Re: DLCI value range issue(dependency with LMI) [7:61608]

2003-01-24 Thread Simmi Singla
Thanx Priscilla /Dave
for clearing my doubts about these lmi dependency with dlci
Thanx once again

Priscilla Oppenheimer wrote:
 
 I think he had a typo and meant to say 16-991 for everything
 except LMI Rev 1 (Cisco). With LMI Rev 1 (which is the same as
 cisco), the DLCI range is 16 - 1007. He was agreeing with
 your list.
 
 As far as why does a Cisco router still say that DLCIs 16 -
 1007 are available even after you configure the LMI type to
 ANSI, who knows? It even lets you use 992 - 1007. It's one of
 about a million little idiosyncrasies in IOS. It's one of
 those things that just aren't worth many processing cycles in
 your brain.
 
 Your DLCI is assigned by your service provider anyway. If they
 are using ANSI, presumably they wouldn't give you a DLCI past
 991.
 
 That's my 2 cents anyway. (Does that silly idiom translate to
 other languages/cultures? I hope! :-)
 
 Priscilla
 
 Simmi Singla wrote:
  
  Hi Dave,
  Thanx for the reply,but I am still not clear   been revised in the new
  LMI specifications that we will use
  16-1007 dlci now.
  Can U tell me some doc if so this is what u wanted to say or
  any other answer anybody like to comment. Please do give your
  valuable answers
  MADMAN wrote:
   
   Sounds about right.  In the Lucent 9000 frame relay switch doc, this
   is a carrier class switch, it lists the range of 16-001 as available for
   all LMI types and 16-1007 for LMI Rev1 which is the same as Cisco LMI.
   1-15 and 1008-1023 are reserved.
   
   Dave
   
   Simmi Singla wrote:
    Hi all,
    I have read in one of the books and internet also that dlci value range is
    dependent on lmi type configured.
    Example
    The following DLCI ranges are based on LMI protocol:
    
    ANSI: 16 - 991
    
    CISCO: 16 - 1007
    
    Q933a: 16 - 991
    
    But when we configure LMI type as example take ansi so after this when we
    configure dlci value it still shows the dlci range of 16-1007
    why is it so .it should show range of this in cisco router 16-991
    any comments on above problems
    Thanx in advance
   -- 
   David Madland
   CCIE# 2016
   Sr. Network Engineer
   Qwest Communications
   612-664-3367
   
   You don't make the poor richer by making the rich poorer.
   --Winston Churchill
   
   
  
  
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61758t=61608
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: frame relay config [7:61757]

2003-01-24 Thread Munit Singla
Hi Julian
yes u can do that by using ip unnumbered and using subinterfaces point to
point
I can't get u properly from ur question what u mean
but see U can have many sub interfaces and all of them can use ip unnumbered
If anybody other will comment lets wait for answers ,and if possible please
mail ur question in little detail


Julian P wrote:

 Hi guys

 I am wondering if it is possible to configure my cisco 2610 for separate
 frame relay point to point subinterfaces with the ip terminating on the
 2610,and have the 2610 frame switch some other dlci`s and terminate the ip
 on another frame relay device at the same time.

 Any advice is appreciated

 Thanks
 Julian




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61759t=61757



RE: Cisco uBR924 and Internet problems... [7:61754]

2003-01-24 Thread Peter van der Voort
Hi Leonardo,

Basically, you're answering your own question: the provider lets you
download a file that disables your service.
Normally, this file specifies the Class Of Service you get from your
provider, like upstream and downstream bandwidth.

Now for some reason, the provider doesn't want to give you any service and
therefore lets you download a file which denies access.

There is one thing that I don't understand, though. If you didn't buy this
modem from your provider (or did you?) then the modem's MAC address is not
registered with them. Therefore, why would they allow the DHCP server to
give your modem an IP address? That doesn't make sense.

On the other hand, if you did buy the modem from the ISP, then like I said,
they just don't want to give you access for some reason (not paying your
subscription fee springs to mind ;))

Bottom line: you have to contact them.

Good luck
Peter

 -Original Message-
 From: Leonardo FUK [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 7:29 AM
 To: [EMAIL PROTECTED]
 Subject: Cisco uBR924 and Internet problems... [7:61754]
 
 
 Hello everyone!!
 
 I have a question here, I need your help!
 Recently I bought a Cisco uBR924 and I've been trying to connect it at home,
 so I can expand my home lab capabilities. My service provider is Time Warner
 (Road Runner) and I simply can't connect it to the Internet. This router has
 one cable-modem interface, four ethernet ports (represented as 1 ethernet
 interface) and two FXS voice-ports.
 
 According to Cisco's documentation, the service establishment process of
 a cable-modem-router like this one is as follows:
 
 - Scan for a downstream channel and establish synchronization with the CMTS.
 - Obtain upstream channel parameters.
 - Start ranging for power adjustments.
 - Establish IP connectivity
 - Establish the time of day
 - Establish security
 - Transfer operational parameters
 - Perform registration
 - Comply with baseline privacy
 - Enter the operational maintenance state
 
 When I issue show int cable-modem 0, I notice a lot of interface resets
 displayed by the output. Further investigation required me to run some debug
 commands and - I love this one - show controllers cable-modem 0 mac log,
 which probably identified the problem. I could see almost all
 CMAC_LOG_STATE_CHANGE events, but during the registration process
 (registration_state), the modem received a RESET_AUTHENTICATION_FAILURE.
 I pasted part of the output so my question may be answered by someone:
 
 The steps from scanning downstream to establish security seem to be
 fine:
 
 1041.159 CMAC_LOG_STATE_CHANGE   wait_for_link_up_state
 1041.159 CMAC_LOG_STATE_CHANGE   ds_channel_scanning_stat
 1043.540 CMAC_LOG_STATE_CHANGE   wait_ucd_state
 1046.319 CMAC_LOG_STATE_CHANGE   wait_map_state
 1046.371 CMAC_LOG_STATE_CHANGE   ranging_1_state
 1047.337 CMAC_LOG_STATE_CHANGE   ranging_2_state
 1048.112 CMAC_LOG_STATE_CHANGE   dhcp_state
 1048.404 CMAC_LOG_DHCP_ASSIGNED_IP_ADDRESS   10.47.170.200
 1048.404 CMAC_LOG_DHCP_TFTP_SERVER_ADDRESS   24.29.99.72
 1048.404 CMAC_LOG_DHCP_TOD_SERVER_ADDRESS   24.29.99.72
 1048.404 CMAC_LOG_DHCP_SET_GATEWAY_ADDRESS
 1048.404 CMAC_LOG_DHCP_TZ_OFFSET   0
 1048.404 CMAC_LOG_DHCP_CONFIG_FILE_NAME   disabled.bin
 1048.404 CMAC_LOG_DHCP_ERROR_ACQUIRING_SEC_SVR_ADDR
 1048.404 CMAC_LOG_DHCP_LOG_SERVER_ADDRESS   24.29.99.57
 1048.404 CMAC_LOG_DHCP_COMPLETE
 1059.956 CMAC_LOG_STATE_CHANGE   establish_tod_state
 1059.956 CMAC_LOG_TOD_REQUEST_SENT   24.29.99.72
 1059.964 CMAC_LOG_TOD_REPLY_RECEIVED   3252376461
 1059.968 CMAC_LOG_TOD_COMPLETE
 1059.968 CMAC_LOG_STATE_CHANGE   security_association_state
 1059.968 CMAC_LOG_SECURITY_BYPASSED
 
 But when the modem downloaded the DOCSIS configuration (the config file), I
 noticed something weird:
 
 1059.968 CMAC_LOG_STATE_CHANGE   configuration_file_state
 1059.968 CMAC_LOG_LOADING_CONFIG_FILE   disabled.bin
 1063.988 CMAC_LOG_CONFIG_FILE_PROCESS_COMPLETE
 
 Did you notice the filename received by the Cisco uBR924? Its name is
 DISABLED.BIN. It doesn't sound good..
 
 After that, the next step is registration. Now I noticed that the CMTS
 has, for an unknown reason, rejected the registration process. Therefore,
 the router is unable to proceed with other steps toward the Internet
 connection.
 
 977.130 CMAC_LOG_STATE_CHANGE   registration_state
 977.130 CMAC_LOG_REG_REQ_MSG_QUEUED
 977.138 CMAC_LOG_REG_REQ_TRANSMITTED
 977.142 CMAC_LOG_REG_RSP_MSG_RCVD
 977.142 CMAC_LOG_RESET_AUTHENTICATION_FAILURE
 977.142 CMAC_LOG_STATE_CHANGE   reset_interface_state
 977.142 CMAC_LOG_STATE_CHANGE   reset_hardware_state
 
 I 
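
Added example, not part of the original thread: a small Python triage script for `show controllers cable-modem 0 mac log` output like the excerpt quoted above. It rejoins mail-wrapped lines, reports the configuration file name the modem was handed, and ties the reset reason to the state in which it occurred; the function names, and the treatment of every CMAC_LOG_RESET_* and CMAC_LOG_DHCP_ERROR_* event as a failure indicator, are assumptions made for illustration.

```python
import re

# Constructed sample built from events in the quoted log. Some lines are
# deliberately wrapped or fused (value glued to the event name) the way mail
# clients and archive extraction mangle this kind of output.
SAMPLE_LOG = """\
1048.112 CMAC_LOG_STATE_CHANGE   dhcp_state
1048.404 CMAC_LOG_DHCP_ASSIGNED_IP_ADDRESS   10.47.170.200
1048.404 CMAC_LOG_DHCP_CONFIG_FILE_NAME  disabled.bin
1048.404 CMAC_LOG_DHCP_ERROR_ACQUIRING_SEC_SVR_ADDR
1048.404 CMAC_LOG_DHCP_COMPLETE
1059.968 CMAC_LOG_STATE_CHANGE
security_association_state
1059.968 CMAC_LOG_SECURITY_BYPASSED
1059.968 CMAC_LOG_STATE_CHANGE
configuration_file_state
1059.968 CMAC_LOG_LOADING_CONFIG_FILEdisabled.bin
1063.988 CMAC_LOG_CONFIG_FILE_PROCESS_COMPLETE
977.130 CMAC_LOG_STATE_CHANGE   registration_state
977.130 CMAC_LOG_REG_REQ_MSG_QUEUED
977.138 CMAC_LOG_REG_REQ_TRANSMITTED
977.142 CMAC_LOG_REG_RSP_MSG_RCVD
977.142 CMAC_LOG_RESET_AUTHENTICATION_FAILURE
977.142 CMAC_LOG_STATE_CHANGE
 reset_interface_state
"""

# timestamp, upper-case event name, optional value (possibly fused to the name).
# Assumes values never start with an upper-case letter or underscore.
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(CMAC_LOG_[A-Z_]+)\s*(.*?)\s*$")


def parse_mac_log(text):
    """Return a list of (timestamp, event, value) tuples.

    A single-token line that follows an event with no value is treated as
    that event's wrapped value; any other non-matching line is ignored.
    """
    events = []
    pending = False  # True when the previous event is still missing a value
    for raw in text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if match:
            value = match.group(3)
            events.append((float(match.group(1)), match.group(2), value))
            pending = value == ""
        elif pending and line and " " not in line:
            ts, event, _ = events[-1]
            events[-1] = (ts, event, line)
            pending = False
        else:
            pending = False  # blank line or prose: stop looking for a value
    return events


def summarize(events):
    """Pull out the facts a first-line triage needs from the parsed events."""
    report = {
        "config_file": None,        # file name offered by DHCP / loaded via TFTP
        "security_bypassed": False,
        "dhcp_errors": [],
        "reset_reason": None,       # first CMAC_LOG_RESET_* seen
        "state_at_reset": None,     # last state entered before that reset
    }
    state = None
    for _ts, event, value in events:
        if event == "CMAC_LOG_STATE_CHANGE":
            state = value
        elif event in ("CMAC_LOG_DHCP_CONFIG_FILE_NAME",
                       "CMAC_LOG_LOADING_CONFIG_FILE"):
            report["config_file"] = value
        elif event == "CMAC_LOG_SECURITY_BYPASSED":
            report["security_bypassed"] = True
        elif event.startswith("CMAC_LOG_DHCP_ERROR_"):
            report["dhcp_errors"].append(event)
        elif event.startswith("CMAC_LOG_RESET_") and report["reset_reason"] is None:
            report["reset_reason"] = event[len("CMAC_LOG_RESET_"):]
            report["state_at_reset"] = state
    return report


if __name__ == "__main__":
    for key, val in summarize(parse_mac_log(SAMPLE_LOG)).items():
        print(f"{key}: {val}")
```
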

Re: frame relay config [7:61757]

2003-01-24 Thread Julian P
Hi

I want to configure my 2610 for frame relay into my telco.
Then clients from all over will connect with frame relay through the telco
into my 2610.
Now i need to have 2 pvc`s per client. One will terminate on my 2610 and the
other pvc needs to be switched through my 2610 and terminated on another
router. The clients' routers will not be cisco though.
I will obviously have to use sub interfaces for the different clients.
I am just unsure how i will terminate the 1 pvc  on my 2610 and at the same
time frame switch the other pvc to another router

Thanks






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61761t=61757



Re: Merging configs [7:61664]

2003-01-24 Thread Peter P
Thanks. Makes complete sense.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61762t=61664



Re: frame relay config [7:61757]

2003-01-24 Thread Juntao
From what i can find, you will need to configure the interface as an NNI,
and then you frame-relay switch between 2 pvc you have on the router.
the problem is that subinterfaces are not supported by an NNI interface.
it can only be implemented on the main interface
so  u will need 2 serial interfaces for your 2 pvc that you will configure
independently

Frame-relay switching

int se 0
encapsulation frame-relay
frame-relay intf-type nni
frame-relay interface-dlci 101
frame-relay route 101 interface serial 2 201

int se 1
encapsulation frame-relay
ip address x.x.x.x
frame-relay lmi-type ansi
frame-relay interface-dlci 301

int se 2
encapsulation frame-relay ietf
frame-relay  interface-dlci 201
frame-relay lmi-type ansi
frame-relay intf-type nni
frame-relay route 201 interface serial 0 101

I should tell u that i have not tried this, i don't really have the time,
but it might just work,
you can achieve the same thing, but differently with the need to do frame
switching by using simple a policy based routing, which are quite easy to
configure.

hope the above helps
regards





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61763t=61757



No Access-group on 7200 Eth/Fa Interfaces [7:61764]

2003-01-24 Thread Tunji Suleiman
Hello,

Can someone pls tell me why I won't have the access-group command on eth and 
fa interfaces of a router? I was trying to configure NBAR on a 7200 Internet 
router. I upgraded from 12.0(5) to 12.2(6), did ip cef, defined a class-map 
and applied it to a policy-map, I applied the  map as service policy to the 
Internet interface s0/0, I then defined an acl to match the policy; all 
successfully. When I tried to apply the acl to the LAN interface fa0/0, I 
discovered I only have access-expression and no access-group, ditto all 
other fa and eth interfaces.

While I figure a workaround using access-expression, I will appreciate some 
insight into why of the missing access-group command.

Regards

Tunji










Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61764t=61764



Re: frame relay config [7:61757]

2003-01-24 Thread Juntao
actually come to think about it, u don't have the conditions for NNI
switching, u can't even do Hybrid switching, if the PVC through which u wana
switch is DTE, i see only the option of frame switching over an ip tunnel,
but then again u have to have an ip segment available:
as far as configuration goes it will be easy, check it out:
u might be able to do this

int se 0
ip address x.x.x.x
encapsulation frame-relay
frame-relay route 101 interface tunnel 1 201

int tunnel1
ip address x.x.x.x
tunnel source x.x.x.x
tunnel destination x.x.x.x

the tunnel must be configured at the other end
not all versions support switching to a tunnel, u will need to look it up
oh yeah here is a link that has some info about the switching ways that cisco
supports:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_guide_chapter09186a00800878c7.html


hope the above helps
regards







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61765t=61757



RE: No Access-group on 7200 Eth/Fa Interfaces [7:61764]

2003-01-24 Thread Andrew Larkins
the command is ip access-group #

Then it will work





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61766t=61764



RE: can't use outside inf IP as PAT global IP [7:61755]

2003-01-24 Thread Joshua Vince
What ver of IOS are you running?  

also the command is:

global (outside) 1 interface

Josh

-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: can't use outside inf IP as PAT global IP [7:61755]


Hi.. I want to ask why I can't use outside interface IP as the PAT global 
IP? See below?  I recall that I can do that with Checkpoint. Why PIX can't? 
What if I have no other global IP available for me? So, I should specify 
60.8.200.115 as the PAT global IP?  So will IP know how to come back?

ip address outside 60.8.200.114 255.255.255.240
ip address inside 192.168.10.2 255.255.255.240

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

pixfw1(config)# global (outside) 1 60.8.200.114
Start and end addresses overlap with outside interface address

Thanks a lot






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61767t=61755



RE: can't use outside inf IP as PAT global IP [7:61755]

2003-01-24 Thread Andrew Larkins
Use the command below:

global (outside) 1 interface






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61768t=61755



RE: can't use outside inf IP as PAT global IP [7:61755]

2003-01-24 Thread Richard Campbell
Thanks..  any disadvantage to do this compared with choosing a different IP?

pixfw1(config)# global (outside) 1 interface
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
pixfw1(config)# exit


I am using the following version..

pixfw1# sh ver

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

pixfw1 up 4 hours 43 mins







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61769t=61755



RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]

2003-01-24 Thread [EMAIL PROTECTED]
Could you tell me the behavior with FlexWan?





Cohen, Michael @groupstudy.com on 23/01/2003 17:53:54

Please respond to Cohen, Michael

Sent by:  [EMAIL PROTECTED]


To:  [EMAIL PROTECTED]
cc:

Subject: RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]


Thanks to everyone who responded.  I also double-checked with Cisco TAC and
you guys are right.  No LLQ on MSFC's or RSM's unless you're using
FLEXWAN's.  Thanks again...

-Michael Cohen

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 1/23/03 10:41 AM
Subject: RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]

Once I tried to use LLQ on the MSFC to prioritize audio multicast traffic.

The command 'sh mls ip multicast' (a tip from a groupstudy guy) showed that
the multicast traffic was going through the PFC, so the LLQ was not helping.






John Humphrey @groupstudy.com on 22/01/2003 19:47:44

Please respond to John Humphrey

Sent by:  [EMAIL PROTECTED]


To:  [EMAIL PROTECTED]
cc:

Subject: RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]


I've encountered this issue in our production environment with policy-maps.
Here's the answer Cisco's TAC gave me. Since the msfc interfaces are
software based, the MLS engine will bypass the route processor on most of
your layer 3 packets. This prevents the shaping/policing policy from being
applied on all egress traffic. You can, however, successfully apply the
policies to all ingress traffic because it must travel thru the Layer 3
process before it is sent to the destination node. So, if you're applying a
service-policy to a msfc interface it must be applied with input as the
direction. I'm not sure what effect disabling MLS would have on this process
but I'm sure the benefits (if there would be any) would not be worth it. You
can however use QoS policies on the layer 2 modules with acl mapping to
achieve much of the same benefits.

jh
Note:  The information contained in this message may be privileged and
confidential and protected from disclosure.  If the reader of this message
is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified
that any dissemination, distribution or copying of this communication is
strictly prohibited.  If you have received this communication in error,
please notify us immediately by replying to the message and deleting it
from
your computer. Thank you.  ThruPoint, Inc.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61770t=61575



RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]

2003-01-24 Thread Cohen, Michael
Cisco TAC states that traffic to and from the FlexWan has to be routed
through the MSFC and not just the PFC.  This allows for the use of LLQ. 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61771t=61575



guaranteeing bandwidth [7:61772]

2003-01-24 Thread Barbu Alexandru
Thanks a lot! Looks like i was barking at the
wrong tree... It wasn't about CBWFQ. Rate-limiting did
the trick.


Thanks a lot!
Alexandru Barbu
CCAI

=
'there is no such thing as a free meal'





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61772t=61772



RE: Question? [7:61716]

2003-01-24 Thread Ladrach, Daniel E.
I have done this several times and never experienced the issue below. As
long as you are on the console port this should not be an issue. I would be
curious to know what type of modem you are using and dip switch settings. I
generally use US robotics.

-Original Message-
From: Charles D Hammonds [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 12:45 AM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]

I have not been able to perform password recovery via a modem connected
directly to console. When the router reloads, you get disconnected and have
to re-dial which by that time is too late to break. In my experience, I have
had to dial up to a 2511 and connect to console of the problem router that
way...

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Michael Williams
Sent: Thursday, January 23, 2003 2:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]


Uh... if he could get into enable mode to issue a 'reload' command, he could
just change the password and there wouldn't be any need to do a password
recovery?!?!?

Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61773t=61716



RE: Question? [7:61716]

2003-01-24 Thread Alan Cowan
It is possible to do a password recovery by a modem connection to the
console port. The same conditions apply as when you perform this
procedure locally at the router. When you perform a router password
recovery, you have to physically power cycle the router... The only way
to do this if you do not already have the enable password is to have
someone physically at the router. The reload command only works when
you have entered enable mode on the router.

The answer is that if you do not have the router passwords for the
router and want to perform password recovery, someone needs to power
cycle the router, though the person performing the IOS password recovery
procedure can be remote via a modem through the console port.

-Original Message-
From: Charles D Hammonds [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 12:45 AM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]

I have not been able to perform password recovery via a modem connected
directly to console. When the router reloads, you get disconnected and
have to re-dial which by that time is too late to break. In my
experience, I have had to dial up to a 2511 and connect to console of
the problem router that way...

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Michael Williams
Sent: Thursday, January 23, 2003 2:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]


Uh... if he could get into enable mode to issue a 'reload' command, he
could just change the password and there wouldn't be any need to do a
password recovery?!?!?

Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61774t=61716



Re: Question? [7:61716]

2003-01-24 Thread J.D. Chaiken
I have 2 thoughts on this.

The first is that on my test rack, where I'm reverse telnetting into the
console ports, if I power cycle certain models of router my telnet session
is dropped.  (MC3810, and 3620 that I'm aware of.)  I can only assume that
this is the same thing that's happening to the modem.

The second, also on my home rack, but I've used these in production
environments, are X-10 PLC appliance modules (also available from many other
manufacturers), which can physically power cycle devices remotely.  I've
found these types of devices to be a life saver for remote offices, or
co-located servers where you need to power cycle a server and no one is
available to push a button for you.  The X-10 boxes are reasonably
reliable, and I haven't had too many problems with them over the years.  But
there are better, more expensive devices available for critical applications.


Jarett

Alan Cowan  wrote in message
news:[EMAIL PROTECTED]...
 It is possible to do a password recovery by a modem connection to the
 console port. The same conditions apply as when you perform this
 procedure locally at the router. When you perform a router password
 recovery, you have to physically power cycle the router... The only way
 to do this if you do not already have the enable password is to have
 someone physically at the router. The reload command only works when
 you have entered enable mode on the router.

 The answer is that if you do not have the router passwords for the
 router and want to perform password recovery, someone needs to power
 cycle the router, though the person performing the IOS password recovery
 procedure can be remote via a modem through the console port.

 -Original Message-
 From: Charles D Hammonds [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 12:45 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Question? [7:61716]

 I have not been able to perform password recovery via a modem connected
 directly to console. When the router reloads, you get disconnected and
 have to re-dial which by that time is too late to break. In my
 experience, I have had to dial up to a 2511 and connect to console of
 the problem router that way...

 Charles

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Michael Williams
 Sent: Thursday, January 23, 2003 2:24 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Question? [7:61716]


 Uh... if he could get into enable mode to issue a 'reload' command, he
 could just change the password and there wouldn't be any need to do a
 password recovery?!?!?

 Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61775t=61716



Policing traffic - Normal burst, Maximum burst etc?? [7:61776]

2003-01-24 Thread Cisco Nuts
Hello,

Had a question on policing traffic. If I wanted the average traffic
flow to be 8MB, the normal burst to be 10MB and the maximum burst to be
12MB would my police cmd. be:

#police 8000 1 12 conform-action transmit

OR

#police 8000 2000 4000 conform-action transmit

Thank you for your help.

Sincerely,
CN







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61776t=61776



RE: Microsoft Exchange/UMS and Firewall [7:61747]

2003-01-24 Thread Aaron Ajello
I've gone through an issue like this before and remember some issue about
Exchange using constantly changing ports.  But this link might be able to
help you.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61777t=61747



OT:Hey Chuck, tax question on certs [7:61778]

2003-01-24 Thread Scott
Chuck,

I remember sometime last year that you mentioned a way to deduct
certification expenses from your taxes.  I was wondering if you could
enlighten the masses on how this works and what is deductible?  Can we
deduct all travel expenses and cost of exams?  Any loopholes to look out
for?

Would usually do this offline, but since it affects everybody here I thought
it would be a constructive discussion for all.

Thanks,

Scott
CCIE #9340




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61778t=61778



RE: Dynamic Natting [7:61584]

2003-01-24 Thread Hyman, Craig
thanks

Craig Hyman
SRS Implementation Team
Tier 2 Support
[EMAIL PROTECTED]
Broomfield Office 303-272-2661
Virtual Office Phone Number 303-604-0037
SkyPager Number 1-888-860-5913


-Original Message-
From: mjans001 [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 2:03 PM
To: Hyman, Craig; [EMAIL PROTECTED]
Subject: RE: Dynamic Natting [7:61584]


 

For example:

Internet nat outside
E1 nat outside
Router 1600
E0 nat inside
Network inside
DG 10.x.99.100
Internal customers lans



ip nat inside source list 100 interface Ethernet1 overload

Nat list
access-list 100 permit ip 10.x.99.0 0.0.0.255 any
access-list 100 permit ip 10.x.100.0 0.0.0.255 any
access-list 100 permit ip 10.x.101.0 0.0.0.255 any
access-list 100 permit ip 10.x.102.0 0.0.0.255 any

Customer LANs
ip route 10.x.100.0 255.255.255.0 10.x.99.100
ip route 10.x.101.0 255.255.255.0 10.x.99.100
ip route 10.x.102.0 255.255.255.0 10.x.99.100



- -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hyman,
Craig
Sent: Wednesday, January 22, 2003 17:13
To: [EMAIL PROTECTED]
Subject: Dynamic Natting [7:61584]


ALL-

Has anybody been able to do dynamic natting with a 1601R router using IOS
120221a?

Have you been able to use multiple subnets (customer IPs) and run them
through one Nat address?



Craig Hyman
SRS Implementation Team
Tier 2 Support
[EMAIL PROTECTED]
Broomfield Office 303-272-2661
Virtual Office Phone Number 303-604-0037
SkyPager Number 1-888-860-5913


- -Original Message-
From: Silju Pillai [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 02, 2002 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: How to setup Pix site-to-site VPN with overlapping [7:50255]


HI David,

I have a link for you. It may help you a bit. It says NAT the existing
addresses to a different address at both sites (although the document says
one bcoz of the concentrator).

http://www.cisco.com/warp/public/707/vpn_pix_private.html.

If you are trying this just tell me if it works or not.

regards
Silju




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61779t=61584



RE: Microsoft Exchange/UMS and Firewall [7:61747]

2003-01-24 Thread Arnold, Jamie
Exchange will use 135 to discover (portmapper) and then use dynamically
assigned ports for the actual conversations.  Your best bet is to statically
map the ports in Exchange and then you don't have a moving target from the
firewall point of view.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194952

The other option (not a good one IMHO) is to open 135 only to the Exchange
host and then leave a range of ports open to that host as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 23, 2003 9:04 PM
To: [EMAIL PROTECTED]
Subject: Microsoft Exchange/UMS and Firewall [7:61747]


Hi All,

Need your advice on the following situation: I have a Active Voice Unified
Messaging System on Location A, and a Microsoft Exchange Server at Location
B. Both Location A and B are protected by Checkpoint firewall. Please advice
how the firewall be configured such that it will allow MAPI to be used
between these two sites.

Thanks a lot in advance!

Maurice




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61780t=61747



RE: Passed CSIDS 855/1000 [7:61655]

2003-01-24 Thread Kim Graham
Congrats as well.  I hope to be writing this one mid February.
By CSIDS I am understanding you wrote the 9E0-100, correct? And not the
earlier version of this exam.

Kim / Zukee


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61781t=61655



show cdp neighbors command [7:61782]

2003-01-24 Thread Kaminski, Shawn G
We have five 3500-series switches daisy-chained with Gigastack GBICs. Anyone
know why I see all the switches in the daisy-chain when I do a show cdp
neighbors command on any one of the switches? I thought this command only
showed directly connected devices. I was told that there are no other
connections between the switches (they are remote). No luck finding anything
on CCO or archives.
 
Switch1
 |
Switch2
 |
Switch3
 |
Switch4
 |
Switch5
 
For example, if I do a show cdp neighbors on Switch3, I get (hopefully the
formatting will look OK):
 
Switch3#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
Switch4          Gig 0/8            163          T S      WS-C3508G-  Gig 0/8
Switch5          Gig 0/8            177          T S      WS-C3508G-  Gig 0/8
Switch2          Gig 0/8            162          T S      WS-C3524-P  Gig 0/2
Switch1          Gig 0/8            131          T S      WS-C3524-P  Gig 0/2
 
I would think that this command would only show Switch2 and Switch 4 as
neighbors.
 
Thanks,
Shawn G. Kaminski
EDS - GTO Capability Center
Dow Chemical Test Facilities - Network Support




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61782t=61782



Bri2/1 !!!Check clock source!!! (Help needed) [7:61783]

2003-01-24 Thread Antero Vasconcelos
Hi, I have a problem with a BriS0 (with 2 Voice Port) in a NM-2V.
I can only have 2 voice calls in one port and every time that I need a 3rd
call the router sends the message  BRI2/1: !!!Check clock source!!! and the
interface is disabled due to lost framing count of 41 in the past 16
msec.
Here goes an output of the configuration.

version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xpto
!
clock summer-time PT recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
!
!
no ip domain-lookup
!
frame-relay switching
isdn switch-type basic-net3
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 384
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping
 frame-relay interface-dlci 200
  class voz
  vofr cisco
 frame-relay route 80 interface Serial0/1 80
!
interface Serial0/0.16 point-to-point
 bandwidth 144
 ip address y.y.y.y 255.255.255.252
 frame-relay interface-dlci 16
  class dados
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
 isdn switch-type basic-qsig
 cdapi buffers regular 0
 cdapi buffers raw 0
 cdapi buffers large 0
!
!
interface BRI1/0
 no ip address
 shutdown
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
interface BRI1/1
 no ip address
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
ip classless
no ip http server
!
!
!
voice-port 1/0/0
 compand-type a-law
 cptone PT
!
voice-port 1/0/1
 compand-type a-law
 cptone PT
!
dial-peer cor custom
!
!
!
dial-peer voice 2400 pots
 destination-pattern 4..
 direct-inward-dial
 port 1/0/0
 forward-digits all
!
dial-peer voice 2401 pots
 destination-pattern 4..
 direct-inward-dial
 port 1/0/1
 forward-digits all
!
dial-peer voice 1500 vofr
 destination-pattern 15..
 session target Serial0/0 200
 no vad 

The PBX is a Siemens Hicom 100E

If anyone has ideas please write.

Thx in advance

Best regards

Antero Vasconcelos




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61783t=61783



Re: show cdp neighbors command [7:61782]

2003-01-24 Thread Captian Lance
I would guess that this whole network is a layer 2 network.  Therefore the
layer 2 broadcasts (CDP) would be forwarded to and through all switches.


Kaminski, Shawn G  wrote in message
news:[EMAIL PROTECTED]...
 We have five 3500-series switches daisy-chained with Gigastack GBICs.
Anyone
 know why I see all the switches in the daisy-chain when I do a show cdp
 neighbors command on any one of the switches? I thought this command only
 showed directly connected devices. I was told that there are no other
 connections between the switches (they are remote). No luck finding
anything
 on CCO or archives.

 Switch1
  |
 Switch2
  |
 Switch3
  |
 Switch4
  |
 Switch5

 For example, if I do a show cdp neighbors on Switch3, I get (hopefully
the
 formatting will look OK):

 Switch3#sh cdp neigh
 Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                   S - Switch, H - Host, I - IGMP, r - Repeater

 Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
 Switch4          Gig 0/8            163          T S      WS-C3508G-  Gig 0/8
 Switch5          Gig 0/8            177          T S      WS-C3508G-  Gig 0/8
 Switch2          Gig 0/8            162          T S      WS-C3524-P  Gig 0/2
 Switch1          Gig 0/8            131          T S      WS-C3524-P  Gig 0/2

 I would think that this command would only show Switch2 and Switch 4 as
 neighbors.

 Thanks,
 Shawn G. Kaminski
 EDS - GTO Capability Center
 Dow Chemical Test Facilities - Network Support




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61784t=61782



Re: show cdp neighbors command [7:61782]

2003-01-24 Thread Priscilla Oppenheimer
Captian Lance wrote:
 
 I would guess that this whole network is a layer 2 network. 
 Therefore the
 layer 2 broadcasts (CDP) would be forwarded to and through all
 switches.

On Layer 2 networks broadcasts and multicasts do indeed get forwarded, but
CDP is usually an exception. Normally CDP is processed specially and not
forwarded. Usually you just learn about your actual physical neighbors.

But the Gigastack must change that.

Priscilla

 
 
 Kaminski, Shawn G  wrote in message
 news:[EMAIL PROTECTED]...
  We have five 3500-series switches daisy-chained with
 Gigastack GBICs.
 Anyone
  know why I see all the switches in the daisy-chain when I do
 a show cdp
  neighbors command on any one of the switches? I thought this
 command only
  showed directly connected devices. I was told that there are
 no other
  connections between the switches (they are remote). No luck
 finding
 anything
  on CCO or archives.
 
  Switch1
   |
  Switch2
   |
  Switch3
   |
  Switch4
   |
  Switch5
 
  For example, if I do a show cdp neighbors on Switch3, I get
 (hopefully
 the
  formatting will look OK):
 
  Switch3#sh cdp neigh
  Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                    S - Switch, H - Host, I - IGMP, r - Repeater

  Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
  Switch4          Gig 0/8            163          T S      WS-C3508G-  Gig 0/8
  Switch5          Gig 0/8            177          T S      WS-C3508G-  Gig 0/8
  Switch2          Gig 0/8            162          T S      WS-C3524-P  Gig 0/2
  Switch1          Gig 0/8            131          T S      WS-C3524-P  Gig 0/2
 
  I would think that this command would only show Switch2 and
 Switch 4 as
  neighbors.
 
  Thanks,
  Shawn G. Kaminski
  EDS - GTO Capability Center
  Dow Chemical Test Facilities - Network Support
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61785t=61782



Strange ACL problems [7:61786]

2003-01-24 Thread [EMAIL PROTECTED]
Is there a limit as to how many ACL entries can be in one group?

Reason for asking...  I have quite a few hosts blocked at one of our borders
(yes, I'm going to have to sit down and start compiling the list) and after
entering in one additional host all the others disappear.  I'm currently
running 12.2.11T

Has anyone seen this?  Please let me know, it's rather urgent! 

Cheers,
mkj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61786t=61786



Re: Strange ACL problems [7:61786]

2003-01-24 Thread MADMAN
That sounds quite odd, I have seen some pretty long lists but never 
seen what you're describing.  How many entries are you talking?  Is there 
something peculiar about this particular entry or does this happen even 
if you add some bogus address?  Can you make this list shorter, 
aggregate some addresses?

   Dave

[EMAIL PROTECTED] wrote:
 Is there a limit as to how many ACL entries can be in one group?
 
 Reason for asking...  I have quite a few hosts blocked at one of our
borders
 (yes, I'm going to have to sit down and start compiling the list) and after
 entering in one additional host all the others disappear.  I'm currently
 running 12.2.11T
 
 Has anyone seen this?  Please let me know, it's rather urgent! 
 
 Cheers,
 mkj
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61792t=61786



RE: show cdp neighbors command [7:61782]

2003-01-24 Thread Kaminski, Shawn G
Unfortunately, these switches are not using clustering.

Shawn K.

-Original Message-
From: Daniel Cotts [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 2:33 PM
To: 'Kaminski, Shawn G'; [EMAIL PROTECTED]
Subject: RE: show cdp neighbors command [7:61782]

By using CDP, a command switch can discover switches up to seven CDP hops
away (the default is three hops) from the edge
of the cluster.
Watch the wrap:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc6/scg/swc
lus.htm#xtocid7

 -Original Message-
 From: Kaminski, Shawn G [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 11:41 AM
 To: [EMAIL PROTECTED]
 Subject: show cdp neighbors command [7:61782]
 
 
 We have five 3500-series switches daisy-chained with 
 Gigastack GBICs. Anyone
 know why I see all the switches in the daisy-chain when I do 
 a show cdp
 neighbors command on any one of the switches? I thought this 
 command only
 showed directly connected devices. I was told that there are no other
 connections between the switches (they are remote). No luck 
 finding anything
 on CCO or archives.
  
 Switch1
  |
 Switch2
  |
 Switch3
  |
 Switch4
  |
 Switch5
  
 For example, if I do a show cdp neighbors on Switch3, I get 
 (hopefully the
 formatting will look OK):
  
 Switch3#sh cdp neigh
 Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                   S - Switch, H - Host, I - IGMP, r - Repeater

 Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
 Switch4          Gig 0/8            163          T S      WS-C3508G-  Gig 0/8
 Switch5          Gig 0/8            177          T S      WS-C3508G-  Gig 0/8
 Switch2          Gig 0/8            162          T S      WS-C3524-P  Gig 0/2
 Switch1          Gig 0/8            131          T S      WS-C3524-P  Gig 0/2
  
 I would think that this command would only show Switch2 and 
 Switch 4 as
 neighbors.
  
 Thanks,
 Shawn G. Kaminski
 EDS - GTO Capability Center
 Dow Chemical Test Facilities - Network Support




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61793t=61782



RE: Strange ACL problems [7:61786]

2003-01-24 Thread [EMAIL PROTECTED]
It's about 65 entries long.  I'm running a 3640 with max ram and flash.  I
use Terra-Term SSH to access the router.  I've also tried consoling in via
terra term and the same thing happened.

Another peculiar thing I noticed, one entry is an entire subnet (x.x.x.0
0.0.0.255); after pasting in the back-up this entry shows up after the
permit any statement.  I tried to re-enter them, but the same thing
happens.

tcp/ip gremlins I have many

Cheers,
mkj


-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 1:39 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Strange ACL problems [7:61786]



   That sounds quite odd, I have seen some pretty long lists but never 
seen what you're describing.  How many entries are you talking?  Is there 
something peculiar about this particular entry or does this happen even 
if you add some bogus address?  Can you make this list shorter, 
aggregate some addresses?

   Dave

[EMAIL PROTECTED] wrote:
 Is there a limit as to how many ACL entries can be in one group?
 
 Reason for asking...  I have quite a few hosts blocked at one of our
borders
 (yes, I'm going to have to sit down and start compiling the list) and
after
 entering in one additional host all the others disappear.  I'm currently
 running 12.2.11T
 
 Has anyone seen this?  Please let me know, it's rather urgent! 
 
 Cheers,
 mkj
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61794t=61786
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
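
An added example, not part of the original thread and not Cisco code: a Python check that compares a restored standard ACL with its backup and reports entries that went missing or that sit after a broader entry such as permit any, the two symptoms described in the message above. The access-list lines and addresses are constructed sample data, and the function names are this example's own.

```python
"""Audit a restored IOS standard ACL against its backup (added example)."""
import ipaddress
from typing import NamedTuple

MASK32 = 0xFFFFFFFF

# Constructed sample data (documentation address ranges, not from the thread).
BACKUP = """\
access-list 10 deny host 192.0.2.15
access-list 10 deny host 192.0.2.77
access-list 10 deny 198.51.100.0 0.0.0.255
access-list 10 deny 203.0.113.9
access-list 10 permit any
"""
# What the router might show after a bad paste: one host entry is gone and
# the subnet entry has landed after "permit any".
RUNNING = """\
access-list 10 deny   192.0.2.15
access-list 10 deny   203.0.113.9
access-list 10 permit any
access-list 10 deny   198.51.100.0 0.0.0.255
"""


class Entry(NamedTuple):
    acl: int
    action: str    # "permit" or "deny"
    addr: int      # source address with don't-care bits cleared
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care"
    text: str      # source line with whitespace collapsed

    @property
    def key(self):
        return (self.acl, self.action, self.addr, self.wildcard)


def _ip(token):
    return int(ipaddress.IPv4Address(token))


def parse_acl(config):
    """Parse numbered standard ACL lines (1-99, 1300-1999); skip the rest."""
    entries = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or not tok[1].isdigit():
            continue
        acl = int(tok[1])
        if not (1 <= acl <= 99 or 1300 <= acl <= 1999):
            continue
        if tok[2] not in ("permit", "deny"):
            continue  # e.g. "remark"
        src = [t for t in tok[3:] if t != "log"]
        if not src:
            continue
        if src[0] == "any":
            addr, wildcard = 0, MASK32
        elif src[0] == "host":
            addr, wildcard = _ip(src[1]), 0
        else:  # "A" alone means a single host, "A W" is address + wildcard
            addr = _ip(src[0])
            wildcard = _ip(src[1]) if len(src) > 1 else 0
        entries.append(Entry(acl, tok[2], addr & ~wildcard & MASK32,
                             wildcard, " ".join(tok)))
    return entries


def covers(earlier, later):
    """True if every address matched by `later` is matched by `earlier`."""
    fixed = ~earlier.wildcard & MASK32  # bits `earlier` actually compares
    return ((later.wildcard & fixed) == 0
            and ((earlier.addr ^ later.addr) & fixed) == 0)


def shadowed(entries):
    """Return (entry, blocker) pairs where blocker precedes entry in the same
    ACL and matches a superset of its addresses, so entry can never match."""
    hits = []
    for j, entry in enumerate(entries):
        for blocker in entries[:j]:
            if blocker.acl == entry.acl and covers(blocker, entry):
                hits.append((entry, blocker))
                break
    return hits


def missing(backup, running):
    """Entries present in the backup but absent from the running list."""
    have = {e.key for e in running}
    return [e for e in backup if e.key not in have]


if __name__ == "__main__":
    backup, running = parse_acl(BACKUP), parse_acl(RUNNING)
    for e in missing(backup, running):
        print("MISSING :", e.text)
    for e, blocker in shadowed(running):
        print("SHADOWED:", e.text, "<- never reached after:", blocker.text)
```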



OT: test don't read [7:61795]

2003-01-24 Thread Chris
Test




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61795t=61795



How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Group,

I sometimes remember things that never happened.  Do I remember that there
is a simple command that allows you to block STP, VTP, HSRP, etc. from
hitting access ports?

Thanks much!

Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61796t=61796



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Larry Letterman
disable STP on the port...

--

Larry Letterman
Network Engineer
Cisco Systems


s vermill  wrote in message
news:[EMAIL PROTECTED]...
 Group,

 I sometimes remember things that never happened.  Do I
remember that there
 is a simple command that allows you to block STP, VTP,
HSRP, etc. from
 hitting access ports?

 Thanks much!

 Scott
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61797t=61796



RE: show cdp neighbors command [7:61782]

2003-01-24 Thread Daniel Cotts
By using CDP, a command switch can discover switches up to seven CDP hops
away (the default is three hops) from the edge
of the cluster.
Watch the wrap:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc6/scg/swc
lus.htm#xtocid7

 -Original Message-
 From: Kaminski, Shawn G [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 11:41 AM
 To: [EMAIL PROTECTED]
 Subject: show cdp neighbors command [7:61782]
 
 
 We have five 3500-series switches daisy-chained with 
 Gigastack GBICs. Anyone
 know why I see all the switches in the daisy-chain when I do 
 a show cdp
 neighbors command on any one of the switches? I thought this 
 command only
 showed directly connected devices. I was told that there are no other
 connections between the switches (they are remote). No luck 
 finding anything
 on CCO or archives.
  
 Switch1
  |
 Switch2
  |
 Switch3
  |
 Switch4
  |
 Switch5
  
 For example, if I do a show cdp neighbors on Switch3, I get 
 (hopefully the
 formatting will look OK):
  
 Switch3#sh cdp neigh
 Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                   S - Switch, H - Host, I - IGMP, r - Repeater

 Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
 Switch4          Gig 0/8            163          T S      WS-C3508G-  Gig 0/8
 Switch5          Gig 0/8            177          T S      WS-C3508G-  Gig 0/8
 Switch2          Gig 0/8            162          T S      WS-C3524-P  Gig 0/2
 Switch1          Gig 0/8            131          T S      WS-C3524-P  Gig 0/2
  
 I would think that this command would only show Switch2 and 
 Switch 4 as
 neighbors.
  
 Thanks,
 Shawn G. Kaminski
 EDS - GTO Capability Center
 Dow Chemical Test Facilities - Network Support




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61790t=61782



RE: Policing traffic - Normal burst, Maximum burst etc [7:61776]

2003-01-24 Thread Michael Williams
IIRC, your second statement would be right.  You specify those burst
bandwidths as additions to the first one.  i.e.  8000, 2000, and 4000 would
give you avg. 8000, burst of 1 and max burst of 12000.

See here:  (watch for wrap)

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd8ee.html#xtocid5

Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61798t=61776
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Larry Letterman wrote:
 
 disable STP on the port...
 
 --
 
 Larry Letterman
 Network Engineer
 Cisco Systems
 
Thanks Larry.  I've never claimed to be a security expert.  I generally get
the network going and let the local policy folk implement what they see
fit.  I guess turning off STP is a start, but I thought that I once ran
across a simple command that made an access port truly an access port.  As
part of a turnover process, a security audit was conducted on a network
we’ve recently built.  One of the red flags thrown at us was that STP, HSRP,
and VTP information could be passively collected.  All true.  So are L2 ACLs
the only answer?  I thought Cisco addressed this in some way, but again, I
sometimes remember things that never happened.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61799t=61796



Re: Strange ACL problems [7:61786]

2003-01-24 Thread MADMAN
Well a 65 line access list should not be the problem!!  try 12.2.13T :)

   Dave

[EMAIL PROTECTED] wrote:
 It's about 65 entries long.  I'm running a 3640 with max ram and flash.  I
 use Terra-Term SSH to access the router.  I've also tried consoling in via
 terra term and the same thing happened.
 
 Another peculiar thing I noticed, one entry is an entire subnet (x.x.x.0
 0.0.0.255); after pasting in the back-up this entry shows up after the
 permit any statement.  I tried to re-enter them, but the same thing
 happens.
 
 tcp/ip gremlins I have many
 
 Cheers,
 mkj
 
 
 -Original Message-
 From: MADMAN [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, January 24, 2003 1:39 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Strange ACL problems [7:61786]
 
 
 
 That sounds quite odd, I have seen some pretty long lists but never 
 seen what you're describing.  How many entries are you talking?  Is there 
 something peculiar about this particular entry or does this happen even 
 if you add some bogus address?  Can you make this list shorter, 
 aggregate some addresses?
 
Dave
 
 [EMAIL PROTECTED] wrote:
 
Is there a limit as to how many ACL entries can be in one group?

Reason for asking...  I have quite a few hosts blocked at one of our
 
 borders
 
(yes, I'm going to have to sit down and start compiling the list) and
 
 after
 
entering in one additional host all the others disappear.  I'm currently
running 12.2.11T

Has anyone seen this?  Please let me know, it's rather urgent! 

Cheers,
mkj
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61800t=61786



access-list compiled on Pix firewall [7:61801]

2003-01-24 Thread eric nguyen
Has anyone used the access-list compiled on the pix firewall?  Cisco says
that it optimizes the access-list and makes things run smoother if your
access-list is at least 20 lines long.  Has anyone actually measured this
on a production environment?

Advise please.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61801t=61801



RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Daniel Cotts
On CatOS switches there is the set port host command.
To optimize the port configuration, the set port host command sets channel
mode to off, enables spanning tree PortFast, sets the trunk mode to off, and
disables the dot1q tunnel feature. Only an end station can accept this
configuration.

 -Original Message-
 From: s vermill [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 24, 2003 2:17 PM
 To: [EMAIL PROTECTED]
 Subject: How to Block STP, VTP, etc. on Access Ports? [7:61796]
 
 
 Group,
 
 I sometimes remember things that never happened.  Do I 
 remember that there
 is a simple command that allows you to block STP, VTP, HSRP, etc. from
 hitting access ports?
 
 Thanks much!
 
 Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61802t=61796



RE: access-list compiled on Pix firewall [7:61803]

2003-01-24 Thread Stong, Ian C [GMG]
I've used the turbo acl function and it seems like a nice feature but didn't
notice any real difference performance wise.  Had 29 lines of filters.


Thanks,

Ian
www.ccie4u.com
Rack Rentals and Lab Scenarios



-Original Message-
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: access-list compiled on Pix firewall


Has anyone used the access-list compiled on the pix firewall?  Cisco says
that it optimizes the access-list and makes things run smoother if your
access-list is at least 20 lines long.  Has anyone actually measured this on
a production environment?

Advise please.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61803t=61803



OT: Re:Hey Chuck, tax question on certs [7:61778]

2003-01-24 Thread J.D. Chaiken
From the IRS Website:
(http://www.irs.gov/taxtopics/page/0,,id%3D105559,00.html -- watch for wrap)
Generally, you cannot deduct education and training expenses for yourself,
your spouse (if married) or your dependent as a business expense unless the
education or training:

- Maintains or improves a skill required in a trade or business you are
  currently engaged in,
- Meets the express requirements of your employer, or
- Meets the requirements of law or regulations which are conditions of
  continuing your employment.

There are 2 caveats that I should point out.

1.  If you were reimbursed for the certification you cannot deduct it.
Unless you were repaid in a subsequent tax year than when you spent the
money.  Then you would be able to deduct from the first year, and then pay
for it in the second year.

2.   If you are getting certified to obtain a raise or to get another job,
the expenses are not deductible.

Hope this helps
Jarett

Scott  wrote in message
news:[EMAIL PROTECTED]...
 Chuck,

 I remember sometime last year that you mentioned a way to deduct
 certification expenses from your taxes.  I was wondering if you could
 enlighten the masses on how this works and what is deductible?  Can we
 deduct all travel expenses and cost of exams?  Any loopholes to look out
 for?

 Would usually do this offline, but since it affects everybody here I thought
 it would be a constructive discussion for all.

 Thanks,

 Scott
 CCIE #9340




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61804t=61778



DDR on AS [7:61805]

2003-01-24 Thread Tony
I have an AS3640 with one PRI.  The PRI handles both incoming and outgoing
data calls.  Has anyone configured an Access Server to use DDR for outbound
calls (not using a com redirect)?
Example: I need to take an internal telnet session, route it to the AS and
then trigger an async call to a remote location.

Any help would be greatly appreciated.

Tony




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61805t=61805



RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Daniel Cotts wrote:
 
 On CatOS switches there is the set port host command.
 To optimize the port configuration, the set port host command
 sets channel mode to off, enables spanning tree PortFast, sets the trunk
 mode to off, and disables the dot1q tunnel feature. Only an end station can
 accept this configuration.
 

Thanks Daniel.  I'll give that a try and light off an analyzer to see what
gets through.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61806t=61796



NT4.0 password crack tool [7:61807]

2003-01-24 Thread Kazan, Naim
I am trying to recover my password that someone set on my sniffer box
running on NT4.0. Any help will be greatly appreciated.

Naim Kazan
FISC-SDS
WORK: 201-915-7347
HOME: 973-492-1466
CELL: 917-559-0591
EMAIL: [EMAIL PROTECTED] 
PAGER: 800-759-8352 Pin 1145361




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61807t=61807



Re: Re:Hey Chuck, tax question on certs [7:61778]

2003-01-24 Thread Eric Rogers
Another big thing on deducting and or itemizing for this is if you do W-2
work or 1099. I've been writing this stuff off since '98 doing 1099 work
including the Cisco equipment. If you're going to do this though get an
accountant. These types of things become an IRS red flag for an audit.
There's a fine line in what the IRS will allow and will not. Cross your
T's and dot your I's and be sure to have receipts and documentation for
everything. Best bet is to get a CPA to see if you can do it as this will be
applied to your individual situation.

-Eric R.

- Original Message -
From: J.D. Chaiken 
To: 
Sent: Friday, January 24, 2003 1:10 PM
Subject: OT: Re:Hey Chuck, tax question on certs [7:61778]


 From the IRS Website:
 (http://www.irs.gov/taxtopics/page/0,,id%3D105559,00.html -- watch for wrap)
 Generally, you cannot deduct education and training expenses for yourself,
 your spouse (if married) or your dependent as a business expense unless the
 education or training:

 - Maintains or improves a skill required in a trade or business you are
   currently engaged in,
 - Meets the express requirements of your employer, or
 - Meets the requirements of law or regulations which are conditions of
   continuing your employment.

 There are 2 caveats that I should point out.

 1.  If you were reimbursed for the certification you cannot deduct it.
 Unless you were repaid in a subsequent tax year than when you spent the
 money.  Then you would be able to deduct from the first year, and then pay
 for it in the second year.

 2.   If you are getting certified to obtain a raise or to get another job,
 the expenses are not deductible.

 Hope this helps
 Jarett

 Scott  wrote in message
 news:[EMAIL PROTECTED]...
  Chuck,
 
  I remember sometime last year that you mentioned a way to deduct
  certification expenses from your taxes.  I was wondering if you could
  enlighten the masses on how this works and what is deductible?  Can we
  deduct all travel expenses and cost of exams?  Any loopholes to look out
  for?
 
  Would usually do this offline, but since it affects everybody here I thought
  it would be a constructive discussion for all.
 
  Thanks,
 
  Scott
  CCIE #9340




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61809t=61778



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Priscilla Oppenheimer
On Catalyst switches, you can use the set port host macro. It turns a
bunch of stuff off.

That won't help with HSRP, though. HSRP is definitely hackable. If you can
see the packets, you can see the unencrypted authentication string, and then
you can claim to be the active router yourself and all traffic will go to
you instead of where it should go. I've done it! :-)

You should check to see if Cisco ever fixed this, though. Maybe they use a
stronger authentication method now. I'll see if I can find out.

___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com



s vermill wrote:
 
 Larry Letterman wrote:
  
  disable STP on the port...
  
  --
  
  Larry Letterman
  Network Engineer
  Cisco Systems
  
 Thanks Larry.  I've never claimed to be a security expert.  I
 generally get the network going and let the local policy folk
 implement what they see fit.  I guess turning off STP is a
 start, but I thought that I once ran across a simple command
 that made an access port truly an access port.  As part of a
 turnover process, a security audit was conducted on a network
 we've recently built.  One of the red flags thrown at us was
 that STP, HSRP, and VTP information could be passively
 collected.  All true.  So are L2 ACLs the only answer?  I
 thought Cisco addressed this in some way, but again, I
 sometimes remember things that never happened.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61810t=61796



Re: NT4.0 password crack tool [7:61807]

2003-01-24 Thread Juntao
u'r talking about nt4 login passwords, the SAM database?
L0phtCrack works,  it takes a long time though
Sysinternals has tools to login to the box, and change things.
u can also change cmd.exe to the default screen saver name, the command line
will pop up after a while, after reboot.
and change the password with the net user command
if the server or the box is part of the global admin group, i'm sure u know
u can change the password or reset it, even just with, user manager for
domains.
and there is of course a lot of other things that can be done, depending on
ur situation.

hope the above helps
regards

Kazan, Naim wrote in message news:
[EMAIL PROTECTED]
 I am trying to recover my password that someone set on my sniffer box
 running on NT4.0. Any help will be greatly appreciated.

 Naim Kazan
 FISC-SDS
 WORK: 201-915-7347
 HOME: 973-492-1466
 CELL: 917-559-0591
 EMAIL: [EMAIL PROTECTED]
 PAGER: 800-759-8352 Pin 1145361




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61808t=61807



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Priscilla Oppenheimer
Priscilla Oppenheimer wrote:
 
 On Catalyst switches, you can use the set port host macro. It
 turns a bunch of stuff off.
 
 That won't help with HSRP, though. HSRP is definitely hackable.
 If you can see the packets, you can see the unencrypted
 authentication string, and then you can claim to be the active
 router yourself and all traffic will go to you instead of where
 it should go. I've done it! :-)
 
 You should check to see if Cisco ever fixed this, though. Maybe
 they use a stronger authentication method now. I'll see if I can
 find out.

They don't seem to have fixed this! Unbelievable. It's a gaping hole,
(although to exploit it you have to have access to the LAN.)

P.

 
 ___
 
 Priscilla Oppenheimer
 www.troubleshootingnetworks.com
 www.priscilla.com
 
 
 
 s vermill wrote:
  
  Larry Letterman wrote:
   
   disable STP on the port...
   
   --
   
   Larry Letterman
   Network Engineer
   Cisco Systems
   
  Thanks Larry.  I've never claimed to be a security expert.  I
  generally get the network going and let the local policy folk
  implement what they see fit.  I guess turning off STP is a
  start, but I thought that I once ran across a simple command
  that made an access port truly an access port.  As part of a
  turnover process, a security audit was conducted on a network
  we've recently built.  One of the red flags thrown at us was
  that STP, HSRP, and VTP information could be passively
  collected.  All true.  So are L2 ACLs the only answer?  I
  thought Cisco addressed this in some way, but again, I
  sometimes remember things that never happened.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61811t=61796



RE: access-list compiled on Pix firewall [7:61803]

2003-01-24 Thread [EMAIL PROTECTED]
According to Cisco's site... The access-list compiled can only be used
with Turbo ACLs on the 7000 series routers.

Please lemme know if I'm wrong!  I'd like to use it on my 3640 with acl
gremlins.

-Original Message-
From: Stong, Ian C [GMG] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: access-list compiled on Pix firewall [7:61803]


I've used the turbo acl function and it seems like a nice feature but didn't
notice any real difference performance wise.  Had 29 lines of filters.


Thanks,

Ian
www.ccie4u.com
Rack Rentals and Lab Scenarios



-Original Message-
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: access-list compiled on Pix firewall


Has anyone used the access-list compiled on the pix firewall?  Cisco says
that it optimizes the access-list and makes things run smoother if your
access-list is at least 20 lines long.  Has anyone actually measured this on
a production environment?

Advise please.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61812t=61803



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Jens Neelsen
Hi,

Disabling STP is not recommended. Use Portfast instead. VTP is
only active on trunk ports. HSRP is configured per interface (on
router). What do you want to achieve? 

Jens Neelsen
CCNP, CCDP, CCSI

--- Larry Letterman  wrote:
 disable STP on the port...
 
 --
 
 Larry Letterman
 Network Engineer
 Cisco Systems
 
 
 s vermill  wrote in message
 news:[EMAIL PROTECTED]...
  Group,
 
  I sometimes remember things that never happened.  Do I remember that there
  is a simple command that allows you to block STP, VTP, HSRP, etc. from
  hitting access ports?
 
  Thanks much!
 
  Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61813t=61796



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Priscilla Oppenheimer wrote:
 
 Priscilla Oppenheimer wrote:
  
  On Catalyst switches, you can use the set port host macro. It
  turns a bunch of stuff off.
  
  That won't help with HSRP, though. HSRP is definitely hackable.
  If you can see the packets, you can see the unencrypted
  authentication string, and then you can claim to be the active
  router yourself and all traffic will go to you instead of where
  it should go. I've done it! :-)
  
  You should check to see if Cisco ever fixed this, though. Maybe
  they use a stronger authentication method now. I'll see if I can
  find out.
 
 They don't seem to have fixed this! Unbelievable. It's a gaping
 hole, (although to exploit it you have to have access to the
 LAN.)
 
 P.
 
  
  ___
  
  Priscilla Oppenheimer
  www.troubleshootingnetworks.com
  www.priscilla.com
  
  
  

Thanks Priscilla.  I found it interesting that the security consultants made
note of these findings and made a strong recommendation that we fix them. 
No suggestions on how to do so were offered.  I imagine there is a L2 ACL
solution or something along those lines.  I was hoping for something clean,
but I guess it's time to earn our paycheck.

Regards,

Scott


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61814t=61796



Re: Automated Script for backing up Cisco configs and Image [7:61815]

2003-01-24 Thread John Faulk
Does it work with the cisco pix?

John


On Thu, Jan 23, 2003 at 11:02:03PM +, Jerry Deer wrote:
 Cattools by kiwi!
 
 -Original Message-
 From: Kerry Ogedegbe [ MTN - Portharcourt ] [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 16, 2003 3:12 AM
 To: [EMAIL PROTECTED]
 Subject: Automated Script for backing up Cisco configs and Image [7:61188]
 
 Hello People,
 Can anyone help me with where I can get an automated script / shareware
 application
  that I could use in backing up my cisco router  switches config
  
 Cheers
 
 ___
 
 Kerry 
 
--




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61815t=61815



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Jens Neelsen wrote:
 
 Hi,
 
 disabling STP is not recommended. Use Portfast instead. VTP is
 only on trunk ports active. HSRP is configured per interface (on
 router). What do you want to achieve? 
 
 Jens Neelsen
 CCNP, CCDP, CCSI
 


Jens,

Thanks.  I have no intention of turning off STP.  We are using Portfast. 
VTP advertisements were captured by the security consultant and pasted into
an appendix.  We controlled where they got access to the network, so it
isn't a sham.  They got to it.  I assumed that it was a multicast that IGMP
snooping didn't block.  Ditto for HSRP.  What I want to achieve is what I
asked:  prevent STP, VTP, and HSRP frames from finding their way to access
ports.  Ideally, with a clean, single 'set' command.  Not looking good for
the home team though.

I do plan to trace their steps with an analyzer and see what ideas I might
be able to come up with.  I'll post back what I learn if anything interesting.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61816t=61796



Re: Re:Hey Chuck, tax question on certs [7:61778]

2003-01-24 Thread s vermill
Eric Rogers wrote:
 
 Another big thing on deducting and or itemizing for this is if you do W-2
 work or 1099. I've been writing this stuff off since '98 doing 1099 work
 including the Cisco equipment. If you're going to do this though get an
 accountant. These types of things become an IRS red flag for an audit.
 There's a fine line in what the IRS will allow and will not. Cross your
 T's and dot your I's and be sure to have receipts and documentation for
 everything. Best bet is to get a CPA to see if you can do it as this will be
 applied to your individual situation.
 
 -Eric R.
 

Eric,

I have it on good authority that dotting capital I's on a tax return leads
to an automatic, mandatory audit that is often fatal.

Regards,

Scott





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61817t=61778



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Priscilla Oppenheimer
Oh, good point regarding fixing the HSRP hole. An access list solves the
problem.

For your other issues, though, you don't need an access list probably, just
set port host if your switch supports it (or something similar on other
switches).

The Center for Internet Security has some good info for Cisco routers, by
the way, but not much for switches. See here:

http://www.cisecurity.org/

P.

s vermill wrote:
 
 Priscilla Oppenheimer wrote:
  
  Priscilla Oppenheimer wrote:
   
   On Catalyst switches, you can use the set port host macro. It
   turns a bunch of stuff off.
   
   That won't help with HSRP, though. HSRP is definitely hackable.
   If you can see the packets, you can see the unencrypted
   authentication string, and then you can claim to be the active
   router yourself and all traffic will go to you instead of where
   it should go. I've done it! :-)
   
   You should check to see if Cisco ever fixed this, though. Maybe
   they use a stronger authentication method now. I'll see if I can
   find out.
  
  They don't seem to have fixed this! Unbelievable. It's a gaping
  hole, (although to exploit it you have to have access to the
  LAN.)
  
  P.
  
   
   ___
   
   Priscilla Oppenheimer
   www.troubleshootingnetworks.com
   www.priscilla.com
   
   
   
 
 Thanks Priscilla.  I found it interesting that the security
 consultants made note of these findings and made a strong
 recommendation that we fix them.  No suggestions on how to do
 so were offered.  I imagine there is a L2 ACL solution or
 something along those lines.  I was hoping for something clean,
 but I guess it's time to earn our paycheck.
 
 Regards,
 
 Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61818t=61796
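
As an added illustration of the HSRP point in this thread (not code from any poster or from Cisco): a monitoring-side check that decodes HSRPv1 payloads per RFC 2281 and flags speakers outside a known-router list, the same source-based test an access list would enforce. The addresses, group policy and captured payloads below are constructed for the example.

```python
"""Audit captured HSRPv1 payloads against a list of known routers (added example)."""
import socket
import struct

# HSRPv1 message layout from RFC 2281: eight 1-byte fields, an 8-byte
# cleartext authentication field, then the 4-byte virtual IP address.
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen",
          4: "speak", 8: "standby", 16: "active"}
RFC2281_DEFAULT_AUTH = b"cisco\x00\x00\x00"  # default value given in RFC 2281


def parse_hsrp_v1(payload):
    """Decode one UDP/1985 payload; return None if it is not valid HSRPv1."""
    if len(payload) < HSRP_V1.size:
        return None
    ver, op, state, hello, hold, prio, group, _rsvd, auth, vip = \
        HSRP_V1.unpack_from(payload)
    if ver != 0 or op not in OPCODES or state not in STATES:
        return None
    return {
        "opcode": OPCODES[op], "state": STATES[state],
        "hellotime": hello, "holdtime": hold,
        "priority": prio, "group": group,
        "auth": auth, "virtual_ip": socket.inet_ntoa(vip),
    }


def audit(capture, policy):
    """Return (source, group, finding) tuples for a list of (src_ip, payload).

    policy maps an HSRP group number to the routers allowed to speak for it
    and the virtual IP they should advertise. Because the authentication
    field is readable by anyone on the segment, the source allowlist is the
    check that carries weight here, not the auth string.
    """
    findings = []
    for src_ip, payload in capture:
        msg = parse_hsrp_v1(payload)
        if msg is None:
            findings.append((src_ip, None, "malformed"))
            continue
        group = msg["group"]
        expected = policy.get(group)
        if expected is None:
            findings.append((src_ip, group, "unexpected-group"))
            continue
        known = src_ip in expected["routers"]
        if not known:
            contending = (msg["opcode"] == "coup"
                          or msg["state"] in ("speak", "standby", "active"))
            findings.append(
                (src_ip, group,
                 "rogue-takeover" if contending else "unknown-speaker"))
        if msg["virtual_ip"] != expected["vip"]:
            findings.append((src_ip, group, "vip-mismatch"))
        if known and msg["auth"] == RFC2281_DEFAULT_AUTH:
            # Configuration finding: router still uses the RFC default string.
            findings.append((src_ip, group, "default-auth"))
    return findings


# Constructed policy and capture (documentation address range 192.0.2.0/24).
POLICY = {1: {"routers": {"192.0.2.2", "192.0.2.3"}, "vip": "192.0.2.1"}}
SAMPLE_CAPTURE = [
    # known router, hello/active, priority 100, default auth string
    ("192.0.2.2", bytes.fromhex("000010030a640100636973636f000000c0000201")),
    # known router, hello/standby, priority 90, site-specific auth string
    ("192.0.2.3", bytes.fromhex("000008030a5a01006c61626b65793031c0000201")),
    # unlisted host sending a coup with priority 255
    ("192.0.2.66", bytes.fromhex("000104030aff0100636973636f000000c0000201")),
    # truncated payload
    ("192.0.2.3", bytes.fromhex("0000")),
]


def run_demo():
    return audit(SAMPLE_CAPTURE, POLICY)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```
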



RE: NT4.0 password crack tool [7:61807]

2003-01-24 Thread Richard Burdette
Try this link http://www.atstake.com/research/lc/download.html for what used
to be the L0pht Heavy Industries web site.  It's a fair tool, especially if
the password can be found in the dictionary.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61819t=61807



RE: NT4.0 password crack tool [7:61807]

2003-01-24 Thread Kazan, Naim
Thanks

-Original Message-
From: Juntao [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: NT4.0 password crack tool [7:61807]


u'r talking about nt4 login passwords, the SAM database? L0phtCrack works,
it takes a long time though Sysinternals has tools to login to the box, and
change things. u can also change cmd.exe to the default screen saver name,
the command line will pop up after a while, after reboot. and change the
password with the net user command if the server or the box is part of the
global admin group, i'm sure u know u can change the password or reset it,
even just with, user manager for domains. and there is of course a lot of
other things that can be done, depending on ur situation.

hope the above helps
regards

Kazan, Naim wrote in message news:
[EMAIL PROTECTED]
 I am trying to recover my password that someone set on my sniffer box 
 running on NT4.0. Any help will be greatly appreciated.

 Naim Kazan
 FISC-SDS
 WORK: 201-915-7347
 HOME: 973-492-1466
 CELL: 917-559-0591
 EMAIL: [EMAIL PROTECTED]
 PAGER: 800-759-8352 Pin 1145361




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61820t=61807



Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread s vermill
Priscilla Oppenheimer wrote:
 
 Oh, good point regarding fixing the HSRP hole. An access list
 solves the problem.
 
 For your other issues, though, you don't need an access list
 probably, just set port host if your switch supports it (or
 something similar on other switches).

These are 6509s.  'set port host' sounds like maybe what I was trying to
remember.  I plan to stick an analyzer on a port for a while, start a new
capture file, and then issue the above.  I'll post what I observe. 
Unfortunately, it won't be until at least next week before I get back to
that customer site.

Thanks again.

 
 The Center for Internet Security has some good info for Cisco
 routers, by the way, but not much for switches. See here:
 
 http://www.cisecurity.org/
 
 P.
 
 s vermill wrote:
  
  Priscilla Oppenheimer wrote:
   
   Priscilla Oppenheimer wrote:

    On Catalyst switches, you can use the set port host macro. It
    turns a bunch of stuff off.
    
    That won't help with HSRP, though. HSRP is definitely hackable.
    If you can see the packets, you can see the unencrypted
    authentication string, and then you can claim to be the active
    router yourself and all traffic will go to you instead of where
    it should go. I've done it! :-)
    
    You should check to see if Cisco ever fixed this, though. Maybe
    they use a stronger authentication method now. I'll see if I can
    find out.
   
   They don't seem to have fixed this! Unbelievable. It's a gaping
   hole, (although to exploit it you have to have access to the
   LAN.)
   
   P.
   
    
    ___
    
    Priscilla Oppenheimer
    www.troubleshootingnetworks.com
    www.priscilla.com



  
  Thanks Priscilla.  I found it interesting that the security
  consultants made note of these findings and made a strong
  recommendation that we fix them.  No suggestions on how to do
  so were offered.  I imagine there is a L2 ACL solution or
  something along those lines.  I was hoping for something clean,
  but I guess it's time to earn our paycheck.
  
  Regards,
  
  Scott
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61821t=61796



RE: NT4.0 password crack tool [7:61807]

2003-01-24 Thread Mossburg, Geoff (MAN-Corporate)
I have no idea if these work, but...

Try this: LC4 demo (formerly L0phtCrack)
http://www.atstake.com/research/lc/download.html
or this: LC3 L0phtCrack 3.02
http://www.atstake.com/research/lc3/application/lc3setup02.exe

-Original Message-
From: Kazan, Naim [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 4:37 PM
To: [EMAIL PROTECTED]
Subject: NT4.0 password crack tool [7:61807]


I am trying to recover my password that someone set on my sniffer box
running on NT4.0. Any help will be greatly appreciated.

Naim Kazan
FISC-SDS
WORK: 201-915-7347
HOME: 973-492-1466
CELL: 917-559-0591
EMAIL: [EMAIL PROTECTED] 
PAGER: 800-759-8352 Pin 1145361




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61822t=61807



RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]

2003-01-24 Thread Daniel Cotts
It appears that the Security Consultants then didn't earn their fee. Must
be a company run by Dogbert.
Consulting truism: The higher up the chain of command you sell your
services - the less you have to know and the higher you can charge.

 -Original Message-
 From: s vermill [mailto:[EMAIL PROTECTED]]

 Thanks Priscilla.  I found it interesting that the security consultants made
 note of these findings and made a strong recommendation that we fix them.
 No suggestions on how to do so were offered.  I imagine there is a L2 ACL
 solution or something along those lines.  I was hoping for something clean,
 but I guess it's time to earn our paycheck.
 
 Regards,
 
 Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61824t=61796



OSPF to Internet Q [7:61823]

2003-01-24 Thread Steve Ringley
I have an OSPF network, and I have my Internet connections.  Do I:

ASBR where traffic goes from area 0 to the Internet

or

ASBR where traffic goes to an area x then to the Internet?

This was never clear to me from my reading.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61823t=61823



RE: Microsoft Exchange/UMS and Firewall [7:61747]

2003-01-24 Thread Jim Brown
Does your checkpoint licensing support VPN? If so it is very easy to
build a secure tunnel between sites that is encrypted. If you send me
the feature portion of the licensing string I can tell you if it
supports encryption.

-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: Microsoft Exchange/UMS and Firewall [7:61747]


Exchange will use 135 to discover (portmapper) and then use dynamically
assigned ports for the actual conversations.  Your best bet is to statically
map the ports in Exchange and then you don't have a moving target from the
firewall point of view.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194952

The other option (not a good one IMHO) is to open 135 only to the Exchange
host and then leave a range of ports open to that host as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 23, 2003 9:04 PM
To: [EMAIL PROTECTED]
Subject: Microsoft Exchange/UMS and Firewall [7:61747]


Hi All,

Need your advice on the following situation: I have an Active Voice Unified
Messaging System on Location A, and a Microsoft Exchange Server at Location
B. Both Location A and B are protected by Checkpoint firewall. Please advise
how the firewall can be configured such that it will allow MAPI to be used
between these two sites.

Thanks a lot in advance!

Maurice




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61825t=61747



Read Administering QoS in Cisco IP Networks? [7:61826]

2003-01-24 Thread s vermill
I've offered my opinion on the Cisco Press title on QoS on more than one
occasion.  Anyone care to offer their own on the above title from Syngress? 
I've not yet finished chapter 1 and I already have suspicions.  And why such
extensive coverage of EIGRP (something like 70 or 80 pages)?  I wasn't aware
that EIGRP was so QoS-capable that it would deserve such a showcasing.  QoS
coverage doesn't even begin until around page 120.

I would also be very grateful for any suggestions.  I see that CP is coming
out with a new title but no release date (actually, it isn't even mentioned
on the CP website but it's listed as pending on barnesandnoble.com).  I see
that Sybex has a CCIP QoS / multicast study guide, but I've never been a
huge fan of Sybex.  Maybe this one is worthwhile?

Thanks all.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61826t=61826



Broadcast keyword in subinterface [7:61829]

2003-01-24 Thread Simmi Singla
Hi all,
Can anybody explain to me: when I use the broadcast keyword in a sub
interface (frame-relay interface-dlci 16 broadcast), if I have only static
routing, will it affect that? I read that it is used only for OSPF to pass
broadcasts, if multicasting is disabled. But in a scenario where I have no
dynamic routing and give this command, what will happen?
Will it pass unknown broadcasts on frame-relay?
Moreover, exactly how is it used in point-to-point sub interfaces?
Thanx a lot in advance--:)


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61829t=61829



Simple Question [7:61830]

2003-01-24 Thread Bill
I have a simple question.

I am confused about hearing about these three things:
1) IOS-BASED SWITCHES
2) CLI-BASED SWITCHES
3) SET-BASED SWITCHES

Now, can somebody very accurately classify what these mean and categorise
the common switches into the three groups?

I'm not even sure if there are 3 groups or only 2. If it's 2, then it means
that two of the above groups mean one and the same.

Thank You
Bill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61830t=61830



RE: OSPF to Internet Q [7:61823]

2003-01-24 Thread Priscilla Oppenheimer
I'm afraid your question isn't clear.

By definition, an ASBR connects two unlike networks, one that is running
OSPF and one that isn't. So, the ASBR will connect to the Internet in your
example.

Steve Ringley wrote:
 
 I have an OSPF network, and I have my Internet connections.  Do
 I:
 
 ASBR where traffic goes from area 0 to the Internet

Is that where your Internet connection is? In area 0? Often, it is, and
that's where your ASBR will be.

 
 or
 
 ASBR where traffic goes to an area x then to the Internet?

Goes from where to an Area x and then to the Internet?? This is where your
question gets unclear. But if you are considering putting an ASBR between
Area x and Area 0, then that doesn't make sense. It's not an ASBR because
it's connecting two OSPF networks. If your Internet connection is in Area X,
you will have an ASBR that connects the OSPF world to the Internet, sitting
on the edge of Area X.

Are you asking if the ASBR should be in Area 0? I think the answer is yes,
if it can, but sometimes that's simply not possible on large internetworks
with multiple egress points.

If I completely missed what you're getting at, sorry!

Priscilla


 
 This was never clear to me from my reading.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61831t=61823



Re: Simple Question [7:61830]

2003-01-24 Thread Charles
I believe   #2=#3  hope that helps!


Bill  wrote in message
news:[EMAIL PROTECTED]...
 I have a simple question.

 I am confused about hearing about these three things:
 1) IOS-BASED SWITCHES
 2) CLI-BASED SWITCHES
 3) SET-BASED SWITCHES

 Now, can somebody very accurately classify what these mean and categorise
 the common switches into the three groups?

 Im not even sure if there are 3 groups or only 2. If its 2, then it means
 that two of the above groups mean one and the same.

 Thank You
 Bill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61832t=61830



RE: Simple Question [7:61830]

2003-01-24 Thread Asad Javid
Nops #1=#2


-Original Message-
From: Charles [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 25, 2003 5:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Simple Question [7:61830]

I believe   #2=#3  hope that helps!


Bill  wrote in message
news:[EMAIL PROTECTED]...
 I have a simple question.

 I am confused about hearing about these three things:
 1) IOS-BASED SWITCHES
 2) CLI-BASED SWITCHES
 3) SET-BASED SWITCHES

 Now, can somebody very accurately classify what these mean and categorise
 the common switches into the three groups?

 Im not even sure if there are 3 groups or only 2. If its 2, then it means
 that two of the above groups mean one and the same.

 Thank You
 Bill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61834t=61830



Re: Simple Question [7:61830]

2003-01-24 Thread Larry Letterman
The grouping is :
IOS based switches which are cli commands
Set based switches which are cli as well...

CLI means it is config'd on a command line as opposed to a
menu or GUI..

4000, 5000 and 6000 chassis based switches are set based or
CatOs switches..
29xx, 35xx switches are ios/cli based. interfaces are
configured similar to routers.

Larry Letterman
Network Engineer
Cisco Systems


- Original Message -
From: Bill 
To: 
Sent: Friday, January 24, 2003 5:18 PM
Subject: Simple Question [7:61830]


 I have a simple question.

 I am confused about hearing about these three things:
 1) IOS-BASED SWITCHES
 2) CLI-BASED SWITCHES
 3) SET-BASED SWITCHES

 Now, can somebody very accurately classify what these mean and categorise
 the common switches into the three groups?

 Im not even sure if there are 3 groups or only 2. If its 2, then it means
 that two of the above groups mean one and the same.

 Thank You
 Bill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61835t=61830



Virtual-Token Ring Interface [7:61836]

2003-01-24 Thread Juan Blanco
Team,
Is there a way to assign an IP address to a Virtual Token Ring Interface? I
want to simulate some Token Ring Networks.
Thanks,

Juan Blanco

The greatest glory in living lies not in never falling,
 but in rising every time we fall .
 -- Nelson Mandela





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61836t=61836
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



password recovery for ATM Light Stream LS 100 [7:61838]

2003-01-24 Thread XY HIEN LE
Does anyone know the procedure of how to do the password recovery for
an ATM LightStream LS 100?
Any help is appreciated. Can't find any link on CCO.
Xy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61838t=61838
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


