Router- As400 - connectivity

2001-03-29 Thread Gayathri



Hi Group

Just to share with you, a few days ago on the 27th I had asked for help
regarding the AS400.

Now it seems like presently the problem is solved.

The AS400 team increased the MTU on the AS400 box to 4096 and it seems to
work okay. This is very strange because the MTU defined on our router is
1500. I can't explain the theory behind this but for now it just worked.
Earlier we used to get a Dr Watson error at the branch servers. The Dr
Watson error was something like this.

If anybody can interpret this

28/03/2001 19:54:03 DrWatson Information None 4097 N/A U9010117 The
application, ..\..\bin\rt.exe, generated an application error The error
occurred on  3/28/2001 @ 19:53:57.768 The exception generated was c017
at address 77f64aef (RtlAllocateHeap)
28/03/2001 18:37:42 SNA Base Service Information None 626 NT
AUTHORITY\SYSTEM U9010117 Service started

 EXPLANATION
 The service shown in the message header started successfully.

 ACTION
 No action is necessary.
28/03/2001 18:37:21 OliMon None None 100 N/A U9010117 Olivetti PR 50 Port
Monitor initialization completed successfully
28/03/2001 18:31:31 DrWatson Information None 4097 N/A U9010117 The
application, ..\..\bin\rt.exe, generated an application error The error
occurred on  3/28/2001 @ 18:31:26.186 The exception generated was c017
at address 77f64aef (RtlAllocateHeap)
28/03/2001 18:27:46 SNA Base Service Information None 626 NT
AUTHORITY\SYSTEM U9010117 Service started

But after the MTU size was changed the Dr Watson error has disappeared.


Best Regards,

Gayathri









_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Tacacs and dialup authentication

2001-03-29 Thread Radford Dion

This is a valid comment, but when I go into routerA, type 'no aaa
new-model', it works, which would eliminate the possibility of a password
problem.

> -Original Message-
> From: Gareth Hinton [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 28 March 2001 22:43
> To:   [EMAIL PROTECTED]
> Subject:  Re: Tacacs and dialup authentication
> 
> Looked through it for ages. I may be missing something but looks like the
> authentication is just failing, possibly due to not using the same
> password
> on RouterA and RouterB?
> 
> On RouterA
> username RouterB password fred
> 
> On RouterB
> username RouterA password fred
> 
> Fingers like mine - too big to tyyppe?
> 
> Anyone feel free to correct me if info is garbage.
> 
> Cheers,
> 
> Gareth
> 
> 
> "Radford Dion" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi Everyone.
> >
> > I am having trouble trying to work out why I cannot get a router to connect
> > via ISDN to another router when tacacs is configured. I want to use the
> > local Tacacs database and I have followed the instructions on the cisco web
> > site
> > http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/aaaisg/c262c2.htm.
> > I would appreciate any feedback that anyone has.
> >
> > This is the scenario
> >
> > RouterA ---> dials into > RouterB
> >
> > When I remove the aaa configuration parameters from router A it works fine.
> >
> > Router A config:
> > username RouterB password x
> >
> > aaa new-model
> > aaa authentication enable default enable
> > aaa authentication ppp default local
> >
> > int bri 0/0
> >  no ip address
> >  no ip redirects
> >  no ip directed-broadcast
> >  encapsulation ppp
> >  dialer pool-member 1
> >  isdn switch-type basic-net3
> >  no fair-queue
> >  ppp authentication chap
> > !
> > interface Dialer1
> >  ip address 192.168.0.186 255.255.255.252
> >  no ip redirects
> >  no ip directed-broadcast
> >  encapsulation ppp
> >  dialer remote-name RouterB
> >  dialer pool 1
> >  dialer idle-timeout 60
> >  dialer string 555
> >  dialer hold-queue 10
> >  dialer-group 1
> >  no fair-queue
> >  ppp authentication chap
> >
> >
> > Router B config:
> > username RouterA password x
> >
> > aaa new-model
> > aaa authentication enable default enable
> > aaa authentication ppp default local
> >
> > int bri 3/1
> >  ip address 192.168.0.186  255.255.255.252
> >  encapsulation ppp
> >  dialer idle-timeout 60
> >  dialer map ip 192.168.0.186  name RouterA 5554324
> >  dialer-group 2
> >  ppp authentication chap
> >
> > This is the debug output - I tried using debug aaa authentication but there
> > was no output from either router.
> >
> > Debug ppp authentication on Router A:
> > *Mar 21 23:30:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> > *Mar 21 23:30:17: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> > *Mar 21 23:30:17: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 555 .
> > *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:17: BR0/0:1 CHAP: O CHALLENGE id 142 len 31 from "RouterA"
> > *Mar 21 23:30:17: BR0/0:1 CHAP: I CHALLENGE id 227 len 31 from "RouterB"
> > *Mar 21 23:30:17: BR0/0:1 CHAP: Unable to authenticate for peer
> > *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:17: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from profile Di1
> > *Mar 21 23:30:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> > *Mar 21 23:30:19: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
> > *Mar 21 23:30:19: %DIALER-6-BIND: Interface BR0/0:2 bound to profile Di1.
> > *Mar 21 23:30:19: BR0/0:2 PPP: Treating connection as a callout
> > *Mar 21 23:30:19: BR0/0:2 CHAP: O CHALLENGE id 66 len 31 from "RouterA"
> > *Mar 21 23:30:19: BR0/0:2 CHAP: I CHALLENGE id 228 len 31 from "RouterB"
> > *Mar 21 23:30:19: BR0/0:2 CHAP: Unable to authenticate for peer
> > *Mar 21 23:30:19: BR0/0:2 PPP: Treating connection as a callout
> > *Mar 21 23:30:19: %DIALER-6-UNBIND: Interface BR0/0:2 unbound from profile Di1
> > *Mar 21 23:30:20: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to down
> > *Mar 21 23:30:21: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> > *Mar 21 23:30:21: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> > *Mar 21 23:30:21: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:21: BR0/0:1 CHAP: O CHALLENGE id 143 len 31 from "RouterA"
> > *Mar 21 23:30:21: BR0/0:1 CHAP: I CHALLENGE id 229 len 31 from "RouterB"
> > .*Mar 21 23:30:21: BR0/0:1 CHAP: Unable to authenticate for peer
> >
> >
> > Debug ppp authentication on Router B:
> > *May 14 07:46:25: %LINK-3-UPDOWN: Interface BRI3/1:1, changed state to up
> > *May 14 07:46:25: BR3/1:1 PPP: Treating connection as a callin
> > *May 14 07:46:26: BR3/1:1 PPP: Phase is AUTHENTICATING, by both
> > *May 14 07:46:26: BR3/1:1 CHAP: O CHALLENGE id 217 len 31 from "RouterB"
> 
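
The two-way CHAP exchange visible in the debug output above (each router sends a CHALLENGE and must answer the peer's), as an added example that is not part of the original posts: a local Python simulation of the RFC 1994 response calculation. The `Router` class and helper names are hypothetical; the hostnames, the password "fred" and the challenge ids 142 and 227 are taken from the thread.

```python
"""Two-way CHAP (RFC 1994) between two routers, simulated locally (added example)."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Router:
    """Hypothetical model: a hostname plus a local user table (peer name -> secret),
    playing the role of the 'username <peer> password <secret>' lines in the thread."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = {name: pw.encode() for name, pw in users.items()}
        self._pending = {}  # identifier -> challenge value we sent and still expect

    def challenge(self, identifier):
        """Authenticator side: send a fresh random challenge under our hostname."""
        value = os.urandom(16)
        self._pending[identifier] = value
        return identifier, value, self.hostname

    def respond(self, identifier, value, challenger_name):
        """Peer side: look up the secret by the challenger's name and hash it."""
        secret = self.users.get(challenger_name)
        if secret is None:
            return None  # no local entry for that name, so no response can be built
        return chap_response(identifier, secret, value), self.hostname

    def verify(self, identifier, response, responder_name):
        """Authenticator side: recompute with our own copy of the secret."""
        value = self._pending.pop(identifier, None)  # each challenge is single-use
        secret = self.users.get(responder_name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, value), response)


def one_way(authenticator, peer, identifier):
    """One direction of the handshake: challenge, response, verification."""
    ident, value, name = authenticator.challenge(identifier)
    reply = peer.respond(ident, value, name)
    if reply is None:
        return False
    response, responder_name = reply
    return authenticator.verify(ident, response, responder_name)


def mutual(a, b):
    """Both directions must pass ("AUTHENTICATING, by both" in the Router B debug)."""
    return one_way(a, b, 142) and one_way(b, a, 227)


def replay_accepted(a, b):
    """Send the same valid response twice; the second use must be rejected."""
    ident, value, name = a.challenge(142)
    response, responder = b.respond(ident, value, name)
    first = a.verify(ident, response, responder)
    second = a.verify(ident, response, responder)
    return first, second


def demo():
    """Constructed cases; names in this simulation are matched exactly."""
    ok = mutual(Router("RouterA", {"RouterB": "fred"}),
                Router("RouterB", {"RouterA": "fred"}))
    bad_pw = mutual(Router("RouterA", {"RouterB": "fred"}),
                    Router("RouterB", {"RouterA": "Fred"}))
    no_user = mutual(Router("RouterA", {}),
                     Router("RouterB", {"RouterA": "fred"}))
    replay = replay_accepted(Router("RouterA", {"RouterB": "fred"}),
                             Router("RouterB", {"RouterA": "fred"}))
    return {"matching": ok, "mismatched_password": bad_pw,
            "missing_username": no_user, "replay": replay}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The secret never crosses the link, only the hash, which is why each side needs a user entry named after the other router and carrying the identical password.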

Re: trunking

2001-03-29 Thread Erick B.


802.1q doesn't support multiple spanning trees, but
many vendors have added their own support which may or
may not interoperate well with other vendors. YMMV. 

802.1s will, which is at draft 9 (March 9, 2001). To my
knowledge, I don't know of any vendors with support
for it at this time in its draft form nor do I know
how different it is from PVST, etc. 

--- "Brant I. Stevens" <[EMAIL PROTECTED]> wrote:
> This may seem like nit-picking, but it isn't actually a revision of
> 802.1Q that supports PVST, but rather, the vendor gear that supports PVST
> with the use of 802.1Q...  Nortel Passport (Accelar) switches support
> this as well...
>
> -Brant
>
> Rik wrote:
>
> > Actually, most newer revisions of Dot1Q support PVST as well.
> >
> > Rik
> >
> > ""ciscosis"" <[EMAIL PROTECTED]> wrote in message
> > news:001301c0b3b7$aba8b000$593d839b@nes2s50667...
> > > ISL has a number of advantages over dot1q,  for example it supports per vlan
> > > spanning tree (PVST) which allows a separate spantree instance per Vlan
> > > which makes networks more scalable and more stable than dot1q based.
> > >
> > > It is Cisco proprietary but it interoperates with dot1q (common spanning
> > > tree) compliant switches (using Cisco protocol PVST+)
> > >
> > >  If you are building a large cisco switched network with a lot of Vlans and
> > > are worried about issues such as spanning tree convergence/ stability
> > > /reliability .. definitely go for  ISL





RE: Tacacs and dialup authentication

2001-03-29 Thread Radford Dion

I probably should have outlined the reason for this type of configuration. 

The problem I am trying to solve is this - I want to use a remote tacacs
server for telnet authentication, but I want to use the local database for
ppp authentication (it would be a pain to add all the router names into the
tacacs server database). I have removed the tacacs server configuration
because I wanted to make the configuration as simple as possible, and just
use the local database.

The URL that I posted below shows how you would do this for a user->router,
but not for router->router.  It should be very simple - and I am sure that I
am missing something obvious.

I have experienced the same problem when routerA has been a 1603 and a 2600
with different IOS versions. The next step is to change RouterB and see what
happens.

Thanks for your help, keep it coming!


> -Original Message-
> From: Tony van Ree [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 28 March 2001 23:56
> To:   Radford Dion; [EMAIL PROTECTED]
> Subject:  Re: Tacacs and dialup authentication
> 
> Hi,
> 
> Where is the TACACS configured?
> 
> I would have thought you would need a reference to TACACS in your AAA
> statements and a reference to the TACACS server address.
> 
> aaa new-model
> aaa authentication login default tacacs+ local
> aaa authentication login console tacacs+ enable
> aaa authentication ppp default if-needed tacacs+ local
> aaa authentication ppp routers if-needed local
> aaa authorization exec default tacacs+ if-authenticated local
> aaa authorization network default tacacs+ local if-authenticated
> 
> !
> OTHER ROUTER STUFF
> !
> 
> tacacs-server host 192.168.0.1
> tacacs-server timeout 10
> tacacs-server key akeyword
> 
> 
> 
> Just a thought.  It seems you don't say to use TACACS in your AAA
> statements.
> 
> Teunis
> Hobart, Tasmania
> Australia
> 
> 
> 
> 
> On Wednesday, March 28, 2001 at 11:27:08 AM, Radford Dion wrote:
> 
> > Hi Everyone.
> > 
> > I am having trouble trying to work out why I cannot get a router to connect
> > via ISDN to another router when tacacs is configured. I want to use the
> > local Tacacs database and I have followed the instructions on the cisco web
> > site
> > http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/aaaisg/c262c2.htm.
> > I would appreciate any feedback that anyone has.
> > 
> > This is the scenario
> > 
> > RouterA ---> dials into > RouterB
> > 
> > When I remove the aaa configuration parameters from router A it works fine.
> > 
> > Router A config:
> > username RouterB password x
> > 
> > aaa new-model
> > aaa authentication enable default enable
> > aaa authentication ppp default local
> > 
> > int bri 0/0
> >  no ip address
> >  no ip redirects
> >  no ip directed-broadcast
> >  encapsulation ppp
> >  dialer pool-member 1
> >  isdn switch-type basic-net3
> >  no fair-queue
> >  ppp authentication chap
> > !
> > interface Dialer1
> >  ip address 192.168.0.186 255.255.255.252
> >  no ip redirects
> >  no ip directed-broadcast
> >  encapsulation ppp
> >  dialer remote-name RouterB
> >  dialer pool 1
> >  dialer idle-timeout 60
> >  dialer string 555
> >  dialer hold-queue 10
> >  dialer-group 1
> >  no fair-queue
> >  ppp authentication chap
> > 
> > 
> > Router B config:
> > username RouterA password x
> > 
> > aaa new-model
> > aaa authentication enable default enable
> > aaa authentication ppp default local
> > 
> > int bri 3/1
> >  ip address 192.168.0.186  255.255.255.252
> >  encapsulation ppp
> >  dialer idle-timeout 60
> >  dialer map ip 192.168.0.186  name RouterA 5554324
> >  dialer-group 2
> >  ppp authentication chap
> > 
> > This is the debug output - I tried using debug aaa authentication but there
> > was no output from either router.
> > 
> > Debug ppp authentication on Router A:
> > *Mar 21 23:30:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> > *Mar 21 23:30:17: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
> > *Mar 21 23:30:17: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 555 .
> > *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:17: BR0/0:1 CHAP: O CHALLENGE id 142 len 31 from "RouterA"
> > *Mar 21 23:30:17: BR0/0:1 CHAP: I CHALLENGE id 227 len 31 from "RouterB"
> > *Mar 21 23:30:17: BR0/0:1 CHAP: Unable to authenticate for peer
> > *Mar 21 23:30:17: BR0/0:1 PPP: Treating connection as a callout
> > *Mar 21 23:30:17: %DIALER-6-UNBIND: Interface BR0/0:1 unbound from profile Di1
> > *Mar 21 23:30:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> > *Mar 21 23:30:19: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
> > *Mar 21 23:30:19: %DIALER-6-BIND: Interface BR0/0:2 bound to profile Di1.
> > *Mar 21 23:30:19: BR0/0:2 PPP: Treating connection as a callout
> > *Mar 21 23:30:19: BR0/0:2 CHAP: O CHALLENGE id 66 len 31 from "RouterA"
> > *Mar 21 23:30:19: BR0/0:2 CHAP: I CHALLENGE id 228 len 31 from "Route

C1603 Time-Range not available

2001-03-29 Thread Damien Kelly

Cisco 1603 


Does anyone know how to implement time restrictions via an access list, I
know there is a time-range command on the latest release of the IOS, but I
don't have the luxury of being able to load the IOS as the router is on a
remote location.

I want to restrict DNS during out of office hours.  So I know I need to
block TCP & UDP on port 53,  but don't know if I can apply  time-range
restriction without the latest IOS release, any other methods?

Any suggestions?

Damien Kelly,   






Re: Loopback Interfaces

2001-03-29 Thread Atul Kumar Udupi

1. Basically loopback address is used to test whether the TCP/IP protocol stack
is installed properly and working fine on a machine. Assume that just now
you have added TCP/IP to your machine and there is no IP address assigned; at
that time one can use the loopback IP address to verify the TCP/IP installation
by pinging the loopback interface.
2. And as you said some dynamic routing protocols use loopback as a
ROUTER-ID. This is because the loopback address is logical and available most of
the time to the peer. You can use the IP address of any hardware interface of a
router, but the problem is in case the interface goes bad. To avoid that it's
better to use the loopback IP address as a router ID.

Hope this helps.

Atul kumar



"Asad Hasan" <[EMAIL PROTECTED]> wrote in message
news:98o5a6$vn1$[EMAIL PROTECTED]...
> What is the primary purpose of using the Loopback interface and can you
> telnet into a router using an IP assigned to the Loopback interface. I know
> the Loopback interfaces are used in OSPF and in BGP. But is there any other
> purpose for them.
>
> Regards
> Asad



VLAN and Cluster

2001-03-29 Thread Daniel ma

I am trying to configure several cat 3500 as one cluster group over
Giga-stack. However, I found the Giga-stack does not pass the VLAN
information. I could only access VLAN1 across switches.

Is there any configuration issue? If I do not use cluster, and configure
Giga-stack as trunk port, there is no problem for other VLANs.

Daniel





VLAN routing in Cat6000

2001-03-29 Thread Daniel ma

I am trying to configure VLAN routing in Cat 6006, (Super engine does
support routing).

However, after I configure interface VLAN2, it said VLAN 2 is shutdown. it's
no use to issue 'no shutdown' command.

How should I configure it?







Re: EIGRP clarification

2001-03-29 Thread Vijay Ramcharan

For the purposes of the exam EIGRP is a DV protocol.

Vijay Ramcharan

- Original Message -
From: "Rizzo Damian" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 10:06 PM
Subject: EIGRP clarification


>
>   Preparing for my BSCN exam, I have found myself unclear as to whether or
> not EIGRP is in fact a Hybrid or Distance-Vector protocol. All the Cisco
> classes I've been to have always referred to EIGRP as a Balanced Hybrid
> protocol, now studying for my CCNP, I am finding EIGRP referred to as a
> Distance-vector protocol???...How is this possible? Thanks...
>
>
>
>
>
>  -Rizzo
>



Re: trunking

2001-03-29 Thread Vijay Ramcharan

Another issue to consider is the fact that if IP telephony will ever be
implemented (Cisco's anyway), dot1q trunking has to be used, negating the
use of ISL.  A recent implementation has emerged called MISTP (Multiple
Instance STP) that supposedly supports multiple spanning trees over the
dot1q protocol.  Does it work in an IP telephony environment?  I leave that
up to someone more qualified to answer.

Vijay Ramcharan

- Original Message -
From: "Erick B." <[EMAIL PROTECTED]>
To: "Brant I. Stevens" <[EMAIL PROTECTED]>; "Rik"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 3:28 AM
Subject: Re: trunking


>
> 802.1q doesn't support multiple spanning trees, but
> many vendors have added their own support which may or
> may not interoperate well with other vendors. YMMV.
>
> 802.1s will, which is at draft 9 (March 9, 2001). To my
> knowledge, I don't know of any vendors with support
> for it at this time in its draft form nor do I know
> how different it is from PVST, etc.
>
> --- "Brant I. Stevens" <[EMAIL PROTECTED]> wrote:
> > This may seem like nit-picking, but it isn't actually a revision of
> > 802.1Q that supports PVST, but rather, the vendor gear that supports PVST
> > with the use of 802.1Q...  Nortel Passport (Accelar) switches support
> > this as well...
> >
> > -Brant
> >
> > Rik wrote:
> >
> > > Actually, most newer revisions of Dot1Q support PVST as well.
> > >
> > > Rik
> > >
> > > ""ciscosis"" <[EMAIL PROTECTED]> wrote in message
> > > news:001301c0b3b7$aba8b000$593d839b@nes2s50667...
> > > > ISL has a number of advantages over dot1q,  for example it supports per vlan
> > > > spanning tree (PVST) which allows a separate spantree instance per Vlan
> > > > which makes networks more scalable and more stable than dot1q based.
> > > >
> > > > It is Cisco proprietary but it interoperates with dot1q (common spanning
> > > > tree) compliant switches (using Cisco protocol PVST+)
> > > >
> > > >  If you are building a large cisco switched network with a lot of Vlans and
> > > > are worried about issues such as spanning tree convergence/ stability
> > > > /reliability .. definitely go for  ISL



Re: problem with installing vpn 3.0 client for win2000

2001-03-29 Thread Vijay Ramcharan

I've installed 301k9 twice now on Win2K Pro and have never had any problems
(apart from the fact that it doesn't work with our PIX and I didn't find
that out until I read the documentation).  I've also installed or tried to
install the VPN 5K client, the VPN 1.1 client and whatever else Cisco has,
just to see what they look like.  My machine has never once crashed.

Vijay Ramcharan

- Original Message -
From: "Frank Kim" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 2:09 AM
Subject: problem with installing vpn 3.0 client for win2000


> Hi folks,
> Anyone has any success on installing the cisco vpn 3.0 client for win2000
> professional or adv server?  My win2000 box kept failing after the
> installation; it kept rebooting.  Please share your experience.  This is
> the name of the file which I tried to install: vpnclient-win-3.0.1.Rel-k9
>
> Thanks for any input.
>
> -Frank



DNS problem?

2001-03-29 Thread Secrist John J Contr 27 IS/IND

A funny thing is happening on our network and it has us stumped.

1 - Some websites are not reachable by typing the hostname in a browser
(i.e. www.yahoo.com).
2 - Some websites ARE reachable by typing the hostname in a browser (i.e.
www.altavista.com).
3 - When I ping the unreachable addresses they time out - but the ping does
resolve the IP address.
4 - When I type the IP address in the web browser, the page opens fine.

Was thinking this is maybe a DNS problem... any thoughts?  Thanks,

Jake




RE: EIGRP clarification

2001-03-29 Thread Juliano Moises da Luz

In the BSCN course it appears as an ADVANCED DISTANCE VECTOR routing protocol.



-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 1:19 AM
To: [EMAIL PROTECTED]
Subject: Re: EIGRP clarification


>   Preparing for my BSCN exam, I have found myself unclear as to whether or
>not EIGRP is in fact a Hybrid or Distance-Vector protocol. All the Cisco
>classes I've been to have always referred to EIGRP as a Balanced Hybrid
>protocol, now studying for my CCNP, I am finding EIGRP referred to as a
>Distance-vector protocol???...How is this possible? Thanks...


From a technical standpoint, EIGRP is emphatically distance vector. 
From a marketing standpoint, Cisco has called it "hybrid," which has 
no accepted technical meaning. Training and certification have picked 
up that terminology.

"Hybrid" is an attempt to differentiate EIGRP, and its DUAL 
algorithm, from the problems of first and second generation DV 
protocols. JJ Garcia-Luna-Aceves, the inventor of DUAL, always has 
called it an advanced DV protocol, and he continues to work on even 
more advanced DV.

There's nothing inherently wrong with DV.  EIGRP legitimately has 
fixed some of the problems of earlier DV protocols, such as the lack 
of a hello subprotocol and reliable update mechanism.  Without these 
mechanisms, periodic update becomes necessary, and the protocol can't 
be loop-free.

Calling something "hybrid" is about as sensible as saying "route bad, 
switch good," or "all animals are equal, but some are more equal than 
others."




Re: DNS problem?

2001-03-29 Thread kentdj

One possibility ... DNS server can't talk to the root servers but is
resolving some addresses from its cache. If that's the case then before
long (depending on how your DNS server is configured) all the entries will
age out and no names will be resolved.
Your pings timing out is not uncommon across the internet; a cached entry
on your router or DNS is probably resolving the name to an address ..

Maybe your ISP is having problems with its DNS servers.

I might be right, I might be wrong; let us know what you find out .. try
nslookup to see how names are being / not being resolved.

- Original Message -
From: "Secrist John J Contr 27 IS/IND" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 11:38 AM
Subject: DNS problem?


> A funny thing is happening on our network and it has us stumped.
>
> 1 - Some websites are not reachable by typing the hostname in a browser
> (i.e. www.yahoo.com).
> 2 - Some websites ARE reachable by typing the hostname in a browser (i.e.
> www.altavista.com).
> 3 - When I ping the unreachable addresses they time out - but the ping does
> resolve the IP address.
> 4 - When I type the IP address in the web browser, the page opens fine.
>
> Was thinking this is maybe a DNS problem... any thoughts?  Thanks,
>
> Jake



2511

2001-03-29 Thread RamG


Hello Friends,

I am planning to buy this router.  What's the fair price?  Your comments
appreciated.

2511 16F/32R 2 Octal Cables + Rack Hardware 68030 Processor - Revision M
16384K bytes of processor board system flash (read only)

Thanks

RamG





Re: OSPF Asymmetric routing with 2 ABRs per area

2001-03-29 Thread Howard C. Berkowitz

>Hi all,
>
>Need to find out if there is a method for avoiding asymmetric routing
>between 2 areas both with 2 ABRs and equal capacity links (E1 - 2.048Mbps).


First, what is the problem you are trying to solve?  Asymmetric 
routing is a reality in most hierarchical networks that use dynamic 
routing.  In most cases, it's best to work within its limits.

When there are strict latency or other requirements that really 
demand symmetrical routing, you probably need explicit static routes 
or MPLS paths in both directions.

>
>I'm looking to influence flow of traffic to certain destinations to remain
>on a single link, and not have traffic to lets say 10.32.0.0/12 go out on
>link A (ABR A) and return on link B (ABR B).


In the OSPF world, a starting point would be to avoid all stubby 
areas, so the ingress routers can consider the end-to-end path to the 
destination.

>If I have a range of addresses 10.0.0.0/12, I know I can split it between
>ABR A (10.0.0.0/13) and ABR B (10.8.0.0/13) - using area summary statements.
>But the difficulty is actually configuring the other ABR as a backup for the
>same routes.  I.e. ABR A backs up ABR B's range 10.8.0.0/13 and vice versa.

Cisco and Bay/Nortel took different approaches to ABR summarization. 
Both approaches have good and bad features, and I really wish each 
vendor would offer both methods.

Cisco's assumption is that stability is most important.  Once an ABR 
is programmed with less-specific summaries, it will always announce 
those to area 0.0.0.0 even if some or all of the intra-area 
more-specifics are down.  It will announce them even if that means 
some traffic is blackholed.

Bay/Nortel's approach is that precision is most important.  If some 
of the constituent more-specifics of an aggregate go down, the ABR 
will stop advertising the summary and only advertise the 
more-specifics.

>
>Is the above possible?
>
>regards,
>Ming.




Re: 508-CS versus 2509/2511

2001-03-29 Thread Alex Lee

What is considered a good IOS version for c2509rj ?


""EA Louie"" <[EMAIL PROTECTED]> wrote in message
news:99un8a$hek$[EMAIL PROTECTED]...
> hmmm... if you have access to the 508-CS, it's old, but if it's running 9.21
> then many of the minimal features of the 2509/11 are available.  know the
> other line commands that go with the newer 12.0 IOS, though, because you may
> need them in the lab  ;-)
>
> -e-
>
> Ken W. Alger <[EMAIL PROTECTED]> wrote in message
> news:99ufk5$1jh$[EMAIL PROTECTED]...
> > For a CCNP/CCIE lab, is a 508-CS sufficient to act as a terminal server or
> > is it better to go for the 2509/11?
> >
> > Thanks,
> > Ken



Buffer

2001-03-29 Thread KOLIY

I have a condition when 1 system is attempting to hand a packet to
a transmission buffer and no buffer is available
a. Fast switching
b. input drop
c. output drop
d. route-cache

Thanks
Koliy





actual speed (BW) on a Frame-Relay circuit

2001-03-29 Thread CCNA

Hi,

Is there a command to check the actual speed (BW) or max BW used on a
Frame-Relay circuit?

Thanks,

Tarry.




Token Ring Problem

2001-03-29 Thread Vincent

Hi;

My cisco 2521 token ring interface has a problem; the interface keeps
initializing, never up.
Would like to hear some advice.

2:51:25: %TR-3-OPENFAIL: Unit 0, open failed: Phys. Insertion, ring beaconing
02:51:25: %TR-3-BADSTART: Unit 0, Start completion and wrong idb state - state= 0
02:51:26: TR0: reset from 305116C
02:51:26: TR0: txtmr: 0x0, msclk: 0x9CF444, qt: 0x3471AC (6849172ms)
starting.
02:51:48: %TR-3-OPENFAIL: Unit 0, open failed: Phys. Insertion, ring beaconing
02:51:48: %TR-3-BADSTART: Unit 0, Start completion and wrong idb state - state= 0
02:51:49: TR0: reset from 305116C
02:51:49: TR0: txtmr: 0x0, msclk: 0x9D5028, qt: 0x3471AC (6872696ms)
starting.

Thanks
Vincent





1705 router ios software

2001-03-29 Thread Ganesh Chintalapati


Dear all,

This is in connection to my previous mail with subject Erased Flash.

I am very much thankful to all of you for giving me various methods of solving
the problem, but my main problem is I do not have the IOS to load it from tftp
or to load through xmodem from rommon prompt.

Pls let me know where will I get the IOS from the website so that I can
download the IOS and load it.

Thanks in advance

Ganesh




ISDN BRI Channel Separation

2001-03-29 Thread Ash Aslam

Hi Group!!

I would like to know if it's possible to separate the two ISDN B Channels so
that one remains active whilst the other one is free.  I have checked on the
Cisco web site and Cisco press books but could not find anything on how to
configure the BRI Channels separately.

Can someone pls shed some light by providing a small config or point me in
the right direction.

Thanks & kind Regards,
Ash




RE: My CCNA test -Tips to follow

2001-03-29 Thread Evans, TJ

Drop the s in the middle ... 
www.sureshhomepage.com



Thanks!
TJ

 -Original Message-
From:   Jack  Nalbandian [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, March 27, 2001 15:11
To: [EMAIL PROTECTED]
Subject:RE: My CCNA test -Tips to follow

Paul,

The Suresh link didn't work for some reason.  Can you verify the url?

Paul Anderson [mailto:[EMAIL PROTECTED]] wrote:

[snip]

Microsoft does. The test was true to the objectives! Purchased the CCNA
Preparation Kit from www.sureshshomepage.com and Todd Lammle's Sybex
book. Suresh has got good amount stuffs really you can make use of it.
To tell you the truth, out of the 65 questions I was asked at the real
test, about 40Qs line-by-line were from Suresh's kit. I was really
zapped.

[snip]

Regards,

Jack Nalbandian, CCNA, MCSE
Network Engineer
DATAFLEX - U.S. Operations
310.445.1052 x275
[EMAIL PROTECTED]
   
www.telephonyexperts.com  




RE: PIX Performance

2001-03-29 Thread Evans, TJ

Although I agree on the PIX being able to handle the load, other
considerations may include:
* The traffic from the DMZ through the PIX to the internal servers ...
depending on how their applications/web servers work in conjunction with the
db servers there could be significant load there

Of course, the counter-point to that is - even with the DMZ interface max'ed
out you are looking at 100mbps ... and 4 T1's max'ed out = 6mbps .. so still
a max incoming load of 106mbps, well below the PIX's ability.



Thanks!
TJ

 -Original Message-
From:   Groupstudy [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, March 15, 2001 22:47
To: [EMAIL PROTECTED]
Subject:Re: PIX Performance

Bottlenecks almost always end up being the smallest pipe on a network.  In
your case you have a possible 4 T1's which even when all are fully utilized
will only pass around 6mb of traffic per second.   Even your darn 10 baseT
ethernet pipes could handle that.  The PIX can handle up to 170mb per second
and won't even blink at 4 fully loaded T1's.  I suggest you give the client
the numbers and let them do the math.  After they have done their own math,
and if they are still not convinced you're right, may I suggest you ask them
why they need your help, they obviously know more about the matter at hand
than you do :-)


- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 15, 2001 6:33 PM
Subject: PIX Performance


> Hello everyone.  Here is the situation.  A client of mine plans on setting up
> some DMZs off either a PIX 515 or 525.  Servers will consist of smtp relay,
> ftp,  2 to 4 web servers, 2 OWA servers, and 5 to 10 web app servers.  Inside
> (the internal LAN), there are about 10 servers, some database, which dmz
> servers will need to access.  They currently have 2 T1s for external access
> to these DMZ based servers (no internally initiated web traffic), and do not
> plan to upgrade to more than 4 T1s anytime soon.  To the point, the client
> claims that the PIX will be unable to handle all the traffic from the front
> end and the access to the back end and that it will become a performance
> bottleneck with an extremely complicated, long rule set.  My experience and
> opinion tell me that the PIX will do just fine and could probably handle a
> hell of a lot more.  It is doing static NAT also but not any VPN stuff.  If
> anything, with about 6000 remote clients accessing certain servers throughout
> the day, the potential bottleneck will be the 2 T1s or the 2610 router in
> front of the PIX, not the PIX itself - but he won't believe me!  I have
> plenty of performance test results and have implemented multiple PIXs and
> some Check Point Firewalls.  Am I missing something?  How do I convince him?
> Since this may not be perceived as a certification issue, you should probably
> answer me directly and not clog up the list.  Thank-you in advance...
>
> David Raker CCDP, CCNP, MCSE, MCP + Internet




Re: CCNA

2001-03-29 Thread David L. Blair

The best source is Cisco's web site, since Cisco does change its
certification requirements periodically.  Listed below are the tests
needed for the various certifications in the "Routing and Switching"
field.  Cisco has other fields of certification, but it seems that
"Routing and Switching" is the most popular.

Certification  Prerequisites  Required Tests
CCNA           None           640-507 CCNA

CCDA           None           640-441 DCN

CCNP           CCNA           640-503 Routing, 640-504 Switching,
                              640-505 Remote, 640-506 Support
                                 OR
                              640-509 Foundation, and 640-506 Support

CCDP           CCNA, CCDA     640-503 Routing, 640-504 Switching,
                              640-505 Remote, 640-025 CID
                                 OR
                              640-509 Foundation, and 640-025 CID

CCIE           None           Written Exam 350-00, and CCIE Lab Exam

All tests leading up to the CCIE certification are $100.00 US per test.
The CCIE Written is $300.00 US and the CCIE Lab is $1250.00 US.  I hope
that answers most of your questions.


"Through Complexity there is Simplicity,
 Through Simplicity there is Complexity"
David L. Blair - CCNP(2/4), CCNA, MCSE, CBE, A+, 3Wizard








RE: UPDATE: OSPF overriding 'no ip classless'

2001-03-29 Thread Bob Vance

Interesting :)
And, of course, if it were a designed feature, it should be documented.
Someone should call this in.



-
Tks        | 
BV     | 
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430   11455 Lakefield Dr.
Fax 770-623-3429   Duluth, GA 30097-1511
=





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Thursday, March 29, 2001 12:23 AM
To: [EMAIL PROTECTED]
Subject: UPDATE: OSPF overriding 'no ip classless'


Okay, here are my latest findings.  Bob and others wanted me to try various
supernet routes to see how the routers reacted.  Well, I did, and the router
with 'no ip classless' is definitely behaving classlessly when OSPF is
running.

First, a recap.  I have router A connected to router B and am running OSPF.
Router A is originating a default route, and Router B has 'no ip classless'
configured.  The prefix for the link is 10.1.1.0/24.

By all official explanations of 'no ip classless', in this scenario if I
tried to ping an unknown subnet of 10.0.0.0/8, it would fail and debugging
would show that the packets were unroutable.  This is true when I used RIP
v1, RIP v2, IGRP, and EIGRP.  However, when I use OSPF it's a whole 'nuther
story!  It shouldn't matter how the routes are installed, but for some
reason, Router B behaves as if 'ip classless' were configured if I run OSPF.

Tonight, I first tried the original experiment and originated 0.0.0.0/0.
Router B behaved classlessly and would route packets for ANY destination to
Router A.

Next, I tried redistributing the static route for 10.0.0.0/8.  Packets for
any subnet of 10.0.0.0/8 would be routed, all other destinations would fail.
Again, classless behavior.

Thirdly, I redistributed a route for 8.0.0.0/5 just for grins.  Packets
destined for anything in that range were routed (8.0.0.0/8 through
11.0.0.0/8) but all other unknown subnets failed.

Ah!!  I've tried this on two different routers and three different IOS
versions and I get the same results.  Where is it written that when OSPF is
running that the router will now behave classlessly in spite of 'no ip
classless' being in the configuration?

I guess I have no problem with this, I just wish they would document it
somewhere.  If someone would like to try these tests to verify the results
I'd appreciate it.  I'd love to get some verification so I know I'm not just
losing my mind.

Thanks!
John








Transparent Bridging and DHCP

2001-03-29 Thread Greene, Patrick

Here's the problem... 
I have a 3640 running 12.1.5YB with an OC-3 and Fast-E.  I have about 200
pvc's defined as point-to-point and belonging to bridge group 1.  The Fast-E
is also a member of Bridge group 1.  I also have the router configured to be
a dhcp server.  My problem is that the device on the pvc does not get an ip
address from the router, however it will get an address from a dhcp server
on the other end of the Fast-E.

Thanks, 
Patrick 





Free Training Materials for CCNA, CCDA, CCNP, CCDP and CCIE

2001-03-29 Thread CiscoDiety


http://www.gdd.net



Clayton Dukes
CCNA, CCDA, CCDP, CCNP





RE: Implementing SSH on Cisco IOS

2001-03-29 Thread kent . hundley

Karl,

If the question is "why don't you use tacacs instead of ssh?", the 
answer is:

1) Tacacs+ only encrypts between the NAS (router) and the 
Tacacs+ server, the username and password are still passed in 
clear-text between the telnet client and the router.

2) They're not mutually exclusive.  You can use SSH and Tacacs+ 
together.  In fact, this is the best way to remotely manage your 
routers if you don't have out-of-band access.

Regards,
Kent

On 28 Mar 2001, at 14:30, West, Karl wrote:

> What about TACACS+/cisco SecureAcs on your routers!
> 
> -Original Message-
> From: Simmons, Chad [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 26, 2001 7:49 AM
> To: 'Glenn Johnson '; '[EMAIL PROTECTED] '
> Subject: RE: Implementing SSH on Cisco IOS
> 
> 
> Last time I asked a few months ago they had no plans.
> 
> Chad A. Simmons, MCSE, CCNP, CCDP
> Network Consultant
> Court Square Data Group, Inc.
> www.csdg.com
> 
> -Original Message-
> From: Glenn Johnson
> To: [EMAIL PROTECTED]
> Sent: 3/26/01 1:39 AM
> Subject: RE: Implementing SSH on Cisco IOS
> 
> Related Q: Anyone know if Cisco has plans to support SSH2 anytime
> soon?
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Simmons, Chad
> Sent: Sunday, March 25, 2001 11:00 PM
> To: 'Sean Young'; [EMAIL PROTECTED]
> Subject: RE: Implementing SSH on Cisco IOS
> 
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t1/sshv1.htm
> 
> Supported Platforms
> Cisco 1700 series
> Cisco 2600 series
> Cisco 3600 series
> Cisco 7200 series
> Cisco 7500 series
> Cisco ubr920 series
> 
> But it does require a DES or 3Des software image. You may want to
> check CCO before posting erroneous info.
> 
> Best Regards,
> 
> Chad A. Simmons, MCSE, CCNP, CCDP
> Network Consultant
> Network Services Group
> Court Square Data Group, Inc.
> 1391 Main St.
> Springfield, Ma. 01103
> (413) 746-0054 (Phone)
> (413) 746-0058 (Fax)
> [EMAIL PROTECTED]
> http://www.csdg.com
> Information solutions that work in the real world.
> 
> 
> -Original Message-
> From: Sean Young [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, March 25, 2001 10:50 PM
> To: [EMAIL PROTECTED]
> Subject: Implementing SSH on Cisco IOS
> 
> 
> Doesn't Cisco realize that telnet is a security risk on Cisco devices
> especially for those of us who often have to telnet to the router remotely
> to fix/troubleshoot problems?  Because username and password are
> traveling across the Internet in CLEAR TEXT, the risk is too great.  I
> work for a company that would not allow us to telnet to the router
> from the Internet to our company routers and switches.  I know that
> SSH (version 1) is available on IOS 12.1.x (only on 7000 and GSR
> platforms).  Why don't they just implement SSH on all platforms?  It
> is not that difficult to do this (in my opinion). Because of SSH
> lacking in Cisco IOS, I have to drive all the way to work to
> troubleshoot when there is a problem. This sucks.  You could implement
> all the access-lists you like; however, the problem is that telnet will
> not encrypt information especially username and password across the
> Internet.  SSH is widely implemented on almost all of Unix flavor and
> Juniper as well.  How difficult is it to implement it on Cisco IOS?
> 
> Anyone disagree?
> 
> Sean
> 
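Kent's two points (Telnet exposes the login between client and router even when TACACS+ is in use, and SSH and TACACS+ can be combined) can be checked mechanically against a saved configuration. The script below is an added example, not part of the thread: the sample configurations and the 192.0.2.10 server address are constructed, and treating a vty line with no `transport input` statement as Telnet-capable is an assumption about the older IOS default.

```python
import re

# Constructed sample configurations (not taken from the thread).
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
!
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 192.0.2.10
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

SSH_ONLY_LOCAL_CONFIG = """\
line vty 0 4
 login local
 transport input ssh
"""


def audit_remote_access(config_text):
    """Report vty lines that still accept Telnet and whether logins use TACACS+."""
    aaa_new_model = False
    tacacs_login_list = False
    transport = {}      # "line vty 0 4" -> protocol list, or None when unset
    current_vty = None

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line[0] != " ":
            # A top-level command closes whatever line block was open.
            current_vty = None
            if line == "aaa new-model":
                aaa_new_model = True
            elif re.match(r"aaa authentication login \S+ .*\bgroup tacacs\+", line):
                tacacs_login_list = True
            elif re.match(r"line vty \d+( \d+)?$", line):
                current_vty = line
                transport[current_vty] = None
        elif current_vty and line.strip().startswith("transport input"):
            transport[current_vty] = line.split()[2:]

    # Assumption: an unset transport is treated as permitting Telnet.
    telnet_vty = [vty for vty, protos in transport.items()
                  if protos is None or "telnet" in protos or "all" in protos]
    tacacs_login = aaa_new_model and tacacs_login_list
    return {
        "telnet_vty": telnet_vty,
        "tacacs_login": tacacs_login,
        "ok": not telnet_vty and tacacs_login,
    }


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("ssh-only, local login", SSH_ONLY_LOCAL_CONFIG)]:
        print(name, audit_remote_access(cfg))
```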



Token Ring Question

2001-03-29 Thread Vincent

I am not familiar with Token Ring. I am just wondering why, when I insert 2
routers into the token ring hub,
one of the interfaces is up/down all the time.

Thanks
Vincent





Re: PIX+Router+Frame relay to internet

2001-03-29 Thread kent . hundley

Murat,

My comment is don't do this.  It violates a very fundamental 
principle of network security, "keep your untrusted and your trusted 
networks physically separated".  There should also be no way for 
an untrusted network to bypass your firewall, which there is in this 
design.  

There are lots of issues with this setup, but the most basic is that 
you would need to bring untrusted traffic into the router, forward it 
to the PIX, have the PIX forward it back to the same router and then 
to the remote sites.  Depending on how many LAN interfaces your 
router has, you could probably make this happen, but it's just not a 
good idea.  

If for any reason something in your configuration isn't setup 
correctly, packets from the Internet could reach other remote sites 
on your FR network without going through the firewall.  In a good 
perimeter design, this should not be possible.

I realize that this was probably setup this way to save money, but 
how much money would it cost the company to have their entire 
network compromised?  

If cost is the primary concern, save the money on the PIX, use a 
cheaper FW solution and get a separate physical line for your 
Internet connection and a separate router.  

HTH,
Kent

On 29 Mar 2001, at 10:19, Murat Kirmaci wrote:

> Hello Everybody,
> I would like to learn if I have got a Cisco router connected to frame
> relay network and over this frame relay network there are connections
> to their remote offices and another pvc to the INTERNET (not a
> separate leased line), in addition to this also I have to insert a PIX
> firewall into this structure.
> 
> I would be pleased to get your comments about this type of networks.
> should I do NAT in the router? If yes then How will I insert the PIX?
> 
> 
> Murat KIRMACI
> 



Re: FW: UPDATE: OSPF overriding 'no ip classless'

2001-03-29 Thread John Neiberger

Well, there are two different issues.  You're talking about the way the
routing protocols themselves behave: whether they pass subnet mask
information or not.  The issue here is routing table lookups, not how
those routes are installed.  

With 'no ip classless' configured, even if there is a valid supernet
route in the routing table--including a 0.0.0.0/0 default route--the
router should not choose it.  For some reason, at least on my routers,
if OSPF is running it changes this behavior.  

This is pretty odd.  To be consistent Cisco should cause the
configuration to change to 'ip classless' when an OSPF process is
configured.  

Hey, here's something I didn't try!  Someone should do this during the
day since I won't be able to do it until tonight.  Run OSPF *and*
another routing protocol, let's say RIP, but use RIP to advertise the
default route, not OSPF.  That would be an interesting test to see if
the router is behaving classlessly only for OSPF-learned routes or if it
really makes the router become completely classless.

Okay, I need to get started on my coffee.  

John

>>> "Stull, Cory" <[EMAIL PROTECTED]> 3/29/01 7:50:04 AM >>>
John,

I haven't followed this as closely as I should have before answering but I
hope I am guessing correctly here...  OSPF sends the subnet information
along with it when it does its routing updates, the only way to have it
behave classfully is to manually summarize.  The reason the other protocols
were working the way they were is because they either A) don't send subnet
information in the updates or B) were autosummarizing at the classful
network boundary like EIGRP does.

Am I way off base here?   I'm working on an OSPF type lab right now too so
let me know.

Cory

-Original Message-
From: Bob Vance [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 29, 2001 8:22 AM
To: CISCO_GroupStudy List (E-mail)
Subject: RE: UPDATE: OSPF overriding 'no ip classless'


Interesting :)
And, of course, if it were a designed feature, it should be documented.
Someone should call this in.



-
Tks| 
BV | 
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430   11455 Lakefield Dr.
Fax 770-623-3429   Duluth, GA 30097-1511
=





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Thursday, March 29, 2001 12:23 AM
To: [EMAIL PROTECTED] 
Subject: UPDATE: OSPF overriding 'no ip classless'


Okay, here are my latest findings.  Bob and others wanted me to try various
supernet routes to see how the routers reacted.  Well, I did, and the router
with 'no ip classless' is definitely behaving classlessly when OSPF is
running.

First, a recap.  I have router A connected to router B and am running OSPF.
Router A is originating a default route, and Router B has 'no ip classless'
configured.  The prefix for the link is 10.1.1.0/24.

By all official explanations of 'no ip classless', in this scenario if I
tried to ping an unknown subnet of 10.0.0.0/8, it would fail and debugging
would show that the packets were unroutable.  This is true when I used RIP
v1, RIP v2, IGRP, and EIGRP.  However, when I use OSPF it's a whole 'nuther
story!  It shouldn't matter how the routes are installed, but for some
reason, Router B behaves as if 'ip classless' were configured if I run OSPF.

Tonight, I first tried the original experiment and originated 0.0.0.0/0.
Router B behaved classlessly and would route packets for ANY destination to
Router A.

Next, I tried redistributing the static route for 10.0.0.0/8.  Packets for
any subnet of 10.0.0.0/8 would be routed, all other destinations would fail.
Again, classless behavior.

Thirdly, I redistributed a route for 8.0.0.0/5 just for grins.  Packets
destined for anything in that range were routed (8.0.0.0/8 through
11.0.0.0/8) but all other unknown subnets failed.

Ah!!  I've tried this on two different routers and three different IOS
versions and I get the same results.  Where is it written that when OSPF is
running that the router will now behave classlessly in spite of 'no ip
classless' being in the configuration?

I guess I have no problem with this, I just wish they would document it
somewhere.  If someone would like to try these tests to verify the results
I'd appreciate it.  I'd love to get some verification so I know I'm not just
losing my mind.

Thanks!
John





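The lookup rule John describes in his reply can be modelled in a few lines to show what Router B was expected to do versus what he observed. This is an added example, not code from the thread: it assumes the rule exactly as he states it (once the router knows any subnet of the destination's major network, supernet and default routes are not eligible), and it replays his default-route and 8.0.0.0/5 tests with constructed destination addresses.

```python
import ipaddress


def major_network(addr):
    """Classful (major) network that contains an IPv4 address."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    elif first_octet < 224:
        prefix = 24      # class C
    else:
        raise ValueError("class D/E addresses have no major network")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup(routes, dest, ip_classless):
    """Return the prefix chosen for dest, or None if the packet is unroutable."""
    dest = ipaddress.ip_address(dest)
    table = [ipaddress.ip_network(r) for r in routes]
    candidates = [r for r in table if dest in r]

    if not ip_classless:
        major = major_network(dest)
        # Does the table hold any subnet of the destination's major network?
        knows_subnet = any(r != major and r.subnet_of(major) for r in table)
        if knows_subnet:
            # Assumed rule: routes shorter than the classful mask
            # (supernets and the default route) are no longer eligible.
            candidates = [r for r in candidates if r.prefixlen >= major.prefixlen]

    best = max(candidates, key=lambda r: r.prefixlen, default=None)
    return str(best) if best is not None else None


# Router B's table in the two tests: the connected link from the thread plus
# the route learned from Router A.
WITH_DEFAULT = ["10.1.1.0/24", "0.0.0.0/0"]
WITH_SUPERNET = ["10.1.1.0/24", "8.0.0.0/5"]


def replay(routes, dest):
    """Expected result with 'no ip classless' next to the 'ip classless' result."""
    return {
        "no ip classless": lookup(routes, dest, ip_classless=False),
        "ip classless": lookup(routes, dest, ip_classless=True),
    }


if __name__ == "__main__":
    # 10.2.2.2 is a constructed address in an unknown subnet of 10.0.0.0/8.
    print("default route :", replay(WITH_DEFAULT, "10.2.2.2"))
    print("8.0.0.0/5     :", replay(WITH_SUPERNET, "10.2.2.2"))
    # No subnet of 9.0.0.0/8 is known, so the supernet is usable either way.
    print("9.1.1.1       :", replay(WITH_SUPERNET, "9.1.1.1"))
```

The "ip classless" column matches what John reports seeing with OSPF running; the "no ip classless" column is what the stated rule predicts.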

Re: actual speed (BW) on a Frame-Relay circuit

2001-03-29 Thread John Neiberger

This is actually more complicated than you think.  :-)  Which do you
want to know, the speed of the link or the available bandwidth?  If it's
the latter, what do you mean by available?  Do you want to know the CIR?
Or how much you can burst over your CIR?

Let's say you have a frame relay T-1.  The speed of that link is always
1.544 Mbps.  If you send data across that link, regardless of the CIR,
the data is travelling at 1.544 Mbps!  Because it's frame relay, you
might be paying for a certain CIR which is a statistical parameter that
sometimes doesn't have much to do with how much data you can push across
that link.

In fact, if your provider isn't experiencing any congestion, then CIR
doesn't mean squat as far as I'm concerned.  Whenever you exceed your
CIR, frames in the cloud can be marked as Discard Eligible.  All that
means is that during times of congestion, those get dropped first.  If
there's no congestion, DE status doesn't mean much.

So, to answer your question...  The speed of the link is whatever your
link speed is.  The CIR can usually be seen by using the command
"show frame-relay map".

I hope that helps and didn't just confuse the issue more.  I may have
been imprecise, and if I have others will surely correct me.

Regards,
John

>>> <[EMAIL PROTECTED]> 3/29/01 6:57:53 AM >>>
Hi,

is there a command to check the actual speed (BW) or max BW used on a
Frame-Relay circuit.

Thanks,

Tarry.




Rommon on AS5300

2001-03-29 Thread ramius

I rebooted an AS5300 in my lab and it went into rommon. History:
CCO has been useless with these errors by the way.  I have been through all
rommon commands and have tried reloading the image through xmodem, but I get
a "transfer cancelled by remote user". (I have successfully done this
before) The key (I think) is getting rid of the flash error, but I have
replaced the flash and get the same result. I can't see why the bootflash:
does not work.

1. dir flash:
device does not contain a valid magic number
dir: cannot open device "flash:"

2.dir bootflash:
1383864 bytes (0x151db8)   0xfc16    c5300-boot-mz.120-4.T1

3.boot bootflash:
   loadprog: error - Invalid image for platform
   e_machine = 35, cpu_type = 59
   boot: cannot load "bootflash:"

Any ideas or insights?
thanks in advance

Ramius









Re: Advance Cisco PIX Configuration Exam - Passed!

2001-03-29 Thread GNOME

Hi

I am implementing PIX firewall. Can u recommend any Cisco course or books
for in-depth PIX exam preparation?

Thanks


"Richie, Nathan" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I passed the Advance PIX configuration exam last Friday.  Second time is a
> charm.  I used hands-on, course outline and Cisco's website to prepare for
> the exam.
>



Re: Asymmetric routing with 2 ABRs per area

2001-03-29 Thread Erick B.

Look into policy routing. Also, don't forget OSPF
prefers intra-area routes.
Example:

  r3
 / \
r1---r2

r1 to r2 is area 0 - Fast Ether
r1 to r3 is area 1 - 128k line
r2 to r3 is area 1 - T1 line

Traffic will go from r1 to r3 instead of r1 to r2 then
r3. To get it to go from r1 to r2 to r3 you need to
put the routers all in the same area or put the r1-r3
link in its own area.

--- Low How Ming <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> Need to find out if there is a method for avoiding
> asymmetric routing
> between 2 areas both with 2 ABRs and equal capacity
> links (E1 - 2.048Mbps).
> 
> I'm looking to influence flow of traffic to certain
> destinations to remain
> on a single link, and not have traffic to lets say
> 10.32.0.0/12 go out on
> link A (ABR A) and return on link B (ABR B).
> 
> If I have a range of addresses 10.0.0.0/12, I know I
> can split it between
> ABR A (10.0.0.0/13) and ABR B (10.8.0.0/13) - using
> area summary statements.
> But the difficulty is actually configuring the other
> ABR as a backup for the
> same routes.  I.e. ABR A backs up ABR B's range
> 10.8.0.0/13 and vice versa.
> 
> Is the above possible?
> 
> regards,
> Ming.






RE:

2001-03-29 Thread Maness, Drew

Can you identify the type of DOS?  What IOS is he running? If this is a
known bug is there a cisco bug track ID on it?

Thanks

Drew

-Original Message-
From: Sean Young [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 28, 2001 2:57 PM
To: [EMAIL PROTECTED]
Subject: 


Hi everyone,
I have a story that I wish to share with everyone.  One of my friends
works for a company that uses Cisco PIX as the firewall.  This afternoon,
he called and told me that the company firewall is experiencing a Denial
of Service (DOS) attack.  The attack is so heavy that the PIX just
simply gives up.  The company contacts Cisco and the TAC told my friend
that there is a bug in the Cisco PIX code and he will have to wait a
few days for the new code to arrive.  Frustrated, he decides to use his
workstation which is running NetBSD, put in an extra NIC, shutoff all
essential services but SSH and netfilter.  Amazingly, the new BSD
firewall withstands the DOS and connectivity is restored.

The point of the story.  Not everything from Cisco is good.  Their code
is just as buggy as everyone else's.  Just because it carries the name Cisco
doesn't mean it is safe.



Re: How do I backup the existing PIX ios 4.2 to a tftp server?

2001-03-29 Thread fartcatcher

Thanks for replying Gary. It looks as though 'copy' is not a valid command for 
version 4.2(2). I used the write net command to copy my config to a tftp 
server, but how do I backup the ios and not the config? Also, I have only one 
activation key for version 5.1(4), isn't that all I need?

Thanks,
fartcatcher

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] ("Gary 
Crouch") wrote:
>command is
>
>copy tftp://xxx.xxx.xxx.xxx/filename flash
>
>just sub your tftp address for the xxx.xxx.xxx.xxx and the name you want
>the file called for filename
>
>be sure to back up config as the upgrade wipes it out also copy down the
>Activation Key number you will need it if you lose it during the upgrade
>you will need to load each upgrade between 4.2 and 5.14 one at a time
>I just upgraded mine to 5.3(1) let me know if you need any help
>
>good luck
>
>
 fartcatcher <[EMAIL PROTECTED]> 03/28/01 04:00PM >>>
>Hello everyone,
>
>we're upgrading our PIX to 5.1.4 from 4.2 and I would like to know how to copy
>the ios to a tftp server as a backup. I have copied the config (write net...)
>but can't find out how to do the ios.
>
>Thank you
>fartcatcher.
>



Re: 2509 image (was 508-CS versus 2509/2511)

2001-03-29 Thread EA Louie

3 things to consider when asking for the 'good' IOS version to use:

1.  what purpose is the termserver going to serve?
2.  how much flash is onboard? (although apparently you can use a
compression utility to squeeze a larger image into smaller flash)
3.  what features do you want to use/experiment with?

anything marked GD from the 12.0 version tree should work fine.

Alex Lee <[EMAIL PROTECTED]> wrote in message
news:99vfsk$pr9$[EMAIL PROTECTED]...
> What is considered a good IOS version for c2509rj ?
>
>
> ""EA Louie"" <[EMAIL PROTECTED]> wrote in message
> news:99un8a$hek$[EMAIL PROTECTED]...
> > hmmm... if you have access to the 508-CS, it's old, but if it's running 9.21
> > then many of the minimal features of the 2509/11 are available.  know the
> > other line commands that go with the newer 12.0 IOS, though, because you may
> > need them in the lab  ;-)
> >
> > -e-
> >
> > Ken W. Alger <[EMAIL PROTECTED]> wrote in message
> > news:99ufk5$1jh$[EMAIL PROTECTED]...
> > > For a CCNP/CCIE lab, is a 508-CS sufficient to act as a terminal server or
> > > is it better to go for the 2509/11?
> > >
> > > Thanks,
> > > Ken



RE: Routers can't ping own interface

2001-03-29 Thread Jim Dixon

When I did a search, I didn't find a good answer right away but here is what
I did find.




Question: What is required to make pinging a local or remote interface work?

Answer: You must have a running Cisco router, configured for IP on that
interface, at the other end of the serial line. Since HEARSELF is defined on
the serial interface, the ping to our own address will go out the wire. The
router on the other end will send it back to us, and we will receive it.
We'll then send a ping response to ourselves out the wire, and the router on
the other end will send it back to us. Note that when we ping our own serial
address, the ping times are much larger than when we ping the other router's
address. This is because each packet goes on a path that is twice as long.

I found it at 
http://www.cisco.com/openf/TechTips/Internetworking/Protocols/291.html

-Original Message-
From: Robert Padjen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 28, 2001 4:29 PM
To: Vincent; [EMAIL PROTECTED]
Subject: Re: Routers can't ping own interface


Cisco routers employ 'hearself' on the serial
interfaces. A look at CCO should explain the details
and help you understand the specifics for this
problem.


--- Vincent <[EMAIL PROTECTED]> wrote:
> Hi;
>
> Can you ping 127.0.0.1
>
> Thanks
> Vincent
> <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> >
> > I have a question - please if I have overlooked something just point me in the
> > right direction, I'm not looking to be spoon fed. :) I looked through the Cisco
> > web site and documentation that I had but I was wondering if anyone else had
> > seen this.
> >
> > I have two routers in a test lab, a 2509 and a 2514. Without going into great
> > details regarding the way they are configured (I can certainly provide more
> > detail if necessary - I just figured this might be a simple dumb thing I
> > overlooked type question), neither router can ping their own serial port.
> > However, each can ping the others serial port. Both routers can ping their own
> > Ethernet port, but neither can ping the others. IP is the only protocol
> > configured,  the 2509 is configured as the DCE, the 2514 as the DTE. Both are
> > running IOS 11.3.
> >
> > There are other issues as well, but the whole "can't ping their own interface"
> > thing has me confused... any ideas?
> >
> > I'm going to scrap both configs today and start from scratch, but this was
> > driving me nuts!
> >
> > TIA
> >


=
Robert Padjen




Re: using cisco cd without CD????

2001-03-29 Thread Hugo

I would like to copy the CD to my HD so I don't have to take my external CD
drive with my laptop.
Does anyone know how to do this?
--
Hugo
[EMAIL PROTECTED]
""Groupstudy"" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Sounds like it was installed on a network drive.  Get a hold of the first
> disk in the two disk documentation set and reinstall it to your local hard
> drive.   It does not matter if you are connected to the Internet or not.
> There are a few links on the disk that do point to CCO though, just avoid
> them.  99.9% of the docs will be available directly from the CD.
>
> - Original Message -
> From: beth shriver <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 17, 2001 9:54 AM
> Subject: using cisco cd without network , why cant i?
>
>
> > I know this is a silly question and im  too
> > embarrassed to ask the guys at the office... but every
> > time i try to use my doc cd it gives me a blank page
> > unless im connected to a network how do i look at this
> > if im on a plane or something. I know this is simple
> > and pray no one from my office ever sees this! :)
> > can anyone discreetly help? hahaha
> > Thanks
> > Bethy
> >



Re: PIX+Router+Frame relay to internet

2001-03-29 Thread Allen May

What exactly are you trying to do?  I'm a little vague as to the layout.  Is
the other pvc in your office or a branch office on the frame-relay?  If it's
in another office and you're trying to get internet connection, the PIX
needs to be at the location with the internet pvc to keep traffic separated.
If it's in your office, the PIX would go there.

Let me know what you're trying to accomplish and I'll be glad to help you
out.

Allen
- Original Message -
From: "Murat Kirmaci" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 1:19 AM
Subject: PIX+Router+Frame relay to internet


> Hello Everybody,
> I would like to learn if I have got a Cisco router connected to frame relay
> network and over this frame relay network there are connections to their
> remote offices and another pvc to the INTERNET (not a separate leased line),
> in addition to this also I have to insert a PIX firewall into this
> structure.
>
> I would be pleased to get your comments about this type of networks. should
> I do NAT in the router? If yes then How will I insert the PIX?
>
>
> Murat KIRMACI
>



Re: Cisco PIX has been brought to its knee

2001-03-29 Thread Allen May

Not making accusations, but it's ironic that this story came out just after
we had a debate about this ;)

Just giving you a hard time..hehe.  No flames...just kidding.  Seriously. ;)
You're a kewl guy but I'm kewler..haha.

Hey why didn't he just block their IP?  Seems like a lot of work to build a
new firewall rather than just lock them out.  If he had IDS it could have
blocked them automatically.

There is the new 'stick' DoS attack that simulates hundreds of simultaneous
DoS attacks that is designed to bring IDS down.  Did he look in syslog to
see what kind of attack it was?  I'd be very interested in knowing what the
bug is in the PIX so I can follow up on this to keep our firewalls secure.
Also is he showing the DoS attacks were continuing with the new firewall or
did they assume the site was down during the time he was switching over?

I'm not taking sides...just curious & getting as much info as I can.  I'm
setting up a customer FreeBSD firewall with IPSec very soon & they will be
upgrading to a PIX soon after.  If I can verify this bug & what version
they're running I can recommend they wait until it's been resolved by TAC.

Allen
- Original Message -
From: "Sean Young" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 28, 2001 5:18 PM
Subject: Cisco PIX has been brought to its knee


> Hi everyone,
> I have a story that I wish to share with everyone.  One of my friends
> works for a company that uses Cisco PIX as the firewall.  This afternoon,
> he called and told me that the company firewall is experiencing a Denial
> of Service (DOS) attack.  The attack is so heavy that the PIX just
> simply gives up.  The company contacts Cisco and the TAC told my friend
> that there is a bug in the Cisco PIX code and he will have to wait a
> few days for the new code to arrive.  Frustrated, he decides to use his
> workstation which is running NetBSD, put in an extra NIC, shut off all
> essential services but SSH and netfilter.  Amazingly, the new BSD
> firewall withstands the DOS and connectivity is restored.
>
> The point of the story.  Not everything from Cisco is good.  Their code
> is just as buggy as everyone else's.  Just because it carries the name Cisco
> doesn't mean it is safe.
>



RE: FW: UPDATE: OSPF overriding 'no ip classless'

2001-03-29 Thread Bob Vance

Excellent !!
This is like the Energizer Bunny!

Hmmm.
You already tested adding a static default route (with lower admin
distance) and it changed the classless behavior, right?
Then you deleted the static and classless returned.

Just for completeness :) , it might be mildly interesting to add the
static with a higher admin than OSPF -- it won't show up in the routing
table and thus it shouldn't change the classless behavior like the lower
admin one did -- or would it ;>)
Also, allow OSPF also to advertise the default, along with RIP, and see
that since the OSPF route is in the table, it still subverts to
classless even though it knows that it also received a RIP route that it
is currently ignoring.

-
Tks        | 
BV     | 
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430   11455 Lakefield Dr.
Fax 770-623-3429   Duluth, GA 30097-1511
=





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Thursday, March 29, 2001 10:16 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: FW: UPDATE: OSPF overriding 'no ip classless'


Well, there are two different issues.  You're talking about the way the
routing protocols themselves behave: whether they pass subnet mask
information or not.  The issue here is routing table lookups, not how
those routes are installed.

With 'no ip classless' configured, even if there is a valid supernet
route in the routing table--including a 0.0.0.0/0 default route--the
router should not choose it.  For some reason, at least on my routers,
if OSPF is running it changes this behavior.

This is pretty odd.  To be consistent Cisco should cause the
configuration to change to 'ip classless' when an OSPF process is
configured.

Hey, here's something I didn't try!  Someone should do this during the
day since I won't be able to do it until tonight.  Run OSPF *and*
another routing protocol, let's say RIP, but use RIP to advertise the
default route, not OSPF.  That would be an interesting test to see if
the router is behaving classlessly only for OSPF-learned routes or if it
really makes the router become completely classless.

Okay, I need to get started on my coffee.  

John

>>> "Stull, Cory" <[EMAIL PROTECTED]> 3/29/01 7:50:04 AM >>>
John,

I haven't followed this as closely as I should have before answering but I
hope I am guessing correctly here...  OSPF sends the subnet information
along with it when it does its routing updates, the only way to have it
behave classfully is to manually summarize.  The reason the other protocols
were working the way they were is because they either A) don't send subnet
information in the updates or B) were autosummarizing at the classful
network boundary like EIGRP does.

Am I way off base here?   I'm working on an OSPF type lab right now too so
let me know.

Cory

-Original Message-
From: Bob Vance [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 8:22 AM
To: CISCO_GroupStudy List (E-mail)
Subject: RE: UPDATE: OSPF overriding 'no ip classless'


Interesting :)
And, of course, if it were a designed feature, it should be
documented.
Someone should call this in.



-
Tks| 
BV | 
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430   11455 Lakefield Dr.
Fax 770-623-3429   Duluth, GA 30097-1511
=





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Thursday, March 29, 2001 12:23 AM
To: [EMAIL PROTECTED]
Subject: UPDATE: OSPF overriding 'no ip classless'


Okay, here are my latest findings.  Bob and others wanted me to try various
supernet routes to see how the routers reacted.  Well, I did, and the router
with 'no ip classless' is definitely behaving classlessly when OSPF is
running.

First, a recap.  I have router A connected to router B and am running OSPF.
Router A is originating a default route, and Router B has 'no ip classless'
configured.  The prefix for the link is 10.1.1.0/24.

By all official explanations of 'no ip classless', in this scenario if I
tried to ping an unknown subnet of 10.0.0.0/8, it would fail and debugging
would show that the packets were unroutable.  This is true when I used RIP
v1, RIP v2, IGRP, and EIGRP.  However, when I use OSPF it's a whole 'nuther
story!  It shouldn't matter how the routes are installed, but for some
reason, Router B behaves as if 'ip classless' were configured if I run OSPF.

Tonight, I first tried the original experiment and originated 0.0.0.0/0.
Router B behaved classlessly and would route packets for ANY destination to
Router A.

Next, I tried redistributing the static route for 10.0.0.0/8.
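
The lookup rule that the recap above expects from 'no ip classless', modelled in Python as an added example (it is not IOS code and not part of any post in this thread). It models the documented classful behaviour, not the OSPF anomaly under discussion; Router A's address 10.1.1.1 and the next-hop labels are assumptions, and the two routes are the ones given in the recap.

```python
import ipaddress

# Router B's table as described in the recap: the connected link plus the
# default route originated by Router A (address 10.1.1.1 is assumed).
ROUTER_B = [
    ("10.1.1.0/24", "connected"),
    ("0.0.0.0/0", "default via 10.1.1.1"),
]


def major_network(addr):
    """Classful (A/B/C) network that contains addr; None for class D/E."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        return None
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def longest_match(dest, routes):
    """Most specific route containing dest, or None."""
    hits = [r for r in routes if dest in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def lookup(dest, table, classless):
    """Return the next-hop label chosen for dest, or None if unroutable."""
    dest = ipaddress.ip_address(dest)
    routes = [(ipaddress.ip_network(prefix), hop) for prefix, hop in table]
    if not classless:
        major = major_network(dest)
        # Classful rule: once any route inside the destination's major
        # network is known, only those routes may match. Supernets and the
        # default route are not consulted, so a miss means "unroutable".
        known = [r for r in routes
                 if major is not None and r[0].subnet_of(major)]
        if known:
            hit = longest_match(dest, known)
            return hit[1] if hit else None
    # Classless rule (or major network entirely unknown): plain longest match.
    hit = longest_match(dest, routes)
    return hit[1] if hit else None


if __name__ == "__main__":
    for dest in ("10.1.1.77", "10.2.2.2", "192.168.5.5"):
        print(f"{dest:12}  no ip classless: {lookup(dest, ROUTER_B, False)!s:22}"
              f"  ip classless: {lookup(dest, ROUTER_B, True)}")
```

Only the unknown subnet of 10.0.0.0/8 differs between the two modes; a destination in a major network the router knows nothing about still follows the default route either way.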

RE: Token Ring Question

2001-03-29 Thread Daniel Cotts

Both routers have the same ring speed?
Verify the cables. Verify the MAU. Divide a problem into smaller parts. Then
test each part. Substitute a questionable item for a known good item. If the
new arrangement now fails the questionable item is defective. Conversely if
the new arrangement works the questionable item is good. etc. 

> -Original Message-
> From: Vincent [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 29, 2001 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: Token Ring Question
> 
> 
> For I am not familiar with TokenRing. I just wondering how come i insert 2
> router into the token ring hub,
> one of the interface is up/down all the time.
> 
> Thanks
> Vincent
> 
> 


Cvoice

2001-03-29 Thread Ruddy Cordero

For you guys and girls that have CVOICE
specializations. Does Cisco send you a certificate or
card for passing the CVOICE?



RE: FW: UPDATE: OSPF overriding 'no ip classless'

2001-03-29 Thread John Neiberger

One thing I didn't try, which you might be alluding to, is allowing OSPF
to advertise the default (which was causing classless behavior) but then
also manually add a static default on router B.  I have not tried that
yet.  I did try the manual static default route without OSPF advertising
the default and the router behaved classfully.

Then, as you suggest, I could change the distance on the manually added
default to see what happens.  So, there are two more things to try right
there.  

You're right Bob, this just keeps going and going and going  I just
want to hear someone from Cisco say "Whoops, didn't we tell you about
that?  Sorry, forgot...we'll go document that feature now."  

Either that or I want to find out I've been missing something this
whole time.  Certainly I can't be the first person to notice this,
especially since I've tried this with older IOS versions.  

>>> "Bob Vance" <[EMAIL PROTECTED]> 3/29/01 9:53:36 AM >>>
Excellent !!
This is like the Energizer Bunny!

Hmmm.
You already tested adding a static default route (with lower admin
distance) and it changed the classless behavior, right?
Then you deleted the static and classless returned.

Just for completeness :) , it might be mildly interesting to add the
static with a higher admin than OSPF -- it won't show up in the routing
table and thus it shouldn't change the classless behavior like the lower
admin one did -- or would it ;>)
Also, allow OSPF also to advertise the default, along with RIP, and see
that since the OSPF route is in the table, it still subverts to
classless even though it knows that it also received a RIP route that it
is currently ignoring.

-
Tks| 
BV | 
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430   11455 Lakefield Dr.
Fax 770-623-3429   Duluth, GA 30097-1511
=





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Thursday, March 29, 2001 10:16 AM
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] 
Subject: Re: FW: UPDATE: OSPF overriding 'no ip classless'


Well, there are two different issues.  You're talking about the way the
routing protocols themselves behave: whether they pass subnet mask
information or not.  The issue here is routing table lookups, not how
those routes are installed.

With 'no ip classless' configured, even if there is a valid supernet
route in the routing table--including a 0.0.0.0/0 default route--the
router should not choose it.  For some reason, at least on my routers,
if OSPF is running it changes this behavior.

This is pretty odd.  To be consistent Cisco should cause the
configuration to change to 'ip classless' when an OSPF process is
configured.

Hey, here's something I didn't try!  Someone should do this during the
day since I won't be able to do it until tonight.  Run OSPF *and*
another routing protocol, let's say RIP, but use RIP to advertise the
default route, not OSPF.  That would be an interesting test to see if
the router is behaving classlessly only for OSPF-learned routes or if it
really makes the router become completely classless.

Okay, I need to get started on my coffee.  

John

>>> "Stull, Cory" <[EMAIL PROTECTED]> 3/29/01 7:50:04 AM >>>
John,

I haven't followed this as closely as I should have before answering but I
hope I am guessing correctly here...  OSPF sends the subnet information
along with it when it does its routing updates, the only way to have it
behave classfully is to manually summarize.  The reason the other protocols
were working the way they were is because they either A) don't send subnet
information in the updates or B) were autosummarizing at the classful
network boundary like EIGRP does.

Am I way off base here?   I'm working on an OSPF type lab right now too so
let me know.

Cory

-Original Message-
From: Bob Vance [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 29, 2001 8:22 AM
To: CISCO_GroupStudy List (E-mail)
Subject: RE: UPDATE: OSPF overriding 'no ip classless'


Interesting :)
And, of course, if it were a designed feature, it should be
documented.
Someone should call this in.



-
Tks| 
BV | 
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430   11455 Lakefield Dr.
Fax 770-623-3429   Duluth, GA 30097-1511
=





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Thursday, March 29, 2001 12:23 AM
To: [EMAIL PROTECTED] 
Subject: UPDATE: OSPF overriding 'no ip classless'


Okay, here are my latest findings.  Bob and others wanted me to try various
supernet routes to see how the routers reacted.  Well, I did, and the router
w

Re: Can we find the PC's IP address connect to particular switch port?

2001-03-29 Thread EA Louie

Identification of PC's

Q1 - you can get the IP address of the PC  if you know the MAC address of
the NIC in the PC.  That MAC address/PC mapping is a good table to keep
somewhere, where you associate the MAC address with an office location
(especially if you're using DHCP and assigning dynamic IP addresses) and a
PC name.  Then, you can get the MAC-IP association from the ARP table in the
switch or the default gateway (router) for that network segment.

Q2 - sure you can!  what you need to know about the PC's in question are the
MAC address of the NIC (network interface card), and associate that MAC
address with a location.  In a cisco switch, depending on the operating
system, you can show cam  or use menu options which gives you a listing of
the MAC addresses associated with the ports.

- Original Message -
From: Richard spalding <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 27, 2001 6:21 PM
Subject: Can we find the PC's IP address connect to particular switch port?


> Can we find the PC's IP address connect to particular switch port?  Or for a
> PC , can we know which port of the switch it connect to, other than tracing
> the cable???
>
> Richard
>
>

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
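
The MAC-to-port and MAC-to-IP correlation described in the reply above, as an added Python example (not part of the original post). The two captures are constructed samples in the layout of CatOS `show cam dynamic` and IOS `show ip arp`; every address and port in them is made up, and the function names are hypothetical.

```python
import re

# Constructed sample: router ARP table in the "show ip arp" layout.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0c07.ac01  ARPA   Ethernet0
Internet  10.1.1.23              12   0010.a4b1.22f0  ARPA   Ethernet0
Internet  10.1.1.57               3   0050.04c3.9e11  ARPA   Ethernet0
"""

# Constructed sample: switch CAM table in the "show cam dynamic" layout.
CAM_OUTPUT = """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
1     00-10-a4-b1-22-f0             2/3 [ALL]
1     00-50-04-c3-9e-11             2/7 [ALL]
1     00-e0-1e-68-33-c7             2/7 [ALL]
Total Matching CAM Entries Displayed = 3
"""

# The router prints MACs as xxxx.xxxx.xxxx, the switch as xx-xx-xx-xx-xx-xx.
MAC_RE = re.compile(
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}",
    re.IGNORECASE,
)


def norm_mac(text):
    """Reduce a MAC in either notation to 12 lowercase hex digits, or None."""
    match = MAC_RE.fullmatch(text)
    if not match:
        return None
    return re.sub(r"[^0-9a-f]", "", match.group(0).lower())


def parse_arp(text):
    """Map normalised MAC -> IP; header and 'Incomplete' rows are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            mac = norm_mac(fields[3])
            if mac:
                table[mac] = fields[1]
    return table


def parse_cam(text):
    """Return (port, vlan, mac) for every data row of the CAM listing."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit():
            mac = norm_mac(fields[1])
            if mac:
                entries.append((fields[2], int(fields[0]), mac))
    return entries


def port_inventory(arp_text, cam_text):
    """Join both tables on MAC.

    Returns (ports, unlocated): ports maps a switch port to its stations,
    each with the IP from ARP or None; unlocated holds the IPs whose MAC
    the switch has not learned on any port.
    """
    arp = parse_arp(arp_text)
    ports = {}
    for port, vlan, mac in parse_cam(cam_text):
        ports.setdefault(port, []).append(
            {"vlan": vlan, "mac": mac, "ip": arp.get(mac)})
    seen = {row["mac"] for rows in ports.values() for row in rows}
    unlocated = {ip for mac, ip in arp.items() if mac not in seen}
    return ports, unlocated


if __name__ == "__main__":
    ports, unlocated = port_inventory(ARP_OUTPUT, CAM_OUTPUT)
    for port, rows in sorted(ports.items()):
        for row in rows:
            print(port, row["mac"], row["ip"] or "(no ARP entry)")
    print("in ARP but not in CAM:", sorted(unlocated))
```

A port with more than one MAC usually means a hub or another switch hangs off it, and a MAC with no ARP entry is a station the gateway has not exchanged IP traffic with recently.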



Re: IT Career Academy?

2001-03-29 Thread Jonathan Hays

That's a good joke any way you slice it, Howard.

"Howard C. Berkowitz" wrote:

> >Mask Of Zorro wrote:
> >
> >>
> >>  only written tests... Anybody with enough time to read all of the exam crams
> >>  and study guides for these exams can pass them.
> >>
> >>  Can that same person be of much use in a real production environment?
> >>  Probably not. But I have seen people do this - many people. In fact, I would
> >>
> >
> >It depends. The guy I hired a year ago had a paper CCNA and no IT
> >experience at all (he used to be a baker during previous 15 years). He
> >was (and is) doing very good and passed his BSCMSN yesterday.
> >
> >/felis
>
> I wonder if he ever made seven-layer cakes in his previous career?
> Might have been good OSI preparation.
>

--
Jonathan Hays
Acropolis Systems, Inc.
(408) 935-3016





RE: Token Ring Question

2001-03-29 Thread NP-BASS LEON

If you are attempting to plug two Token-Ring cables into one MAU, just make
sure both of those interfaces are on the same network (Which really wouldn't
give you much), But just to test this, get two MAU's do not connect them to
any part of your network, place one cable in one MAU and the other cable in
the second MAU, your beacon errors will go away. The reason you are
beaconing, is the first one to initialize is boss, so when you come with
another connection, the MAU has already been taken. Run the test and you
will see, I'm right.

-Original Message-
From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 11:45 AM
To: 'Vincent'; [EMAIL PROTECTED]
Subject: RE: Token Ring Question


Both routers have the same ring speed?
Verify the cables. Verify the MAU. Divide a problem into smaller parts. Then
test each part. Substitute a questionable item for a known good item. If the
new arrangement now fails the questionable item is defective. Conversely if
the new arrangement works the questionable item is good. etc. 

> -Original Message-
> From: Vincent [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 29, 2001 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: Token Ring Question
> 
> 
> For I am not familiar with TokenRing. I just wondering how come i insert 2
> router into the token ring hub,
> one of the interface is up/down all the time.
> 
> Thanks
> Vincent
> 
> 



Re: Cisco Terminal server - does anyone know other options??

2001-03-29 Thread Brian

Perhaps an old Livingston PM-2?

Bri

On Tue, 27 Mar 2001, KP wrote:

> Does anyone know of another option for a terminal server outside of a CS-5xx
> or 25xx.  I would love to put a terminal server off my cable modem
> connection (legal IP address) and be able to reverse telnet from it.  I have
> a bunch of 2500's, a 4000 and T/R and Ethernet switches I would need to
> connect to.  I looked at a xyplex max 1600, the one's on ebay do not have
> software or flash card, and am looking to stay under $100.
>
> Thanks
>
>



Cannot see the Serial Interface at all..

2001-03-29 Thread Kumar, N K. Satish, BCARE

I have a Cisco 2524 with a removable T1 card. While Cisco is booting it
says service-module check passed, but when I see the interfaces it just has
the Ethernet, NO serial interface at all...

tried removing/replacing no luck

Any help greatly appreciated.

Thanks
Satish




Re: Routers can't ping own interface

2001-03-29 Thread pmcallister



To all who offered to help by looking at configs etc, thank you. One of my
"helpful" co-workers decided to load a backup config on the routers in question
last night thereby blowing away my config. On top of that another co-worker blew
away the workstation holding the config I had made along with all the other
backups, the tftp server etc... so I guess this shall remain a mystery.

The only upside I suppose is that if I screwed this up once, it is quite
possible I'll do it again

In answer to Howard's queries, the answer to both is yes, but it depends on who
you ask which question.  :)





RE: Cvoice

2001-03-29 Thread Dmitry Kuzin

When I passed my CVOICE exam, I got nothing... :(

___
WBR,
Dmitry Kuzin.
CCSI#22706
CompTek Int.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ruddy Cordero
Sent: Thursday, March 29, 2001 8:58 PM
To: [EMAIL PROTECTED]
Subject: Cvoice


For you guys and girls that have CVOICE
specializations. Does Cisco send you a certificate or
card for passing the CVOICE?




IP Movie -- Warriors Of The Net

2001-03-29 Thread Erick B.


For those who liked www.routergod.com check out

www.warriorsofthe.net

They have a movie about how IP works.





Re: Advance Cisco PIX Configuration Exam - Passed!

2001-03-29 Thread Moe Tavakoli

The best way to go about this from what I can tell, is
to go on CCO and get the config guides in the
documentation section.  If this is your first install
you may get confused.  If you like send some detail on
your config and I can give you a list of commands to
look at. 

Moe.

--- GNOME <[EMAIL PROTECTED]> wrote:
> Hi
> 
> I am implementing PIX firewall. Can u recommend any
> Cisco course or books
> for in-depth PIX exam preparation?
> 
> Thanks
> 
> 
> "Richie, Nathan" <[EMAIL PROTECTED]> wrote in
> message news:[EMAIL PROTECTED]...
> > I passed the Advance PIX configuration exam last
> Friday.  Second time is a
> > charm.  I used hands-on, course outline and
> Cisco's website to prepare for
> > the exam.
> >


=
_
Moe Tavakoli




Re: Cisco PIX has been brought to its knee

2001-03-29 Thread Moe Tavakoli

Ok, hope Sean doesn't get his feelings hurt but here's a
bit of my Criminal Law School training coming out:

Given the fact that you (Sean) were going to any means
to "prove" that a Linux based firewall is better than
a PIX for the last week or so, this email of yours has
very little credibility.  You went to lengths to prove
your point.  Some points valid and others not so valid.
So it's not much of a stretch for you to send this
email out without any "real" backing.
From the technical side I would like to know what kind
of connection your "friend" has to the Internet.  Even
if this guy had a 515, it would take somewhere in the
excess of 50mbps (from my findings) to bring the PIX
to a level where you could say that "it has been
brought to its knees".  Furthermore, there aren't many
instances (and I know I may be putting my foot in my
mouth here) where anyone has questioned that the PIX
is the best performing firewall on the market.
If there is some truth in your story I would have to
say that your "friend" had a mis-configured PIX.  Maybe
the damn thing was running at 10mbps and
half-duplex. (the half duplex happens quite often
in auto-neg.)

Just some thoughts.

Moe.

--- Jay Swan <[EMAIL PROTECTED]> wrote:
> What version of the code was he running? I seem to
> remember reading
> somewhere recently a cross-vendor firewall
> evaluation where the PIX came out
> very well in the anti-DoS category.
> 
> Thanks,
> Jay
> 
> 
> ""Sean Young"" <[EMAIL PROTECTED]> wrote in
> message news:[EMAIL PROTECTED]...
> > Hi everyone,
> > I have a story that wish to share with everyone. 
> One of my friends
> > works for a company that uses Cisco PIX as the
> firewall.  This afternoon,
> > he called and told me that the company firewall is
> experiencing a Denial
> > of Service (DOS) attack.  The attack is so heavy
> that the PIX is just
> > simply gives up.  The company contacts Cisco and
> the TAC told my friend
> > that there is a bug in the Cisco PIX code and he
> will have to wait a
> > few days for the new code to arrive.  Frustrated,
> he decides to use his
> > workstation which is running NetBSD, put in an
> extra NIC, shutoff all
> > essential services but SSH and netfilter. 
> Amazingly, the new BSD
> > firewall withstand the DOS and connectivity is
> restored.
> >
> > The point of the story.  Not everything from Cisco
> is good.  Their code
> > is just buggy as everyone else.  Just because it
> carries the name Cisco
> > doesn't mean it is safe.
> >
> >


=
_
Moe Tavakoli




Re: Cannot see the Serial Interface at all..

2001-03-29 Thread Bob Timmons

I have the same router, same T1 card.  Is this a new unit, was
it ever working?

When I do a "show int", I get the following output:

Serial0 is up, line protocol is up   (This is my T1)
  Hardware is HD64570 with FT1 CSU/DSU

Serial1 is administratively down, line protocol is down   (This is empty)
  Hardware is HD64570

"Show controller" gives me:

HD unit 0, idb = 0xB8FB8, driver structure at 0xBE268   (T1 card)
buffer size 1524  HD unit 0, Integrated FT1 CSU/DSU module

HD unit 1, idb = 0xC3018, driver structure at 0xC82C8   (Empty)
buffer size 1524  HD unit 1, No module present

I'd say that if you don't 'see' the hardware in these statements, you'd
probably want to call TAC.  Not much we can do here for bad hardware.

Bob

> I have a Cisco 2524 with a removable T1 card. While Cisco is booting it
> says service-module check passed but when I see the interfaces it just has
> the Ethernet, NO serial interface at all...
>
> tried removing/replacing no luck
>
> Any help greatly appreciated.
>
> Thanks
> Satish
>



Re: PIX+Router+Frame relay to internet

2001-03-29 Thread Howard C. Berkowitz

At 9:17 AM -0800 3/29/01, [EMAIL PROTECTED] made some very 
interesting points:
>Murat,
>
>My comment is don't do this.  It violates a very fundamental
>principle of network security, "keep your untrusted and your trusted
>networks physically separated".


In the classified world with RED/BLACK isolation criteria, devices 
handling RED (i.e., cleartext of classified traffic) are physically 
separated from BLACK (carrying ciphertext or unclassified traffic). 
This may be enforced either by putting the devices too far apart to 
patch between with patchcords allowed into the crypto area, or by 
using physically different connectors on RED and BLACK so that you 
CANNOT plug red into black (without a Really Big hammer).

>  There should also be no way for
>an untrusted network to bypass your firewall, which there is in this
>design.


Kent, I'd be interested in your opinion about an approach I've 
increasingly used.  Do you consider it evil?

Traffic comes onto the DMZ from an external screening router.  If it 
is destined for anything not on the DMZ, the options include:

-- for IPsec transport mode and other encrypted traffic, send to
   a router with basic filtering (e.g., verify reverse path and drop
   traffic with source addresses and your internal network) and traffic
   policing (to prevent flooding), and let it into the network.  A firewall
   not participating in the end-to-end encryption can't do anything with
   the packet -- why load up the firewall with conduits?

-- for traffic using SSL proxies, send to an appropriate gateway, which
   MAY be the firewall.  Same thing for IPsec tunnel mode security
   gateways.

-- for cleartext traffic requesting access to servers, run through
   conventional firewalling.

Of course, load balancing and failover makes this even more complex, 
but let's start with security

>
>There are lots of issues with this setup, but the most basic is that
>you would need to bring untrusted traffic into the router, forward it
>to the PIX, have the PIX forward it back to the same router and then
>to the remote sites.  Depending on how many LAN interfaces your
>router has, you could probably make this happen, but it's just not a
>good idea.
>
>If for any reason something in your configuration isn't set up
>correctly, packets from the Internet could reach other remote sites
>on your FR network without going through the firewall.  In a good
>perimeter design, this should not be possible.
>
>I realize that this was probably set up this way to save money, but
>how much money would it cost the company to have their entire
>network compromised?
>
>If cost is the primary concern, save the money on the PIX, use a
>cheaper FW solution and get a separate physical line for your
>Internet connection and a separate router. 
>
>HTH,
>Kent   
>
>On 29 Mar 2001, at 10:19, Murat Kirmaci wrote:
>
>>  Hello Everybody,
>>  I would like to learn if I have got a Cisco router connected to frame
>>  relay network and over this frame relay network there are connections
>>  to their remote offices and another pvc to the INTERNET (not a
>>  separate leased line), in addition to this also I have to insert a PIX
>>  firewall into this structure.
>>
>>  I would be pleased to get your comments about this type of networks.
>>  Should I do NAT in the router? If yes then how will I insert the PIX?




FEC and multi link trunking

2001-03-29 Thread Jack

are they pretty much one and the same thing?





Re: Routers can't ping own interface

2001-03-29 Thread Mask Of Zorro

With co-workers like those, who needs enemas?

Z


>From: [EMAIL PROTECTED]
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Routers can't ping own interface
>Date: Thu, 29 Mar 2001 12:24:14 -0500
>
>To all who offered to help by looking at configs etc, thank you. One of my
>"helpful" co-workers decided to load a backup config on the routers in 
>question
>last night thereby blowing away my config. On top of that another co-worker 
>blew
>away the workstation holding the config I had made along with all the other
>backups, the tftp server etc.so I guess this shall remain a 
>mystery.
>
>The only upside I suppose is that if I screwed this up once, it is quite
>possible I'll do it again
>
>In answer to Howard's queries, the answer to both is yes, but it depends on 
>who
>you ask which question.  :)
>
>



Re: EIGRP clarification

2001-03-29 Thread Mask Of Zorro


Look at all those routing technologies - they are all different; except 
*that* one, it's the same...

Z

>From: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
>Reply-To: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: EIGRP clarification
>Date: Wed, 28 Mar 2001 23:19:21 -0500
>
> >   Preparing for my BSCN exam, I have found myself unclear as to whether 
>or
> >not EIGRP is in fact a Hybrid or Distance-Vector protocol. All the Cisco
> >classes I've been to have always referred to EIGRP as a Balanced Hybrid
> >protocol, now studying for my CCNP, I am finding EIGRP referred to as a
> >Distance-vector protocol???...How is this possible? Thanks...
>
>
>  From a technical standpoint, EIGRP is emphatically distance vector.
>  From a marketing standpoint, Cisco has called it "hybrid," which has
>no accepted technical meaning. Training and certification have picked
>up that terminology.
>
>"Hybrid" is an attempt to differentiate EIGRP, and its DUAL
>algorithm, from the problems of first and second generation DV
>protocols. JJ Garcia-Luna-Aceves, the inventor of DUAL, always has
>called it an advanced DV protocol, and he continues to work on even
>more advanced DV.
>
>There's nothing inherently wrong with DV.  EIGRP legitimately has
>fixed some of the problems of earlier DV protocols, such as the lack
>of a hello subprotocol and reliable update mechanism.  Without these
>mechanisms, periodic update becomes necessary, and the protocol can't
>be loop-free.
>
>Calling something "hybrid" is about as sensible as saying "route bad,
>switch good," or "all animals are equal, but some are more equal than
>others."
>



Re: Routers can't ping own interface

2001-03-29 Thread pmcallister



Well, after all, our IT motto is Ready, Fire, Aim...

:)

"Mask Of Zorro" <[EMAIL PROTECTED]> on 03/29/2001 01:18:36 PM

To:      Patrick McAllister/SOC/WGL@WGL, [EMAIL PROTECTED]
cc:
Subject: Re: Routers can't ping own interface

With co-workers like those, who needs enemas?

Z


>From: [EMAIL PROTECTED]
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Routers can't ping own interface
>Date: Thu, 29 Mar 2001 12:24:14 -0500
>
>To all who offered to help by looking at configs etc, thank you. One of my
>"helpful" co-workers decided to load a backup config on the routers in
>question
>last night thereby blowing away my config. On top of that another co-worker
>blew
>away the workstation holding the config I had made along with all the other
>backups, the tftp server etc.so I guess this shall remain a
>mystery.
>
>The only upside I suppose is that if I screwed this up once, it is quite
>possible I'll do it again
>
>In answer to Howard's queries, the answer to both is yes, but it depends on
>who
>you ask which question.  :)
>
>



RE: VLAN routing in Cat6000

2001-03-29 Thread Christopher Supino

You must have at least one active switch port in VLAN 2 in order for the
interface to come up.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Daniel ma
Sent: Thursday, March 29, 2001 5:03 AM
To: [EMAIL PROTECTED]
Subject: VLAN routing in Cat6000


I am trying to configure VLAN routing in Cat 6006, (Super engine does
support routing).

However, after I configure interface VLAN2, it said VLAN 2 is shutdown. it's
no use to issue 'no shutdown' command.

How should I configure it?







Re: EIGRP clarification

2001-03-29 Thread Howard C. Berkowitz

>Look at all those routing technologies - they are all different; 
>except *that* one, it's the same...
>
>Z


Are you quoting Yakov Rekhter: "at a sufficiently high level, 
everything is the same?"  Not sure I follow your point.

>
>>From: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
>>Reply-To: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: Re: EIGRP clarification
>>Date: Wed, 28 Mar 2001 23:19:21 -0500
>>
>>>Preparing for my BSCN exam, I have found myself unclear as to whether or
>>>not EIGRP is in fact a Hybrid or Distance-Vector protocol. All the Cisco
>>>classes I've been to have always referred to EIGRP as a Balanced Hybrid
>>>protocol, now studying for my CCNP, I am finding EIGRP referred to as a
>>>Distance-vector protocol???...How is this possible? Thanks...
>>
>>
>>  From a technical standpoint, EIGRP is emphatically distance vector.
>>  From a marketing standpoint, Cisco has called it "hybrid," which has
>>no accepted technical meaning. Training and certification have picked
>>up that terminology.
>>
>>"Hybrid" is an attempt to differentiate EIGRP, and its DUAL
>>algorithm, from the problems of first and second generation DV
>>protocols. JJ Garcia-Luna-Aceves, the inventor of DUAL, always has
>>called it an advanced DV protocol, and he continues to work on even
>>more advanced DV.
>>
>>There's nothing inherently wrong with DV.  EIGRP legitimately has
>>fixed some of the problems of earlier DV protocols, such as the lack
>>of a hello subprotocol and reliable update mechanism.  Without these
>>mechanisms, periodic update becomes necessary, and the protocol can't
>>be loop-free.
>>
>>Calling something "hybrid" is about as sensible as saying "route bad,
>>switch good," or "all animals are equal, but some are more equal than
>>others."




Re: Buffer

2001-03-29 Thread Rahul Kachalia

Koliy,

my guess is output drop.

rahul

- Original Message -
From: "KOLIY" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 5:41 AM
Subject: Buffer


> I have a condition when 1 system is attempting to hand a packet to
> a transmission buffer and no buffer is available
> a. Fast switching
> b. input drop
> c. output drop
> d. route-cache
>
> Thanks
> Koliy
>



Re: Ethernet address question

2001-03-29 Thread Debbie Becker

From a NetWare Connection article by Laura Chappell:

Node Address 1 (6 bytes) --   This field contains the MAC address of the
network interface board that is attached to the network with the address
defined above. (Node address 0x00-00-00-00-00-01 always belongs to the
internal IPX network.)

Deb


"Janne Kettunen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> This may be trivial, but I can't find answer from www.iana.org or
> www.ieee.org or www.cisco.com.
>
> What kind of Ethernet address is this:
>
> 00:00:00:00:00:01
>
> Layer-3 protocol type in frame is 0x0800 (IP)
>
> --
> Regards Janne Kettunen
> CCNA, CFFE
>



Re: 508-CS versus 2509/2511

2001-03-29 Thread John Hardman

Hi

Yes these are good boxes. As far as I know (anyone taken the lab correct me)
the 2511 used in the lab is just for reverse telnet access to the rest of
the rack and is not used in the labs. So the ability to run IOS above 10.3
shouldn't matter. Note, you will have to TFTP boot 10.3 or find the upgrade
on Ebay if you want to run 10.3.

As for the overall impression, they are great, a little slow on the boot up,
but otherwise very nice and half the price of a 2509/2511.

HTH

John Hardman


""Ken W. Alger"" <[EMAIL PROTECTED]> wrote in message
news:99ufk5$1jh$[EMAIL PROTECTED]...
> For a CCNP/CCIE lab, is a 508-CS sufficient to act as a terminal server or
> is it better to go for the 2509/11?
>
> Thanks,
> Ken
>
>



Wireless T1 WAN backup

2001-03-29 Thread Kim Seng

Hi Everyone,

Has anyone had experience with a Wireless T1 WAN used as
a backup link? Please shed some light or give me
your comments.

Thanks in advance.

Kim.




RE: Advance Cisco PIX Configuration Exam - Passed!

2001-03-29 Thread Hartnell, George

Well, I've looked there, at the CCO, and the documentation I've found is
'ok'.

By 'ok' I mean that you *can* successfully set up the PIX from those docs.
The PIX, however, isn't there for just NAT, it's there to help secure your
network.  To that end there seems, to me, to be very little in the way of
code snippets for, say, preventing a simple smurf, or for dropping IP
packets where the source isn't from your address range.  Things that CERT
talks about, but how do you *do* that on your firewall?

In fact, some current 'how tos' at the Cisco PIX site still talk about the
'outbound' command; something even IOS 5.1 (5.3 is current) indicates has
been superseded by the 'access-list' command.  Check out this outdated
'help' yourselves:

"Question: How do you configure outbound access lists on the PIX box?

http://www-1.cisco.com/cgi-bin/Support/OpenForum/dispnewqa.pl/3753  "

While it's sometimes nice to have archival information for past IOS
versions, clearly this information is less-than-useful to current PIX IOS
users.  Unless, as many, I'm lost in the vastness of CCO-land, which,
admittedly, is possible.

So, it's nice that somebody passed the exam.  It would also be nice to find
a resource for the PIX.  I'm still struggling, but making headway.

Best, G.
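
The source-address checks asked about above (dropping packets whose source is not from your own range, refusing smurf-style directed broadcasts) and the basic perimeter-router filtering described earlier in this archive under "PIX+Router+Frame relay to internet", modelled as an added example that is not part of any poster's message. It is a Python model of the decision logic, not PIX or IOS syntax; the prefixes and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): documentation prefixes stand in
# for the site's own routed networks behind the perimeter.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Source ranges that should never arrive from the Internet side.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def is_directed_broadcast(addr):
    """True if addr is the network or broadcast address of an internal
    subnet, i.e. a packet to it would be answered by every host there."""
    return any(addr in (net.network_address, net.broadcast_address)
               for net in INTERNAL_NETS)


def check_inbound(pkt):
    """Decision for a packet arriving on the outside interface."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Our own addresses can only legitimately originate inside.
    if in_any(src, INTERNAL_NETS):
        return "drop", "internal source address seen on outside interface"
    if in_any(src, BOGON_NETS):
        return "drop", "source address is not routable on the Internet"
    # Refusing directed broadcasts keeps the site from amplifying a smurf.
    if is_directed_broadcast(dst):
        return "drop", "directed broadcast to an internal subnet"
    return "pass", "source checks passed; continue to normal firewall policy"


def check_outbound(pkt):
    """Decision for a packet leaving towards the Internet."""
    src = ipaddress.ip_address(pkt.src)
    # Egress filtering: nothing leaves with a source we do not own, so
    # hosts here cannot send spoofed traffic at someone else.
    if not in_any(src, INTERNAL_NETS):
        return "drop", "source address is outside our own range"
    return "pass", "source belongs to us"


# Constructed sample traffic: (direction, packet).
SAMPLES = [
    ("in", Packet("203.0.113.5", "192.0.2.20")),             # ordinary client
    ("in", Packet("192.0.2.10", "192.0.2.20")),              # claims to be us
    ("in", Packet("10.1.1.1", "198.51.100.9")),              # private source
    ("in", Packet("203.0.113.5", "192.0.2.255", "icmp")),    # echo to broadcast
    ("out", Packet("198.51.100.9", "203.0.113.5")),          # our host
    ("out", Packet("203.0.113.99", "203.0.113.5", "icmp")),  # forged source
]


def evaluate(samples):
    """Run every sample through the check for its direction."""
    results = []
    for direction, pkt in samples:
        check = check_inbound if direction == "in" else check_outbound
        action, reason = check(pkt)
        results.append((direction, pkt, action, reason))
    return results


if __name__ == "__main__":
    for direction, pkt, action, reason in evaluate(SAMPLES):
        print(f"{direction:3} {pkt.src:>14} -> {pkt.dst:<14} {action:4} {reason}")
```
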





VPN 5001 concentrator

2001-03-29 Thread The.Rock

Here's the problem:

2 clients, both sharing a DSL line. Both use VPN client for 5001.

When one is connected it is fine and if you add another connection off the
same dsl while the other computer is connected, the VPN tunnel keeps
dropping. Any ideas ?





CCDP or CVOICE Advice

2001-03-29 Thread Ruddy Cordero

I just finished my CCNP and I would like to go ahead with my CVOICE
specialization. I work for VoIP company and it would help me a bit to
have but CVOICE is going to be eliminated and there is no cert. or ID to
recognize you as having a voice specialization. My question is: Should
I continue with my studies or should I just study for my CCDP?




Re: Routers can't ping own interface

2001-03-29 Thread Howard C. Berkowitz

>With co-workers like those, who needs enemas?
>
>Z
>
>
>>From: [EMAIL PROTECTED]
>>Reply-To: [EMAIL PROTECTED]
>>To: [EMAIL PROTECTED]
>>Subject: Re: Routers can't ping own interface
>>Date: Thu, 29 Mar 2001 12:24:14 -0500
>>
>>To all who offered to help by looking at configs etc, thank you. One of my
>>"helpful" co-workers decided to load a backup config on the routers in
>>question
>>last night thereby blowing away my config. On top of that another co-worker
>>blew
>>away the workstation holding the config I had made along with all the other
>>backups, the tftp server etc.so I guess this shall remain a
>>mystery.
>>
>>The only upside I suppose is that if I screwed this up once, it is quite
>>possible I'll do it again
>>
>>In answer to Howard's queries, the answer to both is yes, but it depends on
>>who
>>you ask which question.  :)


I always appreciate satisfied users of My Favorite Question, but I 
must share a comment made by Vijay Gill at the last NANOG.  During a 
panel discussion on BGP scaling issues, he commented with respect to 
RFC2547-style VPNs:  "If this is the answer, it must have been a 
pretty stupid question."

:-)




RE: CCDP or CVOICE Advice

2001-03-29 Thread Vijay Ramcharan

Since you're in the groove, you could just take your 2 exams and get the
CCDP.  I did the same and finished CCDP in a couple of months.

Vijay Ramcharan


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ruddy Cordero
Sent: Thursday, March 29, 2001 2:18 PM
To: [EMAIL PROTECTED]
Subject: CCDP or CVOICE Advice


I just finished my CCNP and I would like to go ahead with my CVOICE
specialization. I work for VoIP company and it would help me a bit to
have but CVOICE is going to be eliminated and there is no cert. or ID to
recognize you as having a voice specialization. My question is: Should
I continue with my studies or should I just study for my CCDP?




Re: CCDP or CVOICE Advice

2001-03-29 Thread Ruddy Cordero

I have my CCDA so all I need is CID. So you think that CVOICE is not worth
taking the test for. I just started reading the book but if I don't have to
I won't take the test.

- Original Message -
From: "Vijay Ramcharan" <[EMAIL PROTECTED]>
To: "'Ruddy Cordero'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 2:30 PM
Subject: RE: CCDP or CVOICE Advice


> Since you're in the groove, you could just take your 2 exams and get the
> CCDP.  I did the same and finished CCDP in a couple of months.
>
> Vijay Ramcharan
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Ruddy Cordero
> Sent: Thursday, March 29, 2001 2:18 PM
> To: [EMAIL PROTECTED]
> Subject: CCDP or CVOICE Advice
>
>
> I just finished my CCNP and I would like to go ahead with my CVOICE
> specialization. I work for VoIP company and it would help me a bit to
> have but CVOICE is going to be eliminated and there is no cert. or ID to
> recognize you as having a voice specialization. My question is: Should
> I continue with my studies or should I just study for my CCDP?
>



RE: VPN 5001 concentrator

2001-03-29 Thread Vijay Ramcharan

I actually have a similar problem.  I connect to a PIX firewall which is the
VPN server, from home.  If I connect through Mindspring or other ISP, I have
no problems connecting and authenticating against the PIX.
If I dial in to a RAS server which has Internet connectivity via a DSL
router (which is doing NAT for about 60 users), I can connect to the PIX,
but I can't successfully authenticate.  My guess is that something is lost
in the translation from local to global IP address.
I know this doesn't help but I'm just throwing this out there also.

Vijay Ramcharan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
The.Rock
Sent: Thursday, March 29, 2001 2:22 PM
To: [EMAIL PROTECTED]
Subject: VPN 5001 concentrator


Here's the problem:

2 clients,both sharing a DSL line. both use VPN client for 5001

When one is connected it is fine and if you add another connection off the
same dsl while the other computer is connected, the VPN tunnel keeps
dropping. Any ideas ?





RE: CCDP or CVOICE Advice

2001-03-29 Thread Buri, Heather H

Well, I guess it depends on what is more important to you.  I personally
would go for the one that interests you and not worry about a "paper
certificate" as much.  

But that is just my .02 cents.

Heather Buri   
CSC Technology Services - Houston

Phone:  (713)-961-8592
Fax:(713)-961-8249
Mobile: 
Alpha Page: 

Mailing:1360 Post Oak Blvd
  Suite 500
  Houston, TX 77056



-Original Message-
From: Ruddy Cordero [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 1:18 PM
To: [EMAIL PROTECTED]
Subject: CCDP or CVOICE Advice


I just finished my CCNP and I would like to go ahead with my CVOICE
specialization. I work for VoIP company and it would help me a bit to
have but CVOICE is going to be eliminated and there is no cert. or ID to
recognize you as having a voice specialization. My question is: Should
I continue with my studies or should I just study for my CCDP?




Re: VPN 5001 concentrator

2001-03-29 Thread EA Louie

NAT and IPSec/UDP 500 conflicts?  (do the workstations have their own
external IP addresses?)

-e-
The.Rock <[EMAIL PROTECTED]> wrote in message
news:9a060t$7km$[EMAIL PROTECTED]...
> Here's the problem:
>
> 2 clients,both sharing a DSL line. both use VPN client for 5001
>
> When one is connected it is fine and if you add another connection off the
> same dsl while the other computer is connected, the VPN tunnel keeps
> dropping. Any ideas ?
>
>



voice port OID.

2001-03-29 Thread Paulo Roque

Hi All,

I need to monitor the status of voice ports on 3810 and 7204 routers using
snmp.
Does anybody know where I can find the voice port OID?

Thanks.
Paulo Roque





Re: CCDP or CVOICE Advice

2001-03-29 Thread Allen May

Woohoo!  Another 2 cents!

- Original Message -
From: "Buri, Heather H" <[EMAIL PROTECTED]>
To: "'Ruddy Cordero'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 1:47 PM
Subject: RE: CCDP or CVOICE Advice


> well, I guess it depends on what is more important to you.  I personally
> would go for the one that interests you and not worry about a "paper
> certificate" as much.
>
> But that is just my .02 cents.
>
> Heather Buri
> CSC Technology Services - Houston
>
> Phone: (713)-961-8592
> Fax: (713)-961-8249
> Mobile:
> Alpha Page:
>
> Mailing: 1360 Post Oak Blvd
>   Suite 500
>   Houston, TX 77056
>
>
>
> -Original Message-
> From: Ruddy Cordero [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 29, 2001 1:18 PM
> To: [EMAIL PROTECTED]
> Subject: CCDP or CVOICE Advice
>
>
> I just finished my CCNP and I would like to go ahead with my CVOICE
> specialization. I work for a VoIP company and it would help me a bit to
> have but CVOICE is going to be eliminated and there is no cert. or ID to
> recognize you as having a voice specialization. My question is: Should
> I continue with my studies or should I just study for my CCDP?
>



Cannot see the Serial Interface at all..-------Fixed

2001-03-29 Thread Kumar, N K. Satish, BCARE

I got this fixed. What I ended up doing is I made the router boot
from ROM, which detected the Serial0. I configured from the ROM and then
upgraded the IOS, and then when I reboot it boots fine and sees the serial
card in it.

Thanks a lot, guys, for your replies.

> -Original Message-
> From: Bob Timmons [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, March 29, 2001 1:04 PM
> To:   [EMAIL PROTECTED]
> Subject:  Re: Cannot see the Serial Interface at all..
> 
> I have the same router, same T1 card.  Is this a new unit, was
> it ever working?
> 
> When I do a "show int", I get the following output
> 
> Serial0 is up, line protocol is up(This is my T1)
>   Hardware is HD64570 with FT1 CSU/DSU
> 
> Serial1 is administratively down, line protocol is down(This is empty)
>   Hardware is HD64570
> 
> "Show controller" give me:
> 
> HD unit 0, idb = 0xB8FB8, driver structure at 0xBE268 (T1 card)
> buffer size 1524  HD unit 0, Integrated FT1 CSU/DSU module
> 
> HD unit 1, idb = 0xC3018, driver structure at 0xC82C8(Empty)
> buffer size 1524  HD unit 1, No module present
> 
> I'd say that if you don't 'see' the hardware in these statements, you'd
> probably want to call TAC.  Not much we can do here for bad hardware.
> 
> Bob
> 
> > I have a Cisco 2524 with a removable T1 card. While Cisco is booting it
> > says service-module check passed, but when I see the interfaces it just has
> > the Ethernet, NO serial interface at all...
> >
> > tried removing/replacing no luck
> >
> > Any help greatly appreciated.
> >
> > Thanks
> > Satish
> >



ot: Is Flash = Flash

2001-03-29 Thread Tim Rutherford

Is the 16MB flash module for 6400 = 16MB flash module for 2600
Is MEM-NRP-FS16M = MEM2600-8U16FS






BGP over two ISP links

2001-03-29 Thread Ruihai An

Hi, All,

Here is a quick question:
We are planning to run BGP over two ISP links to provide loading balance.
But we were told that we will run into major problems if we do not have full
class Cs on both ends.

Could somebody make comment on this?

Thanks

Ruihai





Re: problem with installing vpn 3.0 client for win2000

2001-03-29 Thread Ruihai An

I installed on 2000 pro and did not have any problem.  You have the correct
file.
vpnclient-win-301Rel-k9.exe
Ruihai

"Frank Kim" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi folks,
> Anyone has any success on installing the cisco vpn 3.0 client for win2000
> professional or adv server?  My win2000 box kept failing after the
> installation; it kept rebooting.  Please share your experience.  This is
> the name of the file which I tried to install: vpnclient-win-3.0.1.Rel-k9
>
> Thanks for any input.
>
> -Frank
>
>



RE: BGP over two ISP links

2001-03-29 Thread Moe Tavakoli

The ISPs don't tend to accept route advers via BGP less than a /24.  Some
do, but it has become some kind of a "standard".

If they allowed smaller route ads then the full BGP route table would be way
too large.

Moe.

-Original Message-
From: Ruihai An [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 1:11 PM
To: [EMAIL PROTECTED]
Subject: BGP over two ISP links


Hi, All,

Here is a quick question:
We are planning to run BGP over two ISP links to provide loading balance.
But we were told that we will run into major problems if we do not have full
class Cs on both ends.

Could somebody make comment on this?

Thanks

Ruihai





Token Ring Tool WAS Token Ring Problem

2001-03-29 Thread Daniel Cotts

I've heard about those zapper tools for MAUs but have never seen one. Is
there an official name for it? Any manufacturer or part number? Might be
worth finding on eBay. I have several old MAUs that I haven't tested.
TIA
> -Original Message-
> From: ElephantChild [mailto:[EMAIL PROTECTED]]
 
> Typical causes, in no particular order, are:
> 
> - Stuck relay, if you're using an old mechanical MAU, eg a 8228. If
>   that's the problem, just phaser the relay unstuck.
> 




RE: VPN 5001 concentrator

2001-03-29 Thread Moe Tavakoli

You can't do VPN through a PAT (many-to-one NAT, NAT
overload, NAPT or whatever it's called right now.)
There are some exceptions... but that should be a safe
rule to go by.

Moe.

--- Vijay Ramcharan <[EMAIL PROTECTED]> wrote:
> I actually have a similar problem.  I connect to a
> PIX firewall which is the
> VPN server, from home.  If I connect through
> Mindspring or other ISP, I have
> no problems connecting and authenticating against
> the PIX.
> If I dial in to a RAS server which has Internet
> connectivity via a DSL
> router (which is doing NAT for about 60 users), I
> can connect to the PIX,
> but I can't successfully authenticate.  My guess is
> that something is lost
> in the translation from local to global IP address.
> I know this doesn't help but I'm just throwing this
> out there also.
> 
> Vijay Ramcharan
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> The.Rock
> Sent: Thursday, March 29, 2001 2:22 PM
> To: [EMAIL PROTECTED]
> Subject: VPN 5001 concentrator
> 
> 
> Here's the problem:
> 
> 2 clients,both sharing a DSL line. both use VPN
> client for 5001
> 
> When one is connected it is fine and if you add
> another connection off the
> same dsl while the other computer is connected, the
> VPN tunnel keeps
> dropping. Any ideas ?
> 
> 


Moe Tavakoli




RE: DNS problem?

2001-03-29 Thread Sam Hebert

We have this happen on our dns servers.  I don't know what you're running
but normally a cleaning of the dns cache does the trick over here.

Samuel Hebert
Network Administrator
Cisco Certified Network Associate 

Great Minds Discuss Ideas;
Average minds discuss events;
Small minds discuss people.

Intervisual
Suite 200, 709 - 11th Ave SW
Calgary, AB T2R 0E3
Ph: 403.264.9199
Fax: 403.264.9225
http://www.intervisual.com
"Internet Solutions Developer"

-Original Message-
From: ElephantChild [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 2:42 PM
To: Secrist John J Contr 27 IS/IND
Cc: '[EMAIL PROTECTED]'
Subject: Re: DNS problem?


On Thu, 29 Mar 2001, Secrist John J Contr 27 IS/IND wrote:

> A funny thing is happening on our network and it has us stumped.
> 
> 1 - Some websites are not reachable by typing the hostname in a browser
> (i.e. www.yahoo.com).
> 2 - Some websites ARE reachable by typing the hostname in a browser (i.e.
> www.altavista.com).
> 3 - When I ping the unreachable addresses they time out - but the ping does
> resolve the IP address.

Do you mean that "ping www.yahoo.com" will time out but will be
able to resolve www.yahoo.com to eg, 1.2.3.4? Or that "ping 1.2.3.4"
will time out but will be able to reverse-resolve 1.2.3.4 to
www.yahoo.com? 

> 4 - When I type the IP address in the web browser, the page opens fine.

I assume that you mean the IP address of a host you can't reach, as with
www.yahoo.com in 1 above?

> Was thinking this is maybe a DNS problem... any thoughts?  Thanks,

Hmm, 1 and 4 together imply that there's definitely a DNS problem
somewhere, but I can't tell where from the info you supply. Depending on
what you mean by 3, there may also be a filter somewhere along the way
that blocks ICMP echo requests or echo replies.

-- 
According to Joyce Melton, "respondability" is cromulent.





Re: ISDN BRI Channel Separation

2001-03-29 Thread Tony van Ree

Hi,

If you configure your router without a threshold statement only one channel will come
up.  The channel it chooses is dependent on the ISDN switch as I understand it.  You
can configure the BRI to place two separate calls.


Teunis
Hobart, Tasmania
Australia



On Thursday, March 29, 2001 at 03:17:23 PM, Ash Aslam wrote:

> Hi Group!!
> 
> I would like to know if it's possible to separate the two ISDN B Channels so
> that one remains active whilst the other one is free.  I have checked on the
> Cisco web site and Cisco press books but could not find anything on how to
> configure the BRI Channels separately.
> 
> Can someone pls shed some light by providing a small config or point me in
> the right direction.
> 
> Thanks & kind Regards,
> Ash
> 



URGENT: regarding VoIP

2001-03-29 Thread Faisal Khan

Hello guys

Greetings..
I have my CCIE Exam on April 10 and 11.  I need your urgent help. I am trying to set up
Voice over IP.  Well, everything works fine. When I put an access list on one of the
routers to act as an IOS firewall, I can't make calls.  Here is a sample access list:

access-list 140 permit tcp any any range 11000 11999
access-list 150 permit ospf any any
access-list 150 permit icmp any any echo-reply
access-list 123 permit ip host 138.1.249.6 host 138.1.252.4
access-list 150 permit udp any any range 16384 2000
access-list 150 permit tcp any any eq 1720
access-list 150 permit tcp any eq 1720 any
access-list 150 permit tcp any any range 11000 11999
access-list 150 deny ip any any

With this configuration, I can ring both phones from either location but I can't hear anything.
Also, does anyone have info on IP OSPF Demand Circuit over ISDN?  My ISDN line keeps flapping even
after putting the demand circuit.  I can see that my routes in the OSPF database have the DNA mark
beside them but the line keeps coming up.  When I do a show dialer, I see the d=224.0.0.5. Any idea
what could cause this?

I do have an access list that permits only the ISDN network.

Anyway, help would be highly appreciated.
Thank you
faisal
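
Added example (not part of the original post, and not Cisco's ACL parser): a first-match evaluator for the numbered ACL entries quoted above, which lists any `range` whose lower bound exceeds its upper bound and shows which entry a given packet hits. It assumes an inverted range matches no port, does not model ICMP types, and uses constructed test packets (UDP port 16500 is an arbitrary port above 16384).

```python
import ipaddress

# ACL lines exactly as posted in the message above.
ACL_TEXT = """\
access-list 140 permit tcp any any range 11000 11999
access-list 150 permit ospf any any
access-list 150 permit icmp any any echo-reply
access-list 123 permit ip host 138.1.249.6 host 138.1.252.4
access-list 150 permit udp any any range 16384 2000
access-list 150 permit tcp any any eq 1720
access-list 150 permit tcp any eq 1720 any
access-list 150 permit tcp any any range 11000 11999
access-list 150 deny ip any any
"""


def _take_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def _take_ports(tok):
    """Consume an optional 'eq P' or 'range LO HI' (numeric ports only)."""
    if tok[:1] == ["eq"]:
        return (int(tok[1]), int(tok[1])), tok[2:]
    if tok[:1] == ["range"]:
        return (int(tok[1]), int(tok[2])), tok[3:]
    return None, tok


def parse_acl(text, number):
    """Return the entries of one numbered extended ACL, in configured order."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        src, rest = _take_addr(tok[4:])
        sport, rest = _take_ports(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_ports(rest)  # leftovers such as 'echo-reply' are ignored
        entries.append({"raw": raw, "action": tok[2], "proto": tok[3],
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def inverted_ranges(entries):
    """Raw text of entries whose port range has lower bound > upper bound."""
    return [e["raw"] for e in entries
            for spec in (e["sport"], e["dport"]) if spec and spec[0] > spec[1]]


def _addr_match(spec, ip):
    # Wildcard bits set to 1 are "don't care", as in IOS wildcard masks.
    base, wild, addr = (int(ipaddress.IPv4Address(x)) for x in (*spec, ip))
    return (base | wild) == (addr | wild)


def _port_match(spec, port):
    if spec is None:
        return True
    # An inverted range (lo > hi) can never satisfy lo <= port <= hi.
    return port is not None and spec[0] <= port <= spec[1]


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; returns (action, matching line)."""
    for e in entries:
        if (e["proto"] in ("ip", proto)
                and _addr_match(e["src"], src) and _addr_match(e["dst"], dst)
                and _port_match(e["sport"], sport) and _port_match(e["dport"], dport)):
            return e["action"], e["raw"]
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, 150)
    print("inverted ranges:", inverted_ranges(acl))
    a, b = "138.1.249.6", "138.1.252.4"  # host addresses taken from ACL 123 above
    print(evaluate(acl, "tcp", a, b, sport=11005, dport=1720))   # call signalling
    print(evaluate(acl, "udp", a, b, sport=16500, dport=16500))  # constructed media packet
```

Run against list 150, the signalling packet is permitted by the `eq 1720` entry while the constructed UDP media packet falls through to the final `deny ip any any`.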





Re: BGP over two ISP links

2001-03-29 Thread John Neiberger

At a minimum you're going to need a single /24, not two.  You would
announce this prefix on both connections.  You're also going to need to
apply for an autonomous system number from ARIN.  Details can be found
at www.arin.net. 

I'm wondering what you're really trying to accomplish.  If this extra
link isn't for redundancy, just load sharing, then why not have two
connections to the same provider?  This is FAR easier to implement, does
not require a public AS number, and does not require using up an entire
/24 prefix unnecessarily.

Even if the link is for redundancy, you could multihome to different
POPs of the same provider.  Again, this is easier to implement, doesn't
require the AS number, and doesn't burn up so many addresses.  If you
have a good provider this is an excellent solution.

I'd seriously consider these other options before you make a decision.

Regards,
John

>>> "Ruihai An" <[EMAIL PROTECTED]> 3/29/01 2:11:17 PM >>>
Hi, All,

Here is a quick question:
We are planning to run BGP over two ISP links to provide loading balance.
But we were told that we will run into major problems if we do not have full
class Cs on both ends.

Could somebody make comment on this?

Thanks

Ruihai





Can you have more than one SPAN port on Catalyst 6505?

2001-03-29 Thread Ruihai An

We need at least two SPAN ports on each 6505 switch to connect our IDS and
Sniffer.   When we configure the second SPAN, it always overwrites the previously
configured SPAN port.  It seems you cannot configure more than
two SPAN on one switch.  I am not sure if that is true.

Thanks

Ruihai





ASN18506 up and running

2001-03-29 Thread J Roysdon

It's been delayed time and again, but I've finally found the time to push
through the docs and configuration notes needed to get our ASN up and
running with our upstream providers.

So, this morning we began announcing ASN 18506 and our netblocks out
Sprintlink with no problems.  I had them turn on full routes and we're up
to: '11176 network entries and 11169 paths' and still climbing.

Ok, so here's the setup:

UUNET - [T1/FR] - s0/0.1 2621 s0/1 - [T1] - s0/1 3640 s1/2 - [T1] - Sprint

I'm still trying to get our Accounts Payable folks to get us our UUNET
account number so I haven't got any BGP communications up with UUNET yet.
As the 2621 is maxed at 64mb RAM, I'm going to tell UUNET to only send me
customer routes.  Also, presently I'm filtering non-iBGP info from the 3640
to the 2621 and only allowing Sprint's own ASN through (eventually I'll have
it pass Sprint and their customers).  The 2621 shows all the 1238 netblocks
that should be getting through in the bgp table, but if I do a 'sh ip route'
they don't appear, and in fact no BGP routes show.

Here's the pertinent current config sections:
3640:
interface Serial0/1
 description External T1 to Turlock 2621 s0/1
 ip address 63.107.123.250 255.255.255.252
 ip rip send version 2
 ip rip receive version 2
!
interface Serial1/2
 description T1 to Sprint
 ip address 144.232.206.66 255.255.255.252
!
router rip
 version 2
 redistribute static
 passive-interface Ethernet0/0
 passive-interface Serial0/0
 passive-interface Ethernet0/1
 passive-interface Serial1/0
 passive-interface Serial1/1
 passive-interface Serial1/2
 passive-interface Serial1/3
 network 63.0.0.0
 network 144.232.0.0
 network 206.216.246.0
 network 207.92.43.0
 network 207.92.140.0
 network 207.223.144.0
 neighbor 63.107.123.149
 no auto-summary
!
router bgp 18506
 bgp router-id 63.172.195.1
 bgp cluster-id 3478924129
 bgp log-neighbor-changes
 network 63.172.195.0 mask 255.255.255.0
 network 63.172.204.0 mask 255.255.254.0
 network 144.232.206.64 mask 255.255.255.252
 network 206.216.246.0
 network 207.92.43.0
 network 207.92.140.0
 network 207.223.144.0
 neighbor 63.107.123.249 remote-as 18506
 neighbor 63.107.123.249 description Turlock 2621 to UUNET
 neighbor 63.107.123.249 password [removed]
 neighbor 63.107.123.249 update-source Serial0/1
 neighbor 63.107.123.249 version 4
 neighbor 63.107.123.249 filter-list 98 out
 neighbor 144.232.206.65 remote-as 1239
 neighbor 144.232.206.65 description Sprintlink Modesto T1
 neighbor 144.232.206.65 update-source Serial1/2
 neighbor 144.232.206.65 version 4
 neighbor 144.232.206.65 distribute-list BGP-Egress-Filter out
 neighbor 144.232.206.65 filter-list 99 out
ip route 0.0.0.0 0.0.0.0 144.232.206.65
ip route 0.0.0.0 0.0.0.0 Serial1/1 254
ip route 10.0.0.0 255.0.0.0 Null0
ip route 63.172.195.0 255.255.255.0 Null0 254
ip route 63.172.195.24 255.255.255.252 63.172.195.3
ip route 63.172.195.28 255.255.255.252 Serial1/3
ip route 63.172.195.32 255.255.255.248 63.172.195.18
ip route 63.172.195.40 255.255.255.248 63.172.195.3
ip route 63.172.204.0 255.255.254.0 Null0 254
ip route 63.172.204.0 255.255.255.0 63.172.195.10
ip route 144.232.187.198 255.255.255.255 Serial1/2
ip route 165.236.160.6 255.255.255.255 Serial1/1
ip route 165.236.161.193 255.255.255.255 Serial1/1
ip route 165.236.161.208 255.255.255.255 Serial1/1
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 204.30.40.0 255.255.255.0 Serial1/1
ip route 206.216.246.0 255.255.255.0 Null0 254
ip route 207.92.43.0 255.255.255.0 Null0 254
ip route 207.92.43.48 255.255.255.240 Serial1/3
ip route 207.92.43.80 255.255.255.240 63.172.195.10
ip route 207.92.140.0 255.255.255.0 Null0 254
ip route 207.92.140.128 255.255.255.128 Serial1/0
ip route 207.223.144.0 255.255.255.0 63.172.195.10
ip route 207.223.144.0 255.255.255.0 Null0 254
ip as-path access-list 98 permit ^$
ip as-path access-list 98 permit ^1239$
ip as-path access-list 99 permit ^$
!
ip access-list standard BGP-Egress-Filter
 remark  Limit BGP annoucements to only NetsWork's (ASN 18506) netblocks

 remark ** Sprintlink supplied netblocks **
 permit 63.172.195.0 0.0.0.255
 permit 63.172.204.0 0.0.0.254
 remark ** UUNET supplied netblocks ** (off until BGP with UUNET is established)
 remark ** Netcom (now Earthlink) supplied netblocks **
 permit 207.92.43.0 0.0.0.255
 permit 207.92.140.0 0.0.0.255
 remark ** Netcom (ICG) supplied netblocks **
 permit 207.223.144.0 0.0.0.255
 remark ** Netcom (ICG) supplied netblock for Dreamscope **
 permit 206.216.246.0 0.0.0.255

ISC-Mod-3640#sh ip bgp 64.6.0.0
BGP routing table entry for 64.6.0.0/24, version 30255
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  1239 14363
144.232.206.65 from 144.232.206.65 (144.228.242.65)
  Origin IGP, metric 33, localpref 100, valid, external, best

ISC-Mod-3640#sh ip bgp neigh
BGP neighbor is 63.107.123.249,  remote AS 18506, internal link
 Description: Turlock 2621 to UUNET
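
Added example (not from the original post): a cross-check of the `network` statements under `router bgp 18506` against the `BGP-Egress-Filter` entries in the config above, reporting filter entries whose wildcard is not the bitwise inverse of the announced mask and announced prefixes with no permit entry. Statements without a `mask` are assumed to take the classful mask; the function names are this example's own.

```python
import ipaddress

# 'network' statements and BGP-Egress-Filter entries copied from the 3640 config above.
BGP_NETWORKS = """\
network 63.172.195.0 mask 255.255.255.0
network 63.172.204.0 mask 255.255.254.0
network 144.232.206.64 mask 255.255.255.252
network 206.216.246.0
network 207.92.43.0
network 207.92.140.0
network 207.223.144.0
"""
EGRESS_FILTER = """\
permit 63.172.195.0 0.0.0.255
permit 63.172.204.0 0.0.0.254
permit 207.92.43.0 0.0.0.255
permit 207.92.140.0 0.0.0.255
permit 207.223.144.0 0.0.0.255
permit 206.216.246.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _dotted(value):
    return str(ipaddress.IPv4Address(value))


def classful_mask(addr):
    """Mask assumed for a 'network' statement that carries no 'mask' keyword."""
    first = addr >> 24
    if first < 128:
        return 0xFF000000
    if first < 192:
        return 0xFFFF0000
    return 0xFFFFFF00


def parse_networks(text):
    """Return [(address, mask)] as integers, in configured order."""
    nets = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "network":
            continue
        addr = _ip(tok[1])
        has_mask = len(tok) >= 4 and tok[2] == "mask"
        nets.append((addr, _ip(tok[3]) if has_mask else classful_mask(addr)))
    return nets


def parse_permits(text):
    """Return {address: wildcard} for 'permit A W' lines of a standard ACL."""
    rows = (line.split() for line in text.splitlines())
    return {_ip(t[1]): _ip(t[2]) for t in rows if len(t) == 3 and t[0] == "permit"}


def is_contiguous(wildcard):
    """True when the wildcard is a run of low-order one bits (e.g. 0.0.1.255)."""
    return (wildcard & (wildcard + 1)) == 0


def audit(networks_text, filter_text):
    """Compare announced prefixes with the egress filter; return findings."""
    permits = parse_permits(filter_text)
    findings = []
    for addr, mask in parse_networks(networks_text):
        prefix = f"{_dotted(addr)}/{bin(mask).count('1')}"
        if addr not in permits:
            findings.append((prefix, "no permit entry in filter"))
            continue
        wild, expected = permits[addr], mask ^ ALL_ONES
        if wild != expected:
            note = f"wildcard {_dotted(wild)}, inverse of mask is {_dotted(expected)}"
            if not is_contiguous(wild):
                note += " (non-contiguous)"
            findings.append((prefix, note))
    return findings


if __name__ == "__main__":
    for prefix, note in audit(BGP_NETWORKS, EGRESS_FILTER):
        print(f"{prefix}: {note}")
```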
  

Re: 1705 router ios software

2001-03-29 Thread Ruihai An

You can download the IOS from Cisco web site if you have a service contract.
If you do not, you can download IOS from another 1700 router.

Ruihai


"Ganesh Chintalapati" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> Dear all,
>
> This is in connection to my previous mail with subject Erased Flash.
>
> I am very much thankful to all of you for giving me various methods of solving
> the problem, but my main problem is I do not have the IOS to load it from tftp
> or to load through xmodem from rommon prompt.
>
> Pls let me know where will I get the IOS from the website so that I can
> download the IOS and load it.
>
> Thank in advance
>
> Ganesh
>



Command to clear the hit counter of Conduit ??

2001-03-29 Thread Ruihai An

Does any pro know the command to clear the hit count of Conduit on PIX ?

Thanks





Re: problem with installing vpn 3.0 client for win2000

2001-03-29 Thread J Roysdon

The v3 client won't work with the PIX 5.x software.  PIX 6.x will support
the v3 client.  For now, I rolled back to the Win2k 2.5 beta once I found
that out.  Rumor has it that the v3 client will also work with upcoming IOS
releases.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/


"Vijay Ramcharan" <[EMAIL PROTECTED]> wrote in message
news:001401c0b83a$3380d8f0$de05020a@vjwin2k...
> I've installed 301k9 twice now on Win2K Pro and have never had any problems
> (apart from the fact that it doesn't work with our PIX and I didn't find
> that out until I read the documentation).  I've also installed or tried to
> install the VPN 5K client, the VPN 1.1 client and whatever else Cisco has,
> just to see what they look like.  My machine has never once crashed.
>
> Vijay Ramcharan
>
> - Original Message -
> From: "Frank Kim" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 29, 2001 2:09 AM
> Subject: problem with installing vpn 3.0 client for win2000
>
>
> > Hi folks,
> > Anyone has any success on installing the cisco vpn 3.0 client for win2000
> > professional or adv server?  My win2000 box kept failing after the
> > installation; it kept rebooting.  Please share your experience.  This is
> > the name of the file which I tried to install: vpnclient-win-3.0.1.Rel-k9
> >
> > Thanks for any input.
> >
> > -Frank
> >
> >



Re: 1705 router ios software

2001-03-29 Thread J Roysdon

Whenever a router is purchased, IOS must also be purchased, even if it's the
$15 IP-only IOS.  You should have the original IOS available if it was
legally licensed (it usually ships in a white box), and comes on CD or
sometimes floppies.

Worst case, spend $15 and purchase IP-only IOS.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/


"Ruihai An" <[EMAIL PROTECTED]> wrote in message
news:9a0i2e$hi9$[EMAIL PROTECTED]...
> You can download the IOS from Cisco web site if you have a service contract.
> If you do not, you can download IOS from another 1700 router.
>
> Ruihai
>
>
> "Ganesh Chintalapati" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > Dear all,
> >
> > This is in connection to my previous mail with subject Erased Flash.
> >
> > I am very much thankful to all of you for giving me various methods of solving
> > the problem, but my main problem is I do not have the IOS to load it from tftp
> > or to load through xmodem from rommon prompt.
> >
> > Pls let me know where will I get the IOS from the website so that I can
> > download the IOS and load it.
> >
> > Thank in advance
> >
> > Ganesh
> >



BGP default originate

2001-03-29 Thread proto man

Hi,
  I have a question regarding this setup


  EBGP   EBGP
   R1-R2-R3 
   (100)  (200)  (300)

   R1,R2,R3 are all boxes running BGP. 
   in AS 100,200,300 respectively.

   In R2's configuration 
   neighbor  default-originate

   R2 sends a default route to R3 (ASPATH = 200 )

   R2 now learns a dynamic default from R1.
   R2 does not seem to be propagating the route
   (from R1) to R3.

   Is this a bug or neighbor default-originate takes
   precedence over dynamically learnt default routes..?

Appreciate any answer.
Thanks,
-pm





RE: Can we find the PC's IP address connect to particular switch port?

2001-03-29 Thread Chris Larson

Sure. Get the mac address and then on the switch do a show cam dynamic.
Match the MAC on the PC with the MAC in the CAM. The cam will also list the
Vlan and port the mac is assigned to.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard spalding
Sent: Tuesday, March 27, 2001 9:22 PM
To: [EMAIL PROTECTED]
Subject: Can we find the PC's IP address connect to particular switch port?


Can we find the PC's IP address connect to particular switch port?  Or for a
PC , can we know which port of the switch it connect to, other than tracing
the cable???

Richard





Conduit commands do not allow traffic to pass after 5.3(1)upgrade

2001-03-29 Thread Gary Crouch

After upgrading PIX 520 to 5.3(1) from 4.4, conduit commands do not allow traffic to pass.
I have to configure access-list and access-group for traffic to pass. Is there a command to enable the conduits?
Are there any other things you need to add to your old config after upgraded to 5.3?

Thanks for your help.
I need to get this up as our other PIX almost died today, keep resetting due to a bad power supply. Had to grab a power supply from an old PC to get it back up we the old power supply we need the fail over working.

This box would not work because of the conduit commands would not pass traffic;
adding access lists works.





