RE: 2v Voice card [7:45747]

2002-06-04 Thread Phil Lorenz

You need @ least 12.0(5)T software and preferably you'd want something
in the 12.1 line-up... and if you have onboard memory, regular
Enterprise encompasses the voice stuff starting in 12.1.

All the best !!!
Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Amir Aziz
Sent: Tuesday, June 04, 2002 2:56 AM
To: [EMAIL PROTECTED]
Subject: 2v Voice card [7:45747]

Hello Everyone,

I am having problems with my Cisco router. The router fails to recognise
the card, and the "en" light initially shows red when the router boots, then it
turns off and remains off, and the FXO and FXS card red lights remain lit. My
IOS version is as follows:

Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3620-I-M), Version 12.0(7), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Thu 14-Oct-99 14:26 by phanguye

Kindly inform me whether it has to do with the IOS or my card is faulty. Any
help will be appreciated.

Regards,
Amir Aziz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45748&t=45747
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: VPN Overhead [7:45719]

2002-06-04 Thread [EMAIL PROTECTED]

What is the bandwidth of your DSL?

"Elijah Savage"
Sent by: [EMAIL PROTECTED]
06/04/2002 11:47 AM
Please respond to "Elijah Savage"

To: [EMAIL PROTECTED]
cc:
Subject: Re: VPN Overhead [7:45719]

We have 2 3030 concentrators set up in a load balancing fashion and it
works very well. We have rolled this out to about 3000 users and have done
all types of testing with different applications and different types of
access. Over dialup we notice that there is about 12% overhead with the
cisco vpn client, with broadband it makes less of an impact. We noticed on
broadband that it was about 7% on dsl and about 5% on cable access. Hope
that helps out.
> We are currently using a VPN provider to get into the network but want
> to take more control and bring it in house. I did some testing though
> and found that the VPN was adding about 27% overhead compared to
> bypassing VPN and going direct to a server.
>
> I'm wondering if others have done testing and what were your results.
> We are currently using V-One but I will be looking at Cisco's solution.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45736&t=45719



Dialback problem [7:45749]

2002-06-04 Thread Shane Stockman

I have a problem with ISDN dialback in that when you dial in it cuts you off,
but you wait until the call cuts off. Analog dialback works fine on the same
router.

Here is a config; maybe someone can see something I cannot:

IOS (tm) 3600 Software (C3640-IS-M), Version 12.1(5)T6, RELEASE SOFTWARE (fc1)

boot system flash c3640-is-mz.121-5.T6.bin
logging buffered 1600 debugging
logging rate-limit console 10 except errors
no logging console
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default local group tacacs+
aaa authorization exec default local group tacacs+
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
clock timezone sast 2
modem country mica south-africa
ip subnet-zero
!
!
no ip finger
ip name-server 172.16.73.73
!
isdn switch-type primary-net5
chat-script callback ABORT ERROR ABORT BUSY "" "ATDT \T" TIMEOUT 60 CONNECT \C
chat-script offhook "" "ATH1" OK
call rsvp-sync
!
controller E1 0/0
framing NO-CRC4
pri-group timeslots 1-31
!
controller E1 0/1
shutdown
!
interface Loopback0
ip address 172.16.168.1 255.255.255.0
shutdown
!
interface Serial0/0:15
no ip address
encapsulation ppp
ip tcp header-compression passive
dialer rotary-group 0
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
isdn sending-complete
ppp callback accept
!
interface FastEthernet1/0
ip address 172.16.63.3 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet1/0.1
!
interface Group-Async1
bandwidth 64
ip unnumbered FastEthernet1/0
ip directed-broadcast
encapsulation ppp
autodetect encapsulation ppp
async mode interactive
peer default ip address pool PRI
no fair-queue
ppp callback accept
ppp authentication pap chap
group-range 65 94
!
interface Dialer0
ip unnumbered FastEthernet1/0
ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
dialer-group 1
peer default ip address pool PRI
ppp callback accept
ppp authentication pap chap
ppp multilink
!
router eigrp 328
passive-interface Dialer1
network 172.16.0.0
no auto-summary
no eigrp log-neighbor-changes
!
ip local pool PRI 172.16.63.65 172.16.63.94
ip classless
no ip http server
!
logging 172.16.75.75
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
tacacs-server host 193.23.42.131
tacacs-server key 1_x12=2
snmp-server community 1nf0rm1x RO
snmp-server community sybase_ver1tas RW
!
dial-peer cor custom
!
line con 0
transport input none
line 65 94
autoselect during-login
autoselect ppp
script dialer micout
script modem-off-hook offhook
script callback callback
modem InOut
modem autoconfigure discovery
transport input all
flowcontrol hardware
line aux 0
line vty 0 4
exec-timeout 15 0
password tpop
!
ntp clock-period 17179998







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45749&t=45749



RE: CAT 5000 simulator for BCMSN [7:45735]

2002-06-04 Thread Ole Drews Jensen

Sure Hitesh,

That would be my simulator, found on my RouterChief site under Free
Software.

Good luck,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: Hitesh Pathak R [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 9:06 PM
To: [EMAIL PROTECTED]
Subject: CAT 5000 simulator for BCMSN [7:45735]


Dear Group

I remember there was some URL posted for a Cat 5000 command simulator. I am
preparing for my BCMSN. Would anybody be able to help me?

Many thanks
Hitesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45751&t=45735



RE: show version? [7:45730]

2002-06-04 Thread brian kastor

Or the guy that was hired two years after 24 2610's went out to their
sites.  These guys wrote down the serial numbers, they just don't know which
ones go with which ones!!!

Thanks for the replies everyone!

bk


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45752&t=45730



Re: Security hazard?? [7:45731]

2002-06-04 Thread Craig Columbus

Do I understand you correctly that your 6808s have both internal (secure) 
and external (unsecure) traffic on them, separated only by VLAN?

At 09:30 PM 6/3/2002 -0400, you wrote:
>All,
>
>We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
>The two 3640's are doing IBGP between them on each of their eth0's.  I
>have created a vlan on the Extremes called 'unsecure'(there are only 2
>ports on each Extreme in this vlan... one coming in from the 3640 and
>the other going into the firewall).  I am getting some complaints from
>the 'uppers' that bringing the 3640's into the Extreme's is a security
>hazard.
>
>I am sure someone is now working on a way to hack from one vlan to the
>next, but for now, I don't see the difference between putting a hub in
>there and using a couple of ports on these monster
>'almost-never-go-down' switches.  I just don't want another unmanaged
>piece of equipment in the flow.
>
>Has anyone ever heard of this being a leak.  I worked in a datacenter
>before and this is what we did with 6509's and we didn't blink!  I know
>these are Extreme switches... which is probably taboo in the group, but
>I am pretty sure this would be platform independent... right
>
>Thanks,
>
>bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45753&t=45731



Chassis Serial Number -> WAS show version? [7:45730]

2002-06-04 Thread Daniel Cotts

Some while ago someone posted the idea of using a named access-list and
remark to record the serial number. Obviously it is not applied to any
interface.

ip access-list standard Serial_Number
 remark This router's S/N JAB035x

> -Original Message-
> From: Mark Odette II [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 04, 2002 12:05 AM
> To: [EMAIL PROTECTED]
> Subject: RE: show version? [7:45730]
> 
> 
> You are correct, the only way to have the serial number of the
> chassis in the startup-config of the router is to put it there under
> one of the Banners, or in the description of one of the interfaces.
> This obviously requires planning ahead. :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45755&t=45730



Cisco Remote Shell [7:45757]

2002-06-04 Thread Michalis Palis

Hello all

I am trying to send commands to a cisco router using
remote shell from a unix machine. My problem is that I
cannot send configuration commands, but only show
commands. When I send configuration commands, i.e.
config t, ip finger, I get a reply with permission
denied.

Does anybody have an idea of the problem?

Thanks





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45757&t=45757



RE: Security hazard?? [7:45731]

2002-06-04 Thread Robert A. McIntire

If I understand what you're describing, it sounds like you've pretty well
by-passed the firewall.  As a general comment, it seems pointless to have a
firewall if you're not going to utilize it with sound network security
design.
I think I understand what you're trying to do, but you may want to rethink
the reasoning.
Your VLANs ( on the same devices ) are a very thin security veil between
the trusted and untrusted networks.  Without a net diagram, we can only
speculate.  But, I'm guessing that the most secure you can be with this
physical config is to pin strong ACLs to the outside interfaces of the 3640
access routers.  You could also pin ACLs to the VLAN interfaces to filter
unwanted traffic.  What kind of capability do these switches have?  Have you
considered the IOS firewall ( CBAC ) for the edge routers?

I think a tech support call to your firewall vendor may be an eye-opening
experience.  Send them a diagram of what you've got and see if it's a
network design scenario that they support.  I assume the 2 3640s are being
used redundantly with HSRP?  If so, why not consider a second, redundant
firewall and place them both in-line between the edge routers and the
internal LANs?

HTH,  Bob McIntire


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Craig Columbus
Sent: Tuesday, June 04, 2002 9:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Security hazard?? [7:45731]


Do I understand you correctly that your 6808s have both internal (secure)
and external (unsecure) traffic on them, separated only by VLAN?

At 09:30 PM 6/3/2002 -0400, you wrote:
>All,
>
>We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
>The two 3640's are doing IBGP between them on each of their eth0's.  I
>have created a vlan on the Extremes called 'unsecure'(there are only 2
>ports on each Extreme in this vlan... one coming in from the 3640 and
>the other going into the firewall).  I am getting some complaints from
>the 'uppers' that bringing the 3640's into the Extreme's is a security
>hazard.
>
>I am sure someone is now working on a way to hack from one vlan to the
>next, but for now, I don't see the difference between putting a hub in
>there and using a couple of ports on these monster
>'almost-never-go-down' switches.  I just don't want another unmanaged
>piece of equipment in the flow.
>
>Has anyone ever heard of this being a leak.  I worked in a datacenter
>before and this is what we did with 6509's and we didn't blink!  I know
>these are Extreme switches... which is probably taboo in the group, but
>I am pretty sure this would be platform independent... right
>
>Thanks,
>
>bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45756&t=45731



Seems to me... [7:45664]

2002-06-04 Thread Chris Charlebois

The error says the source and destination are the same.  Since the source
and destination ip addresses are obviously different, I would guess the
complaint is that the last-hop and next-hop gateways are the same.  The IDS
is complaining because some packets are trying to hairpin in your router. 
This could be because of some malicious spoofing or it could simply be a bad
route at your ISP.  I'd inform the ISP as a heads up and see what they have
to say.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45758&t=45664



Re: static route for port 21 [7:45682]

2002-06-04 Thread Alex Lee

Yes, I do remember seeing that thread when I first joined the group. Just
can't find it now.

"Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> Time to restart the blueberry thread.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45759&t=45682



RE: Security hazard?? [7:45731]

2002-06-04 Thread Peter van Oene

Assuming the untrusted VLAN offers no IP connectivity to its control
engine (ie the routed aspects are not reachable therein) what
vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
sure how one gets from untrusted to trusted without traversing the
Firewall.  The only limitation I see here would be one of either poorly
implemented VLAN technology on the part of the vendor, or fat fingering on
the part of the administrator.

Pete




At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
>If I understand what you're describing, it sounds like you've pretty well
>by-passed the firewall.  As a general comment, it seems pointless to have a
>firewall if you're not going to utilize it with sound network security
>design.
>I think I understand what you're trying to do, but you may want to rethink
>the reasoning.
>Your VLANs ( on the same devices ) are a very thin security veil between
>the trusted and untrusted networks.  Without a net diagram, we can only
>speculate.  But, I'm guessing that the most secure you can be with this
>physical config is to pin strong ACLs to the outside interfaces of the 3640
>access routers.  You could also pin ACLs to the VLAN interfaces to filter
>unwanted traffic.  What kind of capability do these switches have?  Have you
>considered the IOS firewall ( CBAC ) for the edge routers?
>
>I think a tech support call to your firewall vendor may be an eye-opening
>experience.  Send them a diagram of what you've got and see if it's a
>network design scenario that they support.  I assume the 2 3640s are being
>used redundantly with HSRP?  If so, why not consider a second, redundant
>firewall and place them both in-line between the edge routers and the
>internal LANs?
>
> HTH,  Bob McIntire
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Craig Columbus
>Sent: Tuesday, June 04, 2002 9:42 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Security hazard?? [7:45731]
>
>
>Do I understand you correctly that your 6808s have both internal (secure)
>and external (unsecure) traffic on them, separated only by VLAN?
>
>At 09:30 PM 6/3/2002 -0400, you wrote:
> >All,
> >
> >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> >The two 3640's are doing IBGP between them on each of their eth0's.  I
> >have created a vlan on the Extremes called 'unsecure'(there are only 2
> >ports on each Extreme in this vlan... one coming in from the 3640 and
> >the other going into the firewall).  I am getting some complaints from
> >the 'uppers' that bringing the 3640's into the Extreme's is a security
> >hazard.
> >
> >I am sure someone is now working on a way to hack from one vlan to the
> >next, but for now, I don't see the difference between putting a hub in
> >there and using a couple of ports on these monster
> >'almost-never-go-down' switches.  I just don't want another unmanaged
> >piece of equipment in the flow.
> >
> >Has anyone ever heard of this being a leak.  I worked in a datacenter
> >before and this is what we did with 6509's and we didn't blink!  I know
> >these are Extreme switches... which is probably taboo in the group, but
> >I am pretty sure this would be platform independent... right
> >
> >Thanks,
> >
> >bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45760&t=45731



Re: Dropping Characters on Reverse Telnet [7:45729]

2002-06-04 Thread Shawn Heisey

Every character that is processed by an AUX port creates an interrupt,
so the AUX port hits the CPU harder than any other port running at the
same speed.  CPU utilization at 35% shouldn't be enough to cause the
problem you're seeing.

One thing you'd want to make sure of is that you are not trying to use a
baud rate higher than 9600, and that you have set flow control to none,
stop bits to 1, and configured 'no exec' on the aux port.  Similar
settings should be configured on the console port at the other end,
though it does of course need 'exec'.  Make sure that none of the router
lines include the command "logging synchronous."

Console ports run at 9600 baud by default because they have no flow
control lines.  Higher speeds cannot be guaranteed to work reliably,
though they often do.

It's always possible that you've run into a bug.  My personal favorites
for IOS version are 12.1(15) if you can run it, 12.0(22) or 11.3(11c) if
memory isn't sufficient.

Recommended config:

2514 aux port:
!
line aux 0
 speed 9600
 flowcontrol none
 stopbits 1
 no exec
!

25xx router:
!
line con 0
 speed 9600
 flowcontrol none
 stopbits 1
 exec
!
config-register 0x2102
!

Thanks,
Shawn

Michael Gunnels wrote:
> 
> I've been having a strange problem.  When reverse
> telnetting from my 2514's AUX port to my 25xx's
> console port (I've tried multiple routers).  I am
> sometimes losing packets during show commands.  The
> router that initiates the reverse telnet cpu is at
> most 35%.  I've tried using variations of flow control
> on both routers, but it doesn't seem to make much
> difference.  Has anyone else experienced this?  It's
> driving me nuts!  It skips and jumbles things
> together.  It only shows up when reverse telnetting.
> If I'm consoled in or regular telnet ting their is no
> problem.  Please help.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45761&t=45729



RE: Security hazard?? [7:45731]

2002-06-04 Thread Eric Rivard

If you do not have IP routing on the VLANs you can still hop from one VLAN
to another. See this article for more info:
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

-Original Message-
From: Peter van Oene [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]


Assuming the untrusted VLAN offers no IP connectivity to its control
engine (ie the routed aspects are not reachable therein) what
vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
sure how one gets from untrusted to trusted without traversing the
Firewall.  The only limitation I see here would be one of either poorly
implemented VLAN technology on the part of the vendor, or fat fingering on
the part of the administrator.

Pete




At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
>If I understand what you're describing, it sounds like you've pretty well
>by-passed the firewall.  As a general comment, it seems pointless to have a
>firewall if you're not going to utilize it with sound network security
>design.
>I think I understand what you're trying to do, but you may want to rethink
>the reasoning.
>Your VLANs ( on the same devices ) are a very thin security veil between
>the trusted and untrusted networks.  Without a net diagram, we can only
>speculate.  But, I'm guessing that the most secure you can be with this
>physical config is to pin strong ACLs to the outside interfaces of the 3640
>access routers.  You could also pin ACLs to the VLAN interfaces to filter
>unwanted traffic.  What kind of capability do these switches have?  Have you
>considered the IOS firewall ( CBAC ) for the edge routers?
>
>I think a tech support call to your firewall vendor may be an eye-opening
>experience.  Send them a diagram of what you've got and see if it's a
>network design scenario that they support.  I assume the 2 3640s are being
>used redundantly with HSRP?  If so, why not consider a second, redundant
>firewall and place them both in-line between the edge routers and the
>internal LANs?
>
> HTH,  Bob McIntire
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Craig Columbus
>Sent: Tuesday, June 04, 2002 9:42 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Security hazard?? [7:45731]
>
>
>Do I understand you correctly that your 6808s have both internal (secure)
>and external (unsecure) traffic on them, separated only by VLAN?
>
>At 09:30 PM 6/3/2002 -0400, you wrote:
> >All,
> >
> >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> >The two 3640's are doing IBGP between them on each of their eth0's.  I
> >have created a vlan on the Extremes called 'unsecure'(there are only 2
> >ports on each Extreme in this vlan... one coming in from the 3640 and
> >the other going into the firewall).  I am getting some complaints from
> >the 'uppers' that bringing the 3640's into the Extreme's is a security
> >hazard.
> >
> >I am sure someone is now working on a way to hack from one vlan to the
> >next, but for now, I don't see the difference between putting a hub in
> >there and using a couple of ports on these monster
> >'almost-never-go-down' switches.  I just don't want another unmanaged
> >piece of equipment in the flow.
> >
> >Has anyone ever heard of this being a leak.  I worked in a datacenter
> >before and this is what we did with 6509's and we didn't blink!  I know
> >these are Extreme switches... which is probably taboo in the group, but
> >I am pretty sure this would be platform independent... right
> >
> >Thanks,
> >
> >bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45762&t=45731



RE: SYSLOG time stamp problem [7:44949]

2002-06-04 Thread dayo olabisi

service timestamps log datetime msec localtime show-timezone (watch the wrap).

keywords to note: localtime show-timezone

dayo
--- "R. Benjamin Kessler" wrote:
> I know on RedHat you have to ensure that syslogd is started with the -r
> flag so that it accepts syslog messages from "remote" systems.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Steven A. Ridder
> Sent: Friday, May 24, 2002 10:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: SYSLOG time stamp problem [7:44949]
> 
> Speaking of syslog, if a syslog daemon is running on a unix machine, is
> that all that needs to happen for it to collect messages. I can get a Kiwi
> syslog program to work, but if I have a customer set up syslog on unix,
> nothing is in the logs, even though the router claims to have sent him
> messages (and all connectivity is working).
> 
> --
> 
> RFC 1149 Compliant.
> 
> 
> "Jeffrey Reed" wrote in message news:[EMAIL PROTECTED]...
> > I set up a syslog server and have a problem with the time stamp in a
> > syslog message. When a message is sent to my syslog server (using solar
> > winds syslog monitor) the date/time field is correct, but the time stamp
> > with the message itself is not, it's 4 hours ahead. I show calendar and
> > clock on the 6500 MSFC and they are both set correctly. I have the system
> > set up for EST and daylight savings, so I think the syslog facility is not
> > factoring in those settings.
> >
> > How can I get the syslog message to display the correct time?
> >
> > Thanks!!
> >
> > Jeff Reed
> > [EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45763&t=44949
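Jeff's 4-hour gap is what you get when the router stamps messages in UTC (no `localtime`) and sends no zone name (no `show-timezone`): the collector's own date/time field is local, the embedded stamp is not, and nothing on the wire says which clock is which. The parser below is an added example, not code from the thread, for the timestamp formats dayo's command produces. It reads the optional RFC 3164 priority and IOS sequence number, the `*`/`.` clock-authority marker, the `msec` fraction and the zone name, converts to UTC only when the message itself names a zone, and otherwise reports the raw gap against the collector's wall clock rather than guessing. The sample lines, the collector time and the zone table are constructed; IOS prints whatever name was given to `clock timezone`, so that table is local policy.

```python
"""Parse the timestamp Cisco IOS embeds in a syslog message and check it
against the collector's receive time.  Added example for the thread above;
sample lines, collector clock and zone table are all constructed."""
import re
from datetime import datetime, timedelta, timezone

# IOS prints whatever name was given to `clock timezone <name> <hours>`, so
# the abbreviation-to-offset table is local policy, not a standard.  Constructed.
ZONE_OFFSET_HOURS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "sast": 2}

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# <PRI>seq: [*|.]Mon dd hh:mm:ss[.mmm][ ZONE]: %FACILITY-SEV-MNEMONIC: text
_IOS_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"               # RFC 3164 priority, if the collector kept it
    r"(?:(?P<seq>\d+): )?"                    # `service sequence-numbers`
    r"(?P<auth>[*.])?"                        # * = clock not authoritative, . = NTP sync lost
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.(?P<msec>\d{3}))?"   # .mmm only with `msec`
    r"(?: (?P<zone>[A-Za-z]{3,5}))?: "        # zone name only with `show-timezone`
    r"(?P<body>%[A-Z0-9_]+-\d-[A-Z0-9_]+: .*)$"
)


def parse_ios_syslog(line, year, received_local):
    """Return a dict describing one IOS syslog line, or None if it is not IOS-shaped.

    `year` is supplied by the caller because the IOS stamp carries none.
    `received_local` is the collector's own receive time as an aware datetime in
    the collector's zone (what the syslog server writes in its own date/time field).
    """
    m = _IOS_LINE.match(line)
    if m is None:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    stamped = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss,
                       int(m["msec"] or 0) * 1000)
    pri = int(m["pri"]) if m["pri"] else None
    result = {
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "sequence": int(m["seq"]) if m["seq"] else None,
        "clock_authoritative": m["auth"] is None,
        "zone": m["zone"],
        "mnemonic": m["body"].split(":", 1)[0],
        "utc": None,
        "skew_seconds": None,
        "apparent_offset_hours": None,
    }
    offset = ZONE_OFFSET_HOURS.get(m["zone"]) if m["zone"] else None
    if offset is None:
        # No zone on the wire (or an unknown name): we cannot tell UTC from local
        # time, so report the raw gap against the collector's wall clock instead
        # of guessing.  Jeff's "4 hours ahead" shows up here.
        gap = stamped - received_local.replace(tzinfo=None)
        result["apparent_offset_hours"] = round(gap.total_seconds() / 3600, 2)
        return result
    aware = stamped.replace(tzinfo=timezone(timedelta(hours=offset)))
    result["utc"] = aware.astimezone(timezone.utc)
    result["skew_seconds"] = (result["utc"] - received_local).total_seconds()
    return result


# Collector runs on US Eastern daylight time (UTC-4) and received all three
# lines at the same instant.  Constructed.
RECEIVED_LOCAL = datetime(2002, 6, 4, 10, 16, 0, tzinfo=timezone(timedelta(hours=-4)))

SAMPLE_LINES = [
    # Jeff's situation: UTC stamp, no `localtime`, no `show-timezone`.
    "Jun  4 14:16:00: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.75.75)",
    # After dayo's fix: local time, msec, zone name; sequence number and PRI kept.
    "<189>45: Jun  4 10:16:00.250 EDT: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.75.75)",
    # A router using Shane's `clock timezone sast 2` whose clock is not NTP-authoritative.
    "*Jun  4 16:16:00 sast: %LINK-3-UPDOWN: Interface Serial0/0:15, changed state to down",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_ios_syslog(line, 2002, RECEIVED_LOCAL))
```

The design choice worth copying is the refusal to guess: a stamp without a zone name gets an "apparent offset" and nothing else, so a collector can raise "router X is probably logging UTC without `localtime`" instead of silently shifting every event four hours in a forensic timeline.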



RE: Security hazard?? [7:45731]

2002-06-04 Thread Peter van Oene

Interesting indeed.  I hadn't seen that before. This is obviously an 
architecturally flawed implementation.  Ideally, the CAM (MAC) table should 
be fully isolated to prevent unwanted forwarding and ports not considered 
trunks shouldn't accept tagged packets.  I assume folks are working on 
this, but at this time, it would look like securing a topology of this 
nature requires some additional effort.

Thanks for the link

Pete


At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
>If you do not have IP routing on the VLANs you can still hop from one VLAN
>to another. See this article for more info:
>http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
>
>-Original Message-
>From: Peter van Oene [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 04, 2002 8:41 AM
>To: [EMAIL PROTECTED]
>Subject: RE: Security hazard?? [7:45731]
>
>
>Assuming the untrusted VLAN offers no IP connectivity to its control
>engine (ie the routed aspects are not reachable therein) what
>vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
>sure how one gets from untrusted to trusted without traversing the
>Firewall.  The only limitation I see here would be one of either poorly
>implemented VLAN technology on the part of the vendor, or fat fingering on
>the part of the administrator.
>
>Pete
>
>
>
>
>At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> >If I understand what you're describing, it sounds like you've pretty well
> >by-passed the firewall.  As a general comment, it seems pointless to have a
> >firewall if you're not going to utilize it with sound network security
> >design.
> >I think I understand what you're trying to do, but you may want to rethink
> >the reasoning.
> >Your VLANs ( on the same devices ) are a very thin security veil between
> >the trusted and untrusted networks.  Without a net diagram, we can only
> >speculate.  But, I'm guessing that the most secure you can be with this
> >physical config is to pin strong ACLs to the outside interfaces of the 3640
> >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> >unwanted traffic.  What kind of capability do these switches have?  Have you
> >considered the IOS firewall ( CBAC ) for the edge routers?
> >
> >I think a tech support call to your firewall vendor may be an eye-opening
> >experience.  Send them a diagram of what you've got and see if it's a
> >network design scenario that they support.  I assume the 2 3640s are being
> >used redundantly with HSRP?  If so, why not consider a second, redundant
> >firewall and place them both in-line between the edge routers and the
> >internal LANs?
> >
> > HTH,  Bob McIntire
> >
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Craig Columbus
> >Sent: Tuesday, June 04, 2002 9:42 AM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Security hazard?? [7:45731]
> >
> >
> >Do I understand you correctly that your 6808s have both internal (secure)
> >and external (unsecure) traffic on them, separated only by VLAN?
> >
> >At 09:30 PM 6/3/2002 -0400, you wrote:
> > >All,
> > >
> > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> > >The two 3640's are doing IBGP between them on each of their eth0's.  I
> > >have created a vlan on the Extremes called 'unsecure'(there are only 2
> > >ports on each Extreme in this vlan... one coming in from the 3640 and
> > >the other going into the firewall).  I am getting some complaints from
> > >the 'uppers' that bringing the 3640's into the Extreme's is a security
> > >hazard.
> > >
> > >I am sure someone is now working on a way to hack from one vlan to the
> > >next, but for now, I don't see the difference between putting a hub in
> > >there and using a couple of ports on these monster
> > >'almost-never-go-down' switches.  I just don't want another unmanaged
> > >piece of equipment in the flow.
> > >
> > >Has anyone ever heard of this being a leak.  I worked in a datacenter
> > >before and this is what we did with 6509's and we didn't blink!  I know
> > >these are Extreme switches... which is probably taboo in the group, but
> > >I am pretty sure this would be platform independent... right
> > >
> > >Thanks,
> > >
> > >bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45764&t=45731



Cisco Remote shell [7:45765]

2002-06-04 Thread Michalis Palis

Hello all

I am trying to send commands to a cisco router using
remote shell from a unix machine. My problem is that I
cannot send configuration commands, but only show
commands. When I send configuration commands, i.e.
config t, ip finger, I get a reply with permission
denied.

Does anybody have an idea of the problem?

Thanks






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45765&t=45765



RE: Security hazard?? [7:45731]

2002-06-04 Thread Priscilla Oppenheimer

My quick analysis of the VLAN testing published by the SANS Institute:

"In a default configuration it is possible to inject 802.1q frames into 
non-trunk ports on a switch and have these frames delivered to the 
destination."
As Peter says, a non-trunk port shouldn't accept a tagged frame. Also, it 
appears from the testing that a trunk port accepts a frame with the tag 
already on it. It shouldn't do this? (Is there any case where it would need 
to do this???) These seem like things that Cisco could fix pretty easily.

"It is possible to get 802.1q frames to hop from one VLAN to another if the 
frames are injected into a switch port belonging to the native VLAN of the 
trunk port. It is also necessary for the source and destination Ethernet 
devices to be on different switches." And "The attacker [must have ] access 
to a switch port on the same VLAN as the native VLAN of the trunk port."
Sounds like another good reason to change the native VLAN from the default 
of 1 and not to use it for ports that attach end nodes.

"Recommendations: Try not to use VLANs as a mechanism for enforcing 
security policy. They are great for segmenting networks, reducing 
broadcasts and collisions and so forth, but not as a security tool."

I think that was already well known. VLANs aren't a very good security 
measure. Comments?

Priscilla


At 01:17 PM 6/4/02, Peter van Oene wrote:
>Interesting indeed.  I hadn't seen that before. This is obviously an
>architecturally flawed implementation.  Ideally, the CAM (MAC) table should
>be fully isolated to prevent unwanted forwarding and ports not considered
>trunks shouldn't accept tagged packets.  I assume folks are working on
>this, but at this time, it would look like securing a topology of this
>nature requires some additional effort.
>
>Thanks for the link
>
>Pete
>
>
>At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
> >if you do not have IP routing on the VLANs you can still hop from one VLAN
> >to another. See this article for more info:
> >http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> >
> >-Original Message-
> >From: Peter van Oene [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, June 04, 2002 8:41 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Security hazard?? [7:45731]
> >
> >
> >Assuming the untrusted VLAN offers no IP connectivity to its control
> >engine (ie the routed aspects are not reachable therein) what
> >vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
> >sure how one gets from untrusted to trusted without traversing the
> >Firewall.  The only limitation I see here would be one of either poorly
> >implemented VLAN technology on the part of the vendor, or fat fingering on
> >the part of the administrator.
> >
> >Pete
> >
> >
> >
> >
> >At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> > >If I understand what you're describing, it sounds like you've pretty well
> > >bypassed the firewall.  As a general comment, it seems pointless to have a
> > >firewall if you're not going to utilize it with sound network security
> > >design.
> > >I think I understand what you're trying to do, but you may want to rethink
> > >the reasoning.
> > >Your VLANs ( on the same devices ) are a very thin security veil between
> > >the trusted and untrusted networks.  Without a net diagram, we can only
> > >speculate.  But, I'm guessing that the most secure you can be with this
> > >physical config is to pin strong ACLs to the outside interfaces of the 3640
> > >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> > >unwanted traffic.  What kind of capability do these switches have?  Have you
> > >considered the IOS firewall ( CBAC ) for the edge routers?
> > >
> > >I think a tech support call to your firewall vendor may be an eye-opening
> > >experience.  Send them a diagram of what you've got and see if it's a
> > >network design scenario that they support.  I assume the 2 3640s are being
> > >used redundantly with HSRP?  If so, why not consider a second, redundant
> > >firewall and place them both in-line between the edge routers and the
> > >internal LANs?
> > >
> > > HTH,  Bob McIntire
> > >
> > >
> > >-Original Message-
> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > >Craig Columbus
> > >Sent: Tuesday, June 04, 2002 9:42 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Security hazard?? [7:45731]
> > >
> > >
> > >Do I understand you correctly that your 6808s have both internal (secure)
> > >and external (unsecure) traffic on them, separated only by VLAN?
> > >
> > >At 09:30 PM 6/3/2002 -0400, you wrote:
> > > >All,
> > > >
> > > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> > > >The two 3640's are doing IBGP between them on each of their eth0's.  I
> > > >have created a vlan on the Extremes called 'unsecure'(there are only 2
> > > >ports on each Extreme in this vlan... one coming in from the 3640 and
> > > >the other going into the firewal

Re: Cisco Remote shell [7:45765]

2002-06-04 Thread Priscilla Oppenheimer

Did you try the enable command to get into privileged mode? Do you have the 
enable password? Being able to enter only show commands is a symptom that 
you are still in user mode.

Priscilla

At 01:31 PM 6/4/02, Michalis Palis wrote:
>Hello all
>
>I am trying to send commands to a Cisco router using
>remote shell from a Unix machine. My problem is that I
>cannot send configuration commands, but only show
>commands. When I send configuration commands, i.e.
>config t, ip finger, I get a reply with permission
>denied.
>
>Does anybody have an idea of the problem?
>
>Thanks
>
>


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45767&t=45765



RE: Security hazard?? [7:45731]

2002-06-04 Thread Rik Guyler

Pete, bear in mind that this document is 2 years old.  The IOS version on
the switch was 11.2.  Anybody care to speculate on how much has changed
since 11.2?  How about the changes in Dot1Q since then?

Nonetheless, I don't get a warm and fuzzy feeling with separating external
and internal traffic with VLANs.  I like physical separation coupled with
firewall protection.  I believe it's not just protecting what has been
hacked already but minimizing what can be hacked in the future.

Rik

-Original Message-
From: Peter van Oene [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]


Interesting indeed.  I hadn't seen that before. This is obviously an 
architecturally flawed implementation.  Ideally, the CAM (MAC) table should 
be fully isolated to prevent unwanted forwarding and ports not considered 
trunks shouldn't accept tagged packets.  I assume folks are working on 
this, but at this time, it would look like securing a topology of this 
nature requires some additional effort.

Thanks for the link

Pete


At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
>if you do not have IP routing on the VLANs you can still hop from one VLAN
>to another. See this article for more info:
>http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
>
>-Original Message-
>From: Peter van Oene [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 04, 2002 8:41 AM
>To: [EMAIL PROTECTED]
>Subject: RE: Security hazard?? [7:45731]
>
>
>Assuming the untrusted VLAN offers no IP connectivity to its control
>engine (ie the routed aspects are not reachable therein) what
>vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
>sure how one gets from untrusted to trusted without traversing the
>Firewall.  The only limitation I see here would be one of either poorly
>implemented VLAN technology on the part of the vendor, or fat fingering on
>the part of the administrator.
>
>Pete
>
>
>
>
>At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> >If I understand what you're describing, it sounds like you've pretty well
> >bypassed the firewall.  As a general comment, it seems pointless to have a
> >firewall if you're not going to utilize it with sound network security
> >design.
> >I think I understand what you're trying to do, but you may want to rethink
> >the reasoning.
> >Your VLANs ( on the same devices ) are a very thin security veil between
> >the trusted and untrusted networks.  Without a net diagram, we can only
> >speculate.  But, I'm guessing that the most secure you can be with this
> >physical config is to pin strong ACLs to the outside interfaces of the 3640
> >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> >unwanted traffic.  What kind of capability do these switches have?  Have you
> >considered the IOS firewall ( CBAC ) for the edge routers?
> >
> >I think a tech support call to your firewall vendor may be an eye-opening
> >experience.  Send them a diagram of what you've got and see if it's a
> >network design scenario that they support.  I assume the 2 3640s are being
> >used redundantly with HSRP?  If so, why not consider a second, redundant
> >firewall and place them both in-line between the edge routers and the
> >internal LANs?
> >
> > HTH,  Bob McIntire
> >
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Craig Columbus
> >Sent: Tuesday, June 04, 2002 9:42 AM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Security hazard?? [7:45731]
> >
> >
> >Do I understand you correctly that your 6808s have both internal (secure)
> >and external (unsecure) traffic on them, separated only by VLAN?
> >
> >At 09:30 PM 6/3/2002 -0400, you wrote:
> > >All,
> > >
> > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> > >The two 3640's are doing IBGP between them on each of their eth0's.  I
> > >have created a vlan on the Extremes called 'unsecure'(there are only 2
> > >ports on each Extreme in this vlan... one coming in from the 3640 and
> > >the other going into the firewall).  I am getting some complaints from
> > >the 'uppers' that bringing the 3640's into the Extreme's is a security
> > >hazard.
> > >
> > >I am sure someone is now working on a way to hack from one vlan to the
> > >next, but for now, I don't see the difference between putting a hub in
> > >there and using a couple of ports on these monster
> > >'almost-never-go-down' switches.  I just don't want another unmanaged
> > >piece of equipment in the flow.
> > >
> > >Has anyone ever heard of this being a leak?  I worked in a datacenter
> > >before and this is what we did with 6509's and we didn't blink!  I know
> > >these are Extreme switches... which is probably taboo in the group, but
> > >I am pretty sure this would be platform independent... right?
> > >
> > >Thanks,
> > >
> > >bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45

RE: Security hazard?? [7:45731]

2002-06-04 Thread Priscilla Oppenheimer

At 02:04 PM 6/4/02, Priscilla Oppenheimer wrote:
>My quick analysis of the VLAN testing published by the SANS Institute:
>
>"In a default configuration it is possible to inject 802.1q frames into
>non-trunk ports on a switch and have these frames delivered to the
>destination."
>As Peter says, a non-trunk port shouldn't accept a tagged frame. Also, it
>appears from the testing that a trunk port accepts a frame with the tag
>already on it. It shouldn't do this? (Is there any case where it would need
>to do this???)

Yes, if the switch had more than one trunk port, a trunk port could receive 
a frame with a tag already inserted. Say a frame comes into Trunk A, 
already tagged. (It came from another switch or a VLAN-aware router). The 
switch looks into its MAC table and determines that the destination port is 
Trunk B. It would just leave the tag as is. I'm going to answer my own 
question! ;-)

Just trying to determine why the trunk port in the testing forwarded a 
frame that already had a tag. (Usually the trunk port adds the tag). More 
input from anyone else?

Priscilla

>These seem like things that Cisco could fix pretty easily.
>
>"It is possible to get 802.1q frames to hop from one VLAN to another if the
>frames are injected into a switch port belonging to the native VLAN of the
>trunk port. It is also necessary for the source and destination Ethernet
>devices to be on different switches." And "The attacker [must have ] access
>to a switch port on the same VLAN as the native VLAN of the trunk port."
>Sounds like another good reason to change the native VLAN from the default
>of 1 and not to use it for ports that attach end nodes.
>
>"Recommendations: Try not to use VLANs as a mechanism for enforcing
>security policy. They are great for segmenting networks, reducing
>broadcasts and collisions and so forth, but not as a security tool."
>
>I think that was already well known. VLANs aren't a very good security
>measure. Comments?
>
>Priscilla
>
>
>At 01:17 PM 6/4/02, Peter van Oene wrote:
> >Interesting indeed.  I hadn't seen that before. This is obviously an
> >architecturally flawed implementation.  Ideally, the CAM (MAC) table
should
> >be fully isolated to prevent unwanted forwarding and ports not considered
> >trunks shouldn't accept tagged packets.  I assume folks are working on
> >this, but at this time, it would look like securing a topology of this
> >nature requires some additional effort.
> >
> >Thanks for the link
> >
> >Pete
> >
> >
> >At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
> > >if you do not have IP routing on the VLANs you can still hop from one VLAN
> > >to another. See this article for more info:
> > >http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> > >
> > >-Original Message-
> > >From: Peter van Oene [mailto:[EMAIL PROTECTED]]
> > >Sent: Tuesday, June 04, 2002 8:41 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: RE: Security hazard?? [7:45731]
> > >
> > >
> > >Assuming the untrusted VLAN offers no IP connectivity to its control
> > >engine (ie the routed aspects are not reachable therein) what
> > >vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
> > >sure how one gets from untrusted to trusted without traversing the
> > >Firewall.  The only limitation I see here would be one of either poorly
> > >implemented VLAN technology on the part of the vendor, or fat fingering on
> > >the part of the administrator.
> > >
> > >Pete
> > >
> > >
> > >
> > >
> > >At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> > > >If I understand what you're describing, it sounds like you've pretty well
> > > >bypassed the firewall.  As a general comment, it seems pointless to have a
> > > >firewall if you're not going to utilize it with sound network security
> > > >design.
> > > >I think I understand what you're trying to do, but you may want to rethink
> > > >the reasoning.
> > > >Your VLANs ( on the same devices ) are a very thin security veil between
> > > >the trusted and untrusted networks.  Without a net diagram, we can only
> > > >speculate.  But, I'm guessing that the most secure you can be with this
> > > >physical config is to pin strong ACLs to the outside interfaces of the 3640
> > > >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> > > >unwanted traffic.  What kind of capability do these switches have?  Have you
> > > >considered the IOS firewall ( CBAC ) for the edge routers?
> > > >
> > > >I think a tech support call to your firewall vendor may be an eye-opening
> > > >experience.  Send them a diagram of what you've got and see if it's a
> > > >network design scenario that they support.  I assume the 2 3640s are being
> > > >used redundantly with HSRP?  If so, why not consider a second, redundant
> > > >firewall and place them both in-line between the edge routers and the
> > > >internal LANs?
> > > >
> > > > HTH,  Bob McIntire
> > > >
> > > >
> > > >-Original Message-
> > > 
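To make the two points this thread keeps returning to concrete (a non-trunk port honouring an 802.1Q tag supplied by the end node, and end-node ports sharing a trunk's native VLAN), here is a small Python model added by the editor. It is not code from the thread or from the SANS paper, and the port names and VLAN numbers in it are constructed. `classify_ingress` applies the ingress rule as a switch would: `strict=False` reproduces the behaviour the SANS test reported, `strict=True` the rule Peter argues for (an access port's VLAN is fixed by configuration, never by the frame), and a tagged frame arriving on a trunk keeps its VID, which is Priscilla's trunk-A-to-trunk-B case. `audit_native_vlan` flags the two configuration conditions her recommendation addresses: trunks still on native VLAN 1 and end-node ports placed in any trunk's native VLAN.

```python
"""Added example (not from the original thread): a model of 802.1Q ingress
handling plus a configuration audit for the two conditions the thread names.
Port names and VLAN numbers are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Port:
    name: str
    mode: str                       # "access" or "trunk"
    vlan: int = 1                   # access VLAN, or the trunk's native VLAN
    allowed: set = field(default_factory=set)  # trunk only; empty means all VLANs


def parse_outer_tag(frame: bytes) -> Optional[int]:
    """Return the VLAN ID in the outermost 802.1Q tag, or None for an untagged frame."""
    if len(frame) < 16:
        raise ValueError("frame too short for an Ethernet header plus tag")
    tpid = int.from_bytes(frame[12:14], "big")
    if tpid != TPID_8021Q:
        return None
    tci = int.from_bytes(frame[14:16], "big")
    return tci & 0x0FFF             # low 12 bits of the TCI carry the VID


def classify_ingress(port: Port, frame: bytes, strict: bool) -> Optional[int]:
    """Assign an ingress frame to a VLAN, or return None to drop it.

    strict=False models what the SANS test reported: a non-trunk port honours
    a tag supplied by the end node.  strict=True models the rule Peter asks
    for: an access port's VLAN comes from configuration, never from the frame.
    """
    vid = parse_outer_tag(frame)
    if port.mode == "access":
        if vid is None:
            return port.vlan
        return None if strict else vid
    # Trunk: untagged frames belong to the native VLAN; tagged frames keep
    # their VID if the trunk allows that VLAN (the trunk-to-trunk case).
    if vid is None:
        return port.vlan
    if port.allowed and vid not in port.allowed:
        return None
    return vid


def audit_native_vlan(ports: List[Port]) -> List[str]:
    """Flag trunks on the default native VLAN and end-node ports inside any native VLAN."""
    natives = {p.vlan for p in ports if p.mode == "trunk"}
    findings = []
    for p in ports:
        if p.mode == "trunk" and p.vlan == 1:
            findings.append(f"{p.name}: trunk still uses default native VLAN 1")
        if p.mode == "access" and p.vlan in natives:
            findings.append(f"{p.name}: end-node port sits in native VLAN {p.vlan}")
    return findings


def build_frame(dst: bytes, src: bytes, vid: Optional[int] = None) -> bytes:
    """Construct a sample frame (constructed test input with a minimal IPv4 payload)."""
    header = dst + src
    if vid is not None:
        header += TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return header + (0x0800).to_bytes(2, "big") + bytes(46)


if __name__ == "__main__":
    tagged = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", vid=20)
    access = Port("Fa0/1", "access", vlan=10)
    print(classify_ingress(access, tagged, strict=False))   # 20: the end node chose the VLAN
    print(classify_ingress(access, tagged, strict=True))    # None: dropped
    print(audit_native_vlan([Port("Gi0/1", "trunk", vlan=1),
                             Port("Fa0/2", "access", vlan=1)]))
```

Run as a script it prints the flawed and strict decisions for the same tagged frame and two audit findings for a switch left on native VLAN 1 with an end-node port in it; with the native VLAN moved to an otherwise unused number and no access port in it, the audit returns an empty list.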

Re: VPN Overhead [7:45719]

2002-06-04 Thread Elijah Savage

The bandwidth of the DSL that the telco generously loaned us for 60 days
was 608 down 128 up. That is another thing: if you have a good working
relationship with your local telco, ask them to get you a circuit for testing
and they will probably do it.
> What is the bandwidth of you DSL?
>
>
>
>
>
>
>
> "Elijah Savage" 
> Sent by: [EMAIL PROTECTED]
> 06/04/2002 11:47 AM
> Please respond to "Elijah Savage"
>
>
>To: [EMAIL PROTECTED]
>cc:
>Subject:Re: VPN Overhead [7:45719]
>
>
> We have 2 3030 concentrators setup in a load balancing fashion and it
> works very well. We have rolled this out to about 3000 users and have
> done all types of testing with different applications and different
> types of access. Over dialup we notice that there is about 12% overhead
> with the cisco vpn client, with broadband it makes less of an impact.
> We noticed on broadband that it was about 7% on dsl and about 5% on
> cable access. Hope that helps out.
>> We are currently using a VPN provider to get into the network but want
>> to take more control and bring it in house. I did some testing though
>> and found that the VPN was adding about 27% overhead compared to
>> bypassing VPN and going direct to a server.
>>
>> I'm wondering if others have done testing and what were your results.
>> We are currently using V-One but I will be looking at Cisco's
>> solution.
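The percentages Elijah reports are throughput measurements; the per-packet arithmetic behind them is easy to reproduce. The following Python is added here and is not from the thread. It assumes an ESP tunnel with 3DES-CBC and a 96-bit HMAC (the usual remote-access profile of the period, an assumption rather than a value stated in the thread) and shows why small packets, as on a dial-up link with a small MTU, carry a much larger proportional overhead than full-size ones.

```python
"""Added example (not from the original thread): per-packet overhead of an
ESP tunnel.  Cipher and integrity sizes are assumptions (3DES-CBC, 96-bit
HMAC), not values taken from the thread."""
from typing import Dict

OUTER_IPV4_HEADER = 20   # new outer IP header added by tunnel mode
ESP_HEADER = 8           # SPI (4) + sequence number (4)
ESP_IV_3DES = 8          # CBC initialisation vector, one cipher block
ESP_TRAILER = 2          # pad length (1) + next header (1)
ESP_ICV_96 = 12          # truncated HMAC-MD5-96 / HMAC-SHA1-96
UDP_NAT_T = 8            # UDP header when NAT traversal encapsulation is on
CIPHER_BLOCK = 8         # 3DES block size; padding aligns the encrypted part


def esp_padding(inner_len: int) -> int:
    """Pad bytes needed so payload + trailer fills whole cipher blocks."""
    return (CIPHER_BLOCK - (inner_len + ESP_TRAILER) % CIPHER_BLOCK) % CIPHER_BLOCK


def esp_tunnel_overhead(inner_len: int, nat_t: bool = False) -> int:
    """Bytes ESP tunnel mode adds to an inner IP packet of inner_len bytes."""
    total = (OUTER_IPV4_HEADER + ESP_HEADER + ESP_IV_3DES
             + esp_padding(inner_len) + ESP_TRAILER + ESP_ICV_96)
    return total + UDP_NAT_T if nat_t else total


def overhead_fraction(inner_len: int, nat_t: bool = False) -> float:
    """Share of on-the-wire bytes that is overhead for one packet."""
    over = esp_tunnel_overhead(inner_len, nat_t)
    return over / (inner_len + over)


def profile_overhead(mix: Dict[int, float], nat_t: bool = False) -> float:
    """Weighted overhead for a traffic mix given as {inner_len: share of packets}."""
    payload = sum(length * share for length, share in mix.items())
    over = sum(esp_tunnel_overhead(length, nat_t) * share
               for length, share in mix.items())
    return over / (payload + over)


if __name__ == "__main__":
    for size in (40, 576, 1500):
        print(f"inner {size:4d} B -> +{esp_tunnel_overhead(size)} B, "
              f"{overhead_fraction(size):.1%} overhead")
```

A full 1500-byte inner packet picks up 52 bytes (about 3.4%), while a 576-byte packet, a common dial-up MTU, picks up 56 bytes (about 8.9%) and a bare TCP acknowledgement is more than half overhead. Note also that 1500 + 52 exceeds a 1500-byte path MTU, so either the client lowers its MTU or the outer packet fragments and pays for another outer IP header; a traffic mix with many small packets is what pushes measured figures toward the dial-up end of Elijah's range.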




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45750&t=45719



RE: Security hazard?? [7:45731]

2002-06-04 Thread Eric Rivard

VLANs. Here is a good link to read about them:
http://www.cisco.com/warp/public/473/90.shtml . According to Cisco Private
VLANs can only communicate with the router. As we know, VLANs work like a
logical bridge. Hosts on any VLAN can communicate with other hosts on the
same VLAN (a broadcast segment). The idea behind Private VLANs is to turn
this broadcast segment in to non-broadcast segments within the same VLAN
thus requiring a host to go through the router to communicate with another
host on the same segment, thus allowing you to control hosts on a common
segment.

I have not had any experience with PVLANs so I cannot comment on how secure
they are, nor have a really researched them. Has anyone had experience
implementing PVLANs?

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]


My quick analysis of the VLAN testing published by the SANS Institute:

"In a default configuration it is possible to inject 802.1q frames into 
non-trunk ports on a switch and have these frames delivered to the 
destination."
As Peter says, a non-trunk port shouldn't accept a tagged frame. Also, it 
appears from the testing that a trunk port accepts a frame with the tag 
already on it. It shouldn't do this? (Is there any case where it would need 
to do this???) These seem like things that Cisco could fix pretty easily.

"It is possible to get 802.1q frames to hop from one VLAN to another if the 
frames are injected into a switch port belonging to the native VLAN of the 
trunk port. It is also necessary for the source and destination Ethernet 
devices to be on different switches." And "The attacker [must have ] access 
to a switch port on the same VLAN as the native VLAN of the trunk port."
Sounds like another good reason to change the native VLAN from the default 
of 1 and not to use it for ports that attach end nodes.

"Recommendations: Try not to use VLANs as a mechanism for enforcing 
security policy. They are great for segmenting networks, reducing 
broadcasts and collisions and so forth, but not as a security tool."

I think that was already well known. VLANs aren't a very good security 
measure. Comments?

Priscilla


At 01:17 PM 6/4/02, Peter van Oene wrote:
>Interesting indeed.  I hadn't seen that before. This is obviously an
>architecturally flawed implementation.  Ideally, the CAM (MAC) table should
>be fully isolated to prevent unwanted forwarding and ports not considered
>trunks shouldn't accept tagged packets.  I assume folks are working on
>this, but at this time, it would look like securing a topology of this
>nature requires some additional effort.
>
>Thanks for the link
>
>Pete
>
>
>At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
> >if you do not have IP routing on the VLANs you can still hop from one VLAN
> >to another. See this article for more info:
> >http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> >
> >-Original Message-
> >From: Peter van Oene [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, June 04, 2002 8:41 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Security hazard?? [7:45731]
> >
> >
> >Assuming the untrusted VLAN offers no IP connectivity to its control
> >engine (ie the routed aspects are not reachable therein) what
> >vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
> >sure how one gets from untrusted to trusted without traversing the
> >Firewall.  The only limitation I see here would be one of either poorly
> >implemented VLAN technology on the part of the vendor, or fat fingering on
> >the part of the administrator.
> >
> >Pete
> >
> >
> >
> >
> >At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> > >If I understand what you're describing, it sounds like you've pretty well
> > >bypassed the firewall.  As a general comment, it seems pointless to have a
> > >firewall if you're not going to utilize it with sound network security
> > >design.
> > >I think I understand what you're trying to do, but you may want to rethink
> > >the reasoning.
> > >Your VLANs ( on the same devices ) are a very thin security veil between
> > >the trusted and untrusted networks.  Without a net diagram, we can only
> > >speculate.  But, I'm guessing that the most secure you can be with this
> > >physical config is to pin strong ACLs to the outside interfaces of the 3640
> > >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> > >unwanted traffic.  What kind of capability do these switches have?  Have you
> > >considered the IOS firewall ( CBAC ) for the edge routers?
> > >
> > >I think a tech support call to your firewall vendor may be an eye-opening
> > >experience.  Send them a diagram of what you've got and see if it's a
> > >network design scenario that they support.  I assume the 2 3640s are being
> > >used redundantly with HSRP?  If so, why not consider a second, redundant
> > >firewall and place them both in-lin

RE: Security hazard?? [7:45731]

2002-06-04 Thread Priscilla Oppenheimer

Also, doesn't the SANS Institute publish the papers that their 
certification candidates write? In other words, this may not have been 
written by a security guru. It may have been written by someone trying to 
pass the certification hurdles, one of which is the requirement to write a 
white paper. On the other hand, the testing seems quite valid (if old) and 
the paper is well written with good implications and recommendations (if a 
bit obvious). SANS is very strict, from what I hear.

Priscilla

At 02:39 PM 6/4/02, Rik Guyler wrote:
>Pete, bear in mind that this document is 2 years old.  The IOS version on
>the switch was 11.2.  Anybody care to speculate on how much has changed
>since 11.2?  How about the changes in Dot1Q since then?
>
>Nonetheless, I don't get a warm and fuzzy feeling with separating external
>and internal traffic with VLANs.  I like physical separation coupled with
>firewall protection.  I believe it's not just protecting what has been
>hacked already but minimizing what can be hacked in the future.
>
>Rik
>
>-Original Message-
>From: Peter van Oene [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 04, 2002 1:18 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Security hazard?? [7:45731]
>
>
>Interesting indeed.  I hadn't seen that before. This is obviously an
>architecturally flawed implementation.  Ideally, the CAM (MAC) table should
>be fully isolated to prevent unwanted forwarding and ports not considered
>trunks shouldn't accept tagged packets.  I assume folks are working on
>this, but at this time, it would look like securing a topology of this
>nature requires some additional effort.
>
>Thanks for the link
>
>Pete
>
>
>At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
> >if you do not have IP routing on the VLANs you can still hop from one VLAN
> >to another. See this article for more info:
> >http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> >
> >-Original Message-
> >From: Peter van Oene [mailto:[EMAIL PROTECTED]]
> >Sent: Tuesday, June 04, 2002 8:41 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Security hazard?? [7:45731]
> >
> >
> >Assuming the untrusted VLAN offers no IP connectivity to its control
> >engine (ie the routed aspects are not reachable therein) what
> >vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
> >sure how one gets from untrusted to trusted without traversing the
> >Firewall.  The only limitation I see here would be one of either poorly
> >implemented VLAN technology on the part of the vendor, or fat fingering on
> >the part of the administrator.
> >
> >Pete
> >
> >
> >
> >
> >At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
> > >If I understand what you're describing, it sounds like you've pretty well
> > >bypassed the firewall.  As a general comment, it seems pointless to have a
> > >firewall if you're not going to utilize it with sound network security
> > >design.
> > >I think I understand what you're trying to do, but you may want to rethink
> > >the reasoning.
> > >Your VLANs ( on the same devices ) are a very thin security veil between
> > >the trusted and untrusted networks.  Without a net diagram, we can only
> > >speculate.  But, I'm guessing that the most secure you can be with this
> > >physical config is to pin strong ACLs to the outside interfaces of the 3640
> > >access routers.  You could also pin ACLs to the VLAN interfaces to filter
> > >unwanted traffic.  What kind of capability do these switches have?  Have you
> > >considered the IOS firewall ( CBAC ) for the edge routers?
> > >
> > >I think a tech support call to your firewall vendor may be an eye-opening
> > >experience.  Send them a diagram of what you've got and see if it's a
> > >network design scenario that they support.  I assume the 2 3640s are being
> > >used redundantly with HSRP?  If so, why not consider a second, redundant
> > >firewall and place them both in-line between the edge routers and the
> > >internal LANs?
> > >
> > > HTH,  Bob McIntire
> > >
> > >
> > >-Original Message-
> > >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > >Craig Columbus
> > >Sent: Tuesday, June 04, 2002 9:42 AM
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Security hazard?? [7:45731]
> > >
> > >
> > >Do I understand you correctly that your 6808s have both internal (secure)
> > >and external (unsecure) traffic on them, separated only by VLAN?
> > >
> > >At 09:30 PM 6/3/2002 -0400, you wrote:
> > > >All,
> > > >
> > > >We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
> > > >The two 3640's are doing IBGP between them on each of their eth0's.  I
> > > >have created a vlan on the Extremes called 'unsecure'(there are only 2
> > > >ports on each Extreme in this vlan... one coming in from the 3640 and
> > > >the other going into the firewall).  I am getting some complaints from
> > > >the 'uppers' that bringing the 3640's into the Extreme's is a security
> > > >hazard.
> > > >
> > > >I am s

Building Service Provider Networks.. [7:45772]

2002-06-04 Thread Nigel Taylor

All,
I just received my copy of Howard's latest book and I'm excited to get
started reading this title.  However, I'm in the midst of finishing reading
his previous book, WAN Survival Guide.  Interestingly enough, this book's
Introduction states,
"This book focuses on the service provider network, and ideally will be read
in concert with the more customer-oriented WAN Survival Guide."

I'm truly looking forward to reading this book as all of us here on the list
know of Howard's inapt sense of humor and diverse experience in this field,
among others.

In browsing the book, I noticed Geoff Huston has a book titled ISP Survival
Guide: "Strategies for running a Competitive ISP" and was wondering if anyone
had the opportunity to read it and cares to comment.

That's all folks...

Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45772&t=45772



Re: access-list question? [7:45585]

2002-06-04 Thread Gaz

It's very possible after a few beers that I'm not thinking straight, so I
won't linger on the point, but what is that wild card mask doing?

0.0.6.255

0110 

Won't this work for all the odd subnets within the specified range
(192.168.1.0, 192.168.3.0 ... 192.168.7.0)?

If it's still allowed...Are non contiguous wild card masks still allowed?
Dunno.. I seem to remember hearing they weren't any more.

Gaz

""Adams Josh""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> If you are trying to limit access on connections to the vty lines then you
> should use a standard access list.
> Your config will look like the following:
>
> access-list 1 permit 192.168.1.0 0.0.6.255
> line vty 0 4
> transport input telnet
> access-class 1 in
>
>
> If you are trying to limit access for telnet sessions originating from your
> router connecting to other devices; then your config will look like this:
>
> access-list 1 permit 192.168.1.0 0.0.6.255
> access-list 1 permit 192.168.1.0 0.0.6.255
> line vty 0 4
> transport input telnet
> transport output telnet
> access-class 1 out
>
> The reasoning here is that you don't need to go so far as to specify the
> transport protocol with an extended ACL when you can simply disable all
> other transport types on your VTYs and have fewer ACL headaches.
>
> You can combine these techniques to limit telnet sessions both inbound and
> outbound, but be careful not to "lock your keys in the car"!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45773&t=45585



Cisco Secure VPN version??? [7:45774]

2002-06-04 Thread Shoaib Waqar

Hi guys,

Can anybody tell me which version of the Cisco Secure
VPN client (version 1.0/1.1 OR 3.0/3.51) comes in the MCNS
exam? I have read the MCNS Cisco Press book but I
could not find enough material. Later, I was just
looking at the Course Outline and found the objectives:

Configuring the Cisco Secure VPN Client
---
1. Install the Cisco secure VPN client
2. Configure the Cisco secure VPN client
3. Operate the Cisco secure VPN client in a VPN
Session
4. Request and import CA Certificates

Any sort of help will be highly appreciated. Can
anybody tell me which topic to focus on and how
deep we should go into it??

Thanks
Shoaib






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45774&t=45774



Revised: Another BGP attribute question [7:45775]

2002-06-04 Thread Nigel Taylor

After posting to this thread, I realized that no one responded to my post,
so I decided to figure out why?  As it
would seem I was lost in my understanding of RIPE-181, now RPSL and boy do I
feel "stupid".  After spending
some time reading over RIPE-181, RFC2622, and RFC2650,  I do now have a much
better understanding
of IRR's, their functionality and the continual effort to maintain the
most accurate records possible.

In my zeal to understand the various objects that make up the IRR database,
I foolishly used my understanding
of various terms to provide clarity.  Terms like communities, ASXX, etc.
In realizing that these terms are not in
any way associated to what I related them to be, with respects to terms of
BGP attributes or values.

In obtaining a much better understanding of the IRR and routing policy, I do
now see the emphasis placed on
determining the routing policy before trying to configure or implement the
peering relationships.

Well, this was another great learning experience.  If this is where
stupidity takes me, I look forward to my next
encounter with stupidity.

Nigel
Still so much to learn...



- Original Message -
From: "Nigel Taylor" 
To: 
Sent: Sunday, June 02, 2002 4:24 PM
Subject: Re: Another BGP attribute question [7:45619]


> See Inline...
>
>  - Original Message -
> From: "Howard C. Berkowitz"
> To:
> Sent: Sunday, June 02, 2002 11:17 AM
> Subject: Re: Another BGP attribute question [7:45619]
>
>
> > At 7:00 AM -0400 6/2/02, Nigel Taylor wrote:
> > >All,
> > >   I was reading the old RIPE(22nd meeting minutes) and was
> wondering,
> > >what
> > >ever became of the BGP
> > >proposal from Tony Bates and Enke Chen for the use of the Destination
> > >Preference Attribute (DPA) for multi-homed sites.
> >
> > DPA keeps coming up, at least for end-to-end route selection. Its
> > basic problem is that only ISPs with whom you have an economic
> > relationship have any motivation to respect it.  Geoff Huston's
> > NOPEER is a simpler way to accomplish the same thing (probably
> > coupled with class of service request communities).
>
> Howard, thanks a lot for the info/insight of DPA and specifically pointing
> me to the "NOPEER"
> attribute draft.   I was able to briefly read over the draft and I must
say
> this does seem
> like a solution to the present problem.  However, I was also doing some
> reading of the
> APNIC's
(http://www.apnic.net/meetings/13/sigs/docs/irr-presentation.ppt)13
> minutes
> and it's noted some of the present problems with the IRRs. The one that
> seems to apply
> here would be the statement that, "About 50% of full routes are not
> registered to public
> IRRs.
>
> I have a question?  Do you see the "NOPEER" as having a directory class in
> the RPSL
> and if so in doing some recent reading of RPSL, and RPSLng, the
enhancements
> RPSL on the
> same site wouldn't the "NOPEER" attribute be limited to representing what
is
> known in
> the IRRs. With this being the case how effective can the attribute be,
when
> representing
> at best 50% of the global BGP FIB.
>
> Of course then there is the ever present security issues which seems to
> being getting some
> attention through the RPSS(rfc2725).
>
> >
> > >Based on our previous thread with the known and unknown implications of
> > >"inconsistent routes", I would think
> > >this could've been a step in the right direction.
> > >
> > >I did find a link where Enke Chen notes the use of the "LOCAL_PREF"
> > attribute
> > >by many providers, since the
> > >lack of the DPA and rfc1998 also notes how the use of "communities" aid
> in
> > >this process.
> >
> > You can really solve LOTS of operational issues with creative use of
> > communities.  While RFC2547 was one driver for creating an extended
> > community attribute, there are various ideas floating around for
> > other applications thereof.
>
> Do you care to mention some of the other ideas..floating around?
>
> >
> > >
> > >Anyone has any thoughts or suggestions on this as it applies to the use
> of
> > >DPA
> > >and where things stand on
> > >global/ISP-based implementation of this attribute?
> >
> >
> > As far as I know, it's never been implemented in operations.  I'm
> > reasonably certain that some versions of Bay RS could generate it,
> > but I don't know of anyone that listens for it.
>
> I remembered in reading Sam Halabi's book - Internet Routing architectures
> (Pg. 118, 1st ed)
> he noted cisco's lack of support for attributes 11(DPA). However, it is
> noted as being MCI defined.
> As you pointed out I've yet to come across anything that suggests anyone is
> making use of the DPA
> attribute.
>
> >
> > --
> > "What Problem are you trying to solve?"
> > ***send Cisco questions to the list, so all can benefit -- not
> > directly to me***
> >
>

> 
> > Howard C. Berkowitz  [EMAIL PROTECTED]
> > Chief Technology Officer, GettLab/Gett Commu

RE: Security hazard?? [7:45731]

2002-06-04 Thread Ben Woltz

I've seen some of Cisco's private VLAN setup.  The way I've seen it
implemented is on a DMZ switch.  Say you have 3 servers on your DMZ, web,
mail, and ftp.  If each of those servers is plugged into a different port on
the same switch and on the same network, you can configure each of them to
be on a private vlan.  Reason being if somebody compromises or hacks into
your web server, they will not be able to get access to the other two
servers.  Because to get there, they'd have to go through the firewall
first.  If the servers were not on a private vlan, the attacker could access
the other 2 servers via the switch.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45776&t=45731



640-605 BCRAN Beta PASSED!! [7:45777]

2002-06-04 Thread Creighton Bill-BCREIGH1

I'd like to thank EVERYONE in this group. Very difficult exam, but I somehow
feel prouder having passed this monster instead of the current 640-505. The
scenarios and ideas presented here are better than anything seen in a lab
and more diverse than anything seen in my workplace.
 
I was wondering if anyone could tell me if this will count toward the
existing CCNP track if my other exams are the current standard (640-50x) in
which case I'M DONE!!!
 
Finally, if I am in fact done, can anyone tell me if it's more advantageous
to go after CCDA/P or just chase the CCIE written (before the new version of
that exam is introduced).
 
Bill Creighton
Senior System Engineer CCNP(?)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45777&t=45777



SRB and NetBEUI/SMB traffic [7:45778]

2002-06-04 Thread Nelson Herron

I have an Olicom switch configured with two rings under separate TrBRFs with
Win2k clients running NetBEUI attached to each ring.  I have tried a couple
of different methods of bridging starting with a simple SRB and then a
multi-port SRB.  I have "source 6 1 4094" and "source spanning" on one To
interface and "source 8 1 4094" and "source spanning" on the other in the
current configuration (I also threw in a "multiring all" to satisfy my
superstitious nature).  I can capture packets going through the bridge, but
I can't browse the network.  There is an SMB dialect negotiation packet
coming from the client (in the NetMon capture) but it never gets to the
target.  I see no evidence that the router is dropping it, it has
correctly-formed addresses and RIF, it carries a vanilla list of LanMan
dialects.  The only hint of trouble that I can see is that the N(R) and N(S)
values both show 0x01 in the packet description part of the MS NetMon but the
hex printout shows a 0x02 for each byte.  Is this a problem?  Or have I
forgotten something really fundamental (I'm a newbie to IBM, but even so I
did feel like a right idiot when I finally remembered the "source spanning").


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45778&t=45778



RE: 640-605 BCRAN Beta PASSED!! [7:45777]

2002-06-04 Thread Frank Merrill

>  
> I was wondering if anyone could tell me if this will count
> toward the
> existing CCNP track if my other exams are the current standard
> (640-50x) in
> which case I'M DONE!!!

Betas do indeed count, and if so, then you should be able to log into the
tracking system and see that you are indeed done.
Congratulations!

> Finally, if I am in fact done, can anyone tell me if it's more
> advantageous
> to go after CCDA/P or just chase the CCIE written (before the
> new version of
> that exam is introduced).

Advantage can be a relative thing, and it's something that you should
probably determine on your own in respect to what you want to do with your
career.

I think following any training/certification track, if done with the intent
of increasing ones knowledge, is a beneficial thing if you truly increase
your knowledge level.
Don't do it for the paper, do it for the knowledge you'll have and the
abilities you'll obtain from learning.

Good Luck!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45779&t=45777



Searching for CCIE Lab scenarios [7:45754]

2002-06-04 Thread Ronald Dommelen

Hi all,

Probably a frequently asked question but I'm asking it again:

I'm looking for CCIE lab scenarios. I already have some books covering all
the topics and issues but now I'm looking for Lab scenarios.

Can somebody also perhaps tell me if the document from CCBOOTCAMP is a good
document ($150,-)?


Best regards Ronald

The Netherlands


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45754&t=45754



RE: 640-605 BCRAN Beta PASSED!! [7:45777]

2002-06-04 Thread Creighton Bill-BCREIGH1

>I think following any training/certification track, if done with the intent
of increasing ones knowledge, is a beneficial >thing if you truly increase
your knowledge level. Don't do it for the paper, do it for the knowledge
you'll have and the >>abilities you'll obtain from learning.

Just wanted to say I am NOT a paper-chaser, I was just hoping that maybe
someone with a CCDP and/or a CCIE written could tell me if the design
training helped in the CCIE or if maybe more advanced routing and switching
training for the CCIE is in order - THAT is my ultimate goal - R&S CCIE (not
for the paper but the opportunities that it will afford me).

Thanks,
Bill





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45780&t=45777



BETA exam results [7:45781]

2002-06-04 Thread Jason Viera

I received the results for the BCRAN beta exam, but haven't received a score
report or seen results on the web for the Support beta I had taken. Has
anyone else received their results for the Support beta? Any ideas?
Cisco tells me to call Prometric and Prometric tells me to call Cisco.
Any help would be greatly appreciated!
Jason




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45781&t=45781



Re: Building Service Provider Networks.. [7:45772]

2002-06-04 Thread Howard C. Berkowitz

>All,
>I just received my copy of Howard's latest book and I'm excited to get
>started
>reading this title.  However, I'm in the midst of finishing reading his
>previous book, WAN Survival Guide.  Interesting enough this book's
>Introduction states,
>"This book focuses on the service provider network, and ideally will be read
>in concern with the more customer-oriented. WAN Survival Guide.
>
>I'm truly looking forward to reading this book as all of us here on the list
>knows of Howard's inapt sense of humor and diverse experience in this field,
>among others.
>
>In browsing the book, I noticed Geoff Huston has a book titled ISP Survival
>Guide: "Strategies for running a Competitive ISP" and was wondering if
anyone
>had the opportunity to read it and cares to comment.

Thanks for the kind thoughts, Nigel. I'm not sure I know what an 
inapt sense of humor is, but I'm weird enough to believe I could have 
one! :-)

Geoff and I write for the same series, so I think it's fair to say we 
are carefully watched to be sure we don't duplicate!  The book you 
mention is, I think, the best one on the business aspects of running 
an ISP, including pricing, market niches, etc.  It does go into some 
of the technical aspects, especially business-related things like 
access and authentication.

Geoff also has a book on quality of service in IP, which is an 
updated version of the one he coauthored with Paul Ferguson.

I have long held that Australians like Geoff are especially well 
equipped to deal with multivendor, multiprotocol networks. Anyone who 
grows up thinking that the collection of biological spare parts 
called a platypus is normal won't be frightened by CCIE lab scenarios 
or truly amazingly bad legacy networks.

I'll pass on one erratum I've caught.  On the dedication page, I do 
indeed dedicate to my departed colleague Abha Ahuja and my friend 
Lynn Acquaviva.  Contrary to the way it reads, everyone else on the 
dedication page is quite alive!

Howard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45782&t=45772



Re: Building Service Provider Networks.. [7:45772]

2002-06-04 Thread Priscilla Oppenheimer

I read most of "ISP Survival Guide" by Geoff Huston. It's good, but I would 
imagine at a higher level than Howard's book. Higher-level as in the 
1000-ft view rather than the down-in-the trenches view. Huston's book is 
highly technical, don't get me wrong, but I think it's more for the 
technical manager type. Howard's book is probably for the engineers that 
actually do the design and implementation. I'm sure he covers some business 
issues too, (since you have to understand these to run an ISP), but I would 
imagine there's more technical depth. (I haven't seen Howard's book yet 
though.)

Priscilla

P.S. I disagree that Howard's sense of humor is inapt! ;-)




Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45784&t=45772



trying to test ISDN [7:45786]

2002-06-04 Thread Lee James

I'm trying to get ISDN backup to work, but as I am debugging dialer packets,
I am seeing this.

BRI0: Dialing cause ip (s=10.3.101.13, d=224.0.0.10)
BRI0: Already 255 call(s) in progress on BRI0, dialing not
allowed 

I have never seen this msg before. Anyone know what this means? Is there a
loop somewhere?

Thanks In Advance
James   


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45786&t=45786



Re: Revised: Another BGP attribute question [7:45775]

2002-06-04 Thread Howard C. Berkowitz

"Nigel Taylor"  wrote,

>After posting to this thread, I realized that no one responded to my post,
>so I decided to figure out why?  As it
>would seem I was lost in my understanding of RIPE-181, now RPSL and boy do I
>feel "stupid".  After spending
>some time reading over RIPE-181, RFC2622, and RFC2650,  I do now have a much
>better understanding
>of IRR's, their functionality and the continually effort to maintain the
>most accurate records possible.

Also remember that while the public IRRs often have incomplete 
information due to commercial confidentiality, large ISPs often have 
additional information in their own IRR mirror/extended server. irrd 
is freeware.

>
>In my zeal to understand the various objects that make up the IRR database,
>I foolishly used my understanding
>of various terms to provide clarity.  Terms like communities, ASXX, etc..
>In realizing that these terms are not in
>any way associated to what I related them to be, with respects to terms of
>BGP attributes or values.

Don't feel bad -- I went through exactly the same sort of doubletake.

>
>In obtaining a much better understanding of the IRR and routing policy, I do
>now see the emphasis placed on
>determining the routing policy before trying to configure or implement the
>peering relationships.
>
>Well, this was another great learning experience.  If this is where
>stupidity takes me, I look forward to my next
>encounter with stupidity.
>
>Nigel
>Still so much to learn...
>

Re: SRB and NetBEUI/SMB traffic [7:45778]

2002-06-04 Thread Priscilla Oppenheimer

At 07:06 PM 6/4/02, Nelson Herron wrote:
>I have an Olicom switch configured with two rings

OK, got that.

>under separate TrBRFs with
>Win2k clients running NetBEUI attached to each ring.  I have tried a couple
>of different methods of bridging starting with a simple SRB and then a
>multi-port SRB.  I have "source 6 1 4094" and "source spanning" on one To
>interface and "source 8 1 4094" and "source spanning" on the other in the
>current configuration

So you have a router in addition to the Olicom switch? (A router doing 
bridging?) What are the ring numbers? Have you made sure that for the ring 
between the switch and router that the switch and router agree on the ring 
number?

Where are the clients? Where are the servers?

We need a picture or more precise textual description of the topology...

You probably don't need source spanning? I bet basic SRB would work. 
Definitely start with the simplest first. Don't do spanning or multi-port 
bridging until you get basic SRB working.

Let's say that your network around the router/bridge looks like this:

ring 6--To0 Router/Bridge To1--ring 8

The config should be really simple, unless I'm missing something. Let's 
call the Router/Bridge Bridge #1 (assuming you aren't already using that 
for the Olicom switch.)

int to0
source-bridge 6 1 8
int to0
source-bridge 8 1 6

>(I also threw in a "multiring all" to satisfy my
>superstitious nature).  I can capture packets going through the bridge, but
>I can't browse the network.  There is an SMB dialect negotiation packet
>coming from the client (in the NetMon capture) but it never gets to the
>target.  I see no evidence that the router is dropping it, it has
>correctly-formed addresses and RIF, it carries a vanilla list of LanMan
>dialects.  The only hint of trouble that I can see is that the N(R) and N(S)
>values both show 0x01 in the packet description part of the MS NetMon but the
>hex printout shows a 0x02 for each byte.  Is this a problem?

That's probably not a problem. The NR and NS numbers are actually only 
seven bits. So maybe the decoding is getting confused by that.

On the other hand, you should see the send sequence number (NS) keep 
progressing one by one from each side. You should also see the NR 
progressing one by one from each side. LLC2 uses a forward acknowledgement, 
like TCP does. So the NR should state the next expected sequence. For 
example an NR of 1 means I got 0 and I'm expecting 1 next.

>  Or have I
>forgotten something really fundamental (I'm a newbie to IBM, but even so I
>did feel like a right idiot when I finally remembered the "source
spanning").

It may be me that's forgetting something fundamental. ;-) Like, I said 
before, though, I bet you don't need the spanning tree. (Does the Olicom 
expect it? Do you actually have any redundant links that would cause loops 
if not pruned into a tree?)

Priscilla


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45788&t=45778
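An added decoder, not code from the original posts, for the N(R)/N(S) question above: it decodes an LLC2 (802.2 type 2, modulo-128) control field and audits a captured exchange for the one-by-one progression Priscilla describes. The 0x02/0x02 bytes from the NetMon hex dump decode to N(S)=1, N(R)=1, because both counters sit in bits 1 to 7 of their byte; the constructed sample exchange and the strict per-frame ack check are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Supervisory function codes and unnumbered control values per IEEE 802.2
# (U-frame values listed with the P/F bit, bit 4, cleared).
S_NAMES = {0: "RR", 1: "RNR", 2: "REJ"}
U_NAMES = {0x03: "UI", 0x0F: "DM", 0x43: "DISC", 0x63: "UA",
           0x6F: "SABME", 0x87: "FRMR", 0xAF: "XID", 0xE3: "TEST"}


@dataclass
class LlcControl:
    kind: str            # "I", "S" or "U"
    name: str
    ns: Optional[int]    # send sequence number, I-frames only
    nr: Optional[int]    # receive sequence number (next expected), I- and S-frames
    pf: int              # poll/final bit


def decode_control(ctrl: bytes) -> LlcControl:
    """Decode a modulo-128 LLC2 control field.

    I-frame: byte0 bit0 = 0, N(S) in bits 1-7; byte1 bit0 = P/F, N(R) in bits 1-7
    S-frame: byte0 bits0-1 = 01, SS in bits 2-3; byte1 as for an I-frame
    U-frame: byte0 bits0-1 = 11, one byte only, P/F in bit 4
    """
    b0 = ctrl[0]
    if b0 & 0x01 == 0:
        b1 = ctrl[1]
        return LlcControl("I", "I", b0 >> 1, b1 >> 1, b1 & 1)
    if b0 & 0x03 == 0x01:
        b1 = ctrl[1]
        ss = (b0 >> 2) & 0x03
        return LlcControl("S", S_NAMES.get(ss, f"S{ss}"), None, b1 >> 1, b1 & 1)
    return LlcControl("U", U_NAMES.get(b0 & 0xEF, f"U{b0:02x}"), None, None, (b0 >> 4) & 1)


def audit_exchange(frames: List[Tuple[str, bytes]]) -> List[str]:
    """Check a two-party capture (sender label, control bytes) in capture order.

    Flags an N(S) that does not follow its sender's previous N(S) by one, and an
    N(R) that is not one past the peer's latest N(S). The second check is strict:
    a delayed but still valid acknowledgement would also be reported.
    """
    next_ns = {}        # per sender: N(S) expected on its next I-frame
    last_ns = {}        # per sender: N(S) of its most recent I-frame
    problems = []
    for i, (who, raw) in enumerate(frames):
        c = decode_control(raw)
        if c.kind == "I":
            expected = next_ns.get(who, 0)
            if c.ns != expected:
                problems.append(f"frame {i} {who}: N(S)={c.ns}, expected {expected}")
            next_ns[who] = (c.ns + 1) % 128
            last_ns[who] = c.ns
        if c.nr is not None:
            peers = [p for p in last_ns if p != who]
            if peers:
                expected_nr = (last_ns[peers[0]] + 1) % 128
                if c.nr != expected_nr:
                    problems.append(f"frame {i} {who}: N(R)={c.nr}, expected {expected_nr}")
    return problems


# Constructed sample exchange; the last frame carries the 0x02 0x02 control
# bytes quoted from the NetMon dump in the post above.
SAMPLE_EXCHANGE = [
    ("client", bytes([0x00, 0x00])),   # I  N(S)=0 N(R)=0
    ("server", bytes([0x01, 0x02])),   # RR N(R)=1 (acks the client's frame 0)
    ("server", bytes([0x00, 0x02])),   # I  N(S)=0 N(R)=1
    ("client", bytes([0x02, 0x02])),   # I  N(S)=1 N(R)=1
]

if __name__ == "__main__":
    for who, raw in SAMPLE_EXCHANGE:
        print(who, raw.hex(), decode_control(raw))
    print("anomalies:", audit_exchange(SAMPLE_EXCHANGE))
```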



Re: Cisco Secure VPN version??? [7:45774]

2002-06-04 Thread fahim

Hi
It should be 1.0/1.1

fahim
""Shoaib Waqar""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hi guys,
>
> Can anybody tell me that which version of Cisco Secure
> VPN client (version 1.0/1.1 OR 3.0/3.51) comes in MCNS
> exam. I have read the MCNS Cisco press book but i
> could not find enough material. Later, I was just
> seeing the Course Outline and found the objectives:
>
> Confguring the Cisco secure VPN Client
> ---
> 1. Install the Cisco secure VPN client
> 2. Configure the Cisco secure VPN client
> 3. Operate the Cisco secure VPN client in a VPN
> Session
> 4. Request and import CA Certificates
>
> Any sort of help will be highly appreciated. Can
> anybody tell me which topic to focus on and how much
> deep we should go in it??
>
> Thanks
> Shoaib
>
>
> __
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45789&t=45774



RE: trying to test ISDN [7:45786]

2002-06-04 Thread Frank Merrill

> 
> BRI0: Dialing cause ip (s=10.3.101.13, d=224.0.0.10)
> BRI0: Already 255 call(s) in progress on BRI0, dialing not
> allowed 
> 
> I have never seen this msg before. Anyone know what this means?
> Is there a loop somewhere?

I would guess that you have EIGRP running seeing as that is the multicast
address for EIGRP (or is that IGRP??!!)

The number of calls IN PROGRESS for the interface is set to a maximum of
255, and hence you've reached that number.
You need to filter or do the appropriate control to stop EIGRP from bringing
up that dialer interface!
You might want to start here:
http://www.cisco.com/warp/public/471/

Good Luck!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45790&t=45786



Re: SRB and NetBEUI/SMB traffic [7:45778]

2002-06-04 Thread Priscilla Oppenheimer

Should have said:

int to0
source-bridge 6 1 8
int to1
source-bridge 8 1 6

(In the previous version I forgot to change one of them to to1! ;-)

Priscilla



Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45791&t=45778



GBIC to 100mb FX [7:45792]

2002-06-04 Thread Will K.

Does anyone know of a converter or transceiver that would allow me to
connect a SH GBIC to a 100mb FX port?

Will




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45792&t=45792



RE: trying to test ISDN [7:45786]

2002-06-04 Thread Lee James

Yes, we are running EIGRP, and someone put in a permit any any statement.
I removed that but ISDN is still not dialing. If I look at the history,
it shows it has dialed successfully a few weeks ago. The IOS is 11.2(5)P so
I cannot force a call to test connectivity with the carrier switch. Layer 1
is active, SPIDs are assigned, I'm pretty much at a loss. The person on the
other end did say that on the external NT1 the LP LED was lit. I will follow
through with the carrier. Thanks


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45794&t=45786



Re: show version? [7:45730]

2002-06-04 Thread Chris Camplejohn

It is platform dependent...newer boxes now have the Electronic Serial
Numbers that are retrievable.

Your best bet is to use the "snmp-server chassis-id" command.  That is what
it was intended for and what CW2K queries for the serial number if it is in
the config.

Of course, you need to do the one-time physical inventory and remember to
change the config if you swap hardware :-(

Chris

""brian kastor""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> or the guy that was hired two years after 24 2610's went out to their
> sites.  these guys wrote down the serial numbers, they just don't know
which
> ones go with which ones!!!
>
> Thanks for the replies everyone!
>
> bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45793&t=45730



Identifying Hosts [7:45795]

2002-06-04 Thread Kevin Wigle

Dear Group,

A large organization wants to begin a "user pay" cost recovery accounting
method in an attempt to get proper funding for services the central IT
service support provider has delivered "free" for a long time.

They would like to charge a "per port" fee which includes everything they
provide rolled up.

One of the interesting questions is how to identify that a host belongs to a
certain level 1 organization.

With proper naming standards something like:

Collect a list of host names/MACs.  Such info can be easily collected with
various tools.

Port security would be turned on with an address list of 1 configured.

Then permanent MAC addresses could be collected from the access switches.

Then a correlation made...

A bit labour intensive - at least at first.

Is there a product that can relate host name to Catalyst port that would
make this idea easier?

Or other ideas??

Kevin Wigle
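The correlation step above, as an added example that is not part of the original post: it joins a host-name/MAC inventory to the single permanent MAC that port security holds per access port, buckets ports by owning organization, and reports the two things a billing run must chase: live ports whose MAC nobody claims, and inventory hosts seen on no port. It assumes the naming standard puts the organization code before the first hyphen of the host name (e.g. "FIN-ws0123"); both input tables are constructed samples.

```python
"""Correlate a host inventory (name, MAC) with port-security MACs per switch port.

Added example, not from the post. It assumes the naming standard puts the
owning organization's code before the first hyphen in the host name
(e.g. "FIN-ws0123"), and that each access port has port security with one
permitted MAC. Both input tables are constructed samples in CSV form; a real
run would feed them from the host/MAC collection tool and the switches.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: export from the host name / MAC collection.
HOSTS_CSV = """hostname,mac
FIN-ws0123,0000.0c12.3456
FIN-ws0124,0000.0c12.3457
HR-lap0042,0000.0c99.0001
ENG-srv0007,0000.0cab.cdef
"""

# Constructed sample: the one permanent MAC port security holds per access port.
PORTS_CSV = """switch,port,mac
sw-a1,2/1,00:00:0c:12:34:56
sw-a1,2/2,00:00:0c:12:34:57
sw-a1,2/3,00:00:0c:99:00:01
sw-b2,3/7,00:00:0c:de:ad:01
"""

Binding = Tuple[str, str, str]   # (switch, port, hostname)


def norm_mac(mac: str) -> str:
    """Canonicalise dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits


def org_of(hostname: str) -> str:
    """Owning organization under the naming standard: the prefix before the first hyphen."""
    return hostname.split("-", 1)[0].upper()


def correlate(hosts_csv: str, ports_csv: str):
    """Join port MACs to inventory. Returns (org -> bindings, unmatched ports, unseen hosts)."""
    by_mac = {norm_mac(r["mac"]): r["hostname"] for r in csv.DictReader(io.StringIO(hosts_csv))}
    per_org: Dict[str, List[Binding]] = defaultdict(list)
    unmatched = []          # live ports whose MAC no inventory record claims: chase these first
    seen = set()
    for r in csv.DictReader(io.StringIO(ports_csv)):
        mac = norm_mac(r["mac"])
        host = by_mac.get(mac)
        if host is None:
            unmatched.append((r["switch"], r["port"], mac))
            continue
        seen.add(mac)
        per_org[org_of(host)].append((r["switch"], r["port"], host))
    unseen = sorted(h for m, h in by_mac.items() if m not in seen)   # inventory hosts on no port
    return dict(per_org), unmatched, unseen


def port_counts(hosts_csv: str = HOSTS_CSV, ports_csv: str = PORTS_CSV) -> Dict[str, int]:
    """Billable ports per organization for the "per port" fee."""
    per_org, _, _ = correlate(hosts_csv, ports_csv)
    return {org: len(b) for org, b in sorted(per_org.items())}


if __name__ == "__main__":
    orgs, unmatched, unseen = correlate(HOSTS_CSV, PORTS_CSV)
    print("ports per org:", port_counts())
    print("unclaimed ports:", unmatched)
    print("hosts not seen on any port:", unseen)
```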




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45795&t=45795



RE: trying to test ISDN [7:45786]

2002-06-04 Thread Kris Keen

What about a passive interface for EIGRP on your BRI0? Maybe use a floating
static if it's an option to dial your remote end.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45796&t=45786



Re: static route for port 21-theory rules. [7:45682]

2002-06-04 Thread Kris Keen

You could match traffic on a particular port and set its next hop to an IP
address or an interface; that way you can avoid the issue..


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45798&t=45682



RE: static route for port 21 [7:45682]

2002-06-04 Thread Kris Keen

How about a route map to send traffic out a particular interface?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45797&t=45682



Re: Policy routing - directly connected interfaces [7:45628]

2002-06-04 Thread Kris Keen

You're asking if it's directly connected, would it be switched and not
affected by policy routing? I think not. To my understanding any packet
destined for a remote destination that is directly connected or via a next
hop would be routed and subject to your policy. This is strange.

IP local policy will only affect packets originated by the router, this
wouldn't affect the directly connected scenario.
Perhaps you can add another match for packets going to a directly connected
interface to be subjected to the policy?
I'd be interested to see how you get on


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45799&t=45628



OSPF synchronize [7:45801]

2002-06-04 Thread thinkworker

In the master/slave synchronize procedure, the master will send its DDP
(database description packet) while the slave only accepts and replies with
LDR (linkstate database request).

OK, if there is some LSA in the slave's database that is not in the master's
database, how do they come to full state while in fact their databases are
not the same?




thinkworker
[EMAIL PROTECTED] 2002-06-05
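An added example, not from the post, simulating the RFC 2328 database exchange to show how the two sides still converge: each DD packet the slave sends in reply to the master also carries the slave's own LSA headers, so both routers compare summaries against their own LSDB and send Link State Requests for whatever is missing or has a higher LS sequence number on the peer. Router names and the LSA keys and sequence numbers are constructed; the model is simplified to one DD packet per side with no I/M/MS bit handling or retransmission.

```python
"""Simulate the OSPF database exchange of RFC 2328 (sections 10.6 to 10.8).

Added example, not from the post. The slave does not only receive and
request: every DD packet it sends in reply also carries its own LSA
headers, so both sides compare summaries against their own LSDB and ask
(LSR) for any LSA that is missing or newer on the peer. Simplified model:
one DD packet per side, no I/M/MS bits, no retransmission.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# LSA identity: (LS type, Link State ID, Advertising Router); value: LS sequence number.
LsaKey = Tuple[int, str, str]


@dataclass
class Router:
    name: str
    lsdb: Dict[LsaKey, int]
    requests: List[LsaKey] = field(default_factory=list)

    def dd_headers(self) -> List[Tuple[LsaKey, int]]:
        """LSA headers this router places in its DD packets."""
        return sorted(self.lsdb.items())

    def receive_dd(self, headers: List[Tuple[LsaKey, int]]) -> None:
        """Compare peer summaries with own LSDB; queue an LSR for missing or newer LSAs."""
        for key, seq in headers:
            mine = self.lsdb.get(key)
            if mine is None or seq > mine:       # higher LS sequence number is newer
                self.requests.append(key)

    def build_lsu(self, keys: List[LsaKey]) -> Dict[LsaKey, int]:
        """Link State Update answering a peer's LSR."""
        return {k: self.lsdb[k] for k in keys}

    def receive_lsu(self, lsas: Dict[LsaKey, int]) -> None:
        for key, seq in lsas.items():
            if seq > self.lsdb.get(key, -1):
                self.lsdb[key] = seq


def exchange(master: Router, slave: Router) -> Tuple[List[LsaKey], List[LsaKey]]:
    """Run Exchange then Loading; return what each side had to request."""
    slave.receive_dd(master.dd_headers())    # master's DD describes the master's LSDB
    master.receive_dd(slave.dd_headers())    # slave's DD reply describes the slave's LSDB
    master_req, slave_req = list(master.requests), list(slave.requests)
    master.receive_lsu(slave.build_lsu(master_req))   # Loading: fetch what was asked for
    slave.receive_lsu(master.build_lsu(slave_req))
    master.requests.clear()
    slave.requests.clear()
    return master_req, slave_req


def is_full(a: Router, b: Router) -> bool:
    """Full state here means the two LSDBs are identical."""
    return a.lsdb == b.lsdb


def demo():
    """Constructed case: slave holds an LSA the master lacks and a newer copy of another."""
    master = Router("master", {(1, "1.1.1.1", "1.1.1.1"): 0x80000001,
                               (1, "2.2.2.2", "2.2.2.2"): 0x80000002})
    slave = Router("slave", {(1, "2.2.2.2", "2.2.2.2"): 0x80000005,
                             (1, "3.3.3.3", "3.3.3.3"): 0x80000001})
    master_req, slave_req = exchange(master, slave)
    return master, slave, master_req, slave_req


if __name__ == "__main__":
    m, s, mreq, sreq = demo()
    print("master requested:", mreq)
    print("slave requested:", sreq)
    print("full:", is_full(m, s))
```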




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45801&t=45801



RE: trying to test ISDN [7:45786]

2002-06-04 Thread Lee James

We have several branches that have a passive int on the bri0 and we do use
floating static routes. What I ended up doing was removing the config from
the bri, reloading the router, entered the switch type and SPIDs and it
dialed fine. Thanks all for the suggestions.

James 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45800&t=45786



Re: teaching CCNA [7:45489]

2002-06-04 Thread Kris Keen

Multicasts in TR, hell yes.
Switch in 607? Unsure, I got 1 question in the old 507 exam.
cop r st, definitely not. I did Cisco's online sim tool and it marked me
wrong (wanted to see how they tested it!) so I'd say definitely recommend
the full command.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45802&t=45489



RE: CCNP Welcome Aboard kit? [7:45454]

2002-06-04 Thread Kris Keen

Which is very very cheap. Looks like a card you get from a cornflakes
packet, shows you how much Cisco values us. Far out, I was really
disappointed to find my CCNP card exactly like the CCNA.

What a joke, my CNE card kicks the CCNP card


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45805&t=45454



Re: Policy routing - directly connected interfaces [7:45628]

2002-06-04 Thread Chuck

my results seem to disagree with your thought.


172.31.1.1  loop0---router--WAN--172.31.5.0 network
 |
 --WAN--
172.31.3.0 network



the route-map I used went something like this

access-list 101 permit ip 172.31.5.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 101 permit ip 172.31.5.0 0.0.0.255 172.31.3.0 0.0.0.255

route-map filter permit 10
match ip address 101
set interface null0

when I pinged from the 172.31.5.0 net to 172.31.3.0 net, the debug ip policy
showed packets matching the policy and being forwarded to null0

when I pinged from 172.31.1.1 there was no debug generated, and the
172.31.5.0 network received ICMP replies.

that's why I asked the question.


- Original Message -
From: ""Kris Keen"" 
Newsgroups: groupstudy.cisco
Sent: Tuesday, 04 June, 2002 8:34 PM
Subject: Re: Policy routing - directly connected interfaces [7:45628]


> You're asking if it's directly connected, would it be switched and not
> affected by policy routing? I think not. To my understanding any packet
> destined for a remote destination that is directly connected or via a next
> hop would be routed and subject to your policy. This is strange.
>
> IP local policy will only affect packets originated by the router, this
> wouldn't affect the directly connected scenario.
> Perhaps you can add another match for packets going to a directly connected
> interface to be subjected to the policy?
> I'd be interested to see how you get on




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45807&t=45628



Re: Identifying Hosts [7:45795]

2002-06-04 Thread Clayton Dukes

A URL would probably help :-)

http://www.cisco.com/cic

http://www.micromuse.com

If you need to be contacted by an Account Manager, I can help locate one in
your region.


Clayton Dukes
CCNA, CCDA, CCDP, CCNP, NCC

- Original Message -
From: "Clayton Dukes" 
To: "Kevin Wigle" ; 
Sent: Tuesday, June 04, 2002 11:51 PM
Subject: Re: Identifying Hosts [7:45795]


> Hi Kevin,
> Take a look at Cisco Info Center, it can do exactly what you are trying to
> accomplish using CIC/USMs (Usage Service Monitors)
>
>
> Clayton Dukes
> CCNA, CCDA, CCDP, CCNP, NCC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45804&t=45795



Re: Identifying Hosts [7:45795]

2002-06-04 Thread Kevin Wigle

yeah - I was just surfing CCO in that area but the light descriptions aren't
saying much...

Kevin

- Original Message -
From: "Clayton Dukes" 
To: "Kevin Wigle" ; 
Sent: Tuesday, 04 June, 2002 23:51
Subject: Re: Identifying Hosts [7:45795]


> Hi Kevin,
> Take a look at Cisco Info Center, it can do exactly what you are trying to
> accomplish using CIC/USMs (Usage Service Monitors)
>
>
> Clayton Dukes
> CCNA, CCDA, CCDP, CCNP, NCC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45806&t=45795



Re: Identifying Hosts [7:45795]

2002-06-04 Thread Clayton Dukes

Hi Kevin,
Take a look at Cisco Info Center, it can do exactly what you are trying to
accomplish using CIC/USMs (Usage Service Monitors)


Clayton Dukes
CCNA, CCDA, CCDP, CCNP, NCC


- Original Message -
From: "Kevin Wigle" 
To: 
Sent: Tuesday, June 04, 2002 10:55 PM
Subject: Identifying Hosts [7:45795]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45803&t=45795



Re: Identifying Hosts [7:45795]

2002-06-04 Thread Kevin Wigle

Unknown referrer
you should notify the [EMAIL PROTECTED]
or similar responsible person for the content or search feature of that
site,
of the incorrect link to http://www.cisco.com/cic

??



Kevin

- Original Message -
From: "Clayton Dukes" 
To: "Clayton Dukes" ; "Kevin Wigle"
; 
Sent: Tuesday, 04 June, 2002 23:54
Subject: Re: Identifying Hosts [7:45795]


> A Url would probably help :-)
>
> http://www.cisco.com/cic
>
> http://www.micromuse.com
>
> If you need to be contacted by an Account Manager, I can help locate one
in
> your region.
>
>
> Clayton Dukes
> CCNA, CCDA, CCDP, CCNP, NCC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45808&t=45795



RE: 640-605 BCRAN Beta PASSED!! [7:45777]

2002-06-04 Thread adam lee

Hi Bill,

I am curious how the new test differs from the old exam.  I took the remote
exam almost a year ago.

Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Creighton Bill-BCREIGH1
Sent: Tuesday, June 04, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: 640-605 BCRAN Beta PASSED!! [7:45777]


I'd like to thank EVERYONE in this group. Very difficult exam! But I somehow
feel prouder having passed this monster instead of the current 640-505. The
scenarios and ideas presented here are better than anything seen in a lab
and more diverse than anything seen in my workplace.

I was wondering if anyone could tell me if this will count toward the
existing CCNP track if my other exams are the current standard (640-50x) in
which case I'M DONE!!!

Finally, if I am in fact done, can anyone tell me if it's more advantageous
to go after CCDA/P or just chase the CCIE written (before the new version of
that exam is introduced).

Bill Creighton
Senior System Engineer CCNP(?)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45809&t=45777



Re: SRB and NetBEUI/SMB traffic [7:45778]

2002-06-04 Thread Nelson Herron

I have the basic topology you conjecture, and I have configured the basic
SRB as you describe.  On my system it works in the same way as the ring
group model that I described - I get some bridging but no browsing.  The
clients are Win2k machines running MS NetBEUI - no IP.  As far as I know
NetBEUI requires STEs, which is why I specified the "source spanning".
Without that line I did not capture any traffic passing through the
bridge/router to the remote ring.  With that line in place I do see bridge
traffic specifying the "110" RIF, which I believe means STEs.  With the
configuration you prescribed (and also using a configuration including a
ring group), the SRB is working partially as I indicated.  That is, I get
name queries and name replies passing through the bridge.  I can also see
LLC packets (polls and finals) in a call and response pattern.  However, I
am unable to browse because the SMB dialect negotiation packet is not
passing through the bridge/router.  At least I surmise this is why I cannot
browse.  I see the client send an LLC packet that the NetMon agent describes
as an SMB packet that is attempting to negotiate a LanMan dialect.  However,
this packet never passes through the bridge/router to the target.  As a
result the target never sends a dialect agreement so there is no NetBEUI
session established.  When I hook all the machines up on the same ring or
bridged through an Olicom TrBRF, I do see a reply from the target machine -
usually saying it wants option #5 which is NT LM 0.12 or some such.  This
SMB packet has the same MAC addresses and RIF as other traffic that is
passing.  I can match the packets from two separate captures on either side
of the bridge - except for the SMB packets, of course.  I have gotten the
same results using a 7000 (11.2.15) and a 7010/RSP (12.2.?).  They are both
using the CX Token cards.  These are the only machines I have with multiple
token interfaces.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45811&t=45778



How to check bandwidth [7:45812]

2002-06-04 Thread Ashok C. Braganza

Can anyone tell me how to check bandwidth? Here is my router conf
(bandwidth 128). How do I verify it? Is there any Cisco command?

interface ATM0/0
 no ip address
 atm vc-per-vp 256
 no atm ilmi-keepalive
 atm voice aal2 aggregate-svc upspeed-number 0
 dsl operating-mode auto
 no fair-queue
!
interface ATM0/0.1 point-to-point
 description J***
 bandwidth 128
 ip address 10.100.1.1 255.255.255.252
 pvc 1/41
  protocol ip 10.100.1.2
  ubr 128
  oam-pvc manage
 !

Thanks

ashok braganza




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45812&t=45812



Multiring All/Cat 3900 [7:45813]

2002-06-04 Thread Nijhawan Akshay

Does anyone know in what scenarios you need to configure 'multiring all' on
a token ring interface connected to the Cat 3900?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45813&t=45813