Re: DLCI value range issue(dependency with LMI) [7:61608]
Thanx Priscilla / Dave for clearing my doubts about this LMI dependency with DLCI. Thanx once again.

Priscilla Oppenheimer wrote:

I think he had a typo and meant to say 16-991 for everything except LMI Rev 1 (Cisco). With LMI Rev 1 (which is the same as Cisco), the DLCI range is 16 - 1007. He was agreeing with your list.

As far as why a Cisco router still says that DLCIs 16 - 1007 are available even after you configure the LMI type to ANSI, who knows? It even lets you use 992 - 1007. It's one of about a million little idiosyncrasies in IOS. It's one of those things that just aren't worth many processing cycles in your brain. Your DLCI is assigned by your service provider anyway. If they are using ANSI, presumably they wouldn't give you a DLCI past 991.

That's my 2 cents anyway. (Does that silly idiom translate to other languages/cultures? I hope! :-)

Priscilla

Simmi Singla wrote:

Hi Dave, Thanx for the reply, but I am still not clear: has it been revised in the new LMI specifications that we will use 16-1007 DLCI now? Can U tell me some doc if so; is this what u wanted to say, or would anybody else like to comment with any other answer? Please do give your valuable answers.

MADMAN wrote:

Sounds about right. In the Lucent 9000 frame relay switch doc (this is a carrier class switch) it lists the range of 16-001 as available for all LMI types and 16-1007 for LMI Rev1, which is the same as Cisco LMI. 1-15 and 1008-1023 are reserved.

Dave

Simmi Singla wrote:

Hi all, I have read in one of the books and on the internet also that the DLCI value range is dependent on the LMI type configured. Example: the following DLCI ranges are based on LMI protocol:

ANSI: 16 - 991
CISCO: 16 - 1007
Q933a: 16 - 991

But when we configure the LMI type as, for example, ANSI, and after this we configure the DLCI value, it still shows the DLCI range of 16-1007. Why is it so? It should show a range of 16-991 in the Cisco router. Any comments on the above problem? Thanx in advance

-- David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367 "You don't make the poor richer by making the rich poorer." --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61758t=61608
-- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
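The thread's point is that IOS accepts DLCIs 16-1007 whatever LMI type is configured, so a DLCI in the 992-1007 band on an ANSI or Q.933A link is something the router will not catch for you. The following configuration lint is an added example, not code from the thread or from Cisco: it walks a Frame Relay configuration, associates each `frame-relay interface-dlci` (or `frame-relay map ip`) with the `frame-relay lmi-type` configured on the parent physical interface, and flags DLCIs outside the range the thread lists for that LMI type. The sample configuration is constructed; the fallback to Cisco LMI when none is configured is an assumption noted in the code.

```python
"""Added example (not from the thread): lint frame-relay DLCI assignments
against the LMI type configured on the same physical interface.

Ranges are those quoted in the thread: 16-991 for ANSI and Q.933A LMI,
16-1007 for Cisco LMI; 0-15 and 1008-1023 are reserved. The sample config
below is constructed for the example."""
import re

# Usable DLCI ranges per LMI type, as listed in the thread.
DLCI_RANGES = {
    "ansi": (16, 991),
    "q933a": (16, 991),
    "cisco": (16, 1007),
}
# Assumption for this example: treat an interface with no lmi-type line as Cisco LMI.
DEFAULT_LMI = "cisco"

INTERFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
LMI_RE = re.compile(r"^\s+frame-relay\s+lmi-type\s+(ansi|cisco|q933a)", re.I)
DLCI_RE = re.compile(r"^\s+frame-relay\s+(?:interface-dlci|map\s+ip\s+\S+)\s+(\d+)", re.I)


def parse_config(text):
    """Return {physical_interface: {"lmi": str|None, "dlcis": [(subinterface, dlci), ...]}}.
    lmi-type lives on the physical interface; DLCIs may be on it or on subinterfaces."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current.split(".")[0], {"lmi": None, "dlcis": []})
            continue
        if current is None:
            continue
        physical = current.split(".")[0]
        m = LMI_RE.match(line)
        if m:
            ifaces[physical]["lmi"] = m.group(1).lower()
            continue
        m = DLCI_RE.match(line)
        if m:
            ifaces[physical]["dlcis"].append((current, int(m.group(1))))
    return ifaces


def lint_dlcis(text):
    """Return (interface, dlci, problem) for every DLCI that is reserved or
    outside the range valid for the parent interface's LMI type."""
    problems = []
    for physical, info in parse_config(text).items():
        lmi = info["lmi"] or DEFAULT_LMI
        _, hi = DLCI_RANGES[lmi]
        for subif, dlci in info["dlcis"]:
            if dlci < 16 or dlci > 1007:
                problems.append((subif, dlci, "reserved DLCI (0-15 or 1008-1023)"))
            elif dlci > hi:
                problems.append((subif, dlci, f"DLCI above {hi}, not valid with lmi-type {lmi}"))
    return problems


# Constructed sample: Serial0 runs ANSI LMI, Serial1 runs Cisco LMI.
SAMPLE_CONFIG = """\
interface Serial0
 encapsulation frame-relay
 frame-relay lmi-type ansi
interface Serial0.1 point-to-point
 frame-relay interface-dlci 101
interface Serial0.2 point-to-point
 frame-relay interface-dlci 1000
interface Serial1
 encapsulation frame-relay
 frame-relay lmi-type cisco
interface Serial1.1 point-to-point
 frame-relay interface-dlci 1000
interface Serial1.2 point-to-point
 frame-relay interface-dlci 1010
"""

if __name__ == "__main__":
    for subif, dlci, why in lint_dlcis(SAMPLE_CONFIG):
        print(f"{subif}: DLCI {dlci}: {why}")
```

On the sample, DLCI 1000 passes on the Cisco-LMI interface but is flagged on the ANSI one, and 1010 is flagged as reserved regardless of LMI type, which is exactly the distinction the router's own range prompt does not make.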
Re: frame relay config [7:61757]
Hi Julian,

Yes, u can do that by using ip unnumbered and using subinterfaces point to point. I can't get u properly from ur question, what u mean, but see, U can have many sub interfaces and all of them can use ip unnumbered. If anybody else will comment, let's wait for answers, and if possible please mail ur question in a little more detail.

Julian P wrote:

Hi guys, I am wondering if it is possible to configure my cisco 2610 for separate frame relay point to point subinterfaces with the ip terminating on the 2610, and have the 2610 frame switch some other dlci`s and terminate the ip on another frame relay device at the same time. Any advice is appreciated. Thanks, Julian

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61759t=61757
RE: Cisco uBR924 and Internet problems... [7:61754]
Hi Leonardo,

Basically, you're answering your own question: the provider lets you download a file that disables your service. Normally, this file specifies the Class Of Service you get from your provider, like upstream and downstream bandwidth. Now for some reason, the provider doesn't want to give you any service and therefore lets you download a file which denies access.

There is one thing that I don't understand, though. If you didn't buy this modem from your provider (or did you?) then the modem's MAC address is not registered with them. Therefore, why would they allow the DHCP server to give your modem an IP address? That doesn't make sense. On the other hand, if you did buy the modem from the ISP, then like I said, they just don't want to give you access for some reason (not paying your subscription fee springs to mind ;))

Bottom line: you have to contact them.

Good luck
Peter

-----Original Message-----
From: Leonardo FUK [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: Cisco uBR924 and Internet problems... [7:61754]

Hello everyone!! I have a question here, I need your help!

Recently I bought a Cisco uBR924 and I've been trying to connect it at home, so I can expand my home lab capabilities. My service provider is Time Warner (Road Runner) and I simply can't connect it to the Internet. This router has one cable-modem interface, four ethernet ports (represented as 1 ethernet interface) and two FXS voice-ports.

According to Cisco's documentation, the service establishment process of a cable-modem router like this one is as follows:

- Scan for a downstream channel and establish synchronization with the CMTS.
- Obtain upstream channel parameters.
- Start ranging for power adjustments.
- Establish IP connectivity
- Establish the time of day
- Establish security
- Transfer operational parameters
- Perform registration
- Comply with baseline privacy
- Enter the operational maintenance state

When I issue show int cable-modem 0, I notice a lot of interface resets displayed by the output. Further investigation required me to run some debug commands and - I love this one - show controllers cable-modem 0 mac log, which probably identified the problem. I could see almost all CMAC_LOG_STATE_CHANGE events, but during the registration process (registration_state), the modem received a RESET_AUTHENTICATION_FAILURE. I pasted part of the output so my question may be answered by someone.

The steps from scanning downstream to establishing security seem to be fine:

1041.159 CMAC_LOG_STATE_CHANGE wait_for_link_up_state
1041.159 CMAC_LOG_STATE_CHANGE ds_channel_scanning_stat
1043.540 CMAC_LOG_STATE_CHANGE wait_ucd_state
1046.319 CMAC_LOG_STATE_CHANGE wait_map_state
1046.371 CMAC_LOG_STATE_CHANGE ranging_1_state
1047.337 CMAC_LOG_STATE_CHANGE ranging_2_state
1048.112 CMAC_LOG_STATE_CHANGE dhcp_state
1048.404 CMAC_LOG_DHCP_ASSIGNED_IP_ADDRESS 10.47.170.200
1048.404 CMAC_LOG_DHCP_TFTP_SERVER_ADDRESS 24.29.99.72
1048.404 CMAC_LOG_DHCP_TOD_SERVER_ADDRESS 24.29.99.72
1048.404 CMAC_LOG_DHCP_SET_GATEWAY_ADDRESS
1048.404 CMAC_LOG_DHCP_TZ_OFFSET 0
1048.404 CMAC_LOG_DHCP_CONFIG_FILE_NAME disabled.bin
1048.404 CMAC_LOG_DHCP_ERROR_ACQUIRING_SEC_SVR_ADDR
1048.404 CMAC_LOG_DHCP_LOG_SERVER_ADDRESS 24.29.99.57
1048.404 CMAC_LOG_DHCP_COMPLETE
1059.956 CMAC_LOG_STATE_CHANGE establish_tod_state
1059.956 CMAC_LOG_TOD_REQUEST_SENT 24.29.99.72
1059.964 CMAC_LOG_TOD_REPLY_RECEIVED 3252376461
1059.968 CMAC_LOG_TOD_COMPLETE
1059.968 CMAC_LOG_STATE_CHANGE security_association_state
1059.968 CMAC_LOG_SECURITY_BYPASSED

But when the modem downloaded the DOCSIS configuration (the config file), I noticed something weird:

1059.968 CMAC_LOG_STATE_CHANGE configuration_file_state
1059.968 CMAC_LOG_LOADING_CONFIG_FILE disabled.bin
1063.988 CMAC_LOG_CONFIG_FILE_PROCESS_COMPLETE

Did you notice the filename received by the Cisco uBR924? Its name is DISABLED.BIN. It doesn't sound good..

After that, the next step is registration. Now I noticed that the CMTS has, for an unknown reason, rejected the registration process. Therefore, the router is unable to proceed with other steps toward the Internet connection.

977.130 CMAC_LOG_STATE_CHANGE registration_state
977.130 CMAC_LOG_REG_REQ_MSG_QUEUED
977.138 CMAC_LOG_REG_REQ_TRANSMITTED
977.142 CMAC_LOG_REG_RSP_MSG_RCVD
977.142 CMAC_LOG_RESET_AUTHENTICATION_FAILURE
977.142 CMAC_LOG_STATE_CHANGE reset_interface_state
977.142 CMAC_LOG_STATE_CHANGE reset_hardware_state

I
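The two facts the diagnosis above rests on, a config file named disabled.bin handed out by DHCP and an authentication failure right after the REG-RSP, can be pulled out of the `show controllers cable-modem 0 mac log` output mechanically. The parser below is an added example (not code from the thread or from Cisco): it tokenises the CMAC_LOG_* lines, tracks the last state reached, and reports the provider-side signals that explain the stop. SAMPLE_LOG is constructed from the lines quoted in the post; one line keeps the whitespace between event name and argument missing, as the copy in the thread has it, and the regex is written to tolerate that.

```python
"""Added example (not from the thread): parse a `show controllers cable-modem 0
mac log` excerpt and summarise why DOCSIS registration stopped.
SAMPLE_LOG is constructed from the lines quoted in the post."""
import re

# timestamp, event name, argument. The event name is upper case / digits /
# underscores and must end in a letter, so a lower-case or numeric argument
# fused to it (whitespace lost in copying) is still split off correctly.
LOG_RE = re.compile(r"^\s*(\d+\.\d+)\s+(CMAC_LOG_[A-Z0-9_]*[A-Z])\s*(.*)$")


def parse_cmac_log(text):
    """Return a list of (timestamp, event, argument) tuples; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((float(m.group(1)), m.group(2), m.group(3).strip()))
    return events


def diagnose(events):
    """Report the last state reached and the signals that explain a failed registration."""
    states = [arg for _, ev, arg in events if ev == "CMAC_LOG_STATE_CHANGE"]
    names = {ev for _, ev, _ in events}
    config_file = next((arg for _, ev, arg in events
                        if ev == "CMAC_LOG_DHCP_CONFIG_FILE_NAME"), None)
    findings = []
    if config_file and config_file.lower().startswith("disabled"):
        findings.append(f"DHCP assigned config file {config_file}: "
                        "the provider is serving a disabling configuration")
    if "CMAC_LOG_SECURITY_BYPASSED" in names:
        findings.append("security association was bypassed, not negotiated")
    if "CMAC_LOG_RESET_AUTHENTICATION_FAILURE" in names:
        findings.append("CMTS answered REG-REQ with an authentication failure; modem reset")
    return {"last_state": states[-1] if states else None,
            "config_file": config_file,
            "findings": findings}


# Constructed from the post; the LOADING_CONFIG_FILE line keeps its lost whitespace.
SAMPLE_LOG = """\
1048.112 CMAC_LOG_STATE_CHANGE dhcp_state
1048.404 CMAC_LOG_DHCP_ASSIGNED_IP_ADDRESS 10.47.170.200
1048.404 CMAC_LOG_DHCP_TFTP_SERVER_ADDRESS 24.29.99.72
1048.404 CMAC_LOG_DHCP_CONFIG_FILE_NAME disabled.bin
1048.404 CMAC_LOG_DHCP_COMPLETE
1059.968 CMAC_LOG_STATE_CHANGE security_association_state
1059.968 CMAC_LOG_SECURITY_BYPASSED
1059.968 CMAC_LOG_STATE_CHANGE configuration_file_state
1059.968 CMAC_LOG_LOADING_CONFIG_FILEdisabled.bin
1063.988 CMAC_LOG_CONFIG_FILE_PROCESS_COMPLETE
977.130 CMAC_LOG_STATE_CHANGE registration_state
977.130 CMAC_LOG_REG_REQ_MSG_QUEUED
977.138 CMAC_LOG_REG_REQ_TRANSMITTED
977.142 CMAC_LOG_REG_RSP_MSG_RCVD
977.142 CMAC_LOG_RESET_AUTHENTICATION_FAILURE
977.142 CMAC_LOG_STATE_CHANGE reset_interface_state
977.142 CMAC_LOG_STATE_CHANGE reset_hardware_state
"""

if __name__ == "__main__":
    report = diagnose(parse_cmac_log(SAMPLE_LOG))
    print("last state:", report["last_state"])
    for finding in report["findings"]:
        print("-", finding)
```

The same parser runs over a full log capture: a modem that registers normally ends in the operational maintenance state with no findings, so the report is empty rather than a guess.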
Re: frame relay config [7:61757]
Hi,

I want to configure my 2610 for frame relay into my telco. Then clients from all over will connect with frame relay through the telco into my 2610. Now I need to have 2 PVCs per client. One will terminate on my 2610 and the other PVC needs to be switched through my 2610 and terminated on another router. The clients' routers will not be Cisco though. I will obviously have to use sub interfaces for the different clients. I am just unsure how I will terminate the 1 PVC on my 2610 and at the same time frame switch the other PVC to another router.

Thanks

Julian P wrote in message news:[EMAIL PROTECTED]...

Hi guys, I am wondering if it is possible to configure my cisco 2610 for separate frame relay point to point subinterfaces with the ip terminating on the 2610, and have the 2610 frame switch some other dlci`s and terminate the ip on another frame relay device at the same time. Any advice is appreciated. Thanks, Julian

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61761t=61757
Re: Merging configs [7:61664]
Thanks. Makes complete sense.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61762t=61664
Re: frame relay config [7:61757]
From what I can find, you will need to configure the interface as an NNI, and then you frame-relay switch between the 2 PVCs you have on the router. The problem is that subinterfaces are not supported by an NNI interface; it can only be implemented on the main interface, so u will need 2 serial interfaces for your 2 PVCs that you will configure independently:

frame-relay switching
int se 0
 encapsulation frame-relay
 frame-relay intf-type nni
 frame-relay interface-dlci 101
 frame-relay route 101 interface serial 2 201
int se 1
 encapsulation frame-relay
 ip address x.x.x.x
 frame-relay lmi-type ansi
 frame-relay interface-dlci 301
int se 2
 encapsulation frame-relay ietf
 frame-relay interface-dlci 201
 frame-relay lmi-type ansi
 frame-relay intf-type nni
 frame-relay route 201 interface serial 0 101

I should tell u that I have not tried this, I don't really have the time, but it might just work. You can achieve the same thing, but differently, with the need to do frame switching, by using simple policy based routing, which is quite easy to configure.

hope the above helps
regards

Julian P wrote in message news: [EMAIL PROTECTED]

Hi, I want to configure my 2610 for frame relay into my telco. Then clients from all over will connect with frame relay through the telco into my 2610. Now I need to have 2 PVCs per client. One will terminate on my 2610 and the other PVC needs to be switched through my 2610 and terminated on another router. The clients' routers will not be Cisco though. I will obviously have to use sub interfaces for the different clients. I am just unsure how I will terminate the 1 PVC on my 2610 and at the same time frame switch the other PVC to another router. Thanks

Julian P wrote in message news:[EMAIL PROTECTED]...

Hi guys, I am wondering if it is possible to configure my cisco 2610 for separate frame relay point to point subinterfaces with the ip terminating on the 2610, and have the 2610 frame switch some other dlci`s and terminate the ip on another frame relay device at the same time. Any advice is appreciated. Thanks, Julian

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61763t=61757
No Access-group on 7200 Eth/Fa Interfaces [7:61764]
Hello,

Can someone pls tell me why I won't have the access-group command on eth and fa interfaces of a router? I was trying to configure NBAR on a 7200 Internet router. I upgraded from 12.0(5) to 12.2(6), did ip cef, defined a class-map and applied it to a policy-map, I applied the map as service policy to the Internet interface s0/0, I then defined an acl to match the policy; all successfully. When I tried to apply the acl to the LAN interface fa0/0, I discovered I only have access-expression and no access-group, ditto all other fa and eth interfaces. While I figure out a workaround using access-expression, I will appreciate some insight into the why of the missing access-group command.

Regards
Tunji

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61764t=61764
Re: frame relay config [7:61757]
Actually, come to think about it, u don't have the conditions for NNI switching; u can't even do hybrid switching if the PVC through which u wanna switch is DTE. I see only the option of frame switching over an IP tunnel, but then again u have to have an IP segment available. As far as configuration goes it will be easy, check it out; u might be able to do this:

int se 0
 ip address x.x.x.x
 encapsulation frame-relay
 frame-relay route 101 interface tunnel 1 201
int tunnel1
 ip address x.x.x.x
 tunnel source x.x.x.x
 tunnel destination x.x.x.x

The tunnel must be configured at the other end. Not all versions support switching to a tunnel, u will need to look it up. Oh yeah, here is a link that has some info about the switching ways that Cisco supports:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1818/products_configuration_guide_chapter09186a00800878c7.html

hope the above helps
regards

Juntao wrote in message news: [EMAIL PROTECTED]

Julian P wrote in message news: [EMAIL PROTECTED]

Julian P wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61765t=61757
RE: No Access-group on 7200 Eth/Fa Interfaces [7:61764]
The command is

ip access-group #

Then it will work.

-----Original Message-----
From: Tunji Suleiman [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2003 12:44
To: [EMAIL PROTECTED]
Subject: No Access-group on 7200 Eth/Fa Interfaces [7:61764]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61766t=61764
RE: can't use outside inf IP as PAT global IP [7:61755]
What ver of IOS are you running? Also, the command is:

global (outside) 1 interface

Josh

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: can't use outside inf IP as PAT global IP [7:61755]

Hi.. I want to ask why I can't use the outside interface IP as the PAT global IP? See below. I recall that I can do that with Checkpoint. Why can't PIX? What if I have no other global IP available for me? So, I should specify 60.8.200.115 as the PAT global IP? So will IP know how to come back?

ip address outside 60.8.200.114 255.255.255.240
ip address inside 192.168.10.2 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfw1(config)# global (outside) 1 60.8.200.114
Start and end addresses overlap with outside interface address

Thanks a lot

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61767t=61755
RE: can't use outside inf IP as PAT global IP [7:61755]
Use the command below:

global (outside) 1 interface

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: can't use outside inf IP as PAT global IP [7:61755]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61768t=61755
RE: can't use outside inf IP as PAT global IP [7:61755]
Thanks.. any disadvantage to doing this compared with choosing a different IP?

pixfw1(config)# global (outside) 1 interface
Warning: Start and End addresses overlap with broadcast address.
outside interface address added to PAT pool
pixfw1(config)# exit

I am using the following version..

pixfw1# sh ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)
Compiled on Fri 07-Jun-02 17:49 by morlee
pixfw1 up 4 hours 43 mins

From: Joshua Vince
Reply-To: Joshua Vince
To: [EMAIL PROTECTED]
Subject: RE: can't use outside inf IP as PAT global IP [7:61755]
Date: Fri, 24 Jan 2003 11:28:56 GMT

What ver of IOS are you running? Also, the command is:

global (outside) 1 interface

Josh

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: can't use outside inf IP as PAT global IP [7:61755]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61769t=61755
RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]
Could you tell me the behavior with FlexWan?

Cohen, Michael @groupstudy.com on 23/01/2003 17:53:54
Please reply to: Cohen, Michael
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]

Thanks to everyone who responded. I also double-checked with Cisco TAC and you guys are right. No LLQ on MSFC's or RSM's unless you're using FLEXWAN's. Thanks again...

-Michael Cohen

-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 1/23/03 10:41 AM
Subject: RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]

Once I tried to use LLQ on the MSFC to prioritize audio multicast traffic. The command 'sh mls ip multicast' (a tip from a groupstudy guy) showed that the multicast traffic was going through the PFC, so the LLQ was not helping.

John Humphrey @groupstudy.com on 22/01/2003 19:47:44
Please reply to: John Humphrey
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]

I've encountered this issue in our production environment with policy-maps. Here's the answer Cisco's TAC gave me. Since the msfc interfaces are software based, the MLS engine will bypass the route processor on most of your layer 3 packets. This prevents the shaping/policing policy from being applied on all egress traffic. You can, however, successfully apply the policies to all ingress traffic because it must travel thru the Layer 3 process before it is sent to the destination node. So, if you're applying a service-policy to an msfc interface it must be applied with input as the direction. I'm not sure what effect disabling MLS would have on this process but I'm sure the benefits (if there would be any) would not be worth it. You can however use QoS policies on the layer 2 modules with acl mapping to achieve much of the same benefits.

jh

Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ThruPoint, Inc.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61770t=61575
RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]
Cisco TAC states that traffic to and from the FlexWan has to be routed through the MSFC and not just the PFC. This allows for the use of LLQ.

-----Original Message-----
From: [EMAIL PROTECTED]
To: Cohen, Michael
Cc: [EMAIL PROTECTED]
Sent: 1/24/03 8:43 AM
Subject: RE: Traffic Shaping and LLQ on MSFC's and RSM's [7:61575]

Could you tell me the behavior with FlexWan?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61771t=61575
guaranteeing bandwidth [7:61772]
Thanks a lot! Looks like I was barking up the wrong tree... It wasn't about CBWFQ. Rate-limiting did the trick. Thanks a lot!

Alexandru Barbu CCAI = 'there is no such thing as a free meal'

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61772t=61772
RE: Question? [7:61716]
I have done this several times and never experienced the issue below. As long as you are on the console port this should not be an issue. I would be curious to know what type of modem you are using and the dip switch settings. I generally use US Robotics.

-----Original Message-----
From: Charles D Hammonds [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 12:45 AM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]

I have not been able to perform password recovery via a modem connected directly to the console. When the router reloads, you get disconnected and have to re-dial, which by that time is too late to break. In my experience, I have had to dial up to a 2511 and connect to the console of the problem router that way...

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Williams
Sent: Thursday, January 23, 2003 2:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]

Uh... if he could get into enable mode to issue a 'reload' command, he could just change the password and there wouldn't be any need to do a password recovery?!?!?

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61773t=61716
RE: Question? [7:61716]
It is possible to do a password recovery by a modem connection to the console port. The same conditions apply as when you perform this procedure locally at the router. When you perform a router password recovery, you have to physically power cycle the router... The only way to do this if you do not already have the enable password is to have someone physically at the router. The reload command only works when you have entered enable mode on the router. The answer is that if you do not have the router passwords for the router and want to perform password recovery, someone needs to power cycle the router, though the person performing the IOS password recovery procedure can be remote via a modem through the console port.

-----Original Message-----
From: Charles D Hammonds [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 12:45 AM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61774t=61716
Re: Question? [7:61716]
I have 2 thoughts on this. The first is that on my test rack, where I'm reverse telnetting into the console ports, if I power cycle certain models of router my telnet session is dropped (MC3810 and 3620 that I'm aware of). I can only assume that this is the same thing that is happening to the modem.

The second, also on my home rack, but I've used these in production environments, are X-10 PLC appliance modules (also available from many other manufacturers), which can physically power cycle devices remotely. I've found these types of devices to be a life saver for remote offices, or co-located servers where you need to power cycle a server and no one is available to push a button for you. The X-10 boxes are reasonably reliable, and I haven't had too many problems with them over the years. But there are better, more expensive devices available for critical applications.

Jarett

Alan Cowan wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61775t=61716
Policing traffic - Normal burst, Maximum burst etc?? [7:61776]
Hello,

Had a question on policing traffic. If I wanted the average traffic flow to be 8MB, the normal burst to be 10MB and the maximum burst to be 12MB, would my police cmd. be:

#police 8000 1 12 conform-action transmit

OR

#police 8000 2000 4000 conform-action transmit

Thank you for your help.

Sincerely,
CN

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61776t=61776
RE: Microsoft Exchange/UMS and Firewall [7:61747]
I've gone through an issue like this before and remember some issue about Exchange using constantly changing ports. But this link might be able to help you.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61777t=61747
OT:Hey Chuck, tax question on certs [7:61778]
Chuck,

I remember sometime last year that you mentioned a way to deduct certification expenses from your taxes. I was wondering if you could enlighten the masses on how this works and what is deductible? Can we deduct all travel expenses and cost of exams? Any loopholes to look out for?

Would usually do this offline, but since it affects everybody here I thought it would be a constructive discussion for all.

Thanks,
Scott
CCIE #9340

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61778t=61778
RE: Dynamic Natting [7:61584]
thanks

Craig Hyman
SRS Implementation Team
Tier 2 Support
[EMAIL PROTECTED]
Broomfield Office 303-272-2661
Virtual Office Phone Number 303-604-0037
SkyPager Number 1-888-860-5913

-Original Message-
From: mjans001 [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 2:03 PM
To: Hyman, Craig; [EMAIL PROTECTED]
Subject: RE: Dynamic Natting [7:61584]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

For example:

Internet
  |
E1 (nat outside)
Router 1600
E0 (nat inside)
  |
Network inside, DG 10.x.99.100
  |
Internal customer LANs

ip nat inside source list 100 interface Ethernet1 overload

Nat list:
access-list 100 permit ip 10.x.99.0 0.0.0.255 any
access-list 100 permit ip 10.x.100.0 0.0.0.255 any
access-list 100 permit ip 10.x.101.0 0.0.0.255 any
access-list 100 permit ip 10.x.102.0 0.0.0.255 any

Customer LANs:
ip route 10.x.100.0 255.255.255.0 10.x.99.100
ip route 10.x.101.0 255.255.255.0 10.x.99.100
ip route 10.x.102.0 255.255.255.0 10.x.99.100

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hyman, Craig
Sent: Wednesday, 22 January 2003 17:13
To: [EMAIL PROTECTED]
Subject: Dynamic Natting [7:61584]

ALL-

Has anybody been able to do dynamic natting with a 1601R router using IOS 120221a? Have you been able to use multiple subnets (customer IPs) and run them through one Nat address?

Craig Hyman
SRS Implementation Team
Tier 2 Support
[EMAIL PROTECTED]
Broomfield Office 303-272-2661
Virtual Office Phone Number 303-604-0037
SkyPager Number 1-888-860-5913

-Original Message-
From: Silju Pillai [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 02, 2002 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: How to setup Pix site-to-site VPN with overlapping [7:50255]

HI David,

I have a link for you. It may help you a bit. It says NAT the existing addresses to a different address at both sites (although the document says one because of the concentrator).

http://www.cisco.com/warp/public/707/vpn_pix_private.html

If you are trying this, just tell me if it works or not.

regards
Silju

Version: PGP 8.0

iQA/AwUBPjBYdHdq56XWk+VyEQLpjgCbB3oFZ5RXaO+rXphAaFZIPQExc9MAoPWy
w00hZZlvoka9CV4zwuscI0By
=dOl9
-END PGP SIGNATURE-

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61779t=61584
RE: Microsoft Exchange/UMS and Firewall [7:61747]
Exchange will use 135 to discover (portmapper) and then use dynamically assigned ports for the actual conversations. Your best bet is to statically map the ports in Exchange, and then you don't have a moving target from the firewall point of view.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194952

The other option (not a good one IMHO) is to open 135 only to the Exchange host and then leave a range of ports open to that host as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 9:04 PM
To: [EMAIL PROTECTED]
Subject: Microsoft Exchange/UMS and Firewall [7:61747]

Hi All,

Need your advice on the following situation: I have an Active Voice Unified Messaging System at Location A, and a Microsoft Exchange Server at Location B. Both Location A and B are protected by Checkpoint firewall. Please advise how the firewall should be configured such that it will allow MAPI to be used between these two sites.

Thanks a lot in advance!

Maurice

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61780t=61747
RE: Passed CSIDS 855/1000 [7:61655]
Congrats as well. I hope to be writing this one mid February. By CSIDS I am understanding you wrote the 9E0-100, correct? And not the earlier version of this exam.

Kim / Zukee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61781t=61655
show cdp neighbors command [7:61782]
We have five 3500-series switches daisy-chained with Gigastack GBICs. Anyone know why I see all the switches in the daisy-chain when I do a show cdp neighbors command on any one of the switches? I thought this command only showed directly connected devices. I was told that there are no other connections between the switches (they are remote). No luck finding anything on CCO or archives.

Switch1 | Switch2 | Switch3 | Switch4 | Switch5

For example, if I do a show cdp neighbors on Switch3, I get (hopefully the formatting will look OK):

Switch3#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform      Port ID
Switch4      Gig 0/8          163        T S           WS-C3508G-    Gig 0/8
Switch5      Gig 0/8          177        T S           WS-C3508G-    Gig 0/8
Switch2      Gig 0/8          162        T S           WS-C3524-P    Gig 0/2
Switch1      Gig 0/8          131        T S           WS-C3524-P    Gig 0/2

I would think that this command would only show Switch2 and Switch4 as neighbors.

Thanks,
Shawn G. Kaminski
EDS - GTO Capability Center
Dow Chemical Test Facilities - Network Support

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61782t=61782
Bri2/1 !!!Check clock source!!! (Help needed) [7:61783]
Hi, I have a problem with a BRI S0 (with 2 voice ports) in an NM-2V. I can only have 2 voice calls on one port, and every time that I need a 3rd call the router sends the message "BRI2/1: !!!Check clock source!!!" and then the interface is disabled due to lost framing count of 41 in the past 16 msec.

Here goes an output of the configuration:

version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xpto
!
clock summer-time PT recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
!
no ip domain-lookup
!
frame-relay switching
isdn switch-type basic-net3
call rsvp-sync
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 duplex auto
 speed auto
!
interface Serial0/0
 bandwidth 384
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping
 frame-relay interface-dlci 200
  class voz
  vofr cisco
 frame-relay route 80 interface Serial0/1 80
!
interface Serial0/0.16 point-to-point
 bandwidth 144
 ip address y.y.y.y 255.255.255.252
 frame-relay interface-dlci 16
  class dados
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
 isdn switch-type basic-qsig
 cdapi buffers regular 0
 cdapi buffers raw 0
 cdapi buffers large 0
!
interface BRI1/0
 no ip address
 shutdown
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
interface BRI1/1
 no ip address
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
ip classless
no ip http server
!
voice-port 1/0/0
 compand-type a-law
 cptone PT
!
voice-port 1/0/1
 compand-type a-law
 cptone PT
!
dial-peer cor custom
!
dial-peer voice 2400 pots
 destination-pattern 4..
 direct-inward-dial
 port 1/0/0
 forward-digits all
!
dial-peer voice 2401 pots
 destination-pattern 4..
 direct-inward-dial
 port 1/0/1
 forward-digits all
!
dial-peer voice 1500 vofr
 destination-pattern 15..
 session target Serial0/0 200
 no vad

The PBX is a Siemens Hicom 100E.

If anyone has ideas please write.

Thx in advance
Best regards
Antero Vasconcelos

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61783t=61783
Re: show cdp neighbors command [7:61782]
I would guess that this whole network is a layer 2 network. Therefore the layer 2 broadcasts (CDP) would be forwarded to and through all switches.

Kaminski, Shawn G wrote in message news:[EMAIL PROTECTED]...

We have five 3500-series switches daisy-chained with Gigastack GBICs. Anyone know why I see all the switches in the daisy-chain when I do a show cdp neighbors command on any one of the switches? I thought this command only showed directly connected devices. I was told that there are no other connections between the switches (they are remote). No luck finding anything on CCO or archives.

Switch1 | Switch2 | Switch3 | Switch4 | Switch5

For example, if I do a show cdp neighbors on Switch3, I get (hopefully the formatting will look OK):

Switch3#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform      Port ID
Switch4      Gig 0/8          163        T S           WS-C3508G-    Gig 0/8
Switch5      Gig 0/8          177        T S           WS-C3508G-    Gig 0/8
Switch2      Gig 0/8          162        T S           WS-C3524-P    Gig 0/2
Switch1      Gig 0/8          131        T S           WS-C3524-P    Gig 0/2

I would think that this command would only show Switch2 and Switch4 as neighbors.

Thanks,
Shawn G. Kaminski
EDS - GTO Capability Center
Dow Chemical Test Facilities - Network Support

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61784t=61782
Re: show cdp neighbors command [7:61782]
Captain Lance wrote:

I would guess that this whole network is a layer 2 network. Therefore the layer 2 broadcasts (CDP) would be forwarded to and through all switches.

On Layer 2 networks broadcasts and multicasts do indeed get forwarded, but CDP is usually an exception. Normally CDP is processed specially and not forwarded. Usually you just learn about your actual physical neighbors. But the Gigastack must change that.

Priscilla

Kaminski, Shawn G wrote in message news:[EMAIL PROTECTED]...

We have five 3500-series switches daisy-chained with Gigastack GBICs. Anyone know why I see all the switches in the daisy-chain when I do a show cdp neighbors command on any one of the switches? I thought this command only showed directly connected devices. I was told that there are no other connections between the switches (they are remote). No luck finding anything on CCO or archives.

Switch1 | Switch2 | Switch3 | Switch4 | Switch5

For example, if I do a show cdp neighbors on Switch3, I get (hopefully the formatting will look OK):

Switch3#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform      Port ID
Switch4      Gig 0/8          163        T S           WS-C3508G-    Gig 0/8
Switch5      Gig 0/8          177        T S           WS-C3508G-    Gig 0/8
Switch2      Gig 0/8          162        T S           WS-C3524-P    Gig 0/2
Switch1      Gig 0/8          131        T S           WS-C3524-P    Gig 0/2

I would think that this command would only show Switch2 and Switch4 as neighbors.

Thanks,
Shawn G. Kaminski
EDS - GTO Capability Center
Dow Chemical Test Facilities - Network Support

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61785t=61782
Strange ACL problems [7:61786]
Is there a limit as to how many ACL entries can be in one group? Reason for asking... I have quite a few hosts blocked at one of our borders (yes, I'm going to have to sit down and start compiling the list) and after entering in one additional host all the others disappear.

I'm currently running 12.2.11T.

Has anyone seen this? Please let me know, it's rather urgent!

Cheers,
mkj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61786t=61786
Re: Strange ACL problems [7:61786]
That sounds quite odd. I have seen some pretty long lists but never seen what you're describing. How many entries are you talking? Is there something peculiar about this particular entry, or does this happen even if you add some bogus address? Can you make this list shorter, aggregate some addresses?

Dave

[EMAIL PROTECTED] wrote:

Is there a limit as to how many ACL entries can be in one group? Reason for asking... I have quite a few hosts blocked at one of our borders (yes, I'm going to have to sit down and start compiling the list) and after entering in one additional host all the others disappear.

I'm currently running 12.2.11T.

Has anyone seen this? Please let me know, it's rather urgent!

Cheers,
mkj

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61792t=61786
RE: show cdp neighbors command [7:61782]
Unfortunately, these switches are not using clustering.

Shawn K.

-Original Message-
From: Daniel Cotts [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 2:33 PM
To: 'Kaminski, Shawn G'; [EMAIL PROTECTED]
Subject: RE: show cdp neighbors command [7:61782]

By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster.

Watch the wrap:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc6/scg/swclus.htm#xtocid7

-Original Message-
From: Kaminski, Shawn G [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: show cdp neighbors command [7:61782]

We have five 3500-series switches daisy-chained with Gigastack GBICs. Anyone know why I see all the switches in the daisy-chain when I do a show cdp neighbors command on any one of the switches? I thought this command only showed directly connected devices. I was told that there are no other connections between the switches (they are remote). No luck finding anything on CCO or archives.

Switch1 | Switch2 | Switch3 | Switch4 | Switch5

For example, if I do a show cdp neighbors on Switch3, I get (hopefully the formatting will look OK):

Switch3#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform      Port ID
Switch4      Gig 0/8          163        T S           WS-C3508G-    Gig 0/8
Switch5      Gig 0/8          177        T S           WS-C3508G-    Gig 0/8
Switch2      Gig 0/8          162        T S           WS-C3524-P    Gig 0/2
Switch1      Gig 0/8          131        T S           WS-C3524-P    Gig 0/2

I would think that this command would only show Switch2 and Switch4 as neighbors.

Thanks,
Shawn G. Kaminski
EDS - GTO Capability Center
Dow Chemical Test Facilities - Network Support

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61793t=61782
RE: Strange ACL problems [7:61786]
It's about 65 entries long. I'm running a 3640 with max RAM and flash. I use Tera Term SSH to access the router. I've also tried consoling in via Tera Term and the same thing happened.

Another peculiar thing I noticed: one entry is an entire subnet (x.x.x.0 0.0.0.255); after pasting in the back-up, this entry shows up after the permit any statement. I tried to re-enter them, but the same thing happens.

TCP/IP gremlins I have many.

Cheers,
mkj

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 1:39 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Strange ACL problems [7:61786]

That sounds quite odd. I have seen some pretty long lists but never seen what you're describing. How many entries are you talking? Is there something peculiar about this particular entry, or does this happen even if you add some bogus address? Can you make this list shorter, aggregate some addresses?

Dave

[EMAIL PROTECTED] wrote:

Is there a limit as to how many ACL entries can be in one group? Reason for asking... I have quite a few hosts blocked at one of our borders (yes, I'm going to have to sit down and start compiling the list) and after entering in one additional host all the others disappear.

I'm currently running 12.2.11T.

Has anyone seen this? Please let me know, it's rather urgent!

Cheers,
mkj

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61794t=61786
OT: test don't read [7:61795]
Test

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61795t=61795
How to Block STP, VTP, etc. on Access Ports? [7:61796]
Group,

I sometimes remember things that never happened. Do I remember that there is a simple command that allows you to block STP, VTP, HSRP, etc. from hitting access ports?

Thanks much!

Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61796t=61796
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
disable STP on the port...

--
Larry Letterman
Network Engineer
Cisco Systems

s vermill wrote in message news:[EMAIL PROTECTED]...

Group,

I sometimes remember things that never happened. Do I remember that there is a simple command that allows you to block STP, VTP, HSRP, etc. from hitting access ports?

Thanks much!

Scott
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61797t=61796
RE: show cdp neighbors command [7:61782]
By using CDP, a command switch can discover switches up to seven CDP hops away (the default is three hops) from the edge of the cluster.

Watch the wrap:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc6/scg/swclus.htm#xtocid7

-Original Message-
From: Kaminski, Shawn G [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: show cdp neighbors command [7:61782]

We have five 3500-series switches daisy-chained with Gigastack GBICs. Anyone know why I see all the switches in the daisy-chain when I do a show cdp neighbors command on any one of the switches? I thought this command only showed directly connected devices. I was told that there are no other connections between the switches (they are remote). No luck finding anything on CCO or archives.

Switch1 | Switch2 | Switch3 | Switch4 | Switch5

For example, if I do a show cdp neighbors on Switch3, I get (hopefully the formatting will look OK):

Switch3#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Intrfce    Holdtme    Capability    Platform      Port ID
Switch4      Gig 0/8          163        T S           WS-C3508G-    Gig 0/8
Switch5      Gig 0/8          177        T S           WS-C3508G-    Gig 0/8
Switch2      Gig 0/8          162        T S           WS-C3524-P    Gig 0/2
Switch1      Gig 0/8          131        T S           WS-C3524-P    Gig 0/2

I would think that this command would only show Switch2 and Switch4 as neighbors.

Thanks,
Shawn G. Kaminski
EDS - GTO Capability Center
Dow Chemical Test Facilities - Network Support

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61790t=61782
RE: Policing traffic - Normal burst, Maximum burst etc [7:61776]
IIRC, your second statement would be right. You specify those burst bandwidths as additions to the first one, i.e. 8000, 2000, and 4000 would give you avg. 8000, burst of 1 and max burst of 12000.

See here: (watch for wrap)
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800bd8ee.html#xtocid5

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61798t=61776
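The two burst values in the thread are easiest to reason about as two token buckets: a conform bucket whose capacity is the normal burst and an exceed bucket whose capacity is the maximum burst, both refilled from the committed rate. The simulation below is an added illustration for this thread, not code from the posters or from Cisco; it uses the RFC 2697 single-rate three-colour arrangement (the conform bucket fills first, its overflow spills into the exceed bucket) as an assumed model, and the packet schedule, the byte-sized buckets and the bit-per-second rate are constructed for the demonstration rather than a statement of how IOS sizes its police arguments.

```python
"""Single-rate, two-bucket policer model (added illustration, constructed data)."""
from typing import List, Tuple

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


class SingleRatePolicer:
    """Conform bucket sized by the normal burst, exceed bucket by the maximum burst.

    Both buckets refill from the committed rate; the conform bucket fills first
    and its overflow spills into the exceed bucket (assumed srTCM model).
    """

    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int) -> None:
        self.cir_bps = cir_bps      # committed rate, bits per second
        self.bc_bytes = bc_bytes    # normal burst: capacity of the conform bucket
        self.be_bytes = be_bytes    # maximum burst: capacity of the exceed bucket
        self.tc = float(bc_bytes)   # both buckets start full, as a freshly applied policer
        self.te = float(be_bytes)
        self.last = 0.0             # time of the previous refill, seconds

    def _refill(self, now: float) -> None:
        # Tokens (bytes) earned since the previous packet at the committed rate.
        earned = self.cir_bps / 8.0 * (now - self.last)
        self.last = now
        room = self.bc_bytes - self.tc
        if earned <= room:
            self.tc += earned
        else:
            self.tc = float(self.bc_bytes)
            self.te = min(float(self.be_bytes), self.te + (earned - room))

    def police(self, now: float, size_bytes: int) -> str:
        """Classify one packet of size_bytes arriving at time now (seconds)."""
        self._refill(now)
        if size_bytes <= self.tc:
            self.tc -= size_bytes
            return CONFORM
        if size_bytes <= self.te:
            self.te -= size_bytes
            return EXCEED
        return VIOLATE


def run_schedule(policer: SingleRatePolicer,
                 packets: List[Tuple[float, int]]) -> List[str]:
    """Police a list of (arrival_time_s, size_bytes) and return each decision."""
    return [policer.police(t, n) for t, n in packets]


# Constructed schedule: a burst of four 1500-byte packets at t=0, a smaller
# burst one second later, then a packet after a long idle period.
SAMPLE_PACKETS = [(0.0, 1500), (0.0, 1500), (0.0, 1500), (0.0, 1500),
                  (1.0, 1500), (1.0, 1000), (1.0, 100),
                  (10.0, 1500)]


def demo(cir_bps: int = 8000, bc_bytes: int = 2000, be_bytes: int = 4000) -> List[str]:
    """Run the sample schedule through a policer with the thread's 8000/2000/4000 values."""
    return run_schedule(SingleRatePolicer(cir_bps, bc_bytes, be_bytes), SAMPLE_PACKETS)


if __name__ == "__main__":
    for (t, n), verdict in zip(SAMPLE_PACKETS, demo()):
        print(f"t={t:5.1f}s  {n:5d} bytes  -> {verdict}")
```

With 8000 bps (1000 bytes per second) the first 1500-byte packet conforms, the next two land in the exceed bucket, the fourth violates, and only after the idle gap are both buckets full again; setting the maximum burst to 0 turns every exceed into a violate, which is the difference the original question is really asking about.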
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Larry Letterman wrote:

disable STP on the port...

--
Larry Letterman
Network Engineer
Cisco Systems

Thanks Larry. I've never claimed to be a security expert. I generally get the network going and let the local policy folk implement what they see fit. I guess turning off STP is a start, but I thought that I once ran across a simple command that made an access port truly an access port. As part of a turnover process, a security audit was conducted on a network we've recently built. One of the red flags thrown at us was that STP, HSRP, and VTP information could be passively collected. All true. So are L2 ACLs the only answer? I thought Cisco addressed this in some way, but again, I sometimes remember things that never happened.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61799t=61796
Re: Strange ACL problems [7:61786]
Well, a 65 line access list should not be the problem!! Try 12.2.13T :)

Dave

[EMAIL PROTECTED] wrote:

It's about 65 entries long. I'm running a 3640 with max RAM and flash. I use Tera Term SSH to access the router. I've also tried consoling in via Tera Term and the same thing happened.

Another peculiar thing I noticed: one entry is an entire subnet (x.x.x.0 0.0.0.255); after pasting in the back-up, this entry shows up after the permit any statement. I tried to re-enter them, but the same thing happens.

TCP/IP gremlins I have many.

Cheers,
mkj

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 1:39 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Strange ACL problems [7:61786]

That sounds quite odd. I have seen some pretty long lists but never seen what you're describing. How many entries are you talking? Is there something peculiar about this particular entry, or does this happen even if you add some bogus address? Can you make this list shorter, aggregate some addresses?

Dave

[EMAIL PROTECTED] wrote:

Is there a limit as to how many ACL entries can be in one group? Reason for asking... I have quite a few hosts blocked at one of our borders (yes, I'm going to have to sit down and start compiling the list) and after entering in one additional host all the others disappear.

I'm currently running 12.2.11T.

Has anyone seen this? Please let me know, it's rather urgent!

Cheers,
mkj

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61800t=61786
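The detail in mkj's second message that matters from a security standpoint is the subnet entry that ended up after the permit any statement: an ACE placed after an entry that already matches everything it could match is never evaluated, so a deny that lands there is a silent hole in the border filter. The checker below is an added example for this thread, not code from the posters; it parses a constructed extended IP access list in the `access-list <n> <permit|deny> <proto> <src> <dst>` form the thread uses (any, host and contiguous-wildcard addresses; port qualifiers are recognised only so that a narrowed entry is not treated as covering a wider one) and reports each ACE that an earlier ACE fully covers, as "shadowed" when the actions differ and "redundant" when they are the same.

```python
"""Extended IP ACL shadowing check (added illustration, constructed ACL)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}   # keyword -> tokens it consumes


@dataclass
class Ace:
    line: int
    action: str        # permit | deny
    proto: str         # ip, tcp, udp, ...
    src: IPv4Net
    dst: IPv4Net
    narrowed: bool     # carries a port qualifier or 'established', so it matches less than src/dst
    text: str


def _addr(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Consume one address spec (any | host A | A WILDCARD); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return IPv4Net(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    # IPv4Network rejects a non-contiguous mask, so a discontiguous wildcard raises ValueError.
    return IPv4Net((tok, str(netmask)), strict=False), i + 2


def _skip_ports(tokens: List[str], i: int) -> Tuple[bool, int]:
    """Skip a port qualifier following an address; return (found, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return True, i + PORT_OPS[tokens[i]]
    return False, i


def parse_acl(config: str) -> List[Ace]:
    aces = []
    for n, raw in enumerate(config.strip().splitlines(), 1):
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue   # blank lines, remarks and anything that is not an ACE
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        src_ports, i = _skip_ports(t, i)
        dst, i = _addr(t, i)
        dst_ports, i = _skip_ports(t, i)
        narrowed = src_ports or dst_ports or "established" in t[i:]
        aces.append(Ace(n, action, proto, src, dst, narrowed, raw.strip()))
    return aces


def find_shadowed(aces: List[Ace]) -> List[Tuple[int, str, int]]:
    """Return (line, kind, covering_line) for every ACE that an earlier ACE fully covers."""
    findings = []
    for i, a in enumerate(aces):
        for b in aces[:i]:
            covers = (not b.narrowed
                      and b.proto in ("ip", a.proto)
                      and a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst))
            if covers:
                kind = "shadowed" if a.action != b.action else "redundant"
                findings.append((a.line, kind, b.line))
                break
    return findings


# Constructed sample: the subnet deny after 'permit ip any any' mirrors the symptom in the thread.
SAMPLE_ACL = """
access-list 100 remark border filter (constructed sample, documentation prefixes)
access-list 100 deny   ip host 192.0.2.10 any
access-list 100 deny   ip 198.51.100.0 0.0.0.255 any
access-list 100 deny   tcp any host 203.0.113.5 eq 23
access-list 100 permit ip any any
access-list 100 deny   ip 203.0.113.0 0.0.0.255 any
access-list 100 deny   ip host 198.51.100.7 any
"""


def check_sample() -> List[Tuple[int, str, int]]:
    return find_shadowed(parse_acl(SAMPLE_ACL))


if __name__ == "__main__":
    for line, kind, by in check_sample():
        print(f"line {line} is {kind} by line {by}")
```

Run against the sample, the subnet deny on line 6 is reported as shadowed by the permit on line 5 and the host on line 7 as redundant with the /24 on line 3; pasting a saved list back in and running this over the result is a cheap way to confirm that the order the router kept is the order you meant.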
access-list compiled on Pix firewall [7:61801]
Has anyone used the access-list compiled on the pix firewall? Cisco says that it optimizes the access-list and makes things run smoother if your access-list is at least 20 lines long. Has anyone actually measured this on a production environment? Advise please.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61801t=61801
RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]
On CatOS switches there is the set port host command. To optimize the port configuration, the set port host command sets channel mode to off, enables spanning tree PortFast, sets the trunk mode to off, and disables the dot1q tunnel feature. Only an end station can accept this configuration.

-Original Message-
From: s vermill [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 2:17 PM
To: [EMAIL PROTECTED]
Subject: How to Block STP, VTP, etc. on Access Ports? [7:61796]

Group,

I sometimes remember things that never happened. Do I remember that there is a simple command that allows you to block STP, VTP, HSRP, etc. from hitting access ports?

Thanks much!

Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61802t=61796
RE: access-list compiled on Pix firewall [7:61803]
I've used the turbo acl function and it seems like a nice feature, but didn't notice any real difference performance wise. Had 29 lines of filters.

Thanks,
Ian
www.ccie4u.com
Rack Rentals and Lab Scenarios

-Original Message-
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 3:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: access-list compiled on Pix firewall

Has anyone used the access-list compiled on the pix firewall? Cisco says that it optimizes the access-list and makes things run smoother if your access-list is at least 20 lines long. Has anyone actually measured this on a production environment? Advise please.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61803t=61803
OT: Re:Hey Chuck, tax question on certs [7:61778]
From the IRS Website (http://www.irs.gov/taxtopics/page/0,,id%3D105559,00.html -- watch for wrap):

Generally, you cannot deduct education and training expenses for yourself, your spouse (if married) or your dependent as a business expense unless the education or training:

- Maintains or improves a skill required in a trade or business you are currently engaged in,
- Meets the express requirements of your employer, or
- Meets the requirements of law or regulations which are conditions of continuing your employment.

There are 2 caveats that I should point out.

1. If you were reimbursed for the certification you cannot deduct it. Unless you were repaid in a tax year subsequent to the one in which you spent the money. Then you would be able to deduct it in the first year, and then pay for it in the second year.

2. If you are getting certified to obtain a raise or to get another job, the expenses are not deductible.

Hope this helps

Jarett

Scott wrote in message news:[EMAIL PROTECTED]...

Chuck,

I remember sometime last year that you mentioned a way to deduct certification expenses from your taxes. I was wondering if you could enlighten the masses on how this works and what is deductible? Can we deduct all travel expenses and cost of exams? Any loopholes to look out for?

Would usually do this offline, but since it affects everybody here I thought it would be a constructive discussion for all.

Thanks,
Scott
CCIE #9340

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61804t=61778
DDR on AS [7:61805]
I have an AS3640 with one PRI. The PRI handles both incoming and outgoing data calls. Has anyone configured an Access Server to use DDR for outbound calls (not using a com redirect)?

Example: I need to take an internal telnet session, route it to the AS and then trigger an async call to a remote location.

Any help would be greatly appreciated.

Tony

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61805t=61805
RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Daniel Cotts wrote:

On CatOS switches there is the set port host command. To optimize the port configuration, the set port host command sets channel mode to off, enables spanning tree PortFast, sets the trunk mode to off, and disables the dot1q tunnel feature. Only an end station can accept this configuration.

Thanks Daniel. I'll give that a try and light off an analyzer to see what gets through.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61806t=61796
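Scott's plan at the end of this thread is to put an analyzer on the access port and see what control-plane traffic still reaches it after the port is reconfigured. The script below is an added example for that check, not code from the posters or from Cisco: it classifies raw Ethernet frames by the well-known addresses and SNAP protocol IDs of the protocols the audit flagged (IEEE STP and PVST+ BPDUs, VTP, HSRP hellos on UDP 1985 to 224.0.0.2 or 224.0.0.102) plus CDP and DTP, which share VTP's multicast address, and counts what it sees. The frames it runs on are constructed inline and marked as such; on a real port you would feed it the bytes from a capture, and a port that is truly an access port should produce an empty report.

```python
"""Spot L2/L3 control-plane traffic on an access port (added illustration, constructed frames)."""
import struct
from collections import Counter
from typing import Dict, List, Optional

CISCO_MCAST = bytes.fromhex("01000ccccccc")   # CDP, VTP, DTP (SNAP, OUI 00:00:0c)
CISCO_PVST = bytes.fromhex("01000ccccccd")    # PVST+ BPDUs
IEEE_STP = bytes.fromhex("0180c2000000")      # IEEE 802.1D BPDUs (LLC SAP 0x42)
CISCO_OUI = bytes.fromhex("00000c")
SNAP_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x010B: "PVST+"}
HSRP_GROUPS = {bytes([224, 0, 0, 2]), bytes([224, 0, 0, 102])}   # HSRPv1 / HSRPv2
HSRP_PORT = 1985


def classify(frame: bytes) -> Optional[str]:
    """Return the control protocol a raw Ethernet frame carries, or None."""
    if len(frame) < 14:
        return None
    dst = frame[:6]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype <= 1500:                        # 802.3 length field: an LLC header follows
        if len(frame) < 17:
            return None
        dsap, ssap = frame[14], frame[15]
        if dst == IEEE_STP and dsap == 0x42 and ssap == 0x42:
            return "STP"
        if dsap == 0xAA and ssap == 0xAA and len(frame) >= 22:   # SNAP: OUI + protocol ID
            oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
            if oui == CISCO_OUI and dst in (CISCO_MCAST, CISCO_PVST):
                return SNAP_PIDS.get(pid)
        return None
    if etype == 0x0800 and len(frame) >= 34:  # IPv4: look for HSRP hellos over UDP
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] == 17 and ip[16:20] in HSRP_GROUPS and len(ip) >= ihl + 8:
            dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
            if dport == HSRP_PORT:
                return "HSRP"
    return None


def audit_access_port(frames: List[bytes]) -> Dict[str, int]:
    """Count control-plane frames seen; on a true access port this should be empty."""
    seen = Counter(classify(f) for f in frames)
    seen.pop(None, None)
    return dict(seen)


# --- constructed sample frames (not captures from the thread's network) ---
SRC = bytes.fromhex("00d0ba000001")   # made-up source MAC


def snap_frame(dst: bytes, pid: int, payload: bytes = b"\x00" * 40) -> bytes:
    body = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + payload
    return dst + SRC + struct.pack("!H", len(body)) + body


def ieee_bpdu() -> bytes:
    body = b"\x42\x42\x03" + b"\x00" * 35          # LLC header + zeroed 802.1D config BPDU
    return IEEE_STP + SRC + struct.pack("!H", len(body)) + body


def hsrp_hello() -> bytes:
    udp = struct.pack("!HHHH", HSRP_PORT, HSRP_PORT, 28, 0) + b"\x00" * 20
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([224, 0, 0, 2])) + udp
    return bytes.fromhex("01005e000002") + SRC + b"\x08\x00" + ip


def plain_ipv4_tcp() -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + b"\x00" * 20
    return bytes.fromhex("00d0ba000002") + SRC + b"\x08\x00" + ip


SAMPLE_FRAMES = [snap_frame(CISCO_MCAST, 0x2000), snap_frame(CISCO_MCAST, 0x2003),
                 snap_frame(CISCO_PVST, 0x010B), ieee_bpdu(), hsrp_hello(),
                 plain_ipv4_tcp(), plain_ipv4_tcp()]

if __name__ == "__main__":
    for proto, count in sorted(audit_access_port(SAMPLE_FRAMES).items()):
        print(f"{proto:6s} {count}")
```

The classifier only looks at addressing and encapsulation, which is enough to answer the audit's question (is the protocol reaching the port at all); disabling STP on the port, as suggested earlier in the thread, would remove the BPDUs from this report but not the VTP or HSRP entries, which is why a capture after each change is worth the minute it takes.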
NT4.0 password crack tool [7:61807]
I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated.

Naim Kazan
FISC-SDS
WORK: 201-915-7347
HOME: 973-492-1466
CELL: 917-559-0591
EMAIL: [EMAIL PROTECTED]
PAGER: 800-759-8352 Pin 1145361

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61807t=61807
Re: Re:Hey Chuck, tax question on certs [7:61778]
Another big thing on deducting and/or itemizing for this is if you do W-2 work or 1099. I've been writing this stuff off since '98 doing 1099 work, including the Cisco equipment. If you're going to do this, though, get an accountant. These types of things become an IRS red flag for an audit. There's a fine line in what the IRS will allow and will not. Cross your T's and dot your I's and be sure to have receipts and documentation for everything. Best bet is to get a CPA to see if you can do it, as this will be applied to your individual situation.

-Eric R.

----- Original Message -----
From: J.D. Chaiken
To:
Sent: Friday, January 24, 2003 1:10 PM
Subject: OT: Re:Hey Chuck, tax question on certs [7:61778]

> From the IRS Website: (http://www.irs.gov/taxtopics/page/0,,id%3D105559,00.html -- watch for wrap)
>
> Generally, you cannot deduct education and training expenses for yourself, your spouse (if married) or your dependent as a business expense unless the education or training:
> a. Maintains or improves a skill required in a trade or business you are currently engaged in,
> b. Meets the express requirements of your employer, or
> c. Meets the requirements of law or regulations which are conditions of continuing your employment.
>
> There are 2 caveats that I should point out.
> 1. If you were reimbursed for the certification you cannot deduct it, unless you were repaid in a subsequent tax year from the one in which you spent the money. Then you would be able to deduct it in the first year, and then pay for it in the second year.
> 2. If you are getting certified to obtain a raise or to get another job, the expenses are not deductible.
>
> Hope this helps
>
> Jarett Scott wrote in message news:[EMAIL PROTECTED]...
> > Chuck,
> > I remember sometime last year that you mentioned a way to deduct certification expenses from your taxes. I was wondering if you could enlighten the masses on how this works and what is deductible? Can we deduct all travel expenses and cost of exams? Any loopholes to look out for?
> > Would usually do this offline, but since it affects everybody here I thought it would be a constructive discussion for all.
> > Thanks,
> > Scott
> > CCIE #9340

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61809t=61778
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though.

HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to be the active router yourself and all traffic will go to you instead of where it should go. I've done it! :-)

You should check to see if Cisco ever fixed this, though. Maybe they use a stronger authentication method now. I'll see if I can find out.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

s vermill wrote:
> Larry Letterman wrote:
> > disable STP on the port...
> > --
> > Larry Letterman
> > Network Engineer
> > Cisco Systems
>
> Thanks Larry. I've never claimed to be a security expert. I generally get the network going and let the local policy folk implement what they see fit. I guess turning off STP is a start, but I thought that I once ran across a simple command that made an access port truly an access port.
>
> As part of a turnover process, a security audit was conducted on a network we've recently built. One of the red flags thrown at us was that STP, HSRP, and VTP information could be passively collected. All true. So are L2 ACLs the only answer? I thought Cisco addressed this in some way, but again, I sometimes remember things that never happened.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61810t=61796
Re: NT4.0 password crack tool [7:61807]
You're talking about NT4 login passwords, the SAM database?

L0phtCrack works; it takes a long time though.

Sysinternals has tools to log in to the box and change things.

You can also change cmd.exe to the default screen saver name; the command line will pop up after a while after reboot, and you can change the password with the net user command.

If the server or the box is part of the global admin group, I'm sure you know you can change the password or reset it, even just with User Manager for Domains.

And there are of course a lot of other things that can be done, depending on your situation.

Hope the above helps.

Regards

Kazan, Naim wrote in message news: [EMAIL PROTECTED]
> I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated.
>
> Naim Kazan
> FISC-SDS
> WORK: 201-915-7347
> HOME: 973-492-1466
> CELL: 917-559-0591
> EMAIL: [EMAIL PROTECTED]
> PAGER: 800-759-8352 Pin 1145361

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61808t=61807
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Priscilla Oppenheimer wrote:
> On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though.
>
> HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to be the active router yourself and all traffic will go to you instead of where it should go. I've done it! :-)
>
> You should check to see if Cisco ever fixed this, though. Maybe they use a stronger authentication method now. I'll see if I can find out.

They don't seem to have fixed this! Unbelievable. It's a gaping hole (although to exploit it you have to have access to the LAN).

P.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

> s vermill wrote:
> > Larry Letterman wrote:
> > > disable STP on the port...
> > > --
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> >
> > Thanks Larry. I've never claimed to be a security expert. I generally get the network going and let the local policy folk implement what they see fit. I guess turning off STP is a start, but I thought that I once ran across a simple command that made an access port truly an access port.
> >
> > As part of a turnover process, a security audit was conducted on a network we've recently built. One of the red flags thrown at us was that STP, HSRP, and VTP information could be passively collected. All true. So are L2 ACLs the only answer? I thought Cisco addressed this in some way, but again, I sometimes remember things that never happened.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61811t=61796
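The attack Priscilla describes above, worked through as an added example (this is not code from her post or from Cisco): an HSRP version 1 hello carries its authentication string as eight clear-text bytes, so anyone on the segment can read it, copy it, and send a hello with a higher priority for the same group. The parser below decodes HSRPv1 payloads (UDP/1985 to 224.0.0.2, layout per RFC 2281: version, opcode, state, hello time, hold time, priority, group, reserved, 8-byte auth data, virtual IP) and flags a hello from a host that is not one of the known routers and whose priority ties or beats theirs. The capture bytes, the addresses 10.0.0.x and the router list are constructed for the example.

```python
"""Decode HSRPv1 hellos from a capture and flag a host that outbids the real routers.

Added example for this thread; not Cisco code. HSRPv1 layout per RFC 2281 section 5.1:
version, opcode, state, hellotime, holdtime, priority, group, reserved (1 byte each),
8 bytes of clear-text authentication data, 4-byte virtual IP. Carried in UDP/1985 to 224.0.0.2.
"""
import struct
from dataclasses import dataclass

HSRP_V1_LEN = 20
DEFAULT_AUTH = b"cisco"           # RFC 2281 default authentication string
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


@dataclass
class HsrpHello:
    src_ip: str
    opcode: str
    state: str
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp_v1(src_ip: str, payload: bytes) -> HsrpHello:
    """Decode one HSRPv1 UDP payload; the auth field is plain bytes, readable by anyone on the segment."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("HSRPv1 payload is %d bytes, need %d" % (len(payload), HSRP_V1_LEN))
    version, opcode, state, _hello, _hold, priority, group, _rsvd = struct.unpack("!8B", payload[:8])
    if version != 0:
        raise ValueError("not HSRP version 1 (version byte %d)" % version)
    auth = payload[8:16].rstrip(b"\x00")
    vip = ".".join(str(b) for b in payload[16:20])
    return HsrpHello(src_ip, OPCODES.get(opcode, "op%d" % opcode),
                     STATES.get(state, "state%d" % state), priority, group, auth, vip)


def uses_default_auth(hello: HsrpHello) -> bool:
    """True when the router was left on the RFC default string 'cisco'."""
    return hello.auth == DEFAULT_AUTH


def find_rogue_hellos(hellos, known_routers):
    """Report hellos from hosts outside known_routers whose priority ties or beats the real routers.

    HSRP elects the highest priority (ties broken by highest IP), so a rogue hello with priority
    255 is enough to take the virtual IP; with the auth string copied from the wire it is accepted.
    """
    best_known = {}
    for h in hellos:
        if h.src_ip in known_routers:
            best_known[h.group] = max(best_known.get(h.group, 0), h.priority)
    findings = []
    for h in hellos:
        if h.src_ip in known_routers:
            continue
        threshold = best_known.get(h.group, 0)
        if h.priority >= threshold:
            findings.append(("%s sends %s for group %d with priority %d (legit max %d), auth %r"
                             % (h.src_ip, h.opcode, h.group, h.priority, threshold, h.auth), h))
    return findings


def build_hello_v1(state, priority, group, auth, vip) -> bytes:
    """Construct an HSRPv1 payload (used here only to fabricate the sample capture)."""
    head = struct.pack("!8B", 0, 0, state, 3, 10, priority, group, 0)
    return head + auth.ljust(8, b"\x00")[:8] + bytes(int(o) for o in vip.split("."))


# Constructed sample capture: (source IP, UDP payload). 10.0.0.2/.3 are the real routers for group 1.
SAMPLE_CAPTURE = [
    ("10.0.0.2", build_hello_v1(16, 110, 1, b"cisco", "10.0.0.1")),   # active router
    ("10.0.0.3", build_hello_v1(8, 100, 1, b"cisco", "10.0.0.1")),    # standby router
    ("10.0.0.99", build_hello_v1(16, 255, 1, b"cisco", "10.0.0.1")),  # rogue host replaying the auth string
]
KNOWN_ROUTERS = {"10.0.0.2", "10.0.0.3"}


def audit(capture, known_routers):
    """Parse every packet and summarise what a LAN-attached observer learns and can abuse."""
    hellos = [parse_hsrp_v1(src, payload) for src, payload in capture]
    return {
        "auth_strings_seen": sorted({h.auth for h in hellos}),
        "default_auth": any(uses_default_auth(h) for h in hellos),
        "rogue": find_rogue_hellos(hellos, known_routers),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CAPTURE, KNOWN_ROUTERS)
    print("auth strings on the wire:", report["auth_strings_seen"])
    for reason, _ in report["rogue"]:
        print("ALERT:", reason)
```

The check keys on the source address because the HSRP payload itself gives the observer nothing to verify; that is exactly why an inbound access list on the access ports that drops UDP/1985 (or, more broadly, anything to 224.0.0.2 that did not come from the routers) is the fix the thread ends up at.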
RE: access-list compiled on Pix firewall [7:61803]
According to Cisco's site... The access-list compiled can only be used with Turbo ACLs on the 7000 series routers. Please let me know if I'm wrong! I'd like to use it on my 3640 with ACL gremlins.

-----Original Message-----
From: Stong, Ian C [GMG] [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: access-list compiled on Pix firewall [7:61803]

> I've used the turbo ACL function and it seems like a nice feature but didn't notice any real difference performance-wise. Had 29 lines of filters.
>
> Thanks,
> Ian
> www.ccie4u.com
> Rack Rentals and Lab Scenarios
>
> -----Original Message-----
> From: eric nguyen [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 24, 2003 3:46 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: access-list compiled on Pix firewall
>
> > Has anyone used the access-list compiled on the PIX firewall? Cisco says that it optimizes the access-list and makes things run smoother if your access-list is at least 20 lines long. Has anyone actually measured this in a production environment? Advise please.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61812t=61803
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Hi,

disabling STP is not recommended. Use PortFast instead. VTP is only active on trunk ports. HSRP is configured per interface (on the router). What do you want to achieve?

Jens Neelsen
CCNP, CCDP, CCSI

--- Larry Letterman wrote:
> disable STP on the port...
> --
> Larry Letterman
> Network Engineer
> Cisco Systems
>
> s vermill wrote in message news:[EMAIL PROTECTED]...
> > Group,
> > I sometimes remember things that never happened. Do I remember that there is a simple command that allows you to block STP, VTP, HSRP, etc. from hitting access ports?
> > Thanks much!
> > Scott
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61813t=61796
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Priscilla Oppenheimer wrote:
> Priscilla Oppenheimer wrote:
> > On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though.
> >
> > HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to be the active router yourself and all traffic will go to you instead of where it should go. I've done it! :-)
> >
> > You should check to see if Cisco ever fixed this, though. Maybe they use a stronger authentication method now. I'll see if I can find out.
>
> They don't seem to have fixed this! Unbelievable. It's a gaping hole (although to exploit it you have to have access to the LAN).
>
> P.
>
> ___
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com

Thanks Priscilla. I found it interesting that the security consultants made note of these findings and made a strong recommendation that we fix them. No suggestions on how to do so were offered. I imagine there is a L2 ACL solution or something along those lines. I was hoping for something clean, but I guess it's time to earn our paycheck.

Regards,
Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61814t=61796
Re: Automated Script for backing up Cisco configs and Image [7:61815]
Does it work with the Cisco PIX?

John

On Thu, Jan 23, 2003 at 11:02:03PM +, Jerry Deer wrote:
> CatTools by Kiwi!
>
> -----Original Message-----
> From: Kerry Ogedegbe [ MTN - Portharcourt ] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 16, 2003 3:12 AM
> To: [EMAIL PROTECTED]
> Subject: Automated Script for backing up Cisco configs and Image [7:61188]
>
> > Hello People,
> > Can anyone help me with where I can get an automated script / shareware application that I could use in backing up my Cisco router and switch configs?
> >
> > Cheers
> > ___
> > Kerry

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61815t=61815
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Jens Neelsen wrote:
> Hi,
>
> disabling STP is not recommended. Use PortFast instead. VTP is only active on trunk ports. HSRP is configured per interface (on the router). What do you want to achieve?
>
> Jens Neelsen
> CCNP, CCDP, CCSI

Jens,

Thanks. I have no intention of turning off STP. We are using PortFast. VTP advertisements were captured by the security consultant and pasted into an appendix. We controlled where they got access to the network, so it isn't a sham. They got to it. I assumed that it was a multicast that IGMP snooping didn't block. Ditto for HSRP.

What I want to achieve is what I asked: prevent STP, VTP, and HSRP frames from finding their way to access ports. Ideally, with a clean, single 'set' command. Not looking good for the home team though. I do plan to trace their steps with an analyzer and see what ideas I might be able to come up with. I'll post back what I learn if anything interesting.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61816t=61796
Re: Re:Hey Chuck, tax question on certs [7:61778]
Eric Rogers wrote:
> Another big thing on deducting and/or itemizing for this is if you do W-2 work or 1099. I've been writing this stuff off since '98 doing 1099 work, including the Cisco equipment. If you're going to do this, though, get an accountant. These types of things become an IRS red flag for an audit. There's a fine line in what the IRS will allow and will not. Cross your T's and dot your I's and be sure to have receipts and documentation for everything. Best bet is to get a CPA to see if you can do it, as this will be applied to your individual situation.
>
> -Eric R.

Eric,

I have it on good authority that dotting capital I's on a tax return leads to an automatic, mandatory audit that is often fatal.

Regards,
Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61817t=61778
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Oh, good point regarding fixing the HSRP hole. An access list solves the problem. For your other issues, though, you don't need an access list probably, just set port host if your switch supports it (or something similar on other switches).

The Center for Internet Security has some good info for Cisco routers, by the way, but not much for switches. See here: http://www.cisecurity.org/

P.

s vermill wrote:
> Priscilla Oppenheimer wrote:
> > Priscilla Oppenheimer wrote:
> > > On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though.
> > >
> > > HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to be the active router yourself and all traffic will go to you instead of where it should go. I've done it! :-)
> > >
> > > You should check to see if Cisco ever fixed this, though. Maybe they use a stronger authentication method now. I'll see if I can find out.
> >
> > They don't seem to have fixed this! Unbelievable. It's a gaping hole (although to exploit it you have to have access to the LAN).
> >
> > P.
> >
> > ___
> > Priscilla Oppenheimer
> > www.troubleshootingnetworks.com
> > www.priscilla.com
>
> Thanks Priscilla. I found it interesting that the security consultants made note of these findings and made a strong recommendation that we fix them. No suggestions on how to do so were offered. I imagine there is a L2 ACL solution or something along those lines. I was hoping for something clean, but I guess it's time to earn our paycheck.
>
> Regards,
> Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61818t=61796
RE: NT4.0 password crack tool [7:61807]
Try this link http://www.atstake.com/research/lc/download.html for what used to be the L0pht Heavy Industries web site. It's a fair tool, especially if the password can be found in the dictionary.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61819t=61807
RE: NT4.0 password crack tool [7:61807]
Thanks

-----Original Message-----
From: Juntao [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: NT4.0 password crack tool [7:61807]

> You're talking about NT4 login passwords, the SAM database?
>
> L0phtCrack works; it takes a long time though.
>
> Sysinternals has tools to log in to the box and change things.
>
> You can also change cmd.exe to the default screen saver name; the command line will pop up after a while after reboot, and you can change the password with the net user command.
>
> If the server or the box is part of the global admin group, I'm sure you know you can change the password or reset it, even just with User Manager for Domains.
>
> And there are of course a lot of other things that can be done, depending on your situation.
>
> Hope the above helps.
>
> Regards
>
> Kazan, Naim wrote in message news: [EMAIL PROTECTED]
> > I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated.
> >
> > Naim Kazan
> > FISC-SDS
> > WORK: 201-915-7347
> > HOME: 973-492-1466
> > CELL: 917-559-0591
> > EMAIL: [EMAIL PROTECTED]
> > PAGER: 800-759-8352 Pin 1145361

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61820t=61807
Re: How to Block STP, VTP, etc. on Access Ports? [7:61796]
Priscilla Oppenheimer wrote:
> Oh, good point regarding fixing the HSRP hole. An access list solves the problem. For your other issues, though, you don't need an access list probably, just set port host if your switch supports it (or something similar on other switches).

These are 6509s. 'set port host' sounds like maybe what I was trying to remember. I plan to stick an analyzer on a port for a while, start a new capture file, and then issue the above. I'll post what I observe. Unfortunately, it won't be until at least next week before I get back to that customer site. Thanks again.

> The Center for Internet Security has some good info for Cisco routers, by the way, but not much for switches. See here: http://www.cisecurity.org/
>
> P.
>
> s vermill wrote:
> > Priscilla Oppenheimer wrote:
> > > Priscilla Oppenheimer wrote:
> > > > On Catalyst switches, you can use the set port host macro. It turns a bunch of stuff off. That won't help with HSRP, though.
> > > >
> > > > HSRP is definitely hackable. If you can see the packets, you can see the unencrypted authentication string, and then you can claim to be the active router yourself and all traffic will go to you instead of where it should go. I've done it! :-)
> > > >
> > > > You should check to see if Cisco ever fixed this, though. Maybe they use a stronger authentication method now. I'll see if I can find out.
> > >
> > > They don't seem to have fixed this! Unbelievable. It's a gaping hole (although to exploit it you have to have access to the LAN).
> > >
> > > P.
> > >
> > > ___
> > > Priscilla Oppenheimer
> > > www.troubleshootingnetworks.com
> > > www.priscilla.com
> >
> > Thanks Priscilla. I found it interesting that the security consultants made note of these findings and made a strong recommendation that we fix them. No suggestions on how to do so were offered. I imagine there is a L2 ACL solution or something along those lines. I was hoping for something clean, but I guess it's time to earn our paycheck.
> >
> > Regards,
> > Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61821t=61796
RE: NT4.0 password crack tool [7:61807]
I have no idea if these work, but...

Try this: LC4 demo (formerly L0phtCrack)
http://www.atstake.com/research/lc/download.html

or this: LC3 L0phtCrack 3.02
http://www.atstake.com/research/lc3/application/lc3setup02.exe

-----Original Message-----
From: Kazan, Naim [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 4:37 PM
To: [EMAIL PROTECTED]
Subject: NT4.0 password crack tool [7:61807]

> I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated.
>
> Naim Kazan
> FISC-SDS
> WORK: 201-915-7347
> HOME: 973-492-1466
> CELL: 917-559-0591
> EMAIL: [EMAIL PROTECTED]
> PAGER: 800-759-8352 Pin 1145361

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61822t=61807
RE: How to Block STP, VTP, etc. on Access Ports? [7:61796]
It appears that the Security Consultants then didn't earn their fee. Must be a company run by Dogbert.

Consulting truism: The higher up the chain of command you sell your services, the less you have to know and the higher you can charge.

-----Original Message-----
From: s vermill [mailto:[EMAIL PROTECTED]]

> Thanks Priscilla. I found it interesting that the security consultants made note of these findings and made a strong recommendation that we fix them. No suggestions on how to do so were offered. I imagine there is a L2 ACL solution or something along those lines. I was hoping for something clean, but I guess it's time to earn our paycheck.
>
> Regards,
> Scott

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61824t=61796
OSPF to Internet Q [7:61823]
I have an OSPF network, and I have my Internet connections. Do I:

ASBR where traffic goes from area 0 to the Internet

or

ASBR where traffic goes to an area x then to the Internet?

This was never clear to me from my reading.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61823t=61823
RE: Microsoft Exchange/UMS and Firewall [7:61747]
Does your Checkpoint licensing support VPN? If so, it is very easy to build a secure tunnel between sites that is encrypted. If you send me the feature portion of the licensing string I can tell you if it supports encryption.

-----Original Message-----
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: Microsoft Exchange/UMS and Firewall [7:61747]

> Exchange will use 135 to discover (portmapper) and then use dynamically assigned ports for the actual conversations. Your best bet is to statically map the ports in Exchange and then you don't have a moving target from the firewall point of view.
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;155831
> http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b194952
>
> The other option (not a good one IMHO) is to open 135 only to the Exchange host and then leave a range of ports open to that host as well.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 23, 2003 9:04 PM
> To: [EMAIL PROTECTED]
> Subject: Microsoft Exchange/UMS and Firewall [7:61747]
>
> > Hi All,
> >
> > Need your advice on the following situation: I have an Active Voice Unified Messaging System at Location A, and a Microsoft Exchange Server at Location B. Both Location A and B are protected by Checkpoint firewalls. Please advise how the firewall should be configured such that it will allow MAPI to be used between these two sites.
> >
> > Thanks a lot in advance!
> > Maurice

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61825t=61747
Read Administering QoS in Cisco IP Networks? [7:61826]
I've offered my opinion on the Cisco Press title on QoS on more than one occasion. Anyone care to offer their own on the above title from Syngress? I've not yet finished chapter 1 and I already have suspicions. And why such extensive coverage of EIGRP (something like 70 or 80 pages)? I wasn't aware that EIGRP was so QoS-capable that it would deserve such a showcasing. QoS coverage doesn't even begin until around page 120.

I would also be very grateful for any suggestions. I see that CP is coming out with a new title but no release date (actually, it isn't even mentioned on the CP website but it's listed as pending on barnesandnoble.com). I see that Sybex has a CCIP QoS / multicast study guide, but I've never been a huge fan of Sybex. Maybe this one is worthwhile?

Thanks all.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61826t=61826
Broadcast keyword in subinterface [7:61829]
Hi all,

Can anybody explain to me: when I use the broadcast keyword on a subinterface (frame-relay interface-dlci 16 broadcast) and I have only static routing, will it affect that? I read that it is used only for OSPF to pass broadcasts if multicasting is disabled. But in a scenario where I have no dynamic routing and give this command, what will happen? Will it pass unknown broadcasts on frame-relay? Moreover, exactly how is it used on point-to-point subinterfaces?

Thanks a lot in advance--:)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61829t=61829
Simple Question [7:61830]
I have a simple question. I am confused about hearing about these three things:
1) IOS-BASED SWITCHES
2) CLI-BASED SWITCHES
3) SET-BASED SWITCHES

Now, can somebody very accurately classify what these mean and categorise the common switches into the three groups? I'm not even sure if there are 3 groups or only 2. If it's 2, then it means that two of the above groups mean one and the same.

Thank You
Bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61830t=61830
RE: OSPF to Internet Q [7:61823]
I'm afraid your question isn't clear. By definition, an ASBR connects two unlike networks, one that is running OSPF and one that isn't. So, the ASBR will connect to the Internet in your example.

Steve Ringley wrote:
> I have an OSPF network, and I have my Internet connections. Do I:
>
> ASBR where traffic goes from area 0 to the Internet

Is that where your Internet connection is? In area 0? Often, it is, and that's where your ASBR will be.

> or
>
> ASBR where traffic goes to an area x then to the Internet?

Goes from where to an Area x and then to the Internet?? This is where your question gets unclear. But if you are considering putting an ASBR between Area x and Area 0, then that doesn't make sense. It's not an ASBR because it's connecting two OSPF networks. If your Internet connection is in Area X, you will have an ASBR that connects the OSPF world to the Internet, sitting on the edge of Area X.

Are you asking if the ASBR should be in Area 0? I think the answer is yes, if it can, but sometimes that's simply not possible on large internetworks with multiple egress points.

If I completely missed what you're getting at, sorry!

Priscilla

> This was never clear to me from my reading.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61831t=61823
Re: Simple Question [7:61830]
I believe #2=#3

hope that helps!

Bill wrote in message news:[EMAIL PROTECTED]...
> I have a simple question. I am confused about hearing about these three things:
> 1) IOS-BASED SWITCHES
> 2) CLI-BASED SWITCHES
> 3) SET-BASED SWITCHES
>
> Now, can somebody very accurately classify what these mean and categorise the common switches into the three groups? I'm not even sure if there are 3 groups or only 2. If it's 2, then it means that two of the above groups mean one and the same.
>
> Thank You
> Bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61832t=61830
RE: Simple Question [7:61830]
Nope, #1=#2

-----Original Message-----
From: Charles [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 5:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Simple Question [7:61830]

> I believe #2=#3
>
> hope that helps!
>
> Bill wrote in message news:[EMAIL PROTECTED]...
> > I have a simple question. I am confused about hearing about these three things:
> > 1) IOS-BASED SWITCHES
> > 2) CLI-BASED SWITCHES
> > 3) SET-BASED SWITCHES
> >
> > Now, can somebody very accurately classify what these mean and categorise the common switches into the three groups? I'm not even sure if there are 3 groups or only 2. If it's 2, then it means that two of the above groups mean one and the same.
> >
> > Thank You
> > Bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61834t=61830
Re: Simple Question [7:61830]
The grouping is:

IOS based switches, which are CLI commands.
Set based switches, which are CLI as well...

CLI means it is config'd on a command line as opposed to a menu or GUI.

4000, 5000 and 6000 chassis based switches are set based or CatOS switches. 29xx, 35xx switches are IOS/CLI based; interfaces are configured similar to routers.

Larry Letterman
Network Engineer
Cisco Systems

----- Original Message -----
From: Bill
To:
Sent: Friday, January 24, 2003 5:18 PM
Subject: Simple Question [7:61830]

> I have a simple question. I am confused about hearing about these three things:
> 1) IOS-BASED SWITCHES
> 2) CLI-BASED SWITCHES
> 3) SET-BASED SWITCHES
>
> Now, can somebody very accurately classify what these mean and categorise the common switches into the three groups? I'm not even sure if there are 3 groups or only 2. If it's 2, then it means that two of the above groups mean one and the same.
>
> Thank You
> Bill
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61835t=61830
Virtual-Token Ring Interface [7:61836]
Team,

Is there a way to assign an IP address to a Virtual Token Ring Interface? I want to simulate some Token Ring networks.

Thanks,
Juan Blanco

The greatest glory in living lies not in never falling, but in rising every time we fall. -- Nelson Mandela

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61836t=61836
password recovery for ATM Light Stream LS 100 [7:61838]
Does anyone know the procedure for doing the password recovery on an ATM LightStream LS 100? Any help is appreciated. Can't find any link on CCO.

Xy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61838t=61838