WIC 2A/S working at speeds greater than 128kbps. [7:66733]

2003-04-03 Thread [EMAIL PROTECTED]
We have a Cisco 1750 router with a WIC2A/S card installed. According to
Cisco's documentation, the WIC card supports speeds up to 128kbps. But I have
seen the serial port working at speeds of 250kbps. How??? Is Cisco's
documentation wrong or am I missing something??

Thanks and Regards   

Simon K. Carvalho 
Sr. Network Engineer 
Network Solutions Ltd. , Bangalore
Email:  :[EMAIL PROTECTED]
Web  :   www.netsol.co.in 
Phone   :  +91 80 5535228 ext 433
Mobile  :  +91 9845349843

"Tomorrow's Networks.Today."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66733&t=66733
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: VLAN Trunk Question and spanning tree [7:66730]

2003-04-03 Thread Larry Letterman
John,

This is from one of my 6509's with an MSFC router module, which is
similar to your 4006...we do use the trunk allow to put our trunks
in the native vlan and the vlans for data/voice...we also use portfast
bpdu-guard on the access ports in the floor switches..it stops the potential
of loops in the floor/main switches...

I am not sure about the flap error, since it's between two uplinks going to
two different places..


interface GigabitEthernet3/1
 description to sjc5-fxs-sw1
 no ip address
 udld enable
 mls qos trust cos
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,159,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet3/2
 description to sjc5-11-sw1
 no ip address
 udld enable
 mls qos trust cos
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,151,154,200,1002-1005
 switchport mode trunk
 switchport nonegotiate


Larry Letterman
Network Engineer
Cisco Systems





> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> John Brandis
> Sent: Wednesday, April 02, 2003 7:05 PM
> To: [EMAIL PROTECTED]
> Subject: VLAN Trunk Question and spanning tree [7:66730]
>
>
> hi All,
>
> Please tell me if I am wrong and best practices
>
> A trunk link, by default, is a member of all VLANS
>
> Would it be best practice, to place your trunk ports in a particular VLAN,
> then define what you want pruned/not pruned ?
>
> Reason I ask is that I am getting the hostflapping error every
> now and then,
> which first made me believe I had a developer plugging in hubs around the
> place. However, now I think it's a question of my design/config. Here is an
> example of the error on my cat-4006 gig ports which trunk to my floor
> switches.
>
> Host 00:06:29:F9:75:A2 in vlan 23 is flapping between port Gi2/12 and port
> Gi2/11
>
> NOTE: 2/12 goes to sw2 and 2/11 goes to sw1, which are connected to one
> another as you can see below
>
> I checked it out, there are no hubs any where that could do this,
> and I have
> spanning tree in place to stop the redundant links on my floor switches
> coming back into the core. Here is the config of my trunk ports
> on the floor
> switch
>
> SW1
> interface GigabitEthernet0/1
> description link to core
>  switchport mode trunk
>  no ip address
> !
> interface GigabitEthernet0/2
> description link to sw2 floor switch
>  switchport mode trunk
>  no ip address
>
> SW2
> interface GigabitEthernet0/1
> description link to core
>  switchport mode trunk
>  no ip address
> !
> interface GigabitEthernet0/2
> description link to sw1 floor switch
>  switchport mode trunk
>  no ip address
>
> If any one can suggest anything, I would appreciate it
> (I am interested in the use of the bpdu-port guard, would this
> help here ?)
>
> Thanks
> John
> Sydney Australia
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66735&t=66730
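
The two configs in this thread differ in exactly the settings a trunk audit looks for, so here is an added example (not code from Larry's or John's posts, and not a Cisco tool): a small Python checker that parses IOS interface blocks like the ones above and flags trunk ports that still carry every VLAN, have DTP negotiation left on (no `switchport nonegotiate`), or lack UDLD. The two sample configs are constructed to resemble the hardened 6509 trunk and the floor-switch trunk shown here; interface names and descriptions are invented.

```python
import re

# Constructed samples: one modelled on the hardened 6509 trunk above,
# one on the floor-switch trunk that only sets "switchport mode trunk".
HARDENED_TRUNK = """\
interface GigabitEthernet3/1
 description to core-sw1
 no ip address
 udld enable
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,159,1002-1005
 switchport mode trunk
 switchport nonegotiate
!
"""

UNRESTRICTED_TRUNK = """\
interface GigabitEthernet0/1
 description link to core
 switchport mode trunk
 no ip address
!
"""


def parse_interfaces(config):
    """Split an IOS running-config excerpt into {interface name: [config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None            # "!" terminates an interface block
        elif current is not None:
            blocks[current].append(line)
    return blocks


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as "1,159,1002-1005" into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_trunk(lines):
    """Return a list of findings for one interface; an empty list means nothing to flag."""
    findings = []
    if "switchport mode trunk" not in lines:
        return findings               # access or routed port: out of scope here
    allowed = None
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (?:add )?(\S+)$", line)
        # only plain numeric lists are expanded; "all"/"except"/"none" count as unrestricted
        if m and re.fullmatch(r"[\d,-]+", m.group(1)):
            allowed = parse_vlan_list(m.group(1))
    if allowed is None:
        findings.append("trunk carries every VLAN: no 'switchport trunk allowed vlan' list")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP negotiation left enabled: 'switchport nonegotiate' missing")
    if "udld enable" not in lines:
        findings.append("UDLD not enabled on this uplink")
    return findings


def audit_config(config):
    """Audit every interface in the excerpt; returns {interface: [findings]}."""
    return {name: audit_trunk(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for sample in (HARDENED_TRUNK, UNRESTRICTED_TRUNK):
        for name, findings in audit_config(sample).items():
            print(name, "->", findings or "OK")
```

Run it against a `show running-config` excerpt to list trunks that still need an allowed-VLAN list and `nonegotiate`; the hardened sample comes back clean and the floor-switch sample produces three findings.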


PAT AFTER NAT (confused) [7:66734]

2003-04-03 Thread ciscoGo2002
Hello friends,

Thank you for your answers, but I have more doubts:

   Config:

ip nat inside source list 1 pool POOL overload

If I have understood your answers, the router starts
doing PAT with the first IP address and doesn't take
the next available public IP address until PAT is
exhausted with the first IP address, right?? But if
this is the way it works I think we never use the rest
of the public IP's in the pool because there are not
enough clients to exhaust PAT with the first IP... I
think it will be much better if the router starts
doing PAT and after the pool is exhausted.

   I cannot do NAT 1:1 and reserve one public IP to do
PAT, because I don't want to give the same IP to a set
of clients and not to another...

   Is it really the way that "overload" works inside a
pool??? Please, I am very curious...

   I don't have a router to play, so I cannot test
this on myself.
 
   Thanks friends...



Please reply to "Adam" 
Sent by: [EMAIL PROTECTED]
To:  [EMAIL PROTECTED]
CC:  
Subject: Re: Re: PAT AFTER NAT...IS IT POSSIBLE???
[7:66672

This is what I have run into in the past and I was
almost certain that it
was not possible.  I set it up in the lab here with
various configs and had
the same result.
As far as I was told in the last routing update I
attended at our local
cisco office, the SE's there confirmed that the PIX
can be defined with a
NAT Pool of addresses and then have the same pool
statement entered only
this time specifying the same address (ie. PAT) as an
overload.  They
confirmed that the IOS router code does not function
like this and that you
would have to statically NAT those addresses that you
wanted 1:1 on and then
have a blanket PAT (overload) statement in to cover
the rest.
In the case of the original question with wanting to
NAT 128 clients 1:1 and
then have PAT for the rest, this would require a lot
of configuration and to
guarantee that 1:1 would occur (or to at least keep
track of it) you would
require static IPs on the clients wishing to 1:1 NAT.
Hope I'm not flying way offline here but I believe
this is the only way
possible with an IOS router.

Cheers

> I've found that you cannot do this, at least not
when you do nat to a pool
> of addresses.  You have to do static nat, then
overload the rest.  I tried
> adding overload to the end of my existing nat
statement with the pool, it
> started PATing the addresses from the beginning. 
Instead of using the 1:1
> from the pool, then pating anything beyond that.
>
> ""Lee Carter""  wrote in message
> news:[EMAIL PROTECTED]
> > Yes you can just take your nat statement (ip nat
inside source list 1...)
> > and add the word overload on the end of the
command.
> >
> > You will use a 1:1 NAT for the first set of users.
Once your IP's are
used
> > up you will use PAT. It is important to note that
some issues arise with
> PAT
> > versus NAT like IPSEC or DLSW.
> >
> > just an fyi.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66734&t=66734


Order of packet processing on an interface - NAT vs Access-list [7:66738]

2003-04-03 Thread Andrew Larkins
Hi all,

I remember seeing something on CCO yesterday while searching for something
else, but for the life of me I can't find it again. I need a refresher!

Does anyone know the order in which packets are processed on an interface?
Basically, with respect to outgoing traffic from an interface, does it NAT
first, or check the outgoing access list??

Thanks in advance


Andrew Larkins
BCom, CCNP, CCDP, CSS1
Bytes Technology Networks
A Division of Bytes Technology Group : Registration No: 1911/003874/06
A Member of the Altron Group
P O Box 748, Rivonia, 2128
3 Eglin Rd, The Crescent, Sunninghill, South Africa


Tel  :  +27 11 800 9336
Fax  :  +27 11 800 9496
Mobile   :  +27 83 656 7214
Email:  [EMAIL PROTECTED]
[EMAIL PROTECTED]
   




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66738&t=66738


RE: WIC 2A/S working at speeds greater than 128kbps. [7:66733]

2003-04-03 Thread Andrew Larkins
I noticed the same thing. From my understanding it works great but the
problem comes in when the second link is connected. Once that is done, only
then do the problems start. Something to do with the capabilities on the WIC
itself.

Regards

Andrew
CCNP, CCDP, CSS1

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 03 April 2003 08:57
To: [EMAIL PROTECTED]
Subject: WIC 2A/S working at speeds greater than 128kbps. [7:66733]


We have a Cisco 1750 router with a WIC2A/S card installed. According to
Cisco's documentation, the WIC card supports speeds up to 128kbps. But I have
seen the serial port working at speeds of 250kbps. How??? Is Cisco's
documentation wrong or am I missing something??

Thanks and Regards   

Simon K. Carvalho 
Sr. Network Engineer 
Network Solutions Ltd. , Bangalore
Email:  :[EMAIL PROTECTED]
Web  :   www.netsol.co.in 
Phone   :  +91 80 5535228 ext 433
Mobile  :  +91 9845349843

"Tomorrow's Networks.Today."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66737&t=66733


Computer for ISP [7:66736]

2003-04-03 Thread George
A computer is to be purchased for an Internet Service Provider (ISP) that is
to be used as one of the servers at the network backbone. What may be the
role of this server for the ISP?

Can this server be put to other server-related applications?

What will be the configuration of this server, giving reasons for the selection of
the various components (economy-wise and performance-wise)?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66736&t=66736


IOS Download to the new flash [7:66739]

2003-04-03 Thread Mamoon Dawood
Dear All,

While trying to download an IOS to the new (clear) flash of a 3662 router
using the xmodem method, and after finishing the download and reload, we
got the following message:


device does not contain a valid magic number
boot: cannot open "flash:"
boot: cannot determine first file name on device "flash:"



Erasing flash at 0x3000sector erase failed at location 0x3000,
status 0x20202020


Please advise what we should do to download the IOS,

Thanks,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66739&t=66739


RE: PAT AFTER NAT (confused) [7:66734]

2003-04-03 Thread Troy Leliard
You should be able to use your normal pool and overload command,
e.g. ip nat inside source list 1 pool POOL overload.

Your pool, for example, is 192.168.0.60->10.168.0.99; then the first 39 IP's would
be used for NAT, and the last will be used for PAT.

=?iso-8859-1?q?ciscoGo2002?= wrote:
> 
> Hello friends,
> 
> Thank you for your answers, but I have more doubts:
> 
>Config:
> 
> ip nat inside source list 1 pool POOL overload
> 
> If I have understood your answers, the router starts
> doing PAT with the first IP address and doesn't take
> the next available public IP address until PAT is
> exhausted with the first IP address, right?? But if
> this is the way it works I think we never use the rest
> of the public IP's in the pool because there are not
> enough clients to exhaust PAT with the first IP... I
> think it will be much better if the router starts
> doing PAT and after the pool is exhausted.
> 
>I cannot do NAT 1:1 and reserve one public IP to do
> PAT, because I don't want to give the same IP to a set
> of clients and not to another...
> 
>    Is it really the way that "overload" works inside a
> pool??? Please, I am very curious...
> 
>I don't have a router to play, so I cannot test
> this on myself.
>  
>Thanks friends...
> 
> 
> 
> Please reply to "Adam" 
> Sent by:  [EMAIL PROTECTED]
> To:  [EMAIL PROTECTED]
> CC:
> Subject:   Re: Re: PAT AFTER NAT...IS IT POSSIBLE???
> [7:66672
> 
> This is what I have run into in the past and I was
> almost certain that it
> was not possible.  I set it up in the lab here with
> various configs and had
> the same result.
> As far as I was told in the last routing update I
> attended at our local
> cisco office, the SE's there confirmed that the PIX
> can be defined with a
> NAT Pool of addresses and then have the same pool
> statement entered only
> this time specifying the same address (ie. PAT) as an
> overload.  They
> confirmed that the IOS router code does not function
> like this and that you
> would have to statically NAT those addresses that you
> wanted 1:1 on and then
> have a blanket PAT (overload) statement in to cover
> the rest.
> In the case of the original question with wanting to
> NAT 128 clients 1:1 and
> then have PAT for the rest, this would require a lot
> of configuration and to
> guarantee that 1:1 would occur (or to at least keep
> track of it) you would
> require static IPs on the clients wishing to 1:1 NAT.
> Hope I'm not flying way offline here but I believe
> this is the only way
> possible with an IOS router.
> 
> Cheers
> 
> > I've found that you cannot do this, at least not
> when you do nat to a pool
> > of addresses.  You have to do static nat, then
> overload the rest.  I tried
> > adding overload to the end of my existing nat
> statement with the pool, it
> > started PATing the addresses from the beginning. 
> Instead of using the 1:1
> > from the pool, then pating anything beyond that.
> >
> > ""Lee Carter""  wrote in message
> > news:[EMAIL PROTECTED]
> > > Yes you can just take your nat statement (ip nat
> inside source list 1...)
> > > and add the word overload on the end of the
> command.
> > >
> > > You will use a 1:1 NAT for the first set of users.
> Once your IP's are
> used
> > > up you will use PAT. It is important to note that
> some issues arise with
> > PAT
> > > versus NAT like IPSEC or DLSW.
> > >
> > > just an fyi.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66740&t=66734


RE: Errata of TCP/IP Volume I by Jeff [7:66668]

2003-04-03 Thread galvin lu
Many thanx, friend!
 It seems that there are few errata in the book :))


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66741&t=8


RE: IOS Download to the new flash [7:66739]

2003-04-03 Thread Larry Letterman
Looks like a bad flash card..try another flash card..
if it won't erase correctly, I don't think it will copy the file and
be usable...

 
Larry Letterman
Network Engineer
Cisco Systems
 
 
 


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Mamoon Dawood
> Sent: Thursday, April 03, 2003 12:36 AM
> To: [EMAIL PROTECTED]
> Subject: IOS Download to the new flash [7:66739]
> 
> 
> Dear All,
> 
> While trying to download an IOS to the new (clear) flash of a 3662 router
> using the xmodem method, and after finishing the download and reload, we
> got the following message,
> 
> 
> device does not contain a valid magic number
> boot: cannot open "flash:"
> boot: cannot determine first file name on device "flash:"
> 
> 
> 
> Erasing flash at 0x3000sector erase failed at location 0x3000,
> status 0x20202020
> 
> 
> Please advise what we should do to download the IOS,
> 
> Thanks,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66742&t=66739


RE: Order of packet processing on an interface - NAT vs [7:66744]

2003-04-03 Thread Andrew Larkins
Done some more digging here and found the following:

1. Incoming access-list
2. NAT
3. Outgoing access-list
4. CBAC



-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]
Sent: 03 April 2003 10:34
To: [EMAIL PROTECTED]
Subject: Order of packet processing on an interface - NAT vs Access-list
[7:66738]


Hi all,

I remember seeing something on CCO yesterday while searching for something
else, but for the life of me I can't find it again. I need a refresher!

Does anyone know the order in which packets are processed on an interface?
Basically, with respect to outgoing traffic from an interface, does it NAT
first, or check the outgoing access list??

Thanks in advance


Andrew Larkins
BCom, CCNP, CCDP, CSS1
Bytes Technology Networks
A Division of Bytes Technology Group : Registration No: 1911/003874/06
A Member of the Altron Group
P O Box 748, Rivonia, 2128
3 Eglin Rd, The Crescent, Sunninghill, South Africa


Tel  :  +27 11 800 9336
Fax  :  +27 11 800 9496
Mobile   :  +27 83 656 7214
Email:  [EMAIL PROTECTED]
[EMAIL PROTECTED]
   




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66744&t=66744
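
The practical consequence of that order, as an added example that is not from Andrew's post or from Cisco: a small Python model of an inside-to-outside packet passing the inbound access-list, then NAT, then the outbound access-list (CBAC, the fourth step in the list, is left out of the model). The addresses, ACL entries and NAT table are constructed for illustration. The point it shows is that an outbound ACL on the outside interface has to be written against the translated (global) addresses: by the time the packet reaches it, the private source address is already gone.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    src: str                  # source prefix in CIDR notation
    dst: str = "0.0.0.0/0"    # destination prefix, any by default


def acl_check(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if src in ipaddress.ip_network(e.src) and dst in ipaddress.ip_network(e.dst):
            return e.action == "permit"
    return False


def nat_inside_to_outside(table: Dict[str, str], pkt: Packet) -> Packet:
    """Rewrite the private source to its global address (a 1:1 table is enough here)."""
    return replace(pkt, src=table.get(pkt.src, pkt.src))


def process_inside_to_outside(pkt, inbound_acl, nat_table, outbound_acl) -> Tuple[str, Packet]:
    """Model of the order listed above: inbound ACL, then NAT, then outbound ACL."""
    if not acl_check(inbound_acl, pkt):
        return "dropped by inbound ACL", pkt
    pkt = nat_inside_to_outside(nat_table, pkt)      # the outbound ACL sees this packet
    if not acl_check(outbound_acl, pkt):
        return "dropped by outbound ACL", pkt
    return "forwarded", pkt


# Constructed sample: one inside host, one NAT binding, one outside destination.
INSIDE_ACL = [AclEntry("permit", "10.0.0.0/8")]
NAT_TABLE = {"10.0.0.5": "198.51.100.5"}
SAMPLE = Packet(src="10.0.0.5", dst="203.0.113.10", dport=443)

# Written against the private range: never matches after translation.
OUTBOUND_ACL_PRIVATE = [AclEntry("permit", "10.0.0.0/8")]
# Written against the global pool: matches the translated packet.
OUTBOUND_ACL_GLOBAL = [AclEntry("permit", "198.51.100.0/24")]


def demo():
    """Run the same packet through both outbound ACLs and return the verdicts."""
    return {
        "private_acl": process_inside_to_outside(SAMPLE, INSIDE_ACL, NAT_TABLE, OUTBOUND_ACL_PRIVATE),
        "global_acl": process_inside_to_outside(SAMPLE, INSIDE_ACL, NAT_TABLE, OUTBOUND_ACL_GLOBAL),
    }


if __name__ == "__main__":
    for name, (verdict, pkt) in demo().items():
        print(f"{name}: {verdict} (source seen by outbound ACL = {pkt.src})")
```

The same reasoning applies in reverse for outside-to-inside traffic, where the outside interface's inbound ACL is evaluated before NAT and therefore matches on global addresses; the model above only covers the direction Andrew asked about.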


Re: PAT AFTER NAT (confused) [7:66734]

2003-04-03 Thread Peter Walker
According to my experience you have got it the wrong way round.

Cisco IOS will do NAT until the pool runs out, then do PAT on the last IP.

This was a major issue when the documentation suggested the opposite. Not
sure if this is still the case though.

Peter


--On 03 April 2003 07:50 + ciscoGo2002  wrote:

> Hello friends,
>
> Thank you for your answers, but I have more doubts:
>
>Config:
>
> ip nat inside source list 1 pool POOL overload
>
> If I have understood your answers, the router starts
> doing PAT with the first IP address and doesn't take
> the next available public IP address until PAT is
> exhausted with the first IP address, right?? But if
> this is the way it works I think we never use the rest
> of the public IP's in the pool because there are not
> enough clients to exhaust PAT with the first IP... I
> think it will be much better if the router starts
> doing PAT and after the pool is exhausted.
>
>I cannot do NAT 1:1 and reserve one public IP to do
> PAT, because I don't want to give the same IP to a set
> of clients and not to another...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66743&t=66734


RE: Need a Management Software [7:66666]

2003-04-03 Thread Dom
Have a look at What's Up Gold.

Best regards,

Dom Stocqueler
CTO - SysDom Technologies


===
IMPORTANT: This email is intended for the use of the individual
addressee(s)named above and may contain information that is confidential
privileged or unsuitable for overly sensitive persons with low
self-esteem, no sense of humour or irrational religious beliefs. If you
are not the
intended recipient, any dissemination, distribution or copying of this
email
is not authorised (either explicitly or implicitly) and constitutes
an irritating social faux pas. Unless the word absquatulation has been
used in its correct context somewhere other than in this warning, it
does not
have any legal or grammatical use and may be ignored. No animals were
harmed in the transmission of this email, although the poodle next door
is living on borrowed time, let me tell you. Those of you with an
overwhelming fear of the unknown will be gratified to learn that there
is
no hidden message revealed by reading this warning backwards, so just
ignore that
Alert Notice from Microsoft. However, by pouring a complete circle of
salt around yourself and your computer you can ensure that no harm
befalls
you and your pets. If you have received this email in error,
please add some nutmeg and egg whites and place it in a warm oven for 40
minutes. Whisk briefly and let it stand for 2 hours before icing.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 02 April 2003 10:11
To: [EMAIL PROTECTED]
Subject: Need a Management Software [7:6]


Hello Group

One of my customers needs a management software.

The management software should mail / page / sms network admin of

CISCO switch port status UP / Down and switch down status.

Can anybody advise me of a good, cheap commercial SNMP management software
with these features?

Thank you in advance

Regards
jagan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66745&t=6


Re: PAT AFTER NAT (confused) [7:66734]

2003-04-03 Thread ciscoGo2002
Hello group...

Let's put an example:

PUBLIC POOL:
X.X.X.0  X.X.X.4  
Four public ip addresses (it's only an example!!)

Suppose that the first three clients
arrive (clients are computers that try to get
internet); the router does NAT (1:1), ok?? Now the
fourth client arrives, so if you are right the router
does PAT with the last public IP address.

 In this situation imagine the following cases:

 1) The first translation times out; what happens
if another client arrives?? Does the router do PAT or
NAT with this new client?? If the router does PAT...
does it take the free public IP address or continue
doing PAT with the fourth public IP address??

 2) Now suppose this: the router has 3 public IP's
doing NAT, the fourth doing PAT. Now one translation
times out; what happens with the fourth PAT
translation?? Does it keep on doing PAT or start doing
NAT???

  I'm still confused... I really appreciate all the
answers to this question, but some answers say the
opposite. Can we make it clear??

   Thank you!!!


 


 --- Peter Walker  wrote: >
According to my experience you have got it the wrong
> way round.
> 
> Cisco IOS will do NAT until the pool runs out, then
> do PAT on the last IP.
> 
> This was a major issue when then documentation
> suggested the opposite. Not 
> sure if this is still the case though.
> 
>   Peter
> 
> 
> --On 03 April 2003 07:50 + ciscoGo2002
>  wrote:
> 
> > Hello friends,
> >
> > Thank you for your answers, but I have more
> doubts:
> >
> >Config:
> >
> > ip nat inside source list 1 pool POOL overload
> >
> > If have understood your answers, the router
> start
> > doing PAT with the first IP address and doesn't
> takes
> > the next avalaible public IP address until PAT is
> > exhausted with the first IP address, right?? But
> if
> > this is the way it works I think we never use the
> rest
> > of the public IP's in the pool because there are
> not
> > enough clients to exhaust PAT with the first IP...
> I
> > think it will be much better if the router starts
> > doing PAT and after the pool is exhausted.
> >
> >I cannot do NAT 1:1 and reserve one public IP
> to do
> > PAT, because I don't want to give the same IP to a
> set
> > of clients and not to another...
> >
>  





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66746&t=66734


RE: WIC 2A/S working at speeds greater than 128kbp [7:66733]

2003-04-03 Thread Troy Leliard
You are correct, the card can aggregate the bandwidth as long as you don't
use the second port .. you can also do this on 8 port sync/async
cards...have used this for high speed frame-relay !


Andrew Larkins wrote:
> 
> I noticed the same thing. From my understanding it works great
> but the
> problem comes in when the second link is connected. Once that
> is done, only
> then do the problems start. Something to do with the
> capabilities on the WIC
> itself.
> 
> Regards
> 
> Andrew
> CCNP, CCDP, CSS1
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 03 April 2003 08:57
> To: [EMAIL PROTECTED]
> Subject: WIC 2A/S working at speeds greater than 128kbps.
> [7:66733]
> 
> 
> We have a Cisco 1750 router with a WIC2A/S card
> installed. According to
> Cisco's documentation, the WIC card supports speeds up to
> 128kbps. But I have
> seen the serial port working at speeds of 250kbps. How??? Is
> Cisco's
> documentation wrong or am I missing something??
> 
> Thanks and Regards   
> 
> Simon K. Carvalho 
> Sr. Network Engineer 
> Network Solutions Ltd. , Bangalore
> Email:  :[EMAIL PROTECTED]
> Web  :   www.netsol.co.in 
> Phone   :  +91 80 5535228 ext 433
> Mobile  :  +91 9845349843
> 
> "Tomorrow's Networks.Today."
> 
> 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66747&t=66733


RE: PAT AFTER NAT (confused) [7:66734]

2003-04-03 Thread Marko Milivojevic
I have been following this thread with great interest, for I had
problems with PAT/NAT in IOS recently. It looks to me that many people have
the same confusion (hopes) as I had.

I have a case where I have many users on private address space
(around 1000 or so) which must be NAT-ed through a pool of 768 "real"
addresses. These are all, mostly, heavy users (xDSL customers).

I have foolishly hoped that if I configure a pool with overload, IOS
will do 1:1 and when it runs out of addresses, it will do PAT. Well, I was
wrong. And that's wrong at a price. Not only is IOS immediately
performing PAT, but PAT is *much* more CPU intensive than 1:1 NAT. Also, it
is not possible to define multiple address ranges or pools for the same
translation (I would greatly appreciate it if someone corrects me here).

So, from my experience with this matter:

* it is not easily possible to do NAT and switch to PAT when
addresses run out
* if you define overload, IOS automatically does PAT, with more CPU
usage

One way of getting away from running out of NAT addresses is to
lower the translation timeout (the default is, I think, 24h). This timeout defines how
long a NAT relationship remains between real and private IP. You can lower
this to one hour by doing:

ip nat translation timeout 3600

In my experience, this proved to be useful in this far-from-1:1
scenario. Further lowering this to some 15 minutes or so could cause more
load on the router (guesswork), but hugely decrease your chances of running out
of translation addresses.


Kind regards,
Marko.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66748&t=66734
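
An added example (not from any poster, and not a statement of what IOS actually does) that makes the two positions in this thread concrete: a Python model of an overloaded pool with a translation timeout, run under both candidate policies. `nat_then_pat` follows Peter's and Troy's description (1:1 bindings from the pool, with the last address reserved for PAT); `pat_first` follows Marko's observation (everything overloaded on the first address from the start). The pool addresses, client addresses, port numbering and the 60-second timeout are constructed; the timeout stands in for Marko's `ip nat translation timeout`. It walks through ciscoGo2002's two cases: a 1:1 binding ages out and a new client arrives, and an existing PAT client carries on after that.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Translation:
    inside: str
    outside: str
    port: Optional[int]     # None = 1:1 NAT binding, int = PAT (overloaded) binding
    last_used: float


class NatPool:
    """Toy model of an overloaded NAT pool; 'policy' selects which theory is simulated."""

    def __init__(self, addresses: List[str], policy: str = "nat_then_pat", timeout: float = 3600):
        self.addresses = list(addresses)
        self.policy = policy
        self.timeout = timeout                   # plays the role of 'ip nat translation timeout'
        self.table: Dict[str, Translation] = {}  # inside IP -> current binding
        self._ports = itertools.count(1024)      # constructed PAT port allocator

    def expire(self, now: float) -> None:
        """Drop bindings idle for at least the timeout, which frees their 1:1 addresses."""
        for inside, t in list(self.table.items()):
            if now - t.last_used >= self.timeout:
                del self.table[inside]

    def _free_nat_addresses(self) -> List[str]:
        # nat_then_pat keeps the last pool address for PAT only (model assumption)
        bound = {t.outside for t in self.table.values() if t.port is None}
        return [a for a in self.addresses[:-1] if a not in bound]

    def translate(self, inside: str, now: float) -> Tuple[str, Optional[int]]:
        """Return (outside address, port) for an inside host, creating a binding if needed."""
        self.expire(now)
        t = self.table.get(inside)
        if t is not None:                        # an existing binding is reused unchanged
            t.last_used = now
            return t.outside, t.port
        if self.policy == "pat_first":
            outside, port = self.addresses[0], next(self._ports)
        else:
            free = self._free_nat_addresses()
            if free:
                outside, port = free[0], None
            else:
                outside, port = self.addresses[-1], next(self._ports)
        self.table[inside] = Translation(inside, outside, port, now)
        return outside, port


def run_scenarios(policy: str) -> dict:
    """Four public addresses; clients 10.0.0.1-4 arrive, then the two cases from the thread."""
    pool = NatPool(["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"],
                   policy=policy, timeout=60)
    initial = [pool.translate(f"10.0.0.{i}", 0) for i in range(1, 5)]
    for now in range(10, 70, 10):                # clients 2-4 stay busy, client 1 goes idle
        for i in range(2, 5):
            pool.translate(f"10.0.0.{i}", now)
    case1 = pool.translate("10.0.0.5", 70)       # client 1 has aged out; a new client arrives
    case2 = pool.translate("10.0.0.4", 70)       # the client that was given PAT continues
    return {"initial": initial, "case1_new_client": case1, "case2_pat_client": case2}


if __name__ == "__main__":
    for policy in ("nat_then_pat", "pat_first"):
        print(policy, run_scenarios(policy))
```

Under `nat_then_pat` the freed address goes 1:1 to the new client and the PAT client keeps its port on the last address; under `pat_first` every client, old and new, shares the first address with a different port and the remaining pool addresses never get used, which is the situation ciscoGo2002 and Marko describe. Which policy a given IOS release follows is exactly what Bullwinkle's lab below is designed to settle.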


RE: New CCIE revised exam preparation [7:66706]

2003-04-03 Thread alaerte Vidali
Until now I could not find out if the number of questions also decreased. It
seems not to be documented anywhere.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66749&t=66706


RE: Order of packet processing on an interface - N [7:66744]

2003-04-03 Thread alaerte Vidali

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66751&t=66744


RE: Question about the Revised R&S CCIE Writte [7:66715]

2003-04-03 Thread alaerte Vidali
When the last exam format was introduced (September if I am right) the pass
mark was 70%. Lately I heard it was around 57% (it was my grade when I
failed in September - life needs to go on).

Maybe the new exam also started at 70%. Does it?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66752&t=66715


Re: PAT AFTER NAT...IS IT POSSIBLE??? [7:66672]

2003-04-03 Thread Bullwinkle
May I suggest a quick and dirty lab to test the various theories that have
been described in this thread.

1) Take a router, create four loopbacks with /32 masks out of the same /29
range.

2) set up your NAT pool with only two outside addresses. Then set the
outside interface. Maybe shorten the timeouts.

3) set each of the loopbacks as inside addresses.

4) do an extended ping to the other router - but use the default number of
tries ( 5 ). This will set up the first translation.

5) do extended pings from  two other loopbacks, but this time with large
numbers of repeats, so as to keep the NAT translations active.

6) at some point the first translation will time out. When this happens, do
an extended ping from the fourth loopback. Try to time this so all the pings
stop about the same time ( good luck ).

when the pings stop, you should be able to do a "show ip nat trans" to see
what addresses got what. the outside address used by the fourth loopback
provides the answer to the mechanics of NAT/PAT.

Cisco documentation cannot be relied upon to be detailed enough to provide the
actual mechanics of how this works. Nor may the actual mechanics be
consistent from IOS to IOS, let alone platform to platform or vendor to
vendor.

My own opinion is that NAT assigns from the static pool as long as there is
an open address, and operates PAT only if there are no open addresses, but
just because that is logical doesn't mean that's the way it is.

In answer to a different part of the question below, you can create multiple
NAT/PAT pools, and assign portions of your inside space to different source
pools via access-lists.

! lower half of 100.100.100.0/24: wildcard 0.0.0.127 (a wildcard of 0.0.0.128
! would only match the two addresses .0 and .128)
access-list 1 permit 100.100.100.0 0.0.0.127
! upper half of 100.100.100.0/24
access-list 2 permit 100.100.100.128 0.0.0.127

ip nat pool NAT_1 10.1.1.1 10.1.1.31 netmask 255.255.255.224
ip nat pool NAT_2 10.1.1.33 10.1.1.63 netmask 255.255.255.224
ip nat inside source list 1 pool NAT_1 overload
ip nat inside source list 2 pool NAT_2 overload

This segments your inside users into groups and each group uses a different
NAT pool. This may relieve some of your CPU usage problems. Or you could
stop being a cheapskate and buy a real firewall to do the job. :->

--

Bullwinkle: Hey, Rocky, watch me pull a CCIE out of my hat!

Rocky: Bullwinkle, that trick NEVER works

Bullwinkle: This time FOR SURE!!!
""ciscoGo2002""  wrote in message
news:[EMAIL PROTECTED]
> Thanks Symon,
>
> We really want to know more about the way the overload
> works...
> Maybe we were not as exact as we wanted... We want
> to know how we can use PAT when all other public IPs
> are exhausted after using NAT?
> For example, if we configure this:
> ip nat inside source list  pool
> overload
>
> How does it work?? The router uses NAT with every
> public IP in the pool and when the pool is exhausted
> the router begins doing PAT with the first IP address of
> the pool, and so on..?? Can you please respond to this
> question??? (be more specific, thx)
>
> Thanks people...
>
>  --- Symon Thurlow  wrote:
> > Yes, this is a typical setup.
> >
> > Search cisco.com and you will find a sample config.
> >
> > Symon
> >
> > -Original Message-
> > From: ciscoGo2002 [mailto:[EMAIL PROTECTED]
> > Sent: 02 April 2003 11:58
> > To: [EMAIL PROTECTED]
> > Subject: PAT AFTER NAT...IS IT POSSIBLE??? [7:66672]
> >
> >
> > Hello folks,
> > I have question for you, we want to do dynamic NAT
> > with a pool of 128 public ip addresses (we haven't
> > got
> > more public IP addresses :(  ). Now, when the router
> > does 128 translation no one can access internet...
> > We
> > would like to do PAT when NAT public addresses are
> > exhausted.. is it possible? Can we do a mix of PAT
> > and
> > NAT configuration? Any ideas? Any configs?
> >
> > Thanks to all of you clever men and ladies!!!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66750&t=66672
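The two NAT threads above turn on the same question: how a dynamic pool with `overload` hands out addresses, and how the translation timeout (Marko's `ip nat translation timeout 3600`) frees them again. The toy model below replays Bullwinkle's four-loopback lab so the expected `show ip nat translations` result is explicit before anyone sits at a console. It is an added example, not code from the thread or from Cisco; the two allocation policies it models are assumptions (Bullwinkle's own stated opinion, and the alternative of port-translating everything onto the first pool address), not documented IOS behaviour, and the loopback addresses, pool addresses and the tiny per-address port budget are constructed.

```python
"""Toy model of a dynamic NAT pool with 'overload' (PAT) and an idle timeout.

Added example, not code from the thread. Two allocation policies are
modelled as assumptions, not as documented IOS behaviour:
  * "one_to_one_first": hand out a free pool address 1:1 while one exists,
    fall back to port translation only when the pool is exhausted.
  * "pat_first": port-translate every inside host onto the first pool
    address, moving to the next address only when its ports run out.
Replaying the lab under both shows what the translation table would have to
look like for each, so the real router output can be compared against it.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Translation:
    inside: str             # inside local address
    outside: str            # inside global (pool) address
    port: Optional[int]     # None for a 1:1 entry, translated port for PAT
    last_seen: float        # drives the idle timeout


@dataclass
class NatPool:
    addresses: List[str]
    timeout: float                     # like 'ip nat translation timeout'
    policy: str = "one_to_one_first"
    ports_per_address: int = 3         # deliberately tiny so exhaustion shows
    table: List[Translation] = field(default_factory=list)
    next_port: int = 1024

    def expire(self, now: float) -> None:
        """Drop entries idle for at least 'timeout' seconds."""
        self.table = [t for t in self.table if now - t.last_seen < self.timeout]

    def _entries(self, addr: str) -> List[Translation]:
        return [t for t in self.table if t.outside == addr]

    def _pat(self, inside: str, now: float) -> Optional[Translation]:
        """Port-translate onto the first pool address with a free port."""
        for addr in self.addresses:
            used = [t for t in self._entries(addr) if t.port is not None]
            if len(used) < self.ports_per_address:
                t = Translation(inside, addr, self.next_port, now)
                self.next_port += 1
                return t
        return None

    def translate(self, inside: str, now: float) -> Translation:
        """Return (and refresh) the entry for an inside host, creating one
        under the configured policy if none exists."""
        self.expire(now)
        for t in self.table:
            if t.inside == inside:
                t.last_seen = now
                return t
        if self.policy == "one_to_one_first":
            # an address is 'open' when no host holds it 1:1 (modelling
            # assumption: PAT entries on it do not reserve it)
            free = [a for a in self.addresses
                    if not any(t.port is None for t in self._entries(a))]
            t = Translation(inside, free[0], None, now) if free else self._pat(inside, now)
        elif self.policy == "pat_first":
            t = self._pat(inside, now)
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if t is None:
            raise RuntimeError("translation pool and ports exhausted")
        self.table.append(t)
        return t

    def show(self) -> List[str]:
        """Rough 'show ip nat translations'-style listing."""
        return sorted(
            f"{t.outside}{'' if t.port is None else ':' + str(t.port)} -> {t.inside}"
            for t in self.table)


def run_lab(policy: str, timeout: float = 10.0):
    """Replay the lab: loopback 1 sends a short ping burst, loopbacks 2 and 3
    ping continuously, loopback 1's entry idles out, then loopback 4 starts.
    Returns the (address, port) given to loopback 4 and the final table."""
    pool = NatPool(["10.1.1.1", "10.1.1.2"], timeout=timeout, policy=policy)
    lo = ["192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4"]  # constructed
    pool.translate(lo[0], now=0.0)              # 5 default pings, then silence
    for now in range(1, 10):                    # steady traffic from two hosts
        pool.translate(lo[1], now=float(now))
        pool.translate(lo[2], now=float(now))
    fourth = pool.translate(lo[3], now=timeout + 1.0)   # after lo[0] idled out
    return (fourth.outside, fourth.port), pool.show()


if __name__ == "__main__":
    for policy in ("one_to_one_first", "pat_first"):
        got, table = run_lab(policy)
        print(policy, "-> loopback 4 got", got)
        for line in table:
            print("   ", line)
```

Under the first policy loopback 4 ends up with a fresh 1:1 entry on the address loopback 1 released, while loopback 3 sits on that same address as a port-translated entry; under the second, every loopback is port-translated onto the first pool address and the second address is never touched. Whichever pattern the real `show ip nat trans` output resembles is the answer to the mechanics question the lab is designed to settle.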


Re: Question about the Revised R&S CCIE Written Exam [7:66715]

2003-04-03 Thread Karsten
70%

On Wednesday 02 April 2003 05:11 pm, Mirza, Timur wrote:
> do you know what the pass mark is?
>
> -Original Message-
> From: Karsten [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2003 3:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Question about the Revised R&S CCIE Written Exam [7:66715]
>
>
> A ccie at Boson told me it was 120.
>
> -Karsten
>
> On Wednesday 02 April 2003 02:07 pm, Zahid Hassan wrote:
> > Dear All,
> >
> > Could someone please confirm about the number of questions in the new R&S
> > written
> > exam after March 28 2003 as it is not mentioned on CCIE information page.
> >
> > Thanks in advance.
> >
> > Regards,
> >
> > Zahid




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66754&t=66715


IP route to Null0? [7:66755]

2003-04-03 Thread Anil Gupte
I am trying to understand some IP route commands on our router.  Several of
them go to Null0 - what does that mean?

For example, I have
ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200

What is this doing?

I need to add another block of class Cs from the same provider. Do I need
a similar statement to the above?

Thanx for your help.
Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66755&t=66755


Re: hacking challenge [7:66720]

2003-04-03 Thread Steven Aiello
Depending on the servers you could do it in 5 min.  There is an
anonymous account that runs over netbios in the 130's port area.  If
there isn't a firewall in place to filter this port you can use the "net
use" command and have access to the box.  After this you can download
the backup copy of the SAM off the server, run a crack program like
lophtcrack and BLING BLING.  You have every user name and password on
the system.  All too easy.

I would recommend the Hacking Exposed book.  If you want to protect your
system from crackers / hackers, you need to know what they can and will
do to get what they want.  However don't let a firewall be your end-all
do-all solution.  Look into hardening your server OS; if it's Win2k try
learning about group policies, they are a wonderful addition.  If it's
Novell or Linux, sorry I can't be much help.  But the rule applies.

Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66753&t=66720


RE: IP route to Null0? [7:66755]

2003-04-03 Thread Joseph Brunner
What's sloppy about it ?

Would you prefer the overhead of an acl ?

Please suggest a better way..

But with the AD in there set to 200, it looks like a route
in a "holding pattern" for bgp redistribution.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66759&t=66755


Re: CCIE Vs. Linux engineer (not Ph.d) [7:66669]

2003-04-03 Thread Priscilla Oppenheimer
nrf you make an excellent point, as always.

As an example, I just got a job (can you believe it in this economy? ;-)
teaching at Southern Oregon University. The networking classes don't have
many people in them, partly because students know that the labs aren't
great. We have some Cisco gear, which nobody had touched until I got there.
I got a nice little lab up and running, but it's not really sufficient. We
can't afford to get much more though.

Now, on the other hand, the Linux classes are overflowing. And the Linux lab
has literally walls and walls of 133 MHz PCs all running Linux. The
students gobble that stuff up. One of the Linux classes is at night over the
dinner hour and it still gets an excellent turn-out. It doesn't matter to
these students that the hour is inconvenient. Linux is more important than
food, beer, family time, watching TV, or sleep. :-)

You may not want to compete with these young 'uns, as nrf says. Stay ahead
of the game and do what they don't have as much opportunity to do:
networking, especially Cisco networking.

Priscilla


nrf wrote:
> 
> > Linux is very difficult to learn really well.  True, CCIE lab
> > equipment is expensive, but I think it may take less time for some
> > people to become a CCIE than to get the kind of facility with Linux
> > that the Linux-guru jobs require.
> 
> I think a far bigger problem with choosing Linux as a financially stable
> career is something you just hit on the head right there - barriers to
> entry.  Financially speaking, there are none. Anybody can just piece
> together a couple of old PC's and fire up Linux and start learning.  And
> right now, there are literally tens of thousands of high school and college
> kids playing with Linux - and, I don't want to sound morbid, but they're
> going to be your job competition in a few years.  Do you really have much to
> work with if you know Linux, but so does every college student graduating
> with a CS degree in the future (and they will)?   Not to mention all those
> people in countries like China, India, and Russia who are short on cash but
> long on brains and tenacity?
> 
> That therefore means that if you want to remain employable in the Linux
> space, you will always need to stay ahead of the Jones's, and the Jones's in
> this case are obsessed high-school nerds who think it's actually fun to code
> for 100 hours a week.  Hey, if you have the brains and the tenacity to keep
> pace, then more power to you.  Or, if you happen to like Linux (I gotta
> admit, it is pretty cool), then by all means.  But if you're seeing Linux
> just as an opportunity to make money, then unless you possess Herculean
> fortitude, I think you'll be disappointed.
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66760&t=9


Re: IP route to Null0? [7:66755]

2003-04-03 Thread Karsten
Either a sloppy way to drop traffic for a /24, or bgp
summarization using null routing.

-Karsten





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66757&t=66755


RE: hacking challenge [7:66720]

2003-04-03 Thread Priscilla Oppenheimer
Wilmes, Rusty wrote:
> 
> this is a general question for the security specialists.
> 
> Im trying to convince a client that they need a firewall
> 
> so hypothetically, 
> 
> if you had telnet via the internet open to a router (with an access list
> that allowed smtp and telnet) (assuming you didn't know the telnet password
> or the enable password) that had a bunch of nt servers on another interface,

Do you actually mean that you are allowing Telnet and SMTP to go through the
router? You said "to" above which is confusing. Allowing Telnet to the
router unrestricted would be a horrible security hole, even for people who
don't know the password because passwords are often guessable.

But I don't think that's what you meant...

Allowing Telnet and SMTP through the router is more common, especially SMTP.
You have to allow SMTP if you have an e-mail server that gets mail from the
outside world. Avoid Telnet, though, if you can. It sends all text as clear
text, including passwords.

The question is really how vulnerable is the operating system that the SMTP
server is running on? It's probably horribly vulnerable if your client
hasn't kept up with the latest patches, and it sounds like your client is
the type that hasn't? In fact, the server is probably busy attacking the
rest of us right now! ;-0

So, as far as convincing your customer...

The best way may be to put a free firewall, like Zone Alarm, on the decision
maker's computer and show her/him all the attacks happening all the time. Or
if she already has a firewall, walk her through the log.

Good luck. I have a good book to recommend on this topic:

Greenberg, Eric. "Mission-Critical Security Planner." New York, New York,
Wiley Publishing, Inc., 2003.

Here's an Amazon link:

http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetwinc/104-9901005-4572707

Priscilla

> how long would it take a determined hacker a) cause some kind of network
> downtime and b) to map a network drive to a share on a file server over the
> internet. 
> 
> Thanks,
> Rusty
> 
> > -Original Message-
> > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 02, 2003 1:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VLAN loop problem [7:66656]
> > 
> > 
> > Yes,
> > it prevents loops in spanning tree on layer 2 switches from 
> > causing a loop
> > by disabling the port on a cisco switch...
> > 
> > 
> > Larry Letterman
> > Network Engineer
> > Cisco Systems
> > 
> > 
> > 
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > > Thomas N.
> > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: VLAN loop problem [7:66656]
> > >
> > >
> > > What does "portfast bpdu-guard" do?  Does it prevent interfaces with
> > > portfast enabled from causing the loop in my scenario?
> > >
> > >
> > > ""Larry Letterman""  wrote in message
> > > news:[EMAIL PROTECTED]
> > >
> > > > port mac address security might work, altho its a lot of admin
> > > > overhead..are you running portfast bpdu-guard on the access ports?
> > > >
> > > >
> > > > Larry Letterman
> > > > Network Engineer
> > > > Cisco Systems
> > > >
> > > >
> > > >   - Original Message -
> > > >   From: Thomas N.
> > > >   To: [EMAIL PROTECTED]
> > > >   Sent: Tuesday, April 01, 2003 8:14 PM
> > > >   Subject: VLAN loop problem [7:66656]
> > > >
> > > >
> > > >   Hi All,
> > > >
> > > >   I got a problem in the production campus LAN here between VLANs.
> > > >   Please help me out!  Below is the scenario:
> > > >
> > > >   We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets.
> > > >   Routing is enabled/allowed between the two subnets using the MSFC of
> > > >   the 6500.  Each subnet has a DHCP server to assign IP addresses to
> > > >   devices on its subnet.  Spanning-tree is enabled; however, portfast
> > > >   is turned on on all non-trunking/uplink ports.  Recently, devices on
> > > >   VLAN 10 got assigned an IP address of 10.20.x.x, which is from the
> > > >   DHCP on the other scope and also from the 10.10.x.x scope, and vice
> > > >   versa.  It seems that we have a loop somewhere between the 2 subnets
> > > >   but we don't know where.  I noticed lots of end users have a little
> > > >   unmanaged hub/switch hanging off the network jacks in their cubicles
> > > >   and potentially causing a loop.
> > > >
> > > >   Is there any way that we can block the loop on the Cisco switches
> > > >   without visiting cubicles and taking those little unmanaged
> > > >   hubs/switches?  Thanks!
> > > >
> > > >   Thomas
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66758&t=66720


Debug display to VTY [7:66762]

2003-04-03 Thread James Gosnold
Um, probably a silly one for you all.

I have a 1721 router at either end of a leased line. I telnet into the
router and:

Router#debug serial int
Serial network interface debugging is on
Router#terminal monitor

And nothing. Shouldn't I get some debug messages here, keep alives and such
between the CSU and my router? It's a live connection and the line works, as
far as I knew this was all I needed to enter to view debug output from a
telnet session? In fact I don't appear to be getting debug output for
anything so I'm missing something silly here but I thought 'terminal
monitor' was sufficient?

Regards, James.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66762&t=66762


Re: hacking challenge [7:66720]

2003-04-03 Thread Karsten
> However don't let a firewall be your end all
> do all solution.  Look into hardening you Server OS, if its Win2k try
> learning about group policy's they are a wonderful addition.  If it's
> Novell or Linux, sorry I can't be much help.  But the rule applies

If you're looking for security on Win2k then here's some advice. Close
it off to the world. Completely. Run a PIX or PF firewall in front of your
networks behind a router. If you want a secure OS then move to Linux or
an xBSD.  This is getting off topic.

-Karsten






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66763&t=66720


Re: hacking challenge [7:66720]

2003-04-03 Thread Kent Hundley
Rusty,

I'm not clear from your question if there is an acl blocking everything
inbound to the nt servers except smtp and telnet or if the acl is for
inbound to the router itself.  In the former case, unless your client is
forcing their users to use good passwords, it's likely that a brute
force telnet attempt would succeed in anywhere from a few hours to a few
days, ditto for brute force on the router. If they're not logging failed
login attempts, they would never know this was occurring.  

If they have no filtering of any kind inbound to their servers, there
are many netbios/nt vulnerabilities that they could be susceptible to,
without knowing more specifics about the patches applied and the
services being run I can't give you anything more specific.  You can
search on securityfocus.com to see what might be applicable to your
client.

One thing to keep in mind, for a small site the Cisco firewall feature
set may be adequate.  At the very least, a correctly configured
access-list provides some rudimentary protection.  See the cisco site or
Phrack issue 52 for info on Cisco router security. (phrack.com)  

Also, security works best when applied in layers.  It's not enough to
have a firewall, enabling centralized logging, patching and hardening
servers, backup procedures and implementing change control procedures
are just a few of the things that need to be done as well.  A firewall
is just the beginning.

HTH,
Kent

PS If you're trying to get your client to take security seriously, you
should probably begin by asking business questions like: "What is the
worth of the information contained on your servers? How long could you
operate without that information?  If you lost all of the information on
your servers, could your business operate? Are you aware of how much
money businesses lost last year due to security breaches according to
the FBI/CSI annual report?  Are you aware of the potential legal issues
related to not following "due care" practices for securing your
information infrastructure, etc. etc."

On Wed, 2003-04-02 at 19:09, Wilmes, Rusty wrote:
> this is a general question for the security specialists.
> 
> Im trying to convince a client that they need a firewall
> 
> so hypothetically, 
> 
> if you had telnet via the internet open to a router (with an access list
> that allowed smtp and telnet) (assuming you didn't know the telnet password
> or the enable password)that had a bunch of nt servers on another interface,
> how long would it take a determined hacker a) cause some kind of network
> downtime and b) to map a network drive to a share on a file server over the
> internet. 
> 
> Thanks,
> Rusty
> 

SNMP in Router [7:66764]

2003-04-03 Thread Frederico Madeira
How do I configure SNMP messages on a 1700 series router???

Thanks

Frederico Madeira
Support Coordinator
N. Landim Comércio Ltda
PABX: 81. 3497.3029
e-mail: [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66764&t=66764


RE: Question about the Revised R&S CCIE Writte [7:66715]

2003-04-03 Thread [EMAIL PROTECTED]
when i failed in november, it was 150 questions/3 hours/58% pass mark





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66765&t=66715


cisco just told me that [7:66767]

2003-04-03 Thread Mirza, Timur
there are 100 questions on the new r & s written...pass mark is 70 % &
fluctuates based on "statistics"

Timur Mirza
Principal Network Engineer
Enterprise Core Network
Verizon Wireless
15505-B Sand Canyon Avenue
Irvine, California 92618
949.286.6623 (o)
949.697.7964 (c)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66767&t=66767


Re: CCNP Recertification Exam Review [7:66644]

2003-04-03 Thread Jonathan V Hays
Priscilla Oppenheimer wrote:
> The CCNP Recertification Exam was gruelling, and that's no April Fool's
> joke. But I survived it! ;-)
> 
> Exam number: 640-851 (the current one)
> Number of questions: 112
> Time: 2 hours
> Passing Score 732
> My score: 834
> 
> Is anyone else taking it soon? Here's some advice:

Another piece of advice: make sure you take the exam BEFORE your 
certification expires or you will be wasting your money.

Early in 2002 I foolishly sat for and passed both the CCNPR and 
the CCDPR *after* mine had expired. I waited and waited for the 
confirmation of recertification.  I finally emailed Cisco who 
wrote back with the bad news: the exams didn't count because my 
certifications had already expired when I sat for them. I ended 
up paying again for all the exams and sitting them over again, so 
to speak.

I did take the FRS exam and saved a few dollars. BTW, the FRS 
exam was considerably more difficult than either recertification 
exam, IMHO. The CCIE qualification exam was much easier by 
comparison (at least in April 2002 it was).

-Jonathan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66768&t=66644


RE: hacking challenge [7:66720]

2003-04-03 Thread Maccubbin, Duncan
Easy, show them RFC 3514 and let them know you would need a firewall to
block the "Evil" bit...cash, check or charge?

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

Wilmes, Rusty wrote:
> 
> this is a general question for the security specialists.
> 
> Im trying to convince a client that they need a firewall
> 
> so hypothetically, 
> 
> if you had telnet via the internet open to a router (with an
> access list
> that allowed smtp and telnet) (assuming you didn't know the
> telnet password
> or the enable password)that had a bunch of nt servers on
> another interface,

Do you actually mean that you are allowing Telnet and SMTP to go through
the
router? You said "to" above which is confusing. Allowing Telnet to the
router unrestricted would be a horrible security hole, even for people
who
don't know the password because passwords are often guessable.

But I don't think that's what you meant...

Allowing Telnet and SMTP through the router is more common, especially
SMTP.
You have to allow SMTP if you have an e-mail server that gets mail from
the
outside world. Avoid Telnet, though, if you can. It sends all text as
clear
text, including passwords.

The question is really how vulnerable is the operating system that the
SMTP
server is running on? It's probably horribly vulnerable if your client
hasn't kept up with the latest patches, and it sounds like your client
is
the type that hasn't? In fact, the server is probably busy attacking the
rest of us right now! ;-0

So, as far as convicing your customer

The best way may be to put a free firewall, like Zone Alarm, on the
decision
maker's computer and show her/him all the attacks happening all the
time. Or
if she already has a firewall, walk her through the log.

Good luck. I have a good book to recommend on this topic:

Greenberg, Eric. "Mission-Critical Security Planner." New York, New
York,
Wiley Publishing, Inc., 2003.

Here's an Amazon link:

http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetwinc/104-99
01005-4572707

Priscilla

> how long would it take a determined hacker a) cause some kind
> of network
> downtime and b) to map a network drive to a share on a file
> server over the
> internet. 
> 
> Thanks,
> Rusty
> 
> > -Original Message-
> > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 02, 2003 1:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VLAN loop problem [7:66656]
> > 
> > 
> > Yes,
> > it prevents loops in spanning tree on layer 2 switches from 
> > causing a loop
> > by disabling the port on a cisco switch...
> > 
> > 
> > Larry Letterman
> > Network Engineer
> > Cisco Systems
> > 
> > 
> > 
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > > Thomas N.
> > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: VLAN loop problem [7:66656]
> > >
> > >
> > > What does "portfast bpdu-guard" do?  Does it prevent
> interfaces with
> > > portfast enabled from causing the loop in my scenario?
> > >
> > >
> > > ""Larry Letterman""  wrote in message
> > > news:[EMAIL PROTECTED]
> > >
> > > > port mac address security might work, altho its a lot of
> admin
> > > > overhead..are you running portfast bpdu-guard on the
> access ports?
> > > >
> > > >
> > > > Larry Letterman
> > > > Network Engineer
> > > > Cisco Systems
> > > >
> > > >
> > > >   - Original Message -
> > > >   From: Thomas N.
> > > >   To: [EMAIL PROTECTED]
> > > >   Sent: Tuesday, April 01, 2003 8:14 PM
> > > >   Subject: VLAN loop problem [7:66656]
> > > >
> > > >
> > > >   Hi All,
> > > >
> > > >   I got a problem in the production campus LAN here
> between
> > > VLANs.  Please
> > > >   help me out!  Below is the scenario:
> > > >
> > > >   We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x)
> subnets.
> > > Routing is
> > > >   enable/allowed between the two subnets using MSFC of 
> > the 6500.  Each
> > > subnet
> > > >   has a DHCP server to assign IP address to devices on
> its subnet.
> > > >   Spanning-tree is enabled; however, portfast is turned on
> on all
> > > >   non-trunking/uplink ports.  Recently, devices on VLAN
> 10 got
> > > assigned an
> > > IP
> > > >   address of 10.20.x.x , which is from the DHCP on the 
> > other scope and
> > > also
> > > >   from 10.10.x.x scope, and vice versa.  It seems that we have
> a
> > > loop somewhere
> > > >   between the 2 subnets but we don't know where.  I 
> > noticed lots of end
> > > users
> > > >   have a little unmanaged hub/switch hanging off the network 
> > jacks in their
> > > >   cubicles and potentially causing a loop.
> > > >
> > > >   Is there any way that we can block the loop on the 
> > Cisco switches
> > > without
> > > >   visiting cubicles taking those little unmanaged 
> > hubs/switches?  Thanks!
> > > >
> > > >   Thomas





Access-List Usage: Can I do this?? [7:66769]

2003-04-03 Thread dj
I'm setting up LLQ over hub-'n-spoke frame-relay WAN and want to use the
following funky looking access-list to mark voice packets for the high
priority queue.  This access-list logically works, but my question is:
Is this legal?
access-list 101 permit ip any 10.10.X.201 0.0.255.248 precedence
critical

I have 8 IP phones at each remote site starting at 4th octet IP address
of 201 (thru 208).
Each remote site is on a class C network, where the 3rd octet IP address
labeled X is designated as the site location.
eg: 10.10.1.0/24 is site 1;  10.10.2.0/24 is site 2;10.10.3.0/24 is
site 3,  etc.

Will the IOS allow this non-conventional access-list to work per my
intentions?

regards,
dj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66769&t=66769
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
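A worked check of what that entry actually matches, as an added example that is not from dj's post or from Cisco documentation. It uses Python's ipaddress module, treats the site octet X as 0 (the third octet is don't-care under 0.0.255 anyway), and uses dj's host octet 201 and an arbitrary site number. In an IOS wildcard a 0 bit means "must match" and a 1 bit means "don't care", so 0.0.255.248 fixes only the low three bits of the last octet; the example also evaluates 0.0.255.7, the wildcard that pins the high five bits instead (that wildcard is not in the post), and shows the address IOS stores after zeroing the don't-care bits:

```python
import ipaddress


def wildcard_match(entry_addr: str, wildcard: str, target: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match the
    corresponding bit of entry_addr; a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    t = int(ipaddress.IPv4Address(target))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (t & care)


def normalized_entry(entry_addr: str, wildcard: str) -> str:
    """The address IOS keeps in the ACL: don't-care bits zeroed."""
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF))


def matched_last_octets(entry_addr: str, wildcard: str, site: int) -> list:
    """Last octets of every address in 10.10.<site>.0/24 the entry matches
    (site is an assumed example value; dj's scheme uses one /24 per site)."""
    net = ipaddress.IPv4Network(f"10.10.{site}.0/24")
    return [int(h) & 0xFF for h in net if wildcard_match(entry_addr, wildcard, str(h))]


if __name__ == "__main__":
    for wc in ("0.0.255.248", "0.0.255.7"):
        print(f"10.10.0.201 {wc} is stored as {normalized_entry('10.10.0.201', wc)} {wc}")
        print("  matched last octets at site 3:", matched_last_octets("10.10.0.201", wc, 3))
```

Run as written, the first wildcard matches last octets 1, 9, 17, ... 249 in every site (32 hosts per /24, none of them the phones), while 0.0.255.7 matches 200 through 207: 200 is included and 208 is not, because no single contiguous wildcard covers exactly 201 to 208. IOS accepts either entry without complaint, so the only way to know what a non-conventional wildcard marks for the priority queue is to compute it this way or read the normalized entry back from the running config.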


RE: Debug display to VTY [7:66762]

2003-04-03 Thread Robert Perez
Do a "show log"  and see if logging is disabled
You might need to do a "logging on"

-Original Message-
From: James Gosnold [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: Debug display to VTY [7:66762]

Um, probably a silly one for you all.

I have a 1721 router at either end of a leased line. I telnet into the
router and:

Router#debug serial int
Serial network interface debugging is on
Router#terminal monitor

And nothing. Shouldn't I get some debug messages here, keepalives and such
between the CSU and my router? It's a live connection and the line works, as
far as I knew this was all I needed to enter to view debug output from a
telnet session? In fact I don't appear to be getting debug output for
anything so I'm missing something silly here but I thought 'terminal
monitor' was sufficient?

Regards, James.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66771&t=66762
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Hybrid vs. Native [7:66766]

2003-04-03 Thread DeVoe, Charles (PKI)
We have a 6509 and I have heard talk about native vs. Hybrid mode of
operation.  What is the difference?  Is there a link to a white paper or
something?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66766&t=66766
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: IP route to Null0? [7:66755]

2003-04-03 Thread MADMAN
Sloppy!? why??

   Dave

Karsten wrote:
> Either a sloppy way to drop traffic for a /24, or bgp
> summarization using null routing.
> 
> -Karsten
> 
> On Thursday 03 April 2003 07:40 am, Anil Gupte wrote:
> 
>>I am trying to understand some IP route commands on our router.  Several of
>>them go to Null0 - what does that mean?
>>
>>For example, I have
>>ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200
>>
>>What is this doing?
>>
>>I need to add another block of class Cs from the same provider. Do I need
>>a similar statement to the above?
>>
>>Thanx for your help.
>>Anil Gupte
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"I would rather have a German division in front of me than a French one 
behind me."
--- General George S. Patton




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66773&t=66755
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
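As an added illustration, not from the thread, here is a small Python model of the lookup a router performs once a route like the one Anil quotes is installed. The table is constructed: the /24 points at Null0 with administrative distance 200, the way the quoted command does, and two more specific routes stand in for prefixes learned from an IGP. Prefixes and next hops are documentation addresses chosen for the example. Longest prefix wins, so hosts covered by the specifics are forwarded normally, addresses in the unused part of the /24 are discarded rather than following a default route back out (which is what makes the Null0 route a safe summary for BGP, since the /24 then exists in the routing table), and a static for the same /24 with a lower distance would replace the Null0 entry:

```python
import ipaddress

# Constructed routing table (example data, not from the post). Each entry is
# (prefix, next hop, administrative distance); "Null0" is the discard interface.
ROUTES = [
    ("192.0.2.0/24",   "Null0",    200),  # floating static summary, AD 200 as in the post
    ("192.0.2.0/25",   "10.0.0.1", 90),   # more specific, e.g. learned via EIGRP
    ("192.0.2.128/26", "10.0.0.2", 110),  # more specific, e.g. learned via OSPF
]


def best_route(routes, dst):
    """Return (prefix, next_hop) for dst. The longest matching prefix wins;
    among equal-length prefixes the lowest administrative distance wins,
    which is how IOS decides which source's route to install."""
    d = ipaddress.IPv4Address(dst)
    matching = [(ipaddress.IPv4Network(p), nh, ad) for p, nh, ad in routes
                if d in ipaddress.IPv4Network(p)]
    if not matching:
        return None
    net, nh, _ = max(matching, key=lambda r: (r[0].prefixlen, -r[2]))
    return (str(net), nh)


def forwarding_decision(routes, dst):
    """Human-readable outcome: forward, discard (Null0) or no route."""
    r = best_route(routes, dst)
    if r is None:
        return "no route"
    prefix, nh = r
    if nh == "Null0":
        return f"discard ({prefix})"
    return f"forward via {nh} ({prefix})"


if __name__ == "__main__":
    for dst in ("192.0.2.10", "192.0.2.130", "192.0.2.200", "198.51.100.1"):
        print(dst, "->", forwarding_decision(ROUTES, dst))
```

Traffic to 192.0.2.200 is dropped only because nothing more specific claims it; the moment a /25 or /26 covering that address is learned, the Null0 entry stops mattering for it. That is the difference between "a sloppy way to drop a /24" and a deliberate discard route under an aggregate.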


RE: hacking challenge [7:66720]

2003-04-03 Thread Wilmes, Rusty
there's an access list on the ethernet interface thats directly connected to
a dsl modem.

they're allowing telnet and smtp to basically, any any plus various other
protocols from/to specific addresses.  There're only two outside addresses
that are natted but it's really hideous and the access list is the only thing
resembling a layer of security between the internet and their server farm.  

I was just hoping to hear some really good verbiage about how vulnerable they
are.  I've told them for 3 months to get a pix but it just ain't sinking in.
Now they've got a worm loose on their mail server that's bringing down their
main host system and their internet line (but that's another story).



> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> 
> Wilmes, Rusty wrote:
> > 
> > this is a general question for the security specialists.
> > 
> > Im trying to convince a client that they need a firewall
> > 
> > so hypothetically, 
> > 
> > if you had telnet via the internet open to a router (with an
> > access list
> > that allowed smtp and telnet) (assuming you didn't know the
> > telnet password
> > or the enable password)that had a bunch of nt servers on
> > another interface,
> 
> Do you actually mean that you are allowing Telnet and SMTP to 
> go through the
> router? You said "to" above which is confusing. Allowing Telnet to the
> router unrestricted would be a horrible security hole, even 
> for people who
> don't know the password because passwords are often guessable.
> 
> But I don't think that's what you meant...
> 
> Allowing Telnet and SMTP through the router is more common, 
> especially SMTP.
> You have to allow SMTP if you have an e-mail server that gets 
> mail from the
> outside world. Avoid Telnet, though, if you can. It sends all 
> text as clear
> text, including passwords.
> 
> The question is really how vulnerable is the operating system 
> that the SMTP
> server is running on? It's probably horribly vulnerable if your client
> hasn't kept up with the latest patches, and it sounds like 
> your client is
> the type that hasn't? In fact, the server is probably busy 
> attacking the
> rest of us right now! ;-0
> 
> So, as far as convincing your customer
> 
> The best way may be to put a free firewall, like Zone Alarm, 
> on the decision
> maker's computer and show her/him all the attacks happening 
> all the time. Or
> if she already has a firewall, walk her through the log.
> 
> Good luck. I have a good book to recommend on this topic:
> 
> Greenberg, Eric. "Mission-Critical Security Planner." New 
> York, New York,
> Wiley Publishing, Inc., 2003.
> 
> Here's an Amazon link:
> 
> http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
> inc/104-9901005-4572707
> 
> Priscilla
> 
> > how long would it take a determined hacker a) to cause some kind
> > of network
> > downtime and b) to map a network drive to a share on a file
> > server over the
> > internet. 
> > 
> > Thanks,
> > Rusty
> > 
> > > -Original Message-
> > > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, April 02, 2003 1:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: VLAN loop problem [7:66656]
> > > 
> > > 
> > > Yes,
> > > it prevents loops in spanning tree on layer 2 switches from 
> > > causing a loop
> > > by disabling the port on a cisco switch...
> > > 
> > > 
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> > > 
> > > 
> > > 
> > > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > Thomas N.
> > > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: VLAN loop problem [7:66656]
> > > >
> > > >
> > > > What does "portfast bpdu-guard" do?  Does it prevent
> > interfaces with
> > > > portfast enabled from causing the loop in my scenario?
> > > >
> > > >
> > > > ""Larry Letterman""  wrote in message
> > > > news:[EMAIL PROTECTED]
> > > >
> > > > > port mac address security might work, although it's a lot of
> > admin
> > > > > overhead..are you running portfast bpdu-guard on the
> > access ports?
> > > > >
> > > > >
> > > > > Larry Letterman
> > > > > Network Engineer
> > > > > Cisco Systems
> > > > >
> > > > >
> > > > >   - Original Message -
> > > > >   From: Thomas N.
> > > > >   To: [EMAIL PROTECTED]
> > > > >   Sent: Tuesday, April 01, 2003 8:14 PM
> > > > >   Subject: VLAN loop problem [7:66656]
> > > > >
> > > > >
> > > > >   Hi All,
> > > > >
> > > > >   I got a problem in the production campus LAN here
> > between
> > > > VLANs.  Please
> > > > >   help me out!  Below is the scenario:
> > > > >
> > > > >   We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x)
> > subnets.
> > > > Routing is
> > > > >   enable/allowed between the two subnets using MSFC of 
> > > the 6500.  Each
> > > > subnet
> > > > >

RE: Debug display to VTY [7:66762]

2003-04-03 Thread James Gosnold
Hi Robert,

This is what I have.

Router#show log
Syslog logging: enabled (0 messages dropped, 0 messages rate-l
Console logging: level debugging, 413770 messages logged
Monitor logging: level debugging, 285 messages logged
Logging to: vty6(0)
Buffer logging: disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 36 message lines logged


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66772&t=66762
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: NT domain access after connecting through VPN [7:66618]

2003-04-03 Thread Symon Thurlow
The Shiva client is pretty good, kicks off domain authentication after
the tunnel is up.

-Original Message-
From: Doug Korell [mailto:[EMAIL PROTECTED] 
Sent: 02 April 2003 19:06
To: [EMAIL PROTECTED]
Subject: Re: NT domain access after connecting through VPN [7:66618]


Thanks for your input. I'm looking around at other vendors to see what
they offer with this. One thing I don't like with the PIX vpn is the
lack of logging capabilities. I want to know when someone logged in, when
they logged out, where they went, etc. I'm looking at the concentrators
but don't remember seeing this. As far as I can see, AAA can do some of
this but you have to use http, ftp, or telnet.
=

 This email has been content filtered and
 subject to spam filtering. If you consider
 this email is unsolicited please forward
 the email to [EMAIL PROTECTED] and
 request that the sender's domain be
 blocked from sending any further emails.

=



=




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66776&t=66618
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: IOS Download to the new flash [7:66739]

2003-04-03 Thread Symon Thurlow
Can you format flash in a 3600?

-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED] 
Sent: 03 April 2003 10:49
To: [EMAIL PROTECTED]
Subject: RE: IOS Download to the new flash [7:66739]


Looks like a bad flash card..try another flash card..
if it won't erase correctly, I don't think it will copy the file and 
be usable...

 
Larry Letterman
Network Engineer
Cisco Systems
 
 
 


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Mamoon Dawood
> Sent: Thursday, April 03, 2003 12:36 AM
> To: [EMAIL PROTECTED]
> Subject: IOS Download to the new flash [7:66739]
> 
> 
> Dear All,
> 
> While trying to download an IOS to the new (Clear) flash of a 3662 
> router using the xmodem method, and after finishing the download and 
> reload, we got the following message,
> 
> 
> device does not contain a valid magic number
> boot: cannot open "flash:"
> boot: cannot determine first file name on device "flash:"
> 
> 
> 
> Erasing flash at 0x3000sector erase failed at location 0x3000,
> status 0x 20202020
> 
> 
> Please advise what we should do to download the IOS,
> 
> Thanks,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66777&t=66739
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: Debug display to VTY [7:66762]

2003-04-03 Thread Nate
conf t
logging console
- Original Message -
From: "James Gosnold" 
To: 
Sent: Thursday, April 03, 2003 9:37 AM
Subject: Debug display to VTY [7:66762]


> Um, probably a silly one for you all.
>
> I have a 1721 router at either end of a leased line. I telnet into the
> router and:
>
> Router#debug serial int
> Serial network interface debugging is on
> Router#terminal monitor
>
> And nothing. Shouldn't I get some debug messages here, keepalives and
such
> between the CSU and my router? It's a live connection and the line works,
as
> far as I knew this was all I needed to enter to view debug output from a
> telnet session? In fact I don't appear to be getting debug output for
> anything so I'm missing something silly here but I thought 'terminal
> monitor' was sufficient?
>
> Regards, James.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66775&t=66762
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: Debug display to VTY [7:66762]

2003-04-03 Thread Robert Perez
It looks good to me,
All that is necessary is the following:

Logging on 
Logging monitor debug
Term mon (Each time you telnet in)
Debug 
Traffic to your telnet session should now be generated.

-Original Message-
From: James Gosnold [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 1:47 PM
To: [EMAIL PROTECTED]
Subject: RE: Debug display to VTY [7:66762]

Hi Robert,

This is what I have.

Router#show log
Syslog logging: enabled (0 messages dropped, 0 messages rate-l
Console logging: level debugging, 413770 messages logged
Monitor logging: level debugging, 285 messages logged
Logging to: vty6(0)
Buffer logging: disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 36 message lines logged




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66779&t=66762
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: Hybrid vs. Native [7:66766]

2003-04-03 Thread Joseph Brunner
HYBRID, Especially for someone like you who needs uptime/redundancy.

In hybrid, if the MSFC dies, you don't lose the whole switch,
just intervlan routing, etc. You can still telnet to the supervisor
engine to get in and find out what's up.

In native the whole switch dies and you're burned.

Cisco's answer- buy two sup2/msfc2/pfc2 boards and run high
availability.. No thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66780&t=66766
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: hacking challenge [7:66720]

2003-04-03 Thread Symon Thurlow
This prompts me to say something about a comment from a previous poster
about how vulnerable Windows is compared to Linux/xBSD etc

I see many, many vulnerability alerts weekly for *nix based systems.
Probably just as many as you see for Windows.

You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched. 

I suggest that you go to some firewall vendor sites and plagiarise a bit
of marketing guff if you want to sell the firewall idea to a sceptic,
although just plonking a firewall in front of your unpatched sendmail
server won't achieve a great deal.

My 2c, YMMV

Symon



-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: 03 April 2003 20:05
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]


there's an access list on the ethernet interface thats directly
connected to a dsl modem.

they're allowing telnet and smtp to basically, any any plus various
other protocols from/to specific addresses.  There're only two outside
addresses that are natted but it's really hideous and the access list is
the only thing resembling a layer of security between the internet and
their server farm.  

I was just hoping to hear some really good verbiage about how vulnerable
they are.  I've told them for 3 months to get a pix but it just ain't
sinking in. Now they've got a worm loose on their mail server that's
bringing down their main host system and their internet line (but that's
another story).



> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> 
> Wilmes, Rusty wrote:
> > 
> > this is a general question for the security specialists.
> > 
> > Im trying to convince a client that they need a firewall
> > 
> > so hypothetically,
> > 
> > if you had telnet via the internet open to a router (with an access 
> > list that allowed smtp and telnet) (assuming you didn't know the
> > telnet password
> > or the enable password)that had a bunch of nt servers on
> > another interface,
> 
> Do you actually mean that you are allowing Telnet and SMTP to
> go through the
> router? You said "to" above which is confusing. Allowing Telnet to the
> router unrestricted would be a horrible security hole, even 
> for people who
> don't know the password because passwords are often guessable.
> 
> But I don't think that's what you meant...
> 
> Allowing Telnet and SMTP through the router is more common,
> especially SMTP.
> You have to allow SMTP if you have an e-mail server that gets 
> mail from the
> outside world. Avoid Telnet, though, if you can. It sends all 
> text as clear
> text, including passwords.
> 
> The question is really how vulnerable is the operating system
> that the SMTP
> server is running on? It's probably horribly vulnerable if your client
> hasn't kept up with the latest patches, and it sounds like 
> your client is
> the type that hasn't? In fact, the server is probably busy 
> attacking the
> rest of us right now! ;-0
> 
> So, as far as convincing your customer
> 
> The best way may be to put a free firewall, like Zone Alarm,
> on the decision
> maker's computer and show her/him all the attacks happening 
> all the time. Or
> if she already has a firewall, walk her through the log.
> 
> Good luck. I have a good book to recommend on this topic:
> 
> Greenberg, Eric. "Mission-Critical Security Planner." New
> York, New York,
> Wiley Publishing, Inc., 2003.
> 
> Here's an Amazon link:
> 
> http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
> inc/104-9901005-4572707
> 
> Priscilla
> 
> > how long would it take a determined hacker a) to cause some kind of 
> > network downtime and b) to map a network drive to a share on a file
> > server over the
> > internet. 
> > 
> > Thanks,
> > Rusty
> > 
> > > -Original Message-
> > > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, April 02, 2003 1:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: VLAN loop problem [7:66656]
> > > 
> > > 
> > > Yes,
> > > it prevents loops in spanning tree on layer 2 switches from
> > > causing a loop
> > > by disabling the port on a cisco switch...
> > > 
> > > 
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> > > 
> > > 
> > > 
> > > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > Thomas N.
> > > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: VLAN loop problem [7:66656]
> > > >
> > > >
> > > > What does "portfast bpdu-guard" do?  Does it prevent
> > interfaces with
> > > > portfast enabled from causing the loop in my scenario?
> > > >
> > > >
> > > > ""Larry Letterman""  wrote in message 
> > > > news:[EMAIL PROTECTED]
> > > >
> > > > > port
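An added example for this thread, written by the editor rather than taken from any of the posts: a first-match evaluator that runs the same constructed packets through an ACL shaped like the one Rusty describes (Telnet and SMTP permitted any to any) and through a tightened version. The tightened entries are an assumption for illustration, with 203.0.113.0/24 standing in for the NATted public block, 203.0.113.25 for the mail relay and 198.51.100.7 for an outside host; SMTP is allowed only to the relay, which is the one service Priscilla notes must be reachable, and Telnet is not allowed in from the Internet at all, since it carries passwords in clear text:

```python
import ipaddress


def wc_match(entry, wildcard, ip):
    """IOS wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(entry)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


ANY = ("0.0.0.0", "255.255.255.255")

# Entries: (action, protocol, (src, src_wildcard), (dst, dst_wildcard), dst_port or None).
# Constructed from Rusty's description: Telnet and SMTP permitted any -> any.
WEAK_ACL = [
    ("permit", "tcp", ANY, ANY, 23),
    ("permit", "tcp", ANY, ANY, 25),
]

# Constructed tightened version (assumed addresses): SMTP only to the mail relay,
# nothing else from the Internet, so the implicit deny covers Telnet and the servers.
HARDENED_ACL = [
    ("permit", "tcp", ANY, ("203.0.113.25", "0.0.0.0"), 25),
]


def evaluate(acl, proto, src, dst, dport):
    """The first matching entry decides; an IOS ACL ends in an implicit 'deny ip any any'."""
    for action, p, (sa, sw), (da, dw), port in acl:
        if p not in (proto, "ip"):
            continue
        if not wc_match(sa, sw, src) or not wc_match(da, dw, dst):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


# Constructed packets arriving on the Internet-facing interface: (label, proto, src, dst, dport)
SAMPLE_PACKETS = [
    ("telnet to file server", "tcp", "198.51.100.7", "203.0.113.10", 23),
    ("smtp to mail relay",    "tcp", "198.51.100.7", "203.0.113.25", 25),
    ("smtp to file server",   "tcp", "198.51.100.7", "203.0.113.10", 25),
    ("telnet to router",      "tcp", "198.51.100.7", "203.0.113.1", 23),
]


def compare(packets=SAMPLE_PACKETS):
    """Map each packet label to (weak ACL verdict, hardened ACL verdict)."""
    return {label: (evaluate(WEAK_ACL, *rest), evaluate(HARDENED_ACL, *rest))
            for label, *rest in packets}


if __name__ == "__main__":
    for label, (weak, hard) in compare().items():
        print(f"{label:24s} weak={weak:6s} hardened={hard}")
```

The weak list permits every sample packet, including Telnet to the router itself and SMTP straight to a file server, while the tightened list permits only mail to the relay. A real inbound list on that interface also needs entries for return traffic of connections opened from inside (the `established` keyword, or a stateful firewall such as the PIX Rusty is proposing), which is exactly the part a plain interface ACL does poorly.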

Re: Hybrid vs. Native [7:66766]

2003-04-03 Thread MADMAN
DeVoe, Charles (PKI) wrote:
 > We have a 6509 and I have heard talk about native vs. Hybrid mode of
 > operation.  What is the difference?  Is there a link to a white paper or
 > something?
   That question comes up periodically, but in a nutshell a 6500 in 
native mode is a big router: no CatOS commands, and if you are familiar 
with 2900/3500 switch commands the native switch layer 2 stuff will be 
familiar, and of course the L3 commands are your regular old IOS 
commands.  Here is a snapshot of a 6506 running native:

Native6506#sh ha
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 04-Sep-02 18:45 by eaarmas
Image text-base: 0x40008C00, data-base: 0x41A68000

ROM: System Bootstrap, Version 12.1(4r)E, RELEASE SOFTWARE (fc1)
BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Native6506 uptime is 5 weeks, 2 days, 43 minutes
Time since Native6506 switched to active is 5 weeks, 2 days, 42 minutes
System returned to ROM by power-on (SP by power-on)
System image file is "slot0:c6sup12-js-mz.121-13.E.bin"

cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
Processor board ID SAD05020HUX
R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
8 Virtual Ethernet/IEEE 802.3  interface(s)
120 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.

16384K bytes of Flash internal SIMM (Sector size 512K).
Standby is up
Standby has 112640K/18432K bytes of memory.

Configuration register is 0x2102

Native6506#

Native6506#sh conf
Using 8789 out of 391160 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Native6506
!
boot system flash slot0:c6sup12-js-mz.121-13.E.bin
boot bootldr bootflash:c6msfc2-boot-mz.121-4.E1
no logging console
enable password cisco
!
ip subnet-zero
!
!
ip tcp intercept mode watch
no ip domain-lookup
!
mls flow ip destination
mls flow ipx destination
!
redundancy
  mode rpr-plus
  main-cpu
   auto-sync running-config
   auto-sync standard
!
!
!
interface Port-channel1
  no ip address
  switchport
  switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/1
  no ip address
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 64
!
interface GigabitEthernet1/2
  no ip address
  shutdown
!
interface FastEthernet3/1
  no ip address
  duplex full
  speed 100
  switchport
  switchport access vlan 301
  switchport trunk encapsulation dot1q
  switchport mode trunk
!
interface FastEthernet3/2
  ip address 121.1.1.2 255.255.255.0
  duplex full
  speed 100
!
interface FastEthernet3/3
  ip address 30.1.1.1 255.255.255.0
  ip access-group 199 in
  duplex half
  speed 100
!
interface FastEthernet3/4
  no ip address
  duplex half
  speed 10
  switchport
  switchport access vlan 304
  switchport mode access
!
interface Vlan1
  no ip address
  shutdown
!
interface Vlan64
  ip address 172.28.64.23 255.255.255.0
!
interface Vlan302
  ip address 79.79.79.1 255.255.255.0
  ip access-group 199 in
!
interface Vlan303
  ip address 99.13.13.1 255.255.255.0
  shutdown
!
interface Vlan304
  ip address 79.79.80.1 255.255.255.0
!
interface Vlan305
  ip address 99.15.15.1 255.255.255.0
  shutdown
!
interface Vlan306
  no ip address
  shutdown
!
interface Vlan307
  no ip address
!
router eigrp 1
  network 172.28.0.0
  no auto-summary
  eigrp log-neighbor-changes
!
router eigrp 100
  network 99.0.0.0
  no auto-summary
  no eigrp log-neighbor-changes
!
ip classless
no ip http server




-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"I would rather have a German division in front of me than a French one 
behind me."
--- General George S. Patton




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66782&t=66766
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: Hybrid vs. Native [7:66766]

2003-04-03 Thread DeVoe, Charles (PKI)
So if I read this right, it is just a different set of commands.  Are there
operational differences?

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2003 3:44 PM
To: DeVoe, Charles (PKI)
Cc: [EMAIL PROTECTED]
Subject: Re: Hybrid vs. Native [7:66766]


DeVoe, Charles (PKI) wrote:
 > We have a 6509 and I have heard talk about native vs. Hybrid mode of
 > operation.  What is the difference?  Is there a link to a white paper or
 > something?
   That question comes up periodically, but in a nutshell a 6500 in 
native mode is a big router: no CatOS commands, and if you are familiar 
with 2900/3500 switch commands the native switch layer 2 stuff will be 
familiar, and of course the L3 commands are your regular old IOS 
commands.  Here is a snapshot of a 6506 running native:

Native6506#sh ha
Cisco Internetwork Operating System Software
IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 04-Sep-02 18:45 by eaarmas
Image text-base: 0x40008C00, data-base: 0x41A68000

ROM: System Bootstrap, Version 12.1(4r)E, RELEASE SOFTWARE (fc1)
BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Native6506 uptime is 5 weeks, 2 days, 43 minutes
Time since Native6506 switched to active is 5 weeks, 2 days, 42 minutes
System returned to ROM by power-on (SP by power-on)
System image file is "slot0:c6sup12-js-mz.121-13.E.bin"

cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
Processor board ID SAD05020HUX
R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
8 Virtual Ethernet/IEEE 802.3  interface(s)
120 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.

16384K bytes of Flash internal SIMM (Sector size 512K).
Standby is up
Standby has 112640K/18432K bytes of memory.

Configuration register is 0x2102

Native6506#

Native6506#sh conf
Using 8789 out of 391160 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Native6506
!
boot system flash slot0:c6sup12-js-mz.121-13.E.bin
boot bootldr bootflash:c6msfc2-boot-mz.121-4.E1
no logging console
enable password cisco
!
ip subnet-zero
!
!
ip tcp intercept mode watch
no ip domain-lookup
!
mls flow ip destination
mls flow ipx destination
!
redundancy
  mode rpr-plus
  main-cpu
   auto-sync running-config
   auto-sync standard
!
!
!
interface Port-channel1
  no ip address
  switchport
  switchport trunk encapsulation dot1q
!
interface GigabitEthernet1/1
  no ip address
  switchport
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 64
!
interface GigabitEthernet1/2
  no ip address
  shutdown
!
interface FastEthernet3/1
  no ip address
  duplex full
  speed 100
  switchport
  switchport access vlan 301
  switchport trunk encapsulation dot1q
  switchport mode trunk
!
interface FastEthernet3/2
  ip address 121.1.1.2 255.255.255.0
  duplex full
  speed 100
!
interface FastEthernet3/3
  ip address 30.1.1.1 255.255.255.0
  ip access-group 199 in
  duplex half
  speed 100
!
interface FastEthernet3/4
  no ip address
  duplex half
  speed 10
  switchport
  switchport access vlan 304
  switchport mode access
!
interface Vlan1
  no ip address
  shutdown
!
interface Vlan64
  ip address 172.28.64.23 255.255.255.0
!
interface Vlan302
  ip address 79.79.79.1 255.255.255.0
  ip access-group 199 in
!
interface Vlan303
  ip address 99.13.13.1 255.255.255.0
  shutdown
!
interface Vlan304
  ip address 79.79.80.1 255.255.255.0
!
interface Vlan305
  ip address 99.15.15.1 255.255.255.0
  shutdown
!
interface Vlan306
  no ip address
  shutdown
!
interface Vlan307
  no ip address
!
router eigrp 1
  network 172.28.0.0
  no auto-summary
  eigrp log-neighbor-changes
!
router eigrp 100
  network 99.0.0.0
  no auto-summary
  no eigrp log-neighbor-changes
!
ip classless
no ip http server




-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"I would rather have a German division in front of me than a French one 
behind me."
--- General George S. Patton




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66784&t=66766
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: CCNP Recertification Exam Review [7:66644]

2003-04-03 Thread Scott Roberts
thanks for the advice. seems like very good and concise info!

I have to laugh though, I started my ccnp over two years ago, passing three
of the four tests and then got caught up in work related projects (damn
work!) and put my certifications on the back burner. the funny thing is, my
ccna was about to expire in less than a month, so I took my final ccnp test
(CIT) and renewed my ccna at the same time. it almost seems like you can
find a way to work the system; I was kinda even hoping that ccie would renew
my ccnp/ccna and then I could wait the three years, complete that, and then
forget about the renewal issue altogether.

scott

""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]
> The CCNP Recertification Exam was gruelling, and that's no April Fool's
> joke. But I survived it! ;-)
>
> Exam number: 640-851 (the current one)
> Number of questions: 112
> Time: 2 hours
> Passing Score 732
> My score: 834
>
> Is anyone else taking it soon? Here's some advice:
>
> Do study.
> Take each question one at a time.
> There's plenty of time.
> Despite some of the gruelling questions, there are some give-aways too.
> Read carefully.
> Don't guess unless you absolutely have to.
> BREATHE! ;-)
>
> There's a variety of question types, including one right answer, multiple
> right answers (they tell you how many), drag-and-drop, type in the command,
> select a command from a list, and that new simulator thingie that Cisco uses.
>
> One reason the test is so hard is that it covers so many topics, in quite a
> lot of depth. After a while, your brain gets fried and you forget, is it
> OSPF that considers a high priority a good thing (for DR election) or is it STP
> that considers a high priority a good thing (for root bridge election?)
> (It's OSPF). And with OSPF, does a 0 in a mask mean "must match" like in
> access lists or does it mean "don't care" like in static routes (and OSPF
> range commands?!) (0 means must match in OSPF network statements.)
>
> Those things may seem obvious, but by about question 72, you start to get
> confused, if you're like me. You just have to relax and realize that you DO
> know this stuff. Don't let your brain get into a Mobius strip like mine
> almost did.
>
> The good news is that the questions from the different qualifying tests are
> not merged. It's very clear when you move between the following tests:
>
> Routing:
> It's based on BSCI actually, not Routing, and is quite hard. Know your BGP,
> OSPF, and IS-IS. I used Doyle and papers at CertificationZone. You won't be
> able to just use books that you read when you passed 3 years ago.
>
> Support:
> This didn't seem to have changed. So you could use the Cisco Press CIT book,
> but there is a new resource available too. (Troubleshooting Campus Networks.
> :-)
>
> Remote Access:
> This didn't seem to have changed. The Cisco Press book edited by Catherine
> Pacquet is still an excellent resource. Yes, you may encounter BCRAN
> questions from last millennium's technologies and products.
>
> Switching:
> This had changed. So know the topics listed for the latest version. I'm not
> sure what you should study. I guess the official BCMSN book? I studied with
> Cisco LAN Switching, by Clark and Hamilton, which is excellent, but I still
> couldn't answer a lot of the questions. I suspect you need a lesser book so
> you know all Cisco's latest misconceptions about LAN technologies. ;-)
>
> For the switching exam, know your stuff because some of the questions are
> unanswerable by anyone with a logical brain. You'll get things like: Which 3
> statements are true?
>
> IEEE 802.3
> FDDI
> SONET
> Gigabit Ethernet
>
> Notice, the answers aren't statements! ARGH.
>
> Finally a word about CertificationZone. I have written troubleshooting
> guides for them but am no longer compensated by them, so I hope you won't
> think this is biased. Their papers were extremely helpful. Also they have
> practice exams for BSCI, Support, BCRAN, and Switching. The practice exams
> are very helpful, with one exception: SWITCHING! (The bane of my existence.)
> Their switching exam covers too many topics that aren't on the current exam.
>
> Well, that's all for now. I'm just happy to be certifiable for another 3
> years.
>
> ___
>
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66781&t=66644


RE: Hybrid vs. Native [7:66766]

2003-04-03 Thread Kaminski, Shawn G
I was just reading about this the other day and book-marked this link (watch
for wrap):

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801350b8.shtml

Shawn K.


-Original Message-
From: DeVoe, Charles (PKI) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 1:19 PM
To: [EMAIL PROTECTED]
Subject: Hybrid vs. Native [7:66766]

We have a 6509 and I have heard talk about native vs. Hybrid mode of
operation.  What is the difference?  Is there a link to a white paper or
something?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66783&t=66766


Re: Access-List Usage: Can I do this?? [7:66769]

2003-04-03 Thread Bill
should work fine.

You can also test this out by sending a constant data stream via ftp or
something and then start a voice conversation.

""dj""  wrote in message
news:[EMAIL PROTECTED]
> I'm setting up LLQ over hub-'n-spoke frame-relay WAN and want to use the
> following funky looking access-list to mark voice packets for the high
> priority queue.  This access-list logically works, but my question is:
> Is this legal?
> access-list 101 permit ip any 10.10.X.201 0.0.255.248 precedence
> critical
>
> I have 8 IP phones at each remote site starting at 4th octet IP address
> of 201 (thru 208).
> Each remote site is on a class C network, where the 3rd octet IP address
> labeled X is designated as the site location.
> eg: 10.10.1.0/24 is site 1;  10.10.2.0/24 is site 2;10.10.3.0/24 is
> site 3,  etc.
>
> Will the IOS allow this non-conventional access-list to work per my
> intensions?
>
> regards,
> dj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66785&t=66769
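The safest way to settle "is this legal and does it do what I intend" for a wildcard-mask entry is to evaluate it the way IOS does: a 1 bit in the wildcard means "don't care", a 0 bit means "must match". The block below is an added example (my code, not dj's or Bill's configuration) that parses the posted entry and tests constructed addresses against it. The site octet X is written as 0, which is harmless because the wildcard's third octet is 255; 10.10.1.0/24 and the 192.0.2.x source are constructed sample values. Running it shows that 0.0.255.248 fixes the low three bits of the last octet, so the entry matches .1, .9, .17, ... .249 in every site subnet rather than .201 through .208, and that .201-.208 is not a size-aligned block, so no single wildcard can cover exactly those eight hosts. An LLQ marking entry that matches the wrong hosts silently gives priority treatment to non-voice traffic, which is worth catching before it reaches a hub router.

```python
"""Cisco wildcard-mask evaluation (added example, constructed inputs).

IOS access-list semantics: a 1 bit in the wildcard means "don't care",
a 0 bit means "must match the corresponding bit of the base address".
"""
from __future__ import annotations

import ipaddress
from typing import Optional


def ip_to_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base/wildcard under IOS wildcard semantics."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF  # bits that must match
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def matching_last_octets(base: str, wildcard: str, first_three: str) -> list:
    """Last octets h for which first_three.h (e.g. '10.10.1.h') matches."""
    return [h for h in range(256)
            if wildcard_match(f"{first_three}.{h}", base, wildcard)]


def wildcard_for_octet_range(first: int, last: int) -> Optional[str]:
    """Single last-octet wildcard covering exactly first..last, or None when
    the range is not a power-of-two block aligned to its own size (such a
    range needs more than one access-list entry)."""
    size = last - first + 1
    if size < 1 or size & (size - 1) or first % size:
        return None
    return str(size - 1)


def parse_extended_entry(line: str) -> dict:
    """Parse the subset 'access-list N permit|deny PROTO SRC DST [options]',
    where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an extended access-list entry: {line!r}")
    number, action, proto = tokens[1], tokens[2], tokens[3]
    rest = tokens[4:]

    def take(toks):
        if toks[0] == "any":                  # any == 0.0.0.0 255.255.255.255
            return ("0.0.0.0", "255.255.255.255"), toks[1:]
        if toks[0] == "host":                 # host X == X 0.0.0.0
            return (toks[1], "0.0.0.0"), toks[2:]
        return (toks[0], toks[1]), toks[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return {"number": number, "action": action, "protocol": proto,
            "src": src, "dst": dst, "options": rest}


def entry_matches(entry: dict, src_ip: str, dst_ip: str) -> bool:
    """Does a packet from src_ip to dst_ip hit this entry (addresses only)?"""
    return (wildcard_match(src_ip, *entry["src"])
            and wildcard_match(dst_ip, *entry["dst"]))


# The posted entry with the site octet X written as 0 (constructed instance;
# the wildcard's third octet is 255, so any site value matches anyway).
POSTED_ENTRY = ("access-list 101 permit ip any 10.10.0.201 0.0.255.248 "
                "precedence critical")

if __name__ == "__main__":
    entry = parse_extended_entry(POSTED_ENTRY)
    print("last octets matched in 10.10.1.0/24:",
          matching_last_octets(*entry["dst"], "10.10.1"))
    print(".201 matched:", entry_matches(entry, "192.0.2.10", "10.10.1.201"))
    print(".208 matched:", entry_matches(entry, "192.0.2.10", "10.10.1.208"))
    print("single wildcard for .201-.208:", wildcard_for_octet_range(201, 208))
    print("single wildcard for .200-.207:", wildcard_for_octet_range(200, 207))
```

The entry is syntactically legal; the mismatch is purely arithmetic. Phones numbered .200-.207 would be coverable by a wildcard of 0.0.255.7, while .201-.208 needs either renumbering or two entries.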


RE: hacking challenge [7:66720]

2003-04-03 Thread Evans, TJ (BearingPoint)
So ... doesn't that give them enough supporting evidence all by itself?
If not, maybe it is a lost cause?

As an aside - a pix, if it was permitting the offending port through as
well, may not have stopped the worm either.  Think "Defense in Depth".  A
firewall, while a necessity for -everyone- (IMHO) is not a cure-all; it is a
piece of a very large, very complex puzzle (even for a small network!).

..
Have someone in a Decision-making position there read "Hacking __(pick an os
- Windows2k, Linux, etc.)", or attend a SANS course (or just visit their
reading room - TONS of articles).  Read Eric Cole's or Ed Skoudis's books.
.. or, teach him/her to use google ... 


Thanks!
TJ
-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

there's an access list on the ethernet interface that's directly connected to
a dsl modem.

they're allowing telnet and smtp to basically, any any plus various other
protocols from/to specific addresses.  There're only two outside addresses
that are natted but it's really hideous and the access list is the only thing
resembling a layer of security between the internet and their server farm.

I was just hoping to hear some really good verbiage about how vulnerable they
are.  I've told them for 3 months to get a pix but it just ain't sinking in.
Now they've got a worm loose on their mail server that's bringing down their
main host system and their internet line (but that's another story).



> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> 
> Wilmes, Rusty wrote:
> > 
> > this is a general question for the security specialists.
> > 
> > Im trying to convince a client that they need a firewall
> > 
> > so hypothetically, 
> > 
> > if you had telnet via the internet open to a router (with an
> > access list
> > that allowed smtp and telnet) (assuming you didn't know the
> > telnet password
> > or the enable password)that had a bunch of nt servers on
> > another interface,
> 
> Do you actually mean that you are allowing Telnet and SMTP to 
> go through the
> router? You said "to" above which is confusing. Allowing Telnet to the
> router unrestricted would be a horrible security hole, even 
> for people who
> don't know the password because passwords are often guessable.
> 
> But I don't think that's what you meant...
> 
> Allowing Telnet and SMTP through the router is more common, 
> especially SMTP.
> You have to allow SMTP if you have an e-mail server that gets 
> mail from the
> outside world. Avoid Telnet, though, if you can. It sends all 
> text as clear
> text, including passwords.
> 
> The question is really how vulnerable is the operating system 
> that the SMTP
> server is running on? It's probably horribly vulnerable if your client
> hasn't kept up with the latest patches, and it sounds like 
> your client is
> the type that hasn't? In fact, the server is probably busy 
> attacking the
> rest of us right now! ;-0
> 
> So, as far as convincing your customer
> 
> The best way may be to put a free firewall, like Zone Alarm, 
> on the decision
> maker's computer and show her/him all the attacks happening 
> all the time. Or
> if she already has a firewall, walk her through the log.
> 
> Good luck. I have a good book to recommend on this topic:
> 
> Greenberg, Eric. "Mission-Critical Security Planner." New 
> York, New York,
> Wiley Publishing, Inc., 2003.
> 
> Here's an Amazon link:
> 
> http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
> inc/104-9901005-4572707
> 
> Priscilla
> 
> > how long would it take a determined hacker a) cause some kind
> > of network
> > downtime and b) to map a network drive to a share on a file
> > server over the
> > internet. 
> > 
> > Thanks,
> > Rusty
> > 
> > > -Original Message-
> > > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, April 02, 2003 1:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: VLAN loop problem [7:66656]
> > > 
> > > 
> > > Yes,
> > > it prevents loops in spanning tree on layer 2 switches from 
> > > causing a loop
> > > by disabling the port on a cisco switch...
> > > 
> > > 
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> > > 
> > > 
> > > 
> > > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > Thomas N.
> > > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: VLAN loop problem [7:66656]
> > > >
> > > >
> > > > What does "portfast bpdu-guard" do?  Does it prevent
> > interfaces with
> > > > portfast enabled from causing the loop in my scenario?
> > > >
> > > >
> > > > ""Larry Letterman""  wrote in message
> > > > news:[EMAIL PROTECTED]
> > > >
> > > > > port mac

Re: Computer for ISP [7:66736]

2003-04-03 Thread Scott Roberts
well georgeW,

your questions seem a little hidden. what are you asking? why an ISP would
need a server? for dns is the first example that comes to mind.

btw, 4 more?

scott

""George""  wrote in message
news:[EMAIL PROTECTED]
> A computer is to be purchased for an Internet Service Provider (ISP) that is
> to be used as one of the server at the network backbone. What may be the
> role of this server for the ISP?
>
> Can this server be put for other server related applications?
>
> What will be configuration of this server giving reason for selection of
> various components ( economically wise and performance wise )




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66793&t=66736


Re: IP route to Null0? [7:66755]

2003-04-03 Thread Scott Roberts
null0 is used as an alternative to access-lists. it is a blackhole. so
anything routed to it gets dropped automatically. an access-list uses more
processor overhead than a null interface and thus if you have a certain part
of your network that you don't want to go anywhere, then use a null
interface instead of access-lists.

as for why it's a floating route or the tie-ins to bgp, that's beyond me and
hopefully someone comments on this. bgp makes my head hurt.

scott

""Anil Gupte""  wrote in message
news:[EMAIL PROTECTED]
> I am trying to understand some IP route commands on our router.  Several of
> them go to Null0 - what does that mean?
>
> For example, I have
> ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200
>
> What is this doing?
>
> I need to add another block of class Cs from the same provider. Do I need
> a similar statement to the above?
>
> Thanx for your help.
> Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66790&t=66755


RE: IOS Download to the new flash [7:66739]

2003-04-03 Thread Larry Letterman
He appears to have done that..
the erase command is the format function for the 
3600 flash card...

 
Larry Letterman
Network Engineer
Cisco Systems
 
 
 


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Symon Thurlow
> Sent: Thursday, April 03, 2003 11:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: IOS Download to the new flash [7:66739]
> 
> 
> Can you format flash in a 3600?
> 
> -Original Message-
> From: Larry Letterman [mailto:[EMAIL PROTECTED] 
> Sent: 03 April 2003 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: IOS Download to the new flash [7:66739]
> 
> 
> Looks like a bad flash card..try another flash card..
> if it wont erase correctly, I dont think it will copy the file and 
> be usable...
> 
>  
> Larry Letterman
> Network Engineer
> Cisco Systems
>  
>  
>  
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> 
> > Mamoon Dawood
> > Sent: Thursday, April 03, 2003 12:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: IOS Download to the new flash [7:66739]
> > 
> > 
> > Dear All,
> > 
> > While trying to download an IOS to the new (Clear) flash of a 3662 
> > router using the xmodem method, and after finishing the download and 
> > reload, we got the following message,
> > 
> > 
> > device does not contain a valid magic number
> > boot: cannot open "flash:"
> > boot: cannot determine first file name on device "flash:"
> > 
> > 
> > 
> > Erasing flash at 0x3000sector erase failed at location 0x3000,
> 
> > status 0x 20202020
> > 
> > 
> > Please advise what we should do to download the IOS,
> > 
> > Thanks,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66788&t=66739


Re: A career in MPLS..... [7:66609]

2003-04-03 Thread ericbrouwers
If you really want to make big money, go for MPLampS:
http://www.ietf.org/internet-drafts/draft-bala-mplamps-04.txt

Very specialized, but big market,
:-)
Eric

- Original Message -
From: "nrf" 
To: 
Sent: Thursday, April 03, 2003 4:20 AM
Subject: Re: A career in MPLS. [7:66609]


> ""Cisco Nuts""  wrote in message
> news:[EMAIL PROTECTED]
> > Thank you so much for your enlightening reply!!
> >
> > And thank God I moved away from Novell to MS to Citrix and finally Cisco
> > and now onto MPLS...And thank God "it is a very specialized and small
> > market right now that is looking for MPLS experience"All the more
> > better to develop skills in MPLS as every Tom, Dick and Harry is either
> > just  routing or switching   ;- )
> >
> > Looks like MPLS is the way to go!!! Come'on Sprint.Let's get on with
> > the Show :-)
>
> Well, actually, I would temper my enthusiasm.  Like you said, MPLS is indeed
> a very small and specialized market, meaning there really aren't many jobs
> because there are so few implementations.  True, you might reply that there
> are also few people who know MPLS.  But almost all those MPLS are within the
> large carriers where if you want to be the MPLS engineer, you can't just
> know MPLS, you have to REALLY REALLY REALLY know it, with verifiable
> experience and/or published papers to boot.  Carriers aren't going to snap
> you up just because you may have read a book or took a 1-week class.  .
>
> >
> > >From: 
> > >Reply-To: 
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: A career in MPLS. [7:66609]
> > >Date: Wed, 2 Apr 2003 04:47:44 GMT
> > >
> > >Ah - MPLS. Yes there are several large carriers with MPLS deployed or in the
> > >process of deploying it (equant, global crossing...). Some on their core
> > >and some on their layer 2 networks such as ATM (AT&T for example).
> > >Others backed away from it but are now looking at it since it's a huge
> > >marketing beast that can't be ignored (Sprint for example).
> > >
> > >Aside from ISP's some large enterprises are using it for things like MPLS
> > >enabled VPN's. As to the market for someone that knows MPLS - what I
> > >have seen is it's a very specialized and small market right now that is
> > >looking for MPLS experience. Mostly due to it still being relatively new
> > >in deployments and being relatively small in the number of deployments.
> > >
> > >I do believe however after saying that - that it never hurts to have a
> > >wide background of skills. Imagine if you specialized in Novell and
> > >never moved into other areas for example. Novell is a great product but
> > >the market for Novell pro's dried up a lot from the good ole days. You
> > >would be much less marketable if you didn't also know other things such
> > >as Microsoft or Routing or ...
> > >
> > >I could go into my opinions of the pros and cons of MPLS and where
> > >I think it fits - but that's another boring story for later :)
> > >
> > >www.ccie4u.com
> > >
> > >On 1 Apr 2003 at 15:47, nrf wrote:
> > >> ""Cisco Nuts"" wrote in message
> > >> news:[EMAIL PROTECTED]
> > >> > Hello group, How does one feel about a career in MPLS...I mean doing MPLS
> > >> > as part of your core job day in and out.Is it worth it? Since our
> > >> > network does not use MPLS (maybe never will) inspite of being one of the
> > >> > Big Four Tier 1 SP's
> > >>
> > >> Let me guess. Do you work for Sprint?
> > >>
> > >> > are there other SP's that use MPLS in their backbone??
> > >>
> > >> Yeah, there are some.
> > >>
> > >> > I have just given myself a month or so break from my CCIE Lab
> > >> > Prep.(yeah!yeah! most would consider me stupid on this) to study MPLS
> > >> > for the CCIP and am thinking if I should pursue this subject just like I
> > >> > did for BGP.know it inside out cold.and maybe consider a new
> > >> > career/job in MPLS (obviously along with BGP, MBGP, MCast etc...) Does
> > >> > anyone know of how MPLS is viewed out there? I mean, in terms of
> > >> > implementation, popularity and last but not the least , $$$ ??? >;->Which
> > >> > of the Big SP's or Enterprise networks have implemented MPLS? Has it been
> > >> > worth the advantages that MPLS proposes??Thank you.Sincerely,CN
> > >>
> > >> The way I see it is this. MPLS is potentially powerful technology for it
> > >> can be used as a lingua-franca among a carrier's network and transport
> > >> layer and also as a way to impose circuit-switching discipline upon IP and
> > >> therefore offer circuit-switching services with a pure IP network.
> > >>
> > >> But MPLS is by no means a slam-dunk. Certain carriers, most notably
> > >> Sprint, have elected not to go down the MPLS path because they believe the
> > >> technology is immature (and they are correct) and also because they believe
> > >> that they can garner the benefits of MPLS by other means (also correct).
> > >> The point is that while MPLS offers great potential, it also presents
> > >> problems, so implementing it is not

RE: Hybrid vs. Native [7:66766]

2003-04-03 Thread Larry Letterman
Native means that the sup/msfc module is running IOS for the 
routing and switching, similar to the 3500 switches...

Hybrid indicates that the switch sup will run Cat-os for the switching
function and the msfc will run IOS for the routing functions...similar to 
a Cat5000 with the RSM...

 
Larry Letterman
Network Engineer
Cisco Systems
 
 
 


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> DeVoe, Charles (PKI)
> Sent: Thursday, April 03, 2003 10:19 AM
> To: [EMAIL PROTECTED]
> Subject: Hybrid vs. Native [7:66766]
> 
> 
> We have a 6509 and I have heard talk about native vs. Hybrid mode of
> operation.  What is the difference?  Is there a link to a white paper or
> something?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66791&t=66766


Re: hacking challenge [7:66720]

2003-04-03 Thread Scott Roberts
my company does a lot of firewall consulting and I run into this question
all the time. frankly I don't have a great answer for it though.

packet filters (i.e. access-lists) are technically first generation
firewalls, so they do have a firewall in place already.
the sell really comes into play when you state that first generation
firewalls aren't as robust and up-to-date as the latest third generation
firewalls and are open to concerted attacks. this usually they can
understand. trying to explain multilayer stateful inspection to them is
pointless, so don't even try.

probably the best thing you can do (as already suggested), is make sure your
acl is complete and anytime a security issue comes up point out the problem
as relates to no firewall. after about a year of you doing this, they'll
catch on and will budget it in eventually.

scott


""Wilmes, Rusty""  wrote in message
news:[EMAIL PROTECTED]
> there's an access list on the ethernet interface that's directly connected to
> a dsl modem.
>
> they're allowing telnet and smtp to basically, any any plus various other
> protocols from/to specific addresses.  There're only two outside addresses
> that are natted but it's really hideous and the access list is the only thing
> resembling a layer of security between the internet and their server farm.
>
> I was just hoping to hear some really good verbiage about how vulnerable they
> are.  I've told them for 3 months to get a pix but it just ain't sinking in.
> Now they've got a worm loose on their mail server that's bringing down their
> main host system and their internet line (but that's another story).
>
>
>
> > -Original Message-
> > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 03, 2003 8:46 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: hacking challenge [7:66720]
> >
> >
> > Wilmes, Rusty wrote:
> > >
> > > this is a general question for the security specialists.
> > >
> > > Im trying to convince a client that they need a firewall
> > >
> > > so hypothetically,
> > >
> > > if you had telnet via the internet open to a router (with an
> > > access list
> > > that allowed smtp and telnet) (assuming you didn't know the
> > > telnet password
> > > or the enable password)that had a bunch of nt servers on
> > > another interface,
> >
> > Do you actually mean that you are allowing Telnet and SMTP to
> > go through the
> > router? You said "to" above which is confusing. Allowing Telnet to the
> > router unrestricted would be a horrible security hole, even
> > for people who
> > don't know the password because passwords are often guessable.
> >
> > But I don't think that's what you meant...
> >
> > Allowing Telnet and SMTP through the router is more common,
> > especially SMTP.
> > You have to allow SMTP if you have an e-mail server that gets
> > mail from the
> > outside world. Avoid Telnet, though, if you can. It sends all
> > text as clear
> > text, including passwords.
> >
> > The question is really how vulnerable is the operating system
> > that the SMTP
> > server is running on? It's probably horribly vulnerable if your client
> > hasn't kept up with the latest patches, and it sounds like
> > your client is
> > the type that hasn't? In fact, the server is probably busy
> > attacking the
> > rest of us right now! ;-0
> >
> > So, as far as convincing your customer
> >
> > The best way may be to put a free firewall, like Zone Alarm,
> > on the decision
> > maker's computer and show her/him all the attacks happening
> > all the time. Or
> > if she already has a firewall, walk her through the log.
> >
> > Good luck. I have a good book to recommend on this topic:
> >
> > Greenberg, Eric. "Mission-Critical Security Planner." New
> > York, New York,
> > Wiley Publishing, Inc., 2003.
> >
> > Here's an Amazon link:
> >
> > http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
> > inc/104-9901005-4572707
> >
> > Priscilla
> >
> > > how long would it take a determined hacker a) cause some kind
> > > of network
> > > downtime and b) to map a network drive to a share on a file
> > > server over the
> > > internet.
> > >
> > > Thanks,
> > > Rusty
> > >
> > > > -Original Message-
> > > > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, April 02, 2003 1:44 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: VLAN loop problem [7:66656]
> > > >
> > > >
> > > > Yes,
> > > > it prevents loops in spanning tree on layer 2 switches from
> > > > causing a loop
> > > > by disabling the port on a cisco switch...
> > > >
> > > >
> > > > Larry Letterman
> > > > Network Engineer
> > > > Cisco Systems
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > > Thomas N.
> > > > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Re: VLAN loop problem [7:66656]
> > > > >
> > > > >
> > > > > What does "portfas

Re: IOS Download to the new flash [7:66739]

2003-04-03 Thread MADMAN
No.  But you can now delete individual files and squeeze the flash 
which is relatively new!!

   dave

Symon Thurlow wrote:
> Can you format flash in a 3600?
> 
> -Original Message-
> From: Larry Letterman [mailto:[EMAIL PROTECTED] 
> Sent: 03 April 2003 10:49
> To: [EMAIL PROTECTED]
> Subject: RE: IOS Download to the new flash [7:66739]
> 
> 
> Looks like a bad flash card..try another flash card..
> if it wont erase correctly, I dont think it will copy the file and 
> be usable...
> 
>  
> Larry Letterman
> Network Engineer
> Cisco Systems
>  
>  
>  
> 
> 
> 
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> 
> 
>>Mamoon Dawood
>>Sent: Thursday, April 03, 2003 12:36 AM
>>To: [EMAIL PROTECTED]
>>Subject: IOS Download to the new flash [7:66739]
>>
>>
>>Dear All,
>>
>>While trying to download an IOS to the new (Clear) flash of a 3662 
>>router using the xmodem method, and after finishing the download and 
>>reload, we got the following message,
>>
>>
>>device does not contain a valid magic number
>>boot: cannot open "flash:"
>>boot: cannot determine first file name on device "flash:"
>>
>>
>>
>>Erasing flash at 0x3000sector erase failed at location 0x3000,
> 
> 
>>status 0x 20202020
>>
>>
>>Please advise what we should do to download the IOS,
>>
>>Thanks,
> 
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"I would rather have a German division in front of me than a French one
behind me."
--- General George S. Patton




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66794&t=66739


Re: IP route to Null0? [7:66755]

2003-04-03 Thread Karsten
I'll clarify. On lower end cisco routers not running
bgp, yes, it will save you some cpu cycles. But most
of the routers I'm working on a day to day basis (12Ks, 10Ks, 7200s) 
are running full table and hardly get slowed by acls.
Not to mention the problems a null route (for the purpose
of bit-bucketing) can do when you're using null routes for bgp.

-Karsten

On Thursday 03 April 2003 10:53 am, MADMAN wrote:
> Sloppy!? why??
>
>Dave
>
> Karsten wrote:
> > Either a sloppy way to drop traffic for a /24, or bgp
> > summarization using null routing.
> >
> > -Karsten
> >
> > On Thursday 03 April 2003 07:40 am, Anil Gupte wrote:
> >>I am trying to understand some IP route commands on our router.  Several
> >> of them go to Null0 - what does that mean?
> >>
> >>For example, I have
> >>ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200
> >>
> >>What is this doing?
> >>
> >>I need to add another block of class Cs from the same provider. Do I need
> >>a similar statement to the above?
> >>
> >>Thanx for your help.
> >>Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66789&t=66755


Re: IP route to Null0? [7:66755]

2003-04-03 Thread Anil Gupte
You are right, it is using BGP.  What does summarization do?
Do I need an identical statement for my new Class C?

Thanx,
Anil Gupte

- Original Message -
From: "Karsten" 
To: "Anil Gupte" ; 
Sent: Thursday, April 03, 2003 10:46 AM
Subject: Re: IP route to Null0? [7:66755]


Either a sloppy way to drop traffic for a /24, or bgp
summarization using null routing.

-Karsten

On Thursday 03 April 2003 07:40 am, Anil Gupte wrote:
> I am trying to understand some IP route commands on our router.  Several of
> them go to Null0 - what does that mean?
>
> For example, I have
> ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200
>
> What is this doing?
>
> I need to add another block of class Cs from the same provider. Do I need
> a similar statement to the above?
>
> Thanx for your help.
> Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66797&t=66755
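Scott describes Null0 as a black hole, Karsten calls the /24 static a BGP summarization route, and Anil asks what that summarization does and whether a second block needs the same statement. The block below is an added example (mine, not anyone's router configuration) that simulates the two decisions a router makes for such a route: admin-distance selection, which is why the 200 makes the route "float" below any lower-distance route for the same prefix, and longest-prefix-match forwarding, which is why allocated sub-blocks still forward normally while traffic to unallocated space inside the aggregate is discarded instead of following the default route back out to the provider. The prefix 198.51.100.0/24 stands in for the post's xxx.xxx.xxx.0; the next hops, the two OSPF /26s and the default route are constructed.

```python
"""Floating static route to Null0 with longest-prefix-match forwarding
(added example; constructed prefixes and next hops)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # "Null0" or a next-hop address
    distance: int      # administrative distance (static 1, OSPF 110, ...)


def make_route(prefix: str, next_hop: str, distance: int) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, distance)


def install(candidates: list) -> list:
    """RIB selection: for each exact prefix keep only the lowest-AD candidate.
    'ip route ... Null0 200' is installed only while no route with a lower
    distance exists for the very same prefix, hence 'floating'."""
    best = {}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            best[r.prefix] = r
    return list(best.values())


def lookup(rib: list, dst: str) -> Optional[Route]:
    """Forwarding lookup: the most specific (longest) matching prefix wins,
    regardless of the administrative distance it was installed with."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(rib: list, dst: str) -> str:
    r = lookup(rib, dst)
    if r is None:
        return "no route"
    if r.next_hop == "Null0":
        return "dropped (Null0)"       # the bit bucket: packet is discarded
    return f"forward via {r.next_hop}"


def example_candidates() -> list:
    """Constructed topology: a /24 aggregate the site advertises upstream,
    two allocated /26s learned from OSPF, an unallocated remainder, and a
    default route towards the provider."""
    return [
        make_route("0.0.0.0/0", "203.0.113.1", 1),        # default to provider
        make_route("198.51.100.0/24", "Null0", 200),      # ip route ... Null0 200
        make_route("198.51.100.0/26", "10.0.0.2", 110),   # OSPF, allocated
        make_route("198.51.100.64/26", "10.0.0.3", 110),  # OSPF, allocated
    ]


def build_example_rib() -> list:
    return install(example_candidates())


if __name__ == "__main__":
    rib = build_example_rib()
    for dst in ("198.51.100.10", "198.51.100.70", "198.51.100.200", "192.0.2.1"):
        print(dst, "->", forward(rib, dst))
    # A lower-distance route for the same /24 displaces the floating Null0 entry.
    rib2 = install(example_candidates() + [make_route("198.51.100.0/24", "10.0.0.9", 1)])
    print("198.51.100.200 with an AD-1 /24 present ->", forward(rib2, "198.51.100.200"))
```

Two things follow from the simulation. Without the Null0 entry, a packet for 198.51.100.200 would match only the default route and head back to the provider, which has just sent it here because of the advertised aggregate; the Null0 route gives the aggregate a longer match than the default and ends that bounce. And because each aggregate is its own prefix in the table, a second block advertised the same way needs its own entry of the same form; the existing one does not cover it.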


UNSUBSCRIBE [7:66796]

2003-04-03 Thread Michael Eaves
UNSUBSCRIBE [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66796&t=66796


Re: so how does IGRP unequal load-balancing work anywa [7:66795]

2003-04-03 Thread Scott Roberts
your example is fair. I haven't seen many real examples of load balancing. in
the case you're describing you can simply change the metrics on one of the
routers' 'secondary' link to the other router. this would prevent it from
passing anything it received from the one router back to itself. yes, the way
you've created the example things would 'loop' between them, but as an
experienced cisco person, you've recognized the misconfiguration and have
avoided the conflict in this setup.

I can come up with dozens of normal operation scenarios where if put
together in such a manner (which taken alone work fine), would fall apart
because they were assembled without a perspective on the greater network.
it's like me wondering about the validity of marriage if the possibility
exists that I could marry my own sister. it's a possibility if I can think of
the right scenario, but with this knowledge in mind, I can be on the lookout
for anyone that resembles me a bit too closely.

scott

""nwo""  wrote in message
news:[EMAIL PROTECTED]
> OK, consider this scenario.
>
> You have a large network of IGRP routers.  You have routers A and B who
> each have a metric of, say, 10 to a given destination (I am going to use
> simple values for the metrics of IGRP to make things easy).  Routers A and
> B are also directly connected, and the link between them has a metric of 1.
> Router A sends an update to B that the destination has a metric of 10, and
> router B adds the value of the link to arrive at a total metric of 11.
> Therefore, router B has 2 ways to get to the destination, the first would
> be through the normal way (through the path that has a metric of 10) and
> the other through router A (which has a metric of 11).  Vice versa is also
> true with respect to router A.  When you configure variance of larger than
> 1, then both paths will be entered into the route table.
>
> If this is the case, then you can see that some packets can bounce around.
> For example, router A may, through unequal load-balancing, send some of
> the dest packets to B, and then B will, again through unequal balancing,
> send some of those packets back to A, etc.  Yes, the number of packets sent
> the 'wrong way' decreases exponentially but the point is that there is
> still some bouncing around.
>
> The only way I can see that this would not happen is if a router would
> compare the metric of a received route (before the cost of the link is
> added) to the metric that the router is currently holding for that route,
> and if it is equal to or greater than that value, the route is rejected
> unconditionally for unequal balancing.  This would be something similar to
> what the whole EIGRP successor algorithm accomplishes.  Does anybody know
> for a fact whether this is in the IGRP algorithm?
>
>
> "Priscilla Oppenheimer"  wrote in message
> news:[EMAIL PROTECTED]
> > nwo wrote:
> > >
> > > It occurs to me that I do not understand how IGRP unequal load
> > > balancing works.
> > >
> > > Yes, I understand what the commands are, and I am well aware of the
> > > intricacies involved in fast-switching and CEF.  So please don't
> > > respond by telling me to configure 'variance' or stuff like that.  I
> > > already know all that.
> > >
> > > What I don't understand is this.  A fundamental part of EIGRP unequal
> > > load balancing is the concept of the feasible successor, where routes
> > > of unequal metric to a particular destination will be considered only
> > > if the corresponding neighbor is a feasible successor for the
> > > destination in question.  This is in order to prevent the problem of
> > > packets being sent to a router that is actually further away from the
> > > destination than the sending router is to that destination.
> > >
> > > Yet, I am aware of no such safeguards in IGRP.  IGRP has no such
> > > concept of
> >
> > I don't think such a safeguard is necessary. A router running even a
> > simple distance-vector protocol like IGRP knows the metric of its
> > neighbors because the neighbors report it in update packets. The router
> > can add routes to the routing table based on this information alone and
> > knowledge of the variance and maximum-paths values. It would be a broken
> > protocol indeed if it added routes that included a next-hop neighbor that
> > was farther away.
> >
> > The business of feasible successors, unique to EIGRP, helps maintain the
> > routing table when changes happen, such as when a directly connected link
> > fails or when update or queries arrive. I don't know if it's used for
> > load balancing though. It wouldn't need to be.
> >
> > If you have a URL that explains what feasible successor has to do with
> > load balancing, please send it. Thanks. But I would probably still say
> > that it's not necessary for load balancing to work.
> >
> > > a topology table with neighbor's advertised distances and whatnot.
> > > Therefore it seems that
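
As an added example, not code from the thread or from Cisco: a small Python model of variance-based path selection. It runs the two-router scenario nwo describes both with and without the "next hop must be closer" check his post asks about, so the two-router bounce can be seen to appear only when that check is absent; whether IOS actually applies the check is the open question in the thread, and the model takes no position on it. Router names A, B, C, X, Y and all metrics are constructed.

```python
"""Model of IGRP-style unequal-cost path selection with 'variance'.

Constructed example for the thread above: it is not Cisco code and does not
claim to reproduce IOS.  The 'require_closer' switch models the check the
thread debates (the next hop's own advertised metric must be lower than the
local best metric); both settings are run so the effect can be compared.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Advert:
    neighbor: str    # neighbor that sent the update
    advertised: int  # metric the neighbor reports for the destination
    link: int        # cost of our link to that neighbor


@dataclass
class Router:
    name: str
    best: int        # metric of the local best path to the destination
    best_hop: str    # next hop of that best path
    adverts: List[Advert] = field(default_factory=list)


def select_paths(router: Router, variance: int, require_closer: bool) -> List[str]:
    """Return the next hops installed for the destination.

    A path learned from a neighbor is installed when its total metric
    (advertised + link) is within variance * best.  With require_closer the
    neighbor must also be strictly closer to the destination than we are,
    which is what keeps two routers from installing each other.
    """
    hops = [router.best_hop]
    for adv in router.adverts:
        total = adv.advertised + adv.link
        if total > variance * router.best:
            continue  # too expensive for this variance setting
        if require_closer and adv.advertised >= router.best:
            continue  # neighbor is not closer: installing it could bounce packets
        hops.append(adv.neighbor)
    return hops


def find_two_hop_loops(routers: Dict[str, Router], variance: int,
                       require_closer: bool) -> Tuple[Dict[str, List[str]], Set[FrozenSet[str]]]:
    """Build each router's next-hop list and report pairs that point at each other."""
    tables = {name: select_paths(r, variance, require_closer) for name, r in routers.items()}
    loops: Set[FrozenSet[str]] = set()
    for name, hops in tables.items():
        for hop in hops:
            if hop in tables and name in tables[hop]:
                loops.add(frozenset((name, hop)))
    return tables, loops


def thread_scenario() -> Dict[str, Router]:
    """Constructed topology from the thread: A and B both reach the destination
    at metric 10 via their own paths (X and Y), are joined by a metric-1 link,
    and each hears the other advertise 10.  C is a third neighbor of A that
    really is closer (advertises 6 over a metric-5 link) and should survive."""
    a = Router("A", best=10, best_hop="X",
               adverts=[Advert("B", 10, 1), Advert("C", 6, 5)])
    b = Router("B", best=10, best_hop="Y", adverts=[Advert("A", 10, 1)])
    return {"A": a, "B": b}


if __name__ == "__main__":
    for closer in (False, True):
        tables, loops = find_two_hop_loops(thread_scenario(), variance=2, require_closer=closer)
        print(f"require_closer={closer}: tables={tables} loops={sorted(map(sorted, loops))}")
```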

Re: WIC 2A/S working at speeds greater than 128kbps. [7:66733]

2003-04-03 Thread Scott Roberts
I think that's the maximum of asynchronous communication that they've put
into their documentation, I don't think there is an upper limit to the real
transfer rate. I suppose you could clock an asynchronous transmission way up
into the Mbps range and that interface would still suck it in. granted there
would probably be tons of errors/drops, but I don't think cisco has a hard
limit on how much it can receive.

technically I think rs-449 is rated into the Mbps range and is still
considered asynchronous. correct me if I'm wrong.

scott

 wrote in message
news:[EMAIL PROTECTED]
> We have a Cisco 1750 router with a WIC2A/S card installed. According to
> Cisco's documentation, the WIC card supports speeds up to 128kbps. But I
> have seen the serial port working at speeds of 250kbps. How??? Is Cisco's
> documentation wrong or am I missing something??
>
> Thanks and Regards
>
> Simon K. Carvalho
> Sr. Network Engineer
> Network Solutions Ltd. , Bangalore
> Email:  :[EMAIL PROTECTED]
> Web  :   www.netsol.co.in
> Phone   :  +91 80 5535228 ext 433
> Mobile  :  +91 9845349843
>
> "Tomorrow's Networks.Today."




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66802&t=66733


Re: PAT AFTER NAT (confused) [7:66734]

2003-04-03 Thread Scott Roberts
this is the current nat setup I have on one of my PIXs:

global (outside) 1 xxx.xxx.223.235-64.172.223.236
global (outside) 1 xxx.xxx.223.237
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

here's the translations:

PAT Global xxx.xxx.223.237(16882) Local 192.168.2.18(2193)
PAT Global xxx.xxx.223.237(16914) Local 192.168.2.18(2229)
PAT Global xxx.xxx.223.237(4739) Local 192.168.2.18(2228)
PAT Global xxx.xxx.223.237(16915) Local 192.168.2.18(2230)
Global xxx.xxx.223.236 Local 192.168.2.17
PAT Global xxx.xxx.223.237(16880) Local 192.168.2.18(2190)
Global xxx.xxx.223.235 Local 192.168.2.14
PAT Global xxx.xxx.223.237(16913) Local 192.168.2.18(2227)
PAT Global xxx.xxx.223.237(16918) Local 192.168.2.18(2233)
PAT Global xxx.xxx.223.237(16919) Local 192.168.2.18(2234)
PAT Global xxx.xxx.223.237(16916) Local 192.168.2.18(2231)
PAT Global xxx.xxx.223.237(16917) Local 192.168.2.18(2232)
PAT Global xxx.xxx.223.237(16922) Local 192.168.2.18(2237)
PAT Global xxx.xxx.223.237(16923) Local 192.168.2.18(2238)
PAT Global xxx.xxx.223.237(16920) Local 192.168.2.18(2235)
PAT Global xxx.xxx.223.237(16904) Local 192.168.2.18(2218)
PAT Global xxx.xxx.223.237(16921) Local 192.168.2.18(2236)

you can see that the two nat IPs are being used already and the rest are
being NATed. I can only assume the NATs went through first, since PAT would
take like 4000+ to fill up I believe. on another note, what's up with all
those xlates for 192.168.1.18!! (I'll ignore that for now)

I can't think of a recent nat I have off of a regular router, but I suspect
based upon what people are saying that perhaps the PIX's nat works
correctly, but the router's is kinda backward. something to set up in a lab I
suppose.



scott



""Marko Milivojevic""  wrote in message
news:[EMAIL PROTECTED]
> I have been following this thread with great interest, for I had
> problems with PAT/NAT in IOS recently. It looks to me that many people
> have the same confusions (hopes) as I had.
>
> I have a case where I have many users on private address space
> (around 1000 or so) which must be NAT-ed through a pool of 768 "real"
> addresses. These are all, mostly, heavy users (xDSL customers).
>
> I have foolishly hoped that if I configure pool with overload, IOS
> will do 1:1 and when it runs out of addresses, it will do PAT. Well, I was
> wrong. And that's wrong at a price. Not only that IOS is immediately
> performing PAT, but PAT is *much* more CPU intensive than 1:1 NAT. Also,
> it is not possible to define multiple address ranges or pools for the same
> translation (I would greatly appreciate if someone corrects me here).
>
> So, from my experience with this matter:
>
> * it is not easily possible to do NAT and switch to PAT when
> addresses run out
> * if you define overload, IOS automatically does PAT, with more CPU
> usage
>
> One way of getting away from running out of NAT addresses is to
> lower translation timeout (default is I think 24h). This timeout defines
> how long NAT relationship remains between real and private IP. You can
> lower this to one hour by doing:
>
> ip nat translation timeout 3600
>
> In my experience, this proved to be useful in this, far from 1:1
> scenario. Further lowering this to some 15 minutes or so, could cause more
> load on router (guesswork), but hugely decrease your chances of running
> out of translation addresses.
>
>
> Kind regards,
> Marko.
>
> This e-mail is from Margmiðlun hf., Suðurlandsbraut 4, Reykjavik.
> The disclaimer and instructions for recipients of e-mail from Margmiðlun hf.
> can be found on the web page http://www.mi.is/fyrirvari




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66799&t=66734
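As an added example, not code from the poster or from Cisco: a Python parser for PIX translation lines in the format of the listing above, plus the checks Scott is doing by eye (is the 1:1 pool already full, how much has fallen through to the PAT address, and which inside host holds a surprising number of translations); it also answers Marko's question of whether the pool has run out. The pool, the PAT address and the sample lines are constructed with documentation addresses (203.0.113.0/24), not the poster's real ones.

```python
"""Parser and sanity checks for PIX translation-table lines ('show xlate'
style, as quoted in the post above).  Added example, not PIX code.  The
pool, PAT address and sample lines are constructed with documentation
addresses (203.0.113.0/24)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line per translation.  The PAT form carries ports in parentheses on
# both sides; the plain 1:1 form carries none.
XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gaddr>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<gport>\d+)\))?"
    r" Local (?P<laddr>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<lport>\d+)\))?$"
)


@dataclass(frozen=True)
class Xlate:
    global_addr: str
    global_port: Optional[int]
    local_addr: str
    local_port: Optional[int]
    is_pat: bool


def parse_xlates(text: str) -> List[Xlate]:
    """Parse translation lines; lines that do not match the format are ignored."""
    out = []
    for raw in text.splitlines():
        m = XLATE_RE.match(raw.strip())
        if not m:
            continue
        out.append(Xlate(
            global_addr=m["gaddr"],
            global_port=int(m["gport"]) if m["gport"] else None,
            local_addr=m["laddr"],
            local_port=int(m["lport"]) if m["lport"] else None,
            is_pat=m["pat"] is not None,
        ))
    return out


def summarize(xlates: List[Xlate], pool: List[str], pat_addr: str,
              busy_threshold: int = 3) -> Dict:
    """Answer the questions raised in the post: is the 1:1 pool used up, how
    much is landing on the PAT address, and which inside hosts hold an
    unusual number of translations (worth a look before assuming it is benign)."""
    nat = [x for x in xlates if not x.is_pat]
    pat = [x for x in xlates if x.is_pat]
    pool_in_use = sorted({x.global_addr for x in nat if x.global_addr in pool})
    stray = sorted({x.global_addr for x in xlates
                    if x.global_addr not in pool and x.global_addr != pat_addr})
    per_local = Counter(x.local_addr for x in xlates)
    busy = [(host, n) for host, n in per_local.most_common() if n >= busy_threshold]
    return {
        "nat_count": len(nat),
        "pat_count": len(pat),
        "pool_in_use": pool_in_use,
        "pool_exhausted": set(pool) <= set(pool_in_use),
        "unexpected_globals": stray,   # globals outside the configured pools
        "per_local": dict(per_local),
        "busy_hosts": busy,
    }


# Constructed sample in the format of the listing above.
SAMPLE_XLATE = """\
PAT Global 203.0.113.237(16882) Local 192.168.2.18(2193)
PAT Global 203.0.113.237(16914) Local 192.168.2.18(2229)
Global 203.0.113.236 Local 192.168.2.17
PAT Global 203.0.113.237(16880) Local 192.168.2.18(2190)
Global 203.0.113.235 Local 192.168.2.14
PAT Global 203.0.113.237(16913) Local 192.168.2.18(2227)
"""
POOL = ["203.0.113.235", "203.0.113.236"]   # the 'global (outside) 1 <range>' pool
PAT_ADDR = "203.0.113.237"                  # the single 'global (outside) 1' address

if __name__ == "__main__":
    report = summarize(parse_xlates(SAMPLE_XLATE), POOL, PAT_ADDR)
    for key, value in report.items():
        print(f"{key}: {value}")
```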


RE: Hybrid vs. Native [7:66766]

2003-04-03 Thread Larry Letterman
You can look at it that way..
Instead of having a switch and a router
you actually have 1 device with one IOS running
that does the job of both other devices..


Larry Letterman
Network Engineer
Cisco Systems





> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> DeVoe, Charles (PKI)
> Sent: Thursday, April 03, 2003 1:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Hybrid vs. Native [7:66766]
>
>
> So if I read this right, it is just a different set of commands.
> Are there
> operational differences?
>
> -Original Message-
> From: MADMAN [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 3:44 PM
> To: DeVoe, Charles (PKI)
> Cc: [EMAIL PROTECTED]
> Subject: Re: Hybrid vs. Native [7:66766]
>
>
> DeVoe, Charles (PKI) wrote:
>  > We have a 6509 and I have heard talk about native vs. Hybrid mode of
>  > operation.  What is the difference?  Is there a link to a
> white paper or
>  > something?
> That question comes up periodically but in a nutshell a 6500 in
> native mode is a big router, no catOS commands, and if you are familiar
> with 2900/3500 switch commands native switch layer 2 stuff will be
> familiar and of course the L3 commands are your regular old IOS
> commands.  Here is a snap shot of a 6506 running native:
>
> Native6506#sh ha
> Cisco Internetwork Operating System Software
> IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2002 by cisco Systems, Inc.
> Compiled Wed 04-Sep-02 18:45 by eaarmas
> Image text-base: 0x40008C00, data-base: 0x41A68000
>
> ROM: System Bootstrap, Version 12.1(4r)E, RELEASE SOFTWARE (fc1)
> BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
>
> Native6506 uptime is 5 weeks, 2 days, 43 minutes
> Time since Native6506 switched to active is 5 weeks, 2 days, 42 minutes
> System returned to ROM by power-on (SP by power-on)
> System image file is "slot0:c6sup12-js-mz.121-13.E.bin"
>
> cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
> Processor board ID SAD05020HUX
> R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
> Last reset from power-on
> Bridging software.
> X.25 software, Version 3.0.0.
> SuperLAT software (copyright 1990 by Meridian Technology Corp).
> TN3270 Emulation software.
> 8 Virtual Ethernet/IEEE 802.3  interface(s)
> 120 FastEthernet/IEEE 802.3 interface(s)
> 4 Gigabit Ethernet/IEEE 802.3 interface(s)
> 381K bytes of non-volatile configuration memory.
>
> 16384K bytes of Flash internal SIMM (Sector size 512K).
> Standby is up
> Standby has 112640K/18432K bytes of memory.
>
> Configuration register is 0x2102
>
> Native6506#
>
> Native6506#sh conf
> Using 8789 out of 391160 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Native6506
> !
> boot system flash slot0:c6sup12-js-mz.121-13.E.bin
> boot bootldr bootflash:c6msfc2-boot-mz.121-4.E1
> no logging console
> enable password cisco
> !
> ip subnet-zero
> !
> !
> ip tcp intercept mode watch
> no ip domain-lookup
> !
> mls flow ip destination
> mls flow ipx destination
> !
> redundancy
>   mode rpr-plus
>   main-cpu
>auto-sync running-config
>auto-sync standard
> !
> !
> !
> interface Port-channel1
>   no ip address
>   switchport
>   switchport trunk encapsulation dot1q
> !
> interface GigabitEthernet1/1
>   no ip address
>   switchport
>   switchport trunk encapsulation dot1q
>   switchport trunk native vlan 64
> !
> interface GigabitEthernet1/2
>   no ip address
>   shutdown
> !
> interface FastEthernet3/1
>   no ip address
>   duplex full
>   speed 100
>   switchport
>   switchport access vlan 301
>   switchport trunk encapsulation dot1q
>   switchport mode trunk
> !
> interface FastEthernet3/2
>   ip address 121.1.1.2 255.255.255.0
>   duplex full
>   speed 100
> !
> interface FastEthernet3/3
>   ip address 30.1.1.1 255.255.255.0
>   ip access-group 199 in
>   duplex half
>   speed 100
> !
> interface FastEthernet3/4
>   no ip address
>   duplex half
>   speed 10
>   switchport
>   switchport access vlan 304
>   switchport mode access
> !
> interface Vlan1
>   no ip address
>   shutdown
> !
> interface Vlan64
>   ip address 172.28.64.23 255.255.255.0
> !
> interface Vlan302
>   ip address 79.79.79.1 255.255.255.0
>   ip access-group 199 in
> !
> interface Vlan303
>   ip address 99.13.13.1 255.255.255.0
>   shutdown
> !
> interface Vlan304
>   ip address 79.79.80.1 255.255.255.0
> !
> interface Vlan305
>   ip address 99.15.15.1 255.255.255.0
>   shutdown
> !
> interface Vlan306
>   no ip address
>   shutdown
> !
> interface Vlan307
>   no ip address
> !
> router eigrp 1
>   network 172.28.0.0
>   no auto-summary
>   eigrp log-neighbor-changes
> !
> router eigrp 100
>   network 99.0.0.0
>   no auto-summary
>   no eigrp log-neighbor-chan

RE: Hybrid vs. Native [7:66766]

2003-04-03 Thread Larry Letterman
that's true, however a switch is kinda useless in
the network if the devices can't talk to anywhere past the
local switch...

 
Larry Letterman
Network Engineer
Cisco Systems
 
 
 


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Joseph Brunner
> Sent: Thursday, April 03, 2003 12:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Hybrid vs. Native [7:66766]
> 
> 
> HYBRID, Especially for someone like you who needs uptime/redundancy.
> 
> In hybrid, if the MSFC dies, you don't lose the whole switch,
> just intervlan routing, etc. You can still telnet to the supervisor
> engine to get in and find out what's up.
> 
> In native the whole switch dies and you're burned.
> 
> Cisco's answer- buy two sup2/msfc2/pfc2 boards and run high
> availability.. No thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66801&t=66766


Re: Hybrid vs. Native [7:66766]

2003-04-03 Thread MADMAN
What! I have a switch running Native in the lab with dual sups 
configured for RPR+, works fine.  RPR is what the 7500's with dual RSPs use.

   Dave

Joseph Brunner wrote:
> HYBRID, Especially for someone like you who needs uptime/redundancy.
> 
> In hybrid, if the MSFC dies, you don't lose the whole switch,
> just intervlan routing, etc. You can still telnet to the supervisor
> engine to get in and find out what's up.
> 
> In native the whole switch dies and you're burned.
> 
> Cisco's answer- buy two sup2/msfc2/pfc2 boards and run high
> availability.. No thanks!
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"I would rather have a German division in front of me than a French one
behind me."
--- General George S. Patton




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66803&t=66766


Re: CCNP Recertification Exam Review [7:66644]

2003-04-03 Thread Priscilla Oppenheimer
I discovered one thing that you can't do that you might think you could do.
After I recertified as a CCDP, I wanted to just take Support to recert as
CCNP. After all, theoretically I had recertified for everything else just by
taking CCDP. Alas, they wouldn't let me do that. I had to do the gruelling
CCNP recert test. It was quite a bit harder than the CCDP test mainly
because the routing questions are based on BSCI. CCDP recert was still using
the Routing questions.

Priscilla

Scott Roberts wrote:
> 
> thanks for the advice. seems like very good and concise info!
> 
> I have to laugh though, I started my ccnp over two years ago, passing three
> of the four tests and then got caught up in work related projects (damn
> work!) and put my certifications on the back burner. the funny thing is, my
> ccna was about to expire in less than a month, so I took my final ccnp test
> (CIT) and renewed my ccna at the same time. it almost seems like you can
> find a way to work the system; I was kinda even hoping that ccie would renew
> my ccnp/ccna and then I could wait the three years complete that and then
> forget about the renewal issue altogether.
> 
> scott
> 
> "Priscilla Oppenheimer"  wrote in message
> news:[EMAIL PROTECTED]
> > The CCNP Recertification Exam was gruelling, and that's no April Fool's
> > joke. But I survived it! ;-)
> >
> > Exam number: 640-851 (the current one)
> > Number of questions: 112
> > Time: 2 hours
> > Passing Score 732
> > My score: 834
> >
> > Is anyone else taking it soon? Here's some advice:
> >
> > Do study.
> > Take each question one at a time.
> > There's plenty of time.
> > Despite some of the gruelling questions, there are some give-aways too.
> > Read carefully.
> > Don't guess unless you absolutely have to.
> > BREATHE! ;-)
> >
> > There's a variety of question types, including one right answer, multiple
> > right answers (they tell you how many), drag-and-drop, type in the
> > command, select a command from a list, and that new simulator thingie
> > that Cisco uses.
> >
> > One reason the test is so hard is that it covers so many topics, in quite
> > a lot of depth. After a while, your brain gets fried and you forget, is
> > it OSPF that considers a high priority a good thing (for DR election) or
> > is it STP that considers a high priority a good thing (for root bridge
> > election?) (It's OSPF). And with OSPF, does a 0 in a mask mean "must
> > match" like in access lists or does it mean "don't care" like in static
> > routes (and OSPF range commands?!) (0 means must match in OSPF network
> > statements.)
> >
> > Those things may seem obvious, but by about question 72, you start to get
> > confused, if you're like me. You just have to relax and realize that you
> > DO know this stuff. Don't let your brain get into a Mobius strip like
> > mine almost did.
> >
> > The good news is that the questions from the different qualifying tests
> > are not merged. It's very clear when you move between the following
> > tests:
> >
> > Routing:
> > It's based on BSCI actually, not Routing, and is quite hard. Know your
> > BGP, OSPF, and IS-IS. I used Doyle and papers at CertificationZone. You
> > won't be able to just use books that you read when you passed 3 years
> > ago.
> >
> > Support:
> > This didn't seem to have changed. So you could use the Cisco Press CIT
> > book, but there is a new resource available too. (Troubleshooting Campus
> > Networks. :-)
> >
> > Remote Access:
> > This didn't seem to have changed. The Cisco Press book edited by
> > Catherine Pacquet is still an excellent resource. Yes, you may encounter
> > BCRAN questions from last millennium's technologies and products.
> >
> > Switching:
> > This had changed. So know the topics listed for the latest version. I'm
> > not sure what you should study. I guess the official BCMSN book? I
> > studied with Cisco LAN Switching, by Clark and Hamilton, which is
> > excellent, but I still couldn't answer a lot of the questions. I suspect
> > you need a lesser book so you know all Cisco's latest misconceptions
> > about LAN technologies. ;-)
> >
> > For the switching exam, know your stuff because some of the questions
> > are unanswerable by anyone with a logical brain. You'll get things like:
> > Which 3 statements are true?
> >
> > IEEE 802.3
> > FDDI
> > SONET
> > Gigabit Ethernet
> >
> > Notice, the answers aren't statements! ARGH.
> >
> > Finally a word about CertificationZone. I have written troubleshooting
> > guides for them but am no longer compensated by them, so I hope you won't
> > think this is biased. Their papers were extremely helpful. Also they have
> > practice exams for BSCI, Support, BCRAN, and Switching. The practice
> > exams are very helpful, with one exception: SWITCHING! (The bane of my
> > existence.) Their switching exam covers too many topics that aren't on
> > the current exam.
> >
> > Well, that's a

Re: Hybrid vs. Native [7:66766]

2003-04-03 Thread Mark Foster
There are still some functional/operational differences between 6500 hybrid
and native modes with the current CatOS and IOS versions available.  A white
paper on the topic is located at (watch for any wrapping):
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c8441.shtml

Cisco's stated direction for some time has been towards native mode IOS.
Both hybrid and native mode options still exist for valid reasons based upon
customer requirements.  Your account SE should be able to provide more
information and assist in the analysis and selection process.

I have deployed 6509s at multiple customer locations over the past three
years.  If you would like to discuss my experiences with hybrid vs. native
further, feel free to contact me offline.

Hope this helps!

Mark Foster

""DeVoe, Charles (PKI)""  wrote in message
news:[EMAIL PROTECTED]
> We have a 6509 and I have heard talk about native vs. Hybrid mode of
> operation.  What is the difference?  Is there a link to a white paper or
> something?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66808&t=66766


RE: Taking Support Exam this Friday...Need some po [7:66704]

2003-04-03 Thread John McCartney
Passing score is 760, took it last Dec, it's a bear, took it 2X's. Study up on
protocols. HTH.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66806&t=66704


Re: Hybrid vs. Native [7:66766]

2003-04-03 Thread MADMAN
The big thing to watch out for is line card support.  Most OSM cards 
are only supported in Native mode and the inverse is true with many 
voice modules.  I can't think of any other operational differences that 
would make me lean to one method or the other.  The 6500 is the only 
"box" being manufactured by Cisco that runs catOS so Native is the 
future.  I actually thought the "future" would be here by now...

   Dave

DeVoe, Charles (PKI) wrote:
> So if I read this right, it is just a different set of commands.  Are there
> operational differences?
> 
> -Original Message-
> From: MADMAN [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 3:44 PM
> To: DeVoe, Charles (PKI)
> Cc: [EMAIL PROTECTED]
> Subject: Re: Hybrid vs. Native [7:66766]
> 
> 
> DeVoe, Charles (PKI) wrote:
>  > We have a 6509 and I have heard talk about native vs. Hybrid mode of
>  > operation.  What is the difference?  Is there a link to a white paper or
>  > something?
> That question comes up periodically but in a nutshell a 6500 in 
> native mode is a big router, no catOS commands, and if you are familiar 
> with 2900/3500 switch commands native switch layer 2 stuff will be 
> familiar and of course the L3 commands are your regular old IOS 
> commands.  Here is a snap shot of a 6506 running native:
> 
> Native6506#sh ha
> Cisco Internetwork Operating System Software
> IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> TAC Support: http://www.cisco.com/tac
> Copyright (c) 1986-2002 by cisco Systems, Inc.
> Compiled Wed 04-Sep-02 18:45 by eaarmas
> Image text-base: 0x40008C00, data-base: 0x41A68000
> 
> ROM: System Bootstrap, Version 12.1(4r)E, RELEASE SOFTWARE (fc1)
> BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> 
> Native6506 uptime is 5 weeks, 2 days, 43 minutes
> Time since Native6506 switched to active is 5 weeks, 2 days, 42 minutes
> System returned to ROM by power-on (SP by power-on)
> System image file is "slot0:c6sup12-js-mz.121-13.E.bin"
> 
> cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
> Processor board ID SAD05020HUX
> R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
> Last reset from power-on
> Bridging software.
> X.25 software, Version 3.0.0.
> SuperLAT software (copyright 1990 by Meridian Technology Corp).
> TN3270 Emulation software.
> 8 Virtual Ethernet/IEEE 802.3  interface(s)
> 120 FastEthernet/IEEE 802.3 interface(s)
> 4 Gigabit Ethernet/IEEE 802.3 interface(s)
> 381K bytes of non-volatile configuration memory.
> 
> 16384K bytes of Flash internal SIMM (Sector size 512K).
> Standby is up
> Standby has 112640K/18432K bytes of memory.
> 
> Configuration register is 0x2102
> 
> Native6506#
> 
> Native6506#sh conf
> Using 8789 out of 391160 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Native6506
> !
> boot system flash slot0:c6sup12-js-mz.121-13.E.bin
> boot bootldr bootflash:c6msfc2-boot-mz.121-4.E1
> no logging console
> enable password cisco
> !
> ip subnet-zero
> !
> !
> ip tcp intercept mode watch
> no ip domain-lookup
> !
> mls flow ip destination
> mls flow ipx destination
> !
> redundancy
>   mode rpr-plus
>   main-cpu
>auto-sync running-config
>auto-sync standard
> !
> !
> !
> interface Port-channel1
>   no ip address
>   switchport
>   switchport trunk encapsulation dot1q
> !
> interface GigabitEthernet1/1
>   no ip address
>   switchport
>   switchport trunk encapsulation dot1q
>   switchport trunk native vlan 64
> !
> interface GigabitEthernet1/2
>   no ip address
>   shutdown
> !
> interface FastEthernet3/1
>   no ip address
>   duplex full
>   speed 100
>   switchport
>   switchport access vlan 301
>   switchport trunk encapsulation dot1q
>   switchport mode trunk
> !
> interface FastEthernet3/2
>   ip address 121.1.1.2 255.255.255.0
>   duplex full
>   speed 100
> !
> interface FastEthernet3/3
>   ip address 30.1.1.1 255.255.255.0
>   ip access-group 199 in
>   duplex half
>   speed 100
> !
> interface FastEthernet3/4
>   no ip address
>   duplex half
>   speed 10
>   switchport
>   switchport access vlan 304
>   switchport mode access
> !
> interface Vlan1
>   no ip address
>   shutdown
> !
> interface Vlan64
>   ip address 172.28.64.23 255.255.255.0
> !
> interface Vlan302
>   ip address 79.79.79.1 255.255.255.0
>   ip access-group 199 in
> !
> interface Vlan303
>   ip address 99.13.13.1 255.255.255.0
>   shutdown
> !
> interface Vlan304
>   ip address 79.79.80.1 255.255.255.0
> !
> interface Vlan305
>   ip address 99.15.15.1 255.255.255.0
>   shutdown
> !
> interface Vlan306
>   no ip address
>   shutdown
> !
> interface Vlan307
>   no ip address
> !
> router eigrp 1
>   network 172.28.0.0
>   no auto-summary
>   eigrp log-neighbor-changes
> !
> router eigrp 100
>   network 99.0.0.0
>   no auto-summar

More about Linux VS. Cisco [7:66811]

2003-04-03 Thread Diego Martínez Boqué
Hello Group.

I read all that you guys wrote about this interesting issue about Linux Vs
Cisco.

The following are the ideas in my mind:

1.
I think this is more something about what you like to do, what you love to
do.  I currently hold several IT certifications (MCSE, MCDBA, CCNP, MCSA)
and this is because one old and experienced systems engineer told me once
"Diego, if you are feeling good doing your stuff, and you are good doing
that thing, then go and try one certification exam), so I tought, hey you
are right.  So I started this race for the certifications and liked it
because on those computer based exams I found the things that I do every day.

If there is some Hat Certified Salesman(HCS) certification and you are an
expert saling hats, then take the exam.

By the way, for me the hardest one was the MCSE (cuz of the really tuff
design exams).  If the Cisco design exams are like MS design exams, goodbye
to the CCDP.

2.
If you are talking about money, it depends.  Like some of you said,
experience is THA THING.  It depends WHERE you WORK.  I know CCNPs that earn
more than some CCIEs, even people who are not certified on anything but know
how to get the job done, earn more.

But if you love networking and I mean really love networking, go for the
CCIE and learn about every old and new technology.

Personally, I am now willing to pursue that cert cuz right know I am
studying some new interesting stuff (wireless, ip telephony, Advanced
Hacking Techniques (just kidding))

3.
Linux, what can I said about this little friend?  I admit that I am a
Microsoft kind of guy, I administer 18 MS servers and 2 Linux boxes which
are serving as secondary DNS servers.

I really like Command Line Interfaces, commands prompts or whatever you call
it.  So Linux for me is not as hard, but If the company you work for can
afford Microsoft OSs, then go for it.  Linux is getting more and more mature
but does not have a clear support that you want for a production server. 
They don`t even standarize the Graphic Interface (Linuxers every single day
discuss about which is better (KDE or GNOME).

Linux has some serious security issues (Sendmail, Apache) and when there is
a patch, sometimes the patch is installing the lastest version of the
service (that`s something that a network or systems administration won`t
like).  Imaging installing a new release once a month.  A lot of people are
contributing on the Linus Project, but it is getting out of his hands.

If we are talking about money again, a company that does not have Linux
installed or not have plans to implement it, will find a Linux Engineer
useless, the same for MS engineers on a 100% Linux shop.

By now, I can`t recommend Linux for a mission critical production server. 
Tunning Linux is not easy but can be done.

4.
Cisco, oh! Cisco, what can I say?  I love Cisco.  And the greatest device
MR. Router.  This guy is the 8th wonder!!  Reliable.

The Router is such a great device you know why? Because it does not have a
hard drive!!!  I hate HARD DRIVES.  And I know some of you we`ll agree in
this one.  When you think that everything is under control, PUFF, a hard
drive failure.

So as Priscilla said, do Cisco Networking if you love it.
Take a closer look at your router, think about all the technologies included
in that dark case; I mean that this device is the creator of the
Internet, the supporter of the Internet.

For these reasons, Cisco Networking Professionals and Experts will always be
needed.  The Internet is not going anywhere.



Peace

Diego Martinez Boque
-- 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66811&t=66811
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: Hybrid vs. Native [7:66766]

2003-04-03 Thread Larry Letterman
Especially since we run native in all our 6500's
that perform L3 task in the corp network here...




Larry Letterman
Network Engineer
Cisco Systems





> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> MADMAN
> Sent: Thursday, April 03, 2003 3:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Hybrid vs. Native [7:66766]
>
>
> The big thing to watch out for is line card support.  Most OSM cards
> are only supported in Native mode and the inverse is true with many
> voice modules.  I can't think of any other operational differences that
> would make me lean to one method or the other.  The 6500 is the only
> "box" being manufactured by Cisco that runs CatOS so Native is the
> future.  I actually thought the "future" would be here by now...
>
>Dave
>
> DeVoe, Charles (PKI) wrote:
> > So if I read this right, it is just a different set of commands.  Are there
> > operational differences?
> >
> > -Original Message-
> > From: MADMAN [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 03, 2003 3:44 PM
> > To: DeVoe, Charles (PKI)
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Hybrid vs. Native [7:66766]
> >
> >
> > DeVoe, Charles (PKI) wrote:
> > > We have a 6509 and I have heard talk about native vs. Hybrid mode of
> > > operation.  What is the difference?  Is there a link to a white paper or
> > > something?
> >
> > That question comes up periodically but in a nutshell a 6500 in
> > native mode is a big router, no CatOS commands, and if you are familiar
> > with 2900/3500 switch commands native switch layer 2 stuff will be
> > familiar and of course the L3 commands are your regular old IOS
> > commands.  Here is a snapshot of a 6506 running native:
> >
> > Native6506#sh ha
> > Cisco Internetwork Operating System Software
> > IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > TAC Support: http://www.cisco.com/tac
> > Copyright (c) 1986-2002 by cisco Systems, Inc.
> > Compiled Wed 04-Sep-02 18:45 by eaarmas
> > Image text-base: 0x40008C00, data-base: 0x41A68000
> >
> > ROM: System Bootstrap, Version 12.1(4r)E, RELEASE SOFTWARE (fc1)
> > BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > Native6506 uptime is 5 weeks, 2 days, 43 minutes
> > Time since Native6506 switched to active is 5 weeks, 2 days, 42 minutes
> > System returned to ROM by power-on (SP by power-on)
> > System image file is "slot0:c6sup12-js-mz.121-13.E.bin"
> >
> > cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
> > Processor board ID SAD05020HUX
> > R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
> > Last reset from power-on
> > Bridging software.
> > X.25 software, Version 3.0.0.
> > SuperLAT software (copyright 1990 by Meridian Technology Corp).
> > TN3270 Emulation software.
> > 8 Virtual Ethernet/IEEE 802.3  interface(s)
> > 120 FastEthernet/IEEE 802.3 interface(s)
> > 4 Gigabit Ethernet/IEEE 802.3 interface(s)
> > 381K bytes of non-volatile configuration memory.
> >
> > 16384K bytes of Flash internal SIMM (Sector size 512K).
> > Standby is up
> > Standby has 112640K/18432K bytes of memory.
> >
> > Configuration register is 0x2102
> >
> > Native6506#
> >
> > Native6506#sh conf
> > Using 8789 out of 391160 bytes
> > !
> > version 12.1
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname Native6506
> > !
> > boot system flash slot0:c6sup12-js-mz.121-13.E.bin
> > boot bootldr bootflash:c6msfc2-boot-mz.121-4.E1
> > no logging console
> > enable password cisco
> > !
> > ip subnet-zero
> > !
> > !
> > ip tcp intercept mode watch
> > no ip domain-lookup
> > !
> > mls flow ip destination
> > mls flow ipx destination
> > !
> > redundancy
> >   mode rpr-plus
> >   main-cpu
> >auto-sync running-config
> >auto-sync standard
> > !
> > !
> > !
> > interface Port-channel1
> >   no ip address
> >   switchport
> >   switchport trunk encapsulation dot1q
> > !
> > interface GigabitEthernet1/1
> >   no ip address
> >   switchport
> >   switchport trunk encapsulation dot1q
> >   switchport trunk native vlan 64
> > !
> > interface GigabitEthernet1/2
> >   no ip address
> >   shutdown
> > !
> > interface FastEthernet3/1
> >   no ip address
> >   duplex full
> >   speed 100
> >   switchport
> >   switchport access vlan 301
> >   switchport trunk encapsulation dot1q
> >   switchport mode trunk
> > !
> > interface FastEthernet3/2
> >   ip address 121.1.1.2 255.255.255.0
> >   duplex full
> >   speed 100
> > !
> > interface FastEthernet3/3
> >   ip address 30.1.1.1 255.255.255.0
> >   ip access-group 199 in
> >   duplex half
> >   speed 100
> > !
> > interface FastEthernet3/4
> >   no ip address
> >   duplex half
> >   speed 10
> >   switchport
> >   switchport access vlan 304
> >   switchport mode access
> > !
> > interface Vlan1
> >   no ip add
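
As an added example, not posted by anyone in this thread, here are the same
edge port, trunk and routed VLAN written both ways, so the difference MADMAN
describes is concrete: in native mode everything is IOS on the supervisor's
one CLI; in hybrid mode the layer 2 work is CatOS "set" commands on the
supervisor and only the routed interfaces live in IOS on the MSFC, which you
reach with "session" to its module number. Port numbers, VLANs and addresses
are assumptions, and the CatOS syntax is written from memory of the 6.x/7.x
releases, so check it against your version.

```cisco
! Added example, not from the thread. Ports, VLANs and addresses are
! assumptions; CatOS syntax is as remembered from the 6.x/7.x releases.
!
! ===== Native (Supervisor IOS): one CLI for both L2 and L3 =====
interface FastEthernet3/4
 description user port in VLAN 304
 switchport
 switchport access vlan 304
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/1
 description uplink trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 64
 switchport trunk allowed vlan 64,301,304
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan304
 ip address 10.30.4.1 255.255.255.0
!
! ===== Hybrid: CatOS on the supervisor does the switching... =====
Console> (enable) set vlan 304 3/4
Console> (enable) set spantree portfast 3/4 enable
Console> (enable) set trunk 1/1 nonegotiate dot1q
Console> (enable) clear trunk 1/1 1-63,65-300,302-303,305-1005
! On a dot1q trunk the port's own VLAN is the native VLAN:
Console> (enable) set vlan 64 1/1
!
! ...and the MSFC (module 15 for a supervisor in slot 1) runs IOS for L3.
Console> (enable) session 15
Router# configure terminal
Router(config)# interface Vlan304
Router(config-if)# ip address 10.30.4.1 255.255.255.0
```

The line card caveat from the thread applies on top of this: pick the mode the
modules you need are supported in first, then worry about which CLI you prefer.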

VPN 3000 & Token Server [7:66810]

2003-04-03 Thread Edward Sohn
Sent this email out a while back but didn't get any response.  Wasn't
sure if it didn't get through...Please help if you can...

I currently have the Cisco ACS and would like to implement a VPN 3000
series solution with a token server.  If you have done or researched
2-factor authentication, which Token server product works best with
Cisco's ACS?

If possible, please respond directly to me.

Thanks,

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66810&t=66810


RE: hacking challenge [7:66720]

2003-04-03 Thread Evans, TJ (BearingPoint)
I would have to take issue with the following statement:
"
You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched.
"


-MANY- so-called vulnerabilities are actually by design, we usually call
them features.  This is where the quality of the original coding, the
quality/details of the installation/configuration, and the layers wrapped
around all of this come together. 

Typically, we as users have no control over the coding aspect, aside from
auditing the application in question before deploying it and choosing your
vendor accordingly.

The installation / config is *very* important.  Nearly every vulnerability
would be bypassed if we could just disable all of the services, or leave the
machine without a network connection :).  Code Red and Slammer, to cite two
VERY BIG examples, would never have been an issue if the "recommended best
practices" from the vendor (MS, in this case) had been followed.

Patching, of course, is not to be underrated.  This *REALLY* comes into play
when the vulnerability exists in the services you offer - web services or
SQL, for ex.



I hate to sound repetitive, but the key lies in knowing how to address all
applicable layers and in maintaining vigilance in doing so.  "Defense in Depth"

Thanks!
TJ
-Original Message-
From: Symon Thurlow [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

This prompts me to say something about a comment from a previous poster
about how vulnerable Windows is compared to Linux/xBSD etc

I see many, many vulnerability alerts weekly for *nix based systems.
Probably just as many as you see for Windows.

You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched. 

I suggest that you go to some firewall vendor sites and plagiarise a bit
of marketing guff if you want to sell the firewall idea to a sceptic,
although just plonking a firewall in front of your unpatched sendmail
server won't achieve a great deal.

My 2c, YMMV

Symon



-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: 03 April 2003 20:05
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]


there's an access list on the ethernet interface that's directly
connected to a DSL modem.

they're allowing telnet and SMTP to, basically, any any plus various
other protocols from/to specific addresses.  There're only two outside
addresses that are NATted but it's really hideous and the access list is
the only thing resembling a layer of security between the internet and
their server farm.

I was just hoping to hear some really good verbiage about how vulnerable
they are.  I've told them for 3 months to get a PIX but it just ain't
sinking in. Now they've got a worm loose on their mail server that's
bringing down their main host system and their internet line (but that's
another story).



> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> 
> Wilmes, Rusty wrote:
> > 
> > this is a general question for the security specialists.
> > 
> > Im trying to convince a client that they need a firewall
> > 
> > so hypothetically,
> > 
> > if you had telnet via the internet open to a router (with an access 
> > list that allowed smtp and telnet) (assuming you didn't know the
> > telnet password
> > or the enable password)that had a bunch of nt servers on
> > another interface,
> 
> Do you actually mean that you are allowing Telnet and SMTP to
> go through the
> router? You said "to" above which is confusing. Allowing Telnet to the
> router unrestricted would be a horrible security hole, even 
> for people who
> don't know the password because passwords are often guessable.
> 
> But I don't think that's what you meant...
> 
> Allowing Telnet and SMTP through the router is more common,
> especially SMTP.
> You have to allow SMTP if you have an e-mail server that gets 
> mail from the
> outside world. Avoid Telnet, though, if you can. It sends all 
> text as clear
> text, including passwords.
> 
> The question is really how vulnerable is the operating system
> that the SMTP
> server is running on? It's probably horribly vulnerable if your client
> hasn't kept up with the latest patches, and it sounds like 
> your client is
> the type that hasn't? In fact, the server is probably busy 
> attacking the
> rest of us right now! ;-0
> 
> So, as far as convincing your customer
> 
> The best way may be to put a free firewall, like Zone Alarm,
> on the decision
> maker's computer and show her/him all the attacks happening 
> all the time. Or
> if she already has a firewall,
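
Rusty's description above (an ACL on the DSL-facing interface that permits
telnet and SMTP from anywhere to anywhere) is a common enough shape that it is
worth putting the weak form beside a hardened one. This is an added example,
not a configuration anyone in the thread posted: interface names, ACL numbers
and addresses (203.0.113.0/24 standing in for the client's public block,
203.0.113.25 for the mail server's NAT address, 192.168.1.10 for an inside
admin workstation) are assumptions, and SSH on the vty lines assumes a
crypto-capable IOS image. The hardened ACL is still stateless; it narrows the
exposure but does not replace the firewall Rusty is arguing for.

```cisco
! Added example, not posted in the thread. 203.0.113.0/24 stands in for the
! client's public block, 203.0.113.25 for the mail server's NAT address,
! 192.168.1.10 for an inside admin workstation; interface names and ACL
! numbers are assumptions.
!
! ----- The shape Rusty describes (weak): telnet and SMTP open to anything -----
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 25
! ...plus assorted host-specific permits, then the implicit deny.
interface Ethernet0
 description DSL modem
 ip access-group 101 in
!
! ----- Hardened replacement, as the same interface would read afterwards -----
! Drop packets claiming to come from our own block or from private/loopback
! space; nothing legitimate arrives from the Internet with those sources.
access-list 110 deny   ip 203.0.113.0 0.0.0.255 any log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
! SMTP only to the one host that is supposed to receive mail.
access-list 110 permit tcp any host 203.0.113.25 eq 25
! Replies to sessions opened from inside (ACK or RST set). This is the
! stateless approximation of what a firewall does properly; it is the weak
! spot of an ACL-only design and why a PIX is still the right answer.
access-list 110 permit tcp any 203.0.113.0 0.0.0.255 established
! No telnet from the Internet at all, and log whoever tries.
access-list 110 deny   tcp any any eq 23 log
access-list 110 deny   ip any any log
!
interface Ethernet0
 description DSL modem
 ip access-group 110 in
!
! ----- The router itself -----
! Management only from the inside admin host, over SSH, with an idle timeout.
! (SSH needs a crypto-capable image plus, in global config, "ip domain-name"
!  and "crypto key generate rsa" before "transport input ssh" will work.)
access-list 5 permit 192.168.1.10
access-list 5 deny   any log
username admin secret StrongPassHere
line vty 0 4
 access-class 5 in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Never leave passwords in clear text in the config.
service password-encryption
enable secret AnotherStrongOne
```

Check the result with "show access-lists 110" after a day: the hit counters on
the two logged deny lines are the "verbiage" Rusty is after, and a count of
blocked telnet attempts from the Internet tends to be persuasive on its own.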

weird css/ce problem [7:66813]

2003-04-03 Thread supernet
Hi,
 
I have a weird CSS/CE problem that I couldn't figure out. I appreciate
if anyone can help me out.
 
We use 1 CSS11500 and 2 CE590s as proxy servers to connect to the
Internet. Users at the main office don't have any problems. Users at the branch
office couldn't open a particular site page. That page just kept
refreshing itself. If I disable the proxy and have users connect to the Internet
directly, everything works. So the problem must be either the CSS or the CE.
However, I couldn't find anything wrong on them. What could be the
problem?
 
Thank you,
Yoshi




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66813&t=66813


RE: a question about ospf virtual-link auth [7:66648]

2003-04-03 Thread g mh
thanks a lot

Danny Free wrote:
> 
>   OOPS,
> I forgot to add on Router 2:
> !
> router ospf 100
> area 0 authentication message-digest.
> 
> :))




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66815&t=66648
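
Danny Free's correction above is the piece that is easy to miss: a virtual
link is an interface in area 0, so it is area 0's authentication setting, not
the transit area's, that applies to it, and it has to match on both ends. As
an added example, not from the thread, here is a complete two-router
configuration with MD5 authentication on the virtual link. Router IDs, the
transit area number, the key string and the process number are assumptions.

```cisco
! Added example, not from the thread. Router IDs 1.1.1.1 and 2.2.2.2,
! transit area 1, the subnets and the key string are assumptions.
!
! ---- Router 1: ABR between area 0 and transit area 1 ----
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
router ospf 100
 router-id 1.1.1.1
 area 0 authentication message-digest
 area 1 virtual-link 2.2.2.2 message-digest-key 1 md5 S3cretKey
 network 1.1.1.1 0.0.0.0 area 0
 network 10.0.1.0 0.0.0.255 area 1
!
! ---- Router 2: ABR between transit area 1 and area 2, which has no ----
! ---- physical connection to area 0 (hence the virtual link)         ----
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
router ospf 100
 router-id 2.2.2.2
 ! Router 2 has no physical area 0 interface, which is exactly why this
 ! line gets forgotten. Without it the virtual link stays down with an
 ! authentication type mismatch against Router 1.
 area 0 authentication message-digest
 area 1 virtual-link 1.1.1.1 message-digest-key 1 md5 S3cretKey
 network 10.0.1.0 0.0.0.255 area 1
 network 10.0.2.0 0.0.0.255 area 2
!
! Verify on either end:
!   show ip ospf virtual-links    (adjacency state FULL, message digest
!                                  authentication enabled, key id 1)
!   debug ip ospf adj             (shows the mismatch if one side lacks it)
```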




RE: IP route to Null0? [7:66755]

2003-04-03 Thread Emilia Lambros
Though to answer your question :)

Summarization means advertising the biggest network you choose/should
advertise.  If you had a /23 that was routed as 2 /24s in your network,
you'd summarize those as a /23 on the way out of your network to keep the
routing table smaller...

You should probably do the same for your next /24 unless you can find a
specific reason not to.  It saves headaches with route dampening in the long
run if nothing else :)




-Original Message-
From: Anil Gupte [mailto:[EMAIL PROTECTED]
Sent: Friday, 4 April 2003 7:21 AM
To: [EMAIL PROTECTED]
Subject: Re: IP route to Null0? [7:66755]


You are right, it is using BGP.  What does summarization do?
Do I need an identical statement for my new Class C?

Thanx,
Anil Gupte

- Original Message -
From: "Karsten" 
To: "Anil Gupte" ; 
Sent: Thursday, April 03, 2003 10:46 AM
Subject: Re: IP route to Null0? [7:66755]


Either a sloppy way to drop traffic for a /24, or bgp
summarization using null routing.

-Karsten

On Thursday 03 April 2003 07:40 am, Anil Gupte wrote:
> I am trying to understand some IP route commands on our router.  Several of
> them go to Null0 - what does that mean?
>
> For example, I have
> ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200
>
> What is this doing?
>
> I need to add another block of class Cs from the same provider. Do I need
> a similar statement to the above?
>
> Thanx for your help.
> Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66817&t=66755


RE: IP route to Null0? [7:66755]

2003-04-03 Thread Emilia Lambros
In the event that you are running an internal dynamic routing protocol that
would normally be the reason why the /24 is in your routing table (hence the
ability for it to be in the BGP advertisements), should the place you are
dynamically routing it to go away, so does your route in the IGP, thus so
does the BGP route.

Since providers dampen routes that flap constantly (to avoid their own
routers being bogged down by BGP), if you have problems in your internal
network, it is seen by other people.  If your route gets dampened, certain
parts of the internet can't get to you depending on who's done the
dampening. (i.e., if a route flaps, the router takes notice of how many times
it's flapped and when it hits a threshold, the route is removed from that
provider's routing table for a specified period of time, usually depending
on the size of network .. small /24s go for a long time because they're
usually smaller outfits, a /16 goes for a short period of time because it's
usually going to be a bigger outfit/tier 1).

A route to null0 with a high AD provides a way for that route to exist in
your IGP statically should your dynamic protocol have issues.  You will
never lose a route to Null0 unless you add it .. remove it .. add it ..
remove it .. etc :)  Or your router's having serious rebooting problems ..

On the other hand, you'd also lose the route if it was a directly connected
interface that went down.  Null0 route would also help there I'd guess.




-Original Message-
From: Anil Gupte [mailto:[EMAIL PROTECTED]
Sent: Friday, 4 April 2003 7:21 AM
To: [EMAIL PROTECTED]
Subject: Re: IP route to Null0? [7:66755]


You are right, it is using BGP.  What does summarization do?
Do I need an identical statement for my new Class C?

Thanx,
Anil Gupte

- Original Message -
From: "Karsten" 
To: "Anil Gupte" ; 
Sent: Thursday, April 03, 2003 10:46 AM
Subject: Re: IP route to Null0? [7:66755]


Either a sloppy way to drop traffic for a /24, or bgp
summarization using null routing.

-Karsten

On Thursday 03 April 2003 07:40 am, Anil Gupte wrote:
> I am trying to understand some IP route commands on our router.  Several of
> them go to Null0 - what does that mean?
>
> For example, I have
> ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200
>
> What is this doing?
>
> I need to add another block of class Cs from the same provider. Do I need
> a similar statement to the above?
>
> Thanx for your help.
> Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66816&t=66755
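
Emilia's two replies above describe the mechanism in prose; as an added
example, not configuration anyone in the thread posted, here is the same
thing written out. 192.0.2.0/24 and 192.0.3.0/24 stand in for the original
poster's two /24s (summary 192.0.2.0/23), 192.0.5.0/24 for the newly assigned
block, and the AS numbers, neighbor address and OSPF process are assumptions.
The Null0 static does two jobs: it gives BGP's network statement an exact match
that stays in the routing table while the IGP flaps underneath it, and it
drops packets for addresses inside the aggregate that have no more-specific
route instead of sending them back out the default route toward the provider.

```cisco
! Added example, not from the thread. 192.0.2.0/24 and 192.0.3.0/24 stand in
! for the original poster's two /24s (summary 192.0.2.0/23), 192.0.5.0/24 for
! the newly assigned block; AS numbers, the neighbor address and the OSPF
! process number are assumptions.
!
! The anchor route. Two effects:
!  1. BGP's "network" statement needs an exact match in the routing table.
!     This static is always present, so the /23 keeps being advertised even
!     while the /24s it covers come and go inside the IGP. The outside never
!     sees the flap, so nobody dampens the prefix.
!  2. A packet for an address inside the /23 with no more-specific route is
!     dropped here instead of following the default route back to the
!     provider, who routes the /23 straight back to us until TTL expires.
! AD 200 is above OSPF's 110, so if OSPF ever carries the same /23 the IGP
! route wins; for the /24s themselves longest-prefix match wins anyway.
ip route 192.0.2.0 255.255.254.0 Null0 200
!
router ospf 1
 network 192.0.2.0 0.0.1.255 area 0
!
router bgp 64512
 no synchronization
 network 192.0.2.0 mask 255.255.254.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 prefix-list OUT-TO-ISP out
!
! Belt and braces: whatever lands in the BGP table, only the aggregates may
! leave. Without this a stray "network" or "redistribute" could leak a /24
! and bring the flapping problem back.
ip prefix-list OUT-TO-ISP seq 5 permit 192.0.2.0/23
ip prefix-list OUT-TO-ISP seq 100 deny 0.0.0.0/0 le 32
!
! Anil's new block. It is not adjacent to the /23, so it cannot be folded
! into it: it gets its own anchor, network statement and prefix-list entry.
ip route 192.0.5.0 255.255.255.0 Null0 200
router bgp 64512
 network 192.0.5.0 mask 255.255.255.0
ip prefix-list OUT-TO-ISP seq 10 permit 192.0.5.0/24
!
! Checks:
!   show ip route 192.0.2.0 255.255.254.0              (static via Null0)
!   show ip bgp neighbors 198.51.100.1 advertised-routes (only the anchors)
```

If the provider had assigned an adjacent /24 instead (192.0.4.0/24 next to
192.0.5.0/24, say), the right move would be one wider anchor and one wider
network statement rather than a second pair of entries.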


Re: Debug display to VTY [7:66762]

2003-04-03 Thread Jonathan V Hays
James Gosnold wrote:
> Um, probably a silly one for you all.
> 
> I have a 1721 router at either end of a leased line. I telnet into the
> router and:
> 
> Router#debug serial int
> Serial network interface debugging is on
> Router#terminal monitor
> 
> And nothing. Shouldn't I get some debug messages here, keep alives and such
> between the CSU and my router? It's a live connection and the line works, as
> far as I knew this was all I needed to enter to view debug output from a
> telnet session? In fact I don't appear to be getting debug output for
> anything so I'm missing something silly here but I thought 'terminal
> monitor' was sufficient?
> 
> Regards, James.


You might try turning off fast switching on the serial interface 
(no ip route-cache).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66818&t=66762


VPN CONCENTRATOR Parallel FW [7:66819]

2003-04-03 Thread neil K.
All,


I am planning to put a VPN concentrator in parallel with a firewall. The problem
I am concerned about is the default gateway on the servers and other
workstations.
Since the concentrator is sitting parallel to the FW, the servers have a
router, which is on the same subnet as the firewall inside interface and VPN
concentrator inside, defined as the default gateway. So for the servers to
send the traffic back, I think we have to add a static route with the
regular route command under Windows.
Is that the only solution, or will the Tunnel Default Gateway option in the
concentrator help to fix this issue?

Any help will be highly appreciated.

Thanks,

Neil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66819&t=66819


RE: More about Linux VS. Cisco [7:66811]

2003-04-03 Thread calista -
I don't usually post but I follow the discussions with a great deal of
interest. This discussion is particularly interesting and has prompted me
out from under my rock to throw in my 2 cents' worth. I'll climb back under my
rock when I'm done.


> 3.
> Linux, what can I said about this little friend?  I admit that
> I am a Microsoft kind of guy, I administer 18 MS servers and 2
> Linux boxes which are serving as secondary DNS servers.
> 
> I really like Command Line Interfaces, commands prompts or
> whatever you call it.  So Linux for me is not as hard, but If
> the company you work for can afford Microsoft OSs, then go for
> it.  Linux is getting more and more mature but does not have a
> clear support that you want for a production server.  They
> don`t even standarize the Graphic Interface (Linuxers every
> single day discuss about which is better (KDE or GNOME).

> Linux has some serious security issues (Sendmail, Apache) and
> when there is a patch, sometimes the patch is installing the
> lastest version of the service (that`s something that a network
> or systems administration won`t like).  Imaging installing a
> new release once a month.  A lot of people are contributing on
> the Linus Project, but it is getting out of his hands.
> 
> By now, I can`t recommend Linux for a mission critical
> production server.  Tunning Linux is not easy but can be done.
> 

I can't believe these statements. What a load of rubbish.
Just because there are choices available for GUI, that's bad? (You don't
usually run Linux servers with a GUI, waste of resources.)
As for Sendmail, Apache, these are not part of the OS, they are apps that
run on Linux (you can get Apache for Windows). You can't make such a
comparison and lump it all as Linux.
On the subject of patches, I don't know of any major piece of software (be
it OS or whatever) that doesn't have continuous patches and updates (including
Cisco), why is that bad?
And finally on production servers, I know sites running Linux in such roles
with a great deal of success and reliability.
You may think tuning Linux is not easy but in fact it is very easy to do and
well documented. At least you can see exactly what the OS is doing and have a
lot more control on how the kernel behaves.
I believe (from a variety of magazine surveys, etc.) that the Red Hat
Certification (RHCE) is right up there with Cisco. RHCE follows Cisco in
that you have to do a practical lab to get your cert, which I have been told
is very tough.

I'll get off my soapbox now; I am not trying to be provocative at all, I
just think misinformation is bad and not useful.

I concur with what other people have said already, if you like networking
and Cisco, do it. Don't worry about what the other guy is doing.
I would comment though that Linux, FreeBSD, etc. are very useful and valuable
tools that can greatly help your understanding of networking. It's really
great setting up a dozen really old PCs with Linux as web, ftp, mail servers,
DNS boxes, even NetBIOS server/clients and running them up on a Cisco lab
scenario and running your own little internet! Beats "pinging" everything.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66820&t=66811


Re: Hybrid vs. Native [7:66766]

2003-04-03 Thread Bullwinkle
""MADMAN""  wrote in message
news:[EMAIL PROTECTED]
> The big thing to watch out for is line card support.  Most OSM cards
> are only supported in Native mode and the inverse is true with many
> voice modules.  I can't think of any other operational differences that
> would make me lean to one method or the other.  The 6500 is the only
> "box" being manufactured by Cisco that runs CatOS so Native is the
> future.  I actually thought the "future" would be here by now...


Guess again. I was at a Cisco presentation yesterday in San Jose. Heard all
about the Native versus Cat storyline.

IIRC from the slides, CatOS is in the plans through 2012. If Cisco ever
delivers on their promise to provide the slides, I'll send you a copy, which
I know you're entitled to, being a Customer and a CCIE in good standing ;->

did I ever thank you for the beer truck, by the way?



>
>Dave
>
> DeVoe, Charles (PKI) wrote:
> > So if I read this right, it is just a different set of commands.  Are there
> > operational differences?
> >
> > -Original Message-
> > From: MADMAN [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 03, 2003 3:44 PM
> > To: DeVoe, Charles (PKI)
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Hybrid vs. Native [7:66766]
> >
> >
> > DeVoe, Charles (PKI) wrote:
> > > We have a 6509 and I have heard talk about native vs. Hybrid mode of
> > > operation.  What is the difference?  Is there a link to a white paper or
> > > something?
> >
> > That question comes up periodically but in a nutshell a 6500 in
> > native mode is a big router, no CatOS commands, and if you are familiar
> > with 2900/3500 switch commands native switch layer 2 stuff will be
> > familiar and of course the L3 commands are your regular old IOS
> > commands.  Here is a snapshot of a 6506 running native:
> >
> > Native6506#sh ha
> > Cisco Internetwork Operating System Software
> > IOS (tm) c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > TAC Support: http://www.cisco.com/tac
> > Copyright (c) 1986-2002 by cisco Systems, Inc.
> > Compiled Wed 04-Sep-02 18:45 by eaarmas
> > Image text-base: 0x40008C00, data-base: 0x41A68000
> >
> > ROM: System Bootstrap, Version 12.1(4r)E, RELEASE SOFTWARE (fc1)
> > BOOTLDR: c6sup2_rp Software (c6sup2_rp-JS-M), Version 12.1(13)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > Native6506 uptime is 5 weeks, 2 days, 43 minutes
> > Time since Native6506 switched to active is 5 weeks, 2 days, 42 minutes
> > System returned to ROM by power-on (SP by power-on)
> > System image file is "slot0:c6sup12-js-mz.121-13.E.bin"
> >
> > cisco Catalyst 6000 (R7000) processor with 112640K/18432K bytes of memory.
> > Processor board ID SAD05020HUX
> > R7000 CPU at 300Mhz, Implementation 39, Rev 2.1, 256KB L2, 1024KB L3 Cache
> > Last reset from power-on
> > Bridging software.
> > X.25 software, Version 3.0.0.
> > SuperLAT software (copyright 1990 by Meridian Technology Corp).
> > TN3270 Emulation software.
> > 8 Virtual Ethernet/IEEE 802.3  interface(s)
> > 120 FastEthernet/IEEE 802.3 interface(s)
> > 4 Gigabit Ethernet/IEEE 802.3 interface(s)
> > 381K bytes of non-volatile configuration memory.
> >
> > 16384K bytes of Flash internal SIMM (Sector size 512K).
> > Standby is up
> > Standby has 112640K/18432K bytes of memory.
> >
> > Configuration register is 0x2102
> >
> > Native6506#
> >
> > Native6506#sh conf
> > Using 8789 out of 391160 bytes
> > !
> > version 12.1
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname Native6506
> > !
> > boot system flash slot0:c6sup12-js-mz.121-13.E.bin
> > boot bootldr bootflash:c6msfc2-boot-mz.121-4.E1
> > no logging console
> > enable password cisco
> > !
> > ip subnet-zero
> > !
> > !
> > ip tcp intercept mode watch
> > no ip domain-lookup
> > !
> > mls flow ip destination
> > mls flow ipx destination
> > !
> > redundancy
> >   mode rpr-plus
> >   main-cpu
> >auto-sync running-config
> >auto-sync standard
> > !
> > !
> > !
> > interface Port-channel1
> >   no ip address
> >   switchport
> >   switchport trunk encapsulation dot1q
> > !
> > interface GigabitEthernet1/1
> >   no ip address
> >   switchport
> >   switchport trunk encapsulation dot1q
> >   switchport trunk native vlan 64
> > !
> > interface GigabitEthernet1/2
> >   no ip address
> >   shutdown
> > !
> > interface FastEthernet3/1
> >   no ip address
> >   duplex full
> >   speed 100
> >   switchport
> >   switchport access vlan 301
> >   switchport trunk encapsulation dot1q
> >   switchport mode trunk
> > !
> > interface FastEthernet3/2
> >   ip address 121.1.1.2 255.255.255.0
> >   duplex full
> >   speed 100
> > !
> > interface FastEthernet3/3
> >   ip address 30.1.1.1 255.255.255.0
> >   ip access-group 199 in
> >   duplex half
> >   speed 100
> > !
> > interface FastEthernet3/4
> >   no ip address
> >   duplex half
> >   speed 10
> >   switchport
> >   switchport ac