test-do not open [7:35599]

2002-02-16 Thread jhun de leon

TEST




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35599&t=35599
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



test-do not open [7:35598]

2002-02-16 Thread jhun de leon

test




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35598&t=35598



DRAM and FLASH question [7:35600]

2002-02-16 Thread Ronnie

Hi all,

I was wondering if somebody could tell me the secret on Kingston memory and
flash in Cisco Routers.

Where is a good and not so expensive (I'm Dutch ..   :-)) site for
selling these items ?


Thanks in advance ...


Cheers Ronald




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35600&t=35600



Re: Secondary ip address and ip helper-address [7:35601]

2002-02-16 Thread GAHellinger

Make sure your Microcrap server is using a superscope to encompass both your
DHCP scopes.


"J-B" wrote in message news:[EMAIL PROTECTED]...
> Team,
> I have the following problem:
>
> Our network has 10 sites, I am in the process of readdressing current
> network. I have setup secondary ip address on every site, At the present
> time I am setting up a wk2000 dhcp/win server in one site. The problem is
> that I am not able to obtain ip address from the DHCP server via the WAN, it
> works fine in the site where it is located. The layout is the following:
>
> Hub site
>
> interface Ethernet0
>  ip address 192.168.13.1 255.255.255.0 secondary
>  ip address 192.168.1.1 255.255.255.0
>  ip helper-address 192.168.12.17
>  ip directed-broadcast
>  no cdp enable
>
> interface Serial0
>  no ip address
>  ip directed-broadcast
>  encapsulation frame-relay IETF
>  no ip mroute-cache
>  frame-relay lmi-type ansi
>
> interface Serial0.3 point-to-point
>  description Spoke site
>  bandwidth 384
>  ip unnumbered Ethernet0
>  ip helper-address 192.168.12.17
>  ip directed-broadcast
>  frame-relay interface-dlci 26
>
> Spoke site
>
> interface Ethernet0
>  ip address 192.168.12.1 255.255.255.0 secondary
>  ip address 192.168.2.1 255.255.255.0
>
> interface Serial0
>  no ip address
>  encapsulation frame-relay IETF
>  no fair-queue
>  frame-relay lmi-type ansi
> !
> interface Serial0.1 point-to-point
>  description connection to Hub
>  ip unnumbered Ethernet0
>  bandwidth 384
>  frame-relay interface-dlci 16
> !
>
> The ip address of the DHCP server is 192.168.12.17
>
> Be aware that I have not problem pinging to the DHCP server from the Hub
> site.
>
> Team, what I am doing wrong here...HELP
>
>
> Thanks (nothing can replace experience)
>
>
> JB




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35601&t=35601



Re: Secondary ip address and ip helper-address [7:35539]

2002-02-16 Thread bergenpeak

Just a clarification.  It is possible to have multiple subnets on an
interface and configure the DHCP server to assign IPs to any of these
scopes.  No router address flip-flopping or other machinations are
required or needed.

As has been posted, the primary IP address on the interface is *usually*
(see details below) the giaddr placed into the DHCP packet by the relay
agent (router).  Let's assume that the interface doing the IP helpering
has four subnets: P (the primary) and S1, S2, and S3.

On any reasonable DHCP server, one can configure the secondary subnets to
be "secondaries" to the primary in the DHCP config.  So when one
configures their DHCP server, they define the primary subnet information
for P, and then define the information for S1, S2, and S3.  One then ties
these all together by making S1 a "secondary" of P on the DHCP server.
Ditto for S2 and S3.  The manner in which one makes S1, S2, and S3
secondaries is DHCP server dependent.  If you have CNR and want to make
S1 a secondary to P do the following:

1) Define the scope information for P, S1, S2, and S3.  This would entail
defining the range of address to hand out for each scope, the policy
(DHCP attributes, selection tags, etc.)
2) Using the GUI, select the S1 subnet, then "properties" and then the
"advanced" tab.  Half way down, there's a selection box to make this
scope a secondary.  Select this box, and when you do this, you can then
select the primary for this scope.  Select P.  Note, this can also be
done using the CLI.  I believe the attribute name is "primary-scope" (or
something close).  Using the CLI, for scope S1, set its "primary-scope"
attribute to the scope name you defined for subnet P.

Once you've done this, when a packet arrives at the DHCP server with a
giaddr of P, the DHCP server now knows that P and S1, S2, and S3 are all
related.  The DHCP server uses this, and any configurations the operator
has provided to help select the appropriate scope (subnet) and thus IP
for this device.

Doing the above is very common practice in the cable industry.  On any
CMTS cable interface, cable companies will have customer IP subnets (for
PCs) and subnets for cable modems.  CPEs will be assigned globally
routable addresses (net24, net12, etc.) and the cable modems will be
assigned net10 addresses.  The structure defined above is used-- one of
these subnets will be the primary on the CMTS interface and the rest will
be secondaries.  All are tied together on the DHCP server via the
"primary-secondary" logic described above.  Cable operators configure the
DHCP server logic to identify a DHCP request from a modem and map it to
one of the subnet(s) on the interface created for modems.  Ditto for PCs.

Note, above I indicated that the primary address is *usually* the giaddr.
Two caveats to this:

* Cisco changed how the relay helpering works in some IOS revs-- in some
11.x or 12.x revs, the giaddr can cycle through all gateway addresses
assigned on the helpering interface.  That is, when a packet gets
helpered, the router will initially insert the P address as the giaddr.
If the DHCP server does not respond, and the router has helpered 3-4
DISCOVERs on behalf of a source, the 5-8th DHCP DISCOVER packets will get
helpered using a giaddr of S1.  This repeats 3-4 times, and if no DHCP
response is received, S2 is used as the next giaddr.  Note, the router
maintains the state for each source so a new device will get helpered
initially with P as the giaddr.  (I don't recall when cisco enabled this
cycling feature to be the default behavior.  I believe they changed the
default behavior back to only using "P" as the giaddr (I don't recall the
IOS rev).  However, I believe they've added a new knob so that one can
enable this "cycling" "feature" in current IOS revs.)

* On cable infrastructure gear (CMTSs), there are extra knobs to
customize what value is inserted into the giaddr.  One can configure the
CMTS to always use the "P" address as the giaddr or to perform the
cycling (described above).










 


Michael Williams wrote:
> 
> Plus, upon re-reading your post, I don't see an IP helper setup on the eth0
> interface on the spoke router just like you have on the hub router.  You
> need to add that.
> 
> The point of my previous post was to highlight the fact that you need to
> make sure that the primary IP on the eth0 on the spoke router be in the same
> subnet with the IPs you want to hand out via DHCP.  AFAIK, it's not possible
> to service multiple subnets simultaneously on a single interface via
> IP-Helper.  (i.e. I don't think it's possible service any secondary IP
> subnets on eth0 at the spoke site because the IP-Helper uses the primary
> eth0 IP as the source address for the DHCP directed request)
> 
> Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35602&t=35539
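
The primary/secondary scope grouping and the giaddr cycling described in the post above, modelled as an added example (it is not code from the thread, from CNR or from IOS). The class names, the sample subnets, the "selection tag must match, then first scope with a free lease" policy, the wrap-around and the threshold of 4 DISCOVERs are assumptions made for the illustration.

```python
"""Added illustration: giaddr -> scope group -> lease; relay giaddr cycling."""
import ipaddress
from collections import defaultdict


class Scope:
    def __init__(self, name, network, first, last, primary=None, tag=None):
        self.name = name
        self.network = ipaddress.ip_network(network)
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.free = [start + i for i in range(int(end) - int(start) + 1)]
        self.primary = primary  # name of the primary scope; None if primary
        self.tag = tag          # selection tag (assumed: "modem" or "pc")


class DhcpServer:
    def __init__(self, scopes):
        self.scopes = {s.name: s for s in scopes}

    def group_for(self, giaddr):
        """Return the primary scope plus its secondaries for this giaddr."""
        addr = ipaddress.ip_address(giaddr)
        hit = next((s for s in self.scopes.values() if addr in s.network), None)
        if hit is None:
            return []  # giaddr matches no configured scope: nothing to offer
        root = hit.primary or hit.name
        secondaries = [s for s in self.scopes.values() if s.primary == root]
        return [self.scopes[root]] + secondaries

    def offer(self, giaddr, client_class=None):
        """Pick a lease from the whole group, not only the giaddr's subnet."""
        for scope in self.group_for(giaddr):
            if scope.tag not in (None, client_class):
                continue  # operator policy: tag must match the client class
            if scope.free:
                return scope.name, str(scope.free.pop(0))
        return None


class RelayAgent:
    """Router side: which interface address goes into giaddr."""

    def __init__(self, addresses, cycle_after=None):
        self.addresses = addresses      # primary first, then secondaries
        self.cycle_after = cycle_after  # None: always use the primary
        self.sent = defaultdict(int)    # per-client count of relayed DISCOVERs

    def giaddr_for(self, client_mac):
        n = self.sent[client_mac]
        self.sent[client_mac] += 1
        if not self.cycle_after:
            return self.addresses[0]
        # Assumed behaviour: advance one address per cycle_after unanswered
        # DISCOVERs and wrap around at the end of the list.
        return self.addresses[(n // self.cycle_after) % len(self.addresses)]

    def answered(self, client_mac):
        self.sent.pop(client_mac, None)  # a reply resets the client's state


def build_example_server():
    # Constructed sample data: modems on net10 (primary), PCs on two
    # documentation prefixes configured as secondaries of P.
    return DhcpServer([
        Scope("P", "10.1.0.0/24", "10.1.0.10", "10.1.0.11", tag="modem"),
        Scope("S1", "192.0.2.0/24", "192.0.2.10", "192.0.2.11",
              primary="P", tag="pc"),
        Scope("S2", "198.51.100.0/24", "198.51.100.10", "198.51.100.11",
              primary="P", tag="pc"),
    ])


if __name__ == "__main__":
    server = build_example_server()
    relay = RelayAgent(["10.1.0.1", "192.0.2.1", "198.51.100.1"])
    for mac, cls in [("m1", "modem"), ("pc1", "pc"), ("pc2", "pc"), ("pc3", "pc")]:
        giaddr = relay.giaddr_for(mac)
        print(mac, cls, "giaddr", giaddr, "->", server.offer(giaddr, cls))
```

With the giaddr fixed at the primary address, the PCs still receive leases from S1 and then S2, because the server resolves the giaddr to the scope group and applies the tag policy inside it.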

2610 with VIC BRI S/T TE... [7:35604]

2002-02-16 Thread murat emel

Hi everybody;

I configured a 2610 router with VIC-BRI S/T TE and NM-2V voice module for
VoIP applications. The router runs with IOS c2600-is-mz.120-7.XK1. But I
could not manage to make a voice call with the remote site. Actually when I
dial my local number I get too high a dial tone and could not dial the
remote site, and vice versa... The configuration is like below...

!
interface BRI1/0
 no ip address
 no ip directed-broadcast
 isdn switch-type basic-net3
 isdn incoming-voice voice
 isdn sending-complete
 isdn static-tei 0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
 destination-pattern 201
 port 1/0/0
 prefix 0
!
dial-peer voice 2 pots
 destination-pattern 202
 port 1/0/1
!
dial-peer voice 10 voip
 destination-pattern 101
 session target ipv4:X.X.X.X
!

Thanks a lot...

Murat EMEL







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35604&t=35604



The proxy problem with pix 525? [7:35603]

2002-02-16 Thread cage

R--FW--DMZ
   |
  Inside
   |
   Proxy
One proxy is connected to the inside switch connecting to the FW, but
internal users are slow to the outside, but the DMZ users are good. Why? I
think something is wrong with the proxy configuration!
The config is following:


sh conf
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit tcp any host 202.99.33.66 eq domain
access-list 101 permit udp any host 202.99.33.66 eq domain
access-list 101 permit tcp any host 202.99.33.67 eq domain
access-list 101 permit udp any host 202.99.33.67 eq domain
access-list 101 permit tcp any host 202.99.33.69 eq smtp
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
ip address outside 202.99.34.26 255.255.255.248
ip address inside 192.168.4.1 255.255.255.0
ip address dmz 202.99.33.254 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 202.99.33.253 netmask 255.255.255.0
global (dmz) 1 202.99.33.73 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
static (inside,outside) 202.99.33.74 192.168.4.250 netmask 255.255.255.255 0 0
static (inside,dmz) 202.99.33.75 192.168.4.250 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 202.99.34.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:c64047c1918e68b2c5136af635cd2a0d

pixfirewall(config)#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35603&t=35603



OT: Network jobs in Dallas, TX? [7:35608]

2002-02-16 Thread ME

I'm new to the Dallas area and recently laid-off.  I was wondering if folks
here knew of anyone looking for somebody with 10 years network exp. and a
CCIE in the Dallas area?  If so please reply.

Thanks,

Mark Egan, CCIE #8775




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35608&t=35608



Re: TTL and modern (fast) routers [7:35507]

2002-02-16 Thread Chuck

Yes, RFC 1812 is where this is discussed. IIRC, the author notes that all of
the router manufacturers complained that trying to use time rather than hops
was impractical if not impossible from their perspective.

Chuck

"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
> >AFAIK, the TTL gets decremented by one by a router as it passes it on (if
> >it's held under one second), or by the number of seconds it was held if it
> >is held over one second.  I agree that anything more than 1000ms of delay
> >seems outrageous for a single hop these days, but I don't know of anything
> >that has changed that "rule" that both you and I describe.
> >
> >Mike W.
>
> This is off the top of my head, but I think the changing of the rule
> to decrementing the hop count is in RFC 1812. TTL for fragment
> reassembly is a little different.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35610&t=35507



what is wrong with the job market ? [7:35611]

2002-02-16 Thread John Green

seems all jobs have just vanished. well then who runs
the networks and equipment ? it's real bad out there
in the job market. 
any web sites to put the resume ? seems dice, monster,
headhunter are not producing any results.

how long is this going to last ?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35611&t=35611



Re: Secondary ip address and ip helper-address [7:35539]

2002-02-16 Thread Michael Williams

Comments inline..

> Once you've done this, when a packet arrives at the DHCP server with a
> giaddr of P, the DHCP server now knows that P and S1, S2, and S3 are all
> related.  The DHCP server uses this, and any configurations the operator
> has provided to help select the appropriate scope (subnet) and thus IP
> for this device.

I understand the logic of tying the secondary scopes to the primary at the
DHCP side, however if the giaddr always reflects the primary subnet, how does
the DHCP server ever know to hand out addrs from the other secondary scopes?

> Note, above I indicated that the primary address is *usually* the giaddr.
> Two caveats to this:
>
> * Cisco changed how the relay helpering works in some IOS revs-- in some
> 11.x or 12.x revs, the giaddr can cycle through all gateway addresses
> assigned on the helpering interface.  That is, when a packet gets
> helpered, the router will initially insert the P address as the giaddr.
> If the DHCP server does not respond, and the router has helpered 3-4
> DISCOVERs on behalf of a source, the 5-8th DHCP DISCOVER packets will get
> helpered using a giaddr of S1.  This repeats 3-4 times, and if no DHCP
> response is received, S2 is used as the next giaddr.

This "feature" you describe sounds pretty worthless.  If the giaddr is
always from P, and rotates through S1, S2, S3, etc when the DHCP server
doesn't respond, then unless your DHCP server is down or all IPs have been
allotted for subnet P, then the DHCP request will always result in an IP
from the scope for P.

Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35612&t=35539



Re: Easy ways to pick up a few extra minutes on the CCIE lab. [7:35613]

2002-02-16 Thread Chuck

I borrowed some of these from other folks. Some I derived myself. In the
real lab I found myself using some more than others. knowing the various
switches makes these very useful. note that first two lines - for your
initial configuration of routers, this helps immensely, assuming you have
made no typos.

My favorite dumb thing I once did was mistyping exec-timeout 0 4; that one
was real fun to correct.

I should probably add an eigrp command or two. also an alias for "exit" as
several of these aliases don't work unless you are at the
router(config)> prompt

come to think of it, aliases for show access-list and show route-map might
be useful as well. I hesitate for fear that I'll end up spending too much
time creating the list ;->

enable
conf t

no ip domain-lookup
no ip http server
ip classless
ip subnet-zero
ip tcp synwait-time 5

alias configure a access-list
alias configure ae alias exec
alias configure rm route-map
alias configure ro router

ae a show access-list
ae b show ip bgp
ae d show dlsw
ae e show ip eigrp
ae f show frame
ae ib show ip interface brief
ae ip show ip protocol
ae ir show ip route
ae o show ip ospf
ae p show protocol
ae sr show run | begin
ae xb show ipx interface brief
ae ap show ipx route

line con 0
exec-timeout 0 0
privilege level 15



"Wright, Jeremy" wrote in message news:[EMAIL PROTECTED]...
> also, check the groupstudy database...there was a list of aliases that a guy
> put on the list
>
> -Original Message-
> From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 15, 2002 2:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Easy ways to pick up a few extra minutes on the CCIE lab.
> [7:35547]
>
>
> Better than the CTRL+R that I've been using.
>
> > -Original Message-
> > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, February 15, 2002 1:45 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Easy ways to pick up a few extra minutes on the CCIE lab.
> > [7:35541]
> >
> >
> > That's a really good one. I hate it when the console blasts
> > some stupid
> > message at you while you're typing. It still throws me off
> > even though I
> > should be used to it. ;-) Thanks for telling us about this.
> >
> > Priscilla
> >
> > At 02:11 PM 2/15/02, Sean Knox wrote:
> > >I always enter console config and turn on "logging
> > synchronous"; it inserts
> > >a carriage return automatically after system messages show
> > up. Doesn't hurt
> > >to enable it on the vtys either.
> > >
> > >core8500#conf t
> > >Enter configuration commands, one per line.  End with CNTL/Z.
> > >core8500(config)#line con 0
> > >core8500(config-line)#logg sync
> > >
> > >-Original Message-
> > >From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
> > >Sent: Friday, February 15, 2002 10:32 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: Easy ways to pick up a few extra minutes on the CCIE lab.
> > >[7:35523]
> > >
> > >
> > >no ip domain-lookup  (how do you spell pnig again)
> > >terminal escape-char 3  (Press Ctrl-c to break out of ping & Telnet)
> > >
> > >Anybody got others?
> > 
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35613&t=35613



Re: Easy ways to pick up a few extra minutes on th [7:35580]

2002-02-16 Thread Chuck

for some reason, the Lab proctors frown on people installing their own
software on their terminals. ;->

I've been told that they frown on people even saving things like their
notepad files to the computers in the lab. I don't recall any instruction
one way or another on this one. I do vaguely recall one proctor saying that
if somehow you hack your way to the internet, and they catch you, you will
be disqualified immediately.

Chuck


"Ozzie Sutcliffe" wrote in message news:[EMAIL PROTECTED]...
> Can you use terraTerm instead of hyperterm ?
> If so set the scroll buffer to 10,000 lines this way you have a complete
> history by scrolling up the gui in terra term
>
> oz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35614&t=35580



Re: Secondary ip address and ip helper-address [7:35601]

2002-02-16 Thread Chuck

One must be wary of using secondary addresses. As has been discussed here
many a time, in many a context, secondary addressing on routers is
problematic. Adjacencies in various routing protocols do not form. Routes do
not get exchanged.

In general, the router will use the primary address as its source for lots
of things, including DHCP forwarding.

one solution to the particular problem might be to use the router itself as
the local DHCP server.

Chuck


"GAHellinger" wrote in message news:[EMAIL PROTECTED]...
> Make sure your Microcrap server is using a superscope to encompass both your
> DHCP scopes.
>
>
> "J-B" wrote in message news:[EMAIL PROTECTED]...
> > Team,
> > I have the following problem:
> >
> > Our network has 10 sites, I am in the process of readdressing current
> > network. I have setup secondary ip address on every site, At the present
> > time I am setting up a wk2000 dhcp/win server in one site. The problem is
> > that I am not able to obtain ip address from the DHCP server via the WAN, it
> > works fine in the site where it is located. The layout is the following:
> >
> > Hub site
> >
> > interface Ethernet0
> >  ip address 192.168.13.1 255.255.255.0 secondary
> >  ip address 192.168.1.1 255.255.255.0
> >  ip helper-address 192.168.12.17
> >  ip directed-broadcast
> >  no cdp enable
> >
> > interface Serial0
> >  no ip address
> >  ip directed-broadcast
> >  encapsulation frame-relay IETF
> >  no ip mroute-cache
> >  frame-relay lmi-type ansi
> >
> > interface Serial0.3 point-to-point
> >  description Spoke site
> >  bandwidth 384
> >  ip unnumbered Ethernet0
> >  ip helper-address 192.168.12.17
> >  ip directed-broadcast
> >  frame-relay interface-dlci 26
> >
> > Spoke site
> >
> > interface Ethernet0
> >  ip address 192.168.12.1 255.255.255.0 secondary
> >  ip address 192.168.2.1 255.255.255.0
> >
> > interface Serial0
> >  no ip address
> >  encapsulation frame-relay IETF
> >  no fair-queue
> >  frame-relay lmi-type ansi
> > !
> > interface Serial0.1 point-to-point
> >  description connection to Hub
> >  ip unnumbered Ethernet0
> >  bandwidth 384
> >  frame-relay interface-dlci 16
> > !
> >
> > The ip address of the DHCP server is 192.168.12.17
> >
> > Be aware that I have not problem pinging to the DHCP server from the Hub
> > site.
> >
> > Team, what I am doing wrong here...HELP
> >
> >
> > Thanks (nothing can replace experience)
> >
> >
> > JB




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35615&t=35601



Re: Easy ways to pick up a few extra minutes on th [7:35580]

2002-02-16 Thread Ozzie Sutcliffe

So everything is telnet then I guess..If so which telnet client..
Ok troops we need to get Cisco to put terra term on the docs CD rom hey it's
freeware.
Also the terminals are *nix windoze sparky or ???

Oz


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35616&t=35580



Re: what is wrong with the job market ? [7:35611]

2002-02-16 Thread Paul Borghese

Go to the GroupStudy Jobs discussion group (Web, newsfeed or mailing list).
There are a number of recruiters who can help.

Best of luck!

Paul
- Original Message -
From: "John Green" 
To: 
Sent: Saturday, February 16, 2002 11:16 AM
Subject: what is wrong with the job market ? [7:35611]


> seems all jobs have just vanished. well then who runs
> the networks and equipment ? it's real bad out there
> in the job market.
> any web sites to put the resume ? seems dice, monster,
> headhunter are not producing any results.
>
> how long is this going to last ?
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35618&t=35611



CCDA exam Sucked and now the CID exam? [7:35619]

2002-02-16 Thread ko haag

Hi all,

I just took the CCDA exam and it really sucked!  The boson exam did not
help at all and I have all of them.  Lucky for me I still passed.  The
Cisco press helped but doesn't cover most of the areas.  Most of the
test was just reading, understanding and assuming what should be done.

Now, is the CID exam going to be in the same format?  Any ideas out
there what study material should I use.

Ko, CCNA,CCNP,CCDA..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35619&t=35619



RE: Slightly OT: SSH Poll [7:35505]

2002-02-16 Thread Kent Hundley

John,

I _always_ recommend using ssh instead of telnet wherever possible.  In
fact, I can't think of a single good reason not to use it for in-band
management.  I'm not sure I understand what you mean by it being a pain
since you change passwords often.  I don't see how using ssh is any more of
a pain than using telnet, and it's certainly more secure.

I have seen clients whose security policies dictated the use of ssh or, if
that were not possible, use of 2-factor authorization such as securid.  I
suspect most organizations are moving to the use of ssh or have plans to do
so if they are in the least bit security conscious.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Neiberger
Sent: Friday, February 15, 2002 8:07 AM
To: [EMAIL PROTECTED]
Subject: Slightly OT: SSH Poll [7:35505]


I'm wondering how many of you are involved in networks that use SSH
exclusively for router access.  Since we're in the financial sector,
external auditors continually suggest that this is necessary.  While
it's probably not a bad idea, I personally feel it's more of a pain than
it's worth, especially considering how often we change the passwords.
But that's another matter altogether...

So, are any of you using SSH exclusively in fairly large networks?  If
so, has it been working well for you?

Thanks,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35620&t=35505



Re: CCDA exam Sucked and now the CID exam? [7:35619]

2002-02-16 Thread Ronald James

How will you succeed if you don't have lots of reading before you get into
real practical...??  huh...
You got the point, one reference book is not enough.
The CID book from ciscopress is pretty good; again, find something else too,
such as the cisco website, it has lots of materials, that's my
recommendation.


"ko haag" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> I just took the CCDA exam and it really sucked!  The boson exam did not
> help at all and I have all of them.  Lucky for me I still passed.  The
> Cisco press helped but doesn't cover most of the areas.  Most of the
> test was just reading, understanding and assuming what should be done.
>
> Now, is the CID exam going to be in the same format?  Any ideas out
> there what study material should I use.
>
> Ko, CCNA,CCNP,CCDA..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35621&t=35619



Re: RE: Slightly OT: SSH Poll [7:35505]

2002-02-16 Thread John Neiberger

When I said that it was a pain it meant that we'll have to 
change some things operationally which, like most other 
security measures, make things a little more difficult.  Just 
minor issues, no big deal.  One example might be that if I go 
to a remote site to do some work, I may not normally take a 
laptop as I could simply telnet in from a workstation.  That 
capability would go away.  Like I said, not a big deal at all.

It seems that the primary reason we might use SSH--and the 
reason mentioned by auditors--is to avoid sending passwords in 
the clear.  However, as someone else mentioned, the version of 
SSH supported by Cisco sends passwords in the clear!  If that's 
not the case, please let me know.

The other issue that I discovered after I made the original 
post is that the 2500 series does not appear to support SSH and 
we have mostly 2500s at our remote sites.  Again, if I'm 
mistaken there please let me know.

Many thanks!

Regards,
John

http://neiby.home.attbi.com

 On Sat, 16 Feb 2002, Kent Hundley 
([EMAIL PROTECTED]) wrote:

> John,
>
> I _always_ recommend using ssh instead of telnet wherever possible.  In
> fact, I can't think of a single good reason not to use it for in-band
> management.  I'm not sure I understand what you mean by it being a pain
> since you change passwords often.  I don't see how using ssh is any more
> of a pain than using telnet, and it's certainly more secure.
>
> I have seen clients whose security policies dictated the use of ssh or,
> if that were not possible, use of 2-factor authorization such as securid.
> I suspect most organizations are moving to the use of ssh or have plans to
> do so if they are in the least bit security conscious.
>
> Regards,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> John Neiberger
> Sent: Friday, February 15, 2002 8:07 AM
> To: [EMAIL PROTECTED]
> Subject: Slightly OT: SSH Poll [7:35505]
>
>
> I'm wondering how many of you are involved in networks that use SSH
> exclusively for router access.  Since we're in the financial sector,
> external auditors continually suggest that this is necessary.  While
> it's probably not a bad idea, I personally feel it's more of a pain than
> it's worth, especially considering how often we change the passwords.
> But that's another matter altogether...
>
> So, are any of you using SSH exclusively in fairly large networks?  If
> so, has it been working well for you?
>
> Thanks,
> John







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35623&t=35505



redistribution and tags [7:35624]

2002-02-16 Thread Scott H.

At what point during redistribution is a route-map processed?  In other
words, if I want to redistribute from EIGRP (supports tags) to IGRP (doesn't
support tags) can I match tags in the route map and then let those routes go
into IGRP?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35624&t=35624



Re: redistribution and tags [7:35624]

2002-02-16 Thread Chuck

Route maps are essentially built around an "if then else(if)" logic. the
point of their activation is the point of their inception.

therefore if you were to have a route-map such as:

route-map eigrp_tag_igrp permit 10
 match tag X
 set metric 1 100 255 1 1500

and the redistribute statement:

router igrp 100
redistribute eigrp 50 route-map eigrp_tag_igrp

then the logic flow is:

1) take a route learned from eigrp 50
2)if the tag for that route is X then set the metric as stated and
redistribute it into IGRP 100
3) else don't redistribute

in this case, only those routes with a tag of X learned from eigrp 50 will
be redistributed into igrp ( subject to the classfulness of the route )

sometimes it can be a little difficult to determine where exactly things
happen in the various processes on a router. for example, linear
redistribute seems not to occur at all, even if that does not seem logical.
( can't redistribute from rip to igrp to ospf on the same router, not and
get anything coherent or predictable as a result ) however, in this case,
the logic appears to be straightforward, so far as I can tell.

HTH

Chuck

"Scott H." wrote in message
news:[EMAIL PROTECTED]...
> At what point during redistribution is a route-map processed?  In other
> words, if I want to redistribute from EIGRP (supports tags) to IGRP
> (doesn't support tags) can I match tags in the route map and then let
> those routes go into IGRP?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35625&t=35624



Re: Secondary ip address and ip helper-address [7:35539]

2002-02-16 Thread bergenpeak

Hi Mike,

Responses inline:

> I understand the logic of tying the secondary scopes to the primary at the
> DHCP side, however if the giaddr always reflects the primary subnet, how
> would the DHCP server ever know to hand out addrs from the other secondary
> scopes?

On the DHCP server, one configures the S1, S2, and S3 scopes to be "related"
to the P scope.  The DHCP server then knows that the four different subnets
on this interface are related through P.  When the DHCP server receives a
DHCP DISCOVER with P as the giaddr, the above linkage indicates to the DHCP
server that four subnets are on the same router interface.

Without any additional logic, the DHCP server could randomly pick a free IP
address from any of these four scopes, and send the selected IP in the DHCP
OFFER.  Note that the DHCP server will send the DHCP OFFER (and ACK) to the
giaddr IP (P).  The router receives the DHCP packet, knows what interface
it's associated with (P), and forwards it out the interface accordingly.

Also note that the DHCP server will likely also return other DHCP
information in the OFFER, including default gateway, subnet mask, DNS server
IPs and domain information.  The default gateway and subnet mask will be
specific to the scope from which the IP was selected.

Now, one could configure extra smarts into the DHCP server so that based
on the device making the DHCP request, the DHCP server could assign the
device an address out of one specific scope.   Some devices will use DHCP
Option 60 to inform the DHCP server of its device type.   The DHCP
server can be configured to use this information to help it select which
of the scopes on the interface are applicable for this device.  There are
other mechanisms that can also be used by the DHCP server to help determine
how to select which scope the DHCP request should be mapped to (device MAC
address or OUI, DHCP Option 82, etc.)


> This "feature" you describe sounds pretty worthless.  If the giaddr is
> always from P, and rotates through S1, S2, S3, etc when the DHCP server
> doesn't respond, then unless your DHCP server is down or all IPs have been
> allotted for subnet P, then the DHCP request will always result in an IP
> from the scope for P.

I think the idea for this cycling feature is as follows:  If one wanted to
assign multiple subnets onto an interface and these subnets are configured
to have their IPs assigned via DHCP, then you have the problem discussed in
this thread.  I expect that there are some off-the-shelf DHCP servers which
didn't have the ability to logically associate multiple subnets together.
That is, the DHCP server had the limitation that each scope had to appear
as if it was on its own interface.  In this sort of environment, the only
way for the DHCP server to match any of the secondary subnets was if it saw
a giaddr from one of these secondary subnets.   If the router only ever
inserted the P address in the giaddr, none of the other scopes would ever
be matched.  This cycling approach causes the giaddr to change and rotate
through all the subnets on the interface.

As mentioned before, Cisco now has a command which allows one to specify the
DHCP relay behavior (i.e. always use the primary address or cycle through all
subnets on the interface).  This command is called "ip dhcp smart-relay".

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122csum/csum1/122csip1/1sfdhcp.htm#xtocid1563023

So in answer to the original poster's question, this command could be used
to solve his/her problem.  Of course, one needs to be running the right IOS
rev and this approach will take 10s of seconds or minutes for the device
to come online (as the DHCP cycling happens).   Configuring the interfaces
to be related on the DHCP server is really the way to go (IMO).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35626&t=35539
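
The scope selection described in the post above, modelled in Python as an added example (not code from the thread or from any DHCP server). The `Scope`, `DhcpServer` and `relay` names, the small address pools, the `constructed-phone` Option 60 value and the three tries per giaddr are assumptions made for illustration.

```python
import ipaddress


class Scope:
    """One DHCP scope: a subnet, its default gateway and its free addresses."""

    def __init__(self, name, subnet, router, pool):
        self.name = name
        self.subnet = ipaddress.ip_network(subnet)
        self.router = router
        self.free = list(pool)


class DhcpServer:
    def __init__(self, scopes, related=(), class_policy=None):
        self.scopes = {s.name: s for s in scopes}
        # Each group lists scopes that share one router interface (a superscope).
        self.related = [set(group) for group in related]
        # Option 60 vendor class -> scope name (policy values are assumptions).
        self.class_policy = class_policy or {}

    def _candidates(self, giaddr):
        addr = ipaddress.ip_address(giaddr)
        home = next((s for s in self.scopes.values() if addr in s.subnet), None)
        if home is None:
            return []  # giaddr matches no scope: the server stays silent
        group = next((g for g in self.related if home.name in g), {home.name})
        # A real server may pick at random; this model tries the giaddr's own
        # scope first, then the related scopes in name order.
        return [home] + [self.scopes[n] for n in sorted(group - {home.name})]

    def discover(self, giaddr, vendor_class=None):
        """Return an OFFER dict, or None when nothing can be offered."""
        candidates = self._candidates(giaddr)
        wanted = self.class_policy.get(vendor_class)
        if wanted is not None:
            candidates = [s for s in candidates if s.name == wanted]
        for scope in candidates:
            if scope.free:
                return {
                    "yiaddr": scope.free.pop(0),
                    "mask": str(scope.subnet.netmask),  # specific to the chosen scope
                    "router": scope.router,             # specific to the chosen scope
                    "scope": scope.name,
                    "sent_to": giaddr,                  # reply goes back to the relay
                }
        return None


def relay(server, interface_addrs, vendor_class=None, smart_relay=False, tries=3):
    """Relay DISCOVERs; with smart_relay the giaddr moves on to the next
    interface address after `tries` unanswered attempts (count is assumed).
    Returns (offer_or_None, discovers_sent)."""
    giaddrs = interface_addrs if smart_relay else interface_addrs[:1]
    sent = 0
    for giaddr in giaddrs:
        for _ in range(tries):
            sent += 1
            offer = server.discover(giaddr, vendor_class)
            if offer:
                return offer, sent
    return None, sent


# Constructed addressing: primary P and one secondary S1 on the same interface.
INTERFACE_ADDRS = ["192.168.1.1", "192.168.13.1"]


def build_server(related, p_pool):
    scopes = [
        Scope("P", "192.168.1.0/24", "192.168.1.1", p_pool),
        Scope("S1", "192.168.13.0/24", "192.168.13.1",
              ["192.168.13.10", "192.168.13.11"]),
    ]
    return DhcpServer(scopes, related, class_policy={"constructed-phone": "S1"})


if __name__ == "__main__":
    # P is exhausted in all three runs; only the server/relay setup differs.
    print(relay(build_server([("P", "S1")], []), INTERFACE_ADDRS))
    print(relay(build_server([], []), INTERFACE_ADDRS))
    print(relay(build_server([], []), INTERFACE_ADDRS, smart_relay=True))
```

With the scopes related on the server, the first DISCOVER is answered from S1 even though the giaddr is P; without that relation the client only gets an address once the relay has cycled its giaddr.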



RE: syslog message with UDP CRC error [7:35177]

2002-02-16 Thread Jake Nesbitt

This is a documented bug in the version of IOS that you are running.  The
workaround is to change the source interface for syslog messages to another
interface than the one currently sending the syslog messages.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Christophe Nemeth
Sent: Tuesday, February 12, 2002 5:23 AM
To: [EMAIL PROTECTED]
Subject: syslog message with UDP CRC error [7:35177]


Hi,

I have a 2620 running IOS Version 12.1(5)with FW feature set running.
I am trying to send syslog to an Information Security Management tool
(Netforensics) to the standard syslog port UDP 514.
The messages arrive to the destination device, I can see them with tcpdump,
but netforensics cannot read them.
Checking the packets in more detail, I see that all packets are coming with
a CRC error.
With all the other routers I have, it works properly.
Has anybody already experienced that?

thanks for your input.

chris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35627&t=35177



Dening telnet access [7:35628]

2002-02-16 Thread McHugh Randy

Access list problem:

Why does this extended access list not work to deny telnet access applied to
the internet interface on a 2514?

Extended IP access list 199
deny tcp any any eq telnet

interface Ethernet0

ip access-group 199 in

I have a lot more statements than this and of course the statement
access-list 199 permit ip any any

to take care of the implicit deny all, but I can still access the router
from the internet through telnet.
Anyone have any ideas what else might be needed to prevent or selectively
allow telnet access to my router.
Thanks,
Randy


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35628&t=35628



RE: DRAM and FLASH question [7:35600]

2002-02-16 Thread Joseph Brunner

www.memoryx.net

great prices, selection

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax



-Original Message-
From: Ronnie [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 6:38 AM
To: [EMAIL PROTECTED]
Subject: DRAM and FLASH question [7:35600]


Hi all,

I was wondering if somebody good tell me the secret on Kingston memory and
flash in Cisco Routers.

Where is a good and not so expensive (I'm Dutch ..   :-)) site for
selling these items ?


Thanks in advanced ...


Cheers Ronald




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35622&t=35600



RE: DRAM and FLASH question [7:35600]

2002-02-16 Thread Ozzie Sutcliffe

talk to Brad

oz


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35606&t=35600



Re: The proxy problem with pix 525? [7:35603]

2002-02-16 Thread ME

It's always a good idea to hard-code speed and duplex settings.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

"cage" wrote in message
news:[EMAIL PROTECTED]...
> R--FW--DMZ
>|
>   Inside
>|
>Proxy
> One proxy is connected to the inside switch connecting to the FW, but
> internal users are slow to the outside, but the DMZ users are good. Why? I
> think something is wrong with the proxy configuration!
> The config is following:
>
>
> sh conf
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> nameif ethernet3 intf3 security15
> nameif ethernet4 intf4 security20
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 101 permit tcp any host 202.99.33.66 eq domain
> access-list 101 permit udp any host 202.99.33.66 eq domain
> access-list 101 permit tcp any host 202.99.33.67 eq domain
> access-list 101 permit udp any host 202.99.33.67 eq domain
>
>
> access-list 101 permit tcp any host 202.99.33.69 eq smtp
> pager lines 24
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> interface ethernet3 auto shutdown
> interface ethernet4 auto shutdown
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu intf3 1500
> mtu intf4 1500
> ip address outside 202.99.34.26 255.255.255.248
> ip address inside 192.168.4.1 255.255.255.0
> ip address dmz 202.99.33.254 255.255.255.0
> ip address intf3 127.0.0.1 255.255.255.255
> ip address intf4 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
>
>
> failover ip address dmz 0.0.0.0
> failover ip address intf3 0.0.0.0
> failover ip address intf4 0.0.0.0
> pdm history enable
> arp timeout 14400
> global (outside) 1 202.99.33.253 netmask 255.255.255.0
> global (dmz) 1 202.99.33.73 netmask 255.255.255.0
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
> static (inside,outside) 202.99.33.74 192.168.4.250 netmask 255.255.255.255 0 0
> static (inside,dmz) 202.99.33.75 192.168.4.250 netmask 255.255.255.255 0 0
> access-group 101 in interface outside
> route outside 0.0.0.0 0.0.0.0 202.99.34.30 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> no floodguard enable
> no sysopt route dnat
>
>
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> Cryptochecksum:c64047c1918e68b2c5136af635cd2a0d
>
> pixfirewall(config)#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35605&t=35603



RE: DRAM and FLASH question [7:35600]

2002-02-16 Thread McHugh Randy

I bought some regular 72 pin simms to upgrade my memory on a 2514 from a
local computer store for $16 for 15mg of dram and it worked fine. I bought
an additional 8mg of flash for 40 on ebay but you might be able to get it
cheaper. Good luck!
Randy


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35629&t=35600



RE: Dening telnet access [7:35628]

2002-02-16 Thread s vermill

Not sure of your network topology but it looks as if all you have done is to
prevent users on the ethernet interface from using telnet.  You can apply an
'access-class' (which works identically to access-group on a physical
interface) to your vty lines to restrict telnet access from outside into
your router.

ex:

router(config)#line vty 0 4
router(config-line)#access-class 99 in

router(config)#access-list 99 permit 1.1.1.1



McHugh Randy wrote:
> 
> Access list problem:
> 
> Why does this extended access list not work to deny telnet
> access applied to the internet interface on a 2514?
> 
> Extended IP access list 199
> deny tcp any any eq telnet
> 
> interface Ethernet0
> 
> ip access-group 199 in
> 
> I have a lot more statements than this and of course the statement
> access-list 199 permit ip any any
> 
> to take care of the implicit deny all, but I can still access
> the router from the internet through telnet.
> Anyone have any ideas what else might be needed to prevent or
> selectively allow telnet access to my router.
> Thanks,
> Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35630&t=35628



Increasing or decreasing log buffer size [7:35631]

2002-02-16 Thread McHugh Randy

Does anyone know how to increase or decrease the log buffer size on the
router? Is the buffer just written over once it fills up?

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0
flushes, 0 overruns)
Console logging: level debugging, 98303 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 98303 messages logged
Logging Exception size (4096 bytes)
Trap logging: level informational, 98307 message lines logged
  
Log Buffer (4096 bytes):

Thank you,
Randy


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35631&t=35631



Re: Increasing or decreasing log buffer size [7:35631]

2002-02-16 Thread John Neiberger

logging buffered [buffer size (bytes)]

When the buffer gets full, oldest events are dropped in favor 
of new events.

Regards,
John

http://neiby.home.attbi.com





On Sat, 16 Feb 2002, McHugh Randy ([EMAIL PROTECTED]) wrote:

> Does anyone know how to increase or decrease the log buffer size on the
> router? Is the buffer just written over once it fills up?
> 
> Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0
> flushes, 0 overruns)
> Console logging: level debugging, 98303 messages logged
> Monitor logging: level debugging, 0 messages logged
> Buffer logging: level debugging, 98303 messages logged
> Logging Exception size (4096 bytes)
> Trap logging: level informational, 98307 message lines logged
>   
> Log Buffer (4096 bytes):
> 
> Thank you,
> Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35632&t=35631



RE: Increasing or decreasing log buffer size [7:35631]

2002-02-16 Thread s vermill

I think

router(config)#logging history size (0-500)



McHugh Randy wrote:
> 
> Does anyone know how to increase or decrease the log buffer
> size on the router? Is the buffer just written over once it
> fills up?
> 
> Syslog logging: enabled (0 messages dropped, 0 messages
> rate-limited, 0 flushes, 0 overruns)
> Console logging: level debugging, 98303 messages logged
> Monitor logging: level debugging, 0 messages logged
> Buffer logging: level debugging, 98303 messages logged
> Logging Exception size (4096 bytes)
> Trap logging: level informational, 98307 message lines
> logged
>   
> Log Buffer (4096 bytes):
> 
> Thank you,
> Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35633&t=35631



Problem telnetting into router with NAT enabled [7:35634]

2002-02-16 Thread Tim Booth

I am having a problem telnetting into the router from the outside
when I have NAT on the router. Once I take the ip nat outside command
off the outside interface, I can telnet into the router from the
outside. I can ping the NAT router regardless of whether ip nat outside
is on the interface or not. Note that I do, of course, have the vty 0 4
passworded. Here's the config (edited for bandwidth purposes):

interface Ethernet0
 ip address 209.xxx.xxx.xxx 255.255.255.0
 ip nat outside
!
interface Serial0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 encapsulation ppp
clockrate 200
!
ip nat inside source list 101 interface Ethernet0 overload
!
access-list 101 permit ip any any
ip classless
!
vty 0 4
password hrmm
login
!
end

   Packets are coming into the router from the telnetting host, and NAT
tries to do a translation on it, but fails, I think..? NOTE in the debug
output: 209.xxx.xxx.xxx is the external router ip address and
216.xxx.xxx.xxx is where I'm telnetting from. This is output from a
debug ip nat detailed and debug ip nat port combined:

04:09:59: NAT - SYSTEM PORT for 209.xxx.xxx.xxx: allocated port 0,
refcount 55, localport -1, localaddr 0.0.0.0, flags 1, syscount 55
04:09:59: NAT - SYSTEM PORT for 209.xxx.xxx.xxx: allocated port 23,
refcount 2, localport -1, localaddr 0.0.0.0, flags 1, syscount 2
04:09:59: NAT: Allocated Port for 209.xxx.xxx.xxx -> 209.xxx.xxx.xxx:
wanted 23 got 2
04:09:59: NAT: i: tcp (209.xxx.xxx.xxx, 23) -> (216.xxx.xxx.xxx, 3012)
[0]
04:09:59: NAT: TCP s=23->2, d=3012
04:09:59: NAT: o: tcp (216.xxx.xxx.xxx, 3012) -> (209.xxx.xxx.xxx, 2)
[51]
04:09:59: NAT: TCP s=3012, d=2->23
04:09:59: NAT: updated sys port: port 23, refcount 1, localport -1,
localaddr 0.0.0.0, flags 1, syscount 1
04:11:08: NAT: expiring 209.xxx.xxx.xxx (209.xxx.xxx.xxx) tcp 2 (23)

  Any ideas?

Kind Regards,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written
-
Those who would give up essential liberty to purchase a little temporary
safety deserve neither liberty nor safety.
Benjamin Franklin, 1759




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35634&t=35634



PIx 501 [7:35635]

2002-02-16 Thread Juan Blanco

Team,
I just got my 501 pix, which book is a good one that I could use to fully
understand this small box(very small).
Thanks,

Juan Blanco
MCSE, CCNA, CCNP, CCDA, CCDP...One day CCIE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35635&t=35635



RE: Dening telnet access [7:35628]

2002-02-16 Thread Roberts, Larry

Are you wanting to deny telnet through the router, or to the router?

If you are wanting to deny access to the router,
You should create a standard access-list and apply that to the vty
interfaces.

Access-list 10 deny any

Line vty 0 4
access-class 10 in



Thanks

Larry 

-Original Message-
From: McHugh Randy [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]


Access list problem:

Why does this extended access list not work to deny telnet access applied to
the internet interface on a 2514?

Extended IP access list 199
deny tcp any any eq telnet

interface Ethernet0

ip access-group 199 in

I have a lot more statements than this and of course the statement access-list
199 permit ip any any

to take care of the implicit deny all, but I can still access the router
from the internet through telnet. Anyone have any ideas what else might be
needed to prevent or selectively allow telnet access to my router. Thanks,
Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35636&t=35628
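
An added check for the vty `access-class` approach in the replies to this thread, not part of either reply or of any Cisco tool: it reads a configuration and reports which vty lines have no `access-class`, or one whose standard ACL still admits an untrusted source. The sample configuration, the probe address 203.0.113.50 and the function names are constructed for illustration, and only standard ACLs 1-99 are parsed.

```python
import ipaddress
import re

# Constructed sample configuration; not taken from any router in the thread.
# ACL 99 and the access-class form follow the replies above.
SAMPLE_CONFIG = """\
access-list 99 permit 1.1.1.1
access-list 98 permit any
access-list 199 deny tcp any any eq telnet
access-list 199 permit ip any any
!
interface Ethernet0
 ip access-group 199 in
!
line vty 0 2
 access-class 99 in
 password example
 login
line vty 3
 access-class 98 in
 login
line vty 4
 password example
 login
!
end
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
CLASS_RE = re.compile(r"^access-class (\d+) in$")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(config):
    """Return {number: [(action, address, wildcard), ...]} for ACLs 1-99."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or not 1 <= int(m.group(1)) <= 99:
            continue  # extended ACLs such as 199 are out of scope here
        words = m.group(3).split()
        if words[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif words[0] == "host":
            addr, wild = _ip(words[1]), 0
        else:
            addr = _ip(words[0])
            has_wildcard = len(words) > 1 and words[1] != "log"
            wild = _ip(words[1]) if has_wildcard else 0
        acls.setdefault(int(m.group(1)), []).append((m.group(2), addr, wild))
    return acls


def acl_permits(entries, source):
    """First matching entry decides; no match means the implicit deny."""
    src = _ip(source)
    for action, addr, wild in entries:
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def parse_vty_blocks(config):
    """Return [(label, acl_number_or_None), ...], one per 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        indented = raw.startswith(" ")
        m = None if indented else VTY_RE.match(raw.strip())
        if m:
            label = m.group(1) if m.group(2) is None else f"{m.group(1)}-{m.group(2)}"
            current = [label, None]
            blocks.append(current)
        elif indented and current is not None:
            c = CLASS_RE.match(raw.strip())
            if c:
                current[1] = int(c.group(1))
        else:
            current = None  # any other top-level line ends the vty block
    return [tuple(b) for b in blocks]


def audit_vty(config, untrusted):
    """Classify each vty block by what an untrusted source address would meet."""
    acls = parse_standard_acls(config)
    result = {}
    for label, number in parse_vty_blocks(config):
        if number is None:
            result[label] = "no-access-class"
        elif number not in acls:
            result[label] = "acl-not-found"
        elif acl_permits(acls[number], untrusted):
            result[label] = "open-to-untrusted"
        else:
            result[label] = "restricted"
    return result


if __name__ == "__main__":
    for label, status in audit_vty(SAMPLE_CONFIG, "203.0.113.50").items():
        print(f"line vty {label}: {status}")
```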



RE: Problem telnetting into router with NAT enabled [7:35634]

2002-02-16 Thread Lupi, Guy

Try this command:

ip nat inside source static tcp 192.168.1.1 23 209.xxx.xxx.xxx 23 extendable

This will map the telnet port of the outside IP address to the inside,
should work for you, let us know.

~-Original Message-
~From: Tim Booth [mailto:[EMAIL PROTECTED]]
~Sent: Saturday, February 16, 2002 7:29 PM
~To: [EMAIL PROTECTED]
~Subject: Problem telnetting into router with NAT enabled [7:35634]
~
~
~I am having a problem telnetting into the router from the outside
~when I have NAT on the router. Once I take the ip nat outside command
~off the outside interface, I can telnet into the router from the
~outside. I can ping the NAT router regardless of whether ip nat outside
~is on the interface or not. Note that I do, of course, have the vty 0 4
~passworded. Here's the config (edited for bandwidth purposes):
~
~interface Ethernet0
~ ip address 209.xxx.xxx.xxx 255.255.255.0
~ ip nat outside
~!
~interface Serial0
~ ip address 192.168.1.1 255.255.255.252
~ ip nat inside
~ encapsulation ppp
~clockrate 200
~!
~ip nat inside source list 101 interface Ethernet0 overload
~!
~access-list 101 permit ip any any
~ip classless
~!
~vty 0 4
~password hrmm
~login
~!
~end
~
~   Packets are coming into the router from the telnetting host, and NAT
~tries to do a translation on it, but fails, I think..? NOTE in 
~the debug
~output: 209.xxx.xxx.xxx is the external router ip address and
~216.xxx.xxx.xxx is where I'm telnetting from. This is output from a
~debug ip nat detailed and debug ip nat port combined:
~
~04:09:59: NAT - SYSTEM PORT for 209.xxx.xxx.xxx: allocated port 0,
~refcount 55, localport -1, localaddr 0.0.0.0, flags 1, syscount 55
~04:09:59: NAT - SYSTEM PORT for 209.xxx.xxx.xxx: allocated port 23,
~refcount 2, localport -1, localaddr 0.0.0.0, flags 1, syscount 2
~04:09:59: NAT: Allocated Port for 209.xxx.xxx.xxx -> 209.xxx.xxx.xxx:
~wanted 23 got 2
~04:09:59: NAT: i: tcp (209.xxx.xxx.xxx, 23) -> (216.xxx.xxx.xxx, 3012)
~[0]
~04:09:59: NAT: TCP s=23->2, d=3012
~04:09:59: NAT: o: tcp (216.xxx.xxx.xxx, 3012) -> (209.xxx.xxx.xxx, 2)
~[51]
~04:09:59: NAT: TCP s=3012, d=2->23
~04:09:59: NAT: updated sys port: port 23, refcount 1, localport -1,
~localaddr 0.0.0.0, flags 1, syscount 1
~04:11:08: NAT: expiring 209.xxx.xxx.xxx (209.xxx.xxx.xxx) tcp 2 (23)
~
~  Any ideas?
~
~Kind Regards,
~Tim Booth
~MCDBA, CCNP, CCDP, CCIE written
~-
~Those who would give up essential liberty to purchase a little 
~temporary
~safety deserve neither liberty nor safety.
~Benjamin Franklin, 1759
~
~
~
~
~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35637&t=35634



RE: Problem telnetting into router with NAT enabled [7:35634]

2002-02-16 Thread Schneider, Matt

Try this command: 

ip nat inside source static tcp 192.168.1.1 23 209.xxx.xxx.xxx 23 extendable


This will map the telnet port of the outside IP address to the inside, 
should work for you, let us know. 


~I am having a problem telnetting into the router from the outside
~when I have NAT on the router. Once I take the ip nat outside command
~off the outside interface, I can telnet into the router from the
~outside. I can ping the NAT router regardless of whether ip nat outside
~is on the interface or not. Note that I do, of course, have the vty 0 4
~passworded. Here's the config (edited for bandwidth purposes):
~
~interface Ethernet0
~ ip address 209.xxx.xxx.xxx 255.255.255.0
~ ip nat outside
~!
~interface Serial0
~ ip address 192.168.1.1 255.255.255.252
~ ip nat inside
~ encapsulation ppp
~clockrate 200
~!
~ip nat inside source list 101 interface Ethernet0 overload
~!
~access-list 101 permit ip any any
~ip classless
~!
~vty 0 4
~password hrmm
~login
~!
~end
~
~   Packets are coming into the router from the telnetting host, and NAT
~tries to do a translation on it, but fails, I think..? NOTE in 
~the debug
~output: 209.xxx.xxx.xxx is the external router ip address and
~216.xxx.xxx.xxx is where I'm telnetting from. This is output from a
~debug ip nat detailed and debug ip nat port combined:
~
~04:09:59: NAT - SYSTEM PORT for 209.xxx.xxx.xxx: allocated port 0,
~refcount 55, localport -1, localaddr 0.0.0.0, flags 1, syscount 55
~04:09:59: NAT - SYSTEM PORT for 209.xxx.xxx.xxx: allocated port 23,
~refcount 2, localport -1, localaddr 0.0.0.0, flags 1, syscount 2
~04:09:59: NAT: Allocated Port for 209.xxx.xxx.xxx -> 209.xxx.xxx.xxx:
~wanted 23 got 2
~04:09:59: NAT: i: tcp (209.xxx.xxx.xxx, 23) -> (216.xxx.xxx.xxx, 3012)
~[0]
~04:09:59: NAT: TCP s=23->2, d=3012
~04:09:59: NAT: o: tcp (216.xxx.xxx.xxx, 3012) -> (209.xxx.xxx.xxx, 2)
~[51]
~04:09:59: NAT: TCP s=3012, d=2->23
~04:09:59: NAT: updated sys port: port 23, refcount 1, localport -1,
~localaddr 0.0.0.0, flags 1, syscount 1
~04:11:08: NAT: expiring 209.xxx.xxx.xxx (209.xxx.xxx.xxx) tcp 2 (23)
~
~  Any ideas?
~
~Kind Regards,
~Tim Booth
~MCDBA, CCNP, CCDP, CCIE written
~-
~Those who would give up essential liberty to purchase a little 
~temporary
~safety deserve neither liberty nor safety.
~Benjamin Franklin, 1759
~
~
~
~
~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35639&t=35634



Re: Confussion about CIT Book ! [7:35481]

2002-02-16 Thread Uniq Chance

Thanks to all of you for your input. I think now i have a fairly good idea 
about what book should i use.

Thanks again,

Kaz


>From: "Priscilla Oppenheimer" 
>Reply-To: "Priscilla Oppenheimer" 
>To: [EMAIL PROTECTED]
>Subject: Re: Confussion about CIT Book ! [7:35481]
>Date: Fri, 15 Feb 2002 13:21:33 -0500
>
>The CIT book edited by Laura Chappell and Dan Farkas IS the CIT course,
>ported to book format. It's true that it's a bit dry. They should have
>added some more text and explanation perhaps. But it should help one pass
>the test since the test is based on the course/book.
>
>The other one is a certification guide that supposedly guides you to
>passing the test. It is not just a port to book format.
>
>Priscilla
>
>At 07:22 AM 2/15/02, Steven A. Ridder wrote:
> >I believe the book you want to read for the test is the CCNP support exam
> >cert. guide.  That's the one for the test.  The other one has good
> >knowledge, but it more focused on general troubleshooting.  It's good to
> >read (very dry) but there's no way one could pass the CIT reading it.
> >--
> >
> >RFC 1149 Compliant.
> >
> >
>
>
>
>
>Priscilla Oppenheimer
>http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35638&t=35481



RE: Problem telnetting into router with NAT enabled [7:35634]

2002-02-16 Thread Tim Booth

--
Try this command:

ip nat inside source static tcp 192.168.1.1 23 209.xxx.xxx.xxx 23
extendable

This will map the telnet port of the outside IP address to the inside,
should work for you, let us know.
--

Guy,

  Thanks very much. It fixed the problem. However, I'm curious as to WHY
I needed to do this and what does the extendable command function to do?

Thanks,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written
-
Those who would give up essential liberty to purchase a little temporary
safety deserve neither liberty nor safety.
Benjamin Franklin, 1759




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35640&t=35634



Re: access-group ## in or out? [7:35578]

2002-02-16 Thread Jennifer Cribbs

'in or out' depends on whether you want to apply the access list to the
incoming or outgoing interface.  Outgoing is the
default.

Jenn

2/15/2002 8:03:07 PM, "none ya"  wrote:

>Would someone please give me a simple explanation/example that will clarify
>when to use "in" or "out" when you apply an ACL to a router interface?
>Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35642&t=35578



Re: access-group ## in or out? [7:35578]

2002-02-16 Thread Brian

It's all from the router's perspective,
traffic from lan is coming IN your ethernet interface
traffic from the net is coming in net connected interface, and out your
lan connected int.

Brian

On Fri, 15 Feb 2002, none ya wrote:

> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35643&t=35578



Re: Strange Problem: Everything works fine but the Router can [7:35644]

2002-02-16 Thread Brian

Or if you have an incorrect number of default routes..

Bri

On Fri, 15 Feb 2002, PING wrote:

> This also happens if you have duplicate IP address
>
> Nadeem
> ==
>
> Hamid Ali Asgari wrote:
>
> > Hi group,
> >
> > I have a router which is the main gateway of my network. All the
> > hosts on my network can successfully ping everywhere on the internet,
> > but the ROUTER itself has always a success rate at 50%. Below is the
> > ping result:
> >
> > Router#ping
> > Protocol [ip]:
> > Target IP address: 193.0.0.193
> > Repeat count [5]: 10
> > Datagram size [100]:
> > Timeout in seconds [2]:
> > Extended commands [n]:
> > Sweep range of sizes [n]:
> > Type escape sequence to abort.
> > Sending 10, 100-byte ICMP Echos to 193.0.0.193, timeout is 2 seconds:
> > !.!.!.!.!.
> > Success rate is 50 percent (5/10), round-trip min/avg/max =
> >
> > Same time my computer which is exactly behind the router can ping
> > 193.0.0.193 without any errors.
> >
> > No routing protocol is running on the router and it's using simple
> > static routes and all of its interfaces have VALID IP addresses.
> >
> > Any idea what the problem is ???
> >
> > Thanks in advance,
> >
> --
> 
> Ishrat Nadeem Zahid
> CCNP
> Cisco Systems,Inc.
> Chelmsford, MA 01824




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35644&t=35644



RE: Slightly OT: SSH Poll [7:35505]

2002-02-16 Thread Brian

Agreed, at minimum mgmt of the routers would be via a network that had as
its access server ssh only.  Ever used a packet sniffer?  Try ethereal
using telnet, that'll confirm for you why you should use ssh.

Brian

On Sat, 16 Feb 2002, Kent Hundley wrote:

> John,
>
> I _always_ recommend using ssh instead of telnet wherever possible.  In
> fact, I can't think of a single good reason not to use it for in-band
> management.  I'm not sure I understand what you mean by it being a pain
> since you change passwords often.  I don't see how using ssh is any more of
> a pain than using telnet, and it's certainly more secure.
>
> I have seen clients whose security policies dictated the use of ssh or, if
> that were not possible, use of 2-factor authorization such as securid.  I
> suspect most organizations are moving to the use of ssh or have plans to do
> so if they are in the least bit security conscious.
>
> Regards,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> John Neiberger
> Sent: Friday, February 15, 2002 8:07 AM
> To: [EMAIL PROTECTED]
> Subject: Slightly OT: SSH Poll [7:35505]
>
>
> I'm wondering how many of you are involved in networks that use SSH
> exclusively for router access.  Since we're in the financial sector,
> external auditors continually suggest that this is necessary.  While
> it's probably not a bad idea, I personally feel it's more of a pain than
> it's worth, especially considering how often we change the passwords.
> But that's another matter altogether...
>
> So, are any of you using SSH exclusively in fairly large networks?  If
> so, has it been working well for you?
>
> Thanks,
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35645&t=35505



Re: redistribution and tags [7:35624]

2002-02-16 Thread Scott H.

Thanks Chuck.  This is actually part of a greater redistribution plan to
match routes already in EIGRP from another protocol and prevent them from
going into IGRP.  I then permit those routers in the other protocol into
IGRP and deny the EIGRP routes in that protocol.  Since I can use the tag to
match the routes prior to going into IGRP, this scenario just got incredibly
easy.  Without the tags, my brain was starting to melt trying to figure out
all the statements for the ACL.

"Chuck" wrote in message news:[EMAIL PROTECTED]...
> Route maps are essentially built around an "if then else(if)" logic. the
> point of their activation is the point of their inception.
>
> therefore if you were to have a route-map such as:
>
> route-map eigrp_tag_igrp permit 10
>  match tag X
>  set metric 1 100 255 1 1500
>
> and the redistribute statement:
>
> router igrp 100
> redistribute eigrp 50 route-map eigrp_tag_igrp
>
> then the logic flow is:
>
> 1) take a route learned from eigrp 50
> 2)if the tag for that route is X then set the metric as stated and
> redistribute it into IGRP 100
> 3) else don't redistribute
>
> in this case, only those routes with a tag of X learned from eigrp 50 will
> be redistributed into igrp ( subject to the classfulness of the route )
>
> sometimes it can be a little difficult to determine where exactly things
> happen in the various processes on a router. for example, linear
> redistribute seems not to occur at all, even if that does not seem logical.
> ( can't redistribute from rip to igrp to ospf on the same router, not and
> get anything coherent or predictable as a result ) however, in this case,
> the logic appears to be straightforward, so far as I can tell.
>
> HTH
>
> Chuck
>
> "Scott H." wrote in message news:[EMAIL PROTECTED]...
> > At what point during redistribution is a route-map processed?  In other
> > words, if I want to redistribute from EIGRP (supports tags) to IGRP
> > (doesn't support tags) can I match tags in the route map and then let
> > those routes go into IGRP?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35646&t=35624
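
The logic flow quoted in this message, modelled as an added Python example (not code from either poster, and not IOS itself). The tag value 77 standing in for "X", the sample routes, and the deny-then-permit map (one reading of the plan described in the reply) are assumptions constructed for illustration; the classful behaviour of IGRP is not modelled.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                     # protocol the route was learned from
    tag: int = 0
    metric: Optional[Tuple[int, ...]] = None

@dataclass(frozen=True)
class Clause:
    seq: int
    action: str                     # "permit" or "deny"
    match_tag: Optional[int] = None # None = no match statement, matches every route
    set_metric: Optional[Tuple[int, ...]] = None

def redistribute(routes, source, route_map):
    """Return the routes learned from `source` that the route-map lets through."""
    accepted = []
    for route in routes:
        if route.source != source:
            continue                # only routes learned from the source protocol
        for clause in sorted(route_map, key=lambda c: c.seq):
            if clause.match_tag is not None and clause.match_tag != route.tag:
                continue            # this clause does not match, try the next sequence
            if clause.action == "permit":
                metric = clause.set_metric or route.metric
                accepted.append(replace(route, metric=metric))
            break                   # the first matching clause decides, permit or deny
        # falling out of the loop without a match is the implicit deny
    return accepted

TAG_X = 77                          # assumed value for the "X" in the quoted route-map
IGRP_METRIC = (1, 100, 255, 1, 1500)  # "set metric 1 100 255 1 1500" from the message

# Constructed sample routing table.
ROUTES = [
    Route("172.16.0.0", "eigrp", tag=TAG_X),
    Route("172.17.0.0", "eigrp"),
    Route("192.168.5.0", "rip"),
]

# route-map eigrp_tag_igrp permit 10 / match tag X / set metric ...
TAGGED_ONLY = [Clause(10, "permit", match_tag=TAG_X, set_metric=IGRP_METRIC)]

# Assumed variant: keep tagged routes out, let every other EIGRP route in.
ALL_BUT_TAGGED = [
    Clause(10, "deny", match_tag=TAG_X),
    Clause(20, "permit", set_metric=IGRP_METRIC),
]

def prefixes(route_map):
    return [r.prefix for r in redistribute(ROUTES, "eigrp", route_map)]

if __name__ == "__main__":
    print("tagged only   :", prefixes(TAGGED_ONLY))
    print("all but tagged:", prefixes(ALL_BUT_TAGGED))
    print("empty map     :", prefixes([]))
```
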



Re: Dening telnet access [7:35628]

2002-02-16 Thread Brian

if your internet connection is via ether0, this would work, but if it is
via serial, you want it inbound on the net connected serial int.

Brian

On Sat, 16 Feb 2002, McHugh Randy wrote:

> Access list problem:
>
> Why does this extended access list not work to deny telnet access applied
> to the internet interface on a 2514?
>
> Extended IP access list 199
> deny tcp any any eq telnet
>
> interface Ethernet0
>
> ip access-group 199 in
>
> I have a lot more statements than this and of course the statement
> access-list 199 permit ip any any
>
> to take care of the implicit deny all , but I can still access the router
> from the internet through telnet.
> Anyone have any ideas what else might be needed to prevent or selectively
> allow telnet access to my router.
> Thanks,
> Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35647&t=35628



RE: PVC status don't go down [7:35389]

2002-02-16 Thread Nick S.

Ok, The PVC status would never go down till the switch reports it as down,
and only then will the line protocol go down.

I have come across this scenario a couple of times (with ATM, concept is the
same). And the trick is to use a routing protocol between the 2 routers, a
routing protocol senses that the keepalives / hellos are not being answered
and so will consider the neighbor as down, and in turn will activate the
isdn circuit.

You could also use dialer watch, watch a route and if that route goes down
(when one end of the frame goes down) activate the isdn.

hth
Nick


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35649&t=35389



Re: PIx 501 [7:35635]

2002-02-16 Thread Godswill HO

The new Cisco Secure PIX Firewalls book edited by David and Andy is an
excellent guide. In case you decide going into cisco security certification,
the book will help with the PIX exam as well.

Good hands on your new baby-PIX 501.

Regards.
Oletu

- Original Message -
From: Juan Blanco 
To: 
Sent: Saturday, February 16, 2002 4:30 PM
Subject: PIx 501 [7:35635]


> Team,
> I just got my 501 pix, which book is a good one that I could use to fully
> understand this small box(very small).
> Thanks,
>
> Juan Blanco
> MCSE, CCNA, CCNP, CCDA, CCDP...One day CCIE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35650&t=35635



Spammer [7:35641]

2002-02-16 Thread Paul Borghese

Apparently someone is collecting e-mail addresses from this group and
sending a limited number of spam messages promoting a Cisco certification
product.  Normally we would arrange a boycott against their products.  In
the past, boycotts have been very successful.  Both cases in the past where
this happened we were able to put the company out of business.  One was a
very established company .. but being labeled a spammer in this industry is
the kiss of death.  Thanks to the outrage of the group, our little boycott
was amazingly successful!

In this case, the perpetrator is someone little known.  By arranging a
boycott against this person, they would probably gain market share :-).  So
for now, if you do happen to receive an e-mail advertising a product on
homestead.com, please please complain to:

http://www.homestead.com/PersonalSplash.ffhtml?TARGET=%2f%7esite%2fCompanyInfo%2fCompanyInfo%2effhtml

My guess is homestead will just kill their account.

If you ever suspect a company is obtaining e-mails from this list and using
it to send UBE, please notify me immediately.   Since employees of their
upstream provider are probably on this list, we have options not available
other places :-).

Thanks!

Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35641&t=35641



Re: Whew! CCIE 8776! [7:35648]

2002-02-16 Thread Joe Morabito

Chuck,

I was just going over the steps laid out in caslow's book, do you think the
step 1, step 2, step 3 approach is better than the layered approach - layer
2, layer 3, access-list, etc.

Thanks.


- Original Message -
From: "Joe Morabito" 
To: "Chuck Church" ; ;

Sent: Wednesday, February 13, 2002 7:46 AM
Subject: Re: Whew! CCIE 8776!


> Congrats!
>
> What did you do the last couple of months?  Practice speed?  Or maybe
> practice the many "little" things in IOS?
>
> Thanks!
>
> I too long for a good night sleep
>
>
> - Original Message -
> From: "Chuck Church" 
> To: ; 
> Sent: Wednesday, February 13, 2002 12:43 AM
> Subject: Whew! CCIE 8776!
>
>
> > All,
> >
> > I think the title says it all.  Took the lab today at RTP.  4th time
> > was the charm.  I don't know where to begin.  Might as well start with
> > the thank you's.  Thanks to Bruce, Val, and Fred at NetMasterClass.
> > Thanks also to those on the list that I've either studied with or have
> > helped me out in the past with problems.  Thanks also to Paul for
> > putting this great list together.  As far as how I prepared, I might as
> > well give the whole story.  Started working on Cisco about 2 1/2 years
> > ago after going through the Novell and MS Certs.  After getting NA, DA,
> > NP, and DP, I passed the CCIE written in October 2000.  Without really
> > knowing how to study or what to prepare for, I got my butt handed to me
> > in January at RTP.  Didn't know much more than your average CCNP would.
> > Tried again in April, but BGP killed me, and again I didn't make it to
> > day 2.  After that, I found a study partner (Thanks Boris) and we
> > worked pretty hard last summer.  Did all the bootcamp labs, thought I
> > knew everything I needed to.
> >
> > November 4 of 2001, figured I'd breeze through the lab.  I don't know
> > if it's true, but I heard the first couple of months with the new 1 day
> > format had a very low pass rate.  I know I could have used a couple
> > more hours to finish.  If anyone took the lab in Oct or Nov of last
> > year and failed, don't be discouraged.  I think they've scaled it back
> > a little nowadays.
> >
> > Fast forwarding to today.  After spending a week with Val, Bruce, and
> > Fred at the NMC-1 course, and doing nothing but working on my speed, I
> > felt pretty prepared.  Everything in the Doyle Volume 1 and Bruce/Val's
> > book made sense.  Though running a little low on sleep, I felt good
> > this morning.  Roughly 4.5 hours into the test, we got lunch.  At that
> > point I was done with the IGP's and almost done with the EGP's.  In
> > other words about 2/3 of the way done, by my estimate.  At 1:30 I was
> > done, but needed to go back and work on 3 things I couldn't figure out.
> > A little discussing with the proctor, and 2 of them were fixed.  But
> > then I think I read too much.  I had solved a problem one way, but
> > realized the wording of the question might change what they were
> > looking for.  Checking with the proctor, I got the impression that he
> > really didn't like my solution.  So there I am, 1.5 hours to go, and
> > I'm making a somewhat major change :(  Looked OK, but with 1/2 an hour
> > to go, I noticed a 'neighborship' bouncing up and down :o  10 minutes
> > to go, got it all working, but didn't get a chance to completely double
> > check all my other work as time expired.  I know I left 1 thing
> > unconfigured (a 2 pointer), but started wondering if I'd made other
> > mistakes.  They said to expect the results tomorrow afternoon.  A plane
> > flight back to New York, and there's the email waiting.  8776!
> >
> > If anyone's wondering what I used to study, here's the short list:
> >
> > Groupstudy!  Paul's done a great job.  There are certain people on this
> > list that should be flagged as must-reads.  I won't mention any last
> > names, but there are a couple guys named 'Brian' (both long-time CCIEs)
> > that are a huge asset to this list.  Thanks guys.
> >
> > Doyle - Volumes 1 and 2 - Everything you ever wanted to know about IP,
> > but were afraid to ask.
> >
> > Bridges, Routers, and Switches for CCIEs - Bruce Caslow and Val
> > Pavlichenko - Used edition 2, but I understand 3 is coming out soon.
> > This book covers most everything.  I expect the new edition will cover
> > more multicast and QOS, and drop Appletalk and DECnet.  But still the
> > most useful book I've found.
> >
> > Halabi - Used 1st edition, but everything I was asked to do with BGP is
> > in that book.
> >
> > Bootcamp labs - Worked through these with a partner, because his
> > company was cool enough to buy them for him, and my company wasn't!
> > Great preparation and simulation for the test.
> >
> > Various docs from CCO - Might as well go to the source!
> >
> > Most importantly - NMC-1 http://www.netmasterclass.net/nmc/  Bruce and
> > Val explain the most difficult subjects very well.  A couple of things
> > are a little lacking in the book, but they

Re: access-group ## in or out? [7:35578]

2002-02-16 Thread Godswill HO

Look at it from both the Router and the Interface perspective, e.g. if the
interface facing your LAN is E0 and the interface to the internet is S0.

For traffic coming from your LAN into the Router through the E0 interface,
as the traffic is entering that interface from your LAN it is 'in' and as it
passes and goes out of that interface into the backplane of the router, it is
considered 'out' relative to interface E0 and 'in' relative to interface S0,
when it leaves interface S0 into the internet, it is then considered 'out'
relative to interface S0.

For traffic coming from the internet into the Router through the S0
interface, as the traffic is entering that interface from the internet it is
'in' and as it passes and goes out of that interface into the backplane of the
router, it is considered 'out' relative to interface S0 and 'in' relative to
interface E0, when it leaves interface E0 into your LAN, it is then
considered 'out' relative to interface E0.

You now see that each interface has two instances of 'in' and two instances
of 'out'. Most security designs use 'in' more often than 'out' and you
should consider using it as well, if tight security implementation is your
goal. The 'in' keyword makes the router examine the packets before they
enter the interface and impose the Access-list on the traffic before they
ever have the chance of either entering the Router or your network, while
the 'out' keyword only does that after the traffic has passed through the
interface in question, this should only be allowed for trusted traffic for
which you only want to disallow access to certain services.

If you want to restrict a particular source address from entering into your
network or router, using the 'out' keyword has no effect and it is a
security breach because the traffic would have entered your router or
network before it is acted upon.

Have a clear picture of what you want the access-list to do against the
particular traffic, that will give you a clue on the keyword to use. However
for me security is always at the back of my mind, so by default I use the
'in' keyword except where otherwise unnecessary.

Regards.
Oletu

- Original Message -
From: none ya 
To: 
Sent: Friday, February 15, 2002 6:03 PM
Subject: access-group ## in or out? [7:35578]


> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35651&t=35578
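
The in/out question in this thread and the telnet question in "Dening telnet access [7:35628]", modelled as an added Python example (not code from any poster, and not IOS itself). ACL 199 and Ethernet0 come from that post; Serial0 as the internet-facing interface and the four sample packets are assumptions constructed for illustration. The model checks an `in` list as a packet arrives on an interface and an `out` list as a forwarded packet leaves through one.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # destination port (None for ICMP)
    ingress: str            # interface the packet arrives on
    egress: Optional[str]   # interface it leaves by; None = addressed to the router

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        return self.dport is None or self.dport == pkt.dport

def acl_permits(rules, pkt):
    """First matching rule decides; no match at all is the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False

class Router:
    def __init__(self):
        self.bindings = {}       # (interface, direction) -> list of rules

    def access_group(self, interface, direction, rules):
        self.bindings[(interface, direction)] = rules

    def handle(self, pkt):
        inbound = self.bindings.get((pkt.ingress, "in"))
        if inbound is not None and not acl_permits(inbound, pkt):
            return "dropped inbound on " + pkt.ingress
        if pkt.egress is None:
            return "delivered to router"   # an 'out' list never sees this packet
        outbound = self.bindings.get((pkt.egress, "out"))
        if outbound is not None and not acl_permits(outbound, pkt):
            return "dropped outbound on " + pkt.egress
        return "forwarded out " + pkt.egress

# access-list 199: deny tcp any any eq telnet / permit ip any any
ACL_199 = [Rule("deny", "tcp", 23), Rule("permit", "ip")]

# Constructed sample traffic; Serial0 faces the internet, Ethernet0 the LAN.
SAMPLES = {
    "internet telnet to router": Packet("tcp", 23, "Serial0", None),
    "internet telnet to LAN host": Packet("tcp", 23, "Serial0", "Ethernet0"),
    "LAN telnet to router": Packet("tcp", 23, "Ethernet0", None),
    "LAN web to internet": Packet("tcp", 80, "Ethernet0", "Serial0"),
}

def outcomes(interface, direction):
    """Apply ACL 199 at one place and report what happens to each sample packet."""
    router = Router()
    router.access_group(interface, direction, ACL_199)
    return {name: router.handle(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for where in (("Ethernet0", "in"), ("Serial0", "in"), ("Ethernet0", "out")):
        print("ip access-group 199 %s on %s" % (where[1], where[0]))
        for name, result in outcomes(*where).items():
            print("  %-28s %s" % (name, result))
```

With the list inbound on Ethernet0, telnet arriving on Serial0 is never compared against it, which matches the symptom reported in the telnet thread.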



Re: VoIP - bandwidth [7:35103]

2002-02-16 Thread PING

Considering default payload of 20 bytes, VoIP over Ethernet, no compression:
Codec sample size of 10 Bytes and sample interval of 10 ms:
Voice Packet per second = 1/byte size/sample size*sample interval*1000
= 1/20/10 / 10*1000 = 50 PPS

Total Packet size = IP+UDP+RTP+Enet+Payload=20+8+12+18+20= 78 bytes

So Bandwidth per call = 78*bits * 50 PPS = 31200 = 31.2 Kbps
*If you don't consider L2 overhead, then it comes down to 24 Kbps (each way).

Hope it helps.

Nadeem
--

Ishrat Nadeem Zahid
CCNP
Cisco Systems,Inc.
Chelmsford, MA 01824



> Hi,
>
> Just a simple question.
> If I make a g.729 VoIP call over a 128K Serial link how much bandwith do I
> need? (20 bytes/packet, no VAD, cRTP,)
> Am I right that I have to count two voice streams when provisioning VoIP?
>  A speaker  --> B listener
>  A listener 
> So, is it around 11kbps or 22kbps?
>
> Attila




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35652&t=35103



Re: WFQ On High Speed Link [7:34913]

2002-02-16 Thread PING

There are circumstances when WFQ and CBWFQ are used on high speed interfaces,
specially in diffserv QoS environment.

Nadeem
==
s vermill wrote:

> All,
>
> Would you be so kind as to share your thoughts/experience with WFQ on high
> speed links?  I know that Cisco generally considers it to be unnecessary on
> links greater than 2 Mbps.
>
> I have a client with a 16 Mbps HSSI connection between 3640 routers.  The
> config has been in place for a long time.  However, the circuit does not
> seem to support the throughput that they should be getting.  I finally got
> them to share a copy of the config file.  Not only is WFQ enabled, but the
> congestive discard value was left at a default 64 messages.
>
> I am wondering if this is just unnecessary or if it is/can be detrimental?
> As I said, there are indications that there are throughput issues.
>
> Please note that I am just looking for comments.  Unfortunately, I have
> never had my hands on any of their equipment (yet).  Thus, I have no debug
> or even visual observations to offer.  All of my information is third
> party.  Just trying to understand the wisdom of using WFQ in this
> environment.
>
> Many thanks,
>
> Scott
--

Ishrat Nadeem Zahid
CCNP
Cisco Systems,Inc.
Chelmsford, MA 01824




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35653&t=34913



RE: PVC status don't go down [7:35389]

2002-02-16 Thread Erick B.

You could also use Frame-Relay End-To-End keepalives
(FREEK). This works best if a subinterface is used.

--- "Nick S."  wrote:
> Ok, The PVC status would never go down till the
> switch reports it as down,
> and only then will the line protocol go down.
> 
> I have come across this scenario a couple of times
> (with ATM, concept is the
> same). And the trick is to use a routing protocol
> between the 2 routers, a
> routing protocol senses that the keepalives / hellos
> are not being answered
> and so will consider the neighbor as down, and in
> turn will activate the
> isdn circuit.
> 
> You could also use dialer watch, watch a route and
> if that route goes down
> (when one end of the frame goes down) activate the
> isdn.
> 
> hth
> Nick






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35654&t=35389



Not allowed to use 802.1q and ISL at the same time? [7:35655]

2002-02-16 Thread Sean Knox

I was surprised to find that I couldn't enable ISL and 802.1q on different
ports on a Catalyst 8500. Is this a known "feature?"

Sean




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35655&t=35655