Re: [CISCO] RE: VLANs AD [7:69873]

2003-06-03 Thread Patrick Aland
URT is supposed to allow mapping of VLANs to a switchport based on
user (I've never used it though).
http://www.cisco.com/en/US/products/sw/secursw/ps2136/index.html

At a recent Cisco event one of the Cisco SEs mentioned that Cisco may
be URT with 802.1x once all the kinks are worked out so I wouldn't be 
surprised if URT goes EOS soon.

On Mon, Jun 02, 2003 at 01:15:14AM +, - jvd wrote:
> Joseph,
>
> I may be wrong, but I think dynamic VLANs can only be assigned according to
> the MAC address (I can't believe Cisco doesn't make dynamic VLAN assignment
> also based on the IP, port, etc. !!??) In any case the feature you need to
> use is VMPS (VLAN membership policy server).
>
> http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2ec.html#12998
>
> Please post again if you find contrary information, because I would like to
> learn more on this...
>
> Regards,
-- 

 Patrick Aland  [EMAIL PROTECTED]
 Network Administrator  Voice: 386.822.7217
 Stetson University Fax: 386.822.7367





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69989t=69873
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: Need help for CCNA 3.0 [7:69772]

2003-06-03 Thread Peri Sophos
Cisco Certified Network Associate Exam (CCNA 640-607)*  

 


  Exam Number: 640-607 
Associated Certifications: CCNA 
Duration: 90 minutes (55-65 questions) 
Available Languages: English, Japanese in Japan only 
Registration: Pearson VUE or Prometric 
 



*Approved for VA reimbursement.

 



  Exam Description 
 
 The Cisco Certified Network Associate exam (CCNA) is the only exam
required to achieve a CCNA Routing and Switching certification. 

  Exam Topics 
 
 The following topics are general guidelines for the content likely to
be included on the CCNA exam. However, other related topics may also
appear on any specific delivery of the exam.


Bridging/Switching
 Distinguish between cut-through and store-and-forward LAN switching  
 Describe the operation of the Spanning Tree Protocol and its benefits 
 Verify the operation of the Spanning Tree Protocol on the switch 
 Describe the operation and benefits of VLANs 
 Configure VLANs on a switch 
 Configure VTP and trunking on switches 
 Compare and contrast switches and bridges 
 Identify anomalies in VLAN, trunking, and VTP operation 
 Configure a switch for basic operations 


OSI Reference Model & Layered Communication
 Describe data link and network addresses and identify key differences
between them 
 Identify at least three reasons why the industry uses a layered model 
 Define and explain the conversion steps of data encapsulation and
de-encapsulation 
 Describe connection-oriented network service and connectionless network
service, and identify their key differences 
 Describe the functions of each of the seven layers of the OSI model and
their corresponding applications 
 Compare the OSI model with the TCP/IP stack 
 Match networking devices to their OSI layer(s) 
 Use the OSI model as a conceptual strategy to identify network problems



Routed Protocols
 Describe the different classes of IP addresses including subnetting and
private addresses 
 Configure IP addresses 
 Troubleshoot IP address schemes 
 Develop an IP addressing scheme to meet requirements 
 Identify the fundamental uses of various TCP/IP application layer
protocols 
 Convert between decimal, hexadecimal, and binary 
 Define flow control and describe the three basic methods used in
networking 
 Explain the functions of the TCP/IP network and transport layer
protocols 


Routing Protocols
 Configure a router for inter-VLAN communication 
 Verify IP routing with show and debug commands 
 Compare and contrast the key operations that distinguish
distance-vector, link-state, and hybrid protocols 
 Identify exterior and interior routing protocols 
 Configure static and default routes on a router 
 Enable RIP and IGRP on a router 
 Identify routing metrics used by IGRP and RIP 


WAN Protocols
 Explain key Frame Relay terms and features 
 Configure Frame Relay LMIs, maps, and subinterfaces 
 Identify ISDN protocols, function groups, reference points, and
channels 
 Differentiate between the following WAN services: LAPB, Frame Relay,
ISDN/LAPD, HDLC, PPP, and DDR 
 Identify PPP operations to encapsulate WAN data on Cisco routers 
 Use show commands to display network operational parameters so that
anomalies are detected 
 Configure ISDN BRI and legacy dial-on-demand routing (DDR) 
 Configure a serial connection with PPP encapsulation 


Network Management
 Monitor and verify selected access list operations on the router 
 Configure authentication types (CHAP/PAP) on PPP links 
 Manage configuration files from the privilege EXEC mode 
 Manage IOS images and device configuration files 
 Load Cisco IOS software from: Flash memory, a TFTP server, or ROM 
 Perform backup, upgrade, and loading of Cisco IOS software and
configuration files 
 Configure access lists to meet specified operational requirements 
 Use CDP to identify a network topology 
 Use ICMP to verify network connectivity and locate network problems 


LAN Technologies
 Determine the appropriate uses for full- and half-duplex Ethernet
operation. 
 Describe the causes and effects of network congestion in Ethernet
networks 
 Describe the benefits of network segmentation with various networking
devices 
 Identify the cause(s) of LAN connectivity problem 
 Describe the function, operation, and primary components on a LAN 


Cisco Basics, IOS & Network Basics
 Describe router elements (RAM, ROM, Flash, NVRAM, config register) 
 Configure router passwords, identification, and banner 
 Use the context-sensitive help facility 
 Use the command history and editing features 
 Perform the initial router configuration (including using the setup
mode). 
 Use show commands to display basic network operational parameters 
 Describe router start-up sequence 
 Establish connectivity from a host to 

Multicasting Problem [7:69987]

2003-06-03 Thread [EMAIL PROTECTED]
Hi All,
We need to enable multicasting support across our network. There are two
technologies available to limit the multicast packets on the switch:
1) RGMP 2) CGMP. My routers support both these technologies. Just wanted
to know from the group if anybody has used any of these & which is better
of the two. Also let me know of any common problems in any one of them.

Thanks in advance,
Bharat 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69987t=69987


Router simulator for CCNP? [7:69986]

2003-06-03 Thread oscar
There are a lot of router simulators, but is there any good for the CCNP?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69986t=69986


PIX to concentrator Problem ......Urgent [7:69988]

2003-06-03 Thread [EMAIL PROTECTED]
Hi All,
We are using a site-to-site tunnel formed between a PIX firewall at one remote
location and a Cisco VPN concentrator connected at the central side. On the
central side there are a number of subnets that have all been added to the
network list on both PIX & VPN concentrator to enable the remote site to
access all the subnets on the central site. The problem is that while the
tunnel is running it suddenly drops all packets for one particular subnet
on the central site. I have tried all possible means of troubleshooting
but nothing seems to work. Please help me out with any ideas if possible.



Thanks 
Bharat 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69988t=69988


ccnp foundation 640-841, [7:69984]

2003-06-03 Thread Hinwoto
hi guys,..

Has anybody taken this foundation exam 640-841 recently ?
Any advice.. please ..appreciate it.
Gonna give a shot ..

cheers
hin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69984t=69984


RE: Cisco Switches with Stonebeat [7:69505]

2003-06-03 Thread Richard Botham
Bikespace,
Just spent a day testing exactly this...spooky

You're correct, Ciscos cannot put a multicast MAC in their ARP cache
dynamically - BUT - you CAN put STATIC ARP entries in a Cisco pointing to a
multicast MAC (even if Layer 3 is unicast).

However there are some small performance points here (only small!).
Turning CEF on does have some benefits but not huge amounts.

I threw 100 * 512 byte UDP segments at the Cisco for 5 mins while using a
static multicast ARP entry - it coped just fine.


HTH Rich


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69993t=69505


RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]

2003-06-03 Thread Richard Botham
Charles/Mark,

No infinite wisdom I'm afraid - just my £0.2.

Is it because the statements below effectively do nothing due to the fact
that statement 2 undoes what statement one has just done?
[or have I missed the point.]

1)alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255 
2)alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255 

I would have thought that you would only need statement one - why do you
need to reverse what you did in statement one for the hosts on the inside
net?

regards
Richard


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69990t=69779


RE: Prolonged BS Vs. CCNP ? Another alternative [7:69963]

2003-06-03 Thread Howard C. Berkowitz
At 7:35 AM + 6/2/03, n rf wrote:
> Howard C. Berkowitz wrote:
>
>> Another aspect that hasn't been discussed is the whole area of other
>> skill sets, other than perhaps server skills and general management
>> (MBA-ish). Now, I'll challenge the assumption of some people that say
>> they don't want to be engineers and haul boxes around for their whole
>> careers. Engineers do lots of things that don't involve hauling
>> boxes, such as design, product management, presales, etc. Engineer
>> != support technician.
>
> I would submit that all these alternatives are more easily achieved with a
> degree than with a cert.  Things like presales, design, product-management
> and the like all require soft-skills that are better addressed via a degree
> program but are addressed poorly, if at all, by a cert program.


I don't necessarily disagree with the above. But, the reason I 
changed the thread title slightly is that _my_ central point is that 
a work-study degree may  be the best of all worlds early in a career, 
since it allows both.

Degree programs are not necessarily the best for soft skills, or at 
least some of the technical degree programs. I remember telling a 
computer science professor in a graduate program that if I started 
programming his sloppy way, I'd get fired. If one attends the IETF, 
one will find the presentation skills often to be very deficient. The 
IETF is a very mixed bag, with dropouts and PhD's getting respect on 
their accomplishments rather than their credentials.

Realistic network design doesn't usually enter undergraduate programs 
of any sort.

Quite frankly, in later career, personal networking and one's 
experience (including things such as publications) may be more 
important than either.  Self-education, beyond the scope of the 
degree or cert, also is important. While my original academic work 
was in biochemistry, most of my medical knowledge was acquired less 
formally. I have an extremely successful friend who is a consultant 
to the brokerage industry -- his main training was as a Navy sonar 
technician, but he now has a deep understanding of financial 
operations.


> Therefore the central point still stands - the degree gives you greater
> overall career flexibility than a cert will.  No industry field outside the
> very narrow confines of network engineering gives much credence to the value
> of a Cisco cert, but every field values the degree.   So the real question a
> person who chooses to forgo the degree in favor of Cisco certs has to ask
> himself is whether he is absolutely sure that he wants to do Cisco
> networking for the rest of his life, or does the possibility exist that he
> might want to do something else when he gets older?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69992t=69963


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread koh jef
hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,

jef


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69991t=69991


Problem with RSA ACE SERVER (aka SecureID) authentication for [7:69995]

2003-06-03 Thread d tran
All,
I am trying to get the RSA ACE Server to authenticate VPN remote 
users that terminate VPN connection to my Pix firewall.  So far it is
not working and here is my scenario:
 
Pix FW: 
Outside IP:  12.1.1.100 (netmask /21)
Inside IP:  172.161.254 (netmask /24)
DMZ IP:  172.18.1.254 (netmask /24)
 
The IP address of the RSA ACE-Server is 172.18.1.2.  Here is the 
configuration on my pix firewall.  By the way, I am using Pix OS 6.3(1):
 
ip local pool test 172.30.1.1-172.30.1.254
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server ACE-SERVER protocol radius
aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set set2 esp-des esp-sha-hmac
crypto ipsec transform-set set3 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
crypto map outside 20 ipsec-isakmp dynamic vpnremote
crypto map outside client configuration address respond
crypto map outside client authentication ACE-SERVER
crypto map outside interface outside
isakmp enable outside
isakmp key *** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default address-pool test
vpngroup default dns-server 129.174.1.8
vpngroup default wins-server 129.174.1.8
vpngroup default default-domain test.com
vpngroup default split-tunnel 100
vpngroup default split-dns test.com
vpngroup default idle-time 1800
 
The problem is that whenever the pix sends an access-request to the
RSA ACE Server, the ACE Server sends back an access-reject to the 
pix.  It seems like the ACE Server thinks that the pix is an 
unauthorized host to communicate with the ACE Server.  Now, I 
add the pix as an Agent Hosts on the ACE Server (Is this similar to
the clients.conf to FreeRadius?) and it still wouldn't work.  Radius is 
also running on the ACE Server so I know that the communication is 
there.  Furthermore, there is NO blocking of communication between the
Pix and the ACE Server. Can someone with experience with ACE Server
help me out with this problem?  It has been a frustrating week.  
 
I am running ACE Server version 5.1 on both Windows 2000 Server.
 
D






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69995t=69995


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread M.C. van den Bovenkamp
koh jef wrote:

> is there any way/s to configure multiple VLANs in a single switch port?

Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on 
what switch you're using.

Most switches can't do it, but some can; Cisco's 2900 series can, for 
instance.

Regards,

Marco.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69997t=69991


RE: multiple isakmp policies question-No authentication [7:69996]

2003-06-03 Thread Richard Campbell
Hey...  thanks..  finally I got a response from my PIX515, but it just hangs at 
the securing communication channel stage (see below) and it doesn't authenticate 
the users.  What config should I add to point it to my authentication server 
192.168.1.201?  For your info, my VPN client is installed on Win95 and my 
authentication server is a W2K server.

Initializing the connection...
Contacting the gateway at 100.100.100.101...
Negotiating security policies...
Securing communication channel...

I remember in the VPN3000 server, I need to specify the authentication server 
for the VPN group, but why doesn't the PIX515 sample on the net have this 
entry?

From: Andrew Larkins 

from what I remember about this, they will try each policy until a match is
made, otherwise the connection terminates

-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED]

hey..  I have a PIX 515 and have a PIX to PIX connection to London and NY
using pre-shared key des, hash sha and dh group 1 and I am going to let
VPN3000 client 3.X connect to here as here and I created another isakmp
policy 20, with hash md5, dh group 2 as shown below.  Can u take a look
whether the config is correct?

And my question is I have 2 isakmp policies here, how does the PIX-PIX and
VPN 3000 3.X client know which isakmp policy to take?

crypto ipsec transform-set newset esp-des
crypto dynamic-map dynmap 30 set transform-set newset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 101
crypto map newmap 10 set peer nyapix
crypto map newmap 10 set transform-set newset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer ldnpix
crypto map newmap 20 set transform-set newset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key  address ldnpix netmask 255.255.255.255
isakmp key  address nyapix netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup CLIENTS address-pool REMOTEIPPOOLS
vpngroup CLIENTS dns-server 192.168.1.201
vpngroup CLIENTS wins-server 192.168.1.201
vpngroup CLIENTS default-domain xyz.com
vpngroup CLIENTS idle-time 1800
vpngroup CLIENTS password 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69996t=69996
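
The policy selection described in the quoted reply above ("they will try each policy until a match is made"), as an added example that is not part of the original messages: a simplified Python model in which the PIX walks its own ISAKMP policies in priority order and accepts the first one that matches a proposal offered by the peer. The peer proposals, function names and the choice to ignore lifetime are assumptions made for illustration; only the two policies come from the posted configuration.

```python
import re

# The two ISAKMP policies from the configuration posted in the message above.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

POLICY_LINE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")

# Attributes that must agree on both sides. Lifetime is left out of this
# simplified model (assumption made for the example).
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config_text):
    """Collect 'isakmp policy <priority> <attribute> <value>' lines per priority."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            priority, attr, value = int(m.group(1)), m.group(2), m.group(3)
            policies.setdefault(priority, {})[attr] = value
    return policies


def select_policy(local_policies, peer_proposals):
    """Return the priority of the first local policy (lowest number first)
    that matches any proposal from the peer, or None if negotiation fails."""
    for priority in sorted(local_policies):
        local = local_policies[priority]
        for proposal in peer_proposals:
            if all(local.get(a) == proposal.get(a) for a in MATCH_ATTRS):
                return priority
    return None


def proposal(encryption, hash_alg, group, authentication="pre-share"):
    """Build one peer proposal (hypothetical helper for this example)."""
    return {"authentication": authentication, "encryption": encryption,
            "hash": hash_alg, "group": group}


# Constructed peer proposals, not taken from the thread.
PIX_PEER = [proposal("des", "sha", "1")]
VPN_CLIENT = [proposal("3des", "md5", "2"), proposal("des", "md5", "2")]
MISMATCHED = [proposal("3des", "sha", "5")]

if __name__ == "__main__":
    policies = parse_isakmp_policies(PIX_CONFIG)
    for name, offered in (("PIX peer", PIX_PEER),
                          ("VPN client", VPN_CLIENT),
                          ("mismatched peer", MISMATCHED)):
        print(name, "->", select_policy(policies, offered))
```

A peer whose proposals match neither policy gets None here, which corresponds to the connection terminating.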


RE: PIX to concentrator Problem ......Urgent [7:69988]

2003-06-03 Thread Steve Wilson
Check your network lists on the concentrator. They need to be as explicit as
possible. If you supernet any contiguous networks, ensure that you do not
accidentally include a network that is really down another tunnel. 
Cheers,
Steve Wilson CCNP CCDA
Network Engineer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: 02 June 2003 12:55
To: [EMAIL PROTECTED]
Subject: PIX to concentrator Problem ..Urgent [7:69988]

Hi All,
We are using a site-to-site tunnel formed between a PIX firewall at one remote
location and a Cisco VPN concentrator connected at the central side. On the
central side there are a number of subnets that have all been added to the
network list on both PIX & VPN concentrator to enable the remote site to
access all the subnets on the central site. The problem is that while the
tunnel is running it suddenly drops all packets for one particular subnet
on the central site. I have tried all possible means of troubleshooting
but nothing seems to work. Please help me out with any ideas if possible.



Thanks 
Bharat 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6t=69988
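
The supernetting pitfall raised in the reply above, as an added example that is not part of the original messages: a Python check that compares a hand-written summary of a tunnel's network list with the networks reachable through other tunnels. All addresses, tunnel names and function names are constructed for illustration.

```python
import ipaddress


def covering_supernet(cidrs):
    """Smallest single prefix that contains every network in cidrs.
    This is what a hand-written summary entry usually amounts to."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def exact_summary(cidrs):
    """Aggregate only where the result covers exactly the listed networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def networks_down_other_tunnels(network_list, other_tunnels):
    """Return (entry, tunnel, network) for every network-list entry that
    overlaps a network which belongs to a different tunnel."""
    hits = []
    for entry in network_list:
        entry_net = ipaddress.ip_network(entry)
        for tunnel, cidrs in other_tunnels.items():
            for cidr in cidrs:
                if entry_net.overlaps(ipaddress.ip_network(cidr)):
                    hits.append((entry, tunnel, cidr))
    return hits


# Constructed sample data: central-site subnets meant for the PIX tunnel,
# and one subnet that is really reached through another tunnel.
PIX_TUNNEL_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.3.0/24"]
OTHER_TUNNELS = {"branch-b": ["10.1.2.0/24"]}

if __name__ == "__main__":
    summary = covering_supernet(PIX_TUNNEL_SUBNETS)
    print("hand summary:", summary)
    print("conflicts   :", networks_down_other_tunnels([summary], OTHER_TUNNELS))
    safe = exact_summary(PIX_TUNNEL_SUBNETS)
    print("exact list  :", safe)
    print("conflicts   :", networks_down_other_tunnels(safe, OTHER_TUNNELS))
```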


RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Peri Sophos
Put the port in trunk mode & then multiple VLANs can go in and out of
the port.

-Original Message-
From: koh jef [mailto:[EMAIL PROTECTED]
Sent: 02 June 2003 02:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]


hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,

jef




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=7t=69991


PIX Router [7:70001]

2003-06-03 Thread Skarphedinsson Arni V.
I have a router connected to a VLAN trunk, one for internet access and one
for a remote branch, but then I have a PIX that all my users connect through,
and which does the NAT. But then of course the users in the remote branch that
connect directly to the border router can't access the internet, as that
router just routes them to the internet, but I would like for it to go
through the PIX, first in, then NAT, out. Is this possible, i.e. as the PIX
can not generally send traffic out the same interface as it receives it?

best regards,


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70001t=70001


RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Vikram JeetSingh
Sure there are!


One is Multi Port and second, trunks.

Search on CCO for details.

Vikram

-Original Message-
From: koh jef [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 5:43 PM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]


hi ppl,

is there any way/s to configure multiple VLANs in a single switch port?

thanks!!

regards,

jef




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=69998t=69991


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread MADMAN
You don't say what type of switch so I'll assume a 2900/3500

   switchport mode multi

   Dave

koh jef wrote:
> hi ppl,
>
> is there any way/s to configure multiple VLANs in a single switch port?
>
> thanks!!
>
> regards,
>
> jef
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

Government can do something for the people only in proportion as it
can do something to the people. -- Thomas Jefferson




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70003t=69991


RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Michael Montiverdi
Hi,
I believe it depends on the switch, like Marco said. I have a Catalyst
3548XL and I can setup multiple vlans on one port.

Thanks,
Michael Montiverdi
 
 
 

-Original Message-
From: M.C. van den Bovenkamp [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 9:15 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple VLANs in a single switch port [7:69991]

koh jef wrote:

> is there any way/s to configure multiple VLANs in a single switch port?

Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on
what switch you're using.

Most switches can't do it, but some can; Cisco's 2900 series can, for 
instance.

Regards,

Marco.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70002t=69991


RE: PIX Firewall 6.2.2 Inside network can not reach [7:69779]

2003-06-03 Thread Mark W. Odette II
Richard- 
As I had said in my last post, in analyzing his syntax, it appears he's
trying to do Destination NAT and DNS Doctoring at the same time, for which
it obviously doesn't work.

I couldn't tell you if line 2 is auto-reversing what line 1 does by the
PIX's operating code, but you are correct that only one line is needed.
From what I gathered of the documentation, he also needed to do a second
Alias statement against the DMZ interface, or he needed to do a Static
statement utilizing the DNS keyword; example:
static (dmz,outside) pub.lic.ip.addr dmz.host.ip.addr dns netmask
255.255.255.255 0 0

I don't have a 3-interface pix to test these possible solutions on, so I
can't say for certain that I'm correct. :(

-Mark
-Original Message-
From: Richard Botham [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 7:12 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]

Charles/Mark,

No infinite wisdom I'm afraid - just my £0.2.

Is it because the statements below effectively do nothing due to the fact
the statement 2 undoes what statement one has just done ?
[or have i missed the point.]

1)alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255 
2)alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255 

I would have thought that you would only need statement one - why do you
need to reverse what you did in statement one for the hosts on the inside
net?

regards
Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70004t=69779


Looking for a CCIE RS studypartner in Holland [7:70005]

2003-06-03 Thread Iwan Hoogendoorn
Hello, I am looking for someone who is also preparing for the CCIE LAB in The
Netherlands...

I live in Rotterdam...
If someone is interested to be my study partner...please let me know...
EMAIL = [EMAIL PROTECTED]
TEL  = +31647954616

Thank you! 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70005t=70005


Re: Prolonged Batchlers Vs. CCNP ? [7:69483]

2003-06-03 Thread Carroll Kong
> This sort of thinking is why I've decided to skip the CCNP and just work on
> the CCIE.  As long as Cisco keeps it insanely difficult with the lab exam
> being the majority of the work required it will be valuable.
>
> --
> John A. Kilpatrick

Go for it!  Skip the CCNP and aim for the CCIE  (or heck, skip the 
CCNA too).  It is a bit hard, but come on, this stuff is not rocket 
science.  Practice practice, and if you are a fast learner, decent 
typer, fast thinker, you can do it.

But, do learn Cisco's methodologies for troubleshooting and 
Ciscoisms.  Also, learn the basic layout of how the documentation is. 
 Think fast, and implement fast and you got it.  ;)

Of course much easier said than done.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70008t=69483


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Troy Leliard
Of course you can only use the switchport mode multi if you don't have a
trunk already... if you do you get the error

Command rejected: One or more ports is already configured as a trunk port.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70006t=69991


RFP response--- How to?-Help****** [7:70007]

2003-06-03 Thread J B
This question is for people with network management experience.
I have to do a lot of things lately, and one of those things looks like it is
project management.  The problem is that I'm not a project manager.  How do
you normally respond to an RFP from clients?  I think I understand what an RFP
is, however I'm not sure how to respond to it.
Any help will be appreciated.
JB  


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70007t=70007


Router Configuration Backups?? [7:70009]

2003-06-03 Thread Stevo
Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70009t=70009


Re: ccnp foundation 640-841, [7:69984]

2003-06-03 Thread Darbi Yanitzi
Not recently, but I took it a long time ago. Study the blueprint on Cisco's
website.

Cheers
Hinwoto  wrote in message
news:[EMAIL PROTECTED]
 hi guys,..

 Has anybody taken this foundation exam 640-841 recently ?
 Any advice.. please ..appreciate it.
 Gonna give a shot ..

 cheers
 hin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70013t=69984


PIM-SM Join Messages. [7:70014]

2003-06-03 Thread [EMAIL PROTECTED]
Hello,

I have two questions here on the above.

Are PIM joins sent multicast or unicast?  Some docs say it's unicast, but I
see it as multicast in my trace.

Also, if a flow maintains state for a period of time, do PIM-Join messages
get sent periodically to the RP or root of the source? If so, how often?

Many thx
Ken









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70014t=70014


Re: Multicasting Problem [7:69987]

2003-06-03 Thread Darbi Yanitzi
Do CGMP.

 wrote in message
news:[EMAIL PROTECTED]
 Hi All,
 We need to enable multicasting support across our network. There are two
 technologies available to limit the multicast
 packets on the switch: 1) RGMP 2)CGMP. My routers support both these
 technologies. Just wanted to know from the
 group if anybody has used any of these  which is better of the two.
   also let me know of any common problems in anyone of them

 Thanks in advance,
 Bharat







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70012t=69987


Re: PIX Router [7:70001]

2003-06-03 Thread Darbi Yanitzi
No, you can not do that.

Skarphedinsson Arni V.  wrote in message
news:[EMAIL PROTECTED]
 I have a router connected to a vlan trunk one for internet access, and one
 for a remote branch, but then I have a pix that all my users connect through,
 and does the NAT, but then of course the users in the remote branch that
 connect directly to the border router, can't access the internet as that
 router just routes them to the internet, but I would like for it to go
 through the pix, first in, then nat, out, is this possible, i.e. as the PIX
 can not generally send traffic out the same interface as it receives it.

 best regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70011t=70001


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Pistone, Mike
CiscoWorks2000 will do all that and more, but that might be overkill for
you.   
What you want can be accomplished with a few perl scripts and a few hours of
programming.




___
Mike Pistone
NASA - Russian Services Group
Marshall Space Flight Center
Huntsville, AL 35806
Ph: (256) 544-2915
Em: [EMAIL PROTECTED]



-Original Message-
From: Stevo [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject: Router Configuration Backups?? [7:70009]


Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70015t=70009


RE: CCDP Recertification [7:69911]

2003-06-03 Thread mailsub1
Congratulations! I just passed today (first time VERY lucky ;), and I
have to agree that it is a crazy exam. A couple of the questions were so
badly worded that I didn't understand them. 

I just thought that I'd add a few extra pointers for the unlucky ones
who still have to take the exam. There are some newer questions (e.g.
quite a few on BGP), although nothing on IS-IS. However, a lot of the
questions are very old - for example when did you last hear of Stratacom
or configured a 700 series router (or for that matter used appletalk)!

This was probably the worst Cisco exam EVER, and I just hope it is
better in 3 years time.

Now I just have to take CSI for my CCSP before my summer vacation.

Good luck!

Mark.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
jeff sicuranza
Sent: 31. mam 2003 06:09
To: [EMAIL PROTECTED]
Subject: CCDP Recertification [7:69911]

Well fellas I passed the CCDP recert today. Man what a messed up test. The
exam objectives on CCO(for all tests) are not what are on this exam. This
exam is basically version 1 Routing, Switching, Remote access and CID
version 1 from 3-4 years ago. I mean I did have some MLS but I had x25,
smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID
design questions that did not make sense, type in questions(which is to be
expected) and old hardware that is probably not even supported anymore, like
700s and 1600s. I made many comments during the exam that these questions
are no longer relevant especially for a CCDP update recert. It was all old
stuff. I mean old stuff that was not too relevant then, specific 1600s and
700s issues, come on now..

I studied based on the info. from the CCO site, so for Routing, Switching
and Remote access for the CCNP recert., which was updated, but it was my
experience that carried me on this one. I did go over my old Sybex and Cisco
Press ver. 1 CID books this week just in case, so that helped too.

I thought halfway through I was failing for all of the older 700/1600,
desktop protocols and x25/atm crap was driving me nuts. Since I have been in
computer technology since 84 I was able to pass. A lot of the questions
were hands on fill in the blank types so that helped me also. Funny though,
I did better on this exam(averaging in the 80% range for every topic except
CID) and got in the high 800s than I did on the CCNP recert.(Considering
the CCO CCNP topics matched the exam). I only studied a week and a half for
both and took them two days apart. What I learned in the CCNP recert exam,
that I posted earlier here, did not apply on the CCDP recert. exam to my
dismay so I was bummed out during the exam. In this case my old hands on
experience rules.

So, for those of you fellas preparing for the CCDP recert. your old
books(even version 1 CCDP stuff) is fine.

Now to decide if I want to take a second stab at my ccie lab seat.

Good luck to all

/JS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70017t=69911


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Kevin Stone
A number of perl scripts(I don't have links handy but check the
archives) or Kiwi CatTools will back up the configs and let you know if
they have changed.  You can also use syslog to get notification of when
it was changed.

-Kevin


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Stevo
 Sent: Monday, June 02, 2003 12:37 PM
 To: [EMAIL PROTECTED]
 Subject: Router Configuration Backups?? [7:70009]
 
 Hey Group,
 
 I have a number of routers that don't get their configs 
 backed up on a regular basis... does anyone have (or know of) 
 any software products out there that will do the backups for 
 me...  or even better still, let me know if a config is 
 changed by someone??
 
 Thanks
 
 --Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70016t=70009


Re: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Vincent Tocco
We use Pancho, it's a perl script that downloads the configs via snmp. 
Just set up a cron job on a unix box..
http://www.panchoproject.org/

After you set that up, you can run diff on the files to see if anything 
changed.. Maybe every night?


-Vince

Stevo wrote:
 Hey Group,
 
 I have a number of routers that don't get their configs backed up on a
 regular basis... does anyone have (or know of) any software products out
 there that will do the backups for me...  or even better still, let me know
 if a config is changed by someone??
 
 Thanks
 
 --Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70019t=70009
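
The nightly "pull the configs, then diff them" check suggested in this thread, as an added example (not code from any poster, and not part of Pancho or Kiwi CatTools). The two snapshots are constructed, and the list of lines that change on their own between pulls is an assumption about typical IOS output:

```python
import difflib
import hashlib
import re

# Lines that differ between two pulls even when nobody edited the device.
# Assumed patterns; extend for the platforms actually being backed up.
VOLATILE = (
    re.compile(r"^ntp clock-period \d+$"),
    re.compile(r"^Current configuration\s*:"),
    re.compile(r"^Building configuration"),
)


def normalize(config_text):
    """Return comparable lines: comments and volatile lines dropped, and
    indented sub-commands prefixed with the section they belong to."""
    out, parent = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line, separator or timestamp comment
        if any(p.search(line) for p in VOLATILE):
            continue
        if line[0] == " " and parent is not None:
            out.append(parent + " :: " + line.strip())
        else:
            parent = line
            out.append(line)
    return out


def fingerprint(config_text):
    """SHA-256 over the normalized config, cheap to store per device per night."""
    data = "\n".join(normalize(config_text)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def config_changes(old_text, new_text):
    """Return (added, removed) normalized lines between two snapshots."""
    old, new = normalize(old_text), normalize(new_text)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(old[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new[j1:j2])
    return added, removed


# Constructed snapshots of one router, taken on consecutive nights.
OLD_SNAPSHOT = """\
! Last configuration change at 09:12:01 UTC Mon Jun 2 2003
hostname RouterA
!
interface Serial0/0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip access-group 101 in
!
access-list 101 permit tcp any host 10.1.1.2 eq 22
access-list 101 deny ip any any
ntp clock-period 17179869
end
"""

NEW_SNAPSHOT = """\
! Last configuration change at 23:40:17 UTC Mon Jun 2 2003
hostname RouterA
!
interface Serial0/0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
!
access-list 101 permit tcp any host 10.1.1.2 eq 22
access-list 101 permit ip any any
ntp clock-period 17179912
end
"""

if __name__ == "__main__":
    if fingerprint(OLD_SNAPSHOT) != fingerprint(NEW_SNAPSHOT):
        added, removed = config_changes(OLD_SNAPSHOT, NEW_SNAPSHOT)
        for line in removed:
            print("- " + line)
        for line in added:
            print("+ " + line)
```

Comparing normalized text rather than raw files keeps the nightly job quiet when only the timestamp comment or `ntp clock-period` moved, so an alert means someone changed a command.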


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Lupi, Guy
Kiwi CatTools works very well for configuration backups and is inexpensive
(it might be free, I don't recall).

http://www.kiwisyslog.com/

-Original Message-
From: Stevo [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: Router Configuration Backups?? [7:70009]

Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70021t=70009


RE: CCDP Recertification [7:69911]

2003-06-03 Thread jsicuran
Yes, the CCDP recert exam is old and messed up. The CCNP recert exam was
updated for content over the last three years so it has bgp, hands on
simulation and ISIS. It will get better and tougher if the CCNP recert is
any hint. Look at the current changes to the DP program. It will be more
difficult if you have to recert in three years...

Congrats also, good luck on the CSI..

/JS

-Original Message-
From: mailsub1 [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 3:00 PM
To: 'jeff sicuranza'; [EMAIL PROTECTED]
Subject: RE: CCDP Recertification [7:69911]


Congratulations! I just passed today (first time VERY lucky ;), and I
have to agree that it is a crazy exam. A couple of the questions were so
badly worded that I didn't understand them.

I just thought that I'd add a few extra pointers for the unlucky ones
who still have to take the exam. There are some newer questions (e.g.
quite a few on BGP), although nothing on IS-IS. However, a lot of the
questions are very old - for example when did you last hear of Stratacom
or configured a 700 series router (or for that matter used appletalk)!

This was probably the worst Cisco exam EVER, and I just hope it is
better in 3 years time.

Now I just have to take CSI for my CCSP before my summer vacation.

Good luck!

Mark.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
jeff sicuranza
Sent: 31. mam 2003 06:09
To: [EMAIL PROTECTED]
Subject: CCDP Recertification [7:69911]

Well fellas I passed the CCDP recert today. Man what a messed up test. The
exam objectives on CCO(for all tests) are not what are on this exam. This
exam is basically version 1 Routing, Switching, Remote access and CID
version 1 from 3-4 years ago. I mean I did have some MLS but I had x25,
smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID
design questions that did not make sense, type in questions(which is to be
expected) and old hardware that is probably not even supported anymore, like
700s and 1600s. I made many comments during the exam that these questions
are no longer relevant especially for a CCDP update recert. It was all old
stuff. I mean old stuff that was not too relevant then, specific 1600s and
700s issues, come on now..

I studied based on the info. from the CCO site, so for Routing, Switching
and Remote access for the CCNP recert., which was updated, but it was my
experience that carried me on this one. I did go over my old Sybex and Cisco
Press ver. 1 CID books this week just in case, so that helped too.

I thought halfway through I was failing for all of the older 700/1600,
desktop protocols and x25/atm crap was driving me nuts. Since I have been in
computer technology since 84 I was able to pass. A lot of the questions
were hands on fill in the blank types so that helped me also. Funny though,
I did better on this exam(averaging in the 80% range for every topic except
CID) and got in the high 800s than I did on the CCNP recert.(Considering
the CCO CCNP topics matched the exam). I only studied a week and a half for
both and took them two days apart. What I learned in the CCNP recert exam,
that I posted earlier here, did not apply on the CCDP recert. exam to my
dismay so I was bummed out during the exam. In this case my old hands on
experience rules.

So, for those of you fellas preparing for the CCDP recert. your old
books(even version 1 CCDP stuff) is fine.

Now to decide if I want to take a second stab at my ccie lab seat.

Good luck to all

/JS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70018t=69911


LLQ on Ethernet subinterfaces [7:70020]

2003-06-03 Thread neil K
Can somebody tell me how to configure LLQ on Ethernet subinterfaces
connected to two VLAN's.
Will appreciate it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70020t=70020


PIX access-list [7:70022]

2003-06-03 Thread jmullins1
I'm trying to allow inbound UDP traffic from the DMZ web server to the
inside BDC.  I'm getting the following:

2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19: %PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 on interface dmz

I have the following entries in the access-list:
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139

When I perform a show access-list, I don't see any hit counts.  I do have a
static translation for the public to private IP for the BDC, but that
shouldn't matter.  I'm not sure if I even need to allow this, but it shows
up in my KIWI syslog.  Could someone please tell me what's missing to stop
the deny inbound?  Thanks.
Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70022t=70022


OSPF over FR [7:70025]

2003-06-03 Thread Catherine Wu
I am testing Hub-Spoke for OSPF over FR,

I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and
3.3.3.3 in the routing table, 

RouterA#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/  -        00:01:41    10.1.1.6        Serial0/0.2
2.2.2.2           1   FULL/  -        00:01:39    10.1.1.2        Serial0/0.1
RouterB#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:01:38    10.1.1.1        Serial0/0
RouterC#sh ip ospf nei

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR        00:01:34    10.1.1.5        Serial0/0

RouterA#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, Serial0/0.1
C       10.1.1.4 is directly connected, Serial0/0.2

Please help.

Thanks 

Catherine

RouterA
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
 no sh
!
interface Serial0/0.1 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 101
!
interface Serial0/0.2 point-to-point
 ip address 10.1.1.5 255.255.255.252
 ip ospf hello-interval 30
 frame-relay interface-dlci 102
!
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.1.4 0.0.0.3 area 0

RouterB
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.1 110 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.1.1.0 0.0.0.3 area 0
 neighbor 10.1.1.1 
!
RouterC
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0/0
 ip address 10.1.1.6 255.255.255.252
 encapsulation frame-relay
 frame-relay map ip 10.1.1.5 120 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
 no sh
!
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 3
 network 10.1.1.4 0.0.0.3 area 0
 neighbor 10.1.1.5 

[GroupStudy removed an attachment of type application/ms-tnef which had a
name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70025t=70025


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Wilmes, Rusty
I believe SolarWinds can alert you if the config changes.  I don't think it
will schedule the config backups.

-Original Message-
From: Stevo [mailto:[EMAIL PROTECTED]
Sent: Monday, June 02, 2003 9:37 AM
To: [EMAIL PROTECTED]
Subject: Router Configuration Backups?? [7:70009]


Hey Group,

I have a number of routers that don't get their configs backed up on a
regular basis... does anyone have (or know of) any software products out
there that will do the backups for me...  or even better still, let me know
if a config is changed by someone??

Thanks

--Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70024t=70009


RE: PIX access-list [7:70022]

2003-06-03 Thread Elijah Savage
This is possible because you are using win2k now and if that is the case
for AD stuff you need to open port 445 also.

-Original Message-
From: jmullins1 [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 4:52 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list [7:70022]

I'm trying to allow inbound UDP traffic from the DMZ web server to the
inside BDC.  I'm getting the following:

2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19: %PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 on interface dmz

I have the following entries in the access-list:
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139

When I perform a show access-list, I don't see any hit counts.  I do have a
static translation for the public to private IP for the BDC, but that
shouldn't matter.  I'm not sure if I even need to allow this, but it shows
up in my KIWI syslog.  Could someone please tell me what's missing to stop
the deny inbound?  Thanks.
Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70026t=70022
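
A check of the logged deny against the four posted access-list entries, as an added example (not code from either poster). It parses only the `host A host B eq N` entry form and the 106006 message shown in this thread, reports which posted entry covers the logged flow, and shows that a TCP 445 flow between the same hosts is covered by none of them; the source port used for that second flow is constructed:

```python
import re
from typing import NamedTuple


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    interface: str


class Ace(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int


DENY_RE = re.compile(
    r"%PIX-2-106006: Deny inbound UDP from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<ifc>\S+)"
)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp) "
    r"host (?P<src>[\d.]+) host (?P<dst>[\d.]+) eq (?P<dport>\d+)$"
)

# Copied from the post above (the log line is joined onto one line).
SYSLOG_LINE = (
    "2003-05-23 15:02:45 Local4.Critical 10.0.1.1 May 23 2003 15:02:19: "
    "%PIX-2-106006: Deny inbound UDP from 172.16.2.2/137 to 10.0.1.19/137 "
    "on interface dmz"
)
POSTED_ACL = """\
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 135
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 137
access-list LAN permit udp host 172.16.2.2 host 10.0.1.19 eq 138
access-list LAN permit tcp host 172.16.2.2 host 10.0.1.19 eq 139
"""


def parse_deny(line):
    """Extract the denied flow from a 106006 message, or None if absent."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    return Flow("udp", m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["ifc"])


def parse_aces(text):
    """Parse access-list lines; refuse forms this example does not model."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError("unsupported access-list form: " + line)
        aces.append(Ace(m["acl"], m["action"], m["proto"],
                        m["src"], m["dst"], int(m["dport"])))
    return aces


def first_match(flow, aces):
    """Return (1-based position, entry) of the first entry covering the flow.
    Entries are evaluated top-down and the first match decides."""
    for pos, ace in enumerate(aces, start=1):
        if (ace.proto, ace.src, ace.dst, ace.dport) == (
            flow.proto, flow.src, flow.dst, flow.dport
        ):
            return pos, ace
    return None


if __name__ == "__main__":
    aces = parse_aces(POSTED_ACL)
    logged = parse_deny(SYSLOG_LINE)
    print("logged flow:", logged, "->", first_match(logged, aces))
    smb = logged._replace(proto="tcp", sport=1025, dport=445)  # constructed flow
    print("tcp/445 flow:", first_match(smb, aces))
```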


RE: appletalk stuff [7:69961]

2003-06-03 Thread Priscilla Oppenheimer
It's funny that we are seeing this message after seeing all those complaints
about the CCDP recert exam including AppleTalk! :-)

קורן לב wrote:
 
 Does anyone have an idea on that:
 we use 7200 in the center of a big bay-networks routers
 we use ipx , ip and appletalk
 ip , ipx works fine in FR/PPP links and OSPF etc..
 apple talk zones and routing are shown ok on the macintosh
 machines

All zones are showing up on the Macs? That's a good sign. 

Routing wouldn't show up on the Macs, but do all routes show up on the
routers?

Most AppleTalk problems are related to routing, not finding services. To
avoid problems with split horizon, be sure to use Frame Relay subinterfaces.

 there is appletalk services advertised on PPP links

AppleTalk services are never advertised. Users look for them.

 but they are not advertised on FR links
 routing is RTMP , zones are ok on FR links
 just the macintosh servers does not show up on FR !!

Do you mean that servers don't show up when users who are across the Frame
Relay network try to find them? That is indeed strange.

 no access-lists of any kind

Hmmm. It does seem like an access list problem, though

It also sounds like it could be a duplicate network number. If this is a new
or updated design, it's pretty common to mistakenly reuse an AppleTalk cable
range, or have overlapping ranges. Other than misconfigured access lists,
that's the only time I've ever seen such a strange result as what you're
seeing, if I understand what you're seeing (zones and routes OK, but users
can't find services).

If it's been upgraded to AppleTalk over IP and Mac OS X, then it's a whole
other story. I think Mac OS X uses Service Location Protocol, which is
multicast based and requires IGMP and an IP multicast routing protocol to be
working correctly.

Is this a new problem? What changed? What version of Mac OS are the users
using? Is this pure AppleTalk or AppleTalk over TCP/IP?

I might be willing to help if you could send more info on what's happening,
version numbers, config, etc.

Priscilla


 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70027t=69961


Re: CCDP Recertification [7:69911]

2003-06-03 Thread Kevin Wigle
There are also Appletalk and 700 routers on the CCNP re-cert.

I decided to review the 700 documentation on CCO.

The 700 is not listed on the router list.

Fortunately searching on the 700 brought me to the right docs, although most
of the links say, end of sale, etc.

Kevin Wigle

- Original Message -
From: mailsub1 
To: 
Sent: Monday, June 02, 2003 3:00 PM
Subject: RE: CCDP Recertification [7:69911]


 Congratulations! I just passed today (first time VERY lucky ;), and I
 have to agree that it is a crazy exam. A couple of the questions were so
 badly worded that I didn't understand them.

 I just thought that I'd add a few extra pointers for the unlucky ones
 who still have to take the exam. There are some newer questions (e.g.
 quite a few on BGP), although nothing on IS-IS. However, a lot of the
 questions are very old - for example when did you last hear of Stratacom
 or configured a 700 series router (or for that matter used appletalk)!

 This was probably the worst Cisco exam EVER, and I just hope it is
 better in 3 years time.

 Now I just have to take CSI for my CCSP before my summer vacation.

 Good luck!

 Mark.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 jeff sicuranza
 Sent: 31. mam 2003 06:09
 To: [EMAIL PROTECTED]
 Subject: CCDP Recertification [7:69911]

 Well fellas I passed the CCDP recert today. Man what a messed up test. The
 exam objectives on CCO(for all tests) are not what are on this exam. This
 exam is basically version 1 Routing, Switching, Remote access and CID
 version 1 from 3-4 years ago. I mean I did have some MLS but I had x25,
 smds, atm aal3-4 nonsense, desktop protocol issues, lan manager, old CID
 design questions that did not make sense, type in questions(which is to be
 expected) and old hardware that is probably not even supported anymore, like
 700s and 1600s. I made many comments during the exam that these questions
 are no longer relevant especially for a CCDP update recert. It was all old
 stuff. I mean old stuff that was not too relevant then, specific 1600s and
 700s issues, come on now..

 I studied based on the info. from the CCO site, so for Routing, Switching
 and Remote access for the CCNP recert., which was updated, but it was my
 experience that carried me on this one. I did go over my old Sybex and Cisco
 Press ver. 1 CID books this week just in case, so that helped too.

 I thought halfway through I was failing for all of the older 700/1600,
 desktop protocols and x25/atm crap was driving me nuts. Since I have been in
 computer technology since 84 I was able to pass. A lot of the questions
 were hands on fill in the blank types so that helped me also. Funny though,
 I did better on this exam(averaging in the 80% range for every topic except
 CID) and got in the high 800s than I did on the CCNP recert.(Considering
 the CCO CCNP topics matched the exam). I only studied a week and a half for
 both and took them two days apart. What I learned in the CCNP recert exam,
 that I posted earlier here, did not apply on the CCDP recert. exam to my
 dismay so I was bummed out during the exam. In this case my old hands on
 experience rules.

 So, for those of you fellas preparing for the CCDP recert. your old
 books(even version 1 CCDP stuff) is fine.

 Now to decide if I want to take a second stab at my ccie lab seat.

 Good luck to all

 /JS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70031t=69911


Virtual MAC and Port Security [7:70030]

2003-06-03 Thread David Vital
I have several Servers that are going to be doing NIC pooling.  So I'm
supposed to see a virtual MAC address instead of the actual physical address
of the NIC's.  I run the NICs from one server to different switches for
fault tolerance.  If I have several 6500 series switches how can I set it up
for Port Security?  I know I can set up the ports to handle several MAC's
but if they are running the same virtual MAC what's the answer?

David


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70030t=70030


Re: [CISCO] OSPF over FR [7:70025]

2003-06-03 Thread Patrick Aland
Have you run any debug's (debug ip ospf events, etc) and are the routes
showing in the ospf database (sh ip ospf data) and just not in the
routing table?

If so check out:
http://www.cisco.com/warp/public/104/24.html



On Mon, Jun 02, 2003 at 09:51:48PM +, Catherine Wu wrote:


-- 

 Patrick Aland  [EMAIL PROTECTED]
 Network Administrator  Voice: 386.822.7217
 Stetson University Fax: 386.822.7367





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70033t=70025


Re: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread koh jef
Thanks guys, what about the 4xxx, 5xxx, 6xxx series? Well, I'm not talking
about trunking though...

regards,
jef


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70032t=69991


RE: multiple isakmp policies question-No authentication [7:70034]

2003-06-03 Thread Richard Campbell
Hi..  Daniel and Dear all,

Thanks for the guide.  May I know whether Remote VPN client to PIX515 can be
authenticated by my W2K server or not? I recall I can in VPN3000.  I am not
familiar with RADIUS.  May I ask whether I should install a RADIUS server
on my network or the PIX515 itself can act as the RADIUS server to
authenticate?  (I prefer to authenticate locally in PIX515 without installing
a RADIUS server)

From the config shown below, what is aaa.bbb.ccc.10?  An IP address of the
RADIUS server? Can we make authentication done locally in PIX515?

aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

From: Daniel Cotts 
To: 'Richard Campbell' , [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication [7:69996]
Date: Mon, 2 Jun 2003 18:25:38 -0500

In the following config RADIUS is used to authenticate the Clients. IIRC the
group password is sufficient to allow a client to connect - although not too
secure as all clients would have one password.
crypto map FF_fw_int0 client authentication AuthInbound
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

  -Original Message-
  From: Richard Campbell [mailto:[EMAIL PROTECTED]
  Sent: Monday, June 02, 2003 8:07 AM
  To: [EMAIL PROTECTED]
  Subject: RE: multiple isakmp policies question-No authentication
  [7:69996]
 
 
  Hey...  thanks..  finally I got response from my PIX515, but it just hangs at
  securing communication channel stage (see below) and it doesn't authenticate
  the users.  What config should I add to point it to my authentication server
  192.168.1.201?  For your info, my VPN client is installed at Win95 and my
  authentication server is a W2K server.
 
  Initializing the connection...
  Contacting the gateway at 100.100.100.101...
  Negotiating security policies...
  Securing communication channel...
 
  I remember in VPN3000 server, I need to specify the authentication server
  for VPN group, but why in PIX515 sample on the net, why it doesn't have this
  entry
 
  From: Andrew Larkins
  
  from what I remember about this, they will try each policy until a match is
  made, otherwise the connection terminates
  
  -Original Message-
  From: Richard Campbell [mailto:[EMAIL PROTECTED]
  
  hey..  I have a PIX 515 and have a PIX to PIX connection to London and NY
  using pre-shared key des, hash sha and dh group 1 and I am going to let
  VPN3000 client 3.X connect to here as here and I created another isakmp
  policy 20, with hash md5, dh group 2 as shown below.  Can u take a look
  whether the config is correct?
  
  And my question is I have 2 isakmp policies here, how does the PIX-PIX and
  VPN 3000 3.X client know which isakmp policy to take?
  
  crypto ipsec transform-set newset esp-des
  crypto dynamic-map dynmap 30 set transform-set newset
  crypto map newmap 10 ipsec-isakmp
  crypto map newmap 10 match address 101
  crypto map newmap 10 set peer nyapix
  crypto map newmap 10 set transform-set newset
  crypto map newmap 20 ipsec-isakmp
  crypto map newmap 20 match address 102
  crypto map newmap 20 set peer ldnpix
  crypto map newmap 20 set transform-set newset
  crypto map newmap 30 ipsec-isakmp dynamic dynmap
  crypto map newmap interface outside
  isakmp enable outside
  isakmp key  address ldnpix netmask 255.255.255.255
  isakmp key  address nyapix netmask 255.255.255.255
  isakmp identity address
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption des
  isakmp policy 10 hash sha
  isakmp policy 10 group 1
  isakmp policy 10 lifetime 86400
  
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  
  vpngroup CLIENTS address-pool REMOTEIPPOOLS
  vpngroup CLIENTS dns-server 192.168.1.201
  vpngroup CLIENTS wins-server 192.168.1.201
  vpngroup CLIENTS default-domain xyz.com
  vpngroup CLIENTS idle-time 1800
  vpngroup CLIENTS password 
  




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70034t=70034
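
Added example, not part of any post in this thread: a Python model of the policy matching Andrew Larkins recalls in the quoted exchange, run against the two isakmp policies from the quoted PIX config. It assumes the matching rule from Cisco's IKE documentation (same authentication, encryption, hash and DH group, and a remote lifetime no longer than the local one); the helper names and the peer/client offers are constructed for illustration.

```python
import re

# The two policies from the quoted PIX config above.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Attributes that must be identical on both sides (assumed rule, see lead-in).
MATCH_KEYS = ("authentication", "encryption", "hash", "group")


def parse_policies(config_text):
    """Return {priority: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)\s*$", line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = (
                int(value) if value.isdigit() else value
            )
    return policies


def select_policy(local, offers):
    """Walk the local policies in priority order (lowest number first) and
    return (priority, negotiated_lifetime) for the first one that matches
    any offer from the remote side, or None if nothing matches."""
    for prio in sorted(local):
        mine = local[prio]
        for offer in offers:
            same = all(offer.get(k) == mine.get(k) for k in MATCH_KEYS)
            if same and offer["lifetime"] <= mine["lifetime"]:
                return prio, offer["lifetime"]
    return None  # no match: the negotiation is refused


def make_offer(encryption, hash_, group, lifetime=86400, authentication="pre-share"):
    """Build one constructed IKE phase 1 offer."""
    return {"authentication": authentication, "encryption": encryption,
            "hash": hash_, "group": group, "lifetime": lifetime}


LOCAL = parse_policies(PIX_CONFIG)

# Constructed offers; what a real peer or client proposes is an assumption.
PIX_PEER = [make_offer("des", "sha", 1)]                 # London / NY PIX
VPN_CLIENT = [make_offer("3des", "sha", 2), make_offer("des", "md5", 2)]
STRICT_CLIENT = [make_offer("3des", "sha", 2)]           # offers nothing the PIX has
SHORT_LIFETIME_PEER = [make_offer("des", "sha", 1, lifetime=28800)]

if __name__ == "__main__":
    for name, offers in [("PIX peer", PIX_PEER), ("VPN client", VPN_CLIENT),
                         ("strict client", STRICT_CLIENT),
                         ("short-lifetime peer", SHORT_LIFETIME_PEER)]:
        print(f"{name:20s} -> {select_policy(LOCAL, offers)}")
```

Neither side names a policy number: the choice falls out of which attribute set both ends have in common, so the PIX-to-PIX peers land on policy 10 and a client offering des/md5/group 2 lands on policy 20.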


Re: OSPF over FR [7:70025]

2003-06-03 Thread Rivalino YMT.
Catherine,

You forgot to define ospf network type in each frame interface.
Add this interface config command: ip ospf network point-to-point

Thanks,
Rivalino

On Mon, 2 Jun 2003, Catherine Wu wrote:

 I am testing Hub-Spoke for OSPF over FR,
 
 I verified the neighbor adjacency,but I couldn't see route 2.2.2.2 and
 3.3.3.3 in the routing table, 
 
 RouterA#sh ip ospf nei
 
 Neighbor ID     Pri   State      Dead Time   Address     Interface
 3.3.3.3           1   FULL/  -   00:01:41    10.1.1.6    Serial0/0.2
 2.2.2.2           1   FULL/  -   00:01:39    10.1.1.2    Serial0/0.1
 RouterB#sh ip ospf nei
 
 Neighbor ID     Pri   State      Dead Time   Address     Interface
 1.1.1.1           1   FULL/BDR   00:01:38    10.1.1.1    Serial0/0
 RouterC#sh ip ospf nei
 
 Neighbor ID     Pri   State      Dead Time   Address     Interface
 1.1.1.1           1   FULL/BDR   00:01:34    10.1.1.5    Serial0/0
 
 RouterA#sh ip ro
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
        * - candidate default, U - per-user static route, o - ODR
        P - periodic downloaded static route
 
 Gateway of last resort is not set
 
  1.0.0.0/32 is subnetted, 1 subnets
 C   1.1.1.1 is directly connected, Loopback0
  10.0.0.0/30 is subnetted, 2 subnets
 C   10.1.1.0 is directly connected, Serial0/0.1
 C   10.1.1.4 is directly connected, Serial0/0.2
 
 Please help.
 
 Thanks 
 
 Catherine
 
 RouterA
 interface Loopback0
  ip address 1.1.1.1 255.255.255.255
 !
 interface Serial0/0
  no ip address
  encapsulation frame-relay
  frame-relay lmi-type ansi
  no sh
 !
 interface Serial0/0.1 point-to-point
  ip address 10.1.1.1 255.255.255.252
  ip ospf hello-interval 30
  frame-relay interface-dlci 101
 !
 interface Serial0/0.2 point-to-point
  ip address 10.1.1.5 255.255.255.252
  ip ospf hello-interval 30
  frame-relay interface-dlci 102
 !
 router ospf 1
  log-adjacency-changes
  network 1.1.1.1 0.0.0.0 area 1
  network 10.1.1.0 0.0.0.3 area 0
  network 10.1.1.4 0.0.0.3 area 0
 
 RouterB
 !
 interface Loopback0
  ip address 2.2.2.2 255.255.255.255
 !
 interface Serial0/0
  ip address 10.1.1.2 255.255.255.252
  encapsulation frame-relay
  frame-relay map ip 10.1.1.1 110 broadcast
  no frame-relay inverse-arp
  frame-relay lmi-type ansi
  no sh
 !
 router ospf 1
  log-adjacency-changes
  network 2.2.2.2 0.0.0.0 area 2
  network 10.1.1.0 0.0.0.3 area 0
  neighbor 10.1.1.1 
 !
 RouterC
 interface Loopback0
  ip address 3.3.3.3 255.255.255.255
 !
 interface Serial0/0
  ip address 10.1.1.6 255.255.255.252
  encapsulation frame-relay
  frame-relay map ip 10.1.1.5 120 broadcast
  no frame-relay inverse-arp
  frame-relay lmi-type ansi
  no sh
 !
 router ospf 1
  log-adjacency-changes
  network 3.3.3.3 0.0.0.0 area 3
  network 10.1.1.4 0.0.0.3 area 0
  neighbor 10.1.1.5 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70036t=70025


Fwd: Re: Problem with RSA ACE SERVER (aka SecureID) [7:70035]

2003-06-03 Thread Pete Felber
There used to be a key value called 'shared secret' that you had to
configure on the ACE server as well as the 'requesting' device (and
unfortunately it was plain text).  I haven't played with an ACE server
for about 5yrs so that may have changed.
Pete

d tran wrote:

All,
I am trying to get the RSA ACE Server to authenticate VPN remote 
users that terminate VPN connection to my Pix firewall.  So far it is
not working and here is my scenario:
 
Pix FW: 
Outside IP:  12.1.1.100 (netmask /21)
Inside IP:  172.161.254 (netmask /24)
DMZ IP:  172.18.1.254 (netmask /24)
 
The IP address of the RSA ACE-Server is 172.18.1.2.  Here is the 
configuration on my pix firewall.  By the way, I am using Pix OS 6.3(1):
 
ip local pool test 172.30.1.1-172.30.1.254
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server ACE-SERVER protocol radius
aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set set2 esp-des esp-sha-hmac
crypto ipsec transform-set set3 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
crypto map outside 20 ipsec-isakmp dynamic vpnremote
crypto map outside client configuration address respond
crypto map outside client authentication ACE-SERVER
 outside interface outside
isakmp enable outside
isakmp key *** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default address-pool test
vpngroup default dns-server 129.174.1.8
vpngroup default wins-server 129.174.1.8
vpngroup default default-domain test.com
vpngroup default split-tunnel 100
vpngroup default split-dns test.com
vpngroup default idle-time 1800
 
The problem is that whenever the pix sends an access-request to the
RSA ACE Server, the ACE Server sends back an access-reject to the 
pix.  It seems like the ACE Server thinks that the pix is an 
unauthorized host to communicate with the ACE Server.  Now, I 
add the pix as an Agent Hosts on the ACE Server (Is this similar to
the clients.conf to FreeRadius?) and it still wouldn't work.  Radius is 
also running on the ACE Server so I know that the communication is 
there.  Furthermore, there is NO blocking of communication between the
Pix and the ACE Server. Can someone with experience with ACE Server
help me out with this problem?  It has been a frustrating week.  
 
I am running ACE Server version 5.1 on both Windows 2000 Server.
 
D






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70035t=70035
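
Added example, not part of Pete's or d tran's posts: a Python sketch of why the shared secret Pete mentions has to be identical on the RADIUS client and the server. It follows the User-Password hiding and Response Authenticator calculations of RFC 2865; the secret 123456 is the one in the aaa-server line above, while the user name, passcode, Request Authenticator and the mismatched server secret are constructed.

```python
import hashlib

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous ciphertext block or Request Authenticator)."""
    width = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(width, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def recover_password(hidden, secret, request_auth):
    """Server side of hide_password(); only correct if the secrets are equal."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def simulate(client_secret, server_secret):
    """One Access-Request / reply round trip.

    Returns (reply_code, reply_verifies_on_client)."""
    request_auth = bytes(range(16))          # constructed; random in practice
    users = {"vpnuser": b"1234567890"}       # constructed account and passcode
    ident = 1

    # Client (the PIX in this thread) hides the passcode with ITS secret.
    hidden = hide_password(users["vpnuser"], client_secret, request_auth)

    # Server recovers it with ITS secret and compares with what it expects.
    recovered = recover_password(hidden, server_secret, request_auth)
    code = ACCESS_ACCEPT if recovered == users["vpnuser"] else ACCESS_REJECT

    # Server signs the reply; the client checks the signature with its secret.
    reply_auth = response_authenticator(code, ident, b"", request_auth, server_secret)
    expected = response_authenticator(code, ident, b"", request_auth, client_secret)
    return code, reply_auth == expected


if __name__ == "__main__":
    print("matching secrets  :", simulate(b"123456", b"123456"))
    print("mismatched secrets:", simulate(b"123456", b"654321"))
```

With mismatched secrets the server recovers garbage instead of the passcode and answers with a reject even though the user typed the right value, and the reply itself fails the client's authenticator check.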


BGP Policy-based Routing -- applicable for inbound and outbound [7:70037]

2003-06-03 Thread Hinwoto
hi guys,

Can BGP Policy-based routing be configured both on inbound and outbound
interfaces ?
I know that it is definitely for inbound interface.
And can the policy-based routing also be used to alter the final destination
of the packet ?
I don't think there's an option to set that.

Please, show the light.
Thanks guys
hin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70037t=70037


Cisco's BGP Course is Okay [7:70038]

2003-06-03 Thread Mwalie W
Hi All,

This is just a comment arising after I read a paper in the current IEEE
Communications Magazine.

I was a little surprised. The paper is, of course, a refereed paper and was
written by three guys, one of them a PhD.

I was surprised because I could write the same paper just from the knowledge
I gained on BGP through self-study. I understood the paper in its entirety
without any struggle at all.

So, my main point is that we can get good knowledge through Cisco
Certifications, knowledge which can even help us attend conferences and
present very decent papers.

Good Luck.

Mwalie


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70038t=70038


permit only even subnets [7:70039]

2003-06-03 Thread lost in space
Dear groupstudy members,

Let's say we have these networks:

192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24

How do we permit only even subnets and deny all the odd subnets?
What network number and wildcard mask should I use in the
access-list statement?

sorry if this question has been asked before...


RD


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70039t=70039


RE: Redistribute OSPF to RIPv1 [7:69969]

2003-06-03 Thread Peter Paul
you could try to configure area 1 range  command at the abr, R2.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70041t=69969


RE: permit only even subnets [7:70039]

2003-06-03 Thread Peter Paul
To match the even subnets, use 

access-list 1 permit 192.168.0.0 0.0.254.255

To match the odd subnets, use

access-list 1 permit 192.168.1.0 0.0.254.255


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70040t=70039
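
Added example, not part of Peter Paul's post: a Python model of Cisco wildcard-mask matching that runs the two entries above against the five subnets from the question and lists everything else the even-subnet entry covers. The helper names and the sample host addresses are constructed for illustration.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def ace_matches(addr, base, wildcard):
    """Wildcard-mask match: a 1 bit in the wildcard means 'ignore this bit',
    a 0 bit means the address must equal the base address in that position."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def evaluate(acl, addr):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if ace_matches(addr, base, wildcard):
            return action
    return "deny"


def covered_third_octets(base, wildcard, prefix="192.168"):
    """Every third-octet value under `prefix` that the entry matches.
    Useful to see how much more than the intended subnets an entry permits."""
    return [n for n in range(256)
            if ace_matches(f"{prefix}.{n}.1", base, wildcard)]


# The two entries from the post above.
EVEN_ACL = [("permit", "192.168.0.0", "0.0.254.255")]
ODD_ACL = [("permit", "192.168.1.0", "0.0.254.255")]

# The five /24s from the original question, probed with a constructed host .10.
QUESTION_SUBNETS = [1, 2, 3, 4, 5]


def verdicts(acl):
    return {f"192.168.{n}.0/24": evaluate(acl, f"192.168.{n}.10")
            for n in QUESTION_SUBNETS}


if __name__ == "__main__":
    # 0.0.254.255 leaves only the lowest bit of the third octet significant:
    # 254 = 1111 1110, so bit 0 must equal the base (0 = even, 1 = odd).
    for name, acl in (("even", EVEN_ACL), ("odd", ODD_ACL)):
        print(name, verdicts(acl))
    covered = covered_third_octets("192.168.0.0", "0.0.254.255")
    print(len(covered), "even /24s matched, from", covered[0], "to", covered[-1])
```

The even entry matches all 128 even-numbered /24s under 192.168.0.0/16, including 192.168.0.0/24 and 192.168.6.0/24 through 192.168.254.0/24, which matters if only the listed networks are meant to be permitted.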


RE: multiple isakmp policies question-No authentication [7:70043]

2003-06-03 Thread Richard Campbell
Hi..  Sorry me again, I just realised that W2K can act as a RADIUS server, is
it true??  I tried to install cisco CSACS software on my W2K server, it
prompted me that another program is using RADIUS port, pls disable it, it
means my W2K server comes with RADIUS?  Where to configure it?

the aaa.bbb.ccc.10 (shown below) is the IP of my W2K server?  I should
configure my W2k Radius server to have the same key PASSWORD HERE as the
PIX515 right?  Where can I enter this value in my W2k server?

aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70043t=70043


RE: Multiple VLANs in a single switch port [7:69991]

2003-06-03 Thread Erick B.
Multiple-VLANs per port can be configured on certain
models, but if you do multiple VLANs then you can't do
dot1q or ISL trunks anywhere on the box. One or the
other... that's the limitation.

I wonder why cisco doesn't do protocol-based VLANs,
etc like some other vendors. It's a sweet feature that
rocks.

--- Michael Montiverdi  wrote:
 Hi,
 I believe it depends on the switch, like Marco said. I have a Catalyst
 3548XL and I can setup multiple vlans on one port.
 
 Thanks,
 Michael Montiverdi
  
  
  
 
 -Original Message-
 From: M.C. van den Bovenkamp
 [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 02, 2003 9:15 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Multiple VLANs in a single switch port
 [7:69991]
 
 koh jef wrote:
 
  is there any way/s to configure multiple VLANs in a single switch port?
 
 Aside from ISL or 802.1Q trunking? The answer is 'it depends'. Mostly on
 what switch you're using.
 
 Most switches can't do it, but some can; Cisco's 2900 series can, for
 instance.
 
   Regards,
 
   Marco.
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70042t=69991


Re: appletalk stuff [7:69961]

2003-06-03 Thread Scott Nelson
Also, are you doing it via one arm routing or do you have separate
interfaces in each vlan?
( fa0/0 in vlan or lan x, fa0/1 in vlan or lan y, etc., etc. )

http://www.cisco.com/warp/public/779/smbiz/service/knowledge/wan/subifs.htm

You should definitely use sub-interfaces though..  ( Reference above )

Scotty



Priscilla Oppenheimer  wrote in message
news:[EMAIL PROTECTED]
 It's funny that we are seeing this message after seeing all those complaints
 about the CCDP recert exam including AppleTalk! :-)

 קורן לב wrote:
 
  Does anyone have an idea on that:
  we use 7200 in the center of a big bay-networks routers
  we use ipx , ip and appletalk
  ip , ipx works fine in FR/PPP links and OSPF etc..
  apple talk zones and routing are shown ok on the macintosh
  machines

 All zones are showing up on the Macs? That's a good sign.

 Routing wouldn't show up on the Macs, but do all routes show up on the
 routers?

 Most AppleTalk problems are related to routing, not finding services. To
 avoid problems with split horizon, be sure to use Frame Relay subinterfaces.

  there is appletalk services advertised on PPP links

 AppleTalk services are never advertised. Users look for them.

  but they are not advertised on FR links
  routing is RTMP , zones are ok on FR links
  just the macintosh servers does not show up on FR !!

 Do you mean that servers don't show up when users who are across the Frame
 Relay network try to find them? That is indeed strange.

  no access-lists of any kind

 Hmmm. It does seem like an access list problem, though

 It also sounds like it could be a duplicate network number. If this is a new
 or updated design, it's pretty common to mistakenly reuse an AppleTalk cable
 range, or have overlapping ranges. Other than misconfigured access lists,
 that's the only time I've ever seen such a strange result as what you're
 seeing, if I understand what you're seeing (zones and routes OK, but users
 can't find services).

 If it's been upgraded to AppleTalk over IP and Mac OS X, then it's a whole
 other story. I think Mac OS X uses Service Location Protocol, which is
 multicast based and requires IGMP and an IP multicast routing protocol to be
 working correctly.

 Is this a new problem? What changed? What version of Mac OS are the users
 using? Is this pure AppleTalk or AppleTalk over TCP/IP?

 I might be willing to help if you could send more info on what's happening,
 version numbers, config, etc.

 Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70044t=69961


RE: Virtual MAC and Port Security [7:70030]

2003-06-03 Thread Mark W. Odette II
David- it's been a while since I did this, but from what I understand
you to say, you are trying to provide fault tolerance (fail-over) at the
NIC level for these servers.

I can't vouch for the 6500s, but on the 5500s that I used to manage, we
used Intel NICs in a teaming fashion (which was to provide said fault
tolerance).  These NICs had their FastEthernet cables going to each
switch respectively. (4 NICs in each Server, 2 CAT5500's to plug into).

The virtual MACs of the Teaming group were plugged into the port
security table on the CATs.  The CATs were also Trunk'd together via
GBICs, so STP would block one Fast-Ether-Channel group of NIC cables on
one switch while allowing the other group to operate.

So, the short of it is, I believe you'll have to set up an EtherChannel
with the NIC Pool(s) and it's assumed that you already are Trunking
between your 6500's for backbone redundancy.  Port Security should be
straight forward- just one Virtual-MAC per NIC Pool to be plugged into
the MAC Security Table, and reference the security mac table on the
ports you want to enable port security.

It's been a couple of years since I did this, so hopefully I remembered
all the steps required. YMMV :)

HTHs
-Mark
-Original Message-
From: David Vital [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: Virtual MAC and Port Security [7:70030]

I have several Servers that are going to be doing NIC pooling.  So I'm
supposed to see a virtual MAC address instead of the actual physical address
of the NIC's.  I run the NICs from one server to different switches for
fault tolerance.  If I have several 6500 series switches how can I set it up
for Port Security?  I know I can set up the ports to handle several MAC's
but if they are running the same virtual MAC what's the answer?

David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70045t=70030


Re: OSPF over FR [7:70025]

2003-06-03 Thread Danny Free
Catherine, 

You forgot to define ospf network type in each frame interface.
Add this interface config command: ip ospf network point-to-point

Thanks,
Rivalino

Exactly right but you will have to do 2 more things:
1) Since you changed the hello-interval to 30 on Router A's
point-to-point subinterfaces you will have to do the same for
Router B and Router C's interfaces.
2) Remove the neighbor statement from Router B and Router C's
OSPF process. Not needed.
So just add the ip ospf network point-to-point on Routers B and
C frame relay physical interface and do steps 1 and 2. Best of luck.
Danny


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70046t=70025


Lab prep in Sydney [7:70048]

2003-06-03 Thread Pichai Ruangroj
Hi,
Where can I find a lab prep in Sydney? Please give me the contact of
them.
Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70048t=70048


RE: multiple isakmp policies question-No authentication [7:70051]

2003-06-03 Thread Mark W. Odette II
Richard- Google is your friend 

Fluf-fluf http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html



-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 11:37 PM
To: [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication
[7:70043]

Hi..  Sorry me again, I just realised that W2K can act as a RADIUS server, is
it true??  I tried to install cisco CSACS software on my W2K server, it
prompted me that another program is using RADIUS port, pls disable it, it
means my W2K server comes with RADIUS?  Where to configure it?

the aaa.bbb.ccc.10 (shown below) is the IP of my W2K server?  I should
configure my W2k Radius server to have the same key PASSWORD HERE as the
PIX515 right?  Where can I enter this value in my W2k server?

aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

From: Daniel Cotts 
To: 'Richard Campbell' , [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication
[7:69996]
Date: Mon, 2 Jun 2003 18:25:38 -0500

In the following config RADIUS is used to authenticate the Clients.
IIRC 
The
group password is sufficient to allow a client to connect - although
not 
too
secure as all clients would have one password.
crypto map FF_fw_int0 client authentication AuthInbound
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE
timeout 
10

  -Original Message-
  From: Richard Campbell [mailto:[EMAIL PROTECTED]
  Sent: Monday, June 02, 2003 8:07 AM
  To: [EMAIL PROTECTED]
  Subject: RE: multiple isakmp policies question-No authentication
  [7:69996]
 
 
  Hey...  thanks..  finally I got response from my PIX515, but
  it just hang at
  securing communication channel stage (see below) and it
  doesn't authenticate
  the users.  What config should I add to point it to my
  authentication server
  192.168.1.201?  For your info, my VPN client is installed at
  Win95 and my
  authentication server is a W2K server.
 
  Initializing the connection...
  Contacting the gateway at 100.100.100.101...
  Negotiating security policies...
  Securing communication channel...
 
  I remember in VPN3000 server, I need to specify the
  authentication server
  for VPN group, but why in PIX515 sample on the net, why it
  doesn't have this
  entry
 
  From: Andrew Larkins
  
  from what I remember about this, they will try each policy
  until a match is
  amde, otherwise the connection terminates
  
  -Original Message-
  From: Richard Campbell [mailto:[EMAIL PROTECTED]
  
  hey..  I have a PIX 515 and have a PIX to PIX connection to
  London and NY
  using pre-shared key des, hash sha and dh group 1 and I am
  going to let
  VPN3000 client 3.X connect to here as here and I created
  another isakmp
  policy 20, with hash md5, dh group 2 as shown below.  Can u
  take a look
  whether the config is correct?
  
  And my question is I have 2 isakmp policies here, how does
  the PIX-PIX and
  VPN 3000 3.X client know which isakmp policy to take?
  
  crypto ipsec transform-set newset esp-des
  crypto dynamic-map dynmap 30 set transform-set newset
  crypto map newmap 10 ipsec-isakmp
  crypto map newmap 10 match address 101
  crypto map newmap 10 set peer nyapix
  crypto map newmap 10 set transform-set newset
  crypto map newmap 20 ipsec-isakmp
  crypto map newmap 20 match address 102
  crypto map newmap 20 set peer ldnpix
  crypto map newmap 20 set transform-set newset
  crypto map newmap 30 ipsec-isakmp dynamic dynmap
  crypto map newmap interface outside
  isakmp enable outside
  isakmp key  address ldnpix netmask 255.255.255.255
  isakmp key  address nyapix netmask 255.255.255.255
  isakmp identity address
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption des
  isakmp policy 10 hash sha
  isakmp policy 10 group 1
  isakmp policy 10 lifetime 86400
  
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption des
  isakmp policy 20 hash md5
  isakmp policy 20 group 2
  isakmp policy 20 lifetime 86400
  
  vpngroup CLIENTS address-pool REMOTEIPPOOLS
  vpngroup CLIENTS dns-server 192.168.1.201
  vpngroup CLIENTS wins-server 192.168.1.201
  vpngroup CLIENTS default-domain xyz.com
  vpngroup CLIENTS idle-time 1800
  vpngroup CLIENTS password 
  




Message Posted at:
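
The selection rule described in the reply above (each policy is tried until one matches, otherwise the connection terminates), as an added Python example that is not part of the thread. The two policies are taken from the posted config; the peer offers, the four-attribute match and the WEAK table are assumptions of this example.

```python
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    auth: str
    encryption: str
    hash: str
    dh_group: int

# The two ISAKMP policies from the posted PIX config, keyed by priority.
PIX_POLICIES = {
    10: Proposal("pre-share", "des", "sha", 1),
    20: Proposal("pre-share", "des", "md5", 2),
}

# Values this example treats as weak by current standards (an assumption of
# the example, not a statement from the thread).
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "dh_group": {1, 2}}

def select_policy(offers, policies=PIX_POLICIES) -> Optional[int]:
    """Return the priority of the first local policy that a peer offer matches."""
    for priority in sorted(policies):        # lowest number is tried first
        if policies[priority] in offers:     # all four attributes must agree
            return priority
    return None                              # no match: the negotiation ends

def weak_fields(policy: Proposal):
    """Name the attributes of a policy that fall in the WEAK sets."""
    return [field for field, bad in WEAK.items() if getattr(policy, field) in bad]

# Constructed offers (hypothetical peers, not captured traffic).
PIX_PEER_OFFER = [Proposal("pre-share", "des", "sha", 1)]
CLIENT_OFFER = [Proposal("pre-share", "3des", "md5", 2),
                Proposal("pre-share", "des", "md5", 2)]
UNMATCHED_OFFER = [Proposal("rsa-sig", "3des", "sha", 2)]

if __name__ == "__main__":
    for name, offer in [("pix peer", PIX_PEER_OFFER), ("client", CLIENT_OFFER),
                        ("unmatched", UNMATCHED_OFFER)]:
        chosen = select_policy(offer)
        weak = weak_fields(PIX_POLICIES[chosen]) if chosen else []
        print(name, "-> policy", chosen, "weak:", weak)
```
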

PIX 520 Static NAT [7:70049]

2003-06-03 Thread Danial Morison
Hi group,

we have a pix 520 with 3 interfaces, what we want is to allow outside 
10.20.20.0/24 to inside 10.16.206.21/32. Although 10.0.0.0/8 is defined as 
inside network, and the server 10.16.206.21 already has a static translation 
entry to a public IP address.

static (inside,outside) 203.125.152.243 10.16.206.21 netmask 255.255.255.255 0 0

and the outside network 10.20.20.0/24 is allowed to access inside network by 
NAT 0 command & ACL with permit host.

Any idea to allow inside IP address 10.16.206.21 from outside and outside 
network is 10.20.20.0/24 even we have a static translation above.

Thanks & Best Regards

DA'





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70049t=70049


PIX Access for Inside IP Pool [7:70050]

2003-06-03 Thread Danial Morison
Hi group,

we have a pix 520 with 3 interfaces, what we want is to allow outside 
10.20.20.0/24 to inside 10.16.206.21/32. Although 10.0.0.0/8 is defined as 
inside network, and the server 10.16.206.21 already has a static translation 
entry to a public IP address.

static (inside,outside) 203.125.152.243 10.16.206.21 netmask 255.255.255.255 0 0

and the outside network 10.20.20.0/24 is allowed to access inside network by 
NAT 0 command & ACL with permit host.

Any idea to allow inside IP address 10.16.206.21 from outside and outside 
network is 10.20.20.0/24 even we have a static translation above.

Thanks & Best Regards

DA'





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70050t=70050


RE: Router Configuration Backups?? [7:70009]

2003-06-03 Thread Jens von Bülow
Check out RANCID - http://www.shrubbery.net/rancid/

RANCID - Really Awesome New Cisco confIg Differ


Rancid monitors a router's (or device's) configuration, including software
and hardware (cards, serial numbers, etc), using CVS. Rancid currently
supports Bay routers, Cisco routers, Juniper routers, Catalyst switches,
Foundry switches, Redback NASs, ADC EZT3 muxes, MRTd (and thus likely IRRd),
Alteon switches, and HP procurve switches.
Rancid logs into each of the devices in a router table file, runs various
commands, chomps the output, and emails any differences (sample) from the
previous collection to a mail list.

Rancid is known to be used at: Global Crossing, MFN, Verio, Certainty
Solutions Inc.






-Original Message-
From: Vincent Tocco [mailto:[EMAIL PROTECTED] 
Sent: 02 June 2003 09:45
To: [EMAIL PROTECTED]
Subject: Re: Router Configuration Backups?? [7:70009]


We use Pancho, it's a perl script that downloads the configs via snmp. 
Just setup a cron job on a unix box.. http://www.panchoproject.org/

After you setup that, you can run diff on the files to see if anything 
changed.. Maybe every night?


-Vince

Stevo wrote:
 Hey Group,
 
 I have a number of routers that don't get their configs backed up on a 
 regular basis... does anyone have (or know of) any software products 
 out there that will do the backups for me...  or even better still, 
 let me know if a config is changed by someone??
 
 Thanks
 
 --Stevo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70052t=70009


RE: PIX access-list [7:70022]

2003-06-03 Thread Troy Leliard
Silly thing to overlook, but best to check anyway is that you have applied
the ACL to the correct interface


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70053t=70022


RE: OSPF over FR [7:70025]

2003-06-03 Thread Troy Leliard
Hi Catherine, 

Because you are using point to point sub interfaces on the one router and
on the other just using the real interface, OSPF behaves differently and
has different hello / dead timers etc, and this is why you are not getting
all your routes.  You need to make sure that all ospf interfaces in the same
area are of the same network type using the interface command ip ospf
network

Below is a link to a quick ref 

http://www.chuckslongroad.info/OSPF_Frame_Reference.htm

Catherine Wu wrote:
 
 I am testing Hub-Spoke for OSPF over FR,
 
 I verified the neighbor adjacency, but I couldn't see route 2.2.2.2 and
 3.3.3.3 in the routing table, 
 
 RouterA#sh ip ospf nei
 
 Neighbor ID     Pri   State      Dead Time   Address     Interface
 3.3.3.3           1   FULL/  -   00:01:41    10.1.1.6    Serial0/0.2
 2.2.2.2           1   FULL/  -   00:01:39    10.1.1.2    Serial0/0.1
 RouterB#sh ip ospf nei
 
 Neighbor ID     Pri   State      Dead Time   Address     Interface
 1.1.1.1           1   FULL/BDR   00:01:38    10.1.1.1    Serial0/0
 RouterC#sh ip ospf nei
 
 Neighbor ID     Pri   State      Dead Time   Address     Interface
 1.1.1.1           1   FULL/BDR   00:01:34    10.1.1.5    Serial0/0
 
 RouterA#sh ip ro
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
        * - candidate default, U - per-user static route, o - ODR
        P - periodic downloaded static route
 
 Gateway of last resort is not set
 
  1.0.0.0/32 is subnetted, 1 subnets
 C   1.1.1.1 is directly connected, Loopback0
  10.0.0.0/30 is subnetted, 2 subnets
 C   10.1.1.0 is directly connected, Serial0/0.1
 C   10.1.1.4 is directly connected, Serial0/0.2
 
 Please help.
 
 Thanks 
 
 Catherine
 
 RouterA
 interface Loopback0
  ip address 1.1.1.1 255.255.255.255
 !
 interface Serial0/0
  no ip address
  encapsulation frame-relay
  frame-relay lmi-type ansi
  no sh
 !
 interface Serial0/0.1 point-to-point
  ip address 10.1.1.1 255.255.255.252
  ip ospf hello-interval 30
  frame-relay interface-dlci 101
 !
 interface Serial0/0.2 point-to-point
  ip address 10.1.1.5 255.255.255.252
  ip ospf hello-interval 30
  frame-relay interface-dlci 102
 !
 router ospf 1
  log-adjacency-changes
  network 1.1.1.1 0.0.0.0 area 1
  network 10.1.1.0 0.0.0.3 area 0
  network 10.1.1.4 0.0.0.3 area 0
 
 RouterB
 !
 interface Loopback0
  ip address 2.2.2.2 255.255.255.255
 !
 interface Serial0/0
  ip address 10.1.1.2 255.255.255.252
  encapsulation frame-relay
  frame-relay map ip 10.1.1.1 110 broadcast
  no frame-relay inverse-arp
  frame-relay lmi-type ansi
  no sh
 !
 router ospf 1
  log-adjacency-changes
  network 2.2.2.2 0.0.0.0 area 2
  network 10.1.1.0 0.0.0.3 area 0
  neighbor 10.1.1.1 
 !
 RouterC
 interface Loopback0
  ip address 3.3.3.3 255.255.255.255
 !
 interface Serial0/0
  ip address 10.1.1.6 255.255.255.252
  encapsulation frame-relay
  frame-relay map ip 10.1.1.5 120 broadcast
  no frame-relay inverse-arp
  frame-relay lmi-type ansi
  no sh
 !
 router ospf 1
  log-adjacency-changes
  network 3.3.3.3 0.0.0.0 area 3
  network 10.1.1.4 0.0.0.3 area 0
  neighbor 10.1.1.5 
 
 
 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70054t=70025
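
The network-type check from the reply above, as an added Python example that is not part of the thread, applied to the interface settings in the posted configs. The dictionaries and field names are hypothetical, and the default network types and hello intervals are the Cisco IOS defaults as assumed by this example.

```python
# Default OSPF network type per Frame Relay interface kind (assumed defaults).
DEFAULT_TYPE = {
    "physical": "non-broadcast",
    "multipoint": "non-broadcast",
    "point-to-point": "point-to-point",
}
# Default hello interval in seconds per network type (assumed defaults).
DEFAULT_HELLO = {"broadcast": 10, "point-to-point": 10,
                 "non-broadcast": 30, "point-to-multipoint": 30}
# Whether a network type elects a DR/BDR.
USES_DR = {"broadcast": True, "non-broadcast": True,
           "point-to-point": False, "point-to-multipoint": False}

def effective(iface):
    """Resolve the network type and hello interval an interface ends up with."""
    net = iface.get("ospf_network") or DEFAULT_TYPE[iface["kind"]]
    hello = iface.get("hello") or DEFAULT_HELLO[net]
    return net, hello

def check_link(a, b):
    """List the OSPF problems expected between two ends of one PVC."""
    (net_a, hello_a), (net_b, hello_b) = effective(a), effective(b)
    problems = []
    if hello_a != hello_b:
        problems.append(f"hello mismatch ({hello_a}s vs {hello_b}s): "
                        "adjacency will not form")
    if USES_DR[net_a] != USES_DR[net_b]:
        problems.append(f"network type mismatch ({net_a} vs {net_b}): "
                        "adjacency can reach FULL but routes are missing")
    return problems

# RouterA Serial0/0.1 and RouterB Serial0/0 as posted.
ROUTER_A_SUBIF = {"kind": "point-to-point", "hello": 30}
ROUTER_B_POSTED = {"kind": "physical"}
# Two candidate changes on RouterB: network type only, then type plus hello.
ROUTER_B_TYPE_ONLY = {"kind": "physical", "ospf_network": "point-to-point"}
ROUTER_B_TYPE_AND_HELLO = {"kind": "physical",
                           "ospf_network": "point-to-point", "hello": 30}

if __name__ == "__main__":
    for label, spoke in [("posted", ROUTER_B_POSTED),
                         ("type only", ROUTER_B_TYPE_ONLY),
                         ("type and hello", ROUTER_B_TYPE_AND_HELLO)]:
        print(label, check_link(ROUTER_A_SUBIF, spoke) or "ok")
```

Changing only the network type on the spoke trades one problem for another here, because RouterA's subinterfaces carry an explicit hello-interval of 30.
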


IOS for 2500 series router. [7:70056]

2003-06-03 Thread Amir Tahir
Hi, 
I will be thankful to you if you could let me know from where i can download
IOS version for my Home Cisco 2500 series routers.

Thanks & regards
Amir


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70056t=70056


IP addressing [7:70057]

2003-06-03 Thread maine dude
Hi,

Can someone please check below, to see if I am going in the right direction.

I have 3 sites A B C 

A wants 500 users. 
B wants 2000 users 
c unknown up to 200 

IP address range I have is as follows:- 

10.225.200.0 to 10.225.219.255 

 

I have worked the following:- 

For A the range is 10.225.200.0 to 10.225.201.255 with a subnet mask of
255.255.254.0 or is it 255.255.255.0

For B the range is 10.225.202.0-255 
   10.225.203.0-255 
   10.225.204.0-255 
   10.225.205.0-255 
   10.225.206.0-255 
   10.225.207.0-255 
   10.225.208.0-255 
   
All with a subnet mask of 255.255.248.0. 

For C the range is 10.225.209.0-255 to 10.225.210.0-255 
subnet mask of 255.255.254.0 

if all on single network will all these talk without any problems and I
still have 211 through to 219 free.

Another quick question was should these all respond across different subnets
even using OSPF or won't they.

Thanks,

-DJ









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70057t=70057


Re: Wireless Spec. question [7:69842]

2003-06-03 Thread DW
By kit I mean questions about the Cisco devices (1200 / 350 / Bridges etc),
and their abilities, specs etc. I had no questions on the CLI at all..

1 cisco  wrote in message
news:[EMAIL PROTECTED]
 Do you mean cisco interface when talking about the KIT?
 Any questions on the cli?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70058t=69842


Re: BRI [7:70059]

2003-06-03 Thread koh jef
Hi ppl,

i'm encountering some issues on the 2nd channel, it takes quite a while for
it to come up despite the 1st channel hits the threshold, is there any
command that i can issue to monitor on the 2nd channel?

thanks

regards,

jef 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70059t=70059


RTP Cisco User's Group Meeting - June 4 2003 [7:70061]

2003-06-03 Thread Stephen Alston
Folks,
  The Research Triangle Park (RTP) Cisco User's group will meet on June 4th
from 12:00 to 1:00 PM in the first floor conference room of the Lake
Building on Cisco's RTP campus.

  This meeting's topic will be TAC procedures and best practices.  The
meeting will also include a guided tour through sections of the Cisco.com
website.  Learn answers to questions such as -- What is the difference
between a management escalation and a technical escalation?  Which is the
best method to use to open a TAC case?  Who is [EMAIL PROTECTED]?

  We apologize for the short notice and plan to provide more notice in the
future.

  If you're planning to attend please RSVP to so we can get a good head
count.

  BTW, more info on RTPCiscoUsers can be found at Yahoo Group.

  I'm a member of the group and will answer what questions I can.  Feel free
to email me at [EMAIL PROTECTED]

Thanks,
Steve Alston




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70061t=70061


RE: IP addressing [7:70057]

2003-06-03 Thread Larry Letterman
See Inline.


Hi,

Can someone please check below, to see if I am going in the right
direction.

I have 3 sites A B C 

A wants 500 users.  - should be a /23
B wants 2000 users  - should be a /21
c unknown up to 200 - should be a /24

IP address range I have is as follows:- 

10.225.200.0 to 10.225.219.255 

 

I have worked the following:- 

For A the range is 10.225.200.0 to 10.225.201.255 with a subnet mask of
255.255.254.0 or is it 255.255.255.0

It should be 255.255.254.0 for a /23



For B the range is 10.225.202.0-10.225.203.255  - 512 address
   10.225.204.0-10.225.205.255  - 512 address
   10.225.206.0-10.225.207.255  - 512 address
   10.225.208.0-10.225.209.255  - 512 address
   
All with a subnet mask of 255.255.248.0.  

For C the range is 10.225.209.0-255 to 10.225.210.0-255 
subnet mask of 255.255.254.0 

The bldg C address should be a /24 for 200 addresses...you don't need a
/23 for 200 addresses.
The 209 subnet is part of the /21 for area B...you should use
10.225.210.0 - 255 /24.



if all on single network will all these talk without any problems and I
still have 211 through to 219 free.

You will obviously need a router and have 3 networks...one for area A,
B, C...which would be 3 networks
Not one single network

Another quick question was should these all respond across different
subnets even using OSPF or won't they.

They should respond and work across any routing protocol if the switches
and router are config'd correctly...

Thanks,

-DJ









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70060t=70057
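
An added Python example, not part of the thread, that sizes the three sites from the stated user counts and places each subnet on a valid boundary inside 10.225.200.0 to 10.225.219.255. The largest-first allocation order and all function names are choices of this example; a /21 has to start where the third octet is a multiple of 8, which the alignment check makes visible.

```python
import ipaddress

# Address block from the post: 10.225.200.0 through 10.225.219.255.
FIRST = ipaddress.ip_address("10.225.200.0")
LAST = ipaddress.ip_address("10.225.219.255")
SITES = {"A": 500, "B": 2000, "C": 200}      # users wanted per site

def prefix_for(hosts: int) -> int:
    """Longest prefix that still holds hosts plus network and broadcast."""
    return 32 - (hosts + 1).bit_length()

def is_aligned(cidr: str) -> bool:
    """True if the address is a real network boundary for its mask."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False

def plan(sites=SITES):
    """Allocate largest-first so every subnet lands on its own boundary."""
    free = list(ipaddress.summarize_address_range(FIRST, LAST))
    result = {}
    for name, hosts in sorted(sites.items(), key=lambda kv: -kv[1]):
        want = prefix_for(hosts)
        # First free block large enough to contain a subnet of that size.
        block = next(b for b in free if b.prefixlen <= want)
        subnet = next(block.subnets(new_prefix=want))
        result[name] = subnet
        free.remove(block)
        free.extend(block.address_exclude(subnet))   # return the remainder
        free.sort()
    return result

if __name__ == "__main__":
    for name, subnet in sorted(plan().items()):
        print(name, subnet, subnet.netmask, subnet.num_addresses - 2, "hosts")
    print("10.225.202.0/21 aligned:", is_aligned("10.225.202.0/21"))
```
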