Dial on Demand configuration to ISP [7:29867]

2001-12-21 Thread Steiven Poh (Jaring MailBox)

Hi Folks,

Do you guys have a Dial on Demand configuration to an ISP using an async port
(2511 series)?

Thanks

Rgds,
Steiven




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29867&t=29867
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Routing protocols [7:29139]

2001-12-21 Thread RB Jón Eggert Guðmundsson

I personally use the old ARPA 4-layer definition when I am troubleshooting
a TCP/IP problem. It is simple to use and works great as a structure to use
when troubleshooting a real world problem.
Regards
Jon Gudmundsson

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] 
Sent: 14. desember 2001 03:58
To: [EMAIL PROTECTED]
Subject: RE: Routing protocols [7:29139]

I once had an interesting, if heated argument with someone off list about
this. IIRC, I was told by that person that Cisco, in its current CCNP study
materials, is saying just that - that something operates at the OSI layer
above which it functions. I.e. if a routing protocol uses an IP protocol
number, then it is operating at transport layer. Since BGP uses TCP port
179, it is operating at the session layer, along with RIP, which uses UDP
port 520. (BTW, I have also read in a reputable source that UDP is
application layer because it is not reliable, and therefore cannot be
transport layer, and there is no place else it really fits.)

I recognize that Cisco just LOVES the OSI model in the lower level
certifications, but the fact is that in terms of how things work it is crap,
and tends to cause more confusion and add no value.

Every vendor of content switches is calling them layer 4-7 switches. What
kind of crap is that?
I dare anyone to justify switching as a layer 5 or a layer 6 activity. Yet
there it is. Also, to judge from what content switches do, the marketers are
saying the OSI layer 7 is user application, not a service application,
something Howard takes great pain to differentiate in his writings on the
subject, again IIRC.

TCP/IP is NOT OSI compliant, never has been, never will be. OSI is a
reference model, and not necessarily related to anything in real life.

End of rant.

Chuck



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jose Luis De Abreu
Sent: Thursday, December 13, 2001 12:25 PM
To: [EMAIL PROTECTED]
Subject: Routing protocols [7:29139]


Just an open question?

We read, learn and teach Routing protocols are at the
NETWORK layer of the famous OSI model...

But they have PROTOCOL NUMBERS - TRANSPORT LAYER (such
as IGRP protocol 9, EIGRP protocol 88 and OSPF
protocol 89) and APPLICATION PORT values - APPLICATION
LAYER (RIP uses port 520 and BGP4 uses port 179),
indicating they work in the upper layers and not in
the network layer, although the result is shown in
the NETWORK layer...

So my question is...

Do they really operate at LAYER 3?

Warm regards,

Jose Luis De Abreu









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29868&t=29139



2500 Power Question [7:29869]

2001-12-21 Thread Lin Mi

Anyone know how much power a 2500 pulls? I mean how
many kilowatts does it use per hour? How can I tell
how much it will cost to run 4 2500s for 12 hours if
it costs 10 cents per kilowatt-hour.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29869&t=29869



Re: Latest Hackers Target: Routers [7:29844]

2001-12-21 Thread Nigel Taylor

Chuck and Andreas,
  I take note of the fact that authentication
can add major increases to the time taken in forming neighbor peer
relationships.  Yes, MD5 based authentication as I suggested in my original
post is currently the operational model, but it was noted in RFC 2385 that
MD5 was considered weak.

Nigel .

I guess this issue just spells out MPLS/VPN...


- Original Message -
From: "Chuck Larrieu" 
To: 
Sent: Friday, December 21, 2001 3:16 AM
Subject: RE: Latest Hackers Target: Routers [7:29844]


> I know from my studies that there is BGP neighbor md5 authentication.
>
> Somewhere in my reading I seem to recall that employing authentication can
> add 50-100% to the time it takes a neighbor relationship to form. Fine for
> lab work. maybe not so fine in the world of the production ISP.
>
> phrak, this is all we need. ISP's start preventing BGP packets from any but
> known and trusted sources to cross their networks and there go the internet
> BGP practice labs.
>
> damn anarchists.
>
> Chuck
>
> ---
> neighbor password
> To enable Message Digest 5 (MD5) authentication on a TCP connection between
> two Border Gateway Protocol (BGP) peers, use the neighbor password router
> configuration command. To disable this function, use the no form of this
> command.
>
> neighbor {ip-address | peer-group-name} password string
> ---
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Andras Bellak
> Sent: Thursday, December 20, 2001 9:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Latest Hackers Target: Routers [7:29844]
>
>
> Nigel-
>
> If you dig back through the NANOG archives, there was a rather in depth
> and discouraging discussion of encrypting / authorizing BGP session
> neighbors. The general result was that almost nobody supported it, and
> many in the ISP groups that offer BGP connectivity didn't even know what
> it was.
>
> While it might or might not be on the CCIE exams, having some form of
> authentication between routing partners is a good thing to practice in
> your test labs, and put into production in your networks.
>
> Andras
>
> -Original Message-
> From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 20, 2001 8:33 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Latest Hackers Target: Routers [7:29844]
>
>
> Chuck,
>  Yes, I got the thread on this today and forwarded a copy to
> some of my co-workers.  I hope folks are making use of the various IOS
> implementations to limit the damage done by a prospective attacker.  Things
> like CBAC, rate-limit could go a long way in simply providing the needed
> time to identify a serious attack and implement more specific filtering
> techniques to identify or completely block the attacker.
>
> As it applies to the sniffing of BGP packets to gain route information, I
> was wondering where do things stand now on the implementation of encrypted
> authentication within BGP.  If I'm not mistaken, isn't this supposed to
> happen along with support for IPv6. This document references
> authentication which sounds like the existing support for MD5 based
> authentication.
>
> http://search.ietf.org/internet-drafts/draft-ietf-idr-bgp4-16.txt  (pg 9(a))
>
>
> Now this document does seem to address current issues with respect to the
> flaws/vulnerabilities inherent to all TCP based protocols. The important
> thing to note is this can be done without the presence of a MPLS aware
> backbone based on the model identified by RFC2547bis (MPLS/VPN).
>
> http://search.ietf.org/internet-drafts/draft-declercq-bgp-ipsec-vpn-01.txt
>
>
> Thoughts anyone..
>
> Nigel .
>
> - Original Message -
> From: "Chuck Larrieu"
> To:
> Sent: Thursday, December 20, 2001 10:14 PM
> Subject: RE: Latest Hackers Target: Routers [7:29810]
>
>
> > anyone see a thread about this on NANOG today? The archives are not up to
> > date with today's topics.
> >
> > Chuck
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Eric Rogers
> > Sent: Thursday, December 20, 2001 1:29 PM
> > To: [EMAIL PROTECTED]
> > Subject: OT: Latest Hackers Target: Routers [7:29810]
> >
> >
> > Paste into your browser:
> >
> > dailynews.yahoo.com/h/cmp/20011217/tc/inw20011217s0004_1.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29871&t=29844
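The signature that the `neighbor password` command quoted above turns on is the TCP MD5 option of RFC 2385. As an added example (not code from the thread), the following Python computes and verifies that digest over a constructed BGP KEEPALIVE segment; addresses, ports and the key are constructed, and padding the option with two NOPs is one common layout, not something the RFC mandates.

```python
"""RFC 2385 TCP MD5 signature option, computed and verified.

Added example, not code from the thread. The digest covers, in order, the IPv4
pseudo-header, the fixed TCP header with its checksum zeroed and options excluded,
the segment payload, and the shared key (RFC 2385 section 2.0). Changing any
covered field, or using a different key, produces a different digest, which is
what lets a BGP speaker reject segments that did not come from its configured peer.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

TCPOPT_MD5SIG = 19     # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18    # kind(1) + length(1) + digest(16)
OPTIONS_LEN = 20       # option plus two NOPs to reach a 4-byte boundary (assumed layout)
TCP_HDR_LEN = 20

# A genuine BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


@dataclass
class Segment:
    """The parts of a TCP segment that the signature covers (constructed values)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes


def pseudo_header(seg: Segment) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length (header + options + data)."""
    seg_len = TCP_HDR_LEN + OPTIONS_LEN + len(seg.payload)
    return (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))


def tcp_header_no_options(seg: Segment) -> bytes:
    """Fixed 20-byte header with the checksum forced to zero, as the RFC requires.
    The data offset still counts the options that will follow (40 bytes = 10 words)."""
    data_offset_words = (TCP_HDR_LEN + OPTIONS_LEN) // 4
    offset_and_flags = (data_offset_words << 12) | (seg.flags & 0x1FF)
    return struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                       offset_and_flags, seg.window, 0, 0)


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """16-byte signature: MD5(pseudo-header || header || payload || key)."""
    h = hashlib.md5()
    h.update(pseudo_header(seg))
    h.update(tcp_header_no_options(seg))
    h.update(seg.payload)
    h.update(key)   # the key is appended last and never appears on the wire
    return h.digest()


def md5sig_option(digest: bytes) -> bytes:
    """Option bytes as carried in the header: NOP, NOP, kind, length, digest."""
    return b"\x01\x01" + bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest


def verify_segment(seg: Segment, key: bytes, received_digest: bytes) -> bool:
    """Receiver side: recompute over the received fields and compare in constant time."""
    return hmac.compare_digest(tcp_md5_digest(seg, key), received_digest)


def demo() -> bool:
    """Sign a KEEPALIVE, then show that a changed payload or a wrong key fails."""
    peer = Segment("192.0.2.1", "192.0.2.2", 33001, 179, 0x1000, 0x2000,
                   0x018, 16384, BGP_KEEPALIVE)
    key = b"bgp-shared-secret"   # constructed stand-in for the configured password
    sig = tcp_md5_digest(peer, key)
    forged = replace(peer, payload=BGP_KEEPALIVE[:-1] + b"\x03")
    return (verify_segment(peer, key, sig)
            and not verify_segment(forged, key, sig)
            and not verify_segment(peer, b"other-key", sig))
```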



Re: Subject: Re: Subject: Re: PIM kills OSPF [7:29336]

2001-12-21 Thread Peter Ahremark

Hi there!

Just a quick answer, I've been in a bit of stress the last days, and had no
time to further investigate the issue... CSCdm68862 really looks like it,
I'll look into it, weird though that it affects both 12.1 and 12.2, but I
guess Cisco isn't that quick to fix all their bugs :-)

I'll return with more info as soon as time is on my side :-)

Merry Christmas by the way, and really thanks for your info/reply!

Greetings, Peter

"Paul Werner"  wrote in message
news:[EMAIL PROTECTED]...
> Comments within and below. [Verbosity bit is set]
>
>
> > Hi there!
> >
> > Just a quick answer. First of all thanx for all your replies, it's very
> > valuable. In regards to the article about HSRP/PIM problems, I have also
> > found that one, but it didn't fit into the problem (sadly..).
>
> I figured that was probably the case.  Although you did mention
> that HSRP was affected with the addition of PIM to your
> configurations, it was no guarantee that there were other
> forces at play.
>
> > I'm at home today with no access to the equipment, but I'll continue
> > with it tomorrow together with a colleague of mine. The router CPU-load
> > is very low, there is no traffic since this is only done in our lab
> > environment for the moment.
>
>
> Well, I would not necessarily rule out a bug either (as was
> originally suggested by another poster).  The trick is
> identifying the router CPU utilization/load during the
> introduction of PIM commands.  If no spike is seen during the
> entire process, my hunch would be that other problems are at
> stake.  Still, I did find a few bugs that indicated loss of
> connectivity in OSPF routes and HSRP problems with the addition
> of PIM.
>
>
> CSCdm68862
>
> Hot Standby Router Protocol (HSRP) does not work when IP
> Protocol Independent Multicast (PIM) is configured on a Fast
> Ethernet interface that uses the DEC211140 chipset. The active
> router does not reply to an Internet Control Message Protocol
> (ICMP) ping of the virtual IP address.
>
> Workaround: Use the burned-in address by entering the standby
> use-bia command.
>
> or this:
>
> CSCdr11784
>
> If you configure Protocol Independent Multicast (PIM) or Hot
> Standby Router Protocol (HSRP) on an ATM-LANE interface, the
> CPU of the Route Switch Processor (RSP) may reach 99 percent.
> This situation only occurs when Open Shortest Path First (OSPF)
> is enabled on more than 12 interfaces in combination with ATM-
> LANE. This situation does not occur on an RSP that is running
> Cisco IOS Release 12.0 S or Release 11.2 GS. There is no
> workaround.
>
>
> > In regards to RP or not RP, it doesn't matter, for the moment it's
> > configured with BSR's where wg3r2 is the Candidate-RP for a couple of
> > groups.
>
> See, the lines listed above are another good example of what I
> made reference to earlier.  It is nearly impossible to make any
> degree of accurate diagnosis of these type of problems without
> all of the complete information.  Partial configs are analogous
> to the patient that goes to see the doctor and complains that
> his head is always hurting.  The doctor runs a battery of tests
> and cannot come up with anything conclusive.  When the patient
> is ready to get discharged, the doctor turns to write on the
> charts and finds the patient banging his head on the wall.  The
> doctor asks why he is doing this?  The patient responds, "Well
> doc, it feels really good when I stop"  Obviously, a complete
> medical history on the patient would have rendered a more
> accurate and timely diagnosis - admission to the psyche ward.
>
> You need to post full sanitized configs of your routers to show
> what is really going on.  You just mentioned two salient facts
> that were not previously mentioned.  First is the fact that you
> are using BSRs.  In Cisco design for multicast networks, the
> presence of a bootstrap router implies a non-homogeneous
> network, i.e. you are using non-Cisco routers to do multicast.
> You did not mention this previously.  Also, since you are using
> a BSR, this implies you are working with PIM version 2.  The
> real question to be asked is are all your routers also using
> PIM version 2?
>
>
> > The adjacency is the same even if we run Auto-RP. In regards to PIM
> > only sparse or only dense...haven't tried that yet :-)
>
> Another thought here on running Auto-RP in an environment with
> a configured BSR; you may want to read this section (watch
> wrap):
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt3/1cdmulti.htm#xtocid994543
>
> Specifically, make note of the following:
>
> "Either the BSR or Auto-RP should be chosen for a given range
> of multicast groups. If there are PIM Version 1 routers in the
> network, do not use the BSR."
>
>
> > I visited Networks in Copenhagen for about a month ago, and the lecture
> > on multicast from Beau Williamson was very interesting, and yes it's very
> > true
Re: 2500 Power Question [7:29869]

2001-12-21 Thread c1sc0k1d

I don't know this offhand but Cisco has all this information for each
product on their web site.

The k1d


"Lin Mi"  wrote in message
news:[EMAIL PROTECTED]...
> Anyone know how much power a 2500 pulls? I mean how
> many kilowatts does it use per hour? How can I tell
> how much it will cost to run 4 2500s for 12 hours if
> it costs 10 cents per kilowatt-hour.
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29873&t=29869



Reflection X [7:29874]

2001-12-21 Thread Walter Rogowski

I telnet using Reflection X to a terminal server that in turn connects
via console to various Cisco routers etc. When trying to use the
CTRL+SHIFT+6 keyboard sequence to return to my previous connection it does not
work. Does anyone know how to set up Reflection X to do this?







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29874&t=29874



RE: 2500 Power Question [7:29869]

2001-12-21 Thread R. Benjamin Kessler

Per the docs, a 2500 has a *max* draw of 1A @ 110V - YMMV but I'd imagine
that you'll see these boxes pull significantly less than the advertised max
value.

Using the worst case number:

110W/hr * 12hrs = 1320W or 1.32KW

At $0.10/KW Hour it will cost ~ $0.13 per router

Again, this is based off the advertised max draw.  In reality, I'd be
surprised if it cost you much more than $0.50/day to run all four full-time.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Lin Mi
Sent: Friday, December 21, 2001 4:55 AM
To: [EMAIL PROTECTED]
Subject: 2500 Power Question [7:29869]


Anyone know how much power a 2500 pulls? I mean how
many kilowatts does it use per hour? How can I tell
how much it will cost to run 4 2500s for 12 hours if
it costs 10 cents per kilowatt-hour.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29875&t=29869



OSPF summary route cost. [7:29876]

2001-12-21 Thread Diffy De Villiers

Could someone please explain to me why some OSPF summary routes are more
expensive than other routes (even if the cheaper route is accessed via
the more expensive route)?

To illustrate my point, picture the following scenario:

RouterA is connected to RouterB via network 1. Network 1 has a cost of 1.
RouterB is connected to RouterC via network 2. Network 2 has a cost of 4.
RouterC is connected to RouterD via network 3. Network 3 has a cost of 16.
Network 4 (which has a cost of 64) is only connected to RouterD.
Network 1 is in OSPF area 1 (RouterA is an internal router and RouterB
is the ABR for area 1).
Network 2 is the only network in the backbone area (area 0).
Networks 3 and 4 are in area 2 (RouterD is an internal router and
RouterC is the ABR for area 2).

If you now perform a "show ip route" on RouterA, the cost to network 3
is 149 and the cost to network 4 is 85 !!! Even though network 4 is
accessed via network 3, it is less expensive than network 3. The only
rational explanation that I can find for this is that the ABR for Area2
adds an extra cost-factor for network 3 when it advertised it to other
areas (but I cannot figure out why???). And if this is the case, why
does it not add on an extra cost-factor for network 4 as well???

If someone had an answer to this, please enlighten me. I have to
explain the OSPF costing concepts to some students (and how do you
explain things if you do not understand it yourself?).

Thanking you for your support on this forum.


Abraham de Villiers (Diffy)
Teltraswitch Facilitator
Telkom Centre for Learning

Tel : (021) 550 1855 or (021) 550 1800
Fax: (021) 551 4193
Cell: 082 824 9724
eMail : devilla1@telkom.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29876&t=29876
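Added example, not code from the post: the standard OSPF inter-area cost rule (an ABR originates a summary carrying its own cost to the prefix, and a receiving router adds its cost to reach that ABR) applied to the four-router topology described above, with router names and costs taken from the post. Under that rule RouterA sees network 4 at 85, as the post reports, and network 3 at 21; the 149 the post observed for network 3 is not produced by this rule, and the post leaves that discrepancy open.

```python
"""OSPF intra-area SPF plus the two-level inter-area summary rule, worked on the
topology from the post. Added example; the link list below is constructed from
the post's description and is not a real router configuration.
"""
import heapq
from typing import Dict, List, Optional, Set, Tuple

# (router_a, router_b, area, cost of the shared network) from the post
LINKS: List[Tuple[str, str, int, int]] = [
    ("A", "B", 1, 1),    # network 1, area 1
    ("B", "C", 0, 4),    # network 2, area 0 (backbone)
    ("C", "D", 2, 16),   # network 3, area 2
]
# prefix name -> (area, interface cost, routers attached to it)
NETWORKS: Dict[str, Tuple[int, int, List[str]]] = {
    "net1": (1, 1, ["A", "B"]),
    "net2": (0, 4, ["B", "C"]),
    "net3": (2, 16, ["C", "D"]),
    "net4": (2, 64, ["D"]),      # stub network hanging off RouterD only
}


def routers_in_area(area: int) -> Set[str]:
    return {r for a, b, ar, _ in LINKS if ar == area for r in (a, b)}


def spf(area: int, source: str) -> Dict[str, int]:
    """Dijkstra over the links of a single area (intra-area SPF)."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, ar, cost in LINKS:
        if ar == area:
            adj.setdefault(a, []).append((b, cost))
            adj.setdefault(b, []).append((a, cost))
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def intra_area_cost(router: str, net: str) -> Optional[int]:
    """Cost to a prefix inside one of the router's own areas, or None if not in that area."""
    area, if_cost, attached = NETWORKS[net]
    if router not in routers_in_area(area):
        return None
    dist = spf(area, router)
    # cost to a network = cost to an attached router + that router's interface cost
    return min(dist[r] + if_cost for r in attached if r in dist)


def abrs_of(area: int) -> Set[str]:
    """ABRs are the routers present in both the given area and the backbone."""
    return routers_in_area(area) & routers_in_area(0)


def backbone_cost(router: str, net: str) -> int:
    """Cost a backbone router has to `net`: intra-area if it belongs to that area,
    otherwise via the area's ABRs, whose summary LSAs carry their intra-area cost."""
    own = intra_area_cost(router, net)
    if own is not None:
        return own
    area = NETWORKS[net][0]
    dist0 = spf(0, router)
    return min(dist0[z] + intra_area_cost(z, net) for z in abrs_of(area) if z in dist0)


def route_cost(router: str, net: str) -> int:
    own = intra_area_cost(router, net)
    if own is not None:
        return own
    if router in routers_in_area(0):
        return backbone_cost(router, net)
    # Internal router of a non-backbone area (assumed to be in exactly one area):
    # reach one of its ABRs, which re-originates the backbone summary with its own cost.
    my_area = next(ar for a, b, ar, _ in LINKS if router in (a, b))
    dist = spf(my_area, router)
    return min(dist[y] + backbone_cost(y, net) for y in abrs_of(my_area) if y in dist)


def routing_table(router: str) -> Dict[str, int]:
    """What `show ip route` on the router would list as the OSPF cost per prefix."""
    return {net: route_cost(router, net) for net in NETWORKS}
```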



Re: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Ray Brehm

Steven A. Ridder wrote:

>Try removing the access lists next.  I can't see how POP gets in and smtp
>doesn't, especially with CBAC off now.
>
I removed all access control from the interface and I still get the same 
problem.
I'm going to test it on another router then I'm going after cisco with 
this one.
Thanks for your help

>
>
>"MADMAN"  wrote in message news:[EMAIL PROTECTED]...
>
>>Ray Brehm wrote:
>>
>>>MADMAN wrote:
>>>
>>>>Yes I have run into problems defining http also.  The bottom line is I
>>>>now only "inspect" TCP, UDP and FTP.  These cover all the others without
>>>>breaking them!!!
>>>
>>>thanks for the heads up
>>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
>>>cisco's support)
>>>what version of IOS have these problems?
>>>
>>  I know it wasn't in 12.2!!  As i said before, I don't think it's doing
>>anything cept eating up NVRAM when you add, for example, inspect http
>>when tcp covers http.
>>
>>  Dave
>>
>>>>  Dave

"Steven A. Ridder" wrote:

>The CBAC doesn't understand ESMTP commands I think.  Don't watch smtp on
>CBAC.  I ran into that problem before.
>
>"Ray Brehm"  wrote in message news:[EMAIL PROTECTED]...
>
>>I have a 2621 with IOS IP/FW that I'm unable to connect through to the
>>inside SMTP server. I can connect to that same server using POP3 with no
>>errors. The inside device is a static NAT. The port appears open when I
>>port scan the IP address but I get TCP errors when trying to send mail.
>>Any ideas? Did I miss something stupid?
>>Is the fact that I have multiple "nat inside" interfaces relevant in
>>this situation? (I've never known it to make a difference)
>>
>>Relevant config:
>>
>>ip inspect name firewall http
>>ip inspect name firewall ftp
>>ip inspect name firewall netshow
>>ip inspect name firewall realaudio
>>ip inspect name firewall rtsp
>>ip inspect name firewall smtp
>>ip inspect name firewall tcp
>>ip inspect name firewall udp
>>
>>interface FastEthernet0/0
>>ip address 10.1.0.1 255.255.255.0
>>ip nat inside
>>speed 10
>>full-duplex
>>ntp broadcast
>>bridge-group 1
>>!
>>interface Serial0/0
>>ip address 10.1.12.1 255.255.255.0
>>ip nat inside
>>bridge-group 1
>>!
>>interface FastEthernet0/1
>>ip address 12.42.189.2 255.255.255.240
>>ip access-group 103 in
>>ip nat outside
>>ip inspect firewall out
>>duplex auto
>>speed auto
>>!
>>interface Serial0/1
>>ip address 10.1.13.1 255.255.255.0
>>ip nat inside
>>bridge-group 1
>>!
>>router eigrp 100
>>redistribute static metric 384 255 255 1 1500
>>network 10.0.0.0
>>auto-summary
>>no eigrp log-neighbor-changes
>>!
>>ip nat inside source list 18 interface FastEthernet0/1 overload
>>ip nat inside source static 10.1.0.4 12.42.189.4
>>ip classless
>>ip route 0.0.0.0 0.0.0.0 12.42.189.1
>>!
>>logging history debugging
>>logging 10.1.0.3
>>access-list 18 permit 10.1.0.0 0.0.255.255
>>access-list 101 permit tcp any any ack
>>access-list 101 permit udp any any
>>access-list 101 permit icmp any any
>>access-list 103 permit tcp any host 12.42.189.4 eq smtp
>>access-list 103 permit tcp any host 12.42.189.4 eq pop3
>>bridge 1 protocol ieee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29877&t=29794



Re: Latest Hackers Target: Routers [7:29844]

2001-12-21 Thread Howard C. Berkowitz

>Chuck and Andreas,
>   I take note on the fact that authentication
>can add major increases to the time taken in forming neighbor peer
>relationships.  Yes, MD5 based authentication as I suggested in my original
>post is currently the operational model, but it was noted in rfc 2385 that
>the MD5 was considered weak.
>
>Nigel .
>
>I guess this issue just spells out MPLS/VPN...


But MPLS inherently offers no more security than BGP. RFC2547 and 
RFC2547 bis, as well as several other proposals, use BGP to 
distribute reachability information.  The various link setup 
protocols have no particular security.

The problem becomes more tractable if you look at the main place for 
security, QoS, etc., being at the edge.  If a hacker has managed to 
crack a major interprovider link or a major core link, you have even 
more serious problems with sniffing.

Encrypting, even with IPsec, the connections from customers to their 
first upstream is much more feasible. Most customers don't get full 
routes anyway. Other precautions can be used at the edge, such as 
ingress filtering of source addresses/unicast reverse path 
verification, peer count limits, and traffic shaping directed against 
DoS attacks.

There is a current discussion in the IDR working group that 
resurrects and updates Sandy Murphy's BGP security analysis.

Not a very first step, but in the BMWG work on BGP convergence, we do 
plan to have an option for measuring the overhead of MD5.

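The edge precautions Howard lists (ingress filtering of source addresses, unicast reverse path verification) modelled as an added example, not code from the message. The routing table, interface names and packets are constructed; strict mode accepts a packet only if the best route back to its source leaves by the interface it arrived on, loose mode only needs some route to exist, and the default route is ignored in loose mode unless `allow_default` is set, mirroring the common router option.

```python
"""uRPF strict/loose checks and a BCP 38 style static ingress filter over a
constructed forwarding table. Added example; the last packet shows the known
caveat that asymmetric routing makes strict mode drop legitimate traffic, which
is why it fits single-homed customer edges rather than core or peering links.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed FIB of a provider edge router: prefix -> outgoing interface.
FIB: Dict[str, str] = {
    "0.0.0.0/0": "Serial0/0",               # upstream / core link
    "192.0.2.0/24": "FastEthernet0/1",      # customer A (single-homed)
    "198.51.100.0/24": "FastEthernet0/2",   # customer B (single-homed)
    "203.0.113.0/24": "Serial0/1",          # peer reachable over a second core link
}

# Constructed packets: (source address, interface it arrived on)
PACKETS: List[Tuple[str, str]] = [
    ("192.0.2.10", "FastEthernet0/1"),     # customer A using its own prefix
    ("198.51.100.7", "FastEthernet0/1"),   # customer A sourcing customer B's address
    ("10.9.9.9", "FastEthernet0/1"),       # source with no specific route (RFC 1918 leak)
    ("203.0.113.5", "Serial0/0"),          # legitimate peer traffic on the "wrong" core link
]


def best_route(fib: Dict[str, str], addr: str) -> Optional[Route]:
    """Longest-prefix match; returns (network, interface) or None when nothing matches."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(fib: Dict[str, str], src: str, ingress: str) -> bool:
    """Strict mode: the return path to the source must use the ingress interface."""
    match = best_route(fib, src)
    return match is not None and match[1] == ingress


def urpf_loose(fib: Dict[str, str], src: str, allow_default: bool = False) -> bool:
    """Loose mode: any route to the source suffices; the default route only counts if allowed."""
    match = best_route(fib, src)
    if match is None:
        return False
    return allow_default or match[0].prefixlen > 0


def ingress_filter(src: str, allowed_prefixes: List[str]) -> bool:
    """Static ingress filter: a customer interface may only source its assigned prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in allowed_prefixes)


def evaluate(fib: Dict[str, str], packets: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, bool]]:
    """Verdict per packet: (source, ingress, passes strict, passes loose)."""
    return [(src, ingress, urpf_strict(fib, src, ingress), urpf_loose(fib, src))
            for src, ingress in packets]
```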

RE: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Kent Hundley

Ray,

A few more ideas:

1) Can the SMTP server resolve the name of the external machine?  Some apps
like to do a reverse lookup on the IP addresses that connect to them and may
fail if they cannot.  If you're not sure if it can resolve the name, try
adding the connecting machine's IP address to the /etc/hosts file of your
mail server. (It's under winnt/system32/drivers on Windows)

2) Try completely removing all CBAC (if you haven't already) and create a
permit access-list like this:

access-list 103 permit tcp any  eq 25 log
access-list 103 permit tcp any  eq 110
access-list 103 permit udp any  log
access-list 103 permit tcp any  log
access-list 103 permit icmp any  log
access-list 103 permit ip any any

And see what your log files look like. (you probably want to do this
sometime when your router isn't moving a lot of traffic as there could be a
lot of logging info) You may also want to put an acl on your fe 0/0
interface like this:

access-list 104 permit tcp  any log
access-list 104 permit udp  any log
access-list 104 permit icmp  any log
access-list 104 permit ip any any

This will give you a good idea of what's happening at the packet level.

If it _still_ doesn't work, I would definitely consider replacing the
router.

HTH,
Kent





Message Posted at:
http://www.groupstudy.com/form/read.p

Re: NetworkForce.com CCIE Lab Scenario [7:29676]

2001-12-21 Thread jc0

There are a lot of good comments on its online labs & scenarios posted on
NetworkForce.com. Can anyone share their experiences ? Thanks.

Happy Holidays !

John


""Pham, James""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hi,
>
> It's time to put the theory into practice and pay my dues on the journey
to
> CCIE!  I'm shopping around for the good guys that offer good CCIE Lab
> scenarios and lab rental at a reasonable rate. I think it would work
better
> if I buy the CCIE lab scenarios that were designed for their rack. Had
> anyone ever used the NetworkForce CCIE Lab scenarios and their lab.  How
> good are they?  Any advices, comments on how to prepare for the real CCIE
> Lab. I don't have the luxury to pay $5,000 for the CCbootcamp class!
>
> Thanks,
>
> James




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29856&t=29676
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Help with remote access [7:29826]

2001-12-21 Thread Kent Hundley

Gregg,

Get a cheapo PC for Linux (you can get decent machines for under $100 on
ebay).  Set it up for SSH (_not_ telnet) and pick a very strong password for
your friend to use. (something at least 8 chars long with special characters
like $,%,#,@,+,}, etc)

This is essentially how I access my own home lab, it works fine and is
reasonably secure.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Gregg Malcolm
Sent: Thursday, December 20, 2001 3:45 PM
To: [EMAIL PROTECTED]
Subject: OT: Help with remote access [7:29826]


Have a really, really dumb question.  I'm trying to help out a former
co-worker who's studying to be a CCIE but doesn't have access to an ISDN
sim.  I'm working on granting him access to my home lab.  I have DSL with a
lame Home Portal combo F/W, USB and Enet hub, can opener and toaster.  I
have permitted telnet thru this cheapo box.  I'm using Exceed on my laptop.
Problem is, when I telnet into my laptop, then try to open a telnet from
there into my lab, the telnet window only opens up locally on the laptop
(I.E - from his host all he will see is DOS prompt - my laptop will have
telnet window opened).  Tried messing with comspec in Exceed to run
telnet.exe instead of command.com (found it to be a reliable way to lock up
my laptop).

I know I could set up X and export my display, but it's a lot of work and
I'm a little leery of security (xhost +  :(  )  Anybody have any ideas ?
Other than loading Linux on my laptop (which of course makes way too much
sense).

Thanks in advance,  Gregg




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29880&t=29826
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Steven A. Ridder

FYI,

I plugged that exact config you sent into a 2621 with 12.2.6 IOS and it
worked fine.  I could telnet into an Exchange 2000 server via 25 and 110 on
the same LAN, and on the external LAN using the NATted external IP address.
It worked in both instances with 25 and 110 with CBAC on and with the access
list on.  So I don't think it's the config or the router.  I still can't
imagine you getting into 110 and not 25 anyway.  I can imagine not sending
mail with CBAC on because of the ESMTP commands.

I'd look at the gateway in the server or something.  It was .2 on the
router.


""Kent Hundley""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Ray,
>
> A few more ideas:
>
> 1) Can the SMTP server resolve the name of the external machine?  Some
apps
> like to do a reverse lookup on the IP addresses that connect to them and
may
> fail if they cannot.  If you're not sure if it can resolve the name, try
> adding the connecting machine's IP address to the /etc/hosts file of your
> mail server. (It's under winnt/system32/drivers on Windows)
>
> 2) Try completely removing all CBAC (if you haven't already) and create a
> permit access-list like this:
>
> access-list 103 permit tcp any  eq 25 log
> access-list 103 permit tcp any  eq 110
> access-list 103 permit udp any  log
> access-list 103 permit tcp any  log
> access-list 103 permit icmp any  log
> access-list 103 permit ip any any
>
> And see what your log files look like. (you probably want to do this
> sometime when your router isn't moving a lot of traffic as there could be
a
> lot of logging info) You may also want to put an acl on your fe 0/0
> interface like this:
>
> access-list 104 permit tcp  any log
> access-list 104 permit udp  any log
> access-list 104 permit icmp  any log
> access-list 104 permit ip any any
>
> This will give you a good idea of what's happening at the packet level.
>
> If it _still_ doesn't work, I would definitely consider replacing the
> router.
>
> HTH,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 21, 2001 8:20 AM
> To: [EMAIL PROTECTED]
> Subject: Re: IOS firewall, NAT and smtp [7:29794]
>
>
> Steven A. Ridder wrote:
>
> >Try removing the access lists next.  I can't see how POP get's in and
smtp
> >dosen't, especially with CBAC off now.
> >
> I removed all access control from the interface and I still get the same
> problem.
> I'm going to test it on another router then I'm going after cisco with
> this one.
> Thanks for your help
>
> >
> >
> >""MADMAN""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >
> >>Ray Brehm wrote:
> >>
> >>>MADMAN wrote:
> >>>
> Yes I have run into problems defining http also.  The bottom line is I
> now only "inspect" TCP, UDP and FTP.  These cover all the others
> 
> >without
> >
> breaking them!!!
> 
> >>>thanks for the heads up
> >>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> >>>cisco's support)
> >>>what version of IOS have these problems?
> >>>
> >>  I know it wasn't in 12.2!!  As i said before, I don't think it's doing
> >>anything cept eating up NVRAM when you add, for example, inspect http
> >>when tcp covers http.
> >>
> >>  Dave
> >>
>  Dave
> 
> "Steven A. Ridder" wrote:
> 
> >The CBAC dosen't understand ESMTP commands I think.  Don't watch smtp
> >
> >on
> >
> >CBAC.  I ran into that problem before.
> >
> >""Ray Brehm""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >
> >>I have a 2621 with IOS IP/FW that I'm unable to connect through to
> >>
> >the
> >
> >>inside SMTP server. I can connect to that same server using POP3
with
> >>
> >no
> >
> >>errors. The inside device is a static NAT. The port appears open
when
> >>
> >I
> >
> >>port scan the IP address but I get TCP errors when trying to send
> >>
> >mail.
> >
> >>Any ideas? Did I miss something stupid?
> >>Is the fact that I have multiple "nat inside" interfaces relevant is
> >>this situation? (I've never known it to make a difference)
> >>
> >>Relevant config:
> >>
> >>ip inspect name firewall http
> >>ip inspect name firewall ftp
> >>ip inspect name firewall netshow
> >>ip inspect name firewall realaudio
> >>ip inspect name firewall rtsp
> >>ip inspect name firewall smtp
> >>ip inspect name firewall tcp
> >>ip inspect name firewall udp
> >>
> >>interface FastEthernet0/0
> >>ip address 10.1.0.1 255.255.255.0
> >>ip nat inside
> >>speed 10
> >>full-duplex
> >>ntp broadcast
> >>bridge-group 1
> >>!
> >>interface Serial0/0
> >>ip address 10.1.12.1 255.255.255.0
> >>ip nat inside
> >>bridge-group 1
> >>!
> >>interface FastEthernet0/1
> >>ip address 12.42.189.2 255.255.255.240
> >>ip access-group 103 in
> >>ip nat outside
> >>ip inspect firewall out
> >>duplex au

Re: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Steven A. Ridder

I mean the gateway on your PC if you are on the 12.x.x.x network when
trying it.


""Steven A. Ridder""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> FYI,
>
> I plugged that exact config you sent into a 2621 with 12.2.6 IOS and it
> worked fine.  I could telnet into an Exchange 2000 server via 25 and 110
on
> the same LAN , and on the external lan usine the natted external IP
addres.
> It worked in both instances with 25 and 110 with CBAC on and with the
access
> list on.  So I don't think it's the config or the router.  I still can't
> imagine you getting into 110 and not 25 anyways.  I can imaging not
sending
> mail with cbac on cause of the ESMTP commands on.
>
> I'd look at the gateway in the server or something.  It was .2 on the
> router.
>
>
> ""Kent Hundley""  wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Ray,
> >
> > A few more ideas:
> >
> > 1) Can the SMTP server resolve the name of the external machine?  Some
> apps
> > like to do a reverse lookup on the IP addresses that connect to them and
> may
> > fail if they cannot.  If your not sure if it can resolve the name, try
> > adding the connecting machines IP address to the /etc/hosts file of your
> > mail server. (It's under winnt/system32/drivers on Windows)
> >
> > 2) Try completely removing all CBAC (if you haven't already) and create
a
> > permit access-list like this:
> >
> > access-list 103 permit tcp any  eq 25 log
> > access-list 103 permit tcp any  eq 110
> > access-list 103 permit udp any  log
> > access-list 103 permit tcp any  log
> > access-list 103 permit icmp any  log
> > access-list 103 permit ip any any
> >
> > And see what your log files look like. (you probably want to do this
> > sometime when your router isn't moving a lot of traffic as there could
be
> a
> > lot of logging info) You may also want to put an acl on your fe 0/0
> > interface like this:
> >
> > access-list 104 permit tcp  any log
> > access-list 104 permit udp  any log
> > access-list 104 permit icmp  any log
> > access-list 104 permit ip any any
> >
> > This will give you a good idea of what's happening at the packet level.
> >
> > If it _still_ doesn't work, I would definitely consider replacing the
> > router.
> >
> > HTH,
> > Kent
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 21, 2001 8:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IOS firewall, NAT and smtp [7:29794]
> >
> >
> > Steven A. Ridder wrote:
> >
> > >Try removing the access lists next.  I can't see how POP get's in and
> smtp
> > >dosen't, especially with CBAC off now.
> > >
> > I removed all access control from the interface and I still get the same
> > problem.
> > I'm going to test it on another router then I'm going after cisco with
> > this one.
> > Thanks for your help
> >
> > >
> > >
> > >""MADMAN""  wrote in message
> > >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > >
> > >>Ray Brehm wrote:
> > >>
> > >>>MADMAN wrote:
> > >>>
> > Yes I have run into problems defining http also.  The bottom line is
I
> > now only "inspect" TCP, UDP and FTP.  These cover all the others
> > 
> > >without
> > >
> > breaking them!!!
> > 
> > >>>thanks for the heads up
> > >>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> > >>>cisco's support)
> > >>>what version of IOS have these problems?
> > >>>
> > >>  I know it wasn't in 12.2!!  As i said before, I don't think it's
doing
> > >>anything cept eating up NVRAM when you add, for example, inspect http
> > >>when tcp covers http.
> > >>
> > >>  Dave
> > >>
> >  Dave
> > 
> > "Steven A. Ridder" wrote:
> > 
> > >The CBAC dosen't understand ESMTP commands I think.  Don't watch
smtp
> > >
> > >on
> > >
> > >CBAC.  I ran into that problem before.
> > >
> > >""Ray Brehm""  wrote in message
> > >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > >
> > >>I have a 2621 with IOS IP/FW that I'm unable to connect through to
> > >>
> > >the
> > >
> > >>inside SMTP server. I can connect to that same server using POP3
> with
> > >>
> > >no
> > >
> > >>errors. The inside device is a static NAT. The port appears open
> when
> > >>
> > >I
> > >
> > >>port scan the IP address but I get TCP errors when trying to send
> > >>
> > >mail.
> > >
> > >>Any ideas? Did I miss something stupid?
> > >>Is the fact that I have multiple "nat inside" interfaces relevant
is
> > >>this situation? (I've never known it to make a difference)
> > >>
> > >>Relevant config:
> > >>
> > >>ip inspect name firewall http
> > >>ip inspect name firewall ftp
> > >>ip inspect name firewall netshow
> > >>ip inspect name firewall realaudio
> > >>ip inspect name firewall rtsp
> > >>ip inspect name firewall smtp
> > >>ip inspect name firewall tcp
> > >>ip inspect name firewall udp
> > >>
> > >>interface FastEthernet0/0
> 

Re: Subject: OT: Call Manager and Military DSN [7:29805]

2001-12-21 Thread John Kaberna

Thanks for the great info Paul.

1.  Is the Call Manager a DSN compliant switch?
2.  Do you have to order a separate DSN compliant trunk from the Telco?

John Kaberna
CCIE #7146
NETCG Inc.
www.netcginc.com
(415) 750-3800

Instructor for CCBootcamp 5-day class www.ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm


""Paul Werner""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> DSN is not exactly what I would refer to as tapping into the
> local telco.  DSN (Defense Switched Network) replaced AUTOVON
> (Automatic Voice Network) in the mid to late 1980s and through
> the early 90s.  AUTOVON was set up to principally be a voice
> only network, and in many cases over analog switch facilities.
> DSN converted it over to all digital, and included voice,
> video, and data over the same trunks.
>
> The key difference between DSN and a regular commercial call is
> they go over different trunks and they terminate at DSN
> compliant switches.  There are several things different about
> DSN compliant switches, but the key difference is the use of
> precedence, and precedence codes.  They have no real
> counterpart in a commercial trunk, other than an operator
> interrupt for an emergency.  With DSN, the end user can preempt
> a trunk and knock another user off the line with the proper
> precedence level.  Some folks out there who know their RFCs and
> remember the early 760 series standards may recognize those
> precedence levels.  They are:
>
> FLASH OVERRIDE (FO) -FO takes precedence over and preempts all
> calls on the DSN and is not preemptible. FO is reserved for the
> President of the United States, Secretary of Defense, Chairman
> of the Joint Chiefs of Staff, chiefs of military services, and
> others as specified by the President.
>
> FLASH (F) -FLASH calls override lower precedence calls and can
> be preempted by FLASH OVERRIDE only. Some of the uses for FLASH
> are initial enemy contact, major strategic decisions of great
> urgency, and presidential action notices essential to national
> survival during attack or preattack conditions.
>
> IMMEDIATE (1) -IMMEDIATE precedence preempts PRIORITY and
> ROUTINE calls and is reserved for calls pertaining to
> situations that gravely affect the security of the United
> States. Examples of IMMEDIATE calls are enemy contact,
> intelligence essential to national security, widespread civil
> disturbance, and vital information concerning aircraft,
> spacecraft, or missile operations.
>
> PRIORITY (P) -PRIORITY precedence is for calls requiring
> expeditious action or furnishing essential information for the
> conduct of government operations. Examples of PRIORITY calls
> are intelligence; movement of naval, air, and ground forces;
> and important information concerning administrative military
> support functions.
>
> ROUTINE (R) -ROUTINE precedence is for official government
> communications that require rapid transmission by telephone.
> These calls do not require preferential handling.
>
>
> When I was involved in DSN communications in Europe, my unit
> had a Flash precedence phone line, mainly because we had a
> special mission (which is about all I can say).  We had the
> capability of bumping everybody off the DSN network save for
> the CINC US Army Europe and a few other folks.  You will most
> likely have to deal with the issue of precedence.  Also, access
> to a commercial line is normally done with dialing a 9 first
> (typical for trunk access); DSN usually uses an 8 - Your
> mileage may vary; check your local listings.
>
> Finally, DSN uses a slightly different dial plan than the rest
> of the universe (go figure:-)  While you may be able to access
> the US with a country code of 001, or Germany with a country
> code of 49, that's not how it's done with DSN.  Access is
> determined by regions, and each region has its own "country
> code".  The regions are:
>
> Canadian Section
> Caribbean Section
> CONUS Section
> European Section
> Pacific/Alaska Section
> Southwest Asia Section
>
> All of the above information is public knowledge and freely
> available.  Anything more is likely classified, and not subject
> to posting on this list.  In case it isn't already clear at
> this point, DSN is totally separate from the PSTN.
>
> HTH,
>
> Paul Werner
>
>
> > I am working on an IP telephony solution and I need to hook
> in to the
> > DSN.
> > From my current understanding DSN is sent out to the local
> telco via the
> > PSTN and is routed from there. This would make for a fairly
> simple dial
> > plan
> > in Call Manager.  Has anybody heard anything different about
> how DSN is
> > setup to work?
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29883&t=29805
--
FAQ, list archives, and subscription

Re: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread MADMAN

If you have nothing blocking access to your mail server but SMTP still
doesn't work, why do you think the router is the issue??  Could it be the
mail server?

  Dave

Ray Brehm wrote:
> 
> Steven A. Ridder wrote:
> 
> >Try removing the access lists next.  I can't see how POP get's in and smtp
> >dosen't, especially with CBAC off now.
> >
> I removed all access control from the interface and I still get the same
> problem.
> I'm going to test it on another router then I'm going after cisco with
> this one.
> Thanks for your help
> 
> >
> >
> >""MADMAN""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >
> >>Ray Brehm wrote:
> >>
> >>>MADMAN wrote:
> >>>
> Yes I have run into problems defining http also.  The bottom line is I
> now only "inspect" TCP, UDP and FTP.  These cover all the others
> 
> >without
> >
> breaking them!!!
> 
> >>>thanks for the heads up
> >>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> >>>cisco's support)
> >>>what version of IOS have these problems?
> >>>
> >>  I know it wasn't in 12.2!!  As i said before, I don't think it's doing
> >>anything cept eating up NVRAM when you add, for example, inspect http
> >>when tcp covers http.
> >>
> >>  Dave
> >>
>  Dave
> 
> "Steven A. Ridder" wrote:
> 
> >The CBAC dosen't understand ESMTP commands I think.  Don't watch smtp
> >
> >on
> >
> >CBAC.  I ran into that problem before.
> >
> >""Ray Brehm""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >
> >>I have a 2621 with IOS IP/FW that I'm unable to connect through to
> >>
> >the
> >
> >>inside SMTP server. I can connect to that same server using POP3 with
> >>
> >no
> >
> >>errors. The inside device is a static NAT. The port appears open when
> >>
> >I
> >
> >>port scan the IP address but I get TCP errors when trying to send
> >>
> >mail.
> >
> >>Any ideas? Did I miss something stupid?
> >>Is the fact that I have multiple "nat inside" interfaces relevant is
> >>this situation? (I've never known it to make a difference)
> >>
> >>Relevant config:
> >>
> >>ip inspect name firewall http
> >>ip inspect name firewall ftp
> >>ip inspect name firewall netshow
> >>ip inspect name firewall realaudio
> >>ip inspect name firewall rtsp
> >>ip inspect name firewall smtp
> >>ip inspect name firewall tcp
> >>ip inspect name firewall udp
> >>
> >>interface FastEthernet0/0
> >>ip address 10.1.0.1 255.255.255.0
> >>ip nat inside
> >>speed 10
> >>full-duplex
> >>ntp broadcast
> >>bridge-group 1
> >>!
> >>interface Serial0/0
> >>ip address 10.1.12.1 255.255.255.0
> >>ip nat inside
> >>bridge-group 1
> >>!
> >>interface FastEthernet0/1
> >>ip address 12.42.189.2 255.255.255.240
> >>ip access-group 103 in
> >>ip nat outside
> >>ip inspect firewall out
> >>duplex auto
> >>speed auto
> >>!
> >>interface Serial0/1
> >>ip address 10.1.13.1 255.255.255.0
> >>ip nat inside
> >>bridge-group 1
> >>!
> >>router eigrp 100
> >>redistribute static metric 384 255 255 1 1500
> >>network 10.0.0.0
> >>auto-summary
> >>no eigrp log-neighbor-changes
> >>!
> >>ip nat inside source list 18 interface FastEthernet0/1 overload
> >>ip nat inside source static 10.1.0.4 12.42.189.4
> >>ip classless
> >>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> >>!
> >>logging history debugging
> >>logging 10.1.0.3
> >>access-list 18 permit 10.1.0.0 0.0.255.255
> >>access-list 101 permit tcp any any ack
> >>access-list 101 permit udp any any
> >>access-list 101 permit icmp any any
> >>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> >>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> >>bridge 1 protocol ieee
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29884&t=29794
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Afterthoughts - CCIE written [7:29885]

2001-12-21 Thread Blanco Lam

Hi there,

Took the CCIE Written today and passed.  Here's my 2 cents worth:

The test is quite tricky although I wouldn't use the word "tough" to
describe it.  If you went through the CCNA/CCNP track and took the time to
*understand* (i.e. not memorising the stuff in a parrot fashion) the topics
in the CCNP track then you should be okay.  85% of this exam is like an
extension to the CCNP topics and perhaps 15% are not covered in the CCNP
track.

For anybody that's taken the CID exam, this exam feels and looks similar in
my opinion.  Also 100 questions, 2 hours and quite tricky.

I've seen posts whereby people say they think this exam is harder because it
doesn't tell you how many correct answers.  Personally, I think if you know
your stuff, you should already *know* what the correct answers are.  Some of
the answers are clearly wrong anyway.  You shouldn't depend on the question
to tell you which answers are correct.  Besides, I think about 80% of the
questions are single answers and 20% multiple answers.

Very important that you spend the time to actually read the questions
carefully.  Read it twice, three times or even four times if you have to.
Just make sure you know what they're asking.  Can't stress this enough.

Pick out the key words.  For example, if it asks you something like "Host A
sends a packet to Host B on an Ethernet segment, what is the RIF?" The key
word is Ethernet, there is no such thing as RIFs in Ethernet!!

The test has 100 questions with 120 minutes.  I would say don't spend more
than 1 minute per question.  If you get stuck, mark the question and go back
later at the end.

Just before anybody asks, here are the resources I used to study:

- Caslow's book (I read it 3 times over and over again.  Although a bit
overkill for the written test, I think it builds a solid foundation for the
lab)

- Lou Rossi's Token Ring paper. (Go through it until you are 100% confident
you know what you're doing) Make sure you go through the exercises.

- CCO - not extensively, but just to clarify some topics.

- CCIE Studyguide from Cramsession.  Very good to refresh all the 
topics once you've covered them.  I'd not use it as the primary study
resource though.

Good luck to all.

Blanco







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29885&t=29885
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Priscilla Oppenheimer

You say you get "TCP errors when you try to send mail." What kind of TCP 
errors? Where are they reported? Are you just relying on Cisco diagnostics 
or have you watched what is really happening with a sniffer?

Using a sniffer might reveal that something more than SMTP is involved. 
Since none of the obvious answers helped, I'm going out on a limb here. I'm 
wondering if the server is also running authentication and sends a SYN back 
to the client to port 113. I could easily imagine it breaking in a 
firewall, NAT situations. Check this out that I found by searching on Port 
113 SMTP in Google.

http://support.intel.com/support/express/routers/30472.htm

Please tell us more about the research you have done into this problem, 
sniffer trace, what TCP error means, etc. It's intriguing! ;-) Thanks.

Priscilla

At 11:19 AM 12/21/01, Ray Brehm wrote:
>Steven A. Ridder wrote:
>
> >Try removing the access lists next.  I can't see how POP get's in and smtp
> >dosen't, especially with CBAC off now.
> >
>I removed all access control from the interface and I still get the same
>problem.
>I'm going to test it on another router then I'm going after cisco with
>this one.
>Thanks for your help
>
> >
> >
> >""MADMAN""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >
> >>Ray Brehm wrote:
> >>
> >>>MADMAN wrote:
> >>>
> Yes I have run into problems defining http also.  The bottom line is I
> now only "inspect" TCP, UDP and FTP. These cover all the others
> 
> >without
> >
> breaking them!!!
> 
> >>>thanks for the heads up
> >>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> >>>cisco's support)
> >>>what version of IOS have these problems?
> >>>
> >>  I know it wasn't in 12.2!!  As i said before, I don't think it's doing
> >>anything cept eating up NVRAM when you add, for example, inspect http
> >>when tcp covers http.
> >>
> >>  Dave
> >>
>  Dave
> 
> "Steven A. Ridder" wrote:
> 
> >The CBAC dosen't understand ESMTP commands I think.  Don't watch smtp
> >
> >on
> >
> >CBAC.  I ran into that problem before.
> >
> >""Ray Brehm""  wrote in message
> >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> >
> >>I have a 2621 with IOS IP/FW that I'm unable to connect through to
> >>
> >the
> >
> >>inside SMTP server. I can connect to that same server using POP3 with
> >>
> >no
> >
> >>errors. The inside device is a static NAT. The port appears open when
> >>
> >I
> >
> >>port scan the IP address but I get TCP errors when trying to send
> >>
> >mail.
> >
> >>Any ideas? Did I miss something stupid?
> >>Is the fact that I have multiple "nat inside" interfaces relevant is
> >>this situation? (I've never known it to make a difference)
> >>
> >>Relevant config:
> >>
> >>ip inspect name firewall http
> >>ip inspect name firewall ftp
> >>ip inspect name firewall netshow
> >>ip inspect name firewall realaudio
> >>ip inspect name firewall rtsp
> >>ip inspect name firewall smtp
> >>ip inspect name firewall tcp
> >>ip inspect name firewall udp
> >>
> >>interface FastEthernet0/0
> >>ip address 10.1.0.1 255.255.255.0
> >>ip nat inside
> >>speed 10
> >>full-duplex
> >>ntp broadcast
> >>bridge-group 1
> >>!
> >>interface Serial0/0
> >>ip address 10.1.12.1 255.255.255.0
> >>ip nat inside
> >>bridge-group 1
> >>!
> >>interface FastEthernet0/1
> >>ip address 12.42.189.2 255.255.255.240
> >>ip access-group 103 in
> >>ip nat outside
> >>ip inspect firewall out
> >>duplex auto
> >>speed auto
> >>!
> >>interface Serial0/1
> >>ip address 10.1.13.1 255.255.255.0
> >>ip nat inside
> >>bridge-group 1
> >>!
> >>router eigrp 100
> >>redistribute static metric 384 255 255 1 1500
> >>network 10.0.0.0
> >>auto-summary
> >>no eigrp log-neighbor-changes
> >>!
> >>ip nat inside source list 18 interface FastEthernet0/1 overload
> >>ip nat inside source static 10.1.0.4 12.42.189.4
> >>ip classless
> >>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> >>!
> >>logging history debugging
> >>logging 10.1.0.3
> >>access-list 18 permit 10.1.0.0 0.0.255.255
> >>access-list 101 permit tcp any any ack
> >>access-list 101 permit udp any any
> >>access-list 101 permit icmp any any
> >>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> >>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> >>bridge 1 protocol ieee




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29886&t=29794
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Ray Brehm

All right, I setup an exchange server and a pix firewall in my lab and 
I'm getting the same results. POP goes through but SMTP does not. I'm 
going to start looking at packet traffic locally to see what the 
exchange server is trying to do when port 25 is contacted.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29887&t=29794
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: can't ping 'through' router..help? [7:29724]

2001-12-21 Thread Emile Harding

Nat would resolve your issue,but just do this..Easier
Just add 168 network to RIP


router rip 
version 2 
network 66.0.0.0 
network 192.168.2.0
network 168.0.0.0
passive-interface Ethernet 1/0 
no auto-summary 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29888&t=29724
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: PIX and Trace Route [7:29854]

2001-12-21 Thread [EMAIL PROTECTED]

According to Cisco, this is actually a feature to prevent people from
knowing about your network layout.  Providing you're permitting traces
through the pix.

HTH.Nabil




   
 
From: Tom Richs
Sent by: nobody@groupstudy.com
Date: 12/21/2001 01:37 AM
Subject: PIX and Trace Route [7:29854]
Please respond to Tom Richs




When I do a trace from a server from one side to another side of the
firewall, if there's a total of 5 hops, all 5 hops that return are
displayed with the address of the destination address.  Does anyone know
why it is doing this.

Thanks.

Tom







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29891&t=29854
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Keyur Shah

Try fixup protocol smtp 25 and obviously, conduit to allow smtp.

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1,ccna,ccda,scsa,scna,mct,mcse,mcp+i,mcp,cni,mcne,cne,cna
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556 
Fremont: 510.795.6815 
Santa Clara: 408.496.0801 
Europe: +(44)20 7900 3011 
Fax: 510.291.2250



-Original Message-
From: Ray Brehm [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 21, 2001 12:35 PM
To: [EMAIL PROTECTED]
Subject: Re: IOS firewall, NAT and smtp [7:29794]


All right, I set up an Exchange server and a PIX firewall in my lab and 
I'm getting the same results. POP goes through but SMTP does not. I'm 
going to start looking at packet traffic locally to see what the 
Exchange server is trying to do when port 25 is contacted.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29892&t=29794



Re: IOS firewall, NAT and smtp [7:29794]

2001-12-21 Thread Ray Brehm

Eureka he exclaims while back-handing his Exchange engineer!!!

And the answer is...

After reading some more of your suggestions and grilling my "Exchange 
expert" on the server config, I did some poking around on the server 
myself. It seems that the SMTP virtual server was configured with 
connection control to allow only the local subnet to make connections. I 
removed this restriction and, amazingly enough, everything works. My 
engineer claims that they were taught to prevent mail relay by denying 
access through both connection control and relay restrictions and that's 
the way he's always configured the servers. Now this may work if your 
NAT translates the public address to a private address and then contacts 
the server but I was taught to do it the other way for security.

I personally have no MS training. Does anyone know if MS really teaches 
it this way? If so, I have to go untrain a couple more engineers.

Thanks to everyone for your help.
Happy Holidays




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29893&t=29794



CCIE written test passed ! [7:29894]

2001-12-21 Thread George Yiannibas

Today I passed the qualification exam. It was a very difficult exam IMHO,
much harder than the CCNP exams, and I barely managed a passing score, but a
pass is always good enough for me. Thank you all for your help, your insight
and the inspiration you gave me. My sources were Caslow second edition
(absolute must for the Lab exam), Doyle vol I, Lou Rossi's Token Ring paper
(absolute must read) and, for review, Boson exam 2. As someone mentioned, do
not underestimate Internetworking Technology Overview at
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm; it has a
lot of valuable info that is covered in the exam. Considering the breadth of
topics covered in the exam, it is best to study from as many sources as you
can. My exam strategy, which literally saved me, was to go ahead and finish all
100 questions in 1 hour, marking the ones I was uncertain about, and fighting
all of them during the remaining hour. Now that it's over I feel like I have
qualified for the Olympics and there is just one little detail of winning
the gold medal :-). Anyway, now it is time to rest, enjoy the holidays and
spend some time with the family, because for the next 18 months I will eat,
drink and sleep Cisco routers and switches :-0
Happy holidays to all.

George Yiannibas
MCSE CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29894&t=29894



Re: NetworkForce.com CCIE Lab Scenario [7:29676]

2001-12-21 Thread Brad Ellis

John,

Isn't that your site and your company???

thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc
[EMAIL PROTECTED]
used Cisco gear:  www.optsys.net
CCIE Labs, racks, and classes:  http://www.ccbootcamp.com/quicklinks.html

"jc0" wrote in message
news:[EMAIL PROTECTED]...
> There are a lot of good comments on its online labs & scenarios posted on
> NetworkForce.com. Can anyone share their experiences ? Thanks.
>
> Happy Holidays !
>
> John
>
>
> "Pham, James" wrote in message
> news:[EMAIL PROTECTED]...
> > Hi,
> >
> > It's time to put the theory into practice and pay my dues on the journey
> to
> > CCIE!  I'm shopping around for the good guys that offer good CCIE Lab
> > scenarios and lab rental at a reasonable rate. I think it would work
> better
> > if I buy the CCIE lab scenarios that were designed for their rack. Had
> > anyone ever used the NetworkForce CCIE Lab scenarios and their lab.  How
> > good are they?  Any advices, comments on how to prepare for the real
CCIE
> > Lab. I don't have the luxury to pay $5,000 for the CCbootcamp class!
> >
> > Thanks,
> >
> > James




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29890&t=29676



IP Default-network [7:29895]

2001-12-21 Thread Hunt Lee

Can someone please explain to me what's the difference between a static
route & ip default-network? I have always been thinking that default-network
is similar to static routes - gateway of last resort.  That is, when the
router doesn't know how to forward the route, it will send it to "default
network" (as compared to a single destination specified by static route).

I read up on ip default-network in Caslow (on p352 - about configuring
default routes for IGRP); it states that whatever network you reference with
the "ip default-network" statement must be in the routing table of the router
that is sourcing the default-network or must be advertised by the
originating router as a classful prefix.

Which makes me even more confused.

Any help is greatly appreciated.

Hunt Lee
IP Solution Analyst
Cable & Wireless




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29895&t=29895



OSPF acting funky [7:29896]

2001-12-21 Thread mike rose

I have a burning question. Have you guys seen this error before? I set up OSPF
between two sites and the following happened.

*Dec 21 14:42:56: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
*Dec 21 14:43:14: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.121 on Vlan115 from EXSTART to DOWN, Neighbor Down: Too many DBD retransmitions
*Dec 21 14:44:08: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from EXSTART to DOWN, Neighbor Down: Too many DBD retransmitions
*Dec 21 14:44:14: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.121 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
*Dec 21 14:45:08: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired

Does anyone know how to resolve this issue? 


Thanks 


Mike



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29896&t=29896



RE: OSPF summary route cost. [7:29876]

2001-12-21 Thread Nick S.

Have you explicitly specified the costs via the "ip ospf cost" interface
command? What media (Ethernet/serial etc.) is being used to connect Routers
A, B, C, D...


Nick S.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29897&t=29876



Re: OSPF acting funky [7:29896]

2001-12-21 Thread Gregg Malcolm

Try doing 'sh ip ospf nei' to see if you have any neighbors.  DBD is
database descriptor.  Looks like you have interfaces going up and down.
Here's a decent link: http://www.cisco.com/warp/public/104/29.html


"mike rose" wrote in message
news:[EMAIL PROTECTED]...
> I have a burning question. Have you guys seen this error before? I set up
> OSPF between two sites and the following happened.
>
> *Dec 21 14:42:56: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
> *Dec 21 14:43:14: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.121 on Vlan115 from EXSTART to DOWN, Neighbor Down: Too many DBD retransmitions
> *Dec 21 14:44:08: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from EXSTART to DOWN, Neighbor Down: Too many DBD retransmitions
> *Dec 21 14:44:14: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.121 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
> *Dec 21 14:45:08: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
>
> Does anyone know how to resolve this issue?
>
>
> Thanks
>
>
> Mike




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29899&t=29896
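The ADJCHG lines Mike posted carry two different failure reasons, and a quick parse separates them: a neighbor that goes DOWN on a dead-timer expiry is not receiving hellos at all, while one that drops out of EXSTART on DBD retransmissions is exchanging hellos but failing the database description step, so the two point at different checks. The Python below is an added example of mine, not code from either post. It parses IOS %OSPF-5-ADJCHG messages of the form shown (the sample is the five posted lines re-joined onto single lines, with the neighbor IDs left masked as posted) and summarizes the events per neighbor.

```python
import re
from collections import Counter

# Constructed sample: the %OSPF-5-ADJCHG lines from the post above, re-joined
# onto single lines (the mail client wrapped them) and with the neighbor IDs
# left masked as the poster wrote them.
SAMPLE_LOG = """\
*Dec 21 14:42:56: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
*Dec 21 14:43:14: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.121 on Vlan115 from EXSTART to DOWN, Neighbor Down: Too many DBD retransmitions
*Dec 21 14:44:08: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from EXSTART to DOWN, Neighbor Down: Too many DBD retransmitions
*Dec 21 14:44:14: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.121 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
*Dec 21 14:45:08: %OSPF-5-ADJCHG: Process 100, Nbr xxx.xx.xx.2 on Vlan115 from DOWN to DOWN, Neighbor Down: Dead timer expired
"""

# One regex for the IOS adjacency-change message: process id, neighbor router
# id, interface, old and new state, and the optional reason text after the comma.
ADJCHG_RE = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>\S+) on (?P<intf>\S+) "
    r"from (?P<old>[A-Z0-9]+) to (?P<new>[A-Z0-9]+)(?:, (?P<reason>.*))?$"
)


def parse_adjchg(text):
    """Return one dict per ADJCHG line; lines that are not ADJCHG are skipped."""
    events = []
    for line in text.splitlines():
        m = ADJCHG_RE.search(line)
        if m:
            d = m.groupdict()
            d["reason"] = d["reason"] or ""
            events.append(d)
    return events


def summarize(events):
    """Per neighbor: how often it fell to DOWN, how often it failed out of
    EXSTART on DBD retransmissions, and a tally of the reason strings."""
    summary = {}
    for e in events:
        s = summary.setdefault(
            e["nbr"], {"intf": e["intf"], "downs": 0, "exstart_failures": 0, "reasons": Counter()}
        )
        if e["new"] == "DOWN":
            s["downs"] += 1
        if e["old"] == "EXSTART" and "DBD" in e["reason"]:
            s["exstart_failures"] += 1
        s["reasons"][e["reason"]] += 1
    return summary


def flapping_neighbors(summary, threshold=2):
    """Neighbors that dropped to DOWN at least `threshold` times in the window."""
    return sorted(n for n, s in summary.items() if s["downs"] >= threshold)


def stuck_in_exstart(summary):
    """Neighbors whose hellos arrive but whose database exchange keeps failing;
    these need a different check (for example the interface MTU on both ends)
    than a neighbor that simply times out."""
    return sorted(n for n, s in summary.items() if s["exstart_failures"] > 0)


if __name__ == "__main__":
    s = summarize(parse_adjchg(SAMPLE_LOG))
    for nbr, info in s.items():
        print(nbr, info["intf"], dict(info["reasons"]))
    print("flapping:", flapping_neighbors(s))
    print("EXSTART failures:", stuck_in_exstart(s))
```

On the posted sample both neighbors show up in both lists, which is consistent with Gregg's reading that the interface itself is going up and down rather than one neighbor misbehaving.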



Re: Load balancing [7:29653]

2001-12-21 Thread Michael Paulson

Picciani,
Here are a couple:

Option 1
You can configure dual HSRP and have 1/2 of the clients point to each HSRP
address.  That will load balance outbound traffic.  Return traffic will have
the same issue and so you would have to do the same at the other end.

Option 2
If you are in a big network and have the option to have multiple layers of
routers, then move your users at least 1 router hop back from the WAN routers.
Then the Cisco routers will have equal cost paths to both WAN routers.  If you
have fast switching or CEF turned on then the routers will load balance.



Mike



Picciani Francesco Saverio wrote:

> The default gateway of some clients is the IP of two routers in HSRP.
> Each of the routers has a link to a remote site.
> I want to have load balancing between these two links.
> Can someone tell me how to do it.
>
> Thanks
>
> Francesco Saverio Picciani
> Sales Engineer BU Top Clients
> Albacom S.p.A.
> *  Via Mario Bianchini 15 - 00142 Roma
> * (+ 39 06) 8741.6959
> Fax (+39 06) 8741.6320
> *   349/2354835
> * e-mail: [EMAIL PROTECTED]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29900&t=29653



Re: Lab Equip [7:29763]

2001-12-21 Thread Michael Paulson

I have a 2924 XL I will sell for $800.

Mike Paulson
[EMAIL PROTECTED]

Jonathan Kephart wrote:

> Hello,
> I have an equipment question - I would like to confirm my logic with
> those of you who are more experienced with the whole CCIE path.  I am
> thinking that the actual HW platform doesn't matter nearly as much as just
> the technology (BGP, VoIP, TR etc).  So, as long as you can load the
> appropriate code like 12.1X it doesn't matter really if you are using a
> 2500, 3600, or a 4000.  The exception to this is obviously the modules that
> are supported and port density.  You need a 26XX or 36XX for the VoIP stuff,
> and something larger than a 25XX (like an old 4000) for the port density (4+
> serial ports).  Or am I mistaken - is there something I am missing?
>
> What I was thinking of for my lab is:
>
> Three 2501's plus some other 25XX's
> Two 2610's with NM-2V & WIC-2T cards
> Three 4000's with various TR, Eth, and Serial cards
>
> Some to be determined Switch equipment.
>
> Curious for your opinion,
>  -Jonathan





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29901&t=29763



Re: Subject: OT: Call Manager and Military DSN [7:29805]

2001-12-21 Thread Nigel Taylor

John,
  When I suggested the solution we used to implement VoIP support with 
DSN, I was only making reference to the operational configuration required 
to support VoIP itself.  Having been in the military (AF) for some eight 
years I do know of the information Paul mentioned.  In our implementation we 
had access to the Government Demarc (switch) which was already supporting 
DSN.

The question then would be if the solution you're providing is going to 
interface with a switch that already supports existing DSN calling.

In this case the trunk that is used for DSN service is pretty much 
transparent like all the other trunks. In that case the 8 prefix used in 
dialing DSN would pretty much identify the calls that will ride the trunk 
designated for DSN.


Nigel
former SSgt (separated) :->

>From: "John Kaberna" 
>Reply-To: "John Kaberna" 
>To: [EMAIL PROTECTED]
>Subject: Re: Subject: OT:  Call Manager and Military DSN [7:29805]
>Date: Fri, 21 Dec 2001 13:59:05 -0500
>
>Thanks for the great info Paul.
>
>1.  Is the Call Manager a DSN compliant switch?
>2.  Do you have to order a separate DSN compliant trunk from the Telco?
>
>John Kaberna
>CCIE #7146
>NETCG Inc.
>www.netcginc.com
>(415) 750-3800
>
>Instructor for CCBootcamp 5-day class www.ccbootcamp.com
>__
>CCIE Security Training
>www.netcginc.com/training.htm
>
>
>"Paul Werner" wrote in message
>news:[EMAIL PROTECTED]...
> > DSN is not exactly what I would refer to as tapping into the
> > local telco.  DSN (Defense Switched Network) replaced AUTOVON
> > (Automatic Voice network in the mid to late 1980s and through
> > the early 90s).  AUTOVON was set up to principally be a voice
> > only network, and in many cases over analog switch facilities.
> > DSN converted it over to all digital, and included voice,
> > video, and data over the same trunks.
> >
> > The key difference between DSN and a regular commercial call is
> > they go over different trunks and they terminate at DSN
> > compliant switches.  There are several things different about
> > DSN compliant switches, but the key difference is the use of
> > precedence, and precedence codes.  They have no real
> > counterpart in a commercial trunk, other than an operator
> > interrupt for an emergency.  With DSN, the end user can preempt
> > a trunk and knock another user off the line with the proper
> > precedence level.  Some folks out there who know their RFCs and
> > remember the early 760 series standards may recognize those
> > precedence levels.  They are:
> >
> > FLASH OVERRIDE (FO) -FO takes precedence over and preempts all
> > calls on the DSN and is not preemptible. FO is reserved for the
> > President of the United States, Secretary of Defense, Chairman
> > of the Joint Chiefs of Staff, chiefs of military services, and
> > others as specified by the President.
> >
> > FLASH (F) -FLASH calls override lower precedence calls and can
> > be preempted by FLASH OVERRIDE only. Some of the uses for FLASH
> > are initial enemy contact, major strategic decisions of great
> > urgency, and presidential action notices essential to national
> > survival during attack or preattack conditions.
> >
> > IMMEDIATE (1) -IMMEDIATE precedence preempts PRIORITY and
> > ROUTINE calls and is reserved for calls pertaining to
> > situations that gravely affect the security of the United
> > States. Examples of IMMEDIATE calls are enemy contact,
> > intelligence essential to national security, widespread civil
> > disturbance, and vital information concerning aircraft,
> > spacecraft, or missile operations.
> >
> > PRIORITY (P) -PRIORITY precedence is for calls requiring
> > expeditious action or furnishing essential information for the
> > conduct of government operations. Examples of PRIORITY calls
> > are intelligence; movement of naval, air, and ground forces;
> > and important information concerning administrative military
> > support functions.
> >
> > ROUTINE (R) -ROUTINE precedence is for official government
> > communications that require rapid transmission by telephone.
> > These calls do not require preferential handling.
> >
> >
> > When I was involved in DSN communications in Europe, my unit
> > had a Flash precedence phone line, mainly because we had a
> > special mission (which is about all I can say).  We had the
> > capability of bumping everybody off the DSN network save for
> > the CINC US Army Europe and a few other folks.  You will most
> > likely have to deal with the issue of precedence.  Also, access
> > to a commercial line is normally done with dialing a 9 first
> > (typical for trunk access); DSN usually uses an 8 - Your
> > mileage may vary; check your local listings.
> >
> > Finally, DSN uses a slightly different dial plan than the rest
> > of the universe (go figure:-)  While you may be able to access
> > the US with a country code of 001, or Germany with a country
> > code of 49, that's not how it's done with DSN.  Access is
> > determined by regions

Re: IP Default-network [7:29895]

2001-12-21 Thread MADMAN

There was fairly recently a long thread on this.  I think you know
what a static route is, so let's assume you meant a static default route. 
Most routing protocols understand 0.0.0.0 to be the pseudo default
route.  But IGRP does not; you must flag a network as the default
network using the default-network command.  I think what Caslow is
referring to is that if you flag 192.168.1.0 as your default network you
must have a route to that network in your routing table.

  Dave

Hunt Lee wrote:
> 
> Can someone please explain to me what's the difference between a static
> route & ip default-network? I have always been thinking that default-network
> is similar to static routes - gateway of last resort.  That is, when the
> router doesn't know how to forward the route, it will send it to "default
> network" (as compared to a single destination specified by static route).
> 
> I read up the Ip default-network on Caslow (on p352 - about configuring
> default routes for IGRP), it states that whatever network you reference with
> "ip default-network" statement must be in the routing table of the router
> that is sourcing the default-network or must be advertised by the
> originating router as a classful prefix.
> 
> Which makes me even more confused
> 
> Any help is greatly appreciated.
> 
> Hunt Lee
> IP Solution Analyst
> Cable & Wireless
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29903&t=29895



Re: Issue with VPN 3015 behind a FW-1 [7:29759]

2001-12-21 Thread karren gordon

I hope this answers your question about esp rules working through your f/w.

ESP uses protocol 50, but you have to set ip filters for tcp and udp as
well.  You did not say what type of vpn box you are using, so you will need
to verify.  Also, if you have a Net Ranger or similar device, you might be
getting "shunned" by it.  If you do a tcp dump on the internal and external
burb and you see terminal resets, check your Net Ranger Sensors and change
the alarm thresholds.

Chris Gordon



"Joel Satterley" wrote in message
news:[EMAIL PROTECTED]...
> Hi, does anyone know what rule should allow ESP back through a FW-1 firewall
> from a VPN concentrator?  I have it coming INBOUND ok, but the replies get
> dropped on the FW internal rule.  Very odd.
>
> ??




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29904&t=29759



PIX scenario [7:29905]

2001-12-21 Thread Ali, Abbas

Here is a challenging question. I think it is doable, but I need to know
for sure before I give the green signal to my customer.


Customer has only one web server sitting on a physical public IP address
68.112.1.5, and has about 10 virtual IP addresses mapped to different names.
They ran out of addresses, and purchased two additional blocks from the ISP,
208.212.23.32 and 208.198.12.5, and these are all virtual IP addresses.
There are 3 different network segments running off only one web server.  I
installed a PIX, assigned the DMZ port an IP address from the physical segment,
68.112.1.6, and configured a default gateway on the web server pointing to
68.112.1.5.  Sure enough, people were able to browse the web server from
outside, but only for services on one segment.  The other two virtual segments
were not browsable since there is only one default gateway that the web
server could talk to.  I suggested putting a router between the PIX's DMZ and
the web server, and assigning secondary addresses to the router.  For example,

router's Ethernet interface:
 ip address 68.112.1.6 255.255.255.240
 ip address 208.212.23.34 255.255.255.240 secondary
 ip address 208.198.12.6 255.255.255.240 secondary

By doing it this way the web server will just hand its packets to the router
and the router will handle all the virtual IP addresses coming from the 3
segments.  I believe this solution should work.  At that time the customer was
not agreeing to change their web server's IP addresses to just one private
network segment, but now they want to go with that.

My question to you guys: if the customer chooses network segment 192.168.103.0
and assigns all the IP addresses from this segment, can the PIX then handle it
through one DMZ port?  All I need to do is create a static mapping for each
private virtual link to the public addresses (Note: 3 public segments).

For example,


static (dmz1, outside) 1 68.112.1.10 192.168.102.10 netmask 255.255.255.255 (AND MANY MORE)
static (dmz1, outside) 1 208.212.23.38 192.168.102.38 netmask 255.255.255.255 (AND MANY MORE)
static (dmz1, outside) 1 208.198.12.12 192.168.103.12 netmask 255.255.255.255 (AND MANY MORE)

Note: the PIX will do the NATing from the same private network segment to 3
different public segments.  In my opinion this should work.  Please advise.

Regards,

Ali




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29905&t=29905
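A check a practitioner would run on a plan like this before pushing it: parse the proposed static lines and confirm that every real (private) address is in the chosen segment, that every mapped address is in an owned public block, and that no address is mapped twice on the same interface pair. The Python below is an added example of mine, not PIX code or anything from the post. It takes the three sample statics above as written (the /28 prefix lengths on the public blocks are an assumption taken from the 255.255.255.240 router masks in the post, and the lone numeric token in each line is matched and ignored) and, run against the 192.168.103.0/24 segment the customer chose, reports the first two lines because their real addresses sit in 192.168.102.0 rather than the chosen segment.

```python
import ipaddress
import re

# Input taken from the post above: the three sample static lines (with the
# "(AND MANY MORE)" tails dropped) and the segments it names. The /28 prefix
# lengths on the public blocks are an assumption taken from the 255.255.255.240
# masks on the router in the post; the inside segment is the 192.168.103.0
# network the customer chose.
STATICS = """\
static (dmz1, outside) 1 68.112.1.10 192.168.102.10 netmask 255.255.255.255
static (dmz1, outside) 1 208.212.23.38 192.168.102.38 netmask 255.255.255.255
static (dmz1, outside) 1 208.198.12.12 192.168.103.12 netmask 255.255.255.255
"""
INSIDE_SEGMENT = "192.168.103.0/24"
PUBLIC_BLOCKS = ["68.112.1.0/28", "208.212.23.32/28", "208.198.12.0/28"]

# PIX 6.x order is: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask.
# The lone numeric token between the interface pair and the addresses appears
# in the post as written; it is matched and ignored here.
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\)"
    r"(?:\s+\d+)?"
    r"\s+(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def parse_statics(text):
    """One dict per parsable static line, numbered from 1; other lines are skipped."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "line": n,
            "pair": (m["real_if"], m["mapped_if"]),
            "mapped": ipaddress.ip_address(m["mapped"]),
            "real": ipaddress.ip_address(m["real"]),
            "host": m["mask"] == "255.255.255.255",
        })
    return entries


def check_statics(entries, inside_segment, public_blocks):
    """Return (line, message) findings: real side outside the inside segment,
    mapped side outside the owned public space, or an address already mapped
    on the same interface pair."""
    inside = ipaddress.ip_network(inside_segment)
    publics = [ipaddress.ip_network(b) for b in public_blocks]
    findings = []
    seen = {"mapped": {}, "real": {}}
    for e in entries:
        if e["real"] not in inside:
            findings.append((e["line"], f"real address {e['real']} is not in {inside}"))
        if not any(e["mapped"] in p for p in publics):
            findings.append((e["line"], f"mapped address {e['mapped']} is not in an owned public block"))
        for side in ("mapped", "real"):
            k = (e["pair"], e[side])
            if k in seen[side]:
                findings.append((e["line"], f"{side} address {e[side]} already used on line {seen[side][k]}"))
            else:
                seen[side][k] = e["line"]
    return findings


if __name__ == "__main__":
    for line, msg in check_statics(parse_statics(STATICS), INSIDE_SEGMENT, PUBLIC_BLOCKS):
        print(f"line {line}: {msg}")
```

Whether the PIX accepts a set of host statics from one DMZ segment to several public blocks is a separate question from whether the list is internally consistent; this only answers the second, which is the part that is cheap to get wrong in a long list.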



RE: OT: Help with remote access [7:29826]

2001-12-21 Thread Miguel Torres

Maybe these tools can help you.

http://www.tglmicro.com/Inet2Com.htm

http://www.esei.com/electrocomm/

good luck.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29906&t=29826



Re: NetworkForce.com CCIE Lab Scenario [7:29676]

2001-12-21 Thread Watts Randy

I have never used the scenarios but I have used the rack time on a few
occasions.

The rack time prices are reasonable, especially if you get them on ebay.

The equipment was always functional and the folk(s) were easy to do business
with.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29898&t=29676



RE: CIT CCNP questions [7:29477]

2001-12-21 Thread jon kintner

with all the certs I've taken (not that many), I don't think I've ever spent
more than 30 minutes taking the exam.  the longest was my win2k pro, and
that was the half hour.  I was in and out of my CCNA, N+, and both A+
modules in 25 minutes or less, and scored fairly high on all.  after failing
the CCNP sem 5 practical on the first run, I'm a bit excited.  I'm hoping
the written exams for the CCNP cert provide a greater challenge.

-jon kintner


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29907&t=29477



Re: Subject: OT: Call Manager and Military DSN [7:29805]

2001-12-21 Thread John Kaberna

Hi Nigel.  Paul and I had an offline discussion and neither of us is quite
sure of the answer, but he knows someone that probably does.  They do not
have an existing switch so the Call Manager will need to hook up to a DSN
trunk somehow.  If you're really interested in the outcome I'll post what I
find out.  I am ex-military also but I didn't deal with this kind of stuff
when I was in.

John Kaberna
CCIE #7146
NETCG Inc.
www.netcginc.com
(415) 750-3800

Instructor for CCBootcamp 5-day class www.ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm


"Nigel Taylor" wrote in message
news:[EMAIL PROTECTED]...
> John,
>   When I suggested the solution we used to implement VoIP support with
> DSN, I was only making reference to the operational configuration required
> to support VoIP itself.  Having been in the military (AF) for some eight
> years I do know of the information Paul mentioned.  In our implementation we
> had access to the Government Demarc (switch) which was already supporting
> DSN.
>
> The question then would be if the solution you're providing is going to
> interface with a switch that already supports existing DSN calling.
>
> In this case the trunk that is used for DSN service is pretty much
> transparent like all the other trunks. In that case the 8 prefix used in
> dialing DSN would pretty much identify the calls that will ride the trunk
> designated for DSN.
>
>
> Nigel
> former SSgt (separated) :->
>
> >From: "John Kaberna"
> >Reply-To: "John Kaberna"
> >To: [EMAIL PROTECTED]
> >Subject: Re: Subject: OT:  Call Manager and Military DSN [7:29805]
> >Date: Fri, 21 Dec 2001 13:59:05 -0500
> >
> >Thanks for the great info Paul.
> >
> >1.  Is the Call Manager a DSN compliant switch?
> >2.  Do you have to order a separate DSN compliant trunk from the Telco?
> >
> >John Kaberna
> >CCIE #7146
> >NETCG Inc.
> >www.netcginc.com
> >(415) 750-3800
> >
> >Instructor for CCBootcamp 5-day class www.ccbootcamp.com
> >__
> >CCIE Security Training
> >www.netcginc.com/training.htm
> >
> >
> >"Paul Werner" wrote in message
> >news:[EMAIL PROTECTED]...
> > > DSN is not exactly what I would refer to as tapping into the
> > > local telco.  DSN (Defense Switched Network) replaced AUTOVON
> > > (Automatic Voice network in the mid to late 1980s and through
> > > the early 90s).  AUTOVON was set up to principally be a voice
> > > only network, and in many cases over analog switch facilities.
> > > DSN converted it over to all digital, and included voice,
> > > video, and data over the same trunks.
> > >
> > > The key difference between DSN and a regular commercial call is
> > > they go over different trunks and they terminate at DSN
> > > compliant switches.  There are several things different about
> > > DSN compliant switches, but the key difference is the use of
> > > precedence, and precedence codes.  They have no real
> > > counterpart in a commercial trunk, other than an operator
> > > interrupt for an emergency.  With DSN, the end user can preempt
> > > a trunk and knock another user off the line with the proper
> > > precedence level.  Some folks out there who know their RFCs and
> > > remember the early 760 series standards may recognize those
> > > precedence levels.  They are:
> > >
> > > FLASH OVERRIDE (FO) -FO takes precedence over and preempts all
> > > calls on the DSN and is not preemptible. FO is reserved for the
> > > President of the United States, Secretary of Defense, Chairman
> > > of the Joint Chiefs of Staff, chiefs of military services, and
> > > others as specified by the President.
> > >
> > > FLASH (F) -FLASH calls override lower precedence calls and can
> > > be preempted by FLASH OVERRIDE only. Some of the uses for FLASH
> > > are initial enemy contact, major strategic decisions of great
> > > urgency, and presidential action notices essential to national
> > > survival during attack or preattack conditions.
> > >
> > > IMMEDIATE (1) -IMMEDIATE precedence preempts PRIORITY and
> > > ROUTINE calls and is reserved for calls pertaining to
> > > situations that gravely affect the security of the United
> > > States. Examples of IMMEDIATE calls are enemy contact,
> > > intelligence essential to national security, widespread civil
> > > disturbance, and vital information concerning aircraft,
> > > spacecraft, or missile operations.
> > >
> > > PRIORITY (P) -PRIORITY precedence is for calls requiring
> > > expeditious action or furnishing essential information for the
> > > conduct of government operations. Examples of PRIORITY calls
> > > are intelligence; movement of naval, air, and ground forces;
> > > and important information concerning administrative military
> > > support functions.
> > >
> > > ROUTINE (R) -ROUTINE precedence is for official government
> > > communications that require rapid transmission by telephone.
> > > These calls do not require preferential handling.
> > >
> > >
> > > Whe

accesslist [7:29909]

2001-12-21 Thread kaushalender

Hi,

We have a satellite uplink with spcl and downlink on DVB technology. We have a
2610 router which is directly connected to the uplink on serial and to the
downlink on Ethernet. I have observed that a lot of unwanted traffic is
generated and the router is acting as a relay: it is forwarding the packets to
the default route, which is choking our bandwidth. To prevent unwanted traffic
I made an access-list. I wanted our IPs 64.110.93.194/28 and 216.252.243.0/24
to be permitted and the rest of the traffic to be denied.

access-list 12 permit 216.252.243.0 0.0.0.255 log
access-list 12 permit 64.110.93.192 0.0.0.15

applied on the Ethernet interface to inbound traffic:
interface Ethernet0/0
 ip address 10.101.3.48 255.255.252.0 secondary
 ip address 216.252.243.161 255.255.255.240 secondary
 ip address 64.110.93.194 255.255.255.240
 ip access-group 12 in
 ip route-cache flow
 full-duplex

Problem
1) If I trace from a machine which has IP address 216.252.243.163, the trace
only goes to the 1st hop, which is 64.110.93.194. Then traffic stops going out.

2) I fail to understand why the router is acting as a relay agent and
generating so much traffic, which is choking the uplink.
3) How can I prevent looping of the traffic?


Please help me.
Thanks

regards
kaushalender




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29909&t=29909
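Before applying a source-based ACL inbound on an interface, it helps to evaluate it against every kind of packet that can actually arrive there. The Python below is an added example of mine, not code from the post; it parses standard ACL 12 as posted, implements IOS wildcard-mask matching with the implicit deny, and evaluates a set of constructed inbound sources. The fourth source, a documentation address standing in for an internet host's reply, assumes that the DVB downlink delivers return traffic into the same Ethernet0/0 interface, which is how the post describes the downlink; under that assumption a source list that permits only the local prefixes also denies every reply that comes back over the downlink.

```python
import ipaddress

# Standard ACL 12 exactly as posted, applied inbound on Ethernet0/0.
ACL_12 = """\
access-list 12 permit 216.252.243.0 0.0.0.255 log
access-list 12 permit 64.110.93.192 0.0.0.15
"""

# Constructed packets arriving inbound on Ethernet0/0. The first three are
# sources from the interface's own segments; the last is a documentation
# address (RFC 5737 TEST-NET-2) standing in for an internet host whose reply
# arrives over the DVB downlink. That the downlink delivers return traffic
# into the same Ethernet interface is an assumption drawn from the post.
INBOUND_SOURCES = {
    "lan host tracing out": "216.252.243.163",
    "router primary address": "64.110.93.194",
    "host on 10.101.3.0/22 secondary": "10.101.3.50",
    "internet reply via downlink": "198.51.100.7",
}


def parse_standard_acl(text, number):
    """Parse 'access-list N permit|deny A.B.C.D [wildcard] [log]' lines for
    list N. A missing wildcard is a host match, as IOS treats it."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)]:
            continue
        action = parts[2]
        addr = int(ipaddress.IPv4Address(parts[3]))
        wildcard = 0
        if len(parts) > 4 and parts[4] != "log":
            wildcard = int(ipaddress.IPv4Address(parts[4]))
        entries.append((action, addr, wildcard))
    return entries


def evaluate(acl, src):
    """First-match evaluation with IOS wildcard semantics: a set wildcard bit
    means 'don't care'. No match means the implicit deny at the end."""
    src_int = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        care = 0xFFFFFFFF & ~wildcard
        if (addr & care) == (src_int & care):
            return action
    return "deny"


def evaluate_all(acl, sources):
    """Verdict per labelled source, so a whole traffic matrix can be reviewed."""
    return {label: evaluate(acl, src) for label, src in sources.items()}


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_12, 12)
    for label, verdict in evaluate_all(acl, INBOUND_SOURCES).items():
        print(f"{verdict:6} {label} ({INBOUND_SOURCES[label]})")
```

The 10.101.3.0/22 host is denied as well, which may or may not be intended; the point of tabulating the sources is that each verdict is visible before the list goes on the interface.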