Re: Route-map question (urgent) [7:54910]

2002-10-05 Thread ccnp ccnp2002

Hi,

I suggest that you study again about access-lists and route-maps. This is
the best answer to your question because once you go through it again, you
will be fine.

I kindly ask you to spend just a little time and it will be very clear.

Cheers!!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54926&t=54910
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Unable to configure Ciscosecure ACS [7:54927]

2002-10-05 Thread Mr piyush shah

Hello all,
I have CiscoSecure ACS ver. 3.0 which I am planning to configure for
authentication. I have also created users on the ACS server, but the users
created are unable to log on to routers as they get the message
"authentication failed". I am using a Cisco 2600 router with IOS 12.0(7)T.
I am forwarding the set of commands I have configured on the router as well
as the debug messages seen while logging in, using the debug aaa
authentication command.


version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Ciscosecure
!
aaa new-model
enable secret 5 $1$SPn7$M6Fn.fHp/UlAXP8Zcid6P0
aaa authentication login group1 local group tacacs+
aaa authentication login group1 group tacacs+
!
username vicky password 0 vino12
!
!
!
memory-size iomem 25
ip subnet-zero
!
tacacs-server host 172.18.1.2
tacacs-server attempts 4
tacacs-server timeout 10
tacacs-server key ciscosecure

The debug output on the screen is as follows, and the user does not get
authenticated.


04:35:24: AAA/MEMORY: create_user (0x80D7E7D8) user='' ruser='' port='tty67' rem_addr='129.1.32.193' authen_type=ASCII service=LOGIN priv=1
04:35:24: AAA/AUTHEN/START (2000200146): port='tty67' list='group1' action=LOGIN service=LOGIN
04:35:24: AAA/AUTHEN/START (2000200146): found list group1
04:35:24: AAA/AUTHEN/START (2000200146): Method=tacacs+ (tacacs+)
04:35:24: TAC+: send AUTHEN/START packet ver=192 id=2000200146
04:35:24: TAC+: ver=192 id=2000200146 received AUTHEN status = GETUSER
04:35:24: AAA/AUTHEN (2000200146): status = GETUSER
04:35:28: AAA/AUTHEN/CONT (2000200146): continue_login (user='(undef)')
04:35:28: AAA/AUTHEN (2000200146): status = GETUSER
04:35:28: AAA/AUTHEN (2000200146): Method=tacacs+ (tacacs+)
04:35:28: TAC+: send AUTHEN/CONT packet id=2000200146
04:35:28: TAC+: ver=192 id=2000200146 received AUTHEN status = GETPASS
04:35:28: AAA/AUTHEN (2000200146): status = GETPASS
04:35:31: AAA/AUTHEN/CONT (2000200146): continue_login (user='satish')
04:35:31: AAA/AUTHEN (2000200146): status = GETPASS
04:35:31: AAA/AUTHEN (2000200146): Method=tacacs+ (tacacs+)
04:35:31: TAC+: send AUTHEN/CONT packet id=2000200146
04:35:31: TAC+: ver=192 id=2000200146 received AUTHEN status = FAIL
04:35:31: AAA/AUTHEN (2000200146): status = FAIL
04:35:33: AAA/MEMORY: free_user (0x80D7E7D8) user='satish' ruser='' port='tty67' rem_addr='172.18.1.10' authen_type=ASCII service=LOGIN priv=1
04:35:33: AAA: parse name=tty67 idb type=-1 tty=-1
04:35:33: AAA: name=tty67 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=67 channel=0
04:35:33: AAA/MEMORY: create_user (0x80D7E7D8) user='' ruser='' port='tty67' rem_addr='172.18.1.10' authen_type=ASCII service=LOGIN priv=1
04:35:33: AAA/AUTHEN/START (220479): port='tty67' list='group1' action=LOGIN service=LOGIN
04:35:33: AAA/AUTHEN/START (220479): found list group1
04:35:33: AAA/AUTHEN/START (220479): Method=tacacs+ (tacacs+)
04:35:33: TAC+: send AUTHEN/START packet ver=192 id=220479
04:35:33: TAC+: ver=192 id=220479 received AUTHEN status = GETUSER

Can somebody please help me with this.
Thanks in advance.


Parag C.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54927&t=54927
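Two things in the configuration and debug above are worth pulling out, and the script below (an added example, not part of the original post and not Cisco tooling) does it mechanically. First, IOS keeps only the last `aaa authentication login group1 ...` line entered, so the list actually in force is `group tacacs+` alone and the local user is never consulted. Second, a method list only falls through to the next method when a method returns ERROR (server unreachable, undecryptable reply); a FAIL from a reachable TACACS+ server, which is what the debug shows for user `satish`, is a final answer. The script parses the debug lines (re-joined from the post) and the two `aaa authentication login` lines and reports the effective list and the outcome. The sample text is constructed from the post; the function names are the example's own.

```python
"""Added example: work out from 'debug aaa authentication' output and the
AAA lines of a running-config why a login was rejected.  Not from the
original post; function names are the example's own."""
import re
from dataclasses import dataclass, field

# Constructed from the debug lines posted above (re-joined where the mail
# client wrapped them); the second, unfinished session is included on purpose.
SAMPLE_DEBUG = """\
04:35:24: AAA/AUTHEN/START (2000200146): port='tty67' list='group1' action=LOGIN service=LOGIN
04:35:24: AAA/AUTHEN/START (2000200146): found list group1
04:35:24: AAA/AUTHEN/START (2000200146): Method=tacacs+ (tacacs+)
04:35:24: TAC+: ver=192 id=2000200146 received AUTHEN status = GETUSER
04:35:24: AAA/AUTHEN (2000200146): status = GETUSER
04:35:28: AAA/AUTHEN/CONT (2000200146): continue_login (user='(undef)')
04:35:28: AAA/AUTHEN (2000200146): Method=tacacs+ (tacacs+)
04:35:28: AAA/AUTHEN (2000200146): status = GETPASS
04:35:31: AAA/AUTHEN/CONT (2000200146): continue_login (user='satish')
04:35:31: AAA/AUTHEN (2000200146): Method=tacacs+ (tacacs+)
04:35:31: TAC+: ver=192 id=2000200146 received AUTHEN status = FAIL
04:35:31: AAA/AUTHEN (2000200146): status = FAIL
04:35:33: AAA/AUTHEN/START (220479): port='tty67' list='group1' action=LOGIN service=LOGIN
04:35:33: AAA/AUTHEN/START (220479): Method=tacacs+ (tacacs+)
04:35:33: AAA/AUTHEN (220479): status = GETUSER
"""

# Constructed from the posted config: the two 'group1' lines are the point.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login group1 local group tacacs+
aaa authentication login group1 group tacacs+
tacacs-server host 172.18.1.2
"""

START_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)' list='([^']*)'")
METHOD_RE = re.compile(r"AAA/AUTHEN(?:/START)? \((\d+)\): Method=(\S+)")
CONT_RE = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
TERMINAL = {"PASS", "FAIL", "ERROR"}   # GETUSER/GETPASS are only prompts


@dataclass
class LoginAttempt:
    sid: str
    port: str
    list_name: str
    user: str = ""
    methods: list = field(default_factory=list)   # in the order IOS tried them
    status: str = "IN_PROGRESS"


def parse_debug(text):
    """One LoginAttempt per AAA session id, in order of first appearance."""
    attempts = {}
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            attempts[m.group(1)] = LoginAttempt(m.group(1), m.group(2), m.group(3))
            continue
        m = METHOD_RE.search(line)
        if m and m.group(1) in attempts:
            if m.group(2) not in attempts[m.group(1)].methods:
                attempts[m.group(1)].methods.append(m.group(2))
            continue
        m = CONT_RE.search(line)
        if m and m.group(1) in attempts and m.group(2) != "(undef)":
            attempts[m.group(1)].user = m.group(2)
            continue
        m = STATUS_RE.search(line)
        if m and m.group(1) in attempts and m.group(2) in TERMINAL:
            attempts[m.group(1)].status = m.group(2)
    return list(attempts.values())


def effective_login_lists(config_text):
    """name -> methods.  IOS keeps only the LAST 'aaa authentication login NAME'
    line entered, so a repeated definition silently replaces the earlier one."""
    lists = {}
    for line in config_text.splitlines():
        m = LOGIN_LIST_RE.match(line.strip())
        if not m:
            continue
        words, methods, i = m.group(2).split(), [], 0
        while i < len(words):
            if words[i] == "group" and i + 1 < len(words):   # 'group tacacs+', 'group radius'
                methods.append("group " + words[i + 1])
                i += 2
            else:                                              # local, enable, line, none
                methods.append(words[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def diagnose(attempt, lists):
    """Plain-English verdict for one login attempt."""
    in_force = lists.get(attempt.list_name, ["<list not in config>"])
    who = "user '%s' on %s" % (attempt.user or "?", attempt.port)
    last = attempt.methods[-1] if attempt.methods else "no method"
    if attempt.status == "FAIL":
        return ("%s: %s returned FAIL, i.e. the server answered and rejected the "
                "credentials. Effective list '%s' is %s; IOS only falls through to "
                "the next method on ERROR, never on FAIL." % (who, last, attempt.list_name, in_force))
    if attempt.status == "ERROR":
        return ("%s: %s returned ERROR (no usable reply from the server); the next "
                "method in %s, if any, would be tried." % (who, last, in_force))
    if attempt.status == "PASS":
        return "%s: accepted by %s." % (who, last)
    return "%s: session %s still in progress (last method %s)." % (who, attempt.sid, last)


if __name__ == "__main__":
    lists = effective_login_lists(SAMPLE_CONFIG)
    print("effective method lists:", lists)
    for a in parse_debug(SAMPLE_DEBUG):
        print(diagnose(a, lists))
```

Run it against a real `debug aaa authentication` capture by replacing `SAMPLE_DEBUG`; a `FAIL` verdict means the credentials or the ACS user setup are wrong, while an `ERROR` verdict points at reachability or the shared key.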



Re: Route-map question (urgent) [7:54910]

2002-10-05 Thread YASSER ALY

No, you need to do the following:

access-list 101 permit tcp any any eq 80
!
route-map http_traffic permit 10
 match ip address 101
 set ip next-hop 10.10.10.141
route-map http_traffic permit 20
!
int fa2/0
 ip policy route-map http_traffic


> From: "[EMAIL PROTECTED]"
> Greetings,
>
> Need help with a route-map question. I need to force all http traffic to go
> to 10.10.10.141 address, does my config below allow me to do just that?
>
> access-list extended 101 permit tcp any host 10.10.10.141 eq 80
> access-list extended 101 permit ip any any
>
> route-map http_traffic permit 10
>  match ip address 101
>
> int fa2/0 (10.10.10.141 address is behind this interface)
>  ip policy route-map http_traffic
>
> Thanks...Nabil
>
> "I have never let my schooling interfere







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54928&t=54910
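To make the difference between the two configurations concrete, here is a small simulator of IOS policy-routing semantics (an added example, not part of the original post or of any Cisco software; class and function names are the example's own). It evaluates an extended access list and a route-map the way PBR does: an ACL `permit` makes the clause match, an ACL `deny` or no matching entry moves on to the next sequence, and a matching `permit` clause with no `set` clause (the original poster's case) as well as a matching `deny` clause leave the packet to ordinary destination-based routing. The ACL and route-map lines are the ones from the thread written in numbered-ACL syntax; the packets are constructed. One caveat the thread does not state: `ip policy route-map` acts on packets arriving on the interface it is applied to, so it belongs on the interface where the HTTP clients' traffic enters the router, not on the one 10.10.10.141 sits behind.

```python
"""Added example: a simulator of IOS policy-based-routing semantics, to show
why the original configuration forced nothing and the reply's does.  Not
from the post or from any Cisco code; class and function names are mine."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int = 0  # destination port, for tcp/udp


def _addr_spec(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at tok[i].
    Returns ((network, wildcard) as ints, index of the next token)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _addr_match(spec, ip):
    net, wild = spec                       # wildcard bit 1 = "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)


class Acl:
    """Extended ACL from 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines."""

    def __init__(self, lines):
        self.number, self.entries = None, []
        for line in lines:
            tok = line.split()
            if len(tok) < 6 or tok[0] != "access-list":
                continue
            self.number, action, proto = tok[1], tok[2], tok[3]
            src, i = _addr_spec(tok, 4)
            dst, i = _addr_spec(tok, i)
            dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            self.entries.append((action, proto, src, dst, dport))

    def permits(self, pkt):
        for action, proto, src, dst, dport in self.entries:   # first match wins
            if proto != "ip" and proto != pkt.proto:
                continue
            if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
                continue
            if dport is not None and dport != pkt.dport:
                continue
            return action == "permit"
        return False                                           # implicit deny


class RouteMap:
    """Policy route-map: 'route-map NAME permit|deny SEQ' lines, each followed by
    optional 'match ip address N' and 'set ip next-hop A.B.C.D' lines."""

    def __init__(self, lines, acls):
        self.clauses = []
        for line in lines:
            tok = line.split()
            if not tok:
                continue
            if tok[0] == "route-map":
                self.clauses.append({"seq": int(tok[3]), "action": tok[2],
                                     "acl": None, "next_hop": None})
            elif tok[:3] == ["match", "ip", "address"]:
                self.clauses[-1]["acl"] = acls[tok[3]]
            elif tok[:3] == ["set", "ip", "next-hop"]:
                self.clauses[-1]["next_hop"] = tok[3]
        self.clauses.sort(key=lambda c: c["seq"])

    def route(self, pkt):
        """Next hop imposed by PBR, or None when the packet is routed normally."""
        for c in self.clauses:
            matched = c["acl"].permits(pkt) if c["acl"] else True   # no match clause: matches all
            if not matched:
                continue                         # ACL denied / nothing hit: try the next sequence
            if c["action"] == "deny" or c["next_hop"] is None:
                return None                      # explicit deny, or permit with nothing to set
            return c["next_hop"]
        return None                              # no clause matched


def build(acl_lines, map_lines):
    acl = Acl(acl_lines)
    return RouteMap(map_lines, {acl.number: acl})


# Constructed from the thread.  The original poster's ACL and route-map:
ORIGINAL_ACL = ["access-list 101 permit tcp any host 10.10.10.141 eq 80",
                "access-list 101 permit ip any any"]
ORIGINAL_MAP = ["route-map http_traffic permit 10", " match ip address 101"]
# The reply's version, with the full IOS keyword 'set ip next-hop':
REPLY_ACL = ["access-list 101 permit tcp any any eq 80"]
REPLY_MAP = ["route-map http_traffic permit 10", " match ip address 101",
             " set ip next-hop 10.10.10.141", "route-map http_traffic permit 20"]
# Constructed packets: a web request and an SSH session from the same client.
HTTP = Packet("192.0.2.10", "198.51.100.5", "tcp", 80)
SSH = Packet("192.0.2.10", "198.51.100.5", "tcp", 22)

if __name__ == "__main__":
    for label, rm in (("original", build(ORIGINAL_ACL, ORIGINAL_MAP)),
                      ("reply", build(REPLY_ACL, REPLY_MAP))):
        print(label, "HTTP ->", rm.route(HTTP), "| SSH ->", rm.route(SSH))
```

With the original lines every packet hits `permit ip any any`, the clause matches, and since there is nothing to set the router forwards it normally; with the reply's lines only TCP port 80 gets the next hop and everything else falls to sequence 20 and normal routing.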



OT: FS IBM SX GBIC's work fine with Cisco 3500 series switches [7:54929]

2002-10-05 Thread Tim Medley

I have a bunch of IBM SX GBIC's for sale if anyone is interested for use in
your labs. I have tested these in several 3500 XL series switches as well as
in a 6500 and they work fine.

Selling them for $25 each plus shipping. Simple inexpensive way to use Gig E
in your home lab.

I do not believe that these are on the approved Cisco third party GBIC list,
so I wouldn't use them on a production network.

Tim


Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54929&t=54929



Re: GBIC's - Cisco and otherwise [7:51148]

2002-10-05 Thread seadon

I've bought over 100 of these from Cisco, and the simple fact was that there
was no one Cisco model.  I saw at least three different versions from Cisco
and some definitely did not have the Cisco name on them.  It is possible the
Agilent unit did come from Cisco.  My advice is that if it works, it
probably is fine.  If I understand correctly, a GBIC is built to the GMII
Gigabit Media Independent Interface standard so interchange should be
implied.
Don


""Chuck's Long Road""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I took a bit of a risk, and purchased some GBIC;s off That Auction Site.
Of
> the four, three are Cisco branded, and the fourth is labeled "Agilent" (
> used to be HP )
>
> I had done a bit of investigation prior to purchase. I see that the
Auction
> Site has listings for Agilent, IBM, and Extreme GBIC's, as well as Cisco.
> However, I was unable to find any direct and clearly stated indication
that
> all GBIC's are interchangeable.
>
> IBM and Agilent GBIC's cost few pretty pennies less than Cisco BTW,
although
> I suspect now that the same source OEM's for all these manufacturers.
>
> So I paid my money, took my chance, and have an Agilent GBIC on one switch
> connected to a Cisco GBIC on another. No connectivity problems. Came right
> up. Is passing traffic even as I write.
>
> Thinking logically, why should GBIC's be any different that NIC's or patch
> cables, transceivers of various sorts and brands, or CSU/DSU's? They are
all
> build to industry specifications and industry standards. They all do the
> same thing.
>
> Just thought I'd pass that along to those trying to stretch their practice
> lab or network upgrade dollars.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54930&t=51148



Off Topic - DQoS Training humor [7:54931]

2002-10-05 Thread Chuck's Long Road

Recently I completed the DQoS class offered by Knowledge Net (
www.knowledgenet.com )

Let me first say this is the second class I have taken from them. Web for
video, 800 call for audio. Works great. I've enjoyed both classes immensely.
Good teachers, even if they do all sound like a.m. radio disk jockeys. I've
even had the pleasure of meeting a couple of Groupstudy regulars in the
classes I've taken.

In any case, as part of the price, a student gets to access labs ( simulated
routers, so there are some limitations )

Since this is QoS, a few of the labs showed effects of voice, video, and
data with and without various classification, marking, and queuing features
configured.

Once in a while, after you observe the results of your configs, a question
will pop up, asking what happened and why.

Of course the audio video, having to come through not only the lab ware, but
also across the net and through my corporate VPN, often is totally without
merit, so that it is completely accidental if anything actually observed
resembles anything you are supposed to have observed.

For example, the video is an endless loop of John Chambers introducing
himself. It suffers all the characteristics of jitter and delay no matter
what QoS features are or are not configured. Just like the proverbial
samurai movie. Sometimes the telephone voice works, sometimes it doesn't,
no matter what the configuration. Voice calls would go through ( with very
poor quality ) even if the correct answer to the question was that they did
not.

Well, I thought it was funny. I guess you have to be there. :->
--
TANSTAAFL
there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54931&t=54931



RE: Sniffing Async/Serial Ports on the Router [7:54919]

2002-10-05 Thread s vermill

I've been working on this on and off for a month or so now.  I've got a
steep learning curve when it comes to the internal workings of Windows
machines, so I doubt that I fully appreciate all of the nuances of what I've
discovered.  So far...

Ethereal, a free open-source protocol analyzer, claims to support Cisco
HDLC.  I was in touch with the developers and they informed me that Ethereal
could support ISO HDLC only if WinPcap supports it.  I was next in touch
with the developers of WinPcap, who informed me that WinPcap could support
ISO HDLC only if Windows supports it (i.e. if it is part of NDIS).  Far as I
can tell, it doesn't and it isn't.

Elan Digital Systems, Ltd. makes a PCMCIA card that claims to support ISO
HDLC and comes with its own drivers.  How to interface those drivers to a
protocol analyzer application is beyond my current know-how.  The WinPcap
folks suggested that if the drivers exported HDLC as "an ethernet adapter"
it could possibly be made to work.  Elan offered me a 30-day trial period to
try to make something happen.  I'm leaving on another extended business trip
soon, so it'll have to wait I suppose.

In the meantime, I thought I'd share what little I've learned thus far in
hopes that some brilliant individual(s) might have something a little more
insightful to add.  Is there a much easier way to go about this with a Unix
or Linux box?

There are, of course, hardware-based protocol analyzers, such as the Agilent
Advisor, that do a great job of decoding serial protocols.  We bought a few
several years ago.  Seem to recall that they were between $10k and $20k,
depending on options.

Hamid Ali Asgari wrote:
> 
> Hi group,
> 
> I am looking for a solution to monitor/sniff the traffic on
> Serial/Async
> ports.
> Any suggestions would be appreciated,
> 
> Hamid
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54932&t=54919
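Whatever capture path eventually delivers the serial frames, the decoding step is small. The following is an added example (not from the post, and not Ethereal's code) of a Cisco HDLC decoder: a 4-byte header (address 0x0F unicast or 0x8F broadcast, control 0x00, a 16-bit protocol type such as 0x0800 for IPv4 or 0x8035 for SLARP) followed by the payload. It validates the IPv4 header checksum, which catches the kind of bit damage a flaky serial capture produces, and decodes SLARP keepalives using the field layout I recall from Ethereal's dissector (code, my sequence, your sequence, reliability); that layout is an assumption to verify against a real capture. The two frames are constructed by the example itself; function names are the example's own.

```python
"""Added example: a minimal Cisco HDLC decoder, the step that follows once
the serial bytes have been captured.  Not from the post and not Ethereal's
code; the two frames are constructed here."""
import struct
import ipaddress

CHDLC_UNICAST, CHDLC_BROADCAST = 0x0F, 0x8F
PROTO_NAMES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8035: "SLARP", 0x2000: "CDP"}
SLARP_CODES = {0: "address-request", 1: "address-reply", 2: "keepalive"}


def ipv4_header_checksum(hdr):
    """RFC 1071 one's-complement sum of the header with its checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    csum = struct.unpack("!H", pkt[10:12])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "ip_proto": pkt[9], "ttl": pkt[8],
            "checksum_ok": csum == ipv4_header_checksum(pkt[:ihl])}


def decode_slarp(pkt):
    """SLARP layout as I recall it from Ethereal's dissector (assumption):
    4-byte code; keepalive = my-seq(4) your-seq(4) reliability(2);
    address request/reply = address(4) mask(4)."""
    if len(pkt) < 4:
        raise ValueError("short SLARP")
    code = struct.unpack("!I", pkt[:4])[0]
    out = {"slarp": SLARP_CODES.get(code, "code-%d" % code)}
    if code == 2 and len(pkt) >= 14:
        out["my_seq"], out["your_seq"], out["reliability"] = struct.unpack("!IIH", pkt[4:14])
    elif code in (0, 1) and len(pkt) >= 12:
        out["address"] = str(ipaddress.IPv4Address(pkt[4:8]))
        out["mask"] = str(ipaddress.IPv4Address(pkt[8:12]))
    return out


def decode_chdlc(frame):
    """Cisco HDLC: address (0x0F unicast / 0x8F broadcast), control 0x00,
    16-bit protocol type, then the payload."""
    if len(frame) < 4:
        raise ValueError("frame shorter than the 4-byte Cisco HDLC header")
    address, control, proto = struct.unpack("!BBH", frame[:4])
    if address not in (CHDLC_UNICAST, CHDLC_BROADCAST) or control != 0x00:
        raise ValueError("not Cisco HDLC: address=0x%02x control=0x%02x" % (address, control))
    out = {"address": "unicast" if address == CHDLC_UNICAST else "broadcast",
           "protocol": PROTO_NAMES.get(proto, "0x%04x" % proto)}
    payload = frame[4:]
    if proto == 0x0800:
        out.update(decode_ipv4(payload))
    elif proto == 0x8035:
        out.update(decode_slarp(payload))
    return out


def build_ipv4(src, dst, proto, payload=b""):
    """Constructed IPv4 packet with a correct header checksum (test input only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:] + payload


# Constructed frames: a SLARP keepalive (broadcast) and a unicast ICMP echo request.
KEEPALIVE_FRAME = bytes([0x8F, 0x00, 0x80, 0x35]) + struct.pack("!IIIH", 2, 17, 16, 0xFFFF)
ICMP_FRAME = bytes([0x0F, 0x00, 0x08, 0x00]) + build_ipv4(
    "10.0.0.1", "10.0.0.2", 1, b"\x08\x00" + b"\x00" * 6)

if __name__ == "__main__":
    for f in (KEEPALIVE_FRAME, ICMP_FRAME):
        print(decode_chdlc(f))
```

Feed `decode_chdlc` the payload of each frame a capture driver hands back (without the HDLC flag and FCS bytes, which the line hardware strips) and a run of `checksum_ok: False` results is the first sign the capture path itself is corrupting data.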



RE: FS IBM SX GBIC's work fine with Cisco 3500 series switches [7:54933]

2002-10-05 Thread William Pearch

I can vouch for the IBM GBICs working in the 3550 switches as well.

TTFN,
Bill

-Original Message-
From: Tim Medley [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, October 05, 2002 7:26 AM
To: [EMAIL PROTECTED]
Subject: OT: FS IBM SX GBIC's work fine with Cisco 3500 series switches
[7:54929]


I have a bunch of IBM SX GBIC's for sale if anyone is interested for use
in your labs. I have tested these in several 3500 XL series switches as
well as in a 6500 and they work fine.

Selling them for $25 each plus shipping. Simple inexpensive way to use
Gig E in your home lab.

I do not believe that these are on the approved Cisco third party GBIC
list, so I wouldn't use them on a production network.

Tim


Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54933&t=54933



Re: GBIC's - Cisco and otherwise [7:51148]

2002-10-05 Thread Ken Diliberto

If they're all built to the standard, why does Cisco require different
OS versions to support different GBICs?  I have a 1000TX GBIC Cisco says
isn't supported in a 5500.

Maybe I'm just not meant to understand things like this...  :-)

>>> "seadon"  10/05/02 09:38AM >>>
I've bought over 100 of these from Cisco, and the simple fact was that
there
was no one Cisco model.  I saw at least three different versions from
Cisco
and some definitely did not have the Cisco name on them.  It is
possible the
Agilent unit did come from Cisco.  My advice is that if it works, it
probably is fine.  If I understand correctly, a GBIC is built to the
GMII
Gigabit Media Independent Interface standard so interchange should be
implied.
Don


""Chuck's Long Road""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I took a bit of a risk, and purchased some GBIC;s off That Auction
Site.
Of
> the four, three are Cisco branded, and the fourth is labeled
"Agilent" (
> used to be HP )
>
> I had done a bit of investigation prior to purchase. I see that the
Auction
> Site has listings for Agilent, IBM, and Extreme GBIC's, as well as
Cisco.
> However, I was unable to find any direct and clearly stated
indication
that
> all GBIC's are interchangeable.
>
> IBM and Agilent GBIC's cost few pretty pennies less than Cisco BTW,
although
> I suspect now that the same source OEM's for all these
manufacturers.
>
> So I paid my money, took my chance, and have an Agilent GBIC on one
switch
> connected to a Cisco GBIC on another. No connectivity problems. Came
right
> up. Is passing traffic even as I write.
>
> Thinking logically, why should GBIC's be any different that NIC's or
patch
> cables, transceivers of various sorts and brands, or CSU/DSU's? They
are
all
> build to industry specifications and industry standards. They all do
the
> same thing.
>
> Just thought I'd pass that along to those trying to stretch their
practice
> lab or network upgrade dollars.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54934&t=51148



Re: router boots in to rommon [7:54591]

2002-10-05 Thread nettable_walker

I replaced the RAM with known good RAM & got the same result.
I took out all modules & got the same result.


I am trying to get Cisco to replace the router.



rommon 1 >
rommon 1 >
rommon 1 >
rommon 1 > dev
Devices in device table:
id  name
flash:  flash
bootflash:  boot flash
eprom:  eprom
rommon 2 > dir flash:
 File size   Checksum   File name
   4704832 bytes (0x47ca40)   0xdcec   c4500-is-mz.120-7.bin
rommon 3 >
System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.
C4500 processor with 32768 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x2b01c4

*** Cache Error Exception ***
Cache Err Reg = 0xa0280108
data reference, primary cache, data field error , error not on SysAD Bus
PC = 0x80008b00, Cause = 0x0, Status Reg = 0x30408405

monitor: command "boot" aborted due to exception
System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.
C4500 processor with 32768 Kbytes of main memory

rommon 1 > boot flash:
program load complete, entry point: 0x80008000, size: 0x47c924

*** Cache Error Exception ***
Cache Err Reg = 0xa0080108
data reference, primary cache, data field error , error not on SysAD Bus
PC = 0x800083d0, Cause = 0x8000, Status Reg = 0x30408405

monitor: command "boot" aborted due to exception
rommon 2 >
rommon 1 >
rommon 1 >
rommon 1 >
rommon 1 > dev
Devices in device table:
id  name
flash:  flash
bootflash:  boot flash
eprom:  eprom
rommon 2 > dir bootflash:
 File size   Checksum   File name
   2818784 bytes (0x2b02e0)   0xb62f   c4500-boot-mz.122-1.bin
rommon 3 > dir flash:
 File size   Checksum   File name
   4704832 bytes (0x47ca40)   0xdcec   c4500-is-mz.120-7.bin
rommon 4 > boot flash:c4500-is-mz.120-7.bin
program load complete, entry point: 0x80008000, size: 0x47c924

*** Cache Error Exception ***
Cache Err Reg = 0xa0080108
data reference, primary cache, data field error , error not on SysAD Bus
PC = 0x800083d0, Cause = 0x0, Status Reg = 0x30408405

monitor: command "boot" aborted due to exception
rommon 5 > boot flash:
program load complete, entry point: 0x80008000, size: 0x47c924

*** Cache Error Exception ***
Cache Err Reg = 0xa0080108
data reference, primary cache, data field error , error not on SysAD Bus
PC = 0x800083d0, Cause = 0x0, Status Reg = 0x30408405

monitor: command "boot" aborted due to exception
rommon 6 > x
System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.

Bad RAM at location 0xA000: wrote 0xA000, read 0x
the above was a boot attempt with NO RAM


System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.
C4500 processor with 32768 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x2b01c4

*** Cache Error Exception ***
Cache Err Reg = 0xa4280118
data reference, primary cache, data field error , error on SysAD Bus
PC = 0x80008b00, Cause = 0x0, Status Reg = 0x30408405

monitor: command "boot" aborted due to exception
System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.
C4500 processor with 32768 Kbytes of main memory

rommon 1 >
//
""Marc Thach Xuan Ky""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hi,
> I had a very similar message, I changed the cache and main RAM, but I
> just got different error messages.  I concluded that I had a bad
> backplane.  However, I swapped around the NP modules, and it's been
> working fine since 
> rgds
> Marc
>
> nettable_walker wrote:
> >
> > Thank you
> > I already swapped memory once, but I will try it again.
> >
> > ""Kim Graham""  wrote in message
> > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > Check your flash for crash info files. You can read through these and
or
> > > download them to add to your TAC case.  You have a memory error and
may
> > need
> > > to swap out a stick of memory.
> > >
> > > Searching "Cache Error Exception 4700" and "Cache Parity Exception
4500"
> > > separately gives you many links that will help you to understand what
is
> > > happening.  You do not need a CCO account to do this search.
> > >
> > > Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54935&t=54591



OT: Anyone want a small Telco Systems brand rack for $20? For [7:54936]

2002-10-05 Thread Thomas Larus

I have sold so much of my lab that I no longer need this small, stackable
and wall-mountable rack.  It has nice big rubber feet for standing on a
surface.  Wall mountable with door, but I cannot find the key.  I have the
door off for easy lab access and because the door could cramp the
wiring/cabling situation.

approx 21" width 18" height by 17" depth

Has handles on the side. Good for Cisco 2600s and 2500s.

Pickups only.  Do not ask about shipping.


Also, I have a bunch of (5 or 6 or so) RJ-45 Token ring MAUs that I am
giving away FREE to anyone who wants to pick them up (as-is).


Tom Larus, CCIE #10,104
540-368-2601




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54936&t=54936



How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread John Zaggat

I am just trying to think of how to restrict hubs from being used in the
LAN. Politically it's a mess and despite a lot of discussions certain people
are able to add hubs at will wherever they want. So I was trying to think
of a way to stop that within the switch. Now normally these ports that the
hubs are connected to show several MAC addresses when I do "show cam", which
gives me an idea: is there any way to restrict host ports to only accept one
MAC address? I don't want to hardcode the MAC address because that would be
too much of an administrative burden. But if I could restrict the port to
accept just one MAC address then that will make these hubs useless. Well,
anyway, let me know if I am way off here, but are there any other tricks in
use by any of you guys? I'll appreciate any pointers.
JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54937&t=54937



=======> FIREWALL <======== [7:54938]

2002-10-05 Thread Joupin

Hi all

Would you tell me of any website that contains materials and concepts of firewall
implementation with different brands like Cisco and Checkpoint?


Appreciated
Joupin
www.joupin.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54938&t=54938



RE: How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread Daren Presbitero

John,

You can enable port security on the switch ports to only allow a specific
number of MACs.  See below:

LILO#config t
Enter configuration commands, one per line.  End with CNTL/Z.
LILO(config)#int fa0/1
LILO(config-if)#port ?
  block          Forwarding of unknown uni/multi cast addresses
  group          Place this interface in a port group
  monitor        Monitor another interface
  network        Configure an interface to be a network port
  protected      Configure an interface to be a protected port
  security       Configure an interface to be a secure port
  storm-control  Configure storm control parameters

LILO(config-if)#port security ?
  action action to take for security violation
  aging  Enable Port-security aging
  max-mac-count  maximum mac address count
  

LILO(config-if)#port security max-mac-count ?
Maximum mac address count for this secure port

LILO(config-if)#port security max-mac-count 1

LILO(config-if)#port security action ?
  shutdown  shut down the port from which security violation is detected
  trap  send snmp trap for security violaiton

LILO(config-if)#port security action shutdown


Hope this helps,
Daren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Zaggat
Sent: Saturday, October 05, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: How to restrict hubs in a LAN [7:54937]


I am just trying to think of how to restrict hubs from being used in the
LAN. Politically it's a mess and despite a lot of discussions certain people
are able to add hubs at will wherever they want. So I was trying to think
of a way to stop that within the switch. Now normally these ports that the
hubs are connected to show several MAC addresses when I do "show cam", which
gives me an idea: is there any way to restrict host ports to only accept one
MAC address? I don't want to hardcode the MAC address because that would be
too much of an administrative burden. But if I could restrict the port to
accept just one MAC address then that will make these hubs useless. Well,
anyway, let me know if I am way off here, but are there any other tricks in
use by any of you guys? I'll appreciate any pointers.
JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54939&t=54937



Re: How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread Kevin Wigle

Take a look into Port Security.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html

In the event of a security violation, you can configure the port to go into
shutdown mode or restrictive mode. The shutdown mode option allows you to
specify whether the port is permanently disabled or disabled for only a
specified time. The default is for the port to shut down permanently. The
restrictive mode allows you to configure the port to remain enabled during a
security violation and drop only packets that are coming in from insecure
hosts.

Kevin Wigle


- Original Message -
From: "John Zaggat" 
To: 
Sent: Saturday, October 05, 2002 5:01 PM
Subject: How to restrict hubs in a LAN [7:54937]


> I am just trying to think of how to restrict hubs from being used in the
> LAN. Politically it's a mess and despite a lot of discussions certain people
> are able to add hubs at will wherever they want. So I was trying to think
> of a way to stop that within the switch. Now normally these ports that the
> hubs are connected to show several MAC addresses when I do "show cam", which
> gives me an idea: is there any way to restrict host ports to only accept one
> MAC address? I don't want to hardcode the MAC address because that would be
> too much of an administrative burden. But if I could restrict the port to
> accept just one MAC address then that will make these hubs useless. Well,
> anyway, let me know if I am way off here, but are there any other tricks in
> use by any of you guys? I'll appreciate any pointers.
> JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54940&t=54937
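As an added example (not from either of the two port-security replies above, and not Cisco code), the following models what `port security max-mac-count 1` does under each violation action, and includes a helper that picks out hub candidates from `show mac address-table` style output before the feature is turned on. The sample frames and table text are constructed; names are the example's own. Two practical caveats: with the shutdown action the port is err-disabled, which also cuts off the first, legitimately learned host until someone clears it; and anything that legitimately presents two MACs on one port, an IP phone with a PC behind it for instance, trips a limit of 1 just as a hub does. Uplink ports must be excluded from the hub search, since they carry many MACs by design.

```python
"""Added example: what 'port security max-mac-count 1' does with each
violation action, plus a helper that finds hub candidates in a MAC table
before the feature is enabled.  Not from the posts or from Cisco; names,
frames and table text are constructed."""
import re
from dataclasses import dataclass, field

MAC_TABLE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1
    violation: str = "shutdown"     # "shutdown" (err-disable), "restrict" (drop+count), "protect" (drop)
    learned: list = field(default_factory=list)
    errdisabled: bool = False
    violations: int = 0

    def ingress(self, src_mac):
        """Handle one frame by source MAC: 'forward', 'drop' or 'errdisable'."""
        if self.errdisabled:
            return "errdisable"                 # nothing passes until an admin clears it
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_macs:
            self.learned.append(src_mac)        # dynamic learning up to the limit
            return "forward"
        if self.violation == "shutdown":
            self.errdisabled = True             # takes the learned host down too
            self.violations += 1
            return "errdisable"
        if self.violation == "restrict":
            self.violations += 1                # counted / trapped; secure host keeps working
        return "drop"                           # protect: silent drop


def macs_by_port(mac_table_text):
    """Group MAC addresses by port from 'show mac address-table' style output."""
    ports = {}
    for line in mac_table_text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            ports.setdefault(m.group(3), set()).add(m.group(2).lower())
    return ports


def hub_candidates(mac_table_text, exclude=(), threshold=2):
    """Ports (not in exclude, e.g. uplinks) that show threshold or more MACs."""
    return sorted(p for p, macs in macs_by_port(mac_table_text).items()
                  if p not in exclude and len(macs) >= threshold)


def replay(port, frames):
    """Feed a sequence of source MACs through a SecurePort; return the verdicts."""
    return [port.ingress(mac) for mac in frames]


# Constructed sample output in the IOS 'show mac address-table dynamic' layout.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0010.7b3a.1b21    DYNAMIC     Fa0/1
  10    0800.2b4c.9a01    DYNAMIC     Fa0/1
  10    0010.7b3a.1b22    DYNAMIC     Fa0/1
  10    00d0.b7a1.0c44    DYNAMIC     Fa0/2
  10    0030.94c2.ee10    DYNAMIC     Gi0/1
  20    0030.94c2.ee11    DYNAMIC     Gi0/1
  20    0002.b3d4.7f90    DYNAMIC     Gi0/1
"""
UPLINKS = {"Gi0/1"}

# Constructed frames from the hub on Fa0/1: host A, then B and C behind the same hub.
HUB_FRAMES = ["0010.7b3a.1b21", "0010.7b3a.1b21", "0800.2b4c.9a01",
              "0010.7b3a.1b21", "0010.7b3a.1b22"]

if __name__ == "__main__":
    print("hub candidates:", hub_candidates(SAMPLE_MAC_TABLE, exclude=UPLINKS))
    for action in ("shutdown", "restrict"):
        p = SecurePort("Fa0/1", max_macs=1, violation=action)
        print(action, replay(p, HUB_FRAMES), "violations:", p.violations)
```

The shutdown replay shows the whole port going dark on the second MAC, which is what makes a hub useless but also generates the help-desk call; the restrict replay keeps the first host working and only drops the others, which is the quieter choice when the goal is to stop the hub rather than punish the user.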



Re: =======> FIREWALL <======== [7:54938]

2002-10-05 Thread Gaz

In article , [EMAIL PROTECTED] says...
> Hi all
> 
> Would you tell me of any website that contains materials and concepts of firewall
> implementation with different brands like Cisco and Checkpoint?
> 
> 
> Appreciated
> Joupin
> www.joupin.com
I've done more Pix than Checkpoint, although I haven't gone for the 
qualifications in Cisco yet. The best place I have found for Firewall-1 
is www.phoneboy.com.
He is excellent.
The best place for the Pix is still CCO as far as I know.

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54941&t=54938



Re: Anyone want a small Telco Systems brand rack for $20? For [7:54942]

2002-10-05 Thread Thomas Larus

Sorry.  The Fredericksburg, VA location got cut off.


""Thomas Larus""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I have sold so much of my lab that I no longer need this small, stackable
> and wall-mountable rack.  It has nice big rubber feet for standing on a
> surface.  Wall mountable with door, but I cannot find the key.  I have the
> door off for easy lab access and because the door could cramp the
> wiring/cabling situation.
>
> approx 21" width 18" height by 17" depth
>
> Has handles on the side. Good for Cisco 2600s and 2500s.
>
> Pickups only.  Do not ask about shipping.
>
>
> Also, I have a bunch of (5 or 6 or so) RJ-45 Token ring MAUs that I am
> giving away FREE to anyone who wants to pick them up (as-is).
>
>
> Tom Larus, CCIE #10,104
> 540-368-2601




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54942&t=54942



Re: GBIC's - Cisco and otherwise [7:51148]

2002-10-05 Thread Chuck's Long Road

""Ken Diliberto""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> If they're all built to the standard, why does Cisco require different
> OS versions to support different GBICs?  I have a 1000TX GBIC Cisco says
> isn't supported in a 5500.


CL: think of GBIC's in the same way you think about NIC's. You can pop any
old NIC into your PC or server, but it won't help you until the proper
drivers are installed and loaded.

CL: with the 5xxx boxes essentially EOL, it may be that Cisco doesn't want
to devote resources to adding the hardware support. So get out your
checkbook and help out the old economy by springing for some 65xx's ;->


>
> Maybe I'm just not meant to understand things like this...  :-)
>
> >>> "seadon"  10/05/02 09:38AM >>>
> I've bought over 100 of these from Cisco, and the simple fact was that
> there
> was no one Cisco model.  I saw at least three different versions from
> Cisco
> and some definitely did not have the Cisco name on them.  It is
> possible the
> Agilent unit did come from Cisco.  My advice is that if it works, it
> probably is fine.  If I understand correctly, a GBIC is built to the
> GMII
> Gigabit Media Independent Interface standard so interchange should be
> implied.
> Don
>
>
> ""Chuck's Long Road""  wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > I took a bit of a risk, and purchased some GBIC;s off That Auction
> Site.
> Of
> > the four, three are Cisco branded, and the fourth is labeled
> "Agilent" (
> > used to be HP )
> >
> > I had done a bit of investigation prior to purchase. I see that the
> Auction
> > Site has listings for Agilent, IBM, and Extreme GBIC's, as well as
> Cisco.
> > However, I was unable to find any direct and clearly stated
> indication
> that
> > all GBIC's are interchangeable.
> >
> > IBM and Agilent GBIC's cost few pretty pennies less than Cisco BTW,
> although
> > I suspect now that the same source OEM's for all these
> manufacturers.
> >
> > So I paid my money, took my chance, and have an Agilent GBIC on one
> switch
> > connected to a Cisco GBIC on another. No connectivity problems. Came
> right
> > up. Is passing traffic even as I write.
> >
> > Thinking logically, why should GBIC's be any different that NIC's or
> patch
> > cables, transceivers of various sorts and brands, or CSU/DSU's? They
> are
> all
> > build to industry specifications and industry standards. They all do
> the
> > same thing.
> >
> > Just thought I'd pass that along to those trying to stretch their
> practice
> > lab or network upgrade dollars.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54943&t=51148



Re: router boots in to rommon [7:54591]

2002-10-05 Thread Chuck's Long Road

This might seem dumb, but could some prankster have the command "rommon" in
the startup config?

Have you watched the boot process to see if it might be doing things
normally until a certain point?

Have you gone through the password recovery process to see if you can get to
the config to look?



"nettable_walker" wrote in message news:[EMAIL PROTECTED]...
> I replaced the RAM with known good RAM & got the same result.
> I took out all modules & got the same result.
>
>
> I am trying to get Cisco to replace the router.
>
>
>
> rommon 1 >
> rommon 1 >
> rommon 1 >
> rommon 1 > dev
> Devices in device table:
> id  name
> flash:  flash
> bootflash:  boot flash
> eprom:  eprom
> rommon 2 > dir flash:
>  File size   Checksum   File name
>  4704832 bytes (0x47ca40)   0xdcec     c4500-is-mz.120-7.bin
> rommon 3 >
> System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
> Copyright (c) 1994 by cisco Systems, Inc.
> C4500 processor with 32768 Kbytes of main memory
>
> program load complete, entry point: 0x80008000, size: 0x2b01c4
>
> *** Cache Error Exception ***
> Cache Err Reg = 0xa0280108
> data reference, primary cache, data field error , error not on SysAD Bus
> PC = 0x80008b00, Cause = 0x0, Status Reg = 0x30408405
>
> monitor: command "boot" aborted due to exception*(Hh.MQ.5Bootstrap,
> Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
> Copyright (c) 1994 by cisco Systems, Inc.
> C4500 processor with 32768 Kbytes of main memory
>
> rommon 1 > boot flash:
> program load complete, entry point: 0x80008000, size: 0x47c924
>
> *** Cache Error Exception ***
> Cache Err Reg = 0xa0080108
> data reference, primary cache, data field error , error not on SysAD Bus
> PC = 0x800083d0, Cause = 0x8000, Status Reg = 0x30408405
>
> monitor: command "boot" aborted due to exception
> rommon 2 >
> rommon 1 >
> rommon 1 >
> rommon 1 >
> rommon 1 > dev
> Devices in device table:
> id  name
> flash:  flash
> bootflash:  boot flash
> eprom:  eprom
> rommon 2 > dir bootflash:
>  File size   Checksum   File name
>  2818784 bytes (0x2b02e0)   0xb62f     c4500-boot-mz.122-1.bin
> rommon 3 > dir flash:
>  File size   Checksum   File name
>  4704832 bytes (0x47ca40)   0xdcec     c4500-is-mz.120-7.bin
> rommon 4 > boot flash:c4500-is-mz.120-7.bin
> program load complete, entry point: 0x80008000, size: 0x47c924
>
> *** Cache Error Exception ***
> Cache Err Reg = 0xa0080108
> data reference, primary cache, data field error , error not on SysAD Bus
> PC = 0x800083d0, Cause = 0x0, Status Reg = 0x30408405
>
> monitor: command "boot" aborted due to exception
> rommon 5 > boot flash:
> program load complete, entry point: 0x80008000, size: 0x47c924
>
> *** Cache Error Exception ***
> Cache Err Reg = 0xa0080108
> data reference, primary cache, data field error , error not on SysAD Bus
> PC = 0x800083d0, Cause = 0x0, Status Reg = 0x30408405
>
> monitor: command "boot" aborted due to exception
> rommon 6 > x
> System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
> Copyright (c) 1994 by cisco Systems, Inc.
>
> Bad RAM at location 0xA000: wrote 0xA000, read 0x
> the above was a boot attempt with NO RAM
>
>
> System Bootstrap, Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
> Copyright (c) 1994 by cisco Systems, Inc.
> C4500 processor with 32768 Kbytes of main memory
>
> program load complete, entry point: 0x80008000, size: 0x2b01c4
>
> *** Cache Error Exception ***
> Cache Err Reg = 0xa4280118
> data reference, primary cache, data field error , error on SysAD Bus
> PC = 0x80008b00, Cause = 0x0, Status Reg = 0x30408405
>
> monitor: command "boot" aborted due to exception*(Hh.MQ.5Bootstrap,
> Version 5.3(10) [tamb 10], RELEASE SOFTWARE (fc1)
> Copyright (c) 1994 by cisco Systems, Inc.
> C4500 processor with 32768 Kbytes of main memory
>
> rommon 1 >
> //
> "Marc Thach Xuan Ky" wrote in message news:[EMAIL PROTECTED]...
> > Hi,
> > I had a very similar message, I changed the cache and main RAM, but I
> > just got different error messages.  I concluded that I had a bad
> > backplane.  However, I swapped around the NP modules, and it's been
> > working fine since 
> > rgds
> > Marc
> >
> > nettable_walker wrote:
> > >
> > > Thank you
> > > I already swapped memory once, but I will try it again.
> > >
> > > "Kim Graham" wrote in message news:[EMAIL PROTECTED]...
> > > > Check your flash for crash info files. You can read through these
> > > > and/or download them to add to your TAC case.  You have a memory
> > > > error and may need to swap out a stick of memory.
> > > >
> > > > Searching "Cache Error Exception 4700" and "Cache Parity Exception
> > > > 4500" separately gives you many links that will help you to
> > > > understand what is happening.  You do not need a CCO account to do
> > > > this search.
> > > >
> > > > Kim





Re: GBIC's - Cisco and otherwise [7:51148]

2002-10-05 Thread Ken Diliberto

OK.  That makes more sense.  I thought the GBIC had more guts, kinda
like an IDE drive having the controller on the drive.

Don't worry about our contribution to the economy...  we're buying
15-20 of those pesky 65xx's.

>>> "Chuck's Long Road"  10/05/02 03:25PM >>>
"Ken Diliberto" wrote in message news:[EMAIL PROTECTED]...
> If they're all built to the standard, why does Cisco require different
> OS versions to support different GBICs?  I have a 1000TX GBIC Cisco says
> isn't supported in a 5500.


CL: think of GBICs in the same way you think about NICs. You can pop any
old NIC into your PC or server, but it won't help you until the proper
drivers are installed and loaded.

CL: with the 5xxx boxes essentially EOL, it may be that Cisco doesn't want
to devote resources to adding the hardware support. So get out your
checkbook and help out the old economy by springing for some 65xx's
;->


>
> Maybe I'm just not meant to understand things like this...  :-)
>
> >>> "seadon"  10/05/02 09:38AM >>>
> I've bought over 100 of these from Cisco, and the simple fact was that
> there was no one Cisco model.  I saw at least three different versions
> from Cisco and some definitely did not have the Cisco name on them.  It is
> possible the Agilent unit did come from Cisco.  My advice is that if it
> works, it probably is fine.  If I understand correctly, a GBIC is built to
> the GMII Gigabit Media Independent Interface standard so interchange
> should be implied.
> Don
>
>
> "Chuck's Long Road" wrote in message news:[EMAIL PROTECTED]...
> > I took a bit of a risk, and purchased some GBICs off That Auction Site.
> > Of the four, three are Cisco branded, and the fourth is labeled
> > "Agilent" (used to be HP)
> >
> > I had done a bit of investigation prior to purchase. I see that the
> > Auction Site has listings for Agilent, IBM, and Extreme GBICs, as well
> > as Cisco. However, I was unable to find any direct and clearly stated
> > indication that all GBICs are interchangeable.
> >
> > IBM and Agilent GBICs cost a few pretty pennies less than Cisco BTW,
> > although I suspect now that the same source OEMs for all these
> > manufacturers.
> >
> > So I paid my money, took my chance, and have an Agilent GBIC on one
> > switch connected to a Cisco GBIC on another. No connectivity problems.
> > Came right up. Is passing traffic even as I write.
> >
> > Thinking logically, why should GBICs be any different than NICs or
> > patch cables, transceivers of various sorts and brands, or CSU/DSUs?
> > They are all built to industry specifications and industry standards.
> > They all do the same thing.
> >
> > Just thought I'd pass that along to those trying to stretch their
> > practice lab or network upgrade dollars.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54945&t=51148



Re: =======> FIREWALL <======== [7:54938]

2002-10-05 Thread Robert

I would also suggest checking out one of the many great books on firewalls
in general.  I used "Firewalls 24-7".  It talks about firewall concepts and
has descriptions of several popular firewalls with the pros and cons of each.

"Gaz" wrote in message news:[EMAIL PROTECTED]...
> In article , [EMAIL PROTECTED] says...
> > Hi all
> >
> > Would you tell me any website that contains materials and concepts of
> > firewall implementation with different brands like Cisco and Checkpoint
> >
> >
> > Appreciated
> > Joupin
> > www.joupin.com
> I've done more Pix than Checkpoint, although I haven't gone for the
> qualifications in Cisco yet. The best place I have found for Firewall-1
> is www.phoneboy.com.
> He is excellent.
> The best place for the Pix is still CCO as far as I know.
>
> Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54946&t=54938



I would like to connect the ATM blade on my Catalyst 5505 to a [7:54947]

2002-10-05 Thread nettable_walker

10/5/2002   9:50pm  Saturday




RLP_5505 (enable) sho module
Mod Slot Ports Module-Type               Model    Sub Status
--- ---- ----- ------------------------- -------- --- ------
1   1    2     1000BaseX Supervisor IIIG WS-X5550 no  ok
2   2    2     MM OC-3 Dual-Phy ATM      WS-X5158 no  ok
3   3    24    10/100BaseTX Ethernet     WS-X5224 no  ok
4   4    24    10/100BaseTX Ethernet     WS-X5224 no  ok
5   5    24    10/100BaseTX Ethernet     WS-X5224 no  ok

Mod MAC-Address(es)                        Hw  Fw      Sw
--- -------------------------------------- --- ------- --------------
1   00-90-bf-23-ac-00 to 00-90-bf-23-af-ff 1.2 5.1(1)  6.3(9)
2   00-10-7b-42-b3-d6                      2.1 1.3     12.0(22)W5(25)
3   00-10-7b-49-07-20 to 00-10-7b-49-07-37 1.4 3.1(1)  6.3(9)
4   00-10-7b-94-fb-30 to 00-10-7b-94-fb-47 1.4 3.1(1)  6.3(9)
5   00-10-7b-94-fc-20 to 00-10-7b-94-fc-37 1.4 3.1(1)  6.3(9)
RLP_5505 (enable)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54947&t=54947



Catalyst ATM blade to Marconi ASX-200WG [7:54948]

2002-10-05 Thread nettable_walker

10/5/2002   9:50pm  Saturday


I would like to connect the ATM blade on my Catalyst 5505 to a Marconi/FORE
ASX-200WG

Can anyone guide me thru setting it up ?







RLP_5505 (enable) sho module
Mod Slot Ports Module-Type               Model    Sub Status
--- ---- ----- ------------------------- -------- --- ------
1   1    2     1000BaseX Supervisor IIIG WS-X5550 no  ok
2   2    2     MM OC-3 Dual-Phy ATM      WS-X5158 no  ok
3   3    24    10/100BaseTX Ethernet     WS-X5224 no  ok
4   4    24    10/100BaseTX Ethernet     WS-X5224 no  ok
5   5    24    10/100BaseTX Ethernet     WS-X5224 no  ok

Mod MAC-Address(es)                        Hw  Fw      Sw
--- -------------------------------------- --- ------- --------------
1   00-90-bf-23-ac-00 to 00-90-bf-23-af-ff 1.2 5.1(1)  6.3(9)
2   00-10-7b-42-b3-d6                      2.1 1.3     12.0(22)W5(25)
3   00-10-7b-49-07-20 to 00-10-7b-49-07-37 1.4 3.1(1)  6.3(9)
4   00-10-7b-94-fb-30 to 00-10-7b-94-fb-47 1.4 3.1(1)  6.3(9)
5   00-10-7b-94-fc-20 to 00-10-7b-94-fc-37 1.4 3.1(1)  6.3(9)
RLP_5505 (enable)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54948&t=54948



Re: How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread John Zaggat

Thanks guys, that's pretty good information, but do you think, in your
opinion, that is a good approach to deal with this problem? Do you see any
caveats, and are there any other ways this can be dealt with?
"Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> take a look into Port Security.
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
>
> In the event of a security violation, you can configure the port to go
> into shutdown mode or restrictive mode. The shutdown mode option allows
> you to specify whether the port is permanently disabled or disabled for
> only a specified time. The default is for the port to shut down
> permanently. The restrictive mode allows you to configure the port to
> remain enabled during a security violation and drop only packets that
> are coming in from insecure hosts.
>
> Kevin Wigle
>
>
> - Original Message -
> From: "John Zaggat"
> To:
> Sent: Saturday, October 05, 2002 5:01 PM
> Subject: How to restrict hubs in a LAN [7:54937]
>
>
> > I am just trying to think of how to restrict Hubs from being used in the
> > LAN. Politically it's a mess and despite a lot of discussions certain
> > people are able to add hubs at will wherever they want. So I was trying to
> > think of a way to stop that within the switch. Now normally these ports
> > that the hubs are connected to show several mac addresses when I do "show
> > cam" which gives me an idea: is there any way to restrict host ports to
> > only accept one mac-address. I don't want to hardcode the mac-address
> > because that would be too much of an administrative burden. But if I could
> > restrict the port to accept just one mac-address then that will make these
> > hubs useless. Well anyways let me know if I am way off here but are there
> > any other tricks in use by any of you guys. I'll appreciate any pointers.
> > JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54949&t=54937
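Kevin's port-security pointer and JZ's "show cam" observation fit together: the ports worth locking down are the ones that have already learned more than one MAC. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the text of a CatOS "show cam dynamic" capture (the sample embedded in it is constructed, not taken from a real switch), skips ports you list as uplinks or trunks, reports every other port carrying more than one address, and prints the CatOS port-security commands that would cap that port at one MAC with the restrict (drop, not shut down) action. The command syntax is what I recall from CatOS 6.x and is an assumption to check against the configuration guide Kevin linked; the column layout the regex expects is likewise assumed from that release's output.

```python
"""Find Catalyst access ports that have learned more than one MAC address.

Added example for this thread, not code from the list or from Cisco.
Input is the text of a CatOS 'show cam dynamic' capture; the sample below
is constructed, not taken from a real switch.  Ports listed in `exclude`
(uplinks and trunks, which legitimately learn many addresses) are skipped.
"""
import re
from collections import defaultdict

# Constructed sample output (not a real capture).  Port 1/1 is the
# supervisor uplink, 3/5 has a hub behind it, 4/7 is a PC bridging two NICs.
SAMPLE_SHOW_CAM = """\
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
1     00-a0-c9-11-22-33             3/1 [ALL]
1     00-d0-b7-1a-2c-33             3/5 [ALL]
1     00-d0-b7-1a-2c-34             3/5 [ALL]
1     00-d0-b7-1a-2c-35             3/5 [ALL]
10    00-50-04-aa-bb-01             4/7 [ALL]
10    00-50-04-aa-bb-02             4/7 [ALL]
1     00-00-0c-07-ac-01             1/1 [ALL]
1     00-a0-c9-44-55-66             1/1 [ALL]
1     00-a0-c9-77-88-99             1/1 [ALL]
Total Matching CAM Entries Displayed  = 9
"""

# One CAM entry: VLAN, MAC in Cisco dashed form, optional CoS, then mod/port.
# Column layout is assumed from CatOS 6.x output.
CAM_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(?:\d+\s+)?"                    # optional CoS column
    r"(?P<port>\d+/\d+)"
)


def parse_show_cam(text):
    """Map each mod/port to the set of MACs learned on it.  Legend, header
    and total lines do not match CAM_LINE and are ignored."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        m = CAM_LINE.match(line)
        if m:
            macs_by_port[m.group("port")].add(m.group("mac").lower())
    return dict(macs_by_port)


def find_multi_mac_ports(text, exclude=(), limit=1):
    """Return [(port, sorted MAC list)] for ports with more than `limit`
    learned MACs, skipping `exclude`, ordered by module then port."""
    excluded = set(exclude)
    hits = [(port, sorted(macs))
            for port, macs in parse_show_cam(text).items()
            if port not in excluded and len(macs) > limit]
    return sorted(hits, key=lambda h: tuple(int(x) for x in h[0].split("/")))


def port_security_commands(port, limit=1):
    """CatOS commands to cap `port` at `limit` MACs and drop (not shut down)
    frames from any further address.  Syntax is from memory of CatOS 6.x and
    is an assumption to verify against the configuration guide."""
    return [
        f"set port security {port} enable",
        f"set port security {port} maximum {limit}",
        f"set port security {port} violation restrict",
    ]


if __name__ == "__main__":
    uplinks = {"1/1"}    # supervisor uplink: many MACs are normal there
    for port, macs in find_multi_mac_ports(SAMPLE_SHOW_CAM, exclude=uplinks):
        print(f"{port}: {len(macs)} MACs learned ({', '.join(macs)})")
        for cmd in port_security_commands(port):
            print("    " + cmd)
```

To use it on a real switch, read a saved "show cam dynamic" capture into find_multi_mac_ports in place of SAMPLE_SHOW_CAM and keep the supervisor uplink and any trunk ports in the exclude set, since they legitimately learn many addresses. A PC bridging two NICs, which JZ mentions later in the thread, shows up the same way as a hub, because the bridge forwards frames sourced from the second machine's MAC. Restrict rather than shutdown is the gentler default here: the first host keeps working and only the extra addresses are dropped, so a mistaken flag does not take a desk off the network.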



Re: How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread Chuck's Long Road

As much of a rulemeister as I am, I still have to look at this from the user
standpoint. Why are users throwing their own hubs onto the network? Is there
a business case to be made? Is facilities too slow getting requested cable
pulls done?

What is the concern with a user plugging a hub in at the desk and then
connecting a couple of extra PCs? If the problem is one of dual homing by
accident or otherwise, I can see the issue with spanning tree
recalculations. But in a single home situation, what do you see as the
issues?

When you say that "politically, it's a mess" what does that mean? High
powered sales people throwing their weight around? Management does not
respect your input or concerns? Something bad is happening, and it's rolling
downhill?

I'm not questioning the wisdom or the necessity for doing what others have
suggested. I'm just wondering why it is necessary for the network manager /
network staff to unilaterally cut off user access.




"John Zaggat" wrote in message news:[EMAIL PROTECTED]...
> Thanks guys, that's pretty good information, but do you think, in your
> opinion, that is a good approach to deal with this problem? Do you see any
> caveats, and are there any other ways this can be dealt with?
> "Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> > take a look into Port Security.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> >
> > In the event of a security violation, you can configure the port to go
> > into shutdown mode or restrictive mode. The shutdown mode option allows
> > you to specify whether the port is permanently disabled or disabled for
> > only a specified time. The default is for the port to shut down
> > permanently. The restrictive mode allows you to configure the port to
> > remain enabled during a security violation and drop only packets that
> > are coming in from insecure hosts.
> >
> > Kevin Wigle
> >
> >
> > - Original Message -
> > From: "John Zaggat"
> > To:
> > Sent: Saturday, October 05, 2002 5:01 PM
> > Subject: How to restrict hubs in a LAN [7:54937]
> >
> >
> > > I am just trying to think of how to restrict Hubs from being used in the
> > > LAN. Politically it's a mess and despite a lot of discussions certain
> > > people are able to add hubs at will wherever they want. So I was trying to
> > > think of a way to stop that within the switch. Now normally these ports
> > > that the hubs are connected to show several mac addresses when I do "show
> > > cam" which gives me an idea: is there any way to restrict host ports to
> > > only accept one mac-address. I don't want to hardcode the mac-address
> > > because that would be too much of an administrative burden. But if I could
> > > restrict the port to accept just one mac-address then that will make these
> > > hubs useless. Well anyways let me know if I am way off here but are there
> > > any other tricks in use by any of you guys. I'll appreciate any pointers.
> > > JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54950&t=54937



Re: How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread Kevin Wigle

Well, that's practically a "layer 8" problem.

Does your organization have a security policy that spells out to users that
no - you cannot attach a hub to your port?

If it's not forbidden then why restrict it?

You speak of administrative burden; once the troops figure out what you've
done will they have recourse to a manager that can order you to let them
have their hub?

As is often asked here, what problem are you trying to solve?  If users need
more connectivity can they get it?

Do you need to be looking at putting in more switches/ports?

I have used port security and it works, but we have a security policy that
spells out - no hubs.

Kevin Wigle

- Original Message -
From: "John Zaggat" 
To: 
Sent: Saturday, October 05, 2002 11:30 PM
Subject: Re: How to restrict hubs in a LAN [7:54937]


> Thanks guys, that's pretty good information, but do you think, in your
> opinion, that is a good approach to deal with this problem? Do you see any
> caveats, and are there any other ways this can be dealt with?
> "Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> > take a look into Port Security.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> >
> > In the event of a security violation, you can configure the port to go
> > into shutdown mode or restrictive mode. The shutdown mode option allows
> > you to specify whether the port is permanently disabled or disabled for
> > only a specified time. The default is for the port to shut down
> > permanently. The restrictive mode allows you to configure the port to
> > remain enabled during a security violation and drop only packets that
> > are coming in from insecure hosts.
> >
> > Kevin Wigle
> >
> >
> > - Original Message -
> > From: "John Zaggat"
> > To:
> > Sent: Saturday, October 05, 2002 5:01 PM
> > Subject: How to restrict hubs in a LAN [7:54937]
> >
> >
> > > I am just trying to think of how to restrict Hubs from being used in the
> > > LAN. Politically it's a mess and despite a lot of discussions certain
> > > people are able to add hubs at will wherever they want. So I was trying to
> > > think of a way to stop that within the switch. Now normally these ports
> > > that the hubs are connected to show several mac addresses when I do "show
> > > cam" which gives me an idea: is there any way to restrict host ports to
> > > only accept one mac-address. I don't want to hardcode the mac-address
> > > because that would be too much of an administrative burden. But if I could
> > > restrict the port to accept just one mac-address then that will make these
> > > hubs useless. Well anyways let me know if I am way off here but are there
> > > any other tricks in use by any of you guys. I'll appreciate any pointers.
> > > JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54951&t=54937



test [7:54952]

2002-10-05 Thread Tafasi John

test



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54952&t=54952



LightStream 100 atm switch [7:54953]

2002-10-05 Thread John Tafasi

I have a LightStream ATM switch. Is it enough for practicing for the CCIE lab?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54953&t=54953



Re: How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread David j

See inline..
Chuck's Long Road wrote:
>
> as much of a rulemeister as I am, I still have to look at this from the
> user standpoint. Why are users throwing their own hubs onto the network?
> Is there a business case to be made? Is facilities too slow getting
> requested cable pulls done?
>
> what is the concern with a user plugging a hub in at the desk and then
> connecting a couple of extra PCs? if the problem is one of dual homing by
> accident or otherwise, I can see the issue with spanning tree
> recalculations. But in a single home situation, what do you see as the
> issues?
>

I see one issue: collisions. If you have a switched network you don't want
to deal with collisions that hubs normally produce. I have to recognize,
though, that hubs sometimes are very convenient and I'm the first one using
them.

> when you say that "politically, it's a mess" what does that mean? high
> powered sales people throwing their weight around? management does not
> respect your input or concerns? something bad is happening, and it's
> rolling downhill?
>
In some environments it's politically unacceptable. I know some hospitals in
which you have to fill in a lot of papers before being allowed to use a PC,
so in those environments this could perfectly be part of the policy.

> I'm not questioning the wisdom or the necessity for doing what others
> have suggested. I'm just wondering why it is necessary for the network
> manager / network staff to unilaterally cut off user access.
>
>
>
>
> "John Zaggat" wrote in message news:[EMAIL PROTECTED]...
> > Thanks guys, that's pretty good information, but do you think, in your
> > opinion, that is a good approach to deal with this problem? Do you see
> > any caveats, and are there any other ways this can be dealt with?
> > "Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> > > take a look into Port Security.
> > >
> > > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> > >
> > > In the event of a security violation, you can configure the port to
> > > go into shutdown mode or restrictive mode. The shutdown mode option
> > > allows you to specify whether the port is permanently disabled or
> > > disabled for only a specified time. The default is for the port to
> > > shut down permanently. The restrictive mode allows you to configure
> > > the port to remain enabled during a security violation and drop only
> > > packets that are coming in from insecure hosts.
> > >
> > > Kevin Wigle
> > >
> > >
> > > - Original Message -
> > > From: "John Zaggat"
> > > To:
> > > Sent: Saturday, October 05, 2002 5:01 PM
> > > Subject: How to restrict hubs in a LAN [7:54937]
> > >
> > >
> > > > I am just trying to think of how to restrict Hubs from being used
> > > > in the LAN. Politically it's a mess and despite a lot of
> > > > discussions certain people are able to add hubs at will wherever
> > > > they want. So I was trying to think of a way to stop that within
> > > > the switch. Now normally these ports that the hubs are connected
> > > > to show several mac addresses when I do "show cam" which gives me
> > > > an idea: is there any way to restrict host ports to only accept
> > > > one mac-address. I don't want to hardcode the mac-address because
> > > > that would be too much of an administrative burden. But if I could
> > > > restrict the port to accept just one mac-address then that will
> > > > make these hubs useless. Well anyways let me know if I am way off
> > > > here but are there any other tricks in use by any of you guys.
> > > > I'll appreciate any pointers.
> > > > JZ
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54954&t=54937



Re: Cisco Certification Digest V2 #2281 (Out of the Office) [7:54955]

2002-10-05 Thread Daniel Cevallos

I will be on vacation starting October 5 and will be returning to the office on
October 15, 2002.



Thanks,
Danny




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54955&t=54955



Re: How to restrict hubs in a LAN [7:54937]

2002-10-05 Thread JohnZ

Well, when I wrote the original post I knew I would have these questions.
Basically the first layer of support, or help desk if you will, have more PCs
than the drops in their cubes. This is an old building not meant for an IS
staff, so there is some frustration on their part. I am not going to question
if there is a legit need for folks to have 5 PCs when there is in fact a
separate staging area to set up and test PCs for users. Anyway, they know
enough to be dangerous and there is no standard on hubs and I have seen
where folks have created loops. Now with Windows XP I have seen some configs
where 2 NICs have been bridged via software; I am not sure with what intent.
Although it's been made clear many times not to use hubs, this is never
enforced and I did not want to spend my time daily trying to hunt down the
lawless. So that's when I thought if I could config the switch this will
discourage the hub usage or bridging within PCs. I hope that answers most of
the questions here.
"David j" wrote in message news:[EMAIL PROTECTED]...
> See inline..
> Chuck's Long Road wrote:
> >
> > as much of a rulemeister as I am, I still have to look at this from
> > the user standpoint. Why are users throwing their own hubs onto the
> > network? Is there a business case to be made? Is facilities too slow
> > getting requested cable pulls done?
> >
> > what is the concern with a user plugging a hub in at the desk and then
> > connecting a couple of extra PCs? if the problem is one of dual homing
> > by accident or otherwise, I can see the issue with spanning tree
> > recalculations. But in a single home situation, what do you see as the
> > issues?
> >
>
> I see one issue: collisions. If you have a switched network you don't want
> to deal with collisions that hubs normally produce. I have to recognize,
> though, that hubs sometimes are very convenient and I'm the first one using
> them.
>
> > when you say that "politically, it's a mess" what does that mean? high
> > powered sales people throwing their weight around? management does not
> > respect your input or concerns? something bad is happening, and it's
> > rolling downhill?
> >
> In some environments it's politically unacceptable. I know some hospitals
> in which you have to fill in a lot of papers before being allowed to use a
> PC, so in those environments this could perfectly be part of the policy.
>
> > I'm not questioning the wisdom or the necessity for doing what others
> > have suggested. I'm just wondering why it is necessary for the network
> > manager / network staff to unilaterally cut off user access.
> >
> >
> >
> >
> > "John Zaggat" wrote in message news:[EMAIL PROTECTED]...
> > > Thanks guys, that's pretty good information, but do you think, in
> > > your opinion, that is a good approach to deal with this problem? Do
> > > you see any caveats, and are there any other ways this can be dealt
> > > with?
> > > "Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> > > > take a look into Port Security.
> > > >
> > > > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> > > >
> > > > In the event of a security violation, you can configure the port
> > > > to go into shutdown mode or restrictive mode. The shutdown mode
> > > > option allows you to specify whether the port is permanently
> > > > disabled or disabled for only a specified time. The default is for
> > > > the port to shut down permanently. The restrictive mode allows you
> > > > to configure the port to remain enabled during a security violation
> > > > and drop only packets that are coming in from insecure hosts.
> > > >
> > > > Kevin Wigle
> > > >
> > > >
> > > > - Original Message -
> > > > From: "John Zaggat"
> > > > To:
> > > > Sent: Saturday, October 05, 2002 5:01 PM
> > > > Subject: How to restrict hubs in a LAN [7:54937]
> > > >
> > > >
> > > > > I am just trying to think of how to restrict Hubs from being
> > > > > used in the LAN. Politically it's a mess and despite a lot of
> > > > > discussions certain people are able to add hubs at will wherever
> > > > > they want. So I was trying to think of a way to stop that within
> > > > > the switch. Now normally these ports that the hubs are connected
> > > > > to show several mac addresses when I do "show cam" which gives me
> > > > > an idea: is there any way to restrict host ports to only accept
> > > > > one mac-address. I don't want to hardcode the mac-address because
> > > > > that would be too much of an administrative burden. But if I
> > > > > could restrict the port to accept just one mac-address then that
> > > > > will make these hubs useless. Well anyways
> > > > > let me know  if I a