Re: Wireless for backup T1 link??? [7:3651]

2001-05-08 Thread suaveguru

Use VSAT networks (satellite networks); contact me if
you need this service.


regards,

suaveguru
--- Kim Seng  wrote:
> Has anyone experience with wireless technology for
> a backup link solution?  I have 2 cities: NY city and
> LA connected via T1 point to point and I am looking for a
> backup solution that does not cost too much. Is
> wireless a good solution for this backup?
> 
> Thanks!
> 
> Kim.
> 
> __
> Do You Yahoo!?
> Yahoo! Auctions - buy the things you want at great
> prices
> http://auctions.yahoo.com/
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to
[EMAIL PROTECTED]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3763&t=3651
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: password recovery problem with AAA [7:3735]

2001-05-08 Thread Michael E Taiwo

Try out this page on the Cisco site:
http://www.cisco.com/warp/public/474/pswdrec_1700.shtml

Michael.
- Original Message -
From: "Sim, CT (Chee Tong)" 
To: 
Sent: Wednesday, May 09, 2001 5:24 AM
Subject: password recovery problem with AAA [7:3735]


> I am doing a password recovery on a 1700 router; I managed to see its
> previous configuration.  But I want to do a conf term to change the
> settings. I found it was controlled by a TACACS+ AAA server.   How do I
> disable the AAA setting so I can make the change?  See below
>
>
> rommom 1>confreg 0X2142
> rommom 2>reset
> Router>enable
>
> Router#conf mem
>
> Building configuration...
>
> 00:00:57: %IP_SNMP-3-SOCKET: can't open UDP socket
> KUL01#
> KUL01#
> *Mar  1 00:01:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.2, changed state to down
> *Mar  1 00:01:08: %SYS-5-CONFIG_I: Configured from memory by console
> KUL01#conf term
> Command authorization failed.
>
> KUL01#
> *Mar  1 00:01:28: %-3-INVSTATE:  AUTHOR/CMD: Internal state is invalid: astruct 0x8093FF00 ustruct 0x0
> -Traceback= 8006C154 8006C01C 800A41D0 800A5098 800B0CB8 80114BE0
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3762&t=3735



Re: Pix 5xx [7:3716]

2001-05-08 Thread Robert Nelson-Cox

>
>I don't know of a book that focuses just on PIX, but I think the "Managing
>Cisco Network Security" by Michael Wenstrom ISBN 1578701031 is good.

I agree, it's current bedtime reading, and sitting on my desk at the moment.

Rob./





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3761&t=3716



Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Brian

Confirming what I had heard, that Canada has a much better grasp of last
mile solutions.

Brian

- Original Message -
From: "Kevin Wigle" 
To: 
Sent: Tuesday, May 08, 2001 11:46 PM
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]



Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Kevin Wigle

Not wishful thinking at all.

Ethernet emulation, also known as transparent LAN services, is offered in
some form or different name by both AT&T and Bell up here in the Great White
North and I'm sure in other places.  Yes it can be provided to the end user
via fiber but it can also be provided over copper depending on how close
they are to the POP (in the building).

In a nutshell, an Upstream Service Provider provides access from a "smart
building", a building which has a POP and is connected to that provider's
Metropolitan Area Network.  From there a client can be mapped, usually
through ATM, through their provider's network to the World Internet.

This has the advantage of getting higher speeds without a user requiring ATM
capable equipment or the expense of multiple T1s or Fractional T3.
(available up to fast ethernet speeds)

We are beginning to see more and more of these circuits and clients are
starting to order up 2 of these circuits, one from each upstream provider
for redundancy.

We are also beginning to look at using this service with RFC 1483 bridging
and getting the providers to connect the client site using ethernet and then
map the ATM PVC to our own LS-1010 on a current OC-3 (soon to be upped to
OC-12).

This way, we can re-map the client to another core/border router to get
around failures and load balance without having to wait for the upstream
provider to react.

In any event, perhaps our use of HSRP is specialized (meaning unique) to us
as we sort of act like an ISP ourselves and we provide little security to
the larger "intranet" as each customer provides their own firewall.
Therefore the "inside" net is segregated mostly through routing, providing
visibility to routes that we allow to be seen to the Internet and routes
that are seen only on the inside.  And this "network" is not a few
buildings, it is national in scope - sort of like a huge DMZ.

Because of this, clients' access can be seen by other clients and by the
world at least up to their firewall.  Since the firewall is behind the
access routers and those routers could be Ethernet to connect (using HSRP
for failover) then this exploit has potential for us and we are moving to
put those access lists in place.

This may not be all that easy to follow but I can't get into more specifics
for the obvious security reasons.

This whole issue is resulting I think as I said that the LAN and WAN are
fading together.  What with GigE being proposed to replace ATM access,
ethernet technologies may soon replace the traditional T1s etc, within
metropolitan areas anyways.

This also presents interesting limits on HSRP because if you have a router
with three ethernet interfaces, 2 out and 1 in, because we're talking
ethernet - it is no longer point-to-point with keepalives going end to end.
If a circuit becomes unavailable HSRP might not see it unless the actual
interface goes down.  Therefore the circuit could be down farther up beyond
the local connection (hub/switch, etc.) but as long as HSRP sees an interface
in the up/up condition it doesn't care about the actual end point.  This
throws a wrench in conventional HSRP thinking and we have to use floating
statics and let routing protocols provide protection for upstream failures.

Anyway, starting to get off topic.  Again, for us we have issues and I'm
glad it was posted to the list.


Kevin Wigle


- Original Message -
From: "Priscilla Oppenheimer" 
To: 
Sent: Tuesday, 08 May, 2001 14:54
Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]


> What is Ethernet emulation? It's definitely true that Ethernet is being
> used across long distances, if that's what you mean. With single mode
> fiber-optic cabling, Ethernet can span miles. Physical access is a
> different story in this case, of course. The cables may actually be in
> public places. They would be overhead on poles or underground, I guess,
> though, wouldn't they?
>
> I think it would still be very difficult to wreak havoc. Physical access
> would be difficult, and even if you had it, network-layer hacking would be
> hard to achieve. Wishful thinking? :-]
>
> Thanks
>
> Priscilla
>
> At 02:27 PM 5/9/01, Kevin Wigle wrote:
> >However, Ethernet emulation is becoming quite popular and very price
> >competitive.
> >
> >I have clients who have HSRP running on what would normally be called "WAN"
> >ports but they are ethernet.  The HSRP virtual address is visible to the
> >world and therefore it is vulnerable.
> >
> >I agree that traditionally HSRP has been used on the inside interfaces so
> >therefore your vulnerability is from the inside where you should have
> >personnel/physical security in place.
> >
> >IPSec is cool but involves more cost to deploy an IPSec capable IOS/router
> >if you're not already using IPSec.  Perhaps this is just another reason to
> >do so.
> >
> >Someone also commented on the overhead of IPSec encrypting/decrypting HSRP
> >hellos every 3 seconds.  Perhaps adjusting the HSRP timers would allevia
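Since the thread's worry is HSRP hellos on a segment an outsider can reach, here is an added example (not code from the list, from Kevin, or from Cisco) that complements the access-list mitigation he mentions on the detection side: a decoder for HSRPv1 packets (RFC 2281 layout, UDP/1985 to 224.0.0.2) that audits captured hellos against the routers that are supposed to speak HSRP on the segment. The router addresses, priorities and authentication strings in the sample are constructed.

```python
"""Decode HSRPv1 packets and flag hellos that should not be on a segment.

Added example for this thread, not code from the list or from Cisco.
HSRPv1 body (RFC 2281), carried in UDP/1985 to 224.0.0.2, 20 bytes:
version(1) opcode(1) state(1) hellotime(1) holdtime(1) priority(1)
group(1) reserved(1) authentication(8) virtual_ip(4).
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

HSRP_FMT = "!BBBBBBBB8s4s"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco".ljust(8, b"\x00")  # well-known default authentication string


@dataclass
class HsrpPacket:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: IPv4Address


def parse_hsrp(payload: bytes) -> HsrpPacket:
    """Decode the fixed 20-byte HSRPv1 body; raise ValueError on malformed input."""
    if len(payload) < struct.calcsize(HSRP_FMT):
        raise ValueError("HSRP payload too short")
    version, op, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(
        HSRP_FMT, payload[:20])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    return HsrpPacket(OPCODES.get(op, f"op{op}"), STATES.get(state, f"state{state}"),
                      hello, hold, prio, group, auth, IPv4Address(vip))


def encode_hsrp(op, state, prio, group, auth, vip, hello=3, hold=10) -> bytes:
    """Encode a body; used here only to construct the offline sample below."""
    return struct.pack(HSRP_FMT, 0, op, state, hello, hold, prio, group, 0,
                       auth.ljust(8, b"\x00")[:8], IPv4Address(vip).packed)


def audit_hsrp(src_ip: str, payload: bytes, known_routers: dict) -> list:
    """Return findings for one HSRP packet seen on the wire.

    known_routers maps the legitimate routers' interface IPs to the priority
    each is configured with for this group; any other sender is foreign.
    """
    pkt = parse_hsrp(payload)
    findings = []
    if src_ip not in known_routers:
        findings.append(f"{pkt.opcode} for group {pkt.group} from unknown source {src_ip}")
    if pkt.auth == DEFAULT_AUTH:
        findings.append("default authentication string in use")
    if known_routers and pkt.priority > max(known_routers.values()):
        findings.append(f"priority {pkt.priority} exceeds every configured router")
    return findings


# Constructed sample for a segment where 192.0.2.1 (priority 110) and
# 192.0.2.2 (priority 100) serve group 1 with virtual IP 192.0.2.254.
KNOWN_ROUTERS = {"192.0.2.1": 110, "192.0.2.2": 100}
VIP = "192.0.2.254"
SAMPLES = [
    ("192.0.2.1", encode_hsrp(0, 16, 110, 1, b"s3cret", VIP)),  # legitimate Active hello
    ("192.0.2.2", encode_hsrp(0, 8, 100, 1, b"s3cret", VIP)),   # legitimate Standby hello
    ("192.0.2.77", encode_hsrp(0, 16, 255, 1, b"cisco", VIP)),  # foreign host claiming Active
]


def audit_segment(samples, known_routers=KNOWN_ROUTERS) -> dict:
    """Map every source that produced findings to its list of findings."""
    report = {}
    for src, body in samples:
        findings = audit_hsrp(src, body, known_routers)
        if findings:
            report[src] = findings
    return report


if __name__ == "__main__":
    for src, findings in audit_segment(SAMPLES).items():
        print(src, "->", "; ".join(findings))
```

On a live capture the same check should key on source MAC as well as IP, and the legitimate set is simply the interfaces that carry the standby configuration.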

RE: security opinions please [7:3666]

2001-05-08 Thread Robert Nelson-Cox

>
>How does one go about "penetrating" the internal VLAN on a switch while only
>having access to the external VLAN and not traversing the PIX in the middle?
>I have heard the response from numerous security engineers that anything is
>possible however I guess I'm a novice because I have never seen nor heard of
>this being done in the situation mentioned above.  I attribute the idea of
>physically separating these networks (even though VLAN based separation is
>just as effective) as security paranoia.  This isn't necessarily a bad
>thing, after all that's what security guys are paid for, however I don't see
>a technical reason why you can't have these VLANs connected to the same box
>as long as a properly configured firewall logically separates them.

Launching a DoS on these devices is pretty easy; anything which transports
data for management can be 'hacked'.

Rob./





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3759&t=3666



Re: Protocol Type 0x886F [7:3737]

2001-05-08 Thread David Chandler

After looking over Microsoft's load balancing white paper, it appears that
Microsoft is using a multicast MAC address for these heartbeats.  The
switch is going to flood them across the VLAN every time it gets one.
Ask whoever maintains the Win 2000 servers why they have that enabled.
They may not be aware what it is for.  I'd keep my fingers crossed for
this solution.

If it is enabled for a reason AND the heartbeats are actually a
problem, you'll need to put the server cluster on a separate VLAN.
**There is a note about Cisco routers (in the white paper) not liking
the multicast MAC with the unicast IP address.  It requires a static ARP
entry in the router.

10% to 15%: is that during a low-traffic period?  Is this causing slow
response or some other problem?

Keep us updated.

DaveC


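As an added example (not code from the list or from Microsoft): a small triage script over a constructed capture that counts EtherType 0x886F frames, checks whether they are addressed to a multicast MAC (the I/G bit in the first octet, which is why the switch floods them to the whole VLAN) and reports their share of all frames, the 10-15% figure under discussion. The 03:bf: prefix is the multicast-mode NLB MAC form; the cluster address, host MACs and frame mix are constructed.

```python
"""Measure the share of NLB heartbeat frames (EtherType 0x886F) in a capture.

Added example for this thread, not code from the list or from Microsoft.
Parses the 14-byte Ethernet II header, picks out EtherType 0x886F and
reports whether those frames are addressed to a multicast MAC, which is
why a switch floods them to every port in the VLAN.
"""
import struct
from collections import Counter

ETHERTYPE_NLB = 0x886F   # Windows NT/2000 Load Balancing Service heartbeat
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])


def is_multicast(mac: bytes) -> bool:
    """The I/G bit (least significant bit of the first octet) marks group addresses."""
    return bool(mac[0] & 0x01)


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def summarize(frames) -> dict:
    """Count frames per EtherType and characterise the 0x886F traffic."""
    by_type = Counter()
    nlb_dsts = Counter()
    for frame in frames:
        dst, _src, etype = parse_ethernet(frame)
        by_type[etype] += 1
        if etype == ETHERTYPE_NLB:
            nlb_dsts[dst] += 1
    total = sum(by_type.values())
    nlb = by_type[ETHERTYPE_NLB]
    return {
        "total": total,
        "nlb_frames": nlb,
        "nlb_share_pct": round(100.0 * nlb / total, 1) if total else 0.0,
        # Flooded by the switch if every heartbeat goes to a group address
        "nlb_flooded": nlb > 0 and all(is_multicast(m) for m in nlb_dsts),
        "nlb_destinations": {mac_str(m): n for m, n in nlb_dsts.items()},
    }


def build_frame(dst: str, src: str, etype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame (sample construction only)."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", etype) + payload)


# Constructed capture of 20 frames: two cluster hosts heartbeating to the
# multicast-mode NLB MAC (03:bf: followed by the cluster IP, here the assumed
# value 192.168.1.100), plus ordinary unicast IPv4 traffic and one ARP broadcast.
NLB_MAC = "03:bf:c0:a8:01:64"
SAMPLE_CAPTURE = (
    [build_frame(NLB_MAC, "00:50:56:aa:00:01", ETHERTYPE_NLB)] * 2
    + [build_frame(NLB_MAC, "00:50:56:aa:00:02", ETHERTYPE_NLB)]
    + [build_frame("00:50:56:bb:00:01", "00:50:56:aa:00:01", ETHERTYPE_IPV4)] * 16
    + [build_frame("ff:ff:ff:ff:ff:ff", "00:50:56:bb:00:01", ETHERTYPE_ARP)]
)

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```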




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3756&t=3737



Re: security opinions please [7:3666]

2001-05-08 Thread Jacques Atlas

On Tue, 8 May 2001, Drew Simonis wrote:

|Some decent reads:
|
|http://mlarchive.ima.com/firewalls/1999/4507.html
|http://packetstorm.securify.com/9909-exploits/vlan_security.txt

Anyone want to confirm this for 65xx?

--
jacques




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3757&t=3666



Re: security opinions please [7:3666]

2001-05-08 Thread Robert Nelson-Cox

>
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.   The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Cisco switches have been known to 'bleed' traffic between VLANs, esp. when 
carried over older switches through ISL.

I don't know of any issues with the 6500, but that doesn't mean that they 
don't exist.

I would not recommend this solution for exactly the reason that 'someone' is 
concerned about.  A DMZ, Outside and Inside should be kept physically 
separate, on one piece of wire each.  What would happen if some 'idiot' 
plugged a connection between the Outside and the Inside VLAN? Very uncool.

From outside to inside should be a connection from an exterior router to the 
firewall - 100baseTX x-over cable.

DMZ - A hub or switch [1] connecting the port on the FW to DMZ hosts

Inside - Connect to switch for users to access.

That'll be $1,000 please. ;^)

Rob./

[1] Depending on network saturation.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3755&t=3666



Re: security opinions please [7:3666]

2001-05-08 Thread Jacques Atlas

hi

On Tue, 8 May 2001, [EMAIL PROTECTED] wrote:

|event of just the right failure/misconfiguration, someone could
|theoretically re-configure the switch to do bad things.

Failure or misconfiguration is directly a fault that has to do with the
owner.

The switch doing something which people do not expect it to is the vendor's
fault.

-- 
jacques




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3754&t=3666



Re: Frame Relay backup issue...(thanks) [7:3686]

2001-05-08 Thread Erick B.

Another possibility...

If they are using a DV routing protocol such as RIP
and every now and then they push a lot of traffic
across frame, perhaps some routing updates are not
making it across causing the route to go away and the
router to use a floating/alternate route over ISDN. I've
seen this happen with RIP with heavy traffic.

Hope this helps... Erick

--- "Mark Z."  wrote:
> Thanks for the help E. I have a feeling that it might be a backup load issue
> that I'll have to fix. Can't give you much info because I just found out I'm
> going to this client tomorrow so I'll be able to digest it all then. I'll
> definitely be bringing this with me in my head...it's appreciated friend,
> thanks,
> 
> Mark Z.
> 
> - Original Message -
> From: "EA Louie" 
> To: "Mark Z." ; 
> Sent: Tuesday, May 08, 2001 6:36 PM
> Subject: Re: Frame Relay backup issue... [7:3686]
> 
> 
> > ahhh, I'll give you a free answer anyway!  ;-)
> >
> > Without making any assumptions except that the Frame Relay interface is
> > configured with a backup-interface statement that's pointed to a dialer,
> > and that all the routing is working okay, and that the dialer has a good
> > dialer-list, then the config would look similar to:
> >
> > interface serial0/1
> >  encapsulation frame-relay
> >  backup interface dialer1
> >  no backup load
> >  no backup delay
> >
> > interface dialer1
> >
> > then the only thing that would bring the backup into play is the serial
> > going down/down momentarily.
> >
> > If there IS a backup load statement on serial, then bandwidth percentage
> > over the first parameter of that command would initiate the dialer.
> > Adjust it higher or remove it.
> >
> > If there's no backup interface command on the serial interface, then a
> > floating static route is probably initiating the DDR.  If an IGP is used
> > over the Frame Relay network then a route flap on the default route would
> > also start the dialing sequence.
> >
> > Let's see... is there a link for you?  nope, can't find one that's
> > appropriate.
> >
> >
> > -e-
> >
> > - Original Message -
> > From: "Mark Z." 
> > To: 
> > Sent: Tuesday, May 08, 2001 2:39 PM
> > Subject: Frame Relay backup issue... [7:3686]
> >
> >
> > > Hi Guys,
> > > Been a while since I've written to the list (guess that's kind of a
> > > good thing). Fairly simple question here: Let's say there is a company
> > > with a FR network with a hub/spoke topology. When data is sent from a
> > > site, a lot of times the backup link kicks up, even though the primary
> > > never went down. I remember this type of scenario in my readings but
> > > forget what the possibilities are. The simplest answer would be that
> > > they are oversubscribing their access on the line and the backup's
> > > kicking up. Or the line is just bad...but I doubt that. What are some
> > > possible scenarios that would cause this issue. I'm not asking for free
> > > answers to this but I would appreciate it if someone could point me in
> > > the right direction in terms of reading up on this.
> > > Thanks guys...good to be back.
> > >
> > > Mark Zabludovsky ~ CCNP, CCDA
> > > [EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3753&t=3686



PPP Multilink and VRF [7:3752]

2001-05-08 Thread Kim Quang Vo

Is it possible to configure VRF forwarding under a bundle of 2 leased lines (PPP
Multilink) between PE and CE?


interface Multilink1
 description Multilink
 ip address 192.168.10.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip route-cache policy
 no ip route-cache cef
 ip policy route-map bundle
 no cdp enable
 ppp multilink
 multilink-group 1

Otherwise,
may I use 2 links from the PE in the MPLS domain to 2 CE routers at the customer
for load balancing and backup in case one of the links goes down?

Any suggestion will be appreciated.


Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3752&t=3752



Older PIX/Local Director [7:3751]

2001-05-08 Thread Brian

Sometimes I see people refer to older Local Directors
as Local Director/PIX.  Anyone know why?  I mean can
the older LDIR boxes (like the 415) run the PIX code?

The boxes certainly look a lot like PIX 1/Classic/510
boxes.

Brian



---
We have MOVED!! Make note of our new address!!!

I'm buying / selling used CISCO gear!!
email me for a quote

Brian Feeny,CCDP,CCNP+VAS Scarlett Parria
[EMAIL PROTECTED] [EMAIL PROTECTED]
318-213-4709  318-213-4701

Netjam, LLC   http://www.netjam.net
333 Texas St. VISA/MC/AMEX/COD
Suite 140130 day warranty
Shreveport, LA 71101  Cisco Channel Partner
p: 318-212-0245
f: 318-212-0246




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3751&t=3751



Re: 3640 down with OIR [7:3554]

2001-05-08 Thread Brian

I have seen this before where reseating actually fixed the problem.  I
have also seen this indicate faulty hardware/midplane.

Check the pins and whatnot to make sure none are bent as well.

Brian


On Tue, 8 May 2001, Shoaib Waqar wrote:

> I just got my router down, it was 3640, which had been
> working properly for last 3 months. It gave the
> following error message and then hung up:
>
> %ORINT: OIR Event has occured oir_ctrl 5000 oir_stat
> 8F8A
>
> I know that OIR is Online Insertion and Removal but
> the strange thing is that nobody inserted or removed
> any sort of hardware, and to utter astonishment, this
> msg came and surprised me. I also searched this error
> on TAC but there are only 4 of these error types OIR and
> I could not find this one. So any idea about this???
>
> P.S. 3640 has 12.1.8 IP/IPX/AT/DEC plus IOS and 16MB
> flash, 64 MB DRAM
>
> Shoaib
>






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3750&t=3554



RE: Protocol Type 0x886F [7:3737]

2001-05-08 Thread Andy Prima

Thank you all for the answers. This frame consumes 10-15% of total frames
circling in my network. Any comment on this? Can I filter it out? Is there
any consideration on filtering?

TIA,
Andy

-Original Message-
From: Brian Dennis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 12:09 PM
To: Andy Prima; [EMAIL PROTECTED]
Subject: RE: Protocol Type 0x886F [7:3737]


It's a heartbeat frame for Windows NT Load Balancing Service.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
[EMAIL PROTECTED]
(925) 260-2724

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Andy Prima
> Sent: Tuesday, May 08, 2001 9:47 PM
> To: [EMAIL PROTECTED]
> Subject: Protocol Type 0x886F [7:3737]
> 
> 
> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> Broadcast is circling around my network and I do not have a clue what it
> really is. 
> 
> TIA
> andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3748&t=3737



Re: PIX and static routes [7:3484]

2001-05-08 Thread Brian

Yes, with a PIX you can configure static mappings of outside addresses to
inside addresses, and then configure "conduits" to allow particular
traffic types through.

Brian


On Mon, 7 May 2001, John Gotti wrote:

> Maybe I'm mistaken, but I thought it was possible to add static routes on
> a PIX firewall?...For instance, if your "outside" interface's IP was
> 198.6.1.4 and your "inside" Interface's IP was 172.16.0.1, couldn't you add
> a static route to say for IP 172.24.9.0 255.255.255.0 go to 172.24.128.3 ?
> I know a PIX isn't a router, but I thought it could forward traffic based on
> a static route. Thanks!!
>
>   -G






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3747&t=3484



Re: A question on EIGRP traffic [7:3464]

2001-05-08 Thread Brian

Cisco EIGRP by default will use "up to" 50% of the wire for its routing
protocol traffic.  This is a feature to prevent the routing protocol from
consuming all available bandwidth.

Brian


On Mon, 7 May 2001, mindiani mindiani wrote:

> I have been told the Cisco EIGRP protocol is using by default 50% of the
> bandwidth of the WAN link. Can anybody give me more detail on this?
>
>
>









OSPF MaxAge [7:3745]

2001-05-08 Thread Semion Lisyansky

Hi List,

I have a question about the OSPF MaxAge parameter.  AFAIK from two
sources - Doyle book and the RFC, MaxAge should be one hour and
it's an OSPF protocol constant, which means that it can not be
configured. When I typed "show ip ospf" on 250x running 11.3 I got:

...
Link State Update Interval is 0:30:00 and due in 0:16:25
Link State Age Interval is 0:20:00 and due in 0:16:25
...

Link State Age Interval - Specify max-aged update deletion interval 
and time until next database cleanup in hours:minutes:seconds.

What's wrong with it?

--
Semion Lisyansky







Re: Protocol Type 0x886F [7:3737]

2001-05-08 Thread Ken Vandenbark

A,
Check out Novell's site.

0x886F 111 OBJECT_NOT_FOUND
0x886F 111 NWE_OBJECT_NOT_FOUND

HTH

kv
- Original Message -
From: "Andy Prima" 
To: 
Sent: Tuesday, May 08, 2001 9:47 PM
Subject: Protocol Type 0x886F [7:3737]


> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> Broadcast is circling around my network and I do not have a clue what it
> really is.
>
> TIA
> andy







Re: CCNP 1.0 [7:3733]

2001-05-08 Thread Ali J Khan

Hi Pat

You can go ahead and take the last two exams from the new track and you
would become a CCNP 1.0.
However, if you retake the original two from the new track and then take the
other two, you would become CCNP 2.0.
In my opinion, the important part is getting the certification asap so that
you can then start work on CCIE.

regards

Ali J Khan, CCNP


- Original Message -
From: "pat" 
To: 
Sent: Wednesday, May 09, 2001 7:58 AM
Subject: CCNP 1.0 [7:3733]


> I have taken ACRC & CMTD exams. Now that these old
> exams are expired do I have to take all 4 new exams to
> be CCNP or can I just take two new exams & still be
> CCNP.
>
> I am CCNA 1.0 certified. Is it still valid or do I
> have to take new exam for CCNA also..?
>
>
> thanks,
> patterson
>







RE: Protocol Type 0x886F [7:3737]

2001-05-08 Thread Brian Dennis

It's a heartbeat frame for Windows NT Load Balancing Service.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
[EMAIL PROTECTED]
(925) 260-2724

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Andy Prima
> Sent: Tuesday, May 08, 2001 9:47 PM
> To: [EMAIL PROTECTED]
> Subject: Protocol Type 0x886F [7:3737]
> 
> 
> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> Broadcast is circling around my network and I do not have a clue what it
> really is. 
> 
> TIA
> andy







Re: Protocol Type 0x886F [7:3737]

2001-05-08 Thread David Chandler

886f
Microsoft Corporation
Redmond, WA 

found this on IEEE page   
http://standards.ieee.org/regauth/ethertype/type-pub.html

Seems to have something to do with Microsoft load balancing.  I have not
read it all the way through yet.
See>>>   http://www.microsoft.com/TechNet/win2000/nlbovw.asp

Keep us updated :->

DaveC




Andy Prima wrote:
> 
> Dear all,
> I need help on protocol type 0x886F. It seems that this kind of Ethernet
> Broadcast is circling around my network and I do not have a clue what it
> really is.
> 
> TIA
> andy
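The replies above identify 0x886F from the IEEE registry and as an NLB heartbeat. Added example, not code from the thread: a small Ethernet II parser (handling one 802.1Q tag) that tallies broadcast frames per EtherType and source MAC so the senders of an unexplained broadcast can be found; the sample frames and MAC addresses are constructed, and the 0x886F label is taken from the answers in this thread.

```python
"""Triage unexpected Ethernet broadcast frames by EtherType.

Added example, not code from the thread. The frames below are constructed
(MAC addresses are made up); the label for 0x886F comes from the thread's
answers (IEEE registry: Microsoft; NT Load Balancing Service heartbeat).
"""
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x886F: "Microsoft / NT Load Balancing Service heartbeat",
}


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype, vlan_id) for an Ethernet II frame.

    A single 802.1Q tag (EtherType 0x8100) is skipped so that tagged
    heartbeats are classified by their real EtherType; vlan_id is None
    for untagged frames.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan_id = None
    if etype == 0x8100:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q frame")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI carry the VLAN ID
    return dst, src, etype, vlan_id


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def summarize_broadcasts(frames):
    """Count broadcast frames per (EtherType, source MAC), busiest first.

    Unicast frames are ignored: the complaint in the thread is about
    broadcasts 'circling around the network', so the sources generating
    them are what a triage needs to see.
    """
    counts = Counter()
    for frame in frames:
        dst, src, etype, _vlan = parse_frame(frame)
        if dst == BROADCAST:
            counts[(etype, mac_str(src))] += 1
    return [
        {"ethertype": f"0x{etype:04X}", "source": src, "count": n,
         "label": ETHERTYPE_NAMES.get(etype, "unknown")}
        for (etype, src), n in counts.most_common()
    ]


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes, vlan_id=None) -> bytes:
    """Assemble a (constructed) Ethernet II frame, optionally 802.1Q tagged."""
    tag = struct.pack("!HH", 0x8100, vlan_id) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload


# Constructed sample capture: two hosts sending 0x886F broadcasts, one ARP
# request, one unicast IPv4 packet and one VLAN-tagged 0x886F broadcast.
HOST1 = bytes.fromhex("020000000001")
HOST2 = bytes.fromhex("020000000002")
SAMPLE_FRAMES = (
    [build_frame(BROADCAST, HOST1, 0x886F, b"\x00" * 46)] * 5
    + [build_frame(BROADCAST, HOST2, 0x886F, b"\x00" * 46)] * 3
    + [build_frame(BROADCAST, HOST1, 0x0806, b"\x00" * 28)]
    + [build_frame(HOST2, HOST1, 0x0800, b"\x00" * 20)]
    + [build_frame(BROADCAST, HOST2, 0x886F, b"\x00" * 46, vlan_id=10)]
)

if __name__ == "__main__":
    for row in summarize_broadcasts(SAMPLE_FRAMES):
        print(row)
```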







Re: addressing/mask question [7:3727]

2001-05-08 Thread David Chandler

Comments inline:

PS: check out ICMP redirect. It's another one that'll make your
traffic do things that you wouldn't expect.


DaveC

Scott Meyer wrote:
> 
> I have a question about network masks and proxy ARP that I have not
> understood for a long time. I'm not sure that I can clearly explain the
> question, but I'll give it my best. I got bits and pieces about the
> situation, so I don't know exactly what is working and when.
> 
> A co-worker has a customer that has a really messy IP scheme. For
> simplicity, the network scheme should be
> 
> network A   router A
> 172.16.1.0 /24172.16.1.1 e0
> 192.168.1.1  s0
> 
> connects over WAN to
> 
> network B   router B
> 172.16.2.0 /24  172.16.2.1   e0
> 192.168.1.2  s0
> 
> This customer has hosts with misconfigured masks and default gateways all
> over the place. Some hosts have wrong masks, some wrong gateways, on some
> both are wrong, and some are right. The routers are configured correctly, as
> above. Obviously he is experiencing some connectivity issues - sometimes
> things work, and sometimes they don't.
> 
> I would like to more completely understand why. Proxy ARP is on (default).
> 
> Lets assume the following:
> host A  (wrong mask configured, 172.16.1.5 /16, gateway 172.16.1.1) tries to
> connect to host B  172.16.2.6 (correctly configured as /24, gateway
> 172.16.2.1)
> 
> My understanding of what happens:  Host A does binary anding, and thinks
> that host B is on the same subnet. So it ARPs for 172.16.2.1. Proxy ARP is
> on, so I would think the router recognize that it needs to respond to host
> A's ARP request. Host A now thinks that host B = MAC address of router A.
> Host A sends traffic to router A and router A forwards. Both router A and
> host A know the correct MAC address of each other, so host B's response will
> get to host A. So this should work consistently despite the
> misconfiguration, but I know better. How am I thinking incorrectly?

#

That's correct: When the router sees an ARP for a subnet that it thinks
is not local to the interface it will reply with a proxy-arp.   

From your statement "but I know better. How am I thinking incorrectly?"
I take it that it is not working?  I see from your description that the
172.16.x.x is split between a 192.168.x.x.  Are you using IGRP, EIGRP,
or RIPv2 with no auto-summary, or OSPF?  Check router A's routing
table to see where the 172.16.2.x network is.

##

> 
> Next question, let's assume the following:
> host A  (wrong gateway configured, 172.16.1.5 /24, gateway 172.16.1.3) tries
> to connect to host B  172.16.2.6 (correctly configured as /24, gateway
> 172.16.2.1)
> 
> My understanding of what happens:   Host A does binary anding, and thinks
> that host B is on another subnet. Host A thinks that the gateway is
> 172.16.1.3, and ARPs for that. If there is a 172.16.1.3, it will respond
> with its MAC, host A will send traffic for host B to 172.16.1.3, which will
> promptly drop it because it has no idea what to do with it. If there is not
> a 172.16.1.3, host A will not get a response, and will timeout eventually. I
> will need to check, but I don't think that host A will ARP for host B (as
> opposed to ARPing for the gateway). So this should consistently not work. If
> host A did not have a gateway at all, it would ARP for host B and router A
> would respond (due to proxy ARP) and connectivity would be established. Am I
> correct?

#

Yes: 100% so far...

##

> 
> I do think it makes a difference who initiates the connection, because of
> ARP. If host B tries to connect to host A, router A would ARP for host A.
> Host A would place router A's MAC in it's ARP table for host B, and as long
> as that entry existed, communication would work consistently? Am I thinking
> correctly?

##

I suppose someone could program an IP stack that way but I have not seen
any host do what you just described.  Pretty much Host A will use the
same process whether it initiates or is responding.

##

> 
> If proxy ARP is enabled, why is a default gateway needed? I have never seen
> a TCP/IP configuration that doesn't have a spot to enter a default gateway.
> Conversely, if everything has a default gateway, why is proxy ARP needed? If
> one of those (either the gateway or proxy ARP) is not working for whatever
> reason, why is communication spotty? Should it not be consistently either
> working or not?
> 
> If proxy ARP works like it is supposed to, I don't see a need for hosts to
> have masks and gateways configured. The only problem I see is if there are
> multiple gateways available to a subnet, where both (or more) gateways will
> forward the packet, so the destination gets 2 packets. What happens then is
> protocol and application dependent.

#

Question:
Why do you need proxy-arp, masks, and

Re: CCNP 1.0 [7:3733]

2001-05-08 Thread Mark Z.

From what I know you are fine. As long as you took the 2 1.0's when they
were valid (well apparently), you can still finish the CCNP with the next 2
tests...and don't worry about the CCNA. I got my CCNP 2.0 while holding an
NA 1.0...Good luck with the tests,

Mark Z ~ CCNP, CCDA

> > I have taken ACRC & CMTD exams. Now that these old
> > exams are expired do I have to take all 4 new exams to
> > be CCNP or can I just take two new exams & still be
> > CCNP.
> >
> > I am CCNA 1.0 certified. Is it still valid or do I
> > have to take new exam for CCNA also..?
> >
> >
> > thanks,
> > patterson
> >







Protocol Type 0x886F [7:3737]

2001-05-08 Thread Andy Prima

Dear all,
I need help on protocol type 0x886F. It seems that this kind of Ethernet
Broadcast is circling around my network and I do not have a clue what it
really is. 

TIA
andy







RE: password recovery problem with AAA [7:3735]

2001-05-08 Thread Daniel Cotts

I would guess that if you boot the router ignoring the content of NVRAM that
you could then view the startup config (show start). You might then want to
do a cut and paste to Notepad or capture the output of your terminal
program. If loading the config disallows you from doing anything, then best
to erase start and reload. That wipes the router clean. Then config t and
use the Notepad copy to enter the parts that you need.

> -Original Message-
> From: Sim, CT (Chee Tong) [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 11:25 PM
> To: [EMAIL PROTECTED]
> Subject: password recovery problem with AAA [7:3735]
> 
> 
> I am doing a password recovery for a 1700 router, I manage to see its
> previous configuration part.  But I want to do a conf term to change
> setting. I found it was controlled by TACACS+ AAA server.   
> How do I disable
> the setting of AAA so I can make change  See below
> 
> 
> rommom 1>confreg 0X2142
> rommom 2>reset
> Router>enable
> 
> Router#conf mem
> 
> Building configuration...
> 
> 00:00:57: %IP_SNMP-3-SOCKET: can't open UDP socket
> KUL01#
> KUL01#
> *Mar  1 00:01:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.2,
> changed state to down
> *Mar  1 00:01:08: %SYS-5-CONFIG_I: Configured from memory by console
> KUL01#conf term
> Command authorization failed.
> 
> KUL01#
> *Mar  1 00:01:28: %-3-INVSTATE:  AUTHOR/CMD: Internal state is invalid:
> astruct 0x8093FF00 ustruct 0x0
> -Traceback= 8006C154 8006C01C 800A41D0 800A5098 800B0CB8 80114BE0
> 
> 
> 
> ==
> The information contained in this message may be confidential 
> and is intended to be exclusively for the addressee. Should you 
> receive this message unintentionally, please do not use the contents 
> herein and notify the sender immediately by return e-mail.
> 
> 
> ==







RE: Printing Boson Exams and a ringing endorsement [7:3447]

2001-05-08 Thread John Andrews

Wow...I bought the test also. I am glad to know I can update.  Thanks.

Thanks.
John A


>= Original Message From "Donald B Johnson jr"  
=
>What are you talking about. All those stupid idiot letters under your name
>and you still can't read. I'll spell it out. I bought those test You are
>permitted to update!!
>He checked their database and I was in there!! He sent the
>codes!!
>You better hope your boss/client aint on this site now they will know what
>we all suspected.
>
>Couple other points:
>he ain't my friend - just had business dealings,
>and we ain't mates.  - skip.
>Don
>
>- Original Message -
>From: "Michael E Taiwo"
>To: "Donald B Johnson jr"
>Cc: ;
>Sent: Monday, May 07, 2001 9:00 AM
>Subject: Re: Printing Boson Exams and a ringing endorsement [7:3447]
>
>
>> Sorry, I don't mean to be involve in these, but don't you think that
>you've
>> actually put the guy that gave you, the crack in danger, by exposing  his
>> Email address in Groupstudy.
>>
>> Reason been is, that the guys that set the boson questions are in this
>> groupstudy, and believe me your friends job is on the line mate.
>>
>> Mike.
>>
>> CCNP,CCDP,CCNA,CCDA,MCSE+I
>> - Original Message -
>> From: "Donald B Johnson jr"
>> To:
>> Sent: Monday, May 07, 2001 3:33 PM
>> Subject: Re: Printing Boson Exams and a ringing endorsement [7:3447]
>>
>>
>> > Thanks Kevin
>> > Worked like a charm, the pdf thing.
>> > Did you know that you can update your boson tests to version 3.67.
>> > It adds a cool feature that lets you test by category plus it updates
>your
>> > questions, "example I just created a pdf with all bgp questions" from
>the
>> > bscn test I bought.
>> > Just email this guy  [EMAIL PROTECTED]  with your serial numbers
>and
>> he
>> > will send you back new unlock codes.
>> > You also have to go to their site and down load the new testing engine.
>> > Oh by the way, Chad is working on his last test for CCNP then he is
>going
>> > for CCIE so he understands what we are about, not just a sales man with
>no
>> > clue. He was also one of the most helpful people I ever dealt with. I
>> > e-mailed my serial numbers, 10 in all and he sent me back my new 3.67
>> > unlocks in fifteen minutes. One of the numbers I sent was wrong so I
>> resent
>> > the correct number and a new unlock was sent in about five minutes.
>GREAT
>> > SERVICE BOSON, thanks Chad!!!
>> > Lets review
>> > 10 test @ 30 dollars = CCNA/CCDA/CCNP/CCDP + two CCIE tests locked in
>the
>> > chamber for the written in a month for Don + great testing content +
>good
>> > money for the test writers + great service from Chad. What a value.
>> > No I don't work for Boson but so what if I did, I ain't lying.
>> >
>> >
>> > Don
>> >
>> >
>> > - Original Message -
>> > From: "Kevin Wigle"
>> > To:
>> > Sent: Saturday, May 05, 2001 1:06 PM
>> > Subject: Printing Boson Exams [7:3327]
>> >
>> >
>> > > Dear Group,
>> > >
>> > > Lost the original post but here's an answer of sorts.
>> > >
>> > > At the top in the File menu tree you can print each question.
>> > >
>> > > The print operation doesn't ask you where to print, it just uses the
>> > default
>> > > printer.
>> > >
>> > > So, create a new "printer" that prints to file (local printer -
>Generic)
>> > and
>> > > make it the default while you're doing the questions.
>> > >
>> > > Not very elegant actually as each question will overwrite the last one
>> > > saved.  So keep windows explorer open and rename the output each time.
>> > >
>> > > Unfortunately, graphics won't come across too well.
>> > >
>> > > So if you own the Adobe Editor - it installs the Adobe Distiller which
>> is
>> > > another print to file operation but you get to keep all the graphics
>and
>> > its
>> > > in .pdf format.
>> > >
>> > > So you can't dump an exam but you can get all the info you want one by
>> one
>> > > if you're patient.
>> > >
>> > > Kevin Wigle

Have a great day!
John A







Re: FW: security opinions please [7:3666]

2001-05-08 Thread Bradley J. Wilson

Drew wrote:

>It can be, and it is.  But, so is just about everything.  It is the
>probability of the risk being exploited that really matters, and in
>this case I see that as a small one.  Now, lets talk about using
>Microsoft as a security benchmark...  ;-)

Reminds me of an obscure Steve Martin routine..."Hi, I'm Fred!  I have a
bank!  Ya got fifteen hundred?  I'll put it, uh, over here, in my white
suit."

BJ







password recovery problem with AAA [7:3735]

2001-05-08 Thread Sim, CT (Chee Tong)

I am doing a password recovery for a 1700 router, I manage to see its
previous configuration part.  But I want to do a conf term to change
setting. I found it was controlled by TACACS+ AAA server.   How do I disable
the setting of AAA so I can make change  See below


rommom 1>confreg 0X2142
rommom 2>reset
Router>enable

Router#conf mem

Building configuration...

00:00:57: %IP_SNMP-3-SOCKET: can't open UDP socket
KUL01#
KUL01#
*Mar  1 00:01:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.2,
changed state to down
*Mar  1 00:01:08: %SYS-5-CONFIG_I: Configured from memory by console
KUL01#conf term
Command authorization failed.

KUL01#
*Mar  1 00:01:28: %-3-INVSTATE:  AUTHOR/CMD: Internal state is invalid:
astruct 0x8093FF00 ustruct 0x0
-Traceback= 8006C154 8006C01C 800A41D0 800A5098 800B0CB8 80114BE0










Re: CCNP 1.0 [7:3733]

2001-05-08 Thread Traceroute

This link has requirements for the "640-50X" series.
http://www.cisco.com/warp/public/cc/serv/mkt/cert/career/ccnp_ds.htm

you may have to email them on this one...


- Original Message -
From: "pat" 
To: 
Sent: Tuesday, May 08, 2001 10:58 PM
Subject: CCNP 1.0 [7:3733]


> I have taken ACRC & CMTD exams. Now that these old
> exams are expired do I have to take all 4 new exams to
> be CCNP or can I just take two new exams & still be
> CCNP.
>
> I am CCNA 1.0 certified. Is it still valid or do I
> have to take new exam for CCNA also..?
>
>
> thanks,
> patterson
>







CCNP 1.0 [7:3733]

2001-05-08 Thread pat

I have taken ACRC & CMTD exams. Now that these old
exams are expired do I have to take all 4 new exams to
be CCNP or can I just take two new exams & still be
CCNP.

I am CCNA 1.0 certified. Is it still valid or do I
have to take new exam for CCNA also..?


thanks,
patterson








Re: security opinions please [7:3666]

2001-05-08 Thread andyh

interesting thread, and on a subject that crops up again and again...

sure it's possible to compromise VLANs, but as has been said, through
misconfiguration rather than anything else.  Say you have a switch in a
hosting centre that customers can plug into - set your ports to anything
other than "trunk off" and you're in big trouble :-(

Interestingly a place I worked at had a network design submitted by a *VERY*
well known and respected organisation (acting as consultants for an ASP-type
deal), with 26 (count-'em) switches so as to avoid these apparent security
flaws.  Having laughed them out of the building, guess what eventually got
installed?  A pair of 6509s - so go figure

Andy

- Original Message -
From: 
To: 
Sent: Tuesday, May 08, 2001 11:32 PM
Subject: Re: security opinions please [7:3666]


> From a pure security perspective, this design is not as secure as
> having separate switches for the outside, dmz and inside networks.
> The reasoning is very simple, yes, you can put lots of software in
> place to prevent people from telneting to the switch, but in the
> event of just the right failure/misconfiguration, someone could
> theoretically re-configure the switch to do bad things.
>
> I have had long discussions with people about this issue and the
> bottom line is that while a compromise in this configuration is
> highly improbable, it is not impossible.  When you have physical
> separation of switches, it is impossible for a software
> failure/misconfiguration in the switch to lead to an internal
> compromise, it is therefore a more secure configuration to use
> multiple switches.
>
> It is, however, very convenient to use a single switch.  As a
> compromise, I recommend a single external switch and a common
> internal switch for the dmz's and internal segments.  As there are
> normally very few connections on the outside, this is a reasonable
> compromise at a very small incremental cost.
>
> HTH,
> Kent
>
> On 8 May 2001, at 15:42, [EMAIL PROTECTED] wrote:
>
> > Let me lay out the basic topology of a network first:
> >
> > A 6500 has several VLANS configured on it.  Among these are an
> > external internet vlan, a dmz, and several internal vlans.   The
> > internal vlans are routed by an MSFC in the 6500.  Routing between the
> > internal, dmz, and external are handled by a firewall external to the
> > 6500.
> >
> > Are there any security issues with having all of these VLANS in the
> > same box?  Someone in our organization is concerned that someone can
> > hack the switch just because the connection from the internet is
> > plugged into it. The switch's management address is on one of the
> > internal vlans, and an access list is on the telnet access that
> > restricts access from only the internal vlans.







Re: encapsulation [7:3701]

2001-05-08 Thread andyh

PPP gives you authentication (PAP/CHAP), plus standards-based
inter-operability

HDLC is quasi-standards-based, having been developed from SDLC
originally, although different manufacturers are inter-operable to a greater
or lesser extent (Nokia for instance support "Cisco"-HDLC on their firewall
boxes).  HDLC has a slightly lower overhead than PPP.

I tend to use HDLC on internal leased-lines where I *shouldn't* need
authentication, and PPP on dial-based stuff.

hth

Andy

- Original Message -
From: "SH Wesson" 
To: 
Sent: Tuesday, May 08, 2001 11:53 PM
Subject: encapsulation [7:3701]


> Should I use hdlc or ppp encapsulation on a point to point connection
> between two wan sites.  The connection is used to access data.  And also
> what is the benefit and disadvantages of using one over the other. Thanks.







Reply: Re: [7:3730]

2001-05-08 Thread [EMAIL PROTECTED]

Thank you, buddy. But there's still another question: since I have only 4MB
flash on my cisco 2503, and although you compress that IOS 12.0 image, it's
still much larger than 4MB, so where should I put the compressed
file/image? On a TFTP server?
Any advice will be appreciated, thank you.




henry
2001-05-08 20:06

To:
Cc:
Fax to:
Subject: Re: Reply: IOS upgrade, failure [7:3513] [7:3520]


It's very easy.
You can use the Unix tool gzip to compress the IOS file.
Then change the IOS file name from *.bin to *.Z
Finally you should have 4MB plus the IOS file size (uncompressed) of RAM.
Then you can run IOS 12.03 with 4MB flash and 18MB (16+2) RAM.
Good Luck

"[EMAIL PROTECTED]" wrote:
You can't do that upgrade, I have also a 2503 with 4MB flash, I want IOS
12.0??!!

"John Brandis"
From: [EMAIL PROTECTED]
2001-05-08 09:04
Please reply to "John Brandis"

To: [EMAIL PROTECTED]
Cc:
Fax to:
Subject: IOS upgrade, failure [7:3513]
Hey all, I am back on for the day, 
Have a 2503 router with suspected 4MB flash. I need to upgrade from IOS 
10.2 
to at least 11.3. Problem is that IOS 11.3 is 5MB. 
What can I do besides upgrade the flash.?? 
John Brandis 
Network Engineer 
GoWireless Communications 
155 George Street Sydney 
+61 2 9251 5000 







Re: real world BGP question [7:3506]

2001-05-08 Thread Trey Webb

Those /24s likely have something to do with the fact that the blocks in the
A space you mentioned are ARIN allocated CIDR blocks. I believe that ISPs
tend to be a little less restrictive on them. Several other route-servers
mirror your findings on cerf.net.

For those of you that haven't seen it:

 http://www.arin.net/regserv/IPStats.html#cidr

--trey

Chuck Larrieu wrote:

> I respectfully disagree. A brief look through route-server.cerf.net shows an
> awful lot of /24's in class A space, particularly in the 24.0.0.0, 64.0.0.0,
> 65.0.0.0, and 66.0.0.0 space. Not to mention a lot in class B space. My hand
> hurts from scrolling through the routing table there. Granted, everything is
> relative. What cerf.net shows is not necessarily what any other provider
> shows. But I suggest that CIDR is broken and there are lots of prefixes
> longer than /19, no matter what the classful block. :->
>
> Chuck
>
> -Original Message-
> From:   Brian [mailto:[EMAIL PROTECTED]]
> Sent:   Monday, May 07, 2001 5:05 PM
> To: Chuck Larrieu
> Cc: [EMAIL PROTECTED]
> Subject:RE: real world BGP question [7:3506]
>
> many providers filter based on the classful origin of the space.  If the
> block is out of what was once class a or b space, the likelihood of a /24
> getting filtered out is fairly high.  My previous employer did that.
>
> Brian "Sonic" Whalen
> Success = Preparation + Opportunity
>
> On Mon, 7 May 2001, Chuck Larrieu wrote:
>
> > Seems rather presumptuous of Cisco to speak for every ISP in the world.
> >
> > In order to limit the number of routes being advertised on the internet, I
> > believe it was considered "best current practice" to limit prefix length to
> > /19 or shorter. (Can't find the RFC at the moment, but I recall it being
> > referenced several times in various threads on the NANOG list.)
> >
> > Obviously, with well over 100K routes in "the internet routing table" there
> > are a great number of longer prefixes being advertised, no doubt in great
> > part because of the number of companies that are "connected to multiple
> > ISPs so they can load balance across the internet".
> >
> > Prefix advertising may be influenced by peering arrangements, downstream and
> > upstream agreements, and customer requirements. Generally, once holes are
> > punched through CIDR blocks, what can anyone do?
> >
> > When someone makes a statement like you attribute to Cisco, one must always
> > follow up with specifics to determine what is really meant. Not all routes
> > seen in one provider's network routing tables are necessarily present in the
> > tables of another provider.
> >
> > Chuck
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > Murphy, Brennan
> > Sent: Monday, May 07, 2001 4:01 PM
> > To:   '[EMAIL PROTECTED]'; Charlie Winckless; Murphy, Brennan
> > Cc:   [EMAIL PROTECTED]
> > Subject:  RE: real world BGP question
> >
> > Cisco told me today that a /24 drawn from Class C space
> > has a better chance of being propagated throughout the Internet
> > than a /24 taken from Class B space. Anyone disagree with that?
> > Can anyone recommend a good source of info on this. I've checked
> > Halabi.
> >
> > I came across a good reference during my quest www.traceroute.org
> > Unfortunately, it doesnt offer plain answers to my questions.
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, April 27, 2001 1:58 PM
> > To: Charlie Winckless; 'Murphy, Brennan'
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: real world BGP question
> >
> >
> > Currently on a US basis a /24 would generally work.  Internationally
> > (Europe) most providers would filter out anything longer than /20.
> >
> >
> > - Original Message -
> > From: "Charlie Winckless"
> > To: "'Murphy, Brennan'"
> > Cc:
> > Sent: Friday, April 27, 2001 1:18 PM
> > Subject: RE: real world BGP question
> >
> >
> > > I used to work for VERIO. At that time they would not
> > > route smaller than /19 on their backbone.
> > >
> > > This may have changed.
> > >
> > > > -Original Message-
> > > > From: Murphy, Brennan [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, April 27, 2001 10:46 AM
> > > > To: 'Michelle T'; '[EMAIL PROTECTED]'
> > > > Subject: RE: real world BGP question
> > > >
> > > >
> > > > I guess that is my real question: what is the longest prefix that
> > > > is exchanged among/between major carriers.
> > > >
> > > > The real world example here is what if you had 4 server farms
> > > > answering
> > > > to one DNS name:  ftp.foo.com  You have Round Robin DNS running
> > > > round trip times to match a user with their nearest server farm
> > > > so it sends back the closest/fastest IP. The question is, how
> > > > big do those
> > > > subnets for the server farms have to be in order to be maximally
> > > > advertised throughout the internet?
> > > >
> > > > So, I've seen two answers
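Brian's point about providers filtering on the classful origin of the space, modelled as an added example (this is not code from any post in the thread). The per-class limits are an assumption: /19 for former class A space, /20 for former class B and /24 for former class C, loosely following the /19, /20 and /24 figures quoted above; they are not any provider's real policy. Besides deciding which prefixes such a provider would carry, the last function renders the same policy as Cisco IOS `ip prefix-list` lines.

```python
"""Classful-origin prefix-length filter, as described in the thread.
Added example; the per-class limits below are assumed, not a real policy."""
import ipaddress

# Former classful blocks and the longest prefix accepted from each (assumed).
CLASSFUL_POLICY = {
    "A": (ipaddress.ip_network("0.0.0.0/1"), 19),     # 0.0.0.0 - 127.255.255.255
    "B": (ipaddress.ip_network("128.0.0.0/2"), 20),   # 128.0.0.0 - 191.255.255.255
    "C": (ipaddress.ip_network("192.0.0.0/3"), 24),   # 192.0.0.0 - 223.255.255.255
}


def classful_origin(prefix, policy=CLASSFUL_POLICY):
    """Return 'A', 'B' or 'C' for the classful block a prefix falls in, else None
    (class D/E space, which the policy never accepts)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for cls, (block, _) in policy.items():
        if net.subnet_of(block):
            return cls
    return None


def accepted(prefix, policy=CLASSFUL_POLICY):
    """True if a provider filtering on classful origin would carry the prefix."""
    cls = classful_origin(prefix, policy)
    if cls is None:
        return False
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen <= policy[cls][1]


def filter_table(prefixes, policy=CLASSFUL_POLICY):
    """Split a list of advertised prefixes into (carried, filtered)."""
    carried, filtered = [], []
    for p in prefixes:
        (carried if accepted(p, policy) else filtered).append(p)
    return carried, filtered


def ios_prefix_list(name, policy=CLASSFUL_POLICY):
    """Render the policy as Cisco IOS 'ip prefix-list' lines: each permit
    matches prefixes inside one classful block no longer than that block's
    limit, and the final entry denies everything else."""
    lines, seq = [], 5
    for cls in ("A", "B", "C"):
        block, max_len = policy[cls]
        lines.append(f"ip prefix-list {name} seq {seq} permit {block} le {max_len}")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} deny 0.0.0.0/0 le 32")
    return lines


if __name__ == "__main__":
    # Constructed sample of the kind of prefixes a route server might show.
    sample = ["24.0.0.0/24", "64.1.0.0/19", "172.16.1.0/24",
              "172.16.0.0/20", "200.1.2.0/24", "224.0.0.0/24"]
    carried, filtered = filter_table(sample)
    print("carried :", carried)
    print("filtered:", filtered)
    print("\n".join(ios_prefix_list("CLASSFUL-ORIGIN")))
```

With the sample list, the /24 out of 24.0.0.0 (former class A space) and the /24 out of 172.16.0.0 (former class B) are dropped, while the /19, the /20 and the /24 from former class C space are carried, which is exactly the difference Brennan was told about.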

Re: 2610 w/ an additional 1e 2w module [7:3402]

2001-05-08 Thread Jason Baker

If you want to use your 2600 as a frame relay switch, do as I have done and
buy an NM-4a/s, 4t, 8a/s or 8/t.

A 1FE2W only works in a 3600.

Regards,

Jason Baker

- Original Message -
From: 
To: 
Cc: 
Sent: Tuesday, May 08, 2001 4:44 AM
Subject: Re: 2610 w/ an additional 1e 2w module [7:3402]


> O.K., so basically to get this puppy to work in the 2600 series I need to
> get a 1FE2W encasing module to hold the WIC 2T's? I'm going to try to use
> this box as a frame switch so I'm trying to get as many serial interfaces
> on it as possible...
>
> Thanks for your help guys!!
>
> Randy
>
>
> On Mon, 7 May 2001 13:53:25 +1000 "Jason Baker" 
> writes:
> > Also another tip. The WIC 2-T modules do not work in plain ethernet
> > based modules (such as 1e2w). You need to get a 1FE2W at least to put
> > the WIC 2-T's in.
> >
> > However the WIC 2-T's will work in the fixed serial slots in the
> > 2600's.
> >
> > Regards,
> >
> > Jason Baker
> > ---
> > Network Engineer
> >
> > - Original Message -
> > From: 
> > To: 
> > Sent: Monday, May 07, 2001 1:17 PM
> > Subject: 2610 w/ an additional 1e 2w module [7:3402]
> >
> >
> > > Hi all !!
> > >
> > > I have just finished installing a new 1E 2W module in my 2610 router and
> > > it's not being recognized. The unit already had an existing WIC 2T plus
> > > the built-in Ethernet port. I added the 2T 1E, which is actually 2 WIC 1T
> > > cards with an Ethernet port on the main module, and it's not being
> > > recognized. When I remove the existing WIC 2T cards only the main
> > > Ethernet shows up on the show version. I do see the Act LED on the
> > > module solid green but nothing on the sho ver.
> > >
> > > Am I missing something? Do I have to activate this new module somehow?
> > >
> > > Clueless @ this point...
> > >
> > > TIA for any info you might provide.
> > >
> > > Randy
> > >
> >
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3728&t=3402



Lab Date Swap for RTP November 17, 18 [7:3726]

2001-05-08 Thread Bouchard, Louis

I am looking to swap my Lab date in RTP scheduled for November 17 and 18,
2001.

I am interested in a mid-July or August timeframe at the same location (RTP).

Regards,

Louis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3726&t=3726



addressing/mask question [7:3727]

2001-05-08 Thread Scott Meyer

I have a question about network masks and proxy ARP that I have not
understood for a long time. I'm not sure that I can clearly explain the
question, but I'll give it my best. I got bits and pieces about the
situation, so I don't know exactly what is working and when.

A co-worker has a customer that has a really messy IP scheme. For
simplicity, the network scheme should be

network A              router A
172.16.1.0 /24         172.16.1.1   e0
                       192.168.1.1  s0

connects over WAN to

network B              router B
172.16.2.0 /24         172.16.2.1   e0
                       192.168.1.2  s0


This customer has hosts with misconfigured masks and default gateways all
over the place. Some hosts have wrong masks, some wrong gateways, on some
both are wrong, and some are right. The routers are configured correctly, as
above. Obviously he is experiencing some connectivity issues - sometimes
things work, and sometimes they don't.

I would like to more completely understand why. Proxy ARP is on (default).

Lets assume the following:
host A  (wrong mask configured, 172.16.1.5 /16, gateway 172.16.1.1) tries to
connect to host B  172.16.2.6 (correctly configured as /24, gateway
172.16.2.1)

My understanding of what happens:  Host A does binary anding, and thinks
that host B is on the same subnet. So it ARPs for 172.16.2.1. Proxy ARP is
on, so I would think the router recognizes that it needs to respond to host
A's ARP request. Host A now thinks that host B = MAC address of router A.
Host A sends traffic to router A and router A forwards. Both router A and
host A know the correct MAC address of each other, so host B's response will
get to host A. So this should work consistently despite the
misconfiguration, but I know better. How am I thinking incorrectly?

Next question, let's assume the following:
host A  (wrong gateway configured, 172.16.1.5 /24, gateway 172.16.1.3) tries
to connect to host B  172.16.2.6 (correctly configured as /24, gateway
172.16.2.1)

My understanding of what happens:   Host A does binary anding, and thinks
that host B is on another subnet. Host A thinks that the gateway is
172.16.1.3, and ARPs for that. If there is a 172.16.1.3, it will respond
with its MAC, host A will send traffic for host B to 172.16.1.3, which will
promptly drop it because it has no idea what to do with it. If there is not
a 172.16.1.3, host A will not get a response, and will timeout eventually. I
will need to check, but I don't think that host A will ARP for host B (as
opposed to ARPing for the gateway). So this should consistently not work. If
host A did not have a gateway at all, it would ARP for host B and router A
would respond (due to proxy ARP) and connectivity would be established. Am I
correct?

I do think it makes a difference who initiates the connection, because of
ARP. If host B tries to connect to host A, router A would ARP for host A.
Host A would place router A's MAC in its ARP table for host B, and as long
as that entry existed, communication would work consistently? Am I thinking
correctly?

If proxy ARP is enabled, why is a default gateway needed? I have never seen
a TCP/IP configuration that doesn't have a spot to enter a default gateway.
Conversely, if everything has a default gateway, why is proxy ARP needed? If
one of those (either the gateway or proxy ARP) is not working for whatever
reason, why is communication spotty? Should it not be consistently either
working or not?

If proxy ARP works like it is supposed to, I don't see a need for hosts to
have masks and gateways configured. The only problem I see is if there are
multiple gateways available to a subnet, where both (or more) gateways will
forward the packet, so the destination gets 2 packets. What happens then is
protocol and application dependent.

Any comment is appreciated. I'm currently learning how little I know. ;-)

Scott Meyer
CCNA, CCDA, MCSE, etc
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3727&t=3727
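The decisions Scott walks through (host ANDs the destination with its own mask, ARPs for the destination or the gateway, router answers only when proxy ARP lets it) can be traced mechanically. The following is an added example written for this thread, not code from the post: the IP addresses and masks are the ones in the question, while the host names, MAC addresses and Router A's routing table are constructed, and only the forward path from LAN A is modelled. The proxy ARP rule modelled here is the usual one: the router answers for a target only when it would forward that target out a different interface than the one the request came in on, so it never answers for an address on the requester's own subnet.

```python
"""Model of the host and router decisions walked through in the question.
Added example, not from the post; names, MACs and routes are constructed."""
import ipaddress


class Host:
    def __init__(self, name, addr, mac, gateway=None):
        self.name, self.mac = name, mac
        self.ifa = ipaddress.ip_interface(addr)          # e.g. "172.16.1.5/16"
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """The host ANDs dst with its own mask: on-link means it ARPs for dst
        itself; off-link means it ARPs for its gateway (None if it has none)."""
        dst = ipaddress.ip_address(dst)
        return dst if dst in self.ifa.network else self.gateway


class Router:
    def __init__(self, name, interfaces, routes, proxy_arp=True):
        # interfaces: {ifname: (addr, mac)}; routes: [(network, out_ifname)]
        self.name, self.proxy_arp = name, proxy_arp
        self.ifs = {n: (ipaddress.ip_interface(a), m) for n, (a, m) in interfaces.items()}
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]

    def egress_for(self, dst):
        """Interface dst would be forwarded out of, or None if there is no route."""
        for net, ifname in self.routes:
            if dst in net:
                return ifname
        return None

    def arp_reply(self, in_if, target):
        """MAC the router answers with for an ARP request heard on in_if, or
        None.  Proxy ARP answers only for targets routed out a *different*
        interface, so never for an address on the requester's own subnet."""
        ifa, mac = self.ifs[in_if]
        if target == ifa.ip:
            return mac
        if self.proxy_arp and self.egress_for(target) not in (None, in_if):
            return mac
        return None


class Segment:
    """One broadcast domain: its hosts plus the router interfaces on it."""
    def __init__(self, hosts, router_ports):
        self.hosts, self.router_ports = hosts, router_ports

    def arp(self, target):
        """Who answers an ARP request for target: (mac, owner) or (None, None)."""
        for h in self.hosts:
            if h.ifa.ip == target:
                return h.mac, h
        for r, ifname in self.router_ports:
            mac = r.arp_reply(ifname, target)
            if mac:
                return mac, r
        return None, None


def deliver(segment, src, dst):
    """Trace one packet from src to dst and return a one-line verdict."""
    dst = ipaddress.ip_address(dst)
    hop = src.next_hop(dst)
    if hop is None:
        return "no route: off-link and no gateway configured"
    mac, owner = segment.arp(hop)
    if mac is None:
        return f"ARP for {hop} unanswered: packet never leaves {src.name}"
    if isinstance(owner, Router):
        return f"forwarded by {owner.name}" if owner.egress_for(dst) else f"{owner.name} has no route"
    if owner.ifa.ip == dst:
        return f"delivered on-link to {owner.name}"
    return f"sent to {owner.name} ({hop}), which is not a router and drops it"


# Router A from the question (MAC constructed); 172.16.2.0/24 lies behind s0.
IFS_A = {"e0": ("172.16.1.1/24", "00:00:0c:00:00:01"), "s0": ("192.168.1.1/30", None)}
ROUTES_A = [("172.16.1.0/24", "e0"), ("172.16.2.0/24", "s0")]
ROUTER_A = Router("RouterA", IFS_A, ROUTES_A)
ROUTER_A_NO_PROXY = Router("RouterA", IFS_A, ROUTES_A, proxy_arp=False)


def scenario(host_addr, gateway=None, extra_hosts=(), router=ROUTER_A):
    """Put one test host (and any extra hosts) on LAN A and send to host B."""
    a = Host("HostA", host_addr, "02:00:00:00:00:05", gateway)
    seg = Segment([a, *extra_hosts], [(router, "e0")])
    return deliver(seg, a, "172.16.2.6")


if __name__ == "__main__":
    host_c = Host("HostC", "172.16.1.3/24", "02:00:00:00:00:03")
    print("wrong mask /16, gateway .1     :", scenario("172.16.1.5/16", "172.16.1.1"))
    print("right mask, gateway .3 absent  :", scenario("172.16.1.5/24", "172.16.1.3"))
    print("right mask, gateway .3 present :", scenario("172.16.1.5/24", "172.16.1.3", [host_c]))
    print("right mask, no gateway         :", scenario("172.16.1.5/24"))
    print("wrong mask /16, proxy ARP off  :", scenario("172.16.1.5/16", "172.16.1.1", router=ROUTER_A_NO_PROXY))
```

Run as-is it prints the verdict for each of the configurations in the question. The /16 host works only because proxy ARP answers for 172.16.2.6; turn proxy ARP off on Router A and the same host's ARP goes unanswered. The wrong-gateway host fails either way: if 172.16.1.3 exists it receives and drops the packet, and if it does not exist nobody answers, because a router will not proxy for an address inside the requester's own subnet. A host with no gateway at all only gets anywhere in this model when its mask is wrong enough to make the destination look on-link.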



question about using MRTG to survey the traffic of POS [7:3725]

2001-05-08 Thread jack xu

Hi, everyone.
I have a problem using MRTG to survey the traffic of a POS interface on
Cisco's GSR router and Juniper's M160 router: the amount of traffic on the POS
interface displayed in MRTG is much smaller than that displayed by the router's
exec command, but they are the same if the interface is an ATM interface or an
Ethernet interface. I guess there is a bug in MRTG's programming or a
misconfiguration in the configuration file. Can anyone give me the true
answer? Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3725&t=3725



Re: FW: FW: security opinions please [7:3666]

2001-05-08 Thread Jim Gillen

Very passionate, but I think you missed the point... and got it at the same
time. You are right, nothing is safe, including firewalls which have various
degrees of accreditation by national security advisory groups, including the
military, which have higher levels than most. You can only ever minimise the
chance of a penetration, not prevent it!

I am not going to discuss here how it can be done but you can research that
for yourself. It is everywhere on the internet and in books.

I still would not allow an external network to be directly connected to a
switch with internal networks on it in any network that I am responsible for;
it is just too dangerous!

However, if you have discussed the security implications with the Business
side and costs are a consideration and they understand the risks then go for
it.

Do you have a security policy in place...this is very important. Most don't
and some will suffer the consequences. There are many other configuration
considerations aside that need to be considered to develop a security policy.

I could go on and on and on and on...




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> "Eric Rivard"  9/05/01 10:19:16 >>>


Call me naive, but how can a hacker know you are connected to a switch?
Let alone find the IP address of the switch if it is on the internal
address? Yes the switch is separating traffic by software, but isn't
every firewall doing the same thing? PIX, CheckPoint, Cisco IOS Firewall
feature set, are all software, so should we use none of these products,
because no software is perfect? Think about the PIX, the inside traffic
and outside traffic is handled all in ONE box. What's the difference?
First of all, anyone that has set up a co-location or web server on a
DMZ knows that your firewall is not your first line of defense. The
first line is your Internet Router. Here you only allow web, smtp, dns,
and ftp (if you want) traffic in. The hacker has to get through this
first. You can also put an access-list on this router to prevent any
traffic to hit the actual outside interface of the pix, so it cannot be
directly attacked. Then we have the PIX which provides additional
security from our inside network. How can a hacker telnet into a switch
if the IP address is inside and the PIX prohibits this? Last time I
checked you can't use a MAC address to telnet. And besides, don't Cisco
switches have over a 1000 MAC addresses in the Supervisor Engine? How
can you overflow a switch with MAC addresses or traffic? You should use
a high-end switch for your web traffic. Most of these switches can switch
billions of packets per second. Your Internet connection will crash
before anyone can even come close to this. In addition most companies
set up their web server in a co-location where space is a premium. You
cannot put in 3 4000 or 5000 switches in one rack and your servers also.
And then these companies have internal routers connecting their internal
network to this co-location where they put more access-lists. I think
any hacker would give up before trying to continue on. Yes no software
is perfect, but every firewall is software. The only secure way is to
have no Internet access.

-Original Message-
From: Jim Gillen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:42 PM
To: [EMAIL PROTECTED]
Subject: Re: FW: security opinions please [7:3666]


Have you ever looked into how a switch can be compromised by an experienced
hacker?

Even though, theoretically, VLANs can't talk to each other except through a
router, you are still having external and internal traffic on the same
physical box running OS software, which is not perfect.




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> "Brian"  9/05/01 8:59:56 >>>


Echoing these sentiments here, the whole point of vlans is traffic
separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANs
> to distinguish between outside, dmz, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Exciter's network diagram on its site, saying how they used VLANs, they
> also had an Oracle example. I have set up quite a bit of co-locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the Out

Re: 3620 with 2 x NM-2FE-2W problem [7:3687]

2001-05-08 Thread Kevin Wigle

ok, typically when trying to get a positive indication, either good or bad -
from Cisco about capabilities - is a very difficult thing.

We have had good long threads on the list about things that work vs. things
that are supported.

That being said, here is a snippet from:

http://www.cisco.com/warp/customer/cc/pd/rt/3600/prodlit/atmnm_ov.htm

Which describes an ATM module for the 3600 series.

Technical Specifications
ATM OC-3 Network Module System Requirements

Only supported on the Cisco 3600 series routers at this time

Not supported on the Cisco 2600 series

No slot placement restrictions on either platform

* Maximum recommended on a single Cisco 3640 and Cisco 3620 is one

* Max two high-speed network modules in a Cisco 3640 (includes Fast
Ethernet, ATM, HSSI)

Requires Plus feature sets of Cisco IOS Release 12.0(3)T or above

Operates in conjunction with all currently available Cisco 3600 network
modules and WAN interface cards (WICs)

**

Note my stars.  Although it says 2 modules I think this was before the 2FE2W
was around..

Now, below is a table from:
http://www.cisco.com/warp/customer/cc/pd/rt/3600/prodlit/1fefx_ov.htm

Which is for the 1FEFX

Supported Configurations
The following table provides configurations supported by the new modules.

Table 2: Module Maximum Quantity in Cisco

Max Number of      3620    3640
NM-1FE-FX          1       3

*

bad pasting but it reads 1 FEFX for a 3620 and 3 for a 3640.

Now having said all that, this page says that YES you can put 2 x NM-2FE2W
in a 3620:

http://www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/2636m_ds.htm

The Maximum Number of NMs that can be utilized in each of the 2600/3600
families is as follows:

             2600    3620    3640    3660
NM-2FE2W     N/A     2       4       6

Also: The minimum level of IOS is IOS 12.0(7)XK or 12.1(1)T

And finally.

You may want to look and see if you have a 3620 that has PCI bus problems.

In this case (I actually had one and returned it), it was specifically ATM
but your output did mention PCI dev 5
http://www.cisco.com/warp/public/770/51.shtml

give the command: show pci hardware
and if you see 0x22 or 0xE2 - then your 3620 should be returned.

In any event, I think you have a case to take to TAC.


Kevin Wigle



- Original Message -
From: "Gareth Hinton" 
To: 
Sent: Tuesday, 08 May, 2001 19:56
Subject: Re: 3620 with 2 x NM-2FE-2W problem [7:3687]


> That's exactly the sort of thing I'm looking for, but I've scoured CCO and
> cannot find anything that says it will or won't work.
>
> I've heard rumour that the only limiting factor was that I would not get a
> non-blocking configuration, but I'll put up with that if I can get it to
> work.
>
> Anybody any clues, particularly on the error that points to ROM version,
> while ROM version seems to be sufficient?
>
> Thanks,
>
> Gaz
>
> ""Kevin Wigle""  wrote in message
> news:[EMAIL PROTECTED]...
> > I would have to find it again but I'm sure that somewhere on CCO it says
> > that a 3620 shouldn't have more than 2 fast interfaces be they fast
> ethernet
> > or ATM or a combination.
> >
> > Your router now has 4 fast interfaces.
> >
> > Kevin Wigle
> >
> > - Original Message -
> > From: "Gareth Hinton"
> > To:
> > Sent: Tuesday, 08 May, 2001 17:39
> > Subject: 3620 with 2 x NM-2FE-2W problem [7:3687]
> >
> >
> > > Hi all,
> > >
> > > Problem with a 3620:
> > >
> > > Takes one NM-2FE-2W fine. When second one is inserted major problems
> > > arise.
> > >
> > > NM slot 0: PCI dev 5 init failed
> > > No fault history 0x. Need 11.1 (2) or higher ROM
> > >
> > > The boot rom is "System Bootstrap, Version 11.1(20)AA2"
> > >
> > > I've gone through CCO to confirm that the 3620 will take these cards,
> > > and although there were a few doubts, eventually found it and they
> > > should be OK.
> > >
> > > Anybody seen similar or got ideas.
> > >
> > > Thanks,
> > >
> > > Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3723&t=3687



Re: Pix 5xx [7:3716]

2001-05-08 Thread Karim Manji

I don't know of a book that focuses just on PIX, but I think the "Managing 
Cisco Network Security" by Michael Wenstrom ISBN 1578701031 is good.


>From: "Keith Townsend" 
>Reply-To: "Keith Townsend" 
>To: [EMAIL PROTECTED]
>Subject: Pix 5xx [7:3716]
>Date: Tue, 8 May 2001 19:57:01 -0400
>
>Anybody knows a good book for learning the Cisco Pix.  I had to install one
>of these and I got the job done but





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3722&t=3716



Trade - Lab gear [7:3721]

2001-05-08 Thread PacketSlinger

I am building my home lab and have a hodge-podge of stuff.
I am hoping to get different stuff that will meet my lab needs.

I have the following:

1 x NM-1CT1-CSU (1-port channelized T1-PRI mod w/CSU)   approx. $2000 new
1 x NM-8AM (8-port Analog Modem mod)                    approx. $1550 new
2 x NM-1FE-2W (2-port 10/100 + 2 Wic slots)             approx. $1600 new


I am looking for:
1 x NM-4A/S or NM-8A/S (8 or 4 port async/sync NM)
1 x NM-16A (16 port async module)
2 x NM-1V or NM-2V (1 or 2 slot voice module)
1 x VIC-2FXS (2 port FXS mod)
1 x VIC-2FXO (2 port FXO mod)

Anybody wanna trade?

-Sling







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3721&t=3721



Sending JPEG across an ISDN bridged link brings the network to [7:3720]

2001-05-08 Thread KM Reynolds

Hi all,

Need the group's advice.

The network consists of two 1605 routers with 128k ISDN connections in a
transparent bridge environment.
This network suffers from lockups often; however, not consistently.
Yesterday, speaking with a user, he asked me a question. The question was,
"Why is it when I send a JPEG file to a user located across the ISDN link,
the network comes to a halt?".
I told him that if the JPEG was very large in size, ex. 2MB, when it has to
cross the ISDN link, it's like trying to squeeze a lemon (a small one) into a
pop bottle (maybe not a good example, but that is all I could think of).
This saturates the ISDN link which is only 128k.

Am I correct in my explanation?  What would be a good explanation? I am not
comfortable with my explanation (maybe I am wrong).  I look forward to
hearing the group's thoughts, as well as any solutions (change to routing,
QOS, etc.)

TIA
KM






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3720&t=3720



RE: security opinions please [7:3666]

2001-05-08 Thread Carroll Kong

At 06:11 PM 5/8/01 -0400, Jacques Atlas wrote:
>On Tue, 8 May 2001, Michael Cohen wrote:
>
>|How does one go upon "penetrating" the internal VLAN on a switch while only
>|having access to the external VLAN and not traversing the PIX in the middle?
>
>i would also be interested in finding out the theory behind this.
>
>|I have heard the response from numerous security engineers that anything is
>|possible however I guess I'm a novice because I have never seen nor heard of
>|this being done in the situation mentioned above.
>
>did they give you proof ?
>
>|I attribute the idea of physically separating these networks (even
>|though VLAN based separation is just as effective) as security paranoia.
>
>there are also times when you can not afford to buy a decent switch for
>every service that you want and a large switch could give the best
>possible solution.
>
>--
>jacques

Some quite nasty security issues with Switches

Believe it or not, there is a way to sniff on a switch.  :(  So, enter 
scenario 1, where you HAVE to assume the DMZ gets compromised.  (Because 
this happens, and is inevitable.  If it didn't, why bother with a 
DMZ?)  The host can possibly sniff the network, I really hope you got ssh 
enabled everywhere.  SNMP is not encrypted yet (If I recall correctly), so, 
that's another give away for more info.  Fallacy #3 or so is to believe 
that the internal network is safe, hence clear text is 'OK', well it's 
not.  :)  Or, you can try to do "MAC Address Locking", which would stop 
it.  The basis of sniffing on a switch is basically ARP Forging.  Do recall 
the secure MAC Address Locking is somewhat inconvenient at times.  But 
worth it if you are the Security Ninja that they expect you to be!  :)

Switches are vulnerable to IP DoSes due to management ips and snmp and what 
not, you probably could setup ACLs to help stop that though.  Oh yeah, 
there was a bug with Windows XP and a Catalyst where I believe the Windows 
XP box absolutely demolished the Catalyst.  Cisco admitted the fault and 
put up a security advisory.  I suppose a DoS doesn't count as penetration, 
but it sure is annoying.

"A frame that enters a Cat5K backplane gets dumped to all ports on the 
switch. It is then up to the processor to tell all ports (minus the actual 
destination port) to drop the frame. Should the processor become 
overloaded, it cannot inform the ports to drop the frame"

Guthrie, Jeremy. ``Re: Cisco Catalyst switches.'' 14 June 2000. URL:
http://www.securityfocus.com/frames/?content=/templates/archive.pike
(19 August 2000.)

Ah well, leaky ethernet packets aren't so hot for security either, and when 
you can bust the layer 2 level, Pix or not, it's smooth sailing to the 
internal network.  VLAN Hopping!  Although there is not any specific 
implementation to do this, the possibility is quite frightening.

Oh yeah, if you do trunking, since ISL has no authentication, there might 
be ways to claim particular VLANs and MAC addresses.

"Unfortunately, the ISL protocol has no authentication. This lack of 
authentication allows an attack where a user spoofs ISL packets in order to 
communicate with other VLANs that exist on the switch".

Russel, Ryan. ``Cisco Catalyst issues.'' 30 October 1998. URL:
http://lists.synfin.net/Archives/firewall-wizards/1998/Nov/msg00039.html

I am sure there are a ton of other nasty possibilities.  Also, realize that 
Cisco switch products are generally designed for performance (since 
everyone loves zoom zoom zoom switches), they are not really designed for 
security.  I am not sure if they are really doing a high level security 
audit on their switches for high levels of security.  I guess you could 
take the risk.  But if you follow the original axiom of security, which is not 
to trust anyone, why should I begin to trust the Cisco Catalyst?

However, with Security Axiom #2 or so being 'if the security solution 
brings about great "cost" (defined by inconvenience + price) in a 
staggering proportion compared to the value of what is being protected, you 
are doing yourself a disservice', it does not mean to just throw away all 
Catalysts and slay the mighty VLAN Daemons inside!  It just means, 
seriously weigh the costs out yourself.

And admittedly, after doing the heavy duty research, you could do a fair 
amount of work to secure the Catalyst to a "reasonable" degree, so it is 
not as bad as I originally thought.  However, the potential is there, good 
luck with evaluating!  And down with the HaX0rS and CraCkeRs!  ;)


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3719&t=3666
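Two of the points in Carroll's post, that sniffing on a switch rests on ARP forging and that per-port MAC address locking is the countermeasure, can be turned into checks a practitioner would actually run. What follows is an added example written for this thread, not code from the post or from Cisco. The traffic is constructed: a DMZ segment whose gateway is 10.0.0.1, a web server at 10.0.0.10, a host at 10.0.0.11 that has been compromised and starts answering ARP for the other two addresses, and a fourth port that begins flooding the switch with made-up source MACs. All addresses, MACs and port names are assumed.

```python
"""ARP-forging detection plus a model of per-port MAC locking (port security).
Added example, not from the post; the frames below are constructed."""
from collections import defaultdict

# (seq, switch port, source MAC, ARP sender IP or None for a non-ARP frame)
SAMPLE_FRAMES = [
    (1, "Fa0/1", "00:00:0c:07:ac:01", "10.0.0.1"),    # gateway, genuine
    (2, "Fa0/2", "00:50:56:00:00:10", "10.0.0.10"),   # web server, genuine
    (3, "Fa0/3", "00:50:56:00:00:11", "10.0.0.11"),   # compromised host, genuine
    (4, "Fa0/3", "00:50:56:00:00:11", "10.0.0.1"),    # .11 now claims the gateway IP
    (5, "Fa0/3", "00:50:56:00:00:11", "10.0.0.10"),   # .11 now claims the web server IP
    (6, "Fa0/4", "de:ad:00:00:00:01", None),          # CAM-table flooding from Fa0/4
    (7, "Fa0/4", "de:ad:00:00:00:02", None),
    (8, "Fa0/4", "de:ad:00:00:00:03", None),
]


def detect_arp_forging(frames, trusted=None):
    """Flag ARP replies whose sender MAC contradicts the MAC already bound to
    that IP.  'trusted' pins known bindings (e.g. the gateway) up front so a
    forged reply is caught even when it is the first one seen.
    Returns [(seq, port, ip, claimed_mac, expected_mac), ...]."""
    bindings = dict(trusted or {})
    alerts = []
    for seq, port, mac, ip in frames:
        if ip is None:
            continue
        expected = bindings.setdefault(ip, mac)
        if expected != mac:
            alerts.append((seq, port, ip, mac, expected))
    return alerts


def port_security(frames, max_macs=1, sticky=None):
    """Model of per-port MAC locking: a port may source at most max_macs
    addresses (learned on first sight, or pre-set via 'sticky'); any further
    address is a violation, which a real switch would drop or err-disable.
    Returns ({port: set(allowed macs)}, [(seq, port, mac), ...])."""
    allowed = defaultdict(set)
    for port, macs in (sticky or {}).items():
        allowed[port].update(macs)
    violations = []
    for seq, port, mac, _ip in frames:
        if mac in allowed[port]:
            continue
        if len(allowed[port]) < max_macs:
            allowed[port].add(mac)
        else:
            violations.append((seq, port, mac))
    return dict(allowed), violations


if __name__ == "__main__":
    for seq, port, ip, mac, expected in detect_arp_forging(SAMPLE_FRAMES):
        print(f"ARP forging #{seq} on {port}: {ip} claimed by {mac}, bound to {expected}")
    allowed, violations = port_security(SAMPLE_FRAMES, max_macs=1)
    for seq, port, mac in violations:
        print(f"port-security violation #{seq} on {port}: {mac}")
```

Note what each check catches. The MAC limit stops the flood from Fa0/4 (frames 7 and 8 are violations), which is the attack that turns a switch into a hub. It says nothing about frames 4 and 5, because the host on Fa0/3 is forging IP-to-MAC bindings with its own, legitimately learned MAC (it needs the redirected frames to reach it), so those are only caught by the binding check, ideally with the gateway's real MAC pinned in `trusted` rather than learned from whichever reply arrives first.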



FW: FW: security opinions please [7:3666]

2001-05-08 Thread Eric Rivard

Call me naive, but how can a hacker know you are connected to a switch?
Let alone find the IP address of the switch if it is on the internal
address? Yes the switch is separating traffic by software, but isn't
every firewall doing the same thing? PIX, CheckPoint, Cisco IOS Firewall
feature set, are all software, so should we use none of these products,
because no software is perfect? Think about the PIX, the inside traffic
and outside traffic is handled all in ONE box. What's the difference?
First of all, anyone that has set up a co-location or web server on a
DMZ knows that your firewall is not your first line of defense. The
first line is your Internet Router. Here you only allow web, smtp, dns,
and ftp (if you want) traffic in. The hacker has to get through this
first. You can also put an access-list on this router to prevent any
traffic to hit the actual outside interface of the pix, so it cannot be
directly attacked. Then we have the PIX which provides additional
security from our inside network. How can a hacker telnet into a switch
if the IP address is inside and the PIX prohibits this? Last time I
checked you can't use a MAC address to telnet. And besides, don't Cisco
switches have over a 1000 MAC addresses in the Supervisor Engine? How
can you overflow a switch with MAC addresses or traffic? You should use
a high-end switch for your web traffic. Most of these switches can switch
billions of packets per second. Your Internet connection will crash
before anyone can even come close to this. In addition most companies
set up their web server in a co-location where space is a premium. You
cannot put in 3 4000 or 5000 switches in one rack and your servers also.
And then these companies have internal routers connecting their internal
network to this co-location where they put more access-lists. I think
any hacker would give up before trying to continue on. Yes no software
is perfect, but every firewall is software. The only secure way is to
have no Internet access.

-Original Message-
From: Jim Gillen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:42 PM
To: [EMAIL PROTECTED]
Subject: Re: FW: security opinions please [7:3666]


Have you ever looked into how a switch can be compromised by an experienced
hacker?

Even though, theoretically, VLANs can't talk to each other except through a
router, you are still having external and internal traffic on the same
physical box running OS software, which is not perfect.




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> "Brian"  9/05/01 8:59:56 >>>


Echoing these sentiments here, the whole point of vlans is traffic
separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANs
> to distinguish between outside, dmz, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Exciter's network diagram on its site, saying how they used VLANs, they
> also had an Oracle example. I have set up quite a bit of co-locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the Outside he
> would have to go through the firewall. If Cisco recommends and companies
> like Microsoft and Excite are implementing it, I don't see how it can be
> a security risk. See this link for a really good document on setting up
> an e-commerce co-location network, it also has router and pix configs
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
>
> -Original Message-
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an external
> >internet vlan, a dmz, and several internal vlans.   The internal vlans are
> >routed by an MSFC in the 6500.  Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts ac

RE: Passed CCIE Written but NOT doing lab [7:3568]

2001-05-08 Thread Jim Gillen

Agree, in spades




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> "William E. Grudged"  9/05/01 9:17:06 >>>


Carroll's right, you can't BS that lab!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Carroll Kong
Sent: Tuesday, May 08, 2001 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Passed CCIE Written but NOT doing lab [7:3568]


At 01:27 PM 5/8/01 -0400, Chris Haller wrote:
>The school I am currently attending for CCIE
>written/lab is pumping out "paper" CCIE's faster than
>I can say .. "help, the written ccie is almost as
>worthless as the mcse"
>
>Juniper ??  I hear their test is twice as hard as
>CCIE.  Maybe you should attempt that one 

But by definition, there is no paper CCIE.  You have no CCIE certification
if you only pass the qualifier (written exam).  I do not know if you can
even consider it "half way" there.  It is just a prelude of things to come
and to weed out people.  I have not taken the written personally, so not
sure if it is "bookwormable".  I am assuming it is since anything written /
multiple choice ends up being that way in the end.

The Juniper written lab or the juniper practical lab is "twice" as
hard?  If it is more emphasis on ISIS or Juniper-isms, it is a
matter of spending some time to apply your basic networking knowledge to
understand new protocols (ISIS isn't concentrated on as heavily in CCIE
exams if I remember correctly) and learning a particular company's
"isms".  Or working with the company's particular hardware.  (ouch, good
luck finding those guys on ebay for a good price).  Should not be too hard
for good networking guys (written part), exposure to the hardcore equipment
might be hard, but also makes you wonder if the market space is really that
big for heavy duty core work.



-Carroll Kong


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3717&t=3568
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Pix 5xx [7:3716]

2001-05-08 Thread Keith Townsend

Anybody know a good book for learning the Cisco Pix?  I had to install one
of these and I got the job done but




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3716&t=3716
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: 3620 with 2 x NM-2FE-2W problem [7:3687]

2001-05-08 Thread Gareth Hinton

That's exactly the sort of thing I'm looking for, but I've scoured CCO and
cannot find anything that says it will or won't work.

I've heard rumour that the only limiting factor was that I would not get a
non-blocking configuration, but I'll put up with that if I can get it to
work.

Anybody any clues, particularly on the error that points to ROM version,
while ROM version seems to be sufficient?

Thanks,

Gaz

"Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> I would have to find it again but I'm sure that somewhere on CCO it says
> that a 3620 shouldn't have more than 2 fast interfaces be they fast
ethernet
> or ATM or a combination.
>
> Your router now has 4 fast interfaces.
>
> Kevin Wigle
>
> - Original Message -
> From: "Gareth Hinton"
> To:
> Sent: Tuesday, 08 May, 2001 17:39
> Subject: 3620 with 2 x NM-2FE-2W problem [7:3687]
>
>
> > Hi all,
> >
> > Problem with a 3620:
> >
> > Takes one NM-2FE-2W fine. When second one is inserted major problems
> arise.
> >
> > NM slot 0: PCI dev 5 init failed
> > No fault history 0x. Need 11.1 (2) or higher ROM
> >
> > The boot rom is "System Bootstrap, Version 11.1(20)AA2"
> >
> > I've gone through CCO to confirm that the 3620 will take these cards,
and
> > although there were a few doubts, eventually found it and they should be
> OK.
> >
> > Anybody seen similar or got ideas.
> >
> > Thanks,
> >
> > Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3715&t=3687
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: tcp intercept [7:3685]

2001-05-08 Thread Jeff Duchin

I found them as well, thanks.

I guess I need to rephrase the question... there are many parameters
(watch-timeout/drop-mode,etc.) that you can configure and I was wondering
what most people out there are using?

There are usually pros and cons to everything and talking to people who have
already done this might have some good advice... or not, heh, heh, heh.

Cheers,
Jeff


"andyh" wrote in message news:[EMAIL PROTECTED]...
> check
>
>
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur
> _c/scprt3/scdenial.htm
>
> or alternatively search for tcp and intercept at:
>
> www.cisco.com
>
> like I just did
>
> Andy
>
> - Original Message -
> From: "Jeff Duchin"
> To:
> Sent: Tuesday, May 08, 2001 10:27 PM
> Subject: tcp intercept [7:3685]
>
>
> > What's the best way to enable this as I've seen a bunch of different
> > variations... I want this on my external router...
> >
> > Thanks,
> > Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3714&t=3685
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
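For the parameters Jeff lists, here is an added simulation of what they do. It is my own toy, not Cisco's code and not from this thread: half-open connections are tracked per client, any that have not completed within watch-timeout are reset, and once the count of incomplete connections crosses max-incomplete high the router goes aggressive, dropping one existing half-open connection (oldest or random, per drop-mode) for every new SYN and halving the watch timeout until the count falls back below low. Defaults follow the IOS documentation (30 s, 1100/900, oldest); the internals are simplified guesses, only watch mode is modelled (intercept mode, where the router answers the SYN itself, is not), the demo lowers the thresholds to 50/30 so the flood is small, and all addresses and timings are constructed.

```python
import random
from collections import OrderedDict


class TcpIntercept:
    """Toy model of IOS 'ip tcp intercept' bookkeeping in watch mode.
    Added illustration; thresholds default to the documented values but
    the internals are simplified guesses, not Cisco's implementation."""

    def __init__(self, watch_timeout=30.0, max_incomplete=(1100, 900),
                 one_minute=(1100, 900), drop_mode="oldest", seed=0):
        self.watch_timeout = watch_timeout            # ip tcp intercept watch-timeout
        self.max_hi, self.max_lo = max_incomplete     # ip tcp intercept max-incomplete high/low
        self.min_hi, self.min_lo = one_minute         # ip tcp intercept one-minute high/low
        self.drop_mode = drop_mode                    # ip tcp intercept drop-mode oldest|random
        self.rng = random.Random(seed)
        self.half_open = OrderedDict()                # client -> SYN time, oldest first
        self.attempts = []                            # SYN timestamps for the per-minute rate
        self.aggressive = False
        self.resets = []                              # (time, client) RSTs the router sent

    def _rate(self, now):
        self.attempts = [t for t in self.attempts if t > now - 60]
        return len(self.attempts)

    def _update_mode(self, now):
        n, rate = len(self.half_open), self._rate(now)
        if not self.aggressive and (n > self.max_hi or rate > self.min_hi):
            self.aggressive = True
        elif self.aggressive and n < self.max_lo and rate < self.min_lo:
            self.aggressive = False

    def _drop_one(self, now):
        """Aggressive mode: every new SYN costs one existing half-open connection."""
        if not self.half_open:
            return
        client = (self.rng.choice(list(self.half_open)) if self.drop_mode == "random"
                  else next(iter(self.half_open)))
        del self.half_open[client]
        self.resets.append((now, client))

    def expire(self, now):
        """Reset half-open connections older than the (possibly halved) watch timeout."""
        timeout = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        for client, started in list(self.half_open.items()):
            if now - started > timeout:
                del self.half_open[client]
                self.resets.append((now, client))

    def syn(self, now, client):
        self.expire(now)
        self.attempts.append(now)
        self._update_mode(now)
        if self.aggressive:
            self._drop_one(now)
        self.half_open.pop(client, None)
        self.half_open[client] = now

    def ack(self, now, client):
        """Final ACK of the handshake: established, so it leaves the watch list."""
        self.half_open.pop(client, None)


def demo(drop_mode="oldest"):
    """Constructed traffic: two legitimate clients that complete their handshakes
    and a flood of 80 spoofed sources that never do.  Thresholds lowered to 50/30."""
    ti = TcpIntercept(max_incomplete=(50, 30), drop_mode=drop_mode)
    ti.syn(0.0, "10.1.1.5")
    ti.ack(0.1, "10.1.1.5")
    for i in range(80):
        ti.syn(1.0 + i * 0.1, f"198.51.100.{i + 1}")
        if i == 40:                       # a real user arrives mid-flood...
            ti.syn(5.05, "10.1.1.6")
        if i == 42:                       # ...and finishes the handshake
            ti.ack(5.25, "10.1.1.6")
    peak = len(ti.half_open)
    ti.expire(40.0)                       # flood has stopped; (halved) timeouts fire
    return {"peak": peak, "left": len(ti.half_open), "resets": len(ti.resets),
            "first_reset": ti.resets[0][1] if ti.resets else None,
            "reset_clients": {c for _, c in ti.resets}, "aggressive": ti.aggressive}
```

The point of the two thresholds is visible in demo(): the half-open count never exceeds high plus one, because from then on each new SYN evicts an old one, and the clients that did finish their handshake are never touched in either drop mode. Lower high/low and a shorter watch-timeout make the box react sooner but also reset slow legitimate clients sooner, which is the trade-off behind Jeff's question.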



Re: FW: security opinions please [7:3666]

2001-05-08 Thread Jim Gillen

Have you ever looked into how a switch can be compromised by an experienced
hacker?

Even though, theoretically, VLANS can't talk to each other except through a
router you are still having external and internal traffic on the same physical
box running OS software, which is not perfect.




Cheers

Jim Gillen

Snr Communications Engineer
AUSTRAC

Ph:   9950 0842
Fax:  9950 0074



>>> "Brian"  9/05/01 8:59:56 >>>


Echoing these sentiments here, the whole point of vlans is traffic
separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANS
> to distinguish between outside, dmz, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Exciter's network diagram on its site, saying how they used VLANS, they
> also had an Oracle example. I have set up quite a bit of co locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the Outside he
> would have to go through the firewall. If Cisco recommends and companies
> like Microsoft and Excite are implementing it, I don't see how it can be
> a security risk. See this link for a really good document on setting up
> a e-commerce co-location network, it also has router and pix configs
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
>
> -Original Message-
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an external
> >internet vlan, a dmz, and several internal vlans.   The internal vlans are
> >routed by an MSFC in the 6500.  Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Oh boy, the big security button.  IF you really want to be secure, you are
> NOT going to be using VLANs at all.  You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE.  However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based
> security.  A novice and probably most intermediates, will not.  You decide
> and weigh out your costs in choosing the far less flexible hard switches on
> the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do.  i.e.  If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
> not, you may want to stick with VLANs.  Security is always a balance
> between convenience and security.  :(  The sad truth is, the ultimate
> security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
> takes off).  :)
>
>
>
> -Carroll Kong
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7

Re: security opinions please [7:3666]

2001-05-08 Thread Drew Simonis

Michael Cohen wrote:
> 
> How does one go about "penetrating" the internal VLAN on a switch while only
> having access to the external VLAN and not traversing the PIX in the middle?
> I have heard the response from numerous security engineers that anything is
> possible however I guess I'm a novice because I have never seen nor heard of
> this being done in the situation mentioned above.  I attribute the idea of
> physically separating these networks (even though VLAN based separation is
> just as effective) as security paranoia.  

They say all you have to do is flood the switch with ARP requests and 
overflow the CAM table...  easy to talk about, hard to do in practice.  
There are, however, some tools that are supposed to help you attack a 
switch.  macof, part of dsniff, comes to mind.  As does ettercap.

In fact, I've never seen VLANs mentioned as anything more than a handy
way to break up broadcast domains.  I don't consider them a security
feature, and I don't know anyone else who does either.  

Some decent reads:

http://mlarchive.ima.com/firewalls/1999/4507.html
http://packetstorm.securify.com/9909-exploits/vlan_security.txt




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3712&t=3666
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
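The CAM-table overflow Drew mentions, as an added worked example (my code, not from this thread, from dsniff or from Cisco): a toy learning switch with a bounded, aging forwarding table, an attacker on one port sending frames from thousands of random source MACs the way macof does, and a port-security style per-port MAC limit as the countermeasure. The table size (64 entries), aging (300 ticks), flood rate, port numbers and MAC addresses are constructed demo values, not Catalyst numbers.

```python
import random


class Switch:
    """Toy learning switch with a bounded, aging CAM table and an optional
    port-security style limit on source MACs per port.  Added illustration,
    not vendor code; sizes and timings are constructed for the demo."""

    def __init__(self, ports, cam_size, aging, max_macs_per_port=None):
        self.ports = ports
        self.cam_size = cam_size
        self.aging = aging                      # ticks before an idle entry ages out
        self.max_macs_per_port = max_macs_per_port
        self.cam = {}                           # mac -> [port, last_seen]
        self.allowed = {}                       # port -> MACs admitted by port security
        self.shutdown = set()                   # ports disabled after a violation
        self.flooded = 0                        # frames sent out every port

    def _expire(self, now):
        for mac in [m for m, (_, seen) in self.cam.items() if seen < now - self.aging]:
            del self.cam[mac]

    def _learn(self, src, port, now):
        entry = self.cam.get(src)
        if entry is not None:
            entry[0], entry[1] = port, now      # refresh an existing entry
        elif len(self.cam) < self.cam_size:
            self.cam[src] = [port, now]
        # else: table exhausted, the address stays unknown (the attacker's goal)

    def _port_security_ok(self, src, port):
        if self.max_macs_per_port is None:
            return True
        macs = self.allowed.setdefault(port, set())
        if src in macs:
            return True
        if len(macs) >= self.max_macs_per_port:
            self.shutdown.add(port)             # violation action: shutdown
            return False
        macs.add(src)
        return True

    def forward(self, src, dst, in_port, now):
        """Deliver one frame; return the list of egress ports."""
        if in_port in self.shutdown or not self._port_security_ok(src, in_port):
            return []
        self._expire(now)
        self._learn(src, in_port, now)
        entry = self.cam.get(dst)
        if entry is None:                       # unknown unicast or broadcast: flood
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [entry[0]]


def run_scenario(attacker, port_security=False, frames_per_tick=100):
    """Victim on port 1, server on port 2, attacker on port 3.  The victim talks
    for 100 ticks, goes idle long enough for its entry to age out, then returns.
    Returns how many of the server's last 20 replies to the victim reached port 3."""
    rng = random.Random(7)
    sw = Switch(ports=[1, 2, 3], cam_size=64, aging=300,
                max_macs_per_port=2 if port_security else None)
    victim, server = "00:00:5e:00:01:01", "00:00:5e:00:01:02"
    leaked = 0
    for t in range(1, 1201):
        if attacker and t >= 50:
            for _ in range(frames_per_tick):    # macof-style: fresh random source per frame
                fake = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
                sw.forward(fake, "ff:ff:ff:ff:ff:ff", 3, t)
        if t <= 100 or t > 1000:
            sw.forward(victim, server, 1, t)
            if t > 1180 and 3 in sw.forward(server, victim, 2, t):
                leaked += 1
    return leaked
```

What it shows: the flood never evicts a live entry, it just keeps the table full, so the moment the victim's entry ages out it can never be re-learned and every unicast frame to it is flooded out all ports, the attacker's included (run_scenario(True) leaks all 20 replies, run_scenario(False) leaks none). In this toy all ports share one VLAN; on a real switch unknown-unicast flooding stays inside the VLAN, so a full table degrades every VLAN but only hands the attacker traffic from his own. A per-port limit of two source MACs with a shutdown action ends the attack on the third forged address.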



Re: ATM AAL5 errors [7:3682]

2001-05-08 Thread David Chandler

#1.  The source device encapsulates whatever traffic it has to send in an
AAL5 PDU, then segments the PDU and places the pieces of the PDU into the
payload of the ATM cells.

#2.  AAL5 is almost always used in UBR (unspecified bit rate) calls,
ie: no guarantee from the carrier that they will deliver your cell to
the destination.

#3.  During times of congestion the carrier will drop cells in a UBR
call.

#4.  If a cell (or cells) are dropped within the carrier's network, the
AAL5 PDU's CRC will be invalid.

#5.  There is an EOF (end of frame) bit within the cell header, which
tells the destination when it has received the last cell comprising the
AAL5 PDU.

#6.  If the EOF cell is lost then the destination will try to recombine
2 (or more) AAL5 PDUs, possibly resulting in a PDU that is too large.  

OR 

If the only cell comprising an AAL5 PDU that made it through the network was
the EOF cell, then the destination will find that the reassembled AAL5
PDU is smaller than the min allowed.


This is a brief overview of what ATM does and why you'll see AAL5
errors.  
There are always ifs and buts and a million little details, BUT I won't
get into those.

PS: if the errored AAL5 frames are not over 1% then don't worry about
it.


DaveC


Q wrote:
> 
> I'm getting AAL5 CRC and AAL5 Length errors. They are both tied to one
> another in terms of rate of errors. This is a difficult problem in terms
> that they are both related. One problem is that the other side of the WAN
> is a Cabletron SSR 8600 hunk of crap. Someone give me a clue...TIA!
> 
> marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3711&t=3682
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
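DaveC's points #1, #4, #5 and #6 as an added worked example (my code, not from the thread and not from any ATM stack): segment SDUs into 48-byte cell payloads behind an 8-byte CPCS trailer, lose selected cells, reassemble, and count CRC and length errors as two separate counters the way an interface would. zlib.crc32 stands in for the AAL5 CRC-32 (same polynomial, but this toy does not reproduce the spec's exact bit ordering), the `last` flag stands in for the PTI end-of-PDU bit, and the sample SDUs and drop patterns are constructed.

```python
import struct
import zlib
from dataclasses import dataclass

CELL_PAYLOAD = 48                                   # user bytes per ATM cell
TRAILER = 8                                         # UU(1) CPI(1) Length(2) CRC-32(4)
MAX_PDU = 65535 + TRAILER + CELL_PAYLOAD - 1        # largest legal CPCS-PDU incl. padding


@dataclass
class Outcome:
    crc_ok: bool
    length_ok: bool
    sdu: bytes = b""


def segment(sdu):
    """Wrap an SDU in a CPCS-PDU (pad + trailer) and cut it into cell payloads.
    Returns (payload, last) pairs; `last` stands in for the PTI 'end of PDU' bit."""
    pad = (-(len(sdu) + TRAILER)) % CELL_PAYLOAD
    body = sdu + b"\x00" * pad + struct.pack("!BBH", 0, 0, len(sdu))
    pdu = body + struct.pack("!I", zlib.crc32(body))   # zlib CRC-32 stands in for the AAL5 CRC
    cells = [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]
    return [(c, i == len(cells) - 1) for i, c in enumerate(cells)]


def reassemble(cells, max_pdu=MAX_PDU):
    """Receiver side: accumulate payloads until a last-cell flag, then check the
    trailer.  Without the last cell the next PDU's cells are glued on (DaveC's #6)."""
    outcomes, buf = [], b""
    for payload, last in cells:
        buf += payload
        if len(buf) > max_pdu:                      # merged PDUs grew past the maximum
            outcomes.append(Outcome(False, False))
            buf = b""
            continue
        if not last:
            continue
        pdu, buf = buf, b""
        body, crc = pdu[:-4], struct.unpack("!I", pdu[-4:])[0]
        length = struct.unpack("!H", pdu[-6:-4])[0]
        crc_ok = zlib.crc32(body) == crc
        length_ok = 0 <= len(pdu) - (length + TRAILER) < CELL_PAYLOAD   # pad is 0..47 bytes
        outcomes.append(Outcome(crc_ok, length_ok,
                                pdu[:length] if crc_ok and length_ok else b""))
    return outcomes


def counters(outcomes):
    """Two independent counters, like the AAL5 CRC and length error columns."""
    return {"ok": sum(o.crc_ok and o.length_ok for o in outcomes),
            "crc_errors": sum(not o.crc_ok for o in outcomes),
            "length_errors": sum(not o.length_ok for o in outcomes)}


def simulate(sdus, dropped=(), max_pdu=MAX_PDU):
    """Send the SDUs, lose the cells at the given stream indices, count the damage."""
    cells = [c for s in sdus for c in segment(s)]
    survivors = [c for i, c in enumerate(cells) if i not in set(dropped)]
    return counters(reassemble(survivors, max_pdu))


# Constructed sample: two 100-byte SDUs, three cells each (cells 0-2 and 3-5)
SAMPLE = [bytes(range(100)), b"B" * 100]
```

Run simulate(SAMPLE, dropped=[1]) for a lost middle cell, dropped=[2] for a lost last cell (the two PDUs merge into one bad one), and dropped=[0, 1] for the case where only the last cell survives. In every case the same damaged PDU fails both the CRC check and the length check, so the two counters climb in step, which is exactly the correlation marc is seeing; it points at cell loss in the path rather than at two separate faults.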



Re: tcp intercept [7:3685]

2001-05-08 Thread andyh

check

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur
_c/scprt3/scdenial.htm

or alternatively search for tcp and intercept at:

www.cisco.com

like I just did

Andy

- Original Message -
From: "Jeff Duchin" 
To: 
Sent: Tuesday, May 08, 2001 10:27 PM
Subject: tcp intercept [7:3685]


> What's the best way to enable this as I've seen a bunch of different
> variations... I want this on my external router...
>
> Thanks,
> Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3709&t=3685
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: WAN Job in the Metro Detroit area [7:3683]

2001-05-08 Thread William E. Gragido

dude, have you checked the joblist?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, May 08, 2001 4:24 PM
To: [EMAIL PROTECTED]
Subject: WAN Job in the Metro Detroit area [7:3683]


I am looking for a WAN job in the Detroit area, I can send you my resume
and cover letter upon request.

  Thanks  Brian




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3708&t=3683
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Passed CCIE Written but NOT doing lab [7:3568]

2001-05-08 Thread William E. Gragido

Carroll's right, you can't BS that lab!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Carroll Kong
Sent: Tuesday, May 08, 2001 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Passed CCIE Written but NOT doing lab [7:3568]


At 01:27 PM 5/8/01 -0400, Chris Haller wrote:
>The school I am currently attending for CCIE
>written/lab is pumping out "paper" CCIE's faster than
>I can say .. "help, the written ccie is almost as
>worthless as the mcse"
>
>Juniper ??  I hear their test is twice as hard as
>CCIE.  Maybe you should attempt that one 

But by definition, there is no paper CCIE.  You have no CCIE certification
if you only pass the qualifier (written exam).  I do not know if you can
even consider it "half way" there.  It is just a prelude of things to come
and to weed out people.  I have not taken the written personally, so not
sure if it is "bookwormable".  I am assuming it is since anything written /
multiple choice ends up being that way in the end.

The Juniper written lab or the juniper practical lab is "twice" as
hard?  If it is more emphasis on ISIS or Juniper-isms, it is a
matter of spending some time to apply your basic networking knowledge to
understand new protocols (ISIS isn't concentrated on as heavily in CCIE
exams if I remember correctly) and learning a particular company's
"isms".  Or working with the company's particular hardware.  (ouch, good
luck finding those guys on ebay for a good price).  Should not be too hard
for good networking guys (written part), exposure to the hardcore equipment
might be hard, but also makes you wonder if the market space is really that
big for heavy duty core work.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3707&t=3568
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: FW: security opinions please [7:3666]

2001-05-08 Thread Drew Simonis

Eric Rivard wrote:
> 
>   If Cisco recommends and companies
> like Microsoft and Excite are implementing it, I don't see how it can be
> a security risk. 

It can be, and it is.  But, so is just about everything.  It is the 
probability of the risk being exploited that really matters, and in 
this case I see that as a small one.  Now, lets talk about using 
Microsoft as a security benchmark...  ;-)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3706&t=3666
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



cisco news story [7:3705]

2001-05-08 Thread Ian Gomeche

cisco news story:

http://news.bbc.co.uk/hi/english/business/newsid_132/1320189.stm

ian




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3705&t=3705
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Frame Relay backup issue...(thanks) [7:3686]

2001-05-08 Thread Mark Z.

Thanks for the help E. I have a feeling that it might be a backup load issue
that I'll have to fix. Can't give you much info because I just found out I'm
going to this client tomorrow so I'll be able to digest it all then. I'll
definitely be bringing this with me in my head...it's appreciated friend,
thanks,

Mark Z.

- Original Message -
From: "EA Louie" 
To: "Mark Z." ; 
Sent: Tuesday, May 08, 2001 6:36 PM
Subject: Re: Frame Relay backup issue... [7:3686]


> ahhh, I'll give you a free answer anyway!  ;-)
>
> Without making any assumptions except that the Frame Relay interface is
> configured with a backup-interface statement that's pointed to a dialer, and
> that all the routing is working okay, and that the dialer has a good
> dialer-list, then the config would look similar to:
>
> interface serial0/1
>  encapsulation frame-relay
>  backup interface dialer1
>  no backup load
>  no backup delay
>
> interface dialer1
>
> then the only thing that would bring the backup into play is the serial
> going down/down momentarily.
>
> If there IS a backup load statement on serial, then bandwidth percentage
> over the first parameter of that command would initiate the dialer.  Adjust
> it higher or remove it.
>
> If there's no backup interface command on the serial interface, then a
> floating static route is probably initiating the DDR.  If an IGP is used
> over the Frame Relay network then a route flap on the default route would
> also start the dialing sequence.
>
> Let's see... is there a link for you?  nope, can't find one that's
> appropriate.
>
>
> -e-
>
> - Original Message -
> From: "Mark Z." 
> To: 
> Sent: Tuesday, May 08, 2001 2:39 PM
> Subject: Frame Relay backup issue... [7:3686]
>
>
> > Hi Guys,
> > Been a while since I've written to the list (guess that's kind of a good
> > thing). Fairly simple question here: Let's say there is a company with a FR
> > network with a hub/spoke topology. When data is sent from a site, a lot of
> > times the backup link kicks up, even though the primary never went down. I
> > remember this type of scenario in my readings but forget what the
> > possibilities are. The simplest answer would be that they are oversubscribing
> > their access on the line and the backup's kicking up. Or the line is just
> > bad...but I doubt that. What are some possible scenarios that would cause
> > this issue. I'm not asking for free answers to this but I would appreciate it
> > if someone could point me in the right direction in terms of reading up on
> > this. Thanks guys...good to be back.
> >
> > Mark Zabludovsky ~ CCNP, CCDA
> > [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3704&t=3686
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: 3620 with 2 x NM-2FE-2W problem [7:3687]

2001-05-08 Thread Kevin Wigle

I would have to find it again but I'm sure that somewhere on CCO it says
that a 3620 shouldn't have more than 2 fast interfaces be they fast ethernet
or ATM or a combination.

Your router now has 4 fast interfaces.

Kevin Wigle

- Original Message -
From: "Gareth Hinton" 
To: 
Sent: Tuesday, 08 May, 2001 17:39
Subject: 3620 with 2 x NM-2FE-2W problem [7:3687]


> Hi all,
>
> Problem with a 3620:
>
> Takes one NM-2FE-2W fine. When second one is inserted major problems
arise.
>
> NM slot 0: PCI dev 5 init failed
> No fault history 0x. Need 11.1 (2) or higher ROM
>
> The boot rom is "System Bootstrap, Version 11.1(20)AA2"
>
> I've gone through CCO to confirm that the 3620 will take these cards, and
> although there were a few doubts, eventually found it and they should be
OK.
>
> Anybody seen similar or got ideas.
>
> Thanks,
>
> Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3703&t=3687
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: FW: security opinions please [7:3666]

2001-05-08 Thread Brian

Echoing these sentiments here, the whole point of vlans is traffic
separation.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Eric Rivard wrote:

> If you look at all of Cisco's documentation on their website it
> recommends you use VLANs just like this. They even did a study with
> Microsoft and posted it on Microsoft's website suggesting to use VLANS
> to distinguish between outside, dmz, and internal networks. I have seen
> many big companies do it this way. For example, last month Cisco had
> Exciter's network diagram on its site, saying how they used VLANS, they
> also had an Oracle example. I have set up quite a bit of co locations
> using only a 5500 with 3 VLANs, one for the outside, one for the inside,
> and one for the DMZ. I don't see how a hacker can break into a different
> VLAN from the outside. Switches see VLANs as logical switches inside of
> it. If a hacker wants to get to the internal VLAN from the Outside he
> would have to go through the firewall. If Cisco recommends and companies
> like Microsoft and Excite are implementing it, I don't see how it can be
> a security risk. See this link for a really good document on setting up
> a e-commerce co-location network, it also has router and pix configs
>
> http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp
>
>
> -Original Message-
> From: Carroll Kong [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: security opinions please [7:3666]
>
>
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an external
> >internet vlan, a dmz, and several internal vlans.   The internal vlans are
> >routed by an MSFC in the 6500.  Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Oh boy, the big security button.  IF you really want to be secure, you are
> NOT going to be using VLANs at all.  You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE.  However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based
> security.  A novice and probably most intermediates, will not.  You decide
> and weigh out your costs in choosing the far less flexible hard switches on
> the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do.  i.e.  If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
> not, you may want to stick with VLANs.  Security is always a balance
> between convenience and security.  :(  The sad truth is, the ultimate
> security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
> takes off).  :)
>
>
>
> -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3702&t=3666
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



encapsulation [7:3701]

2001-05-08 Thread SH Wesson

Should I use hdlc or ppp encapsulation on a point to point connection 
between two wan sites.  The connection is used to access data.  And also 
what is the benefit and disadvantages of using one over the other.  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3701&t=3701
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Frame Relay backup issue... [7:3686]

2001-05-08 Thread EA Louie

ahhh, I'll give you a free answer anyway!  ;-)

Without making any assumptions except that the Frame Relay interface is
configured with a backup-interface statement that's pointed to a dialer, and
that all the routing is working okay, and that the dialer has a good
dialer-list, then the config would look similar to:

interface serial0/1
 encapsulation frame-relay
 backup interface dialer1
 no backup load
 no backup delay

interface dialer1

then the only thing that would bring the backup into play is the serial
going down/down momentarily.

If there IS a backup load statement on serial, then bandwidth percentage
over the first parameter of that command would initiate the dialer.  Adjust
it higher or remove it.

If there's no backup interface command on the serial interface, then a
floating static route is probably initiating the DDR.  If an IGP is used
over the Frame Relay network then a route flap on the default route would
also start the dialing sequence.

Let's see... is there a link for you?  nope, can't find one that's
appropriate.


-e-

- Original Message -
From: "Mark Z." 
To: 
Sent: Tuesday, May 08, 2001 2:39 PM
Subject: Frame Relay backup issue... [7:3686]


> Hi Guys,
> Been a while since I've written to the list (guess that's kind of a good
> thing). Fairly simple question here: Let's say there is a company with a FR
> network with a hub/spoke topology. When data is sent from a site, a lot of
> times the backup link kicks up, even though the primary never went down. I
> remember this type of scenario in my readings but forget what the
> possibilities are. The simplest answer would be that they are oversubscribing
> their access on the line and the backup's kicking up. Or the line is just
> bad...but I doubt that. What are some possible scenarios that would cause this
> issue? I'm not asking for free answers to this but I would appreciate it if
> someone could point me in the right direction in terms of reading up on this.
> Thanks guys...good to be back.
>
> Mark Zabludovsky ~ CCNP, CCDA
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3700&t=3686



Re: Just been Hacked!!!!! [7:3452]

2001-05-08 Thread [EMAIL PROTECTED]

Kevin,

Just to add a little to the comments you've already received:

1) After a compromise, you essentially have 2 approaches: One, 
cut the box off the network and leave it alone.  Call local law 
enforcement and the FBI.  This approach is used if you wish to 
pursue litigation.  I should point out that unless you have very 
detailed network logging showing times, IP addresses, etc. this 
approach will likely be a dead-end.  

The second approach is to assume you're not going to pursue the 
attacker and concentrate on recovery.  Assume that everything on 
the box is suspect.  Re-format and start from scratch, install data 
from a good backup. If you don't have a good backup, you will want 
to remove all executable programs and replace them with known 
good ones, and then hope for the best.

2) If you don't have a good IDS system, including proper log 
monitoring on your end systems, you'll almost surely never know 
for certain how a box was compromised and more importantly you 
won't know what was done after the compromise.  You can make 
some educated guesses based on what services you're running and 
what files _appear_ to have changed.  

However, there is always a problem that if you have a very clever 
attacker, what looks like a very simple script exploit could be a red 
herring and the attacker actually installed their own versions of 
some obscure executables.  If they're clever, the file sizes match, 
so you would need to compare known good hash values against 
hash values on all of your executables to be sure.  This is 
obviously a major pain.

In general, I always recommend having an experienced security 
person perform a complete audit on a network.  This is a lot more 
than just doing some remote scanning, it's taking a comprehensive 
look at services, procedures, backup strategy, etc.  The problem is 
that these services are usually not cheap (but then again, neither is 
recovering from a compromise).  If you want a few quick hits:

1) Host security, get a good book on securing your particular host 
OS.

2) Application security, look at every app you run and find out what 
exploits are out there for that app.  You can find a list at many 
security sites but http://www.securityfocus.com is a good one.

3) Logging, use whatever logging is available for your OS and send 
the logs to an external central server.  Logs are usually one of the 
first things modified on a system after a successful compromise 
and they can tell you a lot IF they are on a trusted machine.

4) File integrity systems such as Tripwire are worth looking into for 
public facing servers.  They will help you determine what files have 
been changed after a compromise.

5) IDS systems can be very useful, but only if they are properly 
installed AND monitored.  A lot of IDS systems are not properly 
setup and not properly monitored, giving a false sense of security. 

6) Have a plan.  Even the most secure perimeters can be 
compromised, having a contingency plan can be the difference 
between a quick recovery and not recovering at all.  I recommend 
"The process of network security" as a good starting book.

HTH,
Kent

On 7 May 2001, at 10:32, Kevin O'Gilvie wrote:

> Apparently over the weekend Poison Box got past my Pix and overwrote
> some files on the intranet Box and maybe more damage than I know of at
> this Moment. I need help on finding out how they got in and how to
> prevent it happening in the future. Please help.
> 
> Thanks,
> 
> Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3699&t=3452
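Kent's point that a matching file size proves nothing and only known-good hashes settle it, as an added example that is not part of the original post: a small baseline-and-verify routine in Python (my code, not Tripwire's), run against a constructed temporary tree in which one binary is swapped for another of identical length. The directory layout, file names and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its size and hash.

    This is the set of 'known good hash values' the post refers to. Take it on a
    freshly built box and keep the copy on a trusted host, not on the box itself,
    for the same reason the post sends logs to an external server.
    """
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink())
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "hash": hash_file(p)}
        for p in files
    }


def verify(root, baseline):
    """Compare the tree under root against a baseline.

    Returns lists of 'modified' (hash and size changed), 'same_size_modified'
    (hash changed, size identical: the case a size-only check misses),
    'added' and 'removed' paths.
    """
    current = build_baseline(root)
    report = {"modified": [], "same_size_modified": [], "added": [], "removed": []}
    for rel, known in baseline.items():
        now = current.get(rel)
        if now is None:
            report["removed"].append(rel)
        elif now["hash"] != known["hash"]:
            key = "same_size_modified" if now["size"] == known["size"] else "modified"
            report[key].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario: baseline a 'known good' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"GOOD-LS-BINARY-v1.0\n")   # constructed content
        (root / "bin" / "ps").write_bytes(b"GOOD-PS-BINARY-v1.0\n")   # constructed content
        (root / "etc" / "inetd.conf").write_text("telnet stream tcp nowait root\n")
        baseline = build_baseline(root)

        # Replacement is exactly as long as the original, so size and a quick
        # 'ls -l' glance show nothing; only the hash comparison catches it.
        (root / "bin" / "ps").write_bytes(b"SWAPPED-PS-BIN-v1.0\n")   # constructed content
        (root / "etc" / "inetd.conf").write_text("telnet stream tcp nowait root\n# edited\n")
        (root / "bin" / "ls").unlink()
        (root / "bin" / "netstat").write_bytes(b"NEW-FILE\n")          # constructed content
        return verify(root, baseline)
```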
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: security opinions please [7:3666]

2001-05-08 Thread [EMAIL PROTECTED]

>From a pure security perspective, this design is not as secure as 
having separate switches for the outside, dmz and inside networks. 
The reasoning is very simple, yes, you can put lots of software in 
place to prevent people from telneting to the switch, but in the 
event of just the right failure/misconfiguration, someone could 
theoretically re-configure the switch to do bad things. 

I have had long discussions with people about this issue and the 
bottom line is that while a compromise in this configuration is 
highly improbable, it is not impossible.  When you have physical 
separation of switches, it is impossible for a software 
failure/misconfiguration in the switch to lead to an internal 
compromise, it is therefore a more secure configuration to use 
multiple switches. 

It is, however, very convenient to use a single switch.  As a 
compromise, I recommend a single external switch and a common 
internal switch for the dmz's and internal segments.  As there are 
normally very few connections on the outside, this is a reasonable 
compromise at a very small incremental cost.

HTH,
Kent

On 8 May 2001, at 15:42, [EMAIL PROTECTED] wrote:

> Let me lay out the basic topology of a network first:
> 
> A 6500 has several VLANS configured on it.  Among these are an
> external internet vlan, a dmz, and several internal vlans.   The
> internal vlans are routed by an MSFC in the 6500.  Routing between the
> internal, dmz, and external are handled by a firewall external to the
> 6500.  
> 
> Are there any security issues with having all of these VLANS in the
> same box?  Someone in our organization is concerned that someone can
> hack the switch just because the connection from the internet is
> plugged into it. The switch's management address is on one of the
> internal vlans, and an access list is on the telnet access that
> restricts access from only the internal vlans.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3698&t=3666



FW: security opinions please [7:3666]

2001-05-08 Thread Eric Rivard

If you look at all of Cisco's documentation on their website it
recommends you use VLANs just like this. They even did a study with
Microsoft and posted it on Microsoft's website suggesting to use VLANS
to distinguish between outside, dmz, and internal networks. I have seen
many big companies do it this way. For example, last month Cisco had
Excite's network diagram on its site, saying how they used VLANS, they
also had an Oracle example. I have set up quite a bit of co-locations
using only a 5500 with 3 VLANs, one for the outside, one for the inside,
and one for the DMZ. I don't see how a hacker can break into a different
VLAN from the outside. Switches see VLANs as logical switches inside of
it. If a hacker wants to get to the internal VLAN from the Outside he
would have to go through the firewall. If Cisco recommends and companies
like Microsoft and Excite are implementing it, I don't see how it can be
a security risk. See this link for a really good document on setting up
an e-commerce co-location network, it also has router and pix configs

http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp


-Original Message-
From: Carroll Kong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 1:44 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]


At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.   The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button.  IF you really want to be secure, you are
NOT going to be using VLANs at all.  You want hard, cold, old fashioned
separate layer 2 networks, by HARDWARE.  However, realize security is
really a layering process and hopefully warding off attackers of a
particular experience level by making the task seem like "too much
trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based
security.  A novice and probably most intermediates, will not.  You decide
and weigh out your costs in choosing the far less flexible hard switches on
the side method, or using the far more flexible Catalyst VLAN style.

That is the security cost analysis you must do.  i.e.  If you are guarding
the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
not, you may want to stick with VLANs.  Security is always a balance
between convenience and security.  :(  The sad truth is, the ultimate
security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
takes off).  :)



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3697&t=3666



Re: Juniper Job Market (was: Passed CCIE Written but NOT doing [7:3696]

2001-05-08 Thread Chris Haller

The key here is Nationwide.  905 jobs nationwide using
just the extremely general word "Cisco" ???

That is horrible, and I shall go cry after I finish
this response.  Juniper only having 46 is not bad for
such a new "core" producer.  Cisco has been around for
over a decade and we got 905 !!!  :-(

I'm going back to selling Vacuum Cleaners 


--- "Bradley J. Wilson"  wrote:
> Carroll Kong wrote:
> 
> >...but also makes you wonder if the market space is really that
> >big for heavy duty core work.
> 
> 
> I just did an impromptu and informal search on geekfinder.com - I put in the
> word "Cisco" and pulled up 905 jobs nationwide, both contract and perm.
> Then I did the same search for "Juniper" and pulled up only 46 jobs.  You be
> the judge. ;-)
> 
> BJ


=
Chris from Chicago
MasterCNE, 5.x CNE, ICNE, 4.x CNE, CCNA, MCP





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3696&t=3696



RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Brian Dennis

Priscilla,
It didn't take the "access-group 100 in" command on your router? Did you
have "no service stupid mistake" on your router? Just kidding. I was doing
it out of memory in a text editor. I've come to like making the config for a
router in a text editor and just pasting it in.

Come to think of it is there any other protocol besides IP 8)

Brian

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Priscilla Oppenheimer
> Sent: Tuesday, May 08, 2001 2:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
>
> I tried the HSRP access list from Brian (CCIE) and it works, (of course. ;-)
>
> It was surprisingly easy to hack HSRP! :-[] I captured some HSRP packets
> with EtherPeek and edited one to say the packet was from my PC and that my
> priority was higher than the two legitimate HSRP routers. I then repeatedly
> sent this packet, using the timer that the legitimate HSRP routers were
> using.
>
> The standby HSRP stopped sending HSRP packets (not sure why?) The
> previously active made itself standby. PCs on the LAN that were set to use
> the HSRP gateway address were unable to reach non-local stations. The DOS
> worked, in other words. This is a lab network, by the way.
>
> I used the access list below to make sure the HSRP routers only accepted
> from each other and it solved the problem. I meant to save the
> HyperTerminal session and show you that the deny in the access list was
> getting invoked, but I forgot to save it.
>
> Note one minor bug in configs below:
>
> It should say "ip access-group 100 in" (at least on my routers, the ip was
> required)
>
> Priscilla
>
>
>
>
> At 03:54 AM 5/8/01, Brian Dennis wrote:
> >It's not the best solution but if you're really worried you could create an
> >access-list (see configs below). HSRP uses UDP port 1985 and the destination
> >address is to all routers (224.0.0.2). Perfect solution? No. Better than
> >nothing? Yes.
> >
> >Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
> >5G Networks, Inc.
> >[EMAIL PROTECTED]
> >(925) 260-2724
> >
> >!
> >hostname R1
> >interface Ethernet 0
> >  ip address 192.168.1.1 255.255.255.0
> >  standby ip 192.168.1.254
> >  standby authentication c!sc0b2b
> >  access-group 100 in
> >!
> >access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
> >access-list 100 deny udp any eq 1985 any eq 1985
> >access-list 100 permit ip any any
> >
> >
> >!
> >hostname R2
> >!
> >interface Ethernet 0
> >  ip address 192.168.1.2 255.255.255.0
> >  standby ip 192.168.1.254
> >  standby authentication c!sc0b2b
> >  access-group 100 in
> >!
> >access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
> >access-list 100 deny udp any eq 1985 any eq 1985
> >access-list 100 permit ip any any
> >
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > > Jacques Atlas
> > > Sent: Monday, May 07, 2001 11:10 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
> > >
> > >
> > > On Tue, 8 May 2001, Curtis Call wrote:
> > >
> > > |In other words always use authentication.
> > >
> > > i dont think the authentication in clear text is going to help,
> > > the solution from the vendor is to run HSRP with IPSec.
> > >
> > > --
> > > jacques
>
>
> 
>
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3695&t=3534
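The access list from Brian's configs, with Priscilla's `ip access-group` correction, as an added example that is not code from the original posts: a small Python model that renders the three lines as IOS config and evaluates sample packets against them with IOS first-match semantics, so the permit/deny outcome for each case can be checked offline. The router and multicast addresses are the ones in the posts; the sample packets and the `Packet`/`AclEntry` names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

HSRP_PORT = 1985          # HSRP hellos are UDP 1985 -> 1985 (from Brian's post)
HSRP_GROUP = "224.0.0.2"  # all-routers multicast, the HSRP destination address
ANY = "any"


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple of an inbound packet on the Ethernet interface."""
    proto: str            # "udp", "tcp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol, as on IOS
    src: str              # host address, or ANY
    sport: Optional[int]  # None = any port
    dst: str
    dport: Optional[int]


def hsrp_filter_acl(peer: str) -> List[AclEntry]:
    """Brian's three lines, parameterised on the address of the other HSRP router."""
    return [
        AclEntry("permit", "udp", peer, HSRP_PORT, HSRP_GROUP, HSRP_PORT),
        AclEntry("deny", "udp", ANY, HSRP_PORT, ANY, HSRP_PORT),
        AclEntry("permit", "ip", ANY, None, ANY, None),
    ]


def to_ios(entries: List[AclEntry], number: int = 100, interface: str = "Ethernet 0") -> List[str]:
    """Render as IOS config, applied with 'ip access-group ... in' (Priscilla's fix)."""
    def side(addr: str, port: Optional[int]) -> str:
        text = "any" if addr == ANY else f"host {addr}"
        return text if port is None else f"{text} eq {port}"
    lines = [f"access-list {number} {e.action} {e.proto} {side(e.src, e.sport)} {side(e.dst, e.dport)}"
             for e in entries]
    lines += [f"interface {interface}", f" ip access-group {number} in"]
    return lines


def _matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    for want_addr, want_port, have_addr, have_port in (
        (entry.src, entry.sport, pkt.src, pkt.sport),
        (entry.dst, entry.dport, pkt.dst, pkt.dport),
    ):
        if want_addr != ANY and ip_address(want_addr) != ip_address(have_addr):
            return False
        if want_port is not None and want_port != have_port:
            return False
    return True


def evaluate(entries: List[AclEntry], pkt: Packet) -> Tuple[str, int]:
    """First match wins, as on IOS; line 0 stands for the implicit 'deny any' at the end."""
    for line, entry in enumerate(entries, start=1):
        if _matches(entry, pkt):
            return entry.action, line
    return "deny", 0


def demo() -> Dict[str, Tuple[str, int]]:
    """R1's view (peer R2 is 192.168.1.2) of a few constructed inbound packets.

    The filter only looks at addresses and ports, so a hello carrying R2's own
    source address is indistinguishable from the real one here; that is the
    limit Brian concedes ("Perfect solution? No.") and why Jacques points to IPSec.
    """
    acl = hsrp_filter_acl("192.168.1.2")
    samples = {
        "hello from R2": Packet("udp", "192.168.1.2", HSRP_GROUP, HSRP_PORT, HSRP_PORT),
        "hello from an unexpected host": Packet("udp", "192.168.1.77", HSRP_GROUP, HSRP_PORT, HSRP_PORT),
        "ordinary web traffic": Packet("tcp", "192.168.1.50", "10.0.0.1", 40000, 80),
    }
    return {name: evaluate(acl, pkt) for name, pkt in samples.items()}
```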



RE: security opinions please [7:3666]

2001-05-08 Thread Jacques Atlas

On Tue, 8 May 2001, Michael Cohen wrote:

|How does one go upon "penetrating" the internal VLAN on a switch while only
|having access to the external VLAN and not traversing the PIX in the middle?

i would also be interested in finding out the theory behind this.

|I have heard the response from numerous security engineers that anything is
|possible however I guess I'm a novice because I have never seen nor heard of
|this being done in the situation mentioned above.

did they give you proof ?

|I attribute the idea of physically separating these networks (even
|though VLAN based separation is just as effective) as security paranoia.

there are also times when you can not afford to buy a decent switch for
every service that you want and a large switch could give the best
possible solution.

-- 
jacques




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3694&t=3666



Re: Passed Switching: 912 [7:3678]

2001-05-08 Thread EA Louie

Congratulations in spite of YOUR penchant to get distracted by the list  ;-)

912 is mighty respectable I might add, mate.  Good job!

-e-

- Original Message -
From: "Gareth Hinton" 
To: 
Sent: Tuesday, May 08, 2001 2:00 PM
Subject: Passed Switching: 912 [7:3678]


> Thanks to all in the Study Group.
>
> Even though you managed to distract me from studying for most of the planned
> time, I managed to pass today :-)
> Seems like the info I've seen from the Group recently stands true: 64
> questions, 75 minutes, 699 to pass.
> I think the Cisco Press Study Guide covered just about everything. Nothing I
> can remember wavered from the book.
>
> Anybody know what subjects are covered by Cisco Fundamentals? It appears I
> may be p**s poor in this area. All the others were OK.
>
> Routing next - My God does this mean I'm going to have to attempt to
> understand Howard's BGP posts. Maybe one day soon it will all become clear.
>
> Cheers,
>
> Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3693&t=3678



RE: security opinions please [7:3666]

2001-05-08 Thread Michael Cohen

How does one go upon "penetrating" the internal VLAN on a switch while only
having access to the external VLAN and not traversing the PIX in the middle?
I have heard the response from numerous security engineers that anything is
possible however I guess I'm a novice because I have never seen nor heard of
this being done in the situation mentioned above.  I attribute the idea of
physically separating these networks (even though VLAN based separation is
just as effective) as security paranoia.  This isn't necessarily a bad
thing, after all that's what security guys are paid for, however I don't see
a technical reason why you can't have these VLANs connected to the same box
as long as a properly configured firewall logically seperates them.

-Michael Cohen CCIE #6080

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Carroll Kong
Sent: Tuesday, May 08, 2001 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]


At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.   The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button.  IF you really want to be secure, you are
NOT going to be using VLANs at all.  You want hard, cold, old fashioned
separate layer 2 networks, by HARDWARE.  However, realize security is
really a layering process and hopefully warding off attackers of a
particular experience level by making the task seem like "too much
trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based
security.  A novice and probably most intermediates, will not.  You decide
and weigh out your costs in choosing the far less flexible hard switches on
the side method, or using the far more flexible Catalyst VLAN style.

That is the security cost analysis you must do.  i.e.  If you are guarding
the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
not, you may want to stick with VLANs.  Security is always a balance
between convenience and security.  :(  The sad truth is, the ultimate
security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
takes off).  :)



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3692&t=3666



RE: ATM AAL5 errors [7:3682]

2001-05-08 Thread Daniel Cotts

1) Is this a new install or has it worked in the past? If it worked in the
past, you can eliminate a lot of configuration causes. 
2) Assuming that it worked in the past, has anyone changed anything in the
config or operating system of either end?
3) Consider physical layer issues. Can you take the circuit off line and
test end to end for errors? Can your Service Provider help?
4) Can you loop back your own output to verify your box?
5) If you have a spare box can you create a back-to-back lab to test your
box? If that works, can you ship the spare box to the other end to
substitute for the Cabletron?
6) Bet that there are show and debug outputs that will help.
Let us know what the cause was. 

> -Original Message-
> From: Q [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 08, 2001 4:23 PM
> To: [EMAIL PROTECTED]
> Subject: ATM AAL5 errors [7:3682]
> 
> 
> I'm getting AAL5 CRC and AAL5 Length errors. They are both tied to one
> another in terms of rate of errors. This is a difficult problem in terms
> that they are both related. One problem is that the other side of the WAN
> is a Cabletron SSR 8600 hunk of crap. Someone give me a clue...TIA!
> 
> marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3691&t=3682



Juniper Job Market (was: Passed CCIE Written but NOT doing lab) [7:3690]

2001-05-08 Thread Bradley J. Wilson

Carroll Kong wrote:

>...but also makes you wonder if the market space is really that
>big for heavy duty core work.


I just did an impromptu and informal search on geekfinder.com - I put in the
word "Cisco" and pulled up 905 jobs nationwide, both contract and perm.
Then I did the same search for "Juniper" and pulled up only 46 jobs.  You be
the judge. ;-)

BJ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3690&t=3690



PIX 520 : RESET CAUSED LOCKOUT ... [7:3689]

2001-05-08 Thread Moahzam Durrani

Apparently we were having some network issues and kind of pinpointed it to
the PIX. Basically we were able to ping everything on our inside

After doing a Reset on the PIX (did cold power shut down first... no
improvement) we got network connectivity to our internet router configured
for the outside. However we were unable to log in through telnet or from the
console... I got the password reset utility from Cisco, which I will do
tonight... Has anyone experienced being locked out after doing a reboot or
reset on their PIX? It looks like all our holes and configs are OK as we
tested it from the outside... We believe there is a possibility of some type
of hacking...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3689&t=3689



RE: security opinions please [7:3666]

2001-05-08 Thread [EMAIL PROTECTED]

Yeah, I'd love to know as well.  I've searched CCO pretty thoroughly, and
can't find anything that really relates to this.

-Original Message-
From: Sam [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 4:19 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]


Interesting, I'm wondering what Cisco's stand on this subject would be.
Anyone know or have other opinions.  The same concern has been expressed to
me with regards to a similar configuration.

"Carroll Kong"  wrote in message
news:[EMAIL PROTECTED]...
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an external
> >internet vlan, a dmz, and several internal vlans.   The internal vlans are
> >routed by an MSFC in the 6500.  Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Oh boy, the big security button.  IF you really want to be secure, you are
> NOT going to be using VLANs at all.  You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE.  However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based
> security.  A novice and probably most intermediates, will not.  You decide
> and weigh out your costs in choosing the far less flexible hard switches on
> the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do.  i.e.  If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
> not, you may want to stick with VLANs.  Security is always a balance
> between convenience and security.  :(  The sad truth is, the ultimate
> security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
> takes off).  :)
>
>
>
> -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3688&t=3666



3620 with 2 x NM-2FE-2W problem [7:3687]

2001-05-08 Thread Gareth Hinton

Hi all,

Problem with a 3620:

Takes one NM-2FE-2W fine. When second one is inserted major problems arise.

NM slot 0: PCI dev 5 init failed
No fault history 0x. Need 11.1 (2) or higher ROM

The boot rom is "System Bootstrap, Version 11.1(20)AA2"

I've gone through CCO to confirm that the 3620 will take these cards, and
although there were a few doubts, eventually found it and they should be OK.

Anybody seen similar or got ideas?

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3687&t=3687



Frame Relay backup issue... [7:3686]

2001-05-08 Thread Mark Z.

Hi Guys,
Been a while since I've written to the list (guess that's kind of a good
thing). Fairly simple question here: Let's say there is a company with a FR
network with a hub/spoke topology. When data is sent from a site, a lot of
times the backup link kicks up, even though the primary never went down. I
remember this type of scenario in my readings but forget what the
possibilities are. The simplest answer would be that they are oversubscribing
their access on the line and the backup's kicking up. Or the line is just
bad...but I doubt that. What are some possible scenarios that would cause this
issue? I'm not asking for free answers to this but I would appreciate it if
someone could point me in the right direction in terms of reading up on this.
Thanks guys...good to be back.

Mark Zabludovsky ~ CCNP, CCDA
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3686&t=3686



tcp intercept [7:3685]

2001-05-08 Thread Jeff Duchin

What's the best way to enable this as I've seen a bunch of different
variations... I want this on my external router...

Thanks,
Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3685&t=3685



RE: Just been Hacked!!!!! [7:3452]

2001-05-08 Thread Davis, Scott [ISE/RAC]

> > >Step #1 to securing NT: disable IIS ;-p
> > 
> > Step #1 to securing your network - Remove all MS  products.

>Step #1 to securing your network: remove all users.

Step #1 to securing your network: realizing no network is ever truly
"Secure"

Step #2: never accepting any one OS as better or more secure and realizing
security is only as good as your policy, planning, attention to detail, and
user training.
-- 
"Someone approached me and asked me to teach a javascript course. I was
about to decline, saying that my complete ignorance of the subject made
me unsuitable, then I thought again, that maybe it doesn't, as driving
people away from it is a desirable outcome." --Me




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3684&t=3452



WAN Job in the Metro Detroit area [7:3683]

2001-05-08 Thread [EMAIL PROTECTED]

I am looking for a WAN job in the Detroit area, I can send you my resume 
and cover letter upon request.

  Thanks  Brian




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3683&t=3683



ATM AAL5 errors [7:3682]

2001-05-08 Thread Q

I'm getting AAL5 CRC and AAL5 Length errors. They are both tied to one
another in terms of rate of errors. This is a difficult problem in terms
that they are both related. One problem is that the other side of the WAN
is a Cabletron SSR 8600 hunk of crap. Someone give me a clue...TIA!

marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3682&t=3682



Re: security opinions please [7:3666]

2001-05-08 Thread Sam

Interesting, I'm wondering what Cisco's stand on this subject would be.
Anyone know or have other opinions.  The same concern has been expressed to
me with regards to a similar configuration.

"Carroll Kong" wrote in message news:[EMAIL PROTECTED]...
> At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
> >Let me lay out the basic topology of a network first:
> >
> >A 6500 has several VLANS configured on it.  Among these are an external
> >internet vlan, a dmz, and several internal vlans.   The internal vlans are
> >routed by an MSFC in the 6500.  Routing between the internal, dmz, and
> >external are handled by a firewall external to the 6500.
> >
> >Are there any security issues with having all of these VLANS in the same
> >box?  Someone in our organization is concerned that someone can hack the
> >switch just because the connection from the internet is plugged into it.
> >The switch's management address is on one of the internal vlans, and an
> >access list is on the telnet access that restricts access from only the
> >internal vlans.
>
> Oh boy, the big security button.  IF you really want to be secure, you are
> NOT going to be using VLANs at all.  You want hard, cold, old fashioned
> separate layer 2 networks, by HARDWARE.  However, realize security is
> really a layering process and hopefully warding off attackers of a
> particular experience level by making the task seem like "too much
> trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based
> security.  A novice and probably most intermediates, will not.  You decide
> and weigh out your costs in choosing the far less flexible hard switches on
> the side method, or using the far more flexible Catalyst VLAN style.
>
> That is the security cost analysis you must do.  i.e.  If you are guarding
> the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
> not, you may want to stick with VLANs.  Security is always a balance
> between convenience and security.  :(  The sad truth is, the ultimate
> security is, the wire cutters.  (and perhaps a Faraday Cage if wireless
> takes off).  :)
>
>
>
> -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3681&t=3666



RE: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Priscilla Oppenheimer

I tried the HSRP access list from Brian (CCIE) and it works, (of course. ;-)

It was surprisingly easy to hack HSRP! :-[] I captured some HSRP packets 
with EtherPeek and edited one to say the packet was from my PC and that my 
priority was higher than the two legitimate HSRP routers. I then repeatedly 
sent this packet, using the timer that the legitimate HSRP routers were
using.

The standby HSRP stopped sending HSRP packets (not sure why?) The 
previously active made itself standby. PCs on the LAN that were set to use 
the HSRP gateway address were unable to reach non-local stations. The DOS 
worked, in other words. This is a lab network, by the way.

I used the access list below to make sure the HSRP routers only accepted 
from each other and it solved the problem. I meant to save the 
HyperTerminal session and show you that the deny in the access list was 
getting invoked, but I forgot to save it.

Note one minor bug in configs below:

It should say "ip access-group 100 in" (at least on my routers, the ip was 
required)

Priscilla




At 03:54 AM 5/8/01, Brian Dennis wrote:
>It's not the best solution but if you're really worried you could create an
>access-list (see configs below). HSRP uses UDP port 1985 and the destination
>address is to all routers (224.0.0.2). Perfect solution? No. Better than
>nothing? Yes.
>
>Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
>5G Networks, Inc.
>[EMAIL PROTECTED]
>(925) 260-2724
>
>!
>hostname R1
>interface Ethernet 0
>  ip address 192.168.1.1 255.255.255.0
>  standby ip 192.168.1.254
>  standby authentication c!sc0b2b
>  access-group 100 in
>!
>access-list 100 permit udp host 192.168.1.2 eq 1985 host 224.0.0.2 eq 1985
>access-list 100 deny udp any eq 1985 any eq 1985
>access-list 100 permit ip any any
>
>
>!
>hostname R2
>!
>interface Ethernet 0
>  ip address 192.168.1.2 255.255.255.0
>  standby ip 192.168.1.254
>  standby authentication c!sc0b2b
>  access-group 100 in
>!
>access-list 100 permit udp host 192.168.1.1 eq 1985 host 224.0.0.2 eq 1985
>access-list 100 deny udp any eq 1985 any eq 1985
>access-list 100 permit ip any any
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jacques Atlas
> > Sent: Monday, May 07, 2001 11:10 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]
> >
> >
> > On Tue, 8 May 2001, Curtis Call wrote:
> >
> > |In other words always use authentication.
> >
> > i dont think the authentication in clear text is going to help,
> > the solution from the vendor is to run HSRP with IPSec.
> >
> > --
> > jacques




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3680&t=3534
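Added example (not part of any post in this thread): a small Python parser for the HSRP v1 header as laid out in RFC 2281 (version, opcode, state, hellotime, holdtime, priority, group, reserved, 8 bytes of cleartext authentication data, virtual IP), plus a detector that applies the checks the thread argues about to UDP/1985 datagrams addressed to 224.0.0.2. The router addresses 192.168.1.1/.2 and the authentication string c!sc0b2b are taken from Brian's sample configs; the priority ceiling of 100 (the HSRP default), the attacker address, the helper names and the sample datagrams are constructed here for illustration. The last sample shows the caveat a practitioner should note about the access-list approach: a forged Hello that also spoofs R2's source address passes a source-based filter, and a copied cleartext authentication string passes the authentication check (Jacques' point), so only the priority ceiling flags it.

```python
"""HSRP v1 (RFC 2281) parsing and spoofed-Hello detection.

Added example, not code from the list posts.  Router addresses and the
authentication string come from Brian Dennis's sample configs; the sample
datagrams, attacker address and helper names are constructed here.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# RFC 2281 section 5.1: the HSRP v1 header is 20 bytes:
# version, opcode, state, hellotime, holdtime, priority, group, reserved,
# 8-byte authentication data (cleartext), 4-byte virtual IP address.
HSRP_FMT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)  # 20
HSRP_PORT = 1985
HSRP_MCAST = "224.0.0.2"
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass
class Hsrp:
    version: int
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str
    virtual_ip: str


def parse_hsrp(payload: bytes) -> Hsrp:
    """Decode the fixed HSRP v1 header from a UDP payload."""
    if len(payload) < HSRP_LEN:
        raise ValueError("short HSRP payload")
    ver, op, st, hello, hold, prio, grp, _rsv, auth, vip = struct.unpack(
        HSRP_FMT, payload[:HSRP_LEN])
    if ver != 0:
        raise ValueError(f"not HSRP v1 (version {ver})")
    return Hsrp(ver, op, st, hello, hold, prio, grp,
                auth.rstrip(b"\x00").decode("ascii", "replace"),
                ".".join(str(b) for b in vip))


def build_hsrp(opcode: int, state: int, priority: int, group: int, auth: str,
               virtual_ip: str, hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Encode an HSRP v1 header; used here only to construct sample datagrams."""
    auth_b = auth.encode("ascii")[:8].ljust(8, b"\x00")
    vip_b = bytes(int(o) for o in virtual_ip.split("."))
    return struct.pack(HSRP_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth_b, vip_b)


# Assumed policy for this segment: the two routers from Brian's configs,
# the default priority of 100, and his authentication string.
TRUSTED_ROUTERS = {"192.168.1.1", "192.168.1.2"}
MAX_LEGIT_PRIORITY = 100
EXPECTED_AUTH = "c!sc0b2b"


def check_hsrp(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> List[str]:
    """Return findings for one UDP datagram; an empty list means it looks normal."""
    findings: List[str] = []
    if dst_port != HSRP_PORT or dst_ip != HSRP_MCAST:
        return findings  # not HSRP, ignore
    pkt = parse_hsrp(payload)
    name = OPCODES.get(pkt.opcode, str(pkt.opcode))
    # Rule 1: what Brian's access-list enforces (source address).
    if src_ip not in TRUSTED_ROUTERS:
        findings.append(f"HSRP {name} from untrusted source {src_ip}")
    # Rule 2: the cleartext authentication string; trivially copied by a replayer.
    if pkt.auth != EXPECTED_AUTH:
        findings.append(f"authentication string mismatch ({pkt.auth!r})")
    # Rule 3: nothing legitimate on this segment runs above the configured ceiling.
    if pkt.priority > MAX_LEGIT_PRIORITY:
        findings.append(f"priority {pkt.priority} exceeds configured maximum {MAX_LEGIT_PRIORITY}")
    return findings


# Constructed sample traffic (src, dst, dst_port, payload); not a real capture.
SAMPLES: List[Tuple[str, str, int, bytes]] = [
    ("192.168.1.1", HSRP_MCAST, HSRP_PORT,   # legitimate Hello, active router R1
     build_hsrp(0, 16, 100, 0, EXPECTED_AUTH, "192.168.1.254")),
    ("192.168.1.2", HSRP_MCAST, HSRP_PORT,   # legitimate Hello, standby router R2
     build_hsrp(0, 8, 100, 0, EXPECTED_AUTH, "192.168.1.254")),
    ("192.168.1.77", HSRP_MCAST, HSRP_PORT,  # the thread's attack: replayed Hello,
     build_hsrp(0, 16, 255, 0, EXPECTED_AUTH, "192.168.1.254")),  # priority raised
    ("192.168.1.2", HSRP_MCAST, HSRP_PORT,   # same, with R2's source address spoofed:
     build_hsrp(0, 16, 255, 0, EXPECTED_AUTH, "192.168.1.254")),  # only rule 3 fires
]


def run_detector(samples=SAMPLES) -> List[List[str]]:
    return [check_hsrp(*s) for s in samples]


if __name__ == "__main__":
    for sample, findings in zip(SAMPLES, run_detector()):
        print(sample[0], "->", findings or "ok")
```

Run as a script it prints the findings per datagram; in practice the payloads would come from a capture on the HSRP segment (EtherPeek, tcpdump) filtered on UDP 1985 to 224.0.0.2, and the priority ceiling and trusted set would be taken from the routers' standby configuration.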



Re: 2610 w/ an additional 1e 2w module [7:3402]

2001-05-08 Thread [EMAIL PROTECTED]

O.k. so basically to get this puppy to work in the 2600 series I need to get
a 1FE2W encasing module to hold the wic 2t's ?? I'm going to try to use
this box as a frame switch so I'm trying to get as many serial interfaces on
it as possible...

Thanks for your help guys!!

Randy


On Mon, 7 May 2001 13:53:25 +1000 "Jason Baker" writes:
> also another tip. The WIC 2-T modules do not work in plain ethernet
> based modules (such as 1e2w).
> You need to get a 1FE2W at least to put the WIC 2t-s in.
> 
> However the wic 2-t's will work in the fixed serial slots in the
> 2600's.
> 
> Regards,
> 
> Jason Baker
> ---
> Network Engineer
> 
> - Original Message -
> From: 
> To: 
> Sent: Monday, May 07, 2001 1:17 PM
> Subject: 2610 w/ an additional 1e 2w module [7:3402]
> 
> 
> > Hi all !!
> >
> > I have just finished installing a new 1e2w module in my 2610 router &
> > it's not being recognized. Unit already had an existing Wic 2t plus the
> > built in ethernet port. I added the 2t 1e which is actually 2 wic 1 t
> > cards with an ethernet port on the main module and it's not being
> > recognized. When I remove the existing wic 2 t cards only the main
> > ethernet shows up on the show version. I do see the Act led on the
> > module solid green but nothing on the sho ver..
> >
> > Am I missing something ... do I have to activate this new module
> > somehow ??
> >
> > Clueless @ this point...
> >
> > TIA for any info you might provide.
> >
> > Randy
> > 
> >
> 
> 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3679&t=3402



Passed Switching: 912 [7:3678]

2001-05-08 Thread Gareth Hinton

Thanks to all in the Study Group.

Even though you managed to distract me from studying for most of the planned
time, I managed to pass today :-)
Seems like the info I've seen from the Group recently stands true: 64
questions, 75 minutes, 699 to pass.
I think the Cisco Press Study Guide covered just about everything. Nothing I
can remember wavered from the book.

Anybody know what subjects are covered by Cisco Fundamentals? It appears I
may be p**s poor in this area. All the others were OK.

Routing next - My God does this mean I'm going to have to attempt to
understand Howard's BGP posts. Maybe one day soon it will all become clear.

Cheers,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3678&t=3678



Re: security opinions please [7:3666]

2001-05-08 Thread Carroll Kong

At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.   The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external are handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button.  IF you really want to be secure, you are 
NOT going to be using VLANs at all.  You want hard, cold, old fashioned 
separate layer 2 networks, by HARDWARE.  However, realize security is 
really a layering process and hopefully warding off attackers of a 
particular experience level by making the task seem like "too much 
trouble", or "beyond their ability."  A true pro can penetrate "VLAN" based 
security.  A novice and probably most intermediates, will not.  You decide 
and weigh out your costs in choosing the far less flexible hard switches on 
the side method, or using the far more flexible Catalyst VLAN style.

That is the security cost analysis you must do.  i.e.  If you are guarding 
the Fort Knox of the computer realm, I'd probably go hardcore.  If you are 
not, you may want to stick with VLANs.  Security is always a balance 
between convenience and security.  :(  The sad truth is, the ultimate 
security is, the wire cutters.  (and perhaps a Faraday Cage if wireless 
takes off).  :)



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3677&t=3666



Re: Passed CCIE Written but NOT doing lab [7:3568]

2001-05-08 Thread Carroll Kong

At 01:27 PM 5/8/01 -0400, Chris Haller wrote:
>The school I am currently attending for CCIE
>written/lab is pumping out "paper" CCIE's faster than
>I can say .. "help, the written ccie is almost as
>worthless as the mcse"
>
>Juniper ??  I hear their test is twice as hard as
>CCIE.  Maybe you should attempt that one 

But by definition, there is no paper CCIE.  You have no CCIE certification 
if you only pass the qualifier (written exam).  I do not know if you can 
even consider it "half way" there.  It is just a prelude of things to come 
and to weed out people.  I have not taken the written personally, so not 
sure if it is "bookwormable".  I am assuming it is since anything written / 
multiple choice ends up being that way in the end.

The Juniper written lab or the juniper practical lab is "twice" as 
hard? If it is more emphasis on ISIS or Juniper-isms, it is a 
matter of spending some time to apply your basic networking knowledge to 
understand new protocols (ISIS isn't concentrated on as heavily in CCIE 
exams if I remember correctly) and learning a particular company's 
"isms".  Or working with the company's particular hardware.  (ouch, good 
luck finding those guys on ebay for a good price).  Should not be too hard 
for good networking guys (written part), exposure to the hardcore equipment 
might be hard, but also makes you wonder if the market space is really that 
big for heavy duty core work.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3676&t=3568



RE: Switches/cables [7:3673]

2001-05-08 Thread Jim Brown

It is sort of like the ratings on tires. You should buy something like a Z
rated tire for high speeds on an automobile. You can buy a cheaper tire, but
it probably won't hold up at 150mph. It will work fine for cruising around,
but watch out when you try to push it to the limit.

Those connectors will work but errors and other issues can effectively
reduce your net speed.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 2:08 PM
To: [EMAIL PROTECTED]
Subject: Switches/cables [7:3673]


I looked at my G4 mac and the Apple System Profiler says 100Mbps/full 
duplex.  The 3548 XL switch says 100Mbps/full duplex.  How could that be 
possible when the patch panel connectors are 10Mbps and the connector on 
the wall is 10Mbps.  The cable is Cat 5.  I thought everything was supposed 
to be 100Mbps for the switch and the computer to register it as 
100Mbps/full??  So, what gives?  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3675&t=3673



Re: Cisco HSRP Denial of Service Vulnerability [7:3534]

2001-05-08 Thread Jacques Atlas

hi

On Tue, 8 May 2001, Priscilla Oppenheimer wrote:

|I'm surprised it's not in more products???

being surprised is something that i am getting used to ;-)

-- 
jacques




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3674&t=3534



Switches/cables [7:3673]

2001-05-08 Thread John Chang

I looked at my G4 mac and the Apple System Profiler says 100Mbps/full 
duplex.  The 3548 XL switch says 100Mbps/full duplex.  How could that be 
possible when the patch panel connectors are 10Mbps and the connector on 
the wall is 10Mbps.  The cable is Cat 5.  I thought everything was supposed 
to be 100Mbps for the switch and the computer to register it as 
100Mbps/full??  So, what gives?  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3673&t=3673



Re: EIGRP [7:3663]

2001-05-08 Thread Circusnuts

Load balance or deterministic routing is accomplished by adjusting the
metrics or careful placement of static routes (the latter is a bad way to
go).  Not sure I understand the question of redistributing from router to
router. Is this EIGRP to EIGRP ???  I have passed summarized routes from the
Core EIGRP AS to Distribution (smaller route tables that way & a floating
default gateway).  Is this what you are referring to?  I know the CCO has a
lot of stuff on EIGRP.  This is the Cisco pride & joy :o)  Pepelnjak's Cisco
Press book is a great asset for EIGRP networks (ISBN 1947270165).

Phil

- Original Message -
From: Douglas Staz 
To: 
Sent: Tuesday, May 08, 2001 3:10 PM
Subject: EIGRP [7:3663]


> How do you verify and enable equal load balancing on EIGRP, specifically
> with Static routes?  Also, How do you redistribute static routes from
> router to router?
> Thanks in advance.
>
> Doug




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3672&t=3663



Re: Wireless for backup T1 link??? [7:3651]

2001-05-08 Thread Brian

Thought about buying dsl internet access at each office then building a
secure tunnel between the two?

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 8 May 2001, Circusnuts wrote:

> Maybe between two buildings, but I would not think between two coastal
> cities.  If I recall, the wireless solution I saw when working with the
> government cost out around $250,000 per month for 50 Meg link.  Apples to
> oranges I know, but even if it were to cost a 10th or 20th... the sum would
> be outrageous for T1 or Frame.
>
> Phil
> - Original Message -
> From: Kim Seng
> To:
> Sent: Tuesday, May 08, 2001 2:06 PM
> Subject: Wireless for backup T1 link??? [7:3651]
>
>
> > Have anyone experience with Wireless technology for
> > backup link solution?  I have 2 cities: NY city and LA
> > connected via T1 point to point and looking for a
> > backup solution that does not cost too much. Is
> > wireless is a good solution for this backup?
> >
> > Thanks!
> >
> > Kim.
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3669&t=3651



Re: back-to-back t1 with wic-1dsu-t1? [7:3633]

2001-05-08 Thread Neil Schneider

here is the show int:


Router#sh int s0/0
Serial0/0 is down, line protocol is down
  Hardware is PQUICC with Fractional T1 CSU/DSU
  MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:21:48
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
 Conversations  0/0/256 (active/max active/max total)
 Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 0 packets input, 0 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 0 packets output, 0 bytes, 0 underruns
 0 output errors, 0 collisions, 43 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=down  DSR=up  DTR=up  RTS=up  CTS=down


Neil




"Neil Schneider" wrote in message news:[EMAIL PROTECTED]...
> Pinouts are 1-4 and 2-5 crossed.  leds show alarm on both cards.  They are
> definitely not shutdown.  Show int results will have to wait.  I just tried
> to update the ios on one router and now it is not booting correctly.  No
> interfaces are being seen.  (makes it hard to do a tftp download)
>
> Neil Schneider
>
>
> - Original Message -
> From: "Jim Brown"
> To: "'Neil Schneider'" ;
> Sent: Tuesday, May 08, 2001 12:42 PM
> Subject: RE: back-to-back t1 with wic-1dsu-t1? [7:3633]
>
>
> > I believe clock source internal on one of the cards is all you need to
> > bring them up. Please post the 'show interface' results from both routers
> > and the related configs.
> >
> > What pinouts did you use for the cross-over cable?
> >
> > What LEDs are illuminated on the cards with the cable plugged in?
> >
> > Are you sure the interfaces are not in a shutdown state?
> >
> > -Original Message-
> > From: Neil Schneider [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 08, 2001 10:47 AM
> > To: [EMAIL PROTECTED]
> > Subject: back-to-back t1 with wic-1dsu-t1? [7:3633]
> >
> >
> > I am trying to set up 2 t1 wics back to back to simulate a t1 wan
> > connection.  I have a T1 crossover cable,  clock source is internal on one
> > card, but I get nothing, down and down.  Is anyone doing this and willing
> > to share a configuration?  Or give me a hint as to what may be wrong
> >
> > Thanks
> >
> > Neil Schneider
> > CCNP   CCSI (setting up a CCIE lab)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3670&t=3633



Re: How many routers in a typical IP/IPX network. [7:3664]

2001-05-08 Thread Circusnuts

255 hops, but convergence & route table size are the issues that promote
multiple AS's with route summarization.  The Dual Algorithm can be a real
pain when you have Stuck In Actives traversing a large network.  If this is
a real project, get Pepelnjak's Cisco Press EIGRP Network Design Solutions
(ISBN 1947270165).

Phil

- Original Message -
From: mindiani mindiani 
To: 
Sent: Tuesday, May 08, 2001 3:11 PM
Subject: How many routers in a typical IP/IPX network. [7:3664]


> I would like to know how many routers a typical large IP/IPX network can
> have  using EIGRP protocol with one autonomous system.
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3671&t=3664



Re: How many routers in a typical IP/IPX network. [7:3664]

2001-05-08 Thread EA Louie

I worked on a network with 200+ routers in one AS - wasn't a problem after
the EIGRP flapping problems in 10.3 went away  ;-)  That architecture was
redundant backbone routers in the campuses, multiple paths (partial mesh)
between major sites, and hub-and-spoke from major sites to remotes.  Once
EIGRP settles (from an addition or deletion), it behaves pretty well.

I'd be willing to venture that others on the list have worked with even
larger networks in a single AS.

There is no real 'typical' IP/IPX network.  The classification of networks
that I've seen is Enterprise (large multiple remote site and multicampus),
medium business (single-campus, multiple remote sites), and small (single
site or a few remotes and Internet access).  And there are some incredibly
large Enterprise networks out there.

-e-

- Original Message -
From: "mindiani mindiani" 
To: 
Sent: Tuesday, May 08, 2001 12:11 PM
Subject: How many routers in a typical IP/IPX network. [7:3664]


> I would like to know how many routers a typical large IP/IPX network can
> have  using EIGRP protocol with one autonomous system.
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3668&t=3664



Re: Wireless for backup T1 link??? [7:3651]

2001-05-08 Thread Circusnuts

Maybe between two buildings, but I would not think between two coastal
cities.  If I recall, the wireless solution I saw when working with the
government cost out around $250,000 per month for 50 Meg link.  Apples to
oranges I know, but even if it were to cost a 10th or 20th... the sum would
be outrageous for T1 or Frame.

Phil
- Original Message -
From: Kim Seng 
To: 
Sent: Tuesday, May 08, 2001 2:06 PM
Subject: Wireless for backup T1 link??? [7:3651]


> Have anyone experience with Wireless technology for
> backup link solution?  I have 2 cities: NY city and LA
> connected via T1 point to point and looking for a
> backup solution that does not cost too much. Is
> wireless is a good solution for this backup?
>
> Thanks!
>
> Kim.
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3667&t=3651



security opinions please [7:3666]

2001-05-08 Thread [EMAIL PROTECTED]

Let me lay out the basic topology of a network first:

A 6500 has several VLANS configured on it.  Among these are an external
internet vlan, a dmz, and several internal vlans.   The internal vlans are
routed by an MSFC in the 6500.  Routing between the internal, dmz, and
external are handled by a firewall external to the 6500.  

Are there any security issues with having all of these VLANS in the same
box?  Someone in our organization is concerned that someone can hack the
switch just because the connection from the internet is plugged into it.
The switch's management address is on one of the internal vlans, and an
access list is on the telnet access that restricts access from only the
internal vlans.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3666&t=3666



catalyst 6509 cookbook config [7:3665]

2001-05-08 Thread admin

Looking for a really concise configuration guide for the 6509 catalyst
switch. Been through the CCO and did not see anything too stellar. Any
pointers would be appreciated. Thanks in advance- Joseph

Please reply to this address:
[EMAIL PROTECTED]

Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3665&t=3665



EIGRP [7:3663]

2001-05-08 Thread Douglas Staz

How do you verify and enable equal load balancing on EIGRP, specifically
with Static routes?  Also, How do you redistribute static routes from router
to router?
Thanks in advance.

Doug




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3663&t=3663



How many routers in a typical IP/IPX network. [7:3664]

2001-05-08 Thread mindiani mindiani

I would like to know how many routers a typical large IP/IPX network can 
have  using EIGRP protocol with one autonomous system.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3664&t=3664


