FR SVCs [7:40893]
Has anyone worked with FR SVCs on 7200s and 1700s? Any known issues? Love it? Hate it? Wish it came in yellow?

A coworker has opened a case with the TAC regarding configuring multiple FR SVCs on a single physical interface. I was wondering if anyone else has run into the same or similar issues.

Thanks,
Bill in AK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40893t=40893
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Bridge Problem [7:40894]
Hi Group,

I have a Cisco 3660 router with a NM-4T and a NM-8AS modules, 128 MB memory and 16Mb Flash mem. I have 2 DSL modems on the 8-AS module running in bridge mode (irb). I am using Cisco IOS Version 12.0(7)XK2.

I want to upgrade my IOS. I tried to install 12.2(3) IOS; the installation succeeded and everything seems normal, but bridged customers on the 8AS module couldn't work. I could ping them but they could not.

My IOS file is: c3660-is-mz.120-7.XK2.bin
and I installed: c3660-is-mz.122-1.T.bin

I tried to install other IOS versions, like 12.2.3, 12.2.5 and others, but the problem was not solved. Is there any function in my old IOS that isn't supported in new IOSs?

Please help me.
Reza

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40894t=40894
Re: Please confirm (conf#c217b7a4fcf9a99614a38be8d3f86545) [7:40895]
--- [EMAIL PROTECTED] wrote:

Hi,

You have tried to post to GroupStudy.com's Professional mailing list. Because the server does not recognize you as a confirmed poster, you will be required to authenticate that you are using a valid e-mail address and are not a spammer. By confirming this e-mail you certify that you are not sending Unsolicited Bulk Email (UBE).

PLEASE DO NOT SEND YOUR ORIGINAL MESSAGE AGAIN! BY CONFIRMING THIS EMAIL YOUR ORIGINAL MESSAGE (WHICH IS NOW QUEUED IN THE SERVER) WILL BE POSTED.

By confirming this e-mail you also certify the following:
1. The message does NOT break Cisco's Non-Disclosure requirements.
2. The message is NOT designed to advertise a commercial product.
3. You understand all postings become property of GroupStudy.com
4. You have searched the archives prior to posting.
5. The message is NOT inflammatory.
6. The message is NOT a test message.

To confirm, simply reply to this message. No editing is necessary. Once confirmed, you will be able to post without additional confirmations. Welcome to GroupStudy.com!

--ORIGINAL MESSAGE-
From [EMAIL PROTECTED] Wed Mar 27 09:04:47 2002
Received: from web14704.mail.yahoo.com (web14704.mail.yahoo.com [216.136.224.121]) by groupstudy.com (8.9.3/8.9.3) with SMTP id BAA23076 GroupStudy Mailer; Wed, 27 Mar 2002 01:17:16 -0500
Message-ID:
Received: from [12.253.88.51] by web14704.mail.yahoo.com via HTTP; Tue, 26 Mar 2002 22:18:28 PST
Date: Tue, 26 Mar 2002 22:18:28 -0800 (PST)
From: Imran Moin
Subject: Taking BCRAN this monday !!!
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi gang,

I am planning to take my BCRAN exam this Monday. I have already passed my BCMSN and BSCN exams from the CCNP track. I need some advice on BCRAN, especially from someone who took the exam recently. Also, if anyone has any material to share, then I would greatly appreciate it. I am planning to nail down CIT after this and then the CCIE written by June, hopefully.

Thanks in advance,
Imran Moin
Network Engineer
University of Colorado
CCNA, MCP, CCNP/2

=====
Imran Moin
Network Engineering and Operations
University of Colorado, Boulder
CCNA, CCNP (switching)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40895t=40895
Re: Please confirm (conf#25ae7d8cbbdcbab1847847d75c268b9a) [7:40896]
--- [EMAIL PROTECTED] wrote:

--ORIGINAL MESSAGE-
From [EMAIL PROTECTED] Fri Mar 29 07:42:37 2002
Received: from web14703.mail.yahoo.com (web14703.mail.yahoo.com [216.136.224.120]) by groupstudy.com (8.9.3/8.9.3) with SMTP id HAA04698 GroupStudy Mailer; Fri, 29 Mar 2002 07:42:36 -0500
Message-ID:
Received: from [12.253.88.106] by web14703.mail.yahoo.com via HTTP; Fri, 29 Mar 2002 04:43:52 PST
Date: Fri, 29 Mar 2002 04:43:52 -0800 (PST)
From: Imran Moin
Subject: Taking BCRAN this tueday
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi gang,

I am taking my BCRAN exam this Tuesday. I have already nailed down the CCNP Routing and Switching exams. I need some advice from you all about this exam. Has anyone taken it recently? What kind of questions are they asking? Has anyone got any materials to share with me? I would really appreciate it if someone could share a soft copy of some exam material with me.

Thanks a bunch,
Imran Moin
CCNA, CCNP/2

=====
Imran Moin
Network Engineering and Operations
University of Colorado, Boulder
CCNA, CCNP (switching)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40896t=40896
connection to VPN server concentrator 3005 only 9.6kbps [7:40897]
Hi all,

I seem to be able to connect to a Cisco VPN server 3005 at only 9.6kbps using a Win98 VPN PPTP connection, while my PSTN connection to the Internet is 56kbps. However, a connection to a Microsoft VPN server does not have this problem. Does anyone know why that is so?

Any form of input will be greatly appreciated.

Regards,
suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40897t=40897
RE: Puzzles - WAS RE: My interview story [7:40553]
Well, if you want to get that nit-picky, it's not even an accurate technicality. What if the rope is attached by drilling a hole through the poles, for example - any method so that the rope is not wrapped around the pole? Then you can put the poles side by side without the rope getting in the way.

JMcL

- Forwarded by Jenny Mcleod/NSO/CSDA on 09/04/2002 05:05 pm -

Dusty Harper
Sent by: [EMAIL PROTECTED]
09/04/2002 05:08 am
Please respond to Dusty Harper
To: [EMAIL PROTECTED]
cc:
Subject: RE: Puzzles - WAS RE: My interview story [7:40553]

Actually 0' is physically impossible due to the width of the rope needing to be taken into account, but that's just a technicality.

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 05, 2002 9:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Puzzles - WAS RE: My interview story [7:40553]

Part A: I heard this one where the friend also has a key that will open his lock, but not yours. Also, the condition is that no destructive techniques are allowed, so breaking or cutting wasn't a possible solution.

Part B: He never states that the rope is attached to the top of the pole, just that it's attached to the pole. So, the answer is that the poles are somewhere between 0 and 32 feet apart.

Craig

At 11:33 PM 4/5/2002 -0500, you wrote:

I'll bite.

a) Boxes and diamond. Gordian Knot technique. Lock the diamond in your box and send it to your friend. He breaks the lock or cuts open the box.

b) Poles and rope. The poles are touching.

-Original Message-
From: Dusty Harper [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 05, 2002 4:55 PM
To: [EMAIL PROTECTED]
Subject: RE: My interview story [7:40553]

The goal is to determine how you think. Most real world solutions to problems can be applied to technological hurdles, or problems. As an example:

Prep: You have an empty box, a lock, a key for your lock, and a diamond. Your friend has an empty box, and a lock for his box.

Goal: You want to get the diamond to your friend via courier. However the courier will steal anything that is not locked. How do you do this?

Another example: If you have 2 20' poles, a 32' rope strung between them, and the lowest point of the rope is 4' off of the ground, how far apart are the poles?

It gauges how one thinks and handles situations.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40898t=40553
CCNP CLASS KIT FOR SALE [7:40899]
Just reposting it again.

Brand new class training materials for the 3 OF 4 exams for CCNP. These are brand new materials and each comes with two volumes of materials. These training materials that you get when you enroll in a training class are meant for easy understanding and MEANT for you to study and pass the exams. Books are meant for reference mostly.

BCRAN - REMOTE ACCESS = $80.00
CIT - TROUBLESHOOTING = $80.00
BCMSN - SWITCHING = $80.00

Email me privately if you are interested.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40899t=40899
Cisco ATA 186 (One Way or Two Way) [7:40900]
Dear All,

I have configured a Cisco ATA 186 with one of its UIDs (UID0) set to 300 and the other to 301. I am using a VoIP module with 2 FXS ports on a 3600 router as an IOS gateway, with one FXS port set to destination pattern 1 and the other set to destination pattern 2.

The ATA is able to place calls towards FXS port 1 and FXS port 2. But when I tried to dial from an FXS port to ATA adapter ports 300 or 301, it gives a busy tone and it never gives me a connecting tone.

Is the Cisco ATA a one-way device, able to dial using a voice gateway, or can calls be accepted on its phones like regular phones?

My ATA configuration is as under:

  UID0: 300
  UID1: 301
  Gateway: 192.168.0.223 (IP of 3660 gateway router)
  No GateKeeper or SIP (value = 0)
  AuthMethod: (0x00040004)
  DialPlan (Default)

Cisco 3660 configuration:

  dial-peer voice 1 pots
   destination-pattern 1
   port 4/1/0
  dial-peer voice 2 pots
   destination-pattern 2
   port 4/1/1
  dial-peer voice 3000 voip
   destination-pattern 300.
   session target ipv4:192.168.0.242   ! IP of ATA

Thanks in advance

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40900t=40900
Re: iBGP full mesh ? [7:40741]
I don't disagree with most of your points, but really think synch should be disabled in all cases at all times along with auto summary. It should be disabled by default and indeed shouldn't even be included as a configurable option.

At 11:28 AM 4/8/2002 -0400, you wrote:

It's not default for the same reason why unicast rpf (antispoofing) is not default in ISO; because people are stupid, and under poor design, it could produce very undesirable and hard to troubleshoot results. In other words, if you don't know why you are disabling synchronization, don't do it.

Take the following scenario: A multihop iBGP link between routers (A) and (B) in which a non-bgp IGP router (C) is routing packets between them. Both BGP links are advertising full tables to each other, and, under your suggested default config, would attempt to forward packets to destinations that router C has no clue about. Then what does router C do with these destinations?

The answer, of course, is to set up an iBGP full mesh, and then to disable synchronization, and if you are smart, design your network so that your IGP learns only about downstream routes and set a default route up to the core of your network.

Anyway, the point being, sync is enabled by default because you really should know what you are doing before you disable it.

On Mon, 2002-04-08 at 10:44, MADMAN wrote:

I can think of one good reason why you would disable sync, you can't redistribute 100K routes into ANY IGP. Why are you so concerned about disabling sync?? It should be default.

Dave

Jay wrote:

BGP Rules of thumb:
BGP advertised prefix must also exist in local IGP table.
iBGP learned prefix must also exist in local IGP table -or use #no sync on iBGP learning router, but if you do, you'd sure as hell better know why you disabled it.

On Sun, 2002-04-07 at 09:22, Phil Barker wrote:

Hi Group,

Hope someone can help out with this as I don't have access to my kit at the moment. I tried to set up my first BGP lab last week. I configured a full iBGP mesh, three routers connected in a triangle via serial lines. I set up 'neighbour' statements on each router (Hope Radia can forgive the extra vowel !!!) and advertised the networks. I got the BGP table working but nothing was promoted to the main routing table, and therefore couldn't ping non directly connected interfaces. I tried various approaches like putting a default route in and running an IGP but still no promotion to the main table.

Should this be possible with iBGP? Or is it a matter of loop avoidance, i.e. the AS Numbers won't be prepended for the case of iBGP peers.

Phil.

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40902t=40741
Re: netbios over internet [7:40784]
On Aug 29, 7:34am, Priscilla Oppenheimer wrote:
}
} NetBEUI is non-routable. NetBIOS is routable. NetBIOS over TCP/IP should
} supposedly work over the Internet. For example, can't you do file sharing
} over the Internet? That uses NetBIOS and SMB of CIFS.

If you want to be pedantic (and, on this list we should be), discussing the routability of NetBIOS is nonsensical. NetBIOS is a session layer protocol. It would be like discussing the routability of TCP or UDP. By themselves, these protocols only have port numbers, they don't have node addresses.

As someone else has mentioned, you really need to look at the underlying protocol. NetBIOS over TCP/IP (aka NBT) is, of course, completely routable, since TCP/IP is a routable protocol. NetBIOS over NetBEUI isn't routable as NetBEUI is a datalink layer protocol (i.e. it has host addresses and doesn't have any way of doing network addressing, so its addresses are for the local segment only, a la Ethernet MAC addresses) and must be bridged.

}-- End of excerpt from Priscilla Oppenheimer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40901t=40784
RE: ISDN and VPN (IPSEC 3DES) [7:40807]
Are the ISDN routers NATing? I don't believe you can terminate a NATed IPSec VPN connection at a PIX. Cisco VPN concentrators support this, but the PIX doesn't.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 8:38 AM
To: [EMAIL PROTECTED]
Subject: ISDN and VPN (IPSEC 3DES) [7:40807]

Guys,

Are any of you familiar with issues between ISDN and Cisco VPN Client (IPSEC 3DES)? All of my ISDN users are unable to VPN using Cisco VPN Client, and we have a PIX 515.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40903t=40807
Help with extended access lists [7:40904]
Hello, wondered if anyone can explain.

I have extended access lists working fine. I have a few blocks of IP addresses I want to add to the list and they are not all consecutive. What I want to do is use the minimum entry to cover each block, i.e. say I had several like this: 192.168.1.10 to 15 etc. etc. I want to make a single entry for every consecutive block. I do not own the whole range or subnet. Can I do something like this?

  access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In the above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to 15)... have I understood this right? I do not want to match the whole subnet with 0.0.0.255, but those are the only other examples I have seen.

Many thanks,
Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40904t=40904
Re: Help with extended access lists [7:40904]
Hi,

The one which you mentioned is not the right one. A simple technique to get the inverse mask is as follows:

1. From your example, let's say you want to aggregate 192.168.1.10 to 192.168.1.15. First of all aggregate these addresses and find the summarized mask. The summarized mask in this case is 192.168.8/29 (i.e. 255.255.255.248)
2. To get the inverse mask, subtract 255.255.255.248 from 255.255.255.255, which comes out 0.0.0.7
3. The result is 192.168.1.8 0.0.0.7

Kind Regards
/Thangavel

--
CCIE (qual), CCS, CCDP, CCNP, MCSE
186K Reading, Brkshire
Direct No - 0118 9064259
Mobile No - 07796292416
Post code: RG16LH
www.186k.co.uk
--
The greatest glory in living lies not in never falling, but in rising every time we fall. -- Nelson Mandela

r Paul
Sent by: nobody@groupstudy.com
09/04/2002 10:12
Please respond to r Paul
cc:
Fax to:
Subject: Help with extended access lists [7:40904]

Hello, wondered if anyone can explain.

I have extended access lists working fine. I have a few blocks of IP addresses I want to add to the list and they are not all consecutive. What I want to do is use the minimum entry to cover each block, i.e. say I had several like this: 192.168.1.10 to 15 etc. etc. I want to make a single entry for every consecutive block. I do not own the whole range or subnet. Can I do something like this?

  access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In the above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to 15)... have I understood this right? I do not want to match the whole subnet with 0.0.0.255, but those are the only other examples I have seen.

Many thanks,
Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40905t=40904
Sample Configuration for Basic-5ess ISDN Switch environment [7:40906]
Hi,

Does anyone have a sample config for the above environment? Thanks in advance.

Best regards,
William

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40906t=40906
Re: Help with extended access lists [7:40904]
Thangavel,

What a great method - Thank you

Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40907t=40904
RE: 6509 trunk to 3524? Any suggestions [7:40908]
MX Extender? How far apart are the devices? A ZX GBIC will go 70km over single mode fiber, and 100km over dispersion shifted fiber. If you are using an extender and over driving the receive you could be killing the GBICs. I had a customer use ZX GBICs over a 15km link and had to add attenuators on the transmit side in order to not over drive the receive.

You'll need to set the interface to nonegotiate dot1q, instead of on. Per the Cisco instructions.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ouellette, Tim
Sent: Tuesday, April 09, 2002 12:30 AM
To: 'David Siwula'
Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: 6509 trunk to 3524? Any suggestions

Thanks for the quick response guys. Found a faulty mx extender between the 6509 and the 3524. Does the 3524 support pagp? I did receive a message from David mentioning something about having the 6509 being set to negotiate the dot1q. I'll have to look into this a little more. Anyone else have a lot of problems with these extenders, as well as about 3-5% of all gbic's we put into production fail.

Again, thanks for the help!

Tim

-Original Message-
From: Ouellette, Tim [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 7:55 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: 6509 trunk to 3524? Any suggestions

Team, can anyone help out? I am seeing the following messages on one of our 6509's. Port 7/2 is connected via fiber to a 3524 closet switch. We've tried replacing the gbic's on both the 6509 and 3524. The port keeps going from connected state to non-connect state and the trunk port messages underneath are what we see. Can anyone offer any suggestions?

distribution 6509 port 7/2 -fiber- cisco3524

2002 Apr 08 22:26:26 %DTP-5-TRUNKPORTON:Port 7/2 has become dot1q trunk
2002 Apr 08 22:26:52 %DTP-5-NONTRUNKPORTON:Port 7/2 has become non-trunk
2002 Apr 08 22:30:19 %DTP-5-TRUNKPORTON:Port 7/2 has become dot1q trunk
2002 Apr 08 22:30:23 %DTP-5-NONTRUNKPORTON:Port 7/2 has become non-trunk
2002 Apr 08 22:30:28 %DTP-5-TRUNKPORTON:Port 7/2 has become dot1q trunk

distribution6509 (enable) sh port 7/2

Port  Name              Status      Vlan  Duplex  Speed  Type
7/2   Tk1382014101-0/1  notconnect  1     full    1000   1000BaseSX

Port  Security  Violation  Shutdown-Time  Age-Time  Max-Addr  Trap     IfIndex
7/2   disabled  shutdown   0              0         1         enabled  95

Port  Num-Addr  Secure-Src-Addr  Age-Left  Last-Src-Addr  Shutdown/Time-Left
7/2   0         -- -- -

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40908t=40908
Question on upgrading Memory Software on a AS5300 [7:40909]
Hi Guys,

I hope you can help me. A client has an AS5300 with old modem cards in it, and they are going to upgrade to the new CC2 modem module. To upgrade to the new module, the Boot ROM, System Flash, DRAM SIMMs and IOS modem software will need to be upgraded.

The client is asking me in what order I should start the upgrade (i.e. put in the new Boot ROM first, then the DRAM SIMMs etc.), as they want a worst case scenario (i.e. if there is a problem, to re-install the original kit).

As my AS5300 knowledge is pretty rusty, in what order do you think I should proceed with the upgrade? What precautions should I take (presumably copying the config to a TFTP server springs to mind)?

Many thanks,
Simon. CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40909t=40909
Re: PIX Firewall without NAT [7:40871]
If I have a mail server inside the network, let's say its IP is 192.168.0.2, how should I configure the static? Could I configure it as follows:

  static (inside, outside) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

And I configure port redirect on the Cayman router, directing port 25 traffic to 192.168.0.2.

Thanks,
Daniel

yangchun wrote in message news:[EMAIL PROTECTED]...

Hello Daniel: you can do it.

Daniel Ma wrote in message news:[EMAIL PROTECTED]...

I am trying to configure a PIX firewall behind the Cayman DSL router. We only have one public IP address, which is used by the Cayman router, so I will use 192.168.1.x and 192.168.0.x for the two segments of the PIX. The Cayman router does the NAT job for all users. In this case, could I configure the PIX without NAT, i.e.,

  NAT (inside) 0 0.0.0.0 0.0.0.0

I wonder whether it works, and whether internal users are still able to connect to the Internet.

Thanks,
Daniel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40910t=40871
Cisco Audio Files [7:40911]
Hello all,

Just wondering if anyone has (or knows where to get) Cisco audio files, such as from sessions at Networkers? I would like to be able to listen to them in the car.

Thanks for any help anyone is able to provide...

Sam.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40911t=40911
RE: Cisco Audio Files [7:40911]
I too would also be interested. After attending Networkers in Brisbane, I'd love the MPLS stuff!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40912t=40911
RE: Help with extended access lists [7:40904]
Paul,

You need to understand the wildcard format for access-lists. The best way to do this is to convert your IP addresses to binary.

The beginning range address is 192.168.1.10
The ending range address is 192.168.1.15

We can quickly see that the first three octets are the same, so let's concentrate on the fourth. Range is:

10 : 1010
11 : 1011
12 : 1100
13 : 1101
14 : 1110
15 : 1111

As you can see, the left five bits stay the same, so you have to tell the access-list not to care about the right three bits. In a wildcard mask, the 0's represent that the bit value MUST be as specified, and the 1's represent that it doesn't care about the bit value. So we must create a wildcard for the fourth octet that looks like this:

0111 = 7

As for the first three octets, they must all match, so that's easy: 0.0.0

Now you have a wildcard mask that looks like this: 0.0.0.7

Since the left five bits were the same for range 10-15, let's take those five bits 1 and fill zeros to the right 000 = 1000 or 8. That's the value we want to use for the fourth octet in the IP address. And the access-list would look like this:

  access-list 110 permit tcp 192.168.1.8 0.0.0.7

The only problem with this is that it will also allow .8 and .9, so if you wish to deny those two addresses, you must do some more math:

.8 = 1000
.9 = 1001

As you can see, the only bit that changes is the right one, so if you do a wildcard octet of:

0001

you can test for that. Let's correct our access-list statements:

  access-list 110 deny tcp 192.168.1.8 0.0.0.1 ..
  access-list 110 permit tcp 192.168.1.8 0.0.0.7 ..

As you can see, it's a little tricky to calculate, but once you have it down, it can be almost a fun little task to do. The best thing to do in the beginning is to write the whole address range down in binary and look at the bits. That way you can see which ones change, and which ones stay the same.

Sometimes you can cut a lot of statements down by looking at the pattern and creating some good wildcard masks, but that is both good and bad. It is good because it makes the access-list filter faster, but it's bad because it can be hard to read the next time you need to reconfigure something.

Hth,
Ole

~ Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~ http://www.RouterChief.com
~ Need a Job? http://www.OleDrews.com/job ~

-Original Message-
From: r Paul [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 3:12 AM
To: [EMAIL PROTECTED]
Subject: Help with extended access lists [7:40904]

Hello, wondered if anyone can explain.

I have extended access lists working fine. I have a few blocks of IP addresses I want to add to the list and they are not all consecutive. What I want to do is use the minimum entry to cover each block, i.e. say I had several like this: 192.168.1.10 to 15 etc. etc. I want to make a single entry for every consecutive block. I do not own the whole range or subnet. Can I do something like this?

  access list 101 permit tcp 192.168.1.10 0.0.0.6 193.26.1.52 eq www

What I am wanting to clarify is if I have the wildcard bit right. In the above example I was hoping that 0.0.0.6 would be 6 addresses (192.168.1.10 to 15)... have I understood this right? I do not want to match the whole subnet with 0.0.0.255, but those are the only other examples I have seen.

Many thanks,
Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40913t=40904
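Added example, not part of any post in this thread: a Python check of the wildcard masks discussed above. It audits the `192.168.1.10 0.0.0.6` and `192.168.1.8 0.0.0.7` entries against the intended range .10 to .15 (which addresses are matched by mistake, which are missed), then derives prefix-aligned entries that cover exactly that range. Function names are illustrative, and the audit assumes the wildcard only touches the last octet.

```python
import ipaddress
from ipaddress import IPv4Address


def wildcard_matches(base: str, wildcard: str, addr: str) -> bool:
    """IOS-style wildcard test: a 1 bit in the wildcard means "don't care",
    a 0 bit means the address bit must equal the base bit."""
    b, w, a = (int(IPv4Address(x)) for x in (base, wildcard, addr))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def audit(base: str, wildcard: str, first: str, last: str):
    """Compare what an ACL entry matches with the intended range first..last.

    Returns (extra, missed): addresses matched but not intended, and
    addresses intended but not matched. Assumption: the wildcard only
    touches the last octet, so scanning the enclosing /24 is sufficient.
    """
    scope = ipaddress.ip_network(f"{base}/24", strict=False)
    matched = {int(h) for h in scope if wildcard_matches(base, wildcard, str(h))}
    intended = set(range(int(IPv4Address(first)), int(IPv4Address(last)) + 1))
    extra = [str(IPv4Address(x)) for x in sorted(matched - intended)]
    missed = [str(IPv4Address(x)) for x in sorted(intended - matched)]
    return extra, missed


def exact_cover(first: str, last: str):
    """Prefix-aligned (address, wildcard) pairs that match every address in
    first..last and nothing else. The wildcard is the block's host mask."""
    nets = ipaddress.summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]


def acl_lines(acl: int, first: str, last: str, dest: str, port: str = "www"):
    """Render one permit line per block, in the shape of the entry in the question."""
    return [
        f"access-list {acl} permit tcp {addr} {wc} host {dest} eq {port}"
        for addr, wc in exact_cover(first, last)
    ]


if __name__ == "__main__":
    lo, hi = "192.168.1.10", "192.168.1.15"
    for base, wc in (("192.168.1.10", "0.0.0.6"), ("192.168.1.8", "0.0.0.7")):
        extra, missed = audit(base, wc, lo, hi)
        print(f"{base} {wc}: extra={extra} missed={missed}")
    for line in acl_lines(101, lo, hi, "193.26.1.52"):
        print(line)
```

The two generated permit lines avoid both the over-match on .8 and .9 and the need for a preceding deny entry, at the cost of one extra line.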
CCNP Training kit [7:40915]
Just wanted to say that anyone who bought the CCNP Training kit Software, ISBN 1587200422, you can return it, and they will give you a completely new CD VS 2.0.

I bought this Training kit; it has so many wrong answers, and so many bugs, I thought I was on candid camera. They did offer a SP1 update right after the product was released, but that didn't help much. This is the first time that I have heard of a total recall of a software product. I really could write like 20 pages about what was wrong with the kit, it was that bad.

Well, just thought I would share this, if anyone bought it, because I didn't know. I am on the Cisco Press mailing list, and I registered my product, but they never bothered to contact me concerning this. This is the very last time I buy software without asking anyone else if they used it.

Well, I guess I am going to send away for version 2, to see if it is any better. It's a little late now, especially since I am half way through my CCNP. Ciscopress really dropped the ball on this one, especially since most of the people who bought it didn't know any better about the answers being mostly wrong, myself included. Ironically I failed routing using the kit. I passed routing and switching since then, using other material.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40915t=40915
RE: Cisco Audio Files [7:40911]
Is this what you are looking for: http://recording.safeshopper.com/index.htm?648? Andy
-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]
Hello all, Just wondering if anyone has (or knows where to get) Cisco audio files, such as from sessions at Networkers? I would like to be able to listen to them in the car. Thanks for any help anyone is able to provide... Sam.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40917t=40911
RE: Cisco Audio Files [7:40911]
Sure, go here http://recording.safeshopper.com/ I am thinking of getting the security ones. I have some of the other ones. They send them to you on MP3s. Each lesson takes about 2 CDs.
-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]
Hello all, Just wondering if anyone has (or knows where to get) Cisco audio files, such as from sessions at Networkers? I would like to be able to listen to them in the car. Thanks for any help anyone is able to provide... Sam.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40916t=40911
WAY OT: Cisco Alternative? [7:40918]
I'm a huge Cisco fan. 90% of our customers have Cisco networks and I'm definitely most familiar with installing and maintaining Cisco. However, I have a new customer who's fed up with Cisco and wants an alternative. The customer has a 3640 at the edge terminating a 6Mb/s fractional T3 ATM circuit. They're going to replace this router with another vendor. Who's the obvious choice for this type of termination (IP only, legacy support not important)? Anyone have good things to say about Extreme or Imagestream? Are there any others that come to mind? I'm particularly interested in hearing about reliability, ease of use of the command line (for example, I always hated Cabletron because it never seemed intuitive), and the company's technical support capabilities. Any feedback is definitely appreciated. Thanks, Craig
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40918t=40918
PIX problem [7:40919]
Hi all, I'm sure there's a simple answer to this but I can't see what it is ... I'm trying to ping all the Ethernet interfaces on my PIX (5.2) in order to manage them from HP OpenView. I get a response from the interface I'm connected to but not from the rest. I've used the debug icmp trace command and can see the echo requests but there are no replies and nothing gets logged. I can ping all the interfaces from the telnet console and I can ping devices across the PIX. Any ideas?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40919t=40919
RE: Cisco Audio Files [7:40911]
Does anyone have the routing and switching bundle from this site? I was thinking of buying it but I wanted to get the group's opinion first.
-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Audio Files [7:40911]
Sure, go here http://recording.safeshopper.com/ I am thinking of getting the security ones. I have some of the other ones. They send them to you on MP3s. Each lesson takes about 2 CDs.
-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]
Hello all, Just wondering if anyone has (or knows where to get) Cisco audio files, such as from sessions at Networkers? I would like to be able to listen to them in the car. Thanks for any help anyone is able to provide... Sam.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40920t=40911
RE: Cisco Audio Files [7:40911]
Yea, I have them. They are pretty good. I would describe them as advanced, and not for the new user. The cost, 300$, is kinda high, but you will not find this much Cisco audio for this price anywhere. It is good for the car, say if you were going on a long trip. Also, there are powerpoints that go with each MP3 and they refer to them. So sometimes it's not that easy in the car. I guess if you looked at the powerpoints beforehand, or brought them with you. Hard to read while driving though :)
-Original Message-
From: Wright, Jeremy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 10:10 AM
To: Brian Zeitz; [EMAIL PROTECTED]
Subject: RE: Cisco Audio Files [7:40911]
Does anyone have the routing and switching bundle from this site? I was thinking of buying it but I wanted to get the group's opinion first.
-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco Audio Files [7:40911]
Sure, go here http://recording.safeshopper.com/ I am thinking of getting the security ones. I have some of the other ones. They send them to you on MP3s. Each lesson takes about 2 CDs.
-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject: Cisco Audio Files [7:40911]
Hello all, Just wondering if anyone has (or knows where to get) Cisco audio files, such as from sessions at Networkers? I would like to be able to listen to them in the car. Thanks for any help anyone is able to provide... Sam.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40921t=40911
RE: PIX problem [7:40919]
Have you allowed ping replies to return back to you?
conduit permit icmp any any 0
Hth, Ole
~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] ~ http://www.RouterChief.com ~ Need a Job? http://www.OleDrews.com/job ~
-Original Message-
From: dk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:00 AM
To: [EMAIL PROTECTED]
Subject: PIX problem [7:40919]
Hi all, I'm sure there's a simple answer to this but I can't see what it is ... I'm trying to ping all the Ethernet interfaces on my PIX (5.2) in order to manage them from HP OpenView. I get a response from the interface I'm connected to but not from the rest. I've used the debug icmp trace command and can see the echo requests but there are no replies and nothing gets logged. I can ping all the interfaces from the telnet console and I can ping devices across the PIX. Any ideas?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40922t=40919
Cisco Dialout Utility!!Urgent! [7:40923]
Hi all, Does anyone have the Cisco Dialout Utility? Can anyone give the software to me? Because I can't download it from Cisco now. Thanks, regards, Ivan
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40923t=40923
RE: WAY OT: Cisco Alternative? [7:40918]
I heard Netgear makes some good high end stuff.
-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 10:00 AM
To: [EMAIL PROTECTED]
Subject: WAY OT: Cisco Alternative? [7:40918]
I'm a huge Cisco fan. 90% of our customers have Cisco networks and I'm definitely most familiar with installing and maintaining Cisco. However, I have a new customer who's fed up with Cisco and wants an alternative. The customer has a 3640 at the edge terminating a 6Mb/s fractional T3 ATM circuit. They're going to replace this router with another vendor. Who's the obvious choice for this type of termination (IP only, legacy support not important)? Anyone have good things to say about Extreme or Imagestream? Are there any others that come to mind? I'm particularly interested in hearing about reliability, ease of use of the command line (for example, I always hated Cabletron because it never seemed intuitive), and the company's technical support capabilities. Any feedback is definitely appreciated. Thanks, Craig
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40924t=40918
Re: MS Security Operation Guide for Windows 2000 Server - [Was [7:40926]
Where is the link???
Bac Nguyen wrote in message news:[EMAIL PROTECTED]...
Hi Charlie, FYI, Microsoft just released the Security Operation Guide for Windows 2000 server. Here is the link to it. Hope this helps! Bac
-Original Message-
From: Charlie [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 2:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Hardening Ports? [7:40852]
Patrick - I was referring to TCP/IP ports. Thanks for your reply. Sam's message came in very handy and answered my question as well. Thanks again. Charlie
Patrick Ramsey wrote in message news:[EMAIL PROTECTED]...
Do you mean ethernet ports or tcpip ports? Ethernet ports are done in the driver autonegotiate/speed/duplex settings; locking down tcpip ports is entirely different. TCPwrappers will wrap daemons and applications under *nix... not so sure there is an equivalent for microsoft or novell. TCPWrappers just handles the negotiation really between the client and daemon. -Patrick
Charlie 04/08/02 03:50PM
Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie
Confidentiality Disclaimer: This email and any files transmitted with it may contain confidential and /or proprietary information in the possession of WellStar Health System, Inc. (WellStar) and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability.
If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40926t=40926
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Robert, Ok, I'm more confused than before. :-) You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190"; this seems like contradictory statements to me unless you're saying you want only _internal_ hosts to access the web server, but use its external address? Let's keep it simple:
1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both?
2) Where is your DNS server? It appears that it is on the outside of the PIX, correct?
3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be doctored so that the web server's IP would appear to internal clients as 172.20.21.241 and they should just go directly to that address without having to go to the PIX. (This assumes the DNS is on the external interfaces of the PIX and the web server's DNS resolves to xxx.yyy.115.190.)
If you want an external host to access the web server, you're going to have to modify your conduit statement(s). Regards, Kent
-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]
Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge.
Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual ip address of the server is 172.20.21.241. That's where the static and conduit commands come into play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.21.241 (I would use the term routes it to 172.20.21.241 but I am afraid it would cause further confusion ... to me). So, I do want everyone to access the web server at ip address xxx.yyy.115.190. But that one address goes to 172.20.21.241. If I don't use the alias command then the internal hosts can not see the servers for which I have a conduit built, i.e. web and mail servers. When the internal host performs DNS on their own name they are unable to get to that server. With the alias they are able to get to the server. I'm not sure I understand why, I just know that is what's happening. I don't know if that clarifies anything.
At 4/7/2002 06:31 PM, Kent Hundley reminisced:
Robert, Your conduit command doesn't look right. Typically you want to allow any outside host to access the inside host specified in the conduit. You can specify 'any' by using 0.0.0.0 or 0:
conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
Also, I'm not sure what you're trying to accomplish with those alias commands:
alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
You're telling the PIX to translate dst address 172.20.21.241 to xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190 back to the same inside address? Typically the internal hosts would just go directly to the 172.20.21.241 address without having to go through the PIX in the first place.
HTH, Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert T. Repko (R Squared Consultants)
Sent: Saturday, April 06, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX question, static, conduit, and alias [7:40722]
I am having a problem getting to the inside Mail/Web servers from the outside and I can't determine why. I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also reconfiguring the way their PIX was set up. The servers were configured with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement) which made them vulnerable. I am moving them to an inside address and building a conduit from the outside to the inside. In order to leave their old network up and running while I configured the 7206VXR, I used my PIX 506 (Ver 5.x) for configuration purposes. I had everything configured and working. Then over the Easter holiday I configured their PIX trying to use the same statements that I had in my PIX 506. This is where I ran into problems. Since they
Re: Hardening Ports? [7:40852]
Dude!!! Thanks for the info. TCP/IP Filtering is EXACTLY what I was looking for. Thanks a whole lot. Charlie
Chee Kin wrote in message news:[EMAIL PROTECTED]...
You can also try using the IP Filtering feature from Windows NT/2000. It should be under the advanced configuration for TCP/IP. cheekin
- Original Message -
From: Charlie
To:
Sent: Tuesday, April 09, 2002 4:40 AM
Subject: Re: Hardening Ports? [7:40852]
Thank you, Sam. Your instructions were clear and simple to follow. I was referring to a Windows system. I gave it a try and already identified open ports (which I also learned from using WS PingPro). I will now attempt to close/end some services. Thanks again. Charlie
sam sneed wrote in message news:[EMAIL PROTECTED]...
Which operating systems? On Windows the most common way is to disable services from the control panel. Do a netstat -an to see which ports are open. Then you can shut down services that have those ports open. On UNIX/LINUX you can do the same netstat -an. Most of the services can be disabled in inetd.conf or xinetd.conf. Just comment them out and restart the inetd daemon. Also services are started from startup scripts which are in different locations on different versions of UNIX and Linux.
Charlie wrote in message news:[EMAIL PROTECTED]...
Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40927t=40852
Re: Hardening Ports? [7:40852]
Thanks, Kent. Chee Kin and Sam actually answered my question already. Nonetheless, thanks for your advice. Google is where I will also check in the future (although this newsgroup is proving to be very helpful). Charlie
Kent Hundley wrote in message news:[EMAIL PROTECTED]...
Charlie, As others noted, it depends on your OS. I would recommend doing a search on google for your OS+hardening. You'll probably find what you're looking for. Also consult your vendor's web site and http://www.sans.org for more info. HTH, Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Charlie
Sent: Monday, April 08, 2002 12:51 PM
To: [EMAIL PROTECTED]
Subject: Hardening Ports? [7:40852]
Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40929t=40852
RE: Cisco Dialout Utility!!Urgent! [7:40923]
Here you can find trial software that works with cisco access servers http://www.tactical-sw.com/products.asp
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40930t=40923
Re: PIX problem [7:40928]
Hi! See http://www.cisco.com/warp/customer/110/31.html
According to this document: Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default.
So you can ping every PIX interface from the PIX and from the directly connected LAN, but can't ping through the PIX. I think you should not ping through the PIX by default, just from the PIX (from Telnet console).
According to this document: In PIX Software versions 4.1(6) until 5.2.1, ICMP traffic to the PIX's own interface is permitted; the PIX cannot be configured to not respond. Beginning in PIX Software version 5.2.1, ICMP is still permitted by default, but PIX ping responses from its own interfaces can be disabled with the icmp command (that is, a stealth PIX).
By, HT
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40928t=40928
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Kent- What if you have your DNS Server(s) (resolving Public addresses for the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the PIX with all of them running RFC1918 addresses, and you want both inside and outside sourced traffic (Any Any) to reach the Web or Mail Server? Is the Alias command used for the inside hosts to reach the servers when resolving to the Public Addresses only?? Forgive my ignorance... I'm just catching back up on my PIX studies, and see where the above scenario comes into play on a regular basis for small/medium networks where the Business/Organization hosts their own DNS and has their ISP provide Secondary DNS for them.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]
Robert, Ok, I'm more confused than before. :-) You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190"; this seems like contradictory statements to me unless you're saying you want only _internal_ hosts to access the web server, but use its external address? Let's keep it simple:
1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both?
2) Where is your DNS server? It appears that it is on the outside of the PIX, correct?
3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be doctored so that the web server's IP would appear to internal clients as 172.20.21.241 and they should just go directly to that address without having to go to the PIX.
(This assumes the DNS is on the external interfaces of the PIX and the web server's DNS resolves to xxx.yyy.115.190.)
If you want an external host to access the web server, you're going to have to modify your conduit statement(s). Regards, Kent
-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]
Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge. Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual ip address of the server is 172.20.21.241. That's where the static and conduit commands come into play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.21.241 (I would use the term routes it to 172.20.21.241 but I am afraid it would cause further confusion ... to me). So, I do want everyone to access the web server at ip address xxx.yyy.115.190. But that one address goes to 172.20.21.241. If I don't use the alias command then the internal hosts can not see the servers for which I have a conduit built, i.e. web and mail servers.
When the internal host performs DNS on their own name they are unable to get to that server. With the alias they are able to get to the server. I'm not sure I understand why, I just know that is what's happening. I don't know if that clarifies anything.
At 4/7/2002 06:31 PM, Kent Hundley reminisced:
Robert, Your conduit command doesn't look right. Typically you want to allow any outside host to access the inside host specified in the conduit. You can specify 'any' by using 0.0.0.0 or 0:
conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
Also, I'm not sure what you're trying to accomplish with those alias commands:
alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
You're telling the PIX to translate dst address 172.20.21.241 to xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190 back to the same inside address? Typically the internal hosts would just go directly to the 172.20.21.241 address without having to go through the PIX in the first place. HTH, Kent
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert T. Repko (R Squared Consultants)
Sent:
RE: MS Security Operation Guide for Windows 2000 Server - [Was [7:40935]
ity/prodtech/windows/windows2000/staysecure/default.asp
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sam sneed
Sent: Tuesday, April 09, 2002 7:56 AM
To: [EMAIL PROTECTED]
Subject: Re: MS Security Operation Guide for Windows 2000 Server - [Was [7:40926]
Where is the link???
Bac Nguyen wrote in message news:[EMAIL PROTECTED]...
Hi Charlie, FYI, Microsoft just released the Security Operation Guide for Windows 2000 server. Here is the link to it. Hope this helps! Bac
-Original Message-
From: Charlie [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 2:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Hardening Ports? [7:40852]
Patrick - I was referring to TCP/IP ports. Thanks for your reply. Sam's message came in very handy and answered my question as well. Thanks again. Charlie
Patrick Ramsey wrote in message news:[EMAIL PROTECTED]...
Do you mean ethernet ports or tcpip ports? Ethernet ports are done in the driver autonegotiate/speed/duplex settings; locking down tcpip ports is entirely different. TCPwrappers will wrap daemons and applications under *nix... not so sure there is an equivalent for microsoft or novell. TCPWrappers just handles the negotiation really between the client and daemon. -Patrick
Charlie 04/08/02 03:50PM
Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie
Confidentiality Disclaimer: This email and any files transmitted with it may contain confidential and /or proprietary information in the possession of WellStar Health System, Inc. (WellStar) and is intended only for the individual or entity to whom addressed.
This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40935t=40935
RE: PIX problem [7:40919]
If you are pinging an INSIDE interface from a device on the OUTSIDE, or in other words, if you are pinging from a lower security interface to a higher security interface, you must create a conduit that allows a ping request. If you are pinging an OUTSIDE interface from a device on the INSIDE, or in other words, if you are pinging from a higher security interface to a lower security interface, you must create a conduit that allows a ping reply. If you want both, you must allow all ping.
This allows a ping request:
conduit permit icmp any any 8
This allows a ping reply:
conduit permit icmp any any 0
This allows any ping:
conduit permit icmp any any
If this still doesn't work, try to send me the config and a description of where you're pinging from and to.
Hth, Ole
~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] ~ http://www.RouterChief.com ~ Need a Job? http://www.OleDrews.com/job ~
-Original Message-
From: dk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 9:16 AM
To: Ole Drews Jensen
Cc: [EMAIL PROTECTED]
Subject: Re: PIX problem [7:40919]
Thanks for the suggestion but no joy .. I applied the conduit you specified, tried pinging the interface but still got the timeout, it made no difference and the conduit has a hit count of 0!
- Original Message -
From: Ole Drews Jensen
To: 'dk' ;
Sent: Tuesday, April 09, 2002 3:27 PM
Subject: RE: PIX problem [7:40919]
Have you allowed ping replies to return back to you?
conduit permit icmp any any 0
Hth, Ole
~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] ~ http://www.RouterChief.com ~ Need a Job? http://www.OleDrews.com/job ~
-Original Message-
From: dk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:00 AM
To: [EMAIL PROTECTED]
Subject: PIX problem [7:40919]
Hi all, I'm sure there's a simple answer to this but I can't see what it is ... I'm trying to ping all the Ethernet interfaces on my PIX (5.2) in order to manage them from HP OpenView. I get a response from the interface I'm connected to but not from the rest. I've used the debug icmp trace command and can see the echo requests but there are no replies and nothing gets logged. I can ping all the interfaces from the telnet console and I can ping devices across the PIX. Any ideas?
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40936t=40919
RE: CCNP Training kit [7:40915]
To add to this comment, for giggles I went over one of these *cheat sheets* that folks seem to be so in love with.. 100 questions.. 4 not usable due to missing exhibits and the caption *use your best judgement*... another 3 were just plain wrong (verified by looking up in books instead of memory) and several more were suspect... Cheating doesn't pay.. So where does that leave us where the dark side is incorrect AND the good guys put out such a shoddy product? I used Transcender with ok results, Beachhead had errors on their CCNA.. might be corrected now, Boson was spotty in quality but my experience is limited with their product and may not be representative of their current product. Exam Prep is now toast unless picked up by someone else. I do like the material by CCxx Productions. I used the Cisco Academy semester 5-6 books and materials. That seems to be pretty good but I did find many *small* errors in the labs.. things like printing 172. when they meant 192.. I did find a few missing commands but in most cases they worked as they should. MikeS
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40937t=40915
RE: CCNP Training kit [7:40915]
Don't waste your time or efforts. Version 2 is terrible. -Original Message- From: Brian Zeitz [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 8:40 AM To: [EMAIL PROTECTED] Subject: CCNP Training kit [7:40915] Just wanted to say that anyone who bought the CCNP Training kit Software, ISBN 1587200422, you can return it, and they will give you a completely new CD VS 2.0. I bought this Training kit, it has so many wrong answers, and so many bugs I thought I was on candid camera. They did offer a SP1 update right after the product was released, but that didn't help much. This is a first time that I have heard of a total recall of a software product. I really could write like 20 pages about what was wrong with the kit, it was that bad. Well, just thought I would share this, if anyone bought it, because I didn't know. I am on the Cisco press mailing list, and I registered my product, but they never bothered to contact me concerning this. This is the very last time I buy software without asking anyone else if they used it. Well, I guess I am going to send away for the version 2, to see if it is any better. It's a little late now, especially since I am half way through my CCNP. Ciscopress really dropped the ball on this one, especially since most of the people who bought it didn't know any better about the answers being mostly wrong, myself included. Ironically I failed routing using the kit. I passed routing and switching since then, using other material.
Re: PIX problem [7:40928]
Thanks for the input, I have allowed the required icmp access ... To try and clarify ... I'm trying to ping the pix interface E1 (ip address 10.222.62.1) through pix interface E0 (ip address 10.222.33.1) from my workstation (ip address 10.222.32.100). I can successfully ping the PIX E0 interface and any devices on the 10.222.62.0 network going through the PIX E1 interface, but when I try to ping the PIX E1 interface itself I get no response, no error is logged and the conduit hitcount is not incremented. Is it a feature?
- Original Message - From: HORVATH TAMAS To: Sent: Tuesday, April 09, 2002 4:04 PM Subject: Re: PIX problem [7:40928]
Hi! See http://www.cisco.com/warp/customer/110/31.html According to this document Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default. So you can ping every PIX interface from the PIX and from the directly connected LAN, but can't ping through the pix. I think you should not ping through the PIX default, just from the PIX (from Telnet console). According to this document: In PIX Software versions 4.1(6) until 5.2.1, ICMP traffic to the PIX's own interface is permitted; the PIX cannot be configured to not respond. Beginning in PIX Software version 5.2.1, ICMP is still permitted by default, but PIX ping responses from its own interfaces can be disabled with the icmp command (that is, a stealth PIX). By, HT
RE: PIX problem [7:40928]
Kent! You can ping through the PIX (from E0 net to E1 net (10.222.62.0)) if you permit this with an access-list statement (conduit in earlier release). You can ping the PIX's interface from the directly connected net, if you didn't disable that feature with the icmp command. You can't ping through the PIX to the other PIX interface unless you specify it with an access-list statement. THIS IS A FEATURE (I don't like to call these things 'feature')! HT
Re: netbios over internet [7:40784]
NetBIOS is a session-layer protocol and API. Of course, it is able to be routed (routable), just as RPC and NFS and TCP and UDP are also routable, as are HTTP, FTP, etc. In comparison, LLC, is a data-link-layer protocol. It is not routable without some major shenanigans. NetBEUI resides right on top of LLC and doesn't make any calls to a network layer. Also, NetBEUI does all its own reliability, etc. It doesn't rely on TCP, for example. NetBEUI handles all of the communication work relative to NetBIOS. This is different from the other implementations of NetBIOS. NetBIOS refers to the programming interface in all implementations. In the NetBIOS/TCP environment, it also refers to the portion of the packet that carries NetBIOS commands, replies, and data. In the NetBIOS/NetBEUI environment, NetBIOS refers only to the API, and NetBEUI refers to the protocol. In the NetBIOS/IPX environment, NetBIOS refers to both the API and to the protocol. To understand the details of terminology use, it's worthwhile to examine the three different frame structures for TCP, NetBEUI, and IPX. Priscilla At 03:54 AM 4/9/02, [EMAIL PROTECTED] (John Nemeth) wrote: On Aug 29, 7:34am, Priscilla Oppenheimer wrote: } } NetBEUI is non-routable. NetBIOS is routable. NetBIOS over TCP/IP should } supposedly work over the Internet. For example, can't you do file sharing } over the Internet? That uses NetBIOS and SMB of CIFS. If you want to be pedantic (and, on this list we should be), discussing the routability of NetBIOS is non-sensical. NetBIOS is a session layer protocol. It would be like discussing the routability of TCP or UDP. By themselves, these protocols only have port numbers, they don't have node addresses. As someone else has mentioned, you really need to look at the underlying protocol. NetBIOS over TCP/IP (aka NBT) is, of course, completely routable, since TCP/IP is a routable protocol. NetBIOS over NetBEUI isn't routable as NetBEUI is a datalink layer protocol (i.e. 
it has host addresses and doesn't have any way of doing network addressing, so its addresses are for the local segment only, ala Ethernet MAC addresses) and must be bridged. }-- End of excerpt from Priscilla Oppenheimer Priscilla Oppenheimer http://www.priscilla.com
RE: CCNP Training kit [7:40915]
Matt- Can you define *terrible*?? bad questions? incorrect? Inquiring minds would like to know MikeS
Re: Cisco Audio Files [7:40911]
I played around with making a cool (but low quality ;-) MP3 training file on troubleshooting WANs. It's free here, as are some other troubleshooting resources I put together: http://www.troubleshootingnetworks.com/resources.html Priscilla At 09:06 AM 4/9/02, Sam Deckert wrote: Hello all, Just wondering if anyone has (or knows where to get) Cisco audio files, such as from sessions at Networkers? I would like to be able to listen to them in the car Thanks for any help anyone is able to provide... Sam. Priscilla Oppenheimer http://www.priscilla.com
Re: iBGP full mesh ? [7:40741]
Comments inline At 11:19 AM 4/9/2002 -0400, Chuck wrote: Ah, but there is this little thing called the standard, and the standard requires that it be done the way it is because BGP SHOULD be advertising only REACHABLE nets. What would the internet be, if unreachable nets were advertised willy nilly? ;- Sure.. BGP synchronization (particularly with OSPF) hasn't been on the BGP standards track for a while. I think it was Avi Freeman ( sp? ) who put it so poetically: ( and I am paraphrasing ) A BGP route is a promise. Putting BGP into your IGP would be a threat I haven't researched, but I would wager a guess that the no synch option was added in a later revision of the BGP standard based on real world experience. It is a concession to human frailty in a protocol that requires perfection. It is also the start of the proverbial primrose path that can lead you to hell in a handbasket real fast, if you don't understand the differences between BGP operation and the behaviour of the other routing protocols. I think synch, beyond OSPF-BGP interaction, is a vendor implementation issue, and not actually described in BGPv4 (or v3 for that matter if i recall correctly) See what happens when you read too much Raymond Chandler? :- Chuck Peter van Oene wrote in message news:[EMAIL PROTECTED]... I don't disagree with most of your points, but really think synch should be disabled in all cases at all times along with auto summary. It should be disabled by default and indeed shouldn't even be included as a configurable option. At 11:28 AM 4/8/2002 -0400, you wrote: It's not default for the same reason why unicast rpf (antispoofing) is not default in ISO; because people are stupid, and under poor design, it could produce very undesirable and hard to troubleshoot results. In other words, if you don't know why you are disabling synchronization, don't do it.
Take the following scenario: A multihop iBGP link between routers (A) and (B) in which a non-bgp IGP router (C) is routing packets between them. Both BGP links are advertising full tables to each other, and, under your suggested default config, would attempt to forward packets to destinations that router C has no clue about. Then what does router C do with these destinations? The answer, of course, is to set up an iBGP full mesh, and then to disable synchronization, and if you are smart, design your network so that your IGP learns only about downstream routes and set a default route up to the core of your network. Anyway, the point being, sync is enabled by default because you really should know what you are doing before you disable it. On Mon, 2002-04-08 at 10:44, MADMAN wrote: I can think of one good reason why you would disable sync, you can't redistribute 100K routes into ANY IGP. Why are you so concerned about disabling sync?? It should be default. Dave Jay wrote: BGP Rules of thumb: BGP advertised prefix must also exist in local IGP table. iBGP learned prefix must also exist in local IGP table -or use #no sync on iBGP learning router, but if you do, you'd sure as hell better know why you disabled it. On Sun, 2002-04-07 at 09:22, Phil Barker wrote: Hi Group, Hope someone can help out with this as I don't have access to my kit at the moment. I tried to set up my first BGP lab last week. I configured a full iBGP mesh, three routers connected in a triangle via serial lines. I set up "neighbour" statements on each router (Hope Radia can forgive the extra vowel !!!) and advertised the networks. I got the BGP table working but nothing was promoted to the main routing table, and therefore couldn't ping non directly connected interfaces. I tried various approaches like putting a default route in and running an IGP but still no promotion to the main table. Should this be possible with iBGP ? or is it a matter of loop avoidance i.e the AS Numbers won't be prepended for the case of iBGP peers. Phil. -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it
Re: Hardening Ports? [7:40852]
Hello all, The absolute best info (IMHO) is www.sans.org. They are up to the minute, and OS savvy beyond belief. SANS has the uncanny ability to have gray hackers who 'contribute' to their security efforts. Forget google, go to the source. After you harden your system don't forget to scan it heavily to see what is still open. If you have a linux/solaris box available go to www.nessus.org and use their scanner. (Good stuff, but you can kill a server with it if you scan too heavily.) It is my firm belief that you cannot do network security effectively without knowledge of OS platforms and what processes/daemons they have running. Have a good day. Kevin McCarty CCNA CCNP Computer Sciences Corporation Defense Sector Charlie cc: Sent by: Subject: Re: Hardening Ports? [7:40852] nobody 04/09/2002 10:04 AM Please respond to Charlie Thanks, Kent. Chee Kin and Sam actually answered my question already. Nonetheless, thanks for your advice. Google is where I will also check in the future (although this newsgroup is proving to be very helpful). Charlie Kent Hundley wrote in message news:[EMAIL PROTECTED]... Charlie, As others noted, it depends on your OS. I would recommend doing a search on google for your OS+hardening. You'll probably find what you're looking for. Also consult your vendor's web site and http://www.sans.org for more info. HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Charlie Sent: Monday, April 08, 2002 12:51 PM To: [EMAIL PROTECTED] Subject: Hardening Ports? [7:40852] Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie
RE: Hardening Ports? [7:40852]
You also might want to try Retina from eEye. It's the best scanner on the market. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 10:26 AM To: [EMAIL PROTECTED] Subject: Re: Hardening Ports? [7:40852] Hello all, The absolute best info (IMHO) is www.sans.org. They are up to the minute, and OS savvy beyond belief. SANS has the uncanny ability to have gray hackers who 'contribute' to their security efforts. Forget google, go to the source. After you harden your system don't forget to scan it heavily to see what is still open. If you have a linux/solaris box available go to www.nessus.org and use their scanner. (Good stuff, but you can kill a server with it if you scan too heavily.) It is my firm belief that you cannot do network security effectively without knowledge of OS platforms and what processes/daemons they have running. Have a good day. Kevin McCarty CCNA CCNP Computer Sciences Corporation Defense Sector Charlie cc: Sent by: Subject: Re: Hardening Ports? [7:40852] nobody 04/09/2002 10:04 AM Please respond to Charlie Thanks, Kent. Chee Kin and Sam actually answered my question already. Nonetheless, thanks for your advice. Google is where I will also check in the future (although this newsgroup is proving to be very helpful). Charlie Kent Hundley wrote in message news:[EMAIL PROTECTED]... Charlie, As others noted, it depends on your OS. I would recommend doing a search on google for your OS+hardening. You'll probably find what you're looking for. Also consult your vendor's web site and http://www.sans.org for more info. HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Charlie Sent: Monday, April 08, 2002 12:51 PM To: [EMAIL PROTECTED] Subject: Hardening Ports? [7:40852] Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie
Identify 1750 models [7:40857]
I have several voice modules and I wanted to use them in my study pod. Going through the archives and the CCO it looks like the cheapest solution is using 1750's, and what I need are 2v's or 4v's (not the basic model). Here is my problem... None of the 1750's I've seen on ebay say what model they are, and the sellers I've e-mailed haven't seen any designation on the outside of the chassis. Not having ever seen any 1750's myself, I don't know how to tell them apart. I'm hoping someone here can help me identify the specific model designations, and perhaps alternatively, tell me where I could just buy the units at a reasonable price... Thanks all --- Dennis
RE: Puzzles -> WAS RE: My interview story [7:40553]
If you have 2 20' poles, a 32' rope strung between them, and the lowest point of the rope is 4' off of the ground, how far apart are the poles? If I understand correctly, I think the answer to this one is 16'. If the rope is attached to the ends of the poles, then the drop of the rope is 20' - 4' = 16'. The rope has total length of 32', the total length is composed of a drop and a horizontal span. So even though the shape of the rope is a parabola, we can just subtract the drop from the total length to get the span. Alex
RE: Identify 1750 models [7:40862]
The 1750-2V and 1750-4V are just marketing bundles - there is no difference in the physical chassis of the 1750 with these. Look here for more details: http://www.cisco.com/warp/public/cc/pd/rt/1700/prodlit/1750_ds.htm
Basically:
1750: 4MB Flash, 16MB DRAM, IOS IP Software
1750-2V: 8MB Flash, 32MB DRAM, IOS IP+Voice Software, 1 DSP
1750-4V: 8MB Flash, 32MB DRAM, IOS IP+Voice Software, 2 DSPs
Be careful buying these used - make the seller at least give you a printout of the show version, so you won't be stuck with having to buy lots of extras to make it work in the environment you are planning. Good Luck! Frank Jimenez, CCIE #5738 [EMAIL PROTECTED]
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Laganiere Sent: Monday, April 08, 2002 3:59 PM To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' Subject: Identify 1750 models
I have several voice modules and I wanted to use them in my study pod. Going through the archives and the CCO it looks like the cheapest solution is using 1750's, and what I need are 2v's or 4v's (not the basic model). Here is my problem... None of the 1750's I've seen on ebay say what model they are, and the sellers I've e-mailed haven't seen any designation on the outside of the chassis. Not having ever seen any 1750's myself, I don't know how to tell them apart. I'm hoping someone here can help me identify the specific model designations, and perhaps alternatively, tell me where I could just buy the units at a reasonable price... Thanks all --- Dennis
RE: Cisco SmartNet [7:40795]
Find the part # on the CCO and search Ebay for it... My boss was able to get support for his clunky old 4500M that he was using as a frame-switch. All the best !!! Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Widjaja Surja Kentjana Sent: Monday, April 08, 2002 3:26 AM To: [EMAIL PROTECTED] Subject: OT: Cisco SmartNet [7:40795] Hi all, I would like to find out some info about Cisco SmartNet. Can I buy a SmartNet (for a particular category) for EOL equipment? This is for cisco 2503 for example. Thanks. Widjaja
Re: Cisco ATA 186 (One Way or Two Way) [7:40900]
Yeah, you can also receive calls on an ATA186. The only thing I'm not sure if you can do or not is transferring a call after you have received it on the phone that is connected to the ATA186. thanks, -Brad Ellis CCIE#5796 (RS / Security) Network Learning Inc [EMAIL PROTECTED] www.optsys.net (Cisco hardware)
Hasan Abbas wrote in message news:[EMAIL PROTECTED]...
Dear All, I have configured Cisco ATA 186 with one of its UID0 set to 300 and other 301. Using a VOIP Module having 2 FXS Ports connected on 3600 Router using as an IOS Gateway. With One FXS Setting to destination pattern 1 and Other destination pattern set to 2. The ATA is able to put calls towards FXS port 1 and FXS port 2. But when I tried to dial from FXS port to ATA Adapter ports 300 or 301 it gives busy tone and it never gives me connecting tone. Are Cisco ATA one way device able to dial using Voice Gateway or Calls can be accepted to its phone like regular phones.
My ATA Configuration is as under:
UID0: 300
UID 1: 301
Gateway : 192.168.0.223 (IP of 3660 Gateway Router)
NO GateKeeper or SIP (value =0)
AuthMethod: (0x00040004)
DialPlan (Default)
Cisco 3660 Configuration:
dial-peer voice 1 pots
 destination-pattern 1
 port 4/1/0
dial-peer voice 2 pots
 destination-pattern 2
 port 4/1/1
dial-peer voice 3000 voip
 destination-pattern 300.
 session target ipv4:192.168.0.242 (IP of ATA)
Thanks in Advance
OSPF network command question [7:40939]
When I do a CCIE lab from CCIEBootCamp, I noticed two different ways to advertise a network under OSPF. I wonder if anyone can explain the differences between the two. For example:
interface fa0/0
 ip address 172.168.1.1 255.255.255.0
To advertise this network, you can use two different commands and both work:
router ospf 10
 network 172.168.1.0 0.0.0.255 area 0
or you can also use:
router ospf 10
 network 172.168.1.1 0.0.0.0 area 0
Please notice the second network command uses the exact IP address on the interface, instead of network numbers. Thanks Ruihai
RE: OSPF network command question [7:40939]
If you had additional interfaces on the listed subnet then they would also be included in OSPF. The second method will only include the specified interface.
-Original Message-
For example:
interface fa0/0
 ip address 172.168.1.1 255.255.255.0
To advertise this network, you can use two different commands and both work:
router ospf 10
 network 172.168.1.0 0.0.0.255 area 0
BSCI [7:40952]
I heard that BSCI is going to completely replace Routing, did anyone else hear that??
RE: OSPF network command question [7:40939]
Hi From what I heard and from my own experience, it is safer to use the exact interface, unless you end up writing 3 or 4 statements that could be grouped under one less specific inverse-mask. Tarek
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lomker, Michael Sent: Tuesday, April 09, 2002 1:28 PM To: [EMAIL PROTECTED] Subject: RE: OSPF network command question [7:40939]
If you had additional interfaces on the listed subnet then they would also be included in OSPF. The second method will only include the specified interface.
-Original Message-
For example:
interface fa0/0
 ip address 172.168.1.1 255.255.255.0
To advertise this network, you can use two different commands and both work:
router ospf 10
 network 172.168.1.0 0.0.0.255 area 0
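Added example (not part of the original posts): a Python check of how the wildcard mask in an OSPF network statement selects interfaces, covering the two statements from the question and the grouping trade-off raised in the replies. Only fa0/0 (172.168.1.1) comes from the thread; the other interfaces and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: only fa0/0 is from the thread, the rest is hypothetical.
INTERFACES = {
    "fa0/0": "172.168.1.1",
    "fa0/1": "172.168.2.1",
    "s0/0": "172.168.3.1",
    "s0/1": "192.168.50.1",   # e.g. a link where OSPF is not wanted
}


def parse_network_statement(line):
    """Parse 'network <address> <wildcard> area <id>' into (addr, wildcard, area)."""
    tokens = line.split()
    if len(tokens) != 5 or tokens[0] != "network" or tokens[3] != "area":
        raise ValueError(f"not an OSPF network statement: {line!r}")
    address = int(ipaddress.IPv4Address(tokens[1]))
    wildcard = int(ipaddress.IPv4Address(tokens[2]))
    return address, wildcard, tokens[4]


def matches(interface_ip, address, wildcard):
    """True when the interface address equals the statement address in every
    bit position where the wildcard mask has a 0 (a 1 bit means 'ignore')."""
    care = ~wildcard & 0xFFFFFFFF
    ip = int(ipaddress.IPv4Address(interface_ip))
    return (ip & care) == (address & care)


def enabled_interfaces(statement, interfaces=INTERFACES):
    """Names of the interfaces a single network statement selects."""
    address, wildcard, _area = parse_network_statement(statement)
    return sorted(
        name for name, ip in interfaces.items() if matches(ip, address, wildcard)
    )


def unintended(statement, intended, interfaces=INTERFACES):
    """Interfaces the statement selects beyond the ones the operator meant."""
    return sorted(set(enabled_interfaces(statement, interfaces)) - set(intended))


if __name__ == "__main__":
    for stmt in (
        "network 172.168.1.0 0.0.0.255 area 0",     # subnet form from the question
        "network 172.168.1.1 0.0.0.0 area 0",       # exact-address form
        "network 172.168.0.0 0.0.3.255 area 0",     # one grouped, less specific mask
        "network 0.0.0.0 255.255.255.255 area 0",   # matches every interface
    ):
        print(f"{stmt:45} -> {enabled_interfaces(stmt)}")
    print("extra:", unintended("network 172.168.0.0 0.0.3.255 area 0", ["fa0/0"]))
```

With a single interface in the subnet both forms from the question select the same interface; the difference only shows once another address falls inside the wildcard range, which is what the audit helper reports.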
RE: MS Security Operation Guide for Windows 2000 Server - [Was [7:40951]
Sam, Sorry, here is the link Bac -Original Message- From: sam sneed [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 7:56 AM To: [EMAIL PROTECTED] Subject: Re: MS Security Operation Guide for Windows 2000 Server - [Was [7:40926] Where is the link??? Bac Nguyen wrote in message news:[EMAIL PROTECTED]... Hi Charlie, FYI, Microsoft just released the Security Operation Guide for Windows 2000 server. Here is the link to it Hope this helps! Bac -Original Message- From: Charlie [mailto:[EMAIL PROTECTED]] Sent: Monday, April 08, 2002 2:12 PM To: [EMAIL PROTECTED] Subject: Re: Hardening Ports? [7:40852] Patrick - I was referring to TCP/IP ports. Thanks for your reply. Sam's message came in very handy and answered my question as well. Thanks again. Charlie Patrick Ramsey wrote in message news:[EMAIL PROTECTED]... do you mean ethernet ports or tcpip ports? Ethernet ports are done in the driver autonegotiate/speed/duplex settings locking down tcpip ports is entirely different. TCPwrappers will wrap daemons and applications under *nix... not so sure there is an equivalent for microsoft or novell. TCPWrappers just handles the negotiation really between the client and daemon. -Patrick Charlie 04/08/02 03:50PM Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie
RE: CCNP Training kit [7:40915]
They should allow people who bought it to trade it in for books or give credit for this on Ciscopress.com. I will admit I got scammed by it. It looked really good when they advertised it. The way they made it out, you would have thought it was like the Sybex CCNP virtual Trainer. This was a major scam, and I am sure they sold thousands of these. It is probably funny to most, except for the people who paid over $100 for it. -Original Message- From: Matthew Meiers [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 11:56 AM To: [EMAIL PROTECTED] Subject: RE: CCNP Training kit [7:40915] Don't waste your time or efforts. Version 2 is terrible. -Original Message- From: Brian Zeitz [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 8:40 AM To: [EMAIL PROTECTED] Subject: CCNP Training kit [7:40915] Just wanted to say that anyone who bought the CCNP Training kit Software, ISBN 1587200422, you can return it, and they will give you a completely new CD VS 2.0. I bought this Training kit, it has so many wrong answers, and so many bugs I thought I was on candid camera. They did offer a SP1 update right after the product was released, but that didn't help much. This is a first time that I have heard of a total recall of a software product. I really could write like 20 pages about what was wrong with the kit, it was that bad. Well, just thought I would share this, if anyone bought it, because I didn't know. I am on the Cisco press mailing list, and I registered my product, but they never bothered to contact me concerning this. This is the very last time I buy software without asking anyone else if they used it. Well, I guess I am going to send away for the version 2, to see if it is any better. It's a little late now, especially since I am half way through my CCNP. Ciscopress really dropped the ball on this one, especially since most of the people who bought it didn't know any better about the answers being mostly wrong, myself included. Ironically I failed routing using the kit. I passed routing and switching since then, using other material.
Re: iBGP full mesh ? [7:40741]
Comments inline At 11:19 AM 4/9/2002 -0400, Chuck wrote: Ah, but there is this little thing called the standard, and the standard requires that it be done the way it is because BGP SHOULD be advertising only REACHABLE nets. What would the internet be, if unreachable nets were advertised willy nilly? ;- Agreed. That's one of the fundamental loop and thrashing mechanisms, with some minor exceptions for deliberate blackhole routes that relate to someone's own address block. Sure.. BGP synchronization (particularly with OSPF) hasn't been on the BGP standards track for a while. I think it was Avi Freeman ( sp? ) who put it so poetically: ( and I am paraphrasing ) A BGP route is a promise. Putting BGP into the your IGP would be a threat I haven't researched, but I would wager a guess that the no synch option was added in a later revision of the BGP standard based on real world experience. The earlier versions of BGP (and, for that matter, OSPF), did allow for the possibility of mutual redistribution. Experience, of course, showed that was a bad idea. Pervasive iBGP works much better. I wouldn't be surprised if (1) Juniper didn't implement sync because it was recognized by then that it was a bad idea and (2) Cisco couldn't drop it because people were using it. It is a concession to human frailty in a protocol that requires perfection. It is also the start of the proverbial primrose path that can lead you to hell in a handbasket real fast, if you don't understand the differences between BGP operation and the behaviour of the other routing protocols. To the best of my recollection, synch is not in Draft 18 of the in-process RFC 1771 revision. I think synch, beyond OSPF-BGP interaction, is a vendor implementation issue, and not actually described in BGPv4 (or v3 for that matter if i recall correctly) Given that the OSPF-BGP interaction RFC has been declared Historic, meaning obsolete, that's probably not good evidence. 
Many of those See what happens when you read too much Raymond Chandler? :- Chuck Peter van Oene wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I don't disagree with most of your points, but really think synch should be disabled in all cases at all times along with auto summary. It should be disabled by default and indeed shouldn't even be included as a configurable option. At 11:28 AM 4/8/2002 -0400, you wrote: It's not default for the same reason why unicast rpf (antispoofing) is not default in ISO; because people are stupid, and under poor design, it could produce very undesirable and hard to troubleshoot results. In other words, if you don't know why you are disabling synchronization, don't do it. Take the following scenario: A multihop iBGP link between routers (A) and (B) in which a non-bgp IGP router (C) is routing packets between them. Both BGP links are advertising full tables to each other, and, under your suggested default config, would attempt to forward packets to destinations that router C has no clue about. Then what does router C do with these destinations? The answer, of course, is to set up a iBGP full mesh, and then to disable synchronization , and if you are smart, design your network so that your IGP learns only about downstream routes and set a default route up to the core of your network. Anyway, the point being, sync is enabled by default because you really should know what you are doing before you disable it. On Mon, 2002-04-08 at 10:44, MADMAN wrote: I can think one one good reason why you would disable sync, you can't redistribute 100K routes into ANY IGP. Why are you so concerned about disabling sync?? It should be default. Dave Jay wrote: BGP Rules of thumb: BGP advertised prefix must also exist in local IGP table. iBGP learned prefix must also exist in local IGP table -or use #no sync on iBGP learning router, but if you do, you'd sure as hell better know why you disabled it. 
On Sun, 2002-04-07 at 09:22, Phil Barker wrote: Hi Group, Hope someone can help out with this as I don't have access to my kit at the moment. I tried to set up my first BGP lab last week. I configured a full iBGP mesh, three routers connected in a triangle via serial lines. I set up 'neighbour' statements on each router (Hope Radia can forgive the extra vowel !!!) and advertised the networks. I got the BGP table working but nothing was promoted to the main routing table, and therefore couldn't ping non directly connected interfaces. I tried various approaches like putting a default route in and running an IGP but still no promotion to the main table. Should this be possible with iBGP ? or is it a matter of loop
RE: OSPF network command question [7:40939]
Also make note that network commands in IGPs (OSPF, EIGRP etc...) only specify what interfaces will participate in that IGP. This is different in BGP. The network command in BGP specifies what networks will participate in BGP. Hope this clears things up. John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40956t=40939
RE: Hardening Ports? [7:40852]
Hi Ali, Nessus is free, Retina is 945.00 USD Thanks Kevin McCarty CCNA CCNP Computer Sciences Corporation Defense Sector

Ali Mesdaq Subject: RE: Hardening Ports? [7:40852] Sent by: nobody 04/09/2002 12:55 PM Please respond to Ali Mesdaq

You also might want to try Retina from eEye. It's the best scanner on the market.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 10:26 AM To: [EMAIL PROTECTED] Subject: Re: Hardening Ports? [7:40852]

Hello all, The absolute best info (IMHO) is www.sans.org: they are up to the minute, and OS savvy beyond belief. SANS has the uncanny ability to have gray hackers who 'contribute' to their security efforts. Forget google, go to the source. After you harden your system don't forget to scan it heavily to see what is still open. If you have a linux/solaris box available go to www.nessus.org and use their scanner. (Good stuff, but you can kill a server with it if you scan too heavily.) It is my firm belief that you cannot do network security effectively without knowledge of OS platforms and what processes/daemons they have running. Have a good day. Kevin McCarty CCNA CCNP Computer Sciences Corporation Defense Sector

Charlie cc: Sent by: Subject: Re: Hardening Ports? [7:40852] nobody 04/09/2002 10:04 AM Please respond to Charlie

Thanks, Kent. Chee Kin and Sam actually answered my question already. Nonetheless, thanks for your advice. Google is where I will also check in the future (although this newsgroup is proving to be very helpful). Charlie

Kent Hundley wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...

Charlie, As others noted, it depends on your OS. I would recommend doing a search on google for your OS+hardening. You'll probably find what you're looking for. Also consult your vendor's web site and http://www.sans.org for more info.
HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Charlie Sent: Monday, April 08, 2002 12:51 PM To: [EMAIL PROTECTED] Subject: Hardening Ports? [7:40852] Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40957t=40852
Re: iBGP full mesh ? [7:40741]
Peter, - Original Message - From: Peter van Oene To: Sent: Tuesday, April 09, 2002 3:55 AM Subject: Re: iBGP full mesh ? [7:40741] I don't disagree with most of your points, but really think synch should be disabled in all cases at all times along with auto summary. It should be disabled by default and indeed shouldn't even be included as a configurable option. I know that's how Juniper defaults its BGP synch. I agree that synch should be disabled by default, really do not think people will put a non-bgp speaking router in the middle of their network by design, of course, unless we are talking about using stuff like MPLS at the core and pushing BGP out to the edge. But I still do not like the fact that Juniper makes BGP synch non-configurable, why not giving users the knob? Thanks Kent At 11:28 AM 4/8/2002 -0400, you wrote: It's not default for the same reason why unicast rpf (antispoofing) is not default in ISO; because people are stupid, and under poor design, it could produce very undesirable and hard to troubleshoot results. In other words, if you don't know why you are disabling synchronization, don't do it. Take the following scenario: A multihop iBGP link between routers (A) and (B) in which a non-bgp IGP router (C) is routing packets between them. Both BGP links are advertising full tables to each other, and, under your suggested default config, would attempt to forward packets to destinations that router C has no clue about. Then what does router C do with these destinations? The answer, of course, is to set up a iBGP full mesh, and then to disable synchronization , and if you are smart, design your network so that your IGP learns only about downstream routes and set a default route up to the core of your network. Anyway, the point being, sync is enabled by default because you really should know what you are doing before you disable it. 
On Mon, 2002-04-08 at 10:44, MADMAN wrote: I can think of one good reason why you would disable sync, you can't redistribute 100K routes into ANY IGP. Why are you so concerned about disabling sync?? It should be default. Dave Jay wrote: BGP Rules of thumb: BGP advertised prefix must also exist in local IGP table. iBGP learned prefix must also exist in local IGP table -or use #no sync on iBGP learning router, but if you do, you'd sure as hell better know why you disabled it. On Sun, 2002-04-07 at 09:22, Phil Barker wrote: Hi Group, Hope someone can help out with this as I don't have access to my kit at the moment. I tried to set up my first BGP lab last week. I configured a full iBGP mesh, three routers connected in a triangle via serial lines. I set up 'neighbour' statements on each router (Hope Radia can forgive the extra vowel !!!) and advertised the networks. I got the BGP table working but nothing was promoted to the main routing table, and therefore couldn't ping non directly connected interfaces. I tried various approaches like putting a default route in and running an IGP but still no promotion to the main table. Should this be possible with iBGP ? or is it a matter of loop avoidance i.e the AS Numbers won't be prepended for the case of iBGP peers. Phil. -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40958t=40741
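The synchronization rule and the A, C, B scenario quoted in this thread, worked through as an added example (not code from any poster). The A - C - B chain, the prefix 203.0.113.0/24 and all function names are constructed for illustration; B is assumed to have learned the prefix from an eBGP peer and to advertise it over iBGP with itself as next hop.

```python
PREFIX = "203.0.113.0/24"   # constructed external prefix (documentation range)
EXIT = "B"                  # assumed: B learned PREFIX from an eBGP peer

# IGP view of the A - C - B chain: router -> {destination router: physical next hop}
IGP = {
    "A": {"C": "C", "B": "C"},
    "C": {"A": "A", "B": "B"},
    "B": {"C": "C", "A": "C"},
}


def installed_next_hop(router, bgp_speakers, synchronization, igp_prefixes):
    """Return the physical next hop `router` installs for PREFIX, or None."""
    if router == EXIT:
        return EXIT
    if PREFIX in igp_prefixes:
        # The prefix was redistributed into the IGP, so every router has it.
        return IGP[router][EXIT]
    if router not in bgp_speakers:
        # Not in the IGP and this router runs no BGP: it knows nothing.
        return None
    if synchronization:
        # Sync rule: an iBGP-learned prefix is not used unless the IGP has it too.
        return None
    # iBGP route with next hop B, resolved through the IGP route towards B.
    return IGP[router][EXIT]


def trace(source, bgp_speakers, synchronization, igp_prefixes=frozenset()):
    """Follow a packet for PREFIX hop by hop; return (path, outcome)."""
    hop, path = source, [source]
    while hop != EXIT:
        nxt = installed_next_hop(hop, bgp_speakers, synchronization, igp_prefixes)
        if nxt is None:
            return path, f"dropped at {hop}: no route to {PREFIX}"
        hop = nxt
        path.append(hop)
    return path, "delivered"


def scenarios():
    """The four cases argued over in the thread."""
    everyone = {"A", "B", "C"}
    return {
        # Sync on and nothing in the IGP: BGP table is populated, routing table is not.
        "mesh, sync on": trace("A", everyone, True),
        # Sync off with a non-BGP router in the middle: traffic is black-holed at C.
        "C without BGP, sync off": trace("A", {"A", "B"}, False),
        # Every router in the path runs iBGP and sync is off: works.
        "mesh, sync off": trace("A", everyone, False),
        # Sync satisfied by redistributing BGP into the IGP (does not scale to 100K routes).
        "C without BGP, redistributed": trace("A", {"A", "B"}, True, {PREFIX}),
    }


if __name__ == "__main__":
    for name, (path, outcome) in scenarios().items():
        print(f"{name:32} {' -> '.join(path):12} {outcome}")
```

The first case matches the symptom in the original question (routes present in the BGP table but none promoted to the main routing table); the second is the black hole that synchronization was meant to prevent.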
RE: OSPF network command question [7:40939]
Right, Think of the ospf network command as a range statement that you can interpret like this: "If any of the interfaces falls within the given range, make that interface participate in the OSPF process under the given area." That means that you can either match the mask given on the interface, or specify 0.0.0.0, they do the same thing. Here's where you can minimize your configuration: Let's say you have the following 4 interfaces with the IP addresses listed, and you wanted them all to be in area0:

    int e0 192.168.0.0 255.255.255.0
    int e1 192.168.1.0 255.255.255.0
    int s0 192.168.2.0 255.255.255.0
    int s1 192.168.3.0 255.255.255.0

Instead of typing:

    config# router ospf 10
    config-router# network 192.168.0.0 0.0.0.255 area 0
    config-router# network 192.168.1.0 0.0.0.255 area 0
    config-router# network 192.168.2.0 0.0.0.255 area 0
    config-router# network 192.168.3.0 0.0.0.255 area 0
    config-router# exit
    config# ...

You could type this:

    config# router ospf 10
    config-router# network 192.168.0.0 0.0.3.255 area 0
    ! the above command could even be network 192.168.0.0 0.0.255.255 area 0.
    ! It would have the exact same effect, assuming the router didn't have other
    ! interfaces in this range that were either not going to participate in OSPF,
    ! or are going to be assigned to a different area.
    config-router# exit
    config#

The router will apply the "If any of the interfaces falls within the given range, make that interface participate in the OSPF process under the given area." statement and e0, e1, s0, and s1 will all become OSPF interfaces in area 0 because the wildcard mask 0.0.3.255 is equivalent to the subnet mask of 255.255.252.0, which is the CIDR mask of the four subnets.
HTH, Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I Network Engineer GRC International, Inc., an AT&T company

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lomker, Michael Sent: Tuesday, April 09, 2002 2:28 PM To: [EMAIL PROTECTED] Subject: RE: OSPF network command question [7:40939]

If you had additional interfaces on the listed subnet then they would also be included in OSPF. The second method will only include the specified interface.

-Original Message-

For example:

    interface fa0/0
    ip address 172.168.1.1 255.255.255.0

To advertise this network, you can use two different commands and both work

    router ospf 10
    network 172.168.1.0 0.0.0.255 area 0

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40959t=40939
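The range matching described in the message above, as an added example that is not part of the original posts. The interface host addresses, the extra `lab0` interface and the function names are constructed for illustration, and checking statements in the order given with the first match winning is an assumption of this sketch.

```python
import ipaddress


def _to_int(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip, base, wildcard):
    """True when ip agrees with base on every bit where the wildcard bit is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(base) & care)


def wildcard_to_prefixlen(wildcard):
    """Prefix length equivalent to a contiguous wildcard mask, else None."""
    w = _to_int(wildcard)
    if w & (w + 1):          # contiguous wildcards have the form 2**k - 1
        return None
    return 32 - w.bit_length()


def ospf_interfaces(interfaces, statements):
    """Map interface name -> area for every interface a network statement matches.

    interfaces: {name: interface IP}
    statements: [(base, wildcard, area), ...], checked in order (assumption).
    """
    enabled = {}
    for name, ip in interfaces.items():
        for base, wildcard, area in statements:
            if wildcard_match(ip, base, wildcard):
                enabled[name] = area
                break
    return enabled


# Constructed interface addresses inside the four subnets from the message,
# plus one constructed interface (lab0) that should stay out of OSPF.
INTERFACES = {
    "e0": "192.168.0.1",
    "e1": "192.168.1.1",
    "s0": "192.168.2.1",
    "s1": "192.168.3.1",
    "lab0": "192.168.9.1",
}

FOUR_STATEMENTS = [(f"192.168.{n}.0", "0.0.0.255", 0) for n in range(4)]
ONE_STATEMENT = [("192.168.0.0", "0.0.3.255", 0)]
BROAD_STATEMENT = [("192.168.0.0", "0.0.255.255", 0)]
HOST_STATEMENT = [("192.168.1.1", "0.0.0.0", 0)]

if __name__ == "__main__":
    for label, stmts in [("four /24 statements", FOUR_STATEMENTS),
                         ("0.0.3.255", ONE_STATEMENT),
                         ("0.0.255.255", BROAD_STATEMENT),
                         ("host 0.0.0.0", HOST_STATEMENT)]:
        print(f"{label:20} -> {sorted(ospf_interfaces(INTERFACES, stmts))}")
    print("0.0.3.255 is a /%d" % wildcard_to_prefixlen("0.0.3.255"))
```

With 0.0.255.255 the `lab0` interface joins area 0 as well, which is the situation the comment in the configuration warns about: audit which interfaces a wide wildcard matches before relying on it.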
Re: iBGP full mesh ? [7:40741]
inline At 03:37 PM 4/9/2002 -0400, Kent Yu wrote: Peter, - Original Message - From: Peter van Oene To: Sent: Tuesday, April 09, 2002 3:55 AM Subject: Re: iBGP full mesh ? [7:40741] I don't disagree with most of your points, but really think synch should be disabled in all cases at all times along with auto summary. It should be disabled by default and indeed shouldn't even be included as a configurable option. I know that's how Juniper defaults its BGP synch. I agree that synch should be disabled by default, really do not think people will put a non-bgp speaking router in the middle of their network by design, of course, unless we are talking about using stuff like MPLS at the core and pushing BGP out to the edge. But I still do not like the fact that Juniper makes BGP synch non-configurable, why not giving users the knob? Hi Kent. Juniper makes routers positioned to play in SP networks. These networks generally maintain routing information for thousands of prefixes. Pushing these large volumes of routing information into an IGP simply isn't a good idea. In general, any redistribution in either direction between BGP and IGP's is frowned upon. Many routing implementations will struggle greatly with 100k+ prefixes in OSPF (they don't fit in IS-IS).I expect the folks at Juniper who wrote the BGP implementation were mostly concerned with things people actually use. I'm personally not aware of any situation where BGP synchronization would represent the best solution to a given problem. To be honest, in the last bunch of years, the only place I've even heard the feature discussed has been in vendor certification forums where best practises (and reality for that matter) seem secondary to passing tests. Of note, building a BGP free core using MPLS for transport doesn't not create a situation where external routing information external to the AS needs to be passed into a non BGP routing domain in the same way that using an IGP in the core would. 
Pete Thanks Kent At 11:28 AM 4/8/2002 -0400, you wrote: It's not default for the same reason why unicast rpf (antispoofing) is not default in ISO; because people are stupid, and under poor design, it could produce very undesirable and hard to troubleshoot results. In other words, if you don't know why you are disabling synchronization, don't do it. Take the following scenario: A multihop iBGP link between routers (A) and (B) in which a non-bgp IGP router (C) is routing packets between them. Both BGP links are advertising full tables to each other, and, under your suggested default config, would attempt to forward packets to destinations that router C has no clue about. Then what does router C do with these destinations? The answer, of course, is to set up a iBGP full mesh, and then to disable synchronization , and if you are smart, design your network so that your IGP learns only about downstream routes and set a default route up to the core of your network. Anyway, the point being, sync is enabled by default because you really should know what you are doing before you disable it. On Mon, 2002-04-08 at 10:44, MADMAN wrote: I can think of one good reason why you would disable sync, you can't redistribute 100K routes into ANY IGP. Why are you so concerned about disabling sync?? It should be default. Dave Jay wrote: BGP Rules of thumb: BGP advertised prefix must also exist in local IGP table. iBGP learned prefix must also exist in local IGP table -or use #no sync on iBGP learning router, but if you do, you'd sure as hell better know why you disabled it. On Sun, 2002-04-07 at 09:22, Phil Barker wrote: Hi Group, Hope someone can help out with this as I don't have access to my kit at the moment. I tried to set up my first BGP lab last week. I configured a full iBGP mesh, three routers connected in a triangle via serial lines. I set up 'neighbour' statements on each router (Hope Radia can forgive the extra vowel !!!) and advertised the networks.
I got the BGP table working but nothing was promoted to the main routing table, and therefore couldn't ping non directly connected interfaces. I tried various approaches like putting a default route in and running an IGP but still no promotion to the main table. Should this be possible with iBGP ? or is it a matter of loop avoidance i.e the AS Numbers won't be prepended for the case of iBGP peers. Phil. -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications
Re: iBGP full mesh ? [7:40741]
inline At 03:02 PM 4/9/2002 -0400, Howard C. Berkowitz wrote: Comments inline At 11:19 AM 4/9/2002 -0400, Chuck wrote: Ah, but there is this little thing called the standard, and the standard requires that it be done the way it is because BGP SHOULD be advertising only REACHABLE nets. What would the internet be, if unreachable nets were advertised willy nilly? ;- Agreed. That's one of the fundamental loop and thrashing mechanisms, with some minor exceptions for deliberate blackhole routes that relate to someone's own address block. Sure.. BGP synchronization (particularly with OSPF) hasn't been on the BGP standards track for a while. I think it was Avi Freeman ( sp? ) who put it so poetically: ( and I am paraphrasing ) A BGP route is a promise. Putting BGP into the your IGP would be a threat I haven't researched, but I would wager a guess that the no synch option was added in a later revision of the BGP standard based on real world experience. The earlier versions of BGP (and, for that matter, OSPF), did allow for the possibility of mutual redistribution. Experience, of course, showed that was a bad idea. Pervasive iBGP works much better. I wouldn't be surprised if (1) Juniper didn't implement sync because it was recognized by then that it was a bad idea and (2) Cisco couldn't drop it because people were using it. It is a concession to human frailty in a protocol that requires perfection. It is also the start of the proverbial primrose path that can lead you to hell in a handbasket real fast, if you don't understand the differences between BGP operation and the behaviour of the other routing protocols. To the best of my recollection, synch is not in Draft 18 of the in-process RFC 1771 revision. Was it ever discussed in any BGP spec? It's certainly not in 1771, nor 1267 as far as I know. 
I think synch, beyond OSPF-BGP interaction, is a vendor implementation issue, and not actually described in BGPv4 (or v3 for that matter if i recall correctly) Given that the OSPF-BGP interaction RFC has been declared Historic, meaning obsolete, that's probably not good evidence. Was just making the point that beyond OSPF-BGP interaction, I've never seen BGP-IGP synchronization described in any ietf documentation related to best practise BGP implementations. Many of those See what happens when you read too much Raymond Chandler? :- Chuck Peter van Oene wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I don't disagree with most of your points, but really think synch should be disabled in all cases at all times along with auto summary. It should be disabled by default and indeed shouldn't even be included as a configurable option. At 11:28 AM 4/8/2002 -0400, you wrote: It's not default for the same reason why unicast rpf (antispoofing) is not default in ISO; because people are stupid, and under poor design, it could produce very undesirable and hard to troubleshoot results. In other words, if you don't know why you are disabling synchronization, don't do it. Take the following scenario: A multihop iBGP link between routers (A) and (B) in which a non-bgp IGP router (C) is routing packets between them. Both BGP links are advertising full tables to each other, and, under your suggested default config, would attempt to forward packets to destinations that router C has no clue about. Then what does router C do with these destinations? The answer, of course, is to set up a iBGP full mesh, and then to disable synchronization , and if you are smart, design your network so that your IGP learns only about downstream routes and set a default route up to the core of your network. Anyway, the point being, sync is enabled by default because you really should know what you are doing before you disable it. 
On Mon, 2002-04-08 at 10:44, MADMAN wrote: I can think of one good reason why you would disable sync, you can't redistribute 100K routes into ANY IGP. Why are you so concerned about disabling sync?? It should be default. Dave Jay wrote: BGP Rules of thumb: BGP advertised prefix must also exist in local IGP table. iBGP learned prefix must also exist in local IGP table -or use #no sync on iBGP learning router, but if you do, you'd sure as hell better know why you disabled it. On Sun, 2002-04-07 at 09:22, Phil Barker wrote: Hi Group, Hope someone can help out with this as I don't have access to my kit at the moment. I tried to set up my first BGP lab last week. I configured a full iBGP mesh, three routers connected in a triangle via serial lines. I set up 'neighbour' statements on each router (Hope Radia can forgive the
RE: CCNP Training kit [7:40915]
The kit is just way too small for the amount of information you are to know for CCNP. The entire section on BGP4 in the routing book is only 100 pages. I am telling you that there is no way that you will know BGP well enough to pass the exam after reading that section. I used CCIE study guides to pass my CCNP. The CCIE books from Cisco Press are much more complete, as well they should be, but you will KNOW the topic, not just know the topic. Does this clarify? -Original Message- From: Mike Sweeney [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 12:11 PM To: [EMAIL PROTECTED] Subject: RE: CCNP Training kit [7:40915] Matt- Can you define *terrible*?? bad questions? incorrect? Inquiring minds would like to know MikeS Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40964t=40915
RE: Hardening Ports? [7:40852]
Yeah there is a price to be paid for performance and support. Try doing a scan of 50 machines in Nessus and do the same scan in Retina. Retina from my experience will do 50 machines in less than an hour. Nessus might be about a day. Plus the reviews have showed that Nessus doesn't see all the vulnerabilities that Retina sees.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 12:33 PM To: Ali Mesdaq Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Hardening Ports? [7:40852]

Hi Ali, Nessus is free, Retina is 945.00 USD Thanks Kevin McCarty CCNA CCNP Computer Sciences Corporation Defense Sector

Ali Mesdaq Subject: RE: Hardening Ports? [7:40852] Sent by: nobody 04/09/2002 12:55 PM Please respond to Ali Mesdaq

You also might want to try Retina from eEye. It's the best scanner on the market.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 10:26 AM To: [EMAIL PROTECTED] Subject: Re: Hardening Ports? [7:40852]

Hello all, The absolute best info (IMHO) is www.sans.org: they are up to the minute, and OS savvy beyond belief. SANS has the uncanny ability to have gray hackers who 'contribute' to their security efforts. Forget google, go to the source. After you harden your system don't forget to scan it heavily to see what is still open. If you have a linux/solaris box available go to www.nessus.org and use their scanner. (Good stuff, but you can kill a server with it if you scan too heavily.) It is my firm belief that you cannot do network security effectively without knowledge of OS platforms and what processes/daemons they have running. Have a good day. Kevin McCarty CCNA CCNP Computer Sciences Corporation Defense Sector

Charlie cc: Sent by: Subject: Re: Hardening Ports? [7:40852] nobody 04/09/2002 10:04 AM Please respond to Charlie

Thanks, Kent. Chee Kin and Sam actually answered my question already. Nonetheless, thanks for your advice.
Google is where I will also check in the future (although this newsgroup is proving to be very helpful). Charlie Kent Hundley wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Charlie, As others noted, it depends on your OS. I would recommend doing a search on google for your OS+hardening. You'll probably find what you're looking for. Also consult your vendor's web site and http://www.sans.org for more info. HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Charlie Sent: Monday, April 08, 2002 12:51 PM To: [EMAIL PROTECTED] Subject: Hardening Ports? [7:40852] Hello, all :-) I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated. Truly, Charlie Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40965t=40852
Very Strange [7:40966]
I've got a 2501, that I cannot connect directly to the console port of, however, if using the same PC, same cable, and all settings the same, I can connect fine to all of my other routers. And if I use the AUX port on another router connected via rollover cable into the console port on this 2501, it works fine w/ a reverse telnet session. Anyone ever seen this? any suggestions? Thanks, Kevin Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40966t=40966
RE: Very Strange [7:40966]
Hi Kevin, this is from the Cisco site: Console Port Problem on Cisco 2500 Symptom Output from the router on the console screen can be seen, but anything which is typed in is not seen. Problem The terminal is set to use Ready To Send/Clear To Send (RTS/CTS) flow control. On all other routers, the console port is wired to connect RTS and CTS so even though we don't do real flow control, the terminal sees CTS in response to asserting RTS. Due to the RJ45 - DB25 adapter wiring for the 2500, this is not possible. Solution Disable hardware flowcontrol or strap CTS high. Hope this helps, Georg Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40968t=40966
RE: Very Strange [7:40966]
Is your 2501 router booting correctly? If it is booting in rommon, then you will not be able to access the router through console with the standard settings. What you need to do is to change your baud rate to 38400, and keep increasing unless it sees it. Don't change the baud rate and then expect it will work. If it doesn't work with 38400, then close it and reopen hyper terminal with the new baud rate and so on. Believe me I have been through this. Abbas -Original Message- From: Kevin Corbin [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 1:36 PM To: [EMAIL PROTECTED] Subject: Very Strange [7:40966] I've got a 2501, that I cannot connect directly to the console port of, however, if using the same PC, same cable, and all settings the same, I can connect fine to all of my other routers. And if I use the AUX port on another router connected via rollover cable into the console port on this 2501, it works fine w/ a reverse telnet session. Anyone ever seen this? any suggestions? Thanks, Kevin Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40970t=40966
RE: New CCNP Exam [7:40967]
It appears to be soon. Cisco is already listing the old 500 series exams as no longer applicable on the tracking page. -Original Message- From: Tony Chen [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 3:48 PM To: [EMAIL PROTECTED] Subject: New CCNP Exam [7:40967] Cisco has finished the beta testing to CCNP exams. Does anyone know when are they going to roll out and replace the current CCNP 2.0? Tony Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40971t=40967
Re: Ethernet [7:40886]
Get a sniffer. If you're good, you can use Ethereal to see if you can spot the offender, otherwise, use Sniffer, as it will do it for you. -- RFC 1149 Compliant. Get in my head: http://sar.dynu.com kaushalender wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Hi group, we have around 400 computers in the building on the LAN. I have one 2610 router which is our gateway router; on the ethernet of the router I am receiving huge amount of multicast and crc4 errors. I have one more Telendus router which connected with my customer on serial. The problem is that on the customer's link after some time the ms get increase and then it chokes the link. What I am guessing is that one or more ethernet device is malfunctioning; problem is how to find those devices which are malfunctioning. Plz help to solve this problem Thanx Kaushslender Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40972t=40886
Re: Very Strange [7:40966]
Check the archives. I went through this exact scenario with a router that I sold to someone a couple of months ago. It worked fine when I had it, but when it got to their site, they couldn't connect. I used Teraterm, they used Hyperterm. They didn't want to use Teraterm (I don't know why) and we ended up resolving the problem by replacing the flash. Strange, but true. Craig At 04:35 PM 4/9/2002 -0400, you wrote: I've got a 2501, that I cannot connect directly to the console port of, however, if using the same PC, same cable, and all settings the same, I can connect fine to all of my other routers. And if I use the AUX port on another router connected via rollover cable into the console port on this 2501, it works fine w/ a reverse telnet session. Anyone ever seen this? any suggestions? Thanks, Kevin Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40973t=40966
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Mark, Typically the alias command is used when: 1) You have overlapping addresses, ie. you're using 10 net addressing and you have to connect to someone else who is also using 10 net addressing (this is done through DNS doctoring) Or you have a split DNS. (see below) 2) You want to translate the dst address of packets going from inside to outside on the PIX. If you have a situation where your DNS is external and your servers are internal, you probably don't want the internal hosts accessing the internal servers using their external address. In order for the DNS replies to give the internal hosts the internal address of the servers, you would use the alias command to alter the reply to the internal hosts. This comes into play when you have what is typically called a split-brain DNS. The external DNS can only resolve hosts which are accessible from the outside. The internal DNS forwards to the external for name resolution of externally accessible hosts. Since the DNS resolution yields an externally reachable address, you would use the alias to make sure that the internal hosts use the internal IP while the external hosts use the external IP. HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Odette II Sent: Tuesday, April 09, 2002 8:38 AM To: [EMAIL PROTECTED] Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722] Kent- What if you have your DNS Server(s) (resolving Public addresses for the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the PIX with all of them running RFC1918 addresses, and you want both inside and outside sourced traffic (Any Any) to reach the Web or Mail Server? Is the Alias command used for the inside hosts to reach the servers when resolving to the Public Addresses only?? Forgive my ignorance...
I'm just catching back up on my PIX studies, and see where the above scenario comes into play on a regular basis for small/medium networks where the Business/Organization hosts their own DNS and has their ISP provide Secondary DNS for them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kent Hundley Sent: Tuesday, April 09, 2002 9:53 AM To: [EMAIL PROTECTED] Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722] Robert, Ok, I'm more confused than before. :-) You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190"; this seems like contradictory statements to me unless you're saying you want only _internal_ hosts to access the web server, but use its external address? Let's keep it simple: 1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both? 2) Where is your DNS server? It appears that it is on the outside of the PIX, correct? 3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be doctored so that the web server's IP would appear to internal clients as 172.20.21.241 and they should just go directly to that address without having to go to the PIX. (this assumes the DNS is on the external interfaces of the PIX and the web server's DNS resolves to xxx.yyy.115.190) If you want an external host to access the web server, you're going to have to modify your conduit statement(s). Regards, Kent -Original Message- From: Robert T. 
Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]] Sent: Sunday, April 07, 2002 8:35 PM To: Kent Hundley; [EMAIL PROTECTED] Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722] Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge. Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual ip address of the server is 172.20.21.241. That's where the static and conduit commands come in to play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.21.241 (I would use the term routes it to 172.20.21.241 but I am afraid it would cause further confusion ... to me). So,
RE: Cisco Audio Files [7:40911]
That's great - thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 9 April 2002 11:42 PM To: [EMAIL PROTECTED] Subject: RE: Cisco Audio Files [7:40911] Is this what you are looking for: http://recording.safeshopper.com/index.htm?648? Andy -Original Message- From: Sam Deckert [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 09, 2002 9:07 AM To: [EMAIL PROTECTED] Subject: Cisco Audio Files [7:40911] Hello all, Just wondering if anyone has (or knows where to get) Cisco audio files, such as from sessions at Networkers? I would like to be able to listen to them in the car Thanks for any help anyone is able to provide... Sam. [GroupStudy.com removed an attachment of type text/x-vcard which had a name of Sam Deckert.vcf] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40975t=40911 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX problem [7:40928]
You'll never be able to ping interface of the PIX that is not directly connected to you (like in your case). Not access-list, not icmp commands can enable that 'feature'. -- Lidiya White -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of dk Sent: Tuesday, April 09, 2002 10:14 AM To: [EMAIL PROTECTED] Subject: Re: PIX problem [7:40928] Thanks for the input, I have allowed the required icmp access ... To try and clarify ... I'm trying to ping the pix interface E1 (ip address 10.222.62.1) through pix interface E0 (ip address 10.222.33.1) from my workstation (ip address 10.222.32.100) I can successfully ping the PIX E0 interface and any devices on the 10.222.62.0 network going through the PIX E1 interface. but when I try to ping the PIX E1 interface itself I get no response no error is logged and the conduit hitcount is not incremented. Is it a feature? - Original Message - From: HORVATH TAMAS To: Sent: Tuesday, April 09, 2002 4:04 PM Subject: Re: PIX problem [7:40928] Hi! See http://www.cisco.com/warp/customer/110/31.html According to this document Inbound ICMP through the PIX is denied by default; outbound ICMP is permitted, but the incoming reply is denied by default. So you can ping every PIX interface from the PIX and from the directly connected LAN, but can't ping through the pix. I think you should not ping through the PIX default, just from the PIX (from Telnet console). According to this document: In PIX Software versions 4.1(6) until 5.2.1, ICMP traffic to the PIX's own interface is permitted; the PIX cannot be configured to not respond. 
Beginning in PIX Software version 5.2.1, ICMP is still permitted by default, but PIX ping responses from its own interfaces can be disabled with the icmp command (that is, a stealth PIX) By, HT Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40976t=40928 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Interautonomous systems for MPLS VPNs [7:40977]
Hello everyone: This forum has probably some of the best minds in the area of networking and we have been benefiting from this forum big time. I have a question on configuring MPLS based VPNs spanning more than one AS. The ASBRs are not provider or provider edge routers. I am trying to replicate the scenario given on this link at Cisco's website. http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120st/120st17/intras17.htm I have been able to get the routes belonging to the same VPN on both sides, but am unable to ping any network on both sides. Does anyone have any idea on what's missing? Thank you Salman. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40977t=40977
Re: OSPF network command question [7:40939]
The first command will advertise the entire block. If you have other interfaces in that block, they will be included. The second command says to just advertise that interface. HTH, Scott Ruihai An wrote in message news:[EMAIL PROTECTED]... When I do a CCIE lab from CCIEBootCamp, I noticed two different ways to advertise a network under OSPF. I wonder if anyone can explain the differences between the two. For example: interface fa0/0 ip address 172.168.1.1 255.255.255.0 To advertise this network, you can use two different commands and both work: router ospf 10 network 172.168.1.0 0.0.0.255 area 0 or you can also use: router ospf 10 network 172.168.1.1 0.0.0.0 area 0 Please notice the second network command uses the exact IP address on the interface, instead of network numbers. Thanks Ruihai Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40949t=40939
RE: Identify 1750 models [7:40857]
Dennis- Unfortunately, the 1750's don't say on the outside of them if they are a 2V or 4V model. The only way to tell, short of crackin' the baby open, is to have the seller issue the following command from the console: C1750#Show Diag ... and from the output, you should look for: Packet Voice DSP Module Slot 0: Number of DSPs :1 or Number of DSPs :2 1 = 2V Voice Router 2 = 4V Voice Router Then, you can start choosing between your choice of FXS/FXO/EM VIC. Note that you can only put two VICs total into the 1750, and Slot 0 is the only slot you don't put these cards in. As far as where to buy... Ebay still seems to be the least expensive from my perspective... but perhaps somebody knows of a better source. Good Luck. -Mark Odette II -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dennis Laganiere Sent: Tuesday, April 09, 2002 1:11 PM To: [EMAIL PROTECTED] Subject: Identify 1750 models [7:40857] I have several voice modules and I wanted to use them in my study pod. Going through the archives and the CCO it looks like the cheapest solution is using 1750's, and what I need are 2v's or 4v's (not the basic model). Here is my problem... None of the 1750's I've seen on ebay say what model they are, and the sellers I've e-mailed haven't seen any designation on the outside of the chassis. Not having ever seen any 1750's myself, I don't know how to tell them apart. I'm hoping someone here can help me identify the specific model designations, and perhaps alternatively, tell me where I could just buy the units at a reasonable price... Thanks all --- Dennis Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40962t=40857
Re: OSPF network command question [7:40939]
When I do a CCIE lab from CCIEBootCamp, I noticed two different ways to advertise a network under OSPF. I wonder if anyone can explain the differences between the two. For example: interface fa0/0 ip address 172.168.1.1 255.255.255.0 To advertise this network, you can use two different commands and both work: router ospf 10 network 172.168.1.0 0.0.0.255 area 0 or you can also use: router ospf 10 network 172.168.1.1 0.0.0.0 area 0 Please notice the second network command uses the exact IP address on the interface, instead of network numbers. Thanks Ruihai I always use the exact IP address form, as do many of the OSPF old-timers. In my opinion, it makes troubleshooting and documentation easier. -- What Problem are you trying to solve? ***send Cisco questions to the list, so all can benefit -- not directly to me*** Howard C. Berkowitz [EMAIL PROTECTED] Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com Technical Director, CertificationZone.com http://www.certificationzone.com retired Certified Cisco Systems Instructor (CID) #93005 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40963t=40939
RE: 6509 trunk to 3524? Any suggestions [7:40880]
From the Cisco site: Dynamic Trunk Protocol (DTP) Note: 2900 XL/3500 XL /2950 Switches do not support DTP There are different types of trunking protocols. If a port can become a trunk, it may also have the ability to trunk automatically, and in some cases even negotiate what type of trunking to use on the port. This ability to negotiate the trunking method with the other device is called DTP. The 2900 XL/3500 XL/2950 switches do support EtherChannel and trunking, but they do not support dynamic EtherChannel creation (Port Aggregation Protocol (PAgP) ) or dynamic trunk negotiation Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40978t=40880 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cisco VPN Client PIX [7:40670]
I didn't see an update on this, but unless there has been an upgrade to the Linksys, it will only pass 1 IPsec tunnel. If there is an existing connection, and another is attempted, the original one will be dropped. There are some higher end (higher priced) firewall devices that will pass a large number of tunnels. How many clients are you trying to terminate? You might think about a PIX 501. Hope this helps From: Curious Reply-To: Curious To: [EMAIL PROTECTED] Subject: Re: Cisco VPN Client PIX [7:40670] Date: Sat, 6 Apr 2002 12:48:48 -0500 Clients are behind Linksys Cable/DSL router and in the office we have PIX 515. PIX assigns IP address from Local IP address Pool. Curious wrote in message news:[EMAIL PROTECTED]... I am using Cisco VPN Client to connect with my Office PIX 515 firewall over IPSEC 3DES encryption. My connection is dropping automatically. It is not because of idle time out or maximum time out. It happens randomly. If someone has any information on it. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40979t=40670
OT: CCIE Lab for Sale [7:40980]
Hello Group, I have the following equipment for sale from my Lab after passing my CCIE: Cisco 2503 16Flash/16DRAM Cisco 2503 16Flash/16DRAM Cisco 2503 16Flash/16DRAM Cisco 2501 16Flash/16DRAM Cisco 2501 16Flash/16DRAM Cisco 2509 16Flash/16DRAM Catalyst 5000 WS-5009 Supervisor Engine I WS-5213a 12 RJ45 port 10/100 Ethernet Module WS-5213a 12 RJ45 port 10/100 Ethernet Module WS-5010 24-Port 10BaseT Module (will provide 1 breakout cable) WS-X5155 ATM LANE Module Prefer buyers in Australia. Make me a serious offer. Albert Lu CCIE #8705 [EMAIL PROTECTED] _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40980t=40980 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: OSPF network command question [7:40939]
Just like to add that: These are connected networks on the router for OSPF to advertise out to other OSPF neighbours. Sarkis Karagozian Corporate Network Engineering EarthLink Inc. (ELNK) Tel. 626 345-2828, X 52828, Cell 626 676-3723 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lomker, Michael Sent: Tuesday, April 09, 2002 11:28 AM To: [EMAIL PROTECTED] Subject: RE: OSPF network command question [7:40939] If you had additional interfaces on the listed subnet then they would also be included in OSPF. The second method will only include the specified interface. -Original Message- For example: interface fa0/0 ip address 172.168.1.1 255.255.255.0 To advertise this network, you can use two different commands and both work: router ospf 10 network 172.168.1.0 0.0.0.255 area 0 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40981t=40939
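The wildcard-mask matching discussed in this OSPF thread, as an added example that is not part of any poster's message: it computes which interfaces each `network` statement enables OSPF on, and lists interfaces enabled beyond the intended set. Only fa0/0 (172.168.1.1) and the two statements come from the thread; the other interfaces, the broader 0.0.255.255 statement and the function names are constructed for illustration.

```python
import ipaddress


def _to_int(dotted):
    """Convert a dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(interface_ip, statement_addr, wildcard):
    """True if an interface address matches 'network <addr> <wildcard>'.

    Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(interface_ip) & care) == (_to_int(statement_addr) & care)


def enabled_interfaces(interfaces, statement_addr, wildcard):
    """Names of the interfaces a single network statement enables OSPF on."""
    return sorted(
        name for name, ip in interfaces.items()
        if wildcard_match(ip, statement_addr, wildcard)
    )


def unintended_interfaces(interfaces, statements, intended):
    """Interfaces enabled by any statement but absent from the intended set."""
    enabled = set()
    for addr, wildcard in statements:
        enabled.update(enabled_interfaces(interfaces, addr, wildcard))
    return sorted(enabled - set(intended))


# Constructed inventory: fa0/0 is the interface from the thread,
# the remaining entries are hypothetical.
INTERFACES = {
    "fa0/0": "172.168.1.1",
    "fa0/1": "172.168.2.1",
    "s0/0": "172.168.200.1",
    "lo0": "10.0.0.1",
}

# The two statements from the thread plus one hypothetical broad statement.
STATEMENTS = [
    ("172.168.1.0", "0.0.0.255"),
    ("172.168.1.1", "0.0.0.0"),
    ("172.168.0.0", "0.0.255.255"),
]

if __name__ == "__main__":
    for addr, wildcard in STATEMENTS:
        names = enabled_interfaces(INTERFACES, addr, wildcard)
        print(f"network {addr} {wildcard} -> {names}")
    extra = unintended_interfaces(INTERFACES, STATEMENTS[2:], ["fa0/0"])
    print("enabled beyond fa0/0 by the broad statement:", extra)
```

With the exact-address form, a newly added interface never joins OSPF without its own statement, which keeps the set of segments receiving OSPF hellos explicit.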
cnr [7:40984]
dear all: when i install the CNR5.5 on sun ,how can i remove my data of CNR5.0 install in the WINNT . THANKS VERY MUCH! -- Regards Yangchun --- Telindus Ltd. Beijing Office RM408/410, Office Tower, Beijing Capital Times Square, No.88 West Changan Ave., Beijing, P.R.C. --- mailto: [EMAIL PROTECTED] tel: +86 (10) 8391 5323~5330 Ext: 6015 fax: +86 (10) 8391 5321 --- For more information about our products and services, please visit our website: --- Secure connectivity mobility Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40984t=40984 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
as-path access list [7:40983]
Is there any difference in these two commands? A. ip as-path access-list deny _10_ B. ip as-path access-list deny ^10$ If I understand correctly, they both deny AS 10, and only 10. -- RFC 1149 Compliant. Get in my head: http://sar.dynu.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40983t=40983
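An added example, not part of the post above, that evaluates the two patterns `_10_` and `^10$` against sample AS paths. It models the IOS rule that `_` matches a delimiter (start of string, end of string, space, comma, braces or parentheses) by translating it into Python regex syntax; the sample paths and function names are constructed, and an underscore inside a bracket expression is not handled.

```python
import re

# In IOS AS-path regular expressions "_" matches the start of the string,
# the end of the string, a space, a comma, a brace or a parenthesis.
DELIMITER = r"(?:^|$|[ ,{}()])"


def cisco_to_python(pattern):
    """Translate an IOS AS-path regex into Python regex syntax."""
    return pattern.replace("_", DELIMITER)


def matching_paths(paths, cisco_pattern):
    """Return the AS paths (space-separated strings) the pattern matches."""
    compiled = re.compile(cisco_to_python(cisco_pattern))
    return [path for path in paths if compiled.search(path)]


def matched_only_by(paths, pattern_a, pattern_b):
    """Paths matched by pattern_a that pattern_b does not match."""
    b_hits = set(matching_paths(paths, pattern_b))
    return [p for p in matching_paths(paths, pattern_a) if p not in b_hits]


# Constructed AS paths, leftmost AS is the neighbouring AS.
SAMPLE_PATHS = [
    "10",         # originated by AS 10, learned directly from it
    "10 10 10",   # AS 10 with prepending
    "10 20",      # learned from AS 10, originated by AS 20
    "20 10",      # learned from AS 20, originated by AS 10
    "20 10 30",   # AS 10 in transit
    "100",        # contains the digits "10" but not AS 10
    "20 110",
    "210 30",
    "20 30",
]

if __name__ == "__main__":
    for pattern in ("_10_", "^10$"):
        print(pattern, "->", matching_paths(SAMPLE_PATHS, pattern))
    print("matched by _10_ only:",
          matched_only_by(SAMPLE_PATHS, "_10_", "^10$"))
```

A filter meant to act on every route that traverses AS 10 has to use the `_10_` form; `^10$` covers only the path consisting of the single AS 10.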
4006 w/SUPII and WS-X4019 [7:40985]
If you're running the CAT4000 with a SUPII, how many PPS is it capable of switching? If you add the WS-X4019, it says it's wire-speed so I was wondering what you lose without it. Anyone notice any problems with 5 blades of 10/100 in a CAT4000 with SUPII? Thanks!! Jeffrey Reed Classic Networking, Inc. Cell 717-805-5536 Office 717-737-8586 FAX 717-737-0290 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40985t=40985
Re: Very Strange [7:40966]
Craig - Thanks for the input, I downloaded Teraterm, and it works fine with that, however, I am still bugged by the fact that hyperterminal doesn't work. I'm going to try different flash and see what happens. Thanks for the input. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40982t=40966 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
OT: positions' names [7:40986]
Hi to the group, I am working to make my resume. I am a little confused with the positions I should put on the resume. It is because I read a lot of job descriptions on Monster.com, Workopolis and other sites like these. The question is: what are the differences between network analyst, network engineer, network support engineer, system administrator and many others? Mainly it seems that the same duties are covered by different titles at different companies. Could you help me or give me some useful links for this matter? Thanks in advance for any clue Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40986t=40986
a may b simple prob [7:40987]
Hi, I want to do some sort of content based data filtering on either Cisco 4500 or AS 5300. I want to connect some of my servers via a 2900 to this 4500. So that, as soon as some special traffic (which I have predefined such as if I want web traffic) comes to the router it throws it to those servers (which may be running some sort of caching). I know that there r dedicated stuff available from cisco too (as cisco has everything for everything) for the said purpose, so if u wanna advise me to buy that, plz send in your credit card info along with too :). If you can give me any idea on how to accomplish this, I'm all ears. Regards, MHA Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40987t=40987
Now What???????? [7:40988]
Team, After you pass the written, what do you do in reference to the following: 1) Do you mention it in your resume and if you do, any suggestions (I know it is not a certification). CCIE Lab (scheduled for xx-xx-xx) Passed CCIE Written, Lab (scheduled for xx-xx-xx) Working on the CCIE Lab Put nothing because the written is not a certification. 2) Any book which will help you to put together a very organized and structured plan of studying for the lab (very similar to Caslow's book). I already have the following books: CASLOW, HUTNIX, DOYLE 3) How similar are the labs and hardware layout from the FATKID to the real thing? I'm planning to use the same format (what is your recommendation) Wow, the more we think we know the less we know... I feel very good... some people are saying that I don't have a life because all I talk about is Cisco... Cisco... routers... switches... bridges Thanks, JB Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40988t=40988
RE: BCRAN question [7:37481]
Dear Friends, My name is HAI NGUYEN DUC, I live in Viet Nam. Now, I am on track to take the CCNP certificate. Please help me by sending all documents that are related to this exam. Thanks a lot Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40989t=37481
content based switching?? [7:40990]
Hi, I want to do some sort of content based data filtering on either Cisco 4500 or AS 5300. I want to connect some of my servers via a 2900 to this 4500. So that, as soon as some special traffic (which I have predefined such as if I want web traffic) comes to the router it throws it to those servers (which may be running some sort of caching). I know that there r dedicated stuff available from cisco too (as cisco has everything for everything) for the said purpose, so if u wanna advise me to buy that, plz send in your credit card info along with too :). If you can give me any idea on how to accomplish this, I'm all ears. Regards, MHA Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40990t=40990
bonehead move [7:40991]
hey all i was trying to upgrade my flash on my Cat5/SupIII to the latest version, when I decided to delete the old flash first...well, after rebooting--DUH--the Cat booted into rommon mode...i didn't have an image on file, and i couldn't do an xmodem via rommon mode, because the CCO site says i have to have version 5 rommon or later, which i don't (4.2). thus, according to the CCO site, the only ways to restore an image are to (1) use a flash card with an image (which i don't have); (2) install a flash chip with the image already on it; or (3) upgrade the ROM to version 5 and do an xmodem via the console port. ugggh...i knew i was reckless going into this, but i guess i didn't think ahead enough...anyway, i'm just sending this out in hopes that one of you has encountered this situation before and has a solution...otherwise, i gotta dig into the pockets again... please help... thanks, eddie Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40991t=40991
Re: bonehead move [7:40991]
The boot ROMs are free from Cisco except for the cost of shipping. The part number is WS-X5530-BOOT=. You need to call customer service at Cisco to get this. If you call the TAC they'll want a Smartnet contract covering the item in question. I don't have the customer service number in front of me. Search the Cisco site for the number. -Eric - Original Message - From: Edward Sohn To: Sent: Tuesday, April 09, 2002 9:10 PM Subject: bonehead move [7:40991] hey all i was trying to upgrade my flash on my Cat5/SupIII to the latest version, when I decided to delete the old flash first...well, after rebooting--DUH--the Cat booted into rommon mode...i didn't have an image on file, and i couldn't do an xmodem via rommon mode, because the CCO site says i have to have version 5 rommon or later, which i don't (4.2). thus, according to the CCO site, the only ways to restore an image are to (1) use a flash card with an image (which i don't have); (2) install a flash chip with the image already on it; or (3) upgrade the ROM to version 5 and do an xmodem via the console port. ugggh...i knew i was reckless going into this, but i guess i didn't think ahead enough...anyway, i'm just sending this out in hopes that one of you has encountered this situation before and has a solution...otherwise, i gotta dig into the pockets again... please help... thanks, eddie Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40992t=40991
RE: bonehead move [7:40991]
If all else fails, I'll send you a flash card. Let me know if you need it (assuming you don't get something else) Larry Letterman Cisco Systems [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Edward Sohn Sent: Tuesday, April 09, 2002 9:11 PM To: [EMAIL PROTECTED] Subject: bonehead move [7:40991] hey all i was trying to upgrade my flash on my Cat5/SupIII to the latest version, when I decided to delete the old flash first...well, after rebooting--DUH--the Cat booted into rommon mode...i didn't have an image on file, and i couldn't do an xmodem via rommon mode, because the CCO site says i have to have version 5 rommon or later, which i don't (4.2). thus, according to the CCO site, the only ways to restore an image are to (1) use a flash card with an image (which i don't have); (2) install a flash chip with the image already on it; or (3) upgrade the ROM to version 5 and do an xmodem via the console port. ugggh...i knew i was reckless going into this, but i guess i didn't think ahead enough...anyway, i'm just sending this out in hopes that one of you has encountered this situation before and has a solution...otherwise, i gotta dig into the pockets again... please help... thanks, eddie Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40993t=40991
test [7:40994]
test -- Regards Yangchun --- Telindus Ltd. Beijing Office RM408/410, Office Tower, Beijing Capital Times Square, No.88 West Changan Ave., Beijing, P.R.C. --- mailto: [EMAIL PROTECTED] tel: +86 (10) 8391 5323~5330 Ext: 6015 fax: +86 (10) 8391 5321 --- For more information about our products and services, please visit our website: --- Secure connectivity mobility Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40994t=40994 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]