BSCI - 640-900 [7:42343]
I sat this exam in March. You should be able to find my opinions of it in the archives - can't remember the thread name. Basically, it follows the exam outline pretty well. I haven't done the 640-503 exam, so I can't compare, but I reckon the BSCI was much easier than the old ACRC exam.

Exam objectives, in case you haven't already come across them, are here... (watch wrap)
http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-900.html

JMcL

- Forwarded by Jenny Mcleod/NSO/CSDA on 24/04/2002 04:57 pm -

"Paulo Cesar Buerger"
Sent by: [EMAIL PROTECTED]
24/04/2002 03:41 am
Please respond to "Paulo Cesar Buerger"
To: [EMAIL PROTECTED]
cc:
Subject: BSCI - 640-900 [7:42343]

Hi all,

There's just one test missing for me for CCNP - which is routing. I was thinking about the BSCI which opens a new path towards CCIP. Does anybody know about the contents of this test? Is it much similar to 640-503? Does anybody know some good practice test?

Thanks,
Paulo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42415&t=42343
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: how much 10720? [7:42331]
Thank you, unfortunately not everyone is authorized to view the Pricing Tool. I'm one of them.

Teresa

- Original Message -
From: MADMAN
To: [EMAIL PROTECTED]
Sent: Tuesday, April 23, 2002 7:28 PM
Subject: Re: how much 10720? [7:42331]

Go here and grab the price list for everything. The chassis is 13k which you have to fill up...

http://www.cisco.com/cgi-bin/front.x/pricing?Request=ViewDownloadListPage

Dave

TP wrote:
>
> Anybody knows how much a new 10720?
>
> Just a rough price
>
> Thank you.
> Teresa

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42414&t=42331
RE: IVR for conducting phone surveys [7:42405]
Mike-

I have not, but if you find more detail on it off-line, I'd love to learn what you do to accomplish this. I've always wanted to know how you make the IVR connect with the backend database (what's technically involved).

I used to work for a leading advertising company that used Unix and Windows NT-based IVRs that worked with Dialogic Voice cards (Voice T1s connected directly to the card), and the systems used a custom "carrousel" application to run through the prompts. The application would create a text file record of all options chosen during each call, and then export or "roll" the log file out for a remote process to come retrieve the log file and parse it into a SQL DB. And with that, they generated "call count" reports.

If Call Manager has a part of it that you can configure through a GUI to "link" up with a back-end Database for doing a task such as the survey stuff you're talking about (which I assume would be both Voice answers and Touch-Tone responses), that would be awesome.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael L. Williams
Sent: Tuesday, April 23, 2002 10:55 PM
To: [EMAIL PROTECTED]
Subject: IVR for conducting phone surveys [7:42405]

Hello all

Has any ever used or have any information on using Call Manager and its IVR functions to conduct phone surveys? Perhaps with an ODBC or Oracle back-end?

The place I'm working uses phone surveys fairly often and wants to use them more often. But they're expensive (they pay someone for the service). Just from what I've seen, we could easily buy a full Call Manager setup with IVR functionality, some servers for database and save them a TON of money and they could conduct surveys to their heart's content

Any info is greatly appreciated

Thanks!
Mike W.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42413&t=42405
RE: CCIE 350-001 [7:42344]
I enquired about this with the CCIE Team. They explained the beta runs to May 7th, after that time it will take several weeks to evaluate the exam and results. I'd say the new exam will take effect in about 6-8 weeks.

I will be sitting the old one

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42412&t=42344
Please help!!! [7:42411]
I have an OSPF connectivity problem. I have 3 routers as follows:

OSPF Area 203.147.188.0 OSPF Area 0
Gw1.bne2 Gw2.bne ---Gw1.bne

Gw1.bne2 is connecting to Gw2.bne with Serial 0/0:0 (203.147.255.186 /30)
Gw2.bne is connecting back to Gw1.bne2 with Serial 0/0:0 (203.147.255.185 /30)
Gw2.bne is also connected to Gw1.bne with FastEth 0/0 (202.139.236.2 /24)
Gw1.bne is connecting back to Gw2.bne with FastEth 0/1 (202.139.236.254 /24)

Now I have 5 static routes at Gw1.bne2 (the leftmost router) that I want to redistribute into OSPF.

ip route 203.147.154.0 255.255.255.128 203.147.188.65
ip route 203.147.154.128 255.255.255.248 203.147.188.68
ip route 203.147.154.136 255.255.255.248 203.147.188.69
ip route 203.147.154.144 255.255.255.252 203.147.188.66
ip route 203.147.154.148 255.255.255.252 203.147.188.67

controller E1 0/0
 channel-group 0 timeslots 1-31
!
!
interface Tunnel0
 description BNE2->Avior
 ip address 10.255.255.2 255.255.255.252
 no ip route-cache cef
 tunnel source 203.147.255.186
 tunnel destination 203.147.190.4
!
interface FastEthernet0/0
 no ip address
 ip route-cache flow
 speed 100
 full-duplex
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.15.15.254 255.255.255.0 secondary
 ip address 203.147.188.254 255.255.255.0
 ip access-group pfilter in
 ip accounting access-violations
 ip nbar protocol-discovery
!
interface FastEthernet0/0.999
 encapsulation dot1Q 999
 ip address 10.2.101.1 255.255.0.0
!
interface Serial0/0:0
 description N7065870L to 96 Lytton Rd
 ip address 203.147.255.186 255.255.255.252
 ip nbar protocol-discovery
 ip route-cache flow
 load-interval 30
 service-policy output voippol
!
router ospf 7496
 log-adjacency-changes
 redistribute connected
 redistribute static subnets
 passive-interface FastEthernet0/0.999
 network 203.147.188.0 0.0.0.255 area 203.147.188.0
 network 203.147.255.184 0.0.0.3 area 203.147.188.0

At Gw1.bne2, it shows the subnets are learned via "statics"

gw1.bne2#sh ip route 203.147.154.136
Routing entry for 203.147.154.136/29
  Known via "static", distance 1, metric 0
  Redistributing via ospf 7496
  Advertised by ospf 7496 subnets
  Routing Descriptor Blocks:
  * 203.147.188.69
      Route metric is 0, traffic share count is 1

When I go to Gw2.bne (middle router), I can see the routes in the OSPF Topology Table (all of them are learned from 203.147.255.186 - Gw1.bne2), but not in its routing table:-

N.B: I also tried to do a clear ip route 203.147.144.0/20, but no help. The same route came straight back

Type-5 AS External Link States
203.147.154.0   203.147.255.186 572 0x8002 0xAC01 0
203.147.154.128 203.147.255.186 573 0x8002 0xA40D 0
203.147.154.136 203.147.255.186 573 0x8002 0x6246 0
203.147.154.144 203.147.255.186 573 0x8002 0xFF9F 0
203.147.154.148 203.147.255.186 573 0x8002 0xE5B4 0

gw2.bne# sh ip route 203.147.154.136
Routing entry for 203.147.144.0/20, supernet
  Known via "ospf 7496", distance 110, metric 3, type inter area
  Last update from 202.139.236.254 on FastEthernet0/0, 00:17:48 ago < 202.139.236.254 is Gw1.bne, so wrong way!!!
  Routing Descriptor Blocks:
  * 202.139.236.254, from 203.147.255.156, 00:17:48 ago, via FastEthernet0/0
      Route metric is 3, traffic share count is 1

However, if I go to Gw1.bne (the rightmost router), it can see all 5 subnets in the OSPF Topology Table and Routing Table

Type-5 AS External Link States
203.147.154.0   203.147.255.186 867 0x8002 0xAC01 0
203.147.154.128 203.147.255.186 867 0x8002 0xA40D 0
203.147.154.136 203.147.255.186 867 0x8002 0x6246 0
203.147.154.144 203.147.255.186 867 0x8002 0xFF9F 0
203.147.154.148 203.147.255.186 867 0x8002 0xE5B4 0

gw1.bne#sh ip route 203.147.154.136
Routing entry for 203.147.154.136/29
  Known via "ospf 7496", distance 110, metric 20, type extern 2, forward metric 52
  Redistributing via ospf 7496
  Last update from 202.139.236.2 on FastEthernet0/1, 00:49:30 ago <---202.139.236.2 is Gw2.bne, so right way!!!
  Routing Descriptor Blocks:
  * 202.139.236.2, from 203.147.255.186, 00:49:30 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1

As a result, when I do a trace from Gw1.bne (the rightmost router), it points it to Gw2.bne, but Gw2.bne points it back - Routing Loop :(

gw1.bne#trace 203.147.154.136
Type escape sequence to abort.
Tracing the route to 203.147.154.136
  1 fa0-0.gw2.bne.webcentral.com.au (202.139.236.2) 0 msec 4 msec 0 msec
  2 fa0-1.gw1.bne.webcentral.com.au (202.139.236.254) 4 msec 4 msec 0 msec
  3 fa0-0.gw2.bne.webcentral.com.au (202.139.236.2) 0 msec 4 msec 4 msec
  4 fa0-1.gw1.bne.webcentral.com.au (202.139.236.254) 4 msec 4 msec 4 msec
  5 fa0-0.gw2.bne.webcentral.com.au (202.139.236.2) 4 msec 4 msec 4
Fiber Certificate [7:42410]
Hello All

Is there any certificate regarding the knowledge in fiber optics? If there is some good certificate then please enhance me with your comments.

Thanks a lot
Ismail Al-shelh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42410&t=42410
Re: Networkers in San Diego [7:42402]
Yes.

"Steven A. Ridder" wrote in message news:[EMAIL PROTECTED]...
> Is anyone attending Networkers in San Diego this year? Just curious.
>
> --
> RFC 1149 Compliant
>
> Get in my head:
> http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42409&t=42402
Re: CCIP Certification (MPLS) [7:42407]
IS-IS, IS-IS, IS-IS. Just know it.

"Kevin Jones"
Sent by: [EMAIL PROTECTED]
04/24/2002 01:17 PM
Please respond to "Kevin Jones"
To: [EMAIL PROTECTED]
cc:
Subject: CCIP Certification (MPLS) [7:42407]

I was wondering if anyone had an opinion on the CCIP certification and if it would be worthwhile for me to pursue. I was thinking about taking the MPLS elective. I currently have the CCNP and CCDP, but I don't have enough hands-on knowledge yet to attempt the CCIE lab. Do employers even know what CCIP is at this point?

Also, how much different is the CCIP routing exam from the CCNP routing exam? I have read the objectives on Cisco's site, but only see the main difference being more emphasis on IS-IS. Can anyone who has taken this exam suggest other areas I might need to brush up on?

Thank you,
Kevin Jones
CCNA, CCDA, CCNP, CCDP
A+, Net+, I-Net+

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42408&t=42407
CCIP Certification (MPLS) [7:42407]
I was wondering if anyone had an opinion on the CCIP certification and if it would be worthwhile for me to pursue. I was thinking about taking the MPLS elective. I currently have the CCNP and CCDP, but I don't have enough hands-on knowledge yet to attempt the CCIE lab. Do employers even know what CCIP is at this point?

Also, how much different is the CCIP routing exam from the CCNP routing exam? I have read the objectives on Cisco's site, but only see the main difference being more emphasis on IS-IS. Can anyone who has taken this exam suggest other areas I might need to brush up on?

Thank you,
Kevin Jones
CCNA, CCDA, CCNP, CCDP
A+, Net+, I-Net+

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42407&t=42407
EIGRP - Reliability and Load Dynamic? [7:42406]
Hello everyone,

I have a question that I have been struggling with for quite some time. Are the reliability and load metrics in EIGRP (or IGRP for that matter) dynamically learned? If so, why do we manually assign values like we do for bandwidth and delay.

I have searched numerous Cisco white papers and have found only one article where it mentions the two as being dynamically learned. Since I have not found any others that mention it, I am starting to feel that the one article is a typo (or I am just not understanding it the way it is worded). I would think that if they were dynamically learned, then there would be more information about the process. No other routing protocol is able to detect such statistics on the fly (to my knowledge). I understand that dynamic detection might not be a good thing, esp. if the reliability and load were constantly changing, but nevertheless there should be more info somewhere.

If you can find more than one specific white paper and lead me to them, I would appreciate it.

Thank you,
Kevin Jones
CCNA, CCDA, CCNP, CCDP
A+, Net+, I-Net+

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42406&t=42406
IVR for conducting phone surveys [7:42405]
Hello all

Has any ever used or have any information on using Call Manager and its IVR functions to conduct phone surveys? Perhaps with an ODBC or Oracle back-end?

The place I'm working uses phone surveys fairly often and wants to use them more often. But they're expensive (they pay someone for the service). Just from what I've seen, we could easily buy a full Call Manager setup with IVR functionality, some servers for database and save them a TON of money and they could conduct surveys to their heart's content

Any info is greatly appreciated

Thanks!
Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42405&t=42405
Re: I need help with a BVI and MIBs on a Catalyst 8540 [7:42404]
Does an instance found under 1.3.6.1.2.1.2.2.1 exist that corresponds to the BVI? My guess is yes, but guesses have funny ways of turning on their owners.

If so, what is the value found in 1.3.6.1.2.1.2.2.1.5 for that instance_ID? It might be constructive to compare that value to the ones found in cisco-proprietary MIBs.

- Original Message -
From: "SNMP2002"
To:
Sent: Tuesday, April 23, 2002 4:10 PM
Subject: I need help with a BVI and MIBs on a Catalyst 8540 [7:42370]

> We have a Catalyst 8540 with a BVI.
> There are numerous ports on the switch that are in this bridge group.
> If you look at the BVI interface,
> sh int bvi2:
>
> MTU 1500 bytes, BW 1 Kbit, DLY 5000 usec, rely 255/255, load 1/255
>
> The true speed of the devices plugged into the ports is manually set to
> 100Mbps. But using our network management software which reads the MIB
> in the switch interfaces, it reads the devices as a speed of 10Mbps.
> I think the MIB is using the data from the BVI (BW 1 Kbit) and not the
> real port/interface speed.
>
> Does the BVI2 have a true speed of only 10Mbps? What would it do to change
> the BW from 1 Kbit to 10 Kbit (10Mbps to 100Mbps) manually?
>
> Thanks for any ideas.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42404&t=42404
IPv6 Reference [7:42403]
What's the best book on IPv6 out there? Anyone?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42403&t=42403
Networkers in San Diego [7:42402]
Is anyone attending Networkers in San Diego this year? Just curious.

--
RFC 1149 Compliant

Get in my head:
http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42402&t=42402
Re: CVOICE [7:42398]
Boson 2. Know it all, as it's an extensive, broad test.

Steve

"Dave Luancing" wrote in message news:[EMAIL PROTECTED]...
> does anyone have any insight to which Boson is good
> for CVOICE
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42401&t=42398
Re: PIX and AAA [7:42302]
In such a situation, authorization would be achieved by writing a bunch of access-lists on the Pix. Then, you designate those particular access-lists within the radius server for individual users.

For example, let's say you have a user called billclinton, and you want to restrict his access to certain websites. So you write an access-list that does that, and then in his radius profile, you "call" that access-list.

This works when you are doing straight authentication through the Pix directly. I have never tried it through a VPN.

"Darren Mitchelmore" wrote in message news:[EMAIL PROTECTED]...
> NRF.
>
> I am just about to setup a PIX 515 with the Cisco VPN client and the ias (
> WIN2K RADIUS SERVER ). From my understanding the VPN client has a group
> login then the user will be prompted for a username/password that the
> PIX will pass to the IAS server using Radius. That will be authenticated
> against the Win username / password database (used to be called SAM ??) on
> the IAS server.
>
> I believe that this is authentication. Not sure how authorisation is
> achieved. How do you tie in the access-list
> to that individual user ??
>
> Is this the setup you have got going ??
>
> Do you have any problems implementing it ??
>
> PS - I have setup PIXs before but only with simple policies...
>
> Best Regards,
> Darren M
>
> > -Original Message-
> > From: nrf [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, April 24, 2002 3:57 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: PIX and AAA [7:42302]
> >
> > Well, actually, the Pix does support a very limited amount of Radius
> > authorization. It's only for users going through the Pix, not
> > administrators of the Pix. And the authorization 'capabilities' only
> > allow you to invoke existing access-lists on the Pix for certain users,
> > so, like I said, it's very limited. Still, the capability exists.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid10
> >
> > "Georg Pauwen" wrote in message news:[EMAIL PROTECTED]...
> > > Paul, Tim, Patrick,
> > >
> > > you guys are good ! You are right, I wasn't specific enough in what I
> > > said: PIX does support RADIUS, but it does NOT support RADIUS
> > > Authorization :)
> > >
> > > Regards,
> > >
> > > Georg
> > >
> > > >From: "Paul Borghese"
> > > >To: "Georg Pauwen" ,
> > > >Subject: Re: PIX and AAA [7:42302]
> > > >Date: Tue, 23 Apr 2002 10:03:43 -0400
> > > >
> > > >The pix does support radius. I am using it for a small client to
> > > >authenticate PPTP connections using the Microsoft 2000 Radius server.
> > > >
> > > >Paul Borghese
> > > >- Original Message -
> > > >From: "Georg Pauwen"
> > > >To:
> > > >Sent: Tuesday, April 23, 2002 7:16 AM
> > > >Subject: RE: PIX and AAA [7:42302]
> > > >
> > > > > Hi Patrick,
> > > > >
> > > > > yes, aaa is fully supported on the PIX (remember, though, that the
> > > > > PIX does not support RADIUS). Follow this link for a command
> > > > > overview of aaa on the PIX:
> > > > >
> > > > > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3
> > > > >
> > > > > Regards,
> > > > >
> > > > > Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42400&t=42302
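The per-user arrangement described in the reply above (access-lists defined on the firewall, with each user's RADIUS profile naming one of them) can be checked offline. The following is an added example, not part of the thread and not Cisco's code: the configuration lines, profile table and function names are constructed for illustration, and only a simplified subset of access-list syntax (numeric `eq` ports, no ranges) is parsed. It flags profiles that name an access-list the firewall does not define, and evaluates a flow against a user's list with first-match semantics and the implicit deny.

```python
import ipaddress

# Constructed sample data (not from the thread): access-lists as they might
# appear in a firewall configuration, and RADIUS profiles mapping each user
# to the access-list name returned at login.
PIX_CONFIG = """\
access-list web_only permit tcp any host 192.0.2.10 eq 80
access-list web_only permit tcp any host 192.0.2.10 eq 443
access-list eng permit tcp any 198.51.100.0 255.255.255.0 eq 22
access-list eng permit ip any host 192.0.2.10
"""
RADIUS_PROFILES = {"billclinton": "web_only", "alice": "eng",
                   "bob": "sales", "carol": None}


def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK) and return a network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")  # address + netmask


def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, port_or_None)]}."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls


def audit_profiles(profiles, acls):
    """Return (dangling, unrestricted) user lists.

    dangling: the profile names an access-list that is not defined.
    unrestricted: the profile names no access-list at all.
    """
    dangling = sorted(u for u, a in profiles.items() if a and a not in acls)
    unrestricted = sorted(u for u, a in profiles.items() if not a)
    return dangling, unrestricted


def permitted(user, proto, src, dst, dport, profiles, acls):
    """First-match evaluation of the user's access-list, implicit deny last."""
    name = profiles.get(user)
    if name is None or name not in acls:
        # Policy choice of this example (fail closed), not a statement about
        # what the firewall itself does with an unresolved name.
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in acls[name]:
        if a_proto not in ("ip", proto):
            continue
        if s not in a_src or d not in a_dst:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every access-list


if __name__ == "__main__":
    acls = parse_acls(PIX_CONFIG)
    print("dangling / unrestricted:", audit_profiles(RADIUS_PROFILES, acls))
    print("billclinton -> 192.0.2.10:80 :",
          permitted("billclinton", "tcp", "10.0.0.5", "192.0.2.10", 80,
                    RADIUS_PROFILES, acls))
```
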
Re: Layer2 Layer3 or Hardware problem? [7:42391]
Joe,

I had the exact same problem but in a larger environment. Some clients on one subnet would get disconnected while others did not. After hours and days of troubleshooting and this is what we found out.

1.) As400 needed some PTF files applied for the TCP/IP stack (Basically applied patches to the AS400)

2.) Also the NIC on the 400 was running 2 frame types 802.2 and 802.3. What we found in the sniffer trace was the AS400 would send out a 802.3 frame every once and a while and cause the switch to re-arp and client would lose the telnet session to the 400. I cannot pin point a single client or segment I did not know how it dropped this person and not this one. Once we remove one of the frame type to stop the re-arp. No more problem.

No I cannot say the PTF applied to the 400 did not fix the problem also. Something to look at. I am curious to see if anyone else has had a problem?

Ronnie

"Joe Morabito" wrote in message news:[EMAIL PROTECTED]...
> Hi all. I have a real world problem and would like some thoughts, here it
> goes.
>
> Client has a central site with 7 remote locations. Central site has a 6513
> with MSFC2, all sites have T1 in. Eigrp is used between sites and is fine.
> At the central site lies an AS/400 that all remote sites connect into (users
> use IBM client access). All is IP no SNA anywhere. What happens is at one
> and only one location users get bounced out of their session about 4 or 5
> times a day. They have full connectivity to the central site, just no
> AS/400.
>
> So I was at the remote site where the problem exists, could ping the as400
> fine. So I waited for a "blackout", it came. When the users were bounced I
> tried to ping the as400 and was unsuccessful. I tried to ping the central
> router and was good, I tried to ping the vlan ip address that the as400 was
> in, that was good. I even tried to ping other computers in the same subnet
> as the as400 and that was good. Tried to ping the as400 again and that was
> NO good. These outages only last a couple of minutes and then it comes back
> up.
>
> There is NO route flapping. All eigrp neighbors stay put and all routes stay
> put.
>
> What is really strange is that this happens only from one remote location,
> all other locations are fine. The as400 has only one NIC (ethernet) and all
> other sites connect to the same IP address.
>
> So where is the problem? I checked the port the as400 was plugged into and
> found some errors, I found out that the port was set to 100/full and the
> as400 nic was set to 100/half, so I adjusted the port on the switch to
> 100/half. But if this was the problem, wouldn't all sites have trouble?
> Could the switch possibly be aging out its cam table to the remote site
> that is having problems?
>
> I don't remember if they blacked out again after changing the duplex (I had
> been staring at debugs for about 8 hours).
>
> I called TAC and bumped up the outbound queue size to the site that is
> having problems, but haven't had a chance to call them back.
>
> Any suggestions?
>
> Thanks.
>
> -Joe
>
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42399&t=42391
CVOICE [7:42398]
does anyone have any insight to which Boson is good for CVOICE

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42398&t=42398
IOS upgrade on 2900 failing [7:42397]
I'm getting an unusual error while trying to upgrade IOS on several of my 2900XL series switches. After doing the copy tftp flash command, I get the response from the IOS "copy to or from flash not implemented". TAC site does not have anything on this that I could find. Any ideas?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42397&t=42397
Re: Need Information About Cable purchase [7:42378]
Just buy a single db60 dte to db60 dce cable: www.kg2.com

>From: "Justin M. Clark"
>Reply-To: "Justin M. Clark"
>To: [EMAIL PROTECTED]
>Subject: Need Information About Cable purchase [7:42378]
>Date: Tue, 23 Apr 2002 17:14:56 -0400
>
>I have 2 cisco 2501 routers and just purchased another one. The first
>routers came with a serial cable, (DB-60, i think) I need to order another
>2-3 ft serial cable to connect my new router to the first. Does anyone
>have any idea where a good place to purchase this is. I've found a couple
>places and they get pretty pricey.
>
>Thanks,
>Justin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42396&t=42378
RE: PIX and AAA [7:42302]
NRF.

I am just about to setup a PIX 515 with the Cisco VPN client and the ias ( WIN2K RADIUS SERVER ). From my understanding the VPN client has a group login then the user will be prompted for a username/password that the PIX will pass to the IAS server using Radius. That will be authenticated against the Win username / password database (used to be called SAM ??) on the IAS server.

I believe that this is authentication. Not sure how authorisation is achieved. How do you tie in the access-list to that individual user ??

Is this the setup you have got going ??

Do you have any problems implementing it ??

PS - I have setup PIXs before but only with simple policies...

Best Regards,
Darren M

> -Original Message-
> From: nrf [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, April 24, 2002 3:57 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX and AAA [7:42302]
>
> Well, actually, the Pix does support a very limited amount of Radius
> authorization. It's only for users going through the Pix, not
> administrators of the Pix. And the authorization 'capabilities' only
> allow you to invoke existing access-lists on the Pix for certain users,
> so, like I said, it's very limited. Still, the capability exists.
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid10
>
> "Georg Pauwen" wrote in message news:[EMAIL PROTECTED]...
> > Paul, Tim, Patrick,
> >
> > you guys are good ! You are right, I wasn't specific enough in what I
> > said: PIX does support RADIUS, but it does NOT support RADIUS
> > Authorization :)
> >
> > Regards,
> >
> > Georg
> >
> > >From: "Paul Borghese"
> > >To: "Georg Pauwen" ,
> > >Subject: Re: PIX and AAA [7:42302]
> > >Date: Tue, 23 Apr 2002 10:03:43 -0400
> > >
> > >The pix does support radius. I am using it for a small client to
> > >authenticate PPTP connections using the Microsoft 2000 Radius server.
> > >
> > >Paul Borghese
> > >- Original Message -
> > >From: "Georg Pauwen"
> > >To:
> > >Sent: Tuesday, April 23, 2002 7:16 AM
> > >Subject: RE: PIX and AAA [7:42302]
> > >
> > > > Hi Patrick,
> > > >
> > > > yes, aaa is fully supported on the PIX (remember, though, that the
> > > > PIX does not support RADIUS). Follow this link for a command
> > > > overview of aaa on the PIX:
> > > >
> > > > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3
> > > >
> > > > Regards,
> > > >
> > > > Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42395&t=42302
Re: access-list performance degradation [7:42327]
Agree with the first response post. There's no definite answer. Depends on the amount of traffic going through etc...

However, what interested me is that you said that most of the packets match the last entry. Do you mean the last access-list entry you enter or the implicit deny at the end? Just curious.

Your best bet is to jam traffic through your router (access-list) and do a 'show proc cpu' and see what the load is on the processor. A "cheap" way to measure the delay would be to ping through the router to a destination on the other end with no traffic going through it, then attempt the same ping to the same destination while loading the router down with traffic and see what the difference in the results are.

Mike W.

"ira" wrote in message news:[EMAIL PROTECTED]...
> Hallo,
>
> I wonder what is the performance degradation on a 26xx
> Cisco router if I apply an acl (outbound) with 30
> lines (mostly permit) and most of the packets match
> the last entry. I mean CPU and DELAY degradation.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42394&t=42327
RE: OT - VPN and use of public address space [7:42362]
Interesting question you bring up! For my exposure, it has only been setting up VPNs between company locations that are taking advantage of Frame Relay or xDSL connections to the Internet and then VPN-Connecting those regionally-separate offices. In these situations, they are using RFC 1918 addresses on their private networks, but are having to use the Public addresses for end point to end point termination of the VPNs. Keep in mind though that these same scenarios have been done with the customers only being given between 5 and 30 usable addresses at each site for their Public blocks to NAT with. Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kane, Christopher A. Sent: Tuesday, April 23, 2002 2:47 PM To: [EMAIL PROTECTED] Subject: OT - VPN and use of public address space [7:42362] For those of us that work for NSPs/ISPs or some other form of provider functionality, what are the thoughts in regards to use of public address space within VPNs? I've seen several networks that are using public address space within their VPNs, hence preventing the use of that space on the net. Several clients have large netblocks routing in their VPNs rather than renumbering to RFC 1918 address space. To me, this seems like a horrible waste of address space. I'd tend to think that it would be the provider's responsibility to strongly encourage the clients to relinquish their public space if all traffic is to remain in the VPN. Using NAT to allow Internet access as required. Also, I thought I had heard (perhaps just a rumor) that ARIN or some other similar authority watches for use of address space. In other words, if someone's been assigned a /16 and no hosts of that /16 are publicly visible, a 'nasty-gram' would arrive questioning the lack of use. Sorry for the off-topic thread but since I've seen several people post questions about building VPNs, I was hoping to see some discussion on the matter. 
-chris Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42393&t=42362
Layer2 Layer3 or Hardware problem? [7:42391]
Hi all. I have a real world problem and would like some thoughts, here it goes. Client has a central site with 7 remote locations. Central site has a 6513 with MSFC2, all sites have T1 in. Eigrp is used between sites and is fine. At the central site lies an AS/400 that all remote sites connect into (users use IBM client access). All is IP no SNA anywhere. What happens is at one and only one location users get bounced out of their session about 4 or 5 times a day. They have full connectivity to the central site, just no AS/400. So I was at the remote site where the problem exists, could ping the as400 fine. So I waited for a "blackout", it came. When the users were bounced I tried to ping the as400 and was unsuccessful. I tried to ping the central router and was good, I tried to ping the vlan ip address that the as400 was in, that was good. I even tried to ping other computers in the same subnet as the as400 and that was good. Tried to ping the as400 again and that was NO good. These outages only last a couple of minutes and then it comes back up. There is NO route flapping. All eigrp neighbors stay put and all routes stay put. What is really strange is that this happens only from one remote location, all other locations are fine. The as400 has only one NIC (Ethernet) and all other sites connect to the same IP address. So where is the problem? I checked the port the as400 was plugged into and found some errors, I found out that the port was set to 100/full and the as400 nic was set to 100/half, so I adjusted the port on the switch to 100/half. But if this was the problem, wouldn't all sites have trouble? Could the switch possibly be aging out its cam table to the remote site that is having problems? I don't remember if they blacked out again after changing the duplex (I had been staring at debugs for about 8 hours). I called TAC and bumped up the outbound queue size to the site that is having problems, but haven't had a chance to call them back. Any suggestions?
Thanks. -Joe [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42391&t=42391
Re: frame-relay [7:42350]
I think the reason no LMI sent/received is showing is because he's turned keepalive (LMI) off. But what's this service connected to? If it's a frame relay service from a telco, start talking to them. Have you configured the correct type of LMI? Have they finished provisioning the service properly? If you aren't even talking to the FR switch correctly, it doesn't matter much whether your PVCs are provisioned correctly. Try turning your keepalives back on and debug frame lmi. You should see LMI packets being sent from your router to the switch, and being received by your router from the switch. If this is a lab setup where you've configured the frame relay switch, then start looking at your configs for the switch.

JMcL

- Forwarded by Jenny Mcleod/NSO/CSDA on 24/04/2002 09:37 am -
"MADMAN" Sent by: [EMAIL PROTECTED] 24/04/2002 05:51 am Please respond to "MADMAN" To: [EMAIL PROTECTED] cc: Subject: Re: frame-relay [7:42350]

The interface may say up up but if you can't get any traffic across it... you're just spoofing the interface. Do a show frame-relay pvc, is your PVC active? You also appear to be missing part of the show serial output, where is your LMI sent and received???

ROUTER>sh frame-rela pvc

PVC Statistics for interface Serial5/0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          4            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 16, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial5/0.16

  input pkts 9579930       output pkts 9799989      in bytes 3594749594
  out bytes 3653765588     dropped pkts 114         in FECN pkts 0
  in BECN pkts 0           out FECN pkts 0          out BECN pkts 0
  in DE pkts 2             out DE pkts 0
  out bcast pkts 9729374   out bcast bytes 3647281854
  pvc create time 17w0d, last time pvc status changed 17w0d

mid-7206-b>sh int s5/0
Serial5/0 is up, line protocol is up
  Hardware is M4T
  Description: ROUTER
  MTU 1500 bytes, BW 2048 Kbit, DLY 2 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY IETF, crc 16, loopback not set
  Keepalive set (10 sec)
  LMI enq sent 1032897, LMI stat recvd 1032903, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 1023 LMI type is CISCO frame relay DTE

Dave

Naafi Matovu wrote:
>
> Hi all
>
> I've been configuring a cisco 2600 dual wic with three subinterfaces on
> serial 0/1.
> If I leave the keepalive to 10 sec, the line protocol on the serial 0/1
> keeps coming up but going down after a couple of seconds. The only way I can
> keep the line protocol up is (no keepalive) on serial 0/1. I am not sure
> whether this is the best way of sorting out this problem. Here is the current
> config on this serial port
>
> Serial0/1 is up, line protocol is up
>   Hardware is PowerQUICC Serial
>   MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation FRAME-RELAY IETF, loopback not set
>   Keepalive not set
>   Broadcast queue 0/64, broadcasts sent/dropped 96/227, interface broadcasts 96
>   Last input 00:00:17, output 00:00:12, output hang never
>   Last clearing of "show interface" counters 01:26:53
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: weighted fair
>   Output queue: 0/1000/64/0 (size/max total/threshold/drops)
>      Conversations 0/2/256 (active/max active/max total)
>      Reserved Conversations 0/0 (allocated/max allocated)
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
>      11467 packets input, 876671 bytes, 0 no buffer
>      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
>      33 input errors, 0 CRC, 33 frame, 0 overrun, 0 ignored, 0 abort
>      11125 packets output, 799491 bytes, 0 underruns
>      0 output errors, 0 collisions, 45 interface resets
>      0 output buffer failures, 0 output buffers swapped out
>      2 carrier transitions
>      DCD=up DSR=up DTR=up RTS=up CTS=up

-- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 "Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42392&t=42350
Re: data vs voice traffic [7:42324]
Another good link showing the delays that voice goes through from end to end.. things to consider in your end-to-end delay budget http://www.cisco.com/warp/public/788/voip/delay-details.html Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42390&t=42324
Re: data vs voice traffic [7:42324]
You can only apply traffic-shaping to outbound traffic.. The best you could do is setup policing to limit incoming traffic.. http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c /qcpart4/qcpolts.htm (watch for URL wrap)

To get to your question, Ira, voice traffic should be using RTP protocol, so you can differentiate between voice and regular data using that fact. There are different queueing methods you could use, i.e. you could setup a Priority Queue with voice traffic having the highest priority (even at the expense of other traffic), or you could setup LLQ that has a strict priority queue for voice and then uses CBWFQ for the rest of the data (if you define any other classes). Although this document is called "Congestion Management", it covers virtually all of the queueing methods you may want to use for your purpose. http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos _c/fqcprt2/qcfconmg.htm (again, watch for URL wrap)

Depending on the bandwidth of the WAN link (if it's under 2Mbps), then WFQ is enabled by default. You should be able to use the 'ip rtp priority' to configure a strict priority queue for RTP (voice) traffic. Also, depending on the bandwidth (if it's less than 768Kbps) you'll want to (need to) use some kind of Link Fragmentation and Interleaving (LFI). If your WAN connection is Frame Relay, you can use FRF.12 to do this, although check the archives and you'll see people had problems getting it to work as advertised (there was simple solution but I can't remember it offhand). However, the other method for LFI is to configure the WAN link as a Multilink PPP connection (even if it's only one line) because Multilink PPP has a LFI facility built-in.

The reason you want LFI on links less than 768Kbps is because smaller (40-80byte) voice packets can be delayed too much when they get in the queue behind a 1500 byte packet of regular traffic (because of the slow speed, the serialization delay for 1500 byte packets get large).

Here are some links to help you get started. (watch for URL wrap on any of the below links)

General QoS overview with chart showing serialization delay for various packet sizes and link speeds (good stuff) http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/avvidqos/qosin tro.htm
Description of LFI http://www.cisco.com/warp/public/732/Tech/link/
FRF.12 http://www.cisco.com/warp/public/788/vofr/fr_frag.html
VoIP over FR with QoS (LFI, Traffic Shaping, and IP RTP Priority) http://www.cisco.com/warp/public/788/voice-qos/voip-ov-fr-qos.html
VoIP over PPP with QoS (LFI, LLQ/IP RTP Priority) http://www.cisco.com/warp/public/788/voice-qos/voip-mlppp.html

You've got a lot of reading to do.. Enjoy!! =)

Mike W.

"Chris Charlebois" wrote in message news:[EMAIL PROTECTED]...
> Sure, you could setup traffic shaping on the inbound connection

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42389&t=42324
Re: Security advice - opening ports other than 80 and [7:42333]
"Roberts, Larry" wrote in message news:[EMAIL PROTECTED]...
> Not to be picky, but AH doesn't support NAT/PAT so a FW can pass it, but it
> doesn't do much good if NAT/PAT is taking place.

Ah yes - that's right, forgot about that. Hence, even less reason to do AH.

> Thanks
>
> Larry
>
> -Original Message-
> From: nrf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 23, 2002 1:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Security advice - opening ports other than 80 and [7:42333]
>
> "Don Nguyen" wrote in message news:[EMAIL PROTECTED]...
> > It's generally a good idea only to open ports that are necessary (e.g. 80
> > for http, 21 for ftp, etc.). Opening up unnecessary ports and/or
> > running unnecessary services just opens your server up to security
> > vulnerabilities.
> > In your case I don't really understand what you're trying to do. For a web
> > server using SSL you only have to allow inbound traffic to port 443,
> > you don't need port 80 open unless it also serves up unencrypted
> > pages. If you want/need to use IPSEC you will need to allow inbound
> > traffic on the UDP port 500 and allow IP protocols 50 and 51 (not ports
> > 50 and 51).
>
> Or generally just protocol 50. Because after all, how many people really
> use AH? Even the standards bodies are thinking of dropping AH because it
> really doesn't do very much - ESP can also do authentication, and while AH
> also does authentication of parts of the packet header, is that really
> worth the overhead of creating another 2 SA's?
>
> > HTH,
> >
> > Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42388&t=42333
RE: QoS - WRED and FRTS [7:42284]
Sigh. IOS 12.1. As far as I can see, the useful stuff for this comes in at 12.2. I don't seem to be able to configure a service policy in the FR map class. Thanks for the hint, though.

JMcL

- Forwarded by Jenny Mcleod/NSO/CSDA on 24/04/2002 08:01 am -
"Lupi, Guy" 23/04/2002 11:50 am To: [EMAIL PROTECTED] cc: Subject: RE: QoS - WRED and FRTS [7:42284]

If your IOS supports it, you can configure a service policy within your frame relay map class, and specify WRED or RED within it. Take a look at CBWFQ on CCO, it may be what you are looking for.

~-Original Message-
~From: [EMAIL PROTECTED]
~[mailto:[EMAIL PROTECTED]]
~Sent: Monday, April 22, 2002 9:16 PM
~To: [EMAIL PROTECTED]
~Subject: QoS - WRED and FRTS [7:42284]
~
~Hi all,
~I'm looking at the pros and cons of WRED as an option in our network, but
~I've come across a bit of a stumbling block.
~
~We use frame relay traffic shaping to prevent traffic from large-bandwidth
~frame relay accesses (at aggregating sites) from flooding smaller accesses
~(at regional sites). But it appears you can't configure WRED on an
~interface that has FRTS configured.
~Does anyone know a workaround to this? We're using point to point
~sub-interfaces for the PVCs.
~
~Or, is there another useful way of shaping traffic (including non-IP
~traffic) on a per-pvc basis?
~
~Thanks,
~JMcL

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42387&t=42284
RE: Access-list Assistance Needed [7:42351]
First off, you caught a typo. That should have been 198.x.x.5, not 192.x.x.5. Secondly, going back to your first riposte... from your original post, it was not clear that the 198.x.x.x was being routed to you from the ISP. Ideally, you would have a /248 address space from the ISP, so you can assign one to the remote router, one to the local router, one for overloaded NAT, one for the static NAT, and still have 2 addresses left over. I agree the secondary address is something of a kludge. On reflection, I suppose it is not needed; the router *should* respond to the 198.x.x.5 address if there is a static route from the ISP. Oh, and overload to the interface is the same as overload to a pool of one, which is what we want, correct? When the interface is used (instead of a pool), it simply uses the ip address of the specified interface. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42385&t=42351
Re: data vs voice traffic [7:42324]
You can use QoS to prioritize traffic outbound, but unless you have control of both ends (you made it sound like this is a connection to an ISP), you can't prioritize traffic inbound. Sure, you could setup traffic shaping on the inbound connection, but that would just be closing the barn doors after the cows have gone. If you need prioritization, you need to talk to your ISP. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42384&t=42324
Re: Security advice - opening ports other than 80 [7:42333]
I agree with Sam. You can (and should) limit access as much as possible; if server A needs TCP port 100 open, then TCP port 100 should *only* be open to server A's ip address. That way, the only packets that get in will be dropped into the waiting arms of your vendor's program. And if there's a security issue there, you will know who to talk to. You want to make sure you know what ports can get in to what addresses, and what applications are listening at those ports. That will give you a list (hopefully short) of applications you need to keep updated with security patches. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42383&t=42333
RE: Syslog setup [7:42381]
Cisco syslog can be directed at *any* syslog daemon. NT and *nix come with syslog daemons, but you can add one to other OSes, too. I did a quick look on Tucows and found one that will run on XP. You can check it out at http://www.kiwisyslog.com/products.htm. And it's freeware. (Note: I haven't used that package, so it could be complete crap. But whaddya expect from freeware.) Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42382&t=42381
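To illustrate the point in the reply above that a router's syslog output can be received by any daemon, here is an added example (not from the thread): a small UDP receiver that decodes the syslog priority and the Cisco %FACILITY-SEVERITY-MNEMONIC tag. The sample message is constructed, and the names parse and serve are this example's own.

```python
import re
import socket

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Cisco message tag, e.g. %LINK-3-UPDOWN: text
CISCO_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$", re.S)

# Constructed sample datagram: local7 (23) * 8 + severity 3 = 187
SAMPLE = (b"<187>45: *Mar  1 00:10:12.345: %LINK-3-UPDOWN: "
          b"Interface Serial0/1, changed state to down")


def parse(datagram):
    """Decode one syslog datagram; return None if it has no valid <PRI>."""
    text = datagram.decode("ascii", errors="replace").rstrip("\r\n\x00")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:      # highest valid PRI is 23*8+7
        return None
    pri = int(m.group(1))
    rec = {
        "facility": pri >> 3,               # syslog facility number
        "severity": pri & 7,                # 0 (worst) .. 7 (debug)
        "severity_name": SEVERITIES[pri & 7],
        "raw": m.group(2),
    }
    c = CISCO_RE.search(m.group(2))
    if c:
        rec.update(cisco_facility=c.group(1), cisco_severity=int(c.group(2)),
                   mnemonic=c.group(3), text=c.group(4))
    return rec


def serve(bind="0.0.0.0", port=514, handler=print):
    """Receive datagrams forever and pass (source_ip, record) to handler."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))                 # port 514 usually needs privileges
    while True:
        data, (src, _) = sock.recvfrom(4096)
        rec = parse(data)
        if rec is not None:
            handler(src, rec)


if __name__ == "__main__":
    print(parse(SAMPLE))
```

Syslog over UDP is unauthenticated, so the source address passed to the handler is only as trustworthy as the network path between router and receiver.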
Syslog setup [7:42381]
Is there a way to set up a syslog server on Win XP without buying one of Cisco's Resource Management products? TIA Adam Hickey [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42381&t=42381
RE: Access-list Assistance Needed [7:42351]
I appreciate your assistance. Assuming that this the secondary interface is required. Can the same be achieved by overloading to a POOL instead? I don't understand why you need to have a secondary IP address when the ISP is already routing traffic to the 198 subnet. Also, say that traffic reaches the router that is intended to go to the PCa. I see that your access-list states:

access-list 102 deny tcp host 192.x.x.5 any eq 0
access-list 102 deny udp host 192.x.x.5 any eq 0

Why do you specify the internal PCa address versus the global address that it is using? Does this mean that IP nat statements are looked at before access-list deny statements are? Thanks for the explanation. JunoGuy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42380&t=42351
RE: access-list performance degradation [7:42327]
I don't have a definitive answer, but there are facts that come into play that you haven't revealed. First of all, there is no definitive answer. What you are looking for is a "Yeah, it'll work fine" or a "You'll run into serious problems". That depends a lot on what you're doing with the line and the router.

- If you are handling 90% ftp and http traffic, the cpu delay won't matter. If you are running VoIP or VideoIP, that delay could put you over the recommended limit and affect quality.
- If the utilization of the line is low, the extra queuing probably won't matter. If you are overloading the bandwidth, queuing becomes critical.
- If the router is just routing packets, and hence has low cpu utilization, the extra cycles won't be missed. If it's running BGP, NAT, and auditing, you'll probably hit a snag.

And you also didn't specify what kind of access list it was. Extended access lists use a lot more processor cycles than standard lists. All this being said, I find it hard to believe that the list cannot be adjusted to optimize it a bit. I assume you have taken a look at the "show ip access-list" command to see what rules are getting hit the most. If you need help optimizing it, post the output for that command here and we can help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42379&t=42327
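The reply above suggests reading the per-entry match counters before tuning a list. As an added example (not from the thread), this script parses constructed "show ip access-list" style output and reorders entries only inside runs of consecutive entries with the same action, which cannot change any permit/deny decision. It assumes the list is evaluated top-down and uses entries examined per packet as a rough cost proxy; the addresses and counters are constructed.

```python
import re
from itertools import groupby

# Constructed sample in the un-numbered style; the regex also accepts
# the numbered style ("    10 permit ...").
SAMPLE = """\
Extended IP access list 101
    deny ip 10.0.0.0 0.255.255.255 any (40 matches)
    permit tcp any host 198.51.100.10 eq smtp (12 matches)
    permit tcp any host 198.51.100.10 eq ftp (9120 matches)
    permit tcp any host 198.51.100.10 eq www (48210 matches)
    permit icmp any host 198.51.100.10 echo-reply
    deny ip any any (310 matches)
"""

ENTRY = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_entries(show_output):
    """Return [(action, rule_text, match_count)] in list order."""
    entries = []
    for line in show_output.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return entries


def lookup_cost(entries):
    """Entries examined in total: a hit on entry N cost N comparisons."""
    return sum(pos * hits
               for pos, (_, _, hits) in enumerate(entries, start=1))


def reorder_within_runs(entries):
    """Sort by hit count inside each run of same-action entries.

    A packet matching any entry of such a run gets the same action
    whichever entry matches first, so the filtering result is unchanged.
    Entries never cross a permit/deny boundary.
    """
    out = []
    for _, run in groupby(entries, key=lambda e: e[0]):
        out.extend(sorted(run, key=lambda e: -e[2]))
    return out


if __name__ == "__main__":
    before = parse_entries(SAMPLE)
    after = reorder_within_runs(before)
    print("cost before:", lookup_cost(before))
    print("cost after: ", lookup_cost(after))
    for action, rule, hits in after:
        print(f"    {action} {rule}  ({hits})")
```

Moving an entry across a permit/deny boundary needs an overlap check between the two entries, which this example deliberately does not attempt.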
Need Information About Cable purchase [7:42378]
I have 2 cisco 2501 routers and just purchased another one. The first routers came with a serial cable, (DB-60, I think) I need to order another 2-3 ft serial cable to connect my new router to the first. Does anyone have any idea where a good place to purchase this is? I've found a couple places and they get pretty pricey. Thanks, Justin Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42378&t=42378
RE: OSPF over ISDN demand circuit [7:42348]
I have seen this before when I configured Demand circuit. First of all, OSPF will attempt to send an update across that ISDN line when something changes in the ospf database. So my guess is something is changing in the database (i.e. a route flap). Now, when I had this problem the router that was running OSPF w/ demand circuit and initiating the ISDN call was mutually redistributing between 2 protocols (ospf and igrp) and because I was using a classful RP, IGRP, and running the same major NET on the eth and ISDN, IGRP was adv. the ISDN network. I was also running PPP over the ISDN link. Here was my problem: OSPF dials the adjacent router to update. When a PPP session is estab. a host route gets installed on both PPP talkers (it's just the way PPP works, don't ask me why). When OSPF is done the BRI will go down. Here is the fun part :) That host route disappears so that route is pulled from the ospf database and from IGRP, but IGRP redistributes back to OSPF that the host route is gone and the MAXAGE of the OSPF DB changes and that is why OSPF dials again. The way that cisco recommends fixing this is to filter that host route from being redistributed into OSPF. That should fix the problem. I hope this helps :) Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42377&t=42348
RE: Access-list Assistance Needed [7:42351]
OK, if we assume that the ISP has also assigned 198.x.x.4/30 to this client and has the appropriate routing in place...

ip nat inside source list 1 interface serial 0 overload
ip nat inside source static 192.168.10.5 198.0.0.5
interface e0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface s0
 ip address 200.x.x.1 255.255.255.252
 ip address 198.x.x.6 255.255.255.252 secondary
 ip access-group 102 in
 ip nat outside
access-list 1 deny host 192.168.10.5
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 102 deny tcp host 192.x.x.5 any eq 0
access-list 102 deny udp host 192.x.x.5 any eq 0
access-list 102 permit ip any any

I don't have the equipment on hand to test this, but I believe this would work.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42376&t=42351
RE: Security advice - opening ports other than 80 and [7:42333]
Not to be picky, but AH doesn't support NAT/PAT so a FW can pass it, but it doesn't do much good if NAT/PAT is taking place.

Thanks

Larry

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Security advice - opening ports other than 80 and [7:42333]

"Don Nguyen" wrote in message news:[EMAIL PROTECTED]...
> It's generally a good idea only to open ports that are necessary (e.g. 80
> for http, 21 for ftp, etc.). Opening up unnecessary ports and/or
> running unnecessary services just opens your server up to security
> vulnerabilities.
> In your case I don't really understand what you're trying to do. For a web
> server using SSL you only have to allow inbound traffic to port 443,
> you don't need port 80 open unless it also serves up unencrypted
> pages. If you want/need to use IPSEC you will need to allow inbound
> traffic on the UDP port 500 and allow IP protocols 50 and 51 (not ports
> 50 and 51).

Or generally just protocol 50. Because after all, how many people really use AH? Even the standards bodies are thinking of dropping AH because it really doesn't do very much - ESP can also do authentication, and while AH also does authentication of parts of the packet header, is that really worth the overhead of creating another 2 SA's?

> HTH,
>
> Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42375&t=42333
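The AH and NAT point made in the message above can be shown with a simplified model of what each protocol's integrity check covers. This is an added example, not code from the thread: the key, SPI, addresses and payload are constructed, and the real AH and ESP headers carry more fields than are modelled here.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed; real SA keys come from IKE (UDP 500)


def checksum(data):
    """Internet checksum; returns 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header. proto 51 = AH, 50 = ESP (IP protocols, not ports)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def forward(ip_hdr, new_src=None):
    """One hop: TTL - 1 and a fresh checksum; NAT also rewrites the source."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)


def ah_icv(ip_hdr, spi, seq, payload):
    """AH authenticates the IP header with only the mutable fields zeroed.

    Source and destination addresses stay in the authenticated data.
    """
    h = bytearray(ip_hdr)
    h[1] = 0                     # TOS
    h[6:8] = b"\x00\x00"         # flags + fragment offset
    h[8] = 0                     # TTL
    h[10:12] = b"\x00\x00"       # header checksum
    msg = bytes(h) + struct.pack("!II", spi, seq) + payload
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:12]


def esp_icv(spi, seq, ciphertext):
    """ESP authentication covers the ESP header and payload, not the IP header."""
    msg = struct.pack("!II", spi, seq) + ciphertext
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:12]


def demo():
    payload, spi, seq = b"constructed payload", 0x1001, 1
    inside, peer, nat_addr = "192.168.10.5", "198.51.100.20", "203.0.113.5"
    hdr_ah = ipv4_header(inside, peer, 51, len(payload))
    hdr_esp = ipv4_header(inside, peer, 50, len(payload))
    sent_ah = ah_icv(hdr_ah, spi, seq, payload)
    sent_esp = esp_icv(spi, seq, payload)
    routed = forward(hdr_ah)                 # ordinary router hop
    natted_ah = forward(hdr_ah, nat_addr)    # NAT hop
    natted_esp = forward(hdr_esp, nat_addr)
    return {
        "ah_routed": hmac.compare_digest(sent_ah, ah_icv(routed, spi, seq, payload)),
        "ah_natted": hmac.compare_digest(sent_ah, ah_icv(natted_ah, spi, seq, payload)),
        # The receiver's ESP check never reads the rewritten IP header.
        "esp_natted": hmac.compare_digest(sent_esp, esp_icv(spi, seq, payload)),
        "nat_header_valid": checksum(natted_esp) == 0,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

A plain routed hop leaves the AH check intact because TTL and checksum are zeroed before hashing, while the NAT hop fails it because the source address is part of the authenticated data.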
RE: QoS - WRED and FRTS [7:42284]
Jenny, One workaround that I'm aware of is to use CB-WFQ and create a simple default class with WRED queueing enabled within your policy map. From there, you just need to add the policy map associated with the CB-WFQ to your frame relay traffic shaping class and that should be it.. helpful link: http://www.cisco.com/warp/public/105/cbwfq_frpvs.html greg Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42374&t=42284
RE: Access-list Assistance Needed [7:42351]
First of all, this won't work, unless you have the 198.x.x.x subnet setup as a secondary address on the serial interface of the 1720. The global addresses have to be available to the outside interface of the NAT router. If you have those addresses available, then, yes, it is possible. I will work out the configs and post them here shortly. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42373&t=42351
RE: IP Forwarding [7:42353]
That's what I thought... Thx Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42372&t=42353
RE: IP Forwarding [7:42353]
Sure, it's called NAT. I think that's the only way you can do what you want it to do. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42371&t=42353
SNA/IP Support specialist [7:42369]
Hello, I was wondering if someone knows the passing score for the 640-456 and 640-445. I'm also looking for some practice tests but I didn't find any. Any help would be appreciated. Regards Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42369&t=42369
I need help with a BVI and MIBs on a Catalyst 8540 [7:42370]
We have an Catalyst 8540 with a BVI. There are numerous ports on the switch that are in this bridge group. If you look at the BVI interface, sh int bvi2: MTU 1500 bytes, BW 1 Kbit, DLY 5000 usec, rely 255/255, load 1/255 The true speed of the devices plugged into the ports is manually set to 100Mbps. But using our network management software which reads the MIB in the switch interfaces, it reads the devices as a speed of 10Mbps. I think the MIB is using the data from the BVI (BW 1 Kbit) and not the real port/interface speed. Does the BVI2 have a true speed of only 10Mbps? What would it do to change the BW from 1 Kbit to 10 Kbit (10Mbps to 100Mbps) manually? Thanks for any ideas. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42370&t=42370
RE: All-In-One CCIE Study Guide - Second Edition [7:42292]
Are we talking about the same book? I am referring to this one. (watch for wrap) http://www.amazon.com/exec/obidos/ASIN/0072127600/qid=1019592419/sr=8-3/ref=sr_8_7_3/104-8586207-1795929 Not sure though if that's the one you mean.

On Tue, 23 Apr 2002, Pierre-Alex GUANEL wrote:
| Good luck to you, .. one more question. Are the mistakes in the second
| edition of Giles in the multiple choice questions or in the text itself?
|
| Pierre-Alex
|
| -Original Message-
| From: Koen Zeilstra [mailto:[EMAIL PROTECTED]]On Behalf Of Koen Zeilstra
| Sent: Tuesday, April 23, 2002 3:10 AM
| To: Pierre-Alex GUANEL
| Cc: [EMAIL PROTECTED]
| Subject: Re: All-In-One CCIE Study Guide - Second Edition [7:42292]
|
| Pierre,
|
| I am reading the second edition at the moment. Will go for the written
| tomorrow. Until so far I like the book very much, although it still
| contains errors.
|
| K.
|
| Koen Zeilstra
| Legian
| ---
| Trying to define yourself is like trying to bite your own teeth.
| -- Alan Watts
|
| On Mon, 22 Apr 2002, Pierre-Alex GUANEL wrote:
|
| | Is the second edition of Giles' book a reliable study source.
| |
| | I read that the first edition was crippled with mistakes and I would like to
| | know if all of them got fixed in the Second Edition.
| |
| | Thank you!
| |
| | Pierre-Alex

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42368&t=42292
Comment on ccbootcamp ccie testengine [7:42365]
Some earlier communication between dennis l. and myself about the ccbootcamp test. May I say upfront that the quality of the book content itself and the content of the questions is GOOD, compared to the rest. Also the service I enjoyed as a European from ccbootcamp so far has been GOOD. The reason I post is because I maybe can help the list members choose the right gear for their quest.

>> To straighten out a misunderstanding, I was not having problems with the registration, but with the engine as a whole. After about 30 mcp and ccxx certs, betas for selftest and as an ex-mcp trainer, I hope I can say the engine is not what it's supposed to be. THE OPPOSITE of what is on the inside of the book, thanks to you. Monday I graduated the old written (tried the 351 Friday, is a huge one), with a little luck but lots of hard work. Have bought my set of 4 foot green cpress books, some discounted because of the move to second editions and new covers. Thanks, boson 3 helped. Martijn jansen

-Original Message-
From: Dennis Laganiere [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 23 April 2002 2:07
To: mjans001
Subject: Re: Comment on ccbootcamp test

I'm sorry that you had problems with the CD that came with the book. I understand this has been a problem for many people. I was not aware the company that published the book was going to require customers to go through so much work to get the license activated, and I've asked them to change this for any future projects we do together. I did notice that the Boson exam you registered is an older one, and I would recommend you take advantage of the free download to update your questions. The newest version will have over twice as many questions, and have a lot of early bugs worked out. To get the update, simply download the newest version from the Boson page and it will install automatically and your licensing should be maintained. If it gives you any trouble, please feel free to contact either [EMAIL PROTECTED] or myself.
Lastly, I maintain a webpage with some documents specific to the 350-001 exam. Again it's free, and you'll find the most updated materials on RIFs and the boot sequence. The webpage is at www.laganiere.net Thank you, and good luck with your studies... --- Dennis

- Original Message -
From: "mjans001" To: Sent: Sunday, April 21, 2002 3:54 PM Subject: Comment on ccbootcamp test
>I am of course pleased with the test 3 350-001 from you.
>
>What I do not like too much is I felt (my decision of course) why I had
>to buy it because the test I bought with the ccbootcamp 350-001 book
>wasn't that user friendly etc. Not the quality I am used to.
>For about the same amount of money, which I feel is wasted.
>
>I am a repeating customer, hope we can keep it that way.
>
>Martijn Jansen
>
>SNIPSNIPSNIP my test regnumber, sorry..>

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42365&t=42365
Re: Security advice - opening ports other than 80 [7:42333]
This depends on the application and the OS. Make sure you have the OS security patches up to date. Older unpatched OS's allow attacks at the TCP/IP layers. Aside from that there can be bugs on the application level (ex. MS IIS, older sendmail, etc.). Keep up with the vendor's patches and subscribe to cert.org to get the latest on bugs in major applications.

"Brown, M" wrote in message news:[EMAIL PROTECTED]...
> In my case, a third-party application requires port TCP 100 open. I used a conduit from the PIX allowing in/outbound traffic to that specific server IP address where the application resides.
>
> My question is, how can I make sure this TCP 100 port is going to be secure as possible... I would like to know what kind of threats I would face with that port TCP 100 open and how I could minimize those threats.
>
> "Don Nguyen" wrote in message news:[EMAIL PROTECTED]...
> > It's generally a good idea only to open ports that are necessary (eg. 80 for http, 21 for ftp, etc..). Opening up unnecessary ports and/or running unnecessary services just opens your server up to security vulnerabilities.
> > In your case I don't really understand what you're trying to do. For a web server using SSL you only have to allow inbound traffic to port 443, you don't need port 80 open unless it also serves up unencrypted pages. If you want/need to use IPSEC you will need to allow inbound traffic on the UDP port 500 and allow IP protocols 50 and 51 (not ports 50 and 51).
> >
> > HTH,
> >
> > Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42339&t=42333
Re: Security advice - opening ports other than 80 [7:42349]
This depends on the application and the OS. Make sure you have the OS security patches up to date. Older unpatched OS's allow attacks at the TCP/IP layers. Aside from that there can be bugs on the application level (ex. MS IIS, older sendmail, etc.). Keep up with the vendor's patches and subscribe to cert.org to get the latest on bugs in major applications.

"Brown, M" wrote in message news:[EMAIL PROTECTED]...
> Certain application requires port other than 80 or 443 opened in the firewall for inbound and outbound traffic. The firewall was configured to allow traffic to that specific server ip address.
>
> The software vendor argues "that the worst scenario could be that hackers could bring the server down. No other significant would be possible. "
>
> Is that true ?
>
> How risky is that to my network ? I would like to secure that connection using CA from the company and IPSec. The software vendor argues that is not necessary.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42349&t=42349
BGP:neighbor soft-reconfiguration inbound [7:42367]
Hi gang. Please clarify this for me. On CCO it states...

To generate new inbound updates from stored update information (rather than dynamically) without resetting the BGP session, you must preconfigure the local BGP router using "neighbor soft-reconfiguration inbound".

Is this generating inbound updates "internally" from RAM? What is it referring to regarding "dynamically" generating new inbound updates? So when I do a "clear ip bgp *" this defaults to a soft-reset since the above command has been preconfigured on the routers? I can't test this right now since I've taken down my rack in preparation for the move this weekend.

Thanks in advance.

Elmer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42367&t=42367
RE: OSPF over ISDN demand circuit [7:42348]
Are you trying to set up the circuit to use Dial on Demand Routing (DDR), such that the circuit only comes up when needed then disconnects? If so, what are you implementing? Backup interface? Floating static? Dialer watch? Depending on your implementation of DDR you need to adjust your interesting traffic (dialer-list).

Philip

-Original Message-
From: Ruihai An [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 2:18 PM
To:
Subject: OSPF over ISDN demand circuit [7:42348]

Hi, Group,

On an ISDN circuit running OSPF, if I want to use "ip ospf demand-circuit" to keep it from being brought up by OSPF updates, do I need to define 224.0.0.5 as non-interesting traffic in dialer-list? I have configured "ip ospf demand-circuit" on one side of the ISDN, but routing updates to 224.0.0.5 keep activating the circuit. What is the problem?

Thanks

Ruihai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42363&t=42348
Re: frame-relay [7:42350]
Take it for what it's worth, but I've had this happen to me in the past and it usually came down to a hardware issue, meaning the cable and/or interface in question...If you got another router swap it or change the cable. -Eric - Original Message - From: "Roberts, Larry" To: Sent: Tuesday, April 23, 2002 12:08 PM Subject: RE: frame-relay [7:42350] > Once it goes down, does it stay down or does it bounce ? > > Thanks > > Larry > > -Original Message- > From: Naafi Matovu [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, April 23, 2002 1:33 PM > To: [EMAIL PROTECTED] > Subject: frame-relay [7:42350] > > > Hi all > > I've been configuring a cisco 2600 dual wic with three subinterfaces on > serial 0/1. If i leave the the keepalive to 10 sec, the line protocol on the > serial 0/1 keeps coming up but going down after a couple of seconds. The > only way i can keep the line protocol up is (no keepalive) on seial 0/1. Iam > not sure whether this is the best way of sorting out this problem.Here is > the current config on this serial port > > > Serial0/1 is up, line protocol is up > Hardware is PowerQUICC Serial > MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation FRAME-RELAY IETF, loopback not set > Keepalive not set > Broadcast queue 0/64, broadcasts sent/dropped 96/227, interface broadcasts > 96 Last input 00:00:17, output 00:00:12, output hang never > Last clearing of "show interface" counters 01:26:53 > Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 > Queueing strategy: weighted fair > Output queue: 0/1000/64/0 (size/max total/threshold/drops) > Conversations 0/2/256 (active/max active/max total) > Reserved Conversations 0/0 (allocated/max allocated) > 5 minute input rate 0 bits/sec, 0 packets/sec > 5 minute output rate 0 bits/sec, 0 packets/sec > 11467 packets input, 876671 bytes, 0 no buffer > Received 0 broadcasts, 0 runts, 0 giants, 0 throttles > 33 input errors, 0 CRC, 33 frame, 0 overrun, 0 
ignored, 0 abort > 11125 packets output, 799491 bytes, 0 underruns > 0 output errors, 0 collisions, 45 interface resets > 0 output buffer failures, 0 output buffers swapped out > 2 carrier transitions > DCD=up DSR=up DTR=up RTS=up CTS=up Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42366&t=42350 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: frame-relay [7:42350]
The interface may say up up but if you can't get any traffic across it... your just spoofing the interface. Do a show frame-relay pvc, is your PVC active. You also appear to be missing part of the show serial output, where is your LMI sent and received??? ROUTER>sh frame-rela pvc PVC Statistics for interface Serial5/0 (Frame Relay DTE) Active Inactive Deleted Static Local 4000 Switched 0000 Unused 0000 DLCI = 16, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial5/0.16 input pkts 9579930 output pkts 9799989 in bytes 3594749594 out bytes 3653765588 dropped pkts 114 in FECN pkts 0 in BECN pkts 0 out FECN pkts 0 out BECN pkts 0 in DE pkts 2 out DE pkts 0 out bcast pkts 9729374out bcast bytes 3647281854 pvc create time 17w0d, last time pvc status changed 17w0d mid-7206-b>sh int s5/0 Serial5/0 is up, line protocol is up Hardware is M4T Description: ROUTER MTU 1500 bytes, BW 2048 Kbit, DLY 2 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation FRAME-RELAY IETF, crc 16, loopback not set Keepalive set (10 sec) LMI enq sent 1032897, LMI stat recvd 1032903, LMI upd recvd 0, DTE LMI up LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0 LMI DLCI 1023 LMI type is CISCO frame relay DTE Dave Naafi Matovu wrote: > > Hi all > > I've been configuring a cisco 2600 dual wic with three subinterfaces on > serial 0/1. > If i leave the the keepalive to 10 sec, the line protocol on the serial 0/1 > keeps coming up but going down after a couple of seconds. The only way i can > keep the line protocol up is (no keepalive) on seial 0/1. 
Iam not sure > whether this is the best way of sorting out this problem.Here is the current > config on this serial port > > Serial0/1 is up, line protocol is up > Hardware is PowerQUICC Serial > MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation FRAME-RELAY IETF, loopback not set > Keepalive not set > Broadcast queue 0/64, broadcasts sent/dropped 96/227, interface broadcasts > 96 > Last input 00:00:17, output 00:00:12, output hang never > Last clearing of "show interface" counters 01:26:53 > Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 > Queueing strategy: weighted fair > Output queue: 0/1000/64/0 (size/max total/threshold/drops) > Conversations 0/2/256 (active/max active/max total) > Reserved Conversations 0/0 (allocated/max allocated) > 5 minute input rate 0 bits/sec, 0 packets/sec > 5 minute output rate 0 bits/sec, 0 packets/sec > 11467 packets input, 876671 bytes, 0 no buffer > Received 0 broadcasts, 0 runts, 0 giants, 0 throttles > 33 input errors, 0 CRC, 33 frame, 0 overrun, 0 ignored, 0 abort > 11125 packets output, 799491 bytes, 0 underruns > 0 output errors, 0 collisions, 45 interface resets > 0 output buffer failures, 0 output buffers swapped out > 2 carrier transitions > DCD=up DSR=up DTR=up RTS=up CTS=up -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 "Emotion should reflect reason not guide it" Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42364&t=42350 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
OT - VPN and use of public address space [7:42362]
For those of us that work for NSPs/ISPs or some other form of provider functionality, what are the thoughts in regards to use of public address space within VPNs? I've seen several networks that are using public address space within their VPNs, hence preventing the use of that space on the net. Several clients have large netblocks routing in their VPNs rather than renumbering to RFC 1918 address space. To me, this seems like a horrible waste of address space. I'd tend to think that it would be the provider's responsibility to strongly encourage the clients to relinquish their public space if all traffic is to remain in the VPN. Using NAT to allow Internet access as required. Also, I thought I had heard (perhaps just a rumor) that ARIN or some other similar authority watches for use of address space. In other words, if someone's been assigned a /16 and no hosts of that /16 are publicly visible, a 'nasty-gram' would arrive questioning the lack of use. Sorry for the off-topic thread but since I've seen several people post questions about building VPNs, I was hoping to see some discussion on the matter. -chris Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42362&t=42362 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Away [7:42361]
I will be away from 21/01/2002 to 25/01/2002. Please forward the most urgent matters to Luis Beu ([EMAIL PROTECTED]). Paulo Buerger Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42361&t=42361
RE: CCIE 350-001 [7:42344]
> is there anyone attended the ccie exam 350-001 lately,
> I need to know they change the exam database or not
> yet, especially after publishing the beta exam ?!
> please advise which topic is important in the old exam

I think that you can find a very detailed description here: http://www.cisco.com/warp/public/625/ccie/certifications/rsblueprint.html

Marko.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42360&t=42344
RE: frame-relay [7:42350]
Usually this indicates problem with encapsulation or hardware (interface or cable). 1. Check on the frame-relay router, if you are using right encapsulation: frame-relay IETF !!! 2. Try switch to the second serial interface on your the router and see if the problem persist. 3. Try using HDLC encapsulation (the default one) and connect the serial interface to the router with a good serial interface. (Don't forget to set up clock rate on one of the end with DCE cable!!!) Debug interface: #debug serial interface The myseq, mineseen and yourseen should read the same. If not try using different cable. If the line protocol still goes up/down you have bad Serial interface on your router. Nick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 23, 2002 1:33 PM To: [EMAIL PROTECTED] Subject: frame-relay [7:42350] Hi all I've been configuring a cisco 2600 dual wic with three subinterfaces on serial 0/1. If i leave the the keepalive to 10 sec, the line protocol on the serial 0/1 keeps coming up but going down after a couple of seconds. The only way i can keep the line protocol up is (no keepalive) on seial 0/1. 
Iam not sure whether this is the best way of sorting out this problem.Here is the current config on this serial port Serial0/1 is up, line protocol is up Hardware is PowerQUICC Serial MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation FRAME-RELAY IETF, loopback not set Keepalive not set Broadcast queue 0/64, broadcasts sent/dropped 96/227, interface broadcasts 96 Last input 00:00:17, output 00:00:12, output hang never Last clearing of "show interface" counters 01:26:53 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/2/256 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 11467 packets input, 876671 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 33 input errors, 0 CRC, 33 frame, 0 overrun, 0 ignored, 0 abort 11125 packets output, 799491 bytes, 0 underruns 0 output errors, 0 collisions, 45 interface resets 0 output buffer failures, 0 output buffers swapped out 2 carrier transitions DCD=up DSR=up DTR=up RTS=up CTS=up Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42359&t=42350 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: ACL - Let's put some numbers on... [7:41738]
Anthony Pace wrote:
> I thought on some platforms there was a way to cache the ACLs and/or policy route-maps so they could be fast/CEF/mls switched. Like the logic got compiled and pushed into silicon (or something like that). Is there any validity to that?
>
> Anthony Pace

Actually on ALL platforms, ACLs are fast or CEF-switched by default. You can use netflow feature acceleration on models and IOS releases that support that as well. ACLs have been fast-switched both inbound and outbound since IOS 10.0 (quite a ways back :) Policy routing has been fast/CEF-switched for several major releases.

Yes, ACLs cause impact and yes, how deep it has to search for a match does make the difference. So the only true answer is to benchmark a case with typical traffic mix both with and without the ACL.

The final solution is to use turbo ACLs or Cat6500 ACLs. The former finds a match in three lookups for any length ACL.

The one action that does cause IOS process CPU time is the generation of an ICMP administratively prohibited unreachable message sent back to the source. That's why those are rate-limited to one/sec per source. And you can disable them entirely to prevent a DoS with "no ip unreachables".

- Marty

> "Brunner Joseph" wrote in message news:[EMAIL PROTECTED]...
> > Just remember if you run CEF on this router or fast switching (as you should) it will process switch if you apply access-lists to interfaces.
> >
> > Any time you apply ip policy (policy routing) or access lists it really hammers the cpu. Do you run MRTG ? If you do consider graphing the CPU of your router. I used to run about 80 to 100 % without cef, (process switching) now I run around 10 to 20 % with cef. Consider using "routes to null" or the bit bucket instead of access lists (unless you're using the ACL's
[snip]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42358&t=41738
Re: data vs voice traffic [7:42324]
"ira" wrote in message news:[EMAIL PROTECTED]...
> My company has a router w/ 1 WAN address.
> I want to prioritize traffic so that voice is
> preferred to data traffic.
>
> How can I do it? I mean how can I differentiate
> between data and voice traffic ?
>
> Ira.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42357&t=42324
RE: Security advice - opening ports other than 80 and 443 in[7: [7:42356]
Do you load balance traffic to your firewall(s)? If so, what methodology and, more importantly, whose technology are you using? For example, if you were utilizing Foundry Networks ServerIronXLs and are employing a sandwich architecture, you could not only switch based on the protocol and in effect load balance all port 80 and 443 traffic to different devices respectively, you could also provide nimda/code red (sic Trojan) mitigation. I believe that Cisco's CSS switches will allow you the same functionality but am not quite up to speed on that gear.

Security Policies gain legitimacy through actions. Your Security Policy and Procedures should act as a point of reference for your Rulesets, however it will be up to you as the administrator, working with your ITSEC team and business units to define and streamline your identify the types of traffic you will need to allow entry and exit from your network in order to maintain normal business conditions. Remember the more complex a solution is, the greater the risk due to learning curve, configuration etc. If you are concerned about worms and viruses infiltrating hosts within or past a zone/DMZ you may wish to explore not only Network Based Intrusion Detection, but Host Based as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Ramsey
Sent: Tuesday, April 23, 2002 12:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Security advice - opening ports other than 80 and 443 in[7: [7:42347]

a good security policy would have had this matter taken care of as soon as it sprouted! :) (not directed to you Sam, just replying to thread) :)

that aside,
1) opening up every port on the firewall is not dangerous unless you have something accessible via the firewall listening on a specific port.
2) it only takes one server to be hacked to bring a network to a stop
3) 1 should never happen because it is highly insecure.. :)

>>> "sam sneed" 04/23/02 12:41PM >>>
They can do more than just bring the server down. They can gain control of the server and have it attack other servers on your network or outside network. ex. the IIS code red worm only needed port 80 to be open on Winblows servers to spread across the internet.

"Brown, M" wrote in message news:[EMAIL PROTECTED]...
> Certain application requires port other than 80 or 443 opened in the firewall for inbound and outbound traffic. The firewall was configured to allow traffic to that specific server ip address.
>
> The software vendor argues "that the worst scenario could be that hackers could bring the server down. No other significant would be possible. "
>
> Is that true ?
>
> How risky is that to my network ? I would like to secure that connection using CA from the company and IPSec. The software vendor argues that is not necessary.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42356&t=42356
Re: What are the first thing you do...?? [7:42276]
You could have some duplex mismatches. Do a clear counters then do a show int a while later. Look for collisions and input/output errors. There shouldn't be much, look for high error rates. Then play with duplex/speed settings then check for errors again, maybe you need to replace a couple of cables to reduce errors.

"Luis Wiedemann" wrote in message news:[EMAIL PROTECTED]...
> hey all,
> I'm new to the newsgroup, and pretty new to real world cisco. my experience comes mainly from reading cisco press and sybex books along with a few virtual labs. now I'm consulting for a small bank that just implemented a switched network from their old stacked hubs. everything is going OK but I still feel that the network may be a bit laggy. not sure if it's the switches or what, so my real question is what are the first things you do when configuring a new switch? I know I run the setup and configure IP, Netmask, Default GW etc. we don't have any redundant links, so should I disable STP? how about port fast? it's only one vlan, and we only have one switch per subnet, except for the main branch which has one switch per dept, but they all connect to the same server and there are no routers for internal traffic, only to connect to the branches via fractional t1's. so I don't think vlans are an option here...anyway...you guys/gals know of any special things I should be looking for?
>
> tia
> luis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42355&t=42276
RE: frame-relay [7:42350]
Once it goes down, does it stay down or does it bounce?

Thanks
Larry

-Original Message-
From: Naafi Matovu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 1:33 PM
To: [EMAIL PROTECTED]
Subject: frame-relay [7:42350]

Hi all

I've been configuring a cisco 2600 dual wic with three subinterfaces on serial 0/1. If I leave the keepalive to 10 sec, the line protocol on the serial 0/1 keeps coming up but going down after a couple of seconds. The only way I can keep the line protocol up is (no keepalive) on serial 0/1. I am not sure whether this is the best way of sorting out this problem. Here is the current config on this serial port

Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY IETF, loopback not set
  Keepalive not set
  Broadcast queue 0/64, broadcasts sent/dropped 96/227, interface broadcasts 96
  Last input 00:00:17, output 00:00:12, output hang never
  Last clearing of "show interface" counters 01:26:53
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/2/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     11467 packets input, 876671 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     33 input errors, 0 CRC, 33 frame, 0 overrun, 0 ignored, 0 abort
     11125 packets output, 799491 bytes, 0 underruns
     0 output errors, 0 collisions, 45 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42354&t=42350
IP Forwarding [7:42353]
Not sure on this, but can't you have a router take a packet destined for one location, take and forward it to another location based on a mapping or ACL. For example, all requests that come in a serial interface destined for 10.0.0.15 can be forwarded to 10.1.1.10 without the requesting station knowing the new destination IP?

We need to make some pretty large DNS changes and would like to use this in order for the DNS fairies to take their time to do their propagation.

Thanks!
Chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42353&t=42353
Re: Security advice - opening ports other than 80 and [7:42333]
"Don Nguyen" wrote in message news:[EMAIL PROTECTED]...
> It's generally a good idea only to open ports that are necessary (eg. 80 for
> http, 21 for ftp, etc..). Opening up unnecessary ports and/or running
> unnecessary services just opens your server up to security vulnerabilities.
> In your case I don't really understand what you're trying to do. For a web
> server using SSL you only have to allow inbound traffic to port 443, you
> don't need port 80 open unless it also serves up unencrypted pages. If you
> want/need to use IPSEC you will need to allow inbound traffic on the UDP
> port 500 and allow IP protocols 50 and 51 (not ports 50 and 51).

Or generally just protocol 50. Because after all, how many people really use AH? Even the standards bodies are thinking of dropping AH because it really doesn't do very much - ESP can also do authentication, and while AH also does authentication of parts of the packet header, is that really worth the overhead of creating another 2 SA's?

>
> HTH,
>
> Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42352&t=42333
Access-list Assistance Needed [7:42351]
I have the following:

PC ethernet1720---serial provider

PC IP: 192.168.10.5
LAN Address: 192.168.10.0/24
Serial: 200.x.x.1/30

There are many other PCs on the LAN but only one of them (PCa) is running a specific program. I would like to be able to translate PCa to a unique global IP address (let's use 198.x.x.5) and have all the other LAN traffic get overloaded / translated to the serial IP address on the router. In addition, I would like to redirect all incoming traffic destined to 198.x.x.5 (PCa Global IP Address) with ports greater than 0 (for both UDP and TCP) to the PCa internal 192.168.10.5 IP address.

Please help. TIA!
JunoGuy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42351&t=42351
frame-relay [7:42350]
Hi all

I've been configuring a cisco 2600 dual wic with three subinterfaces on serial 0/1. If I leave the keepalive to 10 sec, the line protocol on the serial 0/1 keeps coming up but going down after a couple of seconds. The only way I can keep the line protocol up is (no keepalive) on serial 0/1. I am not sure whether this is the best way of sorting out this problem. Here is the current config on this serial port

Serial0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation FRAME-RELAY IETF, loopback not set
  Keepalive not set
  Broadcast queue 0/64, broadcasts sent/dropped 96/227, interface broadcasts 96
  Last input 00:00:17, output 00:00:12, output hang never
  Last clearing of "show interface" counters 01:26:53
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/2/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     11467 packets input, 876671 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     33 input errors, 0 CRC, 33 frame, 0 overrun, 0 ignored, 0 abort
     11125 packets output, 799491 bytes, 0 underruns
     0 output errors, 0 collisions, 45 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions
     DCD=up DSR=up DTR=up RTS=up CTS=up

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42350&t=42350
OSPF over ISDN demand circuit [7:42348]
Hi, Group,

On an ISDN circuit running ospf, if I want to use "ip ospf demand-circuit" to keep it from being brought up by ospf update, do I need to define 224.0.0.5 as non-interesting traffic in dialer-list? I have configured "ip ospf demand-circuit" on one side of the ISDN, but routing update to 224.0.0.5 keeps activating the circuit? What is the problem?

Thanks
Ruihai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42348&t=42348
Re: Security advice - opening ports other than 80 and 443 in[7: [7:42347]
a good security policy would have had this matter taken care of as soon as it sprouted! :) (not directed to you Sam, just replying to thread) :)

that aside,
1) opening up every port on the firewall is not dangerous unless you have something accessible via the firewall listening on a specific port.
2) it only takes one server to be hacked to bring a network to a stop
3) 1 should never happen because it is highly insecure.. :)

>>> "sam sneed" 04/23/02 12:41PM >>>
They can do more than just bring the server down. They can gain control of the server and have it attack other servers on your network or outside network. ex. the IIS code red worm only needed port 80 to be open on Winblows servers to spread across the internet.

"Brown, M" wrote in message news:[EMAIL PROTECTED]...
> Certain application requires port other than 80 or 443 opened in the
> firewall for inbound and outbound traffic. The firewall was configured to
> allow traffic to that specific server ip address.
>
> The software vendor argues "that the worst scenario could be that hackers
> could bring the server down. No other significant would be possible. "
>
> Is that true ?
>
> How risky is that to my network ? I would like to secure that connection
> using CA from the company and IPSec. The software vendor argues that is not
> necessary.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42347&t=42347
Re: PIX and AAA [7:42302]
Well, actually, the Pix does support a very limited amount of Radius authorization. It's only for users going through the Pix, not administrators of the Pix. And the authorization 'capabilities' only allow you to invoke existing access-lists on the Pix for certain users, so, like I said, it's very limited. Still, the capability exists.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid10

"Georg Pauwen" wrote in message news:[EMAIL PROTECTED]...
> Paul, Tim, Patrick,
>
> you guys are good ! You are right, I wasn't specific enough in what I said:
> PIX does support RADIUS, but it does NOT support RADIUS Authorization :)
>
> Regards,
>
> Georg
>
> >From: "Paul Borghese"
> >To: "Georg Pauwen" ,
> >Subject: Re: PIX and AAA [7:42302]
> >Date: Tue, 23 Apr 2002 10:03:43 -0400
> >
> >The pix does support radius. I am using it for a small client to
> >authenticate PPTP connections using the Microsoft 2000 Radius server.
> >
> >Paul Borghese
> >- Original Message -
> >From: "Georg Pauwen"
> >To:
> >Sent: Tuesday, April 23, 2002 7:16 AM
> >Subject: RE: PIX and AAA [7:42302]
> >
> > > Hi Patrick,
> > >
> > > yes, aaa is fully supported on the PIX (remember, though, that the PIX does
> > > not support RADIUS). Follow this link for a command overview of aaa on the
> > > PIX:
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3
> > >
> > > Regards,
> > >
> > > Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42346&t=42302
Re: What are the first thing you do...?? [7:42276]
You did the most important thing, enabling portfast. That will speed up performance on startup.

Also check for a duplex mismatch problem on every port. You may want to hard code everything as full duplex, (assuming the ports just connect a single device). Don't rely on auto-negotiation since it doesn't work a lot of the time. (On the other hand, there are cases where auto-negotiation works better than hard-coding, so do some testing first.)

Keeping STP enabled shouldn't be a problem. It's the safest thing to do unless you are absolutely sure nobody is going to add any switches to the network in a redundant way. It's hard to ensure that. These days if you order a hub from some vendors, you get a switch anyway. End users could order a hub to add devices somewhere in the network and actually get a switch and possibly cause problems.

STP won't affect the routers unless they are configured as bridges, which they probably aren't. STP does send BPDU packets every two seconds, which some people could consider a performance issue. These packets go to a multicast address. A good network interface card (in end devices or routers) will ignore those multicasts and not interrupt the CPU. Unfortunately, not all PC NICs are that good.

Regarding testing the performance, do you have any before and after stats? How was the performance before you swapped out the hubs and put in switches? Maybe it was never so hot to start with.

On the other hand, it is possible that the servers actually liked being in a shared Ethernet environment and are overwhelmed by a switched environment. In a shared environment, contention for the medium would slow down the requests to the server. Now the server may be getting requests much more quickly than before. What is the CPU on the servers?

What protocols are you running? TCP/IP or IPX/NCP or NWLink (Novell's NetBIOS?) With TCP and NetBIOS you can often prove that the problem isn't with the network if you have a Sniffer. You can show that the server ACKs quickly but then takes a long time to process requests. If ACKs are getting through quickly, then the network is OK.

Priscilla

At 11:57 AM 4/23/02, Luis Wiedemann wrote:
>Well...the branches dont have more than 24 hosts, including the server. all
>branches with the exception of the main branch only consist of one novell
>5.1 server, one 24 port wc-2950-24, and a 1720 router that connects the
>branches to our main branch, which then go to the datacenter through a 2620.
>we have nothing to do with the routers as the data center supplies the
>support and config for the routers.
>
>the main branch has 10 switches. mainly 2950-24's but we also have 2
>2950-48g's and a 3508 to connect a few switches via fiber gigabit. i did port
>fast all of the client ports on all of the switches. im also hearing bad
>things about STP. A co-worker has been saying that in his experience with
>intel? and hp? switches that STP was a horrible thing to have on. of course
>cisco says to keep it on. we dont have redundant links in our network so how
>important is it? our datacenter says that it may also be affecting the
>routers?
>
>So far this group has been awesome with some very useful info. i hope one
>day i can help as much as you guys/gals do!
>
>thanks again
>
>Luis
>
>"Luis Wiedemann" wrote in message
>news:[EMAIL PROTECTED]...
> > hey all,
> > im new to the newsgroup, and pretty new to real world cisco. my experience
> > comes mainly from reading cisco press and sybex books along with a few
> > virtual labs. now im consulting for a small bank that just implemented a
> > switched network from their old stacked hubs. everything is going OK but i
> > still feel that the network may be a bit laggy. not sure if its the switches
> > or what, so my real question is what are the first things you do when
> > configuring a new switch? I know I run the setup and configure IP, Netmask ,
> > Default GW etc. we dont have any redundant links, so should i disable STP?
> > how about port fast? its only one vlan, and we only have one switch per
> > subnet, except for the main branch which has one switch per dept, but they
> > all connect to the same server and there are no routers for internal
> > traffic, only to connect to the branches via fractional t1's. so i dont
> > think vlans are an option here...anyway...you guys/gals know of any special
> > things i should be looking for?
> >
> > tia
> > luis

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42345&t=42276
CCIE 350-001 [7:42344]
is there anyone attended the ccie exam 350-001 lately, i need to know they change the exam database or not yet, especially after publishing the beta exam ?! please advise which topic is important in the old exam

regards,
khalid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42344&t=42344
BSCI - 640-900 [7:42343]
Hi all,

There's just one test missing for me for CCNP - which is routing. I was thinking about the BSCI which opens a new path towards CCIP. Does anybody know about the contents of this test? Is it much similar to 640-503? Does anybody know some good practice test?

Thanks,
Paulo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42343&t=42343
Re: Slight digression on Scenario 5 -- choices on real-world [7:42342]
At 7:49 AM -0400 4/23/02, Kevin Cullimore wrote:
>Over time, worthwhile content tends to be read, and sometimes even purchased
>first (though possibly not in a timeframe acceptable to the author, on both
>counts). I've found that understanding design considerations for networks,
>routing protocols & even "routed" protocols make it easier to remember the
>concrete details so dear to the hearts & ideologies of the hardware/software
>vendor "educational" community.
>
>If people are in it for more than yet another set of letters, or, if they
>want to do "it" right, they'll be checking amazon in hopes of an expedited
>publication date for this material every couple of days. I'm not sure what
>the ratio of those types to the folk in need of more explicit/focused
>training materials is, and how the practice of coping with economic
>overcorrections will influence that mix in the near future.
>

Thank you, Kevin. While people are waiting for my new book, the final proof pages for which arrived this morning, I have some other suggestions. Mine will be out sometime in June, although I don't have the exact date.

Those of you that have not dug into the Cisco Press "Inside IOS Architecture" (IIRC the title) really should.

A complementary book, which I recommend highly, is Alex Zinin's "Cisco IP Routing" from Addison-Wesley. Alex is a CCIE/CCSI, and was in tier 1 ISP support at Cisco, between TAC and engineering. He's at a new company now. Alex is also co-director of the Routing Area of the IETF, so he's in the heart of the new action. I know him, and he's also a nice guy.

This book goes into the same sort of depth on the Cisco router control plane (i.e., routing protocols, routing table) that the Inside IOS book does on the operating system and forwarding. It's the first published (admittedly pseudocode) descriptions of the actual data structures of the various routing tables, the logic of the routines updating it, and the actual logic of redistribution. Highly recommended.

I've always wanted such a book available when writing mine, because I have chosen to focus on the use, rather than the implementation, of the routing protocols. I suspect this will answer a lot of the "why" questions about redistribution and the like, if you lack, like most people, a background in protocol development and can make good guesses!

--
"What Problem are you trying to solve?"
***send Cisco questions to the list, so all can benefit -- not directly to me***
Howard C. Berkowitz [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
"retired" Certified Cisco Systems Instructor (CID) #93005

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42342&t=42342
Re: how much 10720? [7:42331]
Go here and grab the price list for everything. The chassis is 13k which you have to fill up...

http://www.cisco.com/cgi-bin/front.x/pricing?Request=ViewDownloadListPage

Dave

TP wrote:
>
> Anybody knows how much a new 10720?
>
> Just a rough price
>
> Thank you.
> Teresa

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42341&t=42331
Re: What are the first thing you do...?? [7:42276]
I've seen STP cause problems with clients at bootup. Some clients boot too fast for the switch and then don't receive a DHCP address. Pretty soon people are yelling that the network is down. However, you say that you've enabled portfast on the client ports, so that should prevent the above described problem.

Can you provide more detail regarding the bad things you've been hearing about STP? I'd love to hear more.

Craig

At 11:57 AM 4/23/2002 -0400, you wrote:
>Well...the branches dont have more than 24 hosts, including the server. all
>branches with the exception of the main branch only consist of one novell
>5.1 server, one 24 port wc-2950-24, and a 1720 router that connects the
>branches to our main branch, which then go to the datacenter through a 2620.
>we have nothing to do with the routers as the data center supplies the
>support and config for the routers.
>
>the main branch has 10 switches. mainly 2950-24's but we also have 2
>2950-48g's and a 3508 to connect a few switches via fiber gigabit. i did port
>fast all of the client ports on all of the switches. im also hearing bad
>things about STP. A co-worker has been saying that in his experience with
>intel? and hp? switches that STP was a horrible thing to have on. of course
>cisco says to keep it on. we dont have redundant links in our network so how
>important is it? our datacenter says that it may also be affecting the
>routers?
>
>So far this group has been awesome with some very useful info. i hope one
>day i can help as much as you guys/gals do!
>
>thanks again
>
>Luis
>
>"Luis Wiedemann" wrote in message
>news:[EMAIL PROTECTED]...
> > hey all,
> > im new to the newsgroup, and pretty new to real world cisco. my experience
> > comes mainly from reading cisco press and sybex books along with a few
> > virtual labs. now im consulting for a small bank that just implemented a
> > switched network from their old stacked hubs. everything is going OK but i
> > still feel that the network may be a bit laggy. not sure if its the switches
> > or what, so my real question is what are the first things you do when
> > configuring a new switch? I know I run the setup and configure IP, Netmask ,
> > Default GW etc. we dont have any redundant links, so should i disable STP?
> > how about port fast? its only one vlan, and we only have one switch per
> > subnet, except for the main branch which has one switch per dept, but they
> > all connect to the same server and there are no routers for internal
> > traffic, only to connect to the branches via fractional t1's. so i dont
> > think vlans are an option here...anyway...you guys/gals know of any special
> > things i should be looking for?
> >
> > tia
> > luis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42340&t=42276
Re: Security advice - opening ports other than 80 and 443 in [7:42338]
They can do more than just bring the server down. They can gain control of the server and have it attack other servers on your network or outside network. ex. the IIS code red worm only needed port 80 to be open on Winblows servers to spread across the internet.

"Brown, M" wrote in message news:[EMAIL PROTECTED]...
> Certain application requires port other than 80 or 443 opened in the
> firewall for inbound and outbound traffic. The firewall was configured to
> allow traffic to that specific server ip address.
>
> The software vendor argues "that the worst scenario could be that hackers
> could bring the server down. No other significant would be possible. "
>
> Is that true ?
>
> How risky is that to my network ? I would like to secure that connection
> using CA from the company and IPSec. The software vendor argues that is not
> necessary.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42338&t=42338
Re: Security advice - opening ports other than 80 and [7:42333]
In my case, a third-party application requires port TCP 100 open. I used a conduit from the PIX allowing in/outbound traffic to that specific server IP address where the application resides.

My question is, how can I make sure this TCP 100 port is going to be secure as possible... I would like to know what kind of threats I would face with that port TCP 100 open and how I could minimize those threats.

"Don Nguyen" wrote in message news:[EMAIL PROTECTED]...
> It's generally a good idea only to open ports that are necessary (eg. 80 for
> http, 21 for ftp, etc..). Opening up unnecessary ports and/or running
> unnecessary services just opens your server up to security vulnerabilities.
> In your case I don't really understand what you're trying to do. For a web
> server using SSL you only have to allow inbound traffic to port 443, you
> don't need port 80 open unless it also serves up unencrypted pages. If you
> want/need to use IPSEC you will need to allow inbound traffic on the UDP
> port 500 and allow IP protocols 50 and 51 (not ports 50 and 51).
>
> HTH,
>
> Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42337&t=42333
Re: Security advice - opening ports other than 80 and 443 in [7:42336]
Try to find out exactly which ports are needed, allowing all IP is dangerous. In terms of what the vendor said about only that box being affected- the hacker can gain control of that box and possibly have his way with your network from there or use you to spread his treachery. Key is to find out exactly what is needed and allow nothing else to even reach the box.

Jeff

>From: "Brown, M"
>Reply-To: "Brown, M"
>To: [EMAIL PROTECTED]
>Subject: Security advice - opening ports other than 80 and 443 in the [7:42333]
>Date: Tue, 23 Apr 2002 11:59:48 -0400
>
>Certain application requires port other than 80 or 443 opened in the
>firewall for inbound and outbound traffic. The firewall was configured to
>allow traffic to that specific server ip address.
>
>The software vendor argues "that the worst scenario could be that hackers
>could bring the server down. No other significant would be possible. "
>
> Is that true ?
>
>How risky is that to my network ? I would like to secure that connection
>using CA from the company and IPSec. The software vendor argues that is not
>necessary.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42336&t=42336
RE: Remote access [7:42310]
If they can't use or a VPN solution is not viable you could look into a virtual modem bank from a telco that services your area. I used this as a solution for a customer that needed dial-up access. Basically you buy say 50-100 virtual modem lines (unless of course you think all 500 remote users will be on simultaneously, this should give you a modem line/remote user ratio of 10-1 to 5-1). The telco handles the calls and you can give a single number to your remote users. They route this traffic to your router/access server where you handle the authentication and access, usually thru an ATM pipe. However, I would recommend trying a VPN solution if possible first.

HTH,

Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42335&t=42310
RE: Security advice - opening ports other than 80 and [7:42333]
It's generally a good idea only to open ports that are necessary (eg. 80 for http, 21 for ftp, etc..). Opening up unnecessary ports and/or running unnecessary services just opens your server up to security vulnerabilities. In your case I don't really understand what you're trying to do. For a web server using SSL you only have to allow inbound traffic to port 443, you don't need port 80 open unless it also serves up unencrypted pages. If you want/need to use IPSEC you will need to allow inbound traffic on the UDP port 500 and allow IP protocols 50 and 51 (not ports 50 and 51).

HTH,

Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42334&t=42333
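The difference between IP protocols 50 and 51 and ports 50 and 51 drawn in the post above, as an added example that is not part of the original thread: a first-match filter that reads the Protocol field of a raw IPv4 header and only looks at a destination port when the packet is TCP or UDP. The rule layout, helper names, sample addresses and the handling of non-first fragments are assumptions made for illustration, not a description of how a PIX or IOS device behaves.

```python
import struct
from typing import NamedTuple, Optional, Tuple

# IANA-assigned IP protocol numbers (the IPv4 header's Protocol field, not ports).
TCP, UDP, ESP, AH = 6, 17, 50, 51


class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: int            # IP protocol number to match
    dport: Optional[int]  # destination port; None means "no port test"


# Inbound policy from the post: HTTPS, IKE on UDP 500, ESP and AH as IP protocols.
POLICY = [
    Rule("permit", TCP, 443),
    Rule("permit", UDP, 500),
    Rule("permit", ESP, None),
    Rule("permit", AH, None),
]
# Variant suggested in a reply in the thread: carry IPsec on ESP alone.
ESP_ONLY_POLICY = [r for r in POLICY if r.proto != AH]


def classify(packet: bytes) -> Tuple[int, Optional[int]]:
    """Return (ip_protocol, dest_port); dest_port is None unless a TCP/UDP
    header is actually present in this packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    dport = None
    # Only the first fragment carries the transport header. This example's
    # choice: later fragments have no port, so port-based rules never match.
    if proto in (TCP, UDP) and frag_offset == 0:
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        dport = struct.unpack_from("!H", packet, ihl + 2)[0]
    return proto, dport


def evaluate(packet: bytes, policy=POLICY) -> str:
    """First matching rule wins; anything unmatched falls to an implicit deny."""
    proto, dport = classify(packet)
    for rule in policy:
        if rule.proto == proto and rule.dport in (None, dport):
            return rule.action
    return "deny"


def build_ipv4(proto: int, payload: bytes = b"", frag_offset: int = 0) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header (checksum left at 0),
    documentation addresses 198.51.100.7 -> 192.0.2.10, then the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                         frag_offset & 0x1FFF, 64, proto, 0,
                         bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return header + payload


def l4(dport: int, sport: int = 40000) -> bytes:
    """Source and destination port (same offsets in TCP and UDP) plus padding."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def sample_results() -> dict:
    """Run the constructed packets through the policy from the post."""
    return {
        "tcp/443": evaluate(build_ipv4(TCP, l4(443))),
        "tcp/80": evaluate(build_ipv4(TCP, l4(80))),
        "udp/500": evaluate(build_ipv4(UDP, l4(500))),
        "ip proto 50 (ESP)": evaluate(build_ipv4(ESP, b"\x00" * 8)),
        "ip proto 51 (AH)": evaluate(build_ipv4(AH, b"\x00" * 12)),
        "tcp/50": evaluate(build_ipv4(TCP, l4(50))),
        "udp/51": evaluate(build_ipv4(UDP, l4(51))),
    }


if __name__ == "__main__":
    for name, verdict in sample_results().items():
        print(f"{name:20} {verdict}")
```

A rule set that opened TCP or UDP ports 50 and 51 instead would pass none of the ESP or AH packets and would expose two unrelated ports.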
Re: What are the first thing you do...?? [7:42276]
Well...the branches dont have more than 24 hosts, including the server. all branches with the exception of the main branch only consist of one novell 5.1 server, one 24 port wc-2950-24, and a 1720 router that connects the branches to our main branch, which then go to the datacenter through a 2620. we have nothing to do with the routers as the data center supplies the support and config for the routers.

the main branch has 10 switches. mainly 2950-24's but we also have 2 2950-48g's and a 3508 to connect a few switches via fiber gigabit. i did port fast all of the client ports on all of the switches. im also hearing bad things about STP. A co-worker has been saying that in his experience with intel? and hp? switches that STP was a horrible thing to have on. of course cisco says to keep it on. we dont have redundant links in our network so how important is it? our datacenter says that it may also be affecting the routers?

So far this group has been awesome with some very useful info. i hope one day i can help as much as you guys/gals do!

thanks again

Luis

"Luis Wiedemann" wrote in message news:[EMAIL PROTECTED]...
> hey all,
> im new to the newsgroup, and pretty new to real world cisco. my experience
> comes mainly from reading cisco press and sybex books along with a few
> virtual labs. now im consulting for a small bank that just implemented a
> switched network from their old stacked hubs. everything is going OK but i
> still feel that the network may be a bit laggy. not sure if its the switches
> or what, so my real question is what are the first things you do when
> configuring a new switch? I know I run the setup and configure IP, Netmask ,
> Default GW etc. we dont have any redundant links, so should i disable STP?
> how about port fast? its only one vlan, and we only have one switch per
> subnet, except for the main branch which has one switch per dept, but they
> all connect to the same server and there are no routers for internal
> traffic, only to connect to the branches via fractional t1's. so i dont
> think vlans are an option here...anyway...you guys/gals know of any special
> things i should be looking for?
>
> tia
> luis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42332&t=42276
Security advice - opening ports other than 80 and 443 in the [7:42333]
Certain application requires port other than 80 or 443 opened in the firewall for inbound and outbound traffic. The firewall was configured to allow traffic to that specific server ip address.

The software vendor argues "that the worst scenario could be that hackers could bring the server down. No other significant would be possible. "

Is that true ?

How risky is that to my network ? I would like to secure that connection using CA from the company and IPSec. The software vendor argues that is not necessary.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42333&t=42333
how much 10720? [7:42331]
Anybody knows how much a new 10720?

Just a rough price

Thank you.
Teresa

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42331&t=42331
Re: mpls exam [7:42225]
"[EMAIL PROTECTED]" wrote:
> I passed it. Just read the 2 Cisco books, know ATM well, and use every
> other source you have.

I was hoping to get by with minimal ATM but I gather from what you say that the interworking of MPLS and ATM is considered a necessary part of the certification.

According to the exam page, CEF is a topic to be tested. I have the Pepelnjak/Guichard book ("MPLS and VPN Architectures") but not the one by Alwayn ("Advanced MPLS Design and Implementation"). Pepelnjak and Guichard mention that "the CEF switching mechanism is a necessary prerequisite for successful MPLS/VPN data forwarding as label imposition is achieved through the CEF switching path" (p. 188). I can only guess the details. Were they discussed in the Alwayn book? If not, can you refer me to a website or other publication for details about how CEF supports MPLS?

-- TT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42329&t=42225
Re: PIX and AAA [7:42302]
Paul, Tim, Patrick,

you guys are good! You are right, I wasn't specific enough in what I said: PIX does support RADIUS, but it does NOT support RADIUS Authorization :)

Regards,
Georg

>From: "Paul Borghese"
>To: "Georg Pauwen" ,
>Subject: Re: PIX and AAA [7:42302]
>Date: Tue, 23 Apr 2002 10:03:43 -0400
>
>The pix does support radius. I am using it for a small client to
>authenticate PPTP connections using the Microsoft 2000 Radius server.
>
>Paul Borghese
>- Original Message -
>From: "Georg Pauwen"
>To:
>Sent: Tuesday, April 23, 2002 7:16 AM
>Subject: RE: PIX and AAA [7:42302]
>
> > Hi Patrick,
> >
> > yes, aaa is fully supported on the PIX (remember, though, that the PIX does
> > not support RADIUS). Follow this link for a command overview of aaa on the
> > PIX:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3
> >
> > Regards,
> >
> > Georg
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42330&t=42302
TEST [7:42328]
Test rs
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42328&t=42328
access-list performance degradation [7:42327]
Hallo, I wonder what the performance degradation is on a 26xx Cisco router if I apply an ACL (outbound) with 30 lines (mostly permit) and most of the packets match the last entry. I mean CPU and DELAY degradation. Tks!!! Ira
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42327&t=42327
Source Route Transparent Bridging [7:42326]
Hi All,

I have a question to try and straighten out source route transparent bridging. r1 and r2 are connected to a 3920; r2 and r3 are connected by a cat5.

--- - --- ---
|r1 |---|tr bridge|---|r2 |--e/net--|r3 |
--- - --- ---
trcrf 2  trbrf 1  trcrf 2  bridge group 10  tr V/ring 1000

In the scenario above, when we are using source route transparent bridging, the trbrf is 1, the trcrf is 2 and the ethernet bridge group is 10. There is a Token ring Virtual ring of 1000 configured using source-bridge ring-group 1000. All numbers are in decimal!

If I configure

source-bridge transparent 1000 1 1000 10

I need to know if the first 1 in the config line is meant to refer to the trbrf number configured on the 3920, or is this just an arbitrary number to link the token ring source-bridge ring (1000) to the ethernet virtual ring (1000) in order that they can both talk.

Hope someone can clear this up for me.

Regards
Richard
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42326&t=42326
Re: ospf-- default-information originate vs redist [7:42294]
You cannot redistribute the default route into OSPF. You MUST use the "default-information originate" command in order to redistribute a static default route into OSPF. Every other route (non-default) will be redistributed without any problems.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42325&t=42294
data vs voice traffic [7:42324]
My company has a router w/ 1 WAN address. I want to prioritize traffic so that voice is preferred to data traffic. How can I do it? I mean, how can I differentiate between data and voice traffic? Ira.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42324&t=42324
RE: show spanning-tree command and the port number [7:42239]
Hi all,

as you already suspected, the #13 is the ifIndex number. Actually I don't know the principle how the ifIndex can be converted into the physical port. But I know an OID string, where you can ask the device to return the physical port name to a given ifIndex. So Bill, try to ask your 2900XL using snmpget and the OID 1.3.6.1.2.1.31.1.1.1.1.X where X is the ifIndex. I just tried it on a 2924XL and got the following reply:

  snmpget 10.0.10.5 1.3.6.1.2.1.31.1.1.1.1.13
  SNMP++ Get to 10.0.10.5 SNMPV1 Retries=1 Timeout=100ms Community=public
  Oid = 1.3.6.1.2.1.31.1.1.1.1.13
  Value = Fa0/12

Hope this helps
Peter
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42323&t=42239
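The lookup described in the post above, generalized from a single snmpget to a whole walk of the same column, as an added example that is not part of the original post: it parses numeric-OID walk output and resolves the port numbers shown by show spanning-tree to interface names. The sample output is constructed, and its `OID = STRING: value` line format is an assumption about the SNMP tool in use.

```python
import re

# ifName column; this is the OID given in the post (1.3.6.1.2.1.31.1.1.1.1.X)
IFNAME_BASE = "1.3.6.1.2.1.31.1.1.1.1"

# Constructed sample of a numeric-OID walk (format is an assumption, not
# output captured from a real switch). The ifDescr row and the malformed
# line are there to show what the parser must ignore.
SAMPLE_WALK = """\
.1.3.6.1.2.1.31.1.1.1.1.1 = STRING: VLAN1
.1.3.6.1.2.1.31.1.1.1.1.2 = STRING: Fa0/1
.1.3.6.1.2.1.31.1.1.1.1.13 = STRING: "Fa0/12"
.1.3.6.1.2.1.31.1.1.1.1.14 = STRING: Fa0/13
.1.3.6.1.2.1.2.2.1.2.13 = STRING: FastEthernet0/12
line without an OID or a value
"""

_LINE = re.compile(r'^\.?(?P<oid>\d+(?:\.\d+)+)\s*=\s*STRING:\s*(?P<val>.*)$')


def parse_ifname_walk(text):
    """Return {ifIndex: ifName} for rows under the ifName column only."""
    prefix = IFNAME_BASE + "."  # trailing dot so ...1.1.10.x cannot match
    table = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m or not m.group("oid").startswith(prefix):
            continue
        suffix = m.group("oid")[len(prefix):]
        if not suffix.isdigit():
            continue  # more than one sub-identifier left: not an ifIndex row
        # Some tools quote string values, others do not; accept both.
        table[int(suffix)] = m.group("val").strip().strip('"')
    return table


def resolve_ports(port_numbers, table):
    """Map spanning-tree port numbers (ifIndex values) to names, None if absent."""
    return {n: table.get(n) for n in port_numbers}


if __name__ == "__main__":
    names = parse_ifname_walk(SAMPLE_WALK)
    for port, name in resolve_ports([13, 14, 99], names).items():
        print(f"port {port}: {name or 'no ifName row for this ifIndex'}")
```
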
RE: mpls exam [7:42225]
Foundry's MPLS is a completely solid, end-to-end solution, Theodore. It's extremely robust and well thought out. I believe that I have a whitepaper from Foundry on their solution from one of the seminars I attended; I will be happy to forward it if you would like.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 22, 2002 7:24 PM
To: [EMAIL PROTECTED]
Subject: Re: mpls exam [7:42225]

I passed it. Just read the 2 Cisco books, know ATM well, and use every other source you have. I hear that Foundry's MPLS is better though

"Dave Dunbar" Sent by: [EMAIL PROTECTED] 04/22/2002 11:35 PM Please respond to "Dave Dunbar" To: [EMAIL PROTECTED] cc: Subject: mpls exam [7:42225]

Does anyone out there have any advice on what to study for the exam? Has anyone found a site where there are any practice exams? Any help would be appreciated. Thanks.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42322&t=42225
RE: remote access question - simple but difficult [7:42318]
Henrique, Have you checked the default gateways of the workstations? Dvass
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42321&t=42318
Re: PIX and AAA [7:42302]
The pix does support radius. I am using it for a small client to authenticate PPTP connections using the Microsoft 2000 Radius server.

Paul Borghese

- Original Message -
From: "Georg Pauwen"
To:
Sent: Tuesday, April 23, 2002 7:16 AM
Subject: RE: PIX and AAA [7:42302]

> Hi Patrick,
>
> yes, aaa is fully supported on the PIX (remember, though, that the PIX does
> not support RADIUS). Follow this link for a command overview of aaa on the
> PIX:
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3
>
> Regards,
>
> Georg
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42320&t=42302
RE: Easy question. [7:42314]
Hi Mike, As you are already assuming, deleted subinterfaces will be reported by a sh int command until the router is reloaded. Similarly, removed hardware interfaces will be reported as "removed" until the next router reload. Bye, Peter
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42319&t=42314
remote access question - simple but difficult [7:42318]
192.168.2.250 --|*|--192.168.1.2 192.168.1.1 --|*|--192.168.0.1
router A T1--- routerB
192.168.2.10 Workstation A 192.168.0.10 Workstation B

Message:

Hello All,

I'm encountering the following problem:

I can ping from Router A to router B (both interfaces)
I can ping from Router B to router A (both interfaces)
I can ping from workstation A to router B (both interfaces)
I can ping from workstation B to router A (both interfaces)
I can ping from router A to workstation A
I can ping from router B to workstation B

however,

I cannot ping from Workstation A to Workstation B.
I cannot ping from Router A to Workstation B
I cannot ping from Router B to Workstation A

I've spent 8 hours trying to figure this out but no results. Any help is greatly appreciated.

Thanks in advance,
- Henrique
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42318&t=42318