Re: STP and 7 hops [7:44408]

2002-05-22 Thread Chuck

sorry to keep harping on this one, but I'm actually learning something here.
Besides, my big project at work these days is working with a large
university, replacing their campus physical and switch infrastructure. I'm
finding this discussion fascinating for that reason as well.

If I read my source correctly, the max age field is supposed to be 2 bytes,
and is supposed to be a time value, with the min being 1/256 second and the
max being 256 seconds. other than in the initial STP process ( or
recalculation ) the BPDU would for all practical purposes be time from the
root. Correct? My source tells me only the fields and their values, and
nothing about functionality. It would appear that the max age field tells
the local switch how old a message can be before it is disregarded, or
causes some other action to be taken. The message age field is the actual
age as per the process you describe below - incremented by each bridge along
the way.

The root path cost is used to advertise how far this bridge is from the
root? hops?

counting on my fingers, a max distance of 20 from the root is a whole lot
different than a max diameter of 7.

Chuck


Priscilla Oppenheimer wrote in message
news:[EMAIL PROTECTED]...
 There's nothing in the STP frames to enforce a 7 hop diameter. But there is
 the Message Age field in the BPDUs. Each bridge (switch) adds one to the
 Message Age when the switch propagates the BPDU downstream.

 The Maximum Age threshold is 20. If a BPDU gets to a switch with the
 Message Age already at 20, it will think that the tree needs reconverging.
 This would get ugly if switches on the edges were always trying to
 reconverge. So, the max size from that viewpoint is 20 from the root.

 But 7? I really think DEC threw that in as a precaution. It's interesting
 that IBM was saying the same thing about source route bridging at the time
 (max bridges is 7). (But try finding 7 in IEEE 802.1D Annex C, the official
 standardization of source-route transparent bridging. The RIF can actually
 hold info for 14 rings and 13 bridges.)

 Back to the real subject at hand, the 7 max for STP is mentioned as a
 recommended value in Table 8.2 Maximum Bridge Diameter of IEEE 802.1D and
 is defined as The maximum number of Bridges between any two points of
 attachment of end stations.

 Then it's discussed again in Appendix B B.3.1.2 Basis of choice. This
 section is pretty incomprehensible, but, as far as I can tell, the main
 reason for the choice of parameters is to minimize the lifetime of a data
 (user) frame travelling across the switched network.

 Regarding gigastack, it sounds like the answer that Steven got from Cisco
 is that each switch counts as a hop, so if STP is enabled, each counts
 toward the _theoretical_ 7 hop count limit.

 But I bet you're right also that STP could be disabled with gigastack. It
 sounds like the topology is already a single linear branch (stack) with no
 loops. There's no need to prune it into a tree. But I'm way out on a limb
 now. ;-)

 Priscilla

 At 06:34 PM 5/19/02, Chuck wrote:
 you know, it suddenly occurs to me that I have been barking up the wrong
 [spanning] tree, so to speak.
 
 Let me guess - there is no maximum STP diameter in actuality because there
 is mechanism for enforcing a max diameter. The BPDUs apparently contain a
 field which shows distance from the root, and this value is incremented each
 time it crosses a bridge. If that field is the root path cost field, then
 this is a four byte value and that means a spanning tree could theoretically
 have a max distance from the root of  64000 or so?
 
 It's just that the recommendation in terms of best practice is diameter of
 7.
 
 thanks to Marty A. for providing the link that was the spike that finally
 began to sink through this thick head.
 
 
 Chuck wrote in message
 news:[EMAIL PROTECTED]...
   STP is really not an issue in the kind of application where gigastack makes
   sense. For example, take an office of 400 users plus servers and printers,
   occupying a contiguous space. Basic file and print sharing plus an internet
   connection. Rather than buy a honking 65xx, you throw in a few 3550-48's and
   gigastack them. The electronics work in conjunction with the switch OS to
   create a half duplex bus between the switches. ( The interesting thing is
   that electronics are apparently smart enough to determine if there are only
   two devices stacked, in which case the bus is full duplex. )
  
   That's the question about gigastack - whether the entire stack is treated as
   one switch, the way it is for management purposes, or if standard STP
   applies. We had a thread on this a few weeks ago, but none of us could find
   an answer in the Cisco documentation.  that's why I asked Steven ( who asked
   Cisco ) what Cisco had to say about spanning tree over a gigastack setup.
   I'm willing to bet that in a gigastack situation, that STP is disabled (
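
The Message Age, Max Age and root path cost fields discussed in this thread, as an added example that is not part of any post: it decodes a 35-byte 802.1D configuration BPDU, relays it bridge by bridge, and counts how deep the tree can get before the information ages out. The bridge IDs are constructed, and the timers (Max Age 20 s, Hello 2 s, Forward Delay 15 s) and the port cost of 19 are assumed defaults.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU: protocol id, version, type, flags, root id,
# root path cost, bridge id, port id, then four 2-byte timers.
BPDU_FMT = ">HBBB8sI8sHHHHH"
TICKS = 256  # timer fields are counted in 1/256 second units


@dataclass
class ConfigBPDU:
    flags: int
    root_id: bytes
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    message_age: float   # seconds
    max_age: float
    hello_time: float
    forward_delay: float


def build_config_bpdu(b: ConfigBPDU) -> bytes:
    timers = [round(t * TICKS) for t in
              (b.message_age, b.max_age, b.hello_time, b.forward_delay)]
    if any(not 0 <= t <= 0xFFFF for t in timers):
        raise ValueError("timer does not fit in a 2-byte field")
    return struct.pack(BPDU_FMT, 0, 0, 0, b.flags, b.root_id,
                       b.root_path_cost, b.bridge_id, b.port_id, *timers)


def parse_config_bpdu(frame: bytes) -> ConfigBPDU:
    if len(frame) < struct.calcsize(BPDU_FMT):
        raise ValueError("truncated BPDU")
    (proto, version, kind, flags, root_id, cost, bridge_id, port_id,
     age, max_age, hello, fwd) = struct.unpack_from(BPDU_FMT, frame)
    if (proto, version, kind) != (0, 0, 0):
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBPDU(flags, root_id, cost, bridge_id, port_id,
                      age / TICKS, max_age / TICKS, hello / TICKS, fwd / TICKS)


def relay(frame: bytes, bridge_id: bytes, port_cost: int, port_id: int = 0x8001):
    """What a non-root bridge sends downstream after receiving `frame`.
    Returns None when the received information is already too old."""
    b = parse_config_bpdu(frame)
    if b.message_age >= b.max_age:
        return None                      # aged out: the receiver discards it
    return build_config_bpdu(ConfigBPDU(
        b.flags, b.root_id,
        b.root_path_cost + port_cost,    # a sum of port costs, not a hop count
        bridge_id, port_id,
        b.message_age + 1.0,             # each bridge adds one second
        b.max_age, b.hello_time, b.forward_delay))


def max_depth(root_frame: bytes, port_cost: int = 19) -> int:
    """How many bridges below the root still receive usable information."""
    frame, depth = root_frame, 0
    while True:
        bridge_id = b"\x80\x00" + (depth + 2).to_bytes(6, "big")  # constructed IDs
        nxt = relay(frame, bridge_id, port_cost)
        if nxt is None:
            return depth
        frame, depth = nxt, depth + 1


# Constructed sample: the BPDU a root bridge originates (age 0, cost 0).
ROOT_ID = b"\x80\x00" + bytes.fromhex("020000000001")
ROOT_BPDU = build_config_bpdu(
    ConfigBPDU(0, ROOT_ID, 0, ROOT_ID, 0x8001, 0.0, 20.0, 2.0, 15.0))

if __name__ == "__main__":
    print(parse_config_bpdu(ROOT_BPDU))
    print("bridges below the root that accept the BPDU:", max_depth(ROOT_BPDU))
```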
   

RE: EIGRP NBMA and multicast together.. [7:44603]

2002-05-22 Thread Stefan Razeshu

The idea is: the router makes a copy of the hello packet and sends this packet
on each VC. So if you have 10 VCs you will send 10 hello packets, and these
packets are multicast (destination address 224.0.0.10).
Anyway, you can see a document on Cisco:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/mcst_sol/frm_rlay.htm

Best regards 

Stefan 
CCNA CCNP (1/4)...:-) 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44691t=44603
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Security on Router Switches [7:44692]

2002-05-22 Thread Kerry

Morning,
  I am trying to deny access to our Router on the network, but allow access
on the switches only. I am using Tacacs; is there a way of grouping switches
differently from routers and assigning different security settings to them?

Cheers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44692t=44692



Reloading Cisco 7204 [7:44693]

2002-05-22 Thread Kerry

Morning,
  I have a cisco 7204 that was alright until 4 weeks ago. It started
rebooting itself every 12 hours; upon checking the Crashinfo file, nothing
in it suggests something was wrong. Flash was full with crashinfo files;
after deleting files, the router stopped rebooting for about two weeks. So I
thought it was a memory problem, and case solved and closed!
Only to find out today that the problem has resurfaced. Thought of upgrading
IOS from 12.1 to 12.2, ran IOS 12.2 on a test 7204 with the same modules as
in the production 7402. Ran ok for 2 days, and reloaded. I cannot find
anything on cisco pages.
Any suggestions would be appreciated.

Cheers
Kerry




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44693t=44693



Re: Logic and Lab Rats [7:44653]

2002-05-22 Thread Kevin Cullimore

wow.

(attention G-S moderators: I know you always hoped I'd be at a loss for
words at some point. Nota Bene: this post came closer than most. I apologize
for the tease)

please note that I'm using this thread in a vain hope to render dormant all
sub-threads.

I say wow, partially because where purely non-tangible matters are
concerned, I usually applaud extreme tactics, but in this case I'm
profoundly stumped. Paul Feyerabend is certainly one of my favorite
non-fiction authors, but even he wielded reason against itself. I'm
impressed (and I'm not often impressed by how/the-manner-in-which/ people
think-or at least pretend to), but this post raised the stakes a bit, albeit
unwittingly, refuting reason BY EXAMPLE, therefore providing the only
potentially compelling counterargument to the modification of the subject
line wherein the string Logic suddenly plays a part..

taxonomical breakdown:

2 questions contrasted with the output of a 3rd, whereupon the outcome
solves nothing, and the group of two bear a tenuous relation to the third.

The 4th question is profoundly subject to the whims of fortune, temporality,
and the instincts of the poor fellow who would dare use the L word on this
newsgroup: based upon the past couple of hundred years of western
civilization or so, I'd say that the intended target has a better chance
than most, especially if he is allowed to draw upon past experience.

Question 5 ignores the public record on the subject, and improperly
contrasts the potential answers of the first set with its own solution
space.

Whether or not someone remembers cretaceous technologies they have worked
with does not provide a useful predictive measure of their ability to adapt
to change or assimilate new technologies and their nuances.

I'm not sure where the equation between familiarity with the specifics of
predecessor technologies and the practice of perpetuating their continued
usage came from, but certainly not from a sample size relevant enough to
settle this issue.

I'm going to skip a bit, because my potential point of insight has not been
posted by anyone else as best my time-warner internet access point can
reveal.

Taking us to the matter of appreciation: I'm not sure this admonishment is
best directed at someone who provides materials whereby individuals may
study and aspire to be the best, since

A) his materials are profoundly superior to many other competitive products
B) he offers advice from a career marked by a profound lack of stagnation
and a level of maintaining familiarity with emerging standards so extreme
that he wound up participating in the development process itself for various
extant standards.

Since your observations don't match the public record, and since the past
100 years of USA public schooling and the profession of psychology have
profoundly failed humanity, I'll not directly address the last comment
except to note that the noun is undescriptive at best.

To address the previous replies:

Peter had excellent insight & wording, but just in case his analysis is not
100% correct (as in, what if he did NOT lose a job to such an individual),
I offer mine in order to force the available quibble space to converge to 0.

Thomas Larus elegantly outlines the issues which concern me.

Ms. McLeod adroitly points out the balance between no testing & too much of
the same.

Adam Lee re-emphasizes the ongoing need for support of the technologies
dismissed out-of-hand by the original poster.

Priscilla provides factual clarification & some fundamental insight.

nrf posts a call for balance as a strategy for intellectual success in this
industry that binds us. His subsequent posts come the closest to a better
way.

in all cases, the matter boils down to this: your cognitive dualism won't
stand.

to abruptly divide the world between experienced, stubborn, older folk
unfamiliar with the past 7 years of digital computing research, and newly
matriculated folk who lack any exposure to large scale implementations of
the technologies they would purport to support, is to reduce yourself to
the level of performance that many HR times are unjustly relegated to
(DISCLAIMER: I'm aware of the cases where this is justified . . .).

As the SLJ character in pulp fiction might start it out, THE TRUTH IS, the
one common characteristic people afraid of new things, incapable of testing,
and unfriendly to new ideas have is precisely the following:

the characteristics I just described.

Sure, there exist seasoned veterans who never learned to troubleshoot and
can't handle changing LAN topologies any better than they manage their
waning vitality.

However, there also exist individuals straight out of accredited programs
who know all kinds of nuances regarding C programming & assembler theory.
They coast through college complete and fulfilled based upon the realization
that this background COMPLETELY prepares them for desktop, server AND
network/intermediate systems support. these individuals are typically

Re: BGP load balancing [7:44697]

2002-05-22 Thread [EMAIL PROTECTED]

Need some advice from BGP experts: Does BGP do load balancing by default?
Say there are 4 parallel paths between the source and destination, will
the traffic be distributed among the 4 paths? If it does not support load
balancing by default, how to turn it on? How many parallel paths can it
handle maximum?

Thanks in advance!

Maurice




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44697t=44697



Re: Port number on Catalyst 3500XL [7:44533]

2002-05-22 Thread Jose Celestino

Ok, but I see a mac-address jumping to port 10 (and 11) and spanning-tree
ports start at 13.

Words by Larry Letterman [Mon, May 20, 2002 at 12:52:38PM -0400]:
 That looks like it is using the spanning tree port numbers, not the
 physical switch port numbers.
 
 
 Larry Letterman
 Cisco Systems
 [EMAIL PROTECTED] 
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Jose Celestino
 Sent: Monday, May 20, 2002 9:18 AM
 To: [EMAIL PROTECTED]
 Subject: Port number on Catalyst 3500XL [7:44533]
 
 
 The following error message got me to think what is port 51 on a 48
 port catalyst:
 
 May 20 16:38:46 aaa.bbb.ccc.ddd 368176: 1y9w: 00d0.b709.1f02 has moved from port 51 to port 14 in vlan 1
 May 20 16:38:49 aaa.bbb.ccc.ddd 368177: 1y9w: Addaddress 00d0.b709.1f02, on port 51 vlan 1
 May 20 16:38:49 aaa.bbb.ccc.ddd 368178: 1y9w: 00d0.b709.1f02 has moved from port 14 to port 51 in vlan 1
 May 20 16:38:49 aaa.bbb.ccc.ddd 368179: 1y9w: Addaddress 00d0.b709.1f02, on port 14 vlan 1
 May 20 16:38:49 aaa.bbb.ccc.ddd 368180: 1y9w: 00d0.b709.1f02 has moved from port 51 to port 14 in vlan 1
 May 20 16:38:54 aaa.bbb.ccc.ddd 368181: 1y9w: Addaddress 0050.8be1.54f3, on port 51 vlan 1
 
 What rules does this numeration follow, where can I find docs about it?
 
 TIA.
 
 --
 Jose Celestino  SAPO.pt::Systems http://www.sapo.pt
 -
 Quod licet Iovi non licet bovi.
 (What Jove may do, is not permitted to a cow.)
-- 
Jose Celestino  SAPO.pt::Systems http://www.sapo.pt
-
Quod licet Iovi non licet bovi.
(What Jove may do, is not permitted to a cow.)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44698t=44533



RE: DHCP NACK problems [7:44671]

2002-05-22 Thread Brian Hill

Is it always NACKing for the same IP lease? Normally, the DHCP process works
like this: The client sends a DHCPDISCOVER to find a DHCP server, the server
responds with a DHCPOFFER, offering the client an IP, the client responds
with a DHCPREQUEST to choose the IP address (in case it gets an offer for
more than 1), and the server responds with a DHCPACK, sealing the deal.
However, MS DHCP servers have a feature that allows them to detect IP
address conflicts before responding with an ACK. What I would check is a few
things:

First, if this is happening due to a conflict detection, you should see
under active leases in DHCP a BAD ADDRESS listed by the IP. If you see
that, ping the IP in question. If you get a response, track down the PC, and
do an ipconfig to find its DHCP server. Then track down that server and
kill it :)

Hope this helps,

Brian Hill
CCNP, CCDP, MCSE 2000 (Charter Member),MCSE+I (NT4.0), 
MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
Lead Technology Architect, TechTrain
Author: Cisco, The Complete Reference
http://www.alfageek.com
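
The exchange described in this reply (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK or NAK) and the hunt for a second DHCP server, as an added example that is not part of the original post: it decodes captured DHCP payloads and flags answers from servers outside an allow-list, plus NAKs from a server the client did not select. It goes beyond the manual ping-and-ipconfig procedure by working passively from a capture; all addresses, the MAC and the sample messages are constructed.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields needed to tell which server sent which answer."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    if len(opts.get(53, b"")) != 1:
        raise ValueError("missing DHCP message type (option 53)")
    server = opts.get(54)                              # option 54 = server identifier
    return {
        "xid": struct.unpack_from(">I", payload, 4)[0],
        "mac": payload[28:34].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "type": TYPES.get(opts[53][0], "OTHER"),
        "server": str(ipaddress.IPv4Address(server)) if server and len(server) == 4 else None,
    }


def audit(payloads, authorised):
    """Flag answers from unknown servers and NAKs from a server the client did not pick."""
    findings, chosen = [], {}
    for raw in payloads:
        m = parse_dhcp(raw)
        if m["type"] == "REQUEST" and m["server"]:
            chosen[m["xid"]] = m["server"]             # server named in the DHCPREQUEST
        elif m["type"] in ("OFFER", "ACK", "NAK"):
            if m["server"] not in authorised:
                findings.append((m["type"], m["server"], m["mac"], "unauthorised server"))
            elif m["type"] == "NAK" and chosen.get(m["xid"], m["server"]) != m["server"]:
                findings.append((m["type"], m["server"], m["mac"],
                                 "NAK from non-selected server"))
    return findings


def make_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", server=None):
    """Build a constructed sample message (test data only)."""
    hdr = struct.pack(">BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0, b"",
                      ipaddress.IPv4Address(yiaddr).packed, b"", b"",
                      bytes.fromhex(mac.replace(":", "")), b"", b"")
    opts = bytes([53, 1, msg_type])
    if server:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server).packed
    return hdr + MAGIC + opts + b"\xff"


# Constructed capture: one client, two known servers, one unknown server.
MAC = "00:11:22:33:44:55"
SAMPLE = [
    make_dhcp(1, 0x1234, MAC, 1),                                # DISCOVER
    make_dhcp(2, 0x1234, MAC, 2, "10.0.0.50", "10.0.0.5"),       # OFFER, known server
    make_dhcp(2, 0x1234, MAC, 2, "192.168.1.20", "10.0.0.99"),   # OFFER, unknown server
    make_dhcp(1, 0x1234, MAC, 3, server="10.0.0.5"),             # REQUEST selects 10.0.0.5
    make_dhcp(2, 0x1234, MAC, 6, server="10.0.0.6"),             # NAK from the other server
    make_dhcp(2, 0x1234, MAC, 5, "10.0.0.50", "10.0.0.5"),       # ACK
]
AUTHORISED = {"10.0.0.5", "10.0.0.6"}

if __name__ == "__main__":
    for finding in audit(SAMPLE, AUTHORISED):
        print(finding)
```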


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44699t=44671



RE: Dumb Access-List question [7:44588]

2002-05-22 Thread Brian Hill

There are two differences. The first is that in the first example you are
using a standard ACL, and in the second you are using an extended ACL. The
second is that in the first example, you are using a numbered ACL, while in
the second, you are using a named ACL. The primary differences in the two
are that a numbered ACL has a finite number of ACLs you can create, while a
named ACL (supposedly) has no such limit. The second is that you can remove
individual lines from a named ACL.

Hope this helps,

Brian Hill
CCNP, CCDP, MCSE 2000 (Charter Member),MCSE+I (NT4.0), 
MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
Lead Technology Architect, TechTrain
Author: Cisco, The Complete Reference
http://www.alfageek.com


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44700t=44588



Re: BGP load balancing [7:44697]

2002-05-22 Thread cebuano

Maurice,
BGP defaults to using only the BEST path, hence ONE.
Check CCO for path determination in BGP.
The other protocols default to maximum of four, but can
be extended to 6 with maximum-paths.
To turn on load-balancing in BGP, a few steps are needed:
1. enable eBGP multihop
2. use update-source loopback
3. enter the static routes to be used for load-balancing

If there's something I'm forgetting, please correct my post.
HTH,
Elmer

- Original Message -
From: 
To: 
Sent: Wednesday, May 22, 2002 6:03 AM
Subject: Re: BGP load balancing [7:44697]


 Need some advice from BGP experts: Does BGP do load balancing by default?
 Say there are 4 parallel paths between the source and destination, will
 the traffic be distributed among the 4 paths? If it does not support load
 balancing by default, how to turn it on? How many parallel paths can it
 handle maximum?

 Thanks in advance!

 Maurice




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44701t=44697



set password problem [7:44702]

2002-05-22 Thread Stuart Laubstein

I have just bought a new WS-X5013  for my cat 5000  and I have been trying
the password recovery--it will not let me change the set password...the set
enablepass works though. As the set password seems to have the console
locked apart from the first 30 seconds after every reset I would like to
remove it or change it--any ideas?

thanks

stuart




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44702t=44702



ppp multilink over adsl????? [7:44704]

2002-05-22 Thread George Siaw

Guys,

Would anybody know if ppp multilink is possible over an adsl link and
does it work similar to isdn?

Regards,
George.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44704t=44704



RE: set password problem [7:44702]

2002-05-22 Thread Richard Botham

Stuart,
You can press enter during the 1st 30 seconds ( No later) which will get you
into the CAT and then you can reset the password(s)
HTH
Richard


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44705t=44702



RE: Logic and Lab Rats [7:44653]

2002-05-22 Thread Mark Odette II

Unfortunately, the gals in the U.S. are less apt to shrug it off their
shoulders if a co-worker is checking out Female Porn... They're, shall
we say, a bit sensitive to the subject... and usually immediately
complain of Sexual Harassment... even if it's not involving them in
any way.

In other cultures, or at least in other countries, it's more acceptable
for female porn to be prevalent... I suspect this is due to two factors
though... 1. a higher male-dominating society, and/or 2. more liberal
attitudes after all, it's illegal to run a brothel in the U.S., but
correct me if I'm wrong... I believe this is not the case in Australia
or New Zealand.

Of course, if a female was caught surfing Male Porn in the U.S., she'd
probably be hit on by half a dozen guys within the hour... that is, the
guys that aren't with their head stuck in a Server or Network Appliance
trying to solve a problem. :)

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, May 22, 2002 12:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Logic and Lab Rats [7:44653]

On the other hand, who's more likely to show up to work late?  Or show up
drunk or high?  Or get into a fight with his coworkers?  Or surf porn in
front of female coworkers?   The guy who's been in the working world for 25
years or a new kid?

Umm, off-topic, but enlighten me, please.  Why is it worse to surf porn
in 
front of female coworkers than it is to surf porn in front of male 
coworkers?

What if it was a woman surfing porn in front of coworkers?  Do your 
opinions change?  ;-)

JMcL






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44690t=44653



Re: Logic and "Lab Rats" [7:44653]

2002-05-22 Thread cebuano

Gang,
To put a closure to the thread, allow me to repeat the saying...
When a man with money meets a man with experience,
the man with experience ends up with the money, and
the man with money ends up with experience.
(Gals, no flame please.)

So please give these newbies a break. After all, didn't
ALL subscribers start from square one at some point in time?
Does it mean your employer let you handle the backbone
links from day 1? or 2? or 3?...In my case though, I got
fed to the wolves right from the get go. And with just my
CCNA, yes I had to learn everything there was I could
find on OSPF. Three weeks to research on and test BGP
and report to the boss about this protocol before we went live.
But I never claimed to be an expert. I did the best that I could.
And guess what? All those theories I gathered from the books
came back to me when time came to work out problems.
Again, I'm not saying I knew everything there was to know
about network troubleshooting.
I've been in the same situation as many, many aspiring
individuals who just want to enter into the profession that
ALL of us applied for in the past. Has experience given
people too much money that they can't remember where
they came from?

Thanks for all respondents.

Elmer

- Original Message -
From: nrf 
To: 
Sent: Tuesday, May 21, 2002 11:24 PM
Subject: Re: Logic and Lab Rats [7:44653]


 Amen to that.  Humility is called for on both sides.

 Apparently I've been tagged around here as the 'King Experience' guy. The
 very ironic thing is that on another message board, I was the person who was
 arguing that experience was NOT as important as other posters had indicated
 (this was an experience vs. college degree argument).  Basically it boiled
 down to the fact that while experience is indeed extremely valuable,
 particularly nowadays, even experience can sometimes be taken too far. For
 example, one guy said that experience always wins no matter what (which is
 patently false), so I gave him the example of 2 guys, whereas both guys had
 good experience, but the first guy had stellar degrees from the most famous
 schools, all kinds of certs, a killer personality, and everything else,
 whereas the second guy had none of that (besides the experience ), but he
 had a day's more experience.  Hey, if experience really beat everything all
 the time, then companies should always pick the second guy, because after
 all, he had more experience (one additional day).   Clearly this is false.

 My point is simply this.  Experience, education, certs, work attitude, etc.
 etc., they all form your suite of qualifications.  None of them should be
 pursued at the exclusion of all others.  In fact, the best strategy seems to
 be to work on your weaknesses.  For example, if you have lots of certs and
 education, but no experience, then get experience.  Conversely, if you have
 lots of experience, but no certs and no education, then go get certs and
 education.


 Thomas Larus wrote in message
 news:[EMAIL PROTECTED]...
  I thought the experience versus certification debate had finally died a
  few days ago, but now it resurfaces over on the professional list.  I may as
  well weigh in.
 
  The problem here is clear.  Some folks with lots of experience are scared
  (or merely offended) that some manager or client might think some relative
  newbie with great-sounding certs is as good or better (or even nearly as
  good) as the more experienced folks.  Many of these experienced people
  gained their experience in difficult or underpaid conditions.  The last
  thing they want is some ambitious upstart invaders studying hard in the lab,
  then walking into their field and being treated as their peers. The
  experience is everything crowd should relax right now, because in this
  economy,  they are in the driver's seat.
 
  On the other hand, the lab rats, myself included, are justifiably scared.
  We knew that if by studying hard we managed to reach a higher position than
  our experience alone would justify, we might face some hostility from those
  with lots of experience.  Now, however, we are given to understand that for
  employers right now, experience is king, since there are plenty of folks
  with lots of experience and good certs to fill all positions that HAVE to be
  filled (as opposed to those positions that employers advertise but are in no
  hurry to fill).
 
  Then, there's the common complaint that, I'm always having to fix the
  networks screwed up by the paper-CCNAs, paper-MCSEs, Lab Rats, etc. I
  have enough experience to know that plenty of the screwing-up of networks is
  done by folks with lots of experience.  It doesn't take long in the field to
  run across an arrogant but extremely experienced guy who thinks he is the
  only person in his company who knows anything, and then proceeds to break
  things that he then cannot fix.
 
  A little humility is called for in a field where almost no one can know
  

Re: VPN ERROR %CRYPTO-6-IKMP_MODE_FAILURE [7:44374]

2002-05-22 Thread Alfredo Pulido

Hello people, I have solved the problem of connecting the fully meshed VPN.

 The solution: You have to add all peers in all crypto maps. Sample:


 BAD CONFIGURATION
  crypto map vpn 10 ipsec-isakmp
   set peer 100.100.100.249
   set transform-set rtpset
   match address 102
  crypto map vpn 20 ipsec-isakmp
   set peer 100.100.100.170
   set transform-set rtpset
   match address 101

 GOOD CONFIGURATION
  crypto map vpn 10 ipsec-isakmp
   set peer 100.100.100.249
   ! added peer
   set peer 100.100.100.170
   set transform-set rtpset
   match address 102
  crypto map vpn 20 ipsec-isakmp
   set peer 100.100.100.170
   ! added peer
   set peer 100.100.100.249
   set transform-set rtpset
   match address 101

 Now the VPN between A-B, A-C and B-C is OK.


With this solution, the next error seems to be solved as well, so that the
 peer address xxx.xxx.xxx.xxx that was not found is now found.


 11:32:20: IPSEC(validate_proposal_request): proposal part #1,
   (key eng. msg.) dest= 100.100.100.249, src= 100.100.100.169,
 dest_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4),
 src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
 protocol= ESP, transform= esp-des esp-md5-hmac ,
 lifedur= 0s and 0kb,
 spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
 11:32:20: IPSEC(validate_transform_proposal): peer address 100.100.100.169 not found
 11:32:20: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.100.100.169


 Thanks for your help.


 --
 --
  Alfredo Pulido   [EMAIL PROTECTED]
  Dept. Sistemas, IdecNet S.A.
  Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria,
  Las Palmas // SPAIN
  Tel: +34 828 111 000   Fax: +34 828 111 112
  http://www.idecnet.com/
 --

Steven A. Ridder wrote in message
news:[EMAIL PROTECTED]...
 Looks like the devices aren't configured with same properties.


 Alfredo Pulido wrote in message
 news:[EMAIL PROTECTED]...
  Hello,
 
  I'm trying to make fully meshed VPN connections between 3 (Ra,Rb,Rc) routers
  827-4V,
 
  The used IOS is: c820-k8osv6y6-mz.122-2.T4.bin - IP/FW/VOICE PLUS IPSEC 56
 
  When I configure the VPN (Ra-Rb), the VPN is established OK. But when I
  configure VPN (Ra-Rb and Ra-Rc), the system reports an error with the peer Rc,
  and the VPN is not established between (Ra-Rc); however, the VPN (Ra-Rb) is
  OK.
 
  I have tried the combinations (Rb-Ra ,Rb-Rc) and (Rc-Ra,Rc-Rb) and
  (Rb-Rc,Rb-Ra) and (Rc-Rb,Rc-Ra), and I received the same ERROR.
 
  The system error is:
 
  %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with
  peer at xxx.xxx.xxx.xxx
 
  In Cisco I have seen only this information:
 
  Error Message
 
  %CRYPTO-6-IKMP_MODE_FAILURE: Processing of [chars] mode failed with peer at
  [IP_address]
  Explanation   Negotiation with the remote peer has failed.
 
  Recommended Action   If this situation persists, contact the remote peer.
 
  I have looked at many documents in Cisco, but I don't know how to solve this
  problem. I searched a document in Cisco for this type VPN
  http://www.cisco.com/warp/public/707/ios_meshed.html
 
 
  Flash Configuration:
  Ra:   IP VPN: 100.100.100.170  IP LAN: 10.0.1.1
  Rb:   IP VPN: 100.100.100.169  IP LAN: 192.168.0.2
  Rc:   IP VPN: 100.100.100.249  IP LAN: 10.0.0.1
 
 
  Debug Information router (Ra)  when I try connect (Rc-Ra) (debug crypto
  isakmp)
 
  02:35:37: ISAKMP (0:0): received packet from 100.100.100.249 (N) NEW SA
  02:35:37: ISAKMP: local port 500, remote port 500
  02:35:37: ISAKMP (0:2): processing SA payload. message ID = 0
  02:35:37: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
  02:35:37: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
  02:35:37: ISAKMP:  encryption DES-CBC
  02:35:37: ISAKMP:  hash MD5
  02:35:37: ISAKMP:  default group 1
  02:35:37: ISAKMP:  auth pre-share
  02:35:37: ISAKMP (0:2): atts are acceptable. Next payload is 0
  02:35:37: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
  02:35:37: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_SA_SETUP
  02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_SA_SETUP
  02:35:38: ISAKMP (0:2): processing KE payload. message ID = 0
  02:35:38: ISAKMP (0:2): processing NONCE payload. message ID = 0
  02:35:38: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
  02:35:38: ISAKMP (0:2): SKEYID state generated
  02:35:38: ISAKMP (0:2): processing vendor id payload
  02:35:38: ISAKMP (0:2): speaking to another IOS box!
  02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_KEY_EXCH
  02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_KEY_EXCH
  02:35:38: ISAKMP (0:2): processing ID payload. message ID = 0
  02:35:38: ISAKMP (0:2): processing HASH payload. message ID = 0
  02:35:38: ISAKMP (0:2): SA has been authenticated with 100.100.100.249
  02:35:38: ISAKMP (2): ID payload
  next-payload 
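
The Phase 1 part of the `debug crypto isakmp` output quoted above can be summarized with a short script. This Python sketch is an added example, not part of the original post: it reports the peer, the Main Mode states reached, the accepted transform, and which of its attributes are generally considered weak today (the `WEAK` table and all function names are this example's own assumptions).

```python
import re

# Lines taken from the debug output quoted in the post, with the e-mail
# line wraps re-joined; lines not needed for the summary are left out.
SAMPLE_DEBUG = """\
02:35:37: ISAKMP (0:0): received packet from 100.100.100.249 (N) NEW SA
02:35:37: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
02:35:37: ISAKMP:  encryption DES-CBC
02:35:37: ISAKMP:  hash MD5
02:35:37: ISAKMP:  default group 1
02:35:37: ISAKMP:  auth pre-share
02:35:37: ISAKMP (0:2): atts are acceptable. Next payload is 0
02:35:37: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_SA_SETUP
02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_SA_SETUP
02:35:38: ISAKMP (0:2): SKEYID state generated
02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_KEY_EXCH
02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_KEY_EXCH
02:35:38: ISAKMP (0:2): SA has been authenticated with 100.100.100.249
"""

PACKET_RE = re.compile(
    r"ISAKMP \(\d+:\d+\): (received packet from|sending packet to) "
    r"(\d+\.\d+\.\d+\.\d+) \(([NIR])\) (.+)$")
TRANSFORM_RE = re.compile(
    r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)")

# Assumption of this example: attribute values treated as weak
# (56-bit DES, MD5, and 768-bit Diffie-Hellman group 1).
WEAK = {"encryption": {"DES-CBC"}, "hash": {"MD5"}, "default group": {"1"}}


def summarize_phase1(debug_text):
    """Return peer, states reached, offered/accepted transforms, auth result."""
    summary = {"peer": None, "states": [], "transforms": [],
               "accepted": None, "authenticated": False}
    current = None  # transform whose attribute lines are being read
    for raw in debug_text.splitlines():
        line = raw.strip()
        match = PACKET_RE.search(line)
        if match:
            summary["peer"] = match.group(2)
            state = match.group(4).strip()
            if state not in summary["states"]:
                summary["states"].append(state)
            continue
        match = TRANSFORM_RE.search(line)
        if match:
            current = {"number": int(match.group(1)),
                       "priority": int(match.group(2)), "attrs": {}}
            summary["transforms"].append(current)
            continue
        match = ATTR_RE.search(line)
        if match and current is not None:
            current["attrs"][match.group(1)] = match.group(2)
            continue
        # "atts are not acceptable" does not contain this substring.
        if "atts are acceptable" in line and current is not None:
            summary["accepted"] = current
            continue
        if AUTH_RE.search(line):
            summary["authenticated"] = True
    return summary


def weak_attributes(transform):
    """List 'name=value' for every weak attribute of a parsed transform."""
    if transform is None:
        return []
    return [f"{name}={value}" for name, value in transform["attrs"].items()
            if value.upper() in WEAK.get(name, ())]


if __name__ == "__main__":
    result = summarize_phase1(SAMPLE_DEBUG)
    print("peer:", result["peer"])
    print("states:", " -> ".join(result["states"]))
    print("authenticated:", result["authenticated"])
    print("weak:", ", ".join(weak_attributes(result["accepted"])) or "none")
```
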

RE: Dumb Access-List question [7:44588]

2002-05-22 Thread [EMAIL PROTECTED]

More importantly -

Autonomous switching is not used when you have extended access lists.

Dom Stocqueler






Brian Hill 
Sent by: [EMAIL PROTECTED]
22/05/2002 12:06
Please respond to Brian Hill

 
To: [EMAIL PROTECTED]
cc: 
Subject:RE: Dumb Access-List question [7:44588]


There are two differences. The first is that in the first example you are
using a standard ACL, and in the second you are using an extended ACL. The
second is that in the first example, you are using a numbered ACL, while in
the second, you are using a named ACL. The primary differences in the two
are that a numbered ACL has a finite number of ACLs you can create, while a
named ACL (supposedly) has no such limit. The second is that you can remove
individual lines from a named ACL.

Hope this helps,

Brian Hill
CCNP, CCDP, MCSE 2000 (Charter Member),MCSE+I (NT4.0), 
MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
Lead Technology Architect, TechTrain
Author: Cisco, The Complete Reference
http://www.alfageek.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44706t=44588
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



AW: set password problem [7:44702]

2002-05-22 Thread Stuart Laubstein

I tried that but it tells me incorrect password--the enablepass seems to
work though

-Original Message-
From: Richard Botham [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: set password problem [7:44702]

Stuart,
You can press enter during the 1st 30 seconds ( No later) which will get you
into the CAT and then you can reset the password(s)
HTH
Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44708t=44702



WS-X5013 another problem [7:44707]

2002-05-22 Thread Stuart Laubstein

I loaded the WS-X5013 (24 10bT RJ45) into my Cat 5k but it shows some errors

booting it shows this

module 2 is not supported  

afterward with a show mod it shows 0 ports and status unknown or it will not
see the module at all.

Bootrom is version 2.2 and version is 4.5

I checked on Cisco and the module appears to be supported by the software.
I have tried clear config and reset but they both require the module to be
online. Any ideas?

thanks

stuart




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44707t=44707



no lmi - dlci inactive - telco says my problem? [7:44709]

2002-05-22 Thread beth shriver

Hello friends, I am having a little problem getting a
new long distance frame relay circuit going and
getting the ol' "it's your equipment" answer from telco
and not sure if this is the case or not. I have
checked cables and tsu/router config and all seems ok.
When the telco loops my csu/tsu it causes my
interface to bounce but interface then stays in
interface UP protocol DOWN state. Telco is saying they
see no LMI from my equipment. In the past when I have seen
no LMI it always turned out to be something on the
telco side. I don't do frame relays much so I am kind
of at the mercy of tech who is turning this circuit up
so can someone give me some pointers on what I can
look for to make sure it is not in my equipment? Or
how I can tell if it is a telco issue with circuit?
Any replies would be greatly appreciated! Fast replies
appreciated even more!!! :)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44709t=44709



RE: no lmi - dlci inactive - telco says my problem? [7:44709]

2002-05-22 Thread Jason Owens

This link should help.







http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/tr1918.htm

beth shriver wrote:
 
 Hello friends, I am having a little problem getting a
 new long distance frame relay circuit going and
 getting the ol' "it's your equipment" answer from telco
 and not sure if this is the case or not. I have
 checked cables and tsu/router config and all seems ok.
 When the telco loops my csu/tsu it causes my
 interface to bounce but interface then stays in
 interface UP protocol DOWN state. Telco is saying they
 see no LMI from my equipment. In the past when I have seen
 no LMI it always turned out to be something on the
 telco side. I don't do frame relays much so I am kind
 of at the mercy of tech who is turning this circuit up
 so can someone give me some pointers on what I can
 look for to make sure it is not in my equipment? Or
 how I can tell if it is a telco issue with circuit?
 Any replies would be greatly appreciated! Fast replies
 appreciated even more!!! :)
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44710t=44709



Re: Operation Firmware is invalid? Please help...Urgent [7:44711]

2002-05-22 Thread John Dorffler

Your problem is spooky, I just had the exact same problem with a 1924 the
other day. Same symptoms, same inability to use XMODEM to upgrade the flash.
I discovered that not all null modem cables are made the same, strangely
enough. Do a search on CCO and you will find a variety of pinouts. I finally
found a null modem cable with the same pinout that is specified in the 1900
documentation for release 5.x:

http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v5x/icg5x/csspec.htm

When I use the correct(!) null modem cable it works fine.

Sincerely,
John Dorffler
CCIE #6677

Justin M. Clark  wrote in message
news:[EMAIL PROTECTED]...
 Cisco ws-c1900 switch.  Using db9F-rollover-db9F or null modem cable I can
 connect to the console port and get into Diag Console fine, but when I try
 to just plug in and configure the switch it just starts spitting out
 ATQ0H0 in hyperterminal PE.  I hunted around and a couple places that I
 found said try updating the firmware.  So I hit cisco's site and downloaded
 cat1900A.9.00.04.bin which was the only 1900 firmware I could find.  The
 previous version was 5.34.  So anyway, I did the XModem firmware upgrade, as
 soon as it asks me to send the file it kicks back an error that says
 Transfer cancelled by remote system (conveniently after it has erased
 existing firmware) and then prints out:
 Operation firmware version:  0.00Status: Invalid
 Boot firmware version:  1.10
 WARNING!!! Operation Firmware is invalid.
 Upgrade firmware to enable switch operation.

 I'm stuck at this point, does anyone know what to do or how to get a copy of
 the firmware that works on this switch?  and then at that point what kind of
 cables, etc do I need to configure the darn thing.

 If anyone can get back to me in a hurry or has a version of the firmware
 that DOES work on this model it would be greatly appreciated as this switch
 is dead in the water, along with the LAN that is supposed to be connected to
 it.

 Thanks,
 Justin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44711t=44711



RE: Errata for Coriolis books? [7:44638]

2002-05-22 Thread Robert Kulagowski

Well, it's good to hear that there will be more choices to study from once I
get to that point.

From looking at review comments on Amazon, it appears that of the Exam
Cram series, only the switching book by Deal was any good.  I sent him an
email message (found an old posting of his on Amazon where he gave his
philosophy and background on testing) to find out if he knows of any errata
for his book, now that Coriolis is gone.

I'm more than half-way through Exam Prep Switching, and I'm not sure that
I'm going to bother finishing it.  While the grammar and spelling are fine,
it's the technical stuff that keeps coming up and catching my attention. 
Examples where the text doesn't match the router/switch configs they're
working through, test questions that don't make sense or have the wrong
answer, questions where the correct answer is e, even though there are
only 4 choices, questions where the correct answer is a,c,d, but no
instruction or grammar hint to pick more than one answer, etc.

I guess I'll try to sell the books on half.com while I still can.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44713t=44638



Vpn connection [7:44712]

2002-05-22 Thread Johnson, Richard (NY Int)

Hi all,

I have a 3002 trying to connect to my 3015. I set up the group name and the
user name and it is setup on the 3002. From the 3015 I can't ping the 3002
internet address. But I can ping other internet addresses. On the 3002 I
can't ping the 3015's port but can ping other addresses. If I go on the net
from my firewall I can ping both interfaces. Anyone have any ideas? The
default port of 1 is being used for connectivity. 

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44712t=44712



Re: Logic and Lab Rats [7:44714]

2002-05-22 Thread Howard C. Berkowitz

I'm not saying to close the thread or not, although I think the 
moderators (I am one) are starting to block messages that come across 
as personal attacks.

What I see is the fundamental misperception in this thread is an 
assumption there is a binary choice between experience and new 
training. I freely admit there are experienced people that have had 1 
year of experience 20 times.  But other experienced people have BOTH 
the experience and the in-depth protocol knowledge, which puts them 
in a position to learn even faster -- if they want to.

Earlier in the thread, someone said would you put something in 
production without lab testing?  As with everything else in 
networking, it depends.  A large ISP, for example, will test a new 
IOS release in a lab, but they can't possibly have a lab that will 
let them see the effects of the change on tens of thousands of 
routers.  This is true of router manufacturers as well.

For very large networks, it may be possible to use true (i.e., Monte 
Carlo) simulation or mathematical analysis. But experience does have 
a major role in Internet backbone engineering.  Let me simply say 
that backbone engineering is at a level far more specialized and 
complex than the CCIE level, and there haven't been formalized ways 
to learn it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44714t=44714



Re: no lmi - dlci inactive - telco says my problem? [7:44709]

2002-05-22 Thread MADMAN

send a sh conf and sh int from the serial interface.  a sh frame pvc
too.

  Dave

beth shriver wrote:
 
 Hello friends, I am having a little problem getting a
 new long distance frame relay circuit going and
 getting the ol' "it's your equipment" answer from telco
 and not sure if this is the case or not. I have
 checked cables and tsu/router config and all seems ok.
 When the telco loops my csu/tsu it causes my
 interface to bounce but interface then stays in
 interface UP protocol DOWN state. Telco is saying they
 see no LMI from my equipment. In the past when I have seen
 no LMI it always turned out to be something on the
 telco side. I don't do frame relays much so I am kind
 of at the mercy of tech who is turning this circuit up
 so can someone give me some pointers on what I can
 look for to make sure it is not in my equipment? Or
 how I can tell if it is a telco issue with circuit?
 Any replies would be greatly appreciated! Fast replies
 appreciated even more!!! :)
 
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44715t=44709



RE: set password problem [7:44702]

2002-05-22 Thread Mark Odette II

Since this is a Sup. Blade that you just acquired, what about just
wiping the config completely??

Either a write erase or a clear config all after you've gotten on
the thing in enable mode might be your best bet.  When you reload the
switch afterwards, it should come up with factory default
settings/config... which means your passwords will be blank.

Just a thought...

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Stuart Laubstein
Sent: Wednesday, May 22, 2002 7:39 AM
To: [EMAIL PROTECTED]
Subject: AW: set password problem [7:44702]

I tried that but it tells me incorrect password--the enablepass seems to
work though

-Original Message-
From: Richard Botham [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 2:17 PM
To: [EMAIL PROTECTED]
Subject: RE: set password problem [7:44702]

Stuart,
You can press enter during the 1st 30 seconds ( No later) which will get you
into the CAT and then you can reset the password(s)
HTH
Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44716t=44702



RE: DHCP NACK problems [7:44671]

2002-05-22 Thread Mark Odette II

Also, to add to this... if you have a WINS server with a corrupt
database, that could be adding to the confusion for Duplicate IPs.  I've
had this happen to me before, and didn't realize it until I decided to
just look at the WINS server to see what it thought was true of the LAN
topology.  It's just something to keep in mind.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Brian Hill
Sent: Wednesday, May 22, 2002 6:01 AM
To: [EMAIL PROTECTED]
Subject: RE: DHCP NACK problems [7:44671]

Is it always NACKing for the same IP lease? Normally, the DHCP process works
like this: The client sends a DHCPDISCOVER to find a DHCP server, the server
responds with a DHCPOFFER, offering the client an IP, the client responds
with a DHCPREQUEST to choose the IP address (in case it gets an offer for
more than 1), and the server responds with a DHCPACK, sealing the deal.
However, MS DHCP servers have a feature that allows them to detect IP
address conflicts before responding with an ACK. What I would check is a few
things:

First, if this is happening due to a conflict detection, you should see
under active leases in DHCP a BAD ADDRESS listed by the IP. If you see
that, ping the IP in question. If you get a response, track down the PC, and
do an ipconfig to find its DHCP server. Then track down that server and
kill it :)

Hope this helps,

Brian Hill
CCNP, CCDP, MCSE 2000 (Charter Member),MCSE+I (NT4.0), 
MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
Lead Technology Architect, TechTrain
Author: Cisco, The Complete Reference
http://www.alfageek.com
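
The DISCOVER/OFFER/REQUEST/ACK exchange and the "find its DHCP server" check described in the quoted message can be applied to captured DHCP payloads. This Python sketch is an added example, not code from the thread: it parses option 53 (message type) and option 54 (server identifier), then reports every server that answered, any server outside a known list, and any NAK. The addresses, the transaction ID, the known-server set and the function names are assumptions constructed for the example.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of DHCP options
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK"}
CLIENT_MAC = bytes.fromhex("020000000001")    # constructed client address


def build_message(op, xid, yiaddr, msg_type, server_id=None):
    """Build a minimal BOOTP/DHCP payload; used only to create sample data."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"", socket.inet_aton(yiaddr), b"", b"",
                         CLIENT_MAC, b"", b"")   # 236-byte fixed header
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_message(payload):
    """Extract xid, offered address, message type and server identifier."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"xid": struct.unpack("!I", payload[4:8])[0],
           "yiaddr": socket.inet_ntoa(payload[16:20]),
           "type": None, "server_id": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                        # end option
            break
        if code == 0:                          # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 53 and length == 1:
            msg["type"] = MSG_TYPES.get(value[0], f"unknown({value[0]})")
        elif code == 54 and length == 4:
            msg["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return msg


def audit_exchange(payloads, known_servers):
    """Report answering servers, servers not in known_servers, and NAKs."""
    seen, naks = set(), []
    for payload in payloads:
        msg = parse_message(payload)
        if msg["type"] in ("DHCPOFFER", "DHCPACK", "DHCPNAK") and msg["server_id"]:
            seen.add(msg["server_id"])
        if msg["type"] == "DHCPNAK":
            naks.append((msg["server_id"], msg["xid"]))
    return {"servers": sorted(seen),
            "unknown_servers": sorted(seen - set(known_servers)),
            "naks": naks}


# Constructed exchange: two servers answer one DISCOVER, then the request
# to the known server is refused with a NAK.
XID = 0x3903F326
SAMPLE_EXCHANGE = [
    build_message(1, XID, "0.0.0.0", 1),                       # DISCOVER
    build_message(2, XID, "192.168.1.50", 2, "192.168.1.10"),  # OFFER
    build_message(2, XID, "192.168.1.77", 2, "192.168.1.200"), # second OFFER
    build_message(1, XID, "0.0.0.0", 3, "192.168.1.10"),       # REQUEST
    build_message(2, XID, "0.0.0.0", 6, "192.168.1.10"),       # NAK
]

if __name__ == "__main__":
    print(audit_exchange(SAMPLE_EXCHANGE, {"192.168.1.10"}))
```
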




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44717t=44671



RE: anybody ever try to make a token ring crossover cable ? [7:44718]

2002-05-22 Thread Daniel Cotts

Maybe - but not successfully.
You need a MAU between routers.

 -Original Message-
 From: nettable_walker [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, May 21, 2002 9:06 PM
 To: [EMAIL PROTECTED]
 Subject: anybody ever try to make a token ring crossover cable ?
 [7:44682]
 
 
 5/21/20029:00pm   Tuesday




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44718t=44718



Re: Operation Firmware is invalid? Please help...Urgent [7:44719]

2002-05-22 Thread John Dorffler

Two other things. This is only a problem (as far as I know) on the older
1900s with the DB-9 console port. The other issue, and I have sorta
confirmed it, is that you can't load anything older than about 5.37 on the
older 1900s. I was able to do that with my old 1924, but it gags when I try
to upload 9.0. If anybody has any additional info on the limitations of the
older 1900s, please post because I can't find anything more on CCO.

Sincerely,
John Dorffler
CCIE #6677

Justin M. Clark  wrote in message
news:[EMAIL PROTECTED]...
 Cisco ws-c1900 switch.  Using db9F-rollover-db9F or null modem cable I can
 connect to the console port and get into Diag Console fine, but when I try
 to just plug in and configure the switch it just starts spitting out
 ATQ0H0 in hyperterminal PE.  I hunted around and a couple places that I
 found said try updating the firmware.  So I hit cisco's site and downloaded
 cat1900A.9.00.04.bin which was the only 1900 firmware I could find.  The
 previous version was 5.34.  So anyway, I did the XModem firmware upgrade, as
 soon as it asks me to send the file it kicks back an error that says
 Transfer cancelled by remote system (conveniently after it has erased
 existing firmware) and then prints out:
 Operation firmware version:  0.00Status: Invalid
 Boot firmware version:  1.10
 WARNING!!! Operation Firmware is invalid.
 Upgrade firmware to enable switch operation.

 I'm stuck at this point, does anyone know what to do or how to get a copy of
 the firmware that works on this switch?  and then at that point what kind of
 cables, etc do I need to configure the darn thing.

 If anyone can get back to me in a hurry or has a version of the firmware
 that DOES work on this model it would be greatly appreciated as this switch
 is dead in the water, along with the LAN that is supposed to be connected to
 it.

 Thanks,
 Justin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44719t=44719



RE: Errata for Coriolis books? [7:44638]

2002-05-22 Thread Robert Kulagowski

Well, Richard Deal just sent me an email.  Coriolis was maintaining all the
errata.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44720t=44638



PIX 501 rack mount [7:44722]

2002-05-22 Thread Sandra Carr

Does anybody know a way to rack mount a PIX 501?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44722t=44722



Why do my switches keep pinging their default gateways!? [7:44723]

2002-05-22 Thread Wilson, Christian

I have 4 2948g's in 4 different wiring closets all wired to a core 6509
through gig uplinks.  The interfaces on the switches are all assigned to
VLAN 2, my management VLAN.  The only way to access VLAN 2 is through a
checkpoint firewall running NG.  All switches have the firewall interface
address as their default gateway.  I am able to telnet to all switches and
manage them remotely just fine.  I am able to ping all other subnets in my
network from the switches, routing seems fine.

My firewall logs show that all five switches are constantly pinging the
firewall interface, icmp-type 8 icmp-code 0.  No one is connected to my
switches issuing a ping.  These are echos, not echo-replies.  When I run a
sniffer on the VLAN, I show nothing going to the switches in the way of IP
traffic, just the echos coming from the switches.  Each 2948g has about 15
2924-xl-en's attached to it through trunking.  None of the 2924's are trying
to ping the firewall, although they all have the same VLAN assignment on
their mgmt interfaces, the same default gateway, and are in the same subnet.
There is no CGMP enabled, no DNS, no IP redirects.  The icmp packets have a
TTL of 1, the sniffer reporting a TTL expired message.  The icmp traffic is
constant, one every second.  How can I stop this?  Why is it happening?  Why
don't my 2924's ping but my 2948g's and 6509 do?  Please help!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44723t=44723



RE: ppp multilink over adsl????? [7:44704]

2002-05-22 Thread Michael Williams

I'm going to hazard a guess here and see what others think of my theory.

For PPP Multilink to work you need it enabled at both ends. With
point-to-point T1s or ISDN this isn't a problem because you (usually)
control both ends. But with ADSL, you only control one end (unless this
is the weird point-to-point DSL that's being offered that I've just never
heard of).  So I don't think this would be possible, because your DSL
provider would treat each connection separately (attempt to give an IP,
etc.).

Anyone's thoughts?

Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44724t=44704



Centillion to Catalyst 5K [7:44727]

2002-05-22 Thread Sandra Carr

I looked in the archives and it appears that some have successfully
connected a Centillion 100 and a Catalyst 5000.  What I am looking for is
specifics and caveats for using these two in my CCIE rack.  What versions of
software/firmware will work together?
Appreciate any help.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44727t=44727



RE: Errata for Coriolis books? [7:44638]

2002-05-22 Thread s vermill

My calendar is marked.

Priscilla Oppenheimer wrote:
 
 I have a new book coming out soon for the Support Test. And I plan to
 manage my own errata sheet (which hopefully will be very small ;-) rather
 than let the publisher do it. There's more info here:
 
 http://www.troubleshootingnetworks.com/
 
 Priscilla



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44726t=44638



test [7:44728]

2002-05-22 Thread sam sneed

test




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44728t=44728



Re: Why do my switches keep pinging their default gateways!? [7:44729]

2002-05-22 Thread [EMAIL PROTECTED]

Hi,

Even I have observed this on the pix firewall which acts as a default
gateway to all our switches...the switches used are catalyst 4000 series.

any explanation why it does so ?

Kind Regards /Thangavel

186K
Reading,Brkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
The greatest glory in living lies not in never falling,
 but in rising every time we fall .
 -- Nelson Mandela




   

Wilson, Christian
Sent by: [EMAIL PROTECTED]
22/05/2002 16:53
Please respond to Wilson, Christian

cc:
Fax to:
Subject: Why do my switches keep pinging their default gateways!? [7:44723]
   

   





I have 4 2948g's in 4 different wiring closets all wired to a core 6509
through gig uplinks.  The interfaces on the switches are all assigned to
VLAN 2, my management VLAN.  The only way to access VLAN 2 is through a
checkpoint firewall running NG.  All switches have the firewall interface
address as their default gateway.  I am able to telnet to all switches and
manage them remotely just fine.  I am able to ping all other subnets in my
network from the switches, routing seems fine.

My firewall logs show that all five switches are constantly pinging the
firewall interface, icmp-type 8 icmp-code 0.  No one is connected to my
switches issuing a ping.  These are echos, not echo-replies.  When I run a
sniffer on the VLAN, I show nothing going to the switches in the way of IP
traffic, just the echos coming from the switches.  Each 2948g has about 15
2924-xl-en's attached to it through trunking.  None of the 2924's are trying
to ping the firewall, although they all have the same VLAN assignment on
their mgmt interfaces, the same default gateway, and are in the same subnet.
There is no CGMP enabled, no DNS, no IP redirects.  The icmp packets have a
TTL of 1, the sniffer reporting a TTL expired message.  The icmp traffic is
constant, one every second.  How can I stop this?  Why is it happening?  Why
don't my 2924's ping but my 2948g's and 6509 do?  Please help!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44729t=44729



CCIE written Commands [7:44730]

2002-05-22 Thread Pierre-Alex Guanel

Just curious 

Do I need to review all my routing and switching commands for the CCIE
written? Boson #3 has no emphasis on commands but Boson #1 does.

Thank you,

Pierre-Alex


P.S. I assume this question does not violate the NDA .



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44730t=44730



Looking for people preparing for BCMSN 650-504Exam [7:44731]

2002-05-22 Thread Antonio Malker

Hi, I would like to make contact with people who are preparing for or recently did
the 650-504 Exam, for discussing subjects. [EMAIL PROTECTED]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44731t=44731



Re: PIX 501 rack mount [7:44722]

2002-05-22 Thread Steven A. Ridder

Buy a shelf for the rack.


Sandra Carr  wrote in message
news:[EMAIL PROTECTED]...
 Does anybody know a way to rack mount a PIX 501?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44732t=44722



Re: PIX 501 rack mount [7:44722]

2002-05-22 Thread sam sneed

I don't think there is a problem in the world good old duct tape can't fix.


Sandra Carr  wrote in message
news:[EMAIL PROTECTED]...
 Does anybody know a way to rack mount a PIX 501?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44733t=44722



Re: BGP load balancing [7:44697]

2002-05-22 Thread jeff sicuranza

Yes it does if you are doing EBGP and your router has two or more directly
connected links to your EBGP peer. The default load balancing will work
if static routes or an IGP is used for your subnets linking your neighbors.
You see it is not BGP performing the load balancing but the normal behavior
of load balancing across equal cost paths (if exists) regardless if you are
using static or IGP routes. EBGP multihop also does this; however, you are
still using the behavior of the static and IGP routes for equal cost paths
but do not need to have your neighbors directly connected... Lab it, you will
see... Have fun


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44735t=44697



Re: Bridge and switch [7:44649]

2002-05-22 Thread Kevin Jones

I was under the impression that, while a switch is often termed a multiport
bridge, there is one fundamental difference in the way the two devices
forward frames.  While my source is not always the most credible or reliable
(Course Technology Networks Plus book), it does cause me to stop and think
for a minute.  Anyway, the difference (as described in the book) is as
follows:

If a multiport bridge determines (based on the destination MAC address) that
the destination node is on another subnet, it will broadcast the frame out
all ports except the originating port.  A switch, on the other hand, is
smart enough to only forward the frame out the destination port.  Both
devices handle unknown frames and broadcasts the same way, ie. they will
forward the packets out all ports except the one the frame was received on.

Any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44736t=44649



Re: Logic and Lab Rats [7:44714]

2002-05-22 Thread Cisco Nuts

Could you elaborate on the backbone engineering is at a level far more 
specialized and complex than the CCIE level, and there haven't been 
formalized ways to learn it.

I would love to know more about what you actually mean?

Thank you.

Regards.


From: Howard C. Berkowitz 
Reply-To: Howard C. Berkowitz 
To: [EMAIL PROTECTED]
Subject: Re: Logic and Lab Rats [7:44714]
Date: Wed, 22 May 2002 09:49:09 -0400

I'm not saying to close the thread or not, although I think the
moderators (I am one) are starting to block messages that come across
as personal attacks.

What I see is the fundamental misperception in this thread is an
assumption there is a binary choice between experience and new
training. I freely admit there are experienced people that have had 1
year of experience 20 times.  But other experienced people have BOTH
the experience and the in-depth protocol knowledge, which puts them
in a position to learn even faster -- if they want to.

Earlier in the thread, someone said would you put something in
production without lab testing?  As with everything else in
networking, it depends.  A large ISP, for example, will test a new
IOS release in a lab, but they can't possibly have a lab that will
let them see the effects of the change on tens of thousands of
routers.  This is true of router manufacturers as well.

For very large networks, it may be possible to use true (i.e., Monte
Carlo) simulation or mathematical analysis. But experience does have
a major role in Internet backbone engineering.  Let me simply say
that backbone engineering is at a level far more specialized and
complex than the CCIE level, and there haven't been formalized ways
to learn it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44737t=44714



Re: BGP load balancing [7:44697]

2002-05-22 Thread Cisco Nuts

And add cef per-packet or per-destination


From: cebuano 
Reply-To: cebuano 
To: [EMAIL PROTECTED]
Subject: Re: BGP load balancing [7:44697]
Date: Wed, 22 May 2002 07:17:07 -0400

Maurice,
BGP defaults to using only the BEST path, hence ONE.
Check CCO for path determination in BGP.
The other protocols default to maximum of four, but can
be extended to 6 with maximum-paths.
To turn on load-balancing in BGP, a few steps are needed:
1. enable eBGP multihop
2. use update-source loopback
3. enter the static routes to be used for load-balancing

If there's something i'm forgetting, please correct my post.
HTH,
Elmer

- Original Message -
From:
To:
Sent: Wednesday, May 22, 2002 6:03 AM
Subject: Re: BGP load balancing [7:44697]


  Need some advice from BGP experts: Does BGP do load balancing by default?
  Say there are 4 parallel paths between the source and destination, will
  the traffic be distributed among the 4 paths? If it does not support load
  balancing by default, how to turn it on? How many parallel paths can it
  handle maximum?
 
  Thanks in advance!
 
  Maurice




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44738t=44697



Re: Looking for people preparing for BCMSN 650-504Exam [7:44739]

2002-05-22 Thread rtiwari

Yes, I started yesterday, after passing my BSCN.
We can discuss the subject as we go forward.
Thanks
Ravi
Antonio Malker wrote:

 Hi, I would like to get in contact with people who are preparing for or recently
 took the 650-504 Exam, for discussing subjects. [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44739t=44739



Re: Bridge and switch [7:44649]

2002-05-22 Thread John Neiberger

There are a few things wrong with that description.

First, switches and/or bridges are layer two devices and wouldn't be
aware of different IP subnets in the first place.  A switch or bridge
will forward a frame out all ports except the originating port if it has
not yet learned the correct port for the destination.  It has nothing to
do with subnets whatsoever.

A switch is nothing more than a marketing term for a bridge on
steroids.  From a layer two perspective there is no difference in their
operation.

This entire thread seems analogous to arguing that a square is not a
rectangle.   I can see it now...  Originally all we had were rectangles
but when we offered a slightly different rectangle we decided to call it
a square to differentiate it from the previous rectangles.  However,
it's still a rectangle when you get right down to it.

 Kevin Jones  5/22/02 12:58:37 PM 
I was under the impression that, while a switch is often termed a multiport
bridge, there is one fundamental difference in the way the two devices
forward frames.  While my source is not always the most credible or reliable
(Course Technology Networks Plus book), it does cause me to stop and think
for a minute.  Anyway, the difference (as described in the book) is as
follows:

If a multiport bridge determines (based on the destination MAC address) that
the destination node is on another subnet, it will broadcast the frame out
all ports except the originating port.  A switch, on the other hand, is
smart enough to only forward the frame out the destination port.  Both
devices handle unknown frames and broadcasts the same way, ie. they will
forward the packets out all ports except the one the frame was received on.

Any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44741t=44649



Re: Errata for Coriolis books? [7:44638]

2002-05-22 Thread Tom Lisa

Hope it comes out before the start of our fall semester.  Who's publishing
it?

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy



Priscilla Oppenheimer wrote:

 I have a new book coming out soon for the Support Test. And I plan to
 manage my own errata sheet (which hopefully will be very small ;-) rather
 than let the publisher do it. There's more info here:

 http://www.troubleshootingnetworks.com/

 Priscilla

 At 01:13 PM 5/21/02, Robert Kulagowski wrote:
 I was hoping that wasn't going to be the case (in that they apparently never
 did anything with the feedback).
 
 Does anyone have recommendations for a publisher that 1)  Has good reading
 material for CCNP and 2)  Actually maintains an errata page that
 incorporates feedback?
 
 As far as #2, I've had good results with Sybex, at least on the CCNA
 material.  The support person answered emails quickly, and a few days later
 I would see that the errata page had been updated.  One thing that the
 support person told me was that errata had to be checked with the authors,
 so this might also factor in.
 
 I see from the archive that Priscilla O. is still an active contributor; do
 any other authors of CCXX material frequent this or other lists?
 
 Thanks.
 

 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44740t=44638



Provider backbone engineering (was: Logic and Lab Rats) [7:44743]

2002-05-22 Thread Howard C. Berkowitz

At 7:03 PM + 5/22/02, Cisco Nuts wrote:
Could you elaborate on the backbone engineering is at a level far 
more specialized and complex than the CCIE level, and there haven't 
been formalized ways to learn it.

I would love to know more about what you actually mean?

Thank you.

Regards.


:-) well, my book on the subject, Building Service Provider 
Networks, should be about to ship.

Seriously, let's talk about several areas, beginning with BGP.  Every 
BGP scenario I've seen or heard of in the CCIE context, at best, 
looks at an extremely simple configuration with rules NEVER used in 
the real world.  A few contrasts:

-- in the real world, it's VERY rare to redistribute between a dynamic IGP
and BGP. Sure, there are exceptions, but they are VERY carefully chosen.
A provider backbone CANNOT survive having 100,000-plus routes in its
IGP, nor should it.
-- In provider use, the main purpose of the IGP (or multiple instances of an
IGP) is to maintain connectivity among BGP routers.  You may have a
separate IGP instance for each POP or group of POPs.
-- To connect customers, there is MUCH more use of static and default routes.
You could not possibly run a provider network with the CCIE lab rule of
no statics or defaults.
-- AS paths are longer and more complex than you can create with six or
so routers.
-- There's a HUGE amount of things to be concerned with that aren't strictly
configuration, such as justifying/obtaining/managing address space,
intercarrier relationships involving both economics and cooperative
troubleshooting, DNS management, protecting against distributed denial
of service, etc.
-- BGP communities are far more important than in typical scenarios.
You need to know why and when to set up your own, learn the values of
communities set by other AS and under what circumstances you should act
on them, etc.
-- You may be dealing with literally thousands of routers in your own network,
interconnected with thousands of enterprise networks. You may also have
a complex ATM, SONET, MPLS, or other intelligent sub-IP technology that
must coordinate with the IP.
-- There's a different viewpoint on convergence.  It's generally accepted
among large providers and researchers that the worldwide BGP table
never truly converges -- changes come too fast. We have to work in that
environment.
-- Customers frequently multihome in ways that require coordinating between
their providers, even when those providers are competitors.
-- As opposed to an enterprise network where SOMEBODY is in control, the
provider space involves cooperative anarchy.  One AS fouling up its
configuration can and has had worldwide effects.


These are just a start.  There are other people that can comment on 
some of the differences.  Peter van Oene (yes, I'm volunteering you) 
is one with lots of good experience.  There are others, and this 
actually might be an interesting thread.
-- 
What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not 
directly to me***

Howard C. Berkowitz  [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44743t=44743



Content Switches [7:44742]

2002-05-22 Thread Jason Forrester

All,

I have a quick question regarding content switches.  Should the content
switches be placed inside or outside of a firewall?  I cannot find any
documentation to support which is better.

Thanks,

Jason Forrester
CCIE 8748




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44742t=44742



Re: Logic and Lab Rats [7:44714]

2002-05-22 Thread Mike Mandulak

My interpretation of what he meant by that is you have to understand
everything that encompasses a campus network. You have to first understand
what the data is that the user wants, where it is and how it is that he is
going to get that information.

I.E. There is data on the mainframe that some user needs, it gets pushed to
an Oracle/Sun server every night. The user has a PC that logs into a NT
domain via his PC and accesses the service, and then the user needs to
update the information to  the mainframe. When the user has a problem, where
do you start to look? Oh and by the way it is a Cisco network, so do you
bring in a CCIE to solve the problem? Maybe...


- Original Message -
From: Cisco Nuts 
To: 
Sent: Wednesday, May 22, 2002 3:03 PM
Subject: Re: Logic and Lab Rats [7:44714]


 Could you elaborate on the backbone engineering is at a level far more
 specialized and complex than the CCIE level, and there haven't been
 formalized ways to learn it.

 I would love to know more about what you actually mean?

 Thank you.

 Regards.


 From: Howard C. Berkowitz
 Reply-To: Howard C. Berkowitz
 To: [EMAIL PROTECTED]
 Subject: Re: Logic and Lab Rats [7:44714]
 Date: Wed, 22 May 2002 09:49:09 -0400
 
 I'm not saying to close the thread or not, although I think the
 moderators (I am one) are starting to block messages that come across
 as personal attacks.
 
 What I see is the fundamental misperception in this thread is an
 assumption there is a binary choice between experience and new
 training. I freely admit there are experienced people that have had 1
 year of experience 20 times.  But other experienced people have BOTH
 the experience and the in-depth protocol knowledge, which puts them
 in a position to learn even faster -- if they want to.
 
 Earlier in the thread, someone said would you put something in
 production without lab testing?  As with everything else in
 networking, it depends.  A large ISP, for example, will test a new
 IOS release in a lab, but they can't possibly have a lab that will
 let them see the effects of the change on tens of thousands of
 routers.  This is true of router manufacturers as well.
 
 For very large networks, it may be possible to use true (i.e., Monte
 Carlo) simulation or mathematical analysis. But experience does have
 a major role in Internet backbone engineering.  Let me simply say
 that backbone engineering is at a level far more specialized and
 complex than the CCIE level, and there haven't been formalized ways
 to learn it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44745t=44714



RE: no lmi - dlci inactive - telco says my problem? [7:44709]

2002-05-22 Thread Concetta Yates

Find out what lmi the telco is using and ensure your lmi is configured
properly.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44747t=44709



PIX 515E routing issue [7:44746]

2002-05-22 Thread Jablonski, Michael

Just recently installed a PIX 515E.  I can ping from the PIX to an outside
address (and inside box to ethernet on PIX); but trying to ping through the
PIX comes back as unreachable.  Basic layout as follows:

Netopia DSL Router  --  PIX 515E--  LAN


I'm using the default allow rule, along with the following access list...
everything else is pretty much default for now. (just want to try and get
connectivity)

access-list 100 permit icmp any any echo-reply 
access-list 100 permit icmp any any time-exceeded 
access-list 100 permit icmp any any unreachable 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.6 255.255.255.252
ip address inside 192.168.200.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
timeout xlate 0:05:00
no sysopt route dnat

I've tried running RIP on it; didn't solve the problem.  Seems like the PIX
doesn't understand the default route.  I've cleared the arp table still no
luck
Any help is GREATLY appreciated
thanx

~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St.
9th Flr
Chicago, IL  60601-2468
PH: 312.884.2996 
FAX: 312.278.5550
~~~







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44746t=44746



Re: Content Switches [7:44742]

2002-05-22 Thread sam sneed

If you're not using the CSS to load balance between firewalls I see no reason
to put it outside. The CSS constantly sends keepalives to the servers it
load balances for. I don't see any reason the packets should be inspected by
the firewall. If the firewall gets overloaded and drops packets the CSS will
mark some services as down or dying and will not send requests to that
server even though it could handle the requests.

Jason Forrester  wrote in message
news:[EMAIL PROTECTED]...
 All,

 I have a quick question regarding content switches.  Should the content
 switches be placed inside or outside of a firewall?  I cannot find any
 documentation to support which is better.

 Thanks,

 Jason Forrester
 CCIE 8748




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44748t=44742
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Content Switches [7:44742]

2002-05-22 Thread MADMAN

My understanding is that for firewall loadbalancing they are installed
on the inside and outside otherwise they are most often installed on the
DMZ.

  Dave

Jason Forrester wrote:
 
 All,
 
 I have a quick question regarding content switches.  Should the content
 switches be placed inside or outside of a firewall?  I cannot find any
 documentation to support which is better.
 
 Thanks,
 
 Jason Forrester
 CCIE 8748
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44751t=44742



Content Switches [7:44742]

2002-05-22 Thread Phil Lorenz

Both- they call it sandwich-ing the firewall.

We had call for a design awhile back using the Cisco CSSs (ArrowPoints).
The firewall portion called for us to use the CSSs to advertise the
CheckPoint cluster IP address coming in and going out of the network.

Instead of buying 1 or 2 fire-breathing firewall boxes, the virtual
address/ cluster (along with CheckPoint's ability to share state across
the cluster) allowed us to scale the firewall pool slower and more
affordably.

Internet/ASP--BGP Router--CSS--CheckPoint(s)--CSS--Intranet

With the PIXs and Raptor(Symantec 6.5) boxes, we had to pass a hash
within each packet (again coming in and going out of the network) so
that the CSS receiving the traffic (after it had been processed through
the firewall) could build a state table, allowing it to know which
firewall packets were sent through and which firewall to send them back
through(effectively- keeping track of state across the cluster).  

This is also an alternative to deploying PIXs in a primary and backup
scenario, though it also means you don't get the backup firewall
discount.

                          Raptor/PIX
Internet/ASP--Router--CSS-Raptor/PIX--CSS--Intranet
                          Raptor/PIX

Pretty high level, but this is pretty much how it works.  

Big IP, Nortel's recently purchased Alteon, RadWare, Rainfinity,
StoneBeat, Cisco's CSS, they all will do the job for a price.

All the best !!!
Phil




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jason Forrester
Sent: Wednesday, May 22, 2002 3:41 PM
To: [EMAIL PROTECTED]
Subject: Content Switches [7:44742]

All,

I have a quick question regarding content switches.  Should the content
switches be placed inside or outside of a firewall?  I cannot find any
documentation to support which is better.

Thanks,

Jason Forrester
CCIE 8748




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44752t=44742



Re: Bridge and switch [7:44649]

2002-05-22 Thread Priscilla Oppenheimer

At 02:58 PM 5/22/02, Kevin Jones wrote:
If a multiport bridge determines (based on the destination MAC address) that
the destination node is on another subnet,

Stop right there. It can't figure out that the destination is on a 
different subnet from the MAC address. Subnets are differentiated by 
network-layer information. MAC addresses are at the data-link layer.

If the destination is on a different subnet, the destination MAC will be a 
router's MAC address, although the bridge (switch) wouldn't recognize that 
(unless it had some weird feature that did this, which is unlikely). If the 
bridge (switch) has learned which port reaches that MAC address, then it 
will forward the frame out that port and no other. If it hasn't learned how 
to reach that address yet, then it will flood the frame out all ports.

Bridges and switches behave exactly the same.

Priscilla



  it will broadcast the frame out
all ports except the originating port.  A switch, on the other hand, is
smart enough to only forward the frame out the destination port.  Both
devices handle unknown frames and broadcasts the same way, ie. they will
forward the packets out all ports except the one the frame was received on.

Any thoughts?


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44753t=44649
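
The forwarding rule described in the two replies above (John Neiberger's and Priscilla Oppenheimer's) can be run as a small model. This is an added example, not code from any poster; the class name, port numbers and MAC addresses are constructed for illustration.

```python
# Model of transparent bridge / switch forwarding: learn the source MAC,
# then forward, filter or flood based only on the destination MAC.
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample addresses (IANA documentation range 00-00-5E-00-53-xx).
HOST_A = "00:00:5e:00:53:0a"   # on the segment behind port 1
HOST_B = "00:00:5e:00:53:0b"   # same segment as HOST_A (port 1)
HOST_C = "00:00:5e:00:53:0c"   # behind port 2
ROUTER = "00:00:5e:00:53:01"   # default gateway, behind port 3


def is_group(mac):
    """True for broadcast/multicast: low bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningBridge:
    def __init__(self, ports):
        self.ports = tuple(ports)
        self.table = {}            # learned MAC address -> port

    def _flood(self, in_port):
        return sorted(p for p in self.ports if p != in_port)

    def receive(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % in_port)
        src, dst = src_mac.lower(), dst_mac.lower()
        # Learning: only layer-2 information is used. The bridge has no idea
        # whether the source sits in another IP subnet.
        if not is_group(src):
            self.table[src] = in_port
        # Broadcast and multicast frames are always flooded.
        if is_group(dst):
            return self._flood(in_port)
        out_port = self.table.get(dst)
        if out_port is None:
            # Destination not learned yet: flood out all other ports.
            return self._flood(in_port)
        if out_port == in_port:
            # Destination is on the segment the frame came from: filter it.
            return []
        return [out_port]


if __name__ == "__main__":
    bridge = LearningBridge(ports=(1, 2, 3, 4))
    # HOST_A sends to another subnet, so the destination MAC is the router's.
    print(bridge.receive(1, HOST_A, ROUTER))     # router not learned yet
    print(bridge.receive(3, ROUTER, HOST_A))     # reply teaches the router's port
    print(bridge.receive(1, HOST_A, ROUTER))     # now a single port
    print(bridge.receive(1, HOST_B, HOST_A))     # same segment, filtered
    print(bridge.receive(2, HOST_C, BROADCAST))  # broadcast, flooded
```

A frame bound for another subnet is handled like any other unicast: the bridge only sees the router's MAC address and either knows its port or floods.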



IPSEC question [7:44754]

2002-05-22 Thread Stull, Cory

If I want to setup a VPN connection PIX (on cable modem) at the remote and
IOS firewall / IPSEC 3640 on a T1 to ISP at the central site since I don't
have static address on PIX can I just use the below line and replace the
95.95.95.2 with 0.0.0.0 and then the rest of my config?

crypto isakmp key cisco123 address 95.95.95.2 


Thanks
Cory




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44754t=44754



RE: PIX 515E routing issue [7:44746]

2002-05-22 Thread Lidiya White

Check the default gateway of your PC.
Enable debug icmp trace on the PIX to troubleshoot...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jablonski, Michael
Sent: Wednesday, May 22, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: PIX 515E routing issue [7:44746]

Just recently installed a PIX 515E.  I can ping from the PIX to an outside
address (and inside box to ethernet on PIX); but trying to ping through the
PIX comes back as unreachable.  Basic layout as follows:

Netopia DSL Router  --  PIX 515E--  LAN


I'm using the default allow rule, along with the following access list...
everything else is pretty much default for now. (just want to try and get
connectivity)

access-list 100 permit icmp any any echo-reply 
access-list 100 permit icmp any any time-exceeded 
access-list 100 permit icmp any any unreachable 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.6 255.255.255.252
ip address inside 192.168.200.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
timeout xlate 0:05:00
no sysopt route dnat

I've tried running RIP on it; didn't solve the problem.  Seems like the PIX
doesn't understand the default route.  I've cleared the arp table still no
luck
Any help is GREATLY appreciated
thanx

~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St.
9th Flr
Chicago, IL  60601-2468
PH: 312.884.2996 
FAX: 312.278.5550
~~~







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44756t=44746



Re: ppp multilink over adsl????? [7:44704]

2002-05-22 Thread MADMAN

I think you're correct.  Most people that have DSL terminate at a
provider and I know of no providers that provide DSL-ppp-multilink.  We
do have several customers that do control both sides, use DSL for
employee remote access and some use it for backup but again none have
tried the multilink but I suspect it's possible.

  Dave

Michael Williams wrote:
 
 I'm going to hazard a guess here and see what others think of my theory.
 
 For PPP Multilink to work you need it enabled at both ends. With
 point-to-point T1s or ISDN this isn't a problem because you (usually)
 control both ends. But with ADSL, you only control one end (unless this
 is the weird point-to-point DSL that's being offered that I've just never
 heard of).  So I don't think this would be possible, because your DSL
 provider would treat each connection separately (attempt to give an IP,
 etc.).
 
 Anyone's thoughts?
 
 Mike W.
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44757t=44704



Re: Bridge and switch [7:44649]

2002-05-22 Thread Michael L. Williams

John Neiberger  wrote in message
news:[EMAIL PROTECTED]...
 However,
 it's still a rectangle when you get right down to it.


Hey. A square isn't a rectangle!!!


(just kidding I just thought I'd be stubborn... hehe)

Good analogy..

Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44758t=44649



Netlock VPN Client for Mac to PIX [7:44744]

2002-05-22 Thread Daniel Ma

I have configured PIX for remote VPN client. It works for Cisco VPN client,
however Cisco does not have support for Mac 8-9. I downloaded the software
from Netlock. However it failed in Phase 1. Then I upgraded the PIX to
6.2(1), and it seems to be making some progress. However the connection is
killed at the end of Phase 2 (I guess) with return status is
IKMP_NO_ERR_NO_TRANS.

Does anybody have experience in configuring VPN for Mac? I am attaching the
log file, and I would appreciate it if someone could help me.

Daniel


crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
VPN Peer: ISAKMP: Added new peer: ip:63.11.28.147 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt incremented to:1 Total VPN
Peers:
1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP: Created a peer node for 63.11.28.147
ISAKMP (0): ID payload
next-payload : 10
type : 2
protocol : 17
port : 500
length : 16
ISAKMP (0): Total payload length: 20
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue
even
t...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147

ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3752133894

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 63.11.28.147/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 3752133894

ISAKMP (0): processing ID payload. message ID = 3752133894
ISAKMP (0): ID_IPV4_ADDR src 63.11.28.147 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 3752133894
ISAKMP (0): ID_IPV4_ADDR_RANGE dst 0.0.0.0/0.0.0.0 prot 0 port 0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xbc74b5c1(3161765313) for SA
from 63.11.28.147 to 67.32.141.226 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound 

Re: Bridge and switch [7:44649]

2002-05-22 Thread Kevin Jones

I was oblivious to the fact that I was using the word subnet.  What I
should have used is the word segment.  Anyway, I went back to what I
thought was the source and was unable to find the description I had read.
I'll look again.  Not sure where I read it now.  Anyway, this thread has
confirmed what I have always understood, ie. that switches are multiport
bridges.  If I find that description again, I'll post it here for you to
take a look at.


Priscilla Oppenheimer wrote in message
news:[EMAIL PROTECTED]...
 At 02:58 PM 5/22/02, Kevin Jones wrote:
 If a multiport bridge determines (based on the destination MAC address) that
 the destination node is on another subnet,

 Stop right there. It can't figure out that the destination is on a
 different subnet from the MAC address. Subnets are differentiated by
 network-layer information. MAC addresses are at the data-link layer.

 If the destination is on a different subnet, the destination MAC will be a
 router's MAC address, although the bridge (switch) wouldn't recognize that
 (unless it had some weird feature that did this, which is unlikely). If the
 bridge (switch) has learned which port reaches that MAC address, then it
 will forward the frame out that port and no other. If it hasn't learned how
 to reach that address yet, then it will flood the frame out all ports.

 Bridges and switches behave exactly the same.

 Priscilla



   it will broadcast the frame out
 all ports except the originating port.  A switch, on the other hand, is
 smart enough to only forward the frame out the destination port.  Both
 devices handle unknown frames and broadcasts the same way, ie. they will
 forward the packets out all ports except the one the frame was received on.
 
 Any thoughts?
 

 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44759t=44649
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX 515E routing issue [7:44749]

2002-05-22 Thread Roberts, Larry

Try to explicitly permit ICMP from the inside to the outside and see if that
helps.


Thanks

Larry 

-Original Message-
From: Jablonski, Michael [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 4:14 PM
To: [EMAIL PROTECTED]
Subject: FW: PIX 515E routing issue [7:44749]


Oh yeah I'm running PIX 6.1(2)

-Original Message-
From: Jablonski, Michael 
Sent: Wednesday, May 22, 2002 3:35 PM
To: 'Cisco Study List (E-mail)'
Subject: PIX 515E routing issue


Just recently installed a PIX 515E.  I can ping from the PIX to an outside
address (and inside box to ethernet on PIX); but trying to ping through the
PIX comes back as unreachable.  Basic layout as follows:

Netopia DSL Router  --  PIX 515E  --  LAN


I'm using the default allow rule, along with the following access list...
everything else is pretty much default for now. (just want to try and get
connectivity)

access-list 100 permit icmp any any echo-reply 
access-list 100 permit icmp any any time-exceeded 
access-list 100 permit icmp any any unreachable 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.6 255.255.255.252
ip address inside 192.168.200.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
timeout xlate 0:05:00
no sysopt route dnat

I've tried running RIP on it; didn't solve the problem.  Seems like the PIX
doesn't understand the default route.  I've cleared the arp table, still no
luck. Any help is GREATLY appreciated, thanx

~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St.
9th Flr
Chicago, IL  60601-2468
PH: 312.884.2996 
FAX: 312.278.5550
~~~







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44760t=44749



Standby Preempt [7:44762]

2002-05-22 Thread Phil Lorenz

I'm a little confused by configs I see in production that appear to be
contrary to how I think HSRP works. 
 
What is the significance of the preempt statement on Switch #2 in this
example below ???  
 
Is it- without the preempt statement on the second switch (even though it
has the lower priority), the HSRP priority would not change back if Switch
#1 flapped a few times ???
 
ex:
Switch #1

inter vlan 1
10.10.10.1 255.255.255.0
standbye priority 255 preempt
standbye IP 10.10.10.3
standby track vlan 101

Switch #2

inter vlan 1
10.10.10.2 255.255.255.0
standbye priority 254
standbye IP 10.10.10.3
standby track vlan 102

Thanks
Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44762t=44762



RE: Standby Preempt [7:44762]

2002-05-22 Thread James Hampton

Phil, Thanks for posting this, I wasn't even aware that you could use hsrp
on switches/vlans, if you have an url or more info on using hsrp on switches
that would be great. As for your question, if hsrp works on switches in the
same way it does on routers, then yes switch #2 should also have a preempt
statement. If vlan 101 on switch #1 fails its priority decrements by the
default value (10 I think) switch #2 picks up on this when it receives the
next hello packet from switch #1, switch #2 then becomes the active switch,
but since there is no preempt on switch #2 it has no way of returning back
to standby once switch #1 returns to its original state. This is assuming
that hsrp operates the same on switches as it does on routers, if not then
please disregard.
James


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44764t=44762



Re: Bridge and switch [7:44649]

2002-05-22 Thread Priscilla Oppenheimer

At 06:11 PM 5/22/02, Kevin Jones wrote:
I was oblivious to the fact that I was using the word subnet.  What I
should have used is the word segment.

Ah. That makes more sense. When a frame arrives, both bridges and switches 
send the frame on its way without sending it back onto the originating 
segment. If the bridge (switch) has learned which specific port to use, it 
sends the frame out just that port. If it hasn't learned yet, then it 
floods it out all ports except the originating port. That's the unknown 
frames that you mentioned in the first message. (It means unknown 
destination, as in not knowing which port to use.)

You get the picture, I'm sure, but it's still good to clarify the concepts.

Priscilla

Anyway, I went back to what I
thought was the source and was unable to find the description I had read.
I'll look again.  Not sure where I read it now.  Anyway, this thread has
confirmed what I have always understood, ie. that switches are multiport
bridges.  If I find that description again, I'll post it here for you to
take a look at.


Priscilla Oppenheimer wrote in message
news:[EMAIL PROTECTED]...
  At 02:58 PM 5/22/02, Kevin Jones wrote:
  If a multiport bridge determines (based on the destination MAC address) that
  the destination node is on another subnet,
 
  Stop right there. It can't figure out that the destination is on a
  different subnet from the MAC address. Subnets are differentiated by
  network-layer information. MAC addresses are at the data-link layer.
 
  If the destination is on a different subnet, the destination MAC will be a
  router's MAC address, although the bridge (switch) wouldn't recognize that
  (unless it had some weird feature that did this, which is unlikely). If the
  bridge (switch) has learned which port reaches that MAC address, then it
  will forward the frame out that port and no other. If it hasn't learned how
  to reach that address yet, then it will flood the frame out all ports.
 
  Bridges and switches behave exactly the same.
 
  Priscilla
 
 
 
it will broadcast the frame out
  all ports except the originating port.  A switch, on the other hand, is
  smart enough to only forward the frame out the destination port.  Both
  devices handle unknown frames and broadcasts the same way, ie. they will
  forward the packets out all ports except the one the frame was received on.
  
  Any thoughts?
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44765t=44649
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
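The forward/flood/filter decision described in this thread, as an added Python sketch (not code from any poster or vendor). The class, field names and MAC addresses are constructed for illustration; the `dst_ip` field is there only to show that the bridge never reads it.

```python
"""Transparent bridge / switch forwarding decision, driven only by MAC addresses."""
from typing import NamedTuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame(NamedTuple):
    src_mac: str
    dst_mac: str
    dst_ip: str  # network-layer payload; a bridge never looks at it


class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, frame):
        """Return the list of ports the frame is sent out of."""
        # Learn: the source MAC is reachable through the arrival port.
        self.mac_table[frame.src_mac] = in_port
        # Broadcast or unknown destination: flood out every port except the
        # originating one.
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[frame.dst_mac]
        # Destination lives on the originating segment: do not send it back.
        if out_port == in_port:
            return []
        return [out_port]


def demo():
    # Constructed addresses (locally administered MACs).
    host_a = "02:00:00:00:00:0a"   # on port 1
    host_b = "02:00:00:00:00:0b"   # also on port 1 (same segment as A)
    router = "02:00:00:00:00:01"   # on port 3
    bridge = LearningBridge([1, 2, 3])
    results = []
    # A talks to an off-subnet host: the frame is addressed to the router's
    # MAC, which the bridge has not learned yet, so it floods.
    results.append(bridge.receive(1, Frame(host_a, router, "172.16.5.9")))
    # The router answers A: A was learned on port 1, so only port 1 is used.
    results.append(bridge.receive(3, Frame(router, host_a, "10.1.1.10")))
    # A to the router again: now known on port 3.
    results.append(bridge.receive(1, Frame(host_a, router, "172.16.5.9")))
    # B to A, both on port 1: filtered, nothing is forwarded.
    results.append(bridge.receive(1, Frame(host_b, host_a, "10.1.1.10")))
    # Broadcast from A: all ports except the originating port.
    results.append(bridge.receive(1, Frame(host_a, BROADCAST, "10.1.1.255")))
    return results


if __name__ == "__main__":
    for step, ports in enumerate(demo(), 1):
        print(step, ports)
```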



Re: Standby Preempt [7:44762]

2002-05-22 Thread Michael L. Williams

Precisely without the 'preempt', the first router (RSM, MSFC, etc) would
never take control back from #2 after coming back up

I would also be suspect of all of the lines that say 'standbye' hehe
=)

Seriously tho, just for overkill, we always put preempt on all HSRP
groups..  it won't allow a lower priority router to take over, but keeps
things in order (if there are more than 2 involved)

BTW, why are you tracking VLANs?  Not to say that it's not possible or
needed, but I've not seen that.

Mike W.

Phil Lorenz wrote in message
news:[EMAIL PROTECTED]...
 I'm a little confused by configs I see in production that appear to be
 contrary to how I think HSRP works.

 What is the significance of the preempt statement on Switch #2 in this
 example below ???

 Is it- without the preempt statement on the second switch (even though it
 has the lower priority), the HSRP priority would not change back if Switch
 #1 flapped a few times ???

 ex:
 Switch #1

 inter vlan 1
 10.10.10.1 255.255.255.0
 standbye priority 255 preempt
 standbye IP 10.10.10.3
 standby track vlan 101

 Switch #2

 inter vlan 1
 10.10.10.2 255.255.255.0
 standbye priority 254
 standbye IP 10.10.10.3
 standby track vlan 102

 Thanks
 Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44766t=44762
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
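The preempt and tracking behaviour discussed in this thread, as an added Python model (not code from any poster, and not Cisco's implementation). It uses the priorities and addresses from Phil's example and assumes both switches start at the same time and that the tracking decrement is the HSRP default of 10; the class and function names are made up for illustration.

```python
"""Toy HSRP election model: which switch is active after each event."""
from dataclasses import dataclass

TRACK_DECREMENT = 10  # default priority decrement when a tracked interface fails


@dataclass
class Router:
    name: str
    base_priority: int
    preempt: bool
    ip: str                   # higher interface address wins a priority tie
    up: bool = True
    tracked_up: bool = True

    @property
    def priority(self) -> int:
        return self.base_priority - (0 if self.tracked_up else TRACK_DECREMENT)


class HsrpGroup:
    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.reelect()

    @staticmethod
    def _rank(r):
        return (r.priority, tuple(int(octet) for octet in r.ip.split(".")))

    def reelect(self):
        alive = [r for r in self.routers.values() if r.up]
        current = self.routers.get(self.active)
        if current is None or not current.up:
            # No active router is heard: the best live router takes the role.
            # Preempt is not needed for this.
            self.active = max(alive, key=self._rank).name if alive else None
            return self.active
        # An active router exists: it is displaced only by a router that both
        # ranks higher AND is itself configured with preempt.
        challengers = [r for r in alive
                       if r.preempt and self._rank(r) > self._rank(current)]
        if challengers:
            self.active = max(challengers, key=self._rank).name
        return self.active

    def event(self, name, **changes):
        for attr, value in changes.items():
            setattr(self.routers[name], attr, value)
        return self.reelect()


def run_scenario(preempt_sw1, preempt_sw2):
    """Replay one failure sequence; return [(event, active switch), ...]."""
    group = HsrpGroup([
        Router("sw1", 255, preempt_sw1, "10.10.10.1"),
        Router("sw2", 254, preempt_sw2, "10.10.10.2"),
    ])
    timeline = [("start", group.active)]
    timeline.append(("sw1 tracked interface down (255 -> 245)",
                     group.event("sw1", tracked_up=False)))
    timeline.append(("sw1 tracked interface restored",
                     group.event("sw1", tracked_up=True)))
    timeline.append(("sw1 fails", group.event("sw1", up=False)))
    timeline.append(("sw1 returns", group.event("sw1", up=True)))
    return timeline


if __name__ == "__main__":
    for p1, p2 in [(True, False), (True, True), (False, False), (False, True)]:
        print(f"preempt sw1={p1} sw2={p2}")
        for what, active in run_scenario(p1, p2):
            print(f"  {what:42s} active={active}")
```

With the configuration as posted (preempt only on Switch #1), the tracked-interface failure does not move the active role, because Switch #2 has no preempt to claim it.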



Re: Provider backbone engineering (was: Logic and Lab Rats) [7:44768]

2002-05-22 Thread dre

Howard C. Berkowitz wrote in message
news:[EMAIL PROTECTED]...

 :-) well, my book on the subject, Building Service Provider
 Networks, should be about to ship.

 Seriously, let's talk about several areas, beginning with BGP.  Every
 BGP scenario I've seen or heard of in the CCIE context, at best,
 looks at an extremely simple configuration with rules NEVER used in
 the real world.  A few contrasts:

The way Cisco teaches BGP irks me as well.  They just don't cover
anything except the basics.

 -- in the real world, it's VERY rare to redistribute between a dynamic IGP
 and BGP. Sure, there are exceptions, but they are VERY carefully chosen.
 A provider backbone CANNOT survive having 100,000-plus routes in its
 IGP, nor should it.

I wouldn't say it's VERY rare.  Take Philip Smith's NANOG presentation
on Multihoming as an example.  Many Enterprises may want to get peering
routes or partial routes and inject them into their IGP.  Many ISP's may want
to inject their IGP into their BGP for customer static routes (using a route-map
to filter out all the junk).  I would say this is VERY common.  What's not common
(and what you are referring to) is redistributing everything (IGP to BGP; BGP to
IGP) for full routes (the 112,000 routes today).

 -- In provider use, the main purpose of the IGP (or multiple instances of an
 IGP) is to maintain connectivity among BGP routers.  You may have a
 separate IGP instance for each POP or group of POPs.

Next-hop information for BGP, correct.  It holds the infrastructure addresses,
and I'm pretty sure you are familiar with this term since I think you invented it.
So basically, a bunch of routed transit links (/30's or /31's if you can use them)
and loopback interfaces (/32's) and not much else, if anything else at all.

 -- To connect customers, there is MUCH more use of static and default routes.
 You could not possibly run a provider network with the CCIE lab rule of
 no statics or defaults.

Service providers typically implement tons of statics and defaults, correct.
Most don't like it, though, and try to design around it for any alternatives.

 -- AS paths are longer and more complex than you can create with six or
 so routers.

Most people cannot create/simulate the Internet in their house, very true.

 -- There's a HUGE amount of things to be concerned with that aren't strictly
 configuration, such as justifying/obtaining/managing address space,
 intercarrier relationships involving both economics and cooperative
 troubleshooting, DNS management, protecting against distributed denial
 of service, etc.

This stuff is pretty easy, actually.  At least once you start doing it and getting
your head around the problems.  CCIE doesn't teach ARIN/RIPE/APNIC
justification.  But ARIN's/RIPE's/APNIC's websites teach it pretty well.

The RIR's and IRR's aren't complex, they are just black art (sort of like DNS
is).  You have to know where to go to get the information, and you can't just
sit down one day and learn it (well maybe you can).  But there are a lot of
good resources out there on RPSL, etc, that will let you pick this up fairly
quickly.  RFC 2622 and RFC 2650 are a fairly good start.

Learning about Inter-Provider relationships is easy, too, once you get involved.
The best way, IMO, to get really involved quickly is to start talking to your
local Exchange Point (EP) people.  They understand these concepts and are
normally willing to share the information very in-depth to any person who needs
to know.  http://www.ep.net/ for information about your local exchange points.

As for the other two black-arts, DNS and handling DDoS/DoS, there *are* many
resources out there *and* the IETF has these topics well-defined.  Cisco doesn't
teach these concepts (at least, not IMO), but they aren't difficult to learn.  Most
people can just start reading the following list of RFC's and Internet-Drafts and
understand 99% of what's needed in these two areas:

DNS: RFC 1034 (Updated by RFC1101, RFC1183, RFC1348, RFC1876, RFC1982,
 RFC2065, RFC2181, RFC2308, RFC2535)
DNS: RFC 1035 (Updated by RFC1101, RFC1183, RFC1348,
 RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181,
 RFC2137, RFC2308, RFC2535, RFC2845)
DNS:  http://www.ietf.org/ids.by.wg/dnsext.html
http://www.ietf.org/ids.by.wg/dnsop.html
 Internet-Drafts at the above URL's
DNS: http://www.isc.org/products/BIND/ http://www.ultradns.com/
DDoS/DoS: RFC 2196, RFC 2827, RFC 3013, RFC 2979, RFC 1858, RFC 3128
DDoS/DoS: http://packetstorm.dnsi.info/DoS/
http://packetstorm.dnsi.info/distributed/
 Which will require in-depth knowledge of RFC 791, RFC 792, RFC 793, RFC 768
 and/or TCP/IP Illustrated Volume I, and anything else applicable

 -- BGP communities are far more important than in typical scenarios.
 You need to know why and when to set up your own, learn the values of
 communities set by other AS and under what circumstances 

Re: Logic and "Lab Rats" [7:44653]

2002-05-22 Thread Michael L. Williams

nrf wrote in message
news:[EMAIL PROTECTED]...
 On the other hand, who's more likely to show up to work late?  Or show up
 drunk or high?  Or get into a fight with his coworkers?  Or surf porn in
 front of female coworkers?   The guy who's been in the working world for 25
 years or a new kid?

 Experience is not just about knowing which command does what.  It's also
 about general work attitudes and maturity.

Again, I say this is not a valid conclusion..  What you're implying is
that people with experience cannot also be slackers, alcoholics, drug addicts,
racist, sexist, assholes or someone who in any way is inappropriate.  That's
a very flawed and very illogical conclusion.

Who's more likely to show up for work late?  Depends on who worked at
places that were more relaxed on their schedules..  The last place I
worked, you were yelled at for being 5 minutes late, the place I'm at now,
you could show up pretty much anytime from 8 to 8 or so and no one would say
a thing.  Someone could easily get experience at a relaxed place, and
then after years move to a place with little tolerance and perhaps find it
hard to break the habit of coming in whenever..

Or show up drunk or high?  People from all walks of life, with both good
work records and very happy employers, are able to come in drunk and/or high
and not be suspected (i.e. functional alcoholics)... Trust me, I lived in a
college town and knew plenty of people that would go to work a bit drunk or
stoned or whatnot.  This kind of thing happens a lot  (even people who aren't
'alcoholics' per se that go out until 4am, then drag in at 8 still a bit
tipsy).  This affects people of all ages and experience levels..  Again,
nothing to do with 'experience' with routers/routing protocols/networks,
etc..

Or get into a fight with his coworkers?  This one is laughable
Personality conflicts are wide and varied.  To assume that because someone
has even a sparkling clean work history that a personality conflict won't or
can't happen when brought into your workplace is flawed from its roots.
I've been working 'professionally' in the IT field for 10+ years now, and
*never* wanted to clock a co-worker until I got to my current job.  There's
this guy who thinks all women are stupid, etc etc. he's the epitome of
'an @!#$' in every regard, and my patience has never been tested like it
has with this guy..  Point being, again, that experience can in no way
predict personality conflicts.  Checking personal and professional
references perhaps, but not the sheer fact they have had a job and have
experience.

Or surf porn in front of female coworkers?   Anyone that would do this in
front of anyone that they don't know well enough to know it won't offend
them is just an idiot again nothing to do with experience (or lack
of)..

I've said it once, and I'll say it again. you're equating experience
with good work habits, good skills, and good personal habits, and experience
is a reflection on none of these (IMHO).  Experience isn't even meant to
measure those things..  So people ask the question Do you have
experience with coming in on time?  Do you have experience with not
starting fights?  Do you have any experience in a drug-free workplace?
No those are absurd questions.  I would offer up that anyone that
doesn't have the knowledge that they shouldn't show up to work drunk/high,
shouldn't start fights, and should show up on time is not a good job
candidate..  So ruling those bozos out, then one can consider
experience, certifications, references, etc.  Experience is another word
for knowledge and/or skill, period.  As seen in the following definition:

Experience

a. Active participation in events or activities, leading to the accumulation
of knowledge or skill.
b. The knowledge or skill so derived

So attributing any other good qualities (being on time, not showing up
drunk/high, not starting fights, etc) of a person (employee or potential
employee) simply because of experience (or lack of) is a fallacy.

I mean, I knew on my very first job, cutting grass at a hospital, that I was
s'posed to show up on time, etc etc and I did that as well as anyone
else, even without experience to prove it..

Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44761t=44653



RE: ISDN BRI Simulator Comparison - way to expensi [7:44767]

2002-05-22 Thread Treptow, Georg

For that price you might as well order 2 ISDN lines from your local telco.
That should only cost you about $80.00 a month as you don't need to get ISP
service with it. You would be able to use those for 17 months until coming
up even. 

Georg Treptow

-Original Message-
From: Dennis Laganiere [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 6:34 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Subject: RE: ISDN BRI Simulator Comparison


Earlier today I proposed putting together some comparative information on
the various ISDN Simulators available. Since the question which simulator
do I buy? comes up regularly on the list, I thought a cooperative effort to
develop an answer would be an interesting exercise for the group.  Just to
start the conversation, here's a review of the two that I have in my home
pod... 

Arca Emutel Lite 
Recent e-bay sales: $1,250 - $1,400

Features:
* 2 port BRI 
* Switch types supported: NAT-1, DMS100 and 5ESS

Default settings (just because I think it's useful):

Port    B-channel   DN        SPID
1       1           384000    384001
1       2           384010    384002
2       1           384020    384021
2       2           384030    384022

The default ISDN switch-type is basic-dms100

Pro:
* Been using it for a year without a problem
* Built-in battery backup means you can use it without AC power for a quick
demonstration
* Supports either S (4-wire) or U (2-wire) interfaces (selected through
software)
* Simple console-like configuration

Con: 
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Power supply is an external brick.  Minor thing, but kind of annoying.


Teltone ILS-B-01 ISDN Demonstrator
Recent e-bay sales: $1,225 - $1,599 (New from the manufacturer, $1,855.00)

Features:
* 2 port BRI
* Switch types supported: NAT-1, ATT Custom 

Default settings (just because I think it's useful):

Port    B-channel   DN          SPID
1       1           835-8661    0835866101
1       2           835-8663    0835866301
2       1           835-8662    0835866201
2       2           835-8664    0835866401

The default ISDN switch-type is basic-nil

Pro:
* Built in power supply.
* Windows-based configuration (I haven't tried it yet, but the book makes it
look easy)

Con: 
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Only has U Interfaces

I look forward to seeing what other people have used...

Thanks...

--- Dennis


 -Original Message-
From:   Dennis Laganiere [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 2:36 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject:ISDN BRI Simulator Comparison

This brings to mind an interesting side-project, if anybody has the time and
inclination to help out. I've not seen a comprehensive comparison between
the various simulators that are available, factoring in features and
approximate cost.  

Myself personally, I've got an Emutel Lite at home that I've had for a
while, and I just picked up a Teltone ISDN Demonstrator that I'm going to
start playing with this weekend. I could probably put together a quick write
up on those if it were a conversation that other people would like to
contribute to.

Anybody want to play?

Let me know...

--- Dennis  




From:   Dennis Laganiere [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 1:48 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject:RE: ISDN BRI Simulator

Um... I'll pay $125... 

Next bidder... :)

I don't believe you'll find too many in this range, but I'd love to learn
that I'm wrong...

Thanks...

--- Dennis

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject:ISDN BRI Simulator

I am looking for a 2 port ISDN BRI Simulator for under $100. Does anyone 
know where I can get one?

Thanks,

Bill Cook, Network Project Manager
_
Commercial lab list: http://www.groupstudy.com/list/commercial.html
Please discuss commercial lab solutions on this list.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44767t=44767

RE: ISDN BRI Simulator Comparison [7:44763]

2002-05-22 Thread Dennis Laganiere

Earlier today I proposed putting together some comparative information on
the various ISDN Simulators available. Since the question which simulator
do I buy? comes up regularly on the list, I thought a cooperative effort to
develop an answer would be an interesting exercise for the group.  Just to
start the conversation, here's a review of the two that I have in my home
pod... 

Arca Emutel Lite 
Recent e-bay sales: $1,250 - $1,400

Features:
* 2 port BRI 
* Switch types supported: NAT-1, DMS100 and 5ESS

Default settings (just because I think it's useful):

Port    B-channel   DN        SPID
1       1           384000    384001
1       2           384010    384002
2       1           384020    384021
2       2           384030    384022

The default ISDN switch-type is basic-dms100

Pro:
* Been using it for a year without a problem
* Built-in battery backup means you can use it without AC power for a quick
demonstration
* Supports either S (4-wire) or U (2-wire) interfaces (selected through
software)
* Simple console-like configuration

Con: 
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Power supply is an external brick.  Minor thing, but kind of annoying.


Teltone ILS-B-01 ISDN Demonstrator
Recent e-bay sales: $1,225 - $1,599 (New from the manufacturer, $1,855.00)

Features:
* 2 port BRI
* Switch types supported: NAT-1, ATT Custom 

Default settings (just because I think it's useful):

Port    B-channel   DN          SPID
1       1           835-8661    0835866101
1       2           835-8663    0835866301
2       1           835-8662    0835866201
2       2           835-8664    0835866401

The default ISDN switch-type is basic-nil

Pro:
* Built in power supply.
* Windows-based configuration (I haven't tried it yet, but the book makes it
look easy)

Con: 
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Only has U Interfaces

I look forward to seeing what other people have used...

Thanks...

--- Dennis


 -Original Message-
From:   Dennis Laganiere [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 2:36 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject:ISDN BRI Simulator Comparison

This brings to mind an interesting side-project, if anybody has the time and
inclination to help out. I've not seen a comprehensive comparison between
the various simulators that are available, factoring in features and
approximate cost.  

Myself personally, I've got an Emutel Lite at home that I've had for a
while, and I just picked up a Teltone ISDN Demonstrator that I'm going to
start playing with this weekend. I could probably put together a quick write
up on those if it were a conversation that other people would like to
contribute to.

Anybody want to play?

Let me know...

--- Dennis  




From:   Dennis Laganiere [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 1:48 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject:RE: ISDN BRI Simulator

Um... I'll pay $125... 

Next bidder... :)

I don't believe you'll find too many in this range, but I'd love to learn
that I'm wrong...

Thanks...

--- Dennis

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject:ISDN BRI Simulator

I am looking for a 2 port ISDN BRI Simulator for under $100. Does anyone 
know where I can get one?

Thanks,

Bill Cook, Network Project Manager
_
Commercial lab list: http://www.groupstudy.com/list/commercial.html
Please discuss commercial lab solutions on this list.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44763t=44763



Re: STP and 7 hops [7:44408]

2002-05-22 Thread Priscilla Oppenheimer

At 02:51 AM 5/22/02, Chuck wrote:
> sorry to keep harping on this one, but I'm actually learning something here.
> Besides, my big project at work these days is working with a large
> university, replacing their campus physical and switch infrastructure. I'm
> finding this discussion fascinating for that reason as well.

Well, it might not have any real-world relevance. ;-)


> If I read my source correctly, the max age field is supposed to be 2 bytes,
> and is supposed to be a time value,

That sounds like Message Age actually. Message Age times the age of a BPDU. 
The root sends a BPDU with Message Age set to zero. Each bridge adds 1. So 
it is sort of a hop count.

In a functioning network, the bridges don't pay much attention to this 
since BPDUs are refreshed every 2 seconds.

> with the min being 1/256 second and the
> max being 256 seconds. other than in the initial STP process ( or
> recalculation )

In a non-functioning network, the Maximum Age threshold comes into play. 
Its default is 20. You can change it (at the root bridge only; the others 
learn it from the root). The Maximum Age controls the size of the network, 
but it also has a much more important purpose, which is to start 
reconvergence. As I understand it, the BPDU arrives with the Message Age = 
to hop count. But the BPDU continues to age until it reaches Maximum Age.

If the Root Bridge fails, another bridge will notice the Message Age reach 
the Maximum Age and start the process of taking over as the Root Bridge.

If the Root Bridge doesn't fail, but a path to the Root Bridge fails, if an 
alternate path exists, a blocking port on a downstream bridge transitions 
to listening, learning, and forwarding after it notices Message Age reach 
Maximum Age. If a Root Port fails, another port on the bridge where the 
failure occurred may transition directly into the listening and learning 
states without waiting for Maximum Age.

It's horridly complex. ;-)

> the BPDU would for all practical purposes be time from the
> root. Correct? My source tells me only the fields and their values, and
> nothing about functionality. It would appear that the max age field tells
> the local switch how old a message can be before it is disregarded, or
> causes some other action to be taken. The message age field is the actual
> age as per the process you describe below - incremented by each bridge along
> the way.

Yes, that sounds right.


> The root path cost is used to advertise how far this bridge is from the
> root? hops?

No, cost like in OSPF. Each interface has a cost:

Link Speed    Recommended Cost Value
4 Mbps        250
10 Mbps       100
16 Mbps       62
100 Mbps      19
1 Gbps        4
10 Gbps       2



> counting on my fingers, a max distance of 20 from the root is a whole lot
> different than a max diameter of 7.

The 7 is a recommended value. Try even finding it in Radia Perlman's book!?
;-)

I hope I didn't just confuse matters even more. In addition to the Perlman 
bible, try the Clark and Hamilton holy writ.

Priscilla


> Chuck


Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]...
  There's nothing in the STP frames to enforce a 7 hop diameter. But there is
  the Message Age field in the BPDUs. Each bridge (switch) adds one to the
  Message Age when the switch propagates the BPDU downstream.

  The Maximum Age threshold is 20. If a BPDU gets to a switch with the
  Message Age already at 20, it will think that the tree needs reconverging.
  This would get ugly if switches on the edges were always trying to
  reconverge. So, the max size from that viewpoint is 20 from the root.

  But 7? I really think DEC threw that in as a precaution. It's interesting
  that IBM was saying the same thing about source route bridging at the time
  (max bridges is 7). (But try finding 7 in IEEE 802.1D Annex C, the official
  standardization of source-route transparent bridging. The RIF can actually
  hold info for 14 rings and 13 bridges.)

  Back to the real subject at hand, the 7 max for STP is mentioned as a
  recommended value in Table 8.2 Maximum Bridge Diameter of IEEE 802.1D and
  is defined as The maximum number of Bridges between any two points of
  attachment of end stations.

  Then it's discussed again in Appendix B B.3.1.2 Basis of choice. This
  section is pretty incomprehensible, but, as far as I can tell, the main
  reason for the choice of parameters is to minimize the lifetime of a data
  (user) frame travelling across the switched network.

  Regarding gigastack, it sounds like the answer that Steven got from Cisco
  is that each switch counts as a hop, so if STP is enabled, each counts
  toward the _theoretical_ 7 hop count limit.

  But I bet you're right also that STP could be disabled with gigastack. It
  sounds like the topology is already a single linear branch (stack) with no
  loops. There's no need to prune it into a tree. But I'm way out on a limb
  now. ;-)

  Priscilla
 
  At 06:34 PM 5/19/02, Chuck wrote:
  you know, it suddenly 
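
Added example, not part of the thread or written by any of its posters: a Python sketch of the Message Age, Maximum Age and root path cost behaviour described in the message above. It decodes a 35-byte 802.1D configuration BPDU (timer fields are 2 bytes in units of 1/256 second) and relays it down a chain of bridges, adding 1 to Message Age per bridge as the thread describes. The bridge IDs, the `relay` and `walk_chain` helpers and the sample BPDU are constructed for illustration.

```python
import struct
from dataclasses import dataclass, replace

# 802.1D configuration BPDU: protocol id, version, type, flags, root id,
# root path cost, bridge id, port id, then four 2-byte timers in 1/256 s units.
BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)          # 35 bytes
TICKS_PER_SECOND = 256

# Recommended port costs from the table in the thread (link speed in Mbps -> cost).
PORT_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class ConfigBpdu:
    root_id: bytes
    root_path_cost: int
    bridge_id: bytes
    port_id: int
    message_age: float      # all timers are held in seconds
    max_age: float
    hello_time: float
    forward_delay: float


def parse_bpdu(raw: bytes) -> ConfigBpdu:
    """Decode the fixed-layout configuration BPDU, converting timers to seconds."""
    if len(raw) < BPDU_LEN:
        raise ValueError("truncated configuration BPDU")
    (proto, version, bpdu_type, _flags, root_id, cost, bridge_id, port_id,
     *timers) = struct.unpack_from(BPDU_FMT, raw)
    if (proto, version, bpdu_type) != (0, 0, 0):
        raise ValueError("not an 802.1D configuration BPDU")
    age, max_age, hello, fwd = (t / TICKS_PER_SECOND for t in timers)
    return ConfigBpdu(root_id, cost, bridge_id, port_id, age, max_age, hello, fwd)


def encode_bpdu(b: ConfigBpdu) -> bytes:
    timers = [round(s * TICKS_PER_SECOND)
              for s in (b.message_age, b.max_age, b.hello_time, b.forward_delay)]
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, b.root_id, b.root_path_cost,
                       b.bridge_id, b.port_id, *timers)


def relay(raw: bytes, bridge_id: bytes, root_port_mbps: int):
    """Model one non-root bridge (hypothetical helper).

    Returns the BPDU it would send downstream, or None when the received
    information has already reached Maximum Age and is treated as expired.
    """
    bpdu = parse_bpdu(raw)
    if bpdu.message_age >= bpdu.max_age:
        return None
    return encode_bpdu(replace(
        bpdu,
        root_path_cost=bpdu.root_path_cost + PORT_COST[root_port_mbps],
        bridge_id=bridge_id,
        message_age=bpdu.message_age + 1,   # "each bridge adds 1"
    ))


def walk_chain(root_raw: bytes, link_speeds_mbps):
    """Relay a root BPDU down a linear chain; one link speed per bridge.

    Returns (bridge number, Message Age sent, root path cost sent) for every
    bridge that still accepted the BPDU.
    """
    hops, raw = [], root_raw
    for n, mbps in enumerate(link_speeds_mbps, start=1):
        bridge_id = bytes([0x80, 0x00, 0x02, 0, 0, 0, 0, n])   # constructed ID
        nxt = relay(raw, bridge_id, mbps)
        if nxt is None:
            break
        out = parse_bpdu(nxt)
        hops.append((n, out.message_age, out.root_path_cost))
        raw = nxt
    return hops


# Constructed root BPDU: Message Age 0, Max Age 20, Hello 2, Forward Delay 15.
ROOT_ID = bytes.fromhex("8000020000000000")
ROOT_BPDU = encode_bpdu(ConfigBpdu(ROOT_ID, 0, ROOT_ID, 0x8001, 0, 20, 2, 15))

if __name__ == "__main__":
    for hop in walk_chain(ROOT_BPDU, [100] * 25):
        print(hop)
```

With 25 bridges in a row on 100 Mbps links, the walk stops after the 20th bridge, which is the "20 from the root" bound discussed in the thread; nothing in the frame itself stops it at 7.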

RE: Looking for people preparing for BCMSN 650-504Exam [7:44731]

2002-05-22 Thread Kevin Hunt

I passed switching today.  Will pass Support tomorrow and then I'll be a NP.
This test is more theory than any others and there are at least 15 gimmee
questions that would be better served on a CompTia N+ test.  There are about
12 really hard questions, and the rest are not very difficult if you know
the material.  REALLY know the differences between the commands on CatOS
and IOS.  REALLY know VTP, trunking, etc.
It's longer but easier than routing and remote access.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44772t=44731



RE: ISDN BRI Simulator Comparison [7:44763]

2002-05-22 Thread Michael Witte

I bought an Adtran 550 for $1600 from someone who appropriated it when they
got laid off at a dot com. Anyway it works real good and you can get POTS
modules for it. I haven't been able to get PPP multilink to work with it;
anyone have thoughts? It's a real bitch to set up too. But it is the one
they use in the LAB! My thinking is that we are really just renting this
stuff anyway and after we get our 4 numbers we will sell it back on Ebay for
as much or greater than what we paid. I have around $4000 in equipment and I
know if need be I can get it back. Then I am thinking that in the future I
would like to consult and do design and installs for companies. If I have
all this equipment it would be very easy to simulate whatever their
requirements were and then just implement with configs you did at home. just
my 2 cents


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44771t=44763



RE: no lmi - dlci inactive - telco says my problem? [7:44709]

2002-05-22 Thread Kevin Hunt

What router/ios are you running?
IOS 11.2 and above will autodetect the LMI type.
If your IOS is lower you'll need to get the telco to tell you what kind of
LMI their frame switch is using and then set that type on the interface.
Have you set the encapsulation type to frame-relay on the interface?



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44773t=44709



RE: ISDN BRI Simulator Comparison - way to expensi [7:44770]

2002-05-22 Thread Dennis Laganiere

I'd agree, especially if you've got a study buddy to split the cost with...

On the other hand, the prices I found were from e-bay - so provided Cisco
doesn't drop ISDN from the lab, you can always resell the unit once you're
done and the only thing you're out is the delta in the prices and any
interest you might have lost by not investing in Enron stock... Ummm, forget
that last part... :)

--- Dennis

 -Original Message-
From:   Treptow, Georg [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 4:58 PM
To: 'Dennis Laganiere'; '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
'[EMAIL PROTECTED]'
Subject: RE: ISDN BRI Simulator Comparison - way to expensive!!

For that price you might as well order 2 ISDN lines from your local telco.
That should only cost you about $80.00 a month as you don't need to get ISP
service with it. You would be able to use those for 17 months until coming
up even. 

Georg Treptow

-Original Message-
From: Dennis Laganiere [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 6:34 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Subject: RE: ISDN BRI Simulator Comparison


Earlier today I proposed putting together some comparative information on
the various ISDN Simulators available. Since the question "which simulator
do I buy?" comes up regularly on the list, I thought a cooperative effort to
develop an answer would be an interesting exercise for the group.  Just to
start the conversation, here's a review of the two that I have in my home
pod... 

Arca Emutel Lite 
Recent e-bay sales: $1,250 - $1,400

Features:
* 2 port BRI 
* Switch types supported: NAT-1, DMS100 and 5ESS

Default settings (just because I think it's useful):

Port  B-channel  DN      SPID
1     1          384000  384001
1     2          384010  384002
2     1          384020  384021
2     2          384030  384022

The default ISDN switch-type is basic-dms100

Pro:
* Been using it for a year without a problem
* Built-in battery backup means you can use it without AC power for a quick
demonstration
* Supports either S (4-wire) or U (2-wire) interfaces (selected through
software)
* Simple console-like configuration

Con: 
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Power supply is an external brick.  Minor thing, but kind of annoying.


Teltone ILS-B-01 ISDN Demonstrator
Recent e-bay sales: $1,225 - $1,599 (New from the manufacturer, $1,855.00)

Features:
* 2 port BRI
* Switch types supported: NAT-1, ATT Custom 

Default settings (just because I think it's useful):

Port  B-channel  DN        SPID
1     1          835-8661  0835866101
1     2          835-8663  0835866301
2     1          835-8662  0835866201
2     2          835-8664  0835866401

The default ISDN switch-type is basic-nil

Pro:
* Built in power supply.
* Windows-based configuration (I haven't tried it yet, but the book makes it
look easy)

Con: 
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Only has U Interfaces

I look forward to seeing what other people have used...

Thanks...

--- Dennis


 -Original Message-
From:   Dennis Laganiere [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 2:36 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: ISDN BRI Simulator Comparison

This brings to mind an interesting side-project, if anybody has the time and
inclination to help out. I've not seen a comprehensive comparison between
the various simulators that are available, factoring in features and
approximate cost.  

Myself personally, I've got an Emutel Lite at home that I've had for a
while, and I just picked up a Teltone ISDN Demonstrator that I'm going to
start playing with this weekend. I could probably put together a quick write
up on those if it were a conversation that other people would like to
contribute to.

Anybody want to play?

Let me know...

--- Dennis  




From:   Dennis Laganiere [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 1:48 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: ISDN BRI Simulator

Um... I'll pay $125... 

Next bidder... :)

I don't believe you'll find too many in this range, but I'd love to learn
that I'm wrong...

Thanks...

--- Dennis

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 22, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: ISDN BRI Simulator

I am looking for a 2 port ISDN BRI Simulator for under $100. Does anyone 
know where I can get one?

Thanks,

Bill Cook, Network Project Manager

Fwd: no lmi - dlci inactive - telco says my problem? [7:44774]

2002-05-22 Thread Daniel Skripka

No LMI indicates the telco frame switch is not seeing the frame
keepalives from the cisco.
1. Are both sides confirmed as using same frame relay encapsulation
[ietf/cisco]
2. What is the output of 'debug frame lmi'?
3. What is the output of debug serial interface?
4. Have you tried to do a shut/no_shut or a clear on the physical
interface after the loop test?

beth shriver wrote:
 
 Hello friends, I am having a little problem getting a
 new long distance frame relay circuit going and
 getting the ol its your equipment answer from telco
 and not sure if this is the case or not. I have
 checked cables and tsu/router config and all seems ok
 . when the telco loops my csu/tsu it causes my
 interface to bounce but interface then stays in
 interface UP protocol DOWN state. Telco is saying they
 see no LMI from my equipment. In the past when i seen
 no LMI it always turned out to be something on the
 telco side. I dont do frame relays much so i am kind
 of at the mercy of tech who is turning this circuit up
 so can someone give me some pointers on what i can
 look for to make sure it is not in my equipment ? or
 how i can tell if it is a telco issue with circuit?
 any replies would be greatly appreciated! fast replies
 appreciated even more!!! :)
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44774t=44774



RE: Standby Preempt [7:44762]

2002-05-22 Thread Phil Lorenz

Sorry- it was a router, a MSFC1 to be specific.

Thanks 
Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 7:51 PM
To: [EMAIL PROTECTED]
Subject: RE: Standby Preempt [7:44762]

Phil, Thanks for posting this, I wasn't even aware that you could use hsrp
on switches/vlans, if you have an url or more info on using hsrp on switches
that would be great. As for your question, if hsrp works on switches in the
same way it does on routers, then yes switch #2 should also have a preempt
statement. If vlan 101 on switch #1 fails its priority decrements by the
default value (10 I think) switch #2 picks up on this when it receives the
next hello packet from switch #1, switch #2 then becomes the active switch,
but since there is no preempt on switch #2 it has no way of returning back
to standby once switch #1 returns to its original state. This is assuming
that hsrp operates the same on switches as it does on routers, if not then
please disregard.
James




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44775t=44762



filter snmp MIB send out on a router [7:44777]

2002-05-22 Thread Adam Wang

Hi group,

Is there a way to filter the SNMP MIB sent out on a
cisco router?

For example, I want a community string to only send out
router interface status info.

How would I accomplish this?

Thanks

Adam





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44777t=44777



Re: Provider backbone engineering [7:44778]

2002-05-22 Thread Howard C. Berkowitz

At 7:58 PM -0400 5/22/02, dre wrote:
Howard C. Berkowitz  wrote in message
news:[EMAIL PROTECTED]...

  :-) well, my book on the subject, Building Service Provider
  Networks, should be about to ship.

  Seriously, let's talk about several areas, beginning with BGP.  Every
  BGP scenario I've seen or heard of in the CCIE context, at best,
  looks at an extremely simple configuration with rules NEVER used in
  the real world.  A few contrasts:

The way Cisco teaches BGP irks me as well.  They just don't cover
anything except the basics.

  -- in the real world, it's VERY rare to redistribute between a dynamic IGP
  and BGP. Sure, there are exceptions, but they are VERY carefully chosen.
  A provider backbone CANNOT survive having 100,000-plus routes in its
  IGP, nor should it.

I wouldn't say it's VERY rare.

There's something as key as OSI (actually more so) in this technology 
area that often doesn't get mentioned: the abstraction of routing 
policy (which is distinct from Cisco policy routing). I only started 
understanding what backbones actually were doing when I began to grok 
RIPE-181, which has been superseded by RPSL.

Take Philip Smiths' NANOG presentation
on Multihoming as an example.  Many Enterprises may want to get peering
routes or partial routes and inject them into their IGP.

The first key question to ask here:  what is the broad routing 
paradigm?  Cold potato/closest exit or hot potato/best exit?

The second key question is how one should try for optimal Internet 
routing at the small to medium enterprise level. It may not really be 
that important.

Many ISP's may want
to inject their IGP into their BGP for customer static routes (using a
route-map to filter out all the junk).

With considerable aggregation, yes. Alternatively, though, 
redistributing blackhole statics for their allocations is common 
enough.

We've been learning a lot about that IGP metric direct translation to 
MED can be dangerous, and produce persistent oscillation. Those route 
maps may be the better way to set MED.

I would say this is VERY common.  What's not common
(and what you are referring to) is redistributing everything (IGP to BGP;
BGP to IGP) for full routes (the 112,000 routes today).

  -- In provider use, the main purpose of the IGP (or multiple instances of an
  IGP) is to maintain connectivity among BGP routers.  You may have a
  separate IGP instance for each POP or group of POPs.

Next-hop information for BGP, correct.  It holds the infrastructure addresses,
and I'm pretty sure you are familiar with this term since I think you invented it.
So basically, a bunch of routed transit links (/30's or /31's if you can use them)
and loopback interfaces (/32's) and not much else, if anything else at all.

  -- To connect customers, there is MUCH more use of static and default routes.
  You could not possibly run a provider network with the CCIE lab rule of
  no statics or defaults.

Service providers typically implement tons of statics and defaults, correct.
Most don't like it, though, and try to design around it for any alternatives.

Well, it depends.  If you look at my NANOG and ARIN presentations on 
address management, this lends itself to being automated. A provider 
certainly has to keep a database of the address space it hands out. 
Once you have this database, writing a Perl script or even the DBMS 
reporting system can be used to generate ip route, DNS A/PTR, etc., 
records, which then get merged into .cfg files for routers and/or 
sent directly to the devices, using telnet/TCL/expect.


  -- AS paths are longer and more complex than you can create with six or
  so routers.

Most people cannot create/simulate the Internet in their house, very true.

  -- There's a HUGE amount of things to be concerned with that aren't strictly
  configuration, such as justifying/obtaining/managing address space,
  intercarrier relationships involving both economics and cooperative
  troubleshooting, DNS management, protecting against distributed denial
  of service, etc.

This stuff is pretty easy, actually.  At least once you start doing it and getting
your head around the problems.

Ummm...isn't that about what you say to a virgin about sex? :-)

CCIE doesn't teach ARIN/RIPE/APNIC
justification.  But ARIN's/RIPE's/APNIC's websites teach it pretty well.

The RIR's and IRR's aren't complex, they are just black art (sort of like DNS
is).  You have to know where to go to get the information, and you can't just
sit down one day and learn it (well maybe you can).  But there are a lot of
good resources out there on RPSL, etc, that will let you pick this up fairly
quickly.  RFC 2622 and RFC 2650 are a fairly good start.

Yep. A lot of tutorials as well at www.radb.net.  I use extensive 
RPSL and pseudo-RPSL in explaining provider problem analysis in the 
new book.


Learning about Inter-Provider relationships is easy, too, once you get
involved.

Fwd: no lmi - dlci inactive - telco says my problem? [7:44774]

2002-05-22 Thread [EMAIL PROTECTED]

Another possible problem (although the outputs that people have asked for 
would help...)
Do you have no keepalive set?  If you turn off keepalives, you will turn 
off LMI from your router to the telco switch - which won't help your 
connectivity much...

Could be worth checking with your telco how often they expect to see 
keepalives and make sure your keepalive interval matches that - I think 
the default is ten seconds.

JMcL
- Forwarded by Jenny Mcleod/NSO/CSDA on 23/05/2002 12:26 pm -


Daniel Skripka 
Sent by: [EMAIL PROTECTED]
23/05/2002 10:33 am
Please respond to Daniel.Skripka

 
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: 
Subject: Fwd: no lmi - dlci inactive - telco says my problem? [7:44774]
Is this part of a business decision process?: 


No LMI indicates the telco frame switch is not seeing the frame
keepalives from the cisco.
1. Are both sides confirmed as using same frame relay encapsulation
[ietf/cisco]
2. What is the output of 'debug frame lmi'?
3. What is the output of debug serial interface?
4. Have you tried to do a shut/no_shut or a clear on the physical
interface after the loop test?

beth shriver wrote:
 
 Hello friends, I am having a little problem getting a
 new long distance frame relay circuit going and
 getting the ol its your equipment answer from telco
 and not sure if this is the case or not. I have
 checked cables and tsu/router config and all seems ok
 . when the telco loops my csu/tsu it causes my
 interface to bounce but interface then stays in
 interface UP protocol DOWN state. Telco is saying they
 see no LMI from my equipment. In the past when i seen
 no LMI it always turned out to be something on the
 telco side. I dont do frame relays much so i am kind
 of at the mercy of tech who is turning this circuit up
 so can someone give me some pointers on what i can
 look for to make sure it is not in my equipment ? or
 how i can tell if it is a telco issue with circuit?
 any replies would be greatly appreciated! fast replies
 appreciated even more!!! :)
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44782t=44774



Re: ppp multilink over adsl????? [7:44704]

2002-05-22 Thread Chuck

I heard someplace, maybe on this list, about using dry pair for DSL
connections between two points. Attach a DSL device like an 827 at each end
and voila! In such a case, I wonder. Especially now that you can create a
virtual multilink interface, rather than have to go through the old virtual
template method.  Why not?


MADMAN  wrote in message
news:[EMAIL PROTECTED]...
 I think you're correct.  Most people that have DSL terminate at a
 provider and I know of no providers that provide DSL-ppp-multilink.  We
 do have several customers that do control both sides, use DSL for
 employee remote access and some use it for backup but again none have
 tried the multilink but I suspect it's possible.

   Dave

 Michael Williams wrote:

  I'm going to hazard a guess here and see what others think of my theory.

  For PPP Multilink to work you need it enabled at both ends. with
  point-to-point T1s or ISDN this isn't a problem because you (usually)
  control both ends But with ADSL, you only control one end (unless this
  is the weird point-to-point DSL that's being offered that I've just never
  heard of).  So I don't think this would be possible, because your DSL
  provider would treat each connection separately (attempt to give an IP,
  etc)..

  Anyone's thoughts?
 
  Mike W.
 --
 David Madland
 Sr. Network Engineer
 CCIE# 2016
 Qwest Communications Int. Inc.
 [EMAIL PROTECTED]
 612-664-3367

 Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44784t=44704



Re: BGP load balancing [7:44697]

2002-05-22 Thread Chuck

I love these "how to load balance using BGP" threads.

Everyone who wants to load balance across the internet should be aware
that you may be creating a situation where you are hurting your performance.
Let's say that you have two AS Paths that are the same length. How do you
know how many hops there are along each of those AS Paths? Maybe one path
crosses 37 routers and the other one only crosses 3. Think that might have
potential issues?

Just because you want to do it, just because you can do it, doesn't mean you
should do it. As someone wiser than I likes to ask: what problem are you
trying to solve?


jeff sicuranza  wrote in message
news:[EMAIL PROTECTED]...
 Yes it does if you are doing EBGP and your router has two or more directly
 connected links to your EBGP peer. The default load balancing will work
 if static routes or an IGP is used for your subnets linking your neighbors.
 You see it is not BGP performing the load balancing but the normal behavior
 of load balancing across equal cost paths (if exists) regardless if you are
 using static or IGP routes.. EBGP multihop also does this however, you are
 still using the behavior of the static and IGP routes for equal cost paths
 but do not need to have your neighbors directly connected... Lab it you will
 see... Have fun




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44785t=44697



Re: Passed 350-001 today [7:43574]

2002-05-22 Thread Hosui Tse

Hi all,

Which book/document must I read before the exam?


- Original Message -
From: Kerry 
To: 
Sent: Thursday, May 09, 2002 12:26 AM
Subject: Re: Passed 350-001 today [7:43574]


 congrats

 Kris Keen  wrote in message
 news:[EMAIL PROTECTED]...
  Hi All,
 
  I sat the CCIE RS Written today at Vue in Sydney. I passed with 79%
  I sat the original exam..
  I used the NLI Study Guide (spot on), Boson 2/3, Rossi's paper and the CCIE
  Lan switching LANE chapter along with the OSPF Section outta  Routing TCPIP
  Vol 1.

  I thought this was a great exam, and enjoyed it a lot. Quite difficult but
  really tested me..! Stressing ATM/Bridging and OSPF heavily!
 
  Now onto the BIG BOY!  Best of luck to everyone!
 
  Cheers
  Kris
 
  CNE, CCNP, CCIE Written




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44786t=43574



Boson CCIE BootCamp [7:44780]

2002-05-22 Thread Dave Shine

Does anyone have any input on the CCIE bootcamps for
the lab. Is this worth the money?  I don't want to dish
out $8000 large for nothing.

- Me





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44780t=44780



Re: Provider backbone engineering [7:44778]

2002-05-22 Thread dre

Howard C. Berkowitz  wrote in message
news:[EMAIL PROTECTED]...
   -- in the real world, it's VERY rare to redistribute between a dynamic
  IGP and BGP. Sure, there are exceptions, but they are VERY carefully
  chosen.
  A provider backbone CANNOT survive having 100,000-plus routes in its
  IGP, nor should it.
 
 I wouldn't say it's VERY rare.

 There's something as key as OSI (actually more so) in this technology
 area that often doesn't get mentioned: the abstraction of routing
 policy (which is distinct from Cisco policy routing). I only started
 understanding what backbones actually were doing when I began to grok
 RIPE-181, which has been superseded by RPSL.

RPSL is a great way of explaining routing policy.  Even stranger I found it
holds a lot of programming concepts like object-oriented-ness.  But the
language only goes as far as the real world implementations.  Learning RPSL
was one thing, but downloading all of the radb.db files over the years and
reading through them was the real experience of a lifetime.

 The first key question to ask here:  what is the broad routing
 paradigm?  Cold potato/closest exit or hot potato/best exit?

For a peering routes example, yes best-exit/closest-exit problems
are super high on the agenda.  However, that seems to be more of
an IGP problem, and that's where regular knowledge of say, OSPF,
is taken to a whole new level.  And one that is never taught in any
course or material in any classroom or even online.  You learn that
on the job at an ISP (does anybody else have any resources for this?).

 Many ISP's may want to inject their IGP into their BGP for
 customer static routes (using a route-map to filter out all the junk).

 With considerable aggregation, yes. Alternatively, though,
 redistributing blackhole statics for their allocations is common
 enough.

Reversal routing concepts are common in the workplace and unheard
of in any labs/certification courses.

 We've been learning a lot about that IGP metric direct translation to
 MED can be dangerous, and produce persistent oscillation. Those route
 maps may be the better way to set MED.

Where is there information available in-print/online about the MED's
topic?  Another one completely skipped over.  Most people are using
IGP metrics alone these days, no need to try to translate.  At least in
the environments I've seen.  This is a part of that whole closest-/best-
exit argument above.  I've never really seen any configs or designs for
translating IGP metrics to MED, something like that would be interesting
to see - even if it produces oscillatory routing.  Do you know why this
happens?  Can you try to explain the problems more effectively?

 Service providers typically implement tons of statics and defaults, correct.
 Most don't like it, though, and try to design around it for any
 alternatives.

 Well, it depends.  If you look at my NANOG and ARIN presentations on
 address management, this lends itself to being automated. A provider
 certainly has to keep a database of the address space it hands out.
 Once you have this database, writing a Perl script or even the DBMS
 reporting system can be used to generate ip route, DNS A/PTR, etc.,
 records, which then get merged into .cfg files for routers and/or
 sent directly to the devices, using telnet/TCL/expect.

Don't forget to automate the billing, RWhois/SWIP changes, and the rest. ;

Makes me wonder why anyone bothers to continue to get PA space ever.
It might be easier to pick up some swamp space on eBay for $10,000, than
to pay out to some ISP's and have to renumber in the end anyways.  RIR's
need to fix this.  RIPE is doing a much better job.

 This stuff is pretty easy, actually.  At least once you start doing it and
 getting your head around the problems.

 Ummm...isn't that about what you say to a virgin about sex? :-)

Luckily there are lots of good books and even real-life experiences that
you can purchase.  And there's lots of people willing to share their
experiences.  There's a whole different industry and market there, Howard ;
I don't think you need to go to school or have certifications, at least my wife
didn't ask for any credentials.

 Yep. A lot of tutorials as well at www.radb.net.  I use extensive
 RPSL and pseudo-RPSL in explaining provider problem analysis in the
 new book.

That sounds really cool.  Got any examples for those of us who can't wait?

 Exactly. But the point here is that the certification programs aren't
 enough to get started.  This is one of the reasons people on this
 list keep emphasizing that proficient network engineers MUST learn to
 research on their own.

I would never argue against that concept! =]  I thought the point of the thread
was to identify places where there isn't *any* information out there, and stuff
that's totally black-art.  Cisco certs clearly don't have the whole ball-of-wax,
but a lot of this can be easily incorporated into their curriculum.

 Olivier Bonaventure, whom I believe 

Re: Passed 350-001 today [7:43574]

2002-05-22 Thread Michael L. Williams

Congrats!  Good luck on the lab

Mike W.

  Kris Keen  wrote in message
  news:[EMAIL PROTECTED]...
   Hi All,
  
   I sat the CCIE RS Written today at Vue in Sydney. I passed with 79%
   I sat the original exam..
   I used the NLI Study Guide (spot on), Boson 2/3, Rossi's paper and the CCIE
   Lan switching LANE chapter along with the OSPF Section outta Routing TCPIP
   Vol 1.
  
   I thought this was a great exam, and enjoyed it a lot. Quite difficult but
   really tested me..! Stressing ATM/Bridging and OSPF heavily!
  
   Now onto the BIG BOY!  Best of luck to everyone!
  
   Cheers
   Kris
  
   CNE, CCNP, CCIE Written




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44787t=43574
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Passed the written... Now on to the lab!! [7:44442]

2002-05-22 Thread Frank Merrill

Michael L. Williams wrote:
 


 (just to echo what others have said) If you're anywhere close to ready to
 take the written, do it now!  I took the beta for the new written, and it's
 much different.  Aside from information on routing protocols,



I assume this means you took the Beta, and then also took the current
version (maybe assuming you didn't pass the Beta??) and passed that?

fm



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44788t=2



Re: Provider backbone engineering [7:44778]

2002-05-22 Thread Howard C. Berkowitz

At 11:27 PM -0400 5/22/02, dre wrote:
Howard C. Berkowitz  wrote in message
news:[EMAIL PROTECTED]...
-- in the real world, it's VERY rare to redistribute between a dynamic
   IGP and BGP. Sure, there are exceptions, but they are VERY carefully
   chosen.
   A provider backbone CANNOT survive having 100,000-plus routes in its
   IGP, nor should it.
  
  I wouldn't say it's VERY rare.

  There's something as key as OSI (actually more so) in this technology
  area that often doesn't get mentioned: the abstraction of routing
  policy (which is distinct from Cisco policy routing). I only started
  understanding what backbones actually were doing when I began to grok
  RIPE-181, which has been superseded by RPSL.

RPSL is a great way of explaining routing policy.  Even stranger I found it
holds a lot of programming concepts like object-oriented-ness.  But the
language only goes as far as the real world implementations.  Learning RPSL
was one thing, but downloading all of the radb.db files over the years and
reading through them was the real experience of a lifetime.

  The first key question to ask here:  what is the broad routing
  paradigm?  Cold potato/closest exit or hot potato/best exit?

For a peering routes example, yes best-exit/closest-exit problems
are super high on the agenda.  However, that seems to be more of
an IGP problem, and that's where regular knowledge of say, OSPF,
is taken to a whole new level.

Not necessarily an IGP problem, but possibly an edge router that 
classifies traffic, possibly with communities signaled to an 
aggregating router, or using policy routing to MPLS tunnels.

And one that is never taught in any
course or material in any classroom or even online.  You learn that
on the job at an ISP (does anybody else have any resources for this?).

Most of my knowledge of this approach came from IETF mailing lists, 
some of the MPLS drafts, and informal discussions with protocol 
implementers (well, I was doing some of the cancelled Nortel router 
architecture for this).


  Many ISPs may want to inject their IGP into their BGP for
  customer static routes (using a route-map to filter out all the junk).

  With considerable aggregation, yes. Alternatively, though,
  redistributing blackhole statics for their allocations is common
  enough.

Reversal routing concepts are common in the workplace and unheard
of in any labs/certification courses.

Are you mentioning reverse path verification as well?


  We've been learning a lot about that IGP metric direct translation to
  MED can be dangerous, and produce persistent oscillation. Those route
  maps may be the better way to set MED.

Where is there information available in-print/online about the MED's
topic?  Another one completely skipped over.

http://www.ietf.org/internet-drafts/draft-ietf-idr-route-oscillation-01.txt

Most people are using
IGP metrics alone these days, no need to try to translate.  At least in
the environments I've seen.  This is a part of that whole closest-/best-
exit argument above.  I've never really seen any configs or designs for
translating IGP metrics to MED, something like that would be interesting
to see - even if it produces oscillatory routing.  Do you know why this
happens?  Can you try to explain the problems more effectively?

There are also some unusual uses of MED, where IOS has knobs to implement 
certain behavior.  Always-compare-MED can compare the MEDs of 
different AS, as long as they are adjacent.  Avi Freedman had a 
presentation on an informal standard for exchange-point MED values, 
based on delay, at the Denver NANOG.


  Service providers typically implement tons of statics and defaults, correct.
  Most don't like it, though, and try to design around it for any
  alternatives.

  Well, it depends.  If you look at my NANOG and ARIN presentations on
  address management, this lends itself to being automated. A provider
   certainly has to keep a database of the address space it hands out.
  Once you have this database, writing a Perl script or even the DBMS
  reporting system can be used to generate ip route, DNS A/PTR, etc.,
  records, which then get merged into .cfg files for routers and/or
  sent directly to the devices, using telnet/TCL/expect.

Don't forget to automate the billing, RWhois/SWIP changes, and the rest. ;

  This stuff is pretty easy, actually.  At least once you start doing it and
  getting your head around the problems.

  Ummm...isn't that about what you say to a virgin about sex? :-)

Luckily there are lots of good books and even real-life experiences that
you can purchase.  And there's lots of people willing to share their
experiences.  There's a whole different industry and market there, Howard ;
I don't think you need to go to school or have certifications, at least my wife
didn't ask for any credentials.

I shudder to think what thread drift here into certification versus 
experience versus academic arguments might bring. I will recount one 
of 
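
The database-driven generation described in the message above (ip route and DNS PTR records produced from the address database), as an added sketch that is not code from the thread and is written in Python rather than the Perl the message mentions. The provider block, customer names, next hops and host names are constructed sample data, and the Null0 route for the whole block reflects the blackhole statics the message refers to.

```python
import ipaddress

# Constructed sample data: documentation prefixes and hypothetical customers.
PROVIDER_BLOCK = "192.0.2.0/24"
ALLOCATIONS = [
    {"customer": "acme", "prefix": "192.0.2.0/26", "next_hop": "198.51.100.1",
     "hosts": {"192.0.2.10": "www.acme.example."}},
    {"customer": "globex", "prefix": "192.0.2.64/27", "next_hop": "198.51.100.5",
     "hosts": {"192.0.2.70": "mail.globex.example."}},
]

def validate(allocations, block=PROVIDER_BLOCK):
    """Refuse to generate config from a database with bad or overlapping entries."""
    parent, seen = ipaddress.ip_network(block), []
    for a in allocations:
        net = ipaddress.ip_network(a["prefix"])   # raises if host bits are set
        ipaddress.ip_address(a["next_hop"])       # raises on a malformed next hop
        if not net.subnet_of(parent):
            raise ValueError(f"{net} is outside {parent}")
        clash = next((n for n in seen if net.overlaps(n)), None)
        if clash is not None:
            raise ValueError(f"{net} overlaps {clash}")
        for host in a["hosts"]:
            if ipaddress.ip_address(host) not in net:
                raise ValueError(f"{host} is not inside {net}")
        seen.append(net)
    return seen

def static_routes(allocations, block=PROVIDER_BLOCK):
    """IOS-style statics: a Null0 route for the whole block, then one per customer."""
    parent = ipaddress.ip_network(block)
    lines = [f"ip route {parent.network_address} {parent.netmask} Null0"]
    for net, a in zip(validate(allocations, block), allocations):
        lines.append(f"ip route {net.network_address} {net.netmask} {a['next_hop']}")
    return lines

def ptr_records(allocations, block=PROVIDER_BLOCK):
    """Reverse-DNS records for every host the database names."""
    validate(allocations, block)
    return [f"{ipaddress.ip_address(h).reverse_pointer}. IN PTR {name}"
            for a in allocations for h, name in sorted(a["hosts"].items())]

if __name__ == "__main__":
    print("\n".join(static_routes(ALLOCATIONS) + ptr_records(ALLOCATIONS)))
```

Validating before emitting anything is the part that matters when the output is merged into router .cfg files automatically: an overlapping or out-of-block entry stops the run instead of reaching a device.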

Len Lee/CHI/NTRS is out of the office. [7:44790]

2002-05-22 Thread Len Lee

I will be out of the office starting  May 23, 2002 and will not return
until June 10, 2002.

I will respond to your message when I return.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44790t=44790



Interface Resets [7:44791]

2002-05-22 Thread Sujal G. Ajmera

Hi,

Is there any acceptable limit for this?

Thanks,

Sujal

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44791t=44791



RE: ISDN BRI Simulator Comparison [7:44763]

2002-05-22 Thread Mike Sweeney

I have an older Arca Emutel which is ST only. No external NT1's required on
the older 2500s. Works great and about the only difference between the new
one and this one is the U interface.

Default numbers are 55 and 66

Switch type default is Basic-dms100

Bought it used from one of the guys on the boards here :)

MikeS



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44792t=44763