RE: WLAN security matters [7:57160]

2002-11-12 Thread Yonkerbonk
As far as I know Cisco does support AES on the
Concentrators. It's on the roadmap for the router and
PIX, but already out for the Concentrators.

Michael

--- mike greenberg  wrote:
> paul,
> When I talked about IPSec, I mean to say that AES is not currently
> supported on Pix Firewalls on any VPN concentrator.  After I established
> connection via EAP/TLS on the wireless network, I have to make another
> IPSec connection via Cisco VPN client to make a secure connection to the
> internal network or surfing the Internet from my wireless "DMZ" segment.
> At the moment, I know that Pix does NOT support AES, only 3DES.
> CheckPoint has beaten Cisco to the punch with SecureRemote (CheckPoint
> Client that is similar to Cisco VPN client) that supports AES.  Now if
> you know where I can get AES for Pix firewall from Cisco, please let me
> know so that I can contact Cisco for support.
> Mike G.
>  Paul Forbes  wrote:
> Some notes/opinions:
> 
> 1. A stolen laptop should trigger an employee to contact Human
> Resources, Security and/or IS. Anything less on the part of said
> employee is cause for termination - period. Alternatively, if the
> perceived threat is via corporate/military espionage, then the
> short-term solution is IPsec (IMO defeating the valuable properties of
> wireless) and long-term PEAP. Better yet, no wireless access at all and
> lock your wired ports down via URT or some such.
> 
> 2. ACS v3.1 was released and is orderable, but I can't find a single
> thing regarding CRL support by the authentication server. I'm digging
> around within my Cisco contacts for an answer. If I hear anything on
> this front, I'll be sure to toss up a comment.
> 
> 3. Mike G. mentioned in a previous email the absence of AES in Cisco's
> product plans. This is NOT the case - the AP1200 product line was
> created so that, among other reasons, the CPU was capable of 256-bit
> AES. This was addressed in some detail at the San Diego Networkers'
> evening Product Session by Mike McAndrews, the Director of Product
> Management for the Wireless Networking BU.
> 
> Cheers all.
> 
> Paul
> 
> > -Original Message-
> > From: Roberts, Larry [mailto:Larry.Roberts@;expanets.com]
> > Sent: Monday, November 11, 2002 4:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: WLAN security matters [7:57160]
> > 
> > 
> > Going back to the original e-mail question.
> > 
> > I disagree that EAP-TLS is not a solution for sniffing. Technically any
> > wireless data can be sniffed, regardless of encryption. However, it will
> > be garbage until decoded. If you use EAP-TLS and set the rekeying to a
> > very short interval ( say 1 minute ) you would not be passing enough
> > data for the person to be able to decrypt using the weakness in the IV.
> > I'm not saying rekey every 1 minute, just that rekeying at 1 minute
> > would assure you that not enough data had passed. You need to weigh the
> > load on the server/the amount of wireless traffic/the amount of security
> > that you need, to come up with the rekeying interval.
> > 
> > The biggest drawback to EAP-TLS has been lack of support at the OS
> > level. Windows XP supports it natively, but all other Microsoft OS's
> > require additional software. Supposedly Microsoft is going to back fit
> > W2K , but they haven't released when. If you want vendor neutrality as I
> > am looking to do , you either need to be assured that all the vendors
> > release software that allows you to run EAP-TLS on your PC, or wait
> > until MS does it at the OS level.
> > I know that Cisco and Lucent have EAP-TLS aware clients, although I have
> > only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware
> > AP's, but I have yet to get the spare time to actually install my
> > AP-500.
> > 
> > With EAP-TLS, you must worry about stolen laptops, which will have the
> > Certificate stored automatically allowing access to the network. CSACS
> > 3.0 doesn't support CRL's , so until 3.1 comes out which I was told will
> > have CRL support, you will need to just disable the username on the
> > certificate.
> > 
> > The more obstacles that the end user must jump over, the more likely
> > that a rogue AP will pop up on the network.
> > It is critical IMO that the authentication to the network be as smooth
> > and transparent as possible. LEAP does an excellent job of that, but
> > it's proprietary :(
> > 
> > Just my opinion though
> > 
> > Thanks
> > 
> > Larry




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57275&t=57160
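
The trade-off Larry Roberts describes in the quoted message (rekey interval against the amount of traffic sent under one key), worked through as an added example that is not part of the thread. It uses the 24-bit WEP IV size; the 5 Mbit/s load, 1000-byte average frame and the function names are constructed for illustration.

```python
import math

IV_BITS = 24              # WEP sends a 24-bit IV in the clear with every frame
IV_SPACE = 2 ** IV_BITS   # 16,777,216 distinct IVs available per key


def frames_per_key(throughput_bps, avg_frame_bytes, rekey_seconds):
    """Frames encrypted under one key before the next rekey."""
    return throughput_bps / 8.0 / avg_frame_bytes * rekey_seconds


def sequential_iv_fraction(frames):
    """Share of the IV space used when the sender counts IVs upward."""
    return min(1.0, frames / IV_SPACE)


def random_iv_collision_probability(frames):
    """Birthday bound: chance that two frames under one key share an IV
    when the sender picks IVs at random. Two frames with the same key and
    IV are encrypted with the same RC4 keystream."""
    if frames < 2:
        return 0.0
    return -math.expm1(-frames * (frames - 1) / (2.0 * IV_SPACE))


def max_rekey_seconds(throughput_bps, avg_frame_bytes, frame_budget):
    """Longest rekey interval that keeps one key under frame_budget frames.
    frame_budget is a policy choice made by the operator (assumption)."""
    frames_per_second = throughput_bps / 8.0 / avg_frame_bytes
    return frame_budget / frames_per_second


def rekey_table(throughput_bps, avg_frame_bytes, intervals):
    """One row per candidate interval:
    (seconds, frames, sequential IV share, random-IV collision probability)."""
    rows = []
    for seconds in intervals:
        n = frames_per_key(throughput_bps, avg_frame_bytes, seconds)
        rows.append((seconds, n, sequential_iv_fraction(n),
                     random_iv_collision_probability(n)))
    return rows


if __name__ == "__main__":
    # Constructed load: one busy client at 5 Mbit/s, 1000-byte frames.
    for seconds, n, seq, coll in rekey_table(5_000_000, 1000,
                                             [1, 60, 600, 3600, 28800]):
        print(f"rekey {seconds:>6}s  frames/key {n:>12.0f}  "
              f"sequential IV space used {seq:7.2%}  "
              f"random-IV collision probability {coll:6.2%}")
    # Interval that caps one key at 100,000 frames under the same load.
    print("max interval for 100k frames:",
          max_rekey_seconds(5_000_000, 1000, 100_000), "s")
```

With a counting IV, a one-minute rekey uses well under one percent of the IV space at this load; with randomly chosen IVs, repeats within a single key are already near-certain at the same interval, so the IV-selection behaviour of the client matters as much as the interval.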
-

Re: CVoice 9E0-423 [7:42952]

2002-11-12 Thread Aryo Handoko
Does anybody have CVOICE materials??


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57276&t=42952
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Is my VPN module bad - look at my show diag please - field [7:57277]

2002-11-12 Thread H Howard Lewis Bloom
show ver
Cisco Internetwork Operating System Software 
IOS (tm) C1700 Software (C1700-K2O3SV3Y-M), Version 12.1(3)T,  RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 19-Jul-00 22:02 by ccai
Image text-base: 0x800080DC, data-base: 0x80ADBC78

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Router uptime is 6 minutes
System returned to ROM by power-on
System image file is "flash:c1700-k2o3sv3y-mz.121-3.T.bin"

cisco 1750 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID JAD04170506 (3972583204), with hardware revision

M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
1 Virtual Private Network (VPN) Module(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x142

Router#show diag
Slot 0:
C1750 1FE VE Mainboard Port adapter, 2 ports
Port adapter is analyzed 
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware Revision: 6.1
PCB Serial Number: JAD04170506
Part Number  : 73-3743-06
Board Revision   : A0
Fab Version  : 04
EEPROM format version 4
EEPROM contents (hex):
  0x00: 04 FF 40 00 C9 41 06 01 C1 8B 4A 41 44 30 34 31
  0x10: 37 30 35 30 36 82 49 0E 9F 06 42 41 30 02 04 FF
  0x20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Packet Voice DSP Module:
Hardware Revision: 2.2
Part Number  : 73-3815-01
Board Revision   : A0
Deviation Number : 0-0
Fab Version  : 02
PCB Serial Number: ICP0431005U
RMA Test History : 00
RMA Number   : 0-0-0-0
RMA History  : 00
Processor type   : 02 
Number of DSP's  : 2
Type of DSP  : TMS320C549
EEPROM format version 4
EEPROM contents (hex):
0x00:   04 FF 40 01 5B 41 02 02 82 49 0E E7 01 42 41 30 
0x10:   80 00 00 00 00 02 02 C1 8B 49 43 50 30 34 33 31 
0x20:   30 30 35 55 03 00 81 00 00 00 00 04 00 09 02 FF 

WIC Slot 1:
FT1 WAN daughter card
Hardware revision 1.3   Board revision C0
Serial number 0016181676   Part number 800-03279-03
Test history  0x00  RMA number 00-00-00
Connector type WAN Module
EEPROM format version 2
EEPROM contents (hex):
0x20:   02 11 01 03 00 F6 E9 AC 50 0C CF 03 00 00 00 00 
0x30:   60 00 00 00 99 10 15 01 FF FF FF FF FF FF FF FF 

Slot 1:
Virtual Private Network (VPN) Module Port adapter, 1 port
Port adapter is analyzed 
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware Revision: 2.1
Part Number  : 73-4586-02
Board Revision   : A0
Deviation Number : 0-0
Fab Version  : 03
PCB Serial Number: JAB043706H8
RMA Test History : 00
RMA Number   : 0-0-0-0
RMA History  : 00
Unknown Field (type 01FF): FF FF 00 FF 00 00 00 00 
   00 00 00 00 00 00 00 00 
   00 00 00 00 00 00 00 00 
   00 00 00 00 00 00 00 00 
   00 00 00 00 00 00 00 00 
   00 00 00 00 00 00 00 00 
   00 00 00 00 00 00 00 00 
   00 00 00 00 00 00 00 
IDPROM FIELD FORMAT ERROR, index 0x6D
EEPROM format version 4
EEPROM contents (hex):
  0x00: 04 FF 40 01 79 41 02 01 82 49 11 EA 02 42 41 30
  0x10: 80 00 00 00 00 02 03 C1 8B 4A 41 42 30 34 33 37
  0x20: 30 36 48 38 03 00 81 00 00 00 00 04 00 00 FF FF
  0x30: FF FF 00 FF 00 00 00 00 00 00 00 00 00 00 00 00
  0x40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Rout

Copying NVRAM Startup file to NVRAM Other name file [7:57278]

2002-11-12 Thread [EMAIL PROTECTED]
Hi,

On a 2500 router with 12.0 experimental version I can copy the
nvram:startup-config to, for example, nvram:teste1.txt

On a 2500 router with 12.1(17) I got the following error:


R4#copy nvram:startup-config nvram:teste1.txt
Destination filename [teste1.txt]?
%Error opening nvram:teste1.txt (No such file or directory)

Any tips ?

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57278&t=57278
--



RE: please help with vlan scenario [7:57245]

2002-11-12 Thread Peter van der Voort
Barry,

You can enable a trunk on the 3548, and create subinterfaces on the 3550 at
site A.
I don't know the exact configuration details about a 3550, but it should be
something like:

interface gigabitethernet 0/2
no switchport
!
interface gigabitethernet 0/2.10
encapsulation dot1q 10

> -Original Message-
> From: Barry Warrick [mailto:nobody@;groupstudy.com]
> Sent: Monday, November 11, 2002 11:23 PM
> To: [EMAIL PROTECTED]
> Subject: please help with vlan scenario [7:57245]
> 
> 
> I have Site A which acts as a host for incoming fiber connections from
> Site's B,C, and D. All 4 sites are on different subnets. At Site A a
> Catalyst 3550G with 12 available fiber GBIC connections is what the 3
> incoming sites B,C, and D connect to on GBIC interfaces 1,2, and 3,
> respectively.. The 3550G also has two Ethernet ports on it, 
> one which has a
> crossover to a Catalyst 3548 switch, which feeds the local 
> LAN users at Site
> A itself.
> 
> Interface GBIC 4 on the 3550G has a fiber link connecting to 
> Site E, which
> is then routed over ATM. So basically the 3550 at Site A 
> routes traffic
> between itself and the B,C, and D sites and over to Site E.  Site E is
> actually our core router site (Cisco 3540) but Site A was 
> chosen to hosts
> the other 3 sites (B,C,and D) due to logistics.
> 
> Now what I need to do back at Site A is segment the local LAN 
> on the 3548
> switch into two vlans. Both vlans need to pass traffic across 
> the network.
> Remember one port on the 3548 has a crossover to the 3550G 
> switch. The 3550G
> is not set up with vlans. If I break the ports on the 3548 to 
> the vlan's I
> want, I assume I set the crossover port to be a trunk? And if 
> so, do I need
> to setup the other end of the crossover on the 3550 with any vlan's or
> trunking??? No other subnets will be broken into vlan's so I 
> want to make
> sure any change I may have to make on the 3550 to support the 
> local vlans on
> the 3548 do not hinder traffic flow to and from the other 
> sites interfaces
> on the 3550. Am I over complicating this setup? I know my description
> probably is confusing. I guess in simple terms I just need to 
> make sure how
> I set up vlans on the local Site A without affecting the 
> other sites that
> Site A supports?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57279&t=57245
--



3DES license on Pix 6.1(2) [7:57280]

2002-11-12 Thread
Folks

I am going to be activating 3DES on a pix 506 running 6.1(2) tomorrow
and I am a little unclear on the procedure.  I know I can't use the
activation-key command as that wasn't added until 6.2.

The only real documentation I have found seems to say that I have to
reinstall the software image through monitor mode and that I can't use
the "copy tftp flash" command.

Could someone confirm this for me.

Thanks

Peter




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57280&t=57280
--



RE: 3DES license on Pix 6.1(2) [7:57280]

2002-11-12 Thread Ciaron Gogarty
Yes, that's correct.  You must boot into ROMMON and re-load your software (use
the same image), at some point it also asks you if you want to install a new
activation key, to which you obviously answer yes.  That's the only way to
get it on there prior to the new code.

from rommon use the following commands:

server 
interface e1 
address 
file 
tftp

good luck.


CG

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 12/11/02 12:47
Subject: 3DES license on Pix 6.1(2) [7:57280]

Folks

I am going to be activating 3DES on a pix 506 running 6.1(2) tomorrow
and I am a little unclear on the procedure.  I know I can't use the
activation-key command as that wasn't added until 6.2.

The only real documentation I have found seems to say that I have to
reinstall the software image through monitor mode and that I can't use
the "copy tftp flash" command.

Could someone confirm this for me.

Thanks

Peter




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57281&t=57280
--



RE: dot1x? [7:57109]

2002-11-12 Thread alaerte Vidali
Hi,

Just two more questions about 802.1x.

If a user moves from one city to another, how does the process handle it ? 

Are there no concerns about using TACACS+ to access control, and Radius for
dot1x ?

Thanks


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57282&t=57109
--



RE: 3DES license on Pix 6.1(2) [7:57280]

2002-11-12 Thread Ciaron Gogarty
Yes, you must go into rommon to load an activation key prior to 6.2
software.  Boot into rommon and use the following commands:

server 
address 
file 
tftp = starts the transfer.

At some point it will ask you if you want to enter a new activation key.

rgds,

C

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 12/11/02 12:47
Subject: 3DES license on Pix 6.1(2) [7:57280]

Folks

I am going to be activating 3DES on a pix 506 running 6.1(2) tomorrow
and I am a little unclear on the procedure.  I know I can't use the
activation-key command as that wasn't added until 6.2.

The only real documentation I have found seems to say that I have to
reinstall the software image through monitor mode and that I can't use
the "copy tftp flash" command.

Could someone confirm this for me.

Thanks

Peter




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57283&t=57280
--



Re: iBGP and convergence when failure happens [7:57255]

2002-11-12 Thread Peter van Oene
One clarification below.

On Mon, 2002-11-11 at 21:51, The Long and Winding Road wrote:
> a couple of things - in line below
> 
> 
> 
> ""bergenpeak""  wrote in message
> news:200211120028.AAA03239@;groupstudy.com...
> > Suppose I have several routers making up an iBGP mesh.  Let's
> > suppose I have two routers (R1 and R2) which are advertising the same
> > set of networks: N1, N2, ... Nk.
> >
> > OSPF is running underneath BGP (assume area 0).  All of the N
> > networks are being advertised with a next-hop set to the respective
> > loopback's from R1 and R2.
> >
> > Now consider some other BGP router in the network.  It will have
> > received a BGP announcement for each of N1, N2, .. Nk from R1 and R2.
> >
> > This third router will select one of the paths to N1, N2, etc.
> > and insert it into the routing table.  I'd expect to see something
> > like:
> >
> > subnet  next-hop
> > --- ---
> > N1  R1-lo0
> > N2  R1-lo0
> > ... ...
> > Nk  R1-lo0
> >
> > R1-lo0
> > R2-lo0
> >
> > Now, suppose R1 goes belly up.  OSPF will quickly inform all
> > other routers that R1 and its loopback no longer exist.   I'm assuming
> > that this will invalidate all the routes in the routing table which
> > have R1-lo0 as next hop.  This will therefore cause the removal of all
> > occurrences of routes to N1, N2, ... Nk from the routing table.
> >
> > The question is this:  what event will trigger BGP to re-evaluate
> > the routes it knows about and add in routes for N1, N2, ... Nk via
> > R2-lo0?  Will the removal of the N1 route from the routing table
> > inform BGP to re-evaluate?  Or will the BGP timers need to timeout
> > and detect that R1 is dead before re-evaluating?
> >
> 
> detecting a link down, or dead timer expired.
> 
> 
> > One other question-- does "no sync" in BGP have a role here or is that
> > related only to determining when to advertise a route via eBGP?
> 
> 
> iBGP will not install a route into the BGP table unless it can verify
> reachability. I.e. unless there is a valid path to the advertiser in the
> routing table. This is "synchronization". the "no synch" command allows BGP
> to bypass this validation step. in the case you mention, with full mesh,
> and full IGP connectivity, "no sync" is not not necessary.

Just wanted to clarify a point that might be ambiguous to some.  BGP,
sync or otherwise, must verify reachability to the BGP Next-Hop of each
path advertised prior to considering a path valid.  This is normal BGP
blackhole prevention.  With sync, BGP must verify that the actual NLRI
advertised in the path are otherwise reachable.

> 
> HTH
> 
> 
> 
> >
> > Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57284&t=57255
--



Re: iBGP and convergence when failure happens [7:57255]

2002-11-12 Thread bergenpeak
Thanks.  So the removal of a BGP route from the routing table will not
cause the BGP process to be tickled to run and possibly re-insert a new
route for N1, N2, .. Nk through R2?

Does the "no sync" apply here?  The book examples always mention "no sync"
in conjunction with eBGP and sending advertisements.  Here it's iBGP and
when to re-evaluate putting routes into the routing table.

It would seem that load balancing, if possible, might help.  That is, if
routes to N1 via R1 and R2 are both in the routing table, the loss of
routes to R1 would cause those routes to be removed, but not prevent
traffic from being forwarded to N1.

So, besides the questions above, a few more:

* Is it possible, in an iBGP configuration, to have BGP install multiple
routes to the same destination?  If so, how is this done so that loops
do not occur in the hops towards R1 and R2?  (That is, if each
intermediate router randomly picks R1 or R2 as the target for N1, loops
might develop)

* I've never tried, but can I use local pref in iBGP to indicate a coarse
level of load balancing by network prefix destination?  I want to make
sure that packet re-ordering is very unlikely and this seems like this
would prevent the loop problem.  It would seem this might provide prefix
load balancing, but does not install two routes in the routing table for
N1?

The Long and Winding Road wrote:
> 
> a couple of things - in line below
> 
> ""bergenpeak""  wrote in message
> news:200211120028.AAA03239@;groupstudy.com...
> > Suppose I have several routers making up an iBGP mesh.  Let's
> > suppose I have two routers (R1 and R2) which are advertising the same
> > set of networks: N1, N2, ... Nk.
> >
> > OSPF is running underneath BGP (assume area 0).  All of the N
> > networks are being advertised with a next-hop set to the respective
> > loopback's from R1 and R2.
> >
> > Now consider some other BGP router in the network.  It will have
> > received a BGP announcement for each of N1, N2, .. Nk from R1 and R2.
> >
> > This third router will select one of the paths to N1, N2, etc.
> > and insert it into the routing table.  I'd expect to see something
> > like:
> >
> > subnet  next-hop
> > --- ---
> > N1  R1-lo0
> > N2  R1-lo0
> > ... ...
> > Nk  R1-lo0
> >
> > R1-lo0
> > R2-lo0
> >
> > Now, suppose R1 goes belly up.  OSPF will quickly inform all
> > other routers that R1 and its loopback no longer exist.   I'm assuming
> > that this will invalidate all the routes in the routing table which
> > have R1-lo0 as next hop.  This will therefore cause the removal of all
> > occurrences of routes to N1, N2, ... Nk from the routing table.
> >
> > The question is this:  what event will trigger BGP to re-evaluate
> > the routes it knows about and add in routes for N1, N2, ... Nk via
> > R2-lo0?  Will the removal of the N1 route from the routing table
> > inform BGP to re-evaluate?  Or will the BGP timers need to timeout
> > and detect that R1 is dead before re-evaluating?
> >
> 
> detecting a link down, or dead timer expired.
> 
> > One other question-- does "no sync" in BGP have a role here or is that
> > related only to determining when to advertise a route via eBGP?
> 
> iBGP will not install a route into the BGP table unless it can verify
> reachability. I.e. unless there is a valid path to the advertiser in the
> routing table. This is "synchronization". the "no synch" command allows BGP
> to bypass this validation step. in the case you mention, with full mesh,
> and full IGP connectivity, "no sync" is not not necessary.
> 
> HTH
> 
> >
> > Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57286&t=57255
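
The next-hop check Peter van Oene describes earlier in this thread, combined with the per-prefix local-pref idea raised in the message above, as an added example that is not part of the thread. The ranking is a simplified subset of BGP path selection (LOCAL_PREF, then IGP metric to the next hop, then lowest router ID); it does not model when a router reruns selection, and the class, function names, metrics and router IDs are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Path:
    prefix: str                 # NLRI, e.g. "N1"
    next_hop: str               # BGP NEXT_HOP, here the advertiser's loopback
    local_pref: int = 100       # carried unchanged between iBGP peers
    router_id: str = "0.0.0.0"  # advertiser's router ID, final tie-break


def valid_paths(paths, igp_table):
    """Keep only paths whose NEXT_HOP resolves in the IGP routing table.
    A path that fails this check is never a best-path candidate."""
    return [p for p in paths if p.next_hop in igp_table]


def select_best(paths, igp_table):
    """Return {prefix: chosen next hop} using the simplified ranking:
    highest LOCAL_PREF, lowest IGP metric to next hop, lowest router ID."""
    best = {}
    for p in valid_paths(paths, igp_table):
        key = (-p.local_pref, igp_table[p.next_hop], ip_address(p.router_id))
        if p.prefix not in best or key < best[p.prefix][0]:
            best[p.prefix] = (key, p)
    return {prefix: p.next_hop for prefix, (_, p) in best.items()}


def sample_paths():
    """Constructed Adj-RIB-In of the third router: R1 and R2 both advertise
    N1..N3. LOCAL_PREF steers N1 to R1 and N2 to R2; N3 is left equal."""
    r1, r2 = "R1-lo0", "R2-lo0"
    return [
        Path("N1", r1, 200, "1.1.1.1"), Path("N1", r2, 100, "2.2.2.2"),
        Path("N2", r1, 100, "1.1.1.1"), Path("N2", r2, 200, "2.2.2.2"),
        Path("N3", r1, 100, "1.1.1.1"), Path("N3", r2, 100, "2.2.2.2"),
    ]


def converge_after_r1_failure():
    """Best paths before and after OSPF withdraws R1's loopback."""
    igp = {"R1-lo0": 20, "R2-lo0": 30}   # next hop -> IGP metric (constructed)
    before = select_best(sample_paths(), igp)
    del igp["R1-lo0"]                    # R1 is gone from the IGP
    after = select_best(sample_paths(), igp)
    return before, after


if __name__ == "__main__":
    before, after = converge_after_r1_failure()
    print("before:", before)
    print("after: ", after)
    # With neither loopback in the IGP no path is valid, so nothing installs.
    print("no IGP routes:", select_best(sample_paths(), {}))
```

Each prefix still has a single installed next hop at any time; the split between R1 and R2 comes from assigning different prefixes different LOCAL_PREF values, and every iBGP speaker ranks the paths from the same attribute values.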
--



RE: please help with vlan scenario [7:57245]

2002-11-12 Thread Barry Warrick
Thanks Peter for your help. That makes sense.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57287&t=57245
--



RE: CID exam 640-025 [7:57268]

2002-11-12 Thread Kaminski, Shawn G
You have to be careful here because Cisco likes to add (to their blueprints)
the famous "The following topics are general guidelines for the content
likely to be included on the Cisco Internetwork Design exam. However, other
related topics may also appear on any specific delivery of the exam." I
haven't heard of any SNA showing up on the CID exam, but sometimes I find it
hard to trust Cisco when it comes to the exams! :-)

Shawn K.

-Original Message-
From: Tim Metz [mailto:timmetz@;hotmail.com] 
Sent: Tuesday, November 12, 2002 12:01 AM
To: [EMAIL PROTECTED]
Subject: Re: CID exam 640-025 [7:57268]


No SNA on the blueprint means no SNA on the test. I took it a few months ago
and didn't have any either.

Tim

""David""  wrote in message news:200211120415.EAA12014@;groupstudy.com...
> Hi folks,
>
> The CID exam. The Cisco has a lot of SNA content in it, however I 
> can't find any SNA stuff at (excuse wrapping)
>
> http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-025.html
>
>
> I can't find anything about changes on Cisco's website, so...does the 
> CID have any SNA?
>
> Cheers,
>
> David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57289&t=57268
--



List Problems [7:57290]

2002-11-12 Thread [EMAIL PROTECTED]
Haven't received any mail since November 5th;  something going on with the
list?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57290&t=57290
--



off Topic--pricewatch.com etc [7:57291]

2002-11-12 Thread Stuart Laubstein
There had been some good websites mentioned where one could compare prices
of different new devices. I have found a few but one that was really good I
cannot find..I do not remember its name. It was similar to pricewatch.com
anyone have any ideas on what it might be?

thanks

stuart




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57291&t=57291
--



remote access advice [7:57288]

2002-11-12 Thread Robert Kimble
Hello everyone,

It's been a while since I've posted anything here.

I'm on the last chapter of Cisco's remote access exam cert guide. I was
planning on using Boson and Exam cram but was wondering if anyone had other
recommendations...

So far I've read nothing but bad reviews of the Exam cram remote access book.

Thanks in advance for the input!

-Bobby


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57288&t=57288
--



Cisco Telephony Questions [7:57293]

2002-11-12 Thread r34rv13wm1rr0r
Hello,

I am trying to put together a case study pertaining to Cisco Telephony,
if any of you experienced with this subject matter would respond I would
greatly appreciate it.

Thanks.


1.  Does Cisco use IP Telephony?  If so, how?

2.  What are the major business capabilities to Cisco that are achieved by
using IP Telephony?  i.e. increased productivity, lower long distance costs

3.  What are the advantages of using IP Telephony over traditional voice
systems?  i.e. shared network/phone equipment, support costs, more features
(if so, what)

4.  What are the disadvantages of using IP Telephony? i.e. network congestion
causing latency

5.  How does it perform over Frame Relay?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57293&t=57293
--



RE: CID exam 640-025 [7:57268]

2002-11-12 Thread Steve Smith
Tim/Shawn,

In regards to the CID 640-025 exam...I have heard rumors that AT and IPX
have been somewhat removed as well? The current exam objectives on CCO
would indicate this, but like others, I doubt Cisco's honesty on their
exam objectives a bit. Can you confirm or deny this rumor of AT & IPX
being removed from the DP exam? Thanks.

Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57294&t=57268
--



Has Anyone used Global Knowledge? [7:57297]

2002-11-12 Thread David Vital
Wondering if anyone here has experience with Global Knowledge and the
classes they offer.

Thanks, 

David


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57297&t=57297
--



Happy Christmas from QA [7:57296]

2002-11-12 Thread Giles Funnell
Dear Cisco

 

HAPPY CHRISTMAS

 

&

 

HAPPY NEW YEAR




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57296&t=57296
--



Recall: Happy Christmas from QA [7:57298]

2002-11-12 Thread Giles Funnell
Giles Funnell would like to recall the message, "Happy Christmas from QA".

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57298&t=57298
--



Cisco 26xx image with MPLS support? [7:57299]

2002-11-12 Thread neal rauhauser
I just heard a vicious rumor on the nanog mailing list - there are 
some images for the 26xx that support MPLS!@!@!@!@!


 
   I am mostly done with studies for the BSCI and QoS+Mcast - only 
barrier to me getting CCIP was getting my sticky little paws on routers 
that support MPLS - if there is a 26xx image that is decent I have a 
whole network I can turn to MPLS after I test it on this spare 2620 :-) 
:-) :-)


I would greatly appreciate if someone can name the image that does 
this - the fellow writing about it said 12.2.(12.6) and I am not sure 
which image/train he means.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57299&t=57299
--



Re: Has Anyone used Global Knowledge? [7:57297]

2002-11-12 Thread steve
hi,


I have recently done a CWFUN course ...

this was at global knowledge in the UK

the instructor was very experienced and the facilities were good 

loads of kit ...loads of software ...

and on this occasion i was the ONLY student...i would recommend them to anyone

cheers

Steve
- Original Message -
From: "David Vital" 
To: 
Sent: Tuesday, November 12, 2002 4:16 PM
Subject: Has Anyone used Global Knowledge? [7:57297]


> Wondering if anyone here has experience with Global Knowledge and the
> classes they offer.
>
> Thanks,
>
> David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57301&t=57297
--



Receiving 2 calls simultaneously on a BRI interface [7:57302]

2002-11-12 Thread BASSOLE Rock
Hello group !  

 

I would like to configure a router to connect to 2 sites with ISDN. The
router's configuration should be able to accept 2 incoming calls
simultaneously from the sites on a single BRI.

Is it possible to assign a channel B to 2 different destinations at the same
time (when the call is initiated by the sites). Any information is welcome.

Thank you in advance.

Rock.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57302&t=57302



RE: Has Anyone used Global Knowledge? [7:57297]

2002-11-12 Thread s vermill
David Vital wrote:
> 
> Wondering if anyone here has experience with Global Knowledge
> and the classes they offer.
> 
> Thanks, 
> 
> David

Not within the last year or so but over the years I have sat probably half a
dozen classes with Global Knowledge.  They always seem to find true experts
for instructors.  Never had a bad experience.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57303&t=57297



Re: Receiving 2 calls simultaneously on a BRI interface [7:57305]

2002-11-12 Thread MADMAN
yes you can do this

BASSOLE Rock wrote:
> 
> Hello group !
> 

  remote siteA:

interface BRI0
 description ISDN backup to ASAG BRI1/0:2
 ip address 2.1.1.2 255.255.255.248
 encapsulation ppp
 dialer string 2912345
 dialer-group 1
 isdn spid1 225664 xxx
 isdn spid2 225664 xxx
 ppp authentication pap chap
 ppp pap sent-username ASD-Router password 7 030752180500

  host site:

interface BRI1/0
 ip address 2.1.1.1 255.255.255.248
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 no logging event subif-link-status
 isdn spid1 2252912345 2912345
 isdn spid2 22529x xxx
 dialer idle-timeout 2147483
 dialer map ip 2.1.1.3 name ASN-NissR broadcast
 dialer map ip 2.1.1.2 name ASD-Router broadcast
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap
 hold-queue 75 in




> I would like to configure a router to connect to 2 sites with ISDN. The
> router's configuration should be able to accept 2 incoming calls
> simultaneously from the sites on a single BRI.
> 
> Is it possible to assign a channel B to 2 different destinations at the
same
> time (when the call is initiated by the sites). Any information is welcome.
> 
> Thank you in advance.
> 
> Rock.
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57305&t=57305



FW: CCDA Certification Updates [7:57295]

2002-11-12 Thread Marko Milivojevic
After reading this, I suppose that first step in new CCD* studies
should be getting familiar with Cisco's SAFE Blueprints (as someone noted
few weeks ago). 


Marko.

-Original Message-
From: Cisco Systems Inc [mailto:CiscoCCDA@;mail.ciscomessage.com]
Sent: Tuesday, 12 November 2002, 16:03
To: [EMAIL PROTECTED]
Subject: CCDA Certification Updates


On November 12, 2002 Cisco announces its redesigned CCDA(r) 
certification track, which features the new CCDA exam # 640-861 and 
the new course, Designing for Cisco Internetwork Solutions (DESGN). 
The new DESGN five-day, instructor-led course will teach how to design 
Cisco network infrastructures. 

The existing DCN course will retire on January 6, 2003, and the 
existing DCN exam #640-441 will retire on March 5, 2003.

A CCDA certification is achieved upon successful completion of the 
DESGN exam, and is valid for two years. The recommended training 
includes CCNA Basics and DESGN.
 
The CCDA program is the first step toward achieving CCDP(r) 
certification (CCNA(r) certification is also required), and a 
redesigned CCDP track exam and course will be released around February 
2003.  The CCDP related course, Designing Cisco Network Service 
Architectures (ARCH), builds upon the DESGN foundation, teaching 
designers how to architect network services and solutions using that 
infrastructure. While the DESGN course addresses mainly infrastructure 
and network service issues, the ARCH will address mainly network 
services and solutions.

What's New in DESGN

Because networks and network services are growing exponentially 
complex, designing a network separately becomes impossible. Instead, 
the network is divided into modules such as the enterprise edge, 
campus, and service provider edge, with each module designed 
separately. Designers must ensure the entire solution responds 
optimally to business and technical needs, and that the network is 
highly available.  A strategic network solution requires content 
networking, storage application networking, and voice applications. 
Successful network designs require critical modern infrastructure 
services (such as wireless access) and network services (such as 
security and management, quality of service, and multicast).

For more information on CCDA certification visit 
http://www.cisco.com/go/training

Copyright (2002, Cisco Systems, Inc. All rights reserved. CCNA, CCDP, 
CCDA, Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are 
registered trademarks or trademarks of Cisco Systems, Inc. and/or its 
affiliates in the U.S. and certain other countries. All other 
trademarks mentioned in this document are the property of their 
respective owners. The use of the word partner does not imply a 
partnership relationship between Cisco and any other company. (0210R)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57295&t=57295



Re: remote access advice [7:57288]

2002-11-12 Thread steve
hi,


i used the boson and the exam cram to study for the test last year and
passed no problem ..

i think as you have already studied the subject you will be fine with JUST
the boson tests

cheers

steve
- Original Message -
From: "Robert Kimble" 
To: 
Sent: Tuesday, November 12, 2002 3:40 PM
Subject: remote access advice [7:57288]


> Hello everyone,
>
> It's been a while since I've posted anything here.
>
> I'm on the last chapter of Cisco's remote access exam cert guide. I was
> planning on using Boson and Exam cram but was wondering if anyone had
other
> recommendations...
>
> So far I've read nothing but bad reviews of the Exam cram remote access
book.
>
> Thanks in advance for the input!
>
> -Bobby




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57300&t=57288



Re: OT: Book Recommendation/Relevance? [7:57131]

2002-11-12 Thread s vermill
Hamid Ali Asgari wrote:
> 
> Take a look at the following book. Haven't read it myself, but
> I have
> heard that's its a great book:
> Internetworking with TCP/IP: Principles, Protocols, and
> Architecture (4th
> Edition)by Douglas Comer
> 
> Hope this helps,
> Hamid
> 
> 

Thanks Hamid.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57304&t=57131



Re: Cisco wireless classes [7:57306]

2002-11-12 Thread Larry Roberts
I'm also interested in second-hand copies of these courses or any of the
other Aironet courses. I have the new versions 3.0 of the security courses
(MCNS, CSPFA, CSVPN, IDS) or the IP Telephony courses (CVOICE, CIPT, IPTT,
DQoS, EVODD) to trade.

Thanks,

Larry Roberts
CCIE #7886 (R&S / Security)

- Original Message -
From: "Dennis Laganiere" 
To: ; 
Sent: Monday, November 11, 2002 10:28 AM
Subject: Cisco wireless classes


> Does anybody have the documentation from the following Cisco courses?
>
> *  Aironet Wireless LAN Fundamentals (AWLF)
> *  Aironet Wireless LAN Fundamentals & Cisco Aironet Wireless Site Survey
> (AWFSS)
>
> If so, please contact me off-line, I'd like to get a look at them...
>
> Thanks...
>
> --- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57306&t=57306



RE: List Problems [7:57290]

2002-11-12 Thread Paul Borghese
Check your anti-spam settings.  Sometimes they filter us as we send
e-mails using "bulk" as the priority.  If you are being filtered via
anti-spam, please tell me as I can sometimes correct.

Paul



-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 12, 2002 10:19 AM
To: [EMAIL PROTECTED]
Subject: List Problems [7:57290]

Haven't received any mail since November 5th;  something going on with
the
list?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57307&t=57290



Re: Has Anyone used Global Knowledge? [7:57297]

2002-11-12 Thread r34rv13wm1rr0r
I used the one in Dallas for Advance BGP, great course and the receptionist
was hot.


- Original Message -
From: "David Vital" 
To: 
Sent: Tuesday, November 12, 2002 10:16 AM
Subject: Has Anyone used Global Knowledge? [7:57297]


> Wondering if anyone here has experience with Global Knowledge and the
> classes they offer.
>
> Thanks,
>
> David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57309&t=57297



Re: Routing and Design Problem [7:57193]

2002-11-12 Thread Tunji Suleiman
>
>sounds like you might want to hire a consultant.

Thanks for your suggestion, but I'm trying to play at being the consultant!

Since I'm getting no cooperation from the ISP, I have modified my config to:

1. Use global address 80.80.80.171-4/26 on router WAN link to ISP a la 
regular proxy connection with default-gateway as ISP router, with .1 on 
router fa0/0
2. Use rfc1918 address 172.16.10.1/24 on router fa0/1 internal int to PIX, 
and .2 on PIX e0/0 outside interface
3. On router, PAT all 172.16.10.0/24 addresses (except 172.16.10.3)  and 
overload on fa0/0, WAN interface to ISP.
4. On router, statically NAT 172.16.10.3 to 80.80.80.172 for Exchange
5. On PIX, Use rfc1918 VPN address 10.240.77.0/24 for inside network; .1 as  
PIX inside interface, and .3 for Exchange.
6. On PIX, PAT all inside hosts to 172.16.10.4 for internet traffic and 
statically NAT Exchange at 10.240.77.3 to 172.16.10.3 exempted in 3 above.

With the config I have double NAT/PAT on router and PIX. Now, I can ping 
Internet hosts from router, but not PIX's directly connected interface. Same 
with PIX, ping succeeds from PIX to Exchange, but not to router.

My NAT/PAT on router and PIX are translating, but I can't get thru the PIX. I 
will solve this somehow if the problem is with the configs, but hope someone 
will kindly answer my  questions below:

1. Must my addressing on PIX outside be global? Is my use of 172.16.0.0 
invalid for the scenario? Can this be responsible for the ping failure? Can 
this be corrected by using "fake" global addresses?

2. Aside from latency due to the double NAT/PAT, which won't bode well for 
voice and other real-time traffic, what other potential issues can I expect 
from the config?

TIA







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57311&t=57193



Possible to Filter on Destination MAC-Address on a Router? [7:57312]

2002-11-12 Thread Bucher Lars
I'm trying to configure an input-access-list on 7204 Routers (IOS 12.2(10)),
which should filter on the destination (!) MAC-address but can't get it
work. Is this even possible?

The router should ignore all traffic with a destination-MAC (multicast) of
0100.5e7c.0006 and accept all other traffic. In my setup, this address is
used with Firewalls in a Stonebeat cluster.

Without filter my routers, by mistake, listen to this traffic, replicate it
and send it out again which causes multicast-storms.

I've read that this is quite a common behaviour observed with Cisco-Routers
that run HSRP. By mistake some Routers (depending on what?) sometimes listen
to all Layer2 Multicast-Traffic instead to just the HSRP-Multicasts.

Unfortunately, I can't configure any filters on the switch, which led me to
the idea to apply a filter on the routers.

It's no problem to configure an extended MAC Access-list (access-list
). But I struggle with applying it to the interface.
The 'bridge-group  input-address-list ' just allows standard MAC
Access-Lists, which would filter the source-address only.

So I tried the following approach (CAR):

access-list 1100 permit .. .. 0100.5e7c.0006
..
access-list 101 permit ip any any

interface fastethernet0/0
rate-limit input access-group 1100 1 10 10 conform-action
drop exceed-action drop
rate-limit input access-group 101 1 10 10 conform-action
transmit exceed-action transmit

In the lab the router accepted the commands, but now it blocks all traffic
instead just the specified destination mac-address.

Any suggestions? Thanks in advance.

Lars Bucher




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57312&t=57312



question on isdn using PPP chap [7:57313]

2002-11-12 Thread Connie Nie
Hi, group!

I have been trying to figure out how "dialer remote-name" is used/or not
used in the ppp process but without success. Here is how I understand the
ppp chap process works:
R1 calls R2
R2 challenges R1. Together with the random no and seq. no, R2 also sends its
hostname as specified by "Hostname" or "ppp chap hostname", in this case,
let's say it is R2
R1 looks up the password for R2, sends the response back with its own
hostname, in this case, R1
R2 looks up the password for R1, uses the password as one of the elements to
generate hash value, compares it with R1's response, and makes decision.
---I didn't see "dialer remote-name" being used in this whole process. The
names exchanged are specified with either hostname, or ppp chap hostname, and
password lookup uses username ... password.

Yet Caslow book states that "dialer remote-name statement is critical for
the called party. It must match the calling parties' host name or ppp chap
hostname." Why is it so? Can someone shed some light on this?

Thank you. 

Connie Nie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57313&t=57313
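
The exchange described in the post above, as an added example that is not part of the original message and is not IOS code: a minimal RFC 1994 CHAP implementation in Python with R1 as the caller and R2 as the called router. The users table stands in for the "username ... password" lines and the shared secret is constructed; verify() returns the name received in the Response, which is the name the quoted Caslow sentence says "dialer remote-name" must match.

```python
"""CHAP (RFC 1994) between a caller (R1) and a called router (R2)."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE = 1, 2


def build(code, ident, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name.encode("ascii")
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(pkt):
    """Return (code, identifier, value, name) or raise on a malformed packet."""
    if len(pkt) < 5:
        raise ValueError("short CHAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    size = pkt[4]
    if length != len(pkt) or 5 + size > length:
        raise ValueError("bad CHAP length")
    return code, ident, pkt[5:5 + size], pkt[5 + size:].decode("ascii")


def chap_hash(ident, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Router:
    def __init__(self, hostname, users):
        self.hostname = hostname   # sent in the Name field of every packet
        self.users = dict(users)   # models "username <peer> password <secret>"
        self.pending = {}          # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        """Called side: send a fresh random challenge plus our own name."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return build(CHALLENGE, ident, self.pending[ident], self.hostname)

    def respond(self, pkt):
        """Calling side: pick the secret by the challenger's name, hash it."""
        code, ident, value, peer = parse(pkt)
        if code != CHALLENGE or peer not in self.users:
            raise ValueError("no secret configured for %r" % peer)
        digest = chap_hash(ident, self.users[peer], value)
        return build(RESPONSE, ident, digest, self.hostname)

    def verify(self, pkt):
        """Called side: recompute the hash from the peer's name and compare."""
        code, ident, value, peer = parse(pkt)
        challenge = self.pending.pop(ident, None)  # single use, so a replay fails
        secret = self.users.get(peer)
        if code != RESPONSE or challenge is None or secret is None:
            return False, peer
        expected = chap_hash(ident, secret, challenge)
        return hmac.compare_digest(value, expected), peer


def run_exchange(caller, called):
    """One authentication round; returns ((ok, peer_name), response_packet)."""
    challenge = called.challenge()
    response = caller.respond(challenge)
    return called.verify(response), response


if __name__ == "__main__":
    # Constructed secret; both sides must hold the same value for the peer.
    r1 = Router("R1", {"R2": "constructed-secret"})
    r2 = Router("R2", {"R1": "constructed-secret"})
    (ok, peer), response = run_exchange(r1, r2)
    print("R2 authenticated", peer, "->", ok)
    print("replayed response accepted ->", r2.verify(response)[0])
```

The secret never crosses the link; only the two hostnames, the identifier, the challenge and the MD5 digest do.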



RE: Possible to Filter on Destination MAC-Address on a [7:57312]

2002-11-12 Thread Priscilla Oppenheimer
Bucher Lars wrote:
> 
> I'm trying to configure an input-access-list on 7204 Routers
> (IOS 12.2(10)),
> which should filter on the destination (!) MAC-address but
> can't get it
> work. Is this even possible?
> 
> The router should ignore all traffic with a destination-MAC
> (multicast) of
> 0100.5e7c.0006 and accept all other traffic. In my setup, this
> address is
> used with Firewalls in a Stonebeat cluster.
> 
> Without filter my routers, by mistake, listen to this traffic,
> replicate it
> and send it out again which causes multicast-storms.

Wouldn't it be better to figure out why the router is doing this? Normally,
a router doesn't replicate multicast traffic and send it out again. Why is
it doing this? Can you send us your config??

Priscilla

> 
> I've read that this is quite a common behaviour observed with
> Cisco-Routers
> that run HSRP. By mistake some Routers (depending on what?)
> sometimes listen
> to all Layer2 Multicast-Traffic instead to just the
> HSRP-Multicasts.
> 
> Unfortunately, I can't configure any filters on the switch,
> which led me to
> the idea to apply a filter on the routers.
> 
> It's no problem to configure an extended MAC Access-list
> (access-list
> ). But I struggle with applying it to the interface.
> The 'bridge-group  input-address-list ' just allows
> standard MAC
> Access-Lists, which would filter the source-address only.
> 
> So I tried the following approach (CAR):
> 
> access-list 1100 permit .. ..
> 0100.5e7c.0006
> ..
> access-list 101 permit ip any any
> 
> interface fastethernet0/0
> rate-limit input access-group 1100 1 10 10
> conform-action
> drop exceed-action drop
> rate-limit input access-group 101 1 10 10
> conform-action
> transmit exceed-action transmit
> 
> In the lab the router accepted the commands, but now it blocks
> all traffic
> instead just the specified destination mac-address.
> 
> Any suggestions? Thanks in advance.
> 
> Lars Bucher
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57314&t=57312



Re: Please confirm (conf#2391ce1acdad1bea6f054fd88c882aad) [7:57315]

2002-11-12 Thread eric dickerson
>
>Hi,
>
>You have tried to post to GroupStudy.com's Professional mailing list. 
>Because
>the server does not recognize you as a confirmed poster, you will be 
>required
>to authenticate that you are using a valid e-mail address and are not a
>spammer. By confirming this e-mail you certify that you are not sending
>Unsolicited Bulk Email (UBE).
>
>PLEASE DO NOT SEND YOUR ORIGINAL MESSAGE AGAIN!  BY CONFIRMING THIS EMAIL
>YOUR ORIGINAL MESSAGE (WHICH IS NOW QUEUED IN THE SERVER) WILL BE POSTED.
>
>
>By confirming this e-mail you also certify the following:
>
>1. The message does NOT break Cisco's Non-Disclosure requirements.
>
>2. The message is NOT designed to advertise a commercial product.
>
>3. You understand all postings become property of GroupStudy.com
>
>4. You have searched the archives prior to posting.
>
>5. The message is NOT inflammatory.
>
>6. The message is NOT a test message.
>
>To confirm, simply reply to this message.  No editing is necessary.  Once
>confirmed, you will be able to post without additional confirmations.
>
>
>Welcome to GroupStudy.com!
>
>
>--ORIGINAL MESSAGE-
>
>From [EMAIL PROTECTED]  Tue Nov 12 02:38:14 2002
>Received: from hotmail.com (f35.law7.hotmail.com [216.33.237.35])
>   by groupstudy.com (8.9.3/8.9.3) with ESMTP id CAA25184
>   GroupStudy Mailer; Tue, 12 Nov 2002 02:38:14 GMT
>Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
>Mon, 11 Nov 2002 18:37:43 -0800
>Received: from 216.62.102.129 by lw7fd.law7.hotmail.msn.com with HTTP;
>   Tue, 12 Nov 2002 02:37:43 GMT
>X-Originating-IP: [216.62.102.129]
>From: "eric dickerson" 
>To: [EMAIL PROTECTED]
>Subject: problem with groupstudy?
>Date: Tue, 12 Nov 2002 02:37:43 +
>Mime-Version: 1.0
>Content-Type: text/plain; format=flowed
>Message-ID: 
>X-OriginalArrivalTime: 12 Nov 2002 02:37:43.0831 (UTC) 
>FILETIME=[7A65C270:01C289F4]
>
>I have been receiving very few emails, and I sent an email several days ago that I
>never saw come back to me. Is there a problem with the list?
>
>
>
>
>






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57315&t=57315



Re: Has Anyone used Global Knowledge? [7:57297]

2002-11-12 Thread Adam Hickey
I just finished Cisco MPLS at the San Jose facility last week. Great course!

Adam


> - Original Message -
> From: "David Vital"
> To:
> Sent: Tuesday, November 12, 2002 4:16 PM
> Subject: Has Anyone used Global Knowledge? [7:57297]
>
>
> > Wondering if anyone here has experience with Global Knowledge and the
> > classes they offer.
> >
> > Thanks,
> >
> > David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57316&t=57297



Connecting Ls1010 and OmniSwitch [7:57317]

2002-11-12 Thread David j
Has anybody tried to connect a LS1010 and an Alcatel OmniSwitch using atm?
We are having a lot of problems with the following scenario

LS1010 --ATM OC3--- Omniswitch - Videoconference device
|
|
ATM OC3
|
|
Omniswitch
|
|
Videoconference device

The LS1010 has an atm address
47.0091.8100..0005.5e8f.4401.0005.5e8f.4401.00
on the other hand the omniswitches have atm addresses
39.0348.8001.bc90.0001.013d.6cc0....xx
39.0348.8001.bc90.0001.013d.2f20....yy
Due to the different AFI code I presume that I can't use PNNI, and I need to
use static atm routing, can anybody confirm this point?
The guys that manage the Videoconference devices say that they work
establishing SVCs through the ATM network, if we connect directly the
Omniswitches there is no problem, so I suppose that I am doing something
wrong, do I need to configure svcs on the LS1010?
Thanx in advance, and sorry for being so imprecise, but the situation it's a
bit difficult to explain and I'm quite lost.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57317&t=57317



RE: List Problems [7:57290]

2002-11-12 Thread Jerry Deer
Paul, I may be having the same problem and our email is being spam filtered;
however, I think our method is adding an XM to the header and those are then
sent to a folder called "possible spam", but I do not see any of the
groupstudy emails. I am receiving a small portion of emails though.

-Original Message-
From: Paul Borghese [mailto:pborghese@;groupstudy.com] 
Sent: Tuesday, November 12, 2002 12:08 PM
To: [EMAIL PROTECTED]
Subject: RE: List Problems [7:57290]

Check your anti-spam settings.  Sometimes they filter us as we send
e-mails using "bulk" as the priority.  If you are being filtered via
anti-spam, please tell me as I can sometimes correct.

Paul



-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, November 12, 2002 10:19 AM
To: [EMAIL PROTECTED]
Subject: List Problems [7:57290]

Haven't received any mail since November 5th;  something going on with
the
list?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57318&t=57290



Re: Possible to Filter on Destination MAC-Address on a [7:57320]

2002-11-12 Thread Bucher Lars
Hi Priscilla

Unfortunately, I'm not in the Office right now. So I've just got the
following information at the moment:

IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(10a), RELEASE SOFTWARE
(fc1)
cisco 7204VXR (NPE400) processor (revision A) with 114688K/16384K bytes of
memory

interface FastEthernet0/0
 ip address 10.241.207.197 255.255.255.240
 no ip redirects
 no ip proxy-arp
 duplex full
 speed 100
 ntp disable
 standby 1 ip 10.241.207.196
 standby 1 preempt
 standby 1 track ATM2/0.2010

arp 10.241.207.193 0100.5e7c.0006 ARPA

Otherwise, there's no special configuration.

The static arp entry is needed for the stonebeat solution. As you see, it's
just at Layer2 a multicast. At Layer 3 there's just Unicast. I know it
sounds silly, but that's the way stonebeat implements its cluster solution.

The interesting thing is, that in the LAN I have two other 7200 Routers with
the same config but with NPE 300 Processor board and IOS 12.2(4).
Those 2 Routers don't replicate the traffic.

The same behaviour has been reported by others as well. If you do a search
for 'stonebeat' or 'multicast storm' on Cisco's 'Networking Professionals
Connection' you can find those. It seems to be a general problem with some
Cisco routers, not a Configuration Problem. That's why I was looking for a
'filter-solution'.

Regards
Lars Bucher

"Priscilla Oppenheimer" wrote in message
news:200211121958.TAA22356@;groupstudy.com...
> Bucher Lars wrote:
> >
> > I'm trying to configure an input-access-list on 7204 Routers
> > (IOS 12.2(10)),
> > which should filter on the destination (!) MAC-address but
> > can't get it
> > work. Is this even possible?
> >
> > The router should ignore all traffic with a destination-MAC
> > (multicast) of
> > 0100.5e7c.0006 and accept all other traffic. In my setup, this
> > address is
> > used with Firewalls in a Stonebeat cluster.
> >
> > Without filter my routers, by mistake, listen to this traffic,
> > replicate it
> > and send it out again which causes multicast-storms.
>
> Wouldn't it be better to figure out why the router is doing this?
Normally,
> a router doesn't replicate multicast traffic and send it out again. Why is
> it doing this? Can you send us your config??
>
> Priscilla
>
> >
> > I've read that this is quite a common behaviour observed with
> > Cisco-Routers
> > that run HSRP. By mistake some Routers (depending on what?)
> > sometimes listen
> > to all Layer2 Multicast-Traffic instead to just the
> > HSRP-Multicasts.
> >
> > Unfortunately, I can't configure any filters on the switch,
> > which led me to
> > the idea to apply a filter on the routers.
> >
> > It's no problem to configure an extended MAC Access-list
> > (access-list
> > ). But I struggle with applying it to the interface.
> > The 'bridge-group  input-address-list ' just allows
> > standard MAC
> > Access-Lists, which would filter the source-address only.
> >
> > So I tried the following approach (CAR):
> >
> > access-list 1100 permit .. ..
> > 0100.5e7c.0006
> > ..
> > access-list 101 permit ip any any
> >
> > interface fastethernet0/0
> > rate-limit input access-group 1100 1 10 10
> > conform-action
> > drop exceed-action drop
> > rate-limit input access-group 101 1 10 10
> > conform-action
> > transmit exceed-action transmit
> >
> > In the lab the router accepted the commands, but now it blocks
> > all traffic
> > instead just the specified destination mac-address.
> >
> > Any suggestions? Thanks in advance.
> >
> > Lars Bucher




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57320&t=57320
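
The message above says the cluster traffic is multicast only at Layer 2 while the IP destination is unicast. As an added example (not from the thread and not Cisco or Stonebeat code), this Python classifier picks exactly that pattern out of captured frames and keeps it apart from ordinary IP multicast such as HSRP hellos to 224.0.0.2. The frames are constructed, source addresses other than 10.241.207.197 are made up, and untagged Ethernet II with IPv4 is assumed.

```python
"""Flag frames sent to a group MAC that carry a unicast IPv4 destination."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800


def parse_cisco_mac(text):
    """'0100.5e7c.0006' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(".", ""))


def cisco_mac(mac):
    """6 raw bytes -> Cisco dotted notation."""
    digits = mac.hex()
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def multicast_mac_for(group):
    """RFC 1112 mapping: 01-00-5e plus the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return bytes.fromhex("01005e") + low23.to_bytes(3, "big")


def classify(frame):
    """Return (label, destination MAC, destination IP or None)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if not dst[0] & 0x01:                 # I/G bit clear: individual address
        return "l2-unicast", cisco_mac(dst), None
    if dst == b"\xff" * 6:
        return "broadcast", cisco_mac(dst), None
    if ethertype != ETHERTYPE_IPV4:
        return "l2-multicast-non-ip", cisco_mac(dst), None
    if len(frame) < 34:
        raise ValueError("truncated IPv4 header")
    ip_dst = ipaddress.IPv4Address(frame[30:34])   # 14 + 16: IPv4 destination
    if not ip_dst.is_multicast:
        # Group MAC in front of a unicast IP: the pattern described above.
        return "l2-multicast-l3-unicast", cisco_mac(dst), str(ip_dst)
    if multicast_mac_for(ip_dst) != dst:
        return "multicast-mac-mismatch", cisco_mac(dst), str(ip_dst)
    return "ip-multicast", cisco_mac(dst), str(ip_dst)


def flag_frames(frames):
    """(destination MAC, destination IP) of every L2-multicast/L3-unicast frame."""
    hits = []
    for frame in frames:
        label, mac, ip_dst = classify(frame)
        if label == "l2-multicast-l3-unicast":
            hits.append((mac, ip_dst))
    return hits


def make_frame(dst_mac, src_mac, ip_src, ip_dst):
    """Build a constructed Ethernet II + bare IPv4 header (checksum left at 0)."""
    eth = parse_cisco_mac(dst_mac) + parse_cisco_mac(src_mac)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(ip_src).packed,
                     ipaddress.IPv4Address(ip_dst).packed)
    return eth + ip


# Constructed sample capture.
SAMPLE_FRAMES = [
    # Cluster traffic: group MAC from the static ARP entry, unicast IP.
    make_frame("0100.5e7c.0006", "0000.0c00.0001",
               "10.241.207.200", "10.241.207.193"),
    # HSRP hello: IP multicast 224.0.0.2 with its matching group MAC.
    make_frame("0100.5e00.0002", "0000.0c07.ac01",
               "10.241.207.197", "224.0.0.2"),
    # Ordinary unicast frame.
    make_frame("0000.0c07.ac01", "0000.0c00.0001",
               "10.241.207.200", "10.241.207.196"),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(classify(frame))
    print("flagged:", flag_frames(SAMPLE_FRAMES))
```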



RE: CCDA Certification Updates [7:57295]

2002-11-12 Thread Gerhard Roets
This is now just after I bought the CCDA certification kit from Cisco
press, and the Sybex book ... And a new car ... And and arrg guess I
have to find money ;)

-Original Message-
From: Marko Milivojevic [mailto:markom@;margmidlun.is] 
Sent: 12 November 2002 19:48
To: [EMAIL PROTECTED]
Subject: FW: CCDA Certification Updates [7:57295]


After reading this, I suppose that first step in new CCD* studies
should be getting familiar with Cisco's SAFE Blueprints (as someone
noted
few weeks ago). 


Marko.

-Original Message-
From: Cisco Systems Inc [mailto:CiscoCCDA@;mail.ciscomessage.com]
Sent: Tuesday, 12 November 2002, 16:03
To: [EMAIL PROTECTED]
Subject: CCDA Certification Updates


On November 12, 2002 Cisco announces its redesigned CCDA(r) 
certification track, which features the new CCDA exam # 640-861 and 
the new course, Designing for Cisco Internetwork Solutions (DESGN). 
The new DESGN five-day, instructor-led course will teach how to design 
Cisco network infrastructures. 

The existing DCN course will retire on January 6, 2003, and the 
existing DCN exam #640-441 will retire on March 5, 2003.

A CCDA certification is achieved upon successful completion of the 
DESGN exam, and is valid for two years. The recommended training 
includes CCNA Basics and DESGN.
 
The CCDA program is the first step toward achieving CCDP(r) 
certification (CCNA(r) certification is also required), and a 
redesigned CCDP track exam and course will be released around February 
2003.  The CCDP related course, Designing Cisco Network Service 
Architectures (ARCH), builds upon the DESGN foundation, teaching 
designers how to architect network services and solutions using that 
infrastructure. While the DESGN course addresses mainly infrastructure 
and network service issues, the ARCH will address mainly network 
services and solutions.

What's New in DESGN

Because networks and network services are growing exponentially 
complex, designing a network separately becomes impossible. Instead, 
the network is divided into modules such as the enterprise edge, 
campus, and service provider edge, with each module designed 
separately. Designers must ensure the entire solution responds 
optimally to business and technical needs, and that the network is 
highly available.  A strategic network solution requires content 
networking, storage application networking, and voice applications. 
Successful network designs require critical modern infrastructure 
services (such as wireless access) and network services (such as 
security and management, quality of service, and multicast).

For more information on CCDA certification visit 
http://www.cisco.com/go/training





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57308&t=57295
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



No fragmentation when you just gotta fragment [7:57322]

2002-11-12 Thread JJ Angleton
If you've set the flags in the IP header to not allow fragmentation, and
then you pass through an interface with a smaller MTU, what happens?

By the way, in a related question - I've looked all through the Cisco
website and can't find what the standard MTU is for Frame Relay.

 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57322&t=57322



RE: Possible to Filter on Destination MAC-Address on a [7:57321]

2002-11-12 Thread Logan, Harold
You'll have to pardon a moment of nostalgia, but the first question I ever
asked on groupstudy was about applying a MAC filter to a router. (sniff sniff)

To apply a MAC ACL to an interface, you have to set it up to bridge, and
since you're routing you need to run IRB. Not that it was meant for such a
purpose, but I've had much better results using CAR on a router to filter by
MAC address rather than applying an access list. It's much simpler to just
use the rate-limit command, imo.

It sounds like the router is behaving normally for a router that has
multicast members located on an interface. If the switches are causing a
broadcast storm, that's a separate issue that should be addressed; the
default behavior of most switches is to flood multicasts out all ports. To
control that you need to enable either CGMP or IGMP snooping on the
appropriate switch ports.

hth,
Hal

> -Original Message-
> From: Priscilla Oppenheimer [mailto:nobody@;groupstudy.com]
> Sent: Tuesday, November 12, 2002 2:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible to Filter on Destination MAC-Address on a
> [7:57312]
> 
> 
> Bucher Lars wrote:
> > 
> > I'm trying to configure an input-access-list on 7204 Routers
> > (IOS 12.2(10)),
> > which should filter on the destination (!) MAC-address but
> > can't get it
> > work. Is this even possible?
> > 
> > The router should ignore all traffic with a destination-MAC
> > (multicast) of
> > 0100.5e7c.0006 and accept all other traffic. In my setup, this
> > address is
> > used with Firewalls in a Stonebeat cluster.
> > 
> > Without filter my routers, by mistake, listen to this traffic,
> > replicate it
> > and send it out again which causes multicast-storms.
> 
> Wouldn't it be better to figure out why the router is doing 
> this? Normally,
> a router doesn't replicate multicast traffic and send it out 
> again. Why is
> it doing this? Can you send us your config??
> 
> Priscilla
> 
> > 
> > I've read that this is quite a common behaviour observed with
> > Cisco-Routers
> > that run HSRP. By mistake some Routers (depending on what?)
> > sometimes listen
> > to all Layer2 Multicast-Traffic instead to just the
> > HSRP-Multicasts.
> > 
> > Unfortunately, I can't configure any filters on the switch,
> > which led me to
> > the idea to apply a filter on the routers.
> > 
> > It's no problem to configure an extended MAC Access-list
> > (access-list
> > ). But I struggle with applying it to the interface.
> > The 'bridge-group  input-address-list ' just allows
> > standard MAC
> > Access-Lists, which would filter the source-address only.
> > 
> > So I tried the following approach (CAR):
> > 
> > access-list 1100 permit .. .. 0100.5e7c.0006 ..
> > access-list 101 permit ip any any
> > 
> > interface fastethernet0/0
> > rate-limit input access-group 1100 1 10 10 conform-action drop exceed-action drop
> > rate-limit input access-group 101 1 10 10 conform-action transmit exceed-action transmit
> > 
> > In the lab the router accepted the commands, but now it blocks
> > all traffic
> > instead just the specified destination mac-address.
> > 
> > Any suggestions? Thanks in advance.
> > 
> > Lars Bucher




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57321&t=57321



2500 Flash - Read Only [7:57323]

2002-11-12 Thread DW
Can I manually change the Flash memory on a 2500 to Read\Write in order to
load an image onto it. It is displaying as Read Only at the moment. I can
load images with the software loader so I am assuming there is a way of
changing the designation.

Sincerely,

DW




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57323&t=57323



Re: Clearing access lists counters [7:57241]

2002-11-12 Thread John Tafasi
I tried this also and it did not work. Here is what I did:


R5-2503#clear ip access-list count

R5-2503#show access-lists abc
Extended IP access list abc
Dynamic test permit ip any any
  permit ip host 10.10.110.16 any (38 matches) (time left 134)
permit tcp any host 10.10.110.3 eq telnet
R5-2503#

""Tim Metz""  wrote in message
news:200211120457.EAA20795@;groupstudy.com...
> although that should have worked, try clear ip access-list counter as
> well I just tested this on a 3662 and both commands worked (IOS 12.1)
>
> Tim
>
> ""John Tafasi""  wrote in message
> news:20022125.VAA01591@;groupstudy.com...
> > Can some one tell me how to clear access-list counters? I tried to use the
> > command "clear access-list counters" but it did not work. Please see the
> > output of the show command below.
> >
> > R5-2503#show access-lis abc
> > Extended IP access list abc
> > Dynamic test permit ip any any
> >   permit ip any any (158 matches)
> > permit tcp any host 10.10.110.3 eq telnet
> > R5-2503#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57325&t=57241



RE: CCDA Certification Updates [7:57295]

2002-11-12 Thread Priscilla Oppenheimer
Gerhard Roets wrote:
> 
> This is now just after I bought the CCDA certification kit from
> Cisco
> press, and the Sybex book ... And a new car ... And and arrg
> guess I
> have to find money ;)

The current version of the test won't expire until March. So you should
still be OK with the materials you bought. So enjoy the new car and don't
worry. ;-)

Priscilla


> 
> -Original Message-
> From: Marko Milivojevic [mailto:markom@;margmidlun.is] 
> Sent: 12 November 2002 19:48
> To: [EMAIL PROTECTED]
> Subject: FW: CCDA Certification Updates [7:57295]
> 
> 
> After reading this, I suppose that first step in new CCD*
> studies
> should be getting familiar with Cisco's SAFE Blueprints (as
> someone
> noted
> few weeks ago). 
> 
> 
> Marko.
> 
> -Original Message-
> From: Cisco Systems Inc [mailto:CiscoCCDA@;mail.ciscomessage.com]
> Sent: Tuesday, 12 November 2002 16:03
> To: [EMAIL PROTECTED]
> Subject: CCDA Certification Updates
> 
> 
> On November 12, 2002 Cisco announces its redesigned CCDA(r) 
> certification track, which features the new CCDA exam # 640-861
> and
> the new course, Designing for Cisco Internetwork Solutions
> (DESGN).
> The new DESGN five-day, instructor-led course will teach how to
> design
> Cisco network infrastructures. 
> 
> The existing DCN course will retire on January 6, 2003, and the 
> existing DCN exam #640-441 will retire on March 5, 2003.
> 
> A CCDA certification is achieved upon successful completion of
> the
> DESGN exam, and is valid for two years. The recommended
> training
> includes CCNA Basics and DESGN.
>  
> The CCDA program is the first step toward achieving CCDP(r) 
> certification (CCNA(r) certification is also required), and a 
> redesigned CCDP track exam and course will be released around
> February
> 2003.  The CCDP related course, Designing Cisco Network Service 
> Architectures (ARCH), builds upon the DESGN foundation,
> teaching
> designers how to architect network services and solutions using
> that
> infrastructure. While the DESGN course addresses mainly
> infrastructure
> and network service issues, the ARCH will address mainly
> network
> services and solutions.
> 
> What's New in DESGN
> 
> Because networks and network services are growing exponentially 
> complex, designing a network separately becomes impossible.
> Instead,
> the network is divided into modules such as the enterprise
> edge,
> campus, and service provider edge, with each module designed 
> separately. Designers must ensure the entire solution responds 
> optimally to business and technical needs, and that the network
> is
> highly available.  A strategic network solution requires
> content
> networking, storage application networking, and voice
> applications.
> Successful network designs require critical modern
> infrastructure
> services (such as wireless access) and network services (such
> as
> security and management, quality of service, and multicast).
> 
> For more information on CCDA certification visit 
> http://www.cisco.com/go/training
> 
> Copyright © 2002, Cisco Systems, Inc. All rights reserved. CCNA,
> CCDP,
> CCDA, Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems
> logo are
> registered trademarks or trademarks of Cisco Systems, Inc.
> and/or its
> affiliates in the U.S. and certain other countries. All other 
> trademarks mentioned in this document are the property of their 
> respective owners. The use of the word partner does not imply a 
> partnership relationship between Cisco and any other company.
> (0210R)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57324&t=57295



RE: No fragmentation when you just gotta fragment [7:57322]

2002-11-12 Thread Priscilla Oppenheimer
JJ Angleton wrote:
> 
> If you've set the flags in the IP header to not allow
> fragmentation, and then you pass through an interface with a
> smaller MTU, what happens?

When a router attempts to forward an IP packet onto an interface where the
MTU is smaller than the packet and the Don't Fragment bit is set, the router
sends back an ICMP Message:

Type = 3 = Destination Unreachable
Code = 4 = Fragmentation was needed and the Don't Fragment bit was set.

The router also drops the packet.

> 
> By the way, in a related question - I've looked all through the
> Cisco website and can't find what the standard MTU is for Frame
> Relay.

I found this in RFC 3090: To avoid packet discards on the Frame Relay
interface, the RECOMMENDED default Frame Relay MTU is 1564 based on a PPP
default MTU of 1500 bytes. That's the default. You could set it higher,
probably, but why bother if the end stations aren't sending anything bigger?
___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57326&t=57322
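
The forwarding decision described in the reply above, as an added Python example (not code from the thread): a router model that drops an oversized DF packet and builds the ICMP Type 3 / Code 4 message, plus the parser a sender or monitoring tool would apply to it. The next-hop MTU field follows RFC 1191; the addresses, sizes and function names are constructed for illustration.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # Type 3 = Destination Unreachable
ICMP_FRAG_NEEDED = 4    # Code 4 = fragmentation needed and DF set
IP_FLAG_DF = 0x4000     # Don't Fragment bit in the flags/fragment-offset word


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, payload_len, df):
    """Constructed sample input: a UDP-protocol IPv4 packet with a 20-byte header."""
    flags = IP_FLAG_DF if df else 0
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + bytes(payload_len)


def forward(packet, egress_mtu):
    """Return (action, icmp_reply); icmp_reply is set only when the packet is dropped."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", packet[2:4])
    flags_frag, = struct.unpack("!H", packet[6:8])
    if total_len <= egress_mtu:
        return "forward", None
    if not flags_frag & IP_FLAG_DF:
        return "fragment", None
    # DF is set and the packet does not fit: drop it and tell the sender why.
    # The ICMP body quotes the original IP header plus the first 8 payload bytes;
    # RFC 1191 carries the egress MTU in the low 16 bits of the second word.
    quoted = packet[:ihl + 8]
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                       0, 0, egress_mtu) + quoted
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return "drop", icmp


def parse_frag_needed(icmp):
    """Return (next_hop_mtu, original_destination) or None if not a valid 3/4 message."""
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    original_dst = socket.inet_ntoa(icmp[8 + 16:8 + 20])
    return next_hop_mtu, original_dst


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.1", "198.51.100.7", 1480, df=True)
    action, reply = forward(pkt, 1400)
    print(action, parse_frag_needed(reply))
```

A filter that discards all ICMP also discards this message, so the sender never learns the smaller MTU and its large DF packets keep disappearing silently.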



Re: Routing and Design Problem [7:57193]

2002-11-12 Thread Howard C. Berkowitz
Were I the consultant on this project, the first thing I'd do is get 
a clearly articulated routing policy, at least in rough RPSL. I might 
need to put in some informal constructs or add drawings to define the 
scopes of NAT.  Before that, I'd start with some rough drawings at 
the AS-to-AS level, and the NAT scopes within your AS.

From experience, talking about configurations with more than a few 
Internet-connected routers doesn't scale.  It's far more important to 
get the requirements down and then see what configurations are needed.


At 7:24 PM + 11/12/02, Tunji Suleiman wrote:
>  >
>>sounds like you might want to hire a consultant.
>
>Thanks for your suggestion, but I'm trying to play at being the consultant!
>
>Since I'm getting no cooperation from the ISP, I have modified my config to:
>
>1. Use global address 80.80.80.171-4/26 on router WAN link to ISP a la
>regular proxy connection with default-gateway as ISP router, with .1 on
>router fa0/0
>2. Use rfc1918 address 172.16.10.1/24 on router fa0/1 internal int to PIX,
>and .2 on PIX e0/0 outside interface
>3. On router, PAT all 172.16.10.0/24 addresses (except 172.16.10.3)  and
>overload on fa0/0, WAN interface to ISP.
>4. On router, statically NAT 172.16.10.3 to 80.80.80.172 for Exchange
>5. On PIX, Use rfc1918 VPN address 10.240.77.0/24 for inside network; .1 as 
>PIX inside interface, and .3 for Exchange.
>6. On PIX, PAT all inside hosts to 172.16.10.4 for internet traffic and
>statically NAT Exchange at 10.240.77.3 to 172.16.10.3 exempted in 3 above.
>
>With the config I have double NAT/PAT on router and PIX. Now, I can ping
>Internet hosts from router, but not PIX's directly connected interface. Same
>with PIX, ping succeeds from PIX to Exchange, but not to router.
>
>My NAT/PAT on router and PIX are translating, but I can't get thru the PIX. I
>will solve this somehow if the problem is with the configs, but hope someone
>will kindly answer my  questions below:
>
>1. Must my addressing on PIX outside be global? Is my use of 172.16.0.0
>invalid for the scenario? Can this be responsible for the ping failure? Can
>this be corrected by using "fake" global addresses?
>
>2. Aside from latency due to the double NAT/PAT, which won't bode well for
>voice and other real-time traffic, what other potential issues can I expect
>from the config?
>
>TIA
>
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57327&t=57193



RE:CCIE R@S Lab [7:57292]

2002-11-12 Thread Mike Peterson
Hi Brad,

Would you please post again the URL about the questions that were asked to
the CCIE team, because the other one is not working.

Thanks in advance,
Mike

..

Here are questions that were asked to the Cisco CCIE team.  Their answers
are in this topic.

http://www.@;!#$.com/cgi-bin/ultimatebb.cgi?ubb=forum&f=60&DaysPrune=1000
&submit=Go

thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)
Voice: 702-968-5100







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57292&t=57292



RE: 2500 Flash - Read Only [7:57323]

2002-11-12 Thread Biff Terrific
configure your register to 0x2101.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57329&t=57323



RE: No fragmentation when you just gotta fragment [7:57322]

2002-11-12 Thread JJ Angleton
That's perfect.  Thank you very much.
 
Priscilla Oppenheimer wrote:
JJ Angleton wrote:
> 
> If you've set the flags in the IP header to not allow
> fragmentation, and then you pass through an interface with a
> smaller MTU, what happens?

When a router attempts to forward an IP packet onto an interface where the
MTU is smaller than the packet and the Don't Fragment bit is set, the router
sends back an ICMP Message:

Type = 3 = Destination Unreachable
Code = 4 = Fragmentation was needed and the Don't Fragment bit was set.

The router also drops the packet.

> 
> By the way, in a related question - I've looked all through the
> Cisco website and can't find what the standard MTU is for Frame
> Relay.

I found this in RFC 3090: To avoid packet discards on the Frame Relay
interface, the RECOMMENDED default Frame Relay MTU is 1564 based on a PPP
default MTU of 1500 bytes. That's the default. You could set it higher,
probably, but why bother if the end stations aren't sending anything bigger?
___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57330&t=57322



RE: question on isdn using PPP chap [7:57313]

2002-11-12 Thread Jenny McLeod
Connie Nie wrote:
> 
> Hi, group!
> 
> I have been trying to figure out how "dialer remote-name" is
> used/or not
> used in the ppp process but without success. Here is what I
> understand the
> ppp chap process work:
> R1 calls R2
> R2 challenges R1. Together with the random no and seq. no, r2
> also send its
> hostname as specified by "Hostname" or "ppp chap hostname", in
> this case,
> let's say it is R2
> R1 looks up the password for R2, sends the response back with
> its own
> hostname, in this case, R1
> R2 looks up the password for R1, use the password as one of the
> elements to
> generate hash value, compare it with R1's response, and makes
> decision.
> ---I didn't see "dialer remote-name" being used in this whole
> process. the
> name exchanged are specified with either hostname, or ppp chap
> hostname, and
> password lookup uses username ... password.
> 
> Yet Caslow book states that "dialer remote-name statement is
> critical for
> the called party. It must match the calling parties' host name
> or ppp chap
> hostname." Why is it so? Can someone shed some light on this?
> 
> Thank you. 
> 
> Connie Nie
> 
> 
I was going to make a smart-alec response and say "because otherwise it
doesn't work" (because I am sure I've seen calls fail for this reason), but
I thought I'd be more helpful, so I changed the remote-name on a test router
and dialled up with some debugs on.
Much to my surprise, the call worked (with the debugs indicating that CHAP
authenticated using the real router names).
I realised that the name I'd changed it to had a user-name statement
defined, so I removed that.  Still worked.  Wondered if there was something
left in a cache somewhere, so changed the remote-name to something daft. 
Still worked.

This is using 11.2 IOS calling 12.1 IOS, and it may well depend on the
precise configuration.

I will note, however, that the dialer remote-name can be used without using
PPP.  Many moons ago we had a setup where the dialer remote-name was used to
distinguish incoming calls and use the correct dialer interface.  An
incorrect dialer remote-name here certainly caused the call to fail (unless
there was only one dialer interface defined, in which case, due to a bug, the
remote-name was ignored).  This was probably using IOS 11.2 or 10.3.

JMcL


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57331&t=57313
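
The CHAP exchange Connie outlines, as an added Python example (not code from the thread or from Cisco): RFC 1994 packets and hashing, with each side looking up the shared secret by the name carried in the packet it received. The `Router` class, the hostnames and the secret are constructed for illustration, and the model covers only the authentication step, not any IOS dialer logic.

```python
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # RFC 1994 code values


def pack_chap(code, ident, value, name):
    """Code, Identifier, Length, Value-Size, Value, Name (Challenge/Response layout)."""
    name_bytes = name.encode("ascii")
    length = 4 + 1 + len(value) + len(name_bytes)
    return struct.pack("!BBHB", code, ident, length, len(value)) + value + name_bytes


def unpack_chap(packet):
    code, ident, length, value_size = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("malformed CHAP packet")
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:length].decode("ascii")
    return code, ident, value, name


def chap_hash(ident, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Router:
    """Hypothetical model of one PPP peer; 'users' plays the username/password table."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = users
        self.pending = {}          # identifier -> challenge value we issued

    def challenge(self, ident, value=None):
        value = value if value is not None else os.urandom(16)
        self.pending[ident] = value
        return pack_chap(CHALLENGE, ident, value, self.hostname)

    def respond(self, packet):
        code, ident, value, peer_name = unpack_chap(packet)
        secret = self.users.get(peer_name)      # keyed by the challenger's name
        if code != CHALLENGE or secret is None:
            return None
        return pack_chap(RESPONSE, ident, chap_hash(ident, secret, value), self.hostname)

    def verify(self, packet):
        code, ident, value, peer_name = unpack_chap(packet)
        issued = self.pending.pop(ident, None)  # each challenge is usable once
        secret = self.users.get(peer_name)      # keyed by the responder's name
        if code != RESPONSE or issued is None or secret is None:
            return FAILURE
        expected = chap_hash(ident, secret, issued)
        return SUCCESS if hmac.compare_digest(expected, value) else FAILURE


if __name__ == "__main__":
    r1 = Router("R1", {"R2": b"constructed-secret"})   # calling side
    r2 = Router("R2", {"R1": b"constructed-secret"})   # called side
    result = r2.verify(r1.respond(r2.challenge(1)))
    print("SUCCESS" if result == SUCCESS else "FAILURE")
```

Because the hash covers a fresh challenge value, a captured response replayed against a later challenge fails verification.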



Re: Possible to Filter on Destination MAC-Address [7:57320]

2002-11-12 Thread Priscilla Oppenheimer
Bucher Lars wrote:
> 
> Hi Priscilla
> 
> Unfortunately, I'm not in the Office right now. So I've just
> got the
> following information at the moment:
> 
> IOS (tm) 7200 Software (C7200-IS-M), Version 12.2(10a), RELEASE
> SOFTWARE
> (fc1)
> cisco 7204VXR (NPE400) processor (revision A) with
> 114688K/16384K bytes of
> memory
> 
> interface FastEthernet0/0
>  ip address 10.241.207.197 255.255.255.240
>  no ip redirects
>  no ip proxy-arp
>  duplex full
>  speed 100
>  ntp disable
>  standby 1 ip 10.241.207.196
>  standby 1 preempt
>  standby 1 track ATM2/0.2010
> 
> arp 10.241.207.193 0100.5e7c.0006 ARPA
> 
> Otherwise, there's no special configuration.
> 
> The static arp entry is needed for the stonebeat solution. 

Yes, I've heard of this kludge. ;-)

> As
> you see, it's
> just at Layer2 a multicast. At Layer 3 there's just Unicast. 

Are you sure these aren't Layer 3 multicasts also? It's in the range of
multicast addresses reserved by IP Multicast. Regardless I stick to my
comment that a "normal" router wouldn't forward these. It would have to be
running ICMP and an IP multicast routing protocol. Of course, that's sort of
normal too, but not default behavior.

> I
> know it
> sounds silly, but that's the way stonebeat implements its
> cluster solution.
> 
> The interesting thing is, that in the LAN I have two other 7200
> Routers with
> the same config but with NPE 300 Processor board and IOS
> 12.2(4).
> Those 2 Routers don't replicate the traffic.

That's good. It confirms my belief that the behavior of the other router is
odd.

> 
> The same behaviour has been reported by others as well. If you
> do a search
> for 'stonebeat' or 'multicast storm' on Cisco's 'Networking
> Professionals
> Connection' you can find those. It seems to be a general
> problem with some
> Cisco routers, not a Configuration Problem. That's why I was
> looking for a
> 'filter-solution.

Did the other person's response solve the problem for you? The one that
talked about IRB.

Also, didn't we discuss this just a few days ago? Someone sent a URL that
discussed something similar. Let's see if I can find the URL again

Oh, I found it. It has to do with routers not sending multicast when they
should! But it might have some hints for you. It's here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;223136

Wish I had more targeted advice for you! Anyone else want to help?

Good luck. Keep us posted on what you figure out. Thanks.

Priscilla

> 
> Regards
> Lars Bucher
> 
> ""Priscilla Oppenheimer""  wrote in message
> news:200211121958.TAA22356@;groupstudy.com...
> > Bucher Lars wrote:
> > >
> > > I'm trying to configure an input-access-list on 7204 Routers
> > > (IOS 12.2(10)),
> > > which should filter on the destination (!) MAC-address but
> > > can't get it
> > > work. Is this even possible?
> > >
> > > The router should ignore all traffic with a destination-MAC
> > > (multicast) of
> > > 0100.5e7c.0006 and accept all other traffic. In my setup,
> this
> > > address is
> > > used with Firewalls in a Stonebeat cluster.
> > >
> > > Without filter my routers, by mistake, listen to this
> traffic,
> > > replicate it
> > > and send it out again which causes multicast-storms.
> >
> > Wouldn't it be better to figure out why the router is doing
> this?
> Normally,
> > a router doesn't replicate multicast traffic and send it out
> again. Why is
> > it doing this? Can you send us your config??
> >
> > Priscilla
> >
> > >
> > > I've read that this is quite a common behaviour observed
> with
> > > Cisco-Routers
> > > that run HSRP. By mistake some Routers (depending on what?)
> > > sometimes listen
> > > to all Layer2 Multicast-Traffic instead to just the
> > > HSRP-Multicasts.
> > >
> > > Unfortunately, I can't configure any filters on the switch,
> > > which led me to
> > > the idea to apply a filter on the routers.
> > >
> > > It's no problem to configure an extended MAC Access-list
> > > (access-list
> > > ). But I struggle with applying it to the interface.
> > > The 'bridge-group  input-address-list ' just allows
> > > standard MAC
> > > Access-Lists, which would filter the source-address only.
> > >
> > > So I tried the following approach (CAR):
> > >
> > > access-list 1100 permit .. .. 0100.5e7c.0006 ..
> > > access-list 101 permit ip any any
> > >
> > > interface fastethernet0/0
> > > rate-limit input access-group 1100 1 10 10 conform-action drop exceed-action drop
> > > rate-limit input access-group 101 1 10 10 conform-action transmit exceed-action transmit
> > >
> > > In the lab the router accepted the commands, but now it
> blocks
> > > all traffic
> > > instead just the specified destination mac-address.
> > >
> > > Any suggestions? Thanks in advance.
> > >
> > > Lars Bucher
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57332&t=57320
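
The address check behind the question of whether 0100.5e7c.0006 is also an IP multicast address, as an added Python example (not code from the thread): it tests the group bit and the 01-00-5e IPv4 multicast MAC range, lists the IPv4 groups that share that MAC, and flags static ARP lines that bind a unicast IP to a group MAC. The function names are hypothetical and the second ARP line in the sample is constructed.

```python
import ipaddress
import re

# First line is the static ARP entry quoted in the thread; the second is constructed.
SAMPLE_CONFIG = """\
arp 10.241.207.193 0100.5e7c.0006 ARPA
arp 10.241.207.200 0010.7b3a.92c1 ARPA
"""

ARP_LINE = re.compile(r"^[ \t]*arp[ \t]+(\S+)[ \t]+(\S+)[ \t]+ARPA[ \t]*$",
                      re.IGNORECASE | re.MULTILINE)


def parse_cisco_mac(text):
    """Accept xxxx.xxxx.xxxx (also ':' or '-' separated) and return 6 raw bytes."""
    digits = re.sub(r"[.:-]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError("not a MAC address: %r" % text)
    return bytes.fromhex(digits)


def is_group_mac(mac):
    """I/G bit: least significant bit of the first octet marks multicast/broadcast."""
    return bool(mac[0] & 0x01)


def is_ipv4_multicast_mac(mac):
    """01-00-5e prefix with the next bit clear: the range IPv4 multicast maps into."""
    return mac[:3] == b"\x01\x00\x5e" and not (mac[3] & 0x80)


def candidate_groups(mac):
    """Only the low 23 bits of a group address reach the MAC, so 32 groups collide."""
    if not is_ipv4_multicast_mac(mac):
        return []
    low23 = int.from_bytes(mac[3:], "big")
    base = int(ipaddress.IPv4Address("224.0.0.0"))
    return [ipaddress.IPv4Address(base | (high5 << 23) | low23) for high5 in range(32)]


def audit_static_arp(config):
    """Flag 'arp <ip> <mac> ARPA' lines that tie a unicast IP to a group MAC."""
    findings = []
    for ip_text, mac_text in ARP_LINE.findall(config):
        ip = ipaddress.IPv4Address(ip_text)
        mac = parse_cisco_mac(mac_text)
        if not ip.is_multicast and is_group_mac(mac):
            findings.append({
                "ip": str(ip),
                "mac": mac_text,
                "ipv4_multicast_range": is_ipv4_multicast_mac(mac),
                "first_candidate_group": str(candidate_groups(mac)[0])
                if is_ipv4_multicast_mac(mac) else None,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_static_arp(SAMPLE_CONFIG):
        print(finding)
```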

FW: Multiple CCIE qualification exams then labs? [7:57019]

2002-11-12 Thread HulaJoe
Hello All,

I just purchased a 3810 to practice some Voice labs. I was hoping someone
could answer a quick question for me.

The 3810 I'm getting has 32 MB of RAM - Is this enough to run the 3810 as a
VoIP GW ? Can someone give me some insight in regards to setting up the 3810
to support VoIP ?

Thanks in advance!

Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]On Behalf Of
Peter Walker : [EMAIL PROTECTED]
Sent: Wednesday, November 06, 2002 2:40 PM
To: [EMAIL PROTECTED]
Subject: Multiple CCIE qualification exams then labs? [7:57019]


Also posted at www.@!#$.com (apologies to readers of both)


Folks

I have a question that hopefully can lead to me receiving some good
advice.

Back in June (Just before I was laid off) I took and passed the CCIE
security written exam. Since then I have been unsuccessfully seeking
employment.

Due in part to the cost, I have chosen not to book the lab yet and
probably won't until I am back in work. Which leads me (finally :-) to my
question.

Would it be worthwhile to study for and take the routing and switching
qualification exam and/or perhaps even a communications and services
exam too (maybe the voice beta when it is released).

Does anyone have any experience of how much commonality there is between
the exam materials?

Also, following on from that, how about the labs. Assuming I find myself
back in employment in the not too distant future and can manage to
afford it, would it be worth practicing for two or more CCIE labs at the
same time and then booking the labs back to back (or at least close
together)?

I have a reasonable home lab that includes 3x2500, 3x4500, a 2600, a
3600, 2xMC3810, a 7500, 2xPix501 and cat 2820, etherswitch 2200 and 3920
(yeah, I purchased the last 2 a couple of months before the lab equipment
changes were announced). So with the addition of a 3550 EMI (or 2 :- eek
$$$) and some remote lab time I think I should be able to prepare for
the lab exam(s) for any of the above.

The real question is should I go ahead and go for multiple CCIE certs at
once or is this just a really foolish idea.

Thanks

Peter Walker
CISSP, CSS1, CIPTSS, CCNP, CCIP, CCDP.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57333&t=57019



Re: Clearing access lists counters [7:57241]

2002-11-12 Thread Maximus
Worked for me on 12.2(12a):

clear ip access-list counters

- Original Message -
From: "John Tafasi" 
To: 
Sent: Tuesday, November 12, 2002 5:22 PM
Subject: Re: Clearing access lists counters [7:57241]


> I tried this also and it did not work. Here is what I did:
>
>
> R5-2503#clear ip access-list count
>
> R5-2503#show access-lists abc
> Extended IP access list abc
> Dynamic test permit ip any any
>   permit ip host 10.10.110.16 any (38 matches) (time left 134)
> permit tcp any host 10.10.110.3 eq telnet
> R5-2503#
>
> ""Tim Metz""  wrote in message
> news:200211120457.EAA20795@;groupstudy.com...
> > although that should have worked, try clear ip access-list counter as
> > well I just tested this on a 3662 and both commands worked (IOS 12.1)
> >
> > Tim
> >
> > ""John Tafasi""  wrote in message
> > news:20022125.VAA01591@;groupstudy.com...
> > > Can some one tell me how to clear access-list counters? I tried to use the
> > > command "clear access-list counters" but it did not work. Please see the
> > > output of the show command below.
> > >
> > > R5-2503#show access-lis abc
> > > Extended IP access list abc
> > > Dynamic test permit ip any any
> > >   permit ip any any (158 matches)
> > > permit tcp any host 10.10.110.3 eq telnet
> > > R5-2503#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57334&t=57241



Re: 2500 Flash - Read Only [7:57323]

2002-11-12 Thread Dennis Laganiere
I did a text capture of the whole process of copying a new version of IOS to
a 2500 as part of the MPLS for 2500's document on www.laganiere.net

Hopefully this helps...

Good luck...

--- Dennis

- Original Message -
From: "DW" 
To: 
Sent: Tuesday, November 12, 2002 2:10 PM
Subject: 2500 Flash - Read Only [7:57323]


> Can I manually change the Flash memory on a 2500 to Read\Write in order to
> load an image onto it. It is displaying as Read Only at the moment. I can
> load images with the software loader so I am assuming there is a way of
> changing the designation.
>
> Sincerely,
>
> DW




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57335&t=57323



ppp connection [7:57336]

2002-11-12 Thread [EMAIL PROTECTED]
Hi,

This might sound a bit unconventional but not so sure if it works.

Has anyone connected a Sun server running Solaris 2.6 to a 2511RJ access
server via PPP on a direct connection (i.e. connected just with a serial
cable)? Using Solstice PPP 3.0.1 to connect to the Async ports of the 2511
and running IP over it. Is CHAP/PAP still needed for authentication since
this is not a dial in connection?

I am trying this out so that I am able to coax another IP interface out of
the Sun box. Think this is somewhat related to an earlier thread on IP over
a serial interface.

Thanks,
/yck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57336&t=57336



Re: iBGP and convergence when failure happens [7:57255]

2002-11-12 Thread The Long and Winding Road
""bergenpeak""  wrote in message
news:200211121340.NAA13803@;groupstudy.com...
> Thanks.  So the removal of a BGP route from the routing table will not
> cause the BGP process to be tickled to run and possibly re-insert a new
> route for N1, N2, .. Nk through R2?


depends on how you are set up in the first place, and the nature of the
failure. I have been going through some BGP exercises, so I had my pod set
up for some basic stuff when I saw your post.

in the case you mention, with all routes contained in and advertised through
OSPF, there are only two things that can happen - a directly connected OSPF
neighbor goes down, in which case SPF is run again and relatively quickly
order is re-established. BGP is not effected in this case ( you did say that
the loopbacks were advertised in OSPF? ) because of recursive routing. the
routing in the BGP table points to a loopback as the next hop. in the
regular routing table, the route to the loopback points to another network
( directly connected ) and it is this next hop that changes when OSPF
reconverges. BGP is fat and happy and doesn't know there was ever a problem.

the other thing that can happen is that some distant network is down ( do a
"shut" on the loopback or on some other link. OSPF might noty become aware
of the change for the holddown time, but BGP could become aware sooner,
because the keepalives fail. the n BGP would go into its routing, waiting
for the dead time to expire, before removing the route from the bgp table.

geez, I didn't realize how tired I am tonight. Hope I am not rambling too
much.


>
> Does the "no sync" apply here?  The book examples always mention "no
> sync"
> in conjunction with eBGP and sending advertisements.  Here it's iBGP and
> when to re-evaluate putting routes into the routing table.


the important thing is to be sure that the routes become part of the iBGP or
the BGP process of the router on which they originate.  eBGP will accept all
routes from eBGP peers so long as the neighbor relationship is formed. on
the other hand, an eBGP peer will not advertise a route unless it can verify
there is a path to that route via its IGP. hence the "no sync" option.


>
> It would seem that load balancing, if possible, might help.  That is, if
> routes to N1 via R1 and R2 are both in the routing table, the loss of
> routes
> to R1 would cause those routes to be removed, but not prevent traffic
> from
> being forwarded to N1.
>
> So, besides the questions above, a few more:
>
> * Is it possible, in an iBGP configuration, to have BGP install multiple
> routes to the same destination?  If so, how is this done so that loops
> do not occur in the hops towards R1 and R2?  (That is, if each
> intermediate
> router randomly picks R1 or R2 as the target for N1, loops might
> develop)
>
> * I've never tried, but can I use local pref in iBGP to indicate a
> coarse
> level of load balancing by network prefix destination?  I want to make
> sure
> that packet re-ordering is very unlikely and this seems like this would
> prevent
> the loop problem.  It would seem this might provide prefix load
> balancing,
> but does not install two routes in the routing table for N1?
>
>
> The Long and Winding Road wrote:
> >
> > a couple of things - in line below
> >
> > "bergenpeak" wrote in message
> > news:200211120028.AAA03239@;groupstudy.com...
> > > Suppose I have several routers making up an iBGP mesh.  Lets
> > > suppose I have two routers (R1 and R2) which are advertising the same
> > > set of networks: N1, N2, ... Nk.
> > >
> > > OSPF is running underneath BGP (assume area 0).  All of the N
> > > networks are being advertised with a next-hop set to the respective
> > > loopbacks from R1 and R2.
> > >
> > > Now consider some other BGP router in the network.  It will have
> > > received a BGP announcement for each of N1, N2, .. Nk from R1 and R2.
> > >
> > > This third router will select one of the paths to N1, N2, etc.
> > > and insert it into the routing table.  I'd expect to see something
> > > like:
> > >
> > > subnet  next-hop
> > > --- ---
> > > N1  R1-lo0
> > > N2  R1-lo0
> > > ... ...
> > > Nk  R1-lo0
> > >
> > > R1-lo0
> > > R2-lo0
> > >
> > > Now, suppose R1 goes belly up.  OSPF will quickly inform all
> > > other routers that R1 and its loopback no longer exist.   I'm assuming
> > > that this will invalidate all the routes in the routing table which
> > > have R1-lo0 as next hop.  This will therefore cause the removal of all
> > > occurrences of routes to N1, N2, ... Nk from the routing table.
> > >
> > > The question is this:  what event will trigger BGP to re-evaluate
> > > the routes it knows about and add in routes for N1, N2, ... Nk via
> > > R2-lo0?  Will the removal of the N1 route from the routing table
> > > inform BGP to re-evaluate?  Or will the BGP timers need to timeout
> >
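
The recursive lookup discussed in this message, as an added sketch that is not part of the original thread: a BGP path names a loopback as next hop, the IGP table resolves that loopback to an exit interface, and a path whose next hop no longer resolves is skipped in favour of the next one. The addresses, interface names and function names are constructed for illustration, and the timing of when BGP re-evaluates is not modelled.

```python
import ipaddress

def igp_lookup(igp, addr):
    """Longest-prefix match in the IGP table; returns the exit interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in igp.items()
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def bgp_best(paths, igp):
    """Return (bgp_next_hop, exit_interface) for the first path, in preference
    order, whose next hop resolves through the IGP; None if none resolves."""
    for next_hop in paths:
        ifc = igp_lookup(igp, next_hop)
        if ifc is not None:
            return next_hop, ifc
    return None

# Constructed sample data: the view from a third router in the iBGP mesh.
R1_LO0, R2_LO0 = "192.0.2.1", "192.0.2.2"
BGP_PATHS_N1 = [R1_LO0, R2_LO0]  # N1 learned from both R1 and R2, R1 preferred

IGP_NORMAL = {"192.0.2.1/32": "Serial0", "192.0.2.2/32": "Serial1"}
# A neighbor link fails and OSPF reconverges: R1-lo0 is now reached via Serial1.
IGP_LINK_DOWN = {"192.0.2.1/32": "Serial1", "192.0.2.2/32": "Serial1"}
# R1 itself is gone: its loopback has left the IGP table entirely.
IGP_R1_DEAD = {"192.0.2.2/32": "Serial1"}

def scenarios():
    """Resolve N1 under each IGP state; the BGP path list is never modified."""
    states = [("normal", IGP_NORMAL), ("link_down", IGP_LINK_DOWN),
              ("r1_dead", IGP_R1_DEAD)]
    return {name: bgp_best(BGP_PATHS_N1, igp) for name, igp in states}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10} -> {result}")
```

In this model a default or summary route that covers the loopback address still counts as resolving the next hop, so the path via R1 would stay selected even with the /32 gone.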

debug for mtu size [7:57338]

2002-11-12 Thread John Zaggat
Can anyone show me how I can debug MTU size issues? Is there a debug command
I can use to monitor MTU mismatches?
Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57338&t=57338



Re: Has Anyone used Global Knowledge? [7:57297]

2002-11-12 Thread Tim Metz
Just in case you need another reply, the Global Knowledge in Atlanta is also
recommended.

Tim

"David Vital" wrote in message
news:200211121616.QAA10750@;groupstudy.com...
> Wondering if anyone here has experience with Global Knowledge and the
> classes they offer.
>
> Thanks,
>
> David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57339&t=57297



Re: 2500 Flash - Read Only [7:57323]

2002-11-12 Thread shuo ahn
Yes, I know it.
In this case:
 1. Boot the router from any TFTP server using
    boot system tftp
 2. reload

So, you can see the flash (sh flash) and you find it "read/write".




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57340&t=57323