Re: STP and 7 hops [7:44408]
Sorry to keep harping on this one, but I'm actually learning something here. Besides, my big project at work these days is working with a large university, replacing their campus physical and switch infrastructure. I'm finding this discussion fascinating for that reason as well.

If I read my source correctly, the max age field is supposed to be 2 bytes, and is supposed to be a time value, with the min being 1/256 second and the max being 256 seconds. Other than in the initial STP process (or recalculation) the BPDU would for all practical purposes be time from the root. Correct? My source tells me only the fields and their values, and nothing about functionality. It would appear that the max age field tells the local switch how old a message can be before it is disregarded, or causes some other action to be taken. The message age field is the actual age as per the process you describe below - incremented by each bridge along the way. The root path cost is used to advertise how far this bridge is from the root? Hops? Counting on my fingers, a max distance of 20 from the root is a whole lot different than a max diameter of 7.

Chuck

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...

There's nothing in the STP frames to enforce a 7 hop diameter. But there is the Message Age field in the BPDUs. Each bridge (switch) adds one to the Message Age when the switch propagates the BPDU downstream. The Maximum Age threshold is 20. If a BPDU gets to a switch with the Message Age already at 20, it will think that the tree needs reconverging. This would get ugly if switches on the edges were always trying to reconverge. So, the max size from that viewpoint is 20 from the root. But 7? I really think DEC threw that in as a precaution. It's interesting that IBM was saying the same thing about source route bridging at the time (max bridges is 7).
(But try finding 7 in IEEE 802.1D Annex C, the official standardization of source-route transparent bridging. The RIF can actually hold info for 14 rings and 13 bridges.) Back to the real subject at hand, the 7 max for STP is mentioned as a recommended value in Table 8.2 Maximum Bridge Diameter of IEEE 802.1D and is defined as "The maximum number of Bridges between any two points of attachment of end stations." Then it's discussed again in Appendix B B.3.1.2 Basis of choice. This section is pretty incomprehensible, but, as far as I can tell, the main reason for the choice of parameters is to minimize the lifetime of a data (user) frame travelling across the switched network.

Regarding gigastack, it sounds like the answer that Steven got from Cisco is that each switch counts as a hop, so if STP is enabled, each counts toward the _theoretical_ 7 hop count limit. But I bet you're right also that STP could be disabled with gigastack. It sounds like the topology is already a single linear branch (stack) with no loops. There's no need to prune it into a tree. But I'm way out on a limb now. ;-)

Priscilla

At 06:34 PM 5/19/02, Chuck wrote:

You know, it suddenly occurs to me that I have been barking up the wrong [spanning] tree, so to speak. Let me guess - there is no maximum STP diameter in actuality because there is mechanism for enforcing a max diameter. The BPDUs apparently contain a field which shows distance from the root, and this value is incremented each time it crosses a bridge. If that field is the root path cost field, then this is a four byte value and that means a spanning tree could theoretically have a max distance from the root of 64000 or so? It's just that the recommendation in terms of best practice is diameter of 7. Thanks to Marty A. for providing the link that was the spike that finally began to sink through this thick head.

Chuck wrote in message news:[EMAIL PROTECTED]...
STP is really not an issue in the kind of application where gigastack makes sense. For example, take an office of 400 users plus servers and printers, occupying a contiguous space. Basic file and print sharing plus an internet connection. Rather than buy a honking 65xx, you throw in a few 3550-48's and gigastack them. The electronics work in conjunction with the switch OS to create a half duplex bus between the switches. (The interesting thing is that the electronics are apparently smart enough to determine if there are only two devices stacked, in which case the bus is full duplex.) That's the question about gigastack - whether the entire stack is treated as one switch, the way it is for management purposes, or if standard STP applies. We had a thread on this a few weeks ago, but none of us could find an answer in the Cisco documentation. That's why I asked Steven (who asked Cisco) what Cisco had to say about spanning tree over a gigastack setup. I'm willing to bet that in a gigastack situation, that STP is disabled (
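The Message Age / Max Age mechanism Priscilla describes, as an added example that is not code from the thread: a toy model of a root BPDU relayed down a chain of bridges, where each bridge adds one to Message Age and a bridge that receives a BPDU with Message Age already at Max Age treats the information as expired. It also encodes the 2-byte timer fields in 1/256-second units and the 4-byte root path cost that Chuck asked about. The linear chain, the per-hop link cost of 19 and the default Max Age of 20 are assumed inputs; the thread only supplies the 20 threshold.

```python
import struct
from dataclasses import dataclass

MAX_AGE_DEFAULT = 20        # seconds: the Max Age threshold discussed in the thread


@dataclass(frozen=True)
class BPDU:
    root_id: int
    root_path_cost: int     # 4-byte field: cumulative path cost to the root
    message_age: int        # seconds since the root originated this information
    max_age: int            # seconds; information older than this is discarded


def timer_field(seconds: float) -> int:
    """Encode a BPDU timer as its 2-byte wire field, in units of 1/256 second.
    Range per the thread: 1/256 s up to 256 s (256 s would overflow, so it is clipped)."""
    if not 0 <= seconds <= 256:
        raise ValueError("timer out of range")
    return min(int(seconds * 256), 0xFFFF)


def pack_cost_and_timers(bpdu: BPDU) -> bytes:
    """Pack Root Path Cost (4 bytes) and the Message Age / Max Age timers (2 bytes each)
    as they sit on the wire. Only this subset of the BPDU is modelled here."""
    return struct.pack("!IHH", bpdu.root_path_cost,
                       timer_field(bpdu.message_age), timer_field(bpdu.max_age))


def relay(bpdu: BPDU, link_cost: int) -> BPDU:
    """What a non-root bridge re-advertises downstream: Message Age goes up by one
    per bridge (the increment described in the thread) and the link cost is added."""
    return BPDU(bpdu.root_id, bpdu.root_path_cost + link_cost,
                bpdu.message_age + 1, bpdu.max_age)


def is_stale(bpdu: BPDU) -> bool:
    """A bridge receiving a BPDU whose Message Age already reached Max Age treats
    the root information as expired, the condition the thread describes."""
    return bpdu.message_age >= bpdu.max_age


def walk_chain(bridges: int, max_age: int = MAX_AGE_DEFAULT, link_cost: int = 19) -> dict:
    """Push a root-originated BPDU down a linear chain of `bridges` non-root bridges
    (a constructed topology; link_cost 19 per hop is an assumed value)."""
    bpdu = BPDU(root_id=1, root_path_cost=0, message_age=0, max_age=max_age)
    accepted = 0
    for _ in range(bridges):
        if is_stale(bpdu):
            return {"accepted": accepted, "discarded_at_age": bpdu.message_age,
                    "cost": bpdu.root_path_cost}
        accepted += 1
        bpdu = relay(bpdu, link_cost)
    return {"accepted": accepted, "discarded_at_age": None, "cost": bpdu.root_path_cost}


if __name__ == "__main__":
    print(walk_chain(30))   # 20 bridges accept the BPDU; the 21st sees Message Age 20
    print(walk_chain(7))    # the recommended diameter sits well inside that limit
```

Running it shows that with Max Age 20 the BPDU is accepted by 20 bridges and rejected by the 21st, the "20 from the root" figure in the thread, while a 7-bridge chain never comes near the threshold: the 7 is a recommended design value, not something any BPDU field enforces.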
RE: EIGRP NBMA and multicast together.. [7:44603]
The idea is: the router makes a copy of the hello packet and sends this packet on each VC. So if you have 10 VCs you will send 10 hello packets, and these packets are multicast (destination address 224.0.0.10). Anyway, you can see a document on Cisco: http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/mcst_sol/frm_rlay.htm Best regards Stefan CCNA CCNP (1/4)...:-) Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44691t=44603 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Security on Router Switches [7:44692]
Morning, I am trying to deny access to our router on the network, but allow access on the switches only. I am using TACACS; is there a way of grouping switches differently from routers and assigning different security settings to them? Cheers Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44692t=44692
Reloading Cisco 7204 [7:44693]
Morning, I have a Cisco 7204 that was alright until 4 weeks ago. It started rebooting itself every 12 hours; upon checking the crashinfo file, nothing in it suggests something was wrong. Flash was full with crashinfo files; after deleting files, the router stopped rebooting for about two weeks. So I thought it was a memory problem, and case solved and closed! Only to find out today that the problem has resurfaced. Thought of upgrading IOS from 12.1 to 12.2, ran IOS 12.2 on a test 7204 with the same modules as in the production 7402. Ran ok for 2 days, and reloaded. I cannot find anything on Cisco pages. Any suggestions would be appreciated. Cheers Kerry Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44693t=44693
Re: Logic and Lab Rats [7:44653]
Wow. (Attention G-S moderators: I know you always hoped I'd be at a loss for words at some point. Nota Bene: this post came closer than most. I apologize for the tease.) Please note that I'm using this thread in a vain hope to render dormant all sub-threads. I say wow, partially because where purely non-tangible matters are concerned, I usually applaud extreme tactics, but in this case I'm profoundly stumped. Paul Feyerabend is certainly one of my favorite non-fiction authors, but even he wielded reason against itself. I'm impressed (and I'm not often impressed by how/the-manner-in-which/ people think - or at least pretend to), but this post raised the stakes a bit, albeit unwittingly, refuting reason BY EXAMPLE, therefore providing the only potentially compelling counterargument to the modification of the subject line wherein the string Logic suddenly plays a part. Taxonomical breakdown: 2 questions contrasted with the output of a 3rd, whereupon the outcome solves nothing, and the group of two bear a tenuous relation to the third. The 4th question is profoundly subject to the whims of fortune, temporality, and the instincts of the poor fellow who would dare use the L word on this newsgroup: based upon the past couple of hundred years of western civilization or so, I'd say that the intended target has a better chance than most, especially if he is allowed to draw upon past experience. Question 5 ignores the public record on the subject, and improperly contrasts the potential answers of the first set with its own solution space. Whether or not someone remembers cretaceous technologies they have worked with does not provide a useful predictive measure of their ability to adapt to change or assimilate new technologies and their nuances.
I'm not sure where the equation between familiarity with the specifics of predecessor technologies and the practice of perpetuating their continued usage came from, but certainly not from a sample size relevant enough to settle this issue. I'm going to skip a bit, because my potential point of insight has not been posted by anyone else as best my time-warner internet access point can reveal. Taking us to the matter of appreciation: I'm not sure this admonishment is best directed at someone who provides materials whereby individuals may study and aspire to be the best, since A) his materials are profoundly superior to many other competitive products B) he offers advice from a career marked by a profound lack of stagnation and a level of maintaining familiarity with emerging standards so extreme that he wound up participating in the development process itself for various extant standards. Since your observations don't match the public record, and since the past 100 years of USA public schooling and the profession of psychology have profoundly failed humanity, I'll not directly address the last comment except to note that the noun is undescriptive at best. To address the previous replies: Peter had excellent insight wording, but just in case his analysis is not 100% correct (as in, what if he did NOT lose a job to such an individual), I offer mine in order to force the available quibble space to converge to 0. Thomas Larus elegantly outlines the issues which concern me. Ms. McLeod adroitly points out the balance between no testing and too much of the same. Adam Lee re-emphasizes the ongoing need for support of the technologies dismissed out-of-hand by the original poster. Priscilla provides factual clarification and some fundamental insight. nrf posts a call for balance as a strategy for intellectual success in this industry that binds us. His subsequent posts come the closest to a better way. In all cases, the matter boils down to this: your cognitive dualism won't stand.
To abruptly divide the world between experienced, stubborn, older folk unfamiliar with the past 7 years of digital computing research, and newly matriculated folk who lack any exposure to large scale implementations of the technologies they would purport to support, is to reduce yourself to the level of performance that many HR teams are unjustly relegated to (DISCLAIMER: I'm aware of the cases where this is justified . . .). As the SLJ character in Pulp Fiction might start it out, THE TRUTH IS, the one common characteristic people afraid of new things, incapable of testing, and unfriendly to new ideas have is precisely the following: the characteristics I just described. Sure, there exist seasoned veterans who never learned to troubleshoot and can't handle changing LAN topologies any better than they manage their waning vitality. However, there also exist individuals straight out of accredited programs who know all kinds of nuances regarding C programming assembler theory. They coast through college complete and fulfilled based upon the realization that this background COMPLETELY prepares them for desktop, server AND network/intermediate systems support. These individuals are typically
Re: BGP load balancing [7:44697]
Need some advice from BGP experts: Does BGP do load balancing by default? Say there are 4 parallel paths between the source and destination; will the traffic be distributed among the 4 paths? If it does not support load balancing by default, how do you turn it on? How many parallel paths can it handle at maximum? Thanks in advance! Maurice Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44697t=44697
Re: Port number on Catalyst 3500XL [7:44533]
Ok, but I see a mac-address jumping to port 10 (and 11) and spanning-tree ports start at 13.

Words by Larry Letterman [Mon, May 20, 2002 at 12:52:38PM -0400]: That looks like it is using the spanning tree port numbers, not the physical switch port numbers. Larry Letterman Cisco Systems [EMAIL PROTECTED]

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jose Celestino Sent: Monday, May 20, 2002 9:18 AM To: [EMAIL PROTECTED] Subject: Port number on Catalyst 3500XL [7:44533]

The following error message got me to think what is port 51 on a 48 port Catalyst:
May 20 16:38:46 aaa.bbb.ccc.ddd 368176: 1y9w: 00d0.b709.1f02 has moved from port 51 to port 14 in vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368177: 1y9w: Addaddress 00d0.b709.1f02, on port 51 vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368178: 1y9w: 00d0.b709.1f02 has moved from port 14 to port 51 in vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368179: 1y9w: Addaddress 00d0.b709.1f02, on port 14 vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368180: 1y9w: 00d0.b709.1f02 has moved from port 51 to port 14 in vlan 1
May 20 16:38:54 aaa.bbb.ccc.ddd 368181: 1y9w: Addaddress 0050.8be1.54f3, on port 51 vlan 1
What rules does this numeration follow, and where can I find docs about it? TIA. -- Jose Celestino SAPO.pt::Systems http://www.sapo.pt - Quod licet Iovi non licet bovi. (What Jove may do, is not permitted to a cow.)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44698t=44533
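As an added example that is not part of the thread, a small parser for the "has moved from port X to port Y" lines Jose posted, grouping the moves per MAC and VLAN to flag address flapping, the symptom that usually points at a loop or a duplicated MAC rather than a host that really moved. The sample log is the thread's own lines; the 10-second window, the 2-move threshold and the 48-port front panel are assumed parameters, and the regex is written only for this 3500XL message format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The syslog lines quoted in the thread, copied here as the constructed sample input.
SAMPLE_LOG = """\
May 20 16:38:46 aaa.bbb.ccc.ddd 368176: 1y9w: 00d0.b709.1f02 has moved from port 51 to port 14 in vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368177: 1y9w: Addaddress 00d0.b709.1f02, on port 51 vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368178: 1y9w: 00d0.b709.1f02 has moved from port 14 to port 51 in vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368179: 1y9w: Addaddress 00d0.b709.1f02, on port 14 vlan 1
May 20 16:38:49 aaa.bbb.ccc.ddd 368180: 1y9w: 00d0.b709.1f02 has moved from port 51 to port 14 in vlan 1
May 20 16:38:54 aaa.bbb.ccc.ddd 368181: 1y9w: Addaddress 0050.8be1.54f3, on port 51 vlan 1
"""

# Matches only the 3500XL "has moved" message; "Addaddress" lines are left alone.
MOVE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \d+: \S+: "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) has moved from port (?P<src>\d+) "
    r"to port (?P<dst>\d+) in vlan (?P<vlan>\d+)$")


def parse_moves(text: str) -> list:
    """Extract (timestamp, mac, vlan, from_port, to_port) tuples from the log text."""
    moves = []
    for line in text.splitlines():
        m = MOVE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        moves.append((ts, m["mac"], int(m["vlan"]), int(m["src"]), int(m["dst"])))
    return moves


def find_flaps(moves, window=timedelta(seconds=10), min_moves=2, physical_ports=48) -> dict:
    """Group moves per (mac, vlan) and report any MAC that moved at least `min_moves`
    times inside `window`. Ports above `physical_ports` are listed separately so the
    reader can see they are not front-panel ports (port 51 on a 48-port switch)."""
    by_key = defaultdict(list)
    for ts, mac, vlan, src, dst in moves:
        by_key[(mac, vlan)].append((ts, src, dst))
    flaps = {}
    for key, events in by_key.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= min_moves:
                ports = sorted({p for e in burst for p in e[1:]})
                flaps[key] = {"moves": len(burst), "ports": ports,
                              "non_physical_ports": [p for p in ports if p > physical_ports]}
                break
    return flaps


if __name__ == "__main__":
    for (mac, vlan), info in find_flaps(parse_moves(SAMPLE_LOG)).items():
        print(f"{mac} vlan {vlan}: {info['moves']} moves between ports {info['ports']} "
              f"(non-physical: {info['non_physical_ports']})")
```

On the thread's lines this reports 00d0.b709.1f02 oscillating between ports 14 and 51 three times within three seconds, with 51 marked as a non-physical port, which is the observation Larry's reply explains as a spanning tree port number.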
RE: DHCP NACK problems [7:44671]
Is it always NACKing for the same IP lease? Normally, the DHCP process works like this: the client sends a DHCPDISCOVER to find a DHCP server, the server responds with a DHCPOFFER, offering the client an IP, the client responds with a DHCPREQUEST to choose the IP address (in case it gets an offer for more than 1), and the server responds with a DHCPACK, sealing the deal. However, MS DHCP servers have a feature that allows them to detect IP address conflicts before responding with an ACK. What I would check is a few things: First, if this is happening due to conflict detection, you should see under active leases in DHCP a BAD ADDRESS listed by the IP. If you see that, ping the IP in question. If you get a response, track down the PC, and do an ipconfig to find its DHCP server. Then track down that server and kill it :) Hope this helps, Brian Hill CCNP, CCDP, MCSE 2000 (Charter Member), MCSE+I (NT4.0), MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+ Lead Technology Architect, TechTrain Author: Cisco, The Complete Reference http://www.alfageek.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44699t=44671
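The DISCOVER/OFFER/REQUEST/ACK exchange and the "find its DHCP server" step above, as an added example that is not part of Brian's post: a minimal DHCP message builder and parser that reads the message type (option 53) and the Server Identifier (option 54), then audits server replies against an allow-list of known servers so a NAK from an unexpected server stands out. The message layout follows RFC 2131; the addresses, client MAC and transaction id are constructed.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = bytes([99, 130, 83, 99])
BOOTREPLY = 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def build_dhcp(op: int, xid: int, chaddr: bytes, yiaddr: str, options: list) -> bytes:
    """Assemble a DHCP message: 236-byte BOOTP header, magic cookie, TLV options, END."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data: bytes) -> dict:
    """Parse the fixed header and walk the option TLVs until END (PAD is skipped)."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "client_mac": data[28:28 + hlen].hex(":"),
            "yiaddr": str(IPv4Address(data[16:20])), "options": options}


def classify(data: bytes) -> dict:
    """Name the message (option 53) and pull the Server Identifier (option 54),
    the field that says which server actually answered."""
    msg = parse_dhcp(data)
    mtype = MSG_TYPES.get(msg["options"].get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    server = msg["options"].get(OPT_SERVER_ID)
    return {"type": mtype, "xid": msg["xid"], "client_mac": msg["client_mac"],
            "yiaddr": msg["yiaddr"],
            "server_id": str(IPv4Address(server)) if server else None}


def audit(messages: list, authorized_servers: set) -> list:
    """Return server-originated messages whose Server Identifier is not on the
    allow-list: the replies to chase when an unexpected server is answering."""
    findings = []
    for data in messages:
        info = classify(data)
        if info["type"] in SERVER_MESSAGES and info["server_id"] not in authorized_servers:
            findings.append(info)
    return findings


# Constructed sample exchange: TEST-NET addresses, a made-up MAC and transaction id.
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_ACK = build_dhcp(BOOTREPLY, 0x1234ABCD, CLIENT_MAC, "192.0.2.150",
                        [(OPT_MSG_TYPE, b"\x05"), (OPT_SERVER_ID, IPv4Address("192.0.2.1").packed)])
SAMPLE_NAK = build_dhcp(BOOTREPLY, 0x1234ABCD, CLIENT_MAC, "0.0.0.0",
                        [(OPT_MSG_TYPE, b"\x06"), (OPT_SERVER_ID, IPv4Address("192.0.2.77").packed)])

if __name__ == "__main__":
    for finding in audit([SAMPLE_ACK, SAMPLE_NAK], authorized_servers={"192.0.2.1"}):
        print(f"{finding['type']} for {finding['client_mac']} "
              f"from unexpected server {finding['server_id']}")
```

With the constructed capture the ACK from the known server passes and the NAK from 192.0.2.77 is reported, which is the same information an `ipconfig` on the affected PC gives you, but taken from the wire for every client at once.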
RE: Dumb Access-List question [7:44588]
There are two differences. The first is that in the first example you are using a standard ACL, and in the second you are using an extended ACL. The second is that in the first example, you are using a numbered ACL, while in the second, you are using a named ACL. The primary differences in the two are that a numbered ACL has a finite number of ACLs you can create, while a named ACL (supposedly) has no such limit. The second is that you can remove individual lines from a named ACL. Hope this helps, Brian Hill CCNP, CCDP, MCSE 2000 (Charter Member), MCSE+I (NT4.0), MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+ Lead Technology Architect, TechTrain Author: Cisco, The Complete Reference http://www.alfageek.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44700t=44588
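To make the standard-versus-extended and numbered-versus-named differences concrete, an added example (not from Brian's post) that models ACL matching in Python: wildcard-mask comparison, a standard list that can only test the source address, an extended list that also tests protocol, destination and port, first-match-wins evaluation with the implicit deny, and line removal that is only allowed on the named list. The two sample lists and the packets are constructed; the model is a simplification of IOS behaviour, not the IOS code.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care


@dataclass
class Entry:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"     # 0.0.0.0 255.255.255.255 is "any"
    proto: str = "ip"                   # extended only; "ip" matches every protocol
    dst: str = "0.0.0.0"                # extended only
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None      # extended only: "eq <port>"

    def matches(self, pkt: dict, extended: bool) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not extended:
            return True                 # a standard ACL can only test the source address
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dport")


class ACL:
    def __init__(self, name: str, extended: bool, named: bool):
        self.name, self.extended, self.named = name, extended, named
        self.entries: List[Entry] = []

    def add(self, entry: Entry) -> None:
        self.entries.append(entry)

    def remove(self, index: int) -> None:
        """Named ACLs allow deleting one line; this toy numbered ACL refuses, mirroring
        the point above that individual lines are removable only from a named ACL."""
        if not self.named:
            raise RuntimeError("numbered ACL: individual lines cannot be removed")
        del self.entries[index]

    def evaluate(self, pkt: dict) -> str:
        for entry in self.entries:      # first match wins, top to bottom
            if entry.matches(pkt, self.extended):
                return entry.action
        return "deny"                   # implicit deny at the end of every ACL


def build_examples():
    """Constructed lists: a standard numbered 'access-list 10 permit 10.0.0.0 0.0.0.255'
    and a named extended list permitting only TCP/80 from that subnet to one host."""
    std = ACL("10", extended=False, named=False)
    std.add(Entry("permit", "10.0.0.0", "0.0.0.255"))
    ext = ACL("WEB-IN", extended=True, named=True)
    ext.add(Entry("permit", "10.0.0.0", "0.0.0.255", proto="tcp",
                  dst="192.0.2.10", dst_wc="0.0.0.0", dst_port=80))
    ext.add(Entry("deny", "10.0.0.0", "0.0.0.255"))
    return std, ext


if __name__ == "__main__":
    std, ext = build_examples()
    ssh = {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}
    print("standard:", std.evaluate(ssh), "extended:", ext.evaluate(ssh))
```

The same SSH packet is permitted by the standard list (it can only see the 10.0.0.x source) and denied by the extended list, which is the practical reason to reach for an extended ACL whenever the decision depends on anything beyond where a packet came from.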
Re: BGP load balancing [7:44697]
Maurice, BGP defaults to using only the BEST path, hence ONE. Check CCO for path determination in BGP. The other protocols default to a maximum of four, but can be extended to 6 with maximum-paths. To turn on load-balancing in BGP, a few steps are needed:
1. enable eBGP multihop
2. use update-source loopback
3. enter the static routes to be used for load-balancing
If there's something I'm forgetting, please correct my post. HTH, Elmer

----- Original Message ----- From: To: Sent: Wednesday, May 22, 2002 6:03 AM Subject: Re: BGP load balancing [7:44697]

Need some advice from BGP experts: Does BGP do load balancing by default? Say there are 4 parallel paths between the source and destination; will the traffic be distributed among the 4 paths? If it does not support load balancing by default, how do you turn it on? How many parallel paths can it handle at maximum? Thanks in advance! Maurice

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44701t=44697
set password problem [7:44702]
I have just bought a new WS-X5013 for my Cat 5000 and I have been trying the password recovery--it will not let me change the set password...the set enablepass works though. As the set password seems to have the console locked apart from the first 30 seconds after every reset, I would like to remove it or change it--any ideas? thanks stuart Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44702t=44702
ppp multilink over adsl????? [7:44704]
Guys, Does anybody know if PPP multilink is possible over an ADSL link, and does it work similarly to ISDN? Regards, George. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44704t=44704
RE: set password problem [7:44702]
Stuart, You can press enter during the 1st 30 seconds (no later), which will get you into the CAT, and then you can reset the password(s). HTH Richard Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44705t=44702
RE: Logic and Lab Rats [7:44653]
Unfortunately, the gals in the U.S. are less apt to shrug it off their shoulders if a co-worker is checking out Female Porn... They're, shall we say, a bit sensitive to the subject... and usually immediately complain of Sexual Harassment... even if it's not involving them in any way. In other cultures, or at least in other countries, it's more acceptable for female porn to be prevalent... I suspect this is due to two factors though... 1. a higher male-dominating society, and/or 2. more liberal attitudes after all, it's illegal to run a brothel in the U.S., but correct me if I'm wrong... I believe this is not the case in Australia or New Zealand. Of course, if a female was caught surfing Male Porn in the U.S., she'd probably be hit on by half a dozen guys within the hour... that is, the guys that aren't with their head stuck in a Server or Network Appliance trying to solve a problem. :) Mark

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, May 22, 2002 12:01 AM To: [EMAIL PROTECTED] Subject: Re: Logic and Lab Rats [7:44653]

On the other hand, who's more likely to show up to work late? Or show up drunk or high? Or get into a fight with his coworkers? Or surf porn in front of female coworkers? The guy who's been in the working world for 25 years or a new kid? Umm, off-topic, but enlighten me, please. Why is it worse to surf porn in front of female coworkers than it is to surf porn in front of male coworkers? What if it was a woman surfing porn in front of coworkers? Do your opinions change? ;-) JMcL

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44690t=44653
Re: Logic and "Lab Rats" [7:44653]
Gang, To put a closure to the thread, allow me to repeat the saying... When a man with money meets a man with experience, the man with experience ends up with the money, and the man with money ends up with experience. (Gals, no flame please.) So please give these newbies a break. After all, didn't ALL subscribers start from square one at some point in time? Does it mean your employer let you handle the backbone links from day 1? or 2? or 3?... In my case though, I got fed to the wolves right from the get go. And with just my CCNA, yes I had to learn everything there was I could find on OSPF. Three weeks to research and test BGP and report to the boss about this protocol before we went live. But I never claimed to be an expert. I did the best that I could. And guess what? All those theories I gathered from the books came back to me when time came to work out problems. Again, I'm not saying I knew everything there was to know about network troubleshooting. I've been in the same situation as many, many aspiring individuals who just want to enter into the profession that ALL of us applied for in the past. Has experience given people too much money that they can't remember where they came from? Thanks to all respondents. Elmer

----- Original Message ----- From: nrf To: Sent: Tuesday, May 21, 2002 11:24 PM Subject: Re: Logic and Lab Rats [7:44653]

Amen to that. Humility is called for on both sides. Apparently I've been tagged around here as the 'King Experience' guy. The very ironic thing is that on another message board, I was the person who was arguing that experience was NOT as important as other posters had indicated (this was an experience vs. college degree argument). Basically it boiled down to the fact that while experience is indeed extremely valuable, particularly nowadays, even experience can sometimes be taken too far.
For example, one guy said that experience always wins no matter what (which is patently false), so I gave him the example of 2 guys, whereas both guys had good experience, but the first guy had stellar degrees from the most famous schools, all kinds of certs, a killer personality, and everything else, whereas the second guy had none of that (besides the experience), but he had a day's more experience. Hey, if experience really beat everything all the time, then companies should always pick the second guy, because after all, he had more experience (one additional day). Clearly this is false. My point is simply this. Experience, education, certs, work attitude, etc. etc., they all form your suite of qualifications. None of them should be pursued at the exclusion of all others. In fact, the best strategy seems to be to work on your weaknesses. For example, if you have lots of certs and education, but no experience, then get experience. Conversely, if you have lots of experience, but no certs and no education, then go get certs and education.

Thomas Larus wrote in message news:[EMAIL PROTECTED]...

I thought the experience versus certification debate had finally died a few days ago, but now it resurfaces over on the professional list. I may as well weigh in. The problem here is clear. Some folks with lots of experience are scared (or merely offended) that some manager or client might think some relative newbie with great-sounding certs is as good or better (or even nearly as good) as the more experienced folks. Many of these experienced people gained their experience in difficult or underpaid conditions. The last thing they want is some ambitious upstart invaders studying hard in the lab, then walking into their field and being treated as their peers. The "experience is everything" crowd should relax right now, because in this economy, they are in the driver's seat. On the other hand, the lab rats, myself included, are justifiably scared.
We knew that if by studying hard we managed to reach a higher position than our experience alone would justify, we might face some hostility from those with lots of experience. Now, however, we are given to understand that for employers right now, experience is king, since there are plenty of folks with lots of experience and good certs to fill all positions that HAVE to be filled (as opposed to those positions that employers advertise but are in no hurry to fill). Then, there's the common complaint that "I'm always having to fix the networks screwed up by the paper-CCNAs, paper-MCSEs, Lab Rats, etc." I have enough experience to know that plenty of the screwing-up of networks is done by folks with lots of experience. It doesn't take long in the field to run across an arrogant but extremely experienced guy who thinks he is the only person in his company who knows anything, and then proceeds to break things that he then cannot fix. A little humility is called for in a field where almost no one can know
Re: VPN ERROR %CRYPTO-6-IKMP_MODE_FAILURE [7:44374]
Hello people, I have solved the problem for connecting the fully meshed VPN. The solution: you have to add all peers in all crypto maps. Sample:

BAD CONFIGURATION
crypto map vpn 10 ipsec-isakmp
 set peer 100.100.100.249
 set transform-set rtpset
 match address 102
crypto map vpn 20 ipsec-isakmp
 set peer 100.100.100.170
 set transform-set rtpset
 match address 101

GOOD CONFIGURATION
crypto map vpn 10 ipsec-isakmp
 set peer 100.100.100.249
 - set peer 100.100.100.170
 set transform-set rtpset
 match address 102
crypto map vpn 20 ipsec-isakmp
 set peer 100.100.100.170
 - set peer 100.100.100.249
 set transform-set rtpset
 match address 101

Now the VPN between A-B, A-C and B-C is OK. With this solution, the following error also seems to be resolved, so that "peer address xxx.xxx.xxx.xxx not found" is now found.

11:32:20: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= 100.100.100.249, src= 100.100.100.169, dest_proxy= 10.0.0.0/255.255.255.0/0/0 (type=4), src_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
11:32:20: IPSEC(validate_transform_proposal): peer address 100.100.100.169 not found
11:32:20: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 100.100.100.169

Thanks for your help. -- Alfredo Pulido [EMAIL PROTECTED] Dept. Sistemas, IdecNet S.A. Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria, Las Palmas // SPAIN Tel: +34 828 111 000 Fax: +34 828 111 112 http://www.idecnet.com/

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]... Looks like the devices aren't configured with the same properties.

Alfredo Pulido wrote in message news:[EMAIL PROTECTED]...
Hello, I'm trying to make fully meshed VPN connections between 3 routers 827-4V (Ra, Rb, Rc). The IOS used is: c820-k8osv6y6-mz.122-2.T4.bin - IP/FW/VOICE PLUS IPSEC 56. When I configure the VPN (Ra-Rb), the VPN is established OK. But when I configure VPN (Ra-Rb and Ra-Rc), the system reports an error with the peer Rc, and the VPN is not established between (Ra-Rc); however, the VPN (Ra-Rb) is OK. I have tried the combinations (Rb-Ra, Rb-Rc) and (Rc-Ra, Rc-Rb) and (Rb-Rc, Rb-Ra) and (Rc-Rb, Rc-Ra), and I have received the same ERROR. The system error is:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at xxx.xxx.xxx.xxx

In Cisco I have seen only this information: Error Message %CRYPTO-6-IKMP_MODE_FAILURE: Processing of [chars] mode failed with peer at [IP_address] Explanation: Negotiation with the remote peer has failed. Recommended Action: If this situation persists, contact the remote peer. I have looked at many documents in Cisco, but I don't know how to solve this problem. I searched for a document in Cisco for this type of VPN: http://www.cisco.com/warp/public/707/ios_meshed.html

Flash Configuration:
Ra: IP VPN: 100.100.100.170 IP LAN: 10.0.1.1
Rb: IP VPN: 100.100.100.169 IP LAN: 192.168.0.2
Rc: IP VPN: 100.100.100.249 IP LAN: 10.0.0.1

Debug information on router (Ra) when I try to connect (Rc-Ra) (debug crypto isakmp):
02:35:37: ISAKMP (0:0): received packet from 100.100.100.249 (N) NEW SA
02:35:37: ISAKMP: local port 500, remote port 500
02:35:37: ISAKMP (0:2): processing SA payload. message ID = 0
02:35:37: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
02:35:37: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
02:35:37: ISAKMP: encryption DES-CBC
02:35:37: ISAKMP: hash MD5
02:35:37: ISAKMP: default group 1
02:35:37: ISAKMP: auth pre-share
02:35:37: ISAKMP (0:2): atts are acceptable. Next payload is 0
02:35:37: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
02:35:37: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_SA_SETUP
02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_SA_SETUP
02:35:38: ISAKMP (0:2): processing KE payload. message ID = 0
02:35:38: ISAKMP (0:2): processing NONCE payload. message ID = 0
02:35:38: ISAKMP (0:2): found peer pre-shared key matching 100.100.100.249
02:35:38: ISAKMP (0:2): SKEYID state generated
02:35:38: ISAKMP (0:2): processing vendor id payload
02:35:38: ISAKMP (0:2): speaking to another IOS box!
02:35:38: ISAKMP (0:2): sending packet to 100.100.100.249 (R) MM_KEY_EXCH
02:35:38: ISAKMP (0:2): received packet from 100.100.100.249 (R) MM_KEY_EXCH
02:35:38: ISAKMP (0:2): processing ID payload. message ID = 0
02:35:38: ISAKMP (0:2): processing HASH payload. message ID = 0
02:35:38: ISAKMP (0:2): SA has been authenticated with 100.100.100.249
02:35:38: ISAKMP (2): ID payload next-payload
RE: Dumb Access-List question [7:44588]
More importantly - Autonomous switching is not used when you have extended access lists. Dom Stocqueler

Brian Hill Sent by: [EMAIL PROTECTED] 22/05/2002 12:06 Please respond to Brian Hill To: [EMAIL PROTECTED] cc: Subject: RE: Dumb Access-List question [7:44588]

There are two differences. The first is that in the first example you are using a standard ACL, and in the second you are using an extended ACL. The second is that in the first example, you are using a numbered ACL, while in the second, you are using a named ACL. The primary differences in the two are that a numbered ACL has a finite number of ACLs you can create, while a named ACL (supposedly) has no such limit. The second is that you can remove individual lines from a named ACL. Hope this helps, Brian Hill CCNP, CCDP, MCSE 2000 (Charter Member), MCSE+I (NT4.0), MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+ Lead Technology Architect, TechTrain Author: Cisco, The Complete Reference http://www.alfageek.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44706t=44588
RE: set password problem [7:44702]
I tried that but it tells me incorrect password; the enablepass seems to work though. -Original Message- From: Richard Botham [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 2:17 PM To: [EMAIL PROTECTED] Subject: RE: set password problem [7:44702] Stuart, You can press enter during the first 30 seconds (no later), which will get you into the CAT, and then you can reset the password(s). HTH Richard Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44708t=44702
WS-X5013 another problem [7:44707]
I loaded the WS-X5013 (24 10BaseT RJ45) into my Cat 5k, but it shows some errors booting: it shows "module 2 is not supported". Afterward, a show mod shows 0 ports and status unknown, or it will not see the module at all. Bootrom is version 2.2 and the version is 4.5. I checked on Cisco and the module appears to be supported by the software. I have tried clear config and reset, but they both require the module to be online. Any ideas? Thanks, Stuart Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44707t=44707
no lmi - dlci inactive - telco says my problem? [7:44709]
Hello friends, I am having a little problem getting a new long-distance frame relay circuit going, and I'm getting the ol' "it's your equipment" answer from the telco, and I'm not sure if this is the case or not. I have checked cables and TSU/router config and all seems OK. When the telco loops my CSU/TSU it causes my interface to bounce, but the interface then stays in the interface UP, protocol DOWN state. The telco is saying they see no LMI from my equipment. In the past when I've seen no LMI it always turned out to be something on the telco side. I don't do frame relay much, so I am kind of at the mercy of the tech who is turning this circuit up. Can someone give me some pointers on what I can look for to make sure it is not in my equipment, or how I can tell if it is a telco issue with the circuit? Any replies would be greatly appreciated! Fast replies appreciated even more!!! :) Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44709t=44709
RE: no lmi - dlci inactive - telco says my problem? [7:44709]
This link should help. http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/tr1918.htm beth shriver wrote: Hello friends, I am having a little problem getting a new long-distance frame relay circuit going, and I'm getting the ol' "it's your equipment" answer from the telco, and I'm not sure if this is the case or not. I have checked cables and TSU/router config and all seems OK. When the telco loops my CSU/TSU it causes my interface to bounce, but the interface then stays in the interface UP, protocol DOWN state. The telco is saying they see no LMI from my equipment. In the past when I've seen no LMI it always turned out to be something on the telco side. I don't do frame relay much, so I am kind of at the mercy of the tech who is turning this circuit up. Can someone give me some pointers on what I can look for to make sure it is not in my equipment, or how I can tell if it is a telco issue with the circuit? Any replies would be greatly appreciated! Fast replies appreciated even more!!! :) Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44710t=44709
Re: Operation Firmware is invalid? Please help...Urgent [7:44711]
Your problem is spooky; I just had the exact same problem with a 1924 the other day. Same symptoms, same inability to use XMODEM to upgrade the flash. I discovered that not all null modem cables are made the same, strangely enough. Do a search on CCO and you will find a variety of pinouts. I finally found a null modem cable with the same pinout that is specified in the 1900 documentation for release 5.x: http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v5x/icg5x/csspec.htm When I use the correct(!) null modem cable it works fine. Sincerely, John Dorffler CCIE #6677 Justin M. Clark wrote in message news:[EMAIL PROTECTED]... Cisco WS-C1900 switch. Using a DB9F-rollover-DB9F or null modem cable I can connect to the console port and get into the Diag Console fine, but when I try to just plug in and configure the switch it just starts spitting out ATQ0H0 in HyperTerminal PE. I hunted around, and a couple of places that I found said to try updating the firmware. So I hit Cisco's site and downloaded cat1900A.9.00.04.bin, which was the only 1900 firmware I could find; the previous version was 5.34. So anyway, I did the XModem firmware upgrade; as soon as it asks me to send the file it kicks back an error that says "Transfer cancelled by remote system" (conveniently after it has erased the existing firmware) and then prints out: Operation firmware version: 0.00 Status: Invalid Boot firmware version: 1.10 WARNING!!! Operation Firmware is invalid. Upgrade firmware to enable switch operation. I'm stuck at this point. Does anyone know what to do or how to get a copy of the firmware that works on this switch? And then at that point what kind of cables, etc. do I need to configure the darn thing? If anyone can get back to me in a hurry or has a version of the firmware that DOES work on this model it would be greatly appreciated, as this switch is dead in the water, along with the LAN that is supposed to be connected to it.
Thanks, Justin Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44711t=44711
RE: Errata for Coriolis books? [7:44638]
Well, it's good to hear that there will be more choices to study from once I get to that point. From looking at review comments on Amazon, it appears that of the Exam Cram series, only the switching book by Deal was any good. I sent him an email message (found an old posting of his on Amazon where he gave his philosophy and background on testing) to find out if he knows of any errata for his book, now that Coriolis is gone. I'm more than halfway through Exam Prep Switching, and I'm not sure that I'm going to bother finishing it. While the grammar and spelling are fine, it's the technical stuff that keeps coming up and catching my attention: examples where the text doesn't match the router/switch configs they're working through, test questions that don't make sense or have the wrong answer, questions where the correct answer is e even though there are only 4 choices, questions where the correct answer is a, c, d but no instruction or grammar hint to pick more than one answer, etc. I guess I'll try to sell the books on half.com while I still can. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44713t=44638
VPN connection [7:44712]
Hi all, I have a 3002 trying to connect to my 3015. I set up the group name and the user name, and it is set up on the 3002. From the 3015 I can't ping the 3002 Internet address, but I can ping other Internet addresses. On the 3002 I can't ping the 3015's port but can ping other addresses. If I go on the net from my firewall I can ping both interfaces. Anyone have any ideas? The default port of 1 is being used for connectivity. Thanks Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44712t=44712
Re: Logic and Lab Rats [7:44714]
I'm not saying to close the thread or not, although I think the moderators (I am one) are starting to block messages that come across as personal attacks. What I see as the fundamental misperception in this thread is an assumption that there is a binary choice between experience and new training. I freely admit there are experienced people that have had 1 year of experience 20 times. But other experienced people have BOTH the experience and the in-depth protocol knowledge, which puts them in a position to learn even faster -- if they want to. Earlier in the thread, someone said "would you put something in production without lab testing?" As with everything else in networking, it depends. A large ISP, for example, will test a new IOS release in a lab, but they can't possibly have a lab that will let them see the effects of the change on tens of thousands of routers. This is true of router manufacturers as well. For very large networks, it may be possible to use true (i.e., Monte Carlo) simulation or mathematical analysis. But experience does have a major role in Internet backbone engineering. Let me simply say that backbone engineering is at a level far more specialized and complex than the CCIE level, and there haven't been formalized ways to learn it. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44714t=44714
Re: no lmi - dlci inactive - telco says my problem? [7:44709]
Send a sh conf and sh int from the serial interface, and a sh frame pvc too. Dave beth shriver wrote: Hello friends, I am having a little problem getting a new long-distance frame relay circuit going, and I'm getting the ol' "it's your equipment" answer from the telco, and I'm not sure if this is the case or not. I have checked cables and TSU/router config and all seems OK. When the telco loops my CSU/TSU it causes my interface to bounce, but the interface then stays in the interface UP, protocol DOWN state. The telco is saying they see no LMI from my equipment. In the past when I've seen no LMI it always turned out to be something on the telco side. I don't do frame relay much, so I am kind of at the mercy of the tech who is turning this circuit up. Can someone give me some pointers on what I can look for to make sure it is not in my equipment, or how I can tell if it is a telco issue with the circuit? Any replies would be greatly appreciated! Fast replies appreciated even more!!! :) -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44715t=44709
RE: set password problem [7:44702]
Since this is a Sup. blade that you just acquired, what about just wiping the config completely? Either a write erase or a clear config all, after you've gotten on the thing in enable mode, might be your best bet. When you reload the switch afterwards, it should come up with factory default settings/config, which means your passwords will be blank. Just a thought... Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stuart Laubstein Sent: Wednesday, May 22, 2002 7:39 AM To: [EMAIL PROTECTED] Subject: RE: set password problem [7:44702] I tried that but it tells me incorrect password; the enablepass seems to work though. -Original Message- From: Richard Botham [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 2:17 PM To: [EMAIL PROTECTED] Subject: RE: set password problem [7:44702] Stuart, You can press enter during the first 30 seconds (no later), which will get you into the CAT, and then you can reset the password(s). HTH Richard Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44716t=44702
RE: DHCP NACK problems [7:44671]
Also, to add to this... if you have a WINS server with a corrupt database, that could be adding to the confusion for duplicate IPs. I've had this happen to me before, and didn't realize it until I decided to just look at the WINS server to see what it thought was true of the LAN topology. It's just something to keep in mind. Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Hill Sent: Wednesday, May 22, 2002 6:01 AM To: [EMAIL PROTECTED] Subject: RE: DHCP NACK problems [7:44671] Is it always NACKing for the same IP lease? Normally, the DHCP process works like this: the client sends a DHCPDISCOVER to find a DHCP server, the server responds with a DHCPOFFER offering the client an IP, the client responds with a DHCPREQUEST to choose the IP address (in case it gets an offer for more than one), and the server responds with a DHCPACK, sealing the deal. However, MS DHCP servers have a feature that allows them to detect IP address conflicts before responding with an ACK. What I would check is a few things: first, if this is happening due to conflict detection, you should see under active leases in DHCP a BAD ADDRESS listed by the IP. If you see that, ping the IP in question. If you get a response, track down the PC and do an ipconfig to find its DHCP server. Then track down that server and kill it :) Hope this helps, Brian Hill CCNP, CCDP, MCSE 2000 (Charter Member), MCSE+I (NT4.0), MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+ Lead Technology Architect, TechTrain Author: Cisco, The Complete Reference http://www.alfageek.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44717t=44671
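The exchange and the conflict check Brian describes, as an added Python model that is not code from the original thread: DISCOVER, OFFER, REQUEST, then ACK or NAK, with the server refusing an address that already answers on the wire and parking it as BAD_ADDRESS so that it is not offered again. The address pool, the client MAC, the rogue host holding 10.0.0.10 and the callback standing in for the server's pre-ACK ping check are all constructed for this example.

```python
BAD_ADDRESS = "BAD_ADDRESS"   # marker the post says shows up under active leases


class DhcpServer:
    """Server side of DISCOVER/OFFER/REQUEST/ACK with conflict detection.

    is_in_use(ip) -> bool stands in for the server pinging/ARPing the address
    before it commits; a real server does that on the wire."""

    def __init__(self, pool, is_in_use):
        self.free = list(pool)        # addresses not yet handed out
        self.leases = {}              # ip -> client id, or BAD_ADDRESS
        self.is_in_use = is_in_use

    def discover(self, client):
        # Offer the first free address; nothing is committed by an offer.
        return ("DHCPOFFER", self.free[0]) if self.free else None

    def request(self, client, ip):
        # The client chose one of the addresses it was offered.
        if ip not in self.free:
            return ("DHCPNAK", ip)    # not ours any more: client must restart
        self.free.remove(ip)
        if self.is_in_use(ip):
            # Something already answers there. Quarantine the address and NAK
            # rather than hand out a duplicate.
            self.leases[ip] = BAD_ADDRESS
            return ("DHCPNAK", ip)
        self.leases[ip] = client
        return ("DHCPACK", ip)


def run_client(server, client):
    """One client's pass through the exchange; returns (final reply, transcript)."""
    log = [("DHCPDISCOVER", client)]
    offer = server.discover(client)
    if offer is None:
        return None, log              # pool exhausted: client keeps discovering
    log.append(offer)
    log.append(("DHCPREQUEST", offer[1]))
    reply = server.request(client, offer[1])
    log.append(reply)
    return reply, log


def bad_addresses(server):
    """Addresses the server refused to lease: ping each and track down the host."""
    return sorted(ip for ip, who in server.leases.items() if who == BAD_ADDRESS)


def demo():
    # Constructed scenario: a rogue server or a statically configured host has
    # already put 10.0.0.10 on the wire. The first request is NAKed, the
    # address is marked BAD_ADDRESS, and the client's retry lands on 10.0.0.11.
    taken = {"10.0.0.10"}
    server = DhcpServer(["10.0.0.10", "10.0.0.11", "10.0.0.12"],
                        lambda ip: ip in taken)
    client = "00:11:22:33:44:55"      # constructed client MAC
    first, _ = run_client(server, client)
    second, transcript = run_client(server, client)
    return first, second, transcript, bad_addresses(server)


if __name__ == "__main__":
    first, second, transcript, bad = demo()
    print("first attempt:", first)
    print("second attempt:", second)
    for step in transcript:
        print("  ", step)
    print("BAD_ADDRESS entries to chase:", bad)
```

A NAK that repeats for the same lease, as Brian asks about, shows up in this model as the same address appearing in bad_addresses() run after run; that list is the set of hosts to ping and track down.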
RE: anybody ever try to make a token ring crossover cable ? [7:44718]
Maybe, but not successfully. You need a MAU between routers. -Original Message- From: nettable_walker [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 21, 2002 9:06 PM To: [EMAIL PROTECTED] Subject: anybody ever try to make a token ring crossover cable ? [7:44682] 5/21/2002 9:00pm Tuesday Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44718t=44718
Re: Operation Firmware is invalid? Please help...Urgent [7:44719]
Two other things. This is only a problem (as far as I know) on the older 1900s with the DB-9 console port. The other issue, and I have sorta confirmed it, is that you can't load anything older than about 5.37 on the older 1900s. I was able to do that with my old 1924, but it gags when I try to upload 9.0. If anybody has any additional info on the limitations of the older 1900s, please post, because I can't find anything more on CCO. Sincerely, John Dorffler CCIE #6677 Justin M. Clark wrote in message news:[EMAIL PROTECTED]... Cisco WS-C1900 switch. Using a DB9F-rollover-DB9F or null modem cable I can connect to the console port and get into the Diag Console fine, but when I try to just plug in and configure the switch it just starts spitting out ATQ0H0 in HyperTerminal PE. I hunted around, and a couple of places that I found said to try updating the firmware. So I hit Cisco's site and downloaded cat1900A.9.00.04.bin, which was the only 1900 firmware I could find; the previous version was 5.34. So anyway, I did the XModem firmware upgrade; as soon as it asks me to send the file it kicks back an error that says "Transfer cancelled by remote system" (conveniently after it has erased the existing firmware) and then prints out: Operation firmware version: 0.00 Status: Invalid Boot firmware version: 1.10 WARNING!!! Operation Firmware is invalid. Upgrade firmware to enable switch operation. I'm stuck at this point. Does anyone know what to do or how to get a copy of the firmware that works on this switch? And then at that point what kind of cables, etc. do I need to configure the darn thing? If anyone can get back to me in a hurry or has a version of the firmware that DOES work on this model it would be greatly appreciated, as this switch is dead in the water, along with the LAN that is supposed to be connected to it.
Thanks, Justin Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44719t=44719
RE: Errata for Coriolis books? [7:44638]
Well, Richard Deal just sent me an email. Coriolis was maintaining all the errata. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44720t=44638
PIX 501 rack mount [7:44722]
Does anybody know a way to rack mount a PIX 501? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44722t=44722
Why do my switches keep pinging their default gateways!? [7:44723]
I have 4 2948Gs in 4 different wiring closets, all wired to a core 6509 through gig uplinks. The interfaces on the switches are all assigned to VLAN 2, my management VLAN. The only way to access VLAN 2 is through a Checkpoint firewall running NG. All switches have the firewall interface address as their default gateway. I am able to telnet to all switches and manage them remotely just fine. I am able to ping all other subnets in my network from the switches; routing seems fine. My firewall logs show that all five switches are constantly pinging the firewall interface, icmp-type 8 icmp-code 0. No one is connected to my switches issuing a ping. These are echos, not echo-replies. When I run a sniffer on the VLAN, I see nothing going to the switches in the way of IP traffic, just the echos coming from the switches. Each 2948G has about 15 2924-XL-ENs attached to it through trunking. None of the 2924s are trying to ping the firewall, although they all have the same VLAN assignment on their mgmt interfaces, the same default gateway, and are in the same subnet. There is no CGMP enabled, no DNS, no IP redirects. The ICMP packets have a TTL of 1, the sniffer reporting a TTL expired message. The ICMP traffic is constant, one every second. How can I stop this? Why is it happening? Why don't my 2924s ping but my 2948Gs and 6509 do? Please help! Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44723t=44723
RE: ppp multilink over adsl????? [7:44704]
I'm going to hazard a guess here and see what others think of my theory. For PPP Multilink to work you need it enabled at both ends. With point-to-point T1s or ISDN this isn't a problem, because you (usually) control both ends. But with ADSL you only control one end (unless this is the weird point-to-point DSL that's being offered that I've just never heard of). So I don't think this would be possible, because your DSL provider would treat each connection separately (attempt to give an IP, etc.). Anyone's thoughts? Mike W. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44724t=44704
Centillion to Catalyst 5K [7:44727]
I looked in the archives and it appears that some have successfully connected a Centillion 100 and a Catalyst 5000. What I am looking for is specifics and caveats for using these two in my CCIE rack. What versions of software/firmware will work together? Appreciate any help. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44727t=44727
RE: Errata for Coriolis books? [7:44638]
My calendar is marked. Priscilla Oppenheimer wrote: I have a new book coming out soon for the Support Test. And I plan to manage my own errata sheet (which hopefully will be very small ;-) rather than let the publisher do it. There's more info here: http://www.troubleshootingnetworks.com/ Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44726t=44638
test [7:44728]
test Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44728t=44728
Re: Why do my switches keep pinging their default gateways!? [7:44729]
Hi, Even I have observed this on the PIX firewall, which acts as a default gateway to all our switches; the switches used are Catalyst 4000 series. Any explanation why it does so? Kind Regards /Thangavel 186K Reading, Berkshire Direct No -0118 9064259 Mobile No -07796292416 Post code: RG16LH www.186k.co.uk -- The greatest glory in living lies not in never falling, but in rising every time we fall. -- Nelson Mandela Wilson, Christian Sent by: [EMAIL PROTECTED] 22/05/2002 16:53 Please respond to Wilson, Christian Subject: Why do my switches keep pinging their default gateways!? [7:44723] I have 4 2948Gs in 4 different wiring closets, all wired to a core 6509 through gig uplinks. The interfaces on the switches are all assigned to VLAN 2, my management VLAN. The only way to access VLAN 2 is through a Checkpoint firewall running NG. All switches have the firewall interface address as their default gateway. I am able to telnet to all switches and manage them remotely just fine. I am able to ping all other subnets in my network from the switches; routing seems fine. My firewall logs show that all five switches are constantly pinging the firewall interface, icmp-type 8 icmp-code 0. No one is connected to my switches issuing a ping. These are echos, not echo-replies. When I run a sniffer on the VLAN, I see nothing going to the switches in the way of IP traffic, just the echos coming from the switches. Each 2948G has about 15 2924-XL-ENs attached to it through trunking. None of the 2924s are trying to ping the firewall, although they all have the same VLAN assignment on their mgmt interfaces, the same default gateway, and are in the same subnet. There is no CGMP enabled, no DNS, no IP redirects. The ICMP packets have a TTL of 1, the sniffer reporting a TTL expired message. The ICMP traffic is constant, one every second. How can I stop this? Why is it happening? Why don't my 2924s ping but my 2948Gs and 6509 do? Please help!
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44729t=44729
CCIE written Commands [7:44730]
Just curious: do I need to review all my routing and switching commands for the CCIE written? Boson #3 has no emphasis on commands, but Boson #1 does. Thank you, Pierre-Alex P.S. I assume this question does not violate the NDA. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44730t=44730
Looking for people preparing for BCMSN 650-504Exam [7:44731]
Hi, I would like to get in contact with people who are preparing for or recently did the 650-504 exam, for discussing subjects. [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44731t=44731
Re: PIX 501 rack mount [7:44722]
Buy a shelf for the rack. Sandra Carr wrote in message news:[EMAIL PROTECTED]... Does anybody know a way to rack mount a PIX 501? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44732t=44722
Re: PIX 501 rack mount [7:44722]
I don't think there is a problem in the world good old duct tape can't fix. Sandra Carr wrote in message news:[EMAIL PROTECTED]... Does anybody know a way to rack mount a PIX 501? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44733t=44722
Re: BGP load balancing [7:44697]
Yes it does, if you are doing EBGP and your router has two or more directly connected links to your EBGP peer. Then the default load balancing will work if static routes or an IGP is used for the subnets linking your neighbors. You see, it is not BGP performing the load balancing but the normal behavior of load balancing across equal-cost paths (if they exist), regardless of whether you are using static or IGP routes. EBGP multihop also does this; however, you are still using the behavior of the static and IGP routes for equal-cost paths, but do not need to have your neighbors directly connected. Lab it and you will see. Have fun Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44735t=44697
Re: Bridge and switch [7:44649]
I was under the impression that, while a switch is often termed a multiport bridge, there is one fundamental difference in the way the two devices forward frames. While my source is not always the most credible or reliable (Course Technology Network+ book), it does cause me to stop and think for a minute. Anyway, the difference (as described in the book) is as follows: if a multiport bridge determines (based on the destination MAC address) that the destination node is on another subnet, it will broadcast the frame out all ports except the originating port. A switch, on the other hand, is smart enough to only forward the frame out the destination port. Both devices handle unknown frames and broadcasts the same way, i.e. they will forward the packets out all ports except the one the frame was received on. Any thoughts? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44736t=44649
Re: Logic and Lab Rats [7:44714]
Could you elaborate on "backbone engineering is at a level far more specialized and complex than the CCIE level, and there haven't been formalized ways to learn it"? I would love to know more about what you actually mean. Thank you. Regards. From: Howard C. Berkowitz Reply-To: Howard C. Berkowitz To: [EMAIL PROTECTED] Subject: Re: Logic and Lab Rats [7:44714] Date: Wed, 22 May 2002 09:49:09 -0400 I'm not saying to close the thread or not, although I think the moderators (I am one) are starting to block messages that come across as personal attacks. What I see as the fundamental misperception in this thread is an assumption that there is a binary choice between experience and new training. I freely admit there are experienced people that have had 1 year of experience 20 times. But other experienced people have BOTH the experience and the in-depth protocol knowledge, which puts them in a position to learn even faster -- if they want to. Earlier in the thread, someone said "would you put something in production without lab testing?" As with everything else in networking, it depends. A large ISP, for example, will test a new IOS release in a lab, but they can't possibly have a lab that will let them see the effects of the change on tens of thousands of routers. This is true of router manufacturers as well. For very large networks, it may be possible to use true (i.e., Monte Carlo) simulation or mathematical analysis. But experience does have a major role in Internet backbone engineering. Let me simply say that backbone engineering is at a level far more specialized and complex than the CCIE level, and there haven't been formalized ways to learn it. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44737t=44714
Re: BGP load balancing [7:44697]
And add CEF per-packet or per-destination. From: cebuano Reply-To: cebuano To: [EMAIL PROTECTED] Subject: Re: BGP load balancing [7:44697] Date: Wed, 22 May 2002 07:17:07 -0400 Maurice, BGP defaults to using only the BEST path, hence ONE. Check CCO for path determination in BGP. The other protocols default to a maximum of four, but can be extended to 6 with maximum-paths. To turn on load balancing in BGP, a few steps are needed: 1. enable eBGP multihop 2. use update-source loopback 3. enter the static routes to be used for load balancing. If there's something I'm forgetting, please correct my post. HTH, Elmer - Original Message - From: To: Sent: Wednesday, May 22, 2002 6:03 AM Subject: Re: BGP load balancing [7:44697] Need some advice from BGP experts: does BGP do load balancing by default? Say there are 4 parallel paths between the source and destination; will the traffic be distributed among the 4 paths? If it does not support load balancing by default, how do I turn it on? How many parallel paths can it handle maximum? Thanks in advance! Maurice Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44738t=44697
Re: Looking for people preparing for BCMSN 650-504Exam [7:44739]
Yes, I have started from yesterday, after passing my BSCN. We can discuss these subjects as we go forward. Thanks Ravi Antonio Malker wrote: Hi, I would like to get in contact with people who are preparing for or recently did the 650-504 exam, for discussing subjects. [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44739t=44739
Re: Bridge and switch [7:44649]
There are a few things wrong with that description. First, switches and/or bridges are layer two devices and wouldn't be aware of different IP subnets in the first place. A switch or bridge will forward a frame out all ports except the originating port if it has not yet learned the correct port for the destination. It has nothing to do with subnets whatsoever.

A switch is nothing more than a marketing term for a bridge on steroids. From a layer two perspective there is no difference in their operation. This entire thread seems analogous to arguing that a square is not a rectangle. I can see it now... Originally all we had were rectangles, but when we offered a slightly different rectangle we decided to call it a square to differentiate it from the previous rectangles. However, it's still a rectangle when you get right down to it.

Kevin Jones 5/22/02 12:58:37 PM
I was under the impression that, while a switch is often termed a multiport bridge, there is one fundamental difference in the way the two devices forward frames. While my source is not always the most credible or reliable (Course Technology Networks Plus book), it does cause me to stop and think for a minute. Anyway, the difference (as described in the book) is as follows: If a multiport bridge determines (based on the destination MAC address) that the destination node is on another subnet, it will broadcast the frame out all ports except the originating port. A switch, on the other hand, is smart enough to only forward the frame out the destination port. Both devices handle unknown frames and broadcasts the same way, i.e. they will forward the packets out all ports except the one the frame was received on. Any thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44741&t=44649
Re: Errata for Coriolis books? [7:44638]
Hope it comes out before the start of our fall semester. Who's publishing it?

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy

Priscilla Oppenheimer wrote:
I have a new book coming out soon for the Support Test. And I plan to manage my own errata sheet (which hopefully will be very small ;-) rather than let the publisher do it. There's more info here: http://www.troubleshootingnetworks.com/
Priscilla

At 01:13 PM 5/21/02, Robert Kulagowski wrote:
I was hoping that wasn't going to be the case (in that they apparently never did anything with the feedback). Does anyone have recommendations for a publisher that 1) has good reading material for CCNP and 2) actually maintains an errata page that incorporates feedback? As far as #2, I've had good results with Sybex, at least on the CCNA material. The support person answered emails quickly, and a few days later I would see that the errata page had been updated. One thing that the support person told me was that errata had to be checked with the authors, so this might also factor in. I see from the archive that Priscilla O. is still an active contributor; do any other authors of CCXX material frequent this or other lists? Thanks.

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44740&t=44638
Provider backbone engineering (was: Logic and Lab Rats) [7:44743]
At 7:03 PM +0000 5/22/02, Cisco Nuts wrote:
Could you elaborate on "backbone engineering is at a level far more specialized and complex than the CCIE level, and there haven't been formalized ways to learn it"? I would love to know more about what you actually mean. Thank you. Regards.

:-) Well, my book on the subject, Building Service Provider Networks, should be about to ship.

Seriously, let's talk about several areas, beginning with BGP. Every BGP scenario I've seen or heard of in the CCIE context, at best, looks at an extremely simple configuration with rules NEVER used in the real world. A few contrasts:

-- In the real world, it's VERY rare to redistribute between a dynamic IGP and BGP. Sure, there are exceptions, but they are VERY carefully chosen. A provider backbone CANNOT survive having 100,000-plus routes in its IGP, nor should it.
-- In provider use, the main purpose of the IGP (or multiple instances of an IGP) is to maintain connectivity among BGP routers. You may have a separate IGP instance for each POP or group of POPs.
-- To connect customers, there is MUCH more use of static and default routes. You could not possibly run a provider network with the CCIE lab rule of no statics or defaults.
-- AS paths are longer and more complex than you can create with six or so routers.
-- There's a HUGE amount of things to be concerned with that aren't strictly configuration, such as justifying/obtaining/managing address space, intercarrier relationships involving both economics and cooperative troubleshooting, DNS management, protecting against distributed denial of service, etc.
-- BGP communities are far more important than in typical scenarios. You need to know why and when to set up your own, learn the values of communities set by other ASes and under what circumstances you should act on them, etc.
-- You may be dealing with literally thousands of routers in your own network, interconnected with thousands of enterprise networks. You may also have a complex ATM, SONET, MPLS, or other intelligent sub-IP technology that must coordinate with the IP.
-- There's a different viewpoint on convergence. It's generally accepted among large providers and researchers that the worldwide BGP table never truly converges -- changes come too fast. We have to work in that environment.
-- Customers frequently multihome in ways that require coordinating between their providers, even when those providers are competitors.
-- As opposed to an enterprise network where SOMEBODY is in control, the provider space involves cooperative anarchy. One AS fouling up its configuration can and has had worldwide effects.

These are just a start. There are other people that can comment on some of the differences. Peter van Oene (yes, I'm volunteering you) is one with lots of good experience. There are others, and this actually might be an interesting thread.

--
"What Problem are you trying to solve?"
***send Cisco questions to the list, so all can benefit -- not directly to me***
Howard C. Berkowitz [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44743&t=44743
Content Switches [7:44742]
All, I have a quick question regarding content switches. Should the content switch be placed inside or outside of a firewall? I can not find any documentation to support which is better.
Thanks,
Jason Forrester
CCIE 8748

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44742&t=44742
Re: Logic and Lab Rats [7:44714]
My interpretation of what he meant by that is you have to understand everything that encompasses a campus network. You have to first understand what the data is that the user wants, where it is, and how it is that he is going to get that information. I.e., there is data on the mainframe that some user needs; it gets pushed to an Oracle/Sun server every night. The user has a PC that logs into an NT domain via his PC and accesses the service, and then the user needs to update the information to the mainframe. When the user has a problem, where do you start to look? Oh, and by the way it is a Cisco network, so do you bring in a CCIE to solve the problem? Maybe...

----- Original Message -----
From: Cisco Nuts
Sent: Wednesday, May 22, 2002 3:03 PM
Subject: Re: Logic and Lab Rats [7:44714]

Could you elaborate on "backbone engineering is at a level far more specialized and complex than the CCIE level, and there haven't been formalized ways to learn it"? I would love to know more about what you actually mean. Thank you. Regards.

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: Logic and Lab Rats [7:44714]
Date: Wed, 22 May 2002 09:49:09 -0400

I'm not saying to close the thread or not, although I think the moderators (I am one) are starting to block messages that come across as personal attacks. What I see as the fundamental misperception in this thread is an assumption that there is a binary choice between experience and new training. I freely admit there are experienced people that have had 1 year of experience 20 times. But other experienced people have BOTH the experience and the in-depth protocol knowledge, which puts them in a position to learn even faster -- if they want to.

Earlier in the thread, someone said would you put something in production without lab testing? As with everything else in networking, it depends. A large ISP, for example, will test a new IOS release in a lab, but they can't possibly have a lab that will let them see the effects of the change on tens of thousands of routers. This is true of router manufacturers as well. For very large networks, it may be possible to use true (i.e., Monte Carlo) simulation or mathematical analysis. But experience does have a major role in Internet backbone engineering. Let me simply say that backbone engineering is at a level far more specialized and complex than the CCIE level, and there haven't been formalized ways to learn it.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44745&t=44714
RE: no lmi - dlci inactive - telco says my problem? [7:44709]
Find out what LMI type the telco is using and ensure your LMI is configured properly.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44747&t=44709
PIX 515E routing issue [7:44746]
Just recently installed a PIX 515E. I can ping from the PIX to an outside address (and from an inside box to the ethernet on the PIX), but trying to ping through the PIX comes back as unreachable. Basic layout as follows:

Netopia DSL Router -- PIX 515E -- LAN

I'm using the default allow rule, along with the following access list... everything else is pretty much default for now (just want to try and get connectivity).

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.6 255.255.255.252
ip address inside 192.168.200.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
timeout xlate 0:05:00
no sysopt route dnat

I've tried running RIP on it; didn't solve the problem. Seems like the PIX doesn't understand the default route. I've cleared the arp table, still no luck. Any help is GREATLY appreciated.
thanx
~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St. 9th Flr
Chicago, IL 60601-2468
PH: 312.884.2996
FAX: 312.278.5550
~~~

This message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. ABN AMRO Bank N.V. (including its group companies) shall not be responsible nor liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. ABN AMRO Bank N.V. (or its group companies) does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44746&t=44746
Re: Content Switches [7:44742]
If you're not using the CSS to load balance between firewalls, I see no reason to put it outside. The CSS constantly sends keepalives to the servers it load balances for. I don't see any reason the packets should be inspected by the firewall. If the firewall gets overloaded and drops packets, the CSS will mark some services as down or dying and will not send requests to that server even though it could handle the requests.

Jason Forrester wrote in message news:[EMAIL PROTECTED]...
All, I have a quick question regarding content switches. Should the content switch be placed inside or outside of a firewall? I can not find any documentation to support which is better.
Thanks,
Jason Forrester
CCIE 8748

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44748&t=44742
Re: Content Switches [7:44742]
My understanding is that for firewall load balancing they are installed on the inside and outside; otherwise they are most often installed on the DMZ.
Dave

Jason Forrester wrote:
All, I have a quick question regarding content switches. Should the content switch be placed inside or outside of a firewall? I can not find any documentation to support which is better.
Thanks,
Jason Forrester
CCIE 8748

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44751&t=44742
Content Switches [7:44742]
Both - they call it "sandwiching" the firewall.

We had a call for a design a while back using the Cisco CSSs (ArrowPoints). The firewall portion called for us to use the CSSs to advertise the CheckPoint cluster IP address coming in and going out of the network. Instead of buying 1 or 2 fire-breathing firewall boxes, the virtual address/cluster (along with CheckPoint's ability to share state across the cluster) allowed us to scale the firewall pool slower and more affordably.

Internet/ASP--BGP Router--CSS--CheckPoint(s)--CSS--Intranet

With the PIXs and Raptor (Symantec 6.5) boxes, we had to pass a hash within each packet (again coming in and going out of the network) so that the CSS receiving the traffic (after it had been processed through the firewall) could build a state table, allowing it to know which firewall packets were sent through and which firewall to send them back through (effectively keeping track of state across the cluster). This is also an alternative to deploying PIXs in a primary and backup scenario, though it also means you don't get the backup firewall discount.

                          Raptor/PIX
Internet/ASP--Router--CSS-Raptor/PIX--CSS--Intranet
                          Raptor/PIX

Pretty high level, but this is pretty much how it works. Big IP, Nortel's recently purchased Alteon, RadWare, Rainfinity, StoneBeat, Cisco's CSS, they all will do the job for a price.

All the best !!!
Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Forrester
Sent: Wednesday, May 22, 2002 3:41 PM
To: [EMAIL PROTECTED]
Subject: Content Switches [7:44742]

All, I have a quick question regarding content switches. Should the content switch be placed inside or outside of a firewall? I can not find any documentation to support which is better.
Thanks,
Jason Forrester
CCIE 8748

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44752&t=44742
Re: Bridge and switch [7:44649]
At 02:58 PM 5/22/02, Kevin Jones wrote:
If a multiport bridge determines (based on the destination MAC address) that the destination node is on another subnet,

Stop right there. It can't figure out that the destination is on a different subnet from the MAC address. Subnets are differentiated by network-layer information. MAC addresses are at the data-link layer. If the destination is on a different subnet, the destination MAC will be a router's MAC address, although the bridge (switch) wouldn't recognize that (unless it had some weird feature that did this, which is unlikely). If the bridge (switch) has learned which port reaches that MAC address, then it will forward the frame out that port and no other. If it hasn't learned how to reach that address yet, then it will flood the frame out all ports. Bridges and switches behave exactly the same.
Priscilla

it will broadcast the frame out all ports except the originating port. A switch, on the other hand, is smart enough to only forward the frame out the destination port. Both devices handle unknown frames and broadcasts the same way, i.e. they will forward the packets out all ports except the one the frame was received on. Any thoughts?

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44753&t=44649
IPSEC question [7:44754]
If I want to set up a VPN connection between a PIX (on a cable modem) at the remote site and an IOS firewall / IPSEC 3640 on a T1 to the ISP at the central site, since I don't have a static address on the PIX, can I just use the line below, replace the 95.95.95.2 with 0.0.0.0, and then keep the rest of my config?

crypto isakmp key cisco123 address 95.95.95.2

Thanks
Cory

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44754&t=44754
RE: PIX 515E routing issue [7:44746]
Check the default gateway of your PC. Enable "debug icmp trace" on the PIX to troubleshoot...
--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jablonski, Michael
Sent: Wednesday, May 22, 2002 3:42 PM
To: [EMAIL PROTECTED]
Subject: PIX 515E routing issue [7:44746]

Just recently installed a PIX 515E. I can ping from the PIX to an outside address (and from an inside box to the ethernet on the PIX), but trying to ping through the PIX comes back as unreachable. Basic layout as follows:

Netopia DSL Router -- PIX 515E -- LAN

I'm using the default allow rule, along with the following access list... everything else is pretty much default for now (just want to try and get connectivity).

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.6 255.255.255.252
ip address inside 192.168.200.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
timeout xlate 0:05:00
no sysopt route dnat

I've tried running RIP on it; didn't solve the problem. Seems like the PIX doesn't understand the default route. I've cleared the arp table, still no luck. Any help is GREATLY appreciated.
thanx
~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St. 9th Flr
Chicago, IL 60601-2468
PH: 312.884.2996
FAX: 312.278.5550
~~~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44756&t=44746
Re: ppp multilink over adsl????? [7:44704]
I think you're correct. Most people that have DSL terminate at a provider, and I know of no providers that provide DSL-ppp-multilink. We do have several customers that do control both sides, use DSL for employee remote access, and some use it for backup, but again none have tried the multilink, though I suspect it's possible.
Dave

Michael Williams wrote:
I'm going to hazard a guess here and see what others think of my theory. For PPP Multilink to work you need it enabled at both ends. With point-to-point T1s or ISDN this isn't a problem because you (usually) control both ends. But with ADSL, you only control one end (unless this is the weird point-to-point DSL that's being offered that I've just never heard of). So I don't think this would be possible, because your DSL provider would treat each connection separately (attempt to give an IP, etc.). Anyone's thoughts?
Mike W.

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44757&t=44704
Re: Bridge and switch [7:44649]
John Neiberger wrote in message news:[EMAIL PROTECTED]...
However, it's still a rectangle when you get right down to it.

Hey. A square isn't a rectangle!!! (just kidding, I just thought I'd be stubborn... hehe) Good analogy..
Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44758&t=44649
Netlock VPN Client for Mac to PIX [7:44744]
I have configured the PIX for a remote VPN client. It works for the Cisco VPN client; however, Cisco does not have support for Mac 8-9. I downloaded the software from Netlock. However, it failed in Phase 1. Then I upgraded the PIX to 6.2(1), and it seems to be making some progress. However, the connection is killed at the end of Phase 2 (I guess) with "return status is IKMP_NO_ERR_NO_TRANS". Does anybody have experience in configuring VPN for Mac? I am attaching the log file; I would appreciate it if someone could help me.
Daniel

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
VPN Peer: ISAKMP: Added new peer: ip:63.11.28.147 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt incremented to:1 Total VPN Peers: 1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      extended auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      extended auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP: Created a peer node for 63.11.28.147
ISAKMP (0): ID payload
        next-payload : 10
        type         : 2
        protocol     : 17
        port         : 500
        length       : 16
ISAKMP (0): Total payload length: 20
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3752133894
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x1 0xe1 0x33 0x80
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 63.11.28.147/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 3752133894
ISAKMP (0): processing ID payload. message ID = 3752133894
ISAKMP (0): ID_IPV4_ADDR src 63.11.28.147 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 3752133894
ISAKMP (0): ID_IPV4_ADDR_RANGE dst 0.0.0.0/0.0.0.0 prot 0 port 0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xbc74b5c1(3161765313) for SA
        from 63.11.28.147 to 67.32.141.226 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs inbound
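Added example, not part of Daniel's post: a small Python parser for the "debug crypto isakmp" output above. It re-lines an excerpt of the log (the archive ran the lines together), groups each "Checking ... transform/proposal" block with its attributes and the "atts (not) acceptable" verdict that closes it, and decodes the "life duration (VPI) of 0x1 0xe1 0x33 0x80" bytes, which are a big-endian seconds value (0x01e13380 = 31,536,000 s, i.e. 365 days). On this log it shows that phase 1 only succeeded on the fourth transform (3DES, MD5, pre-share, no XAUTH) and that the phase 2 proposal with HMAC-SHA was refused ("hmac_alg 2 ... not supported") before the HMAC-MD5 one was accepted. The regular expressions are keyed to the strings in this particular PIX 6.2 output and are an assumption for any other version.

```python
import re
from typing import Dict, List, Optional

# Excerpt of the PIX 'debug crypto isakmp' output quoted in the post above,
# re-broken into one event per line (the archive ran them together).
SAMPLE_LOG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      extended auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x1 0xe1 0x33 0x80
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable.
"""

START_RE = re.compile(r"Checking (ISAKMP transform|IPSec proposal) (\d+)")
VERDICT_RE = re.compile(r"atts (?:are )?(not )?acceptable")
REASON_RE = re.compile(r"IPSEC\(validate_proposal\): (.*)")
# (pattern, key): the first pattern that matches an attribute line wins, so
# 'extended auth' must precede plain 'auth'.  Strings are those of this
# PIX 6.2 debug output; other versions may word them differently (assumption).
ATTR_RES = [
    (re.compile(r"encryption (\S+)"), "encryption"),
    (re.compile(r"hash (\S+)"), "hash"),
    (re.compile(r"extended auth (\S+)"), "xauth"),
    (re.compile(r"\bauth (\S+)"), "auth"),
    (re.compile(r"default group (\d+)"), "group"),
    (re.compile(r"transform \d+, (\S+)"), "esp"),
    (re.compile(r"authenticator is (\S+)"), "authenticator"),
    (re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)"), "lifetime_s"),
]


def parse_proposals(log: str) -> List[Dict]:
    """Group each transform/proposal with its attributes and the verdict
    that closes it.  lifetime_s is decoded from the VPI byte string."""
    proposals: List[Dict] = []
    cur: Optional[Dict] = None
    for line in log.splitlines():
        m = START_RE.search(line)
        if m:
            cur = {"phase": 1 if m.group(1).startswith("ISAKMP") else 2,
                   "number": int(m.group(2)), "attrs": {},
                   "accepted": None, "reason": None}
            proposals.append(cur)
            continue
        if cur is None:
            continue                      # noise between proposals
        m = VERDICT_RE.search(line)
        if m:
            cur["accepted"] = m.group(1) is None
            cur = None                    # the verdict closes the proposal
            continue
        m = REASON_RE.search(line)
        if m:
            cur["reason"] = m.group(1)
            continue
        for rx, key in ATTR_RES:
            m = rx.search(line)
            if not m:
                continue
            val = m.group(1)
            if key == "lifetime_s":
                # bytes are printed big-endian: 0x01 0xe1 0x33 0x80 -> 31536000 s
                cur["attrs"][key] = int.from_bytes(bytes(int(b, 16) for b in val.split()), "big")
            elif key == "xauth":
                cur["attrs"]["auth"] = val
                cur["attrs"]["xauth"] = True
            else:
                cur["attrs"][key] = val
            break
    return proposals


def negotiated(proposals: List[Dict]) -> Dict[int, Optional[Dict]]:
    """Attributes of the first accepted proposal per phase (None = nothing accepted)."""
    chosen: Dict[int, Optional[Dict]] = {1: None, 2: None}
    for p in proposals:
        if p["accepted"] and chosen[p["phase"]] is None:
            chosen[p["phase"]] = p["attrs"]
    return chosen


def rejections(proposals: List[Dict]) -> List[str]:
    """One line per refused proposal: its attributes plus any reason the PIX logged."""
    out = []
    for p in proposals:
        if p["accepted"] is False:
            attrs = " ".join(f"{k}={v}" for k, v in sorted(p["attrs"].items()))
            why = f" ({p['reason']})" if p["reason"] else ""
            out.append(f"phase {p['phase']} proposal {p['number']} refused: {attrs}{why}")
    return out


if __name__ == "__main__":
    props = parse_proposals(SAMPLE_LOG)
    for line in rejections(props):
        print(line)
    print("negotiated:", negotiated(props))
```

Feeding the parser the full debug capture instead of the excerpt gives the same triage view for every proposal the client sent, which is quicker than reading the raw transcript when a Unity-style client offers several transforms per phase.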
Re: Bridge and switch [7:44649]
I was oblivious to the fact that I was using the word subnet. What I should have used is the word segment. Anyway, I went back to what I thought was the source and was unable to find the description I had read. I'll look again. Not sure where I read it now. Anyway, this thread has confirmed what I have always understood, i.e. that switches are multiport bridges. If I find that description again, I'll post it here for you to take a look at.

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
At 02:58 PM 5/22/02, Kevin Jones wrote:
If a multiport bridge determines (based on the destination MAC address) that the destination node is on another subnet,

Stop right there. It can't figure out that the destination is on a different subnet from the MAC address. Subnets are differentiated by network-layer information. MAC addresses are at the data-link layer. If the destination is on a different subnet, the destination MAC will be a router's MAC address, although the bridge (switch) wouldn't recognize that (unless it had some weird feature that did this, which is unlikely). If the bridge (switch) has learned which port reaches that MAC address, then it will forward the frame out that port and no other. If it hasn't learned how to reach that address yet, then it will flood the frame out all ports. Bridges and switches behave exactly the same.
Priscilla

it will broadcast the frame out all ports except the originating port. A switch, on the other hand, is smart enough to only forward the frame out the destination port. Both devices handle unknown frames and broadcasts the same way, i.e. they will forward the packets out all ports except the one the frame was received on. Any thoughts?

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44759&t=44649
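As an added illustration of the forwarding rule this thread settles on (added here, not code from any of the posters): a minimal learning-bridge model in Python. It learns source MAC to port, forwards a known unicast out exactly one port, floods broadcast and unknown unicast out every other port, and never looks at anything above layer 2, so a frame bound for a host on another IP subnet is simply a frame to the router's MAC. The MAC addresses, port layout and the finite table size are constructed assumptions. The second function shows the flip side of that rule that matters to a security engineer: once the table is full, new addresses cannot be learned and traffic to them floods to every port, which is exactly what MAC-flooding on a switched segment relies on.

```python
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC
    dst: str            # destination MAC
    ingress_port: int   # port the frame arrived on


@dataclass
class LearningBridge:
    num_ports: int
    max_entries: int = 1024          # assumption: a finite forwarding (CAM) table
    table: Dict[str, int] = field(default_factory=dict)   # MAC -> port

    def forward(self, frame: Frame) -> List[int]:
        """Return the egress port list for a frame (empty list = filtered)."""
        # 1. Learn: note which port the source MAC was heard on.  A full
        #    table simply stops learning (simplified model of CAM exhaustion).
        if frame.src in self.table or len(self.table) < self.max_entries:
            self.table[frame.src] = frame.ingress_port
        # 2. Forward: broadcast or unknown unicast floods to every port except
        #    the ingress port; a known unicast goes out one port only.  No
        #    IP header is ever consulted.
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return [p for p in range(self.num_ports) if p != frame.ingress_port]
        out = self.table[frame.dst]
        return [] if out == frame.ingress_port else [out]


def walk_through() -> Dict[str, List[int]]:
    """Constructed scenario: host A on port 0, host B on port 1, router R on
    port 2 of a 4-port bridge.  Each forwarding decision is returned."""
    br = LearningBridge(num_ports=4)
    A, B, R = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:01"
    results = {}
    # A -> B before B has ever transmitted: B is unknown, so the frame floods.
    results["a_to_unknown_b"] = br.forward(Frame(A, B, 0))
    # B replies: A is already known on port 0, and B is now learned on port 1.
    results["b_to_known_a"] = br.forward(Frame(B, A, 1))
    # A -> B again: both known, exactly one egress port.
    results["a_to_known_b"] = br.forward(Frame(A, B, 0))
    # A sends to a host on another IP subnet.  At layer 2 that is just a frame
    # to the router's MAC; the bridge has no notion of a 'subnet'.
    br.forward(Frame(R, BROADCAST, 2))          # router ARPs; bridge learns R on port 2
    results["a_to_router"] = br.forward(Frame(A, R, 0))
    return results


def cam_exhaustion() -> List[int]:
    """Fill a tiny table with bogus sources from port 3, then show that a
    genuine new host's traffic floods because it could not be learned."""
    br = LearningBridge(num_ports=4, max_entries=8)
    for i in range(8):
        br.forward(Frame(f"de:ad:be:ef:00:{i:02x}", BROADCAST, 3))
    victim = "00:00:00:00:00:0c"
    br.forward(Frame(victim, BROADCAST, 1))      # table full: victim not learned
    # A unicast to the victim now floods to ports 1, 2 and 3, so the host on
    # port 3 that filled the table sees it.
    return br.forward(Frame("00:00:00:00:00:0a", victim, 0))
```

Real switches also age entries out (300 seconds by default on Cisco gear), which the model omits; the usual countermeasure to the exhaustion case is port security, which caps how many MACs a port may teach the table.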
RE: PIX 515E routing issue [7:44749]
Try to explicitly permit ICMP from the inside to the outside and see if that helps.

Thanks
Larry

-----Original Message-----
From: Jablonski, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 4:14 PM
To: [EMAIL PROTECTED]
Subject: FW: PIX 515E routing issue [7:44749]

Oh yeah I'm running PIX 6.1(2)

-----Original Message-----
From: Jablonski, Michael
Sent: Wednesday, May 22, 2002 3:35 PM
To: 'Cisco Study List (E-mail)'
Subject: PIX 515E routing issue

Just recently installed a PIX 515E. I can ping from the PIX to an outside address (and inside box to ethernet on PIX); but trying to ping through the PIX comes back as unreachable.

Basic layout as follows:

  Netopia DSL Router -- PIX 515E -- LAN

I'm using the default allow rule, along with the following access list... everything else is pretty much default for now. (just want to try and get connectivity)

  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded
  access-list 100 permit icmp any any unreachable
  pager lines 24
  interface ethernet0 10baset
  interface ethernet1 10full
  mtu outside 1500
  mtu inside 1500
  ip address outside 192.168.1.6 255.255.255.252
  ip address inside 192.168.200.1 255.255.255.0
  ip verify reverse-path interface outside
  ip audit info action alarm
  ip audit attack action alarm
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  access-group 100 in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
  timeout xlate 0:05:00
  no sysopt route dnat

I've tried running RIP on it; didn't solve the problem. Seems like the PIX doesn't understand the default route. I've cleared the arp table, still no luck.

Any help is GREATLY appreciated

thanx
~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St. 9th Flr
Chicago, IL 60601-2468
PH: 312.884.2996
FAX: 312.278.5550
~~~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44760t=44749
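A first-match model of the access list in Michael's post, added here as an illustration (it is not code from the thread or from Cisco): it parses the three `access-list 100` lines and shows which ICMP types the ACL applied inbound on the outside interface admits and which fall through to the implicit deny at the end of every PIX access list. The probe packet types are constructed; the model covers only the `icmp any any [type]` form used above and does not model the PIX's stateful inspection or interface security levels.

```python
"""First-match evaluation of a PIX access list (added illustration).

Not code from the thread or from Cisco. It models only the subset of PIX
ACL syntax used in Michael's config:
    access-list <id> permit|deny icmp any any [<icmp-type>]
and the PIX rule that a packet matching no entry is dropped (the implicit
deny at the end of every access list). It does not model stateful
inspection or interface security levels.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three lines from the original post.
ACL_TEXT = """\
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
"""


@dataclass(frozen=True)
class AclEntry:
    acl_id: str
    action: str               # "permit" or "deny"
    protocol: str             # only "icmp" is handled here
    icmp_type: Optional[str]  # None matches every ICMP type


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list ... icmp any any [type]' lines, keeping their order."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] != "access-list":
            continue  # ignore anything that is not an ACL line
        if (len(fields) < 6 or fields[2] not in ("permit", "deny")
                or fields[3] != "icmp" or fields[4:6] != ["any", "any"]):
            raise ValueError(f"unsupported ACL syntax: {raw}")
        icmp_type = fields[6] if len(fields) > 6 else None
        entries.append(AclEntry(fields[1], fields[2], fields[3], icmp_type))
    return entries


def evaluate(entries: List[AclEntry], protocol: str, icmp_type: str) -> str:
    """Action of the first matching entry; 'deny' when nothing matches."""
    for entry in entries:
        if entry.protocol != protocol:
            continue
        if entry.icmp_type is None or entry.icmp_type == icmp_type:
            return entry.action
    return "deny"  # implicit deny: no entry matched


def classify_inbound(acl_text: str = ACL_TEXT) -> Dict[str, str]:
    """Verdict for several ICMP types arriving inbound on the outside interface."""
    entries = parse_acl(acl_text)
    probes = ("echo-reply", "time-exceeded", "unreachable", "echo", "redirect")
    return {t: evaluate(entries, "icmp", t) for t in probes}


if __name__ == "__main__":
    for icmp_type, verdict in classify_inbound().items():
        print(f"inbound icmp {icmp_type:<14} -> {verdict}")
```

The posted list already admits the three reply-type messages a ping from the inside needs to come back through the outside interface; an inbound echo request or redirect from the outside matches nothing and is dropped, which is the behaviour you want from an edge ACL.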
Standby Preempt [7:44762]
I'm a little confused by configs I see in production that appear to be contrary to how I think HSRP works. What is the significance of the preempt statement on Switch #2 in this example below??? Is it - without the preempt statement on the second switch (even though it has the lower priority), the HSRP priority would not change back if Switch #1 flapped a few times???

ex:

Switch #1
  inter vlan 1
  10.10.10.1 255.255.255.0
  standbye priority 255 preempt
  standbye IP 10.10.10.3
  standby track vlan 101

Switch #2
  inter vlan 1
  10.10.10.2 255.255.255.0
  standbye priority 254
  standbye IP 10.10.10.3
  standby track vlan 102

Thanks
Phil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44762t=44762
RE: Standby Preempt [7:44762]
Phil,

Thanks for posting this, I wasn't even aware that you could use HSRP on switches/VLANs; if you have a URL or more info on using HSRP on switches that would be great.

As for your question, if HSRP works on switches in the same way it does on routers, then yes, switch #2 should also have a preempt statement. If VLAN 101 on switch #1 fails, its priority decrements by the default value (10 I think); switch #2 picks up on this when it receives the next hello packet from switch #1; switch #2 then becomes the active switch, but since there is no preempt on switch #2 it has no way of returning back to standby once switch #1 returns to its original state. This is assuming that HSRP operates the same on switches as it does on routers; if not then please disregard.

James

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44764t=44762
Re: Bridge and switch [7:44649]
At 06:11 PM 5/22/02, Kevin Jones wrote:
> I was oblivious to the fact that I was using the word subnet. What I should have used is the word segment.

Ah. That makes more sense. When a frame arrives, both bridges and switches send the frame on its way without sending it back onto the originating segment. If the bridge (switch) has learned which specific port to use, it sends the frame out just that port. If it hasn't learned yet, then it floods it out all ports except the originating port. That's the unknown frames that you mentioned in the first message. (It means unknown destination, as in not knowing which port to use.)

You get the picture, I'm sure, but it's still good to clarify the concepts.

Priscilla

> Anyway, I went back to what I thought was the source and was unable to find the description I had read. I'll look again. Not sure where I read it now. Anyway, this thread has confirmed what I have always understood, ie. that switches are multiport bridges. If I find that description again, I'll post it here for you to take a look at.
>
> Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
>> At 02:58 PM 5/22/02, Kevin Jones wrote:
>>> If a multiport bridge determines (based on the destination MAC address) that the destination node is on another subnet,
>>
>> Stop right there. It can't figure out that the destination is on a different subnet from the MAC address. Subnets are differentiated by network-layer information. MAC addresses are at the data-link layer. If the destination is on a different subnet, the destination MAC will be a router's MAC address, although the bridge (switch) wouldn't recognize that (unless it had some weird feature that did this, which is unlikely).
>>
>> If the bridge (switch) has learned which port reaches that MAC address, then it will forward the frame out that port and no other. If it hasn't learned how to reach that address yet, then it will flood the frame out all ports. Bridges and switches behave exactly the same.
>>
>> Priscilla
>>
>>> it will broadcast the frame out all ports except the originating port. A switch, on the other hand, is smart enough to only forward the frame out the destination port. Both devices handle unknown frames and broadcasts the same way, ie. they will forward the packets out all ports except the one the frame was received on. Any thoughts?
>>
>> Priscilla Oppenheimer
>> http://www.priscilla.com

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44765t=44649
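The forwarding rules in Priscilla's reply, as an added worked model (not code from the thread): a learning bridge that records the source MAC against the ingress port, forwards a known unicast out only the learned port, filters a frame whose destination sits on the originating segment, and floods unknown-destination and broadcast frames out every other port. Port names and MAC addresses are constructed sample values.

```python
"""Learning-bridge forwarding model (added illustration, not code from the thread).

Implements the rules from Priscilla's reply: learn the source MAC on the
ingress port, forward a known unicast out just the learned port, filter a
frame whose destination sits on the originating segment, and flood
unknown-destination and broadcast frames out every port except the one the
frame arrived on. Ports and MAC addresses are constructed sample values.
"""
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    def __init__(self, ports: List[str]):
        self.ports: Set[str] = set(ports)
        self.table: Dict[str, str] = {}  # MAC address -> port it was learned on

    def receive(self, ingress: str, src: str, dst: str) -> Set[str]:
        """Return the set of ports the frame is sent out of."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress!r}")
        # Learning: the sender is reachable through the port the frame came in on.
        self.table[src] = ingress
        # Forwarding decision.
        learned = self.table.get(dst)
        if dst == BROADCAST or learned is None:
            return self.ports - {ingress}   # flood, but never back out the ingress port
        if learned == ingress:
            return set()                    # same segment as the sender: filter
        return {learned}                    # known unicast: one port only


def demo() -> List[Tuple[str, Set[str]]]:
    """Constructed frame sequence through a four-port bridge."""
    br = LearningBridge(["p1", "p2", "p3", "p4"])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    return [
        ("A->B, B not learned yet: flood", br.receive("p1", a, b)),
        ("B->A, A learned on p1: forward to p1", br.receive("p2", b, a)),
        ("A->B, B learned on p2: forward to p2", br.receive("p1", a, b)),
        ("A->broadcast: flood", br.receive("p1", a, BROADCAST)),
        ("C->A from p1, A also on p1: filter", br.receive("p1", c, a)),
    ]


if __name__ == "__main__":
    for label, out_ports in demo():
        print(f"{label:<42} -> {sorted(out_ports)}")
```

The flood case is the one worth remembering when monitoring a switched segment: until the table has learned a destination, frames for it reach every other segment, so a switch with a sparse or unstable table behaves much like a hub.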
Re: Standby Preempt [7:44762]
Precisely. Without the 'preempt', the first router (RSM, MSFC, etc.) would never take control back from #2 after coming back up.

I would also be suspect of all of the lines that say 'standbye' hehe =)

Seriously tho, just for overkill, we always put preempt on all HSRP groups.. it won't allow a lower priority router to take over, but keeps things in order (if there are more than 2 involved)

BTW, why are you tracking VLANs? Not to say that it's not possible or needed, but I've not seen that.

Mike W.

Phil Lorenz wrote in message news:[EMAIL PROTECTED]...
> What is the significance of the preempt statement on Switch #2 in this example below???

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44766t=44762
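The election rules James and Mike are discussing, as an added worked model run over Phil's two switches (it is not code from the thread or from Cisco). It follows RFC 2281: a standby router displaces a live active router only when it has preempt configured and a better priority (higher IP address on a tie), while any standby takes over once the active router's hellos stop; interface tracking subtracts the decrement, for which the 10 James mentions is the default. Names, addresses and priorities are Phil's; the event sequence and the simultaneous-boot election are constructed assumptions.

```python
"""Toy HSRP election model (added illustration; not code from the thread or Cisco).

Models the two rules from RFC 2281 that the thread turns on:
  * a standby router takes over from a LIVE active router only if it has
    preempt configured and its priority is higher (ties: higher IP wins);
  * any standby takes over when the active router's hellos stop, preempt
    or not.
Interface tracking lowers the effective priority by TRACK_DECREMENT
(10 is the HSRP default). Router names, addresses and priorities are the
ones in Phil's example; the event sequence is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, List, Optional, Tuple

TRACK_DECREMENT = 10


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int
    preempt: bool
    up: bool = True          # False = the router has stopped sending hellos
    tracked_up: bool = True  # state of the tracked interface/VLAN

    @property
    def effective_priority(self) -> int:
        return self.priority - (0 if self.tracked_up else TRACK_DECREMENT)

    def rank(self) -> Tuple[int, int]:
        # Higher priority wins; the higher IP address breaks a tie.
        return (self.effective_priority, int(ip_address(self.ip)))


class HsrpGroup:
    def __init__(self, routers: List[HsrpRouter]):
        self.routers = {r.name: r for r in routers}
        self.active: Optional[str] = None
        self.settle()

    def settle(self) -> Optional[str]:
        """Re-run the HSRP decision after an event; return the active router."""
        alive = [r for r in self.routers.values() if r.up]
        if not alive:
            self.active = None
            return None
        current = self.routers[self.active] if self.active else None
        if current is None or not current.up:
            # No live active router (boot, or Active timer expired):
            # plain election, preempt plays no part.
            self.active = max(alive, key=HsrpRouter.rank).name
            return self.active
        # A live active router is displaced only by a router that has
        # preempt AND a better rank. Without preempt the standby stays put,
        # however its priority compares.
        challengers = [r for r in alive if r.preempt and r.rank() > current.rank()]
        if challengers:
            self.active = max(challengers, key=HsrpRouter.rank).name
        return self.active


def run_scenario(preempt1: bool, preempt2: bool) -> List[Tuple[str, str]]:
    """Constructed event sequence; returns (event, active router) pairs."""
    s1 = HsrpRouter("Switch1", "10.10.10.1", 255, preempt1)
    s2 = HsrpRouter("Switch2", "10.10.10.2", 254, preempt2)
    group = HsrpGroup([s1, s2])
    log = [("boot", group.active)]

    def event(label: str, change: Callable[[], None]) -> None:
        change()
        log.append((label, group.settle()))

    event("Switch1 tracked vlan 101 down", lambda: setattr(s1, "tracked_up", False))
    event("Switch1 tracked vlan 101 up", lambda: setattr(s1, "tracked_up", True))
    event("Switch1 down (hellos stop)", lambda: setattr(s1, "up", False))
    event("Switch1 back up", lambda: setattr(s1, "up", True))
    return log


if __name__ == "__main__":
    for p1, p2 in ((True, False), (True, True), (False, False)):
        print(f"preempt on Switch1={p1}, Switch2={p2}")
        for label, active in run_scenario(p1, p2):
            print(f"  {label:<32} active = {active}")
```

Running the three combinations shows why Mike puts preempt on every group: with preempt on neither switch, Switch2 keeps the active role after Switch1 returns; with preempt only on Switch1 (Phil's config), Switch1 reclaims the role after an outage, but the tracking decrement alone moves nothing because Switch2 cannot preempt; with preempt on both, the tracked-VLAN failure moves the role to Switch2 and it moves back when the VLAN recovers.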
Re: Provider backbone engineering (was: Logic and Lab Rats) [7:44768]
Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...
> :-) well, my book on the subject, Building Service Provider Networks, should be about to ship.
>
> Seriously, let's talk about several areas, beginning with BGP. Every BGP scenario I've seen or heard of in the CCIE context, at best, looks at an extremely simple configuration with rules NEVER used in the real world. A few contrasts:

The way Cisco teaches BGP irks me as well. They just don't cover anything except the basics.

> -- in the real world, it's VERY rare to redistribute between a dynamic IGP and BGP. Sure, there are exceptions, but they are VERY carefully chosen. A provider backbone CANNOT survive having 100,000-plus routes in its IGP, nor should it.

I wouldn't say it's VERY rare. Take Philip Smith's NANOG presentation on Multihoming as an example. Many Enterprises may want to get peering routes or partial routes and inject them into their IGP. Many ISP's may want to inject their IGP into their BGP for customer static routes (using a route-map to filter out all the junk). I would say this is VERY common. What's not common (and what you are referring to) is redistributing everything (IGP to BGP; BGP to IGP) for full routes (the 112,000 routes today).

> -- In provider use, the main purpose of the IGP (or multiple instances of an IGP) is to maintain connectivity among BGP routers. You may have a separate IGP instance for each POP or group of POPs.

Next-hop information for BGP, correct. It holds the infrastructure addresses, and I'm pretty sure you are familiar with this term since I think you invented it. So basically, a bunch of routed transit links (/30's or /31's if you can use them) and loopback interfaces (/32's) and not much else, if anything else at all.

> -- To connect customers, there is MUCH more use of static and default routes. You could not possibly run a provider network with the CCIE lab rule of no statics or defaults.

Service providers typically implement tons of statics and defaults, correct. Most don't like it, though, and try to design around it for any alternatives.

> -- AS paths are longer and more complex than you can create with six or so routers.

Most people cannot create/simulate the Internet in their house, very true.

> -- There's a HUGE amount of things to be concerned with that aren't strictly configuration, such as justifying/obtaining/managing address space, intercarrier relationships involving both economics and cooperative troubleshooting, DNS management, protecting against distributed denial of service, etc.

This stuff is pretty easy, actually. At least once you start doing it and getting your head around the problems. CCIE doesn't teach ARIN/RIPE/APNIC justification. But ARIN's/RIPE's/APNIC's websites teach it pretty well. The RIR's and IRR's aren't complex, they are just black art (sort of like DNS is). You have to know where to go to get the information, and you can't just sit down one day and learn it (well maybe you can). But there are a lot of good resources out there on RPSL, etc, that will let you pick this up fairly quickly. RFC 2622 and RFC 2650 are a fairly good start.

Learning about Inter-Provider relationships is easy, too, once you get involved. The best way, IMO, to get really involved quickly is to start talking to your local Exchange Point (EP) people. They understand these concepts and are normally willing to share the information very in-depth to any person who needs to know. http://www.ep.net/ for information about your local exchange points.

As for the other two black-arts, DNS and handling DDoS/DoS, there *are* many resources out there *and* the IETF has these topics well-defined. Cisco doesn't teach these concepts (at least, not IMO), but they aren't difficult to learn. Most people can just start reading the following list of RFC's and Internet-Drafts and understand 99% of what's needed in these two areas:

DNS: RFC 1034 (Updated by RFC1101, RFC1183, RFC1348, RFC1876, RFC1982, RFC2065, RFC2181, RFC2308, RFC2535)
DNS: RFC 1035 (Updated by RFC1101, RFC1183, RFC1348, RFC1876, RFC1982, RFC1995, RFC1996, RFC2065, RFC2136, RFC2181, RFC2137, RFC2308, RFC2535, RFC2845)
DNS: http://www.ietf.org/ids.by.wg/dnsext.html
     http://www.ietf.org/ids.by.wg/dnsop.html
     Internet-Drafts at the above URL's
DNS: http://www.isc.org/products/BIND/
     http://www.ultradns.com/
DDoS/DoS: RFC 2196, RFC 2827, RFC 3013, RFC 2979, RFC 1858, RFC 3128
DDoS/DoS: http://packetstorm.dnsi.info/DoS/
          http://packetstorm.dnsi.info/distributed/

Which will require in-depth knowledge of RFC 791, RFC 792, RFC 793, RFC 768 and/or TCP/IP Illustrated Volume I, and anything else applicable

> -- BGP communities are far more important than in typical scenarios. You need to know why and when to set up your own, learn the values of communities set by other AS and under what circumstances
Re: Logic and "Lab Rats" [7:44653]
nrf wrote in message news:[EMAIL PROTECTED]...
> On the other hand, who's more likely to show up to work late? Or show up drunk or high? Or get into a fight with his coworkers? Or surf porn in front of female coworkers? The guy who's been in the working world for 25 years or a new kid? Experience is not just about knowing which command does what. It's also about general work attitudes and maturity.

Again, I say this is not a valid conclusion.. What you're implying is that people with experience cannot also be slackers, alcoholics, drug addicts, racist, sexist, assholes or someone who in any way is inappropriate. That's a very flawed and very illogical conclusion.

> Who's more likely to show up for work late?

Depends on who worked at places that were more relaxed on their schedules.. The last place I worked, you were yelled at for being 5 minutes late; the place I'm at now, you could show up pretty much anytime from 8 to 8 or so and no one would say a thing. Someone could easily get experience at a relaxed place, and then after years move to a place with little tolerance and perhaps find it hard to break the habit of coming in whenever..

> Or show up drunk or high?

People from all walks of life, with both good work records and very happy employers, are able to come in drunk and/or high and not be suspected (i.e. functional alcoholics)... Trust me, I lived in a college town and knew plenty of people that would go to work a bit drunk or stoned or whatnot. This kind of thing happens a lot (even people who aren't 'alcoholics' per se that go out until 4am, then drag in at 8 still a bit tipsy). This affects people of all ages and experience levels.. Again, nothing to do with 'experience' with routers/routing protocols/networks, etc..

> Or get into a fight with his coworkers?

This one is laughable. Personality conflicts are wide and varied. To assume that because someone has even a sparkling clean work history that a personality conflict won't or can't happen when brought into your workplace is flawed from its roots. I've been working professionally in the IT field for 10+ years now, and *never* wanted to clock a co-worker until I got to my current job. There's this guy who thinks all women are stupid, etc etc. He's the epitome of 'an @!#$' in every regard, and my patience has never been tested like it has with this guy.. Point being, again, that experience can in no way predict personality conflicts. Checking personal and professional references perhaps, but not the sheer fact they have had a job and have experience.

> Or surf porn in front of female coworkers?

Anyone that would do this in front of anyone that they don't know well enough to know it won't offend them is just an idiot. Again nothing to do with experience (or lack of)..

I've said it once, and I'll say it again. You're equating experience with good work habits, good skills, and good personal habits, and experience is a reflection on none of these (IMHO). Experience isn't even meant to measure those things.. So people ask the question "Do you have experience with coming in on time? Do you have experience with not starting fights? Do you have any experience in a drug-free workplace?" No, those are absurd questions. I would offer up that anyone that doesn't have the knowledge that they shouldn't show up to work drunk/high, shouldn't start fights, and should show up on time is not a good job candidate.. So ruling those bozos out, then one can consider experience, certifications, references, etc. Experience is another word for knowledge and/or skill, period. As seen in the following definition:

Experience
a. Active participation in events or activities, leading to the accumulation of knowledge or skill.
b. The knowledge or skill so derived

So attributing any other good qualities (being on time, not showing up drunk/high, not starting fights, etc) of a person (employee or potential employee) simply because of experience (or lack of) is a fallacy. I mean, I knew on my very first job, cutting grass at a hospital, that I was s'posed to show up on time, etc etc and I did that as well as anyone else, even without experience to prove it..

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44761t=44653
RE: ISDN BRI Simulator Comparison - way to expensi [7:44767]
For that price you might as well order 2 ISDN lines from your local telco. That should only cost you about $80.00 a month as you don't need to get ISP service with it. You would be able to use those for 17 months until coming up even.

Georg Treptow

-----Original Message-----
From: Dennis Laganiere [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 6:34 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Subject: RE: ISDN BRI Simulator Comparison

> Earlier today I proposed putting together some comparative information on the various ISDN Simulators available. Since the question "which simulator do I buy?" comes up regularly on the list, I thought a cooperative effort to develop an answer would be an interesting exercise for the group.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44767t=44767
RE: ISDN BRI Simulator Comparison [7:44763]
Earlier today I proposed putting together some comparative information on the various ISDN Simulators available. Since the question "which simulator do I buy?" comes up regularly on the list, I thought a cooperative effort to develop an answer would be an interesting exercise for the group.

Just to start the conversation, here's a review of the two that I have in my home pod...

Arca Emutel Lite

Recent e-bay sales: $1,250 - $1,400

Features:
* 2 port BRI
* Switch types supported: NAT-1, DMS100 and 5ESS

Default settings (just because I think it's useful):

  Port  B-channel  DN      SPID
  1     1          384000  384001
  1     2          384010  384002
  2     1          384020  384021
  2     2          384030  384022

The default ISDN switch-type is basic-dms100

Pro:
* Been using it for a year without a problem
* Built-in battery backup means you can use it without AC power for a quick demonstration
* Supports either S (4-wire) or U (2-wire) interfaces (selected through software)
* Simple console-like configuration

Con:
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Power supply is an external brick. Minor thing, but kind of annoying.

Teltone ILS-B-01 ISDN Demonstrator

Recent e-bay sales: $1,225 - $1,599 (New from the manufacturer, $1,855.00)

Features:
* 2 port BRI
* Switch types supported: NAT-1, ATT Custom

Default settings (just because I think it's useful):

  Port  B-channel  DN        SPID
  1     1          835-8661  0835866101
  1     2          835-8663  0835866301
  2     1          835-8662  0835866201
  2     2          835-8664  0835866401

The default ISDN switch-type is basic-nil

Pro:
* Built in power supply.
* Windows-based configuration (I haven't tried it yet, but the book makes it look easy)

Con:
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Only has U Interfaces

I look forward to seeing what other people have used... Thanks...

--- Dennis

-----Original Message-----
From: Dennis Laganiere [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 2:36 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: ISDN BRI Simulator Comparison

This brings to mind an interesting side-project, if anybody has the time and inclination to help out. I've not seen a comprehensive comparison between the various simulators that are available, factoring in features and approximate cost. Myself personally, I've got an Emutel Lite at home that I've had for a while, and I just picked up a Teltone ISDN Demonstrator that I'm going to start playing with this weekend. I could probably put together a quick write up on those if it were a conversation that other people would like to contribute to. Anybody want to play? Let me know...

--- Dennis

From: Dennis Laganiere [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 1:48 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: ISDN BRI Simulator

Um... I'll pay $125... Next bidder... :)

I don't believe you'll find too many in this range, but I'd love to learn that I'm wrong... Thanks...

--- Dennis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: ISDN BRI Simulator

I am looking for a 2 port ISDN BRI Simulator for under $100. Does anyone know where I can get one?

Thanks,
Bill Cook, Network Project Manager

_______________________________________________
Commercial lab list: http://www.groupstudy.com/list/commercial.html
Please discuss commercial lab solutions on this list.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44763t=44763
Re: STP and 7 hops [7:44408]
At 02:51 AM 5/22/02, Chuck wrote:
> sorry to keep harping on this one, but I'm actually learning something here. Besides, my big project at work these days is working with a large university, replacing their campus physical and switch infrastructure. I'm finding this discussion fascinating for that reason as well.

Well, it might not have any real-world relevance. ;-)

> If I read my source correctly, the max age field is supposed to be 2 bytes, and is supposed to be a time value,

That sounds like Message Age actually. Message Age times the age of a BPDU. The root sends a BPDU with Message Age set to zero. Each bridge adds 1. So it is sort of a hop count. In a functioning network, the bridges don't pay much attention to this since BPDUs are refreshed every 2 seconds.

> with the min being 1/256 second and the max being 256 seconds. other than in the initial STP process ( or recalculation )

In a non-functioning network, the Maximum Age threshold comes into play. Its default is 20. You can change it (at the root bridge only; the others learn it from the root). The Maximum Age controls the size of the network, but it also has a much more important purpose, which is to start reconvergence.

As I understand it, the BPDU arrives with the Message Age = to hop count. But the BPDU continues to age until it reaches Maximum Age. If the Root Bridge fails, another bridge will notice the Message Age reach the Maximum Age and start the process of taking over as the Root Bridge. If the Root Bridge doesn't fail, but a path to the Root Bridge fails, if an alternate path exists, a blocking port on a downstream bridge transitions to listening, learning, and forwarding after it notices Message Age reach Maximum Age. If a Root Port fails, another port on the bridge where the failure occurred may transition directly into the listening and learning states without waiting for Maximum Age.

It's horridly complex. ;-)

> the BPDU would for all practical purposes be time from the root. Correct? My source tells me only the fields and their values, and nothing about functionality. It would appear that the max age field tells the local switch how old a message can be before it is disregarded, or causes some other action to be taken. The message age field is the actual age as per the process you describe below - incremented by each bridge along the way.

Yes, that sounds right.

> The root path cost is used to advertise how far this bridge is from the root? hops?

No, cost like in OSPF. Each interface has a cost:

  Link Speed   Recommended Cost Value
  4 Mbps       250
  10 Mbps      100
  16 Mbps      62
  100 Mbps     19
  1 Gbps       4
  10 Gbps      2

> counting on my fingers, a max distance of 20 from the root is a whole lot different than a max diameter of 7.

The 7 is a recommended value. Try even finding it in Radia Perlman's book!? ;-)

I hope I didn't just confuse matters even more. In addition to the Perlman bible, try the Clark and Hamilton holy writ.

Priscilla
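The fields Priscilla is describing, as an added worked model (not code from the thread, from IEEE 802.1D or from any vendor): a configuration BPDU that leaves the root with Root Path Cost 0 and Message Age 0, gains the ingress port's cost and one unit of Message Age at every bridge that relays it, and is refused once its Message Age has reached Max Age (default 20). Port costs are the recommended values from the table above; Message Age is treated as a hop count the way the thread describes it, and the chains of links are constructed examples. The model goes slightly beyond the exchange by also showing why Root Path Cost and hop distance diverge: five gigabit hops cost less than three 10 Mbps hops.

```python
"""Configuration BPDU propagation model (added illustration; not from the thread).

Follows the thread's description: the root sends a BPDU with Root Path
Cost 0 and Message Age 0; each bridge that relays it adds the cost of the
port the BPDU arrived on and adds 1 to Message Age; a bridge refuses a
BPDU whose Message Age has already reached Max Age (default 20). Port
costs are the recommended 802.1D values from Priscilla's table. The
topologies below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

MAX_AGE = 20  # default Max Age; set at the root, learned by the other bridges

PORT_COST = {  # link speed in Mbps -> recommended cost
    4: 250,
    10: 100,
    16: 62,
    100: 19,
    1000: 4,
    10000: 2,
}


@dataclass(frozen=True)
class Bpdu:
    root_id: str
    root_path_cost: int
    message_age: int       # modelled as a hop count, as in the thread
    max_age: int = MAX_AGE


def root_bpdu(root_id: str) -> Bpdu:
    """BPDU as the root bridge originates it."""
    return Bpdu(root_id, 0, 0)


def relay(bpdu: Bpdu, ingress_speed_mbps: int) -> Optional[Bpdu]:
    """BPDU as a downstream bridge forwards it, or None if the bridge refuses it."""
    if bpdu.message_age >= bpdu.max_age:
        return None  # too old: the receiving bridge treats the tree as stale
    return replace(
        bpdu,
        root_path_cost=bpdu.root_path_cost + PORT_COST[ingress_speed_mbps],
        message_age=bpdu.message_age + 1,
    )


def walk_path(link_speeds: List[int]) -> Optional[Bpdu]:
    """Propagate the root's BPDU down a chain of bridges; None if it expires."""
    bpdu: Optional[Bpdu] = root_bpdu("root")
    for speed in link_speeds:
        bpdu = relay(bpdu, speed)
        if bpdu is None:
            return None
    return bpdu


def seconds_until_expiry(bpdu: Bpdu) -> int:
    """How long a stored BPDU lasts without a refresh before Max Age is hit."""
    return max(0, bpdu.max_age - bpdu.message_age)


def compare_paths() -> Dict[str, Optional[Tuple[int, int]]]:
    """(root path cost, message age) at the far end of a few constructed chains."""
    chains = {
        "3 x 10 Mbps": [10, 10, 10],
        "5 x 1 Gbps": [1000] * 5,
        "20 x 100 Mbps": [100] * 20,
        "21 x 100 Mbps": [100] * 21,
    }
    out: Dict[str, Optional[Tuple[int, int]]] = {}
    for label, speeds in chains.items():
        end = walk_path(speeds)
        out[label] = (end.root_path_cost, end.message_age) if end else None
    return out


if __name__ == "__main__":
    for label, result in compare_paths().items():
        print(f"{label:<16} -> {result if result else 'BPDU refused (Max Age)'}")
```

`walk_path([100] * 20)` reaches the twentieth bridge with Message Age 20 and cost 380; a twenty-first bridge refuses the BPDU, which is the "20 from the root" limit in the thread. `seconds_until_expiry()` gives how long a bridge's stored BPDU survives without the two-second refresh before Max Age starts reconvergence: the further from the root, the sooner.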
RE: Looking for people preparing for BCMSN 650-504Exam [7:44731]
I passed switching today. Will pass Support tomorrow and then I'll be an NP. This test is more theory than any others and there are at least 15 gimmee questions that would be better served on a CompTia N+ test. There are about 12 really hard questions, and the rest are not very difficult if you know the material. REALLY know the differences between the commands on CatOS and IOS. REALLY know VTP, trunking, etc. It's longer but easier than Routing and Remote Access.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44772t=44731
RE: ISDN BRI Simulator Comparison [7:44763]
I bought an Adtran 550 for $1600 from someone who appropriated it when they got laid off at a dot com. Anyway it works really well and you can get POTS modules for it. I haven't been able to get PPP multilink to work with it; anyone have thoughts? It's a real bitch to set up too. But it is the one they use in the LAB! My thinking is that we are really just renting this stuff anyway and after we get our 4 numbers we will sell it back on Ebay for as much or greater than what we paid. I have around $4000 in equipment and I know if need be I can get it back. Then I am thinking that in the future I would like to consult and do design and installs for companies. If I have all this equipment it would be very easy to simulate whatever their requirements were and then just implement with configs you did at home.

just my 2 cents

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44771t=44763
RE: no lmi - dlci inactive - telco says my problem? [7:44709]
What router/IOS are you running? IOS 11.2 and above will autodetect the LMI type. If your IOS is lower you'll need to get the telco to tell you what kind of LMI their frame switch is using and then set that type on the interface. Have you set the encapsulation type to frame-relay on the interface?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44773t=44709
RE: ISDN BRI Simulator Comparison - way to expensi [7:44770]
I'd agree, especially if you've got a study buddy to split the cost with... On the other hand, the prices I found were from e-bay - so provided Cisco doesn't drop ISDN from the lab, you can always resell the unit once you're done and the only thing you're out is the delta in the prices and any interest you might have lost by not investing in Enron stock... Ummm, forget that last part... :) --- Dennis -Original Message- From: Treptow, Georg [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 4:58 PM To: 'Dennis Laganiere'; '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; '[EMAIL PROTECTED]' Subject:RE: ISDN BRI Simulator Comparison - way to expensive!! For that price you might as well order 2 ISDN lines from your local telco. That should only cost you about $80.00 a month as you don't need to get ISP service with it. You would be able to use those for 17 months until coming up even. Georg Treptow -Original Message- From: Dennis Laganiere [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 6:34 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; '[EMAIL PROTECTED]' Subject: RE: ISDN BRI Simulator Comparison Earlier today I proposed putting together some comparative information on the various ISDN Simulators available. Since the question which simulator do I buy? comes up regularly on the list, I though a cooperative effort to develop an answer would be an interesting exercise for the group. Just to start the conversation, here's a review of the two that I have in my home pod... 
Arca Emutel Lite
Recent e-bay sales: $1,250 - $1,400
Features:
* 2 port BRI
* Switch types supported: NAT-1, DMS100 and 5ESS
Default settings (just because I think it's useful):
Port  B-channel  DN      SPID
1     1          384000  384001
1     2          384010  384002
2     1          384020  384021
2     2          384030  384022
The default ISDN switch-type is basic-dms100
Pro:
* Been using it for a year without a problem
* Built-in battery backup means you can use it without AC power for a quick demonstration
* Supports either S (4-wire) or U (2-wire) interfaces (selected through software)
* Simple console-like configuration
Con:
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Power supply is an external brick. Minor thing, but kind of annoying.

Teltone ILS-B-01 ISDN Demonstrator
Recent e-bay sales: $1,225 - $1,599 (New from the manufacturer, $1,855.00)
Features:
* 2 port BRI
* Switch types supported: NAT-1, ATT Custom
Default settings (just because I think it's useful):
Port  B-channel  DN / SPID
1     1          835-86610835866101
1     2          835-86630835866301
2     1          835-86620835866201
2     2          835-86640835866401
The default ISDN switch-type is basic-nil
Pro:
* Built-in power supply.
* Windows-based configuration (I haven't tried it yet, but the book makes it look easy)
Con:
* Since I'm using 2503's, it requires 2 x NT1 (approx $30 each on ebay)
* Only has U Interfaces

I look forward to seeing what other people have used... Thanks... --- Dennis -Original Message- From: Dennis Laganiere [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 2:36 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Subject: ISDN BRI Simulator Comparison This brings to mind an interesting side-project, if anybody has the time and inclination to help out. I've not seen a comprehensive comparison between the various simulators that are available, factoring in features and approximate cost. 
Myself personally, I've got an Emutel Lite at home that I've had for a while, and I just picked up a Teltone ISDN Demonstrator that I'm going to start playing with this weekend. I could probably put together a quick write-up on those if it were a conversation that other people would like to contribute to. Anybody want to play? Let me know... --- Dennis From: Dennis Laganiere [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 1:48 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Subject: RE: ISDN BRI Simulator Um... I'll pay $125... Next bidder... :) I don't believe you'll find too many in this range, but I'd love to learn that I'm wrong... Thanks... --- Dennis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 1:16 PM To: [EMAIL PROTECTED] Subject: ISDN BRI Simulator I am looking for a 2 port ISDN BRI Simulator for under $100. Does anyone know where I can get one? Thanks, Bill Cook, Network Project Manager _ Commercial lab list: http://www.groupstudy.com/list/commercial.html Please discuss commercial lab solutions on this list.
Fwd: no lmi - dlci inactive - telco says my problem? [7:44774]
No LMI indicates the telco frame switch is not seeing the frame keepalives from the Cisco. 1. Are both sides confirmed as using the same frame relay encapsulation [ietf/cisco]? 2. What is the output of 'debug frame lmi'? 3. What is the output of 'debug serial interface'? 4. Have you tried to do a shut/no shut or a clear on the physical interface after the loop test? beth shriver wrote: Hello friends, I am having a little problem getting a new long distance frame relay circuit going and getting the ol' "it's your equipment" answer from the telco and not sure if this is the case or not. I have checked cables and TSU/router config and all seems OK. When the telco loops my CSU/TSU it causes my interface to bounce but the interface then stays in "interface UP, protocol DOWN" state. Telco is saying they see no LMI from my equipment. In the past when I've seen no LMI it always turned out to be something on the telco side. I don't do frame relay much so I am kind of at the mercy of the tech who is turning this circuit up, so can someone give me some pointers on what I can look for to make sure it is not in my equipment? Or how I can tell if it is a telco issue with the circuit? Any replies would be greatly appreciated! Fast replies appreciated even more!!! :)
RE: Standby Preempt [7:44762]
Sorry - it was a router, an MSFC1 to be specific. Thanks Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 22, 2002 7:51 PM To: [EMAIL PROTECTED] Subject: RE: Standby Preempt [7:44762] Phil, Thanks for posting this, I wasn't even aware that you could use HSRP on switches/VLANs; if you have a URL or more info on using HSRP on switches that would be great. As for your question, if HSRP works on switches in the same way it does on routers, then yes, switch #2 should also have a preempt statement. If VLAN 101 on switch #1 fails its priority decrements by the default value (10 I think); switch #2 picks up on this when it receives the next hello packet from switch #1, switch #2 then becomes the active switch, but since there is no preempt on switch #2 it has no way of returning back to standby once switch #1 returns to its original state. This is assuming that HSRP operates the same on switches as it does on routers; if not then please disregard. James
filter snmp MIB send out on a router [7:44777]
Hi group, Is there a way to filter the SNMP MIB sent out on a Cisco router? For example, I want a community string to only send out router interface status info. How would I accomplish this? Thanks Adam
Re: Provider backbone engineering [7:44778]
At 7:58 PM -0400 5/22/02, dre wrote: Howard C. Berkowitz wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... :-) well, my book on the subject, Building Service Provider Networks, should be about to ship. Seriously, let's talk about several areas, beginning with BGP. Every BGP scenario I've seen or heard of in the CCIE context, at best, looks at an extremely simple configuration with rules NEVER used in the real world. A few contrasts: The way Cisco teaches BGP irks me as well. They just don't cover anything except the basics. -- in the real world, it's VERY rare to redistribute between a dynamic IGP and BGP. Sure, there are exceptions, but they are VERY carefully chosen. A provider backbone CANNOT survive having 100,000-plus routes in its IGP, nor should it. I wouldn't say it's VERY rare. There's something as key as OSI (actually more so) in this technology area that often doesn't get mentioned: the abstraction of routing policy (which is distinct from Cisco policy routing). I only started understanding what backbones actually were doing when I began to grok RIPE-181, which has been superseded by RPSL. Take Philip Smith's NANOG presentation on Multihoming as an example. Many Enterprises may want to get peering routes or partial routes and inject them into their IGP. The first key question to ask here: what is the broad routing paradigm? Cold potato/closest exit or hot potato/best exit? The second key question is how one should try for optimal Internet routing at the small to medium enterprise level. It may not really be that important. Many ISP's may want to inject their IGP into their BGP for customer static routes (using a route-map to filter out all the junk). With considerable aggregation, yes. Alternatively, though, redistributing blackhole statics for their allocations is common enough. We've been learning a lot about that IGP metric direct translation to MED can be dangerous, and produce persistent oscillation. 
Those route maps may be the better way to set MED. I would say this is VERY common. What's not common (and what you are referring to) is redistributing everything (IGP to BGP; BGP to IGP) for full routes (the 112,000 routes today). -- In provider use, the main purpose of the IGP (or multiple instances of an IGP) is to maintain connectivity among BGP routers. You may have a separate IGP instance for each POP or group of POPs. Next-hop information for BGP, correct. It holds the infrastructure addresses, and I'm pretty sure you are familiar with this term since I think you invented it. So basically, a bunch of routed transit links (/30's or /31's if you can use them) and loopback interfaces (/32's) and not much else, if anything else at all. -- To connect customers, there is MUCH more use of static and default routes. You could not possibly run a provider network with the CCIE lab rule of no statics or defaults. Service providers typically implement tons of statics and defaults, correct. Most don't like it, though, and try to design around it for any alternatives. Well, it depends. If you look at my NANOG and ARIN presentations on address management, this lends itself to being automated. A provider certainly has to keep a database of the address space it hands out. Once you have this database, writing a Perl script or even the DBMS reporting system can be used to generate ip route, DNS A/PTR, etc., records, which then get merged into .cfg files for routers and/or sent directly to the devices, using telnet/TCL/expect. -- AS paths are longer and more complex than you can create with six or so routers. Most people cannot create/simulate the Internet in their house, very true. -- There's a HUGE amount of things to be concerned with that aren't strictly configuration, such as justifying/obtaining/managing address space, intercarrier relationships involving both economics and cooperative troubleshooting, DNS management, protecting against distributed denial of service, etc. 
This stuff is pretty easy, actually. At least once you start doing it and getting your head around the problems. Ummm...isn't that about what you say to a virgin about sex? :-) CCIE doesn't teach ARIN/RIPE/APNIC justification. But ARIN's/RIPE's/APNIC's websites teach it pretty well. The RIR's and IRR's aren't complex, they are just black art (sort of like DNS is). You have to know where to go to get the information, and you can't just sit down one day and learn it (well maybe you can). But there are a lot of good resources out there on RPSL, etc, that will let you pick this up fairly quickly. RFC 2622 and RFC 2650 are a fairly good start. Yep. A lot of tutorials as well at www.radb.net. I use extensive RPSL and pseudo-RPSL in explaining provider problem analysis in the new book. Learning about Inter-Provider relationships is easy, too, once you get involved.
Fwd: no lmi - dlci inactive - telco says my problem? [7:44774]
Another possible problem (although the outputs that people have asked for would help...) Do you have 'no keepalive' set? If you turn off keepalives, you will turn off LMI from your router to the telco switch - which won't help your connectivity much... Could be worth checking with your telco how often they expect to see keepalives and make sure your keepalive interval matches that - I think the default is ten seconds. JMcL - Forwarded by Jenny Mcleod/NSO/CSDA on 23/05/2002 12:26 pm - Daniel Skripka Sent by: [EMAIL PROTECTED] 23/05/2002 10:33 am Please respond to Daniel.Skripka To: [EMAIL PROTECTED], [EMAIL PROTECTED] cc: Subject: Fwd: no lmi - dlci inactive - telco says my problem? [7:44774] Is this part of a business decision process?: No LMI indicates the telco frame switch is not seeing the frame keepalives from the Cisco. 1. Are both sides confirmed as using the same frame relay encapsulation [ietf/cisco]? 2. What is the output of 'debug frame lmi'? 3. What is the output of 'debug serial interface'? 4. Have you tried to do a shut/no shut or a clear on the physical interface after the loop test? beth shriver wrote: Hello friends, I am having a little problem getting a new long distance frame relay circuit going and getting the ol' "it's your equipment" answer from the telco and not sure if this is the case or not. I have checked cables and TSU/router config and all seems OK. When the telco loops my CSU/TSU it causes my interface to bounce but the interface then stays in "interface UP, protocol DOWN" state. Telco is saying they see no LMI from my equipment. In the past when I've seen no LMI it always turned out to be something on the telco side. I don't do frame relay much so I am kind of at the mercy of the tech who is turning this circuit up, so can someone give me some pointers on what I can look for to make sure it is not in my equipment? Or how I can tell if it is a telco issue with the circuit? Any replies would be greatly appreciated! Fast replies appreciated even more!!! :)
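The two replies above describe the same symptom (telco sees no LMI) with two different causes: the router never sending status enquiries (keepalive off or wrong encapsulation) versus enquiries going out and nothing coming back. As an added example, not from anyone on the thread, here is a small Python classifier that tells those cases apart from a 'debug frame-relay lmi' capture; the sample lines are constructed and only loosely modelled on the IOS line format, not taken from the poster's router.

```python
import re

# Constructed sample captures, modelled loosely on the IOS
# 'debug frame-relay lmi' line format ("Serial0(out): StEnq, myseq N,
# yourseen M, DTE up" / "Serial0(in): Status, myseq N"). They are not
# output from the poster's router.
SAMPLE_NO_REPLIES = """\
Serial0(out): StEnq, myseq 21, yourseen 0, DTE down
Serial0(out): StEnq, myseq 22, yourseen 0, DTE down
Serial0(out): StEnq, myseq 23, yourseen 0, DTE down
"""

SAMPLE_HEALTHY = """\
Serial0(out): StEnq, myseq 41, yourseen 40, DTE up
Serial0(in): Status, myseq 41
Serial0(out): StEnq, myseq 42, yourseen 41, DTE up
Serial0(in): Status, myseq 42
"""

# An empty capture is what 'no keepalive' (or a non-frame-relay
# encapsulation) produces: the router never sends a status enquiry at all.
SAMPLE_KEEPALIVE_OFF = ""

STENQ_RE = re.compile(
    r"^(?P<intf>\S+)\(out\): StEnq, myseq (?P<myseq>\d+), "
    r"yourseen (?P<yourseen>\d+), DTE (?P<dte>up|down)$"
)
STATUS_RE = re.compile(r"^(?P<intf>\S+)\(in\): Status, myseq (?P<myseq>\d+)$")


def parse_lmi_debug(text):
    """Return (sent, replied): sequence numbers of StEnq sent and Status seen."""
    sent, replied = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = STENQ_RE.match(line)
        if m:
            sent.append(int(m.group("myseq")))
            continue
        m = STATUS_RE.match(line)
        if m:
            replied.append(int(m.group("myseq")))
    return sent, replied


def classify_lmi(text):
    """Map a capture to the conditions discussed in the thread.

    Verdicts:
      no_enquiries_sent - the router never sends a status enquiry, so the
                          telco cannot see LMI from us: check 'keepalive' and
                          'encapsulation frame-relay' on the interface (local).
      no_lmi_replies    - enquiries go out but no Status comes back: look at
                          the CSU/DSU, the circuit, or an LMI type mismatch
                          with the telco switch.
      intermittent      - some enquiries answered, some not.
      healthy           - every enquiry in the capture got a Status reply.
    """
    sent, replied = parse_lmi_debug(text)
    answered = set(replied)
    unanswered = [seq for seq in sent if seq not in answered]
    stats = {"sent": len(sent), "replied": len(replied), "unanswered": unanswered}
    if not sent:
        verdict = "no_enquiries_sent"
    elif len(unanswered) == len(sent):
        verdict = "no_lmi_replies"
    elif unanswered:
        verdict = "intermittent"
    else:
        verdict = "healthy"
    return verdict, stats


if __name__ == "__main__":
    for name, capture in [("no replies", SAMPLE_NO_REPLIES),
                          ("healthy", SAMPLE_HEALTHY),
                          ("keepalive off", SAMPLE_KEEPALIVE_OFF)]:
        verdict, stats = classify_lmi(capture)
        print(f"{name:14s} -> {verdict} {stats}")
```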
Re: ppp multilink over adsl????? [7:44704]
I heard someplace, maybe on this list, about using a dry pair for DSL connections between two points. Attach a DSL device like an 827 at each end and voila! In such a case, I wonder. Especially now that you can create a virtual multilink interface, rather than have to go through the old virtual template method. Why not? MADMAN wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I think you're correct. Most people that have DSL terminate at a provider and I know of no providers that provide DSL-ppp-multilink. We do have several customers that do control both sides, use DSL for employee remote access and some use it for backup, but again none have tried the multilink but I suspect it's possible. Dave Michael Williams wrote: I'm going to hazard a guess here and see what others think of my theory. For PPP Multilink to work you need it enabled at both ends. With point-to-point T1s or ISDN this isn't a problem because you (usually) control both ends. But with ADSL, you only control one end (unless this is the weird point-to-point DSL that's being offered that I've just never heard of). So I don't think this would be possible, because your DSL provider would treat each connection separately (attempt to give an IP, etc.). Anyone's thoughts? Mike W. -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it
Re: BGP load balancing [7:44697]
I love these "how to load balance using BGP" threads. Everyone who wants to load balance across the internet should be aware that you may be creating a situation where you are hurting your performance. Let's say that you have two AS Paths that are the same length. How do you know how many hops there are along each of those AS Paths? Maybe one path crosses 37 routers and the other one only crosses 3. Think that might have potential issues? Just because you want to do it, just because you can do it, doesn't mean you should do it. As someone wiser than I likes to ask: what problem are you trying to solve? jeff sicuranza wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Yes it does if you are doing EBGP and your router has two or more directly connected links to your EBGP peer. Then the default load balancing will work if static routes or an IGP is used for your subnets linking your neighbors. You see, it is not BGP performing the load balancing but the normal behavior of load balancing across equal cost paths (if they exist) regardless of whether you are using static or IGP routes. EBGP multihop also does this; however, you are still using the behavior of the static and IGP routes for equal cost paths but do not need to have your neighbors directly connected... Lab it, you will see... Have fun
Re: Passed 350-001 today [7:43574]
Hi all, Which book/document must I read before the exam? - Original Message - From: Kerry To: Sent: Thursday, May 09, 2002 12:26 AM Subject: Re: Passed 350-001 today [7:43574] congrats Kris Keen wrote in message news:[EMAIL PROTECTED]... Hi All, I sat the CCIE RS Written today at Vue in Sydney. I passed with 79%. I sat the original exam. I used the NLI Study Guide (spot on), Boson 2/3, Rossi's paper and the CCIE LAN Switching LANE chapter along with the OSPF section outta Routing TCP/IP Vol 1. I thought this was a great exam, and enjoyed it a lot. Quite difficult but really tested me..! Stressing ATM/Bridging and OSPF heavily! Now onto the BIG BOY! Best of luck to everyone! Cheers Kris CNE, CCNP, CCIE Written
Boson CCIE BootCamp [7:44780]
Does anyone have any input on the CCIE bootcamps for the lab? Is this worth the money? I don't want to dish out $8000 large for nothing. - Me
Re: Provider backbone engineering [7:44778]
Howard C. Berkowitz wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... -- in the real world, it's VERY rare to redistribute between a dynamic IGP and BGP. Sure, there are exceptions, but they are VERY carefully chosen. A provider backbone CANNOT survive having 100,000-plus routes in its IGP, nor should it. I wouldn't say it's VERY rare. There's something as key as OSI (actually more so) in this technology area that often doesn't get mentioned: the abstraction of routing policy (which is distinct from Cisco policy routing). I only started understanding what backbones actually were doing when I began to grok RIPE-181, which has been superseded by RPSL. RPSL is a great way of explaining routing policy. Even stranger, I found it holds a lot of programming concepts like object-oriented-ness. But the language only goes as far as the real world implementations. Learning RPSL was one thing, but downloading all of the radb.db files over the years and reading through them was the real experience of a lifetime. The first key question to ask here: what is the broad routing paradigm? Cold potato/closest exit or hot potato/best exit? For a peering routes example, yes, best-exit/closest-exit problems are super high on the agenda. However, that seems to be more of an IGP problem, and that's where regular knowledge of, say, OSPF is taken to a whole new level. And one that is never taught in any course or material in any classroom or even online. You learn that on the job at an ISP (does anybody else have any resources for this?). Many ISP's may want to inject their IGP into their BGP for customer static routes (using a route-map to filter out all the junk). With considerable aggregation, yes. Alternatively, though, redistributing blackhole statics for their allocations is common enough. Reversal routing concepts are common in the workplace and unheard of in any labs/certification courses. 
We've been learning a lot about that IGP metric direct translation to MED can be dangerous, and produce persistent oscillation. Those route maps may be the better way to set MED. Where is there information available in-print/online about the MED topic? Another one completely skipped over. Most people are using IGP metrics alone these days, no need to try to translate. At least in the environments I've seen. This is a part of that whole closest-/best-exit argument above. I've never really seen any configs or designs for translating IGP metrics to MED; something like that would be interesting to see - even if it produces oscillatory routing. Do you know why this happens? Can you try to explain the problems more effectively? Service providers typically implement tons of statics and defaults, correct. Most don't like it, though, and try to design around it for any alternatives. Well, it depends. If you look at my NANOG and ARIN presentations on address management, this lends itself to being automated. A provider certainly has to keep a database of the address space it hands out. Once you have this database, writing a Perl script or even the DBMS reporting system can be used to generate ip route, DNS A/PTR, etc., records, which then get merged into .cfg files for routers and/or sent directly to the devices, using telnet/TCL/expect. Don't forget to automate the billing, RWhois/SWIP changes, and the rest. ; Makes me wonder why anyone bothers to continue to get PA space ever. It might be easier to pick up some swamp space on eBay for $10,000 than to pay out to some ISP's and have to renumber in the end anyways. RIR's need to fix this. RIPE is doing a much better job. This stuff is pretty easy, actually. At least once you start doing it and getting your head around the problems. Ummm...isn't that about what you say to a virgin about sex? :-) Luckily there are lots of good books and even real-life experiences that you can purchase. 
And there's lots of people willing to share their experiences. There's a whole different industry and market there, Howard ; I don't think you need to go to school or have certifications, at least my wife didn't ask for any credentials. Yep. A lot of tutorials as well at www.radb.net. I use extensive RPSL and pseudo-RPSL in explaining provider problem analysis in the new book. That sounds really cool. Got any examples for those of us who can't wait? Exactly. But the point here is that the certification programs aren't enough to get started. This is one of the reasons people on this list keep emphasizing that proficient network engineers MUST learn to research on their own. I would never argue against that concept! =] I thought the point of the thread was to identify places where there isn't *any* information out there, and stuff that's totally black-art. Cisco certs clearly don't have the whole ball-of-wax, but a lot of this can be easily incorporated into their curriculum. Olivier Bonaventure, whom I believe
Re: Passed 350-001 today [7:43574]
Congrats! Good luck on the lab Mike W. Kris Keen wrote in message news:[EMAIL PROTECTED]... Hi All, I sat the CCIE RS Written today at Vue in Sydney. I passed with 79%. I sat the original exam. I used the NLI Study Guide (spot on), Boson 2/3, Rossi's paper and the CCIE LAN Switching LANE chapter along with the OSPF section outta Routing TCP/IP Vol 1. I thought this was a great exam, and enjoyed it a lot. Quite difficult but really tested me..! Stressing ATM/Bridging and OSPF heavily! Now onto the BIG BOY! Best of luck to everyone! Cheers Kris CNE, CCNP, CCIE Written
RE: Passed the written... Now on to the lab!! [7:44442]
Michael L. Williams wrote: (just to echo what others have said) If you're anywhere close to ready to take the written, do it now! I took the beta for the new written, and it's much different. Aside from information on routing protocols, I assume this means you took the Beta, and then also took the current version (maybe assuming you didn't pass the Beta??) and passed that? fm
Re: Provider backbone engineering [7:44778]
At 11:27 PM -0400 5/22/02, dre wrote: Howard C. Berkowitz wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... -- in the real world, it's VERY rare to redistribute between a dynamic IGP and BGP. Sure, there are exceptions, but they are VERY carefully chosen. A provider backbone CANNOT survive having 100,000-plus routes in its IGP, nor should it. I wouldn't say it's VERY rare. There's something as key as OSI (actually more so) in this technology area that often doesn't get mentioned: the abstraction of routing policy (which is distinct from Cisco policy routing). I only started understanding what backbones actually were doing when I began to grok RIPE-181, which has been superseded by RPSL. RPSL is a great way of explaining routing policy. Even stranger, I found it holds a lot of programming concepts like object-oriented-ness. But the language only goes as far as the real world implementations. Learning RPSL was one thing, but downloading all of the radb.db files over the years and reading through them was the real experience of a lifetime. The first key question to ask here: what is the broad routing paradigm? Cold potato/closest exit or hot potato/best exit? For a peering routes example, yes, best-exit/closest-exit problems are super high on the agenda. However, that seems to be more of an IGP problem, and that's where regular knowledge of, say, OSPF is taken to a whole new level. Not necessarily an IGP problem, but possibly an edge router that classifies traffic, possibly with communities signaled to an aggregating router, or using policy routing to MPLS tunnels. And one that is never taught in any course or material in any classroom or even online. You learn that on the job at an ISP (does anybody else have any resources for this?). Most of my knowledge of this approach came from IETF mailing lists, some of the MPLS drafts, and informal discussions with protocol implementers (well, I was doing some of the cancelled Nortel router architecture for this). 
Many ISP's may want to inject their IGP into their BGP for customer static routes (using a route-map to filter out all the junk). With considerable aggregation, yes. Alternatively, though, redistributing blackhole statics for their allocations is common enough. Reversal routing concepts are common in the workplace and unheard of in any labs/certification courses. Are you mentioning reverse path verification as well? We've been learning a lot about that IGP metric direct translation to MED can be dangerous, and produce persistent oscillation. Those route maps may be the better way to set MED. Where is there information available in-print/online about the MED topic? Another one completely skipped over. http://www.ietf.org/internet-drafts/draft-ietf-idr-route-oscillation-01.txt Most people are using IGP metrics alone these days, no need to try to translate. At least in the environments I've seen. This is a part of that whole closest-/best-exit argument above. I've never really seen any configs or designs for translating IGP metrics to MED; something like that would be interesting to see - even if it produces oscillatory routing. Do you know why this happens? Can you try to explain the problems more effectively? There are also some unusual uses of MED, where IOS has knobs to implement certain behavior. Always-compare-MED can compare the MEDs of different AS, as long as they are adjacent. Avi Freedman had a presentation on an informal standard for exchange-point MED values, based on delay, at the Denver NANOG. Service providers typically implement tons of statics and defaults, correct. Most don't like it, though, and try to design around it for any alternatives. Well, it depends. If you look at my NANOG and ARIN presentations on address management, this lends itself to being automated. A provider certainly has to keep a database of the address space it hands out. 
Once you have this database, writing a Perl script or even the DBMS reporting system can be used to generate ip route, DNS A/PTR, etc., records, which then get merged into .cfg files for routers and/or sent directly to the devices, using telnet/TCL/expect. Don't forget to automate the billing, RWhois/SWIP changes, and the rest. ; This stuff is pretty easy, actually. At least once you start doing it and getting your head around the problems. Ummm...isn't that about what you say to a virgin about sex? :-) Luckily there are lots of good books and even real-life experiences that you can purchase. And there's lots of people willing to share their experiences. There's a whole different industry and market there, Howard ; I don't think you need to go to school or have certifications, at least my wife didn't ask for any credentials. I shudder to think what thread drift here into certification versus experience versus academic arguments might bring. I will recount one of
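Howard's point here and in his earlier post in this thread is that the allocation database, not hand-typed configs, should be the source of the blackhole statics and the A/PTR records. As an added example (not Howard's code, nor any provider's tooling), here is that generation step in Python rather than the Perl he mentions, over a constructed allocation table; the prefixes are documentation space, and example.net and the router names are placeholders.

```python
import ipaddress

# Constructed allocation table standing in for the provider's address
# database. Documentation prefixes only, not real customer assignments.
ALLOCATIONS = [
    {"prefix": "203.0.113.0/24",   "customer": "acme",    "router": "edge1"},
    {"prefix": "198.51.100.0/26",  "customer": "globex",  "router": "edge1"},
    {"prefix": "198.51.100.64/26", "customer": "initech", "router": "edge2"},
]

REVERSE_DOMAIN = "example.net"  # placeholder for the provider's own domain


def check_allocations(allocations):
    """Refuse to generate anything from an inconsistent database.

    Two overlapping allocations would yield two competing blackhole statics
    and two PTR records for the same address, so fail loudly instead.
    strict=True also rejects prefixes with host bits set (a typo in the DB).
    """
    nets = [ipaddress.ip_network(a["prefix"], strict=True) for a in allocations]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping allocations: {a} and {b}")
    return nets


def blackhole_statics(allocations, router, distance=254):
    """Emit 'ip route <net> <mask> Null0 <distance>' for every allocation
    homed on the given router.

    The static pins the aggregate in the routing table so BGP can originate
    it. The high administrative distance lets any more trusted route for the
    same prefix win, and packets for addresses inside the block that are not
    yet assigned are dropped at Null0 instead of following a default route
    back out (the loop a bare default would otherwise create).
    """
    check_allocations(allocations)
    lines = []
    for a in allocations:
        if a["router"] != router:
            continue
        net = ipaddress.ip_network(a["prefix"])
        lines.append(f"ip route {net.network_address} {net.netmask} Null0 {distance}")
    return lines


def ptr_records(allocation, domain=REVERSE_DOMAIN):
    """BIND-style PTR records for every usable host in one allocation.

    Name scheme (an assumption for this example): <customer>-<a-b-c-d>.<domain>.
    """
    net = ipaddress.ip_network(allocation["prefix"])
    records = []
    for host in net.hosts():
        name = f"{allocation['customer']}-{str(host).replace('.', '-')}.{domain}."
        records.append(f"{host.reverse_pointer}. IN PTR {name}")
    return records


def render_router_fragment(allocations, router):
    """The fragment that gets merged into the router's .cfg file."""
    body = "\n".join(blackhole_statics(allocations, router))
    return f"! generated from allocation database for {router}\n{body}\n"


if __name__ == "__main__":
    print(render_router_fragment(ALLOCATIONS, "edge1"))
    print("\n".join(ptr_records(ALLOCATIONS[1])[:3]))
```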
Len Lee/CHI/NTRS is out of the office. [7:44790]
I will be out of the office starting May 23, 2002 and will not return until June 10, 2002. I will respond to your message when I return.
Interface Resets [7:44791]
Hi, Is there any acceptable limit for this? Thanks, Sujal
RE: ISDN BRI Simulator Comparison [7:44763]
I have an older Arca Emutel which is ST only. No external NT1's required on the older 2500s. Works great and about the only difference between the new one and this one is the U interface. Default numbers are 55 and 66 Switch type default is Basic-dms100 Bought it used from one of the guys on the boards here :) MikeS