How to recover ENABLE pwd from Cat-5000
I need to make some changes to one of our Cat-5000 switches and of course, the person who installed it a couple years ago is long gone. Anyone know where I can get recovery procedures at? I've been checking Cisco's site, but haven't found it yet.

Thanks
Terry

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Strange scenario
Can I borrow someone's brain since mine is dead.

Problem: One of my customers claims they can't ping 15000 bytes per packet across the satellite link after the circuit was upgraded on Monday. After the test, I confirmed their claim. I couldn't ping anything larger than 12000 bytes across the link; this is true for all other customers.

Questions: Is this limited by the IOS or platform? Do you know if there is a size limitation in the ping command?
Re: SH RUN reveals encrypted password
ftp://artoo.net/pub/bin/windows/32bit/password/

GetPass!.exe is my favorite and very useful for clueless customers who misplace passwords/lose staff but don't want to have to crack a large number of routers.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"adam lee" [EMAIL PROTECTED] wrote in message news:000201c089a8$be502b90$075901c0@meanboy4...

How readily available are these decryptors? I heard of them but I do not know anyone with one.

"Hans Stout" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Hello colleagues,

do you know if there is a way to make the line 'enable secret 5 $1$vwIl$YEZxTVGPapUUVCD.c54Ya' invisible when doing a 'sh run' in user mode? The problem is that I want to allow RO access and also allow to execute the 'sh run' command, but that with a password decryptor, one could easily decrypt the enable password.

Thanks for your help in advance.

Regards,
Hans
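An added example, not part of any post in this thread: a small audit that classifies the credential lines visible in `show running-config` output by how IOS stores them. It relies on the standard IOS markers (type 0 or no marker is cleartext, type 7 is reversible obfuscation, type 5 is a salted one-way MD5-crypt hash that can only be guessed, not decrypted); the configuration and every credential value below are constructed.

```python
import re

# How IOS marks stored credentials in the configuration text.
STORAGE = {
    None: ("cleartext", "critical"),
    "0": ("cleartext", "critical"),
    "7": ("type 7, reversible obfuscation", "high"),
    "5": ("type 5, salted MD5-crypt hash", "medium"),
}

# Credential-bearing lines: enable, local users, and line passwords.
CRED_RE = re.compile(
    r"^\s*(?P<kind>enable (?:secret|password)"
    r"|username \S+(?: privilege \d+)? (?:secret|password)"
    r"|password)"
    r"(?: level \d+)?(?: (?P<type>\d))? (?P<value>\S+)\s*$"
)

# MD5-crypt layout: $1$ + salt (up to 8 chars) + $ + 22-char digest.
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def audit(config_text):
    """Return one finding per credential line in an IOS configuration."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        ctype, value = m.group("type"), m.group("value")
        storage, severity = STORAGE.get(
            ctype, (f"type {ctype}, not classified here", "review")
        )
        if ctype == "5" and not MD5_CRYPT_RE.match(value):
            storage, severity = "type 5 marker but malformed hash field", "review"
        findings.append(
            {"line": lineno, "kind": m.group("kind"),
             "storage": storage, "severity": severity}
        )
    return findings


def recoverable_without_guessing(findings):
    """Credentials anyone who can read the config obtains directly."""
    return [f for f in findings if f["severity"] in ("critical", "high")]


# Constructed sample configuration (placeholder values only).
SAMPLE_HASH = "$1$abcd$" + "A" * 22
SAMPLE_CONFIG = "\n".join([
    "hostname lab-rtr",
    "service password-encryption",
    f"enable secret 5 {SAMPLE_HASH}",
    "enable password 7 0000000000",
    "username ops privilege 15 password 0 ExamplePass",
    "line vty 0 4",
    " password 7 0000000000",
    " login",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']}: {f['storage']} [{f['severity']}]")
```

Lines reported as critical or high are the ones to replace with `secret` forms or move to an AAA server before granting read access to the configuration.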
Re: ccnp voice certification
Integrating Voice and Data Networks by Scott Keagy
ISBN: 1578701961

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"Ole Drews Jensen" [EMAIL PROTECTED] wrote in message news:2019FB428FD3D311893700508B71EBFB54AE62@RWR_MAIL_SVR...

The only book I can find is this one (ISBN:1587200236):

http://www.ciscopress.com/book.cfm?series=2book=98
http://www.amazon.com/exec/obidos/ASIN/1587200236/qid%3D/107-8239556-3243701
(watch for wordwrap)

It must be a pretty easy book to read, because according to CiscoPress, it only has 0 pages. :-)

Should you decide to get it, please let me know if it's good, since I probably will look at that exam when I'm done with my CCNP.

Hth,
Ole

Ole Drews Jensen
Systems Network Manager
CCNA, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
http://www.CiscoKing.com
NEED A JOB ??? http://www.oledrews.com/job

-Original Message-
From: umerkhan [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 29, 2001 1:09 PM
To: [EMAIL PROTECTED]
Subject: ccnp voice certification

hello
can anyone suggest me any book or guide for the preparation of the ccnp cvoice certification (640-647 CVOICE)

thanx,
umer
Re: Gateway of last resort ?
http://www.cisco.com/warp/public/105/default.html

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"John Kelley" [EMAIL PROTECTED] wrote in message news:9526es$4v4$[EMAIL PROTECTED]...

No, they are not the same. The Default gateway is where you send traffic that you do not know how to get to. It is similar to a Default Gateway on a regular computer. The gateway of last resort is where you send traffic that you do not have a route for in your routing tables.

Here is an example to clarify the difference. Someone is trying to get to 192.168.2.0, and the only local routes in the routing table are for 192.168.1.0. The router will send traffic destined to 192.168.2.0 to the gateway of last resort, because it doesn't have a route in its routing table.

The default gateway comes into play where there is absolutely nothing in the routing table.

JK

"John lay" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Guys,

A very basic routing question. Is the gateway of last resort the same as the default gateway? Or is there any difference?

Sherif
Cisco Secure Policy Manager
Hello everyone,

My company just purchased CSPM v2.1. I know how to configure the pix via CLI. Anyone know where I can find a good guide on how to configure the pix using CSPM? The built in tutorial did not help me much.

Manny
Radius server - which one should I use ?
Hi!

can anyone recommend a windows-based radius server - respectively can anyone send it to me - for test reasons

thx
hans
Re: Enabling SSH on a router
I believe all Cisco devices that support SSH only support SSH v1. SSH v1 and v2 are incompatible (although a server may implement both).

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"Kevin Welch" [EMAIL PROTECTED] wrote in message news:041901c08526$565f1fe0$2a002a0a@sjc102498...

Well I generated the crypto key and was able to verify its existence, but ssh commands like ip ssh still a no go. The router has a hostname and a domain name.

-- Kevin

- Original Message -
From: "Kevin Welch" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 23, 2001 1:45 AM
Subject: Enabling SSH on a router

I searched Cisco's web site, followed all instructions in the link below but cannot get ssh to function on my 2621... As a matter of fact none of the ssh specific commands work even though it is supposed to be in every crypto ios rev.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/sshv1.htm

Any help appreciated.

-- Kevin
Re: OT (sort of) TAC Horror Stories
Only part failure I've ever had was out of the box with a 2900 with two slots. One slot had a FDDI module, and the other a FE module. It was acting as an expensive transceiver. TAC stayed on the phone while we troubleshooted the hardware and ended up getting 3 support personnel involved as it was thought to be a spanning tree issue with the FDDI.

Basically, what I'm saying is that instead of just saying, "Yeah, bad part, send it in," they troubleshooted the mess out of the thing as it was a mission critical link to a bunch of legacy equipment (3 hours or so). In the meantime, we left a huge Bay box in place with the FDDI ring connected to it and a 10mbit hub port connected to the other Cisco gear.

Even though we had a DOA part, the customer was very happy to see their support contract paying off already, and the part was there the next day and worked with no problems.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"dre" [EMAIL PROTECTED] wrote in message news:94lis6$icg$[EMAIL PROTECTED]...

Bob Johnson [EMAIL PROTECTED] wrote:

Just curious about other people's experiences with TAC on products "gone bad"...

1) Get call while almost in bed at 9:30 PM
2) 3548XL GigE interface goes down...

The problem here was that you are using 3548XL switches... if you were using a modular chassis with redundant everything (i.e. 6500 w/ dual PSs, SUPs, et al), you probably wouldn't be worried about your 3548XL. Not to mention that the MTBF numbers on the XL series suck in comparison to the 6000/6500.

I was lucky as the first unit worked (though its fan did not) and did not overheat (mainly due to its location)... Had there been cooling problems I would have yanked a fan off one of the other units (though as the part was not a "service item" TAC did not support such creativeness)..

Just curious as to what anyone else's TAC horror stories have been like?

I've personally never experienced any problems with the TAC. It is often that I get a front line person that has no idea what I'm talking about, and sometimes they try to help anyways, but after I explain to them that I would like it escalated, they do it. Good team of people, IMHO. Best tech-support ever.

It sounds like your problems were not even TAC related, more like shipping and receiving problems (UPS, anyone?). So be more careful when trying to pin the blame on a tech-support department, especially the Cisco Technical Assistance Center. They were doing their jobs just fine.

-dre
Re: Slightly OT: VoIP Quality
I'd suggest taking a look at the compression used on the Nortel boxes and check the stats to see if it is detecting packets being dropped. If the calls just sound like poor quality but not loss of signal, then I'd say the compression is the problem.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"John Neiberger" [EMAIL PROTECTED] wrote in message news:29183565.980270695088.JavaMail.imail@slippery...

We have implemented VoIP at two of our branches as a test. We are using Nortel ITG cards in the branch PBX to convert the calls to IP and then we connect the card to a Cisco 2924XL switch with all voice traffic in its own VLAN. Then the traffic hits a 2620 router with LLQ configured. The voice calls then go through another branch with custom queueing configured, then to the destination branch with the same setup as the first branch.

This is now up and running without any serious glitches, but the users at the branches complain that all incoming calls sound like cell phone calls. Is this the type of quality we can expect from this technology? Is it a natural result of packetizing real-time voice traffic? Or, can we expect better?

Any thoughts or tips would be appreciated.

Thanks,
John
Re: securemote through pix firewall
Friends,

Did a lot of work on this issue. It may not work. The reason: Secure remote first downloads topology info. Then it writes the info to the user.c file on the client machine. It writes the IP addr of the fw1 interface rather than the real public IP. For auth it tries to reach the interface IP on FW1 instead of the public IP, which is unreachable, hence the auth fails.

HTH
pat

--- Allen May [EMAIL PROTECTED] wrote:

Did you remember to put the nat statement in for the IP range that the secureremote users are using and set up the access-list permits for them as well? Chapter 10 in the IPSec User Guide 5.3 covers this pretty well.

- Original Message -
From: "pat" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, January 30, 2001 10:27 PM
Subject: Re: securemote through pix firewall

Well, I am having the same problem too. The issue seems to be due to the address translation the PIX does. The actual address on the firewall interface (outside) is different; the secure remote client uses a different IP (IP mapped by PIX) to establish the session. But I don't understand why authentication fails. In my case topology download goes through, but authentication fails. If I sit behind the PIX everything is fine. PIX is translating Public IP to Private IP. Let me know if you get to know why this happens.

thanks.

--- [EMAIL PROTECTED] wrote:

HEI

I hope someone could help me with a big problem I've got. My client needs to use the securemote ipsec program through a pix firewall to a firewall1 at the remote site. There's no problem to get the key exchange process, and I am being prompted for password and username. After this the program says the authentication is OK, but explorer comes up with cannot find the page. When I test the same procedure connected without the pix everything functions OK. Could anyone please give me a tip to solve this situation.

Thank you
Re: Hybrid Routing Protocols
I expect there to be many excellent responses to this, but I'll start off with a mediocre one. :-)

Distance vector and link state routing protocols primarily differ in three ways: how they notify their neighbors of the routes they know about, how they go about building their own routing table out of that information, and how they notify neighbors of changes.

DV protocols, like RIP or EIGRP, send their entire routing table to their directly attached neighbors and then receive their neighbors' routing tables in return. That's an important point: they send the *entire* routing table, not just the routes they know about first hand. Based on their own information and the tables received from neighbors, they build a routing table that basically says "I have some route, and it's some distance away, and it's that direction (vector)." Hence the name, distance vector. RIP uses hop count as its metric, so a RIP routing table says "x.x.x.x is out that interface and it's Y hops away." EIGRP has a more complex metric but the end result in the routing table is similar.

Now, link state protocols are quite different. They don't just haphazardly deluge each attached link with their entire routing tables, they do it in a little more organized fashion. Let's take OSPF as an example. An OSPF router will send advertisements to its neighbors about the routes or, more specifically, links that it's personally aware of. These advertisements get flooded throughout the area and all involved routers use those advertisements to construct a picture of the entire topology of the network. This is quite different behavior from DV protocols. They simply know direction and distance, but they don't have a big picture view of the entire network layout.

A router running OSPF will have a complete understanding of its place in the network topology, and it builds its routing table by choosing the lowest-cost path to each other router in its area based on the link state information it received from its neighbors.

Now, about updates; DV protocols handle these quite differently than LS protocols. RIP and IGRP periodically send their entire routing table, even if no change has occurred. EIGRP initially sends its entire table, but then sends incremental updates as changes occur. OSPF, once it has completely synchronized with its neighbors, will only send incremental updates as needed.

This has been quite an over-simplification of the topic, but I hope that helps out a little bit. There will be other more complete and accurate responses that will give more details and probably be more intelligible. <g>

Regards,
John

Hi

I just have a general question about routing protocols, if anyone could help me out here I'd be grateful. When comparing EIGRP to Distance Vector routing protocols, like RIP, the only similarity that I noticed was that the network statements are both classful. Is this the only characteristic that prevents EIGRP from being considered a total link-state routing protocol? Or is there something else I failed to notice?

Thanks in Advance,
Freddy Krugar III
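An added illustration of the contrast described in the reply above (not code from any poster): the same constructed four-router topology solved once by exchanging whole tables with direct neighbors, and once by running a shortest-path calculation over the complete link database. Router names and link costs are made up for the example.

```python
import heapq

# Constructed topology: undirected links with costs.
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("C", "D"): 1, ("A", "D"): 5}


def adjacency(links):
    """Build {router: {neighbor: cost}} from the link list."""
    adj = {}
    for (u, v), cost in links.items():
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def distance_vector(links):
    """Each router only ever sees its neighbors' tables, never the topology.

    Tables map destination -> (cost, next hop): distance and direction.
    """
    adj = adjacency(links)
    tables = {r: {r: (0, r)} for r in adj}
    changed = True
    while changed:
        changed = False
        # Every router advertises its entire current table to each neighbor.
        advertised = {r: dict(t) for r, t in tables.items()}
        for router in adj:
            for nbr, link_cost in adj[router].items():
                for dest, (cost, _) in advertised[nbr].items():
                    candidate = link_cost + cost
                    known = tables[router].get(dest)
                    if known is None or candidate < known[0]:
                        tables[router][dest] = (candidate, nbr)
                        changed = True
    return tables


def link_state(links, source):
    """The router holds the flooded link database and computes lowest-cost paths.

    Returns destination -> (cost, first hop) for comparison with the DV table.
    """
    lsdb = adjacency(links)  # after flooding, every router has this same view
    table, done = {}, set()
    heap = [(0, source, source)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        table[node] = (cost, first_hop)
        for nbr, link_cost in lsdb[node].items():
            if nbr not in done:
                hop = nbr if node == source else first_hop
                heapq.heappush(heap, (cost + link_cost, nbr, hop))
    return table


if __name__ == "__main__":
    dv = distance_vector(LINKS)
    for router in sorted(dv):
        print(router, "DV:", dv[router], "LS:", link_state(LINKS, router))
```

Both methods arrive at the same forwarding decisions; the difference is the state each router holds to get there, a list of distances and directions in one case and the whole topology in the other.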
Re: pls help me with vip4 problem
Can you post a sh diag ? flem --- shanjun zou [EMAIL PROTECTED] wrote: dear all, who can tell me what's the problem? thanks very much. like these: -- System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1) Copyright (c) 2000 by cisco Systems, Inc. SLOT 2 RSP is system master SLOT 3 RSP is system slave RSP4 platform with 131072 Kbytes of main memory Self decompressing the image : [OK] 00:00:37: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 PMA error register0 = 00:00:37: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 PCI0 master address = 00:00:37: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 PCI0 slave address = 00:00:37: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 PMA error register1 = 0100 00:00:37: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 CPU-PCI address error 00:00:37: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 PCI1 master address = 00:00:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 PCI1 slave address = 00:00:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 Latched Addresses 00:00:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 MPU addr exception/WPE address = 1480 00:00:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 MPU WPE addr/WPE data = 00:00:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 ProcMem addr exception = 00:00:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. 
%VIP4 RM7000-1-MSG: slot0 Pakmem addr exception = 00:00:39: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 System reloaded by a fatal hardware error 00:00:39: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 caller=0x600BC474 00:00:39: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 System exception: sig=22, code=0x0, context=0x605E3168 00:00:39: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 $0 : , AT : 0048FF00, v0 : 0002E080, v1 : 5080, 00:00:39: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 a0 : 6077D120, a1 : 50800028, a2 : 038C8000, a3 : , 00:00:40: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 t0 : 6077F414, t1 : 3400C101, t2 : 3400C100, t3 : 00FF, 00:00:40: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 t4 : 600BC4B0, t5 : 00F8, t6 : , t7 : 0094, 00:00:40: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 s0 : 6077D120, s1 : 6077EA60, s2 : 6077EA60, s3 : 6077E100, 00:00:40: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 s4 : 5080, s5 : , s6 : 6054, s7 : , 00:00:40: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 t8 : 3400, t9 : , k0 : 3041, k1 : 1042E4B0, 00:00:40: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 gp : 604F8F80, sp : 605EA1E8, s8 : , ra : 60101920, 00:00:41: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. 
%VIP4 RM7000-1-MSG: slot0 EPC : 60101940, ErrorEPC : 80008680, SREG : 3400C103 00:00:41: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 Cause (Code 0x0) 00:00:41: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output. %VIP4 RM7000-1-MSG: slot0 Traceback= 60101940 6010382C 60100C78
Re: subnet routing scheme question
Hee, hee. This is very funny. As soon as I saw it I said to myself, "this looks really familiar." These are bullet points in my book, Top-Down Network Design. The bullets are in the CID class also and are based on concepts that Howard Berkowitz and Peter Welcher taught me. They might be in BSCN also because Howard had a big influence on that class also. However, some clueless person screwed it up! This must be from a COLT test. :-)

At 07:50 AM 2/1/01, Hunt Lee wrote:

I have got the following question, but I don't understand the answer...

When you develop a subnet routing scheme, to which guideline must you adhere?

The question is supposed to be "When you develop a route summarization scheme..."

A) IP addresses must share the same right-most bits.

They changed left-most to right-most to make this a wrong answer. If IP addresses share left-most bits, then they can be summarized.

B) Routers must base routing decisions on a 16bit or 32bit address

They added 16-bit to make this a wrong answer. It would be right if it simply said "must base routing decisions on a 32-bit address."

C) Routing protocols must carry the prefix length with the 32bit address

This one is true (because the question is supposed to be about summarization).

D) Routers must base routing decisions on a prefix length that is 16bit or 32bit long.

They added 16-bit to make this wrong. Routing must be based on a 32-bit prefix in case there are host-specific routes. In other words, the router must look at all 32 bits.

I thought the answer is C, but the answer is B. Any help would be greatly appreciated.

Priscilla

Regards,
Hunt Lee
IP Solution Analyst
Cable and Wireless (Sydney)

Priscilla Oppenheimer
http://www.priscilla.com
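An added worked example of the points made about options A, C and D (not from either poster; all addresses and next-hop names are constructed): summarizing by shared left-most bits, what happens when only right-hand bits match, and a longest-prefix lookup that depends on the prefix length travelling with the 32-bit address.

```python
import ipaddress


def covering_prefix(networks):
    """Single prefix formed from the left-most bits all the networks share."""
    nets = [ipaddress.ip_network(n) for n in networks]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    # Bits that differ anywhere between low and high cannot be in the prefix.
    host_bits = (low ^ high).bit_length()
    base = (low >> host_bits) << host_bits
    return ipaddress.IPv4Network((base, 32 - host_bits))


def overreach(networks):
    """Addresses the summary advertises that none of the networks contain."""
    nets = [ipaddress.ip_network(n) for n in networks]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covering_prefix(networks).num_addresses - covered


def lookup(table, destination):
    """Longest-prefix match: compare all 32 bits, prefer the longest prefix."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Eight /24s that share their left-most 21 bits: a clean summary.
CONTIGUOUS = [f"172.16.{i}.0/24" for i in range(8, 16)]
# Three /24s that match only in their right-hand bits: no useful summary.
SCATTERED = ["172.16.1.0/24", "172.17.1.0/24", "172.18.1.0/24"]

# 172.16.8.0 appears twice; only the carried prefix length tells the
# summary route (/21) apart from the more specific route (/24).
TABLE = [
    ("0.0.0.0/0", "upstream"),
    ("172.16.8.0/21", "core"),
    ("172.16.8.0/24", "branch-a"),
    ("172.16.9.77/32", "host-link"),  # host-specific route
]

if __name__ == "__main__":
    print(covering_prefix(CONTIGUOUS), "overreach:", overreach(CONTIGUOUS))
    print(covering_prefix(SCATTERED), "overreach:", overreach(SCATTERED))
    for dest in ("172.16.8.5", "172.16.9.77", "172.16.9.78", "192.0.2.1"):
        print(dest, "->", lookup(TABLE, dest))
```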
RE: Strange scenario
Hi!

(Ping packets Should be less than 18000 bytes)

Did you try changing MTU size to a value less than 12000 on both sides?

-Original Message-
From: suaveguru [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 9:56 AM
To: [EMAIL PROTECTED]
Subject: Strange scenario

Can I borrow someone's brain since mine is dead.

Problem: One of my customers claims they can't ping 15000 bytes per packet across the satellite link after the circuit was upgraded on Monday. After the test, I confirmed their claim. I couldn't ping anything larger than 12000 bytes across the link; this is true for all other customers.

Questions: Is this limited by the IOS or platform? Do you know if there is a size limitation in the ping command?
Re: [Re: dual home with 3640?]
hi friends

I am going to buy one 3640 router and one 2610 router for one of my clients, who is going to have a 64 KBPS leased line between his head office and branch office. I want the following features:

IP / IPX routing between head office and branch office
VPN support for dial-up users from different parts
VOIP support between head office and branch office

please let me know which IOS will exactly meet all my above said requirements

tanx in advance
bye
ravee
Seeking PPP authentication resource...
Hi Group,

Can anyone please suggest a resource which has an in-depth explanation of the following Cisco IOS commands. I have not been able to understand their usage in all variations. The Cisco IOS Dial Solutions Configuration Guides Command Reference doesn't do a good job of explaining it at my level of comprehension.

1. "ppp chap hostname --"
2. "ppp pap sent username - password -"

A good resource would be highly appreciated.

Thanks in advance.
Aziz
Cisco Instructor Exam
Hello Group,

I am about to sit for the ICP (the cisco instructor exam). I am ready for the lab portion however I am uncertain as to what the proctors are looking for during the presentation. Some cisco instructors have told me that it is ok to introduce information that will help the students understand the relevance of the material. Other instructors have told me that I would be taking a risk if I did so as I am expected to stick strictly to the material on hand.

I would appreciate comments from instructors who have gone through the process.

Thank You,
Pierre-Alex
Re: Radius server - which one should I use ?
try VOP radius

- Original Message -
From: "Schimek, Hans" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 01, 2001 1:38 AM
Subject: Radius server - which one should I use ?

Hi!

can anyone recommend a windows-based radius server - respectively can anyone send it to me - for test reasons

thx
hans
Re: Radius server - which one should I use ?
Have you tried Internet Authentication Services that ships with Windows 2000? I have a couple of client sites running it with Cisco dial-in gear and no complaints so far.

Adam Burgess
Brisbane, Australia

- Original Message -
From: "Schimek, Hans" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 01, 2001 7:38 PM
Subject: Radius server - which one should I use ?

Hi!

can anyone recommend a windows-based radius server - respectively can anyone send it to me - for test reasons

thx
hans
CVoice problem....
Hello,

Help!... I have a problem

One of our customers is using 2600 (IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(2a), RELEASE SOFTWARE (fc1) series FXS and FXO voice cards and 3640 IOS (tm) 3600 Software (C3640-IS-M), Version 12.0(8), RELEASE SOFTWARE (fc1) EM voice cards on their WAN and running VoIP.

We replaced the 3640 with a 3660 IOS (tm) 3600 Software (C3640-IS-M), Version 12.0(8), RELEASE SOFTWARE (fc1) FXS voice cards.

Now we have a voice problem. Whenever we try to place a call we hear only some strange noises.

Do you know the reason?... or can we solve it?... (Any solution other than IOS upgrade will be highly appreciated)

Thanx
RE: CVoice problem....
We had the same problem here - all configs the same, but a dial is garbled. The only solution was to upgrade the software to the same version

-Original Message-
From: Mustafa Kemal Furat [mailto:[EMAIL PROTECTED]]
Sent: 01 February 2001 14:44
To: [EMAIL PROTECTED]
Subject: CVoice problem

Hello,

Help!... I have a problem

One of our customers is using 2600 (IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(2a), RELEASE SOFTWARE (fc1) series FXS and FXO voice cards and 3640 IOS (tm) 3600 Software (C3640-IS-M), Version 12.0(8), RELEASE SOFTWARE (fc1) EM voice cards on their WAN and running VoIP.

We replaced the 3640 with a 3660 IOS (tm) 3600 Software (C3640-IS-M), Version 12.0(8), RELEASE SOFTWARE (fc1) FXS voice cards.

Now we have a voice problem. Whenever we try to place a call we hear only some strange noises.

Do you know the reason?... or can we solve it?... (Any solution other than IOS upgrade will be highly appreciated)

Thanx
Re: Cisco Instructor Exam
Pierre-Alex, I am also about to take the ICP (Feb. 12-13). I have been told that the presentation is graded on each Powerpoint slide, 1 for unsatisfactory, 2, covered the materials on the slide, and 3, added something extra. Ave. must be at least a 2. The advice I got was to do the presentation covering ALL the bullets on each slide, even if this may not be what you would do in a real class. -- Neil Schneider MCT MCSE CCNP "Pierre-Alex" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... Hello Group, I am about to sit for the ICP (the cisco instructor exam). I am ready for the lab portion however I am uncertain as to what the proctors are looking for during the presentation. Some cisco instructors have told me that it is ok to introduce information that will help the students understand the relevance of the material. Other instructors have told me that I would be taking a risk if I did so as I am expected to stick strictly to the material on hand. I would appreciate comments from instructors who have gone through the process. Thank You, Pierre-Alex
Serial Line Protocol Problems
Hi All, I've got a problem with the serial port of a 2500 of mine. I used a serial back to back cable, in order to connect 2 2500s. I know what a normal response the 2500 should give, it should normally detect that the interface is up (I've used no shutdown already), and then set the line protocol to up. For one of the serial ports, the interface and the line protocol changes to up when I connect the two routers together. But after awhile, this is what I get:
01:30:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:32:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
It keeps continuing. From what I can see, the line protocol keeps going up and down periodically, however the interface is still up. This is what I've tried:
- Different cables.
- Different serial ports
- Changing clock rate and bandwidth
- Rebooting the router
Could someone give me some suggestions? Thanks Albert
RE: pix and MS Exchange
Bridgehead has nothing to do with being the first Exchange server. It only controls routing decisions between sites connected by X.400 connectors: bridgehead server: A Microsoft Exchange Server computer that acts as the end-point of a messaging connection between two sites configured as an X.400 Connector. This server is responsible for routing messages through that connection. (c) 1995-1998 Microsoft Corporation. Mark Rumfield Network Engineer Enterprise Products [EMAIL PROTECTED] -Original Message- From: J Roysdon [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 1:00 AM To: [EMAIL PROTECTED] Subject: Re: pix and MS Exchange Bridgehead is just the term for the first Exchange server, which must be replaced/moved if you are going to bring that server offline. It controls "routing" decisions. I suggest reading up a bit more at MS's TechNet site. -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ "ipguru" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I am installing a 515pix. I am going to hang an Exchange server off one of the four interfaces. I have seen the page cisco has about the bridgehead server, but these guys just blew their wad on the pix (:-), they don't want to buy another server and another exchange. The inside is higher so I shouldn't have to do anything to allow users to get to the server, but coming back into the inside from dmz1..this is what I have:
access-list exchange permit tcp 192.168.1.0 host 192.168.20.2 eq 139
access-list exchange permit udp 192.168.1.0 host 192.168.20.2 eq 137
access-list exchange permit udp 192.168.1.0 host 192.168.20.2 eq 138
access-list exchange permit tcp 192.168.1.0 host 192.168.20.2 eq 135
The inside is 192.168.1.0 network. The dmz1(mail) is 192.168.20.0, with the exchange server being 192.168.20.2. Anyone done this without the bridgehead? thanks, ipguru **As Marvin Gaye said-Let's Get it On!
Re: Radius server - which one should I use ?
Hans, Steelbelted radius worked very well for us, used with VPN, RAS using local and/or pass-thru authentication to NT domain(s). They provide a full featured eval on the WEB at www.funk.com. Can be run on WNT or Unix, supports SQL database. Very robust system and good support from the vendor. Regards, "Schimek, Hans" [EMAIL PROTECTED] wrote in message news:D602426F3CB3D411952E009027DDDB9DC94387@VIE501NT... Hi ! can anyone recommend a windows-based radius server - respectively can anyone send it to me - for test reasons thx hans
RE: VTP Operating Mode
2912XL - I think that is an access switch so the command is vtp client or vtp server or vtp transparent Joey -Original Message- From: JT [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 31, 2001 5:13 PM To: [EMAIL PROTECTED] Subject: VTP Operating Mode Hi Group, I'm brain dead here...could someone give me a hint please. I'm trying to set the VTP operating mode on my 2912XL switch to be "client" instead of "server", what command do I use to do this? Thanks, JT
RE: Frame Relay
Layer 2. Seriously, FR is a Layer 2 protocol, as is Ethernet, Token Ring, etc. As those other protocols support numerous Layer 3 (or higher) protocols, so will FR. The beauty of the OSI model is that there is separation of the layers without too much interaction between them. In other words, the Layer 4 datagrams get encapsulated into the Layer 3 packets, which in turn get encapsulated into Layer 2 frames. FR doesn't care for the most part what is "inside" the Layer 3 stuff coming down the pipe. ;-} Rik -Original Message- From: Pierre-Alex [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 8:41 AM To: [EMAIL PROTECTED] Subject: Frame Relay What element in a frame relay packet allows support for multiple protocols? Pierre-Alex
RE: VTP Operating Mode
Yup. To get into VTP config mode, type "vlan dat" at the enable prompt. Rik -Original Message- From: Fowler, Joey [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 9:07 AM To: [EMAIL PROTECTED] Subject: RE: VTP Operating Mode 2912XL - I think that is an access switch so the command is vtp client or vtp server or vtp transparent Joey -Original Message- From: JT [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 31, 2001 5:13 PM To: [EMAIL PROTECTED] Subject: VTP Operating Mode Hi Group, I'm brain dead here...could someone give me a hint please. I'm trying to set the VTP operating mode on my 2912XL switch to be "client" instead of "server", what command do I use to do this? Thanks, JT
Problem
I have a customer with a network that was using a Point to point T1 with a channel bank on each end to initiate dial calls for AS-400 terminals to a main office along with standard voice calls. Everything was working fine. They were only using 5 of the channels of the T1 for these calls, so they wanted to use the rest of it to provide data connections for their Ethernet Network. The AS-400 is not on the Ethernet. So we introduced a 2610 Router at each end, with VWIC CSU/DSUs that can do Drop and Insert on the T1, we connected the T1 to the router, then the router out to the Channel bank. The VWIC is configured to use the first 12 channels for voice and the last 12 channels for data. The data side works flawlessly and a call can be initiated from channel bank to channel bank without a problem. Voice calls work fine, so the VWIC is configured properly. The problem comes in with the AS400 modems attempting to dial out, we can see them attempt the connection, but then the data rate is walked down from 21,600 to 300 then disconnects without establishing a connection. Any ideas? Tom McNamara
Re: Cisco VPN 3000
Where do you do this? "Andy Wu" [EMAIL PROTECTED] wrote in message news:D178087C9E82D311817900508B4AB47C0101230D@GIAEXCHANGE... I'm running the W2K Beta version and it's been flawless. Join the Cisco Beta users and sign up for the W2K clients. Andy -Original Message- From: Tommy Mitchell [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 31, 2001 4:05 PM To: [EMAIL PROTECTED] Subject: Re: Cisco VPN 3000 "John Hardman" [EMAIL PROTECTED] wrote in message news:95aau1$vap$[EMAIL PROTECTED]... Cons: The current client software doesn't support Win2K or WinME, which makes the Win2K and WinME L2TP/IPSEC config a royal pain in the A$$! The rumor is that there will be either a 2.6 or 3.0 version releasing soon that does support Win2K and WinME. I have zero problems with the 3000 client version 2.5A running on WinME, but perhaps I'm the exception. I would like to see the Win2k client released soon, though. Tommy
OSPF command
network 192.168.100.0 0.0.0.255 area 0.0.0.1
Will the router take the 0.0.0.1 as area 1? Is there a good reason to do this? Thanks in advance, Duncan Maccubbin Senior Network Engineer - ICS LLC CCNA, CCNP
Catalyst 6500
How can separate VLANs on a 6500 talk without routing enabled? It's happening and I can't figure out how. Thanks...
Re: Serial Line Protocol Problems
Check your IOS versions and upgrade if needed. I ran into this exact problem using frame relay encapsulation when one side was running 12.1(6) and the other was 11.1(something). As soon as I upgraded the second one to a 12 release, all was well. HTH, John
Hi All, I've got a problem with the serial port of a 2500 of mine. I used a serial back to back cable, in order to connect 2 2500s. I know what a normal response the 2500 should give, it should normally detect that the interface is up (I've used no shutdown already), and then set the line protocol to up. For one of the serial ports, the interface and the line protocol changes to up when I connect the two routers together. But after awhile, this is what I get:
01:30:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:32:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
It keeps continuing. From what I can see, the line protocol keeps going up and down periodically, however the interface is still up. This is what I've tried:
- Different cables.
- Different serial ports
- Changing clock rate and bandwidth
- Rebooting the router
Could someone give me some suggestions? Thanks Albert
RE: DR Election
Brian, I would like to see if you, or anyone on the list can assist me in getting this config to work correctly. Lab: I have 3 routers (2501's) 1 frame switch, ~hub and spoke topology backbone. 2 other routers (2501's) for my virtual-link. The backbone is configured with NBMA, and off of each backside is an (ethernet) broadcast area labeled 1, 2, and 3. Off of r5's ethernet is area 2. I have connected r3's ethernet to this segment, and the serial side of r3 is another area -area 4. I have setup the ethernet interface on the r3 a virtual link to r5 through that (ethernet segment) broadcast area. The problem is that r5 doesn't get routing information for area 4. All the other routers do receive routing information for area 4 through the virtual-link, and area 4 receives routing info for everything else. There seems to be a problem with the virtual-link setup.
                         ___r5---area 2---r3---area 4
                        /
area 1---r6--frameswitch
                        \___r4---area 3
Now after reading over my message it looks like I need to include some configs. I'll get to the lab and copy some configs. I'll just throw this out there and see if anyone can see any mistakes that stick out. Brian From: "Brian Dennis" [EMAIL PROTECTED] Reply-To: "Brian Dennis" [EMAIL PROTECTED] To: "Brian Lodwick" [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: DR Election Date: Wed, 31 Jan 2001 13:13:11 -0800 Brian, An OSPF virtual link is treated as an IP unnumbered point-to-point link. There isn't a DR or BDR on an OSPF point-to-point link. Brian Dennis CCIE #2210 (RS)(ISP/Dial) CCSI #98640 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Lodwick Sent: Wednesday, January 31, 2001 12:40 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: DR Election What about this configuration I can't get this to work right? NBMA backbone area w/virtual-link punching through a broadcast area to the backbone. Does the router off of the virtual link create an adjacency with the DR/BDR on the backbone?
Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: DR Election Date: Wed, 31 Jan 2001 15:00:13 -0500 What about Virtual-links too, aren't they considered a traffic type? I might be getting in trouble here answering off the top of my head, but IIRC they are treated as point-to-point links terminating in the router ID at each end. Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: DR Election Date: Wed, 31 Jan 2001 12:19:07 -0500 There are three main types of environments (I hope) Correct, but also let me add: Demand circuit Broadcast Point-to-Point NBMA (Non-Broadcast Multi-Access) Point to Point would not be a multi-access segment. The other two would. An Example of Broadcast is Ethernet, while an example of NBMA would be Frame-Relay. Following this logic ' DR and BDR concepts ' would not have to be broadcast, only multi-access. Point to point creates an adjacency instead of using DR's and BDR's. I hope the diagram below turns out, but the first one is point to point, so information is exchanged directly, however in a multi-access environment both other routers only exchange information with the DR so as not to have to have an adjacency with every single router. X---X O X-| O If OSPF worked that way and you had 10 routers connected via Ethernet, each would each have to exchange information with the other 9. That would create 45 adjacencies. Way too much traffic would have to be exchanged. With those same 10 Routers using OSPF DR and BDR concepts, you could have 1 Router with 10 "Adjacencies" total. Much less routing traffic. I hope I haven't muddled things too much.
Joey -Original Message- From: pinoal [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 31, 2001 2:58 AM To: [EMAIL PROTECTED] Subject: DR Election Hi , From the OSPF Design Guide - Sam Halabi ' DR and BDR concepts are per multiaccess segment ' My question is what type of segments are considered as "multiaccess segment" ? Ethernet , FR with Point-to-Multipoint with broadcast option enabled , any others?? What does he mean by 'per multiaccess segment ' ? thanks
Re: OSPF command
Duncan, The area field is 32 bits. Converting 0.0.0.1 to Binary gives '0001'. So I believe it would therefore correspond to decimal area 1. However, in the interests of consistency throughout your network you should use one technique OR the other. Regards, Phil. --- "Maccubbin, Duncan" [EMAIL PROTECTED] wrote: network 192.168.100.0 0.0.0.255 area 0.0.0.1 Will the router take the 0.0.0.1 as area 1? Is there a good reason to do this? Thanks in advance, Duncan Maccubbin Senior Network Engineer - ICS LLC CCNA, CCNP
What should I block???
Hi Group, I know that this is going to be very broad but just bear with me on this one. We are switching over our firewall router from a bay to a cisco. The cisco one that I am going to work on is already pre-configured except for access-lists and filters. What they basically told me is that the checkpoint device behind it will take care of all of the intense blocking and forwarding, but on this FW-router we just want to block the basic things that are usually not allowed through. Here's what I was hoping for. Just a basic list of things that are normally blocked on the router above the FW. For example, I know that I'm gonna set an inbound access-list denying telnet so that the checkpoint doesn't even have to worry about that. I am just looking for a list of services/ports/etc., that as a rule of thumb to you FW gurus, are usually denied. I know this is broad and I'll understand if I don't get much feedback. Gotta also find that whitepaper on FW's. Considering this will be my first time coming anywhere near a FW (FW Virgin) I'm a little nervous and hope you guys can help out. Thanks all, =o) Mark Z...
RE: cd burner LAST
OK, here is the last waste of time/bits/bandwidth,etc on this... Sure a positive attitude is great, and being helpful is great. And I don't mind hitting delete several hundred times each day BUT OFF TOPIC questions should go somewhere else. --Bottom line--. I mean the ? about the CD burner is nowhere near the target. Questions about blocking Napster or how to resolve problems with Microsoft domain controllers are borderline. Actually, the questions about PDCs and BDCs bother me more than other borderline errors. I'm sure that MS has ample information about this somewhere else. In fact, I bet they even have their own study group but maybe the people at the MS groupstudy aren't as sharp as those at Cisco/groupstudy... : --- hao vu [EMAIL PROTECTED] wrote: ... That's GREAT! Thank you for your positive attitude. ;-) HV -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bradley J. Wilson Sent: Wednesday, January 31, 2001 3:55 PM To: cisco Subject: Re: cd burner Oh, come on folks...an off-topic post isn't any skin off your back. The topic clearly states what the author is posting about, and one more press of the "delete" button isn't going to break your keyboard. Do you holler at co-workers when they want to talk about non-work-related issues? Of course not. Relax. ;-) - Original Message - From: someone To: someone else Sent: Wednesday, January 31, 2001 12:27 PM Subject: RE: cd burner Good to know and all, but I think it would have been more appropriate posted s_o_m_e_w_h_e_r_e e_l_s_e --- "Someone Q. Ciscolearner" [EMAIL PROTECTED] wrote: As low priced as they are, the Lite-On CD Burners and Smart and Friendly brands have been good to me as well. I've done just over 1000 CDs on each without a single coaster. If I had the money though, I'd get one of those 12x Plextors. Fast, good quality and last forever.
Don't forget to cross your digits... Dan West -- CCNA, CCNP (in progress)
Re: OSPF command
network 192.168.100.0 0.0.0.255 area 0.0.0.1 Will the router take the 0.0.0.1 as area 1? Is there a good reason to do this? Thanks in advance, Duncan Maccubbin Senior Network Engineer - ICS LLC CCNA, CCNP What is the problem you are trying to solve? Yes, the 0.0.0.1 will be accepted. For that matter, I _strongly_ recommend always writing area numbers in the four-octet form, because not all vendors will interpret area 1 as 0.0.0.1; some will assume it is 1.0.0.0. Is that what you mean by good reason? -- "What Problem are you trying to solve?" ***send Cisco questions to the list, so all can benefit -- not directly to me*** Howard C. Berkowitz [EMAIL PROTECTED] Technical Director, CertificationZone.com Senior Mgr. IP Protocols Algorithms, Core Networks Advanced Technology, NortelNetworks (for ID only) but Cisco stockholder! "retired" Certified Cisco Systems Instructor (CID) #93005
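Added example, not part of the list thread: the 32-bit area ID discussed in the two replies above, converted between the decimal and four-octet forms, with an audit of `network` statements that flags a configuration mixing both notations. The first sample line is the one from the question; the second is constructed, and the function names are this example's own.

```python
import ipaddress
import re

# Matches "network <address> <wildcard> area <area-id>" as in the question.
NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")


def area_to_int(area: str) -> int:
    """Return the 32-bit value of an area ID given as decimal or dotted quad."""
    if area.isascii() and area.isdigit():
        value = int(area)
        if value > 0xFFFFFFFF:
            raise ValueError(f"area {area} does not fit in 32 bits")
        return value
    return int(ipaddress.IPv4Address(area))


def area_to_dotted(area: str) -> str:
    """Normalize an area ID to the unambiguous four-octet form."""
    return str(ipaddress.IPv4Address(area_to_int(area)))


def misread_as_high_octet(area: str) -> str:
    """The other reading mentioned in the thread: decimal n taken as n.0.0.0."""
    return str(ipaddress.IPv4Address(int(area) << 24))


def audit(config: str):
    """Return (entries, mixed): normalized network statements and whether
    the configuration mixes decimal and dotted area notation."""
    entries, notations = [], set()
    for line in config.splitlines():
        match = NETWORK_RE.match(line)
        if not match:
            continue
        prefix, wildcard, area = match.groups()
        notations.add("decimal" if area.isdigit() else "dotted")
        entries.append((prefix, wildcard, area_to_dotted(area)))
    return entries, len(notations) > 1


# Sample input: first statement from the post, second one constructed.
SAMPLE_CONFIG = """\
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0.0.0.1
 network 10.1.1.0 0.0.0.255 area 1
"""

if __name__ == "__main__":
    entries, mixed = audit(SAMPLE_CONFIG)
    for prefix, wildcard, area in entries:
        print(f"{prefix} {wildcard} -> area {area}")
    print("mixed notation:", mixed)
    print("'area 1' read as high octet:", misread_as_high_octet("1"))
```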
Re: securemote through pix firewall
Are you trying to set up a pool of IP addresses that are public IPs on the external interface? I've got it set up using a pool of IP addresses matching the internal interface subnet, set up NAT for that pool, and tada! You may have an ACL issue if it's assigning external IP's to the user. I'm not sure and haven't had my coffee yet, but it seems if it adds an external IP that the remote station would have a new route added internally to route traffic for the external interface of the PIX through the VPN tunnel...which could possibly really mess with you being able to access the external interface itself for the tunnel. Let me think more on this before I elaborate ;) (going to get coffee right now!) Allen - Original Message - From: "pat" [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Wednesday, January 31, 2001 11:39 PM Subject: Re: securemote through pix firewall Friends, Did lot of work on this issue. It may not work. The reason: Secure remote first download topology info. Then it writes the info to user.c file on client machine. It writes the IP addr of fw1 interface rather than real public IP. For auth It tries to reach the interface IP on FW1 instead of public IP which is unreachable, hence the auth fails. HTH pat --- Allen May [EMAIL PROTECTED] wrote: Did you remember to put the nat statement in for the IP range that the secureremote users are using and set up the access-list permits for them as well? Chapter 10 in the IPSec User Guide 5.3 covers this pretty well. - Original Message - From: "pat" [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, January 30, 2001 10:27 PM Subject: Re: securemote through pix firewall Well am too having the same problem. The issue seems to be due to address translation the PIX does. The actual address on the firewall interface(outside) is different the secure remote client uses different IP (IP mapped by PIX) to establish the session. But I don't understand why authentication fails. In my case topology download goes through, but authentication fails. If i sit behind PIX everything is fine. PIX is translating Public IP to Private IP. Let me know if you get to know why this happens. thanks. --- [EMAIL PROTECTED] wrote: HEI I hope someone could help me with a big problem I've got. My client needs to use securemote ipsec program through a pix firewall to a firewall1 at the remote site. there's no problem to get key exchange process, and I am being prompted for password and username. after this the program says the authentication is OK, but explorer comes up with cannot find the page. When I test the same procedure connected without the pix everything functions OK. Could anyone please give me a tip to solve this situation. Thank you
Frame Relay
What element in a frame relay packet allows support for multiple protocols? Pierre-Alex
Looking for Cisco 4000/4500 in Australia
I am looking for a Second-Hand Cisco 4000 or 4500 in Australia or NZ if possible. Unit must be working but I am not concerned with what modules are installed, how much RAM it has, or what IOS is installed. Regards Adam Burgess Brisbane, Australia
Re: in fddi, what is the characteristics of 4b/5b encoding?
it is my understanding that the 4b/5b encoding is used to translate 4 bits into a 5 bit string, there is some table that lists exactly what gets translated to what each time. the whole idea behind this is to make it so you don't have sequences with the same repeated bit pattern (4 zeros perhaps) sent out across the network. with self-clocking schemes (manchester, etc) you want to have a variance in signals that are sent, otherwise one router a few hundred yards away from the sending device may not be able to accurately tell if that was 3 or 4 zeros that was just sent. the 4b/5b is so you can never have more than 3 low voltage bits after one another jon - Original Message - From: "õ¸®¾È¸ÞÀÏ" [EMAIL PROTECTED] To: "cisco group study" [EMAIL PROTECTED] Sent: Wednesday, January 31, 2001 9:25 PM Subject: in fddi, what is the characteristics of 4b/5b encoding? in fddi, what is the characteristics of 4b/5b encoding? cisco www show me a little information.. that 4b/5b is used in multi-mode fiber over fddi or atm.. and that is a encoding scheme.. and support speed up to 100Mbps..on multimode fiber.. I just know some more characteristics about 4b/5b encoding over fddi or atm.. could you give me those? thanks.
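Added example, not part of the list thread: the 4-bit to 5-bit translation table described in the reply above, used to encode and decode bytes and to check exhaustively that no sequence of data symbols carries more than three consecutive zeros. Sending the high nibble first and rejecting every code group outside the 16 data symbols are assumptions of this example.

```python
from itertools import product

# 4B/5B data code groups: 4-bit nibble -> 5-bit symbol.
FOUR_B_FIVE_B = {
    0x0: "11110", 0x1: "01001", 0x2: "10100", 0x3: "10101",
    0x4: "01010", 0x5: "01011", 0x6: "01110", 0x7: "01111",
    0x8: "10010", 0x9: "10011", 0xA: "10110", 0xB: "10111",
    0xC: "11010", 0xD: "11011", 0xE: "11100", 0xF: "11101",
}
FIVE_B_FOUR_B = {code: nibble for nibble, code in FOUR_B_FIVE_B.items()}


def raw_bits(data: bytes) -> str:
    """Unencoded bit string, for comparison with the encoded one."""
    return "".join(f"{byte:08b}" for byte in data)


def encode(data: bytes) -> str:
    """Encode bytes as 4B/5B code bits (assumption: high nibble first)."""
    out = []
    for byte in data:
        out.append(FOUR_B_FIVE_B[byte >> 4])
        out.append(FOUR_B_FIVE_B[byte & 0x0F])
    return "".join(out)


def decode(bits: str) -> bytes:
    """Decode 4B/5B code bits; non-data code groups raise ValueError."""
    if len(bits) % 10:
        raise ValueError("expected 10 code bits per byte")
    nibbles = []
    for i in range(0, len(bits), 5):
        group = bits[i:i + 5]
        if group not in FIVE_B_FOUR_B:
            raise ValueError(f"code group {group} at bit {i} is not a data symbol")
        nibbles.append(FIVE_B_FOUR_B[group])
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def nrzi(bits: str, level: int = 0) -> str:
    """NRZI line levels: a 1 toggles the level, a 0 leaves it unchanged."""
    out = []
    for bit in bits:
        if bit == "1":
            level ^= 1
        out.append(str(level))
    return "".join(out)


def longest_run(bits: str, symbol: str = "0") -> int:
    """Length of the longest run of `symbol` (under NRZI, zeros = no transition)."""
    best = run = 0
    for bit in bits:
        run = run + 1 if bit == symbol else 0
        best = max(best, run)
    return best


def worst_case_zero_run() -> int:
    """Check every ordered pair of data symbols; each symbol contains a 1,
    so no zero run can span more than one symbol boundary."""
    return max(longest_run(a + b)
               for a, b in product(FOUR_B_FIVE_B.values(), repeat=2))


if __name__ == "__main__":
    payload = b"\x00\x00"                     # constructed worst case for raw bits
    print("raw zero run:    ", longest_run(raw_bits(payload)))
    print("encoded zero run:", longest_run(encode(payload)))
    print("worst case over all data symbols:", worst_case_zero_run())
    print("NRZI levels:", nrzi(encode(b"\x00")))
```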
RE: pix and MS Exchange
I've done this successfully several times. Your access lists look good for client logins, server RPC, etc. The bridgehead scenario is certainly not required, especially in a smaller environment where you may only really need just 1 box. A bridgehead in this case is an MS term and not really related to PIX security. Cisco is just making a suggestion for placement of the bridgehead.
Rik
-----Original Message-----
From: J Roysdon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 2:00 AM
To: [EMAIL PROTECTED]
Subject: Re: pix and MS Exchange
Bridgehead is just the term for the first Exchange server, which must be replaced/moved if you are going to bring that server offline. It controls "routing" decisions. I suggest reading up a bit more at MS's TechNet site.
--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/
"ipguru" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
I am installing a 515pix. I am going to hang an Exchange server off one of the four interfaces. I have seen the page cisco has about the bridgehead server, but these guys just blew their wad on the pix (:-), they don't want to buy another server and another exchange. The inside is higher so I shouldn't have to do anything to allow users to get to the server, but coming back into the inside from dmz1..this is what I have:
access-list exchange permit tcp 192.168.1.0 host 192.168.20.2 eq 139
access-list exchange permit udp 192.168.1.0 host 192.168.20.2 eq 137
access-list exchange permit udp 192.168.1.0 host 192.168.20.2 eq 138
access-list exchange permit tcp 192.168.1.0 host 192.168.20.2 eq 135
The inside is 192.168.1.0 network. The dmz1(mail) is 192.168.20.0, with the exchange server being 192.168.20.2. Anyone done this without the bridgehead?
thanks, ipguru
**As Marvin Gaye said-Let's Get it On!
Re: CCIE Prep lab at UCSC
I have passed the written and was interested in trying this out in addition to my home lab, just to get used to the environment and time limits. Here is what the lab manager from UCSC wrote me:
Hello Nathan, This is not instructor basis lab you will be given scenarios to practice and solve on your own. There is some assistance but mainly you're on your own. You can either practice on our simulation test and scenarios or troubleshoot your own problem/test and the ccie practice lab exercises do include solutions for most of the exercises. The lab hours are 9 am to 5 p.m., Monday through Friday, there is no CCIE practice lab on the weekends. Please note enrollment is on a first come first serve basis. This lab is setup for Routing and Switching.
Best Regards, Fardin Rahim
CCIE practice lab
Kevin Welch wrote:
I was wondering if anyone has any experience using the CCIE Prep Lab facility at UCSC. Thoughts, comments, usefulness of this facility appreciated.
-- Kevin
Re: IP Tunneling - Typical requirement
If I understand your requirements correctly, what you need to do is configure an IPSEC tunnel between your network and the customer network. Many companies that are doing business via the internet use IPSEC to create secure encrypted access into their intranets or extranets. If you are not concerned about security of clear text traffic between your company and your partners then just simply open up your router/firewall to permit this connection.
--- A Mateen [EMAIL PROTECTED] wrote:
Hi ! I have a typical requirement as follows
1. I have a public network
2. One of the customers is having the public IP from other service provider.
3. my requirement is that I want to route the IP packets of the other ISP network via my routing policies and my IP network.
4. I was planning to put a tunnel ip over ip and convert the other ISP IPs into my registered public IPs at interface with both the routers.
5. I am looking for such configuration
Pls guide me to do so
RE: Frame Relay
I would disagree with the statement below. Ethernet, Token Ring etc are interacting with the upper layers. For example Ethernet II has an Ethertype value that identifies the upper layer (0x0800 is IP), the same goes for DSAP/SSAP values in the 802.3 header. The OSI layers are somewhat independent of each other except at the borders where they interact. For IP the interaction between the layer 3 and higher uses a Protocol ID field in the header to specify TCP, UDP, EIGRP etc. Regarding Frame Relay this is done in the encapsulation part. For example if you would use the IETF encapsulation method you (the system) would use a NLPID that identifies the upper layer protocol. For more info on this see http://andrew2.andrew.cmu.edu/rfc/rfc1490.html . Cisco uses a proprietary encapsulation as well where 2 bytes are used for indicating packet type.
Willy Schoots
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rik Guyler
Sent: Thursday, February 01, 2001 3:29 PM
To: Cisco Groupstudy (E-mail)
Subject: RE: Frame Relay
Layer 2
Seriously, FR is a Layer 2 protocol, as is Ethernet, Token Ring, etc. As those other protocols support numerous Layer 3 (or higher) protocols, so will FR. The beauty of the OSI model is that there is separation of the layers without too much interaction between them. In other words, the Layer 4 datagrams get encapsulated into the Layer 3 packets, which in turn get encapsulated into Layer 2 frames. FR doesn't care for the most part what is "inside" the Layer 3 stuff coming down the pipe. ;-}
Rik
-----Original Message-----
From: Pierre-Alex [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 8:41 AM
To: [EMAIL PROTECTED]
Subject: Frame Relay
What element in a frame relay packet allows support for multiple protocols?
Pierre-Alex
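How the NLPID mentioned in the reply selects the upper-layer protocol, as an added example that is not part of the original thread: a parser for the RFC 1490 (IETF) header that follows the 2-octet Q.922 address. The sample frames are constructed for this example, and Cisco's own 2-byte encapsulation is not covered.

```python
# NLPID values used by RFC 1490 and a few Ethertypes carried in its SNAP form.
NLPID = {0xCC: "IP", 0x81: "ISO CLNP", 0x80: "SNAP", 0x08: "Q.933"}
ETHERTYPE = {0x0800: "IP", 0x0806: "ARP", 0x8137: "IPX"}


def parse_rfc1490(frame: bytes) -> dict:
    """Identify the upper-layer protocol of an IETF-encapsulated frame.

    `frame` starts at the Q.922 address (flags and FCS already removed).
    """
    if len(frame) < 4:
        raise ValueError("frame too short")
    a0, a1 = frame[0], frame[1]
    # The EA bit (lowest bit) is 0 in the first address octet and 1 in the last.
    if a0 & 0x01 or not a1 & 0x01:
        raise ValueError("only the 2-octet Q.922 address is handled here")
    dlci = ((a0 & 0xFC) << 2) | (a1 >> 4)
    if frame[2] != 0x03:
        raise ValueError("control field is not UI (0x03)")
    pos = 3
    if frame[pos] == 0x00:          # optional pad octet; 0x00 is never a valid NLPID
        pos += 1
    if pos >= len(frame):
        raise ValueError("no NLPID after the pad octet")
    nlpid = frame[pos]
    pos += 1
    protocol = NLPID.get(nlpid, f"unknown NLPID 0x{nlpid:02X}")
    if nlpid == 0x80:               # SNAP: 3-octet OUI followed by a 2-octet PID
        if len(frame) < pos + 5:
            raise ValueError("truncated SNAP header")
        oui = frame[pos:pos + 3]
        pid = int.from_bytes(frame[pos + 3:pos + 5], "big")
        pos += 5
        if oui == b"\x00\x00\x00":  # OUI 00-00-00 means the PID is an Ethertype
            protocol = ETHERTYPE.get(pid, f"Ethertype 0x{pid:04X}")
        else:
            protocol = f"SNAP OUI {oui.hex()} PID 0x{pid:04X}"
    return {
        "dlci": dlci,
        "fecn": bool(a1 & 0x08),
        "becn": bool(a1 & 0x04),
        "de": bool(a1 & 0x02),
        "nlpid": nlpid,
        "protocol": protocol,
        "payload": frame[pos:],
    }


# Constructed sample frames, all on DLCI 100 (address octets 0x18 0x41).
IP_FRAME = bytes.fromhex("184103cc") + b"\x45\x00\x00\x14"
IPX_FRAME = bytes.fromhex("18410300800000008137") + b"\xff\xff"
ODD_FRAME = bytes.fromhex("184503aa00")           # BECN set, NLPID not in the table

if __name__ == "__main__":
    for f in (IP_FRAME, IPX_FRAME, ODD_FRAME):
        info = parse_rfc1490(f)
        print(info["dlci"], info["protocol"], info["payload"].hex())
```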
How is Cisco CCNP Remote Access Exam Certification Guide ?
To All, Did anyone use Cisco CCNP Remote Access Exam Certification Guide to pass the BCRAN ? Did anyone use any of the Exam Certification Guide for any of the CCNP exams ? Were these books any help? Comments are welcome. Thank you.
Raheem
[2511..loses Config When I Reboot it]
Hi! I have configured 2511 from TFTP server, it runs fine after Loading config from TFTP, but if I reboot it with "RELOAD" command it loses its entire content. I used following sequence EXACTLY
1. COPY TFTP STAR
2. COPY STAR RUN
3. COPY RUN STAR
4. RELOAD
Still I got above problem. Any solution cause? Thanks a lot in advance.
Regards MK
Wire speed (wasRe: What should I block???)
PIX is wire-speed, hardware based! Checkpoint is based on the box you have it installed, which could be better than PIX's box... agreed!, but it is also software based. CheckPoint does have an embedded hardware based box made by NOKIA, but that market is not doing so well.
Khalid Khan
"Wire speed" and "hardware based" come up often in many discussions, but need to be taken with MANY grains of salt. By and large, they are marketing hype.
* On Wire Speed (but what about fiber?) *
Start by considering that the packet rate _must_ be less than the "wire" transmission rate on "wires" using encoding such as 4B/5B or 8B/10B. There's been a recent discussion thread on the IETF Benchmarking Methodology Working Group mailing list about whether "wire speed" is a terribly useful or meaningful term. The consensus is that it is not. A couple of expert comments:
At 8:27 PM -0500 1/19/2001, Scott Bradner wrote:
RFC 2544 and its parent 1944 don't use the term wire-speed. and I think that was an omission
too many people are using the term "wire speed" in their own ways
Internet average packet size, Internet packet size mix, and minimum sized packets are all definitions I've seen - to me it's only the last one that makes sense
At 7:41 AM -0500 1/22/2001, Jim McQuaid wrote:
I agree with Scott. The only meaningful definition is handling the maximum possible frame rate, i.e. the minimum size packets. This is the "implied" definition of wire speed, even if the reality is quite different. Every so often there has been discussion of "average" traffic or "typical" traffic. It is possible to imagine coming up with some defined 'bag of frames' that represents "typical traffic" but in reality the consensus is never there. There is no such thing as "typical" traffic for testing purposes. The well-defined (if artificial) traffic loads of 2544 and others are the workable, implementable and consensus ways to do this, it seems.
At 8:47 AM -0800 1/22/2001, David Newman wrote:
I would say the wire rate is 10Gbps because the physical interface is able to forward 10Gbps.
No. Some physical media ALWAYS operate at X bits per second, regardless of whether they carry packets. A measurement that says "this interface operates at X bit/s" isn't terribly meaningful if the forwarding rate is 0 pps.
At 3:07 PM -0800 1/25/2001, Ramesh Menon wrote:
I posed this question originally but had to drop out of the thread for a bit. Jambi, thanks for guiding it back to the original question. Jim, you asserted in an earlier mail: "Let's focus on the goal. If it is to benchmark for router performance, we have what we need." Routers are not the only interesting devices out there that need benchmarking. The great thing about 2544 is that it can be used for benchmarking NICs, analyzers etc. The design (and price point) for a lot of these are different from routers. Some of these have no concept of forwarding and as such are optimized for other metrics, including price/performance. While it may do less than 100% at 64 byte frames it can keep up with every situation out there bar synthetic traffic. The reality on the ground is that it is not easy for engineers in companies with marketing departments to go out and say that their card (not *router*) can keep up with only 75% at the smallest frame size. This is even if none of their customers would care. Quoting Jim again "... "implied" definition of wire speed, even if the reality is quite different". I have spent quite a bit of time on standards bodies before and I would argue that if we don't take *reality* into account, we are quickly going to be written off to oblivion. DUT vendors that can do 100% will report at every frame size, those that can't must have the option to report for a mix. I would urge this group to adopt a more pragmatic and practical approach to this issue.
*** On Being Hardware Based ***
Ummm...I hate to say it, but there is very little practical software that isn't hardware based. People also rarely make the distinction of whether something is running a real-time operating system (IOS, VXworks, etc.) versus a general purpose operating system (e.g., MacOS, UNIX, NT). For that matter, what if the OS is kernelized? Is MACH hardware based? What if the routing processes run over pthreads in a multiprocessing environment (i.e., all the processors are general purpose RISC or CISC, not ASIC). Which of the following is software based? Hardware based? Which is fast? Slow?
1. An ASIC for route lookup which has been loaded with a lookup table computed on a 68000 processor?
2. The RISC processor in a VIP, using a FIB created in a RISC RSP8?
3. Optimum switching in an RSP, given the lookup uses a CAM with content set up by a RISC?
4. CEF on a 7200 with a NPE-300?
5. Silicon switching on a 7000 with a 68040 CPU?
Re: Ip addressing question
RFC 950 was the original subnetting rule that did not allow the use of subnet zero. The new RFC 1812 does allow the use of subnet zero. This assumes that you are using a routing protocol that is aware of the difference between 131.107.0.0/16 and 131.107.0.0/17.
Looking for Cheap or Used Book
Dear Group, I'm currently studying for a distance degree, does anybody have the 2 books below? If any member has them, kindly let me know the edition and also whether it is hardcover or paperback? Or does anyone know where I can buy them cheap in Malaysia.
1) Computer Network and Internet by Douglas E. Comer, Publisher: Prentice Hall
2) Business Data Communication and Networking by J. Fitzgerald & A. Dennis, Publisher: John Wiley & Sons
Thanks and Best Regards,
Steiven Poh
TFTP Server
How do you setup a WindowsME laptop as a TFTP server so that you can upload/download Cisco configs? Thanks.
nat vs pat
Thanks for all the help, it is clear now.
nat vs pat
Can someone please explain to me the difference between NAT and PAT.
radius and dynamic address assignment
Can anyone tell me, how I could assign IP Addresses dynamically using RADIUS ( cistron on a Linux machine ) and is accounting possible with that server ?
thx hans
highly recommended vendor training
My coworkers and I have taken many Cisco courses at Mentor Technologies (http://www.mentortech.com). All agree that each training experience was excellent. They go above and beyond the normal training in that they create additional customized labs to reinforce the course material.
Randy
1605 Gateway?
Hey all, I know this subject has been touched on previously and there were some postings in the archive. However, the threads I looked at were not very definitive. So, can someone relate tips, experiences, or, if possible, config scripts on how to use my 1605 to route into a hub for connection sharing on my Cable Modem. And, yes, it is a two-way connection. I have tried John Seaman's config, but, am not able to get past my router's gateway. Any help, ladies and gents?
TIA, Rob
Inquiries...
Hi All, I am wondering what is the command line to put in main router to make the remote routers synchronize the time with the main router. We are in east coast (Eastern time). Does anyone know who is the Company that can install a DARKFIBER in New York area?
Thanks, Mike
RE: Catalyst 6500
Maybe one of the attached hosts is a server with routing enabled?
-----Original Message-----
From: user [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 10:45 AM
To: [EMAIL PROTECTED]
Subject: Catalyst 6500
How can separate VLANs on a 6500 talk without routing enabled? It's happening and I can't figure out how. Thanks...
RE: nat vs pat
http://www.cisco.com/warp/public/556/index.shtml
-----Original Message-----
From: Thomas Tran [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 9:49 AM
To: [EMAIL PROTECTED]
Subject: nat vs pat
Can someone please explain to me the difference between NAT and PAT.
Radius and Accounting ?
Hi! For our Dial-In-Concept we are trying to install Radius-Service - As we also want to bill the customers ( based on connection time ) we have to use Radius Accounting - up-to-now we are using Cistron Radius on a Linux machine - but I realized that the accounting information which this server provides are limited - Does anyone know a Radius Server which provides DETAILED information about their connected users - would be nice if you could help me.
thanx hans
COLT Telecom Austria GmbH
Hans Schimek
Router Technician
Kärnter Ring 12
1010 Vienna - Austria
Phone: +43 1 20500-315
Fax: +43 1 20500-399
Mobile: +43 69910605315
mailto:[EMAIL PROTECTED]
http://www.colt-telecom.at
Re: [2511..loses Config When I Reboot it]
In sh ver what does the config-register say?
Brian
From: Manishkumar Patel [EMAIL PROTECTED]
Reply-To: Manishkumar Patel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [2511..loses Config When I Reboot it]
Date: 1 Feb 2001 12:45:20 EST
Hi! I have configured 2511 from TFTP server, it runs fine after Loading config from TFTP, but if I reboot it with "RELOAD" command it loses its entire content. I used following sequence EXACTLY
1. COPY TFTP STAR
2. COPY STAR RUN
3. COPY RUN STAR
4. RELOAD
Still I got above problem. Any solution cause? Thanks a lot in advance.
Regards MK
Re: Inquiries...
On dark fiber in nyc, try http://www.mmfn.com/
ak
Mike Peterson wrote:
Hi All, I am wondering what is the command line to put in main router to make the remote routers synchronize the time with the main router. We are in east coast (Eastern time). Does anyone know who is the Company that can install a DARKFIBER in New York area?
Thanks, Mike
RE: Radius server - which one should I use ?
Don't forget about Cisco ACS which supports TACACS+ and RADIUS. Dual support was a plus and finalized my decision. It costs a little more, but comes with more functionality.
-----Original Message-----
From: Luke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 7:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Radius server - which one should I use ?
Hans, Steelbelted radius worked very well for us, used with VPN, RAS using local and/or pass-thru authentication to NT domain(s). They provide a full featured eval on the WEB at www.funk.com Can be run on WNT or Unix, supports SQL database. Very robust system and good support from the vendor.
Regards,
"Schimek, Hans" [EMAIL PROTECTED] wrote in message news:D602426F3CB3D411952E009027DDDB9DC94387@VIE501NT...
Hi ! can anyone recommend a windows-based radius server - respectively can anyone send it to me - for test reasons
thx hans
Re: OSPF command
Yes, in the network area command, 0.0.0.1 and 1 are equivalent, but in this situation I don't see why you'd want to do it that way; it just creates extra typing for you. Either notation works, but I personally see no advantage to using the dotted-decimal notation unless you wanted to create some sort of hierarchical numbering system for your areas. Perhaps in your non-backbone areas you could use the loopback interface IP address of some important router as your area number. That might simplify troubleshooting in some instances, but I think it would create more headaches than necessary in the long run.
Just my $.02, John
network 192.168.100.0 0.0.0.255 area 0.0.0.1
Will the router take the 0.0.0.1 as area 1? Is there a good reason to do this? Thanks in advance,
Duncan Maccubbin
Senior Network Engineer - ICS LLC
CCNA, CCNP
RE: 2620 wic interfaces
You could go with a couple of WIC-2T's. Then you could use your 2600 as a frame switch in the future. This would give you 4 serial ports on one box. Obviously the WIC-1T's are cheaper and more plentiful on E-bay.
-----Original Message-----
From: Brad Ellis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 31, 2001 7:27 PM
To: [EMAIL PROTECTED]
Subject: Re: 2620 wic interfaces
Mo, I'd recommend ordering WIC-1Ts for your 26xx router. The WIC-1T has a DB60 serial connection which can be very easily connected to one of your 25xx routers via a DB60-DB60 x-over cable.
-B
"mo" [EMAIL PROTECTED] wrote in message news:00c601c08ca6$13dbb700$04796520@mo...
hi all; I am considering getting a 2620 or 2621 router to keep my 2500 routers company in my home lab. Never having really worked with one i am a bit confused as to what wan interface to order. I would like to connect the 262x over a cisco cross cable (one of those 60 pin jobs that gets discussed here frequently) to one or more of my 2500s. what wic should i order ? will the current cables i have do ?
thanks; mo (ex lurker)
RE: Strange scenario
Have you left the default timeout at 2 seconds? If you raise that, you may have more luck. I have seen this on WAN links several times.
Jim
-----Original Message-----
From: Mustafa Kemal Furat [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 6:44 AM
To: suaveguru; [EMAIL PROTECTED]
Subject: RE: Strange scenario
Hi! (Ping packets Should be less than 18000 bytes) Did you try changing MTU size to a value less than 12000 on both sides?
-----Original Message-----
From: suaveguru [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 9:56 AM
To: [EMAIL PROTECTED]
Subject: Strange scenario
Can I borrow someone's brain since mine is dead.
Problem: One of my customer claims they can't ping 15000 bytes per packet cross the satellite link after the circuit was upgraded on Monday. After the test, I confirmed their claim. I couldn't ping anything larger than 12000 bytes cross the link, this is true to all other customers.
Questions: Is this limited by the IOS or platform? Do you know if there is a size limitation in the ping command?
Re: nat vs pat
Thomas,
NAT (Network Address Translation) - every inside (private) address is directly translated to a valid (public) outside address - one to one. eg
10.1.1.1 144.1.1.1
10.1.1.2 144.1.1.2
PAT (Port Address Translation) - every inside address is translated using one or more addresses but using also the ports number also to specify the connection. Each ip address can have 4000 translations on it. eg
10.1.1.1 144.1.1.1:1025
10.1.1.2 144.1.1.1:1026
. . . . . .
10.1.255.1 - 144.1.2:2002
Rich
On Feb 1, 4:57pm, Thomas Tran chatted about:
Subject: nat vs pat
Can someone please explain to me the difference between NAT and PAT.
-- End of waffle from Thomas Tran --
*** Please copy your emails to [EMAIL PROTECTED] ***
Richard Gallagher
Euro-CATS
Cisco Systems Belgium
Pegasus Park
De Kleetlaan, 6A
BE 1831 Diegem
Office: +32 2 704 5000
Direct: +32 2 704 5421
Fax: +32 2 704 6000
email: [EMAIL PROTECTED]
http://www.cisco.com/tac
"Normal people believe that if it ain't broke, don't fix it. Engineers believe that if it ain't broke, it doesn't have enough features yet."
Check out this link: http://www.cisco.com/warp/customer/63/
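The two translation tables described in the answer above, as an added example that is not part of the original thread: a small model of one-to-one NAT and of PAT using the post's sample addresses. The class names, the first port 1025 and the inside source port 3000 are assumptions of this example; the limit of 4000 translations per address is the figure quoted in the post.

```python
class OneToOneNat:
    """NAT: every inside address is given its own outside address."""

    def __init__(self, outside_pool):
        self.free = list(outside_pool)
        self.table = {}                      # inside_ip -> outside_ip

    def outbound(self, inside_ip):
        if inside_ip not in self.table:
            if not self.free:
                raise RuntimeError("NAT pool exhausted: no outside address left")
            self.table[inside_ip] = self.free.pop(0)
        return self.table[inside_ip]

    def inbound(self, outside_ip):
        """Return the inside host for an outside address, or None (drop)."""
        for inside, outside in self.table.items():
            if outside == outside_ip:
                return inside
        return None


class Pat:
    """PAT: many inside hosts share one outside address, told apart by port."""

    def __init__(self, outside_ip, first_port=1025, max_translations=4000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.max_translations = max_translations
        self.out = {}                        # (inside_ip, inside_port) -> outside_port
        self.back = {}                       # outside_port -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.out:
            if len(self.out) >= self.max_translations:
                raise RuntimeError("PAT table full for " + self.outside_ip)
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.outside_ip, self.out[key])

    def inbound(self, outside_port):
        """Return (inside_ip, inside_port) for a reply, or None (drop)."""
        return self.back.get(outside_port)


if __name__ == "__main__":
    nat = OneToOneNat(["144.1.1.1", "144.1.1.2"])
    print(nat.outbound("10.1.1.1"), nat.outbound("10.1.1.2"))
    pat = Pat("144.1.1.1")
    print(pat.outbound("10.1.1.1", 3000), pat.outbound("10.1.1.2", 3000))
    print(pat.inbound(1026), pat.inbound(40000))
```

With PAT, a packet arriving on a port that has no entry in the table matches no inside host, so it is not forwarded; with one-to-one NAT the pool runs out as soon as there are more inside hosts than outside addresses.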
Re: Inquiries...
Mike, You need to look at NTP (Network Time Protocol). See the following link for more info: http://www.cisco.com/univercd/cc/td/doc/product/software/ios11/cbook/csysmgmt.htm#xtocid398114
Rich
On Feb 1, 5:12pm, Mike Peterson chatted about:
Subject: Inquiries...
Hi All, I am wondering what is the command line to put in main router to make the remote routers synchronize the time with the main router. We are in east coast (Eastern time). Does anyone know who is the Company that can install a DARKFIBER in New York area?
Thanks, Mike
-- End of waffle from Mike Peterson --
*** Please copy your emails to [EMAIL PROTECTED] ***
Richard Gallagher
Euro-CATS
Cisco Systems Belgium
Pegasus Park
De Kleetlaan, 6A
BE 1831 Diegem
Office: +32 2 704 5000
Direct: +32 2 704 5421
Fax: +32 2 704 6000
email: [EMAIL PROTECTED]
http://www.cisco.com/tac
"Normal people believe that if it ain't broke, don't fix it. Engineers believe that if it ain't broke, it doesn't have enough features yet."
Check out this link: http://www.cisco.com/warp/customer/63/
Re: Catalyst 6500
I have the same problem with our 6509. We have three VLANs,
subnet *.*.112.0/23 VLAN 0001
*.*.214.0/24 VLAN 90
*.*.212.0/24 VLAN 91
VTP server mode is enabled but no trunking or routing is enabled on all ports. When I try to ping from a wkstn on subnet *.*.112.0/23 the IP addresses *.*.214.3 or *.*.214.4 it's successful. But when I try to ping any other addresses aside from *.*.214.3 and *.*.214.4 it's unsuccessful. When I go to a wkstn who is a member of VLAN 90 and try pinging *.*.112.3 and *.*.112.4 I'm also successful, any other address is unsuccessful. Can anybody tell me what is the reason? Any help will be appreciated.
-----Original Message-----
From: Fowler, Joey [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, February 01, 2001 6:47 PM
Subject: RE: Catalyst 6500
Maybe one of the attached hosts is a server with routing enabled?
-----Original Message-----
From: user [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 10:45 AM
To: [EMAIL PROTECTED]
Subject: Catalyst 6500
How can separate VLANs on a 6500 talk without routing enabled? It's happening and I can't figure out how. Thanks...
Re: What should I block???
I've got a better idea... get rid of the Checkpoint firewall and let the PIX handle everything. :-) Seriously, the PIX is a lot beefier machine. I would reconsider your decision to let the Checkpoint handle the brunt of the traffic. The PIX can handle far more traffic than the Checkpoint, assuming you have a fairly new PIX and your checkpoint FW isn't a dual 1.5 GHz Pentium III with a gig of RAM. Then again, I may be wrong and your mileage may vary. I guess that I can't really give you a definite answer without knowing more about your specific goals and network topology.
Hi Group, I know that this is going to be very broad but just bear with me on this one. We are switching over our firewall router from a bay to a cisco. The cisco one that I am going to work on is already pre-configured except for access-lists and filters. What they basically told me is that the checkpoint device behind it will take care of all of the intense blocking and forwarding, but on this FW-router we just want to block the basic things that are usually not allowed through. Here's what I was hoping for. Just a basic list of things that are normally blocked on the router above the FW. For example, I know that I'm gonna set an inbound access-list denying telnet so that the checkpoint doesn't even have to worry about that. I am just looking for a list of services/ports/etc., that as a rule of thumb to you FW gurus, are usually denied. I know this is broad and I'll understand if I don't get much feedback. Gotta also find that whitepaper on FW's. Considering this will be my first time coming anywhere near a FW (FW Virgin) I'm a little nervous and hope you guys can help out. Thanks all, =o) Mark Z...
Re: nat vs pat
Can someone please explain to me the difference between NAT and PAT. NAT is the direct translation of one IP address to another. As an example, let's say you had a /28 block of external registered addresses (let's use 200.10.10.0/28, I have no idea who that really is) and you're using the 10.0.0.0 private network addresses inside. If you were using NAT only, the first device requiring an outgoing internet-routable address from your network would get one IP address from your /28. The next device would get another IP address from the pool. However, once you've used up your 14 usable addresses, you're in trouble; you have no more addresses left. Now, if you were using PAT in conjunction with NAT, the first 14 addresses would be assigned in the same way as the first example. The difference is what happens when the next device requires an IP address. Let's say the 14th request for an address was user IP 10.1.1.1 browsing the web. His source IP is 10.1.1.1, and source port is 4684 (just for grins.) When this IP is translated, the port is translated as well, so you might end up with a mapping like 10.1.1.1(4684) to 200.10.10.14(65001). So, the outside world would see that last IP/port combo as that user. Now, another user wants to do some web surfing and they need an outside address. Let's say they are 10.1.1.42(5812). They would be translated to the *same* IP address as the previous person, 200.10.10.14, but to a different port, perhaps 65002 (I'm being very arbitrary about these numbers, but you get the idea.) This allows you to have FAR more than 14 users without requiring you to get a larger block of assigned addresses. Using NAT and PAT, you could quite easily handle hundreds of users with only a /28 block of public addresses. I hope that makes sense. It's early and I'm only on my second cup of coffee. 
:-) John
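The translation behaviour described in this post, as an added example that is not part of the original message: a small translation table that hands out pool addresses one-to-one and then overloads the last address with PAT. It assumes the last usable address of the /28 is the one shared by port translation and that PAT ports start at 65001, the arbitrary figure used in the post; the `NatPatTable` class and the 10.0.0.x hosts are hypothetical.

```python
"""NAT with PAT overload, following the numbers in the post (added example)."""
import ipaddress


class PoolExhausted(Exception):
    """Raised when no address or port is left for a new translation."""


class NatPatTable:
    def __init__(self, pool_cidr, pat_ports=range(65001, 65536)):
        hosts = list(ipaddress.ip_network(pool_cidr).hosts())
        # Assumption: every usable address except the last is given out
        # one-to-one (plain NAT); the last one is shared through PAT.
        self.free_static = hosts[:-1]
        self.pat_address = hosts[-1]
        self.free_ports = iter(pat_ports)  # arbitrary range, as in the post
        self.static = {}      # inside IP -> outside IP
        self.static_rev = {}  # outside IP -> inside IP
        self.pat = {}         # (inside IP, port) -> (outside IP, port)
        self.pat_rev = {}     # (outside IP, port) -> (inside IP, port)

    def outbound(self, inside_ip, inside_port):
        """Return the (outside IP, outside port) a flow is translated to."""
        inside_ip = ipaddress.ip_address(inside_ip)
        if inside_ip in self.static:
            return self.static[inside_ip], inside_port
        key = (inside_ip, inside_port)
        if key in self.pat:
            return self.pat[key]
        if self.free_static:
            outside = self.free_static.pop(0)
            self.static[inside_ip] = outside
            self.static_rev[outside] = inside_ip
            return outside, inside_port
        port = next(self.free_ports, None)
        if port is None:
            raise PoolExhausted("no free PAT port on %s" % self.pat_address)
        mapping = (self.pat_address, port)
        self.pat[key] = mapping
        self.pat_rev[mapping] = key
        return mapping

    def inbound(self, outside_ip, outside_port):
        """Map a packet arriving from outside back to the inside host.

        Returns None when no translation exists: on the shared PAT address
        the outside port is the only thing that identifies the inside host,
        so logs without it cannot be attributed to a user.
        """
        outside_ip = ipaddress.ip_address(outside_ip)
        if outside_ip in self.static_rev:
            return self.static_rev[outside_ip], outside_port
        return self.pat_rev.get((outside_ip, outside_port))


def demo():
    table = NatPatTable("200.10.10.0/28")
    # Constructed inside hosts that use up the 13 one-to-one addresses.
    for i in range(1, 14):
        table.outbound("10.0.0.%d" % i, 40000 + i)
    rows = []
    for ip, port in [("10.1.1.1", 4684), ("10.1.1.42", 5812)]:
        out_ip, out_port = table.outbound(ip, port)
        rows.append("%s(%d) -> %s(%d)" % (ip, port, out_ip, out_port))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```
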
Re: Serial Line Protocol Problems
Hie - you should have DTE cable on one router and the other DCE - check your clock-rate on the DCE interface - you could also check the encapsulation on either interfaces, they should match bosire
Albert Lu wrote: Hi All, I've got a problem with the serial port of a 2500 of mine. I used a serial back to back cable, in order to connect 2 2500s. I know what a normal response the 2500 should give, it should normally detect that the interface is up (I've used no shutdown already), and then set the line protocol to up. For one of the serial ports, the interface and the line protocol changes to up when I connect the two routers together. But after awhile, this is what I get:
01:30:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:32:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
It keeps continuing. From what I can see, the line protocol keeps going up and down periodically, however the interface is still up. This is what I've tried: - Different cables. - Different serial ports - Changing clock rate and bandwidth - Rebooting the router Could someone give me some suggestions? Thanks Albert
-- Richard Bosire Network Engineer CCNA,CCSE AfricaOnline (k) Ltd tel +254-2-243775 fax +254-2-243762 http://www.africaonline.co.ke
Re: What should I block???
PIX is wire-speed, hardware based! Checkpoint is based on the box you have it installed, which could be better than PIX's box... agreed!, but it is also software based. CheckPoint does have an embedded hardware based box made by NOKIA, but that market is not doing so well. Khalid Khan
"John Neiberger" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
I've got a better idea... get rid of the Checkpoint firewall and let the PIX handle everything. :-) Seriously, the PIX is a lot beefier machine. I would reconsider your decision to let the Checkpoint handle the brunt of the traffic. The PIX can handle far more traffic than the Checkpoint, assuming you have a fairly new PIX and your checkpoint FW isn't a dual 1.5 GHz Pentium III with a gig of RAM. Then again, I may be wrong and your mileage may vary. I guess that I can't really give you a definite answer without knowing more about your specific goals and network topology.
Hi Group, I know that this is going to be very broad but just bear with me on this one. We are switching over our firewall router from a bay to a cisco. The cisco one that I am going to work on is already pre-configured except for access-lists and filters. What they basically told me is that the checkpoint device behind it will take care of all of the intense blocking and forwarding, but on this FW-router we just want to block the basic things that are usually not allowed through. Here's what I was hoping for. Just a basic list of things that are normally blocked on the router above the FW. For example, I know that I'm gonna set an inbound access-list denying telnet so that the checkpoint doesn't even have to worry about that. I am just looking for a list of services/ports/etc., that as a rule of thumb to you FW gurus, are usually denied. I know this is broad and I'll understand if I don't get much feedback. Gotta also find that whitepaper on FW's. Considering this will be my first time coming anywhere near a FW (FW Virgin) I'm a little nervous and hope you guys can help out. Thanks all, =o) Mark Z...
RE: Serial Line Protocol Problems
Can you tell what is the clocking on both the router.. To me this appears to be a clocking issue...
-Original Message- From: Perusek, Rick [SMTP:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 10:47 AM To: 'Albert Lu'; GroupStudy Subject: RE: Serial Line Protocol Problems
Hi Albert, Are you using the same encapsulation type on both interfaces? (Probably HDLC for a back to back hookup.) What about keepalives? Are they set to the same value at both ends? It sounds like one router is sending keepalives and the other one is not. Rick
-Original Message- From: Albert Lu [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 7:58 AM To: GroupStudy Subject: Serial Line Protocol Problems
Hi All, I've got a problem with the serial port of a 2500 of mine. I used a serial back to back cable, in order to connect 2 2500s. I know what a normal response the 2500 should give, it should normally detect that the interface is up (I've used no shutdown already), and then set the line protocol to up. For one of the serial ports, the interface and the line protocol changes to up when I connect the two routers together. But after awhile, this is what I get:
01:30:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:32:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
It keeps continuing. From what I can see, the line protocol keeps going up and down periodically, however the interface is still up. This is what I've tried: - Different cables. - Different serial ports - Changing clock rate and bandwidth - Rebooting the router Could someone give me some suggestions? Thanks Albert
RE: Serial Line Protocol Problems
I'd try debug interface, or lmi if you are using frame and see what the sequence numbers look like. Also what does the show controllers look like for this interface? Brian
From: "Perusek, Rick" [EMAIL PROTECTED] Reply-To: "Perusek, Rick" [EMAIL PROTECTED] To: "'Albert Lu'" [EMAIL PROTECTED],GroupStudy [EMAIL PROTECTED] Subject: RE: Serial Line Protocol Problems Date: Thu, 1 Feb 2001 10:47:26 -0500
Hi Albert, Are you using the same encapsulation type on both interfaces? (Probably HDLC for a back to back hookup.) What about keepalives? Are they set to the same value at both ends? It sounds like one router is sending keepalives and the other one is not. Rick
-Original Message- From: Albert Lu [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 7:58 AM To: GroupStudy Subject: Serial Line Protocol Problems
Hi All, I've got a problem with the serial port of a 2500 of mine. I used a serial back to back cable, in order to connect 2 2500s. I know what a normal response the 2500 should give, it should normally detect that the interface is up (I've used no shutdown already), and then set the line protocol to up. For one of the serial ports, the interface and the line protocol changes to up when I connect the two routers together. But after awhile, this is what I get:
01:30:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:31:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:31:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
01:32:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
01:32:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
It keeps continuing. From what I can see, the line protocol keeps going up and down periodically, however the interface is still up. This is what I've tried: - Different cables. - Different serial ports - Changing clock rate and bandwidth - Rebooting the router Could someone give me some suggestions? Thanks Albert
RE: DR Election
Brian, Can you forward the ospf configs for the R3, R5 and R6. Also the following commands from R3 and R5 "show ip ospf virtual-links" and a "show ip ospf" Thanks, Brian
-Original Message- From: Brian Lodwick [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 7:28 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: DR Election
Brian, I would like to see if you, or anyone on the list can assist me in getting this config to work correctly. Lab: I have 3 routers (2501's) 1 frame switch, ~hub and spoke topology backbone. 2 other routers (2501's) for my virtual-link. The backbone is configured with NBMA, and off of each backside is an (ethernet) broadcast area labeled 1, 2, and 3. Off of r5's ethernet is area 2. I have connected r3's ethernet to this segment, and the serial side of r3 is another area -area 4. I have setup the ethernet interface on the r3 a virtual link to r5 through that (ethernet segment) broadcast area. The problem is that r5 doesn't get routing information for area 4. All the other routers do receive routing information for area 4 through the virtual-link, and area 4 receives routing info for everything else. There seems to be a problem with the virtual-link setup.
                          ___r5---area 2---r3---area 4
                         /
area 1---r6--frameswitch
                         \___r4---area 3
Now after reading over my message it looks like I need to include some configs. I'll get to the lab and copy some configs. I'll just throw this out there and see if anyone can see any mistakes that stick out. Brian
From: "Brian Dennis" [EMAIL PROTECTED] Reply-To: "Brian Dennis" [EMAIL PROTECTED] To: "Brian Lodwick" [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: DR Election Date: Wed, 31 Jan 2001 13:13:11 -0800
Brian, An OSPF virtual link is treated as an IP unnumbered point-to-point link. There isn't a DR or BDR on an OSPF point-to-point link.
Brian Dennis CCIE #2210 (RS)(ISP/Dial) CCSI #98640 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Lodwick Sent: Wednesday, January 31, 2001 12:40 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: DR Election What about this configuration I can't get this to work right? NBMA backbone area w/virtual-link punching through a broadcast area to the backbone. Does the router off of the virtual link create an adjacency with the DR/BDR on the backbone? Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: DR Election Date: Wed, 31 Jan 2001 15:00:13 -0500 What about Virtual-links too, aren't they considered a traffic type? I might be getting in trouble here answering off the top of my head, but IIRC they are treated as point-to-point links terminating in the router ID at each end. Brian From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: DR Election Date: Wed, 31 Jan 2001 12:19:07 -0500 There are three main types on environments (I hope) Correct, but also let me add: Demand circuit Broadcast Point-to-Point NBMA (Non-Broadcast Multi-Access) Point to Point would not be a multi-access segment. The other two would. An Example of Broadcast is Ethernet, while an example of NBMA would be Frame-Relay. Following this logic ' DR and BDR concepts ' would not have to be broadcast, only multi-access. Point to point creates an adjacency instead of using DR's and BDR's. I hope the diagram below turns out, but the first one is point to point, so information is exchanged directly, however in a multi-access environment both other routers only exchange information with the DR so as not to have to have an adjacency with every single router. X---X O X-| O If OSPF worked that way and you had 10 routers connected via Ethernet, each would each have to exchange information with the other 9. 
That would create 45 adjacencies. Way too much traffic would have to be exchanged. With those same 10 Routers using OSPF DR and BDR concepts, you could have 1 Router with 10 "Adjacencies" total. Much less routing traffic. I hope I haven't muddled things too much. Joey
-Original Message- From: pinoal [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 31, 2001 2:58 AM To: [EMAIL PROTECTED] Subject: DR Election
Hi , From the OSPF Design Guide - Sam Halabi ' DR and BDR concepts are per multiaccess segment ' My question is what type of segments are considered as "multiaccess segment" ? Ethernet , FR with Point-to-Multipoint with broadcast option enabled , any others?? What does he mean by 'per multiaccess segment ' ? thanks
Re: [2511..looses Config When I Reboot it]
My first thought is that your config register is set to ignore the startup config upon boot. Make sure it is set to 0x2102. I should mention that we have a 2511 here that exhibits a similar problem, but only with select portions of the config. If I were to reboot it right now, the running config would still show all of my dialer in-band statements and my encapsulation ppp statements. Yet, if you do a show interfaces, they all will show SLIP as the encapsulation. And, if you make config changes to the dial backup config, it will report "Must configure dialer in-band first" or something to that effect. My solution is to do copy start run after every reboot, or manually type in those two commands. HTH, John
Hi! I have configured 2511 from TFTP server, it runs fine after Loading config from TFTP, but if I reboot it with "RELOAD" command it looses its entire content. I used following sequence EXACTLY
1. COPY TFTP STAR
2. COPY STAR RUN
3. COPY RUN STAR
4. RELOAD
Still I got above problem. Any solution cause? Thanks a lot in advance. Regards MK
Re: Hybrid Routing Protocol
Well, it certainly is called a hybrid, but that's marketing hype; its operation is completely DV in nature. Its "hybrid" characteristic is that it only sends incremental updates and it establishes neighbor relationships, which other DV protocols do not do. That does not, however, change its basic nature, which is distance vector.
Actually EIGRP is a hybrid protocol. I believe it is the ONLY example of one, in fact. JW
A DV protocol, like RIP or EIGRP, send their entire routing table to their directly attached neighbors and then receive their neighbors routing tables in return. That's an important point: they send the *entire* routing table, not just the routes they know about first hand.
Clearing show line
I was wondering if anyone might know of a way to clear the counters you see when you issue the show line command.
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 CTY -- --- 02 1/167232
1 AUX 38400/38400 - inout --- 100/0
* 2 VTY -- --- 50600/0
3 VTY -- ---2600/0
4 VTY -- --- 000/0
5 VTY -- --- 000/0
6 VTY -- --- 000/0
I'd like to clear this if I could for further analysis. Thx for any suggestions.
Re: Clearing show line
Sorry, I tried clear counters but it doesn't do the job...
"James Haynes" [EMAIL PROTECTED] wrote in message news:95cdh4$oi4$[EMAIL PROTECTED]...
I was wondering if anyone might know of a way to clear the counters you see when you issue the show line command.
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns
0 CTY -- --- 02 1/167232
1 AUX 38400/38400 - inout --- 100/0
* 2 VTY -- --- 50600/0
3 VTY -- ---2600/0
4 VTY -- --- 000/0
5 VTY -- --- 000/0
6 VTY -- --- 000/0
I'd like to clear this if I could for further analysis. Thx for any suggestions.
Re: TFTP Server
Have you even tried to do any research to figure it out? Brian From: "Turfis" [EMAIL PROTECTED] Reply-To: "Turfis" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: TFTP Server Date: Thu, 1 Feb 2001 10:04:23 -0800 How do you setup a WindowsME laptop as a TFTP server so that you can upload/download Cisco configs? Thanks.
RE: TFTP Server
http://www.cisco.com/pcgi-bin/tablebuild.pl/tftp -Original Message- From: Turfis [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 10:03 AM To: [EMAIL PROTECTED] Subject: TFTP Server How do you setup a WindowsME laptop as a TFTP server so that you can upload/download Cisco configs? Thanks.
Re: What should I block???
Well, that depends. My first recommendation would be to review your company security policy which was signed off on by executive management. That policy should list what types of traffic, ports, etc. your company has deemed necessary and will allow into their environment. It should also dictate what types of traffic will be allowed *out* of your network. My first recommendation isn't probably terribly useful since I have found that most companies don't have a well defined security policy blessed by the CEO. This is, IMHO, a recipe for disaster. I would strongly recommend either having them come up with a security policy (which will then dictate what your ACL and FW rulebase look like), or you come up with one, but have them "bless" it. You should definitely set up access lists to protect the router itself (i.e. deny telnet, SNMP, etc.) Some people also "mirror" the security policy (i.e. rule base) on their firewall on the border router. This lets the router receive the brunt of most port scans, etc. I would also recommend blocking the receipt of any packet with a source address of any of the RFC 1918 addresses, any packet with a source address with a first octet of 255, etc. You can either block the RFC 1918 addresses with an ACL, or route them to Null0. I've seen both approaches used. Pick long, complex passwords for your border router and use "service password encryption" to encrypt them. Check your logs regularly. Be a good internet neighbor and set up outbound ACLs that only allow traffic that originated on your network out. This cuts down on spoofing. If your management won't sign off on whatever security policy you come up with, make sure you figure out in advance who is responsible/culpable when you get hacked. If you are new to Checkpoint Firewalls and Information Security, subscribe to the FW-1 mailing list on the Checkpoint web site. There are some great, knowledgeable guys and gals on that list. 
It is focused mainly on FW-1, but they also cover many general security concepts from time to time. Also, check out www.phoneboy.com/fw1 for FW-1 related "stuff." Marcus Ranum runs a good, vendor agnostic firewall mailing list at http://www.nfr.com/mailman/listinfo/firewall-wizards HTH, Jim
[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
Hi Group, I know that this is going to be very broad but just bear with me on this one. We are switching over our firewall router from a bay to a cisco. The cisco one that I am going to work on is already pre-configured except for access-lists and filters. What they basically told me is that the checkpoint device behind it will take care of all of the intense blocking and forwarding, but on this FW-router we just want to block the basic things that are usually not allowed through. Here's what I was hoping for. Just a basic list of things that are normally blocked on the router above the FW. For example, I know that I'm gonna set an inbound access-list denying telnet so that the checkpoint doesn't even have to worry about that. I am just looking for a list of services/ports/etc., that as a rule of thumb to you FW gurus, are usually denied. I know this is broad and I'll understand if I don't get much feedback. Gotta also find that whitepaper on FW's. Considering this will be my first time coming anywhere near a FW (FW Virgin) I'm a little nervous and hope you guys can help out. Thanks all, =o) Mark Z...
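The border-router checks recommended in this reply (drop inbound packets with an RFC 1918 source or a first octet of 255, keep telnet and SNMP away from the router itself, and let only locally sourced traffic out), written as a first-match filter; this is an added example and not part of the original thread. The local prefix 192.0.2.0/24, the router address 192.0.2.1 and the sample packets are constructed assumptions.

```python
"""Border-router ingress/egress checks as a first-match evaluator (added example)."""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIRST_OCTET_255 = ipaddress.ip_network("255.0.0.0/8")
# Services the reply says to keep away from the router itself.
ROUTER_MGMT = {("tcp", 23): "telnet", ("udp", 161): "SNMP"}

# Constructed values for the illustration (documentation prefix).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ROUTER_ADDRS = {ipaddress.ip_address("192.0.2.1")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def check_inbound(pkt):
    """Decision for a packet arriving on the outside interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if any(src in net for net in RFC1918):
        return "deny", "RFC 1918 source"
    if src in FIRST_OCTET_255:
        return "deny", "source first octet 255"
    service = ROUTER_MGMT.get((pkt.proto, pkt.dport))
    if dst in ROUTER_ADDRS and service:
        return "deny", "%s to the router itself" % service
    return "permit", "handed to the firewall behind the router"


def check_outbound(pkt):
    """Decision for a packet leaving towards the Internet."""
    if ipaddress.ip_address(pkt.src) in LOCAL_NET:
        return "permit", "source is on our network"
    return "deny", "source is not on our network"


# Constructed sample traffic: (direction, packet).
SAMPLES = [
    ("in", Packet("10.9.8.7", "192.0.2.20", "tcp", 80)),
    ("in", Packet("255.1.2.3", "192.0.2.20", "udp", 53)),
    ("in", Packet("198.51.100.7", "192.0.2.1", "tcp", 23)),
    ("in", Packet("198.51.100.7", "192.0.2.1", "udp", 161)),
    ("in", Packet("198.51.100.7", "192.0.2.20", "tcp", 443)),
    ("out", Packet("192.0.2.20", "198.51.100.7", "tcp", 443)),
    ("out", Packet("10.1.1.1", "198.51.100.7", "tcp", 443)),
    ("out", Packet("203.0.113.9", "198.51.100.7", "udp", 53)),
]


def evaluate(samples):
    """Return (direction, src, action, reason) for every sample packet."""
    results = []
    for direction, pkt in samples:
        check = check_inbound if direction == "in" else check_outbound
        action, reason = check(pkt)
        results.append((direction, pkt.src, action, reason))
    return results


if __name__ == "__main__":
    for row in evaluate(SAMPLES):
        print("%-3s %-15s %-6s %s" % row)
```

The outbound check also catches private addresses that leave without being translated, since they fall outside the local public prefix.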
1200 Catalyst for CCNP lab?
Group, I would like to know if it is a good buy to get a few Catalyst 1200's for switching certification. Has anyone used them, and are they any use for the exam. The 1900 with Enterprise I already have has IOS and the syntaxes etc on the 1200 look different, but support building VLAN's, TRUNK's etc. Cheers Martijn
Re: What should I block???
Although not completely directed at what you wanna know, this document as some general security information about blocking some common attacks, including access list templates to paste into your router/pix http://www.cisco.com/public/cons/isp/documents/IOSEssentialsPDF.zip. Rich On Feb 1, 8:28pm, Jim Deane chatted about: Subject:Re: What should I block??? SANS (www.sans.org) usually has some good resources. Here is the direct link to their sample security policies: http://www.sans.org/newlook/resources/policies/policies.htm Jim ""Tom"" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I've heard many things about a "security policy" and I understand what I would specify on one, but could someone point me in a direction to check out a "sample" security policy. At least I could look at what questions should be answered by my policy. Just looking for some general guidelines. Even a reference to a book or website would be welcome. Thanks, Tom McNamara, MCSE, CCNA McNamara Professional Services (407)822-5199 Phone A bus station is where a bus stops. A train station is where a train stops. On my desk, I have a work station... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Deane Sent: Thursday, February 01, 2001 1:28 PM To: [EMAIL PROTECTED] Subject: Re: What should I block??? Well, that depends. My first recommendation would be to review your company security policy which was signed off on by executive management. That policy should list what types of traffic, ports, etc. your company has deemed necessary and will allow into their environment. It should also dictate what types of traffic will be allowed *out* of your network. My first recommendation isn't probably terribly useful since I have found that most companies don't have a well defined security policy blessed by the CEO. This is, IMHO, a recipe for disaster. 
I would strongly recommend either having them come up with a security policy (which will then dictate what your ACL and FW rulebase look like), or you come up with one, but have them "bless" it. You should definitely set up access lists to protect the router itself (i.e. deny telnet, SNMP, etc.) Some people also "mirror" the security policy (i.e. rule base) on their firewall on the border router. This lets the router receive the brunt of most port scans, etc. I would also recommend blocking the receipt of any packet with a source address of any of the RFC 1918 addresses, any packet with a source address with a first octet of 255, etc. You can either block the RFC 1918 addresses with an ACL, or route them to Null0. I've seen both approaches used. Pick long, complex passwords for your border router and use "service password encryption" to encrypt them. Check your logs regularly. Be a good internet neighbor and set up outbound ACLs that only allow traffic that originated on your network out. This cuts down on spoofing. If your management won't sign off on whatever security policy you come up with, make sure you figure out in advance who is responsible/culpable when you get hacked. If you are new to Checkpoint Firewalls and Information Security, subscribe to the FW-1 mailing list on the Checkpoint web site. There are some great, knowledgeable guys and gals on that list. It is focused mainly on FW-1, but they also cover many general security concepts from time to time. Also, check out www.phoneboy.com/fw1 for FW-1 related "stuff." Marcus Ranum runs a good, vendor agnostic firewall mailing list at http://www.nfr.com/mailman/listinfo/firewall-wizards HTH, Jim [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Hi Group, I know that this is going to be very broad but just bare with me on this one. We are switching over our firewall router from a bay to a cisco. 
The cisco one that I am going to work on is already pre-configured except for access-lists and filters. What they basically told me is that the checkpoint device behind it will take care of all of the intense blocking and forwarding, but on this FW-router we just want to block the basic things that are usually not allowed through. Here's what I was hoping for. Just a basic list of things that are normally blocked on the router above the FW. For example, I know that I'm gonna set an inbound access-list denying telnet so that the checkpoint doesn't even have to worry about that. I am just looking for a list of services/ports/etc., that as a rule of thumb to you FW gurus, are usually denied. I know this is broad and I'll understand if I don't get much feedback. Gotta also find that whitepaper on FWs. Considering this will be my first time coming anywhere
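
The anti-spoofing advice in Jim Deane's reply above (drop inbound packets sourced from RFC 1918 space or with a first octet of 255, and let out only traffic sourced from your own network) can be checked against a router's ACL text. The following is an added example, not part of the original thread: a Python audit of IOS extended ACL lines using first-match semantics. The ACL numbers, the site prefix 192.0.2.0/24 and the sample configurations are constructed for illustration.

```python
import ipaddress

# Sources the post says to drop at the border: RFC 1918 space and any
# address whose first octet is 255.
BOGONS = {
    "10/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "255/8": ipaddress.ip_network("255.0.0.0/8"),
}

def parse_source(tok):
    """Source field of an IOS extended ACL entry -> ip_network."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32")
    # "address wildcard": the wildcard is an inverted netmask. A
    # non-contiguous wildcard raises ValueError and is not supported here.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False)

def parse_acl(text):
    """Yield (action, protocol, source_network, line) in configured order."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            yield tok[2], tok[3], parse_source(tok[4:]), line.strip()

def ingress_leaks(text):
    """Map each bogon range to the ACL line that lets it in, or None.

    First match wins and the list ends in an implicit deny. A deny counts
    only if it is 'ip' and covers the whole range; partial denies are
    skipped, so the result errs towards reporting a leak.
    """
    result = {}
    for name, bogon in BOGONS.items():
        result[name] = None
        for action, proto, src, line in parse_acl(text):
            if not src.overlaps(bogon):
                continue
            if action == "deny" and proto == "ip" and bogon.subnet_of(src):
                break
            if action == "permit":
                result[name] = line
                break
    return result

def egress_leaks(text, site):
    """Outbound ACL lines that permit a source outside the site's prefix."""
    return [line for action, _, src, line in parse_acl(text)
            if action == "permit" and not src.subnet_of(site)]

# Constructed sample configs; 192.0.2.0/24 stands in for the site's prefix.
SITE = ipaddress.ip_network("192.0.2.0/24")
INBOUND_WEAK = """
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip any any
"""
INBOUND_FIXED = """
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 255.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
"""
OUTBOUND_WEAK = "access-list 120 permit ip any any"
OUTBOUND_FIXED = "access-list 120 permit ip 192.0.2.0 0.0.0.255 any"

if __name__ == "__main__":
    print(ingress_leaks(INBOUND_WEAK), ingress_leaks(INBOUND_FIXED))
    print(egress_leaks(OUTBOUND_WEAK, SITE), egress_leaks(OUTBOUND_FIXED, SITE))
```
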
PIX VPN IP Pool
OK I get all the VPN stuff for IPSec. I have a working PIX-PIX VPN working right now and am in the process of implementing CiscoSecure to PIX VPN. I haven't implemented it quite yet because I'm worried about a possible conflict here. Configuring IKE Mode Config parameters calls for the following:

ip local pool (pool-name) ip-range
isakmp client configuration address-pool local (pool-name) outside
crypto map (crypto-map-name) client configuration address initiate

The first 2 lines have a common pool-name but have no places in there to match it to previous commands set up for the specific VPN. All others in my config have some reference either by a name or a number in the command. The 3rd line also has no reference whatsoever to which VPN this should apply. There are no similar commands for the PIX-PIX vpn but I'm wondering if this will somehow interfere or am I just being overly cautious here? Allen May
Re: any way of unsubscribing off this list
keep trying, we know you'll eventually figure it out!

"Libone Mhlanga" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I have tried all the obvious ones.
RE: ISL vs. 802.1Q
If Cisco were to add-on to dot1q, how would it be able to communicate with other non-Cisco routers using 802.1q?

Luckily, the earlier quote isn't quite correct. It's IEEE that is augmenting 802.1Q to include the good ISL extensions such as spanning tree per VLAN. Expect the industry generally to support the same functionality. Some of Cisco's recent acquisitions in the switch area only had chipsets that supported 802.1Q.

From: Chris Supino [EMAIL PROTECTED] Reply-To: Chris Supino [EMAIL PROTECTED] To: Jun Pati [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: ISL vs. 802.1Q Date: Wed, 31 Jan 2001 21:04:30 -0500 Jun, Used to be that ISL supported a spanning-tree per VLAN, where Dot1q supported only a single spanning-tree. I was told at a seminar recently that Cisco has expanded the capabilities of their implementation of Dot1q, and it is now almost as fully featured as ISL, including supporting a spanning-tree per vlan. ISL is being phased out. Christopher Supino MCSE, MCP+I, CCNA, CNA Netware 5, Compaq ASE Senior Systems Engineer TransNet Corp.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jun Pati Sent: Wednesday, January 31, 2001 7:29 PM To: [EMAIL PROTECTED] Subject: ISL vs. 802.1Q What is the advantage of using ISL on an all-Cisco network compared to dot1Q aside from being able to handle frames larger than the ethernet mtu.
RE: ISL vs. 802.1Q
Cisco LAN Switching by Clark and Hamilton Cisco Press ISBN 1-57870-094-9

For VLAN 1, BPDUs are sent to the usual Spanning Tree multicast address of 01-80-C2-00-00-00. All switches recognize this address. For all other VLANs, BPDUs are sent to the multicast address of 01-00-0C-CC-CC-CD. Non Cisco switches do not recognize them and flood them. They are "tunneled" through regular 802.1Q switches. Cisco switches recognize them as BPDUs and use them for PVST+.

-Original Message- From: Fred Danson [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 12:57 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: ISL vs. 802.1Q If Cisco were to add-on to dot1q, how would it be able to communicate with other non-Cisco routers using 802.1q?

From: Chris Supino [EMAIL PROTECTED] Reply-To: Chris Supino [EMAIL PROTECTED] To: Jun Pati [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: ISL vs. 802.1Q Date: Wed, 31 Jan 2001 21:04:30 -0500 Jun, Used to be that ISL supported a spanning-tree per VLAN, where Dot1q supported only a single spanning-tree. I was told at a seminar recently that Cisco has expanded the capabilities of their implementation of Dot1q, and it is now almost as fully featured as ISL, including supporting a spanning-tree per vlan. ISL is being phased out. Christopher Supino MCSE, MCP+I, CCNA, CNA Netware 5, Compaq ASE Senior Systems Engineer TransNet Corp.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jun Pati Sent: Wednesday, January 31, 2001 7:29 PM To: [EMAIL PROTECTED] Subject: ISL vs. 802.1Q What is the advantage of using ISL on an all-Cisco network compared to dot1Q aside from being able to handle frames larger than the ethernet mtu.
Re: Wire speed (wasRe: What should I block???)
Just comparing an operating system with all kinds of software and a kernel that supports just about anything vs a stripped down o/s designed specifically for the hardware. It tends to have less of a chance of crashing with some other service/daemon/module or whatever running simultaneously. Just my 2 cents worth my personal opinion based on past experience. I've been running PIX firewalls since 95 and never had one crash even once.

- Original Message - From: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, February 01, 2001 1:21 PM Subject: Re: "Wire speed" (wasRe: What should I block???)

I would agree here. Things like maximum concurrent connections and how many connections/second need to be considered as well. Personally I prefer hardware simply for the stability factor. There's nothing like having to go reboot the firewall server at 2am...grrr. Been there, done that, burned the t-shirt.

But again I will raise the question "what is hardware?" No practical firewall is going to run completely from ROM or in ASICs. If it did, you couldn't update it against continuing threats. Is the distinction you are trying to make between real-time and general-purpose, or extremely fault tolerant versus commercial grade software?
Re: CCIE Prep lab at UCSC
I went there for 2 days. I found the equipment to be excellent, and I figure part of my passing on the 1st lab attempt to having seen this rack, as that's pretty much how it looks in the lab (which they will freely tell you, no NDA problem here!). However, I found their lab scenarios that I saw to be a little less than I hoped for (I had already done most of the fatkid ccbootcamp labs). I only went for 2 days, I think 1-2 days there is enough if you already did a lot of labs on your own. If I had it to do again, I'd probably communicate with the lab aide more via email before arriving, so we could come to an understanding of what types of lab scenarios they could give me that would help me best prepare.

Nathan Casassa [EMAIL PROTECTED] 02/01 9:14 AM I have passed the written and was interested in trying this out in addition to my home lab, just to get used to the environment and time limits. Here is what the lab manager from UCSC wrote me: Hello Nathan, This is not instructor basis lab you will be given scenarios to practice and solve on your own. There is some assistance but mainly you're on your own. You can either practice on our simulation test and scenarios or troubleshoot your own problem/test and the ccie practice lab exercises do include solutions for most of the exercises. The lab hours are 9 am to 5 p.m., Monday through Friday, there is no CCIE practice lab on the weekends. Please note enrollment is on a first come first serve basis. This lab is setup for Routing and Switching. Best Regards, Fardin Rahim CCIE practice lab

Kevin Welch wrote: I was wondering if anyone has any experience using the CCIE Prep Lab facility at UCSC. Thoughts, comments, usefulness of this facility appreciated. -- Kevin
Re: in fddi, what is the characteristics of 4b/5b encoding?
At 11:25 AM 2/1/01, =?ks_c_5601-1987?B?w7W4rr7IuN7Azw==?= wrote: in fddi, what is the characteristics of 4b/5b encoding? cisco www show me a little information.. that 4b/5b is used in multi-mode fiber over fddi or atm.. and that is an encoding scheme.. and support speed up to 100Mbps..on multimode fiber.. I just know some more characteristics about 4b/5b encoding over fddi or atm..

Encoding happens at the PHY layer, which is sandwiched between the Physical Medium Dependent (PMD) layer below and the Media Access Control (MAC) layer above. I think ATM is far enough up the layers, that a question about ATM encoding doesn't make sense. In the case of FDDI, however, the question makes sense. FDDI's MAC layer depends on the PHY layer to encode bits using 4b/5b for sending over interfaces defined at the PMD layer. 4b/5b coding is a way of encoding ones and zeroes along with clocking information. The shorthand notation of 4b/5b means 4 bits are encoded into 5 code bits. In high-speed networks, it is almost always necessary to encode data if there is no "master clock" and no separate clocking signal. There are many ways of doing this. Original 10 Mbps Ethernet, for example, used Manchester encoding. Fast Ethernet uses 4b/5b when fiber-optic cabling is used. Gigabit Ethernet uses 8b/10b. T1 WAN circuits use Bipolar with 8 Zeros Substituted (B8ZS). Zeros cause a problem when clocking is embedded in the signal. Too many zeros are indistinguishable from no signal. FDDI deals with this by substituting each 4-bit "nibble" with a 5-bit nibble that is guaranteed not to have too many zeros. So, becomes 0, for example. 0001 becomes 01001. And so on. The senders and receivers use a table lookup to encode and decode all 4-bit values. Sounds inefficient, eh? Well, it is. But the other way to look at it is that FDDI is really 125 Mbps. Priscilla

could you give me those? thanks.
Priscilla Oppenheimer http://www.priscilla.com
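
The table lookup and the "not too many zeros" guarantee described in Priscilla's reply above can be shown directly. The following is an added example, not part of the original thread: a Python encoder and decoder built on the standard 4B/5B data code-group table, plus a check of the longest zero run the code can ever produce. Sending the high nibble of each byte first and the function names are choices made for this example, and the input bytes are constructed.

```python
# Standard 4B/5B data code groups, indexed by nibble value 0x0-0xF.
CODE = ["11110", "01001", "10100", "10101", "01010", "01011", "01110", "01111",
        "10010", "10011", "10110", "10111", "11010", "11011", "11100", "11101"]
DECODE = {group: nibble for nibble, group in enumerate(CODE)}

def encode(data: bytes) -> str:
    """Encode bytes as a string of code bits (high nibble first: assumption)."""
    return "".join(CODE[b >> 4] + CODE[b & 0xF] for b in data)

def decode(bits: str) -> bytes:
    """Reverse encode(); reject anything that is not a data code group."""
    if len(bits) % 10:
        raise ValueError("expected a whole number of 10-bit units")
    out = bytearray()
    for i in range(0, len(bits), 10):
        hi, lo = bits[i:i + 5], bits[i + 5:i + 10]
        if hi not in DECODE or lo not in DECODE:
            # 16 of the 32 five-bit patterns carry data; the rest are
            # control symbols or invalid, so line errors are detectable.
            raise ValueError(f"invalid data code group at bit {i}")
        out.append(DECODE[hi] << 4 | DECODE[lo])
    return bytes(out)

def longest_zero_run(bits: str) -> int:
    """Length of the longest run of consecutive zeros in a bit string."""
    return max(len(run) for run in bits.split("1"))

def worst_case_zero_run() -> int:
    """Longest zero run over every ordered pair of data code groups.

    Every code group contains a 1, so a run can span at most two groups.
    """
    return max(longest_zero_run(a + b) for a in CODE for b in CODE)

def line_rate_mbps(data_rate_mbps: float) -> float:
    """Five code bits are sent for every four data bits."""
    return data_rate_mbps * 5 / 4

if __name__ == "__main__":
    raw = bytes(16)  # constructed input: 128 zero bits with no transitions
    print("raw zero run:    ", longest_zero_run("0" * 8 * len(raw)))
    print("encoded zero run:", longest_zero_run(encode(raw)))
    print("worst case:      ", worst_case_zero_run())
    print("line rate for 100 Mbps of data:", line_rate_mbps(100))
```
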
Re: IP unnumbered and OSPF
Karl, Tom, I think you are both mistaken--in fact, RFC 2328 contains multiple references to unnumbered point-to-point links and what should be done about them when developing an OSPF implementation. The router doesn't need an exact interface IP address on a point-to-point link in order to form a neighbor relationship. All OSPF packets on a point-to-point link are going to be sent to the multicast address 224.0.0.5, and it really doesn't matter what IP address is the source in those packets. The neighboring router is identified by its router ID, not its address on the interface. I have set up OSPF with IP unnumbered, and it worked just fine. Pamela

At 02:07 AM 2/1/01 -0500, Tom Pruneau wrote: Greetings Karl I can't remember exactly where I read that, but I did. More specifically you can't have ip unnumbered on an interface running OSPF because there is no address to be neighbors with. If what you want to do is have a router with some ospf interfaces and some other interface not running ospf, and you want unnumbered on the non-OSPF interfaces, I think that would be OK. Tom

At 03:22 PM 01/31/2001 -0500, Karl R. West wrote: Refresh me please... I remember reading some where why you should not have IP UNNUMBERED running on the router you're going to put OSPF on. Can some one refresh my memory. Regards, Karl
Cat 6509 and Cabletron MMAC
What's up! I've got a 6509 with a VLAN int that has a crossover going to our old Cabletron MMAC. (we're in the process of upgrading and have most of the network still on the MMAC side of the house).. here's my dilemma... Every once in awhile I get the following error: Native vlan mismatch detected on port [dec]/[dec] Now the MMAC I can't assign it a vlan... traffic still gets through with the error but I'm afraid it might die eventually. I've disabled port chan and trunking on that int. thinking it might help. Oh yeah, the MMAC is strictly Layer2. Has anyone run into this before or have any ideas? Thanks in advance, Jeff
Re: Cat 6509 and Cabletron MMAC
Seems like you have a user on that MMAC that is trying to set up trunking on his workstation.

- Original Message - From: "Jeff Duchin" [EMAIL PROTECTED] Newsgroups: groupstudy.cisco To: [EMAIL PROTECTED] Sent: Thursday, February 01, 2001 3:14 PM Subject: Cat 6509 and Cabletron MMAC What's up! I've got a 6509 with a VLAN int that has a crossover going to our old Cabletron MMAC. (we're in the process of upgrading and have most of the network still on the MMAC side of the house).. here's my dilemma... Every once in awhile I get the following error: Native vlan mismatch detected on port [dec]/[dec] Now the MMAC I can't assign it a vlan... traffic still gets through with the error but I'm afraid it might die eventually. I've disabled port chan and trunking on that int. thinking it might help. Oh yeah, the MMAC is strictly Layer2. Has anyone run into this before or have any ideas? Thanks in advance, Jeff
Re: CCIE Prep lab at UCSC
Hi Nathan, Could you post the URL giving info on the lab? Thanks

Nathan Casassa wrote: I have passed the written and was interested in trying this out in addition to my home lab, just to get used to the environment and time limits. Here is what the lab manager from UCSC wrote me: Hello Nathan, This is not instructor basis lab you will be given scenarios to practice and solve on your own. There is some assistance but mainly you're on your own. You can either practice on our simulation test and scenarios or troubleshoot your own problem/test and the ccie practice lab exercises do include solutions for most of the exercises. The lab hours are 9 am to 5 p.m., Monday through Friday, there is no CCIE practice lab on the weekends. Please note enrollment is on a first come first serve basis. This lab is setup for Routing and Switching. Best Regards, Fardin Rahim CCIE practice lab

Kevin Welch wrote: I was wondering if anyone has any experience using the CCIE Prep Lab facility at UCSC. Thoughts, comments, usefulness of this facility appreciated. -- Kevin
RE: CCIE Prep lab at UCSC
http://www.ucsc-extension.edu/internetworking/

-Original Message- From: Jonathan Hays [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 01, 2001 3:40 PM To: Nathan Casassa Cc: [EMAIL PROTECTED]; Kevin Welch Subject: Re: CCIE Prep lab at UCSC Hi Nathan, Could you post the URL giving info on the lab? Thanks

Nathan Casassa wrote: I have passed the written and was interested in trying this out in addition to my home lab, just to get used to the environment and time limits. Here is what the lab manager from UCSC wrote me: Hello Nathan, This is not instructor basis lab you will be given scenarios to practice and solve on your own. There is some assistance but mainly you're on your own. You can either practice on our simulation test and scenarios or troubleshoot your own problem/test and the ccie practice lab exercises do include solutions for most of the exercises. The lab hours are 9 am to 5 p.m., Monday through Friday, there is no CCIE practice lab on the weekends. Please note enrollment is on a first come first serve basis. This lab is setup for Routing and Switching. Best Regards, Fardin Rahim CCIE practice lab

Kevin Welch wrote: I was wondering if anyone has any experience using the CCIE Prep Lab facility at UCSC. Thoughts, comments, usefulness of this facility appreciated. -- Kevin