OT: Programming under IOS
Hi,

First, my apologies if the question makes no sense at all as I am just evaluating its possibility. I am also fairly new to CISCO stuff (only got my CCNA a month ago) so your advice on this will be very helpful although it is off-topic.

I am thinking of writing some small programs within the IOS platform such that it can communicate with an external host, using socket programming if you like. I am interested in obtaining the following:

1. basic configuration. I know it's contained in the startup-config and with snmp turned on, this information can be retrieved. However, what if snmp is not turned on? Is it possible, without going to all the routers to enable snmp, to still obtain this information from a host using tcp?

2. route table. Particularly I am interested in studying the dynamic changes of the route table over some period of time. Hence if the router can periodically send information to some internal host within the network, a collection of route tables can be obtained.

If in the end I have to do my own programming, it will lead on to several other questions:

1. is it feasible in the first place, given that CISCO IOS is proprietary stuff?

2. where can I get programming info? any recommendations?

Really appreciate if you can help me on this.

Cheers,
Chee Leong

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Console access
Hi all, Can we stop access to the console port from VTY session or telnet. Thanks Omer
actual speed (BW) on a Frame-Relay circuit
this is only if I know that the link is a T1. But what if I don't know the speed of the link ? Is there a way to check this out.

Regards, Tarry

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 5:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: actual speed (BW) on a Frame-Relay circuit

This is actually more complicated than you think. :-) Which do you want to know, the speed of the link or the available bandwidth? If it's the latter, what do you mean by available? Do you want to know the CIR? Or how much you can burst over your CIR?

Let's say you have a frame relay T-1. The speed of that link is always 1.544 Mbps. If you send data across that link, regardless of the CIR, the data is travelling at 1.544 Mbps! Because it's frame relay, you might be paying for a certain CIR which is a statistical parameter that sometimes doesn't have much to do with how much data you can push across that link. In fact, if your provider isn't experiencing any congestion, then CIR doesn't mean squat as far as I'm concerned.

Whenever you exceed your CIR, frames in the cloud can be marked as Discard Eligible. All that means is that during times of congestion, those get dropped first. If there's no congestion, DE status doesn't mean much.

So, to answer your question... The speed of the link is whatever your link speed is. <g> The CIR can usually be seen by using the command "show frame-relay map".

I hope that helps and didn't just confuse the issue more. I may have been imprecise, and if I have others will surely correct me.

Regards, John

[EMAIL PROTECTED] 3/29/01 6:57:53 AM

Hi, is there a command to check the actual speed (BW) or max BW used on a Frame-Relay circuit.

Thanks, Tarry.
Re: actual speed (BW) on a Frame-Relay circuit
Call your telco, they have all the information that was discussed (port speed, access speed, CIR). That's really the easiest answer...cheers.

* This has been an Eyez Only streaming e-mail broadcast...We are watching.
NetEyez - CCNP, CCDA

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, March 30, 2001 3:53 AM
Subject: actual speed (BW) on a Frame-Relay circuit

this is only if I know that the link is a T1. But what if I don't know the speed of the link ? Is there a way to check this out.

Regards, Tarry

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 5:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: actual speed (BW) on a Frame-Relay circuit

This is actually more complicated than you think. :-) Which do you want to know, the speed of the link or the available bandwidth? If it's the latter, what do you mean by available? Do you want to know the CIR? Or how much you can burst over your CIR?

Let's say you have a frame relay T-1. The speed of that link is always 1.544 Mbps. If you send data across that link, regardless of the CIR, the data is travelling at 1.544 Mbps! Because it's frame relay, you might be paying for a certain CIR which is a statistical parameter that sometimes doesn't have much to do with how much data you can push across that link. In fact, if your provider isn't experiencing any congestion, then CIR doesn't mean squat as far as I'm concerned.

Whenever you exceed your CIR, frames in the cloud can be marked as Discard Eligible. All that means is that during times of congestion, those get dropped first. If there's no congestion, DE status doesn't mean much.

So, to answer your question... The speed of the link is whatever your link speed is. <g> The CIR can usually be seen by using the command "show frame-relay map".

I hope that helps and didn't just confuse the issue more. I may have been imprecise, and if I have others will surely correct me.

Regards, John

[EMAIL PROTECTED] 3/29/01 6:57:53 AM

Hi, is there a command to check the actual speed (BW) or max BW used on a Frame-Relay circuit.

Thanks, Tarry.
which hop will be taken by traceroute
I have some trace of the route in a network. Here every stage it is giving multiple paths. How would I know that which hop is actually taken at each stage ?

thanks pratik

1 16.250.193.161 0 msec 16.250.193.194 0 msec 16.250.193.162 0 msec
2 16.250.2.61 236 msec 16.250.2.113 0 msec 16.250.1.153 0 msec
3 16.250.65.40 236 msec 240 msec 16.250.2.61 236 msec
Re: OT: Programming under IOS
There is no provision for running code other than the IOS itself on a Cisco router. (Except you can run Linux on 2500s, but that's probably not what you're after)

On Fri, Mar 30, 2001 at 04:14:43PM -0800, Tan Chee Leong wrote:

Hi,

First, my apologies if the question makes no sense at all as I am just evaluating its possibility. I am also fairly new to CISCO stuff (only got my CCNA a month ago) so your advice on this will be very helpful although it is off-topic.

I am thinking of writing some small programs within the IOS platform such that it can communicate with an external host, using socket programming if you like. I am interested in obtaining the following:

1. basic configuration. I know it's contained in the startup-config and with snmp turned on, this information can be retrieved. However, what if snmp is not turned on? Is it possible, without going to all the routers to enable snmp, to still obtain this information from a host using tcp?

2. route table. Particularly I am interested in studying the dynamic changes of the route table over some period of time. Hence if the router can periodically send information to some internal host within the network, a collection of route tables can be obtained.

If in the end I have to do my own programming, it will lead on to several other questions:

1. is it feasible in the first place, given that CISCO IOS is proprietary stuff?

2. where can I get programming info? any recommendations?

Really appreciate if you can help me on this.

Cheers,
Chee Leong

--
Ryan O'Connell - [EMAIL PROTECTED] - http://www.complicity.co.uk
I'm not losing my mind, no I'm not changing my lines, I'm just learning new things with the passage of time
Re: AGS+(DTE) to 2523(DCE) back-to-back
Hi,

I've got an AGS+ connected to a 2501 and 2502. The cross over cables you are using, which side is DTE and which side is DCE? This matters because on the DCE side of the cable, you have to add a clock rate statement for the link to work. My cables, the AGS side is DCE and the 2500 side is DTE, so I did have to fiddle with the jumpers on the AGS (sorry, it's been about a year since I did it, so I don't remember exactly which jumpers I moved). I will post my configs so you can see how I have mine configured. If you need more help, let me know.

AGS+
interface Serial0
 ip address 192.168.2.2 255.255.255.252
 clockrate 56000

2501
interface Serial1
 description Serial to AGS
 ip address 192.168.2.1 255.255.255.252

Marty

From: "ciscojolof" [EMAIL PROTECTED]
Reply-To: "ciscojolof" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: AGS+(DTE) to 2523(DCE) back-to-back
Date: Mon, 26 Mar 2001 09:56:40 -0600

Hi, For 3 months I have been trying to have my AGS+(DTE) talk to my 2523(DCE). I am at my fourth back-to-back cable. The 2523 is sending keepalives but the AGS+ is not. AGS+ is DTE BY DEFAULT, so I didn't tinker with its jumpers. Has someone ever made an AGS+(DTE) talk to a 25xx(DCE)? Please help me.
Re: which hop will be taken by traceroute
On Fri, Mar 30, 2001 at 01:29:10AM -0800, pratik shah wrote:

I have some trace of the route in a network. Here every stage it is giving multiple paths. How would I know that which hop is actually taken at each stage ?

thanks pratik

1 16.250.193.161 0 msec 16.250.193.194 0 msec 16.250.193.162 0 msec
2 16.250.2.61 236 msec 16.250.2.113 0 msec 16.250.1.153 0 msec
3 16.250.65.40 236 msec 240 msec 16.250.2.61 236 msec

All the hops listed are used and are cycled through either on a per-packet or per-destination basis, depending on the router configs. Looks like you have multiple equal-cost paths to the destination.

--
Ryan O'Connell - [EMAIL PROTECTED] - http://www.complicity.co.uk
I'm not losing my mind, no I'm not changing my lines, I'm just learning new things with the passage of time
Re: 1720 Router question
Dear John,

All you need doing is NAT. You can read more on http://www.cisco.com/warp/public/556/index.shtml

Regards, Nurudeen

John Shipley [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Hey I have a question that I'm sure someone here can help me with...what I want to do seems to me should be simple yet I'm having issues getting it to work.. here's the situation. I have a network that has some published IP's and we want to assign one of those to a router and have all traffic to that address be forwarded to another router inside our network. The router that I have is a 1720.. any ideas of how this can be done?? I've looked at ip forwarding but it looks like I can only forward UDP not IP .. any help appreciated.. many thanks!!

Todd. [EMAIL PROTECTED]
Cisco Systems prices
Does anybody in the group have the price information of the following items? 1. Cisco 2621 router 2. Catalyst 2900 switch 3. 24 port 3Com hub 4. 16 port 3com hub 5. Cisco 2501 router I will appreciate any quick response from any member. Cheers, Preye.
Re: banner problem
What did you use for your starting delimiting character? Does that character appear again in your banner? For example, if you use the letter C as your starting delimiting character, your banner will stop as soon as it reaches the next C (if you put say the word Cisco in your banner, it will stop there).

Hope this helps, Marty

From: "michael liu" [EMAIL PROTECTED]
Reply-To: "michael liu" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: banner problem
Date: Mon, 26 Mar 2001 23:39:42

Hi, Guys:

I setup banner on one of the router, when I login in, it only displays half the banner, but in the configuration I have full banner. I checked process utilization is very low, and I have enough memory on the router.

Any ideas?

Thx,
ml
RE: using cisco cd without CD????
Install normally from the first cd. Edit search.ini (in the installation dir for recent version, in \(windows|winnt) for older ones IIRC), you will find something like

SourceDrive=E:
PubDir=/cdpub

(if E: is your cdrom drive). Change it to

SourceDrive=C:\CiscoCd\2
PubDir=/cdpub

and copy the whole second CD to or wherever you did specify.

Note: Do not prepend the path to PubDir, append to SourceDrive or it will not work (for me at least). Also, keep that path rather short since there are very deep paths already on the cd, I remember having some problems for a couple of files sometimes... however those weren't very important for me so I just did not copy them.

For the copy I'd avoid Windows explorer etc., but use (on winnt)

xcopy e:\*.* c:\CiscoCD\2\ /e /v /c /i /q /h

or something similar, should be rather faster.

Heiko

--
-- PREVINET S.p.A. [EMAIL PROTECTED]
-- Via Ferretto, 1 ph x39-041-5907073
-- I-31021 Mogliano V.to (TV) fax x39-041-5907087
-- ITALY

-----Original Message-----
From: Hugo [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 6:25 PM
To: [EMAIL PROTECTED]
Subject: Re: using cisco cd without CD

I would like to copy the CD to my HD so I don't have to take my external CD drive with my laptop. Does anyone know how to do this?

-- Hugo [EMAIL PROTECTED]

""Groupstudy"" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Sounds like it was installed on a network drive. Get a hold of the first disk in the two disk documentation set and reinstall it to your local hard drive. It does not matter if you are connected to the Internet or not. There are a few links on the disk that do point to CCO though, just avoid them. 99.9% of the docs will be available directly from the CD.

----- Original Message -----
From: beth shriver [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 17, 2001 9:54 AM
Subject: using cisco cd without network , why cant i?

I know this is a silly question and im too embarrassed to ask the guys at the office... but every time i try to use my doc cd it gives me a blank page unless im connected to a network how do i look at this if im on a plane or something. I know this is simple and pray no one from my office ever sees this! :) can anyone discreetly help? hahaha

Thanks Bethy
Re: The Finale: OSPF and IP Classless
Hi John, I would like to add another point to your observation. With 'no ip classless' , EIGRP also behaves the same way as OSPF when you have a supernet for the specific major net. Now for the really interesting part (if you've read this far and are still awake!) I set a static 0.0.0.0/0 route on Router B but then also advertised 10.1.0.0/16 from router A. Now Router B behaved classlessly but only for subnets of 10.1.0.0/16! If I tried to ping 10.2.1.1, for instance, it was unroutable, but any subnet of 10.1.0.0/16--even the unknown ones--would be routed based on the OSPF-installed supernet route. I then added 10.2.0.0/16 to the advertisement and saw what I expected: packets destined for either of those two subnets would be routed, all others failed. It works the same way if you repeat the above with EIGRP. But, the default route or GOLR is not considered under this situation if it is installed by EIGRP, whereas it is looked up when we use OSPF. Looks like 'ip classless' command is closely tied with the default route, rather than generically relating to a supernet. Regards, Srikanth. - Original Message - From: John Neiberger [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 30, 2001 5:09 AM Subject: The Finale: OSPF and IP Classless If you thought this behavior was odd before, this will really bake your noodle. I did some more experiments as we discussed in the thread earlier today. Here's another short recap to catch everyone up. I have two routers, A and B, running OSPF. The link between them is 10.1.1.0/24, and A is originating a default into B. Router B has 'no ip classless' configured. This means that by Cisco's explanations, if I were to ping any unknown subnet of 10.0.0.0/8 it would fail and debugging would show that it was unroutable. However, that wasn't happening. If I used OSPF to originate a 0.0.0.0/0 default route, it would be installed as GOLR and router B would behave classlessly. I tried this using 0.0.0.0/0, 10.0.0.0/8, and 8.0.0.0/5. 
In all cases, when using OSPF to originate the route, router B would behave classlessly. This behavior would not occur when I used RIP v1 or v2, IGRP, or EIGRP. (If I understood IS-IS, I'd try that too.)

Tonight I changed tactics and tried some new things. First, I ran two routing protocols, OSPF and RIP, but I let RIP advertise the default 0.0.0.0/0 to B. As expected, B behaved classfully and would not use the supernet route. This shows us that it's not merely the presence of OSPF on a router that can cause it to override 'no ip classless'.

Next, I configured a manual static default 0.0.0.0/0 route on B while Router A was also advertising the same route. Of course the OSPF route would not be installed into the table because of the higher AD, but I wanted to verify Router B's behavior. In this case, it was classful.

Next, I set the AD of the static route to 120, higher than the 110 AD of the OSPF route. This means that the new GOLR, even though it looks *exactly* the same in the routing table, was installed by OSPF. Guess what? Yep, classless behavior!

Now for the really interesting part (if you've read this far and are still awake!) I set a static 0.0.0.0/0 route on Router B but then also advertised 10.1.0.0/16 from router A. Now Router B behaved classlessly but only for subnets of 10.1.0.0/16! If I tried to ping 10.2.1.1, for instance, it was unroutable, but any subnet of 10.1.0.0/16--even the unknown ones--would be routed based on the OSPF-installed supernet route. I then added 10.2.0.0/16 to the advertisement and saw what I expected: packets destined for either of those two subnets would be routed, all others failed.

This means that the router behaves classlessly if there is a supernet route that was installed by OSPF...but only up to that point! In the situation I just mentioned, remember that there was also a static default route that was being ignored!
So, the new rule is this: a router with 'no ip classless' configured will not forward traffic to unknown subnets of known major networks UNLESS THERE IS A VALID SUPERNET ROUTE INSTALLED BY OSPF. (sorry for the caps. <g>)

Yikes, can this thread die now? :-) I know, I keep it going, but I wanted to really chase this down. I think I chased it down, kicked it, hit it with a stick, and now it's gone belly up not unlike the Norwegian Blue.

As for me, I think I'm through with my 'no ip classless' experiments. Now maybe I can finally get to those NAT labs I've been trying to get to for a week!

Regards, John
Network problem???
I have a problem with all of my Windows 2000 servers failed to authenticate into the PDC which is running Windows NT 4.0 server. The Apps people are saying that it is the Switches Network that I have. I checked all of my switches and routers, I can not find of any ACL or filter that cause their problem. They are thinking that I do not know what I am doing and ask me to call Cisco TAC for help. Before I do that, does anyone see this before? Kim, Thanks in advance.
Re: Console access
If you want to prevent access to your router via telnet you could not assign a password to vty 0-4 also you can setup transport input none and lastly you can use an access list to limit who can telnet (in conjunction with a tacacs+ server) in case you want a few people to telnet in... You use access-class in 5 then create access-list 5 permit x.x.x.x

Hope that helps.

----- Original Message -----
From: "Omer Ehsan Dar" [EMAIL PROTECTED]
To: "Cisco GroupStudy" [EMAIL PROTECTED]
Sent: Friday, March 30, 2001 3:37 AM
Subject: Console access

Hi all, Can we stop access to the console port from VTY session or telnet. Thanks Omer
Re: NTP Question?
Curiosity- why would your network need the atomic clock timing. As long as the peering/ stratum levels are configured correctly, convergence server timing works just as designed (perfect). I've tried a lot of combinations with the NTP projects I've done, but have always found the ISP keeps the best time usually are connected to either the atomic clock or are paying for some calibrated service (which is an extension of the atomic clock). This is where I first heard the term "clock suckers." These guys support the calibration of the service they draw the time off of more reliable devices (clocks) to calibrate your device (say quarterly). This way your leased device is always in time with Denver.

Let me know what you come up with

Thanks Phil

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 28, 2001 1:02 PM
Subject: NTP Question?

Does the Denver clock have an IP address , so I can set my router to it?

Brian
RE: Network problem???
Check your switches and make sure that Portfast is enabled on any ports connected to servers and workstations. Also, turn off EtherChannel and Trunking (which is in autonegotiation state by default).

Heather Buri
CSC Technology Services - Houston
Phone: (713)-961-8592
Fax: (713)-961-8249
Mobile:
Alpha Page:
Mailing: 1360 Post Oak Blvd Suite 500 Houston, TX 77056

-----Original Message-----
From: Kim Seng [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 6:34 AM
To: [EMAIL PROTECTED]
Subject: Network problem???

I have a problem with all of my Windows 2000 servers failed to authenticate into the PDC which is running Windows NT 4.0 server. The Apps people are saying that it is the Switches Network that I have. I checked all of my switches and routers, I can not find of any ACL or filter that cause their problem. They are thinking that I do not know what I am doing and ask me to call Cisco TAC for help. Before I do that, does anyone see this before?

Kim, Thanks in advance.
RE: BGP over two ISP links
I know that in our case, trying to use BGP for failover between two providers, we

(a) were required to have a /24 UUnet ... no problem
(b) were required to have an AS#... no problem
(c) PSI *required* us to 'take possession' of the maintainer object for our /24 ... still working on that part
    a. very few people appear to have ever heard of RADB ... very frustrating
(d) once we finish (c) we *should* be all set .. unless PSInet finds another way to delay us.

I only send this because the "RADB/ Maintainer Object" part has been a really painful delay .. but, that should be resolved today :).

Thanks! TJ

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 17:08
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: BGP over two ISP links

At a minimum you're going to need a single /24, not two. You would announce this prefix on both connections. You're also going to need to apply for an autonomous system number from ARIN. Details can be found at www.arin.net.

I'm wondering what you're really trying to accomplish. If this extra link isn't for redundancy, just load sharing, then why not have two connections to the same provider? This is FAR easier to implement, does not require a public AS number, and does not require using up an entire /24 prefix unnecessarily.

Even if the link is for redundancy, you could multihome to different POPs of the same provider. Again, this is easier to implement, doesn't require the AS number, and doesn't burn up so many addresses. If you have a good provider this is an excellent solution.

I'd seriously consider these other options before you make a decision.

Regards, John

"Ruihai An" [EMAIL PROTECTED] 3/29/01 2:11:17 PM

Hi, All, Here is a quick question: We are planning to run BGP over two ISP links to provide loading balance. But we were told that we will run into major problems if we do not have full class Cs on both ends. Could somebody make comment on this?

Thanks Ruihai
Secondary IP pix ?
Longish explanation I'm stumped with an IP address Range issue I fear can't be easily solved :( Suppose a Pix with 5.1(2) and a router (3640) with Ios 11.2(9)+ (yes yes I know, I hope it'll be 12.1 soon). "Server" | | Internal network | Pix | |. .100, mapped "Server" | DMZ, 10.64.1/24 | router | various connections Server is mapped with static to DMZ, let's pretend 10.64.1.100 . the router has several connections, some frame relay, some isdn ecc (not important). The other side of the connections (commercial partners) sometimes have overlapping networks, can't/won't use nat, or are generally not under our control. So some connections can't handle the 10.64.1/24 address range, however being usually outbound connections those are handled by int eth 0/0 ip nat inside int SOMEINT ip address SOMEINTADDR 255.255.255.0 ip nat outside ip route REMHOST SOMEINT ip nat outside source static Outside/Global IP of REMHOST REMHOST ip nat inside source route-map SOME-MAP interface SOMEINT overload route-map SOME-MAP match ip address SOME-LIST ip access-list extended SOME-LIST permit ip host 10.64.1.100 host REMHOST e.g. nat outside address to a range of our liking and overload the outgoing connection to the address specified on the interface. Not the best configuration probably, but working. Now, even with multiple concurrent connections like those there are no problems since the entries in the nat translation table are complete ip/port-ip/port. Now there comes an inbound/outbound connection with nat, which does mean a static mapping: ip nat inside source static 10.64.1.100 SOMEOTHERNET.100 int SOMEOTHERINT ip address SOMEOTHER_NET.1 255.255.255.0 ip nat outside You probably can see where this is leading to - collision. For example, if a connection from SERVER (through the pix) to the remote net is in action there is an IP-IP entry in the address translation table. 
If at the same time Server tries to initate a connection to REMHOST (need of overload/PAT on SOMEINT) this does fail, outgoing packets to REMHOST have a SOMEOTHERNET.100 source address instead of SOMEINTADDR, communication fails. Now AFAIK there is no way in Ios 11.2 to change this (if there is better way to do this please tell me where to look in the documentation and you'll have solved my problems. Sample conf would be nice, too :). A solution would be moving a connection to another router, but isn't really scalable (one router for every connection) Same for "one server for every connection" grin The pix is not capable to perform specific NAT based on SOURCEIP[port]-DESTIP[port] (like FW-1), only fixed nat through static, based on SOURCEIP, or dynamic with a pool, so it isn't even possible to nat the internal address to different (fixed) DMZ addresses based on destination ports. I'm wondering if it is possible (although after a quick glance in the manual I fear not) adding secondary addresses to the pix/interfac DMZ and the router/interface Ethernet (say in 172.16.1/24), static the server to 172.16.1.100, having effectively another DMZ on the same physical network. Point the routing for the new connection to router/eth-newDMZ-addr instead of router/eth-DMZ-addr, and avoid nat collision on the router (since the source address would be different). This would be somewhat scalabale also, since that additional DMZ can be as small as necessary (/29 would be fine), and could be located in every address range not already used somehwere else in the pix or the router (of course I suppose adding too much additional addresses to the interface could create problems.. OTOH with more different numbered DMZs you have less probability none of those are usable on the other side of the connection). Any idea how to implement this ? Or how to implemement some other scalable solution for this issue in any other way ? 
Heiko
--
-- PREVINET S.p.A. [EMAIL PROTECTED]
-- Via Ferretto, 1 ph x39-041-5907073
-- I-31021 Mogliano V.to (TV) fax x39-041-5907087
-- ITALY
Re: VPN 5001 concentrator
Let me guess, the clients are behind a Linksys router doing PAT (NAPT)? PATing devices typically cannot allow more than 1 IPSec session to pass-thru.

The reason for this is that the inbound IPSec SA is only determined by 3 things: dst addr, protocol (ESP or AH) and the Security Parameter Index (SPI). The dst addr and protocol will be the same, only ESP will work, so that only leaves the SPI to differentiate inbound SA's. The SPI is chosen by the destination and given to the sender during the initial ISAKMP negotiation. The PATing device can't see this negotiation, so it would be very difficult to allow multiple IPSec stations to establish connections. i.e. how can the PATing device determine which internal station the traffic is being sent to?

One way you could do this would be to make an assumption that any new inbound SA's belong to the last inside station to initiate a connection and just keep track of all IPSec initiations from internal stations and map it to inbound SPI's. This would work in some cases, but then there are potential problems if you have lots of internal clients making requests about the same time.

Bottom line, don't expect anyone to implement this functionality any time soon, if ever. What is more likely is that vendors will implement proprietary schemes to allow their VPN clients to talk through a NAT/PAT gateway to their VPN gateway as Cisco has done with the VPN 3000. (ala wrapping the IPSec packets with a UDP header)

An option would be to terminate the IPSec tunnels on a common perimeter device for all internal clients, or use an alternative VPN protocol, like SSL ala the Aventail product.

HTH,
Kent

On 29 Mar 2001, at 13:22, The.Rock wrote:

> Here's the problem: 2 clients, both sharing a DSL line. both use VPN client for 5001 When one is connected it is fine and if you add another connection off the same dsl while the other computer is connected, the VPN tunnel keeps dropping. Any ideas ?
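The PAT behaviour described in the reply above can be reproduced with a small model. This is an added example, not part of the original thread and not any vendor's implementation; all addresses, SPI values and the UDP wrapper port are constructed assumptions.

```python
from dataclasses import dataclass, field

# Every address, port and SPI below is constructed for this example.
PUBLIC_IP, VPN_GW = "203.0.113.10", "198.51.100.1"
CLIENT_A, CLIENT_B = "192.168.1.2", "192.168.1.3"
SPI_A, SPI_B = 0x1111AAAA, 0x2222BBBB  # picked by each client for its inbound SA
ENCAP_PORT = 10000                      # hypothetical port for the UDP-wrapped scheme


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "udp" or "esp"
    sport: int = 0   # ESP has no ports, so these stay 0
    dport: int = 0
    spi: int = 0     # ESP only


@dataclass
class PatGateway:
    guess_by_last_initiator: bool = False
    next_port: int = 20000
    ports: dict = field(default_factory=dict)           # public port -> (inside ip, port)
    esp_peer: dict = field(default_factory=dict)        # remote ip -> inside ip
    spi_owner: dict = field(default_factory=dict)       # inbound SPI -> inside ip (guess)
    last_initiator: dict = field(default_factory=dict)  # remote ip -> inside ip

    def outbound(self, pkt):
        if pkt.proto == "udp":
            flow = (pkt.src, pkt.sport)
            pub = next((p for p, f in self.ports.items() if f == flow), None)
            if pub is None:                 # new flow: allocate its own public port
                pub, self.next_port = self.next_port, self.next_port + 1
                self.ports[pub] = flow
            if pkt.dport == 500:            # ISAKMP: only who initiated is visible
                self.last_initiator[pkt.dst] = pkt.src
            return Packet(PUBLIC_IP, pkt.dst, "udp", pub, pkt.dport)
        # ESP: nothing to rewrite but the address, so one slot per remote peer.
        self.esp_peer[pkt.dst] = pkt.src
        return Packet(PUBLIC_IP, pkt.dst, "esp", spi=pkt.spi)

    def inbound(self, pkt):
        """Return the inside host that receives pkt, or None if it is dropped."""
        if pkt.proto == "udp":
            flow = self.ports.get(pkt.dport)
            return flow[0] if flow else None
        if self.guess_by_last_initiator:
            # Unknown SPI: assume it belongs to whoever started ISAKMP most recently.
            if pkt.spi not in self.spi_owner and pkt.src in self.last_initiator:
                self.spi_owner[pkt.spi] = self.last_initiator[pkt.src]
            return self.spi_owner.get(pkt.spi)
        return self.esp_peer.get(pkt.src)


def ike(gw, client):
    gw.outbound(Packet(client, VPN_GW, "udp", 500, 500))


def esp_from_gateway(gw, spi):
    return gw.inbound(Packet(VPN_GW, PUBLIC_IP, "esp", spi=spi))


def plain_pat():
    """Both clients bring up a tunnel; who receives each client's inbound ESP?"""
    gw = PatGateway()
    for client in (CLIENT_A, CLIENT_B):
        ike(gw, client)
        gw.outbound(Packet(client, VPN_GW, "esp", spi=0x9999))
    return esp_from_gateway(gw, SPI_A), esp_from_gateway(gw, SPI_B)


def last_initiator_guess(simultaneous):
    """The 'last inside station to initiate' heuristic from the reply."""
    gw = PatGateway(guess_by_last_initiator=True)
    ike(gw, CLIENT_A)
    if simultaneous:
        ike(gw, CLIENT_B)                   # B starts before A's first ESP returns
        return esp_from_gateway(gw, SPI_A), esp_from_gateway(gw, SPI_B)
    to_a = esp_from_gateway(gw, SPI_A)
    ike(gw, CLIENT_B)
    return to_a, esp_from_gateway(gw, SPI_B)


def udp_encapsulated():
    """ESP wrapped in UDP: the PAT device can demultiplex on the port again."""
    gw = PatGateway()
    sent = [gw.outbound(Packet(c, VPN_GW, "udp", ENCAP_PORT, ENCAP_PORT))
            for c in (CLIENT_A, CLIENT_B)]
    return tuple(gw.inbound(Packet(VPN_GW, PUBLIC_IP, "udp", ENCAP_PORT, p.sport))
                 for p in sent)


if __name__ == "__main__":
    print("plain PAT            :", plain_pat())
    print("guess, sequential    :", last_initiator_guess(simultaneous=False))
    print("guess, simultaneous  :", last_initiator_guess(simultaneous=True))
    print("UDP-encapsulated ESP :", udp_encapsulated())
```

Each result is the pair (host that received client A's inbound ESP, host that received client B's); only the sequential guess and the UDP-wrapped case deliver both correctly.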
Re: PIX+Router+Frame relay to internet
Howard,

Comments imbedded:

On 29 Mar 2001, at 13:04, Howard C. Berkowitz wrote:

<snip>

>> There should also be no way for an untrusted network to bypass your firewall, which there is in this design.
>
> Kent, I'd be interested in your opinion about an approach I've increasingly used. Do you consider it evil?
>
> Traffic comes onto the DMZ from an external screening router. If it is destined for anything not on the DMZ, the options include:
>
> -- for IPsec transport mode and other encrypted traffic, send to a router with basic filtering (e.g., verify reverse path and drop traffic with source addresses and your internal network) and traffic policing (to prevent flooding), and let it into the network. A firewall not participating in the end-to-end encryption can't do anything with the packet -- why load up the firewall with conduits?

The decision of where to terminate one's IPSec tunnels is a bit of a religious debate, but my preferred approach is to terminate them on the perimeter on a VPN box in front of the firewall. There are arguments as to whether the VPN box can reside in parallel with the FW, and there is a school of thought that says "yes", especially for performance reasons. I prefer to have only one way in and out of my security perimeters from a functional perspective, load-balancing a set of firewalls if it's necessary for throughput, but keeping the policies consistent.

As for passing encrypted tunnels through the FW, I don't like letting this sort of traffic through a security perimeter. It makes any sort of IDS all but worthless and it's usually not necessary. There are always exceptions and there may be cases where one just cannot terminate the tunnels on the perimeter, but as a general rule of thumb I don't do it.

> -- for traffic using SSL proxies, send to an appropriate gateway, which MAY be the firewall. Same thing for IPsec tunnel mode security gateways.

Same argument as above. :-) As you know, there are no absolutes, there are always exceptions to every rule.
Very high-speed or very complex environments always stretch the rules of thumb we like to use. However, in all but the "one-off" scenarios, I try to follow a consistent architecture: terminate all encrypted tunnels on a security perimeter and have all traffic flow through a firewall(s) that enforce policy. I've found that this design makes for a very consistent, manageable and more secure perimeter.

My .02,
Kent
3DES through PIX
Experts,

I have got an access VPN connection to be configured to connect one of the VPN switches. I have got a pix, which is configured to translate the inside ip address to an internet routable ip address. But for the NAT function, the PIX does not do anything relating to ipsec. The cisco client we are using is using 3DES whereas my PIX IOS is not enabled for 3DES. But as I said, the PIX is just passing whatever traffic to the internet. Now, this connection does not go through. What could be the reason ? Do I have to necessarily enable 3DES on PIX ?

Cheers,
Cisco FW and HTTP Java applet
I get problem to Web Page with Java applet. It does not show pop-up menu on the side (for example) but just only grey color (depending on the color of menu).

Check log at cisco router running 12.1.5:

Mar 30 15:27:56.743: %FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from (195.18.191.20:80) to (10.24.3.30:2194).
Mar 30 15:27:56.747: %FW-6-SESS_AUDIT_TRAIL: http session initiator (10.24.3.30:2194) sent 278 bytes -- responder (195.18.191.20:80) sent 0 bytes
Mar 30 15:27:56.755: %SEC-6-IPACCESSLOGP: list internet denied tcp 195.18.191.20(80) (Serial1/0:1 *PPP*) -> x.x.x.x(2194), 1 packet
Mar 30 15:27:57.291: %FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from (195.18.191.20:80) to (10.24.3.30:2197).

It sounds Java applet is blocked by router. I don't have any ACL for Java.

Look at cisco CBAC page:

Java Inspection

With Java, you must protect against the risk of users inadvertently downloading destructive applets into your network. To protect against this risk, you could require all users to disable Java in their browser. If this is not an agreeable solution, you can use CBAC to filter Java applets at firewall, which allows users to download only applets residing within the firewall and trusted applets from outside the firewall.

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except for sites specifically designated as "hostile."

How can I make Java applet filtering ?

Kim
Buffer Problem
I have a condition when 1 system is attempting to hand a packet to a transmission buffer and no buffer is available

a. Fast switching
b. input drop
c. output drop
d. route-cache

Thanks
Koliy
RE: Cisco FW and HTTP Java applet
This is IOS firewall?

    ip inspect name (whatever) http java-list 51
    access-list 51 permit any

Hope this helps and I found this info myself somewhere on Cisco.com

Cory

-----Original Message-----
From: eto [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 7:51 AM
To: [EMAIL PROTECTED]
Subject: Cisco FW and HTTP Java applet

I get problem to Web Page with Java applet. It does not show pop-up menu on the side (for example) but just only grey color (depending on the color of menu).

Check log at cisco router running 12.1.5:

Mar 30 15:27:56.743: %FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from (195.18.191.20:80) to (10.24.3.30:2194).
Mar 30 15:27:56.747: %FW-6-SESS_AUDIT_TRAIL: http session initiator (10.24.3.30:2194) sent 278 bytes -- responder (195.18.191.20:80) sent 0 bytes
Mar 30 15:27:56.755: %SEC-6-IPACCESSLOGP: list internet denied tcp 195.18.191.20(80) (Serial1/0:1 *PPP*) -> x.x.x.x(2194), 1 packet
Mar 30 15:27:57.291: %FW-3-HTTP_JAVA_BLOCK: JAVA applet is blocked from (195.18.191.20:80) to (10.24.3.30:2197).

It sounds Java applet is blocked by router. I don't have any ACL for Java.

Look at cisco CBAC page:

Java Inspection

With Java, you must protect against the risk of users inadvertently downloading destructive applets into your network. To protect against this risk, you could require all users to disable Java in their browser. If this is not an agreeable solution, you can use CBAC to filter Java applets at firewall, which allows users to download only applets residing within the firewall and trusted applets from outside the firewall.

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked.
Alternately, you could permit applets from all sites except for sites specifically designated as "hostile."

How can I make Java applet filtering ?

Kim
RE: Buffer Problem
Is this a test? :-)

Heather Buri
CSC Technology Services - Houston
Phone: (713)-961-8592 Fax: (713)-961-8249 Mobile: Alpha Page:
Mailing: 1360 Post Oak Blvd Suite 500 Houston, TX 77056

-----Original Message-----
From: KOLIY [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 8:04 AM
To: [EMAIL PROTECTED]
Subject: Buffer Problem

I have a condition when 1 system is attempting to hand a packet to a transmission buffer and no buffer is available

a. Fast switching
b. input drop
c. output drop
d. route-cache

Thanks
Koliy
RE: BGP over two ISP links
Believe me, I sympathize. My first attempt to connect to the Internet failed due to not considering publishing my policy in a routing registry (e.g., RADB). See http://www.radb.net, or the routing registry areas at http://www.arin.net and http://www.ripe.net.

One of my concerns with the way that Internet routing is taught is that most presentations are about the configuration of a router or two, when it is essential first to understand how the routers fit into the global routing system. Playing in the global routing system involves a lot more than BGP announcements. As you have observed, it involves address assignment, AS number assignment, and registering a routing policy at the very least. Reverse DNS, swip/rwhois, filtering, and many other factors will enter into real-world operations.

It's also often unclear what people are trying to do when they want anything beyond single-link, default-routed connectivity to an ISP. Have you ever been to a convention where officious people push you around with no explanation other than muttering "security?" I'm afraid I often hear "load-sharing" muttered in the same way with respect to Internet connectivity. There is no single thing that is defined as load sharing, and there are different reasons to want or not want different load sharing options.

In my BGP tutorials at CertificationZone (member area), I've tried to emphasize "define policy first, then think about configuration." You'll also see this philosophy in my tutorials at NANOG, and in my upcoming book (end of the year) on building service provider networks.

The message remains, whenever someone thinks they are ready to configure BGP on a live router to an ISP, if that is all they think they need to do to get connected, they are not ready. Since a lot of this isn't written down, it's very wise to find a knowledgeable ISP and work with their presales people very closely. Finding the clueful people can be a crapshoot, I will admit.
I can think of one national carrier with whom I've dealt in different cities. For the account in Washington DC, which literally did have Presidential priority, the particular carrier was slow and inflexible. For a different account with the same provider in Nashville, the account team couldn't have been more responsive, both at sales and engineering levels.

I know that in our case, trying to use BGP for failover between two providers, we
(a) were required to have a /24UUnet ... no problem
(b) were required to have an AS# ... no problem
(c) PSI *required* us to 'take possession' of the maintainer object for our /24 ... still working on that part
    a. very few people appear to have ever heard of RADB ... very frustrating
(d) once we finish (c) we *should* be all set .. unless PSInet finds another way to delay us.

Unless, of course, PSInet simply goes into bankruptcy. I wish them well, but the financial press does seem to suggest that the vultures are getting very close.

I only send this because the "RADB/ Maintainer Object" part has been a really painful delay .. but, that should be resolved today :).

Thanks!
TJ

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 17:08
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: BGP over two ISP links

At a minimum you're going to need a single /24, not two. You would announce this prefix on both connections. You're also going to need to apply for an autonomous system number from ARIN. Details can be found at www.arin.net.

I'm wondering what you're really trying to accomplish. If this extra link isn't for redundancy, just load sharing, then why not have two connections to the same provider? This is FAR easier to implement, does not require a public AS number, and does not require using up an entire /24 prefix unnecessarily. Even if the link is for redundancy, you could multihome to different POPs of the same provider.
Again, this is easier to implement, doesn't require the AS number, and doesn't burn up so many addresses. If you have a good provider this is an excellent solution. I'd seriously consider these other options before you make a decision.

Regards,
John

"Ruihai An" [EMAIL PROTECTED] 3/29/01 2:11:17 PM

Hi, All, Here is a quick question: We are planning to run BGP over two ISP links to provide loading balance. But we were told that we will run into major problems if we do not have full class Cs on both ends. Could somebody make comment on this?

Thanks
Ruihai
PAT
I have a frame relay circuit connected to a 1750 router with an ip-unnumbered assigned to the serial int to point to the Ethernet interface. I shut down the Ethernet interface and configured a second serial interface on the router with the ip add. that is attached to a Cisco 2600 router. I also changed the ip unnumbered to point to that serial interface. I configured the 2600 to overload Nat and configured some static interfaces. My problem is: this 1750 is connected to the internet via frame relay and I'm unable to get any internet traffic to go past the 1750. I created a static mapping for the DNS server we are using and I'm still not able to get any traffic. Need some advice from
CCIE LAB on NYC area
Hi all,

Does anyone know if there is a very good CCIE LAB in NYC area... something like the LAB in San Jose?

Thank you,
Mike
Stupid question
Dear all,

I have a stupid question, want to clarify.
is it I cannot make two or more interfaces share the same subnet in the Router?

Thanks

Best Regards,
rick
Re: Token Ring Question
Let me ask you this. Are the interfaces of equal cost? Do you want routing loops? What prevents routing loops, and how are loops prevented?

Scott

Vincent wrote:

> For I am not familiar with TokenRing. I'm just wondering how come when I insert 2 routers into the token ring hub, one of the interfaces is up/down all the time.
>
> Thanks
> Vincent
Re: Token Ring Tool WAS Token Ring Problem
Media Insertion Tool - is the name I learned about 10 years ago I think.

Scott

Daniel Cotts wrote:

> I've heard about those zapper tools for MAUs but have never seen one. Is there an official name for it? Any manufacturer or part number? Might be worth finding on eBay. I have several old MAUs that I haven't tested. TIA
>
> -----Original Message-----
> From: ElephantChild [mailto:[EMAIL PROTECTED]]
>
> Typical causes, in no particular order, are:
> - Stuck relay, if you're using an old mechanical MAU, eg a 8228. If that's the problem, just phaser the relay unstuck.
Re: Token Ring Problem
Thanks all! Problem fixed. Just follow cisco recommendation and it works.
Re: actual speed (BW) on a Frame-Relay circuit
If you have an external CSU/DSU then the router has no idea what the actual speed of the link is. The default bandwidth configured on a serial interface is 1.544 Mbps, but that means nothing. You could have a 56k line and the router would still have 1.544 Mbps configured. As far as I know, there is no way--from IOS--to definitely prove the link speed in a situation like this.

Sometimes you can tell from the circuit ID itself what the link speed is, depending on the provider. For instance, with our provider, any circuit ID that contains QGEA, HCGL, or YBGA is a T-1, while YGGA is a fractional T-1 and XHGL is 56k frame relay.

Sorry, I know that doesn't help much. You can try doing a 'show frame map' and looking at the CIR. If the CIR was automatically assigned, it's usually some percentage of the actual link speed. With our provider, the default CIR on a PVC on a t-1 is 768000.

Good luck!
John

[EMAIL PROTECTED] 3/30/01 1:53:14 AM

this is only if I know that the link is a T1. But what if I don't know the speed of the link ? Is there a way to check this out.

Regards,
Tarry

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2001 5:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: actual speed (BW) on a Frame-Relay circuit

This is actually more complicated than you think. :-) Which do you want to know, the speed of the link or the available bandwidth? If it's the latter, what do you mean by available? Do you want to know the CIR? Or how much you can burst over your CIR?

Let's say you have a frame relay T-1. The speed of that link is always 1.544 Mbps. If you send data across that link, regardless of the CIR, the data is travelling at 1.544 Mbps! Because it's frame relay, you might be paying for a certain CIR which is a statistical parameter that sometimes doesn't have much to do with how much data you can push across that link.
In fact, if your provider isn't experiencing any congestion, then CIR doesn't mean squat as far as I'm concerned. Whenever you exceed your CIR, frames in the cloud can be marked as Discard Eligible. All that means is that during times of congestion, those get dropped first. If there's no congestion, DE status doesn't mean much.

So, to answer your question... The speed of the link is whatever your link speed is. <g> The CIR can usually be seen by using the command "show frame-relay map".

I hope that helps and didn't just confuse the issue more. I may have been imprecise, and if I have others will surely correct me.

Regards,
John

[EMAIL PROTECTED] 3/29/01 6:57:53 AM

Hi, is there a command to check the actual speed (BW) or max BW used on a Frame-Relay circuit.

Thanks,
Tarry.
Re: The Finale: OSPF and IP Classless (partial retraction)
Oops, I just re-read your post and see that you were talking about advertising a specific major net, not the 0.0.0.0/0 default. So, are you saying that if I use EIGRP and advertise 10.0.0.0/8 from router A to router B that I can then successfully route packets destined for 10.5.5.5, for instance?

So, just as in my experiments, the router behaves classlessly up to a point. In this example, it would use the major network supernet route but still would not be able to use the 0.0.0.0/0 supernet, right?

Good grief. I'm just going to leave 'ip classless' on all the time and not worry about it. <g>

Thanks,
John

"R.Srikanth" [EMAIL PROTECTED] 3/30/01 9:17:28 AM

Hi John, I would like to add another point to your observation. With 'no ip classless', EIGRP also behaves the same way as OSPF when you have a supernet for the specific major net.

Now for the really interesting part (if you've read this far and are still awake!) I set a static 0.0.0.0/0 route on Router B but then also advertised 10.1.0.0/16 from router A. Now Router B behaved classlessly but only for subnets of 10.1.0.0/16! If I tried to ping 10.2.1.1, for instance, it was unroutable, but any subnet of 10.1.0.0/16--even the unknown ones--would be routed based on the OSPF-installed supernet route. I then added 10.2.0.0/16 to the advertisement and saw what I expected: packets destined for either of those two subnets would be routed, all others failed.

It works the same way if you repeat the above with EIGRP. But, the default route or GOLR is not considered under this situation if it is installed by EIGRP, whereas it is looked up when we use OSPF. Looks like 'ip classless' command is closely tied with the default route, rather than generically relating to a supernet.

Regards,
Srikanth.
----- Original Message -----
From: John Neiberger [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 30, 2001 5:09 AM
Subject: The Finale: OSPF and IP Classless

If you thought this behavior was odd before, this will really bake your noodle. I did some more experiments as we discussed in the thread earlier today. Here's another short recap to catch everyone up.

I have two routers, A and B, running OSPF. The link between them is 10.1.1.0/24, and A is originating a default into B. Router B has 'no ip classless' configured. This means that by Cisco's explanations, if I were to ping any unknown subnet of 10.0.0.0/8 it would fail and debugging would show that it was unroutable.

However, that wasn't happening. If I used OSPF to originate a 0.0.0.0/0 default route, it would be installed as GOLR and router B would behave classlessly. I tried this using 0.0.0.0/0, 10.0.0.0/8, and 8.0.0.0/5. In all cases, when using OSPF to originate the route, router B would behave classlessly. This behavior would not occur when I used RIP v1 or v2, IGRP, or EIGRP. (If I understood IS-IS, I'd try that too.)

Tonight I changed tactics and tried some new things. First, I ran two routing protocols, OSPF and RIP, but I let RIP advertise the default 0.0.0.0/0 to B. As expected, B behaved classfully and would not use the supernet route. This shows us that it's not merely the presence of OSPF on a router that can cause it to override 'no ip classless'.

Next, I configured a manual static default 0.0.0.0/0 route on B while Router A was also advertising the same route. Of course the OSPF route would not be installed into the table because of the higher AD, but I wanted to verify Router B's behavior. In this case, it was classful.

Next, I set the AD of the static route to 120, higher than the 110 AD of the OSPF route. This means that the new GOLR, even though it looks *exactly* the same in the routing table, was installed by OSPF. Guess what? Yep, classless behavior!
Now for the really interesting part (if you've read this far and are still awake!) I set a static 0.0.0.0/0 route on Router B but then also advertised 10.1.0.0/16 from router A. Now Router B behaved classlessly but only for subnets of 10.1.0.0/16! If I tried to ping 10.2.1.1, for instance, it was unroutable, but any subnet of 10.1.0.0/16--even the unknown ones--would be routed based on the OSPF-installed supernet route. I then added 10.2.0.0/16 to the advertisement and saw what I expected: packets destined for either of those two subnets would be routed, all others failed.

This means that the router behaves classlessly if there is a supernet route that was installed by OSPF...but only up to that point! In the situation I just mentioned, remember that there was also a static default route that was being ignored!

So, the new rule is this: a router with 'no ip classless' configured will not forward traffic to unknown subnets of known major networks UNLESS THERE IS A VALID SUPERNET ROUTE INSTALLED BY OSPF. (sorry for the caps. <g>)

Yikes, can this thread die now? :-) I know, I keep it going, but I wanted to really chase this down.
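As a baseline for the experiments in this thread, the following added example (not code from the thread or from Cisco) models only the documented lookup rule for 'ip classless' and 'no ip classless'; it does not reproduce the OSPF-specific behaviour reported above. The next-hop labels and the 192.168.9.9 destination are constructed; the prefixes are the ones used in the thread.

```python
import ipaddress


def major_network(addr):
    """Return the classful (A/B/C) network that contains addr."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        raise ValueError("class D/E addresses have no major network")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def lookup(table, dst, ip_classless):
    """Return (prefix, next hop) chosen for dst, or None if it is unroutable.

    table is a list of (prefix, next_hop) pairs. With ip_classless=False the
    documented classful rule applies: if any route lies inside the
    destination's major network, only those routes are considered, so
    supernets and the default route are never used as a fallback.
    """
    dst = ipaddress.ip_address(dst)
    routes = [(ipaddress.ip_network(prefix), hop) for prefix, hop in table]
    candidates = routes
    if not ip_classless:
        major = major_network(dst)
        inside = [r for r in routes if r[0].subnet_of(major)]
        if inside:                      # major network is "known"
            candidates = inside
    matches = [r for r in candidates if dst in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)   # longest match wins
    return str(best[0]), best[1]


# Router B as described in the thread: the 10.1.1.0/24 link plus a default.
BASE = [("10.1.1.0/24", "connected"), ("0.0.0.0/0", "Router A")]


def thread_scenarios():
    with_supernet = BASE + [("8.0.0.0/5", "Router A")]
    with_16 = BASE + [("10.1.0.0/16", "Router A")]
    with_8 = BASE + [("10.0.0.0/8", "Router A")]
    return {
        "classful, default only, 10.5.5.5": lookup(BASE, "10.5.5.5", False),
        "classless, default only, 10.5.5.5": lookup(BASE, "10.5.5.5", True),
        "classful, unknown major net": lookup(BASE, "192.168.9.9", False),
        "classful, 8.0.0.0/5 present, 10.5.5.5": lookup(with_supernet, "10.5.5.5", False),
        "classful, 10.1.0.0/16 present, 10.1.200.1": lookup(with_16, "10.1.200.1", False),
        "classful, 10.1.0.0/16 present, 10.2.1.1": lookup(with_16, "10.2.1.1", False),
        "classful, 10.0.0.0/8 present, 10.5.5.5": lookup(with_8, "10.5.5.5", False),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:45} -> {result}")
```

Under the documented rule a 10.1.0.0/16 or 10.0.0.0/8 route is usable with 'no ip classless' because it lies inside the major network, while 8.0.0.0/5 and 0.0.0.0/0 are not.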
Internet tutorial ppt
Maybe someone knows... At one time (around last Summer) someone from this list posted an awesome link to a site that had a PowerPoint tutorial about the Internet origins and the backbone description, NAP's etc. Somehow I lost this link. I searched the archives but couldn't find it. There's probably others as well. Does anyone know of this one or even another one?

Thanks,
Ken
Re: The Finale: OSPF and IP Classless
In my testing, I found exactly the opposite, which is why all of this is so odd. With 'no ip classless' configured and using EIGRP to originate a default from Router A into Router B, B would still behave classfully in its route lookups. It would *not* use a supernet route for destinations in unknown subnets of known major networks. (geez, what a mouthful!).

Specifically in my case, the link is 10.1.1.0/24. When router A would advertise a 0.0.0.0/0 route to router B and I tried to ping 10.5.5.5, for instance, it would fail, as expected. The router knows about 10.1.1.0/24 but it doesn't know anything about 10.5.5.5. In classful operation, that is unroutable.

Now if I remove EIGRP and use OSPF for this, router B starts to behave classlessly in its lookups even if 'no ip classless' is still configured! That is the true oddity here. I've seen no documentation that says OSPF overrides 'no ip classless' but that is, in fact, what I've proven to my satisfaction. I've tried just about every possible configuration I (and a few others) could think of and I can predict consistently how it's going to behave now.

If anyone would like to see a VERY long detailed description of the experiments including configurations and command output, I could put it together. I'd rather you do it yourselves on your own equipment, though, to verify these results. Besides, that's a lot of work. <g>

Regards,
John

"R.Srikanth" [EMAIL PROTECTED] 3/30/01 9:17:28 AM

Hi John, I would like to add another point to your observation. With 'no ip classless', EIGRP also behaves the same way as OSPF when you have a supernet for the specific major net.

Now for the really interesting part (if you've read this far and are still awake!) I set a static 0.0.0.0/0 route on Router B but then also advertised 10.1.0.0/16 from router A. Now Router B behaved classlessly but only for subnets of 10.1.0.0/16!
If I tried to ping 10.2.1.1, for instance, it was unroutable, but any subnet of 10.1.0.0/16--even the unknown ones--would be routed based on the OSPF-installed supernet route. I then added 10.2.0.0/16 to the advertisement and saw what I expected: packets destined for either of those two subnets would be routed, all others failed.

It works the same way if you repeat the above with EIGRP. But, the default route or GOLR is not considered under this situation if it is installed by EIGRP, whereas it is looked up when we use OSPF. Looks like 'ip classless' command is closely tied with the default route, rather than generically relating to a supernet.

Regards,
Srikanth.

----- Original Message -----
From: John Neiberger [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 30, 2001 5:09 AM
Subject: The Finale: OSPF and IP Classless

If you thought this behavior was odd before, this will really bake your noodle. I did some more experiments as we discussed in the thread earlier today. Here's another short recap to catch everyone up.

I have two routers, A and B, running OSPF. The link between them is 10.1.1.0/24, and A is originating a default into B. Router B has 'no ip classless' configured. This means that by Cisco's explanations, if I were to ping any unknown subnet of 10.0.0.0/8 it would fail and debugging would show that it was unroutable.

However, that wasn't happening. If I used OSPF to originate a 0.0.0.0/0 default route, it would be installed as GOLR and router B would behave classlessly. I tried this using 0.0.0.0/0, 10.0.0.0/8, and 8.0.0.0/5. In all cases, when using OSPF to originate the route, router B would behave classlessly. This behavior would not occur when I used RIP v1 or v2, IGRP, or EIGRP. (If I understood IS-IS, I'd try that too.)

Tonight I changed tactics and tried some new things. First, I ran two routing protocols, OSPF and RIP, but I let RIP advertise the default 0.0.0.0/0 to B. As expected, B behaved classfully and would not use the supernet route.
This shows us that it's not merely the presence of OSPF on a router that can cause it to override 'no ip classless'. Next, I configured a manual static default 0.0.0.0/0 route on B while Router A was also advertising the same route. Of course the OSPF route would not be installed into the table because of the higher AD, but I wanted to verify Router B's behavior. In this case, it was classfull. Next, I set the AD of the static route to 120, higher than the 110 AD of the OSPF route. This means that the new GOLR, even thought it looks *exactly* the same in the routing table, was installed by OSPF. Guess what? Yep, classless behavior! Now for the really interesting part (if you've read this far and are still awake!) I set a static 0.0.0.0/0 route on Router B but then also advertised 10.1.0.0/16 from router A. Now Router B behaved classlessly but only for subnets of 10.1.0.0/16! If I tried to ping 10.2.1.1, for instance, it was unroutable, but any subnet of 10.1.0.0/16--even the unknown
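The thread above measures router B against the classful lookup rule that 'no ip classless' is supposed to select. The following added example (not code from the thread or from Cisco) is a simplified model of that rule only, not of the OSPF behaviour the posters report; the function names and the two constructed tables are assumptions, while the prefixes are the ones used in the messages.

```python
import ipaddress

# Constructed routing tables for router B, built from prefixes named in the thread.
TABLE_DEFAULT_ONLY = ["10.1.1.0/24", "0.0.0.0/0"]
TABLE_WITH_SUPERNET = ["10.1.1.0/24", "10.1.0.0/16", "0.0.0.0/0"]


def major_network(addr):
    """Return the classful (A/B/C) network containing addr, or None for class D/E."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        return None
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup(table, destination, ip_classless):
    """Return the prefix used to forward destination, or None if it is unroutable."""
    dest = ipaddress.ip_address(destination)
    routes = [ipaddress.ip_network(prefix) for prefix in table]
    # Longest-prefix match over every route that covers the destination.
    matches = sorted((r for r in routes if dest in r),
                     key=lambda r: r.prefixlen, reverse=True)

    if not ip_classless:
        major = major_network(dest)
        if major is not None and any(r.subnet_of(major) for r in routes):
            # The major network is known to the table, so only routes inside
            # it may be used; supernets and the default route are ignored.
            matches = [r for r in matches if r.subnet_of(major)]

    return str(matches[0]) if matches else None


if __name__ == "__main__":
    for table in (TABLE_DEFAULT_ONLY, TABLE_WITH_SUPERNET):
        for dest in ("10.1.1.7", "10.1.9.9", "10.5.5.5", "10.2.1.1", "192.168.1.1"):
            for classless in (False, True):
                print(table, dest, "ip classless" if classless else "no ip classless",
                      "->", lookup(table, dest, classless))
```

In this model the 10.1.0.0/16 case routes 10.1.9.9 and drops 10.2.1.1 even with `ip_classless=False`, because the /16 lies inside the major network 10.0.0.0/8.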
Re: Stupid question
This isn't a stupid question, it's a very important point to make. If you are routing, each interface on the router must be in its own subnet. Otherwise routing would not work. If you're bridging, then the bridged interfaces are in the same subnet but you don't specifically assign an IP address to those interfaces. I'm guessing that you're really asking the former question: in a routing situation can two different interfaces be in the same subnet, and the answer is no.

HTH, John

After removing all of the HTML, Rick appeared to say...

Dear all, I have a stupid question, want to clarify. is it I cannot make two or more interfaces share the same subnet in the Router? Thanks Best Regards, rick
OT: Can't ping anything on LAN when connected on dial-up adapter
This might be a little off topic since it is not regarding Cisco, but then again maybe not, since it's about routing and connectivity after all. I have a small LAN with five workstations and one printer. Everybody can ping each other and the printer. However, if one of the users establishes a dial-up connection to the ISP, she can't ping anything on the LAN anymore. The workstations are running Windows 95/98. I haven't been able to find anything (yet) in Microsoft's Knowledgebase (I'm still looking), but I thought that some of you might have had this problem yourselves. Any comments on this will be appreciated.

Thanks, Ole

Ole Drews Jensen Systems Network Manager CCNA, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] http://www.oledrews.com/ccnp NEED A JOB ??? http://www.oledrews.com/job
RE: 3DES through PIX
Your Internet accessible IP that you are using on the PIX

Is this global address a single address? Probably it is... once again, you can't do IPsec through PAT (many to one nat). Try assigning that station that needs to VPN a static address on the public side.

Moe.

-----Original Message----- From: Ragavendran K Rao (CTS) To: '[EMAIL PROTECTED]' Sent: 3/30/2001 5:57 AM Subject: 3DES through PIX

experts, i have got an access VPN connection to be configured to connect one of the VPN switches. i have got a pix, which is configured to translate the inside ip address to an internet routable ip address. but for the NAT function, the PIX does not do anything relating to ipsec. the cisco client we are using is using 3DES whereas my PIX IOS is not enabled for 3DES. but as i said, the PIX is just passing whatever traffic to the internet. now, this connection does not go through. what could be the reason ? do i have to necessarily enable 3DES on PIX ? cheers,
Re: Cisco Systems prices
US List. French duty costs may raise the price significantly. For the routers, you need IOS, so I've provided you the price of IP-only software, and you didn't indicate any WICs for the 2621, so I'm assuming that you don't need any. You also didn't specify any modules for GBICs in the 2900, so I'll assume that you don't need those. Cisco V.35 serial interface cables are $100 each.

----- Original Message ----- From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 30, 2001 2:26 AM Subject: Cisco Systems prices

Does anybody in the group have the price information of the following items?

1. Cisco 2621 router $3095 IOS IP-only $15
2. Catalyst 2900 switch $5995 48 port
3. 24 port 3Com hub $440, 10/100
4. 16 port 3com hub - I don't see a 16 port 3Com hub in my pricebook, just 12 and 24 port
5. Cisco 2501 router $2195 IOS IP-only $15

I will appreciate any quick response from any member. Cheers, Preye.
RE: Slightly OT: Juniper Classes
Hi Eric, I teach the class. It won't be enough for you to pass JNCIS. It is however a very good course, but then I would say that.

Dave Humphrey

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom Thomas Sent: 30 March 2001 02:38 To: Eric Gunn; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Slightly OT: Juniper Classes

I take it in 2 weeks email me then and I will let you know.

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eric Gunn Sent: Tuesday, March 27, 2001 12:16 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Slightly OT: Juniper Classes

Has anyone taken the 5 day training class put out by Juniper? I want to make sure it is worth the money since I will be spending my own money to attend it. Is it worth the money? Does it cover enough to pass the JNCIS? I am currently a CCNP+Security that has passed the CCIE written and in the process of studying for my Lab exam. Any opinions, suggestions, Etc

Thank You, Eric Gunn
Re: OT: Can't ping anything on LAN when connected on dial-up adapter
Hiya, This is due to when the user dials up, the Win32 pc sets a default route to the ISP. This route is taken over any others in the delivery of packets. The best way I have found around this is to add static routes back to my LAN while dialed up. This is very common. Hope this helps,

Dave

On Friday 30 March 2001 10:52, Ole Drews Jensen wrote:

This might be a little off topic since it is not regarding Cisco, but then again maybe not, since it's about routing and connectivity after all. I have a small LAN with five workstations and one printer. Everybody can ping each other and the printer. However, if one of the users establishes a dial-up connection to the ISP, she can't ping anything on the LAN anymore. The workstations are running Windows 95/98. I haven't been able to find anything (yet) in Microsoft's Knowledgebase (I'm still looking), but I thought that some of you might have had this problem yourselves. Any comments on this will be appreciated.

Thanks, Ole

Ole Drews Jensen Systems Network Manager CCNA, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] http://www.oledrews.com/ccnp NEED A JOB ??? http://www.oledrews.com/job
RE: PAT
First thing that jumps into mind is why don't you define a loopback interface with an ip address?

Martijn

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Ruddy Cordero Sent: Friday, 30 March 2001 16:52 To: [EMAIL PROTECTED] Subject: PAT

I have a frame relay circuit connected to a 1750 router with an ip-unnumbered assign to the serial int to point to the Ethernet interface. I shut down the Ethernet interface and configured a second serial interface on the router with the ip add. that is attached to a Cisco 2600 router. I also changed the ip unnumbered to point to that serial interface. I configured the 2600 to overload Nat and configured some static interfaces. My problem is: this 1750 is connected to the internet via frame relay and I'm unable to get any internet traffic to go past the 1750. I create a static mapping for the DNS server we are using and I'm still not able to get any traffic. Need some advice from
Re: BGP over two ISP links
Well said Howard, I always believe reading Halabi's book only makes understand BGP and know how to configure it on Cisco. But there is no way you can play a peer router in a NAP just based on that knowledge. You will mostly screw it up. As you said, most of things are not documented, it is really hard to find good reference on how to setup an ISP from scratch.

Looking forward to your book. I would suggest that if you could put more real cases/examples of setup peer routers, verify/update peer policy and trouble-shooting routing problems. Also it would be great if you could, based on your wide contact in the industry, give us something like this, for example: This is how UUnet updates their peer policy everyday, they use a Perl script to grab daily updates from whois.radb.net database, and automatically update their peer routers. The script looks like this:. Other ISPs do it other ways like uses xxx and xxx uses xxx. I bet most of people, especially who works for ISPs but not at the top level, would pay their money for.

Just my 2 cents. KY

"Howard C. Berkowitz" [EMAIL PROTECTED] wrote in message news:p05001902b6ea44b7d429@[63.216.127.100]...

Believe me, I sympathize. My first attempt to connect to the Internet failed due to not considering publishing my policy in a routing registry (e.g., RADB). See http://www.radb.net, or the routing registry areas at http://www.arin.net and http://www.ripe.net.

One of my concerns with the way that Internet routing is taught is that most presentations are about the configuration of a router or two, when it is essential first to understand how the routers fit into the global routing system. Playing in the global routing system involves a lot more than BGP announcements. As you have observed, it involves address assignment, AS number assignment, and registering a routing policy at the very least. Reverse DNS, swip/rwhois, filtering, and many other factors will enter into real-world operations.

It's also often unclear what people are trying to do when they want anything beyond single-link, default-routed connectivity to an ISP. Have you ever been to a convention where officious people push you around with no explanation other than muttering "security?" I'm afraid I often hear "load-sharing" muttered in the same way with respect to Internet connectivity. There is no single thing that is defined as load sharing, and there are different reasons to want or not want different load sharing options.

In my BGP tutorials at CertificationZone (member area), I've tried to emphasize "define policy first, then think about configuration." You'll also see this philosophy in my tutorials at NANOG, and in my upcoming book (end of the year) on building service provider networks. The message remains, whenever someone thinks they are ready to configure BGP on a live router to an ISP, if that is all they think they need to do to get connected, they are not ready.

Since a lot of this isn't written down, it's very wise to find a knowledgeable ISP and work with their presales people very closely. Finding the clueful people can be a crapshoot, I will admit. I can think of one national carrier with whom I've dealt in different cities. For the account in Washington DC, which literally did have Presidential priority, the particular carrier was slow and inflexible. For a different account with the same provider in Nashville, the account team couldn't have been more responsive, both at sales and engineering levels.

I know that in our case, trying to use BGP for failover between two providers, we
(a) were required to have a /24 UUnet ... no problem
(b) were required to have an AS# ... no problem
(c) PSI *required* us to 'take possession' of the maintainer object for our /24 ... still working on that part
a. very few people appear to have ever heard of RADB ... very frustrating
(d) once we finish (c) we *should* be all set .. unless PSInet finds another way to delay us.

Unless, of course, PSInet simply goes into bankruptcy. I wish them well, but the financial press does seem to suggest that the vultures are getting very close.

I only send this because the "RADB/ Maintainer Object" part has been a really painful delay .. but, that should be resolved today :). Thanks! TJ

-----Original Message----- From: John Neiberger [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 29, 2001 17:08 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: BGP over two ISP links

At a minimum you're going to need a single /24, not two. You would announce this prefix on both connections. You're also going to need to apply for an autonomous system number from ARIN. Details can be found at www.arin.net. I'm wondering what you're really trying to accomplish. If this extra link isn't for redundancy, just load sharing, then why not have two connections to the same provider? This is FAR easier to implement, does
Re: 3DES through PIX
VPN has to be on an internet accessible IP. You can set up an ACL or static/conduit to give the internal VPN box a public IP. Make sure you open the correct ports. tcp port 1723 and gre need to be opened to it. As long as you're not using PAT it will work. Hopefully you have a free public IP you can assign to the box or it won't work unless you use the PIX as the IPSec VPN with Radius or TACACS+.

----- Original Message ----- From: "Ragavendran K Rao (CTS)" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 30, 2001 7:57 AM Subject: 3DES through PIX

experts, i have got an access VPN connection to be configured to connect one of the VPN switches. i have got a pix, which is configured to translate the inside ip address to an internet routable ip address. but for the NAT function, the PIX does not do anything relating to ipsec. the cisco client we are using is using 3DES whereas my PIX IOS is not enabled for 3DES. but as i said, the PIX is just passing whatever traffic to the internet. now, this connection does not go through. what could be the reason ? do i have to necessarily enable 3DES on PIX ? cheers,
Re: Can't ping anything on LAN when connected on dial-up adapter
They have 'use default gateway on remote network' selected. This forces their workstation to use the default route of the dial-up rather than the local network. BUT this should only affect things off the LAN so that may not be your answer after all (now that I take a sip of coffee..heh). Try setting TCP/IP on the local adapter to default see if that helps. It may just be trying to use the dial-up adapter as default and timing out. OK enough shots in the dark...I need more coffee. The above is good to know but most likely not your answer ;)

Do a ROUTE PRINT before and after dialing in and see what the differences are. If possible cut paste it to us and I can try to figure it out from there.

Allen

----- Original Message ----- From: "Ole Drews Jensen" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 30, 2001 9:52 AM Subject: OT: Can't ping anything on LAN when connected on dial-up adapter

This might be a little off topic since it is not regarding Cisco, but then again maybe not, since it's about routing and connectivity after all. I have a small LAN with five workstations and one printer. Everybody can ping each other and the printer. However, if one of the users establishes a dial-up connection to the ISP, she can't ping anything on the LAN anymore. The workstations are running Windows 95/98. I haven't been able to find anything (yet) in Microsoft's Knowledgebase (I'm still looking), but I thought that some of you might have had this problem yourselves. Any comments on this will be appreciated.

Thanks, Ole

Ole Drews Jensen Systems Network Manager CCNA, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] http://www.oledrews.com/ccnp NEED A JOB ??? http://www.oledrews.com/job
Re: Stupid question
Thank you for your response. Another question is when or why would you be required to use set an ip address on a switch and/or hub interface? Thx.

Wang Chia Ta Systems Support Mitsubishi Motors

"John Neiberger" [EMAIL PROTECTED] wrote in message news:sac446f2.062@fsutil01...

This isn't a stupid question, it's a very important point to make. If you are routing, each interface on the router must be in its own subnet. Otherwise routing would not work. If you're bridging, then the bridged interfaces are in the same subnet but you don't specifically assign an IP address to those interfaces. I'm guessing that you're really asking the former question: in a routing situation can two different interfaces be in the same subnet, and the answer is no.

HTH, John

After removing all of the HTML, Rick appeared to say...

Dear all, I have a stupid question, want to clarify. is it I cannot make two or more interfaces share the same subnet in the Router? Thanks Best Regards, rick
Re: Buffer Problem
I would think this will cause input drop, and if you do a "sh int " on the router, you will see the number count of "no buffer"

Ruihai

"KOLIY" [EMAIL PROTECTED] wrote in message news:20010330140354.17601.qmail@nwcst293...

I have a condition when 1 system is attempting to hand a packet to a transmission buffer and no buffer is available

a. Fast switching
b. input drop
c. output drop
d. route-cache

Thanks Koliy
Re: Stupid question
Sorry ... the message should have read:

Thank you for your response. Another question is when or why would you be required to set an ip address on a switch and/or hub interface? Thx.

Wang Chia Ta Systems Support Mitsubishi Motors

"John Neiberger" [EMAIL PROTECTED] wrote in message news:sac446f2.062@fsutil01...

This isn't a stupid question, it's a very important point to make. If you are routing, each interface on the router must be in its own subnet. Otherwise routing would not work. If you're bridging, then the bridged interfaces are in the same subnet but you don't specifically assign an IP address to those interfaces. I'm guessing that you're really asking the former question: in a routing situation can two different interfaces be in the same subnet, and the answer is no.

HTH, John

After removing all of the HTML, Rick appeared to say...

Dear all, I have a stupid question, want to clarify. is it I cannot make two or more interfaces share the same subnet in the Router? Thanks Best Regards, rick
Re: Stupid question
The IP address on a switch or hub is for management purposes only and is not applied to an actual physical port. The IP address in a switch or hub is applied to a virtual interface so you can use IP to test connectivity or telnet to the device for configuration purposes.

"Wang Chia Ta" [EMAIL PROTECTED] 3/30/01 9:40:46 AM

Thank you for your response. Another question is when or why would you be required to use set an ip address on a switch and/or hub interface? Thx.

Wang Chia Ta Systems Support Mitsubishi Motors

"John Neiberger" [EMAIL PROTECTED] wrote in message news:sac446f2.062@fsutil01...

This isn't a stupid question, it's a very important point to make. If you are routing, each interface on the router must be in its own subnet. Otherwise routing would not work. If you're bridging, then the bridged interfaces are in the same subnet but you don't specifically assign an IP address to those interfaces. I'm guessing that you're really asking the former question: in a routing situation can two different interfaces be in the same subnet, and the answer is no.

HTH, John

After removing all of the HTML, Rick appeared to say...

Dear all, I have a stupid question, want to clarify. is it I cannot make two or more interfaces share the same subnet in the Router? Thanks Best Regards, rick
Re: URGENT: regarding VoIP
Hi Faisal, It seems that there is something wrong with your pix. You can rule it out by bypassing the pix or the access-lists. You can do some of the debugging on your voice routers acting as h.323 gateway.

debug voip spi
debug voip ccapi inout

With these commands you will be able to know whether the call is getting bridged or not. I hope this will help you out.

Regards Rajeev BHaradwaj

Faisal Khan wrote:

Hello guys Greetings.. I have my CCIE Exam on April 10 and 11. I need your urgent help. I am trying to setup a Voice over IP. Well everything works fine. When I put access list on one of the router to act as a IOS firewall, I can't make calls. Here is a sample access list

access-list 140 permit tcp any any range 11000 11999
access-list 150 permit ospf any any
access-list 150 permit icmp any any echo-reply
access-list 123 permit ip host 138.1.249.6 host 138.1.252.4
access-list 150 permit udp any any range 16384 2000
access-list 150 permit tcp any any eq 1720
access-list 150 permit tcp any eq 1720 any
access-list 150 permit tcp any any range 11000 11999
access-list 150 deny ip any any

with this configuration, I can ring both phone from either location but I can't hear anything.

Also does anyone have info on IP OSPF Demand Circuit over ISDN. My ISDN line keeps flapping even after putting the demand circuit. I can see that my routes in OSPF Database has DNA mark beside it but the line keeps coming up. When do a show dialer, I see the d=224.0.0.5 Any idea what could cause this? I do have access list that permit only ISDN Network. Anyway, help would be highly appreciated.

Thank you faisal
IPsec port
I configured my PIX as the IPsec VPN terminator to support DES VPN client. I have an inbound access-list on my perimeter router. Does any one know the ports I need to open for IPsec VPN traffic on my perimeter router ? Ruihai
Re: BGP over two ISP links
Well said Howard, I always believe reading Halabi's book only makes understand BGP and know how to configure it on Cisco. But there is no way you can play a peer router in a NAP just based on that knowledge. You will mostly screw it up. As you said, most of things are not documented, it is really hard to find good reference on how to setup an ISP from scratch.

At a certain level, this is good. At another level, it is bad. I was chatting yesterday with a colleague. Both of us have medical backgrounds, and made an analogy between heart surgery and ISP-level routing. It's been statistically demonstrated beyond any serious challenge that your outcome as a heart surgery patient depends on how often the surgeon AND the whole team/hospital does the procedure. It's completely unreasonable to assume that a primary physician will be trained in such procedures, and it is also unreasonable to assume that an "occasional" heart surgeon will be good at it.

It's one thing to set up a local ISP or a multihomed enterprise, and, even there, there is a need for what I'll call maturity of networking experience. How many people post questions here, asking how to "load share," without any indication of what problem they are trying to solve, the source (if any of their address space), the nature of their applications, etc.? If you can't define what problem you are trying to solve, how would you recognize a good solution?

Looking forward to your book. I would suggest that if you could put more real cases/examples of setup peer routers, verify/update peer policy and trouble-shooting routing problems.

While my focus is more planning than operations, I'll probably have some of this. My inclination would be to use registry-based tools (e.g., PRTraceroute) that emphasize policy, with specific single-vendor examples at a much lower priority.

Also it would be great if you could, based on your wide contact in the industry, give us something like this, for example: This is how UUnet updates their peer policy everyday, they use a Perl script to grab daily updates from whois.radb.net database, and automatically update their peer routers. The script looks like this:. Other ISPs do it other ways like uses xxx and xxx uses xxx.

Interesting that you mention UUnet as an example. Several observations: first, the procedures that a large "tier 1" uses may not be relevant to smaller providers. Second, many of these procedures are considered proprietary, although I consider that a little silly given the movement of senior routing engineers.

UUnet Europe did present some of their routing policy procedures at the RIPE meeting last year. A great deal of this was controlled by data base technologies. They created, for example, a hierarchy of AS-SETs with which a router could peer, roughly at intercontinental, continental, regional, and local levels. A routing engineer at a certain level could only peer to a predefined set of AS. The data base software let them distinguish between who could modify the sets, who could delegate access (of various sorts) to these sets, and who could use the sets.

I would hesitate to try to define the actual scripts, because they tend to be very provider-specific (e.g., being very tied to their ordering/provisioning systems). I have presented some script prototypes for managing customer addressing and related topics; see my ARIN October 1999 and subsequent NANOG addressing presentations.

I bet most of people, especially who works for ISPs but not at the top level, would pay their money for. Just my 2 cents. KY
RE: IPsec port
AH-port 50, ESP-port 51 and ISAKMP-port 500

-----Original Message----- From: Ruihai An [mailto:[EMAIL PROTECTED]] Sent: Friday, March 30, 2001 12:05 PM To: [EMAIL PROTECTED] Subject: IPsec port

I configured my PIX as the IPsec VPN terminator to support DES VPN client. I have an inbound access-list on my perimeter router. Does any one know the ports I need to open for IPsec VPN traffic on my perimeter router ? Ruihai
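An added example for the perimeter ACL question above and for the earlier "3DES through PIX" remark that IPsec cannot pass through PAT; it is not code from any poster. It uses the IANA assignments (ESP is IP protocol 50, AH is IP protocol 51, ISAKMP/IKE is UDP port 500); the rule model, the function names and both ACLs are constructed assumptions, with first-match evaluation and an implicit deny as in a Cisco extended access list.

```python
from dataclasses import dataclass
from typing import Optional

# IANA-assigned IP protocol numbers (the "protocol" byte of the IPv4 header).
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Packet:
    proto: int                   # IP protocol number
    dport: Optional[int] = None  # destination port; only TCP and UDP carry one


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # a key of PROTO, or "ip" for any protocol
    dport: Optional[int] = None  # None means "any port"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and PROTO[self.proto] != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl, pkt):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def has_ports_for_pat(pkt):
    """Many-to-one NAT tells inside hosts apart by rewriting TCP/UDP ports."""
    return pkt.proto in (PROTO["tcp"], PROTO["udp"])


# Constructed sample traffic toward the VPN terminator.
TRAFFIC = {
    "isakmp": Packet(PROTO["udp"], 500),
    "esp": Packet(PROTO["esp"]),
    "ah": Packet(PROTO["ah"]),
}

# Constructed ACL that treats 50 and 51 as TCP/UDP port numbers.
ACL_AS_PORTS = [
    Rule("permit", "udp", 500),
    Rule("permit", "udp", 50), Rule("permit", "udp", 51),
    Rule("permit", "tcp", 50), Rule("permit", "tcp", 51),
]

# Constructed ACL that matches ESP and AH by IP protocol.
ACL_AS_PROTOCOLS = [
    Rule("permit", "udp", 500),
    Rule("permit", "esp"),
    Rule("permit", "ah"),
]


def audit(acl):
    """Return the ACL verdict for each kind of IPsec traffic."""
    return {name: evaluate(acl, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    print("as ports:    ", audit(ACL_AS_PORTS))
    print("as protocols:", audit(ACL_AS_PROTOCOLS))
    print("PAT-translatable:", {n: has_ports_for_pat(p) for n, p in TRAFFIC.items()})
```

With the port-style ACL the key exchange on UDP 500 is permitted while the ESP and AH packets fall through to the implicit deny, so the tunnel negotiates but carries no data.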
Re: Stupid question
When you connect to a brand new router for the first time you need to use a console connection because there isn't an IP address yet to allow you to connect via telnet. It's the same thing with switches and hubs. If you don't have an IP address on the box, you're reduced to using console connections to manage them. No PING, no SNMP, no telnet. Does that help? Karen Young

*** REPLY SEPARATOR ***

On 3/30/2001 at 11:45 AM Wang Chia Ta wrote:

Sorry ... the message should have read: Thank you for your response. Another question is when or why would you be required to set an ip address on a switch and/or hub interface? Thx. Wang Chia Ta Systems Support Mitsubishi Motors

--- "John Neiberger" [EMAIL PROTECTED] wrote in message news:sac446f2.062@fsutil01...

This isn't a stupid question, it's a very important point to make. If you are routing, each interface on the router must be in its own subnet. Otherwise routing would not work. If you're bridging, then the bridged interfaces are in the same subnet but you don't specifically assign an IP address to those interfaces. I'm guessing that you're really asking the former question: in a routing situation can two different interfaces be in the same subnet, and the answer is no. HTH, John

After removing all of the HTML, Rick appeared to say...

Dear all, I have a stupid question, want to clarify. is it I cannot make two or more interfaces share the same subnet in the Router? Thanks Best Regards, rick
Re: Stupid question
Yes, two or more interfaces can share the same subnet, but bridging is involved. You just can't assign ip networks willy nilly to interfaces. :) What you're looking for is called IRB Bridging. An example follows. The ip address on the BVI interface is available through both ethernet interfaces.

interface ethernet0
 no ip address
 bridge-group 1
interface ethernet1
 no ip address
 bridge-group 1
interface BVI 1
 ip address 192.168.1.1 255.255.255.0
bridge irb
bridge 1 protocol ieee
no bridge 1 bridge ip
bridge 1 route ip

Rodgers Moore

"Rick" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Dear all, I have a stupid question, want to clarify. is it I cannot make two or more interfaces share the same subnet in the Router? Thanks Best Regards, rick
Back -to-Back
I would appreciate someone's knowledge on how to setup two Cisco 1750's each having T1 DSU/CSU WIC's. Thank you in advance for your assistance. John Huston [EMAIL PROTECTED]
Re: linux on a 2500 ? Was: Programming under IOS
You can run Linux on a 2500? I searched the archive for more details.. didn't find any, anyone got a link? -Eric

Karen E Young wrote:

Chee Leong, There really isn't a need to write an external interface method (such as sockets) when one already exists. Most, if not all, of what you're asking for is available via SNMP. If you really want to write a program to obtain this info all you need to do is write one to issue SNMP GETs for the info you want to obtain, collect the responses, parse the data, and format it into your chosen format. Perl is a pretty good choice for something like this and it seems to me that I ran across something in Visual Basic that would let you do it too. Hope this helps, Karen Young

*** REPLY SEPARATOR ***

On 3/30/2001 at 10:30 AM Ryan O'Connell wrote:

There is no provision for running code other than the IOS itself on a Cisco router. (Except you can run Linux on 2500s, but that's probably not what you're after)

On Fri, Mar 30, 2001 at 04:14:43PM -0800, Tan Chee Leong wrote:

Hi, First, my apologies if the question makes no sense at all as I am just evaluating its possibility. I am also fairly new to CISCO stuff (only got my CCNA a month ago) so your advice on this will be very helpful although it is off-topic.

I am thinking of writing some small programs within the IOS platform such that it can communicate with an external host, using socket programming if you like. I am interested in obtaining the following:

1. basic configuration. I know it's contained in the startup-config and with snmp turned on, this information can be retrieved. However, what if snmp is not turned on? Is it possible, without going to all the routers to enable snmp, to still obtain this information from a host using tcp?
2. route table. Particularly I am interested in studying the dynamic changes of the route table over some period of time. Hence if the router can periodically send information to some internal host within the network, a collection of route tables can be obtained.

If in the end I have to do my own programming, it will lead on to several other questions:

1. is it feasible in the first place, given that CISCO IOS is proprietary stuff?
2. where can I get programming info? any recommendations?

Really appreciate if you can help me on this. Cheers, Chee Leong

-- Ryan O'Connell - [EMAIL PROTECTED] - http://www.complicity.co.uk I'm not losing my mind, no I'm not changing my lines, I'm just learning new things with the passage of time
RE: Slightly OT: Juniper Classes
Can you tell me what company you work for, I need to know where I should take the class. If anyone knows of other companies that would be great also. Are there any hands-on lab type classes for Juniper that may help with the lab test? Thanks.

-Original Message-
From: Dave Humphrey [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 8:08 AM
To: Tom Thomas; Eric Gunn; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Slightly OT: Juniper Classes

Hi Eric, I teach the class. It won't be enough for you to pass JNCIS. It is however a very good course, but then I would say that. Dave Humphrey

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom Thomas
Sent: 30 March 2001 02:38
To: Eric Gunn; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Slightly OT: Juniper Classes

I take it in 2 weeks email me then and I will let you know.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eric Gunn
Sent: Tuesday, March 27, 2001 12:16 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Slightly OT: Juniper Classes

Has anyone taken the 5 day training class put out by Juniper? I want to make sure it is worth the money since I will be spending my own money to attend it. Is it worth the money? Does it cover enough to pass the JNCIS? I am currently a CCNP+Security that has passed the CCIE written and in the process of studying for my Lab exam. Any opinions, suggestions, Etc Thank You, Eric Gunn
RE: Back -to-Back
Try here: http://www-1.cisco.com/cgi-bin/Support/OpenForum/dispnewqa.pl/6614

-Original Message-
From: John Huston [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 12:47 PM
To: [EMAIL PROTECTED]
Subject: Back -to-Back

I would appreciate someone's knowledge on how to setup two Cisco 1750's each having T1 DSU/CSU WIC's. Thank you in advance for your assistance. John Huston [EMAIL PROTECTED]
Syslog software comparison
Can somebody recommend a Syslog server? We are comparing Syslog servers from Cisco, 3Com, and Private I, and we would like features such as: support PIX and routers, allow flexible query by source, destination IP, port, or word in message body, trigger alert, e-mail. Thanks Ruihai
RE: IPsec port
One important distinction - AH and ESP are not on 'ports' per se, but protocols...

i.e. - to allow AH through PIX you *would not* use
conduit permit tcp host w.x.y.z eq AH any
replacing AH w/ 50 will also not work ... well, it will - but will allow instead, the following would be TWID:
conduit permit ah any any
same for esp, icmp if allowing all ...

see also http://www.chebucto.ns.ca/~rakerman/port-table.html ... "Note that certain services such as IPSec and Microsoft's PPTP use non-TCP/UDP protocols so they are not covered on this page. In particular, PPTP uses GRE (protocol 47) and IPSec uses ESP (protocol 50) and AH (protocol 51). Protocol numbers are not the same as port numbers. IANA maintains the Assigned Internet Protocol Numbers."

Thanks! TJ

-Original Message-
From: Rizzo Damian [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 12:19
To: 'Ruihai An'; [EMAIL PROTECTED]
Subject: RE: IPsec port

AH-port 50, ESP-port 51 and ISAKMP-port 500

-Original Message-
From: Ruihai An [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 12:05 PM
To: [EMAIL PROTECTED]
Subject: IPsec port

I configured my PIX as the IPsec VPN terminator to support DES VPN client. I have an inbound access-list on my perimeter router. Does any one know the ports I need to open for IPsec VPN traffic on my perimeter router? Ruihai
RE: The Finale: OSPF and IP Classless (partial retraction)
Actually, John my treatises :) on this subject a year ago showed this. ip classless *only* affects the lookups *outside* the classful aggregate. Any supernet *within* the classful aggregate *will* be used, even with no ip classless set. Thus, a learned route, 10.1.0.0/16 , will be used for address 10.1.1.1 , but not 10.2.2.2 . (*if* I still understand what I wrote below ;). Here is part of my original work on the subject for those who are feeling drowsy, but just can't nod off completely ;) Thanks to the lab of Ding So I was able to pound the last nail in the coffin of how [no] ip classless affects route lookups (the doco makes no mention of route installation, so we would guess that it has no effect. Further investigation will be required to confirm/debunk this). I will do a little write up, here, that can be challenged by anyone with a dash of temerity: (Note that I've tried several times and I just can't seem to find a clear, yet succinct way to describe this. ) == Under old, classful routing it was assumed that all local networks would be subnets of one or a couple of classful networks and that all the subnets of a particular classful network, say "X" (e.g., X=172.16.0.0), would be "connected" to each other. What this means is that, for each and every pair of subnets of classful network "X", there would be an interconnecting path among 1 or more routers, that could be traversed *entirely* on segments whose IP network addresses are subnets of classful network "X". If the above requirement does not obtain, i.e., if the network path *must* include a subnet of a *different* classful network, say "Y", then we call this situation "a discontiguous network". or "X has discontiguous subnets" or "X has disconnected subnets" . 
Another assumption in this environment is that, if we (a router) know about any particular subnet of "X", then we should know about *all* subnets of "X" that actually exist; either by our having one or more interfaces within a subnet of X, an admin giving us proper static routes, or by information received from a routing protocol. With the above in mind, the router will not entertain a route to a subnet of network "Y" that isn't a route to a network address *within* network "Y" (it can be that actual network aggregate, itself; e.g., a route to 172.16.0.0/16, in the above example) -- that would mean discontiguity. In particular, it will *not* consider the "default" route 0.0.0.0/0 for any address within classful Y, if it has information about at least one subnet of Y. In addition (and this is the one always left out of the textbooks), it will not consider *any* *supernets* routes of Y. The 0.0.0.0/0 is just a particular case of this rule (0.0.0.0/0 is always a supernet of *every* network address -- it contains *0* bits that do not match). If you look at a show ip route you'll notice that the table is broken up into sections at *classful* network boundaries, *even* if ip classless is set. Note that supernet routes, including 0.0.0.0/0, are not listed within any classful section -- they are listed separately, on their own. What the router does, with no ip classless set, is to first check to see if the target address in question falls within one of these "known" sections -- i.e., in one of the "known" classful networks. If so, he will use the *longest* match for the target address that he can find in that section. (Note that this is a point also often left out of the text books. Remember: a router will *always* try to do a longest-prefix match, except for the constraint mentioned here, for 'no ip classless. ) *But*, he will *not* look *outside* that section (classful network), when no ip classless is set. 
With the advent of the Internet and CIDR and "prefixes", the above logic may not be good enough. When considering a given prefix and because of the vagaries of the way addresses were handed out in the beginning, it is very possible that "subnets" of that prefix (addresses with a longer prefix, but yet still matching the original prefix in question) may be disconnected. Of course, this is a situation that is trying to be remedied, but it is still possible. So, now, it is very desirable to try "supernet" routes, in particular the ever-hopeful "default" route, 0.0.0.0/0. (Actually, in this "prefix" environment, the concept of "supernet" and "subnet" disappear. Every route is simply a summary or aggregate route to a bunch of possible addresses. ) This is what ip classless does. It allows the router look *outside* the classful "section" (It can "think outside the lines", if you just *have* to use that terminology:) ) In fact, the router doesn't care about the "sections" (classful networks) anymore. He simply uses the longest match that he can find anywhere in the table,
Updated Cisco Visio Icons
I recently downloaded the latest Cisco icons as a PowerPoint presentation and have converted them into a Visio stencil. Since Cisco explicitly renounces copyright: "These icons are free for your use in network diagrams, presentations, and so on. Cisco Systems Inc. retains no registration or copyrights for the useage of the icons." I have put them up on a website (excuse the quick HTML) at http://143.190.10.229/ It is about 700K zipped. Andrew Cook
Re: Back -to-Back
hey again, I've done this. I got the info on back-to-back at: http://www.cisco.com/warp/public/471/75.html This should be about all ya need :) Dave

On Friday 30 March 2001 12:46, John Huston wrote:

I would appreciate someone's knowledge on how to setup two Cisco 1750's each having T1 DSU/CSU WIC's. Thank you in advance for your assistance. John Huston [EMAIL PROTECTED]
RE: IPsec port
Actually, you have it backwards. AH = port 51. ESP = port 50.

Christopher A. Kane, CCNP
Senior Network Control Tech
Router Ops Center/Hilliard NOC
UUNET (614)723-7877

-Original Message-
From: Rizzo Damian [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 12:19 PM
To: 'Ruihai An'; [EMAIL PROTECTED]
Subject: RE: IPsec port

AH-port 50, ESP-port 51 and ISAKMP-port 500

-Original Message-
From: Ruihai An [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 12:05 PM
To: [EMAIL PROTECTED]
Subject: IPsec port

I configured my PIX as the IPsec VPN terminator to support DES VPN client. I have an inbound access-list on my perimeter router. Does any one know the ports I need to open for IPsec VPN traffic on my perimeter router? Ruihai
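The distinction raised in this thread, that ESP (50) and AH (51) are IP protocol numbers while ISAKMP is UDP port 500, can be checked against packets. The following is an added example, not code from any poster: it builds constructed IPv4 packets and evaluates them against a rule set that treats 50 and 51 as TCP ports and one that matches them as protocols. The rule format, helper names and addresses are assumptions made for illustration.

```python
import socket
import struct

# IANA IP protocol numbers (GRE, ESP and AH values as quoted in the thread)
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


def ipv4_packet(proto, src, dst, sport=0, dport=0):
    """Build a constructed IPv4 packet: 20-byte header plus 8 bytes of payload."""
    if proto in (PROTO["tcp"], PROTO["udp"]):
        payload = struct.pack("!HHI", sport, dport, 0)  # ports open the L4 header
    else:
        payload = struct.pack("!II", 0x1001, 1)         # stand-in for SPI + sequence
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def classify(packet):
    """Return (ip_protocol, destination_port); the port is None unless TCP or UDP."""
    header_len = (packet[0] & 0x0F) * 4
    proto = packet[9]                                    # protocol field of the IP header
    dport = None
    if proto in (PROTO["tcp"], PROTO["udp"]):
        dport = struct.unpack("!H", packet[header_len + 2:header_len + 4])[0]
    return proto, dport


def permitted(rules, packet):
    """First-match permit list with an implicit deny, like an inbound access list."""
    proto, dport = classify(packet)
    for rule_proto, rule_port in rules:
        if PROTO[rule_proto] != proto:
            continue
        if rule_port is None or rule_port == dport:
            return True
    return False


# Rule set that reads 50/51 as TCP ports (the mistake discussed in the thread)
PORT_RULES = [("tcp", 50), ("tcp", 51), ("udp", 500)]
# Rule set that matches ESP and AH as IP protocols, plus ISAKMP on UDP 500
PROTOCOL_RULES = [("esp", None), ("ah", None), ("udp", 500)]

# Constructed sample traffic (documentation addresses, not real hosts)
CLIENT, PIX = "198.51.100.10", "192.0.2.1"
SAMPLES = {
    "esp": ipv4_packet(PROTO["esp"], CLIENT, PIX),
    "ah": ipv4_packet(PROTO["ah"], CLIENT, PIX),
    "isakmp": ipv4_packet(PROTO["udp"], CLIENT, PIX, 500, 500),
    "tcp/50": ipv4_packet(PROTO["tcp"], CLIENT, PIX, 40000, 50),
    "telnet": ipv4_packet(PROTO["tcp"], CLIENT, PIX, 40001, 23),
}


def audit():
    """Map each sample to (allowed by PORT_RULES, allowed by PROTOCOL_RULES)."""
    return {name: (permitted(PORT_RULES, pkt), permitted(PROTOCOL_RULES, pkt))
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_port, by_proto) in audit().items():
        print(f"{name:8} port-rules={by_port!s:5} protocol-rules={by_proto}")
```

The port-based rule set drops the tunnel traffic it was meant to allow and opens TCP 50 and 51, which the VPN never uses.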
ANYBODY HELP ? I cant understand this assigment.....!
The simulation code you are given treats the Ethernet as a star topology LAN with a central repeater and a line to each node. All traffic appears on every line. The simulation assumes that the longest distance from one station to another across an ethernet is 400m, and the signal travels at 80% of the speed of light, which is 300 million metres per second. Determine D for this network (D is the propagation delay across the network).

Conduct simulations of this network at 10%, 40%, 80%, 95% and 120% nominal utilization. Utilization is the proportion of the time that the ethernet is carrying successful packets. The nominal utilization is the utilization which would be achieved if all packets were successfully carried. For example, 40% nominal utilisation will be achieved when packets arrive at the rate 0.4 * 10,000,000 / (250*8) = 2000 packets per second. Some of these factors mean that the actual proportion of time during which the network is busy could be greater or less than 40%.

In each of these simulations, you should measure or investigate:

a. the effective utilization rate (only count bits successfully sent),
b. the rate at which packets are rejected by the ethernet access layer (also known as the packet loss rate),
c. packet throughput (ie. 1 - the loss rate),
d. collision rate (collisions per packet),
e. average number of packets involved in a collision,
f. the average number of collisions experienced by a packet given that it experiences one collision, and
g. the average delay experienced by a packet.

In addition, repeat the simulations at 40% and 80% for a network with 100 times the propagation delay, as might be experienced if the network was extended over too wide a physical distance.

Note that the package length in the program is in bytes, and some figures may not be explicitly designed in the program, it requires you to investigate from the program execution statistics.

Submission Requirements

The submission should be in the form of essay. In the essay, you should

1. determine the number of bits which can be transmitted in the time D, given that the transmission rate of the network is 10 Mbit/s, the average packet length is 250 bytes, and the nominal utilization level of the network is 80%.
2. tabulate or plot these results for the network of LAN at different nominal utilization. Also, you should comment on the significance of the results for the successful management of an ethernet LAN.
3. tabulate or plot the results for the network (ie, 100 times the propagation delays) but only at 40% and 80% of the nominal utilization. You shall comment on the implication of these experiments
RE: The Finale: OSPF and IP Classless (partial retraction)
Geez, you're right. I'm starting to miss the forest because I've looked at too many trees! Yes, even in my experiments, I now remember seeing that the router would pick a supernet route for a specific major network. Others pointed this out to me and I had completely forgotten that particular point. The moral of the story is: always use 'ip classless' and then quit worrying about it. From here onward I will no longer refer to 'ip classless'.it is now 'ip clueless'. :-) "Bob Vance" [EMAIL PROTECTED] 3/30/01 11:22:53 AM Actually, John my treatises :) on this subject a year ago showed this. ip classless *only* affects the lookups *outside* the classful aggregate. Any supernet *within* the classful aggregate *will* be used, even with no ip classless set. Thus, a learned route, 10.1.0.0/16 , will be used for address 10.1.1.1 , but not 10.2.2.2 . (*if* I still understand what I wrote below ;). Here is part of my original work on the subject for those who are feeling drowsy, but just can't nod off completely ;) Thanks to the lab of Ding So I was able to pound the last nail in the coffin of how [no] ip classless affects route lookups (the doco makes no mention of route installation, so we would guess that it has no effect. Further investigation will be required to confirm/debunk this). I will do a little write up, here, that can be challenged by anyone with a dash of temerity: (Note that I've tried several times and I just can't seem to find a clear, yet succinct way to describe this. ) == Under old, classful routing it was assumed that all local networks would be subnets of one or a couple of classful networks and that all the subnets of a particular classful network, say "X" (e.g., X=172.16.0.0), would be "connected" to each other. 
What this means is that, for each and every pair of subnets of classful network "X", there would be an interconnecting path among 1 or more routers, that could be traversed *entirely* on segments whose IP network addresses are subnets of classful network "X". If the above requirement does not obtain, i.e., if the network path *must* include a subnet of a *different* classful network, say "Y", then we call this situation "a discontiguous network". or "X has discontiguous subnets" or "X has disconnected subnets" . Another assumption in this environment is that, if we (a router) know about any particular subnet of "X", then we should know about *all* subnets of "X" that actually exist; either by our having one or more interfaces within a subnet of X, an admin giving us proper static routes, or by information received from a routing protocol. With the above in mind, the router will not entertain a route to a subnet of network "Y" that isn't a route to a network address *within* network "Y" (it can be that actual network aggregate, itself; e.g., a route to 172.16.0.0/16, in the above example) -- that would mean discontiguity. In particular, it will *not* consider the "default" route 0.0.0.0/0 for any address within classful Y, if it has information about at least one subnet of Y. In addition (and this is the one always left out of the textbooks), it will not consider *any* *supernets* routes of Y. The 0.0.0.0/0 is just a particular case of this rule (0.0.0.0/0 is always a supernet of *every* network address -- it contains *0* bits that do not match). If you look at a show ip route you'll notice that the table is broken up into sections at *classful* network boundaries, *even* if ip classless is set. Note that supernet routes, including 0.0.0.0/0, are not listed within any classful section -- they are listed separately, on their own. 
What the router does, with no ip classless set, is to first check to see if the target address in question falls within one of these "known" sections -- i.e., in one of the "known" classful networks. If so, he will use the *longest* match for the target address that he can find in that section. (Note that this is a point also often left out of the text books. Remember: a router will *always* try to do a longest-prefix match, except for the constraint mentioned here, for 'no ip classless. ) *But*, he will *not* look *outside* that section (classful network), when no ip classless is set. With the advent of the Internet and CIDR and "prefixes", the above logic may not be good enough. When considering a given prefix and because of the vagaries of the way addresses were handed out in the beginning, it is very possible that "subnets" of that prefix (addresses with a longer prefix, but yet still matching the original prefix in question) may be disconnected. Of course, this is a situation that is trying to be remedied, but it is still possible. So, now, it is very desirable to try "supernet" routes, in particular the ever-hopeful "default" route, 0.0.0.0/0.
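The lookup rule described in the write-up above can be stated as a short model. This is an added example, not IOS code and not from either poster: it implements only the behaviour the post describes (with no ip classless, once any route inside the destination's classful network is known, only routes inside that network are candidates). The route table, next hops and function names are constructed for illustration.

```python
import ipaddress


def major_network(addr):
    """Return the classful (class A/B/C) network containing addr, or None for D/E."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix_len = 8
    elif first_octet < 192:
        prefix_len = 16
    elif first_octet < 224:
        prefix_len = 24
    else:
        return None
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def lookup(table, dst, ip_classless):
    """Return (prefix, next_hop) chosen for dst, or None if the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    routes = [(ipaddress.ip_network(prefix), hop) for prefix, hop in table]
    # Default behaviour: longest match anywhere in the table.
    candidates = [r for r in routes if dst in r[0]]
    if not ip_classless:
        major = major_network(dst)
        if major is not None:
            # The "section": routes to the classful network itself or its subnets.
            section = [r for r in routes if r[0].subnet_of(major)]
            if section:
                # Section is known, so supernets and 0.0.0.0/0 are not considered.
                candidates = [r for r in section if dst in r[0]]
    if not candidates:
        return None
    net, hop = max(candidates, key=lambda r: r[0].prefixlen)
    return str(net), hop


# Constructed routing table (next hops are documentation addresses)
TABLE = [
    ("10.1.0.0/16", "192.0.2.1"),     # summary inside classful 10.0.0.0/8
    ("10.1.1.0/24", "192.0.2.2"),     # subnet inside classful 10.0.0.0/8
    ("172.16.1.0/24", "192.0.2.3"),   # subnet inside classful 172.16.0.0/16
    ("172.16.0.0/12", "192.0.2.4"),   # supernet, outside any classful section
    ("0.0.0.0/0", "192.0.2.254"),     # default route
]

if __name__ == "__main__":
    for dst in ("10.1.1.1", "10.1.9.9", "10.2.2.2", "172.16.9.9", "172.17.1.1"):
        print(dst,
              "no ip classless:", lookup(TABLE, dst, False),
              "| ip classless:", lookup(TABLE, dst, True))
```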
Re: Stupid question
"John Neiberger" [EMAIL PROTECTED] wrote: The IP address on a switch or hub is for management purposes only and is not applied to an actual physical port. The IP address in a switch or hub is applied to a virtual interface so you can use IP to test connectivity or telnet to the device for configuration purposes. ...and don't forget for SNMP monitoring/management, too, if enabled :-) -e- "Wang Chia Ta" [EMAIL PROTECTED] 3/30/01 9:40:46 AM Thank you for your response. Another question is when or why would you be required to use set an ip address on a switch and/or hub interface? Thx. Wang Chia Ta Systems Support Mitsubishi Motors --- ""John Neiberger"" [EMAIL PROTECTED] wrote in message sac446f2.062@fsutil01">news:sac446f2.062@fsutil01... This isn't a stupid question, it's a very important point to make. If you are routing, each interface on the router must be in its own subnet. Otherwise routing would not work. If you're bridging, then the bridged interfaces are in the same subnet but you don't specifically assign an IP address to those interfaces. I'm guessing that you're really asking the former question: in a routing situation can two different interfaces be in the same subnet, and the answer is no. HTH, John After removing all of the HTML, Rick appeared to say... Dear all, I have a stupid question, want to clarify. is it I cannot make two or more interfaces share the same subnet in the Router? 
Thanks Best Regards, rick
ATM
Hi, I have a question regarding the ATM PVC configurations on GSR. Any help on this would be highly appreciated.

1. How many PVCs can be configured on one single ATM sub-interface, passing traffic through all the PVCs.
2. How many PVCs can be configured on the GSR box?

Thanks, Mohammed.
Re: Updated Cisco Visio Icons
The first set I posted was in Visio 2000 format - I just added another link for V5... Andrew

- Original Message -
From: "Andrew Cook" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 30, 2001 1:22 PM
Subject: Updated Cisco Visio Icons

I recently downloaded the latest Cisco icons as a PowerPoint presentation and have converted them into a Visio stencil. Since Cisco explicitly renounces copyright: "These icons are free for your use in network diagrams, presentations, and so on. Cisco Systems Inc. retains no registration or copyrights for the useage of the icons." I have put them up on a website (excuse the quick HTML) at http://143.190.10.229/ It is about 700K zipped. Andrew Cook
RE: The Finale: OSPF and IP Classless (partial retraction)
it is now 'ip clueless'. :-)

LOL

- Tks | mailto:[EMAIL PROTECTED]
BV | mailto:[EMAIL PROTECTED]
Sr. Technical Consultant, SBM, A Gates/Arrow Co.
Vox 770-623-3430 11455 Lakefield Dr.
Fax 770-623-3429 Duluth, GA 30097-1511

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 1:40 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: The Finale: OSPF and IP Classless (partial retraction)

Geez, you're right. I'm starting to miss the forest because I've looked at too many trees! Yes, even in my experiments, I now remember seeing that the router would pick a supernet route for a specific major network. Others pointed this out to me and I had completely forgotten that particular point. The moral of the story is: always use 'ip classless' and then quit worrying about it. From here onward I will no longer refer to 'ip classless'.it is now 'ip clueless'. :-)
Re: EIGRP clarification
It reminds me more of "Life of Brian", where Brian tells the multitude "You're all individuals! You're all different!" A single voice in the crowd replies "I'm not". --Original Message-- From: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: March 29, 2001 6:30:18 PM GMT Subject: Re: EIGRP clarification Look at all those routing technologies - they are all different; except *that* one, it's the same... Z Are you quoting Yakov Rekhter: "at a sufficiently high level, everything is the same?" Not sure I follow your point. From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: EIGRP clarification Date: Wed, 28 Mar 2001 23:19:21 -0500 Preparing for my BSCN exam, I have found myself unclear as to whether or not EIGRP is in fact a Hybrid or Distance-Vector protocol. All the Cisco classes I've been too have always referred to EIGRP as a Balanced Hybrid protocol, now studying for my CCNP, I am finding EIGRP referred to as a Distance-vector protocol???...How is this possible? Thanks... From a technical standpoint, EIGRP is emphatically distance vector. From a marketing standpoint, Cisco has called it "hybrid," which has no accepted technical meaning. Training and certification have picked up that terminology. "Hybrid" is an attempt to differentiate EIGRP, and its DUAL algorithm, from the problems of first and second generation DV protocols. JJ Garcia-Luna-Aceves, the inventor of DUAL, always has called it an advanced DV protocol, and he continues to work on even more advanced DV. There's nothing inherently wrong with DV. EIGRP legitimately has fixed some of the problems of earlier DV protocols, such as the lack of a hello subprotocol and reliable update mechanism. Without these mechanisms, periodic update becomes necessary, and the protocol can't be loop-free. 
Calling something "hybrid" is about as sensible as saying "route bad, switch good," or "all animals are equal, but some are more equal than others."
Re: Stupid question
Just to throw a wrinkle in all of this, a Cisco router WILL allow you to place up to 4 SERIAL interfaces in the same subnet. Try it... do like this:

Router#conf t
Router(config)#int s0
Router(config-if)#ip add 10.1.1.1 255.255.255.0
Router(config-if)#int s1
Router(config-if)#ip add 10.1.1.3 255.255.255.0

This works... the router will not complain. Why would you need to do this? I dunno, but you can if you want to - only on SERIAL interfaces... Z

From: EA LOUIE [EMAIL PROTECTED] Reply-To: EA LOUIE [EMAIL PROTECTED] To: "John Neiberger" [EMAIL PROTECTED], [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: Stupid question Date: 30 Mar 2001 10:50:28 PST

"John Neiberger" [EMAIL PROTECTED] wrote: The IP address on a switch or hub is for management purposes only and is not applied to an actual physical port. The IP address in a switch or hub is applied to a virtual interface so you can use IP to test connectivity or telnet to the device for configuration purposes.

...and don't forget for SNMP monitoring/management, too, if enabled :-) -e-

"Wang Chia Ta" [EMAIL PROTECTED] 3/30/01 9:40:46 AM Thank you for your response. Another question is when or why would you be required to use set an ip address on a switch and/or hub interface? Thx. Wang Chia Ta Systems Support Mitsubishi Motors

--- ""John Neiberger"" [EMAIL PROTECTED] wrote in message news:sac446f2.062@fsutil01... This isn't a stupid question, it's a very important point to make. If you are routing, each interface on the router must be in its own subnet. Otherwise routing would not work. If you're bridging, then the bridged interfaces are in the same subnet but you don't specifically assign an IP address to those interfaces. I'm guessing that you're really asking the former question: in a routing situation can two different interfaces be in the same subnet, and the answer is no. HTH, John

After removing all of the HTML, Rick appeared to say... Dear all, I have a stupid question, want to clarify.
is it I cannot make two or more interfaces share the same subnet in the Router? Thanks Best Regards, rick
Re: VPN 5001 concentrator
Thanks, that was very informative. But let me give you an update... We decided to try another scenario: We tried throwing a Win200 running Internet connection sharing into the mix: Internet router Win2K ( workstation dual nic, one to router other to hub) hub clients on hub. This seems to somehow bypass any problems that we had with the router. I guess Win2k is able to differentiate the sessions to the corresponding client when multiple tunnels are initiated. We have tried this with 2 different routers and haven't had any problems. [EMAIL PROTECTED] wrote in message 3A39CA99.6102.409A2@localhost">news:3A39CA99.6102.409A2@localhost... Let me guess, the clients are behind a Linksys router doing PAT (NAPT)? PATing devices typically cannot allow more than 1 IPSec session to pass-thru. The reason for this is that the inbound IPSec SA is only determined by 3 things: dst addr, protocol (ESP or AH) and the Security Parameter Index (SPI). The dst addr and protocol will be the same, only ESP will work, so that only leaves the SPI to differentiate inbound SA's. The SPI is chosen by the destination and given to the sender during the initial ISAKMP negotiation. The PATing device can't see this negotiation, so it would be very difficult to allow multiple IPSec stations to establish connections. i.e. how can the PATing device determine which internal station the traffic is being sent to? One way you could do this would be to make an assumption that any new inbound SA's belong to the last inside station to initiate a connection and just keep track of all IPSec initiations from internal stations and map it to inbound SPI's. This would work in some cases, but then there are potential problems if you have lots of internal clients making requests about the same time. Bottom line, don't expect anyone to implement this functionality any time soon, if ever. 
What is more likely is that vendors will implement proprietary schemes to allow their VPN clients to talk through a NAT/PAT gateway to their VPN gateway as Cisco has done with the VPN 3000. (ala wrapping the IPSec packets with a UDP header) An option would be to terminate the IPSec tunnels on a common perimeter device for all internal clients, or use an alternative VPN protocol, like SSL ala the Aventail product. HTH, Kent On 29 Mar 2001, at 13:22, The.Rock wrote: Here's the problem: 2 clients,both sharing a DSL line. both use VPN client for 5001 When one is connected it is fine and if you add another connection off the same dsl while the other computer is connected, the VPN tunnel keeps dropping. Any ideas ?
Re: IPsec port
If you're running radius authentication don't you also have to open up 1812 1813 ? Or is this done off of another interface and not the inbound IPsec port ( I don't know, I don't have a Pix) ?

""Kane, Christopher A."" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... Actually, you have it backwards. AH = port 51. ESP = port 50. Christopher A. Kane, CCNP Senior Network Control Tech Router Ops Center/Hilliard NOC UUNET (614)723-7877

-Original Message- From: Rizzo Damian [mailto:[EMAIL PROTECTED]] Sent: Friday, March 30, 2001 12:19 PM To: 'Ruihai An'; [EMAIL PROTECTED] Subject: RE: IPsec port AH-port 50, ESP-port 51 and ISAKMP-port 500

-Original Message- From: Ruihai An [mailto:[EMAIL PROTECTED]] Sent: Friday, March 30, 2001 12:05 PM To: [EMAIL PROTECTED] Subject: IPsec port I configured my PIX as the IPsec VPN terminator to support DES VPN client. I have an inbound access-list on my perimeter router. Does any one know the ports I need to open for IPsec VPN traffic on my perimeter router ? Ruihai
RE: The Finale: OSPF and IP Classless (partial retraction)
Since the solution points to adding "ip classless", my question would be: When would someone use/need to have "no ip classless". Does anyone use "no ip classless" as a standard in their configurations? And if so, what is gained? Christopher A. Kane, CCNP Senior Network Control Tech Router Ops Center/Hilliard NOC UUNET (614)723-7877 -Original Message- From: John Neiberger [mailto:[EMAIL PROTECTED]] Sent: Friday, March 30, 2001 1:40 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: The Finale: OSPF and IP Classless (partial retraction) Geez, you're right. I'm starting to miss the forest because I've looked at too many trees! Yes, even in my experiments, I now remember seeing that the router would pick a supernet route for a specific major network. Others pointed this out to me and I had completely forgotten that particular point. The moral of the story is: always use 'ip classless' and then quit worrying about it. From here onward I will no longer refer to 'ip classless'.it is now 'ip clueless'. :-) "Bob Vance" [EMAIL PROTECTED] 3/30/01 11:22:53 AM Actually, John my treatises :) on this subject a year ago showed this. ip classless *only* affects the lookups *outside* the classful aggregate. Any supernet *within* the classful aggregate *will* be used, even with no ip classless set. Thus, a learned route, 10.1.0.0/16 , will be used for address 10.1.1.1 , but not 10.2.2.2 . (*if* I still understand what I wrote below ;). Here is part of my original work on the subject for those who are feeling drowsy, but just can't nod off completely ;) Thanks to the lab of Ding So I was able to pound the last nail in the coffin of how [no] ip classless affects route lookups (the doco makes no mention of route installation, so we would guess that it has no effect. Further investigation will be required to confirm/debunk this). 
I will do a little write up, here, that can be challenged by anyone with a dash of temerity: (Note that I've tried several times and I just can't seem to find a clear, yet succinct way to describe this. ) == Under old, classful routing it was assumed that all local networks would be subnets of one or a couple of classful networks and that all the subnets of a particular classful network, say "X" (e.g., X=172.16.0.0), would be "connected" to each other. What this means is that, for each and every pair of subnets of classful network "X", there would be an interconnecting path among 1 or more routers, that could be traversed *entirely* on segments whose IP network addresses are subnets of classful network "X". If the above requirement does not obtain, i.e., if the network path *must* include a subnet of a *different* classful network, say "Y", then we call this situation "a discontiguous network". or "X has discontiguous subnets" or "X has disconnected subnets" . Another assumption in this environment is that, if we (a router) know about any particular subnet of "X", then we should know about *all* subnets of "X" that actually exist; either by our having one or more interfaces within a subnet of X, an admin giving us proper static routes, or by information received from a routing protocol. With the above in mind, the router will not entertain a route to a subnet of network "Y" that isn't a route to a network address *within* network "Y" (it can be that actual network aggregate, itself; e.g., a route to 172.16.0.0/16, in the above example) -- that would mean discontiguity. In particular, it will *not* consider the "default" route 0.0.0.0/0 for any address within classful Y, if it has information about at least one subnet of Y. In addition (and this is the one always left out of the textbooks), it will not consider *any* *supernets* routes of Y. 
The 0.0.0.0/0 is just a particular case of this rule (0.0.0.0/0 is always a supernet of *every* network address -- it contains *0* bits that do not match). If you look at a show ip route you'll notice that the table is broken up into sections at *classful* network boundaries, *even* if ip classless is set. Note that supernet routes, including 0.0.0.0/0, are not listed within any classful section -- they are listed separately, on their own. What the router does, with no ip classless set, is to first check to see if the target address in question falls within one of these "known" sections -- i.e., in one of the "known" classful networks. If so, he will use the *longest* match for the target address that he can find in that section. (Note that this is a point also often left out of the text books. Remember: a router will *always* try to do a longest-prefix match, except for the constraint mentioned here, for 'no ip classless. ) *But*, he will *not* look *outside* that section (classful network), when no ip classless is set. With the advent of the
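The lookup rule described in the post above, written out as an added Python example (not code from the list or from Cisco). The route table, next-hop labels and function names are constructed for illustration, and the model covers only the behaviour the post states.

```python
import ipaddress

# Constructed sample routing table: prefix -> next hop / interface label.
TABLE = {
    "0.0.0.0/0": "default-gw",     # default route (supernet of everything)
    "10.1.0.0/16": "s0",           # learned route inside classful 10.0.0.0/8
    "10.1.1.0/24": "e0",           # more specific subnet of 10.0.0.0/8
    "172.16.0.0/12": "s1",         # supernet covering 172.16.0.0 - 172.31.255.255
    "172.16.5.0/24": "e1",         # one known subnet of classful 172.16.0.0/16
}


def classful_network(addr):
    """Return the class A/B/C major network containing addr, or None for class D/E."""
    ip = ipaddress.ip_address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        return None
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def lookup(table, addr, ip_classless):
    """Longest-prefix match, restricted as described when ip_classless is False.

    With 'no ip classless', if the table holds any route inside the target's
    classful network, only routes inside that network are considered. The
    default route and any other supernet are then ignored for that target.
    """
    ip = ipaddress.ip_address(addr)
    routes = [(ipaddress.ip_network(p), nh) for p, nh in table.items()]
    candidates = routes
    if not ip_classless:
        major = classful_network(addr)
        if major is not None:
            section = [(n, nh) for n, nh in routes if n.subnet_of(major)]
            if section:                 # classful network is "known"
                candidates = section    # never look outside its section
    matches = [(n, nh) for n, nh in candidates if ip in n]
    if not matches:
        return None                     # packet is dropped as unroutable
    net, next_hop = max(matches, key=lambda r: r[0].prefixlen)
    return (str(net), next_hop)


if __name__ == "__main__":
    for target in ("10.1.1.1", "10.2.2.2", "172.16.9.9", "172.17.1.1"):
        print(target,
              "no ip classless ->", lookup(TABLE, target, False),
              "| ip classless ->", lookup(TABLE, target, True))
```
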
ccbootcamp written prep material?
Anybody have any experience with the CCIE written prep. material from ccbootcamp.com? Is it a fair measure of being prepared for the written exam? Thanks, Scott CCNP
Re: VPN 5001 concentrator
I forgot to add one thing. If we use a Linksys router we can get it to work one way: We have two VPN boxes both at a different location across the US ( site A and site B). As long as one client connects to site A and the other client connects to site B, they work. Its when you try the same site that it eventually fails. [EMAIL PROTECTED] wrote in message 3A39CA99.6102.409A2@localhost">news:3A39CA99.6102.409A2@localhost... Let me guess, the clients are behind a Linksys router doing PAT (NAPT)? PATing devices typically cannot allow more than 1 IPSec session to pass-thru. The reason for this is that the inbound IPSec SA is only determined by 3 things: dst addr, protocol (ESP or AH) and the Security Parameter Index (SPI). The dst addr and protocol will be the same, only ESP will work, so that only leaves the SPI to differentiate inbound SA's. The SPI is chosen by the destination and given to the sender during the initial ISAKMP negotiation. The PATing device can't see this negotiation, so it would be very difficult to allow multiple IPSec stations to establish connections. i.e. how can the PATing device determine which internal station the traffic is being sent to? One way you could do this would be to make an assumption that any new inbound SA's belong to the last inside station to initiate a connection and just keep track of all IPSec initiations from internal stations and map it to inbound SPI's. This would work in some cases, but then there are potential problems if you have lots of internal clients making requests about the same time. Bottom line, don't expect anyone to implement this functionality any time soon, if ever. What is more likely is that vendors will implement proprietary schemes to allow their VPN clients to talk through a NAT/PAT gateway to their VPN gateway as Cisco has done with the VPN 3000. 
(ala wrapping the IPSec packets with a UDP header) An option would be to terminate the IPSec tunnels on a common perimeter device for all internal clients, or use an alternative VPN protocol, like SSL ala the Aventail product. HTH, Kent On 29 Mar 2001, at 13:22, The.Rock wrote: Here's the problem: 2 clients,both sharing a DSL line. both use VPN client for 5001 When one is connected it is fine and if you add another connection off the same dsl while the other computer is connected, the VPN tunnel keeps dropping. Any ideas ?
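The PAT behaviour discussed in the two VPN 5001 threads above, as an added Python model (not code from the posts or from any vendor). It assumes a simplified PAT device that applies the "last inside station to initiate" guess for ESP; all addresses, SPI values and the UDP port 10000 are constructed.

```python
ESP, UDP = 50, 17          # IP protocol numbers; ESP carries no port fields

CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"   # constructed inside hosts
SITE_A, SITE_B = "198.51.100.1", "198.51.100.2"       # constructed VPN gateways


class PatDevice:
    """Simplified port-address translator with one public address."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._next_port = 40000
        self._udp_out = {}   # (inside_ip, inside_port, remote_ip) -> public_port
        self._udp_in = {}    # (public_port, remote_ip) -> inside_ip
        self._esp_in = {}    # remote_ip -> inside_ip (last initiator wins)

    def outbound(self, pkt):
        out = dict(pkt, src=self.public_ip)
        if pkt["proto"] == UDP:
            key = (pkt["src"], pkt["sport"], pkt["dst"])
            if key not in self._udp_out:
                self._udp_out[key] = self._next_port
                self._udp_in[(self._next_port, pkt["dst"])] = pkt["src"]
                self._next_port += 1
            out["sport"] = self._udp_out[key]     # unique port per inside flow
        elif pkt["proto"] == ESP:
            # No port to rewrite: all the device can record is the remote peer.
            self._esp_in[pkt["dst"]] = pkt["src"]
        return out

    def inbound(self, pkt):
        """Return the inside host this packet is forwarded to, or None."""
        if pkt["proto"] == UDP:
            return self._udp_in.get((pkt["dport"], pkt["src"]))
        if pkt["proto"] == ESP:
            # The SPI is in the header, but it was agreed inside the ISAKMP
            # exchange, so the device has no SPI-to-host table to consult.
            return self._esp_in.get(pkt["src"])
        return None


def deliver_replies(flows, udp_encap=False):
    """flows: list of (inside_ip, gateway_ip, inbound_spi).

    Every client sends first, then each gateway answers. Returns a dict
    mapping each client to the inside host that actually got its reply.
    """
    pat = PatDevice("203.0.113.10")
    sent = []
    for inside_ip, gateway, _spi in flows:
        if udp_encap:
            pkt = {"proto": UDP, "src": inside_ip, "dst": gateway,
                   "sport": 10000, "dport": 10000}
        else:
            pkt = {"proto": ESP, "src": inside_ip, "dst": gateway}
        sent.append(pat.outbound(pkt))
    result = {}
    for (inside_ip, gateway, spi), out in zip(flows, sent):
        reply = {"proto": out["proto"], "src": gateway,
                 "dst": pat.public_ip, "spi": spi}
        if udp_encap:
            reply.update(sport=out["dport"], dport=out["sport"])
        result[inside_ip] = pat.inbound(reply)
    return result


def misdelivered(result):
    """Clients whose reply was handed to a different inside host."""
    return [client for client, got in result.items() if got != client]


if __name__ == "__main__":
    print(deliver_replies([(CLIENT_A, SITE_A, 0xA1), (CLIENT_B, SITE_A, 0xB2)]))
    print(deliver_replies([(CLIENT_A, SITE_A, 0xA1), (CLIENT_B, SITE_B, 0xB2)]))
    print(deliver_replies([(CLIENT_A, SITE_A, 0xA1), (CLIENT_B, SITE_A, 0xB2)],
                          udp_encap=True))
```
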
Re: ANYBODY HELP ? I cant understand this assigment.....!
I saw this on Star Trek once. You have to induce a subspace photon gamma ray beacon to neutralize the incorrect propagation electron strays in the data stream. heh...actually I don't have a clue. Which test is this for??

- Original Message - From: "Steiven Poh (Jaring)" [EMAIL PROTECTED] To: "Cisco Group Study" [EMAIL PROTECTED] Sent: Friday, March 30, 2001 12:30 PM Subject: ANYBODY HELP ? I cant understand this assigment.!

The simulation code you are given treats the Ethernet as a star topology LAN with a central repeater and a line to each node. All traffic appears on every line. The simulation assumes that the longest distance from one station to another across an ethernet is 400m, and the signal travels at 80% of the speed of light, which is 300 million metres per second. Determine D for this network (D is the propagation delay across the network).

Conduct simulations of this network at 10%, 40%, 80%, 95% and 120% nominal utilization. Utilization is the proportion of the time that the ethernet is carrying successful packets. The nominal utilization is the utilization which would be achieved if all packets were successfully carried. For example, 40% nominal utilisation will be achieved when packets arrive at the rate 0.4 * 10,000,000 / (250*8) = 2000 packets per second. Some of these factors mean that the actual proportion of time during which the network is busy could be greater or less than 40%. In each of these simulations, you should measure or investigate:

a. the effective utilization rate (only count bits successfully sent),
b. the rate at which packets are rejected by the ethernet access layer (also known as the packet loss rate),
c. packet throughput (ie. 1 - the loss rate),
d. collision rate (collisions per packet),
e. average number of packets involved in a collision,
f. the average number of collisions experienced by a packet given that it experiences one collision, and
g. the average delay experienced by a packet.

In addition, repeat the simulations at 40% and 80% for a network with 100 times the propagation delay, as might be experienced if the network was extended over too wide a physical distance.

Note that the package length in the program is in bytes, and some figures may not be explicitly designed in the program, it requires you to investigate from the program execution statistics.

Submission Requirements

The submission should be in the form of essay. In the essay, you should

1. determine the number of bits which can be transmitted in the time D, given that the transmission rate of the network is 10 Mbit/s, the average packet length is 250 bytes, and the nominal utilization level of the network is 80%.
2. tabulate or plot these results for the network of LAN at different nominal utilization. Also, you should comment on the significance of the results for the successful management of an ethernet LAN.
3. tabulate or plot the results for the network (ie, 100 times the propagation delays) but only at 40% and 80% of the nominal utilization. You shall comment on the implication of these experiments
Re: EIGRP clarification
You're unique. Just like everyone else. - Original Message - From: "Jack Williams" [EMAIL PROTECTED] To: "Howard C. Berkowitz" [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Friday, March 30, 2001 1:25 PM Subject: Re: EIGRP clarification It reminds me more of "Life of Brian", where Brian tells the multitude "You're all individuals! You're all different!" A single voice in the crowd replies "I'm not". --Original Message-- From: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: March 29, 2001 6:30:18 PM GMT Subject: Re: EIGRP clarification Look at all those routing technologies - they are all different; except *that* one, it's the same... Z Are you quoting Yakov Rekhter: "at a sufficiently high level, everything is the same?" Not sure I follow your point. From: "Howard C. Berkowitz" [EMAIL PROTECTED] Reply-To: "Howard C. Berkowitz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: EIGRP clarification Date: Wed, 28 Mar 2001 23:19:21 -0500 Preparing for my BSCN exam, I have found myself unclear as to whether or not EIGRP is in fact a Hybrid or Distance-Vector protocol. All the Cisco classes I've been too have always referred to EIGRP as a Balanced Hybrid protocol, now studying for my CCNP, I am finding EIGRP referred to as a Distance-vector protocol???...How is this possible? Thanks... From a technical standpoint, EIGRP is emphatically distance vector. From a marketing standpoint, Cisco has called it "hybrid," which has no accepted technical meaning. Training and certification have picked up that terminology. "Hybrid" is an attempt to differentiate EIGRP, and its DUAL algorithm, from the problems of first and second generation DV protocols. JJ Garcia-Luna-Aceves, the inventor of DUAL, always has called it an advanced DV protocol, and he continues to work on even more advanced DV. There's nothing inherently wrong with DV. 
EIGRP legitimately has fixed some of the problems of earlier DV protocols, such as the lack of a hello subprotocol and reliable update mechanism. Without these mechanisms, periodic update becomes necessary, and the protocol can't be loop-free. Calling something "hybrid" is about as sensible as saying "route bad, switch good," or "all animals are equal, but some are more equal than others."
Re: The Finale: OSPF and IP Classless (partial retraction)
I'm blonde. I don't get it. - Original Message - From: "Bob Vance" [EMAIL PROTECTED] To: "CISCO_GroupStudy List (E-mail)" [EMAIL PROTECTED] Sent: Friday, March 30, 2001 1:11 PM Subject: RE: The Finale: OSPF and IP Classless (partial retraction) it is now 'ip clueless'. :-) LOL - Tks | mailto:[EMAIL PROTECTED] BV | mailto:[EMAIL PROTECTED] Sr. Technical Consultant, SBM, A Gates/Arrow Co. Vox 770-623-3430 11455 Lakefield Dr. Fax 770-623-3429 Duluth, GA 30097-1511 = -Original Message- From: John Neiberger [mailto:[EMAIL PROTECTED]] Sent: Friday, March 30, 2001 1:40 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: The Finale: OSPF and IP Classless (partial retraction) Geez, you're right. I'm starting to miss the forest because I've looked at too many trees! Yes, even in my experiments, I now remember seeing that the router would pick a supernet route for a specific major network. Others pointed this out to me and I had completely forgotten that particular point. The moral of the story is: always use 'ip classless' and then quit worrying about it. From here onward I will no longer refer to 'ip classless'.it is now 'ip clueless'. :-)
Re: Back -to-Back
Just make a crossover cable. You need pins 1 2, and also 4 5 . Reverse this on the other end of the cable. This is what the links say. I don't know why they couldn't tell ya...

""John Huston"" [EMAIL PROTECTED] wrote in message news:9a2kr9$a2e$[EMAIL PROTECTED]... I would appreciate someone's knowledge on how to setup two Cisco 1750's each having T1 DSU/CSU WIC's. Thank you in advance for your assistance. John Huston [EMAIL PROTECTED]
Re: ANYBODY HELP ? I cant understand this assigment.....!
I can't find those functions on my calculator... DAMN, I'm getting behind already!!! I'm looking at this and I'm thinking that some of your answers will vary with the type of equipment you have? Am I wrong in thinking this. Also there is a certain amount of variables "assumed" here. I can tell you this, without having to do all the math. The higher the utilization the more traffic generated thus causing more collisions and higher latency. The implications of higher utilization is that your network will bog down and physically, as well as virtually, suck! There's my 2 cents... LOL

""Steiven Poh (Jaring)"" [EMAIL PROTECTED] wrote in message news:007801c0b947$a1137f40$[EMAIL PROTECTED]...

The simulation code you are given treats the Ethernet as a star topology LAN with a central repeater and a line to each node. All traffic appears on every line. The simulation assumes that the longest distance from one station to another across an ethernet is 400m, and the signal travels at 80% of the speed of light, which is 300 million metres per second. Determine D for this network (D is the propagation delay across the network).

Conduct simulations of this network at 10%, 40%, 80%, 95% and 120% nominal utilization. Utilization is the proportion of the time that the ethernet is carrying successful packets. The nominal utilization is the utilization which would be achieved if all packets were successfully carried. For example, 40% nominal utilisation will be achieved when packets arrive at the rate 0.4 * 10,000,000 / (250*8) = 2000 packets per second. Some of these factors mean that the actual proportion of time during which the network is busy could be greater or less than 40%. In each of these simulations, you should measure or investigate:

a. the effective utilization rate (only count bits successfully sent),
b. the rate at which packets are rejected by the ethernet access layer (also known as the packet loss rate),
c. packet throughput (ie. 1 - the loss rate),
d. collision rate (collisions per packet),
e. average number of packets involved in a collision,
f. the average number of collisions experienced by a packet given that it experiences one collision, and
g. the average delay experienced by a packet.

In addition, repeat the simulations at 40% and 80% for a network with 100 times the propagation delay, as might be experienced if the network was extended over too wide a physical distance.

Note that the package length in the program is in bytes, and some figures may not be explicitly designed in the program, it requires you to investigate from the program execution statistics.

Submission Requirements

The submission should be in the form of essay. In the essay, you should

1. determine the number of bits which can be transmitted in the time D, given that the transmission rate of the network is 10 Mbit/s, the average packet length is 250 bytes, and the nominal utilization level of the network is 80%.
2. tabulate or plot these results for the network of LAN at different nominal utilization. Also, you should comment on the significance of the results for the successful management of an ethernet LAN.
3. tabulate or plot the results for the network (ie, 100 times the propagation delays) but only at 40% and 80% of the nominal utilization. You shall comment on the implication of these experiments
Wake on LAN NICs and 3548 switch
Is there anything on a 3548XL switch that might prevent Wake on LAN NICs from working? Thanks, Jeff If Barbie is so popular, why do you have to buy her friends?
Re: Cisco Systems prices
- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 30, 2001 2:26 AM Subject: Cisco Systems prices

Does anybody in the group have the price information of the following items?
1. Cisco 2621 router - $3095 list (Try EBAY for 2/3 cost)
2. Catalyst 2900 switch - $2995 (2924 XL-EN) list (Try EBAY for 2/3 cost)
3. 24 port 3Com hub - try CDW.com/Insight.com/or other wholesaler
4. 16 port 3com hub - try CDW.com/Insight.com/or other wholesaler
5. Cisco 2501 router - btwn $700-$900 on ebay dep on RAM

I will appreciate any quick response from any member. Cheers, Preye.
Re: ASN18506 up and running
[I'm resending this from my work address because the first attempt didn't appear to succeed.]
Forgive me if I missed something but this appears to be the famous iBGP synchronization problem, which I believe can be fixed by turning off synchronization and setting 'next-hop-self' on advertisements between your two internal routers. When one router takes external routes and passes them to an internal neighbor, it doesn't alter the next hop attribute. When the other internal neighbor receives the route, the next hop is not the other internal peer, but the external peer it was received from. If the second iBGP peer in this example does not have a valid IGP route to that next hop, the route can't be installed into the routing table.
I only quickly looked through your post so I may be way off base here. Take it with a grain of salt. <g>
HTH, John

Ok, more info (plus I have BGP to UUNET up and have the same problem the reverse direction). 206.51.253.1 is part of UUNET AS701. 64.6.1.1 is part of Sprint AS1239:

ISC-Mod-3640#sh ip bgp 206.51.253.1
BGP routing table entry for 206.51.253.0/24, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  701
    157.130.196.245 (metric 1) from 63.107.123.249 (63.107.123.253)
      Origin IGP, localpref 100, valid, internal, not synchronized
ISC-Mod-3640#

ISC-Tur-2600-2#sh ip bgp 64.6.1.1
BGP routing table entry for 64.6.0.0/20, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  1239
    144.232.206.65 (metric 1) from 63.107.123.250 (63.172.195.1)
      Origin IGP, metric 60, localpref 100, valid, internal, not synchronized

Therein lies my problem. How do I get each router to synchronize so it will allow it into the routing table?
Two cool public BGP looking glass routers:
route-views.oregon-ix.net
route-server.cerf.net
-- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/

"J Roysdon" [EMAIL PROTECTED] wrote in message news:9a0gj6$c5a$[EMAIL PROTECTED]...
It's been delayed time and again, but I've finally found the time to push through the docs and configuration notes needed to get our ASN up and running with our upstream providers. So, this morning we began announcing ASN 18506 and our netblocks out Sprintlink with no problems. I had them turn on full routes and we're up to: '11176 network entries and 11169 paths' and still climbing.
Ok, so here's the setup:
UUNET - [T1/FR] - s0/0.1 2621 s0/1 - [T1] - s0/1 3640 s1/2 - [T1] - Sprint
I'm still trying to get our Accounts Payable folks to get us our UUNET account number so I haven't got any BGP communications up with UUNET yet. As the 2621 is maxed at 64mb RAM, I'm going to tell UUNET to only send me customer routes. Also, presently I'm filtering non-iBGP info from the 3640 to the 2621 and only allowing Sprint's own ASN through (eventually I'll have it pass Sprint and their customers). The 2621 shows all the 1238 netblocks that should be getting through in the bgp table, but if I do a 'sh ip route' they don't appear, and in fact no BGP routes show.
Here's the pertinent current config sections:
3640:
interface Serial0/1
 description External T1 to Turlock 2621 s0/1
 ip address 63.107.123.250 255.255.255.252
 ip rip send version 2
 ip rip receive version 2
!
interface Serial1/2
 description T1 to Sprint
 ip address 144.232.206.66 255.255.255.252
!
router rip
 version 2
 redistribute static
 passive-interface Ethernet0/0
 passive-interface Serial0/0
 passive-interface Ethernet0/1
 passive-interface Serial1/0
 passive-interface Serial1/1
 passive-interface Serial1/2
 passive-interface Serial1/3
 network 63.0.0.0
 network 144.232.0.0
 network 206.216.246.0
 network 207.92.43.0
 network 207.92.140.0
 network 207.223.144.0
 neighbor 63.107.123.149
 no auto-summary
!
router bgp 18506
 bgp router-id 63.172.195.1
 bgp cluster-id 3478924129
 bgp log-neighbor-changes
 network 63.172.195.0 mask 255.255.255.0
 network 63.172.204.0 mask 255.255.254.0
 network 144.232.206.64 mask 255.255.255.252
 network 206.216.246.0
 network 207.92.43.0
 network 207.92.140.0
 network 207.223.144.0
 neighbor 63.107.123.249 remote-as 18506
 neighbor 63.107.123.249 description Turlock 2621 to UUNET
 neighbor 63.107.123.249 password [removed]
 neighbor 63.107.123.249 update-source Serial0/1
 neighbor 63.107.123.249 version 4
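The two checks John's reply describes (synchronization, and an IGP route to the BGP next hop), modelled on the `sh ip bgp` output quoted in the thread. This is an added example, not part of the original messages; the function names, the IGP route list and the restored line breaks in the sample are assumptions, and the model is a simplification of what IOS does.

```python
import ipaddress
import re

# Output quoted in the thread; the line breaks are restored here (assumption).
SAMPLE = """\
BGP routing table entry for 206.51.253.0/24, version 0
Paths: (1 available, no best path)
  Not advertised to any peer
  701
    157.130.196.245 (metric 1) from 63.107.123.249 (63.107.123.253)
      Origin IGP, localpref 100, valid, internal, not synchronized
"""

# Assumed IGP view for the demo: only the /30 between the two internal
# routers (63.107.123.250 255.255.255.252 in the posted config).
IGP_ROUTES = ["63.107.123.248/30"]

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def parse_entry(text):
    """Pull prefix, next hop, advertising peer and flags out of one entry."""
    prefix = re.search(r"entry for (\S+),", text).group(1)
    hop = re.search(rf"^\s*({IPV4}) .*from ({IPV4})", text, re.M)
    flags = re.search(r"^\s*Origin (.*)$", text, re.M).group(1).split(", ")
    return {
        "prefix": ipaddress.ip_network(prefix),
        "next_hop": ipaddress.ip_address(hop.group(1)),
        "learned_from": ipaddress.ip_address(hop.group(2)),
        "internal": "internal" in flags,
        "synchronized": "not synchronized" not in flags,
    }


def apply_next_hop_self(path):
    """Model 'next-hop-self' on the advertising iBGP peer: the next hop
    becomes the peer's own address instead of the external neighbor's."""
    return dict(path, next_hop=path["learned_from"])


def can_install(path, igp_routes, synchronization=True):
    """Return (installable, reasons) for one path under the two checks."""
    nets = [ipaddress.ip_network(r) for r in igp_routes]
    reasons = []
    # Check 1: the BGP next hop must be reachable through the IGP.
    if not any(path["next_hop"] in net for net in nets):
        reasons.append(f"no IGP route to next hop {path['next_hop']}")
    # Check 2: with synchronization on, an iBGP-learned prefix must also
    # be present in the IGP before it can be used.
    if path["internal"] and synchronization and path["prefix"] not in nets:
        reasons.append(f"{path['prefix']} not in IGP (synchronization on)")
    return (not reasons, reasons)


if __name__ == "__main__":
    path = parse_entry(SAMPLE)
    for label, p, sync in [
        ("as posted", path, True),
        ("next-hop-self only", apply_next_hop_self(path), True),
        ("next-hop-self + no synchronization", apply_next_hop_self(path), False),
    ]:
        ok, why = can_install(p, IGP_ROUTES, synchronization=sync)
        print(f"{label}: {'installable' if ok else 'blocked'} {why}")
```

In the posted output the next hop shows `(metric 1)`, so on the real routers the remaining blocker is the `not synchronized` flag; the assumed IGP list above is deliberately narrower so that both checks are exercised.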
RE: OT: Can't ping anything on LAN when connected on dial-up adapter
Thanks to all the replies on this. I can't really tell you what was wrong, because even though I disconnected the dial-up connection, and even restarted the computer, I was suddenly not able to see IP addresses (except for the PC itself) on the LAN at all. I finally had them power cycle the router that had the built-in 8-port hub, and the printer, and fiddleley-fum, the IP addresses could be ping'd again. The thing is that the IDSL circuit on the WAN side of the router was terminated by Northpoint late last night or early this morning without any notice, and that must have triggered the router to go into Orbit mode, and convert the hub into a piano interface... WHAT DO I KNOW!!!
Have a great weekend, Ole
Ole Drews Jensen Systems Network Manager CCNA, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] http://www.oledrews.com/ccnp NEED A JOB ??? http://www.oledrews.com/job
Re: ATM
answers are below I hope this helps
-- Boomie Okeowo [EMAIL PROTECTED] - email (202) 777-2642 x4056 - voicemail/fax
"Mohammed Khan" [EMAIL PROTECTED] wrote:
Hi, I have a question regarding the ATM PVC configurations on GSR. Any help on this would be highly appreciated.
1. How many PVCs can be configured on one single ATM sub-interface, passing traffic through all the PVCs.
0-4294967295
2. How many PVCs can be configured on the GSR box?
1-2047
Thanks, Mohammed.
RE: Can't ping anything on LAN when connected on dial-up adapter
try looking up this Q article at www.microsoft.com/technet I think it may be related
RAS Clients Using TCP/IP Can Access All Subnets But Their Own [Q142052]
Dave H
-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 10:52 AM
To: [EMAIL PROTECTED]
Subject: OT: Can't ping anything on LAN when connected on dial-up adapter
This might be a little off topic since it is not regarding Cisco, but then again maybe not, since it's about routing and connectivity after all. I have a small LAN with five workstations and one printer. Everybody can ping each other and the printer. However, if one of the users establishes a dial-up connection to the ISP, she can't ping anything on the LAN anymore. The workstations are running Windows 95/98. I haven't been able to find anything (yet) in Microsoft's Knowledgebase (I'm still looking), but I thought that some of you might have had this problem yourselves. Any comments on this will be appreciated.
Thanks, Ole
Ole Drews Jensen Systems Network Manager CCNA, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] http://www.oledrews.com/ccnp NEED A JOB ??? http://www.oledrews.com/job
Re: The Finale: OSPF and IP Classless (partial retraction)
I'm blonde. I don't get it. Does that mean that the reason that (male) blonde routing engineers get better as they age, not from experience but from male pattern baldness?
BCMSN...set-based or IOS switches
I've searched the archives, but can't find an answer. Which switches are set-based and which are IOS, and does the title 'Catalyst' have anything to do with it? Seems like all Cisco switches are Catalyst switches per their Product Guide. As far as I can tell, all switches 2948 and lower are IOS and 3500 and up are set-based. Is this correct?
Thanks, Jake
OT: Fridays funnies
Bill, Hillary, and Al were in an airplane that crashed. They're up in heaven, and God's sitting on the great white throne. God addresses Al first. "Al, what do you believe in?" Al replies, "Well, I believe that the combustion engine is evil and that we need to save the world from CFCs and that if any more freon is used, the whole earth will become a greenhouse and we'll all die." God thinks for a second and says "Okay, I can live with that. Come and sit at my left." God then addresses Bill. "Bill, what do you believe in?" Bill replies, "Well, I believe in power to the people. I think people should be able to make their own choices about things and that no one should ever be able to tell someone else what to do. I also believe in feeling people's pain." God thinks for a second and says "Okay, that sounds good. Come and sit at my right." God then addresses Hillary. "Hillary, what do you believe in?" "I believe you're in my chair."

Two friends were playing golf when one pulled out a cigar. He didn't have a lighter, so he asked his friend if he had one. "I sure do," he replied while he reached into his golf bag and pulled out a 12 inch Bic lighter. "Wow!" said his friend, "Where did you get that monster lighter?" "I got it from my genie." "You have a genie?" "Yes, right here in my golf bag." "Could I see him?" He opens his golf bag and out pops a genie. The friend asks the genie, "Since, I'm a good friend of your master, will you grant me one wish?" "Yes I will," the genie replies. The friend asks the genie for a million bucks. The genie hops back into the golf bag and leaves him standing there, waiting for his million bucks. Suddenly, the sky begins to darken and the sound of a million ducks flying overhead is heard. The friend tells his golfing partner, "I asked for a million bucks, not a million ducks!" He answers, "I forgot to tell you that the genie is hard of hearing. Do you really think I asked him for a 12 inch Bic?"
-- Natasha Flazynski http://www.ciscobot.com My Cisco information site. http://www.botbuilders.com Artificial Intelligence and Linux development "Out of Clutter, find Simplicity. From Discord, find harmony. In the middle of difficulty, lies opportunity." - Albert Einstein
Re: NTP Question?
Just about everything I know about NTP came from http://www.usno.navy.mil in one way or another.
RE: Netware 4 server
Are we talking about IPX or IP? If it's IPX you have to have the right IPX encapsulation... Whether you're using 802.2 or 802.3... I'm not sure, but I think Novell is one and SAP is the other you can use...
Original Message Follows
From: "Ray Mosely" [EMAIL PROTECTED]
Reply-To: "Ray Mosely" [EMAIL PROTECTED]
To: "KOLIY" [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: Netware 4 server
Date: Wed, 28 Mar 2001 09:30:06 -0600
Can you ping the server from the router?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of KOLIY
Sent: Wednesday, March 28, 2001 8:43 AM
To: [EMAIL PROTECTED]
Subject: Netware 4 server
I have a netware 4 server and a cisco router just be installed on the Ethernet. The router can't see the server
a. encapsulation difference
b. router address must be configured on the server
c. server need to be the default gateway
d. reboot the router
Thanks
Re: Can't ping anything on LAN when connected on dial-up adapter
Why would a default gateway override, or have any effect on a directly connected network though?
Gareth
"Luke" [EMAIL PROTECTED] wrote in message news:9a2ffn$dai$[EMAIL PROTECTED]...
Ole, When the user establishes a DU session the route table (in NT dos cmd 'route print') is modified and by default replaces the default gateway. You can modify the behavior by unchecking the 'Use default gateway on remote network' check box in DU properties on the Server tab under the TCP/IP Settings... You could also write a batch to add or remove routes after the DU session is running. Investigate the 'route print / route add / route delete' commands before and after a DU session is started to help you visualize how the route table of the client is modified by the DU session. Hope this helps.
"Ole Drews Jensen" [EMAIL PROTECTED] wrote in message news:2019FB428FD3D311893700508B71EBFB6C3F29@RWR_MAIL_SVR...
This might be a little off topic since it is not regarding Cisco, but then again maybe not, since it's about routing and connectivity after all. I have a small LAN with five workstations and one printer. Everybody can ping each other and the printer. However, if one of the users establishes a dial-up connection to the ISP, she can't ping anything on the LAN anymore. The workstations are running Windows 95/98. I haven't been able to find anything (yet) in Microsoft's Knowledgebase (I'm still looking), but I thought that some of you might have had this problem yourselves. Any comments on this will be appreciated.
Thanks, Ole
Ole Drews Jensen Systems Network Manager CCNA, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] http://www.oledrews.com/ccnp NEED A JOB ??? http://www.oledrews.com/job
2511
Hello Gang, Would appreciate your comment to the following.
Router 2511 with 16R/8F - USD.950
1 Octal Cable, 1 power adapter, 1 Mounting Kit, 1 Serial to V.35 DCE, 1 Transceiver, 6 Modem adapters, 1 Console Cable, 1 Serial to Console Adapter, 1 Cisco IP Feature Pack 12.0 Kit
Free Shipping.
Is it a good deal?
Thanks RamG
Inter VLAN routing
I have a question. There is a campus network, with several buildings, and in each building there is a main switch (say Catalyst 2924-XL-EN) with vlan on each port. Basically there are two ports (out of 24) reserved with fast ether channel to the main switch, (for example Catalyst 3524-XL-EN). If there are 5 buildings connected to the main switch (with 22 X 5 = 110 vlans), how to set up the inter vlan routing among all switches, so say a computer from Mr. A, from building A, can be moved to building B with the same IP address. Can this be done with one main router, for example Cisco 2620, or should it be using higher version of Cisco Router, like Cisco 3620, or each building should have its own router? Also to make the condition above possible (any computer on that campus can be moved on any building on that campus), should each computer have its own VLAN? If so, that means, if that campus has 10,000 computers, there should be around 5 switch (say each switch can support 2000 different vlans)?
Thanks
Secure telnet to your router using SSH
I have been using SSH to secure my telnet connection to PIX. Does anyone know how to do the same thing to IOS router?
Thanks Ruihai