RE: Different type of intervlan routing problem... [7:35595]
Larry, thanks for the response. As I tried to explain in the initial post, the host on the other end of the 1q connection is a trunk connection. I don't understand why it's not being routed. Any clues?

-Original Message-
From: Larry Letterman
To: Sean Knox; [EMAIL PROTECTED]
Sent: 2/17/02 11:52 PM
Subject: RE: Different type of intervlan routing problem... [7:35595]

The device connected to the 1Q trunk must be a trunk connection. The host on the other end of the trunk link will not usually respond to your ping when the link is a trunk. If you want the host to respond you need the link to be a switchport access type link.

Larry Letterman
Cisco Systems
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean Knox
Sent: Friday, February 15, 2002 11:06 PM
To: [EMAIL PROTECTED]
Subject: Different type of intervlan routing problem... [7:35595]

Hi all, I'm having a problem with intervlan routing on a 3500XL. Port FastEthernet0/17 is an access link and the host, part of VLAN23, is working fine and can traverse the network. FastEthernet 0/18 is an 802.1q trunk link connected to an 802.1q-aware host (a special network device my company makes). Vlan24 is defined as the native vlan for this link on both sides (the switch and the 802.1q host). Connected to the 3500XL's FastEthernet 0/1 is a router with subinterfaces defined with IP addresses and appropriate 802.1q VLAN tags for each vlan. VLAN23, our access link, is routed fine throughout the network. However, I can't ping the 802.1q host on VLAN24 from the connected router or elsewhere. The 802.1q device has its default gateway set to the corresponding router subinterface. What am I missing? Below are the relevant parts of the 3500XL config and router config. Thanks in advance!

Sean

Relevant parts of show running-config on 3500XL:

interface FastEthernet0/1
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet0/17
 duplex full
 speed 100
 switchport access vlan 23
 spanning-tree portfast
interface FastEthernet0/18
 duplex half
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 24
 switchport mode trunk
 spanning-tree portfast
interface VLAN1
 ip address 10.6.200.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 10.6.200.1

Switch#show vlan

VLAN Name       Status    Ports
---- ---------- --------- ---------------------------------------------
1    default    active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                          Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14,
                          Fa0/15, Fa0/16, Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                          Fa0/23, Fa0/24, Fa0/25, Fa0/26, Fa0/27, Fa0/28,
                          Fa0/29, Fa0/30, Fa0/31, Fa0/32, Fa0/33, Fa0/34,
                          Fa0/35, Fa0/36, Fa0/37, Fa0/38, Fa0/39, Fa0/40,
                          Fa0/41, Fa0/42, Fa0/43, Fa0/44, Fa0/45, Fa0/46,
                          Fa0/47, Fa0/48, Gi0/1, Gi0/2
24   VLAN0024   active

VLAN Type SAID   MTU  Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ---- ------ ---- ------ ------ -------- --- -------- ------ ------
1    enet 11     1500 -      -      -        -   -        1002   1003
24   enet 100024 1500 -      -      -        -   -        0      0

Router8510#show run

interface FastEthernet1/0/4
 description Core8500 to 3500XL
 ip address 10.6.200.2 255.255.255.0
 duplex full
 speed 100
interface FastEthernet1/0/4.23
 encapsulation dot1Q 23
 ip address 10.6.23.1 255.255.255.0
interface FastEthernet1/0/4.24
 encapsulation dot1Q 24
 ip address 10.6.24.1 255.255.255.0

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35714t=35595
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
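A small audit of the two config excerpts above, added here as an example and not part of the thread. It parses IOS-style interface blocks and flags two things a practitioner would want to check before chasing the VLAN24 routing problem any further: the same address 10.6.200.2 is configured on the 3500XL's VLAN1 interface and on the router's FastEthernet1/0/4, and neither trunk has a "switchport trunk allowed vlan" list, so the 802.1q-aware host on Fa0/18 is not confined to its native VLAN 24 and can send frames tagged for VLAN 1 (the management subnet) or VLAN 23. The config strings are copied from the post; the finding wording and the function names are the example's own.

```python
import re
from collections import defaultdict

# Config excerpts copied from the post above (IOS style: one space of indent
# under each "interface" line, as "show running-config" prints them).
SWITCH_3500XL = """\
interface FastEthernet0/1
 duplex full
 speed 100
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet0/17
 duplex full
 speed 100
 switchport access vlan 23
 spanning-tree portfast
interface FastEthernet0/18
 duplex half
 speed 100
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 24
 switchport mode trunk
 spanning-tree portfast
interface VLAN1
 ip address 10.6.200.2 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 10.6.200.1
"""

ROUTER_8510 = """\
interface FastEthernet1/0/4
 description Core8500 to 3500XL
 ip address 10.6.200.2 255.255.255.0
 duplex full
 speed 100
interface FastEthernet1/0/4.23
 encapsulation dot1Q 23
 ip address 10.6.23.1 255.255.255.0
interface FastEthernet1/0/4.24
 encapsulation dot1Q 24
 ip address 10.6.24.1 255.255.255.0
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # "!" or a global command ends the block
    return interfaces


def audit(devices):
    """devices: {device name: config text}. Returns a sorted list of findings."""
    findings = []
    owners = defaultdict(list)      # ip address -> ["device:interface", ...]
    for dev, cfg in devices.items():
        for name, cmds in parse_interfaces(cfg).items():
            for cmd in cmds:
                m = re.match(r"ip address (\S+) \S+$", cmd)
                if m:
                    owners[m.group(1)].append(f"{dev}:{name}")
            if "switchport mode trunk" not in cmds:
                continue
            native = 1                # 802.1Q default when none is configured
            for cmd in cmds:
                if cmd.startswith("switchport trunk native vlan "):
                    native = int(cmd.rsplit(None, 1)[1])
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append(
                    f"{dev}:{name}: trunk with native VLAN {native} and no "
                    "'switchport trunk allowed vlan' list; the attached device "
                    "can tag frames into every VLAN on the switch")
    for ip, where in owners.items():
        if len(where) > 1:
            findings.append(f"duplicate address {ip} on " + " and ".join(where))
    return sorted(findings)


if __name__ == "__main__":
    for line in audit({"3500XL": SWITCH_3500XL, "Router8510": ROUTER_8510}):
        print(line)
```

Run against the two excerpts it reports three findings: both trunks carry every VLAN, and 10.6.200.2 is configured twice. Neither is necessarily the cause of the VLAN24 ping failure, but both are worth fixing before the next round of troubleshooting, and the allowed-VLAN list is what keeps a trunk-attached host out of VLANs it has no business in.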
VPN problem [7:35715]
I am having problems with clients that connect to the PIX: when they are connected, they can't go back out to the internet through the same PIX. Here is a part of the configuration:

ip local pool heima 192.168.15.50-192.168.15.100
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local heima
vpdn group 1 client configuration dns 157.157.144.30
vpdn group 1 client configuration wins 157.157.144.10
vpdn group 1 client authentication local

Any suggestions?
Visual switch manager gone after upgrade TFTP. [7:35716]
I was doing a TFTP upgrade procedure on the XL switch. There is a procedure to delete the HTML files (delete flash:html/*) before copying the new flash, and I have done that. After I upgraded the IOS and reloaded it, the IOS was successfully upgraded, but when I go to the web-based Visual Switch Manager, there is no page shown. Then I go to my flash:html/ and it is empty:

SwitchA#dir flash:html/
Directory of flash:html/
  190  d--x           0  Mar 01 1993 00:09:40  Snmp
3612672 bytes total (1850880 bytes free)

I went to the other switch (B) and found there are a lot of files in the html folder. What should I do to make the Visual Switch Manager work again? Should I copy all the files to switch A?

SwitchB#dir flash:html/
Directory of flash:html/
    5  -rwx         965  Mar 01 1993 00:09:55  Detective.html.gz
    6  -rwx         671  Mar 01 1993 00:09:55  GraphFrame.html.gz
    7  -rwx         675  Mar 01 1993 00:09:55  GraphFrameIE.html.gz
    8  -rwx        1182  Mar 01 1993 00:09:55  ethhelp.html.gz
    9  -rwx        1499  Mar 01 1993 00:09:55  fddihelp.html.gz
   10  -rwx        1538  Mar 01 1993 00:09:56  fdnethlp.html.gz
   11  -rwx         538  Mar 01 1993 00:09:56  ieGraph.html.gz
   12  -rwx         524  Mar 01 1993 00:09:56  ieLink.html.gz
   13  -rwx         959  Mar 01 1993 00:09:56  LinkFetch.html.gz
   14  -rwx         960  Mar 01 1993 00:09:56  LinkFetchIE.html.gz
   15  -rwx         796  Mar 01 1993 00:09:56  LinkReport.html.gz
   16  -rwx        3346  Mar 01 1993 00:09:56  TopoMain.html.gz
   17  -rwx        5154  Mar 01 1993 00:09:57  address.html.gz
   18  -rwx        3332  Mar 01 1993 00:09:57  addrhelp.html.gz
   19  -rwx        2573  Mar 01 1993 00:09:57  amether.html.gz
   20  -rwx        2706  Mar 01 1993 00:09:57  amfddi.html.gz
   21  -rwx        2907  Mar 01 1993 00:09:58  amfdnet.html.gz
   22  -rwx        3291  Mar 01 1993 00:09:58  amtr.html.gz
   23  -rwx        3018  Mar 01 1993 00:09:58  amtrnet.html.gz
   24  -rwx        3071  Mar 01 1993 00:09:58  arp.html.gz
   25  -rwx        1147  Mar 01 1993 00:09:58  arphelp.html.gz
   26  -rwx         210  Mar 01 1993 00:09:59  back.html.gz
   27  -rwx        4975  Mar 01 1993 00:09:59  balboa.html.gz
   28  -rwx        3171  Mar 01 1993 00:09:59  basichlp.html.gz
   29  -rwx         171  Mar 01 1993 00:09:59  blank.html.gz
   30  -rwx         527  Mar 01 1993 00:09:59  bottom.html.gz
   31  -rwx        3861  Mar 01 1993 00:10:00  cdp.html.gz
   32  -rwx        1562  Mar 01 1993 00:10:00  cdphelp.html.gz
   33  -rwx        3926  Mar 01 1993 00:10:00  cgmp.html.gz
   34  -rwx        1790  Mar 01 1993 00:10:00  cgmphelp.html.gz

==
The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.
==
SNA in CCDP [7:35717]
Hello,

I'm a little bit confused about the CCDP exam topics. According to the Cisco site there is no SNA on CCDP, and also no VoIP. In the CID training there is no SNA but there is some VoIP. In the CID book by Birkner (Cisco Press) there is SNA. The question is: what is on the exam?

Regards
EMIL
Re: DNS Request Redirection [7:35703]
You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before the request is resolved and sent back to your machine; had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover, each machine has a cache, so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine; switch to your new ISP and enjoy.

Regards.
Oletu

- Original Message -
From: Michael Hair
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]

I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT. Now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea, but that's another problem. So how can I set up our router to forward requests headed for our current ISP's DNS to our new ISP's DNS without touching all the client machines? Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful...

Thanks
Michael
Re: SNA in CCDP [7:35717]
There is a lot one cannot say because of the NDA; however, it would be safer for you to read and know SNA very well.

Enjoy.
Regards.
Oletu

- Original Message -
From: Emil
Sent: Monday, February 18, 2002 1:46 AM
Subject: SNA in CCDP [7:35717]
Re: SNA in CCDP [7:35717]
Emil,

Last week I checked the course outline and it had an SNA section. I've just looked again and it's gone!!! This is the section, but I don't know if you need to study it or not!

SNA Design
Identify the physical media options in a campus network environment
Describe transparent bridging in a campus network environment
Describe spanning trees and their use in a campus network environment
Identify the two types of BPDUs
Describe VLANs and the needs they meet
Describe the key Cisco features available for campus networking
Define the key terms related to Layer 3 switching
Describe the use of Hot Standby Router Protocol (HSRP) in a campus network environment
Define Integrated Routing and Bridging (IRB)

Regards
David Kent

- Original Message -
From: Emil
Sent: Monday, February 18, 2002 9:46 AM
Subject: SNA in CCDP [7:35717]
Re: BGP split horizon rule + reflectors =??? [7:35679]
Tnx a lot Scott. I'm still not there. The more I think about it, the more I get confused. I only have more questions. Your remark about the AS# cleared up some things though. Obviously the AS-path attribute is the only means by which BGP is able to tell where a routing update contains a loop that is going thru different AS systems.

One thing you write is that IBGP neighbors will not propagate routes to each other as a matter of loop protection. Further on in your example you state that R1 will forward its routes to R2, and R2 will forward its routes to R3. So I am confused about the difference between propagate (not done) and forwarding (done).

If a router, running EBGP on one interface and IBGP on another, has learned an external route (EBGP out of its AS), it will forward this route to all IBGP peers, doesn't it? And since IBGP peers are either fully meshed or clustered, each IBGP router will learn the EBGP external route directly, not via other IBGP peers, but directly from the router running EBGP and IBGP, don't they?

Exactly what internal routes will IBGP peers forward to each other except EBGP routes? Only IGP routes? In this case, IBGP learned routes will not be propagated unless they are learned by IGP as well, aren't they? So if each router already has learned the route(s) by IGP, why bother with learning them from IBGP anyway?

Sorry about hassling you like this. I did reread the BSCN book, but it didn't make things clearer, because it mostly states what is the case, rather than why it is the case.

Joep, (CCNA, CCDA)

BTW: The notion of BGP split horizon, I think I got this one from the BSCN book. BGP split horizon implies that those routes that are learned via IBGP are not propagated to other IBGP peers, meaning you will need to have a full-mesh IBGP.
ip wccp [7:35723]
Hi group,

I have a 2610 router on which I have configured WCCP. The problem is that my Squid is not accepting the WCCP packets; it says gre-proto-encap 0x88e. Can somebody help me on this? Please help.

thanx
kaushalender
Re: Visual switch manager gone after upgrade TFTP. [7:35716]
Hi Sim,

Have you enabled the http server on the switch?

Henry D'souza, Infrastructure Development Management
TATA CONSULTANCY SERVICES
Seepz, Mumbai - 400096.
Hello # 8291680 ext 1208. Direct line 8292406

In reply to: Sim, CT (Chee Tong), 02/18/2002 03:13 PM, Subject: Visual switch manager gone after upgrade TFTP. [7:35716]
RE: VPN problem [7:35715]
You need to enable split-tunnel. This will require an access list permitting ip from your internal network range to your vpn pool range.

Jay Dunn
IPI*GrammTech, Ltd.
http://www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:17 AM
To: [EMAIL PROTECTED]
Subject: VPN problem [7:35715]
ccnp beta [7:35726]
Has anyone passed or participated in a CCNP beta exam? How is it? How many questions, how much time, how difficult? Do you think it is worth it, or should I take the normal exam? Any answers appreciated.

Costin
Re: ip wccp [7:35723]
Dear kaushalender,

Go thru the following link; this may help you. http://www.spc.org.nc/it/TechHead/Wccp-squid.html

Good luck
swapnil jain

In reply to: kaushalender, ip wccp [7:35723]
RE: CID Exam [7:35685]
As Cisco says, 640-025 is the current CID exam. Good luck pal.

Dvass
RE: what does peer routers mean? [7:35705]
AFAIK, in OSPF it means that you should not have more than 50 routers in one area; in EIGRP it means that you should not have more than 50 routers in the same AS.

Regards,
Georg
RE: pim [7:35702]
Hi,

PIM stands for Protocol Independent Multicast. Follow this link to read all about it: http://www.cisco.com/warp/public/cc/pd/iosw/tech/ipmu_ov.htm

Regards,
Georg
Re: Loading IOS on a 4000M [7:35689]
Hi Gragg,

Here is what I found on the Open Forum:

Question: What does this error message mean: %NIM-2-BADNIMID: Bad NIM ID (Oxe) in slot 1. Process = *Init*, level=5. Traceback = 1031db8 103d42 103fe70 103d01e 100d068 100058c 10086d8 10001. Cisco 4000, software 10.2(2)?

Answer: Bus communication on this device has failed. This could be due to a hardware or a software failure (the most likely cause is hardware). Please open a case with the TAC and discuss this with an engineer. Other things to try are re-seating the NIM, starting the router with no interfaces attached, and checking the power available to make sure it is within spec (i.e. low voltage, spikes). Other causes include installing the NIM without the proper version of IOS (i.e. 4T with 9.1).

Regards,
Georg
Re: SNA in CCDP [7:35717]
The CID test is a lot of SNA.

In reply to: Emil, SNA in CCDP [7:35717]
Re: pim [7:35702]
Check this link or other sections on the Cisco website; it will give you an overview of the use of PIM in IP Multicast routing.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_18a/config/mcastmls.htm

Karl

- Original Message -
From: kaushalender
Sent: Sunday, February 17, 2002 11:03 PM
Subject: pim [7:35702]

Hello group,

Can somebody tell me what PIM is and how it works? Please give me the information.

Thanx in advance
kaushalender
RE: VPN problem [7:35715]
Thanx for the information. Can I use this with W2K clients connecting, or do I have to use the Cisco VPN client?
Re: BGP split horizon rule + reflectors =??? [7:35679]
> Tnx a lot Scott. I'm still not there. The more I think about it, the more I get confused. I only have more questions. Your remark about the AS# cleared up some things though. Obviously the AS-path attribute is the only means by which BGP is able to tell where a routing update contains a loop that is going thru different AS systems. One thing you write is that IBGP neighbors will not propagate routes to each other as a matter of loop protection. Further on in your example you state that R1 will forward its routes to R2, and R2 will forward its routes to R3. So I am confused about the difference between propagate (not done) and forwarding (done).

Propagation refers to control information, like routing data packets. Forwarding refers to data information -- rout_ed_ rather than rout_ing_.

> If a router, running EBGP on one interface and IBGP on another, has learned an external route (EBGP out of its AS), it will forward this route to all IBGP peers, doesn't it? And since IBGP peers are either fully meshed or clustered, each IBGP router will learn the EBGP external route directly, not via other IBGP peers, but directly from the router running EBGP and IBGP, don't they?

Yes, unless they get it from a reflector or a hierarchy of reflectors.

> Exactly what internal routes will IBGP peers forward to each other except EBGP routes? Only IGP routes?

IGP and BGP propagate independently.

> In this case, IBGP learned routes will not be propagated unless they are learned by IGP as well, aren't they? So if each router already has learned the route(s) by IGP, why bother with learning them from IBGP anyway?

eBGP routes usually are not propagated in the IGP. But let's say the router learns a route from iBGP, but also speaks eBGP to an external router. If it doesn't learn it through iBGP, how does it know that is a route to be advertised/propagated externally, rather than a purely internal (IGP) route?

> Sorry about hassling you like this. I did reread the BSCN book, but it didn't make things clearer, because it mostly states what is the case, rather than why it is the case.
>
> Joep, (CCNA, CCDA)
>
> BTW: The notion of BGP split horizon, I think I got this one from the BSCN book. BGP split horizon implies that those routes that are learned via IBGP are not propagated to other IBGP peers, meaning you will need to have a full-mesh IBGP.
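A small model of the rule Joep is asking about, added here as an example and not taken from the thread. It encodes the iBGP split-horizon rule (a route learned from an iBGP peer is not re-advertised to other iBGP peers) and the route-reflector exception from RFC 4456 (a route from a client is reflected to all other peers; a route from a non-client is reflected to clients only), then runs the same three-router topology three ways: as a chain with no full mesh, as a full mesh, and with R2 acting as reflector. Router names, session layout and the prefix are made up for the example.

```python
"""Toy model of iBGP split horizon and route reflection (RFC 4456)."""


class Router:
    def __init__(self, name, reflector=False):
        self.name = name
        self.reflector = reflector
        self.peers = {}   # peer name -> {"kind": "ibgp" | "ebgp", "client": bool}
        self.rib = {}     # prefix -> {"kind": session it arrived over, "from": peer name}


def session(a, b, kind, b_is_client_of_a=False):
    """Configure one BGP session between routers a and b."""
    a.peers[b.name] = {"kind": kind, "client": b_is_client_of_a}
    b.peers[a.name] = {"kind": kind, "client": False}


def may_advertise(router, prefix, peer_name):
    """Decide whether router may send its route for prefix to peer_name."""
    route = router.rib[prefix]
    peer = router.peers[peer_name]
    if peer_name == route["from"]:
        return False                      # never back to the peer it came from
    if peer["kind"] == "ebgp":
        return True                       # eBGP peers get every best route
    if route["kind"] != "ibgp":
        return True                       # eBGP-learned routes go to all iBGP peers
    if not router.reflector:
        return False                      # iBGP split horizon: iBGP -> iBGP is blocked
    # Route reflector: from a client -> reflect to everyone else;
    # from a non-client -> reflect to clients only.
    return router.peers[route["from"]]["client"] or peer["client"]


def propagate(routers, origin, prefix):
    """Inject prefix at origin as an eBGP-learned route; return who ends up with it."""
    routers[origin].rib[prefix] = {"kind": "ebgp", "from": None}
    work = [origin]
    while work:
        name = work.pop()
        for peer_name in routers[name].peers:
            peer = routers[peer_name]
            if prefix in peer.rib or not may_advertise(routers[name], prefix, peer_name):
                continue
            peer.rib[prefix] = {"kind": peer.peers[name]["kind"], "from": name}
            work.append(peer_name)
    return sorted(n for n, r in routers.items() if prefix in r.rib)


def scenario(full_mesh=False, reflector=False):
    """R1 learns a route from outside the AS; R2 and R3 are the other iBGP speakers."""
    r1, r2, r3 = Router("R1"), Router("R2", reflector=reflector), Router("R3")
    session(r2, r1, "ibgp", b_is_client_of_a=reflector)
    session(r2, r3, "ibgp", b_is_client_of_a=reflector)
    if full_mesh:
        session(r1, r3, "ibgp")
    routers = {r.name: r for r in (r1, r2, r3)}
    return propagate(routers, "R1", "192.0.2.0/24")   # made-up prefix


if __name__ == "__main__":
    print("R1-R2-R3 chain, no mesh:", scenario())
    print("full iBGP mesh:         ", scenario(full_mesh=True))
    print("R2 as route reflector:  ", scenario(reflector=True))
```

In the chain case R3 never learns the prefix: R2 has it only via iBGP and refuses to pass an iBGP-learned route to another iBGP peer. Adding the R1-R3 session (full mesh) or making R2 a reflector with R1 and R3 as clients gets the route to R3. The model does no best-path selection; it only tracks who is allowed to tell whom, which is the part the split-horizon rule is about.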
Re: what is wrong with the job market ? [7:35611]
I agree with nrf. I'd also like to add that you have to believe in the vision of this field if you want to stay in. If you believe that computers (and your toaster, refrigerator or your car) are going to become an omni-present, networked entity as most technologists and futurists predict, then you have to know that the field of networking and the Internet is still in its infancy. If you are going to have computers everywhere, you need to link them. And it's not just computers that are going to be connected - home appliances, cars, gadgets, and things I can't imagine are going to be on the net. That's just *one* aspect in which I see us being useful. Heck, I just took a proposal a few weeks ago for a snack company to have us link their vending machines with Cisco routers, so they could monitor their levels without sending a guy in a van to check. There are hundreds of predictions that everything will be connected to the Internet, that computers will become more networked (based on a peer-to-peer type design that Napster and others proved to be so successful), bandwidth will increase (we haven't seen our first 10 Terabit link yet in the core of the Internet, nor do most homes have anything faster than a dial-up connection), that voice, video and data networks will converge (they already are starting to) and many other things. All these things take people to roll out. So just because we're in a recession doesn't mean we're all doomed. Companies would like to hire us, they would like to grow and be able to add more employees, computers, locations, etc., but they can't spend money right now. If you follow the market, most economists think we have just been through the worst of it, and that it's going to be a slow and steady recovery to the 4th quarter of this year when it will pick up.

my $0.02

nrf wrote:

This is going to sound fairly cutthroat and antisocial, but one of the best ways to judge whether a particular career has staying power is to see just how easy it is to become qualified. Was it easy for you to learn the skill - i.e. did it require little financial investment or not much study time, or whatever? If it was easy for you, then it's probably easy for other people also, and inevitably the forces of commoditization will hit you hard. On the other hand, if a particular position requires endless years of schooling (like a medical doctor), requires that you have a degree from an Ivy League college, or requires experience with extremely expensive and rare pieces of equipment, then that job stands a much better chance of maintaining its worth, because the simple fact is that if you happen to have those particular qualities in question, then it is difficult to find somebody to replace you with. You have to look at the barriers to entry, because that's what allows you to maintain your value. Companies, under the profit motive, love to replace expensive people with cheap people, and ideally would love to pay everybody minimum wage, or even less by just moving the job offshore where the labor is cheap. So if you want to maintain a decent wage, you will constantly have to show that you cannot be easily replaced. You have to show that you have a set of skills that few others (ideally nobody else) have.

s vermill wrote:

When I was in high school (vocational) studying to be an electronic repair technician, I thought I would retire from that job a very wealthy man. Two realities caught up with me and the rest of that career field pretty quickly. First, the throw-away revolution. Second, a bloated job market (DeVry was as common as McDonalds for a while there). I'm glad I didn't mortgage the farm on a degree in that field. The Navy was kind enough to give me a free education instead. I guess if you have a perfect job, you had better start looking for the next one.

AMR wrote:

Something I have noticed with clients is that they have laid off too deep and then end up having to use jr. staff or rehire staff with the same constrained budget to manage their systems and network. As a result these companies are still running their networks but with less qualified staff at much lower wages. It seems great at first, but these companies will come to their senses when their network falls apart. But I hear your frustration. You also have to understand the MASSIVE number of people rushing into the networking/IT job market. It's simple economics. The more people that come into the sector, the fewer the jobs, and the lower the wages. If you are old enough to recall or study historical data, this has happened to several job sectors in the past. The last I recall reading about was the jet mechanics in the commercial airline industry. Not a lot of highly skilled
RE: Denying telnet access [7:35628]
Because telnet packets destined for the router are not normally processed by access-lists. (I don't understand why not, but hey...) Instead do this:

access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n    (n = the result of a ?, usually 4)
 access-class y in

-----Original Message-----
From: McHugh Randy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Denying telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?

Extended IP access list 199
  deny tcp any any eq telnet
interface Ethernet0
 ip access-group 199 in

I have a lot more statements than this and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router?

Thanks,
Randy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35738t=35628
How many questions in the Cisco pool for CCNA? [7:35739]
I've heard near 200 questions. Is that right? I just wonder :) Don't reply if you don't know it. Thanks for being interested. Just wondering... Please don't say 65 :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35739t=35739
RE: what does peer routers mean? [7:35705]
Peer routers are routers in the same area.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mlh
Sent: Sunday, February 17, 2002 11:32 PM
To: [EMAIL PROTECTED]
Subject: what does peer routers mean? [7:35705]

OSPF and EIGRP could support a maximum of 50 peer routers. Does it mean only 50 routers using OSPF or EIGRP can connect to the same subnet?

Thank you in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35740t=35705
Re: what does peer routers mean? [7:35705]
George and Tom,

Thank you for your answer. Could you give me more detail about an area? Is it a subnet or an AS?

----- Original Message -----
From: Tom Petzold
To: mlh ;
Sent: Monday, February 18, 2002 11:01 AM
Subject: RE: what does peer routers mean? [7:35705]

> Peer routers are routers in the same area.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35741t=35705
Re: Denying telnet access [7:35628]
Actually telnet packets are processed by an inbound access-list. Now if you're referring to outbound access-lists, then you would be correct.

Dave

Hire, Ejay wrote:
> Because telnet packets destined for the router are not normally processed by access-lists. (I don't understand why not, but hey...) Instead do this:
>
> access-list y deny xx.xx.xx.xx xx.xx.xx.xx
> line vty 0 n    (n = the result of a ?, usually 4)
>  access-class y in

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35742t=35628
Re: DNS Request Redirection [7:35703]
Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space. This is fundamental to DNS security.

You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG.

The easiest thing to do may be to provide an on-site caching DNS using the old ISP's DNS addresses. If you've got a lot of workstations and decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway.

rgds
Marc TXK

Godswill HO wrote:
> You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine; had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine; switch to your new ISP and enjoy.
>
> Regards.
> Oletu
>
> ----- Original Message -----
> From: Michael Hair
> To:
> Sent: Sunday, February 17, 2002 8:07 PM
> Subject: DNS Request Redirection [7:35703]
>
> > I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT; now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea, but that's another problem.
> >
> > So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines? Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful...
> >
> > Thanks
> > Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35743t=35703
Re: Denying telnet access [7:35628]
Really? I have had no luck using inbound ACLs to control telnet to the router... I always have to use acc's on the vtys. Is there a trick to this?

-Patrick

>>> MADMAN 02/18/02 12:16PM >>>
Actually telnet packets are processed by an inbound access-list. Now if you're referring to outbound access-lists, then you would be correct.

Dave

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35744t=35628
Re: Denying telnet access [7:35628]
I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface. DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/through??

Dave

Patrick Ramsey wrote:
> Really? I have had no luck using inbound ACLs to control telnet to the router... I always have to use acc's on the vtys. Is there a trick to this?
>
> -Patrick

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35745t=35628
RE: SNA in CCDP [7:35717]
I don't want to violate the NDA so I will tread carefully. I sat the CID (640-025) exam on Friday and was very disappointed. I worked hard on many topics, the one this thread is discussing being one of them, only to find not a single question on it. It was on the website previously; however, on the day, no questions, and in the breakdown at the end it stated I got 0% in that section, which is entirely accurate if there was no answer to get correct (or wrong). I can only presume they are in the middle of a migration, phasing out certain elements of the exam.

Out of the 7 Cisco exams and 6 MS exams I have done, I rate it as the poorest. I barely passed and this was not down to a lack of preparation - the questions were terrible to say the least. A for ambiguous is now the first word in my CCDP dictionary ;-) Having a break for the summer now after 18 months of non-stop exams.

my 2p worth (not 3 Euros yet) ;-)

-----Original Message-----
From: Godswill HO [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 10:16
To: [EMAIL PROTECTED]
Subject: Re: SNA in CCDP [7:35717]

There is a lot one cannot say because of NDA; however, it would be safer that you read and know SNA very well. Enjoy.

Regards.
Oletu

----- Original Message -----
From: Emil
To:
Sent: Monday, February 18, 2002 1:46 AM
Subject: SNA in CCDP [7:35717]

Hello

I'm a little bit confused about CCDP exam topics. According to the Cisco site there is no SNA on CCDP, also there is no VoIP. In the CID training there is no SNA but there is some VoIP. In the CID book by Birkner (Cisco Press) there is SNA. The question is: What is on the exam?

Regards
EMIL

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35746t=35717
RE: Denying telnet access [7:35628]
To filter telnet packets to the router it is necessary to apply access lists to the vty lines with the access-class command.

Kind Regards,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety." Benjamin Franklin, 1759

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35747t=35628
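Pulling the thread's two mechanisms together as one complete configuration (an added example, not posted by anyone in this thread): the vty access-class that Ejay and Tim describe, plus the inbound interface ACL that Dave says does work. The management subnet 10.0.0.0/24, the router's Internet-facing address 192.0.2.1 and the line range vty 0 4 are placeholder assumptions to be replaced with your own values.

```cisco
! Added example, not from any poster. 10.0.0.0/24, 192.0.2.1 and
! "vty 0 4" are placeholders.
!
! 1. Standard ACL applied to the vty lines with access-class. This is
!    evaluated for every telnet session to the router no matter which
!    interface the packet arrived on, so it cannot be bypassed by coming
!    in a different interface. The explicit permit matters: an ACL with
!    only deny statements blocks everyone, including the administrator.
access-list 10 remark Hosts allowed to manage this router
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 password <set-a-password>
!
! 2. Interface ACL on the Internet side. Inbound interface ACLs do
!    filter packets addressed to the router itself, so this works as a
!    second layer, but only on this one interface. Matching the router's
!    own address instead of "any any" avoids also blocking telnet that
!    merely transits the router to hosts behind it.
access-list 199 remark Block telnet to the router from the Internet
access-list 199 deny   tcp any host 192.0.2.1 eq telnet log
access-list 199 permit ip any any
!
interface Ethernet0
 ip access-group 199 in
```

After applying it, show access-lists displays match counts per entry, which is the quickest way to confirm that refused attempts are hitting the intended deny line rather than slipping through on another path.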
RE: what does peer routers mean? [7:35705]
For EIGRP, peers would be entries in the neighbor table. 50 routers in the same AS would limit the scale of an internetwork.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35748t=35705
Re: pim [7:35702]
PIM is a multicast routing protocol. We have had many discussions at GroupStudy about IGMP and CGMP. Those protocols allow routers and switches to learn which local ports should receive multicast streams. In an internetwork, there's more to the story, however. The routers must also learn the paths to multicast recipients. PIM is one of many protocols that handle that aspect of multicasting.

There's an excellent paper on multicasting at www.certificationzone.com. It's by Dave Wolfefer, who has written many good papers for them.

Here's what I had to say about the topic in my book, Top-Down Network Design.

PIM works in tandem with IGMP; it also works with a unicast routing protocol, such as OSPF, RIP, Enhanced IGRP, and so on. PIM has two modes: dense mode and sparse mode.

Dense-mode PIM is similar to an older dense-mode protocol, the Distance-Vector Multicast Routing Protocol (DVMRP), which is described in RFC 1075 and is a derivative of RIP. Both protocols use a reverse-path forwarding (RPF) mechanism to compute the shortest (reverse) path between a source and all possible recipients of a packet. Dense-mode PIM is simpler than DVMRP, however, because it does not require the computation of routing tables.

If a router running dense-mode PIM receives a multicast packet from a source to a group, it first verifies in the standard unicast routing table that the incoming interface is the one that it uses for sending unicast packets toward the source. If this is not the case, it drops the packet and sends back a prune message. If it is the case, the router forwards a copy of the packet on all interfaces for which it has not received a prune message for the source/group destination pair. If there are no such interfaces, it sends back a prune message.

The first packet for a group is flooded to all interfaces. Once this has occurred, however, routers listen to prune messages to help them develop a map of the network that lets them send multicast packets only to those networks that should receive the packets. The prune messages also let routers avoid loops that would cause more than one router to send a multicast packet to a segment.

Dense-mode PIM works best in environments with large multicast groups and a high likelihood that any given LAN has a group member, which limits the router's need to send prune messages. Because of the flooding of the first packet for a group, dense mode does not make sense in environments where a few sparsely-located users wish to participate in a multicast application. In this case, sparse-mode PIM, which is described in the next section, is a better solution.

Sparse-mode PIM is quite different from dense-mode PIM. Rather than allowing traffic to be sent everywhere and then pruned back where it is not needed, sparse-mode PIM defines a rendezvous point. The rendezvous point provides a registration service for a multicast group.

Sparse-mode PIM relies on IGMP, which lets a host join a group by sending a membership-report message, and detach from a group by sending a leave message. A designated router for a network segment tracks membership-report and leave messages on its segment, and periodically sends join and prune PIM messages to the rendezvous point. The join and prune messages are processed by all the routers between the designated router and the rendezvous point. The result is a distribution tree that reaches all group members and is centered at the rendezvous point.

When a source initially sends data to a group, the designated router on the source's network unicasts register messages to the rendezvous point with the source's data packets encapsulated within. If the data rate is high, the rendezvous point can send join/prune messages back towards the source. This enables the source's data packets to follow a source-specific shortest-path tree, and eliminates the need for the packets to be encapsulated in register messages. Whether the packets arrive encapsulated or not, the rendezvous point forwards the source's decapsulated data packets down the distribution tree toward group members.

Priscilla

At 11:03 PM 2/17/02, kaushalender wrote:
> Hello group,
> Can somebody tell me what is PIM, how it works? Plz give the information.
> Thanx in advance
> kaushalender

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35749t=35702
Re: DNS Request Redirection [7:35703]
At 05:11 AM 2/18/02, Godswill HO wrote:
> You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine,

It would depend on what records they are accessing. If the users are going to the Internet and accessing sites such as www.cisco.com and www.groupstudy.com, for example, the DNS queries don't have to go back to the original ISP.

> had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine; switch to your new ISP and enjoy.
>
> Regards.
> Oletu

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35750t=35703
Re: what is wrong with the job market ? [7:35611]
Most indications seem to be that the networking industry, and the telco/provider segment in particular, will greatly lag any general economic recovery. Nobody is predicting a serious telecom recovery this year, and many economists don't even predict one next year. Many big names have already gone down - Exodus, Excite@home, GlobalCrossing - and others are playing serious defense - Level3, MCIWorldcom, ATT, Qwest. Huge debt payments continue to hang over the industry, and that problem won't be cleared up anytime soon.

One dirty little secret of the provider industry is that very few providers actually make consistent profit on a true cash-flow basis. Just like the dotcoms, the providers can't figure out how to wring a decent amount of profit out from the Internet either. Sure, many providers will claim pro-forma profits, but after the Enron catastrophe, nobody wants to see pro-forma numbers, correctly preferring real cash-flow numbers.

But all this talk might be a case of fiddling while Rome burns. All this talk of a future recovery in the long run doesn't really help anybody right now. Like the macro-economist John Maynard Keynes once said: In the long run, we're all dead. Specifically, discussion of decent job prospects in the future doesn't exactly help a guy who needs to pay the bills now.

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...
> It's the economy. When it picks up, so will the jobs.
>
> saktown wrote in message news:[EMAIL PROTECTED]...
> > I don't know if this is going to make you feel better or not (probably not), but anyway it is not strictly true that there are all these networks that need to be maintained. A lot of people have wondered how the industry can be laying all these people off if there are a constant number of complex networks to maintain. The fallacy in that logic is that in reality the number of networks, and their complexity, has indeed gone down in absolute terms.
> >
> > While the enterprise space still continues to maintain lukewarm demand, the telco/provider segment is nothing less than a disaster of epic proportions. I would contend that for every new box requisitioned by an enterprise, another 2 or 3 have been decommissioned by a dying provider. Check out the latest auction of Cisco gear from Excite@Home as a poignant example. Furthermore, much of the growth in the enterprise space requires very little skill to set up (i.e. install a single router to connect to an ISP), whereas provider networks tend to be tremendously complicated, therefore requiring great expertise to maintain, but of course now there is no more provider network to maintain. Hence, you have lots of highly skilled network dudes who got laid off from providers who are now competing for jobs running networks for enterprises.
> >
> > ----- Original Message -----
> > From: John Green
> > To:
> > Sent: Saturday, February 16, 2002 11:16 AM
> > Subject: what is wrong with the job market ? [7:35611]
> >
> > > seems all jobs have just vanished. well then who runs the networks and equipment? it's real bad out there in the job market. any web sites to put the resume? seems dice, monster, headhunter are not producing any results. how long is this going to last?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35751t=35611
Re: what is wrong with the job market ? [7:35611]
For example, here is just one study from today:

http://news.com.com/2009-1033-839335.html

nrf wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35753t=35611
Re: DNS Request Redirection [7:35703]
hhmmm. as I understand the original question, each workstation in the network in question is hard coded for DNS. So, if for example, my machine is hard coded for DNS server 207.126.96.162 ( my ISP DNS server ) and I change ISP's, and make no changes to my workstation, then any DNS request will have a destination address of 207.126.96.162

The question, as I understand, is how to change that destination address without making workstation visits. Policy routing can change next hop, but not destination address. NAT outbound changes source address, not destination address. Unless there is a packet interceptor that takes all DNS requests, and physically changes the destination address, the user has few options.

Again, IF the former ISP does not restrict DNS requests to its own address space, i.e. accepts DNS requests from anywhere, then there is no problem, and no changes need be made. However IF ( and this would be good practice for a lot of reasons ) the former ISP does indeed restrict DNS requests to source addresses within its own space, then there will have to be additional changes on the user network.

This whole discussion illustrates why people SHOULD follow best practice from the get go. If they want to hard code IP's, then I believe DHCP can be configured so that it provides only DNS info and default gateway info, for example. the people who have insisted that their network hard code everything are now learning the hard lesson.

Chuck

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...

At 05:11 AM 2/18/02, Godswill HO wrote:

You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet. Except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine,

It would depend on what records they are accessing. If the users are going to the Internet and accessing sites such as www.cisco.com and www.groupstudy.com, for example, the DNS queries don't have to go back to the original ISP.

had it been you are using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye, more each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy.

Regards. Oletu

- Original Message - From: Michael Hair To: Sent: Sunday, February 17, 2002 8:07 PM Subject: DNS Request Redirection [7:35703]

I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT, now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static, for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines. Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful...

Thanks Michael

Priscilla Oppenheimer http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35755&t=35703
RE: Dening telnet access [7:35628]
I have more information on this. On my 11.0.22 IOS AGS, an inbound access-list has no effect on Telnet traffic. The access-class has to be applied on the vty 0 x interface. On the 12.0 IOS 25xx's on r1r2.com, an inbound access-list STOPS Telnet traffic. (For both the interface IP and a loopback IP.) I am assuming that this is a feature that Cisco fixed sometime in the last 1.5 years.

-Original Message- From: MADMAN [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 1:05 PM To: [EMAIL PROTECTED] Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??

Dave

Patrick Ramsey wrote:

really? I have had no luck using inbound acl's to control telnet to the router...I always have to use acc's on the vty's Is there a trick to this? -Patrick

MADMAN 02/18/02 12:16PM

Actually telnet packets are processed by inbound access-list. Now if you're referring to outbound access-lists then you would be correct. Dave

Hire, Ejay wrote:

Because telnet packets destined for the router are not normally processed by access-lists. (i don't understand why not, but hey...) instead do this

access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n (n = the results of a ?, usually 4)
access-class y in

-Original Message- From: McHugh Randy [mailto:[EMAIL PROTECTED]] Sent: Saturday, February 16, 2002 4:49 PM To: [EMAIL PROTECTED] Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?

Extended IP access list 199
deny tcp any any eq telnet

interface Ethernet0
ip access-group 199 in

I have a lot more statements than this and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router. Thanks, Randy

-- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it

Confidentiality Disclaimer: This email and any files transmitted with it may contain confidential and/or proprietary information in the possession of WellStar Health System, Inc. (WellStar) and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35754&t=35628
CCNP [7:35756]
What's the best test practice suite for CCNP? I am doing the exams in this order:

a. switching
b. routing
c. remote access
d. support

what's the best for a. switching b. routing

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35756&t=35756
Re: DNS Request Redirection [7:35703]
At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:

Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space.

He wasn't asking about recursion. He was asking about the initial query from the end host. Although I could believe you that a service provider should make sure these queries only come from customers, my experience is that service providers don't do this. I can set my PC to use a variety of DNS servers around the Internet and it works. I think it's because it's tricky to do, especially for small ISPs. Some ISPs might have only one DNS server. The same server that provides DNS services to Internet-access customers may also be the authority for various names managed by the ISP. The ISP may be doing Web hosting and be the authority for a bunch of names. In that case, it can't filter out DNS queries coming from the Internet.

For example, say your PC asks your local DNS server to resolve www.priscilla.com. Your server can't do it. It asks its upstream server, probably one of the root servers. The root server figures out that petiteisp.com owns www.priscilla.com and tells your server the IP address of the authoritative name server at petiteisp.com. Your server queries petiteisp.com which gives your server the IP address for www.priscilla.com. Your server finally responds to your PC. Notice that the query to petiteisp.com came from some unexpected IP address that can't be anticipated in a filter. If petiteisp.com had a filter to allow queries only from its customers, the query from your server would have failed. Did that make sense? ;-)

How do bigger ISPs handle this? I suppose bigger ISPs have more than one DNS server, one for Internet access customers, and one that is the authority for names owned by the ISP.

Priscilla

This is fundamental to DNS security. You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG. The easiest thing to do may be to provide an on-site caching DNS using the old ISP's DNS addresses. If you've got a lot of workstations and a decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway. rgds Marc TXK

Godswill HO wrote:

You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet. Except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine, had it been you are using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye, more each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy.

Regards. Oletu

- Original Message - From: Michael Hair To: Sent: Sunday, February 17, 2002 8:07 PM Subject: DNS Request Redirection [7:35703]

I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT, now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static, for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines. Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful...

Thanks Michael

Priscilla Oppenheimer http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35757&t=35703
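Chuck's "packet interceptor that physically changes the destination address" and Marc's "you need to rewrite the destination IP address" describe the same operation, so here is one added example (written for this page, not code from anyone in the thread) of what that rewrite involves at the packet level. The old resolver address 207.126.96.162 is the one quoted in the thread; the new resolver 192.0.2.53 and the client 10.0.0.5 are constructed placeholders. The example shows the two checksums that have to be recomputed (IPv4 header and UDP, the latter covering a pseudo-header with both addresses) and the reverse rewrite that replies need, which is also why a plain destination swap without the return translation would leave the workstation discarding answers from an address it never asked.

```python
"""Added example (not code from the list thread): what a "packet interceptor"
that redirects hard-coded DNS queries has to do at the packet level.

Workstations keep sending to the old resolver (207.126.96.162 in Chuck's
message). Redirecting a query means rewriting the IPv4 destination and then
fixing two checksums: the IPv4 header checksum and the UDP checksum, which
covers a pseudo-header that includes both addresses. The reply must get the
reverse treatment or the workstation will discard it as coming from the wrong
server. The new resolver 192.0.2.53 and client 10.0.0.5 are constructed
placeholder addresses.
"""
import socket
import struct

OLD_RESOLVER = "207.126.96.162"  # address quoted in the thread
NEW_RESOLVER = "192.0.2.53"      # constructed placeholder (TEST-NET-1)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; verifies to 0 when valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over pseudo-header + datagram (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp))
    return checksum(pseudo + udp) or 0xFFFF  # 0 would mean 'no checksum'


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query: header with RD set, one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 + UDP datagram with valid checksums (constructed test input)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(src, dst, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def _rewrite_address(packet: bytes, offset: int, new_addr: bytes) -> bytes:
    """Replace the address at offset 12 (source) or 16 (destination) and
    recompute both the IPv4 header checksum and the UDP checksum."""
    ihl = (packet[0] & 0x0F) * 4
    ip = packet[:offset] + new_addr + packet[offset + 4:ihl]
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    udp = packet[ihl:]
    udp = udp[:6] + b"\x00\x00" + udp[8:]
    udp = udp[:6] + struct.pack("!H", udp_checksum(ip[12:16], ip[16:20], udp)) + udp[8:]
    return ip + udp


def redirect_dns(packet: bytes, old_resolver: str, new_resolver: str) -> bytes:
    """Outbound query to old_resolver:53 -> sent to new_resolver instead.
    Inbound reply from new_resolver:53 -> source rewritten to old_resolver so
    the client accepts it. Any other packet is returned unchanged."""
    if packet[9] != socket.IPPROTO_UDP:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if dst == old_resolver and dport == 53:
        return _rewrite_address(packet, 16, socket.inet_aton(new_resolver))
    if src == new_resolver and sport == 53:
        return _rewrite_address(packet, 12, socket.inet_aton(old_resolver))
    return packet


def checksums_valid(packet: bytes) -> bool:
    """True when the IPv4 header checksum and the UDP checksum both verify."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(udp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + udp) == 0


def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet, for inspection."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
```

The DNS payload itself is untouched, which is the point Marc raises about Cisco's DNS ALG: a NAT that also inspects and edits addresses inside DNS messages is doing more than this redirect needs. Chuck's and Marc's alternative, an on-site caching resolver that the router steers queries to, avoids the checksum work entirely, but the reverse rewrite for replies still applies to any interceptor approach.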
RE: Dening telnet access [7:35628]
The only way that the access-list applied to the inbound interface ( non-vty ) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address ( loopback or far side serial/ethernet ). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.

Thanks Larry

-Original Message- From: MADMAN [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 1:05 PM To: [EMAIL PROTECTED] Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??

Dave

Patrick Ramsey wrote:

really? I have had no luck using inbound acl's to control telnet to the router...I always have to use acc's on the vty's Is there a trick to this? -Patrick

MADMAN 02/18/02 12:16PM

Actually telnet packets are processed by inbound access-list. Now if you're referring to outbound access-lists then you would be correct. Dave

Hire, Ejay wrote:

Because telnet packets destined for the router are not normally processed by access-lists. (i don't understand why not, but hey...) instead do this

access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n (n = the results of a ?, usually 4)
access-class y in

-Original Message- From: McHugh Randy [mailto:[EMAIL PROTECTED]] Sent: Saturday, February 16, 2002 4:49 PM To: [EMAIL PROTECTED] Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?

Extended IP access list 199
deny tcp any any eq telnet

interface Ethernet0
ip access-group 199 in

I have a lot more statements than this and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router. Thanks, Randy

-- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35758&t=35628
Re: hacking a firewall [7:34978]
look to some sites as : www.cert.org www.packetstormattack.com www.securityfocus.com to get some procedures for testing firewall installations, otherwise you must get in touch with experts to evaluate your configuration and the vulnerability degree of your firewall. there are also some remote scanning tools, in internet from security websites.

sami natour wrote in message news: [EMAIL PROTECTED]

Hi , I am trying to test how secure BigFire firewall is. I need to run some tests, in other words I want to find if I can hack it or not. It is very important to our company to know how secure it is . Best Regards , sami ,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35759&t=34978
RE: ccnp beta [7:35726]
I'm like you, I need help to pass my first exam in CCNP (BSCN). Please send me what you have for help. May God be with you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35761&t=35726
RE: CCNP [7:35756]
I have found that going through the book a couple of times is the best thing. The Boson's are heralded but I don't know why. I think they suck. JMO.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Liko Agosta Sent: Monday, February 18, 2002 2:17 PM To: [EMAIL PROTECTED] Subject: CCNP [7:35756]

What's the best test practice suite for CCNP? I am doing the exams in this order: a. switching b. routing c. remote access d. support. what's the best for a. switching b. routing

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35764&t=35756
Re: what is wrong with the job market ? [7:35611]
That article talked about 1 problem, the problem almost every company had - grabbing too much land and equipment with no customers or sustainable revenue. But that's also the problem every dot-bomb had. Thankfully the bubble burst, the madness ended and took out the garbage. No company would stay in business that way. This doesn't mean that their services weren't wanted. Most every home who has a dial-up, most businesses that don't have DSL in their area are still waiting for the right company/technology to come by and at the right price. There's still a pretty large demand for high-speed internet. Now we just have to wait for the right technology to come by and offer good service at a good price.

There is also another problem that was just as bad - the market was flooded with service providers. There was WAY too much supply and only moderate demand. I still see plenty of growth in this industry, even excluding the service provider market.

nrf wrote in message news:[EMAIL PROTECTED]...

For example, here is just one study from today: http://news.com.com/2009-1033-839335.html

nrf wrote in message news:[EMAIL PROTECTED]...

Most indications seem to be that the networking industry, and the telco/provider segment in particular will greatly lag any general economic recovery. Nobody is predicting a serious telecom recovery this year, and many economists don't even predict one next year. Many big names have already gone down - Exodus, Excite@home, GlobalCrossing - and others are playing serious defense - Level3, MCIWorldcom, ATT, Qwest. Huge debt payments continue to hang over the industry, and that problem won't be cleared up anytime soon. One dirty little secret of the provider industry is that very few providers actually make consistent profit on a true cash-flow basis. Just like the dotcoms, the providers can't figure out how to wring a decent amount of profit out from the Internet either. Sure, many providers will claim pro-forma profits, but after the Enron catastrophe, nobody wants to see pro-forma numbers, correctly preferring real cash-flow numbers.

But all this talk might be a case of fiddling while Rome burns. All this talk of a future recovery in the long run doesn't really help anybody right now. Like the macro-economist John Maynard Keynes once said: In the long run, we're all dead. Specifically, discussion of decent job prospects in the future doesn't exactly help a guy who needs to pay the bills now.

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

It's the economy. When it picks up, so will the jobs.

saktown wrote in message news:[EMAIL PROTECTED]...

I don't know if this is going to make you feel better or not (probably not), but anyways it is not strictly true that there are all these networks that need to be maintained. A lot of people have wondered how the industry can be laying all these people off if there are a constant number of complex networks to maintain. The fallacy in that logic is that in reality the number of networks, and their complexity, has indeed gone down in absolute terms. While the enterprise space still continues to maintain lukewarm demand, the telco/provider segment is nothing less than a disaster of epic proportions. I would contend that for every new box requisitioned by an enterprise, another 2 or 3 have been decommissioned by a dying provider. Check out the latest auction of Cisco gear from Excite@Home as a poignant example. Furthermore, much of the growth in the enterprise space requires very little skill to set up (i.e. install a single router to connect to an ISP), whereas provider networks tend to be tremendously complicated, therefore requiring great expertise to maintain, but of course now there is no more provider network to maintain. Hence, you have lots of highly skilled network dudes who got laid off from providers who are now competing for jobs running networks for enterprises.

- Original Message - From: John Green To: Sent: Saturday, February 16, 2002 11:16 AM Subject: what is wrong with the job market ? [7:35611]

seems all jobs have just vanished. well then who runs the networks and equipment ? it's real bad out there in the job market. any web sites to put the resume ? seems dice, monster, headhunter are not producing any results. how long is this going to last ?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35762&t=35611
RE: what does peer routers mean? [7:35705]
The area I was talking about is an OSPF area.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mlh Sent: Monday, February 18, 2002 11:19 AM To: [EMAIL PROTECTED] Subject: Re: what does peer routers mean? [7:35705]

George and Tom, Thank you for your answer. Could you give me more detail about an area? Is it a subnet or AS?

- Original Message - From: Tom Petzold To: mlh ; Sent: Monday, February 18, 2002 11:01 AM Subject: RE: what does peer routers mean? [7:35705]

Peer routers are routers in the same area.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mlh Sent: Sunday, February 17, 2002 11:32 PM To: [EMAIL PROTECTED] Subject: what does peer routers mean? [7:35705]

OSPF and EIGRP could support a maximum of 50 peer routers. Does it mean only 50 routers using OSPF or EIGRP can connect to the same subnet? Thank you in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35763&t=35705
Re: Dening telnet access [7:35628]
Not true, that is a way not the way.

Dave

Tim Booth wrote:

To filter telnet packets to the router it is necessary to apply access lists to the vty lines with the access-class command.

Kind Regards, Tim Booth MCDBA, CCNP, CCDP, CCIE written - Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety. Benjamin Franklin, 1759

-- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35767&t=35628
Re: Dening telnet access [7:35628]
Not in my world:

interface Ethernet4/0/0
 bandwidth 1000
 ip address 172.28.64.11 255.255.255.192
 ip access-group 150 in
 no ip directed-broadcast
 no ip mroute-cache
!
access-list 150 deny tcp host 172.28.56.48 any eq telnet log
access-list 150 permit ip any any

*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!!

Dave

Roberts, Larry wrote:

The only way that the access-list applied to the inbound interface ( non-vty ) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address ( loopback or far side serial/ethernet ). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.

Thanks Larry

-Original Message- From: MADMAN [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 1:05 PM To: [EMAIL PROTECTED] Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??

Dave

Patrick Ramsey wrote:

really? I have had no luck using inbound acl's to control telnet to the router...I always have to use acc's on the vty's Is there a trick to this? -Patrick

MADMAN 02/18/02 12:16PM

Actually telnet packets are processed by inbound access-list. Now if you're referring to outbound access-lists then you would be correct. Dave

Hire, Ejay wrote:

Because telnet packets destined for the router are not normally processed by access-lists. (i don't understand why not, but hey...) instead do this

access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n (n = the results of a ?, usually 4)
access-class y in

-Original Message- From: McHugh Randy [mailto:[EMAIL PROTECTED]] Sent: Saturday, February 16, 2002 4:49 PM To: [EMAIL PROTECTED] Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?

Extended IP access list 199
deny tcp any any eq telnet

interface Ethernet0
ip access-group 199 in

I have a lot more statements than this and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router. Thanks, Randy

-- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35768&t=35628
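Dave's proof is the %SEC-6-IPACCESSLOGP line that the `log` keyword on his deny entry produced. Here is an added example (written for this page, not code from anyone in the thread) that parses that message format and totals denied telnet attempts aimed at the router's own addresses, so the "interface address versus loopback address" question Larry and Dave argue about can be answered from the log rather than by locking oneself out. The sample log is constructed; its first line reproduces Dave's message, and the loopback address 10.1.1.1 is a placeholder. IOS logs the first match immediately and then summarises later matches as "N packets" at its log-update interval, so the example sums packet counts rather than counting lines.

```python
"""Added example (not code from the list thread): parse IOS
%SEC-6-IPACCESSLOGP messages like the one Dave posted and total up denied
telnet attempts aimed at the router's own addresses. The log below is
constructed; its first line reproduces the thread's message. IOS logs the
first match immediately and then summarises further matches ("N packets")
at its log-update interval, so the packet count, not the line count, is what
matters. The 10.1.1.1 loopback address is a constructed placeholder.
"""
import re
from collections import Counter

# Constructed sample log, modelled on the line in the thread.
SAMPLE_LOG = """\
*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet
*Feb 18 12:11:47: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57011) -> 172.28.64.11(23), 1 packet
*Feb 18 12:12:03: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 172.28.56.50(40122) -> 172.28.64.11(23), 1 packet
*Feb 18 12:12:10: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57012) -> 10.1.1.1(23), 1 packet
*Feb 18 12:12:15: %SEC-6-IPACCESSLOGP: list 150 denied udp 172.28.56.48(5000) -> 172.28.64.11(161), 1 packet
*Feb 18 12:16:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 5 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log_line(line: str):
    """Return the fields of one IPACCESSLOGP line as a dict, or None when the
    line is some other syslog message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_telnet_to_router(log_text: str, router_addresses) -> dict:
    """Map source IP -> number of TCP/23 packets denied toward any address the
    router itself owns (interface and loopback addresses alike)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_log_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        if rec["proto"] == "tcp" and rec["dport"] == 23 and rec["dst"] in router_addresses:
            hits[rec["src"]] += rec["count"]
    return dict(hits)


def acl_log_summary(log_text: str) -> dict:
    """Packets per (acl, action, proto, dport): shows which entries of a long
    list are actually matching traffic."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_acl_log_line(line)
        if rec:
            totals[(rec["acl"], rec["action"], rec["proto"], rec["dport"])] += rec["count"]
    return dict(totals)
```

Run against the constructed log, the router set {172.28.64.11, 10.1.1.1} attributes eight denied telnet packets to 172.28.56.48; leaving the loopback out of the set drops that to seven, which is exactly the kind of difference the thread is about. The thread's own conclusion stands either way: an access-class on the vty lines is the control that does not depend on which interface the session arrives through.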
Re: Dening telnet access [7:35628]
I would think that is a bug in the 12.0 code. Back in the old days, prior to the in keyword option, when applying an ip access-group to an interface all access-lists were outgoing only. I can't recall when the in/out keywords came into existence but I'm pretty sure it was 11.something.

Dave

Hire, Ejay wrote:

I have more information on this. On my 11.0.22 IOS AGS, an inbound access-list has no effect on Telnet traffic. The access-class has to be applied on the vty 0 x interface. On the 12.0 IOS 25xx's on r1r2.com, an inbound access-list STOPS Telnet traffic. (For both the interface IP and a loopback IP.) I am assuming that this is a feature that Cisco fixed sometime in the last 1.5 years.

-Original Message- From: MADMAN [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 1:05 PM To: [EMAIL PROTECTED] Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??

Dave

Patrick Ramsey wrote:

really? I have had no luck using inbound acl's to control telnet to the router...I always have to use acc's on the vty's Is there a trick to this? -Patrick

MADMAN 02/18/02 12:16PM

Actually telnet packets are processed by inbound access-list. Now if you're referring to outbound access-lists then you would be correct. Dave

Hire, Ejay wrote:

Because telnet packets destined for the router are not normally processed by access-lists. (i don't understand why not, but hey...) instead do this

access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n (n = the results of a ?, usually 4)
access-class y in

-Original Message- From: McHugh Randy [mailto:[EMAIL PROTECTED]] Sent: Saturday, February 16, 2002 4:49 PM To: [EMAIL PROTECTED] Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?

Extended IP access list 199
deny tcp any any eq telnet

interface Ethernet0
ip access-group 199 in

I have a lot more statements than this and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router. Thanks, Randy

-- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35766&t=35628
Re: CCNP [7:35756]
Do the exams you are most comfortable with. The routing exam is the one my friends had problems with but I didn't because of my experience. The exam that gave me much pain was the Switching exam. The exam crams worked pretty well for me.

Ko

Liko Agosta wrote:

What's the best test practice suite for CCNP? I am doing the exams in this order: a. switching b. routing c. remote access d. support. what's the best for a. switching b. routing

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35765&t=35756
Re: DNS Request Redirection [7:35703]
The simple way to test this would be to set your workstation with some other ISP's DNS address, and see how things go. In one of my posts I provided the real IP of an active DNS server. Someone want to give it a try? Or post one that you know about. I'll be happy to test. I wish the guy who posted the original question would get back to us with his results. Chuck

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space.

He wasn't asking about recursion. He was asking about the initial query from the end host. Although I could believe you that a service provider should make sure these queries only come from customers, my experience is that service providers don't do this. I can set my PC to use a variety of DNS servers around the Internet and it works. I think it's because it's tricky to do, especially for small ISPs. Some ISPs might have only one DNS server. The same server that provides DNS services to Internet-access customers may also be the authority for various names managed by the ISP. The ISP may be doing Web hosting and be the authority for a bunch of names. In that case, it can't filter out DNS queries coming from the Internet. For example, say your PC asks your local DNS server to resolve www.priscilla.com. Your server can't do it. It asks its upstream server, probably one of the root servers. The root server figures out that petiteisp.com owns www.priscilla.com and tells your server the IP address of the authoritative name server at petiteisp.com. Your server queries petiteisp.com which gives your server the IP address for www.priscilla.com. Your server finally responds to your PC. Notice that the query to petiteisp.com came from some unexpected IP address that can't be anticipated in a filter. If petiteisp.com had a filter to allow queries only from its customers, the query from your server would have failed. Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger ISPs have more than one DNS server, one for Internet access customers, and one that is the authority for names owned by the ISP. Priscilla

This is fundamental to DNS security. You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG. The easiest thing to do may be to provide an on-site caching DNS using the old ISP's DNS addresses. If you've got a lot of workstations and a decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway. rgds Marc TXK

Godswill HO wrote:
You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the Internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the Internet before they are resolved and sent back to your machine; had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover, each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are cool and everything will be fine, switch to your new ISP and enjoy. Regards, Oletu

----- Original Message -----
From: Michael Hair
To:
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]

I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT; now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea, but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines? Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful... Thanks Michael

Priscilla Oppenheimer http://www.priscilla.com
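An added example (not code from the thread) that turns Chuck's "point your workstation at another ISP's resolver and see" test into a repeatable check, and makes the distinction Marc and Priscilla are arguing about visible in the response header: a server that recurses for you sets RA (recursion available) in its reply, a server that refuses outsiders returns REFUSED, and a server that is only authoritative for its own zones answers with AA set and RA clear. The message framing follows RFC 1035; www.example.com, the transaction IDs and the canned_response() replies are constructed here for offline use, and the classification labels are this example's own, not anything the thread defines. One caveat the thread itself makes: the verdict describes the policy for the source address you probe from, so a resolver that recurses for you from inside the ISP's address space may still refuse you from outside, and a real audit probes from both.

```python
"""Classify a name server's recursion policy from one DNS response header.

Added example, not from the thread. Wire format per RFC 1035; labels are ours.
"""
import random
import socket
import struct
from typing import Dict, Optional

RCODE_REFUSED = 5


def build_query(qname: str, qtype: int = 1, rd: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Build a DNS query (class IN). RD=1 asks the server to recurse for us."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000            # QR=0, OPCODE=0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(pkt: bytes) -> Dict[str, int]:
    """Decode the 12-byte header; the flag bits are what the policy check needs."""
    if len(pkt) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,     # 1 = response
        "aa": (flags >> 10) & 1,     # authoritative answer
        "rd": (flags >> 8) & 1,      # recursion desired (echoed from query)
        "ra": (flags >> 7) & 1,      # recursion available: server recursed for us
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(response: bytes, expected_id: int) -> str:
    """Map one reply to a recursion-policy verdict (labels defined by this example)."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "invalid"             # not a reply to our query: drop, never trust
    if h["rcode"] == RCODE_REFUSED:
        return "refused"             # policy refusal for this client
    if h["ra"]:
        return "open-recursive"      # it recursed for an arbitrary client
    if h["aa"]:
        return "authoritative-only"  # answered from its own zones, no recursion
    return "no-recursion"            # RA clear, not authoritative: referral/empty


def canned_response(query: bytes, *, ra: bool, aa: bool, rcode: int,
                    ancount: int = 0) -> bytes:
    """Constructed reply header echoing the question section; offline demo only."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = (0x8000 | 0x0100 | (0x0080 if ra else 0)
             | (0x0400 if aa else 0) | (rcode & 0xF))
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def probe(server: str, qname: str = "www.example.com", timeout: float = 2.0) -> str:
    """Live check over UDP/53 (network required; not exercised offline)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(qname, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(response, txid)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        q = build_query("www.example.com", txid=0x1234)
        cases = {
            "open resolver": dict(ra=True, aa=False, rcode=0, ancount=1),
            "refuses outsiders": dict(ra=False, aa=False, rcode=RCODE_REFUSED),
            "authoritative only": dict(ra=False, aa=True, rcode=0, ancount=1),
        }
        for label, kw in cases.items():
            print(label, "->", classify(canned_response(q, **kw), 0x1234))
```

Run it with a resolver address as the only argument for a live probe; with no argument it classifies the three constructed replies. A reply whose transaction ID does not match ours is dropped rather than classified, which is the minimal check any resolver has to make against spoofed answers, and one reason beyond policy that leaving recursion open to the whole Internet is worth avoiding.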
Re: Dening telnet access [7:35628]
Hey Mad Guy, does your organization permit DNS requests from any old place, or do you restrict that to sources only within your space? Chuck (trying to drag you into another thread entirely)

MADMAN wrote in message news:[EMAIL PROTECTED]...
Not in my world:

interface Ethernet4/0/0
 bandwidth 1000
 ip address 172.28.64.11 255.255.255.192
 ip access-group 150 in
 no ip directed-broadcast
 no ip mroute-cache
!
access-list 150 deny tcp host 172.28.56.48 any eq telnet log
access-list 150 permit ip any any

*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!! Dave

Roberts, Larry wrote:
The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that. Thanks Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/through?? Dave

Patrick Ramsey wrote:
Really? I have had no luck using inbound ACLs to control telnet to the router... I always have to use ACCs on the VTYs. Is there a trick to this? -Patrick

MADMAN 02/18/02 12:16PM
Actually telnet packets are processed by inbound access-lists. Now if you're referring to outbound access-lists then you would be correct. Dave

Hire, Ejay wrote:
Because telnet packets destined for the router are not normally processed by access-lists. (I don't understand why not, but hey...) Instead do this:

access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n    (n = the result of a ?, usually 4)
 access-class y

-----Original Message-----
From: McHugh Randy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?

Extended IP access list 199
 deny tcp any any eq telnet
interface Ethernet0
 ip access-group 199 in

I have a lot more statements than this and of course the statement "access-list 199 permit ip any any" to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router? Thanks, Randy

-- David Madland, Sr. Network Engineer, CCIE# 2016, Qwest Communications Int. Inc., [EMAIL PROTECTED], 612-664-3367. Emotion should reflect reason not guide it.

Confidentiality Disclaimer: This email and any files transmitted with it may contain confidential and/or proprietary information in the possession of WellStar Health System, Inc. (WellStar) and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35770t=35628 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
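An added example (not from the thread) of checking a saved IOS configuration for the two points argued above: an inbound interface ACL only covers the interface it is applied to, so a telnet deny on the internet-facing interface says nothing about sessions arriving on any other interface, while an access-class applied inbound on the vty lines restricts management sources on every path into the router. The checker below reads the "line vty", "interface" and "access-list" stanzas out of a config text and reports vty lines that lack an access-class, that still admit cleartext telnet in "transport input", or that carry "no login", plus interfaces left without the telnet filter that another interface has. The two configs embedded in it are constructed in the shape of Randy's and Dave's snippets (addresses from documentation and RFC 1918 ranges, ACL numbers chosen here) and were not taken from any real device.

```python
"""Audit an IOS running-config for management-plane telnet exposure.

Added example, not from the thread. Both configs below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed config in the shape of Randy's: telnet denied by an inbound ACL
# on the internet-facing interface only, vty lines otherwise left open.
SAMPLE_CONFIG = """\
!
interface Ethernet0
 description internet
 ip address 192.0.2.1 255.255.255.0
 ip access-group 199 in
!
interface Ethernet1
 description inside
 ip address 10.0.0.1 255.255.255.0
!
access-list 199 deny tcp any any eq telnet
access-list 199 permit ip any any
!
line vty 0 4
 login
 transport input telnet
!
"""

# Same box with the vty lines restricted (ACL number 10 is this example's choice).
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    " login\n transport input telnet\n",
    " access-class 10 in\n exec-timeout 5 0\n login\n transport input ssh\n",
) + "access-list 10 permit 10.0.0.0 0.0.0.255\naccess-list 10 deny any log\n"

TELNET_DENY = re.compile(r"^deny tcp .*\beq (telnet|23)\b")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'interface ...' or 'line ...' header to its indented sub-lines."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None                      # '!' ends a stanza
            continue
        if not raw.startswith(" "):
            head = raw.strip()
            current = head if head.startswith(("interface ", "line ")) else None
            if current is not None:
                blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Numbered ACLs: number -> entries such as 'deny tcp any any eq telnet'."""
    acls: Dict[str, List[str]] = {}
    for m in re.finditer(r"^access-list (\S+) (.+)$", config, re.MULTILINE):
        acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls


def telnet_filter_coverage(blocks: Dict[str, List[str]],
                           acls: Dict[str, List[str]]) -> Tuple[Set[str], Set[str]]:
    """Return (all interfaces, interfaces whose inbound ACL denies telnet)."""
    every: Set[str] = set()
    filtered: Set[str] = set()
    for name, lines in blocks.items():
        if not name.startswith("interface "):
            continue
        iface = name.split(" ", 1)[1]
        every.add(iface)
        for line in lines:
            m = re.match(r"ip access-group (\S+) in$", line)
            if m and any(TELNET_DENY.match(e) for e in acls.get(m.group(1), [])):
                filtered.add(iface)
    return every, filtered


def audit_vty_exposure(config: str) -> List[str]:
    """One finding per weakness; an empty list means nothing to report."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    acls = parse_acls(config)
    every, filtered = telnet_filter_coverage(blocks, acls)
    uncovered = sorted(every - filtered)
    if filtered and uncovered:
        findings.append("telnet is denied by an inbound ACL on %s only; %s has no such "
                        "filter, so a session arriving there still reaches the vty"
                        % (", ".join(sorted(filtered)), ", ".join(uncovered)))
    vtys = [(n, l) for n, l in blocks.items() if n.startswith("line vty")]
    if not vtys:
        findings.append("no 'line vty' stanza found")
    for name, lines in vtys:
        acl = next((l.split()[1] for l in lines
                    if l.startswith("access-class ") and l.endswith(" in")), None)
        if acl is None:
            findings.append("%s: no 'access-class <acl> in'; management sources are "
                            "not restricted at the line" % name)
        elif acl not in acls:
            findings.append("%s: access-class %s refers to an ACL not defined in this "
                            "config" % (name, acl))
        transport = next((l for l in lines if l.startswith("transport input")), None)
        if transport is None:
            findings.append("%s: no 'transport input' line; the platform default applies" % name)
        elif "telnet" in transport or transport.endswith(" all"):
            findings.append("%s: '%s' admits cleartext telnet; prefer 'transport input ssh'"
                            % (name, transport))
        if "no login" in lines:
            findings.append("%s: 'no login' disables authentication on the line" % name)
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for f in audit_vty_exposure(cfg) or ["no findings"]:
            print("  -", f)
```

Against the sample config the checker reports three things: the filter covers Ethernet0 but not Ethernet1, the vty lines have no access-class, and they still accept telnet. The hardened config clears the two vty findings and leaves only the interface-coverage note, which is the point: the access-class is what closes the management plane, and the interface ACL is a belt on top of it rather than a substitute.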
RE: what does peer routers mean? [7:35705]
Right, one of the answers had 50 routers per AS for EIGRP. For OSPF, I have heard 50 to 150 per area depending on how they are configured. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35771t=35705 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: DNS Request Redirection [7:35703]
Out of curiosity, what is the best practice for someone who has a DNS server on their private network with a private IP address? How would one go about doing this with a router? Is it impossible? Is the best practice/only possible way to have the DNS server have a public IP address (in a DMZ)? Kind Regards, Tim Booth MCDBA, CCNP, CCDP, CCIE written - Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety. Benjamin Franklin, 1759

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 13:16
To: [EMAIL PROTECTED]
Subject: Re: DNS Request Redirection [7:35703]

Hmmm. As I understand the original question, each workstation in the network in question is hard coded for DNS. So, if for example, my machine is hard coded for DNS server 207.126.96.162 (my ISP DNS server) and I change ISPs, and make no changes to my workstation, then any DNS request will have a destination address of 207.126.96.162. The question, as I understand it, is how to change that destination address without making workstation visits. Policy routing can change next hop, but not destination address. NAT outbound changes source address, not destination address. Unless there is a packet interceptor that takes all DNS requests, and physically changes the destination address, the user has few options. Again, IF the former ISP does not restrict DNS requests to its own address space, i.e. accepts DNS requests from anywhere, then there is no problem, and no changes need be made. However IF (and this would be good practice for a lot of reasons) the former ISP does indeed restrict DNS requests to source addresses within its own space, then there will have to be additional changes on the user network. This whole discussion illustrates why people SHOULD follow best practice from the get go. If they want to hard code IPs, then I believe DHCP can be configured so that it provides only DNS info and default gateway info, for example. The people who have insisted that their network hard code everything are now learning the hard lesson. Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35772t=35703 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: what is wrong with the job market ? [7:35611]
In the case of a number of the CLECs, part of the problem was the old telco monopoly that they had to fight. Companies like COVAD, Northpoint, Concentric (now part of XO), to name a few, were there firstest with the mostest while the telcos dragged their feet on bringing DSL to their customer base, all the time racking up revenues through their local loop charges. Now the telcos are in the market full tilt boogie, steamrolling the CLECs by taking advantage of their existing base, and more importantly, their existing infrastructure. I've had DSL through Concentric/XO, and before that with Flashcom. In both cases, new wire had to be used for me to get my line. The telco racked up the installation charges, and the local loop revenue. Now, the telco is offering to come in and throw DSL on my existing dial tone line, something the CLECs couldn't do. The result is that the telco can charge slightly less for DSL, and they don't have any additional costs in terms of wiring. The pure economics of it is that the telcos continue to have the distinct advantage. They sat back, let the CLECs do all the initial work, let the CLECs do all the initial marketing, and then they blew in and blew the CLECs out of business. Chuck

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...
That article talked about 1 problem, the problem almost every company had - grabbing too much land and equipment with no customers or sustainable revenue. But that's also the problem every dot-bomb had. Thankfully the bubble burst, the madness ended and took out the garbage. No company would stay in business that way. This doesn't mean that their services weren't wanted. Most every home who has a dial-up, most businesses that don't have DSL in their area, are still waiting for the right company/technology to come by and at the right price. There's still a pretty large demand for high-speed internet. Now we just have to wait for the right technology to come by and offer good service at a good price. There is also another problem that was just as bad - the market was flooded with service providers. There was WAY too much supply and only moderate demand. I still see plenty of growth in this industry, even excluding the service provider market.

nrf wrote in message news:[EMAIL PROTECTED]...
For example, here is just one study from today: http://news.com.com/2009-1033-839335.html

nrf wrote in message news:[EMAIL PROTECTED]...
Most indications seem to be that the networking industry, and the telco/provider segment in particular, will greatly lag any general economic recovery. Nobody is predicting a serious telecom recovery this year, and many economists don't even predict one next year. Many big names have already gone down - Exodus, Excite@home, GlobalCrossing - and others are playing serious defense - Level3, MCIWorldcom, ATT, Qwest. Huge debt payments continue to hang over the industry, and that problem won't be cleared up anytime soon. One dirty little secret of the provider industry is that very few providers actually make consistent profit on a true cash-flow basis. Just like the dotcoms, the providers can't figure out how to wring a decent amount of profit out from the Internet either. Sure, many providers will claim pro-forma profits, but after the Enron catastrophe, nobody wants to see pro-forma numbers, correctly preferring real cash-flow numbers. But all this talk might be a case of fiddling while Rome burns. All this talk of a future recovery in the long run doesn't really help anybody right now. Like the macro-economist John Maynard Keynes once said: In the long run, we're all dead. Specifically, discussion of decent job prospects in the future doesn't exactly help a guy who needs to pay the bills now.

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...
It's the economy. When it picks up, so will the jobs.

saktown wrote in message news:[EMAIL PROTECTED]...
I don't know if this is going to make you feel better or not (probably not), but anyway it is not strictly true that there are all these networks that need to be maintained. A lot of people have wondered how the industry can be laying all these people off if there are a constant number of complex networks to maintain. The fallacy in that logic is that in reality the number of networks, and their complexity, has indeed gone down in absolute terms. While the enterprise space still continues to maintain lukewarm demand, the telco/provider segment is nothing less than a disaster of epic proportions. I would contend that for every new box requisitioned by an enterprise, another 2 or 3 have been decommissioned by a dying
Re: DNS Request Redirection [7:35703]
Yes, I can use that DNS server that you mentioned without any problem. I have my PC set to use it right now. And I know of others that anyone can use too, but I'm not going to give details in case they would not like this info to get out. ;-) Priscilla

At 03:24 PM 2/18/02, Chuck wrote:
The simple way to test this would be to set your workstation with some other ISP's DNS address, and see how things go. In one of my posts I provided the real IP of an active DNS server. Someone want to give it a try? Or post one that you know about. I'll be happy to test. I wish the guy who posted the original question would get back to us with his results. Chuck

[...]
RE: Dening telnet access [7:35628]
This is what I am seeing on 12.2(3) (various 2600 series routers): ACLs do not work except for devices behind the router... ACCs work for the router itself. -Patrick

Roberts, Larry 02/18/02 02:17PM
The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that. Thanks Larry

[...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35774t=35628 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Dening telnet access [7:35628]
What platform and what IOS? That's odd... That exact ACL does not work on my 2600's. Now this is going to bug me. 12.2(3)

MADMAN 02/18/02 03:19PM
Not in my world:

interface Ethernet4/0/0
 bandwidth 1000
 ip address 172.28.64.11 255.255.255.192
 ip access-group 150 in
 no ip directed-broadcast
 no ip mroute-cache
!
access-list 150 deny tcp host 172.28.56.48 any eq telnet log
access-list 150 permit ip any any

*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!! Dave

[...]
Re: DNS Request Redirection [7:35703]
Thanks, Cil. I guess we can lay this one to rest. The network in question probably need make no changes and life will be dandy. Chuck

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
Yes, I can use that DNS server that you mentioned without any problem. I have my PC set to use it right now. And I know of others that anyone can use too, but I'm not going to give details in case they would not like this info to get out. ;-) Priscilla

At 03:24 PM 2/18/02, Chuck wrote:
The simple way to test this would be to set your workstation with some other ISP's DNS address, and see how things go. In one of my posts I provided the real IP of an active DNS server. Someone want to give it a try? Or post one that you know about. I'll be happy to test. I wish the guy who posted the original question would get back to us with his results. Chuck

[...]
RE: Dening telnet access [7:35628]
And for reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1

Note that your source address is NOT on the same Ethernet subnet (172.28.64.11/26). You're coming from 172.28.56.48. A routing decision is being made. Put your machine on the 172.28.64.11 subnet and show me this getting dropped.

Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Not in my world:

interface Ethernet4/0/0
 bandwidth 1000
 ip address 172.28.64.11 255.255.255.192
 ip access-group 150 in
 no ip directed-broadcast
 no ip mroute-cache
!
access-list 150 deny tcp host 172.28.56.48 any eq telnet log
access-list 150 permit ip any any

*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!!

Dave

Roberts, Larry wrote:
> The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.
>
> Thanks
> Larry
>
> -----Original Message-----
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 1:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Dening telnet access [7:35628]
>
> I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telneting to/thru??
>
> Dave
>
> Patrick Ramsey wrote:
>> really? I have had no luck using inbound acl's to control telnet to the router... I always have to use acc's on the vty's. Is there a trick to this?
>>
>> -Patrick
>>
>> MADMAN 02/18/02 12:16PM
>>> Actually telnet packets are processed by inbound access-list. Now if you're referring to outbound access-lists then you would be correct.
>>>
>>> Dave
>>>
>>> Hire, Ejay wrote:
>>>> Because telnet packets destined for the router are not normally processed by access-lists. (i don't understand why not, but hey...) Instead do this:
>>>>
>>>> access-list y deny xx.xx.xx.xx xx.xx.xx.xx
>>>> line vty 0 n   (n = the results of a ?, usually 4)
>>>>  access-class y in
>>>>
>>>> -----Original Message-----
>>>> From: McHugh Randy [mailto:[EMAIL PROTECTED]]
>>>> Sent: Saturday, February 16, 2002 4:49 PM
>>>> To: [EMAIL PROTECTED]
>>>> Subject: Dening telnet access [7:35628]
>>>>
>>>> Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?
>>>>
>>>> Extended IP access list 199
>>>>  deny tcp any any eq telnet
>>>> interface Ethernet0
>>>>  ip access-group 199 in
>>>>
>>>> I have a lot more statements than this, and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router.
>>>>
>>>> Thanks,
>>>> Randy
>>>
>>> --
>>> David Madland
>>> Sr. Network Engineer
>>> CCIE# 2016
>>> Qwest Communications Int. Inc.
>>> [EMAIL PROTECTED]
>>> 612-664-3367
>>> Emotion should reflect reason not guide it
>>
>> Confidentiality Disclaimer: This email and any files transmitted with it may contain confidential and/or proprietary information in the possession of WellStar Health System, Inc. (WellStar) and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35777t=35628
Re: DNS Request Redirection [7:35703]
Thanks to everyone who responded. I did some testing and here is what I found. Our current ISP's DNS is not reachable from the outside world; it seems that we use an internal DNS server which then forwards the request to the internal side of their firewall, which forwards to their external DNS and then out to the world. I have tested using our new ISP's DNS server from our old ISP connections and it seems to work just fine. It looks like I will need to touch every machine and correct their DNS entries. So if I must go to each workstation, I will just stand up a DHCP server. This corrects the problem once and for all. That way if anything changes (DNS, subnet, IP address) I will be able to change it on the server and be done with it. It would make life a lot simpler.

Thanks again for everyone's input...

Michael

Michael Hair wrote in message news:[EMAIL PROTECTED]...
> I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT; now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea, but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines? Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful...
>
> Thanks
> Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35779t=35703
Re: what is wrong with the job market ? [7:35611]
Thank God. I thought I was the only one who was seeing this.

Chuck wrote:
> in the case of a number of the CLECs, part of the problem was the old telco monopoly that they had to fight. Companies like COVAD, Northpoint, Concentric (now part of XO), to name a few, were there firstest with the mostest while the telcos dragged their feet on bringing DSL to their customer base, all the time racking up revenues through their local loop charges. Now the telcos are in the market full tilt boogie, steamrolling the CLECs by taking advantage of their existing base, and more importantly, their existing infrastructure.
>
> I've had DSL through Concentric/XO, and before that with Flashcom. In both cases, new wire had to be used for me to get my line. The telco racked up the installation charges, and the local loop revenue. Now, the telco is offering to come in and throw DSL on my existing dial tone line, something the CLECs couldn't do. The result is that the telco can charge slightly less for DSL, and they don't have any additional costs in terms of wiring.
>
> The pure economics of it is that the telcos continue to have the distinct advantage. They sat back, let the CLECs do all the initial work, let the CLECs do all the initial marketing, and then they blew in and blew the CLECs out of business.
>
> Chuck
>
> Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...
>> That article talked about 1 problem, the problem almost every company had - grabbing too much land and equipment with no customers or sustainable revenue. But that's also the problem every dot-bomb had. Thankfully the bubble burst, the madness ended and took out the garbage. No company would stay in business that way. This doesn't mean that their services weren't wanted. Most every home who has a dial-up, most businesses that don't have DSL in their area, are still waiting for the right company/technology to come by and at the right price. There's still a pretty large demand for high-speed internet. Now we just have to wait for the right technology to come by and offer good service at a good price. There is also another problem that was just as bad - the market was flooded with service providers. There was WAY too much supply and only moderate demand. I still see plenty of growth in this industry, even excluding the service provider market.
>>
>> nrf wrote in message news:[EMAIL PROTECTED]...
>>> For example, here is just one study from today: http://news.com.com/2009-1033-839335.html
>>>
>>> nrf wrote in message news:[EMAIL PROTECTED]...
>>>> Most indications seem to be that the networking industry, and the telco/provider segment in particular, will greatly lag any general economic recovery. Nobody is predicting a serious telecom recovery this year, and many economists don't even predict one next year. Many big names have already gone down - Exodus, Excite@home, GlobalCrossing - and others are playing serious defense - Level3, MCIWorldcom, ATT, Qwest. Huge debt payments continue to hang over the industry, and that problem won't be cleared up anytime soon. One dirty little secret of the provider industry is that very few providers actually make consistent profit on a true cash-flow basis. Just like the dotcoms, the providers can't figure out how to wring a decent amount of profit out from the Internet either. Sure, many providers will claim pro-forma profits, but after the Enron catastrophe, nobody wants to see pro-forma numbers, correctly preferring real cash-flow numbers.
>>>>
>>>> But all this talk might be a case of fiddling while Rome burns. All this talk of a future recovery in the long run doesn't really help anybody right now. Like the macro-economist John Maynard Keynes once said: In the long run, we're all dead. Specifically, discussion of decent job prospects in the future doesn't exactly help a guy who needs to pay the bills now.
>>>>
>>>> Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...
>>>>> It's the economy. When it picks up, so will the jobs.
>>>>>
>>>>> saktown wrote in message news:[EMAIL PROTECTED]...
>>>>>> I don't know if this is going to make you feel better or not (probably not), but anyways it is not strictly true that there are all these networks that need to be maintained. A lot of people have wondered how the industry can be laying all these people off if there are a constant number of complex networks to maintain. The fallacy in that logic is that in reality the number of networks, and their complexity, has indeed gone down in absolute terms. While the enterprise space still continues to maintain lukewarm demand, the telco/provider segment is nothing less than a disaster of epic proportions. I would contend that for every new box requisitioned by an enterprise, another 2 or 3 have been decommissioned by a dying provider. Check out the latest auction of Cisco gear from Excite@Home as a
Re: DNS Request Redirection [7:35703]
not to add any heat underneath anyone's behind, but I routinely use UUNET/Mindspring/Earthlink/Qwest... (their caching, of course). To be honest with you, I have never run into an ISP that wouldn't allow lookups from external hosts... I mean... for authoritative servers, how would you propagate your zones without allowing lookups from other caching servers? Unless you restricted lookups from root servers only... But wouldn't that be kinda inefficient?

-Patrick

Priscilla Oppenheimer 02/18/02 03:50PM
> Yes, I can use that DNS server that you mentioned without any problem. I have my PC set to use it right now. And I know of others that anyone can use too, but I'm not going to give details in case they would not like this info to get out. ;-)
>
> Priscilla
>
> At 03:24 PM 2/18/02, Chuck wrote:
>> the simple way to test this would be to set your workstation with some other ISP's DNS address, and see how things go. In one of my posts I provided the real IP of an active DNS server. Someone want to give it a try? Or post one that you know about. I'll be happy to test. I wish the guy who posted the original question would get back to us with his results.
>>
>> Chuck
RE: access-group ## in or out? [7:35578]
I just posted this in the associate group, but I'll cross-post it here. The context was that the chap wanted to block smtp traffic from a specific external subnet.

Visualize it. Let's assume your connection to the internet looks like this:

Mailserver --- Ethernet0 (Router) Serial0 --- ISP --- Badpeople

The source of the traffic you want to block is badpeople. Pretend you are the router. You want to block traffic from badpeople (SOURCE) that is going to your mailserver (Destination), and you want to block it as it travels IN (inbound) from your ISP (Serial 0).

access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
access-list 101 permit ip any any
interface serial 0
 ip access-group 101 in

Alternately, you could let the traffic cross you (the router) and block it as it travels OUT (outbound) of the Ethernet port (E0) towards the mail server. It would be a waste of router resources to let it cross the router before being dropped, but if this was a very busy router with many ports and a dedicated port to the mail server then it might be an option.

access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
access-list 101 permit ip any any
interface Ethernet 0
 ip access-group 101 out

Additionally, traffic travels in both directions. I can't think of a reason why you'd want to, but you could block traffic as it leaves the mail server (source) headed back to badpeople (destination). This traffic would travel in the ethernet port (ethernet 0 access-group xxx in) and out the serial port (serial 0 access-group xxx out). You don't block traffic this way (if possible) because you don't know what port the outbound tcp connection will be on.

-Ejay

I'm a CCNA and CCNP and I'm looking for full-time or contract work; please contact me off-list if you have any openings or suggestions.

-----Original Message-----
From: none ya [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 9:03 PM
To: [EMAIL PROTECTED]
Subject: access-group ## in or out? [7:35578]

Would someone please give me a simple explanation/example that will clarify when to use in or out when you apply an ACL to a router interface? Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35737t=35578
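As an added example (not code from any post in this thread), here is a small Python model of how IOS walks an extended access-list top-down against a packet, and where "in" and "out" apply, using Ejay's SMTP scenario above and the "deny tcp any any eq telnet" list from the Dening telnet access thread. The subnet 203.0.113.0/24 (badpeople), host 198.51.100.25 (mail server), the other addresses and the port numbers are constructed placeholders.

```python
# Added example: a model of how IOS evaluates an extended access-list and
# where 'in' and 'out' apply.  Topology from the post:
#     Mailserver --- Ethernet0 (Router) Serial0 --- ISP --- Badpeople
# All addresses are constructed documentation-range placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Optional

BADPEOPLE_NET = "203.0.113.0 0.0.0.255"   # constructed external subnet to block
MAIL_SERVER = "198.51.100.25"              # constructed mail server

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def wildcard_match(addr, spec):
    """'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'; a 1 bit in W means don't care."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return _ip(addr) == _ip(parts[1])
    care = ~_ip(parts[1]) & 0xFFFFFFFF      # wildcard mask is the inverse of a netmask
    return (_ip(addr) & care) == (_ip(parts[0]) & care)

@dataclass
class Ace:
    action: str                     # permit | deny
    proto: str                      # 'ip' matches every protocol
    src: str
    dst: str
    dst_port: Optional[int] = None  # 'eq N' on the destination port

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def evaluate(acl, pkt):
    """Top-down, first match wins; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dport:
            continue
        return ace.action
    return "deny"

@dataclass
class Interface:
    name: str
    acl_in: Optional[list] = None   # ip access-group N in
    acl_out: Optional[list] = None  # ip access-group N out

def forward(pkt, ingress, egress):
    """Inbound list of the arriving interface first, then outbound list of the exit."""
    if ingress.acl_in and evaluate(ingress.acl_in, pkt) == "deny":
        return f"dropped by {ingress.name} in"
    if egress.acl_out and evaluate(egress.acl_out, pkt) == "deny":
        return f"dropped by {egress.name} out"
    return "forwarded"

# access-list 101 deny tcp 203.0.113.0 0.0.0.255 host 198.51.100.25 eq 25
# access-list 101 permit ip any any
ACL_101 = [Ace("deny", "tcp", BADPEOPLE_NET, f"host {MAIL_SERVER}", 25),
           Ace("permit", "ip", "any", "any")]
# access-list 199 deny tcp any any eq telnet   (the list from the telnet thread)
# access-list 199 permit ip any any
ACL_199 = [Ace("deny", "tcp", "any", "any", 23),
           Ace("permit", "ip", "any", "any")]

SMTP_FROM_BAD = Packet("tcp", "203.0.113.9", MAIL_SERVER, 25)
SMTP_FROM_GOOD = Packet("tcp", "192.0.2.40", MAIL_SERVER, 25)
# Reply leg: src/dst swapped and the client side uses an ephemeral port.
REPLY_TO_BAD = Packet("tcp", MAIL_SERVER, "203.0.113.9", 51234)

def demo():
    """Verdicts for the placements discussed in the post."""
    s0_in, s0 = Interface("Serial0", acl_in=ACL_101), Interface("Serial0")
    e0_out, e0 = Interface("Ethernet0", acl_out=ACL_101), Interface("Ethernet0")
    return {
        "serial0 in, bad": forward(SMTP_FROM_BAD, s0_in, e0),
        "serial0 in, good": forward(SMTP_FROM_GOOD, s0_in, e0),
        "ethernet0 out, bad": forward(SMTP_FROM_BAD, s0, e0_out),
        # The same list on the return path matches nothing: addresses are reversed.
        "reply leg, same list": evaluate(ACL_101, REPLY_TO_BAD),
        "acl 199 telnet": evaluate(ACL_199, Packet("tcp", "192.0.2.40", "198.51.100.1", 23)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} -> {v}")
```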
Re: what is wrong with the job market ? [7:35611]
They say misery loves company. Well, for what it's worth:

http://news.com.com/2100-1017-832553.html

Dude has an engineering degree from a respected school and an MBA and is tossing mail for the post office for $13 an hour. A former marketing manager is stocking shelves. Another guy with master's degrees from Columbia and Harvard is doing lawn-care work (forklifts, fertilizer, etc.). Even more poignantly, a dude with computer and networking certifications (doesn't specify what kind of certs) now has the hazardous job of clearing crud in an oil refinery coker unit.

s vermill wrote in message news:[EMAIL PROTECTED]...
> When I was in high school (vocational) studying to be an electronic repair technician, I thought I would retire from that job a very wealthy man. Two realities caught up with me and the rest of that career field pretty quickly. First, the throw-away revolution. Second, a bloated job market (DeVry was as common as McDonalds for a while there). I'm glad I didn't mortgage the farm on a degree in that field. The Navy was kind enough to give me a free education instead. I guess if you have a perfect job, you had better start looking for the next one.
>
> AMR wrote:
>> Something I have noticed with clients is that they have laid off too deep and then end up having to use jr. staff or rehire staff with the same constrained budget to manage their systems and network. As a result these companies are still running their networks but with less qualified staff at much lower wages. It seems great at first but these companies will come to their senses when their network falls apart. But I hear your frustration. You also have to understand that a MASSIVE number of people are rushing into the networking/IT job market. It's simple economics. The more people that come into the sector, the fewer the jobs, and the lower the wages. If you are old enough to recall or study historical data, this has happened to several job sectors in the past. The last I recall reading about was the jet mechanics in the commercial airline industry. Not a lot of highly skilled people available, so those that were qualified were writing their own tickets. Eventually more people were lured into that skillset with the amount of money they saw. The jobs became fewer and the salaries lowered as a result, and then the airlines hit a few down periods and that killed the massive interest in being an airline mechanic.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35752t=35611
Network Security [7:35783]
Has anyone ever used a war dialer and if so would you please give me some feedback? I'm concerned about the freeware having back doors; do you think that's a legitimate concern?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35783t=35783
Re: DNS Request Redirection [7:35703]
And to add one more point: filtering for queries just from root servers wouldn't work either. It's not the root server that sends the query. The root server responds to the requesting server with the address of the authoritative server for a name. Then the requesting server asks the authoritative server. So the queries come from all over the place, not just from root servers.

It sounds like the filter would work to avoid just anyone using a caching server, to avoid overuse of the server, for example. But it would be impractical to filter queries to a server that is acting as the authority for names.

There are probably entire Web sites devoted to the issues of DNS and security. Someday I will have to look at them! ;-)

Priscilla

At 04:09 PM 2/18/02, Patrick Ramsey wrote:
> not to add any heat underneath anyone's behind, but I routinely use UUNET/Mindspring/Earthlink/Qwest... (their caching, of course). To be honest with you, I have never run into an ISP that wouldn't allow lookups from external hosts... I mean... for authoritative servers, how would you propagate your zones without allowing lookups from other caching servers? Unless you restricted lookups from root servers only... But wouldn't that be kinda inefficient?
>
> -Patrick
>
> Priscilla Oppenheimer 02/18/02 03:50PM
>> Yes, I can use that DNS server that you mentioned without any problem. I have my PC set to use it right now. And I know of others that anyone can use too, but I'm not going to give details in case they would not like this info to get out. ;-)
>>
>> Priscilla
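As an added example, not taken from any post in this thread, here is a small Python model of the resolution chain Priscilla describes, built to show which source address actually reaches the authoritative server at petiteisp.com and what happens when that server filters by source. It assumes constructed addresses and names, a root that refers straight to petiteisp.com (the post's own simplification), and three filter modes on a server: "none", "all" (refuse every query from non-customers) and "recursion" (refuse only recursive queries from non-customers), the last being my own rendering of the caching-for-customers, authority-for-anyone split she proposes.

```python
# Added example (not from any post in the thread): a toy model of the
# resolution chain described above, showing whose source address reaches
# the authoritative server and what a customers-only filter does to it.
# All names, addresses and server roles are constructed for the illustration.
from dataclasses import dataclass, field

ROOT = "192.0.2.53"          # constructed root server
PETITE_NS = "198.51.100.53"  # constructed authoritative server at petiteisp.com
YOUR_DNS = "203.0.113.53"    # constructed caching server of your ISP
YOUR_PC = "203.0.113.77"     # constructed customer PC of your ISP
OUTSIDER = "198.18.0.9"      # constructed host on some other network

NETWORK = {}  # ip -> Server; filled by build_network()

@dataclass
class Query:
    name: str
    src: str          # source IP of the query packet
    recursive: bool   # RD bit: "resolve this fully for me"

@dataclass
class Answer:
    kind: str         # "answer", "referral" or "refused"
    data: str = ""    # address (answer) or next server IP (referral)

def same_net24(a, b):
    """Crude /24 membership test, enough for the constructed addresses."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

@dataclass
class Server:
    ip: str
    zone: dict = field(default_factory=dict)       # authoritative data
    referrals: dict = field(default_factory=dict)  # suffix -> authoritative server IP
    customer_net: str = ""                         # "" means no source filtering
    filter_mode: str = "none"   # "none", "all" or "recursion" (see lead-in)

    def query(self, q, trace):
        trace.append((q.src, self.ip, q.name))
        outsider = self.customer_net and not same_net24(q.src, self.customer_net)
        if outsider and (self.filter_mode == "all" or
                         (self.filter_mode == "recursion" and q.recursive)):
            return Answer("refused")
        if q.name in self.zone:
            return Answer("answer", self.zone[q.name])
        for suffix, ns in self.referrals.items():
            if q.name.endswith(suffix):
                return Answer("referral", ns)
        if q.recursive:   # caching server resolving on behalf of a customer
            return resolve_iteratively(self.ip, q.name, trace)
        return Answer("refused")

def resolve_iteratively(resolver_ip, name, trace):
    """Ask the root, follow the referral, then ask the authority, every
    query carrying the resolver's own address as its source."""
    target = ROOT
    for _ in range(4):   # bounded so a referral loop cannot hang the model
        ans = NETWORK[target].query(Query(name, resolver_ip, False), trace)
        if ans.kind != "referral":
            return ans
        target = ans.data
    return Answer("refused")

def build_network(petite_filter):
    NETWORK.clear()
    NETWORK[ROOT] = Server(ROOT, referrals={"priscilla.com": PETITE_NS})
    NETWORK[PETITE_NS] = Server(PETITE_NS, zone={"www.priscilla.com": "198.51.100.80"},
                                customer_net="198.51.100.0", filter_mode=petite_filter)
    # Your ISP's caching server only recurses for its own customers.
    NETWORK[YOUR_DNS] = Server(YOUR_DNS, customer_net="203.0.113.0", filter_mode="recursion")

def lookup(client_ip, server_ip, name, petite_filter):
    """A client sends a recursive query to a caching server; returns (kind, trace)."""
    build_network(petite_filter)
    trace = []
    ans = NETWORK[server_ip].query(Query(name, client_ip, True), trace)
    return ans.kind, trace

if __name__ == "__main__":
    for mode in ("none", "all", "recursion"):
        kind, trace = lookup(YOUR_PC, YOUR_DNS, "www.priscilla.com", mode)
        print(f"petiteisp filter={mode:9} -> {kind}")
        for src, dst, name in trace:
            print(f"   {src:>14} -> {dst:<14} {name}")
```

The trace printed for each mode shows the query to petiteisp.com arriving from your ISP's caching server, never from the root and never from your PC, which is why a customers-only filter on the authoritative server breaks resolution while a filter on recursion alone does not.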
Re: Dening telnet access [7:35628]
I'll bite. Not being responsible for our network I asked a peer who is more familiar with it, and yes, we do allow DNS requests. DNS servers are generally located in a DMZ and are not a high security risk. If you have no DNS server then you only need to allow replies since you obviously have nothing to request..

Dave

Chuck wrote:
> hey Mad Guy, does your organization permit DNS requests from any old place, or do you restrict that to sources only within your space?
>
> Chuck
> trying to drag you into another thread entirely
>
> MADMAN wrote in message news:[EMAIL PROTECTED]...
>> Not in my world:
>>
>> interface Ethernet4/0/0
>>  bandwidth 1000
>>  ip address 172.28.64.11 255.255.255.192
>>  ip access-group 150 in
>>  no ip directed-broadcast
>>  no ip mroute-cache
>> !
>> access-list 150 deny tcp host 172.28.56.48 any eq telnet log
>> access-list 150 permit ip any any
>>
>> *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet
>>
>> Thank you!!
>>
>> Dave

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it
Re: Network Security [7:35783]
Perhaps. A war dialer is a phreaking tool used in the old days to dial numbers to try and discover modems. My friends used to use them.

Rodney Jackson wrote in message news:[EMAIL PROTECTED]...
> Has anyone ever used a war dialer and if so would you please give me some feedback? I'm concerned about the freeware having back doors; do you think that's a legitimate concern?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35786t=35783
IPX default network / default route [7:35789]
Not an exciting topic, but you never can tell where this might show up ;-)

  R1--R3--R4--R7--R8
  |---tunnel--|  ethernet  serial  serial
  1FA.0010.7b7e.ebdf              8.8.8.8

No routing takes place between R1 and R3. R1 has a default route to R3. R3 advertises a default route to the tunnel interface address of R1.

R1 relevant configuration:
  ipx route default AFFA.0003.0003.0003
Note that although the IPX default-network command has been entered, it does not show up in the configuration output.

R3 relevant configuration:
  ipx route default AFFA.0001.0001.0001
  !
  ipx router rip
   no network AFFA
  !
Note - to break routing between R1 and R3 I had to remove the tunnel interface from the routing process.

R1 routing table:
  S FFFE via AFFA.0003.0003.0003, Tu13
  C 1FA (SAP), Et0
  C 11AA (UNKNOWN), Lo1
  C AFFA (TUNNEL), Tu13
  R1#
Note the default route. Note there are no other IPX routes in the table. IPX routing is not taking place. The default route points to the tunnel interface address of R3.

R3 routing table:
  S FFFE via AFFA.0001.0001.0001, Tu13
  C 1FB (NOVELL-ETHER), Et0
  C AFFA (TUNNEL), Tu13
  R 7 [01/01] via 1FB..0c8d.2257, 49s, Et0
  R 8 [01/01] via 1FB..0c8d.2257, 49s, Et0
  R 47FF [02/01] via 1FB..0c8d.2257, 49s, Et0
  R 78FF [01/01] via 1FB..0c8d.2257, 49s, Et0
  R 8101 [01/01] via 1FB..0c8d.2257, 49s, Et0
  R 8102 [01/01] via 1FB..0c8d.2257, 49s, Et0
  R 8103 [01/01] via 1FB..0c8d.2257, 49s, Et0
  R 8 [14/02] via 1FB..0c8d.2257, 49s, Et0
  R3#
Note there are lots of IPX routes, but the default is to the tunnel interface.

R8 routing table:
  E FFFE [270336000/3] via 78FF.0077.0077.0077, age 01:00:07, 1u, Se1
  L 8 is the internal network
  C 8 (UNKNOWN), Lo104
  C 78FF (HDLC), Se1
  C 8101 (UNKNOWN), Lo101
  C 8102 (UNKNOWN), Lo102
  C 8103 (UNKNOWN), Lo103
  E 7 [2297856/0] via 78FF.0077.0077.0077, age 01:00:57, 2u, Se1
  E 1FB [2707456/0] via 78FF.0077.0077.0077, age 01:00:57, 1u, Se1
  E 47FF [2681856/0] via 78FF.0077.0077.0077, age 01:00:57, 1u, Se1
  E AFFA [270336000/2] via 78FF.0077.0077.0077, age 01:00:12, 1u, Se1
  R8#
Note the existence of the default route. Note there are lots of routes in the table.

Connectivity:
  R8#ping 1FA.0010.7b7e.ebdf
  Translating 1FA.0010.7b7e.ebdf
  Translating 1FA.0010.7b7e.ebdf
  Type escape sequence to abort.
  Sending 5, 100-byte IPX Novell Echoes to 1FA.0010.7b7e.ebdf, timeout is 2 seconds:
  !
  Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/68 ms
  R8#
Note - able to ping an unknown network.

  R1#ping
  Protocol [ip]: ipx
  Target IPX address: 8.8.8.8
  Repeat count [5]:
  Datagram size [100]:
  Timeout in seconds [2]:
  Verbose [n]:
  Type escape sequence to abort.
  Sending 5, 100-byte IPX Novell Echoes to 8.0008.0008.0008, timeout is 2 seconds:
  !
  Success rate is 100 percent (5/5), round-trip min/avg/max = 52/54/56 ms
  R1#
R1, with no routes other than the default route, can ping an unknown network. (Extended ping, because the IPX network in question would be interpreted as an IP address otherwise.)

Some points of interest:
1) IPX default-route must be issued on every router where you want the default route to be advertised. This does not show up in the running or stored config.
2) While the default-route can be associated with a physical interface, one can use an IPX network as well. That network cannot reside on the router where the ipx route default command resides.
3) When constructing an IPX default route, one needs to keep in mind the requirements. It does not work at all like an IP default route.

My topology probably limits the usefulness of the IPX default route. Hope this is of some use to some of you.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35789t=35789
Re: Dening telnet access [7:35628]
The original post was done on a 7507 running beta IOS. This is on my 2620:

  interface FastEthernet0/0
   ip address 172.28.64.28 255.255.255.192
   ip access-group 150 in
   ip directed-broadcast
   duplex auto
   speed auto
  !
  access-list 150 deny tcp host 172.28.56.48 any eq telnet log
  access-list 150 permit ip any any

  3w3d: ICMP: dst (172.28.64.28) administratively prohibited unreachable sent to 172.28.56.48

IOS 12.2.(4)T1

Dave

Patrick Ramsey wrote:
What platform and what IOS? That's odd... That exact ACL does not work on my 2600's. Now this is going to bug me. 12.2(3)

MADMAN 02/18/02 03:19PM
Not in my world:
  interface Ethernet4/0/0
   bandwidth 1000
   ip address 172.28.64.11 255.255.255.192
   ip access-group 150 in
   no ip directed-broadcast
   no ip mroute-cache
  !
  access-list 150 deny tcp host 172.28.56.48 any eq telnet log
  access-list 150 permit ip any any

  *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!!
Dave

Roberts, Larry wrote:
The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??
Dave

Patrick Ramsey wrote:
Really? I have had no luck using inbound ACLs to control telnet to the router... I always have to use acc's on the VTYs. Is there a trick to this?
-Patrick

MADMAN 02/18/02 12:16PM
Actually telnet packets are processed by inbound access-lists. Now if you're referring to outbound access-lists then you would be correct.
Dave

Hire, Ejay wrote:
Because telnet packets destined for the router are not normally processed by access-lists. (I don't understand why not, but hey...) Instead do this:
  access-list y deny xx.xx.xx.xx xx.xx.xx.xx
  line vty 0 n    (n = the result of a ?, usually 4)
  access-class y

-----Original Message-----
From: McHugh Randy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?
  Extended IP access list 199
    deny tcp any any eq telnet
  interface Ethernet0
    ip access-group 199 in
I have a lot more statements than this and of course the statement "access-list 199 permit ip any any" to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router?
Thanks,
Randy

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it
Re: Dening telnet access [7:35628]
Here's the proof:

  interface FastEthernet0/0
   ip address 172.28.64.28 255.255.255.192
   ip access-group 150 in
   ip directed-broadcast
   duplex auto
   speed auto
  !
  access-list 150 deny tcp host 172.28.64.11 any eq telnet log
  access-list 150 permit ip any any
  !
  line con 0
   exec-timeout 0 0
  line aux 0
  line vty 0 4
   exec-timeout 0 0
   password cisco
   logging synchronous
   login
  line vty 5 15
   login

  C2620B#
  3w3d: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.64.11(62978) -> 172.28.64.28(23), 1 packet
  C2620B#

Dave

Roberts, Larry wrote:
And for reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1
Note that your source address is NOT on the same Ethernet subnet (172.28.64.11/26). You're coming from 172.28.56.48. A routing decision is being made. Put your machine on the 172.28.64.11 subnet and show me this getting dropped.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Not in my world:
  interface Ethernet4/0/0
   bandwidth 1000
   ip address 172.28.64.11 255.255.255.192
   ip access-group 150 in
   no ip directed-broadcast
   no ip mroute-cache
  !
  access-list 150 deny tcp host 172.28.56.48 any eq telnet log
  access-list 150 permit ip any any

  *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!!
Dave

Roberts, Larry wrote:
The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??
Dave

Patrick Ramsey wrote:
Really? I have had no luck using inbound ACLs to control telnet to the router... I always have to use acc's on the VTYs. Is there a trick to this?
-Patrick

MADMAN 02/18/02 12:16PM
Actually telnet packets are processed by inbound access-lists. Now if you're referring to outbound access-lists then you would be correct.
Dave

Hire, Ejay wrote:
Because telnet packets destined for the router are not normally processed by access-lists. (I don't understand why not, but hey...) Instead do this:
  access-list y deny xx.xx.xx.xx xx.xx.xx.xx
  line vty 0 n    (n = the result of a ?, usually 4)
  access-class y

-----Original Message-----
From: McHugh Randy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?
  Extended IP access list 199
    deny tcp any any eq telnet
  interface Ethernet0
    ip access-group 199 in
I have a lot more statements than this and of course the statement "access-list 199 permit ip any any" to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router?
Thanks,
Randy

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it
Re: Dening telnet access [7:35628]
Access-classes are exclusively for denying access to the router so yes that is the correct way I suppose. I just wanted to point out that there is another way cause it can and has burned me!!! Also a while ago, as I mentioned earlier, all access-lists were outbound but I don't think anyone on this list is running 9.0 or earlier!!

Dave

Roberts, Larry wrote:
Wow, that makes no sense. It must be a new feature. :) Anyways you're right, I'm wrong. I would like to point out that if you are asked by Cisco to restrict access to the router, if you want credit I would strongly advise using access-class statements. Remember the answer is the Cisco way, not always the right way.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 4:42 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Here's the proof:

  interface FastEthernet0/0
   ip address 172.28.64.28 255.255.255.192
   ip access-group 150 in
   ip directed-broadcast
   duplex auto
   speed auto
  !
  access-list 150 deny tcp host 172.28.64.11 any eq telnet log
  access-list 150 permit ip any any
  !
  line con 0
   exec-timeout 0 0
  line aux 0
  line vty 0 4
   exec-timeout 0 0
   password cisco
   logging synchronous
   login
  line vty 5 15
   login

  C2620B#
  3w3d: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.64.11(62978) -> 172.28.64.28(23), 1 packet
  C2620B#

Dave

Roberts, Larry wrote:
And for reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1
Note that your source address is NOT on the same Ethernet subnet (172.28.64.11/26). You're coming from 172.28.56.48. A routing decision is being made. Put your machine on the 172.28.64.11 subnet and show me this getting dropped.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Not in my world:
  interface Ethernet4/0/0
   bandwidth 1000
   ip address 172.28.64.11 255.255.255.192
   ip access-group 150 in
   no ip directed-broadcast
   no ip mroute-cache
  !
  access-list 150 deny tcp host 172.28.56.48 any eq telnet log
  access-list 150 permit ip any any

  *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!!
Dave

Roberts, Larry wrote:
The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??
Dave

Patrick Ramsey wrote:
Really? I have had no luck using inbound ACLs to control telnet to the router... I always have to use acc's on the VTYs. Is there a trick to this?
-Patrick

MADMAN 02/18/02 12:16PM
Actually telnet packets are processed by inbound access-lists. Now if you're referring to outbound access-lists then you would be correct.
Dave

Hire, Ejay wrote:
Because telnet packets destined for the router are not normally processed by access-lists. (I don't understand why not, but hey...) Instead do this:
  access-list y deny xx.xx.xx.xx xx.xx.xx.xx
  line vty 0 n    (n = the result of a ?, usually 4)
  access-class y

-----Original Message-----
From: McHugh Randy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?
  Extended IP access list 199
    deny tcp any any eq telnet
  interface Ethernet0
    ip access-group 199 in
I have a lot more statements than this and of course the statement "access-list 199 permit ip any any" to take care of the implicit deny all, but I can still access the
RE: DNS Request Redirection [7:35703]
Chuck, et al.,

One DNS server IP that I've used for years when I don't have a specific IP given when doing installations for customers, i.e., they don't tell me any additional info in regards to whether or not their ISP told them to use X.X.X.X and Y.Y.Y.Y for their client DNS settings, is a UUNet DNS cache server: 198.6.1.2

Never had any problems with it yet. But then again, I don't keep them on that DNS setting... It's usually just for initial install/test for DNS/Internet connectivity. Then I go get the rest of the information. And again, these steps are only performed this way when the customer contact is quite busy, and disappears on me within minutes of me confirming my arrival to work, or they have the classic response of "Uh, I'm not sure right now... lemme go try to dig that info up in our paperwork..." and they still don't come back for an extended period of time. Otherwise, I work efficiently, and request all of the specific configuration info up front as part of the install plan. :)

SO.. Give the UUNet caching server a spin, and let us know if it fails certain queries.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 2:25 PM
To: [EMAIL PROTECTED]
Subject: Re: DNS Request Redirection [7:35703]

The simple way to test this would be to set your workstation with some other ISP's DNS address, and see how things go. In one of my posts I provided the real IP of an active DNS server. Someone want to give it a try? Or post one that you know about. I'll be happy to test. I wish the guy who posted the original question would get back to us with his results.

Chuck

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space.

He wasn't asking about recursion. He was asking about the initial query from the end host.

Although I could believe you that a service provider should make sure these queries only come from customers, my experience is that service providers don't do this. I can set my PC to use a variety of DNS servers around the Internet and it works.

I think it's because it's tricky to do, especially for small ISPs. Some ISPs might have only one DNS server. The same server that provides DNS services to Internet-access customers may also be the authority for various names managed by the ISP. The ISP may be doing Web hosting and be the authority for a bunch of names. In that case, it can't filter out DNS queries coming from the Internet.

For example, say your PC asks your local DNS server to resolve www.priscilla.com. Your server can't do it. It asks its upstream server, probably one of the root servers. The root server figures out that petiteisp.com owns www.priscilla.com and tells your server the IP address of the authoritative name server at petiteisp.com. Your server queries petiteisp.com which gives your server the IP address for www.priscilla.com. Your server finally responds to your PC.

Notice that the query to petiteisp.com came from some unexpected IP address that can't be anticipated in a filter. If petiteisp.com had a filter to allow queries only from its customers, the query from your server would have failed. Did that make sense? ;-)

How do bigger ISPs handle this? I suppose bigger ISPs have more than one DNS server, one for Internet access customers, and one that is the authority for names owned by the ISP.

Priscilla

> This is fundamental to DNS security. You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG. The easiest thing to do may be to provide an on-site caching DNS using the old ISP's DNS addresses. If you've got a lot of workstations and a decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway.
> rgds
> Marc TXK
>
> Godswill HO wrote:
> > You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are in the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine; had it been you are using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; more, each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy.
> > Regards.
> > Oletu
> > -
RE: Dening telnet access [7:35628]
Wow, that makes no sense. It must be a new feature. :) Anyways you're right, I'm wrong. I would like to point out that if you are asked by Cisco to restrict access to the router, if you want credit I would strongly advise using access-class statements. Remember the answer is the Cisco way, not always the right way.

Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 4:42 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Here's the proof:

  interface FastEthernet0/0
   ip address 172.28.64.28 255.255.255.192
   ip access-group 150 in
   ip directed-broadcast
   duplex auto
   speed auto
  !
  access-list 150 deny tcp host 172.28.64.11 any eq telnet log
  access-list 150 permit ip any any
  !
  line con 0
   exec-timeout 0 0
  line aux 0
  line vty 0 4
   exec-timeout 0 0
   password cisco
   logging synchronous
   login
  line vty 5 15
   login

  C2620B#
  3w3d: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.64.11(62978) -> 172.28.64.28(23), 1 packet
  C2620B#

Dave

Roberts, Larry wrote:
And for reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1
Note that your source address is NOT on the same Ethernet subnet (172.28.64.11/26). You're coming from 172.28.56.48. A routing decision is being made. Put your machine on the 172.28.64.11 subnet and show me this getting dropped.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Not in my world:
  interface Ethernet4/0/0
   bandwidth 1000
   ip address 172.28.64.11 255.255.255.192
   ip access-group 150 in
   no ip directed-broadcast
   no ip mroute-cache
  !
  access-list 150 deny tcp host 172.28.56.48 any eq telnet log
  access-list 150 permit ip any any

  *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!!
Dave

Roberts, Larry wrote:
The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.
Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telnetting to/thru??
Dave

Patrick Ramsey wrote:
Really? I have had no luck using inbound ACLs to control telnet to the router... I always have to use acc's on the VTYs. Is there a trick to this?
-Patrick

MADMAN 02/18/02 12:16PM
Actually telnet packets are processed by inbound access-lists. Now if you're referring to outbound access-lists then you would be correct.
Dave

Hire, Ejay wrote:
Because telnet packets destined for the router are not normally processed by access-lists. (I don't understand why not, but hey...) Instead do this:
  access-list y deny xx.xx.xx.xx xx.xx.xx.xx
  line vty 0 n    (n = the result of a ?, usually 4)
  access-class y

-----Original Message-----
From: McHugh Randy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?
  Extended IP access list 199
    deny tcp any any eq telnet
  interface Ethernet0
    ip access-group 199 in
I have a lot more statements than this and of course the statement "access-list 199 permit ip any any" to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router?
Thanks,
Randy

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it
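The behaviour argued over in this thread, modelled as an added example (not code from the list or from Cisco): a first-match evaluator for the extended ACL quoted above, run against constructed packets including one addressed to the router's own interface, next to the separate source-only check that an access-class on the vty lines performs. The ACL entries and router addresses are the ones quoted in the thread; the packets and the vty access-class prefix 172.28.64.0/26 are constructed, and the log format follows the %SEC-6-IPACCESSLOGP lines Dave posted.

```python
"""Added example (not from the list thread or from Cisco): a first-match
model of the inbound extended ACL quoted in the thread, plus the separate
source-only check that an access-class on the vty lines performs.
The ACL entries and router addresses are the ones quoted in the thread;
the packets and the vty access-class prefix are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TELNET = 23
LOG_VERB = {"deny": "denied", "permit": "permitted"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry.  proto "ip" matches every protocol; src/dst are
    CIDR strings, with 0.0.0.0/0 standing for "any" and a /32 for "host"."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # "eq telnet" style destination-port match
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or p.dport == self.dport


def evaluate(acl: List[Ace], p: Packet, name: str = "150") -> Tuple[bool, Optional[str]]:
    """First matching entry wins; the implicit deny at the end is not logged.
    The interface ACL sees every packet arriving on that interface, including
    ones addressed to the router's own address, which is what Dave's log
    lines show.  Returns (permitted, log line or None)."""
    for ace in acl:
        if ace.matches(p):
            line = None
            if ace.log:
                line = (f"%SEC-6-IPACCESSLOGP: list {name} {LOG_VERB[ace.action]} "
                        f"{p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport}), 1 packet")
            return ace.action == "permit", line
    return False, None


# access-list 150 deny tcp host 172.28.56.48 any eq telnet log
# access-list 150 permit ip any any
ACL_150 = [
    Ace("deny", "tcp", "172.28.56.48/32", "0.0.0.0/0", dport=TELNET, log=True),
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def vty_access_class(allowed_sources: List[str], p: Packet) -> bool:
    """A standard ACL applied with access-class ... in looks only at the
    source address, and only at sessions terminating on the vty lines."""
    return any(ip_address(p.src) in ip_network(n) for n in allowed_sources)


def telnet_admitted(acl: List[Ace], allowed_sources: List[str], p: Packet):
    """A telnet session to the router must survive both filters: the inbound
    interface ACL first, then the vty access-class.  The second check is the
    one that still applies to sessions arriving on an interface with no ACL."""
    permitted, line = evaluate(acl, p)
    if not permitted:
        return False, line
    return vty_access_class(allowed_sources, p), line


if __name__ == "__main__":
    # Constructed: the session Dave logged (172.28.56.48 -> 172.28.64.11:23) ...
    probe = Packet("172.28.56.48", "172.28.64.11", "tcp", 57010, TELNET)
    print(telnet_admitted(ACL_150, ["172.28.64.0/26"], probe))
    # ... and a source the interface ACL permits but the access-class rejects.
    outsider = Packet("10.0.0.5", "172.28.64.11", "tcp", 1025, TELNET)
    print(telnet_admitted(ACL_150, ["172.28.64.0/26"], outsider))
```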
RE: what does peer routers mean? [7:35705]
There is a meaning common to all routing protocols, and an additional special meaning in BGP.

A peer is a router with which you have a direct IP connection. In other words, two BGP routers are peers as long as the BGP connection is between the loopbacks on both routers; there can be intervening IGP routers. Peer implies neighbor, but, in some protocols, has the additional nuance that you exchange routing information with it as well as forward through it.

As a rule of thumb, you should not have more than 20-30 iBGP or eBGP peers on a BGP router, unless you know exactly what you are doing and can do the appropriate capacity planning. This is a reasonable rule for IGP routers as well, with the caveat that you can have more static peers than that.

The total number of peers is limited by the number of Interface Descriptor Blocks that are available. IDBs are the sum of all logical and physical interfaces, including subinterfaces. For a long time, it was 300, but newer releases allow more.

The 50 router limit per OSPF area is conservative, but it doesn't refer to peers, but to the total number of OSPF routers in the area. The reason for this is that the workload for computing the Dijkstra, in a single area, is proportional to:

  (numberOfPrefixes * numberOfPrefixes) * log(numberOfRouters)

So the more total routers (i.e., Type 1 LSAs), the more the CPU load goes up. Still, an experienced designer may be able to get hundreds of routers working in an area, although they may need fast CPUs. I wouldn't want to have more than a maximum of 47 OSPF routers on the same segment, since that's the maximum you can fit into a single Hello packet.

Someone mentioned limits of peers per AS. Certainly, if that's in the BGP sense, large providers routinely have thousands, perhaps tens of thousands, of routers. They certainly use hierarchy and don't put excessive peers on any given box.

--
What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me***
Howard C. Berkowitz
[EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications
Technical Director, CertificationZone.com
retired Certified Cisco Systems Instructor (CID) #93005

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35793t=35705
RE: Network Security [7:35783]
Rodney,

War dialers are used to identify analog modems and ISDN modems that may be a point of concern within an organization, specifically if they are not monitored or accounted for. Unless you have a ton of them out on your network, I wouldn't worry too much about it. It's a good idea to conduct an assessment though and evaluate where your organization is from a security perspective and see if change is warranted.

Later,
Will

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodney Jackson
Sent: Monday, February 18, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: Network Security [7:35783]

Has anyone ever used a war dialer and if so would you please give me some feedback? I'm concerned about the freeware having back doors; do you think that's a legitimate concern?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35795t=35783
RE: Network Security [7:35783]
They are not out of style per se. We use them when performing security assessments of client environments.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven A. Ridder
Sent: Monday, February 18, 2002 4:15 PM
To: [EMAIL PROTECTED]
Subject: Re: Network Security [7:35783]

Perhaps. A war dialer is a phreaking tool used in the old days to dial numbers to try and discover modems. My friends used to use them.

Rodney Jackson wrote in message news:[EMAIL PROTECTED]...
Has anyone ever used a war dialer and if so would you please give me some feedback? I'm concerned about the freeware having back doors; do you think that's a legitimate concern?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35797t=35783
Re: DNS Request Redirection [7:35703]
Oh, sorry, I misunderstood his comment about forwarding. Yes, the new ISP has to send the packets to the old ISP because the users are using the old ISP's DNS server. As you say, this should work unless the old ISP denies requests coming from sources outside its IP address range. (And that may not be the case, see my other comment! ;-)

Priscilla

At 02:16 PM 2/18/02, Chuck wrote:

hhmmm. as I understand the original question, each workstation in the network in question is hard coded for DNS. So, if for example, my machine is hard coded for DNS server 207.126.96.162 (my ISP DNS server) and I change ISPs, and make no changes to my workstation, then any DNS request will have a destination address of 207.126.96.162.

The question, as I understand it, is how to change that destination address without making workstation visits. Policy routing can change next hop, but not destination address. NAT outbound changes source address, not destination address. Unless there is a packet interceptor that takes all DNS requests and physically changes the destination address, the user has few options.

Again, IF the former ISP does not restrict DNS requests to its own address space, i.e. accepts DNS requests from anywhere, then there is no problem, and no changes need be made. However IF (and this would be good practice for a lot of reasons) the former ISP does indeed restrict DNS requests to source addresses within its own space, then there will have to be additional changes on the user network.

This whole discussion illustrates why people SHOULD follow best practice from the get go. If they want to hard code IPs, then I believe DHCP can be configured so that it provides only DNS info and default gateway info, for example. The people who have insisted that their network hard code everything are now learning the hard lesson.

Chuck

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...

At 05:11 AM 2/18/02, Godswill HO wrote:

You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine.

It would depend on what records they are accessing. If the users are going to the Internet and accessing sites such as www.cisco.com and www.groupstudy.com, for example, the DNS queries don't have to go back to the original ISP.

Had it been you are using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy.

Regards.
Oletu

----- Original Message -----
From: Michael Hair
To:
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]

I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT; now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines. Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT?

If someone could provide me a sample of how you could do this I would be grateful...

Thanks
Michael

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35798t=35703
RE: Visual switch manager gone after upgrade TFTP. [7:35716]
You need to upgrade the HTML files as well. The .bin file contains the IOS image only. There is a .tar file that upgrades the IOS as well as the HTML files. See http://www.cisco.com/warp/customer/473/36.shtml for more info.

Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sim, CT (Chee Tong)
Sent: Monday, February 18, 2002 3:43 AM
To: [EMAIL PROTECTED]
Subject: Visual switch manager gone after upgrade TFTP. [7:35716]

I was doing a TFTP upgrade procedure on the XL switch. There is a procedure to delete the HTML files (delete flash:html/*) before copying the new flash, and I have done that. After I upgraded the IOS and reloaded it, the IOS was successfully upgraded, but when I go to the web-based Visual Switch Manager there is no page shown. Then I went to my flash:html/ and it is empty:

SwitchA#dir flash:html/
Directory of flash:html/
  190  d--x           0   Mar 01 1993 00:09:40  Snmp
3612672 bytes total (1850880 bytes free)

I went to another switch (B) and found there are a lot of files in the html folder. What should I do to make the Visual Switch Manager work again? Should I copy all the files to switch A?

SwitchB#dir flash:html/
Directory of flash:html/
    5  -rwx         965   Mar 01 1993 00:09:55  Detective.html.gz
    6  -rwx         671   Mar 01 1993 00:09:55  GraphFrame.html.gz
    7  -rwx         675   Mar 01 1993 00:09:55  GraphFrameIE.html.gz
    8  -rwx        1182   Mar 01 1993 00:09:55  ethhelp.html.gz
    9  -rwx        1499   Mar 01 1993 00:09:55  fddihelp.html.gz
   10  -rwx        1538   Mar 01 1993 00:09:56  fdnethlp.html.gz
   11  -rwx         538   Mar 01 1993 00:09:56  ieGraph.html.gz
   12  -rwx         524   Mar 01 1993 00:09:56  ieLink.html.gz
   13  -rwx         959   Mar 01 1993 00:09:56  LinkFetch.html.gz
   14  -rwx         960   Mar 01 1993 00:09:56  LinkFetchIE.html.gz
   15  -rwx         796   Mar 01 1993 00:09:56  LinkReport.html.gz
   16  -rwx        3346   Mar 01 1993 00:09:56  TopoMain.html.gz
   17  -rwx        5154   Mar 01 1993 00:09:57  address.html.gz
   18  -rwx        3332   Mar 01 1993 00:09:57  addrhelp.html.gz
   19  -rwx        2573   Mar 01 1993 00:09:57  amether.html.gz
   20  -rwx        2706   Mar 01 1993 00:09:57  amfddi.html.gz
   21  -rwx        2907   Mar 01 1993 00:09:58  amfdnet.html.gz
   22  -rwx        3291   Mar 01 1993 00:09:58  amtr.html.gz
   23  -rwx        3018   Mar 01 1993 00:09:58  amtrnet.html.gz
   24  -rwx        3071   Mar 01 1993 00:09:58  arp.html.gz
   25  -rwx        1147   Mar 01 1993 00:09:58  arphelp.html.gz
   26  -rwx         210   Mar 01 1993 00:09:59  back.html.gz
   27  -rwx        4975   Mar 01 1993 00:09:59  balboa.html.gz
   28  -rwx        3171   Mar 01 1993 00:09:59  basichlp.html.gz
   29  -rwx         171   Mar 01 1993 00:09:59  blank.html.gz
   30  -rwx         527   Mar 01 1993 00:09:59  bottom.html.gz
   31  -rwx        3861   Mar 01 1993 00:10:00  cdp.html.gz
   32  -rwx        1562   Mar 01 1993 00:10:00  cdphelp.html.gz
   33  -rwx        3926   Mar 01 1993 00:10:00  cgmp.html.gz
   34  -rwx        1790   Mar 01 1993 00:10:00  cgmphelp.html.gz

The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35799t=35716
Re: ccnp beta [7:35726]
I took some beta exams for CCNP back the last time(?) they reworked the tests a few years ago. Got some big surprises on questions covering some odd areas, but they seemed pretty fair. As long as you aren't in a rush to get results back, go for it.

Darrell

Constantin Tivig wrote:

Anyone passed or participated in a CCNP beta exam? How is it? How many questions, how much time, how difficult? Do you think it is worth it, or take the normal exam? Any answers appreciated.

Costin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35800t=35726
Re: what is wrong with the job market ? [7:35611]
Chuck wrote in message news:[EMAIL PROTECTED]...

in the case of a number of the CLEC's, part of the problem was the old telco monopoly that they had to fight.

Maybe it was part of the problem, but not the whole problem. True, the RBOC's were hindering the DSL CLEC's. But that doesn't explain the financial failures of international network backbone providers (Global Crossing), the biggest cable-modem ISP (Excite@Home), or the biggest hosting service (Exodus). Or the downward spiral of many of the other big providers. Now you might say that all these companies made mistakes, and surely they did. On the other hand, I believe it is the case that even if these companies had executed perfectly, they still would have failed, although I agree they would have lasted longer. The biggest factor contributing to their decline is that the demand wasn't there to sustain them. If there had been as much demand as these providers thought there was, then I believe that most of these providers would be doing quite well, mistakes or no.

companies like COVAD, Northpoint, Concentric (now part of XO) to name a few, were there firstest with the mostest while the telco's dragged their feet on bringing DSL to their customer base. All the time racking up revenues through their local loop charges. Now the telcos are in the market full tilt boogie, steamrolling the CLEC's by taking advantage of their existing base, and more importantly, their existing infrastructure. I've had DSL through Concentric/XO, and before that with Flashcom. In both cases, new wire had to be used for me to get my line. The telco racked up the installation charges, and the local loop revenue.

On the other hand, consider this. Not only is the DSL CLEC model flawed financially, I believe the entire DSL business model, whether by a RBOC or a CLEC, is fatally flawed as it exists today. Even RBOC's report miniscule profits (not revenue, but profits) from DSL, so if even the RBOC's can't make it work, how exactly were these CLEC's supposed to make money? Or, as stated eloquently in Network Magazine:

...the RBOCs uniformly report that DSL deployment is, to quote SBC, revenue dilutive. So here's the question: Can the wholesaler of another company's network elements profit from selling a service that the original company couldn't profitably exploit? We don't have a provable residential profit model for broadband, and we're asking carriers to fund an expensive experiment to find one
http://www.networkmagazine.com/article/NMG20020206S0018

So basically DSL as it exists doesn't really work financially, at least not at the price points it's being offered at. RBOC's make good profit from dialtone and from expensive leased lines like T-1's and up. But not from DSL, and it looks like RBOC's only continue to offer DSL as a defensive maneuver against cable-modems, hoping that in the future they will be able to unlock some profit. But they aren't exactly scrambling to roll out more DSL, if the SBC cancellation of Project Pronto is any indication.

Now, the telco is offering to come in, and throw DSL on my existing dial tone line, something the CLEC's couldn't do. The result is that the telco can charge slightly less for DSL, and they don't have any additional costs in terms of wiring.

But they still have to maintain their CO's with DSLAM's and backhaul lines. And, the worst part of all, they have to send technicians out on expensive truck rolls when something bad happens to a DSL connection (which is quite often). The simple fact is that no company has ever generated a consistent profit from DSL, especially consumer DSL. All network equipment vendors are suffering from revenue declines, but those vendors who specialize in DSL equipment are really taking it on the chin, and this is because providers, whether CLEC or RBOC, are not investing in DSL, and the reason for that is that the profit margins are pretty much nonexistent.

the pure economics of it is that the telcos continue to have the distinct advantage. They sat back, let the CLEC's do all the initial work, let the CLEC's do all the initial marketing, and then they blew in and blew the CLEC's out of business.

Chuck

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

That article talked about 1 problem, the problem almost every company had - grabbing too much land and equipment with no customers or sustainable revenue. But that's also the problem every dot-bomb had. Thankfully the bubble burst, the madness ended and took out the garbage. No company would stay in business that way. This doesn't mean that their services weren't wanted. Most every home who has a dial-up, most businesses that don't have DSL in their area are still waiting for the right company/technology to come by and at the right price. There's still a pretty large demand for high-speed internet. Now we just have to wait
Re: Dening telnet access [7:35628]
I don't think the mad one cares about what Cisco says on any more tests because he's already a CCIE. :)

Roberts, Larry wrote in message news:[EMAIL PROTECTED]...

Wow, that makes no sense. It must be a new feature. :) Anyways you're right, I'm wrong. I would like to point out that if you are asked by Cisco to restrict access to the router, if you want credit I would strongly advise using access-class statements. Remember the answer is the Cisco way, not always the right way.

Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 4:42 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Here's the proof:

interface FastEthernet0/0
 ip address 172.28.64.28 255.255.255.192
 ip access-group 150 in
 ip directed-broadcast
 duplex auto
 speed auto
!
access-list 150 deny tcp host 172.28.64.11 any eq telnet log
access-list 150 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 5 15
 login

C2620B#
3w3d: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.64.11(62978) -> 172.28.64.28(23), 1 packet
C2620B#

Dave

Roberts, Larry wrote:

And for reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1

Note that your source address is NOT on the same Ethernet subnet (172.28.64.11/26). You're coming from 172.28.56.48. A routing decision is being made. Put your machine on the 172.28.64.11 subnet and show me this getting dropped.

Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

Not in my world:

interface Ethernet4/0/0
 bandwidth 1000
 ip address 172.28.64.11 255.255.255.192
 ip access-group 150 in
 no ip directed-broadcast
 no ip mroute-cache
!
access-list 150 deny tcp host 172.28.56.48 any eq telnet log
access-list 150 permit ip any any

*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

Thank you!!

Dave

Roberts, Larry wrote:

The only way that the access-list applied to the inbound interface (non-vty) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address (loopback or far side serial/ethernet). If you were to telnet directly to the interface that the access-list was applied to you WOULD get in. Only an access-class applied to the VTY ports will stop that.

Thanks
Larry

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]

I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telneting to/thru??

Dave

Patrick Ramsey wrote:

really? I have had no luck using inbound acl's to control telnet to the router... I always have to use acc's on the vty's. Is there a trick to this?

-Patrick

MADMAN 02/18/02 12:16PM

Actually telnet packets are processed by inbound access-list. Now if you're referring to outbound access-lists then you would be correct.

Dave

Hire, Ejay wrote:

Because telnet packets destined for the router are not normally processed by access-lists. (i don't understand why not, but hey...) instead do this

access-list y deny xx.xx.xx.xx xx.xx.xx.xx
line vty 0 n (n = the results of a ?, usually 4)
 access-class y

-----Original Message-----
From: McHugh Randy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]

Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514?

Extended IP access list 199
 deny tcp any any eq telnet

interface Ethernet0
 ip access-group 199 in

I have a lot more statements than this and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router.

Thanks,
Randy

--
David
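The thread argues about where telnet to the router gets filtered (an extended list applied inbound on the interface versus an access-class on the vty lines) and settles it with the %SEC-6-IPACCESSLOGP lines that the "log" keyword produces. The block below is an added example, not code from the thread or from Cisco: a small evaluator for numbered IOS access lists with the implicit deny at the end, fed with access list 150 as Dave posted it, plus a parser that turns the logged denials into a per-source count so the attempts show up in syslog review. Access list 10 (a standard list of the kind Larry recommends for access-class, restricted to the 172.28.64.0/26 subnet) and the PORT_NAMES table are constructed for the demonstration; the regex accepts both "->" and the bare "-" the thread's copies of the log lines ended up with.

```python
"""Toy evaluator for numbered IOS access lists and their syslog denials.

Added example, not the thread's or Cisco's code. Models first-match
evaluation with the implicit deny, then counts denied telnet attempts
per source from %SEC-6-IPACCESSLOGP lines.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}  # constructed subset


@dataclass
class Rule:
    number: int
    action: str             # "permit" or "deny"
    proto: str              # "ip", "tcp", "udp", ...
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]    # None when there is no "eq" clause
    log: bool


def _take_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD | A.B.C.D."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    if not tokens or tokens[0] in ("eq", "log"):   # bare address in a standard list
        return IPv4Network(tok + "/32")
    # IOS wildcard: a 1 bit means "don't care", so the netmask is its complement.
    # Non-contiguous wildcards are not representable as a network and raise here.
    netmask = 0xFFFFFFFF ^ int(IPv4Address(tokens.pop(0)))
    return IPv4Network((tok, str(IPv4Address(netmask))), strict=False)


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines; numbers below 100 are standard lists."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if number < 100:                    # standard: source address only
            proto, src, dst = "ip", _take_addr(rest), IPv4Network("0.0.0.0/0")
        else:                               # extended: proto src dst [eq port] [log]
            proto, src, dst = rest.pop(0), _take_addr(rest), _take_addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        rules.append(Rule(number, action, proto, src, dst, dport, "log" in rest))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Format produced by the "log" keyword; "-+>?" tolerates the arrow losing its ">".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<verdict>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -+>? "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def denied_telnet_by_source(log_lines):
    """Count denied packets to TCP/23 per source address from syslog lines."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["verdict"] == "denied" and m["proto"] == "tcp" and m["dport"] == "23":
            hits[m["src"]] += int(m["count"])
    return hits


# Access list 150 as Dave posted it for Ethernet4/0/0.
ACL_150 = parse_acl([
    "access-list 150 deny tcp host 172.28.56.48 any eq telnet log",
    "access-list 150 permit ip any any",
])

# Constructed standard list for "access-class" on the vty lines: only the
# router's own /26 may open a telnet session, everything else is denied.
ACL_10 = parse_acl(["access-list 10 permit 172.28.64.0 0.0.0.63"])

# Log lines quoted in the thread (the first two lost the ">" of the arrow).
SAMPLE_LOG = [
    "*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) - 172.28.64.11(23), 1 packet",
    "3w3d: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.64.11(62978) - 172.28.64.28(23), 1 packet",
    "04:08:59: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.222(11010) -> 10.10.10.77(23), 1 packet",
]

if __name__ == "__main__":
    print(evaluate(ACL_150, "tcp", "172.28.56.48", "172.28.64.11", 23))   # deny
    print(evaluate(ACL_10, "tcp", "172.28.56.48", "172.28.64.11", 23))    # deny
    print(dict(denied_telnet_by_source(SAMPLE_LOG)))
```

The evaluator only models the list itself; it says nothing about which interface the packet arrives on, which is exactly Larry's point about routed versus directly connected destinations. An access-class list is evaluated against the source of the vty connection regardless of interface, which is why the thread recommends it for the exam answer.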
Re: what is wrong with the job market ? [7:35611]
nrf wrote:

Chuck wrote in message news:[EMAIL PROTECTED]...

in the case of a number of the CLEC's, part of the problem was the old telco monopoly that they had to fight.

Maybe it was part of the problem, but not the whole problem. True, the RBOC's were hindering the DSL CLEC's. But that doesn't explain the financial failures of international network backbone providers (Global Crossing), the biggest cable-modem ISP (Excite@Home), or the biggest hosting service (Exodus). Or the downward spiral of many of the other big providers. Now you might say that all these companies made mistakes, and surely they did. On the other hand, I believe it is the case that even if these companies had executed perfectly, they still would have failed, although I agree they would have lasted longer. The biggest factor contributing to their decline is that the demand wasn't there to sustain them. If there had been as much demand as these providers thought there was, then I believe that most of these providers would be doing quite well, mistakes or no.

First it's nice to see folks from the trenches talking about these things in public. I totally agree that demand was less than projected. This really beat to hell the working capital management practices companies had adopted. A shortfall in demand in the short term wasn't a big deal as that'd been happening throughout the boom. It was the lack of access to new capital so that there was time to build the demand. The time horizons for profitability on many of these firms were tightened by several years. Massive changes needed to take place to realize that... we're watching that now along with a general economic recession.

Another factor that most large telecom builds have in common is the use of debt (usually bonds) to fund the builds. Given two equal providers, one who has a significant debt/interest burden can't last nearly as long. We have seen much progress with providers dumping debt by negotiating with bond holders. (At least the bond holders are getting something now while they can.) These facts of telecom providers led to pseudo price wars with a big downward spiral in prices. Firms trying to survive dropped pricing beyond sustainable levels to increase revenue; they have (are) gone (going) out of business. Their assets are being purchased at much lower price points, with the resulting providers able to offer services much cheaper than the debt-burdened providers.

I'm not going to speculate here about how the telcos will pull out of this mess, but in looking at this we can't ignore the tightened timeframe to profitability and higher interest payments from long-term debt acquired during the boom.

Darrell

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35804t=35611
Re: DNS Request Redirection [7:35703]
Recursion is precisely what he was concerned about. As you have alluded, there are two roles for a DNS server, caching (which requires recursion), and authoritative. An ISP does not need to publish the addresses of an authoritative nameserver; those addresses are stored in the distributed database and are therefore found naturally. The only reason for publishing an ISP's DNS server addresses to their customers is for use as caching servers (often confusingly called resolvers).

Whereas using another ISP's DNS cache servers may be technically possible right now because of lax practices, I wouldn't want all my users to be cut off by events beyond my control, e.g. when said lax ISP engages a half-decent DNS consultant. Within DNS circles the practice is frowned upon, and it might be held that it is actually criminal in several jurisdictions.

My own belief is that running your own caching DNS server is almost always the best solution, but then I am biased since DNS is my specialism :-)

rgds
Marc TXK

Priscilla Oppenheimer wrote:

At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:

Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space.

He wasn't asking about recursion. He was asking about the initial query from the end host. Although I could believe you that a service provider should make sure these queries only come from customers, my experience is that service providers don't do this. I can set my PC to use a variety of DNS servers around the Internet and it works.

I think it's because it's tricky to do, especially for small ISPs. Some ISPs might have only one DNS server. The same server that provides DNS services to Internet-access customers may also be the authority for various names managed by the ISP. The ISP may be doing Web hosting and be the authority for a bunch of names. In that case, it can't filter out DNS queries coming from the Internet.

For example, say your PC asks your local DNS server to resolve www.priscilla.com. Your server can't do it. It asks its upstream server, probably one of the root servers. The root server figures out that petiteisp.com owns www.priscilla.com and tells your server the IP address of the authoritative name server at petiteisp.com. Your server queries petiteisp.com which gives your server the IP address for www.priscilla.com. Your server finally responds to your PC.

Notice that the query to petiteisp.com came from some unexpected IP address that can't be anticipated in a filter. If petiteisp.com had a filter to allow queries only from its customers, the query from your server would have failed. Did that make sense? ;-)

How do bigger ISPs handle this? I suppose bigger ISPs have more than one DNS server, one for Internet access customers, and one that is the authority for names owned by the ISP.

Priscilla

This is fundamental to DNS security. You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG. The easiest thing to do may be to provide an on-site caching DNS using the old ISP's DNS addresses. If you've got a lot of workstations and a decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway.

rgds
Marc TXK

Godswill HO wrote:

You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine; had it been you are using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy.

Regards.
Oletu

----- Original Message -----
From: Michael Hair
To:
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]

I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT; now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I setup our router to forward
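Marc's distinction between the caching role (recursion, which a careful ISP limits to its own address space) and the authoritative role (which must answer any resolver on the Internet), together with Priscilla's root-to-petiteisp walkthrough, is easy to get wrong in a filter. The block below is an added example, not code from the thread or from any DNS implementation: a toy model in which each server applies a source-address check only to queries that ask it to recurse, and serves its authoritative data to anyone. All names, networks and the address of www.priscilla.com are constructed, and the root hands out the priscilla.com delegation directly, skipping the .com servers exactly as the walkthrough does.

```python
"""Toy model of the two DNS server roles discussed in this thread: a caching
(recursive) server that should only recurse for its own customers, and an
authoritative server that has to answer queries from anywhere.

Added example, not code from the thread. All names, networks and the
address of www.priscilla.com are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANSWER, REFERRAL, REFUSED, SERVFAIL = "ANSWER", "REFERRAL", "REFUSED", "SERVFAIL"


@dataclass
class DnsServer:
    name: str
    address: str                                    # source IP of its own queries
    authoritative: Dict[str, str] = field(default_factory=dict)  # qname -> IP
    delegations: Dict[str, str] = field(default_factory=dict)    # zone -> server name
    allow_recursion: List[IPv4Network] = field(default_factory=list)
    cache: Dict[str, str] = field(default_factory=dict)

    def query(self, qname: str, client: str, rd: bool,
              world: "Dict[str, DnsServer]") -> Tuple[str, Optional[str]]:
        """Answer one query from `client`; rd=True means 'please recurse for me'."""
        # Authoritative data goes to anyone: the asking resolver's address cannot
        # be known in advance, so this role cannot be source-filtered.
        if qname in self.authoritative:
            return ANSWER, self.authoritative[qname]
        if rd:
            # The caching role is the one a "decent ISP" limits to its own space.
            if not any(IPv4Address(client) in net for net in self.allow_recursion):
                return REFUSED, None
            ip = self.resolve(qname, world)
            return (ANSWER, ip) if ip else (SERVFAIL, None)
        # rd=False: we are being asked as an authority; refer if we know the zone.
        for zone, server in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                return REFERRAL, server
        return REFUSED, None

    def resolve(self, qname: str, world: "Dict[str, DnsServer]") -> Optional[str]:
        """Iterative lookup: root -> delegated authority -> answer, then cache it."""
        if qname in self.cache:
            return self.cache[qname]
        current = world["root"]
        for _ in range(8):                           # bound the referral chain
            kind, value = current.query(qname, self.address, rd=False, world=world)
            if kind == ANSWER:
                self.cache[qname] = value
                return value
            if kind != REFERRAL:
                return None
            current = world[value]
        return None


def build_world() -> Dict[str, DnsServer]:
    """Four constructed servers: a root, petiteisp's authority, a strict cache, an open cache."""
    return {
        "root": DnsServer("root", "198.41.0.4",
                          delegations={"priscilla.com": "ns.petiteisp.com"}),
        "ns.petiteisp.com": DnsServer("ns.petiteisp.com", "192.0.2.53",
                                      authoritative={"www.priscilla.com": "192.0.2.10"}),
        # Old ISP's cache: recursion only for its customer block.
        "cache.oldisp.net": DnsServer("cache.oldisp.net", "203.0.113.53",
                                      allow_recursion=[IPv4Network("203.0.113.0/24")]),
        # A lax ISP's cache: open resolver, recursion for anybody on the Internet.
        "cache.laxisp.net": DnsServer("cache.laxisp.net", "198.51.100.53",
                                      allow_recursion=[IPv4Network("0.0.0.0/0")]),
    }


def lookup(world: Dict[str, DnsServer], server: str, qname: str, client: str):
    """What a workstation hard-coded to `server` sees when it asks for `qname`."""
    return world[server].query(qname, client, rd=True, world=world)


if __name__ == "__main__":
    w = build_world()
    # The same workstation before and after the move into the new ISP's address space.
    print(lookup(w, "cache.oldisp.net", "www.priscilla.com", "203.0.113.7"))
    print(lookup(w, "cache.oldisp.net", "www.priscilla.com", "198.51.100.7"))
```

Run against the old ISP's cache, the workstation gets an answer while it sits in 203.0.113.0/24 and REFUSED once its traffic arrives from the new ISP's range, which is the outage Marc warns about; the authority at ns.petiteisp.com still answers the cache's query even though 203.0.113.53 is not one of its customers.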
Re: DNS Request Redirection [7:35703]
Tim,

If you wish to provide authoritative DNS service from behind a NAT router, then with a Cisco the NAT code contains various ALGs (application level gateway, I think) including one for DNS. This ALG translates A records, MX and PTR records where it can. IIRC if it can't then the response is not passed at all (which many people believe is a major issue). So if the DNS server is behind the same NAT boundary as the servers, all well and good, just use the private addresses in the DNS and they'll be translated. However if the DNS server is not behind the same NAT boundary as the servers, then you're stuffed.

In DNS circles, the purists don't like all this because this technique is probably not possible to maintain for more complex DNS record types, and I believe it only does UDP, so I guess that it isn't best practice.

rgds
Marc TXK

Tim Booth wrote:

Out of curiosity, what is the best practice for someone who has a DNS server on their private network with a private IP address? How would one go about doing this with a router? Is it impossible? Is the best practice/only possible way to have the DNS server having a public IP address (in a DMZ)?

Kind Regards,
Tim Booth
MCDBA, CCNP, CCDP, CCIE written

Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety. Benjamin Franklin, 1759

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 13:16
To: [EMAIL PROTECTED]
Subject: Re: DNS Request Redirection [7:35703]

hhmmm. as I understand the original question, each workstation in the network in question is hard coded for DNS. So, if for example, my machine is hard coded for DNS server 207.126.96.162 (my ISP DNS server) and I change ISPs, and make no changes to my workstation, then any DNS request will have a destination address of 207.126.96.162.

The question, as I understand it, is how to change that destination address without making workstation visits. Policy routing can change next hop, but not destination address. NAT outbound changes source address, not destination address. Unless there is a packet interceptor that takes all DNS requests and physically changes the destination address, the user has few options.

Again, IF the former ISP does not restrict DNS requests to its own address space, i.e. accepts DNS requests from anywhere, then there is no problem, and no changes need be made. However IF (and this would be good practice for a lot of reasons) the former ISP does indeed restrict DNS requests to source addresses within its own space, then there will have to be additional changes on the user network.

This whole discussion illustrates why people SHOULD follow best practice from the get go. If they want to hard code IPs, then I believe DHCP can be configured so that it provides only DNS info and default gateway info, for example. The people who have insisted that their network hard code everything are now learning the hard lesson.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35807t=35703
Re: Network jobs in Dallas, TX? [7:35608]
While I don't live in Texas, I would imagine that there would indeed be lots of unemployed network guys hanging around Dallas, due to the proximity of Telecom Alley, and the implosion of the telecom industry.

AMR wrote in message news:[EMAIL PROTECTED]...

Get in line. There's hundreds in line in front of you with similar skills.

ME wrote in message news:[EMAIL PROTECTED]...

I'm new to the Dallas area and recently laid-off. I was wondering if folks here knew of anyone looking for somebody with 10 years network exp. and a CCIE in the Dallas area? If so please reply.

Thanks,
Mark Egan, CCIE #8775

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35808t=35608
Re: DNS Request Redirection [7:35703]
yep - seems to work just fine. Chuck Mark Odette II wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Chuck, et al., One DNS Server IP that I've used for years when I don't have a specific IP given when doing installations for customers, i.e., they don't tell me any additional info in regards to whether or not their ISP told them to use X.X.X.X and Y.Y.Y.Y for their client DNS settings, is a UUNet DNS Cache server: 198.6.1.2 Never had any problems with it yet. But then again, I don't keep them on that DNS Setting... It's usually just for initial install/test for DNS /Internet connectivity. Then I go get the rest of the information. And again, these steps are only performed this way when the customer contact is quite busy, and disappears on me within minutes of me confirming my arrival to work, or they have the classic response of Uh, I'm not sure right now... lemme go try to dig that info up in our paperwork... and they still don't come back for an extended period of time. Otherwise, I work efficiently, and request all of the specific configuration info up front as part of the install plan. :) SO.. Give the UUNet Caching server a spin, and let us know if it fails certain queries. Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 2:25 PM To: [EMAIL PROTECTED] Subject: Re: DNS Request Redirection [7:35703] the simple way to test this would be to set your workstation with some other ISP's DNS address, and see how things go. In one of my posts I provided the real IP of an active DNS server. Someone want to give it a try? or post one that you know about. I'll be happy to test. I wish the guy who posted the original question would get back to us with his results. Chuck Priscilla Oppenheimer wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote: Any decent ISP will refuse DNS recursion from any IP address that is not within its own address space. 
He wasn't asking about recursion. He was asking about the initial query from the end host. Although I could believe you that a service provider should make sure these queries only come from customers, my experience is that service providers don't do this. I can set my PC to use a variety of DNS servers around the Internet and it works. I think it's because it's tricky to do, especially for small ISPs. Some ISPs might have only one DNS server. The same server that provides DNS services to Internet-access customers may also be the authority for various names managed by the ISP. The ISP may be doing Web hosting and be the authority for a bunch of names. In that case, it can't filter out DNS queries coming from the Internet. For example, say your PC asks your local DNS server to resolve www.priscilla.com. Your server can't do it. It asks its upstream server, probably one of the root servers. The root server figures out that petiteisp.com owns www.priscilla.com and tells your server the IP address of the authoritative name server at petiteisp.com. Your server queries petiteisp.com which gives your server the IP address for www.priscilla.com. Your server finally responds to your PC. Notice that the query to petiteisp.com came from some unexpected IP address that can't be anticipated in a filter. If petiteisp.com had a filter to allow queries only from its customers, the query from your server would have failed. Did that make sense? ;-) How to bigger ISPs handle this? I suppose bigger ISPs have more than one DNS server, one for Internet access customers, and one that is the authority for names owned by the ISP. Priscilla This is fundamental to DNS security. You need to rewrite the destination IP address. Note that Cisco's NAT is not suitable for this because of the DNS ALG. The easiest thing to do may be to provide an on-site cacheing DNS using the old ISPs DNS addresses. 
If you've got a lot of workstations and a decent bandwidth to the Internet, you will probably find that running your own DNS cache will be more satisfactory anyway. rgds Marc TXK Godswill HO wrote: You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine; had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover, each machine has a cache so it does not forward
Re: Dening telnet access [7:35628]
Dave is right... r7#sh run int e0 Building configuration... Current configuration : 128 bytes ! interface Ethernet0 ip address 10.10.10.77 255.255.255.0 ip access-group 101 in no ip route-cache no ip mroute-cache end r7#sh access-lists Extended IP access list 101 deny tcp any any eq telnet log (2 matches) permit ip any any (32 matches) r7# 04:08:59: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.222(11010) - 10.10.10.77(23), 1 packet r7# 04:10:18: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.10.10.111(11017) - 10.10.10.77(23), 1 packet CM - Original Message - From: Roberts, Larry To: Sent: Monday, February 18, 2002 9:00 PM Subject: RE: Dening telnet access [7:35628] And for reference: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#xtocid1 Note that your source address is NOT on the same Ethernet subnet ( 172.28.64.11/26 ) You're coming from 172.28.56.48. A routing decision is being made. Put your machine on the 172.28.64.11 subnet and show me this getting dropped. Thanks Larry -Original Message- From: MADMAN [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 3:21 PM To: Roberts, Larry Cc: [EMAIL PROTECTED] Subject: Re: Dening telnet access [7:35628] Not in my world: interface Ethernet4/0/0 bandwidth 1000 ip address 172.28.64.11 255.255.255.192 ip access-group 150 in no ip directed-broadcast no ip mroute-cache ! access-list 150 deny tcp host 172.28.56.48 any eq telnet log access-list 150 permit ip any any *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) - 172.28.64.11(23), 1 packet Thank you!! Dave Roberts, Larry wrote: The only way that the access-list applied to the inbound interface ( non-vty ) blocked your telnet is if you were trying to telnet to an address that was not the directly connected address ( loopback or far side serial/ethernet ) If you were to telnet directly to the interface that the access-list was applied to you WOULD get in.
Only an access-class applied to the VTY ports will stop that. Thanks Larry -Original Message- From: MADMAN [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 1:05 PM To: [EMAIL PROTECTED] Subject: Re: Dening telnet access [7:35628] I know it does. I have, even fairly recently, locked myself out of a router via an inbound access list applied to an interface, DOH :( Try again and if it doesn't work I would like to see the config. Are you sure the interface on which you applied the access list is the interface you were telneting to/thru?? Dave Patrick Ramsey wrote: really? I have had no luck using inbound acl's to control telnet to the router...I always have to use acc's on the vty's Is there a trick to this? -Patrick MADMAN 02/18/02 12:16PM Actually telnet packets are processed by inbound access-list. Now if you're referring to outbound access-lists then you would be correct. Dave Hire, Ejay wrote: Because telnet packets destined for the router are not normally processed by access-lists. (i don't understand why not, but hey...) instead do this access-list y deny xx.xx.xx.xx xx.xx.xx.xx line vty 0 n (n = the results of a ?, usually 4) access-class y -Original Message- From: McHugh Randy [mailto:[EMAIL PROTECTED]] Sent: Saturday, February 16, 2002 4:49 PM To: [EMAIL PROTECTED] Subject: Dening telnet access [7:35628] Access list problem: Why does this extended access list not work to deny telnet access applied to the internet interface on a 2514? Extended IP access list 199 deny tcp any any eq telnet interface Ethernet0 ip access-group 199 in I have a lot more statements than this and of course the statement access-list 199 permit ip any any to take care of the implicit deny all, but I can still access the router from the internet through telnet. Anyone have any ideas what else might be needed to prevent or selectively allow telnet access to my router. Thanks, Randy -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc.
[EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it
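As an added example, not code posted by anyone in this thread, here is a small Python parser for the %SEC-6-IPACCESSLOGP lines that CM and Dave quote above. Once the interface ACL carries the log keyword, these messages are the record of who is being refused on port 23, and the script sums denied packets per source so repeat sources stand out. The sample lines are constructed to match the format shown (the first three reuse the addresses from the posts, the last two are invented); the archived copy flattens the "->" arrow to "-", so both forms are accepted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the %SEC-6-IPACCESSLOGP format quoted in the
# thread. The first three copy the addresses CM and Dave posted; the last two
# are invented so the counter has something to aggregate.
SAMPLE_LOG = """\
04:08:59: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.222(11010) -> 10.10.10.77(23), 1 packet
04:10:18: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.10.10.111(11017) -> 10.10.10.77(23), 1 packet
*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet
04:15:02: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.222(11011) - 10.10.10.77(23), 3 packets
04:15:30: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.10.5(4001) -> 10.10.10.77(80), 1 packet
"""

# One regex for the message body; the arrow is matched loosely because
# archived copies of these logs often lose the ">".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -+>? "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class AclLogEntry:
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


def parse_line(line: str) -> Optional[AclLogEntry]:
    """Return a structured record for one ACL log line, or None when the
    line is not an IPACCESSLOGP message (other syslog noise is skipped)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return AclLogEntry(
        acl=m["acl"], action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), count=int(m["count"]),
    )


def denied_telnet_by_source(log_text: str) -> dict:
    """Sum the packets denied to TCP/23, keyed by source address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry.action == "denied" and entry.proto == "tcp" and entry.dport == 23:
            counts[entry.src] += entry.count
    return dict(counts)


def repeat_offenders(log_text: str, threshold: int = 2) -> list:
    """Sources whose denied-telnet packet count reaches the threshold."""
    return sorted(src for src, n in denied_telnet_by_source(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in sorted(denied_telnet_by_source(SAMPLE_LOG).items()):
        print(f"{src:>16}  {n} denied telnet packet(s)")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Note that the second of CM's two lines comes from 10.10.10.111, which is on the router's own /24, so it answers Larry's question about whether a routing decision is required for the inbound list to catch the packet. IOS also rate-limits ACL logging, so the packet counts here are a lower bound, not a full accounting.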
Re: DNS Request Redirection [7:35703]
I have been re-reading the posts again and I have one question. I believe what Chuck says is true about NAT outbound changes the source address, not the destination address. So would it be possible to change the destination address on the inbound side? For example, let's say I have a web server behind my router doing NAT, 192.168.75.105. How would I tell the router to redirect connections going to 209.165.166.59 port 80 to go to 192.168.75.105 port 80? So I would be using the private address on the inside but still want the public IP address to be used by the outside world. Would this not be changing the destination address? Can this actually be done? Thanks Michael Chuck wrote in message news:[EMAIL PROTECTED]... hhmmm. as I understand the original question, each workstation in the network in question is hard coded for DNS. So, if for example, my machine is hard coded for DNS server 207.126.96.162 ( my ISP DNS server ) and I change ISP's, and make no changes to my workstation, then any DNS request will have a destination address of 207.126.96.162 The question, as I understand, is how to change that destination address without making workstation visits. Policy routing can change next hop, but not destination address. NAT outbound changes source address, not destination address. Unless there is a packet interceptor that takes all DNS requests, and physically changes the destination address, the user has few options. Again, IF the former ISP does not restrict DNS requests to its own address space, i.e. accepts DNS requests from anywhere, then there is no problem, and no changes need be made. However IF ( and this would be good practice for a lot of reasons ) the former ISP does indeed restrict DNS requests to source addresses within its own space, then there will have to be additional changes on the user network. This whole discussion illustrates why people SHOULD follow best practice from the get go.
If they want to hard code IP's, then I believe DHCP can be configured so that it provides only DNS info and default gateway info, for example. The people who have insisted that their network hard code everything are now learning the hard lesson. Chuck Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]... At 05:11 AM 2/18/02, Godswill HO wrote: You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine. It would depend on what records they are accessing. If the users are going to the Internet and accessing sites such as www.cisco.com and www.groupstudy.com, for example, the DNS queries don't have to go back to the original ISP. Had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover, each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy. Regards. Oletu - Original Message - From: Michael Hair To: Sent: Sunday, February 17, 2002 8:07 PM Subject: DNS Request Redirection [7:35703] I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT, now we want to move our connection from our current ISP to a new ISP with better bandwidth.
My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines? Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I would be grateful... Thanks Michael Priscilla Oppenheimer http://www.priscilla.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35812t=35703
Re: Network Security [7:35783]
We have used them in the past, but have limited their use. Too many complaints about answering the phone and either getting the tone in the ear or no one there. We also had problems identifying whether or not we discovered a modem or fax machine. This may have been a problem related to the program we were using. We are mainly a Windows NT environment so we went to using a logon type script to identify if a modem driver was installed or not. Unfortunately it only identified if the driver was installed, which did not actually mean there is a modem present in the system, just that at one time there was once. The only true way to tell was to use SMS or visit the machine. We currently use Microsoft's SMS to collect hardware profiles in which we can query the database to identify where modems are installed. Michael Rodney Jackson wrote in message news:[EMAIL PROTECTED]... Has anyone ever used a war dialer and if so would you please give me some feedback? I'm concerned about the freeware having back doors; do you think that a legitimate concern? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35813t=35783
RE: Network Security [7:35783]
Which one do you use? -Original Message- From: William Gragido [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 4:47 PM To: [EMAIL PROTECTED] Subject: RE: Network Security [7:35783] They are not out of style per se. We use them when performing security assessments of client environments. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Steven A. Ridder Sent: Monday, February 18, 2002 4:15 PM To: [EMAIL PROTECTED] Subject: Re: Network Security [7:35783] Perhaps. A war dialer is a phreaking tool used in the old days to dial numbers to try and discover modems. My friends used to use them. Rodney Jackson wrote in message news:[EMAIL PROTECTED]... Has anyone ever used a war dialer and if so would you please give me some feedback? I'm concerned about the freeware having back doors; do you think that a legitimate concern? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35814t=35783
RE: Network Security [7:35783]
Thanks for your help. I guess I asked the wrong question. I know what they are used for but I don't know which ones are safe or good. Can you help me with that? -Original Message- From: William Gragido [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 4:44 PM To: [EMAIL PROTECTED] Subject: RE: Network Security [7:35783] Rodney, War Dialers are used to identify analog modems and ISDN modems that may be a point of concern within an organization, specifically if they are not monitored or accounted for. Unless you have a ton of them out on your network, I wouldn't worry too much about it. It's a good idea to conduct an assessment though and evaluate where your organization is from a security perspective and see if change is warranted. Later, Will -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rodney Jackson Sent: Monday, February 18, 2002 4:03 PM To: [EMAIL PROTECTED] Subject: Network Security [7:35783] Has anyone ever used a war dialer and if so would you please give me some feedback? I'm concerned about the freeware having back doors; do you think that a legitimate concern? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35815t=35783
Re: DNS Request Redirection [7:35703]
I think what you are talking about is a static NAT ( conduit, in Cisco speak ). It's done all the time, for just the reason you mention. Any device for which you want / need a single internet face, use a static NAT. Chuck Michael Hair wrote in message news:[EMAIL PROTECTED]... I have been re-reading the posts again and I have one question. I believe what Chuck says is true about NAT outbound changes the source address, not the destination address. So would it be possible to change the destination address on the inbound side? For example, let's say I have a web server behind my router doing NAT, 192.168.75.105. How would I tell the router to redirect connections going to 209.165.166.59 port 80 to go to 192.168.75.105 port 80? So I would be using the private address on the inside but still want the public IP address to be used by the outside world. Would this not be changing the destination address? Can this actually be done? Thanks Michael Chuck wrote in message news:[EMAIL PROTECTED]... hhmmm. as I understand the original question, each workstation in the network in question is hard coded for DNS. So, if for example, my machine is hard coded for DNS server 207.126.96.162 ( my ISP DNS server ) and I change ISP's, and make no changes to my workstation, then any DNS request will have a destination address of 207.126.96.162 The question, as I understand, is how to change that destination address without making workstation visits. Policy routing can change next hop, but not destination address. NAT outbound changes source address, not destination address. Unless there is a packet interceptor that takes all DNS requests, and physically changes the destination address, the user has few options. Again, IF the former ISP does not restrict DNS requests to its own address space, i.e. accepts DNS requests from anywhere, then there is no problem, and no changes need be made.
However IF ( and this would be good practice for a lot of reasons ) the former ISP does indeed restrict DNS requests to source addresses within its own space, then there will have to be additional changes on the user network. This whole discussion illustrates why people SHOULD follow best practice from the get go. If they want to hard code IP's, then I believe DHCP can be configured so that it provides only DNS info and default gateway info, for example. The people who have insisted that their network hard code everything are now learning the hard lesson. Chuck Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]... At 05:11 AM 2/18/02, Godswill HO wrote: You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered. The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine. It would depend on what records they are accessing. If the users are going to the Internet and accessing sites such as www.cisco.com and www.groupstudy.com, for example, the DNS queries don't have to go back to the original ISP. Had you been using the DNS of your new ISP, these requests would stop there. Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover, each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache. Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy. Regards.
Oletu - Original Message - From: Michael Hair To: Sent: Sunday, February 17, 2002 8:07 PM Subject: DNS Request Redirection [7:35703] I was wondering what is the best way to take care of the following: I have been using a private address space behind a Cisco 4500 router connected up to our current ISP using NAT, now we want to move our connection from our current ISP to a new ISP with better bandwidth. My problem is that we don't want to change all our client machines' TCP/IP settings, which are all static; for some reason or another they were all set up to use our ISP's DNS. Not my idea but that's another problem. So how can I set up our router to forward requests looking for our current ISP's DNS to our new ISP's DNS without touching all the client machines? Would the best way be to use policy-based routing? Would a static route work? Could I use a static route under NAT? If someone could provide me a sample of how you could do this I
RE: what does peer routers mean? [7:35705]
There is a meaning common to all routing protocols, and an additional special meaning in BGP. A peer is a router with which you have a direct IP connection. In other words, two BGP routers are peers as long as the BGP connection is between the loopbacks on both routers; there can be intervening IGP routers. Peer implies neighbor, but, in some protocols, has the additional nuance that you exchange routing information with it as well as forward through it. As a rule of thumb, you should not have more than 20-30 iBGP or eBGP peers on a BGP router, unless you know exactly what you are doing and can do the appropriate capacity planning. This is a reasonable rule for IGP routers as well, with the caveat that you can have more static peers than that. The total number of peers is limited by the number of Interface Descriptor Blocks that are available. IDBs are the sum of all logical and physical interfaces, including subinterfaces. For a long time, it was 300, but newer releases allow more. The 50 router limit per OSPF area is conservative, but it doesn't refer to peers, but the total number of OSPF routers in the area. The reason for this is the workload for computing the Dijkstra, in a single area, is proportional to: ((numberOfPrefixes * numberOfPrefixes) * log(numberOfRouters)) So the more total routers (i.e., Type 1 LSAs), the more the CPU load goes up. Still, an experienced designer may be able to get hundreds of routers working in an area, although they may need fast CPUs. I wouldn't want to have more than a maximum of 47 OSPF routers on the same segment, since that's the maximum you can fit into a single Hello packet. Someone mentioned limits of peers per AS. Certainly, if that's in the BGP sense, large providers routinely have thousands, perhaps tens of thousands, of routers. They certainly use hierarchy and don't put excessive peers on any given box. -- What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me*** Howard C. Berkowitz [EMAIL PROTECTED] Chief Technology Officer, GettLab/Gett Communications Technical Director, CertificationZone.com retired Certified Cisco Systems Instructor (CID) #93005 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35817t=35705
Re: Network jobs in Dallas, TX? [7:35608]
I was an Ericsson casualty. They recently cut 400 R&D people. They also just gave notice to more network engineers. Nortel has several large buildings that are empty as does Ericsson. I don't know about Alcatel, but they are big here. Even Cisco cut people here. It's not a good place to be. Ken nrf 02/18/02 06:06PM While I don't live in Texas, I would imagine that there would indeed be lots of unemployed network guys hanging around Dallas, due to the proximity of Telecom Alley, and the implosion of the telecom industry. AMR wrote in message news:[EMAIL PROTECTED]... Get in line. There's hundreds in line in front of you with similar skills. ME wrote in message news:[EMAIL PROTECTED]... I'm new to the Dallas area and recently laid-off. I was wondering if folks here knew of anyone looking for somebody with 10 years network exp. and a CCIE in the Dallas area? If so please reply. Thanks, Mark Egan, CCIE #8775 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35818t=35608
Re: what is wrong with the job market ? [7:35611]
Steven A. Ridder wrote in message news:[EMAIL PROTECTED]... That article talked about 1 problem, the problem almost every company had - grabbing too much land and equipment with no customers or sustainable revenue. But that's also the problem every dot-bomb had. Thankfully the bubble burst, the madness ended and took out the garbage. No company would stay in business that way. This doesn't mean that their services weren't wanted. Most every home who has a dial-up, most businesses that don't have DSL in their area are still waiting for the right company/technology to come by and at the right price. I'm afraid I have to disagree. The simple fact is that in many cases, the services were in fact not wanted, at least at the price points they were offered at, but then of course if they were offered at lower price points, there would have been even less profit than there already was. And the fact is, despite all the hype from New Economy providers, there is not a huge outcry of demand for high-speed access. There is some demand, but nowhere near the demand that a lot of people thought there would be. I used to believe otherwise. Because I'm always doing stuff on the Net, and therefore I rely on my broadband, I assumed that there must have been ravenous demand for broadband connections. I assumed that everybody was like me. Wrongo. The fact is that there is only a small subset of the population that is tech and computer savvy and can honestly feel the difference between a broadband link and standard dialup, certainly enough that they would feel the need to pay extra for broadband. The numbers bear this out. In the past, broadband was not widely available, but now this is not so. It is estimated that well over 70% of households within the US have access to some kind of broadband (cable/DSL/satellite/fixed wireless). (70% of all U.S.
households have access to high-speed cable, and I'm not even talking about the other kinds of broadband - http://www.ntia.doc.gov/ntiahome/broadband/comments2/Napster.htm, ) Yet a sobering fact is that even where broadband is available, consumer demand has been low: ...even where there is deployment of broadband infrastructure, there has been low consumer uptake...Groups such as the Consumer Energy Council of America and the National Cable Television Association have also noted the slow uptake of consumer use of DSL and cable modems even where currently deployed. http://www.digitaldividenetwork.org/content/stories/index.cfm?key=10 Perhaps the most sobering is the Hart/Winston study that states: ' The bottom line is that among people who are most likely to subscribe to high-speed Internet access, the obstacles are price and lack of appeal, said Hart, CEO of Hart Research. Forty-eight percent have no interest regardless of price and another 21 percent are willing to pay at most $20 per month. If you cannot win over the people who are currently using the Internet, consumer acceptance of high-speed access will be slow and limited... ' http://www.comptel.org/press/nov29_2001_voices.html If you still need convincing, then flip things around. If there really is this huge groundswell of demand for broadband access, then ...why have only 10 percent of those with access to broadband purchased it? (http://www.theneteconomy.com/article/0,3658,s=916a=19232,00.asp). In the United States, basic phone uptake rates are at 99% or so, basic cable TV is about 70% uptake, digital cable TV is about 25% uptake, and cellphone uptake is at least 25% (uptake defined to be those people who can get it who choose to get it). So why is broadband uptake so low? You would think that if people were beating down the doors for broadband, that uptake would be much much higher than it is. Or, as Stephen Ricchetti said it best: Overwhelmingly, people think it's a bad deal at current costs, Ricchetti said.
What we are looking at is a demand issue, not a supply issue http://www.theneteconomy.com/article/0,3658,s=916a=19232,00.asp The simple fact is, the demand is not really there. The vast majority of people (generally high-income, tech-savvy people) who want high-speed access already have it. The majority of the population is not like this, and for whatever reason do not see a whole lot of value in high-speed. Is this a price thing - is it just too expensive? Maybe (but according to Hart/Winston, when 48% of people currently without broadband express no interest in it, and another 21% will not pay more than what they pay for dialup, maybe price is not the issue - http://www.comptel.org/press/nov29_2001_voices.html). Or is it a problem with perception and marketing? Or both? Who knows? Another depressing snippet from Hart/Winston: ...Other data show that while the majority believed some form of Internet access should be available in all parts of the country, relatively few users (30 percent) place a high priority on ensuring that all Americans have
Re: access-group ## in or out? [7:35578]
Also keep in mind that inbound access lists will hammer your routing (distance vector) protocols whereas outbound will not. Also learned that the hard way ;)

Dave

Hire, Ejay wrote:

I just posted this in the associate group, but I'll cross-post it here. The context was that the chap wanted to block SMTP traffic from a specific external subnet.

Visualize it. Let's assume your connection to the internet looks like this.

Mailserver --- Ethernet0 (Router) Serial0 --- ISP --- Badpeople

The source of the traffic you want to block is badpeople. Pretend you are the router. You want to block traffic from badpeople (SOURCE) that is going to your mailserver (Destination) and you want to block it as it travels IN (Inbound) from your ISP (Serial 0).

- access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
- access-list 101 permit ip any any
- interface serial 0
- ip access-group 101 in

Alternately, you could let the traffic cross you (the router) and block it as it travels OUT (outbound) of the Ethernet port (E0) towards the mail server. It would be a waste of router resources to let it cross the router before being dropped, but if this was a very busy router with many ports and a dedicated port to the mail server then it might be an option.

- access-list 101 deny tcp xx.xx.xx.0 0.0.0.255 host 123.123.123.123 eq 25
- access-list 101 permit ip any any
- interface Ethernet 0
- ip access-group 101 out

Additionally, traffic travels in both directions. I can't think of a reason why you'd want to, but you could block traffic as it leaves the mail server (source) headed back to badpeople (destination). This traffic would travel In the ethernet port (ethernet 0 access-group xxx in) and Out the serial port (serial 0 access-group xxx out). You don't block traffic this way (if possible) because you don't know what port the outbound TCP connection will be on.

-Ejay

I'm a CCNA and CCNP and I'm looking for full-time or contract work, please contact me off-list if you have any openings or suggestions.
-Original Message-
From: none ya [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 15, 2002 9:03 PM
To: [EMAIL PROTECTED]
Subject: access-group ## in or out? [7:35578]

Would someone please give me a simple explanation/example that will clarify when to use in or out when you apply an ACL to a router interface? Thanks!

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35794t=35578
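The in-versus-out distinction Ejay walks through above, plus Dave's warning that an inbound list also filters routing-protocol traffic, as an added example that is not from the thread: a small Python model of an IOS extended access list with wildcard masks, bound `in` on Serial0 or `out` on Ethernet0. The badpeople subnet and mail server address are constructed placeholders from the RFC 5737 documentation ranges, and a RIPv2 update on UDP 520 stands in for the distance-vector traffic.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so 'any' is 0.0.0.0 255.255.255.255."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(rules, pkt: Packet) -> bool:
    """First matching entry wins; every IOS access list ends with an implicit deny."""
    for action, proto, src, swc, dst, dwc, dport in rules:
        if (proto in ("ip", pkt.proto) and wildcard_match(pkt.src, src, swc)
                and wildcard_match(pkt.dst, dst, dwc) and dport in (None, pkt.dport)):
            return action == "permit"
    return False

def forward(bindings, pkt: Packet, in_if: str, out_if=None):
    """bindings maps (interface, 'in' | 'out') -> rule list. The inbound ACL runs before the
    routing lookup, the outbound one after it; out_if=None means the packet is addressed to
    the router itself (e.g. a routing update), so no outbound ACL applies."""
    acl = bindings.get((in_if, "in"))
    if acl is not None and not acl_permits(acl, pkt):
        return False, f"{in_if} in"
    acl = bindings.get((out_if, "out"))
    if acl is not None and not acl_permits(acl, pkt):
        return False, f"{out_if} out"
    return True, None

# Constructed addresses (RFC 5737 ranges) stand in for xx.xx.xx.0 and 123.123.123.123.
ANY = ("0.0.0.0", "255.255.255.255")
BADPEOPLE, MAILSERVER = ("203.0.113.0", "0.0.0.255"), ("192.0.2.25", "0.0.0.0")
# access-list 101 deny tcp 203.0.113.0 0.0.0.255 host 192.0.2.25 eq 25 / permit ip any any
ACL_101 = [("deny", "tcp", *BADPEOPLE, *MAILSERVER, 25), ("permit", "ip", *ANY, *ANY, None)]
SMTP_FROM_BAD = Packet("203.0.113.7", "192.0.2.25", "tcp", 25)
HTTP_FROM_BAD = Packet("203.0.113.7", "192.0.2.25", "tcp", 80)
RIP_UPDATE = Packet("198.51.100.1", "224.0.0.9", "udp", 520)  # RIPv2 update from the ISP side

def demo():
    inbound = {("Serial0", "in"): ACL_101}        # ip access-group 101 in  on Serial0
    outbound = {("Ethernet0", "out"): ACL_101}    # ip access-group 101 out on Ethernet0
    deny_only = {("Serial0", "in"): ACL_101[:1]}  # same, but 'permit ip any any' forgotten
    return {
        "smtp_in": forward(inbound, SMTP_FROM_BAD, "Serial0", "Ethernet0"),
        "smtp_out": forward(outbound, SMTP_FROM_BAD, "Serial0", "Ethernet0"),
        "http_in": forward(inbound, HTTP_FROM_BAD, "Serial0", "Ethernet0"),
        "rip_with_permit": forward(inbound, RIP_UPDATE, "Serial0"),
        "rip_deny_only": forward(deny_only, RIP_UPDATE, "Serial0"),
    }
```

The SMTP packet is dropped either way, but only the inbound binding drops it before the routing lookup, and the deny-only list shows how an inbound ACL that lacks the final permit silently eats the neighbour's routing updates.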