Re: Question [7:59637]

2002-12-21 Thread Net Manager
I'm running Native IOS on 6509's and 6513's. The 6509's have been running
native for about a year without any issues, both with SUP-2 and MSFC.  One
thing to remember is that you need to copy off the VLAN database (VLAN.DAT
file).

The one dilemma is redundancy. With native IOS it's best to run redundant
chassis and HSRP between the two. You can build redundancy within a single
chassis, but to reload a config from a standby SUP / MSFC takes about 5
minutes. In an enterprise environment that's not acceptable.

Cisco is also moving towards a single IOS.  To install new gear with native
IOS from the start would be the best. You can convert to native down the
road but it's not painless.
"Greg Rend" wrote in message news:[EMAIL PROTECTED]...
> I had a quick question, on which IOS for the Catalyst (Hybrid, or Native)
> is better. And why? I am getting ready to roll out some 6 of them, and
> was wondering if anyone has had any issues with the Native. Thanks. --
> Get your free email from www.uymail.com Powered by Outblaze




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59681&t=59637
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Fwd: RE: CCIE Vs. BS or MS dergree [7:59481]

2002-12-21 Thread Tom Lisa
It is amazing to me how some individuals feel that they have a
"right" to have their questions answered.  This without even
indicating that they have done any independent research on
their own prior to querying the list.

Oh well, Happy Holidays to all, and to all a good night!

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy
"Cunctando restituit rem"

"Howard C. Berkowitz" wrote:

  At 1:37 PM + 12/20/02, Mr piyush shah wrote:
  >Dear friends
  >It has been quite long that I have been hearing
  >whether CCIE is superior or MS. I think it is high
  >time we should wrap the topic. I don't understand
  >what this forum is for? It should be purely
  >technical. For a typical type of questioning like
  >this, there are responses which last for weeks but
  >there are some questions for whom nobody seems to be
  >bothered?
  >There was a question which was thrown on this on
  >TACACS ACS, whether what could the issue be that I am
  >able to authenticate and not authorisation, not a
  >single person on this site bothered to answer, not
  >even Priscilla.

  Let's consider whether people "bother to respond."  First, remember
  that everyone who does so is volunteering their time. They are not a
  substitute for the TAC or reference materials.  Have you considered
  that at the time you asked the question, Priscilla might be on
  vacation, another expert has limited list access while on business
  travel (perhaps behind a strict firewall), and two others are trying
  to finish projects for which they are paid?

  The latter might scan the list, but not have 10-30 minutes to write a
  post. Indeed, many of those experts do not have the answer memorized,
  but would have to look it up -- admittedly much faster than would a
  beginner.

  >Which sounds to be very strange. There are so many
  >people who are new to networking tech, hence come with
  >some query which might be stupid to some of our
  >colleagues but please ensure that you were also like them
  >during your initial phase,

  The following is not meant to be a put-down, but a reality of how
  some people started in networking technology.  I was first
  responsible for a network in 1970, using Bell 100 series modems (300
  bps) to a PDP-11 running critical medical applications. Most links
  were acoustically coupled dialups, but we did have a few dedicated
  lines (again at 300 bps).

  With about 10 user ports on the machine, we sometimes just ran out.
  Since one of the dedicated lines was only needed for backups at
  night, and another for reporting, I realized I could switch them to
  dialup during the day.

  There was no Black Box Catalog or the like.  I needed to get a copy
  of RS-232 and learn the wiring, decide how many pins I had to switch,
  go to the electronics store and get an appropriate rotary switch and
  other components, and physically build the box, soldering the wires
  to the switch.

  I made some incorrect assumptions the first time, and had to use
  electronic test instruments to find what I had done wrong -- it
  turned out I wasn't clear about the functions of the Pin 1 and Pin 7
  grounds.

  At the same time all of this was going on, I was the head of software
  development for the medical applications, so needed to both design,
  write, and manage development, as well as researching expert system
  rules for blood banking and clinical chemistry.

  So no, not everyone had the luxury of a list or even colleagues.

  >hence try to rectify the
  >query rather than spending your precious time on
  >stupid questions like "ccie is superior or MS, what
  >is the salary of CCIE?"

  And I will be perfectly honest.  Sometimes, I may be in a hurry when
  reading the list, and there's a "stupid question" that I can answer
  from personal experience.  Even when I answer a technical question
  with which I am very familiar, I often check the documentation --
  Cisco or IETF -- to be sure I'm referring to the right document.  On
  another list, for example, there was a DNS question.  I knew the
  answer was in RFC 1033, 1034, or 1035, but wasn't sure which, and
  didn't have time to look it up.  I cited the three documents, and
  said I _thought_ it was 1034.  Looking it up later, it was 1035.

  >I hope the message is clear to everybody
  >Regards
  >
  >PIYUSH
  >
  >Note: forwarded message attached.

Re: problem with initiating PPTP connection behind [7:59663]

2002-12-21 Thread Chuck Church
Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec.  Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC, same
port.  At one time I thought it needed GRE, but I don't see it listed on
that doc.  HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore" 
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


> It's all broken... I will give you 500 bux for that pix.. no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen" 
> To: ; 
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall via
> PAT
>
>
> > I just replaced my home Linux "iptables" firewall with a "franken" pix
> > firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with
> > PDM 2.1(1).
> >
> > My internal network is 172.16.1.0/24, with the "inside" interface of the
> > firewall being 172.16.1.254.  The "outside" interface of the firewall is
> > 4.64.1.100.  I also have a "dmz" 172.17.1.0/24 network with the Pix
> > interface IP of 172.17.1.254.  Machines on both the "inside" and "dmz"
> > access the Internet via Port Address Translation (PAT) to the "outside"
> > interface and it seems to work OK.  On the "inside" network, I have a
> > Websense filter server (IP 172.16.1.2) to do url filtering for both the
> > "inside" and "outside" interface.  I use the Websense server to filter
> > out traffic that I don't want my children to see.  Everything is working
> > great with a minor exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside" network
> > (IP 172.16.1.100) to a PPTP server at my work place.  The problem is
> > that the connection keeps timing out.  The connection times out at
> > "verify username and password".  To make sure that this is not a problem
> > with my laptop, I hooked my laptop directly to the cable modem (I have
> > roadrunner).  Since my laptop has a valid external IP address, PPTP
> > works.  If I place the laptop on the "inside" network behind the
> > "franken" pix, PPTP doesn't work.  I even made the firewall "wide-open"
> > for both inbound and outbound and it still doesn't work.  Now if I
> > replace the "franken" pix firewall with a Linux firewall, PPTP works
> > just fine through IP masquerading, which is equivalent to PAT.
> >
> > My question is this: has anyone been able to successfully initiate a
> > PPTP connection from behind a Pix firewall via Port Address Translation
> > (PAT)?  Does it even work at all with PAT?  I am starting to have
> > serious doubts about the Cisco Pix firewall.  It cost me $500 to build
> > this "franken" pix firewall.  With the CPU, memory and flash, this
> > "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit
> > Interface) and it cannot even do a simple thing like allowing PPTP
> > through PAT.  My Linux firewall is running on a Pentium 90MHz with 64MB
> > of RAM and PPTP works just fine, and it cost me $20 for that old system.
> >
> > I think PPTP will work with static NAT but I don't have an extra public
> > IP to spare.
> >
> > If anyone has PPTP working through PAT, please reply.  Thanks.
> >
> > Eric.
> >
> > Here is my Pix configuration:
> >
> > HERNDON-PIX# wr t
> > Building configuration...
> > : Saved
> > :
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security99
> > nameif ethernet3 dmz2 security98
> > enable password * encrypted
> > passwd * encrypted
> > hostname HOME-PIX
> > domain-name home.com
> > clock timezone est -5
> > clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > names
> > access-list compiled
> > access-list 100 permit icmp any any
> > access-list 100 permit ip any any
> > access-list 100 permit gre any any
> > access-list 101 permit ip any any
> > access-list 101 permit icmp any any
> > access-list 101 permit gre any any
> > access-list 200 permit ip any any
> > access-list 200 permit icmp any any
> > access-list 200 permit gre any any
> > pager lines 24
> > logging on
> > logging timestamp

Re: problem with initiating PPTP connection behind [7:59673]

2002-12-21 Thread Chuck Church
You know, IPSec is far more secure than PPTP, especially if you're dealing
with an MS PPTP server.  Sounds like you need a PIX at work...

Chuck Church
CCIE #8776, MCNE, MCSE


  - Original Message -
  From: eric nguyen
  To: [EMAIL PROTECTED] ; 'Chuck Church' ; [EMAIL PROTECTED] ;
[EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 10:27 PM
  Subject: RE: problem with initiating PPTP connection behind a Pix Firewall
via PAT


  Thanks for the info.

  This absolutely sucks.  I am sure there are many folks out there with
  broadband connections like myself, cable modem or DSL, that have only one
  external IP address.  Those folks might be using a Cisco Pix501, Pix506 or
  Pix506E for their home firewall.  I am sure they need to connect to their
  corporate network via PPTP just like myself.  Now I have no choice but to
  switch back to my Linux firewall.  Pix firewall, what a piece of shit.  For
  an expensive product like that, you would think that Cisco would make an
  effort to make PPTP work via PAT.

  Enough of me venting my frustration.  Thanks everyone for your help.

  Eric

  "Raymond Jett (rajett)" wrote:

Hmmm To quote cisco.com...

PPTP through the PIX with Port Address Translation (PAT) does not work
because there is no concept of ports in GRE.

That was from:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT...

Although, interestingly enough... You can do it with IOS:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
eric nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT

Chuck,
I did try the following:
static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask
255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside
It still doesn't work. The example you provided has to do with Cisco IOS.
Pix is not the same as Cisco IOS even though it comes from the same
company. This is really frustrating. I feel like I am being "ripped-off"
by Cisco Pix firewall (even though I am running a clone, there is no way
in hell that Cisco will support it). It is really amazing that an
expensive product like this one doesn't support PPTP with PAT (to my
knowledge). Even a Linux firewall supports PPTP over PAT. I feel like I
am hitting a brick wall here. Please help.
Eric

Chuck Church wrote:
Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same port. At one time I thought it needed GRE, but I don't see it
listed on that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore"
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT


> It's all broken... I will give you 500 bux for that pix.. no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen"
> To: ;
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall
via
> PAT
>
>
> > I just replaced my home Linux "iptables" firewall with a "franken" pix
> > firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with
> > PDM 2.1(1).
> >
> > My internal network is 172.16.1.0/24, with the "inside" interface of the
> > firewall being 172.16.1.254. The "outside" interface of the firewall is
> > 4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix
> > interface IP of 172.17.1.254. Machines on both the "inside" and "dmz"
> > access the Internet via Port Address Translation (PAT) to the "outside"
> > interface and it seems to work OK. On the "inside" network, I have a
> > Websense filter server (IP 172.16.1.2) to do url filtering for both the
> > "inside" and "outside" interface. I use the Websense server to filter out
> > traffic that I don't want my children to see. Everything is working great w

Re: problem with initiating PPTP connection behind [7:59672]

2002-12-21 Thread Chuck Church
Eric,

I just checked it with an ACL.  GRE is used incoming from a PPTP server,
at least it is from my work PIX.  But the trick is getting the incoming GRE
(with a destination of your PATing PIX) to the client inside.  Can you try
putting a 1-to-1 static from the PIX address pointing to the inside client?
I don't have a PIX here to try it.  I think anything then without a
translation will be sent to your inside client.  But it's not really the
PIX's fault.  What you're trying to do is PAT a protocol that for the most
part is incompatible with it.  Give it a shot.

Chuck Church
CCIE #8776, MCNE, MCSE


  - Original Message -
  From: eric nguyen
  To: Chuck Church ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 9:59 PM
  Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


  Chuck,

  I did try the following:

  static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask
  255.255.255.255 0 0
  access-list 100 permit ip any any
  access-list 100 permit gre any any
  access-list 100 permit icmp any any
  access-group 100 in interface outside

  It still doesn't work.  The example you provided has to do with Cisco IOS.
  Pix is not the same as Cisco IOS even though it comes from the same company.

  This is really frustrating.  I feel like I am being "ripped-off" by the
  Cisco Pix firewall (even though I am running a clone, there is no way in
  hell that Cisco will support it).  It is really amazing that an expensive
  product like this one doesn't support PPTP with PAT (to my knowledge).
  Even a Linux firewall supports PPTP over PAT.

  I feel like I am hitting a brick wall here.  Please help.

  Eric

  Chuck Church wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same port. At one time I thought it needed GRE, but I don't see it listed on
that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore"
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall
via PAT


> It's all broken... I will give you 500 bux for that pix.. no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen"
> To: ;
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall
via
> PAT
>
>
> > I just replaced my home Linux "iptables" firewall with a "franken" pix
> > firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with
> > PDM 2.1(1).
> >
> > My internal network is 172.16.1.0/24, with the "inside" interface of the
> > firewall being 172.16.1.254. The "outside" interface of the firewall is
> > 4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix
> > interface IP of 172.17.1.254. Machines on both the "inside" and "dmz"
> > access the Internet via Port Address Translation (PAT) to the "outside"
> > interface and it seems to work OK. On the "inside" network, I have a
> > Websense filter server (IP 172.16.1.2) to do url filtering for both the
> > "inside" and "outside" interface. I use the Websense server to filter out
> > traffic that I don't want my children to see. Everything is working great
> > with a minor exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside" network
> > (IP 172.16.1.100) to a PPTP server at my work place. The problem is that
> > the connection keeps timing out. The connection times out at "verify
> > username and password". To make sure that this is not a problem with my
> > laptop, I hooked my laptop directly to the cable modem (I have roadrunner).
> > Since my laptop has a valid external IP address, PPTP works. If I place
> > the laptop on the "inside" network behind the "franken" pix, PPTP doesn't
> > work. I even made the firewall "wide-open" for both inbound and outbound
> > and it still doesn't work. Now if I replace the "franken" pix firewall
> > with a Linux firewall, PPTP works just fine through IP masquerading, which
> > is equivalent to PAT.
> >
> > My question is this: has anyone been able to successfully initiate a PPTP
> > connection from behind a Pix firewall via Port Address Translation (PAT)?
> > Does it even work at all with PAT? I am startin

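The Cisco line quoted in this thread (no ports in GRE) and the 1-to-1 static workaround are the whole explanation; the Python below is an added example, not from the thread or from Cisco, that models the PPTP server's returning GRE packet going through three translators: port-only PAT as Eric's PIX does it, the static 1-to-1 translation Chuck and Michael suggest, and a Call-ID-based PPTP helper of the kind Linux NAT uses, which goes beyond the thread's "Linux works". The PPTP server address 198.51.100.10, the Call IDs and the Packet model are constructed; the PIX and laptop addresses are the ones Eric gives.

```python
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

TCP, GRE = 6, 47
OUTSIDE_IP = "4.64.1.100"      # PIX outside address given in the thread
LAPTOP = "172.16.1.100"        # inside PPTP client given in the thread
PPTP_SERVER = "198.51.100.10"  # constructed (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0    # TCP only
    dport: int = 0    # TCP only
    gre: bytes = b""  # raw GRE header when proto == GRE


def pptp_gre_header(call_id: int, payload_len: int = 0) -> bytes:
    """RFC 2637 enhanced GRE: K bit set, version 1, protocol 0x880B, Key = length | Call ID."""
    return struct.pack("!BBHHH", 0x20, 0x01, 0x880B, payload_len, call_id)


def pptp_call_id(gre: bytes) -> Optional[int]:
    """Call ID carried in a PPTP GRE header, or None if this is not PPTP's flavour of GRE."""
    if len(gre) < 8:
        return None
    flags, ver, ptype, _length, call_id = struct.unpack("!BBHHH", gre[:8])
    if not (flags & 0x20) or (ver & 0x07) != 1 or ptype != 0x880B:
        return None
    return call_id


class PlainPAT:
    """Port-only PAT, as the PIX in the thread does it: flows keyed on (proto, address, port)."""

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.next_port = 1024
        self.by_outside: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != TCP:
            return None  # GRE has no port field, so there is nothing to build a PAT entry from
        port, self.next_port = self.next_port, self.next_port + 1
        self.by_outside[(TCP, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.by_outside.get((pkt.proto, pkt.dport))
        if entry is None:
            return None  # the server's GRE matches no entry and is dropped: the thread's symptom
        return replace(pkt, dst=entry[0], dport=entry[1])


def static_nat_inbound(pkt: Packet, outside_ip: str, inside_ip: str) -> Optional[Packet]:
    """One-to-one static translation, the workaround suggested in the thread."""
    if pkt.dst != outside_ip:
        return None
    return replace(pkt, dst=inside_ip)  # protocol and ports untouched, so GRE passes


class PPTPAwarePAT(PlainPAT):
    """PAT plus a PPTP helper that uses the GRE Call ID the way a port is used for TCP."""

    def __init__(self, outside_ip: str) -> None:
        super().__init__(outside_ip)
        self.calls: Dict[int, Tuple[str, int]] = {}  # outside Call ID -> (inside ip, inside Call ID)
        self.next_call = 1

    def register_call(self, inside_ip: str, client_call_id: int) -> int:
        # Simplification: a real helper learns this by rewriting the client's
        # Outgoing-Call-Request on the TCP/1723 control channel.
        ext, self.next_call = self.next_call, self.next_call + 1
        self.calls[ext] = (inside_ip, client_call_id)
        return ext  # the Call ID the server will put in its GRE packets

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != GRE:
            return super().inbound(pkt)
        cid = pptp_call_id(pkt.gre)
        if cid is None or cid not in self.calls:
            return None
        inside_ip, orig = self.calls[cid]
        hdr = pkt.gre[:6] + struct.pack("!H", orig) + pkt.gre[8:]  # restore client's Call ID
        return replace(pkt, dst=inside_ip, gre=hdr)


def demo() -> Dict[str, bool]:
    """Push the server's returning GRE through each translator; True means it reached the laptop."""
    server_gre = Packet(GRE, PPTP_SERVER, OUTSIDE_IP, gre=pptp_gre_header(call_id=1))
    plain = PlainPAT(OUTSIDE_IP)
    control = plain.outbound(Packet(TCP, LAPTOP, PPTP_SERVER, sport=40000, dport=1723))
    helper = PPTPAwarePAT(OUTSIDE_IP)
    helper.register_call(LAPTOP, client_call_id=9000)  # allocates outside Call ID 1
    return {
        "TCP/1723 control channel through plain PAT": control is not None,
        "GRE through plain PAT": plain.inbound(server_gre) is not None,
        "GRE through static 1-to-1 NAT": static_nat_inbound(server_gre, OUTSIDE_IP, LAPTOP) is not None,
        "GRE through PPTP-aware PAT": helper.inbound(server_gre) is not None,
    }
```

The control channel translating fine while the GRE never comes back is exactly why the session gets as far as "verify username and password" (the PPP authentication runs inside the GRE tunnel) and then times out.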
Re: PIX and Cryptochecksum [7:59650]

2002-12-21 Thread Brad
Sounds like the nvram or flash took a dump to me.  Did you load a new config
on there?  What happened when you did?

thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.ccbootcamp.com

"David Cooper" wrote in message news:[EMAIL PROTECTED]...
> Hey folks, I just saw a strange incident with a pix 501 in china. To be
> brief, this pix was doing ipsec to a site in america, PAT and smtp port
> redirection.
>
> One day out of the blue, all the access-list entries and crypto match
> rules were gone.. poof! All the access-groups were too. The static
> commands were still there and everything else.
>
> I think this is possibly a security violation. The one thing I noticed was
> the Cryptochecksum was _ALL_ zeros in the sh config.
>
> A little birdie at tac told me that it is possible that the cryptochecksum
> could be zeros but that strongly goes against my intuition.
>
> Does anyone have any idea on this? Afaik that should never be 0.
>
> Thanks in advance,
> eo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59676&t=59650



RE: problem with initiating PPTP connection behind [7:59670]

2002-12-21 Thread eric nguyen
Thanks for the info.
This absolutely sucks.  I am sure there are many folks out there with
broadband connections like myself, cable modem or DSL, that have only one
external IP address.  Those folks might be using a Cisco Pix501, Pix506 or
Pix506E for their home firewall.  I am sure they need to connect to their
corporate network via PPTP just like myself.  Now I have no choice but to
switch back to my Linux firewall.  Pix firewall, what a piece of shit.  For
an expensive product like that, you would think that Cisco would make an
effort to make PPTP work via PAT.
Enough of me venting my frustration.  Thanks everyone for your help.
Eric

"Raymond Jett (rajett)" wrote:
Hmmm To quote cisco.com...

PPTP through the PIX with Port Address Translation (PAT) does not work
because there is no concept of ports in GRE.

That was from:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT...

Although, interestingly enough... You can do it with IOS:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
eric nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT


Chuck,
I did try the following:
static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask
255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside
It still doesn't work. The example you provided has to do with Cisco IOS.
Pix is not the same as Cisco IOS even though it comes from the same
company. This is really frustrating. I feel like I am being "ripped-off"
by Cisco Pix firewall (even though I am running a clone, there is no way
in hell that Cisco will support it). It is really amazing that an
expensive product like this one doesn't support PPTP with PAT (to my
knowledge). Even a Linux firewall supports PPTP over PAT. I feel like I
am hitting a brick wall here. Please help.
Eric

Chuck Church wrote:
Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same port. At one time I thought it needed GRE, but I don't see it
listed on that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore" 
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT


> It's all broken... I will give you 500 bux for that pix.. no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen"
> To: ; 
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall
via
> PAT
>
>
> > I just replaced my home Linux "iptables" firewall with a "franken" pix
> > firewall (700MHz CPU/512MB RAM/16MB Flash) running version 6.2(2) with
> > PDM 2.1(1).
> >
> > My internal network is 172.16.1.0/24, with the "inside" interface of the
> > firewall being 172.16.1.254. The "outside" interface of the firewall is
> > 4.64.1.100. I also have a "dmz" 172.17.1.0/24 network with the Pix
> > interface IP of 172.17.1.254. Machines on both the "inside" and "dmz"
> > access the Internet via Port Address Translation (PAT) to the "outside"
> > interface and it seems to work OK. On the "inside" network, I have a
> > Websense filter server (IP 172.16.1.2) to do url filtering for both the
> > "inside" and "outside" interface. I use the Websense server to filter out
> > traffic that I don't want my children to see. Everything is working great
> > with a minor exception:
> >
> > I need to make a PPTP connection from a laptop on the "inside" network
> > (IP 172.16.1.100) to a PPTP server at my work place. The problem is that
> > the connection keeps timing out. The connection times out at "verify
> > username and password". To make sure that this is not a problem with my
> > laptop, I hooked my laptop directly to the cable modem (I have roadrunner).
> > Since my laptop has a valid external IP address, PPTP works. If I place
> > the laptop on the "inside" network behind the "franken" pix, PPTP doesn't
> > work. I even made the firewall "wide-open" for both inbound and outbound
> > and it still doesn't work. Now if I replace the "franken" pix firewall
> > with a Linux firewall, PPTP works just fine through IP masquerading wh

Re: problem with initiating PPTP connection behind [7:59667]

2002-12-21 Thread eric nguyen
Michael,
Perhaps you didn't read my previous email carefully.
I only have one static external IP address and that IP address is used by
the external interface of the firewall.  Therefore, I don't have any extra
public IP addresses to use for static NAT.
Any other suggestions?  Thanks.
Eric

Michael Shavrov wrote:
Eric,

According to Cisco's recommendations you should do the following steps:

1. Create a static address translation for your laptop:
static (inside,outside) 
netmask 255.255.255.255 0 0

2. Configure an access-list to permit GRE (you have it enabled for ALLALL,
but it may be a better idea to permit it only for specific hosts):
access-list acl-out permit gre host 
host


3. Apply the access-list to the interface (you have this done).
access-group acl-out in interface outside

So, all you need to do is create a static NAT translation for your laptop.

Good luck,

Michael Shavrov



- Original Message -
From: "eric nguyen" 
To: ; 
Sent: Friday, December 20, 2002 4:47 PM
Subject: problem with initiating PPTP connection behind a Pix Firewall via
PAT


> I just replaced my home linux "iptables" firewall with a "franken" pix firewall
> (700MHz CPU/512MB RAM/16MBFlash) running version 6.2(2) with PDM 2.1(1).
> My internal network is 172.16.1.0/24 and the "inside" interface of the firewall is
> 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100. I also have
> a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254. Machines
> on both the "inside" and "dmz" access the Internet via Port Address Translation
> (PAT) to the "outside" interface and it seems to work OK. On the "inside" network,
> I have a Websense filter server (IP 172.16.1.2) to do url filtering for both the "inside"
> and "outside" interface. I use Websense server to filter out traffic that I don't want
> my children to see. Everything is working great with a minor exception:
> I need to make a PPTP connection from a laptop on the "inside" network (IP
> 172.16.1.100) to a PPTP server at my work place. The problem is that the
> connection keeps timing out. The connection times out at the "verify username and
> password". To make sure that this is not a problem with my laptop, I hook my
> laptop directly to the cable modem (I have roadrunner). Since my laptop has a valid
> external IP address, PPTP works. If I place the laptop on the "inside" network
> behind the "franken" pix, PPTP doesn't work. I even make the firewall "wide-open" for
> both inbound and outbound and it still doesn't work. Now if I replace the "franken"
> pix firewall with a linux firewall, PPTP works just fine through IP masquerading which
> is equivalent to PAT.
>
> My question is this: has anyone been able to successfully initiate a PPTP
> from behind a Pix firewall via Port Address Translation (PAT)? Does it even work
> at all with PAT? I am starting to have serious doubts about the Cisco Pix firewall. It cost
> me $500 to build this "franken" pix firewall. With the CPU, memory and flash, this
> "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it can
> not even do a simple thing like allowing PPTP through PAT. My linux firewall is
> running on a Pentium 90Mhz with 64MB of RAM and PPTP works just fine, and it
> costs me $20 for that old system.
> I think PPTP will work with static NAT but I don't have an extra public IP to spare.
> If anyone has PPTP working through PAT, please reply. Thanks.
>
> Eric.
>
> Here is my Pix configuration
>
> HERNDON-PIX# wr t
> Building configuration...
> : Saved
> :
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security99
> nameif ethernet3 dmz2 security98
> enable password * encrypted
> passwd * encrypted
>
> hostname HOME-PIX
> domain-name home.com
>
> clock timezone est -5
> clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
>
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
>
> names
>
> access-list compiled
> access-list 100 permit icmp any any
> access-list 100 permit ip any any
> access-list 100 permit gre any any
>
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> access-list 101 permit gre any any
>
> access-list 200 permit ip any any
> access-list 200 permit icmp any any
> access-list 200 permit gre any any
>
> pager lines 24
>
> logging on
> logging timestamp
> logging monitor debugging
> logging trap notifications
> logging facility 23
> logging queue 1024
> logging host inside 172.16.1.2
>
> interface ethernet0 auto
> interface ethernet1 100full
> interface ethernet2 100full
> interface ethernet3 100full shutdown
>
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu dmz2 1500
> ip address ou

RE: problem with initiating PPTP connection behind [7:59669]

2002-12-21 Thread Raymond Jett (rajett)
Hmmm To quote cisco.com...

PPTP through the PIX with Port Address Translation (PAT) does not work
because there is no concept of ports in GRE.

That was from:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT...

Although, interestingly enough... You can do it with IOS:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
eric nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT


Chuck,
I did try the following:
static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask
255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside
It still doesn't work.  The example you provided has to do with Cisco IOS.
Pix is not the same as Cisco IOS even though it comes from the same company.
This is really frustrating. I feel like I am being "ripped-off" by Cisco Pix
firewall (even though I am running a clone, there is no way in hell that Cisco
will support it).  It is really amazing that an expensive product like this one
doesn't support PPTP with PAT (to my knowledge).  Even a Linux firewall supports
PPTP over PAT. I feel like I am hitting a brick wall here.  Please help.
Eric

Chuck Church wrote:
Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same port. At one time I thought it needed GRE, but I don't see it
listed on that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore" 
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT


> Its all broken... I will give you 500 bux for that pix ..no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen"
> To: ; 
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall
via
> PAT
>
>
> > I just replaced my home linux "iptables" firewall with a "franken" pix firewall
> > (700MHz CPU/512MB RAM/16MBFlash) running version 6.2(2) with PDM 2.1(1).
> > My internal network is 172.16.1.0/24 and the "inside" interface of the firewall is
> > 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100. I also have
> > a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254. Machines
> > on both the "inside" and "dmz" access the Internet via Port Address Translation
> > (PAT) to the "outside" interface and it seems to work OK. On the "inside" network,
> > I have a Websense filter server (IP 172.16.1.2) to do url filtering for both the "inside"
> > and "outside" interface. I use Websense server to filter out traffic that I don't want
> > my children to see. Everything is working great with a minor exception:
> > I need to make a PPTP connection from a laptop on the "inside" network (IP
> > 172.16.1.100) to a PPTP server at my work place. The problem is that the
> > connection keeps timing out. The connection times out at the "verify username and
> > password". To make sure that this is not a problem with my laptop, I hook my
> > laptop directly to the cable modem (I have roadrunner). Since my laptop has a valid
> > external IP address, PPTP works. If I place the laptop on the "inside" network
> > behind the "franken" pix, PPTP doesn't work. I even make the firewall "wide-open" for
> > both inbound and outbound and it still doesn't work. Now if I replace the "franken"
> > pix firewall with a linux firewall, PPTP works just fine through IP masquerading which
> > is equivalent to PAT.
> >
> > My question is this: has anyone been able to successfully initiate a PPTP
> > from behind a Pix firewall via Port Address Translation (PAT)? Does it even work
> > at all with PAT? I am starting to have serious doubts about the Cisco Pix firewall. It cost
> > me $500 to build this "franken" pix firewall. With the CPU, memory and flash, this
> > "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it can
> > not even do a simple thing like allowing PPTP through PAT. My linux firewall is
> > running on a Pentium 90Mhz with 64MB of RAM and PPTP works just 
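
Raymond's cisco.com quote is the crux of this thread, so here is an added model (my own code, not anything from the PIX or from Linux) of why the TCP 1723 control channel survives PAT while the GRE data channel does not, and how a PPTP-aware translator keys on the enhanced-GRE Call ID instead. The outside and laptop addresses are Eric's; the server address 203.0.113.5, the source port and the Call IDs are constructed.

```python
"""Constructed model of PPTP through PAT. Plain PAT needs an L4 port to build
a unique translation; IP protocol 47 (GRE) has none, so the PPTP data channel
is dropped even though the TCP 1723 control channel translates fine. That
matches the symptom in the thread: the session reaches "verify username and
password" (PPP, carried over GRE) and then times out."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GRE_PROTO = 47
TCP_PROTO = 6
PPTP_PORT = 1723
PPP_ETHERTYPE = 0x880B   # protocol type carried in PPTP's enhanced GRE
GRE_V1_KEY = 0x2001      # K flag set, version 1: RFC 2637 enhanced GRE


def build_pptp_gre(call_id: int, payload: bytes) -> bytes:
    """Enhanced GRE header: flags/version, protocol type, payload length,
    then the peer's Call ID in the 16-bit key field."""
    return struct.pack("!HHHH", GRE_V1_KEY, PPP_ETHERTYPE, len(payload), call_id) + payload


def parse_pptp_gre(packet: bytes) -> Tuple[int, bytes]:
    """Return (call_id, payload); reject anything that is not enhanced GRE."""
    flags_ver, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != PPP_ETHERTYPE or (flags_ver & 0x0007) != 1 or not (flags_ver & 0x2000):
        raise ValueError("not a PPTP enhanced-GRE packet")
    return call_id, packet[8:8 + length]


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # TCP/UDP only; GRE has no port field
    payload: bytes = b""


class PlainPAT:
    """PAT with one outside address: each flow is identified by a translated
    source port. With no port to allocate, GRE gets no xlate and is dropped."""

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.xlate: Dict[Tuple[int, int], Tuple[str, int]] = {}
        self._next_port = 1024

    def _alloc(self) -> int:
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None                     # no port, no translation
        port = self._alloc()
        self.xlate[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, port, pkt.payload)


class PPTPAwarePAT(PlainPAT):
    """Same engine plus a PPTP helper in the spirit of Linux masquerading: the
    client's Call ID, announced on the TCP 1723 control channel, is rewritten
    like a port, so inbound GRE (which carries the client's Call ID) can be
    mapped back to the right inside host. Parsing the control message itself
    is skipped; register_call() stands in for it (constructed simplification)."""

    def register_call(self, inside_ip: str, client_call_id: int) -> int:
        new_id = self._alloc()
        self.xlate[(GRE_PROTO, new_id)] = (inside_ip, client_call_id)
        return new_id                       # what the helper writes into the request

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != GRE_PROTO:
            return super().outbound(pkt)
        parse_pptp_gre(pkt.payload)         # outbound GRE carries the server's Call ID: untouched
        return Packet(GRE_PROTO, self.outside_ip, pkt.dst, None, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        call_id, payload = parse_pptp_gre(pkt.payload)
        entry = self.xlate.get((GRE_PROTO, call_id))
        if entry is None:
            return None                     # unknown Call ID: dropped like any unsolicited inbound
        inside_ip, orig_id = entry
        return Packet(GRE_PROTO, pkt.src, inside_ip, None, build_pptp_gre(orig_id, payload))


if __name__ == "__main__":
    laptop, outside, server = "172.16.1.100", "4.64.1.100", "203.0.113.5"
    plain = PlainPAT(outside)
    print("control channel through plain PAT:",
          plain.outbound(Packet(TCP_PROTO, laptop, server, 40000)) is not None)
    gre = Packet(GRE_PROTO, laptop, server, payload=build_pptp_gre(7, b"ppp"))
    print("GRE through plain PAT:", plain.outbound(gre) is not None)
    aware = PPTPAwarePAT(outside)
    xid = aware.register_call(laptop, 7)
    reply = aware.inbound(Packet(GRE_PROTO, server, outside, payload=build_pptp_gre(xid, b"ppp")))
    print("GRE through PPTP-aware PAT:", reply is not None and reply.dst == laptop)
```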

Re: problem with initiating PPTP connection behind [7:59668]

2002-12-21 Thread eric nguyen
Chuck,
I did try the following:
static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask
255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside
It still doesn't work.  The example you provided has to do with Cisco IOS.
Pix is not the same as Cisco IOS even though it comes from the same company.
This is really frustrating. I feel like I am being "ripped-off" by Cisco Pix
firewall (even though I am running a clone, there is no way in hell that Cisco
will support it).  It is really amazing that an expensive product like this one
doesn't support PPTP with PAT (to my knowledge).  Even a Linux firewall supports
PPTP over PAT.
I feel like I am hitting a brick wall here.  Please help.
Eric

Chuck Church wrote:
Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC, same
port. At one time I thought it needed GRE, but I don't see it listed on
that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: "Neil Moore" 
To: "eric nguyen" ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


> Its all broken... I will give you 500 bux for that pix ..no problem!
> 
> Neil Moore CCIE#10044
> - Original Message -
> From: "eric nguyen" 
> To: ; 
> Sent: Friday, December 20, 2002 4:47 PM
> Subject: problem with initiating PPTP connection behind a Pix Firewall via
> PAT
>
>
> > I just replaced my home linux "iptables" firewall with a "franken" pix firewall
> > (700MHz CPU/512MB RAM/16MBFlash) running version 6.2(2) with PDM 2.1(1).
> > My internal network is 172.16.1.0/24 and the "inside" interface of the firewall is
> > 172.16.1.254. The "outside" interface of the firewall is 4.64.1.100. I also have
> > a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254. Machines
> > on both the "inside" and "dmz" access the Internet via Port Address Translation
> > (PAT) to the "outside" interface and it seems to work OK. On the "inside" network,
> > I have a Websense filter server (IP 172.16.1.2) to do url filtering for both the "inside"
> > and "outside" interface. I use Websense server to filter out traffic that I don't want
> > my children to see. Everything is working great with a minor exception:
> > I need to make a PPTP connection from a laptop on the "inside" network (IP
> > 172.16.1.100) to a PPTP server at my work place. The problem is that the
> > connection keeps timing out. The connection times out at the "verify username and
> > password". To make sure that this is not a problem with my laptop, I hook my
> > laptop directly to the cable modem (I have roadrunner). Since my laptop has a valid
> > external IP address, PPTP works. If I place the laptop on the "inside" network
> > behind the "franken" pix, PPTP doesn't work. I even make the firewall "wide-open" for
> > both inbound and outbound and it still doesn't work. Now if I replace the "franken"
> > pix firewall with a linux firewall, PPTP works just fine through IP masquerading which
> > is equivalent to PAT.
> >
> > My question is this: has anyone been able to successfully initiate a PPTP
> > from behind a Pix firewall via Port Address Translation (PAT)? Does it even work
> > at all with PAT? I am starting to have serious doubts about the Cisco Pix firewall. It cost
> > me $500 to build this "franken" pix firewall. With the CPU, memory and flash, this
> > "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it can
> > not even do a simple thing like allowing PPTP through PAT. My linux firewall is
> > running on a Pentium 90Mhz with 64MB of RAM and PPTP works just fine, and it
> > costs me $20 for that old system.
> > I think PPTP will work with static NAT but I don't have an extra public IP to spare.
> > If anyone has PPTP working through PAT, please reply. Thanks.
> >
> > Eric.
> >
> > Here is my Pix configuration
> >
> > HERNDON-PIX# wr t
> > Building configuration...
> > : Saved
> > :
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 dmz security99
> > nameif ethernet3 dmz2 security98
> > enable password * encrypted
> > passwd * encrypted
> >
> > hostname HOME-PIX
> > domain-name home.com
> >
> > clock timezone est -5
> > clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
> >
> > fixup protocol ftp 21
> > fixup protocol http 80
> >

Re: problem with initiating PPTP connection behind [7:59662]

2002-12-21 Thread Michael Shavrov
Eric,

According to Cisco's recommendations you should do the following steps:

1. Create a static address translation for your laptop:
static (inside,outside)  
netmask 255.255.255.255 0 0

2. Configure an access-list to permit GRE (you have it enabled for ALLALL,
but it may be a better idea to permit it only for specific hosts):
access-list acl-out permit gre host  host


3. Apply the access-list to the interface (you have this done).
 access-group acl-out in interface outside

So, all you need to do is create a static NAT translation for your laptop.

Good luck,

Michael Shavrov



- Original Message -
From: "eric nguyen" 
To: ; 
Sent: Friday, December 20, 2002 4:47 PM
Subject: problem with initiating PPTP connection behind a Pix Firewall via
PAT


> I just replaced my home linux "iptables" firewall with a "franken" pix firewall
> (700MHz CPU/512MB RAM/16MBFlash)  running version 6.2(2) with PDM 2.1(1).
> My internal network is 172.16.1.0/24 and the "inside" interface of the firewall is
> 172.16.1.254.  The "outside" interface of the firewall is 4.64.1.100.  I also have
> a "dmz" 172.17.1.0/24 network with the Pix interface IP of 172.17.1.254. Machines
> on both the "inside" and "dmz" access the Internet via Port Address Translation
> (PAT) to the "outside" interface and it seems to work OK.  On the "inside" network,
> I have a Websense filter server (IP 172.16.1.2) to do url filtering for both the "inside"
> and "outside" interface.  I use Websense server to filter out traffic that I don't want
> my children to see.  Everything is working great with a minor exception:
> I need to make a PPTP connection from a laptop on the "inside" network (IP
> 172.16.1.100) to a PPTP server at my work place.  The problem is that the
> connection keeps timing out.  The connection times out at the "verify username and
> password".  To make sure that this is not a problem with my laptop, I hook my
> laptop directly to the cable modem (I have roadrunner).  Since my laptop has a valid
> external IP address, PPTP works.  If I place the laptop on the "inside" network
> behind the "franken" pix, PPTP doesn't work. I even make the firewall "wide-open" for
> both inbound and outbound and it still doesn't work.  Now if I replace the "franken"
> pix firewall with a linux firewall, PPTP works just fine through IP masquerading which
> is equivalent to PAT.
>
> My question is this:  has anyone been able to successfully initiate a PPTP
> from behind a Pix firewall via Port Address Translation (PAT)?  Does it even work
> at all with PAT?  I am starting to have serious doubts about the Cisco Pix firewall.  It cost
> me $500 to build this "franken" pix firewall.  With the CPU, memory and flash, this
> "franken" pix is equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it can
> not even do a simple thing like allowing PPTP through PAT.  My linux firewall is
> running on a Pentium 90Mhz with 64MB of RAM and PPTP works just fine, and it
> costs me $20 for that old system.
> I think PPTP will work with static NAT but I don't have an extra public IP to spare.
> If anyone has PPTP working through PAT, please reply.  Thanks.
>
> Eric.
>
> Here is my Pix configuration
>
> HERNDON-PIX# wr t
> Building configuration...
> : Saved
> :
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security99
> nameif ethernet3 dmz2 security98
> enable password * encrypted
> passwd * encrypted
>
> hostname HOME-PIX
> domain-name home.com
>
> clock timezone est -5
> clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
>
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
>
> names
>
> access-list compiled
> access-list 100 permit icmp any any
> access-list 100 permit ip any any
> access-list 100 permit gre any any
>
> access-list 101 permit ip any any
> access-list 101 permit icmp any any
> access-list 101 permit gre any any
>
> access-list 200 permit ip any any
> access-list 200 permit icmp any any
> access-list 200 permit gre any any
>
> pager lines 24
>
> logging on
> logging timestamp
> logging monitor debugging
> logging trap notifications
> logging facility 23
> logging queue 1024
> logging host inside 172.16.1.2
>
> interface ethernet0 auto
> interface ethernet1 100full
> interface ethernet2 100full
> interface ethernet3 100full shutdown
>
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu dmz2 1500
> ip address outside 4.64.1.100 255.255.252.0
> ip address inside 172.16.1.254 255.255.255.0
> ip address dmz 172.17.1.254 255.255.255.0
> ip address dmz2 127.0.0.1 255.255.255.255
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> ip audit name inside-attack 

Re: Fwd: RE: CCIE Vs. BS or MS dergree [7:59481]

2002-12-21 Thread Kevin O'Gilvie
Thank you Howard for laying the foundation for us to grow on.

-Kevin
- Original Message -
From: "Howard C. Berkowitz" 
To: 
Sent: Friday, December 20, 2002 10:22 AM
Subject: Re: Fwd: RE: CCIE Vs. BS or MS dergree [7:59481]


> At 1:37 PM + 12/20/02, Mr piyush shah wrote:
> >Dear friends
> >It has been quite long that I have been hearing
> >whether CCIE is superior or MS. I think it is high
> >time we should wrap the topic. I don't understand
> >what this forum is for? It should be purely
> >technical. For a typical type of question like
> >this, there are responses which last for weeks but
> >there are some questions for which nobody seems to be
> >bothered?
> >There was a question which was thrown on this on
> >TACACS ACS, whether what could be the issue that I am
> >able to authenticate and not authorise; not a
> >single person on this site bothered to answer, not
> >even Priscilla.
>
> Let's consider whether people "bother to respond."  First, remember
> that everyone who does so is volunteering their time. They are not a
> substitute for the TAC or reference materials.  Have you considered
> that at the time you asked the question, Priscilla might be on
> vacation, another expert has limited list access while on business
> travel (perhaps behind a strict firewall), and two others are trying
> to finish projects for which they are paid?
>
> The latter might scan the list, but not have 10-30 minutes to write a
> post. Indeed, many of those experts do not have the answer memorized,
> but would have to look it up -- admittedly much faster than would a
> beginner.
>
> >Which sounds to be very strange. There are so many
> >people who are new to networking tech, hence come with
> >some query which might be stupid to some of our
> >colleagues but please ensure that you were also like them
> >during your initial phase,
>
> The following is not meant to be a put-down, but a reality of how
> some people started in networking technology.  I was first
> responsible for a network in 1970, using Bell 100 series modems (300
> bps) to a PDP-11 running critical medical applications. Most links
> were acoustically coupled dialups, but we did have a few dedicated
> lines (again at 300 bps).
>
> With about 10 user ports on the machine, we sometimes just ran out.
> Since one of the dedicated lines was only needed for backups at
> night, and another for reporting, I realized I could switch them to
> dialup during the day.
>
> There was no Black Box Catalog or the like.  I needed to get a copy
> of RS-232 and learn the wiring, decide how many pins I had to switch,
> go to the electronics store and get an appropriate rotary switch and
> other components, and physically build the box, soldering the wires
> to the switch.
>
> I made some incorrect assumptions the first time, and had to use
> electronic test instruments to find what I had done wrong -- it
> turned out I wasn't clear about the functions of the Pin 1 and Pin 7
> grounds.
>
> At the same time all of this was going on, I was the head of software
> development for the medical applications, so needed to both design,
> write, and manage development, as well as researching expert system
> rules for blood banking and clinical chemistry.
>
> So no, not everyone had the luxury of a list or even colleagues.
>
> >hence try to rectify the
> >query rather than spending your precious time on
> >stupid questions like "ccie is superior or MS, what
> >is the salary of CCIE?"
>
> And I will be perfectly honest.  Sometimes, I may be in a hurry when
> reading the list, and there's a "stupid question" that I can answer
> from personal experience.  Even when I answer a technical question
> with which I am very familiar, I often check the documentation --
> Cisco or IETF -- to be sure I'm referring to the right document.  On
> another list, for example, there was a DNS question.  I knew the
> answer was in RFC 1033, 1034, or 1035, but wasn't sure which, and
> didn't have time to look it up.  I cited the three documents, and
> said I _thought_ it was 1034.  Looking it up later, it was 1035.
>
> >I hope the message is clear to everybody
> >Regards
> >
> >PIYUSH
> >
> >
> >
> >
> >Note: forwarded message attached.
> >
> >

CCIE Lab Study Materials - including 3550 labs [7:59683]

2002-12-21 Thread The Long and Winding Road
Appears to be freely available. At least, I found the link after a google
search on "Bruce Caslow", found a link to the study site, and was able to
download these with no problems. Authored by the good folks at netmasters /
netcraftsmen, some of whom we know as Caslow, Pavlichenko, and Inghram, good
folks all.

http://www.netmasterclass.net/site/lib.php

Also - don't forget the for-profit folks - NLI / b.o.o.t.c.a.m.p, Lamer
Networks, various auctions on you know where, IP Expert, Hello Computers,
Gett Labs, and of course Cert Zone, where my own materials for which I was
paid are available.

Don't forget to take some time for yourselves and for your families and
friends these next couple of weeks!

Chuck
--
TANSTAAFL
"there ain't no such thing as a free lunch"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59683&t=59683
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: campus LAN design w/DHCP server [7:59578]

2002-12-21 Thread s vermill
Priscilla,

I haven’t forsaken you (yet).  But here’s the deal:  

My 2610 only has 24M of memory.  I ignored the recommendation for at least
40M to run 12.1 IP Plus only to meet with disastrous results.  I need IP
Plus on this old clunker to enable dot1q (and I’m pretty sure at least 12.1
also).  So...I found what appears to be a 2620 in one of our labs.  There’s
a 2900XL nearby.  I suspect I can fire the two up and get ‘em going. 
However, the only module in the 2900 uplink slot is GigE.  So does anyone
know if I can configure one of the 24 access ports to trunk?  I have minimal
experience with the 2900XL and that was over a year ago.

The real problem is that I don’t have any servers in that lab at the
moment.  Does anyone know of a simple stand-alone DHCP application that will
run on a Windows machine?  If not, the best I can do at the moment using a
2600 would be to put a sniffer on 192.168.1.0 and a client on 192.168.2.0. 
The captured DHCP client requests should show whether or not the pertinent
subinterface address is being plugged into giaddr.
 
Regards,

Scott   



s vermill wrote:
> 
> Priscilla,
> 
> I'm sure someone can verify this with a 2600 specifically.  As
> far as DHCP in general, yes.  We just did this with a much
> larger 6509-based network.  No problems.  The only difference,
> of course, is that the MSFC has virtual router interfaces per
> VLAN - not subinterfaces on a router on a stick.  Can't see why
> DHCP itself would know or care.  But I guess you can't know for
> sure what that subinterface on the 2600 will do until someone
> specifically verifies it.  If you don't get such a response,
> I've got a 2600 laying around at the moment.  I'll dig up a
> switch, set up a DHCP server, and mock 'er up for ya.  Won't
> take long at all.
> 
> Regards,
> 
> Scott
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59684&t=59578



QOS via ACL on the 3550 ?? [7:59680]

2002-12-21 Thread Cisco Nuts
Hello,
Now that I've finally got my hands on 2 3550's, I am diving straight into the
QOS section (the one I fear the most in the Lab), had a question on
classifying traffic via acl. On CCO, I see the following examples:

mls qos
access-list 100 permit ip any any dscp 32
access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5
access-list 102 permit pim any 224.0.0.2 dscp

Question is: Once you created these acl's, do you have to apply it to an
interface like on a router? I don't see any except when it is created for
applying it under a class-map. Please advise.
Thank you.
Sincerely,
CN







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59680&t=59680



RE: New to vlans...HELP [7:59655]

2002-12-21 Thread s vermill
Me Morpheus wrote:
> 
> Hello.  I am new to the list and glad I found it.  I am just
> starting out with vlans and I need some clarification.  Can
> someone clarify the following statement:
> 
> I have the following layout:
> 
> I have 1 DSLAM with 2 ethernet ports (UPLINK and MNGT) that are
> both going into a Cisco 2650 switch.  The switch is supposed to
> have 2 vlans, (A and B). I also have a server that is connected
> to this switch.  The requirement that was told to me was that
> the port connected to the server must be a member of both VLANs
> and traffic sent from this port must be tagged (for both
> vlans).  The port connected to the UPLINK port must be an
> untagged member of one of the VLANs.  The port connected to the
> MGMT port must be an untagged member of the other VLAN.
> 
> I am interested to know about what it means to have a port be
> part of an untagged vlan and what it means to have traffic
> coming in from a port be tagged for both vlans?

Essentially you're dealing with the difference between access ports and
trunk ports.  An access port is what you would typically connect a PC to. 
No VLAN tags are appended onto or inserted into the layer 2 frames.  A trunk
port would typically be found between switches or between a switch and a
router.  VLAN tags are used to differentiate the traffic.  Having said all
of that, some NICs are dot1q enabled.  That must be the case where your
server is concerned.

> 
> Can someone answer these questions and preferably post an
> example that would show me what it means?

I can't think of any example that would be more illustrative than your own
above.  VLANs aren't terribly difficult once you get the basics.  But
keeping in mind where the traffic jumps layers will be critical when you
start dealing with a lot of layer 2 / layer 3 boxes.

> 
> Thanks.
> 
> Dave
> 
> 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59685&t=59655

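An added model of Dave's three ports (my own code, not the switch's), to make the tagged/untagged distinction in Scott's answer concrete on the wire: the server port is a tagged member of both VLANs, the DSLAM UPLINK and MGMT ports are untagged members of one VLAN each. The VLAN IDs 10 and 20, the port names and the sample frame are constructed.

```python
"""Constructed model of a switch with access (untagged) and trunk (tagged)
port membership, flooding within a VLAN. It shows where the 802.1Q tag is
inserted or stripped and why an untagged frame on a tagged-only port goes
nowhere."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100
VLAN_A, VLAN_B = 10, 20          # VLAN IDs are constructed


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination/source MAC pair."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vid, frame without the tag), or (None, frame) if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


@dataclass(frozen=True)
class Port:
    name: str
    untagged_vlan: Optional[int]                 # PVID for frames arriving without a tag
    tagged_vlans: FrozenSet[int] = frozenset()   # VLANs carried with a tag (trunk membership)


class Switch:
    """Flooding-only switch (no MAC learning): enough to show VLAN isolation
    and where tags are added or stripped."""

    def __init__(self, ports) -> None:
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def ingress(self, port_name: str, frame: bytes) -> Tuple[Optional[int], bytes]:
        """Classify an arriving frame: a tag the port is a member of wins,
        otherwise the PVID; anything else is dropped (vid None)."""
        port = self.ports[port_name]
        vid, payload = untag_frame(frame)
        if vid is None:
            return port.untagged_vlan, payload
        if vid in port.tagged_vlans:
            return vid, payload
        return None, payload

    def egress(self, port_name: str, vid: int, payload: bytes) -> Optional[bytes]:
        """Untagged members get the bare frame, tagged members get it tagged."""
        port = self.ports[port_name]
        if vid == port.untagged_vlan:
            return payload
        if vid in port.tagged_vlans:
            return tag_frame(payload, vid)
        return None

    def forward(self, in_port: str, frame: bytes) -> Dict[str, bytes]:
        vid, payload = self.ingress(in_port, frame)
        if vid is None:
            return {}
        out: Dict[str, bytes] = {}
        for name in self.ports:
            if name != in_port:
                egress = self.egress(name, vid, payload)
                if egress is not None:
                    out[name] = egress
        return out


def daves_switch() -> Switch:
    return Switch([
        Port("server", None, frozenset({VLAN_A, VLAN_B})),   # tagged for both VLANs
        Port("uplink", VLAN_A),                              # untagged member of A
        Port("mgmt", VLAN_B),                                # untagged member of B
    ])


if __name__ == "__main__":
    sw = daves_switch()
    frame = bytes.fromhex("ffffffffffff0011223344550800") + b"payload"   # constructed
    print(sw.forward("uplink", frame))                     # server gets it tagged VID 10
    print(sw.forward("server", tag_frame(frame, VLAN_B)))  # only mgmt, untagged
    print(sw.forward("server", frame))                     # no PVID on server port: dropped
```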


Re: campus LAN design w/DHCP server [7:59646]

2002-12-21 Thread Jeff Kell
Priscilla Oppenheimer wrote:
> 
> It's a fast Ethernet trunk, actually. I forgot to mention that. He does
have
> some internal servers. Do you think in and out of a Fast Ethernet trunk
will
> be less of a problem?

The 2600 might be.

> He had a broadcast meltdown last week. Perhaps that's why he's concerned.
He
> was using ghosting software.

Symantec Ghost will kill a 2600, 4500, and RSP1 by itself if it is 
multicasting (which it should be, not broadcasting) and you are doing
multicast routing (pim-sparse or pim-dense) and sometimes even when 
you disable MR.  I know this from the school of hard knocks - you will 
have CPU starvation with a 100Mbps-capable LAN (maybe not at 10Mb, but
then you would saturate the net).  A 7200/NPE-300 can handle it nicely.

DHCP isn't much of a problem, but when you enable the ip helper-address
be sure to selectively disable (no ip forward-protocol) everything else
you don't need (DNS, TFTP, NetBIOS, etc).

Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59678&t=59646



RE: campus LAN design w/DHCP server [7:59664]

2002-12-21 Thread Chuck Church
Hey Priscilla,

I feel about 10 times better knowing it's a fast ethernet  :)  If
there's any way to localize the traffic, such as putting department X's
clients and servers on vlan 100, and department Y's clients/servers on the
other, it'd be optimal.  But even if you can't, it should run pretty well.
Worst comes to worst, they could always buy a 3550 and have that route
between VLANs at like light speed.  Which ghosting software is the client
using?  I thought that Ghost itself used multicast and was IGMP aware.

Chuck Church
CCIE #8776, MCNE, MCSE


>
> It's a fast Ethernet trunk, actually. I forgot to mention that. He does
> have some internal servers. Do you think in and out of a Fast Ethernet
> trunk will be less of a problem?
>
> You know my first reaction was also just move the subnet mask over. But he
> didn't seem to want to do that.
>
> He had a broadcast meltdown last week. Perhaps that's why he's concerned.
> He was using ghosting software.
>
> Thanks for the input!
>
> Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59664&t=59664



RE: Routers multicast address 224.0.0.2 [7:59666]

2002-12-21 Thread Chuck Church
HSRP uses 224.0.0.2, UDP port 1985.  Any ACLs blocking this?  Is IGMP
snooping enabled all places between the two routers?  Check out:
http://www.cisco.com/en/US/tech/tk648/tk365/technologies_q_and_a_item09186a00800a9679.shtml
for more info.  Also, check the switch's multicast forwarding tables.
HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


>
> Mohannad Khuffash wrote:
> >
> > Hi ...
> >
> > I have tried to configure HSRP on two 3660 routers, I configured them
> > straight forward where only a little commands needed. But HSRP don't
> > worked well ! The reason simply was that they are not seeing the HSRP
> > hello messages so every one act as the active one ! When I checked the
> > problem more, I discovered that both of them are not seeing the
> > 224.0.0.2 messages by using the SHOW IP INTERFACE command where none of
> > the interfaces of the two routers are joined for this multicast group !
> > My question now is how I can make them joined to 224.0.0.2 which should
> > be the default configuration ? Or may be I'm wrong in my investigation ?!
> >
> > Thanks for your help
> >
> > --
> > Mohannad  Khuffash




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59666&t=59666
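The symptom in the question (both routers Active because neither hears the other's hellos) can be confirmed from a packet capture on the shared segment rather than from router state alone. The following is an added example for this thread, not code from Chuck Church or Mohannad Khuffash: it decodes HSRPv1 hellos on 224.0.0.2 / UDP 1985 using the RFC 2281 layout, reports any group with more than one Active router, and flags hellos that still carry the protocol's default authentication string. The addresses and the two sample hellos are constructed.

```python
"""Parse HSRPv1 hellos and spot a group where no router hears its peer.

Added example for this thread, not code from Chuck Church or Mohannad
Khuffash. The packet layout follows RFC 2281; all addresses and the two
sample hellos below are constructed.
"""
import struct

HSRP_GROUP_ADDR = "224.0.0.2"   # all-routers multicast group HSRPv1 uses
HSRP_PORT = 1985                # UDP port for HSRP
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak",
          8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"         # RFC 2281 default authentication string


def parse_hsrp(payload):
    """Decode the 20-byte HSRPv1 header carried in the UDP payload."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 packet is at least 20 bytes")
    fields = struct.unpack("!8B8s4s", payload[:20])
    version, opcode, state, hellotime, holdtime, priority, group, _ = fields[:8]
    auth, vip = fields[8], fields[9]
    if version != 0:
        raise ValueError("only HSRPv1 (version 0) is handled here")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime, "holdtime": holdtime,
        "priority": priority, "group": group,
        "auth": auth.rstrip(b"\x00"),
        "virtual_ip": ".".join(str(b) for b in vip),
    }


def diagnose(observations):
    """observations: (src_ip, dst_ip, dst_port, udp_payload) tuples captured
    on the shared segment. Returns a list of human-readable findings."""
    findings = []
    active_by_group = {}
    for src, dst, port, payload in observations:
        if dst != HSRP_GROUP_ADDR or port != HSRP_PORT:
            findings.append(f"{src}: {dst}:{port} is not HSRPv1, skipped")
            continue
        pkt = parse_hsrp(payload)
        if pkt["opcode"] == "hello" and pkt["state"] == "active":
            active_by_group.setdefault(pkt["group"], set()).add(src)
        if pkt["auth"] == DEFAULT_AUTH:
            findings.append(f"{src}: group {pkt['group']} uses the default "
                            "authentication string")
    for group, actives in sorted(active_by_group.items()):
        if len(actives) > 1:
            findings.append(f"group {group}: {len(actives)} routers are Active "
                            f"({', '.join(sorted(actives))}); their hellos are "
                            "not reaching each other")
    return findings


# Constructed sample: two hellos, both claiming Active for group 1.
# Layout: version, opcode, state, hellotime, holdtime, priority, group,
# reserved, 8-byte auth, 4-byte virtual IP.
HELLO_A = (b"\x00\x00\x10\x03\x0a\x64\x01\x00"    # v0 hello, active, prio 100
           + b"cisco\x00\x00\x00" + b"\x0a\x00\x00\x01")
HELLO_B = (b"\x00\x00\x10\x03\x0a\x6e\x01\x00"    # v0 hello, active, prio 110
           + b"cisco\x00\x00\x00" + b"\x0a\x00\x00\x01")
SAMPLE_CAPTURE = [
    ("10.0.0.2", HSRP_GROUP_ADDR, HSRP_PORT, HELLO_A),
    ("10.0.0.3", HSRP_GROUP_ADDR, HSRP_PORT, HELLO_B),
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_CAPTURE):
        print(line)
```

If the capture on the segment shows both hellos but each router still reports itself Active, the hellos are leaving the routers and being dropped in between (the ACL or IGMP snooping suspects Chuck names); if only one router's hellos appear, the fault is on the silent side.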



RE: 7200 Router Questions... [7:59645]

2002-12-21 Thread Edward Sohn
thanks.

it seems that the NSE-1 is made for service providers (according to the
link you sent me).  is there a way to determine if i need one?  or even
an NPE, for that matter?

thanks,

ed

-Original Message-
From: Reinhold Fischer [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 20, 2002 1:32 PM
To: Edward Sohn
Cc: [EMAIL PROTECTED]
Subject: Re: 7200 Router Questions... [7:59645]


Ed, all,

1. no clue. probably the usual marketing crap. 

2. NPE has a single cpu that performs all the tasks. 
   NSE has a PXF 'coprocessor' that can offload some tasks from the 
   main CPU and therefore it could perform better in some cases.

   see: http://www.cisco.com/warp/public/cc/pd/ifaa/prossor/nse1/

   There were a couple of issues as the NSEs came out. But in the
   meantime they should run quite well.

3. The actual NPE/NSE models do not work in non-VXR routers.
   VXR-Models have a better/faster backplane. 

   see: http://www.cisco.com/en/US/products/hw/routers/ps341/ps348/

   non-VXR 720x routers are end of sale ...

hth,

Reinhold

On Fri, Dec 20, 2002 at 07:16:57PM +, Edward Sohn wrote:
> Can anyone help me answer a few questions regarding this series
> router?
> 
> 1.  The spec sheet says it performs multiprotocol routing over ipsec.
> My question is: how?  Is there some inherent technology that performs
> this feature, or is it the IOS's ability to create a GRE over an IPSEC
> tunnel?
> 2.  What are the main differences between the NPE's and NSE's?
> I can't decide which processor I need.
> 3.  What's the difference between the VXR models and the "normal"
> models?
> 
> That's it, for starters...any help would be greatly appreciated.
> 
> Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59660&t=59645



RE: 7200 Router Questions... [7:59645]

2002-12-21 Thread Edward Sohn
thanks for the info.

have you or anyone else any idea what configuration it takes for a 7200
router to be comparable in performance to a PIX 515 when it comes to a
site-to-site VPN?  for example, would a 7204VXR by itself be enough
(over more than enough, for that matter) to meet the packet throughput
performance of a PIX 515 on a 3DES ipsec tunnel set up site-to-site?  i
can't seem to find pps performance specs for the 7200 series...

thanks,

ed

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 20, 2002 1:46 PM
To: Edward Sohn
Cc: [EMAIL PROTECTED]
Subject: Re: 7200 Router Questions... [7:59645]




Edward Sohn wrote:
> Can anyone help me answer a few questions regarding this series
> router?
> 
> 1.  The spec sheet says it performs multiprotocol routing over ipsec.
> My question is: how?  Is there some inherent technology that performs
> this feature, or is it the IOS's ability to create a GRE over an IPSEC
> tunnel?
> 2.  What are the main differences between the NPE's and NSE's?
> I can't decide which processor I need.

   The primary difference is that the NSE is only supported in the
7200VXR and incorporates the PXF processor for accelerated packet
switching.

> 3.  What's the difference between the VXR models and the "normal" 
> models?

   To get VXR performance you must use at least a NPE300 and you get a 
MIX backplane, good for voice stuff.  Also the VXR gives you increased 
backplane bandwidth capabilities.

   With the new NPE-1G you no longer have any bandwidth point
limitations!

   Dave

> 
> That's it, for starters...any help would be greatly appreciated.
> 
> Ed
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59661&t=59645



Re: Off Topic but interesting - R&S networking future? [7:59657]

2002-12-21 Thread Dain Deutschman
I agree...technology is converging more and more...you need to know r/s,
security, unix, voip, databases, programming, etc.
Besides...why would one want to limit oneself only to R/S?

--
Dain Deutschman
CCNA, CSS-1, MCP, CNA
Data Communications Manager
New Star Sales and Service, Inc.
800.261.0475
""nrf""  wrote in message
news:[EMAIL PROTECTED]...
> > Definitely.  Janitors now use vacuum-cleaners as well as brooms.
> > Telephone operators now use keyboards, not patchcords.  Networkers will
> > need to know more than just layers 2 and 3.  But there will be a
> > continued demand for R/S as part of the networkers job.
>
> I think you just said the key word right there, the word "part" - it will
> just be part of a job.  Not like today or the recent past where R/S was a
> job all in itself.
>
>
> >
> > Another point is that bandwidth is not necessarily cheap all over the
> > world, Europe is more expensive than the US, and Asia even worse, so
> > engineering is required, in fact surely "traffic engineering" is all the
> > rage at the moment.
>
> Europe may be more expensive than the US, but European providers still
> have far too much bandwidth than the market demands. After all, look at
> what happened to KPNQwest.
>
> Actually I find traffic-engineering to be of little importance in today's
> market as a whole, except in certain pockets like in Asia.   Most
> providers in the world just shrug their shoulders at traffic-engineering.
>
> >
> > I guess what I want to say is that when an economy is booming, people
> > unrealistically believe it's forever and they will be millionaires by
> > next June.  Conversely when the economy is in a trough then people get
> > gloomy and believe that they'll never pay off their credit card bills.
> > Neither view is realistic.  R/S is not dead, it's sleeping and will wake
> > up.  Granted there will not be the insane rush into network builds that
> > we saw a few years ago but the wireless boom is around the corner
>
> Is that the same wireless boom that has basically bankrupted every
> European telco?
>
> >
> > rgds
> > Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59657&t=59657



Very Strange Problem....Any Ideas? [7:59682]

2002-12-21 Thread Craig Columbus
I worked on a network move for a brokerage company last week and 
encountered a VERY strange problem.

We moved a bunch of equipment to a new office building.  During the 
process, we changed the internal network from 192.168.100.0/24 to 
172.31.4.0/22.
The company has 4 Cisco 3500XL 48 port switches, with no VLANs and plain 
vanilla configurations.  The fanciest thing is portfast on the client 
machine ports.
Switches are linked via GBICs in a cascade.  There is one client maintained 
router that sits before the firewall with only static routes and no routing 
protocols.
There are multiple outside vendor routers for specific applications 
(real-time quotes, clearinghouse mainframe, etc.), but these too also have 
only static routes and no routing protocols.

After installing all of the network equipment and servers, we started to 
turn on clients and get new DHCP addresses.  Since the new network was 
172.31.4.0/22, 172.31.4.1 - 172.31.4.255 was reserved for servers, 
printers, switches, and routers.  The remaining 172.31.5.0 - 172.31.7.254 
was reserved for clients...though there are only about 100 clients at the 
moment and thus they only took 5.0 - 5.100 or so in DHCP.

After installing maybe 20 clients or so, we started to see mass slowdowns 
on the network.  Pings between clients and servers were very irregular and 
intermittent.  There was no discernable pattern to when pings would succeed 
and when they'd fail.  We exhaustively went through all devices and made 
sure that they'd been correctly set to the new mask and that all server 
functions (DNS, WINS, AD, etc.) had been correctly setup for the new 
subnet.  Everything looked fine.  In an effort to troubleshoot, we unhooked 
the switch stack and put core servers and a few clients on a single 
switch.  Again, communication was irregular and unpredictable, whether with 
static or DHCP addresses on the clients.  Sometimes things would be fine, 
other times clients could ping the server, but not the switch to which they 
were attached.  Sometimes clients could ping the switch, but not the 
server.  Sometimes the clients could ping neither.  Again, there seemed to 
be no pattern.  Thinking there might have been some IOS bug, we erased 
nvram, upgraded the switches to current IOS code, and put in a completely 
plain configuration.  This had no effect on the problem.

After 4 of us (with probably 50 years of industry experience between us) 
spent 15 hours or so trying to resolve the issue, I finally suggested we 
try moving the clients from the 172.31.5.x/22 block to the 172.31.4.x/22 
block.  This solved all problems, and all clients were able to ping both 
switches and servers 100% of the time.  Again, we didn't change the mask on 
anything, only the third octet of the client ip range.  We then went back 
and triple checked every device attached to the network...servers, 
routers, switches, printers, clients, etc.  Every single device had the 
correct mask (/22) except for two vendor maintained UNIX boxes...they had 
172.31.4.x/24.  We suspected as much earlier since clients couldn't 
communicate with the UNIX boxes from the beginning, but the other servers 
could communicate with the UNIX boxes without issue.  These UNIX servers 
weren't running RIP(or any other RP)...and besides, there aren't any other 
network devices listening for RIP...so we weren't really concerned about 
them causing the network connectivity issues.  At the time, I couldn't see 
how a bad mask on these boxes could effectively make the whole network 
unusable, so I didn't bother correcting it early in the day.

At this point, I've had a week to think about the issue and I still don't 
have a logical reason for why this problem might have occurred.  Anyone out 
there have any thoughts?
I'm going back to put in a 3550EMI as the core in a couple of weeks.  At 
that point, we're going to investigate more and try to move the clients 
back to the 172.31.5.x range.  I'd like to test theories at that time if 
anyone can put one forward that we didn't already test...as I said, we 
spent a lot of time on this and I didn't put every test we did in this 
email.  All I can offer is that it wasn't IOS code (we tried more than one 
version), it wasn't the switches (we tried several, including non-Cisco), 
it wasn't DNS, WINS, DHCP, or any other server side issue (we thoroughly 
examined and ruled those out...besides, this was even happening at the IP 
level between switches).  Everything had worked correctly at the old 
building...the only two things that changed significantly during the move 
were the IP range and the building wiring.  AND, the wiring in the new 
building was brand new Cat6...I even dug out the WireScope and verified 
that the drops passed spec.

Thanks!
Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59682&t=59682
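The one concrete mismatch Craig found was two UNIX boxes on 172.31.4.x/24 in a /22 network. The following added example (written for this archive, not Craig's own code) shows what that mismatch does to the on-link decision each host makes: a /22 client in 172.31.5.x treats the UNIX box as a neighbour and ARPs for it, while the /24 UNIX box treats that client as off-subnet and sends its reply to a gateway; move the client into 172.31.4.x and both sides agree. It also audits a constructed host inventory for prefix-length outliers. It models only the on-link decision; whether the gateway then gets the reply back depends on details the post does not give.

```python
"""Show how a /24 host and a /22 host disagree about what is on-link.

Added example for this thread, not code from Craig's post. The addresses
follow the ranges described in the post; the host inventory is a
constructed sample, not the real site.
"""
import ipaddress
from collections import Counter


def next_hop_decision(host_ip, prefix_len, destination):
    """'direct' if the host treats destination as on its own subnet (it will ARP
    for it), 'gateway' if it hands the packet to its default gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    return "direct" if ipaddress.ip_address(destination) in iface.network else "gateway"


def mutual_decisions(host_a, host_b):
    """host_a/host_b are (ip, prefix_len). Returns (a's decision about b,
    b's decision about a); a mismatch means the two directions take
    different paths, which is exactly the /24-vs-/22 case in the post."""
    return (next_hop_decision(host_a[0], host_a[1], host_b[0]),
            next_hop_decision(host_b[0], host_b[1], host_a[0]))


def disagreements(host_a, host_b, destinations):
    """Destinations on which the two hosts' on-link decisions differ."""
    result = {}
    for dest in destinations:
        a = next_hop_decision(host_a[0], host_a[1], dest)
        b = next_hop_decision(host_b[0], host_b[1], dest)
        if a != b:
            result[dest] = (a, b)
    return result


def mask_outliers(inventory):
    """inventory: (name, ip, prefix_len) tuples. Returns the names whose prefix
    length differs from the most common one, i.e. the boxes to re-check first
    after a renumbering."""
    common = Counter(prefix for _, _, prefix in inventory).most_common(1)[0][0]
    return [name for name, _, prefix in inventory if prefix != common]


# Constructed sample inventory laid out in the post's address plan.
INVENTORY = [
    ("dc1", "172.31.4.10", 22), ("printer1", "172.31.4.40", 22),
    ("unix1", "172.31.4.50", 24), ("unix2", "172.31.4.51", 24),
    ("client-a", "172.31.5.10", 22), ("client-b", "172.31.4.200", 22),
]

if __name__ == "__main__":
    unix1 = ("172.31.4.50", 24)
    print("client in 172.31.5.x:", mutual_decisions(("172.31.5.10", 22), unix1))
    print("client in 172.31.4.x:", mutual_decisions(("172.31.4.200", 22), unix1))
    print("outliers:", mask_outliers(INVENTORY))
```

Run as written it prints `('direct', 'gateway')` for the 172.31.5.x client and `('direct', 'direct')` for the 172.31.4.x one, which matches the two outcomes Craig observed for the UNIX boxes.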

Re: Terminate a session [7:59656]

2002-12-21 Thread Steve Dispensa
On Fri, 2002-12-20 at 16:01, John McCartney wrote:
> I'm looking for the definitive answer on who can terminate a session in
> IP/IPX/Appletalk networks. 

[my apologies for the long-winded reply]

Well... it depends.  In the strictest sense, all of the protocols you
mentioned are connectionless, so there's nothing to break.  Any state
added is added at the transport layer immediately above.  In the case of
IP, the connection-oriented general-purpose transport layer protocol is
TCP.

Narrowing it down to TCP/IP (because I have mostly forgotten about
session-related stuff on top of appletalk and ipx and it's too late to
look it up ;)...  TCP is connection-oriented.  Only one side can
initiate a connection (duh) but either side can break it.  There are
several ways.  Each application protocol defines the way connections are
broken if they spec a connection-oriented transport.  Also, TCP can break
its own connections.

In one common scenario, the client will connect, do its thing, and
initiate the disconnect.  This is the way protocols such as SMTP, POP3,
TELNET, SSH, and most others work.  The "I'm ready to close" signal gets
sent from client to server.

In one notable exception to this practice, HTTP is often handled
differently.  The client connects to the server, and the server, after
sending back the full response, initiates the disconnection.  Also, in a
slight warping of the terms client and server, FTP servers close data
connections.

Also, TCP can close its own connections by sending a RST packet to the
peer.  This is usually done when state gets screwed up, but it can be
done for any reason, really.  It is not the nice way to close a
connection, though, as it implies an error condition.  Also, this can't
(usually) be done by a program; rather, this is done by an OS.

Also, I've been imprecise up to now on the meaning of "close".  TCP
connection termination involves a "four-way disconnect".  Each end sends
a FIN packet, ack'd by the opposite end.  Only when all four segments
have been sent/received will both ends consider the connection to be
closed.  There's an intermediate state that a connection can be in
called "half-closed".  This is where one end has sent its FIN (and
possibly had that FIN ack'd by the other side), but the other end is
still sending data.  Programmatically, this is accomplished by a call to
shutdown().  For example, a web browser might send its full request
(something like "GET / HTTP/1.0\r\n\r\n") and then call shutdown() and
wait for the response.  The server would then send back its data and the
client would just be able to ACK, until the server finally closes its
half.

In a more abstract sense, a connection is just an agreement between two
end systems to communicate together with some operational parameters. 
Connections over connectionless protocols (such as IP) require
additional state to keep things straight - they have to manage flow
control, data integrity, and so on.  People do occasionally re-implement
the ideas behind TCP using other protocols.  Several routing protocols
implement their own network protocols.  Real-time streams are
inappropriate for TCP due to its retransmission and segmentation
behaviors (among other things), but they still maintain the concept of a
connection. 

You occasionally hear of ATM, Frame Relay, X.25, and kin referred to as
connection-oriented protocols.  They are, but in a much different
sense.  These are connection-oriented *network* protocols. 
Connectionless network protocols rely on communication endpoints to
maintain state of connections (done with transport protocols like TCP). 
A packet is a packet on the network.  Other than for the sake of
optimization, no state exists in the network for a given pair of hosts
in an IP network.  This makes packet forwarding (relatively) expensive
but is not sensitive to the number of hosts or the number of
communicating hosts (which, if you think about it, is in the
neighborhood of the square of the number of hosts on the network (
O(N^2) ), and would be hard to keep up with).  The downside is the
expense of figuring out the next hop for a given packet.  Tons of
optimizations have been made here, but they generally involve a
trade-off between RAM and CPU.  In the best case, you could have O(log
N) lookup times (N is the number of IP addresses on the network), but
it'd cost O(N) bytes of RAM.  In fact, a trivial implementation would be
8 bytes per address (address and next hop, 32 bits each), leading to a
32GB memory requirement, which is not feasible in current routers. 
Perhaps Howard or someone else could comment on the state of the art
with regard to the CPU vs. RAM compromise.

In contrast, a frame relay network (for example) requires state in every
switch between communicating endpoints.  Specific signalling protocols
have to set these connections up and tear them down, or (commonly) the
connections have to be hard-coded in switches.  This makes for a
different problem - you have a O(N^2) scal
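The half-close and RST behaviour described above can be watched from a program. The following is an added example for this thread, not code from Steve Dispensa's reply: a client sends the HTTP/1.0 request from the text, calls `shutdown()` to send its FIN, and keeps reading until the server's FIN arrives, then a second exchange closes with `SO_LINGER` set to zero so the kernel emits a RST and the peer sees a connection reset. It runs over loopback on a kernel-chosen port; the request and response bytes are constructed.

```python
"""Demonstrate TCP's orderly half-close (FIN via shutdown()) next to an
abortive close (RST via SO_LINGER 0).

Added example for this thread, not code from Steve Dispensa's reply. Runs
over loopback with an ephemeral port; the request and response bytes are
constructed sample data.
"""
import socket
import struct
import threading

REQUEST = b"GET / HTTP/1.0\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"


def _listener():
    """Bind a listening socket on loopback with a kernel-chosen port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock


def _read_until_eof(conn):
    """Read until recv() returns b'', i.e. the peer's FIN has arrived."""
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks)


def half_close_exchange():
    """Client sends its request, sends FIN with shutdown(SHUT_WR), then keeps
    reading. Returns (request the server saw, response the client saw,
    whether a send after shutdown was refused)."""
    listener = _listener()
    seen = {}

    def server():
        conn, _ = listener.accept()
        with conn:
            seen["request"] = _read_until_eof(conn)   # EOF = client's FIN
            conn.sendall(RESPONSE)
        # leaving the with-block closes conn: the server's FIN, close complete

    worker = threading.Thread(target=server)
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(REQUEST)
        client.shutdown(socket.SHUT_WR)         # our FIN; connection half-closed
        try:
            client.send(b"more")                # our send side is gone
            send_refused = False
        except OSError:                         # EPIPE on a shut-down side
            send_refused = True
        response = _read_until_eof(client)      # still able to receive
    worker.join()
    listener.close()
    return seen["request"], response, send_refused


def abortive_close_exchange():
    """Client closes with SO_LINGER timeout 0, so the kernel emits RST instead
    of FIN. Returns what the server observed: 'reset' or 'eof'."""
    listener = _listener()
    seen = {}

    def server():
        conn, _ = listener.accept()
        try:
            conn.recv(4096)                     # the one byte the client sent
            conn.recv(4096)                     # blocks until RST or FIN
            seen["peer"] = "eof"
        except ConnectionResetError:
            seen["peer"] = "reset"
        finally:
            conn.close()

    worker = threading.Thread(target=server)
    worker.start()
    client = socket.create_connection(listener.getsockname())
    client.sendall(b"x")
    client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    client.close()                              # RST, no four-way close
    worker.join()
    listener.close()
    return seen["peer"]


if __name__ == "__main__":
    print(half_close_exchange())
    print(abortive_close_exchange())
```

The first function is the browser pattern from the text: after `shutdown(SHUT_WR)` the client can no longer send (the `send` raises) but still receives the whole response and the server's FIN. The second is the RST path: the peer never sees a clean EOF, only `ECONNRESET`, which is why the reply calls it the unfriendly way to close.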

Re: CCIE Vs. BS or MS dergree [7:59481]

2002-12-21 Thread nrf
The thing about comparing degrees to certs is that they aren't totally
comparable because they serve different purposes.  The degree is designed to
teach you general knowledge - basically to teach you how to think.

Let's face it.  The vast majority of college graduates use very little of
what they actually learned in college.  How many English majors really get
jobs where they do critical analyses of Elizabethan poetry?  How many math
majors really spend the rest of their lives doing proofs and theorems?  Yes,
there are some (particularly those who choose careers in academia) but they
are in the minority.  The majority go into the working world and take jobs
that have very little association with whatever they studied.

But that's not really the point.  Unless you really are going to be a
professor, the goal of an English degree is not so that you can memorize
Chaucer.  The goal is to provide you with a solid grounding of general
knowledge and training in critical thinking and creativity - skills that
improve your productivity as a worker.  College graduates on average make
more money than non-graduates and this is prima-facie evidence that the
college education enhances one's value even when doing a job that has little
to do with whatever you studied.

Certs, on the other hand, make no bones about trying to provide you with a
broad education.  Certs are designed, ideally, to measure your knowledge of
specific skills.  Period.

As stated by someone else on this thread, the CCIE may prove to be valuable
in the network engineering profession, but has essentially zero value in any
other profession.  For example, you can't get your CCIE and then decide you
wanna be an investment banker.  But you can do that with an MBA.



""J.D. Chaiken""  wrote in message
news:[EMAIL PROTECTED]...
> If that were the real reading list for a BS degree, I would *LOVE* it.  My
> problem is that they make you read all the fluffy stuff that you never
> wanted to read in the first place, and didn't go to college for, but they
> make you read anyway.
>
> And further, let's say you were an English major, do you really think that
> Calculus I would help you there?
>
> Jarett
>
> ""Charlie Wehner""  wrote in message
> news:[EMAIL PROTECTED]...
> > What's more difficult?
> >
> > a) Memorizing configuration scenarios and commands on a Cisco router
> >
> > b) Understanding Calculus, Differential Equations, Numerical Analysis,
> > Chemistry, Physics and Electrical Engineering well enough to create a
> > "meaningful" experiment.
> >
> > One of my friends is working on his masters in Physics right now.  What
> he's
> > working on makes the CCIE look like a walk through the park.
> >
> > Seriously, what if the recommended reading list for the CCIE exam looked
> > like this:
> >
> > Physics I and II
> > Calculus I,II,III
> > Differential Equations
> > Mechanics
> > Circuit Analysis I and II
> > Linear Systems
> > Thermodynamics
> > Quantum Mechanics
> > Optics




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59679&t=59481



Re: newbie on 3550 - some questions? [7:59633]

2002-12-21 Thread Cisco Nuts
Sorry, all...I attached the IPExpert Solution, not the Netmaster Class one..

Here is the link to the solution:

http://www.netmasterclass.net/site/articles/RS-NMC-1%20Extra%20Credit.%20Catalyst%203550%20VLAN%20configuration.pdf

Thank you.

 

 

>From: "Munit Singla"
>Reply-To: "Munit Singla"
>To: [EMAIL PROTECTED]
>Subject: Re: newbie on 3550 - some questions? [7:59633]
>Date: Fri, 20 Dec 2002 19:00:47 GMT
>
>Can You please update about this lab. Can I also test here...Please update
>the new joiness of this group regarding this.
>Regards,
>Munit
>
>Cisco Nuts wrote:
> >
> > Hello, I've finally started studying the 3550's in my prep. for the Lab
> > and I am very grateful to Bruce and Val for putting out a 3550 FREE lab
> > to help us out ( NOT to forget IPExpert and NLI's). :-) Had a couple
> > of questions on this Lab solution (if anyone has done it):
> > 1. Vlan's 20 and 10 are part of int f0/2 and int f0/3 respectively but
> > only int f0/3 has the switchport mode access on Switch 1. This is not
> > the case on Switch 2. Question: Why? And when would I absolutely use
> > the #switchport mode access cmd. on an intf?
> > 2. Why is Switch 1's ip address configured for Vlan 20 and Switch 2's
> > for Vlan 10? Why not the other way around? Could we possible use Vlan
> > 30 or 40 for that matter?
> > 3. Both the Switches are set to transparent? And both Vlans are
> > created on both switches? Can VTP be created on one Switch and set to
> > server mode?
> > 4. On router R1, the #bridge irb cmd. is configured under Fe0/0 but
> > not under Fe0/1? Should this cmd. also be configed under Fe0/1?
> > Thank you for your help. I would appreciate any explanation as I
> > continue to print 100's of pages from the CMD. and CONFIG guide and
> > plough my way through it. Very soon, I hope to lay my hands on a 3550
> > but right now...lot's of writing, reading and diagrams!! :-) If
> > there is anyone that will let me have a couple of hours on a 3550,
> > please let me know. I am willing to kind of "trade" for a lot of
> > router time on my rack of 10 routers at home.
> > Sincerely, CN
> > BTW: I have attached the solution along with this email for you to
> > take a look at.
> > !
> > version 12.1
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname Switch
> > !
> > aaa new-model
> > aaa authentication dot1x default group radius local
> > !
> > ip subnet-zero
> > ip routing
> > !
> > !
> > !
> > spanning-tree extend system-id
> > spanning-tree vlan 70 priority 24576
> > !
> > !
> > !
> > interface FastEthernet0/1
> > switchport access vlan 999
> > switchport mode access
> > no ip address
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/2
> > switchport access vlan 999
> > switchport mode access
> > no ip address
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/3
> > switchport access vlan 999
> > switchport mode access
> > no ip address
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/4
> > switchport access vlan 999
> > switchport mode access
> > no ip address
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/5
> > switchport access vlan 56
> > switchport mode access
> > switchport port-security
> > switchport port-security mac-address sticky
> > no ip address
> > spanning-tree portfast
> > spanning-tree guard root
> > !
> > interface FastEthernet0/6
> > switchport access vlan 56
> > switchport mode access
> > no ip address
> > spanning-tree portfast
> > spanning-tree guard root
> > !
> > interface FastEthernet0/7
> > no switchport
> > ip address 140.40.70.35 255.255.255.0
> > !
> > interface FastEthernet0/8
> > switchport access vlan 999
> > switchport mode access
> > no ip address
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/9
> > switchport access vlan 999
> > switchport mode access
> > no ip address
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/10
> > switchport access vlan 999
> > switchport mode access
> > switchport block multicast
> > no ip address
> > storm-control broadcast level 78.00
> > storm-control multicast level 78.00
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/11
> > switchport access vlan 999
> > switchport mode access
> > switchport block multicast
> > no ip address
> > storm-control broadcast level 78.00
> > storm-control multicast level 78.00
> > dot1x port-control force-unauthorized
> > spanning-tree guard root
> > !
> > interface FastEthernet0/12
> > switchport access vlan 999
> > switchport mode access
> > switchport block multicast
> > no ip address
> > storm-control broadcast level 78.00
> > storm-control multicast level 78.00

E1 remote loopback [7:59704]

2002-12-21 Thread Simmi Singla
Hi all,
How do I configure remote loopback for an E1 link on a Cisco router? I could
do it for T1 using the FDL, but for E1 I can't find any commands for remote
loopback configuration.
Moreover, can anybody tell me what these options are?
Can you explain to me what these loopback commands on the D channel are used for:
Example: int serial 1/0:0 , loopback remote/local

What are these commands used for, given that there are loopback commands in
the controller configuration of E1 for local only?
Regards, 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59704&t=59704



Re: E1 remote loopback [7:59704]

2002-12-21 Thread Brian
CSU internal to the router; the lack of commands suggests an external CSU.

Brian

- Original Message -
From: "Simmi Singla" 
To: 
Sent: Saturday, December 21, 2002 7:07 PM
Subject: E1 remote loopback [7:59704]


> Hi all,
> How do I configure remote loopback for a E1 link on a cisco Router. I
> could do it for T1 using the FDL. But for E1 I can't find any commands
> for remote loopback configuration.
> Moreover can any body tell me that what these options are
> Can U explain me for what these loopback commands on D channel are used
> for :
> Example int serial 1/0:0 , loopback remote/local
>
> what these commands are used for although there are loopback commands in
> controller configuration of E1 for only local.
> Regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59705&t=59704



Finally CCNP! [7:59706]

2002-12-21 Thread John McCartney
I wanted to say thanks to all who have posted to this board. I don't post
much but I have learned a lot from everyone and it helped me on my journey.
Next the CCIE; special thanks to Priscilla Oppenheimer, whose Troubleshooting
page helped greatly!

John


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59706&t=59706



RE: Very Strange Problem....Any Ideas? [7:59682]

2002-12-21 Thread Craig Columbus
If I understand you correctly, I don't think we were seeing what you're 
describing.

We had the problem I described even when all devices were attached to a 
single 3548.

Also, someone else asked about the MAC addresses...they were all 
correct.  Clearing MACs on the switch didn't help the issue.


At 08:33 PM 12/21/2002 -0500, you wrote:
>Craig,
>This reminds me of a similar problem when I first got my 3550's where it
>could ping one network but not another. I hope you don't see this when
>you do upgrade to the 3550-EMI since you're in a production environment.
>
>
>3550-A#config t
>Enter configuration commands, one per line.  End with CNTL/Z.
>3550-A(config)#int vlan1
>3550-A(config-if)#ip add 192.168.10.2 255.255.255.0
>3550-A(config-if)#exit
>3550-A(config)#ip default-gateway 192.168.10.1
>3550-A(config)#^Z
>3550-A#
>00:15:38: %SYS-5-CONFIG_I: Configured from console by console
>3550-A#ping 192.168.10.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
>.
>Success rate is 0 percent (0/5)
>3550-A#config t
>Enter configuration commands, one per line.  End with CNTL/Z.
>3550-A(config)#int vlan1
>3550-A(config-if)#ip add 192.168.250.2 255.255.255.0
>3550-A(config-if)#exit
>3550-A(config)#ip default-gateway 192.168.250.1
>3550-A(config)#^Z
>3550-A#
>00:16:19: %SYS-5-CONFIG_I: Configured from console by console
>3550-A#ping 192.168.10.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
>!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000
>ms
>3550-A#ping 192.168.250.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.250.1, timeout is 2 seconds:
>!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>
>
>3550-B(config-if)#int vlan 1
>3550-B(config-if)#ip add 192.168.0.2 255.255.255.0
>3550-B(config)#ip default-gateway 192.168.0.1
>
>3550-B#ping 192.168.0.2
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
>!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>3550-B#ping 192.168.0.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
>.
>
>
>Enter configuration commands, one per line.  End with CNTL/Z.
>3550-B(config)#int vlan 1
>3550-B(config-if)#ip add 192.168.10.2 255.255.255.0
>3550-B(config)#ip default-gateway 192.168.10.1
>
>
>3550-B#ping 192.168.10.2
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
>!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
>3550-B#ping 192.168.10.1
>
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
>!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 1/200/1000
>ms
>.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59707&t=59682



Re: Very Strange Problem....Any Ideas? [7:59682]

2002-12-21 Thread Craig Columbus
Thanks for the reply.  One of the guys with us actually put a sniffer (an 
actual hardware suitcase) on the network, but didn't notice anything 
unusual.  Like you, I suspected that it might have been a poorly configured 
app or some broadcast traffic.  If the trouble was showing up at the packet 
level, the guy looking at the sniffer couldn't see it.  I didn't look at it 
personally since we were all looking at different potential problems and 
comparing notes.  When we go to put in the 3550, I'll probably throw my own 
sniffer on the line to catch some traffic if the problem reoccurs.



At 07:09 PM 12/21/2002 -0600, you wrote:

>On Sat, 2002-12-21 at 13:10, Craig Columbus wrote:
> > I worked on a network move for a brokerage company last week and
> > encountered a VERY strange problem.
>
>sounds like a broadcast problem to me... did you happen to capture any 
>traffic?  what were the interface counters like?  when did the slowdown 
>start?  suddenly or gradually?  I'm betting on a poorly-configured or 
>poorly-designed app assuming a /24 subnet or something, but that's a 
>stretch too.
>
>My approach would be to capture some traffic with Ethereal and figure out 
>1) if it's a broadcast problem, and 2) if so, what app.
>
>If it's not broadcasts, the next question is whether or not it's a traffic 
>thing at all.  Again, captures might provide a clue.  Otherwise, you have 
>to narrow down *why* things slow down.  find the bottleneck - is it really 
>on the wire between the computer and the first switch, or is it between 
>server and switch, etc.
>
>Sounds like fun!  keep us posted.
>
>  -sd




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59708&t=59682



Re: Very Strange Problem....Any Ideas? [7:59682]

2002-12-21 Thread The Long and Winding Road
Craig, I looked through the other responses, but I wanted to offer
something. I worked in brokerage for a number of years, most of which time I
was in the beginner's level regarding networking. But I do recall some
"strange" things happening, and I never did trust the answers particular
vendors were giving me.

First question - when you say "vendor" Unix boxes, are you talking ILX
systems? IP only box? no port to IPX, I assume.

Second question - is there a firewall someplace in the mix?

Third question - any other vendor equipment - say a Bloomberg router or a
Bridge Networks server, or maybe a Telerate or two?

Any other Thomson equipment in the mix?

I had a problem once with what ILX told me was a routing loop. I'd have to
sit back and think a long time about the topology I had in place. The
problem only occurred with a particular branch that I was moving from a
bridged to a routed WAN link.

Another time, when I was testing using centralized ILX services ( servers at
HQ, workstations in remote offices ), ILX used to blame the failure to
operate properly on IP helpering which I had in place for DHCP purposes.
They also used to claim that my RIP passive on my PIX firewall was
interfering with their servers. I can buy the routing loop, but I never did
buy their IP helpering and PIX finger pointing. Again, I'd have to sit back
and think a while. It's been over three years now.

I asked about other vendors, because you never can tell when a misconfigured
redistribution or some static route from 3rd party equipment might creep
into the mix.

Let us all know. Especially me. I still have a soft spot in my heart for
brokerage.

Chuck

--
TANSTAAFL
"there ain't no such thing as a free lunch"




""Craig Columbus""  wrote in message
news:[EMAIL PROTECTED]...
> I worked on a network move for a brokerage company last week and
> encountered a VERY strange problem.
>
> We moved a bunch of equipment to a new office building.  During the
> process, we changed the internal network from 192.168.100.0/24 to
> 172.31.4.0/22.
> The company has 4 Cisco 3500XL 48 port switches, with no VLANs and plain
> vanilla configurations.  The fanciest thing is portfast on the client
> machine ports.
> Switches are linked via GBICs in a cascade.  There is one client maintained
> router that sits before the firewall with only static routes and no routing
> protocols.
> There are multiple outside vendor routers for specific applications
> (real-time quotes, clearinghouse mainframe, etc.), but these too also have
> only static routes and no routing protocols.
>
> After installing all of the network equipment and servers, we started to
> turn on clients and get new DHCP addresses.  Since the new network was
> 172.31.4.0/22, 172.31.4.1 - 172.31.4.255 was reserved for servers,
> printers, switches, and routers.  The remaining 172.31.5.0 - 172.31.7.254
> was reserved for clients...though there are only about 100 clients at the
> moment and thus they only took 5.0 - 5.100 or so in DHCP.
>
> After installing maybe 20 clients or so, we started to see mass slowdowns
> on the network.  Pings between clients and servers were very irregular and
> intermittent.  There was no discernible pattern to when pings would
> succeed and when they'd fail.  We exhaustively went through all devices and
> made sure that they'd been correctly set to the new mask and that all server
> functions (DNS, WINS, AD, etc.) had been correctly set up for the new
> subnet.  Everything looked fine.  In an effort to troubleshoot, we unhooked
> the switch stack and put core servers and a few clients on a single
> switch.  Again, communication was irregular and unpredictable, whether with
> static or DHCP addresses on the clients.  Sometimes things would be fine,
> other times clients could ping the server, but not the switch to which they
> were attached.  Sometimes clients could ping the switch, but not the
> server.  Sometimes the clients could ping neither.  Again, there seemed to
> be no pattern.  Thinking there might have been some IOS bug, we erased
> nvram, upgraded the switches to current IOS code, and put in a completely
> plain configuration.  This had no effect on the problem.
>
> After 4 of us (with probably 50 years of industry experience between us)
> spent 15 hours or so trying to resolve the issue, I finally suggested we
> try moving the clients from the 172.31.5.x/22 block to the 172.31.4.x/22
> block.  This solved all problems, and all clients were able to ping both
> switches and servers 100% of the time.  Again, we didn't change the mask on
> anything, only the third octet of the client ip range.  We then went back
> and triple checked every device attached to the network...servers,
> routers, switches, printers, clients, etc.  Every single device had the
> correct mask (/22) except for two vendor maintained UNIX boxes...they had
> 172.31.4.x/24.  We suspected as much earlier since clients couldn't
> communicate with the UNIX boxes from t
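An added model of the mask mismatch Craig's post describes (example code written here, not from the thread). Each host decides from its own mask whether a peer is on-link, so a /22 client in 172.31.5.x and a /24 UNIX box in 172.31.4.x disagree about each other; the host numbers below are constructed within the post's ranges, and the audit helper flags exactly such disagreements on a segment.

```python
from ipaddress import IPv4Interface, IPv4Address
from itertools import combinations

# Constructed inventory: ranges from the post, host numbers invented here.
HOSTS = {
    "client-5": IPv4Interface("172.31.5.10/22"),  # DHCP client, third octet 5
    "client-4": IPv4Interface("172.31.4.10/22"),  # client after the move to 4.x
    "server":   IPv4Interface("172.31.4.20/22"),  # correctly masked server
    "unix-box": IPv4Interface("172.31.4.50/24"),  # vendor box left at /24
}


def on_link(src: IPv4Interface, dst: IPv4Address) -> bool:
    """True if src will ARP for dst directly rather than send to its gateway."""
    return dst in src.network


def reachability(a: IPv4Interface, b: IPv4Interface) -> str:
    """Classify the a<->b exchange from each side's own view of the subnet."""
    a_direct = on_link(a, b.ip)
    b_direct = on_link(b, a.ip)
    if a_direct and b_direct:
        return "symmetric"   # both ARP directly: ordinary LAN traffic
    if a_direct != b_direct:
        # One side ARPs, the other hands the reply to its default gateway:
        # works only if that gateway exists and routes back onto the segment.
        return "asymmetric"
    return "routed"          # both sides go via a gateway


def mask_mismatches(hosts: dict) -> list:
    """Audit helper: host pairs on one wire whose masks disagree."""
    found = []
    for (na, a), (nb, b) in combinations(sorted(hosts.items()), 2):
        if a.network != b.network:
            found.append((na, nb, f"{a.network} vs {b.network}"))
    return found


if __name__ == "__main__":
    for name in ("client-5", "client-4"):
        print(name, "->", "unix-box:", reachability(HOSTS[name], HOSTS["unix-box"]))
    for na, nb, why in mask_mismatches(HOSTS):
        print("mask mismatch:", na, nb, why)
```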

Re: Question [7:59637]

2002-12-21 Thread AMR
Depends on what you plan on doing on them.  If you are going to be doing
mostly layer 2 switching then I would leave them hybrid.  If you plan on
routing each port on each switch then definitely go native.

""Greg Rend""  wrote in message
news:[EMAIL PROTECTED]...
> I had a quick question, on which IOS for the Catalyst (Hybrid, or Native)
> is better. And why? I am getting ready to roll out some 6 of them, and
> was wondering if anyone has had any issues with the Native. Thanks. --
> Get your free email from www.uymail.com Powered by Outblaze




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59711&t=59637