Re: Radius vs. TACACS+ [7:33650]
Do you know where I can find that "free" TACACS software?

Rgds,
Kevin

"Ian Henderson" wrote in message news:[EMAIL PROTECTED]...
> On Wed, 30 Jan 2002, Rodney Jackson wrote:
>
> > I want to setup a Radius server or a TACACS+, which do you guys think is
> > better and why?
>
> Depends on what you want it for.
>
> If it's to give customers access to dial ins, RADIUS is by far more
> flexible. If you're looking for a commercial solution, have a look at
> Radiator - www.open.com.au. It's very good :)
>
> If it's to give telnet access to routers for your staff, TACACS+ has the
> ability to do per-command accounting (ie, it will log everything somebody
> types).
>
> Rgds,
>
> - I.
>
> --
> Ian Henderson CCNA, CCNP
> Network Engineer, iiNet Limited

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33657&t=33650
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
NetMeeting Study Group [7:33656]
Guys,

I have got a few more spots on the NetMeeting Study Group on Thursday, 1/31 at 7:30pm PST. Best of all, it's free and it's all about learning. This session will focus on Static Route (Chapter 3 from Doyle Routing TCP/IP V1). Let me know if anyone is interested. Check out www.router4u.com/studygroups.htm for more info.

Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33656&t=33656
Re: Radius vs. TACACS+ [7:33650]
On Wed, 30 Jan 2002, Rodney Jackson wrote:

> I want to setup a Radius server or a TACACS+, which do you guys think is
> better and why?

Depends on what you want it for.

If it's to give customers access to dial ins, RADIUS is by far more flexible. If you're looking for a commercial solution, have a look at Radiator - www.open.com.au. It's very good :)

If it's to give telnet access to routers for your staff, TACACS+ has the ability to do per-command accounting (ie, it will log everything somebody types).

Rgds,

- I.

--
Ian Henderson CCNA, CCNP
Network Engineer, iiNet Limited

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33655&t=33650
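Added example, not part of the original thread or of any poster's configuration: a minimal Cisco IOS AAA setup for the staff-access case described in the reply above, sending per-command accounting to a TACACS+ server. The server address 192.0.2.10, the shared key and the local username are placeholders, and the "group tacacs+" keyword form assumes IOS 12.1 or later.

```cisco
! Constructed example: address, key and username are placeholders
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key SHARED-SECRET-PLACEHOLDER
!
! Local account used only when the TACACS+ server cannot be reached
username fallback-admin password LOCAL-PASSWORD-PLACEHOLDER
!
! Authenticate logins and "enable" against TACACS+, then fall back locally
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! One record when an exec (telnet/console) session starts and one when it ends
aaa accounting exec default start-stop group tacacs+
!
! One record per command entered at privilege level 1 and level 15.
! Configuration-mode commands run at level 15, so they are covered too.
! IOS does not send command accounting to RADIUS, which is why this
! part of the setup needs TACACS+.
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
line vty 0 4
 login authentication default
```

Keep a console session open while applying this, and confirm that the fallback account works with the server unreachable before relying on it.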
Re: which reference book is better? [7:33629]
Yes, I passed the exam using the CCNP Support exam prep book. The other helping factor is my work experience. I think this was mentioned somewhere in one of those postings.

The exam prep book is to help you prepare for the exam. The CIT book is "ported" from the CIT course (I guess, I have not seen the content of that book). My guess is that one focuses more on what you need to know, the other on what you need to know for exam. They are more or less the same, in my opinion.

The reason why I used the exam prep book was because I couldn't get a copy of the CIT book. I was using the BSCN, BCMSN and BCRAN coursebooks for the other three exams.

Looking back at your question, if you are comfortable with the CIT content then go through the CCNP Support exam prep book thoroughly. I remember going through the book twice or thrice before sitting for the exam. One more thing, go through the questions that come with the CD.

cheekin

----- Original Message -----
From: "Sim, CT (Chee Tong)"
To:
Sent: Wednesday, January 30, 2002 1:37 PM
Subject: RE: which reference book is better? [7:33629]

> Did you pass it using CCNP support exam guide? It seems to be strange why
> cisco publish two books for one exam and let people choose. But the CIT
> book seems to be published quite a few year and it is used for CCNP version
> 1. Is that true?
>
> -----Original Message-----
> From: Chee Kin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 30, 2002 11:42 AM
> To: Sim, CT (Chee Tong); [EMAIL PROTECTED]
> Subject: Re: which reference book is better? [7:33629]
>
> Hi,
>
> I studied using the CCNP Support exam prep book. That was the only material
> I use. It's a tough exam but if you know your stuff, it should be OK.
>
> Good luck.
>
> cheekin
>
> ----- Original Message -----
> From: "Sim, CT (Chee Tong)"
> To:
> Sent: Wednesday, January 30, 2002 10:30 AM
> Subject: which reference book is better? [7:33629]
>
> > Hi..
> >
> > I am going for the support 2.0 exam. There are two reference books for the
> > exam 1) CCNP Support exam certification guide and 2) Cisco Internetwork
> > Troubleshooting. Which one is better? If I only study CCNP support exam
> > certification guide, is it enough?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33654&t=33629
RE: Internet Router? [7:33639]
I was under the impression full Internet route tables required 128 Megs of RAM, with 256 as the target build. The 7206s have up to 512 RAM available in the NPE, as does the Juniper M5 (just to give a few good examples of Internet routers). I have not fitted an Internet router in @ least 6 months, but the last time I looked we were up to 120,000 prefixes on the net.

The 3640 can definitely handle the T-1 traffic you're describing, but with BGP as the solution, I think you may want something like a 3660 or 7204. I believe the max upgrade for the 3640 is 128 and the 3660 is 256 (don't quote me :o)

Also- the 3660 enters in a little more redundancy, unless you had planned to 3640s.

.02
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Nawalaniec
Sent: Tuesday, January 29, 2002 11:45 PM
To: [EMAIL PROTECTED]
Subject: Internet Router? [7:33639]

Hello Everybody,

I just want to run this by everyone for their input from experience.

Scenario:
I'm looking for a Cisco router that will be providing Internet connectivity running BGP and that will be able to handle the capacity of 2 PTP T1's to the Internet. I know minimum RAM will have to be 64mbs for BGP routes. I just want to know what people have tried that does and doesn't work.

My choice would be a 3640 for future T1 expandability and/or a HSSI port.

Thank you for the input.

Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33653&t=33639
RE: which reference book is better? [7:33629]
Did you pass it using CCNP support exam guide? It seems to be strange why cisco publish two books for one exam and let people choose. But the CIT book seems to be published quite a few year and it is used for CCNP version 1. Is that true?

-----Original Message-----
From: Chee Kin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 30, 2002 11:42 AM
To: Sim, CT (Chee Tong); [EMAIL PROTECTED]
Subject: Re: which reference book is better? [7:33629]

Hi,

I studied using the CCNP Support exam prep book. That was the only material I use. It's a tough exam but if you know your stuff, it should be OK.

Good luck.

cheekin

----- Original Message -----
From: "Sim, CT (Chee Tong)"
To:
Sent: Wednesday, January 30, 2002 10:30 AM
Subject: which reference book is better? [7:33629]

> Hi..
>
> I am going for the support 2.0 exam. There are two reference books for the
> exam 1) CCNP Support exam certification guide and 2) Cisco Internetwork
> Troubleshooting. Which one is better? If I only study CCNP support exam
> certification guide, is it enough?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33652&t=33629
Re: is it possible to bridge across a tunnel? [7:33567]
Well guys I think that should do it for the config, tell me if anything looks wrong. Also as a side note you may also want to use an ACL in the range of 700-799 (MAC Address Acl) to limit what traffic that you want to be sent over the dlsw circuits. I hope this info helps and all my syntax is correct.

Thanks,
- jek

Router A
!
hostname RouterA
dlsw local-peer peer-id 10.10.10.254
dlsw remote-peer 0 tcp 10.10.20.254
dlsw bridge-group 1
!
interface Tunnel0
 ip unnumbered Ethernet0
 tunnel source Ethernet0
 tunnel destination 128.29.183.247
!
interface Ethernet0
 ip address 10.10.10.254 255.255.255.0
 bridge-group 1
!
interface Serial0
 ip address 128.29.182.247 255.255.255.252
!
bridge 1 protocol ieee
bridge 1 route ip
no bridge 1 bridge ip
!

Router B
!
hostname RouterB
dlsw local-peer peer-id 10.10.20.254
dlsw remote-peer 0 tcp 10.10.10.254
dlsw bridge-group 1
!
interface Tunnel0
 ip unnumbered Ethernet0
 tunnel source Ethernet0
 tunnel destination 128.29.182.247
!
interface Ethernet0
 ip address 10.10.20.254 255.255.255.0
 bridge-group 1
!
interface Serial0
 ip address 128.29.183.247 255.255.255.252
!
bridge 1 protocol ieee
bridge 1 route ip
no bridge 1 bridge ip
!

wrote in message news:[EMAIL PROTECTED]...
> how do you configure this with dlsw?
>
> 10.10.10.x --(R1)--(public network)--(R2)---10.10.10.x
>
> "Jason" wrote in message news:[EMAIL PROTECTED]...
> > Is this something you just want to do for the sake of doing? If so, I say
> > have at it. Will it work, don't know. I have never tried it. If you are
> > looking to do this to fulfill a production requirement I would question why
> > you weren't looking at using DLSW?
> >
> > Jason
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Eric Waguespack
> > Sent: Tuesday, January 29, 2002 9:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: is it possible to bridge across a tunnel? [7:33567]
> >
> > ok, I have looked into this, and supposedly the answer
> > is "yes" but the config is "unsupported"
> >
> > here is the network diagram
> >
> > 10.10.10.x --(R1)--(public network)--(R2)---10.10.10.x
> >
> > this is supposed to do it but i can't seem to make it
> > work:
> >
> > >int tunnel 2
> > >no ip addr
> > >tunnel source eth 0
> > >tunnel destination 128.29.183.247
> > >bridge-group 1
> >
> > should this work? what will work? anything? do i need
> > to do l2f instead? what did you have for breakfast?
> >
> > thanks
> >
> > -Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33651&t=33567
Radius vs. TACACS+ [7:33650]
I want to setup a Radius server or a TACACS+, which do you guys think is better and why?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33650&t=33650
Re: Internet Router? [7:33639]
A 3640 would be a great choice. I think a 2650 might also be an option. Fewer slots but it sounds like you don't need that many.

John

On Tue, 29 Jan 2002, Scott Nawalaniec ([EMAIL PROTECTED]) wrote:
> Hello Everybody,
>
> I just want to run this by everyone for their input from experience.
>
> Scenario:
> I'm looking for a Cisco router that will be providing Internet connectivity
> running BGP and that will be able to handle the capacity of 2 PTP T1's to
> the Internet. I know minimum RAM will have to be 64mbs for BGP routes. I
> just want to know what people have tried that does and doesn't work.
>
> My choice would be a 3640 for future T1 expandability and/or a HSSI port.
>
> Thank you for the input.
>
> Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33648&t=33639
Re: Recent One-Day Lab Takers?? [7:33592]
Mouse run away after it saw Robert coming

"Wright, Jeremy" wrote in message news:[EMAIL PROTECTED]...
> no mouse?? :)
>
> -----Original Message-----
> From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2002 2:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Recent One-Day Lab Takers?? [7:33592]
>
> I never actually saw any equipment just a monitor and keyboard. I could
> hazard a guess though that most of the equipment was Cisco. ;->
>
> -----Original Message-----
> From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
> Sent: 29 January 2002 19:29
> To: [EMAIL PROTECTED]
> Subject: Recent One-Day Lab Takers?? [7:33592]
>
> Hello,
>
> Has anyone in this group taken the new one-day lab recently? Wanted to know
> what kind of routers did you see, I mean is it now more than 6 routers or
> still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch,
> is it still the Cat5? Just wanted to gather this info. to build a lab and
> work on it..visualize that I am actually working on the real lab and
> busting my brains. Thank you Cisco :-)
>
> Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33649&t=33592
Radius vs. TACACS+ [7:33647]
I want to setup a Radius server or a TACACS+, which do you guys think is better and why?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33647&t=33647
RE: Router problem inserting into token ring [7:33304]
I connected to a mau at work and it was 16mb. Have you solved the problem yet?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of adam lee
Sent: Sunday, January 27, 2002 12:54 AM
To: [EMAIL PROTECTED]
Subject: RE: Router problem inserting into token ring [7:33304]

How are the ri and ro setup and what's the speed of the cards? I thought maus were 4mbs but I could be wrong. I attached a 16mbs device into a port configured for 4mbs and the port began flashing. Not a good thing. If you can't get the maus to work, dump those things and buy a cabletron trix with 24 ports. I think those things are available on e-bay for around $20.00.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Cotts
Sent: Saturday, January 26, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: RE: Router problem inserting into token ring [7:33304]

It is possible that the MAUs are defective. Substitution is a good troubleshooting step. Do you know anyone who does have TR working? If so, substitute your MAU for theirs and see if it works for them. Try their MAU with your routers.

> -----Original Message-----
> From: Joseph Slawinski [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 26, 2002 2:27 PM
> To: [EMAIL PROTECTED]
> Subject: Router problem inserting into token ring [7:33304]
>
> I am having a problem I know most of you folks could help me with. I have
> two 2502 routers and two token ring hubs. The hubs are "dumb hubs," they
> have no network management capabilities. They don't even have external
> power supplies.
>
> The problem is I am able to hook up my computers to the hubs, the token ring
> cards will automatically attempt to insert themselves into the rings on the
> hubs. The relays light up every 15 seconds, so I know that is working ok.
>
> My problem is, I am unable to configure the routers to insert themselves
> into the ring. I have experience connecting hubs with network management
> modules into routers with no problems, but I somehow can't find a way to
> configure the routers to attach to these "dumb hubs." I know that I'm
> missing something key here. I was thinking maybe the media filters I am
> using are defective, but I can't be sure.
>
> I know this question may sound dumb, but I have nowhere else to turn.
>
> Thank you in advance for your help,
> Joseph J. Slawinski
> AT&T Global Networks
> Network Technician
> CCNP,CCNA,A+,Apple,HP,Canon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33646&t=33304
Router doesn't hold Enable Password [7:33645]
I appreciate any information you may have..

I have a 3600 with IOS version 12.0.7 and I was trying to create the enable password. I believe I did it correctly but the router does not hold the enable password, it just goes directly into enable mode when I type ("enable"). Even after I create an enable password, anyone know why?

The syntax I entered is below:

config t
en password password

Thanks in advance..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33645&t=33645
RE: Totally OT : Was there a man on the moon ? [7:33465]
Here is enough science and reason to shut up those fools that believe the Fox special about landing on the moon: (watch for wrap)

http://www.badastronomy.com/bad/tv/foxapollo.html

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33643&t=33465
Router does not hold enable Password [7:33644]
I appreciate any information you may have..

I have a 3600 with IOS version 12.0.7 and I was trying to create the enable password. I believe I did it correctly but the router does not hold the enable password, it just goes directly into enable mode when I type ("enable") even after I create an enable password, anyone know why?

The syntax I entered is below:

config t
en password XX

Thanks in advance..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33644&t=33644
RE: EIGRP problem [7:33636]
What about IP Classless... is "no ip classless" part of the current config... if so, try removing it.

Also, auto-summary might be something to look at... if you don't see it in the config, try a "no auto-summary" under the eigrp 100 config.

You should also turn on some debugging, and log it to a syslog server of sorts to get a more precise idea as to what is causing the interface change.

HTHs,
Mark Odette II

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Vajira Wijesinghe
Sent: Tuesday, January 29, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: EIGRP problem [7:33636]

I have a 2610 router having IP IOS software (12.0.8). This is connected to two different sites with 64kbps links.

eg

interface serial 0/0
 ip address 192.168.1.1 255.255.255.252
interface serial 0/1
 ip address 192.168.1.5 255.255.255.252

router is running with routing protocol EIGRP

router eigrp 100
 network 192.168.1.0

Problem: I'm able to work with only ONE serial link at a time. ie. If one serial link is active, other one becomes "line protocol down". If I remove the cable of the UP interface, the OTHER interface become UP.

I suspect this is due to the operation of EIGRP, because I cannot configure subnet mask for the network defined under eigrp 100. This particular IOS doesn't allow me to do this and DRAM and FLASH limitation prevents me from upgrading the IOS.

Can any one tell me how to overcome the situation?

Thanks,
Vajira

12.0.8 ip - (on postoffice)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33642&t=33636
RE: Recent One-Day Lab Takers?? [7:33592]
I had asked for some honest advice as to what router models I needed to 'simulate' the actual lab at home but alas...some people seem to have wasted their time in replying some irrelevant answers. Sad..

> From: "Louie Belt"
> Reply-To: "Louie Belt"
> To: [EMAIL PROTECTED]
> Subject: RE: Recent One-Day Lab Takers?? [7:33592]
> Date: Tue, 29 Jan 2002 19:57:21 -0500
>
> You'll go blind if you touch your flux capacitor too much.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> c1sc0k1d
> Sent: Tuesday, January 29, 2002 6:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Recent One-Day Lab Takers?? [7:33592]
>
> I saw my gear in RTP as well. Except in RTP they said not to touch the flux
> capacitor as the proctor already calibrated it before the lab started.
>
> "Hire, Ejay" wrote in message news:[EMAIL PROTECTED]...
> > I'm surprised. In san Jose, they are in big red/orange cabinets next to the
> > cubicle you work in. You have to go over to the rack to check dial
> > tone/ring on your VoIp Phone... and to align the flux capacitor.
> >
> > -Ejay
> >
> > -----Original Message-----
> > From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, January 29, 2002 3:52 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Recent One-Day Lab Takers?? [7:33592]
> >
> > I never actually saw any equipment just a monitor and keyboard. I could
> > hazard a guess though that most of the equipment was Cisco. ;->
> >
> > -----Original Message-----
> > From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
> > Sent: 29 January 2002 19:29
> > To: [EMAIL PROTECTED]
> > Subject: Recent One-Day Lab Takers?? [7:33592]
> >
> > Hello,
> >
> > Has anyone in this group taken the new one-day lab recently? Wanted to know
> > what kind of routers did you see, I mean is it now more than 6 routers or
> > still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch,
> > is it still the Cat5? Just wanted to gather this info. to build a lab and
> > work on it..visualize that I am actually working on the real lab and
> > busting my brains. Thank you Cisco :-)
> >
> > Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33641&t=33592
Drother in a BDR state....Why? [7:33640]
Hello,

In an OSPF broadcast mode in a FR hub-and-spoke topology, the spoke router that is the DROTHER shows up as being in a BDR state when issuing the #sh ip os int s0 command? Should it say Drother state or BDR state?

RTB#
Process ID 100, Router ID 5.5.5.5, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State BDR, Priority 1

The hub router lists it as being a Drother router:

RTA#sh ip os nei
Neighbor ID     Pri   State           Dead Time   Address          Interface
7.7.7.7           1   FULL/BDR        00:00:31    192.168.10.243   Serial0
5.5.5.5           1   FULL/DROTHER    00:00:39    192.168.10.242   Serial0

The BDR router shows up as being in a BDR state which is correct:

RTC#
Process ID 100, Router ID 7.7.7.7, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State BDR, Priority 1

Now when I configure the priorities on the spoke routers as 0, then they correctly show up as being in a Drother state:

RTB#
Process ID 100, Router ID 5.5.5.5, Network Type BROADCAST, Cost: 64
Transmit Delay is 1 sec, State DROTHER, Priority 0

Any reason for this behavior or does it just work this way??

Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33640&t=33640
Internet Router? [7:33639]
Hello Everybody,

I just want to run this by everyone for their input from experience.

Scenario:
I'm looking for a Cisco router that will be providing Internet connectivity running BGP and that will be able to handle the capacity of 2 PTP T1's to the Internet. I know minimum RAM will have to be 64mbs for BGP routes. I just want to know what people have tried that does and doesn't work.

My choice would be a 3640 for future T1 expandability and/or a HSSI port.

Thank you for the input.

Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33639&t=33639
Re: Network Monitoring Tool [7:33544]
Has anyone installed Netview on their Nt4 or Windows 2000 servers? What is the minimum hardware and software requirements? Thanks in advance.

Fredl Azares

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33638&t=33544
EIGRP problem [7:33636]
I have a 2610 router having IP IOS software (12.0.8). This is connected to two different sites with 64kbps links.

eg

interface serial 0/0
 ip address 192.168.1.1 255.255.255.252
interface serial 0/1
 ip address 192.168.1.5 255.255.255.252

router is running with routing protocol EIGRP

router eigrp 100
 network 192.168.1.0

Problem: I'm able to work with only ONE serial link at a time. ie. If one serial link is active, other one becomes "line protocol down". If I remove the cable of the UP interface, the OTHER interface become UP.

I suspect this is due to the operation of EIGRP, because I cannot configure subnet mask for the network defined under eigrp 100. This particular IOS doesn't allow me to do this and DRAM and FLASH limitation prevents me from upgrading the IOS.

Can any one tell me how to overcome the situation?

Thanks,
Vajira

12.0.8 ip - (on postoffice)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33636&t=33636
Re: which reference book is better? [7:33629]
Hi,

I studied using the CCNP Support exam prep book. That was the only material I use. It's a tough exam but if you know your stuff, it should be OK.

Good luck.

cheekin

----- Original Message -----
From: "Sim, CT (Chee Tong)"
To:
Sent: Wednesday, January 30, 2002 10:30 AM
Subject: which reference book is better? [7:33629]

> Hi..
>
> I am going for the support 2.0 exam. There are two reference books for the
> exam 1) CCNP Support exam certification guide and 2) Cisco Internetwork
> Troubleshooting. Which one is better? If I only study CCNP support exam
> certification guide, is it enough?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33635&t=33629
Re: is it possible to bridge across a tunnel? [7:33567]
how do you configure this with dlsw?

10.10.10.x --(R1)--(public network)--(R2)---10.10.10.x

"Jason" wrote in message news:[EMAIL PROTECTED]...
> Is this something you just want to do for the sake of doing? If so, I say
> have at it. Will it work, don't know. I have never tried it. If you are
> looking to do this to fulfill a production requirement I would question why
> you weren't looking at using DLSW?
>
> Jason
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Eric Waguespack
> Sent: Tuesday, January 29, 2002 9:38 AM
> To: [EMAIL PROTECTED]
> Subject: is it possible to bridge across a tunnel? [7:33567]
>
> ok, I have looked into this, and supposedly the answer
> is "yes" but the config is "unsupported"
>
> here is the network diagram
>
> 10.10.10.x --(R1)--(public network)--(R2)---10.10.10.x
>
> this is supposed to do it but i can't seem to make it
> work:
>
> >int tunnel 2
> >no ip addr
> >tunnel source eth 0
> >tunnel destination 128.29.183.247
> >bridge-group 1
>
> should this work? what will work? anything? do i need
> to do l2f instead? what did you have for breakfast?
>
> thanks
>
> -Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33634&t=33567
Re: Telnet to inside through VPN [7:33589]
You cannot telnet to the inside address from the outside even over a VPN AFAIK. Just use SSH to the outside if you have RADIUS or TACACS. Otherwise you'll have to SSH or Telnet to a host on the inside of the PIX and then Telnet back in. So, if you have a router or switch on the inside of the network just go to it first and then back to the inside interface of the PIX. John Kaberna CCIE #7146 www.netcginc.com (415) 750-3800 Instructor for 5-day CCIE class for ccbootcamp.com __ CCIE Security Training www.netcginc.com/training.htm ""Dante Martins"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > How can I telnet to PIX inside interface from the VPN (I.E. from > 10.128.128.0 telnet 172.16.3.252). > > I have tried using telnet command: > "telnet 10.128.128.0 255.255.255.0 inside" but still no working. > > Can you help me? > > Dante > > > > > CONF MAIN PIX > PIX Version 6.0(1) > nameif ethernet0 outside security0 > nameif ethernet1 inside security100 > nameif ethernet2 DMZ1 security10 > nameif ethernet3 intf3 security15 > nameif ethernet4 intf4 security20 > nameif ethernet5 intf5 security25 > enable password *** encrypted > passwd ** encrypted > hostname MAIN > fixup protocol ftp 21 > fixup protocol http 80 > fixup protocol h323 1720 > fixup protocol rsh 514 > fixup protocol smtp 25 > fixup protocol sqlnet 1521 > fixup protocol sip 5060 > fixup protocol skinny 2000 > names > access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 > 255.255.255.0 > access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 > 255.255.255.0 > access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 > 255.255.255.0 > access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 > 255.255.240.0 > access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 > 255.255.255.0 > access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 > 255.255.255.0 > pager lines 24 > logging on > interface ethernet0 auto > interface ethernet1 auto > interface 
ethernet2 auto > interface ethernet3 auto > interface ethernet4 auto shutdown > interface ethernet5 auto shutdown > mtu outside 1500 > mtu inside 1500 > mtu DMZ1 1500 > mtu intf3 1500 > mtu intf4 1500 > mtu intf5 1500 > ip address outside 200.219.100.2 255.255.255.0 > ip address inside 10.128.159.253 255.255.224.0 > ip address DMZ1 10.255.255.254 255.255.224.0 > ip address intf3 10.250.11.254 255.255.255.0 > ip address intf4 127.0.0.1 255.255.255.255 > ip address intf5 127.0.0.1 255.255.255.255 > ip audit info action alarm > ip audit attack action alarm > no failover > failover timeout 0:00:00 > failover poll 15 > failover ip address outside 0.0.0.0 > failover ip address inside 0.0.0.0 > failover ip address DMZ1 0.0.0.0 > failover ip address intf3 0.0.0.0 > failover ip address intf4 0.0.0.0 > failover ip address intf5 0.0.0.0 > pdm history enable > arp timeout 14400 > global (outside) 1 200.219.100.100-200.219.100.199 > global (outside) 1 200.219.100.200 > global (DMZ1) 1 10.255.224.10-10.255.224.70 > nat (inside) 1 0.0.0.0 0.0.0.0 0 0 > nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0 > alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255 > alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255 > alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255 > alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255 > > static (inside,outside) 200.219.100.26 10.128.128.26 netmask > 255.255.255.255 0 0 > static (inside,outside) 200.219.100.30 10.128.128.30 netmask > 255.255.255.255 0 0 > static (inside,outside) 200.219.100.31 10.128.128.32 netmask > 255.255.255.255 0 0 > static (inside,outside) 200.219.100.54 10.128.128.54 netmask > 255.255.255.255 0 0 > > conduit permit icmp any any > conduit permit tcp host 200.219.100.30 eq www any > conduit permit tcp host 200.219.100.30 eq domain any > conduit permit udp host 200.219.100.30 eq domain any > conduit permit tcp host 200.219.100.31 eq www any > conduit permit tcp host 200.219.100.31 eq domain any > conduit permit udp 
host 200.219.100.31 eq domain any > conduit permit tcp host 200.219.100.26 eq 161 any > conduit permit tcp host 200.219.100.26 eq 162 any > conduit permit udp host 200.219.100.26 eq snmp any > conduit permit udp host 200.219.100.26 eq snmptrap any > conduit permit tcp host 200.219.100.54 eq domain any > conduit permit udp host 200.219.100.54 eq domain any > conduit permit tcp host 200.219.100.54 eq 22 any > > route outside 0.0.0.0 0.0.0.0 200.219.100.1 1 > route outside 10.0.64.0 255.255.224.0 10.128.159.252 1 > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 > 0:05:00 sip 0:30:00 sip_media 0:02:00 > timeout uauth 0:05:00 absolute > aaa-server TACACS+ protocol tacacs+ > aaa-server RADIUS protocol radius > snmp-server host inside 10.128.128.21 > snmp-server location mainsite > snmp-server contact support@mainsite > snmp-server community pixpix > snmp-server enable traps > floodguard enable > sysopt connectio
OT: 2901 switch for sale [7:33632]
5000s/5500s, I don't have a need for this switch at home. (watch for URL wrap) http://cgi.ebay.com/aw-cgi/eBayISAPI.dll?ViewItem&item=1329209228 Thanks, Mike W. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33632&t=33632 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: which reference book is better? [7:33629]
I bought and used both. -dlb "Sim, CT (Chee Tong)" wrote in message news:[EMAIL PROTECTED]... > Hi.. > > I am going for the support 2.0 exam. There are two reference books for the > exam 1) CCNP Support exam certification guide and 2) Cisco Internetwork > Troubleshooting. Which one is better? If I only study CCNP support exam > certification guide, is it enough? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33631&t=33629
RE: is it possible to bridge accross a tunnel? [7:33567]
Is this something you just want to do for the sake of doing? If so, I say have at it. Will it work, don't know. I have never tried it. If you are looking to do this to fulfill a production requirement I would question why you weren't looking at using DLSW?

Jason

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eric Waguespack
Sent: Tuesday, January 29, 2002 9:38 AM
To: [EMAIL PROTECTED]
Subject: is it possible to bridge accross a tunnel? [7:33567]

ok, I have looked into this, and supposedly the answer is "yes" but the config is "unsupported"

here is the network diagram

10.10.10.x --(R1)--(public network)--(R2)---10.10.10.x

this is supposed to do it but i can't seem to make it work:

>int tunnel 2
>no ip addr
>tunnel source eth 0
>tunnel destination 128.29.183.247
>bridge-group 1

should this work? what will work? anything? do i need to do l2f instead? what did you have for breakfast?

thanks

-Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33630&t=33567
which reference book is better? [7:33629]
Hi.. I am going for the support 2.0 exam. There are two reference books for the exam 1) CCNP Support exam certification guide and 2) Cisco Internetwork Troubleshooting. Which one is better? If I only study CCNP support exam certification guide, is it enough? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33629&t=33629
RE: ls1010 switch [7:33620]
CES = circuit emulation. IIRC It emulates a voice T-1 without compression. There is a 4 port CES T1 PAM for the LS1010. There are/were various CES cards for the 7200. They were double width. One side had an ATM interface OC-3 or DS-3, the other four T-1 CES ports. Are you asking which ASP card your switch has? The LS1010 documentation would have that. Again from memory - an ASP-B or an ASP-C each with two choices. Per VP Queueing or per flow queueing. A show ver will tell you the DRAM and Flash. HTH

> -Original Message-
> From: george gittins [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2002 5:06 PM
> To: [EMAIL PROTECTED]
> Subject: ls1010 switch [7:33620]
>
> I'm trying to configure video to be passed through my ls1010 switch into an
> accord mcu unit. Is there a special interface I need to get ...they told me a
> ces circuit?
> Also, what command would help me know what type of interface processor I
> have and the amount of flash and ram?
> thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33628&t=33620
RE: Aggregate 3 T1's would this work. [7:33599]
Thanks for the help. I was actually looking into CEF, but I was unsure about using it. Thanks again. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33626&t=33599 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: RE: Transport Input Telnet and Terminal Servers [7:33511]
On Cisco routers, the asynchronous ports by default are set to send traffic with the TxD (transmit data) pin when activated by a protocol. As soon as input is received on the RxD (receive data) pin, the router engages an Exec process. I only said this to get a point of reference going. This is the natural forward direction of communication flow. It's more useful to think of this process by assuming the Cisco router is set up only to receive traffic and then engaging an exec process to handle the traffic.

The reverse direction is to INITIATE communication by binding the asynchronous ports to some sort of transport protocol. This 'transport protocol' could be any communication capable protocol. Instead of waiting for an exec process starting because traffic was received on the RxD pins, the router is set up to activate an exec process as soon as a transport protocol is initiated by a user.

In the case of the tcp transport protocol the router is set up to initiate communication whenever a tcp socket (tcp port 2000 + line number for telnet in ASCII mode) is established from any active IP address on the router. It would bring up the async line and send whatever data tcp sends over the async line.

Telnet is a method as well as an application that manages the tcp protocol stream from the user perspective. It resides totally within the data portion of a tcp segment. Telnet is active on a tcp stream whenever you use the telnet application or any application that communicates with such a protocol. Take a look at RFC 854-856 for a more involved study of telnet.

WAYNE BAETY, MCSE, A1C, USAF
Network Systems Trainer

> -Original Message-
> From: John Neiberger [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 30, 2002 6:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: RE: Transport Input Telnet and Terminal Servers [7:33511]
>
> That makes sense except for the fact that the telnet protocol
> is *not* running on the console link! It's called reverse
> telnet but that doesn't describe the protocol that is actually
> on the link itself. That's why it's curious to me why I would
> have to permit telnet for it to work.
>
> I blame you for getting me on this thread in the first
> place! :-) But I'd really like to find an answer.
>
> On Tue, 29 Jan 2002, Ouellette, Tim ([EMAIL PROTECTED]) wrote:
>
> > Are you still going on about this *grin*
> >
> > Sure feels weird being called the "someone" in your earlier comment of
> > "I was in a discussion with someone this weekend regarding terminal
> > server configuration". Hehhehe. The conclusion I came up with is as
> > follows. Let's say you're on a router and you ping your ethernet
> > interface. The pings actually go out on the wire and loop back to test
> > your own interface (obviously loopbacks are different). But I would
> > think that in the concept of a telnet, the reverse telnet goes out on
> > the wire to the far end and then loops back establishing a connection?
> > Also, as an FYI, when I do a "transport input all" on my terminal
> > server, it substitutes "transport input LAT MOP TELNET blah blah" for
> > me. So the telnet is actually a subset of the ALL parameter.?
> >
> > Did that make any sense or do I need more coffee?
> >
> > Tim
> >
> > -Original Message-
> > From: John Neiberger [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 28, 2002 9:59 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: RE: Transport Input Telnet and Terminal Servers [7:33511]
> >
> > I think, as is often the case, I wasn't clear enough. Let me
> > try to restate the issue another way.
> >
> > When you connect a terminal server to a console port, the
> > telnet protocol is not operating on that link. That link is a
> > simple async serial terminal session. Because of that, I don't
> > understand why "transport input telnet" works: the input is
> > *not* telnet, it's async serial!
> >
> > If you telnet to a terminal server and from there do a reverse
> > telnet to a device, your actual telnet session--and I'm being
> > very specific here--stops at the terminal server. The protocol
> > being carried on the async line is *not* telnet.
> >
> > Does that make more sense? Okay, back to the coffee for me...
> >
> > Thanks,
> > John
> >
> > On Mon, 28 Jan 2002, Daniel Cotts ([EMAIL PROTECTED]) wrote:
> >
> > > "all" works because telnet is a subset of "all" - it is included
> > > without being specifically named. Do a "show line" to determine the
> > > mapping of line numbers to ports - then do a "show line 1" or
> > > whatever. Lots more output!
> > > Look on the line that starts "Allowed transports"
> > > We are used to configuring terminal servers with ip host mapping a
> > > name to an ip and port. A more bare bones implementation would have
> > > us "telnet 2002" or whatever port we wished to reach. Try that.
> > >
> > > > -O
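The port arithmetic in the message above (TCP 2000 + line number) and the point from the quoted replies that "all" includes telnet can be turned into a quick audit of which TCP ports a terminal server will answer on. This is an added Python example, not code from the thread; the sample configuration is constructed, the function names are hypothetical, and only numbered `line` stanzas are handled.

```python
import re

# Constructed terminal-server fragment (hypothetical; not a config from the thread).
SAMPLE_CONFIG = """\
hostname termserv
!
line con 0
line 1 8
 transport input telnet
line 9 12
 transport input all
line 13 16
 transport input none
line aux 0
line vty 0 4
 transport input telnet
"""

LINE_RE = re.compile(r"^line\s+(\d+)(?:\s+(\d+))?\s*$")
TRANSPORT_RE = re.compile(r"^\s+transport input\s+(.+?)\s*$")
REVERSE_TELNET_BASE = 2000  # per the post: TCP port 2000 + line number


def reverse_telnet_ports(config):
    """Map absolute line number -> TCP port for lines whose transport input allows telnet.

    Named lines (con/aux/vty) are skipped because their absolute line numbers
    depend on the platform; "show line", as suggested in the thread, gives them.
    Lines with no explicit "transport input" are not reported either, since the
    default is assumed here to vary by IOS release.
    """
    exposed = {}
    current = None  # range of line numbers covered by the stanza being read
    for raw in config.splitlines():
        if not raw.startswith((" ", "\t")):
            # Any unindented command closes the previous stanza.
            m = LINE_RE.match(raw)
            if m:
                first = int(m.group(1))
                last = int(m.group(2) or m.group(1))
                current = range(first, last + 1)
            else:
                current = None
            continue
        m = TRANSPORT_RE.match(raw)
        if m and current is not None:
            protocols = m.group(1).lower().split()
            allowed = "all" in protocols or "telnet" in protocols
            for number in current:
                if allowed:
                    exposed[number] = REVERSE_TELNET_BASE + number
                else:
                    exposed.pop(number, None)
    return exposed


def port_ranges(ports):
    """Collapse port numbers into contiguous (first, last) ranges for a filter or scan baseline."""
    ranges = []
    for port in sorted(ports):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


if __name__ == "__main__":
    ports = reverse_telnet_ports(SAMPLE_CONFIG)
    for number, port in sorted(ports.items()):
        print(f"line {number}: reverse telnet on tcp/{port}")
    print("ranges to cover in an inbound filter:", port_ranges(ports.values()))
```

Because these ports answer on any active IP address of the router, the resulting ranges are what an inbound filter or a periodic scan baseline for the terminal server needs to cover.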
RE: Recent One-Day Lab Takers?? [7:33592]
You'll go blind if you touch your flux capacitor too much. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of c1sc0k1d Sent: Tuesday, January 29, 2002 6:35 PM To: [EMAIL PROTECTED] Subject: Re: Recent One-Day Lab Takers?? [7:33592] I saw my gear in RTP as well. Except in RTP they said not to touch the flux capacitor as the proctor already calibrated it before the lab started. ""Hire, Ejay"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I'm surprised. In san Jose, they are in big red/orange cabinets next to the > cubicle you work in. You have to go over to the rack to check dial > tone/ring on your VoIp Phone... and to align the flux capacitor. > > -Ejay > > -Original Message- > From: McCallum, Robert [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, January 29, 2002 3:52 PM > To: [EMAIL PROTECTED] > Subject: RE: Recent One-Day Lab Takers?? [7:33592] > > > I never actually saw any equipment just a monitor and keyboard. I could > hazzard a guess though that most of the equipment was Cisco. ;-> > > -Original Message- > From: Cisco Nuts [mailto:[EMAIL PROTECTED]] > Sent: 29 January 2002 19:29 > To: [EMAIL PROTECTED] > Subject: Recent One-Day Lab Takers?? [7:33592] > > > Hello, > > Has anyone is this group taken the new one-day lab recently? Wanted to know > what kind of routers did you see, I mean is it now more than 6 routers or > still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch, > is it still the Cat5? Just wanted to gather this info. to build a lab and > work on it..visualize that I am actually working on the real lab and > busting my brains. Thank you Cisco :-) > > Thanks! > > > > _ > Join the worlds largest e-mail service with MSN Hotmail. > http://www.hotmail.com _ Do You Yahoo!? 
Get your free @yahoo.com address at http://mail.yahoo.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33624&t=33592 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Recent One-Day Lab Takers?? [7:33592]
I saw my gear in RTP as well. Except in RTP they said not to touch the flux capacitor as the proctor already calibrated it before the lab started. ""Hire, Ejay"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > I'm surprised. In san Jose, they are in big red/orange cabinets next to the > cubicle you work in. You have to go over to the rack to check dial > tone/ring on your VoIp Phone... and to align the flux capacitor. > > -Ejay > > -Original Message- > From: McCallum, Robert [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, January 29, 2002 3:52 PM > To: [EMAIL PROTECTED] > Subject: RE: Recent One-Day Lab Takers?? [7:33592] > > > I never actually saw any equipment just a monitor and keyboard. I could > hazzard a guess though that most of the equipment was Cisco. ;-> > > -Original Message- > From: Cisco Nuts [mailto:[EMAIL PROTECTED]] > Sent: 29 January 2002 19:29 > To: [EMAIL PROTECTED] > Subject: Recent One-Day Lab Takers?? [7:33592] > > > Hello, > > Has anyone is this group taken the new one-day lab recently? Wanted to know > what kind of routers did you see, I mean is it now more than 6 routers or > still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch, > is it still the Cat5? Just wanted to gather this info. to build a lab and > work on it..visualize that I am actually working on the real lab and > busting my brains. Thank you Cisco :-) > > Thanks! > > > > _ > Join the worlds largest e-mail service with MSN Hotmail. > http://www.hotmail.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33623&t=33592 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Cisco Works 2000 & Cisco Works for Win [7:33321]
There is an eval copy of CiscoWorks for Windows if you have a CCO login. I agree with John though its not worth the money. -Original Message- From: John Kaberna [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 29, 2002 7:13 AM To: [EMAIL PROTECTED] Subject: Re: Cisco Works 2000 & Cisco Works for Windows [7:33321] Cisco Works for Windows is basically Whats Up Gold with Cisco View. It's pretty much a waste of money if you ask me. It's not very reliable and your Log viewer refreshes periodically erasing your entire screen for a couple of seconds. There is no way to highlight an event so you can see which events come in are new. It's a little hard to explain, but it's very annoying and hard to manage. It's nothing like HP Openview. I only use it on my laptop so I can quickly setup Syslog and SNMP traps at customers sites. I would never recommend it to use on a regular basis. I don't believe there is an eval copy, but your local reseller should be able to hook you up with a demo at their office. But, if you want to see 99% of what it will do, download an eval copy of What's Up Gold from www.ipswitch.com Getting a copy of CiscoWorks for Solaris is not possible unless your organization does a LARGE amount of business with Cisco or if your reseller does you a favor. John Kaberna CCIE #7146 www.netcginc.com (415) 750-3800 Instructor for 5-day CCIE class for ccbootcamp.com __ CCIE Security Training www.netcginc.com/training.htm ""Jonathan Mian"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hi Gang, > > Is there such a thing as an eval copy...I'd like to know what this thing > looks like since I've heard/read so much about. Alos is there an eval copy > for Cisco Works for Windows? > > All the best, > Jon Mian Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33598&t=33321 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Telnet to inside through VPN [7:33589]
How can I telnet to PIX inside interface from the VPN (I.E. from 10.128.128.0 telnet 172.16.3.252). I have tried using telnet command: "telnet 10.128.128.0 255.255.255.0 inside" but still no working. Can you help me? Dante CONF MAIN PIX PIX Version 6.0(1) nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 DMZ1 security10 nameif ethernet3 intf3 security15 nameif ethernet4 intf4 security20 nameif ethernet5 intf5 security25 enable password *** encrypted passwd ** encrypted hostname MAIN fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0 access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0 access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0 access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0 access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0 access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0 pager lines 24 logging on interface ethernet0 auto interface ethernet1 auto interface ethernet2 auto interface ethernet3 auto interface ethernet4 auto shutdown interface ethernet5 auto shutdown mtu outside 1500 mtu inside 1500 mtu DMZ1 1500 mtu intf3 1500 mtu intf4 1500 mtu intf5 1500 ip address outside 200.219.100.2 255.255.255.0 ip address inside 10.128.159.253 255.255.224.0 ip address DMZ1 10.255.255.254 255.255.224.0 ip address intf3 10.250.11.254 255.255.255.0 ip address intf4 127.0.0.1 255.255.255.255 ip address intf5 127.0.0.1 255.255.255.255 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 failover ip address DMZ1 0.0.0.0 failover ip address intf3 
0.0.0.0 failover ip address intf4 0.0.0.0 failover ip address intf5 0.0.0.0 pdm history enable arp timeout 14400 global (outside) 1 200.219.100.100-200.219.100.199 global (outside) 1 200.219.100.200 global (DMZ1) 1 10.255.224.10-10.255.224.70 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0 alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255 alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255 alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255 alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255 static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0 static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0 static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0 static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0 conduit permit icmp any any conduit permit tcp host 200.219.100.30 eq www any conduit permit tcp host 200.219.100.30 eq domain any conduit permit udp host 200.219.100.30 eq domain any conduit permit tcp host 200.219.100.31 eq www any conduit permit tcp host 200.219.100.31 eq domain any conduit permit udp host 200.219.100.31 eq domain any conduit permit tcp host 200.219.100.26 eq 161 any conduit permit tcp host 200.219.100.26 eq 162 any conduit permit udp host 200.219.100.26 eq snmp any conduit permit udp host 200.219.100.26 eq snmptrap any conduit permit tcp host 200.219.100.54 eq domain any conduit permit udp host 200.219.100.54 eq domain any conduit permit tcp host 200.219.100.54 eq 22 any route outside 0.0.0.0 0.0.0.0 200.219.100.1 1 route outside 10.0.64.0 255.255.224.0 10.128.159.252 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius snmp-server host inside 10.128.128.21 snmp-server location mainsite snmp-server contact 
support@mainsite snmp-server community pixpix snmp-server enable traps floodguard enable sysopt connection permit-ipsec sysopt ipsec pl-compatible no sysopt route dnat crypto ipsec transform-set strong esp-des esp-sha-hmac crypto map cmap 1 ipsec-isakmp crypto map cmap 1 match address 101 crypto map cmap 1 set peer 200.200.100.2 crypto map cmap 1 set transform-set strong crypto map cmap 2 ipsec-isakmp crypto map cmap 2 match address 102 crypto map cmap 2 set peer 200.200.111.2 crypto map cmap 2 set transform-set strong crypto map cmap 3 ipsec-isakmp crypto map cmap 3 match address 103 crypto map cmap 3 set peer 200.200.222.2 crypto map cmap 3 set transform-set strong crypto map cmap 4 ipsec-isakmp crypto map cmap 4 match address 104 crypto map cmap 4 set peer 200.202.202.2 crypto map cmap 4 set transform-set strong crypto map cmap 5 ipsec-isakmp crypto map cmap 5 match address 105 crypto map cmap 5 set peer 205.205.205.2 crypto map cmap 5 set transform-set strong crypto
Re: Lab Kit.... [7:33412]
Brad, How much does this bundle go for? I sent you a direct reply but it bounced back. ""Brad Ellis"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Joe, > > Here's what I typically sell/recommend for a minumum CCIE kit: > > 2x 2501s > 2x 2503s (for ISDN) > 1x 2511 (reverse telnet AS) > 2x or 3x 2513s (TR/Ether) > 1x 2522 (frame-switch) > ISDN Simulator > Catalyst 5k switch > 3900 TR Switch or 3920 simulator > + accessories > > I dont think you need quite so many PCs, but I guess it cant hurt if you > already have them. If you have a 2900 series switch, make sure it is a 2926 > or 2901 that runs the cat5k OS. > > thanks, > -Brad Ellis > CCIE#5796 (R&S / Security) > Network Learning Inc > [EMAIL PROTECTED] > used Cisco gear: www.optsys.net > CCIE Labs, racks, and classes: http://www.ccbootcamp.com/quicklinks.html > > ""Joel Satterley"" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Can anyone advise on the base set of equipment for running test labs as a > > prep > > for the CCIE lab ? > > > > I'm thinking - > > > > 4 x eth + tok routers (3 with at least one serial + 1 with three or more) > > 2 x Cat switches (2900 + 4000) > > 1 x Token ring switch. > > 3 x PC's > > > > Anything else (apart from modems + ISDN, got plenty of that). Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33591&t=33412 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: SolarWinds [7:33606]
We use Solar Winds Pro Plus and it is great. Easy to configure. It is a pretty complete set of tools. ""Richard Tufaro"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Anyone have any experience with solar winds Orion, software for monitoring > the WAN/LAN? Also anyone have a suggestion for an enterprise LAN/WAN alert > monitoring software solution? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33621&t=33606 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
ls1010 switch [7:33620]
I'm trying to configure video to be passed through my ls1010 switch into an accord mcu unit. Is there a special interface I need to get ...they told me a ces circuit? Also, what command would help me know what type of interface processor I have and the amount of flash and ram? thanks Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33620&t=33620
Looking for V.35 Cables [7:33619]
Looking for a couple of V.35 Cables for back to back router connection from a 7513 to 2511. Anyone? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33619&t=33619 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: SolarWinds [7:33606]
What's Up Gold rocks. If you've got the loot, you can integrate WebNM (they use mrtg) which is even cooler. We use this at work, and I love it. Check out www.somix.com and www.ipswitch.com These are much cheaper solutions than a lot of the stuff out there (hp openview/tivoli) Jeff "Richard Tufaro" wrote in message news:[EMAIL PROTECTED]... > Anyone have any experience with solar winds Orion, software for monitoring > the WAN/LAN? Also anyone have a suggestion for an enterprise LAN/WAN alert > monitoring software solution? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33618&t=33606
Re: Aggregate 3 T1's would this work. [7:33599]
The far router needs no concept of CEF to receive the packets equally over the three T1's though it would be preferred that the ISP router also load balance since most customers Internet connections receive more than they send. Dave James Willard wrote: > > Right, the remote router must also have ip cef capability. The cisco > equipment was assumed since this is a Cisco group :). In case of no Cisco > equipment on the far end, you can always just use static default routes as a > previous post suggested. It will, however, not give you true load balancing. > > James > > - Original Message - > From: "Hartnell, George" > To: > Sent: Tuesday, January 29, 2002 4:38 PM > Subject: RE: Aggregate 3 T1's would this work. [7:33599] > > > Would this not also be a function of just what the ISP has/wants on the > far > > end? > > > > My hookup uses a 3Com Accessbuilder 6100 I-Mux --- HSSI---Cisco 7200. The > > three T1's are inverse multiplexed on the 3Com. Scaleable to 7 T1's. > > > > 'Couse this is a 'Cisco' newsgroup > > > > Best, G. > > > > > -Original Message- > > > From: James Willard [mailto:[EMAIL PROTECTED]] > > > Sent: Tuesday, January 29, 2002 12:33 PM > > > To: [EMAIL PROTECTED] > > > Subject: RE: Aggregate 3 T1's would this work. [7:33599] > > > > > > > > > John, > > > > > > What you want to look at is Cisco Express Forwarding (CEF). > > > It allows load > > > balancing across multiple T1's. For each serial interface you > > > would have > > > your own subnet (such as a /30) to your provider, because the serial > > > interfaces cannot be on the same subnet. Turn on CEF using > > > "ip cef" globally > > > (you may want to ensure you have a recent IOS, as CEF was > > > buggy early on). > > > Then, on each serial interface, issue either "ip load-sharing > > > per-packet" or > > > "ip load-sharing per-destination" depending on how you want the load > > > distributed. To give you the full 4.5Mbps to any one site, > > > use per-packet > > > load balancing. 
> > > > > > James Willard, CCNA > > > [EMAIL PROTECTED] > > > > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of > > > John Jones > > > Sent: Tuesday, January 29, 2002 3:17 PM > > > To: [EMAIL PROTECTED] > > > Subject: Aggregate 3 T1's would this work. [7:33599] > > > > > > > > > I have a configuration question. > > > I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one > > > FastEthernet ports installed. All dedicated T's are from the same ISP. > > > I want to aggregate the three T1's for increased bandwidth (4.5 Mbps) > > > Would I run into issues > > > > > > Here is my config. Would this work? > > > > > > > > > ! > > > hostname Cisco3620 > > > ! > > > ! > > > no ip name-server > > > ! > > > ip subnet-zero > > > no ip domain-lookup > > > ip routing > > > ! > > > interface Ethernet 0/0 > > > no description > > > ip address 172.16.10.1 255.255.255.0 > > > ! > > > interface Serial 0/0 > > > no shutdown > > > ip address 1.1.1.2 255.255.255.248 > > > ! > > > interface Serial 0/1 > > > no shutdown > > > ip address 1.1.1.3 255.255.255.248 > > > ! > > > interface Serial 1/0 > > > no shutdown > > > ip address 1.1.1.4 255.255.255.248 > > > ! > > > ip route 0.0.0.0 0.0.0.0 serial0/0 > > > ip route 0.0.0.0 0.0.0.0 serial0/1 > > > ip route 0.0.0.0 0.0.0.0 serial1/0 > > > > > > ! > > > ! > > > ip classless > > > no ip http server > > > ! > > > end > > > > > > > > > I tried this config with Cisco's config maker and I get IP > > > address errors on > > > the serial ports, specifically being on the same subnet. > > > Would this do basic aggregation? -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. 
[EMAIL PROTECTED] 612-664-3367 "Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33617&t=33599
Re: Traffic-rate shape [7:32072]
You still did gts and not FRTS. You should specify frts out with CIR, mincir, bc, etc. For inbound interface, I still recommend CAR. ""Joseba Izaga"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > OK... I tested everything. > > I am using FRTS instead of GTS. > > The config i am using is > > ! > interface Serial1 > bandwidth 256 > no ip address > no ip directed-broadcast > encapsulation frame-relay IETF > no keepalive > no fair-queue > frame-relay traffic-shaping > ! > interface Serial1.1 multipoint > ip address 132.1.21.1 255.255.255.0 > no ip directed-broadcast > no arp frame-relay > frame-relay map ip 132.1.21.2 515 > ! > interface Serial1.2 point-to-point > bandwidth 64 > ip unnumbered FastEthernet0 > no ip directed-broadcast > no arp frame-relay > no cdp enable > frame-relay interface-dlci 516 > class t64 > ! > map-class frame-relay t64 > frame-relay traffic-rate 16000 64000 > frame-relay bc 64000 > ! > > > Router#sh int ser 1 > Serial1 is up, line protocol is up > Hardware is PowerQUICC Serial > Description: > MTU 1500 bytes, BW 256 Kbit, DLY 2 usec, > reliability 255/255, txload 40/255, rxload 6/255 > Encapsulation FRAME-RELAY IETF, loopback not set > Keepalive not set > Broadcast queue 0/64, broadcasts sent/dropped 20/0, interface broadcasts 2 > Last input 00:01:25, output 00:00:00, output hang never > Last clearing of "show interface" counters 3w4d > Queueing strategy: fifo > Output queue 0/40, 631 drops; input queue 0/75, 0 drops > 5 minute input rate 7000 bits/sec, 5 packets/sec > 5 minute output rate 12 bits/sec, 6 packets/sec > 6423620 packets input, 648992350 bytes, 0 no buffer > Received 0 broadcasts, 0 runts, 96 giants, 0 throttles > 96 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort > 7910460 packets output, 3812516915 bytes, 0 underruns > 0 output errors, 0 collisions, 1 interface resets > 0 output buffer failures, 0 output buffers swapped out > 0 carrier transitions > DCD=up DSR=up DTR=up RTS=up CTS=up > > Router#sh 
frame-relay pvc 516 > > PVC Statistics for interface Serial1 (Frame Relay DTE) > > DLCI = 516, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial1.2 > > input pkts 5790202 output pkts 7230308 in bytes 543324449 > out bytes 3254580372 dropped pkts 0 in FECN pkts 0 > in BECN pkts 0 out FECN pkts 0 out BECN pkts 0 > in DE pkts 0 out DE pkts 0 > out bcast pkts 5 out bcast bytes 380 > pvc create time 3w3d, last time pvc status changed 3w3d > cir 16000 bc 16000 be 48000 limit 6250 interval 125 > mincir 8000 byte increment 250 BECN response no > pkts 37256 bytes 5958824 pkts delayed 500 bytes delayed 181477 > shaping inactive > traffic shaping drops 0 > Serial1.2 dlci 516 is first come first serve default queueing > > Output queue 0/40, 0 drop, 500 dequeued > > Router#sh traffic-shape ser 1.2 > Access TargetByte Sustain ExcessInterval Increment > Adapt > I/F List Rate Limit bits/int bits/int (ms) (bytes) > Active > Se1.2 16000 6250 16000 48000 125 > 250 - > > This is all the statistics, and as you can see is just limiting the inbound > traffic, not the outbound. It is working as the GTS. > > I am using IOS ver 12.0(3)T. > > What else can I do? > > Regards, > > Joseba Izaga > > > > - Original Message - > From: > To: > Sent: Thursday, January 17, 2002 7:19 PM > Subject: Re: Traffic-rate shape [7:32072] > > > > Well, unless I'm just suffering from Friday Afternoon Brain, the traffic > > figures still look weird to me. > > Can you look at the traffic figures from the other end of the PVC? If so, > > what do they say? > > > > I guess if the txload/rxload figures are for a 5-minute exponential > > average (which I believe they are) and the 5-minute input/output figures > > are a normal average (which I'm not sure of), those figures could make > > sense, but you'd have to have a pretty extreme traffic pattern (which I > > suppose you could if you've been testing throughput). > > > > What happens if you use FRTS instead of GTS? 
> > > > JMcL > > > > > > - Forwarded by Jenny Mcleod/NSO/CSDA on 18/01/2002 02:05 pm - > > > > > > "Joseba Izaga" > > Sent by: [EMAIL PROTECTED] > > 18/01/2002 11:54 am > > Please respond to "Joseba Izaga" > > > > > > To: [EMAIL PROTECTED] > > cc: > > Subject:Re: Traffic-rate shape [7:32072] > > > > > > s1.1 is not used. > > > > To the physical interface I connected a frame-relay radio-modem configured > > as Star (multipoint). So s1.1 is just for mapping clinet units. > > > > s1.1 doesn4t have traffic at all. > > > > - Original Message - > > From: > > To: > > Sent: Thursday, January 17, 2002 3:39 PM > > Subject: Re: Traffic-rate shape [7:32072] > > > > > > > Some
Re: SolarWinds [7:33606]
As far as alerting software, there's a lot of free stuff for UNIX; Big Brother is probably the most used. It is a bitch to configure though if you ask me. I took the easy way out and bought Servers Alive for $99. It works on NT/2000 and is easy to configure and customizable. Try it out, you can monitor 10 services as an eval. http://www.woodstone.nu/salive/

I use mrtg and ntop (ntop.org) to monitor LAN/WAN usage.

"Richard Tufaro" wrote in message news:[EMAIL PROTECTED]...
> Anyone have any experience with solar winds Orion, software for monitoring
> the WAN/LAN? Also anyone have a suggestion for an enterprise LAN/WAN alert
> monitoring software solution?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33615&t=33606
Re: Aggregate 3 T1's would this work. [7:33599]
Right, the remote router must also have ip cef capability. The cisco equipment was assumed since this is a Cisco group :). In case of no Cisco equipment on the far end, you can always just use static default routes as a previous post suggested. It will, however, not give you true load balancing. James - Original Message - From: "Hartnell, George" To: Sent: Tuesday, January 29, 2002 4:38 PM Subject: RE: Aggregate 3 T1's would this work. [7:33599] > Would this not also be a function of just what the ISP has/wants on the far > end? > > My hookup uses a 3Com Accessbuilder 6100 I-Mux --- HSSI---Cisco 7200. The > three T1's are inverse multiplexed on the 3Com. Scaleable to 7 T1's. > > 'Couse this is a 'Cisco' newsgroup > > Best, G. > > > -Original Message- > > From: James Willard [mailto:[EMAIL PROTECTED]] > > Sent: Tuesday, January 29, 2002 12:33 PM > > To: [EMAIL PROTECTED] > > Subject: RE: Aggregate 3 T1's would this work. [7:33599] > > > > > > John, > > > > What you want to look at is Cisco Express Forwarding (CEF). > > It allows load > > balancing across multiple T1's. For each serial interface you > > would have > > your own subnet (such as a /30) to your provider, because the serial > > interfaces cannot be on the same subnet. Turn on CEF using > > "ip cef" globally > > (you may want to ensure you have a recent IOS, as CEF was > > buggy early on). > > Then, on each serial interface, issue either "ip load-sharing > > per-packet" or > > "ip load-sharing per-destination" depending on how you want the load > > distributed. To give you the full 4.5Mbps to any one site, > > use per-packet > > load balancing. > > > > James Willard, CCNA > > [EMAIL PROTECTED] > > > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of > > John Jones > > Sent: Tuesday, January 29, 2002 3:17 PM > > To: [EMAIL PROTECTED] > > Subject: Aggregate 3 T1's would this work. [7:33599] > > > > > > I have a configuration question. 
> > I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one > > FastEthernet ports installed. All dedicated T's are from the same ISP. > > I want to aggregate the three T1's for increased bandwidth (4.5 Mbps) > > Would I run into issues > > > > Here is my config. Would this work? > > > > > > ! > > hostname Cisco3620 > > ! > > ! > > no ip name-server > > ! > > ip subnet-zero > > no ip domain-lookup > > ip routing > > ! > > interface Ethernet 0/0 > > no description > > ip address 172.16.10.1 255.255.255.0 > > ! > > interface Serial 0/0 > > no shutdown > > ip address 1.1.1.2 255.255.255.248 > > ! > > interface Serial 0/1 > > no shutdown > > ip address 1.1.1.3 255.255.255.248 > > ! > > interface Serial 1/0 > > no shutdown > > ip address 1.1.1.4 255.255.255.248 > > ! > > ip route 0.0.0.0 0.0.0.0 serial0/0 > > ip route 0.0.0.0 0.0.0.0 serial0/1 > > ip route 0.0.0.0 0.0.0.0 serial1/0 > > > > ! > > ! > > ip classless > > no ip http server > > ! > > end > > > > > > I tried this config with Cisco's config maker and I get IP > > address errors on > > the serial ports, specifically being on the same subnet. > > Would this do basic aggregation? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33614&t=33599 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Lab Kit.... [7:33412]
Hi

What would anybody suggest for a CCNP Lab? I am currently putting together a list of equipment to purchase for my CCNP lab and have come up with the following:

Cat 5000 with a Sup I card (would I need a Sup II for ISL)
Cat 2912 (would a Cat 1900 work.)
2501
2621 (or could I use a 2514? I want to be able to fast Etherchannel & ISL.)

Any suggestion/comments would be greatly appreciated.

Thanks
Colin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33613&t=33412
Re: Aggregate 3 T1's would this work. [7:33599]
Fix your addressing, enable CEF and you're set. If you like you can do per packet or per destination load sharing via CEF with the appropriate interface commands. Of course you can mess things up and encapsulate your serial interface PPP and use PPP multilink...

Dave

John Jones wrote:
>
> I have a configuration question.
> I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one
> FastEthernet ports installed. All dedicated T's are from the same ISP.
> I want to aggregate the three T1's for increased bandwidth (4.5 Mbps)
> Would I run into issues
>
> Here is my config. Would this work?
>
> !
> hostname Cisco3620
> !
> !
> no ip name-server
> !
> ip subnet-zero
> no ip domain-lookup
> ip routing
> !
> interface Ethernet 0/0
>  no description
>  ip address 172.16.10.1 255.255.255.0
> !
> interface Serial 0/0
>  no shutdown
>  ip address 1.1.1.2 255.255.255.248
> !
> interface Serial 0/1
>  no shutdown
>  ip address 1.1.1.3 255.255.255.248
> !
> interface Serial 1/0
>  no shutdown
>  ip address 1.1.1.4 255.255.255.248
> !
> ip route 0.0.0.0 0.0.0.0 serial0/0
> ip route 0.0.0.0 0.0.0.0 serial0/1
> ip route 0.0.0.0 0.0.0.0 serial1/0
>
> !
> !
> ip classless
> no ip http server
> !
> end
>
> I tried this config with Cisco's config maker and I get IP address errors on
> the serial ports, specifically being on the same subnet.
> Would this do basic aggregation?

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33612&t=33599
RE: Aggregate 3 T1's would this work. [7:33599]
Would this not also be a function of just what the ISP has/wants on the far end?

My hookup uses a 3Com Accessbuilder 6100 I-Mux --- HSSI---Cisco 7200. The three T1's are inverse multiplexed on the 3Com. Scalable to 7 T1's.

'Course this is a 'Cisco' newsgroup

Best, G.

> -Original Message-
> From: James Willard [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2002 12:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Aggregate 3 T1's would this work. [7:33599]
>
>
> John,
>
> What you want to look at is Cisco Express Forwarding (CEF). It allows load
> balancing across multiple T1's. For each serial interface you would have
> your own subnet (such as a /30) to your provider, because the serial
> interfaces cannot be on the same subnet. Turn on CEF using "ip cef" globally
> (you may want to ensure you have a recent IOS, as CEF was buggy early on).
> Then, on each serial interface, issue either "ip load-sharing per-packet" or
> "ip load-sharing per-destination" depending on how you want the load
> distributed. To give you the full 4.5Mbps to any one site, use per-packet
> load balancing.
>
> James Willard, CCNA
> [EMAIL PROTECTED]
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Jones
> Sent: Tuesday, January 29, 2002 3:17 PM
> To: [EMAIL PROTECTED]
> Subject: Aggregate 3 T1's would this work. [7:33599]
>
>
> I have a configuration question.
> I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one
> FastEthernet ports installed. All dedicated T's are from the same ISP.
> I want to aggregate the three T1's for increased bandwidth (4.5 Mbps)
> Would I run into issues
>
> Here is my config. Would this work?
>
>
> !
> hostname Cisco3620
> !
> !
> no ip name-server
> !
> ip subnet-zero
> no ip domain-lookup
> ip routing
> !
> interface Ethernet 0/0
>  no description
>  ip address 172.16.10.1 255.255.255.0
> !
> interface Serial 0/0
>  no shutdown
>  ip address 1.1.1.2 255.255.255.248
> !
> interface Serial 0/1
>  no shutdown
>  ip address 1.1.1.3 255.255.255.248
> !
> interface Serial 1/0
>  no shutdown
>  ip address 1.1.1.4 255.255.255.248
> !
> ip route 0.0.0.0 0.0.0.0 serial0/0
> ip route 0.0.0.0 0.0.0.0 serial0/1
> ip route 0.0.0.0 0.0.0.0 serial1/0
>
> !
> !
> ip classless
> no ip http server
> !
> end
>
>
> I tried this config with Cisco's config maker and I get IP address errors on
> the serial ports, specifically being on the same subnet.
> Would this do basic aggregation?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33611&t=33599
RE: Recent One-Day Lab Takers?? [7:33592]
I'm surprised. In San Jose, they are in big red/orange cabinets next to the cubicle you work in. You have to go over to the rack to check dial tone/ring on your VoIP Phone... and to align the flux capacitor.

-Ejay

-Original Message-
From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 3:52 PM
To: [EMAIL PROTECTED]
Subject: RE: Recent One-Day Lab Takers?? [7:33592]

I never actually saw any equipment just a monitor and keyboard. I could hazard a guess though that most of the equipment was Cisco. ;->

-Original Message-
From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
Sent: 29 January 2002 19:29
To: [EMAIL PROTECTED]
Subject: Recent One-Day Lab Takers?? [7:33592]

Hello,

Has anyone in this group taken the new one-day lab recently? Wanted to know what kind of routers did you see, I mean is it now more than 6 routers or still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch, is it still the Cat5?

Just wanted to gather this info. to build a lab and work on it..visualize that I am actually working on the real lab and busting my brains. Thank you Cisco :-)

Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33610&t=33592
RE: Aggregate 3 T1's would this work. [7:33599]
Actually, your t-1's will probably not be in the same subnet. They will probably have a /30 for each link. Additionally, you may consider adding no ip route-cache to each t1 interface. This will allow per-packet load balancing instead of per destination.

New Config...

00
interface Ethernet 0/0
 ip address 172.16.10.1 255.255.255.0
!
interface Serial 0/0
 ip address 1.1.1.1 255.255.255.252
 no ip route-cache
!
interface Serial 0/1
 ip address 1.1.1.5 255.255.255.252
 no ip route-cache
!
interface Serial 1/0
 ip address 1.1.1.9 255.255.255.252
 no ip route-cache
!
ip route 0.0.0.0 0.0.0.0 serial0/0
ip route 0.0.0.0 0.0.0.0 serial0/1
ip route 0.0.0.0 0.0.0.0 serial1/0
!
ip classless
!
0--0

-Original Message-
From: John Jones [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 3:17 PM
To: [EMAIL PROTECTED]
Subject: Aggregate 3 T1's would this work. [7:33599]

I have a configuration question.
I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one
FastEthernet ports installed. All dedicated T's are from the same ISP.
I want to aggregate the three T1's for increased bandwidth (4.5 Mbps)
Would I run into issues

Here is my config. Would this work?

!
hostname Cisco3620
!
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Ethernet 0/0
 no description
 ip address 172.16.10.1 255.255.255.0
!
interface Serial 0/0
 no shutdown
 ip address 1.1.1.2 255.255.255.248
!
interface Serial 0/1
 no shutdown
 ip address 1.1.1.3 255.255.255.248
!
interface Serial 1/0
 no shutdown
 ip address 1.1.1.4 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 serial0/0
ip route 0.0.0.0 0.0.0.0 serial0/1
ip route 0.0.0.0 0.0.0.0 serial1/0

!
!
ip classless
no ip http server
!
end

I tried this config with Cisco's config maker and I get IP address errors on
the serial ports, specifically being on the same subnet.
Would this do basic aggregation?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33609&t=33599
Re: Cache Engine [7:33442]
Thanks. Right now it is working so well.

Regards,

Joseba Izaga

- Original Message -
From: "Dimitris Vassilopoulos"
To:
Sent: Tuesday, January 29, 2002 3:07 AM
Subject: RE: Cache Engine [7:33442]

> You should configure in the global configuration of the 7204:
>
> 7204(config)#ip wccp web-cache
>
> You should also redirect http traffic from the interesting interfaces of the
> 7204 to the cache engine.
>
> conf t
> interface serial x
>  ip wccp web-cache redirect out
>
> Cache engine should be configured like this:
>
> cache-engine#sh run
>
> Building configuration...
> Current configuration:
> !
> !
> !
> group add admin gid 0
> group add everyone gid 1000
> group add LocalUsers gid 1004
> !
> user add admin uid 0 password 1 "xx" capability admin-access
> user add anonymous uid 1002
> !
> !
> !
> hostname cache-engine
> !
> interface ethernet 0
>  ip address xxx.xxx.xxx.xxx 255.255.xxx.xxx
>  ip broadcast-address xxx.xxx.xxx.xxx
>  bandwidth 100
>  fullduplex
>  exit
> !
> !
> interface ethernet 1
>  exit
> !
> ip default-gateway xxx.xxx.xxx.xxx (internet router)
> ip name-server xxx.xxx.xxx.xxx
> ip domain-name xx
> cron file /local/etc/crontab
> !
> !
> http proxy outgoing exclude enable
> no bypass load enable
> wccp router-list 1 xxx.xxx.xxx.xxx
> wccp web-cache router-list-num 1
> wccp version 2
> !
> transaction-logs destination disk
> !
> !
> end
>
> Dvass

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33608&t=33442
RE: Recent One-Day Lab Takers?? [7:33592]
no mouse?? :)

-Original Message-
From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 2:52 PM
To: [EMAIL PROTECTED]
Subject: RE: Recent One-Day Lab Takers?? [7:33592]

I never actually saw any equipment just a monitor and keyboard. I could hazard a guess though that most of the equipment was Cisco. ;->

-Original Message-
From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
Sent: 29 January 2002 19:29
To: [EMAIL PROTECTED]
Subject: Recent One-Day Lab Takers?? [7:33592]

Hello,

Has anyone in this group taken the new one-day lab recently? Wanted to know what kind of routers did you see, I mean is it now more than 6 routers or still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch, is it still the Cat5?

Just wanted to gather this info. to build a lab and work on it..visualize that I am actually working on the real lab and busting my brains. Thank you Cisco :-)

Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33607&t=33592
SolarWinds [7:33606]
Anyone have any experience with solar winds Orion, software for monitoring the WAN/LAN? Also anyone have a suggestion for an enterprise LAN/WAN alert monitoring software solution?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33606&t=33606
RE: RE: Transport Input Telnet and Terminal Servers [7:33511]
That makes sense except for the fact that the telnet protocol is *not* running on the console link! It's called reverse telnet but that doesn't describe the protocol that is actually on the link itself. That's why it's curious to me why I would have to permit telnet for it to work. I blame you for getting me on this thread in the first place! :-) But I'd really like to find an answer. On Tue, 29 Jan 2002, Ouellette, Tim ([EMAIL PROTECTED]) wrote: > Are you still going on about this *grin* > > Sure feels weird being call the "someone" in your earlier comment of "I > was > in a discussion with someone this weekend regarding terminal server > configuration". Hehhehe. The conclusion I came up with is as > followings. > Let's say your on a router and you ping your ethernet interface. The > pings > actually goes out on the wire and loops back to test your own interface > (obviously loopbacks are different). But I would think that in the > concept > of a telnet, the reverse telnet goes out on the wire to the far end and > then > loops back establishing a connection? Also, as an FYI, when a do a > "transport input all" on my terminal server, it substitues "transport > input > LAT MOP TELNET blah blah" for me. So the telnet is actually a subset of > the > ALL parameter.? > > Did that make any sense or do I need more coffee? > > Tim > > -Original Message- > From: John Neiberger [mailto:[EMAIL PROTECTED]] > Sent: Monday, January 28, 2002 9:59 PM > To: [EMAIL PROTECTED] > Subject: Re: RE: Transport Input Telnet and Terminal Servers [7:33511] > > > I think, as is often the case, I wasn't clear enough. Let me > try to restate the issue another way. > > When you connect a terminal server to a console port, the > telnet protocol is not operating on that link. That link is a > simple async serial terminal session. Because of that, I don't > understand why "transport input telnet" works: the input is > *not* telnet, it's async serial! 
> > If you telnet to a terminal server and from there do a reverse > telnet to a device, your actual telnet session--and I'm being > very specific here--stops at the terminal server. The protocol > being carried on the async line is *not* telnet. > > Does that make more sense? Okay, back to the coffee for me... > > Thanks, > John > > On Mon, 28 Jan 2002, Daniel Cotts > ([EMAIL PROTECTED]) wrote: > > > "all" works because telnet is a subset of "all" - it is > included without > > being specifically named. Do a "show line" to determine the > mapping of > > line > > numbers to ports - then do a "show line 1" or whatever. Lots > more > > output! > > Look on the line that starts "Allowed transports" > > We are used to configuring terminal servers with ip host > mapping a name > > to > > an ip and port. A more bare bones implementation would have > us "telnet > > 2002" > > or whatever port we wished to reach. Try that. > > > > > -Original Message- > > > From: John Neiberger [mailto:[EMAIL PROTECTED]] > > > Sent: Monday, January 28, 2002 4:28 PM > > > To: [EMAIL PROTECTED] > > > Subject: Transport Input Telnet and Terminal Servers > [7:33511] > > > > > > > > > I was in a discussion with someone this weekend regarding > terminal > > > server configuration and the following issue came up. CCO > states that > > > on the terminal server, at the very least "transport input > > > telnet" needs > > > to be configured, if not "transport input all". Why is > this? > > > > > > With a terminal server, we are connecting to a console port > > > that has no > > > concept of IP or telnet. You connect to the console port > using async > > > serial terminal protocols, *not* telnet. Sure, it may be > > > called Reverse > > > Telnet, but the telnet protocol is not end-to-end; it stops > at the > > > terminal server. From the terminal server to the device it > > > is connected > > > to you are simply using async serial. So, why do we need > transport > > > input telnet?? 
> > > > > > We did verify that without this command it will not work. > Also, why > > > would the ALL keyword work? As far as I can see, none of > the > > > available > > > protocols make any sense in this context. > > > > > > Just curious. Perhaps I'm suffering from a brain cloud > today. :-) > > > > > > John > [EMAIL PROTECTED] > > > > > > > > Get your own "800" number > Voicemail, fax, email, and a lot more > http://www.ureach.com/reg/tag [EMAIL PROTECTED] > > Get your own "800" number Voicemail, fax, email, and a lot more http://www.ureach.com/reg/tag Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33605&t=33511 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations t
Re: using BGP private AS [7:33595]
Why not simply prevent your customer routes from entering your IGP by the normal means? Is there some relationship from BGP to the IGP in your network that we may not be aware of?

Pete

At 02:57 PM 1/29/2002 -0500, you wrote:
>Hi, Everyone: I saw some examples to use BGP private AS for single
>ISP redundancy. I was wondering whether I could use it for DMZ. that will
>disallow customer routes inject to my IGP?
>ISP1 ISP2
>| |
>AS200 -AS5400-- AS100
>Any suggestion? Thanks, ~q

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33604&t=33595
Re: Aggregate 3 T1's would this work. [7:33599]
On 29-Jan-2002, John Jones wrote:
> I have a configuration question.
> I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one
> FastEthernet ports installed. All dedicated T's are from the same ISP.
> I want to aggregate the three T1's for increased bandwidth (4.5 Mbps)
> Would I run into issues
>
> Here is my config. Would this work?

No it wouldn't. Cisco's complain severely. Assuming you have a similar router with the other end of those 3 T1's, you would do something like this:

> !
> hostname Cisco3620
> !
> !
> no ip name-server
> !
> ip subnet-zero
> no ip domain-lookup
> ip routing
> !
> interface Ethernet 0/0
>  no description
>  ip address 172.16.10.1 255.255.255.0
> !
> interface Serial 0/0
>  no shutdown
>  ip address 1.1.1.2 255.255.255.252

On the other end, you would have
ip address 1.1.1.1 255.255.255.252

> !
> interface Serial 0/1
>  no shutdown
>  ip address 1.1.1.6 255.255.255.252

On the other end, you would have
ip address 1.1.1.5 255.255.255.252

> !
> interface Serial 1/0
>  no shutdown
>  ip address 1.1.1.10 255.255.255.252

On the other end, you would have
ip address 1.1.1.9 255.255.255.252

> !
> ip route 0.0.0.0 0.0.0.0 serial0/0
> ip route 0.0.0.0 0.0.0.0 serial0/1
> ip route 0.0.0.0 0.0.0.0 serial1/0

On the other end you would have
ip route 172.16.10.0 255.255.255.0 serial 0/0
ip route 172.16.10.0 255.255.255.0 serial 0/1
ip route 172.16.10.0 255.255.255.0 serial 1/1

>
> !
> !
> ip classless
> no ip http server
> !
> end

Now, this alone isn't going to give true load balancing ... your ip cache is going to make shortcuts to specific hosts so that traffic from client A to server B always goes over the same T1. You need to either turn off ip route cache in the interfaces, or use cef and do per-packet load balancing in the interfaces.

> I tried this config with Cisco's config maker and I get IP address errors on
> the serial ports, specifically being on the same subnet.
> Would this do basic aggregation?

--
---
** Andrew W. Smith ** [EMAIL PROTECTED] ** Senior Network Engineer **
** http://www.neosoft.com/neosoft/staff/andrew ** 1-888-NEOSOFT **
** NeoSoft, Inc. An Internet America Company 1-800-BE-A-GEEK **
** "Opportunities multiply as they are seized" - Sun Tzu **
---

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33603&t=33599
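The addressing point made in the reply above, as an added example that is not code from the thread: a Python check that parses interface stanzas, reports interfaces whose subnets overlap (the error the original /29 addressing triggers), and derives the far-end address of each /30 link. The function names are hypothetical, and the two config excerpts keep only the interface stanzas from the posts.

```python
import ipaddress
import re
from itertools import combinations

# Interface stanzas as posted in the original question (three T1s in one /29).
ORIGINAL_CONFIG = """\
interface Ethernet 0/0
 ip address 172.16.10.1 255.255.255.0
!
interface Serial 0/0
 ip address 1.1.1.2 255.255.255.248
!
interface Serial 0/1
 ip address 1.1.1.3 255.255.255.248
!
interface Serial 1/0
 ip address 1.1.1.4 255.255.255.248
"""

# Addressing suggested in the reply: one /30 per T1.
FIXED_CONFIG = """\
interface Ethernet 0/0
 ip address 172.16.10.1 255.255.255.0
!
interface Serial 0/0
 ip address 1.1.1.2 255.255.255.252
!
interface Serial 0/1
 ip address 1.1.1.6 255.255.255.252
!
interface Serial 1/0
 ip address 1.1.1.10 255.255.255.252
"""

IFACE_RE = re.compile(r"^interface\s+(.+)$", re.IGNORECASE)
ADDR_RE = re.compile(
    r"^ip address\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})$", re.IGNORECASE
)


def parse_interfaces(config):
    """Map each interface name to its IPv4Interface (address plus mask).

    Simplification for this example: a stanza starts at an 'interface' line
    and ends at the next '!' line, so indentation is not required.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        match = IFACE_RE.match(line)
        if match:
            current = " ".join(match.group(1).split())
            continue
        if line == "!":
            current = None
            continue
        match = ADDR_RE.match(line)  # 'no ip address' does not match
        if match and current:
            interfaces[current] = ipaddress.IPv4Interface(
                f"{match.group(1)}/{match.group(2)}"
            )
    return interfaces


def overlapping_pairs(interfaces):
    """Return (name_a, name_b, subnet_a, subnet_b) for each overlapping pair."""
    found = []
    for (a, ia), (b, ib) in combinations(sorted(interfaces.items()), 2):
        if ia.network.overlaps(ib.network):
            found.append((a, b, str(ia.network), str(ib.network)))
    return found


def far_end(iface):
    """Other usable host on a /30 link, or None when the link is not a /30."""
    if iface.network.prefixlen != 30:
        return None
    peers = [host for host in iface.network.hosts() if host != iface.ip]
    # Exactly one peer remains only when iface.ip is itself a usable host.
    return peers[0] if len(peers) == 1 else None


def check(config):
    """Summarise a config: overlapping subnets and the far end of each /30."""
    interfaces = parse_interfaces(config)
    peers = {}
    for name, iface in interfaces.items():
        peer = far_end(iface)
        if peer is not None:
            peers[name] = str(peer)
    return {"overlaps": overlapping_pairs(interfaces), "far_ends": peers}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check(cfg)
        print(label)
        for a, b, net_a, net_b in result["overlaps"]:
            print(f"  overlap: {a} ({net_a}) and {b} ({net_b})")
        for name, peer in result["far_ends"].items():
            print(f"  {name}: far end {peer}")
```
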
RE: Recent One-Day Lab Takers?? [7:33592]
I never actually saw any equipment just a monitor and keyboard. I could hazard a guess though that most of the equipment was Cisco. ;->

-Original Message-
From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
Sent: 29 January 2002 19:29
To: [EMAIL PROTECTED]
Subject: Recent One-Day Lab Takers?? [7:33592]

Hello,

Has anyone in this group taken the new one-day lab recently? Wanted to know what kind of routers did you see, I mean is it now more than 6 routers or still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch, is it still the Cat5?

Just wanted to gather this info. to build a lab and work on it..visualize that I am actually working on the real lab and busting my brains. Thank you Cisco :-)

Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33602&t=33592
RE: Aggregate 3 T1's would this work. [7:33599]
John,

What you want to look at is Cisco Express Forwarding (CEF). It allows load balancing across multiple T1's. For each serial interface you would have your own subnet (such as a /30) to your provider, because the serial interfaces cannot be on the same subnet. Turn on CEF using "ip cef" globally (you may want to ensure you have a recent IOS, as CEF was buggy early on). Then, on each serial interface, issue either "ip load-sharing per-packet" or "ip load-sharing per-destination" depending on how you want the load distributed. To give you the full 4.5Mbps to any one site, use per-packet load balancing.

James Willard, CCNA
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Jones
Sent: Tuesday, January 29, 2002 3:17 PM
To: [EMAIL PROTECTED]
Subject: Aggregate 3 T1's would this work. [7:33599]

I have a configuration question. I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one FastEthernet ports installed. All dedicated T's are from the same ISP. I want to aggregate the three T1's for increased bandwidth (4.5 Mbps) Would I run into issues

Here is my config. Would this work?

!
hostname Cisco3620
!
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Ethernet 0/0
 no description
 ip address 172.16.10.1 255.255.255.0
!
interface Serial 0/0
 no shutdown
 ip address 1.1.1.2 255.255.255.248
!
interface Serial 0/1
 no shutdown
 ip address 1.1.1.3 255.255.255.248
!
interface Serial 1/0
 no shutdown
 ip address 1.1.1.4 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 serial0/0
ip route 0.0.0.0 0.0.0.0 serial0/1
ip route 0.0.0.0 0.0.0.0 serial1/0
!
!
ip classless
no ip http server
!
end

I tried this config with Cisco's config maker and I get IP address errors on the serial ports, specifically being on the same subnet. Would this do basic aggregation?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33600&t=33599
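The same-subnet error discussed in this thread, reproduced as an added example (not code from any poster): the script parses `interface` / `ip address` stanzas, lists interface pairs whose subnets overlap, and derives the far-end address of each /30 link. The two embedded configs are trimmed copies of the addressing posted in the question and of the /30 plan from the earlier reply; the function names are this example's own.

```python
import ipaddress
import re
from itertools import combinations

# Addressing as posted in the question: three serial links inside one /29.
POSTED = """\
interface Ethernet 0/0
 ip address 172.16.10.1 255.255.255.0
interface Serial 0/0
 ip address 1.1.1.2 255.255.255.248
interface Serial 0/1
 ip address 1.1.1.3 255.255.255.248
interface Serial 1/0
 ip address 1.1.1.4 255.255.255.248
"""

# Addressing from the reply in this thread: one /30 per T1.
PER_LINK = """\
interface Ethernet 0/0
 ip address 172.16.10.1 255.255.255.0
interface Serial 0/0
 ip address 1.1.1.2 255.255.255.252
interface Serial 0/1
 ip address 1.1.1.6 255.255.255.252
interface Serial 1/0
 ip address 1.1.1.10 255.255.255.252
"""

IFACE_RE = re.compile(r"^interface\s+(.+?)\s*$", re.IGNORECASE)
ADDR_RE = re.compile(
    r"^ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$",
    re.IGNORECASE,
)


def parse_interfaces(config):
    """Return {interface name: IPv4Interface} for each stanza with an address."""
    found = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        match = IFACE_RE.match(line)
        if match:
            current = match.group(1)
            continue
        match = ADDR_RE.match(line)
        if match and current is not None:
            # ip_interface accepts the dotted netmask form directly.
            found[current] = ipaddress.ip_interface(
                f"{match.group(1)}/{match.group(2)}"
            )
    return found


def find_overlaps(interfaces):
    """Return (name_a, name_b) for every pair of interfaces sharing a subnet."""
    clashes = []
    ordered = sorted(interfaces.items(), key=lambda item: item[0])
    for (name_a, a), (name_b, b) in combinations(ordered, 2):
        if a.network.overlaps(b.network):
            clashes.append((name_a, name_b))
    return clashes


def p2p_peer(iface):
    """Return the far-end host address of a /30 point-to-point link."""
    net = iface.network
    if net.prefixlen != 30:
        raise ValueError(f"{iface} is not on a /30")
    hosts = list(net.hosts())
    if iface.ip not in hosts:
        raise ValueError(f"{iface} is the network or broadcast address")
    return next(host for host in hosts if host != iface.ip)


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("per-link /30", PER_LINK)):
        interfaces = parse_interfaces(text)
        print(label, "overlaps:", find_overlaps(interfaces) or "none")
        for name, iface in interfaces.items():
            if iface.network.prefixlen == 30:
                print(f"  {name}: local {iface.ip}, far end {p2p_peer(iface)}")
```
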
Aggregate 3 T1's would this work. [7:33599]
I have a configuration question. I have 3 dedicated T1's a router 3620 with three T1 CSU/DSU and one FastEthernet ports installed. All dedicated T's are from the same ISP. I want to aggregate the three T1's for increased bandwidth (4.5 Mbps) Would I run into issues

Here is my config. Would this work?

!
hostname Cisco3620
!
!
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Ethernet 0/0
 no description
 ip address 172.16.10.1 255.255.255.0
!
interface Serial 0/0
 no shutdown
 ip address 1.1.1.2 255.255.255.248
!
interface Serial 0/1
 no shutdown
 ip address 1.1.1.3 255.255.255.248
!
interface Serial 1/0
 no shutdown
 ip address 1.1.1.4 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 serial0/0
ip route 0.0.0.0 0.0.0.0 serial0/1
ip route 0.0.0.0 0.0.0.0 serial1/0
!
!
ip classless
no ip http server
!
end

I tried this config with Cisco's config maker and I get IP address errors on the serial ports, specifically being on the same subnet. Would this do basic aggregation?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33599&t=33599
RE: Network Monitoring Tool [7:33544]
Solarwinds works well. But, Cheops is free ;-)

-Original Message-
From: Bond, Jeffrey T [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 2:01 PM
To: 'William Gragido'; [EMAIL PROTECTED]
Subject: RE: Network Monitoring Tool [7:33544]

I would say the best bang for your buck is "Solarwinds Network Monitoring Tools" at solarwinds.net which comes in different flavors depending on your job responsibilities.

Jeff

-Original Message-
From: William Gragido [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Network Monitoring Tool [7:33544]

How much budget do you have? If you have the budget, I'd say that Openview is stellar and for performance monitoring, VitalSuite is outstanding. If money is tight, Cheops works well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kwame
Sent: Monday, January 28, 2002 11:01 PM
To: [EMAIL PROTECTED]
Subject: Network Monitoring Tool [7:33544]

Any recommendation for Network Monitoring Tools?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33597&t=33544
RE: Network Monitoring Tool [7:33544]
I would say the best bang for your buck is "Solarwinds Network Monitoring Tools" at solarwinds.net which comes in different flavors depending on your job responsibilities.

Jeff

-Original Message-
From: William Gragido [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Network Monitoring Tool [7:33544]

How much budget do you have? If you have the budget, I'd say that Openview is stellar and for performance monitoring, VitalSuite is outstanding. If money is tight, Cheops works well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kwame
Sent: Monday, January 28, 2002 11:01 PM
To: [EMAIL PROTECTED]
Subject: Network Monitoring Tool [7:33544]

Any recommendation for Network Monitoring Tools?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33596&t=33544
using BGP private AS [7:33595]
Hi, Everyone:

I saw some examples to use BGP private AS for single ISP redundancy. I was wondering whether I could use it for DMZ. that will disallow customer routes inject to my IGP?

ISP1 ISP2 | | AS200 -AS5400-- AS100

Any suggestion?

Thanks, ~q

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33595&t=33595
Re: css 11000 [7:33498]
I'm not doubting that there is one, but what's the importance of using sticky for http? Fill a gap in my knowledge. I've only ever seen the requirement for sticky for SSL. I've not seen a great deal of load balancing with the CSS 11000's, we use mainly Foundry. What's the role of the "arrowpoint-cookie". Are the servers actually configured to issue cookies? If it's http, don't all proxies mess up your requirement for sticky? Sorry, I'm asking more questions than you did, but trying to understand your problem as I have an interest in this area.

Cheers, Gaz

""John Neiberger"" wrote in message news:[EMAIL PROTECTED]...
> Yes, you can load balance on the SSL Session ID.
>
> John
>
> >>> "Arinze Okafo" 1/29/02 11:07:39 AM >>>
> I don't have ssl enabled in the servers. Currently I am load balancing on port 80. I am not sure using SSL 443 would work since I do not have it on the servers.
>
> Secondly I am using ICMP for keepalive in the services.
>
> Still searching for an answer...
>
> Thanks
> >From: "Gaz"
> >Reply-To: "Gaz"
> >To: [EMAIL PROTECTED]
> >Subject: Re: css 11000 [7:33498]
> >Date: Mon, 28 Jan 2002 18:38:28 -0500
> >
> >What port are you load balancing? If it's SSL, can you load balance based on SSL session ID?
> >
> >Gaz
> >
> >
> >""Arinze Okafo"" wrote in message news:[EMAIL PROTECTED]...
> > > Does anyone have a solution to this problem?
> > >
> > > I have configured a CSS 11000 switch for server load balancing, using the advanced-balance arrowpoint-cookie but some users are having problems with stickiness. These users access the site via a mega-proxy.
> > >
> > > I have also tried to use a sticky-mask 255.255.240.0, without much success .
> > >
> > > Any ideas?
> > >
> > > Thanks Anybody for your help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33594&t=33498
Recent One-Day Lab Takers?? [7:33592]
Hello, Has anyone in this group taken the new one-day lab recently? Wanted to know what kind of routers did you see, I mean is it now more than 6 routers or still just 6? What models? Is it 2 2513's or 2 2504's etc? And the switch, is it still the Cat5? Just wanted to gather this info. to build a lab and work on it..visualize that I am actually working on the real lab and busting my brains. Thank you Cisco :-) Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33592&t=33592
Re: what to do ? (longish) [7:33392]
CSSP?? Is that a new cert regarding MPLS. I know about the new CCIP but CSSP? :-(

>From: "Brad Ellis"
>Reply-To: "Brad Ellis"
>To: [EMAIL PROTECTED]
>Subject: Re: what to do ? (longish) [7:33392]
>Date: Tue, 29 Jan 2002 08:15:05 -0500
>
>Why do you want to complete the other certs? Is there something extra they will do for you that your current standing won't? If not, then go for your CCIE. If the other certs will open other doors for you in your current position (or in the seeking of another position), determine where you would like to be 1yr, 2yr, 5yrs from now and follow that path accordingly (ie, if you want to eventually become a CCIE in Security, then go the CSS1 route, if you want to become a CCIE in C&S go for the CSSP, etc).
>
>Just my personal thoughts.
>
>(also, your post isn't that long...go look in the archives at howard's posts...those are long!)
>
>thanks,
>-Brad Ellis
>CCIE#5796 (R&S / Security)
>Network Learning Inc
>[EMAIL PROTECTED]
>used Cisco gear: www.optsys.net
>CCIE Labs, racks, and classes: http://www.ccbootcamp.com/quicklinks.html
>
>""Johnny McKenzie"" wrote in message news:[EMAIL PROTECTED]...
> > I'm contemplating my next move, finished my CCNP, and am currently studying for my CCIE written. But I'm a long way from being ready for the CCIE lab, probably a year or more. In the meantime, I would like to complete some other cisco certs.
> >
> > So I see some options as follows:
> >
> > Do my DA and DP. Two papers for two certs is pretty tempting. But it is the infamous CID exam, and I'm not sure how much design I'm going to do
> >
> > Follow Ole's footsteps and do CSS1 - Security will always be a good field (thanks for the switching apps Ole)
> >
> > Do the CSSP - And become a MPLS guy - looks like a growth area
> >
> > Study hard and go straight for CCIE R&S
> >
> > And thoughts on other options ?
> >
> >
> > At my new job ( large telco ) I've been looking for an area to upskill and no one has done anything about IPv6. Done some research and it appears that deployment is still in very early stages. Anybody else doing much here ? Could this be a good chance to be first in the door for what will be the biggest upgrade ever ?
> >
> > Thanks for your input
> >
> > Johnny

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33588&t=33392
PIX: Telnet to inside through VPN [7:33589]
How can I telnet to PIX inside interface from the VPN (I.E. from 10.128.128.0 telnet 172.16.3.252). I have tried using telnet command: "telnet 10.128.128.0 inside" but still not working. Can you help me?

Dante

CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *** encrypted
passwd ** encrypted
hostname MAIN
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any
conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any
conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any
conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any
route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong
crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 102
crypto map cmap 2 set peer 200.200.111.2
crypto map cmap 2 set transform-set strong
crypto map cmap 3 ipsec-isakmp
crypto map cmap 3 match address 103
crypto map cmap 3 set peer 200.200.222.2
crypto map cmap 3 set transform-set strong
crypto map cmap 4 ipsec-isakmp
crypto map cmap 4 match address 104
crypto map cmap 4 set peer 200.202.202.2
crypto map cmap 4 set transform-set strong
crypto map cmap 5 ipsec-isakmp
crypto map cmap 5 match address 105
crypto map cmap 5 set peer 205.205.205.2
crypto map cmap 5 set transform-set strong
crypto map cmap inter
RE: PIX % DNS Doctoring [7:33331]
Guys,

Thank you for your help. The problem has been fixed. There was a router filtering the DNS queries.(ip domain-lookup) The DNS is on DMZ and I have created an alias to each server that was using static.

Other problem is: How can I telnet to PIX inside interface from the VPN (I.E. from 10.128.128.0 telnet 172.16.3.252). I have tried using telnet command: "telnet 10.128.128.0 inside" but still not working. Can you help me?

Dante

CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *** encrypted
passwd ** encrypted
hostname MAIN
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any
conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any
conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any
conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any
route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong
crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 102
crypto map cmap 2 set peer 200.200.111.2
crypto map cmap 2 set transform-set strong
crypto map cmap 3 ipsec-isakmp
crypto map cmap 3 match address 103
crypto map cmap 3 set peer 200.200.222.2
crypto map cmap 3 set transform-set strong
crypto map cmap 4 ipsec-isakmp
crypto map cmap 4 match address 104
crypto map cmap 4 set peer 200.202.
Re: Limit access to serial link to four users [7:33306]
Thanks for your comments ideas. One thing - I'm under the impression that the Translation timeout is a sliding window (ie the counter starts when the translation ceases to pass traffic), so wouldn't kick a user until he'd been idle for 60 seconds. Still need to test this, but for some reason I've always had that stuck in my mind.

Cheers, Gaz

""Joseph Brunner"" wrote in message news:[EMAIL PROTECTED]...
> see comments below
>
> -Original Message-
> From: Gaz [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 26, 2002 3:51 PM
> To: [EMAIL PROTECTED]
> Subject: Limit access to serial link to four users [7:33306]
>
> >Hi all,
>
> >I'm after some ideas if you'd be so kind :-)
>
> >A 2Mb link being used mainly for streaming media has about 15 potential users. The task is to limit the number of users at any one time to four, so they have half a Mb each (ish).
>
> All 15 @ once may be able to watch this stream. you should run a test to determine if this is a 300kbps, (DSL cable stream) or a 150Kbps "T-1" stream. if you go to Abcnews.com or some sites to watch video, they expect corporate users to choose a T-1 stream, because they run on a business line which is not exclusively for the streaming.
>
> What I would do is ask people to choose the lower res stream, and enforce this with an aggressive car / traffic shaping policy. It would be nice if this stream uses layer 4 characteristics which will make it easy to classify and apply policy to, however assuming it uses a protocol you don't wish to delay (like tcp 80, http), you can always use car to limit per ip bandwidth for your 15 potential users, this would be easiest if their ip's were in a neat little /28 range)
>
> >My initial idea, which I must admit, I don't think is such a good one is to set up a NAT pool of four addresses, and drag the translation timeout down to about a minute (yet to be tested), so that the first four users to pass traffic will be translated and allowed through, but after that, they'll have to wait.
>
> this can work.. however every minute it would get kicked.. not cool if the stream is long. (you can make sure the potential users are in a specific range and then make a route map, keeping the hosts in their own nat pool, unless your potential users are your only users.
>
> >I'm off to look at something like TACACS to see if I can control network authorization by number of users (shot in the dark).
>
> >No equipment in place yet, so we have a clean drawing board.
>
> >Anybody have any neat ideas please!!
>
> > Thanks,
> > Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33579&t=33306
Re: Traffic-rate shape [7:32072]
OK... I tested everything. I am using FRTS instead of GTS. The config I am using is

!
interface Serial1
 bandwidth 256
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no keepalive
 no fair-queue
 frame-relay traffic-shaping
!
interface Serial1.1 multipoint
 ip address 132.1.21.1 255.255.255.0
 no ip directed-broadcast
 no arp frame-relay
 frame-relay map ip 132.1.21.2 515
!
interface Serial1.2 point-to-point
 bandwidth 64
 ip unnumbered FastEthernet0
 no ip directed-broadcast
 no arp frame-relay
 no cdp enable
 frame-relay interface-dlci 516
  class t64
!
map-class frame-relay t64
 frame-relay traffic-rate 16000 64000
 frame-relay bc 64000
!

Router#sh int ser 1
Serial1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Description:
  MTU 1500 bytes, BW 256 Kbit, DLY 2 usec,
     reliability 255/255, txload 40/255, rxload 6/255
  Encapsulation FRAME-RELAY IETF, loopback not set
  Keepalive not set
  Broadcast queue 0/64, broadcasts sent/dropped 20/0, interface broadcasts 2
  Last input 00:01:25, output 00:00:00, output hang never
  Last clearing of "show interface" counters 3w4d
  Queueing strategy: fifo
  Output queue 0/40, 631 drops; input queue 0/75, 0 drops
  5 minute input rate 7000 bits/sec, 5 packets/sec
  5 minute output rate 12 bits/sec, 6 packets/sec
     6423620 packets input, 648992350 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 96 giants, 0 throttles
     96 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     7910460 packets output, 3812516915 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

Router#sh frame-relay pvc 516
PVC Statistics for interface Serial1 (Frame Relay DTE)
DLCI = 516, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial1.2
  input pkts 5790202       output pkts 7230308      in bytes 543324449
  out bytes 3254580372     dropped pkts 0           in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 0             out DE pkts 0
  out bcast pkts 5         out bcast bytes 380
  pvc create time 3w3d, last time pvc status changed 3w3d
  cir 16000    bc 16000    be 48000    limit 6250    interval 125
  mincir 8000    byte increment 250    BECN response no
  pkts 37256    bytes 5958824    pkts delayed 500    bytes delayed 181477
  shaping inactive
  traffic shaping drops 0
  Serial1.2 dlci 516 is first come first serve default queueing
  Output queue 0/40, 0 drop, 500 dequeued

Router#sh traffic-shape ser 1.2
       Access Target    Byte   Sustain   Excess    Interval  Increment Adapt
I/F    List   Rate      Limit  bits/int  bits/int  (ms)      (bytes)   Active
Se1.2         16000     6250   16000     48000     125       250       -

This is all the statistics, and as you can see is just limiting the inbound traffic, not the outbound. It is working as the GTS. I am using IOS ver 12.0(3)T. What else can I do?

Regards, Joseba Izaga

- Original Message -
From:
To:
Sent: Thursday, January 17, 2002 7:19 PM
Subject: Re: Traffic-rate shape [7:32072]

> Well, unless I'm just suffering from Friday Afternoon Brain, the traffic figures still look weird to me.
> Can you look at the traffic figures from the other end of the PVC? If so, what do they say?
>
> I guess if the txload/rxload figures are for a 5-minute exponential average (which I believe they are) and the 5-minute input/output figures are a normal average (which I'm not sure of), those figures could make sense, but you'd have to have a pretty extreme traffic pattern (which I suppose you could if you've been testing throughput).
>
> What happens if you use FRTS instead of GTS?
>
> JMcL
>
>
> - Forwarded by Jenny Mcleod/NSO/CSDA on 18/01/2002 02:05 pm -
>
>
> "Joseba Izaga"
> Sent by: [EMAIL PROTECTED]
> 18/01/2002 11:54 am
> Please respond to "Joseba Izaga"
>
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Traffic-rate shape [7:32072]
>
>
> s1.1 is not used.
>
> To the physical interface I connected a frame-relay radio-modem configured as Star (multipoint). So s1.1 is just for mapping client units.
>
> s1.1 doesn't have traffic at all.
>
> - Original Message -
> From:
> To:
> Sent: Thursday, January 17, 2002 3:39 PM
> Subject: Re: Traffic-rate shape [7:32072]
>
>
> > Something's a bit odd here.
> > From your 'show int', BW is 256 Kbps, txload is 64/255 (i.e close enough to 64 Kbps for a bandwidth of 256 Kbps), yet the 5-minute output rate is 235 Kbps. Are you sure your bandwidth is configured correctly?
> >
> > Your 'show int' is for the physical interface, so it will include traffic for all sub-interfaces (actually, in my experience, even if you do a 'show int' for the sub-interface, the txload and rxload figures will actually be for
Re: css 11000 [7:33498]
Yes, you can load balance on the SSL Session ID.

John

>>> "Arinze Okafo" 1/29/02 11:07:39 AM >>>
I don't have ssl enabled in the servers. Currently I am load balancing on port 80. I am not sure using SSL 443 would work since I do not have it on the servers.

Secondly I am using ICMP for keepalive in the services.

Still searching for an answer...

Thanks

>From: "Gaz"
>Reply-To: "Gaz"
>To: [EMAIL PROTECTED]
>Subject: Re: css 11000 [7:33498]
>Date: Mon, 28 Jan 2002 18:38:28 -0500
>
>What port are you load balancing? If it's SSL, can you load balance based on SSL session ID?
>
>Gaz
>
>
>""Arinze Okafo"" wrote in message news:[EMAIL PROTECTED]...
> > Does anyone have a solution to this problem?
> >
> > I have configured a CSS 11000 switch for server load balancing, using the advanced-balance arrowpoint-cookie but some users are having problems with stickiness. These users access the site via a mega-proxy.
> >
> > I have also tried to use a sticky-mask 255.255.240.0, without much success .
> >
> > Any ideas?
> >
> > Thanks Anybody for your help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33587&t=33498
Re: css 11000 [7:33498]
I don't have ssl enabled in the servers. Currently I am load balancing on port 80. I am not sure using SSL 443 would work since I do not have it on the servers.

Secondly I am using ICMP for keepalive in the services.

Still searching for an answer...

Thanks

>From: "Gaz"
>Reply-To: "Gaz"
>To: [EMAIL PROTECTED]
>Subject: Re: css 11000 [7:33498]
>Date: Mon, 28 Jan 2002 18:38:28 -0500
>
>What port are you load balancing? If it's SSL, can you load balance based on SSL session ID?
>
>Gaz
>
>
>""Arinze Okafo"" wrote in message news:[EMAIL PROTECTED]...
> > Does anyone have a solution to this problem?
> >
> > I have configured a CSS 11000 switch for server load balancing, using the advanced-balance arrowpoint-cookie but some users are having problems with stickiness. These users access the site via a mega-proxy.
> >
> > I have also tried to use a sticky-mask 255.255.240.0, without much success.
> >
> > Any ideas?
> >
> > Thanks Anybody for your help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33586&t=33498
RE: Assigning an IP address by username [7:33568]
Hi,

the only thing I can think of that might come close to what you want is to use the Cisco IOS DHCP-Server on your 2522, assign a dhcp pool for every single user, and configure manual bindings.

For example, for user John it would look like this:

Router(config)#ip dhcp pool John
Router(config-dhcp)# host address [mask | /prefix-length]
Router(config-dhcp)# hardware-address hardware-address type
or
Router(config-dhcp)# client-identifier unique-identifier
Router(config-dhcp)# client-name John

Just a thought.

Regards,
Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33585&t=33568
RE: Cisco Secure ACS, AP350, and Orinoco AP1000 [7:33571]
Terry,

I found some info on the following website: http://www.tuanistechnology.com/Orinoco/orinoco_ap1000.htm

"Industry-Wide Interoperability and Compliance
The ORiNOCO AP-1000 is interoperable with other manufacturers' high-speed IEEE 802.11b compliant systems. It's also compatible with Lucent's previous 2 Mbit/s and Turbo products."

That sounds like it should at least be compatible with the Cisco A350s. If you follow the link http://www.tuanistechnology.com/pdf_files.htm, you can also download an install guide in .PDF-format.

Hope this might help.

Regards,
Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33582&t=33571
RE: Multilinking more than two ISDN channels [7:33493]
You have several different options. You can make a rotary group or a dialer group/pool (the config posted to the group earlier is a dialer group)

Good Luck,
Ejay

-Original Message-
From: KM Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Multilinking more than two ISDN channels [7:33493]

Steve,

I looked into the multilink-group command. On CCO I found documentation titled Configuring MLP on Multiple ISDN BRI Interfaces. This looks like what I was looking for.

As per the doc it states to enable multilink PPP on multiple ISDN BRI interfaces, I need to set up a dialer rotary interface and configure it for multilink PPP. Then to configure the BRI interfaces separately and add them to the same rotary group.

The example shown is as follows:

interface BRI0
 no ip address
 encapsulation ppp
 dialer idle-timeout 2147483
 dialer rotary-group 0
 dialer load-threshold 1 either
 ppp multilink

interface BRI1
 no ip address
 encapsulation ppp
 dialer idle-timeout 2147483
 dialer rotary-group 0
 dialer load-threshold 1 either
 ppp multilink

interface dialer0
 ip address 10.x.x.x 255.255.255.252
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 2147483
 dialer map ip next-hop name hostname broadcast dial-string
 dialer load-threshold 1 either
 dialer-group 1
 ppp authentication chap
 ppp multilink

It looks like there are a number of ways to configure multilink PPP on multiple BRI interfaces, such as multilink bundle and dialer profiles.

Thank you for your assistance, by pointing out multilink-group, it helped to find the doc.

KM

>From: "Steven A Ridder"
>To: "'KM Reynolds'"
>Subject: RE: Multilinking more than two ISDN channels [7:33493]
>Date: Mon, 28 Jan 2002 18:27:52 -0500
>
>I thought to bundle interfaces together in a multilink group, you needed
>the multilink group # command in each interface and apply that to
>multilink.
>
>-Original Message-
>From: KM Reynolds [mailto:[EMAIL PROTECTED]]
>Sent: Monday, January 28, 2002 6:04 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: Multilinking more than two ISDN channels [7:33493]
>
>Below is the config for the single BRI.
>
>interface BRI0
>no ip address
>encapsulation ppp
>dialer pool-member 1 max-link 2
>isdn spid1 xxx
>isdn spid2 xxx
>isdn switch-type basic-ni
>ppp multilink
>
>interface dialer 1
>ip address 10.x.x.x 255.255.255.252
>encapsulation ppp
>dialer remote-name
>dialer pool 1
>dialer idle-timeout 2147483
>dialer load-threshold 1 either
>dialer-group 1
>ppp authentication chap
>
>If BRI1 was installed. Would you need to configure it the same as BRI0, but
>change the dialer pool-member 1 max-link to 4? Sounds too easy.
>
> >From: "Steven A. Ridder"
> >Reply-To: "Steven A. Ridder"
> >To: [EMAIL PROTECTED]
> >Subject: Re: Multilinking more than two ISDN channels [7:33493]
> >Date: Mon, 28 Jan 2002 17:27:25 -0500
> >
> >How are the Bri's in a multilink group?
> >
> >"MADMAN" wrote in message
> >news:[EMAIL PROTECTED]...
> > > Here ya go, an example that I did some time ago, the 12.1 code was
> > > buggy. The gist of it is you set up a dialer and attach the bri's
> > > via the dialer pool. This may not be on CCO but it works.
> > >
> > > Dave
> > >
> > > KM Reynolds wrote:
> > > >
> > > > No offence, I just thought I was missing something. I have read your emails
> > > > in the past, and I do know you know what you are talking about.
> > > >
> > > > I also know you can bind PRIs, I just haven't heard of multilinking BRIs. I
> > > > looked in the archives and tried searching the Cisco Web Site, but had no
> > > > luck. So I thought it was a good question and posted it.
> > > >
> > > > KM
> > >
> > > David Madland
> > > Sr. Network Engineer
> > > CCIE# 2016
> > > Qwest Communications Int. Inc.
> > > [EMAIL PROTECTED]
> > > 612-664-3367
> > >
> > > "Emotion should reflect reason not guide it"
> > > This config is an ISDN dial backup binding three BRIs together
> > >
> > > 9/2000
> > > !
> > > ! Last configuration change at 14:54:55 UTC Mon Sep 25 2000
> > > ! NVRAM config last updated at 14:55:07 UTC Mon Sep 25 2000
> > > !
> > > version 12.1
> > > service timestamps debug uptime
> > > service timestamps log datetime localtime
> > > no service password-encryption
> > > !
> > > hostname CL_Spokane
> > > !
> > > logging buffered 4096 informational
> > > enable password converge*clpriv
> > > !
> > > username CL_Bristol password 0 converge*clpriv
> > > !
> > > ip subnet-zero
> > > ip cef
> > > no ip domain-lookup
> > > ip host routerA 10.1.254.254
> > > !
> > > ipx routing 0030.945d.35e1
> > > isdn switch-type basic-5ess
> > > !
> > > !interface Loopback0
> > > ip address 10.1.253.253 255.255.255.0
> > > !
> > > interface Loopback100
> > > ip address 50.1.1.1 255.255.255.0
> > > !
> > > interface Serial2/0.21 point-to-point
> > > description PVC to Bristol
> > > ip address 172.31
RE: PIX % DNS Doctoring [7:33331]
I have a dns on inside using static (200.219.100.30 10.128.128.30). The dns database is resolving names to valid IP's. The problem is the workstations from inside can't access these servers using the valid IP's. I found some docs on Cisco site about DNS Doctoring ( http://www.cisco.com/warp/public/110/alias.html ) but in the cisco example the DNS is on outside.

I need that dns to send some zone forward to other dns that is inside the VPN so...if I move that dns (200.219.100.30) to outside interface he will not have access to the network 10.250.0.0 (VPN).

I had the same problem in other situation but I was using Checkpoint Firewall_1 and it works.

Is there some way to make it work (using DNS on inside with static) or do I need to move to outside??

CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *** encrypted
passwd ** encrypted
hostname MAIN
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any
conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any
conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any
conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any
route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong
crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 1
OT - 508 CS for trade or sale (2509 less serial po [7:33534]
I have three cs-508's for sale or trade, and I would like to know if anyone is interested? I am doing this to cut down on the time it would take to sell these and get what I and some study partners need (I let other people use this lab as well). On ebay they are usually selling over $300 and will take $250 in trade or buying it straight out.

Two currently have 2 megs, and one has 10 megs, all have IOS 9.1. I will also send a tftp server if needed, help with configuration, and point you to the area on cisco you need to get 10.3 image for tftp booting (cisco login required). I will also include an AUI transceiver, Cisco Documentation CD-ROM, and a cisco roll cable for configuration.

I have tested these devices and can put them on line for inspection, however one caveat, I had trouble with reverse telnet with two ports on each of these boxes, however I am not sure if I missed something. Please note that I can log into each of the boxes through the console and reverse telnet to at least 6 ports without a problem, so I will guarantee that six of eight ports work on each of these boxes including the uplink port R1.

Items I am looking for specifically in trade to upgrade my lab:

APC Masterswitch or Baytech Ethernet Capable Power Reboot Strip
Cable Modem
Set based Ethernet switch
NP Modules for a cisco 4000M.
8 Meg flash memory modules for 2500 routers.
POTS or ISDN simulator.
ISL cap. router.

I currently have in my lab 2 2504's 16/8, 2 2505's 16/8, 2924, 1800, cs-516, and a 4000 4s,2e 16/8, one open slot, modem dial-in/out and cable modem service. If you think I am missing anything and would like to trade me to upgrade my lab and it is not on my list, please feel free to let me know. I am also open to bigger trades involving some of my lab for some of yours.

Just drop me an e-mail if interested at [EMAIL PROTECTED] if you are interested.

Thanks for your time,
Doug Morrell
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33534&t=33534
RE: BGP and one backup link [7:33433]
Sometimes AS prepending won't work.. your best bet is to telnet to route-views.oregon-ix.net (public route server) and do a show ip bgp with your as # (then you will know who is using your prepended path to get there).

Most likely one peer of your backup link providers sets local pref or metric on a private peering arrangement, thereby nullifying your prepends. Unfortunately there is nothing you can do.. if you were a hi-cap T-3 or larger customer, they might traffic engineer this for you.

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-Original Message-
From: Alejandro Acosta [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 10:36 AM
To: [EMAIL PROTECTED]
Subject: BGP and one backup link [7:33433]

Hi all,

I have a BGP question. In this moment we have one Internet link with just one provider, now, we have got a second link just for backup. I mean, we can only use it for 180 hrs per month.

I can easily manage my outgoing traffic (using local preference or weight), however the incoming traffic is more difficult. I added many prepends (9) in the publication of the second link but there is still a little traffic on it. There is no IBGP between my two providers.

Any ideas?

Thks in advance.

Alejandro Acosta

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33441&t=33433
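The effect described in the reply above, as an added example that is not part of the original thread: a network that sets a higher local preference on routes from the backup provider never gets as far as comparing AS-path lengths, so the prepends change nothing for it. The AS numbers (documentation range), the local-pref values and the function names are assumptions, and each observer is assumed to peer directly with both providers.

```python
"""Simplified BGP best-path choice, seen from networks that hear both paths.

Constructed example: AS numbers are from the documentation range and the
local-pref values are assumptions, not data from the thread. Only the two
decision steps that matter here are modelled: highest LOCAL_PREF first,
then shortest AS_PATH.
"""
from dataclasses import dataclass

CUSTOMER = 64500   # the multihomed site (hypothetical)
PRIMARY = 64501    # main provider (hypothetical)
BACKUP = 64502     # backup-link provider (hypothetical)


@dataclass(frozen=True)
class Route:
    learned_from: int      # neighbour AS that sent the route
    as_path: tuple         # AS_PATH as received
    local_pref: int = 100  # assigned by the receiver's inbound policy


def announce(prepends_on_backup):
    """AS_PATHs for the customer's prefix, one provider hop away."""
    via_primary = (PRIMARY, CUSTOMER)
    via_backup = (BACKUP,) + (CUSTOMER,) * (1 + prepends_on_backup)
    return via_primary, via_backup


def best_path(routes):
    """Highest LOCAL_PREF wins; AS_PATH length only breaks ties."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path)))


def observers_using_backup(prepends, policies):
    """policies: {observer_as: {neighbour_as: local_pref}}.

    Returns the observers whose best path enters through the backup link,
    which is what looking at a public route server tells you in practice.
    """
    via_primary, via_backup = announce(prepends)
    using_backup = []
    for observer, prefs in sorted(policies.items()):
        candidates = [
            Route(PRIMARY, via_primary, prefs.get(PRIMARY, 100)),
            Route(BACKUP, via_backup, prefs.get(BACKUP, 100)),
        ]
        if best_path(candidates).learned_from == BACKUP:
            using_backup.append(observer)
    return using_backup


# Constructed policies for two observing networks.
POLICIES = {
    64510: {},              # default policy: AS_PATH length decides
    64511: {BACKUP: 200},   # private peering, prefers the backup provider
}

if __name__ == "__main__":
    for prepends in (0, 3, 9):
        print(prepends, "prepends ->", observers_using_backup(prepends, POLICIES))
```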
recommended list of MIB objects for IP network [7:33578]
Hi All,

I am trying to design my NMS system for my IP network. The network consists of Cisco 3640 and 7200 routers, some 2924 and 4000 catalyst switches and 5300 access router. We run OSPF and BGP, MPLS in the future.

Does anybody have a recommended list of MIB objects to collect for a start, based on self experience? Any recommended design for grouping those objects into logical Mib object groups?

Thanks in advance for any recommendation,
Yaron

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33578&t=33578
Re: NPE300 in 7206VXR [7:31534]
Also, if there is a MII interface, type setting the media-type on the interface to what type you're using, I recall having a similar problem in the past.

T, TB

--- MADMAN wrote:
> The NPE doesn't have a FE or any port. Do you have a single FE I/O
> card? These are pretty stable though you may want to do a bug search on
> the IOS you're running. Also I wouldn't so quickly reload the router
> before trying to reset the interface, do a shut/no shut and grab a show
> tech and sh log. I have seen here and there on ethernet interface that
> were wedged, the input or output queue would be for example 75/75 or
> 40/40 which should never happen but when it does the interface says it's
> up but nothing works.
>
> my $.02
>
> Dave
>
> travis marlow wrote:
> >
> > Hi everybody, longtime reader, first time poster. Was wondering if anybody
> > has had problems with the fastethernet port on the NPE300 for the 7206VXR
> > platform. Last night for some reason the box was not able to ping the other
> > router that it was connected to via this port. When doing a sh arp it
> > showed the ip I was trying to ping with a mac of INCOMPLETE. All other
> > interfaces to this router were up and passing traffic, after doing the magic
> > "reload", everything was fine. It's weird that this port would just freeze
> > up, it still said up and up on a sh int before the reload. After talking to
> > a buddy, he said that they had had issues with using the fastethernet port
> > on the NPE. I figured I would disseminate this problem to a larger group to
> > see if anybody else had seen this. Thanks.
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33576&t=31534
Re: Mirroring 2 ports on 2 different VLANs through 1 SPAN port [7:33575]
You can not monitor two Vlans with one port. As a general rule you can not monitor two vlans with one sniffer; the port your sniffer is connected to must be in the same vlan you are watching (no multi vlan ports allowed).

It is possible to monitor both vlans at the same time with one sniffer by mirroring to one port for Vlan 10 and mirroring to a second port for Vlan 20 and then connecting a hub to these two ports and sniffing the hub. However, this is not recommended. You need to be aware that this will bridge the two Vlans and basically defeats the purpose of the Vlan.

As for the multi Vlan port. This will assign a port to more than one Vlan. So for example a server could talk to devices on both Vlan 10 and Vlan 20. The multi vlan command will also prevent the use of a trunk on the XL series switches. As a general rule you are better off to do vlan routing to get to your server rather than to connect the server to a multi vlan port.

"Jerry Lu" wrote in message news:[EMAIL PROTECTED]...
> Hello everyone,
>
> I got into a situation here:
>
> Hardware: Cisco Catalyst 2900XL
> ISO: 12.0(5.1)XP
>
> Say interface FE 0/1 is assigned to Vlan 10, and interface FE 0/2 is
> assigned to Vlan 20. Is it possible to make interface FE 0/3 as a SPAN
> port which monitors both FE 0/1 and FE 0/2 ? I need to attach a sniffer
> onto FE 0/3 and analyze the traffic so FE 0/3 could not be a trunk port
> (the sniffer doesn't understand VLAN taggings).
>
> I know under normal circumstance this setup is not allowed (can't monitor
> 2 vlan traffic through 1 port). But is there a work around?
>
> BTW, what's the meaning of the interface commands "switchport multi vlan"?
> If I run this command on an interface, will this interface become a trunk
> port or an access port? I can't seem to find out the detailed explanation
> on this command from Cisco's website.
>
> Thanks for your help!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33575&t=33575
RE: Feasible distance? [7:33557]
This is the way I understand it (if the drawing below doesn't come out right, draw it on paper):

  10  14
A---B---D
|       |
|___C___|
  4   22

Let's say router A is trying to reach router D. It is determined that the best path to get to router D is through router B. This is known as the successor. The feasible distance in this case is the distance from router A to router D when going through router B (let's say it is 24). The advertised distance in this case is the distance from router B to router D (let's say it is 14).

There is a second-best route from router A to router D that goes through router C. The feasible distance in this case is the distance from router A to router D when going through router C (let's say 26). The advertised distance in this case is the distance from router C to router D (let's say 22).

Can the route from router A to router D going through router C become the feasible successor? It can if the advertised distance of the second best route is shorter than the feasible distance of the best route. The advertised distance of the second-best route is 22 and the feasible distance of the best route is 24. So, in this case, the second-best route can be the feasible successor.

HTH,
Shawn K.

-Original Message-
From: Colin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 5:58 AM
To: [EMAIL PROTECTED]
Subject: Feasible distance? [7:33557]

Hi

Just reading about EIGRP @ Cisco's web site and am having difficulty understanding the difference between Feasible distance and Reported distance. Throw a Feasible successor in the mix and now I'm really confused.

Please correct me if I'm wrong but from what I understand, the Reported distance is the total distance to the destination network. So, then what is the Feasible distance?

Thanks
Colin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33573&t=33557
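The feasibility check from the reply above, worked through in code as an added example that is not part of the original thread. It uses the link costs from the drawing, then goes one step further than the post by showing what happens when the successor is lost; the function names and the second topology are assumptions made for illustration.

```python
"""EIGRP feasibility condition on the A/B/C/D costs from the post.

Constructed example; the function names are hypothetical. "Feasible
distance" is used the way the post uses it: the total cost from A to D
through a given neighbour. "Advertised distance" is what that neighbour
reports as its own cost to D.
"""

# Router A's view: {neighbour: (cost A->neighbour, advertised distance)}
POST_TOPOLOGY = {"B": (10, 14), "C": (4, 22)}
# Constructed variant: same total through C (26), but C reports 25.
FAILING_TOPOLOGY = {"B": (10, 14), "C": (1, 25)}


def classify(paths):
    """Pick the successor and list neighbours that pass the feasibility test."""
    totals = {n: link + ad for n, (link, ad) in paths.items()}
    successor = min(sorted(totals), key=totals.get)
    best_fd = totals[successor]
    # Feasibility condition: the neighbour's advertised distance must be
    # strictly lower than our best feasible distance. A neighbour that is
    # closer to D than we are cannot be routing to D through us, so using
    # it as a backup cannot create a loop.
    feasible = sorted(
        (n for n, (_, ad) in paths.items()
         if n != successor and ad < best_fd),
        key=lambda n: totals[n],
    )
    return {
        "successor": successor,
        "fd": best_fd,
        "feasible_successors": feasible,
        "totals": totals,
    }


def on_successor_loss(paths):
    """What router A does when the link to the successor goes down.

    With a feasible successor the route stays passive and the backup is
    installed at once; without one the route goes active and A has to
    query its neighbours.
    """
    info = classify(paths)
    if info["feasible_successors"]:
        return ("passive", info["feasible_successors"][0])
    return ("active", None)


if __name__ == "__main__":
    for name, topo in (("post", POST_TOPOLOGY), ("variant", FAILING_TOPOLOGY)):
        print(name, classify(topo), on_successor_loss(topo))
```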
Re: another OT: [7:33569]
I like the old Cisco better. It's easier to look at.

"paul" wrote in message news:[EMAIL PROTECTED]...
> my apologies,
> here is a better link
> http://web.archive.org/web/*/http://www.cisco.com
> - Original Message -
> From: Jim Dixon
> To: 'paul'
> Sent: Tuesday, January 29, 2002 2:45 PM
> Subject: RE: another OT:
>
> Paul,
>
> I am confused. This is IENG's site.
> What is Cisco4s?
>
> -Original Message-
> From: paul [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 29, 2002 05:01
> To: [EMAIL PROTECTED]
> Subject: another OT: Cisco4s first web site? [7:33558]
>
> Sorry for the way OT content,
> but i thought there should be at least someone interested in seeing Cisco4s
> first site ;)
> http://web.archive.org/web/19961106114149/http://ieng.com/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33572&t=33569
Cisco Secure ACS, AP350, and Orinoco AP1000 [7:33571]
I've got a customer that currently has one Orinoco AP1000 AccessPoint and needs two more AccessPoints to cover the area they want wireless connectivity to. They are interested in using Cisco AP350s (the Orinoco was purchased without anyone giving their blessing - better to ask for forgiveness than ask for permission).

I suggested to them before installing "any" wireless solution - they need some type of authentication and have suggested CiscoSecure ACS 3.0. Does anyone have any experience with putting the three together and actually having a working solution?

By the way - they also purchased the Orinoco Gold PCI cards.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33571&t=33571
RE: Multilinking more than two ISDN channels [7:33493]
Steve,

I looked into the multilink-group command. On CCO I found documentation titled Configuring MLP on Multiple ISDN BRI Interfaces. This looks like what I was looking for.

As per the doc it states to enable multilink PPP on multiple ISDN BRI interfaces, I need to set up a dialer rotary interface and configure it for multilink PPP. Then to configure the BRI interfaces separately and add them to the same rotary group.

The example shown is as follows:

interface BRI0
 no ip address
 encapsulation ppp
 dialer idle-timeout 2147483
 dialer rotary-group 0
 dialer load-threshold 1 either
 ppp multilink

interface BRI1
 no ip address
 encapsulation ppp
 dialer idle-timeout 2147483
 dialer rotary-group 0
 dialer load-threshold 1 either
 ppp multilink

interface dialer0
 ip address 10.x.x.x 255.255.255.252
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 2147483
 dialer map ip next-hop name hostname broadcast dial-string
 dialer load-threshold 1 either
 dialer-group 1
 ppp authentication chap
 ppp multilink

It looks like there are a number of ways to configure multilink PPP on multiple BRI interfaces, such as multilink bundle and dialer profiles.

Thank you for your assistance, by pointing out multilink-group, it helped to find the doc.

KM

>From: "Steven A Ridder"
>To: "'KM Reynolds'"
>Subject: RE: Multilinking more than two ISDN channels [7:33493]
>Date: Mon, 28 Jan 2002 18:27:52 -0500
>
>I thought to bundle interfaces together in a multilink group, you needed
>the multilink group # command in each interface and apply that to
>multilink.
>
>-Original Message-
>From: KM Reynolds [mailto:[EMAIL PROTECTED]]
>Sent: Monday, January 28, 2002 6:04 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: Multilinking more than two ISDN channels [7:33493]
>
>Below is the config for the single BRI.
>
>interface BRI0
>no ip address
>encapsulation ppp
>dialer pool-member 1 max-link 2
>isdn spid1 xxx
>isdn spid2 xxx
>isdn switch-type basic-ni
>ppp multilink
>
>interface dialer 1
>ip address 10.x.x.x 255.255.255.252
>encapsulation ppp
>dialer remote-name
>dialer pool 1
>dialer idle-timeout 2147483
>dialer load-threshold 1 either
>dialer-group 1
>ppp authentication chap
>
>If BRI1 was installed. Would you need to configure it the same as BRI0, but
>change the dialer pool-member 1 max-link to 4? Sounds too easy.
>
> >From: "Steven A. Ridder"
> >Reply-To: "Steven A. Ridder"
> >To: [EMAIL PROTECTED]
> >Subject: Re: Multilinking more than two ISDN channels [7:33493]
> >Date: Mon, 28 Jan 2002 17:27:25 -0500
> >
> >How are the Bri's in a multilink group?
> >
> >"MADMAN" wrote in message
> >news:[EMAIL PROTECTED]...
> > > Here ya go, an example that I did some time ago, the 12.1 code was
> > > buggy. The gist of it is you set up a dialer and attach the bri's
> > > via the dialer pool. This may not be on CCO but it works.
> > >
> > > Dave
> > >
> > > KM Reynolds wrote:
> > > >
> > > > No offence, I just thought I was missing something. I have read your emails
> > > > in the past, and I do know you know what you are talking about.
> > > >
> > > > I also know you can bind PRIs, I just haven't heard of multilinking BRIs. I
> > > > looked in the archives and tried searching the Cisco Web Site, but had no
> > > > luck. So I thought it was a good question and posted it.
> > > >
> > > > KM
> > >
> > > David Madland
> > > Sr. Network Engineer
> > > CCIE# 2016
> > > Qwest Communications Int. Inc.
> > > [EMAIL PROTECTED]
> > > 612-664-3367
> > >
> > > "Emotion should reflect reason not guide it"
> > > This config is an ISDN dial backup binding three BRIs together
> > >
> > > 9/2000
> > > !
> > > ! Last configuration change at 14:54:55 UTC Mon Sep 25 2000
> > > ! NVRAM config last updated at 14:55:07 UTC Mon Sep 25 2000
> > > !
> > > version 12.1
> > > service timestamps debug uptime
> > > service timestamps log datetime localtime
> > > no service password-encryption
> > > !
> > > hostname CL_Spokane
> > > !
> > > logging buffered 4096 informational
> > > enable password converge*clpriv
> > > !
> > > username CL_Bristol password 0 converge*clpriv
> > > !
> > > ip subnet-zero
> > > ip cef
> > > no ip domain-lookup
> > > ip host routerA 10.1.254.254
> > > !
> > > ipx routing 0030.945d.35e1
> > > isdn switch-type basic-5ess
> > > !
> > > !interface Loopback0
> > > ip address 10.1.253.253 255.255.255.0
> > > !
> > > interface Loopback100
> > > ip address 50.1.1.1 255.255.255.0
> > > !
> > > interface Serial2/0.21 point-to-point
> > > description PVC to Bristol
> > > ip address 172.31.254.1 255.255.255.0
> > > ipx network AAA
> > > frame-relay interface-dlci 21
> > > !
> > > interface BRI3/0
> > > description ISDN CKT#__ ISDN backup to routera's BRI3/0
> > > bandwidth 128
> > > no ip address
> > > ip load-sharing per-packet
> > > encapsulation ppp
> > > dialer pool-member 1
> > > isdn switch-type basic-ni
> > > isdn spid1 x11
Re: another OT: [7:33569]
my apologies,
here is a better link
http://web.archive.org/web/*/http://www.cisco.com

- Original Message -
From: Jim Dixon
To: 'paul'
Sent: Tuesday, January 29, 2002 2:45 PM
Subject: RE: another OT:

Paul,

I am confused. This is IENG's site.
What is Cisco4s?

-Original Message-
From: paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 29, 2002 05:01
To: [EMAIL PROTECTED]
Subject: another OT: Cisco4s first web site? [7:33558]

Sorry for the way OT content,
but i thought there should be at least someone interested in seeing Cisco4s first site ;)
http://web.archive.org/web/19961106114149/http://ieng.com/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33569&t=33569
RE: PIX VPDN Static IP addresses [7:33503]
Brian,

Did you try without pool statement,

vpdn group 1 client configuration address local pptp-pool

It will use its current ip. Make sure to nat 0 from inside to client's ip.

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1,ccna,ccda,scsa,scna,mct,mcse,mcp+i,mcp,cni,mcne,cne,cna
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
"Now offering CCIE Security Lab Workbook and remote bootcamp, http://www.hellocomputers.com/hellosuccess.html"

-Original Message-
From: Brian Wilkins [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 28, 2002 1:19 PM
To: [EMAIL PROTECTED]
Subject: PIX VPDN Static IP addresses [7:33503]

Does anyone know if there is a way to specify static IP addresses using PPTP on a PIX firewall? It works fine using a pool defined on the PIX, but I can't seem to find a way to configure static addresses using PPTP.

Thanks,
Brian Wilkins

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33553&t=33503
Assigning an IP address by username [7:33568]
I want to assign IP addresses to my users based on their username and password on the 2522 router. They are connecting through the async lines. So far I was giving IP addresses from the ip pool but because of the rules on the firewall I have to do something like this. Can it be done without an AAA server? Any help will be appreciated?

Best regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33568&t=33568
is it possible to bridge across a tunnel? [7:33567]
ok, I have looked into this, and supposedly the answer is "yes" but the config is "unsupported"

here is the network diagram

10.10.10.x --(R1)--(public network)--(R2)---10.10.10.x

this is supposed to do it but i can't seem to make it work:

>int tunnel 2
>no ip addr
>tunnel source eth 0
>tunnel destination 128.29.183.247
>bridge-group 1

should this work? what will work? anything? do i need to do l2f instead? what did you have for breakfast?

thanks
-Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33567&t=33567
CCIE On-line lab prep [7:33566]
It seems like sometime back in the Fall, someone on the list reviewed a remote lab test/training option. This particular lab was timed and had two portions: the practice lab, and the simulated final lab. You could take the practice lab as many times as you wanted, but you could only take the simulated (and timed) final lab once. I also think the cost of this was around $500.

I looked through the archives and the only thing close to this that I found was Chuck's review of the now defunct Mentor Tech vLab. That didn't seem quite right, but I could be mistaken.

Does anyone recall this review, or know of a similar situation?

Thanks,
Treece

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33566&t=33566
Mirroring 2 ports on 2 different VLANs through 1 SPAN port [7:33565]
Hello everyone,

I got into a situation here:

Hardware: Cisco Catalyst 2900XL
IOS: 12.0(5.1)XP

Say interface FE 0/1 is assigned to Vlan 10, and interface FE 0/2 is assigned to Vlan 20. Is it possible to make interface FE 0/3 a SPAN port which monitors both FE 0/1 and FE 0/2? I need to attach a sniffer onto FE 0/3 and analyze the traffic, so FE 0/3 could not be a trunk port (the sniffer doesn't understand VLAN taggings).

I know under normal circumstances this setup is not allowed (can't monitor 2 vlan traffic through 1 port). But is there a workaround?

BTW, what's the meaning of the interface command "switchport multi vlan"? If I run this command on an interface, will this interface become a trunk port or an access port? I can't seem to find a detailed explanation of this command on Cisco's website.

Thanks for your help!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33565&t=33565
Re: MD5 encrypting vty passwords [7:33533]
That specifies type 7 encryption, you can enable it before or after you configured your vty's. "enable secret " is used to enter password which will be encrypted with MD5. If using MD5 don't use it in conjunction with "enable password " command as that would create another enable password and would make your MD5 password as prone to discoveries as type 7.

"bergenpeak" wrote in message news:[EMAIL PROTECTED]...
> Is the MD5 encryption used when one enables the "service
> password-encryption" before entering the vty password?
>
> What encryption mechanism is used when a password is entered as type 7?
>
> Thanks
>
> "Henry D." wrote:
> >
> > It's not possible to use MD5 on vty's.
> > I suppose the reason would be that MD5 enable
> > password is not all that much more secure than type
> > 7 passwords. When you type them they both are being
> > sent over the network in clear text anyway. The only reason
> > for using MD5 would be so anyone who sees your config
> > wouldn't be able to crack the MD5 password as easily as type 7.
> > But on the other hand, if you have access to the config, you're either
> > already in enabled mode or you store it in insecure place. If insecure
> > place then there may be other ways to break into or your equipment anyways.
> > You see, there is no perfect simple solution, you got to rely on many steps
> > to protect what needs to be protected.
> >
> > "Charlie Wehner" wrote in message news:[EMAIL PROTECTED]...
> > > Is there any way to MD5 encrypt vty passwords?
> > >
> > > If so, how?
> > >
> > > If not, why not?
> > >
> > > Thanks,
> > > Charlie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33564&t=33533
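Added example, not part of the thread and not code from any poster: a small audit that reads an IOS-style configuration and reports how each enable and line password is stored, including the case raised above where an "enable password" sits beside an MD5 "enable secret". The sample config, its placeholder strings and the finding names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample for illustration; not taken from any post in this thread.
# The type 5 and type 7 strings are placeholders, not real encodings.
SAMPLE_CONFIG = """\
no service password-encryption
!
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDER00
enable password 7 00PLACEHOLDER
!
line con 0
 password console-example
 login
line vty 0 4
 password 7 00PLACEHOLDER
 login
!
end
"""


@dataclass(frozen=True)
class Credential:
    line_no: int
    context: str   # "global", or the enclosing "line ..." block
    command: str   # "enable secret", "enable password" or "password"
    storage: str   # "type5", "type7", "cleartext", ...


# [enable] password|secret [level N] [type-digit] value
CRED_RE = re.compile(
    r"^(?P<enable>enable\s+)?(?P<kw>password|secret)\s+"
    r"(?:level\s+\d+\s+)?(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def parse_credentials(config_text):
    """Collect enable and line-level password statements with their storage type."""
    creds, context = [], "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        # An unindented line starts a new block; only "line ..." blocks matter here.
        if raw and not raw[0].isspace():
            context = raw.strip() if raw.startswith("line ") else "global"
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        if m["enable"]:
            command = "enable " + m["kw"]
        elif context != "global" and m["kw"] == "password":
            command = "password"
        else:
            continue
        digit = m["type"]
        if m["kw"] == "secret":
            storage = f"type{digit}" if digit else "unspecified"
        else:
            # Anything not marked type 7 is stored exactly as typed.
            storage = "type7" if digit == "7" else "cleartext"
        creds.append(Credential(line_no, context, command, storage))
    return creds


def audit(config_text):
    """Return (line_no, context, finding) tuples for weakly stored credentials."""
    creds = parse_credentials(config_text)
    has_secret = any(c.command == "enable secret" for c in creds)
    findings = []
    for c in creds:
        if c.storage == "type7":
            # Type 7 is a reversible encoding, not a one-way hash.
            findings.append((c.line_no, c.context, "type7"))
        elif c.storage == "cleartext":
            findings.append((c.line_no, c.context, "cleartext"))
        if c.command == "enable password":
            # A second enable credential stored in a weaker form than the secret.
            kind = ("enable-password-beside-secret" if has_secret
                    else "enable-password-without-secret")
            findings.append((c.line_no, c.context, kind))
    return findings


if __name__ == "__main__":
    for line_no, context, kind in audit(SAMPLE_CONFIG):
        print(f"line {line_no:>2} [{context}] {kind}")
```
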
RE: pix problem [7:33184]
Make sure your dmz network is routed to outside interface of the pix. It seems that you do not want to nat dmz network, if that is not what you want, remove nat(dmz) 0 and add nat(dmz) 1 0 0 statement.

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1,ccna,ccda,scsa,scna,mct,mcse,mcp+i,mcp,cni,mcne,cne,cna
Hello Computers "Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
"Now offering CCIE Security Lab Workbook and remote bootcamp, http://www.hellocomputers.com/hellosuccess.html"

-Original Message-
From: cage [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 25, 2002 6:36 AM
To: [EMAIL PROTECTED]
Subject: pix problem [7:33184]

The following is my configure of pix 525, now the nodes in the dmz can not connect to the outside, why? and do i have to use the NAT command to the traffic from the dmz to the outside. It seems that the pix can't route the dmz traffic to the outside. help me! please!

sh conf
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit tcp any host 202.99.33.69 eq smtp
access-list acl_in permit tcp any host 202.99.33.72 eq www
access-list acl_in permit tcp any host 202.99.33.66 eq domain
access-list acl_in permit tcp any host 202.99.33.67 eq domain
access-list acl_in permit icmp any any
access-list ping_acl permit icmp any any
pager lines 30
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
ip address outside 210.82.34.29 255.255.255.0
ip address inside 192.168.4.1 255.255.255.0
ip address dmz 202.99.33.254 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
pdm history enable
arp timeout 14400
global (dmz) 1 202.99.33.73 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group ping_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3be86ece2c90058e0c9190f986717d63
pixfirewall#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33393&t=33184
Re: PIX % DNS Doctoring [7:33331]
I have a dns on inside using static (200.219.100.30 10.128.128.30). The dns database is resolving names to valid IP's. The problem is the workstations from inside can't access these servers using the valid IP's. I found some docs on Cisco site about DNS Doctoring ( http://www.cisco.com/warp/public/110/alias.html ) but in the cisco example the DNS is on outside.

I need that dns send some zone forward to other dns that is inside the VPN so... if I move that dns (200.219.100.30) to outside interface he will not have access to the network 10.250.0.0 (VPN). I had the same problem in other situation but I was using Checkpoint Firewall_1 and it works.

There is some way to do it work (using DNS on inside with static) or I need to move to outside??

CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *** encrypted
passwd ** encrypted
hostname MAIN
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any
conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any
conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any
conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any
route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong
crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 102
crypto map cmap 2 set peer
OT - Cisco CS-508 for sale or trade (2509 less ser [7:33528]
I have three cs-508's for sale or trade, and I would like to know if anyone is interested? I am doing this to cut down on the time it would take to sell these and get what I and some study partners need (I let other people use this lab as well). On ebay they are usually selling over $300 and will take $250 in trade or buying it straight out.

Two currently have 2 megs, and one has 10 megs, all have IOS 9.1. I will also send a tftp server if needed, help with configuration, and point you to the area on cisco you need to get 10.3 image for tftp booting (cisco login required). I will also include an AUI transceiver, Cisco Documentation CD-ROM, and a cisco roll cable for configuration.

I have tested these devices and can put them on line for inspection, however one caveat, I had trouble with reverse telnet with two ports on each of these boxes, however I am not sure if I missed something. Please note that I can log into each of the boxes through the console and reverse telnet to at least 6 ports without a problem, so I will guarantee that six of eight ports work on each of these boxes including the uplink port R1.

Items I am looking for specifically in trade to upgrade my lab: APC Masterswitch or Baytech Ethernet Capable Power Reboot Strip Cable Modem Set based Ethernet switch NP Modules for a cisco 4000M. 8 Meg flash memory modules for 2500 routers. POTS or ISDN simulator. ISL cap. router.

I currently have in my lab 2 2504's 16/8, 2 2505's 16/8, 2924, 1800, cs-516, and a 4000 4s,2e 16/8, one open slot, modem dial-in/out and cable modem service. If you think I am missing anything and would like to trade me to upgrade my lab and it is not on my list, please feel free to let me know. I am also open to bigger trades involving some of my lab for some of yours.

Just drop me an e-mail if interested at [EMAIL PROTECTED] if you are interested.

Thanks for your time,
Doug Morrell
[EMAIL PROTECTED] [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33528&t=33528
Re: Lab Kit.... [7:33412]
Joe,

Here's what I typically sell/recommend for a minimum CCIE kit:

2x 2501s
2x 2503s (for ISDN)
1x 2511 (reverse telnet AS)
2x or 3x 2513s (TR/Ether)
1x 2522 (frame-switch)
ISDN Simulator
Catalyst 5k switch
3900 TR Switch or 3920 simulator + accessories

I don't think you need quite so many PCs, but I guess it can't hurt if you already have them. If you have a 2900 series switch, make sure it is a 2926 or 2901 that runs the cat5k OS.

thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc
[EMAIL PROTECTED]
used Cisco gear: www.optsys.net
CCIE Labs, racks, and classes: http://www.ccbootcamp.com/quicklinks.html

"Joel Satterley" wrote in message news:[EMAIL PROTECTED]...
> Can anyone advise on the base set of equipment for running test labs as a
> prep for the CCIE lab ?
>
> I'm thinking -
>
> 4 x eth + tok routers (3 with at least one serial + 1 with three or more)
> 2 x Cat switches (2900 + 4000)
> 1 x Token ring switch.
> 3 x PC's
>
> Anything else (apart from modems + ISDN, got plenty of that).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33524&t=33412
RE: PIX % DNS Doctoring [7:33331]
Dante,

Try this document,
http://www.cisco.com/warp/public/110/alias.html

-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
css1,ccna,ccda,scsa,scna,mct,mcse,mcp+i,mcp,cni,mcne,cne,cna
Hello Computers "Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
"Now offering CCIE Security Lab Workbook and remote bootcamp, http://www.hellocomputers.com/hellosuccess.html"

-Original Message-
From: Dante Martins [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 26, 2002 4:58 PM
To: [EMAIL PROTECTED]
Subject: PIX % DNS Doctoring [7:1]

Somebody knows how to do DNS doctoring on PIX? I have the DNS on DMZ with static and the clients workstations are on inside interface.

Dante

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33389&t=1
RE: pix problem [7:33183]
HI,

From below there are a few issues here:

1. Your inside users should not be able to work to the outside but can to the DMZ. There is no translation for them on the outside interface.
2. As for the DMZ - NAT 0 says that there is no translation needed / required. Try changing the NAT ID for the DMZ to "2" for example.
3. Is the routing correct for the DMZ from the router on the outside interface.
4. What do the logs on the firewall say when you try to connect out??

-Original Message-
From: cage [mailto:[EMAIL PROTECTED]]
Sent: 25 January 2002 16:36 PM
To: [EMAIL PROTECTED]
Subject: pix problem [7:33183]

The following is my configure of pix 525, now the nodes in the dmz can not connect to the outside, why? and do i have to use the NAT command to the traffic from the dmz to the outside. It seems that the pix can't route the dmz traffic to the outside. help me! please!

sh conf
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit tcp any host 202.99.33.69 eq smtp
access-list acl_in permit tcp any host 202.99.33.72 eq www
access-list acl_in permit tcp any host 202.99.33.66 eq domain
access-list acl_in permit tcp any host 202.99.33.67 eq domain
access-list acl_in permit icmp any any
access-list ping_acl permit icmp any any
pager lines 30
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
ip address outside 210.82.34.29 255.255.255.0
ip address inside 192.168.4.1 255.255.255.0
ip address dmz 202.99.33.254 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
pdm history enable
arp timeout 14400
global (dmz) 1 202.99.33.73 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group ping_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3be86ece2c90058e0c9190f986717d63
pixfirewall#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33407&t=33183
CCIE R&S Lab Exam Study Guides [7:33323]
Has anyone looked at CCBootCamp's CCIE R&S Lab Exam Study Guides? If you have, do you mind sharing what you think of them? I'm putting together lab study guides to prepare for the lab so your reviews would be most welcome.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33323&t=33323
Re: Limit access to serial link to four users [7:33306]
Darrell,

As you put so much work in to reply I'll post it myself. The formatting has been lost in cut and paste but info all there.

Thanks for your help. I have plenty of ideas to be reading up on.

Thanks,

Gaz

-Original Message-
From: Darrell Newcomb
Sent: 27 January 2002 18:29
To: Gaz
Subject: [Fwd: Re: Limit access to serial link to four users [7:33306]]

Every attempt to send this to the group has failed so I'll just send it to you. I used to be able to post without a problem so I don't know what's happening. Hope this is of some use.

Original Message
Subject: Re: Limit access to serial link to four users [7:33306]
Date: Sat, 26 Jan 2002 14:48:12 -0800
From: Darrell Newcomb
Newsgroups: groupstudy.cisco
References:

I try not to use the below logic on my networks, but have also never had it fail to deliver service when there was no other choice. The common streaming of windows media and real have such large client side buffers that you'll find you can seemingly overload the link without having any user observable qualitative difference.

Some factors which contribute even more to the success of overloading are the bit rate varies as the encoders don't always output the maximum data rate. The fact that most streams on the public internet are short lived, the standard buffers can cover the end of the stream the user is still viewing leaving capacity for other streams to go through their peak startup period. The traditional stat muxing factors come into play where depending upon the application there is some downcycle in streaming usage in the workflow. You only need a 2.5:1 to get 300kbps streams through uncongested.

Lastly I think you are approaching the wrong problem. Non streaming uses for the same 2Mbps link will be the big enemy of predictably good streaming performance. Your application may even be one of those by downloading other supporting data...

To more directly approach the problem space you posed:
-There is xauth in pixOS and I believe IOS as well
-Couple that with a creative authentication server, or script to control it
-The above should get you the max number of sessions through.
-Can't recall the reflexive access lists with CAR ball of wax off the top of my head. But there is some per-session rate limiting in cisco.

There are various rate limiting equipment out there. Riverstone has good affordable routers for this, Netscreen claims to do it (haven't used them yet), and Packeteer also does this type of thing. There is more but I believe them to be the notables.

There are proxy and/or cache products which would address the max number of sessions issue and maybe address the usage pattern you have.

Not that I'd recommend this, but if your application and rest of the network path can adequately support forcing the streams over a tcp session you'll probably find it much easier to deal with the rate limiting. But really try to handle it without forcing tcp as any backoffs will hurt the qualitative performance if there are other significant numbers of tcps over any congested link. (read: IME(nee opinion) tcp will backoff quicker than a given streaming protocol)

Good Luck,
Darrell (always looking for contract work) Newcomb
[EMAIL PROTECTED]

Gaz wrote:
>
> Hi all,
>
> I'm after some ideas if you'd be so kind :-)
>
> A 2Mb link being used mainly for streaming media has about 15
> potential users. The task is to limit the number of users at any one
> time to four, so they have half a Mb each (ish).
>
> My initial idea, which I must admit, I don't think is such a good one
> is to set up a NAT pool of four addresses, and drag the translation
> timeout down to about a minute (yet to be tested), so that the first
> four users to pass traffic will be translated and allowed through, but
> after that, they'll have to wait.
>
> I'm off to look at something like TACACS to see if I can control
> network authorization by number of users (shot in the dark).
>
> No equipment in place yet, so we have a clean drawing board.
>
> Anybody have any neat ideas please!!
>
> Thanks,
>
> Gaz

"Darrell Newcomb" wrote in message news:[EMAIL PROTECTED]...
> If all of my responses get through this will be embarrassing.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33385&t=33306
RE: PIX % DNS Doctoring [7:33331]
I have a DNS on the inside using a static (200.219.100.30 10.128.128.30). The DNS database is resolving names to valid IPs. The problem is that the workstations on the inside can't access these servers using the valid IPs.

I found some docs on the Cisco site about DNS Doctoring ( http://www.cisco.com/warp/public/110/alias.html ) but in the Cisco example the DNS is on the outside. I need that DNS to forward some zones to another DNS that is inside the VPN, so if I move that DNS (200.219.100.30) to the outside interface it will not have access to the network 10.250.0.0 (VPN). I had the same problem in another situation but I was using Checkpoint Firewall_1 and it works.

Is there some way to make it work (using the DNS on the inside with a static) or do I need to move it to the outside?

CONF MAIN PIX

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ1 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password *** encrypted
passwd ** encrypted
hostname MAIN
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 200.219.100.2 255.255.255.0
ip address inside 10.128.159.253 255.255.224.0
ip address DMZ1 10.255.255.254 255.255.224.0
ip address intf3 10.250.11.254 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ1 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 200.219.100.100-200.219.100.199
global (outside) 1 200.219.100.200
global (DMZ1) 1 10.255.224.10-10.255.224.70
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 200.219.100.30 eq www any
conduit permit tcp host 200.219.100.30 eq domain any
conduit permit udp host 200.219.100.30 eq domain any
conduit permit tcp host 200.219.100.31 eq www any
conduit permit tcp host 200.219.100.31 eq domain any
conduit permit udp host 200.219.100.31 eq domain any
conduit permit tcp host 200.219.100.26 eq 161 any
conduit permit tcp host 200.219.100.26 eq 162 any
conduit permit udp host 200.219.100.26 eq snmp any
conduit permit udp host 200.219.100.26 eq snmptrap any
conduit permit tcp host 200.219.100.54 eq domain any
conduit permit udp host 200.219.100.54 eq domain any
conduit permit tcp host 200.219.100.54 eq 22 any
route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside 10.128.128.21
snmp-server location mainsite
snmp-server contact support@mainsite
snmp-server community pixpix
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map cmap 1 ipsec-isakmp
crypto map cmap 1 match address 101
crypto map cmap 1 set peer 200.200.100.2
crypto map cmap 1 set transform-set strong
crypto map cmap 2 ipsec-isakmp
crypto map cmap 2 match address 1