FR SVCs [7:40893]

2002-04-09 Thread William Pearch

Has anyone worked with FR SVC's on 7200s and 1700's?  Any known issues?
Love it?  Hate it?  Wish it came in yellow?

A coworker has opened a case with the TAC regarding configuring multiple
FR SVCs on a single physical interface.  I was wondering if anyone else
has run into the same or similar issues.

Thanks,
Bill in AK





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40893t=40893
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Bridge Problem [7:40894]

2002-04-09 Thread Reza

Hi Group
I have a Cisco 3660 Router with an NM-4T and an NM-8AS module. 128 MB
memory and 16Mb Flash mem.
I have 2 DSL modems on the 8-AS module running in bridge mode (irb)
I am using Cisco IOS Version 12.0(7)XK2
I want to upgrade my IOS. I tried to install 12.2(3) IOS; installation
succeeded and everything seems normal, but bridged customers on the 8AS module
couldn't work. I could ping them but they could not.
my IOS file is : c3660-is-mz.120-7.XK2.bin
and I installed : c3660-is-mz.122-1.T.bin

I tried to install other IOS, like 12.2.3, 12.2.5 and others, but the
problem was not solved.

Is there any function in my old IOS that isn't supported in new IOSs?

plz help me

Reza




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40894t=40894



Re: Please confirm (conf#c217b7a4fcf9a99614a38be8d3f86545) [7:40895]

2002-04-09 Thread Imran Moin

--- [EMAIL PROTECTED] wrote:
 Hi,
 
 You have tried to post to GroupStudy.com's
 Professional mailing list. Because
 the server does not recognize you as a confirmed
 poster, you will be required
 to authenticate that you are using a valid e-mail
 address and are not a
 spammer. By confirming this e-mail you certify that
 you are not sending
 Unsolicited Bulk Email (UBE).  
 
 PLEASE DO NOT SEND YOUR ORIGINAL MESSAGE AGAIN!  BY
 CONFIRMING THIS EMAIL
 YOUR ORIGINAL MESSAGE (WHICH IS NOW QUEUED IN THE
 SERVER) WILL BE POSTED.
 
 
 By confirming this e-mail you also certify the
 following:
 
 1. The message does NOT break Cisco's Non-Disclosure
 requirements.
 
 2. The message is NOT designed to advertise a
 commercial product.
 
 3. You understand all postings become property of
 GroupStudy.com
 
 4. You have searched the archives prior to posting.
 
 5. The message is NOT inflammatory.
 
 6. The message is NOT a test message.
 
 To confirm, simply reply to this message.  No
 editing is necessary.  Once
 confirmed, you will be able to post without
 additional confirmations.
 
 
 Welcome to GroupStudy.com!
 
 
 --ORIGINAL MESSAGE-
 
 From [EMAIL PROTECTED]  Wed Mar 27 09:04:47 2002
 Received: from web14704.mail.yahoo.com
 (web14704.mail.yahoo.com [216.136.224.121])
   by groupstudy.com (8.9.3/8.9.3) with SMTP id
 BAA23076
   GroupStudy Mailer; Wed, 27 Mar 2002 01:17:16 -0500
 Message-ID:
 
 Received: from [12.253.88.51] by
 web14704.mail.yahoo.com via HTTP; Tue, 26 Mar 2002
 22:18:28 PST
 Date: Tue, 26 Mar 2002 22:18:28 -0800 (PST)
 From: Imran Moin 
 Subject: Taking BCRAN this monday !!!
 To: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 
 Hi gang,
 
 I am planning to take my BCRAN exam this monday. I
 have already passed my BCMSN and BSCN exams from the
 CCNP track. 
 
 I need some advice on BCRAN, and especially from
 someone who took the exam recently. Also, if anyone
 has any material to share, then i would greatly
 appreciate it.
 
 I am planning to nail down CIT after this and then
 CCIE written by the june hopefully. 
 
 Thanks in advance,
 
 Imran Moin
 Network Engineer
 University of colorado
 CCNA, MCP, CCNP/2
 
 
 =
 Imran Moin
 Network Engineering and Operations
 University of Colorado, Boulder
 CCNA, CCNP (switching)
 
 


=
Imran Moin
Network Engineering and Operations
University of Colorado, Boulder
CCNA, CCNP (switching)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40895t=40895



Re: Please confirm (conf#25ae7d8cbbdcbab1847847d75c268b9a) [7:40896]

2002-04-09 Thread Imran Moin

--- [EMAIL PROTECTED] wrote:
 Hi,
 
 You have tried to post to GroupStudy.com's
 Professional mailing list. Because
 the server does not recognize you as a confirmed
 poster, you will be required
 to authenticate that you are using a valid e-mail
 address and are not a
 spammer. By confirming this e-mail you certify that
 you are not sending
 Unsolicited Bulk Email (UBE).  
 
 PLEASE DO NOT SEND YOUR ORIGINAL MESSAGE AGAIN!  BY
 CONFIRMING THIS EMAIL
 YOUR ORIGINAL MESSAGE (WHICH IS NOW QUEUED IN THE
 SERVER) WILL BE POSTED.
 
 
 By confirming this e-mail you also certify the
 following:
 
 1. The message does NOT break Cisco's Non-Disclosure
 requirements.
 
 2. The message is NOT designed to advertise a
 commercial product.
 
 3. You understand all postings become property of
 GroupStudy.com
 
 4. You have searched the archives prior to posting.
 
 5. The message is NOT inflammatory.
 
 6. The message is NOT a test message.
 
 To confirm, simply reply to this message.  No
 editing is necessary.  Once
 confirmed, you will be able to post without
 additional confirmations.
 
 
 Welcome to GroupStudy.com!
 
 
 --ORIGINAL MESSAGE-
 
 From [EMAIL PROTECTED]  Fri Mar 29 07:42:37 2002
 Received: from web14703.mail.yahoo.com
 (web14703.mail.yahoo.com [216.136.224.120])
   by groupstudy.com (8.9.3/8.9.3) with SMTP id
 HAA04698
   GroupStudy Mailer; Fri, 29 Mar 2002 07:42:36 -0500
 Message-ID:
 
 Received: from [12.253.88.106] by
 web14703.mail.yahoo.com via HTTP; Fri, 29 Mar 2002
 04:43:52 PST
 Date: Fri, 29 Mar 2002 04:43:52 -0800 (PST)
 From: Imran Moin 
 Subject: Taking BCRAN this tueday 
 To: [EMAIL PROTECTED]
 MIME-Version: 1.0
 Content-Type: text/plain; charset=us-ascii
 
 Hi gang,
 
 I am taking my BCRAN exam this tuesday. I have
 already
 nailed down the CCNP Ruting and switching exams. I
 need some advice from you all about this exam. Has
 anyone taken it recently? What kind of questions are
 they asking?
 
 Has anyone got any materials to share with me? I
 would
 really appreciate if someone can share soft copy of
 some exam material with me.
 
 Thanks a bunch
 Imran Moin
 CCNA, CCNP/2
 
 =
 Imran Moin
 Network Engineering and Operations
 University of Colorado, Boulder
 CCNA, CCNP (switching)
 
 


=
Imran Moin
Network Engineering and Operations
University of Colorado, Boulder
CCNA, CCNP (switching)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40896t=40896



connection to VPN server concentrator 3005 only 9.6kbps [7:40897]

2002-04-09 Thread suaveguru

hi all,

I seem to be able to connect to a Cisco VPN server
3005 only at 9.6kbps using a Win98 VPN PPTP connection, while
my PSTN connection to the internet is 56kbps. However,
connection to a Microsoft VPN server does not have a
problem. Does anyone know why that is so?

any forms of inputs will be greatly appreciated

regards,
suaveguru





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40897t=40897



RE: Puzzles - WAS RE: My interview story [7:40553]

2002-04-09 Thread [EMAIL PROTECTED]

Well, if you want to get that nit-picky, it's not even an accurate 
technicality.  What if the rope is attached by drilling a hole through the 
poles, for example - any method so that the rope is not wrapped around the 
pole?  Then you can put the poles side by side without the rope getting in 
the way.

JMcL 
- Forwarded by Jenny Mcleod/NSO/CSDA on 09/04/2002 05:05 pm -


Dusty Harper 
Sent by: [EMAIL PROTECTED]
09/04/2002 05:08 am
Please respond to Dusty Harper

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: Puzzles - WAS RE: My interview story [7:40553]


Actually 0' is physically impossible due to the width of the rope
needing to be taken into account, but that's just a technicality.

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 05, 2002 9:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzles - WAS RE: My interview story [7:40553]

Part A:  I heard this one where the friend also has a key that will open

his lock, but not yours.  Also, the condition is that no destructive 
techniques are allowed, so breaking or cutting wasn't a possible
solution.

Part B:
He never states that the rope is attached to the top of the pole, just
that 
it's attached to the pole.  So, the answer is that the poles are
somewhere 
between 0 and 32 feet apart.

Craig

At 11:33 PM 4/5/2002 -0500, you wrote:
I'll bite.
a) Boxes and diamond. Gordian Knot technique. Lock the diamond in your
box
and send it to your friend. He breaks the lock or cuts open the box.
b) Poles and rope. The poles are touching.

  -Original Message-
  From: Dusty Harper [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 05, 2002 4:55 PM
  To: [EMAIL PROTECTED]
  Subject: RE: My interview story [7:40553]

  The goal is to determine how you think.  Most real world solutions
to
  problems can be applied to technological hurdles, or problems.
 
  As an example:
 
  Prep:
You have an empty box, a lock, a key for your lock, and a
  diamond.
Your friend has an empty box, and a lock for his box.
 
  Goal:
You want to get the diamond to your friend via courier.
However
  the   courier will steal anything that is not locked.  How do you do
  this?
 
 
  Another example:
 
If you have 2 20' poles, a 32' rope strung between them, and
the
  lowest point of the rope is 4' off of the ground, how far apart are
  the poles?
 
  It gauges how one thinks and handles situations.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40898t=40553



CCNP CLASS KIT FOR SALE [7:40899]

2002-04-09 Thread dawn davis

Just reposting it again.  Brand new class training materials for the 3 OF 4 
exams for CCNP.  These are brand new materials and each comes with two 
volumes of materials.  These training materials that you get when you enroll 
in a training class are meant for easy understanding and MEANT for you to 
study and pass the exams.  Books are meant for reference mostly.

BCRAN - REMOTE ACCESS =$80.00
CIT -TROUBLESHOOTING = $80.00
BCMSN - SWITCHING = $80.00

Email me privately if you are interested.  Thanks





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40899t=40899



Cisco ATA 186 (One Way or Two Way) [7:40900]

2002-04-09 Thread Hasan Abbas

Dear All,

I have configured Cisco ATA 186 with one of its UID0 set to 300 and other
301 .

Using a VOIP Module having 2 FXS Ports connected on 3600 Route using as an
IOS Gateway. With One FXS Setting to destination pattern 1 and Other
destination pattern set to 2 . The ATA able to put call towards FXS port 1
and FXS port 2 .But When I tried to dial from FXS port to ATA Adapter ports
300 or 301 it gives busy tone and it never gives me connecting tone.

Are Cisco ATA one way device able to dial using Voice Gateway or Calls can
be accepted to its phone like regular phones.

My ATA Configuration is as under:

UID0: 300  UID1: 301

Gateway : 192.168.0.223 (IP of 3660 Gateway Router)

NO GateKeeper or SIP (value =0)

AuthMethod: (0x00040004)

DialPlan (Default)

Cisco 3660 Configuration:

dial-peer voice 1 pots

destination-pattern 1

port 4/1/0

dial-peer voice 2 pots

destination-pattern 2

port 4/1/1

 

dial-peer voice 3000 voip

destination-pattern 300.

session target ipv4:192.168.0.242(IP of ATA)

Thanks in Advance

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40900t=40900



Re: iBGP full mesh ? [7:40741]

2002-04-09 Thread Peter van Oene

I don't disagree with most of your points, but really think synch should be 
disabled in all cases at all times along with auto summary.  It should be 
disabled by default and indeed shouldn't even be included as a configurable 
option.

At 11:28 AM 4/8/2002 -0400, you wrote:
It's not default for the same reason why unicast rpf (antispoofing) is
not default in ISO; because people are stupid, and under poor design, it
could produce very undesirable and hard to troubleshoot results.  In
other words, if you don't know why you are disabling synchronization,
don't do it.

Take the following scenario:  A multihop iBGP link between routers (A)
and (B) in which a non-bgp IGP router (C) is routing packets between
them.  Both BGP links are advertising full tables to each other, and,
under your suggested default config, would attempt to forward packets to
destinations that router C has no clue about.  Then what does router C
do with these destinations?

The answer, of course, is to set up a iBGP full mesh, and then to
disable synchronization , and if you are smart, design your network so
that your IGP learns only about downstream routes and set a default
route up to the core of your network.

Anyway, the point being, sync is enabled by default because you really
should know what you are doing before you disable it.

On Mon, 2002-04-08 at 10:44, MADMAN wrote:
  I can think one one good reason why you would disable sync, you can't
  redistribute 100K routes into ANY IGP.  Why are you so concerned about
  disabling sync??  It should be default.
 
Dave
 
  Jay wrote:
  
   BGP Rules of thumb:
  
   BGP advertised prefix must also exist in local IGP table.
   iBGP learned prefix must also exist in local IGP table
 -or use #no sync on iBGP learning router, but if you do, you'd sure
as
   hell better know why you disabled it.
  
   On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
Hi Group,
   
Hope someone can help out with this as I don't have
access to my kit at the moment.

I tried to set up my first BGP lab last week.
I configured a full iBGP mesh, three routers connected
in a triangle via serial lines.

I set up "neighbour" statements on each router (Hope
Radia can forgive the extra vowel !!!) and advertised
the networks.

I got the BGP table working but nothing was promoted
to the main routing table, and therefore couldn't ping
non directly connected interfaces. I tried various
approaches like putting a default route in and running
an IGP but still no promotion to the main table.

Should this be possible with iBGP ? or is it a matter
of loop avoidance i.e the AS Numbers won't be
prepended for the case of iBGP peers.
   
Phil.
   
  --
  David Madland
  Sr. Network Engineer
  CCIE# 2016
  Qwest Communications Int. Inc.
  [EMAIL PROTECTED]
  612-664-3367
 
  Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40902t=40741



Re: netbios over internet [7:40784]

2002-04-09 Thread [EMAIL PROTECTED] (John Nemeth)

On Aug 29,  7:34am, Priscilla Oppenheimer wrote:
}
} NetBEUI is non-routable. NetBIOS is routable. NetBIOS over TCP/IP should 
} supposedly work over the Internet. For example, can't you do file sharing 
} over the Internet? That uses NetBIOS and SMB of CIFS.

 If you want to be pedantic (and, on this list we should be),
discussing the routability of NetBIOS is non-sensical.  NetBIOS is a
session layer protocol.  It would be like discussing the routability of
TCP or UDP.  By themselves, these protocols only have port numbers,
they don't have node addresses.  As someone else has mentioned, you
really need to look at the underlying protocol.  NetBIOS over TCP/IP
(aka NBT) is, of course, completely routable, since TCP/IP is a
routable protocol.  NetBIOS over NetBEUI isn't routable as NetBEUI is a
datalink layer protocol (i.e. it has hosts addresses and doesn't have
any way of doing network addressing, so its addresses are for the local
segment only, ala Ethernet MAC addresses) and must be bridged.

}-- End of excerpt from Priscilla Oppenheimer




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40901t=40784



RE: ISDN and VPN (IPSEC 3DES) [7:40807]

2002-04-09 Thread Jay Dunn

Are the ISDN routers NATing? I don't believe you can terminate a NATed
IPSec VPN connection at a PIX. Cisco VPN concentrators support this, but
the PIX doesn't. 

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Monday, April 08, 2002 8:38 AM
To: [EMAIL PROTECTED]
Subject: ISDN and VPN (IPSEC 3DES) [7:40807]

Guys
Are any of you familiar with issues between ISDN and Cisco VPN Client (IPSEC
3DES)? All of my ISDN users are unable to VPN using Cisco VPN Client, and we
have a PIX 515.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40903t=40807



Help with extended access lists [7:40904]

2002-04-09 Thread r Paul

Hello wondered if anyone can explain.

I have extended access lists working fine.

I have a few blocks of IP addresses I want to add to the list and they are not all
consecutive. What I want to do is use the minimum entry to cover each block.
i.e

Say I had several like this 192.168.1.10 to 15 etc etc

I want to make a single entry for every consecutive block. I do not own the
whole range or subnet. Can I do something like this.

access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In above
example was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to
15)...have I understood this right?. do not want to match whole subnet with
0.0.0.255 but that is the only other examples I have seen.

Many thanks

Paul


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40904t=40904



Re: Help with extended access lists [7:40904]

2002-04-09 Thread [EMAIL PROTECTED]

Hi,

The one which you mentioned is not the right one.

A simple technique to get the inverse mask is as follows:

1. From your example, let's say you want to aggregate 192.168.1.10 to
192.168.1.15. First of all, aggregate these addresses and find the summarized
mask.
The summarized mask in this case is 192.168.8/29 (i.e. 255.255.255.248)

2. To get the inverse mask, subtract 255.255.255.248 from 255.255.255.255,
which comes out to 0.0.0.7

3. The result is 192.168.1.8 0.0.0.7


Kind Regards /Thangavel
--
CCIE (qual),CCS,CCDP,CCNP,MCSE

186K
Reading,Brkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
The greatest glory in living lies not in never falling,
 but in rising every time we fall .
 -- Nelson Mandela




   
   




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40905t=40904



Sample Configuration for Basic-5ess ISDN Switch environment [7:40906]

2002-04-09 Thread William

Hi

Does anyone have a sample config for the above environment?


Thanks in advance.


Best regards,


William




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40906t=40906



Re: Help with extended access lists [7:40904]

2002-04-09 Thread Richard Botham

Thangavel 
What a great method - Thank you


Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40907t=40904



RE: 6509 trunk to 3524? Any suggestions [7:40908]

2002-04-09 Thread David C Prall

MX Extender? How far apart are the devices. A ZX GBIC will go 70km over
single mode fiber, and 100km over dispersion shifted fiber. If you are using
an extender and over driving the receive you could be killing the GBIC's. I
had a customer use ZX GBIC's over a 15km link and had to add attenuators on
the transmit side in order to not over drive the receive.

You'll need to set the interface to nonegotiate dot1q, instead of on. Per
the cisco instructions.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Ouellette, Tim
 Sent: Tuesday, April 09, 2002 12:30 AM
 To: 'David Siwula'
 Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
 Subject: RE: 6509 trunk to 3524? Any suggestions


 Thanks for the quick response guys.

 Found a faulty mx extender between the 6509 and the 3524.

 Does the 3524 support pagp? I did receive a message from David mentioning
 something about having the 6509 being set to negotiate the dot1q.
 I'll have
 to look into this a little more.

 Anyone one else a lot of problems with these extenders as well as
 about 3-5%
 of all gbic's we put into production fail.

 Again, thanks for the help!

 Tim



 -Original Message-
 From: Ouellette, Tim [mailto:[EMAIL PROTECTED]]
 Sent: Monday, April 08, 2002 7:55 PM
 To: '[EMAIL PROTECTED]'
 Cc: '[EMAIL PROTECTED]'
 Subject: 6509 trunk to 3524? Any suggestions

 Team,

 can anyone help out. I am seeing the following messages on one of our
 6509's.   Port 7/2 is connected via fiber to a 3524 closet switch.  We've
 tried replacing the gbic's on both the 6509 and 3524.  The port
 keeps going
 from connected state to non-connect stat and the trunk port messages
 underneath is what we see.  Can anyone offer any suggestions?



 distribution 6509 port 7/2 -fiber- cisco3524



 2002 Apr 08 22:26:26 %DTP-5-TRUNKPORTON:Port 7/2 has become dot1q trunk
 2002 Apr 08 22:26:52 %DTP-5-NONTRUNKPORTON:Port 7/2 has become non-trunk
 2002 Apr 08 22:30:19 %DTP-5-TRUNKPORTON:Port 7/2 has become dot1q trunk
 2002 Apr 08 22:30:23 %DTP-5-NONTRUNKPORTON:Port 7/2 has become non-trunk
 2002 Apr 08 22:30:28 %DTP-5-TRUNKPORTON:Port 7/2 has become dot1q trunk

 distribution6509 (enable) sh port 7/2
 Port  Name   Status Vlan   Duplex Speed Type
 - -- -- -- -- - 
  7/2  Tk1382014101-0/1   notconnect 1full  1000 1000BaseSX


 Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex
 -  - -    ---
  7/2  disabled  shutdown 001  enabled  95

 Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr
 Shutdown/Time-Left
 -  -  -
 --
  7/2 0 -- --
 -




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40908t=40908



Question on upgrading Memory Software on a AS5300 [7:40909]

2002-04-09 Thread Simon Watson

Hi Guys I hope you can help me. A client has a AS5300 with old Modem
cards in it, who are going to upgrade to the new CC2 Modem module.To
upgrade to the new module the Boot Rom, System Flash,DRAM SIMMS,IOS 
Modem Software will need to be upgraded. The client is asking me in what
order shall I start the upgrade?? (i.e put in the new boot Rom first then
the DRAM SIMMS etc) as they want a worst case scenario(i.e if there is a
problem to re-install the original kit) As my AS5300 Knowledge is pretty
rusty, in what order do you think I should proceed with the upgrade ??. What
precautions should I take (presumably copying the config to a tftp server
springs to mind) Many Thanks Simon.CCNP







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40909t=40909



Re: PIX Firewall without NAT [7:40871]

2002-04-09 Thread Daniel Ma

If I have a Mail server inside the Network. Let's say IP is 192.168.0.2. How
should I configure the Static, could I configure it as follows:
static (inside, outside) 192.168.0.2 192.168.0.2 netmask 255.255.255.255
And I configure port Redirect on Cayman router, direct port 25 traffic to
192.168.0.2.

Thanks,

Daniel
yangchun  wrote in message
news:[EMAIL PROTECTED]...
 hello daniel :
 you can do it
 Daniel Ma  wrote in message
 news:[EMAIL PROTECTED]...
  I am trying to configure a PIX firewall behind the Cayman DSL router.
  Because we only have one Public IP address which is used by Cayman
router.
 I
  will use 192.168.1.x and 192.168.0.x for the two segments of PIX. Cayman
  router does NAT job for all users. In this case, could I configure the
PIX
  without NAT, i.e.,
  NAT (inside) 0 0.0.0.0 0.0.0.0
 
  I wonder whether it works, internal users are still able to connect to
  internet.
 
  Thanks,
 
  Daniel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40910t=40871



Cisco Audio Files [7:40911]

2002-04-09 Thread Sam Deckert

Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such
as from sessions at Networkers?

I would like to be able to listen to them in the car

Thanks for any help anyone is able to provide...

Sam.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40911t=40911



RE: Cisco Audio Files [7:40911]

2002-04-09 Thread Kris Keen

I too would also be interested, after attending Networkers in Brisbane, I'd
love the MPLS stuff!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40912t=40911



RE: Help with extended access lists [7:40904]

2002-04-09 Thread Ole Drews Jensen

Paul,

You need to understand the wildcard format for access-lists. The best way to
do this is to convert your ip addresses to binary.

The beginning range address is 192.168.1.10
The ending range address is 192.168.1.15

We can quickly see that the first three octets are the same, so lets
concentrate on the fourth.

Range is:

10  :  0000 1010
11  :  0000 1011
12  :  0000 1100
13  :  0000 1101
14  :  0000 1110
15  :  0000 1111

As you can see, the left five bits stay the same, so you have to tell the
access-list not to care about the right three bits.

In a wildcard mask, the 0's represent that the bit value MUST be as
specified, and the 1's represent that it doesn't care about the bit value.

So we must create a wildcard for the fourth octet that looks like this:

0000 0111 = 7

As for the first three octets, they must all match, so that's easy: 0.0.0

Now you have a wildcard mask that looks like this: 0.0.0.7

Since the left five bits were the same for range 10-15, let's take those five
bits 00001 and fill zeros to the right 000 = 0000 1000 or 8. That's the
value we want to use for the fourth octet in the ip address.

And the access-list would look like this:

access-list 110 permit tcp 192.168.1.8 0.0.0.7 

The only problem with this is that this will also allow .8 and .9, so if
you wish to deny those two addresses, you must do some more math:

.8  =  0000 1000
.9  =  0000 1001

As you can see, the only bit that changes is the right one, so if you do a
wildcard octet of:

0000 0001

You can test for that.

Let's correct our access-list statements:

access-list 110 deny tcp 192.168.1.8 0.0.0.1 ..
access-list 110 permit tcp 192.168.1.8 0.0.0.7 ..

As you can see, it's a little tricky to calculate, but once you have it
down, it can be almost a fun little task to do. The best thing to do in the
beginning is to write the whole address range down in binary and look at
the bits. That way you can see which ones change, and which ones stay the
same. Sometimes you can cut a lot of statements down by looking at the
pattern and creating some good wildcard masks, but that is both good and
bad. It is good because it makes the access-list filter faster, but it's bad
because it can be hard to read the next time you need to reconfigure
something.

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: r Paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 3:12 AM
To: [EMAIL PROTECTED]
Subject: Help with extended access lists [7:40904]


Hello wondered if anyone can explain.

I have extended access lists working fine.

I have a few blocks of ip address I want to add to list and they are not all
consecutive. What I want to do is use the minimum entry to cover each block.
i.e

Say I had several like this 192.168.1.10 to 15 etc etc

I want to make a single entry for every consecutive block. I do not own the
whole range or subnet. Can I do something like this.

access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In above
example was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to
15)...have I understood this right?. do not want to match whole subnet with
0.0.0.255 but that is the only other examples I have seen.

Many thanks

Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40913t=40904
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
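
The wildcard arithmetic worked through in this thread, as an added Python
example that is not part of either post: it applies the match rule bit by
bit, shows what the 192.168.1.10 0.0.0.6 guess would really match, derives
the entries that cover exactly .10 to .15, and evaluates the deny/permit pair
in first-match order. The function names and the 192.168.1.0/24 scan range
are assumptions made for the illustration.

```python
import ipaddress


def _u32(addr):
    """Dotted quad (or IPv4Address) as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(base, wildcard, addr):
    """Wildcard semantics from the thread: 0 bits must equal the base
    address, 1 bits are ignored. The mask does not have to be contiguous."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return ((_u32(addr) ^ _u32(base)) & care) == 0


def matched_hosts(base, wildcard, subnet="192.168.1.0/24"):
    """Every address in `subnet` (assumed scan range) that one
    address/wildcard pair matches."""
    return [str(a) for a in ipaddress.ip_network(subnet)
            if wildcard_matches(base, wildcard, a)]


def exact_entries(first, last):
    """Smallest set of address/wildcard pairs that covers first..last and
    nothing else. Each pair is an aligned power-of-two block, so the
    wildcard is simply the block's host mask."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(b.network_address), str(b.hostmask)) for b in blocks]


def first_match(acl, addr):
    """Walk the entries top down; the first matching entry decides."""
    for action, base, wildcard in acl:
        if wildcard_matches(base, wildcard, addr):
            return action
    return "deny"  # implicit deny at the end of every access list


def permitted_hosts(acl, subnet="192.168.1.0/24"):
    """Addresses in `subnet` that the access list lets through."""
    return [str(a) for a in ipaddress.ip_network(subnet)
            if first_match(acl, a) == "permit"]


# Values taken from the two posts (source address and wildcard only).
PAUL_GUESS = ("192.168.1.10", "0.0.0.6")
OLE_ACL = [
    ("deny", "192.168.1.8", "0.0.0.1"),    # .8 and .9
    ("permit", "192.168.1.8", "0.0.0.7"),  # .8 through .15
]

if __name__ == "__main__":
    # 0.0.0.6 frees bits 1 and 2 only, so it is not "six addresses".
    print("10 / 0.0.0.6 matches:", matched_hosts(*PAUL_GUESS))

    # Two permit entries that cover .10-.15 exactly, no deny needed.
    for address, wildcard in exact_entries("192.168.1.10", "192.168.1.15"):
        print("exact entry:", address, wildcard)

    # The deny must come before the broader permit.
    print("deny then permit:", permitted_hosts(OLE_ACL))
    print("permit then deny:", permitted_hosts(list(reversed(OLE_ACL))))
```

Swapping the two entries lets .8 and .9 through, because the broader permit
matches first and the deny is never reached.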



CCNP Training kit [7:40915]

2002-04-09 Thread Brian Zeitz

Just wanted to say that anyone who bought the CCNP Training kit
Software, ISBN 1587200422, you can return it, and they will give you a
completely new CD VS 2.0. I bought this Training kit, it has so many
wrong answers, and so many bugs I thought I was on candid camera. They
did offer a SP1 update right after the product was released, but that
didn't help much. This is a first time that I have heard of a total
recall of a software product. I really could write like 20 pages about
what was wrong with the kit, it was that bad.  Well, just thought I
would share this, if anyone bought it, because I didn't know. I am on
the Cisco press mailing list, and I registered my product, but they
never bothered to contact me concerning this. This is the very last time
I buy software without asking anyone else if they used it. Well, I guess
I am going to send away for the version 2, to see if it is any better.
It's a little late now, especially since I am half way through my CCNP.
Ciscopress really dropped the ball on this one, especially since most of
the people who bought it didn't know any better about the answers being
mostly wrong, myself included. Ironically I failed routing using the
kit. I passed routing and switching since then, using other material.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40915t=40915



RE: Cisco Audio Files [7:40911]

2002-04-09 Thread [EMAIL PROTECTED]

Is this what you are looking for:
http://recording.safeshopper.com/index.htm?648?

Andy

-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]


Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such
as from sessions at Networkers?

I would like to be able to listen to them in the car

Thanks for any help anyone is able to provide...

Sam.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40917t=40911



RE: Cisco Audio Files [7:40911]

2002-04-09 Thread Brian Zeitz

Sure, go here

http://recording.safeshopper.com/

I am thinking of getting the security ones. I have some of the other
ones. They send them to you on MP3s. Each lesson takes about 2 CDs.

-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]

Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such
as from sessions at Networkers?

I would like to be able to listen to them in the car

Thanks for any help anyone is able to provide...

Sam.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40916t=40911



WAY OT: Cisco Alternative? [7:40918]

2002-04-09 Thread Craig Columbus

I'm a huge Cisco fan.  90% of our customers have Cisco networks and I'm 
definitely most familiar with installing and maintaining Cisco.  However, I 
have a new customer who's fed up with Cisco and wants an alternative.
The customer has a 3640 at the edge terminating a 6Mb/s fractional T3 ATM 
circuit.  They're going to replace this router with another vendor.
Who's the obvious choice for this type of termination (IP only, legacy 
support not important)?  Anyone have good things to say about Extreme or 
Imagestream?  Are there any others that come to mind?
I'm particularly interested in hearing about reliability, ease of use of 
the command line (for example, I always hated Cabletron because it never 
seemed intuitive), and of the company technical support capabilities.
Any feedback is definitely appreciated.

Thanks,
Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40918t=40918



PIX problem [7:40919]

2002-04-09 Thread dk

Hi all

I'm sure there's a simple answer to this but I can't  see what it is ...

I'm trying to ping all the Ethernet interfaces on my PIX (5.2) in order to
manage them from HP openview.

I get a response from the interface I'm connected to but not from the rest

I've used the debug icmp trace command  and can see the echo requests but
there are no replies and nothing gets logged.  I can ping all the interfaces
when from the telnet console and I can ping devices across the PIX  any
ideas ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40919t=40919



RE: Cisco Audio Files [7:40911]

2002-04-09 Thread Wright, Jeremy

Does anyone have the routing and switching bundle from this site? I was
thinking of buying it but I wanted to get the group's opinion first.

-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Audio Files [7:40911]


Sure, go here

http://recording.safeshopper.com/

I am thinking of getting the security ones. I have some of the other
ones. They send them to you on MP3s. Each lesson takes about 2 CDs.

-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]

Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such
as from sessions at Networkers?

I would like to be able to listen to them in the car

Thanks for any help anyone is able to provide...

Sam.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40920t=40911



RE: Cisco Audio Files [7:40911]

2002-04-09 Thread Brian Zeitz

Yea, I have them. They are pretty good. I would describe them as
advanced, and not for the new user. The cost 300$ is kinda high, but you
will not find this much Cisco audio for this price anywhere. It is good
for the car, say if you were going on a long trip. Also, There are
powerpoints that go with each MP3 and they refer to them. So sometimes
it's not that easy in the car. I guess if you looked at the power points
before hand, Or brought them with you. Hard to read while driving though
:)

-Original Message-
From: Wright, Jeremy [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 10:10 AM
To: Brian Zeitz; [EMAIL PROTECTED]
Subject: RE: Cisco Audio Files [7:40911]

Does anyone have the routing and switching bundle from this site? I was
thinking of buying it but I wanted to get the group's opinion first.

-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Audio Files [7:40911]


Sure, go here

http://recording.safeshopper.com/

I am thinking of getting the security ones. I have some of the other
ones. They send them to you on MP3s. Each lesson takes about 2 CDs.

-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]

Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such
as from sessions at Networkers?

I would like to be able to listen to them in the car

Thanks for any help anyone is able to provide...

Sam.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40921t=40911



RE: PIX problem [7:40919]

2002-04-09 Thread Ole Drews Jensen

Have you allowed ping replies to return back to you?

conduit permit icmp any any 0

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: dk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:00 AM
To: [EMAIL PROTECTED]
Subject: PIX problem [7:40919]


Hi all

I'm sure there's a simple answer to this but I can't  see what it is ...

I'm trying to ping all the Ethernet interfaces on my PIX (5.2) in order to
manage them from HP openview.

I get a response from the interface I'm connected to but not from the rest

I've used the debug icmp trace command  and can see the echo requests but
there are no replies and nothing gets logged.  I can ping all the interfaces
when from the telnet console and I can ping devices across the PIX  any
ideas ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40922t=40919



Cisco Dialout Utility!!Urgent! [7:40923]

2002-04-09 Thread Ivan

Hi all,

Does anyone have the Cisco Dialout Utility?
Can anyone give the software to me? I can't download it from
cisco now

Thanks & regards,
Ivan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40923t=40923



RE: WAY OT: Cisco Alternative? [7:40918]

2002-04-09 Thread Brian Zeitz

I heard Netgear makes some good high end stuff.

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 10:00 AM
To: [EMAIL PROTECTED]
Subject: WAY OT: Cisco Alternative? [7:40918]

I'm a huge Cisco fan.  90% of our customers have Cisco networks and I'm
definitely most familiar with installing and maintaining Cisco.  However, I
have a new customer who's fed up with Cisco and wants an alternative.
The customer has a 3640 at the edge terminating a 6Mb/s fractional T3 ATM
circuit.  They're going to replace this router with another vendor.
Who's the obvious choice for this type of termination (IP only, legacy
support not important)?  Anyone have good things to say about Extreme or
Imagestream?  Are there any others that come to mind?
I'm particularly interested in hearing about reliability, ease of use of
the command line (for example, I always hated Cabletron because it never
seemed intuitive), and of the company technical support capabilities.
Any feedback is definitely appreciated.

Thanks,
Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40924t=40918



Re: MS Security Operation Guide for Windows 2000 Server - [Was [7:40926]

2002-04-09 Thread sam sneed

Where is the link???


Bac Nguyen  wrote in message
news:[EMAIL PROTECTED]...
 Hi Charlie,
 FYI, Microsoft just released the Security Operation Guide for Windows 2000
 server. Here is the link to it


 Hope this helps!

 Bac

 -Original Message-
 From: Charlie [mailto:[EMAIL PROTECTED]]
 Sent: Monday, April 08, 2002 2:12 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Hardening Ports? [7:40852]


 Patrick -

 I was referring to TCP/IP ports.  Thanks for your reply.  Sam's message came
 in very handy and answered my question as well.  Thanks again.

 Charlie

 Patrick Ramsey  wrote in message
 news:[EMAIL PROTECTED]...
  do you mean ethernet ports or tcpip ports?

  Ethernet ports are done in the driver autonegotiate/speed/duplex settings

  locking down tcpip ports is entirely different.  TCPwrappers will wrap
  daemons and applications under *nix... not so sure there is an equivalent
  for microsoft or novell. TCPWrappers just handles the negotiation really
  between the client and daemon.

  -Patrick

   Charlie  04/08/02 03:50PM
  Hello, all :-)

  I was hoping one (or many) of you could help me with a question I have: how
  do I lock-down ports on a server?  I know how to lock them down on firewalls
  and routers, but how to do it on a server is my question.  I know it's a
  general question but any assistance would be most appreciated.

  Truly,
  Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40926t=40926



RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Kent Hundley

Robert,

Ok, I'm more confused than before. :-)

You say "I do want any outside host to access the web server" and then you
say "So, I do want everyone to access the web server at ip address
xxx.yyy.115.190", this seems like contradictory statements to me unless you're
saying you want only _internal_ hosts to access the web server, but use its
external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server?
Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server?  It appears that it is on the outside of the
PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web
server by its internal IP address? I don't see why that would be the case.
Using the alias command, the DNS replies would be doctored so that the web
server's IP would appear to internal clients as 172.20.21.241 and they
should just go directly to that address without having to go to the PIX.
(this assumes the DNS is on the external interfaces of the PIX and the web
server's DNS resolves to xxx.yyy.115.190)

If you want an external host to access the web server, you're going to have to
modify your conduit statement(s).

Regards,
Kent

-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Please don't think I'm being argumentative, I'm trying to explain the
configuration I have and what I'm trying to accomplish.  This is coming
from my understanding and concept, which I am starting to think is way off
base.  What really throws me is that this configuration is working at
another site and at this site with my PIX 506 running Ver 5.1, just not
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type
of a configuration first and just assumed it's the norm, when in fact it
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone
does a DNS lookup for the www.domainname it resolves to
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the
domainname has a public address of xxx.yyy.115.190 the actual ip address of
the server is 172.20.21.241.  That's where the static and conduit commands
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because
of the static statement) and sends it to 172.20.21.241 (I would use the
term routes it to 172.20.21.241 but I am afraid it would cause further
confusion ... to me).  So, I do want everyone to access the web server at
ip address xxx.yyy.115.190.  But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts can not see the
servers for which I have a conduit built, ie: web and mail servers.  When
the internal host performs DNS on their own name they are unable to get to
that server.  With the alias they are able to get to the server.  I'm not
sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
Robert,

Your conduit command doesn't look right.  Typically you want to allow any
outside host to access the inside host specified in the conduit.  You can
specify 'any' by using 0.0.0.0 or 0:


conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what you're trying to accomplish with those alias
commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

You're telling the PIX to translate dst address 172.20.21.241 to
xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
back to the same inside address?  Typically the internal hosts would just go
directly to the 172.20.21.241 address without having to go through the PIX
in the first place.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert T. Repko (R Squared Consultants)
Sent: Saturday, April 06, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX question, static, conduit, and alias [7:40722]


I am having a problem getting to the inside Mail/Web servers from the
outside and I can't determine why.

I'm replacing an old Cisco 7000 router with a new 7206 VXR.  I'm also
reconfiguring the way their PIX was setup.  The servers were configured
with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
which made them vulnerable.  I am moving them to an inside address and
building a conduit from the outside to the inside.

In order to leave their old network up and running while I configured the
7206VXR.  I used my PIX 506 (Ver 5.x) for configuration purposes.  I had
everything configured and working.  Then over the Easter holiday I
configured their PIX trying to use the same statements that I had in my PIX
506.  This is where I ran into problems.  Since they 

Re: Hardening Ports? [7:40852]

2002-04-09 Thread Charlie

Dude!!!

Thanks for the info.  TCP/IP Filtering is EXACTLY what I was looking for.
Thanks a whole lot.

Charlie

Chee Kin  wrote in message
news:[EMAIL PROTECTED]...
 You can also try using the IP Filtering feature from Windows NT/2000.  It
 should be under the advanced configuration for TCP/IP.

 cheekin

 - Original Message -
 From: Charlie
 To:
 Sent: Tuesday, April 09, 2002 4:40 AM
 Subject: Re: Hardening Ports? [7:40852]


  Thank you, Sam.  Your instructions were clear and simple to follow.  I was
  referring to a Windows system.  I gave it a try and already identified open
  ports (which I also learned from using WS PingPro).  I will now attempt to
  close/end some services.  Thanks again.

  Charlie

  sam sneed  wrote in message
  news:[EMAIL PROTECTED]...
   Which operating systems?

   On windows the most common way is to disable services from the control
   panel. Do a netstat -an to see which ports are open. Then you can shutdown
   services that have those ports open.

   On UNIX/LINUX you can do the same netstat -an. Most of the services can be
   disabled in inetd.conf or xinetd.conf. Just comment them out and restart
   inetd daemon. Also services are started from startup scripts which are in
   different locations on different versions of UNIX and Linux.

   Charlie  wrote in message
   news:[EMAIL PROTECTED]...
    Hello, all :-)

    I was hoping one (or many) of you could help me with a question I have: how
    do I lock-down ports on a server?  I know how to lock them down on firewalls
    and routers, but how to do it on a server is my question.  I know it's a
    general question but any assistance would be most appreciated.

    Truly,
    Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40927t=40852



Re: Hardening Ports? [7:40852]

2002-04-09 Thread Charlie

Thanks, Kent.  Chee Kin and Sam actually answered my question already.
Nonetheless, thanks for your advice.  Google is where I will also check in
the future (although this newsgroup is proving to be very helpful).

Charlie

Kent Hundley  wrote in message
news:[EMAIL PROTECTED]...
 Charlie,

 As others noted, it depends on your OS.  I would recommend doing a search on
 google for your OS+hardening.  You'll probably find what you're looking for.
 Also consult your vendor's web site and http://www.sans.org for more info.

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Charlie
 Sent: Monday, April 08, 2002 12:51 PM
 To: [EMAIL PROTECTED]
 Subject: Hardening Ports? [7:40852]


 Hello, all :-)

 I was hoping one (or many) of you could help me with a question I have: how
 do I lock-down ports on a server?  I know how to lock them down on firewalls
 and routers, but how to do it on a server is my question.  I know it's a
 general question but any assistance would be most appreciated.

 Truly,
 Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40929t=40852



RE: Cisco Dialout Utility!!Urgent! [7:40923]

2002-04-09 Thread John Jackson

Here you can find trial software that works with cisco access servers
http://www.tactical-sw.com/products.asp



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40930t=40923



Re: PIX problem [7:40928]

2002-04-09 Thread HORVATH TAMAS

Hi!
 
See http://www.cisco.com/warp/customer/110/31.html
 
 
According to this document Inbound ICMP through the PIX is denied by
default; outbound ICMP is permitted, but the incoming reply is denied by
default. So you can ping every PIX interface from the PIX and from the
directly connected LAN, but can't ping through the pix.
 
I think you should not ping through the PIX default, just from the PIX (from
Telnet console).
 
According to this document: In PIX Software versions 4.1(6) until 5.2.1,
ICMP traffic to the PIX's own interface is permitted; the PIX cannot be
configured to not respond. Beginning in PIX Software version 5.2.1, ICMP is
still permitted by default, but PIX ping responses from its own interfaces
can be disabled with the icmp command (that is, a stealth PIX)
 
 
By, HT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40928t=40928



RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Mark Odette II

Kent- What if you have your DNS Server(s) (resolving Public addresses for
the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the
PIX with all of them running RFC1918 addresses, and you want both inside and
outside sourced traffic (Any Any) to reach the Web or Mail Server?  Is the
Alias command used for the inside hosts to reach the servers when resolving
to the Public Addresses only??

Forgive my ignorance... I'm just catching back up on my PIX studies, and see
where the above scenario comes into play on a regular basis for small/medium
networks where the Business/Organization hosts their own DNS and has their
ISP provide Secondary DNS for them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Robert,

Ok, I'm more confused than before. :-)

You say "I do want any outside host to access the web server" and then you
say "So, I do want everyone to access the web server at ip address
xxx.yyy.115.190", this seems like contradictory statements to me unless you're
saying you want only _internal_ hosts to access the web server, but use its
external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server?
Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server?  It appears that it is on the outside of the
PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web
server by its internal IP address? I don't see why that would be the case.
Using the alias command, the DNS replies would be doctored so that the web
server's IP would appear to internal clients as 172.20.21.241 and they
should just go directly to that address without having to go to the PIX.
(this assumes the DNS is on the external interfaces of the PIX and the web
server's DNS resolves to xxx.yyy.115.190)

If you want an external host to access the web server, you're going to have to
modify your conduit statement(s).

Regards,
Kent

-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Please don't think I'm being argumentative, I'm trying to explain the
configuration I have and what I'm trying to accomplish.  This is coming
from my understanding and concept, which I am starting to think is way off
base.  What really throws me is that this configuration is working at
another site and at this site with my PIX 506 running Ver 5.1, just not
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type
of a configuration first and just assumed it's the norm, when in fact it
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone
does a DNS lookup for the www.domainname it resolves to
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the
domainname has a public address of xxx.yyy.115.190 the actual ip address of
the server is 172.20.21.241.  That's where the static and conduit commands
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because
of the static statement) and sends it to 172.20.21.241 (I would use the
term routes it to 172.20.21.241 but I am afraid it would cause further
confusion ... to me).  So, I do want everyone to access the web server at
ip address xxx.yyy.115.190.  But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts can not see the
servers for which I have a conduit built, ie: web and mail servers.  When
the internal host performs DNS on their own name they are unable to get to
that server.  With the alias they are able to get to the server.  I'm not
sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
Robert,

Your conduit command doesn't look right.  Typically you want to allow any
outside host to access the inside host specified in the conduit.  You can
specify 'any' by using 0.0.0.0 or 0:


conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what you're trying to accomplish with those alias
commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

You're telling the PIX to translate dst address 172.20.21.241 to
xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
back to the same inside address?  Typically the internal hosts would just go
directly to the 172.20.21.241 address without having to go through the PIX
in the first place.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert T. Repko (R Squared Consultants)
Sent: 

RE: MS Security Operation Guide for Windows 2000 Server - [Was [7:40935]

2002-04-09 Thread Andy Barkl

ity/prodtech/windows/windows2000/staysecure/default.asp


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
sam sneed
Sent: Tuesday, April 09, 2002 7:56 AM
To: [EMAIL PROTECTED]
Subject: Re: MS Security Operation Guide for Windows 2000 Server - [Was
[7:40926]

Where is the link???


Bac Nguyen  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi Charlie,
 FYI, Microsoft just release the Security Operation Guide for Windows
2000
 server. Here is the link to it


 Hope this help!

 Bac

 -Original Message-
 From: Charlie [mailto:[EMAIL PROTECTED]]
 Sent: Monday, April 08, 2002 2:12 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Hardening Ports? [7:40852]


 Patrick -

 I was refering to TCP/IP ports.  Thanks for your reply.  Sam's message
came
 in very handy and answered my question as well.  Thanks again.

 Charlie

 Patrick Ramsey  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  do you men ethernet ports or tcpip ports?
 
  Ethernet ports are done in the driver autonegotiate/speed/duplex
settings
 
  locking down tcpip ports is entirely different.  TCPwrappers will
wrap
  daemons and applications under *nix... not so sure there is an
equivalent
  for microsoft or novellTCPWrappers just handles the negotiation
really
  between the client and daemon.
 
  -Patrick
 
   Charlie  04/08/02 03:50PM 
  Hello, all :-)
 
  I was hoping one (or many) of you could help me with a question I have: how
  do I lock-down ports on a server?  I know how to lock them down on firewalls
  and routers, but how to do it on a server is my question.  I know it's a
  general question but any assistance would be most appreciated.
 
  Truly,
  Charlie
 
  




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40935t=40935



RE: PIX problem [7:40919]

2002-04-09 Thread Ole Drews Jensen

If you are pinging an INSIDE interface from a device on the OUTSIDE, or in
other words, if you are pinging from a lower security interface to a higher
security interface, you must create a conduit that allows a ping request.

If you are pinging an OUTSIDE interface from a device on the INSIDE, or in
other words, if you are pinging from a higher security interface to a lower
security interface, you must create a conduit that allows a ping reply.

If you want both, you must allow all ping.

This allows a ping request:

conduit permit icmp any any 8

This allows a ping reply:

conduit permit icmp any any 0

This allows any ping:

conduit permit icmp any any

If this still doesn't work, try to send me the config and a description
where you're pinging from and to.

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: dk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:16 AM
To: Ole Drews Jensen
Cc: [EMAIL PROTECTED]
Subject: Re: PIX problem [7:40919]


Thanks for the suggestion but no joy ..
I applied the conduit you specified, tried pinging the interface but still
got the timeout,  it made no difference and the conduit has a hit count of 0!



- Original Message -
From: Ole Drews Jensen 
To: 'dk' ; 
Sent: Tuesday, April 09, 2002 3:27 PM
Subject: RE: PIX problem [7:40919]


 Have you allowed ping replies to return back to you?

 conduit permit icmp any any 0

 Hth,

 Ole

 ~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~
  http://www.RouterChief.com
 ~
  Need a Job?
  http://www.OleDrews.com/job
 ~




 -Original Message-
 From: dk [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, April 09, 2002 8:00 AM
 To: [EMAIL PROTECTED]
 Subject: PIX problem [7:40919]


 Hi all

 I'm sure there's a simple answer to this but I can't see what it is ...

 I'm trying to ping all the Ethernet interfaces on my PIX (5.2) in order to
 manage them from HP openview.

 I get a response from the interface I'm connected to but not from the rest

 I've used the debug icmp trace command and can see the echo requests but
 there are no replies and nothing gets logged.  I can ping all the interfaces
 from the telnet console and I can ping devices across the PIX ... any
 ideas ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40936t=40919
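
Added example (not part of the thread and not Cisco code): the three conduit forms in Ole's reply differ only in the trailing ICMP type, so a config review can flag the ones that admit more than the ping they were written for. The sample config lines, the 192.0.2.10 host and the function names are constructed for illustration; the type-name table covers only a few common ICMP types.

```python
# Audit PIX "conduit ... icmp" lines for how much ICMP they let in.
# Syntax assumed: conduit permit|deny icmp <global> <foreign> [icmp_type]
# where each address is "any", "host A.B.C.D" or "A.B.C.D MASK".

ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "source-quench": 4,
              "echo": 8, "time-exceeded": 11}
ANY = ("0.0.0.0", "0.0.0.0")


def _take_address(tokens):
    """Consume one address specification from the front of the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return (tokens.pop(0), "255.255.255.255")
    return (head, tokens.pop(0))


def parse_icmp_conduit(line):
    """Return a dict for an ICMP conduit line, or None for any other line."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "conduit" or tokens[2] != "icmp":
        return None
    rest = tokens[3:]
    try:
        global_addr = _take_address(rest)    # translated inside address
        foreign_addr = _take_address(rest)   # source on the lower-security side
        icmp_type = None                     # None means "all ICMP types"
        if rest:
            word = rest.pop(0)
            icmp_type = int(word) if word.isdigit() else ICMP_TYPES[word]
    except (IndexError, KeyError):
        raise ValueError(f"cannot parse conduit line: {line!r}")
    return {"action": tokens[1], "global": global_addr,
            "foreign": foreign_addr, "icmp_type": icmp_type}


def audit(config_text):
    """Return (line, finding) pairs for ICMP conduits worth a second look."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        rule = parse_icmp_conduit(line)
        if rule is None or rule["action"] != "permit":
            continue
        if rule["icmp_type"] is None:
            findings.append((line, "permits every ICMP type, not only ping"))
        elif rule["icmp_type"] == 8 and rule["foreign"] == ANY:
            findings.append((line, "any lower-security host may send echo "
                                   "requests inward"))
    return findings


# Constructed sample: the three forms from the reply above plus two
# constructed lines (a narrow echo-reply conduit and a non-ICMP conduit).
SAMPLE_CONFIG = """\
conduit permit icmp any any 8
conduit permit icmp any any 0
conduit permit icmp any any
conduit permit icmp host 192.0.2.10 any echo-reply
conduit permit tcp host 192.0.2.10 eq www any
"""

if __name__ == "__main__":
    for line, finding in audit(SAMPLE_CONFIG):
        print(f"{line}\n    -> {finding}")
```

The reply-only form (type 0) passes the audit because it admits nothing but answers to pings that started on the higher-security side.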



RE: CCNP Training kit [7:40915]

2002-04-09 Thread Mike Sweeney

To add to this comment, for giggles I went over one of these *cheat sheets*
that folks seem to be so in love with.. 100 questions..  4 not usable due to
missing exhibits and the caption *use your best judgement*... another 3 were
just plain wrong (verified by looking up in books instead of memory) and
several more were suspect...

Cheating doesn't pay..

So where does that leave us where the dark side is incorrect AND the good
guys put out such a shoddy product?

I used Transcender with ok results, Beachhead had errors on their CCNA..
might be corrected now, Boson was spotty in quality but my experience is
limited with their product and may not be representative of their current
product. Exam Prep is now toast unless picked up by someone else.

I do like the material by CCxx Productions. 

I used the Cisco Academy semester 5-6 books and materials. That seems to be
pretty good but I did find many *small* errors in the labs.. things like
printing 172. when they meant 192..  I did find a few missing
commands but in most cases they worked as they should.

MikeS



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40937t=40915



RE: CCNP Training kit [7:40915]

2002-04-09 Thread Matthew Meiers

Don't waste your time or efforts.  Version 2 is terrible.  

-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 8:40 AM
To: [EMAIL PROTECTED]
Subject: CCNP Training kit [7:40915]

Just wanted to say that anyone who bought the CCNP Training kit
Software, ISBN 1587200422, you can return it, and they will give you a
completely new CD VS 2.0. I bought this Training kit, it has so many
wrong answers, and so many bugs I thought I was on candid camera. They
did offer a SP1 update right after the product was released, but that
didn't help much. This is a first time that I have heard of a total
recall of a software product. I really could write like 20 pages about
what was wrong with the kit, it was that bad.  Well, just thought I
would share this, if anyone bought it, because I didn't know. I am on
the Cisco press mailing list, and I registered my product, but they
never bothered to contact me concerning this. This is the very last time
I buy software without asking anyone else if they used it. Well, I guess
I am going to send away for the version 2, to see if it is any better.
It's a little late now, especially since I am halfway through my CCNP.
Ciscopress really dropped the ball on this one, especially since most of
the people who bought it didn't know any better about the answers being
mostly wrong, myself included. Ironically I failed routing using the
kit. I passed routing and switching since then, using other material.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40938t=40915



Re: PIX problem [7:40928]

2002-04-09 Thread dk

Thanks for the input,   I have allowed the required icmp access ...

To try and clarify ...

I'm trying to ping the pix interface E1 (ip address 10.222.62.1) through pix
interface E0 (ip address 10.222.33.1)  from my workstation (ip address
10.222.32.100). I can successfully ping the PIX E0 interface and any devices
on the 10.222.62.0 network going through the PIX E1 interface, but when I
try to ping the PIX E1 interface itself I get no response, no error is logged
and the conduit hitcount is not incremented.

Is it a feature?






- Original Message -
From: HORVATH TAMAS 
To: 
Sent: Tuesday, April 09, 2002 4:04 PM
Subject: Re: PIX problem [7:40928]


 Hi!

 See http://www.cisco.com/warp/customer/110/31.html


 According to this document Inbound ICMP through the PIX is denied by
 default; outbound ICMP is permitted, but the incoming reply is denied by
 default. So you can ping every PIX interface from the PIX and from the
 directly connected LAN, but can't ping through the pix.

 I think you should not ping through the PIX default, just from the PIX
 (from Telnet console).

 According to this document: In PIX Software versions 4.1(6) until 5.2.1,
 ICMP traffic to the PIX's own interface is permitted; the PIX cannot be
 configured to not respond. Beginning in PIX Software version 5.2.1, ICMP is
 still permitted by default, but PIX ping responses from its own interfaces
 can be disabled with the icmp command (that is, a stealth PIX)


 By, HT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40940t=40928



RE: PIX problem [7:40928]

2002-04-09 Thread HORVATH TAMAS

Kent!

You can ping through the PIX (from E0 NET to E1 net (10.222.62.0)) if you
permit this with an access-list statement (conduit in earlier release). You
can ping the PIX' interface from the directly connected net, if you didn't
disable that feature with the icmp command. You can't ping through the
PIX to the other PIX' interface unless you specify it with an access-list
statement. THIS IS A FEATURE (I don't like to call these things 'feature')!

HT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40941t=40928



Re: netbios over internet [7:40784]

2002-04-09 Thread Priscilla Oppenheimer

NetBIOS is a session-layer protocol and API. Of course, it is able to be 
routed (routable), just as RPC and NFS and TCP and UDP are also routable, 
as are HTTP, FTP, etc. In comparison, LLC is a data-link-layer protocol.
It is not routable without some major shenanigans. NetBEUI resides right on 
top of LLC and doesn't make any calls to a network layer. Also, NetBEUI 
does all its own reliability, etc. It doesn't rely on TCP, for example. 
NetBEUI handles all of the communication work relative to NetBIOS. This is 
different from the other implementations of NetBIOS.

NetBIOS refers to the programming interface in all implementations. In the 
NetBIOS/TCP environment, it also refers to the portion of the packet that 
carries NetBIOS commands, replies, and data. In the NetBIOS/NetBEUI 
environment, NetBIOS refers only to the API, and NetBEUI refers to the 
protocol. In the NetBIOS/IPX environment,  NetBIOS refers to both the API 
and to the protocol. To understand the details of terminology use, it's 
worthwhile to examine the three different frame structures for TCP, 
NetBEUI, and IPX.

Priscilla

At 03:54 AM 4/9/02, [EMAIL PROTECTED] (John Nemeth) wrote:
On Aug 29,  7:34am, Priscilla Oppenheimer wrote:
}
} NetBEUI is non-routable. NetBIOS is routable. NetBIOS over TCP/IP should
} supposedly work over the Internet. For example, can't you do file sharing
} over the Internet? That uses NetBIOS and SMB of CIFS.

  If you want to be pedantic (and, on this list we should be),
discussing the routability of NetBIOS is non-sensical.  NetBIOS is a
session layer protocol.  It would be like discussing the routability of
TCP or UDP.  By themselves, these protocols only have port numbers,
they don't have node addresses.  As someone else has mentioned, you
really need to look at the underlying protocol.  NetBIOS over TCP/IP
(aka NBT) is, of course, completely routable, since TCP/IP is a
routable protocol.  NetBIOS over NetBEUI isn't routable as NetBEUI is a
datalink layer protocol (i.e. it has hosts addresses and doesn't have
any way of doing network addressing, so its addresses are for the local
segment only, ala Ethernet MAC addresses) and must be bridged.

}-- End of excerpt from Priscilla Oppenheimer


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40942t=40784



RE: CCNP Training kit [7:40915]

2002-04-09 Thread Mike Sweeney

Matt-

Can you define *terrible*??  bad questions? incorrect? 

Inquiring minds would like to know

MikeS


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40943t=40915



Re: Cisco Audio Files [7:40911]

2002-04-09 Thread Priscilla Oppenheimer

I played around with making a cool (but low quality ;-) MP3 training file 
on troubleshooting WANs. It's free here, as are some other troubleshooting 
resources I put together:

http://www.troubleshootingnetworks.com/resources.html

Priscilla

At 09:06 AM 4/9/02, Sam Deckert wrote:
Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such
as from sessions at Networkers?

I would like to be able to listen to them in the car

Thanks for any help anyone is able to provide...

Sam.


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40944t=40911



Re: iBGP full mesh ? [7:40741]

2002-04-09 Thread Peter van Oene

Comments inline

At 11:19 AM 4/9/2002 -0400, Chuck wrote:
Ah, but there is this little thing called the standard, and the standard
requires that it be done the way it is because BGP SHOULD be advertising
only REACHABLE nets. What would the internet be, if unreachable nets were
advertised willy nilly? ;-


Sure.. BGP synchronization (particularly with OSPF) hasn't been on the BGP 
standards track for a while.

I think it was Avi Freeman ( sp? ) who put it so poetically: ( and I am
paraphrasing ) A BGP route is a promise.

Putting BGP into your IGP would be a threat

I haven't researched, but I would wager a guess that the no synch option
was added in a later revision of the BGP standard based on real world
experience.  It is a concession to human frailty in a protocol that requires
perfection. It is also the start of the proverbial primrose path that can
lead you to hell in a handbasket real fast, if you don't understand the
differences between BGP operation and the behaviour of the other routing
protocols.

I think synch, beyond OSPF-BGP interaction, is a vendor implementation 
issue, and not actually described in BGPv4 (or v3 for that matter if i 
recall correctly)


See what happens when you read too much Raymond Chandler? :-

Chuck



Peter van Oene  wrote in message news:[EMAIL PROTECTED]...
  I don't disagree with most of your points, but really think synch should be
  disabled in all cases at all times along with auto summary.  It should be
  disabled by default and indeed shouldn't even be included as a configurable
  option.
 
  At 11:28 AM 4/8/2002 -0400, you wrote:
  It's not default for the same reason why unicast rpf (antispoofing) is
  not default in ISO; because people are stupid, and under poor design, it
  could produce very undesirable and hard to troubleshoot results.  In
  other words, if you don't know why you are disabling synchronization,
  don't do it.
  
  Take the following scenario:  A multihop iBGP link between routers (A)
  and (B) in which a non-bgp IGP router (C) is routing packets between
  them.  Both BGP links are advertising full tables to each other, and,
  under your suggested default config, would attempt to forward packets to
  destinations that router C has no clue about.  Then what does router C
  do with these destinations?
  
  The answer, of course, is to set up a iBGP full mesh, and then to
  disable synchronization , and if you are smart, design your network so
  that your IGP learns only about downstream routes and set a default
  route up to the core of your network.
  
  Anyway, the point being, sync is enabled by default because you really
  should know what you are doing before you disable it.
  
  On Mon, 2002-04-08 at 10:44, MADMAN wrote:
I can think of one good reason why you would disable sync, you can't
redistribute 100K routes into ANY IGP.  Why are you so concerned about
disabling sync??  It should be default.
   
  Dave
   
Jay wrote:

 BGP Rules of thumb:

 BGP advertised prefix must also exist in local IGP table.
 iBGP learned prefix must also exist in local IGP table
   -or use #no sync on iBGP learning router, but if you do, you'd sure as
 hell better know why you disabled it.

 On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
  Hi Group,
 
  Hope someone can help out with this as I don't have
  access to my kit at the moment.
 
  I tried to set up my first BGP lab last week.
  I configured a full iBGP mesh, three routers connected
  in a triangle via serial lines.
 
  I set up "neighbour" statements on each router (Hope
  Radia can forgive the extra vowel !!!) and advertised
  the networks.
 
  I got the BGP table working but nothing was promoted
  to the main routing table, and therefore couldn't ping
  non directly connected interfaces. I tried various
  approaches like putting a default route in and running
  an IGP but still no promotion to the main table.
 
  Should this be possible with iBGP ? or is it a matter
  of loop avoidance i.e the AS Numbers won't be
  prepended for the case of iBGP peers.
 
  Phil.
 
--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
   
Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40945t=40741



Re: Hardening Ports? [7:40852]

2002-04-09 Thread [EMAIL PROTECTED]

Hello all,

The absolute best info (IMHO) is www.sans.org... they are up to the minute,
and OS savvy beyond belief.  SANS has the uncanny ability to have gray
hackers who 'contribute' to their security efforts.   Forget google, go to
the source.
After you harden your system don't forget to scan it heavily to see what is
still open. If you have a linux/solaris box available go to
www.nessus.org and use their scanner.  (Good stuff, but you can kill a
server with it if you scan too heavily.)   It is my firm belief that you
cannot do network security effectively without knowledge of OS platforms
and what processes/daemons they have running.
Have a good day.




Kevin McCarty
CCNA CCNP
Computer Sciences Corporation
Defense Sector


   

   
   

   





Thanks, Kent.  Chee Kin and Sam actually answered my question already.
Nonetheless, thanks for your advice.  Google is where I will also check in
the future (although this newsgroup is proving to be very helpful).

Charlie

Kent Hundley  wrote in message news:[EMAIL PROTECTED]...
 Charlie,

 As others noted, it depends on your OS.  I would recommend doing a search on
 google for your OS+hardening.  You'll probably find what you're looking for.
 Also consult your vendor's web site and http://www.sans.org for more info.

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Charlie
 Sent: Monday, April 08, 2002 12:51 PM
 To: [EMAIL PROTECTED]
 Subject: Hardening Ports? [7:40852]


 Hello, all :-)

 I was hoping one (or many) of you could help me with a question I have: how
 do I lock-down ports on a server?  I know how to lock them down on firewalls
 and routers, but how to do it on a server is my question.  I know it's a
 general question but any assistance would be most appreciated.

 Truly,
 Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40946t=40852



RE: Hardening Ports? [7:40852]

2002-04-09 Thread Ali Mesdaq

You also might want to try Retina from eEye. It's the best scanner on the
market. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 10:26 AM
To: [EMAIL PROTECTED]
Subject: Re: Hardening Ports? [7:40852]

Hello all,

The absolute best info (IMHO) is www.sans.org... they are up to the minute,
and OS savvy beyond belief.  SANS has the uncanny ability to have gray
hackers who 'contribute' to their security efforts.   Forget google, go to
the source.
After you harden your system don't forget to scan it heavily to see what is
still open. If you have a linux/solaris box available go to
www.nessus.org and use their scanner.  (Good stuff, but you can kill a
server with it if you scan too heavily.)   It is my firm belief that you
cannot do network security effectively without knowledge of OS platforms
and what processes/daemons they have running.
Have a good day.




Kevin McCarty
CCNA CCNP
Computer Sciences Corporation
Defense Sector


 

   
 

 





Thanks, Kent.  Chee Kin and Sam actually answered my question already.
Nonetheless, thanks for your advice.  Google is where I will also check in
the future (although this newsgroup is proving to be very helpful).

Charlie

Kent Hundley  wrote in message news:[EMAIL PROTECTED]...
 Charlie,

 As others noted, it depends on your OS.  I would recommend doing a search on
 google for your OS+hardening.  You'll probably find what you're looking for.
 Also consult your vendor's web site and http://www.sans.org for more info.

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Charlie
 Sent: Monday, April 08, 2002 12:51 PM
 To: [EMAIL PROTECTED]
 Subject: Hardening Ports? [7:40852]


 Hello, all :-)

 I was hoping one (or many) of you could help me with a question I have: how
 do I lock-down ports on a server?  I know how to lock them down on firewalls
 and routers, but how to do it on a server is my question.  I know it's a
 general question but any assistance would be most appreciated.

 Truly,
 Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40948t=40852



Identify 1750 models [7:40857]

2002-04-09 Thread Dennis Laganiere

I have several voice modules and I wanted to use them in my study pod.
Going through the archives and the CCO it looks like the cheapest solution
is using 1750's, and what I need are 2v's or 4v's (not the basic model).
Here is my problem...

None of the 1750's I've seen on ebay say what model they are, and the
sellers I've e-mailed haven't seen any designation on the outside of the
chassis.  Not having ever seen any 1750's myself, I don't know how to tell
them apart.  I'm hoping someone here can help me identify the specific model
designations, and perhaps alternatively, tell me where I could just buy the
units at a reasonable price...

Thanks all

--- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40857t=40857



RE: Puzzles -> WAS RE: My interview story [7:40553]

2002-04-09 Thread Alex Lei

  If you have 2 20' poles, a 32' rope strung between them, and the
  lowest point of the rope is 4' off of the ground, how far apart are
  the poles?
  


If I understand correctly, I think the answer to this one is 16'.

If the rope is attached to the ends of the poles, then the drop of the rope
is 20' - 4' = 16'.

The rope has total length of 32', the total length is composed of a drop and
a horizontal span. So even though the shape of the rope is a parabola, we
can just subtract the drop from the total length to get the span.

Alex


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40839t=40553



RE: Identify 1750 models [7:40862]

2002-04-09 Thread Frank Jimenez

The 1750-2V and 1750-4V are just marketing bundles - there is no
difference in the physical chassis of the 1750 with these.

Look here for more details:
http://www.cisco.com/warp/public/cc/pd/rt/1700/prodlit/1750_ds.htm

Basically:
1750:
4MB Flash
16MB DRAM
IOS IP Software

1750-2V
8MB Flash
32MB DRAM
IOS IP+Voice Software
1 DSP

1750-4V
8MB Flash
32MB DRAM
IOS IP+Voice Software
2 DSPs

Be careful buying these used - make the seller at least give you a
printout of the show version, so you won't be stuck with having to buy
lots of extras to make it work in the environment you are planning.

Good Luck!
Frank Jimenez, CCIE #5738
[EMAIL PROTECTED]





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Dennis Laganiere
Sent: Monday, April 08, 2002 3:59 PM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: Identify 1750 models


I have several voice modules and I wanted to use them in my study pod.
Going through the archives and the CCO it looks like the cheapest
solution is using 1750's, and what I need are 2v's or 4v's (not the
basic model). Here is my problem...

None of the 1750's I've seen on ebay say what model they are, and the
sellers I've e-mailed haven't seen any designation on the outside of the
chassis.  Not having ever seen any 1750's myself, I don't know how to
tell them apart.  I'm hoping someone here can help me identify the
specific model designations, and perhaps alternatively, tell me where I
could just buy the units at a reasonable price...

Thanks all

--- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40862t=40862



RE: Cisco SmartNet [7:40795]

2002-04-09 Thread Circusnuts_1999

Find the part # on the CCO and search Ebay for it...

My boss was able to get support for his clunky old 4500M that he was
using as a frame-switch.  

All the best !!!
Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Widjaja Surja Kentjana
Sent: Monday, April 08, 2002 3:26 AM
To: [EMAIL PROTECTED]
Subject: OT: Cisco SmartNet [7:40795]

Hi all,

I would like to find out some info about Cisco SmartNet.  Can I buy a
SmartNet (for a particular category) for EOL equipment?  This is for cisco
2503 for example.

Thanks.

Widjaja




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40866t=40795



Re: Cisco ATA 186 (One Way or Two Way) [7:40900]

2002-04-09 Thread CiscoB

Yeah, you can also receive calls on an ATA186.  The only thing I'm not sure
if you can do or not is transferring a call after you have received it on the
phone that is connected to the ATA186.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)

Hasan Abbas  wrote in message news:[EMAIL PROTECTED]...
 Dear All,

 I have configured Cisco ATA 186 with one of its UID0 set to 300 and other
 301 .

 Using a VOIP Module having 2 FXS Ports connected on 3600 Route using as an
 IOS Gateway. With One FXS Setting to destination pattern 1 and Other
 destination pattern set to 2 . The ATA able to put call towards FXS port 1
 and FXS port 2 .But When I tried to dial from FXS port to ATA Adapter ports
 300 or 301 it gives busy tone and it never gives me connecting tone.

 Are Cisco ATA one way device able to dial using Voice Gateway or Calls can
 be accepted to its phone like regular phones.

 My ATA Configuration is as under:

 UID0: 300    UID1: 301

 Gateway : 192.168.0.223 (IP of 3660 Gateway Router)

 NO GateKeeper or SIP (value =0)

 AuthMethod: (0x00040004)

 DialPlan (Default)

 Cisco 3660 Configuration:

 dial-peer voice 1 pots

 destination-pattern 1

 port 4/1/0

 dial-peer voice 2 pots

 destination-pattern 2

 port 4/1/1



 dial-peer voice 3000 voip

 destination-pattern 300.

 session target ipv4:192.168.0.242 (IP of ATA)

 Thanks in Advance









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40947t=40900



OSPF network command question [7:40939]

2002-04-09 Thread Ruihai An

When I do a CCIE lab from CCIEBootCamp, I noticed two different ways to
advertise a network under OSPF.   I wonder if anyone can explain the
differences between the two.

For example:
interface fa0/0
ip address 172.168.1.1 255.255.255.0

To advertise this network,  you can use two different commands and both work
router ospf 10
   network 172.168.1.0 0.0.0.255 area 0

or you can also use:
router ospf 10
network 172.168.1.1 0.0.0.0 area 0

Please notice the second network command uses Exact IP address on the
interface, instead of network numbers.

Thanks

Ruihai




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40939t=40939



RE: OSPF network command question [7:40939]

2002-04-09 Thread Lomker, Michael

If you had additional interfaces on the listed subnet then they would also
be included in OSPF.  The second method will only include the specified
interface.

 -Original Message-
 For example:
 interface fa0/0
 ip address 172.168.1.1 255.255.255.0
 
 To advertise this network,  you can use two different 
 commands and both works
 router ospf 10
network 172.168.1.0 0.0.0.255 area 0




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40950t=40939



BSCI [7:40952]

2002-04-09 Thread Steven Crawford

I heard that BSCI is going to completely replace Routing, did anyone else
hear that??

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40952t=40952



RE: OSPF network command question [7:40939]

2002-04-09 Thread Tarek Sabry

Hi

From what I heard and from my own experience, it is safer to use the exact
interface, unless you end up writing 3 or 4 statements that could be grouped
under one less specific inverse-mask.

Tarek

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Lomker, Michael
Sent: Tuesday, April 09, 2002 1:28 PM
To: [EMAIL PROTECTED]
Subject: RE: OSPF network command question [7:40939]


If you had additional interfaces on the listed subnet then they would also
be included in OSPF.  The second method will only include the specified
interface.

 -Original Message-
 For example:
 interface fa0/0
 ip address 172.168.1.1 255.255.255.0

 To advertise this network,  you can use two different
 commands and both works
 router ospf 10
network 172.168.1.0 0.0.0.255 area 0




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40953t=40939



RE: MS Security Operation Guide for Windows 2000 Server - [Was [7:40951]

2002-04-09 Thread Bac Nguyen

Sam,
Sorry, here is the link


Bac

-Original Message-
From: sam sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 7:56 AM
To: [EMAIL PROTECTED]
Subject: Re: MS Security Operation Guide for Windows 2000 Server - [Was
[7:40926]


Where is the link???


Bac Nguyen wrote in message news:[EMAIL PROTECTED]...
 Hi Charlie,
 FYI, Microsoft just released the Security Operation Guide for Windows 2000
 server. Here is the link to it


 Hope this helps!

 Bac

 -Original Message-
 From: Charlie [mailto:[EMAIL PROTECTED]]
 Sent: Monday, April 08, 2002 2:12 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Hardening Ports? [7:40852]


 Patrick -

 I was referring to TCP/IP ports.  Thanks for your reply.  Sam's message
came
 in very handy and answered my question as well.  Thanks again.

 Charlie

 Patrick Ramsey wrote in message news:[EMAIL PROTECTED]...
  do you mean ethernet ports or tcpip ports?
 
  Ethernet ports are done in the driver autonegotiate/speed/duplex
settings
 
  locking down tcpip ports is entirely different.  TCPwrappers will wrap
  daemons and applications under *nix... not so sure there is an
equivalent
  for microsoft or novell... TCPWrappers just handles the negotiation
really
  between the client and daemon.
 
  -Patrick
 
   Charlie  04/08/02 03:50PM 
  Hello, all :-)
 
  I was hoping one (or many) of you could help me with a question I have:
 how
  do I lock-down ports on a server?  I know how to lock them down on
 firewalls
  and routers, but how to do it on a server is my question.  I know it's a
  general question but any assistance would be most appreciated.
 
  Truly,
  Charlie
 
  




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40951t=40951



RE: CCNP Training kit [7:40915]

2002-04-09 Thread Brian Zeitz

They should allow people who bought it to trade it in for books or give
credit for this on Ciscopress.com. I will admit I got scammed by it. It
looked really good when they advertised it. The way they made it out,
you would have thought it was like the Sybex CCNP virtual Trainer. This
was a major scam, and I am sure they sold thousands of these. It is
probably funny to most, except for the people who paid over $100 for it.



-Original Message-
From: Matthew Meiers [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: CCNP Training kit [7:40915]

Don't waste your time or efforts.  Version 2 is terrible.  

-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 8:40 AM
To: [EMAIL PROTECTED]
Subject: CCNP Training kit [7:40915]

Just wanted to say that anyone who bought the CCNP Training kit
Software, ISBN 1587200422, you can return it, and they will give you a
completely new CD VS 2.0. I bought this Training kit, it has so many
wrong answers, and so many bugs I thought I was on candid camera. They
did offer a SP1 update right after the product was released, but that
didn't help much. This is a first time that I have heard of a total
recall of a software product. I really could write like 20 pages about
what was wrong with the kit, it was that bad.  Well, just thought I
would share this, if anyone bought it, because I didn't know. I am on
the Cisco press mailing list, and I registered my product, but they
never bothered to contact me concerning this. This is the very last time
I buy software without asking anyone else if they used it. Well, I guess
I am going to send away for the version 2, to see if it is any better.
It's a little late now, especially since I am half way through my CCNP.
Ciscopress really dropped the ball on this one, especially since most of
the people who bought it didn't know any better about the answers being
mostly wrong, myself included. Ironically I failed routing using the
kit. I passed routing and switching since then, using other material.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40955t=40915



Re: iBGP full mesh ? [7:40741]

2002-04-09 Thread Howard C. Berkowitz

Comments inline

At 11:19 AM 4/9/2002 -0400, Chuck wrote:
Ah, but there is this little thing called the standard, and the standard
requires that it be done the way it is because BGP SHOULD be advertising
only REACHABLE nets. What would the internet be, if unreachable nets were
  advertised willy nilly? ;-

Agreed. That's one of the fundamental loop and thrashing mechanisms, 
with some minor exceptions for deliberate blackhole routes that 
relate to someone's own address block.



Sure.. BGP synchronization (particularly with OSPF) hasn't been on the BGP
standards track for a while.

I think it was Avi Freeman ( sp? ) who put it so poetically: ( and I am
paraphrasing ) A BGP route is a promise.

Putting BGP into the your IGP would be a threat

I haven't researched, but I would wager a guess that the no synch option
was added in a later revision of the BGP standard based on real world
  experience.

The earlier versions of BGP (and, for that matter, OSPF), did allow 
for the possibility of mutual redistribution.  Experience, of course, 
showed that was a bad idea.  Pervasive iBGP works much better.

I wouldn't be surprised if (1) Juniper didn't implement sync because 
it was recognized by then that it was a bad idea and (2) Cisco 
couldn't drop it because people were using it.

It is a concession to human frailty in a protocol that requires
  perfection. It is also the start of the proverbial primrose path that can
lead you to hell in a handbasket real fast, if you don't understand the
differences between BGP operation and the behaviour of the other routing
  protocols.

To the best of my recollection, synch is not in Draft 18 of the 
in-process RFC 1771 revision.


I think synch, beyond OSPF-BGP interaction, is a vendor implementation
issue, and not actually described in BGPv4 (or v3 for that matter if i
recall correctly)

Given that the OSPF-BGP interaction RFC has been declared Historic, 
meaning obsolete, that's probably not good evidence.

Many of those



See what happens when you read too much Raymond Chandler? :-

Chuck



Peter van Oene wrote in message news:[EMAIL PROTECTED]...
   I don't disagree with most of your points, but really think synch
should
be
   disabled in all cases at all times along with auto summary.  It should
be
   disabled by default and indeed shouldn't even be included as a
configurable
   option.
  
   At 11:28 AM 4/8/2002 -0400, you wrote:
   It's not default for the same reason why unicast rpf (antispoofing) is
   not default in ISO; because people are stupid, and under poor design,
it
   could produce very undesirable and hard to troubleshoot results.  In
   other words, if you don't know why you are disabling synchronization,
   don't do it.
   
   Take the following scenario:  A multihop iBGP link between routers (A)
   and (B) in which a non-bgp IGP router (C) is routing packets between
   them.  Both BGP links are advertising full tables to each other, and,
   under your suggested default config, would attempt to forward packets
to
   destinations that router C has no clue about.  Then what does router C
   do with these destinations?
   
   The answer, of course, is to set up a iBGP full mesh, and then to
   disable synchronization , and if you are smart, design your network so
   that your IGP learns only about downstream routes and set a default
   route up to the core of your network.
   
   Anyway, the point being, sync is enabled by default because you really
   should know what you are doing before you disable it.
   
   On Mon, 2002-04-08 at 10:44, MADMAN wrote:
 I can think one one good reason why you would disable sync, you
can't
 redistribute 100K routes into ANY IGP.  Why are you so concerned
about
 disabling sync??  It should be default.

   Dave

 Jay wrote:
 
  BGP Rules of thumb:
  
  BGP advertised prefix must also exist in local IGP table.
  iBGP learned prefix must also exist in local IGP table
-or use #no sync on iBGP learning router, but if you do, you'd
sure
   as
  hell better know why you disabled it.
 
  On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
   Hi Group,
  
   Hope someone can help out with this as I don't have
   access to my kit at the moment.
  
   I tried to set up my first BGP lab last week.
   I configured a full iBGP mesh, three routers connected
   in a triangle via serial lines.
  
   I set up "neighbour" statements on each router (Hope
   Radia can forgive the extra vowel !!!) and advertised
   the networks.
  
   I got the BGP table working but nothing was promoted
   to the main routing table, and therefore couldn't ping
   non directly connected interfaces. I tried various
   approaches like putting a default route in and running
   an IGP but still no promotion to the main table.
  
   Should this be possible with iBGP ? or is it a matter
   of loop 

RE: OSPF network command question [7:40939]

2002-04-09 Thread John Jackson

Also make note that network commands in IGPs (OSPF, EIGRP etc...) only
specify what interfaces will participate in that IGP.
This is different in BGP.  The network command in BGP specifies what networks
will participate in BGP.

Hope this clears things up.

John



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40956t=40939



RE: Hardening Ports? [7:40852]

2002-04-09 Thread [EMAIL PROTECTED]

Hi Ali,

Nessus is free, Retina is 945.00 USD


Thanks



Kevin McCarty
CCNA CCNP
Computer Sciences Corporation
Defense Sector


   

Ali Mesdaq
Sent by: nobody
04/09/2002 12:55 PM
Please respond to Ali Mesdaq
Subject: RE: Hardening Ports? [7:40852]
   

   





You also might want to try Retina from eEye. It's the best scanner on the
market.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 10:26 AM
To: [EMAIL PROTECTED]
Subject: Re: Hardening Ports? [7:40852]

Hello all,

The absolute best info (IMHO) is www.sans.org; they are up to the minute,
and OS savvy beyond belief.  SANS has the uncanny ability to have gray
hackers who 'contribute' to their security efforts.   Forget google, go to
the source.
After you harden your system don't forget to scan it heavily to see what is
still open. If you have a linux/solaris box available go to
www.nessus.org and use their scanner.  (Good stuff, but you can kill a
server with it if you scan too heavily.)   It is my firm belief that you
cannot do network security effectively without knowledge of OS platforms
and what processes/daemons they have running.
Have a good day.




Kevin McCarty
CCNA CCNP
Computer Sciences Corporation
Defense Sector





Charlie
Sent by: nobody
04/09/2002 10:04 AM
Please respond to Charlie
cc:
Subject: Re: Hardening Ports? [7:40852]








Thanks, Kent.  Chee Kin and Sam actually answered my question already.
Nonetheless, thanks for your advice.  Google is where I will also check in
the future (although this newsgroup is proving to be very helpful).

Charlie

Kent Hundley wrote in message news:[EMAIL PROTECTED]...
 Charlie,

 As others noted, it depends on your OS.  I would recommend doing a search
on
 google for your OS+hardening.  You'll probably find what you're looking
for.
 Also consult your vendors web site and http://www.sans.org for more info.

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Charlie
 Sent: Monday, April 08, 2002 12:51 PM
 To: [EMAIL PROTECTED]
 Subject: Hardening Ports? [7:40852]


 Hello, all :-)

 I was hoping one (or many) of you could help me with a question I have:
how
 do I lock-down ports on a server?  I know how to lock them down on
firewalls
 and routers, but how to do it on a server is my question.  I know it's a
 general question but any assistance would be most appreciated.

 Truly,
 Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40957t=40852



Re: iBGP full mesh ? [7:40741]

2002-04-09 Thread Kent Yu

Peter,

- Original Message -
From: Peter van Oene 
To: 
Sent: Tuesday, April 09, 2002 3:55 AM
Subject: Re: iBGP full mesh ? [7:40741]


 I don't disagree with most of your points, but really think synch should
be
 disabled in all cases at all times along with auto summary.  It should be
 disabled by default and indeed shouldn't even be included as a
configurable
 option.


I know that's how Juniper defaults its BGP synch. I agree that synch should
be disabled by default, really do not think people will put a non-bgp
speaking router in the middle of their network by design, of course, unless
we are talking about using stuff like MPLS at the core and pushing BGP out
to the edge.

But I still do not like the fact that Juniper makes BGP synch
non-configurable, why not giving users the knob?

Thanks
Kent


 At 11:28 AM 4/8/2002 -0400, you wrote:
 It's not default for the same reason why unicast rpf (antispoofing) is
 not default in ISO; because people are stupid, and under poor design, it
 could produce very undesirable and hard to troubleshoot results.  In
 other words, if you don't know why you are disabling synchronization,
 don't do it.
 
 Take the following scenario:  A multihop iBGP link between routers (A)
 and (B) in which a non-bgp IGP router (C) is routing packets between
 them.  Both BGP links are advertising full tables to each other, and,
 under your suggested default config, would attempt to forward packets to
 destinations that router C has no clue about.  Then what does router C
 do with these destinations?
 
 The answer, of course, is to set up a iBGP full mesh, and then to
 disable synchronization , and if you are smart, design your network so
 that your IGP learns only about downstream routes and set a default
 route up to the core of your network.
 
 Anyway, the point being, sync is enabled by default because you really
 should know what you are doing before you disable it.
 
 On Mon, 2002-04-08 at 10:44, MADMAN wrote:
   I can think one one good reason why you would disable sync, you can't
   redistribute 100K routes into ANY IGP.  Why are you so concerned about
   disabling sync??  It should be default.
  
 Dave
  
   Jay wrote:
   
BGP Rules of thumb:
   
BGP advertised prefix must also exist in local IGP table.
iBGP learned prefix must also exist in local IGP table
  -or use #no sync on iBGP learning router, but if you do, you'd
sure
 as
hell better know why you disabled it.
   
On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
 Hi Group,

 Hope someone can help out with this as I don't have
 access to my kit at the moment.

 I tried to set up my first BGP lab last week.
 I configured a full iBGP mesh, three routers connected
 in a triangle via serial lines.

 I set up "neighbour" statements on each router (Hope
 Radia can forgive the extra vowel !!!) and advertised
 the networks.

 I got the BGP table working but nothing was promoted
 to the main routing table, and therefore couldn't ping
 non directly connected interfaces. I tried various
 approaches like putting a default route in and running
 an IGP but still no promotion to the main table.

 Should this be possible with iBGP ? or is it a matter
 of loop avoidance i.e the AS Numbers won't be
 prepended for the case of iBGP peers.

 Phil.

 __
 Do You Yahoo!?
 Everything you'll ever need on one web page
 from News and Sport to Email and Music Charts
 http://uk.my.yahoo.com
   --
   David Madland
   Sr. Network Engineer
   CCIE# 2016
   Qwest Communications Int. Inc.
   [EMAIL PROTECTED]
   612-664-3367
  
   Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40958t=40741



RE: OSPF network command question [7:40939]

2002-04-09 Thread Kelly Cobean

Right,
Think of the ospf network command as a range statement that you can
interpret like this: If any of the interfaces falls within the given range,
make that interface participate in the OSPF process under the given area.
That means that you can either match the mask given on the interface, or
specify 0.0.0.0, they do the same thing.  Here's where you can minimize your
configuration:

Let's say you have the following 4 interfaces with the IP addresses listed,
and you wanted them all to be in area0:

int e0 192.168.0.0 255.255.255.0
int e1 192.168.1.0 255.255.255.0
int s0 192.168.2.0 255.255.255.0
int s1 192.168.3.0 255.255.255.0

Instead of typing:
config# router ospf 10
config-router# network 192.168.0.0 0.0.0.255 area 0
config-router# network 192.168.1.0 0.0.0.255 area 0
config-router# network 192.168.2.0 0.0.0.255 area 0
config-router# network 192.168.3.0 0.0.0.255 area 0
config-router# exit
config#
...

You could type this:
config# router ospf 10
config-router# network 192.168.0.0 0.0.3.255 area 0
! the above command could even be network 192.168.0.0 0.0.255.255 area 0.
! It would have the exact same effect, assuming the router didn't have other
! interfaces in this range that were either not going to participate in OSPF,
! or are going to be assigned to a different area.
config-router# exit
config#

The router will apply the "If any of the interfaces falls within the given
range, make that interface participate in the OSPF process under the given
area." statement and e0, e1, s0, and s1 will all become OSPF interfaces in
area 0 because the wildcard mask 0.0.3.255 is equivalent to the subnet mask
of 255.255.252.0, which is the CIDR mask of the four subnets.

HTH,
Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I
Network Engineer
GRC International, Inc., an ATT company




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Lomker, Michael
Sent: Tuesday, April 09, 2002 2:28 PM
To: [EMAIL PROTECTED]
Subject: RE: OSPF network command question [7:40939]


If you had additional interfaces on the listed subnet then they would also
be included in OSPF.  The second method will only include the specified
interface.

 -Original Message-
 For example:
 interface fa0/0
 ip address 172.168.1.1 255.255.255.0

 To advertise this network,  you can use two different
 commands and both works
 router ospf 10
network 172.168.1.0 0.0.0.255 area 0




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40959t=40939
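
The wildcard matching described in this thread, as an added Python example (not part of any post): it evaluates OSPF `network` statements against a router's interface addresses and reports interfaces that an over-broad range would pull into OSPF unintentionally. The interface host addresses, the extra `e2` interface, the helper names and the first-match-wins rule are assumptions of this sketch.

```python
import ipaddress
import re


def to_u32(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, base, wildcard):
    """True if address matches base under a wildcard mask (1 bits = don't care)."""
    care = ~to_u32(wildcard) & 0xFFFFFFFF
    return (to_u32(address) & care) == (to_u32(base) & care)


def wildcard_to_netmask(wildcard):
    """Equivalent subnet mask, or None if the wildcard bits are not contiguous."""
    w = to_u32(wildcard)
    if w & (w + 1):  # a contiguous wildcard has the form 2**k - 1
        return None
    return str(ipaddress.IPv4Address(~w & 0xFFFFFFFF))


NETWORK_RE = re.compile(
    r"^[ \t]*network[ \t]+(\S+)[ \t]+(\S+)[ \t]+area[ \t]+(\S+)[ \t]*$", re.M
)


def parse_network_statements(config_text):
    """Return [(base, wildcard, area), ...] in the order the lines appear."""
    return [m.groups() for m in NETWORK_RE.finditer(config_text)]


def ospf_membership(interfaces, statements):
    """Map interface name -> area, or None if no statement matches.

    Assumption of this sketch: the first matching statement, in listed
    order, decides the area.
    """
    result = {}
    for name, addr in interfaces.items():
        result[name] = None
        for base, wildcard, area in statements:
            if wildcard_match(addr, base, wildcard):
                result[name] = area
                break
    return result


def unintended(interfaces, statements, intended):
    """Interfaces that end up in OSPF although they are not in `intended`."""
    members = ospf_membership(interfaces, statements)
    return sorted(n for n, a in members.items() if a is not None and n not in intended)


# Constructed sample: host addresses inside the four subnets from the post,
# plus a hypothetical e2 that is not supposed to run OSPF.
INTERFACES = {
    "e0": "192.168.0.1",
    "e1": "192.168.1.1",
    "s0": "192.168.2.1",
    "s1": "192.168.3.1",
    "e2": "192.168.200.1",
}
INTENDED = {"e0", "e1", "s0", "s1"}

TIGHT = "router ospf 10\n network 192.168.0.0 0.0.3.255 area 0\n"
BROAD = "router ospf 10\n network 192.168.0.0 0.0.255.255 area 0\n"

if __name__ == "__main__":
    for label, cfg in (("0.0.3.255", TIGHT), ("0.0.255.255", BROAD)):
        stmts = parse_network_statements(cfg)
        print(label, ospf_membership(INTERFACES, stmts),
              "unintended:", unintended(INTERFACES, stmts, INTENDED))
```
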



Re: iBGP full mesh ? [7:40741]

2002-04-09 Thread Peter van Oene

inline

At 03:37 PM 4/9/2002 -0400, Kent Yu wrote:
Peter,

- Original Message -
From: Peter van Oene 
To: 
Sent: Tuesday, April 09, 2002 3:55 AM
Subject: Re: iBGP full mesh ? [7:40741]


  I don't disagree with most of your points, but really think synch should
be
  disabled in all cases at all times along with auto summary.  It should be
  disabled by default and indeed shouldn't even be included as a
configurable
  option.
 

I know that's how Juniper defaults its BGP synch. I agree that synch should
be disabled by default, really do not think people will put a non-bgp
speaking router in the middle of their network by design, of course, unless
we are talking about using stuff like MPLS at the core and pushing BGP out
to the edge.

But I still do not like the fact that Juniper makes BGP synch
non-configurable, why not giving users the knob?

Hi Kent.  Juniper makes routers positioned to play in SP networks. These 
networks generally maintain routing information for thousands of 
prefixes.  Pushing these large volumes of routing information into an IGP 
simply isn't a good idea.  In general, any redistribution in either 
direction between BGP and IGP's is frowned upon.  Many routing 
implementations will struggle greatly with 100k+ prefixes in OSPF (they 
don't fit in IS-IS).  I expect the folks at Juniper who wrote the BGP 
implementation were mostly concerned with things people actually use.

I'm personally not aware of any situation where BGP synchronization would 
represent the best solution to a given problem.  To be honest, in the last 
bunch of years, the only place I've even heard the feature discussed has 
been in vendor certification forums where best practises (and reality for 
that matter) seem secondary to passing tests.

Of note, building a BGP free core using MPLS for transport does not 
create a situation where external routing information external to the AS 
needs to be passed into a non BGP routing domain in the same way that using 
an IGP in the core would.

Pete





Thanks
Kent


  At 11:28 AM 4/8/2002 -0400, you wrote:
  It's not default for the same reason why unicast rpf (antispoofing) is
  not default in ISO; because people are stupid, and under poor design, it
  could produce very undesirable and hard to troubleshoot results.  In
  other words, if you don't know why you are disabling synchronization,
  don't do it.
  
  Take the following scenario:  A multihop iBGP link between routers (A)
  and (B) in which a non-bgp IGP router (C) is routing packets between
  them.  Both BGP links are advertising full tables to each other, and,
  under your suggested default config, would attempt to forward packets to
  destinations that router C has no clue about.  Then what does router C
  do with these destinations?
  
  The answer, of course, is to set up a iBGP full mesh, and then to
  disable synchronization , and if you are smart, design your network so
  that your IGP learns only about downstream routes and set a default
  route up to the core of your network.
  
  Anyway, the point being, sync is enabled by default because you really
  should know what you are doing before you disable it.
  
  On Mon, 2002-04-08 at 10:44, MADMAN wrote:
I can think one one good reason why you would disable sync, you can't
redistribute 100K routes into ANY IGP.  Why are you so concerned
about
disabling sync??  It should be default.
   
  Dave
   
Jay wrote:

 BGP Rules of thumb:

 BGP advertised prefix must also exist in local IGP table.
 iBGP learned prefix must also exist in local IGP table
   -or use #no sync on iBGP learning router, but if you do, you'd
sure
  as
 hell better know why you disabled it.

 On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
  Hi Group,
 
  Hope someone can help out with this as I don't have
  access to my kit at the moment.
 
  I tried to set up my first BGP lab last week.
  I configured a full iBGP mesh, three routers connected
  in a triangle via serial lines.
 
  I set up "neighbour" statements on each router (Hope
  Radia can forgive the extra vowel !!!) and advertised
  the networks.
 
  I got the BGP table working but nothing was promoted
  to the main routing table, and therefore couldn't ping
  non directly connected interfaces. I tried various
  approaches like putting a default route in and running
  an IGP but still no promotion to the main table.
 
  Should this be possible with iBGP ? or is it a matter
  of loop avoidance i.e the AS Numbers won't be
  prepended for the case of iBGP peers.
 
  Phil.
 
  __
  Do You Yahoo!?
  Everything you'll ever need on one web page
  from News and Sport to Email and Music Charts
  http://uk.my.yahoo.com
--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications 

Re: iBGP full mesh ? [7:40741]

2002-04-09 Thread Peter van Oene

inline

At 03:02 PM 4/9/2002 -0400, Howard C. Berkowitz wrote:
 Comments inline
 
 At 11:19 AM 4/9/2002 -0400, Chuck wrote:
 Ah, but there is this little thing called the standard, and the
standard
 requires that it be done the way it is because BGP SHOULD be advertising
 only REACHABLE nets. What would the internet be, if unreachable nets were
   advertised willy nilly? ;-

Agreed. That's one of the fundamental loop and thrashing mechanisms,
with some minor exceptions for deliberate blackhole routes that
relate to someone's own address block.

 
 
 Sure.. BGP synchronization (particularly with OSPF) hasn't been on the BGP
 standards track for a while.
 
 I think it was Avi Freeman ( sp? ) who put it so poetically: ( and I am
 paraphrasing ) A BGP route is a promise.
 
 Putting BGP into the your IGP would be a threat
 
 I haven't researched, but I would wager a guess that the no synch
option
 was added in a later revision of the BGP standard based on real world
   experience.

The earlier versions of BGP (and, for that matter, OSPF), did allow
for the possibility of mutual redistribution.  Experience, of course,
showed that was a bad idea.  Pervasive iBGP works much better.

I wouldn't be surprised if (1) Juniper didn't implement sync because
it was recognized by then that it was a bad idea and (2) Cisco
couldn't drop it because people were using it.

 It is a concession to human frailty in a protocol that requires
   perfection. It is also the start of the proverbial primrose path that
can
 lead you to hell in a handbasket real fast, if you don't understand the
 differences between BGP operation and the behaviour of the other routing
   protocols.

To the best of my recollection, synch is not in Draft 18 of the
in-process RFC 1771 revision.

Was it ever discussed in any BGP spec?  It's certainly not in 1771, nor 
1267 as far as I know.



 
 I think synch, beyond OSPF-BGP interaction, is a vendor implementation
 issue, and not actually described in BGPv4 (or v3 for that matter if i
 recall correctly)

Given that the OSPF-BGP interaction RFC has been declared Historic,
meaning obsolete, that's probably not good evidence.

Was just making the point that beyond OSPF-BGP interaction, I've never seen 
BGP-IGP synchronization described in any ietf documentation related to best 
practise BGP implementations.



Many of those

 
 
 See what happens when you read too much Raymond Chandler? :-
 
 Chuck
 
 
 
 Peter van Oene wrote in message news:[EMAIL PROTECTED]...
I don't disagree with most of your points, but really think synch
should
 be
disabled in all cases at all times along with auto summary.  It
should
be
disabled by default and indeed shouldn't even be included as a
 configurable
option.
   
At 11:28 AM 4/8/2002 -0400, you wrote:
It's not default for the same reason why unicast rpf (antispoofing)
is
not default in ISO; because people are stupid, and under poor
design,
it
could produce very undesirable and hard to troubleshoot results.  In
other words, if you don't know why you are disabling
synchronization,
don't do it.

Take the following scenario:  A multihop iBGP link between routers
(A)
and (B) in which a non-bgp IGP router (C) is routing packets between
them.  Both BGP links are advertising full tables to each other,
and,
under your suggested default config, would attempt to forward
packets
to
destinations that router C has no clue about.  Then what does
router C
do with these destinations?

The answer, of course, is to set up a iBGP full mesh, and then to
disable synchronization , and if you are smart, design your network
so
that your IGP learns only about downstream routes and set a default
route up to the core of your network.

Anyway, the point being, sync is enabled by default because you
really
should know what you are doing before you disable it.

On Mon, 2002-04-08 at 10:44, MADMAN wrote:
  I can think one one good reason why you would disable sync, you
can't
  redistribute 100K routes into ANY IGP.  Why are you so concerned
 about
  disabling sync??  It should be default.
 
Dave
 
  Jay wrote:
  
   BGP Rules of thumb:
   
   BGP advertised prefix must also exist in local IGP table.
   iBGP learned prefix must also exist in local IGP table
 -or use #no sync on iBGP learning router, but if you do,
you'd
 sure
as
   hell better know why you disabled it.
  
   On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
Hi Group,
   
Hope someone can help out with this as I don't have
access to my kit at the moment.
   
I tried to set up my first BGP lab last week.
I configured a full iBGP mesh, three routers connected
in a triangle via serial lines.
   
I set up "neighbour" statements on each router (Hope
Radia can forgive the 

RE: CCNP Training kit [7:40915]

2002-04-09 Thread Matthew Meiers

The kit is just way too small for the amount of information you are to
know for CCNP.  The entire section on BGP4 in the routing book is only
100 pages.  I am telling you that there is no way that you will know BGP
well enough to pass the exam after reading that section.  I used CCIE
study guides to pass my CCNP.  The CCIE books from Cisco Press are much
more complete, as well they should be, but you will KNOW the topic, not
just know the topic.

Does this clarify?  

-Original Message-
From: Mike Sweeney [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: CCNP Training kit [7:40915]

Matt-

Can you define *terrible*??  bad questions? incorrect? 

Inquiring minds would like to know

MikeS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40964t=40915



RE: Hardening Ports? [7:40852]

2002-04-09 Thread Ali Mesdaq

Yeah there is a price to be paid for performance and support. Try doing a
scan of 50 machines in Nessus and do the same scan in Retina. Retina from my
experience will do 50 machines in less than an hour. Nessus might be about a
day. Plus the reviews have shown that Nessus doesn't see all the
vulnerabilities that Retina sees. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 12:33 PM
To: Ali Mesdaq
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Hardening Ports? [7:40852]



Hi Ali,

Nessus is free, Retina is 945.00 USD


Thanks



Kevin McCarty
CCNA CCNP
Computer Sciences Corporation
Defense Sector


 

Ali Mesdaq
Sent by: nobody
04/09/2002 12:55 PM
Please respond to Ali Mesdaq
Subject: RE: Hardening Ports? [7:40852]





You also might want to try Retina from eEye. It's the best scanner on the
market.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 10:26 AM
To: [EMAIL PROTECTED]
Subject: Re: Hardening Ports? [7:40852]

Hello all,

The absolute best info (IMHO) is www.sans.org. They are up to the minute,
and OS savvy beyond belief. SANS has the uncanny ability to have gray
hackers who 'contribute' to their security efforts.   Forget google, go to
the source.
After you harden your system don't forget to scan it heavily to see what is
still open. If you have a linux/solaris box available go to
www.nessus.org and use their scanner.  (Good stuff, but you can kill a
server with it if you scan too heavily.)   It is my firm belief that you
cannot do network security effectively without knowledge of OS platforms
and what processes/daemons they have running.
Have a good day.




Kevin McCarty
CCNA CCNP
Computer Sciences Corporation
Defense Sector





Charlie
cc:
Sent by: nobody
04/09/2002 10:04 AM
Please respond to Charlie
Subject: Re: Hardening Ports? [7:40852]








Thanks, Kent.  Chee Kin and Sam actually answered my question already.
Nonetheless, thanks for your advice.  Google is where I will also check in
the future (although this newsgroup is proving to be very helpful).

Charlie

Kent Hundley wrote in message
news:[EMAIL PROTECTED]...
 Charlie,

 As others noted, it depends on your OS.  I would recommend doing a search on
 google for your OS+hardening.  You'll probably find what you're looking for.
 Also consult your vendor's web site and http://www.sans.org for more info.

 HTH,
 Kent

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Charlie
 Sent: Monday, April 08, 2002 12:51 PM
 To: [EMAIL PROTECTED]
 Subject: Hardening Ports? [7:40852]


 Hello, all :-)

 I was hoping one (or many) of you could help me with a question I have: how
 do I lock-down ports on a server?  I know how to lock them down on firewalls
 and routers, but how to do it on a server is my question.  I know it's a
 general question but any assistance would be most appreciated.

 Truly,
 Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40965t=40852



Very Strange [7:40966]

2002-04-09 Thread Kevin Corbin

I've got a 2501, that I cannot connect directly to the console port of,
however, if using the same PC, same cable, and all settings the same, I can
connect fine to all of my other routers. And if I use the AUX port on
another router connected via rollover cable into the console port on this
2501, it works fine w/ a reverse telnet session. Anyone ever seen this? any
suggestions?

Thanks,
Kevin


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40966t=40966



RE: Very Strange [7:40966]

2002-04-09 Thread Georg Pauwen

Hi Kevin,

this is from the Cisco site:

Console Port Problem on Cisco 2500

Symptom
Output from the router on the console screen can be seen, but anything which
is typed in is not seen.

Problem
The terminal is set to use Ready To Send/Clear To Send (RTS/CTS) flow
control.

On all other routers, the console port is wired to connect RTS and CTS so
even though we don't do real flow control, the terminal sees CTS in response
to asserting RTS.

Due to the RJ45 - DB25 adapter wiring for the 2500, this is not possible.

Solution
Disable hardware flow control or strap CTS high.

Hope this helps,

Georg


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40968t=40966



RE: Very Strange [7:40966]

2002-04-09 Thread Ali, Abbas

Is your 2501 router booting correctly?  If it is booting in rommon, then you
will not be able to access the router through console with the standard
settings.  What you need to do is to change your baud rate to 38400, and
keep increasing unless it sees it.  Don't change the baud rate and then
expect it will work.  If it doesn't work with 38400, then close it and
reopen hyper terminal with the new baud rate and so on.  Believe me I have
been through this.

Abbas

-Original Message-
From: Kevin Corbin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 1:36 PM
To: [EMAIL PROTECTED]
Subject: Very Strange [7:40966]


I've got a 2501, that I cannot connect directly to the console port of,
however, if using the same PC, same cable, and all settings the same, I can
connect fine to all of my other routers. And if I use the AUX port on
another router connected via rollover cable into the console port on this
2501, it works fine w/ a reverse telnet session. Anyone ever seen this? any
suggestions?

Thanks,
Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40970t=40966



RE: New CCNP Exam [7:40967]

2002-04-09 Thread Matthew Meiers

It appears to be soon.  Cisco is already listing the old 500 series
exams as no longer applicable on the tracking page.

-Original Message-
From: Tony Chen [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 09, 2002 3:48 PM
To: [EMAIL PROTECTED]
Subject: New CCNP Exam [7:40967]

Cisco has finished the beta testing to CCNP exams.  Does anyone know
when
are they going to roll out and replace the current CCNP 2.0?

Tony






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40971t=40967



Re: Ethernet [7:40886]

2002-04-09 Thread Steven A. Ridder

Get a sniffer.  If you're good, you can use Ethereal to see if you can spot
the offender, otherwise, use Sniffer, as it will do it for you.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


kaushalender wrote in message
news:[EMAIL PROTECTED]...
 Hi group,

 we have around 400 computers in the building on the LAN. I have one 2610
 router which is our gateway router. On the Ethernet of the router I am
 receiving a huge amount of multicast and crc4 errors. I have one more
 Telendus router which is connected with my customer on serial. The problem
 is that on the customer's link after some time the ms get increased and
 then it chokes the link. What I am guessing is that one or more
 Ethernet devices are malfunctioning. The problem is how to find those devices
 which are malfunctioning. Please help to solve this problem.

 Thanx
 Kaushslender




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40972t=40886



Re: Very Strange [7:40966]

2002-04-09 Thread Craig Columbus

Check the archives.  I went through this exact scenario with a router that 
I sold to someone a couple of months ago.  It worked fine when I had it, 
but when it got to their site, they couldn't connect.  I used Teraterm, 
they used Hyperterm.  They didn't want to use Teraterm (I don't know why) 
and we ended up resolving the problem by replacing the flash.  Strange, but 
true.

Craig

At 04:35 PM 4/9/2002 -0400, you wrote:
I've got a 2501, that I cannot connect directly to the console port of,
however, if using the same PC, same cable, and all settings the same, I can
connect fine to all of my other routers. And if I use the AUX port on
another router connected via rollover cable into the console port on this
2501, it works fine w/ a reverse telnet session. Anyone ever seen this? any
suggestions?

Thanks,
Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40973t=40966



RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Kent Hundley

Mark,

Typically the alias command is used when:

1) You have overlapping addresses, i.e. you're using 10 net addressing and you
have to connect to someone else who is also using 10 net addressing (this is
done through DNS doctoring) Or you have a split DNS. (see below)

2) You want to translate the dst address of packets going from inside to
outside on the PIX.

If you have a situation where your DNS is external and your servers are
internal, you probably don't want the internal hosts accessing the internal
servers using their external address. In order for the DNS replies to give
the internal hosts the internal address of the servers, you would use the
alias command to alter the reply to the internal hosts.

This comes into play when you have what is typically called a split-brain
DNS.  The external DNS can only resolve hosts which are accessible from the
outside.  The internal DNS forwards to the external for name resolution of
externally accessible hosts.  Since the DNS resolution yields an externally
reachable address, you would use the alias to make sure that the internal
hosts use the internal IP while the external hosts use the external IP.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mark Odette II
Sent: Tuesday, April 09, 2002 8:38 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Kent- What if you have your DNS Server(s) (resolving Public addresses for
the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the
PIX with all of them running RFC1918 addresses, and you want both inside and
outside sourced traffic (Any Any) to reach the Web or Mail Server?  Is the
Alias command used for the inside hosts to reach the servers when resolving
to the Public Addresses only??

Forgive my ignorance... I'm just catching back up on my PIX studies, and see
where the above scenario comes into play on a regular basis for small/medium
networks where the Business/Organization hosts their own DNS and has their
ISP provide Secondary DNS for them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Robert,

Ok, I'm more confused than before. :-)

You say "I do want any outside host to access the web server" and then you
say "So, I do want everyone to access the web server at ip address
xxx.yyy.115.190", this seems like contradictory statements to me unless you're
saying you want only _internal_ hosts to access the web server, but use its
external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server?
Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server?  It appears that it is on the outside of the
PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web
server by its internal IP address? I don't see why that would be the case.
Using the alias command, the DNS replies would be doctored so that the web
server's IP would appear to internal clients as 172.20.21.241 and they
should just go directly to that address without having to go to the PIX.
(this assumes the DNS is on the external interfaces of the PIX and the web
server's DNS resolves to xxx.yyy.115.190)

If you want an external host to access the web server, you're going to have to
modify your conduit statement(s).

Regards,
Kent

-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Please don't think I'm being argumentative, I'm trying to explain the
configuration I have and what I'm trying to accomplish.  This is coming
from my understanding and concept, which I am starting to think is way off
base.  What really throws me is that this configuration is working at
another site and at this site with my PIX 506 running Ver 5.1, just not
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type
of a configuration first and just assumed it's the norm, when in fact it
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone
does a DNS lookup for the www.domainname it resolves to
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the
domainname has a public address of xxx.yyy.115.190 the actual ip address of
the server is 172.20.21.241.  That's where the static and conduit commands
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because
of the static statement) and sends it to 172.20.21.241 (I would use the
term routes it to 172.20.21.241 but I am afraid it would cause further
confusion ... to me).  So, 

RE: Cisco Audio Files [7:40911]

2002-04-09 Thread Sam Deckert

That's great - thanks!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 9 April 2002 11:42 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Audio Files [7:40911]


Is this what you are looking for:
http://recording.safeshopper.com/index.htm?648?

Andy

-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]


Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such
as from sessions at Networkers?

I would like to be able to listen to them in the car

Thanks for any help anyone is able to provide...

Sam.

[GroupStudy.com removed an attachment of type text/x-vcard which had a name
of Sam Deckert.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40975t=40911



RE: PIX problem [7:40928]

2002-04-09 Thread Lidiya White

You'll never be able to ping interface of the PIX that is not directly
connected to you (like in your case). Not access-list, not icmp commands
can enable that 'feature'. 


-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
dk
Sent: Tuesday, April 09, 2002 10:14 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX problem [7:40928]

Thanks for the input,   I have allowed the required icmp access ...

To try and clarify ...

I'm trying to ping the pix interface E1 (ip address 10.222.62.1) through pix
interface E0 (ip address 10.222.33.1) from my workstation (ip address
10.222.32.100). I can successfully ping the PIX E0 interface and any devices
on the 10.222.62.0 network going through the PIX E1 interface, but when I
try to ping the PIX E1 interface itself I get no response, no error is logged
and the conduit hitcount is not incremented.

Is it a feature?






- Original Message -
From: HORVATH TAMAS 
To: 
Sent: Tuesday, April 09, 2002 4:04 PM
Subject: Re: PIX problem [7:40928]


 Hi!

 See http://www.cisco.com/warp/customer/110/31.html


 According to this document Inbound ICMP through the PIX is denied by
 default; outbound ICMP is permitted, but the incoming reply is denied by
 default. So you can ping every PIX interface from the PIX and from the
 directly connected LAN, but can't ping through the pix.

 I think you should not ping through the PIX default, just from the PIX (from
 Telnet console).

 According to this document: In PIX Software versions 4.1(6) until 5.2.1,
 ICMP traffic to the PIX's own interface is permitted; the PIX cannot be
 configured to not respond. Beginning in PIX Software version 5.2.1, ICMP is
 still permitted by default, but PIX ping responses from its own interfaces
 can be disabled with the icmp command (that is, a stealth PIX)


 By, HT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40976t=40928



Interautomomous systems for MPLS VPNs [7:40977]

2002-04-09 Thread Salman Zahid

Hello everyone:

This forum has probably some of the best minds in the
area of networking and we have been benefiting from
this forum big time. I have a question on configuring
MPLS based VPNs spanning more than one AS. The ASBRs
are not provider or provider edge routers. I am trying
to replicate the scenario given on this link at
Cisco's website.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120st/120st17/intras17.htm


I have been able to get the routes belonging to the
same VPN on both sides, but unable to ping any network
on both sides. Does anyone have any idea on what's
missing?

Thank you
Salman.








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40977t=40977



Re: OSPF network command question [7:40939]

2002-04-09 Thread Scott H.

The first command will advertise the entire block.  If you have other
interfaces in that block, they will be included.  The second command says to
just advertise that interface.

HTH,
Scott

Ruihai An wrote in message
news:[EMAIL PROTECTED]...
 When I do a CCIE lab from CCIEBootCamp, I noticed two different ways to
 advertise a network under OSPF.   I wonder if anyone can explain the
 differences between the two.

 For example:
 interface fa0/0
 ip address 172.168.1.1 255.255.255.0

 To advertise this network, you can use two different commands and both work
 router ospf 10
network 172.168.1.0 0.0.0.255 area 0

 or you can also use:
 router ospf 10
 network 172.168.1.1 0.0.0.0 area 0

 Please notice the second network command uses Exact IP address on the
 interface, instead of network numbers.

 Thanks

 Ruihai




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40949t=40939



RE: Identify 1750 models [7:40857]

2002-04-09 Thread Mark Odette II

Dennis- Unfortunately, the 1750's don't say on the outside of them if they
are a 2V or 4V model.

The only way to tell, short of crackin' the baby open, is to have the seller
issue the following command from the console:

C1750#Show Diag

... and from the output, you should look for:

Packet Voice DSP Module Slot 0:

Number of DSPs  :1
or
Number of DSPs  :2


1 = 2V Voice Router
2 = 4V Voice Router

Then, you can start choosing between your choice of FXS/FXO/EM VIC.

Note that you can only put two VICs total into the 1750, and Slot 0 is the
only slot you don't put these cards in.

As far as where to buy... Ebay still seems to be the least expensive from my
perspective... but perhaps somebody knows of a better source.

Good Luck.
-Mark Odette II

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Dennis Laganiere
Sent: Tuesday, April 09, 2002 1:11 PM
To: [EMAIL PROTECTED]
Subject: Identify 1750 models [7:40857]


I have several voice modules and I wanted to use them in my study pod.
Going through the archives and the CCO it looks like the cheapest solution
is using 1750's, and what I need are 2v's or 4v's (not the basic model).
Here is my problem...

None of the 1750's I've seen on ebay say what model they are, and the
sellers I've e-mailed haven't seen any designation on the outside of the
chassis.  Not having ever seen any 1750's myself, I don't know how to tell
them apart.  I'm hoping someone here can help my identify the specific model
designations, and perhaps alternatively, tell me where I could just buy the
units at a reasonable price...

Thanks all

--- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40962t=40857



Re: OSPF network command question [7:40939]

2002-04-09 Thread Howard C. Berkowitz

When I do a CCIE lab from CCIEBootCamp, I noticed two different ways to
advertise a network under OSPF.   I wonder if anyone can explain the
differences between the two.

For example:
interface fa0/0
 ip address 172.168.1.1 255.255.255.0

To advertise this network, you can use two different commands and both work
router ospf 10
network 172.168.1.0 0.0.0.255 area 0

or you can also use:
router ospf 10
 network 172.168.1.1 0.0.0.0 area 0

Please notice the second network command uses Exact IP address on the
interface, instead of network numbers.

Thanks

Ruihai

I always use the exact IP address form, as do many of the OSPF 
old-timers. In my opinion, it makes troubleshooting and documentation 
easier.
-- 
What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not 
directly to me***

Howard C. Berkowitz  [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40963t=40939



RE: 6509 trunk to 3524? Any suggestions [7:40880]

2002-04-09 Thread Tim Potier

From the Cisco site:
Dynamic Trunk Protocol (DTP) 
Note: 2900 XL/3500 XL /2950 Switches do not support DTP 

There are different types of trunking protocols. If a port can become a
trunk, it may also have the ability to trunk automatically, and in some
cases even negotiate what type of trunking to use on the port. This ability
to negotiate the trunking method with the other device is called DTP.

The 2900 XL/3500 XL/2950 switches do support EtherChannel and trunking, but
they do not support dynamic EtherChannel creation (Port Aggregation Protocol
(PAgP) ) or dynamic trunk negotiation



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40978t=40880



Re: Cisco VPN Client PIX [7:40670]

2002-04-09 Thread Fly Ers

I didn't see an update on this, but unless there has been an upgrade to the
Linksys, it will only pass 1 IPsec tunnel.  If there is an existing
connection, and another is attempted, the original one will be dropped.
There are some higher end (higher priced) firewall devices that will pass
a large number of tunnels.  How many clients are you trying to terminate?
You might think about a PIX 501.

hope this helps


From: Curious 
Reply-To: Curious 
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN Client  PIX [7:40670]
Date: Sat, 6 Apr 2002 12:48:48 -0500

Clients are behind Linksys Cable/DSL router and in the office we have PIX
515.
PIX assigns IP address from Local IP address Pool.

Curious wrote in message
news:[EMAIL PROTECTED]...
  I am using Cisco VPN Client to connect with my Office PIX 515 firewall over
  IPSEC 3DES encryption. My connection is dropping automatically. It is not
  because of idle time out or maximum time out. It happens randomly. If
  someone has any information on it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40979t=40670



OT: CCIE Lab for Sale [7:40980]

2002-04-09 Thread Albert Lu

Hello Group,

I have the following equipment for sale from my Lab after passing my CCIE:

Cisco 2503 16Flash/16DRAM   
Cisco 2503 16Flash/16DRAM   
Cisco 2503 16Flash/16DRAM   
Cisco 2501 16Flash/16DRAM   
Cisco 2501 16Flash/16DRAM   
Cisco 2509 16Flash/16DRAM   
Catalyst 5000   
WS-5009 Supervisor Engine I
WS-5213a 12 RJ45 port 10/100 Ethernet Module
WS-5213a 12 RJ45 port 10/100 Ethernet Module
WS-5010 24-Port 10BaseT Module (will provide 1 breakout cable)
WS-X5155 ATM LANE Module 

Prefer buyers in Australia.

Make me a serious offer.


Albert Lu
CCIE #8705
[EMAIL PROTECTED]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40980t=40980



RE: OSPF network command question [7:40939]

2002-04-09 Thread Sarkis Karagozian

Just Like to Add that:

These are Connected Networks on the router for OSPF to advertise out to other OSPF
Neighbours


Sarkis Karagozian
Corporate Network Engineering
EarthLink Inc. (ELNK)
Tel. 626 345-2828, X 52828, Cell 626 676-3723
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Lomker, Michael
Sent: Tuesday, April 09, 2002 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: OSPF network command question [7:40939]


If you had additional interfaces on the listed subnet then they would also
be included in OSPF.  The second method will only include the specified
interface.

 -Original Message-
 For example:
 interface fa0/0
 ip address 172.168.1.1 255.255.255.0

 To advertise this network,  you can use two different
 commands and both work
 router ospf 10
network 172.168.1.0 0.0.0.255 area 0




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40981t=40939
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
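
The difference described in this thread's replies, as an added example that is not from any poster: the wildcard in an OSPF `network` statement only selects which interfaces run OSPF, and the advertised prefix still comes from each interface's own mask. `FastEthernet0/0` is the interface from the thread; every other interface, `ROUTER_B` and the function names are constructed for illustration.

```python
import ipaddress


def wildcard_covers(address, network, wildcard):
    """True if `address` matches an IOS `network <network> <wildcard>` statement.

    Wildcard bits set to 1 are "don't care"; only the 0 bits are compared.
    """
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (
        int(ipaddress.IPv4Address(network)) & care
    )


def ospf_selected(interfaces, network, wildcard):
    """Return {interface name: prefix put into OSPF} for one network statement.

    The statement only selects interfaces by address; the prefix that is
    advertised is derived from the interface mask, not from the wildcard.
    """
    selected = {}
    for name, address, mask in interfaces:
        if wildcard_covers(address, network, wildcard):
            prefix = ipaddress.ip_interface(f"{address}/{mask}").network
            selected[name] = str(prefix)
    return selected


# FastEthernet0/0 is the interface quoted in the thread; the rest is constructed.
ROUTER_A = [
    ("FastEthernet0/0", "172.168.1.1", "255.255.255.0"),
    ("Serial0/0", "172.168.2.1", "255.255.255.252"),
    ("Loopback0", "10.0.0.1", "255.255.255.255"),
]

# Constructed variation: the same /24 block carved into two /25 interfaces,
# i.e. "other interfaces in that block".
ROUTER_B = [
    ("FastEthernet0/0", "172.168.1.1", "255.255.255.128"),
    ("FastEthernet0/1", "172.168.1.129", "255.255.255.128"),
]

STATEMENTS = [("172.168.1.0", "0.0.0.255"), ("172.168.1.1", "0.0.0.0")]

if __name__ == "__main__":
    for label, router in (("ROUTER_A", ROUTER_A), ("ROUTER_B", ROUTER_B)):
        for net, wc in STATEMENTS:
            result = ospf_selected(router, net, wc)
            print(f"{label}: network {net} {wc} area 0 -> {result}")
```

On `ROUTER_A` both forms enable OSPF on the same single interface; on `ROUTER_B` the range form also brings in `FastEthernet0/1`, while the exact-address form does not.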



cnr [7:40984]

2002-04-09 Thread yangchun

dear all:
When I install the CNR5.5 on Sun, how can I remove my data of CNR5.0
installed in the WINNT?

THANKS VERY MUCH!

--
Regards

Yangchun

---
Telindus Ltd. Beijing Office
RM408/410, Office Tower, Beijing Capital Times Square,
No.88 West Changan Ave., Beijing, P.R.C.
---

mailto: [EMAIL PROTECTED]
tel: +86 (10) 8391 5323~5330 Ext: 6015
fax: +86 (10) 8391 5321
 ---
For more information about our products and services,
please visit our website: 
 ---
Secure connectivity  mobility




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40984t=40984



ac-path access list [7:40983]

2002-04-09 Thread Steven A. Ridder

Is there any difference in these two commands?

A.  ip as-path access-list deny _10_

B.  ip as-path access-list deny ^10$

If I understand correctly, they both deny AS 10, and only 10.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40983t=40983
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
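
How the two patterns from this post evaluate against sample AS paths, as an added example that is not part of the original post. It translates the IOS `_` metacharacter into a Python regex and applies first-match evaluation with the implicit deny at the end of an as-path access list. The AS paths, the trailing `permit .*` entries and all function names are constructed.

```python
import re

# In IOS regular expressions "_" matches the start or end of the string,
# a space, a comma, braces or parentheses, i.e. any AS-number delimiter.
_DELIMITER = r"(?:^|$|[ ,{}()])"


def to_python_regex(ios_pattern):
    """Translate the IOS "_" metacharacter; other syntax is passed through.

    Assumption: "_" is not escaped and not used inside a character class.
    """
    return ios_pattern.replace("_", _DELIMITER)


def path_matches(ios_pattern, as_path):
    """True if the AS_PATH string matches the IOS pattern anywhere."""
    return re.search(to_python_regex(ios_pattern), as_path) is not None


def evaluate(entries, as_path):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, pattern in entries:
        if path_matches(pattern, as_path):
            return action
    return "deny"


# Constructed AS_PATH strings in the form IOS displays them
# (leftmost AS is the nearest neighbour, "" is a locally originated route).
PATHS = [
    "10",          # originated by AS 10, learned directly from it
    "10 20",       # learned from AS 10, originated by AS 20
    "20 10",       # originated by AS 10, learned via AS 20
    "30 10 40",    # AS 10 is a transit AS
    "100",         # contains the digits "10" but not AS 10
    "110 20",
    "20 1010",
    "20 {10,30}",  # AS 10 inside an AS_SET
    "",
]

# The two patterns from the post, each followed by a constructed "permit .*"
# so that only the deny entry decides what is filtered.
LIST_A = [("deny", "_10_"), ("permit", ".*")]
LIST_B = [("deny", "^10$"), ("permit", ".*")]


def denied(entries, paths=PATHS):
    """Return the paths that the list filters out."""
    return [p for p in paths if evaluate(entries, p) == "deny"]


if __name__ == "__main__":
    print("_10_ denies:", denied(LIST_A))
    print("^10$ denies:", denied(LIST_B))
    # A list holding only deny entries filters every path (implicit deny).
    print("deny-only list on '20 30':", evaluate([("deny", "^10$")], "20 30"))
```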



4006 w/SUPII and WS-X4019 [7:40985]

2002-04-09 Thread Jeffrey Reed

If you're running the CAT4000 with a SUPII, how many PPS is it capable of
switching? If you add the WS-X4019, it says it's wire-speed so I was
wondering what you lose without it. Anyone notice any problems with 5
blades of 10/100 in a CAT4000 with SUPII?

Thanks!!

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40985t=40985



Re: Very Strange [7:40966]

2002-04-09 Thread Kevin Corbin

Craig - Thanks for the input, I downloaded Teraterm, and it works fine with
that, however, I am still bugged by the fact that hyperterminal doesn't
work.  I'm going to try different flash and see what happens.

Thanks for the input.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40982t=40966



OT: positions' names [7:40986]

2002-04-09 Thread Forums Canada

Hi to the group

I am working to make my resume. I am a little confused with 
the positions I should put on the resume. It is because I read 
a lot of job descriptions on Monster.com, Workopolis and other 
sites like these.

The questions is : which are the differences between network analyst,
network engineer, network support engineer, system administrator and
many others.

Mainly it seems that the same duties are covered by different titles on
different companies.
Could you help me or give me some useful links for this matter  ?

Thanks in advance for any clue




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40986t=40986



a may b simple prob [7:40987]

2002-04-09 Thread Muhammad Hammad Alam

Hi,
I want to do some sort of content based data filtering on either Cisco
4500 or AS 5300.
I want to connect some of my  servers via a 2900 to this 4500. So that,
as soon as some special traffic (which I have predefined such as if I
want web traffic) comes to the router it throws it to those servers
(which may be running some sort of caching).

I know that there r dedicated stuff available from cisco too ( as cisco
has everything for everything) for the said purpose, so if u wanna
advice me to buy that , plz send in your credit card info along with too
:).

If you can give me any idea on how to accomplish this. I'm all
ears

Regards,
MHA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40987t=40987



Now What???????? [7:40988]

2002-04-09 Thread Juan Blanco

Team,
After you pass the written what do you do in reference to the following:

1) Do you mention it in your resume and if you do any suggestions (I know it
is not a certification).
CCIE Lab(schedule for xx-xx-xx)
Passed CCIE Written, Lab(schedule for xx-xx-xx)
Working on the CCIE Lab
Put nothing because the written is not a certification..

2) Any book which will help you to put together a very organize and
structure plan of studding for the lab(very similar to Caslow's book)
I already have the following books:
CASLOW, HUTNIX, DOYLE
3) How similar are the labs and hardware layout from the FATKID to the real
thing.I planning to use the same format (what is your recommendation)

Wow, the more we think we know the less we know...I feel very
goodsome people are saying that I don't have a life because all I talk
about is Cisco...Cisco...routersswitchesbridges


Thanks,


JB




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40988t=40988



RE: BCRAN question [7:37481]

2002-04-09 Thread NGUYEN DUC HAI

Dear Friends,
My name is HAI NGUYEN DUC, I live in Viet Nam. Now, I am on track to take
the CCNP certificate. Please help me by sending all documents that are related to
this exam. Thanks a lot.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40989t=37481



content based switching?? [7:40990]

2002-04-09 Thread Muhammad Hammad Alam

Hi,
I want to do some sort of content based data filtering on either Cisco
4500 or AS 5300.
I want to connect some of my  servers via a 2900 to this 4500. So that,
as soon as some special traffic (which I have predefined such as if I
want web traffic) comes to the router it throws it to those servers
(which may be running some sort of caching).

I know that there is dedicated stuff available from Cisco too (as Cisco
has everything for everything) for the said purpose, so if you wanna
advise me to buy that, please send in your credit card info along with it too
:).

If you can give me any idea on how to accomplish this, I'm all
ears.

Regards,
MHA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40990t=40990



bonehead move [7:40991]

2002-04-09 Thread Edward Sohn

hey all

i was trying to upgrade my flash on my Cat5/SupIII to the latest
version, when I decided to delete the old flash first...well, after
rebooting--DUH--the Cat booted into rommon mode...i didn't have an image
on file, and i couldn't do an xmodem via rommon mode, because the CCO
site says i have to have version 5 rommon or later, which i don't (4.2).


thus, according to the CCO site, the only ways to restore an image is to
(1) use a flash card with an image (which i don't have); (2)  install a
flash chip with the image already on it; or (3) upgrade the ROM to
version 5 and do an xmodem via the console port.

ugggh...i knew i was reckless going into this, but i guess i didn't
think ahead enough...anyway, i'm just sending this out in hopes that one
of you has encountered this situation before and has a
solution...otherwise, i gotta dig into the pockets again...

please help...

thanks,

eddie







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40991t=40991



Re: bonehead move [7:40991]

2002-04-09 Thread Eric

The boot ROMs are free from Cisco except for the cost of shipping. The part
number is WS-X5530-BOOT=. You need to call customer service at Cisco to
get this. If you call the TAC they'll want a Smartnet contract covering the
item in question. I don't have the customer service number in front of me.
Search the Cisco site for the number.

-Eric

- Original Message -
From: Edward Sohn 
To: 
Sent: Tuesday, April 09, 2002 9:10 PM
Subject: bonehead move [7:40991]


 hey all

 i was trying to upgrade my flash on my Cat5/SupIII to the latest
 version, when I decided to delete the old flash first...well, after
 rebooting--DUH--the Cat booted into rommon mode...i didn't have an image
 on file, and i couldn't do an xmodem via rommon mode, because the CCO
 site says i have to have version 5 rommon or later, which i don't (4.2).


 thus, according to the CCO site, the only ways to restore an image is to
 (1) use a flash card with an image (which i don't have); (2)  install a
 flash chip with the image already on it; or (3) upgrade the ROM to
 version 5 and do an xmodem via the console port.

 ugggh...i knew i was reckless going into this, but i guess i didn't
 think ahead enough...anyway, i'm just sending this out in hopes that one
 of you has encountered this situation before and has a
 solution...otherwise, i gotta dig into the pockets again...

 please help...

 thanks,

 eddie







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40992t=40991



RE: bonehead move [7:40991]

2002-04-09 Thread Larry Letterman

If all else fails, I'll send you a flash card.
Let me know if you need it (assuming you don't get something else)



Larry Letterman
Cisco Systems
[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Edward Sohn
Sent: Tuesday, April 09, 2002 9:11 PM
To: [EMAIL PROTECTED]
Subject: bonehead move [7:40991]


hey all

i was trying to upgrade my flash on my Cat5/SupIII to the latest
version, when I decided to delete the old flash first...well, after
rebooting--DUH--the Cat booted into rommon mode...i didn't have an image
on file, and i couldn't do an xmodem via rommon mode, because the CCO
site says i have to have version 5 rommon or later, which i don't (4.2).


thus, according to the CCO site, the only ways to restore an image is to
(1) use a flash card with an image (which i don't have); (2)  install a
flash chip with the image already on it; or (3) upgrade the ROM to
version 5 and do an xmodem via the console port.

ugggh...i knew i was reckless going into this, but i guess i didn't
think ahead enough...anyway, i'm just sending this out in hopes that one
of you has encountered this situation before and has a
solution...otherwise, i gotta dig into the pockets again...

please help...

thanks,

eddie







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40993t=40991



test [7:40994]

2002-04-09 Thread yangchun

test

--
Regards

Yangchun

---
Telindus Ltd. Beijing Office
RM408/410, Office Tower, Beijing Capital Times Square,
No.88 West Changan Ave., Beijing, P.R.C.
---

mailto: [EMAIL PROTECTED]
tel: +86 (10) 8391 5323~5330 Ext: 6015
fax: +86 (10) 8391 5321
 ---
For more information about our products and services,
please visit our website: 
 ---
Secure connectivity  mobility




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40994t=40994


