunch.  At that point I was done
with the IGP's and almost done with the EGP's.  In other words about 2/3 of
the way done, by my estimate.  At 1:30 I was done, but needed to go back and
work on 3 things I couldn't figure out.  A little discussing with the
proctor, and 2 of them were fixed.  But then I think I read too much.  I had
solved a problem one way, but realized the wording of the question might
change what they were looking for.  Checking with the proctor, I got the
impression that he really didn't like my solution.  So there I am, 1.5 hours
to go, and I'm making a somewhat major change :(  Looked OK, but with 1/2 an
hour to go, I noticed a 'neighborship' bouncing up and down :o  10 minutes
to go, got it all working, but didn't get a chance to completely double
check all my other work as time expired.  I know I left 1 thing unconfigured
(a 2 pointer), but started wondering if I'd made other mistakes.  They said
to expect the results tomorrow afternoon.  A plane flight back to New York,
and there's the email waiting.  8776!
If anyone's wondering what I used to study, here's the short list:

Groupstudy!  Paul's done a great job.  There are certain people on this list
that should be flagged as must-reads.  I won't mention any last names, but
there are a couple guys named 'Brian' (both long-time CCIEs) that are a huge
asset to this list.  Thanks guys.

Doyle - Volumes 1 and 2 - Everything you ever wanted to know about IP, but
were afraid to ask.

Bridges, Routers, and Switches for CCIEs - Bruce Caslow and Val Pavlichenko
- Used edition 2, but I understand 3 is coming out soon.  This book covers
most everything.  I expect the new edition will cover more multicast and
QOS, and drop Appletalk and DECnet.  But still the most useful book I've
found.

Halabi - Used 1st edition, but everything I was asked to do with BGP is in
that book.

Bootcamp labs - Worked through these with a partner, because his company was
cool enough to buy them for him, and my company wasn't!  Great preparation
and simulation for the test.

Various docs from CCO - Might as well go to the source!

Most importantly - NMC-1 http://www.netmasterclass.net/nmc/  Bruce and Val
explain the most difficult subjects very well.  A couple of things are a
little lacking in the book, but they cover those very well in the class.  Be
prepared to work your a** off that week though.  8:30AM to 11PM is the norm
that week.  But I highly recommend it, especially if you've come close to
passing before.

Well, sorry to ramble on so much.  I'm off to bed for a L O N G
sleep.

Thanks again,

Chuck Church
CCIE 8776
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35257&t=35257



Re: How to block MSN, and others. [7:31107]

2002-01-06 Thread Chuck Church

There's really two reasons to block access to these services.  Managers
don't want their employees wasting time, but the more important reason is
network security.  If you're providing email accounts for employees, what's
the need to access Hotmail, etc?  By doing so, they're bypassing your email
virus scanning capabilities.  That's how my company got stung with Nimda.
Most companies already have a policy for computer use.  Usually it's
something along the lines of 'business use only'.  Accessing your
home/personal email account at work usually isn't business related.  Now if
I can just figure out how to block Media Player using NBAR...

Chuck

> What is the purpose of giving users access to the Internet when you will
> be blocking even the hotmail for them?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=31107&t=31107



How to block MSN, and others. [7:31057]

2002-01-06 Thread Chuck Church

All,

I've had good luck blocking access by denying all traffic to the IP
ranges of the login servers for those services.  Currently I block all
traffic to:

AOL IM
152.163.0.0 /16   255.255.0.0
205.188.0.0 /16
64.12.0.0   /16

MSN Messenger
64.4.0.0/18  255.255.192.0

Yahoo Messenger
216.136.224.0 /22  255.255.252.0


This works currently.  You might want to keep all 3 installed on your work
PC, and check them once a week.  If one starts working, they must have added
another network.  Open a DOS window, and do a 'netstat'.  Look for the
connection to login server, most likely will mention the company in the DNS
name.  Mine looked like this:
TCP    superdave:1530    msgr-ns56.msgr.hotmail.com:1863    ESTABLISHED

If you then do a netstat -n, you'll get the address rather than the
DNS name.  Then look up that address in www.arin.net in the WHOIS utility.
That will give you the block of addresses.  Add that block of addresses, and
you'll be blocking them all once again.

Chuck 

P.S.  Blocking MSN will also block Hotmail access, so you kill 2 birds with
1 stone!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=31057&t=31057
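The weekly check described in the post above, as an added example that is not part of the original post: it reads `netstat -n` output, compares established remote addresses with the ranges listed in the post, and renders those ranges as ACL entries. The sample netstat rows, the ACL number 110, ports 5190 and 5050, and all function names are assumptions made for this example.

```python
import ipaddress

# Blocked ranges exactly as listed in the post.
BLOCKED = {
    "AOL IM": ["152.163.0.0/16", "205.188.0.0/16", "64.12.0.0/16"],
    "MSN Messenger": ["64.4.0.0/18"],
    "Yahoo Messenger": ["216.136.224.0/22"],
}

# 1863 is the port visible in the post's netstat line; 5190 and 5050 are
# assumptions added for this example.
MESSENGER_PORTS = {1863, 5190, 5050}

# Constructed `netstat -n` output; every address below is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.25:1530         64.4.12.56:1863        ESTABLISHED
  TCP    10.1.1.25:1544         198.51.100.20:1863     ESTABLISHED
  TCP    10.1.1.25:1551         192.0.2.80:80          ESTABLISHED
  TCP    10.1.1.25:1560         205.188.7.9:5190       TIME_WAIT
"""


def blocked_networks():
    """Flatten BLOCKED into (service, ip_network) pairs, in listed order."""
    return [(svc, ipaddress.ip_network(cidr))
            for svc, cidrs in BLOCKED.items() for cidr in cidrs]


def parse_established(netstat_text):
    """Yield (remote_ip, remote_port) for ESTABLISHED TCP rows."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        host, _, port = fields[2].rpartition(":")
        try:
            yield ipaddress.ip_address(host), int(port)
        except ValueError:
            continue  # DNS name (netstat run without -n) or malformed row


def audit(netstat_text):
    """Return (leaking, new_ranges).

    leaking:    established connections INTO an already blocked range, which
                means the filter is not in the path of this workstation.
    new_ranges: messenger-port connections outside every blocked range, the
                addresses to look up in WHOIS and add to the list.
    """
    nets = blocked_networks()
    leaking, new_ranges = [], []
    for ip, port in parse_established(netstat_text):
        services = [svc for svc, net in nets if ip in net]
        if services:
            leaking.append((str(ip), port, services[0]))
        elif port in MESSENGER_PORTS:
            new_ranges.append((str(ip), port))
    return leaking, new_ranges


def acl_lines(acl_number=110):
    """Render the block list as IOS extended ACL entries (wildcard masks)."""
    lines = [
        f"access-list {acl_number} deny ip any {net.network_address} {net.hostmask}"
        for _, net in blocked_networks()
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    leaking, new_ranges = audit(SAMPLE_NETSTAT)
    print("established despite block list:", leaking)
    print("not yet covered:", new_ranges)
    print("\n".join(acl_lines()))
```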



RE: Portfast

2001-03-01 Thread Chuck Church

One of my customers had a problem only with W2K machines and DHCP.  His
NT4.0 and 98 machines didn't need port fast.  Possibly W2K has less of a
delay between loading the lan driver (and activating the link) and looking
for a DHCP server?  Or maybe they were just faster machines.  Or maybe W2K
has a shorter timeout for the DHCP lease request?  Anyway, I've been using
portfast on almost all workstation ports for the past few months.

Thanks,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218


-Original Message-
From: Scott Morris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 4:44 PM
To: 'Chuck Church'; ''Ccielab' (E-mail)'; 'Cisco@Groupstudy. Com
(E-mail)'
Subject: RE: Portfast


It's not specific to Windows 2000 machines...  Any machine that needs DHCP
and boots up with any speed (less than 50 seconds), or any machine running a
novell client where it would try a GetNearestServer and find nothing

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Chuck Church
Sent: Thursday, March 01, 2001 4:22 PM
To: 'Ccielab' (E-mail); Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


If this bpdu guard works as it's supposed to, I'll definitely use it.  Windows
2000 machines seem to need portfast for DHCP, and almost all Windows
machines need it for IPX.  I've always pointed out to the customer about
NEVER connecting other layer 2 devices to the ports I configured portfast
on.  This is good insurance.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218


-Original Message-
From: Latimer, Keith [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 11:13 AM
To: 'McCallum, Robert'; 'John Chang'; 'Ccielab' (E-mail);
Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


Check out the new portfast bpdu guard feature. It can shut down ports that
have portfast enabled when detecting bpdus on the line.
Keith

-Original Message-
From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 10:44 AM
To: 'John Chang'; 'Ccielab' (E-mail); Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


No,

The problem occurs if he creates a loop i.e. you have a main switch a cable
from the main switch goes to user A.  User A decides to connect a hub and a
few terminals - Outcome fine.  User B then says hey user A can you access
those terminals and the main network.  User A says yeah how do you want to
connect?  User A says yes and inadvertently patches his own pc and the
original connection that was from him to the main switch outcome is now main
switch has 2 connections to the minihub.  NOW spanning tree goes oh my and
recalculates - outcome 30 second outage for everyone on that vlan.  Then the
users go home, switch off their kit and go to the pub.
Next day. The mini hub is switched back on - because portfast is enabled
the ports go whoosh straight into forwarding mode - result - spanning tree
goes oh my!! and recalculates.

Outcome -- You and every other support member run about like loonies
trying to find this fault which occurs only when the user decides to switch
on his equipment.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2001 15:34
To: McCallum, Robert
Subject: RE: Portfast


Let me see if I got this correct.  If he only connects one mini-hub or
mini-switch it is OK to have portfast on on the main switch.  If he then
connects another mini-hub or mini-switch onto the first mini-hub or
mini-switch then there will be a problem.  But when you connect 2 mini-hubs
aren't you just extending the amount of ports and in a sense there is only
one virtual mini-hub?

At 03:24 PM 3/1/2001 +, you wrote:
>yes, but only if he then connects another link to another hub / switch and
>causes a bridging loop.
>
>-Original Message-
>From: John Chang [mailto:[EMAIL PROTECTED]]
>Sent: 01 March 2001 15:08
>To: [EMAIL PROTECTED]
>Subject: Portfast
>
>
>In the below website it says not to have portfast on if you connect
>switches, hubs, or routers.  I understand that point but what if a user
>connected a mini-hub (Ex. Linksys EtherFast 8-Port 10/100 Desktop Hub)
>or  unmanaged mini-switch (Ex. Farallon NetLINE 10/100 switch) so that he
>could connect multiple computers.  Would this cause any problems?  Thank
>you!
>
>
>http://www-1.cisco.com/warp/public/473/12.html
>
>Note: The portfast feature should never be used on switch ports that
>connect to other switches, hubs, or routers. These connections may cause
>physical loops
>and it is very important that spanning tree go through the full
>initialization procedure

RE: Portfast

2001-03-01 Thread Chuck Church

If this bpdu guard works as it's supposed to, I'll definitely use it.  Windows
2000 machines seem to need portfast for DHCP, and almost all Windows
machines need it for IPX.  I've always pointed out to the customer about
NEVER connecting other layer 2 devices to the ports I configured portfast
on.  This is good insurance.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218


-Original Message-
From: Latimer, Keith [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 11:13 AM
To: 'McCallum, Robert'; 'John Chang'; 'Ccielab' (E-mail);
Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


Check out the new portfast bpdu guard feature. It can shut down ports that
have portfast enabled when detecting bpdus on the line.
Keith 

-Original Message-
From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 10:44 AM
To: 'John Chang'; 'Ccielab' (E-mail); Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


No,

The problem occurs if he creates a loop i.e. you have a main switch a cable
from the main switch goes to user A.  User A decides to connect a hub and a
few terminals - Outcome fine.  User B then says hey user A can you access
those terminals and the main network.  User A says yeah how do you want to
connect?  User A says yes and inadvertently patches his own pc and the
original connection that was from him to the main switch outcome is now main
switch has 2 connections to the minihub.  NOW spanning tree goes oh my and
recalculates - outcome 30 second outage for everyone on that vlan.  Then the
users go home, switch off their kit and go to the pub.  
Next day. The mini hub is switched back on - because portfast is enabled
the ports go whoosh straight into forwarding mode - result - spanning tree
goes oh my!! and recalculates.  

Outcome -- You and every other support member run about like loonies
trying to find this fault which occurs only when the user decides to switch
on his equipment.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2001 15:34
To: McCallum, Robert
Subject: RE: Portfast


Let me see if I got this correct.  If he only connects one mini-hub or 
mini-switch it is OK to have portfast on on the main switch.  If he then 
connects another mini-hub or mini-switch onto the first mini-hub or 
mini-switch then there will be a problem.  But when you connect 2 mini-hubs
aren't you just extending the amount of ports and in a sense there is only 
one virtual mini-hub?

At 03:24 PM 3/1/2001 +, you wrote:
>yes, but only if he then connects another link to another hub / switch and
>causes a bridging loop.
>
>-Original Message-
>From: John Chang [mailto:[EMAIL PROTECTED]]
>Sent: 01 March 2001 15:08
>To: [EMAIL PROTECTED]
>Subject: Portfast
>
>
>In the below website it says not to have portfast on if you connect
>switches, hubs, or routers.  I understand that point but what if a user
>connected a mini-hub (Ex. Linksys EtherFast 8-Port 10/100 Desktop Hub)
>or  unmanaged mini-switch (Ex. Farallon NetLINE 10/100 switch) so that he
>could connect multiple computers.  Would this cause any problems?  Thank
>you!
>
>
>http://www-1.cisco.com/warp/public/473/12.html
>
>Note: The portfast feature should never be used on switch ports that
>connect to other switches, hubs, or routers. These connections may cause
>physical loops
>and it is very important that spanning tree go through the full
>initialization procedure in these situations. A spanning tree loop can
>bring your network down. If portfast
>is turned on for a port that is part of a physical loop, it can cause a
>window of time where packets could possibly be continuously forwarded (and
>even multiply) in
>such a way that the network cannot recover.
>
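An added example, not part of the thread: a configuration audit that lists every port with portfast enabled but no BPDU guard, the combination the posts above warn about. It assumes IOS-style interface configuration and interprets only the commands named in the comments; the sample configuration and function names are constructed for this example.

```python
import re

# Constructed sample configuration (IOS-style syntax is an assumption; the
# thread does not show any configuration).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user desk
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/3
 description link to another switch
 switchport mode trunk
!
interface FastEthernet0/4
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
"""


def parse_interfaces(config):
    """Split a config into global commands and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped == "!":
            current = None  # stanza separator
            continue
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(stripped)
        else:
            current = None
            global_lines.append(stripped)
    return global_lines, interfaces


def audit_portfast(config):
    """Return interface names that run portfast without BPDU guard.

    Interpreted commands:
      interface: spanning-tree portfast [trunk]
                 spanning-tree bpduguard enable | disable
      global:    spanning-tree portfast bpduguard default
    A per-interface bpduguard setting overrides the global default.
    """
    global_lines, interfaces = parse_interfaces(config)
    guard_default = "spanning-tree portfast bpduguard default" in global_lines
    unguarded = []
    for name, cmds in interfaces.items():
        portfast = any(c in ("spanning-tree portfast",
                             "spanning-tree portfast trunk") for c in cmds)
        if not portfast:
            continue
        if "spanning-tree bpduguard disable" in cmds:
            guarded = False
        elif "spanning-tree bpduguard enable" in cmds:
            guarded = True
        else:
            guarded = guard_default
        if not guarded:
            unguarded.append(name)
    return unguarded


if __name__ == "__main__":
    for ifname in audit_portfast(SAMPLE_CONFIG):
        print(f"{ifname}: portfast without BPDU guard")
```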



RE: IPX undocumented secrets....

2001-01-23 Thread Chuck Church

Nigel,

 The purpose of the static SAPs you're creating is to create dummy
entries pointing to dummy services.  These dummy services need to have a
socket number of what the service is trying to emulate.  The socket number
for SAP is what the router will use in the actual SAP packet sent out once a
minute.  This SAP packet will use a SAP socket number, but the records
inside the SAP packet will reference the socket numbers that you entered in
the static entry.  Hope this helps.

Chuck Church

-Original Message-
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 23, 2001 6:45 PM
To: Cisco Group Study; CCIE_Lab Group Study
Cc: Bryant Andrews
Subject: IPX undocumented secrets


Hi All,
I've just begun to place a spin on my IPX preparation and I must
admit things seem a little more confusing now more than ever.  Caslow's
book gives a lot of very specific information on IPX itself which has
been helpful but now I'm trying to understand how most of what I'm
currently looking at comes together to enable IPX as a routing protocol.

What I'm trying to understand is in creating static SAP entries the
command is

ipx sap

Now in looking at Caslow's book pg. 499 he lists the IPX Socket Numbers
that direct data encapsulation to the appropriate upper layer protocols
as follows;

0x451 -   NCP
0x452 -   SAP
0x453 -   RIP
0x455 -   NETBIOS
0x456 -   Diagnostic
0x457 -   Serialization
0x4001   -
0x7FFF  -   Client Socket Numbers
0x85BE  -   IPX EIGRP
0x9001   -   NLSP
0x9004   -   IPXWAN
0x9086   -   IPX PING


In listing this I'm trying to understand lab examples where the
requirement calls for static SAP entries that make use of various IPX
sockets namely 0x451.  I'm thinking since there's a socket for SAP why
and how come the other IPX sockets are used in SAP entries?

Nigel..





RE: OFF TOPIC - Where is everyone?

2001-01-14 Thread Chuck Church

If there's one thing tougher than the lab exam, it's winning in Oakland.
Here's hoping that the Ravens don't go onto day 2 either.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218



-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 14, 2001 12:03 PM
To: Cisco Mail List; CCIE_Lab Groupstudy List
Subject: OFF TOPIC - Where is everyone?


You bad boys and girls watching football today instead of studying?

GO RAIDERS! :->


Chuck
http://www.1112.net/lastpage.html







RE: Cool DDoS (Distributed Denial of Service) link

2001-01-02 Thread Chuck Church

It sounds like an anti-spoofing mechanism, much like not allowing packets
from the internet into your network with a source address of your network.
This goes a little beyond that by verifying that the source is reachable
from the interface it was received on.  I've always done this with an access
list, which is easy with only 1 connection to the 'Net.  Doing it with CEF
rather than process switching has got to offer some big performance
benefits.  Now, if I could only remember which platforms support CEF... 

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218



-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 02, 2001 3:58 PM
To: Chuck Church; '[EMAIL PROTECTED]'
Subject: Re: Cool DDoS (Distributed Denial of Service) link


At 08:49 AM 1/2/01, Chuck Church wrote:
> From Network Computing:
>
>http://www.nwc.com/1201/1201f1c1.html

Indeed, very nicely-written article. The best thing in it was the link to 
the Cisco site on Unicast Reverse Path Forwarding, which I'd never heard 
of. (I'd heard of Multicast RPF, but not unicast.)

I'm curious, is anyone using Unicast RPF? Does it work well? Any 
performance problems with it?

Here's what it does:

"When Unicast RPF is enabled on an interface, the router examines all 
packets received as input on that interface to make sure that the source 
address and source interface appear in the routing table and match the 
interface on which the packet was received. This 'look backwards' ability 
is available only when Cisco express forwarding (CEF) is enabled on the 
router, because the lookup relies on the presence of the Forwarding 
Information Base (FIB). CEF generates the FIB as part of its operation."

For  more info see:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdrpf.htm

Priscilla


>Chuck Church
>CCNP, CCDP, MCNE, MCSE
>Sr. Network Engineer
>Magnacom Technologies
>140 N. Rt. 303
>Valley Cottage, NY 10989
>845-267-4000 x218
>
>




Priscilla Oppenheimer
http://www.priscilla.com
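The reverse-path check quoted above, next to the access-list approach from the reply, as an added example that is not part of either message. It is a model in Python, not router code: the toy FIB, the interface names, the routes and the packets are all constructed, and it assumes a default route counts as a valid reverse path.

```python
import ipaddress


class Fib:
    """Toy forwarding table: (prefix, interface) entries, longest match wins."""

    def __init__(self, routes):
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes),
            key=lambda entry: entry[0].prefixlen,
            reverse=True,
        )

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        for net, ifname in self.routes:
            if addr in net:
                return net, ifname
        return None


def urpf_strict(fib, src, in_if):
    """Accept a packet only if the best route back to src leaves via in_if."""
    hit = fib.lookup(src)
    if hit is None:
        return False, "no route back to source"
    net, best_if = hit
    if best_if != in_if:
        return False, f"best path to {net} is {best_if}, not {in_if}"
    return True, f"reverse path via {net} matches {in_if}"


# Constructed topology: one inside LAN, two Internet uplinks.
INSIDE = ipaddress.ip_network("10.1.0.0/16")
ROUTES = [
    ("10.1.0.0/16", "Ethernet0"),    # inside LAN
    ("0.0.0.0/0", "Serial0"),        # default route via uplink A
    ("203.0.113.0/24", "Serial1"),   # more specific route via uplink B
]


def acl_antispoof(src, in_if):
    """Access-list approach: on the Internet-facing interfaces, drop packets
    whose source address claims to be in the inside network."""
    if in_if.startswith("Serial") and ipaddress.ip_address(src) in INSIDE:
        return False
    return True


# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("10.1.5.9", "Ethernet0"),      # normal inside host
    ("10.1.5.9", "Serial0"),        # inside source arriving from outside
    ("198.51.100.7", "Serial0"),    # normal Internet host via uplink A
    ("203.0.113.10", "Serial0"),    # real host, but return path is uplink B
    ("198.51.100.7", "Ethernet0"),  # inside machine forging an outside source
]


def compare(routes=ROUTES, packets=PACKETS):
    """Return (src, in_if, acl_permits, urpf_permits) for each packet."""
    fib = Fib(routes)
    return [
        (src, in_if, acl_antispoof(src, in_if), urpf_strict(fib, src, in_if)[0])
        for src, in_if in packets
    ]


if __name__ == "__main__":
    fib = Fib(ROUTES)
    for src, in_if, acl_ok, urpf_ok in compare():
        reason = urpf_strict(fib, src, in_if)[1]
        print(f"{src:>14} on {in_if:<9} acl={acl_ok!s:<5} urpf={urpf_ok!s:<5} {reason}")
```

The fourth packet is the asymmetric-routing case: with more than one connection to the Internet, the strict check drops traffic that arrives on a different uplink than the one the route back uses.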




Cool DDoS (Distributed Denial of Service) link

2001-01-02 Thread Chuck Church

From Network Computing:

http://www.nwc.com/1201/1201f1c1.html

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218





Re: CCIE LAB Groupstudy list

2000-12-04 Thread Chuck Church

Sam,

This URL should cover both.

http://www.cisco.com/warp/public/625/ccie/exam_preparation/preparation.html

Chuck

- Original Message -
From: "SAM Meng Wai" <[EMAIL PROTECTED]>
To: "'ElephantChild'" <[EMAIL PROTECTED]>; "Brian" <[EMAIL PROTECTED]>
Cc: "Paul Borghese" <[EMAIL PROTECTED]>; "Nigel Taylor"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, December 04, 2000 1:08 AM
Subject: RE: CCIE LAB Groupstudy list


> Does anybody have any information of taking CCIE Lab Test. How can
> i prepare for this exam ?
>
> Rgds,
> Sam
>
> > -Original Message-
> > From: ElephantChild [SMTP:[EMAIL PROTECTED]]
> > Sent: Monday, December 04, 2000 11:45 AM
> > To: Brian
> > Cc: Paul Borghese; Nigel Taylor; [EMAIL PROTECTED];
> > [EMAIL PROTECTED]
> > Subject: Re: CCIE LAB Groupstudy list
> >
> > On Sun, 3 Dec 2000, Brian wrote:
> >
> > > On Sun, 3 Dec 2000, Paul Borghese wrote:
> > >
> > > > For the last two weeks I have been fighting them to get
> > > > more bandwidth.  The end result is going to be we need to move the
> > server to
> > > > a new location.  Any ideas?
> > >
> > > You could put it at ShreveNet :)  We have transit to Sprint, Qwest,
> > Global
> > > Crossing, UUNet and Cable and Wireless.
> > >
> > > I would offer you free colo at shreve.net, we have plenty of
> > > bandwidth.
> >
> > Or you could ask cdrom.com (aka Walnut Creek). IIRC their own traffic, I
> > doubt that they would notice a 5GB/day increase. :-) (Sorry, I don't
> > have any contact there.)
> >
> > --
> > "Airplane travel is nature's way of making you look like your passport
> > photo." --- Al Gore
> >



CCIE LAB Groupstudy list

2000-12-02 Thread Chuck Church

Does anyone know how to get in touch with the admin for the CCIE Lab list?
I've sent a couple requests and never got a response.

Thanks,
Chuck Church




Cisco CD used in CCIE LAB

2000-12-01 Thread Chuck Church

Recent lab takers,

  Is the Cisco CD that they provide for the lab exam always the most
current?  If not, how old is it?

TIA,

Chuck Church




RE: 4 NET WORK CARDS IN ONE SERVER

2000-11-20 Thread Chuck Church

>I have done some extensive
>performance tests of aggregating 100Mbs cards using FEC (Fast Ether
>ChannelThis was the Intel Server Card) and the increased CPU load
>managing the FEC negated the minimal increase in throughput...not to mention
>the major Disk Array bottleneck.

I've got to agree here.  NT has never been known as a "bandwidth-taxing" OS,
unlike NetWare.  Remember that 100 mbps equates to about 9 megabytes per
second, in each direction if full duplex.  Not much reason to go beyond 2
NICs, in my opinion.  FEC with 2 cards is a good idea for redundancy, but
the last time I checked, the channel ports needed to be on the same line
card of the switch.  If you've got redundant switches, FEC won't help with 2
NICs.  If you're doing redundant switches, the 3Com and Intel "virtual
address" teaming methods seem to work good.  They give immediate fail over
if a NIC fails, and they do load balancing in transmitting.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218





IS-IS use??

2000-11-16 Thread Chuck Church

All,

 I'm just curious as to when and why you'd use IS-IS rather than OSPF or
EIGRP?  I've never seen IS-IS in any business I've worked with or for in the
6 years I've been doing this.  Do any other router manufacturers support it?
Is it eventually going to go away?

Thanks,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




CCIE R&S lab prep

2000-11-16 Thread Chuck Church

All,

I was talking to a Cisco SE Tuesday and he mentioned that the All-In-One
Cisco CCIE Lab Study Guide by Stephen Hutnik and Michael Satterlee was the
book to use.  Apparently many internal Cisco people in RTP use this book for
preparation.  I've ordered it, and am currently using the Doyle and Halabi
books as well.  Has anyone used this all in one guide to prepare?  Was it
useful?  Also, I found out for sure there will be a small amount of voice on
the test - FXS/FXO on a couple of routers.  Any idea on where to start or
what to read?  Maybe some CCO URLs?

TIA,

Chuck Church
R&S Lab - Jan 12/13 RTP (AKA D-Day)
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re:enabling WCCP

2000-11-01 Thread Chuck Church

Ref,

I think for most platforms, WCCP requires the IP Plus feature set.
Straight IP doesn't have it.

Chuck

> Dear All,
>
> I'm trying to issue the command " IP WCCP ENABLE" but not accepted by router.
> It keeps on saying "Invalid   "
>
> The router IOS ver is 12.0(7)t and should support WCCP
>
> Any help please
>
> Ref





Re: Ping HSRP 224.0.0.2 Strange reply ?

2000-11-01 Thread Chuck Church

I thought SLP used something in the 10 or 20s range for the last octet.
HSRP uses 0100 5E00 0002 for the destination MAC address.  Is this what ARP
is resolving?

Chuck

>Jeff,
>   It is a Novell  5 Server. Think it may have
>something to do with SLP protocol on this box using
>the same multicast address 224.0.0.2

>Regards,

>Phil.





Re: NAT timeout

2000-10-31 Thread Chuck Church

Have you done a 'sh ip nat tra' on the router?  What does the output look
like?  Can you ping either DNS names or addresses from the workstations?


Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




R&S lab - ATM gone?

2000-10-31 Thread Chuck Church

All,

I'm a little curious about them taking ATM LANE off the lab.  Why didn't
they just say ATM?  Is ATM without the LAN emulation supported on any Cisco
devices that are part of the lab?  I know they don't require you to set up
ATM switching, but is it used in native mode on any of the AVVID products?

Thanks,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




RE: Check what's new on CCIE R/S Webpage, right now!

2000-10-31 Thread Chuck Church

Based on the amount of voice/multiservice on the written, it looks like
AVVID will be plentiful on the lab.  That, and the fact that Cisco wants us,
as a reseller, to really push IP telephony.  I just hope this doesn't make
the CCIE "easier" to obtain.  I'd rather have to take it twice than having
it become easy enough so that most people pass it the first time.  My MCSE
(which I got in '96 when it was harder) is so easy to get these days, it's
ridiculous.  (Please no flames from those who just got their MCSEs)  I'd
just rather see it remain the high-paying, hard to obtain cert that it is.

Just my .02,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

>Hello,

>That is pretty nice for the new folks to Internetworking like myself.  I
>just passed the CCIE written a few days ago and am about to schedule my lab
>date.  I wonder what kind of configs we will see on the lab to replace the
>waning technologies.  

>I guess in retrospect this is both good and bad.  Good in the fact that
>Cisco is keeping up with all the new technologies but bad because the study
>materials and equipment to setup and practice for things like VOIP and AVVID
>are not easily accessible.

>I guess we cannot have our cake and eat it too :(

>Hunter Dorroh
>MCSE, CCNP, CCDP




Re: Yet another "CCIE R/S Written Passed" message...

2000-10-31 Thread Chuck Church

Wow, Nice score for not studying in a month.  I assume you cleaned house in
the BGP section, working for an ISP.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




CCIE written passed - Must be a Chuck thing!

2000-10-30 Thread Chuck Church

All,

 I guess it was a good weekend to be taking the CCIE Written if your
name was Chuck!  This morning I passed with a 75%.  Had but 5 minutes to
spare, but never really felt rushed.  It was a fair but mentally draining
test.  None of the questions were ambiguous.  I could have spent more time
studying BGP, IS-IS, and DECnet, but everything else was fairly familiar.
My score sheet doesn't list the number of questions in each section, but
I'll list my percentages for the possible benefit of the group.  Things that
I used to prepare were:

1.  On the job experience - I worked with Cat 5000 and 72xx extensively at
my last job which was a bank.  Currently working for a reseller where I'm
doing everything from PIX to Aironet wireless.  I can't imagine passing the
test without lots of hands-on experience.

2.  Cisco Press books - Used the Halabi BGP book, and most of the actual
courseware from the CCNP track.  Also used some of the titles from the CCIE
development series.

3.  Giles CCIE prep book.  Has some amazing (and amazingly boring) details
on token ring and FDDI.  I think the Cisco Press books are much better,
though.

4.  Certification Zone - Practice written tests and the white papers are
great.  Well worth the money.  The practice written tests are tougher than
the real one.  I had scores of 600, 750, 700, and 710 these last 4 months.
Great preparation.


Now I just got that little lab thingy to pass :)  What's the lead time for
scheduling?  I'm thinking I might be ready by January?  If there's anyone in
the NYC area looking for a CCIE lab study partner, let me know.

SCORES:

Cisco device operation      - 71%
Networking Theory           - 83%
Bridging and LAN switching  - 70%   Ughh, token ring
TCP/IP                      - 75%
IP Routing Protocols        - 80%
Desktop Protocols           - 87%   Knowledge of NetWare helped here
Performance Management      - 33%   I have no idea what happened here
WAN                         - 83%
LAN                         - 60%   I always thought I was better with LAN than WAN...
Security                    - 100%  This is more of a mystery than the 33% above
Multiservice                - 0%    I assume there was only a couple questions here.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




RE: Sniffer Pro 3.5

2000-10-26 Thread Chuck Church

Surprise.  This has nothing to do with this highly annoying flame-fest.  My
question is about Sniffer Pro 3.5.  Is this a typo, or is 3.5 out now?  I've
been waiting for the new version that runs on W2K, but I was told late
November.  Their web site says nothing about 3.5 yet.

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: Lost config on 5505

2000-10-26 Thread Chuck Church

Rick,

Are you running VTP?  If all your switches are VTP servers, meaning
they mutually agree on the set of VLANs, it's important that all switches
are reachable while making changes.  If a switch was added to your network
and had a higher database version of VTP, it will overwrite the VLAN
configuration of the other switches, even if it's an empty configuration.
You're better off having 1 or 2 servers, and the rest clients.  Then only
make changes to the servers.  Hope this helps.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

>What would cause the configuration to be "wiped out" from a 5505, besides
>the obvious "clear config all"...?
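The overwrite described in the reply above, as an added example that is not part of the original post and is not Cisco code. It is a simplified model of VTP v1/v2 (passwords, pruning and VTP v3 are ignored); `Switch`, `preflight`, `join` and the sample VLANs are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    revision: int = 0              # VTP configuration revision number
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def advertise(self):
        """Return this switch's database summary, or None if it originates none."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def receive(self, advert):
        """Apply an advertisement; return True if the local VLAN database was replaced."""
        if advert is None or self.mode == "transparent":
            return False
        if advert["domain"] != self.domain or advert["revision"] <= self.revision:
            return False
        # A higher revision wins outright, even when its VLAN list is nearly empty.
        # In VTP v1/v2 this applies whether the sender is a server or a client.
        self.vlans = dict(advert["vlans"])
        self.revision = advert["revision"]
        return True


def preflight(newcomer, domain, domain_revision):
    """Return a list of reasons not to connect `newcomer` yet (empty list = safe)."""
    if newcomer.mode == "transparent" or newcomer.domain != domain:
        return []
    if newcomer.revision > domain_revision:
        return [f"{newcomer.name}: revision {newcomer.revision} > domain revision "
                f"{domain_revision}; its {len(newcomer.vlans)} VLAN(s) would replace "
                f"the domain's"]
    return []


def join(network, newcomer):
    """Trunk `newcomer` into `network`; return names of switches whose VLANs were replaced."""
    for sw in network:
        newcomer.receive(sw.advertise())          # newcomer learns if it is behind
    replaced = [sw.name for sw in network if sw.receive(newcomer.advertise())]
    network.append(newcomer)
    return replaced


def demo():
    """Constructed scenario: a spare switch with a stale, higher revision joins the domain."""
    prod = {1: "default", 10: "users", 20: "voice"}
    core = Switch("core", "server", "LAB", 12, dict(prod))
    access = Switch("access", "client", "LAB", 12, dict(prod))
    spare = Switch("spare", "server", "LAB", 40)   # only VLAN 1, but revision 40
    warnings = preflight(spare, "LAB", core.revision)
    replaced = join([core, access], spare)
    return warnings, replaced, core.vlans, access.vlans


if __name__ == "__main__":
    warnings, replaced, core_vlans, access_vlans = demo()
    print(warnings)
    print("replaced:", replaced, "core now has:", core_vlans)
```

Running `preflight` against the domain's current revision before cabling a switch in is the check that prevents the wipe; a newcomer at revision 0 simply learns the existing VLANs.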






Certification Zone CCIE written results

2000-10-24 Thread Chuck Church

All,

 Did anyone who took the Certification Zone CCIE written this month find
your scores really low?  I'm taking the real exam in a couple weeks, but was
real disappointed to get a much lower (100 points less than my previous
worst) score this month.  I'm hoping it was just the test.

Slightly worried,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: Phony CCIE

2000-10-23 Thread Chuck Church

Doesn't the 'E' in CCIE actually stand for Expert?  Not only is this guy a
phony, but kind of a bonehead as well.  Definitely let Cisco (mail address
is [EMAIL PROTECTED]) know.
See http://www.cisco.com/warp/public/625/ccie/ for the logo.


Good luck,
Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

>I recently worked on a project with a fellow who claimed to be a CCIE. He
>even gave me his card with the CCIE logo on it. At least I think it is the
>CCIE logo. It is a router symbol surrounded with laurels and has the words
>Cisco Certified Internetwork Engineer circling it as well.




Linux, terminal emulation for console port

2000-10-20 Thread Chuck Church

All,

 My coworker is playing with Red Hat Linux, but he can't find the Linux
command or application for terminal emulation through the serial port, much
like HyperTerminal.  Does such a thing exist, or can anyone recommend an
equivalent?

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: CCIE question about buffers being used up on router

2000-10-11 Thread Chuck Church

Wouldn't the answer to this depend on the speed of the router, and which
switching method is used?  A 16xx or 25xx using access lists might not be
able to handle 5000 pps.  I thought a process switched 2500 was actually in
the sub-1000 range for pps.  What's the actual answer?

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218





NTP support

2000-10-11 Thread Chuck Church

Hey,

 Is there any easy way to know which IOS feature sets support NTP
(network time protocol)?  I need correct time on our customer's routers for
logging (datetime) purposes.

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




IP protocol numbers - found them

2000-10-06 Thread Chuck Church

All,

 I found a link to my question about IP protocol numbers - 

http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

It's pretty interesting.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
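Where the protocol number discussed in this thread sits in a packet, as an added example that is not part of the original posts: a small IPv4 header parser that reads the Protocol field (byte 9) and only looks for ports when the protocol is TCP or UDP. The lookup table is a hand-copied subset of the IANA registry, and the packets and addresses are constructed samples.

```python
import socket
import struct

# Subset of the IANA "Assigned Internet Protocol Numbers" registry.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
                50: "ESP", 51: "AH", 88: "EIGRP", 89: "OSPFIGP"}


def checksum(header: bytes) -> int:
    """Internet checksum (one's complement sum of 16-bit words) over an IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a constructed 20-byte IPv4 header (no options) followed by `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def describe(packet: bytes) -> dict:
    """Decode the IPv4 header; ports are reported only for protocols that have them."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    proto = packet[9]                       # the IP protocol number
    info = {"protocol": proto,
            "name": IP_PROTOCOLS.get(proto, "not in this table"),
            "src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "checksum_ok": checksum(packet[:ihl]) == 0,
            "ports": None}
    l4 = packet[ihl:]
    if proto in (6, 17) and len(l4) >= 4:   # only TCP and UDP carry port numbers
        info["ports"] = struct.unpack("!HH", l4[:4])
    return info


def samples():
    """Constructed packets: one ESP, one UDP (RIP port 520), one unlisted protocol."""
    udp = struct.pack("!HHHH", 520, 520, 8, 0)
    return [describe(build_ipv4(50, "192.0.2.10", "198.51.100.20", b"\x00" * 16)),
            describe(build_ipv4(17, "192.0.2.10", "224.0.0.9", udp)),
            describe(build_ipv4(253, "192.0.2.10", "198.51.100.20"))]


if __name__ == "__main__":
    for row in samples():
        print(row)
```

ESP comes back with a protocol number and no ports, which is why a filter for it has to match on protocol 50 rather than on a TCP or UDP port.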



IP protocol numbers

2000-10-06 Thread Chuck Church

All,

Does anyone have a link to or list of IP protocol numbers?  I'm not
looking for TCP or UDP port numbers, but actually what protocol numbers that
TCP, UDP, ESP, etc use.  I've looked through all my Cisco books and can't
find a definitive list.  The IETF.org site doesn't have much as far as
search capabilities either.

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




RE: Napster Question

2000-10-03 Thread Chuck Church

I think the key is to allow outbound packets to the Napster servers and
other PCs on the Internet, but not allowing external PCs to establish a
connection to your users' PCs.  Find out the ports that a PC running Napster
is listening on, and then block those at the FW.  A PIX should do this by
default, unless you specifically added a conduit statement to allow Napster.
The access list on the outside interface of a router with FW FS should not
allow inbound Napster connections.  On the Napster client, you'll need to
pick the 'I'm behind a firewall, and can't do anything about it' (or
something like that) option.  I'm blocking Napster both ways at work, so I
can't test it for you.

HTH
Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218



>Hello everyone,
>
>I searched through the archives and found lots of good information on
>blocking but I did not see anything on the possibility of allowing users to
>connect to Napster and download music but NOT be permitted to upload.





Re: Cisco Secure VPN client

2000-09-28 Thread Chuck Church

Ken,

I'm not sure about a part number, but it is downloadable from CCO - 

http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-crypto

watch the wrap.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

>Anyone knows the product number for the software?

>I have VPN-SW-DES-100=  but it is just the license.

>TIA.
>Ken






Re: personal firewall

2000-09-28 Thread Chuck Church

In picking out a hardware firewall, make sure it supports DHCP on the
external side.  Most cable and DSL providers use DHCP.  You could hardcode
the DHCP-given address on a firewall, but when the lease is up, your
firewall won't respond to the re-lease requests.  Your current address will
be given out to someone else, causing a conflict and really annoying your
ISP.  Best bet is to get a static address from the ISP.  Also, Cisco has a
new PIX - the 506 which is targeted for SOHO.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

> >Any recommendation on a good hardware personal
> >firewall? I'm looking for a not too expensive, easy to
> >configure, can support NAT one.
> >




Network Analyzer - Slightly OT

2000-09-25 Thread Chuck Church

All,

I'm in the process of specing a new laptop for our company to use for
protocol analysis.  I plan on running NT or 2000.  Sniffer will have a
version for 2000 in November, a NAI rep told me.  Has anyone used Etherpeek,
and its upper-layer portion - Netsense?  How does it compare to Sniffer
Pro, which I've used quite a bit?  Also, I'm looking for a Cardbus PCCard to
use with it.  I've heard rumors that 3Com cards perform hardware layer error
filtering, so that errors aren't passed up the stack, hence the analyzer
won't see any runts, collisions, etc.  Using Sniffer Pro with a 3Com
card seems to verify this.  Does anyone have any recommendations on a
Cardbus 10/100 card that doesn't filter errors?  NAI told me they sell their
own "version" of a Xircom card, but they want $500 for it.  Any idea if it's
different from a retail version?

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: BYE

2000-09-21 Thread Chuck Church

Dude,

 You are way too good for us.  You should just schedule your CCIE
written for Monday.  I'm sure you'll do great.  Just read the book.  While
you've got them on the phone, might as well schedule the CCIE lab.  Let us
know how you do.

Chuck
CCNP, CCDP, MCNE, MCSE


>Well the past couple weeks have been fun but reading through over 100 emails
>a day is too much.  I thought this list might have helped me along but
>mostly it just wasted valuable time.




Re: Problem in 2948g switch

2000-09-21 Thread Chuck Church

Whoa!  Doesn't bridging defeat the purpose of buying a layer 3 switch?  I'd
only recommend that as a last resort.  Get off of Netbeui if you're using
it, and go with IP and WINS.  I think this should fix your problem.  This
might not fix the problem with MS's crappy Master browser process, but some
creative IP helper statements should help there.

Good luck;
Chuck Church
CCNP, CCDP, MCNE, MCSE




Re: ccie r/s practice tests>?

2000-09-21 Thread Chuck Church

Lauren,

 How did you find the CertificationZone tests different?  I'm shooting
to take the written (first attempt) in last October/early November
timeframe.  I've been using those tests to gauge my understanding of the
material.  Would I be better off with something else?  What did other
"Written-Passers" use to study or test themselves with?

Thanks,
Chuck Church
CCNP, CCDP, MCNE, MCSE

jason wrote:
>
> anyone on the list seen some new practice tests for the written recently.?
> I have been seeing a bunch of the same test questions floating around. some
> stuff on atm, voip, etc, would be nice.
>

www.certificationzone.com has CCIE written practice tests, but
personally I didn't find them that close to the real thing.

TTFN
Lauren




CCDA passed

2000-09-11 Thread Chuck Church

All,

  Decided to take a break from preparing for CCIE written and took the
CCDA test Friday.  Just used the Cisco Press CCDA  book.  Passed with a 931,
but I honestly thought I was going to fail about half way through.  There
were many questions where they showed you an exhibit consisting of 4 - 5
paragraphs about a company's existing network.  Then you had to parse
through it and find what they were looking for.  They were quite time
consuming and annoying.  They didn't really seem to test you on actually
designing networks.  Perhaps having finished the CCNP track, I was reading
too much into each question.  Finished in about an hour.  If you've recently
passed the ACRC (or its newer equivalent, which I can't remember the name
of), I'd recommend taking this and getting it out of the way.  The questions
other than those mentioned above closely match ACRC questions, such as which
protocols are Distance Vector vs. Link State, and what is better to use
when.  Thinking about taking the CID this Friday, and getting CCDP out of
the way.  Does anyone have any suggestions or pointers on this test?

Thanks,
Chuck Church
CCNP, MCNE, MCSE, (CCDA)





Re: Printer

2000-09-04 Thread Chuck Church

Amjad,

MS's IP printing relies on LPR on the workstation/server and LPD on the
print server itself.  When you install the printer, Windows will check for a
response from the printer on the LPD port - TCP 515.  Make sure you're using
a valid queue name - usually 'raw' or 'auto' works, but check with the Print
server docs.  Check your NT/2000 event viewer - Application for errors.
Make sure your server does not have a space in the name.  This seems to make
LPR fail, from a WS I worked on last week.  Neither MS nor Xerox had an
explanation.  Typical MS problem...

Chuck Church
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies
140 Route 303
Valley Cottage, NY 10989
Email:[EMAIL PROTECTED]
Voice: 914 267-4000 ext 218
Fax:   914 267-1034

>I have network printer in one segment and wanted to print to it from remote
>computers across a router (2 hops away). The printer is attached to an Intel
>EtherExpress Pro 100 box and is configured to use TCP/IP printing.




Re: PIX Upgrade from 4.4(1) to 5.1(2)

2000-09-03 Thread Chuck Church

I finally did the upgrade on our 515R.  No problems at all.   Just a few new
defaults.  I know this is a dumb question, but did you save the current
configuration before reloading it for the upgrade?

Chuck Church
CCNP, MCNE, MCSE




RE: PIX Upgrade from 4.4(1) to 5.1(2)

2000-08-31 Thread Chuck Church

I'd compare the old 4.4.1 configuration (which you hopefully still have) to
current one.  I'm planning the same upgrade on ours to get VPN capability,
so I'm kind of interested in the problem.

Chuck Church
CCNP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

>Hello,
>I was just curious if any body have any problems when upgrading the pix
>software from Ver. 4.4(1) to 5.1(2). When I performed the above upgrade
>traffic would no longer flow through the pix. I could ping it from inside
>but I could not surf out. Also from outside I could not surf into my
>website.
>Any suggestions, thoughts, comments would be appreciated.

>Thanks
>Ronnie John




RE: collision - Load counters

2000-08-06 Thread Chuck Church

Keep in mind that when Cisco puts 'load' on an interface, it's only referring
to transmit, not total.  It seems like the versions of IOS ending in 'T'
list both 'tx load' and 'rx load' for convenience.  Also, since this is
ethernet, does packets and bytes received on the interface refer to all
traffic on the wire, or just that destined to this router?  I'm thinking
that it's only traffic destined to the router, so there might be much more
traffic on the wire than the rx counters are telling you.  Get a sniffer and
look at utilization with that.  Or if your hubs have a little utilization
meter (most 3Com's do), what does it show?  If you're hitting 50%
frequently, it's time for a switch or 100 mb.

Chuck Church
CCNP, MCNE, MCSE

>Ok, not sure what everyone has recommended here, but the load you have on
>the interface is 4/255 which I believe is a running 5 minute average so
>taking workstations off the segment is not correct IMHO.  Also where you are
>right now is .03% which is below the .1% tolerance acceptable.  So...
>reset the counters, and see over the next 10 to 30 minutes what happens,
>(resend the show int to us).





RE: Sysco cert question

2000-08-01 Thread Chuck Church

Hopefully something.  My little sister poured my lab equipment on a
hamburger, and to my utter disbelief, ate it.  But it was probably a good
thing.  Without a serious hardware upgrade, I was only capable of running
COS (condiment operating system) version 11.3.8, which lacks support for
salsa, and some varieties of squash.  I was on site at a family picnic for
hours trying to figure out that one.  Luckily my CAC case is a level one
priority, so I'm updated daily.  Gotta go study (have the munchies!)

Chuck

P.S.  I heard that the SCCE lab is a 2 day buffet.  M

>
> Date: Tue, 01 Aug 2000 16:57:35 -0400
> From: Rodney <[EMAIL PROTECTED]>
> Subject: RE: Sysco cert question
>
> Hey Brad, I know you're the one to come to about equipment, what do you have
> available for this lab?
>
> Rodney
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ryan
> Ward
> Sent: Tuesday, August 01, 2000 1:41 PM
> To: Stephen Skinner; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Sysco cert question
>
> ok I was thinking of doing the exam but can anyone recommend the best books
> or willing to give up the course material in exchange for a no name brand
> ketchup bottle? Has anyone used the Boson practice tests?
>
> also my boss pays me squat and need to know how much you condiment engineers
> make blah blah blah ;)





Cisco specializations - Which?

2000-07-31 Thread Chuck Church

Hopefully this won't cause a huge thread, but my company (a reseller)
naturally wants to sell everything Cisco makes, so I'm being asked to learn
the Aironet wireless, VPNs and firewall, and IP telephony.  This is all in
addition to my current pursuit of the R&S CCIE.  Since it's pretty hard to
be an expert in everything, what's the consensus on these three product
categories?  I've done some VPN and Firewall with PIX, but haven't really
touched wireless or VoIP.

Thanks,
Chuck Church
CCNP, MCNE, MCSE

P.S.  Today diagnosing a frame internet connection, I saw packets with an IP
protocol number 89 and multicast destination 224.0.0.9.  Any idea what these
were?  I didn't get a capture, saw them in a 'deb ip pack det'.




Re: no access to router

2000-07-30 Thread Chuck Church

I had the same problem with a 2501.  Must have something to do with the
console port chips that Cisco uses.  Certain versions don't like Win 98
Hyperterm.  If you're using Win98, go to the advanced settings, and tell it
not to use FIFO buffers.

Chuck Church
CCNP, MCNE, MCSE

groupstudy wrote:

> too bad , i will throw my 2503 out of window ,kidding..,thanks anyway
> ElephantChild wrote in message ...
> >On Sat, 29 Jul 2000, groupstudy wrote:
> >
> >>I got a cisco 2503 . I can't get access to the console except that i can
> >> see the information in the terminal window but can't not type .and
> >> unfortunately I lost the telnet password and enable password.





2500 flash and RAM

2000-07-29 Thread Chuck Church

Does anyone know of a good source for 2500 flash and RAM?  I'm looking for
something cheap for a home lab, so I don't really care if it voids the Cisco
warranty.

Thanks,
Chuck Church
CCNP, MCNE, MCSE




RE: Cisco CCIE All-in-one Lab Study Guide

2000-07-29 Thread Chuck Church

In Brad's defense, he's helped me with a couple problems.  A lot of CCIE's
don't bother helping other people after they cross over to CCIE land.  He's
still on the list helping others, in addition to selling stuff.  If I had a
way to help other people learn Cisco and also make money, I'd do it.

Chuck Church
CCNP, MCNE, MCSE



>Date: Fri, 28 Jul 2000 21:16:20 -0400
>From: "RingLord" <[EMAIL PROTECTED]>
>Subject: RE: Cisco CCIE All-in-one Lab Study Guide

>Tell me Brad do you ever post anything useful to the group or are you just
>into advertising your company? Are you affiliated with CCIE BootCamp? I
>thought this list was about certification and studying. You working towards
>a meaningful goal in life.




Reverse telneting to a console port

2000-07-24 Thread Chuck Church

All,

Can anyone tell me how to setup reverse telnet on a 2511 to connect to
the console port of another router?  I have the octal cable with RJ45
directly plugged into the console port of another.  Is a x-over needed on
this cable?  I can't seem to find how to do it on CCO.  I did notice that if
I have the first 3 lines connected to routers, and do a port scan on the
2511, I don't see it listening on ports 2001-2003.  If I unplug the RJ45s
from the other routers, the port is listening.  Here's my partial 2511
config:

interface Loopback0
 ip address 172.16.1.1 255.255.255.0
 no ip directed-broadcast
!
.
!
line con 0
 password cisco
 login
 transport input none
line 1
 modem InOut
 transport input telnet
 stopbits 1
 speed 38400
 flowcontrol hardware
line 2 16
 modem InOut
 transport input all
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 password cisco
 login
!

SH LINE 1 looks like this:

2511# sh line 1
 Tty Typ Tx/RxA Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*  1 TTY  38400/38400 - inout ---  0   0 0/0   -

Line 1, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 38400/38400, no parity, 1 stopbits, 8 databits
Status: Ready, Active, No Exit Banner
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
  Modem Callout, Modem RI is CD
Modem state: Ready
Group codes:0
Modem hardware state: CTS DSR  DTR RTS
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
^^xnone   - -   none
Timeouts:  Idle EXECIdle Session   Modem Answer  Session   Dispatch
   00:10:00nevernone not set
Idle Session Disconnect Warning
  never
Login-sequence User Response
 00:00:30
Autoselect Initial Wait
  not set
Modem type is unknown.
Session limit is not set.
Time since activation: 00:04:12
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed transports are lat pad v120 mop telnet rlogin nasi.  Preferred is
lat.
No output characters are padded
No special data dispatching characters

Thanks in advance,
Chuck Church
CCNP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Fixed - 2500 - Doesn't accept console input

2000-07-14 Thread Chuck Church

Thanks Brad, Brian, and Darrin.  I tried Hyperterm from NT, and it worked.
I eventually got it to work under 98.  On the port configuration, I went to
advanced, and unchecked the 'Use FIFO buffers'.  This particular 2501 had
a system board dated 1993.  My other ones were '96 and '98.  Must be the
older ones don't like fast bursts of characters.  Thanks again.

Chuck Church
CCNP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




2500 - Doesn't accept console input

2000-07-13 Thread Chuck Church

All,

  I picked up a used 2501, but I'm having some problems.  I can see it
boot up and it looks ok, but it doesn't accept any keystrokes from the
console port.  Hyperterm settings are ok, no problems with same
configuration on other 2500s.  I can break into ROM monitor mode, but then
cannot enter anything again at the prompt.  I tried taking out both the
flash and the ram, relying on the ROM IOS and the 1 Mb of system board RAM,
but it made no difference.  Can anyone think of anything else to try before
I return it?  I'm going to attempt to view its IP address from cdp nei det,
but without a password, I'm probably stuck again.  Any ideas?

Thanks,
Chuck Church
CCNP, MCNE, MCSE




DCE cables

2000-07-11 Thread Chuck Church

All,

  Does anyone know of a good V.35 cable source?  I'm in the process of
building my home lab for CCIE, and all the routers I've got have DTE cables.
I guess I need some DCE cables to go back-to-back, right?  All the routers
are 2500s with 60 pin serial.  I know I should know this, but I've always
dealt with integrated CSU/DSU WICs, so I've never touched a CSU.  I checked
Black Box, but they only had Cisco brand cables, for about $95 each.  I'm
looking for something cheaper.

Thanks,
Chuck Church
CCNP, MCNE, MCSE




Re: MS Exchange and Outlook 97

2000-07-11 Thread Chuck Church

Daryn,

  Are you using 3Com NICs on any devices?  I've noticed that 3Coms DO
NOT autonegotiate correctly with Cisco set-based switches.  One side will
always come up half duplex, the other side full.  Intel and Compaq NICs
don't seem to have this problem.  You're better off hardcoding everything to
100 full, switch ports and NICs, assuming everything is capable of it.  Do a
'sh port count' and 'sh port' on the switches, make sure there's no errors
on any port.  Check the servers first.  Very slow response is a symptom of
mismatched duplexity (is that a word?).

Chuck Church
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies
140 Route 303
Valley Cottage, NY 10989
Voice: 914 267-4000 ext 218
Fax:   914 267-1034
<mailto:[EMAIL PROTECTED]>


----- Original Message -----
From: "Bartlett, DS1" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 09, 2000 6:34 PM
Subject: 

> After our recent upgrade to our backbone (6500's) we are now pushing traffic
> at incredible speeds. Unfortunately my users only notice that it now takes
> forever for their outlook to open up. We use Exchange 5.5 (sp2) and Outlook
> 97. We do not have messenger services loaded. We have Novell servers
> on-line, but the Exchange servers do not have IPX client software loaded.
> Sometimes it takes as much as 2 minutes for mail to come up. I have allowed
> all udp traffic to be forwarded so netbios will work.
>
> Any thoughts would be appreciated to an extremely frustrated administrator
> who is fed up with users.
>
> Daryn
>




!!!!! WHAT IS WITH THIS INDIVIDUAL MESSAGE DISTRIBUTION ?????

2000-06-28 Thread Chuck Church

Is everyone getting each individual message?  I'm getting them faster than I
can delete them.  I know Paul had some sendmail problems.  Is this an
aftereffect?


Chuck Church
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies 
140 Route 303 
Valley Cottage, NY 10989 
Email:[EMAIL PROTECTED] 
Voice: 914 267-4000 ext 218 
Fax:   914 267-1034 




RE: Microsoft 'routers'

2000-06-24 Thread Chuck Church

The routing table is a good question.  There's also all the features that
Cisco supports with IOS.  Can MS do bridging, access-lists, HSRP,
redistribution, and ISL?  Plus if you've got backup hardware and a copy of
your config, a totally dead router can be replaced with another in 5
minutes.  How fast can a server be built?  I'm thinking MS may be useful for
adding a couple segments to an existing net, but basing an enterprise on all
MS routers seems almost comical.  With the cost of layer 3 switching coming
down, and performance going through the roof, it looks like switches are
going to be running the core from here on out.

Chuck Church
CCNP, MCNE, MCSE
Network Engineer
Magnacom Technologies
140 N. Rt 303
Valley Cottage, NY 10989

>I see that Microsoft has provided resources to configure OSPF and RIP in
>Windows 2000 servers
>to provide routing capabilities.

>Has anybody evaluated this? Do you think this could substitute 'real'
>routers ?

>Thanks,




Passed CIT, now a CCNP - Woohoo!

2000-06-16 Thread Chuck Church

All,

Passed CIT 4.0 today with an 861.  Needed 720.  Used just the Cisco Press
CIT 4.0 book, and a lot of work experience with Cat 5000 and 7200 routers
(Routers only routed Ethernet, not WAN).  I scored an incredible 0% on the
AppleTalk section, but made up for it on the Frame, IPX, and switching
sections.  Lots of ISDN questions, including 1 that I didn't know that was
asked 3 times with slightly different wording.  As usual, there were lots of
poorly worded questions.  I'm guessing the test questions are all a couple
years old, based on the amount of AppleTalk questions, and lack of ISL
questions.  Very few questions on routing protocols.  Now on to CCIE -
R&S.

P.S.  Any recommendations on CCIE?  I'm thinking I should start building my
home lab.

Chuck Church 
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies 
140 Route 303 
Valley Cottage, NY 10989 
Email:[EMAIL PROTECTED] 
Voice: 914 267-4000 ext 218 
Fax:   914 267-1034 




passed CMTD today

2000-06-01 Thread Chuck Church

All,

 I passed my CMTD 8.0 test today with a 914 out of 1000.  Took about 35
minutes out of the 90 allowed.  I used the BCRAN book, and the Boson
CMTD/BCRAN test set #1.  A couple questions were kind of ambiguous, but
overall very easy.  All of the 21 topic areas from the Exam Objectives PDF
file are covered.  Some a little, some a lot.  Now on to CIT...

Chuck Church
MCNE, MCSE, CCNA, (CCNP this month, hopefully :)
Network Engineer
Magnacom Technologies
140 Route 303
Valley Cottage, NY 10989

Email:[EMAIL PROTECTED]

Voice: 914 267-4000 ext 218
Fax:   914 267-1034




HTML mail

2000-05-30 Thread Chuck Church

All,

  I try not to complain, but could we get out of the habit of sending
HTML mail to this list?  It seems like lately there's about 10 pages of





I

in every digest.  If you're using Outlook, just go to 'Format', and pick
'Plain Text'.  'Ok' to any warning, and it'll be plain text.  I've already
worn the letters off my 'page down' key, but maybe it's not too late for
others on this list  :)

Thanks,
Chuck Church
MCNE, MCSE, CCNA






CMTD with using BCRAN study material

2000-05-30 Thread Chuck Church

All,

   I'm taking the CMTD 8.0 test on Thursday.  I was unable to find any
original course material or Cisco Press books for CMTD when I finished CLSC
6 weeks ago.  I didn't want to sit idle waiting for the BCRAN test release
so I've gone through the new BCRAN Cisco Press book, but since this isn't
the right book for this test, I'm a little nervous.  I'm getting about 80%
on the Boson tests I purchased the first time I take them, but they seem
geared for BCRAN more than CMTD.  Any last minute pointers?  I think I've
got the CMTD objectives down, but I need a little reassurance.

Thanks,
Chuck Church
MCNE, MCSE, CCNA, CCNP hopefully 1 test away after Thursday ;)
