Re: Dropped Packet on 6506 switch [7:63053]

2003-03-01 Thread Groupstudy Spam Test
- Original Message -
From: "MADMAN" 
To: "The Long and Winding Road" 
Cc: 
Sent: Tuesday, 18 February, 2003 6:50 AM
Subject: Re: Dropped Packet on 6506 switch [7:63053]


>
>
> The Long and Winding Road wrote:
> > hey, Dave, request for clarification
> >
> >
> > whenever I run my config tools ( either CCO or NetFormX, which validates
> > against Cisco's config server anyway ), the requirement is CAT OS plus IOS.
> > I can go CAT OS only, but I cannot get a validation using IOS only.
>
>I Don't use the config tool, sounds like it is probably just as well:)
>
> >
> > So is that an error in the validation engine? or is something else going on
> > that I don't understand.
>
>Send me the URL you use for this tool, I'll take a look at it.


in case anyone is still wondering, I've been doing some more work involving
configuring 65xx switches using the config tools. I think I get it now.

a 65xx switch can run native IOS on a regular old sup with MSFC

OR

it can run Cat OS ( on a regular old supervisor )

OR

it can run hybrid mode, using Cat OS on the sup and an L3 IOS on the MSFC
card


does that match with what you know, Dave?



>
> >
> > on a 3550, I can configure all ports as routed ports, or I can configure all
> > ports as switched ports, or any combination.
>
>6500 running native you can do the same.
>
> >
> > The 4xxx boxes with sup 3 or better can go IOS only.
>
>6500 in native mode looks like the 4000 with a supIII except the 4000
> with a supIII, all ports are L2 by default and on a 6500 running native
> they are L3, go figure.  With the introduction of the 4500 switch the
> 6500 is the only platform running catOS that is being produced.
>
> >
> > The 65xx seems to be the problem child, as anyone who has stumbled through
> > either tool mentioned above can attest to.
>
>Check out this URL:
>
>
http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a00801350b8.shtml
>
>Dave
>
>
>
> >
> > any clarifications you can offer?
> >
> >
> >
> > ""MADMAN""  wrote in message
> > news:[EMAIL PROTECTED]
> >
> >>The Long and Winding Road wrote:
> >>
> >>
> >>>65xx without the MSFC card run Cat OS mode. Add the MSFC card, and you have
> >>>hybrid mode. unless something has changed recently, you cannot run a 65xx in
> >>>native IOS mode only - it has to be an L2 box alone, or a hybrid box,
> >>>running IOS and Cat OS.
> >>
> >>   Actually you can run a 6500 in native only.  In native mode all ports
> >>are layer 3 ports.  In fact in order to run most of the OSM cards you
> >>must run native mode, the inverse is true for most voice modules.
> >>
> >>   Dave
> >>
> >>Native6506#sh ver
> >>Cisco Internetwork Operating System Software
> >>IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >>TAC Support: http://www.cisco.com/tac
> >>Copyright (c) 1986-2002 by cisco Systems, Inc.
> >>Compiled Wed 04-Sep-02 18:45 by eaarmas
> >>Image text-base: 0x40008C00, data-base: 0x41A68000
> >>
> >>ROM: System Bootstrap, Version 12.1(4r)E, RELEASE SOFTWARE (fc1)
> >>BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >>
> >>Native6506 uptime is 6 weeks, 3 days, 23 hours, 24 minutes
> >>Time since Native6506 switched to active is 6 weeks, 3 days, 23 hours, 23 minutes
> >>System returned to ROM by power-on (SP by power-on)
> >>System image file is "slot0:c6sup12-js-mz.121-13.E.bin"
> >>
> >>cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
> >>Processor board ID SAD05020HUX
> >>R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
> >>Last reset from power-on
> >>Bridging software.
> >>X.25 software, Version 3.0.0.
> >>SuperLAT software (copyright 1990 by Meridian Technology Corp).
> >>TN3270 Emulation software.
> >>8 Virtual Ethernet/IEEE 802.3  interface(s)
> >>120 FastEthernet/IEEE 802.3 interface(s)
> >>4 Gigabit Ethernet/IEEE 802.3 interface(s)
> >>381K bytes of non-volatile configuration memory.
> >>
> >>16384K bytes of Flash internal SIMM (Sector size 512K).
> >>Standby is up
> >>Standby has 112640K/18432K bytes of memory.
> >>
> >>Configuration register is 0x2102
> >>
> >>Native6506#
> >>
> >>Native6506#sh conf
> >>Using 8122 out of 391160 bytes
> >>!
> >>version 12.1
> >>service timestamps debug uptime
> >>service timestamps log uptime
> >>no service password-encryption
> >>!
> >>hostname Native6506
> >>!
> >>boot system flash slot0:c6sup12-js-mz.121-13.E.bin
> >>boot bootldr bootflash:c6msfc2-boot-mz.121-4.E1
> >>enable password cisco
> >>!
> >>ip subnet-zero
> >>!
> >>!
> >>no ip domain-lookup
> >>!
> >>mls flow ip destination
> >>mls flow ipx destination
> >>!
> >>redundancy
> >>  mode rpr-plus
> >>  main-cpu
> >>   auto-sync running-config
> >>   auto-sync standard
> >>!
> >>!
> >>!
> >>interface GigabitEthernet1/1
> >>  no ip address
> >>  switchport
> >> 

Re: MRTG [7:64133]

2003-03-01 Thread Karen E Young
Here - 
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

Almost everything you need to know can be found there. 

The comp.dcom.net-management newsgroup is a good forum for getting it set up
the way you want it. Both MRTG and RRD Tool (comes with MRTG).

If you want to run it on a Windows server, you might want to check this out
too. It's the Win NT guide to MRTG.
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/nt-guide.html

http://www.activestate.com is a good source for a Win32 version of Perl
(needed for MRTG). You can still get a slightly older version of their code,
up through build 522, for free from:
ftp://ftp.activestate.com/ActivePerl/Windows/5.005/Intel/
It's not the newest code out there but it's free and it works just fine.
Possibly more stable.

FYI, search engines like google are a good place to look for info like this.
Faster than asking.

Hope this helps!
Karen

*** REPLY SEPARATOR  ***

On 3/1/2003 at 4:55 AM milind tare wrote:

>hi buddy,
>
>
> Need information about the MRTG. Can anyone tell me
>from which site I can download, and what is the
>hardware requirement and any technical documentation
>URL.
>
>Thanks & Regards,
>milind
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64139&t=64133
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: FCS Errors between 2 5500's [7:64072]

2003-03-01 Thread Symon Thurlow
Did you replace the cable with a known good one? Or with the one that
your predecessor replaced because he jammed it in the door and had
problems with bad FCS :) just kidding!

Make sure you replaced it with a new or known good cable, rather than a
"spare".

Symon

-Original Message-
From: Elijah Savage [mailto:[EMAIL PROTECTED] 
Sent: 28 February 2003 20:27
To: [EMAIL PROTECTED]
Subject: RE: FCS Errors between 2 5500's [7:64072]


Thank you all for the replies, but I checked the duplex between them and
made sure everything was hard coded on both sides, there are no media
filters or anything in place just direct cross connect sc to sc fiber.

I appreciate the feedback.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 28, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: RE: FCS Errors between 2 5500's [7:64072]

Is there any chance there's a duplex mismatch? I doubt anyone uses
half-duplex on Gigabit Ethernet, so this may be a clueless suggestion.
However, those are the symptoms you would get. The side set to half would
sense someone else sending while it was sending, stop, back off and try
again. The result of the thwarted transmission would be a runt with an
FCS at the recipient.

Since you replaced the fiber already, I guess you better start swapping
hardware. But it's really hard to tell which side to replace. The sender
could be sending bad data. I think that's more likely than the recipient
having some problem with receiving the data and reporting FCSs. So I
would start on the sender (the one not reporting errors, despite
possibly being the culprit.)

Are there any media filters or other components in this link that could
be causing a problem?

Priscilla

Elijah Savage wrote:
> 
> There is no fiber running through a ceiling. They are sitting right 
> next to each other in the cabinets so a real short 3 meter fiber
> jumper is
> being used.
> 
> 
> 
> -Original Message-
> From: Larry Letterman [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 28, 2003 1:09 PM
> To: Elijah Savage; [EMAIL PROTECTED]
> Subject: Re: FCS Errors between 2 5500's [7:64072]
> 
> 
> 
> are there any fiber running thru the ceiling ?
> 
> I'd replace both ends of the 5500 hardware..
> 
> 
> Larry Letterman
> Network Engineer
> Cisco Systems
> 
> 
> 
> 
> 
>   - Original Message -
> 
>   From: Elijah Savage
> 
>   To: [EMAIL PROTECTED]
> 
>   Sent: Friday, February 28, 2003 5:26 AM
> 
>   Subject: FCS Errors between 2 5500's [7:64072]
> 
> 
> 
>   All,
> 
> 
> 
>   Last night I had to shutdown a gig fiber trunk between 2 5500's to run
>   on a 100M trunk we setup as a backup. The FCS errors are only showing up
>   on one side the fiber between the 2 cats were replaced but the errors
>   are still showing up. Which side would you all say you would replace the
>   fiber daughter card the one with the errors or the side without the
>   errors?
=

 This email has been content filtered and
 subject to spam filtering. If you consider
 this email is unsolicited please forward
 the email to [EMAIL PROTECTED] and
 request that the sender's domain be
 blocked from sending any further emails.

=




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64140&t=64072


RE: Prioritizing certain types of traffic. [7:64070]

2003-03-01 Thread brett spunt
Look into CBWFQ. Search on CCO for Class Based Weighted Fair
Queuing... This will give you the finest granularity of control
over the type of traffic you're dealing with.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Stuart Pittwood
Sent: Friday, February 28, 2003 4:41 AM
To: [EMAIL PROTECTED]
Subject: Prioritizing certain types of traffic. [7:64070]

Hi all,

We have a 1Mb link between two offices,

90% of the traffic crossing this link is from Wyse terminals (remote) to
citrix servers (local)

is it possible to give the ICA traffic priority over everything else?

If so can someone point me in the right direction of how to go about
this?

Thanks

Stu




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64141&t=64070


RE: NAT order of operation [7:64037]

2003-03-01 Thread Symon Thurlow
I had a look at the link, and this is the flow for inside-outside:

If IPSec then check input access list
decryption - for CET (Cisco Encryption Technology) or IPSec
check input access list
check input rate limits
input accounting
policy routing
routing
redirect to web cache
NAT inside to outside (local to global translation)
crypto (check map and mark for encryption)
check output access list
inspect (Context-based Access Control (CBAC))
TCP intercept
encryption

It makes sense to me to route first and NAT later, because until the
router has performed the routing function, it can't know what interface
to send the packet out. Once it knows the interface to send the packet
out, it will know if NAT is required or not, and no further routing
decisions are required.

For outside-inside, this is the flow:

If IPSec then check input access list
decryption - for CET or IPSec
check input access list
check input rate limits
input accounting
NAT outside to inside (global to local translation)
policy routing
routing
redirect to web cache
crypto (check map and mark for encryption)
check output access list
inspect CBAC
TCP intercept
Encryption

The router must perform NAT first, so that it will know the real
destination address, and then it can make a routing decision based on
the real destination address.

So a very simplified (some detail left out) example would be a simple
NAT to the internet for internal traffic such as this:

Internal_PC(192.168.1.100)--(192.168.1.1 int e0)Router(int e1
217.217.217.217)--Internet

Let's say that the router is performing NAT on all outbound traffic so
that it appears to come from IP address 217.217.217.217. Let's pretend
the PC is sending an HTTP request to a website (and that it has already
performed a DNS lookup etc).

1. The PC will send an HTTP request for the website address (1.2.3.4).
2. The HTTP packet will be received by the router on INT e0.
3. The router will look at the destination address of the packet, realise
that it is not on the local subnet, so it will look in its routing
tables for where to send the packet.
4. In our example the router will only have one route, which is a default
to the Internet.
5. The router will therefore send the packet out its INT e1 interface,
but it will change the source address to be 217.217.217.217.

This is the route first then NAT behaviour in your original question.

Let's say that things are good today so the HTTP request made it to the
web server, and the reply is coming back.

1. The router will receive the packet on its external interface (INT e1)
with a destination address of 217.217.217.217.
2. The router will realise that this is return traffic for the request
that came out, so will NAT the packet back, changing the destination
address back to 192.168.1.100, then look in its routing tables to see
where to send the packet.
3. It will realise that 192.168.1.100 is directly connected, so it will
transmit the packet out its INT e0 interface.

I know I have simplified the process a lot and left some detail out, but
that should explain why the flows are different depending on which way
the traffic is going.

Cheers,

Symon
-Original Message-
From: Masaru Umetsu [mailto:[EMAIL PROTECTED] 
Sent: 28 February 2003 01:16
To: [EMAIL PROTECTED]
Subject: NAT order of operation [7:64037]


Regarding NAT order of operation, I looked at the URL below.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


routing
↓
NAT inside to outside(local to global)


NAT outside to inside(global to local)
↓
routing

I don't understand the flow of the above.
Please teach me the meaning of the above easily by using an example.

:-)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64142&t=64037
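To make the two orders of operation concrete, here is an added example (not code from the thread) that simulates the router in Symon's topology in Python: inside-to-outside packets are routed first and translated only when the egress is the outside interface, while outside-to-inside packets are translated first and then routed on the recovered inside address, with an unsolicited inbound packet dropped for lack of a translation. The interface names, the port numbers and the PAT table layout are my assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology from the post: inside host 192.168.1.100 on e0, the
# router's outside address 217.217.217.217 on e1, one default route out e1.
INSIDE_IF, OUTSIDE_IF = "e0", "e1"
OUTSIDE_ADDR = "217.217.217.217"
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), INSIDE_IF),  # directly connected
    (ipaddress.ip_network("0.0.0.0/0"), OUTSIDE_IF),       # default to the Internet
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    routes: list = field(default_factory=lambda: list(ROUTES))
    # Overload (PAT) table: (global ip, global port) -> (local ip, local port).
    translations: dict = field(default_factory=dict)
    next_port: int = 1024          # assumed first global port handed out
    trace: list = field(default_factory=list)

    def lookup_route(self, dst):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, ifc) for net, ifc in self.routes if addr in net]
        return max(hits)[1] if hits else None

    def forward(self, pkt, ingress):
        """Apply the order of operations from the post to one packet.
        Returns (egress interface, packet as sent) or (None, None) if dropped."""
        self.trace = []
        if ingress == INSIDE_IF:
            # Inside -> outside: route first. Translate only when the egress is
            # the outside interface, so inside-to-inside traffic is untouched.
            egress = self.lookup_route(pkt.dst)
            self.trace.append(f"routing {pkt.dst} -> {egress}")
            if egress is None:
                return None, None
            if egress == OUTSIDE_IF:
                pkt = self.local_to_global(pkt)
            return egress, pkt
        # Outside -> inside: translate first so the real destination is known,
        # then route on the inside local address.
        local = self.translations.get((pkt.dst, pkt.dport))
        if local is None:
            self.trace.append(f"no translation for {pkt.dst}:{pkt.dport}, dropped")
            return None, None
        pkt = Packet(pkt.src, local[0], pkt.sport, local[1])
        self.trace.append(f"NAT global->local {local[0]}:{local[1]}")
        egress = self.lookup_route(pkt.dst)
        self.trace.append(f"routing {pkt.dst} -> {egress}")
        return egress, pkt

    def local_to_global(self, pkt):
        """Reuse the existing binding for this local socket or create one."""
        for (gip, gport), local in self.translations.items():
            if local == (pkt.src, pkt.sport):
                return Packet(gip, pkt.dst, gport, pkt.dport)
        gkey = (OUTSIDE_ADDR, self.next_port)
        self.next_port += 1
        self.translations[gkey] = (pkt.src, pkt.sport)
        self.trace.append(f"NAT local->global {gkey[0]}:{gkey[1]}")
        return Packet(gkey[0], pkt.dst, gkey[1], pkt.dport)


def walk_example():
    """The post's HTTP request and reply, plus an unsolicited inbound packet."""
    r = Router()
    out_if, out_pkt = r.forward(Packet("192.168.1.100", "1.2.3.4", 40000, 80), INSIDE_IF)
    back_if, back_pkt = r.forward(Packet("1.2.3.4", out_pkt.src, 80, out_pkt.sport), OUTSIDE_IF)
    stray_if, _ = r.forward(Packet("5.6.7.8", OUTSIDE_ADDR, 4444, 23), OUTSIDE_IF)
    return out_if, out_pkt, back_if, back_pkt, stray_if


if __name__ == "__main__":
    for item in walk_example():
        print(item)
```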


RE: Cat4006 - Prompt [7:63984]

2003-03-01 Thread Symon Thurlow
Set prompt :>



-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED] 
Sent: 27 February 2003 22:11
To: [EMAIL PROTECTED]
Subject: Re: Cat4006 - Prompt [7:63984]


FWIW The system name clears but not the prompt.  I'm running 7.2.2:

C4006A (enable) set system name
System name cleared.
C4006A (enable) set prompt
Usage: set prompt 
C4006A (enable)

   Dave

ericbrouwers wrote:
> Hostnames and prompts can be changed by just entering the command with
> no string; hit enter after command:
> 
> Switch(enable) set system name
>or
> Switch(enable) set prompt
> 
> Eric
> 
> - Original Message -
> From: "Eagles Fan"
> To: 
> Sent: Thursday, February 27, 2003 3:32 PM
> Subject: Cat4006 - Prompt [7:63984]
> 
> 
> 
>>is it possible to clear the prompt after manually setting it?
>>
>>_
>>Protect your PC - get McAfee.com VirusScan Online 
>>http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64143&t=63984


PIX-Checkpoint (was RE: Cat4006 - Prompt [7:63984]) [7:64144]

2003-03-01 Thread Symon Thurlow
I replaced a couple of Checkpoint boxes that were handling about 700
concurrent inbound connections (trading system).

The Checkpoint boxes (I think one was a PIII 500, the other a dual PIII
700), both PCs, handled it easily, no real CPU load, and they only need
about 192MB RAM, 256 MAX.

The PIX boxes (515e) show about the same amount of load. Is yours a 515
or a 515e? I think even a 515 would handle it easily. Were you
terminating any VPNs etc?

Whilst I prefer the PIX over Checkpoint on a server or PC, earlier PIX
versions have (IMHO) some major limitations compared to Checkpoint, such
as port translation (incoming port 25 send it to port 2500) which were
not available until later versions.

For what you need, I would certainly ditch the Checkpoint box and put
the PIX in. What version of the OS is on it?

Symon 

-Original Message-
From: John Brandis [mailto:[EMAIL PROTECTED] 
Sent: 28 February 2003 00:37
To: [EMAIL PROTECTED]
Subject: RE: Cat4006 - Prompt [7:63984]


on this you are spot on, I used to have a 5505 that was in the same boat
you are in. I love my supIII. I just found a pix 515 in my bottom drawer.

Does anyone know how the pix 515 would compare to a checkpoint
firewall on a PIII 800MHz on Win2k 1G RAM with 600 users behind it just
handling web surfing, email and the like? I am guessing the PC based
checkpoint model would win that race, but has anyone here benchmarked
it?

Thanks

Jb


-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED] 
Sent: Friday, 28 February 2003 11:25 AM
To: John Brandis
Cc: [EMAIL PROTECTED]
Subject: Re: Cat4006 - Prompt [7:63984]



   Not if you have a supII.  You obviously have only worked with 
supIII's and supIVs

   Dave

John Brandis wrote:
> Cat 4006 is IOS based from my experience
> 
> Cat4006> en
> Blah blah
> Cat4006# conf t
>  then try the hostname eaglesfan
> 
> Should work

-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64144&t=64144


Re[2]: NAT order of operation [7:64037]

2003-03-01 Thread Masaru Umetsu
Thanks, Symon.

Would anybody answer my question titled 'NAT definition'?
(I sent it to this ML on 25 Feb.)

Regards.

On Sat, 1 Mar 2003 08:44:08 -
"Symon Thurlow"  wrote:


-- 
Masaru Umetsu 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64145&t=64037


Howto log failed login attempts? [7:64146]

2003-03-01 Thread Johan Hjalmarsson
I would like to log all failed (and maybe even all successful) login
attempts on a router to my syslog server, but I can't find a way to do this.
Since I'm using a local user database, with login local on the VTY, I would
like to see what user accounts are being tried at the logon prompt.

Can anyone tell me if this is possible to do and also how to do it.

Thanks
/Johan



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64146&t=64146


Clock rate 64000 = Bandwidth 64000 - ? [7:64147]

2003-03-01 Thread Cisco Nuts
Hello,

If the clock rate has been configured for 64000 on one side of the
link (home lab), does that mean that the bandwidth needs to be set to
64000 on both sides of the link using the bandwidth command so that
routing protocols like OSPF correctly compute the metrics? After all,
isn't the default bandwidth (1.544M) cosmetic in spite of the link having
been configured with clock rate = 64000?

Thanks for the clarification.

Sincerely,
CN







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64147&t=64147


Re: Howto log failed login attempts? [7:64146]

2003-03-01 Thread David L. Blair
Kiwi makes a good Syslog server.

-dlb


""Johan Hjalmarsson""  wrote in message
news:[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64148&t=64146


RE: MRTG [7:64133]

2003-03-01 Thread Elijah Savage
Google is your friend  :)

But here is the site and everything you need is there on the site
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

Also here is what a sample looks like of mrtg running graphing my pix
and web server and mail server for my home network.

http://www.digitalrage.org/mrtg

-Original Message-
From: milind tare [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 28, 2003 11:55 PM
To: [EMAIL PROTECTED]
Subject: MRTG [7:64133]

hi buddy,


 Need information about the MRTG. Can anyone tell me
from which site I can download, and what is the
hardware requirement and any technical documentation
URL.

Thanks & Regards,
milind





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64149&t=64133


Re: Howto log failed login attempts? [7:64146]

2003-03-01 Thread Jens Neelsen
Hi,

the solution to this is the Cisco Security Server ACS. If you
authenticate the users via this AAA server it will log the
successful and failed attempts. One server will do it for all
routers and switches on the network.

AAA means authentication, authorisation and accounting. This
means you can define WHO can do WHAT and log WHEN they did it.
This can include all commands entered on a router console with
date and time.

You can find more information in the Cisco BCRAN training course and
the remote access books. The ACS server is also part of wireless
LAN and other security solutions and VoIP accounting.

With kind regards
Jens Neelsen

--- Johan Hjalmarsson  wrote:




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64150&t=64146


Re: Who likes BGP? [7:64123]

2003-03-01 Thread p b
Isn't it standard practice for two entities, when setting up
a peering, transit, or partial transit relationship, to agree
on what routes will be sent over the links and then develop
route filters on each side accordingly?   If this is done properly,
then a misconfiguration on one side should not impact folks
upstream or peering, no?  

Of course, if misconfiguration happens at multiple levels, 
then damage might affect multiple levels.

Is there ever a time when one can't set up predefined routing
filters on an eBGP connection because the set of advertisements
expected over the link would be unknown?




The Long and Winding Road wrote:
> 
> ""Edwin R. Gonzalez""  wrote in message
> news:[EMAIL PROTECTED]
>
> > http://news.com.com/2100-1009-990608.html
> >
> 
> 
> yada yada yada  :->
> 
> the big point seems to be the misconfigured router incident, and it is
> highly unlikely that any system or protocol could have prevented that from
> happening. after all, that router was trusted by its neighbors, as it should
> have been.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64151&t=64123
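As an added example (not from the thread), the following Python check implements the route-filter idea in the post: an agreed prefix list in the "prefix plus allowed more-specifics" form of an IOS prefix-list entry with "le", a maximum-prefix limit, and a classification of each received announcement as accepted or rejected with the reason, so a misconfiguration on the far side stops at this router. The prefixes and the limit are constructed values.

```python
import ipaddress


def build_filter(entries):
    """Agreed prefix list: (prefix, le) accepts that prefix and any
    more-specific route no longer than 'le' bits, like an IOS prefix-list
    entry with 'le'. The entries used below are constructed examples."""
    return [(ipaddress.ip_network(prefix), le) for prefix, le in entries]


def check_one(net, agreed):
    """Return None if the announcement is covered by the agreed list,
    otherwise the reason it should be rejected."""
    covering = [
        (agreed_net, le)
        for agreed_net, le in agreed
        if agreed_net.version == net.version and net.subnet_of(agreed_net)
    ]
    if not covering:
        # Nothing agreed covers it: a leak, a wider aggregate or a typo.
        return "not in agreed prefix list"
    if all(net.prefixlen > le for _, le in covering):
        return "more specific than agreed"
    return None


def evaluate(announcements, agreed, max_prefixes):
    """Classify received announcements in arrival order. Returns
    (accepted prefixes, [(prefix, reason), ...] for the rejected ones)."""
    accepted, rejected = [], []
    for text in announcements:
        net = ipaddress.ip_network(text)
        reason = check_one(net, agreed)
        if reason is None and len(accepted) >= max_prefixes:
            # The peer sent more than was agreed; a router would normally
            # tear the session down rather than take the extra routes.
            reason = "max-prefix exceeded"
        if reason is None:
            accepted.append(text)
        else:
            rejected.append((text, reason))
    return accepted, rejected


if __name__ == "__main__":
    agreed = build_filter([("203.0.113.0/24", 24), ("198.51.100.0/22", 24)])
    received = ["203.0.113.0/24", "203.0.113.0/25", "198.51.100.0/23",
                "10.0.0.0/8", "198.51.102.0/24", "198.51.103.0/24"]
    for item in evaluate(received, agreed, max_prefixes=3):
        print(item)
```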


Re: Who likes BGP? [7:64123]

2003-03-01 Thread John Murphy
That's actually an accurate statement.  From the White House's 'National
Strategy to Secure Cyberspace', "(iii) Border Gateway Protocol. Of the  many
routing protocols in use within the Internet, the Border Gateway Protocol
(BGP) is at greatest risk of being the target of attacks  designed to
disrupt or degrade service on a large scale."  BGP, along with IP and DNS
were identified in their document as three "key protocols" whose security
and reliability are "Essential to the security of the Internet
infrastructure."

There has been a significant amount of work/discussion over the last few
years to find ways to secure BGP so that some malicious/incompetent
BGP-speaker couldn't create substantial black holes in the internet.   As
there is no global standard for using the Routing Registries, or any other
registry-like entity, there is no global method in place for validating an
announcer's authority for an AS, nor a prefix.  Of course, like nearly
anything else in our industry, there are a number of schools of thought on
the Best Way (tm).

There is also a new iteration of this discussion over on NANOG, I'm sure it
will turn into yet another entertaining thread.

-jm


- Original Message -
From: "Amazing" 
To: 
Sent: Friday, February 28, 2003 9:30 PM
Subject: Re: Who likes BGP? [7:64123]


> LMAO
>
> "the Bush Administration recently pointed to BGP as critical technology
that
> needs to be secured.
>
>
> ""The Long and Winding Road""  wrote in
> message news:[EMAIL PROTECTED]
> > ""Edwin R. Gonzalez""  wrote in message
> > news:[EMAIL PROTECTED]
> > > I came across this article about BGP earlier today,
> > > check it out;
> > >
> > > http://news.com.com/2100-1009-990608.html
> > >
> >
> >
> > yada yada yada  :->
> >
> > the big point seems to be the misconfigured router incident, and it is
> > highly unlikely that any system or protocol could have prevented that
from
> > happening. afterall, that router was trusted by it's neighbors, as it
> should
> > have been.
> >
> > against stupidity the gods themselves contend in vain.
> >
> > ( OK, I agree in concept. but the article fails to make it's case by
> citing
> > idiocy as a driving factor )




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64152&t=64123


RE: Who likes BGP? [7:64132]

2003-03-01 Thread Logan, Harold
In my uneducated opinion, it seems to me like there are much larger concerns
out there than BGP security. I say uneducated because I haven't worked for
an ISP, nor have I worked for any other organization that would run BGP. My
BGP experience consists of reading and lab work, that's it. I'm a Cisco
Network Academy instructor, and the majority of my experience is from lab
work and consulting. I'm teaching my first CCNP Routing class starting next
week, so any input from those in the know would be appreciated. Hell, I'll
appreciate input from those not in the know, I'm not picky... just don't
expect me to take it as gospel truth.

When I tell a router to peer with another BGP speaker, I can put
restrictions on it. I can tell it what AS paths I'll accept from that peer,
and what prefixes I'll accept from that peer. If I'm an ISP peering with a
customer who has the class C network 210.5.5.0 assigned to them, do I not
have a responsibility to configure my BGP router to ignore any BGP
advertisements from that customer that are not advertising 210.5.5.0? I know
that no one is going to hold me to it, it's not like the IETF has a squad of
mercenaries who are going to kick the door in and check my configs, but
doesn't that responsibility fall to both the customer and the ISP?

Sorry if I'm off base here, but that's my basic understanding of how things
work; the customer has a responsibility to only advertise their networks,
and the ISP has a responsibility to only accept advertisements for that
customer's networks. Does the same relationship exist among ISPs, or do
things get too complex to filter updates at that point?

It seems like the "security hole" in BGP is the human that configures a BGP
router to accept any route it gets. Thoughts?

Hal Logan CCAI, CCDP, CCNP: Voice
Network Specialist / Adjunct Faculty
Computing & Engineering Technology
Manatee Community College


> -Original Message-
> From: Edwin R. Gonzalez [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 28, 2003 11:39 PM
> To: [EMAIL PROTECTED]
> Subject: Who likes BGP? [7:64132]
> 
> 
> Hey,
> 
> It's your friendly neighborhood CISCO MAN!
> Sorry, it's Friday night, I'm still at work with a coffee
> buzz that might last me until the morning.
> 
> I came across this article that might be of interest to
> some people, check it out;
> http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed
> 
> 
> 
> --
> _
> The harder you work, the luckier you get!
> _
> The only place success comes before
> work is in the dictionary!!!
> _




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64153&t=64132


RE: Clock rate 64000 = Bandwidth 64000 - ? [7:64147]

2003-03-01 Thread Orlando, Jr. Palomar
Yes, in order for OSPF or EIGRP to have a more precise computation of costs
and metrics, you should match the bandwidth with the port speed. However, if
this is frame relay, you may want to match the bandwidth with the link's CIR.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64154&t=64147


RE: Networking problem [7:64012]

2003-03-01 Thread Orlando, Jr. Palomar
Adeboye Onifade wrote:
> Server.
> The
> server is a Pentium 3, 128MB changed to 256, it's also on full
> duplex on the switch/ hubs etc could anyone advise on how
> to make the server more efficient!

You can't configure full-duplex when connecting to a hub. Probably explains
the problems you're having.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64155&t=64012


Re: two 1900 catalyst switches cannot exchange VLA [7:63937]

2003-03-01 Thread Orlando, Jr. Palomar
I presume you've configured one of them as a vtp server, while the other as
a vtp client? Likewise, they should both have the same vtp domain name.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64156&t=63937


RE: Scheduling Timed FTP [7:63886]

2003-03-01 Thread Orlando, Jr. Palomar
You can use the time-range command together with an access-list and Modular
QoS CLI (MQC) to accomplish this.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64157&t=63886


Re: Clock rate 64000 = Bandwidth 64000 - ? [7:64147]

2003-03-01 Thread Ian Henderson
On Sat, 1 Mar 2003, Cisco Nuts wrote:

> Hello,
>
> If the clock rate has been configured for 64000 on one side of the
> link (home lab), does that mean that the bandwidth needs to be set to
> 64000 on both sides of the link using the bandwidth command so that
> routing protocols like Ospf correctly compute the metrics? After all,
> isn't the default bandwidth (1.544M) cosmetic in spite of the link having
> been configured with clock rate = 64000?
>
> Thanks for the clarification.
>
> Sincerely,
> CN

Yes, you're correct.

Clocking (on the DCE side) specifies the bandwidth of a link while the
'bandwidth' statement is used for calculating routing metrics, the 'show
int' load counter, etc.

I can think of a few reasons why IOS doesn't just use the clocked amount
as the bandwidth statement:

- some interfaces (namely subinterfaces - ATM VCs, Frame VCs, etc) don't
get a clock per se, but still need a concept of bandwidth.

- A dodgy hack to allow people to easily modify routing metrics.

- The DCE device may provide a clock that is higher than the actual link
speed. A good example is an Async interface with a modem - the speed
between the router and modem is 115Kbit, but the modem may only connect at
56Kbit.

Rgds,



- I.

--
Ian Henderson CCNA, CCNP
Senior Network Engineer, Chime Communications




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64159&t=64147


Re: Who likes BGP? [7:64123]

2003-03-01 Thread Howard C. Berkowitz
At 2:24 AM + 3/1/03, Edwin R. Gonzalez wrote:
>I came across this article about BGP earlier today,
>check it out;
>
>http://news.com.com/2100-1009-990608.html
>

The Stephen Dugan quoted in the article has not, AFAIK, made any 
contributions to IETF or NANOG. Blackhat's bio says he has presented 
at NANOG, but I can't find him in the NANOG author directory or in 
the last year or two on the NANOG mailing list.

Sorry, this article really seems to have keyed on one presentation 
and doesn't refer to any of the top experts on BGP security, much 
less routing policy or BGP scalability. I _know_ he hasn't been 
involved in the IRTF-RR discussions on alternatives to BGP.


At 3:30 AM + 3/1/03, Amazing wrote:
>LMAO
>
>"the Bush Administration recently pointed to BGP as critical technology that
>needs to be secured.
>

Your point? I don't think that you'd find anyone in NANOG or the IETF 
to agree it isn't critical.

Now, whether digital signatures are necessary and sufficient is quite 
a different matter.  I think the article is referring to the AS 7007 
incident (a "small Virginia ISP"), and simple digital signatures would 
not have prevented that.

Requiring use of a routing registry and generating acceptance policy 
from validity-checked registry information is probably a much 
stronger technique.  AS 7007 would have been preventable with 
prefix-limit.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64160&t=64123


Re: Who likes BGP? [7:64123]

2003-03-01 Thread Howard C. Berkowitz
At 3:15 AM + 3/1/03, The Long and Winding Road wrote:
>""Edwin R. Gonzalez""  wrote in message
>news:[EMAIL PROTECTED]
>>  I came across this article about BGP earlier today,
>>  check it out;
>>
>>  http://news.com.com/2100-1009-990608.html
>>
>
>
>yada yada yada  :->
>
>the big point seems to be the misconfigured router incident, and it is
>highly unlikely that any system or protocol could have prevented that from
>happening. after all, that router was trusted by its neighbors, as it should
>have been.

Most clueful providers won't accept ANYTHING that comes from BGP 
peers, other than perhaps major default-free providers. In any case, 
there are other safety mechanisms than validating BGP updates 
themselves.

I'm really unimpressed with this article.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64161&t=64123
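The ingress policy discussed in Hal Logan's post (accept from a customer only the prefixes assigned to them) and in Howard Berkowitz's replies (prefix-limit as the safety net that would have caught AS 7007), as an added simulation; this is not code or configuration from the thread. The customer prefix 210.5.5.0/24 is the one named in the thread; the ASNs, the second allocation 203.0.113.0/24, the /26 maximum length and the prefix limit of 4 are constructed assumptions.

```python
"""Ingress route filtering for an eBGP customer session (added example).

Models three layers of defence a provider applies to a customer session:
a path sanity check, a prefix-list restricted to the customer's own
allocations, and a max-prefix cap that tears the session down when a
misconfigured peer floods it.  All announcements below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network


@dataclass
class CustomerSession:
    peer_as: int                      # AS expected as first hop of every path
    allowed: list[IPv4Network]        # prefixes assigned to this customer
    allowed_origins: set[int]         # ASes permitted to originate them
    max_prefix: int                   # session is dropped above this count
    max_length: int = 24              # assumption: no more-specifics past /24
    accepted: list[IPv4Network] = field(default_factory=list)
    down: bool = False


@dataclass
class Decision:
    prefix: str
    accepted: bool
    reason: str


def evaluate(session: CustomerSession, prefix: str, as_path: list[int]) -> Decision:
    """Apply the ingress policy to one announcement and update session state."""
    if session.down:
        return Decision(prefix, False, "session down (max-prefix exceeded)")
    net = ip_network(prefix, strict=False)
    # 1. Path sanity: the first AS must be the peer itself, and the origin
    #    must be one we have agreed to accept for these prefixes.
    if not as_path or as_path[0] != session.peer_as:
        return Decision(prefix, False,
                        f"first AS {as_path[:1]} is not peer AS {session.peer_as}")
    if as_path[-1] not in session.allowed_origins:
        return Decision(prefix, False, f"origin AS {as_path[-1]} not permitted")
    # 2. Prefix-list: only the customer's allocations, or more-specifics of
    #    them no longer than max_length (the "le" part of a prefix-list entry).
    if net.prefixlen > session.max_length:
        return Decision(prefix, False,
                        f"/{net.prefixlen} longer than /{session.max_length}")
    if not any(net.subnet_of(a) for a in session.allowed):
        return Decision(prefix, False, "not within customer's assigned prefixes")
    # 3. Max-prefix: a deaggregation flood passes the prefix-list entry by
    #    entry, so the count is the last line of defence for the table.
    if net not in session.accepted:
        session.accepted.append(net)
    if len(session.accepted) > session.max_prefix:
        session.down = True
        session.accepted.clear()
        return Decision(prefix, False, "max-prefix exceeded, session torn down")
    return Decision(prefix, True, "accepted")


def run_policy(session: CustomerSession,
               announcements: list[tuple[str, list[int]]]) -> list[Decision]:
    """Evaluate announcements in arrival order, carrying session state along."""
    return [evaluate(session, prefix, path) for prefix, path in announcements]


def demo() -> tuple[list[Decision], CustomerSession]:
    """Constructed session: customer in private AS 64500 holding two /24s."""
    session = CustomerSession(
        peer_as=64500,
        allowed=[ip_network("210.5.5.0/24"), ip_network("203.0.113.0/24")],
        allowed_origins={64500},
        max_prefix=4,
        max_length=26,
    )
    announcements = [
        ("210.5.5.0/24", [64500]),           # their own block: accept
        ("192.0.2.0/24", [64500]),           # someone else's block: reject
        ("0.0.0.0/0", [64500]),              # leaked default route: reject
        ("210.5.5.0/28", [64500]),           # too specific: reject
        ("210.5.5.0/24", [64501, 64500]),    # path not starting with peer: reject
        ("203.0.113.0/24", [64500, 64502]),  # unexpected origin AS: reject
    ]
    # Deaggregation flood: every /26 inside the allocations passes the
    # prefix-list, but the count trips max-prefix and the session drops.
    announcements += [(str(sub), [64500])
                      for a in session.allowed
                      for sub in a.subnets(new_prefix=26)]
    return run_policy(session, announcements), session


if __name__ == "__main__":
    decisions, sess = demo()
    for d in decisions:
        print(f"{'ACCEPT' if d.accepted else 'REJECT':6} {d.prefix:18} {d.reason}")
    print("session down:", sess.down)
```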


Re: Policy Routing on the 3550? [7:64074]

2003-03-01 Thread W. Alan Robertson
Thanks for the replies...

My TAC case worker believes the same to be true, although he's still
trying to verify this with absolute certainty.

I'll have to cross my fingers and hope that they add it in the future,
although by then, it won't matter for this project.  We're going to
have to go another route for now.


- Original Message -
From: "Erick B." 
To: 
Sent: Saturday, March 01, 2003 1:28 AM
Subject: Re: Policy Routing on the 3550? [7:64074]


> route-map isn't listed as a command in the
> documentation so it's probably something from full IOS
> that isn't supported. They may add support in the
> future.
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550scg/swuncli.htm#xtocid24
>
> Unsupported route map commands on 3550 (latest code):
>
> match route-type {level-1 | level-2}
> set as-path {tag | prepend as-path-string}
> set automatic-tag
> set dampening
> set ip destination ip-address mask
> set ip next-hop
> set ip precedence value
> set ip qos-group
> set metric-type internal
> set metric-type internal
> set tag tag-value
>
>
> --- "W. Alan Robertson"
> wrote:
> > Howdy folks...
> >
> > I need to set the next hop on a 3550 (with the EMI
> > Image) based on the
> > protocol type.  We've got a number of transparent
> > proxy servers, each
> > one handling a different type of traffic (One for
> > HTTP...  One for
> > SMTP...  Etc.).
> >
> > No problem, right?  Wrong.
> >
> > Merrily, I configured my access-lists to identify
> > the various traffic
> > types.  I then created the route-map statements to
> > set ip next-hop for
> > each of the types of traffic.  I then went to my
> > vlan interface to
> > apply the route-maps, but lo and behold, no "ip
> > policy" command.
> >
> > How can I apply the route-maps to my interface?
> >
> > Is there another way to accomplish this?
> >
> > Thanks,
> >
> > Alan
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64162&t=64074


Re: Howto log failed login attempts? [7:64146]

2003-03-01 Thread eric nguyen
I don't know if this is doable since you are doing it locally.  My advice to
you is that this is not a scalable solution.  What you really want is a TACACS+
server.  If you are "cheap" like myself, you can build your own tacacs+ server
running on an Intel 486 machine with 32MB of RAM with the OS being linux or
FreeBSD.  The tacacs server source code is located at
ftp://ftp-eng.cisco.com/pub/tacacs
If you are unix "illiterate", then you have to shell out money for Cisco ACS
running on Winblows 2k Server platform (it sucks by the way).  The tacacs+
server will let you do Authentication, Authorization and Accounting (logging
successful and unsuccessful login attempts) and most important of all, it is
scalable.
Eric

Johan Hjalmarsson wrote:
> I would like to log all failed (and maybe even all successful) login
> attempts on a router to my syslog server, but I can't find a way to do this.
> Since I'm using a local user database, with login local on the VTY, I would
> like to see what user accounts are being tried at the logon prompt.
>
> Can anyone tell me if this is possible to do and also how to do it.
>
> Thanks
> /Johan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64168&t=64146


Re: Who likes BGP? [7:64132]

2003-03-01 Thread Henry D.
I agree with the part that there are many human related problems
with BGP configs and policies implementations. But that's the case
with other protocols as well. In BGP's case it's probably showing more
of people's carelessness or misunderstanding of the working of the protocol
since as you mentioned there are rare instances of protocol implementations
besides the Internet. All the things you can implement facing the customer
are fine and dandy, you can protect yourself and the customer has to adhere
to certain policies as well. I think there is a problem with the scope of
some networks, if you have to deal with filtering and such of hundreds or
thousands of prefixes then you will see there is a good chance for mistakes.
This is probably even more a case with inter-provider peerings, where you are
really limited to what you can do as the work load on you would be quite
substantial. Even if you did the proper work, there are cases for updates and
revisiting where you can run into additional problems.

All in all, I don't think the problem is with the protocol,
it's the diversity of the networks that need to be supported,
lack of consistent information and obviously the human factor.


""Logan, Harold""  wrote in message
news:[EMAIL PROTECTED]
> In my uneducated opinion, it seems to me like there are much larger concerns
> out there than BGP security. I say uneducated because I haven't worked for
> an ISP, nor have I worked for any other organization that would run BGP. My
> BGP experience consists of reading and lab work, that's it. I'm a Cisco
> Network Academy instructor, and the majority of my experience is from lab
> work and consulting. I'm teaching my first CCNP Routing class starting next
> week, so any input from those in the know would be appreciated. Hell, I'll
> appreciate input from those not in the know, I'm not picky... just don't
> expect me to take it as gospel truth.
>
> When I tell a router to peer with another BGP speaker, I can put
> restrictions on it. I can tell it what AS paths I'll accept from that peer,
> and what prefixes I'll accept from that peer. If I'm an ISP peering with a
> customer who has the class C network 210.5.5.0 assigned to them, do I not
> have a responsibility to configure my BGP router to ignore any BGP
> advertisements from that customer that are not advertising 210.5.5.0? I know
> that no one is going to hold me to it, it's not like the IETF has a squad of
> mercenaries who are going to kick the door in and check my configs, but
> doesn't that responsibility fall to both the customer and the ISP?
>
> Sorry if I'm off base here, but that's my basic understanding of how things
> work; the customer has a responsibility to only advertise their networks,
> and the ISP has a responsibility to only accept advertisements for that
> customer's networks. Does the same relationship exist among ISPs, or do
> things get too complex to filter updates at that point?
>
> It seems like the "security hole" in BGP is the human that configures a BGP
> router to accept any route it gets. Thoughts?
>
> Hal Logan CCAI, CCDP, CCNP: Voice
> Network Specialist / Adjunct Faculty
> Computing & Engineering Technology
> Manatee Community College
>
>
> > -Original Message-
> > From: Edwin R. Gonzalez [mailto:[EMAIL PROTECTED]
> > Sent: Friday, February 28, 2003 11:39 PM
> > To: [EMAIL PROTECTED]
> > Subject: Who likes BGP? [7:64132]
> >
> >
> > Hey,
> >
> > It's your friendly neighborhood CISCO MAN!
> > Sorry, it's Friday night, I'm still at work with a coffee
> > buzz that might last me until the morning.
> >
> > I came across this article that might be of interest to
> > some people, check it out;
> > http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed
> >
> >
> >
> > --
> > _
> > The harder you work, the luckier you get!
> > _
> > The only place success comes before
> > work is in the dictionary!!!
> > _




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64167&t=64132


CPU and memory usage on Pix firewall VPN setup with PFS [7:64169]

2003-03-01 Thread eric nguyen
Hi,

I have 10 different VPN tunnels from my Pix520 firewall (500Mhz PIII and
256MB of RAM) to other Firewalls (Pix and Checkpoint) and Cisco VPN
Concentrators.  At the moment, all of the tunnels are using 3des, sha and DH
group 2 in phase 1.  In phase 2, I use 3des and sha1.  For security purposes,
I would like to add Perfect Forward Secrecy (PFS) to all tunnels.

However, I am concerned with the CPU load and memory resources on the pix520.
This pix520 firewall will also be used to protect our company web and mail
servers (DMZ1).  The Oracle database servers are located on another DMZ
segment (DMZ2).  Furthermore, it will also be used to protect our internal
network as well as accessing the Internet.

We don't have the budget to purchase any equipment, not even the VPN
Acceleration Card (VAC).  The pix is connected to a SDSL router (1.5Mbps
up/down).

During normal business hours, I notice that the cpu usage is about 40% and
memory usage is about 80MB.  In the evening there is a lot of backing up
going on (the backup server is located on the internal network and it backs
up all the web, mail and database servers).  While the servers are being
backed up, some database replication also takes place between the VPNs.  I
took a sample of that and the traffic on the "outside" interface maxes out at
1.5 mbps and the traffic between the "inside" and dmz is running at about
60mbps.  The cpu usage is about 55% and the memory usage is about 85MB.

My question is: should I enable PFS on all the tunnels without bringing down
the Pix520 firewalls?  Since the pix firewall is running on an Intel CPU, I
can always replace the current PIII 500 with another PIII 850 but I don't
think cisco would like that.  By the way, I am running Pix OS version 6.3(0)
build 144.  Even when I am running version 6.2(2), the performance is about
the same.  Anyone who has the pix VPN set up with PFS without bringing down
the pix, please advise.

On another unrelated question: has anyone ever seen the pix firewall using
more than 160MB of RAM?  My pix firewall has 256MB of RAM but I have never
seen it use more than 160MB.  Even in a lab environment where I hit the
firewall with a lot of connections, about 1 million simultaneous connections
of http, https, ftp, telnet, etc... the pix never uses more than 160MB of
RAM.  So does it mean on a firewall such as Pix535 that can have up to 1GB of
RAM, it actually never uses more than 256MB of RAM?

Eric







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64169&t=64169


Question concerning a new 2501 router in home lab [7:64170]

2003-03-01 Thread Jim
I recently acquired a used 2501 router for my home lab that is booting with
no problem. There is no configuration so it asks if you want to auto config.
I try to enter an N at this point and get nothing; it seems as if the
keystroke is not seen by the router. If I just run my hand across the
keyboard the router responds with enter a yes or no to continue. Any
suggestions to assist are greatly appreciated.

Jim Valentine




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64170&t=64170


Re: Who likes BGP? [7:64123]

2003-03-01 Thread Priscilla Oppenheimer
Howard C. Berkowitz wrote:
> 
> At 3:15 AM + 3/1/03, The Long and Winding Road wrote:
> >""Edwin R. Gonzalez""  wrote in message
> >news:[EMAIL PROTECTED]
> >>  I came across this article about BGP earlier today,
> >>  check it out;
> >>
> >>  http://news.com.com/2100-1009-990608.html
> >>
> >
> >
> >yada yada yada  :->
> >
> >the big point seems to be the misconfigured router incident, and it is
> >highly unlikely that any system or protocol could have prevented that from
> >happening. after all, that router was trusted by its neighbors, as it should
> >have been.
> 
> Most clueful providers won't accept ANYTHING that comes from BGP
> peers, other than perhaps major default-free providers. In any case,
> there are other safety mechanisms than validating BGP updates
> themselves.
> 
> I'm really unimpressed with this article.

Me too. :-) It doesn't sound like he has any detailed information. Also,
this sounds a little clueless: "The people who are writing the (Internet
engineering) drafts are running out of financing because people aren't
listening." What financing do they get??? I guess most of them are employed
and their employers support their research, and the economic disaster that
we're in right now could be a small factor. On the other hand, a lot of
protocol designers are so dedicated to what they do, they would probably do
it for free.

But I am impressed with the discussion we have had. It's been informative.

Priscilla
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64172&t=64123


Endpoint mapper [7:64173]

2003-03-01 Thread Priscilla Oppenheimer
Did you figure out how Windows RPC tells the client the new port to come
back on or find a URL? I'm dying to know! :-)

I bumped this up as a new message so it wouldn't get buried. For those who
do this on the Web, threads that were started days ago don't tend to get
much attention even if there's a new reply, because they are buried many
clicks away.

Thanks for any info you can supply.

Priscilla

Author: COULOMBE, TROY (---.safeco.com)
Date:   02-26-03 22:53

Anyone know of a good resource on RPC endpoint mapper? I'm trying to find
where in the packet the server tells the client which [new] port to come
back on. Using a sniffer, but I can't seem to nail down where in the payload
the "future" port is passed to the client.

a google search of "rpc endpoint mapper sniffer" has resulted in a lot of 
conversations about how RPC works, but not at the packet level :( 

don't mind RTFMing...but so far I can't find a good URL 

at least the FTP protocol "states" which port :) 

Thanks, 
TroyC 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64173&t=64173


MPLS on 2500 [7:64174]

2003-03-01 Thread Dennis Laganiere
Someone gave me a better link for the special IOS, so I updated the document
on www.laganiere.net

I'd be curious if anybody has tried to run a TE configuration using this
version.  I played a bit, but then got distracted with wireless over the last
few months...

Thanks all...

--- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64174&t=64174


Re: Question concerning a new 2501 router in home lab [7:64170]

2003-03-01 Thread The Long and Winding Road
""Jim""  wrote in message
news:[EMAIL PROTECTED]
> I recently acquired a used 2501 router for my home lab that is booting with
> no problem. There is no configuration so it asks if you want to auto config.
> I try to enter an N at this point and get nothing; it seems as if the
> keystroke is not seen by the router. If I just run my hand across the
> keyboard the router responds with enter a yes or no to continue. Any
> suggestions to assist are greatly appreciated.


just for kicks, does it respond to the carriage return ( or the "Y" key?? )
??

at least if it does, then you could see if it is just a broken key on your
terminal ;->




>
> Jim Valentine




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64175&t=64170


OSPF neighbor problem [7:64176]

2003-03-01 Thread Arnaud V.
Hello,

I have an ospf problem. Two neighbors on a nbma
network who have connectivity are unable to go into the
2-way state, but have established adjacency with the DR.
I include the configurations and ospf neighbor
states.
Perhaps I have made a mistake or don't know ospf
enough. Can you help please.

Thanks in advance

R2

interface Serial1/0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay traffic-shaping
 frame-relay class R2-ts
!
interface Serial1/0.1 point-to-point
 ip address 150.50.24.1 255.255.255.252
 ip ospf message-digest-key 1 md5 cisco
 frame-relay interface-dlci 204
!
interface Serial1/0.2 multipoint
 ip address 150.50.100.1 255.255.255.224
 ip ospf message-digest-key 1 md5 cisco
 ip ospf network non-broadcast
 ip ospf priority 0
 frame-relay map ip 150.50.100.2 205 broadcast
 frame-relay map ip 150.50.100.3 203 broadcast
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute connected subnets
 network 150.50.24.0 0.0.0.3 area 0
 network 150.50.100.0 0.0.0.127 area 0

 
ROUTERp1R2#sh ip ospf neigh

Neighbor ID     Pri   State             Dead Time   Address         Interface
172.32.1.1        1   FULL/  -          00:00:38    150.50.24.2     Serial1/0.1
N/A               0   ATTEMPT/DROTHER   -           150.50.100.3    Serial1/0.2
5.5.5.5         255   FULL/DR           00:01:39    150.50.100.2    Serial1/0.2
-

ROUTERp1R2#sh ip ospf int
Serial1/0.1 is up, line protocol is up
  Internet Address 150.50.24.1/30, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 48
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 6
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 172.32.1.1
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
Youngest key id is 1
Serial1/0.2 is up, line protocol is up
  Internet Address 150.50.100.1/27, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 48
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  Designated Router (ID) 5.5.5.5, Interface address 150.50.100.2
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:10
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 6
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 5.5.5.5  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
Youngest key id is 1
FastEthernet4/0 is up, line protocol is up
  Internet Address 150.50.17.2/24, Area 3
  Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_MULTIPOINT, Cost: 1
  Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in 00:00:07
  Index 1/3, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 0, maximum is 0
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
R3

interface Serial2/0
 ip address 150.50.100.3 255.255.255.224
 encapsulation frame-relay IETF
 ip ospf message-digest-key 1 md5 cisco
 ip ospf priority 0
 clockrate 2015232
 frame-relay map ip 150.50.100.1 302 broadcast
 frame-relay map ip 150.50.100.2 305 broadcast
 frame-relay map ip 150.50.100.3 302
 no frame-relay inverse-arp
 
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 network 150.50.100.0 0.0.0.127 area 0

-
routerp1R3#sh ip ospf neigh

Neighbor ID     Pri   State             Dead Time   Address         Interface
2.2.2.2           0   INIT/DROTHER      00:00:57    150.50.100.1    Serial2/0
5.5.5.5         255   FULL/DR           00:01:48    150.50.100.2    Serial2/0

-
routerp1R3#sh ip ospf int
Serial2/0 is up, line protocol is up
  Internet Address 150.50.100.3/27, Area 0
  Process ID 1, Router ID 3.3.3.3, Network Type NON_BROADCAST, Cost: 48
  Transmit Delay is 1 sec, State DROTHER, Priority 0
  Designated Router (ID) 5.5.5.5, Interface address 150.50.100.2
  No backup designated router on this network
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
Hello due in

Re: Who likes BGP? [7:64123]

2003-03-01 Thread Howard C. Berkowitz
At 7:55 PM + 3/1/03, Priscilla Oppenheimer wrote:
>Howard C. Berkowitz wrote:
>>
>
>  >
>>  I'm really unimpressed with this article.
>
>Me too. :-) It doesn't sound like he has any detailed information.

Let's put it this way -- BGP authentication has more options than 
just an MD5 signature on an update, which is really more 
authorization than authentication.  The more comprehensive route 
authentication mechanisms call for a chain of digital signatures at 
every AS on the path, allowing authentication back to the originator.

Even comprehensive authentication doesn't protect against incorrect 
origination. Protection there lies much more in validating routing 
policy, in using sanity checks like prefix limit and flap dampening, 
etc.

>Also,
>this sounds a little clueless: "The people who are writing the (Internet
>engineering) drafts are running out of financing because people aren't
>listening." What financing do they get??? I guess most of them are employed
>and their employers support their research, and the economic disaster that
>we're in right now could be a small factor. On the other hand, a lot of
>protocol designers are so dedicated to what they do, they would probably do
>it for free.

Funny you should mention that -- I just got off  a teleconference 
doing what we hope is the final draft of the BGP Control Plane 
Convergence before RFC acceptance. Two of the four people on the call 
were laid off by the companies that directly supported their work 
(one is still going to the San Francisco IETF using her frequent 
flyer miles), while another's new employer really doesn't support the 
work.

Attendance at an IETF meeting costs around $500, which covers the 
facility expense (with a fair bit of sponsorship), as well as 
contributions toward the upkeep of the secretariat. People or their 
employers pay their own way. If I were to single out one person as 
the top expert on BGP cryptosecurity, I'd mention Sandy Murphy, who 
does work for a security company. Obviously, they have a motivation 
for sponsoring her research.

See http://www.cymru.com/Documents/barry2.pdf for some pretty recent 
work on noncryptographic (mostly) BGP security from Cisco. It updates 
the Cisco Press book on ISP Essentials.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64177&t=64123
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: OSPF neighbor problem [7:64176]

2003-03-01 Thread The Long and Winding Road
""Arnaud V.""  wrote in message
news:[EMAIL PROTECTED]
> Hello,
>
> I have an ospf problem. Two neighbors on a nbma
> network who have connectivity are unable to go in the
> two state, but have establish adjacency with the DR.
> I include the configurations and  ospf neighbor
> states.


the problem is that the router with the multipoint subinterface considers
that it is on an NBMA, and therefore considers itself as the DR, while the
router using the point-to-point subinterface considers that it is on a
point-to-point link, and therefore does not believe in the necessity for a
DR.

if you look at the "show ip ospf neigh" result, you see the
"attempt/DRother": the DR is expecting a response from its partner
indicating the partner is neither a DR nor BDR.

in L2 terms, a multipoint subinterface connected to point-to-point
subinterfaces treats all connections as a series of point-to-point links.
due to the manner in which OSPF interacts with frame relay, you can easily
get situations like this.

off the top of my head, without knowing the particulars, I would advise that
you change the ospf network type to NBMA on the spokes, and use neighbor
statements on the hub. Also, don't forget to manipulate the priorities so
that the hub router becomes the DR.



> Perhaps have I done a mistake or don't know ospf
> enough. Can u help please.
>
> Thanks in advance
>
> __
> Do you Yahoo!?
> Yahoo! Tax Center - forms, calculators, tips, more
> http://taxes.yahoo.com/
> R2
>
> interface Serial1/0
>  no ip address
>  encapsulation frame-relay IETF
>  no fair-queue
>  frame-relay traffic-shaping
>  frame-relay class R2-ts
> !
> interface Serial1/0.1 point-to-point
>  ip address 150.50.24.1 255.255.255.252
>  ip ospf message-digest-key 1 md5 cisco
>  frame-relay interface-dlci 204
> !
> interface Serial1/0.2 multipoint
>  ip address 150.50.100.1 255.255.255.224
>  ip ospf message-digest-key 1 md5 cisco
>  ip ospf network non-broadcast
>  ip ospf priority 0
>  frame-relay map ip 150.50.100.2 205 broadcast
>  frame-relay map ip 150.50.100.3 203 broadcast
> !
> router ospf 1
>  log-adjacency-changes
>  area 0 authentication message-digest
>  redistribute connected subnets
>  network 150.50.24.0 0.0.0.3 area 0
>  network 150.50.100.0 0.0.0.127 area 0
> ----
>
> ROUTERp1R2#sh ip ospf neigh
>
> Neighbor ID Pri   State   Dead Time   Address Interface
> 172.32.1.11   FULL/  -00:00:38150.50.24.2 Serial1/0.1
> N/A   0   ATTEMPT/DROTHER-150.50.100.3 Serial1/0.2
> 5.5.5.5 255   FULL/DR 00:01:39150.50.100.2 Serial1/0.2
> -----
>
> ROUTERp1R2#sh ip ospf int
> Serial1/0.1 is up, line protocol is up
>   Internet Address 150.50.24.1/30, Area 0
>   Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 48
>   Transmit Delay is 1 sec, State POINT_TO_POINT,
>   Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
> Hello due in 00:00:02
>   Index 1/1, flood queue length 0
>   Next 0x0(0)/0x0(0)
>   Last flood scan length is 1, maximum is 6
>   Last flood scan time is 0 msec, maximum is 0 msec
>   Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 172.32.1.1
>   Suppress hello for 0 neighbor(s)
>   Message digest authentication enabled
> Youngest key id is 1
> Serial1/0.2 is up, line protocol is up
>   Internet Address 150.50.100.1/27, Area 0
>   Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 48
>   Transmit Delay is 1 sec, State DROTHER, Priority 0
>   Designated Router (ID) 5.5.5.5, Interface address 150.50.100.2
>   No backup designated router on this network
>   Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> Hello due in 00:00:10
>   Index 2/2, flood queue length 0
>   Next 0x0(0)/0x0(0)
>   Last flood scan length is 1, maximum is 6
>   Last flood scan time is 0 msec, maximum is 0 msec
>   Neighbor Count is 1, Adjacent neighbor count is 1
> Adjacent with neighbor 5.5.5.5  (Designated Router)
>   Suppress hello for 0 neighbor(s)
>   Message digest authentication enabled
> Youngest key id is 1
> FastEthernet4/0 is up, line protocol is up
>   Internet Address 150.50.17.2/24, Area 3
>   Process ID 1, Router ID 2.2.2.2, Network Type POINT_TO_MULTIPOINT, Cost: 1
>   Transmit Delay is 1 sec, State POINT_TO_MULTIPOINT,
>   Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
> Hello due in 00:00:07
>   Index 1/3, flood queue length 0
>   Next 0x0(0)/0x0(0)
>   Last flood scan length is 0, maximum is 0
>   Last flood scan time is 0 msec, maximum is 0 msec
>   Neighbor Count is 0, Adjacent neighbor count is 0
>   Suppress hello for 0 neighbor(s)
> R3
>
> interface Serial2/0
>  ip address 150.50.100.3 255.255.255.224
>  encapsulation fra
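The agreement on OSPF network type and hello/dead timers that the reply above turns on can be checked mechanically from each router's `show ip ospf interface` output; the Python below is an added example, not code from the thread, that parses those blocks, groups interfaces by subnet and flags any segment whose members disagree. Against the two NBMA interfaces quoted in the thread it reports nothing (both are NON_BROADCAST with 30/120 timers); the R3_P2P_OUTPUT variant is constructed, a hypothetical point-to-point subinterface on R3, to show what the mismatch the reply describes looks like.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class OspfIface:
    """One interface block from 'show ip ospf interface'."""
    router: str
    name: str
    address: str   # e.g. "150.50.100.1/27"
    net_type: str  # e.g. "NON_BROADCAST" or "POINT_TO_POINT"
    hello: int
    dead: int


# Only the lines the check depends on are matched; the rest are skipped.
IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
ADDR_RE = re.compile(r"Internet Address (\S+), Area")
TYPE_RE = re.compile(r"Network Type (\S+),")
TIMER_RE = re.compile(r"Hello (\d+), Dead (\d+)")


def parse_ospf_interfaces(router: str, output: str) -> list:
    """Split one router's 'show ip ospf interface' output into records."""
    ifaces, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := IFACE_RE.match(line)):
            cur = OspfIface(router, m.group(1), "", "", 0, 0)
            ifaces.append(cur)
        elif cur is None:
            continue  # text before the first interface header
        elif (m := ADDR_RE.search(line)):
            cur.address = m.group(1)
        elif (m := TYPE_RE.search(line)):
            cur.net_type = m.group(1)
        elif (m := TIMER_RE.search(line)):
            cur.hello, cur.dead = int(m.group(1)), int(m.group(2))
    return [i for i in ifaces if i.address]


def find_segment_mismatches(ifaces: list) -> list:
    """Group interfaces by IP subnet and report settings that OSPF
    neighbours on a segment must agree on but do not."""
    by_net = {}
    for i in ifaces:
        by_net.setdefault(ip_interface(i.address).network, []).append(i)
    problems = []
    for net, members in sorted(by_net.items(), key=lambda kv: str(kv[0])):
        if len(members) < 2:
            continue  # nothing on this subnet to compare against
        who = ", ".join(f"{m.router}:{m.name}={m.net_type}" for m in members)
        if len({m.net_type for m in members}) > 1:
            problems.append(f"{net}: OSPF network type mismatch ({who})")
        timers = {(m.hello, m.dead) for m in members}
        if len(timers) > 1:
            problems.append(f"{net}: hello/dead timer mismatch {sorted(timers)}")
    return problems


# Output quoted from the thread (R2 Serial1/0.2 and R3 Serial2/0), trimmed
# to the lines the parser reads.
R2_OUTPUT = """\
Serial1/0.2 is up, line protocol is up
  Internet Address 150.50.100.1/27, Area 0
  Process ID 1, Router ID 2.2.2.2, Network Type NON_BROADCAST, Cost: 48
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
"""
R3_OUTPUT = """\
Serial2/0 is up, line protocol is up
  Internet Address 150.50.100.3/27, Area 0
  Process ID 1, Router ID 3.3.3.3, Network Type NON_BROADCAST, Cost: 48
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
"""
# Constructed, not from the thread: R3's interface as it would show if it
# were a point-to-point subinterface, the mismatch the reply describes.
R3_P2P_OUTPUT = """\
Serial2/0.1 is up, line protocol is up
  Internet Address 150.50.100.3/27, Area 0
  Process ID 1, Router ID 3.3.3.3, Network Type POINT_TO_POINT, Cost: 48
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""


def check_thread_outputs() -> list:
    """The two NBMA interfaces posted in the thread: expected to agree."""
    ifaces = parse_ospf_interfaces("R2", R2_OUTPUT) + parse_ospf_interfaces("R3", R3_OUTPUT)
    return find_segment_mismatches(ifaces)


def check_constructed_mismatch() -> list:
    """Same R2 against the constructed point-to-point R3: two findings."""
    ifaces = parse_ospf_interfaces("R2", R2_OUTPUT) + parse_ospf_interfaces("R3", R3_P2P_OUTPUT)
    return find_segment_mismatches(ifaces)


if __name__ == "__main__":
    print("thread:", check_thread_outputs() or "no mismatch")
    print("constructed:", check_constructed_mismatch())
```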

NDA Violation or NOT [7:64179]

2003-03-01 Thread Nicky Lane Nicky Lane
hi everyone, i have a question about NDA that i am not sure about, hope
someone can answer me.
I was offered a job at a small training company to write a ccie lab guide but
due to the NDA agreement i signed in the ccie lab a few months back, my
question is if i write about Cat3550, routing protocol stuff (NOT the same
question, diagram, score, time ... like in the real lab) will i BREAK any
NDA then. for instance the lab had 2 CAT3550 and every one knew about it,
but if i write about a question like create vlan xx and connecting 2 cats
together, will it fall under NDA violation if i write "NEXT TASK IS TO USE
CONSOLE PORT TO CONNECT the switch, allow only VLAN xx to pass, and create
some thing to put port in :-) "
or i can write TRUNKING on port xx ... and create vlan xx.
and about protocols, ospf, eigrp, rip, bgp.
Or is it free to write anything, but the question must not look like the
lab but still contain the same routing/switching protocols like in the lab?
Like Mr Karl Solie's books; he is also a ccie and his books have lots of stuff
very close to the real lab according to amazon feedback. how come cisco
didn't NDA him yet, or can ciscopress publish those NDA stuff any time they
want? is there a time limit for NDA after the lab?
many thanks


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64179&t=64179


FCS Errors between 2 5500's [7:64180]

2003-03-01 Thread Chuck Church
Elijah,

What kind of GBICs are you using?  If they're LX and MM fiber, are you
using mode-conditioning cables?

Chuck Church
CCIE #8776, MCNE, MCSE

>
From: Elijah Savage [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 8:27 AM
To: [EMAIL PROTECTED]
Subject: FCS Errors between 2 5500's [7:64072]


All,



Last night I had to shut down a gig fiber trunk between 2 5500's to run
on a 100M trunk we set up as a backup. The FCS errors are only showing up
on one side. The fiber between the 2 cats was replaced but the errors
are still showing up. Which side would you all say you would replace the
fiber daughter card on, the one with the errors or the side without the
errors?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64180&t=64180


Re: Question concerning a new 2501 router in home lab [7:64170]

2003-03-01 Thread Marc Thach Xuan Ky
When you run your hand across the keyboard, do you touch it or is this a
psychic thing :-)
I'd check the parity on your terminal.  It may be setting the wrong
parity for the router but ignoring incorrect received parity.
Marc

Jim wrote:
> 
> I recently acquired a used 2501 router for my home lab that is booting with
> no problem. There is no configuration so it asks if you want to auto
> config. I try to enter an N at this point and get nothing; it seems as if the
> keystroke is not seen by the router. If I just run my hand across the
> keyboard the router responds with enter a yes or no to continue. Any
> suggestions to assist are greatly appreciated.
> 
> Jim Valentine




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64181&t=64170


Re: NDA Violation or NOT [7:64179]

2003-03-01 Thread The Long and Winding Road
forgive the format. my Outlook Express client is severely misbehaving,
crashing randomly when I try to do in-line posting.

>i have a question about NDA that i am not sure about ,hope
> someone can answer me

Cisco is the ultimate arbiter. you can contact them directly at
[EMAIL PROTECTED]  I have found that they will respond if you are specific.

be aware that I have asked about potential NDA violation of specific
training materials and received conflicting answers.

>if i write about Cat3550 ,routing protocol stuff (NOT same
> question,diagram ,score ,time ... like in the real lab ) will i BREAK any
> NDA

While having been through the Lab demands that you be a little more careful,
the fact is that the equipment in the Lab and the equipment in the real
world all works the same way and has similar capability. There is only so
much that can be said.

If you were to say "here is what I saw in the CCIE Lab when I was there" and
provided information, that would be NDA. On the other hand, if you were to
start by identifying core topics, core skill sets, and go from there, you
are probably OK.

Is Caslow a violation of NDA? NLI? IPXpert? Etc?

Or maybe to put it another way, is it any real secret as to what the core
topics are?

>the lab had 2 CAT3550 and every one knew about it
> ,but if i write about a question like create vlan xx and connecting 2 cats
> together , will it fall under NDA violation if i write "NEXT TASK IS TO USE
> CONSOLE PORT TO CONNECT the switch , allow only VLAN xx to pass,and create
> some thing to put port in :-) "

better way to put this might be to consider skill sets necessary to proclaim
"expertise" and write around emphasizing those skill sets.

So, for multiple switches in any environment, let alone the CCIE Lab, what
are the expert level things one should know? for example, trunking? VTP?
etherchannel? fallback bridging? vlan failover? various spanning tree
functions? vlan tunnels? etc?

>Like Mr Karl Solie books ,he also a ccie and his books got lots of stuff
> very close to the real lab according to amanzon feedback, how come cisco
> didnt NDA him yet ,or ciscopress can publish those NDA stuff any time they
> want ?,is it a time limit for NDA after the lab ?

I got a better one for you. Cisco publishes the ASET labs for Cisco
employees and partners to use for  CCIE preparation. Forget NDA. Is this
fair? that working for a partner I can see practice materials written by
Cisco that someone else who does not have that advantage cannot? that I can
attend Cisco sponsored training that others may not?

>Or is it freely to write any thing but the question must not look like the
> lab but still contains same routing,switching protocol like in the lab .
>

I think you're OK if you stay clear of any implication that you are
revealing what you saw in the Lab. When I wrote my white paper, available on
Cert Zone, I had not yet seen the new Lab. Now that I've been through the
new Lab, I make very sure that I do not make statements about whether or not
the paper is close to what I saw in the lab. What I do say is that the
topics covered are part of an expert skill set that I believe are required,
especially now that I am doing a lot more big campus switching projects for
customers. as such, the knowledge cannot hurt when one prepares for the Lab.


note - the message below was cut in order for me to respond without my news
client crashing.

""Nicky Lane Nicky Lane""  wrote in message
news:[EMAIL PROTECTED]
> hi everyone ,i have a question about NDA that i am not sure about ,hope
> someone can answer me .

snip




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64182&t=64179


RE: Some multicasting... [7:64130]

2003-03-01 Thread Stanfield T
Look up "ip multicast helper-map"...


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64183&t=64130


PIX Console, Telnet password [7:64184]

2003-03-01 Thread Bill
For Pix's, I know that 'enable password __' sets the enable password.

Questions:
1) How do you set the telnet password?
2) How do you set the console password?

I've heard that the command to set both telnet and console passwords is the
same. Please confirm.

thank you
Bill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64184&t=64184


citrix session and VPN [7:64185]

2003-03-01 Thread [EMAIL PROTECTED]
Has anyone ever tunnelled a citrix session within a VPN tunnel?

I know this is redundant as the citrix session is already encrypted, but
this is another story that I do not want to go into.

I am having problems with, I believe, the packet size, but I am wondering
whether anyone can shed some light as to why my client is not able to connect
to the citrix server via the citrix client.

This is a 3rd party connection between my company's internal client and
another company's Citrix server.

thanks






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64185&t=64185


Span Port on 5000 [7:64186]

2003-03-01 Thread Richard Burdette
Ok, I'm trying to capture TCP, specifically Telnet traffic going between two
routers on 2 ports of the bridge.  I have a protocol
analyzer on port 1/2 (I've tried other bridge ports as well). The routers
come in on 1/2 and 2/3.

To start I enter the command 'set span 2/3 1/2 both' on the 5000 bridge.  I
do a 'show span' to check that the configuration took, all looks good.

I fire up the analyzer on 1/2 and successfully initiate telnet from one
router to the other.  My problem is that I see no TCP traffic at all, plenty
of CDP, OSPF and STP traffic but no TCP.  When I telnet from my box to the
router I see plenty of the Telnet traffic.  Why am I not able to see the
traffic via the span command?  Thanks.

Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64186&t=64186


Configuring CIR on a cisco 2522 FR switch [7:64187]

2003-03-01 Thread John Tafasi
Hi group,

I have a cisco 2522 router that is configured as a frame relay switch. I am
trying to configure CIR on serial 4 so that if the router connected to s4 is
sending more traffic than the configured CIR, packets will be dropped at the
frame relay switch. I configured the CIR on the switch but it seems that the
router connected to s4 can still send traffic at rates exceeding the CIR,
and the FR switch will not drop any packet.


Can someone give some advice here?

Below is the configuration of the frame relay switch.




Frame_Relay_Switch#show run
Building configuration...

Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname Frame_Relay_Switch
!
enable secret 5 $1$dzof$Eb3uuMoHCj2x4/dCZFZ5T.
!
frame-relay switching
!
interface Ethernet0
 no ip address
 shutdown
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial2
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 104 interface Serial4 401
 frame-relay route 105 interface Serial5 501
 frame-relay route 106 interface Serial6 601
!
interface Serial3
 no ip address
 shutdown
!
interface Serial4
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay class para
 frame-relay intf-type dce
 frame-relay route 401 interface Serial2 104
 frame-relay route 405 interface Serial5 504
 frame-relay route 406 interface Serial6 604
!
interface Serial5
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 501 interface Serial2 105
 frame-relay route 504 interface Serial4 405
 frame-relay route 506 interface Serial6 605
!
interface Serial6
 no ip address
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 601 interface Serial2 106
 frame-relay route 604 interface Serial4 406
 frame-relay route 605 interface Serial5 506
!
interface Serial7
 no ip address
 shutdown
!
interface Serial8
 no ip address
 shutdown
!
interface Serial9
 no ip address
 shutdown
!
interface BRI0
 no ip address
 shutdown
!
no ip classless
!
map-class frame-relay parameters
 frame-relay cir 300
!
map-class frame-relay para
 frame-relay traffic-rate 1000
 frame-relay cir 1000
 frame-relay bc 1000
!
line con 0
 exec-timeout 3 0
line aux 0
line vty 0 4
 login
!
end

Frame_Relay_Switch#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64187&t=64187


routername(boot) ??? [7:64188]

2003-03-01 Thread Steven Aiello
I have recently received some routers for a home lab.  When I boot one
it displays the following.

routername(boot)>

what does this "(boot)" mean

and how do I get rid of it?  I've worked on routers before and never
seen this.  Thanks in advance.

Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64188&t=64188


RE: DOES MED TRAVEL IN I-BGP?? [7:63884]

2003-03-01 Thread Orlando, Jr. Palomar
MED is propagated throughout the iBGP peers.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64189&t=63884


Re: routername(boot) ??? [7:64188]

2003-03-01 Thread Edwin R. Gonzalez
You need to set the configuration register to 0x2102.
This enables the router to boot from flash.
This link might be of some help;

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/ffcprt2/fcf010.htm#xtocid3

--
_
The harder you work, the luckier you get!
_
The only place success comes before
work is in the dictionary!!!
_
""Steven Aiello""  wrote in message
news:[EMAIL PROTECTED]
> I have recently received some routers for a home lab.  When I boot one
> it displays the following.
>
> routername(boot)>
>
> what does this "(boot)" mean
>
> and how do I get rid of it?  I've worked on routers before and never
> seen this.  Thanks in advance.
>
> Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64190&t=64188


Re: routername(boot) ??? [7:64188]

2003-03-01 Thread Edwin R. Gonzalez
Sorry about the link.

This site has good info on boot process

http://home.attbi.com/~blaga/index.htm

--
_
The harder you work, the luckier you get!
_
The only place success comes before
work is in the dictionary!!!
_
""Steven Aiello""  wrote in message
news:[EMAIL PROTECTED]
> I have recently received some routers for a home lab.  When I boot one
> it displays the following.
>
> routername(boot)>
>
> what does this "(boot)" mean
>
> and how do I get rid of it?  I've worked on routers before and never
> seen this.  Thanks in advance.
>
> Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64191&t=64188


Re: Question concerning a new 2501 router in home lab [7:64170]

2003-03-01 Thread Jim
Thanks to all that responded. The problem is solved. I found an article that
related to this type of problem in 2502 routers that had an older version
of the boot rom not asserting CTS to allow the terminal emulator to send
information to the console port. By disabling flow control the problem was
resolved. Again thanks to all who responded.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64192&t=64170


atm topics in the lab? [7:64194]

2003-03-01 Thread Cisco Nuts
Hello group, hate to ask this (as this has been asked a million times
before) but I just wanted a confirmation on what I should cover for the atm
portion of the lab? Sincerely, CN







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64194&t=64194


Re: Configuring CIR on a cisco 2522 FR switch [7:64195]

2003-03-01 Thread Larry Letterman
I don't believe it will work on routers that are frame switching in the lab. I
thought I read that it will only work with the real frame relay switches...

Larry Letterman
Network Engineer
Cisco Systems


  - Original Message -
  From: John Tafasi
  To: Cisco Group Study ; ccielab
  Sent: Saturday, March 01, 2003 6:47 PM
  Subject: Configuring CIR on a cisco 2522 FR switch


  Hi group,

  I have a cisco 2522 router that is configured as a frame relay switch. I am
  trying to configure CIR on serial 4 so that if the router connected to s4 is
  sending more traffic than the configured CIR, packets will be dropped at the
  frame relay switch. I configured the CIR on the switch but it seems that the
  router connected to s4 can still send traffic at rates exceeding the CIR,
  and the FR switch will not drop any packet.


  Can someone give some advice here?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64195&t=64195


Re: Span Port on 5000 [7:64186]

2003-03-01 Thread Larry Letterman
you have the analyzer and the router in the same port ?
1/2 according to the below text ?

set span source-port dest-port in/out/both

Larry Letterman
Network Engineer
Cisco Systems


  - Original Message -
  From: Richard Burdette
  To: [EMAIL PROTECTED]
  Sent: Saturday, March 01, 2003 6:48 PM
  Subject: Span Port on 5000 [7:64186]


  Ok, I'm trying to capture TCP, specifically Telnet traffic going between two
  routers on 2 ports of the bridge.  I have a protocol
  analyzer on port 1/2 (I've tried other bridge ports as well). The routers
  come in on 1/2 and 2/3.

  To start I enter the command 'set span 2/3 1/2 both' on the 5000 bridge.  I
  do a 'show span' to check that the configuration took, all looks good.

  I fire up the analyzer on 1/2 and successfully initiate telnet from one
  router to the other.  My problem is that I see no TCP traffic at all, plenty
  of CDP, OSPF and STP traffic but no TCP.  When I telnet from my box to the
  router I see plenty of the Telnet traffic.  Why am I not able to see the
  traffic via the span command?  Thanks.

  Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64196&t=64186