Re: Good PIX book? [7:60039]

2003-01-03 Thread Matrix_pk
Yeah, I'll second this opinion. Deal's book is awesome.

cheekin wrote:
I have not actually gone through Chapman's book. I think Deal did a
good job writing the PIX Firewall book. Covers PIX v6.2 too.

cheekin

Mark Smith wrote:
> Cisco PIX Firewalls - Richard Deal
> ISBN: 0072225238
> Osborne/McGraw Hill
> 
> or
> 
> Cisco PIX Firewalls - David Chapman
> ISBN: 1587050358
> Cisco Press
> 
> Deal hangs around this group some too. Not sure about Chapman.
> Both are good. The CiscoPress book is a little more geared towards Cisco
> firewall certification. Deal's book starts from basic Firewall 101 and
> continues on thru some pretty advanced configuration of the PIX. Lots of
> good troubleshooting/show command info in there too. I have 'em both on my
> desk at work but use Deal's a lot more as a day to day reference.
> 
> There's probably other good ones out there too. I know about these two.
> 
> Mark
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Sam Sneed
> Sent: Tuesday, December 31, 2002 2:28 PM
> To: [EMAIL PROTECTED]
> Subject: Good PIX book? [7:60039]
> 
> 
> Can anyone recommend a good PIX book for a PIX beginner. I've got
> good understanding of TCP/IP and firewalls/packet filters but no PIX
> experience.
> 
> Thanks
> 
> P.S. HAPPY NEW YEARS from NYC!
Shahid Muhammad Shafi
"Every man dies; not every man really lives"

remember, if God bringz u 2 it, He WILL bring u thru it!!!-

Please help feed hungry people worldwide http://www.hungersite.com/
A small thing each of us can do to help others less fortunate than ourselves






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60198&t=60039
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: O/T more campus design issues [7:60136]

2003-01-03 Thread William
Hi Priscilla

Maybe you can try this:

ip forward-protocol udp 137
ip forward-protocol udp 138
ip forward-protocol spanning-tree

Best regards,

William
"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> bergenpeak wrote:
>
> Thanks. I always like hearing from you, bergenpeak. DHCP is working and the
> DHCP server is on the other net so we think inter-VLAN routing and the
> helper address are behaving and that STP forwarding delay isn't biting us.
>
> We tried having the helper address point to a broadcast just in case that
> would help Windows. It didn't break DHCP but it didn't help Windows either.
> ;-)
>
> Most things are working, just not Windows. Luckily the customer is a Windows
> type, unlike me, so we'll get it working hopefully.
>
> THANKS!
>
> Priscilla
>
> >
> > If you only have hosts connected to the switch (not L2 devices),
> > enable port-fast on the host ports.   This eliminates the
> > spanning tree states on the port and thus the port begins
> > forwarding packets within a few seconds of the link coming online.
> > This might be the problem if static IPs are assigned to the
> > hosts.  If DHCP is being used and DHCP is working, I'd expect
> > it is not a problem with the port and spanning tree.
> >
> > One other possible gotcha is regarding routing and the VLAN interface.
> > If no devices are active on the VLAN, the router might consider the
> > VLAN subnet "down" and withdraw the route from its advertisements.
> >
> >
> >
> >
> >
> > Priscilla Oppenheimer wrote:
> > >
> > > You all remember my very simple campus network re-design that I've been
> > > helping out with? It sure has been keeping me humble. ;-)
> > >
> > > So we upgraded the single subnet to two subnets and two VLANs.
> > >
> > > Everything is working OK except for Windows networking. The PCs on the new
> > > subnet can't find a domain controller for authentication.
> > >
> > > So, you can feel free to yell at me for not gathering more information on
> > > the symptoms, but the client hasn't told me much. ;-) But does this ring a
> > > bell with anyone? Are there standard recommendations on how to handle this
> > > in a subnetted VLANed internetwork.
> > >
> > > I'm not too well informed on Windows networking. My co-author wrote that
> > > chapter in my troubleshooting book.
> > >
> > > Thank-you so much!
> > >
> > > Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60199&t=60136



RE: O/T more campus design issues [7:60136]

2003-01-03 Thread mjans001

Priscilla,

For startup (win 9x) you must put WINS in place. The NetBIOS node type is
covered in a prev thread.

You can do an include statement in the client lmhosts file that refers to a
lmhosts file at the DC (for example the netlogon share or on a random
server) for scaling issues.

Browsing:
Older Windows boxes make lousy browsing masters. They elect all the time,
startup/shut. Also the LANMAN processes are not that tuned for that role.

So putting NT on the segment (for file/print) through multi-home or vlan tags
is recommended, sure when there are a lot of win 9x clients. Make that
WINS, and you are OK.

I've seen that work fine.

My 2 eurocents

Martijn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 2 January 2003 23:16
To: [EMAIL PROTECTED]
Subject: O/T more campus design issues [7:60136]


You all remember my very simple campus network re-design that I've been
helping out with? It sure has been keeping me humble. ;-)

So we upgraded the single subnet to two subnets and two VLANs.

Everything is working OK except for Windows networking. The PCs on the new
subnet can't find a domain controller for authentication.

So, you can feel free to yell at me for not gathering more information on
the symptoms, but the client hasn't told me much. ;-) But does this ring a
bell with anyone? Are there standard recommendations on how to handle this
in a subnetted VLANed internetwork.

I'm not too well informed on Windows networking. My co-author wrote that
chapter in my troubleshooting book.

Thank-you so much!

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60200&t=60136



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread [EMAIL PROTECTED]
Someone, somewhere along this thread mentioned quantum
computing/programming... in my effort to add tangents to an already
fragmented thread (although I am immensely enjoying the nrf/Berkowitz
segment, even if I can't even begin to answer the questions posed), here ya
go!

http://www.technologyreview.com/articles/voss1202.asp




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60204&t=59481



MPLS VPN [7:60205]

2003-01-03 Thread [EMAIL PROTECTED]
I know how to set MPLS VPN in a network with 7507 as the Core routers.

But what is necessary to integrate a 6500 switch with FlexWan module and
PA-HSSI/PA-ATM cards in the Core and keep the MPLS VPN service in the
location served by the switch?

The network is like that:

2500-vpn-A--7500=7500-vpn-A---2500
   ||||
   ||||
2500vpn-A---6509===




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60205&t=60205



IOS process scheduler algorithm [7:60206]

2003-01-03 Thread Marc Thach Xuan Ky
Hi all,
I am reading Cisco Press "Inside Cisco IOS Software Architecture" and
have some outstanding questions about the scheduler, maybe somebody can
help me.  The text describes how the low priority queue is only skipped
15 times before it is serviced even when there are processes queuing at
higher priorities.
Does this count up to 15 include the times that both medium and low
priority queues are skipped?
There seems to be no similar counter for the medium queue, am I correct
then in assuming that the only failsafe servicing of the medium priority
queue is achieved via the "interleaving" occurring during failsafe
servicing of the low priority queue, which would imply the answer to the
first question?
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60206&t=60206



Re: MPLS VPN [7:60205]

2003-01-03 Thread John Murphy
Currently the 6500/7600 can only function as a PE with an OSM.   Assuming
you have one, you would configure the ethernet port your 2500 is connecting
to into a unique vlan, then configure one of the Gig-E ports on the OSM as
your 'upstream' using dot1q encapsulation, and terminate your VRF there.
I've included an example below, HTH.

Best Regards,

John


interface GE-WAN4/1.10
 description 2500-MPLS-VPN-A
 encapsulation dot1Q 10
 ip vrf forwarding vpnA
 ip address 10.1.2.3 255.255.255.252
 mpls label protocol both
end







- Original Message -
From: 
To: 
Sent: Friday, January 03, 2003 7:12 AM
Subject: MPLS VPN [7:60205]


> I know how to set MPLS VPN in a network with 7507 as the Core routers.
>
> But what is necessary to integrate a 6500 switch with FlexWan module and
> PA-HSSI/PA-ATM cards in the Core and keep the MPLS VPN service in the
> location served by the switch?
>
> The network is like that:
>
> 2500-vpn-A--7500=7500-vpn-A---2500
>||||
>||||
> 2500vpn-A---6509===




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60207&t=60205



Re: Routable IP network in 2 locations [7:60185]

2003-01-03 Thread [EMAIL PROTECTED]
I have never bridged connections across a WAN before. Is that simple to do?

Robert
"The Long and Winding Road" wrote in
message news:[EMAIL PROTECTED]...
> wrote in message
> news:[EMAIL PROTECTED]...
> > Hello,
> >
> > I am having trouble with what appears to be a simple problem. I have a small
> > office and I have a friend who owns a building not too far away. I am going
> > to order a T1 to the internet from my location and a PPP T1 to his location.
> > He has 6 customers in his location and I have 5 in mine. I want to give
> > internet access to everybody and give them a routable IP address. My ISP
> > gave me 32 addresses so I am not going to run out.
> > BUT I can figure out how to make it work.
> >
> > the setup is
> >
> > INternet---T1---2611 ---T1---2611
> > ||
> > ||
> > 29122912
> >
>
>
> two thoughts come to mind.
>
> 1) bridge between the two locations, putting everyone on the same subnet.
>
> 2) use private IP addressing on the inside - each location retains its
> original scheme, then do static nat to the internet. access-lists on the
> appropriate interfaces to keep the two networks alien to each other.
>
>
>
>
> > thanks for your help
> >
> > Robert




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60208&t=60185



New Technologies [7:60209]

2003-01-03 Thread
Hi all,

  I was wanting to hear from you as to what you guys see as some up and
coming technologies and perhaps what are some players in that space.  Thanks.

JunoGuy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60209&t=60209



Re: Routable IP network in 2 locations [7:60185]

2003-01-03 Thread Murat Yilmaz
Hi,
Well, assuming you have an extra /30 block for the T1 link to your isp, you
can make such a design..
Assume your 32 block is 10.10.10.0/27

INternet---T1---2611 (192.168.0.1/30)---T1---(192.168.0.2/30) 2611
(10.10.10.1/28)
   (10.10.10.17/29)
|   |||||
 |||| |
|   |||||   (6 PCs)
 |||| |  (5PCs)
10.10.10.2  3   4   5   6   7
10.10.10.18  19 20 21 22

On your router give a static route to 192.168.0.2 for the 10.10.10.0/28 block.
Since 6 customers exist on the other side you will have to reserve a 16 ip
block so 12 ip will be burned at the other side as Brian said. Still
10.10.10.24/29 is available.
NAT would be a more effective solution.

Regards..
Murat

- Original Message -
From: 
To: 
Sent: Friday, January 03, 2003 7:09 AM
Subject: Routable IP network in 2 locations [7:60185]


> Hello,
>
> I am having trouble with what appears to be a simple problem. I have a small
> office and I have a friend who owns a building not too far away. I am going
> to order a T1 to the internet from my location and a PPP T1 to his location.
> He has 6 customers in his location and I have 5 in mine. I want to give
> internet access to everybody and give them a routable IP address. My ISP
> gave me 32 addresses so I am not going to run out.
> BUT I can figure out how to make it work.
>
> the setup is
>
> INternet---T1---2611 ---T1---2611
> ||
> ||
> 29122912
>
> thanks for your help
>
> Robert




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60210&t=60185
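
The split described in the reply above, worked through as an added example (not part of the original post). It uses the 10.10.10.0/27 block and the 192.168.0.2 next hop assumed in the post; the site names and the rule of one extra address per site for the router's LAN interface are assumptions made here.

```python
import ipaddress


def prefix_for(addresses_needed):
    """Longest IPv4 prefix whose usable range (size minus network and
    broadcast address) still holds addresses_needed."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= addresses_needed:
            return prefix
    raise ValueError("request too large for a single IPv4 subnet")


def carve(block, sites):
    """Split `block` between `sites` (name -> number of PCs).

    Returns (plan, free): plan maps each site to its subnet and gateway,
    free lists the blocks that remain unallocated.
    """
    free = [ipaddress.ip_network(block)]
    plan = {}
    # Largest site first, so every subnet lands on its natural boundary.
    for name, pcs in sorted(sites.items(), key=lambda kv: -kv[1]):
        want = prefix_for(pcs + 1)  # assumption: +1 for the router interface
        fits = [n for n in free if n.prefixlen <= want]
        if not fits:
            raise ValueError(f"no room left for {name}")
        # Use the smallest free block that fits, lowest address on a tie.
        parent = max(fits, key=lambda n: (n.prefixlen, -int(n.network_address)))
        free.remove(parent)
        subnet = next(parent.subnets(new_prefix=want))
        free.extend(parent.address_exclude(subnet))
        plan[name] = {
            "subnet": subnet,
            "gateway": next(iter(subnet.hosts())),  # first usable address
        }
    return plan, sorted(free)


def ios_static_route(subnet, next_hop):
    """Render the IOS static route that points `subnet` at `next_hop`."""
    return f"ip route {subnet.network_address} {subnet.netmask} {next_hop}"


if __name__ == "__main__":
    # Constructed input: 6 PCs at the far site, 5 PCs at the near site.
    plan, free = carve("10.10.10.0/27", {"remote": 6, "local": 5})
    for site, info in plan.items():
        print(site, info["subnet"], "gateway", info["gateway"])
    print("unallocated:", [str(n) for n in free])
    print(ios_static_route(plan["remote"]["subnet"], "192.168.0.2"))
```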



Xmodem download problem [7:60211]

2003-01-03 Thread [EMAIL PROTECTED]
Hello
Please help me!
I have a problem downloading the IOS (c3500XL-c3h2s-mz-120.5.2-XU.bin) from
my Xmodem following your procedure at
http://www.cisco.com/warp/public/473/corrupt_or_missing_image.html.
My Catalyst is a 3500 XL. The prompt is "switch:", and when I run the dir
command, it gives me this:
flash[0]: (read-write)
xmodem[1]: (read-only)
null[2]: (read-write)
bs[3]: (read-only)
I don't know how to change the Xmodem option to read-write.
It's urgent for me. Please !!!
Regards !
 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60211&t=60211



Fwd: Re: CCIE Vs. BS or MS dergree [7:59481]

2003-01-03 Thread Mr piyush shah


Dear all
I think it is now really high time someone should take
the initiative in stopping the subject of CCIE vs BS or MS
degree. What are we here for? To discuss and share
problems faced on the networking front, or discussing
whether BS is superior or CCIE? Let me tell you both
the degrees are best in their unique ways. Who the
hell are we to decide its superiority? Like I
mentioned, we all are indirectly supporting the one
whosoever raised this query by getting involved in
this question-answer forum. I think we should stop
it. There are a lot of important things on which we need to
concentrate more.
Hope so the message is loud and clear to all those
participants in this group.

Regards


Note: forwarded message attached. 


Date: Thu, 2 Jan 2003 21:16:17 GMT
From: "l0stbyte"
Subject: Re: CCIE Vs. BS or MS dergree [7:59481]

Ladrach, Daniel E. wrote:

> I have an MIS degree from The Ohio State University Max Fisher College of
> Business. I see some posts out there saying that a CS degree is no more than
> a vocational degree. Obviously this person has not been to college! College
> is not there to prepare you to step in and do a Sr. Engineer job, it is
> there to give you a base understanding of IT. I however, have a business
> degree with an IT focus. So, when you have been through the classes I have
> you form a level of respect for anyone who has been down the same road.
>
> When the CCIE gets as challenging as the following let me know.
>
> Calculus
> Physics
> Finance
> Accounting
> Economics
> CS-programming
> CS-operating systems
> CS-networking
>
>
>
> Daniel Ladrach
> CCNA, CCNP
> WorldCom
All of the listed should be taught in high school. Unless it's some
kind of quantum programming (is it still a concept?), CCIE should be by
far more challenging. My two cents..
:)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60201&t=59481



Catalyst 6xxx switches and 2 firewall in cluster mode with [7:60213]

2003-01-03 Thread Hitesh Pathak R
Dear Group,

Need your help in setting up the following :-

SETUP :- There are 2 core switches SW1 & SW2 (connected back to back with both
the SUP GE ports Fiber uplink (Channeled and trunk). On one of the switches (SW1)
I have 2 firewalls connected in cluster mode. For this clustered firewall I
have bound the multicast mac address on the switch SW1 as the recommended
method by the firewall vendor by the command (set cam permanent ).

Now the problem faced here is since they have only bound the mac address to 2
ports on SW1 (switch one ONLY) there seems to be some multicast packets
flooding on my second core switch SW2 for that multicast address.

The customer wants to stop this broadcast from happening on 2nd switch SW2 and
hence wants to bind the same multicast mac address on the 2nd Switch with the
trunk ports going to SW1 from SW2.

Has anybody faced similar situation ?? Is this configuration supported. Can I
bind the cam entry to my trunk port on the SW2 as well with the same multicast
mac address??

Many thanks in advance.

Thanks
Hitesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60213&t=60213



Re: Possible CDP bug? Check it out! [7:59929]

2003-01-03 Thread steve
hey..


AT Last i think i can try and properly help someone yippe..

on your switches type this message

no cdp advertise-v2

i have had this all over my network ..and you are correct it is a bug in CDP
..

according to cisco, this isn't a fix just a work around

H(and i mean HOPE)TH

steve skinner
(CCxx MCxx HPxx SCxx CSxx.you know i wish i had some proper certs and
not just the xx ones)
- Original Message -
From: "The Long and Winding Road" 
To: 
Sent: Sunday, December 29, 2002 9:06 AM
Subject: Possible CDP bug? Check it out! [7:59929]


> I've run into this situation while doing some practicing with the 3550s and
> some routers
>
> 2611--3550---35503640
>
> all ethernet ports are set at full duplex 10 megabit speed.
>
> the 2611 and the 3640 are connected via a vlan tunnel.
>
> everything is working fine, until I turn on l2protocol-tunnel cdp on both
> switches, at which point I get the following error:
>
> 3640
> FrameSwitch#
> 1w0d: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/1 (not half duplex), with Router_14_2611 Ethernet0/1 (half duplex).
>
> 2611
> 1w0d: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/1 (not full duplex), with FrameSwitch Ethernet0/1 (full duplex).
>
> as near as I can tell, there are no errors on any of the interfaces. no
> collisions, etc. not that I'm sending a lot of traffic during these studies,
> but extended pings don't come up with anything either.
>
> relevant configurations for all interfaces. as you can see, everything
> agrees all along the line. everyone is set for speed 10 and duplex full. if
> I turn off l2protocol-tunnel cdp on the interfaces, the error messages
> disappear. I suspect a bug in CDP, but I'm wondering if I have missed
> anything.
>
> 2611
> ---
> interface Ethernet0/1
>  no ip address
>  full-duplex
> !
> interface Ethernet0/1.1
>  encapsulation dot1Q 121
>  ip address 122.1.1.1 255.255.255.0
> !
> interface Ethernet0/1.2
>  encapsulation dot1Q 122
>  ip address 122.1.2.1 255.255.255.0
> !
> interface Ethernet0/1.3
>  encapsulation dot1Q 123
>  ip address 122.1.3.1 255.255.255.0
> !
> interface Ethernet0/1.4
>  encapsulation dot1Q 124
>  ip address 122.1.4.1 255.255.255.0
> !
>
> Switch_24#sri f0/1
> Building configuration...
>
> Current configuration : 200 bytes
> !
> interface FastEthernet0/1
>  switchport access vlan 100
>  switchport mode dot1q-tunnel
>  no ip address
>  duplex full
>  speed 10
>  l2protocol-tunnel cdp
>  no cdp enable
>  spanning-tree bpdufilter enable
> end
>
> interface FastEthernet0/26
>  switchport access vlan 100
>  switchport mode dot1q-tunnel
>  no ip address
>  duplex full
>  speed 10
>  l2protocol-tunnel cdp
>  no cdp enable
>  spanning-tree bpdufilter enable
> end
>
> 3640
> ---
> interface Ethernet0/1
>  no ip address
>  no ip redirects
>  full-duplex
>  priority-group 1
> !
> interface Ethernet0/1.1
>  encapsulation dot1Q 121
>  ip address 122.1.1.2 255.255.255.0
> !
> interface Ethernet0/1.2
>  encapsulation dot1Q 122
>  ip address 122.1.2.2 255.255.255.0
> !
> interface Ethernet0/1.3
>  encapsulation dot1Q 123
>  ip address 122.1.3.2 255.255.255.0
> !
> interface Ethernet0/1.4
>  encapsulation dot1Q 124
>  ip address 122.1.4.2 255.255.255.0
> !
>
> Chuck
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60212&t=59929



OSS/NM (was CCIE Vs. BS or MS degree [7:59481]) [7:60215]

2003-01-03 Thread bergenpeak
NRF makes a very good point below about OSS systems.   Pulling this
off from the original thread to take the discussion in a different
direction.

As we probably all would agree, the largest cost in running a
network is not the engineering cost or the capital costs, but
rather the cost of operating the network (NOC, call center, 
tier 1-(N-1) support, etc.)

In the world I live in, the engineering group, when introducing
new gear, design, service, or architecture, is responsible to also
provide the OIDs to monitor, how often to poll, what each OID means,
what are key thresholds, and what it means (or one should do) when
an OID value passes one of these thresholds.   The NM folks then update
their tools (OSSs) and processes based on this information.

The engineering involved in this portion of the design can either make
or break the cost effectiveness of a design.

So two points:

1) It would seem that any CCIE-type training/testing should include NM
information into the material to be learned.  From what I can tell, it does
not.  I'm not suggesting that one would need to memorize every OID
in every MIB, but it would seem important to know key OIDs in each
functional area and what useful information they provide.

2) For the folks on this list that write books in this space, it would
seem very appropriate if NM topics were covered as well.   Take a
book which talks about the many different routing protocols.   All of them
explain how the protocol operates, the format of messages, and how
to configure and debug a router running the protocol.  There's
only so many ways one can explain OSPF type 1-4,5 and 7 LSAs and
stub/TSA/NSSAs.  One way to differentiate the contents of a book would
be to include key OIDs one should consider putting in their NM systems
to make sure OSPF/IS-IS/BGP/etc. is operating as expected (or not).

My $0.02.





nrf wrote:
> 
> Yet at the same time we have the opposite phenomena - guys who can configure
> routers in a Sunday minute, but can't even spell RFC.  What I'm talking
> about is guys who might know what all the commands are, but have no
> grounding in routing protocol theory or any such higher concepts.  All they
> know is - they see this problem, they type in this command.  Such guys are
> useful if you need to troubleshoot your network at 3 in the morning, not so
> useful if you want to do something that isn't in a textbook.  And besides, I
> hate to say it, but these guys are destined to be replaced by a good OSS.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60215&t=60215



Re: SNMP Filter [7:60100]

2003-01-03 Thread steve
also one thing to point out is that even with a config of the like that has
been correctly recommended you still have problems with wasted bandwidth
and CPU resource because someone is trying to send the requests to you in
the first place ...
and also if you have any syslog logging setup they will be reported in
that as well

ALSO someone could be trying to Hack you (snmp isn't that secure )...as has
happened to me


ANYWAY
here is a pretty locked down snmp config from one of my 7500's



logging source-interface Loopback0
logging 10.*.*.*
logging 164.*.*.*
logging 10.*.*.*
access-list 1 permit 10.*.*.*
access-list 1 permit 164.*.*.*
snmp-server community  "snmp read-only community" RO 1
snmp-server community  "snmp read-write community" RW 1
snmp-server trap-source Loopback0
snmp-server location London Bridge
snmp-server host 10.*.*.* "snmp read-only community"
snmp-server host 164.*.*.* "snmp read-only community"

HTH

steve


- Original Message -
From: "Frank" 
To: 
Sent: Thursday, January 02, 2003 2:57 PM
Subject: Re: SNMP Filter [7:60100]


> Hi,
>
> you can create an "snmp view" and secure this with an access-list. This way
> you can deny any snmp requests to your box and allow your own ranges.
>
> Another way ( the hard way ;-) is to configure the snmp responses to come
> from the loopback address and then start filtering outbound traffic from
> that address on port 161. This is what you mean I think but I would advise
> you to use the first example.
>
> cheers
>
> Frank
>
> On Thu, 2 Jan 2003 13:52:53 GMT, Michael wrote:
> >Dear All
> >
> >I have a few C7507 series routers with a lot of
> >frame-relay and ll customers. How can I filter SNMP
> >requests  on the C7507 coming from the FR/LL
> >customers? I get a lot of SNMP Authentication Failed
> >on the router LOG. What I was wondering is whether SNMP
> >uses a specific IP address from the router in order to
> >answer to SNMP requests or whether all IP addresses on
> >the router answer to SNMP request. I dont want to
> >filter SNMP between customer sides therefore i can
> >not use Access-lists on all router interfaces in order
> >to deny SNMP. But in case SNMP on the router uses a
> >specific IP to answer to request then it is possible
> >to use access list and deny SNMP requests to the
> >specific IP.
> >
> >Any help will be appreciated
> >
> --
> Frank




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60216&t=60100
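
A check that every `snmp-server community` line in a saved configuration is bound to a defined, restrictive access list, the way the config above binds both communities to access-list 1. This is an added example, not code from the original posts; the sample configuration, community names and finding labels are constructed, and only numbered `access-list` entries are parsed.

```python
import re

# snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view (?P<view>\S+))?"
    r"(?: (?P<mode>ro|rw))?"
    r"(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)
# Numbered ACL entry; only the first source token is needed here.
ACL_RE = re.compile(
    r"^access-list (?P<id>\d+) (?P<action>permit|deny)\s+(?P<src>\S+)",
    re.IGNORECASE,
)
DEFAULT_NAMES = {"public", "private"}

# Constructed sample, not taken from any real device.
SAMPLE_CONFIG = """\
access-list 1 permit 10.0.0.5
access-list 1 permit 10.0.0.6
access-list 2 permit any
snmp-server community monitorRO RO 1
snmp-server community manageRW RW 1
snmp-server community public RO
snmp-server community legacy RO 2
snmp-server community orphan RO 7
"""


def audit_snmp(config):
    """Return a list of (line_number, finding) for SNMP community lines."""
    acls = {}          # acl id -> list of (action, source)
    communities = []   # (line_number, name, mode, acl id or None)
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            entry = (m["action"].lower(), m["src"].lower())
            acls.setdefault(m["id"], []).append(entry)
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            # With neither ro nor rw given, IOS treats the community as read-only.
            mode = (m["mode"] or "ro").lower()
            communities.append((lineno, m["name"], mode, m["acl"]))

    findings = []
    for lineno, name, mode, acl in communities:
        if name.lower() in DEFAULT_NAMES:
            findings.append((lineno, "default-community"))
        if mode == "rw":
            findings.append((lineno, "read-write"))
        if acl is None:
            findings.append((lineno, "no-acl"))
        elif acl not in acls:
            findings.append((lineno, "acl-undefined"))
        elif any(a == "permit" and s == "any" for a, s in acls[acl]):
            findings.append((lineno, "acl-permits-any"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

As the post notes, an access list on the community only decides which requests are answered; rejected requests still reach the router and show up in syslog.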



basic IS-IS questions [7:60217]

2003-01-03 Thread bergenpeak
Been reading Doyle V1 IS-IS chapter.  Also been reading the
PDF on cisco's web site regarding IS-IS.

Some questions based on this reading.

1) Why is it that the IS-IS model of having the router be in
only a single area, as opposed to where an OSPF router can be in
multiple areas results in significantly fewer LSPs?  This
reason is then used to suggest that IS-IS has better scaling
properties than OSPF.  It might, I'm just trying to understand
why the different area demarc location would result in fewer
LSA-type advertisements.  If, in OSPF, any ABR router was limited
to be in just two areas, would this equate to the same number of
LSPs in IS-IS, and hence scale accordingly with IS-IS?

2) Is it possible for IS-IS to support the equivalent
of an OSPF NSSA?  In an OSPF NSSA, the area sees no
external area routes, but ASBRs can be present
in the area.  In IS-IS, the ASBR equivalent would be
a L1/L2 router.  And it appears that all routers which
perform L2 function must be interconnected, which means:

* the ASBR (L1/L2 router) would see all of the AS routes.
This breaks one aspect of an NSSA in that only routes
within the areas are present (LSA type 1, 2 and 7)

* in order to satisfy the L2 connectivity requirement,
there would need to be a string of routers in the area
which are L2 that connect the ASBR (L1/L2) back to
the L2 backbone.  This sort of defeats the concept of
an area, which is isolated from the backbone as the
backbone needs to be pulled into the area to the ASBR
(L1/L2)

3) Why is it that by limiting the possible metric values
to be between [0, 1023] allows SPF to be more efficient?

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60217&t=60217



Re: New Technologies [7:60209]

2003-01-03 Thread Howard C. Berkowitz
At 3:16 PM + 1/3/03, " JunoGuy " wrote:
>Hi all,
>
>   I was wanting to hear from you as to what you guys see as some up and coming
>technologies and perhaps what are some players in that space.  Thanks.
>
>JunoGuy

I have to ask what time frame you have in mind, and whether or not 
you want to limit the discussion to commercial products that are 
shipping -- as opposed to getting in more on the ground floor of 
unsolved problems.

For example, there is a very real and unsolved problem of global 
Internet routing stability and scalability.  No one really has an 
answer, although some of the problem space is being defined in the 
IRTF. The IETF PTOMAINE Working Group is dealing with short-term 
fixes that you may very well see in product.

I see GMPLS as a very important way to provide a consistent IP 
interface to an assortment of transmission systems, both packet and 
non-packet oriented.

Storage area networking is entering the market. I'd comment that it 
is being treated as somewhat of a technology island.  The more one 
thinks of how a storage router is architecturally similar to a 
high-end carrier router, the better one understands the problem. 
Content networking will also be intimately involved here, and he or 
she that can relate the various technologies is at an advantage.

Survivability and security - not quite the same thing - are very big 
issues.  One of the problems in deploying solutions, I believe, is 
much more design and understanding than the physical products.  My 
colleague Annlee Hines has written "Planning for Survivable 
Networks," which gives an excellent view at a level many people don't 
think of.  It's worth listening to a person that was first thrown out 
of her chair by a terrorist attack, over 20 years ago.

Another aspect of security is that it is far too difficult to manage 
and use.  Now, I'm not suggesting that there is only one technology 
for security.  A firewall is not a SSL proxy is not an IDS is not a 
PKI server...  But how to make these usable for Joe User is a real 
challenge.

Multimedia/voice/whatever is making rapid inroads. Cisco has a 
certain number of applications in this area, but they are often 
middleware on which third-party, industry-specific solutions will be 
built.  Those third-party applications will be important.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60219&t=60209



Re: OSS/NM (was CCIE Vs. BS or MS degree [7:60220]

2003-01-03 Thread Howard C. Berkowitz
At 4:31 PM + 1/3/03, bergenpeak wrote:
>NRF makes a very good point below about OSS systems.   Pulling this
>off from the original thread to take the discussion in a different
>direction.
>
>As we probably all would agree, the largest cost in running a
>network is not the engineering cost or the capital costs, but
>rather the cost of operating the network (NOC, call center,
>tier 1-(N-1) support, etc.)
>
>In the world I live in, the engineering group, when introducing
>new gear, design, service, or architecture, is responsible to also
>provide the OIDs to monitor, how often to poll, what each OID means,
>what are key thresholds, and what it means (or one should do) when
>an OID value passes one of these thresholds.   The NM folks then update
>their tools (OSSs) and processes based on this information.

This brings up interesting issues of basic software architecture. 
From all I know, IOS is not built on an OID structure. Nortel, in 
many of its products -- certainly the derivatives of Bay RS -- used 
the OID structure as its fundamental internal data structuring.  Not 
all products -- Passport isn't just spaghetti code--it needs angel 
hair pasta to get even more twisty.

>
>The engineering involved in this portion of the design can either make
>or break the cost effectiveness of a design.

Another aspect is that there is constant confusion among station, 
layer, and system management.  People with a proper understanding of 
layer management rarely struggle with where ARP fits.  Frankly, this 
is extremely valuable to understanding the context even for basic 
certifications.

>
>So two points:
>
>1) It would seem that any CCIE-type training/testing should include NM
>information into the material to be learned.  From what I can tell, it does
>not.  I'm not suggesting that one would need to memorize every OID
>in every MIB, but it would seem important to know key OIDs in each
>functional area and what useful information they provide.

A question:  how much OO experience does someone need to enter the 
OID space?  I kind of grew up with it (well, more OSI management), so 
it's hard for me to judge what it's like for a newbie. Conceptually, 
it's very different than teaching configuration and troubleshooting, 
so I would be really interested in good ways to introduce it to 
non-programmers.

>
>2) For the folks on this list that write books in this space, it would
>seem very appropriate if NM topics were covered as well.   Take a
>book which talks about the many different routing protocols.   All of them
>explain how the protocol operates, the format of messages, and how
>to configure and debug a router running the protocol.  There's
>only so many ways one can explain OSPF type 1-4,5 and 7 LSAs and
>stub/TSA/NSSAs.  One way to differentiate the contents of a book would
>be to include key OIDs one should consider putting in their NM systems
>to make sure OSPF/IS-IS/BGP/etc. is operating as expected (or not).

Having done some design in that area, first, we don't necessarily 
have OIDs defined for the information always needed. Second, we don't 
have halfway user-friendly pattern recognizers to deal with these 
issues.

There are conceptual things that don't get mentioned, yet are 
amazingly simplifying once you understand that.  We go on and on 
about the various LSA types and where they are permitted, but I've 
found relatively few people that can explain why intra-area is 
preferable to inter-area, inter-area to external, and why both 
external type 1 and 2 are there.

In a third aspect, I'd rather design it right in the first place than 
be stuck in infinite troubleshooting purgatory. The night of BGP 
turned into a bright dawn when I started first defining routing 
policies in RPSL, and then configuring from the policy definition. 
There are even tools that automate some of this, such as RtConfig. 
(see www.radb.net)

To be fair about it, RPSL isn't very user-friendly to people without 
substantial programming experience, especially at an abstract level. 
A graphic, object-oriented front end, with extensions to IGPs and 
defining NM points, would be tremendously helpful.

>
>My $0.02.
>
>
>
>
>
>nrf wrote:
>>
>>  Yet at the same time we have the opposite phenomena - guys who can configure
>>  routers in a Sunday minute, but can't even spell RFC.  What I'm talking
>>  about is guys who might know what all the commands are, but have no
>>  grounding in routing protocol theory or any such higher concepts.  All they
>>  know is - they see this problem, they type in this command.  Such guys are
>>  useful if you need to troubleshoot your network at 3 in the morning, not so
>>  useful if you want to do something that isn't in a textbook.  And besides, I
>>  hate to say it, but these guys are destined to be replaced by a good OSS.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60220&t=60220

Re: Routable IP network in 2 locations [7:60185]

2003-01-03 Thread The Long and Winding Road
"[EMAIL PROTECTED]" wrote in message
news:[EMAIL PROTECTED]...

> I have never bridged connections across a WAN before. is that simple to do?


yes, bridging across a WAN link is pretty basic.

but I believe you need to back up a second and make a couple of other
decisions first.

you say the net result will be two buildings, each with a handful of
customers, sharing a common internet connection. I am assuming that the only
reason for linking the two buildings is to share internet. There are no
other services that all parties will be using. Is that correct?

so my specific questions to you:

1) do you want everyone involved to use a public ip address on their
equipment? you sure about this?

2) how are people numbered now? does your building, your customers, all use
addresses in the same subnet? same question for the other building. the
question in my own mind is the wisdom of having several unrelated units on a
common subnet, potentially with full visibility to each other.

if internet connectivity is the only consideration, I don't believe internal
numbering is an issue. bridge or route internally, and use NAT on the router
with the internet access. place a couple of access lists on the appropriate
interfaces to protect the two separate networks.

I would be more concerned about visibility between and among all of the
entities involved here. "customers" means what? unrelated people renting
offices in each building? in which case I would want to take steps to assure
that I have taken reasonable precautions to keep visibility limited. vlans
on the 29xx's or some other means such as access lists.

this is probably more than you asked for. I just think you need to start at
the top and work your way down. Just my opinion.

HTH

Chuck



>
> Robert
> "The Long and Winding Road" wrote in
> message news:[EMAIL PROTECTED]...
> > wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > I am having trouble with what appears to be a simple problem. I have a
> > > small office and I
> > > have a friend who owns a building not too far away. I am going to order a
> > > T1 to the internet from my location and
> > > a PPP T1 to his location. He has 6 customers in his location and I have 5
> > > in mine. I want to give internet access to
> > >  everybody and give them a routable IP address. My ISP gave me 32
> > > addresses so I am not going to run out.
> > > BUT I can figure out how to make it work.
> > >
> > > the setup is
> > >
> > > Internet---T1---2611 ---T1---2611
> > >                  |            |
> > >                  |            |
> > >                 2912         2912
> > >
> >
> >
> > two thoughts come to mind.
> >
> > 1) bridge between the two locations, putting everyone on the same subnet.
> >
> > 2) use private IP addressing on the inside - each location retains its
> > original scheme, then do static nat to the internet. access-lists on the
> > appropriate interfaces to keep the two networks alien to each other.
> >
> >
> >
> >
> > > thanks for your help
> > >
> > > Robert




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60221&t=60185



WHY CCIE Vs. BS or MS degree discussion is broadly [7:60218]

2003-01-03 Thread Howard C. Berkowitz
At 3:53 PM + 1/3/03, Mr piyush shah wrote:
>
>
>Dear all
>I think it is now a real high time someone should take
>initiative in stopping the subject of CCIE vs BS or MS
>degree. Why are we here for ? to discuss and share
>problems faced on networking front

All joking aside, I think this is the key point, and something that a 
lot of people miss.  I do know, partially from private email, that 
there are a substantial number of people that lose track of the 
relevance of academic (not necessarily ATTENDING college or getting 
degrees) material and focus completely on certification.

A couple of personal observations: I have no interest in getting into 
top corporate management, but I have and will be in senior technology 
management.  nrf, it seems, distinguishes simply between management 
and non-management. In Cisco's case, I'd have no interest in John 
Chambers' job, but I might in Christine Hemrick's -- a former 
colleague at GTE.

Much of the drive for certification (and indeed degrees) is getting 
into the door for the first job.  While, admittedly, I am having some 
fun with certain people, I'm deadly serious that some of the more 
formal technical skills need to be understood if you stay technical 
but move out of support.

>or discussing
>whether BS is SUPERIOR OR CCIE . Let me tell you both
>the degrees are best in their unique ways . Who the
>hell are we to decide its superiority ? Like I
>mentioned we all are indirectly supporting the one
>whosoever raised this query by getting involved in
>this question-answer forum . I think we should stop
>it.There are lot many imp things on which we need to
>concentrate more.
>Hope so the message is loud and clear to all those
>participant to these group .
>
>Regards
>
>
>Note: forwarded message attached.
>
>
>Date: Thu, 2 Jan 2003 21:16:17 GMT
>From: "l0stbyte"
>Subject: Re: CCIE Vs. BS or MS dergree [7:59481]
>
>Ladrach, Daniel E. wrote:
>
>>  I have an MIS degree from The Ohio State University Max Fisher College of
>>  Business. I see some posts out there saying that a CS degree is no
>>  more than
>>  a vocational degree. Obviously this person has not been to college!
>>  College
>>  is not there to prepare you to step in and do a Sr. Engineer job, it is
>>  there to give you a base understanding of IT. I however, have a business
>>  degree with an IT focus. So, when you have been through the classes I have
>>  you form a level of respect for anyone who has been down the same road.
>>
>>  When the CCIE gets as challenging as the following let me know.
>>
>>  Calculus
>>  Physics
>>  Finance
>>  Accounting
>>  Economics
>>  CS-programming
>>  CS-operating systems
>>  CS-networking
>>
>>
>>
>>  Daniel Ladrach
>>  CCNA, CCNP
>>  WorldCom
>All of the listed should be taught in high school. Unless it's some
>kind of quantum programming (is it still a concept?), CCIE should be by
>far more challenging. My two cents..
>:)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60218&t=60218



RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread John Neiberger
A quick search on www.symantec.com shows that this is a variant of the
W32.Yaha.K@mm worm.  Go to
http:[EMAIL PROTECTED]
to get more details, including removal instructions.

Good luck,
John

>>> "Richard Campbell"  1/2/03 11:10:26 PM >>>
Below is original E-mail, and attachment file is Love.scr

>From: Lovers Screensavers
>To: [EMAIL PROTECTED] 
>Subject: Free Screenavers of Love
>Date: Wed,01 Jan 2003 00:53:38 PM
>Attachment: Love.scr
Hello,
The attached product is send as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free fully functional sample of our
product.If you are satified then you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this software
to your friends using your account ID and for each person who registers
with us through your account, we will pay you $1.5.Once your account reaches
the limit of $50, your payment will be send to your registration address by
check or draft.

Please note that the registration process is completely free which means
by participating in this program you will only gain without loosing 
anything.

Best Regards,
Admin,
&

Besides, the "Hacker" also send her a mail from this e-mail address

>From: [EMAIL PROTECTED] 
>To: [EMAIL PROTECTED] 
>Subject: Visit us
>Date: Tue,31 Dec 2002 23:25:58 PM
#
Below is what happen when she installed the screen saver.. Any suggestion 
for me??

yes...when i download that file fr hotmail...it has been scanned . but no 
virus is detected. then i download and put in my System folder in my Window 
folder. as screen saver will only can run after save into the System folder. 
so after i save it in the folder and install itit has shown in my screen 
saver - Desktop display..but nothing show..means no screen saver. But i have 
found a file (notepad) named "yEaHa" something like this..that the contents 
stated that the main purpose is to spread the yEaHa and they didnt state 
that he/she is hacker. just that at the bottom stated a email add which is 
something like [EMAIL PROTECTED]

then i have found that all my files in "My Documents" have bcame 
transparent. and other files in C drive also bcame transparent. and it has 
ticked "Hidden" in the file property. but i hav unclick it but it still in 
transparent . In my System folder has a lot of Love icons with diff names 
like "girls" , "Love xxx" etc. all in Love icons, after i hav installed the 
file (Love icon) screen saver file which is named "Friends Happy".



>From: "Kazan, Naim" 
>To: "'Richard Campbell'" 
>Subject: RE: Is a Virus or Hacker attack?? [7:60114]
>Date: Thu, 2 Jan 2003 21:43:31 -0500
>
>A friend of mine ran into the same problem downloading some screen saver he
>thought his friend sent him. He ended up having the same problem. I think it
>is a hacker installing some kind of worm using your email to send it out on
>the internet.
>
>-Original Message-
>From: Richard Campbell [mailto:[EMAIL PROTECTED]] 
>Sent: Thursday, January 02, 2003 9:04 PM
>To: [EMAIL PROTECTED] 
>Subject: Re: Is a Virus or Hacker attack?? [7:60114]
>
>
>thanks for your info..  the strange thing is.. I found she actually get the
>attachment from her hotmail not yahoo mail.  I thought hotmail scan all the
>attachment with latest McAfee AntiVirus???  Besides, she actually downloaded
>the Norton AntiVirus definition file last month, but now its norton fail to
>start
>
>
> >From: "John Neiberger"
> >Reply-To: "John Neiberger"
> >To: [EMAIL PROTECTED] 
> >Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> >Date: Thu, 2 Jan 2003 17:51:00 GMT
> >
> >The solution, which both of you really should know, is to have
> >up-to-date antivirus software running on any machine that connects to
> >the internet in any way.  :-)
> >
> >In the meantime, she could browse to www.symantec.com and run the
> >web-based antivirus detection that they have available.  Once you
> >determine which virus she is infected with you can get more details
> >about how to remove it correctly.  Regardless, she should run--not
> >walk--to the nearest computer store and buy Norton AntiVirus or some
> >other AV software, and make sure she keeps her virus definitions
> >up-to-date.
> >Regards,
> >John
> >
> > >>> "Richard Campbell"  1/2/03 10:34:01 AM >>>
> >Hi... Group,
> >
> >I have a friend who received a mail containing screen saver attachment in
> >her yahoo mail account when she is surf net at home.  She downloaded the
> >screen saver and install it.  After installing , she found that her files in
> >the my document become transparent in color and there are many extra files
> >in many places.  Besides, she also found a notepad file in the desktop,
> >stating that she had been hacked, 

RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Priscilla Oppenheimer
Hopefully you trained her not to open attachments in the future unless she
knows the sender and is expecting an attachment from that sender. It's an
obvious point, but nobody had brought it up yet! :-)

Priscilla

Richard Campbell wrote:
> 
> Below is original E-mail, and attachment file is Love.scr
> 
> >From: Lovers Screensavers
> >To: [EMAIL PROTECTED]
> >Subject: Free Screenavers of Love
> >Date: Wed,01 Jan 2003 00:53:38 PM
> >Attachment: Love.scr
> Hello,
> The attached product is send as a part of our official campaign
> for the popularity of our product.
> You have been chosen to try a free fully functional sample of
> our
> product.If you are satified then you can send it to your
> friends.
> All you have to do is to install the software and register an
> account
> with us using the links provided in the software. Then send
> this software
> to your friends using your account ID and for each person who
> registers
> with us through your account, we will pay you $1.5.Once your
> account reaches
> the limit of $50, your payment will be send to your
> registration address by
> check or draft.
> 
> Please note that the registration process is completely free
> which means
> by participating in this program you will only gain without
> loosing
> anything.
> 
> Best Regards,
> Admin,
>
&
> 
> Besides, the "Hacker" also send her a mail from this e-mail
> address
> 
> >From: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED]
> >Subject: Visit us
> >Date: Tue,31 Dec 2002 23:25:58 PM
>
#
> Below is what happen when she installed the screen saver.. Any
> suggestion
> for me??
> 
> yes...when i download that file fr hotmail...it has been
> scanned . but no
> virus is detected. then i download and put in my System folder
> in my Window
> folder. as screen saver will only can run after save into the
> System folder.
> so after i save it in the folder and install itit has shown
> in my screen
> saver - Desktop display..but nothing show..means no screen
> saver. But i have
> found a file (notepad) named "yEaHa" something like this..that
> the contents
> stated that the main purpose is to spread the yEaHa and they
> didnt state
> that he/she is hacker. just that at the bottom stated a email
> add which is
> something like [EMAIL PROTECTED]
> 
> then i have found that all my files in "My Documents" have
> bcame
> transparent. and other files in C drive also bcame transparent.
> and it has
> ticked "Hidden" in the file property. but i hav unclick it but
> it still in
> transparent . In my System folder has a lot of Love icons with
> diff names
> like "girls" , "Love xxx" etc. all in Love icons, after i hav
> installed the
> file (Love
> icon) screen svaer file which is named "Friends Happy".
> 
> 
> 
> >From: "Kazan, Naim" 
> >To: "'Richard Campbell'" 
> >Subject: RE: Is a Virus or Hacker attack?? [7:60114]
> >Date: Thu, 2 Jan 2003 21:43:31 -0500
> >
> >A friend of mine ran into the same problem downloading some
> screen saver he
> >thought his friend sent him. He ended up having the same
> problem. I think
> >it
> >is a hacker installing some kind of worm using your email to
> send it out on
> >the internet.
> >
> >-Original Message-
> >From: Richard Campbell [mailto:[EMAIL PROTECTED]]
> >Sent: Thursday, January 02, 2003 9:04 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> >
> >
> >thanks for your info..  the strange thing is.. I found she
> actually get the
> >attachment from her hotmail not yahoo mail.  I thought hotmail
> scan all the
> >attachment with latest McAfee AntiVirus???  Besides, she
> actually
> >downloaded
> >
> >the Norton AntiVirus defination file last month, but now its
> norton fail to
> >start
> >
> >
> > >From: "John Neiberger"
> > >Reply-To: "John Neiberger"
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> > >Date: Thu, 2 Jan 2003 17:51:00 GMT
> > >
> > >The solution, which both of you really should know, is to
> have
> > >up-to-date antivirus software running on any machine that
> connects to
> > >the internet in any way.  :-)
> > >
> > >In the meantime, she could browse to www.symantec.com and
> run the
> > >web-based antivirus detection that they have available. 
> Once you
> > >determine which virus she is infected with you can get more
> details
> > >about how to remove it correctly.  Regardless, she should
> run--not
> > >walk--to the nearest computer store and buy Norton AntiVirus
> of some
> > >other AV software, and make sure she keeps her virus
> definitions
> > >up-to-date.
> > >
> > >Regards,
> > >John
> > >
> > > >>> "Richard Campbell"  1/2/03 10:34:01 AM >>>
> > >Hi... Group,
> > >
> > >I have a friend who received a mail containing screen saver
> attachment
> > >in
> > >her yahoo mail account when she is surf net at home.  She
> downloaded
> > 
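
An added example, not part of any poster's message: the thread reports that the Love.scr attachment passed the webmail virus scan, so a mail-side check that flags executable attachment types by file name, independent of any antivirus verdict, gives a second line of defense. The extension lists, function names and the sample message below are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed deny-list: extensions Windows will run when the file is opened.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
# Assumed decoy list: harmless-looking extensions used in front of the real one.
DECOY_EXTS = {".txt", ".jpg", ".gif", ".doc", ".pdf", ".mp3"}


def risk_reasons(filename):
    """Return the reasons an attachment name is risky (empty list if none)."""
    # Windows ignores trailing dots and spaces, so "love.scr. " still runs.
    name = filename.strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        inner = os.path.splitext(stem)[1]
        if inner in DECOY_EXTS:
            reasons.append(f"double extension {inner}{ext}")
    return reasons


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and list every risky attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text or multipart container
        reasons = risk_reasons(filename)
        if reasons:
            findings.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "reasons": reasons,
            })
    return findings


def build_sample(filename):
    """Constructed sample message; the attachment body is placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "Lovers Screensavers <promo@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Free Screenavers of Love"
    msg.set_content("You have been chosen to try a free sample.")
    msg.add_attachment(b"placeholder, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("Love.scr", "holiday.jpg.scr", "notes.txt"):
        hits = scan_message(build_sample(name))
        verdict = "; ".join(hits[0]["reasons"]) if hits else "no finding"
        print(f"{name}: {verdict}")
```

A name-based rule like this quarantines or strips the attachment before a user can save and run it, which covers the gap between a new variant appearing and signatures being updated.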

RE: why this caused whole network hang? [7:60090]

2003-01-03 Thread Priscilla Oppenheimer
Portfast doesn't turn off STP and state changes can still happen. It just
puts the port into forwarding mode right away. The port still listens and
reacts to BPDUs.

Don't be tempted to disable STP. It leaves the network too vulnerable to
loops. Even if you have a perfectly-shaped physical tree network already, a
user or newbie technician could install a switch in such a way that your
tree gets tangled. (I don't think you are tempted to turn it off, but I just
thought I would add that recommendation just FYI.)

Portfast is the right config to have on your access ports. I'm not sure you
really want to have it on the switch-to-switch port, though. There are other
features to speed up spanning tree resolution for switch-to-switch ports,
such as Uplink Fast and Backbone Fast. Those may not be supported on the
low-end switches though.

What fixed the problem or did it just stop happening after 10 minutes?

I don't think you'll ever know for sure what happened, unless you could
reproduce the problem, which you wouldn't want to do! :-)

Priscilla

Kenny Smith wrote:
> 
> Thanks Priscilla, I understand what you mean now.  That's why those ports
> which directly connected to PCs need to configured as spanning-tree portfast
> to minimize the STP state change.
> 
> 
> >From: "Priscilla Oppenheimer" 
> >Reply-To: "Priscilla Oppenheimer" 
> >To: [EMAIL PROTECTED]
> >Subject: RE: why this caused whole network hang? [7:60090]
> >Date: Fri, 3 Jan 2003 04:01:41 GMT
> >
> >Kenny Smith wrote:
> > >
> > > Hi.. Priscilla and Dear all,
> > >
> > > Thanks for your explanation and sorry for my ignorance. But I don't
> > > understand one part about "it doesn't hear BPDUs from the other side. This
> > > can result in it setting one of its ports into forwarding mode when it
> > > shouldn't."  But my switch has only one connection to my backbone switch. So
> > > I don't understand how it will create STP loop?
> >
> >Well maybe it wasn't a loop. But a duplex mismatch problem will cause BPDUs
> >to flow inconsistently which could cause STP to reconverge incessantly or
> >other problems. I wasn't there and I don't know your topology, so I can't
> >say for sure what happened.
> >
> >Priscilla
> > >
> > >
> > > >From: "Priscilla Oppenheimer"
> > > >Reply-To: "Priscilla Oppenheimer"
> > > >To: [EMAIL PROTECTED]
> > > >Subject: RE: why this caused whole network hang? [7:60090]
> > > >Date: Thu, 2 Jan 2003 21:44:06 GMT
> > > >
> > > >A duplex mismatch problem somewhere in the network can indeed cause problems
> > > >for STP. It's an example of the infamous unidirectional link problem, which
> > > >is also known as the one-way connectivity failure.
> > > >
> > > >The side that is using full-duplex can send OK because it ignores the fact
> > > >that the other side is sending at the same time. The side that is using
> > > >half-duplex gets excessive collisions and gets so busy handling those that
> > > >it can't send or receive frames reliably. So it doesn't hear BPDUs from the
> > > >other side. This can result in it setting one of its ports into forwarding
> > > >mode when it shouldn't.
> > > >
> > > >Cisco has a feature to avoid unidirectional link problems. Try looking up
> > > >their Unidirectional Link Detection protocol, although the real fix in this
> > > >situation isn't to use the protocol, but, rather to fix the duplex problem,
> > > >as you know.
> > > >
> > > >Priscilla
> > > >
> > > >
> > > >Kenny Smith wrote:
> > > > >
> > > > > Hi.. I have one of my 2900 switch connected to my backbone switch(5500). A
> > > > > few day ago, I found that the switch to switch connection has duplex
> > > > > mismatch error.  The 2900 sw interface was set to 100 full dpx. But the 5505
> > > > > sw interface was set to auto neg, but they fail to negotiate properly.
> > > > > Therefore, I tried to set the 5505 sw interface to 100 full dx.  But
> > > > > immediately after I set, the whole company network hang. All users lost
> > > > > connection for more than 10 minutes.
> > > > >
> > > > > I really can't understand why??  The 2900 sw has only one connection to the
> > > > > 5505 sw and both interface set to portfast (faststart) disable.  I think it
> > > > > is related to spanning-tree but why spanning-tree loop will happen in this
> > > > > case. Can one explain to me.
> > > > >
> > > > > Thanks a lot
> > > > >
> > > > >
> > > > >
> > >

Re: Cisco career advice needed [7:60013]

2003-01-03 Thread Marc Thach Xuan Ky
In the last place I worked, rumour has it that one of my colleagues was
interviewed and thus obtained a UK visa on the basis of his CCIE, and
this later turned out to be written only.  HR departments / technical
management aren't always as rigorous as you may think :-)
If this is true then I think you could definitely say that it can be of
benefit.
rgds
Marc

Frank Jimenez wrote:
> 
> Where I *have* seen it helpful is in specific cases where a company was
> anticipating needing a CCIE-level applicant at a future date.
> 
> So the following:
> 
> CCIE Routing/Switching - Lab Scheduled 6/2003
> 
> Might be helpful.  The CCIE written qualification alone hasn't helped
> anybody that I know of.
> 
> Frank Jimenez, CCIE #5738
> Systems Engineer
> Cisco Systems, Inc.
> [EMAIL PROTECTED]
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> irfan siddiqui
> Sent: Tuesday, December 31, 2002 3:23 AM
> To: [EMAIL PROTECTED]
> Subject: Cisco career advice needed [7:60013]
> 
> Hi,
> Does the CCIE qualification exam itself have any worth. I know that you're not
> a CCIE without giving the actual Lab part of the exam, but how does the CCIE
> written exam scale on its own, career wise. Does it help improve job
> prospects. What are the benefits of this exam on its own, or is it totally
> useless without the LAB part.
> Say if i never appear for the LAB, for any reason, would the written exam be
> any worth of mention, like say on my resume or as a credential. Thanks
> for all your advice in advance. Irfan
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60224&t=60013



Re: Cisco career advice needed [7:60013]

2003-01-03 Thread Brian
lying on a visa app, lovely...

bri


On Fri, 3 Jan 2003, Marc Thach Xuan Ky wrote:

> In the last place I worked, rumour has it that one of my colleagues was
> interviewed and thus obtained a UK visa on the basis of his CCIE, and
> this later turned out to be written only.  HR departments / technical
> management aren't always as rigorous as you may think :-)
> If this is true then I think you could definitely say that it can be of
> benefit.
> rgds
> Marc
>
> Frank Jimenez wrote:
> >
> > Where I *have* seen it helpful is in specific cases where a company was
> > anticipating needing a CCIE-level applicant at a future date.
> >
> > So the following:
> >
> > CCIE Routing/Switching - Lab Scheduled 6/2003
> >
> > Might be helpful.  The CCIE written qualification alone hasn't helped
> > anybody that I know of.
> >
> > Frank Jimenez, CCIE #5738
> > Systems Engineer
> > Cisco Systems, Inc.
> > [EMAIL PROTECTED]
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > irfan siddiqui
> > Sent: Tuesday, December 31, 2002 3:23 AM
> > To: [EMAIL PROTECTED]
> > Subject: Cisco career advice needed [7:60013]
> >
> > Hi,
> > Does the CCIE qualification exam itself have any worth. I know that you're
> > not a CCIE without giving the actual Lab part of the exam, but how does the
> > CCIE written exam scale on its own, career wise. Does it help improve job
> > prospects. What are the benefits of this exam on its own, or is it totally
> > useless without the LAB part.
> > Say if i never appear for the LAB, for any reason, would the written exam be
> > any worth of mention, like say on my resume or as a credential. Thanks
> > for all your advice in advance. Irfan
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60226&t=60013



RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Howard C. Berkowitz
At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
>Hopefully you trained her not to open attachments in the future unless she
>knows the sender and is expecting an attachment from that sender. It's an
>obvious point, but nobody had brought it up yet! :-)
>
>Priscilla

May all such attackers get a personalized virus.  There's a wide 
range of choices of gastrointestinal ones.  Somehow, such people 
remind me of a baby's alimentary tract: a loud voice at one end and 
no sense of responsibility at the other.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60227&t=60114



Re: the best forum for the tech of cisco [7:60193]

2003-01-03 Thread Johnny Routin
Loser...

--
Johnny Routin



"Leo.Shen" wrote in message
news:[EMAIL PROTECTED]...
> www.ciscofan.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60228&t=60193



RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Priscilla Oppenheimer
This discussion could tie into the "New Technologies" thread! Technologies
that do a better job of protecting users from viruses could be big. And an
even harder problem is protecting us from spam. None of the solutions to that
problem work very well yet. The do-gooders that black-list e-mail servers do
more harm than good. The mail applications that try to apply artificial
intelligence to the problem show some promise, but don't work very well yet.
Bill Gates and Steve Jobs are very smart people, but when they champion
software that thinks it's smarter than the user, most users just get
annoyed. ;-)

Priscilla


Howard C. Berkowitz wrote:
> 
> At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> >Hopefully you trained her not to open attachments in the future unless she
> >knows the sender and is expecting an attachment from that sender. It's an
> >obvious point, but nobody had brought it up yet! :-)
> >
> >Priscilla
>
> May all such attackers get a personalized virus.  There's a wide
> range of choices of gastrointestinal ones.  Somehow, such people
> remind me of a baby's alimentary tract: a loud voice at one end and
> no sense of responsibility at the other.
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60229&t=60114



Re: Query on VOIP [7:59933]

2003-01-03 Thread Babak Farrokhi
I suggest trying it without NAT. I have no good experience with voip behind
NAT.

"ss ss" wrote in message
news:[EMAIL PROTECTED]...
> Hello all!!
>
> I am working for a carrier company who uses ip network consisting of Cisco
> Routers to transport voice calls. The company deals mainly with pre-paid
> calling cards. The customer buys the card and dials a toll free no. to make a
> voice call or makes a call thro a dialer program (installed on the pc) which
> sends the calls thro the ip network. When i make a call from a dialer on a pc
> which has a dialup connection, then absolutely there is no problem. But when
> I make a call from a pc which is on the Home LAN then only the destination
> party is able to hear my voice. I am not able to hear their voice. We r not
> using any firewalls as of now in the home but may go for it in the
> future. Nat has been configured on our home router and we hv a DSL connection
> to the ISP. I am not able to figure out the problem. can someone help me in
> identifying the problem
>
> Thanx in advance..
>
> Cheers
> ss




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60232&t=59933



Re: Cisco career advice needed [7:60013]

2003-01-03 Thread The Long and Winding Road
"Brian" wrote in message
news:[EMAIL PROTECTED]...
> lying on a visa app, lovely...


I am shocked and amazed to learn that people lie on their resumes, their job
applications, their credit card applications, and their visa applications.

I am even more shocked and amazed to learn that those who process any of
this stuff never check the accuracy of any of the information provided.

what has become of this world..???



>
> bri
>
>
> On Fri, 3 Jan 2003, Marc Thach Xuan Ky wrote:
>
> > In the last place I worked, rumour has it that one of my colleagues was
> > interviewed and thus obtained a UK visa on the basis of his CCIE, and
> > this later turned out to be written only.  HR departments / technical
> > management aren't always as rigorous as you may think :-)
> > If this is true then I think you could definitely say that it can be of
> > benefit.
> > rgds
> > Marc
> >
> > Frank Jimenez wrote:
> > >
> > > Where I *have* seen it helpful is in specific cases where a company was
> > > anticipating needing a CCIE-level applicant at a future date.
> > >
> > > So the following:
> > >
> > > CCIE Routing/Switching - Lab Scheduled 6/2003
> > >
> > > Might be helpful.  The CCIE written qualification alone hasn't helped
> > > anybody that I know of.
> > >
> > > Frank Jimenez, CCIE #5738
> > > Systems Engineer
> > > Cisco Systems, Inc.
> > > [EMAIL PROTECTED]
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > irfan siddiqui
> > > Sent: Tuesday, December 31, 2002 3:23 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Cisco career advice needed [7:60013]
> > >
> > > Hi,
> > > Does the CCIE qualification exam itself have any worth. I know that you're
> > > not a CCIE without giving the actual Lab part of the exam, but how does the
> > > CCIE written exam scale on its own, career wise. Does it help improve job
> > > prospects. What are the benefits of this exam on its own, or is it totally
> > > useless without the LAB part.
> > > Say if i never appear for the LAB, for any reason, would the written exam be
> > > any worth of mention, like say on my resume or as a credential. Thanks
> > > for all your advice in advance. Irfan
> > >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60234&t=60013



Re: Catalyst 6xxx switches and 2 firewall in cluster mode with [7:60235]

2003-01-03 Thread l0stbyte
Hitesh Pathak R wrote:

> Dear Group,
>
> Need your help in setting up the following :-
>
> SETUP :- There are 2 core switches SW1 & Sw2 (connected back to back with both
> the SUP GE ports Fiber uplink (Channeled and trunk). On one of the switch (SW1)
> I have 2 firewalls connected in cluster mode. For this clustered firewall I
> have bind the multicast mac address on the switch SW1 as the recommended
> method by the firewall vendor by the command (set cam permanent ).
>
> Now the problem faced here is since they have only bind the mac address to 2
> ports on SW1 (switch one ONLY) there seems to be some multicast packets
> flooding on my second core switch SW2 for that multicast address.
>
> The customer wants to stop this broadcast from happening on 2nd switch SW2 and
> hence wants to bind the same multicast mac address on the 2nd Switch with the
> trunk ports going to SW1 from SW2.
>
> Has anybody faced similar situation ?? Is this configuration supported. Can I
> bind the cam entry to my trunk port on the SW2 as well with the same multicast
> mac address??
>
> Many thanks in advance.
>
> Thanks
> Hitesh
is it a checkpoint FWs cluster?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60235&t=60235



Re: OSS/NM (was CCIE Vs. BS or MS degree [7:60220]

2003-01-03 Thread bergenpeak
Hi Howard,

I'm not suggesting that one should write a book on network management.
Instead, it seems that most network routing books don't spend any time
reviewing some of the key MIB objects relevant to the routing protocol
that should be considered when configuring the relevant NM tools.

It does seem naive thinking that one could "design it right in the first
place" and then not have to worry about network operations as if it's
not needed.  Maybe this is possible, if the gear being deployed never
has a hardware failure, the OS never fails, your fiber never gets dug up,
and device misconfigurations never happen.  If you are seeing gear which
never fails, a carrier which never loses fiber, and operations folks who
never make mistakes, let me know what vendors I should be switching to or
entity I should be hiring from...  :-)

In a post yesterday, you mentioned CALEA and E911. Good, let's think
about primary line VOIP and OSPF as your IGP.  Let's assume that customer
downtime for VOIP is a bad thing and something the operator is trying to
avoid. Thus, it's crucial for the NM folks to be able to detect problems
before pagers start buzzing and before the call center gets whacked.

Given this, how can NM tools determine that all links which should have
OSPF adjacencies active in fact do?  I've seen situations where this
sort of problem doesn't get realized until there's a failure in one part
of the network.  The backup path with the adjacency problem, but which
wasn't needed used during normal operation, then causes an outage.  There
are OIDs in the OSPF MIB or syslog messages which one can use to help
determine when an adjacency is improperly down, but this information is
not covered in the standard network book.  Sure, knowing "debug ip ospf
XYZ" commands is a start, and useful for newbies, but there's more to
support than running debug commands, and there's always the risk that
you've just blown up the router you turned debug on

And as you mention, there are things that would be useful to know
through the MIB, but which aren't currently supported.  Doesn't mean
they're not worth talking about.  One item that I ran into was related to
the use of "auto-cost reference bandwidth" to change the metric used to
cost out links. It's important that all devices use the same reference
bandwidth in order for costs to be properly computed.  How does one
verify all devices, across vendors, are using the same reference
bandwidth?  Turns out that this one is not possible via the OSPF MIB as
it stands today as the reference bandwidth is not an object in the MIB,
but is just a *comment* in the MIB definition.

Much like NRF mentioned which led me to spin this new thread-- as NM
tools get more sophisticated, there will be less need for the CCNX
support engineer who carries a pager to figure out problems in the middle
of the night.  Instead more and more of the operational support work will
be done up front as part of the design engineering and this will include
the OIDs and thresholds the NM folks and tools should be monitoring.






"Howard C. Berkowitz" wrote:
> 
> At 4:31 PM ?? 1/3/03, bergenpeak wrote:
> >NRF makes a very good point below about OSS systems.   Pulling this
> >off from the original thread to take the discussion in a different
> >direction.
> >
> >As we probably all would agree, the largest cost in running a
> >network is not the engineering cost or the capital costs, but
> >rather the cost of operating the network (NOC, call center,
> >tier 1-(N-1) support, etc.)
> >
> >In the world I live in, the engineering group, when introducing
> >new gear, design, service, or architecture, is responsible to also
> >provide the OIDs to monitor, how often to poll, what each OID means,
> >what are key thresholds, and what it means (or one should do) when
> >an OID value passes one of these thresholds.   The NM folks then update
> >their tools (OSSs) and processes based on this information.
> 
> This brings up interesting issues of basic software architecture.
>  From all I know, IOS is not built on an OID structure. Nortel, in
> many of its products -- certainly the derivatives of Bay RS -- used
> the OID structure as its fundamental internal data structuring.  Not
> all products -- Passport isn't just spaghetti code--it needs angel
> hair pasta to get even more twisty.
> 
> >
> >The engineering involved in this portion of the design can either make
> >or break the cost effectiveness of a design.
> 
> Another aspect is that there is constant confusion among station,
> layer, and system management.  People with a proper understanding of
> layer management rarely struggle with where ARP fits.  Frankly, this
> is extremely valuable to understanding the context even for basic
> certifications.
> 
> >
> >So two points:
> >
> >1) It would seem that any CCIE-type training/testing should include NM
> >information into the material to be learned.  From what I can tell, it
> >does
> >not.  I'm not suggesting t
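
One way to run the two checks bergenpeak's post asks for, as an added example that is not part of the original messages or of any vendor's tool: compare polled ospfNbrState values (OSPF-MIB, RFC 1850) against the adjacencies the design says must exist, and compare the configured reference bandwidth across routers from their configs, since the MIB does not expose it. Router names, addresses, poll output and config text are constructed; the poll text is assumed to be numeric net-snmp snmpwalk output, and 100 Mbit/s is assumed as the value in effect when the IOS command is absent.

```python
import re
from collections import Counter

# ospfNbrState column of ospfNbrTable, indexed by neighbor IP + addressless index.
OSPF_NBR_STATE_OID = "1.3.6.1.2.1.14.10.1.6"
NBR_STATES = {1: "down", 2: "attempt", 3: "init", 4: "twoWay",
              5: "exchangeStart", 6: "exchange", 7: "loading", 8: "full"}
IOS_DEFAULT_REF_BW = 100  # Mbit/s, assumed when no auto-cost line is present

# Accepts both "INTEGER: 8" and "INTEGER: full(8)" renderings.
_WALK_LINE = re.compile(
    r"^\.?" + re.escape(OSPF_NBR_STATE_OID) +
    r"\.(\d+\.\d+\.\d+\.\d+)\.(\d+)\s*=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?\s*$")
_REF_BW = re.compile(r"^\s*auto-cost\s+reference-bandwidth\s+(\d+)\s*$", re.M)


def parse_nbr_states(walk_text):
    """Return {neighbor_ip: state_name} from one router's walk output."""
    states = {}
    for line in walk_text.splitlines():
        m = _WALK_LINE.match(line.strip())
        if m:
            states[m.group(1)] = NBR_STATES.get(int(m.group(3)), "unknown")
    return states


def audit_adjacencies(polled, expected):
    """polled: {router: walk_text}; expected: {(router, nbr_ip): state}.

    Returns sorted (router, nbr_ip, required, observed) tuples for every
    adjacency that is missing or not in its designed state. The required
    state is per adjacency because two non-DR routers on a broadcast
    segment legitimately stay in twoWay.
    """
    tables = {r: parse_nbr_states(t) for r, t in polled.items()}
    findings = []
    for (router, nbr), required in expected.items():
        if router not in tables:
            observed = "unpolled"
        else:
            observed = tables[router].get(nbr, "absent")
        if observed != required:
            findings.append((router, nbr, required, observed))
    return sorted(findings)


def audit_reference_bandwidth(configs):
    """configs: {router: config text}. Returns (majority, {router: value})
    where the dict lists routers whose value differs from the majority."""
    values = {}
    for router, text in configs.items():
        m = _REF_BW.search(text)
        values[router] = int(m.group(1)) if m else IOS_DEFAULT_REF_BW
    majority = Counter(values.values()).most_common(1)[0][0]
    return majority, {r: v for r, v in values.items() if v != majority}


# Constructed sample data: the core2-edge3 link is the unused backup path.
P = "." + OSPF_NBR_STATE_OID
SAMPLE_WALKS = {
    "core1": f"{P}.10.0.12.2.0 = INTEGER: 8\n"
             f"{P}.10.0.13.3.0 = INTEGER: 8\n"
             f"{P}.10.0.50.5.0 = INTEGER: 4\n",
    "core2": f"{P}.10.0.12.1.0 = INTEGER: 8\n"
             f"{P}.10.0.23.3.0 = INTEGER: exchangeStart(5)\n",
    "edge3": f"{P}.10.0.13.1.0 = INTEGER: 8\n",
}
EXPECTED_ADJACENCIES = {
    ("core1", "10.0.12.2"): "full",
    ("core1", "10.0.13.3"): "full",
    ("core1", "10.0.50.5"): "twoWay",   # DROTHER peer on a shared LAN
    ("core2", "10.0.12.1"): "full",
    ("core2", "10.0.23.3"): "full",
    ("edge3", "10.0.13.1"): "full",
    ("edge3", "10.0.23.2"): "full",
}
SAMPLE_CONFIGS = {
    "core1": "router ospf 1\n auto-cost reference-bandwidth 10000\n",
    "core2": "router ospf 1\n auto-cost reference-bandwidth 10000\n",
    "edge3": "router ospf 1\n network 10.0.0.0 0.255.255.255 area 0\n",
}

if __name__ == "__main__":
    for finding in audit_adjacencies(SAMPLE_WALKS, EXPECTED_ADJACENCIES):
        print("adjacency %s -> %s: want %s, saw %s" % finding)
    majority, outliers = audit_reference_bandwidth(SAMPLE_CONFIGS)
    print("reference bandwidth majority:", majority, "outliers:", outliers)
```

Run on every poll cycle, the adjacency audit flags the backup link while the primary path is still carrying traffic, which is the case the post says normally goes unnoticed until a failure.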

RE: O/T more campus design issues [7:60136]

2003-01-03 Thread Symon Thurlow
All you need to do is configure the clients in the DC-less subnet to use
a WINS server (anywhere, not necessarily in the same subnet) that has
the required domain records.

WINS servers hold more than just netbios-ip address tables, there are
lots of different WINS record types.

Here is a good link detailing what different types

http://www.lansys.buffalo.edu/wins99/wins.html

Cheers,

Symon

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: 02 January 2003 22:16
To: [EMAIL PROTECTED]
Subject: O/T more campus design issues [7:60136]


You all remember my very simple campus network re-design that I've been
helping out with? It sure has been keeping me humble. ;-)

So we upgraded the single subnet to two subnets and two VLANs.

Everything is working OK except for Windows networking. The PCs on the
new subnet can't find a domain controller for authentication.

So, you can feel free to yell at me for not gathering more information
on the symptoms, but the client hasn't told me much. ;-) But does this
ring a bell with anyone? Are there standard recommendations on how to
handle this in a subnetted VLANed internetwork.

I'm not too well informed on Windows networking. My co-author wrote that
chapter in my troubleshooting book.

Thank-you so much!

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60237&t=60136



RE: getpass!.exe [7:25270]

2003-01-03 Thread Symon Thurlow
This always works for me:

http://www.kazmier.com/computer/cisco-noswing.html

Symon

-Original Message-
From: l0stbyte [mailto:[EMAIL PROTECTED]] 
Sent: 02 January 2003 21:05
To: [EMAIL PROTECTED]
Subject: Re: getpass!.exe [7:25270]


cswan wrote:

> Hi guys..
>
> Where can I get a copy of  getpass!.exe . I need it to decrypt the 
> enable secret password.
>
> Thanks
good luck
:)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60238&t=25270



Re: MPLS VPN [7:60205]

2003-01-03 Thread [EMAIL PROTECTED]
And as a P router, can it?   I do not have an OSM.





"John Murphy" @groupstudy.com on 03/01/2003
11:24:41

Please respond to "John Murphy"

Sent by:  [EMAIL PROTECTED]


To:  [EMAIL PROTECTED]
cc:

Subject: Re: MPLS VPN [7:60205]


Currently the 6500/7600 can only function as a PE with an OSM.   Assuming
you have one, you would configure the ethernet port your 2500 is connecting
to into a unique vlan, then configure one of the Gig-E ports on the OSM as
your 'upstream' using dot1q encapsulation, and terminate your VRF there.
I've included an example below, HTH.

Best Regards,

John


interface GE-WAN4/1.10
 description 2500-MPLS-VPN-A
 encapsulation dot1Q 10
 ip vrf forwarding vpnA
 ip address 10.1.2.3 255.255.255.252
 mpls label protocol both
end







- Original Message -
From:
To:
Sent: Friday, January 03, 2003 7:12 AM
Subject: MPLS VPN [7:60205]


> I know how to set MPLS VPN in a network with 7507 as the Core routers.
>
> But what is necessary to integrate a 6500 switch with FlexWan module and
> PA-HSSI/PA-ATM cards in the Core and keep the MPLS VPN service in the
> location served by the switch?
>
> The network is like that:
>
> 2500-vpn-A--7500=7500-vpn-A---2500
>||||
>||||
> 2500vpn-A---6509===




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60239&t=60205



Re: WHY CCIE Vs. BS or MS degree discussion is bro [7:60231]

2003-01-03 Thread nrf
"Howard C. Berkowitz" wrote in message
news:[EMAIL PROTECTED]...
> At 3:53 PM + 1/3/03, Mr piyush shah wrote:
> >
> >
> >Dear all
> >I think it is now a real high time someone should take
> >initiative in stopping the subject of CCIE vs BS or MS
> >degree. Why are we here for ? to discuss and share
> >problems faced on networking front

And is the difficult decision about whether to get a networking
certification in the first place not a problem worthy of discussion? I would
venture to say that it perhaps is the most important problem of all.

>
> All joking aside, I think this is the key point, and something that a
> lot of people miss.  I do know, partially from private email, that
> there are a substantial number of people that lose track of the
> relevance of academic (not necessarily ATTENDING college or getting
> degrees) material and focus completely on certification.

There it is.  You hit it right on the head.

I think a lot of people are emotionally invested in the cert process and
have lost the forest for the trees.  One especially ugly manifestation of
this is the phenomenon that people who are certified automatically think they
know everything about everything and therefore don't need to continue
learning.

>
> A couple of personal observations: I have no interest in getting into
> top corporate management, but I have and will be in senior technology
> management.  nrf, it seems, distinguishes simply between management
> and non-management. In Cisco's case, I'd have no interest in John
> Chambers' job, but I might in Christine Hemrick's -- a former
> colleague at GTE.

 There is no hard and fast rule.  Just like anything in life, it's not all
black-and-white.  I concede that even some people can enter top management
with no degree.  But what I'm saying is that  the higher you go, the harder
slogging it gets.   You need to do more and more things to compensate for
that lack of a degree the higher up you go.  This is why the higher up you
look in any company, the higher the percentage of grads.   By the way, Ms.
Hemrick is a grad.

 And again,  I would reiterate that perhaps the most important facet of a
degree is that it gives you flexibility to change your career.  Do you wanna
stay technical forever, or might you feel like doing something else sometime
in your life?  There's a reason why the Wall Street banks, for example,
recruit at college campuses , but not at the local high school.  Bankers, by
the way, are another group of people who make more money in a week than we
make in a year.

>
> Much of the drive for certification (and indeed degrees) is getting
> into the door for the first job.  While, admittedly, I am having some
> fun with certain people, I'm deadly serious that some of the more
> formal technical skills need to be understood if you stay technical
> but move out of support.
>
> >or discussing
> >whether BS is SUPERIOR or CCIE. Let me tell you both
> >the degrees are best in their unique ways. Who the
> >hell are we to decide its superiority? Like I
> >mentioned, we all are indirectly supporting the one
> >whosoever raised this query by getting involved in
> >this question-answer forum. I think we should stop
> >it. There are lot many imp things on which we need to
> >concentrate more.

And what important things would that be?  Certain guys who come here who are
clearly posting questions that they saw from their CCIE written/lab that
they didn't know and want somebody to give them the answer instead of
researching it themselves?  Others who are simply too lazy to RTFM and want
somebody to do their job for them?

> >Hope so the message is loud and clear to all those
> >participant to these group .
> >
> >Regards
> >
> >
> >Note: forwarded message attached.
> >
> >

Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread The Long and Winding Road
"Priscilla Oppenheimer" wrote in message
news:[EMAIL PROTECTED]...
> This discussion could tie into the "New Technologies" thread! Technologies
> that do a better job of protecting users from viruses could be big. And an
> even harder problem is protecting us from spam. None of the solutions to that
> problem work very well yet. The do-gooders that black-list e-mail servers do
> more harm than good. The mail applications that try to apply artificial
> intelligence to the problem show some promise, but don't work very well yet.


the fundamental problem is determining what is spam and what is not. today's
approach is one of examining content, matching keywords against "spam"
words. for example "mortgage" or "enlarge" or the many variants that would
lead one to p..o..r..n sites.

as an aside, when warned that Groupstudy was the source of so much spam, I
set up a special e-mail address that is advertised only to Groupstudy. I
have yet ( knock on wood ) to receive a single spam message on that account.
On the other hand, my primary account is now getting tons of spam, and I am
now convinced this is the direct result of my using that e-mail address as
the contact point for my web domain. forget hotmail. the folks there have
demonstrated no interest at all in solving the spam problem. yahoo mail does
a far better job of spam filtering. I have also noticed that every ISP I have
ever contacted about spam claims that the headers are forged, and that the
spam did not originate from their servers. I still say the "solution" is to
charge 10 cents for every e-mail sent out over a certain threshold - say
2000 per month. ISP people I have talked to about this say this would be
impossible to track and enforce. so in the end, it is left to the recipient
to do all the work.


> Bill Gates and Steve Jobs are very smart people, but when they champion
> software that thinks it's smarter than the user, most users just get
> annoyed. ;-)


I disagree with your implication here. The whole point of the PC revolution
was to make computing easy for the end user. I think Apple and eventually
Microsoft have done wonderful things in that respect. however, as with
anything else, the law of unintended consequences comes into play. they made
it easy for businesses to develop templates to make employees more
effective in their work. the unintended consequence is they made it easy for
malicious people to use those tools to create macro viruses. they made it
easy for you and I to send documents or pictures to our friends and
relatives, and for those people to open the docs and see the content. the
unintended consequence is that they made it easy for malicious people to
spread their wickedness.

to bring this back into the Cisco realm, Cisco NBAR ( network based
application recognition ) I believe was intended to provide another
dimension to the QoS classification process. now it can also be used as a
filter against certain virus / macro virus attacks.


>
> Priscilla
>
>
> Howard C. Berkowitz wrote:
> >
> > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > >Hopefully you trained her not to open attachments in the future unless she
> > >knows the sender and is expecting an attachment from that sender. It's an
> > >obvious point, but nobody had brought it up yet! :-)
> > >
> > >Priscilla
> >
> > May all such attackers get a personalized virus.  There's a wide
> > range of choices of gastrointestinal ones.  Somehow, such people
> > remind me of a baby's alimentary tract: a loud voice at one end and
> > no sense of responsibility at the other.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60233&t=60114



Re: Possible CDP bug? Check it out! [7:59929]

2003-01-03 Thread The Long and Winding Road
"steve" wrote in message
news:[EMAIL PROTECTED]...
> hey..
>
>
> AT Last i think i can try and properly help someone yippe..
>
> on your switches type this message
>
> no cdp advertise V2
>
> i have had this all over my network ..and you are correct it is a bug in CDP


yep - changing to ver 1 eliminates the problem. interesting.

the other part of this is the duplex issue on the 2611.  CDP ver 2 claims
the port is half duplex. the router and the switch claim it is full duplex.
I know that originally the 2610/11 were 10 meg half, and that IOS
12.something allowed one to bring this up to full. I suspect there is still
an IOS bug someplace that is involved. I do not recall this issue when I was
writing my VPN tunnel lab for Cert Zone. At the time I was using my
employer's engineering lab, and IIRC the routers in question were 2621 -
different hardware beast.

live and learn.



> ..
>
> according to cisco ,this isn`t a fix just a work around
>
> H(and i mean HOPE)TH
>
> steve skinner
> (CCxx MCxx HPxx SCxx CSxx.you know i wish i had some proper certs and
> not just the xx ones)
> - Original Message -
> From: "The Long and Winding Road"
> To:
> Sent: Sunday, December 29, 2002 9:06 AM
> Subject: Possible CDP bug? Check it out! [7:59929]
>
>
> > I've run into this situation while doing some practicing with the 3550s and
> > some routers
> >
> > 2611--3550---35503640
> >
> > all ethernet ports are set at full duplex 10 megabit speed.
> >
> > the 2611 and the 3640 are connected via a vlan tunnel.
> >
> > everything is working fine, until I turn on l2protocol-tunnel cdp on both
> > switches, at which point I get the following error:
> >
> > 3640
> > FrameSwitch#
> > 1w0d: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/1 (not half duplex), with Router_14_2611 Ethernet0/1 (half duplex).
> >
> > 2611
> > 1w0d: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/1 (not full duplex), with FrameSwitch Ethernet0/1 (full duplex).
> >
> > as near as I can tell, there are no errors on any of the interfaces. no
> > collisions, etc. not that I'm sending a lot of traffic during these studies,
> > but extended pings don't come up with anything either.
> >
> > relevant configurations for all interfaces. as you can see, everything
> > agrees all along the line. everyone is set for speed 10 and duplex full. if
> > I turn off l2protocol-tunnel cdp on the interfaces, the error messages
> > disappear. I suspect a bug in CDP, but I'm wondering if I have missed
> > anything.
> >
> > 2611
> > ---
> > interface Ethernet0/1
> >  no ip address
> >  full-duplex
> > !
> > interface Ethernet0/1.1
> >  encapsulation dot1Q 121
> >  ip address 122.1.1.1 255.255.255.0
> > !
> > interface Ethernet0/1.2
> >  encapsulation dot1Q 122
> >  ip address 122.1.2.1 255.255.255.0
> > !
> > interface Ethernet0/1.3
> >  encapsulation dot1Q 123
> >  ip address 122.1.3.1 255.255.255.0
> > !
> > interface Ethernet0/1.4
> >  encapsulation dot1Q 124
> >  ip address 122.1.4.1 255.255.255.0
> > !
> >
> > Switch_24#sri f0/1
> > Building configuration...
> >
> > Current configuration : 200 bytes
> > !
> > interface FastEthernet0/1
> >  switchport access vlan 100
> >  switchport mode dot1q-tunnel
> >  no ip address
> >  duplex full
> >  speed 10
> >  l2protocol-tunnel cdp
> >  no cdp enable
> >  spanning-tree bpdufilter enable
> > end
> >
> > interface FastEthernet0/26
> >  switchport access vlan 100
> >  switchport mode dot1q-tunnel
> >  no ip address
> >  duplex full
> >  speed 10
> >  l2protocol-tunnel cdp
> >  no cdp enable
> >  spanning-tree bpdufilter enable
> > end
> >
> > 3640
> > ---
> > interface Ethernet0/1
> >  no ip address
> >  no ip redirects
> >  full-duplex
> >  priority-group 1
> > !
> > interface Ethernet0/1.1
> >  encapsulation dot1Q 121
> >  ip address 122.1.1.2 255.255.255.0
> > !
> > interface Ethernet0/1.2
> >  encapsulation dot1Q 122
> >  ip address 122.1.2.2 255.255.255.0
> > !
> > interface Ethernet0/1.3
> >  encapsulation dot1Q 123
> >  ip address 122.1.3.2 255.255.255.0
> > !
> > interface Ethernet0/1.4
> >  encapsulation dot1Q 124
> >  ip address 122.1.4.2 255.255.255.0
> > !
> >
> > Chuck
> > --
> > TANSTAAFL
> > "there ain't no such thing as a free lunch"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60230&t=59929
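
An added example, not part of the posts above: it parses the two %CDP-4-DUPLEX_MISMATCH lines from the thread (rejoined onto single lines) and compares the duplex each port is reported with against the duplex in the posted configurations, which points at the 2611 as the port whose CDP view disagrees with its configuration. The function names and the `CONFIGURED` table are assumptions made for the example.

```python
import re

# Format of the IOS message quoted in the thread, once the wrapped lines are rejoined.
MISMATCH_RE = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (?P<local_if>\S+) "
    r"\(not (?P<not_duplex>half|full) duplex\), "
    r"with (?P<nbr>\S+) (?P<nbr_if>\S+) \((?P<nbr_duplex>half|full) duplex\)"
)

# The two log lines from the thread, keyed by the device that logged them.
SAMPLE_LOGS = [
    ("FrameSwitch",
     "1w0d: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/1 "
     "(not half duplex), with Router_14_2611 Ethernet0/1 (half duplex)."),
    ("Router_14_2611",
     "1w0d: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on Ethernet0/1 "
     "(not full duplex), with FrameSwitch Ethernet0/1 (full duplex)."),
]

# Duplex as configured in the posted interface configurations (both "full-duplex").
CONFIGURED = {
    ("FrameSwitch", "Ethernet0/1"): "full",
    ("Router_14_2611", "Ethernet0/1"): "full",
}


def parse_mismatch(reporter, line):
    """Turn one mismatch message into a dict, or None if the line is something else."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    # "(not half duplex)" is how IOS says the local port is full, and vice versa.
    local = "full" if m.group("not_duplex") == "half" else "half"
    return {
        "reporter": reporter,
        "local_if": m.group("local_if"),
        "local_duplex": local,
        "neighbor": m.group("nbr"),
        "neighbor_if": m.group("nbr_if"),
        "neighbor_advertised": m.group("nbr_duplex"),
    }


def suspect_ports(logs, configured):
    """Return {port: [(reported_duplex, source), ...]} for ports whose
    CDP-reported duplex contradicts the configured duplex."""
    suspects = {}
    for reporter, line in logs:
        ev = parse_mismatch(reporter, line)
        if ev is None:
            continue
        claims = [
            ((ev["reporter"], ev["local_if"]), ev["local_duplex"], "own CDP process"),
            ((ev["neighbor"], ev["neighbor_if"]), ev["neighbor_advertised"],
             "advertisement seen by " + reporter),
        ]
        for port, duplex, source in claims:
            want = configured.get(port)
            if want is not None and want != duplex:
                suspects.setdefault(port, []).append((duplex, source))
    return suspects


if __name__ == "__main__":
    for port, claims in suspect_ports(SAMPLE_LOGS, CONFIGURED).items():
        print(port, "configured", CONFIGURED[port], "but CDP says", claims)
```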



DTE/DCE [7:60240]

2003-01-03 Thread Duncan
Hi

I am busy studying for the CCNP Remote Access exam and am really stuck
on the modem signalling bits. I think that the key to my problem is that I
don't understand the definitions of a DCE & DTE properly and how they relate
to the EIA/TIA-232 cabling pinouts. (which for some unknown reason you must
learn) I  hate learning anything parrot fashion, I would rather understand
it. I have looked through the archives and there are some pretty useful
pointers but I am still not all the way there.

Does any one have a comprehensive description that they can point me to,
preferably with examples of set-ups and how it all relates to the OSI model.

Thanks
Duncan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60240&t=60240



revisited: OSPF stub/stub no-summary O*IA routing table entry [7:60242]

2003-01-03 Thread The Long and Winding Road
hope you don't mind me bringing this back public. I saw no other responses
and I was curious so I've done some further research based on your
configuration. The major difference in my setup and yours is frame relay. I
am using two point-to-point serial links. too complicated for me to tear
down my current setup to emulate your frame.

methodology:

1) set everything up as best I can based on your configurations. At this
point, just plain old ordinary OSPF areas.

C    222.222.222.8 is directly connected, Loopback1001
     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O E2    172.16.10.0/24 [110/20] via 192.168.1.18, 00:04:47, Serial0
                       [110/20] via 192.168.1.34, 00:04:47, Serial1
O E2    172.16.11.0/24 [110/20] via 192.168.1.18, 00:04:47, Serial0
                       [110/20] via 192.168.1.34, 00:04:47, Serial1
     10.0.0.0/16 is subnetted, 1 subnets
O IA    10.1.0.0 [110/74] via 192.168.1.34, 00:04:48, Serial1
                 [110/74] via 192.168.1.18, 00:04:48, Serial0
     192.168.1.0/28 is subnetted, 4 subnets
C       192.168.1.64 is directly connected, Loopback2
C       192.168.1.32 is directly connected, Serial1
C       192.168.1.48 is directly connected, Loopback1
C       192.168.1.16 is directly connected, Serial0
Router_8#

as you can see, all routes are shown as reachable via both of the serial
ports.

2) turn area 1 into a stub area:

     10.0.0.0/16 is subnetted, 1 subnets
O IA    10.1.0.0 [110/74] via 192.168.1.34, 00:01:50, Serial1
                 [110/74] via 192.168.1.18, 00:01:50, Serial0
     192.168.1.0/28 is subnetted, 4 subnets
C       192.168.1.64 is directly connected, Loopback2
C       192.168.1.32 is directly connected, Serial1
C       192.168.1.48 is directly connected, Loopback1
C       192.168.1.16 is directly connected, Serial0
O*IA 0.0.0.0/0 [110/65] via 192.168.1.34, 00:01:51, Serial1
               [110/65] via 192.168.1.18, 00:01:51, Serial0
Router_8#

exactly as expected. the two external routes in the 172 range are not passed
into the stub area.

3) turn area 1 into a totally stubby area ( love that term! I can still hear
my ACRC instructor intoning it just like a Valley Girl )

show ip ospf

Area 1
Number of interfaces in this area is 2
It is a stub area, no summary LSA in this area
  generates stub default route with cost 1

     192.168.1.0/28 is subnetted, 4 subnets
C       192.168.1.64 is directly connected, Loopback2
C       192.168.1.32 is directly connected, Serial1
C       192.168.1.48 is directly connected, Loopback1
C       192.168.1.16 is directly connected, Serial0
O*IA 0.0.0.0/0 [110/65] via 192.168.1.34, 00:01:01, Serial1
               [110/65] via 192.168.1.18, 00:01:01, Serial0
Router_8#

again - everything is as expected

4) change from totally stubby to NSSA ( kinda sorta stubby :-> )

router ospf 200
 log-adjacency-changes
 area 1 nssa
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
!

     10.0.0.0/16 is subnetted, 1 subnets
O IA    10.1.0.0 [110/74] via 192.168.1.34, 00:00:25, Serial1
                 [110/74] via 192.168.1.18, 00:00:25, Serial0
     192.168.1.0/28 is subnetted, 4 subnets
C       192.168.1.64 is directly connected, Loopback2
C       192.168.1.32 is directly connected, Serial1
C       192.168.1.48 is directly connected, Loopback1
C       192.168.1.16 is directly connected, Serial0
Router_8#

again - completely as expected. the inter-area route in the 10. network is
seen, but the two external routes in the 172 network are not seen.

5) tweak the NSSA

router ospf 200
 log-adjacency-changes
 area 1 nssa default-information-originate
 network 10.0.0.0 0.255.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
!

     10.0.0.0/16 is subnetted, 1 subnets
O IA    10.1.0.0 [110/74] via 192.168.1.34, 00:00:01, Serial1
                 [110/74] via 192.168.1.18, 00:00:01, Serial0
     192.168.1.0/28 is subnetted, 4 subnets
C       192.168.1.64 is directly connected, Loopback2
C       192.168.1.32 is directly connected, Serial1
C       192.168.1.48 is directly connected, Loopback1
C       192.168.1.16 is directly connected, Serial0
O*N2 0.0.0.0/0 [110/1] via 192.168.1.34, 00:00:02, Serial1
               [110/1] via 192.168.1.18, 00:00:02, Serial0
Router_8#


as you can see, step by step, I get the expected result every time.

variables - things that differ in my setup -

1) point-to-point serial links instead of frame relay

2) secondary address in the ethernet port of the area 1 router - R8 in my
case, R3 in your case. I use loopbacks instead.

So - I am unable to duplicate your problem in my setup. you don't indicate
the configurations of the interfaces, but I am now thinking something in
your frame relay setup. I did not see anything resembling this problem in
the TAC bug database. Not that I read all of them :->

I don't have a solution, but I certainly admire the problem.

Chuck




- Original Message -
From: "Wei Zhu" 
To: "The Long and W
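
An added example, not part of the post above: the five steps as a small model of which LSAs the ABR lets into area 1 for each area setting, and the route codes the area 1 router then shows. The prefixes are the ones in the posted tables; the function names and the treatment of externals as type 2 (as the posted output shows) are assumptions of the example.

```python
from collections import namedtuple

# lsa_type: 3 = summary (inter-area), 5 = AS-external, 7 = NSSA external
Lsa = namedtuple("Lsa", "lsa_type prefix default", defaults=(False,))

# What the backbone knows in the posted lab: one inter-area prefix, two externals.
BACKBONE_LSAS = [
    Lsa(3, "10.1.0.0/16"),
    Lsa(5, "172.16.10.0/24"),
    Lsa(5, "172.16.11.0/24"),
]

# Route codes as printed by "show ip route" in the post.
CODES = {3: "O IA", 5: "O E2", 7: "O N2"}


def lsas_in_area(backbone_lsas, area_cfg=""):
    """Return the LSAs present in the non-backbone area.

    area_cfg is whatever follows "area 1" on the ABR, for example
    "stub", "stub no-summary", "nssa" or "nssa default-information-originate";
    an empty string means an ordinary area.
    """
    words = area_cfg.split()
    kind = words[0] if words else "normal"
    if kind not in ("normal", "stub", "nssa"):
        raise ValueError("unknown area type: " + kind)
    opts = set(words[1:])

    admitted = []
    for lsa in backbone_lsas:
        if lsa.lsa_type == 5 and kind != "normal":
            continue                      # type 5 never enters a stub or NSSA area
        if lsa.lsa_type == 3 and "no-summary" in opts:
            continue                      # totally stubby: summaries are blocked too
        admitted.append(lsa)

    if kind == "stub":
        # The ABR replaces what it filtered with a type 3 default (O*IA).
        admitted.append(Lsa(3, "0.0.0.0/0", default=True))
    elif kind == "nssa" and "default-information-originate" in opts:
        # A plain NSSA gets no default; this option adds a type 7 one (O*N2).
        admitted.append(Lsa(7, "0.0.0.0/0", default=True))
    return admitted


def route_codes(lsas):
    """Map LSAs to sorted (code, prefix) pairs as the area router would list them."""
    rows = []
    for lsa in lsas:
        code = CODES[lsa.lsa_type]
        if lsa.default:
            code = "O*" + code[2:]        # candidate default: "O IA" becomes "O*IA"
        rows.append((code, lsa.prefix))
    return sorted(rows)


if __name__ == "__main__":
    for cfg in ("", "stub", "stub no-summary", "nssa",
                "nssa default-information-originate"):
        print("area 1 " + (cfg or "(ordinary)"))
        for code, prefix in route_codes(lsas_in_area(BACKBONE_LSAS, cfg)):
            print("   ", code, prefix)
```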

Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Priscilla Oppenheimer
The Long and Winding Road wrote:
> 
> ""Priscilla Oppenheimer""  wrote in
>> 
> 
> > Bill Gates and Steve Jobs are very smart people, but when
> they champion
> > software that thinks it's smarter than the user, most users
> just get
> > annoyed. ;-)
> 
> 
> I disagree with your implication here. 

You didn't understand my implication.

> The whole point of the
> PC revolution
> was to make computing easy for the end user. I think apple and
> eventually
> microsoft have done wonderful things in that respect. 

I'm not talking about computers being easy to use; I'm talking about
artificial intelligence and expert systems. I'm talking about spam filters
that learn what you consider spam, for example. Both Mac OS and Microsoft
have a lot of this type of software built into their operating systems and
applications. In some cases it works well. For example, I think the
Microsoft Word spell checker is a beautiful piece of software unparalleled
by any other spell checker I've used. What makes it superior is that it
learns about the current user. But I think Internet Explorer deciding that
it should hijack your ability to play video or music is awful. It decides to
do things on its own, sometimes without user input. That's not a great
example, but if I gave it more thought I could come up with lots of cases
where Microsoft (and Apple) software does things behind your back, in some
cases because expert-system-type software is making decisions without your
input.

Sorry that this is way O/T and even off-topic from what we were discussing
and not really related to the off-topic point you are trying to make about
unintended consequences. :-)

Priscilla


> however,
> as with
> anything else, the law of unintended consequences comes into
> play. they made
> it easy for businesses to develop templates to make employees
> more
> effective in their work. the unintended consequence is they
> made it easy for
> malicious people to use those tools to create macro viruses.
> they made it
> easy for you and I to send documents or pictures to our
> friends and
> relatives, and for those people to open the docs and see the
> content. the
> unintended consequence is that they made it easy for malicious
> people to
> spread their wickedness.
> 
> to bring this back into the Cisco realm, Cisco NBAR ( network
> based
> application recognition ) I believe was intended to provide
> another
> dimension to the QoS classification process. now it can also be
> used as a
> filter against certain virus / macro virus attacks.
> 
> 
> >
> > Priscilla
> >
> >
> > Howard C. Berkowitz wrote:
> > >
> > > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > > >Hopefully you trained her not to open attachments in the
> > > future unless she
> > > >knows the sender and is expecting an attachment from that
> > > sender. It's an
> > > >obvious point, but nobody had brought it up yet! :-)
> > > >
> > > >Priscilla
> > >
> > > May all such attackers get a personalized virus.  There's a
> > > wide
> > > range of choices of gastrointestinal ones.  Somehow, such
> > > people
> > > remind me of a baby's alimentary tract: a loud voice at one
> end
> > > and
> > > no sense of responsibility at the other.
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60243&t=60114



Re: WHY CCIE Vs. BS or MS [7:60244]

2003-01-03 Thread Howard C. Berkowitz
At 9:10 PM + 1/3/03, nrf wrote:
>
>
>There it is.  You hit it right on the head.
>
>I think a lot of people are emotionally invested in the cert process and
>have lost the forest for the trees.  One especially ugly manifestation of
>this is the phenomena that people who are certified automatically think they
>know everything about everything and therefore don't need to continue
>learning.

And part of that is that if they do feel they need to learn more, 
it's along the same lines of product-specific material.

>
>>
>>  A couple of personal observations: I have no interest in getting into
>>  top corporate management, but I have and will be in senior technology
>>  management.  nrf, it seems, distinguishes simply between management
>>  and non-management. In Cisco's case, I'd have no interest in John
>>  Chambers' job, but I might in Christine Hemrick's -- a former
>>  colleague at GTE.
>
>  There is no hard and fast rule.  Just like anything in life, it's not all
>black-and-white.  I concede that even some people can enter top management
>with no degree.  But what I'm saying is that  the higher you go, the harder
>slogging it gets.   You need to do more and more things to compensate for
>that lack of a degree that higher up you go.  This is why the higher up you
>look in any company, the higher the percentage of grads.   By the way, Ms.
>Hemrick is a grad.

Yep. But, having spent time in the same lab in early to mid-career, 
it wasn't the only determinant.  Doug Humphries was also in the 
group, and, IIRC, was a dropout -- at least, he had sufficient 
battles with the University of Maryland administration that it would 
surprise me that he finished.  Doug went on to found and sell Digex, 
and is now both doing advanced content distribution and venture 
capital.

>
>  And again,  I would reiterate that perhaps the most important facet of a
>degree is that it gives you flexibility to change your career.  Do you wanna
>stay technical forever, or might you feel like doing something else sometime
>in your life?  There's a reason why the Wall Street banks, for example,
>recruit at college campuses , but not at the local high school.  Bankers, by
>the way, are another group of people who make more money in a week than we
>make in a year.

You seem to be making an assumption that career changes are 
necessarily to make more money.  Personally, if I were going to 
change careers, it would variously be in some aspect of medicine, 
fine art photography, politicomilitary strategy or professional 
cooking. (I do have one friend that has worked for both CIA's, the 
Culinary Institute of America and the Central Intelligence Agency. 
Do NOT make her angry when she has a knife.)

As it is, I do some things in all of these.  Obviously, I might write 
full time -- I'm working on some projects not in the networking area. 
Now, I'm too old to go through a full MD program, but I can (and do) 
participate in medical research as long as there's some MD around to 
sign the right legal forms.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60244&t=60244



RE: DTE/DCE [7:60240]

2003-01-03 Thread s vermill
Duncan wrote:
> 
> Hi
> 
> I am busy studying for the CCNP Remote Access exam and am
> really stuck
> on the modem signalling bits. I think that the key to my
> problem is that I
> don't understand the definitions of a DCE & DTE properly and
> how they relate
> to the EIA/TIA-232 cabling pinouts. (which for some unknown
> reason you must
> learn) I  hate learning anything parrot fashion, I would rather
> understand
> it. I have looked through the archives and there are some
> pretty useful
> pointers but I am still not all the way there.
> 
> Does any one have a comprehensive description that they can
> point me to,
> preferably with examples of set-ups and how it all relates to
> the OSI model.
> 
> Thanks
> Duncan
> 
> 

I'm not sure exactly what you mean by "modem signalling bits."  Since you
mentioned the pinout, I'm thinking maybe you're asking about DTR/DSR, etc? 
I think the TIA-EIA-232 spec does a pretty good job of going over all that
but it'll cost you some $$ to get your hands on a legal copy.

There are actually a few generally accepted breakdowns of the acronyms DTE
and DCE.  These days I mostly see Data Communications Equipment and Data
Terminal Equipment.  The 232 spec actually goes with Data
Circuit-terminating Equipment for DCE.  A DCE is generally a "modem-like"
piece of equipment whereas a DTE is pretty much a "terminal" or "user"
device that can't interface directly to a circuit.  The signals such as
DTR/DSR are actually pretty straight-forward, but I seem to recall that most
CP books on the subject manage to mangle it pretty badly.  As an example,
working strictly from memory, I recall that one or more CP book stated that
asserting DSR means a modem is ready to send data to the DTE.  I've never
seen that in any implementation.  The most common sequence that I see is this:

Carrier Detect (pin 8) is asserted by the DCE when it is synchronized to the
circuit or distant end (this behavior is often strappable in that the DCE
can be made to assert CD immediately upon powerup and self-check).

Data Terminal Ready (pin 20) is set by the DTE upon power up and
self-check.

Data Set Ready (pin 6) is set by the DCE either upon power up or in response
to DTR having been asserted by the DTE (this behavior is often strappable one
way or the other)

RTS (pin 4) is asserted by the DTE when it has data to send (this behavior
is often strappable in that the DTE can be made to always assert RTS).  One
other use is where half-duplex circuits are present, asserting RTS can
signal the DCE to switch to tx mode and de-asserting RTS can signal the DCE
to switch to rx mode

CTS (pin 5) is asserted by the DCE when it has allocated the resource in
response to having received RTS from the DTE (this behavior is often
strappable in that the DCE can be made to respond to RTS immediately or over
some delay after detecting RTS regardless of what is going on with the circuit)

Sometimes the sequence of all this matters, other times it doesn't.  I work
with some equipment that absolutely requires that the DTE first assert DTR
before RTS.  If both happen at about the same time, the RTS is ignored by
the DCE and a CTS is never given.  Also, there are, of course, variations
and additional uses.  For example, some modems (DCE) refuse to answer an
incoming call if a connected DTE hasn't asserted DTR.

Sorry if I missed the point.  You might have been asking about scripts or
something?

Scott  


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60246&t=60240
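
An added example, not part of the post above: a toy model of the DCE side of the handshake it describes, including the case where the DCE insists on DTR before RTS and never grants CTS otherwise, and the modem that will not answer a call without DTR. The class, method and strap names are hypothetical; the pin numbers are the ones given in the post.

```python
# Pin numbers as given in the post above.
PINS = {"RTS": 4, "CTS": 5, "DSR": 6, "CD": 8, "DTR": 20}


class Dce:
    """Modem-side view of the control leads; each constructor flag is one strap."""

    def __init__(self, dsr_follows_dtr=True, cd_at_powerup=False,
                 dtr_before_rts=False, answer_needs_dtr=True):
        self.dsr_follows_dtr = dsr_follows_dtr
        self.dtr_before_rts = dtr_before_rts
        self.answer_needs_dtr = answer_needs_dtr
        self.lines = dict.fromkeys(PINS, False)
        self.lines["CD"] = cd_at_powerup          # strap: CD forced on after self-check
        self.lines["DSR"] = not dsr_follows_dtr   # strap: DSR raised at power-up
        self.trace = []

    def carrier_acquired(self):
        """The DCE has synchronized to the circuit or the distant end."""
        self.lines["CD"] = True
        self.trace.append("CD asserted")

    def dte_drives(self, signal, level):
        """The DTE raises (True) or drops (False) one of the leads it owns."""
        if signal not in ("DTR", "RTS"):
            raise ValueError("in this model the DTE drives only DTR and RTS")
        self.lines[signal] = level
        self.trace.append("%s %s" % (signal, "asserted" if level else "dropped"))
        if signal == "DTR":
            if self.dsr_follows_dtr:
                self.lines["DSR"] = level
        elif level and self.dtr_before_rts and not self.lines["DTR"]:
            # The failure described in the post: RTS arrived before DTR, the DCE
            # ignores it, and raising DTR afterwards does not bring CTS back.
            self.trace.append("RTS ignored: DTR was not asserted first")
        else:
            self.lines["CTS"] = level

    def incoming_call(self):
        """Return True if the modem answers the call."""
        return (not self.answer_needs_dtr) or self.lines["DTR"]


def handshake(dce, order):
    """Raise the given DTE leads in order; return whether CTS was granted."""
    for signal in order:
        dce.dte_drives(signal, True)
    return dce.lines["CTS"]


if __name__ == "__main__":
    for order in (["DTR", "RTS"], ["RTS", "DTR"]):
        dce = Dce(dtr_before_rts=True)
        print(order, "-> CTS", handshake(dce, order), dce.trace)
```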



Re: WHY CCIE Vs. BS or MS degree discussion is bro [7:60231]

2003-01-03 Thread The Long and Winding Road
""nrf""  wrote in message
news:[EMAIL PROTECTED]...

> > At 3:53 PM + 1/3/03, Mr piyush shah wrote:
> > >
>snip some things>

> > >this question-answer forum . I thing we should stop
> > >it.There are lot many imp things on which we need to
> > >condcentrate more.
>
> And what important things would that be?  Certain guys who come here who are
> clearly posting questions that they saw from their CCIE written/lab that
> they didn't know and want somebody to give them the answer instead of
> researching it themselves?  Others who are simply too lazy to RTFM and want
> somebody to do their job for them?


uh oh, now you stepped in it! :->

>snip the rest>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60247&t=60231



Re: Catalyst 6xxx switches and 2 firewall in clust [7:60235]

2003-01-03 Thread Priscilla Oppenheimer
Can you help us understand the situation better? Thanks.
See some questions inline.

l0stbyte wrote:
> 
> Hitesh Pathak R wrote:
> 
> > Dear Group,
> >
> > Need your help in setting up the following :-
> >
> > SETUP :- There are 2 core switches SW1 & Sw2 (connected back
> to back with
> > both
> > the SUP GE ports Fiber uplink (Channeld and trunk). On one of
> the switch
> > (SW1)
> > I have 2 firewalls connected in cluster mode. For this
> clustered
> > firewall  I
> > have bind the multicast mac address on the switch SW1 as the
> recommended
> > method by the firewall vendor by the command (set cam
> permanent ).

On SW1, you have a permanent cam entry for the multicast address used by the
firewall cluster? Why? How is that permanent entry used and why is it
necessary? Sorry if this is a stupid question, but I think it will help us
understand what you are trying to accomplish.

> >
> > Now the problem faced here is since they have only bind the
> mac
> > address to 2
> > ports on SW1 (switch one ONLY) there seems to be some
> multicast packets
> > flooding on my  second core switch SW2 for that multicast
> address.

Switches flood multicasts by default. So it makes sense that the multicast
is flowing over to SW2 also.

> >
> > The customer wants to stop this broadcast from hapening on
> 2nd switch
> > SW2 and
> > hence wants to bind the same multicast mac address on the 2nd
> Switch
> > with the
> > trunk ports going to SW1 from SW2.

The multicast will come across the trunk, so you should be able to put a
permanent cam entry mapping the multicast address to the trunk port. But
what problem will that solve? Are you trying to stop the multicast from
flowing out the other ports on SW2? How does a permanent cam entry help with
that?

Maybe you should look into CGMP or IGMP snooping. They can stop multicasts
on switches, if the applications send IGMP joins.

Anyone else have any suggestions or understand his situation?

Priscilla

> >
> > Has anybody faced similar situation ?? Is this configuration 
> > supported. Can I
> > bind the cam entry to my trunk port on the SW2 as well with
> the same
> > multicast
> > mac address??
> >
> > Many thanks in advance.
> >
> > Thanks
> > Hitesh
> is it a checkpoint FWs cluster?
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60248&t=60235



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread The Long and Winding Road
maybe we can get nfr to weigh in here, and this thread can perpetuate itself
at least as long as the Cert versus Degree thread :->


""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]...
> The Long and Winding Road wrote:
> >
> > ""Priscilla Oppenheimer""  wrote in
> >>
> >
> > > Bill Gates and Steve Jobs are very smart people, but when
> > they champion
> > > software that thinks it's smarter than the user, most users
> > just get
> > > annoyed. ;-)
> >
> >
> > I disagree with your implication here.
>
> You didn't understand my implication.
>
> > The whole point of the
> > PC revolution
> > was to make computing easy for the end user. I think apple and
> > eventually
> > microsoft have done wonderful things in that respect.
>
> I'm not talking about computers being easy to use; I'm talking about
> artificial intelligence and expert systems. I'm talking about spam filters
> that learn what you consider spam, for example. Both Mac OS and Microsoft
> have a lot of this type of software built into their operating systems and
> applications. In some cases it works well. For example, I think the
> Microsoft Word spell checker is a beautiful piece of software unparalleled
> by any other spell checker I've used. What makes it superior is that it
> learns about the current user. But I think Internet Explorer deciding that
> it should hijack your ability to play video or music is awful. It decides to
> do things on its own, sometimes without user input. That's not a great
> example, but if I gave it more thought I could come up with lots of cases
> where Microsoft (and Apple) software does things behind your back, in some
> cases because expert-system-type software is making decisions without your
> input.
>
> Sorry that this is way O/T and even off-topic from what we were discussing
> and not really related to the off-topic point you are trying to make about
> unintended consequences. :-)
>
> Priscilla
>
>
> > however,
> > as with
> > anything else, the law of unintended consequences comes into
> > play. they made
> > it easy for businesses to develop templates to make employees
> > more
> > effective in their work. the unintended consequence is they
> > made it easy for
> > malicious people to use those tools to create macro viruses.
> > they made it
> > easy for you and I to send documents or pictures to our
> > friends and
> > relatives, and for those people to open the docs and see the
> > content. the
> > unintended consequence is that they made it easy for malicious
> > people to
> > spread their wickedness.
> >
> > to bring this back into the Cisco realm, Cisco NBAR ( network
> > based
> > application recognition ) I believe was intended to provide
> > another
> > dimension to the QoS classification process. now it can also be
> > used as a
> > filter against certain virus / macro virus attacks.
> >
> >
> > >
> > > Priscilla
> > >
> > >
> > > Howard C. Berkowitz wrote:
> > > >
> > > > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > > > >Hopefully you trained her not to open attachments in the
> > > > future unless she
> > > > >knows the sender and is expecting an attachment from that
> > > > sender. It's an
> > > > >obvious point, but nobody had brought it up yet! :-)
> > > > >
> > > > >Priscilla
> > > >
> > > > May all such attackers get a personalized virus.  There's a
> > > > wide
> > > > range of choices of gastrointestinal ones.  Somehow, such
> > > > people
> > > > remind me of a baby's alimentary tract: a loud voice at one
> > end
> > > > and
> > > > no sense of responsibility at the other.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60249&t=60114



RE: DTE/DCE [7:60240]

2003-01-03 Thread s vermill
Duncan wrote:
> 
> Hi
> 
> I am busy studying for the CCNP Remote Access exam and am
> really stuck
> on the modem signalling bits. I think that the key to my
> problem is that I
> don't understand the definitions of a DCE & DTE properly and
> how they relate
> to the EIA/TIA-232 cabling pinouts. (which for some unknown
> reason you must
> learn) I  hate learning anything parrot fashion, I would rather
> understand
> it. I have looked through the archives and there are some
> pretty useful
> pointers but I am still not all the way there.
> 
> Does any one have a comprehensive description that they can
> point me to,
> preferably with examples of set-ups and how it all relates to
> the OSI model.
> 
> Thanks
> Duncan
> 
> 

I forgot to address your question about how it all relates to the OSI model. 
I've always thought of specs such as 232, 422, etc. as being entirely
physical-layer specs (max p-t-p voltage, impedance, connector body, etc). 
However, given the interaction that takes place over the signals that we
just discussed, I suppose an argument could be made that there is some layer
2 taking place.  To a limited extent, I guess you could say that there is
some arbitration for the circuit taking place.  I wonder if any of the
group's big brains will weigh in on that...






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60251&t=60240



Re: OSS/NM (was CCIE Vs. BS or MS degree [7:60220]

2003-01-03 Thread Howard C. Berkowitz
At 8:33 PM + 1/3/03, bergenpeak wrote:
>Hi Howard,
>
>I'm not suggesting that one should write a book on network management.
>Instead, it seems that most network routing books don't spend anytime
>reviewing some of the key MIB objects relevant to the routing protocol
>that should be considered when configuring the relevant NM tools.

For proprietary reasons, I can't get into all the work I've done in 
this area. Suffice it to say that this sort of real-time verification 
needs its own processors, typically workstation based, much as an IDS 
needs to be on a special processor.  Typically, this would be 
economic only in a carrier environment. There are other strategies 
for making extensive use of multiprocessing in routers that by and 
large have not been widely discussed, although you can see some shape 
of things in the IRTF and the IETF FORCES working group, as well as 
some things from the pure researchers.

>
>It does seem naive thinking that one could "design it right in the first
>place" and then not have to worry about network operations as if it's
>not needed.

Perhaps I overstated. I'm not suggesting that one can design 
error-free operational networks.  I am suggesting that better, more 
abstract, design and provisioning tools can make operations much more 
reliable.  Some of this is trivial, such as using macros and 
databases to generate configs and then load them.  For some examples, 
see my presentation at NANOG, 
http://www.nanog.org/mtg-9811/ppt/berk/index.htm.  I have a slightly 
updated version given at the ARIN October 1999 meeting, but I have to 
get the new URL.

>Maybe this is possible, if the gear being deployed never
>has a
>hardware failure, the OS never fails, your fiber never gets dug up, and
>device misconfigurations never happen.

You can get into such things as redundant processors with majority 
voter logic, topology checkers for dealing with Byzantine corruption, 
etc.  Again, not economically feasible for low-end enterprise gear.

>If you are seeing gear which
>never fails, a carrier which never loses fiber, and operations folks who
>never
>make mistakes, let me know what vendors I should be switching to or
>entity I should be hiring from...  :-)

There's much wisdom both in military and traditional telco networks 
designed to degrade rather than hard-fail.  Some interesting papers 
on survivability are at the Carnegie Mellon Software Engineering 
Institute, reachable off the www.cert.org webpage.

>
>In a post yesterday, you mentioned CALEA and E911. Good, let's think
>about primary line VOIP and OSPF as your IGP. Let's assume that
>customer
>downtime for VOIP is a bad thing and something the operator is trying to
>avoid. Thus, it's crucial for the NM folks to be able to detect problems
>before
>pagers start buzzing and before the call center gets whacked
>
>Given this, how can  NM tools determine that all links which should have
>OSPF adjacencies active in fact do?   I've seen situations where this
>sort of
>problem doesn't get realized until there's a failure in one part of the
>network.

One trick I've used, which is really not much more than a hack, is 
periodically dumping the LSDB and doing diffs against consecutive 
shots, with some extra code that rules out false alarms due to known 
changes, can be simpler than it looks -- but I've rarely seen anyone 
do it.  Even keeping a weekly hard copy of the LSDB at the NOC can be 
enormously helpful.

>  The backup path with the adjacency problem, but which wasn't
>needed used during normal operation, then causes an outage.   There are
>OIDs in the OSPF MIB or syslog messages which one can use to help
>determine
>when an adjacency is improperly down, but this information is not
>covered in
>the standard network book.

A lot of mechanisms for this are evolving in the (G)MPLS failover 
work.  See, for example:

http://www.ietf.org/internet-drafts/draft-ietf-mpls-recovery-frmwrk-08.txt 
http://www.ietf.org/internet-drafts/draft-ietf-mpls-bundle-04.txt
http://www.ietf.org/internet-drafts/draft-ietf-mpls-rsvp-lsp-fastreroute-01.txt
http://www.ietf.org/internet-drafts/draft-ietf-mpls-lsp-ping-01.txt


>Sure, knowing "debug ip ospf XYZ" commands
>is a
>start, and useful for newbies, but there's more to support than running
>debug
>commands, and there's always the risk that you've just blown up the
>router you
>turned debug on
>
>And as you mention, there are things that would be useful to know
>through the MIB, but which aren't currently supported.  Doesn't mean
>they're not
>worth talking about.  One item that I ran into was related to the use of
>"auto-cost reference bandwidth" to change the metric used to cost out
>links. It's important that all devices use the same reference bandwidth
>in
>order for costs to be properly computed.  How does one verify all
>devices,
>across vendors, are using the same reference bandwidth?  Turns out that
>this
>one is not possible via the OSPF MIB as it stands today as the refer
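
The snapshot-diff approach Howard describes in the message above (dump the LSDB periodically, diff consecutive shots, rule out known changes), as an added Python sketch that is not code from the original post. The two snapshots are constructed and only modeled on a router's LSDB summary table; the `known_changes` parameter and all function names are assumptions.

```python
import re
from typing import NamedTuple

class LsaKey(NamedTuple):
    area: str
    lsa_type: str
    link_id: str
    adv_router: str

# Section banner, e.g. "Router Link States (Area 0)".
SECTION_RE = re.compile(r"^\s*(?P<type>\S.*?) Link States \(Area (?P<area>[^)]+)\)\s*$")
# One LSA row: Link ID, ADV Router, Age, Seq#, Checksum, optional Link count.
ROW_RE = re.compile(
    r"^(?P<link_id>\d+(?:\.\d+){3})\s+(?P<adv>\d+(?:\.\d+){3})\s+\d+\s+"
    r"0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+(?:\s+(?P<links>\d+))?\s*$"
)

def parse_lsdb(text):
    """Return {LsaKey: link_count or None}.

    Age, Seq# and Checksum are dropped on purpose: all three change on
    every periodic LSA refresh, so comparing them would raise a false
    alarm for every healthy LSA.
    """
    db = {}
    lsa_type = area = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            lsa_type, area = m["type"], m["area"]
            continue
        m = ROW_RE.match(line)
        if m and lsa_type is not None:
            links = int(m["links"]) if m["links"] else None
            db[LsaKey(area, lsa_type, m["link_id"], m["adv"])] = links
    return db

def diff_lsdb(old, new, known_changes=frozenset()):
    """Compare two parsed snapshots.

    known_changes is a set of advertising-router IDs with planned work
    (assumed to come from a change calendar); their LSAs are skipped.
    Returns a sorted list of (kind, key, old_links, new_links).
    """
    findings = []
    for key in sorted(old.keys() | new.keys()):
        if key.adv_router in known_changes:
            continue
        if key not in new:
            findings.append(("removed", key, old[key], None))
        elif key not in old:
            findings.append(("added", key, None, new[key]))
        elif old[key] != new[key]:
            # A router LSA with fewer links usually means a lost adjacency.
            findings.append(("link-count", key, old[key], new[key]))
    return findings

# Constructed sample snapshots (not captured from a real network).
SNAPSHOT_MON = """\
            OSPF Router with ID (10.0.0.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.0.1        10.0.0.1        312         0x80000021 0x00a1b2 5
10.0.0.2        10.0.0.2        845         0x8000001f 0x003c4d 5
10.0.0.3        10.0.0.3        1201        0x80000010 0x00e5f6 4

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.0.2.2       10.0.0.2        845         0x80000004 0x0077aa
"""

# Next day: 10.0.0.4 was installed behind 10.0.0.1 (planned), every LSA
# was refreshed, and the 10.0.0.2 <-> 10.0.0.3 backup link lost its adjacency.
SNAPSHOT_TUE = """\
            OSPF Router with ID (10.0.0.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.0.0.1        10.0.0.1        97          0x80000052 0x00b7c1 7
10.0.0.2        10.0.0.2        401         0x80000050 0x0019de 4
10.0.0.3        10.0.0.3        688         0x80000041 0x00c203 3
10.0.0.4        10.0.0.4        120         0x80000002 0x004411 2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
192.0.2.2       10.0.0.2        401         0x80000035 0x0015c8
"""

if __name__ == "__main__":
    planned = {"10.0.0.1", "10.0.0.4"}
    old, new = parse_lsdb(SNAPSHOT_MON), parse_lsdb(SNAPSHOT_TUE)
    for kind, key, before, after in diff_lsdb(old, new, planned):
        print(f"{kind}: {key.lsa_type} LSA {key.link_id} "
              f"(area {key.area}) links {before} -> {after}")
```

With the planned work filtered out, only the two routers on the backup link are reported, which is the idle-path adjacency failure the thread is worried about.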

PIX 520 and PIX-4FE [7:60250]

2003-01-03 Thread Symon Thurlow
Hi,

Trying to find out if the PIX-4FE will work in a 520. Cisco's site no
longer has any 520 info because it is EOL.

Anyone help?

Cheers,

Symon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60250&t=60250



Re: Routable IP network in 2 locations [7:60185]

2003-01-03 Thread Priscilla Oppenheimer
Chuck makes some really good points. I would add that it probably makes more
sense to route, rather than bridge. That way you can avoid broadcasts
flowing between the two networks and more easily put in some access lists
based on IP subnet numbers. I agree with Chuck that you're going to want to
be careful here. It doesn't sound like you would want these two entities to
see each other's resources, (printers and file servers and the like).

As far as the addressing, you just need to twiddle the bits and you'll get
it. :-) The message from Murat laid it for you. Good luck with it.

Priscilla


The Long and Winding Road wrote:
> 
> "[EMAIL PROTECTED]" wrote in message
> news:[EMAIL PROTECTED]...
> 
> > I have never bridged connections across a Wan before. is that
> simple to
> do?
> 
> 
> yes, bridging across a WAN link is pretty basic.
> 
> but I believe you need to back up a second and make a couple of
> other
> decisions first.
> 
> you say the net result will be two buildings, each with a
> handful of
> customers, sharing a common internet connection. I am assuming
> that the only
> reason for linking the two buildings is to share internet.
> There are no
> other services that all parties will be using. Is that correct?
> 
> so my specific questions to you:
> 
> 1) do you want everyone involved to use a public ip address on
> their
> equipment? you sure about this?
> 
> 2) how are people numbered now? does your building, your
> customers, all use
> addresses in the same subnet? same question for the other
> building. the
> question in my own mind is the wisdom of having several
> unrelated units on a
> common subnet, potentially with full visibility to each other.
> 
> if internet connectivity is the only consideration, I don't
> believe internal
> numbering is an issue. bridge or route internally, and use NAT
> on the router
> with the internet access. place a couple of access lists on the
> appropriate
> interfaces to protect the two separate networks.
> 
> I would be more concerned about visibility between and among
> all of the
> entities involved here. "customers" means what? unrelated
> people renting
> offices in each building? in which case I would want to take
> steps to assure
> that I have taken reasonable precautions to keep visibility
> limited. vlans
> on the 29xx's or some other means such as access lists.
> 
> this is probably more than you asked for. I just think you need
> to start at
> the top and work your way down. Just my opinion.
> 
> HTH
> 
> Chuck
> 
> 
> 
> >
> > Robert
> > "The Long and Winding Road" wrote in
> > message news:[EMAIL PROTECTED]...
> > > wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Hello,
> > > >
> > > > I am having trouble with what appears to be a simple
> problem. I have a
> > > small
> > > > office and I
> > > > have a friend who owns a building not to far away. I am
> going to order
> a
> > T1
> > > > to the internet from my location and
> > > > a PPP T1 to his location. He has 6 customers in his
> location and I
> have
> > 5
> > > in
> > > > mine. I want to give internet access to
> > > >  everybody and give them a routable IP address. My ISP
> gave me 32
> > > addresses
> > > > so i am not going to run out.
> > > > BUT I can figure out how to make it work.
> > > >
> > > > the setup is
> > > >
> > > > Internet---T1---2611 ---T1---2611
> > > >                  |            |
> > > >                  |            |
> > > >                 2912         2912
> > > >
> > >
> > >
> > > two thoughts come to mind.
> > >
> > > 1) bridge between the two locations, putting everyone on
> the same
> subnet.
> > >
> > > 2) use private IP addressing on the inside - each location
> retains its
> > > > original scheme, then do static nat to the internet.
> access-lists on the
> > > > appropriate interfaces to keep the two networks alien to
> each other.
> > >
> > >
> > >
> > >
> > > > thanks for your help
> > > >
> > > > Robert
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60253&t=60185



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread Thomas Larus
While Mr. Ladrach is almost certainly correct in his statement that the CCIE
is less challenging than physics and calculus, he might be able to speak
more authoritatively once he has passed the Lab Exam.

As for being easier than accounting and economics classes, if you are
reasonably intelligent and do all the homework, you will almost certainly
pass most accounting and economics classes.  You can be reasonably
intelligent, do all the right things in preparation for the CCIE lab, and
fail and fail and fail again.

While I would certainly say that the CCIE material is less difficult to
learn than some  other subjects I have studied, I can honestly say that I
have never studied so hard for one test in my life, or gotten myself into a
state where I had such an "edge"-- a certain sharpness and facility with a
given subject matter that I fear I may never experience again (unless I go
for a second CCIE).  It is not rocket science, but you have to execute VERY
well.

As for nrf, - his contributions to groupstudy have been almost entirely
negative. While it is helpful to have some discussion of things like the job
market and the question of whether it is better to invest time and effort in
a degree versus certification is useful, constantly chiming in with negative
thoughts and assessments is not very helpful.  This is something of a
support group, and in these difficult times, those of us who have already
set out to achieve certification goals need encouragement and technical
advice.

I do not know if nrf is one of these people (he could just be negative for
no particular reason), there are some people who come to these discussion
groups to discourage others from pursuing dreams the achievement of which
might bring about a greater number of certified IT professionals and perhaps
exert downward pressure on salaries.

For the record, I studied and practiced hard, and passed the CCIE lab with
precious little "industry experience."  I found a great job in a great
company within two months of passing the CCIE Lab, and I had a few other
interested folks contact me for interviews.

I certainly cannot make any promises about the future, but my point is that
if you can get all the way to passing the CCIE lab, you will probably not
regret it.  This journey is worthwhile, and don't let a bunch of naysayers
get you down.

That said, if you are very young and considering certification as an
alternative to a college degree, understand that the college degree (even a
BA) and what you should learn in the process of gaining it, can be very
helpful.

Tom Larus, CCIE #10,014

"Howard C. Berkowitz" wrote in message
news:[EMAIL PROTECTED]...
> At 9:16 PM + 1/2/03, l0stbyte wrote:
> >Ladrach, Daniel E. wrote:
> >
> >>  I have an MIS degree from The Ohio State University Max Fisher College
of
> >>  Business. I see some posts out there saying that a CS degree is no
> >>  more than
> >>  a vocational degree. Obviously this person has not been to college!
> >>  College
> >>  is not there to prepare you to step in and do a Sr. Engineer job, it
is
> >>  there to give you a base understanding of IT. I however, have a
business
> >>  degree with an IT focus. So, when you have been through the classes I
> have
> >>  you form a level of respect for anyone who has been down the same
road.
> >>
> >>  When the CCIE gets as challenging as the following let me know.
> >>
> >>  Calculus
> >>  Physics
> >>  Finance
> >>  Accounting
> >>  Economics
> >>  CS-programming
> >>  CS-operating systems
> >>  CS-networking
> >>
> >>
> >>
> >>  Daniel Ladrach
> >>  CCNA, CCNP
> >>  WorldCom
> >All of the listed should be taught in high school. Unless it's some
> >kind of quantum programming (is it still a concept?), CCIE should be by
> >far more challenging. My two cents..
> >:)
>
> I hope the smiley means you aren't serious.  Let me pose some CS
> questions, which I swear are off the top of my head.  In all
> fairness, I'm not sure if some of these will be advanced
> undergraduate or graduate level, but we have been talking about CCIE
> vs. PhD... I have tried to select questions that bear on real
> networks.
>
> CS-programming.
> Compare and contrast NP-hard, NP-complete, and NP-incomplete
algorithms
> Review the optimal search and update algorithms for trees and tries.
> Identify four major searching and sorting algorithms and describe
their
>   advantages and disadvantages
> Extract a square root using Newton-Raphson iteration, or select a
> different
>   method and explain why it is superior.
> Describe a strategy for change control in a programming team.  The
> software
>   library will include documentation, source, linkable elements, and
>   executables.
> What record locking mechanisms are needed to ensure integrity of a
>   hierarchical linked list?
> What are the types of commitment protocols and the basic ACID
properties
>   of transactions?
> How can a buffer overflo

RE: getpass!.exe [7:25270]

2003-01-03 Thread Mossburg, Geoff (MAN-Corporate)
Can you say "google"?
http://www.boson.com/promo/utilities/getpass/getpass_utility.htm


-Original Message-
From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 3:38 PM
To: [EMAIL PROTECTED]
Subject: RE: getpass!.exe [7:25270]


This always works for me:

http://www.kazmier.com/computer/cisco-noswing.html

Symon

-Original Message-
From: l0stbyte [mailto:[EMAIL PROTECTED]] 
Sent: 02 January 2003 21:05
To: [EMAIL PROTECTED]
Subject: Re: getpass!.exe [7:25270]


cswan wrote:

> Hi guys..
>
> Where can I get a copy of  getpass!.exe . I need it to decrypt the 
> enable secret password.
>
> Thanks
good luck
:)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60241&t=25270



Q on Lab2 ccbootcamp. [7:60245]

2003-01-03 Thread Rajesh Kumar
Hello everybody.

I am working on Lab 2 of ccbootcamp and am confused with the following.
Can somebody clarify on that please?


Item 2b says Configure R1's ethernet in OSPF area 1.  .

Item 2i says Configure the router R1 with EIGRP and redistribute with
OSPF ( Here I thought I can only configure R1's s0.1 for EIGRP
and leave the Ethernet and S0.2 to OSPF. ).

Item 2j says Configure the router R1 so that it only listens to EIGRP
updates on Ethernet 0 and interface serial 0.2.

The network diagram points that Ethernet 0 of R1 is in Area 1 and EIGRP
domain surrounds it.


Where am I going wrong?

Thanks,
rajesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60245&t=60245



Re: Catalyst 6xxx switches and 2 firewall in clust [7:60235]

2003-01-03 Thread l0stbyte
It could be related to the problem described here:
http://www.firewall-1.org/2002-05/msg00646.html

l0stbyte

Priscilla Oppenheimer wrote:

> Can you help us understand the situation better? Thanks.
> See some questions inline.
>
> l0stbyte wrote:
>
> >Hitesh Pathak R wrote:
> >
> >
> >>Dear Group,
> >>
> >>Need your help in setting up the following :-
> >>
> >>SETUP :- There are 2 core switches SW1 & Sw2 (connected back
> >
> >to back with
> >
> >>both
> >>the SUP GE ports Fiber uplink (Channeled and trunk). On one of
> >
> >the switch
> >
> >>(SW1)
> >>I have 2 firewalls connected in cluster mode. For this
> >
> >clustered
> >
> >>firewall  I
> >>have bind the multicast mac address on the switch SW1 as the
> >
> >recommended
> >
> >>method by the firewall vendor by the command (set cam
> >
> >permanent ).
>
>
> On SW1, you have a permanent cam entry for the multicast address used 
> by the
> firewall cluster? Why? How is that permanent entry used and why is it
> necessary? Sorry if this is a stupid question, but I think it will help us
> understand what you are trying to accomplish.
>
>
> >>Now the problem faced here is since they have only bind the
> >
> >mac
> >
> >>address to 2
> >>ports on SW1 (switch one ONLY) there seems to be some
> >
> >multicast packets
> >
> >>flooding on my  second core switch SW2 for that multicast
> >
> >address.
>
>
> Switches flood multicasts by default. So it makes sense that the multicast
> is flowing over to SW2 also.
>
>
> >>The customer wants to stop this broadcast from happening on
> >
> >2nd switch
> >
> >>SW2 and
> >>hence wants to bind the same multicast mac address on the 2nd
> >
> >Switch
> >
> >>with the
> >>trunk ports going to SW1 from SW2.
>
>
> The multicast will come across the trunk, so you should be able to put a
> permanent cam entry mapping the multicast address to the trunk port. But
> what problem will that solve? Are you trying to stop the multicast from
> flowing out the other ports on SW2? How does a permanent cam entry 
> help with
> that?
>
> Maybe you should look into CGMP or IGMP snooping. They can stop multicasts
> on switches, if the applications send IGMP joins.
>
> Anyone else have any suggestions or understand his situation?
>
> Priscilla
>
>
> >>Has anybody faced similar situation ?? Is this configuration
> >>supported. Can I
> >>bind the cam entry to my trunk port on the SW2 as well with
> >
> >the same
> >
> >>multicast
> >>mac address??
> >>
> >>Many thanks in advance.
> >>
> >>Thanks
> >>Hitesh
> >is it a checkpoint FWs cluster?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60256&t=60235



Re: Q on Lab2 ccbootcamp. [7:60245]

2003-01-03 Thread The Long and Winding Road
where you are going wrong is that you are pursuing your CCIE when you should
be pursuing your degree ;->
refer to that other thread that just won't die.

sorry, I can't resist.

comment or two below:

"Rajesh Kumar" wrote in message
news:[EMAIL PROTECTED]...
> Hello everybody.
>
> I am working on Lab 2 of ccbootcamp and am confused with the following.
> Can somebody clarify on that please?
>
>
> Item 2b says Configure R1's ethernet in OSPF area 1.  .

yes.


>
> Item 2i says Configure the router R1 with EIGRP and redistribute with
> OSPF ( Here I thought I can only configure R1's s0.1 for EIGRP
> and leave the Ethernet and S0.2 to OSPF. ).

yes. only the particular subinterface on the frame cloud is configured for
eigrp.


>
> Item 2j says Configure the router R1 so that it only listens to EIGRP
> updates on Ethernet 0 and interface serial 0.2.


yes. I believe this is an error in the lab. but I could be wrong. if the
question is, as I suspect, speak eigrp only on those two interfaces, that is
one thing. listen only on those two interfaces. well - newer versions of the
IOS have a knob that places only interfaces, and not networks, into the eigrp
process. you should look that up.


>
> The network diagram points that Ethernet 0 of R1 is in Area 1 and EIGRP
> domain surrounds it.
>

yes


>
> Where am I going wrong?

see my smart ass comment at the head of this response.

you are not going wrong. you are starting to understand the twisted mind of
Marc Russell and his cohorts.

actually, I am looking at the answer key for that router, and the answer is
wrong. I believe the lab meant to say "advertise eigrp", not "listen for
eigrp"




>
> Thanks,
> rajesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60257&t=60245



Re: getpass!.exe [7:25270]

2003-01-03 Thread l0stbyte
I think he is asking for MD5 password cracking. He can try brute force..

l0stbyte

Mossburg, Geoff (MAN-Corporate) wrote:

> Can you say "google"?
> http://www.boson.com/promo/utilities/getpass/getpass_utility.htm
>
>
> -Original Message-
> From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 03, 2003 3:38 PM
> To: [EMAIL PROTECTED]
> Subject: RE: getpass!.exe [7:25270]
>
>
> This always works for me:
>
> http://www.kazmier.com/computer/cisco-noswing.html
>
> Symon
>
> -Original Message-
> From: l0stbyte [mailto:[EMAIL PROTECTED]]
> Sent: 02 January 2003 21:05
> To: [EMAIL PROTECTED]
> Subject: Re: getpass!.exe [7:25270]
>
>
> cswan wrote:
>
>
> >Hi guys..
> >
> >Where can I get a copy of  getpass!.exe . I need it to decrypt the
> >enable secret password.
> >
> >Thanks
>
> good luck
> :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60255&t=25270



Re: Catalyst 6xxx switches and 2 firewall in clust [7:60235]

2003-01-03 Thread Priscilla Oppenheimer
l0stbyte wrote:
> 
> It could be related to the problem described here:
> http://www.firewall-1.org/2002-05/msg00646.html

That page describes two routers that are on the same segment as each other
and also on the same segment as the firewalls. For some unexplained reason
the routers are forwarding multicasts. Routers don't normally do that so
they must have been misconfigured in some way.

You have switches and your firewalls are only connected to one of the
switches, isn't that so? I think your topology is completely different.

In that URL, every packet was arriving at the firewall a couple hundred
times, until the IP time-to-live (TTL) timed out. Is that what is happening
on your network?

What problem are you trying to solve? What are the symptoms of the problem?
I realize language may be a barrier, but can you tell us more about this?
It's essential for you to understand the problem. Perhaps writing about it,
despite the difficulties, would help you understand it and would help us
help you.

Also, maybe you could tell us more about what your firewall vendor said.
What kind of firewall is it anyway? What model switches are you using?

Definitely look into IGMP snooping and/or CGMP. One of those might solve
your problem. They both have the same goal, which is to make switches
multicast-aware and smarter about which multicasts they do and don't forward.

Maybe issues with firewall clustering, multicasts, and Cisco switches will
ring a bell for someone else? Anyone else have some ideas?

Priscilla

> 
> l0stbyte
> 
> Priscilla Oppenheimer wrote:
> 
> > Can you help us understand the situation better? Thanks.
> > See some questions inline.
> >
> > l0stbyte wrote:
> >
> > >Hitesh Pathak R wrote:
> > >
> > >
> > >>Dear Group,
> > >>
> > >>Need your help in setting up the following :-
> > >>
> > >>SETUP :- There are 2 core switches SW1 & Sw2 (connected back
> > >
> > >to back with
> > >
> > >>both
> > >>the SUP GE ports Fiber uplink (Channeled and trunk). On one
> of
> > >
> > >the switch
> > >
> > >>(SW1)
> > >>I have 2 firewalls connected in cluster mode. For this
> > >
> > >clustered
> > >
> > >>firewall  I
> > >>have bind the multicast mac address on the switch SW1 as the
> > >
> > >recommended
> > >
> > >>method by the firewall vendor by the command (set cam
> > >
> > >permanent ).
> >
> >
> > On SW1, you have a permanent cam entry for the multicast
> address used
> > by the
> > firewall cluster? Why? How is that permanent entry used and
> why is it
> > necessary? Sorry if this is a stupid question, but I think it
> will help us
> > understand what you are trying to accomplish.
> >
> >
> > >>Now the problem faced here is since they have only bind the
> > >
> > >mac
> > >
> > >>address to 2
> > >>ports on SW1 (switch one ONLY) there seems to be some
> > >
> > >multicast packets
> > >
> > >>flooding on my  second core switch SW2 for that multicast
> > >
> > >address.
> >
> >
> > Switches flood multicasts by default. So it makes sense that
> the multicast
> > is flowing over to SW2 also.
> >
> >
> > >>The customer wants to stop this broadcast from happening on
> > >
> > >2nd switch
> > >
> > >>SW2 and
> > >>hence wants to bind the same multicast mac address on the
> 2nd
> > >
> > >Switch
> > >
> > >>with the
> > >>trunk ports going to SW1 from SW2.
> >
> >
> > The multicast will come across the trunk, so you should be
> able to put a
> > permanent cam entry mapping the multicast address to the
> trunk port. But
> > what problem will that solve? Are you trying to stop the
> multicast from
> > flowing out the other ports on SW2? How does a permanent cam
> entry
> > help with
> > that?
> >
> > Maybe you should look into CGMP or IGMP snooping. They can
> stop multicasts
> > on switches, if the applications send IGMP joins.
> >
> > Anyone else have any suggestions or understand his situation?
> >
> > Priscilla
> >
> >
> > >>Has anybody faced similar situation ?? Is this configuration
> > >>supported. Can I
> > >>bind the cam entry to my trunk port on the SW2 as well with
> > >
> > >the same
> > >
> > >>multicast
> > >>mac address??
> > >>
> > >>Many thanks in advance.
> > >>
> > >>Thanks
> > >>Hitesh

VPN 3000 series [7:60261]

2003-01-03 Thread Edward Sohn
Anyone using these concentrators?  I am specifically looking at either
the 3060 or 3080.  If you have any experience with these guys, please
let me know of any "gotchas" or recommended configurations.

I guess, specifically:

1. What is the recommended software client to go with these guys?
2. Where is it recommended to place these guys?  I know you can put them
alongside a firewall, in front of one, or behind one, but what are you
doing and why?
3. Anyone using RSA secure key authentication?  What are you using and
how are you implementing?

Any help would be greatly appreciated.

Thanks,

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60261&t=60261



RE: getpass!.exe [7:25270]

2003-01-03 Thread John Cianfarani
Boson makes the getpass.exe program, even though many others have it
through webpages and such. They also have some other little things that
could come in handy, like a config register calculator and IP subnet
calculator, for those early mornings when the brain isn't working.

http://www.boson.com/promo/utilities.htm#utilities

John



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
l0stbyte
Sent: Thursday, January 02, 2003 4:05 PM
To: [EMAIL PROTECTED]
Subject: Re: getpass!.exe [7:25270]

cswan wrote:

> Hi guys..
>
> Where can I get a copy of getpass!.exe. I need it to decrypt the enable
> secret password.
>
> Thanks
good luck
:)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60260&t=25270



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread nrf
"Thomas Larus" wrote in message news:[EMAIL PROTECTED]...
> While Mr. Ladrach is almost certainly correct in his statement that the CCIE
> is less challenging than physics and calculus, he might be able to speak
> more authoritatively once he has passed the Lab Exam.
>
> As for being easier than accounting and economics classes, if you are
> reasonably intelligent and do all the homework, you will almost certainly
> pass most accounting and economics classes.  You can be reasonably
> intelligent, do all the right things in preparation for the CCIE lab, and
> fail and fail and fail again.
>
> While I would certainly say that the CCIE material is less difficult to
> learn than some other subjects I have studied, I can honestly say that I
> have never studied so hard for one test in my life, or gotten myself into a
> state where I had such an "edge"-- a certain sharpness and facility with a
> given subject matter that I fear I may never experience again (unless I go
> for a second CCIE).  It is not rocket science, but you have to execute VERY
> well.
>
> As for nrf, - his contributions to groupstudy have been almost entirely
> negative. While it is helpful to have some discussion of things like the job
> market and the question of whether it is better to invest time and effort in
> a degree versus certification is useful, constantly chiming in with negative
> thoughts and assessments is not very helpful.  This is something of a
> support group, and in these difficult times, those of us who have already
> set out to achieve certification goals need encouragement and technical
> advice.
>
> I do not know if nrf is one of these people (he could just be negative for
> no particular reason), there are some people who come to these discussion
> groups to discourage others from pursuing dreams the achievement of which
> might bring about a greater number of certified IT professionals and perhaps
> exert downward pressure on salaries.

I didn't realize that I was supposed to be people's personal cheerleader.
Uh, since when exactly did that become part of my job?   I don't remember
seeing anything about 'emotional support' when I signed up for this NG.

We're all adults here (I hope).  I see no need to patronize anybody.  I'm
not your father and I'm not your shrink. You want support?  You should go
talk to your significant other.  You want the truth?  Come here and talk to
me or some of the other people here.  I don't see it as my job to pat people
on the back.  Like I said, we're all adults here and we shouldn't need that.

Look, I am here neither to encourage nor discourage.  I call it like I see
it, - and if that encourages or discourages people, then fine, but that's
not my goal. If things are good, then I'll say they're good, and  if things
are bad, I'm going to say they're bad.  To do otherwise is really to engage
in a pernicious form of censorship.  This would not be a far cry from a
situation where, before anybody asks a question on this NG, a person should
immediately and privately email everybody here and tell them exactly how
they should respond - therefore when he does ask the question, he will get
the exact answer he wants.  But if that's what this NG is all about, then
why even bother to post on the NG at all - why not just have a conversation
with yourself?  That way you will always get the exact answer that you are
looking for.  "Should I do this?" "Well, of course, and by the way, aren't
you wonderful and handsome...".

After all, if something is bad, especially as it pertains to the job market,
isn't it better to hear it now rather than find out later the hard way?
How exactly does it help anybody to tell people fantasies about how the CCIE
is the greatest thing since sliced bread when we all know that it is not?
In the long run, does this really help anybody?  Isn't it more helpful to
tell people the truth?  {And when exactly have I posted something that was a
lie?}

One funny phenomenon that I've discovered is that some people think that
through my posts I am encouraging people whereas others think, via those
exact same posts, that I am discouraging them.  Delicious irony.  Those
detractors should get together and figure it out amongst themselves and then
come back here and tell me what they've decided.








>
> For the record, I studied and practiced hard, and passed the CCIE lab with
> precious little "industry experience."  I found a great job in a great
> company within two months of passing the CCIE Lab, and I had a few other
> interested folks contact me for interviews.
>
> I certainly cannot make any promises about the future, but my point is that
> if you can get all the way to passing the CCIE lab, you will probably not
> regret it.  This journey is worthwhile, and don't let a bunch of naysayers
> get you down.
>
> That said, if you are very young and considering certification as an
> alternative to a college degree, understand that the college degree (even a
> BA

Route Map Question [7:60263]

2003-01-03 Thread Daren Presbitero
Hello,

Had a question and been trying to figure this one out for a while now.
I have a router with an internal 205.10.1.0/24 network hanging off of fa0/0
and external connection to lots of other networks that start with 205.  I
want to create a 205.0.0.0/8 static route pointing everything to the
external gateway router, but will have problems when sending to an external
network (205.10.50.0/24) because the longest matched route will come up as
the internal 205.10.1.0 network's route, not the 205.0.0.0 static route.  I
need to force the packet to route through the 205 static route IF it does
not match the internal network.  How would I do this with a route-map?
NOTE: I need the route-map to check the dest.IP and IF it is not destined
for the 205.10.1.0 subnet then send it to the upstream default gateway.

Mahalo for your help,
Daren




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60263&t=60263



Re: Route Map Question [7:60263]

2003-01-03 Thread The Long and Winding Road
--
TANSTAAFL
"there ain't no such thing as a free lunch"




"Daren Presbitero" wrote in message news:[EMAIL PROTECTED]...
> Hello,
>
> Had a question and been trying to figure this one out for a while now.
> I have a router with an internal 205.10.1.0/24 network hanging off of fa0/0
> and external connection to lots of other networks that start with 205.  I
> want to create a 205.0.0.0/8 static route pointing everything to the
> external gateway router, but will have problems when sending to an external
> network (205.10.50.0/24) because the longest matched route will come up as
> the internal 205.10.1.0 network's route, not the 205.0.0.0 static route.  I
> need to force the packet to route through the 205 static route IF it does
> not match the internal network.  How would I do this with a route-map?
> NOTE: I need the route-map to check the dest.IP and IF it is not destined
> for the 205.10.1.0 subnet then send it to the upstream default gateway.

well, let's look at your first assumption. that is, that a destination to
205.10.50.x ( /24 ) will be matched by 205.10.1.0 during a route lookup. or
to put it another way, if you have two routes in your routing table:

S 205.0.0.0  (default gateway interface )
C 205.10.1.0 ( interface whatever )

which one will a destination of 205.10.50.x match?

that said, you can add policy routing, and give yourself a different kind of
flexibility.

let's look at the route-map structure, and see how it operates.

start with your access-lists.

access-list 1 permit 205.10.1.0 0.0.0.255
access-list 2 permit 205.0.0.0 0.255.255.255

I'm going to assume for argument's sake that at this time you have no other
destinations you want to reach.

route-map 205net permit 10
match ip addr which one?
set

now here you have a choice - interface or ip next-hop.

the flexibility gained is that you can modify this route-map to suit your
needs as they change - add more access-lists to reflect different subnets
and add more route-map clauses to reflect the policy requirements.

or you can resort to good old routing. which is easier on the brain. ;->


>
> Mahalo for your help,

the only thanks accepted is a two week stay in your town. living room floor
will be ok. couch better.  ;->



> Daren




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60265&t=60263
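
Added example (not part of the original posts): a small Python model of the lookup asked about in the reply above, using the two routes and the two access-lists it lists. The exit names, the route-map clause order and the choice to test the destination address (which on IOS takes an extended ACL, since a standard ACL in a policy route-map tests the source) are assumptions made for this sketch.

```python
import ipaddress

# The two routes from the reply: (code, prefix, exit). Exit names are placeholders.
ROUTES = [
    ("S", ipaddress.ip_network("205.0.0.0/8"), "upstream-gateway"),
    ("C", ipaddress.ip_network("205.10.1.0/24"), "fa0/0"),
]

# access-list 1 and 2 from the reply: (action, base address, wildcard mask).
ACLS = {
    1: [("permit", "205.10.1.0", "0.0.0.255")],
    2: [("permit", "205.0.0.0", "0.255.255.255")],
}

# One possible clause order (assumption): keep the internal subnet on normal
# routing, send everything else in 205/8 to the upstream gateway.
ROUTE_MAP = [
    (10, "deny", 1, None),
    (20, "permit", 2, "upstream-gateway"),
]


def lookup(dest, routes=ROUTES):
    """Longest-prefix match: of the routes containing dest, the longest mask wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r[1]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[1].prefixlen)


def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (
        int(ipaddress.ip_address(base)) & care
    )


def acl_permits(acl_id, addr):
    """First matching entry decides; no match is the implicit deny."""
    for action, base, wildcard in ACLS[acl_id]:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def forward(dest):
    """Apply the route-map first, then fall back to the routing table."""
    for seq, action, acl_id, next_hop in sorted(ROUTE_MAP, key=lambda c: c[0]):
        if acl_permits(acl_id, dest):
            if action == "permit":
                return ("policy", seq, next_hop)
            break  # matched a deny clause: not policy-routed
    route = lookup(dest)
    if route is None:
        return ("drop", None, None)
    return ("table", route[0], route[2])


if __name__ == "__main__":
    for dest in ("205.10.50.7", "205.10.1.9", "10.1.1.1"):
        print(dest, lookup(dest), forward(dest))
```
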



RE: getpass!.exe [7:25270]

2003-01-03 Thread Anthony Mann
Brute force for enable secret:

Too Many Secrets v0.7beta is a commandline tool to crack the enable
secret passwords on Cisco routers. You need the md5 password hash from
the config to run this tool. It contains dictionary and brute force
attacks and a nice feature to combine brute forcing with a partial known
password string.  Homepage: http://www.ernw.de. By Michael Thumann

http://packetstormsecurity.org/cisco/tomas.zip

I'll warn yah though...if they have any idea about secure passwords,
it'll take some time. 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
l0stbyte
Sent: Thursday, January 02, 2003 4:05 PM
To: [EMAIL PROTECTED]
Subject: Re: getpass!.exe [7:25270]

cswan wrote:

> Hi guys..
>
> Where can I get a copy of getpass!.exe. I need it to decrypt the enable
> secret password.
>
> Thanks
good luck
:)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60264&t=25270



Network Architect needed URGENT ! [7:60266]

2003-01-03 Thread Manjunath A P
Please forward this to anybody you know !!

Position: Network Architect
Experience Level: 5-7 yrs
Location of Posting: Japan
Start Date: January 15th 2003
Contract period: 9 months
No. Of People Required: 3
Preferred Education: Bachelors degree in Computer Science or related
discipline

Job Description
- Network Architect: Network Design for
  o WAN services using high speed optical network
  o LAN design for Enterprise customer
  o Datacenter Services

Skills & Experience Required (Candidate Profile)
- At least 6 years experience in design and implementation of Optical
  networks, WANs and LANs
- Good knowledge of SONET, DWDM Ring
- Should have designed WANs & MANs using Leased Lines, Optical Ethernet,
  VPNs, etc
- Should have worked with Multicasting, VLANs and Private VLANs
- Should have worked on Data Center and have experience in Network
  Security, Firewalls, Network Management, Storage Area Networks.
- Excellent communication and interpersonal skills. Japanese language
  familiarity preferred
- Able to handle pressure situations.
- Excellent organizational skills.
- Customer service oriented.
- Excellent problem solving skills.
- Able to interface effectively and decisively with other units,
  departments and outside agencies.
- Goal oriented.

International Languages: Japanese, English

Do we have flexibility for telephonic interviews? YES
(In case Candidate will be unable to travel at short notices)

Send resumes here: [EMAIL PROTECTED]  [EMAIL PROTECTED]
(412) 257-1884 Ext: 14
(412) 257-1887-FAX
www.datumamerica.com
www.datumbiz.info







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60266&t=60266



Way to filter out the "Emotional" emails [7:60267]

2003-01-03 Thread Daren Presbitero
Hey folks,

I'm sure someone has some hints on how to better keep the "good technical"
emails from this study group in my INBOX, and filtering out the "overly
emotional" emails that people send on a daily basis.  That stuff clutters my
inbox and I end up wasting precious time reading them.  Please send any
useful utilities/information to me on how to do this.
Nuff said, sorry for adding to the clutter.

-D-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60267&t=60267



I only boast about my humility [7:60268]

2003-01-03 Thread Howard C. Berkowitz
At 1:13 AM + 1/4/03, nrf wrote:
>   But if that's what this NG is all about, then
>why even bother to post on the NG at all - why not just have a conversation
>with yourself?  That way you will always get the exact answer that you are
>looking for.  "Should I do this?" "Well, of course, and by the way, aren't
>you wonderful and handsome...".

Excuse me. That would be an incomplete answer. I am wonderful, 
handsome, and modest.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60268&t=60268



RE: getpass!.exe [7:25270]

2003-01-03 Thread Mossburg, Geoff (MAN-Corporate)
Oh. If so, I haven't seen any software for MD5 passwords, but the link I
emailed is definitely for downloading getpass! from Boson.
GM

-Original Message-
From: l0stbyte [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: Re: getpass!.exe [7:25270]


I think he is asking for MD5 password cracking. He can try brute force..

l0stbyte

Mossburg, Geoff (MAN-Corporate) wrote:

> Can you say "google"?
> http://www.boson.com/promo/utilities/getpass/getpass_utility.htm
>
>
> -Original Message-
> From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 03, 2003 3:38 PM
> To: [EMAIL PROTECTED]
> Subject: RE: getpass!.exe [7:25270]
>
>
> This always works for me:
>
> http://www.kazmier.com/computer/cisco-noswing.html
>
> Symon
>
> -Original Message-
> From: l0stbyte [mailto:[EMAIL PROTECTED]]
> Sent: 02 January 2003 21:05
> To: [EMAIL PROTECTED]
> Subject: Re: getpass!.exe [7:25270]
>
>
> cswan wrote:
>
>
> >Hi guys..
> >
> >Where can I get a copy of getpass!.exe. I need it to decrypt the
> >enable secret password.
> >
> >Thanks
>
> good luck
> :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60262&t=25270
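
Added example, not from any poster or from Boson: the thread turns on the difference between passwords a decoder such as getpass can reverse (type 7) and the MD5-hashed enable secret (type 5), which can only be guessed at. This Python check reports how each credential line in a saved config is stored; the sample config, its hash and type 7 strings, and the severity labels are constructed for illustration.

```python
import re

# Constructed sample config; the hash and type 7 strings are made-up placeholders.
SAMPLE_CONFIG = """\
hostname lab-rtr
enable secret 5 $1$cnst$RUCTEDSAMPLEHASHVALUE0
enable password 7 0012345A5B5C
username ops privilege 15 password 7 0012345A5B5C
username audit secret 5 $1$cnst$RUCTEDSAMPLEHASHVALUE0
line vty 0 4
 password labpass
 login
"""

# Optional single-digit encoding type, then the stored value, at end of line.
_CRED = r"(?:(?P<type>\d) )?(?P<value>\S+)$"

PATTERNS = [
    ("enable secret", re.compile(r"^enable secret " + _CRED)),
    ("enable password", re.compile(r"^enable password " + _CRED)),
    ("username", re.compile(r"^username \S+ .*?(?:password|secret) " + _CRED)),
    ("line password", re.compile(r"^password " + _CRED)),
]

# How each encoding type protects the password if the config leaks.
STORAGE = {
    None: ("cleartext", "high"),
    "0": ("cleartext", "high"),
    "7": ("type 7, reversible encoding", "high"),
    "5": ("type 5, salted MD5 hash", "medium"),
}


def audit(config):
    """Return (line number, credential kind, storage, severity) per credential line."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        for kind, pattern in PATTERNS:
            match = pattern.match(line)
            if not match:
                continue
            ctype = match.group("type")
            storage, severity = STORAGE.get(
                ctype, ("type %s, not classified here" % ctype, "review")
            )
            findings.append((lineno, kind, storage, severity))
            break
    return findings


def recoverable_lines(findings):
    """Line numbers whose password can be read back without any guessing."""
    return [f[0] for f in findings if f[3] == "high"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("line %d: %s stored as %s [%s]" % finding)
```
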



Re: Q on Lab2 ccbootcamp. [7:60245]

2003-01-03 Thread Howard C. Berkowitz
At 12:08 AM + 1/4/03, The Long and Winding Road wrote:
>where you are going wrong is that you are pursuing your CCIE when you should
>be pursuing your degree ;->
>refer to that other thread that just won't die.
>
>sorry, I can't resist.

Chuck, are you saying that the error is going 180 degrees in the 
wrong direction?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60269&t=60245
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Q on Lab2 ccbootcamp. [7:60245]

2003-01-03 Thread The Long and Winding Road
"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
> At 12:08 AM + 1/4/03, The Long and Winding Road wrote:
> >where you are going wrong is that you are pursuing your CCIE when you should
> >be pursuing your degree ;->
> >refer to that other thread that just won't die.
> >
> >sorry, I can't resist.
>
> Chuck, are you saying that the error is going 180 degrees in the
> wrong direction?
>

more like 360.

but you're not suckering me into helping to perpetuate another discussion
that should have died long ago.

wait a minute..

DOH!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60270&t=60245
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread Marc Thach Xuan Ky
Thomas Larus wrote:
snip
> As for nrf, - his contributions to groupstudy have been almost entirely
> negative. While it is helpful to have some discussion of things like the job
> market and the question of whether it is better to invest time and effort in
> a degree versus certification is useful, constantly chiming in with negative
> thoughts and assessments is not very helpful.  This is something of a
> support group, and in these difficult times, those of us who have already
> set out to achieve certification goals need encouragement and technical
> advice.

I have recently strongly disagreed with nrf, but I do not find him
negative as you suggest.  I think it's a shame if people cannot
contribute without being personally attacked in such a generalised
manner.
 
> I do not know if nrf is one of these people (he could just be negative for
> no particular reason), there are some people who come to these discussion
> groups to discourage others from pursuing dreams the achievement of which
> might bring about a greater number of certified IT professionals and perhaps
> exert downward pressure on salaries.

I don't know nrf personally but I doubt that he's that influential. 
Anybody who gets put off the cert process by reading a discouraging
viewpoint on this list probably doesn't have the mettle to see it
through anyway.

rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60271&t=59481



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread nrf
"Marc Thach Xuan Ky" wrote in message news:[EMAIL PROTECTED]...
> Thomas Larus wrote:
> snip
> > As for nrf, - his contributions to groupstudy have been almost entirely
> > negative. While it is helpful to have some discussion of things like the job
> > market and the question of whether it is better to invest time and effort in
> > a degree versus certification is useful, constantly chiming in with negative
> > thoughts and assessments is not very helpful.  This is something of a
> > support group, and in these difficult times, those of us who have already
> > set out to achieve certification goals need encouragement and technical
> > advice.
>
> I have recently strongly disagreed with nrf, but I do not find him
> negative as you suggest.  I think it's a shame if people cannot
> contribute without being personally attacked in such a generalised
> manner.
>
> > I do not know if nrf is one of these people (he could just be negative for
> > no particular reason), there are some people who come to these discussion
> > groups to discourage others from pursuing dreams the achievement of which
> > might bring about a greater number of certified IT professionals and perhaps
> > exert downward pressure on salaries.
>
> I don't know nrf personally but I doubt that he's that influential.
> Anybody who gets put off the cert process by reading a discouraging
> viewpoint on this list probably doesn't have the mettle to see it
> through anyway.

Exactly.  I think Mr. Larus gives me far too much credit.

Besides, I doubt that I'm saying anything that people don't already know, or
at least suspect.  Certs have their good and bad points, and people who
elect to pursue them should  understand what those good and bad points are.
It's really as simple as that.
>
> rgds
> Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60272&t=59481



RE: Q on Lab2 ccbootcamp. [7:60245]

2003-01-03 Thread Kazan, Naim
Just when you thought you were out, they suck you back in. You just can't
resist the temptation to rage against the machine...Hey! isn't that a grunge
band? 

-Original Message-
From: The Long and Winding Road
[mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 9:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Q on Lab2 ccbootcamp. [7:60245]


"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
> At 12:08 AM + 1/4/03, The Long and Winding Road wrote:
> >where you are going wrong is that you are pursuing your CCIE when you should
> >be pursuing your degree ;->
> >refer to that other thread that just won't die.
> >
> >sorry, I can't resist.
>
> Chuck, are you saying that the error is going 180 degrees in the
> wrong direction?
>

more like 360.

but you're not suckering me into helping to perpetuate another discussion
that should have died long ago.

wait a minute..

DOH!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60274&t=60245
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Q on Lab2 ccbootcamp. [7:60245]

2003-01-03 Thread Kazan, Naim
This is hilarious guys. I am all alone at work a laughing in my chair. If
only someone was watching they would think I am crazy.

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 03, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Q on Lab2 ccbootcamp. [7:60245]


At 12:08 AM + 1/4/03, The Long and Winding Road wrote:
>where you are going wrong is that you are pursuing your CCIE when you should
>be pursuing your degree ;->
>refer to that other thread that just won't die.
>
>sorry, I can't resist.

Chuck, are you saying that the error is going 180 degrees in the 
wrong direction?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60273&t=60245
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Tonight's Homily - OSPF authentication - I didn't know that! [7:60275]

2003-01-03 Thread The Long and Winding Road
As many of you know, I've been reading Parkhurst's OSPF book for a number of
reasons. So I'm fooling around in the chapter on interface commands, when
something hits me over the head.

authentication can be done on an interface by interface basis!

one of those things that I just never noticed before. Maybe because all the
practice labs always instruct you to use area authentication. Maybe cause
I'm just a Homer Simpson kind of guy.

So check this out. Topology will look strange, because I'm doing this over a
vlan tunnel.

router-vlan tunnel-router

each router has 4 subinterfaces, making four point-to-point links

FrameSwitch#o nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
222.222.222.14    1   FULL/DR         00:00:33    122.1.4.1       Ethernet0/1.4
222.222.222.14    1   FULL/DR         00:00:36    122.1.3.1       Ethernet0/1.3
222.222.222.14    1   FULL/DR         00:00:36    122.1.2.1       Ethernet0/1.2
222.222.222.14    1   FULL/DR         00:00:33    122.1.1.1       Ethernet0/1.1
FrameSwitch#

FrameSwitch#ir os
O    197.32.44.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
O    195.100.3.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
FrameSwitch#

So let's play!

interface Ethernet0/1.1
 encapsulation dot1Q 121
 ip address 122.1.1.2 255.255.255.0
!
interface Ethernet0/1.2
 encapsulation dot1Q 122
 ip address 122.1.2.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key sycon
!
interface Ethernet0/1.3
 encapsulation dot1Q 123
 ip address 122.1.3.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
!
interface Ethernet0/1.4
 encapsulation dot1Q 124
 ip address 122.1.4.2 255.255.255.0
!

Ethernet0/1.3 is up, line protocol is up
  Internet Address 122.1.3.2/24, Area 1
  Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
  Message digest authentication enabled
  No key configured, using default key id 0

Ethernet0/1.2 is up, line protocol is up
  Internet Address 122.1.2.2/24, Area 1
  Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
  Simple password authentication enabled

FrameSwitch#o nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
222.222.222.14    1   FULL/DR         00:00:33    122.1.4.1       Ethernet0/1.4
222.222.222.14    1   FULL/DR         00:00:37    122.1.3.1       Ethernet0/1.3
222.222.222.14    1   FULL/DR         00:00:37    122.1.2.1       Ethernet0/1.2
222.222.222.14    1   FULL/DR         00:00:33    122.1.1.1       Ethernet0/1.1
FrameSwitch#

FrameSwitch#ir os
O    197.32.44.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
O    195.100.3.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
                    [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
                    [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
                    [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
FrameSwitch#

during the entirety, the following is the ospf configuration:

router ospf 1
 log-adjacency-changes
 network 100.36.0.0 0.0.255.255 area 1
 network 122.1.0.0 0.0.255.255 area 1
!

next, let's use area authentication

router ospf 1
 log-adjacency-changes
 area 1 authentication
 network 100.36.0.0 0.0.255.255 area 1
 network 122.1.0.0 0.0.255.255 area 1
!

FrameSwitch#o nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
222.222.222.14    1   FULL/DR         00:00:33    122.1.3.1       Ethernet0/1.3
222.222.222.14    1   FULL/DR         00:00:33    122.1.2.1       Ethernet0/1.2
FrameSwitch#

note that the only two interfaces that are up are the two with
authentication configured. note also that it appears not to matter if the
authentication is plain text or md5.

Also, I should note that the other side does not have area authentication
enabled

router ospf 1
 log-adjacency-changes
 network 122.1.0.0 0.0.255.255 area 1
 network 195.100.3.0 0.0.0.255 area 1
 network 197.32.44.0 0.0.0.255 area 1
!

tells me that as far as either router is concerned, so long as the ospf
packets have authentication fields filled, nothing else matters. pretty
neat! of course there is a down side, but for purposes of illustration, this
is wonderful!

as long as I am on the topic, here's another knob:

interface Ethernet0/1.1
 encapsulation dot1Q 121
 ip address 122.1.1.2 255.255.255.0
 ip ospf authentication null > THIS ONE!
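
Added example (not from the original post or from Cisco): a Python check that works out the effective OSPF authentication mode per interface, with the interface-level command overriding the area-level one, and flags the conditions seen above: no authentication, a cleartext simple password, and message-digest enabled with no message-digest-key (the "No key configured, using default key id 0" line). The sample config is assembled from the fragments in the post; first-match handling of network statements and the issue names are simplifications made here.

```python
import ipaddress

# Assembled from the configuration fragments quoted in the post above.
SAMPLE_CONFIG = """\
interface Ethernet0/1.1
 encapsulation dot1Q 121
 ip address 122.1.1.2 255.255.255.0
!
interface Ethernet0/1.2
 encapsulation dot1Q 122
 ip address 122.1.2.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key sycon
!
interface Ethernet0/1.3
 encapsulation dot1Q 123
 ip address 122.1.3.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
!
interface Ethernet0/1.4
 encapsulation dot1Q 124
 ip address 122.1.4.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 area 1 authentication
 network 100.36.0.0 0.0.255.255 area 1
 network 122.1.0.0 0.0.255.255 area 1
!
"""


def parse(config):
    """Collect per-interface OSPF auth settings, network statements, area auth."""
    ifaces, networks, area_auth = {}, [], {}
    cur = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw.startswith(" "):
            cur = None  # a top-level line ends any interface block
        if w[0] == "interface":
            cur = ifaces.setdefault(
                w[1], {"addr": None, "auth": None, "simple_key": False, "md5_keys": 0}
            )
        elif cur is not None and w[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_address(w[2])
        elif cur is not None and w[:3] == ["ip", "ospf", "authentication"]:
            option = w[3] if len(w) > 3 else ""
            cur["auth"] = {"message-digest": "md5", "null": "null"}.get(option, "simple")
        elif cur is not None and w[:3] == ["ip", "ospf", "authentication-key"]:
            cur["simple_key"] = True  # used only by simple (type 1) authentication
        elif cur is not None and w[:3] == ["ip", "ospf", "message-digest-key"]:
            cur["md5_keys"] += 1
        elif w[0] == "area" and w[2:3] == ["authentication"]:
            area_auth[w[1]] = "md5" if w[3:4] == ["message-digest"] else "simple"
        elif w[0] == "network" and len(w) == 5 and w[3] == "area":
            networks.append(
                (int(ipaddress.ip_address(w[1])), int(ipaddress.ip_address(w[2])), w[4])
            )
    return ifaces, networks, area_auth


def area_of(addr, networks):
    """Area of the first network statement whose wildcard covers addr (simplified)."""
    for net, wild, area in networks:
        care = ~wild & 0xFFFFFFFF
        if (int(addr) & care) == (net & care):
            return area
    return None


def audit(config):
    """Map interface name to (area, effective auth mode, issue)."""
    ifaces, networks, area_auth = parse(config)
    report = {}
    for name, i in ifaces.items():
        area = area_of(i["addr"], networks) if i["addr"] is not None else None
        if area is None:
            continue  # interface is not covered by a network statement
        mode = i["auth"] or area_auth.get(area, "null")  # interface overrides area
        if mode == "null":
            issue = "NULL_AUTH"
        elif mode == "simple":
            issue = "SIMPLE_CLEARTEXT" if i["simple_key"] else "SIMPLE_NO_KEY"
        else:
            issue = "OK" if i["md5_keys"] else "MD5_NO_KEY"
        report[name] = (area, mode, issue)
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIG).items():
        print(name, result)
```
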

The Physiology of Thread Death [7:60276]

2003-01-03 Thread Howard C. Berkowitz
At 2:54 AM + 1/4/03, The Long and Winding Road wrote:
>"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
>>  At 12:08 AM + 1/4/03, The Long and Winding Road wrote:
>>  >where you are going wrong is that you are pursuing your CCIE when you should
>>  >be pursuing your degree ;->
>>  >refer to that other thread that just won't die.
>>  >
>>  >sorry, I can't resist.
>>
>>  Chuck, are you saying that the error is going 180 degrees in the
>>  wrong direction?
>>
>
>more like 360.
>
>but you're not suckering me into helping to perpetuate another discussion
>that should have died long ago.
>
>wait a minute..
>
>DOH!

In an industry where vampire taps were once the standard of 
connecting to Ethernet cable, where zombies and daemons are common 
software constructs, can a thread truly be said to be dead?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60276&t=60276



Re: revisited: OSPF stub/stub no-summary O*IA routing table [7:60277]

2003-01-03 Thread Wei Zhu
Hi Chuck,
I tried point-to-point instead of frame relay and still could not get
through.(Everything is fine except nssa)
In my understanding, the External type LSA (E1 or E2) will flood everywhere,
while for NSSA area, it change from type 5 to type 7. When I tried "show ip
ospf database external" on R2, I could see the LSA with forward address
0.0.0.0, but on R5, the forward address changed to 192.168.1.33(or
192.168.1.17). How did this happen? I think that's the reason why I only can
see one O*N2 entry instead of 2. I am using 2500 serial routers.

Thanks
Wei
- Original Message - 
From: "The Long and Winding Road" 
To: 
Sent: Friday, January 03, 2003 4:59 PM
Subject: revisited: OSPF stub/stub no-summary O*IA routing table entry
[7:60242]


> hope you don't mind me bringing this back public. I saw no other responses
> and I was curious so I've done some further research based on your
> configuration. The major difference in my setup and yours is frame relay. I
> am using two point-to-point serial links. too complicated for me to tear
> down my current setup to emulate your frame.
> 
> methodology:
> 
> 1) set everything up as best I can based on your configurations. At this
> point, just plain old ordinary OSPF areas.
> 
> C       222.222.222.8 is directly connected, Loopback1001
>      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
> O E2    172.16.10.0/24 [110/20] via 192.168.1.18, 00:04:47, Serial0
>                        [110/20] via 192.168.1.34, 00:04:47, Serial1
> O E2    172.16.11.0/24 [110/20] via 192.168.1.18, 00:04:47, Serial0
>                        [110/20] via 192.168.1.34, 00:04:47, Serial1
>      10.0.0.0/16 is subnetted, 1 subnets
> O IA    10.1.0.0 [110/74] via 192.168.1.34, 00:04:48, Serial1
>                  [110/74] via 192.168.1.18, 00:04:48, Serial0
>      192.168.1.0/28 is subnetted, 4 subnets
> C       192.168.1.64 is directly connected, Loopback2
> C       192.168.1.32 is directly connected, Serial1
> C       192.168.1.48 is directly connected, Loopback1
> C       192.168.1.16 is directly connected, Serial0
> Router_8#
> 
> as you can see, all routes are shown as reachable via both of the serial
> ports.
> 
> 2) turn area 1 into a stub area:
> 
>      10.0.0.0/16 is subnetted, 1 subnets
> O IA    10.1.0.0 [110/74] via 192.168.1.34, 00:01:50, Serial1
>                  [110/74] via 192.168.1.18, 00:01:50, Serial0
>      192.168.1.0/28 is subnetted, 4 subnets
> C       192.168.1.64 is directly connected, Loopback2
> C       192.168.1.32 is directly connected, Serial1
> C       192.168.1.48 is directly connected, Loopback1
> C       192.168.1.16 is directly connected, Serial0
> O*IA 0.0.0.0/0 [110/65] via 192.168.1.34, 00:01:51, Serial1
>                [110/65] via 192.168.1.18, 00:01:51, Serial0
> Router_8#
> 
> exactly as expected. the two external routes in the 172 range are not passed
> into the stub area.
> 
> 3) turn area 1 into a totally subby area ( love that term! I can still hear
> my ACRC instructor intoning it just like a Valley Girl )
> 
> show ip ospf
> 
> Area 1
> Number of interfaces in this area is 2
> It is a stub area, no summary LSA in this area
>   generates stub default route with cost 1
> 
>  192.168.1.0/28 is subnetted, 4 subnets
> C   192.168.1.64 is directly connected, Loopback2
> C   192.168.1.32 is directly connected, Serial1
> C   192.168.1.48 is directly connected, Loopback1
> C   192.168.1.16 is directly connected, Serial0
> O*IA 0.0.0.0/0 [110/65] via 192.168.1.34, 00:01:01, Serial1
>                 [110/65] via 192.168.1.18, 00:01:01, Serial0
> Router_8#
> 
> again - everything is as expected
> 
> 4) change from totally stubby to NSSA ( kinda sorta stubby :-> )
> 
> router ospf 200
>  log-adjacency-changes
>  area 1 nssa
>  network 10.0.0.0 0.255.255.255 area 0
>  network 192.168.1.0 0.0.0.255 area 1
> !
> 
>  10.0.0.0/16 is subnetted, 1 subnets
> O IA 10.1.0.0 [110/74] via 192.168.1.34, 00:00:25, Serial1
>                [110/74] via 192.168.1.18, 00:00:25, Serial0
>  192.168.1.0/28 is subnetted, 4 subnets
> C   192.168.1.64 is directly connected, Loopback2
> C   192.168.1.32 is directly connected, Serial1
> C   192.168.1.48 is directly connected, Loopback1
> C   192.168.1.16 is directly connected, Serial0
> Router_8#
> 
> again - completely as expected. the inter-area route in the 10. network is
> seen, but the two external routes in the 172 network are not seen.
> 
> 5) tweak the NSSA
> 
> router ospf 200
>  log-adjacency-changes
>  area 1 nssa default-information-originate
>  network 10.0.0.0 0.255.255.255 area 0
>  network 192.168.1.0 0.0.0.255 area 1
> !
> 
>  10.0.0.0/16 is subnetted, 1 subnets
> O IA 10.1.0.0 [110/74] via 192.168.1.34, 00:00:01, Serial1
>                [110/74] via 192.168.1.18, 00:00:01, Serial0
>  192.168.1.0/28 is subnetted, 4 subnets
> C   192.168.1.64 is directly connected, Loopback2
> C   192.168.1.32 is di

Re: Tonight's Homily - OSPF authentication - I didn't know [7:60279]

2003-01-03 Thread Eric Rogers
For those who don't have the book in question -

Pg 17 of the Parkhurst OSPF book:

"...In Cisco IOS Software Release 12.X, the authentication used on an
interface can be different from the authentication enabled for an area. When
using Cisco IOS Software release 12.X, the authentication method used on
different interfaces in the same area does not need to be the same.
Authentication can be turned off on selected interfaces using the command ip
ospf authentication null (see section 19-1). The key and password do not
need to be the same on every interface, but both ends of a common link need
to use the same key and password. Authentication is enabled by area (Cisco
IOS Software Release 11.X and earlier) so it is possible to employ
authentication in other areas..."

CL - Thanks for the heads up the other day about the OSPF Parkhurst
book...Pulled it from my bookshelf and wiped off the dust just yesterday and
I'm currently on page 105 going through it with my highlighter. I like the
way he's formatted it by pounding on the same example building on the
commands as he goes. After the third or fourth example it all just clicks
together with the little nuances he's placed in there. When I first got this
book I just thought of it as a command reference nothing more but it's
really a good book that I would have never delved into without your comment
the other day. I'll be finishing OSPF this weekend and moving into my other
currently unread Parkhurst book BGP.

Eric R

- Original Message -
From: "The Long and Winding Road" 
To: 
Sent: Friday, January 03, 2003 7:46 PM
Subject: Tonight's Homily - OSPF authenitcation - I didn't know that!
[7:60275]


> As many of you know, I've been reading Parkhurst's OSPF book for a number of
> reasons. So I'm fooling around in the chapter on interface commands, when
> something hits me over the head.
>
> authentication can be done on an interface by interface basis!
>
> one of those things that I just never noticed before. Maybe because all the
> practice labs always instruct you to use area authentication. Maybe cause
> I'm just a Homer Simpson kind of guy.
>
> So check this out. Topology will look strange, because I'm doing this over a
> vlan tunnel.
>
> router-vlan tunnel-router
>
> each router has 4 subinterfaces, making four point-to-point links
>
> FrameSwitch#o nei
>
> Neighbor ID Pri   State   Dead Time   Address
Interface
> 222.222.222.141   FULL/DR 00:00:33122.1.4.1
> Ethernet0/1.4
> 222.222.222.141   FULL/DR 00:00:36122.1.3.1
> Ethernet0/1.3
> 222.222.222.141   FULL/DR 00:00:36122.1.2.1
> Ethernet0/1.2
> 222.222.222.141   FULL/DR 00:00:33122.1.1.1
> Ethernet0/1.1
> FrameSwitch#
>
> FrameSwitch#ir os
> O 197.32.44.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
>                  [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
>                  [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
>                  [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> O 195.100.3.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
>                  [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
>                  [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
>                  [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> FrameSwitch#
>
> So let's play!
>
> interface Ethernet0/1.1
>  encapsulation dot1Q 121
>  ip address 122.1.1.2 255.255.255.0
> !
> interface Ethernet0/1.2
>  encapsulation dot1Q 122
>  ip address 122.1.2.2 255.255.255.0
>  ip ospf authentication
>  ip ospf authentication-key sycon
> !
> interface Ethernet0/1.3
>  encapsulation dot1Q 123
>  ip address 122.1.3.2 255.255.255.0
>  ip ospf authentication message-digest
>  ip ospf authentication-key cisco
> !
> interface Ethernet0/1.4
>  encapsulation dot1Q 124
>  ip address 122.1.4.2 255.255.255.0
> !
>
> Ethernet0/1.3 is up, line protocol is up
>   Internet Address 122.1.3.2/24, Area 1
>   Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
>   Message digest authentication enabled
>   No key configured, using default key id 0
>
> Ethernet0/1.2 is up, line protocol is up
>   Internet Address 122.1.2.2/24, Area 1
>   Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
>   Simple password authentication enabled
>
> FrameSwitch#o nei
>
> Neighbor ID Pri   State   Dead Time   Address
Interface
> 222.222.222.141   FULL/DR 00:00:33122.1.4.1
> Ethernet0/1.4
> 222.222.222.141   FULL/DR 00:00:37122.1.3.1
> Ethernet0/1.3
> 222.222.222.141   FULL/DR 00:00:37122.1.2.1
> Ethernet0/1.2
> 222.222.222.141   FULL/DR 00:00:33122.1.1.1
> Ethernet0/1.1
> FrameSwitch#
>
> FrameSwitch#ir os
> O197.32.44.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
> [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
> [110/11] via 122.1.2.1,

Re: revisited: OSPF stub/stub no-summary O*IA routing table [7:60278]

2003-01-03 Thread The Long and Winding Road
"Wei Zhu" wrote in message news:[EMAIL PROTECTED]...
> Hi Chuck,
> I tried point-to-point instead of frame relay and still could not get
> through.(Everything is fine except nssa)
> In my understanding, the External type LSA (E1 or E2) will flood everywhere,
> while for NSSA area, it changes from type 5 to type 7.

I'm not sure, but I believe that for routes INTO an NSSA, type 5's are
blocked, not changed to type 7. The ABR will change type 7's to type 5's OUT
of the NSSA ( into the rest of OSPF ) yeah - looking at the RFC, that's what
it states - external type-5's are not imported into the NSSA


> When I tried "show ip
> ospf database external" on R2, I could see the LSA with forward address
> 0.0.0.0, but on R5, the forward address changed to 192.168.1.33(or
> 192.168.1.17). How did this happen? I think that's the reason why I only can
> see one O*N2 entry instead of 2. I am using 2500 serial routers.
>

For this experiment, I used 2500 routers as well.

when you do the show ip ospf neighbors, do you see neighbor relationships
over both links?

Router_8#o nei

Neighbor ID     Pri   State      Dead Time   Address         Interface
222.222.222.9     1   FULL/  -   00:00:36    192.168.1.34    Serial1
222.222.222.9     1   FULL/  -   00:00:36    192.168.1.18    Serial0
Router_8#

the relevant results from my show ip ospf database:

Router 9 ( area border router )

Router_9#o data

OSPF Router with ID (222.222.222.9) (Process ID 200)

Router Link States (Area 0)

Link ID         ADV Router      Age   Seq#    Checksum  Link count
222.222.222.9   222.222.222.9   1595  0x8011  0xAF01    1
222.222.222.10  222.222.222.10  1873  0x800E  0x941F    1

Net Link States (Area 0)

Link ID         ADV Router      Age   Seq#    Checksum
10.1.1.1        222.222.222.10  1873  0x800D  0xE14C

Summary Net Link States (Area 0)

Link ID         ADV Router      Age   Seq#    Checksum
192.168.1.16    222.222.222.9   595   0x8010  0x1BC1
192.168.1.32    222.222.222.9   595   0x8010  0x7A52
192.168.1.48    222.222.222.9   1595  0x800C  0xEBD3
192.168.1.64    222.222.222.9   1595  0x800C  0x4B64

Router Link States (Area 1)

Link ID         ADV Router      Age   Seq#    Checksum  Link count
222.222.222.8   222.222.222.8   1468  0x8013  0x6FB2    6
222.222.222.9   222.222.222.9   1598  0x801A  0x2E31    4

Summary Net Link States (Area 1)

Link ID         ADV Router      Age   Seq#    Checksum
10.1.0.0        222.222.222.9   1598  0x8010  0xCBA1

Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age   Seq#    Checksum  Tag
0.0.0.0         222.222.222.9   1598  0x800C  0xDB25    0

Type-5 AS External Link States

Link ID         ADV Router      Age   Seq#    Checksum  Tag
172.16.10.0     222.222.222.10  627   0x800E  0xB86D    0
172.16.11.0     222.222.222.10  627   0x800E  0xAD77    0
Router_9#

AND from router 8 ( the router that is NSSA only )

Router_8#o data

OSPF Router with ID (222.222.222.8) (Process ID 200)

Router Link States (Area 1)

Link ID         ADV Router      Age   Seq#    Checksum  Link count
222.222.222.8   222.222.222.8   1666  0x8013  0x6FB2    6
222.222.222.9   222.222.222.9   1795  0x801A  0x2E31    4

Summary Net Link States (Area 1)

Link ID         ADV Router      Age   Seq#    Checksum
10.1.0.0        222.222.222.9   1795  0x8010  0xCBA1

Type-7 AS External Link States (Area 1)

Link ID         ADV Router      Age   Seq#    Checksum  Tag
0.0.0.0         222.222.222.9   1795  0x800C  0xDB25    0
Router_8#

As I said, I can't duplicate the problem. I keep coming back to a frame
relay issue ( but for the life of me I can't see why. are the subinterfaces
point-to-point? ) or artifact.

have you blown away the config, reloaded, then started from scratch? hate to
suggest the microsoft answer, but I am at a loss.

HTH

Chuck


> Thanks
> Wei
> - Original Message -
> From: "The Long and Winding Road"
> To:
> Sent: Friday, January 03, 2003 4:59 PM
> Subject: revisited: OSPF stub/stub no-summary O*IA routing table entry
> [7:60242]
>
>
> > hope you don't mind me bringing this back public. I saw no other responses
> > and I was curious so I've done some further research based on your
> > configuration. The major difference in my setup and yours is frame relay. I
> > am using two point-to-point serial links. too complicated for me to tear
> > down my current setup to emulate your frame.
> >
> > methodology:
> >
> > 1) set everything up as best I can based on your configurations. At this
> > point, just plain old ordinary OSPF areas.
> >
> > C   22

Re: The Physiology of Thread Death [7:60276]

2003-01-03 Thread Steve Dispensa
On Fri, 2003-01-03 at 21:52, Howard C. Berkowitz wrote:

> In an industry where vampire taps were once the standard of 
> connecting to Ethernet cable, where zombies and daemons are common 
> software constructs, can a thread truly be said to be dead?

you just have to wait() for zombies to die.  daemons, though, can
certainly be kill()ed.  

:-)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60280&t=60276



RE: Tonight's Homily - OSPF authentication - I didn't know [7:60281]

2003-01-03 Thread Kaminski, Shawn G
I'm just curious, Chuck. When was the last time you had any sleep? :-)
Interesting subject tonight!

Shawn K.

> -Original Message-
> From: The Long and Winding Road [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, January 03, 2003 10:46 PM
> To:   [EMAIL PROTECTED]
> Subject:  Tonight's Homily - OSPF authenitcation - I didn't know that!
> [7:60275]
> 
> As many of you know, I've been reading Parkhurst's OSPF book for a number of
> reasons. So I'm fooling around in the chapter on interface commands, when
> something hits me over the head.
>
> authentication can be done on an interface by interface basis!
>
> one of those things that I just never noticed before. Maybe because all the
> practice labs always instruct you to use area authentication. Maybe cause
> I'm just a Homer Simpson kind of guy.
>
> So check this out. Topology will look strange, because I'm doing this over a
> vlan tunnel.
> 
> router-vlan tunnel-router
> 
> each router has 4 subinterfaces, making four point-to-point links
> 
> FrameSwitch#o nei
> 
> Neighbor ID Pri   State   Dead Time   Address
> Interface
> 222.222.222.141   FULL/DR 00:00:33122.1.4.1
> Ethernet0/1.4
> 222.222.222.141   FULL/DR 00:00:36122.1.3.1
> Ethernet0/1.3
> 222.222.222.141   FULL/DR 00:00:36122.1.2.1
> Ethernet0/1.2
> 222.222.222.141   FULL/DR 00:00:33122.1.1.1
> Ethernet0/1.1
> FrameSwitch#
> 
> FrameSwitch#ir os
> O 197.32.44.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
>                  [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
>                  [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
>                  [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> O 195.100.3.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
>                  [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
>                  [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
>                  [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> FrameSwitch#
> 
> So let's play!
> 
> interface Ethernet0/1.1
>  encapsulation dot1Q 121
>  ip address 122.1.1.2 255.255.255.0
> !
> interface Ethernet0/1.2
>  encapsulation dot1Q 122
>  ip address 122.1.2.2 255.255.255.0
>  ip ospf authentication
>  ip ospf authentication-key sycon
> !
> interface Ethernet0/1.3
>  encapsulation dot1Q 123
>  ip address 122.1.3.2 255.255.255.0
>  ip ospf authentication message-digest
>  ip ospf authentication-key cisco
> !
> interface Ethernet0/1.4
>  encapsulation dot1Q 124
>  ip address 122.1.4.2 255.255.255.0
> !
> 
> Ethernet0/1.3 is up, line protocol is up
>   Internet Address 122.1.3.2/24, Area 1
>   Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
>   Message digest authentication enabled
>   No key configured, using default key id 0
> 
> Ethernet0/1.2 is up, line protocol is up
>   Internet Address 122.1.2.2/24, Area 1
>   Process ID 1, Router ID 222.222.222.11, Network Type BROADCAST, Cost: 10
>   Simple password authentication enabled
> 
> FrameSwitch#o nei
> 
> Neighbor ID Pri   State   Dead Time   Address
> Interface
> 222.222.222.141   FULL/DR 00:00:33122.1.4.1
> Ethernet0/1.4
> 222.222.222.141   FULL/DR 00:00:37122.1.3.1
> Ethernet0/1.3
> 222.222.222.141   FULL/DR 00:00:37122.1.2.1
> Ethernet0/1.2
> 222.222.222.141   FULL/DR 00:00:33122.1.1.1
> Ethernet0/1.1
> FrameSwitch#
> 
> FrameSwitch#ir os
> O 197.32.44.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
>                  [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
>                  [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
>                  [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
> O 195.100.3.0/24 [110/11] via 122.1.4.1, 00:03:18, Ethernet0/1.4
>                  [110/11] via 122.1.1.1, 00:03:18, Ethernet0/1.1
>                  [110/11] via 122.1.2.1, 00:03:18, Ethernet0/1.2
>                  [110/11] via 122.1.3.1, 00:03:18, Ethernet0/1.3
> FrameSwitch#
> 
> during the entirety, the following is the ospf configuration:
> 
> router ospf 1
>  log-adjacency-changes
>  network 100.36.0.0 0.0.255.255 area 1
>  network 122.1.0.0 0.0.255.255 area 1
> !
> 
> next, lets use area authentication
> 
> router ospf 1
>  log-adjacency-changes
>  area 1 authentication
>  network 100.36.0.0 0.0.255.255 area 1
>  network 122.1.0.0 0.0.255.255 area 1
> !
> 
> FrameSwitch#o nei
> 
> Neighbor ID Pri   State   Dead Time   Address
> Interface
> 222.222.222.141   FULL/DR 00:00:33122.1.3.1
> Ethernet0/1.3
> 222.222.222.141   FULL/DR 00:00:33122.1.2.1
> Ethernet0/1.2
> FrameSwitch#
> 
> note that the only two interfaces that are up are the two with
> authentication configured. note also that it appears not to matter if the
> authentication is plain text or md5.
> 
> Also, I should note that the other side does not have ar
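
The interface-versus-area authentication behaviour discussed in this thread can be checked offline against a saved configuration. The audit below is an added example, not code from any poster or from Cisco; it assumes a single OSPF process, static primary addresses, and that the first matching network statement decides the area, and its sample configuration is constructed from the interface stanzas and the "area 1 authentication" step quoted above.

```python
from ipaddress import IPv4Address

# Constructed input: interface stanzas quoted in the thread (encapsulation
# lines left out) plus its later "area 1 authentication" step.
SAMPLE_CONFIG = """\
interface Ethernet0/1.1
 ip address 122.1.1.2 255.255.255.0
interface Ethernet0/1.2
 ip address 122.1.2.2 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key sycon
interface Ethernet0/1.3
 ip address 122.1.3.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf authentication-key cisco
interface Ethernet0/1.4
 ip address 122.1.4.2 255.255.255.0
router ospf 1
 area 1 authentication
 network 100.36.0.0 0.0.255.255 area 1
 network 122.1.0.0 0.0.255.255 area 1
"""


def parse(config):
    """Split an IOS excerpt into interface settings, area auth and networks."""
    ifaces, area_auth, networks, section, cur = {}, {}, [], None, None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):  # top-level line: a new stanza (or "!")
            section = w[0] if w[0] == "interface" or w[:2] == ["router", "ospf"] else None
            if section == "interface":
                cur = ifaces.setdefault(w[1], {"ip": None, "auth": None})
        elif section == "interface":
            if w[:2] == ["ip", "address"] and len(w) == 4:
                cur["ip"] = w[2]
            elif w[:3] == ["ip", "ospf", "authentication"]:
                kind = {"message-digest": "md5", "null": "none"}
                cur["auth"] = kind.get(" ".join(w[3:]), "simple")
            elif w[:2] == ["ip", "ospf"] and w[2:3] in (["authentication-key"], ["message-digest-key"]):
                cur[w[2]] = True  # record only that a key of this kind exists
        elif section == "router":
            if w[0] == "area" and w[2:3] == ["authentication"]:
                area_auth[w[1]] = "md5" if w[3:4] == ["message-digest"] else "simple"
            elif w[0] == "network" and len(w) == 5:
                networks.append((int(IPv4Address(w[1])), int(IPv4Address(w[2])), w[4]))
    return ifaces, area_auth, networks


def audit(config):
    """Map interface -> (effective auth type, 'interface' or 'area', issues)."""
    ifaces, area_auth, networks = parse(config)
    report = {}
    for name, i in ifaces.items():
        if i["ip"] is None:
            continue
        ip = int(IPv4Address(i["ip"]))
        # Simplification: the first network statement that matches decides the area.
        area = next((a for net, wild, a in networks if (ip | wild) == (net | wild)), None)
        if area is None:
            continue  # OSPF is not enabled on this interface
        # An interface-level command overrides the area-level setting.
        source = "interface" if i["auth"] else "area"
        auth = i["auth"] or area_auth.get(area, "none")
        issues = []
        if auth == "none":
            issues.append("unauthenticated")
        elif auth == "simple":
            issues.append("cleartext-password")  # type 1 carries the key in the clear
            if not i.get("authentication-key"):
                issues.append("no-key")
        else:
            if not i.get("message-digest-key"):
                issues.append("no-key")  # IOS shows "using default key id 0"
            if i.get("authentication-key"):
                issues.append("unused-authentication-key")
        report[name] = (auth, source, issues)
    return report
```

On the sample, `audit(SAMPLE_CONFIG)` reports Ethernet0/1.3 as MD5 with no message-digest key, which matches the "No key configured, using default key id 0" line in the quoted show output.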

Re: Tonight's Homily - OSPF authentication - I didn't know [7:60282]

2003-01-03 Thread The Long and Winding Road
"Eric Rogers" wrote in message news:[EMAIL PROTECTED]...
> For those who don't have the book in question -
>
> Pg 17 of the Parkhurst OSPF book:
>
> "...In Cisco IOS Software Release 12.X, the authentication used on an
> interface can be different from the authentication enabled for an area. When
> using Cisco IOS Software release 12.X, the authentication method used on
> different interfaces in the same area does not need to be the same.
> Authentication can be turned off on selected interfaces using the command ip
> ospf authentication null (see section 19-1). The key and password do not
> need to be the same on every interface, but both ends of a common link need
> to use the same key and password. Authentication is enabled by area (Cisco
> IOS Software Release 11.X and earlier) so it is possible to employ
> authentication in other areas..."

Eric, I've been re-reading this passage, and thinking about it, and I am not
so sure that the intent was to completely divorce area authentication (
under the ospf process ) from interface authentication.

Consider that you can configure area authentication ( under the ospf
process ) on one side, along with the appropriate interface configuration,
and all that the other side needs is interface configuration. And it works!
Somehow that does not seem like an intended consequence.

Is that your understanding of the intent? The passage quoted above "appears"
to me to be saying that the intent is to allow the interface specific
configuration to be different than the general area configuration. Maybe a
concession to mixed vendor environments?

I just found it fascinating that one now has a number of options, and that
one can now introduce authentication without necessarily enforcing it on all
interfaces.

Anyone know any of the IOS programmer managers? I'm really curious about the
thought behind this.





>
> CL - Thanks for the heads up the other day about the OSPF Parkhurst
> book...Pulled it from my bookshelf and wiped off the dust just yesterday and
> I'm currently on page 105 going through it with my highlighter. I like the
> way he's formatted it by pounding on the same example building on the
> commands as he goes. After the third or fourth example it all just clicks
> together with the little nuances he's placed in there. When I first got this
> book I just thought of it as a command reference nothing more but it's
> really a good book that I would have never delved into without your comment
> the other day. I'll be finishing OSPF this weekend and moving into my other
> currently unread Parkhurst book BGP.
>
> Eric R
>
> - Original Message -
> From: "The Long and Winding Road"
> To:
> Sent: Friday, January 03, 2003 7:46 PM
> Subject: Tonight's Homily - OSPF authenitcation - I didn't know that!
> [7:60275]
>
>
> > As many of you know, I've been reading Parkhurst's OSPF book for a number of
> > reasons. So I'm fooling around in the chapter on interface commands, when
> > something hits me over the head.
> >
> > authentication can be done on an interface by interface basis!
> >
> > one of those things that I just never noticed before. Maybe because all the
> > practice labs always instruct you to use area authentication. Maybe cause
> > I'm just a Homer Simpson kind of guy.
> >
> > So check this out. Topology will look strange, because I'm doing this over a
> > vlan tunnel.
> >
> > router-vlan tunnel-router
> >
> > each router has 4 subinterfaces, making four point-to-point links
> >
> > FrameSwitch#o nei
> >
> > Neighbor ID Pri   State   Dead Time   Address
> Interface
> > 222.222.222.141   FULL/DR 00:00:33122.1.4.1
> > Ethernet0/1.4
> > 222.222.222.141   FULL/DR 00:00:36122.1.3.1
> > Ethernet0/1.3
> > 222.222.222.141   FULL/DR 00:00:36122.1.2.1
> > Ethernet0/1.2
> > 222.222.222.141   FULL/DR 00:00:33122.1.1.1
> > Ethernet0/1.1
> > FrameSwitch#
> >
> > FrameSwitch#ir os
> > O 197.32.44.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
> >                  [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
> >                  [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
> >                  [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> > O 195.100.3.0/24 [110/11] via 122.1.4.1, 00:01:21, Ethernet0/1.4
> >                  [110/11] via 122.1.1.1, 00:01:21, Ethernet0/1.1
> >                  [110/11] via 122.1.2.1, 00:01:21, Ethernet0/1.2
> >                  [110/11] via 122.1.3.1, 00:01:21, Ethernet0/1.3
> > FrameSwitch#
> >
> > So let's play!
> >
> > interface Ethernet0/1.1
> >  encapsulation dot1Q 121
> >  ip address 122.1.1.2 255.255.255.0
> > !
> > interface Ethernet0/1.2
> >  encapsulation dot1Q 122
> >  ip address 122.1.2.2 255.255.255.0
> >  ip ospf authentication
> >  ip ospf authentication-key sycon
> > !
> > interface Ethernet0/1.3
> >  encapsulation dot1Q 123
> >  ip address 122.1.3.2 25

Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread Jack Handy
Deep  Thoughts from  Jack Handy.
I

I personally enjoy posts by nrf!  Someone that has a sense of humor, it's a
good thing.

Thank you and God bless,
Jack Handy


>From: "nrf" 
>Reply-To: "nrf" 
>To: [EMAIL PROTECTED]
>Subject: Re: CCIE Vs. BS or MS degree [7:59481]
>Date: Sat, 4 Jan 2003 03:20:52 GMT
>
>"Marc Thach Xuan Ky" wrote in message news:[EMAIL PROTECTED]...
> > Thomas Larus wrote:
> > snip
> > > As for nrf, - his contributions to groupstudy have been almost entirely
> > > negative. While it is helpful to have some discussion of things like the job
> > > market and the question of whether it is better to invest time and effort in
> > > a degree versus certification is useful, constantly chiming in with negative
> > > thoughts and assessments is not very helpful.  This is something of a
> > > support group, and in these difficult times, those of us who have already
> > > set out to achieve certification goals need encouragement and technical
> > > advice.
> >
> > I have recently strongly disagreed with nrf, but I do not find him
> > negative as you suggest.  I think it's a shame if people cannot
> > contribute without being personally attacked in such a generalised
> > manner.
> >
> > > I do not know if nrf is one of these people (he could just be negative for
> > > no particular reason), there are some people who come to these discussion
> > > groups to discourage others from pursuing dreams the achievement of which
> > > might bring about a greater number of certified IT professionals and perhaps
> > > exert downward pressure on salaries.
> >
> > I don't know nrf personally but I doubt that he's that influential.
> > Anybody who gets put off the cert process by reading a discouraging
> > viewpoint on this list probably doesn't have the mettle to see it
> > through anyway.
>
>Exactly.  I think Mr. Larus gives me far too much credit.
>
>Besides, I doubt that I'm saying anything that people don't already know, or
>at least suspect.  Certs have their good and bad points, and people who
>elect to pursue them should  understand what those good and bad points are.
>It's really as simple as that.
> >
> > rgds
> > Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60283&t=59481