RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Monu Sekhon
Thanks for the instant reply.
I am referring to having the same IP on the serial interfaces of the client router.
Again I will show you my topology:

client-router                              server-router (ISP)
2 serial intf                              2 serial intf
serial 0 - ip add 1.1.1.1  -------------   serial 0 - ip add 1.1.1.2
serial 1 - ip add 1.1.1.1  -------------   serial 1 - ip add 1.1.1.2

I am using duplicate IPs on the serial interfaces here; is this connection
correct, or what design issues does it have?

We can use duplicate IPs on serials among themselves but not duplicates with
Ethernet or loopback. Why? Any reason?
--


Mark Tinka wrote:
 
 i am not sure i understand your question, but from what you are
 saying, you want your central and client router to have the same
 IP address on their serial interfaces... why would you want
 that.. just having the IP address in the same subnet should do,
 e.g. 1.1.1.0/30 ...
 
 anyway, i think you may have a routing issue.. since 1.1.1.1/24
 is directly connected on both routers, how would you tell the
 local router that 1.1.1.1/24 is on the other [destination
 router] side of the serial link, yet it knows it's a local
 address...?..
 
 please provide more information for the solution you need, and we
 can help work with something more scalable..
 
 good luck..

-
Hi All,
I have a very simple question: can we use duplicate IPs on serial interfaces
among themselves, although we cannot use a duplicate IP on a serial with an
Ethernet (LAN interface) or loopback interface?


My topology is like this 

Client router ------------------------ server router (connected back to back)
2 interfaces                           2 interfaces


these routers connected back to back 


configuration 
int serial 0/0 
encap hdlc 
ip address 1.1.1.1 255.255.255.0 

int serial 0/1 
ip address 1.1.1.1 255.255.255.0 
encap hdlc 



Now, even if the two serial interfaces are given duplicate IPs among
themselves, it works fine: no error from the CLI, the interfaces are up
and I am able to ping the remote side.



The questions are:

1) The LAN interface was also in a different subnet, but the serial interface
does not accept those IPs as duplicates, nor a loopback's.

2) What implications does this have on my design? Any limitations it has?

Can this type of design be used?

This small thing is confusing me about IP.

Thanks in advance





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62733t=62728
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Terminal server session timeouts (PIX VPN) [7:62734]

2003-02-10 Thread Wagner Jeff
Hi all,

I have two PIX 501's, one at head office, one at the remote end, linked together
using IPSec VPN.  The problem I have is that users at the remote site have
timeout issues using the MS Terminal Server client.

It is very random too.  Sometimes users can be connected for 5-6 hours
without getting disconnected from the terminal server, other times their
connection drops after only 20-30 minutes.

The TS server is located at the head office, and the LAN users at the HQ do
not have timeout issues, only the remote users do.

At first I thought the VPN idle-time value may have something to do with it
(originally set to vpngroup VPN-TO-HQ idle-time 1200 seconds), so I
increased that to 86400 seconds, but that did not fix the problem.

I then tried to adjust the xlate timeout values.  I increased the timeout
xlate value to 3:00:00, that did not fix it either.

So here I am, at a loss as to what else I can try.

Oh, the PIX software versions are:

Headoffice: 6.2(2)
Remote: 6.1(4)

If anyone has similar experience, and you found some fix for it, please let
me know.

Cheers
Jeff






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62734t=62734



logging question. [7:62735]

2003-02-10 Thread Casey, Paul (6822)
Hello Group,

On a router you have the following logging available,
 
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
 

If you type :
logging buffered debug 
 
You log severity 7 and all lower levels, i.e. 6,5,4,3...0. Is it possible to
log particular severity levels? Say you wanted to log severity 7,4,1
only - can this be achieved on a router?
 
Any help appreciated,
 
Kind regards.
 
Paul.








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62735t=62735
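Added example, not from the post: a collector-side filter in Python over constructed IOS-style log lines. It parses the severity digit out of the %FACILITY-SEVERITY-MNEMONIC header and shows both what `logging buffered debug` gives (that level and everything below it, as the post describes) and the selective set {7, 4, 1} the post asks about, applied on the syslog receiver. The sample lines, timestamps and mnemonics are constructed for the demo.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Severity names as listed in the post (same numbering as syslog).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS writes the severity into the message header: %FACILITY-SEVERITY-MNEMONIC:
_HEADER_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):")

# Constructed sample lines in IOS format (made up for this demo, not a real capture).
SAMPLE_LOG: List[str] = """\
*Mar  1 00:01:02.345: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
*Mar  1 00:01:03.101: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
*Mar  1 00:02:10.900: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.254.176)
*Mar  1 00:02:11.003: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4312) -> 192.168.1.2(23), 1 packet
*Mar  1 00:03:00.000: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse failed
*Mar  1 00:03:05.210: %OSPF-4-ERRRCV: Received invalid packet: mismatch area ID from 192.168.3.4, Serial0
*Mar  1 00:03:06.000: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization 95%
*Mar  1 00:03:07.000: %SYS-7-USERLOG_DEBUG: Message from tty0: test
Building configuration...
""".splitlines()


def severity_of(line: str) -> Optional[int]:
    """Numeric severity (0-7) of an IOS log line, or None when no %FAC-SEV-MNEMONIC header is present."""
    m = _HEADER_RE.search(line)
    return int(m.group(2)) if m else None


def filter_by_threshold(lines: Iterable[str], level: int) -> List[str]:
    """What the router itself does with 'logging buffered <level>': keep that level and all lower numbers."""
    kept = []
    for ln in lines:
        sev = severity_of(ln)
        if sev is not None and sev <= level:
            kept.append(ln)
    return kept


def filter_by_levels(lines: Iterable[str], wanted: Set[int]) -> List[str]:
    """Selective filtering (e.g. {7, 4, 1}) of the kind the post asks about, done on the collector."""
    return [ln for ln in lines if severity_of(ln) in wanted]


def count_by_severity(lines: Iterable[str]) -> Dict[str, int]:
    """Histogram of severity names, useful for spotting a flood at one level."""
    counts: Dict[str, int] = {}
    for ln in lines:
        sev = severity_of(ln)
        if sev is not None:
            name = SEVERITY_NAMES[sev]
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    print(len(filter_by_threshold(SAMPLE_LOG, 7)), "lines kept at the 'debugging' threshold")
    for ln in filter_by_levels(SAMPLE_LOG, {7, 4, 1}):
        print(ln)
```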



RE: BGP help needed., [7:62736]

2003-02-10 Thread Casey, Paul (6822)
Hello, 

I have a practice lab I am working on,
3 routers in lab,

AS100 --AS200-AS300

I have a loopback 1.1.1.1 in AS100 and I want to advertise it to AS200 who
in turn will advertise it to AS300. When it arrives in AS300 it has to look
like it originated in AS200 and NOT for AS300.
This needs to be achieved with 1 command on AS200.

Anyone any idea how to get this to work?
Can this be done..??

Kind regards,
Paul.








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62736t=62736



pix: ssh - warning: remote host identification has changed [7:62737]

2003-02-10 Thread Jens von Bülow
Greetings,


[jens@workstation jens]$ ssh 
@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
ba:07:12:e4:ed:21:7f:d3:45:07:6b:37:fc:36:0a:04.
Please contact your system administrator.
Add correct host key in /home/jens/.ssh/known_hosts to get rid of this
message.
Offending key in /home/jens/.ssh/known_hosts:2
RSA1 host key for cf17.jhb.nha.co.za has changed and you have requested
strict checking.
Host key verification failed.


I am not sure under what conditions the ssh key for a PIX 515 would change -
I have confirmed that it is not a DNS problem and confirmed that there are
no private machines in between the workstation and the PIX firewall.

I do know that we had maintenance work done on the power in the computer
room over the weekend = a reboot of the PIX - but why would that cause a
change to its identification?

Any clues/pointers?

Thanks & Regards
Jens




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62737t=62737



Password recovery [7:62738]

2003-02-10 Thread Philip van Dalen
Hi

I need to recover the password for a CISCO 2611 without wiping the
config?

Any ideas?

Philip




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62738t=62738



Re: Password recovery [7:62738]

2003-02-10 Thread M.C. van den Bovenkamp
Philip van Dalen wrote:

 I need to recover the password for a CISCO 2611 without wiping the
 config?
 
 Any ideas?

http://www.cisco.com/warp/public/474/pswdrec_2600.shtml

Regards,

Marco.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62739t=62738



E3 bandwidth issue. [7:62740]

2003-02-10 Thread Router Kid
If a client were to take an E3 (T3), would they be able to cap/restrict the
bandwidth at, let's say, 20Mbps? Could something be done to the router to allow
this?


Best Regards.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62740t=62740



Fast Ethernet and ATM won't play nicely? [7:62741]

2003-02-10 Thread Martin Reilly
I have an interesting problem with an attempt to add an ATM card (an
ATM-1AE3) into a 3640.

I'm using 12.2.13a Enterprise Plus IOS (ie most recent available).

Router 1 is my test 3600.

Slot 0 - 2E2W dual ethernet / dual WIC (nothing in the WIC slots)
Slot 1 - Serial 4T
Slot 2 - empty
Slot 3 - ATM 1A E3

Router 2 is the live network 3600.

Slot 0 - 2FE2W dual fast ethernet / dual WIC (nothing in the WIC slots)
Slot 1 - Serial 4T
Slot 2 - PRI 1CE1U
Slot 3 - ATM 1A E3

Both routers report bootstrap 11.1(19)AA. Both had 12.2.13a installed from
the same image file.

Installed in Slot 3, the test router sees the ATM card, but the live router
doesn't.

I wondered if there might be a problem with the slot rather than the card,
so I tried putting a spare 2E2W card in slot 3 - that's seen with no
problems.

The only differences between the two setups are that the live router has
dual fast ethernet rather than ethernet, and it has the PRI card installed.

To see if it's the PRI card that makes the difference, I took it out and
rebooted - that made no difference, so it looks like the problem must have
something to do with the fast ethernet card.

Has anybody seen a similar problem or have any suggestions what I should try
next? I don't have a spare 2FE2W to try in the test router, sadly (and I
can't take the live one down until next weekend).

Cisco tell me that the ATM and Fast Ethernet should definitely work together
(makes sense... wouldn't be terribly clever to bring a 34Mb ATM circuit into
a router then provide a nice 10M half duplex bottleneck onwards!). I've
opened a TAC call but so far I don't have an answer from Cisco...





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62741t=62741



MPEG Filesharing Traffic [7:62742]

2003-02-10 Thread Christian Seemueller
Hello,

Has anybody an idea how to filter the new media-sharing tools like Kazaa
v2.02, which is tunneling its data over an individual TCP port or port
80? The PIX would only filter up to OSI level 5, I guess.
I tried to filter the whole subnet of kazaa.com, but this won't work well.

Any ideas welcome.
Chris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62742t=62742



RE: ssh - warning: remote host identification has changed [7:62743]

2003-02-10 Thread Andrew Larkins
This means that someone changed the RSA key on the PIX and that it only
became active after the reboot.
Verify with your guys that they changed nothing - otherwise it could be a
sort of attack.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62743t=62743



RE: Password recovery [7:62738]

2003-02-10 Thread R.S.Sundar
Hello Philip Van Dalen,

Try this link for details. Hope this may be useful.

http://www.cisco.com/warp/public/474/pswdrec_2600.shtml

Best Regards,

R.S.Sundar






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62744t=62738



RE: ssh - warning: remote host identification has changed [7:62745]

2003-02-10 Thread Jens von Bülow
That is what I suspect or perhaps an overzealous engineer.

Does one specify the RSA key for SSH (is it the same as the one for the
IPSEC stuff)?

How would one change such a thing? I don't remember having to ever create
one during the initial installation?

PS: I rebooted the box and noticed that the key once again changed - could
this problem be as a result of a corrupt flash card?









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62745t=62745



PIX firewall [7:62746]

2003-02-10 Thread hanan
Hello

Could you please tell me, for the Cisco PIX firewall, do their clients need to be
firewall clients or not?

Hanan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62746t=62746



RE: ssh - warning: remote host identification has changed [7:62747]

2003-02-10 Thread Andrew Larkins
The RSA key pair is generated when you want to enable SSH access to the unit.
The command for this is 'ca generate rsa key'. You need to have
configured the hostname and domain name before using this command.

Remember to do the 'ca save all' afterwards. Try that and see if the key
changes again after a reload.

As far as I remember (rather rusty here), the RSA key pair is saved to some
other memory on the PIX (anyone correct me if I am wrong).

As for your IPSec question - are you using certificates or preshared keys?
If you are using certificates, then I think it is the same key - depends on
how you set it up originally (there are 2 key types - general and special); if
you never specified this, then a general key is created.

let us know how it goes

Andrew







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62747t=62747



CiscoView and HP OpenView [7:62748]

2003-02-10 Thread Jimmy Leong
I have the following inquiries and need some advice:

1) Does CiscoView support voice ports?
2) How many devices can CiscoView support?
3) Can CiscoView support non-Cisco products?

   Can HP OpenView perform all the tasks that CiscoView does?

thanks in advance.



regards
Jimmy












Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62748t=62748



RE: Telnet to 2501 through a linksys router [7:62654]

2003-02-10 Thread Jason Steig
Ahh, I see, I did not specify the default gateway command on my Cisco 2501 for
the Linksys.  All I did was make the external port for my Sun box 2323 and
for my Cisco 23 to activate the port forwarding from my Linksys over my NAT
internally to my 2511 router.  Actually mine is also a 2511.
Sorry, whoops, I actually have a Siemens router.  It works the same way as the
Linksys with port forwarding.  So all I'm doing is port forwarding port 23
and 2323 to separate internal IPs.

Router#show run
Building configuration...

Current configuration : 997 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$Tn.K$eTsahgNCkNWMWaSFRMa/A1
!
username all
ip subnet-zero
no ip domain-lookup
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip ospf network point-to-point
!
interface Ethernet0
 ip address 192.168.254.119 255.255.255.0 (interface I'm telnetting to)
!
interface Serial0
 ip address 192.168.3.3 255.255.255.0
!
interface Serial1
 no ip address
 shutdown
!
ip default-gateway 192.168.254.254  (I just added it)
ip classless
ip http server
ip pim bidir-enable
!
logging trap debugging
logging 192.168.254.176
snmp-server user internal internal v3
snmp-server group internal v3 noauth notify *tv..
snmp-server community internal RO
snmp-server host 192.168.254.176 version 3 noauth internal
!
line con 0
 exec-timeout 0 0
 logging synchronous
line 1 16
line aux 0
line vty 0 4
 password 
 login
!
end
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62674t=62654
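Added example, not from the post or any Cisco tool: a small Python audit over a constructed copy of the running-config above (the enable secret hash and the vty password are replaced with placeholders, and the garbled snmp-server line is trimmed). It flags the settings a reviewer would raise before forwarding TCP/23 from the Internet to this box: clear-text telnet accepted on the vtys, line passwords with no encryption, HTTP management, and unauthenticated SNMP.

```python
from typing import Dict, List, Tuple

# Constructed copy of the running-config from the post: same settings, but the enable
# secret hash and the vty password are placeholders, not the values from the post.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname Router
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
ip ssh time-out 120
ip ssh authentication-retries 3
interface Ethernet0
 ip address 192.168.254.119 255.255.255.0
ip default-gateway 192.168.254.254
ip http server
snmp-server user internal internal v3
snmp-server group internal v3 noauth
snmp-server community internal RO
line con 0
 exec-timeout 0 0
line vty 0 4
 password placeholder
 login
end
"""

Finding = Tuple[str, str]  # (severity, message)


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group each indented line under the unindented command that precedes it.
    Plain top-level commands map to an empty list; '!' comment lines are skipped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[Finding]:
    """Flag management-plane weaknesses of the kind visible in the posted config."""
    s = parse_sections(config)
    findings: List[Finding] = []
    if "no service password-encryption" in s:
        findings.append(("medium", "no service password-encryption: line passwords are stored in clear text"))
    if "ip http server" in s:
        findings.append(("medium", "ip http server: web management enabled over plain HTTP"))
    for cmd, children in s.items():
        if cmd.startswith("snmp-server group") and " noauth" in cmd:
            findings.append(("medium", cmd + ": SNMPv3 group without authentication"))
        elif cmd.startswith("snmp-server community"):
            findings.append(("medium", cmd + ": v1/v2c community string, protected only by the string itself"))
        elif cmd.startswith("line con") and "exec-timeout 0 0" in children:
            findings.append(("low", cmd + ": exec-timeout 0 0 never logs an idle console session out"))
        elif cmd.startswith("line vty"):
            # The post forwards TCP/23 from the Internet to this router, so the vty lines matter most.
            if "transport input ssh" not in children:
                findings.append(("high", cmd + ": transport input is not limited to ssh, so telnet (clear text) is accepted"))
            if "login" in children:
                findings.append(("medium", cmd + ": 'login' uses the shared line password; prefer 'login local' or AAA"))
    return findings


# Constructed vty stanza that passes the checks above, for comparison.
HARDENED_VTY = """\
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
end
"""

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```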



RE: VPN Partial Connectivity [7:62639]

2003-02-10 Thread Albert Lu
Hi,

You mentioned that you were doing static NAT on the router; this could
affect it if the VPN client terminates on the router. The IP addresses that
you have statics for are translated to the global IP address, and don't go
through your VPN, since the access-list in your crypto map doesn't identify
it as traffic needing to be encrypted.

Albert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Dain Deutschman
Sent: Saturday, February 08, 2003 3:49 AM
To: [EMAIL PROTECTED]
Subject: VPN Partial Connectivity [7:62639]


Hi,

When connecting a vpn via VPN Client 3.x I am able to ping only certain
addresses...
192.168.1.180 Server
192.168.1.10 LAN Station

But Not Others...
192.168.1.1 Inside Interface Of PIX
192.168.1.2 Mail Server
192.168.1.3 CSU/DSU management address

I have a vpn setup as follows:

Vpn Client--INTERNET--1721Router--PIX--LAN

*The 1721 router is doing static nat to the outside   interface of the pix.
The vpn terminates at the pix.

*I'm using vpngroup to assign ip info to the client.

* The LAN ip scheme is 192.168.1.0/24 where the first 9 addresses are left
out of the local dhcp pool

*The vpn client is getting assigned from local-pool range 192.168.2.1-50

*I have a route on the pix route inside 192.168.2.0 255.255.255.0
192.168.1.1

*The inside interface of the pix is 192.168.1.1

Here is my config...

PIX(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 172.16.2.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool NEWMEX 192.168.2.1-192.168.2.50
pdm history enable
arp timeout 14400
global (outside) 1 172.16.2.3
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
conduit permit icmp any any echo
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn address-pool NEWMEX
vpngroup vpn dns-server x.x.x.y x.x.x.z
vpngroup vpn default-domain domain.com
vpngroup vpn split-tunnel 101
vpngroup vpn idle-time 1800
vpngroup vpn password
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.10-192.168.1.42 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:a71ebfc24ae

Any ideas?? I'm sort of stumped at this point. Thanks!

--
Dain Deutschman
CCNP, CSS-1, CCNA, MCP, CNA
Data Communications Manager




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62684t=62639



RE: ssh - warning: remote host identification has changed [7:62749]

2003-02-10 Thread Jens von Bülow
Andrew,

Of interest is that the RSA key was generated sometime after my reboot of
the router. It looks like PDM (because this was the only way I could access
the device) created a new key for me at some point... Not sure when...

Anyway, I did a 'ca zeroize rsa', 'ca generate rsa key' and 'ca save all' on my ca
stuff.

It now behaves as expected through a reboot.

One question though? How do I trust my PIX again? (FWIW - We archive the
configs of the PIX on a regular basis and the config hasn't changed)

Anybody else ever seen their ca configs break during a power cycle?

Regards
Jens






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62749t=62749
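Added example in Python, not from the thread: a baseline check for the situation Andrew describes (from the client, an authorised key regeneration and an interception look identical, so the new key has to be verified before it is accepted) and for the archived-config habit Jens mentions. It parses plain known_hosts lines, computes the colon-separated MD5 fingerprint the warning prints (and the SHA256 form current OpenSSH shows), and reports OK, CHANGED or NEW for the key a host presents. Hostnames, the baseline file and the toy moduli are constructed (not real RSA keys); the byte order used for RSA1 lines is an assumption about OpenSSH's protocol-1 fingerprinting.

```python
import base64
import hashlib
import struct
from typing import Dict, Tuple


def _ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _int_bytes(n: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, with a leading zero byte if the high bit is set."""
    raw = _int_bytes(n)
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The ssh-rsa public-key blob that known_hosts stores base64-encoded (SSH-2 format)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def fingerprint_md5(key_bytes: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the style printed in the warning above."""
    digest = hashlib.md5(key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(key_bytes: bytes) -> str:
    """Fingerprint style used by current OpenSSH: SHA256:<unpadded base64>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_bytes).digest()).decode().rstrip("=")


def parse_known_hosts(text: str) -> Dict[Tuple[str, str], bytes]:
    """Map (hostname, key type) -> the bytes that get fingerprinted, per plain-text known_hosts line.

    SSH-2 lines:  host[,host2] ssh-rsa <base64 blob>        -> decoded blob
    RSA1 lines:   host[,host2] <bits> <exponent> <modulus>  -> modulus bytes + exponent bytes
                  (assumed to match OpenSSH's protocol-1 fingerprint input; not verified here)
    Hashed hostnames (|1|...) are skipped because they cannot be mapped back to a name.
    """
    table: Dict[Tuple[str, str], bytes] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or line.startswith("|1|"):
            continue
        if fields[1].isdigit():  # RSA1: bits exponent modulus
            if len(fields) < 4:
                continue
            key_type, key_bytes = "rsa1", _int_bytes(int(fields[3])) + _int_bytes(int(fields[2]))
        else:                    # SSH-2: keytype base64
            key_type, key_bytes = fields[1], base64.b64decode(fields[2])
        for host in fields[0].split(","):
            table[(host, key_type)] = key_bytes
    return table


def check_presented_key(baseline: Dict[Tuple[str, str], bytes],
                        host: str, key_type: str, key_bytes: bytes) -> Tuple[str, str]:
    """Classify the key a host presents now against the archived baseline.

    CHANGED is the case in this thread: a planned regeneration, a restore from different
    storage and a man-in-the-middle all look the same to the client, so the new fingerprint
    must be confirmed out of band (e.g. on the device console) before known_hosts is updated.
    """
    fp = fingerprint_md5(key_bytes)
    known = baseline.get((host, key_type))
    if known is None:
        return "NEW", fp
    return ("OK" if known == key_bytes else "CHANGED"), fp


# Constructed toy keys (small integers, not real RSA moduli) and a constructed baseline file.
OLD_KEY = rsa_public_blob(65537, 0xC0FFEE1234567891)
NEW_KEY = rsa_public_blob(65537, 0xDEADBEEF0BADF00D)
BASELINE_TEXT = "pix.example.net ssh-rsa " + base64.b64encode(OLD_KEY).decode() + "\n"

if __name__ == "__main__":
    base = parse_known_hosts(BASELINE_TEXT)
    for label, key in (("same key", OLD_KEY), ("regenerated key", NEW_KEY)):
        print(label, check_presented_key(base, "pix.example.net", "ssh-rsa", key))
```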



RE: CiscoView and HP OpenView [7:62748]

2003-02-10 Thread David C Prall

CiscoView is a single device manager. There is CiscoView that comes with
CiscoWorks CDOne, and an embedded version that is available on most Catalyst
products in images with CV. It is a web based view of the device in
question, that allows monitoring and configuration.

In a multi-vendor environment HP OpenView would be required, none of the
CiscoWorks Management products are multi-vendor. Although the CiscoWorks
products can enhance HP OpenView.


--
David C Prall [EMAIL PROTECTED] http://dcp.dcptech.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62750t=62748



RE: BGP help needed., [7:62736]

2003-02-10 Thread p b
Don't have any gear to test this on, but what if you
put a network 1.1.1.1 mask 255.255.255.255 in your
AS 200--AS300 eBGP peer?   The route received from AS100
will populate the routing table and thus cause AS200's
network statement to be satisfied and thus advertised.
This may make 1.1.1.1 appear, at AS300, to originate
from both AS100 and AS200...


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62751t=62736



RE: ssh - warning: remote host identification has changed [7:62752]

2003-02-10 Thread Andrew Larkins
My RSA keys never change during a reload etc.
Based on that I get the feeling that someone (an engineer) changed something and
told no-one. Just my 2 cents.

-Original Message-
From: Jens von B|low [mailto:[EMAIL PROTECTED]]
Sent: 10 February 2003 15:31
To: [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed
[7:62749]


Andrew,

Of interest is that the RSA key was generated sometime after my reboot of
the router. It looks like PDM (because this was the only way I could access
the device) created a new key for me or at some point... Not sure when...

Anyway, I ca zeroize rsa, ca generate rsa key and ca save alled my ca
stuff.

It now behaves as expected through a reboot.

One question though? How do I trust my PIX again? (FWIW - We archive the
configs of the PIX on a regular basis and the config hasn't changed)

Anybody else ever seen their ca configs break during a power cycle?

Regards
Jens


-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]] 
Sent: 10 February 2003 02:24
To: [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed [7:62747]

The RSA key pair is generated when you want to enable SSH access to the unit
Command for this is  ca generate rsa key . You need to have
configured the hostname and domain name before using this command.

Remember to do the "ca save all" afterwards. Try that and see if the key
changes again after a reload.

As far as I remember (rather rusty here), the RSA key pair is saved to some
other memory on the PIX (anyone correct me if I am wrong)

As for your IPSec question - are you using certificates or preshared keys.
If you are using certificates, then I think it is the same key - depends on
how you set it up originally (There are 2 key type - general and special) if
you never specified this, then a general key is created.

let us know how it goes

Andrew

-Original Message-
From: Jens von Bülow [mailto:[EMAIL PROTECTED]]
Sent: 10 February 2003 14:06
To: Andrew Larkins; [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed
[7:62743]


That is what I suspect or perhaps an overzealous engineer.

Does one specify the RSA key for SSH (is it the same as the one for the
IPSEC stuff)

How would one change such a thing? I don't remember having to ever create
one during the initial installation?

PS: I rebooted the box and noticed that the key once again changed - could
this problem be as a result of a corrupt flash card?



-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]] 
Sent: 10 February 2003 01:48
To: [EMAIL PROTECTED]
Subject: RE: ssh - warning: remote host identification has changed [7:62743]

This means that someone changed the rsa key on the PIX and that it only
became active after the reboot.
Verify with your guys that they changed nothing - otherwise it could be a
sort of attack.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62752t=62752
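A defender-side check for the situation in this thread, added here as an example (not code from the thread or from Cisco): it compares the host key a device presents now against the key archived in a known_hosts-style file and reports OK, CHANGED (the case behind the "remote host identification has changed" warning) or UNKNOWN. The hostnames, the hashed-entry salt and the tiny RSA numbers are constructed placeholders.

```python
"""Defender-side check for the "remote host identification has changed" warning.

Compares the SSH host key a device presents now against the key archived in a
known_hosts-style file and classifies the result: OK (same key), CHANGED (a
different key for a known host, which is what fires the OpenSSH warning) or
UNKNOWN (no archived key at all). Hostnames, salt and RSA numbers below are
constructed for illustration, not taken from any real device.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: adds a leading 0x00 when the high bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key, i.e. the bytes base64'd in known_hosts."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """HashKnownHosts entry name: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field: hashed (|1|...) or a comma-separated list.

    Wildcards, '!' negation and [host]:port forms are deliberately not handled."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return host in pattern.split(",")


def classify(known_hosts: str, host: str, keytype: str, presented: bytes):
    """Return (status, detail) for the key blob `presented` by `host`."""
    seen_host = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        pattern, ktype, key_b64 = fields[:3]
        if ktype != keytype or not host_matches(pattern, host):
            continue
        seen_host = True
        if hmac.compare_digest(base64.b64decode(key_b64), presented):
            return "OK", "matches archived key %s" % fingerprint_sha256(presented)
    if seen_host:
        # The condition behind the OpenSSH warning: host known, key different.
        # Treat it as an incident until the change is explained (rekey, swap, attack).
        return "CHANGED", "host is known but now presents %s" % fingerprint_sha256(presented)
    return "UNKNOWN", "no archived key for this host; verify out of band before trusting"


# Constructed data: the key archived with the config backups, and a different
# key that appeared after the reboot. The moduli are tiny placeholders.
ARCHIVED_BLOB = rsa_blob(65537, 0xD1F3A7B9C5E2)
NEW_BLOB = rsa_blob(65537, 0xE2C4D6F80A1B)
SALT = bytes(range(20))  # OpenSSH uses 20 random bytes per hashed entry
KNOWN_HOSTS = "\n".join([
    "# archived host keys (constructed)",
    "pix-fw.example.net,192.0.2.1 ssh-rsa " + base64.b64encode(ARCHIVED_BLOB).decode(),
    hashed_hostname("core-rtr.example.net", SALT) + " ssh-rsa "
    + base64.b64encode(ARCHIVED_BLOB).decode(),
])

if __name__ == "__main__":
    checks = [("pix-fw.example.net", ARCHIVED_BLOB),    # before the reboot
              ("pix-fw.example.net", NEW_BLOB),         # after the reboot: the warning case
              ("core-rtr.example.net", ARCHIVED_BLOB),  # hashed entry still matches
              ("other.example.net", NEW_BLOB)]          # never archived
    for host, blob in checks:
        status, detail = classify(KNOWN_HOSTS, host, "ssh-rsa", blob)
        print("%-22s %-8s %s" % (host, status, detail))
```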



RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread timothy thielen
I think something is being lost in the translation...
This confuses me, too.

--T


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62753t=62728



RE: URGENT Frame Relay Encapsulation Failing [7:62614]

2003-02-10 Thread timothy thielen
When studying for the CCIE with friends, we decided that if you forget the
broadcast keyword, the terrorists win.

--T


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62754t=62614



AUX port and modems [7:62755]

2003-02-10 Thread [EMAIL PROTECTED]
I need to connect to the AUX port using a modem. The only problem is that I
do not want to use an external telephone line. Is there a way to simulate:

  host--modem--AUX (router)

Where can I find the information?

Thanks in advance.
MO




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62755t=62755



CCIE Lab - I have seen the future and it is..... we [7:62756]

2003-02-10 Thread The Long and Winding Road
Been spending this weekend on what was once the Cisco Advanced SE Training
( ASET ) set of labs. These are available for those whose Cisco account team
approves - there are a few conditions which can be found in the wee places
of certification training.

The program is run by Lab Gear ( the only link I have is www.labgear.net, but
this is a login page ). There are a number of labs of CCIE level, look, and
feel.

Supposed to be real equipment, but the access is via java script windows,
not terminal emulation. This makes for some interesting situations. The
windows show or provide output only when they are active. So if you had two
router sessions open, and you made changes on one router that would generate
systems messages of one sort or another you would not see those messages on
the other. Also, I have yet to find a way to generate output from debugging
commands. Things like term mon and logging of one kind or another have not
been successful. So no debug ip routing and debug ip ospf adj.

As with the real lab, there are a series of tasks to be completed. Grading
is done via a script.  This is the point of most interest. Actually, I
suspect a lot of the current CCIE Lab grading is done using scripting tools.
I believe the proctors still physically examine equipment configurations for
some things, but I could be wrong.

It is of interest because to judge from the script outputs I am seeing,
there appears to be an assumption that there is one and only one way to do
things. I'm not sure this is always true. I am not sure that this results in
an entirely accurate grade.

But more importantly, given my experience with the java consoles and the
manner in which these labs must be done, I am not sure I like where this is
headed. Something Brian Dennis and Brad Ellis and some other people started
talking about back when the CCIE Lab went from two days to one - something
about the longer term goal being to do the test remotely, and having people
show up at Sylvan or some other testing center and log in remotely.

If the Lab Gear approach is any indication, this is not ready for real live
testing. I experienced far too many problems with terminal ( javascript )
sessions disconnecting mysteriously. With 8 open windows, it sometimes got
to be very hard to find the session ( router ) I was looking for. Cut and
paste is a real pain. You have to open a scratchpad window, which is
associated with the javascript console window. Cutting and pasting is done
to this window. There are scratchpad windows associated with each java window,
so if you had a scratchpad open for every router session, that makes for a
LOT of junk to fight your way through looking for what you want. Then there
is the problem of actually moving what you want to copy and paste. Highlight
and control c control v or alt e paste don't work. You have to click on
buttons on the java consoles to copy to and from routers.

Beyond that, there is the problem of whether or not the script answer is
the right answer. For example, in one lab, a particular instruction requires
that the RIP routers on a particular segment have to use the neighbor
statement to see each other ( and prevent other routers on that segment from
joining into the RIP domain ). Well, the problem is, one of those routers is
connected to another RIP router via a different interface. You need a neighbor
statement there too, but the script does not cover this, nor does the answer
configuration show this.

Anyway, I have seen the future, and the CCIE Lab future looks like it may be
heading to these kinds of remote lab settings.

--
TANSTAAFL
there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62756t=62756



RE: Password recovery [7:62738]

2003-02-10 Thread Ladrach, Daniel E.
Try the following: break into the router, next copy start to run, change the
password, copy run to start, change the config register back.

Daniel Ladrach
CCNP, CCNA
WorldCom



-Original Message-
From: Philip van Dalen [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 5:53 AM
To: [EMAIL PROTECTED]
Subject: Password recovery [7:62738]


Hi

I need to recover the password for a CISCO 2611 without wiping the
config?

Any ideas?

Philip




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62757t=62738



Re: E3 bandwidth issue. [7:62740]

2003-02-10 Thread [EMAIL PROTECTED]
Look at CAR





Router Kid @groupstudy.com on 10/02/2003 08:22:44

Please reply to Router Kid

Sent by:  [EMAIL PROTECTED]


To:  [EMAIL PROTECTED]
cc:

Subject:  E3 bandwidth issue. [7:62740]


If a client were to take an E3 (T3) would they be able to cap/restrict the
bandwidth at, let's say, 20Mbps? Could something be done to the router to
allow this?


Best Regards.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62758t=62740



Re: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread John Murphy
If you're asking what I think you're asking, then I think your answer is
yes, but you won't be able to pass any traffic across the circuit.  Unless
you've confused me (it doesn't seem I would be the only one), then the
answer might not be the same.


- Original Message -
From: Monu Sekhon 
To: 
Sent: Monday, February 10, 2003 12:13 AM
Subject: Simple Ip issue (need help) [7:62728]


 Hi All,
 I have a very simple question. Can we use duplicate IPs on serial interfaces
 among themselves, although we cannot use a duplicate IP on serial with an
 Ethernet (LAN interface) or loopback interface?


 My topology is like this

 Client router server router(connected back to back)
   2 interfaces   2 interfaces


 these routers connected back to back


 configuration
 int serial 0/0
 encap hdlc
 ip address 1.1.1.1 255.255.255.0

 int serial 0/1
 ip address 1.1.1.1 255.255.255.0
 encap hdlc



 Now, even if the two serial interfaces are given duplicate IPs among
 themselves, it works fine: no error from the CLI, the interfaces are up
 and I am able to ping the remote side.



 The ques is that

 1) The LAN interface was also in a different subnet, but the serial interface
 does not accept those IPs as duplicates, or those of the loopback.

 2) What implications does this have on my design? Any limitations?

 Can this type of design be used?

 This small thing is confusing me about IP.

 Thanx  in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62759t=62728



RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Walker, James - Is
Only problem is which side are you pinging




-Original Message-
From: John Murphy [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 11:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Simple Ip issue (need help) [7:62728]


If you're asking what I think you're asking, then I think your answer is
yes, but you won't be able to pass any traffic across the circuit.  Unless
you've confused me (it doesn't seem I would be the only one), then the
answer might not be the same.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62760t=62728



PIX firewall [7:62761]

2003-02-10 Thread hanan
Hello

Could you please tell me whether, with the Cisco PIX firewall, the clients
need to be firewall clients or not?

Hanan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62761t=62761



RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Monu Sekhon
Hi All,
Thanx again to all for contributing.
The confusion is still there.
I am pinging the remote side and I am able to.
Any comments from all? (still confused with the answers)

Walker, James - Is wrote:
 
 Only problem is which side are you pinging
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62762t=62728



CCIE Written Prep [7:62763]

2003-02-10 Thread Nguyen, David
I'm preparing for the written, any last minute advice on the new test?

David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62763t=62763



Why disable cdp for back-to-back serial connection? [7:62764]

2003-02-10 Thread Lawrence Law
Dear all,


From cisco configuration example

http://www.cisco.com/en/US/tech/tk713/tk317/technologies_configuration_example09186a00800944ff.shtml

I'm wondering whether the line "no cdp enable" is required on both routers
in order to bring a serial connection up for a back-to-back connection.

Regards,
Lawrence




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62764t=62764



RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Ladrach, Daniel E.
If you ping you are probably pinging the local IP. Try "debug ip icmp" to
verify what you are pinging.

Daniel Ladrach
CCNP, CCNA
WorldCom



-Original Message-
From: Monu Sekhon [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: Simple Ip issue (need help) [7:62728]


Hi All,
Thanx again for all for contribution
confusion still there ,
I am pinging remote side and I am able too.
any comments from all(still confused with answers)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62765t=62728



RE: Why disable cdp for back-to-back serial connection [7:62764]

2003-02-10 Thread Priscilla Oppenheimer
Cisco Discovery Protocol (CDP) is a management protocol that allows routers
and switches to tell each other about their IOS version, hardware platform,
and basic config info. Some security experts say to disable it because it
tells too much.

It has nothing to do with bringing the serial interface up/up. You could use
it or you could not. The two routers on the HDLC link don't have to agree.
One could send CDP while the other doesn't and the link should still come
up/up, assuming everything is OK at the physical and data-link layers.

It's too bad they used "no cdp enable" in that simple example with no
explanation. I don't think it's the default? So someone had to type it in,
so they should have explained it.

Priscilla


Lawrence Law wrote:
 
 Dear all,
 
 
 From cisco configuration example
 

 http://www.cisco.com/en/US/tech/tk713/tk317/technologies_configuration_example09186a00800944ff.shtml
 
 I'm wondering whether the line "no cdp enable" is required on
 both routers
 in order to bring a serial connection up for a back-to-back
 connection.
 
 Regards,
 Lawrence
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62766t=62764



RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Priscilla Oppenheimer
You can't have duplicate IP addresses anywhere. They have to be unique. The
only exceptions would be if you were doing some sort of NAT or tunneling or
something and the duplicates were hidden from each other.

You don't get an error when you try to configure it because it's a lot
harder for IOS to detect this on a serial interface than on an Ethernet
interface. On Ethernet, a Cisco router ARPs for the address you give it. If
it receives a reply, then it gives you an error and won't let you use the
address. There's no ARP in serial land.

You think you're pinging successfully, but how do you know who is really
replying?

Even if you could assign duplicate IP addresses, you shouldn't. You would
wreak havoc with all sorts of things. There's no reason to do it either. If
you're concerned with running out of addresses, just use private addresses.
The 10.0.0.0 network has 16 million possibilities.

Someone had to get blunt here! :-)

___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com




Ladrach, Daniel E. wrote:
 
 If you ping you are probably pinging the local IP. Try "debug ip
 icmp" to
 verify what you are pinging.
 
 Daniel Ladrach
 CCNP, CCNA
 WorldCom
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62767t=62728



RE: PIX firewall [7:62761]

2003-02-10 Thread Priscilla Oppenheimer
hanan wrote:
 
 Hello
 
 Could you please tell me in the PIX Cisco firewall their
 clients need to be
 firewall clients or not?

PIX isn't a client/server architecture. Firewalls generally aren't. The term
"firewall client" isn't usually used.

PIX is a network firewall that protects an inside network from the outside.
It examines all TCP/IP traffic, in and out. It doesn't care who is sending
the traffic. It works on any ordinary network where the clients and servers
run a variety of operating systems.

Now, if you are concerned with VPNs, then the terms client and server do get
used.

I think it's still true, though, that PIX would work with a variety of VPN
clients. Someone correct me if I'm wrong. Thanks.

Priscilla

 
 Hanan
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62768t=62761



access-group difference [7:62769]

2003-02-10 Thread Ismail Al-Shelh
Can someone explain the difference between the following access-group
commands and the impact of each access-list bound to those interfaces?

access-list acl_in permit tcp any any
access-group acl_out in interface outside
 
and
 
Access-list acl_in permit tcp any any 
access-group acl_in in interface inside
 
Regards,
Ismail Al-Shelh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62769t=62769



RE: access-group difference [7:62769]

2003-02-10 Thread BJ Rice
access-list acl_in permit tcp any any - creates an access list which permits
all tcp from any source to any destination

access-group acl_out in interface outside - binds the acl_out access list to
the outside interface (for inbound traffic).  You must determine what the
acl_out access list contains before determining the impact of this
access-group command.

and 

Access-list acl_in permit tcp any any - creates an access list which permits
all tcp from any source to any destination

access-group acl_in in interface inside - binds the acl_in access list
(created above) to the outside interface (for inbound traffic).

The access-list command creates your access lists and the access-group
command binds the list to an interface.  You can have multiple access-lists
and never bind them to an interface, however you can't have an access-group
command without an associated access-list.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62770t=62769



RE: access-group difference [7:62769]

2003-02-10 Thread Priscilla Oppenheimer
This must be on PIX? The syntax isn't quite right for IOS.

Ismail Al-Shelh wrote:
 
 Can someone explain the difference between the following
 access-group
 commands and the impact of each access-list binded with those
 interfaces?

 access-list acl_in permit tcp any any

The "acl_in" is just a name for the access list. You can call it anything
you want. This is permitting TCP with any source and destination address.

 access-group acl_out in interface outside

This wouldn't do anything because the name "acl_out" doesn't exist. Was that
a typo?

  
 and
  
 Access-list acl_in permit tcp any any 
 access-group acl_in in interface inside

PIX access lists are always for traffic coming into the specified interface,
from what I can tell. The "in interface" is part of the command. It's not
optional. So, do you want to permit TCP traffic coming into the outside
interface, or do you want to permit TCP traffic coming into the inside
interface? "Coming into" refers to traffic from the connected network
entering the interface, as opposed to traffic sent by the interface, which
would be "out" on Cisco IOS.

Your first example permits TCP coming into the outside interface. The second
example permits traffic coming into the inside interface.

___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com


  
 Regards,
 Ismail Al-Shelh
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62771t=62769



RE: access-group difference [7:62769]

2003-02-10 Thread BJ Rice
oops, one mistake 

I meant to say this 

access-group acl_in in interface inside - binds the acl_in access list
(created above) to the inside interface .

instead of this
access-group acl_in in interface inside - binds the acl_in access list
(created above) to the outside interface (for inbound traffic).



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62772t=62769
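A small config check for the two snippets discussed in this thread, added here as an example (not a Cisco tool and not code from the thread): it parses PIX-style access-list and access-group lines and flags the points the replies turned on, an access-group naming a list that does not exist, a list that is never bound, and a permit any any bound inbound on the outside interface. The third snippet is a constructed variant.

```python
"""Lint PIX-style access-list / access-group pairs such as the two asked about above.

Checks the points the thread turns on: an access-group must name a list that
exists, a list never bound with access-group filters nothing, and a 'permit ...
any any' bound inbound on the outside interface deserves a second look.
Not a Cisco tool; the third snippet below is constructed.
"""
import re
from collections import defaultdict

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*?)\s*$",
                    re.IGNORECASE)
GROUP_RE = re.compile(r"^\s*access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$",
                      re.IGNORECASE)


def lint_pix_acls(config: str):
    """Return (findings, bindings).

    findings: sorted list of (line_number, severity, message)
    bindings: {interface_name: acl_name} once the whole config is applied
    """
    lists = defaultdict(list)   # acl name -> [(lineno, action, protocol, rest)]
    bindings = {}               # interface -> acl name bound inbound on it
    findings = []
    lines = list(enumerate(config.splitlines(), 1))

    # Pass 1: collect every access-list entry, whatever order the config uses.
    for lineno, raw in lines:
        m = ACL_RE.match(raw)
        if m:
            name, action, proto, rest = m.groups()
            lists[name].append((lineno, action.lower(), proto.lower(), rest))

    # Pass 2: bind lists to interfaces and catch references to undefined lists.
    for lineno, raw in lines:
        m = GROUP_RE.match(raw)
        if not m:
            continue
        name, iface = m.group(1), m.group(2).lower()
        if name not in lists:
            findings.append((lineno, "ERROR",
                             "access-group names access-list '%s', which is not defined" % name))
        bindings[iface] = name

    # Pass 3: lists that do nothing, and wide-open permits facing the outside.
    bound = set(bindings.values())
    for name, entries in lists.items():
        if name not in bound:
            findings.append((entries[0][0], "INFO",
                             "access-list '%s' is never bound with access-group, "
                             "so it filters nothing" % name))
            continue
        on_outside = any(n == name and i == "outside" for i, n in bindings.items())
        for lineno, action, proto, rest in entries:
            if on_outside and action == "permit" and rest.split()[:2] == ["any", "any"]:
                findings.append((lineno, "WARN",
                                 "'%s' permits %s from any to any inbound on outside; "
                                 "confirm that is intended" % (name, proto)))
    findings.sort()
    return findings, bindings


# The two snippets from the question, plus one constructed variant.
EXAMPLE_1 = """access-list acl_in permit tcp any any
access-group acl_out in interface outside"""

EXAMPLE_2 = """Access-list acl_in permit tcp any any
access-group acl_in in interface inside"""

# Constructed: the same list, but bound on the outside interface.
EXAMPLE_3 = """access-list acl_in permit tcp any any
access-group acl_in in interface outside"""

if __name__ == "__main__":
    for label, cfg in [("first snippet", EXAMPLE_1), ("second snippet", EXAMPLE_2),
                       ("constructed variant", EXAMPLE_3)]:
        findings, bindings = lint_pix_acls(cfg)
        print("%s: bindings=%s" % (label, bindings))
        for lineno, sev, msg in findings:
            print("  line %d %s: %s" % (lineno, sev, msg))
```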



Books new lab format. [7:62774]

2003-02-10 Thread Nuno Lopes
Hi all,

Anybody help me with the most complete books to prepare for the new lab
format?

At the moment I use the All-In-One Cisco CCIE Lab Study Guide 2nd Edition and
the Cisco CCIE Lab Practice Kit.

Are there any more complete books in the field?

tks all











Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62774t=62774



Router delay/latency issue [7:62775]

2003-02-10 Thread [EMAIL PROTECTED] (Terrance M. Schmitt)
Background

I have two sites connected via 2600 series routers and a
point-to-point T1.  Recently we were able to piggy-back on a faster
connection using two Pix 515's and a VPN tunnel.  I'd like to keep the
T1 for load-balancing and fault-tolerance.  To do this, the clients
have to go to the router first, because if they go to the Pix and the
link is down, the Pix won't route the requests.  

Problem

The delay going from the client to the router and then to the Pix is
quite large, yielding a throughput of about 83% of that found when
going from the client to the router across the T1.  In contrast, going
from the client to the Pix directly yields a throughput of about 130%
over the router/T1 combo.

Question

Of course, there is latency involved in going up to the router first.
But is there a way to reduce the latency on the router and/or allow
the Pix to redirect the traffic in the event that the route is
unavailable?  I understand that the Pix doesn't do routing, so I'm
thinking that it isn't, but I'm looking for suggestions.

Terry
Terrance M. Schmitt 
[EMAIL PROTECTED] 
CCNP,CCDA,NNCSS,NNCDS,MCSE,CNA,CCA,A+




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62775t=62775



Re: VPN Partial Connectivity [7:62639]

2003-02-10 Thread Dain Deutschman
VPN terminates at the PIX. The problem ended up being that a few internal
hosts did not have their gateway set up... also... the mail server was a Team
Internet ( appliance )... and it refused to see any other gateway other than
itself... hmmm.
Anyway, we are providing a workaround for the remote user to get his
mail, but after adding a gateway IP and static route to the Novell
server... it works. And the Adtran TSU had no gateway also...

Thanks for your input though..

Cheers
Albert Lu  wrote in message
news:[EMAIL PROTECTED]...
 Hi,

 You mentioned that you were doing static NAT on the router; this could
 affect it if the VPN client terminates on the router. The IP addresses that
 you have statics for are translated to the global IP address, and don't go
 through your VPN, since the access-list in your crypto map doesn't identify
 it as traffic needing to be encrypted.

 Albert

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Dain Deutschman
 Sent: Saturday, February 08, 2003 3:49 AM
 To: [EMAIL PROTECTED]
 Subject: VPN Partial Connectivity [7:62639]


 Hi,

 When connecting a vpn via VPN Client 3.x I am able to ping only certain
 addresses...
 192.168.1.180 Server
 192.168.1.10 LAN Station

 But Not Others...
 192.168.1.1 Inside Interface Of PIX
 192.168.1.2 Mail Server
 192.168.1.3 CSU/DSU management address

 I have a vpn setup as follows:

 Vpn Client--INTERNET--1721Router--PIX--LAN

 *The 1721 router is doing static nat to the outside   interface of the
pix.
 The vpn terminates at the pix.

 *I'm using vpngroup to assign ip info to the client.

 * The LAN ip scheme is 192.168.1.0/24 where the first 9 addresses are left
 out of the local dhcp pool

 *The vpn client is getting assigned from local-pool range 192.168.2.1-50

 *I have a route on the pix route inside 192.168.2.0 255.255.255.0
 192.168.1.1

 *The inside interface of the pix is 192.168.1.1

 Here is my config...

 PIX(config)# wr t
 Building configuration...
 : Saved
 :
 PIX Version 6.2(2)
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 enable password encrypted
 passwd encrypted
 hostname PIX
 fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol h323 h225 1720
 fixup protocol h323 ras 1718-1719
 fixup protocol ils 389
 fixup protocol rsh 514
 fixup protocol rtsp 554
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol sip 5060
 fixup protocol skinny 2000
 names
 access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0
 255.255.255.0
 pager lines 24
 interface ethernet0 10baset
 interface ethernet1 10baset
 mtu outside 1500
 mtu inside 1500
 ip address outside 172.16.2.2 255.255.255.240
 ip address inside 192.168.1.1 255.255.255.0
 ip audit info action alarm
 ip audit attack action alarm
 ip local pool NEWMEX 192.168.2.1-192.168.2.50
 pdm history enable
 arp timeout 14400
 global (outside) 1 172.16.2.3
 nat (inside) 0 access-list 101
 nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 conduit permit icmp any any echo-reply
 conduit permit icmp any any echo
 route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
 route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
 0:05:00 si
 p 0:30:00 sip_media 0:02:00
 timeout uauth 0:05:00 absolute
 aaa-server TACACS+ protocol tacacs+
 aaa-server RADIUS protocol radius
 aaa-server LOCAL protocol local
 no snmp-server location
 no snmp-server contact
 snmp-server community public
 no snmp-server enable traps
 floodguard enable
 sysopt connection permit-ipsec
 no sysopt route dnat
 crypto ipsec transform-set myset esp-3des esp-sha-hmac
 crypto dynamic-map dynmap 10 set transform-set myset
 crypto map mymap 1 ipsec-isakmp dynamic dynmap
 crypto map mymap interface outside
 isakmp enable outside
 isakmp identity address
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption 3des
 isakmp policy 10 hash sha
 isakmp policy 10 group 2
 isakmp policy 10 lifetime 86400
 vpngroup vpn address-pool NEWMEX
 vpngroup vpn dns-server x.x.x.y x.x.x.z
 vpngroup vpn default-domain domain.com
 vpngroup vpn split-tunnel 101
 vpngroup vpn idle-time 1800
 vpngroup vpn password
 telnet timeout 5
 ssh timeout 5
 dhcpd address 192.168.1.10-192.168.1.42 inside
 dhcpd lease 3600
 dhcpd ping_timeout 750
 dhcpd enable inside
 terminal width 80
 Cryptochecksum:a71ebfc24ae

 Any ideas?? I'm sort of stumped at this point. Thanks!

 --
 Dain Deutschman
 CCNP, CSS-1, CCNA, MCP, CNA
 Data Communications Manager




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62773t=62639
--

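The thread's root cause turned out to be hosts without a default gateway, but the other classic reason a VPN client can reach some inside hosts and not others is that the client pool is missing from the NAT-exemption ACL (`nat (inside) 0 access-list`) or from the split-tunnel ACL. The checker below is an added example, not code from the thread or from Cisco; it parses the relevant lines of the posted PIX 6.x config (embedded as a constructed sample) and confirms that each referenced ACL has an entry whose source covers the inside LAN and whose destination covers the whole client pool. The posted config passes; a constructed variant with the wrong destination subnet fails.

```python
"""Audit a PIX 6.x config for the two ACL references a VPN client pool
depends on: the NAT-exemption ACL ('nat (inside) 0 access-list') and the
split-tunnel ACL.  Added example, not code from the thread."""
import ipaddress
import re

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool NEWMEX 192.168.2.1-192.168.2.50
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup vpn address-pool NEWMEX
vpngroup vpn split-tunnel 101
"""

# Constructed negative case: the ACL names a destination subnet that is not
# the pool, so client traffic would be NATed and would not be split-tunnelled.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "192.168.2.0 255.255.255.0", "192.168.3.0 255.255.255.0")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def _net(addr, mask):
    # strict=False lets a host address plus mask describe its network
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """{acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
    return acls


def parse_pools(config):
    """{pool_name: (first_address, last_address)}."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, lo, hi = m.groups()
            pools[name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    return pools


def _first(config, pattern):
    m = re.search(pattern, config, re.MULTILINE)
    return m.group(1) if m else None


def audit_vpn_pool(config):
    """Return {'nat0': bool, 'split': bool}: whether each referenced ACL has
    an entry whose source covers the inside LAN and whose destination covers
    the whole client pool."""
    acls = parse_acls(config)
    pools = parse_pools(config)
    lo, hi = pools[_first(config, r"^vpngroup \S+ address-pool (\S+)$")]
    inside = _first(config, r"^ip address inside (\S+ \S+)$")
    lan = _net(*inside.split())
    refs = {
        "nat0": _first(config, r"^nat \(inside\) 0 access-list (\S+)$"),
        "split": _first(config, r"^vpngroup \S+ split-tunnel (\S+)$"),
    }
    return {
        key: any(lan.subnet_of(src) and lo in dst and hi in dst
                 for src, dst in acls.get(name, []))
        for key, name in refs.items()
    }
```

Run `audit_vpn_pool()` over a saved `write terminal` dump; a `False` for `nat0` means the PIX will translate client-bound traffic through `global (outside)` instead of returning it to the tunnel, and a `False` for `split` means the client will not even route the LAN into the tunnel.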


CCIE Study group in Chicago? [7:62777]

2003-02-10 Thread Nguyen, David
Any CCIE study groups here in the Chicago area?

Regards,

David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62777t=62777
--



Dynamic MultiPoint VPN [7:62779]

2003-02-10 Thread Richard Tufaro
Hi, I'm posting to inquire about the new feature introduced in rev
12.2(13)T1 called DMVPN.

Has anyone had any experience configuring it? Good, bad?

I have a scenario where I'm about to deploy 36 1760 bundles
(CISCO1760-VPN/K9) with some 2611XM's and a 7204 at the hub connected to
a DS3.

We are going to be using the full CiscoWorks package, including VMS for
administration.

So the scenario plays out like this:

36 sites (1760's (with VPN mods) 2611XM's (with VPN mods), All remote
sites have 6 usable Internet routable IP's, hub site has a 7204 and
2611XM, the 7204 has a DS3, 2611XM has 2 T1's, HUB site running BGP
advertising 2 class C's. All remote office connections will be dumped
into a DMZ and ACL'ed to the internal network (PIX is the firewall).

Comments questions? Advice? Welcome.

--Rich




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62779t=62779
--



Re: CCIE Lab - I have seen he future and it is.... [7:62776]

2003-02-10 Thread Charles Riley
Chuck,

Your post reminds me of those weird little ice cream stands that I sometimes
see at the mall and various carnivals.  It's called something like Dipping
Dots - The Ice Cream of the Future.  The initial human instinct is much
like the Cro-Magnon humanoids encountering the monolith  at the beginning of
2001: A Space Odyssey (sp):  jump up and down with excitement until you
realize it's just freeze dried ice cream.

Rounding out that analogy, the CCIE of the future will probably be reduced
to being the CCNP of today.  Regardless, I have spent too much time and
money to abandon the quest for CCIE now, but frankly, if I hadn't invested
as much as I have, I would most likely abandon the quest in favor of
broadening into other areas.  I really don't see much market value for the
CCIE anymore, especially with Cisco hellbent on making it a meatgrinding
cash cow. Your java console and one way only to configure experience kind
of bears this out.

Sorry for the depressing post, just wanted to share.

Charles





The Long and Winding Road  wrote in
message news:[EMAIL PROTECTED]...
 Been spending this weekend on what was once the Cisco Advanced SE Training
 ( ASET ) set of labs. These are available for those whose Cisco account
 team approves - there are a few conditions which can be found in the wee
 places of certification training.

 The program is run by Lab Gear ( the only link I have is www.labgear.net,
 but this is a login page ). There are a number of labs of CCIE level,
 look, and feel.

 Supposed to be real equipment, but the access is via java script windows,
 not terminal emulation. This makes for some interesting situations. The
 windows show or provide output only when they are active. So if you had
 two router sessions open, and you made changes on one router that would
 generate system messages of one sort or another, you would not see those
 messages on the other. Also, I have yet to find a way to generate output
 from debugging commands. Things like term mon and logging of one kind or
 another have not been successful. So no debug ip routing and debug ip
 ospf adj.

 As with the real lab, there are a series of tasks to be completed. Grading
 is done via a script. This is the point of most interest. Actually, I
 suspect a lot of the current CCIE Lab grading is done using scripting
 tools. I believe the proctors still physically examine equipment
 configurations for some things, but I could be wrong.

 It is of interest because, to judge from the script outputs I am seeing,
 there appears to be an assumption that there is one and only one way to do
 things. I'm not sure this is always true. I am not sure that this results
 in an entirely accurate grade.

 But more importantly, given my experience with the java consoles and the
 manner in which these labs must be done, I am not sure I like where this
 is headed. Something Brian Dennis and Brad Ellis and some other people
 started talking about back when the CCIE Lab went from two days to one -
 something about the longer term goal being to do the test remotely, and
 having people show up at Sylvan or some other testing center and log in
 remotely.

 If the Lab Gear approach is any indication, this is not ready for real
 live testing. I experienced far too many problems with terminal
 ( javascript ) sessions disconnecting mysteriously. With 8 open windows,
 it sometimes got to be very hard to find the session ( router ) I was
 looking for. Cut and paste is a real pain. You have to open a scratchpad
 window, which is associated with the javascript console window. Cutting
 and pasting is done to this window. There are scratchpad windows
 associated with each java window, so if you had a scratchpad open for
 every router session, that makes for a LOT of junk to fight your way
 through looking for what you want. Then there is the problem of actually
 moving what you want to copy and paste. Highlight and control-c /
 control-v or alt-e paste don't work. You have to click on buttons on the
 java consoles to copy to and from routers.

 Beyond that, there is the problem of whether or not the script answer is
 the right answer. For example, in one lab, a particular instruction
 requires that the RIP routers on a particular segment have to use the
 neighbor statement to see each other ( and prevent other routers on that
 segment from joining into the RIP domain ). Well, the problem is, one of
 those routers is connected to another RIP router via a different
 interface. You need a neighbor statement there too, but the script does
 not cover this, nor does the answer configuration show this.

 Anyway, I have seen the future, and the CCIE Lab future looks like it may
 be heading to these kinds of remote lab settings.

 --
 TANSTAAFL
 there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62776t=62776
--

RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Peter van Oene
At 06:18 PM 2/10/2003 +, Priscilla Oppenheimer wrote:
You can't have duplicate IP addresses anywhere. They have to be unique. The
only exceptions would be if you were doing some sort of NAT or tunneling or
something and the duplicates were hidden from each other.

You don't get an error when you try to configure it because it's a lot
harder for IOS to detect this on a serial interface than on an Ethernet
interface. On Ethernet, a Cisco router ARPs for the address you give it. If
it receives a reply, then it gives you an error and won't let you use the
address. There's no ARP in serial land.

You think you're pinging successfully, but how do you know who is really
replying?

Even if you could assign duplicate IP addresses, you shouldn't. You would
wreak havoc with all sorts of things. There's no reason to do it either. If
you're concerned with running out of addresses, just use private addresses.
The 10.0.0.0 network has 16 million possibilities.

For what it's worth, duplicating the same IP across a set of DNS servers in
the same AS can provide an interesting spin on resiliency, so long as you
configure unique IPs for normal communication. This sort of thing works
well for protocols that are stateless (UDP DNS).

Anycast-RP in PIM networks also uses the same IP on multiple boxes :-)

Someone had to get blunt here! :-)

Someone had to split some hair !



___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com




Ladrach, Daniel E. wrote:
 
  If you ping you are probably pinging the Local IP.Try debug ip
  icmp to
  verify what you are pinging.
 
  Daniel Ladrach
  CCNP, CCNA
  WorldCom
 
 
 
  -Original Message-
  From: Monu Sekhon [mailto:[EMAIL PROTECTED]]
  Sent: Monday, February 10, 2003 12:03 PM
  To: [EMAIL PROTECTED]
  Subject: RE: Simple Ip issue (need help) [7:62728]
 
 
  Hi All,
  Thanx again for all for contribution
  confusion still there ,
  I am pinging remote side and I am able too.
  any comments from all(still confused with answers)
 
  Walker, James - Is wrote:
  
   Only problem is which side are you pinging
  
  
  
  
   -Original Message-
   From: John Murphy [mailto:[EMAIL PROTECTED]]
   Sent: Monday, February 10, 2003 11:15 AM
   To: [EMAIL PROTECTED]
   Subject: Re: Simple Ip issue (need help) [7:62728]
  
  
   If you're asking what I think you're asking, then I think your
   answer is
   yes, but you won't be able to pass any traffic across the
   circuit.  Unless
   you've confused me (it doesn't seem I would be the only one),
   then the
   answer might not be the same.
  
  
   - Original Message -
   From: Monu Sekhon
   To:
   Sent: Monday, February 10, 2003 12:13 AM
   Subject: Simple Ip issue (need help) [7:62728]
  
  
Hi All,
I have very simple question, Can we use duplicate ips on
   serial interfaces
among them seleves although we cannot use duplicate ip on
   serial with
Ethernet(lan interface) or loopback interface.
   
   
My topology is like this
   
Client router server router(connected back to back)
  2 interfaces   2 inetrfaces
   
   
these routers connected back to back
   
   
configuration
int serial 0/0
encap hdlc
ip address 1.1.1.1 255.255.255.0
   
int serial 0/1
ip address 1.1.1.1 255.255.255.0
encap hdlc
   
   
   
now if all the two interfaces of serial even if given
   duplicate ip among
themselves works fine. no error from cli .interfaces are up
and i am able to ping remote side.
   
   
   
The ques is that
   
1) Lan interface also was in different subnet but serial
   interface
doesnot accept that ips as duplicate or of loopback
   
2)What Implication such have on my design ,any limitation it
   has
   
Does this type of design can be used,
   
This is small thing is confusing me about ip.
   
Thanx  in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62780t=62728
--



Re: Any help appreciated - Router will not route.... [7:62568]

2003-02-10 Thread Keith Campbell
Hmm, I don't think the problem lies with the ISDN or its capability to dial;
as DW mentioned, pings are possible from router to router, so a route is
possible, just not from the LAN.
Possibly a better debug would be debug ip icmp, and then run either extended
pings from the Fast Ethernet, or from the client on the LAN.
HTH
Keith
Juntao  wrote in message
news:[EMAIL PROTECTED]...
 I'd check the ISDN stuff: deb dialer, deb isdn q931, etc...

 DW wrote in message news:
 [EMAIL PROTECTED]
  When the primary is up the route table shows:
 
   192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
  S   192.1.1.0/24 is directly connected, Serial0/0:1
  C   192.1.1.25/32 is directly connected, Serial0/0:1
 
  When the primary goes down it shows:
 
  192.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
  S   192.1.1.0/24 is directly connected, BRI1/1
  C   192.1.1.25/32 is directly connected, BRI1/1
 
  This is why I don't understand why it will not work !!
 
  Thanks,
 
  Derek
 
 
 
   wrote in message
  news:[EMAIL PROTECTED]...
   What does your route table show on both routers?
  
   Mark
  
I have a 3640 router (Pri rate Interface / backup ISDN interfaces)
 that
  is
not performing as I thought it would...One of the channelised
 interfaces
went down yesterday and the backup ISDN for that line kicked in,
 however
  I
could no longer ping into the remote site once the backup came up -
 The
remote router is a 1720.
I could ping from router to router (In both directions).
I could not ping from a client in Site A to router in Site B, or
 beyond.
I could not ping from a client in Site B to router in Site A, or
 beyond.
   
Below is part of the config:
   
SITE A - 3640
   
interface FastEthernet0/0
 ip address 192.168.25.25 255.255.255.0
   
 duplex auto
   
 speed 100
   
 no cdp enable
   
   
interface Serial0/0:1
   
 bandwidth 128
   
 backup delay 20 20
   
 backup interface BRI1/1
   
 ip unnumbered FastEthernet0/0
   
 no ip directed-broadcast
   
 encapsulation ppp
   
 fair-queue 64 256 0
   
 no cdp enable
   
   
   
interface BRI1/1
   
 ip unnumbered FastEthernet0/0
   
 no ip directed-broadcast
   
 encapsulation ppp
   
 dialer idle-timeout 300
   
 dialer string 
   
 dialer hold-queue 20
   
 dialer-group 1
   
 isdn switch-type basic-net3
   
 no cdp enable
   
 ppp authentication chap
   
   
   
ip route 192.1.1.0 255.255.255.0 Serial0/0:1
   
ip route 192.1.1.0 255.255.255.0 BRI1/1 50
   
   
   
access-list 100 permit ip any any
   
access-list 100 permit icmp any any
   
dialer-list 1 protocol ip list 100
   
   
   
SITE B - 1720
   
   
   
interface BRI0
 ip unnumbered FastEthernet0
 encapsulation ppp
 dialer idle-timeout 300
 dialer string XXX
   
 dialer hold-queue 50
 dialer-group 1
 isdn switch-type basic-net3
 ppp authentication chap
!
interface FastEthernet0
 ip address 192.1.1.25 255.255.255.0
 speed auto
!
interface Serial0
 bandwidth 128
 backup delay 20 20
 backup interface BRI0
 ip unnumbered FastEthernet0
!
ip classless
ip route 192.168.25.0 255.255.255.0 Serial0
ip route 192.168.25.0 255.255.255.0 BRI0 50
no ip http server
!
access-list 100 permit ip any any
access-list 100 permit icmp any any
dialer-list 1 protocol ip list 100
   
   
   
Can anyone out there see anything obviously wrong with the above
  config
   
   
   
Thanks in advance.
   
   
   
Derek




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62781t=62568
--



Re: CCIE Study group in Chicago? [7:62777]

2003-02-10 Thread Chris Theiss
I'd be interested in joining one, or forming a new one.

Nguyen, David wrote:
 Any CCIE study groups here in the Chicago area?
 
 Regards,
 
 David
-- 
Chris Theiss
IPG WAN Group
[EMAIL PROTECTED]
(312) 425-6624




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62782t=62777
--



Re: Forwarding traffic on port 80 [7:62723]

2003-02-10 Thread Jose Canillas
Did you check the commands ip nat outside and ip nat inside on the
corresponding interfaces?

I missed them more than once

Regards,

Jose

McHugh Randy  wrote in message
news:[EMAIL PROTECTED]...
 I am looking for the command to forward traffic to port 80 from the
outside
 public address to an inside private address on a 2514. This should do the
 trick but does not seem to be working


 ip nat inside source static tcp 192.168.1.4 80 68.85.x.x 80 extendable

 Any one have any other suggestions?
 thx
 Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62783t=62723
--

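Jose's point is the usual cause: the static translation line is only half the job, because IOS translates packets only when they cross from an interface marked `ip nat inside` to one marked `ip nat outside`. The checker below is an added example, not code from the thread or from Cisco; it parses an IOS-style config (embedded as a constructed sample that uses the documentation address 203.0.113.2 in place of the poster's elided 68.85.x.x) and reports whether the inside-local address of each static entry sits on an interface marked inside and whether any interface is marked outside. The same config with both marks added passes.

```python
"""Check an IOS config for what Jose points at: a static NAT entry needs an
'ip nat inside' interface holding the inside-local address and some
'ip nat outside' interface to translate across.  Added example, not from
the thread; 203.0.113.2 stands in for the elided 68.85.x.x address."""
import ipaddress
import re

# Constructed sample: the NAT line from the thread, but no interface marks.
MISSING_MARKS = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
!
ip nat inside source static tcp 192.168.1.4 80 203.0.113.2 80 extendable
"""

# Constructed corrected sample: same config with both interfaces marked.
MARKED = MISSING_MARKS.replace(
    " ip address 192.168.1.1 255.255.255.0\n",
    " ip address 192.168.1.1 255.255.255.0\n ip nat inside\n").replace(
    " ip address 203.0.113.2 255.255.255.252\n",
    " ip address 203.0.113.2 255.255.255.252\n ip nat outside\n")

# Matches both plain and port-level (tcp/udp) static entries.
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:(tcp|udp) )?(\S+)(?: (\d+))? (\S+)(?: (\d+))?")


def parse_interfaces(config):
    """{name: {'net': IPv4Network or None, 'nat': 'inside'|'outside'|None}}"""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"net": None, "nat": None}
        elif cur and line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4:
                ifaces[cur]["net"] = ipaddress.ip_network(
                    f"{parts[2]}/{parts[3]}", strict=False)
        elif cur and line in ("ip nat inside", "ip nat outside"):
            ifaces[cur]["nat"] = line.split()[-1]
        elif line == "!":
            cur = None
    return ifaces


def parse_static_nats(config):
    """[(inside_local, inside_global)] from 'ip nat inside source static' lines."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out.append((ipaddress.ip_address(m.group(2)),
                        ipaddress.ip_address(m.group(4))))
    return out


def audit_static_nat(config):
    """Return a list of human-readable findings; an empty list means the
    static translation has the interface marks it needs."""
    ifaces = parse_interfaces(config)
    findings = []
    if not any(i["nat"] == "outside" for i in ifaces.values()):
        findings.append("no interface is marked 'ip nat outside'")
    for local, _glob in parse_static_nats(config):
        holders = [n for n, i in ifaces.items() if i["net"] and local in i["net"]]
        if not holders:
            findings.append(f"{local}: no interface subnet contains it")
        elif not any(ifaces[n]["nat"] == "inside" for n in holders):
            findings.append(f"{local}: {holders[0]} is not marked 'ip nat inside'")
    return findings
```

Feed it a `show running-config` dump; `show ip nat translations` on the router will stay empty for the forwarded port until both findings are cleared.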


BGP exam study recommendations [7:62784]

2003-02-10 Thread Peter Walker
Folks

I am wondering if anyone has any recommendations for BGP study. I am
booked in for the BGP beta exam on Friday and still don't feel
comfortable with my level of BGP knowledge. I have read the following
over the last few months:

Halabi - Internet Routing Architectures.
Doyle Vol 2 (BGP sections)
John Stewart III (BGP4 book)
William Parkhurst (The RFC stuff at the back 
and some of the command reference)

I am going to go back and reread some of Halabi, all of the Parkhurst
command reference chapters and probably some of the RFCs.

Does anyone have any additional 'must-read' references that I should
look at before Friday? I realise that I have all the basic info that I
need and, to be honest, feel that I could pass the test already. However,
I am one of those people that want to understand things at the
gut/instinct level and I really don't feel that I am at that point yet.

Any other suggestions?

Peter Walker
CISSP, CSS1, CC[NID]P, etc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62784t=62784
--



RE: CCIE Study group in Chicago? [7:62777]

2003-02-10 Thread Fernandez, Tim
Hey, what about a CCNP Study Group in Chicago?

Timothy B. Fernandez
Network Technician
Technical Operations New York 2
Thomson Financial








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62785t=62777
--



RE: Any help appreciated - Router will not route.... [7:62568]

2003-02-10 Thread Ladrach, Daniel E.
Do you have a traceroute showing where it died?

Daniel Ladrach
CCNP, CCNA
WorldCom



-Original Message-
From: Keith Campbell [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 5:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Any help appreciated - Router will not route [7:62568]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62786t=62568
--



RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Priscilla Oppenheimer
No problem with the splitting of hairs. :-)

I have been wondering why Cisco lets you do what the original poster is
doing, which most of us misunderstood. He is using the same IP address on 2
serial interfaces on the SAME router.

If you try to use the same IP address on two Ethernet interfaces, you just
get an error when you try to configure the second Ethernet interface.

With two serial interfaces, you don't get an error. Is this just an
oversight? There are many such oversights in Cisco IOS. :-) Or maybe there
is a real reason to do it.

I said in my original message that there's no ARP on serial interfaces so
the router can't easily figure out if anyone else is using its address like
it does on Ethernet. On Ethernet the router can send an ARP to see if
someone else replies. But that's someone else on the LAN connected to the
interface, not another interface on the same router.

So, if it gives you an error on Ethernet when you use an address you have
already used on another Ethernet interface, why doesn't it give you an error
for serial interfaces? Maybe there's an actual technical reason, although
probably it's just an oversight.

By the way, it lets you configure an Ethernet interface to use an address
already in use on a serial interface, but if you try to do it in the other
order then you get an error. That's probably just another oversight.

Cisco has always given you enough rope to hang yourself. Decent error
messages have never been any more important than ease-of-use. :-)

Priscilla


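The Ethernet check Priscilla describes (the router asks the segment who owns the address before accepting it) is the same mechanism as the ARP Probe of RFC 5227, and it is what a serial link cannot do because there is no ARP there. The code below is an added example, not from the thread or from IOS; it builds the probe frame, parses ARP replies, and decides from a constructed capture (our probe, a reply from another station that already owns 1.1.1.1, and an unrelated IPv4 frame) which MACs are contesting the address. Putting these bytes on the wire would need a raw socket; on a serial link the only equivalent check is the one Daniel suggests, `debug ip icmp`, to see which box actually answers the ping.

```python
"""Ethernet duplicate-address detection as described above: send an ARP
request for the address you want to use and treat any answer as a conflict.
Added example; it builds and parses raw ARP frames on constructed bytes so
it runs offline."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")            # dst, src, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen op sha spa tha tpa


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_arp(op, src_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Assemble an Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    eth = ETH_HDR.pack(dst_mac, src_mac, ETH_P_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, src_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def build_arp_probe(src_mac, candidate_ip):
    """ARP Probe (RFC 5227): sender IP 0.0.0.0, so the probe itself never
    seeds anyone's ARP cache with the not-yet-claimed address."""
    return build_arp(ARP_REQUEST, src_mac, ip_bytes("0.0.0.0"), b"\0" * 6, candidate_ip)


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def conflicting_macs(frames, my_mac, candidate_ip):
    """MACs of other stations that claim candidate_ip in the captured frames.
    Two cases count: any ARP whose sender IP is the candidate (a reply to our
    probe, or a gratuitous ARP), and another station's probe for the same
    address (sender IP 0.0.0.0, target IP = candidate)."""
    claimants = set()
    for frame in frames:
        a = parse_arp(frame)
        if a is None or a["sha"] == my_mac:
            continue
        if a["spa"] == candidate_ip:
            claimants.add(a["sha"])
        elif (a["op"] == ARP_REQUEST and a["spa"] == ip_bytes("0.0.0.0")
              and a["tpa"] == candidate_ip):
            claimants.add(a["sha"])
    return claimants


# Constructed sample capture: our probe, a reply from a station that already
# owns 1.1.1.1, and an unrelated IPv4 frame that must be ignored.
MY_MAC = bytes.fromhex("0200000000aa")
OTHER_MAC = bytes.fromhex("0200000000bb")
CANDIDATE = ip_bytes("1.1.1.1")
CAPTURE = [
    build_arp_probe(MY_MAC, CANDIDATE),
    build_arp(ARP_REPLY, OTHER_MAC, CANDIDATE, MY_MAC, ip_bytes("0.0.0.0"), dst_mac=MY_MAC),
    ETH_HDR.pack(MY_MAC, OTHER_MAC, 0x0800) + b"\x45" + b"\0" * 40,
]
```

A non-empty result from `conflicting_macs()` is exactly the condition under which IOS refuses the `ip address` command on an Ethernet interface; on a serial interface the question never gets asked, which is why the original poster's duplicate configuration was accepted without complaint.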
Re: MPEG Filesharing Traffic [7:62742]

2003-02-10 Thread Amazing
check this out

http://www.packeteer.com/products/packetshaper/


Christian Seemueller  wrote in message
news:[EMAIL PROTECTED]...
 Hello,

 Does anybody have an idea how to filter the new media-sharing tools like Kazaa
 v2.02, which tunnel their data over an individual TCP port or port 80? The
 PIX would only filter to OSI level 5, I guess.
 I tried to filter the whole subnet of kazaa.com, but this won't work well.

 Any ideas welcome.
 Chris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62791t=62742
--


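The reason a port- or address-based filter on the PIX does not catch this traffic, and a payload-aware shaper like the one suggested above can, is that the FastTrack client sends HTTP-shaped requests on whatever port it is told to use. The classifier below is an added example, not from the thread or from Packeteer; it compares a layer-4 verdict with a payload verdict over three constructed flows. The markers it looks for (an `X-Kazaa-` header, a `KazaaClient` User-Agent and the `GIVE <8 digits>` upload handshake) are the FastTrack signatures published by open-source layer-7 classifiers; treat the exact strings as an assumption to confirm against your own captures before blocking on them.

```python
"""Port-based versus payload-based classification of FastTrack (Kazaa)
traffic.  Added example, not from the thread.  The marker strings are an
assumption drawn from published layer-7 signatures."""
import re

# Case-insensitive markers, matched against the start of a TCP stream.
FASTTRACK_MARKERS = [
    re.compile(rb"^GIVE \d{8}", re.I),                # upload handshake
    re.compile(rb"^user-agent:\s*kazaa", re.I | re.M),  # client banner
    re.compile(rb"^x-kazaa-", re.I | re.M),             # protocol headers
]
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def classify_by_port(dst_port):
    """What a layer-4 rule sees: port 80 is 'web', everything else 'other'."""
    return "web" if dst_port == 80 else "other"


def classify_by_payload(payload):
    """Look inside the first segment: 'fasttrack' if a marker is present,
    'http' for a plain web request, otherwise 'other'."""
    head = payload[:2048]
    if any(p.search(head) for p in FASTTRACK_MARKERS):
        return "fasttrack"
    if HTTP_REQUEST.match(head):
        return "http"
    return "other"


# Constructed sample flows: (destination port, first payload bytes).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: Mozilla/4.0\r\n\r\n"),
    (80, b"GET /.hash=0123456789abcdef HTTP/1.1\r\nHost: 192.0.2.10:80\r\n"
         b"User-Agent: KazaaClient Feb 10 2003\r\nX-Kazaa-Username: alice\r\n\r\n"),
    (1214, b"GIVE 12345678"),
]


def compare(flows):
    """[(port_verdict, payload_verdict), ...]: where the two methods disagree
    is exactly the traffic a port filter lets through."""
    return [(classify_by_port(port), classify_by_payload(data)) for port, data in flows]
```

The second flow is the one the poster is fighting: on port 80 it is indistinguishable from web browsing to a port filter, and blocking kazaa.com does nothing because peers talk to each other, not to that subnet.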

RE: Simple Ip issue (need help) [7:62728]

2003-02-10 Thread Peter van Oene
At 01:20 AM 2/11/2003 +, Priscilla Oppenheimer wrote:
No problem with the splitting of hairs. :-)

I have been wondering why Cisco lets you do what the original poster is
doing, which most of us misunderstood. He is using the same IP address on 2
serial interfaces on the SAME router.

Sonet APS comes to mind?  I usually use a /29 with 4 addresses, but you 
could use the same address.

If you try to use the same IP address on two Ethernet interfaces, you just
get an error when you try to configure the second Ethernet interface.

I can't think of a practical use for this myself.

With two serial interfaces, you don't get an error. Is this just an
oversight? There are many such oversights in Cisco IOS. :-) Or maybe there
is a real reason to do it.

The more I think about it (over the last two paragraphs of your msg) the 
more APS seems the likely candidate. If you couldn't, this would be 
restrictive in some cases.  Of course I'm thinking APS capable interfaces.

I said in my original message that there's no ARP on serial interfaces so
the router can't easily figure out if anyone else is using its address like
it does on Ethernet. On Ethernet the router can send an ARP to see if
someone else replies. But that's someone else on the LAN connected to the
interface, not another interface on the same router.

So, if it gives you an error on Ethernet when you use an address you have
already used on another Ethernet interface, why doesn't it give you an error
for serial interfaces? Maybe there's an actual technical reason, although
probably it's just an oversight.

By the way, it lets you configure an Ethernet interface to use an address
already in use on a serial interface, but if you try to do it in the other
order then you get an error. That's probably just another oversight.

Would agree here.  Might be something to do with internal mechanisms to map 
MACs to IPs.  I.e., if an interface is added, check the MAC/IP binding list 
for duplicates and error if there is one.  Such a mechanism wouldn't be 
relevant in SONET, and for the APS reasoning, it may be expected that some 
interfaces share the same address.

Cisco has always given you enough rope to hang yourself. Decent error
messages have never been any more important than ease-of-use. :-)

Priscilla

Peter van Oene wrote:
 
  At 06:18 PM 2/10/2003 +, Priscilla Oppenheimer wrote:
  You can't have duplicate IP addresses anywhere. They have to
  be unique. The
  only exceptions would be if you were doing some sort of NAT or
  tunneling or
  something and the duplicates were hidden from each other.
  
  You don't get an error when you try to configure it because
  it's a lot
  harder for IOS to detect this on a serial interface than on an
  Ethernet
  interface. On Ethernet, a Cisco router ARPs for the address
  you give it. If
  it receives a reply, then it gives you an error and won't let
  you use the
  address. There's no ARP in serial land.
  
  You think you're pinging successfully, but how do you know who
  is really
  replying?
  
  Even if you could assign duplicate IP addresses, you
  shouldn't. You would
  wreak havoc with all sorts of things. There's no reason to do
  it either. If
  you're concerned with running out of addresses, just use
  private address.
  The 10.0.0.0 network has 16 million possibilities.
 
  For what it's worth, duplicating the same IP across a set of
  DNS servers in
  the same AS can provide an interesting spin on resiliency.  So
  long as you
  configure unique IPs for normal communication.  This sort of
  thing works
  well for protocols that are stateless (UDP DNS)
 
  Anycast-RP in PIM networks also uses the same IP on multiple
  boxes :-)
 
  Someone had to get blunt here! :-)
 
  Someone had to split some hair !
 
 
 
  ___
  
  Priscilla Oppenheimer
  www.troubleshootingnetworks.com
  www.priscilla.com
  
  
  
  
  Ladrach, Daniel E. wrote:
   
 If you ping you are probably pinging the local IP. Try debug ip icmp to
 verify what you are pinging.
   
Daniel Ladrach
CCNP, CCNA
WorldCom
   
   
   
-Original Message-
From: Monu Sekhon [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: Simple Ip issue (need help) [7:62728]
   
   
Hi All,
 Thanks again to all for contributing.
 The confusion is still there:
 I am pinging the remote side and I am able to.
 Any comments from all? (Still confused with the answers.)
   
Walker, James - Is wrote:

 Only problem is which side are you pinging




 -Original Message-
 From: John Murphy [mailto:[EMAIL PROTECTED]]
 Sent: Monday, February 10, 2003 11:15 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Simple Ip issue (need help) [7:62728]


 If you're asking what I think you're asking, then I think
  your
 answer is
 yes, but you won't be able to pass any traffic across the
  

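The thread explains why IOS can catch a duplicate address on Ethernet (it ARPs for the address and complains if anyone answers) but not on a serial link (no ARP). The following is an added example, not code from any poster, that models that check offline: it builds the ARP probe frame, parses the replies heard on the wire, and reports every MAC other than our own that claims the address. All MACs and IPs are made up, and frames are constructed in memory rather than sent. Note the same limits Priscilla points out: this only sees other hosts on that LAN, so it cannot notice a second interface on the same router, and it has no equivalent on an HDLC serial link.

```python
"""ARP-based duplicate-address check as the thread describes it for
Ethernet: probe the candidate address and treat a reply from any MAC
other than our own as a conflict.  Frames are built and 'received'
in memory (no sockets); every address below is constructed."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP packet (42 bytes, no padding)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # hw type Ethernet, proto IPv4, hw len 6, proto len 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def arp_probe(my_mac, candidate_ip):
    """Probe in the RFC 5227 style: sender IP 0.0.0.0, so the probe itself
    does not poison anyone's ARP cache if the address is already taken."""
    return build_arp(ARP_REQUEST, my_mac, "0.0.0.0", "00:00:00:00:00:00", candidate_ip)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


def conflicting_claimants(candidate_ip, my_mac, heard_frames):
    """MACs (other than ours) that answered for candidate_ip during the probe window."""
    claimants = set()
    for frame in heard_frames:
        arp = parse_arp(frame)
        if (arp and arp["op"] == ARP_REPLY
                and arp["sender_ip"] == candidate_ip
                and arp["sender_mac"] != my_mac):
            claimants.add(arp["sender_mac"])
    return claimants


# Constructed scenario: we want 192.0.2.1 and a host with another MAC already answers for it.
MY_MAC = "00:1b:2c:3d:4e:5f"
CANDIDATE = "192.0.2.1"
HEARD = [
    build_arp(ARP_REPLY, "00:0c:29:aa:bb:cc", CANDIDATE, MY_MAC, "0.0.0.0"),    # conflict
    build_arp(ARP_REPLY, "00:0c:29:11:22:33", "192.0.2.7", MY_MAC, "0.0.0.0"),  # unrelated
    b"\x00" * 60,                                                               # not ARP
]

if __name__ == "__main__":
    print("probe:", arp_probe(MY_MAC, CANDIDATE).hex())
    print("conflicts for", CANDIDATE, "->", conflicting_claimants(CANDIDATE, MY_MAC, HEARD))
```

An empty result from `conflicting_claimants` means only that nobody on that segment answered within the window; it says nothing about addresses configured elsewhere on the same box.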
isdn scripts.. [7:62793]

2003-02-10 Thread Rich Muller
Hello-

Anyone have a current script used to test ISDN line availability?  There are 
apps available, but scripting seems to be the way to go... anyone out there 
using their own scripts to test ISDN call setups etc.?

Thx!









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62793t=62793



RE: CBAC, PPTP and NAT Interaction [7:62727]

2003-02-10 Thread [EMAIL PROTECTED]
Thanks for that.  I had read that previously and it helped somewhat.
However, my problem comes from interaction of the various technologies.

For instance, I want to use some static packet filtering to keep IP spoofing
out, denying private IPs from coming in from the outside interface, but when
I do it breaks my IPSec tunnel as it has 10 network inside and triggers the
deny 10.0.0.0 rule I have.  Now I opened the specific 10 network that I am
using inside to solve that problem, but that opens up a hole.

If I have a NAT'ed network, does the ACL get applied to the inside address
or the Outside address?

I guess there are a few other things, obviously I am going to play with it
some more and learn, I am just in search of some good information about the
subject so that I can get a good basis of knowledge.

Thanks again for your help though,

Tom

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 10, 2003 1:16 AM
To: [EMAIL PROTECTED]
Subject: RE: CBAC, PPTP and NAT Interaction [7:62727]


Hi Tom!

I think this article will help you resolve your problems.
It is titled Nat Order of Operations but I think it
may be called Order of Packet Processing ;-)

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080
133ddd.shtml
http://www.cisco.com/warp/public/556/5.pdf (PDF variant of the same article)

Kind regards,
Victor




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62794t=62727



Re: isdn scripts.. [7:62793]

2003-02-10 Thread Ronnie Higginbotham
I have written expect scripts to test connectivity.

Do you have a backup interface applied, or are you using dialer watch?

Ronnie
Rich Muller wrote in message news:[EMAIL PROTECTED]...
 Hello-

 Anyone have a current script used to test ISDN line availability?  There
are
 apps available, but scripting seems to be the way to go... anyone out
there
 using their own scripts to test ISDN call setups etc.?

 Thx!









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62795t=62793



Re: Books new lab format. [7:62774]

2003-02-10 Thread The Long and Winding Road
Nuno Lopes wrote in message news:[EMAIL PROTECTED]...
 Hi all,

 Can anybody help me with the most complete books to prepare for the new lab
 format?

 At the moment I use the All-In-One Cisco CCIE Lab Study Guide 2nd Edition and
 the Cisco CCIE Lab Practice Kit.

 Are there any more complete books in the field?


just because I'm in a bad mood tonight, I'll pick a fight. nothing personal,
but I think you're misleading yourself by looking for books to prepare using
the new lab format. as if any of the books out there now were the be all and
end all for the old lab format.

there are certain core topics you HAVE to know. no matter whose books you
are reading, you have to pick out those core topics and master them. Caslow
is as good a place to start as any. Soltie is good for this.

you have to understand redistribution in all its manifestations. the Lab
has a way of screwing you with this. and not just in the ways you see in the
various books. those lab writers are devious.

you have to know how and where to find things using the doc CD. A couple of
days ago someone asked is DVMRP in the Lab? the proper question to ask is
if a DVMRP question came up in the Lab, where would I find out how to
configure it?

I've offered several other books as starting points in other posts. But when
push comes to shove, all the materials out there are just starting points.
They are not magic bullets. taking a certain course, or using a certain
book, or set of practice labs is no guarantee of passing, no matter what the
sellers of those materials ( or the users, for that matter ) might say.

as you practice more and more, I assume it just starts to dawn on you how
this stuff really works. at that point you have a good shot at passing.

but don't rely on finding the perfect book, or the perfect set of practice
labs. there ain't none.

best wishes




 tks all











Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62796t=62774



Re: CCIE Lab - I have seen he future and it is.... [7:62776]

2003-02-10 Thread Priscilla Oppenheimer
Charles Riley wrote:

I think you may have overreacted and scared everybody away! :-)

 
 Chuck,
 

 
 Rounding out that analogy, the CCIE of the future will probably
 be reduced
 to being the CCNP of today. 

They can still make CCIE much harder than CCNP and if it is much harder, it
will be more valued (probably).

 Regardless, I have spent too much
 time and
 money to abandon the quest for CCIE now, but frankly, if I
 hadn't invested
 as much as I have, I would most likely abandon the quest in
 favor of
 broadening into other areas.  I really don't see much market
 value for the
 CCIE anymore, especially with Cisco hellbent on making it a
 meatgrinding
 cash cow.

They're just trying to save money, be more profitable. We are all trying to
do that in these awful economic times.

 Your java console and one way only to configure
 experience kind
 of bears this out.

But we don't know if it will be that bad. They could do a good job with
this, even if it is somewhat automated. They've got some really smart people
working for them.

I would say, continue with your plans (as you said you were going to) and
don't get depressed! Watch for black/white thinking, over-reacting,
generalizing etc. Those can lead to depression

Priscilla

 
 Sorry for the depressing post, just wanted to share.
 
 Charles
 
 
 
 
 
 The Long and Winding Road wrote in
 message news:[EMAIL PROTECTED]...
  Been spending this weekend on what was once the Cisco
 Advanced SE Training
  ( ASET ) set of labs. These are available for those whose
 Cisco account
 team
  approves - there are a few conditions which can be found in
 the wee places
  of certification training.
 
  The program is run by Lab Gear ( the only link I have is
 www.labgear.net,
  but
  this is a login page ) There are a number of labs of CCIE
 level, look, and
  feel.
 
  Supposed to be real equipment, but the access is via java
 script windows,
  not terminal emulation. This makes for some interesting
 situations. The
  windows show or provide output only when they are active. So
 if you had
 two
  router sessions open, and you made changes on one router that
 would
 generate
  systems messages of one sort or another you would not see
 those messages
 on
  the other. also, I have yet to find a way to generate output
 from
 debugging
  commands. Things like term mon and logging of one kind or
 another have not
  been successful. so no debug ip routing and debug ip ospf adj.
 
  As with the real lab, there are a series of tasks to be
 completed. Grading
  is done via a script.  This is the point of most interest.
 Actually, I
  suspect a lot of the current CCIE Lab grading is done using
 scripting
 tools.
  I believe the proctors still physically examine equipment
 configurations
 for
  some things, but I could be wrong.
 
  It is of interest because to judge from the script outputs I
 am seeing,
  there appears to be an assumption that there is one and only
 one way to do
  things. I'm not sure this is always true. I am not sure that
 this results
 in
  an entirely accurate grade.
 
  But more importantly, given my experience with the java
 consoles and the
  manner in which these labs must be done, I am not sure I like
 where this
 is
  headed. Something Brian Dennis and Brad Ellis and some other
 people
 started
  talking about back when the CCIE Lab went from two days to
 one - something
  about the longer term goal being to do the test remotely, and
 having
 people
  show up at Sylvan or some other testing center and log in
 remotely.
 
  If the Lab Gear approach is any indication, this is not ready
 for real
 live
  testing. I experienced far too many problems with terminal (
 javascript )
  sessions disconnecting mysteriously. With 8 open windows, it
 sometimes got
  to be very hard to find the session ( router ) I was looking
 for. Cut and
  paste is a real pain. You have to open a scratchpad window,
 which is
  associated with the javascript console window. cutting and
 pasting is done
  to this wind. there are scratchpad windows associated with
 each java wind,
  so if you had a scratchpad open for every router session,
 that makes for a
  LOT of junk to fight your way through looking for what you
 want. then
 there
  is the problem of actually moving what you want to copy and
 paste.
 highlight
  and control c control v or alt e paste don't work. you have
 to click on
  buttons on the java consoles to copy to and from routers.
 
  beyond that, there is the problems of whether or not the
 script answer
 is
  the right answer. For example, in one lab, a particular
 instruction
 requires
  that the rip routers on a particular segment have to use the
 neighbor
  statement to see eachother ( and prevent other routers on
 that segment
 from
  joining into the RIP domain ) well, the problem is, one of
 those routers
 is
  connected to another RIP router via a different interface.
 need a neighbor
  statement there too, but the script does not 

Re: BGP exam study recommendations [7:62784]

2003-02-10 Thread Peter van Oene
At 11:40 PM 2/10/2003 +, Peter Walker wrote:
Folks

I am wondering if anyone has any recommendations for BGP study. I am
booked in for the BGP beta exam on Friday and still dont feel
comfortable with my level of BGP knowledge.  I have read the following
over the last few months

 Halabi - Internet Routing Architectures.
 Doyle Vol 2 (BGP sections)
 John Stewart III (BGP4 book)
 William Parkhurst (The RFC stuff at the back
 and some of the command reference)

I am going to go back and reread some of Halabi, all of the Parkhurst
command reference chapters and probably some of the RFCs.

Does anyone have any additional 'must-read' references that I should
look at before Friday? I realise that I have all the basic info that I
need and, to be honest, feel that I could pass the test already. However
I am one of those people that want to understand things at the
gut/instinct level and I really dont feel that I am at that point yet.

If you read all this stuff and still don't understand BGP the way you would 
like to, more books likely aren't what you need.  I would focus more on 
hands on work.  Many folks learn better by doing than reading (me for one 
:).  If you are a Certificationzone subscriber, Howard Berkowitz has a 
three tutorial set on BGP that come with some labs to help illustrate 
points which might help.  But I'm sure just working through some configs on 
a lab while following along with your reading material might be the best bet.

Pete


Any other suggestions?

Peter Walker
 CISSP, CSS1, CC[NID]P, etc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62788t=62784



Re: CCIE Lab - I have seen he future and it is.... [7:62776]

2003-02-10 Thread Amazing
actually, i think you have it backwards... the CCNP of tomorrow will be the
CCIE of today... CCC tests are getting harder... the bar is being raised

if what you state is truly the way you truly feel, then you were in pursuit
of the CCIE for the wrong reason in the first place.

sorry you're so depressed.


Charles Riley wrote in message news:[EMAIL PROTECTED]...
 Chuck,

 Your post reminds me of those weird little ice cream stands that I
sometimes
 see at the mall and various carnivals.  It's called something like
Dipping
 Dots - The Ice Cream of the Future.  The initial human instinct is much
 like the Cro-Magnon humanoids encountering the monolith  at the beginning
of
 2001: A Space Odyssey (sp):  jump up and down with excitement until you
 realize it's just freeze dried ice cream.

 Rounding out that analogy, the CCIE of the future will probably be reduced
 to being the CCNP of today.  Regardless, I have spent too much time and
 money to abandon the quest for CCIE now, but frankly, if I hadn't invested
 as much as I have, I would most likely abandon the quest in favor of
 broadening into other areas.  I really don't see much market value for the
 CCIE anymore, especially with Cisco hellbent on making it a meatgrinding
 cash cow. Your java console and one way only to configure experience
kind
 of bears this out.

 Sorry for the depressing post, just wanted to share.

 Charles





 The Long and Winding Road wrote in
 message news:[EMAIL PROTECTED]...
  Been spending this weekend on what was once the Cisco Advanced SE
Training
  ( ASET ) set of labs. These are available for those whose Cisco account
 team
  approves - there are a few conditions which can be found in the wee
places
  of certification training.
 
  The program is run by Lab Gear ( the only link I have is
www.labgear.net,
  but
  this is a login page ) There are a number of labs of CCIE level, look,
and
  feel.
 
  Supposed to be real equipment, but the access is via java script
windows,
  not terminal emulation. This makes for some interesting situations. The
  windows show or provide output only when they are active. So if you had
 two
  router sessions open, and you made changes on one router that would
 generate
  systems messages of one sort or another you would not see those messages
 on
  the other. also, I have yet to find a way to generate output from
 debugging
  commands. Things like term mon and logging of one kind or another have
not
  been successful. so no debug ip routing and debug ip ospf adj.
 
  As with the real lab, there are a series of tasks to be completed.
Grading
  is done via a script.  This is the point of most interest. Actually, I
  suspect a lot of the current CCIE Lab grading is done using scripting
 tools.
  I believe the proctors still physically examine equipment configurations
 for
  some things, but I could be wrong.
 
  It is of interest because to judge from the script outputs I am seeing,
  there appears to be an assumption that there is one and only one way to
do
  things. I'm not sure this is always true. I am not sure that this
results
 in
  an entirely accurate grade.
 
  But more importantly, given my experience with the java consoles and the
  manner in which these labs must be done, I am not sure I like where this
 is
  headed. Something Brian Dennis and Brad Ellis and some other people
 started
  talking about back when the CCIE Lab went from two days to one -
something
  about the longer term goal being to do the test remotely, and having
 people
  show up at Sylvan or some other testing center and log in remotely.
 
  If the Lab Gear approach is any indication, this is not ready for real
 live
  testing. I experienced far too many problems with terminal (
javascript )
  sessions disconnecting mysteriously. With 8 open windows, it sometimes
got
  to be very hard to find the session ( router ) I was looking for. Cut
and
  paste is a real pain. You have to open a scratchpad window, which is
  associated with the javascript console window. cutting and pasting is
done
  to this wind. there are scratchpad windows associated with each java
wind,
  so if you had a scratchpad open for every router session, that makes for
a
  LOT of junk to fight your way through looking for what you want. then
 there
  is the problem of actually moving what you want to copy and paste.
 highlight
  and control c control v or alt e paste don't work. you have to click on
  buttons on the java consoles to copy to and from routers.
 
  beyond that, there is the problems of whether or not the script answer
 is
  the right answer. For example, in one lab, a particular instruction
 requires
  that the rip routers on a particular segment have to use the neighbor
  statement to see eachother ( and prevent other routers on that segment
 from
  joining into the RIP domain ) well, the problem is, one of those routers
 is
  connected to another RIP router via a different interface. need a

IOS Feature question [7:62797]

2003-02-10 Thread Ed Dial
Ladies n' Gentlemen, a quick question about the IOS feature set. Does 
anyone know of a way to configure an async serial port (either a sync/async 
WIC or the 8/16 port NM) on a 3600 platform to act as a point-to-multipoint 
FRAD? The application is for SCADA, so a single RS-232 based PC at 1200 bps 
needs to poll all devices (also RS-232) on the network simultaneously in a 
classic point-to-multipoint topology. All devices listen to the poll, but 
only the unit with the correct polled address will respond to the PC in a 
round-robin fashion. I have 30 of these RTUs, or SCADA devices scattered 
around all points of a frame-relay network. I would like to pull this off 
in the 3600 without having to add 2500s to the stack. Mapping an async port 
directly to a DLCI would be good. My lab only has async on a 2511 (other 
than AUX), so I can't experiment with it. Any ideas?

Thanks in advance - Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62797t=62797



Re: Why disable cdp for back-to-back serial connection [7:62798]

2003-02-10 Thread Lawrence Law
Dear Priscilla,

Thank you for your clear explanation.

Maybe it is better to disable CDP for low speed links, and for the security issue.

Regards,
Lawrence



Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
 Cisco Discovery Protocol (CDP) is a management protocol that allows routers
 and switches to tell each other about their IOS version, hardware
platform,
 and basic config info. Some security experts say to disable it because it
 tells too much.

 It has nothing to do with bringing the serial interface up/up. You could
use
 it or you could not. The two routers on the HDLC link don't have to agree.
 One could send CDP while the other doesn't and the link should still come
 up/up, assuming everything is OK at the physical and data-link layers.

 It's too bad they used no cdp enable in that simple example with no
 explanation. I don't think it's the default? So someone had to type it in,
 so they should have explained it.

 Priscilla


 Lawrence Law wrote:
 
  Dear all,
 
 
  From cisco configuration example
 
 

http://www.cisco.com/en/US/tech/tk713/tk317/technologies_configuration_examp
  le09186a00800944ff.shtml
 
  I'm wondering whether the line no cdp enable is required on
  both routers
  in order to bring a back-to-back serial connection up.
 
  Regards,
  Lawrence




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62798t=62798

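Priscilla's point that CDP "tells too much" is easiest to judge by looking at what one advertisement actually carries. The block below is an added example, not code from this thread or from Cisco: it builds a CDP payload from type/length/value triples with the standard ones'-complement checksum, parses it back, and lists the fields a neighbour on the link learns (device name, platform, software version). The sample values are constructed, and the payload is kept even-length because Cisco's checksum treats odd-length payloads with a quirk this code does not reproduce. Wireshark decodes real CDP frames the same way; the purpose here is to show the content, so you can decide whether `no cdp enable` is worth it on a given link.

```python
"""Decode a CDP payload and list the fields that describe the device.
The payload is constructed here to show the wire format; it was not
captured from any real router."""
import struct

# Subset of CDP TLV types: the ones the thread says disclose too much.
TLV_NAMES = {0x0001: "Device ID", 0x0003: "Port ID",
             0x0005: "Software Version", 0x0006: "Platform"}


def internet_checksum(data):
    """RFC 1071 ones'-complement sum. Assumes even-length input (see lead-in)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_cdp(tlvs, version=2, ttl=180):
    """CDP header (version, TTL, checksum) followed by type/length/value triples.
    The TLV length field counts the 4-byte type/length header as well."""
    body = b"".join(struct.pack("!HH", t, len(v) + 4) + v for t, v in tlvs)
    cksum = internet_checksum(struct.pack("!BBH", version, ttl, 0) + body)
    return struct.pack("!BBH", version, ttl, cksum) + body


def parse_cdp(payload):
    """Return {field name: text} for the TLVs; raises on bad length or checksum.
    A payload whose checksum is valid sums to zero with the checksum field included."""
    if len(payload) < 4 or internet_checksum(payload) != 0:
        raise ValueError("CDP checksum mismatch or truncated payload")
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    fields = {"version": version, "ttl": ttl}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError(f"bad TLV length {tlv_len} at offset {offset}")
        value = payload[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"type 0x{tlv_type:04x}")
        fields[name] = value.decode("ascii", "replace")
        offset += tlv_len
    return fields


def disclosed_fields(payload):
    """The identity fields an on-link listener learns from one advertisement."""
    fields = parse_cdp(payload)
    return {k: fields[k] for k in ("Device ID", "Platform", "Software Version") if k in fields}


# Constructed sample advertisement (82 bytes, even length on purpose).
SAMPLE_CDP = build_cdp([
    (0x0001, b"Router1"),
    (0x0005, b"IOS (tm) 3600 Software, Version 12.2"),
    (0x0006, b"cisco 3640"),
    (0x0003, b"Serial0/0"),
])

if __name__ == "__main__":
    for name, value in disclosed_fields(SAMPLE_CDP).items():
        print(f"{name:17}: {value}")
```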


RE: bandwidth [7:61552]

2003-02-10 Thread Larkin, Richard
I would bundle the two serial interfaces together using Multilink PPP, then
place access control on the router so customers can't talk to each other,
then apply rate limiting to each customer with a guaranteed 64k, bursting an
additional 64k, and do rate limiting on the bundle (if that's possible).

This is generally what telcos are doing with Metro Ethernet switches,
except traffic is segregated by either VLAN or MPLS VPN.

Rik

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Friday, 24 January 2003 12:54 AM
To: [EMAIL PROTECTED]
Subject: Re: bandwidth [7:61552]


kaushalender wrote:
 
 Thanks ma'am,
 
 Thanks a lot, thanks very much. Yes, both customers are on the same router, but

Whew, that's good. :-)

 how will I tell s1 to use the bandwidth which is not utilized by
 s0? Please help, because I have a restriction on both s0 and s1 from the
 rate-limit command.

The method I told you before is based on the link still in use approaching a
certain bandwidth. At that point it can take over the other one. I realize
that's not quite what you want.

I don't think there is a way to have the link still in use take over the
other link when that link utilization goes low. Anyone know?

If we don't get an answer, start another thread and explain the situation
with more detail. That will get people's attention.

Good luck.

Priscilla

 Thanx in advance
 
 
 
 
 
 Priscilla Oppenheimer wrote:
  kaushalender wrote:
  
 Hi group,
 
 I have a query, please give an answer to it. Is it possible, if I have 2
 customers which have circuits from me, both having 64 Kbps
 bandwidth, that if
 one customer is not utilizing bandwidth then the other
 customer can
 utilize that spare bandwidth, and whenever the other customer
 starts using
 bandwidth it gets back to normal?
  
  
  Where are the two customers? Aren't they physically in two
 different places?
  If yes, then there's no way to get this to work. It would be
 like saying if
  the road from New York to Miami has few cars, can we tell the
 extra cars
  travelling from New York to Boston to use the road from New
 York to Miami?
  
  If you had two serial interfaces between two sites, you can
 tell a router to
  use the second one when utilization gets to a certain point
 with the backup
  command. For example, let's say you had S0 and S1. S0 could
 start using S1's
  bandwidth when its utilization reached 60% and stop using it
 when it fell to
  5% with the following command.
  
  int s0
  backup int s1
  backup load 60 5
  
  But that's when the two interfaces go the same place.
  
  ___
  
  Priscilla Oppenheimer
  www.troubleshootingnetworks.com
  www.priscilla.com
  
  
 Thanx In advance
 
 Kaushalender




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62799t=61552



RE: CBAC, PPTP and NAT Interaction [7:62727]

2003-02-10 Thread Victor Latushkin
Tom@I-McNamara wrote:
 
 Thanks for that.  I had read that previously and it helped
 somewhat.
 However, my problem comes from interaction of the various
 technologies.
That article helped me a lot to understand the interactions of various
technologies and transformations of packets. I've used the table from that
article to play some what-if scenarios with a pencil and a piece of paper
;-)

 For instance, I want to use some static packet filtering to
 keep IP spoofing
 out, denying private IPs from coming in from the outside
 interface, but when
 I do it breaks my IPSec tunnel as it has 10 network inside and
 triggers the
 deny 10.0.0.0 rule I have.  Now I opened the specific 10
 network that I am
 using inside to solve that problem, but that opens up a hole.
No, this doesn't open up a hole. IOS checks all incoming packets against the
crypto map. If IOS receives an unencrypted packet that should be encrypted
(according to the access-list associated with the crypto map), IOS will definitely
drop it.
 
 If I have a NAT'ed network, does the ACL get applied to the
 inside address or the Outside address?
Which ACL are you talking about? Let's see what happens with a packet from your
network destined to the Internet. According to the article, the input access list
on an input interface is applied to the packet before NAT, so at this point the
packet has the inside local address. The output access-list on an output interface
is applied to the packet after NAT, consequently at this point the packet has the inside
global address. Therefore you should use inside global addresses in your
output access list on an external interface.
A packet destined to an IPSec peer shouldn't be NAT'ed.
 
 I guess there are a few other things, obviously I am going to
 play with it
 some more and learn, I am just in search of some good
 information about the
 subject so that I can get a good basis of knowledge.

I advise you to check some example configurations on cisco's site. There are
tons of useful examples with explanations, configs, debug outputs etc...
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Internetworking:IPSecs=Implementation_and_Configuration#Samples_and_Tips

Best regards,

Victor


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62801t=62727