Re: Security CCIE lab preparation [7:45524]
www.hellocomputers.com sells a great CCIE security lab prep book and 24 hour rack access.

Dain. . . wrote in message news:[EMAIL PROTECTED]...
> What is a good lab preparation course for the Security CCIE? I am aware of the ACP4 by Global Knowledge and the Security preparation from ccbootcamp. Has anyone taken them, and what do you think about them? And are there any other lab bootcamps besides these two?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45609t=45524
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: how to filter a MAC packet at 6509 or 4006 and [7:45350]
Hey,

I work on a very large corporate network and we see this kind of thing constantly. The issue here is almost always an uneducated end-user enabling a DHCP server on their system. It's pretty easy to do this with certain OS's, especially with the advent of laptops and internet connection sharing.

I do not think that filtering an offending MAC is a long term solution to this type of issue, especially since there is no way to proactively stop this type of activity on a broadcast domain, considering that every host connected is a potential violator. The best solution I have for rogue dhcp servers is to track down the offending system's MAC address, trace his MAC to the switchport, and shutdown the port until you can track the physical location.

There are some pretty good security uses for MAC address filtering though, and so here are your options for frame filtering based on MAC addresses. There are a couple of things you could do to limit traffic based on MAC addresses.

1. You can enable port security on the offending MAC address's switchport and simply filter his MAC address.
   http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_5/cnfg_gd/sec_port.htm
   However, this would only limit the user's current port unless you wanted to block his MAC on every switchport throughout your network, and the administration overhead in this situation would be horrendous.

The better option...

2. Configure Dynamic VLANs throughout your switched network.
   http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_2/config/vmps.htm
   This is actually pretty effective for MAC filtering. For example, what if the offender is moving from switchport to switchport with a laptop and/or wireless connection? You could simply add the MAC address to an offenders list which would auto-assign him to a non-routed VLAN, and then just kick back and wait for him to call the helpdesk. Instead of tracking the offender down, they would have to come to you (if they ever wanted to get access back).

Of course the upfront work is possibly a little greater in this case. You have to track every MAC address in your network, but the result is a much tighter and more proactive security counter-measure. The bottom line here is you just can't stop broadcast frames with ACLs, and until you can, see above.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45616t=45350
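The reply above boils the rogue-DHCP procedure down to: find which MAC is answering DHCP requests, look that MAC up in the switches' CAM tables, and shut the port until the host is physically located. The script below is an added example (not code from the post or from Cisco) that automates the first two steps over constructed data: a DHCPOFFER capture summary in a one-line-per-offer format invented here, an allowlist of the DHCP servers that are supposed to exist, and a MAC-to-switchport table of the kind an operator builds from the CAM tables. Every server not on the allowlist comes out with the port to shut, or with a note that the MAC has not been seen in any CAM table yet.

```python
"""Rogue DHCP server triage: added example, not code from the original post.

Inputs are constructed for this example: a DHCPOFFER capture summary in a
made-up one-line-per-offer format, and a MAC-to-switchport table of the
kind an operator builds from the switches' CAM tables. Every server not on
the authorised list is reported together with the port it was learned on,
which is the information needed to shut that port until the host is found.
"""
import re
from collections import defaultdict

# Constructed sample capture: one DHCPOFFER per line (format invented here).
OFFERS = """\
2002-06-02 10:14:03 DHCPOFFER server_mac=00:50:56:aa:bb:01 server_ip=192.168.1.1 offered_ip=192.168.1.50
2002-06-02 10:14:09 DHCPOFFER server_mac=00:0c:29:de:ad:01 server_ip=192.168.0.1 offered_ip=192.168.0.101
2002-06-02 10:14:11 DHCPOFFER server_mac=00:50:56:aa:bb:01 server_ip=192.168.1.1 offered_ip=192.168.1.51
2002-06-02 10:15:40 DHCPOFFER server_mac=00:0c:29:de:ad:01 server_ip=192.168.0.1 offered_ip=192.168.0.102
2002-06-02 10:16:02 DHCPOFFER server_mac=00:e0:1e:12:34:56 server_ip=10.0.0.1 offered_ip=10.0.0.20
"""

# The only DHCP server that is supposed to exist on this broadcast domain (constructed).
AUTHORISED_SERVERS = {"00:50:56:aa:bb:01"}

# Constructed MAC -> (switch, port) table, as collected from the CAM tables.
MAC_TABLE = {
    "00:50:56:aa:bb:01": ("core-6509", "3/1"),
    "00:0c:29:de:ad:01": ("floor2-4006", "2/17"),
}

OFFER_RE = re.compile(
    r"DHCPOFFER server_mac=(?P<mac>[0-9A-Fa-f:]{17}) "
    r"server_ip=(?P<ip>\S+) offered_ip=(?P<lease>\S+)"
)


def parse_offers(text):
    """Yield (server_mac, server_ip, offered_ip) for each DHCPOFFER line."""
    for line in text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            yield m.group("mac").lower(), m.group("ip"), m.group("lease")


def find_rogues(text, authorised=AUTHORISED_SERVERS, mac_table=MAC_TABLE):
    """Return {server_mac: record} for every server that is not authorised.

    Each record carries the server IP it advertised, how many offers it sent,
    the addresses it handed out, and the (switch, port) it was learned on,
    or None when the MAC is not in the table yet.
    """
    rogues = defaultdict(lambda: {"server_ip": None, "offers": 0, "leases": set()})
    for mac, ip, lease in parse_offers(text):
        if mac in authorised:
            continue
        rec = rogues[mac]
        rec["server_ip"] = ip
        rec["offers"] += 1
        rec["leases"].add(lease)
    for mac, rec in rogues.items():
        rec["location"] = mac_table.get(mac)
    return dict(rogues)


def triage_report(rogues):
    """One action line per rogue server, sorted by MAC, for the on-call engineer."""
    lines = []
    for mac, rec in sorted(rogues.items()):
        where = rec["location"]
        head = f"{mac} ({rec['server_ip']}) sent {rec['offers']} offer(s) for {sorted(rec['leases'])}"
        if where:
            lines.append(f"{head}; learned on {where[0]} port {where[1]} -> shut the port, then find the host")
        else:
            lines.append(f"{head}; not in the MAC table yet -> re-collect the CAM tables and trace it")
    return lines


if __name__ == "__main__":
    for line in triage_report(find_rogues(OFFERS)):
        print(line)
```

The allowlist is keyed on the server's MAC rather than its IP because a rogue server on a laptop will typically advertise whatever private address its connection-sharing software picked, while the MAC is what the CAM table lets you trace to a port.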
Re: DHCP [7:45338]
Do you want to use DHCP to assign addresses to the clients behind the 1700, or are you trying to set up a negotiated IP address for the ISDN interface on the 1700?

If you need to have your devices behind the 1700 get IPs from a dhcp server on the far end (in this case the 3640) then just add a scope for the network on the back end of the 1700 and assign the 3640's IP to your backend interface as an ip helper-address.

For example, let's say you have the following:

  your 1700's ethernet interface configured to use 192.168.1.1 255.255.255.0
  your 3640 has loopback 1 configured as 10.1.2.1 255.255.255.255

You would add the following to your 1700's ethernet interface paragraph...

  conf t
  service dhcp
  interface FastEthernet1/0
   ! helper-address takes only the server's address (no mask)
   ip helper-address 10.1.2.1
  !

and this to the 3640's config:

  conf t
  service dhcp
  ip dhcp excluded-address 192.168.1.1
  ip dhcp pool 1700_Back_End_LAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server x.x.x.x x.x.x.x x.x.x.x
   netbios-name-server x.x.x.x x.x.x.x
  !

Of course you will need a route to reach 10.1.2.1:

  ip route 0.0.0.0 0.0.0.0 dialerx    (x = your DDR dialer for your ISDN BRI)
  !

That about covers it... Once you fill in the x's you would be ready to tele-commute and leave your bosses at work where they belong...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45617t=45338
RE: CCIE Written passed - Boson [7:45535]
Nic said that he used both Boson 1 and 3. That's about $80.00 for questions/topics that are covered in other materials for $29.95. I could safely say that all the topics in all three Boson exams (about $120.00) are covered in other materials for only $29.95. If someone's got all three Bosons and wants to match topic for topic with CCxx materials, contact me offline.

Shawn, no offence, but we get the point. Boson is good and expensive, CCxx is good and cheap. Boson has a test engine, CCxx doesn't. Boson has a name, CCxx is making it. Summed up, Boson wins in many people's book.

Why don't you use Zyxel routers in everyday life? Boy, they are cheaper than Cisco and they route, too!

Marko.

P.S. I'm just a satisfied Boson customer.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45618t=45535
Another BGP attribute question [7:45619]
All,

I was reading the old RIPE (22nd meeting) minutes and was wondering what ever became of the BGP proposal from Tony Bates and Enke Chen for the use of the Destination Preference Attribute (DPA) for multi-homed sites. Based on our previous thread with the known and unknown implications of inconsistent routes, I would think this could have been a step in the right direction.

I did find a link where Enke Chen notes the use of the LOCAL_PREF attribute by many providers because of the lack of the DPA, and RFC 1998 also notes how the use of communities aids in this process.

Does anyone have any thoughts or suggestions on this as it applies to the use of DPA, and where things stand on global/ISP-based implementation of this attribute?

thanks,
Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45619t=45619
Re: Off Topic - inauspicious beginning [7:45592]
I must concur. This sounds like the most logical answer. Perhaps the Allow Break Sequence bit was disabled from a previous change in the confreg setting!?!? If this was the case, you had to pop the top of your Frame Switch router and do a temp. jumper change that resets the config register settings back to factory defaults.

I'll be interested to know what the answer was :)

Have a great weekend to all!

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck
Sent: Saturday, June 01, 2002 1:32 PM
To: [EMAIL PROTECTED]
Subject: Off Topic - inauspicious beginning [7:45592]

183 days and counting.

like the Flying Dutchman, I'll pass the Lab if... nope - better not make that threat. you never can tell..

actually, the gods of the Lab have already started with me. I haven't had the routers on in quite a few weeks. Been busy at work. Had some big projects to keep me out of my own lab for a while.

So I have a customer network that I need to clean up a few things on. I set up a model in my own lab, cable everything up to emulate the customer's situation, and begin.

First step - configure the frame relay switch. try to get into enable mode. Keep getting asked for a password. Rats! What is the enable password? I try the usual suspects, and come up empty. no problem. I'll just do a quick password recovery. I do a search on CCO, quickly locate the procedure, and begin...

power off. power on. control break. no luck - the router just boots as normal. hhm I've done recoveries before. no biggie. why am I having the problem?

Now I know the smart guys among you will tell me it's because I use hyper terminal. so I close HT, and load up my copy of Tera Term. repeat the power off power on sequence, try alt b, and no luck. the router loads as usual.

now I'm panicking. I have been trying this via my term server. I go directly into the router, replacing the term server cable with a direct connection. still no luck. alt b with Tera term, control break with hyper term. the router still loads as normal.

Well, I've figured out the problem. I've gotten into the router. I'm happily working on my customer simulation. the frame switch is configured as I wish.

the question to all of you - what was the problem? what was the solution?

regards
Chuck
December 2 - 183 days and counting
the gods of the Lab permitting ;-

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45620t=45592
Re: CCIE Written passed - Boson [7:45535]
Marko Milivojevic wrote in message news:[EMAIL PROTECTED]...
> Nic said that he used both Boson 1 and 3. That's about $80.00 for questions/topics that are covered in other materials for $29.95. I could safely say that all the topics in all three Boson exams (about $120.00) are covered in other materials for only $29.95. If someone's got all three Bosons and wants to match topic for topic with CCxx materials, contact me offline.
>
> Shawn, no offence, but we get the point. Boson is good and expensive, CCxx is good and cheap. Boson has a test engine, CCxx doesn't. Boson has a name, CCxx is making it. Summed up, Boson wins in many people's book.
>
> Why don't you use Zyxel routers in everyday life? Boy, they are cheaper than Cisco and they route, too!

CL: AND you don't have to waste a lot of time and money getting certified! ;- hahahahahahahaha!

> Marko.
>
> P.S. I'm just a satisfied Boson customer.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45621t=45535
Re: Another BGP attribute question [7:45619]
At 7:00 AM -0400 6/2/02, Nigel Taylor wrote:
> All,
> I was reading the old RIPE (22nd meeting) minutes and was wondering what ever became of the BGP proposal from Tony Bates and Enke Chen for the use of the Destination Preference Attribute (DPA) for multi-homed sites.

DPA keeps coming up, at least for end-to-end route selection. Its basic problem is that only ISPs with whom you have an economic relationship have any motivation to respect it. Geoff Huston's NOPEER is a simpler way to accomplish the same thing (probably coupled with class of service request communities).

> Based on our previous thread with the known and unknown implications of inconsistent routes, I would think this could have been a step in the right direction. I did find a link where Enke Chen notes the use of the LOCAL_PREF attribute by many providers because of the lack of the DPA, and RFC 1998 also notes how the use of communities aids in this process.

You can really solve LOTS of operational issues with creative use of communities. While RFC 2547 was one driver for creating an extended community attribute, there are various ideas floating around for other applications thereof.

> Does anyone have any thoughts or suggestions on this as it applies to the use of DPA, and where things stand on global/ISP-based implementation of this attribute?

As far as I know, it's never been implemented in operations. I'm reasonably certain that some versions of Bay RS could generate it, but I don't know of anyone that listens for it.

--
What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me***

Howard C. Berkowitz
[EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45622t=45619
Re: Off Topic - inauspicious beginning [7:45592]
Not worth dragging this one out much longer. the router model is 36xx, which alone should be a big clue. the router is situated so I can easily get to the serial ports, leaving the aux and con ports up against the wall, so I have to reach behind, feel around with my fingers, find the port, and fumble around some more to plug in. all other models I have worked with have the con and aux port on the same side of the box as the data ports. I guess the last time I used it I was fooling around with aux port settings. it just never occurred to me that I was in the aux. DOH!

On the other hand, all was not lost. I've had a good time simulating my customer network, checking out my policy routing etc. interesting design. on the clever side if I do say so myself. works like a charm, which means the implementation people either aren't getting it, or the vlans are not configured correctly on the switch. more on that another time.

Chuck
182 and counting down.

Kaminski, Shawn G wrote in message news:[EMAIL PROTECTED]...
> Out of curiosity, what model router is the frame switch?
>
> Shawn K.
>
> -----Original Message-----
> From: Chuck [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, June 01, 2002 2:32 PM
> To: [EMAIL PROTECTED]
> Subject: Off Topic - inauspicious beginning [7:45592]
>
> 183 days and counting.
>
> like the Flying Dutchman, I'll pass the Lab if... nope - better not make that threat. you never can tell..
>
> actually, the gods of the Lab have already started with me. I haven't had the routers on in quite a few weeks. Been busy at work. Had some big projects to keep me out of my own lab for a while.
>
> So I have a customer network that I need to clean up a few things on. I set up a model in my own lab, cable everything up to emulate the customer's situation, and begin.
>
> First step - configure the frame relay switch. try to get into enable mode. Keep getting asked for a password. Rats! What is the enable password? I try the usual suspects, and come up empty. no problem. I'll just do a quick password recovery. I do a search on CCO, quickly locate the procedure, and begin...
>
> power off. power on. control break. no luck - the router just boots as normal. hhm I've done recoveries before. no biggie. why am I having the problem?
>
> Now I know the smart guys among you will tell me it's because I use hyper terminal. so I close HT, and load up my copy of Tera Term. repeat the power off power on sequence, try alt b, and no luck. the router loads as usual.
>
> now I'm panicking. I have been trying this via my term server. I go directly into the router, replacing the term server cable with a direct connection. still no luck. alt b with Tera term, control break with hyper term. the router still loads as normal.
>
> Well, I've figured out the problem. I've gotten into the router. I'm happily working on my customer simulation. the frame switch is configured as I wish.
>
> the question to all of you - what was the problem? what was the solution?
>
> regards
> Chuck
> December 2 - 183 days and counting
> the gods of the Lab permitting ;-

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45623t=45592
Interface process - order of operation links wanted [7:45624]
anyone know some good links of Cisco router order of operation for packets hitting an interface, both into and out of?

I found this one yesterday while trying to figure out why policy routing was not being engaged:
http://www.cisco.com/warp/public/556/5.html

however the example does not equate to my situation, which is:

  packet---interface_in---interface_out---next_hop
           policy routing   NAT outside
           NAT inside

what would be nice would be if policy routing occurs, then NAT takes place. However, based on my observations, what really happens is that NAT occurs, the packet is then placed into the routing process, and policy routing is never engaged.

it occurs to me that a lot of design problems could be avoided if one were cognizant of the order in which processing occurs both at the entrance and the egress.

thanks
Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45624t=45624
Silly Boson question [7:45625]
Does anyone know why they picked boson as a subatomic particle name for the product? I would have thought gluon would have been much more suggestive of attaching information to students.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45625t=45625
RE: Off Topic - inauspicious beginning [7:45592]
I win! I win!

Thanks
Larry

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 02, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: Re: Off Topic - inauspicious beginning [7:45592]

Not worth dragging this one out much longer. the router model is 36xx, which alone should be a big clue. the router is situated so I can easily get to the serial ports, leaving the aux and con ports up against the wall, so I have to reach behind, feel around with my fingers, find the port, and fumble around some more to plug in. all other models I have worked with have the con and aux port on the same side of the box as the data ports. I guess the last time I used it I was fooling around with aux port settings. it just never occurred to me that I was in the aux. DOH!

On the other hand, all was not lost. I've had a good time simulating my customer network, checking out my policy routing etc. interesting design. on the clever side if I do say so myself. works like a charm, which means the implementation people either aren't getting it, or the vlans are not configured correctly on the switch. more on that another time.

Chuck
182 and counting down.

Kaminski, Shawn G wrote in message news:[EMAIL PROTECTED]...
> Out of curiosity, what model router is the frame switch?
>
> Shawn K.
>
> -----Original Message-----
> From: Chuck [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, June 01, 2002 2:32 PM
> To: [EMAIL PROTECTED]
> Subject: Off Topic - inauspicious beginning [7:45592]
>
> 183 days and counting.
>
> like the Flying Dutchman, I'll pass the Lab if... nope - better not make that threat. you never can tell..
>
> actually, the gods of the Lab have already started with me. I haven't had the routers on in quite a few weeks. Been busy at work. Had some big projects to keep me out of my own lab for a while.
>
> So I have a customer network that I need to clean up a few things on. I set up a model in my own lab, cable everything up to emulate the customer's situation, and begin.
>
> First step - configure the frame relay switch. try to get into enable mode. Keep getting asked for a password. Rats! What is the enable password? I try the usual suspects, and come up empty. no problem. I'll just do a quick password recovery. I do a search on CCO, quickly locate the procedure, and begin...
>
> power off. power on. control break. no luck - the router just boots as normal. hhm I've done recoveries before. no biggie. why am I having the problem?
>
> Now I know the smart guys among you will tell me it's because I use hyper terminal. so I close HT, and load up my copy of Tera Term. repeat the power off power on sequence, try alt b, and no luck. the router loads as usual.
>
> now I'm panicking. I have been trying this via my term server. I go directly into the router, replacing the term server cable with a direct connection. still no luck. alt b with Tera term, control break with hyper term. the router still loads as normal.
>
> Well, I've figured out the problem. I've gotten into the router. I'm happily working on my customer simulation. the frame switch is configured as I wish.
>
> the question to all of you - what was the problem? what was the solution?
>
> regards
> Chuck
> December 2 - 183 days and counting
> the gods of the Lab permitting ;-

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45626t=45592
EIGRP traffic engineering [7:45627]
I've been reading about the extensions to OSPF and IS-IS that enable traffic engineering in MPLS networks. Is there any documentation on the experimental application of EIGRP to TE?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45627t=45627
Policy routing - directly connected interfaces [7:45628]
Continued policy routing testing of a customer network simulation in my lab has revealed something of interest to me. Can't find a revelation in the config and command references on CCO.

I have a policy set up such that packets with a particular source address and a particular destination address are treated in various manners. debug ip policy is showing me that the policy is doing exactly what I want it to do EXCEPT when the destination address is a directly connected network.

that is, if the destination is a network on some other router, with a route in the routing table, everything is fine. the next hop is set appropriately, and the debug shows that policy is applied properly. however, when the destination is a directly connected network (either a loopback or a LAN interface) policy routing is not engaged.

true? experience? reference? as I said, can't find anything in the documentation on CCO.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45628t=45628
BGP questions Answered.. for the most part [7:45629]
All,

I was doing some research which led to the following link and I figured that some of you might find it useful. I know on the list Howard always tries to define his solutions by stating.. What is the problem you're trying to solve? So I figured this would answer some of those questions, which in turn may provide the solution.

http://info.connect.com.au/docs/routing/general/multi-faq.shtml

The last bookmark in the TOC on the page links to the sources like RFC 2260 and RFC 2650 among others.

Enjoy!

Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45629t=45629
Re: MRTG and ISDN [7:45421]
Hello!

Check the interface indices mrtg uses in the mrtg.conf, and check the indices the router knows of via

  snmpwalk ip.add.re.ss community ifDescr

(that's how you would do it with ucd-snmp on Linux, as an example)

Cheers

Mohannad Khuffash wrote:
> Dear All,
> I have had MRTG for a long time and it worked well for monitoring my 60 remote sites, where most of them are 1601 series routers (11.2 IOS). When I decided to have a backup link for some sites I installed a BRI WIC and made the configuration. The problem is that MRTG gets confused monitoring the primary link, which is a TDM or an RF link (the ISDN is not active): it gives me either zero traffic or a little steady traffic, and neither reflects the true traffic !!
> Anyone have an idea ?
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45631t=45421
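The advice above is to compare the numeric ifIndex in each mrtg.conf Target with what the router currently reports for ifDescr, because adding an interface card can renumber the table. The script below is an added example (not from the post, not part of MRTG or ucd-snmp) that does that comparison on constructed data: an invented snmpwalk listing in both the ucd-snmp and net-snmp output styles, in which a new BRI WIC has pushed Serial0 from ifIndex 2 to 5, and an invented mrtg.conf fragment written before the card went in. For every target whose index no longer points at the intended interface it proposes a Target line that selects the interface by ifDescr (MRTG's backslash form) rather than by number.

```python
"""MRTG target vs. router ifIndex check: added example, not code from the post.

Compares the interface indices in an mrtg.conf with what the router reports
for ifDescr. All data below is constructed: the snmpwalk output imitates
ucd-snmp and net-snmp formatting, and the mrtg.conf fragment predates the
BRI WIC that shifted Serial0 from ifIndex 2 to 5.
"""
import re

# Constructed: what "snmpwalk <router> <community> ifDescr" might print after the WIC went in.
SNMPWALK_OUTPUT = """\
interfaces.ifTable.ifEntry.ifDescr.1 = Ethernet0
interfaces.ifTable.ifEntry.ifDescr.2 = BRI0
interfaces.ifTable.ifEntry.ifDescr.3 = BRI0:1
interfaces.ifTable.ifEntry.ifDescr.4 = BRI0:2
IF-MIB::ifDescr.5 = STRING: Serial0
"""

# Constructed mrtg.conf fragment written before the WIC was installed.
MRTG_CONF = """\
Target[site12_wan]: 2:public@192.0.2.12
MaxBytes[site12_wan]: 16000
Title[site12_wan]: Site 12 primary WAN link
Target[site12_lan]: 1:public@192.0.2.12
MaxBytes[site12_lan]: 1250000
"""

# What each target was meant to graph (constructed; in practice taken from
# the Title lines or the change record).
EXPECTED = {"site12_wan": "Serial0", "site12_lan": "Ethernet0"}

IFDESCR_RE = re.compile(r'ifDescr\.(\d+)\s*=\s*(?:STRING:\s*)?"?([^"\n]+?)"?\s*$')
TARGET_RE = re.compile(r"^Target\[(\w+)\]:\s*(\d+):([^@\s]+)@(\S+)")


def parse_ifdescr(walk_output):
    """Map ifIndex -> ifDescr from either ucd-snmp or net-snmp style output."""
    table = {}
    for line in walk_output.splitlines():
        m = IFDESCR_RE.search(line)
        if m:
            table[int(m.group(1))] = m.group(2).strip()
    return table


def parse_targets(conf):
    """Return {name: (ifindex, community, router)} for numeric-index targets."""
    targets = {}
    for line in conf.splitlines():
        m = TARGET_RE.match(line)
        if m:
            name, idx, community, router = m.groups()
            targets[name] = (int(idx), community, router)
    return targets


def check_targets(conf, walk_output, expected):
    """Compare each MRTG target's ifIndex with the router's current ifDescr.

    Returns one dict per target; 'ok' is False when the index now points at a
    different interface, and 'suggest' then holds a Target line that selects
    the interface by ifDescr (MRTG's backslash form) instead of by number.
    """
    descr = parse_ifdescr(walk_output)
    results = []
    for name, (idx, community, router) in parse_targets(conf).items():
        actual = descr.get(idx)
        want = expected.get(name)
        ok = actual is not None and actual == want
        results.append({
            "target": name,
            "ifindex": idx,
            "actual": actual,
            "expected": want,
            "ok": ok,
            "suggest": None if ok else f"Target[{name}]: \\{want}:{community}@{router}",
        })
    return results


if __name__ == "__main__":
    for r in check_targets(MRTG_CONF, SNMPWALK_OUTPUT, EXPECTED):
        status = "ok" if r["ok"] else "MISMATCH"
        print(f"{r['target']}: ifIndex {r['ifindex']} -> {r['actual']} (wanted {r['expected']}) {status}")
        if r["suggest"]:
            print("  suggested:", r["suggest"])
```

On the sample data site12_wan is reported as a mismatch (ifIndex 2 is now BRI0, which is idle, so the graph shows the zero or flat traffic described in the question) and site12_lan is fine. Selecting by ifDescr makes the target survive future renumbering as long as the interface name stays the same.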
RE: Off Topic - inauspicious beginning [7:45592]
I believe, Chuck, that the appropriate music might have been Lookin' for Love in all the wrong places.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45632t=45592
RE: Off Topic - inauspicious beginning [7:45592]
That makes sense, since the AUX port is not active during bootup and sending a break sequence wouldn't work.

Shawn K.

-----Original Message-----
From: Chuck [SMTP:[EMAIL PROTECTED]]
Sent: Sunday, June 02, 2002 11:22 AM
To: [EMAIL PROTECTED]
Subject: Re: Off Topic - inauspicious beginning [7:45592]

Not worth dragging this one out much longer. the router model is 36xx, which alone should be a big clue. the router is situated so I can easily get to the serial ports, leaving the aux and con ports up against the wall, so I have to reach behind, feel around with my fingers, find the port, and fumble around some more to plug in. all other models I have worked with have the con and aux port on the same side of the box as the data ports. I guess the last time I used it I was fooling around with aux port settings. it just never occurred to me that I was in the aux. DOH!

On the other hand, all was not lost. I've had a good time simulating my customer network, checking out my policy routing etc. interesting design. on the clever side if I do say so myself. works like a charm, which means the implementation people either aren't getting it, or the vlans are not configured correctly on the switch. more on that another time.

Chuck
182 and counting down.

Kaminski, Shawn G wrote in message news:[EMAIL PROTECTED]...
> Out of curiosity, what model router is the frame switch?
>
> Shawn K.
>
> -----Original Message-----
> From: Chuck [SMTP:[EMAIL PROTECTED]]
> Sent: Saturday, June 01, 2002 2:32 PM
> To: [EMAIL PROTECTED]
> Subject: Off Topic - inauspicious beginning [7:45592]
>
> 183 days and counting.
>
> like the Flying Dutchman, I'll pass the Lab if... nope - better not make that threat. you never can tell..
>
> actually, the gods of the Lab have already started with me. I haven't had the routers on in quite a few weeks. Been busy at work. Had some big projects to keep me out of my own lab for a while.
>
> So I have a customer network that I need to clean up a few things on. I set up a model in my own lab, cable everything up to emulate the customer's situation, and begin.
>
> First step - configure the frame relay switch. try to get into enable mode. Keep getting asked for a password. Rats! What is the enable password? I try the usual suspects, and come up empty. no problem. I'll just do a quick password recovery. I do a search on CCO, quickly locate the procedure, and begin...
>
> power off. power on. control break. no luck - the router just boots as normal. hhm I've done recoveries before. no biggie. why am I having the problem?
>
> Now I know the smart guys among you will tell me it's because I use hyper terminal. so I close HT, and load up my copy of Tera Term. repeat the power off power on sequence, try alt b, and no luck. the router loads as usual.
>
> now I'm panicking. I have been trying this via my term server. I go directly into the router, replacing the term server cable with a direct connection. still no luck. alt b with Tera term, control break with hyper term. the router still loads as normal.
>
> Well, I've figured out the problem. I've gotten into the router. I'm happily working on my customer simulation. the frame switch is configured as I wish.
>
> the question to all of you - what was the problem? what was the solution?
>
> regards
> Chuck
> December 2 - 183 days and counting
> the gods of the Lab permitting ;-

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45633t=45592
ISDN Simulator Question [7:45634]
If I have an NP 4B module on my 4500M, can I use it alone with an ISDN simulator? Or should I really have another ISDN capable router to practice ISDN configs? I was thinking I could use the 4 BRI ports to my advantage. I'm afraid it doesn't make sense to pass traffic to interfaces on the same router, but maybe for the sake of ISDN it doesn't matter that much.

--
Wayne Jang
Advanced Computer Technologies, Inc.
108 Main Street
Norwalk, CT 06851
Wk 203-847-9433
Cell 203-943-6603

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45634t=45634
Re: BGP questions Answered.. for the most part [7:45629]
> All,
>
> I was doing some research which led to the following link and I figured that some of you might find it useful. I know on the list Howard always tries to define his solutions by stating.. What is the problem you're trying to solve? So I figured this would answer some of those questions, which in turn may provide the solution.
>
> http://info.connect.com.au/docs/routing/general/multi-faq.shtml
>
> The last bookmark in the TOC on the page links to the sources like RFC 2260 and RFC 2650 among others.
>
> Enjoy!
>
> Nigel

Good reference! Minor point -- 2270 updates 2260.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45635t=45629
Re: Another BGP attribute question [7:45619]
See Inline...

----- Original Message -----
From: Howard C. Berkowitz
To:
Sent: Sunday, June 02, 2002 11:17 AM
Subject: Re: Another BGP attribute question [7:45619]

> At 7:00 AM -0400 6/2/02, Nigel Taylor wrote:
> > All,
> > I was reading the old RIPE (22nd meeting) minutes and was wondering what ever became of the BGP proposal from Tony Bates and Enke Chen for the use of the Destination Preference Attribute (DPA) for multi-homed sites.
>
> DPA keeps coming up, at least for end-to-end route selection. Its basic problem is that only ISPs with whom you have an economic relationship have any motivation to respect it. Geoff Huston's NOPEER is a simpler way to accomplish the same thing (probably coupled with class of service request communities).

Howard, thanks a lot for the info/insight on DPA and specifically for pointing me to the NOPEER attribute draft. I was able to briefly read over the draft and I must say this does seem like a solution to the present problem. However, I was also doing some reading of the APNIC 13 minutes (http://www.apnic.net/meetings/13/sigs/docs/irr-presentation.ppt) and it's noted some of the present problems with the IRRs. The one that seems to apply here would be the statement that about 50% of full routes are not registered to public IRRs.

I have a question. Do you see the NOPEER as having a directory class in the RPSL? If so, from doing some recent reading of RPSL and RPSLng (the enhancements to RPSL on the same site), wouldn't the NOPEER attribute be limited to representing what is known in the IRRs? With this being the case, how effective can the attribute be when representing at best 50% of the global BGP FIB? Of course then there are the ever present security issues, which seem to be getting some attention through the RPSS (RFC 2725).

> > Based on our previous thread with the known and unknown implications of inconsistent routes, I would think this could have been a step in the right direction. I did find a link where Enke Chen notes the use of the LOCAL_PREF attribute by many providers because of the lack of the DPA, and RFC 1998 also notes how the use of communities aids in this process.
>
> You can really solve LOTS of operational issues with creative use of communities. While RFC 2547 was one driver for creating an extended community attribute, there are various ideas floating around for other applications thereof.

Do you care to mention some of the other ideas..floating around?

> > Does anyone have any thoughts or suggestions on this as it applies to the use of DPA, and where things stand on global/ISP-based implementation of this attribute?
>
> As far as I know, it's never been implemented in operations. I'm reasonably certain that some versions of Bay RS could generate it, but I don't know of anyone that listens for it.

I remembered in reading Sam Halabi's book - Internet Routing Architectures (Pg. 118, 1st ed) he noted cisco's lack of support for attribute 11 (DPA). However, it is noted as being MCI defined. As you pointed out, I've yet to come across anything that suggests anyone is making use of the DPA attribute.

> --
> What Problem are you trying to solve?
> ***send Cisco questions to the list, so all can benefit -- not directly to me***
>
> Howard C. Berkowitz
> [EMAIL PROTECTED]
> Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
> Technical Director, CertificationZone.com http://www.certificationzone.com
> retired Certified Cisco Systems Instructor (CID) #93005

thanks
Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45637t=45619
pix question [7:45639]
Hi all, I appreciate any feedback to my question:

I am setting up a lab environment and initially trying to configure a router and a PIX behind it. My router's outside interface is connected to a cable modem and has a live IP address assigned to it:

cable modem - router - PIX - inside hosts

The router's inside interface has a private IP address of 172.16.1.1/24 and the PIX's outside interface is 172.161.1.2/24. The inside interface of the PIX has an IP address of 10.1.1.1/24 and all inside hosts have that as the default gateway. Security is set up correctly on the inside and outside interfaces. I am using a global PAT address, different from the one on the router's interface connected to the cable modem (no statics going on in the PIX).

I am unable to reach the Internet even when I use the statement:

conduit permit ip any any

and no packets are able to reach the 172.16.1.0 network from the inside hosts, not even the 172.16.1.2 address which belongs to the PIX's outside interface. I have a

route outside 0 0 172.16.1.2

statement as well. From the router I can ping inside hosts, with the correct route statement.

Hope this is enough information. Please help!

Thanks,
Tony

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45639&t=45639
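An added example, written for this archive and not taken from Tony's post or from Cisco: a small Python check of the addressing in a setup like the one described. It takes a hand-written description of the firewall's interfaces, the device on the far side of each link, and its static routes (the description format is my own), and flags two things that each produce the symptom "nothing from the inside reaches the 172.16.1.0 network": a next hop that is one of the firewall's own addresses, and an address or next hop that is not in the subnet it is supposed to share. The three sample configurations are constructed from the values in the post: one with the outside address exactly as typed (172.161.1.2/24), one with it read as 172.16.1.2/24 as the post later says, and one with the default route pointed at the router's 172.16.1.1; only the last comes back clean.

```python
"""Address-consistency check for a router-in-front-of-PIX lab.

Added example for the PIX question in this thread; not code from the post or
from Cisco.  Input format (interfaces, neighbours, routes) is invented for the
example and the three sample configurations are constructed from the post.
"""
from ipaddress import ip_address, ip_interface
from typing import Dict, List


def check_topology(local: Dict[str, str], neighbors: Dict[str, str],
                   routes: List[Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the addressing is coherent."""
    ifaces = {name: ip_interface(addr) for name, addr in local.items()}
    own = {i.ip for i in ifaces.values()}
    findings: List[str] = []

    # The device on the other end of each link must share that link's subnet.
    for name, peer in neighbors.items():
        p = ip_interface(peer)
        if name not in ifaces:
            findings.append(f"{name}: neighbor {peer} given but no local address")
        elif p.network != ifaces[name].network:
            findings.append(f"{name}: local {ifaces[name]} and neighbor {p} "
                            f"are not in the same subnet")

    # Every static route needs an on-link next hop that is not one of our own addresses.
    for r in routes:
        name, nh = r["interface"], ip_address(r["next_hop"])
        tag = f"route {r['dest']} via {name}"
        if name not in ifaces:
            findings.append(f"{tag}: unknown interface")
        elif nh in own:
            findings.append(f"{tag}: next hop {nh} is one of our own addresses "
                            f"(the gateway should be the router's address)")
        elif nh not in ifaces[name].network:
            findings.append(f"{tag}: next hop {nh} is not on-link for {ifaces[name]}")
    return findings


ROUTER_INSIDE = "172.16.1.1/24"   # the router's inside interface, from the post
DEFAULT_ROUTE = [{"interface": "outside", "dest": "0.0.0.0/0", "next_hop": "172.16.1.2"}]

# Outside interface exactly as typed in the post: 172.161.1.2/24.
AS_TYPED = dict(local={"outside": "172.161.1.2/24", "inside": "10.1.1.1/24"},
                neighbors={"outside": ROUTER_INSIDE}, routes=DEFAULT_ROUTE)

# Outside interface read as 172.16.1.2/24, the address the post gives later.
AS_MEANT = dict(local={"outside": "172.16.1.2/24", "inside": "10.1.1.1/24"},
                neighbors={"outside": ROUTER_INSIDE}, routes=DEFAULT_ROUTE)

# Same addressing, default route pointed at the router instead of at ourselves.
FIXED = dict(local=AS_MEANT["local"], neighbors=AS_MEANT["neighbors"],
             routes=[{"interface": "outside", "dest": "0.0.0.0/0",
                      "next_hop": "172.16.1.1"}])

if __name__ == "__main__":
    for label, cfg in (("as typed", AS_TYPED), ("as meant", AS_MEANT), ("fixed", FIXED)):
        print(label, "->", check_topology(**cfg) or ["ok"])
```

The check is deliberately dumb: it knows nothing about PIX syntax, only about which addresses must share a subnet and that a gateway is never one of your own interfaces. That is enough to catch both readings of the posted config before any debug session.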
Re: BGP questions Answered.. for the most part [7:45629]
Howard,

Thanks for the notice on RFC 2260. I took a minute to read it and I can see the benefits, in that the BGP metrics compiled by the Routing Table Analysis (APNIC) show that 25% (if I'm not mistaken) of the BGP FIB is made up of /24 prefixes. RFC 2270 does fall in line with RFC 1930's assumptions of allowing only the provider's existing aggregate to be advertised upstream. The question is still relevant, since the filtering by ISPs is based on IRR information, which is at present not completely reliable. However, I remember reading recently (I can't remember the document) where the preference was to have the more specific route information as the primary, whereas when this information no longer exists, the aggregate prefix would provide NLRI to the desired network prefixes.

For all interested, here is another really good presentation on multi-homed BGP:

http://www.apnic.net/meetings/10/programme/presentations/4-Multihoming-6up.PDF

You just gotta love the Internet and access to information of this kind.

Nigel

----- Original Message -----
From: Howard C. Berkowitz
Sent: Sunday, June 02, 2002 3:16 PM
Subject: Re: BGP questions Answered.. for the most part [7:45629]

>> All, I was doing some research which led to the following link and I figured that some of you might find it useful. I know on the list Howard always tries to define his solutions by asking: "What is the problem you're trying to solve?" So I figured this would answer some of those questions, which in turn may provide the solution.
>>
>> http://info.connect.com.au/docs/routing/general/multi-faq.shtml
>>
>> The last bookmark in the TOC on the page links to the sources, like RFC 2260 and RFC 2650, among others.
>>
>> Enjoy!
>>
>> Nigel
>
> Good reference! Minor point -- 2270 updates 2260.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45640&t=45629
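An added example for the two BGP threads above (the DPA / NOPEER / communities exchange and this follow-up on /24 prefixes and IRR-based filtering); it is my code, not something from any post, from Cisco, or from an RFC. It models the import and export policy a provider would run on a customer session: Howard's point that only a network you pay has a reason to honour your preference signal shows up as honouring only our own ASN's RFC 1998 communities (OUR_AS:70/80/90 set LOCAL_PREF) and scrubbing any other OUR_AS:* community a customer tries to send; NOPEER, which became the well-known community 0xFFFFFF04 in RFC 3765 (still Geoff Huston's draft when the thread was written), is carried through and enforced only towards bilateral peers; and the /24 and IRR concerns from Nigel's follow-up appear as a maximum prefix length and a "registered prefix" check, where the registered list stands in for an IRR route-object lookup. The ASNs (documentation range), prefixes and routes are constructed sample data.

```python
"""Customer-facing BGP policy: RFC 1998 community signalling, NOPEER on export,
and registered-prefix / maximum-length filtering on import.

Added example for this thread, not code from any post, from Cisco or from an
RFC.  Assumed: we are AS 64500; customers signal LOCAL_PREF with OUR_AS:70/80/90
(RFC 1998); NOPEER is well-known community 0xFFFFFF04 (RFC 3765, a draft at the
time of the thread); REGISTERED stands in for an IRR route-object lookup.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import Dict, List, Tuple

OUR_AS = 64500
DEFAULT_LOCAL_PREF = 100
RFC1998_PREFS = {70, 80, 90}   # LOCAL_PREF values a customer may request
NO_EXPORT = 0xFFFFFF01         # RFC 1997 well-known community
NOPEER = 0xFFFFFF04            # RFC 3765 well-known community


def community(asn: int, value: int) -> int:
    """Pack ASN:value into the 32-bit community wire format."""
    return (asn << 16) | value


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]
    communities: frozenset
    local_pref: int = DEFAULT_LOCAL_PREF
    learned_from: str = "customer"    # 'customer' | 'peer' | 'transit'


def import_from_customer(route: Route, customer_as: int,
                         registered: List[str]) -> Tuple[Route, str]:
    """Inbound policy on a customer session; returns (route, reject_reason).

    Rejects a path not starting with the customer, a prefix longer than /24, or
    one outside the customer's registered space.  Otherwise honours OUR_AS:70/80/90
    (lowest wins), scrubs every other OUR_AS:* community so a customer cannot
    trigger internal actions we never published, and keeps the rest untouched.
    """
    net = ip_network(route.prefix)
    if not route.as_path or route.as_path[0] != customer_as:
        return route, f"{route.prefix}: AS_PATH does not start with AS{customer_as}"
    if net.prefixlen > 24:
        return route, f"{route.prefix}: longer than /24"
    if not any(net.subnet_of(ip_network(r)) for r in registered):
        return route, f"{route.prefix}: not within a registered prefix of AS{customer_as}"
    pref, kept = DEFAULT_LOCAL_PREF, set()
    for c in route.communities:
        asn, value = c >> 16, c & 0xFFFF
        if asn != OUR_AS:
            kept.add(c)                 # another ASN's or a well-known community
        elif value in RFC1998_PREFS:
            pref, kept = min(pref, value), kept | {c}
        # any other OUR_AS:* community is silently dropped
    return replace(route, local_pref=pref, communities=frozenset(kept),
                   learned_from="customer"), ""


def export_allowed(route: Route, relationship: str) -> bool:
    """Outbound policy towards a 'customer', 'peer' or 'transit' neighbour: NO_EXPORT
    never leaves the AS, NOPEER blocks bilateral peers only, and only customer-learned
    routes go to peers and transits so we never give free transit between them."""
    if NO_EXPORT in route.communities:
        return False
    if relationship == "peer" and NOPEER in route.communities:
        return False
    if relationship in ("peer", "transit") and route.learned_from != "customer":
        return False
    return True


def run_customer_session(routes, customer_as, registered):
    """Apply the import policy; returns ({prefix: route}, {prefix: reason})."""
    accepted, rejected = {}, {}
    for r in routes:
        out, reason = import_from_customer(r, customer_as, registered)
        (rejected if reason else accepted)[r.prefix] = reason or out
    return accepted, rejected


def announcements(accepted: Dict[str, Route], relationship: str) -> List[str]:
    """Prefixes announced to a neighbour of the given relationship."""
    return sorted(p for p, r in accepted.items() if export_allowed(r, relationship))


# Constructed sample session with customer AS 64501 (documentation prefixes).
CUSTOMER_AS = 64501
REGISTERED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", (CUSTOMER_AS,), frozenset({community(OUR_AS, 90)})),
    Route("198.51.100.0/24", (CUSTOMER_AS,), frozenset({community(OUR_AS, 80), NOPEER})),
    Route("203.0.113.0/24", (CUSTOMER_AS,),          # OUR_AS:666 unpublished, 64499:90 foreign
          frozenset({community(OUR_AS, 666), community(64499, 90)})),
    Route("203.0.113.128/25", (CUSTOMER_AS,), frozenset()),      # too long
    Route("192.0.2.128/25", (64502, CUSTOMER_AS), frozenset()),  # wrong first AS
    Route("10.9.8.0/24", (CUSTOMER_AS,), frozenset()),           # not registered
]

if __name__ == "__main__":
    acc, rej = run_customer_session(SAMPLE_ROUTES, CUSTOMER_AS, REGISTERED)
    for p, r in acc.items():
        print(f"accept {p} local_pref={r.local_pref} communities={sorted(r.communities)}")
    for why in rej.values():
        print("reject", why)
    for rel in ("customer", "peer", "transit"):
        print(f"announce to {rel}: {announcements(acc, rel)}")
```

Two things to notice when running it: the 203.0.113.0/24 route keeps the foreign 64499:90 community (it is that provider's business, not ours) but loses OUR_AS:666, and 198.51.100.0/24 with NOPEER is announced to customers and to transit but never across the peering session, which is the effect the thread attributes to DPA without needing any other network to implement a new attribute.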
Re: Booo! CSS1 [7:45498]
With a nod to my colleague Michael L. Williams, I promise I will not turn this into another cert vs. experience royal rumble. But let me see if I got this straight. I see two of your quotes here.

Quote #1: "Soon everyone will be trying to get this cert and it will become a paper cert. All of my hard work will look like nothing. :-( ... Man, I need to specialize in something that people just don't want to study."

Quote #2: "... I thought I could have a more unique Cisco cert without killing myself, i.e. CCIE."

So from these two quotes, is it a fair interpretation to say that you want to hold a certification designation that distinguishes you from the next guy, but at the same time you don't want to work very hard for that designation? If this is not a fair interpretation, then please provide me with what you think is the proper interpretation. Because if this is a fair interpretation, then it seems as if you're simply asking to get something for nothing. You want to be considered special, but you don't want to put in the effort. Hey, believe me, I understand -- everybody wants something for nothing. But the fact of the matter is that it's damn hard in this world to get something for nothing.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45641&t=45498
RE: ISDN Simulator Question [7:45634]
2 issues off the top of my head...

1) Physically, one router creating one full network (2 points) will not work -- it's called IP address overlap and you'll see the errors when you begin to configure this. I have seen this many times within my own goofing-ups.

2) I'm almost positive your 4500 BRI interfaces are S/T and will require an NT1.

A second ISDN router should not be a huge investment. I have seen the 2524 and 2525s on eBay sell for less than $200. With a little memory upgrade it could run as a peer (Enterprise functions) to your 4500.

All the best!!!

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wayne Jang
Sent: Sunday, June 02, 2002 3:11 PM
To: [EMAIL PROTECTED]
Subject: ISDN Simulator Question [7:45634]

> If I have a NP 4B module on my 4500M, can I use it alone with an ISDN simulator? Or should I really have another ISDN capable router to practice ISDN configs? I was thinking I could use the 4 BRI ports to my advantage. I'm afraid it doesn't make sense to pass traffic to interfaces on the same router, but maybe for the sake of ISDN it doesn't matter that much.
>
> --
> Wayne Jang
> Advanced Computer Technologies, Inc.
> 108 Main Street
> Norwalk, CT 06851
> Wk 203-847-9433
> Cell 203-943-6603

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45638&t=45634
Re: Booo! CSS1 [7:45498]
No argument here =)

Mike W.

nrf wrote in message news:[EMAIL PROTECTED]...
> With a nod to my colleague Michael L. Williams, I promise I will not turn this into another cert vs. experience royal rumble. But let me see if I got this straight. I see two of your quotes here.
>
> Quote #1: "Soon everyone will be trying to get this cert and it will become a paper cert. All of my hard work will look like nothing. :-( ... Man, I need to specialize in something that people just don't want to study."
>
> Quote #2: "... I thought I could have a more unique Cisco cert without killing myself, i.e. CCIE."
>
> So from these two quotes, is it a fair interpretation to say that you want to hold a certification designation that distinguishes you from the next guy, but at the same time you don't want to work very hard for that designation? If this is not a fair interpretation, then please provide me with what you think is the proper interpretation. Because if this is a fair interpretation, then it seems as if you're simply asking to get something for nothing. You want to be considered special, but you don't want to put in the effort. Hey, believe me, I understand -- everybody wants something for nothing. But the fact of the matter is that it's damn hard in this world to get something for nothing.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45642&t=45498
Re: pix question [7:45639]
With the assumption that all is set correctly (nat correlates to global, etc., etc.) and you cleared all caches after setup -- which I would say somewhere they are not -- I would run icmp debugs, take all ACLs off except the ones needed for the nat/pat, and watch the packets. You'll find it.

-TV

Anthony Ramsey wrote in message news:[EMAIL PROTECTED]...
> Hi all, I appreciate any feedback to my question:
>
> I am setting up a lab environment and initially trying to configure a router and a PIX behind it. My router's outside interface is connected to a cable modem and has a live IP address assigned to it:
>
> cable modem - router - PIX - inside hosts
>
> The router's inside interface has a private IP address of 172.16.1.1/24 and the PIX's outside interface is 172.161.1.2/24. The inside interface of the PIX has an IP address of 10.1.1.1/24 and all inside hosts have that as the default gateway. Security is set up correctly on the inside and outside interfaces. I am using a global PAT address, different from the one on the router's interface connected to the cable modem (no statics going on in the PIX).
>
> I am unable to reach the Internet even when I use the statement:
>
> conduit permit ip any any
>
> and no packets are able to reach the 172.16.1.0 network from the inside hosts, not even the 172.16.1.2 address which belongs to the PIX's outside interface. I have a
>
> route outside 0 0 172.16.1.2
>
> statement as well. From the router I can ping inside hosts, with the correct route statement.
>
> Hope this is enough information. Please help!
>
> Thanks,
> Tony

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45643&t=45639
Re: Booo! CSS1 [7:45498]
HaHaHa

Thomas Larus
Sent by: [EMAIL PROTECTED]
06/01/2002 12:30 AM
Please respond to Thomas Larus
To: [EMAIL PROTECTED]
cc:
Subject: Re: Booo! CSS1 [7:45498]

> If you think a Lammle book is so great that it will make it easy for anyone to get the cert that you worked so hard for, then you are giving Todd Lammle more credit than he deserves.
>
> [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
>> Man this bums me out. Lammle has a CSS1/CCIP book coming out. Soon everyone will be trying to get this cert and it will become a paper cert. All of my hard work will look like nothing. :-( Man, I need to specialize in something that people just don't want to study. For a few moments in time I had it here in Japan but once this book comes out, even more clones will appear. Soon I can get a CSS1 with my soba and sushi down at the 7/11. Booo!
>>
>> Theo

hmmm... forensics. And I already have training scheduled and materials here... hum

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45644&t=45498
RE: Policy routing - directly connected interfaces [7:45628]
Check out page 819 of Doyle Vol 1.

ip local policy route-map

HTH

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 02, 2002 12:36 PM
To: [EMAIL PROTECTED]
Subject: Policy routing - directly connected interfaces [7:45628]

> Continued policy routing testing of a customer network simulation in my lab has revealed something of interest to me. Can't find a revelation in the config and command references on CCO.
>
> I have a policy set up such that packets with a particular source address and a particular destination address are treated in various manners. debug ip policy is showing me that the policy is doing exactly what I want it to do EXCEPT when the destination address is a directly connected network. That is, if the destination is a network on some other router, with a route in the routing table, everything is fine. The next hop is set appropriately, and the debug shows that policy is applied properly. However, when the destination is a directly connected network (either a loopback or a LAN interface) policy routing is not engaged.
>
> True? Experience? Reference? As I said, can't find anything in the documentation on CCO.
>
> Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45645&t=45628
RE: Interface process - order of operation links wanted [7:45646]
From the link I posted yesterday I quote: "(notice that policy routing is taking place before NAT)". I believe from reading your follow-up post to this that you have already determined this to be the case. For those that missed it, the link is:

http://www.cisco.com/warp/public/707/static.html

-----Original Message-----
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 02, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: Interface process - order of operation links wanted [7:45624]

> Anyone know some good links on the Cisco router order of operation for packets hitting an interface, both into and out of?
>
> I found this one yesterday while trying to figure out why policy routing was not being engaged:
>
> http://www.cisco.com/warp/public/556/5.html
>
> However the example does not equate to my situation, which is:
>
> packet---interface_in---interface_out---next_hop
>          policy routing
>          NAT outside     NAT inside
>
> What would be nice would be if policy routing occurs, then NAT takes place. However, based on my observations, what really happens is that NAT occurs, the packet is then placed into the routing process, and policy routing is never engaged.
>
> It occurs to me that a lot of design problems could be avoided if one were cognizant of the order in which processing occurs both at the entrance and the egress.
>
> thanks
> Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45646&t=45646
Re: CCIP - who is doing this one? [7:45443]
I got Cisco's IS-IS Network Design Solutions and am waiting for my bonus to get some more IS-IS related materials. In the meantime, I am looking for access at an ISP which is running IS-IS here in Tokyo. Getting access is rather difficult. I have seen ISPs with OSPF-based MPLS here. GMPLS is going to be huge. I like the possibilities that an MPLS-based VPN could have for security, so that is why I am working with it. I can see a network environment in three years based on 10G MPLS and 100 Meg wireless with transparent networking and three-factor user authentication. I am currently working with that goal in mind.

QoS was pretty straightforward. No complaints. It was a real-life test. If you read my other threads you will know that I don't like the CID. QoS uses everything from the CCNP. What can I say? Configure the routers, deliver the service to your customers, read the books, pass the tests, get paid... etc.

I agree that the CCIP won't be big for a while. Now is the time to get into MPLS, I think. Comparatively speaking, it is still young.

Theo

nrf
Sent by: [EMAIL PROTECTED]
06/02/2002 12:33 PM
Please respond to nrf
To: [EMAIL PROTECTED]
cc:
Subject: Re: CCIP - who is doing this one? [7:45443]

> Tom Scott wrote in message news:[EMAIL PROTECTED]...
>> [EMAIL PROTECTED] wrote:
>>> I am going to get the CCIP, only one test away, BSCI, and I can't pass it because I simply don't know IS-IS.
>>
>> I wonder if the new BSCI book by Todd Lammle does a good job on IS-IS? How difficult were the other two parts (QoS/multicasting and whatever specialty you chose) in comparison to the CCNP/CCDP certs (BSCN, BCMSN, BCRAN, CIT, CID)?
>>
>>> I am getting it just to get it. I hope one day to get more money from it but I know this year I won't.
>>
>> Despite my dark predictions about when or if the CCIP will be included in the Cisco Academy curriculum, I'm a huge fan of CCIP and MPLS. According to the large service providers who made presentations at MPLScon in Washington last month, MPLS is already deployed and its use in core networks will continue to grow and accelerate. I think the same holds true for GMPLS in the high-speed optical core.
>
> Well, the thing is, service providers, and especially the larger service providers that are using MPLS (MPLS makes little sense for small providers), place little stock in the value of certs, any certs. We all know how difficult it is to find decent work (non-cable-monkey work) in an enterprise if all you hold is a cert. Well, it's really really really hard to find decent work at a large provider if all you're bringing to the table is a cert. Large providers tend to behave as something of an old boys' club, where for their good positions they'll only hire somebody who's well established.
>
> Now, I'm not saying that you should stop learning. Learning is always good. And indeed the CCIP technologies are very interesting ones. I'm just saying that as far as what you might expect that these provider-oriented certs might do for your career, you need to keep these expectations in check. Enterprises are not going to care about things like MPLS for a while, and large providers don't care much about certs.
>
> --
> TT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45647&t=45443
Re: ISDN Simulator Question [7:45634]
Phil,

It depends what type of ISDN simulator he has as to whether he will need an NT1 or not. If the simulator has S/T interfaces on it already, then he will NOT need an external NT1 for his router.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)

Phil Lorenz wrote in message news:[EMAIL PROTECTED]...
> 2 issues off the top of my head...
>
> 1) Physically, one router creating one full network (2 points) will not work -- it's called IP address overlap and you'll see the errors when you begin to configure this. I have seen this many times within my own goofing-ups.
>
> 2) I'm almost positive your 4500 BRI interfaces are S/T and will require an NT1.
>
> A second ISDN router should not be a huge investment. I have seen the 2524 and 2525s on eBay sell for less than $200. With a little memory upgrade it could run as a peer (Enterprise functions) to your 4500.
>
> All the best!!!
>
> Phil
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wayne Jang
> Sent: Sunday, June 02, 2002 3:11 PM
> To: [EMAIL PROTECTED]
> Subject: ISDN Simulator Question [7:45634]
>
>> If I have a NP 4B module on my 4500M, can I use it alone with an ISDN simulator? Or should I really have another ISDN capable router to practice ISDN configs? I was thinking I could use the 4 BRI ports to my advantage. I'm afraid it doesn't make sense to pass traffic to interfaces on the same router, but maybe for the sake of ISDN it doesn't matter that much.
>>
>> --
>> Wayne Jang
>> Advanced Computer Technologies, Inc.
>> 108 Main Street
>> Norwalk, CT 06851
>> Wk 203-847-9433
>> Cell 203-943-6603

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45648&t=45634