Re: [CISCO] RE: VLANs AD [7:69873]
URT is supposed to allow mapping of vlan's to a switchport based on user (I've never used though).
http://www.cisco.com/en/US/products/sw/secursw/ps2136/index.html

At a recent cisco event one of the cisco se's mentioned that Cisco may be URT with 802.1x once all the kinks are worked out so I wouldn't be surprised if URT goes EOS soon.

On Mon, Jun 02, 2003 at 01:15:14AM +, - jvd wrote:

Joseph, I may be wrong, but I think dynamic VLANS can only be assigned according to the MAC address (I can't believe Cisco doesn't make dynamic VLAN assignment also based on the IP, port, etc. !!??) In any case the feature you need to use is VMPS (VLAN membership policy server).
http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2ec.html#12998

Please post again if you find contrary information, because I would like to learn more on this...

Regards,

--
Patrick Aland [EMAIL PROTECTED]
Network Administrator Voice: 386.822.7217
Stetson University Fax: 386.822.7367

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69989t=69873
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Need help for CCNA 3.0 [7:69772]
Cisco Certified Network Associate Exam (CCNA 640-607)*

Exam Number: 640-607
Associated Certifications: CCNA
Duration: 90 minutes (55-65 questions)
Available Languages: English, Japanese in Japan only
*Approved for VA reimbursement.

Exam Description

The Cisco Certified Network Associate exam (CCNA) is the only exam required to achieve a CCNA Routing and Switching certification.

Exam Topics

The following topics are general guidelines for the content likely to be included on the CCNA exam. However, other related topics may also appear on any specific delivery of the exam.

Bridging/Switching
- Distinguish between cut-through and store-and-forward LAN switching
- Describe the operation of the Spanning Tree Protocol and its benefits
- Verify the operation of the Spanning Tree Protocol on the switch
- Describe the operation and benefits of VLANs
- Configure VLANs on a switch
- Configure VTP and trunking on switches
- Compare and contrast switches and bridges
- Identify anomalies in VLAN, trunking, and VTP operation
- Configure a switch for basic operations

OSI Reference Model Layered Communication
- Describe data link and network addresses and identify key differences between them
- Identify at least three reasons why the industry uses a layered model
- Define and explain the conversion steps of data encapsulation and de-encapsulation
- Describe connection-oriented network service and connectionless network service, and identify their key differences
- Describe the functions of each of the seven layers of the OSI model and their corresponding applications
- Compare the OSI model with the TCP/IP stack
- Match networking devices to their OSI layer(s)
- Use the OSI model as a conceptual strategy to identify network problems

Routed Protocols
- Describe the different classes of IP addresses including subnetting and private addresses
- Configure IP addresses
- Troubleshoot IP address schemes
- Develop an IP addressing scheme to meet requirements
- Identify the fundamental uses of various TCP/IP application layer protocols
- Convert between decimal, hexadecimal, and binary
- Define flow control and describe the three basic methods used in networking
- Explain the functions of the TCP/IP network and transport layer protocols

Routing Protocols
- Configure a router for inter-VLAN communication
- Verify IP routing with show and debug commands
- Compare and contrast the key operations that distinguish distance-vector, link-state, and hybrid protocols
- Identify exterior and interior routing protocols
- Configure static and default routes on a router
- Enable RIP and IGRP on a router
- Identify routing metrics used by IGRP and RIP

WAN Protocols
- Explain key Frame Relay terms and features
- Configure Frame Relay LMIs, maps, and subinterfaces
- Identify ISDN protocols, function groups, reference points, and channels
- Differentiate between the following WAN services: LAPB, Frame Relay, ISDN/LAPD, HDLC, PPP, and DDR
- Identify PPP operations to encapsulate WAN data on Cisco routers
- Use show commands to display network operational parameters so that anomalies are detected
- Configure ISDN BRI and legacy dial-on-demand routing (DDR)
- Configure a serial connection with PPP encapsulation

Network Management
- Monitor and verify selected access list operations on the router
- Configure authentication types (CHAP/PAP) on PPP links
- Manage configuration files from the privilege EXEC mode
- Manage IOS images and device configuration files
- Load Cisco IOS software from: Flash memory, a TFTP server, or ROM
- Perform backup, upgrade, and loading of Cisco IOS software and configuration files
- Configure access lists to meet specified operational requirements
- Use CDP to identify a network topology
- Use ICMP to verify network connectivity and locate network problems

LAN Technologies
- Determine the appropriate uses for full- and half-duplex Ethernet operation.
- Describe the causes and effects of network congestion in Ethernet networks
- Describe the benefits of network segmentation with various networking devices
- Identify the cause(s) of LAN connectivity problem
- Describe the function, operation, and primary components on a LAN

Cisco Basics, IOS Network Basics
- Describe router elements (RAM, ROM, Flash, NVRAM, config register)
- Configure router passwords, identification, and banner
- Use the context-sensitive help facility
- Use the command history and editing features
- Perform the initial router configuration (including using the setup mode).
- Use show commands to display basic network operational parameters
- Describe router start-up sequence
- Establish connectivity from a host to
Multicasting Problem [7:69987]
Hi All,

We need to enable multicasting support across our network. There are two technologies available to limit the multicast packets on the switch:

1) RGMP
2) CGMP

My routers support both these technologies. Just wanted to know from the group if anybody has used any of these, and which is the better of the two. Also let me know of any common problems in any one of them.

Thanks in advance,
Bharat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69987t=69987
Router simulator for CCNP? [7:69986]
There are a lot of router simulators, but is there any good one for the CCNP?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69986t=69986
PIX to concentrator Problem ......Urgent [7:69988]
Hi All,

We are using site-site Tunnel formed between PIX firewall at one remote location to Cisco VPN concentrator connected at central side. On the central side there are number of subnets that all been added to the network list on both PIX VPN concentrator to enable remote site to access all the subnets on the central site.

Problem is that while Tunnel is running it suddenly drops all packets for one particular subnet on the central site. I have tried all possible means of troubleshooting but nothing seems to work.

Pls help me out with any ideas if possible.

Thanks
Bharat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69988t=69988
ccnp foundation 640-841, [7:69984]
hi guys,

Has anybody taken this foundation exam 640-841 recently? Any advice please, appreciate it. Gonna give it a shot.

cheers
hin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69984t=69984
RE: Cisco Switches with Stonebeat [7:69505]
Bikespace,

Just spent a day testing exactly this... spooky.

You're correct, Ciscos cannot put a multicast MAC in their ARP cache dynamically - BUT - you CAN put STATIC ARP entries in a Cisco pointing to a multicast MAC (even if Layer 3 is unicast).

However there are some small performance points here (only small!). Turning CEF on does have some benefits but not huge amounts. I threw 100 * 512 byte UDP segments at the Cisco for 5 mins while using a static multicast ARP entry - it coped just fine.

HTH
Rich

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69993t=69505
RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]
Charles/Mark,

No infinite wisdom I'm afraid - just my £0.2.

Is it because the statements below effectively do nothing due to the fact that statement 2 undoes what statement one has just done? [or have I missed the point.]

1) alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
2) alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

I would have thought that you would only need statement one - why do you need to reverse what you did in statement one for the hosts on the inside net?

regards
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69990t=69779
RE: Prolonged BS Vs. CCNP ? Another alternative [7:69963]
At 7:35 AM + 6/2/03, n rf wrote:

Howard C. Berkowitz wrote:

Another aspect that hasn't been discussed is the whole area of other skill sets, other than perhaps server skills and general management (MBA-ish). Now, I'll challenge the assumption of some people that say they don't want to be engineers and haul boxes around for their whole careers. Engineers do lots of things that don't involve hauling boxes, such as design, product management, presales, etc. Engineer != support technician.

I would submit that all these alternatives are more easily achieved with a degree than with a cert. Things like presales, design, product-management and the like all require soft-skills that are better addressed via a degree program but are addressed poorly, if at all, by a cert program.

I don't necessarily disagree with the above. But, the reason I changed the thread title slightly is that _my_ central point is that a work-study degree may be the best of all worlds early in a career, since it allows both.

Degree programs are not necessarily the best for soft skills, or at least some of the technical degree programs. I remember telling a computer science professor in a graduate program that if I started programming his sloppy way, I'd get fired. If one attends the IETF, one will find the presentation skills often to be very deficient. The IETF is a very mixed bag, with dropouts and PhD's getting respect on their accomplishments rather than their credentials. Realistic network design doesn't usually enter undergraduate programs of any sort.

Quite frankly, in later career, personal networking and one's experience (including things such as publications) may be more important than either. Self-education, beyond the scope of the degree or cert, also is important. While my original academic work was in biochemistry, most of my medical knowledge was acquired less formally. I have an extremely successful friend who is a consultant to the brokerage industry -- his main training was as a Navy sonar technician, but he now has a deep understanding of financial operations.

Therefore the central point still stands - the degree gives you greater overall career flexibility than a cert will. No industry field outside the very narrow confines of network engineering gives much credence to the value of a Cisco cert, but every field values the degree. So the real question a person who chooses to forgo the degree in favor of Cisco certs has to ask himself is whether he is absolutely sure that he wants to do Cisco networking for the rest of his life, or does the possibility exist that he might want to do something else when he gets older?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69992t=69963
Re: Multiple VLANs in a single switch port [7:69991]
hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,
jef

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69991t=69991
Problem with RSA ACE SERVER (aka SecureID) authentication for [7:69995]
All,

I am trying to get the RSA ACE Server to authenticate VPN remote users that terminate VPN connection to my Pix firewall. So far it is not working and here is my scenario:

Pix FW:
Outside IP: 12.1.1.100 (netmask /21)
Inside IP: 172.161.254 (netmask /24)
DMZ IP: 172.18.1.254 (netmask /24)

The IP address of the RSA ACE-Server is 172.18.1.2.

Here is the configuration on my pix firewall. By the way, I am using Pix OS 6.3(1):

ip local pool test 172.30.1.1-172.30.1.254
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server ACE-SERVER protocol radius
aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set set2 esp-des esp-sha-hmac
crypto ipsec transform-set set3 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
crypto map outside 20 ipsec-isakmp dynamic vpnremote
crypto map outside client configuration address respond
crypto map outside client authentication ACE-SERVER
outside interface outside
isakmp enable outside
isakmp key *** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default address-pool test
vpngroup default dns-server 129.174.1.8
vpngroup default wins-server 129.174.1.8
vpngroup default default-domain test.com
vpngroup default split-tunnel 100
vpngroup default split-dns test.com
vpngroup default idle-time 1800

The problem is that whenever the pix sends an access-request to the RSA ACE Server, the ACE Server sends back an access-reject to the pix. It seems like the ACE Server thinks that the pix is an unauthorized host to communicate with the ACE Server.

Now, I add the pix as an Agent Host on the ACE Server (Is this similar to the clients.conf to FreeRadius?) and it still wouldn't work. Radius is also running on the ACE Server so I know that the communication is there. Furthermore, there is NO blocking of communication between the Pix and the ACE Server.

Can someone with experience with ACE Server help me out with this problem? It has been a frustrating week. I am running ACE Server version 5.1 on both Windows 2000 Server.

D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69995t=69995
Re: Multiple VLANs in a single switch port [7:69991]
koh jef wrote:

is there any way/s to configure multiple VLANs in a single switch port?

Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on what switch you're using. Most switches can't do it, but some can; Cisco's 2900 series can, for instance.

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69997t=69991
RE: multiple isakmp policies question-No authentication [7:69996]
Hey... thanks.. finally I got response from my PIX515, but it just hangs at the securing communication channel stage (see below) and it doesn't authenticate the users. What config should I add to point it to my authentication server 192.168.1.201? For your info, my VPN client is installed at Win95 and my authentication server is a W2K server.

Initializing the connection...
Contacting the gateway at 100.100.100.101...
Negotiating security policies...
Securing communication channel...

I remember in VPN3000 server, I need to specify the authentication server for VPN group, but why in PIX515 sample on the net, why it doesn't have this entry

From: Andrew Larkins

from what I remember about this, they will try each policy until a match is made, otherwise the connection terminates

-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED]

hey.. I have a PIX 515 and have a PIX to PIX connection to London and NY using pre-shared key des, hash sha and dh group 1 and I am going to let VPN3000 client 3.X connect to here as here and I created another isakmp policy 20, with hash md5, dh group 2 as shown below. Can u take a look whether the config is correct? And my question is I have 2 isakmp policies here, how does the PIX-PIX and VPN 3000 3.X client know which isakmp policy to take?

crypto ipsec transform-set newset esp-des
crypto dynamic-map dynmap 30 set transform-set newset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer nyapix
crypto map newmap 10 set transform-set newset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer ldnpix
crypto map newmap 20 set transform-set newset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key address ldnpix netmask 255.255.255.255
isakmp key address nyapix netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CLIENTS address-pool REMOTEIPPOOLS
vpngroup CLIENTS dns-server 192.168.1.201
vpngroup CLIENTS wins-server 192.168.1.201
vpngroup CLIENTS default-domain xyz.com
vpngroup CLIENTS idle-time 1800
vpngroup CLIENTS password

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69996t=69996
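
The question in the message above (which of two isakmp policies a peer ends up using) can be worked through with a small matcher. This is an added example, not part of the original thread: it models the responder walking its own policies in priority order (lowest number first) and accepting the first one whose authentication, encryption, hash and DH group all equal one of the initiator's proposals. The function names and the sample proposals are made up for illustration, and lifetime comparison is left out.

```python
import re

# Constructed from the `isakmp policy` lines in the posted configuration.
CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Attributes that must all agree for a proposal to match a policy
# (assumption of this sketch: lifetime is negotiated separately).
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")


def parse_policies(config):
    """Return {priority: {attribute: value}} from `isakmp policy` lines."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not an isakmp policy line
        prio, key, value = int(m.group(1)), m.group(2), m.group(3)
        policies.setdefault(prio, {})[key] = value
    return policies


def select_policy(local_policies, proposals):
    """Return the priority of the first local policy matching any proposal.

    Policies are tried lowest number first. A proposal matches only if every
    attribute in MATCH_KEYS is equal; attributes are never mixed between
    policies. Returns None when nothing matches (negotiation fails).
    """
    for prio in sorted(local_policies):
        local = local_policies[prio]
        for proposal in proposals:
            if all(local.get(k) == proposal.get(k) for k in MATCH_KEYS):
                return prio
    return None


# Constructed proposals, following the post's description of each peer.
PIX_PEER = {"authentication": "pre-share", "encryption": "des",
            "hash": "sha", "group": "1"}
VPN_CLIENT = {"authentication": "pre-share", "encryption": "des",
              "hash": "md5", "group": "2"}
# Hash from policy 10 with the group from policy 20: matches neither.
MIXED = {"authentication": "pre-share", "encryption": "des",
         "hash": "sha", "group": "2"}

if __name__ == "__main__":
    policies = parse_policies(CONFIG)
    for name, offer in (("PIX peer", [PIX_PEER]),
                        ("VPN client", [VPN_CLIENT]),
                        ("mixed", [MIXED])):
        print(name, "->", select_policy(policies, offer))
```

The mixed proposal shows why a peer whose hash and group settings are split across the two policies fails to negotiate even though each value appears somewhere in the configuration.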
RE: PIX to concentrator Problem ......Urgent [7:69988]
Check your network lists on the concentrator. They need to be as explicit as possible. If you supernet any contiguous networks, ensure that you do not accidentally include a network that is really down another tunnel.

Cheers,
Steve Wilson
CCNP CCDA
Network Engineer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 02 June 2003 12:55
To: [EMAIL PROTECTED]
Subject: PIX to concentrator Problem ..Urgent [7:69988]

Hi All,

We are using site-site Tunnel formed between PIX firewall at one remote location to Cisco VPN concentrator connected at central side. On the central side there are number of subnets that all been added to the network list on both PIX VPN concentrator to enable remote site to access all the subnets on the central site.

Problem is that while Tunnel is running it suddenly drops all packets for one particular subnet on the central site. I have tried all possible means of troubleshooting but nothing seems to work.

Pls help me out with any ideas if possible.

Thanks
Bharat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6t=69988
RE: Multiple VLANs in a single switch port [7:69991]
Put the port in trunk mode then multiple vlans can go in and out of the port.

-Original Message-
From: koh jef [mailto:[EMAIL PROTECTED]
Sent: 02 June 2003 02:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]

hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,
jef

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=7t=69991
PIX Router [7:70001]
I have a router connected to a vlan trunk, one for internet access, and one for a remote branch, but then I have a pix that all my users connect through, and does the NAT. But then of course the users in the remote branch that connect directly to the border router can't access the internet, as that router just routes them to the internet, but I would like for it to go through the pix, first in, then nat, out. Is this possible, i.e. as the PIX can not generally send traffic out the same interface as it receives it.

best regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70001t=70001
RE: Multiple VLANs in a single switch port [7:69991]
Sure there are! One is Multi Port and second, trunks. Search on CCO for details.

Vikram

-Original Message-
From: koh jef [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 5:43 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]

hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,
jef

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69998t=69991
Re: Multiple VLANs in a single switch port [7:69991]
You don't say what type of switch so I'll assume a 2900/3500

switchport mode multi

Dave

koh jef wrote:

hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,
jef

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

Government can do something for the people only in proportion as it can do something to the people. -- Thomas Jefferson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70003t=69991
RE: Multiple VLANs in a single switch port [7:69991]
Hi,

I believe it depends on the switch, like Marco said. I have a Catalyst 3548XL and I can set up multiple vlans on one port.

Thanks,
Michael Montiverdi

-Original Message-
From: M.C. van den Bovenkamp [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 9:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]

koh jef wrote:

is there any way/s to configure multiple VLANs in a single switch port?

Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on what switch you're using. Most switches can't do it, but some can; Cisco's 2900 series can, for instance.

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70002t=69991
RE: PIX Firewall 6.2.2 Inside network can not reach [7:69779]
Richard-

As I had said in my last post, in analyzing his syntax, it appears he's trying to do Destination NAT and DNS Doctoring at the same time, for which it obviously doesn't work. I couldn't tell you if line 2 is auto-reversing what line 1 does by the PIX's operating code, but you are correct that only one line is needed.

From what I gathered of the documentation, he also needed to do a second Alias statement against the DMZ interface, or he needed to do a Static statement utilizing the DNS keyword; example:

static (dmz,outside) pub.lic.ip.addr dmz.host.ip.addr dns netmask 255.255.255.255 0 0

I don't have a 3-interface pix to test these possible solutions on, so I can't say for certain that I'm correct. :(

-Mark

-Original Message-
From: Richard Botham [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 7:12 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]

Charles/Mark,

No infinite wisdom I'm afraid - just my £0.2.

Is it because the statements below effectively do nothing due to the fact that statement 2 undoes what statement one has just done? [or have I missed the point.]

1) alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
2) alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

I would have thought that you would only need statement one - why do you need to reverse what you did in statement one for the hosts on the inside net?

regards
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70004t=69779
Looking for a CCIE RS studypartner in Holland [7:70005]
Hello,

I am looking for someone who is also preparing for the CCIE LAB in The Netherlands... I live in Rotterdam... If someone is interested to be my study partner... please let me know...

EMAIL = [EMAIL PROTECTED]
TEL = +31647954616

Thank you!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70005t=70005
Re: Prolonged Batchlers Vs. CCNP ? [7:69483]
This sort of thinking is why I've decided to skip the CCNP and just work on the CCIE. As long as Cisco keeps it insanely difficult with the lab exam being the majority of the work required it will be valuable.

-- John A. Kilpatrick

Go for it! Skip the CCNP and aim for the CCIE (or heck, skip the CCNA too). It is a bit hard, but come on, this stuff is not rocket science. Practice practice, and if you are a fast learner, decent typer, fast thinker, you can do it. But, do learn Cisco's methodologies for troubleshooting and Ciscoisms. Also, learn the basic layout of how the documentation is. Think fast, and implement fast and you got it. ;) Of course much easier said than done.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70008t=69483
Re: Multiple VLANs in a single switch port [7:69991]
Of course you can only use the switchport mode multi if you don't have a trunk already... if you do you get the error

Command rejected: One or more ports is already configured as a trunk port.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70006t=69991
RFP response--- How to?-Help****** [7:70007]
This question is for people with network management experience. I have to do a lot of things lately, and one of those things, it looks like, is project management. The problem is that I'm not a project manager. How do you normally respond to an RFP from clients? I think I understand what an RFP is, however I'm not sure how to respond to it. Any help will be appreciated. JB
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70007t=70007
Router Configuration Backups?? [7:70009]
Hey Group, I have a number of routers that don't get their configs backed up on a regular basis... does anyone have (or know of) any software products out there that will do the backups for me... or even better still, let me know if a config is changed by someone?? Thanks --Stevo
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70009t=70009
Re: ccnp foundation 640-841, [7:69984]
Not recently, but I took it a long time ago. Study the blueprint on Cisco's website. Cheers
Hinwoto wrote in message news:[EMAIL PROTECTED]
hi guys,.. Has anybody taken this foundation exam 640-841 recently ? Any advice.. please ..appreciate it. Gonna give a shot .. cheers hin
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70013t=69984
PIM-SM Join Messages. [7:70014]
Hello, I have two questions here on the above. Are PIM joins sent multicast or unicast? Some docs say it's unicast, but I see it as multicast in my trace. Also, if a flow maintains state for a period of time, do PIM-Join messages get sent periodically to the RP or root of the source, and if so, how often? Many thx Ken
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70014t=70014
Re: Multicasting Problem [7:69987]
Do CGMP.
wrote in message news:[EMAIL PROTECTED]
Hi All, We need to enable multicasting support across our network. There are two technologies available to limit the multicast packets on the switch: 1) RGMP 2) CGMP. My routers support both these technologies. Just wanted to know from the group if anybody has used any of these and which is the better of the two. Also let me know of any common problems in any one of them. Thanks in advance, Bharat
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70012t=69987
Re: PIX Router [7:70001]
No, you can not do that.
Skarphedinsson Arni V. wrote in message news:[EMAIL PROTECTED]
I have a router connected to a vlan trunk, one for internet access, and one for a remote branch, but then I have a PIX that all my users connect through, and does the NAT, but then of course the users in the remote branch that connect directly to the border router can't access the internet, as that router just routes them to the internet, but I would like for it to go through the PIX, first in, then NAT, out. Is this possible, i.e. as the PIX can not generally send traffic out the same interface as it receives it? best regards,
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70011t=70001
RE: Router Configuration Backups?? [7:70009]
CiscoWorks2000 will do all that and more, but that might be overkill for you. What you want can be accomplished with a few perl scripts and a few hours of programming.
___ Mike Pistone NASA - Russian Services Group Marshall Space Flight Center Huntsville, AL 35806 Ph: (256) 544-2915 Em: [EMAIL PROTECTED]
-Original Message- From: Stevo [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 11:37 AM To: [EMAIL PROTECTED] Subject: Router Configuration Backups?? [7:70009]
Hey Group, I have a number of routers that don't get their configs backed up on a regular basis... does anyone have (or know of) any software products out there that will do the backups for me... or even better still, let me know if a config is changed by someone?? Thanks --Stevo
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70015t=70009
RE: CCDP Recertification [7:69911]
Congratulations! I just passed today (first time VERY lucky ;), and I have to agree that it is a crazy exam. A couple of the questions were so badly worded that I didn't understand them. I just thought that I'd add a few extra pointers for the unlucky ones who still have to take the exam. There are some newer questions (e.g. quite a few on BGP), although nothing on IS-IS. However, a lot of the questions are very old - for example when did you last hear of Stratacom or configured a 700 series router (or for that matter used appletalk)! This was probably the worst Cisco exam EVER, and I just hope it is better in 3 years time. Now I just have to take CSI for my CCSP before my summer vacation. Good luck! Mark.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jeff sicuranza Sent: 31. mam 2003 06:09 To: [EMAIL PROTECTED] Subject: CCDP Recertification [7:69911]
Well fellas I passed the CCDP recert today. Man what a messed up test. The exam objectives on CCO(for all tests) are not what are on this exam. This exam is basically version 1 Routing, Switching, Remote access and CID version 1 from 3-4 years ago. I mean I did have some MLS but I had x25, smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID design questions that did not make sense, type in questions(which is to be expected) and old hardware that is probably not even supported anymore, like 700s and 1600s. I made many comments during the exam that these questions are no longer relevant especially for a CCDP update recert. It was all old stuff. I mean old stuff that was not too relevant then, specific 1600s and 700s issues, come on now.. I studied based on the info. from the CCO site, so for Routing, Switching and Remote access for the CCNP recert., which was updated, but it was my experience that carried me on this one. I did go over my old Sybex and Cisco Press ver. 1 CID books this week just in case, so that helped too.
I thought halfway through I was failing for all of the older 700/1600, desktop protocols and x25/atm crap was driving me nuts. Since I have been in computer technology since 84 I was able to pass. A lot of the questions were hands on fill in the blank types so that helped me also. Funny though, I did better on this exam(averaging in the 80% range for every topic except CID) and got in the high 800s than I did on the CCNP recert.(Considering the CCO CCNP topics matched the exam). I only studied a week and a half for both and took them two days apart. What I learned in the CCNP recert exam, that I posted earlier here, did not apply on the CCDP recert. exam to my dismay so I was bummed out during the exam. In this case my old hands on experience rules. So, for those of you fellas preparing for the CCDP recert. your old books(even version 1 CCDP stuff) is fine. Now to decide if I want to take a second stab at my ccie lab seat. Good luck to all /JS
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70017t=69911
RE: Router Configuration Backups?? [7:70009]
A number of perl scripts (I don't have links handy but check the archives) or Kiwi CatTools will back up the configs and let you know if they have changed. You can also use syslog to get notification of when it was changed. -Kevin
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stevo Sent: Monday, June 02, 2003 12:37 PM To: [EMAIL PROTECTED] Subject: Router Configuration Backups?? [7:70009]
Hey Group, I have a number of routers that don't get their configs backed up on a regular basis... does anyone have (or know of) any software products out there that will do the backups for me... or even better still, let me know if a config is changed by someone?? Thanks --Stevo
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70016t=70009
Re: Router Configuration Backups?? [7:70009]
We use Pancho, it's a perl script that downloads the configs via snmp. Just set up a cron job on a unix box.. http://www.panchoproject.org/ After you set that up, you can run diff on the files to see if anything changed.. Maybe every night? -Vince
Stevo wrote:
Hey Group, I have a number of routers that don't get their configs backed up on a regular basis... does anyone have (or know of) any software products out there that will do the backups for me... or even better still, let me know if a config is changed by someone?? Thanks --Stevo
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70019t=70009
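The nightly diff Vince describes and the syslog notification Kevin mentions, combined in one added example (not code from Pancho, Kiwi CatTools or any poster). The snapshots, the device names, the list of volatile lines and the syslog lines are constructed for illustration; secrets are replaced by a short digest before diffing, which is a choice of this example.

```python
import difflib
import hashlib
import re

# Lines that differ between snapshots even when nobody edited the config.
# Assumed list for this example; extend it for what your devices emit.
VOLATILE = re.compile(
    r"^(! Last configuration change at |! NVRAM config last updated at |"
    r"ntp clock-period |Current configuration : )")
# Credential lines: keep the keyword, swap the value for a short digest so a
# changed secret still shows in the diff without the value being mailed around.
SECRET = re.compile(
    r"^(?P<head>\s*(?:enable secret|enable password|snmp-server community|password)"
    r"\s+(?:[057] )?)(?P<value>\S+)(?P<tail>.*)$")
# IOS logs %SYS-5-CONFIG_I when someone leaves configuration mode.
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<addr>[0-9.]+)\))?")


def normalize(config_text):
    """Return config lines with volatile lines dropped and secrets digested."""
    out = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if VOLATILE.match(line):
            continue
        m = SECRET.match(line)
        if m:
            digest = hashlib.sha256(m["value"].encode()).hexdigest()[:8]
            line = f"{m['head']}<sha256:{digest}>{m['tail']}"
        out.append(line)
    return out


def config_changes(old_text, new_text):
    """Diff two snapshots; return (added, removed) lists of config lines."""
    diff = difflib.unified_diff(normalize(old_text), normalize(new_text),
                                lineterm="", n=0)
    added, removed = [], []
    for i, line in enumerate(diff):
        if i < 2 or line.startswith("@@"):  # file headers and hunk markers
            continue
        (added if line[0] == "+" else removed).append(line[1:])
    return added, removed


def config_events(syslog_lines):
    """Map device -> [(user, source address)] from CONFIG_I syslog lines."""
    events = {}
    for line in syslog_lines:
        m = CONFIG_I.search(line)
        if m:
            host = line.split()[3]  # assumes a "Mon DD HH:MM:SS host ..." prefix
            events.setdefault(host, []).append((m["user"], m["addr"] or "console"))
    return events


def nightly_report(snapshots, syslog_lines):
    """snapshots: {device: (yesterday_text, today_text)} -> findings per device."""
    events = config_events(syslog_lines)
    report = {}
    for device, (old, new) in snapshots.items():
        added, removed = config_changes(old, new)
        if added or removed:
            # A diff with no matching CONFIG_I event deserves a closer look.
            report[device] = {"added": added, "removed": removed,
                              "editors": events.get(device, [])}
    return report


# Constructed sample data (not from the thread).
YESTERDAY = """\
! Last configuration change at 09:12:44 UTC Sun Jun 1 2003
hostname rtr-edge1
snmp-server community oldstring RO
ntp clock-period 17179864
access-list 10 permit 192.0.2.0 0.0.0.255
"""
TODAY = """\
! Last configuration change at 23:14:06 UTC Mon Jun 2 2003
hostname rtr-edge1
snmp-server community newstring RW
ntp clock-period 17179871
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.7
"""
SYSLOG = [
    "Jun  2 23:14:07 rtr-edge1 88: %SYS-5-CONFIG_I: Configured from console "
    "by netadmin on vty0 (192.0.2.15)",
    "Jun  2 23:20:31 rtr-core2 41: %LINK-3-UPDOWN: Interface Serial0/0, "
    "changed state to up",
]

if __name__ == "__main__":
    print(nightly_report({"rtr-edge1": (YESTERDAY, TODAY)}, SYSLOG))
```

Run from cron after the backup job, the report stays empty on nights when only the timestamp or NTP lines moved.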
RE: Router Configuration Backups?? [7:70009]
Kiwi CatTools works very well for configuration backups and is inexpensive (it might be free, I don't recall). http://www.kiwisyslog.com/
-Original Message- From: Stevo [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 12:37 PM To: [EMAIL PROTECTED] Subject: Router Configuration Backups?? [7:70009]
Hey Group, I have a number of routers that don't get their configs backed up on a regular basis... does anyone have (or know of) any software products out there that will do the backups for me... or even better still, let me know if a config is changed by someone?? Thanks --Stevo
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70021t=70009
RE: CCDP Recertification [7:69911]
Yes, the CCDP recert exam is old and messed up. The CCNP recert exam was updated for content over the last three years so it has bgp, hands on simulation and ISIS. IT will get better and tougher if the CCNP recert is any hint. Look at the current changes to the DP program. It will be more difficult if you have to recert in three years... Congrats also, good luck on the CSI.. /JS
-Original Message- From: mailsub1 [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 3:00 PM To: 'jeff sicuranza'; [EMAIL PROTECTED] Subject: RE: CCDP Recertification [7:69911]
Congratulations! I just passed today (first time VERY lucky ;), and I have to agree that it is a crazy exam. A couple of the questions were so badly worded that I didn't understand them. I just thought that I'd add a few extra pointers for the unlucky ones who still have to take the exam. There are some newer questions (e.g. quite a few on BGP), although nothing on IS-IS. However, a lot of the questions are very old - for example when did you last hear of Stratacom or configured a 700 series router (or for that matter used appletalk)! This was probably the worst Cisco exam EVER, and I just hope it is better in 3 years time. Now I just have to take CSI for my CCSP before my summer vacation. Good luck! Mark.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jeff sicuranza Sent: 31. mam 2003 06:09 To: [EMAIL PROTECTED] Subject: CCDP Recertification [7:69911]
Well fellas I passed the CCDP recert today. Man what a messed up test. The exam objectives on CCO(for all tests) are not what are on this exam. This exam is basically version 1 Routing, Switching, Remote access and CID version 1 from 3-4 years ago. I mean I did have some MLS but I had x25, smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID design questions that did not make sense, type in questions(which is to be expected) and old hardware that is probably not even supported anymore, like 700s and 1600s.
I made many comments during the exam that these questions are no longer relevant especially for a CCDP update recert. It was all old stuff. I mean old stuff that was not too relevant then, specific 1600s and 700s issues, come on now.. I studied based on the info. from the CCO site, so for Routing, Switching and Remote access for the CCNP recert., which was updated, but it was my experience that carried me on this one. I did go over my old Sybex and Cisco Press ver. 1 CID books this week just in case, so that helped too. I thought halfway through I was failing for all of the older 700/1600, desktop protocols and x25/atm crap was driving me nuts. Since I have been in computer technology since 84 I was able to pass. A lot of the questions were hands on fill in the blank types so that helped me also. Funny though, I did better on this exam(averaging in the 80% range for every topic except CID) and got in the high 800s than I did on the CCNP recert.(Considering the CCO CCNP topics matched the exam). I only studied a week and a half for both and took them two days apart. What I learned in the CCNP recert exam, that I posted earlier here, did not apply on the CCDP recert. exam to my dismay so I was bummed out during the exam. In this case my old hands on experience rules. So, for those of you fellas preparing for the CCDP recert. your old books(even version 1 CCDP stuff) is fine. Now to decide if I want to take a second stab at my ccie lab seat. Good luck to all /JS
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70018t=69911
LLQ on Ethernet subinterfaces [7:70020]
Can somebody tell me how to configure LLQ on Ethernet subinterfaces connected to two VLANs? Will appreciate it.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70020t=70020
PIX access-list [7:70022]
I'm trying to allow inbound UDP traffic from the DMZ web server to the inside BDC. I'm getting the following:

2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19: %PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 on interface dmz

I have the following entries in the access-list:

access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139

When I perform a show access-list, I don't see any hit counts. I do have a static translation for the public to private IP for the BDC, but that shouldn't matter. I'm not sure if I even need to allow this, but it shows up in my KIWI syslog. Could someone please tell me what's missing to stop the deny inbound? Thanks. Jeff
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70022t=70022
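Checking the posted entries against the posted log line by hand is error-prone, so here is a small first-match evaluator as an added example (not code from the thread or from Cisco). It handles only the entry forms that appear in the post plus `any` and address/netmask pairs, with numeric `eq` ports; that subset and all function names are assumptions of the example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    interface: str


class Ace(NamedTuple):
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]   # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


DENY_INBOUND = re.compile(
    r"%PIX-\d-106006: Deny inbound (?P<proto>\w+) from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<intf>\S+)")


def parse_deny(line):
    """Turn a 106006 syslog line into a Flow, or None for any other message."""
    m = DENY_INBOUND.search(line)
    if not m:
        return None
    return Flow(m["proto"].lower(), ipaddress.ip_address(m["src"]), int(m["sport"]),
                ipaddress.ip_address(m["dst"]), int(m["dport"]), m["intf"])


def _addr(tokens):
    """Consume 'any', 'host A' or 'A NETMASK' from the front of the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def _port(tokens):
    """Consume an optional 'eq N'; numeric ports only in this example."""
    if tokens[:1] == ["eq"]:
        del tokens[0]
        return int(tokens.pop(0))
    return None


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    acl, action, proto = tokens[1:4]
    rest = tokens[4:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return Ace(acl, action, proto, src, sport, dst, dport)


def first_match(flow, aces):
    """Top-down, first match wins; returns (1-based position, Ace) or None."""
    for pos, ace in enumerate(aces, start=1):
        if ace.proto not in ("ip", flow.proto):
            continue
        if flow.src not in ace.src or flow.dst not in ace.dst:
            continue
        if ace.sport not in (None, flow.sport) or ace.dport not in (None, flow.dport):
            continue
        return pos, ace
    return None   # nothing matched: the implicit deny at the end of the list applies


# Log line and entries exactly as posted in the thread.
LOG = ("2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19: "
       "%PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 "
       "on interface dmz")
ACL = [parse_ace(entry) for entry in """\
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139
""".splitlines()]

if __name__ == "__main__":
    flow = parse_deny(LOG)
    hit = first_match(flow, ACL)
    if hit:
        pos, ace = hit
        print(f"{flow.interface}: {flow.proto} {flow.src}/{flow.sport} -> "
              f"{flow.dst}/{flow.dport} matches entry {pos} of {ace.acl} ({ace.action})")
    else:
        print("no entry matches; implicit deny")
```

On the posted data the denied packet matches the second entry, so a zero hit count is consistent with the list named LAN not being the one evaluated for traffic arriving on the dmz interface; `show access-group` shows which list is bound to which interface.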
OSPF over FR [7:70025]
I am testing Hub-Spoke for OSPF over FR. I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and 3.3.3.3 in the routing table.

RouterA#sh ip ospf nei
Neighbor ID     Pri   State      Dead Time   Address     Interface
3.3.3.3           1   FULL/  -   00:01:41    10.1.1.6    Serial0/0.2
2.2.2.2           1   FULL/  -   00:01:39    10.1.1.2    Serial0/0.1

RouterB#sh ip ospf nei
Neighbor ID     Pri   State      Dead Time   Address     Interface
1.1.1.1           1   FULL/BDR   00:01:38    10.1.1.1    Serial0/0

RouterC#sh ip ospf nei
Neighbor ID     Pri   State      Dead Time   Address     Interface
1.1.1.1           1   FULL/BDR   00:01:34    10.1.1.5    Serial0/0

RouterA#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/0.1
C       10.1.1.4 is directly connected, Serial0/0.2

Please help. Thanks Catherine

RouterA
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 no sh
!
interface Serial0/0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 101
!
interface Serial0/0.2 point-to-point
 ip address 10.1.1.5 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 102
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.1.4 0.0.0.3 area 0

RouterB
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.1 110 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.1.1.0 0.0.0.3 area 0
 neighbor 10.1.1.1
!

RouterC
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.6 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.5 120 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 3
 network 10.1.1.4 0.0.0.3 area 0
 neighbor 10.1.1.5

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70025t=70025
RE: Router Configuration Backups?? [7:70009]
I believe solarwinds can alert you if the config changes. I don't think it will schedule the config backups.
-Original Message- From: Stevo [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 9:37 AM To: [EMAIL PROTECTED] Subject: Router Configuration Backups?? [7:70009]
Hey Group, I have a number of routers that don't get their configs backed up on a regular basis... does anyone have (or know of) any software products out there that will do the backups for me... or even better still, let me know if a config is changed by someone?? Thanks --Stevo
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70024t=70009
RE: PIX access-list [7:70022]
This is possible because you are using win2k now and if that is the case for AD stuff you need to open port 445 also.
-Original Message- From: jmullins1 [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 4:52 PM To: [EMAIL PROTECTED] Subject: PIX access-list [7:70022]
I'm trying to allow inbound UDP traffic from the DMZ web server to the inside BDC. I'm getting the following:

2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19: %PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 on interface dmz

I have the following entries in the access-list:

access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139

When I perform a show access-list, I don't see any hit counts. I do have a static translation for the public to private IP for the BDC, but that shouldn't matter. I'm not sure if I even need to allow this, but it shows up in my KIWI syslog. Could someone please tell me what's missing to stop the deny inbound? Thanks. Jeff
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70026t=70022
RE: appletalk stuff [7:69961]
It's funny that we are seeing this message after seeing all those complaints about the CCDP recert exam including AppleTalk! :-)
=?WINDOWS-1255?Q?=F7=E5=F8=EF__=EC=E1 wrote:
> Does anyone have an idea on that:
> we use 7200 in the center of a big bay-networks routers
> we use ipx , ip and appletalk
> ip , ipx works fine in FR/PPP links and OSPF etc..
> apple talk zones and routing are shown ok on the macintosh machines
All zones are showing up on the Macs? That's a good sign. Routing wouldn't show up on the Macs, but do all routes show up on the routers? Most AppleTalk problems are related to routing, not finding services. To avoid problems with split horizon, be sure to use Frame Relay subinterfaces.
> there is appletalk services advertised on PPP links
AppleTalk services are never advertised. Users look for them.
> but they are not advertised on FR links
> routing is RTMP , zones are ok on FR links
> just the macintosh servers does not show up on FR !!
Do you mean that servers don't show up when users who are across the Frame Relay network try to find them? That is indeed strange.
> no access-lists of any kind
Hmmm. It does seem like an access list problem, though. It also sounds like it could be a duplicate network number. If this is a new or updated design, it's pretty common to mistakenly reuse an AppleTalk cable range, or have overlapping ranges. Other than misconfigured access lists, that's the only time I've ever seen such a strange result as what you're seeing, if I understand what you're seeing (zones and routes OK, but users can't find services). If it's been upgraded to AppleTalk over IP and Mac OS X, then it's a whole other story. I think Mac OS X uses Service Location Protocol, which is multicast based and requires IGMP and an IP multicast routing protocol to be working correctly. Is this a new problem? What changed? What version of Mac OS are the users using? Is this pure AppleTalk or AppleTalk over TCP/IP?
I might be willing to help if you could send more info on what's happening, version numbers, config, etc. Priscilla
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70027t=69961
Re: CCDP Recertification [7:69911]
There are also Appletalk and 700 routers on the CCNP re-cert. I decided to review the 700 documentation on CCO. The 700 is not listed on the router list. Fortunately searching on the 700 brought me to the right docs, although most of the links say, end of sale, etc. Kevin Wigle
- Original Message - From: mailsub1 To: Sent: Monday, June 02, 2003 3:00 PM Subject: RE: CCDP Recertification [7:69911]
Congratulations! I just passed today (first time VERY lucky ;), and I have to agree that it is a crazy exam. A couple of the questions were so badly worded that I didn't understand them. I just thought that I'd add a few extra pointers for the unlucky ones who still have to take the exam. There are some newer questions (e.g. quite a few on BGP), although nothing on IS-IS. However, a lot of the questions are very old - for example when did you last hear of Stratacom or configured a 700 series router (or for that matter used appletalk)! This was probably the worst Cisco exam EVER, and I just hope it is better in 3 years time. Now I just have to take CSI for my CCSP before my summer vacation. Good luck! Mark.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jeff sicuranza Sent: 31. mam 2003 06:09 To: [EMAIL PROTECTED] Subject: CCDP Recertification [7:69911]
Well fellas I passed the CCDP recert today. Man what a messed up test. The exam objectives on CCO(for all tests) are not what are on this exam. This exam is basically version 1 Routing, Switching, Remote access and CID version 1 from 3-4 years ago. I mean I did have some MLS but I had x25, smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID design questions that did not make sense, type in questions(which is to be expected) and old hardware that is probably not even supported anymore, like 700s and 1600s. I made many comments during the exam that these questions are no longer relevant especially for a CCDP update recert. It was all old stuff.
I mean old stuff that was not too relevant then, specific 1600s and 700s issues, come on now.. I studied based on the info. from the CCO site, so for Routing, Switching and Remote access for the CCNP recert., which was updated, but it was my experience that carried me on this one. I did go over my old Sybex and Cisco Press ver. 1 CID books this week just in case, so that helped too. I thought halfway through I was failing for all of the older 700/1600, desktop protocols and x25/atm crap was driving me nuts. Since I have been in computer technology since 84 I was able to pass. A lot of the questions were hands on fill in the blank types so that helped me also. Funny though, I did better on this exam(averaging in the 80% range for every topic except CID) and got in the high 800s than I did on the CCNP recert.(Considering the CCO CCNP topics matched the exam). I only studied a week and a half for both and took them two days apart. What I learned in the CCNP recert exam, that I posted earlier here, did not apply on the CCDP recert. exam to my dismay so I was bummed out during the exam. In this case my old hands on experience rules. So, for those of you fellas preparing for the CCDP recert. your old books(even version 1 CCDP stuff) is fine. Now to decide if I want to take a second stab at my ccie lab seat. Good luck to all /JS
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70031t=69911
Virtual MAC and Port Security [7:70030]
I have several Servers that are going to be doing NIC pooling. So I'm supposed to see a virtual MAC address instead of the actual physical address of the NIC's. I run the NICs from one server to different switches for fault tolerance. If I have several 6500 series switches how can I set it up for Port Security? I know I can set up the ports to handle several MAC's but if they are running the same virtual MAC what's the answer? David
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70030t=70030
Re: [CISCO] OSPF over FR [7:70025]
Have you run any debugs (debug ip ospf events, etc) and are the routes showing in the ospf database (sh ip ospf data) and just not in the routing table? If so check out: http://www.cisco.com/warp/public/104/24.html
On Mon, Jun 02, 2003 at 09:51:48PM +, Catherine Wu wrote:
-- Patrick Aland [EMAIL PROTECTED] Network Administrator Voice: 386.822.7217 Stetson University Fax: 386.822.7367
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70033t=70025
Re: Multiple VLANs in a single switch port [7:69991]
thanks guys, what about 4xxx, 5xxx, 6xxx series? well I'm not talking about trunking though... regards, jef
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70032t=69991
RE: multiple isakmp policies question-No authentication [7:70034]
Hi.. Daniel and Dear all, Thanks for the guide. May I know whether Remote VPN client to PIX515 can be authenticated by my W2K server or not? I recall I can in VPN3000. I am not familiar with RADIUS. May I ask whether I should install a RADIUS server on my network or the PIX515 itself can act as the RADIUS server to authenticate? (I prefer to authenticate locally in PIX515 without installing a RADIUS server) From the config shown below, what is aaa.bbb.ccc.10 ? an IP address of RADIUS server? can we make authentication done locally in PIX515?

aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

From: Daniel Cotts To: 'Richard Campbell' , [EMAIL PROTECTED] Subject: RE: multiple isakmp policies question-No authentication [7:69996] Date: Mon, 2 Jun 2003 18:25:38 -0500
In the following config RADIUS is used to authenticate the Clients. IIRC The group password is sufficient to allow a client to connect - although not too secure as all clients would have one password.

crypto map FF_fw_int0 client authentication AuthInbound
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

-Original Message- From: Richard Campbell [mailto:[EMAIL PROTECTED] Sent: Monday, June 02, 2003 8:07 AM To: [EMAIL PROTECTED] Subject: RE: multiple isakmp policies question-No authentication [7:69996]
Hey... thanks.. finally I got response from my PIX515, but it just hangs at securing communication channel stage (see below) and it doesn't authenticate the users. What config should I add to point it to my authentication server 192.168.1.201? For your info, my VPN client is installed at Win95 and my authentication server is a W2K server.

Initializing the connection...
Contacting the gateway at 100.100.100.101...
Negotiating security policies...
Securing communication channel...

I remember in VPN3000 server, I need to specify the authentication server for VPN group, but why in PIX515 sample on the net, why it doesn't have this entry
From: Andrew Larkins
from what I remember about this, they will try each policy until a match is made, otherwise the connection terminates
-Original Message- From: Richard Campbell [mailto:[EMAIL PROTECTED]
hey.. I have a PIX 515 and have a PIX to PIX connection to London and NY using pre-shared key des, hash sha and dh group 1 and I am going to let VPN3000 client 3.X connect to here as here and I created another isakmp policy 20, with hash md5, dh group 2 as shown below. Can u take a look whether the config is correct? And my question is I have 2 isakmp policies here, how does the PIX-PIX and VPN 3000 3.X client know which isakmp policy to take?

crypto ipsec transform-set newset esp-des
crypto dynamic-map dynmap 30 set transform-set newset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer nyapix
crypto map newmap 10 set transform-set newset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer ldnpix
crypto map newmap 20 set transform-set newset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key address ldnpix netmask 255.255.255.255
isakmp key address nyapix netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CLIENTS address-pool REMOTEIPPOOLS
vpngroup CLIENTS dns-server 192.168.1.201
vpngroup CLIENTS wins-server 192.168.1.201
vpngroup CLIENTS default-domain xyz.com
vpngroup CLIENTS idle-time 1800
vpngroup CLIENTS password
Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963 _ Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail _ Help STOP SPAM with the new MSN 8 and get 2 months FREE* http://join.msn.com/?page=features/junkmail Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70034t=70034 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
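The policy selection discussed in this thread ("they will try each policy until a match is made"), modelled as an added example that is not part of any poster's message. The two local policies are the ones in the posted config; the peer offers are constructed, and the lifetime rule (a remote lifetime longer than the local one does not match) is an assumption of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int
    lifetime: int  # seconds


# Responder side: "isakmp policy 10" and "isakmp policy 20" from the posted config.
LOCAL_POLICIES: Dict[int, Proposal] = {
    10: Proposal("des", "sha", "pre-share", 1, 86400),
    20: Proposal("des", "md5", "pre-share", 2, 86400),
}

# Constructed initiator offers (not taken from the thread).
PIX_PEER_OFFER = [Proposal("des", "sha", "pre-share", 1, 86400)]
CLIENT_OFFER = [
    Proposal("3des", "sha", "pre-share", 2, 86400),
    Proposal("des", "md5", "pre-share", 2, 86400),
]
UNSUPPORTED_OFFER = [Proposal("3des", "sha", "pre-share", 2, 86400)]


def attributes_match(mine: Proposal, theirs: Proposal) -> bool:
    """Encryption, hash, authentication method and DH group must all agree."""
    return (
        mine.encryption == theirs.encryption
        and mine.hash_alg == theirs.hash_alg
        and mine.auth == theirs.auth
        and mine.dh_group == theirs.dh_group
    )


def select_policy(
    local: Dict[int, Proposal], offered: List[Proposal]
) -> Optional[Tuple[int, int]]:
    """Return (local policy number, negotiated lifetime) or None.

    The responder walks its own policies from the lowest number upward and
    compares each one against every proposal the initiator sent. The policy
    number is purely local: it is never sent on the wire, so the peer does not
    "pick policy 20", it simply offers parameters that only policy 20 matches.
    """
    for number in sorted(local):
        mine = local[number]
        for theirs in offered:
            # Assumption: an offered lifetime above the local one is refused;
            # a shorter offered lifetime is accepted and becomes the SA lifetime.
            if attributes_match(mine, theirs) and theirs.lifetime <= mine.lifetime:
                return number, theirs.lifetime
    return None  # no common policy: the negotiation is torn down


if __name__ == "__main__":
    for name, offer in [
        ("PIX peer", PIX_PEER_OFFER),
        ("VPN client", CLIENT_OFFER),
        ("unsupported", UNSUPPORTED_OFFER),
    ]:
        print(name, "->", select_policy(LOCAL_POLICIES, offer))
```
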
Re: OSPF over FR [7:70025]
Catherine,

You forgot to define ospf network type in each frame interface. Add this interface config command:

    ip ospf network point-to-point

Thanks,
Rivalino

On Mon, 2 Jun 2003, Catherine Wu wrote:

I am testing Hub-Spoke for OSPF over FR, I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and 3.3.3.3 in the routing table,

    RouterA#sh ip ospf nei
    Neighbor ID     Pri   State       Dead Time   Address     Interface
    3.3.3.3           1   FULL/  -    00:01:41    10.1.1.6    Serial0/0.2
    2.2.2.2           1   FULL/  -    00:01:39    10.1.1.2    Serial0/0.1

    RouterB#sh ip ospf nei
    Neighbor ID     Pri   State       Dead Time   Address     Interface
    1.1.1.1           1   FULL/BDR    00:01:38    10.1.1.1    Serial0/0

    RouterC#sh ip ospf nei
    Neighbor ID     Pri   State       Dead Time   Address     Interface
    1.1.1.1           1   FULL/BDR    00:01:34    10.1.1.5    Serial0/0

    RouterA#sh ip ro
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is not set

         1.0.0.0/32 is subnetted, 1 subnets
    C       1.1.1.1 is directly connected, Loopback0
         10.0.0.0/30 is subnetted, 2 subnets
    C       10.1.1.0 is directly connected, Serial0/0.1
    C       10.1.1.4 is directly connected, Serial0/0.2

Please help.

Thanks
Catherine

RouterA

    interface Loopback0
     ip address 1.1.1.1 255.255.255.255
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     frame-relay lmi-type ansi
     no sh
    !
    interface Serial0/0.1 point-to-point
     ip address 10.1.1.1 255.255.255.252
     ip ospf hello-interval 30
     frame-relay interface-dlci 101
    !
    interface Serial0/0.2 point-to-point
     ip address 10.1.1.5 255.255.255.252
     ip ospf hello-interval 30
     frame-relay interface-dlci 102
    !
    router ospf 1
     log-adjacency-changes
     network 1.1.1.1 0.0.0.0 area 1
     network 10.1.1.0 0.0.0.3 area 0
     network 10.1.1.4 0.0.0.3 area 0

RouterB

    !
    interface Loopback0
     ip address 2.2.2.2 255.255.255.255
    !
    interface Serial0/0
     ip address 10.1.1.2 255.255.255.252
     encapsulation frame-relay
     frame-relay map ip 10.1.1.1 110 broadcast
     no frame-relay inverse-arp
     frame-relay lmi-type ansi
     no sh
    !
    router ospf 1
     log-adjacency-changes
     network 2.2.2.2 0.0.0.0 area 2
     network 10.1.1.0 0.0.0.3 area 0
     neighbor 10.1.1.1
    !

RouterC

    interface Loopback0
     ip address 3.3.3.3 255.255.255.255
    !
    interface Serial0/0
     ip address 10.1.1.6 255.255.255.252
     encapsulation frame-relay
     frame-relay map ip 10.1.1.5 120 broadcast
     no frame-relay inverse-arp
     frame-relay lmi-type ansi
     no sh
    !
    router ospf 1
     log-adjacency-changes
     network 3.3.3.3 0.0.0.0 area 3
     network 10.1.1.4 0.0.0.3 area 0
     neighbor 10.1.1.5

[GroupStudy removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70036t=70025
Fwd: Re: Problem with RSA ACE SERVER (aka SecureID) [7:70035]
There used to be a key value called 'shared secret' that you had to configure on the ACE server as well as the 'requesting' device (and unfortunately it was plain text). I haven't played with an ACE server for about 5yrs so that may have changed.

Pete

d tran wrote:

All,

I am trying to get the RSA ACE Server to authenticate VPN remote users that terminate VPN connection to my Pix firewall. So far it is not working and here is my scenario:

    Pix FW:
    Outside IP: 12.1.1.100 (netmask /21)
    Inside IP: 172.161.254 (netmask /24)
    DMZ IP: 172.18.1.254 (netmask /24)

The IP address of the RSA ACE-Server is 172.18.1.2. Here is the configuration on my pix firewall. By the way, I am using Pix OS 6.3(1):

    ip local pool test 172.30.1.1-172.30.1.254
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813
    aaa-server ACE-SERVER protocol radius
    aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
    sysopt connection permit-ipsec
    crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
    crypto ipsec transform-set set2 esp-des esp-sha-hmac
    crypto ipsec transform-set set3 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
    crypto map outside 20 ipsec-isakmp dynamic vpnremote
    crypto map outside client configuration address respond
    crypto map outside client authentication ACE-SERVER
    outside interface outside
    isakmp enable outside
    isakmp key *** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp client configuration address-pool local test outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup default address-pool test
    vpngroup default dns-server 129.174.1.8
    vpngroup default wins-server 129.174.1.8
    vpngroup default default-domain test.com
    vpngroup default split-tunnel 100
    vpngroup default split-dns test.com
    vpngroup default idle-time 1800

The problem is that whenever the pix sends an access-request to the RSA ACE Server, the ACE Server sends back an access-reject to the pix. It seems like the ACE Server thinks that the pix is an unauthorized host to communicate with the ACE Server. Now, I add the pix as an Agent Host on the ACE Server (Is this similar to the clients.conf in FreeRadius?) and it still wouldn't work. Radius is also running on the ACE Server so I know that the communication is there. Furthermore, there is NO blocking of communication between the Pix and the ACE Server.

Can someone with experience with ACE Server help me out with this problem? It has been a frustrating week. I am running ACE Server version 5.1 on both Windows 2000 Server.

D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70035t=70035
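Why the shared secret mentioned in the reply has to be identical on both ends, shown as an added example that is not part of either poster's message: RADIUS hides the User-Password attribute with MD5 keyed by the shared secret (RFC 2865, section 5.2), so a server holding a different secret recovers a different password and answers Access-Reject. The secret `123456` is the one in the posted `aaa-server` line; the passcode, the mistyped server secret and the request authenticator are constructed, and a secret mismatch is only one possible cause of the reject described in the thread.

```python
import hashlib
import hmac

BLOCK = 16  # MD5 digest size; the password is processed in 16-byte blocks


def _keystream(secret: bytes, previous: bytes) -> bytes:
    """b(i) = MD5(shared secret + previous block), per RFC 2865 section 5.2."""
    return hashlib.md5(secret + previous).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS (here the PIX) puts in the User-Password attribute."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), BLOCK):
        stream = _keystream(secret, previous)
        previous = bytes(p ^ s for p, s in zip(padded[offset:offset + BLOCK], stream))
        hidden += previous  # each ciphertext block keys the next one
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server computes with its own copy of the secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    clear, previous = b"", authenticator
    for offset in range(0, len(hidden), BLOCK):
        block = hidden[offset:offset + BLOCK]
        stream = _keystream(secret, previous)
        clear += bytes(c ^ s for c, s in zip(block, stream))
        previous = block
    return clear.rstrip(b"\x00")


def server_decision(hidden: bytes, authenticator: bytes,
                    server_secret: bytes, expected: bytes) -> str:
    """Accept only if the password recovered with the server's secret is right."""
    recovered = recover_password(hidden, server_secret, authenticator)
    return "Access-Accept" if hmac.compare_digest(recovered, expected) else "Access-Reject"


NAS_SECRET = b"123456"                     # from the posted aaa-server line
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; random in real traffic
PASSCODE = b"1234567890"                   # constructed user passcode


def simulate(server_secret: bytes) -> str:
    """Send one correct passcode from the NAS and return the server's answer."""
    hidden = hide_password(PASSCODE, NAS_SECRET, REQUEST_AUTHENTICATOR)
    return server_decision(hidden, REQUEST_AUTHENTICATOR, server_secret, PASSCODE)


if __name__ == "__main__":
    print("same secret      :", simulate(b"123456"))
    print("trailing space   :", simulate(b"123456 "))
```
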
BGP Policy-based Routing -- applicable for inbound and outbound [7:70037]
hi guys,

Can BGP Policy-based routing be configured both on inbound and outbound interfaces? I know that it is definitely for inbound interface.

And can the policy-based routing also be used to alter the final destination of the packet? I don't think there's an option to set that.

Please, show the light.

Thanks guys
hin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70037t=70037
Cisco's BGP Course is Okay [7:70038]
Hi All,

This is just a comment arising after I read a paper in the current IEEE Communications Magazine. I was a little surprised. The paper is, of course, a refereed paper and was written by three guys, one of them a PhD. I was surprised because I could write the same paper just from the knowledge I gained on BGP through self-study. I understood the paper in its entirety without any struggle at all.

So, my main point is that we can get good knowledge through Cisco Certifications, knowledge which can even help us attend conferences and present very decent papers.

Good Luck.
Mwalie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70038t=70038
permit only even subnets [7:70039]
Dear groupstudy members,

Let's say we have these networks:

    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24
    192.168.4.0/24
    192.168.5.0/24

How do we permit only even subnets and deny all the odd subnets? What network number and wildcard mask should I use in the access-list statement?

Sorry if this question has been asked before...

RD

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70039t=70039
RE: Redistribute OSPF to RIPv1 [7:69969]
you could try to configure area 1 range command at the abr, R2.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70041t=69969
RE: permit only even subnets [7:70039]
To match the even subnets, use

    access-list 1 permit 192.168.0.0 0.0.254.255

To match the odd subnets, use

    access-list 1 permit 192.168.1.0 0.0.254.255

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70040t=70039
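How the two wildcard masks in this answer select subnets, worked through as an added example that is not part of the original post. It also shows the scope of the even entry: it matches every even third octet from 0 to 254, not only .2 and .4. The `0.0.6.255` entry is a constructed comparison that does not appear in the thread.

```python
import ipaddress

# Entries quoted in the answer above.
EVEN_ENTRY = ("permit", "192.168.0.0", "0.0.254.255")
ODD_ENTRY = ("permit", "192.168.1.0", "0.0.254.255")
# Constructed narrower entry for comparison (not from the thread).
NARROW_EVEN_ENTRY = ("permit", "192.168.0.0", "0.0.6.255")

# Third octets of the five /24 networks listed in the question.
QUESTION_SUBNETS = [1, 2, 3, 4, 5]


def acl_matches(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means "ignore this bit",
    a 0 bit means the address must equal the base in that position."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(address))
    ref = int(ipaddress.IPv4Address(base))
    return (addr & care) == (ref & care)


def evaluate(acl, address: str) -> str:
    """Top-down evaluation: first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in acl:
        if acl_matches(address, base, wildcard):
            return action
    return "deny"


def matched_third_octets(base: str, wildcard: str):
    """Every N for which a host in 192.168.N.0/24 matches the entry."""
    return [n for n in range(256) if acl_matches(f"192.168.{n}.1", base, wildcard)]


def permitted_from_question(acl):
    """Which of the five networks in the question the ACL lets through."""
    return [n for n in QUESTION_SUBNETS
            if evaluate(acl, f"192.168.{n}.1") == "permit"]


if __name__ == "__main__":
    print("even entry, question subnets :", permitted_from_question([EVEN_ENTRY]))
    print("odd entry, question subnets  :", permitted_from_question([ODD_ENTRY]))
    # 254 = 11111110b: only the lowest bit of the third octet is compared,
    # so the entry covers 128 networks, far more than the two asked about.
    print("even entry covers", len(matched_third_octets(*EVEN_ENTRY[1:])), "networks")
    # 6 = 00000110b: bits 1 and 2 are free, all others must be 0 -> 0, 2, 4, 6.
    print("narrow entry covers", matched_third_octets(*NARROW_EVEN_ENTRY[1:]))
```
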
RE: multiple isakmp policies question-No authentication [7:70043]
Hi.. Sorry me again,

I just realise that W2K can act as a RADIUS server, is it true?? I tried to install cisco CSACS software on my W2K server, it prompted me that another program is using RADIUS port, pls disable it, it means my W2K server comes with RADIUS? Where to configure it? The aaa.bbb.ccc.10 (shown below) is the IP of my W2K server? I should configure my W2k Radius server to have the same key PASSWORD HERE as the PIX515 right? Where can I enter this value in my W2k server?

    aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

From: Daniel Cotts
To: 'Richard Campbell', [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication [7:69996]
Date: Mon, 2 Jun 2003 18:25:38 -0500

In the following config RADIUS is used to authenticate the Clients. IIRC The group password is sufficient to allow a client to connect - although not too secure as all clients would have one password.

    crypto map FF_fw_int0 client authentication AuthInbound
    aaa-server RADIUS protocol radius
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 8:07 AM
To: [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication [7:69996]

Hey... thanks.. finally I got response from my PIX515, but it just hang at securing communication channel stage (see below) and it doesn't authenticate the users. What config should I add to point it to my authentication server 192.168.1.201? For your info, my VPN client is installed at Win95 and my authentication server is a W2K server.

    Initializing the connection...
    Contacting the gateway at 100.100.100.101...
    Negotiating security policies...
    Securing communication channel...

I remember in VPN3000 server, I need to specify the authentication server for VPN group, but why in PIX515 sample on the net, why it doesn't have this entry

From: Andrew Larkins

from what I remember about this, they will try each policy until a match is made, otherwise the connection terminates

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]

hey.. I have a PIX 515 and have a PIX to PIX connection to London and NY using pre-shared key des, hash sha and dh group 1 and I am going to let VPN3000 client 3.X connect to here as here and I created another isakmp policy 20, with hash md5, dh group 2 as shown below. Can you take a look whether the config is correct? And my question is I have 2 isakmp policies here, how does the PIX-PIX and VPN 3000 3.X client know which isakmp policy to take?

    crypto ipsec transform-set newset esp-des
    crypto dynamic-map dynmap 30 set transform-set newset
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 101
    crypto map newmap 10 set peer nyapix
    crypto map newmap 10 set transform-set newset
    crypto map newmap 20 ipsec-isakmp
    crypto map newmap 20 match address 102
    crypto map newmap 20 set peer ldnpix
    crypto map newmap 20 set transform-set newset
    crypto map newmap 30 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key address ldnpix netmask 255.255.255.255
    isakmp key address nyapix netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CLIENTS address-pool REMOTEIPPOOLS
    vpngroup CLIENTS dns-server 192.168.1.201
    vpngroup CLIENTS wins-server 192.168.1.201
    vpngroup CLIENTS default-domain xyz.com
    vpngroup CLIENTS idle-time 1800
    vpngroup CLIENTS password

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70043t=70043
RE: Multiple VLANs in a single switch port [7:69991]
Multiple-VLANs per port can be configured on certain models, but if you do multiple VLANs then you can't do dot1q or ISL trunks anywhere on the box. One or the other... that's the limitation.

I wonder why cisco doesn't do protocol-based VLANs, etc like some other vendors. It's a sweet feature that rocks.

--- Michael Montiverdi wrote:

Hi, I believe it depends on the switch, like Marco said. I have a Catalyst 3548XL and I can setup multiple vlans on one port.

Thanks,
Michael Montiverdi

-----Original Message-----
From: M.C. van den Bovenkamp [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 9:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]

koh jef wrote:

is there any way/s to configure multiple VLANs in a single switch port?

Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on what switch you're using. Most switches can't do it, but some can; Cisco's 2900 series can, for instance.

Regards,
Marco.
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70042t=69991
Re: appletalk stuff [7:69961]
Also, are you doing it via one arm routing or do you have separate interfaces in each vlan? ( fa0/0 in vlan or lan x, fa0/1 in vlan or lan y, etc., etc. )

http://www.cisco.com/warp/public/779/smbiz/service/knowledge/wan/subifs.htm

You should definitely use sub-interfaces though.. ( Reference above )

Scotty

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]

It's funny that we are seeing this message after seeing all those complaints about the CCDP recert exam including AppleTalk! :-)

=?WINDOWS-1255?Q?=F7=E5=F8=EF__=EC=E1 wrote:

Does anyone have an idea on that: we use 7200 in the center of a big bay-networks routers we use ipx , ip and appletalk ip , ipx works fine in FR/PPP links and OSPF etc.. apple talk zones and routing are shown ok on the macintosh machines

All zones are showing up on the Macs? That's a good sign. Routing wouldn't show up on the Macs, but do all routes show up on the routers? Most AppleTalk problems are related to routing, not finding services. To avoid problems with split horizon, be sure to use Frame Relay subinterfaces.

there is appletalk services advertised on PPP links

AppleTalk services are never advertised. Users look for them.

but they are not advertised on FR links routing is RTMP , zones are ok on FR links just the macintosh servers does not show up on FR !!

Do you mean that servers don't show up when users who are across the Frame Relay network try to find them? That is indeed strange.

no access-lists of any kind

Hmmm. It does seem like an access list problem, though It also sounds like it could be a duplicate network number. If this is a new or updated design, it's pretty common to mistakenly reuse an AppleTalk cable range, or have overlapping ranges. Other than misconfigured access lists, that's the only time I've ever seen such a strange result as what you're seeing, if I understand what you're seeing (zones and routes OK, but users can't find services).

If it's been upgraded to AppleTalk over IP and Mac OS X, then it's a whole other story. I think Mac OS X uses Service Location Protocol, which is multicast based and requires IGMP and an IP multicast routing protocol to be working correctly.

Is this a new problem? What changed? What version of Mac OS are the users using? Is this pure AppleTalk or AppleTalk over TCP/IP?

I might be willing to help if you could send more info on what's happening, version numbers, config, etc.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70044t=69961
RE: Virtual MAC and Port Security [7:70030]
David-

it's been a while since I did this, but from what I understand you to say, you are trying to provide fault tolerance (fail-over) at the NIC level for these servers.

I can't vouch for the 6500s, but on the 5500s that I used to manage, we used Intel NICs in a teaming fashion (which was to provide said fault tolerance). These NICs had their FastEthernet cables going to each switch respectively. (4 NICs in each Server, 2 CAT5500's to plug into). The virtual mac's of the Teaming group was plugged into the port security table on the CATs. The CATs were also Trunk'd together via GBICs, so STP would block one Fast-Ether-Channel group of NIC cables on one switch while allowing the other group to operate.

So, the short of it is, I believe you'll have to set up an EtherChannel with the NIC Pool(s) and it's assumed that you already are Trunking between your 6500's for backbone redundancy. Port Security should be straight forward- just one Virtual-MAC per NIC Pool to be plugged into the MAC Security Table, and reference the security mac table on the ports you want to enable port security.

It's been a couple of years since I did this, so hopefully I remembered all the steps required. YMMV :)

HTHs
-Mark

-----Original Message-----
From: David Vital [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: Virtual MAC and Port Security [7:70030]

I have several Servers that are going to be doing NIC pooling. So I'm supposed to see a virtual MAC address instead of the actual physical address of the NIC's. I run the NICs from one server to different switches for fault tolerance. If I have several 6500 series switches how can I set it up for Port Security? I know I can set up the ports to handle several MAC's but if they are running the same virtual MAC what's the answer?

David

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70045t=70030
Re: OSPF over FR [7:70025]
Catherine,

You forgot to define ospf network type in each frame interface. Add this interface config command:

    ip ospf network point-to-point

Thanks,
Rivalino

Exactly right but you will have to do 2 more things:

1) Since you changed the hello-interval to 30 on Router A's point-to-point subinterfaces you will have to do the same for Router B and Router C's interfaces.

2) Remove the neighbor statement from Router B and Router C's OSPF process. Not needed.

So just add the ip ospf network point-to-point on Routers B and C frame relay physical interface and do steps 1 and 2.

Best of luck.
Danny

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70046t=70025
Lab prep in Sydney [7:70048]
Hi,

Where can I find a lab prep in Sydney? Please give me the contact of them.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70048t=70048
RE: multiple isakmp policies question-No authentication [7:70051]
Richard-

Google is your friend

Fluf-fluf

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 11:37 PM
To: [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication [7:70043]

Hi.. Sorry me again,

I just realise that W2K can act as a RADIUS server, is it true?? I tried to install cisco CSACS software on my W2K server, it prompted me that another program is using RADIUS port, pls disable it, it means my W2K server comes with RADIUS? Where to configure it? The aaa.bbb.ccc.10 (shown below) is the IP of my W2K server? I should configure my W2k Radius server to have the same key PASSWORD HERE as the PIX515 right? Where can I enter this value in my W2k server?

    aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

From: Daniel Cotts
To: 'Richard Campbell', [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication [7:69996]
Date: Mon, 2 Jun 2003 18:25:38 -0500

In the following config RADIUS is used to authenticate the Clients. IIRC The group password is sufficient to allow a client to connect - although not too secure as all clients would have one password.

    crypto map FF_fw_int0 client authentication AuthInbound
    aaa-server RADIUS protocol radius
    aaa-server AuthInbound protocol radius
    aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 8:07 AM
To: [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication [7:69996]

Hey... thanks.. finally I got response from my PIX515, but it just hang at securing communication channel stage (see below) and it doesn't authenticate the users. What config should I add to point it to my authentication server 192.168.1.201? For your info, my VPN client is installed at Win95 and my authentication server is a W2K server.

    Initializing the connection...
    Contacting the gateway at 100.100.100.101...
    Negotiating security policies...
    Securing communication channel...

I remember in VPN3000 server, I need to specify the authentication server for VPN group, but why in PIX515 sample on the net, why it doesn't have this entry

From: Andrew Larkins

from what I remember about this, they will try each policy until a match is made, otherwise the connection terminates

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]

hey.. I have a PIX 515 and have a PIX to PIX connection to London and NY using pre-shared key des, hash sha and dh group 1 and I am going to let VPN3000 client 3.X connect to here as here and I created another isakmp policy 20, with hash md5, dh group 2 as shown below. Can you take a look whether the config is correct? And my question is I have 2 isakmp policies here, how does the PIX-PIX and VPN 3000 3.X client know which isakmp policy to take?

    crypto ipsec transform-set newset esp-des
    crypto dynamic-map dynmap 30 set transform-set newset
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 101
    crypto map newmap 10 set peer nyapix
    crypto map newmap 10 set transform-set newset
    crypto map newmap 20 ipsec-isakmp
    crypto map newmap 20 match address 102
    crypto map newmap 20 set peer ldnpix
    crypto map newmap 20 set transform-set newset
    crypto map newmap 30 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key address ldnpix netmask 255.255.255.255
    isakmp key address nyapix netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CLIENTS address-pool REMOTEIPPOOLS
    vpngroup CLIENTS dns-server 192.168.1.201
    vpngroup CLIENTS wins-server 192.168.1.201
    vpngroup CLIENTS default-domain xyz.com
    vpngroup CLIENTS idle-time 1800
    vpngroup CLIENTS password

Message Posted at:
PIX 520 Static NAT [7:70049]
Hi group,

we have a pix 520 with 3 interfaces, what we want is to allow outside 10.20.20.0/24 to inside 10.16.206.21/32. Although 10.0.0.0/8 is defined as inside network. and the server 10.16.206.21 already has a static translation entry to a public IP address.

    static (inside,outside) 203.125.152.243 10.16.206.21 netmask 255.255.255.255 0 0

and the outside network 10.20.20.0/24 is allowed to access inside network by NAT 0 command ACL with permit host.

Any idea to allow inside IP address 10.16.206.21 from outside and outside network is 10.20.20.0/24 even we have a static translation above.

Thanks
Best Regards
DA'

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70049t=70049
PIX Access for Inside IP Pool [7:70050]
Hi group,

we have a pix 520 with 3 interfaces, what we want is to allow outside 10.20.20.0/24 to inside 10.16.206.21/32. Although 10.0.0.0/8 is defined as inside network. and the server 10.16.206.21 already has a static translation entry to a public IP address.

    static (inside,outside) 203.125.152.243 10.16.206.21 netmask 255.255.255.255 0 0

and the outside network 10.20.20.0/24 is allowed to access inside network by NAT 0 command ACL with permit host.

Any idea to allow inside IP address 10.16.206.21 from outside and outside network is 10.20.20.0/24 even we have a static translation above.

Thanks
Best Regards
DA'

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70050t=70050
RE: Router Configuration Backups?? [7:70009]
Check out RANCID - http://www.shrubbery.net/rancid/

RANCID - Really Awesome New Cisco confIg Differ

Rancid monitors a router's (or device's) configuration, including software and hardware (cards, serial numbers, etc), using CVS. Rancid currently supports Bay routers, Cisco routers, Juniper routers, Catalyst switches, Foundry switches, Redback NASs, ADC EZT3 muxes, MRTd (and thus likely IRRd), Alteon switches, and HP procurve switches.

Rancid logs into each of the devices in a router table file, runs various commands, chomps the output, and emails any differences (sample) from the previous collection to a mail list.

Rancid is known to be used at: Global Crossing, MFN, Verio, Certainty Solutions Inc.

-----Original Message-----
From: Vincent Tocco [mailto:[EMAIL PROTECTED]
Sent: 02 June 2003 09:45
To: [EMAIL PROTECTED]
Subject: Re: Router Configuration Backups?? [7:70009]

We use Pancho, it's a perl script that downloads the configs via snmp. Just setup a cron job on a unix box..

http://www.panchoproject.org/

After you setup that, you can run diff on the files to see if anything changed.. Maybe every night?

-Vince

Stevo wrote:

Hey Group,

I have a number of routers that don't get their configs backed up on a regular basis... does anyone have (or know of) any software products out there that will do the backups for me... or even better still, let me know if a config is changed by someone??

Thanks
--Stevo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70052t=70009
RE: PIX access-list [7:70022]
Silly thing to overlook, but best to check anyway is that you have applied the ACL to the correct interface

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70053t=70022
RE: OSPF over FR [7:70025]
Hi Catherine,

Because you are using point to point sub interfaces on the one router and on the other just using the real interface, OSPF behaves differently and has different hello / dead timers etc, and this is why you are not getting all your routes. You need to make sure that all ospf interfaces in the same area are of the same network type using the interface command ip ospf network

Below is a link to a quick ref http://www.chuckslongroad.info/OSPF_Frame_Reference.htm

Catherine Wu wrote:

I am testing Hub-Spoke for OSPF over FR, I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and 3.3.3.3 in the routing table,

RouterA#sh ip ospf nei
Neighbor ID     Pri   State       Dead Time   Address     Interface
3.3.3.3           1   FULL/  -    00:01:41    10.1.1.6    Serial0/0.2
2.2.2.2           1   FULL/  -    00:01:39    10.1.1.2    Serial0/0.1

RouterB#sh ip ospf nei
Neighbor ID     Pri   State       Dead Time   Address     Interface
1.1.1.1           1   FULL/BDR    00:01:38    10.1.1.1    Serial0/0

RouterC#sh ip ospf nei
Neighbor ID     Pri   State       Dead Time   Address     Interface
1.1.1.1           1   FULL/BDR    00:01:34    10.1.1.5    Serial0/0

RouterA#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/0.1
C       10.1.1.4 is directly connected, Serial0/0.2

Please help.

Thanks
Catherine

RouterA

interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 no sh
!
interface Serial0/0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 101
!
interface Serial0/0.2 point-to-point
 ip address 10.1.1.5 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 102
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.1.4 0.0.0.3 area 0

RouterB

!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.1 110 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.1.1.0 0.0.0.3 area 0
 neighbor 10.1.1.1
!

RouterC

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.6 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.5 120 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 3
 network 10.1.1.4 0.0.0.3 area 0
 neighbor 10.1.1.5

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70054t=70025
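Added example (not part of the original posts): a Python check that works out the OSPF network type each addressed interface in the posted configurations ends up with and reports links whose two ends differ, which is the condition the reply above describes. The function names are hypothetical, the configs are abridged to the relevant lines, and the default types encoded are the Cisco IOS defaults for Frame Relay interfaces.

```python
import ipaddress
import re

# Abridged from the configs posted in the thread; all are Frame Relay interfaces.
CONFIGS = {
    "RouterA": """
interface Serial0/0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
interface Serial0/0.2 point-to-point
 ip address 10.1.1.5 255.255.255.252
""",
    "RouterB": """
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
""",
    "RouterC": """
interface Serial0/0
 ip address 10.1.1.6 255.255.255.252
""",
}

def ospf_interfaces(config):
    """Yield (interface, subnet, network_type) for each addressed interface."""
    for block in re.split(r"^interface ", config, flags=re.M)[1:]:
        header, *body = [l.strip() for l in block.strip().splitlines()]
        addr = [l.split()[2:4] for l in body if l.startswith("ip address ")]
        if not addr:
            continue  # e.g. a physical interface that only carries subinterfaces
        explicit = [l.split()[3:] for l in body if l.startswith("ip ospf network ")]
        if explicit:
            net_type = " ".join(explicit[0])  # configured type overrides default
        elif header.endswith("point-to-point"):
            net_type = "point-to-point"  # IOS default on p2p subinterfaces
        else:
            net_type = "non-broadcast"  # IOS default on physical/multipoint FR
        subnet = ipaddress.ip_network("/".join(addr[0]), strict=False)
        yield header.split()[0], str(subnet), net_type

def mismatched_links(configs):
    """Return {subnet: {"router interface": type}} for links whose ends differ."""
    links = {}
    for router, text in configs.items():
        for name, subnet, net_type in ospf_interfaces(text):
            links.setdefault(subnet, {})[f"{router} {name}"] = net_type
    return {s: ends for s, ends in links.items() if len(set(ends.values())) > 1}

if __name__ == "__main__":
    for subnet, ends in mismatched_links(CONFIGS).items():
        print(subnet, ends)
```

Adding `ip ospf network point-to-point` under Serial0/0 on RouterB and RouterC makes the check return no mismatches.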
IOS for 2500 series router. [7:70056]
Hi, I will be thankful to you if you could let me know from where I can download IOS version for my Home Cisco 2500 series routers. Thanks regards Amir Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70056t=70056
IP addressing [7:70057]
Hi, Can someone please check below, to see if I am going in the right direction. I have 3 sites A B C

A wants 500 users.
B wants 2000 users
C unknown up to 200

IP address range I have is as follows:- 10.225.200.0 to 10.225.219.255

I have worked the following:-

For A the range is 10.225.200.0 to 10.225.201.255 with a subnet mask of 255.255.254.0 or is it 255.255.255.0

For B the range is
10.225.202.0-255
10.225.203.0-255
10.225.204.0-255
10.225.205.0-255
10.225.206.0-255
10.225.207.0-255
10.225.208.0-255
All with a subnet mask of 255.255.248.0.

For C the range is 10.225.209.0-255 to 10.225.210.0-255 subnet mask of 255.255.254.0

If all on single network will all these talk without any problems and I still have 211 through to 219 free.

Another quick question was should these all respond across different subnets even using OSPF or won't they.

Thanks, -DJ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70057t=70057
Re: Wireless Spec. question [7:69842]
By kit I mean questions about the Cisco devices (1200 / 350 / Bridges etc), and their abilities, specs etc. I had no questions on the CLI at all.. 1 cisco wrote in message news:[EMAIL PROTECTED] Do you mean cisco interface when talking about the KIT? Any questions on the cli? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70058t=69842
Re: BRI [7:70059]
Hi ppl, I'm encountering some issues on the 2nd channel, it takes quite a while for it to come up despite the 1st channel hits the threshold, is there any command that I can issue to monitor on the 2nd channel? thanks regards, jef Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70059t=70059
RTP Cisco User's Group Meeting - June 4 2003 [7:70061]
Folks, The Research Triangle Park (RTP) Cisco User's group will meet on June 4th from 12:00 to 1:00 PM in the first floor conference room of the Lake Building on Cisco's RTP campus. This meeting's topic will be TAC procedures and best practices. The meeting will also include a guided tour through sections of the Cisco.com website. Learn answers to questions such as -- What is the difference between a management escalation and a technical escalation? Which is the best method to use to open a TAC case? Who is [EMAIL PROTECTED]? We apologize for the short notice and plan to provide more notice in the future. If you're planning to attend please RSVP to so we can get a good head count. BTW, more info on RTPCiscoUsers can be found at Yahoo Group. I'm a member of the group and will answer what questions I can. Feel free to email me at [EMAIL PROTECTED] Thanks, Steve Alston Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70061t=70061
RE: IP addressing [7:70057]
See Inline.

Hi, Can someone please check below, to see if I am going in the right direction. I have 3 sites A B C

A wants 500 users. - should be a /23
B wants 2000 users - should be a /21
C unknown up to 200 - should be a /24

IP address range I have is as follows:- 10.225.200.0 to 10.225.219.255

I have worked the following:-

For A the range is 10.225.200.0 to 10.225.201.255 with a subnet mask of 255.255.254.0 or is it 255.255.255.0

It should be 255.255.254.0 for a /23

For B the range is
10.225.202.0-10.225.203.255 - 512 addresses
10.225.204.0-10.225.205.255 - 512 addresses
10.225.206.0-10.225.207.255 - 512 addresses
10.225.208.0-10.225.209.255 - 512 addresses
All with a subnet mask of 255.255.248.0.

For C the range is 10.225.209.0-255 to 10.225.210.0-255 subnet mask of 255.255.254.0

The bldg C address should be a /24 for 200 addresses...you don't need a /23 for 200 addresses. The 209 subnet is part of the /21 for area B...you should use 10.225.210.0 - 255 /24.

If all on single network will all these talk without any problems and I still have 211 through to 219 free.

You will obviously need a router and have 3 networks...one for area A, B, C...which would be 3 networks. Not one single network.

Another quick question was should these all respond across different subnets even using OSPF or won't they.

They should respond and work across any routing protocol if the switches and router are config'd correctly...

Thanks, -DJ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70060t=70057
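Added example (not part of the original posts): a Python sketch that sizes a prefix for each site's host count and carves the pool from the thread largest-first, so every block starts on its own boundary; it also checks whether a given starting address is a valid network address for a prefix length (a /21 must start where the third octet is a multiple of 8). The function names are hypothetical; the pool and host counts are the ones posted above.

```python
import ipaddress

# Address pool and per-site host counts taken from the thread.
POOL_FIRST = ipaddress.ip_address("10.225.200.0")
POOL_LAST = ipaddress.ip_address("10.225.219.255")
SITES = {"A": 500, "B": 2000, "C": 200}

def prefix_for_hosts(hosts):
    """Longest prefix whose usable host count (size - 2) covers `hosts`."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("too many hosts")

def is_aligned(first_address, prefix):
    """True if first_address is a valid network address for /prefix."""
    return int(ipaddress.ip_address(first_address)) % 2 ** (32 - prefix) == 0

def allocate(sites, first, last):
    """Allocate largest-first so every block starts on its own boundary."""
    plan, cursor = {}, int(first)
    for site, hosts in sorted(sites.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        start = -(-cursor // size) * size  # round up to the block boundary
        if start + size - 1 > int(last):
            raise ValueError(f"pool exhausted at site {site}")
        plan[site] = ipaddress.ip_network((start, prefix))
        cursor = start + size
    return plan

if __name__ == "__main__":
    for site, net in allocate(SITES, POOL_FIRST, POOL_LAST).items():
        print(site, net, net.netmask, f"{net.num_addresses - 2} usable")
    print("10.225.202.0 valid /21 start:", is_aligned("10.225.202.0", 21))
```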