Re: Does access list work for router originated packets [7:17364]

2001-08-27 Thread Lance

Nice catch Dan :)



Dan Faulk wrote in message
news:[EMAIL PROTECTED]...
 Since ping uses returning packets to work, it's those that are being
 blocked.
 Use a sniffer to see the process.


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, August 26, 2001 11:16 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Does access list work for router originated packets
 [7:17357]


 Hi

 I can't believe I am challenging Priscilla!

 I just tried what you are talking about, i.e. that the ACL on the router
 does not affect the traffic generated by the router itself.

 I created an extended ACL to block all ICMP traffic and applied it to E0 as
 both IN and OUT. Before applying the ACL I can ping just fine to any host on
 the network and any host on the network can ping the router. After applying
 the ACL I am not able to ping from the router, or to the router.

 I am running 11.1 IOS, maybe it would yield different results with a
 different IOS version. What IOS and platform did you see this behavior?

 Here's my config.

 Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
 RedHat PC 192.168.10.2

 -Router config--
 Current configuration:
 !
 version 11.1
 service udp-small-servers
 service tcp-small-servers
 !
 hostname C2501-R2
 !
 enable secret 5 XXX
 enable password none
 !
 ip subnet-zero
 !
 interface Ethernet0
  ip address 192.168.10.20 255.255.255.0
  ip access-group 100 in
  ip access-group 100 out
  no ip mroute-cache
  no ip route-cache
 !
 interface Serial0
  ip address 192.168.50.1 255.255.255.252
  no ip mroute-cache
  encapsulation ppp
  no ip route-cache
 !
 interface Serial1
  no ip address
  no ip mroute-cache
  no ip route-cache
  shutdown
 !
 ip classless
 logging buffered
 access-list 100 deny   icmp any any
 access-list 100 permit ip any any
 !
 line con 0
  exec-timeout 0 0
 line aux 0
  transport input all
 line vty 0 4
  exec-timeout 0 0
  password 
  login
 !
 end

 ---Router Config--

 ---Ping results-

 C2501-R2#ping 192.168.10.50

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
 .
 Success rate is 0 percent (0/5)
 C2501-R2#conf t
 Enter configuration commands, one per line.  End with CNTL/Z.
 C2501-R2(config)#int e0
 C2501-R2(config-if)#no ip access-group 100 in
 C2501-R2(config-if)#no ip access-group 100 out
 C2501-R2(config-if)#^Z
 C2501-R2#
 %SYS-5-CONFIG_I: Configured from console by console
 C2501-R2#ping 192.168.10.50

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
 !
 Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 C2501-R2#

 Windoze Ping with ACL 
 C:\ping 192.168.10.20

 Pinging 192.168.10.20 with 32 bytes of data:

 Reply from 192.168.10.20: Destination net unreachable.
 Reply from 192.168.10.20: Destination net unreachable.
 Reply from 192.168.10.20: Destination net unreachable.
 Reply from 192.168.10.20: Destination net unreachable.

 Ping statistics for 192.168.10.20:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum =  0ms, Average =  0ms

 Windoze Ping without ACL 

 C:\ping 192.168.10.20

 Pinging 192.168.10.20 with 32 bytes of data:

 Reply from 192.168.10.20: bytes=32 time wrote in message
 news:[EMAIL PROTECTED]...
  I know it's not what you said. What you said was obvious. I guess it comes
  about because I said to test with end devices. Router A is acting like an
  end device in your example. I should have been more clear.
  
  What is not obvious is that ACLs on Router B do not apply to pings to and
  from Router B. Every newbie has probably been bitten by that one,
  especially in simple labs.
 
  Priscilla
 
  At 09:42 PM 8/26/01, Brad Ellis wrote:
  Priscilla, that's not what I said.  Here's what I said:
  
  ...pings sent by one router will not be filtered by another router?  
  
  Hence my diagram for further explanation:
  
  Router A -=- Router B -=- Device A
  (-=- can be ethernet x-over, serial back-to-back, etc)
  
  An ACL is applied on Router B's interface (applied inbound) that is
  connected to Router A.  What I originally said, and continue to say, is that
  Router B will most certainly block packets (pings or whatever) coming from
  Router A...and it is irrelevant if Router A is a router or a host device.
  The ACL on Router B doesn't care if the device sending packets is a router or
  an end host device!
  
  If Router B was initiating the ping and Router B had the ACL applied, that
  would be a different story.
  
  ttyl,
  -Brad Ellis
  CCIE#5796
  [EMAIL PROTECTED]
  used Cisco: www.optsys.net
  
  Priscilla Oppenheimer wrote in message
  news:[EMAIL PROTECTED]...
At 08:06 PM 8/26/01, Brad Ellis wrote:
Priscilla,

Are you saying 

Re: Does access list work for router originated packets [7:17365]

2001-08-27 Thread Erick B.

You can use a local policy route to get packets
generated by the router to go through an ACL. Not as
straight forward but...

--- [EMAIL PROTECTED]
 wrote:
 Try making it an outbound access list only and see
 what happens.
 I haven't played around with it much myself, but I
 think that the outbound
 packets (originating from the router) will pass
 through the ACL OK.
 However I think your ping replies are being blocked
 on the way back - I'm
 not going to dig through manuals right now, but I
 think the ACL will be
 checked and acted on before the router works out
 that the ping reply is for
 itself.
 So I think (without testing myself) that Priscilla
 is only half correct
 with the statement ACLs on Router B do not apply to
 pings to and from
 Router B. - I think they apply to pings *to* router
 B but not *from*
 router B.
 
 JMcL
 
 
 
   

 John Hardman
 Sent by: nobody@groupstudy.com
 27/08/2001 02:16 pm
 Please respond to John Hardman
 
 To: [EMAIL PROTECTED]
 Subject: Re: Does access list work for router originated packets [7:17357]
 
 Hi
 
 I can't believe I am challenging Priscilla!
 
 I just tried what you are talking about, i.e. that the ACL on the router
 does not affect the traffic generated by the router itself.
 
 I created an extended ACL to block all ICMP traffic and applied it to E0 as
 both IN and OUT. Before applying the ACL I can ping just fine to any host on
 the network and any host on the network can ping the router. After applying
 the ACL I am not able to ping from the router, or to the router.
 
 I am running 11.1 IOS, maybe it would yield
 different results with a
 different IOS version. What IOS and platform did you
 see this behavior?
 
 Here's my config.
 
 Windoze PC 192.168.10.50 --- E0 Router2
 192.168.10.20
 RedHat PC 192.168.10.2
 
 -Router config--
 Current configuration:
 !
 version 11.1
 service udp-small-servers
 service tcp-small-servers
 !
 hostname C2501-R2
 !
 enable secret 5 XXX
 enable password none
 !
 ip subnet-zero
 !
 interface Ethernet0
  ip address 192.168.10.20 255.255.255.0
  ip access-group 100 in
  ip access-group 100 out
  no ip mroute-cache
  no ip route-cache
 !
 interface Serial0
  ip address 192.168.50.1 255.255.255.252
  no ip mroute-cache
  encapsulation ppp
  no ip route-cache
 !
 interface Serial1
  no ip address
  no ip mroute-cache
  no ip route-cache
  shutdown
 !
 ip classless
 logging buffered
 access-list 100 deny   icmp any any
 access-list 100 permit ip any any
 !
 line con 0
  exec-timeout 0 0
 line aux 0
  transport input all
 line vty 0 4
  exec-timeout 0 0
  password 
  login
 !
 end
 
 ---Router Config--
 
 ---Ping results-
 
 C2501-R2#ping 192.168.10.50
 
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echoes to 192.168.10.50,
 timeout is 2 seconds:
 .
 Success rate is 0 percent (0/5)
 C2501-R2#conf t
 Enter configuration commands, one per line.  End
 with CNTL/Z.
 C2501-R2(config)#int e0
 C2501-R2(config-if)#no ip access-group 100 in
 C2501-R2(config-if)#no ip access-group 100 out
 C2501-R2(config-if)#^Z
 C2501-R2#
 %SYS-5-CONFIG_I: Configured from console by console
 C2501-R2#ping 192.168.10.50
 
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echoes to 192.168.10.50,
 timeout is 2 seconds:
 !
 Success rate is 100 percent (5/5), round-trip
 min/avg/max = 1/2/4 ms
 C2501-R2#
 
 Windoze Ping with ACL 
 C:\ping 192.168.10.20
 
 Pinging 192.168.10.20 with 32 bytes of data:
 
 Reply from 192.168.10.20: Destination net
 unreachable.
 Reply from 192.168.10.20: Destination net
 unreachable.
 Reply from 192.168.10.20: Destination net
 unreachable.
 Reply from 192.168.10.20: Destination net
 unreachable.
 
 Ping statistics for 192.168.10.20:
 Packets: Sent = 4, Received = 4, Lost = 0 (0%
 loss),
 Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum =  0ms, Average =  0ms
 
 Windoze Ping without ACL 
 
 C:\ping 192.168.10.20
 
 Pinging 192.168.10.20 with 32 bytes of data:
 
 Reply from 192.168.10.20: bytes=32 time wrote in
 message
 news:[EMAIL PROTECTED]...
  I know it's not what you said. What you said was
 obvious. I 

Data Encryption... [7:17366]

2001-08-27 Thread sakella locuz

Hi,

Can you tell me the equivalent of the Cylink link encryptor in Cisco? Can we use
Cisco's VPN concentrator?

Kindly revert back immediately.

Regds,
Surya.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17366t=17366
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Multilink PPP [7:17367]

2001-08-27 Thread Muhammad Shakeel Shamsi

Hi,
   I am working on combining two E1's to work as one so that the upper layers
would see the bundle as a 4Mbps link with only one point-to-point IP; at
least that's what Cisco says. I read about it on Cisco and found some sample
configurations. I would like you guys to go through this setup and
opinionate on this before I try it on actual E1's! I will have to ask
my provider to configure at their end a similar configuration and also
combine the 2 E1's to be addressed by IP address.

interface Serial6/0
 encapsulation ppp
 no keepalive
 dialer in-band
 dialer idle-timeout 30
 dialer rotary-group 1
 pulse-time 1
 
interface Serial6/1
 no ip address
 encapsulation ppp
 no keepalive
 dialer in-band
 dialer idle-timeout 30
 dialer rotary-group 1
 pulse-time 1
 
interface Dialer1
 ip address 192.168.0.1 255.255.255.0
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 30
 dialer map llc2  name RouterB
 dialer map ip 1.1.1.2 name RouterB
 dialer load-threshold 1 either
 dialer-group 1
 ppp multilink
 ppp authentication chap
 
appn control-point NETA.ROUTERA
  complete
 
appn port DIAL Dialer1
  complete
 
appn link-station ROUTERB
  port DIAL
  complete
 
dialer-list 1 protocol ip permit
dialer-list 1 protocol llc2 permit


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17367t=17367



RE: ospf real world question [7:17274]

2001-08-27 Thread Tangled Up in Blue

are you sure it wasn't the network address of the subnet, i.e. the ADV?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17368t=17274



Re: Re: Tacacs [7:17110]

2001-08-27 Thread Ramesh K

Hi stephen,

You can use tacacs if you want to authenticate
the users accessing your routers .You can get the log also.You can download
the same from www.navya.com
I don't have any idea about Kerberos ...
In my setup tacacs is working fine

thanks
ramesh

On Fri, 24 Aug 2001 Stephen Skinner wrote :
Hello,

i don`t mean to be rude but i think the reason the
gentleman replied the
way he did was because the way you posed your question was
to say

 i`m to busy ...you lot do it for me

now i personally believe that that is not the case and
you were simply asking
(as i do all the time) for some assistance in this
subject matter.

unfortunately i don`t have an answer to your question
but also require info
on tacacs+so please don`t be afraid to pass on what
you may learn


Kindest Regards


steve


From: khramov
Reply-To: khramov
To: [EMAIL PROTECTED]
Subject: Re: Tacacs [7:17110]
Date: Fri, 24 Aug 2001 10:58:12 -0400

As far as I know this is Cisco newsgroup and it should
be used for
technical
discussions
not for personal insults.  If you think that you are
smarter than me or
have
better work
habits that is fine,  I am not going to argue with
that.  Otherwise I would
be asking
questions.

Donald B Johnson jr wrote:

  After someone gives you an answer, are you going to
have time to
research
if
  it is a good solution for you or are you going to
just implement it.
  It sure must warm the cockles of your supervisors
heart if he could see
you
  now.
  actually the only two things that would make me to
busy that I couldn't
  research an access solution would be;
  A raging blaze
  A Seinfeld rerun
  don
 
  - Original Message -
  From: khramov
  To:
  Sent: Friday, August 24, 2001 6:17 AM
  Subject: Tacacs [7:17110]
 
   Hi,
   Just like everyone else sometimes I do not have
enough time to do the
   research myself and I post questions here.  Here
is what I am trying
to
   do:  I am trying to set up some sort of security
server on my network
to
  
   authorize user access on routers and switches.
First of all what
should
  
   I use Tacacs (extended or +), Radius, Kerberos,
which one seem to work
   better.  Second where can I buy/download the
software or can I just
   configure a router as a Tacacs server.  Just give
me some ideas on
this.
  
   Thanks a lot,
   alex




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17369t=17110



Re: Multilink PPP [7:17367]

2001-08-27 Thread Shahir Boshra

What's the type of E1 you're planning to use? Is there any E1 PRI in your
scenario?
I assume you're using point-to-point E1; however, your configuration has
references to dialer profiles, which are irrelevant to permanent PPP
connections.
To configure 2 (dedicated, PPP) E1's as a Multilink bundle is very
straightforward; however, PPP multilink is not the preferred solution and has
many drawbacks.
Why don't you just configure your (and your provider's) routers to use the 2
routes equally? Actually this will accomplish the same result you're aiming
at, but you gain greater reliability.

Muhammad Shakeel Shamsi wrote in message
news:[EMAIL PROTECTED]...
 Hi,
 I am working on combining two E1's to work as one so that the upper layers
 would see the bundle as a 4Mbps link with only one point-to-point IP; at
 least that's what Cisco says. I read about it on Cisco and found some sample
 configurations. I would like you guys to go through this setup and
 opinionate on this before I try it on actual E1's! I will have to ask
 my provider to configure at their end a similar configuration and also
 combine the 2 E1's to be addressed by IP address.

 interface Serial6/0
  encapsulation ppp
  no keepalive
  dialer in-band
  dialer idle-timeout 30
  dialer rotary-group 1
  pulse-time 1

 interface Serial6/1
  no ip address
  encapsulation ppp
  no keepalive
  dialer in-band
  dialer idle-timeout 30
  dialer rotary-group 1
  pulse-time 1

 interface Dialer1
  ip address 192.168.0.1 255.255.255.0
  encapsulation ppp
  dialer in-band
  dialer idle-timeout 30
  dialer map llc2  name RouterB
  dialer map ip 1.1.1.2 name RouterB
  dialer load-threshold 1 either
  dialer-group 1
  ppp multilink
  ppp authentication chap

 appn control-point NETA.ROUTERA
   complete

 appn port DIAL Dialer1
   complete

 appn link-station ROUTERB
   port DIAL
   complete

 dialer-list 1 protocol ip permit
 dialer-list 1 protocol llc2 permit




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17370t=17367



NetBios Header [7:17371]

2001-08-27 Thread Lists Wizard

Hello Group,

I tried my best to find information about NetBios header format, but I could
not. Could you please send me any useful link regarding this matter.


Thanks

Lw




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17371t=17371



Re: BOSON FOR CIT and Cisco Training Manuals [7:17149]

2001-08-27 Thread Patrick Donlon

I bought tests 1 & 2 for the CIT and found them very useful and very similar
to the real exam.


regards

J. Li wrote in message
news:[EMAIL PROTECTED]...
 Two quick questions.

 Q1. BOSON CIT

 Are BOSON tests good for CIT exam?  I plan to buy 2
 BOSON tests.  Which ones do you recommend?  Should I
 buy test #1 and #2 or test #2 and #3?

 Q2. Cisco Training Manuals -- Copyright

 I attended all Cisco training classes and have the
 official training manuals.

 Cisco says Cisco and its suppliers grant to you a
 nonexclusive and nontransferable license to use the
 Cisco Materials solely for your own personal use...

 After I finish my CCNP, I don't plan to keep these
 manuals.  If I donate (transfer?) them to our local
 library, does it violate the license/copyright rule?

 Regards,

 J. Li






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17373t=17149



access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread shella kevin

When dealing with access-lists we use both TCP & UDP. For example we use
tcp 53 or udp 53 for domain.

My Q is: when & how do we know when we should use UDP and when TCP?
What is the difference?

 

Thanks

Shella K.

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17374t=17374



I want to start certification cources in my institute [7:17372]

2001-08-27 Thread pradeep singh

hi,

I need your help as I am an Indian and I want to start some certification
courses in my institute.

I've 5000 sq. ft. of space, having and running an institute in the name of
Macil Info Systems Pvt Ltd. which has three class rooms, one lab having 30
systems with Windows 2000 Pro networking, one library, cafeteria (fully
centrally air conditioned), large parking space, and is in the heart of the city.
I just wanted to know whether I can get the permission from the companies
who run the certification courses.

Please guide me on this path; I will be very grateful to you.

Please inform me on my email

mail to: [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

 

Pradeep singh chauhan
Macil House
8-Tilak marg
dalibagh, Lucknow
Uttar Pradesh
India


 

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17372t=17372



Re: Routing Software [7:16986]

2001-08-27 Thread Simon Dupont

Hi,

You can do that with SNMP queries...

Cheers

Simon

Asa Kabazzi wrote:

 Is there any software that can view routing tables on a PC? For example if
 the network is running EIGRP the software will tell you what the networks,
 subnets, AD, AS number and various timeouts are. It would do the same for
 RIP, OSPF, BGP etc.

 Does such a software package exist?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17375t=16986



Re: Does access list work for router originated packets [7:17376]

2001-08-27 Thread Ednilson Rosa

Yes, that's right! I have a configuration where I set up an ACL to
completely filter telnet FROM and TO a certain network connected to it. I
applied the ACL both inbound and outbound on an Ethernet interface. Done
this, no one could telnet my router or any host on that Ethernet segment
passing through my router. But I WAS ABLE to telnet any host on that segment
as long as I originated the telnet from the router itself! From which you
may conclude that an ACL doesn't affect packets originated on the router on
which it is applied...

Regards,

Ednilson Rosa

- Original Message -
From: John Hardman 
To: 
Sent: Monday, August 27, 2001 1:16 AM
Subject: Re: Does access list work for router originated packets [7:17357]


Hi

I can't believe I am challenging Priscilla!

I just tried what you are talking about, i.e. that the ACL on the router
does not affect the traffic generated by the router itself.

I created an extended ACL to block all ICMP traffic and applied it to E0 as
both IN and OUT. Before applying the ACL I can ping just fine to any host on
the network and any host on the network can ping the router. After applying
the ACL I am not able to ping from the router, or to the router.

I am running 11.1 IOS, maybe it would yield different results with a
different IOS version. What IOS and platform did you see this behavior?

Here's my config.

Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
RedHat PC 192.168.10.2

-Router config--
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname C2501-R2
!
enable secret 5 XXX
enable password none
!
ip subnet-zero
!
interface Ethernet0
 ip address 192.168.10.20 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 no ip mroute-cache
 no ip route-cache
!
interface Serial0
 ip address 192.168.50.1 255.255.255.252
 no ip mroute-cache
 encapsulation ppp
 no ip route-cache
!
interface Serial1
 no ip address
 no ip mroute-cache
 no ip route-cache
 shutdown
!
ip classless
logging buffered
access-list 100 deny   icmp any any
access-list 100 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 password 
 login
!
end

---Router Config--

---Ping results-

C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
C2501-R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C2501-R2(config)#int e0
C2501-R2(config-if)#no ip access-group 100 in
C2501-R2(config-if)#no ip access-group 100 out
C2501-R2(config-if)#^Z
C2501-R2#
%SYS-5-CONFIG_I: Configured from console by console
C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
C2501-R2#

Windoze Ping with ACL 
C:\ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.

Ping statistics for 192.168.10.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms

Windoze Ping without ACL 

C:\ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: bytes=32 time wrote in message
news:[EMAIL PROTECTED]...
 I know it's not what you said. What you said was obvious. I guess it comes
 about because I said to test with end devices. Router A is acting like an
 end device in your example. I should have been more clear.

 What is not obvious is that ACLs on Router B do not apply to pings to and
 from Router B. Every newbie has probably been bitten by that one,
 especially in simple labs.

 Priscilla

 At 09:42 PM 8/26/01, Brad Ellis wrote:
 Priscilla, that's not what I said.  Here's what I said:
 
 ...pings sent by one router will not be filtered by another router?  
 
 Hence my diagram for further explanation:
 
 Router A -=- Router B -=- Device A
 (-=- can be ethernet x-over, serial back-to-back, etc)
 
 An ACL is applied on Router B's interface (applied inbound) that is
 connected to Router A.  What I originally said, and continue to say, is that
 Router B will most certainly block packets (pings or whatever) coming from
 Router A...and it is irrelevant if Router A is a router or a host device.
 The ACL on Router B doesn't care if the device sending packets is a router or
 an end host device!
 
 If Router B was initiating the ping and Router B had the ACL applied, that
 would be a different story.
 
 ttyl,
 -Brad Ellis
 CCIE#5796
 [EMAIL PROTECTED]
 used Cisco: www.optsys.net
 
 

Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread Ednilson Rosa

You will have to know what protocols and ports the application you want to
block uses. You may have a clue on that typing the commands below on the
global config mode:

Router-R1(config)#access-list 101 deny udp any any eq ?
Router-R1(config)#access-list 101 deny tcp any any eq ?

This will show you a help list with the most common UDP and TCP ports you
may use. For a comprehensive list search on Cisco's Website.

Regards,

Ednilson Rosa


- Original Message -
From: shella kevin 
To: 
Sent: Monday, August 27, 2001 8:04 AM
Subject: access-list  ports ( TCP /UDP) [7:17374]


When dealing with access-lists we use both TCP & UDP. For example we use
tcp 53 or udp 53 for domain.

My Q is: when & how do we know when we should use UDP and when TCP?
What is the difference?



Thanks

Shella K.









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17377t=17374
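
Added illustration (editor's code, not code from anyone in the thread and not
Cisco IOS): a small Python model of the two points the ACL threads above settled
on. It parses the ACL lines from John Hardman's config (plus a constructed ACL
101 that denies only UDP/53, for Shella's TCP/UDP question) and walks packets
through an interface the way Dan Faulk, JMcL and Jason Couch describe it: the
echo request the router itself sends is not checked by the outbound ACL, the
echo reply coming back is checked by the inbound ACL and dropped there, and the
PC's own echo request is dropped inbound directly. That is why
"C2501-R2#ping 192.168.10.50" fails while the only denies logged are
192.168.10.50 -> 192.168.10.20. The DNS part shows that a "deny udp ... eq 53"
entry does nothing to DNS carried over TCP/53, so a service that uses both
transports needs an entry for each. The Packet, Ace and Interface classes and
the log-line shape are simplifications of my own, not IOS internals.

```python
"""Editor's toy model (not IOS code) of an interface ACL applied to pings, after
the thread above: echo requests the router sends are not checked by the outbound
ACL, but the replies are checked by the inbound ACL and dropped there."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int | None = None    # destination port, tcp/udp only

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None = None    # from "eq <port>", if present

def _addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def parse_acl(text):
    """Parse numbered extended ACL lines into {number: [Ace, ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = int(tok[i + 1]) if len(tok) > i + 1 and tok[i] == "eq" else None
        acls.setdefault(number, []).append(Ace(action, proto, src, dst, dport))
    return acls

def acl_decision(aces, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in aces:
        if (ace.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ace.src
                and ipaddress.ip_address(pkt.dst) in ace.dst
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action
    return "deny"

@dataclass
class Interface:
    address: str
    acls: dict
    acl_in: int | None = None
    acl_out: int | None = None
    log: list = field(default_factory=list)

    def check(self, pkt, direction, locally_generated=False):
        """Apply the ACL for one direction.  Packets the router generated
        itself bypass the outbound ACL; everything else is filtered."""
        number = self.acl_in if direction == "in" else self.acl_out
        if number is None or (direction == "out" and locally_generated):
            return "permit"
        verdict = acl_decision(self.acls[number], pkt)
        if verdict == "deny":   # shaped like the IOS 'log' output quoted in the thread
            self.log.append(f"list {number} denied {pkt.proto} {pkt.src} -> {pkt.dst}")
        return verdict

def router_ping(iface, target):
    """C2501-R2#ping <target>: returns (echo request verdict, echo reply verdict)."""
    if iface.check(Packet("icmp", iface.address, target), "out", locally_generated=True) == "deny":
        return "deny", None
    return "permit", iface.check(Packet("icmp", target, iface.address), "in")

THREAD_ACL = """
access-list 100 deny   icmp any any
access-list 100 permit ip any any
access-list 101 deny   udp any any eq 53
access-list 101 permit ip any any
"""

def demo_icmp():
    """The thread's lab: ACL 100 in and out on E0; router pings PC, then PC pings router."""
    e0 = Interface("192.168.10.20", parse_acl(THREAD_ACL), acl_in=100, acl_out=100)
    from_router = router_ping(e0, "192.168.10.50")
    from_pc = e0.check(Packet("icmp", "192.168.10.50", e0.address), "in")
    return from_router, from_pc, e0.log

def demo_dns():
    """ACL 101 denies DNS over UDP only; the same query over TCP/53 still gets through."""
    e0 = Interface("192.168.10.20", parse_acl(THREAD_ACL), acl_in=101)
    udp = Packet("udp", "192.168.10.50", "192.168.10.2", dport=53)
    tcp = Packet("tcp", "192.168.10.50", "192.168.10.2", dport=53)
    return e0.check(udp, "in"), e0.check(tcp, "in")
```

demo_icmp() returns (("permit", "deny"), "deny", log): the router's echo request
leaves, its reply is denied inbound, and the PC's request is denied inbound; both
denies log as "list 100 denied icmp 192.168.10.50 -> 192.168.10.20", matching the
direction of the log line Jason Couch quotes. demo_dns() returns ("deny",
"permit"), which is the answer to the TCP/UDP question: the protocol keyword in
the ACL entry is part of the match, so the transport the application actually
uses (and DNS uses both) decides which entries you need.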



Re: TCP/IP question [7:17343]

2001-08-27 Thread Ednilson Rosa

It's the entire class! When this was done, people didn't think that the Internet
would grow so much and address space was considered to be enormous, so they
just decided to reserve the entire class for loopback.

Ednilson Rosa

- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Sunday, August 26, 2001 10:01 PM
Subject: Re: TCP/IP question [7:17343]


there was a question regarding 127.0.0.1. I understand that the actual
TCP/IP software actually uses this address for self testing.
when ping localhost {or computer  {netbios} name} the actual ip address of
127.0.0.1 shows up on the screen.

In doing some research one book explains that 127.0.0.1 is not useable but
the rest of the addresses in the 127 network can be used.
I went to my trusty 2500 and try to plug in 127.12.12.25 and the router
would not allow me config the interface with that address.

Is the entire 127 network off limits or just 127.0.0.1? Is this a Cisco thing?
Any explanation is appreciated.


See RFC 1812. It's only defined to be the one address, but most
implementations block the 127 network.


Thank You..

Rico Ortiz,
Regional Systems Manager,
Electronic Support Detachment New York
United States Coast Guard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17378t=17343



RE: Multilink PPP [7:17367]

2001-08-27 Thread dragi radovanovic

Don't forget:
if this is a lower platform, like 1600, you might have problems with
multilinking 2 serial connections.
Anyhow, this config that you have is wrong, because you are obviously not
using PRI interfaces. If you were using them, dialer interface would be the
perfect solution.
What you need is so called Virtual Template.
Go to cisco.com and do search on configuring Virtual Template, that will
explain everything.
Regards,
Dragi


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17379t=17367



Re: IP in IP GRE tunneling [7:16833]

2001-08-27 Thread Juliano Moises da Luz

Sorry! My company doesn't allow to publish configs, even with fake
addresses.






- Original Message -
From: Sam Deckert 
To: 
Sent: Wednesday, August 22, 2001 6:19 PM
Subject: Re: IP in IP GRE tunneling [7:16833]




 Would you be able to post a sample config of GRE IP/IP tunnelling
over the
 Internet (with and without IPSec?)??

 That would be great.  Having a bit of trouble with it

 Thanks!

 Sam.

 - Original Message -
 From: Juliano Moises da Luz
 To:
 Sent: Thursday, August 23, 2001 3:05 AM
 Subject: RE: IP in IP GRE tunneling [7:16833]


  I think the main advantage is easy to configure and
troubleshoot. We have
  all VPN links using GRE tunneling with and without IPSEC and it
works
 fine.
 
  -Original Message-
  From: YY [mailto:[EMAIL PROTECTED]]
  Sent: quarta-feira, 22 de agosto de 2001 13:23
  To: [EMAIL PROTECTED]
  Subject: IP in IP GRE tunneling [7:16833]
 
 
  Hi,
  What's advantage or use of IP in IP GRE tunneling ?  Thank you.
 
  Regards,
  YY
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17380t=16833



RE: Great Mortgage Rates [7:17354]

2001-08-27 Thread Ole Drews Jensen

You cannot filter all spam without someone reading through every single
message before it is being forwarded to the list members.

As long as this list is a free service to you and me, we shouldn't complain
about these spam e-mails, but simply delete just them like all the other
spam sent directly to us.

Happy studying,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Rob Bains [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 26, 2001 11:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Great Mortgage Rates [7:17354]


Is this list not moderated? How do people get away with this type of
nonsense??

Rob

[EMAIL PROTECTED] wrote:

 fs756d
 Whether a new home loan is what you seek or to refinance
 your current home loan at a lower interest rate, we can help!

 Mortgage rates haven't been this low in the last 12 months,
 take action now!

 Refinance your home with us and include all of those pesky
 credit card bills or use the extra cash for that pool you've
 always wanted...

 Where others say NO, we say YES!!!
 Even if you have been turned down elsewhere, we can help!

 Easy terms!  Our mortgage referral service combines the
 highest quality loans with the most economical rates and
 the easiest qualifications!

 Take just 2 minutes to complete the following form.
 There is no obligation, all information is kept strictly
 confidential, and you must be at least 18 years of age.
 Service is available within the United States only.
 This service is fast and free.

 Free information request form:
 PLEASE VISIT
 http://www.freewebdirect.net/mortgagezone

 
 Since you have received this message you have either responded
 to one of our offers in the past or your address has been
 registered with us.  If you wish to be removed please reply to:
 mailto:[EMAIL PROTECTED]@yahoo.com?subject=remove
 

 fsda0uio

 ***

[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of rbains.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17381t=17354



Re: Does access list work for router originated packets [7:17383]

2001-08-27 Thread John Hardman

Hi

Yep sure enough! I knew I should have put the sniffer on the test, but it
was late and I wanted to get to bed. Oh well, it was a good learning
experience.

--
John Hardman CCNP MCSE


Jason Couch wrote in message news:[EMAIL PROTECTED]...
 The access list is actually only blocking the icmp packets on the return
 path from the pinged router or host.  The icmp packets sent outbound by
 the router sourcing the pings are actually allowed through the outbound
 access list.  This can be seen by adding the log extension to your
access
 list commands.  Then you should see the following message:

 %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.10.50 -> 192.168.10.20
 (0/0), 1 packet

 The key is that you won't see the same log message for the outbound icmp
 packets.  You can also run debug ip packet to see something similar to
the
 following:

 IP: s=192.168.10.20 (local), d=192.168.10.50 (Ethernet0), len 100, sending
 ICMP type=8, code=0
 IP: s=192.168.10.50 (Ethernet0), d=192.168.10.20 , len 100, access denied
 ICMP type=0, code=0

 The outbound packets were sent, but the return packets were access
denied.
 Hence you get:

 C2501-R2#ping 192.168.10.50

  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
  .

 because the entire ping path consists of both the forwarding AND the
return
 path.

 HTH,
 Jason



 John Hardman wrote in message news:[EMAIL PROTECTED]...
  Hi
 
  I can't believe I am challenging Priscilla!
 
  I just tried what you are talking about, i.e. that the ACL on the router
  does not affect the traffic generated by the router itself.
 
  I created an extended ACL to block all ICMP traffic and applied it to E0 as
  both IN and OUT. Before applying the ACL I can ping just fine to any host on
  the network and any host on the network can ping the router. After applying
  the ACL I am not able to ping from the router, or to the router.
 
  I am running 11.1 IOS, maybe it would yield different results with a
  different IOS version. What IOS and platform did you see this behavior?
 
  Here's my config.
 
  Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
  RedHat PC 192.168.10.2
 
  -Router config--
  Current configuration:
  !
  version 11.1
  service udp-small-servers
  service tcp-small-servers
  !
  hostname C2501-R2
  !
  enable secret 5 XXX
  enable password none
  !
  ip subnet-zero
  !
  interface Ethernet0
   ip address 192.168.10.20 255.255.255.0
   ip access-group 100 in
   ip access-group 100 out
   no ip mroute-cache
   no ip route-cache
  !
  interface Serial0
   ip address 192.168.50.1 255.255.255.252
   no ip mroute-cache
   encapsulation ppp
   no ip route-cache
  !
  interface Serial1
   no ip address
   no ip mroute-cache
   no ip route-cache
   shutdown
  !
  ip classless
  logging buffered
  access-list 100 deny   icmp any any
  access-list 100 permit ip any any
  !
  line con 0
   exec-timeout 0 0
  line aux 0
   transport input all
  line vty 0 4
   exec-timeout 0 0
   password 
   login
  !
  end
 
  ---Router Config--
 
  ---Ping results-
 
  C2501-R2#ping 192.168.10.50
 
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
  .
  Success rate is 0 percent (0/5)
  C2501-R2#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  C2501-R2(config)#int e0
  C2501-R2(config-if)#no ip access-group 100 in
  C2501-R2(config-if)#no ip access-group 100 out
  C2501-R2(config-if)#^Z
  C2501-R2#
  %SYS-5-CONFIG_I: Configured from console by console
  C2501-R2#ping 192.168.10.50
 
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
  !
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
  C2501-R2#
 
  Windoze Ping with ACL 
  C:\>ping 192.168.10.20
 
  Pinging 192.168.10.20 with 32 bytes of data:
 
  Reply from 192.168.10.20: Destination net unreachable.
  Reply from 192.168.10.20: Destination net unreachable.
  Reply from 192.168.10.20: Destination net unreachable.
  Reply from 192.168.10.20: Destination net unreachable.
 
  Ping statistics for 192.168.10.20:
  Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
  Minimum = 0ms, Maximum =  0ms, Average =  0ms
 
  Windoze Ping without ACL 
 
  C:\>ping 192.168.10.20
 
  Pinging 192.168.10.20 with 32 bytes of data:
 
  Reply from 192.168.10.20: bytes=32 time wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   I know it's not what you said. What you said was obvious. I guess it
 comes
   about because I said to test with end devices. Router A is acting like
 an
   end device in your example. I should have been more clear.
  
   What is not obvious is that ACLs on Router B do not apply to pings to
 and
   from Router B. 

ISDN failover [7:17382]

2001-08-27 Thread bob Perez

Does anyone know which options you can set in the IOS to provide for
failover to an ISDN line?  I have a T-1 setup with Verio and if that line
fails, I would like to go to ISDN for the backup but am unsure how I would
begin to configure this as far as the ISDN commands are concerned.  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17382t=17382



test [7:17385]

2001-08-27 Thread Farris, Jason

Jason Farris
Network Architect
Sterling Commerce Inc.
614-793-7105 direct line
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17385t=17385



Re: Don't buy from IQSale Was Re: don't buy from C [7:17083]

2001-08-27 Thread Jason

Add this to the list of names used...

IQELAB.COM ,

AVOID THEM 

Jason wrote in message news:[EMAIL PROTECTED]...
 I'm sure there is some small number of people who have no problem with the
 eqpt, but this appears to be the exception rather than the case.

 Kelly D Griffin wrote in message news:[EMAIL PROTECTED]...
  We purchased two routers from them and had no problems other than
initial
  communication.
 
  Kelly D Griffin, CCDA, CCNA
  Network Engineer
  Kg2 Network Design
  http://kg2.com
  877.418.4025 Toll-Free
  501.418.4026 Fax
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Brad Ellis
  Sent: Friday, August 24, 2001 7:12 PM
  To: [EMAIL PROTECTED]
  Subject: Re: Don't buy from IQSale Was Re: don't buy from C [7:17083]
 
 
  IQSale is now known as Onesource.  FYI
 
  It seems like there are quite a few unhappy customers out there.  We
were
  (stopped using them about 6 mos ago) using them as one of our sources on
  occasion and I can't say we ever had any problems with them.
 
  -Brad Ellis
  CCIE#5796
  [EMAIL PROTECTED]
  used Cisco:  www.optsys.net
 
  Fanglo MA wrote in message news:[EMAIL PROTECTED]...
   Agree! I also had such experience with IQSale.
  
   Fanglo
   Jason wrote in message news:[EMAIL PROTECTED]...
And they probably thought that you didn't know what you are asking
for
  and
that they are doing you a favour by giving you a switch :-P
   
What I would really tell everybody is not to buy from IQSale and
   Grandstore,
these guys are FRAUD !!! CHEATERS.  So guys, remember, don't buy
from
   IQSale
aka Grandstore aka HiTEK they also use different seller names in
  eBay
   FAQ, list archives, and subscription info:
  http://www.groupstudy.com/list/cisco.html
   Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
  
  http://kg2.com
  8Mb Flash for Cisco 2500 series routers for $47
  16Mb DRAM for Cisco 2500 series routers for $24
  Back-to-Back cables starting at $24
  Octal cables for Cisco 2509 and 2511 for $28




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17358t=17083



Re: CCIE Lab Setup [7:17285]

2001-08-27 Thread Marc Russell

I would recommend the routers below as a minimum setup.

(1) 2511
(2) 2503
(2) 2513
(1) 2520
(2) 2501
(1) ISDN simulator
(1) Cat 2901 with CatOS 4.5 code

Some of the routers should have 16 DRAM and 16 Flash

Marc Russell
www.ccbootcamp.com




XYZ wrote in message news:[EMAIL PROTECTED]...
 I would like to setup a CCIE R/S Lab, what routers and switches should I
 have in the Lab?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17355t=17285



Re: TCP/IP question [7:17343]

2001-08-27 Thread Howard C. Berkowitz

It's the entire class! When this was done, people didn't think that the Internet
would grow so much and address space was considered to be enormous, so they
just decided to reserve the entire class for loopback.

Ednilson Rosa


I stand corrected, although I have seen router implementations that 
will only trash 127.0.0.1 specifically.  From RFC 1812:

5.3.7 Martian Address Filtering

An IP source address is invalid if it is a special IP address, as
defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

An IP destination address is invalid if it is among those defined as
illegal destinations in 4.2.3.1, or is a Class E address (except
255.255.255.255).

A router SHOULD NOT forward any packet that has an invalid IP source
address or a source address on network 0.  A router SHOULD NOT
forward, except over a loopback interface, any packet that has a
source address on network 127.  A router MAY have a switch that
allows the network manager to disable these checks.  If such a switch
is provided, it MUST default to performing the checks.

A router SHOULD NOT forward any packet that has an invalid IP
destination address or a destination address on network 0.  A router
SHOULD NOT forward, except over a loopback interface, any packet that
has a destination address on network 127.  A router MAY have a switch
that allows the network manager to disable these checks.  If such a
switch is provided, it MUST default to performing the checks.

If a router discards a packet because of these rules, it SHOULD log
at least the IP source address, the IP destination address, and, if
the problem was with the source address, the physical interface on
which the packet was received and the Link Layer address of the host
or router from which the packet was received.


- Original Message -
From: Howard C. Berkowitz
To:
Sent: Sunday, August 26, 2001 10:01 PM
Subject: Re: TCP/IP question [7:17343]


there was a question regarding 127.0.0.1. I understand that the actual
TCP/IP software actually uses this address for self testing.
when ping localhost {or computer  {netbios} name} the actual ip address of
127.0.0.1 shows up on the screen.

In doing some research one book explains that 127.0.0.1 is not usable but
the rest of the addresses in the 127 network can be used.
I went to my trusty 2500 and tried to plug in 127.12.12.25 and the router
would not allow me to config the interface with that address.

Is the entire 127 network off limits or just 127.0.0.1? Is this a Cisco thing?
Any explanation is appreciated.


See RFC 1812. It's only defined to be the one address, but most
implementations block the 127 network.


Thank You..

Rico Ortiz,
Regional Systems Manager,
Electronic Support Detachment New York
United States Coast Guard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17386t=17343
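The RFC 1812 section 5.3.7 text quoted above is a checklist a router's forwarding path can implement directly, and it is also the rule that answers Rico's question about the 127 network. The Python below is an added example written for this page, not code from the thread, from Cisco or from the RFC: it encodes the martian source and destination rules (network 0, network 127 except over a loopback interface, non-unicast sources, class E destinations other than 255.255.255.255), the optional "switch" that MUST default to performing the checks, and the fields the RFC says a drop SHOULD log. `ForwardingContext` and `martian_check` are names of my own; the link-layer address in the test is a constructed value.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional, Tuple

NETWORK_0 = IPv4Network("0.0.0.0/8")
NETWORK_127 = IPv4Network("127.0.0.0/8")
CLASS_E = IPv4Network("240.0.0.0/4")
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def source_problem(src: IPv4Address) -> Optional[str]:
    """Why a source address is invalid under RFC 1812 5.3.7, or None if it is fine."""
    if src.is_multicast or src == LIMITED_BROADCAST or src in CLASS_E:
        return "source is not a unicast address"
    if src in NETWORK_0:
        return "source on network 0"
    if src in NETWORK_127:
        return "source on network 127"
    return None


def destination_problem(dst: IPv4Address) -> Optional[str]:
    """Why a destination address is invalid under RFC 1812 5.3.7, or None."""
    if dst in NETWORK_0:
        return "destination on network 0"
    if dst in NETWORK_127:
        return "destination on network 127"
    if dst in CLASS_E and dst != LIMITED_BROADCAST:
        return "class E destination"
    return None


@dataclass
class ForwardingContext:
    in_iface: str    # interface the packet arrived on
    link_src: str    # link-layer address it was received from
    out_iface: str   # interface the route lookup selected


def martian_check(src: str, dst: str, ctx: ForwardingContext,
                  checks_enabled: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (forward?, log line or None).

    checks_enabled models the RFC's optional operator switch; its default
    is True because the RFC says the checks MUST be performed by default.
    """
    if not checks_enabled:
        return True, None
    s, d = ip_address(src), ip_address(dst)
    if not isinstance(s, IPv4Address) or not isinstance(d, IPv4Address):
        raise ValueError("these RFC 1812 rules are defined for IPv4 only")
    # Network 127 is tolerated only when the packet is headed for a loopback.
    to_loopback = ctx.out_iface.lower().startswith("loopback")

    problem = source_problem(s)
    if problem == "source on network 127" and to_loopback:
        problem = None
    if problem is not None:
        # A source problem is logged with the receiving interface and
        # link-layer source, as the RFC asks; a destination problem is not.
        return False, (f"martian drop: {problem}; src={s} dst={d} "
                       f"in={ctx.in_iface} link-src={ctx.link_src}")

    problem = destination_problem(d)
    if problem == "destination on network 127" and to_loopback:
        problem = None
    if problem is not None:
        return False, f"martian drop: {problem}; src={s} dst={d}"
    return True, None


if __name__ == "__main__":
    ctx = ForwardingContext("Ethernet0", "00c0.f012.ae56", "Serial0")
    # Rico's 127.12.12.25 as a destination arriving from the LAN
    print(martian_check("192.168.10.50", "127.12.12.25", ctx))
    print(martian_check("127.0.0.1", "192.168.10.50", ctx))
```

The RFC's loopback exception is applied to the outgoing interface name here; a real implementation would key it on the interface type rather than its label, and would apply the same rules before any ACL so that spoofed 127/8 sources never reach the forwarding logic.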



HElP! Xyplex terminal server. [7:17384]

2001-08-27 Thread Ouellette, Tim

Good monday morning all!

I recently purchased a Xyplex 1600 Series terminal server.  The box cost me
$30 without a flash card.  Supposedly I can load it via the network with a
rarp/bootp server. Anyone know a working rarp/bootp server?  I tried to
force down the OS with hyperterm but was unsuccessful and the only output I
see from the xyplex box is requesting network load and I can't seem to
send down the OS to it.  Has anyone here in this group ever worked with such
a device and had it load successfully? 

If anyone has any hints, please let me know. Thanks all!

Tim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17384t=17384



RE: ISDN failover [7:17382]

2001-08-27 Thread Steve Smith

Try http://www.cisco.com/warp/public/125/19.html

-Original Message-
From: bob Perez [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 9:20 AM
To: [EMAIL PROTECTED]
Subject: ISDN failover [7:17382]


Does anyone know which options you can set in the IOS to provide for
failover to an ISDN line?  I have a T-1 setup with Verio and if that
line fails, I would like to go to ISDN for the backup but am unsure how I
would begin to configure this as far as the ISDN commands are concerned.
Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17387t=17382



Re: Pix Route issue [7:17242]

2001-08-27 Thread Allen May

If it's doing NAT and IPSec you need a ruleset to not use NAT for a
destination on the IPSec tunnel.  It looks like that is what's happening.

Allen


- Original Message -
From: pat 
To: 
Sent: Monday, August 27, 2001 1:18 AM
Subject: Re: Pix Route issue [7:17242]


 PIX can't route back on the same interface.

 Hence this does not work. So the workaround will be to let the
 router be the gateway to your subnet and the PIX be the gateway to the
 router. The router can route to the remote subnet across the
 point-to-point link as well as to the PIX.

 Hope this helps.
 --- Bob Nawrocki  wrote:
  We have a Pix firewall that is serving as a default
  gateway to the Internet
  as well as providing ipsec tunnel connectivity to
  several remote offices for
  several hosts on a subnet. On the same subnet we
  have a 2600 providing a
  point to point wan link.  I added a route to the Pix
  on the inside interface
  to point to the 2600 for the wan route.  I am still
  not able to connect to
  that subnet unless i add a specific route on the
  hosts.  When running debug
  logging on the Pix I get the following output:
 
  106011: Deny inbound (No xlate) icmp src
  inside:10.111.1.55 dst
  inside:10.112.3.3 (type 8, code 0)
 
  Any thoughts?
 
  Bob Nawrocki
  CCNP CCDP
 [EMAIL PROTECTED]


 __
 Do You Yahoo!?
 Make international calls for as low as $.04/minute with Yahoo! Messenger
 http://phonecard.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17388t=17242



Re: Does access list work for router originated packets [7:17389]

2001-08-27 Thread Brian

On Mon, 27 Aug 2001, John Hardman wrote:

 Hi

 I can't believe I am challenging Priscilla!

 I just tried what you are talking about, i.e. that the ACL on the router
 does not affect the traffic generated by the router itself.

 I created an extended ACL to block all ICMP traffic and applied it to E0 as
 both IN and OUT. Before applying the ACL I can ping just fine to any host on
 the network and any host on the network can ping the router. After applying
 the ACL I am not able to ping from the router, or to the router.

Right, the packets leaving the router are not blocked, they are sourced
from the router and bypass the ACL.  The reply packets are blocked
however, they are not sourced from the router.

---
I'm buying / selling used CISCO gear!!
email me for a quote

Brian Feeny, CCIE #8036   Netjam, LLC
[EMAIL PROTECTED] http://www.netjam.net
VISA/MC/AMEX/COD  phone: 318-212-0245
30 day warranty   fax:   318-212-0246




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17389t=17389



Re: Great Mortgage Rates [7:17354]

2001-08-27 Thread Paul Borghese

No it is not moderated.  I hate moderated lists as it kills the free-flow of
information.  The list does look for keywords and sends those messages that
match the keyword to the moderator for review.  But most messages go through
without review.

The occasional spam is what we will have to deal with.  Some people have
been writing to the originator asking to have the address
[EMAIL PROTECTED] removed from the list.  Please do not do this.  You are
just validating that the e-mail address that they are using is valid and a
big juicy target.  These people are scum and will honor the request by
sending even more mail.

Paul
- Original Message -
From: Rob Bains 
To: 
Sent: Monday, August 27, 2001 12:05 AM
Subject: Re: Great Mortgage Rates [7:17354]


 Is this list not moderated? How do people get away with this type of
 non-sense??

 Rob

 [EMAIL PROTECTED] wrote:

  fs756d
  Whether a new home loan is what you seek or to refinance
  your current home loan at a lower interest rate, we can help!
 
  Mortgage rates haven't been this low in the last 12 months,
  take action now!
 
  Refinance your home with us and include all of those pesky
  credit card bills or use the extra cash for that pool you've
  always wanted...
 
  Where others say NO, we say YES!!!
  Even if you have been turned down elsewhere, we can help!
 
  Easy terms!  Our mortgage referral service combines the
  highest quality loans with the most economical rates and
  the easiest qualifications!
 
  Take just 2 minutes to complete the following form.
  There is no obligation, all information is kept strictly
  confidential, and you must be at least 18 years of age.
  Service is available within the United States only.
  This service is fast and free.
 
  Free information request form:
  PLEASE VISIT
  http://www.freewebdirect.net/mortgagezone
 
  
  Since you have received this message you have either responded
  to one of our offers in the past or your address has been
  registered with us.  If you wish to be removed please reply to:
  mailto:[EMAIL PROTECTED]@yahoo.com?subject=remove
  
 
  fsda0uio
 
  ***

 [GroupStudy.com removed an attachment of type text/x-vcard which had a
name
 of rbains.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17390t=17354



RE: Looking for CISCO newsgroups [7:17352]

2001-08-27 Thread Chuck Larrieu

with regards to Cisco list pricing, you can always call 1-800-553-NETS and
follow the call tree to pre-sales support.

if you are a customer or a partner, you can use the Cisco pricing tool at

oops - I don't have the link on this PC. sorry.

for used equipment - best I can suggest is check out the auction sites and
see what they are going for.

I've had customers go to auctions, thinking they can pick up equipment on
the cheap, and find otherwise. the economics of it is quite simple. If
something lists for 1000, and customer A usually gets a 35% discount and
customer B usually gets a 20% discount, customer A is unwilling to pay more
than 650 for the item in an auction while customer B is willing to pay as
high as 800. Customer A finds no deals at auctions.

best wishes

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Henry Stock
Sent: Sunday, August 26, 2001 7:13 PM
To: [EMAIL PROTECTED]
Subject: Looking for CISCO newsgroups [7:17352]


Hi.  This is my first post on this news group.  I am working in an
environment where I need to learn as much as possible about CISCO routers
and switches, so I am looking for newsgroups as well as books and classes to
take.

My boss also wants me to evaluate a CISCO enterprise level routable switch
that we have an opportunity to buy.  He wants me  to give him an assessment
of what it is worth.  Do any of you know some good sources to check on this?

Are there other public news groups that you use for CISCO info?

Please reply also to: [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17391t=17352



Re: Subject: Re: TCP/IP question [7:17343]

2001-08-27 Thread Paul Werner

This subject is not as clear as it ought to be.  If you look at 
the subject of loopbacks generically, there are two RFCs that 
come to mind.  The first deals with RFC 1122 Requirements for 
Internet Hosts.  The second deals with RFC 1122 Requirements 
for IPv4 Routers. 

For starters, both RFCs do define the address as:

RFC1122  INTERNET LAYER 
October 1989

(g)  { 127, :any: }

 Internal host loopback address.  Addresses of 
this form MUST NOT appear outside a host.


Baker   Standards Track
[Page 47]

RFC 1812 Requirements for IP Version 4 Routers 
June 1995

(e) { 127, :any: }

 Internal host loopback address.  Addresses of this 
form MUST NOT appear outside a host.

Now the issue becomes how have Internet hosts adopted this 
practice.  When you approach it from a host perspective, the 
answer is as always, it depends.  In the case of Windows 
hosts, they have taken a traditional view of using 127.0.0.1.  
You can see that first by examining the routing table (I hope this 
comes out okay):

E:\>route print

===
Interface List
0x1 ... MS TCP Loopback interface
0x2 ...00 c0 f0 12 ae 56 .. Novell 2000 Adapter.

===

===
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.69       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.69     192.168.1.69       1
     192.168.1.69  255.255.255.255        127.0.0.1        127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.69     192.168.1.69       1
        224.0.0.0        224.0.0.0     192.168.1.69     192.168.1.69       1
  255.255.255.255  255.255.255.255     192.168.1.69     192.168.1.69       1

===

You will note that any packet with an address destination of 
127.x.x.x will be sent to the loopback interface address (which 
is defined as 127.0.0.1).  Interestingly enough, when you ping 
a non-127.0.0.1 IP address on the 127.0.0.0 network, it will 
return the same address:

E:\>ping  127.23.45.61

Pinging 127.23.45.61 with 32 bytes of data:

Reply from 127.23.45.61: bytes=32 time<10ms TTL=128
Reply from 127.23.45.61: bytes=32 time<10ms TTL=128
Reply from 127.23.45.61: bytes=32 time<10ms TTL=128
Reply from 127.23.45.61: bytes=32 time<10ms TTL=128

You may be asking why did vendors seem to settle on 127.0.0.1 
as the magical address?  I don't know.  My best answer to that 
would be to use a Tim Brown expression and say, original sin. 
More important is why the entire 127.0.0.0 network is used for 
loopback and testing.  That is a clear and obvious waste of 
address space.  This gets fixed in IPv6, whereby a single host 
address is used for a loopback.

Another point about host loopbacks is key here.  This traffic 
does not go out on the wire, rather it is kept internal to the 
host.  You cannot even capture it with sniffer software.  The 
best way to see the logic diagram for this and how it works is 
to go to the definitive reference on TCP/IP, namely TCP/IP 
Illustrated, by W. Richard Stevens.  You may want to take a 
peek at Figure 2.4 on page 28.  If you don't have a copy of 
this book, get one.

Next is the issue of Internet gateways (routers).  Here, the 
lines get a little bit muddied.  The reason for this is that 
Cisco seems to have adopted a software loopback interface that 
goes beyond the definition of a generic loopback interface on 
an Internet host.  Software loopbacks on the router are not 
limited to one (as they typically might be on an Internet 
host).  The limits on a router are typically those found for 
IDBs (interface descriptor blocks).  See my previous post in 
the archives for the links on the limits of IDBs per platform.  

The loopback interfaces on the routers tend to take an 
exclusionary view of IP addressing.  What I mean by this is 
that unless a particular IP address or address range is 
prohibited, it can be assigned.  For example, see output below:

werner-gateway(config)#int lo 100
werner-gateway(config-if)#ip add 0.2.2.2 255.0.0.0
Not a valid host address - 0.2.2.2
werner-gateway(config-if)#ip add 127.2.2.2 255.0.0.0
Not a valid host address - 127.2.2.2
werner-gateway(config-if)#ip add 127.0.0.1 255.0.0.0
Not a valid host address - 127.0.0.1
werner-gateway(config-if)#ip add 223.0.0.1 255.0.0.0
werner-gateway(config-if)#ip add 224.0.0.1 255.0.0.0
Not a valid host address - 224.0.0.1
werner-gateway(config-if)#ip add 255.0.0.1 255.0.0.0
Not a valid host address - 255.0.0.1   

Now the final 

who needs router for practise the lab please conta [7:17394]

2001-08-27 Thread xie rootstock

[EMAIL PROTECTED]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17394t=17394



RE: ISDN failover [7:17382]

2001-08-27 Thread YY

int s0
backup bri0 or dialer0

alternatively you may use a floating static route to set the route through
isdn to a higher distance than that of the primary int.

cheers
yy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
bob Perez
Sent: Monday, August 27, 2001 10:20 PM
To: [EMAIL PROTECTED]
Subject: ISDN failover [7:17382]


Does anyone know which options you can set in the IOS to provide for
failover to an ISDN line.  I have a T-1 setup with Verio and if that line
fails, I would like to go to ISDN for the backup but am unsure how I would
begin to configure this as far as the ISDN commands are concerned.  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17395t=17382
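Two posts in this batch come down to the same route-selection logic: Paul Werner's `route print` output, where any 127.x.x.x destination matches the 127.0.0.0/255.0.0.0 entry and is handed to the loopback interface, and YY's floating static route, where the ISDN path carries the same prefix as the T1 path but a worse administrative distance and is only chosen once the primary route disappears. The Python below is an added example written for this page, not code from the thread, from Windows or from Cisco IOS. It implements longest prefix match, then lowest administrative distance among routes whose interface is up; `Rib`, `Route`, `windows_host_table` and `isdn_backup_router` are names of my own, and the ISDN router's next hops are constructed values (YY's `backup interface` alternative is not modelled).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str          # "127.0.0.0/255.0.0.0" or CIDR such as "0.0.0.0/0"
    gateway: str
    interface: str
    distance: int = 1    # administrative distance; an IOS static route defaults to 1


class Rib:
    """Tiny routing table: longest prefix match first, then lowest
    administrative distance, considering only routes whose interface is up."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.link_up: Dict[str, bool] = {}

    def add(self, prefix: str, gateway: str, interface: str, distance: int = 1) -> None:
        self.routes.append(Route(prefix, gateway, interface, distance))
        self.link_up.setdefault(interface, True)

    def set_link(self, interface: str, up: bool) -> None:
        self.link_up[interface] = up

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ip_address(dst)
        best = None
        for r in self.routes:
            if not self.link_up.get(r.interface, True):
                continue   # a static route via a down interface is withdrawn
            net = ip_network(r.prefix, strict=False)
            if addr not in net:
                continue
            rank = (net.prefixlen, -r.distance)   # longer prefix, then lower AD
            if best is None or rank > best[0]:
                best = (rank, r)
        return best[1] if best else None


def windows_host_table() -> Rib:
    """The 'route print' table from Paul Werner's post, entered as given."""
    rib = Rib()
    lo, nic = "MS TCP Loopback interface", "Novell 2000 Adapter"
    rib.add("0.0.0.0/0.0.0.0", "192.168.1.1", nic)
    rib.add("127.0.0.0/255.0.0.0", "127.0.0.1", lo)
    rib.add("192.168.1.0/255.255.255.0", "192.168.1.69", nic)
    rib.add("192.168.1.69/255.255.255.255", "127.0.0.1", lo)
    rib.add("192.168.1.255/255.255.255.255", "192.168.1.69", nic)
    rib.add("224.0.0.0/224.0.0.0", "192.168.1.69", nic)
    rib.add("255.255.255.255/255.255.255.255", "192.168.1.69", nic)
    return rib


def isdn_backup_router() -> Rib:
    """Constructed floating-static setup: the same default route twice, the
    T1 path with the default AD of 1 and the ISDN path with a worse AD."""
    rib = Rib()
    rib.add("0.0.0.0/0", "192.168.50.2", "Serial0", distance=1)    # T1 (constructed hop)
    rib.add("0.0.0.0/0", "10.255.255.1", "BRI0", distance=200)     # ISDN (constructed hop)
    return rib


if __name__ == "__main__":
    w = windows_host_table()
    print("127.23.45.61 ->", w.lookup("127.23.45.61"))   # loopback interface
    r = isdn_backup_router()
    print("T1 up   ->", r.lookup("198.51.100.1").interface)   # Serial0
    r.set_link("Serial0", False)
    print("T1 down ->", r.lookup("198.51.100.1").interface)   # BRI0
```

The model withdraws a static route when its interface goes down, which is what makes a floating static work on IOS; if the primary's line protocol stays up while the circuit is actually dead, the better route never leaves the table and the backup never kicks in, which is why the Cisco page Steve Smith linked pairs this with interface-level backup or tracking.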



Re: PIX design question [7:16801]

2001-08-27 Thread Allen May

Check out Dragon Sensor.  It has a client that sits outside the firewall to
communicate with the internal sensors.  Personally, at the risk of starting
a flame war, I hate the idea of running ANYTHING besides firewall software
on a firewall.  IDS just adds strain and possible added points of failure
when run on the firewall in my opinion.  IDS should just sit by and passively
check packets on a separate box.

Allen

- Original Message -
From: Kent Hundley 
To: 
Sent: Saturday, August 25, 2001 1:19 PM
Subject: RE: PIX design question [7:16801]


 Patrick,

 First, I'm generally not a fan of the interface to interface design for
 firewalls for one simple reason: IDS.  If you wanted to deploy any kind of
 IDS, and I highly recommend that you do, you would not be able to place a
 sensor between the Internet and Intranet firewalls.  Switches are cheap and
 add no amount of latency that will be noticeable.  I wouldn't do it this
 way.

 As to the second question,  it's best to keep servers on protected DMZ's.
I
 would place the servers in question on the Internet firewalls' DMZ for
 consistency and simplicity of design.

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Patrick Donlon
 Sent: Wednesday, August 22, 2001 6:56 AM
 To: [EMAIL PROTECTED]
 Subject: PIX design question [7:16801]


 We are in the middle of migrating to a new network, this includes
replacing
 Checkpoint firewalls with PIX. My question concerns the proposed design of
 the Internet and IntrAnet PIX firewalls and in particular a connection
 between the two firewalls. It has been suggested that we connect the
 IntrAnet firewall's outside interface to one of the Internet firewalls
DMZs.
 I can see that this may reduce latency for traffic passing to the internet
 from our intrAnet but I'd like to hear anyone's thoughts on this one,
 routing or security issues perhaps.

 Another design issue which was raised was the placement of some servers in
 the same outside interface of the intrAnet firewall. These servers would
 require access to one of the intrAnet firewall's DMZ and be accessible
from
 another DMZ on the internet firewall which are in turn are accessible from
 the Internet. This seems a bit of a complicated design and could be a
 security loophole (??). Thoughts and experiences please

 regards Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17396t=16801



RE: CCIE Exam Cram [7:17334]

2001-08-27 Thread Chuck Larrieu

considering the number of blatant errors / typos / whatever, no wonder.
Keeps the failure rate high! ;-

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 26, 2001 11:15 AM
To: [EMAIL PROTECTED]
Subject: CCIE Exam Cram [7:17334]


Cisco added CCIE Exam Cram to the recommended reading list!

http://www.cisco.com/warp/public/625/ccie/certifications/routing.html

Rayappa.


This message is confidential and may also be legally privileged. If you are
not the intended recipient, please notify us immediately. You should not
copy it or use it for any purpose, nor disclose it's contents to any other
person. The views and opinions expressed in this e-mail message are the
author's own and may not reflect the views and opinions of Wilco
International.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17393t=17334



Re: Looking for CISCO newsgroups [7:17352]

2001-08-27 Thread EA Louie

A good place to start is www.cisco.com. Cisco provides good resources
about their own products (routers and switches being two of the product
lines).  For pure product information (specifications, features, etc.) go to
the Product section.

comp.dcom.sys.cisco and alt.certification.cisco are two public newsgroups
that offer Cisco discussions.

There is a wealth of books to read - all you'd need to do is go to Amazon
and search for cisco.

Training and certifications are located on their homepage under
Training/Certifications

In addition, there are a wealth of websites that are training and
certification-based - some of those are www.brainbuzz.com
www.certificationzone.com www.boson.com www.mentorlabs.com  just to name a
few.

This mailing list is also a good source of information.  If you don't
already have a good base in network technology, almost required reading is
the cisco Internetworking Technology Overview at (watch the URL wrap)
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm

good luck in your quest.  -e-
- Original Message -
From: Henry Stock 
To: 
Sent: Sunday, August 26, 2001 7:13 PM
Subject: Looking for CISCO newsgroups [7:17352]


 Hi.  This is my first post on this news group.  I am working in an
 environment where I need to learn as much as possible about CISCO routers
 and switches, so I am looking for newsgroups as well as books and classes
to
 take.

 My boss also wants me to evaluate a CISCO enterprise level routable switch
 that we have an opportunity to buy.  He wants me  to give him an
assessment
 of what it is worth.  Do any of you know some good sources to check on
this?

 Are there other public news groups that you use for CISCO info?

 Please reply also to: [EMAIL PROTECTED]
_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17397t=17352



Re: Pix Route issue [7:17242]

2001-08-27 Thread Allen May

Oh yeah...didn't see this part for my last reply.  You're going to have a
hard time getting it to work this way.  I've never tried using passive RIP
to see if it would learn the path..anyone else tried it?

Since you can't put more than one IP on a PIX interface it would need a
gateway to the other internal network to do the routing for you.  In other
words..the other guys reply was correct.

Allen

- Original Message -
From: Farhan Ahmed 
To: 
Sent: Sunday, August 26, 2001 12:34 AM
Subject: RE: Pix Route issue [7:17242]


 Two networks connect to the inside interface; the inside interface address is
 10.1.1.4

 route inside 10.1.2.0 255.0.0.0 10.1.1.4 1
 route inside 10.1.3.0 255.0.0.0 10.1.1.4 1



 Best Regards

 Have A Good Day!!

 ***
 Farhan Ahmed*
   MCSE+I, MCP Win2k, CCDA, CCNA, CSE
 Network Engineer
 Mideast Data Systems Abudhabi Uae.

 ***



 Privileged/Confidential Information may be contained in this message or
 Attachments hereto.  Please advise immediately if you or your employer do
 not consent to Internet email for messages of this kind.  Opinions,
 Conclusions and other information in this message that do not relate to
the
 Official business of this company shall be understood as neither given nor
 Endorsed by it.


  -Original Message-
  From: Bob Nawrocki [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, August 25, 2001 8:30 PM
  To: [EMAIL PROTECTED]
  Subject: Pix Route issue [7:17242]
 
 
  We have a Pix firewall that is serving as a default gateway
  to the Internet
  as well as providing ipsec tunnel connectivity to several
  remote offices for
  serveral hosts on a subnet. On the same subnet we have a 2600
  providing a
  point to point wan link.  I added a route to the Pix on the
  inside interface
  to point to the 2600 for the wan route.  I am still not able
  to connect to
  that subnet unless i add a specific route on the hosts.  When
  running debug
  logging on the Pix I get the following output:
 
  106011: Deny inbound (No xlate) icmp src inside:10.111.1.55 dst
  inside:10.112.3.3 (type 8, code 0)
 
  Any thoughts?
 
  Bob Nawrocki
  CCNP CCDP

 [GroupStudy.com removed an attachment of type application/octet-stream
which
 had a name of Farhan Ahmed.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17398t=17242



Re: CCIE Lab Setup [7:17399]

2001-08-27 Thread Dan Faulk

One way to save a good sum of money is to have the telco pull you a
2B+D (BRI) ISDN line and use one B channel per router. Does everything except
multilink (and that can be done with a willing partner) and costs a lot less
than a simulator (most I've seen run $1500-2500 compared to about $300 in
telco charges). Might want to do this towards the end to keep costs down and
cancel the service when finished. If anybody knows a different way, it would be
great to hear it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17399t=17399



RE: rommon [7:17244]

2001-08-27 Thread Ruben Arias

Too much BGP in the soup?
Once upon a time I did some verses for my local preferred peer, but now, with
so little time after work and studies, only keepalive and update messages
between us.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17400t=17244



Logging to remote UNIX server [7:17401]

2001-08-27 Thread Charles Dowling

Hey All,

I have been trying to set up my 3660 (IOS 12.1) access router to log
everything to my HP OpenView server (Solaris 8).  It seems simple to set
up on the Cisco side with only a few commands but it doesn't seem to be
working.  The 'show logging' command indicates that it is working and
sending messages to the remote box but it is not receiving anything.
Any thoughts, guidelines, info?

Thanks,
Charles.

These are the configuration items I entered:

logging on
logging buffered 1 debugging
no logging rate-limit
logging trap debugging
logging facility syslog
logging 192.168.x.x

Results of 'show logging':
router#sh logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0
flushes, 0 overruns)
Console logging: level debugging, 1559 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 1560 messages logged
Logging Exception size (0 bytes)
Trap logging: level debugging, 1564 message lines logged
Logging to 192.168.x.x, 33 message lines logged

Log Buffer (1 bytes):

[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of cdowling.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17401t=17401



Re: ISDN failover [7:17382]

2001-08-27 Thread [EMAIL PROTECTED]

Check out

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcdbaks.htm#xtocid162971

Good luck




bob Perez @groupstudy.com on 08/27/2001 04:19:46 PM

Please respond to bob Perez 

Sent by:  [EMAIL PROTECTED]


To:   [EMAIL PROTECTED]
cc:

Subject:  ISDN failover [7:17382]


Does anyone know which options you can set in the IOS to provide for
failover to an ISDN line.  I have a T-1 setup with Verio and if that line
fails, I would like to go to ISDN for the backup but am unsure how I would
begin to configure this as far as the ISDN commands are concerned.  Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17402t=17382



Re: Subject: Re: TCP/IP question [7:17343]

2001-08-27 Thread Howard C. Berkowitz

This subject is not as clear as it ought to be.  If you look at
the subject of loopbacks generically, there are two RFCs that
come to mind.  The first deals with RFC 1122 Requirements for
Internet Hosts.  The second deals with RFC 1122 Requirements
for IPv4 Routers.

Kind of a nit, but 1122 has been superseded by 1812.


For starters, both RFCs do define the address as:

RFC 1122, Requirements for Internet Hosts (October 1989), Internet Layer:

     (g)  { 127, <any> }

          Internal host loopback address.  Addresses of
          this form MUST NOT appear outside a host.

RFC 1812, Requirements for IP Version 4 Routers (June 1995):

     (e)  { 127, <any> }

          Internal host loopback address.  Addresses of this
          form MUST NOT appear outside a host.

Now the issue becomes how have Internet hosts adopted this
practice.  When you approach it from a host perspective, the
answer is as always, it depends.  In the case of Windows
hosts, they have taken a traditional view of using 127.0.0.1.
You can see that first by examining the routing table (I hope this
comes out okay):

E:\>route print

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 c0 f0 12 ae 56 ...... Novell 2000 Adapter.
===========================================================================

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.69       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.69    192.168.1.69       1
     192.168.1.69  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255     192.168.1.69    192.168.1.69       1
        224.0.0.0        224.0.0.0     192.168.1.69    192.168.1.69       1
  255.255.255.255  255.255.255.255     192.168.1.69    192.168.1.69       1
===========================================================================

You will note that any packet with an address destination of
127.x.x.x will be sent to the loopback interface address (which
is defined as 127.0.0.1).  Interestingly enough, when you ping
a non-127.0.0.1 IP address on the 127.0.0.0 network, it will
return the same address:

E:\>ping 127.23.45.61

Pinging 127.23.45.61 with 32 bytes of data:

Reply from 127.23.45.61: bytes=32 time<10ms TTL=128
Reply from 127.23.45.61: bytes=32 time<10ms TTL=128
Reply from 127.23.45.61: bytes=32 time<10ms TTL=128
Reply from 127.23.45.61: bytes=32 time<10ms TTL=128

You may be asking why did vendors seem to settle on 127.0.0.1
as the magical address?  I don't know.  My best answer to that
would be to use a Tim Brown expression and say, original sin.
More important is why the entire 127.0.0.0 network is used for
loopback and testing.  That is a clear and obvious waste of
address space.  This gets fixed in IPv6, whereby a single host
address is used for a loopback.

Another point about host loopbacks is key here.  This traffic
does not go out on the wire, rather it is kept internal to the
host.  You cannot even capture it with sniffer software.  The
best way to see the logic diagram for this and how it works is
to go to the definitive reference on TCP/IP, namely TCP/IP
Illustrated, by W. Richard Stevens.  You may want to take a
peek at Figure 2.4 on page 28.  If you don't have a copy of
this book, get one.

Next is the issue of Internet gateways (routers).  Here, the
lines get a little bit muddied.  The reason for this is that
Cisco seems to have adopted a software loopback interface that
goes beyond the definition of a generic loopback interface on
an Internet host.  Software loopbacks on the router are not
limited to one (as they typically might be on an Internet
host).  The limits on a router are typically those found for
IDBs (interface descriptor blocks).  See my previous post in
the archives for the links on the limits of IDBs per platform. 

The loopback interfaces on the routers tend to take an
exclusionary view of IP addressing.  What I mean by this is
that unless a particular IP address or address range is
prohibited, it can be assigned.  For example, see output below:

werner-gateway(config)#int lo 100
werner-gateway(config-if)#ip add 0.2.2.2 255.0.0.0
Not a valid host address - 0.2.2.2
werner-gateway(config-if)#ip add 127.2.2.2 255.0.0.0
Not a valid host address - 127.2.2.2
werner-gateway(config-if)#ip add 127.0.0.1 255.0.0.0
Not a valid host address - 127.0.0.1
werner-gateway(config-if)#ip add 223.0.0.1 255.0.0.0
werner-gateway(config-if)#ip add 224.0.0.1 255.0.0.0
Not a valid host address - 224.0.0.1
werner-gateway(config-if)#ip add 255.0.0.1 255.0.0.0
Not a valid host address - 255.0.0.1  
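The rule behind the "Not a valid host address" rejections in the transcript above, as an added Python example (editorial code, not from this post and not Cisco's implementation). It applies the reserved blocks the two RFCs quoted above set aside, 0/8 ("this" network), 127/8 (loopback, which must never appear outside a host), 224/4 (multicast) and 240/4 (reserved), and then the subnet's own network and broadcast addresses. The function name, the reason strings and the `/31` special case are the example's own; the six attempts replayed at the bottom are the ones in the transcript.

```python
"""Which addresses may be configured on an interface (added example, not from the post).

Mirrors the check IOS performs on 'ip address A.B.C.D MASK': reject the blocks
RFC 1122 / RFC 1812 reserve, then the subnet's network and broadcast addresses.
"""
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Blocks that are never a valid host address on an interface, with the reason to report.
_REJECT = [
    (ip_network("0.0.0.0/8"), "0/8 means 'this network'"),
    (ip_network("127.0.0.0/8"), "127/8 is the internal host loopback and must not appear on the wire"),
    (ip_network("224.0.0.0/4"), "224/4 is multicast"),
    (ip_network("240.0.0.0/4"), "240/4 is reserved"),
]


def valid_host_address(addr: str, mask: str) -> Tuple[bool, str]:
    """Return (True, 'ok') or (False, reason) for an address/mask pair."""
    ip = ip_address(addr)
    for block, reason in _REJECT:
        if ip in block:
            return False, reason
    net = ip_network(f"{addr}/{mask}", strict=False)
    # A /31 or /32 has no separate network or broadcast address (RFC 3021), so skip that test.
    if net.prefixlen < 31:
        if ip == net.network_address:
            return False, f"{addr} is the network address of {net}"
        if ip == net.broadcast_address:
            return False, f"{addr} is the broadcast address of {net}"
    return True, "ok"


def replay(attempts: List[Tuple[str, str]]) -> List[bool]:
    """Accept/reject verdicts for a list of (address, mask) pairs, in order."""
    return [valid_host_address(a, m)[0] for a, m in attempts]


# The six 'ip address' attempts from the werner-gateway transcript above.
TRANSCRIPT = [
    ("0.2.2.2", "255.0.0.0"),
    ("127.2.2.2", "255.0.0.0"),
    ("127.0.0.1", "255.0.0.0"),
    ("223.0.0.1", "255.0.0.0"),
    ("224.0.0.1", "255.0.0.0"),
    ("255.0.0.1", "255.0.0.0"),
]

if __name__ == "__main__":
    for addr, mask in TRANSCRIPT:
        ok, why = valid_host_address(addr, mask)
        print(f"ip add {addr} {mask}: {'accepted' if ok else 'Not a valid host address - ' + why}")
    # On a host the whole of 127/8 is loopback, which is why 'ping 127.23.45.61' answers.
    print(ip_address("127.23.45.61").is_loopback)
```

Only 223.0.0.1 survives, matching the transcript; the same function also rejects a subnet's network and broadcast address, which the transcript did not try.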


This Is A Special Invitation Just For You! [7:17404]

2001-08-27 Thread ComputerAuction





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17404t=17404



2501 boot rom replacement [7:17405]

2001-08-27 Thread Rik Thomas

I replaced the boot roms in a 2501, they are in the correct slots, even
tried two different sets.  I can not get a console window.  All the
directions say don't pay attention to the jumpers.  Any other tricks that
I might be missing?  Thanks..

-- 
Rik Thomas
[EMAIL PROTECTED] http://SmartBackups.com
Is your Website Smart? Automated Website backups.  Free 30Day trial!
Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17405t=17405



RE: Does access list work for router originated packets [7:17406]

2001-08-27 Thread Chuck Larrieu

technically, the access-list applies only to packets that have passed
through the routing process.

this all gets down to understanding the difference between the routing /
forwarding process versus the router architecture process and how packets
get from here to there.

let's hope I word this correctly, because it is a bit complex, and subject
to misunderstanding.

1) case for inbound - a router receives a packet on an interface, checks the
headers against any inbound access-list on that interface, accepts or denies
the packet based on that list, then places the packet into the forwarding
process

2) case for outbound - forwarding process determines the outbound interface,
checks for the existence of an access-list outbound on that interface,
processes the packet headers against that list, and if it passes, places the
packet into the interface buffer for forwarding.

3) locally originated packet ( router doing something, for example ping, or
routing protocol update ) router creates the packet, places it directly into
the interface buffer for processing.

local ping has a function which allows one to create a packet, and send that
packet through the forwarding processes, which in turn forces that packet to
follow one of the rules above.

confused? hope this helped a little.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brian
Sent: Monday, August 27, 2001 7:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Does access list work for router originated packets
[7:17389]


On Mon, 27 Aug 2001, John Hardman wrote:

 Hi

 I can't believe I am challenging Priscilla!

 I just tried what you are talking about, i.e. that the ACL on the router
 does not effect the traffic generated by the router it's self.

 I created an extended ACL to block all ICMP traffic and applied it to E0
as
 both IN and OUT. Before appling the ACL I can ping just fine to any host
on
 the network and any host on the network can ping the router. After Appling
 the ACL I am not able to ping from the router, or to the router.

Right, the packets leaving the router are not blocked, they are sourced
from the router and bypass the ACL.  The reply packets are blocked
however, they are not sourced from the router.

---
I'm buying / selling used CISCO gear!!
email me for a quote

Brian Feeny, CCIE #8036   Netjam, LLC
[EMAIL PROTECTED] http://www.netjam.net
VISA/MC/AMEX/COD  phone: 318-212-0245
30 day warranty   fax:   318-212-0246




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17406t=17406
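Chuck's three cases as an added Python model (editorial example, not code from this thread and not an IOS API). `Packet`, `Ace`, `Interface` and the helper `lab_e0` are the model's own names; the addresses and `ACL_100` are taken from John Hardman's lab earlier in the thread. Run it and the first two pings fail exactly as in his transcript, while the third run shows what the transcript could not: with only the outbound ACL left in place, the router's own ICMP goes out untouched.

```python
"""Where IOS interface ACLs sit on the packet path (added example, not from the thread).

Three cases from the post above:
  1. received packet        -> inbound ACL on the ingress interface -> forwarding
  2. forwarded packet       -> outbound ACL on the egress interface -> wire
  3. router-originated packet -> straight to the egress interface, no ACL consulted
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp", "udp", ...


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any", a host address or a CIDR prefix
    dst: str


@dataclass
class Interface:
    name: str
    address: str
    acl_in: Optional[List[Ace]] = None
    acl_out: Optional[List[Ace]] = None


Verdict = Tuple[bool, str]          # (delivered?, where that was decided)


def _matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """IOS semantics: first matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", pkt.proto) and _matches(ace.src, pkt.src) and _matches(ace.dst, pkt.dst):
            return ace.action == "permit"
    return False


def receive(ingress: Interface, pkt: Packet) -> Verdict:
    """Case 1: a packet arriving on an interface is checked against that interface's inbound ACL."""
    if ingress.acl_in is not None and not acl_permits(ingress.acl_in, pkt):
        return False, f"denied by {ingress.name} inbound ACL"
    return True, f"accepted on {ingress.name}"


def forward(egress: Interface, pkt: Packet) -> Verdict:
    """Case 2: a packet leaving via the forwarding process is checked against the egress outbound ACL."""
    if egress.acl_out is not None and not acl_permits(egress.acl_out, pkt):
        return False, f"denied by {egress.name} outbound ACL"
    return True, f"forwarded out {egress.name}"


def originate(egress: Interface, pkt: Packet) -> Verdict:
    """Case 3: router-sourced traffic goes straight to the interface; acl_out is never consulted."""
    return True, f"sent out {egress.name} (router-originated, outbound ACL bypassed)"


def transit(ingress: Interface, egress: Interface, pkt: Packet) -> Verdict:
    ok, why = receive(ingress, pkt)
    return forward(egress, pkt) if ok else (ok, why)


def router_ping(e0: Interface, host: str) -> Verdict:
    """The echo request leaves unfiltered; the echo reply is a received packet and meets acl_in."""
    originate(e0, Packet(e0.address, host, "icmp"))
    return receive(e0, Packet(host, e0.address, "icmp"))


def host_ping(e0: Interface, host: str) -> Verdict:
    """The host's echo request is a received packet; the router's echo reply is router-originated."""
    ok, why = receive(e0, Packet(host, e0.address, "icmp"))
    return originate(e0, Packet(e0.address, host, "icmp")) if ok else (ok, why)


# access-list 100 deny icmp any any / permit ip any any, as applied to E0 in the test above
ACL_100 = [Ace("deny", "icmp", "any", "any"), Ace("permit", "ip", "any", "any")]


def lab_e0() -> Interface:
    """Hypothetical helper: C2501-R2's Ethernet0 with ACL 100 applied in both directions."""
    return Interface("Ethernet0", "192.168.10.20", acl_in=ACL_100, acl_out=ACL_100)


if __name__ == "__main__":
    e0 = lab_e0()
    print(router_ping(e0, "192.168.10.50"))   # fails: the reply is dropped inbound
    print(host_ping(e0, "192.168.10.50"))     # fails: the request is dropped inbound
    e0.acl_in = None                          # leave only the outbound "deny icmp" in place
    print(router_ping(e0, "192.168.10.50"))   # succeeds: the router's own ICMP bypasses acl_out
```

The practical consequence is that `ip access-group ... out` is not a control on anything the router itself sources (pings, routing updates, syslog, SNMP traps, TFTP); if that traffic has to be restricted, restrict it where it is received or on the far end. The "Reply from 192.168.10.20" that the Windows box saw with the ACL in place is the ICMP unreachable (administratively prohibited) that IOS sends by default when an ACL denies a packet; `no ip unreachables` on the interface suppresses it if you would rather not announce the filter.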



RE: Pix Route issue [7:17242]

2001-08-27 Thread Patrick Ramsey

Only one route is allowed?  I hope you are not referring to the pix or a
2600 as those are the only pieces of hardware in the scenario...Because
both allow for multiple routes.

-Patrick

 Farhan Ahmed  08/26/01 01:26AM 
only one route is allowed..

Best Regards

Have A Good Day!!

***
Farhan Ahmed*
  MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.

***



Privileged/Confidential Information may be contained in this message or
Attachments hereto.  Please advise immediately if you or your employer do
not consent to Internet email for messages of this kind.  Opinions,
Conclusions and other information in this message that do not relate to the
Official business of this company shall be understood as neither given nor
Endorsed by it.


 -Original Message-
 From: Bob Nawrocki [mailto:[EMAIL PROTECTED]] 
 Sent: Saturday, August 25, 2001 8:30 PM
 To: [EMAIL PROTECTED] 
 Subject: Pix Route issue [7:17242]
 
 
 We have a Pix firewall that is serving as a default gateway 
 to the Internet
 as well as providing ipsec tunnel connectivity to several 
 remote offices for
 serveral hosts on a subnet. On the same subnet we have a 2600 
 providing a
 point to point wan link.  I added a route to the Pix on the 
 inside interface
 to point to the 2600 for the wan route.  I am still not able 
 to connect to
 that subnet unless i add a specific route on the hosts.  When 
 running debug
 logging on the Pix I get the following output:
 
 106011: Deny inbound (No xlate) icmp src inside:10.111.1.55 dst
 inside:10.112.3.3 (type 8, code 0)
 
 Any thoughts?
 
 Bob Nawrocki
 CCNP CCDP

[GroupStudy.com removed an attachment of type application/octet-stream which
had a name of Farhan Ahmed.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17407t=17242
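Two checks for the situation in this thread, as an added Python example (editorial code, not from the thread and not Cisco's). `check_route` applies plain addressing rules to a `route <if> <dest> <mask> <next hop>` line and flags what is wrong with the `route inside 10.1.2.0 255.0.0.0 10.1.1.4 1` lines quoted above: under that mask the destination is 10.0.0.0/8 rather than 10.1.2.0, and the next hop is the PIX's own inside address. `forward_decision` does a longest-prefix lookup and reports when a packet that arrived on the inside interface would have to leave by the inside interface again, which is Allen's point and is consistent with the `106011: Deny inbound (No xlate)` line in Bob's original question. The inside interface prefix `10.1.1.4/24`, the entries in `SAMPLE_ROUTES` and the 10.111.1.254 / 203.0.113.1 next hops are assumptions made for the example.

```python
"""Static-route sanity checks for a PIX-style 'route <if> <dest> <mask> <next hop>' line.

Added example, not from this thread or from Cisco. Addressing checks only: it
cannot see the firewall's xlate/NAT state, just the routing consequences.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, IPv4Network, IPv4Address]       # (interface name, destination, next hop)


def parse_route(line: str) -> Route:
    """'route inside 10.112.3.0 255.255.255.0 10.111.1.254 1' -> ('inside', 10.112.3.0/24, 10.111.1.254)."""
    _, iface, dest, mask, hop, *_ = line.split()
    return iface, ip_network(f"{dest}/{mask}", strict=False), ip_address(hop)


def check_route(iface_addr: str, dest: str, mask: str, next_hop: str) -> List[str]:
    """Problems with one route, given the address/prefix of the interface it is bound to."""
    iface = ip_interface(iface_addr)
    hop = ip_address(next_hop)
    net = ip_network(f"{dest}/{mask}", strict=False)
    problems: List[str] = []
    if ip_address(dest) != net.network_address:
        problems.append(f"{dest} is not a network address under {mask}; that mask covers {net}")
    if hop == iface.ip:
        problems.append(f"next hop {next_hop} is the firewall's own interface address")
    elif hop not in iface.network:
        problems.append(f"next hop {next_hop} is not on the {iface.network} segment")
    if hop in net:
        problems.append(f"next hop {next_hop} lies inside {net}; the route points at itself")
    return problems


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the firewall's routing table would do it."""
    candidates = [r for r in routes if ip_address(dst) in r[1]]
    return max(candidates, key=lambda r: r[1].prefixlen, default=None)


def forward_decision(routes: List[Route], ingress: str, dst: str) -> str:
    """Where a packet that arrived on `ingress` would go, flagging the same-interface case."""
    route = lookup(routes, dst)
    if route is None:
        return "no route"
    out_iface, _, hop = route
    if out_iface == ingress:
        # The PIX would have to send the packet back out the interface it came in on.
        return f"hairpin: arrived on {ingress}, route says back out {ingress} via {hop}"
    return f"forward via {out_iface} next hop {hop}"


# Constructed table modelled on the original question; the next-hop and outside addresses are invented.
SAMPLE_ROUTES = [
    "route outside 0.0.0.0 0.0.0.0 203.0.113.1 1",
    "route inside 10.112.3.0 255.255.255.0 10.111.1.254 1",   # the 2600 on the inside segment
]

if __name__ == "__main__":
    for problem in check_route("10.1.1.4/24", "10.1.2.0", "255.0.0.0", "10.1.1.4"):
        print("problem:", problem)
    routes = [parse_route(line) for line in SAMPLE_ROUTES]
    print(forward_decision(routes, "inside", "10.112.3.3"))     # hairpin: a host route or a router is needed
    print(forward_decision(routes, "inside", "198.51.100.7"))   # forward via outside
```

The hairpin case is why the route on the PIX does not help the inside hosts: they hand the packet to the PIX as default gateway, and the PIX would have to turn it around on the same interface. Pointing the hosts (or a router on the segment) at the 2600 keeps that traffic off the firewall, as the other replies suggested.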



Re: Logging to remote UNIX server [7:17401]

2001-08-27 Thread John Neiberger

There is a bug in some releases of 12.1 that will cause this.  The
workaround is to set the source interface explicitly, using the logging
source-interface command.

HTH,
John

 Charles Dowling  8/27/01 9:56:09 AM 
Hey All,

I have been trying to set up my 3660 (IOS 12.1) access router to log
everything to my HP OpenView server (Solaris 8).  It seems simple to
set
up on the Cisco side with only a few commands but it doesn't seem to
be
working.  The 'show logging' command indicates that it is working and
sending messages to the remote box but it is not receiving anything.
Any thoughts, guidelines, info?

Thanks,
Charles.

These are the configuration items I entered:

logging on
logging buffered 1 debugging
no logging rate-limit
logging trap debugging
logging facility syslog
logging 192.168.x.x

Results of 'show logging':
router#sh logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0
flushes, 0 overruns)
Console logging: level debugging, 1559 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 1560 messages logged
Logging Exception size (0 bytes)
Trap logging: level debugging, 1564 message lines logged
Logging to 192.168.x.x, 33 message lines logged

Log Buffer (1 bytes):

[GroupStudy.com removed an attachment of type text/x-vcard which had a
name
of cdowling.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17408t=17401



Re: 2501 boot rom replacement [7:17405]

2001-08-27 Thread John Neiberger

How positive are you that they are in the correct slots?  I know since
these are in order from left to right it would be hard to mess up, but
not impossible.  On other 2500 models they are more confusing, but not
on the 2501.  As long as from left to right you have FW1 and then FW2
you should be just fine.

Are they inserted all the way, flush into their mounts?  I've had
situations where they weren't quite seated correctly and this caused
some problems.   I really don't know what else could be causing this
except perhaps you fried your router with static electricity.  ;-) 
Let's hope that's not the case.

Good luck, and I'm sorry I couldn't be of more help...

John

 Rik Thomas  8/27/01 10:08:00 AM 
I replaced the boot roms in a 2501, they are in the correct slots,
even
tried two different sets.  I can not get a console window.  All the
directions say don't pay attention to the jumpers.  Any other tricks
that
I might be missing?  Thanks..

-- 
Rik Thomas
[EMAIL PROTECTED] http://SmartBackups.com 
Is your Website Smart? Automated Website backups.  Free 30Day trial!
Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17409t=17405



Re: 2501 boot rom replacement [7:17405]

2001-08-27 Thread Rik Thomas

On Mon, 27 Aug 2001, John Neiberger wrote:

 How positive are you that they are in the correct slots?  I know since
 these are in order from left to right it would be hard to mess up, but
 not impossible.  On other 2500 models they are more confusing, but not
 on the 2501.  As long as from left to right you have FW1 and then FW2
 you should be just fine.

I checked it more than twice.  Even had the book out just to make sure,  I
tried two other chips that I had received today as well.


 Are they inserted all the way, flush into their mounts?  I've had
 situations where they weren't quite seated correctly and this caused
 some problems.   I really don't know what else could be causing this
 except perhaps you fried your router with static electricity.  ;-)
 Let's hope that's not the case.


I don't think I fried the router, the old chips still work just fine, they
are just too old to recognize the IOS I want to use.  I know it should
be very easy, that is what is bothering me.  I doubt they could have sent
me two sets of bad roms.  I am going to try the new ones in some other
routers I have to make sure.  This is a pretty old router, but it should
still work.

 Good luck, and I'm sorry I couldn't be of more help...

Thanks for the reply, I appreciate it.

 John

-- 
Rik Thomas
[EMAIL PROTECTED] http://SmartBackups.com
Is your Website Smart? Automated Website backups.  Free 30Day trial!
Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17410t=17405



Re: Logging to remote UNIX server [7:17401]

2001-08-27 Thread Brian

I am sure its sending the syslog to the server.  Can you run a sniffer
or tcpdump on the server to see that there is stuff coming in?  Do you
have the syslog on the solaris box configured to accept remote
connections? (By default syslog does NOT receive remote connections, you
must read the man page and enable syslog to allow remote connections).

Brian


On Mon, 27 Aug 2001, Charles Dowling wrote:

 Hey All,

 I have been trying to set up my 3660 (IOS 12.1) access router to log
 everything to my HP OpenView server (Solaris 8).  It seems simple to set
 up on the Cisco side with only a few commands but it doesn't seem to be
 working.  The 'show logging' command indicates that it is working and
 sending messages to the remote box but it is not receiving anything.
 Any thoughts, guidelines, info?

 Thanks,
 Charles.

 These are the configuration items I entered:

 logging on
 logging buffered 1 debugging
 no logging rate-limit
 logging trap debugging
 logging facility syslog
 logging 192.168.x.x

 Results of 'show logging':
 router#sh logging
 Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0
 flushes, 0 overruns)
 Console logging: level debugging, 1559 messages logged
 Monitor logging: level debugging, 0 messages logged
 Buffer logging: level debugging, 1560 messages logged
 Logging Exception size (0 bytes)
 Trap logging: level debugging, 1564 message lines logged
 Logging to 192.168.x.x, 33 message lines logged

 Log Buffer (1 bytes):

 [GroupStudy.com removed an attachment of type text/x-vcard which had a name
 of cdowling.vcf]

I'm buying / selling used CISCO gear!!
email me for a quote

Brian Feeny, CCIE #8036   Netjam, LLC
[EMAIL PROTECTED] http://www.netjam.net
VISA/MC/AMEX/COD  phone: 318-212-0245
30 day warranty   fax:   318-212-0246




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17411t=17401
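Brian's "see what is actually coming in", as an added Python example (editorial code, not from the thread, not Cisco's and not HP's): a parser for the IOS syslog line format and a UDP/514 receiver that accepts datagrams only from the router. The sample datagrams are constructed, not captured from Charles's 3660; `parse_ios`, `summarize` and `listen` are the example's own names. With `logging facility syslog` in the configuration above, every message from that router should decode to facility `syslog` (PRI = 5*8 + severity); the IOS default is `local7`, and a syslog.conf selector written for local7 files nothing from a router sending as `syslog`. Likewise a stock Solaris syslog.conf files only `*.err` and above from facilities it does not name, so `logging trap debugging` messages at notice/info need their own selector (for example `syslog.debug /var/adm/router.log`) before anything appears on disk.

```python
"""Parse and sanity-check IOS syslog datagrams (added example, not from the thread).

Feed it what arrives on UDP/514 (or a capture) to confirm the router's messages
reach the box with the facility and severity you configured, before blaming
the syslogd configuration.
"""
import re
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}

# IOS line format: <PRI>[seq: ][timestamp: ]%FACILITY-SEVERITY-MNEMONIC: text
IOS_MSG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[^%]*?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


@dataclass(frozen=True)
class IosMessage:
    facility: str          # from the PRI value, e.g. "syslog" or "local7"
    severity: str          # from the PRI value, e.g. "notice"
    seq: Optional[int]     # present when 'service sequence-numbers' is on
    timestamp: Optional[str]
    mnemonic: str          # e.g. "SYS-5-CONFIG_I"
    text: str
    consistent: bool       # PRI severity equals the digit inside %FAC-N-MNEMONIC


def parse_ios(datagram: bytes) -> Optional[IosMessage]:
    """Decode one datagram; None if it is not an IOS-style syslog message."""
    m = IOS_MSG.match(datagram.decode("ascii", errors="replace").rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    facility, severity = pri >> 3, pri & 7
    return IosMessage(
        facility=FACILITIES.get(facility, f"facility{facility}"),
        severity=SEVERITIES[severity],
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        mnemonic=f"{m['fac']}-{m['sev']}-{m['mnemonic']}",
        text=m["text"],
        consistent=(severity == int(m["sev"])),
    )


def summarize(datagrams: Iterable[bytes], expect_facility: str) -> Dict[str, int]:
    """Count a batch against the facility the router was configured to send."""
    stats = {"total": 0, "ios": 0, "wrong_facility": 0, "inconsistent": 0}
    for d in datagrams:
        stats["total"] += 1
        msg = parse_ios(d)
        if msg is None:
            continue
        stats["ios"] += 1
        if msg.facility != expect_facility:
            stats["wrong_facility"] += 1
        if not msg.consistent:
            stats["inconsistent"] += 1
    return stats


def listen(allowed_sources, bind="0.0.0.0", port=514):
    """Minimal UDP/514 receiver. Syslog over UDP is unauthenticated, so drop unexpected senders."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))            # port 514 needs root or CAP_NET_BIND_SERVICE
    while True:
        data, (src, _) = sock.recvfrom(8192)
        if src not in allowed_sources:
            continue                   # anyone can spoof a datagram; only trust the router's address
        print(src, parse_ios(data) or data)


# Constructed sample datagrams (not captured from the poster's router).
SAMPLE = [
    b"<45>12: *Aug 27 09:56:09.123: %SYS-5-CONFIG_I: Configured from console by console",
    b"<189>%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up",
    b"<46>13: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.168.10.50 -> 192.168.10.20 (8/0), 1 packet",
    b"<44>%SYS-5-CONFIG_I: Configured from console by vty0",   # PRI rewritten by a relay: inconsistent
    b"not a syslog message",
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(parse_ios(d))
    print(summarize(SAMPLE, expect_facility="syslog"))
```

The second sample carries PRI 189, the local7/notice a router sends with the default facility; if the summary shows `wrong_facility` counting up, the router and the syslog.conf selector disagree, and if `inconsistent` is non-zero something between the router and the server has rewritten the PRI. The `listen` loop is there to be run as root on the server for a minute with `allowed_sources={"<router address>"}`; the host firewall should enforce the same source restriction.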



RE: 2501 boot rom replacement [7:17405]

2001-08-27 Thread Ole Drews Jensen

This might be a stupid question, but are you sure you have the right
bootroms for your 2501?

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Rik Thomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 11:38 AM
To: [EMAIL PROTECTED]
Subject: Re: 2501 boot rom replacement [7:17405]


On Mon, 27 Aug 2001, John Neiberger wrote:

 How positive are you that they are in the correct slots?  I know since
 these are in order from left to right it would be hard to mess up, but
 not impossible.  On other 2500 models they are more confusing, but not
 on the 2501.  As long as from left to right you have FW1 and then FW2
 you should be just fine.

I checked it more than twice.  Even had the book out just to make sure,  I
tried two other chips that I had received today as well.


 Are they inserted all the way, flush into their mounts?  I've had
 situations where they weren't quite seated correctly and this caused
 some problems.   I really don't know what else could be causing this
 except perhaps you fried your router with static electricity.  ;-)
 Let's hope that's not the case.


I don't think I fried the router, the old chips still work just fine, they
are just too old to recognize the IOS I want to use.  I know it should
be very easy, that is what is bothering me.  I doubt they could have sent
me two sets of bad roms.  I am going to try the new ones in some other
routers I have to make sure.  This is a pretty old router, but it should
still work.

 Good luck, and I'm sorry I couldn't be of more help...

Thanks for the reply, I appreciate it.

 John

-- 
Rik Thomas
[EMAIL PROTECTED] http://SmartBackups.com
Is your Website Smart? Automated Website backups.  Free 30Day trial!
Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17412t=17405



Re: Does access list work for router originated packets [7:17413]

2001-08-27 Thread Priscilla Oppenheimer

Well, I said I couldn't remember under exactly what situations it happens!?

And, I understand Brad's comment now. He thought I was saying "of course
not" to his comment. I would never say that to a CCIE. ;-) I was saying "of
course not" to his question "are you saying".

Sorry, I'm in such a rush.

Priscilla

At 12:16 AM 8/27/01, John Hardman wrote:
Hi

I can't believe I am challenging Priscilla!

I just tried what you are talking about, i.e. that the ACL on the router
does not effect the traffic generated by the router it's self.

I created an extended ACL to block all ICMP traffic and applied it to E0 as
both IN and OUT. Before appling the ACL I can ping just fine to any host on
the network and any host on the network can ping the router. After Appling
the ACL I am not able to ping from the router, or to the router.

I am running 11.1 IOS, maybe it would yield different results with a
different IOS version. What IOS and platform did you see this behavior?

Here's my config.

Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
RedHat PC 192.168.10.2

-Router config--
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname C2501-R2
!
enable secret 5 XXX
enable password none
!
ip subnet-zero
!
interface Ethernet0
  ip address 192.168.10.20 255.255.255.0
  ip access-group 100 in
  ip access-group 100 out
  no ip mroute-cache
  no ip route-cache
!
interface Serial0
  ip address 192.168.50.1 255.255.255.252
  no ip mroute-cache
  encapsulation ppp
  no ip route-cache
!
interface Serial1
  no ip address
  no ip mroute-cache
  no ip route-cache
  shutdown
!
ip classless
logging buffered
access-list 100 deny   icmp any any
access-list 100 permit ip any any
!
line con 0
  exec-timeout 0 0
line aux 0
  transport input all
line vty 0 4
  exec-timeout 0 0
  password 
  login
!
end

---Router Config--

---Ping results-

C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
C2501-R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C2501-R2(config)#int e0
C2501-R2(config-if)#no ip access-group 100 in
C2501-R2(config-if)#no ip access-group 100 out
C2501-R2(config-if)#^Z
C2501-R2#
%SYS-5-CONFIG_I: Configured from console by console
C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
C2501-R2#

Windoze Ping with ACL 
C:\>ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.

Ping statistics for 192.168.10.20:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum =  0ms, Average =  0ms

Windoze Ping without ACL 

C:\>ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: bytes=32 time wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  I know it's not what you said. What you said was obvious. I guess it
comes
  about because I said to test with end devices. Router A is acting like an
  end device in your example. I should have been more clear.
 
  What is not obvious is that ACLs on Router B do not apply to pings to and
  from Router B. Every newbie has probably been bitten by that one,
  especially in simple labs.
 
  Priscilla
 
  At 09:42 PM 8/26/01, Brad Ellis wrote:
  Priscilla, that's not what I said.  Here's what I said:
  
  ...pings sent by one router will not be filtered by another router?  
  
  Hence my diagram for further explanation:
  
  Router A -=- Router B -=- Device A
  (-=- can be ethernet x-over, serial back-to-back, etc)
  
  An ACL is applied on Router B's interface (applied inbound) that is
  connected to Router A.  What I originally said, and continue to say, is
that
  Router B will most certainly block packets (pings or whatever) coming
from
  Router A...and it is irrelevant if Router A is a router or a host
device.
  The ACL on Router B doesnt care if the device sending packets is a
router
or
  an end host device!
  
  If Router B was initiating the ping and Router B had the ACL applied,
that
  would be a different story.
  
  ttyl,
  -Brad Ellis
  CCIE#5796
  [EMAIL PROTECTED]
  used Cisco: www.optsys.net
  
  Priscilla Oppenheimer  wrote in message
  news:[EMAIL PROTECTED]...
At 08:06 PM 8/26/01, Brad Ellis wrote:
Priscilla,

Are you saying that pings sent by one router will not be filtered by
  another
router?  I beg to differ.
   
Of course not. Pings sent by the router where the ACL 

2501 Acces Pro [7:17414]

2001-08-27 Thread Jim Newton

Has anyone had any experience with these? I just was given two of them for
free and want to upgrade them to new code. When I try to upgrade them, I get
a message that says wrong software for this platform. I'm not sure if it is
because the boot rom is too old, or if it is something else. If I put in new
2500 boot rom and upgrade the memory, will these run the new code?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17414t=17414
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread sam sneed

You should understand which applications use which ports and why they use
them if you are a  network administrator and to implement any type of
filtering. You should check out which network applications you use (SMTP,
DNS,.. etc ) and look them all up in the rfc to see how they work. Making
the access-lists will be a snap after that.

http://www.rfc-editor.org/rfc.html


shella kevin  wrote in message
news:[EMAIL PROTECTED]...
 when dealing with access-list we use both TCP & UDP. For example we use
 tcp 53 or udp 53 for domain.

 My Q is when & how we know when we should use UDP and when TCP.
 What is the difference?



 Thanks

 Shella K.



 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17415t=17374



Re: Does access list work for router originated packets [7:17416]

2001-08-27 Thread Priscilla Oppenheimer

At 08:38 AM 8/27/01, Ednilson Rosa wrote:
Yes, that's right! I have a configuration where I set up an ACL to
completely filter telnet FROM and TO a certain network connected to it. I
applied the ACL both inbound and outbound on an Ethernet interface. Done
this, no one could telnet my router or any host on that Ethernet segment
passing through my router. But I WAS ABLE to telnet any host on that segment
as long as I originated the telnet from the router itself!

Ah hah! ;-) This is the type of anomaly that I'm talking about. I know I 
need to test it, but I don't have time right now

It sounds like the bottom line is that output traffic from the router 
itself does not actually go through the ACL. Pings may still fail, however, 
if the Ping reply does go through an ACL that blocks it.

Telnet from the router does not go through the ACL either. The replies may 
get through, depending on the ACL, as Ednilson describes below. In the 
classroom, our students get confused by this. They set up an ACL and test 
from the router where the ACL is configured and the ACL doesn't block 
traffic as expected.

If I'm still off base, just let me know. I don't mind at all! ;-)

Priscilla

 From which you
may conclude that an ACL doesn't affect packets originated on the router on
which it is applied...

Regards,

Ednilson Rosa

- Original Message -
From: John Hardman
To:
Sent: Monday, August 27, 2001 1:16 AM
Subject: Re: Does access list work for router originated packets [7:17357]


Hi

I can't believe I am challenging Priscilla!

I just tried what you are talking about, i.e. that the ACL on the router
does not affect the traffic generated by the router itself.

I created an extended ACL to block all ICMP traffic and applied it to E0 as
both IN and OUT. Before applying the ACL I can ping just fine to any host on
the network and any host on the network can ping the router. After applying
the ACL I am not able to ping from the router, or to the router.

I am running 11.1 IOS, maybe it would yield different results with a
different IOS version. What IOS and platform did you see this behavior?

Here's my config.

Windoze PC 192.168.10.50 --- E0 Router2 192.168.10.20
RedHat PC 192.168.10.2

-Router config--
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname C2501-R2
!
enable secret 5 XXX
enable password none
!
ip subnet-zero
!
interface Ethernet0
  ip address 192.168.10.20 255.255.255.0
  ip access-group 100 in
  ip access-group 100 out
  no ip mroute-cache
  no ip route-cache
!
interface Serial0
  ip address 192.168.50.1 255.255.255.252
  no ip mroute-cache
  encapsulation ppp
  no ip route-cache
!
interface Serial1
  no ip address
  no ip mroute-cache
  no ip route-cache
  shutdown
!
ip classless
logging buffered
access-list 100 deny   icmp any any
access-list 100 permit ip any any
!
line con 0
  exec-timeout 0 0
line aux 0
  transport input all
line vty 0 4
  exec-timeout 0 0
  password 
  login
!
end

---Router Config--

---Ping results-

C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
C2501-R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
C2501-R2(config)#int e0
C2501-R2(config-if)#no ip access-group 100 in
C2501-R2(config-if)#no ip access-group 100 out
C2501-R2(config-if)#^Z
C2501-R2#
%SYS-5-CONFIG_I: Configured from console by console
C2501-R2#ping 192.168.10.50

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 192.168.10.50, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
C2501-R2#

Windoze Ping with ACL 
C:\ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.
Reply from 192.168.10.20: Destination net unreachable.

Ping statistics for 192.168.10.20:
 Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 0ms, Maximum =  0ms, Average =  0ms

Windoze Ping without ACL 

C:\ping 192.168.10.20

Pinging 192.168.10.20 with 32 bytes of data:

Reply from 192.168.10.20: bytes=32 time wrote in message
news:[EMAIL PROTECTED]...
  I know it's not what you said. What you said was obvious. I guess it
comes
  about because I said to test with end devices. Router A is acting like an
  end device in your example. I should have been more clear.
 
  What is not obvious is that ACLs on Router B do not apply to pings to and
  from Router B. Every newbie has probably been bitten by that one,
  especially in simple labs.
 
  Priscilla
 
  At 09:42 PM 8/26/01, Brad Ellis wrote:
  Priscilla, that's not what I said.  Here's what I said:
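The behaviour this thread converges on, modelled as an added example (not code from any of the posters): packets the router itself generates skip the outbound ACL on the egress interface, while every packet arriving on that interface, including the replies, is still checked by the inbound ACL. It uses John Hardman's access-list 100 as posted; the telnet filter is an assumed shape, since Ednilson's ACL is not shown.

```python
"""Model of how an interface ACL treats router-originated vs transit packets.

Added example for this thread, not code from any poster. Assumed: IOS-style
first-match evaluation with an implicit deny at the end of every list.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol (src/dst are "any any")
    dport: Optional[int] = None  # None = any port, otherwise "eq <port>"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


@dataclass
class Interface:
    address: str
    acl_in: Optional[List[AclEntry]] = None
    acl_out: Optional[List[AclEntry]] = None


def inbound_ok(iface: Interface, pkt: Packet) -> bool:
    return iface.acl_in is None or acl_permits(iface.acl_in, pkt)


def outbound_ok(iface: Interface, pkt: Packet, router_originated: bool) -> bool:
    # The anomaly under discussion: locally generated packets bypass the outbound ACL.
    if router_originated:
        return True
    return iface.acl_out is None or acl_permits(iface.acl_out, pkt)


def ping_from_router(iface: Interface, host: str) -> str:
    request = Packet("icmp", iface.address, host)
    reply = Packet("icmp", host, iface.address)
    if not outbound_ok(iface, request, router_originated=True):
        return "echo request dropped by outbound ACL"
    if not inbound_ok(iface, reply):
        return "echo request sent, echo reply dropped by inbound ACL"
    return "success"


def ping_to_router(iface: Interface, host: str) -> str:
    request = Packet("icmp", host, iface.address)
    if not inbound_ok(iface, request):
        # IOS answers a denied packet with an ICMP unreachable, which is what
        # the Windows ping in the thread reports as "Destination net unreachable".
        return "echo request dropped by inbound ACL (ICMP unreachable returned)"
    return "success"


def telnet_from_router(iface: Interface, host: str) -> str:
    syn = Packet("tcp", iface.address, host, dport=23)
    syn_ack = Packet("tcp", host, iface.address, dport=11001)  # ephemeral port
    if not outbound_ok(iface, syn, router_originated=True):
        return "SYN dropped by outbound ACL"
    if not inbound_ok(iface, syn_ack):
        return "SYN sent, SYN-ACK dropped by inbound ACL"
    return "success"


def transit(iface_out: Interface, pkt: Packet) -> str:
    """A packet forwarded from another interface out through iface_out."""
    if outbound_ok(iface_out, pkt, router_originated=False):
        return "success"
    return "dropped by outbound ACL"


# access-list 100 from the thread: deny icmp any any / permit ip any any
ACL_100 = [AclEntry("deny", "icmp"), AclEntry("permit", "ip")]
# Assumed shape of Ednilson's telnet filter (his ACL is not shown in the thread).
ACL_TELNET = [AclEntry("deny", "tcp", dport=23), AclEntry("permit", "ip")]

E0_ICMP = Interface("192.168.10.20", acl_in=ACL_100, acl_out=ACL_100)
E0_TELNET = Interface("192.168.10.20", acl_in=ACL_TELNET, acl_out=ACL_TELNET)

if __name__ == "__main__":
    print("router pings PC:", ping_from_router(E0_ICMP, "192.168.10.50"))
    print("PC pings router:", ping_to_router(E0_ICMP, "192.168.10.50"))
    print("router telnets to host:", telnet_from_router(E0_TELNET, "192.168.10.2"))
    print("host telnets through router:",
          transit(E0_TELNET, Packet("tcp", "10.0.0.5", "192.168.10.2", dport=23)))
```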
  
  

Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread Priscilla Oppenheimer

Try the Assigned Numbers RFC, which is RFC 1700. It tells you port numbers 
for various applications and whether they use TCP or UDP or both. It's a 
good RFC to bookmark. I found it here:

http://www.faqs.org/rfcs/rfc1700.html

Priscilla


- Original Message -
From: shella kevin
To:
Sent: Monday, August 27, 2001 8:04 AM
Subject: access-list  ports ( TCP /UDP) [7:17374]


when dealing with access-list we use both TCP & UDP. For example we use
tcp 53 or udp 53 for domain.

My Q is when & how we know when we should use UDP and when TCP.
What is the difference?



Thanks

Shella K.




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17417t=17374



RE: Fridays funnies [7:17141]

2001-08-27 Thread Ruben Arias

10 days?, oh! young lazy people!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17418t=17141



DDR setup [7:17419]

2001-08-27 Thread bob Perez

Is there a way that I can cause a BRI interface to activate when the load
drops to 0 on the T-1 and then deactivate when there is activity on the T-1.
I have a point to point from DE to AZ with constant traffic and  I have seen
where an interface will not transmit traffic even though it is being
reported as up and the DDR int never activates.  I cannot use a
load-threshold and everything you learn about DDR states how to do this when
the traffic reaches a certain climax and how to disconnect when it falls
under specs and I would like to do this but also in that when the traffic
hits 0 it can activate as well.  Any suggestions, please.  I am kind of a
newbie at setting up DDR and any help would be greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17419t=17419



Re: 2501 boot rom replacement [7:17405]

2001-08-27 Thread Rik Thomas

Says 2500 right on the boot-2500 right on the box. :)
- Original Message -
From: Ole Drews Jensen 
To: 
Sent: Monday, August 27, 2001 1:09 PM
Subject: RE: 2501 boot rom replacement [7:17405]


 This might be a stupid question, but are you sure you have the right
 bootrom's for your 2501?

 Ole

 ~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNA, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~~~
  http://www.RouterChief.com
 ~~~
  NEED A JOB ???
  http://www.oledrews.com/job
 ~~~


 -Original Message-
 From: Rik Thomas [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 11:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: 2501 boot rom replacement [7:17405]


 On Mon, 27 Aug 2001, John Neiberger wrote:

  How positive are you that they are in the correct slots?  I know since
  these are in order from left to right it would be hard to mess up, but
  not impossible.  On other 2500 models they are more confusing, but not
  on the 2501.  As long as from left to right you have FW1 and then FW2
  you should be just fine.

 I checked it more than twice.  Even had the book out just to make sure,  I
 tried two other chips that I had received today as well.

 
  Are they inserted all the way, flush into their mounts?  I've had
  situations where they weren't quite seated correctly and this caused
  some problems.   I really don't know what else could be causing this
  except perhaps you fried your router with static electricity.  ;-)
  Let's hope that's not the case.
 

 I don't think I fried the router, the old chips still work just fine, they
 are just too old to recognize the IOS I want to use.  I know it should
 be very easy, that is what is bothering me.  I doubt they could have sent
 me two sets of bad roms.  I am going to try the new ones in some other
 routers I have to make sure.  This is a pretty old router, but it should
 still work.

  Good luck, and I'm sorry I couldn't be of more help...
 
 Thanks for the reply, I appreciate it.

  John

 --
 Rik Thomas
 [EMAIL PROTECTED] http://SmartBackups.com
 Is your Website Smart? Automated Website backups.  Free 30Day trial!
 Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17420t=17405



Re: Logging to remote UNIX server [7:17401]

2001-08-27 Thread Sean Young

You are spending too much time on Microsoft Windows, that's why your Unix
skill is getting rusty. Joking aside, on a serious thought, make sure
that your syslogd is accepting remote logging connection.  On your
Solaris box, do the following:  ps -eaf | grep syslog,  if you see
something like this:

root   434 1  0 09:49 ?00:00:00 syslogd -m 0 -r

it means that your syslog is accepting remote logging -r.  If not,
restart your syslog server by doing this:

1) killall syslogd

2) syslogd -m 0 -r

Now your syslog will start logging remotely.

let me know if you have questions.

From: Brian
Reply-To: Brian
To: [EMAIL PROTECTED]
Subject: Re: Logging to remote UNIX server [7:17401]
Date: Mon, 27 Aug 2001 12:57:07 -0400

I am sure it's sending the syslog to the server. Can you run a sniffer or
tcpdump on the server to see that there is stuff coming in? Do you have the
syslog on the solaris box configured to accept remote connections? (By default
syslog does NOT receive remote connections, you must read the man page and
enable syslog to allow remote connections).

Brian

On Mon, 27 Aug 2001, Charles Dowling wrote:

 Hey All,

 I have been trying to set up my 3660 (IOS 12.1) access router to log
 everything to my HP OpenView server (Solaris 8). It seems simple to set up
 on the Cisco side with only a few commands but it doesn't seem to be
 working. The 'show logging' command indicates that it is working and
 sending messages to the remote box but it is not receiving anything.
 Any thoughts, guidelines, info? Thanks,
 Charles.

 These are the configuration items I entered:
 logging on
 logging buffered 1 debugging
 no logging rate-limit
 logging trap debugging
 logging facility syslog
 logging 192.168.x.x

 Results of 'show logging':
 router#sh logging
 Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns)
 Console logging: level debugging, 1559 messages logged
 Monitor logging: level debugging, 0 messages logged
 Buffer logging: level debugging, 1560 messages logged
 Logging Exception size (0 bytes)
 Trap logging: level debugging, 1564 message lines logged
 Logging to 192.168.x.x, 33 message lines logged
 Log Buffer (1 bytes):

 [GroupStudy.com removed an attachment of type text/x-vcard which had a name of cdowling.vcf]

I'm buying / selling used CISCO gear!! email me for a quote
Brian Feeny, CCIE #8036
Netjam, LLC
[EMAIL PROTECTED] http://www.netjam.net
VISA/MC/AMEX/COD phone: 318-212-0245
30 day warranty fax: 318-212-0246
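As an added example for this thread (not code from any poster), a stand-in UDP/514 receiver for the log host: with the server's syslogd stopped, it shows whether the router's datagrams arrive at all and decodes the facility and severity the router encoded under `logging facility syslog` and `logging trap debugging`. The sample datagram is constructed; binding port 514 needs root.

```python
"""Stand-in UDP/514 receiver that decodes IOS syslog datagrams.

Added example for the "Logging to remote UNIX server" thread, not code from
any poster. Run it in place of syslogd while confirming that the router's
messages reach the host; the constructed SAMPLE below shows the format.
"""
import re
import socket
from typing import Dict, Optional

# RFC 3164 facility codes; IOS 'logging facility syslog' selects code 5.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severities 0..7 with the IOS keywords ('logging trap debugging' sends up to 7).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
BODY_RE = re.compile(
    r"^(?:(\d+): )?(?:(.*?): )?%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$", re.S)


def parse_ios_syslog(datagram: bytes) -> Optional[Dict[str, object]]:
    """Decode one datagram; None if it is not a PRI-tagged IOS message."""
    text = datagram.decode("ascii", errors="replace").rstrip("\r\n")
    head = PRI_RE.match(text)
    if not head:
        return None
    pri = int(head.group(1))
    if pri > 191:                       # facilities 0..23 x severities 0..7
        return None
    facility, severity = divmod(pri, 8)
    body = BODY_RE.match(head.group(2))
    if not body:
        return None
    seq, stamp, fac_mnemonic, sev_digit, mnemonic, message = body.groups()
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "sequence": int(seq) if seq is not None else None,
        "timestamp": stamp,
        "mnemonic": f"{fac_mnemonic}-{sev_digit}-{mnemonic}",
        # IOS states the severity twice; a mismatch means something rewrote the PRI
        "severity_consistent": int(sev_digit) == severity,
        "message": message,
    }


def listen(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Print every decoded datagram; undecodable ones are shown raw."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            parsed = parse_ios_syslog(data)
            if parsed is None:
                print(f"{src}: undecodable {data!r}")
            else:
                print(f"{src}: {parsed['facility_name']}.{parsed['severity_name']} "
                      f"seq={parsed['sequence']} {parsed['mnemonic']}: {parsed['message']}")


# Constructed sample: facility syslog (5), severity 5 -> PRI 45, IOS-style body.
SAMPLE = b"<45>12: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by console\n"

if __name__ == "__main__":
    print(parse_ios_syslog(SAMPLE))
    # listen()   # run this on the log host with syslogd stopped
```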




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17421t=17401



RE: 2501 boot rom replacement [7:17405]

2001-08-27 Thread Ole Drews Jensen

Does it on your Cisco router say Best before January 1987?

Just kidding - I have no clue!

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Rik Thomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 12:44 PM
To: Ole Drews Jensen; [EMAIL PROTECTED]
Subject: Re: 2501 boot rom replacement [7:17405]


Says 2500 right on the boot-2500 right on the box. :)
- Original Message -
From: Ole Drews Jensen 
To: 
Sent: Monday, August 27, 2001 1:09 PM
Subject: RE: 2501 boot rom replacement [7:17405]


 This might be a stupid question, but are you sure you have the right
 bootrom's for your 2501?

 Ole

 ~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNA, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~~~
  http://www.RouterChief.com
 ~~~
  NEED A JOB ???
  http://www.oledrews.com/job
 ~~~


 -Original Message-
 From: Rik Thomas [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 11:38 AM
 To: [EMAIL PROTECTED]
 Subject: Re: 2501 boot rom replacement [7:17405]


 On Mon, 27 Aug 2001, John Neiberger wrote:

  How positive are you that they are in the correct slots?  I know since
  these are in order from left to right it would be hard to mess up, but
  not impossible.  On other 2500 models they are more confusing, but not
  on the 2501.  As long as from left to right you have FW1 and then FW2
  you should be just fine.

 I checked it more than twice.  Even had the book out just to make sure,  I
 tried two other chips that I had received today as well.

 
  Are they inserted all the way, flush into their mounts?  I've had
  situations where they weren't quite seated correctly and this caused
  some problems.   I really don't know what else could be causing this
  except perhaps you fried your router with static electricity.  ;-)
  Let's hope that's not the case.
 

 I don't think I fried the router, the old chips still work just fine, they
 are just too old to recognize the IOS I want to use.  I know it should
 be very easy, that is what is bothering me.  I doubt they could have sent
 me two sets of bad roms.  I am going to try the new ones in some other
 routers I have to make sure.  This is a pretty old router, but it should
 still work.

  Good luck, and I'm sorry I couldn't be of more help...
 
 Thanks for the reply, I appreciate it.

  John

 --
 Rik Thomas
 [EMAIL PROTECTED] http://SmartBackups.com
 Is your Website Smart? Automated Website backups.  Free 30Day trial!
 Ph: 302.672.7314 Fx: 302.672.7315 ICQ: 879956




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17423t=17405



RE: 2501 Acces Pro [7:17414]

2001-08-27 Thread Daniel Cotts

Are you talking about router cards that fit into a PC? Check the archives of
GroupStudy. We used to have a fellow on list who sold them. He posted some
advice. Look for Oz around late '99 to '00.
He still has a web page up but dated.
http://www.mcseco-op.com/CiscoStuff.htm

 -Original Message-
 From: Jim Newton [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 12:22 PM
 To: [EMAIL PROTECTED]
 Subject: 2501 Acces Pro [7:17414]
 
 
 Has anyone had any experience with these? I just was given 
 two of them for
 free and want to upgrade them to new code. When I try to 
 upgrade them, I get
 a message that says wrong software for this platform. I'm not 
 sure if it is
 because the boot rom is too old, or if it is something else. 
 If I put in new
 2500 boot rom and upgrade the memory, will these run the new code?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17422t=17414



Re: router boots into rommon mode... [7:16890]

2001-08-27 Thread Sean Knox

Currently, the full image is on the bootflash (I guess Flash SIMM in this
case). I'll put the full image on the flash card and the boot image on the
flash simm today.

- Sean


Daniel Cotts  wrote in message
news:[EMAIL PROTECTED]...
 On an RSM/RSP bootflash is a Flash SIMM that stores a boot image.
 The full IOS image that you run normally goes on a Flash card.
 It appears from your post that you put a regular image in the bootflash.
 Guess that's OK if your config points to it. Where is your boot image?

  -Original Message-
  From: Sean Knox [mailto:[EMAIL PROTECTED]]
  Sent: Friday, August 24, 2001 10:18 PM
  To: [EMAIL PROTECTED]
  Subject: Re: router boots into rommon mode... [7:16890]
 
 
  Thanks everyone, I have fixed the rommon booting problem and
  the RSM now
  boots the image. The main issue was my understanding (or lack
  thereof) of
  the config-register. For some reason, I thought the value
  displayed in show
  versions was the value you were -supposed- to set the config-register
  to...I didn't realize that show versions simply displays what
  the register
  is currently set to. Once I booted the flash image manually
  via rommon, I
  then executed:
 
  RSM-5500(config)# boot system flash slot0:c5rsm-isv-mz.113-5.WA4.8.bin
 
  Which then boots that image from slot0. Later I copied the image to
  bootflash via
 
  RSM-5500# copy slot0:c5rsm-isv-mz.113-5.WA4.8.bin
  bootflash:c5rsm-isv-mz.113-5.WA4.8.bin
 
  and then I cleared the slot0 card by deleting the files on it
  and then doing
  a squeeze to wipe them permanently. Booting off the boot
  flash is faster
  than the PCMCIA card, correct?
 
  Thanks again,
  Sean
 
 
 
  Daniel Cotts wrote in message news:[EMAIL PROTECTED]...
   An RSM is similar to an RSP in a 7500 series router. From rommon it looks
   by default for a boot image in the bootflash. If you have a "boot bootldr
   image name" line in your config it will use that. It then loads the boot
   image. It next looks for a full image. By default that is the first image
   on the first Flash card. You may specify which image to use with "boot
   system flash image name".
   boot system flash slot1:rsp-jsv-mz_113-11a.bin
   boot bootldr slot0:rsp-boot-mz_113-11a.bin

   My guess is that you don't have a boot image or your config is looking for
   an image that was erased. Look in your bootflash.
   TGE_7513#sh flash bootflash:
   -#- ED --type-- --crc--- -seek-- nlen -length- -date/time-- name
   1   .. unknown  0FD57943  3CE2EC   21  3727980 Nov 01 1997 21:14:50 rsp-boot-mz.111-10.CA

   Check to see which is your present working directory
   TGE_7513#pwd
   slot0

   You can change that.
   TGE_7513#cd slot1:
   TGE_7513#pwd
   slot1
   TGE_7513#cd slot0:
   TGE_7513#pwd
   slot0

   Check for the contents on the flash card.
   router#dir slot0:

    -Original Message-
    From: Sean Knox [mailto:[EMAIL PROTECTED]]
    Sent: Thursday, August 23, 2001 12:51 AM
    To: [EMAIL PROTECTED]
    Subject: Re: router boots into rommon mode... [7:16890]

    I did change the config-register to 0x2102 (that's what was shown in sh
    version). Yet the router still boots to rommon. I will try issuing the
    confreg 0x2102 command in rommon, but I don't see how that will help.

    Would the fact that this router is actually a route switch module using a
    flash card possibly change the configuration steps?

    Regards,
    Sean

    richard dumoulin wrote in message news:[EMAIL PROTECTED]...
     I think you should change the config-register to a value like 0x2102 or
     something finishing with 2. If I remember well, the number 2 means that
     the router should load the ios from flash. I believe you have set this
     value to something like 0x2101 or 0x2100.

     Regards.

     note: I need to check this, as I am forgetting the CCNA stuff :)

     note2: to change the register, you can try ? to see which rommon os
     command will let you do it. In certain rommon the command is confreg
     0x2102 and in others it is o/r 0x2102. Then you issue boot or i to boot
     the router.

     Regards.
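The boot selection Daniel Cotts describes in this thread, as an added example (not code from any poster): the config register's boot field decides whether the box stays in rommon, then the boot image comes from `boot bootldr` or bootflash, and the full image from the first `boot system flash` entry that names an existing file, else the first image on the first Flash card. The config-register bit meanings are the standard IOS ones, assumed here rather than quoted from the thread; the bootflash file name is a constructed placeholder.

```python
"""Model of RSM/RSP image selection at boot, driven by the config register.

Added example for this thread, not code from any poster. Bit meanings
(boot field, 0x0040 ignore-NVRAM, 0x0100 break disabled, bits 11-12 console
speed) are the standard IOS ones and are an assumption of this model.
"""
from typing import Dict, List, Optional, Tuple

CONSOLE_BAUD = {0: 9600, 1: 4800, 2: 2400, 3: 1200}


def decode_config_register(value: int) -> Dict[str, object]:
    boot_field = value & 0x000F
    if boot_field == 0x0:
        behaviour = "stay in rommon"
    elif boot_field == 0x1:
        behaviour = "boot the helper image from ROM"
    else:
        behaviour = "boot per 'boot system' commands, else first image in Flash"
    return {
        "boot_field": boot_field,
        "boot_behaviour": behaviour,
        "ignore_nvram_config": bool(value & 0x0040),   # the password-recovery bit
        "break_disabled": bool(value & 0x0100),
        "console_baud": CONSOLE_BAUD[(value >> 11) & 0x3],
    }


def select_images(confreg: int, boot_system: List[str], boot_bootldr: Optional[str],
                  filesystems: Dict[str, List[str]]) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (outcome, boot_image, full_image) for one startup configuration.

    filesystems maps a device ('bootflash:', 'slot0:', 'slot1:') to the files
    it holds; boot_system lists the 'device:file' operands of the 'boot system
    flash' lines in NVRAM, in configuration order.
    """
    reg = decode_config_register(confreg)
    if reg["boot_field"] == 0x0:
        return ("rommon: boot field is 0", None, None)
    if reg["boot_field"] == 0x1:
        return ("running the ROM helper image", None, None)
    if reg["ignore_nvram_config"]:
        boot_system, boot_bootldr = [], None   # startup-config is not consulted

    def present(spec: str) -> bool:
        dev, _, name = spec.partition(":")
        return name in filesystems.get(dev + ":", [])

    boot_image = boot_bootldr if boot_bootldr and present(boot_bootldr) else None
    if boot_image is None:                      # default: first file in bootflash
        bootflash = filesystems.get("bootflash:", [])
        boot_image = "bootflash:" + bootflash[0] if bootflash else None
    for spec in boot_system:                    # configured images, in order
        if present(spec):
            return ("booted configured image", boot_image, spec)
    for dev in ("slot0:", "slot1:"):            # fallback: first image on first card
        files = filesystems.get(dev, [])
        if files:
            return ("booted first image on first Flash card", boot_image, dev + files[0])
    return ("rommon: no bootable image found", boot_image, None)


# Sean's layout after the fix: boot image on the Flash SIMM, full image on the card.
# The bootflash file name is a constructed placeholder, not a name from the thread.
FILESYSTEMS = {
    "bootflash:": ["c5rsm-boot-placeholder.bin"],
    "slot0:": ["c5rsm-isv-mz.113-5.WA4.8.bin"],
}
BOOT_SYSTEM = ["slot0:c5rsm-isv-mz.113-5.WA4.8.bin"]

if __name__ == "__main__":
    for reg in (0x2100, 0x2102, 0x2142):
        print(hex(reg), decode_config_register(reg)["boot_behaviour"],
              "->", select_images(reg, BOOT_SYSTEM, None, FILESYSTEMS))
    print("image erased:", select_images(0x2102, ["slot0:erased.bin"], None, {"slot0:": []}))
```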




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17424t=16890



RE: 2501 Acces Pro [7:17414]

2001-08-27 Thread Jim Newton

No these are actual 2501's but they are cheap versions of the real thing.
They are painted white, and don't seem to have full IOS on them, but I was
just wondering if they are upgradeable if I go through the work.

-Original Message-
From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 12:50 PM
To: 'Jim Newton'; [EMAIL PROTECTED]
Subject: RE: 2501 Acces Pro [7:17414]

Are you talking about router cards that fit into a PC? Check the archives of
GroupStudy. We used to have a fellow on list who sold them. He posted some
advice. Look for Oz around late '99 to '00.
He still has a web page up but dated.
http://www.mcseco-op.com/CiscoStuff.htm

 -Original Message-
 From: Jim Newton [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 12:22 PM
 To: [EMAIL PROTECTED]
 Subject: 2501 Acces Pro [7:17414]


 Has anyone had any experience with these? I just was given
 two of them for
 free and want to upgrade them to new code. When I try to
 upgrade them, I get
 a message that says wrong software for this platform. I'm not
 sure if it is
 because the boot rom is too old, or if it is something else.
 If I put in new
 2500 boot rom and upgrade the memory, will these run the new code?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17425t=17414



CCIE Written practice RIFs [7:17426]

2001-08-27 Thread Dennis Laganiere

I put together this list of practice RIFs for anybody who is studying for
the CCIE Written.  Please let me know if you have any to add to the list, or
if you find any errors; also let me know if this is helpful, or if you have
any comments...

Enjoy...

1.  RIF - 0810.0011.0033.0040
2.  RIF - 0a10.0032.00b3.0124.0020
3.  RIF - 0810.0022.0013.0020
4.  RIF - 0800.0011.0022.0030
5.  RIF - 0a10.0011.00a2.0033.0040
6.  RIF - 0630.0011.0191.0030
7.  RIF - 0810.00a1.014f.01e0
8.  RIF - 0830.0195.00a1.0230
9.  RIF - 0a10.0045.0067.0101.0080
10. RIF - 0c10.047e.0067.00c8.043a.0080


Here are my answers:

1. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 1 (0x1), Bridge 1 (0x1)
Ring 3 (0x3), Bridge 3 (0x3) 
Ring 2 (0x4) to the destination

2. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 10 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 3 (0x3), Bridge 2 (0x2)
Ring 11 (0xb), Bridge 3 (0x3) 
Ring 18 (0x12), Bridge 4 (0x4) 
Ring 2 (0x2) to the destination

3. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 2 (0x2), Bridge 2 (0x2)
Ring 1 (0x1), Bridge 3 (0x3) 
Ring 3 (0x3) to the destination

4. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 512 bytes
Ring 1 (0x1), Bridge 1 (0x1)
Ring 3 (0x2), Bridge 3 (0x2) 
Ring 3 (0x3) to the destination

5. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 10 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 1 (0x1), Bridge 1 (0x1)
Ring a (0x10), Bridge 2 (0x2) 
Ring 3 (0x3), Bridge 3(0x3) 
Ring 4 (0x4) to the destination

6.  The RIF is invalid because the length specified in the RIF differs from
the actual length of the RIF

7.  The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 10 (0xa), Bridge 1 (0x1)
Ring 20 (0x14), Bridge 15 (0xf) 
Ring 30 (0x1e) to the destination

8. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 4,472 bytes
Ring 25 (0x19), Bridge 5 (0x5)
Ring 10 (0xa), Bridge 1 (0x1) 
Ring 35 (0x23) to the destination

9. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 10 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 4 (0x4), Bridge 5 (0x5)
Ring 6 (0x6), Bridge 7 (0x7) 
Ring 16 (0x10), Bridge 1 (0x1) 
Ring 8 (0x8) to the destination

10.  The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 12 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 71 (0x47), Bridge 15 (0xe)
Ring 6 (0x6), Bridge 7 (0x7) 
Ring 12 (0xc), Bridge 8 (0x8) 
Ring 67 (0x43), Bridge 10 (0xa) 
Ring 8 (0x8) to the destination
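A decoder for the dotted-hex RIFs in the list above, added here as an example and not code from the post: it splits each RIF into the 2-byte routing control field and the 2-byte route descriptors (12-bit ring, 4-bit bridge) and applies the validity checks the answer key relies on. The largest-frame code table is the usual IEEE 802.5 one and is an assumption of the decoder, not something the post states.

```python
"""Decoder for Token Ring RIFs written in the dotted-hex form of the list above.

Added example for the practice list; it is not code from the post.
"""
from typing import Dict, List, Tuple

# Largest-frame code (3 bits of the routing control field) -> bytes (assumed table).
LARGEST_FRAME = {0: 516, 1: 1500, 2: 2052, 3: 4472,
                 4: 8144, 5: 11407, 6: 17800, 7: 65535}


def rif_bytes(dotted: str) -> bytes:
    """'0810.0011.0033.0040' -> the 8 bytes 08 10 00 11 00 33 00 40."""
    hexdigits = dotted.replace(".", "").strip()
    if len(hexdigits) % 2:
        raise ValueError(f"odd number of hex digits in {dotted!r}")
    return bytes.fromhex(hexdigits)


def decode_rif(dotted: str) -> Dict[str, object]:
    """Break a RIF down; result['valid'] is False with a reason when it is malformed."""
    raw = rif_bytes(dotted)
    if len(raw) < 2 or len(raw) > 30 or len(raw) % 2:
        return {"valid": False, "reason": "RIF must be an even length of 2 to 30 bytes"}

    rc0, rc1 = raw[0], raw[1]          # routing control field
    top3 = rc0 >> 5                    # 0xx specifically routed, 10x all-routes, 11x spanning-tree
    if not top3 & 0b100:
        rtype = "specifically routed"
    elif not top3 & 0b010:
        rtype = "all-routes explorer"
    else:
        rtype = "spanning-tree explorer"
    length = rc0 & 0x1F                # LTH: RIF length in bytes, descriptors included
    direction = "right-to-left" if rc1 & 0x80 else "left-to-right"
    largest = LARGEST_FRAME[(rc1 >> 4) & 0x7]

    if length != len(raw):
        return {"valid": False,
                "reason": f"length field says {length} bytes but the RIF has {len(raw)}"}

    hops: List[Tuple[int, int]] = []
    for i in range(2, len(raw), 2):
        word = (raw[i] << 8) | raw[i + 1]
        hops.append((word >> 4, word & 0xF))   # (ring number, bridge number)
    if hops and hops[-1][1] != 0:
        return {"valid": False, "reason": "bridge number of the last descriptor must be 0"}

    return {
        "valid": True, "reason": None,
        "type": rtype, "length": length, "direction": direction,
        "largest_frame": largest,
        "hops": hops,                      # stored order; right-to-left frames walk it backwards
        "rings": [ring for ring, _ in hops],
    }


def describe(dotted: str) -> str:
    """Render one RIF in the style of the answer key."""
    r = decode_rif(dotted)
    if not r["valid"]:
        return f"{dotted}: invalid, {r['reason']}"
    lines = [f"{dotted}: {r['type']}, {r['length']} bytes, read {r['direction']}, "
             f"frames up to {r['largest_frame']} bytes"]
    hops = r["hops"]
    for ring, bridge in hops[:-1]:
        lines.append(f"  Ring {ring} (0x{ring:x}), Bridge {bridge} (0x{bridge:x})")
    if hops:
        lines.append(f"  Ring {hops[-1][0]} (0x{hops[-1][0]:x}) to the destination")
    return "\n".join(lines)


PRACTICE_RIFS = [
    "0810.0011.0033.0040", "0a10.0032.00b3.0124.0020", "0810.0022.0013.0020",
    "0800.0011.0022.0030", "0a10.0011.00a2.0033.0040", "0630.0011.0191.0030",
    "0810.00a1.014f.01e0", "0830.0195.00a1.0230", "0a10.0045.0067.0101.0080",
    "0c10.047e.0067.00c8.043a.0080",
]

if __name__ == "__main__":
    for rif in PRACTICE_RIFS:
        print(describe(rif))
```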




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17426t=17426



RE: 2501 Acces Pro [7:17414]

2001-08-27 Thread Daniel Cotts

CiscoPro! No problem. To load a new IOS you have to Cisco-ize the box.
There is a small utility that does that. If you have a CCO login then:
http://www.cisco.com/cgi-bin/Software/Tablebuild/tablebuild.pl/rsl

If not, it may come on new IOS CDs.
Many came with 4MB of Flash. You may have to upgrade that.

 -Original Message-
 From: Jim Newton [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 1:31 PM
 To: Daniel Cotts; [EMAIL PROTECTED]
 Subject: RE: 2501 Acces Pro [7:17414]
 
 
 No these are actual 2501's but they are cheap versions of the 
 real thing.
 They are painted white, and don't seem to have full IOS on 
 them, but I was
 just wondering if they are upgradeable if I go through the work.
 
 -Original Message-
 From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 12:50 PM
 To: 'Jim Newton'; [EMAIL PROTECTED]
 Subject: RE: 2501 Acces Pro [7:17414]
 
 Are you talking about router cards that fit into a PC? Check 
 the archives of
 GroupStudy. We used to have a fellow on list who sold them. 
 He posted some
 advice. Look for Oz around late '99 to '00.
 He still has a web page up but dated.
 http://www.mcseco-op.com/CiscoStuff.htm
 
  -Original Message-
  From: Jim Newton [mailto:[EMAIL PROTECTED]]
  Sent: Monday, August 27, 2001 12:22 PM
  To: [EMAIL PROTECTED]
  Subject: 2501 Acces Pro [7:17414]
 
 
  Has anyone had any experience with these? I just was given
  two of them for
  free and want to upgrade them to new code. When I try to
  upgrade them, I get
  a message that says wrong software for this platform. I'm not
  sure if it is
  because the boot rom is too old, or if it is something else.
  If I put in new
  2500 boot rom and upgrade the memory, will these run the new code?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17427t=17414



RE: rommon [7:17244]

2001-08-27 Thread [EMAIL PROTECTED]

Is that Ray Rommon-o? The stand up comedian and star of Everyone Loves
Raymond?




   

   
Chuck Larrieu
Sent by: nobody@groupstudy.com
08/26/2001 11:37 AM
Please respond to Chuck Larrieu

To: [EMAIL PROTECTED]
Subject: RE: rommon [7:17244]

what with all the hurrahs and kudos, dare I ask:

Rommon-o, oh Rommon-o, wherefore art thou Rommon-o?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Howard C. Berkowitz
Sent: Saturday, August 25, 2001 9:36 AM
To: [EMAIL PROTECTED]
Subject: rommon [7:17244]


This was the noblest rommon of them all,
All the configurators, save only it,
Did that they did in envy of great Cisco
He only, in a general-honest thought
And common good to all, made erase of them.
His life had parity, and the elements
So mix'd in him that IOS might stand up
And say to all the world, This was a boot!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17429t=17244



Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread Brian Whalen

I use http://www.iana.org/assignments/port-numbers for finding out about
port numbers.  Re the dns topic below, udp is fine for a company that does
not have its own dns servers and only makes queries.  TCP is used for zone
transfers.  I believe that in newer versions of BIND, random high port
numbers are used.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, shella kevin wrote:

 When dealing with access-lists we use both TCP & UDP. For example we use
 tcp 53 or udp 53 for domain.

 My Q is: when & how do we know when we should use UDP and when TCP?
 What is the difference?



 Thanks

 Shella K.



 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17431t=17374



Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread Ednilson Rosa

The problem with this reference is that all applications are listed with
both UDP and TCP ports, which is not always true in practice.

Ednilson Rosa

- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Monday, August 27, 2001 2:44 PM
Subject: Re: access-list  ports ( TCP /UDP) [7:17374]


Try the Assigned Numbers RFC, which is RFC 1700. It tells you port numbers
for various applications and whether they use TCP or UDP or both. It's a
good RFC to bookmark. I found it here:

http://www.faqs.org/rfcs/rfc1700.html

Priscilla


- Original Message -
From: shella kevin
To:
Sent: Monday, August 27, 2001 8:04 AM
Subject: access-list  ports ( TCP /UDP) [7:17374]


When dealing with access-lists we use both TCP & UDP. For example we use
tcp 53 or udp 53 for domain.

My Q is: when & how do we know when we should use UDP and when TCP?
What is the difference?



Thanks

Shella K.




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17434t=17374



Re: CCIE Lab Setup [7:17285]

2001-08-27 Thread Donald B Johnson jr

The list is on the Cisco site. Part of becoming a CCIE is being familiar with
different routers/switches and ports (interfaces). You may want to get a lab
guide and see what they are using and how; this should be a good start. I
would say at a minimum 36 serial interfaces: 20 sync, 16 async.

- Original Message -
From: XYZ 
To: 
Sent: Saturday, August 25, 2001 9:24 PM
Subject: CCIE Lab Setup [7:17285]


 I would like to setup a CCIE R/S Lab, what routers and switches should I
 have in the Lab?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17436t=17285



Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread Ednilson Rosa

The problem with this list is that every application seems to use both UDP
and TCP, which is not always true.

Ednilson Rosa

- Original Message -
From: Brian Whalen 
To: 
Sent: Monday, August 27, 2001 5:03 PM
Subject: Re: access-list  ports ( TCP /UDP) [7:17374]


I use http://www.iana.org/assignments/port-numbers for finding out about
port numbers.  Re the dns topic below, udp is fine for a company that does
not have its own dns servers and only makes queries.  TCP is used for zone
transfers.  I believe that in newer versions of BIND, random high port
numbers are used.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, shella kevin wrote:

 When dealing with access-lists we use both TCP & UDP. For example we use
 tcp 53 or udp 53 for domain.

 My Q is: when & how do we know when we should use UDP and when TCP?
 What is the difference?



 Thanks

 Shella K.



 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17435t=17374



point-to-point question? [7:17437]

2001-08-27 Thread Marshal Schoener

Hey all,

I was told that on a point-to-point dedicated T1, one router needs to be
set up as a master, and the other router needs to be set up as a slave...
Is there any truth to this, and if so, how would I go about doing it?

I have never heard of anything like this before.

Again, it isn't frame-relay, it's just a dedicated point-to-point link.

   Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17437t=17437



Re: point-to-point question? [7:17437]

2001-08-27 Thread Brian Whalen

Perhaps they're talking about clocking.  If you have control over CSUs on
both sides, typically one would be a timing source, and the other would be
set to external timing.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, Marshal Schoener wrote:

 Hey all,

 I was told that on a point-to-point dedicated T1, one router needs to be
 set up as a master, and the other router needs to be set up as a slave...
 Is there any truth to this, and if so, how would I go about doing it?

 I have never heard of anything like this before.

 Again, it isn't frame-relay, it's just a dedicated point-to-point link.

Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17438t=17437



Re: CCIE Lab exam - booked twice [7:17310]

2001-08-27 Thread Donald B Johnson jr

Oh I see, maybe they could roll out a red carpet as you stroll up. No, better
yet, I could throw rose petals since I ain't busy anymore 'cause you double
booked and I gotta wait for the really good guys to keep going through until
they pass. Then you say you would cancel the second one if you failed; I
think you meant pass. If this is your thought process you may want to add a
third date.
You may try pirating that Transcender test for a test brain too.



- Original Message -
From: Rashid Lohiya 
To: 
Sent: Sunday, August 26, 2001 2:49 AM
Subject: CCIE Lab exam - booked twice [7:17310]


 Guys,

 Does anyone know whether one person can book the lab twice?

 i.e. 1 for April, 1 for June, thus allowing him to cancel and get a refund
 on the second one if the first is failed.

 In this way, the year long wait would not need to be endured if I was to
 fail the first time around.

 --
 Rashid Lohiya
 [EMAIL PROTECTED]
 020 8509 2990
 07785 362626
 www.pioneer-computers.com
 London UK

 www.rashidl.co.uk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17439t=17310



RE: point-to-point question? [7:17437]

2001-08-27 Thread Marshal Schoener

I have two 1602 routers, one on each side.  They each have a T1 WIC card that is
also the DSU...
Do I need to set a clock rate on one side?  I didn't think so, but maybe I
was wrong.


Thanks again,

-Original Message-
From: Brian Whalen [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 4:36 PM
To: Marshal Schoener
Cc: [EMAIL PROTECTED]
Subject: Re: point-to-point question? [7:17437]


Perhaps they're talking about clocking.  If you have control over CSUs on
both sides, typically one would be a timing source, and the other would be
set to external timing.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, Marshal Schoener wrote:

 Hey all,

 I was told that on a point-to-point dedicated T1, one router needs to be
 set up as a master, and the other router needs to be set up as a slave...
 Is there any truth to this, and if so, how would I go about doing it?

 I have never heard of anything like this before.

 Again, it isn't frame-relay, it's just a dedicated point-to-point link.

Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17442t=17437



Re: CCIE Exam Cram [7:17334]

2001-08-27 Thread Donald B Johnson jr

no they didn't did they
Thank You,

Donald B  Johnson Jr
Engineering/Technical Operations
Corporate Manager Technical Support Services
Adelphia Communications Corp.
P# 888-277-6872 support line
Pg# 866-690-9276 pager
P# 814-260-3259 office
F# 814-260-3227 fax
[EMAIL PROTECTED]



- Original Message -
From: Rayappa Mayakunthala 
To: 
Sent: Sunday, August 26, 2001 11:14 AM
Subject: CCIE Exam Cram [7:17334]


 Cisco added CCIE Exam Cram to the recommended reading list!

 http://www.cisco.com/warp/public/625/ccie/certifications/routing.html

 Rayappa.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17440t=17334



RE: Fridays funnies [7:17141]

2001-08-27 Thread Hartnell, George

Hummm, with those kinds of credentials those guys shouldn't have to work.




They could teach.



Best, G.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17443t=17141



Re: point-to-point question? [7:17437]

2001-08-27 Thread John Neiberger

Whoever told you that should be smacked soundly and then asked to
clarify and justify the statement.

In what context was this discussed?  Off the top of my head I have no
idea what this might be referring to.  It requires no special effort to
get the link up and running.  

If you have a Cisco router on each end, set the IP address and you're
off and running.  If either router is non-Cisco then you'll also need to
set PPP encapsulation.  That's all that's needed for connectivity.

Perhaps this person was somehow referring to database exchanges in
OSPF, but that also doesn't make much sense because Master and Slave are
chosen dynamically.  Which one is which is of no consequence.

Hmm... I really just can't figure that one out.  Please let us know
more about the specifics.  It would be interesting to figure out what
this person is trying to communicate to you.

HTH,
John

 Marshal Schoener  8/27/01 2:44:07 PM

Hey all,

I was told that on a point-to-point dedicated T1, one router needs to
be set up as a master, and the other router needs to be set up as a slave...
Is there any truth to this, and if so, how would I go about doing it?

I have never heard of anything like this before.

Again, it isn't frame-relay, it's just a dedicated point-to-point
link.

   Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17441t=17437



RE: point-to-point question? [7:17437]

2001-08-27 Thread Brian Whalen

Clock rate is a different deal.  Is this a full or fractional T1?  If it's a
full T1, I suspect the card will support that rate properly.  If it's
fractional, then your intervention will be required to set the number of
timeslots properly.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, Marshal Schoener wrote:

 I have two 1602 routers, one on each side.  They each have a T1 WIC card that is
 also the DSU...
 Do I need to set a clock rate on one side?  I didn't think so, but maybe I
 was wrong.


 Thanks again,

 -Original Message-
 From: Brian Whalen [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 4:36 PM
 To: Marshal Schoener
 Cc: [EMAIL PROTECTED]
 Subject: Re: point-to-point question? [7:17437]


 Perhaps they're talking about clocking.  If you have control over CSUs on
 both sides, typically one would be a timing source, and the other would be
 set to external timing.

 Brian Sonic Whalen
 Success = Preparation + Opportunity


 On Mon, 27 Aug 2001, Marshal Schoener wrote:

  Hey all,
 
  I was told that on a point-to-point dedicated T1, one router needs to be
  set up as a master, and the other router needs to be set up as a slave...
  Is there any truth to this, and if so, how would I go about doing it?
 
  I have never heard of anything like this before.
 
  Again, it isn't frame-relay, it's just a dedicated point-to-point link.
 
 Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17445t=17437



RE: PIX design question [7:16801]

2001-08-27 Thread Kent Hundley

I think you misunderstood my response.  I wasn't saying to run IDS on the
PIX, I was saying that a good reason not to run a cross-over cable between
the Intranet PIX and Internet PIX was so that one could deploy an IDS
sensor between the 2 PIXen, and this would require a switch.  Sorry if this
wasn't clear.

-Kent

-Original Message-
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 7:48 AM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: Re: PIX design question [7:16801]


Check out Dragon Sensor.  It has a client that sits outside the firewall to
communicate with the internal sensors.  Personally, at the risk of starting
a flame war, I hate the idea of running ANYTHING besides firewall software
on a firewall.  IDS just adds strain and possible added points of failure
when run on the firewall in my opinion.  IDS should just sit by & passively
check packets on a separate box.

Allen

- Original Message -
From: Kent Hundley 
To: 
Sent: Saturday, August 25, 2001 1:19 PM
Subject: RE: PIX design question [7:16801]


 Patrick,

 First, I'm generally not a fan of the interface to interface design for
 firewalls for one simple reason: IDS.  If you wanted to deploy any kind of
 IDS, and I highly recommend that you do, you would not be able to place a
 sensor between the Internet and Intranet firewalls.  Switches are cheap and
 add no amount of latency that will be noticeable.  I wouldn't do it this way.

 As to the second question, it's best to keep servers on protected DMZs. I
 would place the servers in question on the Internet firewall's DMZ for
 consistency and simplicity of design.

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Patrick Donlon
 Sent: Wednesday, August 22, 2001 6:56 AM
 To: [EMAIL PROTECTED]
 Subject: PIX design question [7:16801]


 We are in the middle of migrating to a new network, this includes
replacing
 Checkpoint firewalls with PIX. My question concerns the proposed design of
 the Internet and IntrAnet PIX firewalls and in particular a connection
 between the two firewalls. It has been suggested that we connect the
 IntrAnet firewall's outside interface to one of the Internet firewalls
DMZs.
 I can see that this may reduce latency for traffic passing to the internet
 from our intrAnet but I'd like to hear anyone's thoughts on this one,
 routing or security issues perhaps.

 Another design issue which was raised was the placement of some servers in
 the same outside interface of the intrAnet firewall. These servers would
 require access to one of the intrAnet firewall's DMZ and be accessible
from
 another DMZ on the internet firewall which are in turn are accessible from
 the Internet. This seems a bit of a complicated design and could be a
 security loophole (??). Thoughts and experiences please

 regards Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17446t=16801



RE: point-to-point question? [7:17437]

2001-08-27 Thread John Neiberger

Aha!  Now we're talking.  I was making the assumption you were
discussing higher-layer configs.  This person is talking about physical
layer configuration of your CSU/DSU.  In that situation you do have a
master/slave relationship.  Usually, the CSU/DSU is the 'slave' and
derives its clocking from the line.

If you have a router with built-in CSU/DSUs then you'd need to
configure the router appropriately.

HTH,
John

 Marshal Schoener  8/27/01 2:47:01 PM 
Thanks for the reply...
Basically, the person at the telco (Verizon) told me that point-to-point
interfaces, such as the one I am using between 2 sites, need to have a
master and a slave for clocking purposes :-)  I have never heard of this
myself, and thought, like you said, that with HDLC all you need to do is give
the serial interface an IP address.

Thanks again for responding!

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]] 
Sent: Monday, August 27, 2001 4:47 PM
To: [EMAIL PROTECTED] 
Cc: [EMAIL PROTECTED] 
Subject: Re: point-to-point question? [7:17437]


Whoever told you that should be smacked soundly and then asked to
clarify and justify the statement.

In what context was this discussed?  Off the top of my head I have no
idea what this might be referring to.  It requires no special effort
to
get the link up and running.  

If you have a Cisco router on each end, set the IP address and you're
off and running.  If either router is non-Cisco then you'll also need
to
set PPP encapsulation.  That's all that's needed for connectivity.

Perhaps this person was somehow referring to database exchanges in
OSPF, but that also doesn't make much sense because Master and Slave
are
chosen dynamically.  Which one is which is of no consequence.

Hmm... I really just can't figure that one out.  Please let us know
more about the specifics.  It would be interesting to figure out what
this person is trying to communicate to you.

HTH,
John

 Marshal Schoener  8/27/01 2:44:07 PM

Hey all,

I was told that on a point-to-point dedicated T1, one router needs to
be set up as a master, and the other router needs to be set up as a slave...
Is there any truth to this, and if so, how would I go about doing it?

I have never heard of anything like this before.

Again, it isn't frame-relay, it's just a dedicated point-to-point
link.

   Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17447t=17437



SSH question [7:17448]

2001-08-27 Thread Wright, Jeremy

Does anyone have any good links to point me to for setting up a ssh session
with a router?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17448t=17448



RE: point-to-point question? [7:17437]

2001-08-27 Thread Marshal Schoener

Thanks,

It's a full T1.  There was never a problem until there was a power outage.
Ever since then, there have been strange problems trying to hit the remote
servers from the offices...
The setup is simple, being that it is HDLC and only really requires an IP
address on the interface and some routes :)
But, I'm thinking that there can be a problem on one of the WICs...
   Thanks again,

-Original Message-
From: Brian Whalen [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 4:55 PM
To: Marshal Schoener
Cc: [EMAIL PROTECTED]
Subject: RE: point-to-point question? [7:17437]


Clock rate is a different deal.  Is this a full or fractional T1?  If it's a
full T1, I suspect the card will support that rate properly.  If it's
fractional, then your intervention will be required to set the number of
timeslots properly.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, Marshal Schoener wrote:

 I have two 1602 routers, one on each side.  They each have a T1 WIC card that is
 also the DSU...
 Do I need to set a clock rate on one side?  I didn't think so, but maybe I
 was wrong.


 Thanks again,

 -Original Message-
 From: Brian Whalen [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 4:36 PM
 To: Marshal Schoener
 Cc: [EMAIL PROTECTED]
 Subject: Re: point-to-point question? [7:17437]


 Perhaps they're talking about clocking.  If you have control over CSUs on
 both sides, typically one would be a timing source, and the other would be
 set to external timing.

 Brian Sonic Whalen
 Success = Preparation + Opportunity


 On Mon, 27 Aug 2001, Marshal Schoener wrote:

  Hey all,
 
  I was told that on a point-to-point dedicated T1, one router needs to be
  set up as a master, and the other router needs to be set up as a slave...
  Is there any truth to this, and if so, how would I go about doing it?
 
  I have never heard of anything like this before.
 
  Again, it isn't frame-relay, it's just a dedicated point-to-point link.
 
 Thanks a million in advance,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17450t=17437



spanning tree,priority, and elections [7:17449]

2001-08-27 Thread sam sneed

According to Cisco docs, the spanning tree algorithm specifies a
priority field which defaults to 32,768. When switches power up they assume
they are the root bridge and advertise this value in BPDUs across the
network to elect a root bridge. Since they all have the same priority by
default, the election is then decided by the lowest MAC address of the tied
switches. As a matter of fact, Cisco uses the lowest-MAC-address tie-breaker
in other algorithms as well. This seems simple enough to understand. What I'd
like to know is, when they manufacture switches, do they burn in lower MAC
addresses in their core and distribution switches than in their access layer
switches? Otherwise, access layer switches might be elected as root bridges
during the election, which would not be optimal.

Can anyone give some insight on this?

p.s. Excuse me for any grammar or punctuation errors, as I am a product of
N.J. Public Schools.


Sam Sneed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17449t=17449
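The election Sam describes, worked through in code. This is an added example, not code from the list or from Cisco: the switch names, MAC addresses and priorities are constructed sample data, and the function names (`Bridge`, `elect_root`, the three scenario functions) are mine. It shows the 802.1D comparison exactly as the post states it (Bridge ID = 16-bit priority followed by the 48-bit MAC, lowest wins), and then the two things a practitioner wants to see next: nobody relies on factory MAC ordering, because lowering the priority on the intended root (what `spanning-tree vlan <id> priority <n>` does on Catalyst IOS) takes the MAC out of the decision; and the same comparison is STP's classic weakness, since any device on an access port that sends a BPDU claiming a lower Bridge ID becomes root, which is why access ports get BPDU guard or root guard.

```python
"""Root bridge election per IEEE 802.1D, as described in the post above.

Added example, not from the list or from Cisco.  All switch names, MAC
addresses and priorities below are constructed sample data.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # 802.1D default bridge priority


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                        # "00:d0:ba:..." or "00-d0-ba-..." form
    priority: int = DEFAULT_PRIORITY

    @property
    def bridge_id(self) -> int:
        """802.1D Bridge ID: 16-bit priority, then the 48-bit MAC.
        Comparing the integer compares priority first, MAC second."""
        if not 0 <= self.priority <= 0xFFFF:
            raise ValueError("priority must fit in 16 bits")
        mac_int = int(self.mac.replace(":", "").replace("-", ""), 16)
        if not 0 <= mac_int <= 0xFFFFFFFFFFFF:
            raise ValueError("MAC must be 48 bits")
        return (self.priority << 48) | mac_int


def elect_root(bridges):
    """The bridge every BPDU exchange converges on: lowest Bridge ID."""
    return min(bridges, key=lambda b: b.bridge_id)


# Constructed topology: two core switches with higher (newer) MACs and an
# older access switch that happens to carry the lowest MAC on the network.
ACCESS = Bridge("access-1", "00:10:7b:00:00:01")
CORE_A = Bridge("core-a",   "00:d0:ba:00:00:0a")
CORE_B = Bridge("core-b",   "00:d0:ba:00:00:0b")


def default_election():
    """Every switch at the default priority: the MAC tie-breaker decides,
    and the access switch wins, which is the outcome the post worries about."""
    return elect_root([ACCESS, CORE_A, CORE_B]).name


def election_with_priority(core_priority=4096):
    """Lowering the priority on the intended root (the effect of
    'spanning-tree vlan <id> priority 4096' on Catalyst IOS) makes the
    factory MAC irrelevant, whatever the vendor burned in."""
    core_a = Bridge(CORE_A.name, CORE_A.mac, priority=core_priority)
    return elect_root([ACCESS, core_a, CORE_B]).name


def election_with_rogue():
    """The same rule is the attack: a host on an access port that sends
    BPDUs with priority 0 out-bids even a correctly configured core.
    BPDU guard (shut the port on any BPDU) or root guard (refuse a superior
    BPDU on that port) is what stops this; the election itself cannot."""
    core_a = Bridge(CORE_A.name, CORE_A.mac, priority=4096)
    rogue = Bridge("rogue-pc", "00:50:56:00:00:99", priority=0)
    return elect_root([ACCESS, core_a, CORE_B, rogue]).name


if __name__ == "__main__":
    print("default election root:", default_election())
    print("with core-a priority 4096:", election_with_priority())
    print("with a rogue priority-0 bridge:", election_with_rogue())
```

The answer to the question as posed is therefore no: vendors do not order MACs by tier, and a design that depends on it would be undone by the first replacement switch. Set the priority on the core pair (primary and a secondary value on the backup), and protect the access edge so that a priority-0 BPDU from a user port is dropped rather than believed.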



RE: Pix Route issue [7:17242]

2001-08-27 Thread Ciaron Gogarty

I would hazard a guess that your NAT rule does not include that subnet.

-Original Message-
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: 27 August 2001 17:20
To: [EMAIL PROTECTED]
Subject: RE: Pix Route issue [7:17242]


Only one route is allowed?  I hope you are not referring to the PIX or a
2600 as those are the only pieces of hardware in the scenario...because
both allow for multiple routes.

-Patrick

 Farhan Ahmed  08/26/01 01:26AM 
only one route is allowed..

Best Regards

Have A Good Day!!

Farhan Ahmed
MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems, Abu Dhabi, UAE





 -Original Message-
 From: Bob Nawrocki [mailto:[EMAIL PROTECTED]] 
 Sent: Saturday, August 25, 2001 8:30 PM
 To: [EMAIL PROTECTED] 
 Subject: Pix Route issue [7:17242]
 
 
 We have a Pix firewall that is serving as a default gateway to the Internet
 as well as providing ipsec tunnel connectivity to several remote offices for
 several hosts on a subnet. On the same subnet we have a 2600 providing a
 point to point wan link.  I added a route to the Pix on the inside interface
 to point to the 2600 for the wan route.  I am still not able to connect to
 that subnet unless i add a specific route on the hosts.  When running debug
 logging on the Pix I get the following output:

 106011: Deny inbound (No xlate) icmp src inside:10.111.1.55 dst
 inside:10.112.3.3 (type 8, code 0)
 
 Any thoughts?
 
 Bob Nawrocki
 CCNP CCDP





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17451t=17242



Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread Carroll Kong

Ok, Ednilson is correct in that the list will not help Shella solve her 
problem.  However, I would generally take what www.iana.org says as the 
standard that all should abide by.  Does that mean people will break 
it?  You betcha.  What kind of authority says that they are right?  Well, 
any good network engineer knows that RFC1918 claims a particular set of 
networks are deemed for private usage.  Guess who tries to mandate such 
RFCs in ip address allocation and port allocation, iana.

http://www.iana.org/assignments/ipv4-address-space

The list has allocated the port, UDP and TCP for it.  Yes, not every 
application uses both, but they might, and that is the point.  They do 
preallocation for a particular protocol and people stick with those 'well 
known ports' as a standard to avoid pure chaos.

In reference to Shella, the best way is unfortunately, to read the RFC for 
the protocol.  As far as I remember, DNS uses UDP almost exclusively for 
all queries, and TCP for DNS Zone Transfers.  If that does not make any 
sense to you, you really should double up on the reading on DNS.  For most 
intents and purposes, you only really need UDP to go through unless you've got 
secondaries, tertiaries, quadaries (sic) sitting far and away.  This is 
assuming a well defined DNS server that follows the specs.  I am sure you 
can find deviations from the ever-so-popular microsoft DNS servers or any 
other dns server.  But hey, that's the price you pay for buying into the 
pioneers of their own standards.

At 04:39 PM 8/27/01 -0400, Ednilson Rosa wrote:
The problem with this list is that every application seems to use both UDP
and TCP, which is not always true.

Ednilson Rosa

- Original Message -
From: Brian Whalen
To:
Sent: Monday, August 27, 2001 5:03 PM
Subject: Re: access-list  ports ( TCP /UDP) [7:17374]


I use http://www.iana.org/assignments/port-numbers for finding out about
port numbers.  Re the dns topic below, udp is fine for a company that does
not have its own dns servers and only makes queries.  TCP is used for zone
transfers.  I believe that in newer versions of BIND, random high port
numbers are used.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, shella kevin wrote:

  When dealing with access-lists we use both TCP & UDP. For example we use
  tcp 53 or udp 53 for domain.
 
  My Q is: when & how do we know when we should use UDP and when TCP?
  What is the difference?
 
 
 
  Thanks
 
  Shella K.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17452t=17374
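Shella's original question and Carroll's DNS answer, turned into something you can run. This is an added example, not code from the list or from Cisco: it models IOS extended-ACL semantics (entries checked in order, first match wins, implicit deny at the end) in a small evaluator, and the addresses, the `Ace`/`evaluate`/`DNS_ACL` names and the sample packets are all mine. The ACL it encodes is the one the thread arrives at: UDP/53 to the name server from anywhere (queries), TCP/53 to it only from the known secondary (zone transfers); the equivalent IOS lines are in a comment. One caveat the thread glosses over: under RFC 1035 a resolver whose UDP answer comes back truncated (answers over 512 bytes, TC bit set) retries the same query over TCP, so restricting TCP/53 to the secondaries also clips those retries. That was the normal trade-off for small zones; know your answer sizes before you make it.

```python
"""Evaluate a DNS access list with IOS extended-ACL semantics.

Added example, not from the list or from Cisco.  Addresses and packets are
constructed sample data; IOS itself is not involved.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry (the IOS 'access-list 101 permit ...' line)."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches everything, else "tcp" / "udp" / ...
    src: str               # CIDR; "0.0.0.0/0" is IOS 'any', /32 is 'host'
    dst: str
    dport: Optional[int] = None   # None = any port, as when 'eq' is omitted

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """First matching entry decides; anything unmatched hits the implicit
    'deny ip any any' that every IOS access list ends with."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


NS = "192.168.10.2"          # our authoritative name server (constructed)
SECONDARY = "198.51.100.53"  # the one host allowed to pull zones (constructed)

# Equivalent IOS lines, for reference:
#   access-list 101 permit udp any host 192.168.10.2 eq domain
#   access-list 101 permit tcp host 198.51.100.53 host 192.168.10.2 eq domain
#   (implicit: deny ip any any)
DNS_ACL = [
    Ace("permit", "udp", "0.0.0.0/0", f"{NS}/32", 53),
    Ace("permit", "tcp", f"{SECONDARY}/32", f"{NS}/32", 53),
]


def sample_results():
    """Constructed packets run through DNS_ACL; the keys say what each is."""
    stranger = "203.0.113.7"
    return {
        "udp query from anywhere":  evaluate(DNS_ACL, "udp", stranger, NS, 53),
        "axfr from secondary":      evaluate(DNS_ACL, "tcp", SECONDARY, NS, 53),
        "axfr from stranger":       evaluate(DNS_ACL, "tcp", stranger, NS, 53),
        "tcp retry from stranger":  evaluate(DNS_ACL, "tcp", stranger, NS, 53),
        "udp to other port":        evaluate(DNS_ACL, "udp", stranger, NS, 123),
        "tcp/53 to other host":     evaluate(DNS_ACL, "tcp", SECONDARY, "192.168.10.50", 53),
    }


if __name__ == "__main__":
    for what, verdict in sample_results().items():
        print(f"{what:26s} -> {verdict}")
```

The "tcp retry from stranger" row is the caveat in action: the evaluator cannot tell a zone-transfer attempt from a legitimate truncated-answer retry, because at the ACL's layer they are the same thing, a TCP connection to port 53. If large answers matter, permit TCP/53 from any and control AXFR on the server instead (allow-transfer in BIND), which is where the distinction is actually visible.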



RE: Pix Route issue [7:17242]

2001-08-27 Thread Ciaron Gogarty

or maybe...

Is your route inside 10.0.0.0 255.0.0.0?  I think the message is indicating
that you have too general a route to the remote subnet.  try adding a more
specific route.

-Original Message-
From: Allen May [mailto:[EMAIL PROTECTED]]
Sent: 27 August 2001 15:50
To: [EMAIL PROTECTED]
Subject: Re: Pix Route issue [7:17242]


If it's doing NAT and IPSec you need a ruleset to not use NAT for a
destination on the IPSec tunnel.  It looks like that is what's happening.

Allen


- Original Message -
From: pat 
To: 
Sent: Monday, August 27, 2001 1:18 AM
Subject: Re: Pix Route issue [7:17242]


 PIX can't route back on the same interface.

 Hence this does not work. So workaround will be to let
 router be gateway to your subnet  PIX be gateway to
 router. Router can route to remote subnet accross
 point to point link as well as to PIX.

 Hope this helps.
 --- Bob Nawrocki  wrote:
  We have a Pix firewall that is serving as a default gateway to the Internet
  as well as providing ipsec tunnel connectivity to several remote offices for
  several hosts on a subnet. On the same subnet we have a 2600 providing a
  point to point wan link.  I added a route to the Pix on the inside interface
  to point to the 2600 for the wan route.  I am still not able to connect to
  that subnet unless i add a specific route on the hosts.  When running debug
  logging on the Pix I get the following output:
 
  106011: Deny inbound (No xlate) icmp src inside:10.111.1.55 dst
  inside:10.112.3.3 (type 8, code 0)
 
  Any thoughts?
 
  Bob Nawrocki
  CCNP CCDP
 [EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17453t=17242



Re: Re: Tacacs [7:17110]

2001-08-27 Thread Donald B Johnson jr

See, this is what I am talking about; here is a snippet from that page.
__
Download  xtacacsd v4.1  for Cisco terminal servers. Does Skey, PH
databases, accounting and more
_
Note: this software is not being developed any more because of the advent of
better protocols such as radius and tac_plus.
_
So why don't you just roll that one out since you're busy, then when a bug
locks everybody out don't call them for support.
You'll be researching how to do a lot of good old-fashioned console work
without the boss finding out.



- Original Message -
From: Ramesh K 
To: 
Sent: Monday, August 27, 2001 2:14 AM
Subject: Re: Re: Tacacs [7:17110]


 Hi stephen,

 You can use tacacs if you want to authenticate
 the users accessing your routers. You can get the log also. You can download
 the same from www.navya.com
 I don't have any idea about Kerberos...
 In my setup tacacs is working fine

 thanks
 ramesh

 On Fri, 24 Aug 2001 Stephen Skinner wrote :
 Hello,
 
 i don't mean to be rude but i think the reason the gentleman replied the
 way he did was because the way you posed your question was to say
 
  "i'm too busy ...you lot do it for me"
 
 now i personally believe that that is not the case and you were simply asking
 (as i do all the time) for some assistance in this subject matter.
 
 unfortunately i don't have an answer to your question but also require info
 on tacacs+ so please don't be afraid to pass on what you may learn
 
 
 Kindest Regards
 
 
 steve
 
 
 From: khramov
 Reply-To: khramov
 To: [EMAIL PROTECTED]
 Subject: Re: Tacacs [7:17110]
 Date: Fri, 24 Aug 2001 10:58:12 -0400
 
 As far as I know this is a Cisco newsgroup and it should be used for
 technical discussions not for personal insults.  If you think that you are
 smarter than me or have better work habits that is fine, I am not going to
 argue with that.  Otherwise I would be asking questions.
 
 Donald B Johnson jr wrote:
 
   After someone gives you an answer, are you going to have time to research
   if it is a good solution for you or are you going to just implement it.
   It sure must warm the cockles of your supervisor's heart if he could see
   you now.
   Actually the only two things that would make me too busy that I couldn't
   research an access solution would be;
   A raging blaze
   A Seinfeld rerun
   don
  
   - Original Message -
   From: khramov
   To:
   Sent: Friday, August 24, 2001 6:17 AM
   Subject: Tacacs [7:17110]
  
 Hi,
 Just like everyone else sometimes I do not have enough time to do the
 research myself and I post questions here.  Here is what I am trying to
 do:  I am trying to set up some sort of security server on my network to
 authorize user access on routers and switches.  First of all, what should
 I use: Tacacs (extended or +), Radius, Kerberos; which one seems to work
 better.  Second, where can I buy/download the software or can I just
 configure a router as a Tacacs server.  Just give me some ideas on this.
 Thanks a lot,
 alex







RE: spanning tree,priority, and elections [7:17449]

2001-08-27 Thread Bob Johnson

Not in my experience...
You need to manually tune the bridge ID priority to elect the root bridge
where you want it. It also pays to think about a secondary root should the
primary fail.


 -Original Message-
 From: sam sneed [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 27, 2001 2:17 PM
 To: [EMAIL PROTECTED]
 Subject: spanning tree,priority, and elections [7:17449]
 
 
 According to cisco doc's, the spanning tree algorithm specifies a
 priority field which defaults to 32,768. When switches power up they assume
 they are the bridge root and advertise this value in BPDU's across the
 network to elect a root bridge. Since they all have the same priority by
 default, the election is then decided by the lowest MAC address of the tied
 switches. As a matter of fact, cisco uses the lowest MAC address tie-breaker
 in other algorithms as well. This seems simple enough to understand. What I'd
 like to know is, when they manufacture switches, do they burn in lower MAC
 addresses in their core and distribution switches than in their access layer
 switches? Otherwise, access layer switches might be elected as root bridges
 during the election, which would not be optimal.
 
 Can anyone give some insight on this?
 
 p.s. Excuse me for any grammar or punctuation errors, as I am a product of
 N.J. Public Schools.
 
 
 Sam Sneed
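The election Sam describes and the priority tuning Bob recommends, as an added example (not code from either poster): bridge ID = 16-bit priority followed by the 48-bit MAC, lowest value wins. Switch names, MACs and the 4096/8192 priorities are constructed values, not from the thread.

```python
# Added example, not code from the thread: 802.1D root election. Each
# switch's bridge ID is its 16-bit priority followed by its 48-bit MAC and
# the numerically lowest bridge ID becomes root, so with every switch at the
# default 32768 the lowest MAC wins. Names and MACs below are constructed.

DEFAULT_PRIORITY = 32768

# Constructed topology: the access switch happens to carry the lowest MAC,
# which is exactly the case Sam is worried about.
DEFAULT_TOPOLOGY = {
    "access1": (DEFAULT_PRIORITY, "00:00:0c:11:11:11"),
    "core1":   (DEFAULT_PRIORITY, "00:00:0c:aa:aa:aa"),
    "core2":   (DEFAULT_PRIORITY, "00:00:0c:bb:bb:bb"),
}

# Same switches after tuning: core1 is the intended root and core2 the
# secondary root that wins the re-election if core1 fails.
TUNED_TOPOLOGY = {
    "access1": (DEFAULT_PRIORITY, "00:00:0c:11:11:11"),
    "core1":   (4096, "00:00:0c:aa:aa:aa"),
    "core2":   (8192, "00:00:0c:bb:bb:bb"),
}


def bridge_id(priority: int, mac: str) -> int:
    """Pack priority and MAC into the 64-bit value compared in the election."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 48 bits")
    return (priority << 48) | mac_int


def elect(topology):
    """Switch names from most to least preferred root: element 0 is the
    root bridge, element 1 takes over if element 0 disappears."""
    return sorted(topology, key=lambda name: bridge_id(*topology[name]))


def root_after_failure(topology, failed):
    """Re-run the election with the failed switch removed."""
    survivors = {n: v for n, v in topology.items() if n != failed}
    return elect(survivors)[0]


if __name__ == "__main__":
    print("defaults:", elect(DEFAULT_TOPOLOGY))   # access1 wins on MAC
    print("tuned:   ", elect(TUNED_TOPOLOGY))     # core1, then core2
    print("core1 down:", root_after_failure(TUNED_TOPOLOGY, "core1"))
```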







Re: CCIE Lab exam - booked twice [7:17310]

2001-08-27 Thread Rashid Lohiya

Hmm Triple booking, good idea feller!
I like your thinking! (Well at least one of us is thinking anyway).

And while you're at it, some tea and cakes would not go amiss too.

Please excuse me for asking, (and of course for my glaring mistakes, I am a
burn-out from way back).

Oh well! back to the trouble-shooting.

Rashid

Donald B Johnson jr  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Oh I see maybe they could roll out a red carpet as you stroll up. No better
 yet I could throw rose petals since I ain't busy anymore 'cause you double
 booked and I gotta wait for the really good guys to keep going through until
 they pass. Then you say you would cancel the second one if you failed, I
 think you meant pass. If this is your thought process you may want to add a
 third date.
 You may try pirating that Transcender test for a test brain too.



 - Original Message -
 From: Rashid Lohiya
 To:
 Sent: Sunday, August 26, 2001 2:49 AM
 Subject: CCIE Lab exam - booked twice [7:17310]


  Guys,
 
  Does anyone know whether one person can book the lab twice?
 
  i.e. 1 for April, 1 for June, thus allowing him to cancel and get a refund
  on the second one if the first is failed.
 
  In this way, the year long wait would not need to be endured if I was to
  fail the first time around.
 
  --
  Rashid Lohiya
  [EMAIL PROTECTED]
  020 8509 2990
  07785 362626
  www.pioneer-computers.com
  London UK
 
  www.rashidl.co.uk







RE: point-to-point question? [7:17437]

2001-08-27 Thread Carroll Kong

At 05:18 PM 8/27/01 -0400, Marshal Schoener wrote:
Thanks,

It's a full T1.  There was never a problem until there was a power outage.
Ever since then, there have been strange problems trying to hit the remote
servers from the offices...
The setup is simple, being that it is HDLC and only really requires an IP
address on the interface and some routes :)
But, I'm thinking that there can be a problem on one of the WICs...
Thanks again,

Well, is it possible that you guys configured some settings, and forgot to 
write the configuration to NVRAM?  So a power outage caused you to load the 
old configuration which is now... unfit for your network settings.  When 
was the next to last reboot of the box?  Anyway, just something to think
about.



-Carroll Kong







RE: Logging to remote UNIX server [7:17401]

2001-08-27 Thread Shaw, Winston Mr 5 SIG CMD

Hello Charles,

Please try as an example

logging 192.168.x.x
logging trap debugging
logging facility local6  

( you can use other facilities here but match what you do on the SUN box.)

On the SUN box try (in the syslog.conf file)

local6.debug	/var/adm/messages  (or any file you like)

Winston
CCIE #7991

-Original Message-
From: Charles Dowling [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 5:56 PM
To: [EMAIL PROTECTED]
Subject: Logging to remote UNIX server [7:17401]


Hey All,

I have been trying to set up my 3660 (IOS 12.1) access router to log
everything to my HP OpenView server (Solaris 8).  It seems simple to set
up on the Cisco side with only a few commands but it doesn't seem to be
working.  The 'show logging' command indicates that it is working and
sending messages to the remote box but it is not receiving anything.
Any thoughts, guidelines, info?

Thanks,
Charles.

These are the configuration items I entered:

logging on
logging buffered 1 debugging
no logging rate-limit
logging trap debugging
logging facility syslog
logging 192.168.x.x

Results of 'show logging':
router#sh logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0
flushes, 0 overruns)
Console logging: level debugging, 1559 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 1560 messages logged
Logging Exception size (0 bytes)
Trap logging: level debugging, 1564 message lines logged
Logging to 192.168.x.x, 33 message lines logged

Log Buffer (1 bytes):

[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of cdowling.vcf]
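Winston's fix turns on the facility the router stamps into each message; an added example (not code from either poster) that decodes that PRI field and tests it against a syslog.conf selector, which makes the local6-versus-syslog facility mismatch visible. The two sample messages are constructed, not output from Charles's 3660.

```python
# Added example, not code from the thread: decode the <PRI> field a Cisco
# router prepends to each syslog message (PRI = facility * 8 + severity)
# and check it against a classic syslog.conf selector such as local6.debug.
# The messages below are constructed samples.
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
# Index is the numeric severity; Cisco's levels 0-7 map straight onto these.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed samples: the same IOS message sent with "logging facility local6"
# (PRI 22*8+5 = 181) and with "logging facility syslog" (PRI 5*8+5 = 45).
LOCAL6_MSG = "<181>42: *Mar  1 01:02:03.456: %SYS-5-CONFIG_I: Configured from console by vty0"
SYSLOG_FAC_MSG = "<45>42: *Mar  1 01:02:03.456: %SYS-5-CONFIG_I: Configured from console by vty0"


def parse_pri(msg: str):
    """Return (facility_name, severity_name) from the leading <PRI> field."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> field")
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITY_NAMES.get(facility, "facility%d" % facility), SEVERITIES[severity]


def selector_matches(selector: str, msg: str) -> bool:
    """Classic syslog.conf semantics: 'fac.pri' selects messages from fac at
    priority pri or anything more severe; '*' stands for any facility."""
    fac, pri = selector.split(".", 1)
    msg_fac, msg_sev = parse_pri(msg)
    if fac != "*" and fac != msg_fac:
        return False
    return SEVERITIES.index(msg_sev) <= SEVERITIES.index(pri)


def would_be_written(selectors: str, msg: str) -> bool:
    """True if any ';'-separated selector on a syslog.conf line would send
    msg to that line's action (on Solaris the action must follow a TAB)."""
    return any(selector_matches(s.strip(), msg) for s in selectors.split(";"))


if __name__ == "__main__":
    for line in (LOCAL6_MSG, SYSLOG_FAC_MSG):
        print(parse_pri(line), "-> local6.debug writes it:",
              would_be_written("local6.debug", line))
```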







RE: SSH question [7:17448]

2001-08-27 Thread Art _

It's tricky setting up SSH for certain Cisco products, because they use
version 1.5, which you won't see with most SSH clients.  I had to use the
Putty client for a Pix.  Your best bet is to set up your SSH server to a
workstation, and allow telnet (w/ TACACS auth) from that workstation only on
the inside of your network.

Art Davis
CCIE #6430
CCNP + Voice Access Specialization





Passed BSCN [7:17460]

2001-08-27 Thread Juan Blanco

Team,
I want to thank you all for your help, one way or another, in passing my BSCN
test (wow it was hard), this group is great and I know many people feel the
same way. Now to start working on the switching test, I have two
questions...Any recommendation on which books to buy...What hardware do I
need in order to get ready...Please, I want to pass the test but at the same
time I want to learn in order for me to be ready one day for the CCIE (I feel
good). I would not have done this without God's blessing...Thanks God

Thanks to all.







2500/2600 rack bracket screws??? [7:17461]

2001-08-27 Thread Bob Johnson

Does anyone have a source for the little screws you need to mount the rack
ears onto 2500/2600 series chassis?
I always seem to lose a few here and there..



Bob Johnson
[EMAIL PROTECTED]
Engineering
Stox Broadcast Corporation
The Landing, 300-375 Water St.
Vancouver, BC V6B 5C6
Tel. 604-633-2900
Fax. 604-685-3170
www.stox.com







Re: Subject: Re: Subject: Re: TCP/IP question [7:17343]

2001-08-27 Thread Paul Werner

Comments within and below.

 Subject: Re: Subject: Re: TCP/IP question [7:17343]
 
 This subject is not as clear as it ought to be.  If you look at
 the subject of loopbacks generically, there are two RFCs that
 come to mind.  The first deals with RFC 1122 Requirements for
 Internet Hosts.  The second deals with RFC 1122 Requirements
 for IPv4 Routers.
 
 Kind of a nit, but 1122 has been superseded by 1812.
 
 

I must respectfully disagree.  

The lineage of the RFC progression of Internet Gateways is 
documented very well in Fred Baker's hyperlinked RFC pages and 
other sources.  On the first page he notes in the preface the 
following:

PREFACE
This document is an updated version of RFC 1716, the historical 
Router Requirements document. That RFC preserved the 
significant work that went into the working group, but failed 
to adequately describe current technology for the IESG to 
consider it a current standard.

This disclaimer statement is likely necessary because RFC 1716 
was categorized as informational, not standards track.

If you go to RFC 1716 and look at the introductory paragraph it 
states the following:

1 INTRODUCTION

The goal of this work is to replace RFC-1009, Requirements for 
Internet Gateways ([INTRO:1]) with a new document.

If you go to RFC 1009, that appears to be more or less the 
first defined RFC named, Requirements for Internet Gateways. 
Although RFC 985 does deserve mention, it was only a draft 
standard.  The RFCs that are referenced in this document number 
62 references, including the original RFCs governing IP (700 
series RFCs).

If you look at RFC 1122, it states the following:

Status of This Memo

This RFC is an official specification for the Internet 
community. It incorporates by reference, amends, corrects, and 
supplements the primary protocol standards documents relating 
to hosts. Distribution of this document is unlimited.

There are no listed or named successor standards that supersede 
RFC 1122 in the standards track (as they relate exclusively to 
Internet Hosts).

The general point of confusion exists around this specific 
statement in RFC 1812, para. 1.2 appropriately 
titled, Relationship to other standards.  It states,

Host Requirements - This pair of documents reviews the 
specifications that apply to hosts and supplies guidance and 
clarification for any ambiguities. Note that these requirements 
also apply to routers, except where otherwise specified in this 
memo. As of this writing, the current versions of these 
documents are RFC 1122 and RFC 1123 (STD 3), [INTRO:2] and 
[INTRO:3]. 

This is saying not that the standard has been superseded, but 
rather it has been incorporated by reference.  Any areas of 
ambiguities (as they apply to Internet gateways) are to be 
resolved explicitly in RFC 1812.

Okay, if you have made it this far, you are naturally 
asking, what is my point?  There are discontinuities in 
certain areas of RFC 1122 and RFC 1812.  If the device is an 
Internet host (not a router), it is only required to comply 
with the requirements in RFC 1122.  If it is an IPv4 router, 
then it should comply with the requirements in RFC 1812.  So 
where's the discontinuity?

Let's try subnet zero for starters.  Look at this statement 
from RFC 1812, page 49, para. 4.2.2.11:

DISCUSSION 
Previous versions of this document also noted that subnet 
numbers must be neither 0 nor -1, and must be at least two bits 
in length. In a CIDR world, the subnet number is clearly an 
extension of the network prefix and cannot be interpreted 
without the remainder of the prefix. This restriction of subnet 
numbers is therefore meaningless in view of CIDR and may be 
safely ignored. 

This says that subnet zero is allowed and is considered a good 
practice to use in the CIDR world (why waste address space?)

Here's the rub.  Go to RFC 1122 and see what it says about 
subnet zero:

From the Assigned Numbers memo [9]:
 
In certain contexts, it is useful to have fixed 
addresses with functional significance rather than as 
identifiers of specific hosts.  When such usage is called for, 
the address zero is to be interpreted as meaning this, as 
in this network.  The address of all ones are to be 
interpreted as meaning all, as in all hosts.  For example, 
the address 128.9.255.255 could be interpreted as meaning all 
hosts on the network 128.9.  Or, the address 0.0.0.37 could be 
interpreted as meaning host 37 on this network.
 
 It is useful to preserve and extend the interpretation 
of these special addresses in subnetted networks.  This means 
the values of all zeros and all ones in the subnet field should 
not be assigned to actual (physical) subnets.

So, what is the issue and what are the differences?  RFC 1812 
indicates that subnet zero is allowed, useful in CIDR, and 
should be used.  RFC 1122 clearly indicates that Internet hosts 
should not be placed in subnet zero networks.

One could easily ask, what relevance does this have to 

Comments on new 806 Broadband Router [7:17463]

2001-08-27 Thread Wojtek Zlobicki

Anyone have any good/bad experiences with the new 806 broadband router?
This device is fairly inexpensive (approx $500) and looks like a great idea
for the home. It is not modular, but appears to suit the needs of a small
office or a home user.  I'd much rather pick up one of these new than an old
1605 (then again ... )?







RE: incorrect TCP checksum [7:16776]

2001-08-27 Thread Scott Meyer

I have seen TCP checksum errors in the real world.

We had a customer with a 1720 dialing into an ISP via ISDN. They could browse
the internet, and send email with no problems. However they could not get
email. They could dial in with an analog line and get email.

After working with TAC for awhile, trying different IOS versions etc., we
discovered it was a problem with multilink. For some reason, this particular
POP3 (or SMTP? never keep those 2 straight ) server didn't like multilink
packets.

We set ppp max fragments to 1 and everything worked.

Scott Meyer
CCNA, CCDA, MCSE, etc
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, August 22, 2001 1:45 PM
To: [EMAIL PROTECTED]
Subject: Re: incorrect TCP checksum [7:16776]


Is this an academic question or are you actually seeing TCP checksum
errors? I have never seen a TCP checksum error, so I wondered. Well, I have
seen them when people change the data in Sniffer traces without
recalculating the checksum, but that's not real world.

In answer to your question, TCP checksum errors would have to be a software
bug, or possibly firmware bug if TCP were implemented in firmware.

If the frame gets damaged in transit, it gets trashed by the recipient
because the data-link-layer CRC isn't right. If the routing process or IP
implementation trashes the frame, then the IP checksum won't be right and
TCP trashes the frame.

If the frame gets all the way to TCP and ends up with a checksum error,
then software at the TCP layer damaged it.

I think your real question might be what is causing TCP retransmissions?
TCP transmissions can result from errors at any layer that caused a frame
or an acknowledgement to not reach the intended recipient. TCP
retransmissions are much more likely to result from the following potential
errors than from a TCP checksum error:

Frames getting damaged in transit and getting trashed
 Issue a show int and check reliability and CRC error rates
 If Ethernet, check for excessive collisions, duplex mismatch
problems

Routers or switches dropping frames due to buffer overflows
 Issue a show int and check for dropped frames
 Issue a show buffer and check for problems

Frames getting dropped by service provider
 If frame relay, check that you aren't going above your CIR


There's probably a bunch of other reasons. I recommend the various Cisco
Internetwork Troubleshooting books. The Cisco Press one is very  good.

One other thought: a few retransmissions are normal. You might want to
check the percentage. I hesitate to give a threshold, but if it's just a
few percent of your frames getting retransmitted, don't worry about it. Are
users noticing a problem? That's the bottom line.

Priscilla

At 03:30 AM 8/22/01, Anatoly Shein wrote:
Hi
According to my knowledge an incorrect TCP checksum causes TCP
retransmissions.
What could be the reason for an incorrect TCP checksum?
As I understand it could be a problem in one of the routers/proxies, probably
a switch.
And intuitively I think that the problem should be somewhere in the OS.
Can you give me any suggestion about detecting the faulty machine, or a
source to find more info about this problem.

By suggestions I mean something more constructive than putting sniffers on
each leg of the device and looking for TCP checksum errors.


Priscilla Oppenheimer
http://www.priscilla.com
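Priscilla's point that a checksum failure at TCP means damage after the data-link CRC and IP checksum were satisfied, shown as an added example (not code from the thread): it computes the TCP checksum over the pseudo-header plus segment, verifies it, and contrasts a bit flip (always caught) with a swap of two 16-bit words (never caught, a known weakness of the one's complement sum). Addresses, ports and payload are constructed.

```python
# Added example, not code from the thread: build a TCP segment, compute the
# checksum over the IPv4 pseudo-header + TCP header + data (RFC 793), and
# show what a receiver's verification does and does not catch. Addresses,
# ports and payload are constructed sample values.
import struct

SRC_IP = bytes([192, 168, 10, 50])   # constructed client address
DST_IP = bytes([192, 168, 10, 2])    # constructed POP3 server address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_length: int) -> bytes:
    # zero byte, protocol 6 (TCP), TCP length = header + data
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_length)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Sender side: value for header bytes 16-17, summed with that field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Receiver side: the sum including the stored checksum must be all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(payload: bytes, src_port: int = 40000, dst_port: int = 110) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port,
                         1000,     # sequence number (constructed)
                         2000,     # acknowledgement number (constructed)
                         5 << 4,   # data offset 5 words, reserved bits zero
                         0x18,     # flags PSH|ACK
                         8192,     # window
                         0,        # checksum placeholder
                         0)        # urgent pointer
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, segment)) + segment[18:]


def flip_bit(segment: bytes, index: int, mask: int) -> bytes:
    """The in-memory damage Priscilla attributes to TCP-layer software: one bit
    changed after the checksum was computed. A single-bit change is always caught."""
    buf = bytearray(segment)
    buf[index] ^= mask
    return bytes(buf)


def swap_words(segment: bytes, i: int, j: int) -> bytes:
    """Exchange two aligned 16-bit words. The sum is order independent, so this
    damage is NOT caught by the TCP checksum (a CRC generally would catch it)."""
    buf = bytearray(segment)
    buf[i:i + 2], buf[j:j + 2] = segment[j:j + 2], segment[i:i + 2]
    return bytes(buf)


if __name__ == "__main__":
    seg = build_segment(b"USER alice\r\n")
    print("intact:", tcp_checksum_ok(SRC_IP, DST_IP, seg))
    print("bit flipped:", tcp_checksum_ok(SRC_IP, DST_IP, flip_bit(seg, 24, 0x01)))
    print("words swapped:", tcp_checksum_ok(SRC_IP, DST_IP, swap_words(seg, 20, 22)))
```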







Passed Written [7:17466]

2001-08-27 Thread Christopher Supino

Hey all,

Well, I passed the written today. That was one tough test! Glad it is over.
I plan on taking a break from studying for a couple of months. One question:
What are the scheduling times looking like right now? I am hoping to get in
for an early April lab. Ohh.. and let me not forget. Thanks again to all on
the list for all the great posts that stimulate thinking. This list has been
an invaluable asset to me throughout my Cisco studies.

P.S. Are any of the CCIE candidates on the list involved with the Cisco ASET
program, and if so, can you contact me offline with what the experience has
been like? Thanks in advance.


Christopher Supino
CCNP, CCDP, MCSE, CNA5, ASE
Senior Network Design Engineer (and CCIE candidate that feels good :))







Learn2route.net not accepting reservations [7:17467]

2001-08-27 Thread Mike

Hi,
Does anybody know why learn2route.net is not accepting any more reservations?
thanks,
Mike






