Re: Help with pix firewall logging [7:61902]
Hello,

I think you did not open the port on the pix to send log information to the server. When you install the PFSS software it shows what ports it is using on TCP and UDP; check it and modify this command on the pix:

    logging host inside 192.168.11.254 tcp/<the port number>

By default it uses 1468 but sometimes it uses 1470, so confirm the port number and configure it. I think it will work.

Bye
Usman Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61943t=61902
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: How to stop SYN Flood with Pix firewall? [7:61891]
If it wasn't for those Crappy Windows machines, we would have jobs.

-Original Message-
From: d tran [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 9:18 PM
To: [EMAIL PROTECTED]
Subject: Re: How to stop SYN Flood with Pix firewall? [7:61891]

I am not sure how many packets/sec hping2 generates, but I don't think 100BaseT was saturated because the whole thing is connected to a Cisco 2924-XL Enterprise switch (running 12.05(T) IOS). Furthermore, while machines on the 172.16.1.0/24 network have problems connecting to the linux web server via the NATed address 172.16.1.71, they have NO problems surfing the Internet or any other network. In fact, I am writing you this email as my other two linux servers are sending a SYN flood to the web server and the CPU on the Pix firewall is at 99%.

You wouldn't have to fight the udp 1434 problem had you decided to scrap the shitty MS SQL server, running on a crappy Windows machine, and replace it with MySQL (freeware) or real commercial database products like Oracle, running on a Linux platform. Enjoy fighting udp 1434. LOL

DT

Przemyslaw Karwasiecki wrote:

How many packets per second does hping2 generate? If it saturates 100BaseT, maybe you have just reached the performance limit of the PIX520? I am not trying to say that PIX will not handle traffic in the proximity of 150,000-200,000 pps. I simply don't know that. But if it needs to analyze 150,000 SYN packets per second, I can easily imagine that it will crawl.

BTW -- very interesting experiment.

Przemek (fighting with udp 1434 now)

On Sat, 2003-01-25 at 16:40, d tran wrote:

Guys,

I have the following scenario: I have a pix 520 firewall (750MHz with 512MB of RAM) in the lab. The inside interface is 10.100.0.254/24 and the outside interface is 172.16.1.253/24. I have a linux server residing on the inside network with IP 10.100.0.71 running Apache Server and it is NATed to the outside with IP 172.16.1.71. I would like to make this web server available to the outside world.

My pix configuration looks like this:

    static (inside,outside) 172.16.1.71 10.100.0.71
    access-list 100 permit tcp any host 172.16.1.71 eq 80
    access-list 100 deny ip any any
    access-group 100 in interface outside
    floodguard enable

Now on the outside network I have two linux servers (172.16.1.67 and 172.16.1.7) running the hping2 program, which is capable of generating a lot of SYN connections to address 172.16.1.71. Now, when I run the hping2 program, I am seeing the cpu utilization on the firewall reaching 99% like this:

    pix1(config)# sh cpu usage
    CPU utilization for 5 seconds = 99%; 1 minute: 98%; 5 minutes: 98%

However, the connection count is less than 200:

    pix1(config)# sh conn count
    125 in use, 7926 most used

Other machines on the 172.16.1.0/24 network have problems reaching the webserver, 172.16.1.71, when hping2 is bombarding the webserver with a SYN Flood.

Fair enough, I decided to modify the static to limit both the maximum connections and half-open connections to 500 and 250, respectively, as follows:

    static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250

and I do clear xlate after that. That didn't help. The cpu utilization is still 99% and machines on the outside network still have problems accessing the website.

My question is this. How do I defend against a SYN flood like this? From what I've heard, Cisco Pix has an improved TCP intercept to defend against SYN attacks. Why is it not working in my case? To make the matter worse, the CPU also reaches 99% when hping2 SYN floods port 22 even though the firewall does not allow port 22 to 172.16.1.71.

I am testing with both version 6.2(2) and 6.3(0) build 131 on this Pix520 firewall. I would like to know how to defend against not only SYN floods but also other attacks. It looks to me like Pix is not doing its job.

Regards,
DT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61944t=61891
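The thread turns on what the "500 250" suffix of the static actually limits. The following is an added example (my own code, not from any poster and not PIX code) that models the counting semantics of that line as a plain connection table: at most 500 connections through the static and at most 250 of them embryonic (SYN seen, handshake not completed). The flood source and client addresses are the lab addresses from the post; the traffic itself is constructed. The simplification is labelled in the code: a SYN that arrives over the limit is simply dropped, and whatever the real appliance does with SYNs after the limit is reached is not modelled.

```python
"""Model of the per-static connection limits discussed in the thread.

Added example, not PIX code. It models the counting semantics of
'static (inside,outside) 172.16.1.71 10.100.0.71 255.255.255.255 500 250'
(max 500 connections, max 250 embryonic/half-open) as a plain connection
table. Assumed simplification: a SYN over the limit is simply dropped; the
real appliance's SYN handling after the limit is not modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Flow = Tuple[str, int]  # (client address, client source port) toward the static


@dataclass
class StaticConnTable:
    max_conns: int
    emb_limit: int
    embryonic: Set[Flow] = field(default_factory=set)    # SYN seen, handshake not done
    established: Set[Flow] = field(default_factory=set)  # handshake completed
    stats: Dict[str, int] = field(
        default_factory=lambda: {"syn_seen": 0, "syn_dropped": 0, "completed": 0})

    def total(self) -> int:
        return len(self.embryonic) + len(self.established)

    def on_syn(self, flow: Flow) -> str:
        """A SYN for the static arrives. Every SYN is counted: the device
        still has to look it up even when it ends up dropped."""
        self.stats["syn_seen"] += 1
        if flow in self.embryonic or flow in self.established:
            return "duplicate"
        if self.total() >= self.max_conns or len(self.embryonic) >= self.emb_limit:
            self.stats["syn_dropped"] += 1
            return "dropped"
        self.embryonic.add(flow)
        return "embryonic"

    def on_handshake_done(self, flow: Flow) -> str:
        """Final ACK of the three-way handshake: half-open becomes established."""
        if flow not in self.embryonic:
            return "ignored"
        self.embryonic.remove(flow)
        self.established.add(flow)
        self.stats["completed"] += 1
        return "established"

    def expire_embryonic(self) -> int:
        """Embryonic timeout fires: half-open entries that never completed are dropped."""
        n = len(self.embryonic)
        self.embryonic.clear()
        return n


def simulate(flood_syns: int = 1000, legit_clients: int = 5,
             max_conns: int = 500, emb_limit: int = 250) -> Dict[str, int]:
    """Constructed scenario: a burst of SYNs that never complete, then
    legitimate clients that do, before and after the embryonic timeout."""
    table = StaticConnTable(max_conns, emb_limit)

    # Phase 1: constructed flood - one address, many source ports, no ACKs ever.
    for i in range(flood_syns):
        table.on_syn(("172.16.1.67", 1024 + i))
    result = {"flood_half_open": len(table.embryonic)}

    def try_clients(base_port: int) -> int:
        accepted = 0
        for i in range(legit_clients):
            flow = ("172.16.1.50", base_port + i)  # constructed legitimate client
            if table.on_syn(flow) == "embryonic":
                table.on_handshake_done(flow)
                accepted += 1
        return accepted

    # Phase 2: legitimate clients arrive while the half-open table is full.
    result["legit_accepted_during_flood"] = try_clients(40000)
    # Phase 3: the embryonic timer clears the stale entries; clients retry.
    result["expired"] = table.expire_embryonic()
    result["legit_accepted_after_expiry"] = try_clients(41000)

    result.update(table.stats)
    result["established"] = len(table.established)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two things the numbers make visible: the embryonic limit caps the half-open state at 250 and so protects the server's backlog, but legitimate clients that arrive while those 250 slots are held get the same "dropped" answer as the flood until the timer clears them, and every one of the 1010 SYNs is still looked up and counted whether or not it is kept. That is the behaviour the poster reports (limits in place, site still unreachable, CPU still busy), reduced to its bookkeeping.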
R/S Study group in Spain [7:61945]
Hello friends!

I currently have the CCNP certification and am looking forward to getting the CCIE in the next months. I'd love to create a study group in Madrid, Spain. Or, at least in Spain :-). I have a lab, with a Cat5k, several 2500s, an MC3810, etc., accessible via telnet. Anybody here interested?

Best regards,
Francisco Sedano.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61945t=61945
Re: Bandwidth Restriction [7:61916]
hi,

by using a cisco catalyst 3550 switch you can do it .. in 8 K intervals you can adjust the rate limit of a port

Lupi, Guy wrote:

Packeteer makes a great product, the Packetshaper. It works very well, check it out: www.packeteer.com

-Original Message-
From: Chris Headings [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 3:33 PM
To: [EMAIL PROTECTED]
Subject: Bandwidth Restriction [7:61916]

Hey all...

Are there any ISPs out there with co-location clients located in their NOC??? If so, how do you effectively rate-limit their bandwidth? We currently use CAR on our switches/routers to accomplish this task but wondered if there is a better, more manageable way to accomplish this task. Maybe with some other form of hardware?

Regards,
Chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61946t=61916
MPLS Traffic Engineering - 2500 router reset [7:61947]
After the command "tunnel mpls traffic-eng path-option 1 dynamic", the router reloads. The same happens with an explicit path. The following message appears after reload:

    RSVP: must configure RSVP Bandwidth first.

Any idea?

R3

    ip cef
    mpls traffic-eng tunnels
    !
    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
     ip router isis
    !
    interface Serial0
     no ip address
     encapsulation frame-relay
     fair-queue 64 64 64
     ip rsvp signalling dscp 0
    !
    interface Serial0.32 point-to-point
     bandwidth 1000
     ip address 192.168.23.2 255.255.255.0
     ip router isis
     mpls traffic-eng tunnels
     frame-relay interface-dlci 132
     ip rsvp bandwidth 500 500
    !
    interface Tunnel0
     ip unnumbered Loopback0
     tunnel destination 2.2.2.2
     tunnel mode mpls traffic-eng
     tunnel mpls traffic-eng autoroute announce
     tunnel mpls traffic-eng priority 7 7
     tunnel mpls traffic-eng bandwidth 100
    !
    router isis
     net 47....0003.00
     is-type level-1
     metric-style wide
     mpls traffic-eng router-id Loopback0
     mpls traffic-eng level-1
    !
    end

R2

    ip cef
    mpls traffic-eng tunnels
    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
     ip router isis
    !
    interface Serial0
     no ip address
     encapsulation frame-relay
     fair-queue 64 64 64
     ip rsvp signalling dscp 0
    !
    interface Serial0.23 point-to-point
     bandwidth 1000
     ip address 192.168.23.1 255.255.255.0
     ip router isis
     mpls traffic-eng tunnels
     frame-relay interface-dlci 123
     ip rsvp bandwidth 500 500
    !
    interface Tunnel0
     ip unnumbered Loopback0
     tunnel destination 3.3.3.3
     tunnel mode mpls traffic-eng
     tunnel mpls traffic-eng autoroute announce
     tunnel mpls traffic-eng priority 7 7
     tunnel mpls traffic-eng bandwidth 100
    !
    router isis
     net 47....0002.00
     is-type level-1
     metric-style wide
     mpls traffic-eng router-id Loopback0
     mpls traffic-eng level-1
    !
    end

    R3(config-if)#tunnel mpls traffic-eng path-option 1 dynamic
    R3(config-if)#
    Buffered messages:
    00:00:06: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
    00:00:06: %LINK-3-UPDOWN: Interface Ethernet1, changed state to up
    00:00:06: %LINK-3-UPDOWN: Interface Serial0, changed state to up
    00:00:06: %LINK-3-UPDOWN: Interface Serial1, changed state to down
    00:00:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
    00:00:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
    00:00:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1, changed state to down
    00:00:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
    00:00:21: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down
    00:00:22: %LINK-5-CHANGED: Interface Ethernet1, changed state to administratively down
    00:00:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
    00:00:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
    00:00:25: %LINK-5-CHANGED: Interface Serial1, changed state to administratively down
    00:00:26: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
    00:00:27: %SYS-5-CONFIG_I: Configured from memory by console
    00:01:12: %SYS-5-RESTART: System restarted --
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-P-L), Experimental Version 12.0(20011017:155337) [rraszuk-New_reorg_oct17 109]
    Copyright (c) 1986-2001 by cisco Systems, Inc.
    Compiled Sat 20-Oct-01 04:12 by rraszuk
    00:03:41: %SYS-5-CONFIG_I: Configured from console by console
    Queued messages:
    System Bootstrap, Version 11.0(10c)XB2, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1998 by cisco Systems
    2500 processor with 14336 Kbytes of main memory
    %SYS-4-CONFIG_NEWER: Configurations from version 12.0 may not be correctly understood.
    %FR-5-DLCICHANGE: Interface Serial0 - DLCI 132 state changed to ACTIVE
    %FR-5-DLCICHANGE: Interface Serial0 - DLCI 134 state changed to ACTIVE
    %FR-5-DLCICHANGE: Interface Serial0 - DLCI 139 state changed to ACTIVE
    F3: 7712092+591256+933136 at 0x360

    Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and
Multipoint/point-to-point (Frame-Relay) [7:61948]
Hi all,

Generally, what is mostly used in customer scenarios, point-to-point or multipoint subinterfaces, while configuring frame-relay? As you know, point-to-point subinterfaces consume a lot of addresses, all different subnets, although ip unnumbered is a way to avoid this (ip unnumbered has the limitation of managing WAN links, which ISPs don't like). But still, what do ISPs prefer to suggest to their customers as of now, point-to-point or multipoint? What is the general trend followed?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61948t=61948
Re: Multipoint/point-to-point (Frame-Relay) [7:61948]
From what I've seen in enterprises, the trend seems to be going towards P2P with subinterfaces, and ip unnumbered when needed, as it implies some troubleshooting constraints. I'm sure you know the issues that arise when using P2M (split horizon must be disabled; if you're using EIGRP the bandwidth command must reflect the lowest CIR of the PVCs used).

I'm sure others will comment on this. Hope the above helps.

Simmi Singla wrote in message news: [EMAIL PROTECTED]

Hi all,

Generally, what is mostly used in customer scenarios, point-to-point or multipoint subinterfaces, while configuring frame-relay? As you know, point-to-point subinterfaces consume a lot of addresses, all different subnets, although ip unnumbered is a way to avoid this (ip unnumbered has the limitation of managing WAN links, which ISPs don't like). But still, what do ISPs prefer to suggest to their customers as of now, point-to-point or multipoint? What is the general trend followed?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61949t=61948
Multicast and RP [7:61950]
Good morning,

I'm working on multicast scenarios at home in preparation for the CCNP switching exam. I feel comfortable and can make most of the concepts work, but I'm having difficulty with the PIM sparse and sparse-dense modes. I have a setup like this:

    Sender --E-- Cat5000 --FE-- 2620 --S-- 2514 --E-- 1912 --E-- Receiver

E stands for Ethernet, FE for fast and S for serial. The sender is a multicast server sending out a stream via Windows Media Server on .Net. The receiver is an XP pro client.

When I configure all the router ports as dense-mode I'm successful connecting to the streaming video from the client. However, when I try using either the sparse or sparse-dense mode, I'm having trouble understanding the RP concept as explained in the CiscoPress books or CCO. Of course the client cannot see the video stream. I know that I have to define an RP server or use AutoRP but I can't quite figure out how. Help?

Richard Burdette

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61950t=61950
RE: Bandwidth Restriction [7:61916]
We have a few of these (ISP models) and they are very good at what they do. Very powerful CLI as well as the HTTP GUI.

J

-Original Message-
From: Lupi, Guy [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Bandwidth Restriction [7:61916]

Packeteer makes a great product, the Packetshaper. It works very well, check it out: www.packeteer.com

-Original Message-
From: Chris Headings [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 3:33 PM
To: [EMAIL PROTECTED]
Subject: Bandwidth Restriction [7:61916]

Hey all...

Are there any ISPs out there with co-location clients located in their NOC??? If so, how do you effectively rate-limit their bandwidth? We currently use CAR on our switches/routers to accomplish this task but wondered if there is a better, more manageable way to accomplish this task. Maybe with some other form of hardware?

Regards,
Chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61951t=61916
RE: Help with pix firewall logging [7:61902]
Thanks everyone for the replies. I have it working now, but what gets me is I have no clue what did it. I took all of the logging info that was posted in my original email off of the pix and put it back on; after doing so it started working.

Usman, I am not using the PFSS software from Cisco; I am using a real syslog server on a FreeBSD box.

Once again thank you for your replies.

-Original Message-
From: Usman Ali [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 4:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Help with pix firewall logging [7:61902]

Hello,

I think you did not open the port on the pix to send log information to the server. When you install the PFSS software it shows what ports it is using on TCP and UDP; check it and modify this command on the pix:

    logging host inside 192.168.11.254 tcp/<the port number>

By default it uses 1468 but sometimes it uses 1470, so confirm the port number and configure it. I think it will work.

Bye
Usman Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61952t=61902
Help,token ring connection without a MAU [7:61953]
hi,

can 2 token ring interfaces be directly connected with a cross cable? I've carefully read the pinout at CCO and made sure it's right, but it did not work. Must I buy a MAU to let them work correctly?

thanks for your help

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61953t=61953
RE: How Much This User Router [7:61939]
New list price is $2325 USD. For used, go to ebay.com and search on Cisco +2511 in the completed auctions. Pay particular attention to auctions with no bids - no buyer was willing to pay the starting price.

-Original Message-
From: Steiven Poh-(Jaring MailBox) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 26, 2003 9:52 PM
To: [EMAIL PROTECTED]
Subject: How Much This User Router [7:61939]

Can anyone tell me how much the router below is used and as a brand new unit?

Thanks

    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS40-L), Version 11.3(11b), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2001 by cisco Systems, Inc.
    Compiled Fri 02-Mar-01 18:47 by cmong
    Image text-base: 0x030383FC, data-base: 0x1000

    ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
    BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

    LOCUG uptime is 2 minutes
    System restarted by power-on
    System image file is flash:c2500-is40-l.113-11b.bin, booted via flash

    cisco 2511 (68030) processor (revision M) with 2048K/2048K bytes of memory.
    Processor board ID 10297453, with hardware revision
    Bridging software.
    X.25 software, Version 3.0.0.
    1 Ethernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    16 terminal line(s)
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read ONLY)

    Configuration register is 0x2102

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61955t=61939
Best online racks and workbooks [7:61956]
Hey all,

I was wanting to get people's feedback as to their opinions on the various CCIE Lab workbooks and online racks. I've heard good things about the IPExpert ($500), but assuming their online e-scenarios are as good as their workbook, it seems the Gold subscription ($400) would give me access to more situations to work through. I've also heard some good things about the CCBootCamp scenarios ($650).

Also, as you probably know, the different online rack places have different things that are good and bad. Some only sell 12 hour blocks, but others charge a lot more per hour than others. Any input on their likes/dislikes would be greatly appreciated.

Thanks!
Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61956t=61956
Re: UPDATE: Looking for Cisco practice rack [7:61630]
www.racktimerentals.com has both ATM and voice.

Shahid

John C wrote:

Thanks for the responses everyone! To those who don't know, here is a list of good Cisco racks that you can use over the net. All of these seem CCIE ready (I'm not sure about true ATM and Voice though; I think ccbootcamp and RouterX were the only ones that had it all - double check this though).

www.ccbootcamp.com
www.cconlinelabs.com
www.fatkid.com
www.racktimerentals.com
www.routerx.com

John C wrote:

Anyone know of a good Cisco practice rack? I haven't seen one that meets my needs for the CCIE. Thx.

Shahid Muhammad Shafi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61942t=61630
VO/IP Study [7:61957]
Guys,

Tell me the best place to learn / certify on VO/IP in the New York City / NJ area.

--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61957t=61957
PBX knowledge for VoIP [7:61958]
Hi Guys,

Need your help. How much PBX knowledge / voice networking knowledge is necessary to be a good VoIP Engineer? Any suggestions on books to go through or any web sites?

Thanks,
neil K.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61958t=61958
RE: Help with pix firewall logging [7:61902]
Elijah,

I would add 'logging buffered debug' and see if you get any error messages in the local log file. You check the local log using 'show log'. You may see traffic being blocked by an ACL.

Secondly, version 6.2(2) does have the packet capture feature. It is too long to go into but check the CCO on how to enable this. I have used it and it works well. Basically you do the following:

1. Define an ACL to capture the traffic you are looking for, in your case any traffic going to the syslog server.
2. Use the 'capture' command, assigning the ACL to an interface and starting the capture.
3. Use the 'show capture' command to see the results.

Hope this helps,
Scott

--- On Sun 01/26, Elijah Savage III wrote:
From: Elijah Savage III [mailto: [EMAIL PROTECTED]]
To: [EMAIL PROTECTED]
Date: Sun, 26 Jan 2003 18:21:10 GMT
Subject: RE: Help with pix firewall logging [7:61902]

As a last resort I did reboot the pix also but still no logging. What am I missing?

-Original Message-
From: Elijah Savage III
Sent: Sunday, January 26, 2003 1:11 PM
To: [EMAIL PROTECTED]
Subject: Help with pix firewall logging [7:61902]

All,

I have a pix running 6.2; it is logging to a freebsd server on the local network. It was logging at one time to syslog no problem, but all of a sudden it stopped and I can't get it working. Here is the logging config. I turned up logging to see if it would help, and nothing. Yes, I am sure syslog is running on the box; if I do a tcpdump on the freebsd server I see nothing coming from the pix.

    logging on
    logging timestamp
    logging trap warnings
    logging history debugging
    logging facility 23
    logging host inside 192.168.11.254

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61959t=61902
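Scott's first step is to turn on the buffered log and read it for ACL denies. The script below is an added example (my own, not from the thread and not a Cisco tool) that does that reading for you: it recognises the two PIX deny message formats, 106023 ("Deny ... by access-group") and 106006 ("Deny inbound ... on interface"), and reports any deny whose destination is the syslog host on a syslog port. The 'show log' excerpt it runs over is constructed; only the server address 192.168.11.254 and the alternative ports 1468/1470 come from the thread, and the other addresses, interface names and ACL names are made up for the sample.

```python
"""Scan PIX buffered-log lines for ACL denies that hit the syslog server.

Added example, not from the post and not from Cisco. After
'logging buffered debug', 'show log' prints lines like the constructed
ones below; this pulls out the 106023 ("Deny ... by access-group") and
106006 ("Deny inbound ...") messages and reports any whose destination is
the syslog host on a syslog port. Apart from 192.168.11.254 (the server in
the thread) every address, ACL name and timestamp here is made up.
"""
import re
from typing import Dict, Iterable, List, Optional

ACL_DENY_RE = re.compile(
    r'%PIX-(?P<sev>\d)-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')

INBOUND_DENY_RE = re.compile(
    r'%PIX-(?P<sev>\d)-106006: Deny inbound (?P<proto>\w+) '
    r'from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) on interface (?P<src_if>\w+)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a deny message, or None for any other line."""
    for msg_id, rx in (("106023", ACL_DENY_RE), ("106006", INBOUND_DENY_RE)):
        m = rx.search(line)  # search, not match: a timestamp precedes the %PIX tag
        if m:
            rec = m.groupdict()
            rec["msg_id"] = msg_id
            rec["proto"] = rec["proto"].lower()  # 106006 prints "UDP", 106023 prints "udp"
            return rec
    return None


def find_blocked(lines: Iterable[str], syslog_host: str,
                 syslog_ports=(514,)) -> List[Dict[str, str]]:
    """Deny records whose destination is the syslog host on one of the given ports."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst_ip"] == syslog_host and int(rec["dst_port"]) in syslog_ports:
            hits.append(rec)
    return hits


# Constructed 'show log' excerpt; not real output from the poster's PIX.
SAMPLE_LOG = """\
Jan 27 2003 10:15:02: %PIX-5-111008: User 'enable_15' executed the 'logging host inside 192.168.11.254' command.
Jan 27 2003 10:15:09: %PIX-4-106023: Deny udp src dmz:192.168.20.5/1036 dst inside:192.168.11.254/514 by access-group "dmz_in"
Jan 27 2003 10:15:11: %PIX-4-106023: Deny tcp src outside:198.51.100.7/4412 dst outside:203.0.113.10/22 by access-group "outside_in"
Jan 27 2003 10:15:14: %PIX-2-106006: Deny inbound UDP from 192.168.20.9/40000 to 192.168.11.254/514 on interface dmz
Jan 27 2003 10:15:20: %PIX-4-106023: Deny tcp src dmz:192.168.20.5/1040 dst inside:192.168.11.254/1468 by access-group "dmz_in"
""".splitlines()


def report(syslog_host: str = "192.168.11.254", ports=(514, 1468, 1470)) -> List[str]:
    """One readable line per blocked syslog packet found in SAMPLE_LOG."""
    return [f'{r["msg_id"]} {r["proto"]} {r["src_ip"]}/{r["src_port"]} -> '
            f'{r["dst_ip"]}/{r["dst_port"]} (acl={r.get("acl", "-")}, in={r["src_if"]})'
            for r in find_blocked(SAMPLE_LOG, syslog_host, ports)]


if __name__ == "__main__":
    print("\n".join(report()))
```

The port tuple defaults to UDP 514 plus the two TCP ports Usman mentions, so the same scan covers both a UDP syslog host and a 'logging host ... tcp/<port>' configuration. Feed it the output of 'show log' (or a file saved from it) in place of SAMPLE_LOG; lines it does not recognise are skipped rather than misparsed.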
RE: VO/IP Study [7:61957]
Curious,

The following will be a start for your goal..

CIPT 9E0-402
Cisco IP Telephony by ciscopress - David Lovell
Cisco IP Telephony Network Design Guide
http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/network/
Cisco IP Telephony Solution Guide
http://www.cisco.com/warp/public/788/solution_guide/index.html

DQoS 9E0-601
DQoS is all QoS, pretty straightforward. Hands-on experience helped quite a bit. There is a QoS book from Cisco Press; the book is a few years old and is poorly laid out. The IOS 12.2 QoS guide follows the exam blueprint pretty closely and is a great reference.
Cisco AVVID QoS Guide
http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/avvidqos/index.htm
Cisco IOS QoS Solutions Guide 12.2
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/

CVOICE 9E0-423
Cisco Voice over Frame Relay, ATM and IP by ciscopress - Steve McQuerry
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/voice_c/vcprt1/index.htm

Be aware that for this kind of certification you need to find as many pdfs as possible related to the topic, because the technology is still going through many changes.

The order of taking the tests that I recommend is the following: DQoS --- CVOICE --- CIPT

Good luck,
Juan Blanco

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: VO/IP Study [7:61957]

Guys,

Tell me the best place to learn / certify on VO/IP in the New York City / NJ area.

--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61961t=61957
RE: Multicast and RP [7:61950]
Richard Burdette wrote:

Good morning,

I'm working on multicast scenarios at home in preparation for the CCNP switching exam. I feel comfortable and can make most of the concepts work, but I'm having difficulty with the PIM sparse and sparse-dense modes. I have a setup like this:

    Sender --E-- Cat5000 --FE-- 2620 --S-- 2514 --E-- 1912 --E-- Receiver

E stands for Ethernet, FE for fast and S for serial. The sender is a multicast server sending out a stream via Windows Media Server on .Net. The receiver is an XP pro client.

When I configure all the router ports as dense-mode I'm successful connecting to the streaming video from the client. However, when I try using either the sparse or sparse-dense mode, I'm having trouble understanding the RP concept as explained in the CiscoPress books or CCO. Of course the client cannot see the video stream. I know that I have to define an RP server or use AutoRP but I can't quite figure out how. Help?

Richard Burdette

It's easier than you think. Every Sparse Mode router needs to know the RP. So on your 2514, you need 'ip pim rp-address x.x.x.x' where x.x.x.x is the address of your 2620. The 2620 needs the same command so that it knows it's the RP (I think). Optionally, the 2514 could be the RP. It doesn't matter.

The RP only sets up the initial state. Cisco routers by default join the shortest path tree to the source after receiving the first mcast packet via the shared tree. In your topology, both the shared and shortest path trees are the same, so it doesn't really matter.

All an RP does is allow sources to register their mcast offerings, and allow receivers to find those sources and join the group. Once receivers have joined the group, they can join towards the source directly and the RP is (usually) no longer in the path.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61964t=61950
Re: Multipoint/point-to-point (Frame-Relay) [7:61948]
Hi Juntao,

Thanks for the input. What about the existing Frame-relay networks, do you mean to say that they will be migrating to point-to-point sub-interfaces (networks)? Maybe more input is required from the experts here. Thanks once again. :)

Juntao wrote:

From what I've seen in enterprises, the trend seems to be going towards P2P with subinterfaces, and ip unnumbered when needed, as it implies some troubleshooting constraints. I'm sure you know the issues that arise when using P2M (split horizon must be disabled; if you're using EIGRP the bandwidth command must reflect the lowest CIR of the PVCs used).

I'm sure others will comment on this. Hope the above helps.

Simmi Singla wrote in message news: [EMAIL PROTECTED]

Hi all,

Generally, what is mostly used in customer scenarios, point-to-point or multipoint subinterfaces, while configuring frame-relay? As you know, point-to-point subinterfaces consume a lot of addresses, all different subnets, although ip unnumbered is a way to avoid this (ip unnumbered has the limitation of managing WAN links, which ISPs don't like). But still, what do ISPs prefer to suggest to their customers as of now, point-to-point or multipoint? What is the general trend followed?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61967t=61948
Len Lee/CHI/NTRS is out of the office. [7:61968]
I will be out of the office starting January 27, 2003 and will not return until February 3, 2003.

I will respond to your message when I return. If this is an emergency, please contact Joe Pappalardo at extension 312-444-5365.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61968t=61968
Re: UDP port 1434 [7:61891]
Good points. How much bandwidth goes to some of the remote ATMs? Probably very little. They probably got crunched by the huge number of UDP packets. Of course, better filtering would have prevented that. But there's no need to assume that BoA runs MS-SQL or to worry that private info was compromised, etc. DoS attacks usually have very little to do with privacy compromises.

Not claiming to be a security expert, so just correct me if I'm way off base! :-)

Priscilla

Amazing wrote:

What's amazing are the assumptions that people are making -- who says that BoA servers or any BoA database were compromised? Who says they are even running MS-SQL? Read how the worm is spreading and you will understand that you don't have to be running anything that can be affected by the worm. My guess is that a company with LARGE blocks of routable addresses and probably very high speed connections to the Internet might have bigger problems with this worm, which in effect becomes a denial of service attack on their edge devices even if they are filtering out udp 1494 at the edge. Take a look at the post by Ken and observe what is happening to the CPU of one of his router blades.

I definitely agree with your comment about the security con artist comparison to the y2k consultants.

l0stbyte wrote in message news:[EMAIL PROTECTED]...

The dumb butts are allowing access to SQL from public networks. How difficult is it to filter stuff out? SQL boxes should be on private networks, no routes to public, second or third tier, etc. Y2K all over... This time in the security business. Bunch of con artists claiming to be security experts.

Cheers...

P.S. There was a news clip that BofA networks were affected. This is scary.

l0stbyte

Symon Thurlow wrote:

Cheers,
Symon

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: 26 January 2003 20:02
To: [EMAIL PROTECTED]
Subject: UDP port 1434 [7:61891]

d tran wrote:

You wouldn't have to fight the udp 1434 problem had you decided to scrap the shitty MS SQL server, running on a crappy Windows machine, and replace it with MySQL (freeware) or real commercial database products like Oracle, running on a Linux platform. Enjoy fighting udp 1434. LOL

DT

I don't think that's true. He could have been a victim of other people running Windows SQL Server 2000. From what I understand about the worm, it not only replicated itself to other unpatched systems, but it sent gazillions of packets to random IP addresses on port 1434. Many ISPs and companies were affected by it, not just the dumb butts who don't patch their systems.

Here, we didn't seem to be affected by it, though. Maybe because I didn't check until Saturday afternoon? But no complaints came in.

Are others willing to share their experiences? It could be a good learning opportunity. Anyone have a link to a good technical document about the worm?

Thanks,
Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61969t=61891
RE: Multicast and RP [7:61950]
Just before I got your reply, I finally found a document on CCO that explained that I had to have the 'ip pim rp-address ...' configured on both routers, which I did. Now I'm not seeing the earlier problem about not being able to join the Auto-RP router.

As I was seeing before, I can see the multicast entry in the mroute table on the RP server, but it is Pruned by the looks of it and it is not sending out the serial port to the other router... What could it be now?

2620 Mroute

2620#sho ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, s - SSM
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.255.250), 00:18:05/00:03:13, RP 10.1.1.1, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Forward/Sparse-Dense, 00:18:05/00:03:13

(*, 224.0.1.40), 19:06:50/00:00:00, RP 10.1.1.1, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Forward/Sparse-Dense, 00:55:50/00:02:57
    FastEthernet0/0, Forward/Sparse-Dense, 19:06:50/00:02:45

(*, 239.192.47.232), 00:00:04/00:02:59, RP 10.1.1.1, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(10.1.1.2, 239.192.47.232), 00:00:06/00:02:59, flags: PT
  Incoming interface: FastEthernet0/0, RPF nbr 0.0.0.0
  Outgoing interface list: Null

2514 Mroute

2514#sho ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report, s - SSM
Outgoing interface flags: H - Hardware switched
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.255.255.250), 00:19:03/00:01:59, RP 10.1.1.1, flags: SJC
  Incoming interface: Serial0, RPF nbr 20.1.1.1
  Outgoing interface list:
    Ethernet0, Forward/Sparse-Dense, 00:19:03/00:01:59

(*, 224.0.1.40), 00:34:45/00:00:00, RP 10.1.1.1, flags: SJCL
  Incoming interface: Serial0, RPF nbr 20.1.1.1
  Outgoing interface list:
    Ethernet0, Forward/Sparse-Dense, 00:34:45/00:02:03

As you can see the 2620 is aware of the multicast stream from FE0/0, but it's Pruned and it's not putting it out to the 2514?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61970t=61950
Re: UDP port 1434 [7:61891]
Maybe this is a silly question considering where I work, but is it common for huge banks to connect their ATMs to their data centers over the Internet? We certainly don't do that, and wouldn't even consider doing it, so I was surprised that BofA appears to be doing just that. Then again, they probably have twenty times more ATMs than we do, so perhaps they have different issues to be considered.

John

Priscilla Oppenheimer 1/27/03 11:24:42 AM

Good points. How much bandwidth goes to some of the remote ATMs? Probably very little. They probably got crunched by the huge number of UDP packets. Of course, better filtering would have prevented that. But there's no need to assume that BoA runs MS-SQL or to worry that private info was compromised, etc. DoS attacks usually have very little to do with privacy compromises.

Not claiming to be a security expert, so just correct me if I'm way off base! :-)

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61971t=61891
RE: Multicast and RP [7:61950]
Richard Burdette wrote:

Just before I got your reply, I finally found a document on CCO that explained that I had to have the 'ip pim rp-address ...' configured on both routers, which I did. Now I'm not seeing the earlier problem about not being able to join the Auto-RP router.

Unless you are interested in practicing with Auto-RP, I would just turn it off. It certainly isn't necessary or beneficial in your configuration. Static RP will do just fine. I would remove any Auto-RP config from both routers (at the very least until you get things working statically).

As I was seeing before, I can see the multicast entry in the mroute table on the RP server, but it is Pruned by the looks of it and it is not sending out the serial port to the other router... What could it be now?

It would help if we knew the IP scheme of your setup. Maybe even configs. But start with static RP and see what that does for you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61972t=61950
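What the two tables in this thread actually say, as an added reading rather than anything either poster wrote: the 2514 holds (*,G) state only for 239.255.255.250 and 224.0.1.40, so no PIM Join for 239.192.47.232 ever reaches the RP over Serial0/0. With nothing in the outgoing interface list, the RP keeps the shared-tree entry for that group with a Null OIL and prunes the registered source's (S,G) (flags PT), so the stream stays on FastEthernet0/0. The script below is this example's own parser (not code from the thread) over the mroute text from Richard's post; for each entry on the RP it reports whether the entry is pruned and which other router has joined the group. It assumes the router names 2620 and 2514 label the two tables and trims the flag legend.

```python
"""Parse 'show ip mroute' output from two PIM routers and explain why the RP
holds a Pruned (S,G) entry with a Null outgoing interface list.

Added example, not code from the thread. The mroute text is copied from
Richard Burdette's post (flag legend trimmed); parser and checks are this
example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "(*, 239.255.255.250), 00:18:05/00:03:13, RP 10.1.1.1, flags: S"
# "(10.1.1.2, 239.192.47.232), 00:00:06/00:02:59, flags: PT"
ENTRY_RE = re.compile(
    r"^\((?P<src>\*|[\d.]+), (?P<grp>[\d.]+)\), \S+, (?:RP (?P<rp>[\d.]+), )?flags: (?P<flags>\w*)$"
)

MROUTE_2620 = """\
2620#sho ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT
Timers: Uptime/Expires

(*, 239.255.255.250), 00:18:05/00:03:13, RP 10.1.1.1, flags: S
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Forward/Sparse-Dense, 00:18:05/00:03:13

(*, 224.0.1.40), 19:06:50/00:00:00, RP 10.1.1.1, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    Serial0/0, Forward/Sparse-Dense, 00:55:50/00:02:57
    FastEthernet0/0, Forward/Sparse-Dense, 19:06:50/00:02:45

(*, 239.192.47.232), 00:00:04/00:02:59, RP 10.1.1.1, flags: SP
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list: Null

(10.1.1.2, 239.192.47.232), 00:00:06/00:02:59, flags: PT
  Incoming interface: FastEthernet0/0, RPF nbr 0.0.0.0
  Outgoing interface list: Null
"""

MROUTE_2514 = """\
2514#sho ip mroute
IP Multicast Routing Table

(*, 239.255.255.250), 00:19:03/00:01:59, RP 10.1.1.1, flags: SJC
  Incoming interface: Serial0, RPF nbr 20.1.1.1
  Outgoing interface list:
    Ethernet0, Forward/Sparse-Dense, 00:19:03/00:01:59

(*, 224.0.1.40), 00:34:45/00:00:00, RP 10.1.1.1, flags: SJCL
  Incoming interface: Serial0, RPF nbr 20.1.1.1
  Outgoing interface list:
    Ethernet0, Forward/Sparse-Dense, 00:34:45/00:02:03
"""


@dataclass
class MrouteEntry:
    source: str                 # "*" for a shared-tree (*,G) entry
    group: str
    flags: str
    rp: str | None = None
    iif: str | None = None
    oil: list[str] = field(default_factory=list)

    @property
    def pruned(self) -> bool:
        # The P flag and an empty OIL say the same thing: nobody downstream wants G.
        return "P" in self.flags or not self.oil


def parse_mroute(text: str) -> list[MrouteEntry]:
    entries: list[MrouteEntry] = []
    cur: MrouteEntry | None = None
    in_oil = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            cur = MrouteEntry(m["src"], m["grp"], m["flags"], m["rp"])
            entries.append(cur)
            in_oil = False
        elif cur is None or not line:
            in_oil = False
        elif line.startswith("Incoming interface:"):
            cur.iif = line.split(":", 1)[1].split(",")[0].strip()
            in_oil = False
        elif line.startswith("Outgoing interface list:"):
            # "Outgoing interface list: Null" is an empty list; a bare header is
            # followed by one indented line per outgoing interface.
            in_oil = line.split(":", 1)[1].strip() == ""
        elif in_oil:
            cur.oil.append(line.split(",")[0].strip())
    return entries


def explain_prunes(tables: dict[str, str], rp_name: str) -> dict[tuple[str, str], dict]:
    """For each entry on the RP, report whether it is pruned and which other
    routers hold a (*,G) for the same group with a non-empty OIL, i.e. have a
    receiver (or a joined branch) for it."""
    parsed = {name: parse_mroute(text) for name, text in tables.items()}
    report = {}
    for e in parsed[rp_name]:
        joined = sorted(name for name, ents in parsed.items() if name != rp_name
                        and any(x.group == e.group and x.oil for x in ents))
        report[(e.source, e.group)] = {"pruned": e.pruned, "oil": e.oil, "joined_downstream": joined}
    return report


if __name__ == "__main__":
    for (src, grp), r in explain_prunes({"2620": MROUTE_2620, "2514": MROUTE_2514}, "2620").items():
        state = "PRUNED" if r["pruned"] else "forwarding"
        print(f"({src}, {grp}): {state}, OIL={r['oil'] or 'Null'}, "
              f"joined downstream: {r['joined_downstream'] or 'none'}")
```

Run against the two tables, only the two 239.192.47.232 entries come back pruned, and neither has a downstream router that joined the group. The check that follows from that is on the 2514 side: confirm a host on Ethernet0 has actually reported membership in 239.192.47.232 (show ip igmp groups), because until a (*,G) with a non-empty OIL exists there, the 2514 has no reason to send a Join toward the RP.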
Re: Multipoint/point-to-point (Frame-Relay) [7:61948]
actually, what i meant to say is, the coworkers and i, when we had projects where the output design comes out to be either P2M or P2P on subints, we usually choose the latter. if a corp already has P2M, then i would think that whoever designed the net had enough good reasons that outweighed the benefits of P2P with subints. u know sub ints came as another resolution to the issues of P2M.

Simmi Singla wrote in message news: [EMAIL PROTECTED]

Hi Juntao,

Thanx for the input. what about the existing Frame-relay networks? u mean to say that they will be migrating to point-point sub-interfaces (networks)? Might be more input is required from experts here. Thanx once again. :)

Juntao wrote:

from what i've seen in enterprises, the trend seems to be going towards P2P with sub interfaces and ip unnumbered when needed, as it implies some trouble shooting constraints. i'm sure u know the issues that imply when using P2M (split horizon must be disabled; if you're using EIGRP the bandwidth command must reflect the lowest cir of the pvc's used.) i'm sure others will comment on this. hope the above helps

Simmi Singla wrote in message news: [EMAIL PROTECTED]

Hi all,

Generally what are mostly used in customer scenarios, point to point or multipoint subinterfaces, while configuring frame-relay? As U know all point-to-point sub interfaces consume a lot of addresses, all different subnets, although ip unnumbered is a way to avoid this (ip unnumbered has the limitation of managing wan links which isps don't like). but still, what do isps prefer to suggest to their customers, point to point or multipoint, as of now? what is the general trend followed?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61973t=61948
Re: UDP port 1434 [7:61891]
Well, that's a good point. The UDP traffic jam probably didn't spread out to the edges of the network, where the ATMs are, as I had been thinking. The ATMs probably use private, non-routable addresses (non-routable over the Internet anyway). The bottleneck was probably more in the core of BoA's network. Then again, maybe they do use some sort of VPN solution for their ATMs, but I doubt that.

Well, I better get back to work. The worm is becoming even more of a DoS because so many network engineers are wasting time guessing about its effects, rather than offering the services they should be! Just kidding.

Priscilla

John Neiberger wrote:

Maybe this is a silly question considering where I work, but is it common for huge banks to connect their ATMs to their data centers over the Internet? We certainly don't do that, and wouldn't even consider doing it, so I was surprised that BofA appears to be doing just that. Then again, they probably have twenty times more ATMs than we do, so perhaps they have different issues to be considered.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61975t=61891
Re: UDP port 1434 [7:61891]
No, it is relatively unheard of. Transaction data almost always (and I say that because I cannot categorically say always) travels on dedicated circuits. A lot has been made over this for some reason, and I have not seen an official explanation from BofA. For all I know it could have been routine work on BofA's part that knocked them out of service, like a code upgrade or something... we all know THAT never happens... (admittedly it's probably not the case, the timing is too coincidental, but all the facts aren't in yet, or if they are, they haven't been made available as far as I know)

John Neiberger
Sent by: [EMAIL PROTECTED]
01/27/2003 01:51 PM
Please respond to John Neiberger
cc:
Subject: Re: UDP port 1434 [7:61891]

Maybe this is a silly question considering where I work, but is it common for huge banks to connect their ATMs to their data centers over the Internet? We certainly don't do that, and wouldn't even consider doing it, so I was surprised that BofA appears to be doing just that. Then again, they probably have twenty times more ATMs than we do, so perhaps they have different issues to be considered.

John
Re: OSPF to Internet Q [7:61823]
Yes, it is an Internet ASBR, there are others, and its only purpose is to advertise a default route + local DMZ into OSPF. The ASBR would get a default route from BGP. In turn the ISP is advertising a default route via BGP into the outside router. The plan is that if the ISP stops advertising at this point, then the default route advertisement from one of the other ISP connection points will take over. I see it that it really depends on how much equipment is between the real backbone and the ISP connection.

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

At 6:56 PM + 1/26/03, Steve Ringley wrote:

I understand that there are many ways to, umm, do you-know-what to the cat, but what I am looking for is a higher guiding philosophy or rule to use as a foundation to guide the rest of the process. My understanding of the high-level OSPF process is that OSPF wants to route traffic from area a to area b via area 0. This in turn in part is why having destinations like the server farm in area 0 is bad in my mind.

Completely true.

Given that process, should OSPF have an area between area 0 and the ASBR point, or does it internally treat the ASBR as another area, thus meaning the ASBR can be directly with area 0?

Again, it depends on several factors. Is the ASBR going to the Internet? Is there more than one point of connection to the Internet? How much external information are you going to leak into your IGP? Just closest-exit default? Preferential default depending on provider? If you have multiple connection points, what's the cost of internal bandwidth?

IN GENERAL, I put Internet ASBRs in Area 0.0.0.0, but I've also put them elsewhere for policy- and requirement-specific reasons. There really is no general rule for the real world.

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

At 8:56 PM + 1/25/03, Priscilla Oppenheimer wrote:

Steve Ringley wrote:

That is why I am asking the question - it is unclear! Let me try it this way: If we take the textbook Internet setup, we would have:

outside router - BGP
firewall
inside router - OSPF ASBR to BGP
core router - OSPF backbone

On the inside router, would I create an ASBR with area 0 defined on the inside to core connection, or would I create a new OSPF area to define the connection between the inside router and the core router?

Steve, this is rapidly becoming a question not of how the protocol works, but what you are trying to accomplish -- and a number of aspects of how you connect to the Internet, get address space, etc. I agree with Priscilla that there are various ways to do this -- just taking the textbook (well, not MY textbooks *g*) model isn't enough when you have multiple connections.

I think you could do either one. Your core router connects (downwards in your picture) to Area 0 (the OSPF backbone), right? So, does your question boil down to whether the link between the inside router and the core router should be in Area 0 or a new Area? I think you could do it either way.

There are several of these types of connections in the larger network, and there is an expectation that if one of these goes down the OSPF and BGP will figure it out and shift traffic to the working connections.

OSPF should figure out which routes to the ASBRs are up. Your inside routers should inject an ASBR Summary LSA into Area 0 to make sure other routers know about the routes to the ASBRs. I don't think BGP is involved at this point. It sounds like you just run that to the outside world. You'll need to consider how traffic gets back in too. So, this is large-scale design, I'm realizing. You need more help than I can give! :-) Maybe Peter, Howard, Chuck, etc. could pipe in, or maybe do some paid consulting work for you!?

Some of the questions that would need to be answered even to begin a coherent design include:
-- To how many providers do you connect?
-- Do you connect to any provider at more than one point?
-- Does your registered address space come from provider(s), or is it provider-independent?
-- How good is your address plan with respect to area summarization?
-- What is your monetary cost for access to providers as opposed to internal bandwidth inside your network? For example, do you have enough bandwidth that it makes sense to backhaul to a distant provider access point, or should you always take the closest exit?
-- Is the closest exit always the best exit?
-- What are the bandwidths and monetary costs of your provider connections?
-- What are your availability requirements? Cost of downtime, including a breakout of cost for mission-critical applications?

Priscilla

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...

I'm afraid your question isn't clear. By definition, an
RE: Simple Question [7:61830]
It does look like Cisco might be phasing out the set-based interface. The newer sup engines come with the IOS-based interface.

Kristina L. Waters
LAN/WAN Engineer
www.absfirst.com

Many of life's failures are people who did not realize how close they were to success when they gave up. Thomas A. Edison

-----Original Message-----
From: Steve Ringley [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Simple Question [7:61830]

As you have seen from the replies this is rather fluid. Many of the traditionally set-based switches are now getting software updates that convert them to IOS switches. What may be important here, and seems to be missing from the discussion so far, is that my CiscoPress CCNP/DP study material generally equated CLI to Set-Based, not IOS.

Bill wrote in message news:[EMAIL PROTECTED]...

I have a simple question. I am confused about hearing about these three things:
1) IOS-BASED SWITCHES
2) CLI-BASED SWITCHES
3) SET-BASED SWITCHES

Now, can somebody very accurately classify what these mean and categorise the common switches into the three groups? I'm not even sure if there are 3 groups or only 2. If it's 2, then it means that two of the above groups mean one and the same.

Thank You
Bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61978t=61830
RE: UDP port 1434 [7:61891]
One interesting assumption (underline assumption) is that BofA's service providers were partially sharing facilities between their private (ATM/FR) and public (Internet) networks. If that's the case, once the CPU on some of those shared routers/switches went to 100%, BofA's automatic teller machines are going to disappear.

Paul Forbes
Network Engineer
Trimble

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: UDP port 1434 [7:61891]

Maybe this is a silly question considering where I work, but is it common for huge banks to connect their ATMs to their data centers over the Internet? We certainly don't do that, and wouldn't even consider doing it, so I was surprised that BofA appears to be doing just that. Then again, they probably have twenty times more ATMs than we do, so perhaps they have different issues to be considered.

John

Priscilla Oppenheimer 1/27/03 11:24:42 AM

Good points. How much bandwidth goes to some of the remote ATMs? Probably very little. They probably got crunched by the huge number of UDP packets. Of course, better filtering would have prevented that. But there's no need to assume that BoA runs MS-SQL or to worry that private info was compromised, etc. DoS attacks usually have very little to do with privacy compromises.

Not claiming to be a security expert, so just correct me if I'm way off base! :-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61979t=61891
Re: ASBR in backbone area?? [7:61614]
I do not foresee any problems, maybe others do? I just find the design guideline below too strict.

In small networks there may be only one OSPF area, but larger networks typically have more areas. Connections to the Internet or to other external networks like corporate networks tend to be on routers in the edge/distribution layer of the network. Those routers are in OSPF areas different to zero (at least in the OSPF designs I have seen so far). Also Cisco advises to connect 'the Internet' in the distribution layer (in the DCN and CID courses). So for example for designs where three or four core routers are fully meshed in OSPF area 0, and the surrounding distribution layer devices belong to area x, with x/=0, the ASBR will not be connected to area 0.

I also noticed a similar question in the thread called OSPF to Internet.

Eric Brouwers

----- Original Message -----
From:
To: ericbrouwers
Sent: Thursday, January 23, 2003 6:05 PM
Subject: Re: ASBR in backbone area?? [7:61614]

What kind of problem do you see putting the ASBR on the backbone area? Just to think about.

ericbrouwers@groupstudy.com on 22/01/2003 18:45:17
Please reply to ericbrouwers
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: ASBR in backbone area?? [7:61614]

Hi there,

Cisco Press' CCNP Routing Exam Certification Guide advises to place an ASBR in the backbone area (p. 290, chapter 6):

"... If there is any redistribution between other protocols to OSPF on a router, it will be an ASBR. Although you can place this router anywhere in the OSPF hierarchical design, it should reside in the backbone area. Because any traffic leaving the OSPF domain will also likely leave the router's area, it makes sense to place the ASBR in a central location that all traffic leaving its area must traverse..."

I find this a strange design guideline. I would rather prefer to connect an external network to the edge/distribution layer in an OSPF area different to the backbone area. As a consequence redistribution would happen outside the backbone area...

What's your view on this?

Eric Brouwers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61980t=61614
BellSouth DSL /PIX [7:61981]
Is anyone successfully using a PIX to do NAT with BellSouth DSL service? If so can you PLEASE help me with my config?

Steve Smith
Enterprise Engineer
TEKSELL
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61981t=61981
Re: OSPF to Internet Q [7:61823]
Steve,

Yes, it is an Internet ASBR, there are others, and its only purpose is to advertise a default route + local DMZ into OSPF. The ASBR would get a default route from BGP. In turn the ISP is advertising a default route via BGP into the outside router. The plan is that if the ISP stops advertising at this point, then the default route advertisement from one of the other ISP connection points will take over. I see it that it really depends on how much equipment is between the real backbone and the ISP connection.

I had a similar question to yours, see mail below, where a Cisco Press author proposes to connect an (Internet) ASBR to the OSPF backbone area. It's good to hear that there doesn't seem to be a general design guideline... Lots of freedom... ;-)

Eric

----- Original Message -----
From: ericbrouwers
To:
Sent: Monday, January 27, 2003 9:05 PM
Subject: Re: ASBR in backbone area?? [7:61614]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61982t=61823
One arm routing?? with a Cisco 2500 router and a Cisco Catalyst [7:61983]
I am working on a home network lab and I was wondering: is it possible to take my DSL connection and connect it through my switch to my router, then back to my switch via a one-arm routing type setup? I have been playing with it for a couple of days and can't get the VLANs set up and working properly on my switch or router to route the traffic via two VLANs... any thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61983t=61983
Re: OSPF to Internet Q [7:61823]
Yes, it is an Internet ASBR, there are others, and its only purpose is to advertise a default route + local DMZ into OSPF. The ASBR would get a default route from BGP. In turn the ISP is advertising a default route via BGP into the outside router. The plan is that if the ISP stops advertising at this point, then the default route advertisement from one of the other ISP connection points will take over. I see it that it really depends on how much equipment is between the real backbone and the ISP connection.

Can I assume, then, that you only want one active access point at a given time, OR that you want any given area to take the closest default based on OSPF internal cost?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61984t=61823
Inquiring Minds want to know [7:61985]
What kind of problems, if any, will occur if we had a NIC card set to auto-sense along with the Cat port?

Naim Kazan
FISC-SDS
WORK: 201-915-7347 HOME: 973-492-1466 CELL: 917-559-0591 EMAIL: [EMAIL PROTECTED] PAGER: 800-759-8352 Pin 1145361

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61985t=61985
Re: Inquiring Minds want to know [7:61985]
Kazan, Naim wrote: What kind of problems, if any, will occur if we had a NIC card set to auto-sense along with the Cat port?

In principle, none. In practice, you run the risk of a duplex mismatch, where either the NIC or the switch port goes to full duplex, and the other to half.

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61986t=61985
Re: Inquiring Minds want to know [7:61985]
If you have a relatively new NIC with updated drivers, and assuming that both devices conform to the FastEthernet specs, they should autonegotiate to 100Mbps, full duplex.

John

Kazan, Naim 1/27/03 2:23:08 PM: What kind of problems, if any, will occur if we had a NIC card set to auto-sense along with the Cat port?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61987t=61985
Re: One arm routing?? with a Cisco 2500 router and a Cisco [7:61988]
That type of setup should be done with an ISL/Dot1q trunk; I don't believe 2500 routers are capable of that type of function on 10BaseT interfaces... You could however split the DSL connection by aggregating the DSL into one VLAN on the switch, then connecting a crossover to other VLANs. That will allow several networks to use the DSL at the same time, providing you have more than one IP...

Larry Letterman
Network Engineer
Cisco Systems

- Original Message -
From: tafnap
To:
Sent: Monday, January 27, 2003 1:13 PM
Subject: One arm routing?? with a Cisco 2500 router and a Cisco Catalyst [7:61983]

I am working on a home network lab and I was wondering: is it possible to take my DSL connection and connect it through my switch to my router, then back to my switch via a one-arm routing type setup? I have been playing with it for a couple of days and can't get the VLANs set up and working properly on my switch or router to route the traffic via two VLANs... any thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61988t=61988
Re: Inquiring Minds want to know [7:61985]
Exactly. I don't have it off the top of my head, but there's an article on the Cisco site talking about this. Basically, if both ends are autodetect, you should get 100/Full. The main thing to be careful of is when one end is auto and the other is forced to full duplex (regardless of speed). There's a problem with duplex autodetection when the other end is forced, and so the autodetect will default to half, which is fine if the end that's forced is forced to half, but not if it's forced to full. So basically, the main scenario where you can get bit is if one end is auto and the other is forced to full (i.e. you *will* end up with a duplex mismatch). All other situations will resolve themselves properly.

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61989t=61985
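To make the rules in this thread concrete, here is a small model of how a 10/100BaseT link settles speed and duplex; it is an added example, not code from the thread. It follows IEEE 802.3 parallel detection: an autonegotiating port facing a port that does not negotiate senses the speed from the link signalling but cannot learn the duplex, so it falls back to half. It also covers the forced/forced case the thread does not spell out (a speed mismatch leaves the link down), and assumes both ends support 100/full.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    """Configured state of one end of the link (constructed for this example)."""
    auto: bool                    # True = autonegotiation enabled
    speed: Optional[int] = None   # 10 or 100; only meaningful when auto is False
    duplex: Optional[str] = None  # "half" or "full"; only meaningful when auto is False


@dataclass(frozen=True)
class Link:
    """Resolved operating state of both ends."""
    up: bool
    a_speed: Optional[int]
    a_duplex: Optional[str]
    b_speed: Optional[int]
    b_duplex: Optional[str]

    @property
    def duplex_mismatch(self) -> bool:
        # A link that never came up cannot have a duplex mismatch.
        return self.up and self.a_duplex != self.b_duplex


def _against_forced(forced: Port):
    """What an auto port settles on when its peer does not negotiate.

    Parallel detection recovers the speed from 10BASE-T link pulses or
    100BASE-TX idle signalling, but duplex cannot be detected, so the
    standard requires a fallback to half duplex.
    """
    return forced.speed, "half"


def resolve(a: Port, b: Port) -> Link:
    """Resolve the link state for two ports, assuming both can do 100/full."""
    if a.auto and b.auto:
        # Both advertise their abilities; the highest common mode wins.
        return Link(True, 100, "full", 100, "full")
    if a.auto and not b.auto:
        sa, da = _against_forced(b)
        return Link(True, sa, da, b.speed, b.duplex)
    if b.auto and not a.auto:
        sb, db = _against_forced(a)
        return Link(True, a.speed, a.duplex, sb, db)
    # Both forced: a speed mismatch never links up; duplex is whatever was set.
    if a.speed != b.speed:
        return Link(False, a.speed, a.duplex, b.speed, b.duplex)
    return Link(True, a.speed, a.duplex, b.speed, b.duplex)


def describe(a: Port, b: Port) -> str:
    """One-line verdict, handy when checking a NIC against a switch port."""
    link = resolve(a, b)
    if not link.up:
        return "link down (speed mismatch)"
    if link.duplex_mismatch:
        return (f"DUPLEX MISMATCH: A={link.a_speed}/{link.a_duplex} "
                f"B={link.b_speed}/{link.b_duplex}")
    return f"ok: {link.a_speed}/{link.a_duplex} both ends"


if __name__ == "__main__":
    print(describe(Port(auto=True), Port(auto=True)))
    print(describe(Port(auto=True), Port(auto=False, speed=100, duplex="full")))
    print(describe(Port(auto=True), Port(auto=False, speed=100, duplex="half")))
```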
RE: Show me the meaning [7:61787]
Steve Sewa wrote: Drew, H shows you the list of neighbors in the order in which they were learned.

Or should we say the horder in which they were learned? :-)

Seriously, what was Cisco thinking to label a column H with no explanation in any of their documentation what H means. I still can't figure out what it's short for, though thank-you for telling us what the column means. Maybe hierarchy?? Sometimes they take their philosophy of no need to consider user friendliness just a bit too far (see John N.'s rant too). Anyway, thank-you for the information.

Priscilla

Routing TCP/IP Volume 1, Pg. 334.

Regards,
- Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ellis, Andrew
Sent: Saturday, January 25, 2003 11:55 AM
To: [EMAIL PROTECTED]
Subject: Show me the meaning [7:61787]

Hi folks,

In looking at the following, can anyone tell me the meaning of the H (to the left of Address) in this display? I cannot find it on Cisco's website. They explain everything else but that.

Router-1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H   Address         Interface   Hold Uptime    SRTT   RTO  Q  Seq Type
                                (sec)          (ms)       Cnt Num
1   172.20.1.4      Fa10/0/0      10 01:37:56     1   200  0  17
0   172.20.1.3      Fa10/0/0      12 1w0d         1   300  0  10972
3   172.27.10.16    Gi0/0/7       14 8w5d         6   200  0  10979
2   192.192.3.9     Gi0/0/0       10 10w2d       13   200  0  11357

Thanks
Drew

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61974t=61787
RE: NT4.0 password crack tool [7:61807]
Why not use LinNT? ... boot off of a Linux floppy, reset the admin password and boot up with the new password. Since you are (presumably) not trying to be sneaky _and_ you have direct access to the machine, changing the PW should not be a problem, yes? Oh - and it is free, and works with WinNT4 - WinXP.

Thanks!
TJ

-----Original Message-----
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 25, 2003 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

Why do a command line? Just rename user manager to logon.scr and reboot (you'll need NTFSDOS Pro) and in 15 minutes you get user manager with root perms.

Imagination is more important than knowledge
Albert Einstein

-----Original Message-----
From: Juntao [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 24, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: NT4.0 password crack tool [7:61807]

You're talking about NT4 login passwords, the SAM database? L0phtCrack works, it takes a long time though. Sysinternals has tools to log in to the box and change things. You can also change cmd.exe to the default screen saver name; the command line will pop up after a while, after reboot, and change the password with the net user command. If the server or the box is part of the global admin group, I'm sure you know you can change the password or reset it, even just with User Manager for Domains. And there are of course a lot of other things that can be done, depending on your situation. Hope the above helps.

regards

Kazan, Naim wrote in the message news: [EMAIL PROTECTED]

I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated.

Naim Kazan
FISC-SDS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61960t=61807
RADIUS command accounting [7:61990]
I know that for the longest time Cisco didn't support AAA accounting of commands to be sent to a RADIUS server. It was supported via TACACS+ but not RADIUS. I have seen recently that this has changed (in O'Reilly's book on hardening routers and in a couple of different lists). Does anyone have any information on this? Is it true? What is the minimum version of IOS (I have heard 12.2)? Do you need a specific RADIUS server? I know that moving to TACACS+ would fix my problem, but staying with RADIUS would be preferable.

TIA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61990t=61990
RE: can't fix 100 speed on 3550 gigabit switch [7:61933]
The WS-C3550-12T has 10 10/100/1000BaseT ports and 2 GBIC ports; there is no 100 setting on the GBIC. What do you have on the other side that you want to set the speed at 100?

Martijn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Campbell
Sent: Monday, 27 January 2003 2:42
To: [EMAIL PROTECTED]
Subject: can't fix 100 speed on 3550 gigabit switch [7:61933]

Hi.. I found that I can't set my gigabit switch port speed to 100? Why?? How to do it???

cat35-L8-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
cat35-L8-1(config)#int gi0/12
cat35-L8-1(config-if)#speed 100
                              ^
% Invalid input detected at '^' marker.

cat35-L8-1(config-if)#speed ?
  nonegotiate  Do not negotiate speed

cat35-L8-1(config-if)#speed
cat35-L8-1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(6)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 09-Oct-01 21:46 by devgoyal
Image text-base: 0x3000, data-base: 0x00617E14

ROM: Bootstrap program is C3550 boot loader

cat35-L8-1 uptime is 3 weeks, 5 days, 16 hours, 46 minutes
System returned to ROM by power-on
System image file is flash:c3550-i5q3l2-mz.121-6.EA1/c3550-i5q3l2-mz.121-6.EA1.bin

cisco WS-C3550-12T (PowerPC) processor (revision A0) with 65526K/8192K bytes of memory.
Processor board ID FAA0611V022

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61992t=61933
RE: ciscoworks2000 [7:61362]
Try to make the logging source the loopback of your router. But in this case, do you mean CiscoView, or are you trying to get a log from the router? Better check with the router log whether it already catches the SNMP auth request from CiscoWorks. If it doesn't, there is a problem on the server.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of milind tare
Sent: Monday, January 20, 2003 12:58 PM
To: [EMAIL PROTECTED]
Subject: ciscoworks2000 [7:61362]

Hi Cisco buddies, how are you all doing?

I am facing a problem at the time of CiscoWorks2000 installation. I installed CD1 and Campus Manager 3.1, and installed the patch for CD1. At the time of Discovery, Cisco devices are getting unreachable. Trying to discover 6509 3 core switches. 1 core switch is VTP Server and 2 are clients. The Cisco server is connected to a client core. Following is the conf for SNMP:

snmp-server community ro .
snmp-server enable traps
logging on
logging server ip address

Please advise me.. it's very urgent..

Thanks
Regards,
Milind

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61994t=61362
RE: Inquiring Minds want to know [7:61985]
Thank you guys for your help. I did a search on Cisco and came up with a good article.

-----Original Message-----
From: Michael Williams [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 4:52 PM
To: [EMAIL PROTECTED]
Subject: Re: Inquiring Minds want to know [7:61985]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61995t=61985
RE: One arm routing?? with a Cisco 2500 router and a Cisco [7:61997]
You may also want to have a look at this link, NAT on a stick: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

It isn't one-arm routing, but you should be able to connect your DSL to your switch, your router to your switch, and make this work without VLANs while using multiple computers behind it. Let me know if you get it to work; I have never tried it but always wanted to.

-----Original Message-----
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 4:43 PM
To: [EMAIL PROTECTED]
Subject: Re: One arm routing?? with a Cisco 2500 router and a Cisco [7:61988]

- Original Message -
From: tafnap
To:
Sent: Monday, January 27, 2003 1:13 PM
Subject: One arm routing?? with a Cisco 2500 router and a Cisco Catalyst [7:61983]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61997t=61997
RE: Help,token ring connection without mau [7:61954]
ha wrote: Hi, can 2 Token Ring interfaces be directly connected with a crossover cable? I've carefully read the pinout at CCO and made sure it's right, but it did not work. Must I buy a MAU to let them work correctly? Thanks for your help.

Token Ring uses an active repeater, i.e. a MAU. A NIC sends to its downstream neighbor and receives from its upstream neighbor. For this to happen, a relay, i.e. a MAU, must relay the bits. A MAU is basically a set of relays. Well, that's a convoluted way to say you need a MAU. You can probably get one really cheap on e-Bay.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61998t=61954
Internet Access Through Cisco VPN Concentrator? [7:61999]
Just curious. Does anybody know how well the default gateway setting in the Cisco 3005 concentrator works? I want to make sure my VPN clients can access the internet while on VPN by having the concentrator route all the internet traffic through the default gateway.

Thanks!
- Tim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61999t=61999
lab date --- 10/15/2003 [7:62000]
1/27/2003 5:55pm Monday

Has anyone been to the CCIE R/S lab recently who might want to offer some general suggestions on what to study (besides the obvious BGP, ISIS)?

Thanks,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62000t=62000
RE: Internet Access Through Cisco VPN Concentrator? [7:61999]
Yes. Do it all the time. I also use it as a remote office router for other clients on the LAN behind the 3005. It has great built-in NAT functionality (PAT REALLY!). Along with filter lists for security, you're set. But for clients, just enable split tunneling. Let them get to the internet directly. Saves you bandwidth and overhead.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62001t=61999
Re: MPLS Traffic Engineering - 2500 router reset [7:61947]
One of the things you have to do is enable RSVP on all interfaces that will take part in the tunnel... RSVP is used to 'reserve bandwidth for the tunnel' - the tunnel won't come up unless you do this. I think the command is either 'rsvp bandwidth' or 'rsvp-bandwidth'.

wrote in message news:[EMAIL PROTECTED]...

After the command tunnel mpls traffic-eng path-option 1 dynamic, the router reloads. The same happens with an explicit path. The following message appears after reload: RSVP: must configure RSVP Bandwidth first. Any idea?

R3

ip cef
mpls traffic-eng tunnels
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ip router isis
!
interface Serial0
 no ip address
 encapsulation frame-relay
 fair-queue 64 64 64
 ip rsvp signalling dscp 0
!
interface Serial0.32 point-to-point
 bandwidth 1000
 ip address 192.168.23.2 255.255.255.0
 ip router isis
 mpls traffic-eng tunnels
 frame-relay interface-dlci 132
 ip rsvp bandwidth 500 500
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel destination 2.2.2.2
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng priority 7 7
 tunnel mpls traffic-eng bandwidth 100
!
router isis
 net 47....0003.00
 is-type level-1
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-1
!
end

R2

ip cef
mpls traffic-eng tunnels
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip router isis
!
interface Serial0
 no ip address
 encapsulation frame-relay
 fair-queue 64 64 64
 ip rsvp signalling dscp 0
!
interface Serial0.23 point-to-point
 bandwidth 1000
 ip address 192.168.23.1 255.255.255.0
 ip router isis
 mpls traffic-eng tunnels
 frame-relay interface-dlci 123
 ip rsvp bandwidth 500 500
!
interface Tunnel0
 ip unnumbered Loopback0
 tunnel destination 3.3.3.3
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng priority 7 7
 tunnel mpls traffic-eng bandwidth 100
!
router isis
 net 47....0002.00
 is-type level-1
 metric-style wide
 mpls traffic-eng router-id Loopback0
 mpls traffic-eng level-1
!
end

R3(config-if)#tunnel mpls traffic-eng path-option 1 dynamic
R3(config-if)#

Buffered messages:
00:00:06: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
00:00:06: %LINK-3-UPDOWN: Interface Ethernet1, changed state to up
00:00:06: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:00:06: %LINK-3-UPDOWN: Interface Serial1, changed state to down
00:00:07: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
00:00:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up
00:00:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1, changed state to down
00:00:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
00:00:21: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down
00:00:22: %LINK-5-CHANGED: Interface Ethernet1, changed state to administratively down
00:00:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
00:00:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
00:00:25: %LINK-5-CHANGED: Interface Serial1, changed state to administratively down
00:00:26: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
00:00:27: %SYS-5-CONFIG_I: Configured from memory by console
00:01:12: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-P-L), Experimental Version 12.0(20011017:155337) [rraszuk-New_reorg_oct17 109]
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 20-Oct-01 04:12 by rraszuk
00:03:41: %SYS-5-CONFIG_I: Configured from console by console

Queued messages:
System Bootstrap, Version 11.0(10c)XB2, PLATFORM SPECIFIC RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems
2500 processor with 14336 Kbytes of main memory
%SYS-4-CONFIG_NEWER: Configurations from version 12.0 may not be correctly understood.
%FR-5-DLCICHANGE: Interface Serial0 - DLCI 132 state changed to ACTIVE
Re: Help,token ring connection without mau [7:61954]
Not to mention that a TR card goes through a lobe test before attempting insertion into the ring. The lobe test is effectively a loopback at the MAU; a crossover cannot do this.

rgds
Marc

Priscilla Oppenheimer wrote: (reply to ha's question about connecting two Token Ring interfaces with a crossover cable, quoted above)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62003t=61954
Just want to know [7:62004]
Lots of customers have been hit by the SQL 2 virus regardless of having a PIX in their networks. I am just curious: if by default all packets are denied from outside to inside unless one opens it manually through conduit/access-list, what good is it to apply an access-list to block such ports as 1433 and 1434?

2) Shouldn't these ports be disabled by default, since traffic is coming from outside? If they are, then how did the virus enter the network?

Please shed some light.

Teza

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62004t=62004
RE: RADIUS command accounting [7:62005]
I am using RADIUS and TACACS in different environments. The RADIUS environments include PIX 525's and 535's with 6.2.2(100) code. Some of the PIXes are passing the authentication, authorization and accounting to Vacman (Vasco), and the rest to a Cisco ACS server (which proxies the authentication to a RADIUS server). The accounting commands on the PIXes point to the ACS and Vacman servers. On these servers we are logging the accounting data.

The management for the network gear is set up for AAA using TACACS to an ACS server. This is so much easier to set up than RADIUS.

Hope this helps.

-----Original Message-----
From: Jim Newton [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 4:07 PM
To: Ccielab; Group Study
Subject: RADIUS command accounting
RE: Just want to know [7:62004]
Azhar Teza wrote: Lots of customers have been hit by the SQL 2 virus regardless of having a PIX in their networks. I am just curious: if by default all packets are denied from outside to inside unless one opens it manually through conduit/access-list, what good is it to apply an access-list to block such ports as 1433 and 1434? 2) Shouldn't these ports be disabled by default, since traffic is coming from outside? If they are, then how did the virus enter the network?

The virus might not have entered their network, but a huge amount of incoming traffic to port 1434 could have completely congested their Internet link and caused the PIX to have very high CPU utilization.

Priscilla

Please shed some light.

Teza

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62006t=62004
why I can't assign an ip address to virtual-TokenR [7:62007]
Hi. Now I am doing a test. The test router is a Cisco 2611XM; I upgraded the IOS. But why can't I assign an IP address to virtual-TokenRing 0?

test(config)#inter virtual-TokenRing 0
test(config-if)#ip add
test(config-if)#ip address 17
17:46:26: %LINK-3-UPDOWN: Interface Virtual-TokenRing0, changed state to up
17:46:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-TokenRing0, changed state to up
test(config-if)#ip address 192.168.1.1 255.255.255.0
% IP addresses may not be configured on a Virtual-TokenRing interface.
test(config-if)#

BTW, the show version is as below.

test#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.1(14), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 25-Mar-02 23:18 by kellythw
Image text-base: 0x80008088, data-base: 0x80E4DE34

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

test uptime is 17 hours, 49 minutes
System returned to ROM by power-on
System image file is flash:c2600-do3s-mz.121-14.bin

cisco 2611XM (MPC860) processor (revision 0x100) with 29696K/3072K bytes of memory.
Processor board ID xxx
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

thx.
softmap

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62007t=62007
must I have aaa server to configure SSH on PIX? [7:62008]
Hi.. I want to configure SSH on a PIX 515 which has DES enabled. I saw the configuration as follows. But the problem is I don't have the AAA server in my network. Can I still implement SSH without an AAA server? I configured it without the aaa command lines, but it doesn't work. How should I do it? Thanks a lot..!!

pix#conf t
pix(config)#
pix(config)#domain-name domain_name
pix(config)#ca generate rsa key 1024
pix(config)# ca save all
pix(config)# ssh ip_address subnet_mask interface
pix(config)# aaa-server RadiusServer_name (inside) host ip_address MySecure   --aaa
pix(config)# aaa-server RadiusServer_name protocol radius                    ---aaa
pix(config)# aaa authentication ssh console RadiusServer_name                ---aaa
Pix(config)# exit

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62008t=62008
Re: UDP port 1434 [7:61891]
John Neiberger wrote in message news:[EMAIL PROTECTED]...

Maybe this is a silly question considering where I work, but is it common for huge banks to connect their ATMs to their data centers over the Internet? We certainly don't do that, and wouldn't even consider doing it, so I was surprised that BofA appears to be doing just that. Then again, they probably have twenty times more ATMs than we do, so perhaps they have different issues to be considered.

Well, let's apply some logic and reason to what we know about the Sapphire worm and the BOA situation. Sapphire is launched from compromised Microsoft SQL servers. The attack consists of generating IP traffic using UDP port 1434. The traffic consists of the inquiries to what is described as pseudo-random IP addresses, and the ICMP replies to the traffic inquiries.

Knowing these things, we might guess that BOA, like many other businesses, has Microsoft SQL servers.

1) Could those servers have been compromised? sure
2) Could those compromised servers have been involved in generating tons of traffic internal to BOA, even without the Internet being involved? sure.
3) Could routers on the internal BOA network, routers that carry IP traffic, also be carrying other traffic such as would be carrying ATM transactions? sure.
4) Recognizing that router overloads were happening everywhere as a result of Sapphire, is it reasonable to think that the BOA network routers could have been adversely affected, even if the Internet were not involved? sure.
5) Add to that what was happening on the Internet: rogue SQL servers sending their attacks randomly, and some of that traffic hitting the BOA Internet edge, and maybe being NAT'ed inside to add to traffic problems happening already.

Look, when Nimda hit a year or so ago, some organizations just started turning things off in order to control what was happening. I seem to recall BOA did so, but to be frank, I am not certain of that.
I don't think it is a good idea to jump to a lot of conclusions here. I highly doubt that even a stupid organization like Bank of America would be running their ATMs across the Internet (just kidding, pals of mine who work for BOA). It is all too easy for corporate networks to come down in situations created by Nimda or Sapphire. In an earlier message, Ken spoke about his own network, where there are few if any Microsoft SQL servers. Yet their Internet links were saturated because of the attacks, and internal network replies.

The key to protecting networks is understanding the nature of the threat.

BTW, there is a serious suggestion from someone on NANOG about denying any and all Microsoft well known ports across the Internet backbone. Good idea? I'm starting to think so. What I hope is that attacks based on ports 80 and/or 53 aren't developed. Think how devastating those might be :-O

John

Priscilla Oppenheimer 1/27/03 11:24:42 AM

Good points. How much bandwidth goes to some of the remote ATMs? Probably very little. They probably got crunched by the huge number of UDP packets. Of course, better filtering would have prevented that. But there's no need to assume that BoA runs MS-SQL or to worry that private info was compromised, etc. DoS attacks usually have very little to do with privacy compromises. Not claiming to be a security expert, so just correct me if I'm way off base! :-)

Priscilla

Amazing wrote:

What's amazing are the assumptions that people are making--who says that BoA servers or any BoA database were compromised? Who says they are even running MS-SQL? Read how the worm is spreading and you will understand that you don't have to be running anything that can be affected by the worm.
My guess is that a company with LARGE blocks of routable addresses and probably very high speed connections to the Internet might have bigger problems with this worm, which in effect becomes a denial of service attack on their edge devices even if they are filtering out udp 1494 at the edge. Take a look at the post by Ken and observe what is happening to the CPU of one of his router blades.

I definitely agree with your comment about the security con artist comparison to the Y2K consultants.

l0stbyte wrote in message news:[EMAIL PROTECTED]...

The dumb butts are allowing access to SQL from public networks. How difficult is it to filter stuff out? SQL boxes should be on private networks, no routes to public, second or third tier, etc. Y2K all over... This time in the security business. Bunch of con artists claiming to be security experts.

Cheers...

P.S. There was a news clip that BofA networks were affected. This is scary.

l0stbyte

Symon Thurlow wrote:

Cheers,
Symon

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: 26 January 2003 20:02
To: [EMAIL
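As an added example (my own code, not something anyone in this thread posted): the thread describes Sapphire's traffic as UDP/1434 datagrams sprayed at pseudo-random addresses plus the ICMP replies they provoke, so a defender reading flow logs can pick out an infected host by counting the distinct UDP/1434 destinations each source hits, with ICMP unreachables flowing back to that source as a secondary sign that it is probing addresses nobody answers on. The log format and every line in SAMPLE_LOG are constructed for this example; the 404-byte datagram size used as a further hint is the worm's total IP packet size from the public analyses, not something the thread states.

```python
"""Added example, not from the thread: flag hosts that spray UDP/1434 at many
distinct destinations, the pattern the thread describes for Sapphire/Slammer.
The flow-log format and every line in SAMPLE_LOG are constructed for this example."""
import re
from collections import defaultdict

# Constructed format:
# "<date> <time> proto=<p> src=<ip>[:<port>] dst=<ip>[:<port>] [type=<icmp type>] [len=<bytes>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"dst=(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<itype>\d+))?(?: len=(?P<len>\d+))?$"
)

# Constructed sample: 10.1.2.3 behaves like an infected host, 10.1.2.9 is a
# legitimate client talking to one internal SQL server.
SAMPLE_LOG = """\
2003-01-25 05:31:02 proto=udp src=10.1.2.3:1123 dst=203.0.113.77:1434 len=404
2003-01-25 05:31:02 proto=udp src=10.1.2.3:1123 dst=198.51.100.9:1434 len=404
2003-01-25 05:31:02 proto=udp src=10.1.2.3:1123 dst=192.0.2.200:1434 len=404
2003-01-25 05:31:03 proto=icmp src=192.0.2.1 dst=10.1.2.3 type=3
2003-01-25 05:31:03 proto=udp src=10.1.2.3:1123 dst=203.0.113.5:1434 len=404
2003-01-25 05:31:03 proto=udp src=10.1.2.3:1123 dst=203.0.113.6:1434 len=404
2003-01-25 05:31:04 proto=udp src=10.1.2.9:3381 dst=10.1.2.20:1434 len=120
2003-01-25 05:31:04 proto=tcp src=10.1.2.9:3382 dst=10.1.2.20:1433
2003-01-25 05:31:05 proto=udp src=10.1.2.9:3383 dst=10.1.2.20:1434 len=120
"""

# Total IP packet size of the worm datagram: 376-byte UDP payload + 28 bytes of IP/UDP headers.
SLAMMER_PACKET_LEN = 404


def parse_line(line):
    """Parse one constructed flow-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "itype": int(d["itype"]) if d["itype"] else None,
        "len": int(d["len"]) if d["len"] else None,
    }


def find_udp1434_sprayers(log_text, min_distinct_dsts=4):
    """Return {src: stats} for sources that send UDP/1434 to at least
    min_distinct_dsts different hosts. stats also counts packets of the worm's
    size and ICMP type 3 (unreachable) messages addressed back to the source."""
    dsts = defaultdict(set)
    pkts = defaultdict(int)
    slammer_sized = defaultdict(int)
    icmp_back = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "udp" and rec["dport"] == 1434:
            dsts[rec["src"]].add(rec["dst"])
            pkts[rec["src"]] += 1
            if rec["len"] == SLAMMER_PACKET_LEN:
                slammer_sized[rec["src"]] += 1
        elif rec["proto"] == "icmp" and rec["itype"] == 3:
            # Unreachables are addressed to the prober, so key them by dst.
            icmp_back[rec["dst"]] += 1
    flagged = {}
    for src, targets in dsts.items():
        if len(targets) >= min_distinct_dsts:
            flagged[src] = {
                "distinct_dsts": len(targets),
                "packets": pkts[src],
                "slammer_sized": slammer_sized[src],
                "icmp_unreachable_back": icmp_back[src],
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_udp1434_sprayers(SAMPLE_LOG).items():
        print(src, stats)
```

The threshold is the whole detection: a real client talks UDP/1434 (the SQL Server resolution service) to a handful of servers it knows, whereas a scanning host hits dozens of distinct addresses per second, most of which never answer. Filtering UDP/1434 at the edge, as the thread discusses, stops the spread but not the CPU load from the scanning itself, which is why the per-source count on internal flow logs matters.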
Re: Too much Security Overkill on wireless network??? [7:62011]
Eric,

Although encryption typically doesn't result in code expansion, the error correction overhead in an 802.11 wireless radio transmission takes up almost half the throughput! (11 Mbit/s becomes about 6.5 Mbit/s net, best case.)

Perhaps SSH, SSL and EAP/WEP are superfluous when used with IPSec, but I would imagine that you need SSH and SSL to support users coming in from the outside, or perhaps as an additional level of protection for individual users of sensitive applications from those with general network access (most attacks come from within...).

Typically, WEP is done in hardware, so theoretically, there shouldn't be any overhead if that is the case. But if you want to eliminate it, why not force the use of EAP for wireless admission control but leave WEP off? (I think you can either not enter a key at all or enter one and then select 'No Encryption'.) Users will need to know they will be exposed when surfing non-secure sites wirelessly... no worse than at a public hot-spot...

Regards,

Mas Kato
https://ecardfile.com/id/mkato

- Original Message -
From: eric nguyen
To: ;
Sent: Thursday, January 23, 2003 8:51 AM
Subject: Too much Security Overkill on wireless network???

Hi,

I have been assigned the task of setting up a wireless network for my company and I am wondering whether I use too much security for the wireless. Currently, I am setting up a test wireless network for about 5 users. Eventually, this network will have about 50 users. My setup is as follows:

1) The wireless network is sitting on the DMZ network. This DMZ network hangs off an interface of a PIX firewall (Pix-525). Wireless users are required to use Protected Extensible Authentication Protocol (PEAP) in order to log onto the wireless DMZ network.

2) In order to access the company internal network, which hangs off the inside interface of the PIX firewall, wireless users must use the Cisco VPN Client (IPSec) to establish a secure VPN tunnel between their device and the PIX firewall.
3) After successfully establishing the VPN tunnel between the wireless device and the PIX firewall, wireless users can only access the company internal network applications via SSL, SSH, POP3s and IMAPs. I have a few users that tunnel X applications via SSH connections. Applications such as POP3, telnet and IMAP are not allowed from the DMZ network into the company internal network.

So far the test is going well. However, my concern is that this will not scale well for a large number of wireless users. For example, let's say for an SSH connection, the traffic is encrypted by SSH. Below that, it is encrypted via IPSec. Finally, it is encrypted by PEAP. I've not done any analysis yet but it is possible that 50% of the traffic is just overhead traffic for encryption.

Has anyone successfully implemented a secure wireless network on a large scale? I would like to get your advice on this. I have to present a recommendation to my CTO in the next few days.

By the way, my company did hire a CCIE security consultant to work with me on this project; however, this CCIE security is a f_cking moron. Not only does he not know anything about PEAP, but he even suggested that we use Cisco LEAP because LEAP is much more secure than PEAP. After he couldn't get PEAP to work, the SOB suggested that we switch to Cisco LEAP. When we didn't want to use Cisco LEAP, he suggested that we just use shared (aka STATIC WEP) authentication because we are using IPSec and secure applications to access the company internal network anyway. The problem with this idea is that once wireless users are on the DMZ wireless network, they can surf the Internet without restrictions. I don't want strangers (if they get hold of the STATIC WEP KEY) to use my company bandwidth to use the Internet. I want PEAP because it is safe and secure. I am also testing EAP-TTLS but haven't had much luck with it.
I am sure the CCIE security consultant that turned out to be a f_cking moron, pardon my language, is more of an exception rather than the rule. However, I am surprised that someone like that can pass the CCIE security lab. By the way, I checked with Cisco and he does have a CCIE Security certification #.

Enough of me venting my frustration. Please advise.

Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62011t=62011
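As an added example (my own code, not from either post): a per-packet byte count of the layering Eric describes, to put a number on the "50% overhead" worry. It treats PEAP as what it is, an authentication and key-derivation method, so the on-air encryption it counts is the WEP layer that PEAP keys; the IPsec layer is assumed to be ESP in tunnel mode with a 64-bit block cipher (3DES-style) and a 96-bit HMAC, and the SSH layer a channel-data message with an 8-byte block cipher and HMAC-SHA1. Those cipher choices and the 802.11 framing constants are my assumptions. It counts header and trailer bytes only; the radio-level ACKs, preambles and retransmissions that Mas Kato refers to are not modelled.

```python
"""Added example, not from the thread: byte overhead of SSH inside IPsec (ESP
tunnel mode) inside a WEP-protected 802.11 frame, for one application payload.
Cipher block sizes, MAC lengths and framing constants are this example's assumptions."""

WEP_OVERHEAD = 8          # assumption: 4-byte IV + 4-byte ICV per frame
DOT11_MAC_OVERHEAD = 28   # assumption: 24-byte data-frame header + 4-byte FCS
LLC_SNAP = 8              # assumption: LLC/SNAP header carrying the IP packet
IP_HDR = 20
TCP_HDR = 20


def ssh_packet_bytes(app_bytes, block=8, mac_len=20):
    """Size of one SSH binary packet carrying app_bytes of channel data.
    Payload = SSH_MSG_CHANNEL_DATA (1) + recipient channel (4) + string length (4) + data.
    The packet (length field + padding-length byte + payload + padding) is a
    multiple of max(block, 8) with at least 4 bytes of padding, then the MAC."""
    payload = 1 + 4 + 4 + app_bytes
    unpadded = 4 + 1 + payload
    align = max(block, 8)
    padding = align - (unpadded % align)
    if padding < 4:
        padding += align
    return unpadded + padding + mac_len


def esp_tunnel_bytes(inner_ip_bytes, block=8, iv_len=8, icv_len=12):
    """Size of an ESP tunnel-mode packet wrapping an inner IP packet:
    outer IP + SPI/sequence (8) + IV + [inner packet + pad + pad length + next header] + ICV.
    Padding brings (inner + 2 trailer bytes) up to a multiple of the cipher block."""
    body = inner_ip_bytes + 2
    pad = (-body) % block
    return IP_HDR + 8 + iv_len + body + pad + icv_len


def layered_frame_report(app_bytes):
    """Walk app_bytes down the stack and report the size at each layer and the
    fraction of the on-air frame that is not application data."""
    ssh = ssh_packet_bytes(app_bytes)
    inner_ip = ssh + TCP_HDR + IP_HDR
    esp = esp_tunnel_bytes(inner_ip)
    frame = esp + LLC_SNAP + WEP_OVERHEAD + DOT11_MAC_OVERHEAD
    return {
        "app_bytes": app_bytes,
        "ssh_packet": ssh,
        "inner_ip_packet": inner_ip,
        "esp_tunnel_packet": esp,
        "wlan_frame": frame,
        "overhead_fraction": round(1 - app_bytes / frame, 3),
    }


if __name__ == "__main__":
    for size in (64, 1000):
        print(layered_frame_report(size))
```

Under these assumptions a 1000-byte application write becomes a 1180-byte frame (about 15% overhead), while a 64-byte interactive keystroke packet becomes 244 bytes on the air (about 74% overhead). The number of crypto layers matters far less than the packet size mix, which is the first thing to measure before deciding that a layer has to go.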
Re: Cisco 831 routers [7:61707]
Thanks Paul. Have you had any chance to test the performance of GRE+IPSec? Is it better than that of software-based encryption on the 2600 routers?

Paul Forbes wrote in message news:[EMAIL PROTECTED]...

They're available (we have four in house ready for deployment). I haven't tested them with all knobs on (GRE+IPsec, CBAC, IDS, QoS, EIGRP/OSPF, etc.), but VPN+CBAC has worked beautifully. Check with your VAR or Cisco account team for leadtimes.

Cheers.
Paul

-Original Message-
From: Thomas N. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 12:32 PM
To: [EMAIL PROTECTED]
Subject: Cisco 831 routers [7:61707]

Hi All,

I wonder if anyone here could get hold of the new Cisco 831 VPN router? I am trying to get a couple of these routers but am being told they are on hold by Cisco. I am just curious why, and when they will be available again?

Thanks!
Thomas.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62012t=61707