This is even better - RIP / OSPF redistribution [7:66057]
Again, a CCIE practice lab. R5: the task calls for mutual redistribution of OSPF and RIP. The next task says that no routes are to be advertised out the RIP interface, only in. So tell me, why are we even bothering with the OSPF into RIP redistribution? I'm not sure I can fall asleep tonight, I'm laughing so hard. Goodnight.

-- TANSTAAFL: there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66057t=66057 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
More ISDN Practice Labs - You gotta see this one [7:66056]
Another CCIE practice lab. You gotta see this. What's wrong with this picture?

Router 1 (relevant configurations)

interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 0101
 isdn spid2 11120101 1112
 ppp multilink
!
interface Dialer1
 ip address 170.100.12.1 255.255.255.240
 encapsulation ppp
 dialer pool 1
 dialer string
 dialer watch-group 1
 dialer-group 1
 ppp multilink
!
access-list 101 deny ospf any any
access-list 101 permit ip any any
dialer watch-list 1 ip 170.100.124.2 255.255.255.255
dialer-list 1 protocol ip list 101

Router 2 (relevant configurations)

interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 22210101 2221
 isdn spid2 0101
 ppp multilink
!
interface Dialer1
 ip address 170.100.12.2 255.255.255.240
 encapsulation ppp
 dialer pool 1
 dialer string
 dialer-group 1
 ppp multilink
!
interface Serial1.124 multipoint
 backup delay 10 30
 backup interface Dialer1
 ip address 170.100.124.2 255.255.255.0
 ip ospf network point-to-multipoint
 ip ospf priority 100
 frame-relay interface-dlci 203
 frame-relay interface-dlci 204
!
access-list 101 deny ospf any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101

Hint: one side uses a dialer watch for an interface that is on a frame relay link (physical interface); the other side uses a backup interface tracking a frame relay link. So if R1 no longer sees the OSPF route for R2's frame, it tries to dial. So sorry, but since R2 has backup interface in place, which disables the dialer interface, it will not take R1's call. Real well thought out. Wonder how the Proctors would grade this one?

Good night, everyone

-- TANSTAAFL: there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66056t=66056
Setting up dial-in [7:66058]
Greetings gurus,

I have a Cisco 2600 router with an 8 port analog modem card module. I need to set up dial-in on the router. I have searched the CCO site; I think I am using the wrong keywords because I can't seem to find what I am looking for. Does anyone have a link to a doc I can download?

Regards
PK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66058t=66058
RE: Setting up dial-in [7:66058]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66059t=66058
RE: VPN remote access via analog modem?? [7:65991]
To 1): PIX 515 can terminate 1000 tunnels (SW) or 2000 (HW) at max 10 Mbps VPN performance.

To 2): analog is no problem (same as ISDN). The ISP gives you the physical address. If connecting to your VPN site you will be given a tunnel address from your central site. Both physical and tunnel IPs are active.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66061t=65991
IP header [7:66060]
Dear all,

I am reading RFC760 (IP protocol) and have the following questions.

IHL: 4 bits. Internet header length is the length of the internet header in 32 bit words.
Question: what do you mean by the 4 bits and 32 bit words?

Total length: 16 bits. Total length is the length of the IP packet in octets including the internet header and data. This field allows the length of a packet to be up to 65,535 octets.
Question: How do we arrive at the figure 65,535 octets?

Such long packets are impractical for most hosts and networks. All hosts must be prepared to accept datagrams of up to 576 octets.
Question: 576 octets is the same as 576 bytes, and how can it fit into the total length of 16 bits which is 2 bytes?

Thanks
kws

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66060t=66060
IGRP Metric calculation [7:66062]
When calculating the metric of an IGRP route (with non-default 'K' values), which load and reliability values does one use? Do you use the highest, lowest or average value for the entire route? Also, if anyone could point me to a document on the above it would be appreciated. Many thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66062t=66062
Re: IP header [7:66060]
KW S wrote:
I am reading RFC760 (IP protocol) and have the following questions. IHL: 4 bits. Internet header length is the length of the internet header in 32 bit words. Question: what do you mean by the 4 bits and 32 bit words?

The IHL is 4 bits long, and thus can have a maximum value of 2^4-1=15. Which, in turn, means that the IP header could in theory be a maximum of 15 32-bit (=4 byte) units ('words') long, or 60 bytes.

Total length: 16 bits. Total length is the length of the IP packet in octets including the internet header and data. This field allows the length of a packet to be up to 65,535 octets. Question: How do we arrive at the figure 65,535 octets?

2^16-1.

Such long packets are impractical for most hosts and networks.

Think MTU and fragmentation. An *IP packet* can be up to 64KB large, but that does not mean that the underlying network must be able to transmit or receive *frames* that long.

All hosts must be prepared to accept datagrams of up to 576 octets. Question: 576 octets is the same as 576 bytes, and how can it fit into the total length of 16 bits which is 2 bytes?

See above. The length is a *16-bit value*, not 16 bits itself.

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66063t=66060
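The field arithmetic the thread walks through (IHL in 32-bit words, Total Length as a 16-bit value, the 576-octet minimum), worked on an actual byte layout. This is an added example, not code from any of the posts: the 20-byte header, its payload and the checksum value 0xc9d4 are constructed for it, and the length checks are the ones a packet parser has to make before it trusts either field.

```python
"""IPv4 header field arithmetic from the thread (IHL, Total Length, the
576-octet minimum) worked on a real byte layout.  Added example, not from
the original posts; the packet bytes and the 0xc9d4 checksum are constructed."""
import struct

# Constructed sample: version 4, IHL 5 (20-byte header), Total Length 576.
SAMPLE_PACKET = bytes([
    0x45, 0x00, 0x02, 0x40,   # version/IHL, DSCP/ECN, Total Length = 0x0240 = 576
    0x1c, 0x46, 0x40, 0x00,   # Identification, flags (DF) / fragment offset
    0x40, 0x06, 0xc9, 0xd4,   # TTL 64, protocol 6 (TCP), header checksum
    0xc0, 0xa8, 0x00, 0x64,   # source 192.168.0.100
    0xc8, 0xc8, 0xc8, 0xc8,   # destination 200.200.200.200
]) + bytes(556)               # 576 - 20 bytes of (zero) payload


def field_max(bits):
    """Largest unsigned value an n-bit field can hold: 2^n - 1."""
    return (1 << bits) - 1


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words,
    computed with the checksum field itself zeroed."""
    words = bytearray(header)
    words[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(words) // 2), words))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet):
    """Decode the fixed fields, refusing any IHL / Total Length that does not
    fit the bytes actually received (the classic parser over-read bug)."""
    if len(packet) < 20:
        raise ValueError("need at least 20 bytes for a minimal IPv4 header")
    version, ihl_words = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("version field is %d, not 4" % version)
    if ihl_words < 5:
        raise ValueError("IHL %d < 5: header cannot be shorter than 20 bytes" % ihl_words)
    header_len = ihl_words * 4                      # IHL counts 32-bit words
    if header_len > len(packet):
        raise ValueError("IHL claims %d header bytes, only %d present" % (header_len, len(packet)))
    total_length = struct.unpack("!H", packet[2:4])[0]
    if total_length < header_len:
        raise ValueError("Total Length %d smaller than header (%d)" % (total_length, header_len))
    if total_length > len(packet):
        raise ValueError("Total Length %d exceeds %d bytes received" % (total_length, len(packet)))
    header = packet[:header_len]
    return {
        "version": version,
        "ihl_words": ihl_words,
        "header_len": header_len,
        "total_length": total_length,
        "payload_len": total_length - header_len,
        "ttl": packet[8],
        "protocol": packet[9],
        "checksum_ok": struct.unpack("!H", packet[10:12])[0] == ipv4_checksum(header),
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "total_length_bits": format(total_length, "016b"),  # the 16-bit field as written
    }


def is_well_formed(packet):
    """True when the header passes every length check above."""
    try:
        parse_ipv4_header(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("IHL max   : %d words = %d bytes" % (field_max(4), field_max(4) * 4))
    print("Length max: %d octets" % field_max(16))
    for k, v in parse_ipv4_header(SAMPLE_PACKET).items():
        print("%-18s %s" % (k, v))
```

The three rejections in parse_ipv4_header are the practical point: a Total Length larger than the buffer, or an IHL below 5, must be refused rather than used as an index, because both fields are attacker-controlled.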
Re: VLAN as Firewall zones [7:65938]
While I agree that by compromising the switch the intruder can bypass the firewall, I don't feel that it is of significant concern to warrant the purchase of an additional switch to separate the two. The big driver here is that you must secure your switch at L2, and if you do so, I feel that it is perfectly adequate.

In the last Cisco Packet magazine there was an article addressing exactly this issue, and it listed some of the common exploits and how to circumvent them. Obvious ones are: by default all ports are left on auto (with regard to trunks), so a user could jack in, request to form a trunk port and then capture all the VLAN etc. details, and in effect be able to VLAN hop. Enabling port security and restricting the number of ACLs seen on one port is another way to do it. Look at using 802.1X for MAC based port authentication, especially on server VLANs! You can even go as far as private VLANs and ACLs to stipulate which ports and MACs are allowed to speak to each other... very useful when using your switch for a simple connection point (e.g. /30 between firewall and router or something).

http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/about_cisco_packet_feature09186a0080142deb.html

Go and check out the article and make your own mind up.

Andrew Dorsett wrote:
On Fri, 21 Mar 2003, Paulo Roque wrote:
I usually separate firewall zones with different physical LANs in different switches. What do you think of separating firewall zones with VLANs in the same switch/chassis?

Generally a very bad idea! I fully agree with physical separation. Because if it's based on VLANs then they only have to compromise the switch to compromise the entire network. Also because there are new layer 2 techniques that can allow a packet to hop across VLANs. These are the only things that worry me about the FW module for the 6500 chassis. It's based on VLANs. So if I can hop VLANs somewhere then I can bypass the firewall.

Andrew
---
http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate
Learn from the mistakes of others. You won't live long enough to make all of them yourself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66064t=65938
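The L2 hardening the reply above argues for (no DTP auto-trunking, port security, 802.1X on the port) turned into something you can run against a configuration. This is an added example, not from the posts or from the Cisco Packet article: it parses an IOS-style config into interface stanzas and reports the commands that are missing. Both configs are constructed, the command set assumed is Catalyst IOS (switchport mode / nonegotiate / port-security, dot1x port-control), and the native-VLAN check on trunks goes beyond what the reply mentions: a trunk whose native VLAN is still 1 is the usual precondition for double-tagged VLAN hopping.

```python
"""Audit Catalyst switch port configuration for the Layer-2 gaps the reply
above names (DTP auto-trunking, no port security, no 802.1X) plus a trunk
native VLAN left at 1.  Added example, not from the original posts; both
configurations are constructed and the command set is assumed Catalyst IOS."""
import re

WEAK_CONFIG = """\
interface FastEthernet0/1
 description user port, factory defaults
!
interface FastEthernet0/2
 description server
 switchport access vlan 20
!
interface GigabitEthernet0/1
 description uplink to firewall
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
"""

HARDENED_CONFIG = """\
interface FastEthernet0/1
 description user port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 dot1x port-control auto
!
interface FastEthernet0/2
 description server
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 dot1x port-control auto
!
interface GigabitEthernet0/1
 description uplink to firewall
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
"""


def parse_interfaces(config):
    """Return {interface name: [stanza lines]} for every 'interface' block."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_interface(lines):
    """Findings for one port.  Only explicit commands are visible, which is
    the point: a factory-default port has none and inherits DTP dynamic mode."""
    has = lambda pat: any(re.match(pat, l) for l in lines)
    is_trunk, is_access = has(r"switchport mode trunk$"), has(r"switchport mode access$")
    findings = []
    if not is_trunk and not is_access:
        findings.append("no explicit switchport mode: DTP dynamic default, will negotiate a trunk")
    if not is_access and not has(r"switchport nonegotiate$"):
        findings.append("DTP frames still sent: add 'switchport nonegotiate'")
    if not is_trunk:
        if not has(r"switchport port-security"):
            findings.append("port-security absent: MAC flooding / any number of hosts allowed")
        if not has(r"dot1x port-control auto$"):
            findings.append("802.1X not enabled on this port (needs global dot1x/AAA as well)")
    else:
        native = 1                                   # Catalyst default native VLAN
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", l)
            if m:
                native = int(m.group(1))
        if native == 1:
            findings.append("trunk native VLAN is 1: move it to an unused VLAN")
        if not has(r"switchport trunk allowed vlan "):
            findings.append("trunk carries every VLAN: prune the allowed list")
    return findings


def audit_config(config):
    """Map each interface in the config to its list of findings."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, findings in audit_config(cfg).items():
            print("%-9s %-22s %s" % (label, name, "; ".join(findings) or "ok"))
```

The audit deliberately looks only at what is configured per port; it does not know the platform defaults, so a port that shows no findings on the hardened config is clean only because every relevant command is stated explicitly. That is also the right way to write such a config: never rely on a default being safe.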
RE: NAT overload as security [7:66015]
A couple of reasons why it's not enough: imagine you inadvertently run and execute a trojan on your home PC. This will then connect out to the internet and would be valid remote control access. Often these trojans head out to IRC, where people can actually access / manage your computer using various DCC commands. Since the IRC connection is initiated from your PC, all the return traffic will be allowed and executed locally. Just one example. Some others to think about are those special traffic types that have control ports and data ports, e.g. FTP, multimedia apps etc.

dave petit wrote:
That's not enough; download and read the Cisco security executive summary at the link below for good tips on hardening your router.
http://www.nsa.gov/snac/cisco/download.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug S
Sent: Saturday, March 22, 2003 11:35 PM
To: [EMAIL PROTECTED]
Subject: NAT overload as security [7:66015]

On my home network, I rely almost exclusively on NAT overload for security. Even though I know it's not a security measure, I've yet to hear anyone with a good explanation of why it's not enough, at least for a home network. I know there's a bunch of really bright people here, so if anyone would point out the flaws in my reasoning, I'd love to hear it. Below are some excerpts from an email conversation with a friend that explain how I think about it:

---

I mostly rely on NAT overload for security. The only traffic that will be allowed in is traffic for which a translation has been created. Since these translations are only created by outbound traffic, no one from the outside can initiate a connection unless they bypass NAT by using the actual private IP addresses configured on the workstation. To do that, they'd have to have no routers between them and my router (meaning my ATT segment only) as any other router would drop packets for these addresses.

To protect against that, I deny traffic for the IPs configured behind the router:

access-list 151 deny ip any 192.168.0.0 0.0.0.255
access-list 151 permit ip any any

(this whole ACL could just as well be:

access-list 165 permit ip any host (outside int IP address))

access-list 50 permit 192.168.0.0 0.0.0.255
!
interface e0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface e1
 ip address dhcp
 ip nat outside
 ip access-group 151 in
!
ip nat inside source list 50 interface e1 overload

Even though NAT isn't a security feature, I think overload works pretty well for security because no traffic will be allowed in unless an inside host has created a NAT entry by originating the flow. All legitimate flows on a home network are going to be created by CLIENT processes running on the machine, so what do I care if someone tries to connect to that port. What I mean is:

1) I go to surf the web at 200.200.200.200; my workstation uses tcp port 1456 to connect to tcp port 80.
2a) tcp port 1456 is taking in traffic only for the web browser, which is a client application that's only going to display what's sent back to my browser.
2b) as this traffic passes through the router a NAT entry is created:

INSIDE LOCAL           INSIDE GLOBAL          OUTSIDE GLOBAL
192.168.0.100:1456     12.228.99.129:1456     200.200.200.200:80

3) A 'hole' has been created that now allows traffic to my workstation.
4) A really good hacker wants to exploit this hole. To do this, s/he's going to have to do a few tricky things: First, since this translation is only going to allow traffic from 200.200.200.200:80 to be sent to 192.168.0.100:1456, s/he's going to have to figure out how to spoof that address/port pair AND get the return traffic back to his machine (if he wants any return traffic there might be). Second, since it's only my web browser, and not some service that's running on port 1456, the only traffic that could possibly even be interpreted on that port would be HTML. And since that port is maintaining the tcp stream info from the original connection (seq #'s, ack's) s/he's going to have to accurately spoof that too. If all this is successful, I guess there is malicious HTML code that s/he could run, but wouldn't it have been easier for the hacker just to put it up on a website and let me click on it myself?

To me it seems like NAT overload on home computers meets the security idea of making it more difficult than what it's worth for the hacker. There is no way I would ever rely on this on a production network with services available, themselves initiating connections. I'd really like to hear a security expert's views about these ideas, but so far, no one I've talked to has explained to me a way that a hacker could get past NAT overload. The only two ways I can think of are
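The translation table both posters are reasoning about, as a small state machine so the two arguments can be checked against each other. This is an added example, not code from either post: the addresses reuse the ones in the thread, the IRC server, FTP server and attacker addresses are constructed, entries are keyed on the full protocol/inside/outside address-and-port pair (the extended entries the original post describes), and no FTP ALG is modelled. It reproduces the original poster's point (an unsolicited SYN and a spoofed reply from the wrong source are both dropped) and the reply's two points (a trojan's own outbound connection opens a perfectly valid return path, and server-initiated data channels such as active FTP do not work at all without help).

```python
"""NAT overload (PAT) translation table as a state machine.  Added example,
not from the original posts; thread addresses reused, other addresses
constructed, extended (full-tuple) entries assumed, no ALG modelled."""
import dataclasses


@dataclasses.dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    def __init__(self, inside_prefix, outside_ip):
        self.inside_prefix = inside_prefix      # e.g. "192.168.0." (access-list 50's job)
        self.outside_ip = outside_ip            # the single inside-global address on e1
        self.by_inside = {}   # (proto, local, lport, remote, rport) -> global port
        self.by_global = {}   # (proto, gport, remote, rport) -> (local, lport)

    def _alloc_port(self, proto, wanted, remote, rport):
        """Keep the original source port when free (as IOS tries to), else walk forward."""
        port = wanted
        while (proto, port, remote, rport) in self.by_global:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, pkt):
        """Inside -> outside: create or reuse the translation; return the packet as sent out."""
        if not pkt.src.startswith(self.inside_prefix):
            return None                                   # not in the NAT source list
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        gport = self.by_inside.get(key)
        if gport is None:
            gport = self._alloc_port(pkt.proto, pkt.sport, pkt.dst, pkt.dport)
            self.by_inside[key] = gport
            self.by_global[(pkt.proto, gport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return dataclasses.replace(pkt, src=self.outside_ip, sport=gport)

    def inbound(self, pkt):
        """Outside -> inside: forward only on an exact tuple match, otherwise drop (None)."""
        if pkt.dst != self.outside_ip:
            return None
        hit = self.by_global.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if hit is None:
            return None                                   # unsolicited: no translation
        local, lport = hit
        return dataclasses.replace(pkt, dst=local, dport=lport)


def run_scenarios():
    """Each value is True when the router behaved as the thread claims."""
    r = PatRouter("192.168.0.", "12.228.99.129")
    pc, web = "192.168.0.100", "200.200.200.200"
    irc, ftp, attacker = "203.0.113.5", "203.0.113.9", "198.51.100.7"   # constructed
    res = {}
    # 1. Unsolicited inbound SYN to a service port: no translation, dropped.
    res["unsolicited_dropped"] = r.inbound(Packet("tcp", attacker, 40000, r.outside_ip, 445)) is None
    # 2. Browsing creates the entry; the server's reply is forwarded, a third party using
    #    the same global port but the wrong source address is not.
    r.outbound(Packet("tcp", pc, 1456, web, 80))
    res["reply_forwarded"] = r.inbound(Packet("tcp", web, 80, r.outside_ip, 1456)) is not None
    res["spoof_wrong_source_dropped"] = r.inbound(Packet("tcp", attacker, 80, r.outside_ip, 1456)) is None
    # 3. A trojan on the PC dials out to IRC: its control channel is now a 'legitimate' flow.
    r.outbound(Packet("tcp", pc, 1500, irc, 6667))
    res["c2_forwarded"] = r.inbound(Packet("tcp", irc, 6667, r.outside_ip, 1500)) is not None
    # 4. Active-mode FTP: the control channel works, the server-initiated data
    #    connection (from port 20 to a port the client announced) does not without an ALG.
    r.outbound(Packet("tcp", pc, 1600, ftp, 21))
    res["ftp_control_ok"] = r.inbound(Packet("tcp", ftp, 21, r.outside_ip, 1600)) is not None
    res["ftp_data_dropped"] = r.inbound(Packet("tcp", ftp, 20, r.outside_ip, 1601)) is None
    return res


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("%-28s %s" % (name, "as expected" if ok else "UNEXPECTED"))
```

Scenario 3 is the whole argument in one line: the table cannot tell a browser from a trojan, it only records that something inside started the flow. Real PAT implementations differ in how strictly they match the outside address and port on the way back in; this model uses the strict full-tuple match, which is the best case for the original poster's reasoning, and the trojan still gets through.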
Re: Problem with 7206 router [7:66036]
You really ought to send the actual configs. The problem could have something to do with multicast and ATM, but that's just a guess, without seeing configs.

Tom Larus, CCIE #10,014

Hien Le wrote in message news:[EMAIL PROTECTED]

Hi everyone, I have a very unique problem with this particular 7206 which I can't solve for the last 2 weeks!!! I can only ping the local interfaces of this router but it won't communicate with any other routers connected to it!!! The show ip interface atm2/0 output shows that the broadcast address is 255.255.255.255 and determined by setup, while other routers connected to it all state: Address determined by non-volatile memory. Here are the examples of the 2 ATM interfaces' show ip int output, connected via an ATM switch:

r9#sh ip int atm1/0
ATM1/0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory   (THIS ROUTER WOULD WORK)
  MTU is 4470 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Fast switching turbo vector
  IP Normal CEF switching turbo vector
  IP multicast fast switching is enabled
r9#

R3#sh ip int atm2/0
ATM2/0 is up, line protocol is up
  Internet address is 10.1.1.2/24
  Broadcast address is 255.255.255.255
  Address determined by setup command   (THIS ROUTER WILL FAIL)
  MTU is 4470 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.5 224.0.0.6
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Fast switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are None
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
R3#

Any member with experience on this particular problem or any idea will help tremendously, and I thank you all in advance.

Xy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66066t=66036
Re: IGRP Metric calculation [7:66062]
Try the following Cisco link on IGRP metrics:
http://www.cisco.com/en/US/tech/tk826/tk365/technologies_tech_note09186a008009405c.shtml

Tim Champion wrote in message news:[EMAIL PROTECTED]
When calculating the metric of an IGRP route (with non-default 'K' values), which load and reliability values does one use? Do you use the highest, lowest or average value for the entire route? Also, if anyone could point me to a document on the above it would be appreciated. Many thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66067t=66062
Farm Site [7:66068]
Any comments on the following network requirement?

It is a farm site, with channel interfaces, connection to a mainframe (OSA FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial interfaces. There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and 1 Mbps serial links to small sites (31 sites). The idea was to use a 6509 with FlexWAN and ATM interfaces to provide high-speed access for the corporate sites with the highest bandwidth requirements. The 6509 would also provide 215 FastEthernet interfaces to the servers. For the small offices, 7507 routers would be used. The 7507s would also provide interfaces to the channels and to the OSA interfaces of the mainframe.

Corporate Sites --- ATM Cloud --- 6509 with FlexWAN and PA ATM --- 215 FastEthernet interfaces
                                   ||
                                   ||
                                   |--- 7507 --- 15 serial interfaces
                                   |      |_ channel CX-CIP2-ECAP1
                                   |      |_ to OSA FETCH
                                   |
                                   |--- 7507 --- 16 serial interfaces
                                          |_ channel CX-CIP2-ECAP1
                                          |_ to OSA ATM

Redundancy is not a concern. It is a mirror site and will be used during the recovery time of the main farm site.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66068t=66068
Re: IGRP Metric calculation [7:66062]
Take a look at this document. Hope this helps.
Reza

http://www.cisco.com/en/US/tech/tk826/tk365/technologies_tech_note09186a008009405c.shtml#topic1

Tim Champion wrote in message news:[EMAIL PROTECTED]
When calculating the metric of an IGRP route (with non-default 'K' values), which load and reliability values does one use? Do you use the highest, lowest or average value for the entire route? Also, if anyone could point me to a document on the above it would be appreciated. Many thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66069t=66062
Log files [7:66070]
On Cisco routers and switches are there log files? How do I view them?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66070t=66070
RE: CCIE Self-Employment [7:62394]
I recently did some work in Wichita, Kansas. This tech at an insurance company went and bought some gear from his buddy that works at a reseller. When he got the gear he asked his reseller buddy if he knew if anyone could install it for him. The reseller calls up Ingram Micro, from whom he purchased, and asked them if they had anybody. Their reply was that you need a CCIE to do that. Reseller guy calls up WSU, which has a CCIE lab, and speaks to someone there that says they can do it. However, they never called him back. Reseller guy knows my brother and my brother told him that I could do it, but I was not a CCIE.

You're probably wondering what this mysterious work to be done was? They had a 2620 with an FE int and a serial int. They wanted to add a third interface for a DMZ, use the IOS firewall and set up a remote VPN. Of course he didn't have enough flash or memory or the right IOS.

The moral of the story is that I charged him $125 an hour to get him set up. He was more than happy to pay it because they couldn't find anybody in the area that could do it. I live in Kansas City, so it's a 3 hour drive down there. I would think that in the larger cities you're going to have that competition that is going to drive rates down. But in a place like Wichita, you can still demand a decent rate$

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66074t=62394
Re: IP header [7:66060]
KWS,

Question: what do you mean by the 4 bits and 32 bit words?

The IHL is 4 bits in size; this normally has the value of 5 decimal or 0101 binary. Read the terminology "32 bit words" as meaning 32 bit amounts. Therefore if the value in the IHL field is 5 then the size of the IP header is 5 x 32 bit amounts or 160 bits. 160 bits divided by 8 (bits in an octet) yields 20 octets, which is the standard IP header length.

Question: How do we arrive at the figure 65,535 octets?

The total length FIELD is 16 bits wide. The maximum positive integer that can be represented in a 16 bit field is ((2 raised to the power of 16) - 1) or 65536 - 1, i.e. 65535.

Question: 576 octets is the same as 576 bytes, and how can it fit into the total length of 16 bits which is 2 bytes?

You appear to be confused here. The CONTENTS of the 16 bit field is the size of the headers and data that are about to follow. So you have a total length field that has a value within it of, for example, 576 or in binary (00100100). This is the total length of the data and headers that are about to follow the IP datagram.

Regards,
Phil.

--- KW S wrote:
Dear all, I am reading RFC760 (IP protocol) and have the following questions. IHL: 4 bits. Internet header length is the length of the internet header in 32 bit words. Question: what do you mean by the 4 bits and 32 bit words? Total length: 16 bits. Total length is the length of the IP packet in octets including the internet header and data. This field allows the length of a packet to be up to 65,535 octets. Question: How do we arrive at the figure 65,535 octets? Such long packets are impractical for most hosts and networks. All hosts must be prepared to accept datagrams of up to 576 octets. Question: 576 octets is the same as 576 bytes, and how can it fit into the total length of 16 bits which is 2 bytes? Thanks, kws [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66075t=66060
Redistribution question [7:66071]
I have a network with approximately 20 VLANs, running EIGRP as my routing protocol. One of my VLANs, VLAN12, runs RIP for connectivity to another organization. The others do not need to receive RIP updates. So, the solution I came up with is to make the other 19 VLANs passive interfaces so that RIP updates are not sent out interfaces that do not have any RIP routers. I also have 3 VLANs where I only need a static route, so I have added those as passive interfaces for EIGRP too.

My question is: is this the most efficient way to do it? I imagine that in a very large network, adding every single interface as a passive interface would get old rather quickly. Any suggestions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66071t=66071
Help on Catalyst 3550 [7:66072]
Hi all,

I have an IBM router that has 2 ethernet ports. The IBM router connects to a Cisco Catalyst 3550 that is not configured. When the IBM router connects to the switch, one of the ethernet ports from the IBM router gets blocked by the Cisco switch. All you have to know is that I need two ethernet ports from the IBM router active. How to counteract this?

Thank you in advance.

Best Regards,
HATO

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66072t=66072
RE: Log files [7:66070]
The best way to accomplish this is to set up your switches and routers to send all syslog messages to a designated syslog server. Check out this application... http://www.kiwisyslog.com

Chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66077t=66070
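Once the routers and switches forward to a syslog server, the next question is what to do with the stream. This is an added example, not code from the post or from the Kiwi product: it parses IOS syslog messages in the form they arrive over UDP/514 (a <PRI> prefix of facility*8 + severity, IOS's default facility being local7 = 23, then the sequence number, timestamp and the %FACILITY-SEVERITY-MNEMONIC tag) and flags the events an operator would want to act on. The log lines are constructed, and the mnemonics on the watch list are an assumption about what matters on this network, not a fixed rule.

```python
"""Parse Cisco IOS syslog messages as a syslog server receives them and pick
out the ones worth an alert.  Added example, not from the original posts;
the log lines are constructed and the watch list is an assumption."""
import re

# Constructed sample as it would arrive over UDP/514 from a router (local7 facility)
SAMPLE_LOG = """\
<189>12: *Mar 24 10:55:02.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.55)
<187>13: *Mar 24 10:55:40.500: %LINK-3-UPDOWN: Interface Serial1/0, changed state to down
<189>14: *Mar 24 10:55:41.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
<190>15: *Mar 24 10:56:10.200: %SEC-6-IPACCESSLOGP: list 151 denied tcp 203.0.113.5(40000) -> 192.168.0.100(445), 3 packets
<188>16: *Mar 24 10:57:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 23] [Reason: Login Authentication Failed]
this line is not a syslog message
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): (?P<ts>.+?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Mnemonics that deserve attention regardless of their severity number (assumed list)
WATCH = {
    "CONFIG_I": "configuration changed",
    "LOGIN_FAILED": "failed login",
    "IPACCESSLOGP": "ACL denied traffic (logged)",
}


def parse_line(line):
    """Return the decoded fields, or None when the line is not an IOS syslog message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "pri_facility": pri // 8,            # 23 = local7, the IOS default
        "pri_severity": pri % 8,             # should agree with the %...-N-... digit
        "seq": int(m.group("seq")),
        "timestamp": m.group("ts"),
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def alert_reason(msg):
    """Why this message should be surfaced, or None if it is routine."""
    if msg["severity"] <= 3:                 # emergency .. error
        return "severity %d %s" % (msg["severity"], msg["mnemonic"])
    if msg["mnemonic"] in WATCH:
        return WATCH[msg["mnemonic"]]
    return None


def triage(log_text):
    """Run every line through the parser and collect (seq, reason) for the alerts."""
    parsed = unparsed = 0
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        if msg is None:
            unparsed += 1                    # keep a count: garbage can also be an injection attempt
            continue
        parsed += 1
        reason = alert_reason(msg)
        if reason:
            alerts.append((msg["seq"], reason))
    return {"parsed": parsed, "unparsed": unparsed, "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("parsed %d, unparsed %d" % (result["parsed"], result["unparsed"]))
    for seq, reason in result["alerts"]:
        print("seq %d: %s" % (seq, reason))
```

Two caveats belong with this: plain UDP syslog carries no authentication, so the source address of a message proves nothing and anyone on the path can inject lines (hence the unparsed counter rather than silently skipping them), and the sequence number gap between consecutive messages from one device is the cheapest way to notice that something was lost or dropped on the way to the server.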
RE: More ISDN Practice Labs - You gotta see this one [7:66056]
Chuck,

Where did you get this solution lab from?

Regards.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66076t=66056
any other listserver for discussing Cisco related issue [7:66081]
Hi Listers:

Are there any other listservers for Cisco related issues?

Thanks
YC

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66081t=66081
RE: IGRP Metric calculation [7:66062]
Tim Champion wrote:

When calculating the metric of an IGRP route (with non-default 'K' values) which load and reliability values does one use? Do you use the highest, lowest or average value for the entire route?

When calculating the composite metric, IGRP and EIGRP use the heaviest load on any segment in the route. The concern is any bottlenecks. You wouldn't want a router to select a path that on average has a reasonable load, but also has one link that is overloaded. This could happen if you used an average. And you definitely wouldn't want it to choose a path with the highest load. So they use the lowest load of any segment, which they pass to each other in Update packets. As you probably know, load isn't used at all unless you configure the metric weights command.

Reliability is similar. It's the worst reliability of any segment in the path. You wouldn't want a router to select a path that on average had good reliability, but also had a link in the middle somewhere that was dropping packets like crazy. As you probably know, by default reliability is not used unless you use the metric weights command.

IGRP and EIGRP also use the lowest-bandwidth segment on the route to a network. The concern, again, is any bottlenecks. You wouldn't want a router to select a path that had some high-bandwidth links if there was still a dial-up modem connection somewhere in the path. Each router reports the bandwidth (which is configurable at router interfaces) in Update packets. The lowest is selected and passed on.

Delay, on the other hand, is a sum of all the delays for outgoing interfaces in the path to the network.

Did you already find this paper on IGRP by Rutgers: http://www.cisco.com/warp/public/103/5.html
It doesn't have all the details, but is still a good read.

Priscilla

Also if anyone could point me to a document on the above it would be appreciated. Many thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66082t=66062
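The per-segment rules in Priscilla's reply carried through in code, as an added example that is not part of the original thread. It collapses a list of constructed path segments the way the reply describes (bottleneck bandwidth, summed delay, heaviest load, worst reliability) and then plugs the path values into Cisco's documented IGRP composite-metric formula, which the reply does not spell out: bandwidth is scaled as 10^7 divided by the kbps value, delay is counted in tens of microseconds, and the reliability factor only applies when K5 is non-zero. The function and class names and the sample links (two T1 hops, a 56 kbps dial-up hop, a half-loaded T1) are all assumptions made for the demo.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Segment:
    """One hop on the path, as the routers along it would report it."""
    bandwidth_kbps: int   # interface 'bandwidth' (kbps)
    delay_usec: int       # interface 'delay' (microseconds)
    load: int             # 1..255, 255 = saturated
    reliability: int      # 1..255, 255 = no errors seen


def path_attributes(segments: Iterable[Segment]) -> Dict[str, int]:
    """Collapse per-segment values into what the route carries:
    minimum bandwidth, summed delay, heaviest load, worst reliability."""
    segs = list(segments)
    if not segs:
        raise ValueError("a path needs at least one segment")
    return {
        "bandwidth_kbps": min(s.bandwidth_kbps for s in segs),
        "delay_usec": sum(s.delay_usec for s in segs),
        "load": max(s.load for s in segs),            # heaviest load wins
        "reliability": min(s.reliability for s in segs),  # worst link wins
    }


def igrp_metric(segments: Iterable[Segment],
                k1: int = 1, k2: int = 0, k3: int = 1,
                k4: int = 0, k5: int = 0) -> int:
    """IGRP composite metric (Cisco's documented formula):
    metric = [K1*BW + (K2*BW)/(256-load) + K3*delay] * [K5/(reliability+K4)]
    BW = 10^7 / min bandwidth (kbps); delay is in tens of microseconds;
    the reliability factor is applied only when K5 != 0."""
    a = path_attributes(segments)
    bw = 10_000_000 // a["bandwidth_kbps"]
    delay = a["delay_usec"] // 10
    metric = k1 * bw + (k2 * bw) // (256 - a["load"]) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (a["reliability"] + k4)
    return metric


# Constructed sample links (assumed values, not from the post)
T1 = Segment(bandwidth_kbps=1544, delay_usec=20000, load=1, reliability=255)
DIALUP = Segment(bandwidth_kbps=56, delay_usec=20000, load=1, reliability=255)
BUSY_T1 = Segment(bandwidth_kbps=1544, delay_usec=20000, load=128, reliability=255)

ALL_T1 = [T1, T1]                  # clean path
WITH_BOTTLENECK = [T1, DIALUP]     # one slow hop dominates the bandwidth term
ONE_BUSY_LINK = [T1, BUSY_T1]      # one loaded hop dominates the load term

if __name__ == "__main__":
    for name, path in [("two T1 hops", ALL_T1), ("T1 then 56k", WITH_BOTTLENECK)]:
        print(f"{name}: {path_attributes(path)} -> metric {igrp_metric(path)}")
    print("one busy link with K2=1:", igrp_metric(ONE_BUSY_LINK, k2=1))
```

With the default K values (K1=K3=1) a single T1 hop yields the familiar metric of 8476; adding a second T1 hop only adds delay, while replacing it with a 56 kbps hop makes the bandwidth term dominate, which is the bottleneck effect the reply describes. The load term is visible only once K2 is set, matching the note that load is ignored unless metric weights are configured.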
RE: Help on Catalyst 3550 [7:66072]
Juli,

Make sure you don't have bridging turned up on the IBM; spanning tree may be shutting down one of the ports.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juli Hato
Sent: Monday, March 24, 2003 10:57 AM
To: [EMAIL PROTECTED]
Subject: Help on Catalyst 3550 [7:66072]

Hi all,

I have an IBM router that has 2 ethernet ports. The IBM router connects to a Cisco Catalyst 3550 that is not configured. When the IBM router connects to the switch, one of the ethernet ports from the IBM router gets blocked by the Cisco switch. All you have to know is that I need the two ethernet ports from the IBM router active. How to counteract this?

Thank you in advance.

Best Regards,
HATO

Add photos to your e-mail with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66079t=66072
Re: Help on Catalyst 3550 [7:66072]
Sounds like the router you have is a switch running spanning tree... if that's the case, then turn off spanning tree on the IBM device. Is that device a BladeCenter server?

Larry Letterman
Network Engineer
Cisco Systems

----- Original Message -----
From: Juli Hato
To: [EMAIL PROTECTED]
Sent: Monday, March 24, 2003 7:56 AM
Subject: Help on Catalyst 3550 [7:66072]

Hi all,

I have an IBM router that has 2 ethernet ports. The IBM router connects to a Cisco Catalyst 3550 that is not configured. When the IBM router connects to the switch, one of the ethernet ports from the IBM router gets blocked by the Cisco switch. All you have to know is that I need the two ethernet ports from the IBM router active. How to counteract this?

Thank you in advance.

Best Regards,
HATO

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66078t=66072
1720 crashing every week [7:66080]
Hi Folks,

I've got two 1720s connected with two BRIs. I am running PPP Multilink on them; it is a basic ISDN setup with PPP Multilink. Also, I have set up a very high idle-timer on the dialer interface just to keep them up indefinitely, but the routers crash every week and I have to manually reset them, and then they work fine for a week. Any help will be highly appreciated.

Thanks,
neil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66080t=66080
Re: Is 'troubleshooting campus networks' enough for C [7:66083]
Hello,

I was looking at purchasing this book and want to make sure that I have the correct one. ISBN = 0471428094. If not, can someone give me the correct one?

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]

Newell Ryan D SrA 18 CS/SCBT wrote:

I have read a part of this book. It seems to line up with the CIT. Will this be enough reading material to pass the CIT?

Did you retransmit the message or did Group Study send it again by mistake?

Unfortunately, due to no marketing by the publisher, not very many people know that the Troubleshooting Campus Networks book exists and that it's a great tool for studying for the Support (CIT) test. So you may not get an answer from anyone but me, the main author. :-)

It makes me sad to see you post the question and not get an answer, because it's evidence of the poor sales. Joseph Bardwell and I went to a huge amount of effort to produce high-quality, targeted content. The result is a terrific book. It doesn't matter that it's terrific. With no marketing, it might as well not exist. Also the title is not quite right. It covers more than campus networks, including tons of info on routing protocols and a chapter on WAN troubleshooting. The Amazon description that the publisher wrote is laughable, but sad. :-( So, it has a lot going against it despite its great content.

Anyway, Troubleshooting Campus Networks should be enough to pass the Support Test. That was one of my main goals for writing the book. I was one of the developers of the CIT course and have a good feel for what's in it. I was the developer for version 3.0, but a reviewer for the more recent versions. I have taken the Support test a couple of times to get a good feel for what's on it.

Troubleshooting Campus Networks covers more than you will need for the test. To make your studying more efficient, be sure to spend time with the tables that describe the Cisco show and debug commands. The Support exam has a big focus on those. Also study the output from these commands and the descriptions of what they mean.

If your goal is just to pass the test, don't spend a lot of time on the wireless chapter. The current test doesn't have any wireless questions. Don't spend a lot of time with the protocol analyzer output. Although I think a troubleshooter should have to know that level of detail, Cisco does not. :-) To pass the Support exam, about all you have to know about TCP is that there's a 3-way handshake. A lot of Cisco people think that's the only relevant thing to know about TCP.

In Chapter 2, I wrote a lot about troubleshooting methods. Cisco, of course, expects you just to know their method, which I did cover. :-)

I didn't spend much time on Cisco troubleshooting tools. That's one thing you may want to get from the official Cisco book or read up on these topics on CCO (if you can still find them; the test is outdated). Gain some familiarity with what the following tools do for a troubleshooter:

  CiscoWorks
  CWSI
  Netsys
  TrafficDirector
  VLANDirector
  WAN Manager
  StackDecoder
  Core Dump
  CCO MarketPlace
  CCO Software Center
  CCO Bug Toolkit
  CCO Troubleshooting Engine
  CCO Open Forum

The only other topic that my book doesn't cover in much detail that you may see on the test is the internal architecture of the Catalyst 5000 and troubleshooting with the LEDs on the 5000.

The test is not very hard, by the way, not nearly as hard as BSCI, from what I hear.

Good luck with it!

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66083t=66083
Re: This is even better - RIP / OSPF redistribution [7:66057]
Hmm, don't know the whole story, but once you redistribute OSPF into RIP and you mess up filtering on the interface, wouldn't that allow you to see the redistributed routes on the router connecting to that interface? It's just another way to see whether what you implemented actually does work...

The Long and Winding Road wrote in message news:[EMAIL PROTECTED]

Again, a CCIE practice lab - R5 - the task calls for mutual redistribution of OSPF and RIP. The next task says that no routes are to be advertised out the RIP interface - only in. So tell me, why are we even bothering with the OSPF into RIP redistribution?

I'm not sure I can fall asleep tonight, I'm laughing so hard.

Goodnight.

--
TANSTAAFL
there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66084t=66057
RE: Redistribution question [7:66071]
Try

  passive-interface default
  no passive-interface s0 (or whatever)

Works for EIGRP. Not sure about RIP.

-----Original Message-----
From: Robert Edmonds [mailto:[EMAIL PROTECTED]
Sent: Monday, March 24, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: Redistribution question [7:66071]

I have a network with approximately 20 VLANs, running EIGRP as my routing protocol. One of my VLANs, VLAN12, runs RIP for connectivity to another organization. The others do not need to receive RIP updates. So, the solution I came up with is to make the other 19 VLANs passive interfaces so that RIP updates are not sent out interfaces that do not have any RIP routers. I also have 3 VLANs where I only need a static route, so I have added those as passive interfaces for EIGRP too.

My question is: is this the most efficient way to do it? I imagine that in a very large network, adding every single interface as a passive interface would get old rather quickly. Any suggestions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66085t=66071
Farm Site [7:66090]
This is a network requirement: it is a Farm Site, with Channel interfaces, connection to a Mainframe (OSA FETCH and OSA ATM), 215 other servers (Windows 2000 and Unix) and 31 serial interfaces. There will be one 10 Mbps ATM PVC to each big site (5 PVCs total) and 1 Mbps serial links to small sites (31 sites).

The idea was using a 6509 with FlexWan and ATM interfaces to provide high-speed access to the corporate sites with the highest speed requirements. The 6509 would also provide 215 FastEthernet interfaces to the servers. For the small offices, 7507 routers would be used. The 7507s would also provide interfaces to the Channels and to the OSA interfaces of a Mainframe.

  Corporate Sites ATM Cloud -- 6509 with FlexWan and PA ATM --- 215 FastEthernet interfaces
      |
      |-- 7507 --- 15 serial interfaces
      |     |_ channel CX-CIP2-ECAP1
      |     |_ to OSA FETCH
      |
      |-- 7507 --- 16 serial interfaces
            |_ channel CX-CIP2-ECAP1
            |_ to OSA ATM

Redundancy is not a concern. It is a mirror site and will be used during the recovery time of the main Farm site.

Any thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66090t=66090
type 4 LSA updates OSPF question [7:66089]
Hi everyone,

Can someone tell me whether only the ABR will ORIGINATE type 4 LSAs in OSPF, or both the ABR and the ASBR do?

Thanks
Xy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66089t=66089
Multilink PPP [7:66087]
Anyone have a sample config for Multilink PPP with 2 serial ports (WIC-1T)?

Thanks.
Josh Vince

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66087t=66087
Re: 2501 and 2503 Lab [7:65942]
You can accomplish many of the things you're looking for; the trick is to have the correct IOS image. If your routers only have a basic IP image you might not be able to do some of these functions. The other thing to consider is the amount of memory you have: to implement everything using version 12, you'll basically need 16MB of flash and 8-16MB of DRAM.

scott

Pete Nugent wrote in message news:[EMAIL PROTECTED]

Just got a small lab for home: 2 x 2501 and a 2503. Here's what I really need to know. As the MCNS is for router security mainly, will this be OK? Will these run BGP, OSPF, ISIS, IPSec/DES/3DES? Basically, what are the limitations? They all have V12 IOS. Seems like an easy question, but I don't want to start trying something I can't do.

Also, if I want to look at the CSSP at a later date, are 2 PIX 501s enough?

Any advice on additions to my lab will be appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66086t=65942
Re: PDM Question [7:65954]
I agree, there are a few aspects missing from PDM, such as the mentioned VPN/cryptology, but I find that it helps when you need to configure a basic firewall quickly. I find that I'll put the basic interface commands in via the CLI and then I'll set up NAT through the PDM interface.

scott

Steve Wilson wrote in message news:[EMAIL PROTECTED]

The PDM is a useful tool for a graphical view of the configuration. If you are using your PIX to terminate VPN clients or tunnels you may still need to use the command line to administer and configure them. This might be improved in the next release of the Operating System. Personally I agree that the CLI is still the best way to program the beast.

Best of luck
Steve

-----Original Message-----
From: Hartnell, George
To: [EMAIL PROTECTED]
Sent: 21/03/2003 20:34
Subject: PDM Question [7:65954]

Hi there,

I've got a 515UR failover I jus' upgraded from 5.3(1) to 6.1(4). I'd like to pop PDM on that system(s) and try that interface out. I'm a command line kind of guy, so am comfortable with CLI, but I've heard that PDM is a worthy utility. Any words of wisdom on PDM installation?

Best,
G.

Nations have recently been led to borrow billions for war; no nation has ever borrowed largely for education... no nation is rich enough to pay for both war and civilization. We must make our choice; we cannot have both. -- Abraham Flexner

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66088t=65954
Re: 1720 crashing every week [7:66080]
Do you have a sh ver, sh stack and a sh logg??

Dave

neil K. wrote:

Hi Folks,

I've got two 1720s connected with two BRIs. I am running PPP Multilink on them; it is a basic ISDN setup with PPP Multilink. Also, I have set up a very high idle-timer on the dialer interface just to keep them up indefinitely, but the routers crash every week and I have to manually reset them, and then they work fine for a week. Any help will be highly appreciated.

Thanks,
neil

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

I would rather have a German division in front of me than a French one behind me. --- General George S. Patton

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66092t=66080
Re: Is 'troubleshooting campus networks' enough for C [7:66091]
If you are looking for Priscilla's book, the ISBN is 0471210137.

HTH
Reza

Mike Reilly wrote in message news:[EMAIL PROTECTED]

Hello,

I was looking at purchasing this book and want to make sure that I have the correct one. ISBN = 0471428094. If not, can someone give me the correct one?

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]

Newell Ryan D SrA 18 CS/SCBT wrote:

I have read a part of this book. It seems to line up with the CIT. Will this be enough reading material to pass the CIT?

Did you retransmit the message or did Group Study send it again by mistake?

Unfortunately, due to no marketing by the publisher, not very many people know that the Troubleshooting Campus Networks book exists and that it's a great tool for studying for the Support (CIT) test. So you may not get an answer from anyone but me, the main author. :-)

It makes me sad to see you post the question and not get an answer, because it's evidence of the poor sales. Joseph Bardwell and I went to a huge amount of effort to produce high-quality, targeted content. The result is a terrific book. It doesn't matter that it's terrific. With no marketing, it might as well not exist. Also the title is not quite right. It covers more than campus networks, including tons of info on routing protocols and a chapter on WAN troubleshooting. The Amazon description that the publisher wrote is laughable, but sad. :-( So, it has a lot going against it despite its great content.

Anyway, Troubleshooting Campus Networks should be enough to pass the Support Test. That was one of my main goals for writing the book. I was one of the developers of the CIT course and have a good feel for what's in it. I was the developer for version 3.0, but a reviewer for the more recent versions. I have taken the Support test a couple of times to get a good feel for what's on it.

Troubleshooting Campus Networks covers more than you will need for the test. To make your studying more efficient, be sure to spend time with the tables that describe the Cisco show and debug commands. The Support exam has a big focus on those. Also study the output from these commands and the descriptions of what they mean.

If your goal is just to pass the test, don't spend a lot of time on the wireless chapter. The current test doesn't have any wireless questions. Don't spend a lot of time with the protocol analyzer output. Although I think a troubleshooter should have to know that level of detail, Cisco does not. :-) To pass the Support exam, about all you have to know about TCP is that there's a 3-way handshake. A lot of Cisco people think that's the only relevant thing to know about TCP.

In Chapter 2, I wrote a lot about troubleshooting methods. Cisco, of course, expects you just to know their method, which I did cover. :-)

I didn't spend much time on Cisco troubleshooting tools. That's one thing you may want to get from the official Cisco book or read up on these topics on CCO (if you can still find them; the test is outdated). Gain some familiarity with what the following tools do for a troubleshooter:

  CiscoWorks
  CWSI
  Netsys
  TrafficDirector
  VLANDirector
  WAN Manager
  StackDecoder
  Core Dump
  CCO MarketPlace
  CCO Software Center
  CCO Bug Toolkit
  CCO Troubleshooting Engine
  CCO Open Forum

The only other topic that my book doesn't cover in much detail that you may see on the test is the internal architecture of the Catalyst 5000 and troubleshooting with the LEDs on the 5000.

The test is not very hard, by the way, not nearly as hard as BSCI, from what I hear.

Good luck with it!

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66091t=66091
OSPF Hellos on ATM interface Disappear [7:66096]
Troubles with OSPF routing over an ATM interface. After about 15 - 20 minutes the hellos from one of my routers disappear (with attendant chaos). Tried swapping boards, same problem.

I have three routers (7000 - 11.2.15, 2 RSP7000s - 12.2.x) running classical IP through a Madge Collage 750 ATM switch. The 7000 and the hub RSP7000 work fine. The second RSP7000 works fine immediately after a shut/no shut on the interface, but after 15 minutes I no longer see hello messages from it at the hub router. I still see hello messages from the hub RSP7000 router at the affected one. It's hard to tell for sure but it appears that the SVC is reset at about the same time - may be incidental. ILMI works fine.

This is a pretty plain configuration - I'm using ospf priority and ospf broadcast on the ATM sub-interface. Another thing that puzzles me is the fact that the highest OSPF priority does not seem to set the DR. Rather it still seems to follow the highest loopback address. Reading books like Doyle led me to believe it would follow the highest priority. Seems pretty brutal to have to reboot an entire network to get the ATM DR in the correct location.

Thoughts???

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66096t=66096
RE: type 4 LSA updates OSPF question [7:66089]
The LSA type 1 is originated by the ASBR, and the ABR will change the LSA type 1 to an LSA type 4 in area 0.

Catherine

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Xy Hien Le
Sent: Monday, March 24, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: type 4 LSA updates OSPF question [7:66089]

Hi everyone,

Can someone tell me whether only the ABR will ORIGINATE type 4 LSAs in OSPF, or both the ABR and the ASBR do?

Thanks
Xy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66093t=66089
Re: type 4 LSA updates OSPF question [7:66089]
At 08:25 PM 3/24/2003 +, Xy Hien Le wrote:

Hi everyone,

Can someone tell me whether only the ABR will ORIGINATE type 4 LSAs in OSPF, or both the ABR and the ASBR do?

Only ABRs originate type 4 summaries.

Pete

Thanks
Xy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66094t=66089
Re: NAT overload as security [7:66015]
I work with a lot of different vendors' firewalls and IMO PAT is a security feature (to a degree). Like many other security features it's not perfect by itself, but when combined with other features it creates a full firewall. Technically PAT alone would be an aspect of stateful inspection/translation, which is a first-generation firewall. As you already stated though, you have no idea what's in the incoming packets above layer 4, so that's the risk. Of course if you had a static translation or regular NAT, that's a whole different story.

scott

Doug S wrote in message news:[EMAIL PROTECTED]

On my home network, I rely almost exclusively on NAT overload for security. Even though I know it's not a security measure, I've yet to hear anyone with a good explanation of why it's not enough, at least for a home network. I know there's a bunch of really bright people here, so if anyone would point out the flaws in my reasoning, I'd love to hear it. Below are some excerpts from an email conversation with a friend that explain how I think about it:

---

I mostly rely on NAT overload for security. The only traffic that will be allowed in is traffic for which a translation has been created. Since these translations are only created by outbound traffic, no one from the outside can initiate a connection unless they bypass NAT by using the actual private IP addresses configured on the workstation. To do that, they'd have to have no routers between them and my router (meaning my ATT segment only) as any other router would drop packets for these addresses. To protect against that, I deny traffic for the IPs configured behind the router.

  access-list 151 deny ip any 192.168.0.0 0.0.0.255
  access-list 151 permit ip any any
  (this whole ACL could just as well be: access-list 165 permit ip any host <outside int IP address>)
  access-list 50 permit 192.168.0.0 0.0.0.255
  !
  interface Ethernet0
   ip address 192.168.0.1 255.255.255.0
   ip nat inside
  !
  interface Ethernet1
   ip address dhcp
   ip nat outside
   ip access-group 151 in
  !
  ip nat inside source list 50 interface Ethernet1 overload

Even though NAT isn't a security feature, I think overload works pretty well for security because no traffic will be allowed in unless an inside host has created a NAT entry by originating the flow. All legitimate flows on a home network are going to be created by CLIENT processes running on the machine, so what do I care if someone tries to connect to that port. What I mean is:

1) I go to surf the web at 200.200.200.200; my workstation uses tcp port 1456 to connect to tcp port 80.

2a) tcp port 1456 is taking in traffic only for the web browser, which is a client application that's only going to display what's sent back to my browser.

2b) As this traffic passes through the router a NAT entry is created:

  INSIDE LOCAL          INSIDE GLOBAL         OUTSIDE GLOBAL
  192.168.0.100:1456    12.228.99.129:1456    200.200.200.200:80

3) A 'hole' has been created that now allows traffic to my workstation.

4) A really good hacker wants to exploit this hole. To do this, s/he's going to have to do a few tricky things: First, since this translation is only going to allow traffic from 200.200.200.200:80 to be sent to 192.168.0.100:1456, s/he's going to have to figure out how to spoof that address/port pair AND get the return traffic back to his machine (if he wants any return traffic there might be). Second, since it's only my web browser, and not some service that's running on port 1456, the only traffic that could possibly even be interpreted on that port would be HTML. And since that port is maintaining the TCP stream info from the original connection (seq #'s, ACKs) s/he's going to have to accurately spoof that too.

If all this is successful, I guess there is malicious HTML code that s/he could run, but wouldn't it have been easier for the hacker just to put it up on a website and let me click on it myself?

To me it seems like NAT overload on home computers meets the security idea of making it more difficult than what it's worth for the hacker. There is no way I would ever rely on this on a production network with services available, themselves initiating connections. I'd really like to hear a security expert's views about these ideas, but so far, no one I've talked to has explained to me a way that a hacker could get past NAT overload. The only two ways I can think of are 1) bypass NAT by using the actual configured IPs of the workstations inside, 2) get you to install software on your machine that will both create a NAT translation to the outside and let them connect back through that translation to a SERVICE that's listening on that port. If they are able to do that, even CBAC isn't going to stop them anyhow. Access lists trying to protect home workstations that are being NAT'ed seem for the most part redundant to me.
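The translation-table behaviour Doug walks through in steps 1 through 4, as an added example that is not part of the original thread: a small Python model of NAT overload (PAT) that keeps one entry per inside/outside tuple, rewrites the outbound source, and lets an inbound packet through only when its source address, source port and destination port all match an existing entry. The inside host, outside address and web server are the ones from the post; the other outside addresses, the class and function names, and the port-selection rule (keep the inside port when it is free, otherwise the next unused high port, which is a simplification of what IOS does) are assumptions made for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Minimal NAT-overload model: one outside address and a translation table
    keyed by (inside local ip, inside local port, outside ip, outside port)."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self.table: Dict[Tuple[str, int, str, int], int] = {}  # -> inside global port
        self.drops: List[Tuple[str, Packet]] = []               # (reason, packet) log

    def _pick_global_port(self, wanted: int) -> int:
        # Simplification: keep the inside port if no entry uses it yet,
        # otherwise take the lowest unused high port.
        used = set(self.table.values())
        if wanted not in used:
            return wanted
        port = 1024
        while port in used:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create (or reuse) a translation and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = self._pick_global_port(pkt.src_port)
        return Packet(self.outside_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only if the packet matches an existing entry."""
        if pkt.dst_ip != self.outside_ip:
            # The role of access-list 151 in the post: nothing addressed straight
            # to the private range is accepted on the outside interface.
            self.drops.append(("not-our-outside-address", pkt))
            return None
        for (lip, lport, oip, oport), gport in self.table.items():
            if pkt.dst_port == gport and pkt.src_ip == oip and pkt.src_port == oport:
                return Packet(pkt.src_ip, pkt.src_port, lip, lport)
        self.drops.append(("no-translation", pkt))
        return None


def demo() -> dict:
    """Replay the post's scenario plus three constructed unsolicited packets."""
    r = PatRouter("12.228.99.129")
    # 1) the workstation opens the web session from the post
    out = r.outbound(Packet("192.168.0.100", 1456, "200.200.200.200", 80))
    # 2b) the entry now exists, so the server's reply is translated back in
    reply = r.inbound(Packet("200.200.200.200", 80, "12.228.99.129", 1456))
    # 4) constructed unsolicited traffic (198.51.100.7 is a documentation address):
    #    same global port but a different source, a probe to a port with no entry,
    #    and a packet addressed directly to the private inside address
    stranger = r.inbound(Packet("198.51.100.7", 80, "12.228.99.129", 1456))
    probe = r.inbound(Packet("198.51.100.7", 40000, "12.228.99.129", 23))
    direct = r.inbound(Packet("198.51.100.7", 40000, "192.168.0.100", 1456))
    return {
        "outbound": out,
        "reply": reply,
        "stranger": stranger,
        "probe": probe,
        "direct": direct,
        "drop_reasons": [reason for reason, _ in r.drops],
        "table_size": len(r.table),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes concrete is the one scott's reply concedes: the table is a stateful match on the layer 3/4 tuple and nothing more. A reply from the right server and port is forwarded; a packet to the same global port from anywhere else, or to a port with no entry, is dropped and logged, which is what a defender should expect to see in NAT or firewall logs. What the model cannot do is inspect the payload that arrives through a legitimate entry, which is exactly where the "above layer 4" risk in the thread lives.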
Looking for Study partners in N.J [7:66097]
Hey Guys,

I live in Central New Jersey and I'm looking for some serious study partners to hammer out the CCIE Written. Please shoot me an email at [EMAIL PROTECTED] if interested.

Thanks
rbx10
MCP, CCNA, CCNP
CCIE-N-Training

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66097t=66097
Re: OSPF Hellos on ATM interface Disappear [7:66096]
This sounds like a problem that was discussed here (or on the groupstudy ccielab list) in the last few days. The problem then was EIGRP over ATM. Now it's OSPF over ATM. Try specifying your OSPF neighbors manually, so unicasting occurs. There may be a better solution, but try this until someone chimes in with something better.

Tom Larus

Nelson Herron wrote in message news:[EMAIL PROTECTED]

Troubles with OSPF routing over an ATM interface. After about 15 - 20 minutes the hellos from one of my routers disappear (with attendant chaos). Tried swapping boards, same problem.

I have three routers (7000 - 11.2.15, 2 RSP7000s - 12.2.x) running classical IP through a Madge Collage 750 ATM switch. The 7000 and the hub RSP7000 work fine. The second RSP7000 works fine immediately after a shut/no shut on the interface, but after 15 minutes I no longer see hello messages from it at the hub router. I still see hello messages from the hub RSP7000 router at the affected one. It's hard to tell for sure but it appears that the SVC is reset at about the same time - may be incidental. ILMI works fine.

This is a pretty plain configuration - I'm using ospf priority and ospf broadcast on the ATM sub-interface. Another thing that puzzles me is the fact that the highest OSPF priority does not seem to set the DR. Rather it still seems to follow the highest loopback address. Reading books like Doyle led me to believe it would follow the highest priority. Seems pretty brutal to have to reboot an entire network to get the ATM DR in the correct location.

Thoughts???

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66100t=66096
Re: Multilink PPP [7:66087]
  interface Serial0/0
   no ip address
   encapsulation ppp
   keepalive 10
   ppp multilink
   multilink-group 1
  !
  interface Serial0/1
   no ip address
   encapsulation ppp
   keepalive 10
   ppp multilink
   multilink-group 1
  !
  interface Multilink1
   ip address x.x.x.x m.m.m.m
   ppp multilink
   multilink-group 1

Joshua Vince wrote in message news:[EMAIL PROTECTED]

Anyone have a sample config for Multilink PPP with 2 serial ports (WIC-1T)?

Thanks.
Josh Vince

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66098t=66087
Network Management Software whats hot and whats not [7:66099]
Does anyone have any good advice on the choice of network management/monitoring software? I am looking to monitor roughly 25 servers, 20 routers (mostly VPN to a 3000 Concentrator), 8 or so PIX firewalls and various other switches and network devices. I have tried the CiscoWorks ver 6.0 eval and although it is a few thousand pounds cheaper than CiscoWorks I have not been that impressed with the interface or functionality. Monitoring is going to be the main function but it would be nice to have some diagnostic tools and config delivery also. Considering the WAN is fairly small, does anyone have any suggestions?

Regards
Chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66099t=66099
RE: Network Management Software whats hot and whats no [7:66099]
This is a great piece of software... http://www.solarwinds.net

Chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66101t=66099
RE: Eigrp neighbor loss [7:63925]
I have a lab set up with three routers connected to a Madge 750 switch and I have been having a similar problem. I have only done a detailed eval with OSPF because I basically have to sit and watch for the failure, lacking a decent syslogger. I have been finding a neighbor/hello loss on one of my RSP7000 machines after about 15 - 20 minutes. I had a similar problem with EIGRP, but switched it over to OSPF to see if I still had the problem before I tested the neighbor links. It is an RSP7000 with CX-AIP. I posted it earlier today - 3/24/2003. The only other thing that appears to happen along the way is an SVC reset on the hub router, but that should be transparent.

I don't know if this will give you any ideas, but if it does, can you give me some feedback on the cure?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66102t=63925
RE: CID 640-025 [7:66103]
Alan Joseph wrote:

Reposting... Does anyone out there in the wild vast yonder of Cisco Cert Land know if AppleTalk and IPX are still on the CID 3.0 (640-025) test? It doesn't show up on the exam description...

I just took the CCDP recertification test and they were on there, if that's helpful, since you haven't gotten an answer from anyone else.

Priscilla

http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-025.html

Mahalo!
Joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 1:10 PM
To: [EMAIL PROTECTED]
Subject: RE: What is a distributed/collapsed backbone? [7:65225]

According to CID lingo a collapsed backbone is a single router or switch acting as a backbone in a campus design model. It contrasts with a distributed backbone where routers or switches are spread out among floors or buildings, all connected together via something like FDDI. (Yes, CID still has FDDI in it!)

Maybe that picture you are looking at is an error.

Good luck with CID. It's a fun one! :-)

Priscilla

Marc Thach Xuan Ky wrote:

Hi all,

I thought I'd do 640-025 CID before it disappears, so I started reading the Cisco Press book, CID Exam Certification Guide. Now in chapter 2, section "Issues facing campus LAN designers" (I'm using Safari Books Online so I don't know the page number) it shows figs 2.4 and 2.5, distributed and collapsed backbones respectively. The distributed backbone shows, per floor, one router and one switch; the collapsed backbone shows a single router for the building fanning out to one switch per floor. Fair enough I guess, but scenario 1, Q2 in the same chapter asks what backbone to use in a particular case and then answers it with "distributed backbone" and a picture, fig 2.8, that looks rather like the collapsed backbone shown earlier. I obviously have to learn Ciscospeak for the exam, so can anybody tell me, which is it?

rgds
Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66104t=66103
RE: CID 640-025 [7:66103]
Reposting... Does anyone out there in the wild vast yonder of Cisco Cert Land know if AppleTalk and IPX are still on the CID 3.0 (640-025) test? It doesn't show up on the exam description...

http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-025.html

Mahalo! Joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 1:10 PM To: [EMAIL PROTECTED] Subject: RE: What is a distributed/collapsed backbone? [7:65225]

According to CID lingo a collapsed backbone is a single router or switch acting as a backbone in a campus design model. It contrasts with a distributed backbone where routers or switches are spread out among floors or buildings, all connected together via something like FDDI. (Yes, CID still has FDDI in it!) Maybe that picture you are looking at is an error. Good luck with CID. It's a fun one! :-)

Priscilla

Marc Thach Xuan Ky wrote: Hi all, I thought I'd do 640-025 CID before it disappears, so I started reading the Cisco Press book, CID Exam Certification Guide. Now in chapter 2, section "Issues facing campus LAN designers" (I'm using Safari Books Online so I don't know the page number) it shows figs 2.4 and 2.5, distributed and collapsed backbones respectively. The distributed backbone shows, per floor, one router and one switch; the collapsed backbone shows a single router for the building fanning out to one switch per floor. Fair enough I guess, but scenario 1, Q2 in the same chapter asks what backbone to use in a particular case and then answers it with distributed backbone and a picture, fig 2.8, that looks rather like the collapsed backbone shown earlier. I obviously have to learn Ciscospeak for the exam, so can anybody tell me, which is it? rgds Marc

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66103t=66103
Re: Is 'troubleshooting campus networks' enough f [7:66083]
Mike Reilly wrote: Hello, I was looking at purchasing this book and want to make sure that I have the correct one. ISBN = 0471428094

The ISBN is 0471210137. There's just one book called Troubleshooting Campus Networks by Priscilla Oppenheimer and Joseph Bardwell, so it shouldn't be hard to find. :-) You can buy it hardback or as an e-book. Maybe that other ISBN is for the e-book. Wiley e-books are in a format that must be viewed with a file-reading program called Adobe Acrobat eBook Reader, which you can download from Adobe.com. I've never seen the e-book and can't comment on it. You probably want to get the hardback to be safe. Thanks for considering the book. I hope you like it if you do end up getting it.

___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com

If not, can someone give me the correct one?

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]

Newell Ryan D SrA 18 CS/SCBT wrote: I have read a part of this book. It seems to line up with the CIT. Will this be enough reading material to pass the CIT?

Did you retransmit the message or did Group Study send it again by mistake? Unfortunately, due to no marketing by the publisher, not very many people know that the Troubleshooting Campus Networks book exists and that it's a great tool for studying for the Support (CIT) test. So you may not get an answer from anyone but me, the main author. :-) It makes me sad to see you post the question and not get an answer, because it's evidence of the poor sales. Joseph Bardwell and I went to a huge amount of effort to produce high-quality, targeted content. The result is a terrific book. It doesn't matter that it's terrific. With no marketing, it might as well not exist. Also the title is not quite right. It covers more than campus networks, including tons of info on routing protocols and a chapter on WAN troubleshooting. The Amazon description that the publisher wrote is laughable, but sad. :-( So, it has a lot going against it despite its great content.

Anyway, Troubleshooting Campus Networks should be enough to pass the Support test. That was one of my main goals for writing the book. I was one of the developers of the CIT course and have a good feel for what's in it. I was the developer for version 3.0, but a reviewer for the more recent versions. I have taken the Support test a couple of times to get a good feel for what's on it. Troubleshooting Campus Networks covers more than you will need for the test. To make your studying more efficient, be sure to spend time with the tables that describe the Cisco show and debug commands. The Support exam has a big focus on those. Also study the output from these commands and the descriptions of what they mean.

If your goal is just to pass the test, don't spend a lot of time on the wireless chapter. The current test doesn't have any wireless questions. Don't spend a lot of time with the protocol analyzer output. Although I think a troubleshooter should have to know that level of detail, Cisco does not. :-) To pass the Support exam, about all you have to know about TCP is that there's a 3-way handshake. A lot of Cisco people think that's the only relevant thing to know about TCP. In Chapter 2, I wrote a lot about troubleshooting methods. Cisco, of course, expects you just to know their method, which I did cover. :-)

I didn't spend much time on Cisco troubleshooting tools. That's one thing you may want to get from the official Cisco book, or read up on these topics on CCO (if you can still find them; the test is outdated). Gain some familiarity with what the following tools do for a troubleshooter: CiscoWorks, CWSI, Netsys, TrafficDirector, VLANDirector, WAN Manager, StackDecoder, Core Dump, CCO MarketPlace, CCO Software Center, CCO Bug Toolkit, CCO Troubleshooting Engine, CCO Open Forum.

The only other topic that my book doesn't cover in much detail that you may see on the test is the internal architecture of the Catalyst 5000 and troubleshooting with the LEDs on the 5000. The test is not very hard, by the way, not nearly as hard as BSCI, from what I hear. Good luck with it!

___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66105t=66083
OOT War Analysis from Milan Technical University [7:66107]
FYI http://us.f1.yahoofs.com/users/80883606/bc/My+Documents/Gains+of+WAR.ppt?bchn8f.Ak5MtDaU_ My Mission To stop the death of innocent victims Don't worry the file is virus free regards, Taufik Kurniawan Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66107t=66107
2950 with EMI any good for studying? [7:66106]
S! ALL! I am receiving 2 2950's (WS-2950T-24 as I recall) with the EMI for work at the end of this week. Are they comparable to the 3550 vis-a-vis MLS capabilities? I need to bone up on the uses of the 3550 for the CCIE Lab (I take the lab on 4/6) and I am hoping these 2950's will do the job. Also... any good links on configuring the 3550 would be GREATLY appreciated. Prayers for me would not be refused either :) S! (Salute!) Brian Carroll CCNP, CCSE, MCSE, CCA Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66106t=66106
Router ID? [7:66108]
Hi all, Two routing protocols: OSPF and EIGRP DO need to have their own router ID reachable by other routers to have proper network connectivity, or am I incorrect? Any confirmation on this is much appreciated. Xy Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66108t=66108
RE: OOT War Analysis from Milan Technical University [7:66107]
Is this on the new CCIE written? I don't remember this from CCNP. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66109t=66107
Natting problem...help!!! [7:66111]
I have the following scenario 0---0--telnet application network3network 1 network 2 lan wan link I need all hosts on network 3 to telnet to my telnet application. Problem is network 3 and network 2 both have the same IP range. My question is the following: Is there any way I can perform NATting to allow network 3 hosts to telnet to the application and use an IP address other than the one assigned to the application as the destination address??? Any ideas appreciated. Thanks Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66111t=66111
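The overlap described in the post above is the textbook case for translating both directions of a session on IOS. The configuration below is an added example, not something posted in this thread; the topology, interface names and every address in it are assumed. The router is taken to sit between network 2 (where the telnet application lives, on its inside interface) and the WAN link toward network 1 and network 3 (its outside interface), with networks 2 and 3 both numbered 192.168.1.0/24 and the two 172.16.x.0/24 alias ranges unused anywhere else.

```cisco
! Added example, not from the thread. Assumed topology:
!   network 3 (192.168.1.0/24) --- network 1 / WAN --- R --- network 2 (192.168.1.0/24)
! The telnet application is 192.168.1.10 in network 2 (assumed).
! 172.16.1.0/24 and 172.16.2.0/24 are assumed to be free alias ranges.
!
interface FastEthernet0/0
 description network 2, telnet application side
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description WAN link toward network 1 and network 3
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
! 1. Give the application an alias that does not fall inside network 3's
!    range. Network 3 hosts telnet to 172.16.1.10 instead of 192.168.1.10,
!    which is exactly the "different destination address" asked for above.
ip nat inside source static 192.168.1.10 172.16.1.10
!
! 2. A network 3 host that carries a network 2 address must also be
!    renumbered on its way in; otherwise the application's replies to
!    192.168.1.50 are delivered to the host of that name in network 2.
!    (Assumed network 3 host 192.168.1.50; repeat per host, or use a
!    dynamic outside-source pool for a whole subnet.)
ip nat outside source static 192.168.1.50 172.16.2.50
!
! 3. Inside-to-outside packets are routed before they are translated, so
!    the alias range used for network 3 hosts needs a route toward the WAN.
ip route 172.16.2.0 255.255.255.0 Serial0/0
!
! 4. Expose only the service that was asked for. Static NAT maps every
!    port of the application host, so limit inbound traffic to telnet.
ip access-list extended FROM-NET3
 permit tcp 192.168.1.0 0.0.0.255 host 172.16.1.10 eq telnet
 deny   ip any any log
!
interface Serial0/0
 ip access-group FROM-NET3 in
```

Packet walk under these assumptions: a network 3 host sends to 172.16.1.10. On the outside-to-inside path NAT runs first, rewriting the destination to 192.168.1.10 and the source to 172.16.2.50, and the packet is then routed out FastEthernet0/0. The application replies to 172.16.2.50; on the inside-to-outside path that address is routed via Serial0/0 first, then the source is rewritten back to 172.16.1.10 and the destination to 192.168.1.50. The 172.16.1.0/24 alias must also be reachable from network 3 across network 1, which is a routing matter on the far side, not something NAT on this router can supply. `show ip nat translations` on the router should show both the inside and outside entries while a session is up.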
Re: Help on Catalyst 3550 [7:66072]
Hi Larry and all, first I'd like to thank you for your quick response. Hm.. the router we have is an IBM 2210 series. How do I know that the router is configured and running STP? What about if I turn off STP on the Catalyst 3550? What is Blade Center? Sorry for my silly questions. Thanks in advance. Best Regards, HATO

From: Larry Letterman Reply-To: Larry Letterman To: [EMAIL PROTECTED] Subject: Re: Help on Catalyst 3550 [7:66072] Date: Mon, 24 Mar 2003 17:49:47 GMT

Sounds like the router you have is a switch running spanning tree... if that's the case, then turn off spanning tree on the IBM device.. is that device a Blade Center server? Larry Letterman Network Engineer Cisco Systems

- Original Message - From: Juli Hato To: [EMAIL PROTECTED] Sent: Monday, March 24, 2003 7:56 AM Subject: Help on Catalyst 3550 [7:66072]

Hi all, I have an IBM router that has 2 ethernet ports. The IBM router connects to a Cisco Catalyst 3550 that is not configured. When the IBM router connects to the switch, one of the ethernet ports from the IBM router gets blocked by the Cisco switch. All you have to know is that I need both ethernet ports from the IBM router active. How do I counteract this? Thank you in advance. Best Regards, HATO

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66112t=66072