Re: Problem [7:71890]
Hi,

first you need to enable ip routing to make it work. Then your default route should look like this:

    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the other router interface.

Note: after the destination network follows a subnet mask (not a wildcard mask). Make sure you have a route in your other router back to this router (entries in the routing table are one-way only). Try show ip route to verify.

With kind regards
Jens Neelsen

--- Projet AIM wrote:

Hi again

I am pretty much thankful for your explanation. I have tried what you have suggested and still it doesn't work. The thing is I am convinced that I am missing something but can't find out what.

Thanx again and any help is appreciated
Elias

From: Jans van Deventer
Reply-To: Jans van Deventer
To: [EMAIL PROTECTED]
Subject: Re: Problem [7:71890]
Date: Fri, 4 Jul 2003 14:25:41 GMT

Hi

What you did when you typed no ip routing was to effectively change your router into an IP host. You must enable ip routing with ip routing and then add your static route. Test again and come back for help if it doesn't work.

One advantage of disabling IP routing and effectively turning your router into a host is because you can then use all the nice debug functionalities like debug ip packet, as though your router was a host.

Regards,
Jans

Projet AIM wrote:

Hi all

I have a cisco 3600 and I am facing an unknown problem. Maybe it is stupid but really I don't know. I have a pretty much common configuration: 2 valid IP addresses on both interfaces. One of them is my network, the other interface is linked to another router interface. When I try to ping the outside from the router's console I have a response, but when I try to ping from a machine in my network I don't have any reply.

I used a static route as in

    ip route 0.0.0.0 255.255.255.255 xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the other router interface.

I disabled ip routing:

    no ip routing

Can anyone please help me if I missed anything?

THANX a lot
Elias

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71942t=71890
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: RE: Multimedia/Voice over VSAT [7:71706]
interactive voice over satellite is problematic due to the inherent latency of the signal travelling 40,000km distance to the satellite and another 40,000km back. this adds 125ms of latency in each direction (to/from the bird), give or take. if you remember using satellite for long distance calls it took some getting used to (a bit like talking on a 2 way radio) and the perceived signal quality was less than using an under the pond cable.

satellite for 1 way video is fine, carriers use it for backhaul on a regular basis, but interactive video suffers the same difficulties as interactive voice.

so with the amount of latency already involved i would try to reduce any further quality impairments caused by voip or digital video processing. satellite offers a variety of quality impairments of its

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71943t=71706
Policy-Based Routing [7:71944]
Just for clarification can someone comment on or confirm the following:

If policy routing is enabled on an interface and the policy states that a packet received on that particular interface be sent to a next hop IP or an interface, will the packet be sent to that next hop even if a route exists via an IGP that points to another next hop?? I guess my real question is does the packet even get processed in regards to the routing table, or is its destination set as soon as it's matched by the route-map applied to the ingress interface??

Thanks in advance!!
Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71944t=71944
Re: Policy-Based Routing [7:71944]
policy based routing takes place before the routing process, so yes the packet will be sent to the destination that policy routing states.

Jason Viera wrote:

Just for clarification can someone comment on or confirm the following:

If policy routing is enabled on an interface and the policy states that a packet received on that particular interface be sent to a next hop IP or an interface, will the packet be sent to that next hop even if a route exists via an IGP that points to another next hop?? I guess my real question is does the packet even get processed in regards to the routing table, or is its destination set as soon as it's matched by the route-map applied to the ingress interface??

Thanks in advance!!
Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71945t=71944
Re: ATM Bandwith [7:71937]
Hi,

ATM technology is based on 53 byte cells. Also ATM has a 5 byte header per cell. So your payload's length can be 48 bytes per ATM cell.

With a basic calculation, for IP traffic on a 34Mb ATM link: 48 (payload includes the ip header) / 53 (total bytes that can be transferred in a cell) equals 0.90566. That means a maximum of 90.56% of your ATM link can be ip traffic (including the ip headers), so 34Mb * 0.90566 = 30.7925 Mb can be the ip traffic. Also consider that you have ip headers in that traffic; if you calculate the actual payload, it is less than that.

hope that helps,

Gerard Torin wrote:

Hi guys,

Anybody know how the ATM's bandwidth is built? For example, in an ATM link of 34Mbps, is it true that 4Mbps is just only header? I ask that because actually my company has it. But we don't reach the maximum bandwidth of 34Mbps. Yesterday, we did a stress test in the link and just only reached 30Mbps.

I thank you for any comment.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71946t=71937
chat script ... modem [7:71947]
Hi all,

Can anyone help with chat script configuring? It would be very nice if we could get some diagrams for the detailed configurations. How about this topic for the lab? Has anyone experienced it?

cheers,
Heiman.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71947t=71947
Re: Policy-Based Routing [7:71944]
It actually depends on which command u use:

if u use the set ip next-hop OR set interface
THEN packets will be sent to the destinations defined in these commands

if u use the set ip default next-hop OR set default interface
THEN packets will be sent to the defined destinations if there is no explicit route.

here is a link:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca590.html

Jason Viera wrote in message news:[EMAIL PROTECTED]

Just for clarification can someone comment on or confirm the following:

If policy routing is enabled on an interface and the policy states that a packet received on that particular interface be sent to a next hop IP or an interface, will the packet be sent to that next hop even if a route exists via an IGP that points to another next hop?? I guess my real question is does the packet even get processed in regards to the routing table, or is its destination set as soon as it's matched by the route-map applied to the ingress interface??

Thanks in advance!!
Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71949t=71944
Re: chat script ... modem [7:71947]
Here is a link:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca6f5.html

AK H T wrote in message news:[EMAIL PROTECTED]

Hi all,

Can anyone help with chat script configuring? It would be very nice if we could get some diagrams for the detailed configurations. How about this topic for the lab? Has anyone experienced it?

cheers,
Heiman.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71948t=71947
Configuring TCP intercept question; need help [7:71950]
Hi,

Has anyone actually been playing with Cisco TCP intercept lately? Does this piece of crap work at all? I am running both IOS version 12.1.5(T9) and 12.2.15(T) and TCP intercept is not working in intercept mode. TCP intercept does work in watch mode. When it is running in intercept mode, I can not get to the web page at all. It works in watch mode. Any ideas why? In intercept mode, it has to handle the connection for the server. In watch mode, it just watches the connection.

Here is what I am testing with:

1) Apache web server in linux,
2) hping2 utility to generate 10,000 concurrent http connections

I also use NAT to make the apache web server available to the external so that hping2 can DOS it.

Here is my config:

C2610#sh run
Building configuration...

Current configuration : 4222 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2610
!
logging buffered 8192 notifications
logging rate-limit 1
no logging console
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NONE none
aaa authentication login TACACS group tacacs+ local enable
aaa authentication login LOCAL local enable
aaa authorization auth-proxy default group tacacs+
enable secret 5 $1$Bj2H$ad4Dn5rkgKvwPZzJDKAgZ1
!
memory-size iomem 10
ip subnet-zero
no ip source-route
!
!
no ip finger
ip tcp intercept list 100
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 5
ip tcp intercept max-incomplete low 300
ip tcp intercept max-incomplete high 1000
ip tcp intercept one-minute low 100
ip tcp intercept one-minute high 500
ip domain-name micronetsolution.com
ip host tac 2065 10.10.10.10
ip name-server 172.17.1.2
ip name-server 129.174.1.8
ip dhcp excluded-address 10.100.0.71
ip dhcp excluded-address 10.100.0.72
ip dhcp excluded-address 10.100.0.254
ip dhcp ping packets 5
!
ip dhcp pool DHCP
 network 10.100.0.0 255.255.255.0
 netbios-name-server 172.17.1.2 129.174.1.8
 dns-server 172.17.1.2 129.174.1.8
 default-router 10.100.0.254
 domain-name micronetsolution.com
 lease 3
!
ip inspect audit-trail
ip inspect dns-timeout 15
ip inspect name CBAC tcp timeout 3600
ip inspect name CBAC udp timeout 3600
ip auth-proxy auth-proxy-banner
ip auth-proxy auth-proxy-audit
ip auth-proxy auth-cache-time 1
ip auth-proxy name AUTH-PROXY http
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit name ATTACK attack action alarm
ip audit name INFO info action alarm
!
!
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Ethernet0/0
 ip address 172.18.1.1 255.255.0.0
 ip nat outside
 half-duplex
!
interface FastEthernet1/0
 ip address 10.100.0.254 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
ip kerberos source-interface any
ip nat pool natpool 172.18.1.1 172.18.1.1 netmask 255.255.0.0
ip nat inside source list 130 interface Ethernet0/0 overload
ip nat inside source static 10.100.0.71 172.18.0.71
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.1.254
ip http server
ip http authentication aaa
!
!
ip access-list extended NAMEDACL
 permit tcp any any
 permit udp any any
 permit ip any any
ip access-list extended in2out
 permit udp 10.100.0.0 0.0.0.255 any eq domain reflect traffic
 permit tcp 10.100.0.0 0.0.0.255 any eq www reflect traffic
 permit tcp 10.100.0.0 0.0.0.255 any eq telnet reflect traffic
 deny ip any any
ip access-list extended out2in
 permit icmp any any
 evaluate traffic
 deny ip any any
logging trap notifications
logging facility local5
logging source-interface Ethernet0/0
logging 172.17.1.2
access-list 100 permit tcp any host 10.100.0.71 eq www
access-list 100 permit tcp any host 10.100.0.71 eq 443
access-list 100 permit tcp any host 10.100.0.71 eq 22
access-list 100 permit tcp any host 10.100.0.71 eq telnet
access-list 100 permit tcp any host 10.100.0.71 eq ftp
access-list 100 permit tcp any host 10.100.0.71 eq ftp-data
access-list 110 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq telnet
access-list 110 dynamic lock-and-key permit ip 10.100.0.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 120 permit udp 10.100.0.0 0.0.0.255 any eq domain
access-list 120 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq www
access-list 120 deny ip any any
access-list 130 permit ip 10.100.0.0 0.0.0.255 any
access-list 140 permit ip host 172.18.1.2 host 172.18.1.1
access-list 140 permit icmp any 10.100.0.0 0.0.0.255
access-list 140 permit icmp any host 172.18.0.71
access-list 140 deny ip any any
!
tacacs-server host 172.18.1.2
tacacs-server attempts 2
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication NONE
 transport input none
line aux 0
 login authentication NONE
 transport input all
line vty 0 4
 login authentication LOCAL
!
IOS AUTH-PROXY problem [7:71952]
All,

Below is the configuration I have with AUTH-PROXY. I don't understand why the configuration works with IOS version 12.2.15(T) but doesn't work with IOS version 12.1.5T(9). With version 12.1.5T(9), I am not getting an authentication failed. Instead I am getting bad request. Any ideas?

C2610#sh run
Building configuration...

Current configuration : 4248 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2610
!
logging buffered 8192 notifications
logging rate-limit 1
no logging console
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NONE none
aaa authentication login TACACS group tacacs+ local enable
aaa authentication login LOCAL local enable
aaa authorization auth-proxy default group tacacs+
enable secret 5 $1$Bj2H$ad4Dn5rkgKvwPZzJDKAgZ1
!
memory-size iomem 10
ip subnet-zero
no ip source-route
!
!
no ip finger
ip tcp intercept list 100
ip tcp intercept connection-timeout 3600
ip tcp intercept watch-timeout 5
ip tcp intercept max-incomplete low 300
ip tcp intercept max-incomplete high 1000
ip tcp intercept one-minute low 100
ip tcp intercept one-minute high 500
ip domain-name micronetsolution.com
ip host tac 2065 10.10.10.10
ip name-server 172.17.1.2
ip name-server 129.174.1.8
ip dhcp excluded-address 10.100.0.71
ip dhcp excluded-address 10.100.0.72
ip dhcp excluded-address 10.100.0.254
ip dhcp ping packets 5
!
ip dhcp pool DHCP
 network 10.100.0.0 255.255.255.0
 netbios-name-server 172.17.1.2 129.174.1.8
 dns-server 172.17.1.2 129.174.1.8
 default-router 10.100.0.254
 domain-name micronetsolution.com
 lease 3
!
ip inspect audit-trail
ip inspect dns-timeout 15
ip inspect name CBAC tcp timeout 3600
ip inspect name CBAC udp timeout 3600
ip auth-proxy auth-proxy-banner
ip auth-proxy auth-proxy-audit
ip auth-proxy auth-cache-time 1
ip auth-proxy name AUTH-PROXY http
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit name ATTACK attack action alarm drop reset
ip audit name INFO info action alarm
!
!
call rsvp-sync
cns event-service server
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Ethernet0/0
 ip address 172.18.1.1 255.255.0.0
 ip nat outside
 half-duplex
!
interface FastEthernet1/0
 ip address 10.100.0.254 255.255.255.0
 ip nat inside
 ip auth-proxy AUTH-PROXY
 speed 100
 full-duplex
!
ip kerberos source-interface any
ip nat pool natpool 172.18.1.1 172.18.1.1 netmask 255.255.0.0
ip nat inside source list 130 interface Ethernet0/0 overload
ip nat inside source static 10.100.0.71 172.18.0.71
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.1.254
ip http server
ip http authentication aaa
!
!
ip access-list extended NAMEDACL
 permit tcp any any
 permit udp any any
 permit ip any any
ip access-list extended in2out
 permit udp 10.100.0.0 0.0.0.255 any eq domain reflect traffic
 permit tcp 10.100.0.0 0.0.0.255 any eq www reflect traffic
 permit tcp 10.100.0.0 0.0.0.255 any eq telnet reflect traffic
 deny ip any any
ip access-list extended out2in
 permit icmp any any
 evaluate traffic
 deny ip any any
logging trap notifications
logging facility local5
logging source-interface Ethernet0/0
logging 172.17.1.2
access-list 100 permit tcp any host 10.100.0.71 eq www
access-list 100 permit tcp any host 10.100.0.71 eq 443
access-list 100 permit tcp any host 10.100.0.71 eq 22
access-list 100 permit tcp any host 10.100.0.71 eq telnet
access-list 100 permit tcp any host 10.100.0.71 eq ftp
access-list 100 permit tcp any host 10.100.0.71 eq ftp-data
access-list 110 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq telnet
access-list 110 dynamic lock-and-key permit ip 10.100.0.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 120 permit udp 10.100.0.0 0.0.0.255 any eq domain
access-list 120 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq www
access-list 120 deny ip any any
access-list 130 permit ip 10.100.0.0 0.0.0.255 any
access-list 140 permit ip host 172.18.1.2 host 172.18.1.1
access-list 140 permit icmp any 10.100.0.0 0.0.0.255
access-list 140 permit icmp any host 172.18.0.71
access-list 140 deny ip any any
!
tacacs-server host 172.18.1.2
tacacs-server attempts 2
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication NONE
 transport input none
line aux 0
 login authentication NONE
 transport input all
line vty 0 4
 login authentication LOCAL
!
ntp clock-period 17208324
end

C2610#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71952t=71952
Re: VLAN Tagging on Cat 3550 Another question [7:71703]
simon watson wrote in message news:[EMAIL PROTECTED]

Hi

Somehow I was thinking VLAN tagging was something more than just trunking in Cisco talk; as you can guess I'm pretty rusty when it comes to switching. I have another question. Look at the example below.

REMOTE SITE MAIN SITE
PC's-CISCO 3550CISCO 2600~~CISCO 3600ALCATEL L3 SWITCH..PIX...INTERNET ROUTER---INTERNET.
(VLAN3) (802.1q TRUNK) (256K LINK) (802.1q TRUNK)(VLAN3)

A client wants to allow a group of PCs on a remote site access to the internet via the main site's ISP, but wants this group of PCs on their own VLAN so they have no connection to the rest of the network (except for the internet router which the whole network uses to access the internet). They have been advised by a third party to do it as above. They have a Cisco 3550EMI switch at the remote site and an Alcatel Omnicore L3 switch at the main site. The WAN link is a 256k leased line. They want to configure the PCs on the remote site with the same VLAN as a dedicated PIX on the main site (also on the same subnet). The Cat 3550 is not using its L3 capabilities and is trunked to the remote site's router.

Can this be done?

sure. not sure you need to worry about switching. use the inbound ( from the branch office ) router to route to the default gateway for internet access. put in policy routing and access lists denying access from the branch net to anything on the host site net.

where is all this vlan trunking coming from? looks to me like a red herring.

I'm sure, thinking of the basic laws of routing, it won't be possible to have devices being on the same subnet but across different WAN links, as routing loops can occur. Also, would it be best to enable the layer 3 capabilities of the switches, or to let the routers do the work?

I'm looking forward to your answers
Thanks in advance
Simon.

- Original Message -
From: Henrique Issamu Terada
To: simon watson
Cc:
Sent: Tuesday, July 01, 2003 2:09 PM
Subject: RES: VLAN Tagging on Cat 3550 [7:71703]

VLAN tagging is commonly called trunks by Cisco. Have you ever configured trunks as ISL or 802.1q? Actually the name VLAN tagging makes more sense on non-Cisco equipment, where only 802.1q exists. ISL doesn't tag as 802.1q does, but re-encapsulates the packet with a new header.

My 0,02

Henrique Issamu Terada, CCIE # 7460
IT Support - Open Network
CPM S.A. - Tecnologia criando valor
Tel.: 55 11 4196-0710
Fax: 55 11 4196-0900
[EMAIL PROTECTED]
www.cpm.com.br

-Original Message-
From: simon watson [SMTP:[EMAIL PROTECTED]
Sent: Tuesday, 1 July 2003 05:02
To: [EMAIL PROTECTED]
Subject: VLAN Tagging on Cat 3550 [7:71703]

Hi Guys

A client wants a Cat 3550 configured for VLAN tagging. I have not done one of these before, so how do I configure the switch? Also there is a Cisco 2600 router connected to the switch. Do I need to configure the router to accommodate VLAN tagging (and any router that packets of the VLAN go through)?

Thanks
Simon.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71951t=71703
Re: ATM Bandwith [7:71937]
Hi Levent,

Thanks for your explanation. It was very good.

Best Regards.

Levent Ogut wrote:

Hi,

ATM technology is based on 53 byte cells. Also ATM has a 5 byte header per cell. So your payload's length can be 48 bytes per ATM cell.

With a basic calculation, for IP traffic on a 34Mb ATM link: 48 (payload includes the ip header) / 53 (total bytes that can be transferred in a cell) equals 0.90566. That means a maximum of 90.56% of your ATM link can be ip traffic (including the ip headers), so 34Mb * 0.90566 = 30.7925 Mb can be the ip traffic. Also consider that you have ip headers in that traffic; if you calculate the actual payload, it is less than that.

hope that helps,

Gerard Torin wrote:

Hi guys,

Anybody know how the ATM's bandwidth is built? For example, in an ATM link of 34Mbps, is it true that 4Mbps is just only header? I ask that because actually my company has it. But we don't reach the maximum bandwidth of 34Mbps. Yesterday, we did a stress test in the link and just only reached 30Mbps.

I thank you for any comment.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71954t=71937
RE: ATM Bandwith [7:71937]
Hi Dom,

we did the test with the TFY application, generating burst traffic of 3000 bytes UDP. This application stressed the link, but I don't understand why it did not reach the maximum bandwidth permitted: 34Mbps. What do you think about this test? Is it right?

Dom wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerard Torin
Sent: 05 July 2003 19:06
To: [EMAIL PROTECTED]
Subject: ATM Bandwith [7:71937]

Hi guys,

Anybody know how the ATM's bandwidth is built? For example, in an ATM link of 34Mbps, is it true that 4Mbps is just only header? I ask that because actually my company has it. But we don't reach the maximum bandwidth of 34Mbps. Yesterday, we did a stress test in the link and just only reached 30Mbps.

I thank you for any comment.

Please supply more details. How did you test and with what size packets? Cell tax (the overhead of breaking your data down in 53byte chunks) might account for what you are observing.

Best regards,
Dom Stocqueler
SysDom Technologies
Visit our website - www.sysdom.org

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71953t=71937
RE: Policy-Based Routing [7:71944]
Hi Jason,

PBR is used to override the routing table. So if you have a policy on an interface to set the next-hop explicitly, then any traffic that matches your route-map that the policy is calling will have a next-hop set to what YOU specified, not what the routing table states.

Mario

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Viera
Sent: Sunday, July 06, 2003 1:55 AM
To: [EMAIL PROTECTED]
Subject: Policy-Based Routing [7:71944]

Just for clarification can someone comment on or confirm the following:

If policy routing is enabled on an interface and the policy states that a packet received on that particular interface be sent to a next hop IP or an interface, will the packet be sent to that next hop even if a route exists via an IGP that points to another next hop?? I guess my real question is does the packet even get processed in regards to the routing table, or is its destination set as soon as it's matched by the route-map applied to the ingress interface??

Thanks in advance!!
Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71957t=71944
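
Added example, not part of any post in this thread and not Cisco code: a small Python model of the forwarding decision the Policy-Based Routing replies describe, covering both "set ip next-hop" (overrides the routing table) and "set ip default next-hop" (used only when there is no explicit route). The addresses, the route table and the names Policy, lookup and forward are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    """One route-map entry applied to the ingress interface (simplified)."""
    match_src: ipaddress.IPv4Network          # stands in for the match ACL
    next_hop: Optional[str] = None            # set ip next-hop
    default_next_hop: Optional[str] = None    # set ip default next-hop


def lookup(rib, dst):
    """Longest-prefix match. Returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, nh) for net, nh in rib.items() if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def forward(rib, policy, src, dst):
    """Return (next_hop, reason) for a packet received on the policy-routed
    interface. Simplification: the model does not check that the policy
    next hop is reachable."""
    route = lookup(rib, dst)
    matched = policy is not None and ipaddress.ip_address(src) in policy.match_src

    # set ip next-hop is applied before the routing table is consulted.
    if matched and policy.next_hop:
        return policy.next_hop, "policy: set ip next-hop"

    # set ip default next-hop applies only when the table has no explicit
    # route for the destination; a 0.0.0.0/0 default does not count.
    explicit = route is not None and route[0].prefixlen > 0
    if matched and policy.default_next_hop and not explicit:
        return policy.default_next_hop, "policy: set ip default next-hop"

    # Unmatched traffic, or matched traffic with nothing left to apply.
    if route is not None:
        return route[1], "routing table"
    return None, "no route"


# Constructed sample data (documentation address ranges).
RIB = {
    ipaddress.ip_network("0.0.0.0/0"): "192.0.2.1",      # static default
    ipaddress.ip_network("10.20.0.0/16"): "192.0.2.2",   # learned via an IGP
}
OVERRIDE = Policy(ipaddress.ip_network("10.1.1.0/24"), next_hop="198.51.100.9")
FALLBACK = Policy(ipaddress.ip_network("10.1.1.0/24"), default_next_hop="198.51.100.9")

if __name__ == "__main__":
    cases = [
        (OVERRIDE, "10.1.1.5", "10.20.3.4"),    # IGP route exists, policy wins
        (FALLBACK, "10.1.1.5", "10.20.3.4"),    # explicit route wins
        (FALLBACK, "10.1.1.5", "203.0.113.7"),  # only the default route exists
        (OVERRIDE, "10.9.9.9", "10.20.3.4"),    # source not matched by policy
    ]
    for policy, src, dst in cases:
        print(src, "->", dst, forward(RIB, policy, src, dst))
```

When reviewing a configuration, the first case is the one to keep in mind: matched traffic leaves by the policy next hop, so filtering or inspection placed only on the routing-table path does not see it.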
RE: ATM Bandwith [7:71937]
Somebody (I'm sorry I deleted the post), posted after me, and it does look like you are hitting the cell tax problem. With other (including layer 3 overheads) you are not doing too badly.

Sorry if this is not what you want to hear ;)

Best regards,
Dom Stocqueler
SysDom Technologies
Visit our website - www.sysdom.org

-Original Message-
From: Gerard Torin [mailto:[EMAIL PROTECTED]
Sent: 06 July 2003 18:29
To: Dom; [EMAIL PROTECTED]
Subject: RE: ATM Bandwith [7:71937]

Hi Dom,

we did the test with the TFY application, generating burst traffic of 3000 bytes UDP. This application stressed the link, but I don't understand why it did not reach the maximum bandwidth permitted: 34Mbps. What do you think about this test? Is it right?

Dom wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerard Torin
Sent: 05 July 2003 19:06
To: [EMAIL PROTECTED]
Subject: ATM Bandwith [7:71937]

Hi guys,

Anybody know how the ATM's bandwidth is built? For example, in an ATM link of 34Mbps, is it true that 4Mbps is just only header? I ask that because actually my company has it. But we don't reach the maximum bandwidth of 34Mbps. Yesterday, we did a stress test in the link and just only reached 30Mbps.

I thank you for any comment.

Please supply more details. How did you test and with what size packets? Cell tax (the overhead of breaking your data down in 53byte chunks) might account for what you are observing.

Best regards,
Dom Stocqueler
SysDom Technologies
Visit our website - www.sysdom.org

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71955t=71937
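
Added example, not part of any post in this thread: the 48/53 calculation from the ATM Bandwith replies, extended to the per-packet "cell tax" Dom mentions. It goes beyond the posts by assuming AAL5 with LLC/SNAP routed encapsulation (8-byte AAL5 trailer, 8-byte LLC/SNAP header, padding to a whole number of 48-byte cell payloads), and it treats 34 Mbps as the rate available to ATM cells, as the posts do. Function names are constructed.

```python
CELL_BYTES = 53        # ATM cell size
PAYLOAD_BYTES = 48     # cell size minus the 5-byte header
AAL5_TRAILER = 8       # assumption: AAL5 CPCS trailer
LLC_SNAP = 8           # assumption: LLC/SNAP header for routed IP


def cell_tax_ceiling_mbps(link_mbps):
    """Upper bound from the header alone: the 48/53 figure in the thread."""
    return link_mbps * PAYLOAD_BYTES / CELL_BYTES


def cells_for_packet(ip_len, encap=LLC_SNAP):
    """Cells needed for one IP packet; the last cell is padded to 48 bytes."""
    pdu = ip_len + encap + AAL5_TRAILER
    return -(-pdu // PAYLOAD_BYTES)          # integer ceiling division


def ip_efficiency(ip_len, encap=LLC_SNAP):
    """Fraction of the cell-layer rate that carries IP packet bytes."""
    return ip_len / (cells_for_packet(ip_len, encap) * CELL_BYTES)


def ip_throughput_mbps(link_mbps, ip_len, encap=LLC_SNAP):
    """IP-layer throughput (IP headers included) for back-to-back packets."""
    return link_mbps * ip_efficiency(ip_len, encap)


def report(link_mbps, sizes):
    """(packet size, cells per packet, IP Mbps) for each packet size."""
    return [
        (n, cells_for_packet(n), round(ip_throughput_mbps(link_mbps, n), 2))
        for n in sizes
    ]


if __name__ == "__main__":
    link = 34.0
    print("header-only ceiling: %.4f Mbps" % cell_tax_ceiling_mbps(link))
    for size, cells, mbps in report(link, [40, 576, 1500]):
        print("%5d-byte IP packet: %2d cells, %.2f Mbps of IP" % (size, cells, mbps))
```

Under these assumptions a stream of 1500-byte packets tops out near 30 Mbps of IP on a 34 Mbps link, and small packets do far worse because of padding in the last cell.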
Re: IOS AUTH-PROXY problem [7:71956]
It could just be that in version 12.2.15(T) it is finally fully implemented. 12.1.5T(9) is just an earlier version. I ran into this last night while working on blocking Nimda and Code Red. The feature required to do the blocking was released in 12.1E (not exactly sure which version, I can't find my notes). I couldn't find the feature anywhere in the documentation for 12.1, but as soon as I looked in 12.2, it was there.

Hope that helps.

Cheers,
Joe

- Original Message -
From: d tran
To: ;
Sent: Sunday, July 06, 2003 10:18 AM
Subject: IOS AUTH-PROXY problem

All,

Below is the configuration I have with AUTH-PROXY. I don't understand why the configuration works with IOS version 12.2.15(T) but doesn't work with IOS version 12.1.5T(9). With version 12.1.5T(9), I am not getting an authentication failed. Instead I am getting bad request. Any ideas?

C2610#sh run
Building configuration...

Current configuration : 4248 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2610
!
logging buffered 8192 notifications
logging rate-limit 1
no logging console
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NONE none
aaa authentication login TACACS group tacacs+ local enable
aaa authentication login LOCAL local enable
aaa authorization auth-proxy default group tacacs+
enable secret 5 $1$Bj2H$ad4Dn5rkgKvwPZzJDKAgZ1
!
memory-size iomem 10
ip subnet-zero
no ip source-route
!
!
Re: BSMSN 1.1 Vs 2.0 [7:71932]
That figures. Well I noticed it too late. Class starts tomorrow. Such is life. I will just get an updated Cisco Press book when they come out and bring myself up to speed. Thanks for the heads up, it gives me something to look for.

David

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71958t=71932
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
OSI routing in CCIE RS exam? [7:71960]
Hi,

I am preparing for the R&S written exam and wondering: do we have to master everything mentioned in the blueprint? I find it hard to decide how deep I should dip into some of the subjects. For example, the OSI model is listed in the blueprint, but do I have to know CLNP, CONP, that kind of stuff? Also, how much do we need to know about IPX?

Thanks!
Ellie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71960t=71960
GRE with IPsec [7:71959]
Hi,

Anyone has good reference doc about GRE with IPsec. I am a little confused about 2 flavors of crypto ACL used:

A) permit ip
B) permit gre any any

It seems option A is encrypt first then GRE encap, while option B is encap first then encrypt. Is there a good ref about these setups?

Thanks
Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71959t=71959
RE: OSI routing in CCIE RS exam? [7:71960]
IPX is no longer in the LAB.

-----Original Message-----
From: wj chou [mailto:[EMAIL PROTECTED]]
Sent: 06 July 2003 23:26
To: [EMAIL PROTECTED]
Subject: OSI routing in CCIE RS exam? [7:71960]

Hi,

I am preparing for the R&S written exam and wondering: do we have to master everything mentioned in the blueprint? I find it hard to decide how deep I should dip into some of the subjects. For example, the OSI model is listed in the blueprint, but do I have to know CLNP, CONP, that kind of stuff? Also, how much do we need to know about IPX?

Thanks!
Ellie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71962t=71960
RE: CCIE Lab !!! [7:71919]
You need to know EVERYTHING. I took and failed last week. RIPv2, OSPF, EIGRP, IS-IS, BGP - all redistributing into each other.

-----Original Message-----
From: alaerte Vidali [mailto:[EMAIL PROTECTED]]
Sent: 04 July 2003 22:38
To: [EMAIL PROTECTED]
Subject: RE: CCIE Lab !!! [7:71919]

For sure you should know a lot about redistribution.

A statement I heard from a Cisco guy responsible for the test in my country: "Certainly one topic will be asked that you have never heard about; this is to test your capacity to look at the CD documentation and find an answer."

Certainly you should know all you can, because there is no time to search on the CD.

The IOS on the lab is about to change. 12.2.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71961t=71919
Re: GRE with IPsec [7:71959]
Try this: http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

Lots of examples here.

Annlee

Michael Jia wrote in message news:[EMAIL PROTECTED]

Hi,

Anyone has good reference doc about GRE with IPsec. I am a little confused about 2 flavors of crypto ACL used:

A) permit ip
B) permit gre any any

It seems option A is encrypt first then GRE encap, while option B is encap first then encrypt. Is there a good ref about these setups?

Thanks
Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71963t=71959
RE: GRE with IPsec [7:71965]
Hi, Joe

There is a slight difference between A and B. Could you share some insights as well?

Thanks
Michael

-----Original Message-----
From: Joe Deleonardo [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 06, 2003 5:17 PM
To: Michael Jia; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: GRE with IPsec

I don't have a source. But it's really very simple: all you do is apply the crypto map to the tunnel interface AND the physical interface between the two devices. Then add an ACL:

access-l 100 permit gre host host

You do that on each device of course. And then the rest of it is just a standard VPN config.

Cheers,
Joseph

----- Original Message -----
From: Michael Jia
Sent: Sunday, July 06, 2003 2:56 PM
Subject: GRE with IPsec

Hi,

Anyone has good reference doc about GRE with IPsec. I am a little confused about 2 flavors of crypto ACL used:

A) permit ip
B) permit gre any any

It seems option A is encrypt first then GRE encap, while option B is encap first then encrypt. Is there a good ref about these setups?

Thanks
Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71965t=71965
Re: GRE with IPsec [7:71964]
I don't have a source. But it's really very simple: all you do is apply the crypto map to the tunnel interface AND the physical interface between the two devices. Then add an ACL:

access-l 100 permit gre host host

You do that on each device of course. And then the rest of it is just a standard VPN config.

Cheers,
Joseph

----- Original Message -----
From: Michael Jia
Sent: Sunday, July 06, 2003 2:56 PM
Subject: GRE with IPsec

Hi,

Anyone has good reference doc about GRE with IPsec. I am a little confused about 2 flavors of crypto ACL used:

A) permit ip
B) permit gre any any

It seems option A is encrypt first then GRE encap, while option B is encap first then encrypt. Is there a good ref about these setups?

Thanks
Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71964t=71964
Re: GRE with IPsec [7:71966]
Hmm, not sure what you mean but. Really all you do is create your regular VPN. Then you create your GRE tunnel. Then the ACL. Here is an abbreviated example.

R1#
Int Lo0
 ip address 1.1.1.1 255.255.255.0
Int Tu0
 ip address 10.1.1.1 255.255.255.0
 tun source loop0
 tun dest 2.2.2.2
 crypto map VPN
Int s0
 ip address 101.101.101.101 255.255.255.0
 crypto map VPN
access-l 100 permit gre host 1.1.1.1 host 2.2.2.2

That's it, then just take the same actions on the other side. It really is just the regular VPN, then the extra crypto map on the GRE tunnel and the ACL.

Better?

----- Original Message -----
From: Michael Jia
To: 'Joe Deleonardo'
Sent: Sunday, July 06, 2003 5:23 PM
Subject: RE: GRE with IPsec

Hi, Joe

There is a slight difference between A and B. Could you share some insights as well?

Thanks
Michael

-----Original Message-----
From: Joe Deleonardo [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 06, 2003 5:17 PM
To: Michael Jia; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: GRE with IPsec

I don't have a source. But it's really very simple: all you do is apply the crypto map to the tunnel interface AND the physical interface between the two devices. Then add an ACL:

access-l 100 permit gre host host destination

You do that on each device of course. And then the rest of it is just a standard VPN config.

Cheers,
Joseph

----- Original Message -----
From: Michael Jia
Sent: Sunday, July 06, 2003 2:56 PM
Subject: GRE with IPsec

Hi,

Anyone has good reference doc about GRE with IPsec. I am a little confused about 2 flavors of crypto ACL used:

A) permit ip
B) permit gre any any

It seems option A is encrypt first then GRE encap, while option B is encap first then encrypt. Is there a good ref about these setups?

Thanks
Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71966t=71966
RE: OSI routing in CCIE RS exam? [7:71960]
I think you have to prepare everything that is in the blueprint. But like CLNP, you have to know it, because it's related to IS-IS, is that right? Everything in the blueprint will be in the written exam.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71968t=71960
Re: GRE with IPsec [7:71967]
From your original email: by permitting ip you're allowing everything over the IPSec tunnel. If you just permit gre you're just allowing the GRE tunnel over the IPsec tunnel. You might want to do this to transport something that IPsec can't handle by itself, like AppleTalk or IPX.

You're thinking of it as a flavor. That's the wrong mindset for this concept. Just think of it as a regular IPsec tunnel, and all your ACL does is just what any other ACL does... controls granularity.

----- Original Message -----
From: Michael Jia
Sent: Sunday, July 06, 2003 2:56 PM
Subject: GRE with IPsec

Hi,

Anyone has good reference doc about GRE with IPsec. I am a little confused about 2 flavors of crypto ACL used:

A) permit ip
B) permit gre any any

It seems option A is encrypt first then GRE encap, while option B is encap first then encrypt. Is there a good ref about these setups?

Thanks
Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71967t=71967
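The crypto ACL behaviour discussed in this thread, as a small Python model added here as an example; it is not code from any poster, and it reduces IOS behaviour to one check of the crypto ACL against the outermost IP header as the packet leaves the physical interface. The tunnel endpoints 1.1.1.1 and 2.2.2.2 come from the abbreviated config earlier in the thread; the LAN prefixes, sample packets and all function names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GRE = 47  # IP protocol number carried in the outer header of a GRE packet


@dataclass(frozen=True)
class Packet:
    proto: object                     # IP protocol number, or "ipx" for a non-IP payload
    src: str = ""
    dst: str = ""
    inner: Optional["Packet"] = None  # set when this packet is a GRE wrapper


@dataclass(frozen=True)
class AclEntry:
    proto: object                     # "ip" matches every IP protocol; 47 matches only GRE
    src: str
    dst: str


def gre_encapsulate(pkt, tunnel_src, tunnel_dst):
    """Wrap any payload (IP or not) in an outer IP header with protocol 47."""
    return Packet(GRE, tunnel_src, tunnel_dst, inner=pkt)


def is_protected(acl, pkt):
    """True if the crypto ACL selects the packet for IPsec (outermost header only)."""
    if not isinstance(pkt.proto, int):
        return False                  # non-IP traffic can never match an IP access list
    return any(
        e.proto in ("ip", pkt.proto)
        and ip_address(pkt.src) in ip_network(e.src)
        and ip_address(pkt.dst) in ip_network(e.dst)
        for e in acl
    )


# Constructed sample data: the LAN prefixes and both packets are assumptions.
ACL_A = [AclEntry("ip", "10.100.0.0/24", "10.200.0.0/24")]  # permit ip <lan> <lan>
ACL_B = [AclEntry(GRE, "1.1.1.1/32", "2.2.2.2/32")]         # permit gre host host
tcp_pkt = Packet(6, "10.100.0.5", "10.200.0.9")
ipx_pkt = Packet("ipx")


def scenario_results():
    """Evaluate both ACL styles against plain and GRE-tunnelled traffic."""
    gre_tcp = gre_encapsulate(tcp_pkt, "1.1.1.1", "2.2.2.2")
    gre_ipx = gre_encapsulate(ipx_pkt, "1.1.1.1", "2.2.2.2")
    return {
        "A plain tcp": is_protected(ACL_A, tcp_pkt),
        "A plain ipx": is_protected(ACL_A, ipx_pkt),
        "A gre(tcp)": is_protected(ACL_A, gre_tcp),
        "B plain tcp": is_protected(ACL_B, tcp_pkt),
        "B gre(tcp)": is_protected(ACL_B, gre_tcp),
        "B gre(ipx)": is_protected(ACL_B, gre_ipx),
    }


if __name__ == "__main__":
    for name, protected in scenario_results().items():
        print(f"{name:12} -> {'encrypted' if protected else 'sent in clear'}")
```

The "A gre(tcp)" and "B plain tcp" rows are the ones to check in a real deployment: an ACL written for the inner subnets does not select tunnelled packets, and a GRE-only ACL leaves any traffic that bypasses the tunnel unencrypted.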
Re: Policy-Based Routing [7:71944]
Thanks ALL, for the clarification!!

Jason

Junoguy wrote in message news:[EMAIL PROTECTED]

Hi Jason,

PBR is used to override the routing table. So if you have a policy on an interface to set the next-hop explicitly, then any traffic that matches the route-map that the policy is calling will have a next-hop set to what YOU specified, not what the routing table states.

Mario

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Viera
Sent: Sunday, July 06, 2003 1:55 AM
To: [EMAIL PROTECTED]
Subject: Policy-Based Routing [7:71944]

Just for clarification can someone comment on or confirm the following: If policy routing is enabled on an interface and the policy states that a packet received on that particular interface be sent to a next hop IP or an interface, will the packet be sent to that next hop even if a route exists via an IGP that points to another next hop?? I guess my real question is does the packet even get processed in regards to the routing table, or is its destination set as soon as it's matched by the route-map applied to the ingress interface??

Thanks in advance!!
Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71970t=71944
RE: ATM Bandwith [7:71937]
Hi Gerard,

ATM as a technology per se is a high overhead technology. As the basic fact, the fixed size cell is of 53 bytes and out of it the cell header consumes 5 bytes. So the net payload per cell is actually 48 bytes only, so effectively you are having close to 10% overhead, and it is not the end: you have to leave some bandwidth for the error detection etc. things also, because of which you are never able to use more than a tentative 90% bandwidth on any kind of technology. So if you are getting a burst of 30 Mbps on an E3 link (I would like to know about the bandwidth consumption tool or parameters used by you), you are not doing bad, for sure.

HTH
Vikram

-----Original Message-----
From: Dom [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 06, 2003 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: ATM Bandwith [7:71937]

Somebody (I'm sorry I deleted the post) posted after me, and it does look like you are hitting the cell tax problem. With other (including layer 3) overheads you are not doing too badly.

Sorry if this is not what you want to hear ;)

Best regards,
Dom Stocqueler
SysDom Technologies
Visit our website - www.sysdom.org

-----Original Message-----
From: Gerard Torin [mailto:[EMAIL PROTECTED]]
Sent: 06 July 2003 18:29
To: Dom; [EMAIL PROTECTED]
Subject: RE: ATM Bandwith [7:71937]

Hi Dom,

We did the test with the TFY application, generating burst traffic of 3000 bytes UDP. This application stressed the link, but I don't understand why we do not reach the maximum bandwidth permitted: 34Mbps. What do you think about this test? Is it right?

Dom wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gerard Torin
Sent: 05 July 2003 19:06
To: [EMAIL PROTECTED]
Subject: ATM Bandwith [7:71937]

Hi guys,

Anybody know how the ATM's bandwidth is built? For example, in an ATM link of 34Mbps, is it true that 4Mbps is just only header? I ask that because actually my company has it. But we don't reach the maximum bandwidth of 34Mbps. Yesterday, we did a stress test on the link and only reached 30Mbps. I thank you for any comment.

Please supply more details. How did you test and with what size packets? Cell tax (the overhead of breaking your data down into 53-byte chunks) might account for what you are observing.

Best regards,
Dom Stocqueler
SysDom Technologies
Visit our website - www.sysdom.org

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71969t=71937
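The cell tax discussed in this thread, worked through for the 3000-byte UDP test in Python as an added example; it is not code from any poster. It assumes AAL5 with RFC 2684 LLC/SNAP encapsulation, no IP fragmentation, and that the full 34 Mbps quoted in the thread is available for cells (physical-layer framing is ignored); the function names are hypothetical.

```python
CELL_SIZE = 53       # bytes on the wire per ATM cell
CELL_PAYLOAD = 48    # payload bytes per cell once the 5-byte header is removed
AAL5_TRAILER = 8     # AAL5 CPCS trailer: UU, CPI, length, CRC-32
LLC_SNAP = 8         # RFC 2684 LLC/SNAP header for routed IP (assumed encapsulation)
IP_UDP_HEADERS = 28  # 20-byte IPv4 header plus 8-byte UDP header, no options


def aal5_cells(ip_packet_len, llc_snap=True):
    """Cells needed for one IP packet; the AAL5 PDU is padded to a multiple of 48."""
    pdu = ip_packet_len + (LLC_SNAP if llc_snap else 0) + AAL5_TRAILER
    return (pdu + CELL_PAYLOAD - 1) // CELL_PAYLOAD


def wire_bytes(ip_packet_len, llc_snap=True):
    """Bytes that actually cross the link for one IP packet."""
    return aal5_cells(ip_packet_len, llc_snap) * CELL_SIZE


def udp_goodput_mbps(link_mbps, udp_payload_len, llc_snap=True):
    """UDP payload throughput on a link that carries link_mbps of cells."""
    ip_len = udp_payload_len + IP_UDP_HEADERS
    return link_mbps * udp_payload_len / wire_bytes(ip_len, llc_snap)


if __name__ == "__main__":
    # The test from the thread: 3000-byte UDP datagrams on a 34 Mbps link.
    print("cells per datagram:", aal5_cells(3000 + IP_UDP_HEADERS))
    print("UDP goodput: %.2f Mbps" % udp_goodput_mbps(34, 3000))
    # Edge case: a 40-byte TCP ACK needs two cells with LLC/SNAP, one without.
    print("40-byte packet:", wire_bytes(40), "bytes vs", wire_bytes(40, llc_snap=False))
```

Under these assumptions the header overhead alone caps large datagrams near 30 Mbps, and small packets fare far worse because of padding to the 48-byte boundary.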