Re: Wireless for backup T1 link??? [7:3651]
Use VSAT networks (satellite networks). Contact me if you need this service.

Regards,
suaveguru

--- Kim Seng wrote:
> Has anyone experience with wireless technology for a backup link solution?
> I have 2 cities, NY city and LA, connected via T1 point to point and am
> looking for a backup solution that does not cost too much. Is wireless a
> good solution for this backup?
>
> Thanks!
>
> Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3763&t=3651
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: password recovery problem with AAA [7:3735]
Try this page on the Cisco site: http://www.cisco.com/warp/public/474/pswdrec_1700.shtml

Michael.

- Original Message -
From: "Sim, CT (Chee Tong)"
Sent: Wednesday, May 09, 2001 5:24 AM
Subject: password recovery problem with AAA [7:3735]

> I am doing a password recovery for a 1700 router. I managed to see its
> previous configuration part, but I want to do a conf term to change a
> setting. I found it was controlled by a TACACS+ AAA server. How do I
> disable the AAA setting so I can make the change? See below.
>
> rommon 1>confreg 0X2142
> rommon 2>reset
> Router>enable
> Router#conf mem
> Building configuration...
>
> 00:00:57: %IP_SNMP-3-SOCKET: can't open UDP socket
> KUL01#
> KUL01#
> *Mar 1 00:01:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.2, changed state to down
> *Mar 1 00:01:08: %SYS-5-CONFIG_I: Configured from memory by console
> KUL01#conf term
> Command authorization failed.
>
> KUL01#
> *Mar 1 00:01:28: %-3-INVSTATE: AUTHOR/CMD: Internal state is invalid: astruct 0x8093FF00 ustruct 0x0
> -Traceback= 8006C154 8006C01C 800A41D0 800A5098 800B0CB8 80114BE0
>
> ==
> The information contained in this message may be confidential
> and is intended to be exclusively for the addressee. Should you
> receive this message unintentionally, please do not use the contents
> herein and notify the sender immediately by return e-mail.
> ==

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3762&t=3735
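The "Command authorization failed" in the transcript above is a direct consequence of `conf mem`: the moment the saved config puts `aaa authorization commands 15 default group tacacs+` back into the running config, every subsequent command is checked against the TACACS+ server again, so the config-register 0x2142 boot only buys you a clean slate until the old config is re-applied. One practical way through, added here as an example and not taken from the thread or from Cisco's recovery page, is to copy the saved config back through `configure terminal` with the `aaa authorization` lines held out until the server is reachable, then re-add them. The script below does that filtering. The sample startup-config (hostname KUL01 as in the thread, 192.0.2.x addresses) is constructed for the demo.

```python
"""Hold AAA command/exec authorization out of a saved IOS config before pasting it back.

Added example, not from the list thread or from Cisco. The sample config is
constructed; hostnames and addresses are assumptions for the demo.
"""
import re

# Lines that make IOS consult the TACACS+ server before accepting commands or
# an EXEC shell. With these applied and no reachable server (or no 'none' /
# 'if-authenticated' fallback) the console session is locked out of config mode.
AAA_AUTHZ = re.compile(r"^\s*aaa authorization (commands|config-commands|exec)\b")


def strip_command_authorization(config_text: str):
    """Return (config without the authorization lines, the lines that were held out)."""
    kept, dropped = [], []
    for line in config_text.splitlines():
        if AAA_AUTHZ.match(line):
            dropped.append(line.strip())
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dropped


# Constructed sample of what 'show startup-config' might show on the router in the thread.
SAMPLE_STARTUP = """\
!
hostname KUL01
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa authorization config-commands
!
tacacs-server host 192.0.2.10
tacacs-server key s3cret
!
interface Serial0.2 point-to-point
 ip address 192.0.2.1 255.255.255.252
!
end
"""

if __name__ == "__main__":
    safe_config, held_out = strip_command_authorization(SAMPLE_STARTUP)
    print("! paste this under 'configure terminal' after the 0x2142 boot:")
    print(safe_config)
    print("! re-add once the TACACS+ server answers (consider appending 'if-authenticated'):")
    for line in held_out:
        print(line)
```

Paste the filtered text, confirm the TACACS+ host is reachable, then re-enter the held-out lines (with a fallback method such as `if-authenticated` on the command-authorization line so a dead server does not lock the console out again), `copy run start`, and set the config register back to 0x2102. Note that the whole exercise depends on console access; `no service password-recovery` is the IOS knob that closes this path on routers where physical access cannot be trusted.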
Re: Pix 5xx [7:3716]
> > I don't know of a book that focuses just on PIX, but I think "Managing
> > Cisco Network Security" by Michael Wenstrom, ISBN 1578701031, is good.

I agree, it's current bedtime reading, and sitting on my desk at the moment.

Rob./

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3761&t=3716
Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
Confirming what I had heard, that Canada has a much better grasp of last mile solutions.

Brian

- Original Message -
From: "Kevin Wigle"
Sent: Tuesday, May 08, 2001 11:46 PM
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

> Not wishful thinking at all.
>
> Ethernet emulation - also known as transparent LAN services - is offered in
> some form or under a different name by both AT&T and Bell up here in the
> Great White North, and I'm sure in other places. Yes, it can be provided to
> the end user via fiber, but it can also be provided over copper depending on
> how close they are to the POP (in the building).
>
> In a nutshell, an upstream service provider provides access from a "smart
> building", a building which has a POP and is connected to that provider's
> Metropolitan Area Network. From there a client can be mapped, usually
> through ATM, through their provider's network to the world Internet.
>
> This has the advantage of getting higher speeds without a user requiring
> ATM-capable equipment or the expense of multiple T1s or fractional T3
> (available up to Fast Ethernet speeds).
>
> We are beginning to see more and more of these circuits, and clients are
> starting to order up 2 of these circuits, one from each upstream provider,
> for redundancy.
>
> We are also beginning to look at using this service with RFC 1483 bridging,
> getting the providers to connect the client site using Ethernet and then
> mapping the ATM PVC to our own LS-1010 on a current OC-3 (soon to be upped
> to OC-12).
>
> This way, we can re-map the client to another core/border router to get
> around failures and load balance without having to wait for the upstream
> provider to react.
>
> In any event, perhaps our use of HSRP is specialized (meaning unique) to us,
> as we sort of act like an ISP ourselves and we provide little security to
> the larger "intranet", as each customer provides their own firewall.
> Therefore the "inside" net is segregated mostly through routing, providing
> visibility to routes that we allow to be seen to the Internet and routes
> that are seen only on the inside. And this "network" is not a few
> buildings; it is national in scope - sort of like a huge DMZ.
>
> Because of this, clients' access can be seen by other clients and by the
> world, at least up to their firewall. Since the firewall is behind the
> access routers and those routers could be Ethernet-connected (using HSRP
> for failover), this exploit has potential for us and we are moving to put
> those access lists in place.
>
> This may not be all that easy to follow, but I can't get into more
> specifics for the obvious security reasons.
>
> This whole issue is resulting, I think, as I said, from the LAN and WAN
> fading together. What with GigE being proposed to replace ATM access,
> Ethernet technologies may soon replace the traditional T1s etc. within
> metropolitan areas anyway.
>
> This also presents interesting limits on HSRP, because if you have a router
> with three Ethernet interfaces, 2 out and 1 in, because we're talking
> Ethernet it is no longer point-to-point with keepalives going end to end.
> If a circuit becomes unavailable HSRP might not see it unless the actual
> interface goes down. Therefore the circuit could be down farther up, beyond
> the local connection (hub/switch, etc.), but as long as HSRP sees an
> interface in the up/up condition it doesn't care about the actual end
> point. This throws a wrench in conventional HSRP thinking, and we have to
> use floating statics and let routing protocols provide protection for
> upstream failures.
>
> Anyway, starting to get off topic. Again, for us we have issues and I'm
> glad it was posted to the list.
>
> Kevin Wigle
>
> - Original Message -
> From: "Priscilla Oppenheimer"
> Sent: Tuesday, 08 May, 2001 14:54
> Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
> > What is Ethernet emulation? It's definitely true that Ethernet is being
> > used across long distances, if that's what you mean. With single mode
> > fiber-optic cabling, Ethernet can span miles. Physical access is a
> > different story in this case, of course. The cables may actually be in
> > public places. They would be overhead on poles or underground, I guess,
> > though, wouldn't they?
> >
> > I think it would still be very difficult to wreak havoc. Physical access
> > would be difficult, and even if you had it, network-layer hacking would be
> > hard to achieve. Wishful thinking? :-]
> >
> > Thanks
> >
> > Priscilla
> >
> > At 02:27 PM 5/9/01, Kevin Wigle wrote:
> > > However, Ethernet emulation is becoming quite popular and very price
> > > competitive.
> > >
> > > I have clients who have HSRP running on what would normally be called
> > > "WAN" ports but they are Ethernet. The HSRP virtual address is visible
> > > to the world and therefore it is vulnerable.
> > >
> > > I agree that traditionally HSRP has been used on the inside interfac
Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
Not wishful thinking at all.

Ethernet emulation - also known as transparent LAN services - is offered in
some form or under a different name by both AT&T and Bell up here in the
Great White North, and I'm sure in other places. Yes, it can be provided to
the end user via fiber, but it can also be provided over copper depending on
how close they are to the POP (in the building).

In a nutshell, an upstream service provider provides access from a "smart
building", a building which has a POP and is connected to that provider's
Metropolitan Area Network. From there a client can be mapped, usually
through ATM, through their provider's network to the world Internet.

This has the advantage of getting higher speeds without a user requiring
ATM-capable equipment or the expense of multiple T1s or fractional T3
(available up to Fast Ethernet speeds).

We are beginning to see more and more of these circuits, and clients are
starting to order up 2 of these circuits, one from each upstream provider,
for redundancy.

We are also beginning to look at using this service with RFC 1483 bridging,
getting the providers to connect the client site using Ethernet and then
mapping the ATM PVC to our own LS-1010 on a current OC-3 (soon to be upped
to OC-12).

This way, we can re-map the client to another core/border router to get
around failures and load balance without having to wait for the upstream
provider to react.

In any event, perhaps our use of HSRP is specialized (meaning unique) to us,
as we sort of act like an ISP ourselves and we provide little security to
the larger "intranet", as each customer provides their own firewall.
Therefore the "inside" net is segregated mostly through routing, providing
visibility to routes that we allow to be seen to the Internet and routes
that are seen only on the inside. And this "network" is not a few
buildings; it is national in scope - sort of like a huge DMZ.

Because of this, clients' access can be seen by other clients and by the
world, at least up to their firewall. Since the firewall is behind the
access routers and those routers could be Ethernet-connected (using HSRP
for failover), this exploit has potential for us and we are moving to put
those access lists in place.

This may not be all that easy to follow, but I can't get into more
specifics for the obvious security reasons.

This whole issue is resulting, I think, as I said, from the LAN and WAN
fading together. What with GigE being proposed to replace ATM access,
Ethernet technologies may soon replace the traditional T1s etc. within
metropolitan areas anyway.

This also presents interesting limits on HSRP, because if you have a router
with three Ethernet interfaces, 2 out and 1 in, because we're talking
Ethernet it is no longer point-to-point with keepalives going end to end.
If a circuit becomes unavailable HSRP might not see it unless the actual
interface goes down. Therefore the circuit could be down farther up, beyond
the local connection (hub/switch, etc.), but as long as HSRP sees an
interface in the up/up condition it doesn't care about the actual end
point. This throws a wrench in conventional HSRP thinking, and we have to
use floating statics and let routing protocols provide protection for
upstream failures.

Anyway, starting to get off topic. Again, for us we have issues and I'm
glad it was posted to the list.

Kevin Wigle

- Original Message -
From: "Priscilla Oppenheimer"
Sent: Tuesday, 08 May, 2001 14:54
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

> What is Ethernet emulation? It's definitely true that Ethernet is being
> used across long distances, if that's what you mean. With single mode
> fiber-optic cabling, Ethernet can span miles. Physical access is a
> different story in this case, of course. The cables may actually be in
> public places. They would be overhead on poles or underground, I guess,
> though, wouldn't they?
>
> I think it would still be very difficult to wreak havoc. Physical access
> would be difficult, and even if you had it, network-layer hacking would be
> hard to achieve. Wishful thinking? :-]
>
> Thanks
>
> Priscilla
>
> At 02:27 PM 5/9/01, Kevin Wigle wrote:
> > However, Ethernet emulation is becoming quite popular and very price
> > competitive.
> >
> > I have clients who have HSRP running on what would normally be called
> > "WAN" ports but they are Ethernet. The HSRP virtual address is visible
> > to the world and therefore it is vulnerable.
> >
> > I agree that traditionally HSRP has been used on the inside interfaces,
> > so therefore your vulnerability is from the inside, where you should
> > have personnel/physical security in place.
> >
> > IPSec is cool but involves more cost to deploy an IPSec-capable
> > IOS/router if you're not already using IPSec. Perhaps this is just
> > another reason to do so.
> >
> > Someone also commented on the overhead of IPSec encrypting/decrypting
> > HSRP hellos every 3 seconds. Perhaps adjusting the HSRP timers would
> > allevia
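Kevin's point that the HSRP virtual address is visible to the world is the whole issue: HSRPv1 hellos are multicast to 224.0.0.2 on UDP port 1985 with a one-byte priority and an eight-byte cleartext authentication string (default "cisco"), so any host that can put a packet onto that Ethernet can send a hello or coup with a higher priority and take the virtual IP away from the real routers. The block below is an added example, not code from the thread or from Cisco: a parser for the RFC 2281 packet body and an audit that flags HSRP packets from anything other than the two real routers, with an unexpected auth string, or with a priority above what the routers are configured with. Router addresses, group number, the priority ceiling and the sample packets are all constructed for the demo.

```python
"""HSRPv1 parser and rogue-speaker audit.

Added example, not from the list thread or from Cisco. Packet layout follows
RFC 2281 (20-byte body in a UDP/1985 datagram to 224.0.0.2). Router addresses,
group number and the priority ceiling below are assumptions for the demo.
"""
import struct
from collections import namedtuple

HSRP_UDP_PORT = 1985
HSRP_DST = "224.0.0.2"
# version, opcode, state, hellotime, holdtime, priority, group, reserved, auth[8], virtual IP[4]
HSRP_FMT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)   # 20 bytes
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}

Hsrp = namedtuple("Hsrp", "version opcode state hellotime holdtime priority group auth vip")


def parse_hsrp(payload: bytes) -> Hsrp:
    """Decode the HSRPv1 body carried in a UDP/1985 datagram."""
    if len(payload) < HSRP_LEN:
        raise ValueError(f"HSRP body is {len(payload)} bytes, need {HSRP_LEN}")
    (version, opcode, state, hello, hold, prio, group,
     _reserved, auth, vip) = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    if version != 0:
        raise ValueError(f"not HSRPv1 (version {version})")
    return Hsrp(version, OPCODES.get(opcode, f"opcode-{opcode}"),
                STATES.get(state, f"state-{state}"), hello, hold, prio, group,
                auth.rstrip(b"\x00"), ".".join(map(str, vip)))


def build_hsrp(opcode=0, state=16, priority=100, group=1, auth=b"cisco",
               vip="10.0.0.1", hellotime=3, holdtime=10) -> bytes:
    """Constructed sample packet. 'cisco' is the protocol's default auth string."""
    vip_bytes = bytes(int(octet) for octet in vip.split("."))
    return struct.pack(HSRP_FMT, 0, opcode, state, hellotime, holdtime, priority,
                       group, 0, auth[:8].ljust(8, b"\x00"), vip_bytes)


def audit(packets, legit_routers, max_priority, auth=b"cisco") -> list:
    """Check (src_ip, udp_payload) pairs seen on the segment against the real routers.

    A rogue host that wants the virtual IP sends a hello or coup with a priority
    above both routers' and the (cleartext) auth string; the active router then
    resigns and traffic for the VIP goes to the attacker. Flag anything of that shape.
    """
    alerts = []
    for src, payload in packets:
        try:
            h = parse_hsrp(payload)
        except ValueError as err:
            alerts.append(f"{src}: undecodable HSRP packet ({err})")
            continue
        where = f"{src}: {h.opcode} for group {h.group} (prio {h.priority}, {h.state})"
        if src not in legit_routers:
            alerts.append(f"{where}: source is not one of the HSRP routers")
        if h.auth != auth:
            alerts.append(f"{where}: auth string mismatch {h.auth!r}")
        if h.priority > max_priority:
            alerts.append(f"{where}: priority above configured ceiling {max_priority}")
    return alerts


# Constructed sample exchange: the two real routers, then a rogue host on the same Ethernet.
LEGIT_ROUTERS = {"10.0.0.2", "10.0.0.3"}
SAMPLE_PACKETS = [
    ("10.0.0.2", build_hsrp(priority=110, state=16)),             # active router
    ("10.0.0.3", build_hsrp(priority=100, state=8)),              # standby router
    ("10.0.0.66", build_hsrp(priority=255, state=16)),            # rogue: claims active, max priority
    ("10.0.0.66", build_hsrp(opcode=1, priority=255, state=4)),   # rogue coup
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS, LEGIT_ROUTERS, max_priority=110):
        print(line)
```

Feed it the UDP payloads and source addresses from a capture filtered on `udp port 1985`. The auth-string check is there for completeness only: the string travels in cleartext, so matching it proves nothing; the source allowlist is the real signal, and the access lists Kevin mentions do the same job in the forwarding path by dropping UDP 1985 from anything but the routers' own addresses on that interface.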
RE: security opinions please [7:3666]
> > How does one go about "penetrating" the internal VLAN on a switch while
> > only having access to the external VLAN and not traversing the PIX in
> > the middle?
> > I have heard the response from numerous security engineers that anything
> > is possible, however I guess I'm a novice because I have never seen nor
> > heard of this being done in the situation mentioned above. I attribute
> > the idea of physically separating these networks (even though VLAN based
> > separation is just as effective) to security paranoia. This isn't
> > necessarily a bad thing, after all that's what security guys are paid
> > for, however I don't see a technical reason why you can't have these
> > VLANs connected to the same box as long as a properly configured firewall
> > logically separates them.

Launching a DoS on these devices is pretty easy; anything which transports
data for management can be 'hacked'.

Rob./

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3759&t=3666
Re: Protocol Type 0x886F [7:3737]
After looking over Microsoft's load balancing white paper, it appears that
Microsoft is using a multicast MAC address for these heartbeats. The switch
is going to flood them across the VLAN every time it gets one.

Ask whoever maintains the Win 2000 servers why they have that enabled. They
may not be aware what it is for. I'd keep my fingers crossed for this
solution. If it is enabled for a reason AND the heartbeats are actually a
problem, you'll need to put the server cluster on a separate VLAN.

**There is a note about Cisco routers (in the white paper) not liking the
multicast MAC with the unicast IP address. It requires a static ARP entry in
the router.

10% to 15% - is that during a low traffic period? Is this causing slow
response or some other problem?

Keep us updated.

DaveC

Andy Prima wrote:
>
> Thank you all for the answers. This frame consumes 10-15 % of total frames
> circling in my network. Any comment for this? Can I filter it out? Is there
> any consideration on filtering?
>
> TIA,
> Andy
>
> -Original Message-
> From: Brian Dennis
> Sent: Wednesday, May 09, 2001 12:09 PM
> To: Andy Prima; [EMAIL PROTECTED]
> Subject: RE: Protocol Type 0x886F [7:3737]
>
> It's a heartbeat frame for Windows NT Load Balancing Service.
>
> Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
> 5G Networks, Inc.
> [EMAIL PROTECTED]
> (925) 260-2724
>
> > -Original Message-
> > From: Andy Prima
> > Sent: Tuesday, May 08, 2001 9:47 PM
> > To: [EMAIL PROTECTED]
> > Subject: Protocol Type 0x886F [7:3737]
> >
> > Dear all,
> > I need help on protocol type 0x886F. It seems that this kind of Ethernet
> > broadcast is circling around my network and I do not have a clue what it
> > really is.
> >
> > TIA
> > andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3756&t=3737
Re: security opinions please [7:3666]
On Tue, 8 May 2001, Drew Simonis wrote:
| Some decent reads:
|
| http://mlarchive.ima.com/firewalls/1999/4507.html
| http://packetstorm.securify.com/9909-exploits/vlan_security.txt

Anyone want to confirm this for 65xx?

-- jacques

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3757&t=3666
Re: security opinions please [7:3666]
> > Let me lay out the basic topology of a network first:
> >
> > A 6500 has several VLANs configured on it. Among these are an external
> > internet VLAN, a DMZ, and several internal VLANs. The internal VLANs are
> > routed by an MSFC in the 6500. Routing between the internal, DMZ, and
> > external are handled by a firewall external to the 6500.
> >
> > Are there any security issues with having all of these VLANs in the same
> > box? Someone in our organization is concerned that someone can hack the
> > switch just because the connection from the internet is plugged into it.
> > The switch's management address is on one of the internal VLANs, and an
> > access list is on the telnet access that restricts access from only the
> > internal VLANs.

Cisco switches have been known to 'bleed' traffic between VLANs, esp. when
carried over older switches through ISL. I don't know of any issues with the
6500, but that doesn't mean that they don't exist.

I would not recommend this solution for exactly the reason that 'someone' is
concerned about. A DMZ, Outside and Inside should be kept physically
separate, on one piece of wire each. What would happen if some 'idiot'
plugged a connection between the Outside and the Inside VLAN? Very uncool.

From outside to inside should be a connection from an exterior router to the
firewall - 100baseTX crossover cable.
DMZ - A hub or switch [1] connecting the port on the FW to DMZ hosts.
Inside - Connect to switch for users to access.

That'll be $1,000 please. ;^)

Rob./

[1] Depending on network saturation.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3755&t=3666
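Two threads on this page come down to reading Ethernet headers. The "Protocol Type 0x886F" thread above asks what share of frames carry that EtherType and why the switch floods them (the destination MAC has the group bit set, so the switch cannot learn a port for it). Rob's VLAN-separation concern here is about frames arriving with more 802.1Q tags than a port should ever see: the classic double-tagging pattern, where the first switch strips an outer tag equal to its native VLAN and the inner tag then lands the frame in a VLAN the sender was never on. The block below is an added example serving both threads, not code from the list or from Cisco; MAC addresses, VLAN numbers and the frame mix are constructed for the demo.

```python
"""Ethernet frame triage: 802.1Q tag stacks and EtherType shares.

Added example, not code from the list thread. All frames below are constructed
samples; MAC addresses and VLAN numbers are assumptions for the demo.
"""
import struct

ETH_8021Q = 0x8100
ETH_NLB_HEARTBEAT = 0x886F   # the EtherType asked about in the "Protocol Type 0x886F" thread


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_ids, ethertype, payload) for an Ethernet II frame.

    vlan_ids lists every 802.1Q tag in order, outermost first, so a
    double-tagged frame shows up as a list of length 2.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_ids = 14, []
    while ethertype == ETH_8021Q:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return dst, src, vlan_ids, ethertype, frame[offset:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"", vlan_ids=()) -> bytes:
    """Build a (possibly multi-tagged) Ethernet II frame for the samples below."""
    header = dst + src
    for vid in vlan_ids:
        header += struct.pack("!HH", ETH_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def is_multicast(mac: bytes) -> bool:
    """Group bit (LSB of the first octet) set: a switch floods such frames."""
    return bool(mac[0] & 0x01)


def tag_findings(frame: bytes, native_vlan: int, trunk: bool) -> list:
    """Reasons a frame's tag stack is suspicious for the port it arrived on.

    On an access port no tag is expected at all. On a trunk, more than one tag,
    or an outer tag equal to the native VLAN, is the double-tagging shape: the
    first switch strips the native tag and the inner tag lands in another VLAN.
    """
    _, _, vlan_ids, _, _ = parse_frame(frame)
    findings = []
    if not trunk and vlan_ids:
        findings.append("tagged frame on access port")
    if len(vlan_ids) > 1:
        findings.append(f"double-tagged {vlan_ids}")
    if trunk and vlan_ids and vlan_ids[0] == native_vlan:
        findings.append(f"outer tag is native VLAN {native_vlan}")
    return findings


def ethertype_share(frames, ethertype: int = ETH_NLB_HEARTBEAT) -> tuple:
    """(share of frames with this EtherType, share of those sent to a multicast MAC)."""
    total = matched = multicast = 0
    for frame in frames:
        dst, _, _, etype, _ = parse_frame(frame)
        total += 1
        if etype == ethertype:
            matched += 1
            multicast += is_multicast(dst)
    if total == 0:
        return 0.0, 0.0
    return matched / total, (multicast / matched if matched else 0.0)


# Constructed sample traffic (assumed addresses, not from any capture).
HOST_A = bytes.fromhex("000c29000001")
HOST_B = bytes.fromhex("000c29000002")
GROUP_MAC = bytes.fromhex("03bf0a010105")   # group bit set in the first octet (assumed value)
BCAST = b"\xff" * 6

SAMPLE_FRAMES = (
    [build_frame(HOST_B, HOST_A, 0x0800, b"\x45" + b"\x00" * 19)] * 17       # 17 IPv4 frames
    + [build_frame(GROUP_MAC, HOST_A, ETH_NLB_HEARTBEAT, b"\x00" * 40)] * 3  # 3 heartbeats = 15%
)

# Frames as they would arrive on a trunk whose native VLAN is 1.
NORMAL_TRUNK_FRAME = build_frame(HOST_B, HOST_A, 0x0800, vlan_ids=(10,))
HOPPING_FRAME = build_frame(BCAST, HOST_A, 0x0806, vlan_ids=(1, 20))

if __name__ == "__main__":
    share, to_multicast = ethertype_share(SAMPLE_FRAMES)
    print(f"0x886F share: {share:.0%}, of which {to_multicast:.0%} to multicast MACs")
    print(tag_findings(HOPPING_FRAME, native_vlan=1, trunk=True))
```

For the 0x886F question the multicast-destination share is the number to look at: 100% means the switch has no choice but to flood, and the fix is the separate VLAN DaveC suggests, not a filter. For the VLAN question the `tag_findings` result on a span of the internet-facing port is the evidence either way; on a 6500 the configuration-side counterpart is making sure the native VLAN on every trunk is one nothing is allowed to be a member of, and that the outside-facing ports are access ports, not trunks.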
Re: security opinions please [7:3666]
hi

On Tue, 8 May 2001, [EMAIL PROTECTED] wrote:
| event of just the right failure/misconfiguration, someone could
| theoretically re-configure the switch to do bad things.

Failure or misconfiguration has a direct fault which has to do with the
owner. The switch doing something which people do not expect it to is the
vendor's fault.

-- jacques

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3754&t=3666
Re: Frame Relay backup issue...(thanks) [7:3686]
Another possibility... If they are using a DV routing protocol such as RIP
and every now and then they push a lot of traffic across frame, perhaps some
routing updates are not making it across, causing the route to go away and
the router to use the floating/alternate route over ISDN. I've seen this
happen with RIP with heavy traffic.

Hope this helps...

Erick

--- "Mark Z." wrote:
> Thanks for the help E. I have a feeling that it might be a backup load
> issue that I'll have to fix. Can't give you much info because I just found
> out I'm going to this client tomorrow so I'll be able to digest it all
> then. I'll definitely be bringing this with me in my head...it's
> appreciated friend, thanks,
>
> Mark Z.
>
> - Original Message -
> From: "EA Louie"
> To: "Mark Z."
> Sent: Tuesday, May 08, 2001 6:36 PM
> Subject: Re: Frame Relay backup issue... [7:3686]
>
> > ahhh, I'll give you a free answer anyway! ;-)
> >
> > Without making any assumptions except that the Frame Relay interface is
> > configured with a backup-interface statement that's pointed to a dialer,
> > and that all the routing is working okay, and that the dialer has a good
> > dialer-list, then the config would look similar to:
> >
> > interface serial0/1
> >  encapsulation frame-relay
> >  backup interface dialer1
> >  no backup load
> >  no backup delay
> >
> > interface dialer1
> >
> > then the only thing that would bring the backup into play is the serial
> > going down/down momentarily.
> >
> > If there IS a backup load statement on serial, then bandwidth percentage
> > over the first parameter of that command would initiate the dialer.
> > Adjust it higher or remove it.
> >
> > If there's no backup interface command on the serial interface, then a
> > floating static route is probably initiating the DDR. If an IGP is used
> > over the Frame Relay network then a route flap on the default route would
> > also start the dialing sequence.
> >
> > Let's see... is there a link for you? nope, can't find one that's
> > appropriate.
> >
> > -e-
> >
> > - Original Message -
> > From: "Mark Z."
> > Sent: Tuesday, May 08, 2001 2:39 PM
> > Subject: Frame Relay backup issue... [7:3686]
> >
> > > Hi Guys,
> > > Been a while since I've written to the list (guess that's kind of a
> > > good thing). Fairly simple question here: Let's say there is a company
> > > with a FR network with a hub/spoke topology. When data is sent from a
> > > site, a lot of times the backup link kicks up, even though the primary
> > > never went down. I remember this type of scenario in my readings but
> > > forget what the possibilities are. The simplest answer would be that
> > > they are oversubscribing their access on the line and the backup's
> > > kicking up. Or the line is just bad...but I doubt that. What are some
> > > possible scenarios that would cause this issue? I'm not asking for free
> > > answers to this but I would appreciate it if someone could point me in
> > > the right direction in terms of reading up on this. Thanks guys...good
> > > to be back.
> > >
> > > Mark Zabludovsky ~ CCNP, CCDA
> > > [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3753&t=3686
PPP Multilink and VRF [7:3752]
Is it possible to configure VRF forwarding under a 2 leased line bundle - PPP
Multilink between PE and CE?

interface Multilink1
 description Multilink
 ip address 192.168.10.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip route-cache policy
 no ip route-cache cef
 ip policy route-map bundle
 no cdp enable
 ppp multilink
 multilink-group 1

Otherwise, may I use 2 links from the PE in the MPLS domain to 2 CE routers
at the customer for load balancing and backup in case one of the links falls
down?

Any suggestion will be appreciated.

Kim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3752&t=3752
Older PIX/Local Director [7:3751]
Sometimes I see people refer to older Local Directors as Local Director/PIX.
Anyone know why? I mean, can the older LDIR boxes (like the 415) run the PIX
code? The boxes certainly look a lot like PIX 1/Classic/510 boxes.

Brian

---
We have MOVED!! Make note of our new address!!!
I'm buying / selling used CISCO gear!! Email me for a quote.

Brian Feeny, CCDP, CCNP+VAS       Scarlett Parria
[EMAIL PROTECTED]                 [EMAIL PROTECTED]
318-213-4709                      318-213-4701
Netjam, LLC                       http://www.netjam.net
333 Texas St.                     VISA/MC/AMEX/COD
Suite 1401                        30 day warranty
Shreveport, LA 71101              Cisco Channel Partner
p: 318-212-0245  f: 318-212-0246

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3751&t=3751
Re: 3640 down with OIR [7:3554]
I have seen this before where reseating actually fixed the problem. I have
also seen this indicate faulty hardware/midplane. Check the pins and whatnot
to make sure none are bent as well.

Brian

On Tue, 8 May 2001, Shoaib Waqar wrote:
> I just got my router down; it was a 3640, which had been
> working properly for the last 3 months. It gave the
> following error message and then hung up:
>
> %ORINT: OIR Event has occured oir_ctrl 5000 oir_stat 8F8A
>
> I know that OIR is Online Insertion and Removal, but
> the strange thing is that nobody inserted or removed
> any sort of hardware, and to my utter astonishment this
> msg came and surprised me. I also searched this error
> on TAC but there are only 4 of these OIR error types and
> I could not find this one. So any idea about this???
>
> P.S. The 3640 has 12.1.8 IP/IPX/AT/DEC Plus IOS and 16MB
> flash, 64 MB DRAM.
>
> Shoaib

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3750&t=3554
RE: Protocol Type 0x886F [7:3737]
Thank you all for the answers. This frame consumes 10-15 % of total frames
circling in my network. Any comment for this? Can I filter it out? Is there
any consideration on filtering?

TIA,
Andy

-Original Message-
From: Brian Dennis
Sent: Wednesday, May 09, 2001 12:09 PM
To: Andy Prima; [EMAIL PROTECTED]
Subject: RE: Protocol Type 0x886F [7:3737]

It's a heartbeat frame for Windows NT Load Balancing Service.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
[EMAIL PROTECTED]
(925) 260-2724

> -Original Message-
> From: Andy Prima
> Sent: Tuesday, May 08, 2001 9:47 PM
> To: [EMAIL PROTECTED]
> Subject: Protocol Type 0x886F [7:3737]
>
> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> broadcast is circling around my network and I do not have a clue what it
> really is.
>
> TIA
> andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3748&t=3737
Re: PIX and static routes [7:3484]
Yes, with a PIX you can configure static mappings of outside addresses to
inside addresses, and then configure "conduits" to allow particular traffic
types through.

Brian

On Mon, 7 May 2001, John Gotti wrote:
> Maybe I'm mistaken, but I thought it was possible to add static routes on
> a PIX firewall?...For instance, if your "outside" interface's IP was
> 198.6.1.4 and your "inside" interface's IP was 172.16.0.1, couldn't you
> add a static route to say for IP 172.24.9.0 255.255.255.0 go to
> 172.24.128.3? I know a PIX isn't a router, but I thought it could forward
> traffic based on a static route. Thanks!!
>
> -G

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3747&t=3484
Re: A question on EIGRP traffic [7:3464]
Cisco EIGRP by default will use "up to" 50% of the wire for its routing
protocol traffic. This is a feature to prevent the routing protocol from
consuming all available bandwidth.

Brian

On Mon, 7 May 2001, mindiani mindiani wrote:
> I have been told the Cisco EIGRP protocol is using by default 50% of the
> bandwidth of the WAN link. Can anybody give me more detail on this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3746&t=3464
OSPF MaxAge [7:3745]
Hi List,

I have a question about the OSPF MaxAge parameter. AFAIK from two sources -
the Doyle book and the RFC - MaxAge should be one hour and it's an OSPF
protocol constant, which means that it cannot be configured. When I typed
"show ip ospf" on a 250x running 11.3 I got:

...
Link State Update Interval is 0:30:00 and due in 0:16:25
Link State Age Interval is 0:20:00 and due in 0:16:25
...

Link State Age Interval - Specify max-aged update deletion interval and time
until next database cleanup in hours:minutes:seconds.

What's wrong with it?

--
Semion Lisyansky

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3745&t=3745
Re: Protocol Type 0x886F [7:3737]
A,

Check out Novell's site.

0x886F 111 OBJECT_NOT_FOUND
0x886F 111 NWE_OBJECT_NOT_FOUND

HTH
kv

- Original Message -
From: "Andy Prima"
Sent: Tuesday, May 08, 2001 9:47 PM
Subject: Protocol Type 0x886F [7:3737]

> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> Broadcast is circling around my network and I do not have a clue what it
> really is.
>
> TIA
> andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3744&t=3737
Re: CCNP 1.0 [7:3733]
Hi Pat

You can go ahead and take the last two exams from the new track and you would become a CCNP 1.0. However, if you retake the original two from the new track and then take the other two, you would become CCNP 2.0. In my opinion, the important part is getting the certification asap so that you can then start work on CCIE.

regards
Ali J Khan, CCNP

- Original Message -
From: "pat"
Sent: Wednesday, May 09, 2001 7:58 AM
Subject: CCNP 1.0 [7:3733]

> I have taken ACRC & CMTD exams. Now that these old
> exams are expired do I have to take all 4 new exams to
> be CCNP or can I just take two new exams & still be
> CCNP.
>
> I am CCNA 1.0 certified. Is it still valid or do I
> have to take new exam for CCNA also..?
>
> thanks,
> patterson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3742&t=3733
RE: Protocol Type 0x886F [7:3737]
It's a heartbeat frame for Windows NT Load Balancing Service.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial)
CCSI #98640
5G Networks, Inc.
[EMAIL PROTECTED]
(925) 260-2724

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Prima
> Sent: Tuesday, May 08, 2001 9:47 PM
> To: [EMAIL PROTECTED]
> Subject: Protocol Type 0x886F [7:3737]
>
> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> Broadcast is circling around my network and I do not have a clue what it
> really is.
>
> TIA
> andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3743&t=3737
Re: Protocol Type 0x886F [7:3737]
886f  Microsoft Corporation  Redmond, WA

Found this on the IEEE page:
http://standards.ieee.org/regauth/ethertype/type-pub.html

Seems to have something to do with Microsoft load balancing. I have not read it all the way through yet. See:
http://www.microsoft.com/TechNet/win2000/nlbovw.asp

Keep us updated :->

DaveC

Andy Prima wrote:
>
> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> Broadcast is circling around my network and I do not have a clue what it
> really is.
>
> TIA
> andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3741&t=3737
Re: addressing/mask question [7:3727]
Comments inline:

PS: check out ICMP redirect. It's another one that'll make your traffic do things that you wouldn't expect.

DaveC

Scott Meyer wrote:
>
> I have a question about network masks and proxy ARP that I have not
> understood for a long time. I'm not sure that I can clearly explain the
> question, but I'll give it my best. I got bits and pieces about the
> situation, so I don't know exactly what is working and when.
>
> A co-worker has a customer that has a really messy IP scheme. For
> simplicity, the network scheme should be
>
> network A           router A
> 172.16.1.0 /24      172.16.1.1   e0
>                     192.168.1.1  s0
>
> connects over WAN to
>
> network B           router B
> 172.16.2.0 /24      172.16.2.1   e0
>                     192.168.1.2  s0
>
> This customer has hosts with misconfigured masks and default gateways all
> over the place. Some hosts have wrong masks, some wrong gateways, on some
> both are wrong, and some are right. The routers are configured correctly, as
> above. Obviously he is experiencing some connectivity issues - sometimes
> things work, and sometimes they don't.
>
> I would like to more completely understand why. Proxy ARP is on (default).
>
> Let's assume the following:
> host A (wrong mask configured, 172.16.1.5 /16, gateway 172.16.1.1) tries to
> connect to host B 172.16.2.6 (correctly configured as /24, gateway
> 172.16.2.1)
>
> My understanding of what happens: Host A does binary ANDing, and thinks
> that host B is on the same subnet. So it ARPs for 172.16.2.1. Proxy ARP is
> on, so I would think the router recognizes that it needs to respond to host
> A's ARP request. Host A now thinks that host B = MAC address of router A.
> Host A sends traffic to router A and router A forwards. Both router A and
> host A know the correct MAC address of each other, so host B's response will
> get to host A. So this should work consistently despite the
> misconfiguration, but I know better. How am I thinking incorrectly?

# That's correct: When the router sees an ARP for a subnet that it thinks is not local to the interface it will reply with a proxy-arp.
From your statement "but I know better. How am I thinking incorrectly?" I take it that it is not working?
I see from your description that the 172.16.x.x is split between a 192.168.x.x. Are you using IGRP, EIGRP, or RIPv2 with no auto-summary, or OSPF? Check router A's routing table to see where the 172.16.2.x network is. ##

> Next question, let's assume the following:
> host A (wrong gateway configured, 172.16.1.5 /24, gateway 172.16.1.3) tries
> to connect to host B 172.16.2.6 (correctly configured as /24, gateway
> 172.16.2.1)
>
> My understanding of what happens: Host A does binary ANDing, and thinks
> that host B is on another subnet. Host A thinks that the gateway is
> 172.16.1.3, and ARPs for that. If there is a 172.16.1.3, it will respond
> with its MAC, host A will send traffic for host B to 172.16.1.3, which will
> promptly drop it because it has no idea what to do with it. If there is not
> a 172.16.1.3, host A will not get a response, and will time out eventually. I
> will need to check, but I don't think that host A will ARP for host B (as
> opposed to ARPing for the gateway). So this should consistently not work. If
> host A did not have a gateway at all, it would ARP for host B and router A
> would respond (due to proxy ARP) and connectivity would be established. Am I
> correct?

# Yes: 100% so far... ##

> I do think it makes a difference who initiates the connection, because of
> ARP. If host B tries to connect to host A, router A would ARP for host A.
> Host A would place router A's MAC in its ARP table for host B, and as long
> as that entry existed, communication would work consistently? Am I thinking
> correctly?

## I suppose someone could program an IP stack that way but I have not seen any host do what you just described. Pretty much Host A will use the same process whether it initiates or is responding. ##

> If proxy ARP is enabled, why is a default gateway needed? I have never seen
> a TCP/IP configuration that doesn't have a spot to enter a default gateway.
> Conversely, if everything has a default gateway, why is proxy ARP needed? If
> one of those (either the gateway or proxy ARP) is not working for whatever
> reason, why is communication spotty? Should it not be consistently either
> working or not?
>
> If proxy ARP works like it is supposed to, I don't see a need for hosts to
> have masks and gateways configured. The only problem I see is if there are
> multiple gateways available to a subnet, where both (or more) gateways will
> forward the packet, so the destination gets 2 packets. What happens then is
> protocol and application dependent.

# Question: Why do you need proxy-arp, masks, and
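The host-side decision Scott walks through and the proxy ARP behaviour DaveC confirms, as an added example that is not part of the original thread. The addresses are the ones from Scott's description (172.16.1.0/24 behind router A at 172.16.1.1, 172.16.2.0/24 behind router B); the host names, the stray host at 172.16.1.3 and the "proxy ARP switched off" variant are assumptions made for the illustration.

```python
"""Host forwarding decision vs. router proxy ARP, for the scenarios in the
thread above.

Added example; it is not part of the original posts. Router/host addresses
come from Scott's description (172.16.1.0/24 behind router A 172.16.1.1,
172.16.2.0/24 behind router B); the host names and the stray host at
172.16.1.3 are assumptions made for the illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Union


@dataclass
class Router:
    name: str
    lan_ip: IPv4Address
    lan_net: IPv4Network              # subnet the router believes is on e0
    routes: List[IPv4Network]         # networks it can reach elsewhere
    proxy_arp: bool = True            # IOS default: ip proxy-arp on

    def answers_arp_for(self, target: IPv4Address) -> bool:
        """Proxy ARP replies only for targets that are off the local subnet
        and that the router has a route to; it never answers for addresses
        on its own LAN (a real host, if any, should answer those)."""
        if target == self.lan_ip:
            return True
        if target in self.lan_net:
            return False
        return self.proxy_arp and any(target in net for net in self.routes)


@dataclass
class Host:
    name: str
    ip: IPv4Address
    prefixlen: int                    # the (possibly wrong) configured mask
    gateway: Optional[IPv4Address]

    def next_hop(self, dst: IPv4Address) -> IPv4Address:
        """The host ANDs src and dst with its own mask: same subnet -> ARP for
        the destination itself, otherwise ARP for the default gateway
        (or for the destination if no gateway is configured)."""
        local = IPv4Network(f"{self.ip}/{self.prefixlen}", strict=False)
        if dst in local or self.gateway is None:
            return dst
        return self.gateway


Node = Union[Router, Host]


def send(src: Host, dst: IPv4Address, segment: List[Node]) -> str:
    """Who answers the ARP for src's next hop on the shared segment, and what
    that means for the packet."""
    hop = src.next_hop(dst)
    for node in segment:
        if isinstance(node, Router) and node.answers_arp_for(hop):
            return f"{src.name} ARPs {hop}: {node.name} replies -> forwarded"
        if isinstance(node, Host) and node.ip == hop:
            return f"{src.name} ARPs {hop}: {node.name} replies -> dropped (not a router)"
    return f"{src.name} ARPs {hop}: no reply -> timeout"


ROUTER_A = Router("router A", IPv4Address("172.16.1.1"),
                  IPv4Network("172.16.1.0/24"), [IPv4Network("172.16.2.0/24")])
HOST_B = IPv4Address("172.16.2.6")


def run_scenarios() -> Dict[str, str]:
    stray = Host("host .3", IPv4Address("172.16.1.3"), 24, IPv4Address("172.16.1.1"))
    no_proxy = Router("router A", ROUTER_A.lan_ip, ROUTER_A.lan_net,
                      ROUTER_A.routes, proxy_arp=False)
    return {
        # wrong mask, right gateway: proxy ARP hides the mistake
        "wrong_mask": send(Host("host A", IPv4Address("172.16.1.5"), 16,
                                IPv4Address("172.16.1.1")), HOST_B, [ROUTER_A]),
        # right mask, wrong gateway that exists: a host answers and drops the packets
        "wrong_gw_present": send(Host("host A", IPv4Address("172.16.1.5"), 24,
                                      IPv4Address("172.16.1.3")), HOST_B, [ROUTER_A, stray]),
        # right mask, wrong gateway that does not exist: the ARP times out
        "wrong_gw_absent": send(Host("host A", IPv4Address("172.16.1.5"), 24,
                                     IPv4Address("172.16.1.3")), HOST_B, [ROUTER_A]),
        # no gateway at all: host ARPs for the destination, proxy ARP answers
        "no_gw": send(Host("host A", IPv4Address("172.16.1.5"), 24, None), HOST_B, [ROUTER_A]),
        # proxy ARP disabled on router A: the wrong-mask host is stranded
        "wrong_mask_no_proxy": send(Host("host A", IPv4Address("172.16.1.5"), 16,
                                         IPv4Address("172.16.1.1")), HOST_B, [no_proxy]),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

The last scenario is the security-relevant one: proxy ARP is what makes the wrong-mask hosts work at all, so turning it off on router A (a common hardening step) will break exactly those hosts, and the spotty behaviour Scott sees is consistent with a mix of the five cases above rather than with proxy ARP being flaky.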
Re: CCNP 1.0 [7:3733]
From what I know you are fine. As long as you took the 2 1.0's when they were valid (well apparently), you can still finish the CCNP with the next 2 tests... and don't worry about the CCNA. I got my CCNP 2.0 while holding an NA 1.0. Good luck with the tests,

Mark Z ~ CCNP, CCDA

> > I have taken ACRC & CMTD exams. Now that these old
> > exams are expired do I have to take all 4 new exams to
> > be CCNP or can I just take two new exams & still be
> > CCNP.
> >
> > I am CCNA 1.0 certified. Is it still valid or do I
> > have to take new exam for CCNA also..?
> >
> > thanks,
> > patterson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3739&t=3733
Protocol Type 0x886F [7:3737]
Dear all,

I need help on protocol type 0x886F. It seems that this kind of Ethernet Broadcast is circling around my network and I do not have a clue what it really is.

TIA
andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3737&t=3737
RE: password recovery problem with AAA [7:3735]
I would guess that if you boot the router ignoring the content of NVRAM that you could then view the startup config (show start). You might then want to do a cut and paste to Notepad or capture the output of your terminal program. If loading the config disallows you from doing anything, then best to erase start and reload. That wipes the router clean. Then config t and use the Notepad copy to enter the parts that you need.

> -Original Message-
> From: Sim, CT (Chee Tong) [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 11:25 PM
> To: [EMAIL PROTECTED]
> Subject: password recovery problem with AAA [7:3735]
>
> I am doing a password recovery for a 1700 router, I manage to see its
> previous configuration part. But I want to do a conf term to change
> setting. I found it was controlled by TACACS+ AAA server.
> How do I disable the setting of AAA so I can make change? See below
>
> rommon 1>confreg 0x2142
> rommon 2>reset
> Router>enable
> Router#conf mem
> Building configuration...
>
> 00:00:57: %IP_SNMP-3-SOCKET: can't open UDP socket
> KUL01#
> KUL01#
> *Mar 1 00:01:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.2, changed state to down
> *Mar 1 00:01:08: %SYS-5-CONFIG_I: Configured from memory by console
> KUL01#conf term
> Command authorization failed.
>
> KUL01#
> *Mar 1 00:01:28: %-3-INVSTATE: AUTHOR/CMD: Internal state is invalid: astruct 0x8093FF00 ustruct 0x0
> -Traceback= 8006C154 8006C01C 800A41D0 800A5098 800B0CB8 80114BE0

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3738&t=3735
RE: Printing Boson Exams and a ringing endorsement [7:3447]
Wow... I bought the test also. I am glad to know I can update. Thanks. Thanks.

John A

>===== Original Message From "Donald B Johnson jr" =====
>What are you talking about. All those stupid idiot letters under your name
>and you still can't read. I'll spell it out. I bought those tests. You are
>permitted to update!! He checked their database and I was in there!! He sent the
>codes!! You better hope your boss/client ain't on this site, now they will know what
>we all suspected.
>
>Couple other points:
>he ain't my friend - just had business dealings,
>and we ain't mates. - skip.
>Don
>
>- Original Message -
>From: "Michael E Taiwo"
>To: "Donald B Johnson jr"
>Sent: Monday, May 07, 2001 9:00 AM
>Subject: Re: Printing Boson Exams and a ringing endorsement [7:3447]
>
>> Sorry, I don't mean to be involved in this, but don't you think that you've
>> actually put the guy that gave you the crack in danger, by exposing his
>> email address in Groupstudy.
>>
>> Reason being, the guys that set the Boson questions are in this
>> groupstudy, and believe me your friend's job is on the line mate.
>>
>> Mike.
>>
>> CCNP,CCDP,CCNA,CCDA,MCSE+I
>> - Original Message -
>> From: "Donald B Johnson jr"
>> Sent: Monday, May 07, 2001 3:33 PM
>> Subject: Re: Printing Boson Exams and a ringing endorsement [7:3447]
>>
>> > Thanks Kevin
>> > Worked like a charm, the pdf thing.
>> > Did you know that you can update your Boson tests to version 3.67?
>> > It adds a cool feature that lets you test by category plus it updates your
>> > questions, "example I just created a pdf with all bgp questions" from the
>> > bscn test I bought.
>> > Just email this guy [EMAIL PROTECTED] with your serial numbers and he
>> > will send you back new unlock codes.
>> > You also have to go to their site and download the new testing engine.
>> > Oh by the way, Chad is working on his last test for CCNP then he is going
>> > for CCIE so he understands what we are about, not just a salesman with no
>> > clue. He was also one of the most helpful people I ever dealt with. I
>> > e-mailed my serial numbers, 10 in all, and he sent me back my new 3.67
>> > unlocks in fifteen minutes. One of the numbers I sent was wrong so I resent
>> > the correct number and a new unlock was sent in about five minutes. GREAT
>> > SERVICE BOSON, thanks Chad!!!
>> > Let's review
>> > 10 tests @ 30 dollars = CCNA/CCDA/CCNP/CCDP + two CCIE tests locked in the
>> > chamber for the written in a month for Don + great testing content + good
>> > money for the test writers + great service from Chad. What a value.
>> > No I don't work for Boson but so what if I did, I ain't lying.
>> >
>> > Don
>> >
>> > - Original Message -
>> > From: "Kevin Wigle"
>> > Sent: Saturday, May 05, 2001 1:06 PM
>> > Subject: Printing Boson Exams [7:3327]
>> >
>> > > Dear Group,
>> > >
>> > > Lost the original post but here's an answer of sorts.
>> > >
>> > > At the top in the File menu tree you can print each question.
>> > >
>> > > The print operation doesn't ask you where to print, it just uses the default
>> > > printer.
>> > >
>> > > So, create a new "printer" that prints to file (local printer - Generic) and
>> > > make it the default while you're doing the questions.
>> > >
>> > > Not very elegant actually as each question will overwrite the last one
>> > > saved. So keep Windows Explorer open and rename the output each time.
>> > >
>> > > Unfortunately, graphics won't come across too well.
>> > >
>> > > So if you own the Adobe Editor - it installs the Adobe Distiller which is
>> > > another print to file operation but you get to keep all the graphics and it's
>> > > in .pdf format.
>> > >
>> > > So you can't dump an exam but you can get all the info you want one by one
>> > > if you're patient.
>> > >
>> > > Kevin Wigle

Have a great day!
John A

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3734&t=3447
Re: FW: security opinions please [7:3666]
Drew wrote:
>It can be, and it is. But, so is just about everything. It is the
>probability of the risk being exploited that really matters, and in
>this case I see that as a small one. Now, let's talk about using
>Microsoft as a security benchmark... ;-)

Reminds me of an obscure Steve Martin routine... "Hi, I'm Fred! I have a bank! Ya got fifteen hundred? I'll put it, uh, over here, in my white suit."

BJ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3710&t=3666
password recovery problem with AAA [7:3735]
I am doing a password recovery for a 1700 router. I manage to see its previous configuration part, but I want to do a conf term to change the setting. I found it was controlled by a TACACS+ AAA server. How do I disable the setting of AAA so I can make the change? See below.

rommon 1>confreg 0x2142
rommon 2>reset
Router>enable
Router#conf mem
Building configuration...

00:00:57: %IP_SNMP-3-SOCKET: can't open UDP socket
KUL01#
KUL01#
*Mar 1 00:01:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.2, changed state to down
*Mar 1 00:01:08: %SYS-5-CONFIG_I: Configured from memory by console
KUL01#conf term
Command authorization failed.

KUL01#
*Mar 1 00:01:28: %-3-INVSTATE: AUTHOR/CMD: Internal state is invalid: astruct 0x8093FF00 ustruct 0x0
-Traceback= 8006C154 8006C01C 800A41D0 800A5098 800B0CB8 80114BE0

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3735&t=3735
Re: CCNP 1.0 [7:3733]
This link has requirements for the "640-50X" series.
http://www.cisco.com/warp/public/cc/serv/mkt/cert/career/ccnp_ds.htm

You may have to email them on this one...

- Original Message -
From: "pat"
Sent: Tuesday, May 08, 2001 10:58 PM
Subject: CCNP 1.0 [7:3733]

> I have taken ACRC & CMTD exams. Now that these old
> exams are expired do I have to take all 4 new exams to
> be CCNP or can I just take two new exams & still be
> CCNP.
>
> I am CCNA 1.0 certified. Is it still valid or do I
> have to take new exam for CCNA also..?
>
> thanks,
> patterson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3736&t=3733
CCNP 1.0 [7:3733]
I have taken ACRC & CMTD exams. Now that these old exams are expired do I have to take all 4 new exams to be CCNP or can I just take two new exams & still be CCNP.

I am CCNA 1.0 certified. Is it still valid or do I have to take new exam for CCNA also..?

thanks,
patterson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3733&t=3733
Re: security opinions please [7:3666]
Interesting thread, and on a subject that crops up again and again...

Sure it's possible to compromise VLANs, but as has been said, through misconfiguration rather than anything else. Say you have a switch in a hosting centre that customers can plug into - set your ports to anything other than "trunk off" and you're in big trouble :-(

Interestingly, a place I worked at had a network design submitted by a *VERY* well known and respected organisation (acting as consultants for an ASP-type deal), with 26 (count 'em) switches so as to avoid these apparent security flaws. Having laughed them out of the building, guess what eventually got installed? A pair of 6509s - so go figure.

Andy

- Original Message -
Sent: Tuesday, May 08, 2001 11:32 PM
Subject: Re: security opinions please [7:3666]

> From a pure security perspective, this design is not as secure as
> having separate switches for the outside, dmz and inside networks.
> The reasoning is very simple, yes, you can put lots of software in
> place to prevent people from telneting to the switch, but in the
> event of just the right failure/misconfiguration, someone could
> theoretically re-configure the switch to do bad things.
>
> I have had long discussions with people about this issue and the
> bottom line is that while a compromise in this configuration is
> highly improbable, it is not impossible. When you have physical
> separation of switches, it is impossible for a software
> failure/misconfiguration in the switch to lead to an internal
> compromise, it is therefore a more secure configuration to use
> multiple switches.
>
> It is, however, very convenient to use a single switch. As a
> compromise, I recommend a single external switch and a common
> internal switch for the dmz's and internal segments. As there are
> normally very few connections on the outside, this is a reasonable
> compromise at a very small incremental cost.
>
> HTH,
> Kent
>
> On 8 May 2001, at 15:42, [EMAIL PROTECTED] wrote:
>
> > Let me lay out the basic topology of a network first:
> >
> > A 6500 has several VLANS configured on it. Among these are an
> > external internet vlan, a dmz, and several internal vlans. The
> > internal vlans are routed by an MSFC in the 6500. Routing between the
> > internal, dmz, and external are handled by a firewall external to the
> > 6500.
> >
> > Are there any security issues with having all of these VLANS in the
> > same box? Someone in our organization is concerned that someone can
> > hack the switch just because the connection from the internet is
> > plugged into it. The switch's management address is on one of the
> > internal vlans, and an access list is on the telnet access that
> > restricts access from only the internal vlans.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3732&t=3666
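Andy's "anything other than trunk off" rule, turned into a check you can run over a switch config, as an added example that is not part of the original thread. The rule is stated for CatOS (set trunk ... off); the script below audits the IOS equivalent, where a customer-facing port should carry "switchport mode access" plus "switchport nonegotiate" so that DTP can never negotiate it into a trunk. The config is constructed for the illustration, and the assumption that an interface with no explicit "switchport mode" line is left at a dynamic, DTP-negotiating default is platform dependent: confirm it with "show interfaces switchport" on the real box.

```python
"""Audit an IOS switch config for ports that could still negotiate a trunk.

Added example, not from the original thread. SAMPLE_CONFIG is constructed;
the "no explicit mode means dynamic default" rule is an assumption that
holds for many older Catalyst IOS releases but not all platforms.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description customer A hand-off (no mode set)
 switchport access vlan 10
!
interface FastEthernet0/2
 description customer B hand-off
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 description customer C hand-off
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to firewall
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' block to its indented command lines."""
    ifaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"^interface (\S+)", raw)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif raw.startswith("!"):
            current = None
        elif current is not None and raw.startswith(" "):
            ifaces[current].append(raw.strip())
    return ifaces


def audit_trunk_negotiation(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for ports that can still end up
    as a trunk via DTP, or that trunk every VLAN on the switch."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        modes = [l.split()[2] for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1] if modes else None          # last one wins, as in IOS
        nonegotiate = "switchport nonegotiate" in lines
        if mode == "access":
            continue  # permanent non-trunking; DTP cannot turn it into a trunk
        if mode == "trunk":
            if not nonegotiate:
                findings.append((name, "trunk still sends DTP; add 'switchport nonegotiate'"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk carries every VLAN; prune with 'switchport trunk allowed vlan'"))
            continue
        # explicit dynamic mode, or no mode at all (assumed dynamic default)
        findings.append((name, f"mode={mode or 'default'}: port can negotiate a trunk; "
                               "set 'switchport mode access' and 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit_trunk_negotiation(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Only FastEthernet0/2 passes: a customer plugged into 0/1 or 0/3 could answer the switch's DTP and come up as a trunk carrying every VLAN on the box, which is the misconfiguration the thread is about; the two uplinks are flagged for the lesser issues of still speaking DTP and of carrying all VLANs.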
Re: encapsulation [7:3701]
PPP gives you authentication (PAP/CHAP), plus standards-based inter-operability.

HDLC is quasi-standards-based, having been developed from SDLC originally, although different manufacturers are inter-operable to a greater or lesser extent (Nokia for instance support "Cisco"-HDLC on their firewall boxes). HDLC has a slightly lower overhead than PPP.

I tend to use HDLC on internal leased-lines where I *shouldn't* need authentication, and PPP on dial-based stuff.

hth
Andy

- Original Message -
From: "SH Wesson"
Sent: Tuesday, May 08, 2001 11:53 PM
Subject: encapsulation [7:3701]

> Should I use hdlc or ppp encapsulation on a point to point connection
> between two wan sites? The connection is used to access data. And also
> what is the benefit and disadvantages of using one over the other. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3731&t=3701
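The CHAP authentication Andy lists as PPP's advantage over HDLC, worked through as both sides of the exchange. This is an added example, not code from the original post: the peer names and shared secrets are made up, and the classes stand in for the two ends of the link (the authenticator is the side that sends the Challenge, as a Cisco router does with "ppp authentication chap"). The digest is the one RFC 1994 specifies, MD5 over the Identifier octet, the secret and the challenge value.

```python
"""PPP CHAP (RFC 1994) challenge/response, both sides, as an added example
of the authentication PPP gives you that HDLC does not. Not from the original
post; the peer names and the shared secrets below are made up.

Response = MD5(Identifier || Secret || Challenge); the secret never crosses
the link, and a fresh random challenge per attempt defeats replay.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the one-octet Identifier, the secret
    and the challenge value, in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The side that sends Challenge and checks Response (e.g. the router)."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets            # peer hostname -> shared secret
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}

    def challenge(self) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)            # unpredictable and unique per attempt
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Success only for a response to a challenge that is still
        outstanding; each challenge is consumed on first use."""
        value = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side being authenticated."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, value: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, value)


def run_chap(auth: Authenticator, peer: Peer) -> bool:
    """One full exchange: Challenge -> Response -> Success/Failure."""
    ident, value = auth.challenge()
    name, response = peer.respond(ident, value)
    return auth.verify(ident, name, response)


def replay_attack(auth: Authenticator, peer: Peer) -> bool:
    """Capture a good Response, then replay it against a later challenge."""
    ident, value = auth.challenge()
    name, response = peer.respond(ident, value)
    auth.verify(ident, name, response)           # the legitimate session
    ident2, _ = auth.challenge()
    return auth.verify(ident2, name, response)   # replayed digest

 
# constructed test secrets (assumption, not a real configuration)
SECRETS = {"branch-router": b"s3cret-branch", "hq-router": b"s3cret-hq"}


def demo() -> Dict[str, bool]:
    auth = Authenticator(SECRETS)
    return {
        "good_secret": run_chap(auth, Peer("branch-router", b"s3cret-branch")),
        "wrong_secret": run_chap(auth, Peer("branch-router", b"guess")),
        "unknown_peer": run_chap(auth, Peer("rogue", b"s3cret-branch")),
        "replay": replay_attack(auth, Peer("hq-router", b"s3cret-hq")),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:13s} -> {'Success' if ok else 'Failure'}")
```

Two caveats a practitioner would want: CHAP authenticates the link peer, it does not encrypt anything that follows, and the shared secret must be stored in recoverable form on both ends (it cannot be kept as a hash), so the router config that holds it deserves the same protection as the enable secret.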
Reply: Re: [7:3730]
Thank you, buddy. But there's still another question: since I have only 4MB flash on my Cisco 2503, and although you compress that IOS 12.0 image, it's still much larger than 4MB, so where should I put the compressed file/image? On a TFTP server?

Any advice will be appreciated, thank you.

henry
2001-05-08 20:06

Subject: Re: Reply: IOS upgrade, failure [7:3513] [7:3520]

It's very easy. You can use the Unix tool gzip to compress the IOS file. Then change the IOS file from *.bin to *.Z. Finally you should have 4MB plus the IOS file size (uncompressed) in RAM. Then you can play IOS 12.03 with 4MB flash and 18MB (16+2) RAM.

Good Luck

"[EMAIL PROTECTED]" wrote:

You can't do that upgrade, I have also a 2503 with 4MB flash, I want IOS 12.0??!!

From: "John Brandis" [EMAIL PROTECTED]
2001-05-08 09:04
To: [EMAIL PROTECTED]
Cc:
Subject: IOS upgrade, failure [7:3513]

Hey all,

I am back on for the day. Have a 2503 router with suspected 4MB flash. I need to upgrade from IOS 10.2 to at least 11.3. Problem is that IOS 11.3 is 5MB. What can I do besides upgrade the flash?

John Brandis
Network Engineer
GoWireless Communications
155 George Street Sydney
+61 2 9251 5000

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3730&t=3730
Re: real world BGP question [7:3506]
Those /24s likely have something to do with the fact that the blocks in the A space you mentioned are ARIN allocated CIDR blocks. I believe that ISPs tend to be a little less restrictive on them. Several other route-servers mirror your findings on cerf.net.

For those of you that haven't seen it:
http://www.arin.net/regserv/IPStats.html#cidr

--trey

Chuck Larrieu wrote:
> I respectfully disagree. A brief look through route-server.cerf.net shows an
> awful lot of /24's in class A space, particularly in the 24.0.0.0, 64.0.0.0,
> 65.0.0.0, and 66.0.0.0 space. Not to mention a lot in class B space. My hand
> hurts from scrolling through the routing table there. Granted, everything is
> relative. What cerf.net shows is not necessarily what any other provider
> shows. But I suggest that CIDR is broken and there are lots of prefixes
> longer than /19, no matter what the classful block. :->
>
> Chuck
>
> -Original Message-
> From: Brian [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 5:05 PM
> To: Chuck Larrieu
> Cc: [EMAIL PROTECTED]
> Subject: RE: real world BGP question [7:3506]
>
> many providers filter based on the classful origin of the space. If the
> block is out of what was once class a or b space, the likelihood of a /24
> getting filtered out is fairly high. My previous employer did that.
>
> Brian "Sonic" Whalen
> Success = Preparation + Opportunity
>
> On Mon, 7 May 2001, Chuck Larrieu wrote:
>
> > Seems rather presumptuous of Cisco to speak for every ISP in the world
> >
> > In order to limit the number of routes being advertised on the internet, I
> > believe it was considered "best current practice" to limit prefix length to
> > /19 or shorter. (can't find the RFC at the moment, but I recall it being
> > referenced several times in various threads on the NANOG list.)
> >
> > Obviously, with well over 100K routes in "the internet routing table" there
> > are a great number of longer prefixes being advertised, no doubt in great
> > part because of the number of companies that are "connected to multiple
> > ISP's so they can load balance across the internet"
> >
> > Prefix advertising may be influenced by peering arrangements, downstream and
> > upstream agreements, and customer requirements. Generally, once holes are
> > punched through CIDR blocks, what can anyone do?
> >
> > When someone makes a statement like you attribute to Cisco, one must always
> > follow up with specifics to determine what is really meant. Not all routes
> > seen in one provider's network routing tables are necessarily present in the
> > tables of another provider.
> >
> > Chuck
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Murphy, Brennan
> > Sent: Monday, May 07, 2001 4:01 PM
> > To: '[EMAIL PROTECTED]'; Charlie Winckless; Murphy, Brennan
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: real world BGP question
> >
> > Cisco told me today that a /24 drawn from Class C space
> > has a better chance of being propagated throughout the Internet
> > than a /24 taken from Class B space. Anyone disagree with that?
> > Can anyone recommend a good source of info on this. I've checked
> > Halabi.
> >
> > I came across a good reference during my quest www.traceroute.org
> > Unfortunately, it doesn't offer plain answers to my questions.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, April 27, 2001 1:58 PM
> > To: Charlie Winckless; 'Murphy, Brennan'
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: real world BGP question
> >
> > Currently on a US basis a /24 would generally work. Internationally (Europe)
> > most providers would filter out anything longer than /20.
> >
> > - Original Message -
> > From: "Charlie Winckless"
> > To: "'Murphy, Brennan'"
> > Sent: Friday, April 27, 2001 1:18 PM
> > Subject: RE: real world BGP question
> >
> > > I used to work for VERIO. At that time they would not
> > > route smaller than /19 on their backbone.
> > >
> > > This may have changed.
> > >
> > > > -Original Message-
> > > > From: Murphy, Brennan [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, April 27, 2001 10:46 AM
> > > > To: 'Michelle T'; '[EMAIL PROTECTED]'
> > > > Subject: RE: real world BGP question
> > > >
> > > > I guess that is my real question: what is the longest prefix that
> > > > is exchanged among/between major carriers.
> > > >
> > > > The real world example here is what if you had 4 server farms answering
> > > > to one DNS name: ftp.foo.com. You have Round Robin DNS running
> > > > round trip times to match a user with their nearest server farm
> > > > so it sends back the closest/fastest IP. The question is, how
> > > > big do those subnets for the server farms have to be in order to be
> > > > maximally advertised throughout the internet?
> > > >
> > > > So, I've seen two answers
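The two filtering practices described in this thread, a prefix-length limit keyed on the classful origin of the block (Brian) and leniency for the ARIN CIDR allocation blocks (Trey), written out as a policy you can test a prefix against and render as IOS prefix-list lines. This is an added example, not part of the original posts or any provider's real policy: the /19 and /24 limits are the figures quoted above, while the two "lenient" blocks and their /24 limit are an illustrative assumption chosen to cover the 24/8 and 64-66/8 space Chuck mentions.

```python
"""A prefix-length filter keyed on the classful origin of the block, the
practice Brian describes above, with the ARIN "CIDR block" leniency Trey
mentions bolted on.

Added example, not from the original posts. The /19 and /24 limits are the
ones quoted in the thread; the lenient blocks and their /24 limit are an
illustrative assumption, not any provider's real policy.
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List

# longest prefix accepted, per former class (figures quoted in the thread)
CLASSFUL_LIMIT: Dict[str, int] = {"A": 19, "B": 19, "C": 24}

# blocks treated more leniently (assumed; stands in for ARIN CIDR allocations)
LENIENT: List[IPv4Network] = [IPv4Network("24.0.0.0/8"), IPv4Network("64.0.0.0/6")]
LENIENT_LIMIT = 24


def classful_origin(net: IPv4Network) -> str:
    """Which former class the block came out of, by its first octet."""
    first = int(net.network_address) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"


def accepts(prefix: str) -> bool:
    """Would this policy accept the announced prefix (e.g. '10.1.0.0/19')?"""
    net = ip_network(prefix)          # strict: rejects host bits set, e.g. 10.1.1.1/24
    if net.version != 4:
        raise ValueError("IPv4 only")
    origin = classful_origin(net)
    if origin not in CLASSFUL_LIMIT:
        return False                   # multicast/reserved space is never accepted
    if any(net.subnet_of(block) for block in LENIENT):
        return net.prefixlen <= LENIENT_LIMIT
    return net.prefixlen <= CLASSFUL_LIMIT[origin]


def to_prefix_list(name: str = "CLASSFUL-IN") -> List[str]:
    """Render the same policy as IOS 'ip prefix-list' lines. The lenient
    blocks come first because the list is evaluated in sequence order; the
    final deny is the implicit default made explicit."""
    lines, seq = [], 5
    for block in LENIENT:
        lines.append(f"ip prefix-list {name} seq {seq} permit {block} le {LENIENT_LIMIT}")
        seq += 5
    for block, limit in ((IPv4Network("0.0.0.0/1"), CLASSFUL_LIMIT["A"]),
                         (IPv4Network("128.0.0.0/2"), CLASSFUL_LIMIT["B"]),
                         (IPv4Network("192.0.0.0/3"), CLASSFUL_LIMIT["C"])):
        lines.append(f"ip prefix-list {name} seq {seq} permit {block} le {limit}")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    for p in ("10.1.0.0/19", "10.1.0.0/20", "130.1.1.0/24", "198.51.100.0/24",
              "24.5.6.0/24", "65.1.2.0/24", "65.1.2.0/25"):
        print(f"{p:18s} {'accept' if accepts(p) else 'reject'}")
    print("\n".join(to_prefix_list()))
```

The point of rendering the prefix list is that the same /24 is accepted or rejected purely on where it sits in the address space, which is exactly why Brennan's /24 out of class B space fares worse than one out of class C or out of 64/6, and why the answer differs from one provider to the next: each one's LENIENT list and limits are its own.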
Re: 2610 w/ an additional 1e 2w module [7:3402]
If you want to use your 2600 as a frame relay switch, do as I have done: buy an NM-4a/s, 4t, 8a/s or 8/t. A 1fe2w only works in a 3600.

Regards,

Jason Baker

- Original Message -
From:
To:
Cc:
Sent: Tuesday, May 08, 2001 4:44 AM
Subject: Re: 2610 w/ an additional 1e 2w module [7:3402]

> o.k. so basically to get this puppy to work in the 2600 series i need to get
> a 1FE2W encasing module to hold the wic 2t's ?? I'm going to try to use this box as a
> frame switch so i'm trying to get as many serial interfaces on it as possible...
>
> Thanks for your help guys!!
>
> Randy
>
>
> On Mon, 7 May 2001 13:53:25 +1000 "Jason Baker" writes:
> > also another tip. The WIC 2-T modules do not work in plain ethernet based
> > modules (such as 1e2w).
> > You need to get a 1FE2W at least to put the WIC 2t-s in.
> >
> > However the wic 2-t's will work in the fixed serial slots in the 2600's.
> >
> > Regards,
> >
> > Jason Baker
> > ---
> > Network Engineer
> >
> > - Original Message -
> > From:
> > To:
> > Sent: Monday, May 07, 2001 1:17 PM
> > Subject: 2610 w/ an additional 1e 2w module [7:3402]
> >
> >
> > > Hi all !!
> > >
> > > I have just finished installing a new 1 e 2 w module in my 2610 router &
> > > It's not being recognized, unit already had an existing Wic 2t plus the
> > > built in ethernet port. I added the 2t 1e which is actually 2 wic 1 t cards with an
> > > ethernet port on the main module
> > > and it's not being recognized, When i remove the existing wic 2 t cards
> > > only the main ethernet shows up on the show
> > > version..I do see the Act led on the module solid green but nothing on
> > > the sho ver..
> > >
> > > Am i missing something ... do I have to activate this new module somehow
> > > ??
> > >
> > > Clueless @ this point...
> > >
> > > TIA for any info you might provide.
> > >
> > > Randy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3728&t=3402
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Lab Date Swap for RTP November 17, 18 [7:3726]
I am looking to swap my Lab date in RTP scheduled for November 17 and 18, 2001. I am interested in a mid-July or August timeframe at the same location (RTP).

Regards,

Louis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3726&t=3726
addressing/mask question [7:3727]
I have a question about network masks and proxy ARP that I have not understood for a long time. I'm not sure that I can clearly explain the question, but I'll give it my best. I got bits and pieces about the situation, so I don't know exactly what is working and when.

A co-worker has a customer that has a really messy IP scheme. For simplicity, the network scheme should be:

network A         router A
172.16.1.0 /24    172.16.1.1 e0
                  192.168.1.1 s0
                       |
              connects over WAN to
                       |
network B         router B
172.16.2.0 /24    172.16.2.1 e0
                  192.168.1.2 s0

This customer has hosts with misconfigured masks and default gateways all over the place. Some hosts have wrong masks, some wrong gateways, on some both are wrong, and some are right. The routers are configured correctly, as above. Obviously he is experiencing some connectivity issues - sometimes things work, and sometimes they don't. I would like to more completely understand why. Proxy ARP is on (default).

Let's assume the following: host A (wrong mask configured, 172.16.1.5 /16, gateway 172.16.1.1) tries to connect to host B 172.16.2.6 (correctly configured as /24, gateway 172.16.2.1)

My understanding of what happens: Host A does binary anding, and thinks that host B is on the same subnet. So it ARPs for 172.16.2.1. Proxy ARP is on, so I would think the router recognizes that it needs to respond to host A's ARP request. Host A now thinks that host B = MAC address of router A. Host A sends traffic to router A and router A forwards. Both router A and host A know the correct MAC address of each other, so host B's response will get to host A. So this should work consistently despite the misconfiguration, but I know better. How am I thinking incorrectly?

Next question, let's assume the following: host A (wrong gateway configured, 172.16.1.5 /24, gateway 172.16.1.3) tries to connect to host B 172.16.2.6 (correctly configured as /24, gateway 172.16.2.1)

My understanding of what happens: Host A does binary anding, and thinks that host B is on another subnet. Host A thinks that the gateway is 172.16.1.3, and ARPs for that. If there is a 172.16.1.3, it will respond with its MAC, host A will send traffic for host B to 172.16.1.3, which will promptly drop it because it has no idea what to do with it. If there is not a 172.16.1.3, host A will not get a response, and will timeout eventually. I will need to check, but I don't think that host A will ARP for host B (as opposed to ARPing for the gateway). So this should consistently not work. If host A did not have a gateway at all, it would ARP for host B and router A would respond (due to proxy ARP) and connectivity would be established. Am I correct?

I do think it makes a difference who initiates the connection, because of ARP. If host B tries to connect to host A, router A would ARP for host A. Host A would place router A's MAC in its ARP table for host B, and as long as that entry existed, communication would work consistently? Am I thinking correctly?

If proxy ARP is enabled, why is a default gateway needed? I have never seen a TCP/IP configuration that doesn't have a spot to enter a default gateway. Conversely, if everything has a default gateway, why is proxy ARP needed? If one of those (either the gateway or proxy ARP) is not working for whatever reason, why is communication spotty? Should it not be consistently either working or not?

If proxy ARP works like it is supposed to, I don't see a need for hosts to have masks and gateways configured. The only problem I see is if there are multiple gateways available to a subnet, where both (or more) gateways will forward the packet, so the destination gets 2 packets. What happens then is protocol and application dependent.

Any comment is appreciated. I'm currently learning how little I know. ;-)

Scott Meyer
CCNA, CCDA, MCSE, etc
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3727&t=3727
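The two cases in the post (wrong mask with proxy ARP available, and wrong gateway) come down to a single decision a host makes: AND the destination with its own mask, then ARP either for the destination itself or for the configured gateway, and whether anything on the wire answers that ARP. The following is an added example, not code from the post, that models exactly that on the post's own topology (router A at 172.16.1.1/24 with a route to 172.16.2.0/24, host A at 172.16.1.5, host B at 172.16.2.6). The MAC addresses are constructed, and the `arp_when_no_route` switch is an assumption made explicit: what a host does with no default gateway at all is stack-dependent, so the model lets you try both behaviours. Turning `proxy_arp` off shows why the /16-misconfigured host's connectivity depends on the router's proxy ARP rather than on anything the host itself has right.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed MAC addresses for the simulation (not from the post).
ROUTER_A_MAC = "00:00:0c:aa:00:01"
HOST_A_MAC = "00:50:56:00:00:05"
OTHER_HOST_MAC = "00:50:56:00:00:03"   # a plain workstation that happens to own 172.16.1.3
HOST_B = "172.16.2.6"                  # destination from the post


class Host:
    """A host's forwarding decision: AND the destination with its own mask."""

    def __init__(self, addr, mac, gateway=None, arp_when_no_route=False):
        self.iface = ip_interface(addr)
        self.mac = mac
        self.gateway = ip_address(gateway) if gateway else None
        # Stack-dependent assumption: some older stacks ARP for any destination
        # when they have no route at all; most modern ones simply fail.
        self.arp_when_no_route = arp_when_no_route

    def arp_target(self, dst):
        dst = ip_address(dst)
        if dst in self.iface.network:      # mask says "same subnet": ARP for dst itself
            return dst
        if self.gateway is not None:       # otherwise ARP for the configured gateway
            return self.gateway
        return dst if self.arp_when_no_route else None


class Segment:
    """One Ethernet segment with its router interface and the attached hosts."""

    def __init__(self, router_addr, router_mac, routes, proxy_arp=True):
        self.router = ip_interface(router_addr)
        self.router_mac = router_mac
        self.routes = [ip_network(r) for r in routes]   # what the router can reach
        self.proxy_arp = proxy_arp
        self.hosts = []

    def who_answers(self, target):
        """MAC that replies to an ARP request for target, or None if nobody does."""
        for h in self.hosts:
            if h.iface.ip == target:
                return h.mac
        if target == self.router.ip:
            return self.router_mac
        # Proxy ARP: the router answers for addresses off this subnet that it
        # has a route to; it never proxies for its own connected subnet.
        if (self.proxy_arp and target not in self.router.network
                and any(target in r for r in self.routes)):
            return self.router_mac
        return None


def first_hop(host, segment, dst):
    """MAC the host will send frames for dst to, or None (traffic goes nowhere)."""
    target = host.arp_target(dst)
    return None if target is None else segment.who_answers(target)


def scenario(mask_bits, gateway, proxy_arp=True, host_at_1_3=False,
             arp_when_no_route=False):
    """Host A (172.16.1.5) on network A from the post, trying to reach host B."""
    seg = Segment("172.16.1.1/24", ROUTER_A_MAC, ["172.16.2.0/24"], proxy_arp)
    host_a = Host(f"172.16.1.5/{mask_bits}", HOST_A_MAC, gateway, arp_when_no_route)
    seg.hosts.append(host_a)
    if host_at_1_3:
        seg.hosts.append(Host("172.16.1.3/24", OTHER_HOST_MAC, "172.16.1.1"))
    return first_hop(host_a, seg, HOST_B)


if __name__ == "__main__":
    print("wrong mask /16, proxy ARP on  :", scenario(16, "172.16.1.1"))
    print("wrong mask /16, proxy ARP off :", scenario(16, "172.16.1.1", proxy_arp=False))
    print("wrong gw .3, nothing there    :", scenario(24, "172.16.1.3"))
    print("wrong gw .3, workstation there:", scenario(24, "172.16.1.3", host_at_1_3=True))
    print("no gateway, modern stack      :", scenario(24, None))
    print("no gateway, ARP-for-all stack :", scenario(24, None, arp_when_no_route=True))
    print("correct config                :", scenario(24, "172.16.1.1"))
```

Reading the results: the wrong-mask host reaches router A only because proxy ARP answers on the router's behalf; the wrong-gateway host either gets no answer at all or hands its traffic to whatever workstation owns 172.16.1.3, which is the black hole the post describes. Either way the first hop is decided by the host's mask and gateway, which is why a host with a broken ARP cache entry can "work for a while" and then stop when the entry ages out.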
question about using MRTG to survey the traffic of POS [7:3725]
hi, everyone here

i meet a problem in using MRTG to survey the traffic of a POS interface in Cisco's GSR router and Juniper's M160 router. The amount of traffic of the POS interface displayed in MRTG is much smaller than that displayed in the router's exec command, but they are the same if the interface is an ATM interface or an ethernet interface. I guess there is a bug in MRTG programming or a misconfiguration in the configuration file. Can anyone give me the true answer?

thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3725&t=3725
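The post does not say what the cause turned out to be, but one thing worth checking first when a poller undercounts a fast POS interface while agreeing with the router on slower Ethernet and ATM ports is counter size. The following is an added example, not from the post: a poller reading the standard 32-bit octet counters (`ifInOctets`/`ifOutOctets`) assumes the counter wrapped at most once between polls, and on a link fast enough to wrap several times inside a five-minute interval the computed rate is only the leftover of the real byte count modulo 2^32. The 2.488 Gb/s figure is an assumed OC-48 rate (the post gives no link speed); the 64-bit high-capacity counters (`ifHCInOctets`/`ifHCOutOctets`, which need SNMPv2c or v3) are the standard remedy.

```python
COUNTER32 = 2 ** 32   # ifInOctets / ifOutOctets wrap at this value
COUNTER64 = 2 ** 64   # ifHCInOctets / ifHCOutOctets (64-bit) wrap here


def counter_delta(prev, cur, modulus=COUNTER32):
    """Octets counted between two polls, on the usual poller assumption
    that the counter wrapped at most once in between."""
    return (cur - prev) % modulus


def wraps_per_poll(bits_per_second, poll_seconds, modulus=COUNTER32):
    """How many times a counter on a link carrying bits_per_second wraps
    inside one polling interval (0 means the single-wrap assumption holds)."""
    octets = bits_per_second * poll_seconds // 8
    return octets // modulus


def reported_bps(bits_per_second, poll_seconds, modulus=COUNTER32):
    """Rate a single-wrap poller would report for a link that really carried
    bits_per_second for the whole interval: whatever survives modulo the
    counter size, converted back to bits per second."""
    octets = bits_per_second * poll_seconds // 8
    return counter_delta(0, octets, modulus) * 8 // poll_seconds


if __name__ == "__main__":
    OC48 = 2_488_320_000      # assumed POS line rate, bits/s
    FAST_ETHERNET = 100_000_000
    POLL = 300                # MRTG's default five-minute interval
    for name, rate in (("OC-48 POS", OC48), ("Fast Ethernet", FAST_ETHERNET)):
        print(f"{name}: 32-bit counter wraps {wraps_per_poll(rate, POLL)} times per poll,"
              f" poller reports {reported_bps(rate, POLL):,} b/s of {rate:,}")
        print(f"{name}: with 64-bit counters it reports {reported_bps(rate, POLL, COUNTER64):,} b/s")
```

At 100 Mb/s the counter never wraps inside 300 seconds, so the 32-bit reading is exact; at OC-48 rate it wraps over twenty times and the reported number is a small fraction of the true rate, which matches the symptom of a gap on POS but agreement on Ethernet.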
Re: FW: FW: security opinions please [7:3666]
Very passionate but I think you missed the point...and got it at the same time. You are right, nothing is safe, including firewalls which have various degrees of accreditation by national security advisory groups, including the military which have higher levels than most. You can only ever minimise the chance of a penetration, not prevent it! I am not going to discuss here how it can be done but you can research that for yourself. It is everywhere on the internet and in books.

I still would not allow an external network to be directly connected to a switch with internal networks on it in any network that I am responsible for; it is just too dangerous! However, if you have discussed the security implications with the Business side and costs are a consideration and they understand the risks then go for it.

Do you have a security policy in place...this is very important. Most don't and some will suffer the consequences. There are many other configuration considerations aside that need to be considered to develop a security policy. I could go on and on and on and on...

Cheers

Jim Gillen
Snr Communications Engineer
AUSTRAC
Ph: 9950 0842
Fax: 9950 0074

>>> "Eric Rivard" 9/05/01 10:19:16 >>>
call me naive, but how can a hacker know you are connected to a switch? Let alone find the IP address of the switch if it is on the internal address? Yes the switch is separating traffic by software, but isn't every firewall doing the same thing? PIX, CheckPoint, Cisco IOS Firewall feature set, are all software, so should we use none of these products, because no software is perfect. Think about the PIX, the inside traffic and outside traffic is handled all in ONE box. What's the difference?

First of all, anyone that has set up a co-location or web server on a DMZ knows that your firewall is not your first line of defense. The first line is your Internet Router. Here you only allow web, smtp, dns, and ftp (if you want) traffic in. The hacker has to get through this first. You can also put an access-list on this router to prevent any traffic to hit the actual outside interface of the pix, so it cannot be directly attacked. Then we have the PIX which provides additional security for our inside network. How can a hacker telnet into a switch if the IP address is inside and the PIX prohibits this? Last time I checked you can't use a MAC address to telnet. And besides, don't Cisco switches have over a 1000 MAC addresses in the Supervisor Engine? How can you overflow a switch with MAC addresses or traffic? You should use a high-end switch for your web traffic. Most of these switches can switch billions of packets per second. Your Internet connection will crash before anyone can even come close to this.

In addition most companies set up their web server in a co-location where space is a premium. You cannot put in 3 4000 or 5000 switches in one rack and your servers also. And then these companies have internal routers connecting their internal network to this co-location where they put more access-lists. I think any hacker would give up before trying to continue on. Yes no software is perfect, but every firewall is software. The only secure way is to have no Internet access.

-Original Message-
From: Jim Gillen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:42 PM
To: [EMAIL PROTECTED]
Subject: Re: FW: security opinions please [7:3666]

Have you ever looked into how a switch can be compromised by an experienced hacker? Even though, theoretically, VLANS can't talk to each other except through a router, you are still having external and internal traffic on the same physical box running OS software, which is not perfect.

Cheers

Jim Gillen
Snr Communications Engineer
AUSTRAC
Ph: 9950 0842
Fax: 9950 0074

>>> "Brian" 9/05/01 8:59:56 >>>
Echoing these sentiments here, the whole point of vlans is traffic separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANS
> to distinguish between outside, dmz, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Exciter's network diagram on its site, saying how they used VLANS, they
> also had an Oracle example. I have set up quite a bit of co locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the Out
Re: 3620 with 2 x NM-2FE-2W problem [7:3687]
ok, typically when trying to get a positive indication, either good or bad, from Cisco about capabilities is a very difficult thing. We have had good long threads on the list about things that work vs. things that are supported.

That being said, here is a snippet from:

http://www.cisco.com/warp/customer/cc/pd/rt/3600/prodlit/atmnm_ov.htm

Which describes an ATM module for the 3600 series.

Technical Specifications
ATM OC-3 Network Module

System Requirements
- Only supported on the Cisco 3600 series routers at this time
- Not supported on the Cisco 2600 series
- No slot placement restrictions on either platform
- * Maximum recommended on a single Cisco 3640 and Cisco 3620 is one
- * Max two high-speed network modules in a Cisco 3640 (includes Fast Ethernet, ATM, HSSI)
- Requires Plus feature sets of Cisco IOS Release 12.0(3)T or above
- Operates in conjunction with all currently available Cisco 3600 network modules and WAN interface cards (WICs)

** Note my stars. Although it says 2 modules I think this was before the 2FE2W was around..

Now, below is a table from:

http://www.cisco.com/warp/customer/cc/pd/rt/3600/prodlit/1fefx_ov.htm

Which is for the 1FEFX

Supported Configurations
The following table provides configurations supported by the new modules.

Table 2: Module Maximum Quantity in Cisco

                          3620    3640
Max Number of NM-1FE-FX   1       3

* bad pasting but it reads 1 FEFX for a 3620 and 3 for a 3640.

Now having said all that, this page says that YES you can put 2 x NM-2FE2W in a 3620:

http://www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/2636m_ds.htm

The Maximum Number of NMs that can be utilized in each of the 2600/3600 families is as follows:

            2600    3620    3640    3660
NM-2FE2W    N/A     2       4       6

Also:

The minimum level of IOS is IOS 12.0(7)XK or 12.1(1)T

And finally. You may want to look and see if you have a 3620 that has PCI bus problems. In this case (I actually had one and returned it), it was specifically ATM but your output did mention PCI dev 5

http://www.cisco.com/warp/public/770/51.shtml

give the command:

show pci hardware

and if you see 0x22 or 0xE2 - then your 3620 should be returned.

In any event, I think you have a case to take to TAC.

Kevin Wigle

- Original Message -
From: "Gareth Hinton"
To:
Sent: Tuesday, 08 May, 2001 19:56
Subject: Re: 3620 with 2 x NM-2FE-2W problem [7:3687]

> That's exactly the sort of thing I'm looking for, but I've scoured CCO and
> cannot find anything that says it will or won't work.
>
> I've heard rumour that the only limiting factor was that I would not get a
> non-blocking configuration, but I'll put up with that if I can get it to
> work.
>
> Anybody any clues, particularly on the error that points to ROM version,
> while ROM version seems to be sufficient?
>
> Thanks,
>
> Gaz
>
> ""Kevin Wigle"" wrote in message news:[EMAIL PROTECTED]...
> > I would have to find it again but I'm sure that somewhere on CCO it says
> > that a 3620 shouldn't have more than 2 fast interfaces be they fast ethernet
> > or ATM or a combination.
> >
> > Your router now has 4 fast interfaces.
> >
> > Kevin Wigle
> >
> > - Original Message -
> > From: "Gareth Hinton"
> > To:
> > Sent: Tuesday, 08 May, 2001 17:39
> > Subject: 3620 with 2 x NM-2FE-2W problem [7:3687]
> >
> >
> > > Hi all,
> > >
> > > Problem with a 3620:
> > >
> > > Takes one NM-2FE-2W fine. When second one is inserted major problems arise.
> > >
> > > NM slot 0: PCI dev 5 init failed
> > > No fault history 0x. Need 11.1 (2) or higher ROM
> > >
> > > The boot rom is "System Bootstrap, Version 11.1(20)AA2"
> > >
> > > I've gone through CCO to confirm that the 3620 will take these cards, and
> > > although there were a few doubts, eventually found it and they should be OK.
> > >
> > > Anybody seen similar or got ideas.
> > >
> > > Thanks,
> > >
> > > Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3723&t=3687
Re: Pix 5xx [7:3716]
I don't know of a book that focuses just on PIX, but I think "Managing Cisco Network Security" by Michael Wenstrom, ISBN 1578701031, is good.

>From: "Keith Townsend"
>Reply-To: "Keith Townsend"
>To: [EMAIL PROTECTED]
>Subject: Pix 5xx [7:3716]
>Date: Tue, 8 May 2001 19:57:01 -0400
>
>Anybody knows a good book for learning the Cisco Pix. I had to install one
>of these and I got the job done but

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3722&t=3716
Trade - Lab gear [7:3721]
I am building my home lab and have a hodge-podge of stuff. I am hoping to get different stuff that will meet my lab needs.

I have the following:

1 x NM-1CT1-CSU (1-port channelized T1-PRI mod w/CSU)   approx. $2000 new
1 x NM-8AM (8-port Analog Modem mod)                    approx. $1550 new
2 x NM-1FE-2W (2-port 10/100 + 2 Wic slots)             approx. $1600 new

I am looking for:

1 x NM-4A/S or NM-8A/S (8 or 4 port async/sync NM)
1 x NM-16A (16 port async module)
2 x NM-1V or NM-2V (1 or 2 slot voice module)
1 x VIC-2FXS (2 port FXS mod)
1 x VIC-2FXO (2 port FXO mod)

Anybody wanna trade?

-Sling

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3721&t=3721
Sending JPEG across an ISDN bridged link brings the network to [7:3720]
Hi all,

Need the group's advice. The network consists of two 1605 routers with 128k ISDN connections in a transparent bridge environment. This network suffers from lockups often, however, not consistently.

Yesterday, speaking with a user, he asked me a question. The question was, "Why is it when I send a JPEG file to a user located across the ISDN link, the network comes to a halt?". I told him that if the JPEG was very large in size, ex. 2MB, when it has to cross the ISDN link, it's like trying to squeeze a lemon (a small one) into a pop bottle (maybe not a good example, but that is all I could think of). This saturates the ISDN link which is only 128k.

Am I correct in my explanation? What would be a good explanation? I am not comfortable with my explanation (maybe I am wrong).

I look forward to hearing the group's thoughts, as well as any solutions (change to routing, QOS, etc.)

TIA
KM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3720&t=3720
RE: security opinions please [7:3666]
At 06:11 PM 5/8/01 -0400, Jacques Atlas wrote:
>On Tue, 8 May 2001, Michael Cohen wrote:
>
>|How does one go upon "penetrating" the internal VLAN on a switch while only
>|having access to the external VLAN and not traversing the PIX in the middle?
>
>i would also be interested in finding out the theory behind this.
>
>|I have heard the response from numerous security engineers that anything is
>|possible however I guess I'm a novice because I have never seen nor heard of
>|this being done in the situation mentioned above.
>
>did they give you proof ?
>
>|I attribute the idea of physically separating these networks (even
>|though VLAN based separation is just as effective) as security paranoia.
>
>there are also times when you can not afford to buy a decent switch for
>every service that you want and a large switch could give the best
>possible solution.
>
>--
>jacques

Some quite nasty security issues with Switches

Believe it or not, there is a way to sniff on a switch. :( So, enter scenario 1, where you HAVE to assume the DMZ gets compromised. (Because this happens, and is inevitable. If it didn't, why bother with a DMZ?) The host can possibly sniff the network, I really hope you got ssh enabled everywhere. SNMP is not encrypted yet (If I recall correctly), so, that's another give away for more info. Fallacy #3 or so is to believe that the internal network is safe, hence clear text is 'OK', well it's not. :) Or, you can try to do "MAC Address Locking", which would stop it. The basis of sniffing on a switch is basically ARP Forging. Do recall the secure MAC Address Locking is somewhat inconvenient at times. But worth it if you are the Security Ninja that they expect you to be! :)

Switches are vulnerable to IP DoSes due to management ips and snmp and what not, you probably could setup ACLs to help stop that though.

Oh yeah, there was a bug with Windows XP and a Catalyst where I believe the Windows XP box absolutely demolished the Catalyst. Cisco admitted the fault and put up a security advisory. I suppose a DoS doesn't count as penetration, but it sure is annoying.

"A frame that enters a Cat5K backplane gets dumped to all ports on the switch. It is then up to the processor to tell all ports (minus the actual destination port) to drop the frame. Should the processor become overloaded, it cannot inform the ports to drop the frame"

Guthrie, Jeremy. ``Re: Cisco Catalyst switches.'' 14 June 2000. URL: http://www.securityfocus.com/frames/?content=/templates/archive.pike (19 August 2000.)

Ah well, leaky ethernet packets aren't so hot for security either, and when you can bust the layer 2 level, Pix or not, it's smooth sailing to the internal network.

VLAN Hopping! Although there is not any specific implementation to do this, the possibility is quite frightening. Oh yeah, if you do trunking, since ISL has no authentication, there might be ways to claim particular VLANs and MAC addresses.

"Unfortunately, the ISL protocol has no authentication. This lack of authentication allows an attack where a user spoofs ISL packets in order to communicate with other VLANs that exist on the switch".

Russel, Ryan. ``Cisco Catalyst issues.'' 30 October 1998. URL: http://lists.synfin.net/Archives/firewall-wizards/1998/Nov/msg00039.html

I am sure there are a ton of other nasty possibilities. Also, realize that Cisco switch products are generally designed for performance (since everyone loves zoom zoom zoom switches), they are not really designed for security. I am not sure if they are really doing a high level security audit on their switches for high levels of security. I guess you could take the risk. But if you follow the original axiom of security which is not to trust anyone, why should I begin to trust the Cisco Catalyst?

However, with Security Axiom #2 or so being, If the security solution brings about great "cost" (defined by inconvenience + price) in a staggering proportion compared to the value of what is being protected, you are doing yourself a disservice, it does not mean to just throw away all Catalysts and slay the mighty VLAN Daemons inside! It just means, seriously weigh the costs out yourself.

And admittedly, after doing the heavy duty research, you could do a fair amount of work to secure the Catalyst to a "reasonable" degree, so it is not as bad as I originally thought. However, the potential is there, good luck with evaluating!

And down with the HaX0rS and CraCkeRs! ;)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3719&t=3666
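On the "sniffing on a switch is basically ARP forging" point above, the defender's side of it is to watch the IP-to-MAC bindings on each segment and alert when one changes or when a single station starts answering for several addresses, which is what arpwatch-style monitors do. The following is an added example, not code from the post: a minimal version of that check run over a constructed list of ARP-reply observations (time, sender IP, sender MAC) as a passive monitor on a DMZ segment might record them. The addresses are from documentation ranges and the MACs are made up; 192.0.2.1 plays the segment's gateway.

```python
from collections import defaultdict

# Constructed ARP-reply observations (seconds, sender IP, sender MAC), the way
# a passive monitor on a segment would log them; not real capture data.
# 192.0.2.1 is the segment's gateway; .10 and .11 are two hosts on it.
OBSERVATIONS = [
    (0,   "192.0.2.1",  "00:00:0c:07:ac:01"),
    (5,   "192.0.2.10", "00:50:56:00:00:0a"),
    (10,  "192.0.2.11", "00:50:56:00:00:0b"),
    (60,  "192.0.2.1",  "00:00:0c:07:ac:01"),
    (120, "192.0.2.1",  "00:50:56:00:00:0b"),  # gateway IP now answered by .11's MAC
    (125, "192.0.2.10", "00:50:56:00:00:0b"),  # and so is .10
    (180, "192.0.2.1",  "00:00:0c:07:ac:01"),  # the real gateway answers again
]


def mac_changes(observations):
    """(time, ip, old_mac, new_mac) for every time an IP's MAC binding flips.
    A binding that flip-flops between two MACs is the signal arpwatch-style
    tools raise; a legitimate NIC swap changes it exactly once."""
    binding = {}
    changes = []
    for t, ip, mac in observations:
        mac = mac.lower()
        old = binding.get(ip)
        if old is not None and old != mac:
            changes.append((t, ip, old, mac))
        binding[ip] = mac
    return changes


def macs_answering_for_many(observations, threshold=2):
    """MACs seen answering for threshold or more distinct IPs. One station
    claiming both the gateway address and another host's address is the
    classic sign that it has inserted itself into the path."""
    claimed = defaultdict(set)
    for _, ip, mac in observations:
        claimed[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for t, ip, old, new in mac_changes(OBSERVATIONS):
        print(f"t={t:>4}s  {ip:<12} changed {old} -> {new}")
    for mac, ips in macs_answering_for_many(OBSERVATIONS).items():
        print(f"{mac} answered for {len(ips)} addresses: {', '.join(ips)}")
```

Both checks are cheap enough to run continuously from a span port or a monitoring host on each VLAN, and they complement the "MAC address locking" (port security) the post recommends: port security pins which MACs a port may source frames from, while this watches what those MACs claim in ARP.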
FW: FW: security opinions please [7:3666]
call me naive, but how can a hacker know you are connected to a switch? Let alone find the IP address of the switch if it is on the internal address? Yes the switch is separating traffic by software, but isn't every firewall doing the same thing? PIX, CheckPoint, Cisco IOS Firewall feature set, are all software, so should we use none of these products, because no software is perfect. Think about the PIX, the inside traffic and outside traffic is handled all in ONE box. What's the difference?

First of all, anyone that has set up a co-location or web server on a DMZ knows that your firewall is not your first line of defense. The first line is your Internet Router. Here you only allow web, smtp, dns, and ftp (if you want) traffic in. The hacker has to get through this first. You can also put an access-list on this router to prevent any traffic to hit the actual outside interface of the pix, so it cannot be directly attacked. Then we have the PIX which provides additional security for our inside network. How can a hacker telnet into a switch if the IP address is inside and the PIX prohibits this? Last time I checked you can't use a MAC address to telnet. And besides, don't Cisco switches have over a 1000 MAC addresses in the Supervisor Engine? How can you overflow a switch with MAC addresses or traffic? You should use a high-end switch for your web traffic. Most of these switches can switch billions of packets per second. Your Internet connection will crash before anyone can even come close to this.

In addition most companies set up their web server in a co-location where space is a premium. You cannot put in 3 4000 or 5000 switches in one rack and your servers also. And then these companies have internal routers connecting their internal network to this co-location where they put more access-lists. I think any hacker would give up before trying to continue on. Yes no software is perfect, but every firewall is software. The only secure way is to have no Internet access.

-Original Message-
From: Jim Gillen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:42 PM
To: [EMAIL PROTECTED]
Subject: Re: FW: security opinions please [7:3666]

Have you ever looked into how a switch can be compromised by an experienced hacker? Even though, theoretically, VLANS can't talk to each other except through a router, you are still having external and internal traffic on the same physical box running OS software, which is not perfect.

Cheers

Jim Gillen
Snr Communications Engineer
AUSTRAC
Ph: 9950 0842
Fax: 9950 0074

>>> "Brian" 9/05/01 8:59:56 >>>
Echoing these sentiments here, the whole point of vlans is traffic separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANS
> to distinguish between outside, dmz, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Exciter's network diagram on its site, saying how they used VLANS, they
> also had an Oracle example. I have set up quite a bit of co locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the Outside he
> would have to go through the firewall. If Cisco recommends and companies
> like Microsoft and Excite are implementing it, I don't see how it can be
> a security risk. See this link for a really good document on setting up
> a e-commerce co-location network, it also has router and pix configs
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
>
> -Original Message-
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it. Among these are an external
> >internet vlan, a dmz, and several internal vlans. The internal vlans are
> >routed by an MSFC in the 6500. Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box? Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts ac
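The "first line of defense" the post describes is an inbound access list on the Internet router that admits only web, smtp, dns and ftp toward the public servers and refuses anything aimed at the firewall's own outside interface. The following is an added example, not the post's or any vendor's code: a small first-match evaluator for an access list of that shape, using documentation-range addresses constructed for the example. Its point is the ordering rule that bites most often in practice: because the firewall's outside address lives inside the public block the permits cover, the deny for it has to come before them, or it never matches (the last test below shows the reordered list letting port 80 through to the firewall address).

```python
from ipaddress import ip_address, ip_network

# Constructed addresses from documentation ranges, not any real network.
PIX_OUTSIDE = "203.0.113.2"      # the firewall's outside interface
PUBLIC_BLOCK = "203.0.113.0/24"  # public block the router forwards toward the PIX

# Entries are (action, protocol, source, destination, destination port).
# "ip" matches any protocol; None matches any port. Order matters: the deny
# for the PIX outside address sits first because the permits below cover
# the whole /24 it lives in.
ACL = [
    ("deny",   "ip",  "any", PIX_OUTSIDE,  None),
    ("permit", "tcp", "any", PUBLIC_BLOCK, 80),
    ("permit", "tcp", "any", PUBLIC_BLOCK, 25),
    ("permit", "udp", "any", PUBLIC_BLOCK, 53),
    ("permit", "tcp", "any", PUBLIC_BLOCK, 53),
    ("permit", "tcp", "any", PUBLIC_BLOCK, 21),
]


def _addr_matches(spec, addr):
    """'any', a single address, or a CIDR block."""
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec)
    return ip_address(addr) == ip_address(spec)


def evaluate(acl, proto, src, dst, dport):
    """First matching entry decides; an IOS ACL ends in an implicit deny."""
    for action, p, s, d, port in acl:
        if p != "ip" and p != proto:
            continue
        if not _addr_matches(s, src) or not _addr_matches(d, dst):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def audit(acl, packets):
    """Run (proto, src, dst, dport) tuples through the ACL; returns decisions."""
    return [(pkt, evaluate(acl, *pkt)) for pkt in packets]


if __name__ == "__main__":
    SAMPLE = [                       # constructed traffic
        ("tcp", "198.51.100.7", "203.0.113.10", 80),   # web to a public server
        ("tcp", "198.51.100.7", "203.0.113.2", 80),    # web aimed at the PIX itself
        ("tcp", "198.51.100.7", "203.0.113.10", 23),   # telnet: not on the list
        ("udp", "198.51.100.7", "203.0.113.10", 53),   # dns
    ]
    for pkt, decision in audit(ACL, SAMPLE):
        print(decision.upper(), pkt)
    print("deny moved to the end:",
          evaluate(ACL[1:] + ACL[:1], "tcp", "198.51.100.7", "203.0.113.2", 80))
```

Everything not listed falls through to the implicit deny, which is why telnet toward the public block is refused without a line saying so; the only explicit deny in the list exists because a more specific destination has to be excluded from a broader permit.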
RE: Passed CCIE Written but NOT doing lab [7:3568]
Agree, in spades

Cheers

Jim Gillen
Snr Communications Engineer
AUSTRAC
Ph: 9950 0842
Fax: 9950 0074

>>> "William E. Grudged" 9/05/01 9:17:06 >>>
Caroll's right, you can't BS that lab!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carroll Kong
Sent: Tuesday, May 08, 2001 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Passed CCIE Written but NOT doing lab [7:3568]

At 01:27 PM 5/8/01 -0400, Chris Haller wrote:
>The school I am currently attending for CCIE
>written/lab is pumping out "paper" CCIE's faster than
>I can say .. "help, the written ccie is almost as
>worthless as the mcse"
>
>Juniper ?? I hear their test is twice as hard as
>CCIE. Maybe you should attempt that one

But by definition, there is no paper CCIE. You have no CCIE certification if you only pass the qualifier (written exam). I do not know if you can even consider it "half way" there. It is just a prelude of things to come and to weed out people. I have not taken the written personally, so not sure if it is "bookwormable". I am assuming it is since anything written / multiple choice ends up being that way in the end.

The Juniper written lab or the juniper practical lab is "twice" as hard? If it is more emphasis on ISIS or Juniper-isms, it is a matter of spending some time to apply your basic networking knowledge to understand new protocols (ISIS isn't concentrated on as heavily in CCIE exams if I remember correctly) and learning a particular company's "isms". Or working with the company's particular hardware. (ouch, good luck finding those guys on ebay for a good price). Should not be too hard for good networking guys (written part), exposure to the hardcore equipment might be hard, but also makes you wonder if the market space is really that big for heavy duty core work.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3717&t=3568
Pix 5xx [7:3716]
Does anybody know a good book for learning the Cisco Pix? I had to install one of these and I got the job done but

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3716&t=3716
Re: 3620 with 2 x NM-2FE-2W problem [7:3687]
That's exactly the sort of thing I'm looking for, but I've scoured CCO and cannot find anything that says it will or won't work. I've heard a rumour that the only limiting factor was that I would not get a non-blocking configuration, but I'll put up with that if I can get it to work.

Anybody any clues, particularly on the error that points to ROM version, while the ROM version seems to be sufficient?

Thanks,
Gaz

"Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> I would have to find it again but I'm sure that somewhere on CCO it says that a 3620 shouldn't have more than 2 fast interfaces be they fast ethernet or ATM or a combination.
>
> Your router now has 4 fast interfaces.
>
> Kevin Wigle
>
> ----- Original Message -----
> From: "Gareth Hinton"
> Sent: Tuesday, 08 May, 2001 17:39
> Subject: 3620 with 2 x NM-2FE-2W problem [7:3687]
>
> > Hi all,
> >
> > Problem with a 3620:
> >
> > Takes one NM-2FE-2W fine. When the second one is inserted major problems arise.
> >
> > NM slot 0: PCI dev 5 init failed
> > No fault history 0x. Need 11.1 (2) or higher ROM
> >
> > The boot rom is "System Bootstrap, Version 11.1(20)AA2"
> >
> > I've gone through CCO to confirm that the 3620 will take these cards, and although there were a few doubts, eventually found it and they should be OK.
> >
> > Anybody seen similar or got ideas.
> >
> > Thanks,
> >
> > Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3715&t=3687
Re: tcp intercept [7:3685]
I found them as well, thanks. I guess I need to rephrase the question... there are many parameters (watch-timeout, drop-mode, etc.) that you can configure and I was wondering what most people out there are using? There are usually pros and cons to everything and talking to people who have already done this might have some good advice... or not, heh, heh, heh.

Cheers,
Jeff

"andyh" wrote in message news:[EMAIL PROTECTED]...
> check
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/scdenial.htm
>
> or alternatively search for tcp and intercept at:
>
> www.cisco.com
>
> like I just did
>
> Andy
>
> ----- Original Message -----
> From: "Jeff Duchin"
> Sent: Tuesday, May 08, 2001 10:27 PM
> Subject: tcp intercept [7:3685]
>
> > What's the best way to enable this as I've seen a bunch of different variations... I want this on my external router...
> >
> > Thanks,
> > Jeff

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3714&t=3685
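Jeff's follow-up is about which of the tunables people actually set, and that is easier to discuss with all of them on one screen. The configuration below is an added example and is not from any post in this thread; it enables TCP intercept on an Internet-facing IOS router for a hypothetical server block 192.0.2.0/24, with the value of every knob stated next to the IOS 12.0 default so the effect of changing one is visible. The address range, ACL number and the values chosen here are assumptions; the command names and the defaults in the comments are the ones documented for IOS 12.0.

```cisco
! Added example, not from the thread.  Server block, ACL number and the
! chosen values are assumptions; defaults in comments are IOS 12.0.
!
! The extended ACL selects which connections are intercepted: source
! 'any', destination the servers you are protecting.  Anything the ACL
! does not permit passes untouched.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq www
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq smtp
!
ip tcp intercept list 101
!
! intercept: the router answers the SYN itself, completes the handshake
!            with the client, then opens the server side and splices.
! watch:     the router only watches and sends a RST to the server if
!            the handshake is not completed within watch-timeout.
! (default: intercept)
ip tcp intercept mode intercept
!
! Half-open connections in watch mode are reset after this (default 30 s).
ip tcp intercept watch-timeout 30
!
! How long state is kept after FIN or RST is seen (default 5 s).
ip tcp intercept finrst-timeout 5
!
! Idle time after which an established connection is dropped
! (default 86400 s = 24 h).  3600 keeps the table smaller.
ip tcp intercept connection-timeout 3600
!
! Aggressive mode starts when either counter passes its 'high' value and
! stops when it falls back below 'low'.  max-incomplete counts half-open
! connections; one-minute counts connection attempts in the last minute.
! (defaults: low 900, high 1100 for both)
ip tcp intercept max-incomplete low 900
ip tcp intercept max-incomplete high 1100
ip tcp intercept one-minute low 900
ip tcp intercept one-minute high 1100
!
! In aggressive mode each new SYN causes one half-open connection to be
! dropped: the oldest (default) or a random one.
ip tcp intercept drop-mode random
```

Once it is in, `show tcp intercept connections` lists the half-open and established entries and `show tcp intercept statistics` shows whether aggressive mode has been entered; watching the statistics under normal peak load before lowering the thresholds avoids resetting legitimate clients.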
Re: FW: security opinions please [7:3666]
Have you ever looked into how a switch can be compromised by an experienced hacker? Even though, theoretically, VLANs can't talk to each other except through a router, you are still having external and internal traffic on the same physical box running OS software, which is not perfect.

Cheers
Jim Gillen
Snr Communications Engineer
AUSTRAC
Ph: 9950 0842 Fax: 9950 0074

>>> "Brian" 9/05/01 8:59:56 >>>
Echoing these sentiments here, the whole point of vlans is traffic separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it recommends you use VLANs just like this. They even did a study with Microsoft and posted it on Microsoft's website suggesting to use VLANs to distinguish between outside, dmz, and internal networks. I have seen many big companies do it this way. For example, last month Cisco had Excite's network diagram on its site, saying how they used VLANs, they also had an Oracle example. I have set up quite a few co-locations using only a 5500 with 3 VLANs, one for the outside, one for the inside, and one for the DMZ. I don't see how a hacker can break into a different VLAN from the outside. Switches see VLANs as logical switches inside of it. If a hacker wants to get to the internal VLAN from the Outside he would have to go through the firewall. If Cisco recommends and companies like Microsoft and Excite are implementing it, I don't see how it can be a security risk. See this link for a really good document on setting up an e-commerce co-location network, it also has router and pix configs
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
> -----Original Message-----
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> > Let me lay out the basic topology of a network first:
> >
> > A 6500 has several VLANs configured on it. Among these are an external internet vlan, a dmz, and several internal vlans. The internal vlans are routed by an MSFC in the 6500. Routing between the internal, dmz, and external are handled by a firewall external to the 6500.
> >
> > Are there any security issues with having all of these VLANs in the same box? Someone in our organization is concerned that someone can hack the switch just because the connection from the internet is plugged into it. The switch's management address is on one of the internal vlans, and an access list is on the telnet access that restricts access from only the internal vlans.
>
> Oh boy, the big security button. IF you really want to be secure, you are NOT going to be using VLANs at all. You want hard, cold, old fashioned separate layer 2 networks, by HARDWARE. However, realize security is really a layering process and hopefully warding off attackers of a particular experience level by making the task seem like "too much trouble", or "beyond their ability." A true pro can penetrate "VLAN" based security. A novice and probably most intermediates, will not. You decide and weigh out your costs in choosing the far less flexible hard switches on the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do. i.e. If you are guarding the Fort Knox of the computer realm, I'd probably go hardcore. If you are not, you may want to stick with VLANs. Security is always a balance between convenience and security. :( The sad truth is, the ultimate security is, the wire cutters. (and perhaps a Faraday Cage if wireless takes off). :)
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7
Re: security opinions please [7:3666]
Michael Cohen wrote:
>
> How does one go about "penetrating" the internal VLAN on a switch while only having access to the external VLAN and not traversing the PIX in the middle? I have heard the response from numerous security engineers that anything is possible however I guess I'm a novice because I have never seen nor heard of this being done in the situation mentioned above. I attribute the idea of physically separating these networks (even though VLAN based separation is just as effective) to security paranoia.

They say all you have to do is flood the switch with ARP requests and overflow the CAM table... easy to talk about, hard to do in practice. There are, however, some tools that are supposed to help you attack a switch. macof, part of dsniff, comes to mind. As does ettercap.

In fact, I've never seen VLANs mentioned as anything more than a handy way to break up broadcast domains. I don't consider them a security feature, and I don't know anyone else who does either.

Some decent reads:

http://mlarchive.ima.com/firewalls/1999/4507.html
http://packetstorm.securify.com/9909-exploits/vlan_security.txt

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3712&t=3666
Re: ATM AAL5 errors [7:3682]
#1. The source device encapsulates whatever traffic it has to send in an AAL5 PDU, then segments the PDU and places the pieces of the PDU into the payload of the ATM cells.

#2. AAL5 is almost always used in UBR (unspecified bit rate) calls, i.e. no guarantee from the carrier that they will deliver your cell to the destination.

#3. During times of congestion the carrier will drop cells in a UBR call.

#4. If a cell (or cells) is dropped within the carrier's network, the AAL5 PDU's CRC will be invalid.

#5. There is an EOF (end of frame) bit within the cell header, which tells the destination when it has received the last cell comprising the AAL5 PDU.

#6. If the EOF cell is lost then the destination will try to recombine 2 (or more) AAL5 PDUs, possibly resulting in a PDU that is too large. OR, if the only cell comprising an AAL5 PDU that made it through the network was the EOF cell, then the destination will find that the reassembled AAL5 PDU is smaller than the minimum allowed.

This is a brief overview of what ATM does and why you'll see AAL5 errors. There are always ifs and buts and a million little details, BUT I won't get into those.

PS: if the errored AAL5 frames are not over 1% then don't worry about it.

DaveC

Q wrote:
>
> I'm getting AAL5 CRC and AAL5 Length errors. They are both tied to one another in terms of rate of errors. This is a difficult problem in terms that they are both related. One problem is that the other side of the WAN is a Cabletron SSR 8600 hunk of crap. Someone give me a clue...TIA!
>
> marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3711&t=3682
Re: tcp intercept [7:3685]
check

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/scdenial.htm

or alternatively search for tcp and intercept at:

www.cisco.com

like I just did

Andy

----- Original Message -----
From: "Jeff Duchin"
Sent: Tuesday, May 08, 2001 10:27 PM
Subject: tcp intercept [7:3685]

> What's the best way to enable this as I've seen a bunch of different variations... I want this on my external router...
>
> Thanks,
> Jeff

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3709&t=3685
RE: WAN Job in the Metro Detroit area [7:3683]
dude, have you checked the joblist?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 08, 2001 4:24 PM
To: [EMAIL PROTECTED]
Subject: WAN Job in the Metro Detroit area [7:3683]

I am looking for a WAN job in the Detroit area, I can send you my resume and cover letter upon request.

Thanks
Brian

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3708&t=3683
RE: Passed CCIE Written but NOT doing lab [7:3568]
Carroll's right, you can't BS that lab!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carroll Kong
Sent: Tuesday, May 08, 2001 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Passed CCIE Written but NOT doing lab [7:3568]

At 01:27 PM 5/8/01 -0400, Chris Haller wrote:
> The school I am currently attending for CCIE written/lab is pumping out "paper" CCIE's faster than I can say .. "help, the written ccie is almost as worthless as the mcse"
>
> Juniper ?? I hear their test is twice as hard as CCIE. Maybe you should attempt that one

But by definition, there is no paper CCIE. You have no CCIE certification if you only pass the qualifier (written exam). I do not know if you can even consider it "half way" there. It is just a prelude of things to come and to weed out people.

I have not taken the written personally, so not sure if it is "bookwormable". I am assuming it is since anything written / multiple choice ends up being that way in the end.

The Juniper written lab or the Juniper practical lab is "twice" as hard? If it is more emphasis on ISIS or Juniper-isms, it is a matter of spending some time to apply your basic networking knowledge to understand new protocols (ISIS isn't concentrated on as heavily in CCIE exams if I remember correctly) and learning a particular company's "isms". Or working with the company's particular hardware. (ouch, good luck finding those guys on ebay for a good price). Should not be too hard for good networking guys (written part), exposure to the hardcore equipment might be hard, but also makes you wonder if the market space is really that big for heavy duty core work.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3707&t=3568
Re: FW: security opinions please [7:3666]
Eric Rivard wrote:
>
> If Cisco recommends and companies like Microsoft and Excite are implementing it, I don't see how it can be a security risk.

It can be, and it is. But, so is just about everything. It is the probability of the risk being exploited that really matters, and in this case I see that as a small one.

Now, let's talk about using Microsoft as a security benchmark... ;-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3706&t=3666
cisco news story [7:3705]
cisco news story:

http://news.bbc.co.uk/hi/english/business/newsid_132/1320189.stm

ian

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3705&t=3705
Re: Frame Relay backup issue...(thanks) [7:3686]
Thanks for the help E. I have a feeling that it might be a backup load issue that I'll have to fix. Can't give you much info because I just found out I'm going to this client tomorrow so I'll be able to digest it all then. I'll definitely be bringing this with me in my head... it's appreciated friend,

thanks,
Mark Z.

----- Original Message -----
From: "EA Louie"
To: "Mark Z."
Sent: Tuesday, May 08, 2001 6:36 PM
Subject: Re: Frame Relay backup issue... [7:3686]

> ahhh, I'll give you a free answer anyway! ;-)
>
> Without making any assumptions except that the Frame Relay interface is configured with a backup-interface statement that's pointed to a dialer, and that all the routing is working okay, and that the dialer has a good dialer-list, then the config would look similar to:
>
>   interface serial0/1
>    encapsulation frame-relay
>    backup interface dialer1
>    no backup load
>    no backup delay
>
>   interface dialer1
>
> then the only thing that would bring the backup into play is the serial going down/down momentarily.
>
> If there IS a backup load statement on serial, then bandwidth percentage over the first parameter of that command would initiate the dialer. Adjust it higher or remove it.
>
> If there's no backup interface command on the serial interface, then a floating static route is probably initiating the DDR. If an IGP is used over the Frame Relay network then a route flap on the default route would also start the dialing sequence.
>
> Let's see... is there a link for you? nope, can't find one that's appropriate.
>
> -e-
>
> ----- Original Message -----
> From: "Mark Z."
> Sent: Tuesday, May 08, 2001 2:39 PM
> Subject: Frame Relay backup issue... [7:3686]
>
> > Hi Guys,
> > Been a while since I've written to the list (guess that's kind of a good thing). Fairly simple question here: Let's say there is a company with a FR network with a hub/spoke topology. When data is sent from a site, a lot of times the backup link kicks up, even though the primary never went down. I remember this type of scenario in my readings but forget what the possibilities are. The simplest answer would be that they are oversubscribing their access on the line and the backup's kicking up. Or the line is just bad... but I doubt that. What are some possible scenarios that would cause this issue. I'm not asking for free answers to this but I would appreciate it if someone could point me in the right direction in terms of reading up on this. Thanks guys... good to be back.
> >
> > Mark Zabludovsky ~ CCNP, CCDA
> > [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3704&t=3686
Re: 3620 with 2 x NM-2FE-2W problem [7:3687]
I would have to find it again but I'm sure that somewhere on CCO it says that a 3620 shouldn't have more than 2 fast interfaces be they fast ethernet or ATM or a combination.

Your router now has 4 fast interfaces.

Kevin Wigle

----- Original Message -----
From: "Gareth Hinton"
Sent: Tuesday, 08 May, 2001 17:39
Subject: 3620 with 2 x NM-2FE-2W problem [7:3687]

> Hi all,
>
> Problem with a 3620:
>
> Takes one NM-2FE-2W fine. When the second one is inserted major problems arise.
>
> NM slot 0: PCI dev 5 init failed
> No fault history 0x. Need 11.1 (2) or higher ROM
>
> The boot rom is "System Bootstrap, Version 11.1(20)AA2"
>
> I've gone through CCO to confirm that the 3620 will take these cards, and although there were a few doubts, eventually found it and they should be OK.
>
> Anybody seen similar or got ideas.
>
> Thanks,
>
> Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3703&t=3687
Re: FW: security opinions please [7:3666]
Echoing these sentiments here, the whole point of vlans is traffic separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it recommends you use VLANs just like this. They even did a study with Microsoft and posted it on Microsoft's website suggesting to use VLANs to distinguish between outside, dmz, and internal networks. I have seen many big companies do it this way. For example, last month Cisco had Excite's network diagram on its site, saying how they used VLANs, they also had an Oracle example. I have set up quite a few co-locations using only a 5500 with 3 VLANs, one for the outside, one for the inside, and one for the DMZ. I don't see how a hacker can break into a different VLAN from the outside. Switches see VLANs as logical switches inside of it. If a hacker wants to get to the internal VLAN from the Outside he would have to go through the firewall. If Cisco recommends and companies like Microsoft and Excite are implementing it, I don't see how it can be a security risk. See this link for a really good document on setting up an e-commerce co-location network, it also has router and pix configs
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
> -----Original Message-----
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> > Let me lay out the basic topology of a network first:
> >
> > A 6500 has several VLANs configured on it. Among these are an external internet vlan, a dmz, and several internal vlans. The internal vlans are routed by an MSFC in the 6500. Routing between the internal, dmz, and external are handled by a firewall external to the 6500.
> >
> > Are there any security issues with having all of these VLANs in the same box? Someone in our organization is concerned that someone can hack the switch just because the connection from the internet is plugged into it. The switch's management address is on one of the internal vlans, and an access list is on the telnet access that restricts access from only the internal vlans.
>
> Oh boy, the big security button. IF you really want to be secure, you are NOT going to be using VLANs at all. You want hard, cold, old fashioned separate layer 2 networks, by HARDWARE. However, realize security is really a layering process and hopefully warding off attackers of a particular experience level by making the task seem like "too much trouble", or "beyond their ability." A true pro can penetrate "VLAN" based security. A novice and probably most intermediates, will not. You decide and weigh out your costs in choosing the far less flexible hard switches on the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do. i.e. If you are guarding the Fort Knox of the computer realm, I'd probably go hardcore. If you are not, you may want to stick with VLANs. Security is always a balance between convenience and security. :( The sad truth is, the ultimate security is, the wire cutters. (and perhaps a Faraday Cage if wireless takes off). :)
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3702&t=3666
encapsulation [7:3701]
Should I use HDLC or PPP encapsulation on a point to point connection between two WAN sites? The connection is used to access data. And also, what are the benefits and disadvantages of using one over the other? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3701&t=3701
Re: Frame Relay backup issue... [7:3686]
ahhh, I'll give you a free answer anyway! ;-)

Without making any assumptions except that the Frame Relay interface is configured with a backup-interface statement that's pointed to a dialer, and that all the routing is working okay, and that the dialer has a good dialer-list, then the config would look similar to:

  interface serial0/1
   encapsulation frame-relay
   backup interface dialer1
   no backup load
   no backup delay

  interface dialer1

then the only thing that would bring the backup into play is the serial going down/down momentarily.

If there IS a backup load statement on serial, then bandwidth percentage over the first parameter of that command would initiate the dialer. Adjust it higher or remove it.

If there's no backup interface command on the serial interface, then a floating static route is probably initiating the DDR. If an IGP is used over the Frame Relay network then a route flap on the default route would also start the dialing sequence.

Let's see... is there a link for you? nope, can't find one that's appropriate.

-e-

----- Original Message -----
From: "Mark Z."
Sent: Tuesday, May 08, 2001 2:39 PM
Subject: Frame Relay backup issue... [7:3686]

> Hi Guys,
> Been a while since I've written to the list (guess that's kind of a good thing). Fairly simple question here: Let's say there is a company with a FR network with a hub/spoke topology. When data is sent from a site, a lot of times the backup link kicks up, even though the primary never went down. I remember this type of scenario in my readings but forget what the possibilities are. The simplest answer would be that they are oversubscribing their access on the line and the backup's kicking up. Or the line is just bad... but I doubt that. What are some possible scenarios that would cause this issue. I'm not asking for free answers to this but I would appreciate it if someone could point me in the right direction in terms of reading up on this. Thanks guys... good to be back.
>
> Mark Zabludovsky ~ CCNP, CCDA
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3700&t=3686
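EA Louie's reply and Mark's follow-up both point at `backup load` as the likely cause of a dialer that comes up while the primary is still up/up. The configuration below is an added example, not from either post: it shows the setting that produces that symptom next to a corrected version, plus the dialer side that keeps a spurious call short. Interface names, addresses, the phone number and the percentages are assumptions; the command semantics (`backup load` thresholds are percentages of the primary's configured `bandwidth`, `backup delay` values are seconds) are standard IOS backup-interface behaviour.

```cisco
! Added example, not from the thread.  Interfaces, addresses, numbers
! and thresholds are assumptions.
!
! --- What produces "backup kicks in but the primary never went down" ---
! backup load <enable%> <disable%> is measured against the interface's
! configured 'bandwidth'.  Serial default is 1544 kbps; with a 256 kbps
! access rate and enable threshold 10%, a modest burst (about 154 kbps
! of 5-minute average) starts the dial while the PVC is perfectly healthy.
interface Serial0/1
 bandwidth 1544
 encapsulation frame-relay
 backup interface Dialer1
 backup load 10 5
!
! --- Corrected ---
! State the real access rate, make the load trigger deliberate, and
! damp link flaps with a delay.  If load-based backup is not wanted at
! all, 'no backup load' (as in EA Louie's example) leaves only line
! failure as the trigger.
interface Serial0/1
 bandwidth 256
 load-interval 30
 encapsulation frame-relay
 backup interface Dialer1
 backup delay 10 60
 backup load 80 20
!
! --- Backup side ---
! Only 'interesting' traffic (dialer-list) places a call, and the call
! drops after 120 s idle, so a transient trigger does not nail the
! ISDN link up for the rest of the day.
interface Dialer1
 ip address 10.255.1.2 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer remote-name hub
 dialer string 5551234
 dialer idle-timeout 120
 dialer-group 1
!
dialer-list 1 protocol ip permit
!
interface BRI0/0
 no ip address
 encapsulation ppp
 isdn switch-type basic-ni
 dialer pool-member 1
```

`show interfaces Serial0/1` shows the txload/rxload fraction that `backup load` compares against, and `show dialer` shows the reason each call was placed, which settles quickly whether it was the load trigger, a floating static route or a route flap that brought the dialer up.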
Re: Just been Hacked!!!!! [7:3452]
Kevin,

Just to add a little to the comments you've already received:

1) After a compromise, you essentially have 2 approaches: One, cut the box off the network and leave it alone. Call local law enforcement and the FBI. This approach is used if you wish to pursue litigation. I should point out that unless you have very detailed network logging showing times, IP addresses, etc. this approach will likely be a dead-end. The second approach is to assume you're not going to pursue the attacker and concentrate on recovery. Assume that everything on the box is suspect. Re-format and start from scratch, install data from a good backup. If you don't have a good backup, you will want to remove all executable programs and replace them with known good ones, and then hope for the best.

2) If you don't have a good IDS system, including proper log monitoring on your end systems, you'll almost surely never know for certain how a box was compromised and more importantly you won't know what was done after the compromise. You can make some educated guesses based on what services you're running and what files _appear_ to have changed. However, there is always a problem that if you have a very clever attacker, what looks like a very simple script exploit could be a red herring and the attacker actually installed their own versions of some obscure executables. If they're clever, the file sizes match, so you would need to compare known good hash values against hash values on all of your executables to be sure. This is obviously a major pain.

In general, I always recommend having an experienced security person perform a complete audit on a network. This is a lot more than just doing some remote scanning, it's taking a comprehensive look at services, procedures, backup strategy, etc. The problem is that these services are usually not cheap (but then again, neither is recovering from a compromise).

If you want a few quick hits:

1) Host security, get a good book on securing your particular host OS.

2) Application security, look at every app you run and find out what exploits are out there for that app. You can find a list at many security sites but http://www.securityfocus.com is a good one.

3) Logging, use whatever logging is available for your OS and send the logs to an external central server. Logs are usually one of the first things modified on a system after a successful compromise and they can tell you a lot IF they are on a trusted machine.

4) File integrity systems such as Tripwire are worth looking into for public facing servers. They will help you determine what files have been changed after a compromise.

5) IDS systems can be very useful, but only if they are properly installed AND monitored. A lot of IDS systems are not properly set up and not properly monitored, giving a false sense of security.

6) Have a plan. Even the most secure perimeters can be compromised, having a contingency plan can be the difference between a quick recovery and not recovering at all.

I recommend "The process of network security" as a good starting book.

HTH,
Kent

On 7 May 2001, at 10:32, Kevin O'Gilvie wrote:

> Apparently over the weekend Poison Box got past my Pix and overwrote some files on the intranet Box and maybe more damage than I know of at this Moment. I need help on finding out how they got in and how to prevent it happening in the future. Please help.
>
> Thanks,
>
> Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3699&t=3452
Re: security opinions please [7:3666]
From a pure security perspective, this design is not as secure as having separate switches for the outside, dmz and inside networks. The reasoning is very simple, yes, you can put lots of software in place to prevent people from telneting to the switch, but in the event of just the right failure/misconfiguration, someone could theoretically re-configure the switch to do bad things. I have had long discussions with people about this issue and the bottom line is that while a compromise in this configuration is highly improbable, it is not impossible. When you have physical separation of switches, it is impossible for a software failure/misconfiguration in the switch to lead to an internal compromise, it is therefore a more secure configuration to use multiple switches.

It is, however, very convenient to use a single switch. As a compromise, I recommend a single external switch and a common internal switch for the dmz's and internal segments. As there are normally very few connections on the outside, this is a reasonable compromise at a very small incremental cost.

HTH,
Kent

On 8 May 2001, at 15:42, [EMAIL PROTECTED] wrote:

> Let me lay out the basic topology of a network first:
>
> A 6500 has several VLANS configured on it. Among these are an
> external internet vlan, a dmz, and several internal vlans. The
> internal vlans are routed by an MSFC in the 6500. Routing between the
> internal, dmz, and external are handled by a firewall external to the
> 6500.
>
> Are there any security issues with having all of these VLANS in the
> same box? Someone in our organization is concerned that someone can
> hack the switch just because the connection from the internet is
> plugged into it. The switch's management address is on one of the
> internal vlans, and an access list is on the telnet access that
> restricts access from only the internal vlans.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3698&t=3666
FW: security opinions please [7:3666]
If you look at all of Cisco's documentation on their website it recommends you use VLANs just like this. They even did a study with Microsoft and posted it on Microsoft's website suggesting to use VLANS to distinguish between outside, dmz, and internal networks. I have seen many big companies do it this way. For example, last month Cisco had Excite's network diagram on its site, saying how they used VLANS, they also had an Oracle example. I have set up quite a bit of co-locations using only a 5500 with 3 VLANs, one for the outside, one for the inside, and one for the DMZ. I don't see how a hacker can break into a different VLAN from the outside. Switches see VLANs as logical switches inside of it. If a hacker wants to get to the internal VLAN from the Outside he would have to go through the firewall. If Cisco recommends and companies like Microsoft and Excite are implementing it, I don't see how it can be a security risk.

See this link for a really good document on setting up an e-commerce co-location network, it also has router and pix configs: http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp

-Original Message-
From: Carroll Kong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 1:44 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]

At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it. Among these are an external
>internet vlan, a dmz, and several internal vlans. The internal vlans are
>routed by an MSFC in the 6500. Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box? Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button. IF you really want to be secure, you are NOT going to be using VLANs at all. You want hard, cold, old fashioned separate layer 2 networks, by HARDWARE. However, realize security is really a layering process and hopefully warding off attackers of a particular experience level by making the task seem like "too much trouble", or "beyond their ability." A true pro can penetrate "VLAN" based security. A novice and probably most intermediates, will not. You decide and weigh out your costs in choosing the far less flexible hard switches on the side method, or using the far more flexible Catalyst VLAN style.

That is the security cost analysis you must do. i.e. If you are guarding the Fort Knox of the computer realm, I'd probably go hardcore. If you are not, you may want to stick with VLANs. Security is always a balance between convenience and security. :( The sad truth is, the ultimate security is, the wire cutters. (and perhaps a Faraday Cage if wireless takes off). :)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3697&t=3666
Re: Juniper Job Market (was: Passed CCIE Written but NOT doing [7:3696]
The key here is Nationwide. 905 jobs nationwide using just the extremely general word "Cisco" ??? That is horrible, and I shall go cry after I finish this response. Juniper only having 46 is not bad for such a new "core" producer. Cisco has been around for over a decade and we got 905 !!! :-( I'm going back to selling Vacuum Cleaners

--- "Bradley J. Wilson" wrote:
> Carroll Kong wrote:
>
> >...but also makes you wonder if the market space is really that
> >big for heavy duty core work.
>
> I just did an impromptu and informal search on geekfinder.com - I put in the
> word "Cisco" and pulled up 905 jobs nationwide, both contract and perm.
> Then I did the same search for "Juniper" and pulled up only 46 jobs. You be
> the judge. ;-)
>
> BJ

=
Chris from Chicago
MasterCNE, 5.x CNE, ICNE, 4.x CNE, CCNA, MCP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3696&t=3696
RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
Priscilla,

It didn't take the "access-group 100 in" command on your router? Did you have "no service stupid mistake" on your router? Just kidding. I was doing it out of memory in a text editor. I've come to like making the config for a router in a text editor and just pasting it in. Come to think of it is there any other protocol besides IP 8)

Brian

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Priscilla Oppenheimer
> Sent: Tuesday, May 08, 2001 2:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
> I tried the HSRP access list from Brian (CCIE) and it works, (of course. ;-)
>
> It was surprisingly easy to hack HSRP! :-[] I captured some HSRP packets
> with EtherPeek and edited one to say the packet was from my PC and that my
> priority was higher than the two legitimate HSRP routers. I then repeatedly
> sent this packet, using the timer that the legitimate HSRP routers were
> using.
>
> The standby HSRP stopped sending HSRP packets (not sure why?) The
> previously active made itself standby. PCs on the LAN that were set to use
> the HSRP gateway address were unable to reach non-local stations. The DOS
> worked, in other words. This is a lab network, by the way.
>
> I used the access list below to make sure the HSRP routers only accepted
> from each other and it solved the problem. I meant to save the
> HyperTerminal session and show you that the deny in the access list was
> getting invoked, but I forgot to save it.
>
> Note one minor bug in configs below:
>
> It should say "ip access-group 100 in" (at least on my routers, the ip was
> required)
>
> Priscilla
>
> At 03:54 AM 5/8/01, Brian Dennis wrote:
> >It's not the best solution but if you're really worried you could create an
> >access-list (see configs below). HSRP uses UDP port 1985 and the destination
> >address is to all routers (224.0.0.2). Perfect solution? No. Better than
> >nothing? Yes.
> >
> >Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
> >5G Networks, Inc.
> >[EMAIL PROTECTED]
> >(925) 260-2724
> >
> >!
> >hostname R1
> >interface Ethernet 0
> > ip address 192.168.1.1 255.255.255.0
> > standby ip 192.168.1.254
> > standby authentication c!sc0b2b
> > access-group 100 in
> >!
> >access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
> >access-list 100 deny udp any eq 1985 any eq 1985
> >access-list 100 permit ip any any
> >
> >
> >!
> >hostname R2
> >!
> >interface Ethernet 0
> > ip address 192.168.1.2 255.255.255.0
> > standby ip 192.168.1.254
> > standby authentication c!sc0b2b
> > access-group 100 in
> >!
> >access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
> >access-list 100 deny udp any eq 1985 any eq 1985
> >access-list 100 permit ip any any
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jacques Atlas
> > > Sent: Monday, May 07, 2001 11:10 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
> > >
> > > On Tue, 8 May 2001, Curtis Call wrote:
> > >
> > > |In other words always use authentication.
> > >
> > > i dont think the authentication in clear text is going to help,
> > > the solution from the vendor is to run HSRP with IPSec.
> > >
> > > --
> > > jacques
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3695&t=3534
RE: security opinions please [7:3666]
On Tue, 8 May 2001, Michael Cohen wrote:

|How does one go upon "penetrating" the internal VLAN on a switch while only
|having access to the external VLAN and not traversing the PIX in the middle?

i would also be interested in finding out the theory behind this.

|I have heard the response from numerous security engineers that anything is
|possible however I guess I'm a novice because I have never seen nor heard of
|this being done in the situation mentioned above.

did they give you proof ?

|I attribute the idea of physically separating these networks (even
|though VLAN based separation is just as effective) as security paranoia.

there are also times when you can not afford to buy a decent switch for every service that you want and a large switch could give the best possible solution.

--
jacques

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3694&t=3666
Re: Passed Switching: 912 [7:3678]
Congratulations in spite of YOUR penchant to get distracted by the list ;-) 912 is mighty respectable I might add, mate. Good job!

-e-

- Original Message -
From: "Gareth Hinton"
To:
Sent: Tuesday, May 08, 2001 2:00 PM
Subject: Passed Switching: 912 [7:3678]

> Thanks to all in the Study Group.
>
> Even though you managed to distract me from studying for most of the planned
> time, I managed to pass today :-)
> Seems like the info I've seen from the Group recently stands true: 64
> questions, 75 minutes, 699 to pass.
> I think the Cisco Press Study Guide covered just about everything. Nothing I
> can remember wavered from the book.
>
> Anybody know what subjects are covered by Cisco Fundamentals? It appears I
> may be p**s poor in this area. All the others were OK.
>
> Routing next - My God does this mean I'm going to have to attempt to
> understand Howard's BGP posts. Maybe one day soon it will all become clear.
>
> Cheers,
>
> Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3693&t=3678
RE: security opinions please [7:3666]
How does one go upon "penetrating" the internal VLAN on a switch while only having access to the external VLAN and not traversing the PIX in the middle? I have heard the response from numerous security engineers that anything is possible however I guess I'm a novice because I have never seen nor heard of this being done in the situation mentioned above. I attribute the idea of physically separating these networks (even though VLAN based separation is just as effective) as security paranoia. This isn't necessarily a bad thing, after all that's what security guys are paid for, however I don't see a technical reason why you can't have these VLANs connected to the same box as long as a properly configured firewall logically separates them.

-Michael Cohen
CCIE #6080

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Carroll Kong
Sent: Tuesday, May 08, 2001 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]

At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it. Among these are an external
>internet vlan, a dmz, and several internal vlans. The internal vlans are
>routed by an MSFC in the 6500. Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box? Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button. IF you really want to be secure, you are NOT going to be using VLANs at all. You want hard, cold, old fashioned separate layer 2 networks, by HARDWARE. However, realize security is really a layering process and hopefully warding off attackers of a particular experience level by making the task seem like "too much trouble", or "beyond their ability." A true pro can penetrate "VLAN" based security. A novice and probably most intermediates, will not. You decide and weigh out your costs in choosing the far less flexible hard switches on the side method, or using the far more flexible Catalyst VLAN style.

That is the security cost analysis you must do. i.e. If you are guarding the Fort Knox of the computer realm, I'd probably go hardcore. If you are not, you may want to stick with VLANs. Security is always a balance between convenience and security. :( The sad truth is, the ultimate security is, the wire cutters. (and perhaps a Faraday Cage if wireless takes off). :)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3692&t=3666
RE: ATM AAL5 errors [7:3682]
1) Is this a new install or has it worked in the past? If it worked in the past, you can eliminate a lot of configuration causes.
2) Assuming that it worked in the past, has anyone changed anything in the config or operating system of either end?
3) Consider physical layer issues. Can you take the circuit off line and test end to end for errors? Can your Service Provider help?
4) Can you loop back your own output to verify your box?
5) If you have a spare box can you create a back-to-back lab to test your box? If that works, can you ship the spare box to the other end to substitute for the Cabletron?
6) Bet that there are show and debug outputs that will help.

Let us know what the cause was.

> -Original Message-
> From: Q [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 4:23 PM
> To: [EMAIL PROTECTED]
> Subject: ATM AAL5 errors [7:3682]
>
> I'm getting AAL5 CRC and AAL5 Length errors. They are both tied to one
> another in terms of rate of errors. This is a difficult problem in terms
> that they are both related. One problem is that the other side of the WAN
> is a Cabletron SSR 8600 hunk of crap. Someone give me a clue...TIA!
>
> marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3691&t=3682
Juniper Job Market (was: Passed CCIE Written but NOT doing lab) [7:3690]
Carroll Kong wrote:
>...but also makes you wonder if the market space is really that
>big for heavy duty core work.

I just did an impromptu and informal search on geekfinder.com - I put in the word "Cisco" and pulled up 905 jobs nationwide, both contract and perm. Then I did the same search for "Juniper" and pulled up only 46 jobs. You be the judge. ;-)

BJ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3690&t=3690
PIX 520 : RESET CAUSED LOCKOUT ... [7:3689]
Apparently we were having some network issues and kind of pinpointed it to the PIX. Basically we were able to ping everything on our inside. After doing a Reset on the PIX, (did cold power shut down first ..no improvement) We got network connectivity to our internet router configured for the outside. However we were unable to log in through telnet or from the console .. I got the password reset utility from Cisco.. which I will do tonight..

Has any one experienced being locked out after doing a reboot or reset on their PIX? it looks like all our holes and configs are ok as we tested it from the outside.. We believe there is a possibility of some type of hacking..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3689&t=3689
RE: security opinions please [7:3666]
Yeah, I'd love to know as well. I've searched CCO pretty thoroughly, and can't find anything that really relates to this.

-Original Message-
From: Sam [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:19 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]

Interesting, I'm wondering what Cisco's stand on this subject would be. Anyone know or have other opinions. The same concern has been expressed to me with regards to a similar configuration.

""Carroll Kong"" wrote in message news:[EMAIL PROTECTED]...
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it. Among these are an external
> >internet vlan, a dmz, and several internal vlans. The internal vlans are
> >routed by an MSFC in the 6500. Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box? Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Oh boy, the big security button. IF you really want to be secure, you are
> NOT going to be using VLANs at all. You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE. However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability." A true pro can penetrate "VLAN" based
> security. A novice and probably most intermediates, will not. You decide
> and weigh out your costs in choosing the far less flexible hard switches on
> the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do. i.e. If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore. If you are
> not, you may want to stick with VLANs. Security is always a balance
> between convenience and security. :( The sad truth is, the ultimate
> security is, the wire cutters. (and perhaps a Faraday Cage if wireless
> takes off). :)
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3688&t=3666
3620 with 2 x NM-2FE-2W problem [7:3687]
Hi all,

Problem with a 3620: Takes one NM-2FE-2W fine. When second one is inserted major problems arise.

NM slot 0: PCI dev 5 init failed
No fault history 0x.
Need 11.1 (2) or higher ROM

The boot rom is "System Bootstrap, Version 11.1(20)AA2"

I've gone through CCO to confirm that the 3620 will take these cards, and although there were a few doubts, eventually found it and they should be OK.

Anybody seen similar or got ideas.

Thanks,

Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3687&t=3687
Frame Relay backup issue... [7:3686]
Hi Guys,

Been a while since I've written to the list (guess that's kind of a good thing). Fairly simple question here: Let's say there is a company with a FR network with a hub/spoke topology. When data is sent from a site, a lot of times the backup link kicks up, even though the primary never went down. I remember this type of scenario in my readings but forget what the possibilities are. The simplest answer would be that they are oversubscribing their access on the line and the backup's kicking up. Or the line is just bad...but I doubt that. What are some possible scenarios that would cause this issue. I'm not asking for free answers to this but I would appreciate it if someone could point me in the right direction in terms of reading up on this.

Thanks guys...good to be back.

Mark Zabludovsky ~ CCNP, CCDA
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3686&t=3686
tcp intercept [7:3685]
What's the best way to enable this as I've seen a bunch of different variations... I want this on my external router...

Thanks,
Jeff

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3685&t=3685
RE: Just been Hacked!!!!! [7:3452]
> > >Step #1 to securing NT: disable IIS ;-p
> >
> > Step #1 to securing your network - Remove all MS products.
>
>Step #1 to securing your network: remove all users.

Step #1 to securing your network: realizing no network is ever truly "Secure"

Step #2: never accepting any one OS as better or more secure and realizing security is only as good as your policy, planning, attention to detail, and user training.

--
"Someone approached me and asked me to teach a javascript course. I was about to decline, saying that my complete ignorance of the subject made me unsuitable, then I thought again, that maybe it doesn't, as driving people away from it is a desirable outcome." --Me

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3684&t=3452
WAN Job in the Metro Detroit area [7:3683]
I am looking for a WAN job in the Detroit area, I can send you my resume and cover letter upon request.

Thanks
Brian

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3683&t=3683
ATM AAL5 errors [7:3682]
I'm getting AAL5 CRC and AAL5 Length errors. They are both tied to one another in terms of rate of errors. This is a difficult problem in terms that they are both related. One problem is that the other side of the WAN is a Cabletron SSR 8600 hunk of crap. Someone give me a clue...TIA!

marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3682&t=3682
Re: security opinions please [7:3666]
Interesting, I'm wondering what Cisco's stand on this subject would be. Anyone know or have other opinions. The same concern has been expressed to me with regards to a similar configuration.

""Carroll Kong"" wrote in message news:[EMAIL PROTECTED]...
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it. Among these are an external
> >internet vlan, a dmz, and several internal vlans. The internal vlans are
> >routed by an MSFC in the 6500. Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box? Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Oh boy, the big security button. IF you really want to be secure, you are
> NOT going to be using VLANs at all. You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE. However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability." A true pro can penetrate "VLAN" based
> security. A novice and probably most intermediates, will not. You decide
> and weigh out your costs in choosing the far less flexible hard switches on
> the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do. i.e. If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore. If you are
> not, you may want to stick with VLANs. Security is always a balance
> between convenience and security. :( The sad truth is, the ultimate
> security is, the wire cutters. (and perhaps a Faraday Cage if wireless
> takes off). :)
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3681&t=3666
RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
I tried the HSRP access list from Brian (CCIE) and it works, (of course. ;-)

It was surprisingly easy to hack HSRP! :-[] I captured some HSRP packets with EtherPeek and edited one to say the packet was from my PC and that my priority was higher than the two legitimate HSRP routers. I then repeatedly sent this packet, using the timer that the legitimate HSRP routers were using.

The standby HSRP stopped sending HSRP packets (not sure why?) The previously active made itself standby. PCs on the LAN that were set to use the HSRP gateway address were unable to reach non-local stations. The DOS worked, in other words. This is a lab network, by the way.

I used the access list below to make sure the HSRP routers only accepted from each other and it solved the problem. I meant to save the HyperTerminal session and show you that the deny in the access list was getting invoked, but I forgot to save it.

Note one minor bug in configs below:

It should say "ip access-group 100 in" (at least on my routers, the ip was required)

Priscilla

At 03:54 AM 5/8/01, Brian Dennis wrote:
>It's not the best solution but if you're really worried you could create an
>access-list (see configs below). HSRP uses UDP port 1985 and the destination
>address is to all routers (224.0.0.2). Perfect solution? No. Better than
>nothing? Yes.
>
>Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
>5G Networks, Inc.
>[EMAIL PROTECTED]
>(925) 260-2724
>
>!
>hostname R1
>interface Ethernet 0
> ip address 192.168.1.1 255.255.255.0
> standby ip 192.168.1.254
> standby authentication c!sc0b2b
> access-group 100 in
>!
>access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
>access-list 100 deny udp any eq 1985 any eq 1985
>access-list 100 permit ip any any
>
>
>!
>hostname R2
>!
>interface Ethernet 0
> ip address 192.168.1.2 255.255.255.0
> standby ip 192.168.1.254
> standby authentication c!sc0b2b
> access-group 100 in
>!
>access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
>access-list 100 deny udp any eq 1985 any eq 1985
>access-list 100 permit ip any any
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jacques Atlas
> > Sent: Monday, May 07, 2001 11:10 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
> >
> > On Tue, 8 May 2001, Curtis Call wrote:
> >
> > |In other words always use authentication.
> >
> > i dont think the authentication in clear text is going to help,
> > the solution from the vendor is to run HSRP with IPSec.
> >
> > --
> > jacques

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3680&t=3534
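To see exactly what Brian's access list does on R1 (and why he calls it "better than nothing" rather than a full fix), here is an added Python model that parses the three access-list 100 lines verbatim and evaluates constructed sample packets against them, first match wins with the implicit deny at the end. This is not code from Brian, Priscilla or Cisco; the 192.168.1.50 host, the 10.0.0.1 web server and the packet shapes are constructed for the demo, and only the "any" and "host" address forms are modelled.

```python
"""Models IOS access-list 100 from R1's config as posted on the list
(added example, not from the thread).  Parses the lines as written and
evaluates constructed packets: first matching entry wins, and anything
that matches nothing hits the implicit deny at the end of every IOS ACL."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HSRP_PORT = 1985              # HSRP hellos are UDP 1985 -> UDP 1985
HSRP_ALL_ROUTERS = "224.0.0.2"  # all-routers multicast destination


@dataclass
class Packet:
    proto: str        # "udp", "tcp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "udp", "tcp", or "ip" (matches any IP protocol)
    src: Optional[str]        # None means "any"
    sport: Optional[int]      # None means no "eq" qualifier
    dst: Optional[str]
    dport: Optional[int]


def _addr(tokens: List[str], i: int):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (address_or_None, next_index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("only 'any' and 'host' address forms are modelled: " + tokens[i])


def _port(tokens: List[str], i: int):
    """Parse an optional 'eq N' qualifier at tokens[i]; return (port_or_None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue                      # blank line or comment
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(action, proto, src, sport, dst, dport))
    return rules


def matches(rule: Rule, p: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != p.proto:
        return False
    if rule.src is not None and rule.src != p.src:
        return False
    if rule.dst is not None and rule.dst != p.dst:
        return False
    if rule.sport is not None and rule.sport != p.sport:
        return False
    if rule.dport is not None and rule.dport != p.dport:
        return False
    return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return 'permit' or 'deny' for p under rules (first match wins)."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"  # implicit deny at the end of every IOS access list


# R1's list exactly as posted; R1's HSRP peer is R2 at 192.168.1.2.
R1_ACL = """
access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
access-list 100 deny udp any eq 1985 any eq 1985
access-list 100 permit ip any any
"""


def demo() -> Dict[str, str]:
    rules = parse_acl(R1_ACL)
    hello_from_peer = Packet("udp", "192.168.1.2", HSRP_ALL_ROUTERS, HSRP_PORT, HSRP_PORT)
    hello_from_pc = Packet("udp", "192.168.1.50", HSRP_ALL_ROUTERS, HSRP_PORT, HSRP_PORT)
    web = Packet("tcp", "192.168.1.50", "10.0.0.1", 40000, 80)
    # The filter keys only on addresses and ports: a hello carrying the peer's
    # own source address presents the same 5-tuple as a genuine one, which is
    # the gap Brian's "perfect solution? No" and Jacques' IPsec remark refer to.
    same_tuple_as_peer = Packet("udp", "192.168.1.2", HSRP_ALL_ROUTERS, HSRP_PORT, HSRP_PORT)
    return {
        "peer": evaluate(rules, hello_from_peer),
        "pc": evaluate(rules, hello_from_pc),
        "web": evaluate(rules, web),
        "same_tuple_as_peer": evaluate(rules, same_tuple_as_peer),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Note that as written the list must be applied with "ip access-group 100 in", as Priscilla points out; the model only covers what the entries match, not how they are bound to the interface.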
Re: 2610 w/ an additional 1e 2w module [7:3402]
o.k. so basically to get this puppy to work in the 2600 series I need to get a 1FE2W encasing module to hold the wic 2t's ?? I'm going to try to use this box as a frame switch so I'm trying to get as many serial interfaces on it as possible... Thanks for your help guys!!

Randy

On Mon, 7 May 2001 13:53:25 +1000 "Jason Baker" writes:
> also another tip. The WIC 2-T modules do not work in plain ethernet based
> modules (such as 1e2w).
> You need to get a 1FE2W at least to put the WIC 2t-s in.
>
> However the wic 2-t's will work in the fixed serial slots in the 2600's.
>
> Regards,
>
> Jason Baker
> ---
> Network Engineer
>
> - Original Message -
> From:
> To:
> Sent: Monday, May 07, 2001 1:17 PM
> Subject: 2610 w/ an additional 1e 2w module [7:3402]
>
> > Hi all !!
> >
> > I have just finished installing a new 1 e 2 w module in my 2610 router &
> > It's not being recognized, unit already had an existing Wic 2t plus the
> > built in ethernet port. I added the 2t 1e which is actually 2 wic 1 t cards
> > with an ethernet port on the main module and it's not being recognized.
> > When I remove the existing wic 2 t cards only the main ethernet shows up on
> > the show version..I do see the Act led on the module solid green but
> > nothing on the sho ver..
> >
> > Am I missing something ... do I have to activate this new module somehow ??
> >
> > Clueless @ this point...
> >
> > TIA for any info you might provide.
> >
> > Randy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3679&t=3402
Passed Switching: 912 [7:3678]
Thanks to all in the Study Group. Even though you managed to distract me from studying for most of the planned time, I managed to pass today :-)

Seems like the info I've seen from the Group recently stands true: 64 questions, 75 minutes, 699 to pass. I think the Cisco Press Study Guide covered just about everything. Nothing I can remember wavered from the book.

Anybody know what subjects are covered by Cisco Fundamentals? It appears I may be p**s poor in this area. All the others were OK.

Routing next - My God does this mean I'm going to have to attempt to understand Howard's BGP posts. Maybe one day soon it will all become clear.

Cheers,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3678&t=3678
Re: security opinions please [7:3666]
At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it. Among these are an external
>internet vlan, a dmz, and several internal vlans. The internal vlans are
>routed by an MSFC in the 6500. Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box? Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button. If you really want to be secure, you are NOT going to be using VLANs at all. You want hard, cold, old fashioned separate layer 2 networks, by HARDWARE.

However, realize security is really a layering process and hopefully warding off attackers of a particular experience level by making the task seem like "too much trouble", or "beyond their ability." A true pro can penetrate "VLAN" based security. A novice, and probably most intermediates, will not.

You decide and weigh out your costs in choosing the far less flexible hard switches on the side method, or using the far more flexible Catalyst VLAN style. That is the security cost analysis you must do. i.e. If you are guarding the Fort Knox of the computer realm, I'd probably go hardcore. If you are not, you may want to stick with VLANs. Security is always a balance between convenience and security. :(

The sad truth is, the ultimate security is, the wire cutters. (and perhaps a Faraday Cage if wireless takes off). :)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3677&t=3666
Re: Passed CCIE Written but NOT doing lab [7:3568]
At 01:27 PM 5/8/01 -0400, Chris Haller wrote:
>The school I am currently attending for CCIE
>written/lab is pumping out "paper" CCIE's faster than
>I can say .. "help, the written ccie is almost as
>worthless as the mcse"
>
>Juniper ?? I hear their test is twice as hard as
>CCIE. Maybe you should attempt that one

But by definition, there is no paper CCIE. You have no CCIE certification if you only pass the qualifier (written exam). I do not know if you can even consider it "half way" there. It is just a prelude of things to come and to weed out people. I have not taken the written personally, so not sure if it is "bookwormable". I am assuming it is since anything written / multiple choice ends up being that way in the end.

The Juniper written lab or the juniper practical lab is "twice" as hard? If it is more emphasis on ISIS or Juniper-isms, it is a matter of spending some time to apply your basic networking knowledge to understand new protocols (ISIS isn't concentrated on as heavily in CCIE exams if I remember correctly) and learning a particular company's "isms". Or working with the company's particular hardware. (ouch, good luck finding those guys on ebay for a good price). Should not be too hard for good networking guys (written part), exposure to the hardcore equipment might be hard, but also makes you wonder if the market space is really that big for heavy duty core work.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3676&t=3568
RE: Switches/cables [7:3673]
It is sort of like the ratings on tires. You should buy something like a Z rated tire for high speeds on an automobile. You can buy a cheaper tire, but it probably won't hold up at 150mph. It will work fine for cruising around, but watch out when you try to push it to the limit. Those connectors will work but errors and other issues can effectively reduce your net speed.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 2:08 PM
To: [EMAIL PROTECTED]
Subject: Switches/cables [7:3673]

I looked at my G4 mac and the Apple System Profiler says 100Mbps/full duplex. The 3548 XL switch says 100Mbps/full duplex. How could that be possible when the patch panel connectors are 10Mbps and the connector on the wall is 10Mbps. The cable is Cat 5. I thought everything was supposed to be 100Mbps for the switch and the computer to register it as 100Mbps/full?? So, what gives? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3675&t=3673
Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
hi

On Tue, 8 May 2001, Priscilla Oppenheimer wrote:

|I'm surprised it's not in more products???

being surprised is something that i am getting used to ;-)

--
jacques

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3674&t=3534
Switches/cables [7:3673]
I looked at my G4 mac and the Apple System Profiler says 100Mbps/full duplex. The 3548 XL switch says 100Mbps/full duplex. How could that be possible when the patch panel connectors are 10Mbps and the connector on the wall is 10Mbps. The cable is Cat 5. I thought everything was supposed to be 100Mbps for the switch and the computer to register it as 100Mbps/full?? So, what gives? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3673&t=3673
Re: EIGRP [7:3663]
Load balance or deterministic routing is accomplished by adjusting the metrics or careful placement of static routes (the latter is a bad way to go). Not sure I understand the question of redistributing from router to router. Is this EIGRP to EIGRP ??? I have passed summarized routes from the Core EIGRP AS to Distribution (smaller route tables that way & a floating default gateway). Is this what you are referring to? I know the CCO has a lot of stuff on EIGRP. This is the Cisco pride & joy :o) Pepelnjak's Cisco Press book is a great asset for EIGRP networks (ISBN 1947270165)

Phil

- Original Message -
From: Douglas Staz
To:
Sent: Tuesday, May 08, 2001 3:10 PM
Subject: EIGRP [7:3663]

> How do you verify and enable equal load balancing on EIGRP, specifically
> with Static routes? Also, How do you redistribute static routes from router
> to router?
> Thanks in advance.
>
> Doug

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3672&t=3663
Re: Wireless for backup T1 link??? [7:3651]
Thought about buying dsl internet access at each office then building a secure tunnel between the two?

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Tue, 8 May 2001, Circusnuts wrote:

> Maybe between two buildings, but I would not think between two coastal
> cities. If I recall, the wireless solution I saw when working with the
> government cost out around $250,000 per month for 50 Meg link. Apples to
> oranges I know, but even if it were to cost a 10th or 20th... the sum would
> be outrageous for T1 or Frame.
>
> Phil
> - Original Message -
> From: Kim Seng
> To:
> Sent: Tuesday, May 08, 2001 2:06 PM
> Subject: Wireless for backup T1 link??? [7:3651]
>
> > Have anyone experience with Wireless technology for
> > backup link solution? I have 2 cities: NY city and LA
> > connected via T1 point to point and looking for a
> > backup solution that does not cost too much. Is
> > wireless is a good solution for this backup?
> >
> > Thanks!
> >
> > Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3669&t=3651
Re: back-to-back t1 with wic-1dsu-t1? [7:3633]
here is the show int:

Router#sh int s0/0
Serial0/0 is down, line protocol is down
  Hardware is PQUICC with Fractional T1 CSU/DSU
  MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:21:48
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/0/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 43 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=up  DTR=up  RTS=up  CTS=down

Neil

"Neil Schneider" wrote in message news:[EMAIL PROTECTED]...
> Pinouts are 1-4 and 2-5 crossed. leds show alarm on both cards. They are
> definitely not shutdown. Show int results will have to wait. I just tried
> to update the ios on one router and now it is not booting correctly. No
> interfaces are being seen. (makes it hard to do a tftp download)
>
> Neil Schneider
>
> - Original Message -
> From: "Jim Brown"
> To: "'Neil Schneider'" ;
> Sent: Tuesday, May 08, 2001 12:42 PM
> Subject: RE: back-to-back t1 with wic-1dsu-t1? [7:3633]
>
> > I believe clock source internal on one of the cards is all you need to
> > bring them up. Please post the 'show interface' results from both routers
> > and the related configs.
> >
> > What pinouts did you use for the cross-over cable?
> >
> > What LEDs are illuminated on the cards with the cable plugged in?
> >
> > Are you sure the interfaces are not in a shutdown state?
> >
> > -Original Message-
> > From: Neil Schneider [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 08, 2001 10:47 AM
> > To: [EMAIL PROTECTED]
> > Subject: back-to-back t1 with wic-1dsu-t1? [7:3633]
> >
> > I am trying to set up 2 t1 wics back to back to simulate a t1 wan
> > connection. I have a T1 crossover cable, clock source is internal on one
> > card, but I get nothing, down and down. Is anyone doing this and willing
> > to share a configuration? Or give me a hint as to what may be wrong
> >
> > Thanks
> >
> > Neil Schneider
> > CCNP CCSI (setting up a CCIE lab)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3670&t=3633
Re: How many routers in a typical IP/IPX network. [7:3664]
255 hops, but convergence & route table size are the issues that promote multiple AS's with route summarization. The Dual Algorithm can be a real pain when you have Stuck In Actives traversing a large network. If this is a real project, get Pepelnjak's Cisco Press EIGRP Network Design Solutions (ISBN 1947270165).

Phil

- Original Message -
From: mindiani mindiani
To:
Sent: Tuesday, May 08, 2001 3:11 PM
Subject: How many routers in a typical IP/IPX network. [7:3664]

> I would like to know how many routers a typical large IP/IPX network can
> have using EIGRP protocol with one autonomous system.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3671&t=3664
Re: How many routers in a typical IP/IPX network. [7:3664]
I worked on a network with 200+ routers in one AS - wasn't a problem after the EIGRP flapping problems in 10.3 went away ;-) That architecture was redundant backbone routers in the campuses, multiple paths (partial mesh) between major sites, and hub-and-spoke from major sites to remotes. Once EIGRP settles (from an addition or deletion), it behaves pretty well. I'd be willing to venture that others on the list have worked with even larger networks in a single AS.

There is no real 'typical' IP/IPX network. The classification of networks that I've seen is Enterprise (large multiple remote site and multicampus), medium business (single-campus, multiple remote sites), and small (single site or a few remotes and Internet access). And there are some incredibly large Enterprise networks out there.

-e-

- Original Message -
From: "mindiani mindiani"
To:
Sent: Tuesday, May 08, 2001 12:11 PM
Subject: How many routers in a typical IP/IPX network. [7:3664]

> I would like to know how many routers a typical large IP/IPX network can
> have using EIGRP protocol with one autonomous system.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3668&t=3664
Re: Wireless for backup T1 link??? [7:3651]
Maybe between two buildings, but I would not think between two coastal cities. If I recall, the wireless solution I saw when working with the government cost out around $250,000 per month for 50 Meg link. Apples to oranges I know, but even if it were to cost a 10th or 20th... the sum would be outrageous for T1 or Frame.

Phil

- Original Message -
From: Kim Seng
To:
Sent: Tuesday, May 08, 2001 2:06 PM
Subject: Wireless for backup T1 link??? [7:3651]

> Have anyone experience with Wireless technology for
> backup link solution? I have 2 cities: NY city and LA
> connected via T1 point to point and looking for a
> backup solution that does not cost too much. Is
> wireless is a good solution for this backup?
>
> Thanks!
>
> Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3667&t=3651
security opinions please [7:3666]
Let me lay out the basic topology of a network first:

A 6500 has several VLANS configured on it. Among these are an external internet vlan, a dmz, and several internal vlans. The internal vlans are routed by an MSFC in the 6500. Routing between the internal, dmz, and external are handled by a firewall external to the 6500.

Are there any security issues with having all of these VLANS in the same box? Someone in our organization is concerned that someone can hack the switch just because the connection from the internet is plugged into it. The switch's management address is on one of the internal vlans, and an access list is on the telnet access that restricts access from only the internal vlans.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3666&t=3666
catalyst 6509 cookbook config [7:3665]
Looking for a really concise configuration guide for the 6509 catalyst switch. Been through the CCO and did not see anything too stellar. Any pointers would be appreciated. Thanks in advance- Joseph Please reply to this address: [EMAIL PROTECTED] Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3665&t=3665
EIGRP [7:3663]
How do you verify and enable equal load balancing on EIGRP, specifically with Static routes? Also, How do you redistribute static routes from router to router? Thanks in advance.

Doug

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3663&t=3663
How many routers in a typical IP/IPX network. [7:3664]
I would like to know how many routers a typical large IP/IPX network can have using EIGRP protocol with one autonomous system.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3664&t=3664