RE: Cat6500 PSU interoperability [7:60949]

2003-01-14 Thread Andrew Larkins
Many thanks to all that responded.

Andrew

-Original Message-
From: Frank Jimenez [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 18:36
To: 'Andrew Larkins'; [EMAIL PROTECTED]
Subject: RE: Cat6500 PSU interoperability [7:60949]


Yes and no.

In combined mode they may be different wattages.

In redundant mode wattages must be identical.

More detail at:
http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e6f6.html

Frank Jimenez, CCIE #5738
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Andrew Larkins
Sent: Monday, January 13, 2003 6:29 AM
To: [EMAIL PROTECTED]
Subject: Cat6500 PSU interoperability [7:60949]


Hi all,

The cat 6500 power supplies - 1300W and 2500W.
Can these 2 types be mixed in the same chassis or must they be the same
type?

Andrew Larkins
BCom, CCNP, CCDP
Bytes Technology Networks
A Division of the Bytes Technology Group
A Member of the Altron Group
www.btgroup.co.za
visit the press office @ www.itweb.co.za/office/bytes

Tel :  +27 11 800 9336
Fax : +27 11 800 9496
Mobile : +27 83 656 7214
Email :  [EMAIL PROTECTED]
OR  [EMAIL PROTECTED]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61003&t=60949
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



ICMP [7:61004]

2003-01-14 Thread maine dude
Hi All,

Quick question-

When a router sends a redirect to a particular host, how does the host
remember to use this in the future? Does the ICMP place an entry into the
host's routing table?

Thanks in advance.

-DJ








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61004&t=61004



RE: ICMP [7:61004]

2003-01-14 Thread THANGAVEL VISHNUKUMAR MUDALIAR
Yes, the host places this entry into its routing table.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61005&t=61004

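The host-side handling the answer above describes, as an added Python example that is not part of the thread: it builds a constructed ICMP Redirect for Host (type 5, code 1), applies the acceptance checks RFC 1122 section 3.2.2.2 requires of a host (the quoted datagram is ours, the sender is the gateway currently in use for that destination, the new gateway is on-link) and only then records a host route in a small routing-table dict. All addresses are constructed sample values; the checks are what keep a spoofed redirect from rewriting a host's next hop.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5  # ICMP type 5 = Redirect (RFC 792); code 1 = redirect for host


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header of the datagram that triggered the redirect
    (constructed sample; the IP header checksum is left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_redirect(new_gw: str, triggering_hdr: bytes) -> bytes:
    """Constructed ICMP Redirect for Host as a router would send it:
    type 5, code 1, checksum, new gateway, then the IP header + 8 bytes of
    the datagram being redirected."""
    payload = triggering_hdr + b"\x00" * 8
    gw = ipaddress.IPv4Address(new_gw).packed
    csum = inet_checksum(struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, gw) + payload)
    return struct.pack("!BBH4s", ICMP_REDIRECT, 1, csum, gw) + payload


def process_redirect(icmp: bytes, icmp_src: str, my_addr: str,
                     my_net: str, routes: dict) -> str:
    """Host-side handling of a received redirect.

    routes maps destination -> next hop, with key "default" for the default
    route. The redirect is installed as a host route only if it passes the
    RFC 1122 section 3.2.2.2 checks; otherwise the reason it was ignored is
    returned. icmp_src is the source IP of the packet carrying the ICMP.
    """
    if len(icmp) < 8 + 20:
        return "too short"
    icmp_type, _code, csum, gw_raw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != ICMP_REDIRECT:
        return "not a redirect"
    if inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        return "bad checksum"
    new_gw = ipaddress.IPv4Address(gw_raw)
    inner_src = str(ipaddress.IPv4Address(icmp[8 + 12:8 + 16]))
    dst = str(ipaddress.IPv4Address(icmp[8 + 16:8 + 20]))
    # 1. The quoted datagram must be one we actually sent.
    if inner_src != my_addr:
        return "inner source %s is not our address" % inner_src
    # 2. Only the gateway we currently use for dst may redirect us.
    if icmp_src != routes.get(dst, routes.get("default")):
        return "sender %s is not the current first hop for %s" % (icmp_src, dst)
    # 3. The new gateway must be directly reachable on our own subnet.
    if new_gw not in ipaddress.IPv4Network(my_net):
        return "new gateway %s is not on-link" % new_gw
    routes[dst] = str(new_gw)  # host route learned from the redirect
    return "applied"


if __name__ == "__main__":
    table = {"default": "192.168.1.1"}  # constructed sample host
    pkt = build_redirect("192.168.1.254", ipv4_header("192.168.1.10", "10.0.0.5"))
    print(process_redirect(pkt, "192.168.1.1", "192.168.1.10", "192.168.1.0/24", table), table)
    print(process_redirect(pkt, "192.168.1.66", "192.168.1.10", "192.168.1.0/24", table))
```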


How many tunnels [7:61006]

2003-01-14 Thread Ciaron Gogarty
Hi Group,

Does anyone know offhand how many simultaneous tunnels a Cisco 3620 can
handle (des and 3des)??

I can't find any hard evidence of this information on the cisco site...

Thanks,

CG





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61006&t=61006



RE: How many tunnels [7:61006]

2003-01-14 Thread Michael Tan
Maximum Number of Encrypted Tunnels
Up to 100 encrypted tunnels on a 1700, up to 300 tunnels on Cisco 2600, up to
800 for 2650 with AIM-VPN/EP, up to 800 tunnels for the Cisco 2600XMs,
2691, and 3725, up to 800 tunnels on Cisco 3620 and 3640, and up to 2,000
tunnels on Cisco 3660 and 3745.

http://www.cisco.com/en/US/partner/products/hw/routers/ps274/products_data_sheet09186a0080088750.html



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61007&t=61006



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Kim Graham
Maybe I should have asked if anyone is studying for the CCSP?  What exams
have you accomplished and what is your next step?  I may be amongst the
group of first participants in this set of exams (v3) and others are waiting
to get information concerning the exams before attempting.  *grins*

Kim / Zukee


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61008&t=60920



RE: PIX commands- add ports [7:60976]

2003-01-14 Thread Kim Graham
This is a fairly good link on object groups.  There is not an awful lot of
information on them as of yet but possibly an advanced search off of the
Cisco TAC website may pull some hits.   I had asked my Cisco rep the same
type of questions and this is what I was given.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml

Kim / Zukee


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61009&t=60976



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Hanna, Keith
Thinking about it at the minute.
I completed CSS1 the same week Cisco announced the CCSP, so I only need to
take the SAFE exam, but I'm not sure yet if I'll bother.
My current position doesn't deal as much with security as I'd like
(corporate team to do that), and if I changed positions/company, I suppose
it would depend on what I was doing in the new one.

I am tempted to 'just do it', but I tend not to be very motivated when
there's no reward.

Keith





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61010&t=60920



RE: How many tunnels [7:61006]

2003-01-14 Thread Howard C. Berkowitz
Of course, since tunneling tends to be processor intensive, these 
numbers are unlikely to be reachable in practice unless the router is 
running no dynamic routing, access lists, or other CPU intensive 
tasks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61011&t=61006



OT: Cisco Cache Engine Capabilities [7:61012]

2003-01-14 Thread YASSER ALY
Dear All,

Does anybody know if any of the Cisco Cache Engines are capable of caching
real audio, real video, mp3 and exe files?







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61012&t=61012



RE: Learning PIX [7:60919]

2003-01-14 Thread [EMAIL PROTECTED]
The following is what you must configure when the inside network 172.16.1.0
wants to access HTTP on the outside and ping the outside:

access-list inside_access_in permit tcp 172.16.1.0 255.255.255.0 any eq 80
access-list inside_access_in permit udp 172.16.1.0 255.255.255.0 any eq 53
access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any
access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


"Symon Thurlow" (sent by: nobody@groupstudy.com)
To: [EMAIL PROTECTED]
Subject: RE: Learning PIX [7:60919]
01/14/2003 10:40 AM
Please respond to "Symon Thurlow"

Yes to all!

-Original Message-
From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
Sent: 13 January 2003 18:05
To: Symon Thurlow; [EMAIL PROTECTED]
Subject: RE: Learning PIX [7:60919]


Can the PIX ping hosts out on the Internet?
Can the PIX ping an internal host? Can that host ping the internal
interface of the PIX?

> -Original Message-
> From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 13, 2003 11:31 AM
> To: Daniel Cotts; [EMAIL PROTECTED]
> Subject: RE: Learning PIX [7:60919]
>
>
> Hi,
>
> I have done both, and it still does not work! I have a linux
> box on the
> external segment, and I can ping the external interface of
> the PIX from
> it. I can also ping the Linux box from the PIX, but not through it.
>
> I get the feeling the answer to this will be a doh!, but I
> can't see it
> at the moment.
>
> Symon
>
> -Original Message-
> From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
> Sent: 13 January 2003 15:31
> To: Symon Thurlow; [EMAIL PROTECTED]
> Subject: RE: Learning PIX [7:60919]
>
>
> Good to do a "show interface" to make sure they are up.
> Might want to do a "conduit permit icmp any any" to do some
> ping tests.
> I'm assuming that your outside interface is reachable from
> the Internet.
> Verified?
>
> > -Original Message-
> > From: Symon Thurlow [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, January 12, 2003 7:57 PM
> > To: [EMAIL PROTECTED]
> > Subject: Learning PIX [7:60919]
> >
> >
> > Hi guys,
> >
> > I have begun to study the PIX. I have had exposure to them recently,
> > through a couple of 515e's, and had no problem configuring them
> > (with PDM...). I have plenty of Firewall experience, but very little
> > with PIX.
> >
> > I now have a 520 with a 2MB flash card that I am using for study. This
> > machine came with the 5.1(2) code, so no PDM. This is good, as I want
> > to learn to configure and troubleshoot them via command line anyway.
> >
> > I am following a Cisco Press PIX book, just to cut my teeth and
> > start to learn the commands. I have 3 interfaces in the 520.
> >
> > I have created a very simple configuration, that should allow anyone
> > internally to get access to the Internet, globally NATing to one valid
> > address. I want to get this working before getting in to more detail.
> >
> > When I try to gain access to the Internet through the PIX, it does
> > not work. I have put a packet sniffer on the external segment and
> > can not see any traffic coming from the PIX. If I do a show xlate I see
> > nothing. I am sending debug info to a SYSLOG server, but again see
> > nothing (except for when I wr mem etc).
> >
> > I have pasted the config below, can any of you see where I might be
> > going wrong. I have tried a few different ways to make this happen,
> > even copying sample configs from CCO, but I can't seem to make it work.
> >
> > I am not looking for the answer, more a helping hand to point me in
> > the right direction.
> >
> > Cheers,
> >
> > Symon
> >
> > PIX Version 5.1(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > nameif ethernet2 DMZ security50
> > enable password x
> > passwd x
> > hostname PIX1E
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 1720
> > fixup protocol rsh 514
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > names
> > pager lines 24
> > logging on
> > logging timestamp
> > no l

RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Andrew Larkins
I currently only have IDS (9E0-572) to go and am booked for next week
Thursday at 10am, and then I am CSS1 - apparently still valid until end Feb
2003. I will write the SAFE exam by early Feb 2003. Then I should be CCSP.

After that a short break and then onto CCIE - somehow I think with the kid
on the way in 2 months, I will have plenty of sleepless nights and thus,
time to study!!!

This should be interesting!

Andrew






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61013&t=60920



HIDS [7:61014]

2003-01-14 Thread Patrick Matthews
Using Cisco HIDS. I have 5 agents installed and running on 5 PCs, and I have
the console installed and running. All agents and the console are fully
licensed. I am running version 2.5.3. The problem I am experiencing is that
none of the agents show up in the console. If I do a network sniff I can see
all 5 agents communicating with the server (console machine) every 30 seconds
on port 5000, which is what both the agent and the console are set to (by
default), but I still can't see the agents listed in the console. Any help
would be greatly appreciated. Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61014&t=61014



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread [EMAIL PROTECTED]
Hi,

Me too, appearing for CSIDS (9E0-572) .. do u know what sort of questions wud
appear. I mean wud there be Match the following, Fill in the blanks or is it
simulation based one? I don't see much of commands (lots appeared in my
MCNS exam though). What all topics to be prepared on CSPM and IDS module for
sure I feel wud be tested a lot but other than that will there be any?

How much is the pass mark?

Any info is appreciated,
Thanks.
Murali





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61015&t=60920



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Andrew Larkins
I have no idea what sort of questions -  I am not really a fan of these
total outlines that say what exactly you need to know - step by step. I feel
that you must understand the concepts and be able to work it out - then you
are OK.
I am using the Cisco Press book at the moment and all is great EXCEPT for
chapter 10 - IDS signatures. Who in their right mind knows ALL the IDS
signatures by ID - sure we need to know the basic classes etc (1000 -
1), but not 156 pages of specifics!! Anyway I hope not.

So far there is nothing that is too complicated, just lots to remember. It
is at times like this I wish I had a CSPM box to play on - I have no real
ambition to be a qualified person who has never touched the goods - defeats
the object.  

My 2 cents worth!!

Andrew





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61017&t=60920



Low Latency Queue on ATM Subinterface [7:61018]

2003-01-14 Thread alaerte Vidali
The following LLQ is configured but no packets are going to the priority
queue; all packets go to the default class:

class-map match-all Priority-Queue
  match access-group name TV
!
policy-map Policy
  class Priority-Queue
priority 200
  class class-default
random-detect
fair-queue
!
interface ATM6/0/0.213 point-to-point
 bandwidth 1
 ip address 192.168.255.177 255.255.255.252
 ip pim version 1
 ip pim sparse-dense-mode
 ip ospf cost 8
 atm pvc 100 1 201 aal5snap
 service-policy output Policy
!
ip access-list extended TV
 permit udp host 1.1.1.1 host 239.192.10.22 eq 6


router#sh policy-map int atm 6/0/0.213 output 

 ATM6/0/0.213

  service-policy output: Policy

queue stats for all priority classes:
  queue size 0, queue limit 50
  packets output 0, packet drops 0
  tail/random drops 0, no buffer drops 0, other drops 0

class-map: Priority-Queue (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  match: access-group name TV
0 packets, 0 bytes
5 minute rate 0 bps
  Priority: kbps 200, burst bytes 5000, b/w exceed drops: 0

class-map: class-default (match-any)
  474896 packets, 516105147 bytes
  5 minute offered rate 1623000 bps, drop rate 0 bps
  match: any
474896 packets, 516105147 bytes
5 minute rate 1623000 bps
  queue size 0, queue limit 5838
  packets output 477559, packet drops 4
  tail/random drops 0, no buffer drops 0, other drops 4
  random-detect:
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0
Class Random   Tail   Minimum   Maximum   Mark         Output
      drop     drop   threshold threshold probability  packets
0     0        0      1459      2919      1/10         429315
1     0        0      1641      2919      1/10         0
2     0        0      1823      2919      1/10         0
3     0        0      2006      2919      1/10         0
4     0        0      2188      2919      1/10         0
5     0        0      2370      2919      1/10         48467
6     0        0      2553      2919      1/10         0
7     0        0      2735      2919      1/10         0
  fair-queue: per-flow queue limit 1459


Any clue?
Thanks


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61018&t=61018

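A first-match evaluator for the two rule sets on this page, as an added Python example that belongs to neither post: it parses the PIX inside_access_in entries from the "Learning PIX" reply (subnet-mask notation) and the named ACL TV that feeds class-map Priority-Queue in the LLQ post above (IOS wildcard notation), then classifies constructed sample packets. It shows only what the entries as written match: the TV entry classifies UDP from 1.1.1.1 to 239.192.10.22 with destination port 6, so the same stream on any other destination port, or from any other source, lands in class-default, which is one thing worth checking against the real traffic.

```python
import ipaddress


def _parse_addr(tokens, i, wildcard):
    """Consume one address spec: 'any' | 'host A' | 'A MASK'.

    Returns (IPv4Network, index of the next token). With wildcard=True the
    MASK is an IOS wildcard (0 bits must match); otherwise it is a PIX-style
    subnet mask.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:  # invert the wildcard to get the equivalent subnet mask
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network("%s/%s" % (tok, mask), strict=False), i + 2


def parse_ace(line, wildcard=False):
    """Parse one permit/deny entry (the subset of syntax used on this page).

    Accepts both 'access-list NAME permit ...' (PIX) and the bare
    'permit ...' lines of an IOS named ACL. An 'eq PORT' right after the
    source is a source port, after the destination a destination port; a
    trailing keyword on an icmp entry (e.g. echo-reply) is the ICMP type.
    """
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    ace = {"action": tokens[0], "proto": tokens[1],
           "sport": None, "dport": None, "icmp_type": None}
    ace["src"], i = _parse_addr(tokens, 2, wildcard)
    if i < len(tokens) and tokens[i] == "eq":
        ace["sport"], i = int(tokens[i + 1]), i + 2
    ace["dst"], i = _parse_addr(tokens, i, wildcard)
    rest = tokens[i:]
    if len(rest) >= 2 and rest[0] == "eq":
        ace["dport"] = int(rest[1])
    elif rest and ace["proto"] == "icmp":
        ace["icmp_type"] = rest[0]
    return ace


def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for pkt: the first matching entry wins and
    every ACL ends in an implicit deny.
    pkt keys: proto, src, dst and optionally sport, dport, icmp_type."""
    src = ipaddress.IPv4Address(pkt["src"])
    dst = ipaddress.IPv4Address(pkt["dst"])
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
            continue
        return ace["action"]
    return "deny"


# The inside_access_in entries from the "Learning PIX" reply (PIX masks).
PIX_INSIDE = [parse_ace(l) for l in [
    "access-list inside_access_in permit tcp 172.16.1.0 255.255.255.0 any eq 80",
    "access-list inside_access_in permit udp 172.16.1.0 255.255.255.0 any eq 53",
    "access-list inside_access_in permit icmp 172.16.1.0 255.255.255.0 any",
]]

# The named ACL TV behind class-map Priority-Queue in the LLQ post (IOS).
TV_ACL = [parse_ace("permit udp host 1.1.1.1 host 239.192.10.22 eq 6", wildcard=True)]


def llq_class(pkt):
    """Which class of policy-map Policy a packet would be placed in."""
    return "Priority-Queue" if evaluate(TV_ACL, pkt) == "permit" else "class-default"


if __name__ == "__main__":
    # Constructed sample packets; 198.51.100.0/24 is documentation space.
    print(evaluate(PIX_INSIDE, {"proto": "tcp", "src": "172.16.1.5", "dst": "198.51.100.7", "dport": 80}))
    print(evaluate(PIX_INSIDE, {"proto": "tcp", "src": "172.16.1.5", "dst": "198.51.100.7", "dport": 443}))
    print(llq_class({"proto": "udp", "src": "1.1.1.1", "dst": "239.192.10.22", "dport": 6}))
    print(llq_class({"proto": "udp", "src": "1.1.1.1", "dst": "239.192.10.22", "dport": 1234}))
```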


RE: Basic free training on the Switch 3550 [7:60989]

2003-01-14 Thread Lauren Child
The IPExpert.net tutorial is pretty good combined with the docs from CCO.

http://www.ipexpert.net/downloads/Catalyst_3550_Tutorial.zip

TTFN
Lauren


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61019&t=60989



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Hanna, Keith
Good luck!!
(for the exam and the kid)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61020&t=60920



RE: OT: Confusion on CISSP requirements [7:60997]

2003-01-14 Thread Aaron Ajello
I'm studying for the CISSP test right now and have wondered the same thing. 
I've talked to two people that have taken and passed the test (and been
confirmed by ISC2) and their jobs never were entirely security based but
always had some degree of security responsibility, as you're saying.
So I believe your experience meets the requirement.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61021&t=60997



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Hanna, Keith
Pass mark for me was 800 (back in November)

There were no simulation questions on mine, but a combination of all others.
I was asked about signatures, but tended to be general type questions rather
than absolute specifics.

More info can be found at:
http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/9E0-572.html





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61022&t=60920



IAS Authentication with Pix 515 [7:61023]

2003-01-14 Thread Kevin O'Gilvie
Hi All,

Does anyone know how to make IAS use Active Directory to authenticate VPN
users? I have the sample from Cisco, but that only displays local
authentication.

Thanks a bunch,

Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61023&t=61023



RE: QoS suggestion [7:60994]

2003-01-14 Thread John Humphrey
You've got a few options. The most basic (and most limited) is using IP RTP
Priority. The will prioritize all RTP traffic on the applied interface. The
best solution (IMHO) is to use LLQ. Low Latency Queueing can be thought of
as CB-WFQ with the added benefit of a priority queue. This is probably what
you want to do. Create a class-map (or map-class if it's a frame relay
interface) and apply the voice traffic to the priority queue with the
"priority" command, and then assign all your other traffic to a "fair
queue". CB-WFQ does provide a minimum bandwidth guarantee but it does not
give you the priority queue that voice traffic likes so much. Hope this helps.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61024&t=60994



RE: QoS suggestion [7:60994]

2003-01-14 Thread John Humphrey
Forgot to add one thing. You probably already know this, but if you
decide to use LLQ for a PPP serial connection (like a T1 or frac T1) you
will want to implement LFI (link fragmentation and interleave). This means
that your config will be implemented on a "multilink1" interface rather than
a physical interface. LFI allows you to circumvent excessive serialization
delays on slow WAN connections. This does not apply to frame relay
interfaces. Cisco has some really good docs on this topic. Let me know if
you would like more info. Hope this helps.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61025&t=60994



CCIE Written Study Material [7:61026]

2003-01-14 Thread Bob Henry
All,

What is a good Book to use as a basis for studying for
the CCIE written exam 350-001. I see this one on
Amazon. 

1) NLI's Study Guide for The CCIE R&S Written Exam

Please Advise,
Bob 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61026&t=61026



Re: IAS Authentication with Pix 515 [7:61023]

2003-01-14 Thread Patrick Matthews
I used the following document and it worked great - Very easy. Logs all VPN
access in both the IAS log files and on the Domain Controller running AD.
The 3rd part of the document explains the Win2k/IAS portion of the config.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration
_example09186a00800b6099.shtml





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61027&t=61023



Re: IAS Authentication with Pix 515 (Disregard) [7:61028]

2003-01-14 Thread Kevin O'Gilvie
I found it..

Thanks,

Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61028&t=61028



RE: QoS suggestion [7:60994]

2003-01-14 Thread alaerte Vidali
Do you have experience with LLQ and MSFC that you can share?

I configured LLQ but it seems packets are not going to the priority queue:

class-map match-all Priority-Queue
  match access-group name TV
!
policy-map Policy
  class Priority-Queue
priority 200
  class class-default
random-detect
fair-queue
!
interface ATM6/0/0.213 point-to-point
 bandwidth 1
 ip address 192.168.255.177 255.255.255.252
 ip pim version 1
 ip pim sparse-dense-mode
 ip ospf cost 8
 atm pvc 100 1 201 aal5snap
 service-policy output Policy
!
ip access-list extended TV
 permit udp host 1.1.1.1 host 239.192.10.22 eq 6


router#sh policy-map int atm 6/0/0.213 output 

 ATM6/0/0.213

  service-policy output: Policy

queue stats for all priority classes:
  queue size 0, queue limit 50
  packets output 0, packet drops 0
  tail/random drops 0, no buffer drops 0, other drops 0

class-map: Priority-Queue (match-all)
  0 packets, 0 bytes
  5 minute offered rate 0 bps, drop rate 0 bps
  match: access-group name TV
0 packets, 0 bytes
5 minute rate 0 bps
  Priority: kbps 200, burst bytes 5000, b/w exceed drops: 0

class-map: class-default (match-any)
  474896 packets, 516105147 bytes
  5 minute offered rate 1623000 bps, drop rate 0 bps
  match: any
474896 packets, 516105147 bytes
5 minute rate 1623000 bps
  queue size 0, queue limit 5838
  packets output 477559, packet drops 4
  tail/random drops 0, no buffer drops 0, other drops 4
  random-detect:
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0
Class  Random  Tail  Minimum    Maximum    Mark         Output
       drop    drop  threshold  threshold  probability  packets
0      0       0     1459       2919       1/10         429315
1      0       0     1641       2919       1/10         0
2      0       0     1823       2919       1/10         0
3      0       0     2006       2919       1/10         0
4      0       0     2188       2919       1/10         0
5      0       0     2370       2919       1/10         48467
6      0       0     2553       2919       1/10         0
7      0       0     2735       2919       1/10         0
  fair-queue: per-flow queue limit 1459



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61029&t=60994



RE: QoS suggestion [7:60994]

2003-01-14 Thread John Humphrey
I don't see any obvious problems with your configuration. I can, however,
offer a couple of troubleshooting tips. I would start by checking out the
access list ("show access-list") to make sure you have packets that qualify.
Second (and this is where I think your problem is), I would lose the
"match-all" in your class-map. Since you're only searching one criterion,
there's no need for the match-all (which is the default match clause
anyways). Here's a quote from Cisco's web site to confirm:

"The match all and match any options need to be specified only if more than
one match criterion is configured in the traffic class. The class-map
match-all command is used when all of the match criteria in the traffic
class must be met in order for a packet to match the specified traffic
class. The class-map match-any command is used when only one of the match
criterion in the traffic class must be met in order for a packet to match
the specified traffic class. If neither the match-all nor match-any keyword
is specified, the traffic class will behave in a manner consistent with
class-map match-all command"

Let me know what you find out. Hope this helps


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61030&t=60994
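As an added Python illustration (not code from anyone in this thread), here is a small model of the classification John's two replies describe: it parses the TV access list and the Priority-Queue class-map exactly as alaerte posted them, applies first-match ACL semantics and the match-all/match-any rule from the Cisco quote above, and reports which class a constructed flow lands in. It goes slightly beyond the posts by also handling wildcard-mask entries; the flows are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Flow:                      # a constructed packet description
    proto: str                   # 'udp', 'tcp', 'icmp', ...
    src: str
    dst: str
    dport: Optional[int] = None

def _parse_addr(tokens: List[str], i: int):
    """Parse one ACL address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    base, wild = (int(ipaddress.ip_address(tokens[k])) for k in (i, i + 1))
    # IOS wildcard: a 1 bit means "don't care", so compare with those bits forced on
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), i + 2

Ace = Tuple[str, Callable[[Flow], bool]]   # (action, predicate)
def _parse_ace(t: List[str]) -> Ace:
    """'permit|deny PROTO SRC DST [eq N]' -> (action, predicate over a Flow)."""
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None   # destination port only
    proto = t[1]
    def pred(f: Flow) -> bool:
        return ((proto == "ip" or proto == f.proto)
                and src(ipaddress.ip_address(f.src))
                and dst(ipaddress.ip_address(f.dst))
                and (dport is None or dport == f.dport))
    return t[0], pred

def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Collect 'ip access-list extended NAME' blocks into {name: [ace, ...]}."""
    acls, current = {}, None
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
            acls[current] = []
        elif t and t[0] in ("permit", "deny") and current is not None:
            acls[current].append(_parse_ace(t))
    return acls

def acl_permits(entries: List[Ace], f: Flow) -> bool:
    for action, pred in entries:       # first matching entry decides
        if pred(f):
            return action == "permit"
    return False                       # implicit deny at the end of every ACL

@dataclass
class ClassMap:
    name: str
    mode: str                    # 'match-all' (the default) or 'match-any'
    acl_names: List[str]         # from 'match access-group name NAME' lines
    def matches(self, f: Flow, acls: Dict[str, List[Ace]]) -> bool:
        hits = [acl_permits(acls[n], f) for n in self.acl_names]
        return all(hits) if self.mode == "match-all" else any(hits)

def parse_class_maps(text: str) -> List[ClassMap]:
    """'class-map [match-all|match-any] NAME'; an omitted keyword means match-all."""
    maps, cur = [], None
    for line in text.splitlines():
        t = line.split()
        if t and t[0] == "class-map":
            mode = t[1] if t[1] in ("match-all", "match-any") else "match-all"
            cur = ClassMap(t[-1], mode, [])
            maps.append(cur)
        elif t[:3] == ["match", "access-group", "name"] and cur is not None:
            cur.acl_names.append(t[3])
    return maps

def classify(f: Flow, class_maps: List[ClassMap], acls: Dict[str, List[Ace]]) -> str:
    for cm in class_maps:              # first class-map that matches wins
        if cm.matches(f, acls):
            return cm.name
    return "class-default"             # what the show output counted everything under

# The class-map and ACL exactly as posted in the thread.
CONFIG = """
class-map match-all Priority-Queue
  match access-group name TV
!
ip access-list extended TV
 permit udp host 1.1.1.1 host 239.192.10.22 eq 6
"""
ACLS, CLASS_MAPS = parse_acls(CONFIG), parse_class_maps(CONFIG)

def same_class_either_mode(f: Flow) -> bool:
    """John's point: with one match clause, match-all and match-any agree."""
    return all(ClassMap("x", m, ["TV"]).matches(f, ACLS) == acl_permits(ACLS["TV"], f)
               for m in ("match-all", "match-any"))

if __name__ == "__main__":             # constructed flows: port 6 is what the ACL permits
    for dport in (6, 5000):
        flow = Flow("udp", "1.1.1.1", "239.192.10.22", dport)
        print(flow, "->", classify(flow, CLASS_MAPS, ACLS))
```

Only a UDP flow to 239.192.10.22 on destination port 6 reaches the priority class; anything else from the same source falls to class-default, which is the pattern the show output reports.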



Bridging and STP issue [7:61031]

2003-01-14 Thread John Humphrey
Does anyone know which version of IEEE STP bridge-groups use? Switches use
the PVST+ (one spanning tree per vlan). However, I can't determine if router
bridge-groups use PVST+ or the IEEE standard CST (one spanning tree instance
for all vlans). Here's my dilemma: I've got a 4006 (Sup II) with a Layer 3
(WS-X4232-L3) module. I want to implement bridging on the subinterfaces on
the routing engine. The subinterfaces are running dot1q encap. for
inter-vlan routing (similar to how the 2600 series implements inter-vlan
routing). Anyway, I want to bridge IPX between two vlans while routing IP
(CRB will do this just fine, I don't need a BVI with IRB). My only concern
is having the bridge's STP calculation interfere with my other Catalyst STP
instances. Any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61031&t=61031



RE: CCIE Written Study Material [7:61026]

2003-01-14 Thread John Humphrey
I highly recommend Bruce Caslow's "Bridges, Routers & Switches for CCIEs".
This book is the best I've seen. I've also heard good things about "Internet
Routing Architectures" and "Routing TCP/IP" by Jeff Doyle. Hope this helps
and GOOD LUCK on your studies.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61032&t=61026



applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
I am new to PIX and have a simple question. What methods do you (PIX Admins)
use to change and apply access-lists. Unlike IOS access-lists it seems you
can remove statements from the middle of the list. When you do this does the
change occur immediately or do you have to reapply the access-group? Do you
need to do clear xlate after changing access-lists?

how about the following scenario:

I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

now I want to add  "access-list from-internet permit ip any host 10.10.10.2"
before "access-list from-internet permit ip any host 10.10.10.4".

What is the best way to do this?
I thought maybe I would create a new list :

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands.
Is this the standard way of making changes, or do you more experienced admins
have a better way? I'm migrating from a Checkpoint environment so this
wasn't an issue when administering them.

How about this for a good question: why aren't the access-lists on the
PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and
easy to work with?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61033&t=61033



CCIE READING [7:61034]

2003-01-14 Thread Manny
Is this a good reading list?

  a.. Routing TCP/IP Volume I (CCIE Professional Development) and Vol 2 by
Jeff Doyle (Textbook Binding)
  b.. Internet Routing Architectures (2nd Edition) by Sam Halabi, Danny
McPherson (Contributor) (Hardcover)
  c.. CCIE Practical Studies, Volume I by Karl Solie (Hardcover)
  d.. Cisco Certification: Bridges, Routers and Switches for CCIEs (2nd
Edition) by Andrew Bruce Caslow, et al (Hardcover)
  e.. Cisco CCIE Fundamentals: Network Design & Case Studies by Mark
McGregor (Textbook Binding)
Regards,
Manny




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61034&t=61034



RE: Confusion on CISSP requirements [7:60997]

2003-01-14 Thread William Gragido
Not necessarily Scott.  You've got to be able to prove (in other words have
documentable proof), that you've worked for a cumulative total of 4 years in
the security field.  Now, the caveat is that your work can be spread amongst
the ten domains or relegated to one as long as your total time meets the
minimum criteria.  Then you are eligible to test.  Once you test and pass,
you must then be sponsored by a CISSP in good standing.

Shoot me a note with any questions,

Will Gragido CISSP CCNP CIPTSS CCNA CCDA MCP blah blah blah
NSC
www.ins.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Scott
Sent: Monday, January 13, 2003 6:44 PM
To: [EMAIL PROTECTED]
Subject: OT: Confusion on CISSP requirements [7:60997]


I'm a CCIE with over 4 years of experience in networking and a college
degree.  Each position I have had required a small percentage of security
related work.  Does that satisfy the requirements or are they asking for
100% security work?  Any help greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61035&t=60997



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Kim Graham
Great to know I am not alone.  I noticed you all were doing the earlier exam
and not the new one.  Any particular reason?  From my understanding you can
mix versions of tests to come to the same conclusion.

Andrew I follow your same thought patterns to a point.  It would not feel
right getting a cert without the hands on knowledge or the knowledge that 
you will use the cert once you obtain it. But there are many that enjoy the
challenge just to see if they can do it. Personally I cannot fault anyone
that enjoys those challenges in life.  But using what you learn is satisfying.

Keith if you do attempt the SAFE exam make sure you know the SAFE
whitepaper.  From what I have heard the blueprint and that document help you
get past the exam.   As for an award the extra signature could be one, or
the satisfaction that you passed?  How about taking yourself out to dinner
or enjoying a new "toy". No one ever said you could not reward yourself
for a job well done. *grins*

Good luck to everyone on their exams.
Congrats to Andrew are on the way for the new baby.  There are others that
have taken that same time to accomplish their CCIE.  Maybe check up with
them to see how they handled the 1 hour study sessions in between baby watch.

Kim / Zukee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61036&t=60920



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Waters, Kristina
Sam,

I used to copy my list out to notepad and add the new line. Do a 'no
access-list from-internet', then cut and paste the new one back in. Keep in
mind this will briefly leave you with no access list on that interface. Then
re-enter the 'access-group from-internet in interface outside' command, as
it will remove it when you do the no access-list command.

You can also use subnet masks if you have a group of IPs; for example,
adding 10.10.10.0/29 would grant access to hosts 10.10.10.1 - 7.

Someone here also posted a good link to some new features that are available
in 6.2 that might be useful,


http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech
_note09186a00800d641d.shtml


Kris.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61037&t=61033
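An added Python helper (not from Kris or Sam) that generates the cut-over Kris describes for the from-internet list above: remove the list, re-enter it with the new line in place, re-bind the access-group. Before emitting anything it checks that every old entry survived in order, that deny ip any any is still last, and that all lines carry the same list name; the list with a stray old name is constructed to show that last check. PIX syntax and the interface name are taken from the posts.

```python
from typing import List

# The access list and binding from Sam's post (PIX 6.x syntax).
OLD_ACL = [
    "access-list from-internet permit ip any host 10.10.10.1",
    "access-list from-internet permit ip any host 10.10.10.4",
    "access-list from-internet permit ip any host 10.10.10.5",
    "access-list from-internet deny ip any any",
]
INTERFACE = "outside"
DENY_ALL = ("deny", "ip", "any", "any")

def acl_name(line: str) -> str:
    return line.split()[1]

def rule(line: str) -> tuple:
    """Everything after the list name: the part that decides the verdict."""
    return tuple(line.split()[2:])

def insert_before(acl: List[str], new_line: str, before_line: str) -> List[str]:
    """Copy of the list with new_line placed just ahead of before_line."""
    idx = acl.index(before_line)
    return acl[:idx] + [new_line] + acl[idx:]

def old_entries_preserved(old: List[str], new: List[str]) -> bool:
    """Every old rule must still appear, in the same order (catches paste slips).
    'x in iterator' consumes up to the match, which makes this a subsequence test."""
    remaining = iter(rule(line) for line in new)
    return all(rule(o) in remaining for o in old)

def lint(acl: List[str]) -> List[str]:
    """Problems that would make the pasted list do something other than intended."""
    problems = []
    names = {acl_name(line) for line in acl}
    if len(names) != 1:
        problems.append(f"mixed access-list names {sorted(names)}: lines would land in different lists")
    if rule(acl[-1]) != DENY_ALL:
        problems.append("last entry is not 'deny ip any any'")
    for i, line in enumerate(acl[:-1]):
        if rule(line) == DENY_ALL:
            problems.append(f"'deny ip any any' at line {i + 1} shadows everything after it")
    seen = set()
    for line in acl:
        if rule(line) in seen:
            problems.append(f"duplicate entry: {line}")
        seen.add(rule(line))
    return problems

def cutover_commands(old: List[str], new: List[str], iface: str) -> List[str]:
    """Kris's procedure: 'no' the old list (which also drops its binding), re-enter
    the lines, re-bind with access-group. Refuses to emit anything if checks fail."""
    problems = lint(new)
    if not old_entries_preserved(old, new):
        problems.append("an existing entry was dropped or reordered")
    if problems:
        raise ValueError("; ".join(problems))
    return ([f"no access-list {acl_name(old[0])}"] + new
            + [f"access-group {acl_name(new[0])} in interface {iface}"])

# The change Sam wants: 10.10.10.2 ahead of 10.10.10.4.
NEW_ACL = insert_before(OLD_ACL,
                        "access-list from-internet permit ip any host 10.10.10.2",
                        "access-list from-internet permit ip any host 10.10.10.4")

# Constructed slip of the kind that is easy to make when renaming a list in an
# editor: one line still carries the old name and would go into the old list.
MIXED_NAMES = [
    "access-list from-internet2 permit ip any host 10.10.10.1",
    "access-list from-internet permit ip any host 10.10.10.2",
    "access-list from-internet2 permit ip any host 10.10.10.4",
    "access-list from-internet2 permit ip any host 10.10.10.5",
    "access-list from-internet2 deny ip any any",
]

if __name__ == "__main__":
    print("\n".join(cutover_commands(OLD_ACL, NEW_ACL, INTERFACE)))
    print("problems in the mixed-name list:", lint(MIXED_NAMES))
```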



Re: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Marcin Strzyzewski
Andrew Larkins wrote:

>I currently only have IDS (9E0-572) to go and am booked for next week
>Thursday at 10am and then I am CSS1 - apparently still valid until end Feb
>2003. I will write the SAFE exam my early Feb 2003. Then I should be CCSP.
>  
>
just my 0.02 euro:
I completed CSS1 and some months ago passed the CCIE Sec written;
now in 2, maybe 3 weeks I will try CSI,
and in parallel I'm studying for the lab with CCBootcamp labs.



-- 
Marcin Strzyzewski

Warsaw University of Technology
Faculty of Electronics and Information Technology
Institute of Telecommunication




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61016&t=60920



Switching LAB [7:61038]

2003-01-14 Thread Richard Burdette
I've completed the BSCI and BCRAN exams toward the CCNP.  I'm now working on
the Switching test and wonder if my home lab is robust enough for the task.

What I have is an old Cat5000 (w/ 12 port 10/100 blade) with a SUP I engine
and a 1912.  I know that I can play lab rat with many of the switching
features with these switches and some FE interfaced routers I have, but I
think I could miss out on some of the more complex STP type of scenarios.
What additional devices or upgrades might I get that would be most
beneficial?  Upgrade the Sup engine, add an RSM, or buy some additional
switches?  I would like to spend as little as possible and I realize the
3550's are a hot item, but I may or may not attempt the CCIE.

What's the best way to spend my money?  Thank you.

Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61038&t=61038



PIX Logging [7:61039]

2003-01-14 Thread Azhar Teza
I have a PIX 525 with 6.1(1) version.  I have setup a kiwi syslog server for
logging.  What is the best choice out of:
0-emergencies-System unusable messages
1-alerts-Take immediate action
2-critical-Critical condition
3-errors-Error message
4-warnings-Warning message
5-notifications-Normal but significant condition
6-informational-Information message
7-debugging-Debug messages and log FTP commands and WWW URLs
 
Thanks,
Teza





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61039&t=61039



RE: CCIE READING [7:61034]

2003-01-14 Thread Azhar Teza
Add Cisco LAN Switching to it.  I would also recommend having William
Parkhurst's BGP and OSPF Configuration books.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61040&t=61034



Re: Low Latency Queue on ATM Subinterface [7:61018]

2003-01-14 Thread YASSER ALY
Add the keyword "log" at the end of your access list and check whether
there are really hits matching the ACL or not. Maybe everything is right
and you are just sending other traffic not matching the ACL.

 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61042&t=61018



PIX access-list problem [7:61043]

2003-01-14 Thread Sam Sneed
I cannot seem to get the following config to work and am clueless why. My
incoming access lists for DMZ and outside are wide open. The goal is not to
NAT the DMZ at all, since it's public addressing. I can't even ping hosts on the
outside network from PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

access-list internal permit ip 172.19.90.0 255.255.255.0 any

access-list test permit ip any any
access-list test permit icmp any any

access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0
255.255.255.0

ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0

global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61043&t=61043



RE: ICMP [7:61004]

2003-01-14 Thread Priscilla Oppenheimer
=?iso-8859-1?q?maine=20dude?= wrote:
> 
> Hi All,
> 
> Quick question-
> 
> When a router sends a redirect to a particular host, how does
> the host
> 
> remember to use this in the future, does the ICMP place an
> entry into the
> 
> hosts routing table?

Yes, the host places the new routing info in its routing table. On a Windows
machine, you can see this with the "route print" command.

There are some caveats, however. One caveat is that the entry stays in the
table for a limited time. Windows seems to only keep it in the table for 10
minutes.

Another caveat is that Windows doesn't enter a route for the entire network,
even if the ICMP Redirect that comes back is Redirect for the Network (Type
5, Code 0).

Instead, Windows (and probably other operating systems) places a host
specific route in the routing table.

For example:

1) PC sends to 10.0.0.1 using router ABC
2) Router ABC sends back an ICMP redirect saying use router XYZ for that
network. (Redirect for Net, Type 5, Code 0)
3) PC places in its routing table 10.0.0.1 255.255.255.255 XYZ 

So, why didn't it place the following entry in its table, considering that
it received a Redirect for the network and not a Redirect for the host?

10.0.0.0 255.0.0.0 XYZ 


Give it some thought...
...more thought...
...do you have an idea?
...trying not to give it away before you give it some thought.

Answer: The host can't know about subnet masks being used elsewhere. Also,
with classless addressing, it can't assume a Class A mask for network
10.0.0.0.

The host can't know for sure that ALL of 10.0.0.0/8 is reachable by the
router that claims that it is. With variable-length subnet masking,
classless addressing, discontiguous subnets and all the other things people
do to their network designs, the safest thing for the host to do is to place
a host-specific route into its table.

Just thought I'd turn this into a more advanced "lesson." :-)

___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61048&t=61004
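As an added Python illustration (not from Priscilla's post), a toy host routing table that handles an ICMP Redirect the way she describes: a /32 host route whether the message is Redirect-for-Network or Redirect-for-Host, aged out after the ten minutes she observed on Windows. It also adds the acceptance checks from RFC 1122 section 3.2.2.2 (the redirect must come from the gateway currently in use for that destination and must name an on-link gateway), which the post does not discuss; the router addresses and LAN are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

ICMP_REDIRECT = 5                       # ICMP type
REDIRECT_NET, REDIRECT_HOST = 0, 1      # the two codes discussed in the post
HOST_ROUTE_TTL = 600                    # seconds; the ~10 minutes observed on Windows

Route = Tuple[ipaddress.IPv4Network, str, Optional[int]]   # (prefix, gateway, expiry)

class HostRoutingTable:
    """Minimal host table: a default route plus redirect-learned /32 entries."""

    def __init__(self, local_net: str, default_gw: str):
        self.local_net = ipaddress.ip_network(local_net)
        self.routes: List[Route] = [(ipaddress.ip_network("0.0.0.0/0"), default_gw, None)]

    def lookup(self, dst: str, now: int) -> Optional[str]:
        """Longest-prefix match over entries that have not expired."""
        ip = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for route in self.routes:
            prefix, _gw, expires = route
            if expires is not None and expires <= now:
                continue                        # aged out, like the Windows entry
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = route
        return best[1] if best else None

    def handle_icmp(self, icmp_type: int, code: int, src: str,
                    new_gw: str, dst: str, now: int) -> bool:
        """Process a received ICMP message; True if a redirect was installed."""
        if icmp_type != ICMP_REDIRECT or code not in (REDIRECT_NET, REDIRECT_HOST):
            return False
        # RFC 1122 3.2.2.2: only the gateway currently used for dst may redirect
        # us, and the new gateway must be directly reachable. Otherwise discard.
        if src != self.lookup(dst, now):
            return False
        if ipaddress.ip_address(new_gw) not in self.local_net:
            return False
        # Even for a Redirect-for-Network install a host route: the host has no
        # way to know the mask in use for the remote network (Priscilla's point).
        self.routes.append((ipaddress.ip_network(f"{dst}/32"), new_gw, now + HOST_ROUTE_TTL))
        return True

def walkthrough() -> Dict[str, object]:
    """Replays the three-step example from the post with constructed addresses."""
    abc, xyz = "192.0.2.1", "192.0.2.2"         # routers ABC and XYZ on the PC's LAN
    table = HostRoutingTable("192.0.2.0/24", default_gw=abc)
    t0 = 0
    # Steps 1 and 2: the PC used ABC for 10.0.0.1; ABC answers Redirect-for-Network.
    accepted = table.handle_icmp(ICMP_REDIRECT, REDIRECT_NET, src=abc,
                                 new_gw=xyz, dst="10.0.0.1", now=t0)
    return {
        "accepted": accepted,
        # Step 3: 10.0.0.1 now goes via XYZ ...
        "redirected_host": table.lookup("10.0.0.1", t0),
        # ... but nothing else in 10/8 changed, because only a /32 was installed.
        "neighbour_host": table.lookup("10.0.0.2", t0),
        # After the TTL the host route is gone and ABC is used again.
        "after_expiry": table.lookup("10.0.0.1", t0 + HOST_ROUTE_TTL),
        # A redirect from anything other than the current gateway is ignored ...
        "from_non_gateway": table.handle_icmp(ICMP_REDIRECT, REDIRECT_HOST, src="198.51.100.9",
                                              new_gw=xyz, dst="10.0.0.3", now=t0),
        # ... and so is one that points at a gateway the host cannot reach directly.
        "offlink_gateway": table.handle_icmp(ICMP_REDIRECT, REDIRECT_HOST, src=abc,
                                             new_gw="203.0.113.1", dst="10.0.0.4", now=t0),
    }

if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:>18}: {value}")
```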



Voip / Blocking special service numbers [7:61049]

2003-01-14 Thread UASAHIN
Hello All
How can I block some special service numbers (like adult services) on a voice
"termination" router, which is an AS5300 with 1 E1 for outgoing calls through
POTS.
thanks in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61049&t=61049



RE: IAS Authentication with Pix 515 [7:61023]

2003-01-14 Thread Greg Owens Jr
By default, it should authenticate to AD first if it is part of the domain
and you have to enable the user object to have remote connectivity.  I did it
three months ago.

Greg Owens
202-398-2552
fax 202-399-7690






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61050&t=61023



RE: PIX access-list problem [7:61043]

2003-01-14 Thread Waters, Kristina
Sam,

Do you have any sort of statement that's translating the addresses in your
DMZ? For example,

static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255

If you aren't nat'ing I believe you still have to translate the address. 

HTH,
Kris.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61051&t=61043



RE: ICMP [7:61004]

2003-01-14 Thread Black Jack
Hmm...that suggests that a VLSM-aware redirect would be useful. Send the
mask along with the network address in other words. Does such a thing exist,
or has it ever been proposed?


> Answer: The host can't know about subnet masks being used
> elsewhere. Also, with classless addressing, it can't assume a
> Class A mask for network 10.0.0.0.
> 
> The host can't know for sure that ALL of 10.0.0.0/8 is
> reachable by the router that claims that it is. With
> variable-length subnet masking, classless addressing,
> discontiguous subnets and all the other things people do to
> their network designs, the safest thing for the host to do is
> to place a host-specific route into its table.
> 
> Just thought I'd turn this into a more advanced "lesson." :-)
> 
> ___
> 
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
> 
> 
> > 
> >  
> > 
> > Thanks in advance.
> > 
> > -DJ
> > 
> > 
> > 
> > 
> > -
> > With Yahoo! Mail you can get a bigger mailbox -- choose a size
> > that fits your needs
> > 
> > 
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61052&t=61004



Re: Low Latency Queue on ATM Subinterface [7:61018]

2003-01-14 Thread [EMAIL PROTECTED]
Trying to use the log keyword, I got the following message:

class-map TV : access-list with 'log' not supported
class-map Policy : access-list with 'log' not supported






"YASSER ALY" @groupstudy.com on 2003-01-14 15:47:54

Please respond to "YASSER ALY"

Sent by:  [EMAIL PROTECTED]


To:  [EMAIL PROTECTED]
cc:

Subject:  Re: Low Latency Queue on ATM Subinterface [7:61018]


Add the keyword "log" at the end of your access list and check whether
there are really hits matching the ACL or not. Maybe everything is right
and you are just sending other traffic that doesn't match the ACL.



>From: "alaerte Vidali"
>
>The following LLQ is configured but no packets are going to the priority
>queue; all packets go to the default class:
>
>class-map match-all Priority-Queue
>  match access-group name TV
>!
>policy-map Policy
>  class Priority-Queue
>    priority 200
>  class class-default
>    random-detect
>    fair-queue
>!
>interface ATM6/0/0.213 point-to-point
>  bandwidth 1
>  ip address 192.168.255.177 255.255.255.252
>  ip pim version 1
>  ip pim sparse-dense-mode
>  ip ospf cost 8
>  atm pvc 100 1 201 aal5snap
>  service-policy output Policy
>!
>ip access-list extended TV
>  permit udp host 1.1.1.1 host 239.192.10.22 eq 6
>
>router#sh policy-map int atm 6/0/0.213 output
>
> ATM6/0/0.213
>
>  service-policy output: Policy
>
>   queue stats for all priority classes:
>    queue size 0, queue limit 50
>    packets output 0, packet drops 0
>    tail/random drops 0, no buffer drops 0, other drops 0
>
>   class-map: Priority-Queue (match-all)
>    0 packets, 0 bytes
>    5 minute offered rate 0 bps, drop rate 0 bps
>    match: access-group name TV
>     0 packets, 0 bytes
>     5 minute rate 0 bps
>    Priority: kbps 200, burst bytes 5000, b/w exceed drops: 0
>
>   class-map: class-default (match-any)
>    474896 packets, 516105147 bytes
>    5 minute offered rate 1623000 bps, drop rate 0 bps
>    match: any
>     474896 packets, 516105147 bytes
>     5 minute rate 1623000 bps
>    queue size 0, queue limit 5838
>    packets output 477559, packet drops 4
>    tail/random drops 0, no buffer drops 0, other drops 4
>    random-detect:
>     Exp-weight-constant: 9 (1/512)
>     Mean queue depth: 0
>     Class  Random  Tail  Minimum    Maximum    Mark         Output
>            drop    drop  threshold  threshold  probability  packets
>     0      0       0     1459       2919       1/10         429315
>     1      0       0     1641       2919       1/10         0
>     2      0       0     1823       2919       1/10         0
>     3      0       0     2006       2919       1/10         0
>     4      0       0     2188       2919       1/10         0
>     5      0       0     2370       2919       1/10         48467
>     6      0       0     2553       2919       1/10         0
>     7      0       0     2735       2919       1/10         0
>    fair-queue: per-flow queue limit 1459
>
>Any clue?







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61053&t=61018



Re: PIX access-list problem [7:61043]

2003-01-14 Thread Sam Sneed
This type of NAT is required for incoming connections. I can't get access
going out, so I haven't even looked at that yet. Even worse, from
83.23.44.60 (outside interface of the PIX) I can't ping 83.23.44.50, which is
outside of the PIX. If you look at my access-list, this should not be a
problem. I am stumped on this.
"Waters, Kristina" wrote in message news:[EMAIL PROTECTED]...
> Sam,
>
> Do you have any sort of statement that's translating the addresses in your
> DMZ? For example,
>
> static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255
>
> If you aren't nat'ing I believe you still have to translate the address.
>
> HTH,
> Kris.
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 14, 2003 2:08 PM
> To: [EMAIL PROTECTED]
> Subject: PIX access-list problem [7:61043]
>
>
> I cannot seem to get the following config to work and am clueless why. My
> incoming access lists for DMZ and outside are wide open. The goal is never to
> NAT the DMZ, since it's public addressing. I can't even ping hosts on the
> outside network from PIX. Why am I having these problems?
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
>
> access-list internal permit ip 172.19.90.0 255.255.255.0 any
>
> access-list test permit ip any any
> access-list test permit icmp any any
>
> access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0
> 255.255.255.0
>
> ip address outside 83.23.44.60 255.255.255.192
> ip address inside 172.19.90.1 255.255.255.0
> ip address dmz 83.23.43.250 255.255.255.0
>
> global (outside) 1 83.23.44.58
> nat (inside) 0 access-list int-dmz
> nat (inside) 1 172.19.90.0 255.255.255.0 0 0
> nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
> access-group test in interface outside
> access-group test in interface dmz
> route outside 0.0.0.0 0.0.0.0 83.23.44.1 1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61054&t=61043



route-map deny_lo1 - now working?? [7:61055]

2003-01-14 Thread Cisco Nuts
Hello,
I have a loopback interface 1 that I am trying to deny under redistribute
connected under OSPF, but am having no luck. What am I doing wrong? Please
advise. Thank you.

Config:

TS#
interface Loopback1
ip address 1.1.1.1 255.255.255.255

router ospf 100
redistribute connected subnets route-map deny_lo1

route-map deny_lo1 deny 10
match ip address 99
!
route-map deny_lo1 permit 20
match ip address 98

access-list 98 permit any
access-list 99 permit 1.1.1.0

On the neighboring router:

RTE#r
1.0.0.0/32 is subnetted, 1 subnets
O E2    1.1.1.1 [110/20] via 110.99.100.1, 00:05:02, Serial0.100

It does not matter if I change the access-list to permit 1.0.0.0 or host 
1.1.1.1 !!!

I just cannot seem to figure out why I cannot deny this route from being 
entered into the routing table!!












Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61055&t=61055



Re: PIX Logging [7:61039]

2003-01-14 Thread MADMAN
Depends what you want; if you want it all, pick 7 :)

   Dave

Azhar Teza wrote:
> I have a PIX 525 with 6.1(1) version.  I have setup a kiwi syslog server
for
> logging.  What is the best choice out of
> 0-emergencies-System unusable messages
> 1-alerts-Take immediate action
> 2-critical-Critical condition
> 3-errors-Error message
> 4-warnings-Warning message
> 5-notifications-Normal but significant condition
> 6-informational-Information message
> 7-debugging-Debug messages and log FTP commands and WWW URLs
>  
> Thanks,
> Teza
> 
> ___
> Join Excite! - http://www.excite.com
> The most personalized portal on the Web!
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61056&t=61039



Global Address and the Static command [7:61057]

2003-01-14 Thread [EMAIL PROTECTED]
Say I set up a global pool:

Example

- global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
- NAT the inside LAN addresses.

On my DMZ or internal network I want to create a static mapping to the mail
server.

My Question:

Can I use one of the globally assigned addresses, or do I re-arrange the pool
to free up an address?

Revision Example

- global (outside) 1 199.199.199.3-199.199.199.61 netmask 255.255.255.192
- static (inside,outside) 199.199.199.62 192.168.0.1 netmask 255.255.255.255
- conduit permit tcp host 199.199.199.62 eq smtp any

Thanks in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61057&t=61057



Re: route-map deny_lo1 - now working?? [7:61055]

2003-01-14 Thread Scott
It's a /32 and you are denying a /24.  Try this:

interface lo1
ip ospf network point-to-point

or

access-list 99 permit host 1.1.1.1

HTH,
Scott

"Cisco Nuts" wrote in message news:[EMAIL PROTECTED]...
> Hello,
> I have a loopback interface 1 that I am trying to deny under redistribute
> connected under ospf but am having no luck? What am I doing wrong? Please
> advise. Thank you.
>
> Config:
>
> TS#
> interface Loopback1
> ip address 1.1.1.1 255.255.255.255
>
> router ospf 100
> redistribute connected subnets route-map deny_lo1
>
> route-map deny_lo1 deny 10
> match ip address 99
> !
> route-map deny_lo1 permit 20
> match ip address 98
>
> access-list 98 permit any
> access-list 99 permit 1.1.1.0
>
> On the neighboring router:
>
> RTE#r
> 1.0.0.0/32 is subnetted, 1 subnets
> O E2    1.1.1.1 [110/20] via 110.99.100.1, 00:05:02, Serial0.100
>
> It does not matter if I change the access-list to permit 1.0.0.0 or host
> 1.1.1.1 !!!
>
> I just cannot seem to figure out why I cannot deny this route from being
> entered into the routing table!!
>
>
>
>
>
>
>
>
> _
> Help STOP SPAM: Try the new MSN 8 and get 2 months FREE*
> http://join.msn.com/?page=features/junkmail




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61058&t=61055



Re: route-map deny_lo1 - now working?? [7:61055]

2003-01-14 Thread John Neiberger
>Hello,
>I have a loopback interface 1 that I am trying to deny under redistribute
>connected under ospf but am having no luck? What am I doing wrong? Please
>advise. Thank you.
>
>Config:
>
>TS#
>interface Loopback1
>ip address 1.1.1.1 255.255.255.255
>
>router ospf 100
>redistribute connected subnets route-map deny_lo1
>
>route-map deny_lo1 deny 10
>match ip address 99
>!
>route-map deny_lo1 permit 20
>match ip address 98
>
>access-list 98 permit any
>access-list 99 permit 1.1.1.0
>
>On the neighboring router:
>
>RTE#r
>1.0.0.0/32 is subnetted, 1 subnets
>O E2    1.1.1.1 [110/20] via 110.99.100.1, 00:05:02, Serial0.100
>
>It does not matter if I change the access-list to permit 1.0.0.0 or host
>1.1.1.1 !!!
>
>I just cannot seem to figure out why I cannot deny this route from being
>entered into the routing table!!
>

Have you tried using a wildcard mask in your access list?

John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61059&t=61055
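Scott's and John's replies both come down to how a standard ACL without a wildcard is evaluated when a route-map uses it to filter redistribution. The Python below is an added example written for this digest, not code from any poster or from Cisco: it models IOS standard-ACL wildcard matching and route-map sequence fall-through as applied to a redistributed prefix, then runs the poster's ACL 99 variants against 1.1.1.1/32. In this model `permit 1.1.1.0` and `permit 1.0.0.0` carry the implicit wildcard 0.0.0.0, so they match only that exact address, never the /32; sequence 10 does not match, sequence 20 permits, and the route is redistributed. `permit host 1.1.1.1` or `permit 1.1.1.0 0.0.0.255` would match the deny sequence. The model says nothing about why the poster still saw the route after trying `host 1.1.1.1`; that is state on the boxes, not matching logic.

```python
import ipaddress


def wildcard_match(ace_addr: str, wildcard: str, addr: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'.
    An omitted wildcard on a standard ACL is 0.0.0.0, i.e. an exact match."""
    a = int(ipaddress.IPv4Address(ace_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    x = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (x & care)


def parse_standard_acl(lines):
    """Turn 'access-list N {permit|deny} {any | host A | A [WILDCARD]}' lines
    into (action, address, wildcard) tuples, in order."""
    entries = []
    for line in lines:
        t = line.split()
        action, target = t[2], t[3]
        if target == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            entries.append((action, t[4], "0.0.0.0"))
        else:
            entries.append((action, target, t[4] if len(t) > 4 else "0.0.0.0"))
    return entries


def acl_permits(entries, addr: str) -> bool:
    """First matching entry wins; the implicit deny at the end catches the rest."""
    for action, ace_addr, wildcard in entries:
        if wildcard_match(ace_addr, wildcard, addr):
            return action == "permit"
    return False


def route_map_allows(sequences, acls, prefix: str) -> bool:
    """sequences: ordered (action, acl_number) pairs, one per route-map sequence
    with a 'match ip address <acl>' clause. A sequence matches the route when
    its ACL *permits* the route's network address (an ACL deny only means
    'not this sequence'). If no sequence matches, the route is dropped."""
    net_addr = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, acl_number in sequences:
        if acl_permits(acls[acl_number], net_addr):
            return action == "permit"
    return False


# route-map deny_lo1: deny 10 / match ip address 99, permit 20 / match ip address 98
DENY_LO1 = [("deny", 99), ("permit", 98)]
ACL_98 = parse_standard_acl(["access-list 98 permit any"])

# The three ACL 99 variants the poster tried, plus one with an explicit wildcard
ACL_99_VARIANTS = {
    "permit 1.1.1.0": ["access-list 99 permit 1.1.1.0"],
    "permit 1.0.0.0": ["access-list 99 permit 1.0.0.0"],
    "permit host 1.1.1.1": ["access-list 99 permit host 1.1.1.1"],
    "permit 1.1.1.0 0.0.0.255": ["access-list 99 permit 1.1.1.0 0.0.0.255"],
}


def redistributed(prefix: str = "1.1.1.1/32") -> dict:
    """For each ACL 99 variant: does route-map deny_lo1 let the prefix through?"""
    return {
        name: route_map_allows(DENY_LO1, {98: ACL_98, 99: parse_standard_acl(lines)}, prefix)
        for name, lines in ACL_99_VARIANTS.items()
    }


if __name__ == "__main__":
    for name, allowed in redistributed().items():
        print(f"access-list 99 {name:26s} -> {'redistributed' if allowed else 'filtered'}")
```

The same evaluator shows the other half of the picture: with only the deny sequence and no trailing `permit 20`, every prefix that fails to match ACL 99 falls off the end of the route-map and is dropped, which is the usual way people accidentally filter everything.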



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
Why don't you try removing the line you want it to be below (as well as the
deny ip any any at the end) then put in the new line, the next line(s) and
the deny line?

ie
no access-list from-internet permit ip any host 10.10.10.4
no access-list from-internet permit ip any host 10.10.10.5
no access-list from-internet deny ip any any

access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

That should leave you with 

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

It's a little shuffling but it gets you there ;)  Is there any reason other
than numerical order that the 10.10.10.2 line needs to be above the
10.10.10.4 line since they're all permits anyway?

Also, for my own interest, is the deny ip any any required?  I was of the
impression that everything was closed until you opened it which means there
should already be an implicit deny ip any any.. ?

Em




-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]


I am new to PIX and have a simple question. What methods do you (PIX Admins)
use to change and apply access-lists. Unlike IOS access-lists it seems you
can remove statements from the middle of the list. When you do this does the
change occur immediately or do you have to reapply the access-group? Do you
need to do clear xlate after changing access-lists?

How about the following scenario:

I have a PIX whose outside interface has the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

now I want to add  "access-list from-internet permit ip any host 10.10.10.2"
before "access-list from-internet permit ip any host 10.10.10.4".

What is the best way to do this?
I thought maybe I would create a new list :

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands.
Is this the standard way of making changes, or do you more experienced admins
have a better way? I'm migrating from a Checkpoint environment so this
wasn't an issue when administering them.

How about this for a good question: why aren't the access-lists on the
PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and
easy to work with?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61060&t=61033



Re: ICMP [7:61004]

2003-01-14 Thread MADMAN
I think Priscilla gives some good reasons why a "VLSM-aware" redirect
may not be very effective.  Also redirects for the default route or networks
outside of your IGP would be problematic.

   Dave

Black Jack wrote:
> Hmm...that suggests that a VLSM-aware redirect would be useful. Send the
> mask along with the network address in other words. Does such a thing
exist,
> or has it ever been proposed?
> 
> 
> 
>>Answer: The host can't know about subnet masks being used
>>elsewhere. Also, with classless addressing, it can't assume a
>>Class A mask for network 10.0.0.0.
>>
>>The host can't know for sure that ALL of 10.0.0.0/8 is
>>reachable by the router that claims that it is. With
>>variable-length subnet masking, classless addressing,
>>discontiguous subnets and all the other things people do to
>>their network designs, the safest thing for the host to do is
>>to place a host-specific route into its table.
>>
>>Just thought I'd turn this into a more advanced "lesson." :-)
>>
>>___
>>
>>Priscilla Oppenheimer
>>www.troubleshootingnetworks.com
>>www.priscilla.com
>>
>>
>>
>>> 
>>>
>>>Thanks in advance.
>>>
>>>-DJ
>>>
>>>
>>>
>>>
>>>-
>>>With Yahoo! Mail you can get a bigger mailbox -- choose a size
>>>that fits your needs
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61061&t=61004



Re: applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
The deny statement is there implicitly, but if you put it in as well, when you
do a show access-list command you will see the statistics of how many times
it was "hit".

As far as your suggestion goes, it may not work as well if you have over 100
access-list entries and you need to put one in, let's say, the 8th spot.

"Emilia Lambros" wrote in message news:[EMAIL PROTECTED]...
> Why don't you try removing the line you want it to be below (as well as
the
> deny ip any any at the end) then put in the new line, the next line(s) and
> the deny line?
>
> ie
> no access-list from-internet permit ip any host 10.10.10.4
> no access-list from-internet permit ip any host 10.10.10.5
> no access-list from-internet deny ip any any
>
> access-list from-internet permit ip any host 10.10.10.2
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> That should leave you with
>
> access-list from-internet permit ip any host 10.10.10.1
> access-list from-internet permit ip any host 10.10.10.2
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> It's a little shuffling but it gets you there ;)  Is there any reason other
> than numerical order that the 10.10.10.2 line needs to be above the
> 10.10.10.4 line since they're all permits anyway?
>
> Also, for my own interest, is the deny ip any any required?  I was of the
> impression that everything was closed until you opened it which means
there
> should already be an implicit deny ip any any.. ?
>
> Em
>
>
>
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 15 January 2003 3:29 AM
> To: [EMAIL PROTECTED]
> Subject: applying PIX access-lists [7:61033]
>
>
> I am new to PIX and have a simple question. What methods do you (PIX
Admins)
> use to change and apply access-lists. Unlike IOS access-lists it seems you
> can remove statements from the middle of the list. When you do this does
the
> change occur immediately or do you have to reapply the access-group? Do
you
> need to do clear xlate after changing access-lists?
>
> How about the following scenario:
>
> I have a PIX whose outside interface has the following access-list:
>
> access-list from-internet permit ip any host 10.10.10.1
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> and
>
> access-group from-internet in interface outside
>
> now I want to add  "access-list from-internet permit ip any host
10.10.10.2"
> before "access-list from-internet permit ip any host 10.10.10.4".
>
> What is the best way to do this?
> I thought maybe I would create a new list :
>
> access-list from-internet2 permit ip any host 10.10.10.1
> access-list from-internet2 permit ip any host 10.10.10.2
> access-list from-internet2 permit ip any host 10.10.10.4
> access-list from-internet2 permit ip any host 10.10.10.5
> access-list from-internet2 deny ip any any
>
> then remove the old and apply the new one in successive commands.
> Is this the standard way of making changes, or do you more experienced admins
> have a better way? I'm migrating from a Checkpoint environment so this
> wasn't an issue when administering them.
>
> How about this for a good question: why aren't the access-lists on the
> PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and
> easy to work with?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61062&t=61033
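Emilia's remove-and-re-add shuffle, and Sam's objection that it gets ugly when the new line belongs 8th in a list of 100, generalize into a small tool. The Python below is an added example written for this digest, not code from either poster or from Cisco. It generates the `no access-list` / `access-list` sequence that lands a new ACE at any position in a PIX 6.x named list, and checks every intermediate state against a first-match model of the PIX ACL (implicit deny at the end, port operators ignored) so you can confirm the change only ever fails closed. The from-internet list is Sam's; the 198.51.100.7 client and the 192.0.2.66 / second-scenario ACL are made up for the demonstration. The order of the removals is the security point: stripping the tail bottom-up means each intermediate list is a prefix of the old list, and re-adding top-down means each is a prefix of the new one, so no state ever permits a flow that both the old and new lists deny. Removing top-down can leave a later permit standing without the deny that was above it, and the checker catches that.

```python
import ipaddress


def _parse_addr(tokens, i):
    """One PIX address spec starting at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D NETMASK' (PIX takes real netmasks, not IOS wildcards)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(ace: str):
    """'permit ip any host 10.10.10.1' -> ('permit', 'ip', src_net, dst_net).
    Port operators are out of scope for this model."""
    t = ace.split()
    src, i = _parse_addr(t, 2)
    dst, _ = _parse_addr(t, i)
    return t[0], t[1], src, dst


def acl_permits(entries, proto: str, src: str, dst: str) -> bool:
    """First-match evaluation with the PIX implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in entries:
        action, p, snet, dnet = parse_ace(ace)
        if p in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False


def insert_ace(acl_name, entries, new_entry, position, remove_order="reverse"):
    """Return (commands, states): the CLI lines to type so that new_entry ends
    up at 0-based index `position`, and the ACL contents after each command.
    'reverse' strips the tail bottom-up (safe); 'forward' exists only to show
    the unsafe alternative."""
    if not 0 <= position <= len(entries):
        raise ValueError("position out of range")
    tail = entries[position:]
    removals = list(reversed(tail)) if remove_order == "reverse" else list(tail)
    commands, states, current = [], [], list(entries)
    for ace in removals:
        commands.append(f"no access-list {acl_name} {ace}")
        current.remove(ace)
        states.append(list(current))
    for ace in [new_entry] + tail:
        commands.append(f"access-list {acl_name} {ace}")
        current.append(ace)
        states.append(list(current))
    return commands, states


def fails_closed(initial, states, flows) -> bool:
    """True when no intermediate ACL permits a (proto, src, dst) flow that both
    the initial and the final ACL deny. Only the sample flows are checked."""
    final = states[-1]
    for proto, src, dst in flows:
        at_rest = acl_permits(initial, proto, src, dst) or acl_permits(final, proto, src, dst)
        if not at_rest and any(acl_permits(s, proto, src, dst) for s in states[:-1]):
            return False
    return True


# Sam's from-internet list as posted (the explicit deny is there for hit counts)
FROM_INTERNET = [
    "permit ip any host 10.10.10.1",
    "permit ip any host 10.10.10.4",
    "permit ip any host 10.10.10.5",
    "deny ip any any",
]


def sams_change():
    """Insert the 10.10.10.2 permit above the 10.10.10.4 line (index 1)."""
    return insert_ace("from-internet", FROM_INTERNET, "permit ip any host 10.10.10.2", 1)


if __name__ == "__main__":
    commands, states = sams_change()
    print("\n".join(commands))
    # 198.51.100.7 is a made-up Internet client used for the safety check
    flows = [("tcp", "198.51.100.7", d) for d in ("10.10.10.2", "10.10.10.4", "10.10.10.9")]
    print("fails closed:", fails_closed(FROM_INTERNET, states, flows))
```

For Sam's list the generator emits seven commands: three removals (deny first, then .5, then .4), the new .2 permit, and the three re-adds in their original order, which is exactly Emilia's sequence. Paste the output as a block so the window with the tail missing is as short as the terminal allows; during that window the implicit deny blocks the hosts whose permits are temporarily gone, so the change is an outage risk, never an exposure.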



Prep Tests [7:61044]

2003-01-14 Thread Ed Williams
I know when I used to follow this group on a regular basis my following
question was one of the most annoying... but I just looked back through the
archives and didn't see anything recent.  My CCNP has come up for recert and
was looking for someone's opinion on the best prep tests for all 4 exams. Is
Boson still top dog for the Cisco exams?  I haven't even thought about this
stuff for 3 years or so...

Thanks in advance.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61044&t=61044



Call Manager CIPT Device Weights [7:61064]

2003-01-14 Thread Mark Smalley
I have a question for anyone with updated information on the Device weights
for IPT devices. In looking through CIPT 3.1x course materials I am unable
to locate the information/table that says how the devices are weighted. I am
able to find the information in the CIPT 3.0x materials. Are the device
weights the same for all four versions of Call Manager 3.0x, 3.1x 3.2x 3.3x?

Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61064&t=61064



RE: ICMP [7:61004]

2003-01-14 Thread Priscilla Oppenheimer
Black Jack wrote:
> 
> Hmm...that suggests that a VLSM-aware redirect would be useful.
> Send the mask along with the network address in other words.
> Does such a thing exist, or has it ever been proposed?

I don't think such a thing has been proposed. Also, it may not be practical.
The router sending the Redirect might not know about the subnet masking
being used elsewhere on the network either? I guess it would depend on the
routing protocol.

There are always tradeoffs. It's probably a good thing that the host
receiving the "Redirect for Network" places a host-specific route into its
routing table, for all the reasons already mentioned (classless addressing,
VLSM, discontiguous subnets.) But what's the tradeoff?
?
give it some thought
don't want to give it away right away
think.
analyze
ideas?

It might be obvious, but the tradeoff is that the host could end up with a
bunch of host-specific routes in its table. It sends to 10.0.0.1, gets a
redirect, places the host-specific route in its table. It sends to 10.0.0.2,
gets a redirect, places the host-specific route in its table. Etc.

So, what's so bad about that? Well, it's extra processing and it uses a
little extra memory (not a big deal these days, granted!) But as the list
gets longer, lookups and placing new entries will take longer and longer. So
some delay might occur.

Just some more thoughts to get y'all thinking! :-)

Priscilla

> 
> 
> > Answer: The host can't know about subnet masks being used
> > elsewhere. Also, with classless addressing, it can't assume a
> > Class A mask for network 10.0.0.0.
> > 
> > The host can't know for sure that ALL of 10.0.0.0/8 is
> > reachable by the router that claims that it is. With
> > variable-length subnet masking, classless addressing,
> > discontiguous subnets and all the other things people do to
> > their network designs, the safest thing for the host to do is
> > to place a host-specific route into its table.
> > 
> > Just thought I'd turn this into a more advanced "lesson." :-)
> > 
> > ___
> > 
> > Priscilla Oppenheimer
> > www.troubleshootingnetworks.com
> > www.priscilla.com
> > 
> > 
> > > 
> > >  
> > > 
> > > Thanks in advance.
> > > 
> > > -DJ
> > > 
> > > 
> > > 
> > > 
> > > -
> > > With Yahoo! Mail you can get a bigger mailbox -- choose a
> size
> > > that fits your needs
> > > 
> > > 
> > 
> > 
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61063&t=61004
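Priscilla's point, that a host receiving a Redirect for Network still installs a host-specific route, and her tradeoff, that the table then grows by one /32 per redirected destination, can both be watched in code. The Python below is an added example written for this digest, not code from any poster or from any operating system's network stack. It builds RFC 792 Redirect messages as raw bytes, parses them, applies the RFC 1122 plausibility checks a host should make before honouring one (the redirect must come from the router the host is currently using for that destination, and the new gateway must be on a directly connected network), and installs a /32 whatever the code field says. All addresses are made up. The caveat a practitioner wants is in the comments: those checks compare against the claimed source address, so a redirect forged with the real gateway's address still passes, which is why hardened hosts are commonly configured to ignore redirects altogether.

```python
import ipaddress
import struct
from typing import Optional

ICMP_REDIRECT = 5                 # RFC 792 message type
CODE_NETWORK, CODE_HOST = 0, 1    # "redirect for network" / "redirect for host"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a packet whose checksum field
    is already correct it returns 0, which is how parse_redirect verifies it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_redirect(code: int, new_gateway: str, orig_src: str, orig_dst: str) -> bytes:
    """ICMP Redirect: type 5, code, checksum, gateway address, then the
    offending datagram's IP header plus its first 8 payload bytes (RFC 792)."""
    quoted = ipv4_header(orig_src, orig_dst, 8) + b"\x00" * 8
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + quoted
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_redirect(pkt: bytes) -> Optional[tuple]:
    """Return (code, new_gateway, orig_dst) for a well-formed redirect, else None."""
    if len(pkt) < 28 or pkt[0] != ICMP_REDIRECT or internet_checksum(pkt) != 0:
        return None
    if pkt[8] >> 4 != 4 or len(pkt) < 8 + (pkt[8] & 0x0F) * 4:
        return None                          # quoted header is not IPv4 / truncated
    new_gateway = str(ipaddress.IPv4Address(pkt[4:8]))
    orig_dst = str(ipaddress.IPv4Address(pkt[24:28]))   # quoted header's destination
    return pkt[1], new_gateway, orig_dst


class HostRoutingTable:
    """A host with one connected subnet, one default gateway, and the /32
    entries that accepted redirects have added."""

    def __init__(self, local_iface: str, default_gateway: str):
        self.local_net = ipaddress.ip_network(local_iface, strict=False)
        self.default_gateway = default_gateway
        self.host_routes = {}          # destination -> gateway, both dotted strings

    def first_hop(self, dst: str) -> Optional[str]:
        if dst in self.host_routes:
            return self.host_routes[dst]
        if ipaddress.IPv4Address(dst) in self.local_net:
            return None                # on-link, no gateway
        return self.default_gateway

    def handle_redirect(self, from_router: str, pkt: bytes) -> bool:
        parsed = parse_redirect(pkt)
        if parsed is None:
            return False
        code, new_gateway, orig_dst = parsed
        # RFC 1122 3.2.2.2 plausibility checks: the redirect must come from the
        # router we currently use for that destination, and the new gateway must
        # be directly connected. They compare against the *claimed* source, so a
        # redirect spoofed with the real gateway's address still gets through.
        if from_router != self.first_hop(orig_dst):
            return False
        if ipaddress.IPv4Address(new_gateway) not in self.local_net:
            return False
        # Whatever the code says, install a host route: a "network" redirect
        # carries no mask, so the host cannot know how wide the network is.
        self.host_routes[orig_dst] = new_gateway
        return True


def demo():
    """Three redirects from the real gateway are accepted and each adds one /32;
    a redirect from a box that is not our first hop is dropped."""
    host = HostRoutingTable("192.168.1.10/24", "192.168.1.1")
    results = []
    for dst in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        pkt = build_redirect(CODE_NETWORK, "192.168.1.2", "192.168.1.10", dst)
        results.append(host.handle_redirect("192.168.1.1", pkt))
    rogue = build_redirect(CODE_HOST, "192.168.1.66", "192.168.1.10", "10.0.0.9")
    results.append(host.handle_redirect("192.168.1.66", rogue))
    return results, dict(host.host_routes)


if __name__ == "__main__":
    accepted, routes = demo()
    print("accepted:", accepted)
    print("host routes now:", routes)
```

Three network redirects for 10.0.0.1, .2 and .3 produce three separate /32 entries pointing at 192.168.1.2, not one route for 10.0.0.0/8, which is the growth Priscilla describes; every further destination behind that router costs another redirect and another entry.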



RE: PIX access-list problem [7:61043]

2003-01-14 Thread Evans, TJ (BearingPoint)
Is your outside link up, and plugged into an enabled switch port that is on
the correct vlan/segment and set to correct speed/duplex?  

Can other devices on same switch communicate with anyone else?


Thanks!
TJ
[EMAIL PROTECTED]



-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 14, 2003 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

This type of NAT is required for incoming connections. I can't get access
going out so I haven't even looked at that yet. Even worse is from
83.23.44.60 (outside interface of PIX) I can't ping 83.23.44.50 which is
outside of the PIX. If you look at my access-list , this should not be a
problem. I am stumped on this.
"Waters, Kristina" wrote in message news:[EMAIL PROTECTED]...
> Sam,
>
> Do you have any sort of statement that's translating the addresses in your
> DMZ? For example,
>
> static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255
>
> If you aren't nat'ing I believe you still have to translate the address.
>
> HTH,
> Kris.
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 14, 2003 2:08 PM
> To: [EMAIL PROTECTED]
> Subject: PIX access-list problem [7:61043]
>
>
> I cannot seem to get the following config to work and am clueless why. My
> incoming access lists for DMZ and outside are wide open. The goal is never to
> NAT the DMZ, since it's public addressing. I can't even ping hosts on the
> outside network from PIX. Why am I having these problems?
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
>
> access-list internal permit ip 172.19.90.0 255.255.255.0 any
>
> access-list test permit ip any any
> access-list test permit icmp any any
>
> access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0
> 255.255.255.0
>
> ip address outside 83.23.44.60 255.255.255.192
> ip address inside 172.19.90.1 255.255.255.0
> ip address dmz 83.23.43.250 255.255.255.0
>
> global (outside) 1 83.23.44.58
> nat (inside) 0 access-list int-dmz
> nat (inside) 1 172.19.90.0 255.255.255.0 0 0
> nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
> access-group test in interface outside
> access-group test in interface dmz
> route outside 0.0.0.0 0.0.0.0 83.23.44.1 1
**
The information in this email is confidential and may be legally 
privileged.  Access to this email by anyone other than the 
intended addressee is unauthorized.  If you are not the intended 
recipient of this message, any review, disclosure, copying, 
distribution, retention, or any action taken or omitted to be taken 
in reliance on it is prohibited and may be unlawful.  If you are not 
the intended recipient, please reply to or forward a copy of this 
message to the sender and delete the message, any attachments, 
and any copies thereof from your system.
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61065&t=61043



RE: CCNP 640-604 switching exam [7:60987]

2003-01-14 Thread Nuurul Basar Mohd Baki
The exam that I took on Monday 13/1/03 still had a few HSRP questions.



-Original Message-
From: David Ristau [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2003 06:03
To: [EMAIL PROTECTED]
Subject: CCNP 640-604 switching exam [7:60987]


Taking the 640-604 switching exam within the next week or two, and my
research on the Cisco site shows that although there were HSRP and ATM LANE
questions on the 640-503 exam, these topics are not included on the 640-604
exam.

Just wanted to confirm, thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61066&t=60987



Re: route-map deny_lo1 - now working?? [7:61055]

2003-01-14 Thread wanabe ccie
I think there is no way to deny that route using ACLs, because ACLs
don't filter LSAs. Make your area an NSSA, then do a no-redistribute to
filter out redistributed routes (your TS router will be an ASBR).


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61067&t=61055



EIGRP issues [7:61068]

2003-01-14 Thread Edward Sohn
Can anyone figure out why my dial backup solution is not establishing
EIGRP routes?  The routers don't peer up, though everything else looks
and works fine.  After the dialup establishes, I am able to ping each
Serial Interface, as well.

Thanks,

Ed

Here are the configs:

ROUTER A

hostname HQ-3640-TUNNEL1
!
enable secret 5 $1$u.BJ$uI2eMjAcagFatXHMmpE9l1
!
username EM-1720-TUNNEL1 password 0 decore
username quest password 0 decore
!
!
!
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
ipx routing 0050.0f02.6ec5
!
!
!
!
!
interface Loopback0
 ip address 10.64.64.2 255.255.255.0
!
interface Tunnel64
 description PRIMARY VPN TO HQ
 bandwidth 200
 ip address 10.10.64.2 255.255.255.252
 ipx network 64
 tunnel source 10.254.4.4
 tunnel destination 10.254.6.6
!
interface Serial0
 physical-layer async
 ip address 10.10.56.1 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer in-band
 dialer map ip 10.10.56.2 name EM-1720-TUNNEL1 broadcast 9,16264469732
 dialer-group 1
 async dynamic address
 async dynamic routing
 async mode dedicated
 ipx network 56
 peer default ip address 10.10.56.2
 no fair-queue
 ppp authentication chap callin
!
interface FastEthernet0
 backup interface Serial0
 ip address 10.9.0.7 255.255.0.0
 speed auto
 full-duplex
 ipx network 900
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.56.2
no ip http server
!
dialer-list 1 protocol ip permit
!
!
ipx router eigrp 10
 network 64
 log-neighbor-changes
!
!
ipx router rip
 no network 64
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line 1
 modem InOut
 modem autoconfigure discovery
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login


ROUTER B


hostname EM-1720-TUNNEL1
!
enable password decore
!
username HQ-3640-TUNNEL1 password 0 decore
username quest password 0 decore
username all
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ipx routing 00b0.c289.838f
!
!
!
!
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.0
!
interface Serial0
 physical-layer async
 ip address 10.10.56.2 255.255.255.0
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer in-band
 dialer-group 1
 async dynamic address
 async dynamic routing
 async mode dedicated
 ipx network 56
 peer default ip address 10.10.56.1
 no fair-queue
 ppp authentication chap
!
interface FastEthernet0
 ip address 10.6.100.200 255.255.0.0
 speed auto
 full-duplex
 ipx network 600
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip classless
no ip http server
!
!
!
ipx router eigrp 10
 network 56
!
!
ipx router rip
 no network 56
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line 1
 modem InOut
 modem autoconfigure discovery
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 logging synchronous
 login local
!
no scheduler allocate
end




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61068&t=61068



RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
Nope, wouldn't work well in that situation, but if you're only talking a few
entries then it's not a problem.

Also, in that sort of situation, if you wanted to put a deny before a permit
(where order really does matter other than aesthetically), you remove the
line permitting the traffic, add the deny, then put in the permit again and
you're back to where you were.  The most you'd have to re-add after that
would be a deny ip any any :)



-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 8:38 AM
To: [EMAIL PROTECTED]
Subject: Re: applying PIX access-lists [7:61033]


The deny statement is there implicitly, but if you put it in as well, when you
do a show access-list command you will see the statistics of how many times
it was "hit".

As far as your suggestion goes, it may not work as well if you have over 100
access-lists and you need to put one in, let's say, the 8th spot.

"Emilia Lambros" wrote in message news:[EMAIL PROTECTED]...
> Why don't you try removing the line you want it to be below (as well as
> the deny ip any any at the end), then put in the new line, the next
> line(s) and the deny line?
>
> i.e.
> no access-list from-internet permit ip any host 10.10.10.4
> no access-list from-internet permit ip any host 10.10.10.5
> no access-list from-internet deny ip any any
>
> access-list from-internet permit ip any host 10.10.10.2
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> That should leave you with
>
> access-list from-internet permit ip any host 10.10.10.1
> access-list from-internet permit ip any host 10.10.10.2
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> It's a little shuffling but it gets you there ;)  Is there any reason other
> than numerical order that the 10.10.10.2 line needs to be above the
> 10.10.10.4 line, since they're all permits anyway?
>
> Also, for my own interest, is the deny ip any any required?  I was of the
> impression that everything was closed until you opened it, which means
> there should already be an implicit deny ip any any.. ?
>
> Em
>
>
>
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 15 January 2003 3:29 AM
> To: [EMAIL PROTECTED]
> Subject: applying PIX access-lists [7:61033]
>
>
> I am new to PIX and have a simple question. What methods do you (PIX
> Admins) use to change and apply access-lists? Unlike IOS access-lists, it
> seems you can remove statements from the middle of the list. When you do
> this, does the change occur immediately or do you have to reapply the
> access-group? Do you need to do clear xlate after changing access-lists?
>
> How about the following scenario:
>
> I have a PIX that has interface outside with the following access-list:
>
> access-list from-internet permit ip any host 10.10.10.1
> access-list from-internet permit ip any host 10.10.10.4
> access-list from-internet permit ip any host 10.10.10.5
> access-list from-internet deny ip any any
>
> and
>
> access-group from-internet in interface outside
>
> Now I want to add "access-list from-internet permit ip any host 10.10.10.2"
> before "access-list from-internet permit ip any host 10.10.10.4".
>
> What is the best way to do this?
> I thought maybe I would create a new list:
>
> access-list from-internet2 permit ip any host 10.10.10.1
> access-list from-internet2 permit ip any host 10.10.10.2
> access-list from-internet2 permit ip any host 10.10.10.4
> access-list from-internet2 permit ip any host 10.10.10.5
> access-list from-internet2 deny ip any any
>
> then remove the old and apply the new one in successive commands.
> Is this the standard way of making changes, or do you more experienced
> admins have a better way? I'm migrating from a Checkpoint environment so
> this wasn't an issue when administering them.
>
> How about this for a good question: why aren't the access-lists on the
> PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and
> easy to work with?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61070&t=61033



Re: applying PIX access-lists [7:61033]

2003-01-14 Thread [EMAIL PROTECTED]
Sam,
You can do it two ways, i.e. CLI based and GUI based (PDM).
If you are using PDM, you just insert/add the rule.

CLI based:
1.   access-list from-internet2 permit ip any host 10.10.10.1
 access-list from-internet2 permit ip any host 10.10.10.2
 access-list from-internet2 permit ip any host 10.10.10.4
 access-list from-internet2 permit ip any host 10.10.10.5
 access-list from-internet2 deny ip any any

2.   no access-group from-internet in interface outside
 access-group from-internet2 in interface outside

3.   clear xlate

Hope this can help you.

regards,
Sugianto Sho




   

"Sam Sneed"
Sent by: nobody@groupstudy.com
Subject: applying PIX access-lists [7:61033]
01/14/2003 11:58 PM
Please respond to "Sam Sneed"
   

   





I am new to PIX and have a simple question. What methods do you (PIX
Admins) use to change and apply access-lists? Unlike IOS access-lists, it
seems you can remove statements from the middle of the list. When you do
this, does the change occur immediately or do you have to reapply the
access-group? Do you need to do clear xlate after changing access-lists?

How about the following scenario:

I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add "access-list from-internet permit ip any host 10.10.10.2"
before "access-list from-internet permit ip any host 10.10.10.4".

What is the best way to do this?
I thought maybe I would create a new list:

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands.
Is this the standard way of making changes, or do you more experienced
admins have a better way? I'm migrating from a Checkpoint environment so
this wasn't an issue when administering them.

How about this for a good question: why aren't the access-lists on the
PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and
easy to work with?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61071&t=61033
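As an added example (not code from any post in this thread), the following Python script generates the PIX 6.x command sequences for both approaches discussed above: Emilia's in-place shuffle (remove every entry from the insertion point onward, add the new entry, re-add the removed tail in order) and Sugianto's full list swap (build a second list, rebind it with access-group, clear xlate). PIX 6.x named access-lists carry no line numbers, so "insert at position N" has to be expressed as "everything from entry N onward". The ACL name, entries and interface are the ones from Sam's question; the function names are the example's own.

```python
# Added example, not from any post in this thread.  ACL name, entries and
# interface are taken from the thread; the function names are this file's own.

CURRENT_ACL = [
    "permit ip any host 10.10.10.1",
    "permit ip any host 10.10.10.4",
    "permit ip any host 10.10.10.5",
    "deny ip any any",
]


def _check_position(entries, position):
    if not 0 <= position <= len(entries):
        raise ValueError(f"position {position} out of range for {len(entries)} entries")


def insert_in_place(name, entries, new_entry, position):
    """Emilia's approach: remove the tail from `position` onward, add the new
    entry, then re-add the tail in its original order.

    Returns (new_entries, commands).  While the tail is absent, traffic that
    only those entries permitted falls through to the implicit deny: the edit
    fails closed, but it does interrupt those flows for the duration."""
    _check_position(entries, position)
    tail = entries[position:]
    commands = [f"no access-list {name} {e}" for e in tail]
    commands.append(f"access-list {name} {new_entry}")
    commands += [f"access-list {name} {e}" for e in tail]
    return entries[:position] + [new_entry] + tail, commands


def insert_by_swap(name, entries, new_entry, position, interface="outside",
                   new_name=None):
    """Sugianto's approach: build a complete second list, swap the binding on
    the interface, then clear xlate.  No entry of the live list is ever
    removed, so the original list keeps working until the swap."""
    _check_position(entries, position)
    new_name = new_name or f"{name}2"
    new_entries = entries[:position] + [new_entry] + entries[position:]
    commands = [f"access-list {new_name} {e}" for e in new_entries]
    commands += [
        f"no access-group {name} in interface {interface}",
        f"access-group {new_name} in interface {interface}",
        "clear xlate",
    ]
    return new_entries, commands


def ends_with_explicit_deny(entries):
    """Sam's reason for the trailing deny ip any any: it repeats the implicit
    deny, but gives 'show access-list' a hit counter for dropped traffic."""
    return bool(entries) and entries[-1] == "deny ip any any"


if __name__ == "__main__":
    new = "permit ip any host 10.10.10.2"
    for fn in (insert_in_place, insert_by_swap):
        acl, cmds = fn("from-internet", CURRENT_ACL, new, 1)
        print(f"--- {fn.__name__}")
        print("\n".join(cmds))
        assert ends_with_explicit_deny(acl)
```

The two methods fail in different places: with the in-place shuffle the entries after the insertion point are missing between the first `no access-list` and the last re-add, so anything only they permitted is dropped by the implicit deny until the script finishes; with the swap, no entry is ever removed, but between `no access-group` and `access-group` the outside interface has no list bound, and a PIX drops inbound traffic from the lower-security interface by default in that state rather than permitting it. Either way the change fails closed; pasting the whole generated sequence at once keeps the gap short.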



RE: EIGRP issues [7:61068]

2003-01-14 Thread wanabe ccie
I think you should do a dialer map broadcast on router B too, just like what
you did on the first router.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61072&t=61068



RE: Global Address and the Static command [7:61057]

2003-01-14 Thread wanabe ccie
You can do both. If I wanted to use an IP in the middle of your pool, say
199.199.199.35:

ip nat pool test prefix-length 26
 199.199.199.3 199.199.199.34
 199.199.199.36 199.199.199.62 - (I think this is the command, please verify)

ip nat inside source list 1 pool test
ip nat inside source static 192.168.0.1 199.199.199.35

That frees up the 199.199.199.35 that I would want to use for my static NAT.
 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61073&t=61057



RE: QoS suggestion [7:60994]

2003-01-14 Thread Ivan Yip
Hi,

I have the following testing setup but it looks like the LLQ
does not work. Can you have a look at it?

When the 256k link is congested, why does a ping with precedence 5 from behind
the 256k line get the same response time as a default ping?

128k--- FR 256k

Attached 256k router configuration below.
 
class-map match-all voice-traffic
  match ip precedence 5
!
policy-map voice-policy
  class voice-traffic
priority percent 75
  class class-default
   fair-queue

interface Serial0
 bandwidth 256
 no ip address
 encapsulation frame-relay IETF
 load-interval 30
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0.10 point-to-point
 bandwidth 256
 ip address 10.114.0.6 255.255.255.252
 frame-relay interface-dlci 100
  class llq
!
map-class frame-relay llq
 frame-relay cir 256000
 frame-relay bc 2560
 frame-relay be 0
 frame-relay mincir 256000
 service-policy output voice-policy

TIA

rgds,
ivan


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61074&t=60994



BGP origin attribute type "e" - EGP? [7:61075]

2003-01-14 Thread Wei Zhu
In what condition is the EGP origin type generated?

Thanks
Wei




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61075&t=61075



RE: EIGRP issues [7:61068]

2003-01-14 Thread Karagozian Sarkis
Edward,

Since you are using PPP authentication CHAP, it requires that both sides
send the (same) user name xx and password .. to each other (handshaking
using CHAP) after dialup, to authenticate each other both ways, then start
data transfer.

So, on Router B, you need to add:

username HQ-3640-TUNNEL1 password 0 decore (to authenticate with side A using
the same password)

dialer map ip 10.10.56.1 name HQ-3640-TUNNEL1 broadcast 9,Modem A #

This is what I remember from when I was facing a similar problem.

Hope I am right.
Sarkis
CCNA/CCNP/MCNS/MCP/CNE





 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61076&t=61068
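As an added example, not code from any post in this thread: a Python lint that reads the two configs Edward posted (trimmed, with the enable secret hash left out) and checks the points the replies above raise. It verifies that each router holds the other's hostname as a CHAP username with a matching password, that Serial0 requires CHAP, and that each side has a `dialer map ... name <peer> broadcast` entry, which is what both wanabe ccie and Sarkis point at. It also flags what a security reviewer notices in the posted configs: type-0 (cleartext) passwords, an `enable password` where `enable secret` belongs, and a `username` with no password at all. The function names and the wording of the findings are the example's own.

```python
import re

# Added example, not from any post in this thread.  The two snippets are
# trimmed from Edward's posted configs (enable secret hash left out); the
# function names and finding texts are this file's own.

ROUTER_A = """\
hostname HQ-3640-TUNNEL1
enable secret 5 <hash omitted>
username EM-1720-TUNNEL1 password 0 decore
username quest password 0 decore
interface Serial0
 encapsulation ppp
 dialer in-band
 dialer map ip 10.10.56.2 name EM-1720-TUNNEL1 broadcast 9,16264469732
 dialer-group 1
 ppp authentication chap callin
interface FastEthernet0
 backup interface Serial0
"""

ROUTER_B = """\
hostname EM-1720-TUNNEL1
enable password decore
username HQ-3640-TUNNEL1 password 0 decore
username quest password 0 decore
username all
interface Serial0
 encapsulation ppp
 dialer in-band
 dialer-group 1
 ppp authentication chap
"""

# "username X password <type> <string>" is the form used in the posted configs
USER_RE = re.compile(r"^username (\S+)(?: password (\d+) (\S+))?")
MAP_RE = re.compile(r"^dialer map ip (\S+) name (\S+)(.*)$")
AUTH_RE = re.compile(r"^ppp authentication (\S+)(.*)$")


def parse_config(text):
    """Extract the parts of an IOS config that matter for a CHAP dialer link."""
    cfg = {"hostname": None, "enable_secret": False, "enable_password": False,
           "users": {}, "interfaces": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and cur is not None:      # interface sub-command
            body = line.strip()
            m = MAP_RE.match(body)
            if m:
                cfg["interfaces"][cur]["maps"].append(
                    {"ip": m.group(1), "name": m.group(2),
                     "broadcast": "broadcast" in m.group(3).split()})
            m = AUTH_RE.match(body)
            if m:
                cfg["interfaces"][cur]["auth"] = (m.group(1), "callin" in m.group(2).split())
            continue
        cur = None
        if line.startswith("hostname "):
            cfg["hostname"] = line.split()[1]
        elif line.startswith("enable secret "):
            cfg["enable_secret"] = True
        elif line.startswith("enable password "):
            cfg["enable_password"] = True
        elif line.startswith("interface "):
            cur = line.split()[1]
            cfg["interfaces"][cur] = {"maps": [], "auth": None}
        else:
            m = USER_RE.match(line)
            if m:   # value is None for a bare "username X" with no password
                cfg["users"][m.group(1)] = (m.group(2), m.group(3)) if m.group(3) else None
    return cfg


def check_chap_link(a, b, ifname="Serial0"):
    """Findings for a CHAP-authenticated dialer link between two routers.
    CHAP here is mutual: each side needs the peer's hostname as a username,
    with the same password the peer holds for it, and a dialer map that names
    the peer and carries 'broadcast' so routing-protocol hellos are sent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        me, peer = local["hostname"], remote["hostname"]
        mine, theirs = local["users"].get(peer), remote["users"].get(me)
        if peer not in local["users"]:
            findings.append(f"{me}: no username entry for peer {peer}")
        elif mine and theirs and mine[1] != theirs[1]:
            findings.append(f"{me}: CHAP password for {peer} differs from the one {peer} holds for {me}")
        intf = local["interfaces"].get(ifname, {"maps": [], "auth": None})
        if intf["auth"] is None or intf["auth"][0] != "chap":
            findings.append(f"{me}: {ifname} does not require CHAP")
        named = [m for m in intf["maps"] if m["name"] == peer]
        if not named:
            findings.append(f"{me}: {ifname} has no 'dialer map ip ... name {peer}' entry")
        elif not any(m["broadcast"] for m in named):
            findings.append(f"{me}: dialer map to {peer} lacks 'broadcast'")
    return findings


def credential_findings(cfg):
    """Hygiene checks: they do not affect peering, but they matter once a
    config has been pasted to a public list."""
    me, out = cfg["hostname"], []
    if cfg["enable_password"] and not cfg["enable_secret"]:
        out.append(f"{me}: enable password is used instead of enable secret")
    for user, cred in cfg["users"].items():
        if cred is None:
            out.append(f"{me}: username {user} has no password")
        elif cred[0] == "0":
            out.append(f"{me}: username {user} password is stored in cleartext (type 0)")
    return out


if __name__ == "__main__":
    a, b = parse_config(ROUTER_A), parse_config(ROUTER_B)
    for f in check_chap_link(a, b) + credential_findings(a) + credential_findings(b):
        print(f)
```

Run over the configs as posted, the link check reports one thing: EM-1720-TUNNEL1 has no dialer map naming HQ-3640-TUNNEL1 on Serial0 (the peer usernames are present on both sides with the same password). The credential check adds the type-0 passwords on both routers, the `enable password` on Router B and the bare `username all`. Since the hash and the cleartext passwords have already gone out to a mailing list, treat them as disclosed and rotate them.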



Cisco 3640 Router ATM PVC Problem [7:61077]

2003-01-14 Thread Ken Chipps
I am attempting to set up a PVC between two Cisco 3640 routers connected back
to back. The interface is an OC3 card. Whenever I issue the PVC command on
the ATM interface it says a PVC is not supported. If I use the ? to see the
supported commands for the interface, no PVC command is listed. Is there
some software upgrade I need for this? Or is there some other way to connect
two 3640s back to back?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61077&t=61077



FW: Cisco 3640 Router ATM PVC Problem [7:61077]

2003-01-14 Thread Newell Ryan D SrA 18 CS/SCBT
What commands are you typing in? To create a PVC the syntax is
int atm 1
atm pvc 6 0 106 aal5snap
I think you are missing the 'atm' before pvc.

There are several ways to hook the 3640s back to back. If they are within 
fastethernet distance limitations you could use the fastethernet interfaces.

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 1:40 PM
To: [EMAIL PROTECTED]
Subject: Cisco 3640 Router ATM PVC Problem [7:61077]


I am attempting to set up a PVC between two Cisco 3640 routers connected back
to back. The interface is an OC3 card. Whenever I issue the PVC command on
the ATM interface it says a PVC is not supported. If I use the ? to see the
supported commands for the interface, no PVC command is listed. Is there
some software upgrade I need for this? Or is there some other way to connect
two 3640s back to back?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61078&t=61077



RE: Cisco 3640 Router ATM PVC Problem [7:61077]

2003-01-14 Thread Ken Chipps
I am using a sample configuration from cisco that looks like this

First command config t
Second command ip routing
Third command interface atm 1/0
Fourth command no shutdown
Fifth command ip address 10.0.2.1 255.255.255.0
Sixth command pvc 1 32
Seventh command protocol ip 10.0.2.2 broadcast

The sixth command is where it fails. It does not recognize the pvc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Newell Ryan D SrA 18 CS/SCBT
Sent: Tuesday, January 14, 2003 11:32 PM
To: [EMAIL PROTECTED]
Subject: FW: Cisco 3640 Router ATM PVC Problem [7:61077]

What commands are you typing in? To create a PVC the syntax is
int atm 1
atm pvc 6 0 106 aal5snap
I think you are missing the 'atm' before pvc.

There are several ways to hook the 3640s back to back. If they are within
fastethernet distance limitations you could use the fastethernet interfaces.

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 1:40 PM
To: [EMAIL PROTECTED]
Subject: Cisco 3640 Router ATM PVC Problem [7:61077]


I am attempting to set up a PVC between two Cisco 3640 routers connected back
to back. The interface is an OC3 card. Whenever I issue the PVC command on
the ATM interface it says a PVC is not supported. If I use the ? to see the
supported commands for the interface, no PVC command is listed. Is there
some software upgrade I need for this? Or is there some other way to connect
two 3640s back to back?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61079&t=61077



RE: Cisco 3640 Router ATM PVC Problem [7:61077]

2003-01-14 Thread Newell Ryan D SrA 18 CS/SCBT
Try to add atm in front of that.

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 3:23 PM
To: 'Newell Ryan D SrA 18 CS/SCBT'; [EMAIL PROTECTED]
Subject: RE: Cisco 3640 Router ATM PVC Problem [7:61077]


I am using a sample configuration from cisco that looks like this

First command config t
Second command ip routing
Third command interface atm 1/0
Fourth command no shutdown
Fifth command ip address 10.0.2.1 255.255.255.0
Sixth command pvc 1 32
Seventh command protocol ip 10.0.2.2 broadcast

The sixth command is where it fails. It does not recognize the pvc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Newell Ryan D SrA 18 CS/SCBT
Sent: Tuesday, January 14, 2003 11:32 PM
To: [EMAIL PROTECTED]
Subject: FW: Cisco 3640 Router ATM PVC Problem [7:61077]

What commands are you typing in? To create a PVC the syntax is
int atm 1
atm pvc 6 0 106 aal5snap
I think you are missing the 'atm' before pvc.

There are several ways to hook the 3640s back to back. If they are within
fastethernet distance limitations you could use the fastethernet interfaces.

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 1:40 PM
To: [EMAIL PROTECTED]
Subject: Cisco 3640 Router ATM PVC Problem [7:61077]


I am attempting to set up a PVC between two Cisco 3640 routers connected back
to back. The interface is an OC3 card. Whenever I issue the PVC command on
the ATM interface it says a PVC is not supported. If I use the ? to see the
supported commands for the interface, no PVC command is listed. Is there
some software upgrade I need for this? Or is there some other way to connect
two 3640s back to back?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61080&t=61077



Re: Cisco 3640 Router ATM PVC Problem [7:61077]

2003-01-14 Thread The Long and Winding Road
pvc x/y "should" work, which leads me to wonder about your IOS version. What
are you running? What is the image name?

I do not see an "atm pvc" command in the 12.1 command reference.

Also, you mention something about connecting two 3640s back to back via an
OC3 card? I'm not sure you can do that. Someone smarter than I will provide
a definitive answer, I'm sure.



"Ken Chipps" wrote in message news:[EMAIL PROTECTED]...
> I am using a sample configuration from cisco that looks like this
>
> First command config t
> Second command ip routing
> Third command interface atm 1/0
> Fourth command no shutdown
> Fifth command ip address 10.0.2.1 255.255.255.0
> Sixth command pvc 1 32
> Seventh command protocol ip 10.0.2.2 broadcast
>
> The sixth command is where it fails. It does not recognize the pvc.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Newell Ryan D SrA 18 CS/SCBT
> Sent: Tuesday, January 14, 2003 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: FW: Cisco 3640 Router ATM PVC Problem [7:61077]
>
> What commands are you typing in? To create a PVC the syntax is
> int atm 1
> atm pvc 6 0 106 aal5snap
> I think you are missing the 'atm' before pvc.
>
> There are several ways to hook the 3640s back to back. If they are within
> fastethernet distance limitations you could use the fastethernet interfaces.
>
> -Original Message-
> From: Ken Chipps [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 15, 2003 1:40 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco 3640 Router ATM PVC Problem [7:61077]
>
>
> I am attempting to set up a PVC between two Cisco 3640 routers connected back
> to back. The interface is an OC3 card. Whenever I issue the PVC command on
> the ATM interface it says a PVC is not supported. If I use the ? to see the
> supported commands for the interface, no PVC command is listed. Is there
> some software upgrade I need for this? Or is there some other way to connect
> two 3640s back to back?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61081&t=61077



RE: CSIDS - 9E0-100 [7:60920]

2003-01-14 Thread Andrew Larkins
Only reason for the earlier exam from my side was the book we had. And also
to get me off my butt - sometimes I can be a little lazy!!.
At least with a deadline, I have to write!!

-Original Message-
From: Kim Graham [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2003 19:36
To: [EMAIL PROTECTED]
Subject: RE: CSIDS - 9E0-100 [7:60920]


Great to know I am not alone.  I noticed you all were doing the earlier exam
and not the new one.  Any particular reason?  From my understanding you can
mix versions of tests to come to the same conclusion.

Andrew I follow your same thought patterns to a point.  It would not feel
right getting a cert without the hands on knowledge or the knowledge that 
you will use the cert once you obtain it. But there are many that enjoy the
challenge just to see if they can do it. Personally I cannot fault anyone
that enjoys those challenges in life.  But using what you learn is
satisfying.

Keith if you do attempt the SAFE exam make sure you know the SAFE
whitepaper.  From what I have heard the blueprint and that document help you
get past the exam.   As for an award the extra signature could be one, or
the satisfaction that you passed?  How about taking yourself out to dinner
or enjoying a new "toy".No one ever said you could not reward yourself
for a job well done. *grins*

Good luck to everyone on their exams.
Congrats to Andrew are on the way for the new baby.  There are others that
have taken that same time to accomplish their CCIE.  Maybe check up with
them to see how they handled the 1 hour study sessions in between baby watch.

Kim / Zukee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61082&t=60920



RE: PIX Logging [7:61039]

2003-01-14 Thread Andrew Larkins
That's relative to what you want to see, and also depends on the volume of
traffic passing.
You could choose level 7 and then turn off some messages on the PIX and
revise later.

-Original Message-
From: Azhar Teza [mailto:[EMAIL PROTECTED]]
Sent: 14 January 2003 20:37
To: [EMAIL PROTECTED]
Subject: PIX Logging [7:61039]


I have a PIX 525 running version 6.1(1).  I have set up a Kiwi syslog server for
logging.  What is the best choice out of
0-emergencies-System unusable messages
1-alerts-Take immediate action
2-critical-Critical condition
3-errors-Error message
4-warnings-Warning message
5-notifications-Normal but significant condition
6-informational-Information message
7-debugging-Debug messages and log FTP commands and WWW URLs
 
Thanks,
Teza





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61083&t=61039