RE: switch default gateway question [7:72288]
ip default-gateway in IOS is only used when the device is acting as a host (not routing, etc). If it has IP routing enabled, then you probably want to use a default route (0.0.0.0/0) and/or other routes for your networks (static, RIP, EIGRP, etc).

Erick

--- Reimer, Fred wrote:

I'm not saying that your way won't work. To tell you the truth, I don't really understand your method. I've just been through a lot of migrations myself in the past with customers, and creating new VLANs and moving users over to them is the typical way it is accomplished.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-----Original Message-----
From: gab.seun jones.ewulomi [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 12:16 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: switch default gateway question [7:72288]

Hi Fred,

Yes, we are using VLANs. Hence why we purchased the types of switches. What I listed was a suggestion in which I asked if that way too would work. I know you can create another VLAN sub-interface and start moving the new addresses. I was thinking of the idea that if the switches can accept more than 2 default routes then why won't that way work? What is wrong with dual default routes? As I understand, according to how these work there will be a primary default etc.

regards,
seun

From: Reimer, Fred
To: gab S.E jones, [EMAIL PROTECTED]
Subject: RE: switch default gateway question [7:72288]
Date: Tue, 15 Jul 2003 10:11:24 -0400

Say what? Why don't you just create additional VLANs for the new address space(s) and move PC's to the new VLANs as their addresses are changed? There is no need to be messing around with dual default routes. You could move all of the switches over to the new address space immediately, or change them over time to the new address and VLAN. If you are not using VLANs, then why did you purchase 4506s, 3550s, and 6509s?

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: gab S.E jones [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 5:48 AM
To: [EMAIL PROTECTED]
Subject: switch default gateway question [7:72288]

Basically I want to know how best to approach the situation. Our network is all statically mapped, no dynamic routing. Our switches (4506, 3550, 6509) are going to be changed to a different address range. The switches can accept more than one default gateway. The core routers' addresses have to be changed to the same subnet as the switches soon.

1) the switch old IP address is on an 11/8 address pointing to the core router (interface) with an 11/8 address
2) now the switch addresses are being changed to a 10/16 (subnetted) address and the default gateway has to point to the core with a 10/16 address as well

My approach was to

1) configure the switch with another default pointing to a 10/16
2) configure a secondary interface on the core with a 10/16 address
3) the other core routers connected to this core will also be given a secondary 10/16 address
4) then on the core routers put floating statics for all our original routes to point to the default GW 10/16 addresses

I presume that because the switches now have two default GW statements the switch will automatically send packets for PCs of 10 and 11 addresses, while we slowly migrate all our LAN devices to the new 10/16 GW.

5) will start gradually changing the LAN devices to start pointing to the 10/16 GW

Please correct me if I'm thinking of this the wrong way. Any advice will be greatly appreciated. My apologies if I didn't explain myself properly.

regards,
seun
cisco IOS [7:72454]
Dear all,

Does anyone know where I can download Cisco IOS? I am not a CCO member and therefore unable to access the Cisco CCO site. I just bought 2 used Cisco 2501 and I want to upgrade the IOS to a more up to date version. Does ver 12.0 work on a 2501? What is the requirement to run IOS ver 12.0?

Regards,
kws

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72454t=72454
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: snmp book [7:72456]
Hello,

Can somebody suggest a nice book on SNMP? Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72456t=72456
Re: Multicasting [7:72403]
We are using dense mode. Haven't tested the rest. No auto-rp MSDP. Tunnel worked on pt-2-pt, but not when it's not that way.

Rgds

----- Original Message -----
From: Reimer, Fred
To: [EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:10 PM
Subject: RE: Multicasting [7:72403]

I've never configured it with a tunnel before, but conceptually it should be the same. What mode are you using? Sparse, Dense, Sparse-dense? Are you doing auto-rp? Using MSDP? Read the Cisco docs on their web site and it gives you a run-down on all of the different configuration methods.

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: MR [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 12:23 PM
To: [EMAIL PROTECTED]
Subject: Multicasting [7:72403]

Hi,

This is on multicasting. We are trying to set up a multicasted n/w on a GRE tunnel with multiple transit routers. We have enabled multicast only in the end routers, i.e. tunnel source/destination routers. IGMP too has been enabled with a group being formed. Though we were able to successfully carry out multicasting with the tunnel on a serial link, we have not been able to when it's not a point to point link. Could observe that there is traffic in the tunnel on the source side, but nil at the other end.

On the configuration side, we enabled PIM/IGMP on the tunnel interface and other interfaces. Could anyone tell me what the ideal configuration should be? Please let me know in case you need more info.

Rgds

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72457t=72403
Re: Multicasting [7:72403]
Thanks for your config. But it would be ideal if you can send me a config when there is no pt-2-pt link.

Rgds

----- Original Message -----
From: alaerte Vidali
To: [EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 1:25 AM
Subject: RE: Multicasting [7:72403]

I have configured it some time ago; the serial link was frame relay. But I used a point-to-point subinterface. Something like that:

R1

interface tunnel 0
 ip address 172.16.1.1 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source 192.168.1.1
 tunnel destination 192.168.1.2
!
inter ser 0
 encap frame-relay
!
inter ser 0.1 point
 ip ad 192.168.1.1 255.255.255.252
 frame-relay interface-dlci 100

Same for R2.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72458t=72403
Re: Multicasting [7:72403]
At the source end, if I observed traffic on the tunnel, it was 1.5mb. But at the other end, it was zero. There was no incoming traffic. As I said earlier, it's not a point to point connection and involves multiple transit routers on the way.

R1 --- SP1 --- SP2 --- R2
TS                     TD

SP - Service Provider, TS - Tunnel Source, TD - Tunnel Dest.

At SP1, we observed there was traffic on their serial interface with R1. Now multicast is not enabled in any SP router. It's enabled only in R1 & R2. Should we be enabling it? As it was a public n/w we couldn't. Also there was no RP configured in R1 & R2. Just enabled multicast with IGMP group specified. We enabled PIM/IGMP in both tunnel as well as serial interfaces of R1 & R2.

R1 Config-

ip multicast-routing
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1
 tunnel source a.b.c.d
 tunnel destination w.x.y.z
interface Serial0
 ip address a.b.c.d 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1

R2 Config-

ip multicast-routing
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1
 tunnel source w.x.y.z
 tunnel destination a.b.c.d
interface Serial0
 ip address w.x.y.z 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1

Please do revert back to me for more info.

Rgds

----- Original Message -----
From: Reimer, Fred
To: [EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 3:59 AM
Subject: RE: Multicasting [7:72403]

I think you said that you see traffic going out one tunnel, but not coming in on the other end of the tunnel. How are you checking that? What does your mroute cache look like for the group in question? Does it list the tunnel interface as an outgoing interface? On the end that isn't receiving anything, is it configured for the RP? Does it find the RP successfully? Does it know about the group in its mroute cache?

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: alaerte Vidali [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 3:55 PM
To: [EMAIL PROTECTED]
Subject: RE: Multicasting [7:72403]

I have configured it some time ago; the serial link was frame relay. But I used a point-to-point subinterface. Something like that:

R1

interface tunnel 0
 ip address 172.16.1.1 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source 192.168.1.1
 tunnel destination 192.168.1.2
!
inter ser 0
 encap frame-relay
!
inter ser 0.1 point
 ip ad 192.168.1.1 255.255.255.252
 frame-relay interface-dlci 100

Same for R2.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72460t=72403
RE: BCMSN book vs CCIE LAN switching [7:72412]
Hi,

If you are studying for CCIE, you need the LAN Switching book; I doubt whether there is an option here, you need the LAN Switching book. You will also like the material in the book.

Good Luck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72459t=72412
Re: Debugging ISDN problems [7:72396]
taken a snapshot of some of the config...

interface Dialer1
 description ISDN Dial In Users
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 ip ospf interface-retry 0
 no ip mroute-cache
 dialer remote-name rushta01
 dialer pool 20
 dialer-group 1
 no snmp trap link-status
 pulse-time 0
 no cdp enable
 ppp authentication chap
!
interface Dialer2
 description ISDN Dial In Users
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 no ip route-cache
 ip ospf interface-retry 0
 no ip mroute-cache
 dialer remote-name mckeng01
 dialer pool 20
 dialer-group 1
 no snmp trap link-status
 pulse-time 0
 no cdp enable
 ppp authentication chap
!
interface Dialer3
 description ISDN Dial In Users
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 ip ospf interface-retry 0
 dialer remote-name walkej02
 dialer pool 20
 dialer-group 1
 no snmp trap link-status
 pulse-time 0
 no cdp enable
 ppp authentication chap
!
access-list 101 deny ospf any any
access-list 101 deny udp any any eq snmp
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101

Ronnie Higginbotham wrote in message news:[EMAIL PROTECTED]

If your idle timeout is 120 sec and you have interesting traffic defined with the dialer-list 1 protocol ip permit command then I would start checking for bugs in my IOS. As long as some interesting traffic is going over the link (i.e. routing protocol, user traffic, etc) something has to reset the timers. Are you running a routing protocol over the link? Can you post some debug dialer?

Ants wrote in message news:[EMAIL PROTECTED]

me again on isdn issues. have resolved previous problems, thanks for all input. another ugly snake has reared its neck.. have a number of isdn sites dialing in (dialer interfaces and not ddr) and being disconnected on random timeouts. the idle timeout is set to 120 seconds.. sometimes they disconnect after 70.. sometimes as much as 1050 seconds.. which debugging command can i use to best analyze what causes these connections to disconnect? thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72461t=72396
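An added example, not part of any post in this thread: a small Python model of the rule Ronnie describes, using access-list 101 as posted. Packets the list permits are "interesting" and reset the idle timer; packets it denies still cross an established call but leave the timer running. The packet timeline, addresses and function names are constructed for illustration, and only the ACL syntax that appears in the post is parsed.

```python
# access-list 101 exactly as posted in the message above.
ACL_101 = """\
access-list 101 deny ospf any any
access-list 101 deny udp any any eq snmp
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit ip any any
"""

PORT_NAMES = {"snmp": 161}  # only the port keyword used in the posted list


def parse_acl(text):
    """Parse 'access-list N action proto any (any|host X) [eq port]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        rule = {"permit": t[2] == "permit", "proto": t[3], "dst": None, "dport": None}
        rest = t[4:]
        if rest[0] != "any":
            raise ValueError("only source 'any' is handled in this sketch")
        rest = rest[1:]
        if rest[0] == "host":
            rule["dst"], rest = rest[1], rest[2:]
        elif rest[0] == "any":
            rest = rest[1:]
        else:
            raise ValueError("unsupported destination: " + rest[0])
        if rest[:1] == ["eq"]:
            rule["dport"] = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append(rule)
    return rules


def is_interesting(rules, pkt):
    """First matching entry decides; no match means the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if r["dst"] is not None and r["dst"] != pkt["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt.get("dport"):
            continue
        return r["permit"]
    return False


def disconnect_time(rules, packets, idle_timeout=120):
    """Second at which the idle timer expires for a call connected at t=0.

    packets is a time-sorted list of (seconds, packet). Only interesting
    packets push the deadline out; everything else is ignored by the timer.
    """
    deadline = idle_timeout
    for t, pkt in packets:
        if t >= deadline:
            break
        if is_interesting(rules, pkt):
            deadline = t + idle_timeout
    return deadline


def sample_traffic(with_user_traffic=True):
    """Constructed timeline: OSPF hellos, SNMP polls, two telnet packets."""
    pkts = [(t, {"proto": "ospf", "dst": "224.0.0.5"}) for t in range(0, 600, 10)]
    pkts += [(t, {"proto": "udp", "dst": "10.1.1.1", "dport": 161})
             for t in range(0, 600, 60)]
    if with_user_traffic:
        pkts += [(45, {"proto": "tcp", "dst": "10.1.1.1", "dport": 23}),
                 (100, {"proto": "tcp", "dst": "10.1.1.1", "dport": 23})]
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    rules = parse_acl(ACL_101)
    print("background only:", disconnect_time(rules, sample_traffic(False)))
    print("with user traffic:", disconnect_time(rules, sample_traffic(True)))
```

With this list, OSPF hellos and SNMP polls never extend the call, so the model drops it 120 seconds after the last permitted packet regardless of how much denied traffic is flowing.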
Can Not Router on 3550 [7:72462]
Dear All,

I configured a simple L3 routing on my 3550-EMI, but it seems like it is not working. Any help? Thanks

Current configuration : 6579 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LOL-3550
!
enable password cisco
!
ip subnet-zero
ip routing
!
!
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/4
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/5
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/6
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/7
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/8
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/9
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/10
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/11
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/12
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/13
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/14
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/15
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/16
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/17
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/18
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/19
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/20
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/21
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/22
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/23
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/24
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/25
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/26
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/27
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/28
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/29
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/30
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/31
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/32
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/33
 switchport access vlan 2
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/34
 switchport access vlan 2
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/35
 switchport access vlan 2
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/36
 switchport access vlan 2
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/37
 switchport access vlan 2
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
a really big bug [7:72463]
Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

lots and lots of IOS versions are affected

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72463t=72463
Re: route commands [7:72406]
This was discussed a million times; static route that points to an interface has AD=1.

Sasa
CCIE #8635

Nakul Malik wrote:

by default, a static route has an AD of 1. If the static route points to an exit interface, the AD=0. That is the only difference. HTH.

-Nakul

Karyn Williams wrote in message news:[EMAIL PROTECTED]

We recently added another interface, S1/1, that connects a private line to another school. We are routing 156.3.37.0 to them. Should I have route statements that say

ip route 156.3.37.0 255.255.255.0 192.168.0.2

or

ip route 156.3.37.0 255.255.255.0 Serial1/1

Current config:

ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 65.165.174.0 255.255.254.0 FastEthernet0/0
ip route 156.3.37.0 255.255.255.0 192.168.0.2
ip route 198.182.157.0 255.255.255.0 65.165.175.253
ip route 207.233.56.0 255.255.255.0 192.168.0.2

I am interested if there is a performance difference between these two route statements or any other reason why one would be preferred over the other. TIA.

--
Karyn Williams, CNE
Network Services Manager
California Institute of the Arts
[EMAIL PROTECTED]
http://www.calarts.edu/network

--
Regards, Sasa
CCIE #8635

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72464t=72406
RE: Network Analyzers [7:72346]
Hi,

I prefer Ethereal. I have used the sniffers as well but personally I prefer the unix versions (maybe because I'm more comfortable with unix as you can have full control), e.g. even tcpdump I find very good because you can use this with the ngrep utility to filter stuff. As suggested, it's quite important to know how protocols work and converse.

regards,
seun

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72466t=72346
RE: switch default gateway question [7:72288]
Hi people,

My sincere, sincere apologies that I didn't explain the situation more clearly. I deserve to get attacked. Have only started working on this customer's network for a few days now. Yes, it is a flat network (thanks Fred). Have just started to review this customer's network and still don't know all the details fully yet (the customers don't either, believe it or not). What I listed was a suggestion in which I asked if that way too would work, which I have noticed is not a good idea even if it might work.

My apologies Zsombor, I misquoted myself. What I meant to say was you can use statics to load balance as well.

e.g. will load balance

ip route 100.5.0.0 255.255.0.0 100.0.1.1
ip route 10.5.0.0 255.255.0.0 100.0.1.2

e.g. will act as a backup

ip route 100.5.0.0 255.255.0.0 100.0.1.1
ip route 10.5.0.0 255.255.0.0 100.0.1.2 5

Fred, that was the original plan I had in mind as well, thanks. I was going to be moving the PC's that are all in one VLAN to a bunch of separate VLANs. I just implied the possibility of using another default route to point to as another way of moving the PC's across, as I have never done it that way before.

Hi Priscilla, thanks for your input. I do know how you feel; I find it frustrating as well when I don't understand questions. My apologies for the misguidance in my explanation as I just rushed it. I was told to just re-address the routers for this customer without any prior good knowledge of how the LAN team have gone about their design.

Was the network all one big flat network with everything being addressed with 11.0.0.0/8 before? And the switches really were just L2 switches? And now they are moving to subnets and using the switches as routers?

This is correct, Priscilla.

I thank everyone for their input even if I didn't make myself clear.

regards,
seun

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72465t=72288
RE: Network Analyzers [7:72346]
I agree! I have used most of the commercially available packages such as Sniffer, and for most things I prefer Ethereal. I do not always carry an analyser with me and being able to download Ethereal to a client's workstation has helped me many times. I also like Ethereal's ability to read most capture formats so a client can mail me captures for analysis.

Just my 0.02 (GBP).

Best regards,
Dom Stocqueler
SysDom Technologies
Visit our website - www.sysdom.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 17 July 2003 13:19
To: [EMAIL PROTECTED]
Subject: RE: Network Analyzers [7:72346]

Hi,

I prefer Ethereal. I have used the sniffers as well but personally I prefer the unix versions (maybe because I'm more comfortable with unix as you can have full control), e.g. even tcpdump I find very good because you can use this with the ngrep utility to filter stuff. As suggested, it's quite important to know how protocols work and converse.

regards,
seun

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72471t=72346
RE: Tokenring [7:72470]
B? How can her workstation retain connectivity if it's turned off? Could you successfully ping it? A seems right to me.

maine dude wrote:

Hi,

I know that this should be an easy question. I think that the answer is B. But the book says A. What do you think the answer is? If you could also provide a link for a detailed answer that would be good.

What would happen on a simple ring network if one of the users turned off her workstation?

a. Only her workstation would lose connectivity.
b. None of the workstations would lose connectivity.
c. The workstations on either side of hers in the ring would lose network connectivity.
d. The network would fail

Answer: ?

Thanks in advance
Dj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72473t=72470
Definitive list of books for the CCIE CS Lab exam [7:72469]
For those of you who have encountered the CCIE CS Lab exams, what list of books would you recommend as being must-have items? Furthermore, I think? a new version of the Caslow CCIE book is being published soon? but I am considering getting the existing version for revision. Especially to use for revising the WAN components of the exam?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72469t=72469
Re: route commands [7:72406]
So I guess it's now 1,000,001 times :-))

Still, I don't blame anyone for believing this urban legend of the networking world when authorities such as Doyle and Caslow continue to propagate it. I just wonder how the AD=0 rumor ever got started.

However, although the AD=1 for both routes, they are not the same in all respects. One important difference-- with the interface form, the router considers any host reachable through that interface to be directly connected and so ARPs for its address. This does not happen for all hosts with a numeric next hop. This might not make a difference in the case given, but suppose your default route pointed to an interface rather than a numeric next hop?

See for a more detailed example and explanation.

Sasa Milic wrote:

This was discussed a million times; static route that points to an interface has AD=1.

Sasa
CCIE #8635

Nakul Malik wrote:

by default, a static route has an AD of 1. If the static route points to an exit interface, the AD=0. That is the only difference. HTH.

-Nakul

Karyn Williams wrote in message news:[EMAIL PROTECTED]

We recently added another interface, S1/1, that connects a private line to another school. We are routing 156.3.37.0 to them. Should I have route statements that say

ip route 156.3.37.0 255.255.255.0 192.168.0.2

or

ip route 156.3.37.0 255.255.255.0 Serial1/1

Current config:

ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 65.165.174.0 255.255.254.0 FastEthernet0/0
ip route 156.3.37.0 255.255.255.0 192.168.0.2
ip route 198.182.157.0 255.255.255.0 65.165.175.253
ip route 207.233.56.0 255.255.255.0 192.168.0.2

I am interested if there is a performance difference between these two route statements or any other reason why one would be preferred over the other. TIA.

--
Karyn Williams, CNE
Network Services Manager
California Institute of the Arts
[EMAIL PROTECTED]
http://www.calarts.edu/network

--
Regards, Sasa
CCIE #8635

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72468t=72406
Re: route commands [7:72406]
At 11:25 AM 7/17/2003 +, Sasa Milic wrote:

This was discussed a million times; static route that points to an interface has AD=1.

Just out of curiosity, does anyone know when this was changed? It used to be 0 for interface static routes, right? However, this is pretty irrelevant as far as the original question is concerned.

To answer the original question, the difference between static routes pointing to IP addresses and interfaces is that you get screwed if you point to a broadcast interface without an IP address. It's due to ARP; think about it, try it out, or search in the Groupstudy archives to find out what exactly happens. So the recommended solution (at least for broadcast interfaces) is to configure both IP address and interface name. For static routes pointing to p2p interfaces, I don't think you need to configure IP address (as someone else suggested, you will spare some work if a renumbering ever happens).

Thanks,
Zsombor

Sasa
CCIE #8635

Nakul Malik wrote:

by default, a static route has an AD of 1. If the static route points to an exit interface, the AD=0. That is the only difference. HTH.

-Nakul

Karyn Williams wrote in message news:[EMAIL PROTECTED]

We recently added another interface, S1/1, that connects a private line to another school. We are routing 156.3.37.0 to them. Should I have route statements that say

ip route 156.3.37.0 255.255.255.0 192.168.0.2

or

ip route 156.3.37.0 255.255.255.0 Serial1/1

Current config:

ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 65.165.174.0 255.255.254.0 FastEthernet0/0
ip route 156.3.37.0 255.255.255.0 192.168.0.2
ip route 198.182.157.0 255.255.255.0 65.165.175.253
ip route 207.233.56.0 255.255.255.0 192.168.0.2

I am interested if there is a performance difference between these two route statements or any other reason why one would be preferred over the other. TIA.

--
Karyn Williams, CNE
Network Services Manager
California Institute of the Arts
[EMAIL PROTECTED]
http://www.calarts.edu/network

--
Regards, Sasa
CCIE #8635

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72472t=72406
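An added example, not part of any post in this thread: a Python check that applies two points made in the replies above to the static routes Karyn posted. An interface-only static route makes the router ARP for every destination it covers, and on broadcast interfaces the recommendation was to configure both interface name and next-hop address. Guessing the media type from the interface name is an assumption of this sketch, and the function names are illustrative.

```python
import ipaddress
import re

# The "Current config" static routes quoted in the thread above.
THREAD_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 65.165.174.0 255.255.254.0 FastEthernet0/0
ip route 156.3.37.0 255.255.255.0 192.168.0.2
ip route 198.182.157.0 255.255.255.0 65.165.175.253
ip route 207.233.56.0 255.255.255.0 192.168.0.2
"""

# Assumption: media type is inferred from the interface name only.
BROADCAST_TYPES = ("ethernet", "fastethernet", "gigabitethernet", "vlan")
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_static_routes(config):
    """Return one dict per 'ip route' line: network, interface, next_hop."""
    routes = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or [t.lower() for t in tokens[:2]] != ["ip", "route"]:
            continue
        try:
            network = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
        except ValueError:
            continue  # forms this sketch does not handle, e.g. 'ip route vrf'
        interface = next_hop = None
        # After prefix and mask come [interface] [next-hop]; later tokens
        # (distance, "permanent", "name" ...) are ignored.
        for tok in tokens[4:6]:
            if _IPV4.fullmatch(tok):
                next_hop = next_hop or tok
            elif tok[0].isalpha() and any(c.isdigit() for c in tok):
                interface = interface or tok
        routes.append({"network": network, "interface": interface,
                       "next_hop": next_hop})
    return routes


def is_broadcast_interface(name):
    """True for Ethernet-like names, including abbreviations such as Fa0/0."""
    kind = re.match(r"[A-Za-z]+", name).group(0).lower()
    return any(t.startswith(kind) for t in BROADCAST_TYPES)


def audit_static_routes(config):
    """Flag routes that name a broadcast interface but no next hop.

    arp_scope is the number of addresses the router would treat as
    directly connected, and therefore ARP for, through that interface.
    """
    findings = []
    for r in parse_static_routes(config):
        if (r["interface"] and not r["next_hop"]
                and is_broadcast_interface(r["interface"])):
            findings.append({
                "route": f'{r["network"]} via {r["interface"]}',
                "arp_scope": r["network"].num_addresses,
                "fix": "add the next-hop address after the interface name",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_static_routes(THREAD_CONFIG):
        print(finding)
```

The three default routes on serial interfaces pass, matching the point made above about p2p links; the FastEthernet0/0 route is the only one flagged.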
RE: STP problem [7:70797]
We had a similar situation. Only in this case, the user was taking down internet access. Seems whoever configured the machine put the default gateway in as the user's address. At the time we were running two protocols, decnet and tcp/ip. Decnet was the first one to be used. The only time there was a problem was when the user would try to access the internet. After a week of troubleshooting, we started looking at all of the PCs that had been installed recently. It was pure luck that we found it.

-Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2003 4:35 PM To: [EMAIL PROTECTED] Subject: Re: STP problem [7:70797]

Access points can be configured to do bridging and I wouldn't be surprised to discover that they don't do STP, especially low-end ones from the local KMart. A lot of low-end switches don't do STP either. So, the access point would have to be inserted into the network just right so that it caused a loop, but that's certainly possible. In that case all the looping broadcast traffic, not to mention looping unknown unicast traffic, could bring a network to its knees. I'm surprised so many people doubted his description of the problem!?

Anyway, finding it will be hard, though there's good advice from Tom and others. I think I would revert to an old-fashioned communications channel. Announce over the loud speaker that if you just connected a wireless access point, disconnect it now and report to the office! :-)

Priscilla

Tom Martin wrote:

Chris, STP should be enough to avoid these types of problems. In order to cause a bridging loop the station would have to have both interfaces in the same VLAN and forward all L2 traffic except for BPDUs. Even if this were the case the wireless network (10-Mbps?) shouldn't be enough to bring the LAN to its knees (100-Mbps?). If you have STP enabled on all of your switches, I doubt that a single station is bringing the network down.

Once you find the offending switch that you need to reboot, you can issue console commands to determine the root bridge and any blocked ports. Make sure that things are normal. You do have your root bridge set manually, don't you? :) To find out which port is causing the loop, take a look at the interface counters. You should see an unreal amount of traffic on the offending port (and the uplink to the core switch).

When STP has been enabled I have only come across layer-2 loops twice. Once when a few HP switches had gone bad, and another time when a customer had configured channeling on one side but not the other (3500 series, no channel negotiation). In both cases I found that the problem was made worse with increasing traffic levels, and the problem also revolved around the same set of switches. The channeling problem was a bit more difficult to narrow down though, since it disabled MLS on the core switch and every segment appeared to have problems!!!

I hope that helps, - Tom

Christopher Dumais wrote:

Hi all, We are having an STP problem where we think a user with an integrated wireless and LAN NIC is creating a bridge loop and bringing down the entire network. The problem occurs then goes away after 20 or so minutes unless we can narrow down which closet it is coming from and reboot the switch. All of our management tools die during the outage. Does anyone have any ideas on how we might prevent this from happening or track down the offender? We have 6509's in our Core and a mix of 3548's and 3550-SMI. Any thoughts are appreciated. Thanks!

Chris Dumais, CCNP, CNA Sr. Network Administrator NSS Customer and Desktop Services Team Maine Medical Center (207)871-6940 [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72467t=70797
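Tom's advice to read the interface counters, as an added example that is not from the thread: a Python pass over `show interfaces` text that ranks ports by input utilisation and by the share of received packets that were broadcasts. The sample output is constructed for this example, and the two thresholds and the function names are assumptions.

```python
import re

_HEADER = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol is")
_FIELDS = {
    "bw_kbit": re.compile(r"BW (\d+) Kbit"),
    "in_bps": re.compile(r"input rate (\d+) bits/sec"),
    "pkts_in": re.compile(r"^\s*(\d+) packets input"),
    "bcast_in": re.compile(r"Received (\d+) broadcasts"),
}

# Constructed sample: one quiet access port, one access port and one uplink
# that both carry looping broadcast traffic.
SAMPLE_OUTPUT = """\
FastEthernet0/7 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  5 minute input rate 250000 bits/sec, 120 packets/sec
  5 minute output rate 310000 bits/sec, 140 packets/sec
     1000000 packets input, 512000000 bytes, 0 no buffer
     Received 20000 broadcasts (0 multicast)
FastEthernet0/12 is up, line protocol is up
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  5 minute input rate 94000000 bits/sec, 52000 packets/sec
  5 minute output rate 91000000 bits/sec, 50000 packets/sec
     10000000 packets input, 9000000000 bytes, 0 no buffer
     Received 9600000 broadcasts (0 multicast)
GigabitEthernet0/1 is up, line protocol is up
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  5 minute input rate 880000000 bits/sec, 410000 packets/sec
  5 minute output rate 870000000 bits/sec, 400000 packets/sec
     50000000 packets input, 40000000000 bytes, 0 no buffer
     Received 45000000 broadcasts (0 multicast)
"""


def parse_show_interfaces(text):
    """Split 'show interfaces' text into one counter dict per interface."""
    ports, current = [], None
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            current = {"name": header.group(1), **{k: 0 for k in _FIELDS}}
            ports.append(current)
            continue
        if current is None:
            continue  # text before the first interface header
        for key, pattern in _FIELDS.items():
            m = pattern.search(line)
            if m:
                current[key] = int(m.group(1))
    return ports


def suspect_ports(ports, min_util=0.8, min_bcast_share=0.5):
    """Return (name, input utilisation, broadcast share), busiest first.

    A port is listed when its input rate is close to line rate AND most of
    what it received was broadcast, the pattern a layer-2 loop produces.
    """
    suspects = []
    for p in ports:
        util = p["in_bps"] / (p["bw_kbit"] * 1000) if p["bw_kbit"] else 0.0
        share = p["bcast_in"] / p["pkts_in"] if p["pkts_in"] else 0.0
        if util >= min_util and share >= min_bcast_share:
            suspects.append((p["name"], round(util, 2), round(share, 2)))
    return sorted(suspects, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for name, util, share in suspect_ports(parse_show_interfaces(SAMPLE_OUTPUT)):
        print(f"{name}: input at {util:.0%} of line rate, {share:.0%} broadcast")
```

The broadcast share is computed from cumulative counters, so clear the counters or compare two samples before relying on it.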
Tokenring [7:72470]
Hi, I know that this should be an easy question, I think that the answer is B. But the book says A, what do you think the answer is? If you could also provide a link for a detailed answer that would be good.

What would happen on a simple ring network if one of the users turned off her workstation?

a. Only her workstation would lose connectivity.
b. None of the workstations would lose connectivity.
c. The workstations on either side of hers in the ring would lose network connectivity.
d. The network would fail

Answer: ?

Thanks in advance Dj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72470t=72470
Re: Can Not Router on 3550 [7:72462]
How do you know it's not working? What does 'show ip route' show on the 3550? Do you have a router (running RIP) attached to this 3550? Can it ping the VLAN interfaces? Do you have any PCs connected to the 3550? Can they ping the VLAN interfaces? Maybe try 'debug ip rip' as well...

Thanks, Zsombor

At 09:16 AM 7/17/2003 +, Steiven Poh-\(Jaring MailBox\) wrote:

Dear All, I configured a simple L3 routing on my 3550-EMI, but seem like not working. Any help? Thanks

== Current configuration : 6579 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LOL-3550
!
enable password cisco
!
ip subnet-zero
ip routing
!
!
spanning-tree extend system-id
!
!
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/4
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/5
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/6
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/7
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/8
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/9
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/10
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/11
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/12
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/13
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/14
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/15
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/16
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/17
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/18
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/19
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/20
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/21
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/22
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/23
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/24
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/25
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/26
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/27
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/28
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/29
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/30
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/31
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/32
 switchport access vlan 3
 switchport mode access
 no ip address
 spanning-tree portfast trunk
!
interface FastEthernet0/33
 switchport access vlan 2
 switchport mode access
 no ip address
 spanning-tree portfast trunk
OT: new CCIE requirement/step [7:72475]
Heard there's a new requirement between the CCIE written and lab. One now has to sing the following song on a street corner on Tasman Drive. Passing score is 740. http://puck.nether.net/~jared/gigflapping.mp3

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72475t=72475
RE: route commands [7:72406]
Answer is Cisco's own training materials. In the BSCN ver 1 materials there is an AD Comparison Chart

Connected interface AD=0
Static Route out an interface AD=0
Static Route to a next hop AD=1
etc.

The instructor told us that a Static route out an interface had an AD of 1 for 11.3 and newer.

-Original Message- From: Black Jack [mailto:[EMAIL PROTECTED]

I just wonder how the AD=0 rumor ever got started.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72478t=72406
Re: Multicasting [7:72403]
Not that this will solve your problem, but why do you need IGMP between two routers?

Thanks, Zsombor

At 08:22 AM 7/17/2003 +, MR wrote:

At the source end, if I observed traffic on tunnel, it was 1.5mb. But at the other end, it was zero. There was no incoming traffic. As I said earlier, it's not a point to point connection and involves multiple transit routers on the way.

R1 --- SP1 --- SP2 --- R2
TS                     TD

SP - Service Provider
TS - Tunnel Source
TD - Tunnel Dest.

At SP1, we observed there was traffic on their serial interface with R1. Now multicast is not enabled in any SP router. It's enabled only in R1 & R2. Should we be enabling it. As it was a public n/w we couldn't. Also there was no RP configured in R1 & R2. Just enabled multicast with IGMP group specified. We enabled PIM/IGMP in both tunnel as well as serial interfaces of R1 & R2.

R1 Config-

ip multicast-routing
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1
 tunnel source a.b.c.d
 tunnel destination w.x.y.z
interface Serial0
 ip address a.b.c.d 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1

R2 Config-

ip multicast-routing
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1
 tunnel source w.x.y.z
 tunnel destination a.b.c.d
interface Serial0
 ip address w.x.y.z 255.255.255.252
 ip pim dense-mode
 ip igmp join-group 224.1.1.1

Please do revert back to me for more info. Rgds

- Original Message - From: Reimer, Fred To: [EMAIL PROTECTED] Sent: Thursday, July 17, 2003 3:59 AM Subject: RE: Multicasting [7:72403]

I think you said that you see traffic going out one tunnel, but not coming in on the other end of the tunnel. How are you checking that? What does your mroute cache look like for the group in question? Does it list the tunnel interface as an outgoing interface? On the end that isn't receiving anything, is it configured for the RP? Does it find the RP successfully? Does it know about the group in its mroute cache?

Fred Reimer - CCNA Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message- From: alaerte Vidali [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 16, 2003 3:55 PM To: [EMAIL PROTECTED] Subject: RE: Multicasting [7:72403]

I have configured it some time ago; the serial link was frame relay. But I used point-to-point subinterface. Something like that:

R1

interface tunnel 0
 ip address 172.16.1.1 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source 192.168.1.1
 tunnel destination 192.168.1.2
!
inter ser 0
 encap frame-relay
!
inter ser 0.1 point
 ip ad 192.168.1.1 255.255.255.252
 frame-relay map interface-dlci 100

Same for R2.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72476t=72403
RE: Tokenring [7:72470]
The answer is A. When the PC has power removed, the PC's connection is broken and the NAUN (Nearest Active Upstream Neighbor) then looks for a new MAC address to use as a NAUN. B is not completely correct because the workstation that is turned off is no longer accessible, but the rest of the ring is. That is the simple answer. I don't have a current link that definitively shows this answer, but it should be in some of the old references. Hope this helps.

Dave Williams, CCDA, CCNA, CCSA Director - Network Engineering (402) 661-2143

-Original Message- From: maine dude [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 8:15 AM To: [EMAIL PROTECTED] Subject: Tokenring [7:72470]

Hi, I know that this should be an easy question, I think that the answer is B. But the book says A, what do you think the answer is? If you could also provide a link for a detailed answer that would be good.

What would happen on a simple ring network if one of the users turned off her workstation?

a. Only her workstation would lose connectivity.
b. None of the workstations would lose connectivity.
c. The workstations on either side of hers in the ring would lose network connectivity.
d. The network would fail

Answer: ?

Thanks in advance Dj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72477t=72470
RE: STP problem [7:70797]
Heh, you should have been at Networkers 2003 in LA. Cisco's wireless network was... Unstable to say the least. I'd estimate that the network was available only 50% of the time. First someone hacked into the DHCP server and brought that down. Then someone set their IP address the same as the default route. Then people setup peer-to-peer networks with the same ESSID as the Cisco AP's. It was almost comical!

Fred Reimer - CCNA Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050
Switching exam tomorrow. 1 question. [7:72485]
I'm taking the 640-604 BCMSN test tomorrow. Without divulging anything that might get anyone in trouble, I'm trying to find out what sort of simulations I can expect. I haven't really been able to find anything that would give me an idea of what they will be. Thanks, David

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72485t=72485
Re: Can Not Router on 3550 [7:72462]
Just to make sure though.. because I didn't see in the attached configs. Were the vlans 2 and 3 created at this point? thanks, rajesh
Topics covered for the CID 640-025 exam?? [7:72479]
Hello, Sorry, If this is another request but Are any of the following topics covered under the CID 640-025 exam? The exam is still valid for up to 45 days after July 25th, I think?

IPX
AppleTalk
Windows Networking
SNA
X.25
Stratacom Switches

These topics are not listed under: http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-025.html

Anyone? Thank you. Sincerely.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72479t=72479
RE: route commands [7:72406]
At 03:07 PM 7/17/2003 +, Daniel Cotts wrote:

Answer is Cisco's own training materials. In the BSCN ver 1 materials there is an AD Comparison Chart

Connected interface AD=0
Static Route out an interface AD=0
Static Route to a next hop AD=1
etc.

The instructor told us that a Static route out an interface had an AD of 1 for 11.3 and newer.

FWIW I just tried a 11.2 image and it had AD of 1, too.

Thanks, Zsombor

-Original Message- From: Black Jack [mailto:[EMAIL PROTECTED]

I just wonder how the AD=0 rumor ever got started.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72484t=72406
RE: switch default gateway question [7:72288]
No reason to apologize so much! It was just a little confusing. The scary part is:

I was told to just re-address the routers for this customer without any prior good knowledge of how the Lan team have gone about their design.

Now that's scary! Our engineers would be fired on the spot if they proposed some LAN design without taking into account the layer-3 migration plan...

Fred Reimer - CCNA Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message- From: gab S.E jones [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 7:54 AM To: [EMAIL PROTECTED] Subject: RE: switch default gateway question [7:72288]

Hi people, My sincere, sincere apologies that I didn't explain the situation more clearly. I deserve to get attacked. Have only started working on this customer's network for a few days now. Yes it is a flat network (thanks Fred). Have just started to review this customer's network and still don't know all the details fully yet (the customers don't either, believe it or not). What I listed was a suggestion in which I asked if that way too would work, which I have noticed is not a good idea even if it might work.

My apologies Zsombor, I misquoted myself, what I meant to say was you can use statics to load balance as well.

e.g will load balance

ip route 100.5.0.0 255.255.0.0 100.0.1.1
ip route 10.5.0.0 255.255.0.0 100.0.1.2

e.g will as a backup

ip route 100.5.0.0 255.255.0.0 100.0.1.1
ip route 10.5.0.0 255.255.0.0 100.0.1.2 5

Fred, that was the original plan I had in mind as well, thanks. I was going to be moving the PC's that are all in one VLAN to a bunch of separate VLANs. I just implied on the possibility of using another default route to point to as another way of moving the PCs across, as I have never done it that way before.

Hi Priscilla, thanks for your input. I do know how you feel, I find it frustrating as well when I don't understand questions. My apologies on misguidance in my explanation as I just rushed it. I was told to just re-address the routers for this customer without any prior good knowledge of how the Lan team have gone about their design.

Was the network all one big flat network with everything being addressed with 11.0.0.0/8 before? And the switches really were just L2 switches? And now they are moving to subnets and using the switches as routers?

this is correct Priscilla

I thank everyone for their input even if I didn't make myself clear.

regards, seun

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72481t=72288
RE: CCNP Lab Simulator [7:72167]
I have heard of the router sim from Sybex http://www.routersim.com Is this any good.

-Original Message- From: Alan Ho [mailto:[EMAIL PROTECTED] Sent: Friday, July 11, 2003 10:55 PM To: [EMAIL PROTECTED] Subject: CCNP Lab Simulator [7:72167]

I am preparing for the CCNP certification. Anyone know of a good CCNP Lab Simulator? Please provide experience and details. Thanks Alan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72483t=72167
RE: a really big bug [7:72463]
Oscar wrote:

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet lots and lots of IOS versions are affected http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

Thanks for the link. It's scary. Of course, with the proper ACLs, a router wouldn't be affected, but probably lots of routers don't have the proper ACLs. Anyone know the details? The advisory just says this:

A rare, specially crafted sequence of IPv4 packets which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers.

I think Cisco was right not to publish the details about these rare, specially crafted packets, but does anyone have the details? Maybe if you can get to the bugtracker, the details are in there.

Thanks Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72487t=72463
RE: Switching exam tomorrow. 1 question. [7:72485]
I'd imagine a fair amount Dave. I recently took the MCNS exam and it had a pretty fair amount of simulations. Will Gragido CISSP CCNP CIPTSS CCDA MCP Suite 325 9450 W. Bryn Mawr Ave. Rosemont, Il 60018 [EMAIL PROTECTED] The Knowledge Behind The Network -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 11:21 AM To: [EMAIL PROTECTED] Subject: Switching exam tomorrow. 1 question. [7:72485] I'm taking the 640-604 BCMSN test tomorrow. Without divulging anything that might get anyone in trouble, I'm trying to find out what sort of simulations I can expect. I haven't really been able to find anything that would give me an idea of what they will be. Thanks, David Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72493t=72485
Re: route commands [7:72406]
Black Jack wrote: So I guess it's now 1,000,001 times :-)) Still, I don't blame anyone for believing this urban legend of the networking world when authorities such as Doyle and Caslow continue to propagate it. I just wonder how the AD=0 rumor ever got started. It used to be true!? It also wasn't relevant anyway. She asked if there were any performance issues... However, although the AD=1 for both routes, they are not the same in all respects. One important difference-- with the interface form, the router considers any host reachable through that interface to be directly connected and so ARPs for its address. This does not happen for all hosts with a numeric next hop. The ARP caveat isn't relevant in her case either, where the interface is a serial interface. I'm sure you knew that, but I thought I would mention it, since I don't think you did... The original question had to do with using a default route that points to an IP address or serial interface and whether there are any performance issues. I can't think of any performance issues and checked a few books and Web sites and nobody mentioned one. I can't think of any issues other than the one that someone brought up about IP address renumbering being a bit harder if you used an IP address instead of an interface number. This might not make a difference in the case given, but suppose your default route pointed to an interface rather than a numeric next hop? See The URL is for partners only. Where are the tech notes for us lowly non-partner users? Priscilla for a more detailed example and explanation. Sasa Milic wrote: This was discussed a million times; static route that points to an interface has AD=1. Sasa CCIE #8635 Nakul Malik wrote: by default, a static route has an AD of 1. If the static route points to an exit interface, the AD=0. That is the only difference HTH. 
-Nakul Karyn Williams wrote in message news:[EMAIL PROTECTED] We recently added another interface, S1/1, that connects a private line to another school. We are routing 156.3.37.0 to them. Should I have route statements that say
ip route 156.3.37.0 255.255.255.0 192.168.0.2
or
ip route 156.3.37.0 255.255.255.0 Serial1/1
Current config:
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 65.165.174.0 255.255.254.0 FastEthernet0/0
ip route 156.3.37.0 255.255.255.0 192.168.0.2
ip route 198.182.157.0 255.255.255.0 65.165.175.253
ip route 207.233.56.0 255.255.255.0 192.168.0.2
I am interested if there is a performance difference between these two route statements or any other reason why one would be preferred over the other. TIA. -- Karyn Williams, CNE Network Services Manager California Institute of the Arts [EMAIL PROTECTED] http://www.calarts.edu/network -- Regards, Sasa CCIE #8635 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72490t=72406
RE: a default route question.. [7:72211]
Daniel Cotts wrote: Not an issue of errata but of reading a little further. If there is a default static 0.0.0.0 0.0.0.0 192.168.1.2 and RIP on the router then: that router will use the static as its gateway of last resort and RIP will advertise that route to its neighbors. For IGRP and EIGRP see Doyle p 756 Default routing is somewhat different for IGRP and EIGRP. These protocols do not understand the address 0.0.0.0. Rather, they advertise an actual address as an external route Use the ip default-network command to create that route. ip default-network 10.0.1.0 (or whatever - plus in EIGRP one can add a mask) The router on which that is configured will advertise that route to its neighbors. Will IGRP and EIGRP do this automatically or do they need default-information originate, I wonder? It's probably not worth testing on my routers because they are so old they won't take a recent IOS version. When I get back to my work lab I could test it, but that won't be until September. (The academic life has some advantages. :-) Priscilla See also EIGRP Network Design Solutions page 219-223 (It appears the book is out of print. There are a few available on Amazon.) So - the sentence in Doyle p 753 After a default route is identified in the routing table, RIP, IGRP, and EIGRP will automatically advertise it. - is true as long as we understand that default route means different things for RIP vs EIGRP. No redistribution commands are used. Now - the original point of this thread was 'has the treatment of default routes - particularly by RIP - changed in newer versions of IOS?' Some weeks ago I did some testing and did not find any change (used 11.1 through 12.2). However, I seem to remember some discussion by Chuck and others in the past on this subject. I haven't searched the archives - so am open to anyone proving otherwise. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] But, alas, this didn't work on IGRP or EIGRP. 
So if anyone has a good errata for Doyle, Volume I, is this in it? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72489t=72211
Re: cisco IOS [7:72454]
KW S, You need to obtain Smartnet on the routers. Once you do you will get a CCO and download access. Contact your local Cisco partner for more information: http://tools.cisco.com/WWChannels/LOCATR/jsp/partner_locator.jsp - Tom KW S wrote: Dear all Does anyone know where I can download cisco IOS. I am not a cco member and therefore unable to access the cisco cco site. I just bought 2 used cisco 2501 and I want to upgrade the IOS to a more up to date version. Does ver 12.0 work on a 2501? What is the requirement to run ios ver 12.0? Regards, kws Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72491t=72454
Re: route commands [7:72406]
The link did not get sent. I would like to check it out if you have it. Thanks for your help. At 12:44 PM 7/17/03 GMT, you wrote: So I guess it's now 1,000,001 times :-)) Still, I don't blame anyone for believing this urban legend of the networking world when authorities such as Doyle and Caslow continue to propagate it. I just wonder how the AD=0 rumor ever got started. However, although the AD=1 for both routes, they are not the same in all respects. One important difference-- with the interface form, the router considers any host reachable through that interface to be directly connected and so ARPs for its address. This does not happen for all hosts with a numeric next hop. This might not make a difference in the case given, but suppose your default route pointed to an interface rather than a numeric next hop? See for a more detailed example and explanation. Sasa Milic wrote: This was discussed a million times; static route that points to an interface has AD=1. Sasa CCIE #8635 Nakul Malik wrote: by default, a static route has an AD of 1. If the static route points to an exit interface, the AD=0. That is the only difference HTH. -Nakul Karyn Williams wrote in message news:[EMAIL PROTECTED] We recently added another interface, S1/1, that connects a private line to another school. We are routing 156.3.37.0 to them. Should I have route statements that say
ip route 156.3.37.0 255.255.255.0 192.168.0.2
or
ip route 156.3.37.0 255.255.255.0 Serial1/1
Current config:
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 65.165.174.0 255.255.254.0 FastEthernet0/0
ip route 156.3.37.0 255.255.255.0 192.168.0.2
ip route 198.182.157.0 255.255.255.0 65.165.175.253
ip route 207.233.56.0 255.255.255.0 192.168.0.2
I am interested if there is a performance difference between these two route statements or any other reason why one would be preferred over the other. TIA. 
-- Karyn Williams, CNE Network Services Manager California Institute of the Arts [EMAIL PROTECTED] http://www.calarts.edu/network -- Regards, Sasa CCIE #8635 -- Karyn Williams, CNE Network Services Manager California Institute of the Arts [EMAIL PROTECTED] http://www.calarts.edu/network Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72488t=72406
RE: a really big bug [7:72463]
Zsombor Papp wrote: At 04:33 PM 7/17/2003 +, Priscilla Oppenheimer wrote: I think Cisco was right not to publish the details about these rare, specially crafted packets, I think so. Along the same lines, you also shouldn't publish it even if you know it. :) but does anyone have the details? Maybe if you can get to the bugtracker, the details are in there. Usually these details are carefully removed from every publicly available document after they turn out to be a security risk. Of course, the details will get published. I was just hoping someone could help me be more efficient in finding the details. The routers at my ISP (my husband's company) aren't Cisco but we will be affected by attempts with these packets. What do the packets look like? What should we be on the lookout for? We will probably have to program our IDS to protect ourselves. For anyone new to the thread, I'm talking about the packets mentioned in this Cisco advisory: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml Thanks, Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72494t=72463
RE: a really big bug [7:72463]
At 04:33 PM 7/17/2003 +, Priscilla Oppenheimer wrote: I think Cisco was right not to publish the details about these rare, specially crafted packets, I think so. Along the same lines, you also shouldn't publish it even if you know it. :) but does anyone have the details? Maybe if you can get to the bugtracker, the details are in there. Usually these details are carefully removed from every publicly available document after they turn out to be a security risk. Thanks, Zsombor Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72492t=72463
RE: new CCIE requirement/step [7:72475]
This is so hilarious...you need to copyright it so that you can package it for sale...lol -Original Message- From: p b [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 9:49 AM To: [EMAIL PROTECTED] Subject: OT: new CCIE requirement/step [7:72475] Heard there's a new requirement between the CCIE written and lab. One now has to sing the following song on a street corner on Tasman Drive. Passing score is 740. http://puck.nether.net/~jared/gigflapping.mp3 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72486t=72475
RE: new CCIE requirement/step [7:72475]
don't click on goatse.cx you were warned. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72499t=72475
Static Routes and Administrative Distance [7:72495]
I accidentally deleted the posting about this but I wanted to make a point. It's been said that a static route has an AD of 1 unless it points directly out an interface, in which case it has an AD of 0. Sasa just mentioned that this has been discussed in the past and is a myth. However, I'd like to agree with the 'myth'. A directly connected route has an AD of 0. If you create a static route pointing directly out an interface, that route will show up as directly connected in the routing table, and would therefore have an AD of 0. In fact, if you look at a static route you'll see the usual [AD/metric] listed as [1/0]. However, if you look at a static route pointing out an interface this is missing. This is because the router treats that route as if it were directly connected to the interface. If I'm wrong about this--and I certainly might be--please let me know where my reasoning is incorrect. Regards, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72495t=72495
Re: Static Routes and Administrative Distance [7:72495]
John, The behavior changed with the IOS releases. Newer IOS releases with static routes pointing to an interface will have an administrative distance of 1, not 0. Older versions will have an administrative distance of 0. Unfortunately I do not know the exact release in which the behavior changed. The term myth is too strong and it's possible that the people that haven't worked with the older IOSs do not realize that this behavior was once different. This is the output from one of my routers running 12.2(15)T:
Lab#show ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via static, distance 1, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Serial0
      Route metric is 0, traffic share count is 1
As far as I know, certification study materials still expect you to think that a static route to an interface has an AD of 0. - Tom John Neiberger wrote: I accidentally deleted the posting about this but I wanted to make a point. It's been said that a static route has an AD of 1 unless it points directly out an interface, in which case it has an AD of 0. Sasa just mentioned that this has been discussed in the past and is a myth. However, I'd like to agree with the 'myth'. A directly connected route has an AD of 0. If you create a static route pointing directly out an interface, that route will show up as directly connected in the routing table, and would therefore have an AD of 0. In fact, if you look at a static route you'll see the usual [AD/metric] listed as [1/0]. However, if you look at a static route pointing out an interface this is missing. This is because the router treats that route as if it were directly connected to the interface. If I'm wrong about this--and I certainly might be--please let me know where my reasoning is incorrect. 
Regards, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72501t=72495
RE: new CCIE requirement/step [7:72475]
you must also go to cisco to check out the real updated requirements [url=http://www.goatse.cx]www.cisco.com[/url] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72498t=72475
Re: Static Routes and Administrative Distance [7:72495]
John Neiberger 7/17/03 12:12:42 PM I accidentally deleted the posting about this but I wanted to make a point. It's been said that a static route has an AD of 1 unless it points directly out an interface, in which case it has an AD of 0. Sasa just mentioned that this has been discussed in the past and is a myth. However, I'd like to agree with the 'myth'. A directly connected route has an AD of 0. If you create a static route pointing directly out an interface, that route will show up as directly connected in the routing table, and would therefore have an AD of 0. In fact, if you look at a static route you'll see the usual [AD/metric] listed as [1/0]. However, if you look at a static route pointing out an interface this is missing. This is because the router treats that route as if it were directly connected to the interface. If I'm wrong about this--and I certainly might be--please let me know where my reasoning is incorrect. Regards, John
Never mind, I've answered my own question by testing. A static route definitely has an AD of 1 regardless of the destination. If you simply do a show ip route static you won't see an administrative distance listed; it will show as directly connected. However, if you look at a specific static route, like 'show ip route 10.1.1.1', no matter which destination you used it will look like this:
Router#sho ip route 20.1.1.1
Routing entry for 20.1.1.1/32
  Known via static, distance 1, metric 0 (connected)
  Redistributing via eigrp 1
  Routing Descriptor Blocks:
  * 172.16.10.75
      Route metric is 0, traffic share count is 1
    directly connected, via Ethernet0/2
      Route metric is 0, traffic share count is 1
This output is caused by having both flavors of static route in the routing table at the same time. If the AD of one of them was actually zero it would be the only one listed. In this case, they both have an AD of 1. 
Regards, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72500t=72495
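The per-route check from the messages above, scripted as an added example that is not part of the original posts: it parses `show ip route <address>` text, reports the administrative distance, and flags interface-form static routes on multi-access interfaces, where the ARP behaviour raised earlier in the thread applies. The two sample outputs are the ones quoted in the thread with line breaks reconstructed; the function names and the list of multi-access interface prefixes are assumptions of this example.

```python
import re

# Router output quoted in this thread (Tom Martin's and John Neiberger's posts).
# The archive flattened it onto one line; the line breaks here are reconstructed.
TOM_OUTPUT = """\
Lab#show ip route 10.1.1.0
Routing entry for 10.1.1.0/24
  Known via static, distance 1, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Serial0
      Route metric is 0, traffic share count is 1
"""

JOHN_OUTPUT = """\
Router#sho ip route 20.1.1.1
Routing entry for 20.1.1.1/32
  Known via static, distance 1, metric 0 (connected)
  Redistributing via eigrp 1
  Routing Descriptor Blocks:
  * 172.16.10.75
      Route metric is 0, traffic share count is 1
    directly connected, via Ethernet0/2
      Route metric is 0, traffic share count is 1
"""

ENTRY_RE = re.compile(r"Routing entry for (\S+)")
# The archive shows the route source unquoted; accept a quoted form as well.
KNOWN_RE = re.compile(r'Known via "?([\w ]+?)"?, distance (\d+), metric (\d+)')
IFACE_RE = re.compile(r"\*?\s*directly connected, via (\S+)")
HOP_RE = re.compile(r"\*?\s*(\d{1,3}(?:\.\d{1,3}){3})(?:,|\s|$)")

# Interface name prefixes treated as multi-access (assumption of this example).
MULTIACCESS_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet")


def parse_route_entry(text):
    """Parse one 'show ip route <address>' entry into a dict."""
    entry = {"prefix": None, "source": None, "distance": None,
             "metric": None, "paths": []}
    in_blocks = False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entry["prefix"] = m.group(1)
            continue
        m = KNOWN_RE.match(line)
        if m:
            entry["source"] = m.group(1)
            entry["distance"] = int(m.group(2))
            entry["metric"] = int(m.group(3))
            continue
        if line.startswith("Routing Descriptor Blocks"):
            in_blocks = True
            continue
        if not in_blocks:
            continue
        active = line.startswith("*")
        m = IFACE_RE.match(line)
        if m:
            entry["paths"].append(
                {"kind": "interface", "via": m.group(1), "active": active})
            continue
        m = HOP_RE.match(line)
        if m:
            entry["paths"].append(
                {"kind": "next-hop", "via": m.group(1), "active": active})
    return entry


def audit_static(entry):
    """Return findings for a static entry; an empty list means nothing to report."""
    findings = []
    if entry["source"] != "static":
        return findings
    if entry["distance"] != 1:
        findings.append("%s: static route with non-default distance %d"
                        % (entry["prefix"], entry["distance"]))
    for path in entry["paths"]:
        if path["kind"] == "interface" and path["via"].startswith(MULTIACCESS_PREFIXES):
            findings.append("%s: interface-form static via %s, router will ARP per destination"
                            % (entry["prefix"], path["via"]))
    return findings


if __name__ == "__main__":
    for sample in (TOM_OUTPUT, JOHN_OUTPUT):
        parsed = parse_route_entry(sample)
        print(parsed["prefix"], "distance", parsed["distance"], parsed["paths"])
        for finding in audit_static(parsed):
            print("  ", finding)
```

Both descriptor blocks in the second sample are reported under the single distance of 1, which is the point John makes about the two forms of static route coexisting.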
Cisco 2621 Window NLB...Slightly off topic [7:72496]
Quick question for the group. I have a 2621, 1 of the FA ports connected to a hub. From there, I have 2 servers running win2K's network load balancing. Pretty simple config to cluster 2 web servers with a VIP and virtual mac based on that VIP. For the life of me, I cannot get one of the web servers to respond to requests... So, my question would be, has anyone deployed this before? And, run into problems because of the router? Thanks, Duncan Wallace Sr. Systems Engineer Pacific Star Communications 15714 SW 72nd Ave. Portland, OR 97224 Work:503-403-3000 Cell:971-506-8164 [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72496t=72496
RE: a really big bug [7:72463]
Just got a call from our Cisco vendor...he said he's getting calls from some major clients that have routers that are affected. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 12:34 PM To: [EMAIL PROTECTED] Subject: RE: a really big bug [7:72463] Oscar wrote: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet lots and lots of IOS versions are affected http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml Thanks for the link. It's scary. Of course, with the proper ACLs, a router wouldn't be affected, but probably lots of routers don't have the proper ACLs. Anyone know the details? The advisory just says this: A rare, specially crafted sequence of IPv4 packets which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers. I think Cisco was right not to publish the details about these rare, specially crafted packets, but does anyone have the details? Maybe if you can get to the bugtracker, the details are in there. Thanks Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72497t=72463
Re: a default route question.. [7:72211]
Priscilla Oppenheimer wrote: Daniel Cotts wrote: Not an issue of errata but of reading a little further. If there is a default static 0.0.0.0 0.0.0.0 192.168.1.2 and RIP on the router then: that router will use the static as its gateway of last resort and RIP will advertise that route to its neighbors. For IGRP and EIGRP see Doyle p 756 Default routing is somewhat different for IGRP and EIGRP. These protocols do not understand the address 0.0.0.0. Rather, they advertise an actual address as an external route Use the ip default-network command to create that route. ip default-network 10.0.1.0 (or whatever - plus in EIGRP one can add a mask) The router on which that is configured will advertise that route to its neighbors. Will IGRP and EIGRP do this automatically or do they need default-information originate, I wonder? You don't need default-info orig with IGRP/EIGRP BTW EIGRP does understand 0.0.0.0, IGRP is the protocol that does not. It's probably not worth testing on my routers because they are so old they won't take a recent IOS version. I saved you some time and money;) When I get back to my work lab I could test it, but that won't be until September. (The academic life has some advantages. :-) Priscilla See also EIGRP Network Design Solutions page 219-223 (It appears the book is out of print. There are a few available on Amazon.) So - the sentence in Doyle p 753 After a default route is identified in the routing table, RIP, IGRP, and EIGRP will automatically advertise it. - is true as long as we understand that default route means different things for RIP vs EIGRP. No redistribution commands are used. Now - the original point of this thread was 'has the treatment of default routes - particularly by RIP - changed in newer versions of IOS?' Some weeks ago I did some testing and did not find any change (used 11.1 through 12.2). However, I seem to remember some discussion by Chuck and others in the past on this subject. 
I haven't searched the archives - so am open to anyone proving otherwise. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] But, alas, this didn't work on IGRP or EIGRP. So if anyone has a good errata for Doyle, Volume I, is this in it? -- David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367 Government can do something for the people only in proportion as it can do something to the people. -- Thomas Jefferson Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72504t=72211
Re: Static Routes and Administrative Distance [7:72495]
I am skeptical, Tom. Someone, I think it was Howard, researched this as far back as 9.x releases without finding the AD=0 behavior. I can't support this as I couldn't find it in the archives and I have not tried it myself. But, in order to prove that AD=0 never existed one would have to test all releases, a task that is probably impossible without a museum of hardware. But I think the burden of proof has to lie with the pro-AD=0 faction given the history on this issue. Tom Martin wrote: John, The behavior changed with the IOS releases. Newer IOS releases with static routes pointing to an interface will have an administrative distance of 1, not 0. Older versions will have an administrative distance of 0. Unfortunately I do not know the exact release in which the behavior changed. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72502t=72495
Re: a really big bug [7:72463]
Priscilla Oppenheimer wrote: Oscar wrote: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet lots and lots of IOS versions are affected http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml Thanks for the link. It's scary. Of course, with the proper ACLs, a router wouldn't be affected, but probably lots of routers don't have the proper ACLs. Anyone know the details? The advisory just says this: Don't know the details but talking with a couple of Cisco engineers they don't know of anyone being hit. It's a good wakeup for those that don't already have common sense ACLs to get them in place and for others to upgrade routers that are running old IOS! Dave A rare, specially crafted sequence of IPv4 packets which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers. I think Cisco was right not to publish the details about these rare, specially crafted packets, but does anyone have the details? Maybe if you can get to the bugtracker, the details are in there. Thanks Priscilla -- David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367 Government can do something for the people only in proportion as it can do something to the people. -- Thomas Jefferson Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72503t=72463
RE: a really big bug [7:72463]
Cisco advised us of a new catastrophic bug CSCeb56052 within the new IOS. -Original Message- From: Arnold, Jamie [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 1:54 PM To: [EMAIL PROTECTED] Subject: RE: a really big bug [7:72463] Just got a call from our Cisco vendor...he said he's getting calls from some major clients that have routers that are affected. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 12:34 PM To: [EMAIL PROTECTED] Subject: RE: a really big bug [7:72463] Oscar wrote: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet lots and lots of IOS versions are affected http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml Thanks for the link. It's scary. Of course, with the proper ACLs, a router wouldn't be affected, but probably lots of routers don't have the proper ACLs. Anyone know the details? The advisory just says this: A rare, specially crafted sequence of IPv4 packets which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers. I think Cisco was right not to publish the details about these rare, specially crafted packets, but does anyone have the details? Maybe if you can get to the bugtracker, the details are in there. Thanks Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72509t=72463
RE: a really big bug [7:72463]
I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away. He said that the packet was extremely difficult to create and the person would have to be a genius to make it. Duncan At 04:33 PM 7/17/2003 +, Priscilla Oppenheimer wrote: Oscar wrote: Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet lots and lots of IOS versions are affected http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml Thanks for the link. It's scary. Of course, with the proper ACLs, a router wouldn't be affected, but probably lots of routers don't have the proper ACLs. Anyone know the details? The advisory just says this: A rare, specially crafted sequence of IPv4 packets which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers. I think Cisco was right not to publish the details about these rare, specially crafted packets, but does anyone have the details? Maybe if you can get to the bugtracker, the details are in there. Thanks Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72510t=72463
RE: does anyone know the pinout on a t1 cable bet/ a [7:72069]
FYI, it's the same as a token-ring cross-over cable. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 09, 2003 4:35 PM To: [EMAIL PROTECTED] Subject: RE: does anyone know the pinout on a t1 cable bet/ a [7:72069] For a standard T1: Cross-over you will need 14 and 25 Straight through T1 you will need 11, 22, 33 and 44 Thanks, Mario Puras SoluNet Technical Support Mailto: [EMAIL PROTECTED] Direct: (321) 309-1410 888.449.5766 (USA) / 888.SOLUNET (Canada) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 09, 2003 3:16 PM To: [EMAIL PROTECTED] Subject: does anyone know the pinout on a t1 cable bet/ a [7:72069] 3660 an ls1010...the interfaces on both are t1 thx in advance Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72506t=72069
Need help: debug question [7:72505]
I have a strange request: I need to find out who's telnetting to a remote host. I don't have a sniffer on the remote site so I'm thinking of using debug to get this information. I created an access-list 100 permit tcp any host 1.1.1.1 eq 23 log, then debug ip packet detail 100. I expect to see source IP addresses. But I don't see anything. If I add access-list 100 permit ip any any as 2nd line, I start seeing all the output but it's so much that it killed the router. What's wrong with my access-list? Thank you. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72505t=72505
SPAN problem [7:72507]
Hi all, Quick question, I have enabled SPAN to mirror from one port to another. However, when doing so the transmitting port appears detached from the network, i.e. I cannot ping from the PC attached to that port and nothing on the network can ping it either. When I remove the port from the session I get connectivity again. Could anyone give me any ideas on why this is occurring please. I used the 'monitor session' command and left it blank at the end implying 'both' rather than explicitly specifying 'TX' or 'RX'. None of the ports are involved in trunking, they are in the same VLAN and they are on the same physical switch, and even on the same blade (4006). Any help would be greatly appreciated. Kind regards Paul Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72507t=72507
CSSP Security Exams [7:72508]
I have some training for the old CSS1 exams. Anyone know if these will be any good for the *new* CSSP exams? TIA Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72508t=72508
RE: a default route question.. [7:72211]
Hello,

(config-router)#default-information ?
  allowed  Allow default information
  in       Accept default routing information
  out      Output default routing information

There is no such thing as default-info originate. All the above are default with cisco I believe, I still don't understand what Daniel said about ip default-network. How do I create an ip default-network to equal to ip route 0.0.0.0 0.0.0.0 1.1.1.1 ? The way I am doing now is just redistribute static and maybe filter to only 0.0.0.0 with route-map. Thanks. Regards,

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 12:58 PM To: [EMAIL PROTECTED] Subject: RE: a default route question.. [7:72211]

Daniel Cotts wrote: Not an issue of errata but of reading a little further. If there is a default static 0.0.0.0 0.0.0.0 192.168.1.2 and RIP on the router then: that router will use the static as its gateway of last resort and RIP will advertise that route to its neighbors. For IGRP and EIGRP see Doyle p 756 Default routing is somewhat different for IGRP and EIGRP. These protocols do not understand the address 0.0.0.0. Rather, they advertise an actual address as an external route Use the ip default-network command to create that route. ip default-network 10.0.1.0 (or whatever - plus in EIGRP one can add a mask) The router on which that is configured will advertise that route to its neighbors.

Will IGRP and EIGRP do this automatically or do they need default-information originate, I wonder? It's probably not worth testing on my routers because they are so old they won't take a recent IOS version. When I get back to my work lab I could test it, but that won't be until September. (The academic life has some advantages. :-) Priscilla

See also EIGRP Network Design Solutions page 219-223 (It appears the book is out of print. There are a few available on Amazon.)
So - the sentence in Doyle p 753 After a default route is identified in the routing table, RIP, IGRP, and EIGRP will automatically advertise it. - is true as long as we understand that default route means different things for RIP vs EIGRP. No redistribution commands are used. Now - the original point of this thread was 'has the treatment of default routes - particularly by RIP - changed in newer versions of IOS?' Some weeks ago I did some testing and did not find any change (used 11.1 through 12.2). However, I seem to remember some discussion by Chuck and others in the past on this subject. I haven't searched the archives - so am open to anyone proving otherwise. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] But, alas, this didn't work on IGRP or EIGRP. So if anyone has a good errata for Doyle, Volume I, is this in it? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72515t=72211 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Need help: debug question [7:72505]
The traffic is probably being fast-switched, which means that the debug process doesn't see it. You would have to disable fast switching, which you might not want to do because it would affect performance. The command is no ip route-cache. Priscilla [EMAIL PROTECTED] wrote: I have a strange request: I need to find out who's telnetting to a remote host. I don't have sniffer on the remote site so I'm thinking using debug to get this information. I created an access-list 100 permit tcp any host 1.1.1.1 eq 23 log, then debug ip packet detail 100. I expect to see source IP addresses. But I don't see nothing. If I add access-list 100 permit ip any any as 2nd line, I start seeing all the output but it's so much that killed the router. What's wrong with my access-list? Thank you. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72516t=72505 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Access list or Conduit? [7:72514]
Hi all, The boss wants to allow ping. In the website I found the way by using an access list. In another config I see a conduit is used. What is the difference between using a conduit and an access list to allow ping? Is it that a conduit is to a specific host rather than permit any? Thanks Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72514t=72514
RE: Switching exam tomorrow. 1 question. [7:72485]
I took the exam about 2 weeks ago and didn't get any sims. Good Luck, dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 12:21 PM To: [EMAIL PROTECTED] Subject: Switching exam tomorrow. 1 question. [7:72485] I'm taking the 640-604 BCMSN test tomorrow. Without divulging anything that might get anyone in trouble, I'm trying to find out what sort of simulations I can expect. I haven't really been able to find anything that would give me an idea of what they will be. Thanks, David Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72512t=72485
Re: Need help: debug question [7:72505]
[EMAIL PROTECTED] wrote: What's wrong with my access-list? Looks OK to me offhand. But don't forget that for traffic to show up in a debug, it must be process switched. So you might need to do a 'no ip route-cache'. Regards, Marco. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72511t=72505
Re: a really big bug [7:72463]
Duncan Maccubbin wrote: I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away, He said that the packet was extremely difficult to create and the person would have to be a genius to make it. As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about... Regards, Marco. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72513t=72463 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Need help: debug question [7:72505]
I would think every decent telnet server is capable of logging the incoming requests. Anyway, comments inline. At 07:38 PM 7/17/2003 +, [EMAIL PROTECTED] wrote: I have a strange request: I need to find out who's telnetting to a remote host. I don't have sniffer on the remote site so I'm thinking using debug to get this information. I created an access-list 100 permit tcp any host 1.1.1.1 eq 23 log, then debug ip packet detail 100. You don't need the 'log' keyword if you use the access list for debugging. However, such debugging is fairly challenging if you are running CEF or maybe even with fast-switching, as then the packets won't touch the code where debugging is happening. If you are not afraid of killing the router, then force it to do process switching and I am sure you will see the packets. A better solution would be however to apply the access list (with the log keyword!) .. and with a 'permit ip any any' at the end... :) to the interface using the 'access-group' command. Then you will see things like list 100 permitted tcp - , 1 packet in the log. I expect to see source IP addresses. But I don't see nothing. If I add access-list 100 permit ip any any as 2nd line, I start seeing all the output but it's so much that killed the router. :))) Thanks, Zsombor What's wrong with my access-list? Thank you. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72524t=72505 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
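The approach suggested in the reply above (apply the access list with the log keyword to the interface and read the log) leaves syslog lines to sift. As an added example that is not part of the original post, this Python parser pulls the Telnet sources out of IOS %SEC-6-IPACCESSLOGP messages; the sample log lines are constructed and the function names are this example's own, while ACL 100 and host 1.1.1.1 are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the IOS ACL-logging syslog format (not real captures).
# They include entries the parser must ignore: another destination port, another
# ACL, an ICMP entry (IPACCESSLOGDP) and an unrelated interface message.
SAMPLE_LOG = """\
Jul 17 19:40:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.5(1042) -> 1.1.1.1(23), 1 packet
Jul 17 19:40:07: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.2.9(3310) -> 1.1.1.1(23), 1 packet
Jul 17 19:45:01: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.5(1042) -> 1.1.1.1(23), 14 packets
Jul 17 19:45:03: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.3.3(2200) -> 1.1.1.1(80), 2 packets
Jul 17 19:45:09: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.9.9.9(4000) -> 1.1.1.1(23), 1 packet
Jul 17 19:46:00: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.1.1.5 -> 1.1.1.1 (8/0), 1 packet
Jul 17 19:46:10: %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One TCP/UDP ACL log entry: list <acl> <action> <proto> src(sport) -> dst(dport), N packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) "
    rf"(?P<src>{IPV4})\((?P<sport>\d+)\) -> "
    rf"(?P<dst>{IPV4})\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def telnet_sources(log_text, acl="100", host="1.1.1.1", port=23):
    """Return {source_ip: {"packets": int, "src_ports": set}} for permitted
    TCP traffic to host:port that was logged by the given ACL."""
    hits = defaultdict(lambda: {"packets": 0, "src_ports": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a TCP/UDP ACL log entry
        if (m["acl"], m["action"], m["proto"]) != (acl, "permitted", "tcp"):
            continue
        if m["dst"] != host or int(m["dport"]) != port:
            continue
        entry = hits[m["src"]]
        entry["packets"] += int(m["count"])      # sum the counts as reported
        entry["src_ports"].add(int(m["sport"]))  # distinct client ports seen
    return dict(hits)


def report(hits):
    """One summary line per source, busiest first."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    return [
        f"{src}: {h['packets']} packets, {len(h['src_ports'])} source port(s)"
        for src, h in rows
    ]


if __name__ == "__main__":
    for row in report(telnet_sources(SAMPLE_LOG)):
        print(row)
```
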
Re: a really big bug [7:72463]
I've read the ACL section of the advisory again and again thinking I missed something and I for the life of me can't find any reference to a particular type of traffic that should be blocked. It looks like the regular block traffic from sources you know shouldn't be hitting your network (10. -172.16 - 192.168 ) and also block any ports you know your users don't need. Please let me know what I'm missing here. Thanks, Lance Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72521t=72463
RSPAN 3550 [7:72522]
Hey all - Has anyone ever successfully used RSPAN on a 3550? I saw the link that floated by a few days ago for the 6500 and I tried using that but I don't think I have everything correct because the traffic is looped back to the remote vlan but it is never mirrored out to the correct port on switch plugged into the Analyzer.

[Analyzer][Switch1]---Trunk---[Switch2]

Switch1 Config
monitor session 1 source vlan 1 rx
monitor session 1 destination remote vlan 500 reflector-port fa 0/16
monitor session 2 source remote vlan 500
monitor session 2 destination interface fa 0/12

Switch2 Config
monitor session 1 source vlan 1 rx
monitor session 1 destination remote vlan 500 reflector-port fa 0/16

Thanks, Andrew --- http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate Learn from the mistakes of others. You won't live long enough to make all of them yourself. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72522t=72522
out of local ports? [7:72519]
Has anyone ever seen this error message before?:

router#telnet w.x.y.z
% Out of local ports

I'm not sure what that means - I've done a search on CCO and haven't gotten any good results. Any insight? Thanks, BJ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72519t=72519
Re: a really big bug [7:72463]
It sounds like this is a hypothetical packet and situation that Cisco quality assurance discovered. I thought it was something already being exploited, but it doesn't sound like it. In that case, I guess I support Cisco not telling us more about it. It's sort of an age-old security question of how much info to publish. The info would help the white hats, but also the black hats. Unfortunately, I can't look at bug reports (even with my guest access!?) Maybe there's more in the bug reports. I still want to know more about these packets. :-) But I guess I'll have to do more research Priscilla M.C. van den Bovenkamp wrote: Duncan Maccubbin wrote: I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away, He said that the packet was extremely difficult to create and the person would have to be a genius to make it. As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about... Regards, Marco. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72520t=72463 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: SPAN problem [7:72507]
Paul wrote: Hi all, Quick question, I have enabled SPAN to mirror from one port to another. However, when doing so the transmitting port appears detached form the network. i.e.. I cannot ping from the PC attached to that port and nothing on the network can ping it too. When I remove the port from the session I get connectivity again. Could anyone give me any ideas on why this is occurring please. If I understand what you're saying, that's normal. SPAN sends traffic to and from one or more source ports to a destination port. A protocol analyzer resides at the destination port. The source ports are the monitored ports whose traffic you want to analyze. I'm not sure what you mean by transmitting port. Cisco doesn't use that term becauses it's too unclear which port it refers to. Now that we have the terminology straight :-), it's normal for traffic to be disrupted to and from the destination port where the analyzer resides. Per the config guide for the 4000, Once an interface becomes an active destination interface, incoming traffic is disabled. You cannot configure a SPAN destination interface to receive ingress traffic. The interface does not forward any traffic except that required for the SPAN session. It is not normal for the traffic to be disrupted for the source port. If that's what you're saying, then you better tell us more about the config and the output from show monitor session. I'm guessing that's not what you meant though... Priscilla I used the 'monitor session' command and left it blank at the end implying 'both' rather than explicitly specifying 'TX or 'RX. None of the ports are involved in trunking, they are in the same VLAN and they are on the same physical switch, and even on the same blade (4006). Any help would be greatly appreciated. 
Kind regards Paul Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72518t=72507 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
OT: Friday Funnies [7:72517]
It has been a hard week and I do not have any new jokes - I've been trying to write some papers on SNMP. In the mean time I was sent a link to the following site - http://www.dumblaws.com Enjoy. Best regards, Dom Stocqueler SysDom Technologies Visit our website - www.sysdom.org === IMPORTANT: This email is intended for the use of the individual addressee(s)named above and may contain information that is confidential privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the word absquatulation has been used in its correct context somewhere other than in this warning, it does not have any legal or grammatical use and may be ignored. No animals were harmed in the transmission of this email, although the poodle next door is living on borrowed time, let me tell you. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites and place it in a warm oven for 40 minutes. Whisk briefly and let it stand for 2 hours before icing. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72517t=72517 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Need help: debug question [7:72505]
I would think every decent telnet server is capable of logging the incoming requests. Anyway, comments inline. At 07:38 PM 7/17/2003 +, [EMAIL PROTECTED] wrote: I have a strange request: I need to find out who's telnetting to a remote host. I don't have sniffer on the remote site so I'm thinking using debug to get this information. I created an access-list 100 permit tcp any host 1.1.1.1 eq 23 log, then debug ip packet detail 100. You don't need the 'log' keyword if you use the access list for debugging. However, such debugging is fairly challenging if you are running CEF or maybe even with fast-switching, as then the packets won't touch the code where debugging is happening. If you are not afraid of killing the router, then force it to do process switching and I am sure you will see the packets. A better solution would be however to apply the access list (with the log keyword!) to the interface using the 'access-group' command. Then you will see things like list 100 permitted tcp - , 1 packet in the log. I expect to see source IP addresses. But I don't see nothing. If I add access-list 100 permit ip any any as 2nd line, I start seeing all the output but it's so much that killed the router. :))) Thanks, Zsombor What's wrong with my access-list? Thank you. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72523t=72505 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: out of local ports? [7:72519]
[EMAIL PROTECTED] wrote: Has anyone ever seen this error message before?: router#telnet w.x.y.z % Out of local ports I'm not sure what that means - I've done a search on CCO and haven't gotten any good results. Any insight? I've never seen it, but it sounds like the router doesn't have a free high port (1025-65535) available to create the local end of your telnet session. Somewhat difficult to believe, but that's what it *sounds* like... Regards, Marco. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72528t=72519
RE: Access list or Conduit? [7:72514]
Statics/Conduits are the old pre-Cisco way of doing things in a PIX. Works well, is easy to configure but Cisco says that at some point support for that command will likely be discontinued. Cisco is trying to make the PIX OS more IOS-centric and has brought access lists into the command fold as of about v5.x. I was slow to adopt the change to access lists in my PIX's as I hadn't used them much before then. I was very familiar with conduits but since becoming more familiar with access lists I haven't found anything that I could do with conduits that I can't with access-lists and I'm not concerned that support for ACL's is disappearing anytime soon. Only thing I'd say is that I've read you can experience some very weird and unexpected results if you mix an access list and conduits together. Go with all one or all of the other. Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of E. Keith J. Sent: Thursday, July 17, 2003 4:12 PM To: [EMAIL PROTECTED] Subject: Access list or Conduit? [7:72514] Hi all The boss wants to allow ping. In the website I found the way by using an access list. In another config I see a conduit is used. What is the difference between using a conduit and an access list to allow ping Is it that a conduit is to a specific host Rather than permit any? Thanks Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72527t=72514 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: CSSP Security Exams [7:72508]
Yes. Just add the safe test. CSFPA, VPN3000 are all similar Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72536t=72508
RE: a really big bug [7:72463]
As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about... ..and if you have ONE port accessible from the internet there's about a gazillion possible culprits... Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72532t=72463
UPDATED INFO: (was RE: a really big bug ) [7:72534]
All interested parties might want to re-review the PSIRT advisory at http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml Please make sure that you are reading the latest advisory (Version 1.3 as of this email) Frank Jimenez, CCIE #5738 Systems Engineer Cisco Systems, Inc. [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 4:54 PM To: [EMAIL PROTECTED] Subject: Re: a really big bug [7:72463] It sounds like this is a hypothetical packet and situation that Cisco quality assurance discovered. I thought it was something already being exploited, but it doesn't sound like it. In that case, I guess I support Cisco not telling us more about it. It's sort of an age-old security question of how much info to publish. The info would help the white hats, but also the black hats. Unfortunately, I can't look at bug reports (even with my guest access!?) Maybe there's more in the bug reports. I still want to know more about these packets. :-) But I guess I'll have to do more research Priscilla M.C. van den Bovenkamp wrote: Duncan Maccubbin wrote: I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away, He said that the packet was extremely difficult to create and the person would have to be a genius to make it. As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about... Regards, Marco. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72534t=72534 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Access list or Conduit? [7:72514]
Keith and Mark are correct. One thing to add, don't permit icmp any any. You definitely don't want to allow echo and other stuff from the internet for security reasons... It will allow script kiddies to map your network. A better way is to only allow echo-replies, time-exceeded (trace routes), source-quench (so you can see icmp messages). Also allow icmp echoes (type 8) outbound. You will then be able to ping stuff on the net, but they can't ping you. See this sample...

! create list
access-list corp_internet_allowed_in permit icmp any any echo-reply
access-list corp_internet_allowed_in permit icmp any any source-quench
access-list corp_internet_allowed_in permit icmp any any unreachable
access-list corp_internet_allowed_in permit icmp any any time-exceeded
! apply list
access-group corp_internet_allowed_in in interface outside
! create list
access-list corp_internal_allowed_out permit icmp any any
! apply list
access-group corp_internal_allowed_out in interface inside

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72535t=72514
RE: a really big bug [7:72463]
they just edited the page - here are specific ports to block :) http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml#workarounds Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72530t=72463
Re: a really big bug [7:72463]
At 09:54 PM 7/17/2003 +, Priscilla Oppenheimer wrote: It sounds like this is a hypothetical packet and situation that Cisco quality assurance discovered. I thought it was something already being exploited, but it doesn't sound like it. In that case, I guess I support Cisco not telling us more about it. And in which case wouldn't you? If you are running any of the affected versions, then upgrade the routers or apply the workaround (and if you can't do any of these, then you should be right away grateful for Cisco not being very specific...). If you are not using any of the affected versions (if I understood correctly, you are not even using IOS to start with), then why do you worry about this? I can understand that people's curiosity is always aroused by mysterious things that can kill a router, but keeping other people's production network operational is slightly more important than providing entertainment to the public. :) Thanks, Zsombor It's sort of an age-old security question of how much info to publish. The info would help the white hats, but also the black hats. Unfortunately, I can't look at bug reports (even with my guest access!?) Maybe there's more in the bug reports. I still want to know more about these packets. :-) But I guess I'll have to do more research Priscilla M.C. van den Bovenkamp wrote: Duncan Maccubbin wrote: I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away, He said that the packet was extremely difficult to create and the person would have to be a genius to make it. As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about... Regards, Marco. 
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72537t=72463 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: a default route question.. [7:72211]
You are looking at the help for a RIP router process, I bet. This is an OSPF default-information help:

DC-6509-1-MSFC-1(config)#router ospf 1
DC-6509-1-MSFC(config-router)#default-inf
DC-6509-1-MSFC(config-router)#default-information ?
  originate  Distribute a default route
DC-6509-1-MSFC(config-router)#default-information

HTH, Fred Reimer - CCNA Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message- From: Luan Nguyen [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 5:16 PM To: [EMAIL PROTECTED] Subject: RE: a default route question.. [7:72211]

Hello,

(config-router)#default-information ?
  allowed  Allow default information
  in       Accept default routing information
  out      Output default routing information

There is no such thing as default-info originate. All the above are default with cisco I believe, I still don't understand what Daniel said about ip default-network. How do I create an ip default-network to equal to ip route 0.0.0.0 0.0.0.0 1.1.1.1 ? The way I am doing now is just redistribute static and maybe filter to only 0.0.0.0 with route-map. Thanks. Regards,

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 12:58 PM To: [EMAIL PROTECTED] Subject: RE: a default route question.. [7:72211]

Daniel Cotts wrote: Not an issue of errata but of reading a little further.
If there is a default static 0.0.0.0 0.0.0.0 192.168.1.2 and RIP on the router then: that router will use the static as its gateway of last resort and RIP will advertise that route to its neighbors. For IGRP and EIGRP see Doyle p 756 Default routing is somewhat different for IGRP and EIGRP. These protocols do not understand the address 0.0.0.0. Rather, they advertise an actual address as an external route Use the ip default-network command to create that route. ip default-network 10.0.1.0 (or whatever - plus in EIGRP one can add a mask) The router on which that is configured will advertise that route to its neighbors. Will IGRP and EIGRP do this automatically or do they need default-information originate, I wonder? It's probably not worth testing on my routers because they are so old they won't take a recent IOS version. When I get back to my work lab I could test it, but that won't be until September. (The academic life has some advantages. :-) Priscilla See also EIGRP Network Design Solutions page 219-223 (It appears the book is out of print. There are a few available on Amazon.) So - the sentence in Doyle p 753 After a default route is identified in the routing table, RIP, IGRP, and EIGRP will automatically advertise it. - is true as long as we understand that default route means different things for RIP vs EIGRP. No redistribution commands are used. Now - the original point of this thread was 'has the treatment of default routes - particularly by RIP - changed in newer versions of IOS?' Some weeks ago I did some testing and did not find any change (used 11.1 through 12.2). However, I seem to remember some discussion by Chuck and others in the past on this subject. I haven't searched the archives - so am open to anyone proving otherwise. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] But, alas, this didn't work on IGRP or EIGRP. So if anyone has a good errata for Doyle, Volume I, is this in it? 
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72525t=72211 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Access list or Conduit? [7:72514]
my understanding is conduits are the same as access lists but are being phased out and replaced by access lists so that syntax is more uniform across platforms. -Original Message- From: E. Keith J. [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 2:12 PM To: [EMAIL PROTECTED] Subject: Access list or Conduit? [7:72514] Hi all The boss wants to allow ping. In the website I found the way by using an access list. In another config I see a conduit is used. What is the difference between using a conduit and an access list to allow ping Is it that a conduit is to a specific host Rather than permit any? Thanks Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72531t=72514 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: a really big bug [7:72463]
At 10:02 PM 7/17/2003 +, Lance Warner wrote: I've read the ACL section of the advisory again and again thinking I missed something and I for the life of me can't find any reference to a particular type of traffic that should be blocked. It looks likes the regular block traffic from sources you know shouldn't be hitting your network (10. -172.16 - 192.168 ) and also block any ports you know your users don't need. Please let me know what I'm missing here. Probably the fact that an exact ACL would also reveal how you can disable the routers of others... :) Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72533t=72463
RE: Switching exam tomorrow. 1 question. [7:72485]
Thanks, I appreciate the heads up. I think I'm ready. Just took a short nap to let me study for a few more hours tonight. The only thing I am still having issues with is MAC address to IP multicast address. Even after the class I'm still not totally comfortable with that but I figure after a couple more hours I should have it locked in.

David

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72529t=72485
RE: a default route question.. [7:72211]
Command depends on routing protocol. You are probably in EIGRP. 'default-information originate' is used with OSPF and ISIS. As we found out recently, newer versions of IOS allow this command under RIP as well, although I have to wonder what that does as RIP advertises the default route without it anyway (after redistribution, of course).

Thanks,
Zsombor

At 09:16 PM 7/17/2003 +, Luan Nguyen wrote:

Hello,

(config-router)#default-information ?
  allowed  Allow default information
  in       Accept default routing information
  out      Output default routing information

There is no such thing as default-info originate. All the above are default with cisco I believe, I still don't understand what Daniel said about ip default-network. How do I create an ip default-network to equal to ip route 0.0.0.0 0.0.0.0 1.1.1.1 ? The way I am doing now is just redistribute static and maybe filter to only 0.0.0.0 with route-map.

Thanks.
Regards,

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: a default route question.. [7:72211]

Daniel Cotts wrote:

Not an issue of errata but of reading a little further. If there is a default static 0.0.0.0 0.0.0.0 192.168.1.2 and RIP on the router then: that router will use the static as its gateway of last resort and RIP will advertise that route to its neighbors. For IGRP and EIGRP see Doyle p 756 Default routing is somewhat different for IGRP and EIGRP. These protocols do not understand the address 0.0.0.0. Rather, they advertise an actual address as an external route Use the ip default-network command to create that route. ip default-network 10.0.1.0 (or whatever - plus in EIGRP one can add a mask) The router on which that is configured will advertise that route to its neighbors.

Will IGRP and EIGRP do this automatically or do they need default-information originate, I wonder? It's probably not worth testing on my routers because they are so old they won't take a recent IOS version. When I get back to my work lab I could test it, but that won't be until September. (The academic life has some advantages. :-)

Priscilla

See also EIGRP Network Design Solutions page 219-223 (It appears the book is out of print. There are a few available on Amazon.) So - the sentence in Doyle p 753 After a default route is identified in the routing table, RIP, IGRP, and EIGRP will automatically advertise it. - is true as long as we understand that default route means different things for RIP vs EIGRP. No redistribution commands are used. Now - the original point of this thread was 'has the treatment of default routes - particularly by RIP - changed in newer versions of IOS?' Some weeks ago I did some testing and did not find any change (used 11.1 through 12.2). However, I seem to remember some discussion by Chuck and others in the past on this subject. I haven't searched the archives - so am open to anyone proving otherwise.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]

But, alas, this didn't work on IGRP or EIGRP. So if anyone has a good errata for Doyle, Volume I, is this in it?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72526t=72211
Re: a really big bug [7:72463]
They are not port numbers but rather *protocol* numbers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72542t=72463
Re: a really big bug [7:72463]
Zsombor Papp wrote:

At 09:54 PM 7/17/2003 +, Priscilla Oppenheimer wrote:

It sounds like this is a hypothetical packet and situation that Cisco quality assurance discovered. I thought it was something already being exploited, but it doesn't sound like it. In that case, I guess I support Cisco not telling us more about it.

And in which case wouldn't you? If you are running any of the affected versions, then upgrade the routers or apply the workaround (and if you can't do any of these, then you should be right away grateful for Cisco not being very specific...).

As I explained, I don't use Cisco routers in a production network. But that doesn't stop hackers from attacking us with attacks that work only on Cisco routers. Some attackers are too lazy to try to figure out that we don't have Cisco routers. (It wouldn't be that hard to figure out). We have had crashes on our systems from attackers who thought they were going to do something else because they assumed a certain OS. They didn't succeed in what they were trying to do, but they did wreak havoc.

If you are not using any of the affected versions (if I understood correctly, you are not even using IOS to start with), then why do you worry about this?

I tried to explain it. Sorry you don't get it. Oh, well.

I can understand that people's curiosity is always aroused by mysterious things that can kill a router, but keeping other people's production network operational is slightly more important than providing entertainment to the public. :)

It's not entertainment. Duh. By the way, you work at Cisco, right? Are you a good representation of the current employees? I used to work there. A lot of the employees were like you back then too.

Priscilla

Thanks,
Zsombor

It's sort of an age-old security question of how much info to publish. The info would help the white hats, but also the black hats. Unfortunately, I can't look at bug reports (even with my guest access!?) Maybe there's more in the bug reports. I still want to know more about these packets. :-) But I guess I'll have to do more research

Priscilla

M.C. van den Bovenkamp wrote:

Duncan Maccubbin wrote:

I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away, He said that the packet was extremely difficult to create and the person would have to be a genius to make it.

As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about...

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72539t=72463
Re: a really big bug [7:72463]
Cisco has updated the advisory, to version 1.3, which includes a great deal more detail regarding the vulnerability.

Priscilla Oppenheimer wrote:

It sounds like this is a hypothetical packet and situation that Cisco quality assurance discovered. I thought it was something already being exploited, but it doesn't sound like it. In that case, I guess I support Cisco not telling us more about it. It's sort of an age-old security question of how much info to publish. The info would help the white hats, but also the black hats. Unfortunately, I can't look at bug reports (even with my guest access!?) Maybe there's more in the bug reports. I still want to know more about these packets. :-) But I guess I'll have to do more research

Priscilla

M.C. van den Bovenkamp wrote:

Duncan Maccubbin wrote:

I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away, He said that the packet was extremely difficult to create and the person would have to be a genius to make it.

As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about...

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72541t=72463
Fiber Question [7:72544]
Just learning basics of fiber communication. I am not sure about which fiber cable I saw but it was orange and basically connected two 3550's together. The fiber had two connectors on each side. One was blue and the other was red. How is it normally connected? I guess the switch ports are receive and transmit. So, does that mean if you connect red on the left port on one switch, you would connect the red on the other side of the cable to the right port of the switch?

Thx
bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72544t=72544
RE: a really big bug [7:72463]
53   SWIPE    IP with Encryption             [JI6]
55   MOBILE   IP Mobility                    [Perkins]
77   SUN-ND   SUN ND PROTOCOL-Temporary      [WM3]
103  PIM      Protocol Independent Multicast [Farinacci]

-Original Message-
From: Lance Warner [mailto:[EMAIL PROTECTED]

They are not port numbers but rather *protocol* numbers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72543t=72463
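The port-versus-protocol distinction made in this exchange, as an added example that is not part of any post: the listed numbers live in the Protocol field of the IPv4 header, while ports only exist inside a TCP or UDP header. The sketch below parses constructed sample packets (documentation-range addresses, zero checksums) and flags only those whose Protocol field is one of the four listed values; the function names are made up for this example.

```python
import ipaddress
import struct

# IP protocol numbers quoted in the thread, with their IANA keywords.
WATCHED_PROTOCOLS = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}
TCP, UDP = 6, 17
IPV4_FIXED = struct.Struct("!BBHHHBBH4s4s")  # the 20 fixed bytes of an IPv4 header


def parse_ipv4(packet: bytes) -> dict:
    """Return addresses, the Protocol field and (TCP/UDP only) the destination port."""
    if len(packet) < IPV4_FIXED.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_FIXED.unpack_from(packet)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words, options included
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("invalid header length")
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "dst_port": None,
    }
    # A port is a field of the transport header, which starts after the IP header
    # and is only defined when the Protocol field says TCP or UDP.
    if proto in (TCP, UDP) and len(packet) >= header_len + 4:
        info["dst_port"] = struct.unpack_from("!H", packet, header_len + 2)[0]
    return info


def classify(packet: bytes) -> str:
    """Flag a packet by its Protocol field, never by its port."""
    info = parse_ipv4(packet)
    name = WATCHED_PROTOCOLS.get(info["protocol"])
    if name is not None:
        return f"FLAG: protocol {info['protocol']} ({name}) {info['src']} -> {info['dst']}"
    if info["dst_port"] is None:
        return f"ok: protocol {info['protocol']}, no port field"
    return f"ok: protocol {info['protocol']}, dst port {info['dst_port']}"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed sample packet for this demo (checksum left at 0)."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    fixed = IPV4_FIXED.pack(
        (4 << 4) | ihl, 0, 20 + len(options) + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return fixed + options + payload


# Constructed samples: same number 53 / 103, once as a port and once as a protocol.
DNS_QUERY = build_ipv4(UDP, "192.0.2.10", "198.51.100.53",
                       struct.pack("!HHHH", 40000, 53, 8, 0))
PROTO_53 = build_ipv4(53, "192.0.2.10", "198.51.100.1", b"\x00" * 8)
TCP_103_OPTS = build_ipv4(TCP, "192.0.2.10", "198.51.100.1",
                          struct.pack("!HH", 40001, 103) + b"\x00" * 16,
                          options=b"\x01" * 4)  # four NOP options, so IHL is 6
PIM_HELLO = build_ipv4(103, "192.0.2.1", "224.0.0.13", b"\x00" * 4)

if __name__ == "__main__":
    for label, pkt in [("dns", DNS_QUERY), ("proto53", PROTO_53),
                       ("tcp103", TCP_103_OPTS), ("pim", PIM_HELLO)]:
        print(f"{label:8} {classify(pkt)}")
```

A filter written against port 53 or 103 would match the DNS and TCP samples and miss the two flagged ones, which is the confusion the reply corrects.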
Re: Fiber Question [7:72544]
Bill wrote in message news:[EMAIL PROTECTED]

Just learning basics of fiber communication. I am not sure about which fiber cable I saw but it was orange and basically connected two 3550's together. The fiber had two connectors on each side. One was blue and the other was red. How is it normally connected? I guess the switch ports are receive and transmit. So, does that mean if you connect red on the left port on one switch, you would connect the red on the other side of the cable to the right port of the switch?

Yeah - in effect you have to cross over, i.e. the TX on device 1 connects to the RX on device 2 and vice versa. This can be done at the patch panel or at the GBIC.

Thx
bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72549t=72544
Re: a really big bug [7:72463]
Daniel Cotts wrote in message news:[EMAIL PROTECTED]

53   SWIPE    IP with Encryption             [JI6]
55   MOBILE   IP Mobility                    [Perkins]

Oh great. So any joker with a wireless LAN card can crash your Cisco wireless network, security or no?

77   SUN-ND   SUN ND PROTOCOL-Temporary      [WM3]
103  PIM      Protocol Independent Multicast [Farinacci]

-Original Message-
From: Lance Warner [mailto:[EMAIL PROTECTED]

They are not port numbers but rather *protocol* numbers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72547t=72463
RE: Access list or Conduit? [7:72514]
I agree. If I recall correctly, this change was implemented in the later versions of 5.x and conduits aren't used at all in the 6.x versions. Cisco did this to make the firewall code more IOS like.

-Original Message-
From: Wilmes, Rusty
Sent: Thu Jul 17 20:37:15 2003
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]

My understanding is conduits are the same as access lists but are being phased out and replaced by access lists so that syntax is more uniform across platforms.

-Original Message-
From: E. Keith J. [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]

Hi all

The boss wants to allow ping. In the website I found the way by using an access list. In another config I see a conduit is used. What is the difference between using a conduit and an access list to allow ping? Is it that a conduit is to a specific host rather than permit any?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72546t=72514
Re: Fiber Question [7:72544]
At 01:20 AM 7/18/2003 +, Bill wrote:

Just learning basics of fiber communication. I am not sure about which fiber cable I saw but it was orange

FWIW, the MM cables we use are usually orange and the SM cables yellow. Not sure if this is a general rule though... :)))

and basically connected two 3550's together.

Unfortunately the type of the cable depends on the GBIC, not the box itself. In fact as we saw here recently, the GBIC type and the cable type don't even need to match.

The fiber had two connectors on each side.

I guess that's a pretty standard solution... although it is possible to transmit and receive on the same fiber, isn't it? Never seen one of those though.

One was blue and the other was red.

This is unfortunately not the case with every fiber cable, although it could come in handy sometimes.

How is it normally connected? I guess the switch ports are receive and transmit.

Yes.

So, does that mean if you connect red on the left port on one switch, you would connect the red on the other side of the cable to the right port of the switch?

Probably. Unless the cable manufacturer wants to intentionally screw you and assigns the colors randomly... :)

Thanks,
Zsombor

Thx
bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72548t=72544
Re: a really big bug [7:72463]
At 12:16 AM 7/18/2003 +, Priscilla Oppenheimer wrote:

By the way, you work at Cisco, right? Are you a good representation of the current employees?

No. Only a few of us post on groupstudy. :)

Thanks,
Zsombor

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72545t=72463
RE: a default route question.. [7:72211]
Yes. Thanks. I mistakenly thought that there is a way you could redistribute the default route to eigrp neighbors without using the redistribute static command. Wasted half an hour playing around with all the options until...nothing. A search on CCO shows this link which stated: EIGRP propagates a route to network 0.0.0.0, but the static route must be redistributed into EIGRP

http://www.cisco.com/en/US/partner/tech/tk365/tk554/technologies_tech_note09186a0080094374.shtml

-luan

From: Zsombor Papp
To: Luan Nguyen
CC: [EMAIL PROTECTED]
Subject: RE: a default route question.. [7:72211]
Date: Thu, 17 Jul 2003 15:40:13 -0700

Command depends on routing protocol. You are probably in EIGRP. 'default-information originate' is used with OSPF and ISIS. As we found out recently, newer versions of IOS allow this command under RIP as well, although I have to wonder what that does as RIP advertises the default route without it anyway (after redistribution, of course).

Thanks,
Zsombor

At 09:16 PM 7/17/2003 +, Luan Nguyen wrote:

Hello,

(config-router)#default-information ?
  allowed  Allow default information
  in       Accept default routing information
  out      Output default routing information

There is no such thing as default-info originate. All the above are default with cisco I believe, I still don't understand what Daniel said about ip default-network. How do I create an ip default-network to equal to ip route 0.0.0.0 0.0.0.0 1.1.1.1 ? The way I am doing now is just redistribute static and maybe filter to only 0.0.0.0 with route-map.

Thanks.
Regards,

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: a default route question.. [7:72211]

Daniel Cotts wrote:

Not an issue of errata but of reading a little further. If there is a default static 0.0.0.0 0.0.0.0 192.168.1.2 and RIP on the router then: that router will use the static as its gateway of last resort and RIP will advertise that route to its neighbors. For IGRP and EIGRP see Doyle p 756 Default routing is somewhat different for IGRP and EIGRP. These protocols do not understand the address 0.0.0.0. Rather, they advertise an actual address as an external route Use the ip default-network command to create that route. ip default-network 10.0.1.0 (or whatever - plus in EIGRP one can add a mask) The router on which that is configured will advertise that route to its neighbors.

Will IGRP and EIGRP do this automatically or do they need default-information originate, I wonder? It's probably not worth testing on my routers because they are so old they won't take a recent IOS version. When I get back to my work lab I could test it, but that won't be until September. (The academic life has some advantages. :-)

Priscilla

See also EIGRP Network Design Solutions page 219-223 (It appears the book is out of print. There are a few available on Amazon.) So - the sentence in Doyle p 753 After a default route is identified in the routing table, RIP, IGRP, and EIGRP will automatically advertise it. - is true as long as we understand that default route means different things for RIP vs EIGRP. No redistribution commands are used. Now - the original point of this thread was 'has the treatment of default routes - particularly by RIP - changed in newer versions of IOS?' Some weeks ago I did some testing and did not find any change (used 11.1 through 12.2). However, I seem to remember some discussion by Chuck and others in the past on this subject. I haven't searched the archives - so am open to anyone proving otherwise.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]

But, alas, this didn't work on IGRP or EIGRP. So if anyone has a good errata for Doyle, Volume I, is this in it?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72550t=72211
Re: Fiber Question [7:72544]
At 01:20 AM 7/18/2003 +, Bill wrote:

Just learning basics of fiber communication.

Btw, optical communication is indeed an interesting topic. Does anyone have a recommendation for a good book on this? I would be very interested in a book (let alone web site) that explains the fundamental principles (modulation, dispersion, spectral width, etc) in a great detail, but without making my brain explode with thousands of formulas. (Yeah, I know, it's not an easy request.) For example, why exactly do we need that conditioning cable when connecting a MM cable to a SM interface?

Thanks,
Zsombor

I am not sure about which fiber cable I saw but it was orange and basically connected two 3550's together. The fiber had two connectors on each side. One was blue and the other was red. How is it normally connected? I guess the switch ports are receive and transmit. So, does that mean if you connect red on the left port on one switch, you would connect the red on the other side of the cable to the right port of the switch?

Thx
bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72551t=72544
RE: a really big bug [7:72463]
Peter? I understand that you are no longer with Cisco, but I thought that you may want to comment on this...

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message-
From: Zsombor Papp [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 9:44 PM
To: [EMAIL PROTECTED]
Subject: Re: a really big bug [7:72463]

At 12:16 AM 7/18/2003 +, Priscilla Oppenheimer wrote:

By the way, you work at Cisco, right? Are you a good representation of the current employees?

No. Only a few of us post on groupstudy. :)

Thanks,
Zsombor

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72553t=72463
Re: Fiber Question [7:72544]
Zsombor Papp wrote in message news:[EMAIL PROTECTED]

At 01:20 AM 7/18/2003 +, Bill wrote:

Just learning basics of fiber communication.

Btw, optical communication is indeed an interesting topic. Does anyone have a recommendation for a good book on this? I would be very interested in a book (let alone web site) that explains the fundamental principles (modulation, dispersion, spectral width, etc) in a great detail, but without making my brain explode with thousands of formulas. (Yeah, I know, it's not an easy request.) For example, why exactly do we need that conditioning cable when connecting a MM cable to a SM interface?

Not that CCO necessarily provides intimate technical details, but if you read the footnotes you can infer that it has to do with laser strength and signal saturation.

http://www.cisco.com/en/US/products/hw/modules/ps872/products_data_sheet09186a008014cb5e.html

Watch the wrap. Probably the same reason why the minimum length of a fiber patch ( multimode ) is 3 meters / 10 foot

Thanks,
Zsombor

I am not sure about which fiber cable I saw but it was orange and basically connected two 3550's together. The fiber had two connectors on each side. One was blue and the other was red. How is it normally connected? I guess the switch ports are receive and transmit. So, does that mean if you connect red on the left port on one switch, you would connect the red on the other side of the cable to the right port of the switch?

Thx
bill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72554t=72544
RE: Access list or Conduit? [7:72514]
You can use the icmp permit to allow the icmp through. As well, Cisco recommends you allow unreachable through for SIP. By default all PIX interfaces will respond to icmp echo-reply. You must deny this with the icmp deny command. As well, you can use an ACL to apply to the icmp permit match acl command, to make the icmp echo-request more granular. Conduits are the old way of blasting a hole in the PIX. Cisco recommends the trend of ACL and icmp permit statement to mitigate attacks.

Cheers,
Jamie

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lynne Padgett
Sent: July 17, 2003 7:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]

I agree. If I recall correctly, this change was implemented in the later versions of 5.x and conduits aren't used at all in the 6.x versions. Cisco did this to make the firewall code more IOS like.

-Original Message-
From: Wilmes, Rusty
Sent: Thu Jul 17 20:37:15 2003
To: [EMAIL PROTECTED]
Subject: RE: Access list or Conduit? [7:72514]

My understanding is conduits are the same as access lists but are being phased out and replaced by access lists so that syntax is more uniform across platforms.

-Original Message-
From: E. Keith J. [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 17, 2003 2:12 PM
To: [EMAIL PROTECTED]
Subject: Access list or Conduit? [7:72514]

Hi all

The boss wants to allow ping. In the website I found the way by using an access list. In another config I see a conduit is used. What is the difference between using a conduit and an access list to allow ping? Is it that a conduit is to a specific host rather than permit any?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72552t=72514