PRI ISDN Callback, 3640, Mica Problem [7:36185]

2002-02-22 Thread Devashish Chanda

Dear all,

   We have a 3640 and want to terminate both analog and ISDN calls over the
PRI on the 3640. The 3640 should callback over the PRI to both analog and
ISDN users. All of the 30 available B channels should be dedicated to this
purpose.
   
We are using IOS 12.0.4(T), Mica-6DM Firmware CP ver 2310, E1/PRI ISDN
ctrl, client modems USRobotics, Multitech, Boca, D-Link etc.
   
We have the following problems:

1. A high rate of unsuccessful incoming calls (~50%) with the modems idle
and a busy signal or no answer at all (debug on Cisco shows a generic ISDN
disconnect error)
2. During the callback the modems do not handshake properly.
3. Connection is being established only at very low speed 9.6 kbps and below.
 
- the ISDN line is clean, show cont, show int ser 1/0:15 show no
errors at all. We use the framing no-crc4 command on the controller,
otherwise it goes down with alarm detected.

 
   Kindly send the solution/configuration for the above. Thanks in advance.

Devashish Chanda
India




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36185t=36185
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PRI ISDN Callback, 3640, Mica Problem [7:36185]

2002-02-22 Thread Georg Pauwen

Hello Devashish,

hard to tell what the cause of this behaviour is. Can you post the config of
the 3640 as well as the output of the 'debug isdn q931' command ? There is a
good document on the Cisco site with regard to Dial Technology Connectivity,
that might help you as well:

http://www.cisco.com/warp/customer/471/callin_calls.html#third

Regards,

Georg


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36188t=36185



Re: Cat 5k system ram flash [7:36170]

2002-02-22 Thread Georg Pauwen

Hi Colin,

depends on your software release. Go to the following link:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/c5krn/sw_rns/index.htm

and check the respective 'Release x.x Memory Requirements'.

Regards,

Georg


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36189t=36170



Nortel NNCA certification [7:36190]

2002-02-22 Thread James Barber

Hi, firstly my apologies for posting this in a Cisco group.

However, there are (still) other networking vendors, and I'd like to
get the group's opinion on the Nortel NNCA certification.

James




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36190t=36190



BGP Redistro/Backdoor bug? Any ideas... [7:36191]

2002-02-22 Thread Timothy Ouellette

Team,


Was working on BGP backdoor on routerb.  Routera is advertising the
3.3.3.0/24 via eigrp 23 to routerb (the _ representing Ethernet).
Routera is also advertising that same prefix via ebgp to routerb (the
=== marks represent the serial link).  No biggie, so I threw the
network 3.3.3.0 mask 255.255.255.0 backdoor command on routerb and
Voila,  routerb decided to use the route learned via eigrp (ad=90)
rather than the route learned via ebgp (ad=20).



                ___Eigrp 23___
                |            |
3.3.3.0/24---routera======routerb
                    (ebgp)



I then decided I was going to play around with redistribution.  So I
made routera stop advertising that 3.3.3.0/24 prefix to routerb via
ebgp.  No problem, routerb still knew about 3.3.3.0/24 via its
Ethernet.  I went into the bgp 2 process on routerb and did a
redistribute eigrp 23.  After about 90 seconds, I didn't see the
3.3.3.0/24 route in routerb's bgp table. I thought "what the" and looked
for any typos (considering I've been studying for 11 hours so far) but
didn't see any. I did however see that I forgot to take out the
backdoor statement from the previous exercise. I took that out and
about 15 seconds later I got this message (after turning on debugging of
course)

BGP(0): nettable_walker 3.3.3.0/24 route sourced locally

So I took a look in the bgp table and saw

r2#sh ip bgp
BGP table version is 16, local router ID is 22.22.4.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 3.3.3.0/24       25.25.25.3          409600         32768 ?

My question is,  is this a bug that if you have that backdoor in there,
BGP will not redistribute? The only thing I changed in my config was
that line and then it worked.

While I study, I'm compiling a list of gotchas I need to remember for
BGP.  Anyone else done this, maybe we can compare notes?

Thanks team!

Tim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36191t=36191



...ISP management application !!!!!!!! [7:36192]

2002-02-22 Thread [EMAIL PROTECTED]

Hallo,

Question especially for ISPs:

I am interested in an application with which I can manage 
the ISP customers, network devices, IP address space, and 
implement service level groups.

Exp:
1. for a site (device): location info, interfaces info 
(like addresses), other info
2. for a customer: details(location,contacts), interfaces 
info (IP), other info
3. service level groups: group customers based on different 
criteria (like VPN between them)
4. management of IP address space: group IP classes  based 
on location criteria (like in a tree).

Something to look like EasyIP.

Also multiuser, and with a nonproprietary database behind
(so to integrate it with other applications).

Maybe it's a utopia-application.

Does anyone have any idea?

Any help very appreciated

Chris,
mcse, ccna
bla bla 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36192t=36192



RE: Access list question [7:36166]

2002-02-22 Thread Georg Pauwen

Hello Amit,

Ranma is right, you could use policy routing. Let's say you want to have all
traffic from xxx.xxx.xxx.240/28 routed through interface serial1. The config
would look like this:

route-map MAP1 permit 10
 match ip address 1
 set interface serial1
!
! standard ACLs take a wildcard (inverse) mask, so a /28 is 0.0.0.15
access-list 1 permit xxx.xxx.xxx.240 0.0.0.15
!
interface serial1
 ip policy route-map MAP1

Actually, thinking about it, wouldn't it be easier to just add a static
route:

ip route xxx.xxx.xxx.240 255.255.255.240 serial1

Regards,

Georg



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36193t=36166



OSPF Virtual Link Authentication problem [7:36194]

2002-02-22 Thread IT Guy

Hi Guys,

Please help me to solve the issues.
Do we have to configure the virtual link for authentication as well if our
Area0 is configured for authentication also?

2nd. We have two areas, A0 and A10, configured with different password keys
and authentication schemes, and a virtual link is set up b/w these two area
routers. So which password scheme and key should we follow for virtual
links? A0 or A10?

Thanks for your help in advance.

TOM





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36194t=36194



RE: Console speed [7:36155]

2002-02-22 Thread Georg Pauwen

Hi,

I am not sure if this works, but what happens if you just try

rommon  xmodem -y -s57600

to set the speed to 57600 ?

Regards,

Georg


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36195t=36155



Re: Re: China/Cisco connection [7:35946]

2002-02-22 Thread Steven A. Ridder

You are correct.  It's called Echelon.  There are some satellite stations in
England and Australia and I'm sure others as well.  It's run by the NSA.

 wrote in message news:[EMAIL PROTECTED]...
 It is also rumored that every cross-country electronic conversation anyone
 makes is being recorded in a condensed form somewhere in the US.
 Conversations like telephone calls, fax, emails, etc. are being recorded and
 'diagnosed' for some specific information, and could be reproduced and
 expanded where necessary.

 With my knowledge of how intrusion detection works in the switch blade
 (IDSM), where the blade sits as a line card in the backplane of the Catalyst
 6000 switch, it does not interfere with the traffic going through the switch
 backplane but this traffic is copied to its buffer for examination, it
 triggers an alarm and sends a detailed message to the director interface when
 it discovers a comparison between at least one of its stored signatures and
 the packet being examined, I kind of believe that sniffing the whole internet
 is VERY possible and it cannot be just rumors.

 Again, how secure is the internet??? To me it is just a round-robin stuff.
 Someone implemented all the encryption technology we have seen so far and
 the keys to decrypt them are not hidden far away in heaven, they are still
 with us humans.

 My 0.2 cent
 Regards.
 Oletu
 Oletu
 - Original Message -
 From: Steven A. Ridder
 To:
 Sent: Thursday, February 21, 2002 4:48 PM
 Subject: Re: Re: China/Cisco connection [7:35946]


  It's a rumor.
   wrote in message news:[EMAIL PROTECTED]...
   I only agree partially. On the other hand, US government put censorship on
   the whole Internet, if anyone could remember what happened during US bombing
   of the Serbs. The news said that a virus sent NATO secrets to an ICQ site,
   which was quickly deleted by an USA robot, and the robot notified government
   agencies of the discovery and the results. The same news claimed that the
   whole Internet is being checked every 10 minutes by various government
   programs. From TV, FRI (or CIA) experts publicly demonstrated how they could
   trace a message from one end of the world to another end of the world. There
   was another news said that US government put on filters on Internet to
   search keywords, such as weapon.

   Since I am too old to be naive, I wonder what else would be on the filter
   list, or inside the robot programs.

   Let's hope whoever has the power to control information on Internet only
   does it for legitimate purpose. But, I know that I asked for too much.

   Tony

   Dominick Marino  wrote:

   I agree with Joseph Brunner.

   To compare the two is absurd!   The Chinese will use the technology to
   suppress the truth from becoming known to the people ( peasants to the
   elite).  It is also a good way to find the subversives and eliminate them.

   As for the US government monitoring the traffic, I doubt that they plan on
   killing anyone for their selection of web sites.

   Unless they are terrorists, then, if they want, I will supply the bullets
   myself.
   
  
  
  
   Dom Marino

   B.J. Wilson  wrote in message news:[EMAIL PROTECTED]...
    An interesting article I came across this morning:

    http://www.weeklystandard.com/Content/Public/Articles/000/000/000/922dgmtd.asp

    Comments?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36196t=35946



VPN Services in PPTP .... [7:36197]

2002-02-22 Thread Mahesh

Hi,

Can someone give me advice on how we can configure PPTP on a Cisco
router so that my centers can access my network? We are using win2000 at
the client place and we are trying to have a VPN solution for the users, so
that we can have a secure network.

Thanks and Regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36197t=36197



Re: 640-900 BSCI or 640-503 Routing [7:36158]

2002-02-22 Thread Godswill Oletu

- Original Message -
From: Mohammed Fahim 
To: 
Sent: Friday, February 22, 2002 12:15 AM
Subject: Re: 640-900 BSCI or 640-503 Routing [7:36158]


 Hi Oletu
 It's not CISSP, it's the CCIP exam. If you are not sure of CISSP, here it is:
 it's an exam for security professionals who have 3 yrs of real time security
 experience and is administered by the International Information Systems
 Security Certification Consortium or (ISC)2. You can visit www.cissp.com for
 further details.
 Hope you understand.

 regards
 Fahim
 Cisco Security Specialist

  wrote in message
 news:...
  If you are considering taking the CISSP exam at a later date, it would be
  better you take the BSCI exam. It was added when Cisco added the new set of
  CQS exams. The BSCI is more wide and extensive than the 640-503 exam.

  However, if you do not want to cover the additional materials, then go for
  the 640-503, but when you want to write the CISSP exam tomorrow, you must
  write the BSCI (640-900) exam despite the fact that you have taken the
  640-503 exam before. Writing the 640-900 exam fulfils two exam
  requirements (CCNP track) and CISSP track but the 640-504 only counts towards
  your CCNP.

  Think of the time you would have saved, the additional knowledge, the $125,
  etc. when you take the 640-900 instead of the 640-504 exam.

  http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-900.html
 
  Enjoy.
 
  Regards.
  Oletu
  - Original Message -
  From: Colin
  To:
  Sent: Thursday, February 21, 2002 6:28 PM
  Subject: 640-900 BSCI or 640-503 Routing [7:36158]
 
 
   Hi
  
   I was looking at the CCNP Exam page on Cisco's web page and for the
   Routing exam, they had two tests listed.  They are 640-503 Routing and
   640-900 BSCI.  Why would one choose to take one exam over the other?
   When was the 640-900 BSCI test added?
  
   Thanks
  
   Colin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36198t=36158



Re: VPN Services in PPTP .... [7:36197]

2002-02-22 Thread Ocsic

Search Virtual Private Dial Up network config.. (VPDN)


Mahesh wrote:
 Hi,

 Can someone give me advice on how we can configure PPTP on a Cisco
 router so that my centers can access my network? We are using win2000 at
 the client place and we are trying to have a VPN solution for the users, so
 that we can have a secure network.

 Thanks and Regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36199t=36197



Re: PIX v6.2 [7:35987]

2002-02-22 Thread Engelhard M. Labiro

I heard from another mailing list that 6.2 will be released
around April 2002.
It seems that the Cisco PIX team would not leak the 6.2 beta for public
consumption, CMIIW.

 Hummm, I too scanned the Cisco site for 6.2 and only found 6.1.2. I'd heard
 from the rumor-mill that 6.2 was out, but perhaps that's incorrect.

 As I'm about ready to upgrade the failover 515UR, it'd be nice if I only had
 to do this once -- this year.

 Any speculation on that 6.2 release date?

 Best, G.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 21, 2002 11:08 AM
  To: [EMAIL PROTECTED]
  Subject: RE: PIX v6.2 [7:35987]
 
 
  Where did you guys find the new 6.2 versions?  I looked at Cisco's site,
  no luck.

  Thanks
  nabil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36200t=35987



RE: OSPF Virtual Link Authentication problem [7:36194]

2002-02-22 Thread Mensah, James

A0---purpose of virtual link is to enable access to Area 0, for more on this
check. 
http://www.cisco.com/warp/public/104/27.html

James

-Original Message-
From: IT Guy [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 5:03 AM
To: [EMAIL PROTECTED]
Subject: OSPF Virtual Link Authentication problem [7:36194]


Hi Guys,

Please help me to solve the issues.
Do we have to configure the virtual link for authentication as well if our
Area0 is configured for authentication also?

2nd. We have two areas, A0 and A10, configured with different password keys
and authentication schemes, and a virtual link is set up b/w these two area
routers. So which password scheme and key should we follow for virtual
links? A0 or A10?

Thanks for your help in advance.

TOM





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36201t=36194



Re: Nortel NNCA certification [7:36190]

2002-02-22 Thread Ocsic

any NORTEL NEWSGROUP?

James Barber wrote:
 Hi, firstly my apologies for posting this in a Cisco group.

 However, there are (still) other networking vendors, and I'd like to
 get the group's opinion on the Nortel NNCA certification.

 James




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36202t=36190



CISCO equipment for rent in UAE [7:36205]

2002-02-22 Thread rent router

I have lot of equipment for CCNA, CCNP, CCIE Security and Routing /Switching
for rent in UAE only .

Kindly revert back for booking

Thanks
[EMAIL PROTECTED]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36205t=36205



RE: Access list question [7:36124]

2002-02-22 Thread Evans, TJ

Footnote - I believe this would also permit 'crafted' packets with the ack
bit set ... which is why a good firewall is better.


Thanks!
TJ



-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 21, 2002 8:25 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list question [7:36124]

That's a good conceptual explanation. I would add that technically, it 
allows TCP packets that have the ACK bit set. In other words, it allows 
packets that are acknowledging another packet. That means it would not 
allow an incoming SYN used to set up a session, but it would allow a reply 
to a SYN that already happened.

Priscilla

At 06:26 PM 2/21/02, David Jones wrote:
Justin,

This is typically used in an Internet/NAT situation where you are allowing
something from the Internet to come back in, only if it's a reply to a
request that originated from inside your network.  For instance, with a
router connected to the Internet, you typically want an access-list applied
to your Internet-facing port that denies incoming traffic, as you don't want
them trying to walk all over your router or network.  However, this same
access list will drop valid replies to requests from clients inside your
network, i.e. http replies, etc.

With the 'established' option, you can tell the router with access lists
drop everything inbound from the Internet, except replies to requests made
from inside my network.

Typically, people do this because they don't want to pay for a firewall, but
this isn't the best thing to do.  If you need to set this up for someone for
Internet access, you need to dig a little deeper into it because if my
memory serves me right, this command may or may not work with UDP traffic
and only TCP traffic.  I'm not sure and might be totally wrong, so you need
to check.

Hope this helps,

Dave


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36206t=36124
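
Added example (not part of any post in this thread): a small Python model of the point Priscilla and TJ make above. The 'established' keyword is modelled as a check on the ACK or RST flag only, next to a minimal connection tracker; the addresses, ports and the names Segment, ConnTracker, audit and unsolicited are constructed for the illustration.

```python
"""Stateless 'established' matching vs. connection tracking (added illustration)."""
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established_permits(seg: Segment) -> bool:
    """Model of the ACL keyword: it inspects flags only (ACK or RST set)."""
    return bool(seg.flags & (ACK | RST))


class ConnTracker:
    """Minimal stateful filter: remembers flows opened from the inside."""

    def __init__(self) -> None:
        self._flows = set()

    def outbound(self, seg: Segment) -> None:
        # A bare SYN leaving the inside network opens a flow.
        if seg.flags & SYN and not seg.flags & ACK:
            self._flows.add((seg.src, seg.sport, seg.dst, seg.dport))

    def inbound_permits(self, seg: Segment) -> bool:
        # Inbound traffic must be the mirror image of a recorded flow.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self._flows


def audit(trace):
    """Walk an ordered trace; return {label: (stateless, stateful)} for inbound."""
    tracker = ConnTracker()
    verdicts = {}
    for direction, label, seg in trace:
        if direction == "out":
            tracker.outbound(seg)
        else:
            verdicts[label] = (established_permits(seg),
                               tracker.inbound_permits(seg))
    return verdicts


def unsolicited(trace):
    """Labels of inbound segments the flag check passes with no inside request."""
    return [label for label, (stateless, stateful) in audit(trace).items()
            if stateless and not stateful]


# Constructed sample trace (documentation addresses, not taken from the thread).
SAMPLE_TRACE = [
    ("out", "client-syn",
     Segment("10.1.1.5", 34567, "198.51.100.10", 80, SYN)),
    ("in", "server-synack",
     Segment("198.51.100.10", 80, "10.1.1.5", 34567, SYN | ACK)),
    ("in", "new-syn",
     Segment("203.0.113.7", 40000, "10.1.1.5", 23, SYN)),
    ("in", "bare-ack",
     Segment("203.0.113.7", 40001, "10.1.1.5", 23, ACK)),
]

if __name__ == "__main__":
    for label, (stateless, stateful) in audit(SAMPLE_TRACE).items():
        print(f"{label:14} established={stateless!s:5} tracked={stateful}")
    print("flag for review:", unsolicited(SAMPLE_TRACE))
```

The bare-ack segment is the case TJ's footnote describes: it passes the flag check but matches no flow opened from inside, which is the test a stateful firewall or a reflexive ACL applies.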



Re: Nortel NNCA certification [7:36190]

2002-02-22 Thread Tshon

The answer,

First I'd like you to know that I am a Cisco Certified Systems Instructor,
and also that I am a Nortel Networks Certified Instructor.  But any one of
the certifications will give you the knowledge you need to attain the other.
When it comes down to it, the standards are the standards.  Each vendor
implements the standards; from there they then implement proprietary
technologies.  What you have to learn for both companies is how to interface
with their equipment (command line or GUI), then understand the proprietary
and cross-platform standards. Sorry that I have to inform you of this first,
but most people in the industry have a higher regard for the Cisco certs than
any other networking vendor.  That is usually because of limited
implementation of the other products.

You should first get the cert you need for your current employment situation.
Then you should pursue your personal financial goals.  After that you can
attain the other certs fairly easily.  I am not aware of any study groups
but good luck!

Tshon

Ocsic wrote:

any NORTEL NEWSGROUP?

James Barber wrote:
Hi, firstly my apologies for posting this in a Cisco group.

However, there are (still) other networking vendors, and I'd like to
get the group's opinion on the Nortel NNCA certification.

James




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36207t=36190



Re: Nortel NNCA certification [7:36190]

2002-02-22 Thread Shahid Muhammad Shafi

Hi James,

Trust me, it won't get you anywhere. Try Juniper instead.

Shahid
NNCA


--- James Barber  wrote:
 Hi, firstly my apologies for posting this in a Cisco group.

 However, there are (still) other networking vendors, and I'd like to
 get the group's opinion on the Nortel NNCA certification.

 James



=
Shahid Muhammad Shafi

Every man dies; not every man really lives

Please help feed hungry people worldwide http://www.hungersite.com/
A small thing each of us can do to help others less fortunate than ourselves





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36208t=36190



Re: OSPF Virtual Link Authentication problem [7:36194]

2002-02-22 Thread Chuck

which area is a virtual link in?


IT Guy  wrote in message news:[EMAIL PROTECTED]...
 Hi Guys,

 Please help me to solve the issues.
 Do we have to configure the virtual link for authentication as well if our
 Area0 is configured for authentication also?

 2nd. We have two areas, A0 and A10, configured with different password keys
 and authentication schemes, and a virtual link is set up b/w these two area
 routers. So which password scheme and key should we follow for virtual
 links? A0 or A10?

 Thanks for your help in advance.

 TOM





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36209t=36194



RE: 640-900 BSCI or 640-503 Routing [7:36158]

2002-02-22 Thread Brian Zeitz

I failed the 503 one time already. But now I think I overstudied (if
there is such a thing). Now I am sitting not sure what to do, either
Cisco 640-503, or the new Beta Routing exam, or the 640-900. Arg! They
should have just added IS-IS in the 503 exam. Why is Cisco going nuts on
the CCNP routing exam? Just make one exam already! I think if I take the
beta, I'll save 75$, but I think you don't get results right away, and
get a pool of like 300 questions. I think the 640-503 is stressful
enough. I probably will be stupid and send Cisco 250$ cause I'll end up
taking the BCSN and the BSCI exam. Cisco, how about charging like 25$ for
those who have already passed BCSN? They need to get their stuff together on
this one.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36210t=36158



RE: PIX information [7:35294]

2002-02-22 Thread Patrick Ramsey

wr st will do this for you... write standby

-Patrick

 Mears, Rob  02/21/02 05:24PM 
Any changes you make to the Pri PIX will be written to the SEC, no need to
day anything.  Good Idea to move the sec and do a Wr M


Rob

-Original Message-
From: Evans, TJ [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 13, 2002 12:53 PM
To: [EMAIL PROTECTED] 
Subject: RE: PIX information [7:35294]

I believe it sync's them auto-magically, or perhaps on a timed basis.
Regardless ... I always do a wr standby ... just to be sure.


Thanks!
TJ

 -Original Message-
From:   Hartnell, George [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, February 13, 2002 12:46 PM
To: [EMAIL PROTECTED] 
Subject:RE: PIX information [7:35294]

AND, am I to understand correctly, as the manual is quite vague, that an
upgrade of the primary failover unit also updates the secondary?  Or, must
the hapless administrator do each individually?

Best, G.

 -Original Message-
 From: Jose Celestino [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, February 13, 2002 7:12 AM
 To: [EMAIL PROTECTED] 
 Subject: Re: PIX information [7:35294]
 
 
 PIX-FW1# copy ?
 usage: copy tftp[:[[//location][/pathname]]] flash
 
 For instance:
 
 copy tftp://192.168.2.2/configs/pix.cfg flash
 
 
 Thus spake BASSOLE Rock, on Wed, Feb 13, 2002 at 09:06:59AM -0500:
  Hello group,

  What command can I use to copy a configuration from a tftp server to a PIX
  Firewall? I have looked on the Cisco web site for the command but couldn't
  find it. Can somebody help?

  Thank you.

  Rock
 -- 
 Jose Celestino 
 -
 Little prigs and three-quarter madmen may have the conceit 
 that the laws of
 nature are constantly broken for their sakes.
 -- Friedrich Nietzsche







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36211t=35294



Re: New config maker [7:35386]

2002-02-22 Thread Anil Aravind

I have downloaded it without much problems. If you try a segmented download
it may create problems.

Anil Aravind

William Pearch  wrote in message news:[EMAIL PROTECTED]...
 Has anyone had difficulty with the new Config Maker (v2.6)?  I tried
 downloading it tonight and the executable reports as being corrupted.
 Is it me?  Do they hate me?  :)

 TTFN,
 Bill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36212t=35386



Re: VPN Services in PPTP .... [7:36197]

2002-02-22 Thread Rafay Aslam

CCO web site has very good information on setting up a VPN connection (PPTP,
IPSEC), and also you need to configure a RADIUS server or TACACS server if you
don't wanna do the local authentication on the router.

Mahesh  wrote in message news:[EMAIL PROTECTED]...
 Hi,

 Can someone give me advice on how we can configure PPTP on a Cisco
 router so that my centers can access my network? We are using win2000 at
 the client place and we are trying to have a VPN solution for the users, so
 that we can have a secure network.

 Thanks and Regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36221t=36197



Wireless MAN coverage [7:36223]

2002-02-22 Thread Sites, Bob

Has anyone setup or can you point me to a wireless solution for an entire
metro area? I have a hospital that we would like to link 10+ offices within
a 15 mile radius.  I've had good success with the Aironet 340 series, but at
this point we need something more geared towards a wide coverage area,
rather than point to point. Any ideas would be appreciated.   

Bob Sites
System Engineer
Valley Health System (IS)
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36223t=36223



RE: Remote Access simple question [7:36213]

2002-02-22 Thread Mark Odette II

If I recall correctly, you are right, the answer would be S 3/1.  Perhaps
it's just a Type-O... It's not like that doesn't ever happen ;-)

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, February 22, 2002 9:34 AM
To: [EMAIL PROTECTED]
Subject: Remote Access simple question [7:36213]


Q) Which interface is line 97 on a 3640?
A)Answer is S 2/1.

The answer seems wrong to me. On a 3640, this is how lines are numbered:



slot 0    lines 1-32
slot 1    33-64
slot 2    65-96
slot 3    97-128

So, the interface would be S 3/1 rather.
This question appears on Chapter4/Q6 in the QA section of cisco press
remote access cert.guide
Thank You




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36225t=36213



Re: What after CCNA?? [7:36215]

2002-02-22 Thread Godswill Oletu

With your CCNA, you are qualified to take the CSS1 (Cisco Security Specialist 1)
exam; it is a four-module exam, viz. PIX, VPN, MCNS and CSIDS exams for this
Specialist path. If you want to continue in the Cisco career path, CCNP would
be a better choice than CCDA. It all depends on whether you prefer the design or
support aspect of Cisco networking.

Enjoy
Oletu

- Original Message -
From: Gandre Amit 
To: 
Sent: Friday, February 22, 2002 7:46 AM
Subject: What after CCNA?? [7:36215]


 Hi
   I got through my CCNA yesterday and I am looking forward to taking other
 certifications.

   I had the CCDA and CCNP in mind. I am not sure though which one to take.
 Also, if there is a Cisco certification that deals with Security, I would
 like to do that.

   Another factor is that, I do not have the money to pay for any courses
 and so this is going to be self study. Would anyone recommend doing CCNP or
 any higher security certification without a course or access to a lab..

BTW has anyone taken the SSCP and if so what books did u use..
 Please advise.
 Amit




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36224t=36215



Re: Reposting again: NAS and NACServer [7:36218]

2002-02-22 Thread Godswill Oletu

It means your Network Access Server, like an AS5300, must have IOS v11.1 to be
able to support the TACACS+ protocol on your CiscoSecure Access Control
Server v2.3 installed on your Solaris V2.51 or V2.6, V7, V8 or IOS v11.2 to
support RADIUS protocol.

The requirement refers to both the Network Access Server (Cisco Box) and the
Cisco Secure Access control server (Solaris).

Enjoy
Oletu

- Original Message -
From: John Green 
To: 
Sent: Friday, February 22, 2002 8:07 AM
Subject: Reposting again: NAS and NACServer [7:36218]


 i am reposting this again. if someone could help me
 with this

 --
  Network Access Server and Network Access Control
  Server are two different boxes ?

  eg CiscoSecure Access Control Server (unix) is a
  software that is installed on Solaris box, to which
  a
  Network Access Server like a AS5300 can connect to
  or
  vice-versa for user authentication and authorization
  purposes ?

  but if you would refer to the software
  specifications
  as mentioned in

 http://www.cisco.com/univercd/cc/td/doc/pcat/sqasux.htm1
  it refers to IOS as well.

  Software specifications for CiscoSecure Access
  Control
  Server v2.3 for UNIX (Solaris).

  Solaris V2.51 or V2.6, V7, V8
  IOS v11.1 (TACACS+)
  IOS v11.2 (RADIUS)

  the Solaris OS versions refer to the fact that the
  Access Control Server software can be installed onto
  these Solaris Operating system versions. fine.
  where is this IOS ? where is this IOS installed ?

  is the logical diagram ok as below

   NAS---User
|
|
   AccessControl
   server

  is the logical flow ok ?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36227t=36218



Dennis Laganiere's rif examples [7:36228]

2002-02-22 Thread Eric Mwambaji

Does anyone have a url to Dennis Laganiere's rif
examples? I almost have this RIF thing down but I
could use a few more examples.

Eric
CCNP





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36228t=36228



Re: Cisco Certification Digest V2 #1920 [7:36229]

2002-02-22 Thread Mo Kraushar

Hi all;  
I would be interested in renting for several days  a 25xx or 26xx
cisco router preferably from someone in the greater ny area.

please email me at [EMAIL PROTECTED] if you can help.

mo  





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36229t=36229



RE: Autonomous-system command [7:36067]

2002-02-22 Thread Lupi, Guy

It specifies your autonomous system if you are running the old EGP protocol.
I sent a message last night, here it is:

John, I don't know if you found an answer.  Looks like this command is used
to specify your AS number when you are running EGP, which is something like
the precursor to BGP.  There is actually a chapter on this in Doyle's
Routing TCP/IP Volume II, chapter 1.  HTH.

From CCO:

autonomous-system (EGP)
Use the autonomous-system global configuration command to specify the local
autonomous system that the router resides in for EGP. To remove the AS
number, use the no autonomous-system command.

autonomous-system local-as
no autonomous-system local-as

Syntax Description
local-as  Local autonomous system (AS) number to which the router belongs.

Default
None

Command Mode
Global configuration

Usage Guidelines
Before you can set up EGP routing, you must specify an autonomous system
number. The local AS number will be included in EGP messages sent by the
router.

Example
The following sample configuration specifies an autonomous system number of
110:

autonomous-system 110

Related Command
router egp

~-Original Message-
~From: Chuck [mailto:[EMAIL PROTECTED]]
~Sent: Friday, February 22, 2002 12:28 AM
~To: [EMAIL PROTECTED]
~Subject: Re: Autonomous-system command [7:36067]
~
~
~the question is - what does the command do? it does not appear in the
~documentation. there is no apparent result using show ip 
~protocol, or show
~ip anything else.
~
~if you can explain what the command autonomous-system does, 
~I'm all ears.
~
~Chuck
~
~
~
~Anthony Toh  wrote in message
~news:[EMAIL PROTECTED]...
~ Hi, take a look at the protocol IGRP in the Cisco website. 
~Maybe you can
~ have a better understanding of what an Autonomous system 
~number is all
~about.
~
~ Anthony.
~
~
~
~
~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36230t=36067



site survey [7:36231]

2002-02-22 Thread Stanzin Takpa

Hi !
Does anybody know what steps (checklist) one should follow when going
for a network site survey for deploying an ISP setup? Any website links?

Thanks

Stanzin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36231t=36231



RE: Dennis Laganiere's rif examples [7:36228]

2002-02-22 Thread Wright, Jeremy

he's on this list somewhere ...:) but you might want to check the groupstudy
archive

-Original Message-
From: Eric Mwambaji [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 11:18 AM
To: [EMAIL PROTECTED]
Subject: Dennis Laganiere's rif examples [7:36228]


Does anyone have a url to Dennis Laganiere's rif
examples? I almost have this RIF thing down but I
could use a few more examples.

Eric
CCNP





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36232t=36228



RE: Access Lists are a bit mystifying [7:36164]

2002-02-22 Thread Tom Petzold

Remember the OSI model.  IP can have multiple higher level protocols
running over it.  So IP uses protocol numbers to identify the higher level
protocol that it should send the data to.  If you do a deny ? on a router
you will see all the different protocols (eigrp, gre, icmp, ospf, pim, tcp,
udp).  Once the IP layer passes the packet up to the transport layer the
layer 4 protocol has to know which application to send the data to.  So the
TCP protocol will send traffic on port 80 to the web server and traffic to
port 25 to the smtp server.

Layer 7 - Application
Layer 6 - Presentation
Layer 5 - Session
Layer 4 - Transport

 Hi Anil,

 Sometimes it's scary posting to this group. =)

 To answer your question,
 if you don't have the permit IP any any command, there is an implicit deny rule
 at the end of an access-list, which will drop all traffic that you have not
 allowed through the access-list.

 The other two deny statements are dropping netbios port 139 and something
 that uses port .

 Hope this helps.

 Scott

 -Original Message-
 From: Anil Gupte [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 21, 2002 7:59 PM
 To: [EMAIL PROTECTED]
 Subject: Access Lists are a bit mystifying [7:36164]


 Hi All!

 I watch this list occasionally (when I have time).  This is my first post
 to this list, so be kind. :p)

 In the access list below:
 **
 conf t
 int ethernet0/0
 no ip access-list extended secure2
 ip access-list extended secure2
 deny tcp any any eq 
 deny tcp any any eq 139
 permit ip any any

 int ethernet0/0
 ip access-group secure2 out
 ip access-group secure2 in

 exit
 wr
 **
 Why is it that you need to deny TCP and permit IP?  Or did I not do this
 right?

 Thanx,
 Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36233t=36164



RE: Console speed [7:36155]

2002-02-22 Thread Scott Nawalaniec

Hello,

I tried this on a new 2650 router and it states The -s speed option is not
supported on this platform, which it sounds like it is supported on other
platforms. 

Scott

-Original Message-
From: Georg Pauwen [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 2:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Console speed [7:36155]


Hi,

I am not sure if this works, but what happens if you just try

rommon  xmodem -y -s57600

to set the speed to 57600 ?

Regards,

Georg




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36234t=36155



RE: 640-900 BSCI or 640-503 Routing [7:36158]

2002-02-22 Thread s vermill

My recommendation would be to proceed with caution.  IS-IS is not just an
additional topic on the 900 exam.  It is core to it.  Also, since the CCIP
is geared towards ISP environments, know your BGP very well.  This is a tough
exam.  Longer than 503 and requires higher passing score.  Good luck!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36236t=36158



Re: cipt [7:36148]

2002-02-22 Thread tony paparazzo

Excuse me...So it's a problem to ask how an exam was. You really think it's
bad to ask what a passing score is.. Damn..Not like I was asking for the
answers..Wow..Unbelievable...By the way..I have those objectives the day I
started studying..I was JUST asking how the exam was...

So I can't perform research cuz I asked for what passing score is...Man
whatever.



Tony











Tim Medley  wrote in message
news:[EMAIL PROTECTED]...
 Part of becoming Cisco Certified is the ability to perform research.

 http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/9E0-402.html

 Also what does it matter what the passing score is for the exam?


 Tim Medley - CCNP+Voice, CCDP
 Sr. Network Architect
 VoIP Group
 iReadyWorld

 p 704.943.3615
 f 704.525.9119

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
 tony paparazzo
 Sent: Thursday, February 21, 2002 8:28 PM
 To: [EMAIL PROTECTED]
 Subject: cipt [7:36148]

 Anyone take this yet..What is passing..What are some key areas to
 study..

 Thanks

 Tony




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36237t=36148



RE: Foundation Exam [7:36186]

2002-02-22 Thread Vincent Miller

Don't drink any coffee beforehand ! You are on the right track with respect
to the ciscopress books. The exam will follow those


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36238t=36186



Re: hop count in EIGRP? [7:36082]

2002-02-22 Thread s vermill

Chuck wrote:
 
 BTW, it occurs to me that we have had this discussion before.
 There being
 nothing in the routing table indicating IGRP or EIGRP hop
 counts, how does
 (E)IGRP know the diameter of the network of which it is a
 member? And why
 would it care? ;-)
 
 Maybe one of these days I'll daisy chain the routers in my lab,
 and set the
 max hops to 4 and see what happens ;-
 
 Chuck

If you look at my earlier post you will see that I have already done this. 
Hop count is carried in the payload I believe - not the header.  Exceeding
the hop count causes routes to disappear.  It is used and enforced apparently.

Regards


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36239t=36082



simple access-lists question [7:36240]

2002-02-22 Thread NetEng

Why is this simple task beating me?

I have a router with 2eth. that separates my lab from the corporate network.
I would like web/ftp/telnet access from the lab to the world and back. I
created an access list and applied it to my lab's ethernet int. This is the
list. Am I missing something?

access-list 101 permit 80 any any
access-list 101 permit 21 any any
access-list 101 permit 23 any any
access-list 101 permit 53 any any
access-list 101 permit icmp any any

ip access-group 101 out (on ethernet of lab side)

TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36240t=36240



Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder

I believe you need something like

access-list 101 permit tcp any any eq www

you have something that permits IP protocol numbers I think.   Like 6 is
tcp, 17 is udp, 9 is igrp, etc..

etc...

--
RFC 1149 Compliant.


NetEng  wrote in message
news:[EMAIL PROTECTED]...
 Why is this simple task beating me?

 I have a router with 2eth. that separates my lab from the corporate
network.
 I would like web/ftp/telnet access from the lab to the world and back. I
 created an access list and applied it to my lab's ethernet int. This is
the
 list. Am I missing something?

 access-list 101 permit 80 any any
 access-list 101 permit 21 any any
 access-list 101 permit 23 any any
 access-list 101 permit 53 any any
 access-list 101 permit icmp any any

 ip access-group 101 out (on ethernet of lab side)

 TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36241t=36240



Re: Easy ways to pick up a few extra minutes on the CCIE lab. [7:36242]

2002-02-22 Thread Jeff Buehler

Another option with a newer IOS, if you want to see the config for an
interface, is to use:

sh ru INT E 0

and you will get the config for the interface only


Redback Users  wrote in message
news:[EMAIL PROTECTED]...
 Well, start by not to see the config so often (just to look for the IP
 address).

 25XX is extremely slow doing the thing so.

 Better use show ip int brie or show ip int  instead.


 Wright, Jeremy  wrote in message
 news:[EMAIL PROTECTED]...
  also, check the groupstudy database...there was a list of aliases that a
 guy
  put on the list
 
  -Original Message-
  From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
  Sent: Friday, February 15, 2002 2:19 PM
  To: [EMAIL PROTECTED]
  Subject: RE: Easy ways to pick up a few extra minutes on the CCIE lab.
  [7:35547]
 
 
  Better than the CTRL+R that I've been using.
 
   -Original Message-
   From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
   Sent: Friday, February 15, 2002 1:45 PM
   To: [EMAIL PROTECTED]
   Subject: RE: Easy ways to pick up a few extra minutes on the CCIE lab.
   [7:35541]
  
  
   That's a really good one. I hate it when the console blasts
   some stupid
   message at you while you're typing. It still throws me off
   even though I
   should be used to it. ;-) Thanks for telling us about this.
  
   Priscilla
  
   At 02:11 PM 2/15/02, Sean Knox wrote:
   I always enter console config and turn on logging
   synchronous; it inserts
   a carriage return automatically after system messages show
   up. Doesn't hurt
   to enable it on the vtys either.
   
   core8500#conf t
   Enter configuration commands, one per line.  End with CNTL/Z.
   core8500(config)#line con 0
   core8500(config-line)#logg sync
   
   -Original Message-
   From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
   Sent: Friday, February 15, 2002 10:32 AM
   To: [EMAIL PROTECTED]
   Subject: Easy ways to pick up a few extra minutes on the CCIE lab.
   [7:35523]
   
   
   no ip domain-lookup  (how do you spell pnig again)
   terminal escape-char 3  (Press Ctrl-c to break out of ping  Telnet)
   
   Anybody got others?
   
  
   Priscilla Oppenheimer
   http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36242t=36242



CCIE Question [7:36243]

2002-02-22 Thread Brian Zeitz

I saw a resume with CCIE (Q) after their name, what does the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36243t=36243



RE: CCIE Question [7:36243]

2002-02-22 Thread Chris Charlebois

I would guess that means that person has passed the CCIE Qualification Exam,
or the written portion of the certification.  He or she is presumably
studying/preparing for the lab exam.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36246t=36243



Re: CCIE Question [7:36243]

2002-02-22 Thread MJ

it means they only passed the qualification exam. they should not be putting
CCIE on their resume at all

Brian Zeitz  wrote in message
news:[EMAIL PROTECTED]...
 I saw a resume with CCIE (Q) after their name, what does the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36244t=36243



NAT Detection Utility [7:36248]

2002-02-22 Thread Kwame

Anyone know of a tool for detecting NAT activity on the network. I work in a
large university and we've instituted a policy against nat especially in the
dorms due to some very serious security breaches. Is there anything out
there that can remotely detect a nat operation? Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36248t=36248



RE: Dennis Laganiere's rif examples [7:36228]

2002-02-22 Thread Debbie Westall

Try this link, it allows you to test your RIF
knowledge.

http://www.loopy.org/rif.cgi

I have attached Dennis' RIF paper. It's very good.

Debbie Westall

--- Wright, Jeremy  wrote:
 he's on this list somewhere ...:) but you might want
 to check the groupstudy
 archive
 
 -Original Message-
 From: Eric Mwambaji [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 22, 2002 11:18 AM
 To: [EMAIL PROTECTED]
 Subject: Dennis Laganiere's rif examples [7:36228]
 
 
 Does anyone have a url to Dennis Laganiere's rif
 examples? I almost have this RIF thing down but I
 could use a few more examples.
 
 Eric
 CCNP
 

[GroupStudy.com removed an attachment of type application/pdf which had a
name of Doing RIFs.pdf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36249t=36228



Re: hop count in EIGRP? [7:36082]

2002-02-22 Thread Priscilla Oppenheimer

At 12:51 AM 2/22/02, Chuck wrote:
 it gets complicated, routing protocols versus ip packets.

It's not complicated. Is this Chuck Larrieu? You know that it's not 
complicated.

Of course IP routing protocol packets are carried in an IP packet. No 
biggie. They can set the IP TTL in the IP header to whatever they want. 
Routing protocols generally set the IP TTL to 1 in their routing protocol 
packets. That works fine because the recipient is next door.

Note that we are not talking about the hop count in distance vector route 
descriptors carried by RIP, IGRP, and EIGRP.

OSPF sets the TTL to 1. OSPF virtual links are a special case. The packet 
might have to go more hops, as you say.

BGP also sets the TTL to 1. eBGP multihop might be another special case.

RIPv1 and v2, IGRP, and EIGRP set the TTL to 2. Maybe the developers were 
worried that the recipient would decrement by one and trash the packet.

Priscilla


 first of all, if I understand correctly, all ip routing protocols use ip
 headers. The routing protocol packet is the payload, and not an entity unto
 itself. I have seen traces of OSPF packets showing IP TTL of various values.
 Someone shared with me some traces to validate something I suspected - that
 the OSPF virtual link packet has an initial TTL of 255. My theory is that it
 has to be deliberately set high because there is no predicting the number of
 hops a virtual link will traverse.

 The eBGP multihop command sets the IP TTL to something greater than the
 native BGP TTL of 1.

 EIGRP? Don't know. Was merely speculating. But consider - where else might
 the hop limit occur? The EIGRP header has no field indicating hop count
 that I can see. My source is the Rad Com World of Protocols book.

 Yes, RIP and RIPv2 contain within the RIP packet ( not the IP header ) a
 field in which metric / hopcount is carried. This leads me to believe that
 RIP does nothing to manipulate the IP TTL value. The others appear to do
 just that, however.

 Chuck


Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
  At 08:05 PM 2/21/02, Chuck wrote:
  to augment the other answers, the IP hop count is really the IP TTL
value.
  It can never exceed 255
 
  You're confusing two issues.
 
  Remember the router has two jobs: forwarding packets and learning the
  topology. Hop count has to do with the latter and affects what goes in
the
  routing table. The IP TTL causes a router to drop a packet before
  forwarding if the TTL becomes zero.
 
 
  EIGRP defaults to 100 hops, so I would expect that the routing packet IP
TTL
  is set at 100 at that point.
 
  Routing packets only go to neighbors. The IP TTL should be set to one or
  two. This has nothing to do with hop count which will be later in the
  packet in the distance vectors.
 
 
  Well ( checking the sniffer trace that Priscilla so thoughtfully
supplied
a
  couple of days ago ) I'm seeing the IP TTL as 2. Still, maybe there is
an
  adjustment made. After all, the (E)IGRP metric includes end to end
metrics.
  hhmmm... ( looking over Priscilla's trace again ) way down there I see
an
  EIGRP hop count 0 line.
 
  The router was advertising a directly-connected network.
 
 
  the IP TTL is still really the only thing that makes sense in terms of
the
  way IP works.
 
  In terms of forwarding maybe. You better reconsider routing protocols
  though...
 
  Priscilla
 
 
  Anyone?
  
  Chuck
  
  Steven A. Ridder  wrote in message
  news:[EMAIL PROTECTED]...
Anyone know why there is a hop-count in EIGRP?  It has a 1 byte
value,
  but
it doesn't limit the number of hops and it looks like routers don't
use
  it
in their calculations.  Why is it there?
   
--
RFC 1149 Compliant.
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36247t=36082
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
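The distinction drawn in the message above, between the IP TTL of the packet that carries a routing update and the hop count inside its route descriptors, can be modelled on a daisy chain of routers. This is an added example, not code from any poster; the names `Update` and `propagate`, the router names and the network are constructed, the TTL of 2 is the value the message above gives for EIGRP updates, and the max-hops rule follows the lab result reported earlier in this thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One routing update as it leaves a router (simplified model)."""
    sender: str
    ip_ttl: int       # TTL in the IP header of the update packet itself
    network: str
    hop_count: int    # hop count inside the route descriptor (payload)


def propagate(chain, network, max_hops, update_ttl=2):
    """Walk a daisy chain in which chain[0] is directly connected to `network`
    and every router advertises only to the next router in the chain.

    Returns (table, updates): table maps router name to the hop count it
    installed; updates lists every update that was sent.
    """
    table = {chain[0]: 0}          # directly connected: 0 hops
    updates = []
    for upstream, downstream in zip(chain, chain[1:]):
        if upstream not in table:
            break                  # no route installed, so nothing to advertise
        # Each router originates its own update packet: the IP TTL starts
        # again at update_ttl on every link, while the descriptor carries
        # the sender's own hop count for the network.
        update = Update(upstream, update_ttl, network, table[upstream])
        updates.append(update)
        learned = update.hop_count + 1   # receiver is one hop further away
        if learned <= max_hops:
            table[downstream] = learned
        # otherwise the receiver discards the route and never re-advertises it
    return table, updates


if __name__ == "__main__":
    routers = ["R1", "R2", "R3", "R4", "R5", "R6"]   # constructed lab chain
    table, updates = propagate(routers, "10.1.1.0/24", max_hops=4)
    for u in updates:
        print(f"{u.sender} sends update: IP TTL={u.ip_ttl}, "
              f"descriptor hop count={u.hop_count}")
    for r in routers:
        print(r, "->", table.get(r, "no route (max hops exceeded)"))
```
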



Re: simple access-lists question [7:36240]

2002-02-22 Thread John Neiberger

Hey, are you ever going to upgrade to RFC 2549 compliance?  If you
haven't already, you're behind the times by about three years!  :-)

John

 Steven A. Ridder  2/22/02 11:43:33 AM

I believe you need something like

access-list 101 permit tcp any any eq www

you have something that permits IP protocol numbers I think.   Like 6
is
tcp, 17 is udp, 9 is igrp, etc..

etc...

--
RFC 1149 Compliant.


NetEng  wrote in message
news:[EMAIL PROTECTED]...
 Why is this simple task beating me?

 I have a router with 2eth. that separates my lab from the corporate
network.
 I would like web/ftp/telnet access from the lab to the world and
back. I
 created an access list and applied it to my lab's ethernet int. This
is
the
 list. Am I missing something?

 access-list 101 permit 80 any any
 access-list 101 permit 21 any any
 access-list 101 permit 23 any any
 access-list 101 permit 53 any any
 access-list 101 permit icmp any any

 ip access-group 101 out (on ethernet of lab side)

 TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36250t=36240



RE: simple access-lists question [7:36240]

2002-02-22 Thread Ole Drews Jensen

Your syntax is wrong.

You are permitting IP protocols 80, 21, 23 and 53 - NOT ports 80, 21, 23 and
53.

The correct syntax would be:

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq domain
access-list 101 permit icmp any any

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: NetEng [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 12:39 PM
To: [EMAIL PROTECTED]
Subject: simple access-lists question [7:36240]


Why is this simple task beating me?

I have a router with 2eth. that separates my lab from the corporate network.
I would like web/ftp/telnet access from the lab to the world and back. I
created an access list and applied it to my lab's ethernet int. This is the
list. Am I missing something?

access-list 101 permit 80 any any
access-list 101 permit 21 any any
access-list 101 permit 23 any any
access-list 101 permit 53 any any
access-list 101 permit icmp any any

ip access-group 101 out (on ethernet of lab side)

TIA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36251t=36240
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
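The difference between a bare number in the protocol position and a port after `eq`, discussed in the message above, and the implicit deny discussed in the earlier "Access Lists are a bit mystifying" thread, can be checked with a small first-match model. This is an added example, not code from any poster or from Cisco: it models only the `any any` address form, matches destination ports only, ignores interface direction, and the test packets are constructed.

```python
"""Simplified first-match model of IOS extended ACL entries (added example)."""

# Protocol keywords -> IP protocol number; "ip" matches every IP protocol.
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
# Port keywords used in the corrected list posted in the thread.
PORT_NAMES = {"ftp": 21, "telnet": 23, "domain": 53, "www": 80}
IMPLICIT_DENY = "(implicit deny)"

# Lists copied from the thread.
ORIGINAL = [
    "access-list 101 permit 80 any any",
    "access-list 101 permit 21 any any",
    "access-list 101 permit 23 any any",
    "access-list 101 permit 53 any any",
    "access-list 101 permit icmp any any",
]
CORRECTED = [
    "access-list 101 permit tcp any any eq www",
    "access-list 101 permit tcp any any eq telnet",
    "access-list 101 permit tcp any any eq ftp",
    "access-list 101 permit tcp any any eq domain",
    "access-list 101 permit icmp any any",
]
# Entries of the named list "secure2"; the entry whose port is missing on
# the page is left out rather than guessed.
SECURE2 = ["deny tcp any any eq 139", "permit ip any any"]


def parse_entry(line):
    """Return (action, protocol_number_or_None, dst_port_or_None)."""
    tok = line.split()
    if tok and tok[0] == "access-list":   # numbered form: skip keyword + number
        tok = tok[2:]
    if len(tok) not in (4, 6):
        raise ValueError(f"unsupported entry: {line!r}")
    action, proto, src, dst = tok[:4]
    if action not in ("permit", "deny") or (src, dst) != ("any", "any"):
        raise ValueError(f"unsupported entry: {line!r}")
    if proto in PROTOCOLS:
        proto_num = PROTOCOLS[proto]
    elif proto.isdigit() and int(proto) <= 255:
        proto_num = int(proto)            # a bare number is an IP protocol number
    else:
        raise ValueError(f"unknown protocol: {proto!r}")
    port = None
    if len(tok) == 6:
        if tok[4] != "eq" or proto_num not in (6, 17):
            raise ValueError(f"'eq' needs tcp or udp: {line!r}")
        port = PORT_NAMES[tok[5]] if tok[5] in PORT_NAMES else int(tok[5])
    return action, proto_num, port


def evaluate(acl, proto, dst_port=None):
    """First matching entry decides; no match falls to the implicit deny."""
    for line in acl:
        action, want_proto, want_port = parse_entry(line)
        if want_proto is not None and want_proto != proto:
            continue
        if want_port is not None and want_port != dst_port:
            continue
        return action, line
    return "deny", IMPLICIT_DENY


# Constructed packets: (description, IP protocol number, destination port).
PACKETS = [
    ("HTTP request, TCP dst 80", 6, 80),
    ("Telnet, TCP dst 23", 6, 23),
    ("DNS query, UDP dst 53", 17, 53),
    ("HTTP reply, TCP src 80 / dst 49152", 6, 49152),
    ("ICMP echo", 1, None),
    ("IP protocol 80 (not TCP)", 80, None),
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED),
                      ("secure2", SECURE2)):
        print(f"--- {name}")
        for desc, proto, port in PACKETS:
            action, why = evaluate(acl, proto, port)
            print(f"{action:6} {desc:36} <- {why}")
```

In this model the corrected list still sends a UDP DNS query, and a web reply whose destination port is an ephemeral port, to the implicit deny, because each of its TCP entries matches only the named destination port.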



Re: hop count in EIGRP? [7:36082]

2002-02-22 Thread Priscilla Oppenheimer

At 12:56 AM 2/22/02, Chuck wrote:
 BTW, it occurs to me that we have had this discussion before.

Yes, unfortunately. ;-)

 There being
 nothing in the routing table indicating IGRP or EIGRP hop counts,

You can't see the hop count with show ip route perhaps, but the router 
certainly saves the info. Try the show ip eigrp  command. It shows 
the hop count.

 how does
 (E)IGRP know the diameter of the network of which it is a member?

It's basic distance vector processing.

I receive a packet that lists a network as being 0 hops away. (The router 
listing it is directly connected.) From my point of view, then, the network 
is 1 hop away. When I advertise this network, I say that it is 1 hop away. 
My downstream neighbor considers it 2 hops away.

When I add 1 to the hop count, if that causes the hop count to exceed 
maximum hop count, then I trash the route and don't advertise it.

 And why
 would it care? ;-

Now, that's a good question. But why does any routing protocol care?


 Maybe one of these days I'll daisy chain the routers in my lab, and set the
 max hops to 4 and see what happens ;-

Just set the max to something smaller than the actual width. You'll see 
routes disappear.


 Chuck


Priscilla Oppenheimer  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  At 08:05 PM 2/21/02, Chuck wrote:
  to augment the other answers, the IP hop count is really the IP TTL
value.
  It can never exceed 255
 
  You're confusing two issues.
 
  Remember the router has two jobs: forwarding packets and learning the
  topology. Hop count has to do with the latter and affects what goes in
the
  routing table. The IP TTL causes a router to drop a packet before
  forwarding if the TTL becomes zero.
 
 
  EIGRP defaults to 100 hops, so I would expect that the routing packet IP
TTL
  is set at 100 at that point.
 
  Routing packets only go to neighbors. The IP TTL should be set to one or
  two. This has nothing to do with hop count which will be later in the
  packet in the distance vectors.
 
 
  Well ( checking the sniffer trace that Priscilla so thoughtfully
supplied
a
  couple of days ago ) I'm seeing the IP TTL as 2. Still, maybe there is
an
  adjustment made. After all, the (E)IGRP metric includes end to end
metrics.
  hhmmm... ( looking over Priscilla's trace again ) way down there I see
an
  EIGRP hop count 0 line.
 
  The router was advertising a directly-connected network.
 
 
  the IP TTL is still really the only thing that makes sense in terms of
the
  way IP works.
 
  In terms of forwarding maybe. You better reconsider routing protocols
  though...
 
  Priscilla
 
 
  Anyone?
  
  Chuck
  
  Steven A. Ridder  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
Anyone know why there is a hop-count in EIGRP?  It has a 1 byte
value,
  but
it doesn't limit the number of hops and it looks like routers don't
use
  it
in their calculations.  Why is it there?
   
--
RFC 1149 Compliant.
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36252t=36082
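The hop-count processing described in the message above (add 1 on receipt, discard the route if the result exceeds the maximum) can be simulated on the daisy chain Chuck proposes. This is an added example, not part of the original post; the router names, the second topology and the function name `propagate` are constructed, and the model tracks only the hop count, whereas EIGRP selects paths by its composite metric.

```python
from collections import deque

# Constructed topologies: a six-router daisy chain and the same chain with a
# shortcut link from R1 to R4.
CHAIN = [("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R4", "R5"), ("R5", "R6")]
CHAIN_WITH_SHORTCUT = CHAIN + [("R1", "R4")]


def propagate(links, origin, max_hops):
    """Return {router: hop count} for a network directly attached to origin.

    The origin advertises the network with hop count 0. Every receiver adds 1;
    if the result exceeds max_hops the route is discarded and therefore never
    advertised further, as described in the message above.
    """
    neighbors = {}
    for a, b in links:
        neighbors.setdefault(a, set()).add(b)
        neighbors.setdefault(b, set()).add(a)

    hops = {origin: 0}
    pending = deque([origin])          # routers with a route left to advertise
    while pending:
        sender = pending.popleft()
        for receiver in sorted(neighbors.get(sender, ())):
            candidate = hops[sender] + 1
            if candidate > max_hops:
                continue               # exceeds the maximum: trash the route
            if receiver not in hops or candidate < hops[receiver]:
                hops[receiver] = candidate
                pending.append(receiver)
    return hops


def unreachable(links, origin, max_hops):
    """Routers that exist in the topology but never install the route."""
    routers = {name for link in links for name in link}
    return sorted(routers - set(propagate(links, origin, max_hops)))


if __name__ == "__main__":
    for limit in (100, 4):
        print("max hops", limit, "->", propagate(CHAIN, "R1", limit),
              "missing:", unreachable(CHAIN, "R1", limit))
    print("shortcut, max hops 4 ->", propagate(CHAIN_WITH_SHORTCUT, "R1", 4))
```
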



Re: CCIE Question [7:36243]

2002-02-22 Thread Michael J. Doherty

It seems to be common these days to use that abbreviation to mean that the
individual has taken, and passed, the Written exam, but not yet
challenged/passed the Lab.

As for me, personally, when I get to that point, I do not plan on
advertising it in this manner.  If it comes up in an interview question, I
would answer it.  But, I refuse to put any certification on my resume until
I can honestly claim the entire title.


- Original Message -
From: Brian Zeitz 
To: 
Sent: Friday, February 22, 2002 1:54 PM
Subject: CCIE Question [7:36243]


 I saw a resume with CCIE (Q) after their name, what is the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36253t=36243



RE: Easy ways to pick up a few extra minutes on the CCIE lab. [7:36254]

2002-02-22 Thread Sean Knox

Nice! Been looking for something like that for awhile.

Sean

-Original Message-
From: Jeff Buehler [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Easy ways to pick up a few extra minutes on the CCIE lab.
[7:36242]


Another option with a newer IOS is if you want to see the Config for an
interface is to use:

sh ru INT E 0

and you will get the config for the interface only


Redback Users wrote in message
news:[EMAIL PROTECTED]...
 Well, start by not to see the config so often (just to look for the IP
 address).

 25XX is extremely slow doing the thing so.

 Better use show ip int brie or show ip int  instead.


 Wright, Jeremy wrote in message
 news:[EMAIL PROTECTED]...
  also, check the groupstudy database...there was a list of aliases that a
 guy
  put on the list
 
  -Original Message-
  From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
  Sent: Friday, February 15, 2002 2:19 PM
  To: [EMAIL PROTECTED]
  Subject: RE: Easy ways to pick up a few extra minutes on the CCIE lab.
  [7:35547]
 
 
  Better than the CTRL+R that I've been using.
 
   -Original Message-
   From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
   Sent: Friday, February 15, 2002 1:45 PM
   To: [EMAIL PROTECTED]
   Subject: RE: Easy ways to pick up a few extra minutes on the CCIE lab.
   [7:35541]
  
  
   That's a really good one. I hate it when the console blasts
   some stupid
   message at you while you're typing. It still throws me off
   even though I
   should be used to it. ;-) Thanks for telling us about this.
  
   Priscilla
  
   At 02:11 PM 2/15/02, Sean Knox wrote:
   I always enter console config and turn on logging
   synchronous; it inserts
   a carriage return automatically after system messages show
   up. Doesn't hurt
   to enable it on the vtys either.
   
   core8500#conf t
   Enter configuration commands, one per line.  End with CNTL/Z.
   core8500(config)#line con 0
   core8500(config-line)#logg sync
   
   -Original Message-
   From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
   Sent: Friday, February 15, 2002 10:32 AM
   To: [EMAIL PROTECTED]
   Subject: Easy ways to pick up a few extra minutes on the CCIE lab.
   [7:35523]
   
   
   no ip domain-lookup  (how do you spell pnig again)
   terminal escape-char 3  (Press Ctrl-c to break out of ping  Telnet)
   
   Anybody got others?
   
  
   Priscilla Oppenheimer
   http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36254t=36254



Re: CCIE Question [7:36243]

2002-02-22 Thread Persio Pucci

Hehehe... just like some folks that I've seen saying that they are CCNP 1/4
or 2/4... u can do the math :)

- Original Message -
From: Chris Charlebois 
To: 
Sent: Friday, February 22, 2002 4:02 PM
Subject: RE: CCIE Question [7:36243]


 I would guess that means that person has passed the CCIE Qualification Exam,
 or the written portion of the certification.  He or she is presumably
 studying/preparing for the lab exam.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36255t=36243



Re: CCIE Question [7:36243]

2002-02-22 Thread nrf

Cisco has made it clear that passing the written -CCIE exam does not get you
a certificate in itself.  Only by passing both the written and the lab do
you obtain a cert.  I don't know how it came to be acceptable that people
can claim a certificate that doesn't exist.

While you might say that it's not really a big deal - after all, the written
is an exam, so it 'sort-of' is like a cert, so what's the harm in pretending
that it's another cert?  Well, the real problem is that if people are
allowed to make up a CCIE-Q cert that doesn't exist, then what's to stop
them from making up other qualifications that don't exist?  It's the classic
slippery slope.  For example, if the CCIE-Q becomes an accepted pseudo-cert,
then later somebody will inevitably say they have a CCIE-A, because they
(A)ttempted the written (but didn't pass).  Or  a CCIE-F for somebody
who's never even seen a router in his life, but has heard about the CCIE
program and is thinking about doing it in the (F)uture.  Or heck, how about
a Bachelor's Degree-(F) for somebody who's never stepped into a classroom in
his life, but might do it in the future.  I don't know about you, but I hold
a Ph.D-(F), an MBA-(F),  a Law-degree-(F), and a Medical-degree-(F), all
from Harvard.




Michael J. Doherty wrote in message
news:[EMAIL PROTECTED]...
 It seems to be common these days to use that abbreviation to mean that the
 individual has taken, and passed, the Written exam, but not yet
 challenged/passed the Lab.

 As for me, personally, when I get to that point, I do not plan on
 advertising it in this manner.  If it comes up in an interview question, I
 would answer it.  But, I refuse to put any certification on my resume
until
 I can honestly claim the entire title.


 - Original Message -
 From: Brian Zeitz
 To:
 Sent: Friday, February 22, 2002 1:54 PM
 Subject: CCIE Question [7:36243]


  I saw a resume with CCIE (Q) after their name, what is the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36256t=36243



Re: hop count in EIGRP? [7:36082]

2002-02-22 Thread Priscilla Oppenheimer

It should say show ip eigrp topology network. Network is the argument to 
the command. I had it encapsulated in less than and greater than symbols so 
it got munged by the mail server. Argh.

There's probably other ways to see the hop count too. Bottom line: the 
router saves it. You just have to get the router to tell it to you.


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36257t=36082



Re: NAT Detection Utility [7:36248]

2002-02-22 Thread Patrick Ramsey

dynamic nat a security breach?  I was under the impression that dynamic was
a security practice? and if you are speaking of static nat, well
darn...that's you guys...

-Patrick

 Kwame  02/22/02 02:04PM 
Anyone know of a tool for detecting NAT activity on the network. I work in a
large university and we've instituted a policy against nat especially in the
dorms due to some very serious security breaches. Is there anything out
there that can remotely detect a nat operation? Thanks.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36258t=36248



RE: Dennis Laganiere's rif examples [7:36228]

2002-02-22 Thread Kaminski, Shawn G

Here are the ones I could find from Dennis:


1.  RIF - 0810.0011.0033.0040
2.  RIF - 0a10.0032.00b3.0124.0020
3.  RIF - 0810.0022.0013.0020
4.  RIF - 0800.0011.0022.0030
5.  RIF - 0a10.0011.00a2.0033.0040
6.  RIF - 0630.0011.0191.0030
7.  RIF - 0810.00a1.014f.01e0
8.  RIF - 0830.0195.00a1.0230
9.  RIF - 0a10.0045.0067.0101.0080
10. RIF - 0c10.047e.0067.00c8.043a.0080


Here are my answers:

1. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 1 (0x1), Bridge 1 (0x1)
Ring 3 (0x3), Bridge 3 (0x3) 
Ring 2 (0x4) to the destination

2. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 10 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 3 (0x3), Bridge 2 (0x2)
Ring 11 (0xb), Bridge 3 (0x3) 
Ring 18 (0x12), Bridge 4 (0x4) 
Ring 2 (0x2) to the destination

3. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 2 (0x2), Bridge 2 (0x2)
Ring 1 (0x1), Bridge 3 (0x3) 
Ring 3 (0x3) to the destination

4. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 512 bytes
Ring 1 (0x1), Bridge 1 (0x1)
Ring 3 (0x2), Bridge 3 (0x2) 
Ring 3 (0x3) to the destination

5. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 10 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 1 (0x1), Bridge 1 (0x1)
Ring a (0x10), Bridge 2 (0x2) 
Ring 3 (0x3), Bridge 3(0x3) 
Ring 4 (0x4) to the destination

6.  The RIF is invalid because the length specified in the RIF differs from
the actual length of the RIF

7.  The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 10 (0xa), Bridge 1 (0x1)
Ring 20 (0x14), Bridge 15 (0xf) 
Ring 30 (0x1e) to the destination

8. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 8 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 4,472 bytes
Ring 25 (0x19), Bridge 5 (0x5)
Ring 10 (0xa), Bridge 1 (0x1) 
Ring 35 (0x23) to the destination

9. The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 10 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 4 (0x4), Bridge 5 (0x5)
Ring 6 (0x6), Bridge 7 (0x7) 
Ring 16 (0x10), Bridge 1 (0x1) 
Ring 8 (0x8) to the destination

10.  The RIF is valid, and its breakdown is:
RIF type: single route frame
RIF Length: 12 bytes 
Direction to read the RIF: left-to-right
Maximum frame length: up to 1,500 bytes
Ring 71 (0x47), Bridge 15 (0xe)
Ring 6 (0x6), Bridge 7 (0x7) 
Ring 12 (0xc), Bridge 8 (0x8) 
Ring 67 (0x43), Bridge 10 (0xa) 
Ring 8 (0x8) to the destination


Shawn K.

-Original Message-
From: Eric Mwambaji [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 22, 2002 12:18 PM
To: [EMAIL PROTECTED]
Subject: Dennis Laganiere's rif examples [7:36228]


Does anyone have a url to Dennis Laganiere's rif
examples? I almost have this RIF thing down but I
could use a few more examples.

Eric
CCNP





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36259t=36228
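The RIF strings listed in this message can be decoded field by field: a 2-byte routing control field (3 type bits, 5 length bits, 1 direction bit, 3 largest-frame bits) followed by 2-byte route descriptors holding a 12-bit ring number and a 4-bit bridge number. The decoder below is an added example, not part of the original post; the function names are hypothetical, and the largest-frame table uses the values commonly listed for this field (its 1500 and 4472 entries are the ones that appear in the answers above).

```python
# Largest-frame code (bits 6-4 of the second routing-control byte) -> bytes.
LARGEST_FRAME = {0: 516, 1: 1500, 2: 2052, 3: 4472,
                 4: 8144, 5: 11407, 6: 17800, 7: 65535}


def rif_type(code):
    """Map the top three bits of the first byte to a frame type."""
    if code & 0b100 == 0:
        return "specifically routed"
    return "single-route explorer" if code & 0b010 else "all-routes explorer"


def decode_rif(text):
    """Decode a dotted-hex RIF such as '0810.0011.0033.0040'.

    Raises ValueError when the string is not valid hex or when the length
    field disagrees with the number of bytes actually present.
    """
    raw = bytes.fromhex(text.strip().replace(".", ""))
    if len(raw) < 2 or len(raw) % 2:
        raise ValueError("a RIF is a whole number of 16-bit fields")
    length = raw[0] & 0x1F
    if length != len(raw):
        raise ValueError("length field says %d bytes, RIF has %d"
                         % (length, len(raw)))

    descriptors = []
    for i in range(2, len(raw), 2):
        field = (raw[i] << 8) | raw[i + 1]
        descriptors.append((field >> 4, field & 0x0F))   # (ring, bridge)

    rings = [ring for ring, _ in descriptors]
    # The bridge nibble of the last descriptor is unused (no further hop).
    bridges = [bridge for _, bridge in descriptors[:-1]]
    right_to_left = bool(raw[1] & 0x80)
    if right_to_left:                  # present the path in traversal order
        rings.reverse()
        bridges.reverse()

    return {
        "type": rif_type(raw[0] >> 5),
        "length": length,
        "direction": "right-to-left" if right_to_left else "left-to-right",
        "largest_frame": LARGEST_FRAME[(raw[1] >> 4) & 0x07],
        "rings": rings,
        "bridges": bridges,
    }


def describe(text):
    """Render the decoded path as 'ring 1 -> bridge 1 -> ring 3 ...'."""
    info = decode_rif(text)
    parts = []
    for index, ring in enumerate(info["rings"]):
        parts.append("ring %d (0x%x)" % (ring, ring))
        if index < len(info["bridges"]):
            bridge = info["bridges"][index]
            parts.append("bridge %d (0x%x)" % (bridge, bridge))
    return " -> ".join(parts)


if __name__ == "__main__":
    # RIF strings 1, 6, 8 and 10 from the list above.
    for rif in ("0810.0011.0033.0040", "0630.0011.0191.0030",
                "0830.0195.00a1.0230", "0c10.047e.0067.00c8.043a.0080"):
        try:
            print(rif, decode_rif(rif), describe(rif), sep="\n  ")
        except ValueError as error:
            print(rif, "invalid: %s" % error, sep="\n  ")
```
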



Re: NAT Detection Utility [7:36248]

2002-02-22 Thread dre

Have you been reading NANOG or Slashdot?  There was an article
about Comcast, specifically, who is trying to combat NAT.

What was determined is that:

1) There is no definite way to detect NAT
2) There are many implementations of NAT (even many RFC's stating how NAT works)
3) Bandwidth usage or number of open connections can not be correlated to using NAT

What I do not understand is your AUP.  I also do not understand how NAT has
very serious security breach implications.  You seem to have a misunderstanding
of NAT operation.  What is the real problem you are trying to solve?

For understanding NAT, you might want to read up, especially:
RFC 1631, 2391, 2428, 2663, 2694, 2709, 2766, 2962, 2993, 3022, 3027, and 3235
Internet-Drafts http://www.ietf.org/ids.by.wg/nat.html

Bandwidth usage can be combated in several other different ways.

1) Add more bandwidth (well, this costs money and you are a University... so...)
2) Implement QoS methods (rate-limiting, queueing, RED, etc -- there are many ways)
3) Get a cache server (either transparent, wpad, or configured) and optionally join a cache hierarchy

Your overall network design and bottlenecks should be looked at very closely.
Gathering the right data to know what's going on in your network is probably
the number one priority over everything else.  Some of the tools are easy to
set up (Ntop, MRTG, etc).  The best way to look at your network is really up to
you and may take years of work to get exactly what you want.  Some suggestions
that people from Cisco would give would be like using NBAR or NetFlow and maybe
RMON to get at the network application data passing through your network.
There are millions of ways to do this.

Also, you might want to take a look at your AUP and policies again.  It sounds
like you might be moving in a direction that doesn't fit the needs of your
University or your users.

Read through RFC 1173 and RFC 1746 for help in building up your AUP.

I believe that setting up a cache server (especially Squid) may help you with a
lot of your problems, especially if you use it as a staging ground to combat
the problems you think you are having.  Fight fire with fire.  If somebody is
going proxy-crazy on your network and creating all sorts of covert channels all
over the place (playing with TCP/IP in interesting ways), then put up your own
proxies and covert channels.  Maybe you will learn a lot about their methods
and motivations, as well.

-dre

Kwame wrote in message
news:[EMAIL PROTECTED]...
 Anyone know of a tool for detecting NAT activity on the network. I work in
a
 large university and we've instituted a policy against nat especially in
the
 dorms due to some very serious security breaches. Is there anything out
 there that can remotely detect a nat operation? Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36260t=36248



Re: CCIE Question [7:36243]

2002-02-22 Thread nrf

I never meant to imply that you supported the practice.  I should have said
that some people treat this as a common practice, not that you were one of
those people.


- Original Message -
From: Michael J. Doherty 
To: nrf ; 
Sent: Friday, February 22, 2002 12:19 PM
Subject: Re: CCIE Question [7:36243]


 Never said that I agreed with the practice.  I am perfectly well aware of
 Cisco's stance on the subject.

 My message, also, did not state that I thought that it is not a big deal.
 Personally, if I were in a position responsible for hiring, all candidates
 who posted that information in their resume would automatically find
 themselves removed from consideration.

 I am proud of my own accomplishments and all of the initials that I can
 place behind my name are placed with the full knowledge that I have the
 score sheets and experience to back them up.

 Sincerely,

 Michael J. Doherty
 MCSE-NT4, MCSE-W2K, CCNA Certified, CCDA Certified,  NREMT-P and many
others
 that do not have initials.

 - Original Message -
 From: nrf 
 To: 
 Sent: Friday, February 22, 2002 2:46 PM
 Subject: Re: CCIE Question [7:36243]


  Cisco has made it clear that passing the written -CCIE exam does not get
 you
  a certificate in itself.  Only by passing both the written and the lab
do
  you obtain a cert.  I don't know how it came to be acceptable that
people
  can claim a certificate that doesn't exist.
 
  While you might say that it's not really a big deal - after all, the
 written
  is an exam, so it 'sort-of' is like a cert, so what's the harm in
 pretending
  that it's another cert?  Well, the real problem is that if people are
  allowed to make up a CCIE-Q cert that doesn't exist, then what's to
stop
  them from making up other qualifications that don't exist?  It's the
 classic
  slippery slope.  For example, if the CCIE-Q becomes an accepted
 pseudo-cert,
  then later somebody will inevitably say they have a CCIE-A, because
they
  (A)ttempted the written (but didn't pass).  Or  a CCIE-F for somebody
  who's never even seen a router in his life, but has heard about the CCIE
  program and is thinking about doing it in the (F)uture.  Or heck, how
 about
  a Bachelor's Degree-(F) for somebody who's never stepped into a
classroom
 in
  his life, but might do it in the future.  I don't know about you, but I
 hold
  a Ph.D-(F), an MBA-(F),  a Law-degree-(F), and a Medical-degree-(F), all
  from Harvard.
 
 
 
 
  Michael J. Doherty wrote in message
  news:[EMAIL PROTECTED]...
   It seems to be common these days to use that abbreviation to mean that
 the
   individual has taken, and passed, the Written exam, but not yet
   challenged/passed the Lab.
  
   As for me, personally, when I get to that point, I do not plan on
   advertising it in this manner.  If it comes up in an interview
question,
 I
   would answer it.  But, I refuse to put any certification on my resume
  until
   I can honestly claim the entire title.
  
  
   - Original Message -
   From: Brian Zeitz
   To:
   Sent: Friday, February 22, 2002 1:54 PM
   Subject: CCIE Question [7:36243]
  
  
I saw a resume with CCIE (Q) after their name, what is the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36265t=36243



Port Secure not working ? [7:36267]

2002-02-22 Thread Pierre-Alex GUANEL



I was expecting to see a FastEthernet 0/26 ENABLED after the configuration
below. Instead it is disabled. Any ideas?

Thanks,

Pierre-Alex

Switch1(config)#int f 0/26
Switch1(config-if)#port secure max-mac-count 1
Switch1(config-if)#exit
Switch1(config)#address-violation suspend
Switch1(config)#end

Switch1#sh mac-address-table security

Action upon address violation : Disable

Interface Addressing Security Address Table Size Clear Address

---
Ethernet 0/1 Disabled N/A No
Ethernet 0/2 Disabled N/A No
Ethernet 0/3 Disabled N/A No
Ethernet 0/4 Disabled N/A No
Ethernet 0/5 Disabled N/A No
Ethernet 0/6 Disabled N/A No
Ethernet 0/7 Disabled N/A No
Ethernet 0/8 Disabled N/A No
Ethernet 0/9 Disabled N/A No
Ethernet 0/10 Disabled N/A No
Ethernet 0/11 Disabled N/A No
Ethernet 0/12 Disabled N/A No
Ethernet 0/13 Disabled N/A No
Ethernet 0/14 Disabled N/A No
Ethernet 0/15 Disabled N/A No
Ethernet 0/16 Disabled N/A No
Ethernet 0/17 Disabled N/A No

--More--
Ethernet 0/18 Disabled N/A No
Ethernet 0/19 Disabled N/A No
Ethernet 0/20 Disabled N/A No
Ethernet 0/21 Disabled N/A No
Ethernet 0/22 Disabled N/A No
Ethernet 0/23 Disabled N/A No
Ethernet 0/24 Disabled N/A No
Ethernet 0/25 Disabled N/A No
FastEthernet 0/26 Disabled N/A No
FastEthernet 0/27 Disabled N/A No   No




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36267t=36267



LLQ Configuration [7:36272]

2002-02-22 Thread Steve Manuel

To Group:

I am working with a client who is having problems with Video Conference 
using Polycom Equipment. The problem is jitter and audio drops. 

The solution that has been suggested to us by Cisco is Low Latency Queueing
(LLQ) over Frame Relay.

I'm not sure the release but I was told this is a new feature for Frame
Relay.
We were instructed to upgrade to 12.2.6a IP Plus Feature Set...

We did this..

This particular client has one DLCI on the physical interface, the port
speed of the interface
is 768kb. This is the same for both sites that have the video equipment. 

Here's the configuration I put together.


access-list 101 permit tcp any any range 3230 3231
access-list 101 permit udp any any range 3230 3235


class-map match-all video
match access-group 101


Policy-map video-police
class video
priority 540
class class-default
fair-queue 64


map-class frame-relay video-data
no frame-relay adaptive-shaping
frame-relay cir 768000
frame-relay bc 7680
frame-relay be 0
service-policy out video-police
frame-relay fragment 1280

Applied these two commands to the physical interface.

frame-relay traffic-shaping
frame-relay class video-data

Here's the error we are getting.

I/f Serial0/0 DLCI 400 class video requested bandwidth 540 (kbps)
Not Available
Removing service policy from map-class

We even tried this on a router not connected to the network at all. When you
do a show 
run after the error the service-policy statement is removed from the
map-class configuration.

Does anyone have experience with LLQ or have any suggestions?

Stephen Manuel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36272t=36272



Interesting DDR Brain Teaser (long and pointless ) [7:36271]

2002-02-22 Thread John Neiberger

I was just talking to a guy I work with about this and I thought it was
an interesting scenario.  It was his idea and my first thought was that
it wasn't possible, but then after a little more pondering I decided
that it might be possible.  Note:  'possible' does not mean desirable. :-)

Here's the scoop:



[A]-[B]
  |  \
  |\
  |  \
  |\
  |  \
  |\
  |  \
[C] --- [D]

Site A is connected to B, a disaster recovery facility, via frame
relay.  A also has point-to-point connections to sites C and D.   C and
D are connected via frame relay but obviously only use the frame relay
link to reach A if their own primary link goes down.

C and D have ISDN connections configured to dial B in case both links
to A go away (Dialer Watch).  Now for the twist  What if you wanted
to configure C to dial D when the load on its primary link reached a
certain point, yet still dial B if both point-to-point links went down?

I haven't completely figured out how to do this yet, but here's a
start.  You might configure two Dialer profiles, one for each
destination.  On the major interface on C you'd configure Dialer0 as
your backup interface and configure an appropriate load.  When the line
utilization reaches that load, the router would dial Site D.

Then you might configure Dialer Watch on Dialer1 and make it dial
Site B if routes originating from Site A disappear.  The difficulty is
that the Dialer interface that calls Site B would have to have absolute
priority.  If the primary link goes down, because Dialer0 is configured
as a backup it might grab the BRI first.  Even if it does get there
first, when Dialer Watch kicks in, we'd have to have a way to clear the
line immediately so Dialer1 could dial out.

Is that possible?  Admittedly, I'm a bit weak on DDR of this variety,
but this sounded like an interesting brain teaser.

Regards,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36271t=36271



Re: NAT Detection Utility [7:36248]

2002-02-22 Thread Patrick Bass

They probably want the ability to scan every machine on their network; if
you're behind a NAT firewall they can't do this.  Sounds to me like they've
got a problem but are trying to correct it with the *wrong* solution.


Hire, Ejay wrote in message
news:[EMAIL PROTECTED]...
 The only way to do it would be to look for out of baseline utilization
 patterns, and investigate them.

 On the security policy ...
 How does a guy in a dorm with a linksys router performing NAT impose a
 security risk?
 -Original Message-
 From: Kwame [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 22, 2002 2:05 PM
 To: [EMAIL PROTECTED]
 Subject: NAT Detection Utility [7:36248]


 Anyone know of a tool for detecting NAT activity on the network. I work in a
 large university and we've instituted a policy against nat especially in the
 dorms due to some very serious security breaches. Is there anything out
 there that can remotely detect a nat operation? Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36273t=36248



Re: LLQ Configuration [7:36272]

2002-02-22 Thread Steven A. Ridder

I'm guessing you have the bandwidth statement set to 768 on the serial
interface.  If so, type max-reserved-bandwidth 90 on the serial interface.
Show us the stats for s0/0 when you do sh int s0/0.

Steve Manuel wrote in message:
 To Group:

 I am working with a client who is having problems with Video Conference
 using Polycom Equipment. The problem is jitter and audio drops.

 The solution that has been suggested to us by Cisco Low Latency Queueing
 (LLQ) over Frame Relay.

 I'm not sure the release but I was told this is a new feature for Frame
 Relay.  We were instructed to upgrade to 12.2.6a IP Plus Feature Set...

 We did this..

 This particular client has one DLCI on the physical interface, the port
 speed of the interface is 768kb. This is the same for both sites that have
 the video equipment.

 Here's the configuration I put together.


 access-list 101 permit tcp any any range 3230 3231
 access-list 101 permit udp any any range 3230 3235


 class-map match-all video
 match access-group 101


 Policy-map video-police
 class video
 priority 540
 class class-default
 fair-queue 64


 map-class frame-relay video-data
 no frame-relay adaptive-shaping
 frame-relay cir 768000
 frame-relay bc 7680
 frame-relay be 0
 service-policy out video-police
 frame-relay fragment 1280

 Applied to these two commands to physical interface.

 frame-relay traffic-shaping
 frame-relay class video-data

 Here's the error we are getting.

 I/f Serial0/0 DLCI 400 class video requested bandwidth 540 (kbps)
 Not Available
 Removing service policy from map-class

 We even tried this on a router not connected to the network at all. When
 you do a show run after the error the service-policy statement is removed
 from the map-class configuration.

 Does anyone have experience with LLQ or have any suggestions.

 Stephen Manuel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36274t=36272



RE: NAT Detection Utility [7:36248]

2002-02-22 Thread Hire, Ejay

The only way to do it would be to look for out of baseline utilization
patterns, and investigate them.

On the security policy ...
How does a guy in a dorm with a linksys router performing NAT impose a
security risk?
-Original Message-
From: Kwame [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 2:05 PM
To: [EMAIL PROTECTED]
Subject: NAT Detection Utility [7:36248]


Anyone know of a tool for detecting NAT activity on the network. I work in a
large university and we've instituted a policy against nat especially in the
dorms due to some very serious security breaches. Is there anything out
there that can remotely detect a nat operation? Thanks.
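
One way to act on the "out of baseline utilization" suggestion in the message above, as an added example that is not from any poster: the Python sketch below compares each access port's daily traffic with the peer-group baseline (median and MAD) and lists ports that stay far above it on several days. The port names, byte counts, threshold and function names are constructed for illustration.

```python
from statistics import median

# Constructed sample: megabytes per day, per dorm switch port, over five days.
SAMPLE_USAGE = {
    "Fa0/1": [310, 295, 330, 305, 320],
    "Fa0/2": [280, 300, 290, 310, 285],
    "Fa0/3": [1450, 1520, 1390, 1610, 1480],  # sustained, well above its peers
    "Fa0/4": [300, 1200, 310, 295, 305],      # a single busy day
    "Fa0/5": [330, 315, 300, 325, 340],
    "Fa0/6": [290, 305, 315, 300, 295],
}


def robust_z(value, center, mad):
    """Distance from the baseline in MAD units, scaled to resemble a z-score."""
    if mad == 0:
        # All peers identical: anything different is infinitely far away.
        return 0.0 if value == center else float("inf")
    return 0.6745 * (value - center) / mad


def out_of_baseline(usage, threshold=3.5, min_days=3):
    """Return {port: [day indexes]} for ports above baseline on >= min_days days.

    The baseline for each day is the median over all ports, so one heavy port
    cannot drag the baseline up the way it would with a mean.
    """
    ports = sorted(usage)
    n_days = len(usage[ports[0]])
    if any(len(usage[p]) != n_days for p in ports):
        raise ValueError("every port needs the same number of daily samples")

    hits = {p: [] for p in ports}
    for day in range(n_days):
        sample = [usage[p][day] for p in ports]
        center = median(sample)
        mad = median(abs(x - center) for x in sample)
        for p in ports:
            # Only high usage is of interest, so the comparison is one-sided.
            if robust_z(usage[p][day], center, mad) > threshold:
                hits[p].append(day)

    # A port on this list is a lead to investigate, not proof of a NAT device.
    return {p: days for p, days in hits.items() if len(days) >= min_days}


if __name__ == "__main__":
    for port, days in out_of_baseline(SAMPLE_USAGE).items():
        print(f"{port}: above baseline on days {days}")
```
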




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36261t=36248



Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder

Not enough customers have asked for that feature yet.  :)  Was RFC 1149 the
precursor to wireless?


John Neiberger wrote in message:
 Hey, are you ever going to upgrade to RFC 2549 compliance?  If you
 haven't already, you're behind the times by about three years!  :-)

 John

  Steven A. Ridder  2/22/02 11:43:33 AM
 
 I believe you need something like

 access-list 101 permit tcp any any eq www

 you have something that permits IP protocol numbers I think.   Like 6 is
 tcp, 17 is udp, 9 is igrp, etc..

 etc...

 --
 RFC 1149 Compliant.


 NetEng wrote in message:
  Why is this simple task beating me?
 
  I have a router with 2eth. that separates my lab from the corporate
  network.  I would like web/ftp/telnet access from the lab to the world and
  back. I created an access list and applied it to my lab's ethernet int.
  This is the list. Am I missing something?
 
  access-list 101 permit 80 any any
  access-list 101 permit 21 any any
  access-list 101 permit 23 any any
  access-list 101 permit 53 any any
  access-list 101 permit icmp any any
 
  ip access-group 101 out (on ethernet of lab side)
 
  TIA.
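
The mistake discussed in this thread, a port number written where an extended ACL expects an IP protocol, can be caught mechanically. The following is an added example, not code from any poster: a small Python linter (`lint_acl`, `PORT_HINTS` and the other names are made up here) run over the list from the question, suggesting the `eq` form given in the reply.

```python
import re

# IP protocol numbers that are legitimate in the protocol field; the thread
# itself names 6 (tcp), 17 (udp) and 9 (igrp).
KNOWN_IP_PROTOCOLS = {1: "icmp", 6: "tcp", 9: "igrp", 17: "udp"}

# Port numbers from the question, with the transport and the IOS "eq" keyword.
# DNS is mapped to udp here; it can also run over tcp.
PORT_HINTS = {
    21: ("tcp", "ftp"),
    23: ("tcp", "telnet"),
    53: ("udp", "domain"),
    80: ("tcp", "www"),
}

ACL_LINE = re.compile(
    r"^\s*access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+?)\s*$"
)

# The list from the question, and the form suggested in the reply.
QUESTION_ACL = """\
access-list 101 permit 80 any any
access-list 101 permit 21 any any
access-list 101 permit 23 any any
access-list 101 permit 53 any any
access-list 101 permit icmp any any
"""
REPLY_ACL = "access-list 101 permit tcp any any eq www\n"


def is_extended(acl_number):
    """Numbered extended IP ACLs use 100-199 and 2000-2699."""
    return 100 <= acl_number <= 199 or 2000 <= acl_number <= 2699


def lint_acl(config_text):
    """Flag extended ACL entries whose protocol field is an unexpected number.

    In an extended ACL the word after permit/deny is the IP protocol, so
    "permit 80 any any" matches IP protocol 80, not TCP port 80.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = ACL_LINE.match(line)
        if not m or not is_extended(int(m["num"])):
            continue
        proto = m["proto"]
        if not proto.isdigit():
            continue  # named protocol such as tcp, udp, icmp or ip
        value = int(proto)
        if value in KNOWN_IP_PROTOCOLS:
            continue  # a numeric protocol that is plausibly intended
        finding = {
            "line": lineno,
            "text": line.strip(),
            "protocol": value,
            "suggestion": None,
        }
        if value in PORT_HINTS and " eq " not in f" {m['rest']} ":
            transport, keyword = PORT_HINTS[value]
            # Matches on destination port; whether the list direction suits
            # the traffic is a separate question this check does not answer.
            finding["suggestion"] = (
                f"access-list {m['num']} {m['action']} {transport} "
                f"{m['rest']} eq {keyword}"
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in lint_acl(QUESTION_ACL):
        print(f"line {f['line']}: '{f['text']}' matches IP protocol "
              f"{f['protocol']}; did you mean: {f['suggestion']}")
```
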




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36275t=36240



RE: CCIE Question [7:36243]

2002-02-22 Thread Roberts, Larry

That's ok, because I'm the President of the United States (F-MLN)
(Future-Most Likely Not )

:)

Larry

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 22, 2002 2:46 PM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Question [7:36243]


Cisco has made it clear that passing the written -CCIE exam does not get you
a certificate in itself.  Only by passing both the written and the lab do
you obtain a cert.  I don't know how it came to be acceptable that people
can claim a certificate that doesn't exist.

While you might say that it's not really a big deal - after all, the written
is an exam, so it 'sort-of' is like a cert, so what's the harm in pretending
that it's another cert?  Well, the real problem is that if people are
allowed to make up a CCIE-Q cert that doesn't exist, then what's to stop
them from making up other qualifications that don't exist?  It's the classic
slippery slope.  For example, if the CCIE-Q becomes an accepted pseudo-cert,
then later somebody will inevitably say they have a CCIE-A, because they
(A)ttempted the written (but didn't pass).  Or  a CCIE-F for somebody
who's never even seen a router in his life, but has heard about the CCIE
program and is thinking about doing it in the (F)uture.  Or heck, how about
a Bachelor's Degree-(F) for somebody who's never stepped into a classroom in
his life, but might do it in the future.  I don't know about you, but I hold
a Ph.D-(F), an MBA-(F),  a Law-degree-(F), and a Medical-degree-(F), all
from Harvard.




Michael J. Doherty wrote in message:
 It seems to be common these days to use that abbreviation to mean that 
 the individual has taken, and passed, the Written exam, but not yet 
 challenged/passed the Lab.

 As for me, personally, when I get to that point, I do not plan on 
 advertising it in this manner.  If it comes up in an interview 
 question, I would answer it.  But, I refuse to put any certification 
 on my resume until I can honestly claim the entire title.


 - Original Message -
 From: Brian Zeitz
 To:
 Sent: Friday, February 22, 2002 1:54 PM
 Subject: CCIE Question [7:36243]


  I saw a resume with CCIE (Q) after their name, what is the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36263t=36243



Re: CCIE Question [7:36243]

2002-02-22 Thread Michael J. Doherty

Never said that I agreed with the practice.  I am perfectly well aware of
Cisco's stance on the subject.

My message, also, did not state that I thought that it is not a big deal.
Personally, if I were in a position responsible for hiring, all candidates
who posted that information in their resume would automatically find
themselves removed from consideration.

I am proud of my own accomplishments and all of the initials that I can
place behind my name are placed with the full knowledge that I have the
score sheets and experience to back them up.

Sincerely,

Michael J. Doherty
MCSE-NT4, MCSE-W2K, CCNA Certified, CCDA Certified,  NREMT-P and many others
that do not have initials.

- Original Message -
From: nrf 
To: 
Sent: Friday, February 22, 2002 2:46 PM
Subject: Re: CCIE Question [7:36243]


 Cisco has made it clear that passing the written -CCIE exam does not get you
 a certificate in itself.  Only by passing both the written and the lab do
 you obtain a cert.  I don't know how it came to be acceptable that people
 can claim a certificate that doesn't exist.

 While you might say that it's not really a big deal - after all, the written
 is an exam, so it 'sort-of' is like a cert, so what's the harm in pretending
 that it's another cert?  Well, the real problem is that if people are
 allowed to make up a CCIE-Q cert that doesn't exist, then what's to stop
 them from making up other qualifications that don't exist?  It's the classic
 slippery slope.  For example, if the CCIE-Q becomes an accepted pseudo-cert,
 then later somebody will inevitably say they have a CCIE-A, because they
 (A)ttempted the written (but didn't pass).  Or  a CCIE-F for somebody
 who's never even seen a router in his life, but has heard about the CCIE
 program and is thinking about doing it in the (F)uture.  Or heck, how about
 a Bachelor's Degree-(F) for somebody who's never stepped into a classroom in
 his life, but might do it in the future.  I don't know about you, but I hold
 a Ph.D-(F), an MBA-(F),  a Law-degree-(F), and a Medical-degree-(F), all
 from Harvard.




 Michael J. Doherty wrote in message:
  It seems to be common these days to use that abbreviation to mean that the
  individual has taken, and passed, the Written exam, but not yet
  challenged/passed the Lab.
 
  As for me, personally, when I get to that point, I do not plan on
  advertising it in this manner.  If it comes up in an interview question, I
  would answer it.  But, I refuse to put any certification on my resume until
  I can honestly claim the entire title.
 
 
  - Original Message -
  From: Brian Zeitz
  To:
  Sent: Friday, February 22, 2002 1:54 PM
  Subject: CCIE Question [7:36243]
 
 
   I saw a resume with CCIE (Q) after their name, what is the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36262t=36243



Re: LLQ Configuration [7:36272]

2002-02-22 Thread John Neiberger

Strangely enough, we're using LLQ to support video conferencing with
Polycom equipment.  However, I don't really have any idea why you're
getting that error.  What routers are you using?

About the only difference I can think of between our implementations is
that we're setting the IP Precedence in the Polycom units and then
I'm using that to identify video traffic in the class-map instead of
using an access list.  That won't matter with this issue, obviously.

Another trick, which I don't think is officially supported but seems to
work, is to not apply the LLQ to the frame relay class directly.  Simply
go to the major interface and use the service-policy command there.  It
may not be correct, but it might accomplish your goal anyway.

Also, even though it won't make a difference here, you may want to
reconsider the use of fragmentation, or at least try it without it once
you get this working.  I've found, at least with VoIP, that
fragmentation made things worse.  I'm not sure why, but it did.

Regards,
John

 Steve Manuel  2/22/02 2:05:40 PM 
To Group:

I am working with a client who is having problems with Video Conference
using Polycom Equipment. The problem is jitter and audio drops.

The solution that has been suggested to us by Cisco Low Latency Queueing
(LLQ) over Frame Relay.

I'm not sure the release but I was told this is a new feature for Frame
Relay.  We were instructed to upgrade to 12.2.6a IP Plus Feature Set...

We did this..

This particular client has one DLCI on the physical interface, the port
speed of the interface is 768kb. This is the same for both sites that have
the video equipment.

Here's the configuration I put together.


access-list 101 permit tcp any any range 3230 3231
access-list 101 permit udp any any range 3230 3235


class-map match-all video
match access-group 101


Policy-map video-police
class video
priority 540
class class-default
fair-queue 64


map-class frame-relay video-data
no frame-relay adaptive-shaping
frame-relay cir 768000
frame-relay bc 7680
frame-relay be 0
service-policy out video-police
frame-relay fragment 1280

Applied to these two commands to physical interface.

frame-relay traffic-shaping
frame-relay class video-data

Here's the error we are getting.

I/f Serial0/0 DLCI 400 class video requested bandwidth 540 (kbps)
Not Available
Removing service policy from map-class

We even tried this on a router not connected to the network at all.
When you do a show run after the error the service-policy statement is
removed from the map-class configuration.

Does anyone have experience with LLQ or have any suggestions.

Stephen Manuel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36276t=36272



Re: CCIE Question [7:36243]

2002-02-22 Thread Tshon

guys should keep in mind:

No there is no CCIE Q or written cert.  Cisco has identified you as
a lab candidate.  This applies to everyone on the planet.  You have been
invited to take the lab, if you pass the written and after that date you
are still a CCIE candidate just like everyone else on the planet.
Just because you are a CCNP w/a specialization or not. you are not invited!

Next there is the financial aspect for corporations (the smart one).
CCIE's are expensive salaries are easily $120,000/yr plus.  But, if I can
get a guy just before he passes lab but after he has passed his written,
I know that he is trying and his knowledge will continue to increase.  I
then close to lab time have a CCIE on staff, working for pennies.  And I
have first crack at an offer.

So, thanks to the demand for CCIE's the CCIE written as you have been
identified has had a little weight, not taking into account the present
economy.

Now there have been job posting for CCIE written, candidates,
Qualification exam people.  And if you feel confident enough to wear that
title put what they are looking for on the resume.

Now CCNP whatevers have not been identified as such by anyone on the planet.

Finally it comes down to this: Do you have a number behind those letters?

nrf wrote:

Cisco has made it clear that passing the written -CCIE exam does not get you
a certificate in itself.  Only by passing both the written and the lab do
you obtain a cert.  I don't know how it came to be acceptable that people
can claim a certificate that doesn't exist.

While you might say that it's not really a big deal - after all, the written
is an exam, so it 'sort-of' is like a cert, so what's the harm in pretending
that it's another cert?  Well, the real problem is that if people are
allowed to make up a CCIE-Q cert that doesn't exist, then what's to stop
them from making up other qualifications that don't exist?  It's the classic
slippery slope.  For example, if the CCIE-Q becomes an accepted pseudo-cert,
then later somebody will inevitably say they have a CCIE-A, because they
(A)ttempted the written (but didn't pass).  Or  a CCIE-F for somebody
who's never even seen a router in his life, but has heard about the CCIE
program and is thinking about doing it in the (F)uture.  Or heck, how about
a Bachelor's Degree-(F) for somebody who's never stepped into a classroom in
his life, but might do it in the future.  I don't know about you, but I hold
a Ph.D-(F), an MBA-(F),  a Law-degree-(F), and a Medical-degree-(F), all
from Harvard.




Michael J. Doherty wrote in message:

It seems to be common these days to use that abbreviation to mean that the
individual has taken, and passed, the Written exam, but not yet
challenged/passed the Lab.

As for me, personally, when I get to that point, I do not plan on
advertising it in this manner.  If it comes up in an interview question, I
would answer it.  But, I refuse to put any certification on my resume until
I can honestly claim the entire title.


- Original Message -
From: Brian Zeitz
To:
Sent: Friday, February 22, 2002 1:54 PM
Subject: CCIE Question [7:36243]


I saw a resume with CCIE (Q) after their name, what is the Q mean?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36277t=36243



Re: Interesting DDR Brain Teaser (long and pointless ) [7:36279]

2002-02-22 Thread Tshon

Yes this is possible exactly as you described.  Hopefully in this
scenario you have more than one BRI.  But, say you don't: you have two
B channels; unless the load exceeds one of the B channels you have no
problem.  I believe the last question is: is there a priority or preempt
command?  Make a dialer interface and see : - )

John Neiberger wrote:

I was just talking to a guy I work with about this and I thought it was
an interesting scenario.  It was his idea and my first thought was that
it wasn't possible, but then after a little more pondering I decided
that it might be possible.  Note:  'possible' does not mean desirable.
:-)  Here's the scoop:

[A]-------[B]
 | \
 |  \
 |   \
 |    \
 |     \
 |      \
 |       \
[C] --- [D]

Site A is connected to B, a disaster recovery facility, via frame
relay.  A also has point-to-point connections to sites C and D.   C and
D are connected via frame relay but obviously only use the frame relay
link to reach A if their own primary link goes down.

C and D have ISDN connections configured to dial B in case both links
to A go away (Dialer Watch).  Now for the twist...  What if you wanted
to configure C to dial D when the load on its primary link reached a
certain point, yet still dial B if both point-to-point links went down?

I haven't completely figured out how to do this yet, but here's a
start.  You might configure two Dialer profiles, one for each
destination.  On the major interface on C you'd configure Dialer0 as
your backup interface and configure an appropriate load.  When the line
utilization reaches that load, the router would dial Site D.

Then you might configure Dialer Watch on Dialer1 and make it dial
Site B if routes originating from Site A disappear.  The difficulty is
that the Dialer interface that calls Site B would have to have absolute
priority.  If the primary link goes down, because Dialer0 is configured
as a backup it might grab the BRI first.  Even if it does get there
first, when Dialer Watch kicks in, we'd have to have a way to clear the
line immediately so Dialer1 could dial out.

Is that possible?  Admittedly, I'm a bit weak on DDR of this variety,
but this sounded like an interesting brain teaser.

Regards,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36279t=36279



RE: LLQ Configuration [7:36272]

2002-02-22 Thread Mike Bernico

I've done lots of LLQ but never with FR.  My bet however, would be that you
can do LLQ on the int, or FRTS, but not both.

Mike

---
Mike Bernico [EMAIL PROTECTED]
Illinois Century Network  http://www.illinois.net
(217) 557-6555


 -Original Message-
 From: Steve Manuel [mailto:[EMAIL PROTECTED]]
 Sent: Friday, February 22, 2002 3:06 PM
 To: [EMAIL PROTECTED]
 Subject: LLQ Configuration [7:36272]
 
 
 To Group:
 
 I am working with a client who is having problems with Video Conference
 using Polycom Equipment. The problem is jitter and audio drops.
 
 The solution that has been suggested to us by Cisco Low Latency Queueing
 (LLQ) over Frame Relay.
 
 I'm not sure the release but I was told this is a new feature for Frame
 Relay.  We were instructed to upgrade to 12.2.6a IP Plus Feature Set...
 
 We did this..
 
 This particular client has one DLCI on the physical interface, the port
 speed of the interface is 768kb. This is the same for both sites that have
 the video equipment.
 
 Here's the configuration I put together.
 
 
 access-list 101 permit tcp any any range 3230 3231
 access-list 101 permit udp any any range 3230 3235
 
 
 class-map match-all video
 match access-group 101
 
 
 Policy-map video-police
 class video
 priority 540
 class class-default
 fair-queue 64
 
 
 map-class frame-relay video-data
 no frame-relay adaptive-shaping
 frame-relay cir 768000
 frame-relay bc 7680
 frame-relay be 0
 service-policy out video-police
 frame-relay fragment 1280
 
 Applied to these two commands to physical interface.
 
 frame-relay traffic-shaping
 frame-relay class video-data
 
 Here's the error we are getting.
 
 I/f Serial0/0 DLCI 400 class video requested bandwidth 540 (kbps)
 Not Available
 Removing service policy from map-class
 
 We even tried this on a router not connected to the network at all. When
 you do a show run after the error the service-policy statement is removed
 from the map-class configuration.
 
 Does anyone have experience with LLQ or have any suggestions.
 
 Stephen Manuel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36280t=36272



Re: Interesting DDR Brain Teaser (long and pointless ) [7:36281]

2002-02-22 Thread John Neiberger

Thanks.  I knew there was a way to set the dialer priority but I just
wasn't sure how it operated.  I have yet to find a reference on CCO that
specifies what the priority really accomplishes.  If a dialer with a
high priority needs to use a line but the line is being used by a dialer
with a lower priority, does it simply disconnect the existing call and
take over?

Or, does it make use of the fast idle timer to be a little more fair? 
I'm still looking on CCO at the moment.  Hopefully, I'll find a link
that makes this more clear.

Thanks again,
John

 Tshon  2/22/02 3:07:43 PM 
Yes this is possible exactly as you described.  Hopefully in this
scenario you have more than one BRI.  But, say you don't: you have two
B channels; unless the load exceeds one of the B channels you have no
problem.  I believe the last question is: is there a priority or preempt
command?  Make a dialer interface and see : - )

John Neiberger wrote:

I was just talking to a guy I work with about this and I thought it was
an interesting scenario.  It was his idea and my first thought was that
it wasn't possible, but then after a little more pondering I decided
that it might be possible.  Note:  'possible' does not mean desirable.
:-)  Here's the scoop:

[A]-------[B]
 | \
 |  \
 |   \
 |    \
 |     \
 |      \
 |       \
[C] --- [D]

Site A is connected to B, a disaster recovery facility, via frame
relay.  A also has point-to-point connections to sites C and D.   C and
D are connected via frame relay but obviously only use the frame relay
link to reach A if their own primary link goes down.

C and D have ISDN connections configured to dial B in case both links
to A go away (Dialer Watch).  Now for the twist...  What if you wanted
to configure C to dial D when the load on its primary link reached a
certain point, yet still dial B if both point-to-point links went down?

I haven't completely figured out how to do this yet, but here's a
start.  You might configure two Dialer profiles, one for each
destination.  On the major interface on C you'd configure Dialer0 as
your backup interface and configure an appropriate load.  When the line
utilization reaches that load, the router would dial Site D.

Then you might configure Dialer Watch on Dialer1 and make it dial
Site B if routes originating from Site A disappear.  The difficulty is
that the Dialer interface that calls Site B would have to have absolute
priority.  If the primary link goes down, because Dialer0 is configured
as a backup it might grab the BRI first.  Even if it does get there
first, when Dialer Watch kicks in, we'd have to have a way to clear the
line immediately so Dialer1 could dial out.

Is that possible?  Admittedly, I'm a bit weak on DDR of this variety,
but this sounded like an interesting brain teaser.

Regards,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36281t=36281



Re: CCIE Question [7:36243]

2002-02-22 Thread nrf

Inline
Tshon wrote in message:
 guys should keep in mind:

 No there is no CCIE Q or written cert.  Cisco has identified you as
 a lab candidate.  This applies
 to everyone on the planet.  You have been invited to take the lab,
 if you pass the written and after
 that date you are still a CCIE candidate just like everyone else on
 the planet.
 Just because you are a CCNP w/a specialization or not. you are
 not invited!

 Next there is the financial aspect for corporations (the smart one).
  CCIE's are expensive salaries are easily
 $120,000/yr plus.

Maybe in 1999.  Not anymore.

 But, if I can get a guy just before he passes lab
 but after he has passed his written, I know
 that he is trying and his knowledge will continue to increase.  I
 then close to lab time have a CCIE on staff,
 working for pennies.  And I have first crack at an offer.

 If he passes, which is no sure thing.


 So, thanks to the demand for CCIE's the CCIE written as you have
 been identified has had a little weight,
 not taking into account the present economy.

Sure, but I think to be more relevant you do indeed have to take account of
the present economy.



 Now there have been job posting for CCIE written, candidates,
 Qualification exam people.  And if you feel
 confident enough to wear that title put what they are looking for on
 the resume.

 Now CCNP whatevers have not been identified as such by anyone on
 the planet.

 Finally it comes down to this Do you have a number behind those
 letters?

 nrf wrote:

 Cisco has made it clear that passing the written -CCIE exam does not get you
 a certificate in itself.  Only by passing both the written and the lab do
 you obtain a cert.  I don't know how it came to be acceptable that people
 can claim a certificate that doesn't exist.
 
 While you might say that it's not really a big deal - after all, the written
 is an exam, so it 'sort-of' is like a cert, so what's the harm in pretending
 that it's another cert?  Well, the real problem is that if people are
 allowed to make up a CCIE-Q cert that doesn't exist, then what's to stop
 them from making up other qualifications that don't exist?  It's the classic
 slippery slope.  For example, if the CCIE-Q becomes an accepted pseudo-cert,
 then later somebody will inevitably say they have a CCIE-A, because they
 (A)ttempted the written (but didn't pass).  Or  a CCIE-F for somebody
 who's never even seen a router in his life, but has heard about the CCIE
 program and is thinking about doing it in the (F)uture.  Or heck, how about
 a Bachelor's Degree-(F) for somebody who's never stepped into a classroom in
 his life, but might do it in the future.  I don't know about you, but I hold
 a Ph.D-(F), an MBA-(F),  a Law-degree-(F), and a Medical-degree-(F), all
 from Harvard.
 
 
 
 
 Michael J. Doherty wrote in message:
 
 It seems to be common these days to use that abbreviation to mean that the
 individual has taken, and passed, the Written exam, but not yet
 challenged/passed the Lab.
 
 As for me, personally, when I get to that point, I do not plan on
 advertising it in this manner.  If it comes up in an interview question, I
 would answer it.  But, I refuse to put any certification on my resume until
 I can honestly claim the entire title.
 
 
 - Original Message -
 From: Brian Zeitz
 To:
 Sent: Friday, February 22, 2002 1:54 PM
 Subject: CCIE Question [7:36243]
 
 
 I saw a resume with CCIE (Q) after their name, what is the Q mean?
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36282t=36243



Re: Interesting DDR Brain Teaser (long and pointless ) [7:36283]

2002-02-22 Thread Tshon

I can't remember but... this also helps

dialer pool-member number [priority priority] [min-link minimum]
[max-link maximum] - Assigns a physical interface to a dialer pool.

priority priority - Sets the priority of the physical interface within
the dialer pool (from 1 to 255). Interfaces with the highest priorities
are selected first when dialing out.

min-link minimum - Sets the minimum number of ISDN B channels on an
interface reserved for this dialer pool (from 1 to 255). Used for dialer
backup.

max-link maximum - Sets the maximum number of ISDN B channels on an
interface reserved for this dialer pool (from 1 to 255).


John Neiberger wrote:

Thanks.  I knew there was a way to set the dialer priority but I just
wasn't sure how it operated.  I have yet to find a reference on CCO that
specifies what the priority really accomplishes.  If a dialer with a
high priority needs to use a line but the line is being used by a dialer
with a lower priority, does it simply disconnect the existing call and
take over?

Or, does it make use of the fast idle timer to be a little more fair? 
I'm still looking on CCO at the moment.  Hopefully, I'll find a link
that makes this more clear.

Thanks again,
John

Tshon  2/22/02 3:07:43 PM 

Yes this is possible exactly as you described.  Hopefully in this
scenario you have more than one BRI.  But, say you don't: you have two
B channels; unless the load exceeds one of the B channels you have no
problem.  I believe the last question is: is there a priority or preempt
command?  Make a dialer interface and see : - )

John Neiberger wrote:

I was just talking to a guy I work with about this and I thought it was
an interesting scenario.  It was his idea and my first thought was that
it wasn't possible, but then after a little more pondering I decided
that it might be possible.  Note:  'possible' does not mean desirable.
:-)  Here's the scoop:

[A]-------[B]
 | \
 |  \
 |   \
 |    \
 |     \
 |      \
 |       \
[C] --- [D]

Site A is connected to B, a disaster recovery facility, via frame
relay.  A also has point-to-point connections to sites C and D.   C and
D are connected via frame relay but obviously only use the frame relay
link to reach A if their own primary link goes down.

C and D have ISDN connections configured to dial B in case both links
to A go away (Dialer Watch).  Now for the twist...  What if you wanted
to configure C to dial D when the load on its primary link reached a
certain point, yet still dial B if both point-to-point links went down?

I haven't completely figured out how to do this yet, but here's a
start.  You might configure two Dialer profiles, one for each
destination.  On the major interface on C you'd configure Dialer0 as
your backup interface and configure an appropriate load.  When the line
utilization reaches that load, the router would dial Site D.

Then you might configure Dialer Watch on Dialer1 and make it dial
Site B if routes originating from Site A disappear.  The difficulty is
that the Dialer interface that calls Site B would have to have absolute
priority.  If the primary link goes down, because Dialer0 is configured
as a backup it might grab the BRI first.  Even if it does get there
first, when Dialer Watch kicks in, we'd have to have a way to clear the
line immediately so Dialer1 could dial out.

Is that possible?  Admittedly, I'm a bit weak on DDR of this variety,
but this sounded like an interesting brain teaser.

Regards,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36283t=36283



Re: Interesting DDR Brain Teaser (long and pointless ) [7:36284]

2002-02-22 Thread John Neiberger

I've been reading and I still don't see how to do it.  The command you
mention seems to solve a different problem.  If I had a single dialer
interface and two physical interfaces to choose from, the priority lets
the dialer know which to try first.

I have yet to see how to give one dialer interface priority over
another when there is only a single BRI available.  Still looking
though!

John

 Tshon  2/22/02 3:45:58 PM 
I can't remember but... this also helps

dialer pool-member number [priority priority] [min-link minimum]
[max-link maximum] - Assigns a physical interface to a dialer pool.
priority priority - Sets the priority of the physical interface within
the dialer pool (from 1 to 255). Interfaces with the highest priorities
are selected first when dialing out.
min-link minimum - Sets the minimum number of ISDN B channels on an
interface reserved for this dialer pool (from 1 to 255). Used for dialer
backup.
max-link maximum - Sets the maximum number of ISDN B channels on an
interface reserved for this dialer pool (from 1 to 255).






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36284t=36284



Re: Interesting DDR Brain Teaser (long and pointless ) [7:36285]

2002-02-22 Thread Tshon

Go further down... the command I sent you lets you set a minimum number
and max number of B channels to use,
therefore excluding some B channels for use by another dialer profile.

John Neiberger wrote:

I've been reading and I still don't see how to do it.  The command you
mention seems to solve a different problem.  If I had a single dialer
interface and two physical interfaces to choose from, the priority lets
the dialer know which to try first.

I have yet to see how to give one dialer interface priority over
another when there is only a single BRI available.  Still looking
though!

John





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36285t=36285



FW: Port Secure not working ? [7:36278]

2002-02-22 Thread Pierre-Alex GUANEL

Problem solved. Port secure was to be enabled!

Thanks!

Pierre-Alex

-Original Message-
From: Pierre-Alex GUANEL [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 2:56 PM
To: Cisco
Subject: Port Secure not working ?




I was expecting to see a FastEthernet 0/26 ENABLED after the configuration
below. Instead it is disabled. Any ideas?

Thanks,

Pierre-Alex

Switch1(config)#int f 0/26
Switch1(config-if)#port secure max-mac-count 1
Switch1(config-if)#exit
Switch1(config)#address-violation suspend
Switch1(config)#end

Switch1#sh mac-address-table security

Action upon address violation : Disable

Interface Addressing Security Address Table Size Clear Address

---
Ethernet 0/1 Disabled N/A No
Ethernet 0/2 Disabled N/A No
Ethernet 0/3 Disabled N/A No
Ethernet 0/4 Disabled N/A No
Ethernet 0/5 Disabled N/A No
Ethernet 0/6 Disabled N/A No
Ethernet 0/7 Disabled N/A No
Ethernet 0/8 Disabled N/A No
Ethernet 0/9 Disabled N/A No
Ethernet 0/10 Disabled N/A No
Ethernet 0/11 Disabled N/A No
Ethernet 0/12 Disabled N/A No
Ethernet 0/13 Disabled N/A No
Ethernet 0/14 Disabled N/A No
Ethernet 0/15 Disabled N/A No
Ethernet 0/16 Disabled N/A No
Ethernet 0/17 Disabled N/A No

--More--
Ethernet 0/18 Disabled N/A No
Ethernet 0/19 Disabled N/A No
Ethernet 0/20 Disabled N/A No
Ethernet 0/21 Disabled N/A No
Ethernet 0/22 Disabled N/A No
Ethernet 0/23 Disabled N/A No
Ethernet 0/24 Disabled N/A No
Ethernet 0/25 Disabled N/A No
FastEthernet 0/26 Disabled N/A No
FastEthernet 0/27 Disabled N/A No   No




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36278t=36278
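
The check the poster made by eye on the `sh mac-address-table security` output, as an added Python example that is not part of the original posts: it parses the table, skips `--More--` pager lines, and reports required ports that are not secured and a violation action that differs from the one configured. The sample output is constructed from the post; the `Enabled` row format and all function names are assumptions.

```python
import re

# Constructed sample, modelled on the `sh mac-address-table security` output
# quoted in the post. The "Enabled" row is an assumption about how a secured
# port is displayed; it does not come from the thread.
SAMPLE_OUTPUT = """\
Action upon address violation : Disable

Interface Addressing Security Address Table Size Clear Address
---
Ethernet 0/1 Disabled N/A No
Ethernet 0/2 Disabled N/A No
--More--
Ethernet 0/25 Disabled N/A No
FastEthernet 0/26 Disabled N/A No
FastEthernet 0/27 Enabled 1 No
"""

ACTION_RE = re.compile(r"^Action upon address violation\s*:\s*(\w+)", re.I)
ROW_RE = re.compile(
    r"^(?P<iface>(?:Fast)?Ethernet\s+\d+/\d+)\s+"
    r"(?P<state>Enabled|Disabled)\s+"
    r"(?P<size>N/A|\d+)\s+"
    r"(?P<clear>Yes|No)\b",
    re.I,
)


def parse_security_table(text):
    """Return (violation_action, {interface: row}) from the show output."""
    action = None
    ports = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--"):
            continue  # pager prompts and blank lines carry no data
        m = ACTION_RE.match(line)
        if m:
            action = m.group(1).capitalize()
            continue
        m = ROW_RE.match(line)
        if m:
            iface = re.sub(r"\s+", " ", m.group("iface"))
            size = m.group("size")
            ports[iface] = {
                "secured": m.group("state").lower() == "enabled",
                "table_size": None if size.upper() == "N/A" else int(size),
            }
    return action, ports


def audit(text, must_be_secured, expected_action, max_macs=1):
    """List the gaps between the intended policy and what the switch reports."""
    action, ports = parse_security_table(text)
    findings = []
    if action is None:
        findings.append("violation action not found in output")
    elif action.lower() != expected_action.lower():
        findings.append(f"violation action is {action}, expected {expected_action}")
    for iface in must_be_secured:
        row = ports.get(iface)
        if row is None:
            # A port missing from the capture (truncated paging) is a finding too.
            findings.append(f"{iface}: not present in output")
        elif not row["secured"]:
            findings.append(f"{iface}: addressing security is Disabled")
        elif row["table_size"] is not None and row["table_size"] > max_macs:
            findings.append(
                f"{iface}: address table size {row['table_size']} exceeds {max_macs}"
            )
    return findings


if __name__ == "__main__":
    wanted = ["FastEthernet 0/26", "FastEthernet 0/27"]
    for finding in audit(SAMPLE_OUTPUT, wanted, "Suspend"):
        print(finding)
```
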



Last Minute Prayers, Advice and Tips---CSIDSPM [7:36288]

2002-02-22 Thread Godswill HO

Hi all,

I have just 2 hours between me and my Cisco Secure Intrusion Detection
Systems with Policy Manager (CSIDSPM) version 2.1 exam. It is the last
lap to my CSS1 certification.

Please, any last minute tips, advice and of course prayers would be
appreciated. Send an offline message where necessary.

Until I hear from you, Enjoy.

Regards.
Godswill Oletu CCNP,CCDP,CSS1(3/4).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36288t=36288



Re: CCIE Question [7:36243]

2002-02-22 Thread Todd Carswell

I don't think employers are being fooled by somebody putting CCIE-Q on their
resume.  I can see a person getting into a tight spot, though, if they
fraudulently try to pass themselves off as having passed the CCIE.  After
all, a company can just check with Cisco to make sure that a person is
certified.  The penalty for this infraction would be a rescinded job offer.

I personally have put the phrase CCIE candidate on my resume.  I am
currently unemployed (Lucent shut our facility down here in Raleigh) and
actively seeking employment.  I have put that phrase on my resume to let
employers know that, although I am out of work, I am not sitting around
twiddling my thumbs waiting for a job to fall out of the sky.  In addition,
it will create a scenario where interviewers will ask me about my networking
knowledge.

My full-time job right now is studying for the CCIE.  My lab exam is on May
2nd.  Hope I pass it!!!  :-)




nrf  wrote in message
news:[EMAIL PROTECTED]...
 Cisco has made it clear that passing the written -CCIE exam does not get
 you a certificate in itself.  Only by passing both the written and the lab
 do you obtain a cert.  I don't know how it came to be acceptable that
 people can claim a certificate that doesn't exist.

 While you might say that it's not really a big deal - after all, the
 written is an exam, so it 'sort-of' is like a cert, so what's the harm in
 pretending that it's another cert?  Well, the real problem is that if
 people are allowed to make up a CCIE-Q cert that doesn't exist, then
 what's to stop them from making up other qualifications that don't exist?
 It's the classic slippery slope.  For example, if the CCIE-Q becomes an
 accepted pseudo-cert, then later somebody will inevitably say they have a
 CCIE-A, because they (A)ttempted the written (but didn't pass).  Or a
 CCIE-F for somebody who's never even seen a router in his life, but has
 heard about the CCIE program and is thinking about doing it in the
 (F)uture.  Or heck, how about a Bachelor's Degree-(F) for somebody who's
 never stepped into a classroom in his life, but might do it in the future.
 I don't know about you, but I hold a Ph.D-(F), an MBA-(F), a
 Law-degree-(F), and a Medical-degree-(F), all from Harvard.




 Michael J. Doherty  wrote in message
 news:[EMAIL PROTECTED]...
  It seems to be common these days to use that abbreviation to mean that
  the individual has taken, and passed, the Written exam, but not yet
  challenged/passed the Lab.

  As for me, personally, when I get to that point, I do not plan on
  advertising it in this manner.  If it comes up in an interview question,
  I would answer it.  But, I refuse to put any certification on my resume
  until I can honestly claim the entire title.
 
 
  - Original Message -
  From: Brian Zeitz
  To:
  Sent: Friday, February 22, 2002 1:54 PM
  Subject: CCIE Question [7:36243]
 
 
   I saw a resume with CCIE (Q) after their name, what is the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36290t=36243



passed ccie-security written exam!! [7:36268]

2002-02-22 Thread Patrick Bass

I passed the CCIE security qualification exam today.  I'm very excited about
this.  My main study guides were:

CCIE Security Written Exam Workbook
(http://www.ccbootcamp.com/secexamwkbk.asp) -- I consider this a *must have*
CSIDS Book
CSVPN Book (The first few chapters were the best)
MCNS Book
CCIE Exam Cram (The regular R/S one was great to review *IP* routing and
switching topics)
Vconsole CCIE Security exam simulation, another must have
(http://www.ccbootcamp.com/secpractest.asp)

I also read and studied several white papers on IPSec and VPNs from CCO...
general security info from NIST and others.

I also used the Boson CCIE-Security exam simulation; my advice on this one
is don't waste your money.

In case anyone is interested I have over six years of experience in
networking and security.  I'm also a CISSP.  I'm looking forward to the lab
challenge.  I just ordered a lab subscription from hellocomputers.com

Good luck in YOUR endeavors!

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36268t=36268



Re: IP helper-address, domain browsing & N [7:36089]

2002-02-22 Thread Alex Lee

I am going to venture a guess:

According to MS NT's static port assignments, TCP: 42 is for WINS
replication; perhaps changing this statement from
ip nat inside source static 10.0.3.40 xxx.xxx.xxx.156 extendable
  to
ip nat inside source static tcp 10.0.3.40 42 xxx.xxx.xxx.156 42 extendable
may solve the problem.

However, according to MS two other ports are also used in WINS functions:
TCP:135 for WINS Manager and TCP:137 for WINS Registration.

Interested to know if this helps.


Kurdziel Peter  wrote in message
news:[EMAIL PROTECTED]...
 Does anyone know of any issues using the IP helper-address and domain
 browsing while using NAT?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36220t=36089



Re: IP helper-address, domain browsing & N [7:36089]

2002-02-22 Thread Steven A. Ridder

Is NAT on on the NJ router?  If so, just NAT from CA only.

--
RFC 1149 Compliant.

Kurdziel Peter  wrote in message
news:[EMAIL PROTECTED]...
 Does anyone know of any issues using the IP helper-address and domain
 browsing while using NAT?


 I have 2 locations, CA and NJ.
 CA has a connection to the internet, NJ does not. CA and NJ are connected
 via a point-to-point link via their serial interfaces. With the help of
 NATting, NJ is now able to access the internet via the router in CA.

 My problem is that I need the servers at each location to replicate their
 WINS databases. To try and solve this issue I added ip helper-address to
 the serial point-to-point link on both sides. If I remove the ip nat inside
 or the ip nat outside command from either the FastEthernet or the serial
 interfaces I can browse the domain and replicate the WINS database in
 either location. But the NJ location does not have internet access.

 What do I need to do to enable both browsing to and from either location
 and Internet access at both locations?


 Here is a copy of my config from both locations.

 hostname California
 !
 enable secret
 !
 !
 !
 !
 !
 memory-size iomem 25
 ip subnet-zero
 !
 !
 !
 !
 interface Serial0
  description Connection to ISP
  ip address 10.0.10.1 255.255.255.252
  ip nat outside
  no fair-queue


 interface Serial1
  description point to point t1 to New Jersey
  ip address 192.168.254.2 255.255.255.252
  ! Server's IP in New Jersey
  ip helper-address 10.0.3.40
  no fair-queue
 !
 interface FastEthernet0
  ip address 10.0.2.1 255.255.255.0 secondary
  ip address xxx.xxx.xxx.155 255.255.255.248
  ip nat inside
  speed auto
 !
 ip nat pool local xxx.xxx.xxx.155 xxx.xxx.xxx.155 prefix-length 28
 ip nat inside source list 1 pool local overload
 ip nat inside source static 10.0.3.40 xxx.xxx.xxx.156 extendable
 ip classless

 ip route 0.0.0.0 0.0.0.0 serial0
 ip route 10.0.3.0 255.255.255.0 192.168.254.1
 ip route xxx.xxx.xxx.0 255.255.255.248 192.168.254.1


 no ip http server
 !
 access-list 1 permit 10.0.2.0 0.0.0.255
 !
 line con 0
  password
  line aux 0
  password
  line vty 0 4
  password
  !
 end


 
 hostname NewJersy
 !
 enable secret
 !
 !
 !
 !
 !
 memory-size iomem 25
 ip subnet-zero
 !
 !
 !
 !
 interface Serial0
  description point to point t1 to California
  ip address 192.168.254.1 255.255.255.252
  ip nat outside
  no fair-queue
  service-module t1 timeslots 1-24
 !
 interface FastEthernet0
  ip address 10.0.3.1 255.255.255.0 secondary
  ip address xxx.xxx.xxx.46 255.255.255.248
  ! Server's IP in California
  ip helper-address 10.0.2.9
  ip nat inside
  speed auto
 !
 ip nat pool local xxx.xxx.xxx.46 xxx.xxx.xxx.46 prefix-length 28
 ip nat inside source list 1 pool local overload
 ip nat inside source static 10.0.3.40 xxx.xxx.xxx.45 extendable
 ip classless
 ip route 0.0.0.0 0.0.0.0 192.168.254.2
 no ip http server
 !
 access-list 1 permit 10.0.3.0 0.0.0.255
 !
 line con 0
  password
  line aux 0
  password
  line vty 0 4
  password
  !
 end




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36204t=36089



RE: Dennis Laganiere's rif examples [7:36228]

2002-02-22 Thread Wright, Jeremy

Actually, Dennis has a book out with ccbootcamp. You can find it on Amazon,
ISBN #1931881006. I went to a class that Dennis put on and he helped me
understand all about bridging and RIFs. This book is a good asset to have
in your CCIE library. I also have that book reviewed on Amazon.



-Original Message-
From: Eric Mwambaji [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 11:18 AM
To: [EMAIL PROTECTED]
Subject: Dennis Laganiere's rif examples [7:36228]


Does anyone have a url to Dennis Laganiere's rif
examples? I almost have this RIF thing down but I
could use a few more examples.

Eric
CCNP





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36235t=36228



RE: Should I buy IDS ? [7:36053]

2002-02-22 Thread Kent Hundley

IMO, there is no reason for any organization connected to the Internet not
to run IDS.  There is an increasing trend in the security arena away from
formal risk analysis/cost benefit methodologies towards one of implementing
best practices.  There are several reasons for this:

1) Formal risk analysis methodologies generally take a long time and cost a
lot of money.  There are abbreviated versions of the process, but it's still
a significant effort to do these correctly.

2) In the end, the effort may not be all that helpful.  The problem is that
a risk analysis is based on cost/benefit numbers that don't really map to
hackers and vandals.  You may not consider your web server to be worth much
since it has only public data, but it may be very valuable to someone who
can use it to attack other sites.  Also, it is nearly impossible to weigh
the risk of a loss of customer confidence in your company.  If your site is
publicly compromised, it doesn't matter much whether companies do financial
transactions through your web-site or not, they probably will have a very
dim view of your organization if you can't keep your web site secure.

3) There are efforts underway to formalize best practices for security for
anyone connected to the Internet. (for example, see
http://www.cisecurity.org/)  It is logical to assume that as these efforts
become widespread, a company may very well be held financially responsible
if they do not follow these practices under traditional business standards
of due care.  If your site is compromised and is used to compromise other
sites, it is likely you will be sued and lose.  If your site becomes a warez
site, software companies may sue you for supporting piracy, and you will
lose.  There is simply too much information on good security practices and
too many open source tools that can be deployed for almost zero cost for any
organization to continue to claim ignorance or budget as an excuse for not
implementing basic security measures.

Given this, the question is not should someone deploy IDS,  the question
is what IDS should we deploy.  Snort is an excellent choice for the cost
and has a sizable installed base of admins to help newbies.  If budget
permits, there are lots of decent products to choose from and one can
certainly mix and match open source with commercial tools to suit almost any
budget.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Ramsey
Sent: Thursday, February 21, 2002 7:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Should I buy IDS ? [7:36053]


Well...it depends on how secure you want your network!

The size is completely irrelevant... if you own a medical practice with
patient data floating around your network and you only have 10 computers,
with 4 of them offering some type of internet service through the
firewall, etc. etc... then I would say yes...IDS is important... if you own
jokenetwork.com and you have 50,000 machines trading jokes all day, are you
worried about somebody stealing your jokes? Probably not...

If you do decide to implement some type of IDS, look at http://www.lids.org/

Remember, signature based IDS are signature based IDS regardless of company
and price; as long as you have a constant way to update signatures, you
should be fine.  To supplement your signature based design, though, check out
www.lancope.com ...They have an AWESOME supplement to signature based
systems.  Even though their box will trigger on some signature based
attacks, it is not meant to trigger on them as soon as they happen. This
is why I say it is a supplement and not a complete kit.

Of course...a good security policy would help you decide on what you need!
:)

http://www.sans.org/newlook/resources/policies/policies.htm#template

-Patrick

ps. if you run tons of data through your internet connection (45mb plus) or
your ids is from backbone to backbone, I would stay away from LIDS unless
you have a BADA$$ machine to run it on...  :)

 Arni V. Skarphedinsson  02/21/02 09:32AM 
I am administrating a network of about 500 computers, 30 servers, and
something like 70 WAN locations.

I have been thinking about the Cisco IDS system. Does anyone have any good
reasons to use one? Have you used it, and has it detected much intrusion?

I really need something to sell the idea to the management.

RE: What after CCNA?? [7:36215]

2002-02-22 Thread Logan, Harold

The CCDA is only one more exam and gets you another certification. I'm
sure it's possible to pass the CCNP without access to lab equipment, but
you'd be doing yourself a huge disservice by attempting it. If you want
to go after the CCNP exams, consider looking for a CCNP Network Academy
site in your area. You'll almost always end up paying less than you
would for a CCNP bootcamp, and since most CCNP academies are community
colleges, you may be able to swing financial aid as well. There's an
academy locator at http://cisco.netacad.net.

Good luck,
Hal

-Original Message-
From: Gandre Amit [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 10:47 AM
To: [EMAIL PROTECTED]
Subject: What after CCNA?? [7:36215]


Hi
  I got through my CCNA yesterday and I am looking forward to taking
other certifications.

  I had the CCDA and CCNP in mind. I am not sure though which one to
take. Also, if there is a Cisco certification that deals with Security, I
would like to do that.

  Another factor is that I do not have the money to pay for any courses
and so this is going to be self study. Would anyone recommend doing
CCNP or any higher security certification without a course or access to
a lab?

   BTW has anyone taken the SSCP and if so what books did you use?
Please advise.
Amit




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36226t=36215



RE: CISCO INTERNSHIP.....CCIE..... [7:36091]

2002-02-22 Thread Cisco Nuts

That's cool of you to give that tip, Larry.  How about giving such tips for 
all members of this group for different areas of the country??


From: Larry Letterman 
Reply-To: Larry Letterman 
To: [EMAIL PROTECTED]
Subject: RE: CISCO INTERNSHIP.CCIE. [7:36091]
Date: Fri, 22 Feb 2002 02:19:58 -0500

There are some positions at Bank One in Illinois and Ohio,
if you're interested.

Larry Letterman
Cisco Systems
[EMAIL PROTECTED]





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Marc Maxwell
Sent: Thursday, February 21, 2002 9:45 PM
To: [EMAIL PROTECTED]
Subject: Re: CISCO INTERNSHIP.CCIE. [7:36091]


One would hope that would be factored in.  The high cost of living here
still doesn't automatically raise salaries, I am afraid.  The bootcamps
eventually lower everyone's salary since they are churning out armies of
'qualified' people that look somewhat the same on paper to many
recruiters.

At the moment there seem to be NO jobs for networking in the SF Bay area.
I have 5+ years experience, consulting exp, network design, security, etc.
I am currently teaching a Cisco class as well.  Although I have made a lot
more when the economy was better, I would LOVE to interview for a 50k job
at the moment!

Desperately yours,

Marc Maxwell
CCNA/MCSE/A+



 From: Steven A. Ridder
 Reply-To: Steven A. Ridder
 To: [EMAIL PROTECTED]
 Subject: Re: CISCO INTERNSHIP.CCIE. [7:36091]
 Date: Thu, 21 Feb 2002 18:37:34 -0500
 
 In MA we have a high cost of living, so maybe that explains it.
 Larry Letterman  wrote in message
 news:[EMAIL PROTECTED]...
   I would have to assume that your ccna candidates
   are paid well then..Most places in the midwest
   pay ccnp people about 60K or so...as far as training
   I have not been seeing many people in the last few
   classes I have attended.
  
   Larry Letterman
   Cisco Systems
   [EMAIL PROTECTED]
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
   Steven A. Ridder
   Sent: Thursday, February 21, 2002 1:35 PM
   To: [EMAIL PROTECTED]
   Subject: Re: CISCO INTERNSHIP.CCIE. [7:36091]
  
  
   Well in the good old days of the economy, I made more than that even
   before becoming a CCNA.  I would never settle for 50k, even in this
   econ., especially as a CCIE.  Plus, a CCIE IMO should already have
   exp., and lots of it.  Otherwise it defeats the purpose of becoming a
   CCIE - cisco certified internet EXPERT!
  
   --
   RFC 1149 Compliant.
  
   Sean Knox  wrote in message
   news:[EMAIL PROTECTED]...
A CCNA with little or no experience? Hardly. He's lucky to even land a job
right now. I think this intern program is aimed at people new to the field.
   
-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 12:50 PM
To: [EMAIL PROTECTED]
Subject: Re: CISCO INTERNSHIP.CCIE. [7:36091]
   
   
A CCNA makes more than 50k.  And you wouldn't have to pay your company to
work for them and get training.  Most companies pay you and pay for your
training.
   
--
RFC 1149 Compliant.
   
Sean Knox  wrote in message
news:[EMAIL PROTECTED]...
 I've taken some classes at ICTP. From what I gather, their CCIE intern
 program works like this: you sign up for their CCIE program (which is not
 cheap I should add) and when you pass your CCIE written/lab (I vaguely
 remember that the CCIE written pass is all you need), you can work as a
 subcontractor for ICTP. You make substantially less money than a CCIE is
 worth, (I believe around $50,000, don't quote me on that) but for those
 with little or no experience (i.e., people enrolling in this program), it
 works out really well. Hopefully Mr. Lee could explain the program more in
 detail.

 - Sean

 -Original Message-
 From: Brian [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 21, 2002 11:34 AM
 To: [EMAIL PROTECTED]
 Subject: Re: CISCO INTERNSHIP.CCIE. [7:36091]


 Perhaps it's a new look on recruiting, they train u, get a slice of the
 dough for awhile??  Just speculating of course..

 Brian

 On Thu, 21 Feb 2002, Cisco Nuts wrote:

  And upon finishing the program, how many years of slavery will we
  unfortunate ones be indebted to your gracious company? :-)
  Can you clarify this??
 
 
  From: Jason Lee
  Reply-To: Jason Lee
  To: [EMAIL PROTECTED]
  Subject: CISCO INTERNSHIP.CCIE. [7:36091]
  Date: Thu, 21 Feb 2002 13:40:20 -0500
  
  Hi all,
  
  My name is Jason Lee. I currently work for ICTP, located in Anaheim,
  California. We are currently looking for a few candidates to go through our
  very intense
  

Re: What after CCNA?? [7:36215]

2002-02-22 Thread Clayton Dukes

You can do all but the CCIE just by reading and having a good networking
background, however, if you've never touched a Cisco router it will be much
more difficult.
A good source of free study guides/cheat sheets (or whatever you wanna call
them) can be obtained from http://www.gdd.net

HTH!


Clayton Dukes
CCNA, CCDA, CCDP, CCNP, NCC
(h) 904-292-1881
(c) 904-477-7825
#rm -rf /bin/laden
#kill -9 /bin/laden


- Original Message -
From: Gandre Amit 
To: 
Sent: Friday, February 22, 2002 10:46 AM
Subject: What after CCNA?? [7:36215]


 Hi
   I got through my CCNA yesterday and I am looking forward to taking other
 certifications.

   I had the CCDA and CCNP in mind. I am not sure though which one to take.
 Also, if there is a Cisco certification that deals with Security, I would
 like to do that.

   Another factor is that I do not have the money to pay for any courses,
 and so this is going to be self study. Would anyone recommend doing CCNP or
 any higher security certification without a course or access to a lab?

 BTW has anyone taken the SSCP and if so what books did u use..
 Please advise.
 Amit




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36222t=36215



RE: CCIE Question [7:36243]

2002-02-22 Thread Brian Zeitz

Oh I am not a recruiter, I just read something on the net. Can I put
CCNP(q) when/if I pass my routing exam. Ha ha, just kidding! I know
there are a few kinds of CCIE, Security, and SR. Though maybe the (Q)
was for QOS. Nevermind :)


-Original Message-
From: Brad Ellis [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 22, 2002 1:57 PM
To: Brian Zeitz
Subject: Re: CCIE Question [7:36243]

it means they only passed the qualification exam. they should not be putting
CCIE on their resume at all.  toss it!  :)

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
used Cisco gear:  www.optsys.net
22 1-Day Lab Scenarios Now Shipping:
http://www.ccbootcamp.com/quicklinks.html
Voice: 248-299-7789
FAX: 509-271-9288

- Original Message -
From: Brian Zeitz 
Newsgroups: groupstudy.cisco
Sent: Friday, February 22, 2002 1:54 PM
Subject: CCIE Question [7:36243]


 I saw a resume with CCIE (Q) after their name, what does the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36245t=36243



RE: passed ccie-security written exam!! [7:36268]

2002-02-22 Thread Thom Castognalia

Great job man.  I'm taking the RS written in a couple weeks.  I hope I can
do just as well and post a message like that.  I'm really getting nervous
about my test.  (I'm paying for it out of my own pocket)

TC


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36291t=36268



Anybody read this book? [7:36292]

2002-02-22 Thread Shahid Muhammad Shafi

Hi All,

Has anybody had a look at the new book from Doyle? Is it
a good enough resource for JNCIS, or does it need some
supplement?

http://www.amazon.com/exec/obidos/ASIN/0072194812/junipernetwor-20/103-2737968-0643821


Thanks,

Shahid

=
Shahid Muhammad Shafi

Every man dies; not every man really lives

Please help feed hungry people worldwide http://www.hungersite.com/
A small thing each of us can do to help others less fortunate than ourselves





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36292t=36292



Q on FR spoke configuration. [7:36293]

2002-02-22 Thread Rajesh Kumar

Hi all,

Can somebody clarify the following for me:

1.  In a Hub-Spoke configuration of FR network, what is the appropriate
configuration on the spoke side when it is a

(a)   Physical Interface: FR map statements / Interface-dlci

(b)   Point-Point interface: I am pretty sure it is Interface-dlci config.

(c)   Multipoint interface: FR map / Interface-dlci
(I know it doesn't mean much by making a spoke to be a multipoint
interface, but let's keep it for argument's sake..)


Thanks,
Rajesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36293t=36293



Re: NAT Detection Utility [7:36248]

2002-02-22 Thread Chuck

you might be surprised...

I'm currently involved with a couple of universities, in the sales process.
Of the three campuses with which I have been engaged, all are using public
IP space on their inside network, and from here in my study, using my
personal IP connection, I can ping just about every IP address I try on
their inside networks, supposedly behind firewalls...

It would appear, then, that these colleges have just such a policy -
forbidding NAT. ;-

I kid you not. I was speaking with one of my associates the other day about
one of these campuses, and he told me he was able to set up an OSPF
adjacency with one of the routers on the inside network.

Amazing!!

Chuck



Patrick Ramsey  wrote in message
news:[EMAIL PROTECTED]...
 dynamic nat a security breach?  I was under the impression that dynamic was
 a security practice? and if you are speaking of static nat, well
 darn...that's you guys...

 -Patrick

  Kwame  02/22/02 02:04PM 
 Anyone know of a tool for detecting NAT activity on the network. I work in a
 large university and we've instituted a policy against nat especially in the
 dorms due to some very serious security breaches. Is there anything out
 there that can remotely detect a nat operation? Thanks.

 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36294t=36248



Please help me answer this question [7:36295]

2002-02-22 Thread Love Cisco

1. Which of the following customers can probably meet their security
requirements with a simple firewall system?
A. Company ABC wants to make sure customers can see public marketing data
but not proprietary sales figures.
B. University ABC want to make sure students can see but not change their
grades in administrative database.
C. Company XYZ wants to make sure employees do not download software from
unauthorized site.
D. University XYZ wants to make sure that public central software developed
at the university stops working after a period of time if the user does not
pay shareware fees.
=
I think C is right. But some people think A.

What do you think? Why?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36295t=36295



Re: Please help me answer this question [7:36295]

2002-02-22 Thread Chuck

I think you're a bad boy, and you know exactly what I mean.

Chuck


Love Cisco  wrote in message
news:[EMAIL PROTECTED]...
 1. Which of the following customers can probably meet their security
 requirements with a simple firewall system?
 A. Company ABC wants to make sure customers can see public marketing data
 but not proprietary sales figures.
 B. University ABC want to make sure students can see but not change their
 grades in administrative database.
 C. Company XYZ wants to make sure employees do not download software from
 unauthorized site.
 D. University XYZ wants to make sure that public central software developed
 at the university stops working after a period of time if the user does not
 pay shareware fees.
 =
 I think C is right. But some people think A.

 What do you think? Why?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36296t=36295



Re: Re: Please help me answer this question [7:36295]

2002-02-22 Thread John Neiberger

Chuck,

I was thinking exactly the same thing!

John





 On Fri, 22 Feb 2002, Chuck ([EMAIL PROTECTED]) wrote:

 I think you're a bad boy, and you know exactly what I mean.
 
 Chuck
 
 
 Love Cisco  wrote in message
 news:[EMAIL PROTECTED]...
  1. Which of the following customers can probably meet their security
  requirements with a simple firewall system?
  A. Company ABC wants to make sure customers can see public marketing data
  but not proprietary sales figures.
  B. University ABC want to make sure students can see but not change their
  grades in administrative database.
  C. Company XYZ wants to make sure employees do not download software from
  unauthorized site.
  D. University XYZ wants to make sure that public central software developed
  at the university stops working after a period of time if the user does not
  pay shareware fees.
  =
  I think C is right. But some people think A.
 
  What do you think? Why?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36297t=36295



Re: CISCO INTERNSHIP.....CCIE..... [7:36091]

2002-02-22 Thread MadMan

The idiots never stop. Why waste your time and effort
on a wanker special like Mr. Lee advertises. For that kind of money
you can buy your own lab and pay for the lab exam several times and
even have money left over for headhunters or even moving expenses.
May ICTP truly go fast into bankruptcy!
On 21 Feb 2002 13:40:22 -0500, [EMAIL PROTECTED] (Jason Lee) wrote:

Hi all,

My name is Jason Lee. I currently work for ICTP, located in Anaheim, California.
We are currently looking for a few candidates to go through our very intense
cisco training, also to note that upon finishing the program CEA (cisco
expert academy) you can be eligible for an internship... we have information
session going on every other friday, so if this sounds interesting to you,
or if you need a lab to study for the ccie or ccnp please give me a call.

Jason Lee
IT specialist
714-783-1083
www.ICTP.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36298t=36091



Re: Wireless MAN coverage [7:36223]

2002-02-22 Thread Jason

Is this legal? I would think that you could run into legal issues as 2.4Gig
is also used by lots of other devices and there is a potential problem with
increasing the power to deal with such a requirement.

Sites, Bob  wrote in message
news:[EMAIL PROTECTED]...
 Has anyone setup or can you point me to a wireless solution for an entire
 metro area? I have a hospital that we would like to link 10+ offices within
 a 15 mile radius.  I've had good success with the Aironet 340 series, but at
 this point we need something more geared towards a wide coverage area,
 rather than point to point. Any ideas would be appreciated.

 Bob Sites
 System Engineer
 Valley Health System (IS)
 [EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36299t=36223


