BGP vs CCNP (For Fred R) [7:75207]
Fred R. You're obviously a pretty smart guy. Your posts here are very well structured and helpful. Don't put so much stock in the CCNP(NA) vs. bgp. I had my ccna only a few short months, when we went to multihoming with BGP. Do you really think that the small enterprise is going to use all the advanced BGP stuff to get it working nicely (route reflectors, confeds, clusters, etc)? That stuff is for REALLY big Enterprises, and Bigger ISPs. I have never had to use more than route-maps, prefix-lists and "next-hop self" to get it working smooth. Also pretty much any ISP that runs BGP itself will allow you to advertise a /24 or greater. The only argument is where the block comes from. MCI (formerly wcom/uunet), Qwest, Sprint, ATT, Winstar (now owned by IDT) all have offered /24 and bgp for T-1 service. Several I use now. BGP for multihoming, load-balancing, and pretty much whatever else at the enterprise level is very basic and easy to design, setup and even troubleshoot. One thing I have always liked a lot are the networkers "troubleshooting BGP and design" powerpoint files they put out every year. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75207&t=75207 -- **Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
RE: VPNs and CEF [7:74429]
VPNs don't like out of order packets. Forget load balancing at layer3. USE MLPPP and do layer 2 load balancing. CEF may or may not be needed. You have to experiment with CPU util. I do the same thing. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74430&t=74429
RE: Port Spanning (Monitoring) [7:73320]
Look into IOS bridging. You would then see layer 2 broadcasts (not unicasts) come through the router. This is true regardless of whether or not the actual switch on port 1 is a span port or not. Even if the first router port (connected to the network) is on a switch's span port, the layer 2 bridge (done in ios by the router) still can't forward all traffic thru (like cat6 rspan). The routers don't have a "span" like way of doing this. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73326&t=73320 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: OT: SSL Remote Access VPNs [7:73253]
I am running compression based ssl vpn for extranet. this allows without a client 8 to 1 or so compression ratio for mostly spreadsheets sent over port 80. also the box is managed by ssh.. what do you mean by telnet ? most protocols such as ldap, exchange, etc, are very well compressed and work over the ssl vpn. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73319&t=73253
RE: OT: SSL Remote Access VPNs [7:73253]
www.netscaler.com their box does compression, and it has so many dos prevention and other killer things it blows away the competition. We went with it based on the performance it had during a syn flood blizzard, and their ssl vpn rocks! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73258&t=73253
RE: what cable do I need [7:72585]
Isn't it really just a crossover rj-45, i mean same cat5 "ends" ? That is what I use with the pinout.

    1 to 4
    2 to 5

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72596&t=72585
RE: Access list or Conduit? [7:72514]
Keith and Mark are correct. One thing to add, don't permit "icmp any any". You definitely don't want to allow echo and other stuff from the internet for security reasons... It will allow script kiddies to "map" your network. A better way is to only allow echo-replies, time-exceeded (trace routes), source-quench (so you can see icmp messages). Also allow icmp echos (type 8) outbound. You will then be able to ping stuff on the net, but they can't ping you. See this sample...

    ! create list
    access-list corp_internet_allowed_in permit icmp any any echo-reply
    access-list corp_internet_allowed_in permit icmp any any source-quench
    access-list corp_internet_allowed_in permit icmp any any unreachable
    access-list corp_internet_allowed_in permit icmp any any time-exceeded
    ! apply list
    access-group corp_internet_allowed_in in interface outside
    ! create list (ICMP from inside hosts to any destination)
    access-list corp_internal_allowed_out permit icmp any any
    ! apply list
    access-group corp_internal_allowed_out in interface inside

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72535&t=72514
RE: CSSP Security Exams [7:72508]
Yes. Just add the "safe" test. CSPFA, VPN3000 are all similar. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72536&t=72508
RE: Sniffer Recommendation [7:72372]
Then you need a network without switches. Without the span port, all unicast frames will only be forwarded to their correct destination ports. Your sniffer will not "see" the traffic. Using RMON/SNMP, it's possible to poll some data directly from the switch, such as statistics, etc. I don't know a way to use snmp to tell the switch to "give me all frames for X flow". A way around this is to put a hub between the switch and the device being monitored (host, fw, router). Then plug your "sniffer" into that hub. The hub is a repeater and will get all frames to the sniffer. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72373&t=72372
RE: Pix Log Analysis [7:72328]
Try Private-I or Sawmill. I prefer Sawmill. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72355&t=72328
RE: vpn ispec error [7:72297]
maybe you're trying to resv nearly a gbps on a 100mbps interface. It's telling your smallest is 8kbps, largest is 100mbps. Looks like nothing to do with MTU, just simple math. How can I RESERVE more than I can possibly transmit at once ? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72354&t=72297
RE: a default route question.. [7:72211]
I think Doyle's VER1 book is too old. See if he mentions this in TCP/IP v2. In my lab (running all 12.2(17) 05/15/03) You must redistribute with "default information" or redis commands. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72240&t=72211
RE: CEF & Per-packet load sharing [7:72232]
in the new codes, if you turn on "ip load-sharing per-packet" cef is automatically enabled globally. CEF as far as performance issues, uses a bit of ram equal to the number of routes in your FIB (routing table). Cef builds its own little adjacency table to do those really fast lookups. For modern routers, with more RAM than my PC this is rarely an issue. Of course if you're running an old MSFC1 or NFFC (cat5k) you may fret. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72239&t=72232
RE: Desperate help with 3030 Concentrators!!!!!!!!!!!! [7:72131]
I made the same mistake.. are you running late model code ? they have option to run 3 kinds of lan2lan tunnels, originate only, answer only, and Bi-directional. Do you have any lan2lan tunnels config'd ? First thing DISABLE vrrp Configuration > System > Ip routing > redundancy on both. If you're just running client connections you don't need vrrp. instead use Configuration | System | Load Balancing this is VCA. to get everything stable again, you may need to totally blow away the config file.. Administration | File Management once all files there are deleted (even .bak ones) just hit the power switch.. reconfigure from scratch (remember you need a straight 1-8, 1-8 db9 female to db9 female cable to console back in). You can also drop in a config from a before this snafu backup. let me know.. I have pretty much fixed a lot of major mishaps with these.. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72137&t=72131
RE: Distributing Cisco VPN Client [7:72061]
You can 'push' the .pcf file profile during the install with a simple batch file, or via the .ini file utility that comes with the client. the best way, is setup a vpn package, with silent install. It will install and reboot the clients. The group user/name is encrypted in the pcf file, so I don't know how far you want to go to secure it... Once that pcf file is out there, that is all someone needs to tunnel in (then a username completes the authentication process). So telling everyone the group password, and pushing the pcf file around for the config settings are both insecure. Pick your Poison. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72063&t=72061
RE: Redistributing default route from BGP into OSPF [7:72058]
This horse has been beat dead far too many times. The default route must come from EBGP so the tag field is populated with meaningful data (last I recall). In my lab I just know it never works from IBGP>REDIS OSPF. Must be EBGP>OSPF> Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72064&t=72058
Re: STP problem [7:70797]
PVST+ Accept no substitute. Hardcode everything. No PAGP, DISL, or VTP EVER AGAIN. Next make sure your root bridge is really what you think it is (knowing what spanning-tree uplink fast does to bridge priority, etc). Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70807&t=70797
RE: UDP Forwarding [7:70606]
I think in global config,

    Router(Config)#ip forward-protocol udp 798
    Router(Config)#ip forward-protocol udp 799

Research the "ip forward-protocol" command on cco. remember the "ip helper-address" is for specific ports/protocols only.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70611&t=70606
RE: Traffic Shaping web traffic will this work? [7:70559]
(this from my usenet post on kazaa) apply source/dest ip when making traffic shaping decisions!) the problem is the response from the user in your org to the internet is not going back over port 1214.. usually it will hit 1214 and go back like 2000 to 4000 tcp (assuming windoze boxes) your best bet is using "ranges" of a subnet or one whole subnet for just users.. then use traffic shaping to slow down bw upload... see (say users are .129 to .254 in 10.0.1.0/24)

    access-list 102 permit ip 10.0.1.128 0.0.0.127 any
    int s0/0
     traffic-shape group 102 64000 8000 8000 1000

Just make sure to remember traffic shaping affects data going OUT of an Interface... also check order of operation, find out if nat comes before or after traffic shaping (i think after) then you would need to match THE IP the users nat to on your OUTSIDE interface..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70588&t=70559
RE: CCIE Qual Exam Question ... [7:70162]
Most of those are not "re-certified". I would like to know of the 11,000+ ccie's how many are still active ? I guess they retire your number even if you become inactive. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70208&t=70162
RHCE Vs. CCIE [7:69801]
Want a laugh.. I was installing Redhat 8 (graphical install) during the install was an "advertisement" for the RHCE. I would like REDHAT to answer this... If your RHCE is so great ("Top Overall IT Certification"), then why is a Cat6k (sup1/2 clearly visible) in the background ? check out these screenshots... http://www.kiatex.com/rhce/ Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69801&t=69801
RE: VPN CONCENTRATOR Parallel FW [7:66819]
No. Read what the tunnel default gateway does... (from the concentrator page where you set it) "Enter the IP address of the default gateway or router for tunnels. Enter 0.0.0.0 for no default router." This is used to have a different gateway for IPSEC tunnels than for ip routing.. What we are discussing is how servers with two possible next hops, a pix and a vpn, will determine which to use for what subnets. The servers (defaulted to the pix) have to bypass it to speak to remote subnet (and use the concentrator instead). A common workaround (one I used to employ) was NT route add statements for each subnet that should "bypass" the pix, their default gateway, and use the Concentrator instead. A better and more scalable solution is to put a router between the concentrator and pix internal segment, and the servers.

INBOUND: For inbound internet and inbound ipsec tunnel traffic back, the pix and the vpn concentrator have a route to the "server's subnet" with the router as the next-hop.

OUTBOUND: Subnets reachable via vpn 3000 are routed to the vpn concentrator's private interface, a default route for Outbound Internet traffic is towards the pix.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66865&t=66819
RE: VPN CONCENTRATOR Parallel FW [7:66819]
You need a router when running them parallel. The router will determine internet traffic goes to the pix, remote vpn lan's etc go to the vpn 3000. Mine is like

    VPN 3000          PIX
    10.0.0.2       10.0.0.10
         10.0.0.0/24
          10.0.0.1
             RTR
         192.168.0.1
           SERVERS
        192.168.0.0/24

This way no servers need "route" commands to know where to route what. And you guessed it, my vpn clients get addresses on the subnet between router and vpn (10.0.0.0/24)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66843&t=66819
RE: Hybrid vs. Native [7:66766]
HYBRID, Especially for someone like you who needs uptime/redundancy. In hybrid, if the MSFC dies, you don't lose the whole switch, just intervlan routing, etc. You can still telnet to the supervisor engine to get in and find out what's up. In native the whole switch dies and you're burned. Cisco's answer- buy two sup2/msfc2/pfc2 boards and run high availability.. No thanks! Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66780&t=66766
RE: IP route to Null0? [7:66755]
What's sloppy about it ? Would you prefer the overhead of an acl ? Please suggest a better way.. But with the AD in there set to 200, it looks like a route in a "holding pattern" for bgp redistribution. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66759&t=66755
RE: VPN question [7:63380]
the office 3000 concentrator will route packets between each spoke client (3002). It's sort of like a hub & spoke frame relay network in a routing sense. For implementation, just make sure the 3002 are passed routes via their split tunneling network list on the 3000 concentrator. Or if you're not using split tunneling, the 3002's should be picking up all routes anyway, as reachable via the 3000 (except their default gateway, of course!) You will run network extension mode on with the 3002's (NOT PAT OVER TUNNEL). The 3002 can't terminate any tunnels, so you can't ipsec connect B & C Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63390&t=63380
RE: Internet Access Through Cisco VPN Concentrator? [7:61999]
Yes. Do it all the time. I also use it as a remote office router for other clients on the lan behind the 3005. It has great built in nat functionality (PAT REALLY !). Along with filter lists for security you're set. But for clients, just enable "split tunneling". Let them get to the internet directly. Saves you bandwidth and overhead. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62001&t=61999
RE: snmp [7:61084]
what you need to do is learn to use the "whodo" utility in mrtg\contrib directory.. Of course you will need to learn ip accounting if you don't already. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61100&t=61084
RE: VPN Concetrator #3030 [7:58982]
Responses in line

1. what do I do for Redundancy, ( VPN Redundant Bundle)

It runs VRRP for concentrator redundancy. For user sessions you make a cluster using VCA under "Configuration | System | Load Balancing". For redundancy on LAN to LAN tunnels it's much harder.. The way the concentrator does lan to lan, you have to configure the lan to lan tunnel with the IP of who the peer is going to be speaking to. Also the VRRP master IP MUST be the main concentrators, ip's. This means you need to take the backup concentrator offline (the vrrp slave), change its ip's to the primaries, and configure the lan to lan rules WHILE it's using the master's IPs. This is so it will have a correct SA database stored in its config. You then change its ip's back to the ones it uses while it's a backup. Put it back online with the different ip's and continue vrrp. Just be careful not to change any lan to lan configs while the slave is using its main ip's. When the primary fails the slave assumes the master's ips for ipsec related protocols. http admin still works using the slave ip's. I wish cisco would come up with a way to replicate the config over the wire ? Any one from cisco care to join in

2. Load balancing

See above.

3. Where to put the Concentrator ( prefer putting the VPN Concetrator behind Firewall). What are issues I will have to consider if I put the concentrator behind Firewall.

You can do either. If it's behind a firewall you need to open IP Protocol 50 (ESP) and UDP port 1 (IPSEC/UDP). This is what the concentrator needs out of the box. You may also need to open TCP ports, if you run IPSEC/TCP for your pat users. I would put the concentrator behind the fw, for protection from dos attacks and similar stuff that is possible. One caveat is to make sure you don't run nat on the VPN concentrator (i.e. use public ip's behind your FW) the concentrator DOES NOT like double nat, even with the new 3.6 Code which supposedly provides "IPSec over NAT-T". Tested it, still works best with public IP's everywhere.. Maybe pat at the remote side.

Thanks,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59006&t=58982
RE: WINS replication problem across PPP network [7:41410]
wins is a directed tcp connection. wins doesn't need ip helper address. most likely his wins is incorrectly configured. he should have a push (and or pull) relation defined in wins manager between the two servers. I didn't get what he said about adding the ports. maybe his access lists are killing wins replication.

Joseph Brunner ASN 21572 MortgageIT MITLending New York, NY 10038 (212) 651 - 7695 Voice

-Original Message-
From: Sean Knox [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 14, 2002 2:13 AM
To: [EMAIL PROTECTED]
Subject: RE: WINS replication problem across PPP network [7:41410]

I'm sure someone can provide a more detailed and accurate answer, but hopefully I can help. WINS is a TCP and UDP protocol. I imagine an IP HELPER-ADDRESS command might be of use here. Try a search for WINS on CCO at www.cisco.com.

hth, Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mayo, Simer
Sent: Saturday, April 13, 2002 10:19 PM
To: [EMAIL PROTECTED]
Subject: WINS replication problem across PPP network [7:41410]

I'm having problem with WINS replication to 2 differ servers

Server 1 in Network 1 in Phx (PDC...WINS Server)
Server 2 in Network 2 in LA (BDC...WINS Server)

server1.cisco2600---PPP---cisco2600.server2

The server2 can browse all machines in network 1 and 2 but server 1 can't see network 2. I have enabled the TCP ports 42 and 135 on both the routers but still no success. The network is NT 4 domain.

Thanks in advance for help
Simer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41416&t=41410
RE: Uptime MIB [7:41046]
system.sysUpTime.0
1.3.6.1.2.1.1.3.0
works all cisco stuff

Joseph Brunner ASN 21572 MortgageIT MITLending New York, NY 10038 (212) 651 - 7695 Voice

-Original Message-
From: John Jackson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 11:18 AM
To: [EMAIL PROTECTED]
Subject: Uptime MIB [7:41046]

We have 40 or so 75xx routers and we are looking for a SNMP MIB that we could use to check the uptime on them. Any ideas? Thanks in advance.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41058&t=41046
RE: ac-path access list [7:40983]
from my experience using such an as-path regex, ^10$ would be ONLY 10 and _10_ would be "containing 10 in the path" therefore denying 4513 10 as well

Joseph Brunner ASN 21572 MortgageIT MITLending New York, NY 10038 (212) 651 - 7695 Voice

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 10:39 PM
To: [EMAIL PROTECTED]
Subject: ac-path access list [7:40983]

Is there any difference in these two commands?

    A. ip as-path access-list deny _10_
    B. ip as-path access-list deny ^10$

If I understand correctly, they both deny AS 10, and only 10.

-- RFC 1149 Compliant. Get in my head: http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41027&t=40983
RE: Network latency [7:40295]
MRTG with PING PROBE SCRIPTS.

Joseph Brunner ASN 21572 MortgageIT MITLending New York, NY 10038 (212) 651 - 7695 Voice

-Original Message-
From: Mike Bernico [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 10:06 AM
To: [EMAIL PROTECTED]
Subject: RE: Network latency [7:40295]

I'd also like to get a program like that. We had to write our own, but I'm sure an outside company could do a better job.

Mike
---
Mike Bernico [EMAIL PROTECTED] Illinois Century Network http://www.illinois.net (217) 557-6555

> -Original Message-
> From: Michalis Palis [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 03, 2002 12:09 AM
> To: [EMAIL PROTECTED]
> Subject: Network latency [7:40295]
>
> Dear all
>
> I am looking for a good tool to measure network
> latency and packet loss. Any idea?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40360&t=40295
RE: AS-Path Filtering in Confederations? [7:40249]
ip as-path access-list 1 deny _65001_ outbound from 65002 towards 65003 doesn't work ? have you tried both

    route-map match as-path 1

and

    neighbor 1.1.1.1 filter-list 1 out

? (not at the same time of course :)

Joseph Brunner ASN 21572 MortgageIT MITLending New York, NY 10038 (212) 651 - 7695 Voice

-Original Message-
From: William Lijewski [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 6:11 PM
To: [EMAIL PROTECTED]
Subject: AS-Path Filtering in Confederations? [7:40249]

Can you filter out certain confederations (in the main AS) using AS-Path access-lists? I don't think that it's possible since they are technically in one big main AS. I have also tried it to no avail, but the thing that makes me think it may be able to be done is if I do a show bgp regexp ^$ it shows just my routes local to my confederation, not anyone else's. I've looked on CCO without any luck. Can someone tell me if this is possible or not? Thanks.

Example: (65001) - (65002) - (65003)

I want to filter so that confederation 65003 does not see any routes that originated in confederation 65001 using AS-Path Access-Lists.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40311&t=40249
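The difference between `_10_` and `^10$` raised in the as-path access list thread above, together with the `_65001_` and `^$` patterns from this confederation thread, worked through as an added example that is not code from any poster. The trailing `permit .*` entries, the sample AS paths and the function names are constructed for illustration, and the translation of `_` assumes the delimiter set given in Cisco's regular-expression documentation (space, comma, braces, parentheses, start and end of string).

```python
import re

# Assumption: "_" matches start/end of the AS-path string or one of these
# delimiters. Parentheses wrap confederation segments, braces wrap AS_SETs.
_DELIMS = r"[ ,{}()]"


def cisco_to_python(pattern: str) -> str:
    """Translate the Cisco-specific "_" metacharacter into Python regex."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # keep escaped characters literal
            i += 2
            continue
        out.append(f"(?:^|$|{_DELIMS})" if ch == "_" else ch)
        i += 1
    return "".join(out)


def evaluate(acl, as_path: str) -> str:
    """First matching entry wins; an as-path list ends in an implicit deny."""
    for action, pattern in acl:
        if re.search(cisco_to_python(pattern), as_path):
            return action
    return "deny"


def permitted(acl, paths):
    """Return the AS paths that survive the filter, in input order."""
    return [p for p in paths if evaluate(acl, p) == "permit"]


def is_locally_originated(as_path: str) -> bool:
    """The ^$ pattern: an empty AS path, i.e. a route originated locally."""
    return re.search(cisco_to_python("^$"), as_path) is not None


# Filters A and B from the question, each followed by a constructed
# "permit .*" so that the effect of the deny line is visible.
ACL_A = [("deny", "_10_"), ("permit", ".*")]
ACL_B = [("deny", "^10$"), ("permit", ".*")]
# Filter from the confederation thread, same constructed permit.
ACL_CONFED = [("deny", "_65001_"), ("permit", ".*")]

# Constructed sample AS paths as they would appear in "show ip bgp" output.
SAMPLE_PATHS = [
    "10",         # originated by AS 10, learned directly
    "4513 10",    # originated by AS 10, learned through AS 4513
    "10 4513",    # originated by AS 4513, transiting AS 10
    "4513 100",   # AS 100 is not AS 10
    "110 7018",   # AS 110 is not AS 10
    "7018 4513",  # AS 10 nowhere in the path
    "",           # locally originated
]

if __name__ == "__main__":
    print("A (_10_) permits:", permitted(ACL_A, SAMPLE_PATHS))
    print("B (^10$) permits:", permitted(ACL_B, SAMPLE_PATHS))
    for path in ["(65001)", "(65002 65001) 4513", "(65002)", "650010"]:
        print(f"_65001_ on {path!r}:", evaluate(ACL_CONFED, path))
```

Filter A removes every path that carries AS 10 anywhere as a whole number, while filter B removes only the path that is exactly "10", so a route from AS 10 learned through a second upstream still gets through B.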
RE: ISL Trunking from a h/w's perspective [7:39246]
"Danny Andaluz, CCNP" - It will work. did it on a 2611. Ci$co, won't support it and obviously they want you to buy more expensive 100 Mbps ports/routers (even if my total of 4 vlans uses 1mbps) Why do you believe everything cisco tells you ? Most of their tech docs were written by people that have never had beyond level 1 on a production router. Would you take make out advice from the loser geek virgin ? Business advice from Enron ? "You must unlearn what you have learned." - yoda

Joseph Brunner ASN 21572 MortgageIT MITLending New York, NY 10038 (212) 651 - 7695 Voice

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 11:08 PM
To: [EMAIL PROTECTED]
Subject: Re: ISL Trunking from a h/w's perspective [7:39246]

I don't know what else you want me to do to prove it. This was true at one time but it has changed. I have personally not tried this config and seen it work but if I have some time on Monday I'll confirm whether or not the 3660 will do as advertised.

Dave

"Danny Andaluz, CCNP" wrote:

> no you can't. I got straight from cisco that they have to be 100 meg
> full-dux interfaces.
>
> ""MADMAN"" wrote in message news:[EMAIL PROTECTED]...
> > Actually on some platforms with the right IOS you can trunk 10 meg ports:
> >
> > C3660B(config)#inter e2/0.1
> > C3660B(config-subif)#encap dot1 1
> > C3660B(config-subif)#
> >
> > Dave
> >
> > danny wrote:
> >
> > > The router's ethernet must be 100 full dux. You configure subinterfaces on
> > > the ethernet. a trunking protocol must be configured on each sub with the
> > > corresponding vlan #. The router will route between Vlans.
> > >
> > > Hope this helps.
> > >
> > > Danny
> > >
> > > ""George Siaw"" wrote in message news:[EMAIL PROTECTED]...
> > > > Thanks for all your responses.
> > > >
> > > > One last question though. For external router, routing between vlans if
> > > > I have just one FastEthernet interface on the router can I route between
> > > > vlans?
> > > >
> > > > George.
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > > Scott H.
> > > > Sent: 23 March 2002 00:53
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: ISL Trunking from a h/w's perspective [7:39246]
> > > >
> > > > The only time the SC0 interface comes into play is for telnet into the
> > > > box.
> > > > If you have any 100 MB ports on your switch, you can run trunking.
> > > >
> > > > set trunk (mod/port) on isl
> > > >
> > > > If this trunk is running into a router, you need to create the
> > > > subinterfaces
> > > > on the router to enable routing between VLANS.
> > > >
> > > > int fa1/0.100
> > > > ip address (the subnet of the vlan)
> > > > encap isl (the vlan #)
> > > >
> > > > HTH,
> > > > Scott
> > > >
> > > > ""George Siaw"" wrote in message news:[EMAIL PROTECTED]...
> > > > > Do I need an Sc0 port when routing between Vlans? However, there's no
> > > > > uplink module on neither of my supervisor engines. Would you know a s/w
> > > > > work around without having to buy the module?
> > > > >
> > > > > George.
> > > > >
> > > > > -Original Message-
> > > > > From: Larry Letterman [mailto:[EMAIL PROTECTED]]
> > > > > Sent: 23 March 2002 00:17
> > > > > To: George Siaw; [EMAIL PROTECTED]
> > > > > Subject: RE: ISL Trunking from a h/w's perspective [7:39246]
> > > > >
> > > > > You don't have to configure SC0 interface to do isl or dot1q. It's only
> > > > > needed
> > > > > for management, telnet etc...
> > > > >
> > > > > Larry Letterman
> > > > > Cisco Systems
> > > > > [EMAIL PROTECTED]
> > > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Beha
RE: Jr. CCIE Ad on Dice [7:38034]
Every headhunter does that.. I used to be one.. lie lie lie on the phone to hiring managers, candidates. You ask candidates who they have interviewed with, so you can call that manager and push different candidates you feel are worth more money (to up your % fee that's paid), and you ask managers who they have been interviewing so you can badmouth that candidate, to get one of yours in.

That is the business. EVERY HEADHUNTER does this.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:14 AM
To: [EMAIL PROTECTED]
Subject: RE: Jr. CCIE Ad on Dice [7:38034]

Atlantis Partners is just a bad company all around, from what I can tell. Here in Denver they post fake job openings just to get people to send in resumes to fill their databases. I couldn't believe it when I discovered that they did this. Why would anyone use a company that does stuff like that??

John

>>> "Sean Knox" 3/13/02 3:02:29 PM >>>
I would say it's a sign that recruiting firms, such as Atlantis, don't have a clue, as it has always been.

- Sean

-----Original Message-----
From: Tarek Sabry [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 6:27 PM
To: [EMAIL PROTECTED]
Subject: RE: Jr. CCIE Ad on Dice [7:38034]

This is really funny :)

I don't think it's a sign that the industry doesn't acknowledge CCIEs as all-round experts anymore (hopefully not anyway!) I think the word "junior" is just to justify the relatively low salary range they're offering (in California).

Tarek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ken Diliberto
Sent: Tuesday, March 12, 2002 7:42 PM
To: [EMAIL PROTECTED]
Subject: Jr. CCIE Ad on Dice [7:38034]

This is good for a laugh. They are looking for a junior CCIE.

http://www.dice.com/DandL/c/cxapga.35951.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38242&t=38034
RE: nter-Vlan routing [7:38088]
Were you able to specify encapsulation ISL/DOT1Q on the router? You still need to be able to understand the trunked VLANs being received on 1 physical connection, using the same encapsulation as the switch. I think you need the PLUS/ENTERPRISE feature set, hence more DRAM/flash.

A valid configuration puts IP addresses and specifies encapsulation per sub-if, and each sub-if is assigned a vlan #.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Kelly Cobean [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: nter-Vlan routing [7:38088]

You don't need the IP+ feature-set to route VLAN's. I just tried creating a sub-interface off of the FE on one of our 2621's running 12.1.5 IP, and it let me. That's the only requirement.

Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of colin newman
Sent: Wednesday, March 13, 2002 4:59 AM
To: [EMAIL PROTECTED]
Subject: nter-Vlan routing [7:38088]

Hi

In order to do Inter-Vlan routing with a 2620, do I need IP Plus IOS?

If the IOS does indeed need to be IP Plus, I will have to add more DRAM to the 2620. Currently the router has a 32M module of DRAM. Can I just add another module into the second slot - is it that easy? Any gotchas I should be aware of?

Thanks
Colin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38103&t=38088
RE: concentrator 3000 vs. checkpoint vpn [7:37474]
The checkpoint is the black sheep of the industry. It is a poorly documented, unintuitive, overly licensed B.S. interface. The checkpoint where I used to work (nokia IP 440) reminded me of this cartoon with porky pig and daffy duck. Porky pig gets a hotel room for .10Cents. The mouse comes and starts chewing celery so he can't sleep. Then daffy wants like $10 for a cat to get rid of the mouse. Then the cat keeps him from sleeping so daffy wants $20 for a dog to get rid of the cat, and it goes all the way till an elephant to get rid of a lion for several hundred dollars. And guess what gets rid of the elephant (now taking up all the space in his hotel room)? You guessed it, a MOUSE!

Moral of the story: they string you along with different answers on each call (so issues just go in circles), the licenses make the product too expensive, while not as good at VPN tunneling as a Cisco VPN Concentrator, which comes with 100 USERS for only around $4K.

The Checkpoint is garbage. Avoid it at all costs. Long live Altiga (Cisco) VPNs.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice

-----Original Message-----
From: ""[EMAIL PROTECTED] [mailto:""[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 2:18 AM
To: [EMAIL PROTECTED]
Subject: RE: concentrator 3000 vs. checkpoint vpn [7:37474]

I've worked with the 3000 concentrator but not with the Checkpoint. The 3000 is very user friendly and easy to use. You have to do minor configuration via console and then you're off with the web interface which is very simple to use. I can't make a recommendation for which you should buy but the Cisco products always make me happy. I've set up a vpn tunnel from a cisco router to a checkpoint firewall and it seemed like the person on the configuring end of the checkpoint had a lot of problems with upgrading software and technical support but that may have been a one person scenario. I can't say for sure.

Jason

-----Original Message-----
From: Colin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 8:03 AM
To: [EMAIL PROTECTED]
Subject: Re: concentrator 3000 vs. checkpoint vpn [7:37474]

I haven't used both but I had to reply. I had set up a CheckPoint SecuRemote VPN, the VPN package that came with CP 2000 on a Nokia box and I have to say, it's not worth the hassle. CP tossed in the VPN component as a selling point so they could say, "Hey our firewall does it all". I should also mention that their documentation on getting SecuRemote up and running is sad, if not almost non-existent.

Colin

Alex Lei wrote:
> Group,
>
> Has anyone used both concentrator 3000 and checkpoint vpn (either software
> or hardware)? What are each's advantages and disadvantages? I am interested
> in the following factors: Ease of installation and configuration, security,
> manageability, reporting and logging, scalability, and pricing. I've
> searched the archives but couldn't find any real world advices.
>
> Thanks,
>
> Alex

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37592&t=37474
RE: Cat 2950-24 [7:37374]
Moreover, the 6509 complains (cat-os) if it hears BPDU's on a port configured for Portfast. That port is automatically, immediately disabled.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Mike Mandulak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 9:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cat 2950-24 [7:37374]

The portfast command does not turn STP off. The following is from CCO:

Cisco added a feature named "portfast" or "fast-start," which means the STP for this port will assume that the port is not part of a loop and will immediately move to the forwarding state, without going through the blocking, listening, or learning states. This command does not turn STP off. It just makes STP skip a few (unnecessary in this circumstance) steps in the beginning on the selected port.

Note: The portfast feature should never be used on switch ports that connect to other switches, hubs, or routers. These connections may cause physical loops and it is very important that spanning tree go through the full initialization procedure in these situations. A spanning tree loop can bring your network down. If portfast is turned on for a port that is part of a physical loop, it can cause a window of time where packets could possibly be continuously forwarded (and even multiply) in such a way that the network cannot recover.

----- Original Message -----
From: "Elijah Savage"
To:
Sent: Wednesday, March 06, 2002 10:56 AM
Subject: RE: Cat 2950-24 [7:37374]

> From my knowledge if you use this command (spanning-tree portfast) on a
> switch port it actually disables spanning tree for that port you should
> only do this if pc's are connected. So if you enable portfast you
> disable spanning tree for that port, if you disable portfast you enable
> spanning tree for that port.
>
> What this does with it enabled and a pc connected to it, it will keep
> the port from going through all the spanning tree phases you know like
> learning, listening, blocking etc it will take the switch 60 seconds to
> figure all this out before it starts passing traffic to that port. If
> portfast is enabled then it does not go through those phases and will
> only take approximately 3 seconds before traffic is passing according to
> Cisco. Someone please correct me if I am wrong here or missed something.
> Hope that helps
>
> www.digitalrage.org latest in Technical News and HowTo's
> www.digitalrage.org/phpBB Discussion Forums
>
> -----Original Message-----
> From: Cebuano [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 06, 2002 7:21 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Cat 2950-24 [7:37374]
>
> You don't disable STP on the port to the PC because
> STP is only run between Layer2 devices.
> I believe you are referring to PortFast.
>
> Elmer
>
> ----- Original Message -----
> From: "Brian"
> To:
> Sent: Wednesday, March 06, 2002 2:34 AM
> Subject: Re: Cat 2950-24 [7:37374]
>
> > If you connect a computer to a switch port, it takes spanning tree a bit to
> > allow traffic to pass. If this is an individual host being connected, you
> > could try disabling spanning tree on the port..
> >
> > Bri
> >
> > ----- Original Message -----
> > From: "Ismail Al-Shelh"
> > To:
> > Sent: Tuesday, March 05, 2002 10:44 PM
> > Subject: Cat 2950-24 [7:37374]
> >
> > > Dear all
> > > We have Pc with 3Com 3c90x-Tx 10/100 Network Card. This PC is installed
> > > with Dos 6.22 Operating System. We used to connect this to our 3com
> > > Switch1100 with the dos driver provided by 3Com. The sequence of loading
> > > the 3com driver to connect to 3com Switch1100 is as follows:
> > > LSL.COM
> > > 3C90X.EXE
> > > IPXODI.COM
> > > NETX.EXE
> > > F:
> > > LOGIN
> > > This is in a batch file and when we run the batch file it will connect
> > > immediately.
> > > The problem I am facing while connect to CISCO CATALYST 2950-24 port is that
> > > If I am
> > > running the same batch file it will not connect.
> > > I have to load the LSL.COM first and port on switch to which this computer
> > > is connected will be in Green color. But When
> > > I will load 3c90x.exe immediately the port on the switch color becomes
> > > amber.
> > > I have to wait for 1 to 1.5 minutes for the port color to become green
> > > and after that if load IPXODI.COM and NETX.EXE then it will connect.
> > > I can see this because I am sitting in front
RE: CCIE Lab - San Jose [7:37444]
MOTEL 6 - SAN JOSE AIRPORT, CALIFORNIA #1007, San Jose, CA
US 101/Bayshore Freeway at the 1st Street exit
Ph: (408) 436-8180

(it's by a car rental place and across the fwy is a hyatt.. used to live there at that hotel... :)

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 2:52 PM
To: [EMAIL PROTECTED]
Subject: RE: CCIE Lab - San Jose [7:37444]

There is a $50/night motel 6 with a denny's in the parking lot that is okay. I can't remember the name of the street it's on, but it's only about 2 mi. from the hq.

-Ejay

-----Original Message-----
From: timothy thielen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: CCIE Lab - San Jose [7:37444]

If your test date is a long way off, or you are close by, start walking now. Remember to pack food and supplies for cold and warm weather. Also, a rain poncho may be wise. Carry or search for a cardboard box (the only approved Homeless/bum shelter approved for use within San Jose). Find a space to sleep either near the cisco compound or near a light-rail station.

Transportation from Box to Cisco: Take the light-rail. USUALLY nobody will even check for a ticket. If the transit police DO check, at least you have a better place to sleep tomorrow night.

Seriously, though, things are not cheap in San Jose. BUT, they do have an abundance of Starbucks Coffee Installations, where jack-booted Caffeine-Nazi's are likely to force you to consume the People's Drink.

--Tim

James wrote:
>
> Hello,
>
> I hope to get some advice from those who attempted the
> lab in San Jose. I have a lab scheduled soon and hope
> that someone can let me know where to stay at the best
> rates, travel arrangements from hotel to Cisco, etc..
> any information is greatly appreciated.
> Thank you

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37591&t=37444
RE: strange problem [7:37359]
David Letterman's top 10 reasons this customer can't browse the internet:

10) PPP - Pre-Historic Pathetic Protocol
9) ISDN - Inferior Service for Dinosaur Networks
8) DNS - Doesn't networking Suck
7) ACL - Adamantium Cisco Locks
6) RIP - Rest In Peace (V2 also)
5) BGP - Big Geek Past-time
4) NAT - Non Acceptable Timeouts ?
3) PING - Please Investigate News Groups 1st !
2) CBAC - Can't Browse ? Ask Cisco
1) TAC - Try Accepting Counseling

Ping first by name, if it does not resolve to ip, try nat settings... if it does resolve try telnetting to something external.. next check ie settings.. make sure they don't have a proxy set or something.

Post config here.

""kaushalender"" wrote in message news:[EMAIL PROTECTED]...
> Hi group
>
> I am facing strange problem one of customer whom we have given 128Kbps
> link and connected on ppp encapsulation. They r not able to browse the
> website. When i did traceroute and ping it was working fine and customer
> is able to reach the internet. But when i typed www.yahoo.com in the
> browser the browser was responding "website found waiting for reply " and
> it keeps on waiting. Can somebody can help me in identifying that why
> http request is dying or getting killed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37368&t=37359
RE: Pix NAT - Two to one [7:37179]
pix will respond with error if you do more than 1 static command (specify more than one public > private translation, using the static command). Pix doesn't offer "extendable" either (I'm running 6 train on the pix)

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: Pix NAT - Two to one [7:37179]

On a cisco router, you use the Extendable command. Not sure about the pix.

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Pix NAT - Two to one [7:37179]

Hi all,

Has anybody tried NAT'ing two outside addresses to one internal (DMZ) address on the same port (80) in some way.

Not too difficult to get round, as I can get the DNS of one site changed and use the single address outside to single inside. The advantage would be that when the web sites are separated, to two machines inside, I would like to be able to change the pix settings immediately rather than change DNS and wait a couple of days for DNS to propagate.

I'm sure there may be some simple way of doing it, but I couldn't find it whilst playing about today.

Any ideas welcome.

Thanks,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37200&t=37179
RE: CIT Support Passing Score [7:37113]
100%, anything less, john chambers puts your name in a database that prevents you from working on his equipment for 10 years.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: john jones [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 03, 2002 6:20 PM
To: [EMAIL PROTECTED]
Subject: CIT Support Passing Score [7:37113]

All,

What's the passing score for the 640-506 support exam.

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37116&t=37113
RE: Cisco CPU [7:36765]
Target[2621_cpu]: 1.3.6.1.4.1.9.2.1.57.0&1.3.6.1.4.1.9.2.1.58.0:@
MaxBytes[2621_cpu]: 100
AbsMax[2621_cpu]: 100
Options[2621_cpu]: gauge,nopercent,growright
Unscaled[2621_cpu]: dwmy
YLegend[2621_cpu]: Utilization
ShortLegend[2621_cpu]: %
LegendI[2621_cpu]: 1 Min:
LegendO[2621_cpu]: 5 Min:
Legend1[2621_cpu]: AvgBusy 1 Min
Legend2[2621_cpu]: AvgBusy 5 Min
Title[2621_cpu]: 2621_Kansas Router CPU Utilization
PageTop[2621_cpu]: 2621_Kansas Router CPU Utilization

Target[2621_mem]: 1.3.6.1.4.1.9.9.48.1.1.1.5.1&1.3.6.1.4.1.9.9.48.1.1.1.6.1:@
MaxBytes[2621_mem]: 15365292
Options[2621_mem]: gauge,nopercent,growright
Unscaled[2621_mem]: dwmy
YLegend[2621_mem]: Memory Used
ShortLegend[2621_mem]: Bytes
LegendI[2621_mem]: Used
LegendO[2621_mem]: Free
Legend1[2621_mem]: Memory Used
Legend2[2621_mem]: Memory Free
Title[2621_mem]: 2621_Kansas Memory Utilization
PageTop[2621_mem]: Memory Utilization of 2621_Kansas Memory

CPU = Just go with 100%

MEMORY is router specific.. telnet to the router and do show mem.. if i found

MIT_CORE_1>sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   62298CE0    90600224     4896328    85703896    85493368    85631408
      I/O        790     7340032     2273784     5066248     5041504     5066012

90600224 would be my maxbytes for mem.

I use Processor mem in my mrtg configs.. because i think the other parts of my memory in I/O are reserved for IOS and shouldn't be counted.. plus the OID only concerns processor memory.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Richard Tufaro [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 11:02 PM
To: [EMAIL PROTECTED]
Subject: Cisco CPU [7:36765]

Hey guys..a little off topic but where is the BEST place to find out how to install and configure Cisco CPU and Memory stats with MRTG. I get to somix and the MIB's but what do i do with them?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36769&t=36765
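The MaxBytes step described in the reply above (read the Processor pool's Total from show mem and use it as MaxBytes), as an added example that is not part of the original posts. The sample output is constructed from the figures quoted in the reply; the function names, the stanza name core_mem and the COMMUNITY@192.0.2.1 target are assumptions.

```python
import re

# Constructed sample: the "sh mem" figures quoted in the reply, laid out in columns.
SHOW_MEM = """\
MIT_CORE_1>sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   62298CE0    90600224     4896328    85703896    85493368    85631408
      I/O        790     7340032     2273784     5066248     5041504     5066012
"""

# pool name, hex head address, then five decimal byte counters
ROW = re.compile(
    r"^\s*(\S+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)
FIELDS = ("total", "used", "free", "lowest", "largest")


def parse_show_memory(text):
    """Return {pool: {total, used, free, lowest, largest}} from the summary rows.

    Rows whose counters are inconsistent (a sign of a garbled paste or a
    truncated capture) raise ValueError instead of producing a bad MaxBytes.
    """
    pools = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt line, header line, blank line
        pool = m.group(1)
        values = dict(zip(FIELDS, (int(v) for v in m.groups()[2:])))
        if values["used"] + values["free"] != values["total"]:
            raise ValueError(f"{pool}: used + free != total")
        if values["largest"] > values["free"]:
            raise ValueError(f"{pool}: largest free block exceeds free bytes")
        pools[pool] = values
    if not pools:
        raise ValueError("no memory pool rows found")
    return pools


def percent_used(pools, pool="Processor"):
    """Current utilisation of one pool, in percent, rounded to one decimal."""
    p = pools[pool]
    return round(100.0 * p["used"] / p["total"], 1)


def mem_stanza(name, target, pools, pool="Processor"):
    """Build the MRTG lines that depend on the router: Target and MaxBytes.

    MaxBytes is the pool's Total(b), as the reply recommends. The OIDs are the
    ones shown in the posted config; the community@host part is supplied by
    the caller.
    """
    oids = "1.3.6.1.4.1.9.9.48.1.1.1.5.1&1.3.6.1.4.1.9.9.48.1.1.1.6.1"
    return [
        f"Target[{name}]: {oids}:{target}",
        f"MaxBytes[{name}]: {pools[pool]['total']}",
        f"Options[{name}]: gauge,nopercent,growright",
    ]


if __name__ == "__main__":
    pools = parse_show_memory(SHOW_MEM)
    # COMMUNITY@192.0.2.1 is a placeholder target (documentation address).
    print("\n".join(mem_stanza("core_mem", "COMMUNITY@192.0.2.1", pools)))
    print("Processor pool in use: %s%%" % percent_used(pools))
```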
RE: MPLS in the Enterprise [7:36670]
i was pitched this very thing recently by wcom and qwest.. basically it is only as secure as your carriers.. if someone "f*cks up" and imports something into your VRF, either a default, another vpn, or whatever, your security is finished..

plug banks are supposed to encrypt over IPSEC, so why bother running MPLS (come on, how much diff-serv can you do on frac T-1's anyway) if you are just going to IPSEC the packets between pix's or vpn concentrators anyway.. MPLS right now for 100 sites, just can't be trusted.

I used to work for ISP's, everyone there was a perp.. trust my vpn security to some loser ISP. No thanks

read this http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/mxinf_ds.htm

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 12:24 PM
To: [EMAIL PROTECTED]
Subject: MPLS in the Enterprise [7:36670]

Okay, I'm about to show how clueless I am when it comes to MPLS

I've been getting calls from multiple providers lately all trying to suggest that I migrate our 100-site frame relay network to their MPLS network, suggesting that we'll have any-to-any connectivity and the ability to prioritize traffic classes within the MPLS network.

Are any of you doing something like this? I'm going to read up on it but I'm having trouble visualizing it. Does this basically turn our network into a giant multipoint network? Do our branch routers need to be aware of MPLS or do providers make this transparent somehow? How does this affect routing?

It seems that if we have any-to-any connectivity then the branch routers don't even need to run a routing protocol; every router would have one exit point to get to any destination. But, how would the MPLS cloud know where to route packets? The more I think about it it seems like our branch routers would have to participate in MPLS to provide the necessary destination info for the MPLS cloud.

See how clueless I am? Ugh... Time to do some studying on this. Since we already do a little video conferencing over IP and are working on getting VoIP working, it might be beneficial to get away from the frame relay network. But since I don't understand this new technology, I don't know if it's a viable solution for us or not.

Off to CCO I go!

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36672&t=36670
Re: China/Cisco connection [7:35946]
>BTW, does the US government filter access to the internet for its employees
>and from its offices? bet they do!

Don't compare the access US govt employees have @ work (where our tax dollars pay the bills) to the access these same employees have in their homes. The Chinese "government" is not just blocking its employees' internet access while on the job, it is limiting free speech in the entire country.

Such an arrogant comparison is dangerous. Let's not forget our countrymen who were held against their will as pow's for 2 weeks last year. China is an oppressive communist dictatorship, hate our government all you want, at home you have free reign of the net.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 9:35 AM
To: [EMAIL PROTECTED]
Subject: Re: China/Cisco connection [7:35946]

so. BFD, packets can be sniffed and access to certain sites can be blocked. so what? nothing new here. We get questions on this list regularly about how to do it. There are several companies, including but not only Cisco, who make a lot of money selling content blocking products.

Most things in life can be used for good or evil. The internet is no different. Corporate and government response to the internet is no different.

BTW, does the US government filter access to the internet for its employees and from its offices? bet they do!

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36037&t=35946
RE: IP's and ISP going out of business [7:35850]
No. It's usually non-portable space. Unless you're a really important company like USPS that has tonnes of portable space

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 19, 2002 9:48 AM
To: [EMAIL PROTECTED]
Subject: IP's and ISP going out of business [7:35850]

If a company has a block of public IP's assigned to them via their ISP, and that ISP goes out of business, can a company transfer those IP's to a different ISP? I don't think so, but maybe I'm wrong.

--
RFC 1149 Compliant.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35856&t=35850
RE: DRAM and FLASH question [7:35600]
www.memoryx.net

great prices, selection

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Ronnie [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 6:38 AM
To: [EMAIL PROTECTED]
Subject: DRAM and FLASH question [7:35600]

Hi all,

I was wondering if somebody could tell me the secret on Kingston memory and flash in Cisco Routers. Where is a good and not so expensive (I'm Dutch .. :-)) site for selling these items ?

Thanks in advance ...

Cheers
Ronald

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35622&t=35600
RE: Dynamic Mac Address Assignment [7:35303]
IOS based switch -

3524XL_ATL(config-if)#mac-address ?
  H.H.H  MAC address

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Kwame [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 13, 2002 10:11 AM
To: [EMAIL PROTECTED]
Subject: Dynamic Mac Address Assignment [7:35303]

Pls ignore my previous post b'cos it's wrongly framed. Here's what I want to ask:

Is it possible to assign a mac address to a catalyst switch such that the switch would not use the burned-in-mac but rather use the assigned mac?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35309&t=35303
RE: Concentrator 3030 RADIUS authentication [7:34537]
Configuration | User Management | Groups | Modify

For the group under IPSEC you need to specify the authentication method (Internal, NT Domain, Radius, SDI, etc) in addition to labeling it an "external" group.

Once you do this, if it still will not work, then do some debugs under Configuration | System | Events | Classes for all 3 auth's

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 5:50 PM
To: [EMAIL PROTECTED]
Subject: Concentrator 3030 RADIUS authentication [7:34537]

Hello,

I'm trying to set up authenticating groups externally through RADIUS. I created a group and changed the type to "External". On my RADIUS server (Safeword 5.1), I created a group with the same name on 3030. Users couldn't get authenticated. On 3030 log, it said user unspecific.

Any thoughts? Thanks.

Jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34547&t=34537
RE: cef debug error "slow service", what [7:34218]
are you running cef with NAT ?

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: bergenpeak [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 02, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: cef debug error "slow service", what's it mean? [7:34218]

I'm having some problems with CEF and so enabled a number of CEF debug commands (ip cef drops, events, received). I'm getting periodic debug output which says "CEF: slow service". What does this mean?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34229&t=34218
RE: Topic repeat [7:33865]
get real.. what SDSL Provider is going to do BGP with you ?

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 12:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Topic repeat [7:33865]

You can use BGP if you simply receive partial routes from say the SDSL provider and point default at the other with floating default for SDSL provider. This way you can dynamically announce your network, get some load balancing and redundancy.

Dave

Shawn Xu wrote:
>
> First of all, I should announce I have searched Archives before I post this
> message, but not exactly match my question.
>
> Some people said for this topic you have to use BGP, and some people said
> you can use default route if you are only for load balance and fault
> tolerance purpose.
>
> We have one client, who currently uses T1 line (Cisco 2503 router) to an
> ISP, and has a whole class C ip address (/24) from the ISP. And on their
> local network, they have web server, mail server, etc. everything is working
> fine.
>
> Now they want to connect to us using SDSL line (Cisco 1605 router) for load
> balance and fault tolerance.
>
> How to do that?
>
> 1. Cannot use BGP, because nobody wants to buy a BGP router.
> 2. Static or default route:
> (1) HSRP groups implement load sharing, and automatically switching over in
> case of one line is down, is it right?
> (2) Because they are using T1 line ISP's IP address for local network, if T1
> line is down, how can we route their traffic through DSL line, ip route
> 0.0.0.0 0.0.0.0 DSL_ISP will work? and from outside how people can reach
> their local network through DSL line?
>
> Thanks
>
> Shawn

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33895&t=33865
RE: BGP and one backup link [7:33433]
Sometimes AS prepending won't work.. your best bet is to telnet to route-views.oregon-ix.net (public route server) and do a show ip bgp with your AS # (then you will know who is using your prepended path to get there). Most likely one peer of your backup link provider sets local pref or metric on a private peering arrangement, thereby nullifying your prepends. Unfortunately there is nothing you can do.. if you were a hi-cap T-3 or larger customer, they might traffic engineer this for you.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-Original Message-
From: Alejandro Acosta [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 10:36 AM
To: [EMAIL PROTECTED]
Subject: BGP and one backup link [7:33433]

Hi all,

I have a BGP question. At this moment we have one Internet link with just one provider, now, we have got a second link just for backup. I mean, we can only use it for 180 hrs per month. I can easily manage my outgoing traffic (using local preference or weight), however the incoming traffic is more difficult. I added many prepends (9) in the publication of the second link but there still few traffic on it. There is not IBGP between my two providers.

Any ideas? Thanks in advance.

Alejandro Acosta

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33441&t=33433
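Added example, not part of the original thread: a small script for the check suggested in the reply above, taking the AS paths a public route server shows for your prefix and listing which neighbouring ASes still pick the backup provider's route although it is prepended. The AS numbers (documentation range), the sample paths and the function names are all constructed assumptions; paste in the path column of your own `show ip bgp` output instead.

```python
from collections import Counter
from itertools import groupby

ORIGIN_AS = 64500                                # assumed: your own AS
PROVIDERS = {64501: "primary", 64502: "backup"}  # assumed: your two upstreams

# Constructed sample: one best AS path per route-server peer for your prefix
# (path column only). The backup announcement carries 9 prepends.
PREPENDED = " ".join(["64500"] * 10)
SAMPLE_PATHS = f"""\
64510 64501 64500
64511 64505 64501 64500
64506 64502 {PREPENDED}
64507 64506 64502 {PREPENDED}
64508 64501 64500
"""

def analyse(path_text, origin=ORIGIN_AS, providers=PROVIDERS):
    """Return one record per path that ends at `origin`."""
    records = []
    for line in path_text.splitlines():
        hops = [int(tok) for tok in line.split() if tok.isdigit()]
        if len(hops) < 2 or hops[-1] != origin:
            continue  # empty line or a path to some other origin
        # Collapse runs of the same AS so prepends do not hide the topology.
        runs = [(asn, len(list(grp))) for asn, grp in groupby(hops)]
        if len(runs) < 2:
            continue  # only the origin itself: no provider visible
        entry_as = runs[-2][0]
        records.append({
            "peer": runs[0][0],
            "entry": providers.get(entry_as, f"AS{entry_as}"),
            "prepends": runs[-1][1] - 1,
            # AS that chose the provider's route; None if the peer is the provider
            "chooser": runs[-3][0] if len(runs) >= 3 else None,
        })
    return records

def backup_choosers(records):
    """Count ASes that still route via the backup link despite prepends."""
    return Counter(r["chooser"] for r in records
                   if r["entry"] == "backup" and r["prepends"] > 0)

if __name__ == "__main__":
    for rec in analyse(SAMPLE_PATHS):
        print(rec)
    print(backup_choosers(analyse(SAMPLE_PATHS)))
```

An AS that shows up in `backup_choosers` is only a candidate for the local-pref override the reply describes; the path alone does not show which policy made the choice.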
RE: Limit access to serial link to four users [7:33306]
see comments below

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 26, 2002 3:51 PM
To: [EMAIL PROTECTED]
Subject: Limit access to serial link to four users [7:33306]

>Hi all,
>I'm after some ideas if you'd be so kind :-)
>A 2Mb link being used mainly for streaming media has about 15 potential users. The task is to limit the number of users at any one time to four, so they have half a Mb each (ish).

All 15 @ once may be able to watch this stream. You should run a test to determine if this is a 300kbps (DSL cable stream) or a 150Kbps "T-1" stream. If you go to Abcnews.com or some sites to watch video, they expect corporate users to choose a T-1 stream, because they run on a business line which is not exclusively for the streaming. What I would do is ask people to choose the lower res stream, and enforce this with an aggressive CAR / traffic shaping policy. It would be nice if this stream uses layer 4 characteristics which will make it easy to classify and apply policy to, however assuming it uses a protocol you don't wish to delay (like tcp 80, http), you can always use CAR to limit per IP bandwidth for your 15 potential users (this would be easiest if their IPs were in a neat little /28 range).

>My initial idea, which I must admit, I don't think is such a good one is to set up a NAT pool of four addresses, and drag the translation timeout down to about a minute (yet to be tested), so that the first four users to pass traffic will be translated and allowed through, but after that, they'll have to wait.

This can work.. however every minute it would get kicked.. not cool if the stream is long. (You can make sure the potential users are in a specific range and then make a route map, keeping the hosts in their own NAT pool, unless your potential users are your only users.)

>I'm off to look at something like TACACS to see if I can control network authorization by number of users (shot in the dark).
>No equipment in place yet, so we have a clean drawing board.
>Anybody have any neat ideas please!! Thanks, Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33313&t=33306