Re: ospf type 5 lsas [7:74699]

2003-09-03 Thread Charles Cthulhu Riley
Mmm, looks like you have area 15 configured as a Not so stubby totally
stubby area (NSSTSA) rather than as a not so stubby area (NSSA)...some
slight differences as noted below; also, note how type 5 and 7 are (and are
not) supported...LSA type 5 routes will not be used in a NSSA or NSSTSA;
however, the same information conveyed by type 7 will (comes from ABR for
the area).


NSSA:
If there is an ABR configured into this area (to area 0), it will convert
the LSA type 7 to an LSA type 5. The LSA type 5 that was a LSA type 7 gets
passed to the backbone area, where it gets distributed as a normal LSA type
5 to the rest of the OSPF routing domain. This LSA type 5 does not get sent
into the NSSA because the NSSA does not allow LSA type 5 into the area...not
to mention that the NSSA routers already have this information via the LSA
type 7. By default, type 5 LSAs cannot be summarized at an ASBR or ABR,
though Type 7 can.
An area is configured as a NSSA with the following command in OSPF
configuration mode. This command must be entered on all routers in the area
in order for them to become neighbors.

area 1 nssa


About NSSTSA...
The Not So Stubby Totally Stubby Area (NSSTSA) is a special definition of
the NSSA. It is more restrictive regarding what it allows into the area. The
NSSTSA is similar to the NSSA, except that it does not allow LSA type 3 and
4 into the area. Otherwise, the NSSTSA is just like a NSSA.

The NSSTSA ASBR creates LSA type 7 for the routes that it is redistributing
from another routing protocol into the NSSTSA. The NSSTSA ABR converts the 7
into a 5 for propagation to the rest of the OSPF domain. A default route,
sent as a LSA type 3 summary, is the only exception to NSSTSA rule that no 3
or 4 is allowed into the area.
To configure a NSSTSA, enter the following command on the NSSTSA ABR only.
This configures the ABR not to send LSA type 3 and 4 into the NSSTSA. All
routers will be configured with the NSSA command, as previously discussed.

On the NSSTSA ABR only:

area 1 nssa no-summary

On all other NSSTSA routers:

area 1 nssa

HTH,


Charles

"Thomas Salmen" wrote in message
news:[EMAIL PROTECTED]
> someone requested the configs; i'm sorry, i'm not sure who.
>
> and the links are numbered, btw.
>
>
> 7500:
>
> interface atm 0/1/0.101
>  ip address 192.168.10.1 255.255.255.252
>
> !
>
> !
> router ospf 120
>  network 192.168.10.0 0.0.0.3 area 0
>  network 10.64.0.0 0.0.0.255 area 14
>
> !
>
>
>
> 2500:
>
> interface ethernet 0
>  ip address 172.16.10.5 255.255.255.252
> !
> interface serial 0/0.101 point-to-point
>  ip address 192.168.10.2 255.255.255.252
>
> !
>
> !
> router ospf 120
>  network 192.168.10.0 0.0.0.3 area 0
>  network 172.16.10.4 0.0.0.3 area 15
>  area 15 nssa no-summary
> !
>
> the only other router in area 15 is at 172.16.10.6, and is configured as an
> nssa asbr.
>
> the 7500 has all the type 5 lsas in its database, but none entered in its
> route table.
>
> eg:
>
> 7500#show ip ospf database external  200.88.200.220
>
> OSPF Router with ID (200.55.10.244) (Process ID 20)
>
> Type-5 AS External Link States
>
>   LS age: 2576
>   Options: (No TOS-capability, DC)
>   LS Type: AS External Link
>   Link State ID: 200.88.200.220 (External Network Number )
>   Advertising Router: 200.27.100.154
>   LS Seq Number: 8008
>   Checksum: 0x1A8B
>   Length: 36
>   Network Mask: /32
> Metric Type: 2 (Larger than any link state path)
> TOS: 0
> Metric: 2
> Forward Address: 0.0.0.0
> External Route Tag: 3221225472
>
> 7500#show ip route | include 200.88.200.220
>
> 7500#
>
>
>
>
> thomas
>
>
>
> - Original Message -
> From: Thomas Salmen
> To: [EMAIL PROTECTED]
> Sent: Tuesday, September 02, 2003 3:43 PM
> Subject: ospf type 5 lsas
>
>
> i have a problem with ospf that someone may be able to help with.
>
> i have a 2500 connected to a 7500 via a frame (2500 end) to atm (7500 end)
> link. the 2500 is an abr for area 15 (serial area 0, ethernet area 15); the
> 7500 is an abr for area 14 (atm area 0, other interfaces area 14).
>
> area 15 is configured as an nssa, as it is attached to another router which
> is redistributing static routes. area 14 is a standard ospf area, not stub or
> nssa.
>
> the 2500 (abr) is receiving type 7 lsas and converting them to type 5 and
> flooding them into area 0, no problems. the 7500 has them in its lsa
> database.
> the problem is that none of the type 5 lsas are being entered in the 7500s
> route table.
>
> i have run through everything i can think of, and i'm a bit stuck. the
> forwarding address of each lsa is 0.0.0.0. the network type is correct (ptp).
> the 7500 can reach the abr and the asbr. subnet masks are all correct. i'm not
> sure what to look for next...
>
> anyone?
>
> thomas
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisc
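The area rules in Charles's reply (an NSSA carries type 7 but never admits type 5; an NSSA configured with no-summary on its ABR additionally blocks type 3 and 4 summaries except the default route; the ABR re-originates each type 7 as a type 5 under its own router ID for the backbone and the rest of the domain), as an added worked model. This is not code from the original post or from any router; it also covers plain stub and totally stubby areas, which the thread only mentions in passing. The area layout and the ASBR address come from the thread, and the advertising router used for the translated type 5 is the one shown in the 7500's database dump; everything else is a constructed illustration.

```python
"""Model of which OSPF LSA types each area type admits, and of the NSSA
ABR's type-7 -> type-5 translation.  Added example, not code from the
original post; the area layout and router IDs are those in the thread."""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class AreaType(Enum):
    NORMAL = "normal"              # area 0 and area 14 in the thread
    STUB = "stub"                  # included for comparison; not discussed in the post
    TOTALLY_STUBBY = "stub no-summary"
    NSSA = "nssa"                  # 'area N nssa' on every router in the area
    NSSTSA = "nssa no-summary"     # same, plus 'no-summary' on the ABR only


@dataclass(frozen=True)
class LSA:
    lsa_type: int             # 1..7
    prefix: str
    advertising_router: str
    is_default: bool = False  # the 0.0.0.0/0 summary an ABR injects into no-summary areas


def admits(area: AreaType, lsa: LSA) -> bool:
    """True if an LSA of this type may be flooded into an area of this type."""
    t = lsa.lsa_type
    if t == 7:
        # NSSA-external LSAs exist only inside the NSSA that originated them.
        return area in (AreaType.NSSA, AreaType.NSSTSA)
    if t in (4, 5):
        # AS-external LSAs, and the ASBR summaries that only matter alongside them,
        # are confined to normal areas (RFC 2328 for stub, RFC 3101 for NSSA).
        return area == AreaType.NORMAL
    if t == 3:
        # 'no-summary' areas admit only the ABR's default-route summary.
        if area in (AreaType.TOTALLY_STUBBY, AreaType.NSSTSA):
            return lsa.is_default
        return True
    return True  # types 1 and 2 are intra-area and always present


def translate_type7(lsa7: LSA, abr_router_id: str) -> LSA:
    """The NSSA ABR re-originates a type 7 as a type 5 under its own router ID."""
    if lsa7.lsa_type != 7:
        raise ValueError("only type 7 LSAs are translated")
    return replace(lsa7, lsa_type=5, advertising_router=abr_router_id)


def flood_from_nssa(lsa7: LSA, source_area: str, abr_router_id: str,
                    areas: dict[str, AreaType]) -> dict[str, list[LSA]]:
    """Per area, the LSAs describing lsa7's prefix that land in its database."""
    if areas[source_area] not in (AreaType.NSSA, AreaType.NSSTSA):
        raise ValueError("type 7 LSAs originate only inside an NSSA")
    lsa5 = translate_type7(lsa7, abr_router_id)
    db: dict[str, list[LSA]] = {}
    for name, kind in areas.items():
        if name == source_area:
            db[name] = [lsa7]   # the original type 7 stays in its own NSSA ...
        else:
            db[name] = [lsa5] if admits(kind, lsa5) else []  # ... the type 5 goes elsewhere
    return db


# Constructed scenario matching the thread: area 15 is an NSSA with 'no-summary'
# on the 2500, area 0 is the backbone, area 14 is a normal area on the 7500.
AREAS = {"0": AreaType.NORMAL, "14": AreaType.NORMAL, "15": AreaType.NSSTSA}
ASBR_ID = "172.16.10.6"           # the NSSA ASBR named in the thread
TRANSLATOR_ID = "200.27.100.154"  # advertising router of the type 5 in the 7500's database


def thread_scenario() -> dict[str, list[LSA]]:
    """Flood the redistributed route for 200.88.200.220/32 from area 15 outward."""
    lsa7 = LSA(7, "200.88.200.220/32", ASBR_ID)
    return flood_from_nssa(lsa7, "15", TRANSLATOR_ID, AREAS)


if __name__ == "__main__":
    for area, lsas in thread_scenario().items():
        print(area, [(entry.lsa_type, entry.advertising_router) for entry in lsas])
    print("default into area 15:",
          admits(AreaType.NSSTSA, LSA(3, "0.0.0.0/0", TRANSLATOR_ID, True)))
    print("other summary into area 15:",
          admits(AreaType.NSSTSA, LSA(3, "10.64.0.0/24", TRANSLATOR_ID)))
```

Running the scenario shows area 15 holding only the type 7, while area 0 and area 14 hold a type 5 whose advertising router is the translating ABR, not the ASBR; the model says nothing about whether a router installs that type 5 in its routing table, which is the separate question the original poster is asking.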

Re: Urgent [7:74680]

2003-09-02 Thread Charles Cthulhu Riley
Is it a truly unmanaged switch that can not be addressed whatsoever, or is it a
switch that can be assigned an IP address and managed, but just hasn't been
done yet???  I believe that 99.44% of Cisco switches are all manageable
(have a MAC associated with them).  Persuasions and dissuasions for this
statement are welcome...

Cheap and easy rule of thumb...if it supports SNMP, it has a MAC address.

As to how to determine the MAC...show interface on the newer switches, or
on CATOS switches, show module (shows addresses for a module), and show mac
(to view MAC addresses of whatever is connected to a particular port).

"Bharani" wrote in message
news:[EMAIL PROTECTED]
> Dear Reader
>
> Does unmanaged switches have MAC Address , because we have some
> unmanaged switches which uses the concept of Store and Forward for handling
> the frames
>
> if it is there , what is the simple way to find the MAC address of the
> switch
>
> Thanks in advance
> Bani




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74687&t=74680
--


Re: ospf type 5 lsas [7:74632]

2003-09-02 Thread Charles Cthulhu Riley
Can we see the configuration for the 2500 and 7500 (just the OSPF part)?

Also,  is this route in the table at all?  That is, is another protocol
(like EIGRP) also advertising this route??

Thanks,


Charles



"Thomas Salmen" wrote in message
news:[EMAIL PROTECTED]
> i have a problem with ospf that someone may be able to help with.
>
> i have a 2500 connected to a 7500 via a frame (2500 end) to atm (7500 end)
> link. the 2500 is an abr for area 15 (serial area 0, ethernet area 15); the
> 7500 is an abr for area 14 (atm area 0, other interfaces area 14).
>
> area 15 is configured as an nssa, as it is attached to another router which
> is redistributing static routes. area 14 is a standard ospf area, not stub or
> nssa.
>
> the 2500 (abr) is receiving type 7 lsas and converting them to type 5 and
> flooding them into area 0, no problems. the 7500 has them in its lsa
> database.
> the problem is that none of the type 5 lsas are being entered in the 7500s
> route table.
>
> i have run through everything i can think of, and i'm a bit stuck. the
> forwarding address of each lsa is 0.0.0.0. the network type is correct (ptp).
> the 7500 can reach the abr and the asbr. subnet masks are all correct. i'm not
> sure what to look for next...
>
> anyone?
>
> thomas




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74658&t=74632
--


Re: Interesting Question [7:74652]

2003-09-02 Thread Charles Cthulhu Riley
I don't know why a Class A address was chosen...personally, I would have
chosen a Class C address...less wasteful.  However, I might be missing the
point here, tho...
"Bharani" wrote in message
news:[EMAIL PROTECTED]
> Dear Readers
>
>   Does any one know the Mathematical reason for making
> 127.X.X.X as a Loop Back address, if so please let me know
>
> Thanks in advance
> Bani




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74659&t=74652
--


Re: Trying run ISIS on 2600 [7:74051]

2003-08-16 Thread Charles Cthulhu Riley
Looked this up on Software Advisor...it listed feature sets primarily with
an Enterprise flavor, as well as a few VoIP, Telco, and Service Provider
flavors.  What I got out of the whole thing was that the IP only feature set
will not cut it.  IS-IS speakers natively use CLNS to communicate even as
they route IP.  I used to get it with the Desktop feature, though I did not
see that as an option here.

Cisco provides a nice basic example of ISIS here at
http://www.cisco.com/en/US/customer/tech/tk365/tk381/technologies_configuration_example09186a0080093f38.shtml

If you are interested in having it route both IP and CLNS...use Integrated
ISIS...more info at
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c5bc1.html#wp1000871


HTH,

Charles



"irfan siddiqui" wrote in message
news:[EMAIL PROTECTED]
> I am trying to run ISIS on a 2600 series router however it does not accept
> the CLNS and ISIS routing commands at the Config mode. I am using IOS IP
> version only? Do i need IP plus version to configure ISIS??
>
> Thanks
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74057&t=74051
--


Re: did you save ?????? [7:73986]

2003-08-15 Thread Charles Cthulhu Riley
Hamsters have optimal ground for electricity...groundhogs have too much...


"Larry Letterman" wrote in message
news:[EMAIL PROTECTED]
> I thought it was groundhogs that Kansas had an oversupply of...
>
>
> Larry Letterman
> Cisco Systems
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Charles Cthulhu Riley
> Sent: Friday, August 15, 2003 12:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: did you save ?? [7:73986]
>
>
> Out here in Kansas, we all got ethanol fueled hamsters running on
> treadmills for power production, so we were unaffected by the blackout.
> One hamster did escape and raid the local quickee-mart for some
> chocolate donettes, though...that reduced power output by about .1%, as
> well as causing cardio problems with said hamster.  We called him Jimmy
> the Hamster, and he does NOT have his CCNA, despite his claims of high
> test scores.
>
> Sorry for the silly response...been writing all day and needed a goof
> break.
>
> Charles
>
> "Kurt Kruegel" wrote in message
> news:[EMAIL PROTECTED]
> > so did everybody save there configs before the power went out ???
> >
> > i'm more worried about about server's that had their power cut then my
>
> > network equipment 
> >
> > like my older grouchy sun boxes !




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74034&t=73986
--


Re: did you save ?????? [7:73986]

2003-08-15 Thread Charles Cthulhu Riley
Out here in Kansas, we all got ethanol fueled hamsters running on treadmills
for power production, so we were unaffected by the blackout. One hamster did
escape and raid the local quickee-mart for some chocolate donettes,
though...that reduced power output by about .1%, as well as causing cardio
problems with said hamster.  We called him Jimmy the Hamster, and he does
NOT have his CCNA, despite his claims of high test scores.

Sorry for the silly response...been writing all day and needed a goof break.

Charles

"Kurt Kruegel" wrote in message
news:[EMAIL PROTECTED]
> so did everybody save there configs before the power went out ???
>
> i'm more worried about about server's that had their power cut then my
> network
> equipment 
>
> like my older grouchy sun boxes !




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74030&t=73986
--


Re: PIX xlate question [7:74012]

2003-08-15 Thread Charles Cthulhu Riley
Your pool may consist of addresses from the local addresses, and the xlates
are occurring on a catch-as-catch-can basis, which accounts for the weird results
of your show command...

Assuming your local addresses are 213.x.x.x, your pool of addresses to which
these locals are to be translated is also 213.x.x.x...you apparently have a
case of unintentional identity NAT here...

"Skarphedinsson Arni V." wrote in message
news:[EMAIL PROTECTED]
> why would I see the following when I do sh xlate on the pix, i.e.
> one global address is being translated to the next in line global address?
>
> any suggestions would be welcome
>
>
> Global 213.213.128.143 Local 213.213.128.142
> Global 213.213.128.142 Local 213.213.128.141
> Global 213.213.128.137 Local 213.213.128.136
> Global 213.213.128.136 Local 213.213.128.135
> Global 213.213.128.139 Local 213.213.128.138
> Global 213.213.128.138 Local 213.213.128.137
> Global 213.213.128.133 Local 217.3.103.62
> Global 213.213.128.132 Local 213.213.128.131
> Global 213.213.128.135 Local 213.213.128.134
> Global 213.213.128.134 Local 213.213.128.133
> Global 213.213.128.129 Local 213.213.128.128
> Global 213.213.128.128 Local 213.213.128.127
> Global 213.213.128.131 Local 213.213.128.130
> Global 213.213.128.130 Local 213.213.128.129
> Global 213.213.128.189 Local 213.213.128.188
> Global 213.213.128.188 Local 213.213.128.187
> Global 213.213.128.191 Local 200.65.74.239
> Global 213.213.128.190 Local 213.213.128.189
> Global 213.213.128.185 Local 213.213.128.184
> Global 213.213.128.184 Local 213.213.128.183
> Global 213.213.128.187 Local 213.213.128.186
> Global 213.213.128.186 Local 213.213.128.185
> Global 213.213.128.181 Local 213.213.128.180
> Global 213.213.128.180 Local 213.213.128.179
> Global 213.213.128.183 Local 213.213.128.182
> Global 213.213.128.182 Local 213.213.128.181
> Global 213.213.128.177 Local 213.213.128.176
> Global 213.213.128.176 Local 213.213.128.175
> Global 213.213.128.179 Local 213.213.128.178
> Global 213.213.128.178 Local 213.213.128.177
> Global 213.213.128.173 Local 213.213.138.210
> Global 213.213.128.172 Local 10.200.20.124
> Global 213.213.128.175 Local 213.213.128.174
> Global 213.213.128.174 Local 213.213.128.173
> Global 213.213.128.169 Local 213.213.128.168
> Global 213.213.128.168 Local 213.213.128.167
> Global 213.213.128.171 Local 213.213.128.170
> Global 213.213.128.170 Local 213.213.128.169
> Global 213.213.128.165 Local 213.213.128.164
> Global 213.213.128.164 Local 213.213.128.163
> Global 213.213.128.167 Local 213.213.128.166
> Global 213.213.128.166 Local 213.213.128.165
> Global 213.213.128.161 Local 213.213.128.160
> Global 213.213.128.160 Local 213.213.128.159
> Global 213.213.128.163 Local 213.213.128.162
> Global 213.213.128.162 Local 213.213.128.161
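A check for the situation Charles describes above, where the global pool is drawn from the same range as the local addresses, as an added example that is not part of the original post or of any PIX tooling. It parses show xlate lines, counts entries whose local address already lies inside the global pool, and counts entries whose local address is simultaneously in use as another entry's global, which is the chained pattern visible in the listing. The sample lines are a subset of the poster's output; the pool 213.213.128.128/26 is an assumption inferred from the global addresses in that output, not a value from the thread.

```python
"""Audit a PIX 'show xlate' listing for a global pool that overlaps the local
address space (the 'unintentional identity NAT' in the reply above).
Added example, not from the original post.  SAMPLE_XLATE is a subset of the
poster's listing; the /26 pool is an assumption inferred from the globals seen."""
import ipaddress
import re

XLATE_RE = re.compile(r"^Global\s+(\S+)\s+Local\s+(\S+)$")

SAMPLE_XLATE = """\
Global 213.213.128.143 Local 213.213.128.142
Global 213.213.128.142 Local 213.213.128.141
Global 213.213.128.133 Local 217.3.103.62
Global 213.213.128.132 Local 213.213.128.131
Global 213.213.128.131 Local 213.213.128.130
Global 213.213.128.172 Local 10.200.20.124
"""

ASSUMED_POOL = "213.213.128.128/26"   # assumption: covers every global in the listing


def parse_xlate(text):
    """Return (global, local) address pairs; lines that are not xlate entries are skipped."""
    pairs = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            pairs.append((ipaddress.ip_address(m.group(1)),
                          ipaddress.ip_address(m.group(2))))
    return pairs


def locals_inside_pool(pairs, pool):
    """Entries whose local side already lives in the global pool: the firewall is
    rewriting one pool address into another instead of hiding an inside host."""
    return [(g, l) for g, l in pairs if l in pool]


def chained_translations(pairs):
    """Entries whose local address is also handed out as some other entry's global,
    so the same public address names two different hosts depending on direction."""
    in_use_as_global = {g for g, _ in pairs}
    return [(g, l) for g, l in pairs if l in in_use_as_global]


def audit(text, pool_cidr):
    """Summarise an xlate listing against the pool it is supposed to draw from."""
    pool = ipaddress.ip_network(pool_cidr)
    pairs = parse_xlate(text)
    overlap = locals_inside_pool(pairs, pool)
    chained = chained_translations(pairs)
    return {
        "entries": len(pairs),
        "locals_in_pool": len(overlap),
        "locals_outside_pool": len(pairs) - len(overlap),
        "chained": len(chained),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_XLATE, ASSUMED_POOL))
    for g, l in locals_inside_pool(parse_xlate(SAMPLE_XLATE),
                                   ipaddress.ip_network(ASSUMED_POOL)):
        print(f"pool address {l} is being translated to pool address {g}")
```

A non-zero locals_in_pool count is the signature of the overlap Charles suspects: the nat statement's source range is wide enough to include the pool itself. The two entries that stay outside the pool (217.3.103.62 and 10.200.20.124 in the sample) are the only ones that look like ordinary inside hosts being hidden behind a global.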




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=74029&t=74012
--


Re: Frame Relay Design Consideration (P2P or P2Multipoint) [7:73415]

2003-08-02 Thread Charles Cthulhu Riley
Less IP addresses used?

 wrote in message
news:[EMAIL PROTECTED]
> Guys,
>
> Very quick one here.
>
> If I have a hub site with 5 spoke sites on an FR network,  I could use FR
> P2P sub ints or P2M sub ints.
>
> Why would I prefer a P2P over P2M method?  The routing protocol would be
> EIGRP and apart from broadcast traffic being 5 times more than a P2P
> network, why would it be better for a P2P.  I mean the split horizon can be
> turned off on the hub multipoint interface.
>
> Sorry if this sounds like dumb question?
>
> Many thx
> Ken
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73415&t=73415
--


Re: Friday Follies #1 [7:73370]

2003-08-01 Thread Charles Cthulu Riley
Assign an address (as secondary) from the incorrect range to the router
interface to which this device is connected, and from that router, connect
(telnet or ssh) to that device, fix the ip, (get disconnected in process, of
course), and remove the incorrect secondary from the router...voila and other
French words I don't understand.

"John Neiberger" wrote in message
news:[EMAIL PROTECTED]
> You have a device that is reachable only via telnet or console that you've
> preconfigured with an IP address, subnet mask, and default gateway and
> subsequently shipped out to a remote location to be installed. Once the
> device was in place you realized that you've configured it with the wrong
> addressing information. The subnet you used actually exists at another
> location so this device is currently unreachable via IP. If you could
> somehow reach the device you'd be able to correct your mistake without
> having someone ship the device back to you.
>
> What can you do to restore IP connectivity to this device in its current
> location and make it reachable from both the local router and remote
> routers?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73377&t=73370
--


Re: Friday Follies #2 [7:73371]

2003-08-01 Thread Charles Cthulu Riley
Three words

MY-CROW-SOFF?


"John Neiberger" wrote in message
news:[EMAIL PROTECTED]
> [This isn't the usual type of follies question where you have to figure
> something out. In this case, you either know the answer or you don't. If you
> don't, you can probably figure out how to look it up and it would be good
> information to have in case you see this in your own network.]
>
> Your network uses RFC 1918 private IP address space (10.0.0.0/8) for your
> addressing. You have a logging access list configured on a LAN interface and
> you begin seeing traffic from devices in the 169.254.0.0/16 subnet destined
> for 169.254.255.255. You don't have any machines configured with addresses
> in this subnet, so what could it be?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73378&t=73371
--


Re: OSPF through PIX [7:72938]

2003-07-24 Thread Charles Cthulhu Riley
Get PIXOS 6.3, enable OSPF on the firewall, and let it participate in OSPF
routing...voila! OSPF "through" the firewall...

Also, how about using neighbor statements (with no translation) which
converts the OSPF multicasts to unicasts?  Just a thought...obviously,
would need an ACL applied at key points.


"Robertson, Douglas" wrote in message
news:[EMAIL PROTECTED]
> OSPF through a PIX firewall is not supported. There are two ways to
> configure routing through a PIX.
> 1) Configure a GRE tunnel between the two routers.
> 2) Configure BGP between the two routers.
> The two choices have different implications depending on your specific
> network.
>
> Thanks Doug
>
> -Original Message-
> From: Massucco Emanuele [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 24, 2003 11:28 AM
> To: [EMAIL PROTECTED]
> Subject: OSPF through PIX [7:72938]
>
>
> Does anyone know if there are any problems configuring OSPF through PIX
> interfaces?
> I know PIX should block broadcast, so which is the way to make it work?
>
> thanks
> LEle




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72958&t=72938
--
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: Quoting in Replies [7:71366]

2003-06-25 Thread Charles Cthulhu Riley
I would appreciate if the posters would drive over to my house and read
their message to me, with accompanying gestures as appropriate...Not only
that, but maybe fix me a glass of ice tea and some cookies.  It's hot out
here in Kansas, and cookies are hard to come by...


"Kaminski, Shawn G" wrote in message
news:[EMAIL PROTECTED]
> I agree. I was going to rag about this the other day, but figured that many
> people on this list already think I bi*ch too much about other things! :-)
>
> Shawn K.
>
> -Original Message-
> From: John Neiberger [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 2:34 PM
> To: [EMAIL PROTECTED]
> Subject: Quoting in Replies [7:71366]
>
> Okay, this is getting really old, really fast.  When responding to a post,
> PLEASE QUOTE WHAT YOU'RE REPLYING TO!  The number of unintelligible posts is
> increasing and some simple quoting would help immensely.
>
> Perhaps the issue is that if you use the web-based board to post a quote
> does not happen by default.  So, if you are using the board to reply to
> posts, please hit the QUOTE button and edit appropriately.
>
> Thanks,
> John (who is exceptionally grumpy today, and it shows.  Sorry about that.)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71383&t=71366
--


Re: New CCNA tracks [7:71256]

2003-06-24 Thread Charles Cthulhu Riley
Go, Cisco, milk that cash cow!  Hope it doesn't kick you in the...oh, look,
a bird!

"annlee" wrote in message
news:[EMAIL PROTECTED]
> Here's the actual announcement:
>
>
>
>   CISCO INTRODUCES CCNA PROGRAM ENHANCEMENTS
>   CCNA Offers New Exams for Those Entering Networking Field
>
>Today, Cisco Systems, Inc. announces three enhancements to the
> CCNA (Cisco Certified Network Associate) Program which are based on
> customer feedback, the need for an accessible entry path into the
> certifications, and upgrades to the exam for addressing emerging networking
> technologies. As the entry-level certification of the Cisco Career
> Certifications Program, CCNA represents a strong foundation and
> understanding of IP networking and troubleshooting. The enhancements include
> a new two-step exam path for new candidates entering the networking field,
> revisions to the existing CCNA exam and the option for candidates to apply
> one of the new exams for CCNA recertification.
>
>   A Two-Step Approach:
>The two-step approach introduced in the CCNA program offers
> candidates the ability to certify at their own pace and skill levels. The
> two step approach does not replace the existing one exam option, but allows
> candidates to achieve the certification in two stages by passing a new
> Introduction to Cisco Networking Technologies (INTRO) exam and a new
> Interconnecting Cisco Network Devices (ICND) exam to achieve CCNA
> certification.
>
>"Given the popularity and success of the CCNA program, we
> continue to enhance CCNA to meet our customers needs through skills
> assessment aimed at today's job requirements," said Don Field, senior
> manager, Internet Learning Solutions Group, Cisco Systems, Inc. "The
> two-step approach offers those new to the networking field the option to
> test their networking knowledge in stages."
>
> The two-certification paths for CCNA include:
>
> a.. Passing the CCNA 640-801 exam (available on June 30, 2003); or
> b.. Passing the INTRO 640-821 exam (currently as beta exam 641-821)
> and ICND 640-811 exam (available on June 30, 2003).
>   Revisions to the CCNA content:
>The revised CCNA 640-801 exam replaces existing CCNA 640-607 exam
> and is designed to better assess the networking skills of entry level
> candidates. The CCNA curriculum includes understanding the functions and
> operations of local area networks (LAN), Cisco IOS fundamentals, wide area
> networks (WAN), virtual private networks (VPN), and Storage Area Networks
> (SAN). Other topics covered in the CCNA curriculum are IP Addressing, Cisco
> Command Line Interface (CLI), Routing and Switching technologies and
> protocols. The CCNA certification content, technology and testing remains
> focused on real-world skills assessment with labs and exam simulations being
> key components of CCNA courses and exams.
>
>   Recertification:
>The new ICND exam now qualifies CCNA holders for recertification.
> The CCNA certifications are valid for three years. To recertify, candidates
> can also pass the new ICND 640-811 exam, the current CCNA exam, or any exam
> at the Professional or Cisco Qualified Specialist level bearing the prefix
> 642. The existing CCNA 640-607 exam will retire on September 30, 2003.
> CCNA: www.cisco.com/go/ccna
>
>
> --
>
>   Cisco Learning Partners are the only source of authorized Cisco
> training. Carefully selected by Cisco Systems, these companies are the only
> organizations to employ Certified Cisco Systems Instructors and deliver
> Cisco authorized and approved content. To find a Cisco Learning Partner in
> your area offering the new CCNA course curriculum, choose your preferred
> delivery method and go to the "Click Here to List Offerings" links to
> register for a scheduled course today.
>
>   Introduction to Cisco Networking Technologies (INTRO) v1.0a
>   Interconnecting Cisco Network Devices (ICND) v2.1
>
>   www.cisco.com/go/training
>
>   Cisco Learning Credits Program provides customers with an unrivaled
> ability to review, redeem and administrate training online. The new Learning
> Credits Management Tool lets customers view credit balances, review account
> transactions, generate reports and monitor training courses taken by
> individuals and departments in real-time.
>   www.cisco.com/go/learningcredits
>
>
> --
>
>   You have been sent this message because you indicated that you wish to
> receive updates on Cisco products and special offerings. If you would prefer
> not to receive news about special promotions from Cisco in the future,
> please click here
>
>   All contents copyright (c) 2003 Cisco Systems, Inc.
>
>
>
>
> "Dennis Laganiere" wrote in message
> news:[EMAIL PROTECTED]
> > I haven't seen anyth

Re: Technology, Certification, Skill Sets, and Looking [7:70860]

2003-06-18 Thread Riley
Wow, Chuck, way to suck the life out of the economy and our futures...oh,
wait, that was due to the bubble popping lo all those years ago. For an
assessment of networking futures, let's turn to Lovecraft...(thanks to
www.Cthulhu.org)

"It seemed to be a sort of monster, or symbol representing a monster, of a
form which only a diseased fancy could conceive. If I say that my somewhat
extravagant imagination yielded simultaneous pictures of an octopus, a
dragon, and a human caricature, I shall not be unfaithful to the spirit of
the thing. A pulpy, tentacled head surmounted a grotesque and scaly body
with rudimentary wings; but it was the general outline of the whole which
made it most shockingly frightful. "

We know the pulpy head has been popped...

Sadly, though, I believe that you are right on the money...networking and
its advanced features are becoming more point-button simple.  I figure that
we got about 10 years at the most before the bottom truly drops out and
networking becomes as simple and mindless as programming your VCR or
TiVo...you don't need assistance anymore.

As far as for myself,  I am currently working on developing my people skills
as I do want to attain senior greeter status...the handing out balloons and
talking is really tripping me up...does anyone want to form a study group
with me to study that?

Charles



"Priscilla Oppenheimer" wrote in message
news:[EMAIL PROTECTED]
> The Road Goes Ever On wrote:
> >
> > "Priscilla Oppenheimer" wrote in
> > message
> > news:[EMAIL PROTECTED]
> > >
> > > Someone also just sent me a URL to this newspaper article
> > that points out
> > > the importance of learning business practices, not just
> > particular
> > > technologies. It's a good read:
> > >
> > > http://www.startribune.com/stories/789/3936460.html
> > >
> >
> > An interesting article, and one with some nuggets of good
> > advice,
> > particularly for those new to the business cycle. For those who
> > have been
> > seeing articles like this over the past twenty years or so,
> > this article
> > reinforces good advice, much along the lines that NRF has
> > offered in other
> > threads that appear regularly on Groupstudy. Good advice is
> > timeless, and
> > the advice in this article, which reiterates similar outlooks
> > as have
> > appeared in the business press over the past couple of decades
> > remains true.
> >
> > Way back when I was learning things and formulating my own
> > technology
> > philosophy, I was blown away by three things I read - Peter
> > Keen's book
> > Competing in Time, Paul Strassman's book The Business Value of
> > Computers,
> > and an obscure article written by an economist working for the
> > Chicago
> > Federal Reserve Bank. Each of these sources in its own way says
> > similar
> > things from a higher level. The Fed study was a short and
> > simple one, but of
> > all the business sources I have read, still seems the most
> > relevant. The
> > gist of the study was that investment in infrastructure yielded
> > high returns
> > in productivity. The author was reporting on government
> > investment in
> > physical infrastructure such as roads, water treatment, and
> > the like, but a
> > clever student working towards his master's degree while going to
> > night school
> > ran with that theme and wrote a master's thesis which earned him
> > departmental honors.
>
> Was that you? :-) Sounds interesting.
>
> Thanks for commenting on the article. I thought it made some good points.
>
> Priscilla
>
>
> >
> > Anyone in the technology field, whether it be IT Management,
> > Consulting, or
> > even something as seemingly mundane as sales, should ALWAYS be
> > aware of the
> > business value of technology. Over the past 15 years or so it
> > has been
> > technology which has driven productivity.
> >
> > The dark side is that technology changes, and has a way of
> > becoming more
> > appliance like, meaning that what was skilled labor yesterday is
> > out of the
> > box tomorrow. Think about it. All you folks who are AVVID
> > experts and
> > therefore in high demand. How long before AVVID is nothing more
> > than another
> > PBX, and routers self configure for QoS? Think the telco
> > employee who drives
> > the truck and installs your DSL is making 100K? Not likely.
> >
> > So yes - keep your skills up to date, so you don't end up like
> > the guy in
> > the article. My own opinion is that one must always consider
> > the value to
> > business for any skill set one pursues.
> >
> > JMHO
> >
> > NRF - your comments are always welcome on topics such as these.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70860&t=70860
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: STP problem [7:70797]

2003-06-17 Thread Riley
What an interesting scenario!  If I understood your message correctly, the
network picture is something like this:


  Wired Network -Cat-Wireless Network
 |User|

Your problem is that the user is bridging the wired and wireless (and so is
the Cat), which means there are two functioning links (bridges) between the
wireless and wired.

Your real problem is even if you track this user down and beat them severely
with an AP antenna until his MCSE falls on the floor, this problem is going
to repeat itself with the next user who has a similar wired/wireless card.

So...it's a long day and I can't think of the specific commands or
syntax or what I had for lunch, but configure the cat port that the wireless
AP is connected to to make it the root bridge such that it will always beat
the  out of any wanna be bridges, thus ensuring that the rogues block.

Sorry, can't be more specific than this, but my brain is frazzled so right
now, I think STP is something you put in your car...but maybe it will help
with your problem...

HTH anyway,

Charles


""Christopher Dumais""  wrote in message
news:[EMAIL PROTECTED]
> Hi all,
> We are having an STP problem where we think a user with an integrated
> wireless and LAN NIC is creating a bridge loop and bringing down the
entire
> network. The problem occurs then goes away after 20 or so minutes unless
we
> can narrow down which closet it is coming from and reboot the switch. All
of
> our management tools die during the outage. Does anyone have any ideas on
> how we might prevent this from happening or track down the offender? We
have
> 6509's in our Core and a mix of 3548's and 3550-SMI. Any thoughts are
> appreciated. Thanks!
>
> Chris Dumais, CCNP, CNA
> Sr. Network Administrator
> NSS Customer and Desktop Services Team
> Maine Medical Center
> (207)871-6940
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70801&t=70797

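Charles's fix is to make the switch side win the root election so the
user's PC-turned-bridge ends up blocking; Chris also asked how to track the
offender down. On IOS switches the usual way to get both is to lower the
core's bridge priority, enable BPDU guard on access ports (a port that
receives a BPDU is err-disabled) and root guard on uplinks, and then watch
syslog for the resulting messages. The script below is an added example,
not code from the thread or from Cisco: it runs over a constructed syslog
sample whose message formats are assumed from memory, with made-up
hostnames and ports, and ranks the (switch, port) pairs where guard events
fired so the closet to walk to is the first entry.

```python
import re
from collections import Counter

# Constructed syslog sample shaped like IOS spanning-tree messages (formats
# assumed from memory; hostnames, ports and timestamps are made up).
SAMPLE_LOG = """\
<187>Jun 17 09:14:02 closet3-sw1 1234: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/12 with BPDU Guard enabled. Disabling port.
<188>Jun 17 09:14:02 closet3-sw1 1235: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
<187>Jun 17 09:14:05 core-6509 5550: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet3/1 on VLAN0010.
<189>Jun 17 09:14:05 core-6509 5551: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
<187>Jun 17 09:31:40 closet3-sw1 1240: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/12 with BPDU Guard enabled. Disabling port.
<189>Jun 17 09:31:41 core-6509 5560: %SPANTREE-5-TOPOTRAP: Topology Change Trap for vlan 10
"""

# Message ids that mean a bridge showed up on a port where none should be.
ROGUE_MSGS = {"SPANTREE-2-BLOCK_BPDUGUARD", "SPANTREE-2-ROOTGUARD_BLOCK",
              "PM-4-ERR_DISABLE"}

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%(?P<msg>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
# First interface name following "port " or "on " in the message text.
PORT_RE = re.compile(r"\b(?:port|on) ([A-Za-z]+\d+(?:/\d+)+)")
# Long-to-short interface prefixes; order matters (longest match first).
ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi",
          "FastEthernet": "Fa", "Ethernet": "Et"}


def short_port(name):
    """Normalise 'FastEthernet0/12' and 'Fa0/12' to the same key."""
    for long, short in ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_line(line):
    """Split one syslog line into ts/host/msg/text plus the port it names (or None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    pm = PORT_RE.search(ev["text"])
    ev["port"] = short_port(pm.group(1)) if pm else None
    return ev


def rogue_bridge_events(log_text):
    """Events pointing at a port where an unexpected bridge appeared."""
    events = (parse_line(line) for line in log_text.splitlines())
    return [ev for ev in events if ev and ev["msg"] in ROGUE_MSGS]


def suspect_ports(log_text):
    """(switch, port) pairs ranked by guard events; the first entry is the closet to visit."""
    counts = Counter((ev["host"], ev["port"])
                     for ev in rogue_bridge_events(log_text) if ev["port"])
    return counts.most_common()


def topology_changes(log_text):
    """Count topology-change traps; a burst of these is what the outage looks like."""
    total = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["msg"] == "SPANTREE-5-TOPOTRAP":
            total += 1
    return total


if __name__ == "__main__":
    for (host, port), n in suspect_ports(SAMPLE_LOG):
        print(f"{host} {port}: {n} guard event(s)")
    print("topology changes:", topology_changes(SAMPLE_LOG))
```

The ranking only works if the guards are actually configured: without BPDU
guard or root guard the switch silently accepts the PC as a bridge and the
only trace is the topology-change traps, which tell you a loop happened but
not where. Err-disabling the port also stops the loop immediately rather
than waiting the 20 or so minutes Chris describes.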

Re: Quick Pix Question. [7:70145]

2003-06-06 Thread Riley
The counters are not incrementing because the entries are not being matched.
Suspect that the ACL is applied to the wrong interface.  Remember the
direction - in - which means that the access list is applied to traffic
entering a particular interface from their residence on that interface.

For example:

INSIDE - PIX - OUTSIDE

If I want my ACL to filter ICMP traffic originating from the INSIDE network,
I would apply it to the INSIDE interface.  However, if I have to filter ICMP
traffic to my INSIDE network from the OUTSIDE network, I would apply it to
the OUTSIDE interface.

HTH,

Charles

""Paul""  wrote in message
news:[EMAIL PROTECTED]
> Hi all ...
>
> One of my 515's has all its access-list counters set to 0, when I ping for
> instance, the counter for the relevant ICMP access-list does not increment
> ???
>
> How do I turn it on ??? I have searched the Cisco website and my Pix book
> without any luck ??
>
> Kind regards
>
> Paul ...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70198&t=70145


Re: How to trace conversations of Yahoo and Acess to Sex sites [7:70136]

2003-06-05 Thread Charles EEEE Riley
My first question to you is:

Do you have a written security policy governing such actions, along with
consequences and a chain of escalation spelled out?

If not, give it up, as it will rapidly devolve into a did too/did not
discussion, with one of you bursting into tears, which, while funny in the
movies, is not so fun in real life.

That is not to say that you should condone this person's behavior.  Make it
a point to pop into his office, and say, "hey, how's it hanging...whatcha
looking at, pictures of your sister?"  then call other people into the
office, and say very loudly, "hey, look what his sister is doing!".  Point
and giggle at him.

Do that often enough and it'll become an open secret, which is bound to
bring attention to it.

Otherwise, without official sanction and without evidence, you will be
fighting a losing battle.  You can also file a sexual harassment complaint
about it especially if you are exposed to something that offends you or
makes you uncomfortable in the workplace.

Finally, if your boss is so worried, he/she needs to take the initiative and
pursue this if it is that important.  Tell your boss that your hands are
tied without the f/w access, and that you have done as much as you can.

HTH,

Charles




""Tom Martin""  wrote in message
news:[EMAIL PROTECTED]
> Bala Ware,
>
> With all due respect, it seems to me that you have a political problem
> on your hands.  You're dealing with a GM that wants (more or less)
> direct access to the Internet and manages the person(s) responsible for
> managing the firewall.
>
> Of course there's ways to identify what he's doing on the Internet, but
> it sounds as if the GM has enough authority to make this process
> difficult (assuming he finds out) and your job could end up in jeopardy.
>   It may not be fair, but sometimes that's life.
>
> Perhaps your boss should talk to the GM (or his boss).  I'm not sure
> that a technical approach would be appropriate given the situation.
>
> My 2 cents anyway.
>
> - Tom
>
> Mr piyush shah wrote:
> > Hello all
> > I would be highly appreciative if someone would help
> > me. In our organisation there is a new joiner to whom
> > we have provided internet access through a proxy server.
> > However, being slightly technical, he has insistently
> > taken a public IP address and has opened all the ports
> > on the firewall, wherein from his PC to the external world all
> > ports are opened. My boss is worrying whether this
> > chap is utilising this facility for chatting using
> > Yahoo messenger with sex chat rooms as well as
> > accessing many more sex sites. Unfortunately there is no
> > way to trace what he is accessing. I request
> > you to suggest some software which will track what
> > site he is accessing and what conversation he is
> > having.
> > I know that I can load Websense or SurfControl on the
> > f/w, but unfortunately the f/w is being controlled by one
> > of the engineers who reports to the GM. Hence no access
> > to the f/w.
> > I sincerely request you to help me.
> >
> >
> > Regards
> >
> > BALA WARE
> >
> >
> > 
> > Missed your favourite TV serial last night? Try the new, Yahoo! TV.
> >visit http://in.tv.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70136&t=70136


Re: Loosing router config (OT rants) [7:69850]

2003-05-31 Thread Charles EEEE Riley
I feel your pain!  I am sitting here looking at a "correct" configuration
that is not working.  Cisco TAC seems as befuddled as I am.

Why is the PIX so erratic?  This sometimes works, sometimes not, and it is
driving me bonkers!

Whatever you do, do NOT use 6.3 unless there is a specific feature or bug
fix you KNOW that you need.  Nothing but heartache for me since I tried to
upgrade to that piece of...oh, look, a butterfly!

Thanks for the rant opp.

Charles


""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]
> Bruce Enders wrote:
> >
> > What kind of output do you get after  the write mem or copy run
> > start
>
> Wasn't Cisco supposed to deprecate "write mem?" I never learned those
forms
> of the commands because when I first started learning Cisco eight years
ago,
> Cisco said not to bother learning them because they were going away!
>
> Then yesterday I discovered that my new PIX firewall wouldn't take "copy
run
> start?" Or was I making a typo or something? I had to reach into the back
of
> my mind and come up with "write mem" which I thought they were going to
get
> rid of. And I approved of that plan since it's totally non-intuitive. :-)
>
> Speaking of non-intuitive, why DO we put up with the PIX? What a beast. It
> took me all day to get it to do some simple forwarding. The thing is
> expensive, slow, and almost impossible to configure. Why do we put up with
> it? :-) Not being able to do "copy run start" took the cake.
>
> Rantings from a frustrated Cisco fan.
>
> Priscilla
>
>
> > commands? Anything?
> > Also, after you save the config, do a show start to see if the
> > changes
> > have in fact been written to NVRAM. (I suspect the problem is
> > with NVRAM,
> > although I personally have never encountered a write-protected
> > NVRAM on a
> > Cisco router before, but that doesn't mean it can't happen! And
> > your
> > symptoms certainly sound like that is the case)!
> > Since the existing configuration is still there when you
> > reboot, I doubt
> > the problem is with the config-register.
> > I will be interested in what you find,
> > Bruce
> >
> > MADMAN wrote:
> >
> >   That's a good one!  After saving the config do you see the
> > changes
> >   when you do a write term?  What is the platform and the IOS?
> >
> >  Dave
> >
> >   Hitesh Arora wrote:
> >
> > Dear All,
> >
> > I need some expert comments from this group for my problem.
> > The router is
> >
> >   in
> >
> > working condition and 3 links are working fine on this
> > router. Now I need
> >
> >   to
> >
> > do some changes in the router configuration. After changing
> > and saving the
> > configuration, I gave a reboot to the router. But I find,
> > that router is
> > back to the previous old configuration. Why so??
> >
> > I have checked that the config-register setting is set to
> > 0x2102. Sh
> >
> >   Version
> >
> > command also shows me the config-register is set to 0x2102.
> > I have applied
> > the config-register 0x2102 command also to be doubly sure
> > that the router
> >
> >   is
> >
> > picking config from the same register.
> >
> > Pls. help
> >
> > Thanks
> > Hitesh
> >
> >
> > _
> > Got a wish? Make it come true.
> > http://server1.msn.co.in/msnleads/citibankpersonalloan/index.asp
Best
> > personal loans!
> >
> > -- 
> > Bruce Enders
> > Chesapeake Netcraftsmen, LLC   Cell 443-994-0678
> > 1290 Bay Dale Drive #312   HO 410-280-6927
> > Arnold, MD 21012   efax 443-331-0651




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69921&t=69850


HHEEEELLLLPPPP! PIX 515E 6.2: Inside Networks can only reach [7:69757]

2003-05-29 Thread Charles EEEE Riley
Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out.
It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach
inside hosts and outside networks:  it can not reach any host on the DMZ,
despite the fact that there are numerous statics and alias configured to
permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ;  the
10.2.2.1 is its outside address (as well as being its registered DNS name).


If an inside networker DNS queries for SERVERA, the following commands are
supposed to swap the outside address for the DMZ address.  In other words,
intercept the DNS reply and change it so that the inside network will then
establish a session to 10.3.3.1 (dmz address), not to 10.2.2.1 (outside
nat'ed address).

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening:  the inside network DNS
queries are getting outside addresses.

Compounding the problem is the translation process itself.  The below states
that when Inside networks go to the DMZ network, PAT their address to
10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do
not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (DMZ) 1 10.3.3.9 netmask 255.255.255.0


So, in a happy world,  the inside network should DNS query for SERVERA, the
PIX should intercept replies and change to a DMZ address (alias), and NAT
should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know why.
I beseech thee, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake.
I have since downgraded it back to 6.2, and have checked and rechecked the
config...there are no commands missing.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69757&t=69757


PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]

2003-05-29 Thread Charles EEEE Riley
Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out.
It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach
inside hosts and outside networks:  it can not reach any host on the DMZ,
despite the fact that there are numerous statics and alias configured to
permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ;  the
10.2.2.1 is its outside address (as well as being its registered DNS name).


If an inside networker DNS queries for SERVERA, the following commands are
supposed to swap the outside address for the DMZ address.  In other words,
intercept the DNS reply and change it so that the inside network will then
establish a session to 10.3.3.1 (dmz address), not to 10.2.2.1 (outside
nat'ed address).

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening:  the inside network DNS
queries are getting outside addresses.

Compounding the problem is the translation process itself.  The below states
that when Inside networks go to the DMZ network, PAT their address to
10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do
not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (DMZ) 1 10.3.3.9 netmask 255.255.255.0


So, in a happy world,  the inside network should DNS query for SERVERA, the
PIX should intercept replies and change to a DMZ address (alias), and NAT
should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know why.
I beseech thee, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake.
I have since downgraded it back to 6.2, and have checked and rechecked the
config...there are no commands missing.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69756&t=69756


HHEEEELLLLPPPP! PIX 515E 6.2: Inside Networks can only reach [7:69759]

2003-05-29 Thread Charles EEEE Riley
Sorry if you get this twice or thrice...problem with outlook and dates...

Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out.
It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach
inside hosts and outside networks:  it can not reach any host on the DMZ,
despite the fact that there are numerous statics and alias configured to
permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ;  the
10.2.2.1 is its outside address (as well as being its registered DNS name).


If an inside networker DNS queries for SERVERA, the following commands are
supposed to swap the outside address for the DMZ address.  In other words,
intercept the DNS reply and change it so that the inside network will then
establish a session to 10.3.3.1 (dmz address), not to 10.2.2.1 (outside
nat'ed address).

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening:  the inside network DNS
queries are getting outside addresses.

Compounding the problem is the translation process itself.  The below states
that when Inside networks go to the DMZ network, PAT their address to
10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do
not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (DMZ) 1 10.3.3.9 netmask 255.255.255.0


So, in a happy world,  the inside network should DNS query for SERVERA, the
PIX should intercept replies and change to a DMZ address (alias), and NAT
should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know why.
I beseech thee, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake.
I have since downgraded it back to 6.2, and have checked and rechecked the
config...there are no commands missing.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69759&t=69759

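The alias commands in the PIX posts above are meant to rewrite the A record
in a DNS reply as it crosses the firewall, so an inside client that asks for
ServerA gets the DMZ address 10.3.3.1 instead of the outside address
10.2.2.1. The Python below is an added example that models that rewrite on
a constructed DNS reply; it is not PIX code and not from the thread. The
host name servera.example.com, the packet builder and the function names
are illustrations chosen here. It is useful as a reference for what a
correctly working alias should produce: capture the reply an inside host
actually receives and compare the answer address with what this model
returns for the same reply.

```python
import struct

# Addresses from the thread: ServerA's outside (NATed) address and the DMZ
# address inside clients should really connect to.
SERVERA_OUTSIDE = "10.2.2.1"
SERVERA_DMZ = "10.3.3.1"
# Equivalent of "alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255":
# an answer of 10.2.2.1 seen by an inside client becomes 10.3.3.1.
ALIAS_TABLE = {SERVERA_OUTSIDE: SERVERA_DMZ}


def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def _skip_name(pkt, off):
    """Return the offset just past a DNS name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def build_a_reply(qname, addr, txid=0x1234):
    """Build a minimal DNS reply with one A record (constructed test input)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = name + struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    # Answer name is a pointer to offset 12 (the question name), TTL 300, 4 bytes of RDATA.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip_bytes(addr)
    return header + question + rr


def a_records(pkt):
    """Yield (rdata_offset, address) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off, _ip_str(pkt[off:off + 4])
        off += rdlen


def doctor_reply(pkt, alias_table):
    """Rewrite A answers per alias_table; returns (new_packet, [(old, new), ...])."""
    out = bytearray(pkt)
    changes = []
    for off, addr in a_records(pkt):
        if addr in alias_table:
            out[off:off + 4] = _ip_bytes(alias_table[addr])
            changes.append((addr, alias_table[addr]))
    return bytes(out), changes


def answers(pkt):
    """The A-record addresses a client would see in this reply."""
    return [addr for _off, addr in a_records(pkt)]


if __name__ == "__main__":
    reply = build_a_reply("servera.example.com", SERVERA_OUTSIDE)
    doctored, changes = doctor_reply(reply, ALIAS_TABLE)
    print("before:", answers(reply), "after:", answers(doctored), changes)
```

Only the four RDATA bytes change, so the packet length and the UDP payload
layout are untouched; that is also why the alias only ever affects A
records, and a client that resolves ServerA through a name the alias does
not cover, or that caches an earlier unrewritten answer, will still try
10.2.2.1.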

Putting my rack online [7:65214]

2003-03-12 Thread Charles EEEE Riley
Hi, all,

Does anyone have a template or configuration I can use to put my rack
online? At this point, this is for me and my colleagues personally, not
looking at selling time on it anytime soon.  I figured I would ask the group
for a design or template and see if I can avoid reinventing the wheel.

Basically, I'd like to set up a Linux box with friendly web page for
scheduling, turn the rack on and off (apc9211 power switch), and other
features.  The users would schedule their time, which configures the console
router to open up the access list for their account, and from there,
straight sessions to each router.

I am not asking for much, am I?



TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65214&t=65214


Re: VPN Client behind PIX [7:64358]

2003-03-04 Thread Charles Riley
You may be able to avoid throwing a VPN concentrator into the mix just yet.

Need more information before this can be answered, but it could be that the
source address of your home system is being NATed, which can interfere with
IPsec.  It could be that your Pix is blocking.

Before you tear into your Pix's configuration, take it out of the equation
and ensure that you can establish the VPN as you did before you installed
the Pix.  If successful, then put your Pix back into the mix.  Check a few
things:

1. are you translating the VPN client's source IP address?

2. are you permitting IPsec traffic to pass untranslated?

3.  are IPsec responses permitted to return to your VPN client?

4. Does the Pix at work only accept IPsec from specific addresses?

Obviously, since the work Pix and your VPN client did not change, the
problem lies with the configuration of the Pix you have at home.


HTH,

Charles



""Kevin O'Gilvie""  wrote in message
news:[EMAIL PROTECTED]
> You have to do a IPSEC tunnel from Pix to Pix or Purchase VPN
Concentrator.
> I have the same issue.
>
>
>
>
>
>
>
> >From: "Steve Smith"
> >Reply-To: "Steve Smith"
> >To: [EMAIL PROTECTED]
> >Subject: VPN Client behind PIX [7:64358]
> >Date: Tue, 4 Mar 2003 16:15:21 GMT
> >
> >OK gang here is the scenario. We have a PIX at work running VPN. I have
> >a 515 at home. Before I put the 515 at home in I could use the VPN
> >client to connect to work. Now I can not. I remember a year or so back
> >reading a Cisco article about this and that you had to use a certain IP
> >range on the remote (my house) network. Does anyone know anything about
> >this? Any suggestions?
> >
> >Thanks!
> >
> >Steve Smith
> >Enterprise Engineer
> >901-758-8179 ext. 108
> >TEKSELL
> >[EMAIL PROTECTED]
> _
> Protect your PC - get McAfee.com VirusScan Online
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64376&t=64358


Re: Log files Pix & Chkpnt [7:63646]

2003-02-24 Thread Charles Riley
Try www.micromuse.com or logboss at
http://www.securityprofiling.com/logboss.htm.


HTH,

Charles


 wrote in message
news:[EMAIL PROTECTED]
> Does anyone know of a product that will merge log files from multiple
> sources  Snort, PIX, Checkpoint, etc...?
>
> I'm trying to centralize much of our security management responsibilities.
>
> Thanx,
> Mike J.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63649&t=63646


Re: Re: Snort versus Cisco IDS [7:62939]

2003-02-13 Thread Charles Riley
There are also some very nice prebuilt Snort sensors with a GUI from the
following vendors.

www.sourcefire.com
www.silicondefense.com
www.packetalarm.com


I have had the opportunity to evaluate and configure products from all
three, and they have done an excellent job of bringing Snort to the masses.
Basically, the sensors have a hardened OS (Linux or Solaris) with a creamy
GUI wrapped around it...and of course, Snort in all its glory.  And, no, I
don't get a commission from any of the above...


HTH,

Charles


""Craig Columbus""  wrote in message
news:[EMAIL PROTECTED]
> Having installed and worked with both products, I think that Cisco's
> offering is more comprehensive, but Snort is highly reliable and much
> cheaper.
> It doesn't have some of the features of the Cisco product (dynamic
> shunning), but for most small to medium sized businesses (like the kind I
> work with daily), Snort is more than sufficient given the cost.
> On average, I can install a Snort sensor on dedicated hardware and FreeBSD
> for approximately $1000.  A single Cisco 4210 sensor install costs me
about
> $5600.  If I need to scale to Gbit capability, I can install a Snort
sensor
> for approx. $5000, compared to $18K for a Cisco 4250.
>
> In summary, they're both decent products.  If you need a comprehensive
> system for large enterprise, then Cisco certainly has the edge over
> Snort...at least until you start talking about hardware-based, customized
> snort like that from Silicon Defense.  If you just need a solid IDS for
> small business and don't want to spend a ton of cash, then Snort is a
great
> alternative and is usually my first recommendation.
>
>
> At 05:06 AM 2/13/2003 +, you wrote:
> >Someone told me in an authoritative voice today that Cisco doesn't
recommend
> >their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a
> >big part of SAFE?
> >
> >Of course, the person who said this doesn't understand that Cisco is a
huge,
> >chaotic organism, and that saying Cisco does something based on what one
> >person does, doesn't make sense.
> >
> >But I'm just curious, what do you all recommend for intrusion detection?
How
> >do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> >complicated, requiring appliances or IDS cards in a switch and a console:
> >
> >Cisco Secure IDS Director - HP OpenView Network Node Manager "plug-in" that
> >runs on UNIX (Solaris and HP-UX)
> >
> >Cisco Secure Policy Manager (v2.2+) - Windows NT-based package
> >
> >Thanks.
> >
> >Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62971&t=62939



Re: New Instructor Experiences [7:62826]

2003-02-11 Thread Charles Riley
John,

Sounds like you had what I call a "Floating Talking Head" experience.  It's
happened to me before.

Basically, you are in the middle of teaching, presenting, or briefing, and
you experience a trippy sensation of almost being outside yourself.  As you
talk, your self awareness gets distorted, and you become very aware that you
are forming sounds with your mouth.  You are like "whoa!  I am talking about
stuff!  To people!  Whoa!"  This of course messes up whatever it was you
were trying to say, or you speed up, or get goofy.

There is no cure, though some professors try leather elbow patches and a
pipe.  Best just get some cookies and coffee and chalk it up.   Tomorrow, if
I were you, I'd review what you were covering when you experienced FTH just
to ensure that your students are on the same sheet of music.

HTH,

Charles






"John Neiberger" wrote in message
news:[EMAIL PROTECTED]...
> I just feel the need to rant/vent for a bit and I knew there were a
> bunch of you who might be able to relate to this.  I've started teaching
> a short, one-session general networking class for some of the people
> here at the bank.  The first session, which was really just a run-through
> with a handful of students, went fairly well.  In fact, it went so well
> that they increased the number of overall attendees to about 60 or so.
>
> Last week I had another session that went exceptionally well, except
> for a couple of students who really didn't want to be there.  I couldn't
> have asked for it to go better, and my boss heard lots of good things
> about it.  One person even said I should be a professor!  :-)  Now, that
> brings us to today
>
> Today I had an afternoon class, and in my opinion it sucked rotten
> eggs.  I feel embarrassed to have been involved with it.I can't
> think of too many ways in which it could have gone worse.  I rambled, I
> flew through 2.5 hours of material in about an hour, I lost my place a
> lot.  I'm not certain that I ever formed a train of thought longer than
> a couple of cars, and I think even those trains were without engine and
> caboose.
>
> Have any of you other instructors had days like that?  As I even
> mentioned in class, I felt like my 'explainer' was broken today, and it
> certainly was.  I'm hoping that I could get some sympathy from other
> instructors with similar experiences.
>
> Okay, I'm going to go drown my disappointment in some coffee!
>
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62829&t=62826



Re: Checkpoint NG trial licence needed [7:62823]

2003-02-11 Thread Charles Riley
Chris,

Got this off of www.firewall-1.org; not exactly what you are looking for,
but at least you can play with the GUI until CP comes through:

You need an eval licence to have a fully functional product for 30 days. But
if what you want is to see the GUI interface (not functional at all), you
can download the GUI, install it on a Windows Machine, and set the server as
"*local". The SMART Dashboard (formerly known as Policy Editor) will open
with a demo configuration.


HTH,

Charles



"Chris" wrote in message
news:[EMAIL PROTECTED]...
> Hi all
>
> I know it's OT but I hope some of you have a clue for this. Where can I
> get a trial license for Checkpoint NG? I already asked this
> question on their news site but no answer (it was the second posting).
> I don't understand how you can get certified unless you take the training.
>
> Thank you in advance
> Chris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62827&t=62823



Re: CCIE Lab - I have seen the future and it is.... [7:62776]

2003-02-11 Thread Charles Riley
Thanks to all who wrote in.  My Kafkaesque post yesterday apparently touched
a chord (or nerve) with several folks.  I was hoping to start an OT
discussion on those Dippin' Dots ice cream, and draw analogies to
networking.  Heck, I would even settle for Howard asking a variation of his
favorite question:  "what is the ice cream you are trying to eat?"

In all seriousness, I haven't abandoned all hope yet; it has just lessened
in importance and intensity for me. In response to CN's question, I have
attempted the lab at least once, in Brussels, way back when the lab was a two
day lab, and the numbers were still quad digits. Without violating the NDA,
let's just say that I will never forgive ISDN for what it did to me.

As far as my motives for CCIE chasing, the main reason I am persisting is
that not only have I invested time, money, and freeze dried ice cream, but
the CCIE quest motivates me to study topics that I don't necessarily deal
with on a daily basis, and to practice exotic configurations with those that
I do.  OSPF through a GRE tunnel over an ISDN DBU to the Dippin' Dots
website, anyone?

Thanks,

Charles







"Cisco Nuts" wrote in message
news:[EMAIL PROTECTED]...
> Hello Charles,
>
> With due respect I ask, why did you abandon your quest for the CCIE? I am
> curious as to how many times you actually hit the Lab?
>
> Sincerely,
>
> CN
>

Re: CCIE Lab - I have seen the future and it is.... [7:62776]

2003-02-10 Thread Charles Riley
Chuck,

Your post reminds me of those weird little ice cream stands that I sometimes
see at the mall and various carnivals.  It's called something like "Dipping
Dots - The Ice Cream of the Future".  The initial human instinct is much
like the Cro-Magnon humanoids encountering the monolith  at the beginning of
2001: A Space Odyssey (sp):  jump up and down with excitement until you
realize it's just freeze dried ice cream.

Rounding out that analogy, the CCIE of the future will probably be reduced
to being the CCNP of today.  Regardless, I have spent too much time and
money to abandon the quest for CCIE now, but frankly, if I hadn't invested
as much as I have, I would most likely abandon the quest in favor of
broadening into other areas.  I really don't see much market value for the
CCIE anymore, especially with Cisco hellbent on making it a meatgrinding
cash cow. Your java console and "one way only to configure" experience kind
of bears this out.

Sorry for the depressing post, just wanted to share.

Charles





"The Long and Winding Road" wrote in
message news:[EMAIL PROTECTED]...
> Been spending this weekend on what was once the Cisco Advanced SE Training
> ( ASET ) set of labs. These are available for those whose Cisco account
> team approves - there are a few conditions which can be found in the wee
> places of certification training.
>
> The program is run by Lab Gear ( the only link I have is www.labgear.net,
> but this is a login page ). There are a number of labs of CCIE level, look,
> and feel.
>
> Supposed to be real equipment, but the access is via java script windows,
> not terminal emulation. This makes for some interesting situations. The
> windows show or provide output only when they are active. So if you had
> two router sessions open, and you made changes on one router that would
> generate system messages of one sort or another, you would not see those
> messages on the other. Also, I have yet to find a way to generate output
> from debugging commands. Things like term mon and logging of one kind or
> another have not been successful. So no debug ip routing and debug ip ospf
> adj.
>
> As with the real lab, there are a series of tasks to be completed. Grading
> is done via a script.  This is the point of most interest. Actually, I
> suspect a lot of the current CCIE Lab grading is done using scripting
> tools. I believe the proctors still physically examine equipment
> configurations for some things, but I could be wrong.
>
> It is of interest because to judge from the script outputs I am seeing,
> there appears to be an assumption that there is one and only one way to do
> things. I'm not sure this is always true. I am not sure that this results
> in an entirely accurate grade.
>
> But more importantly, given my experience with the java consoles and the
> manner in which these labs must be done, I am not sure I like where this
> is headed. Something Brian Dennis and Brad Ellis and some other people
> started talking about back when the CCIE Lab went from two days to one -
> something about the longer term goal being to do the test remotely, and
> having people show up at Sylvan or some other testing center and log in
> remotely.
>
> If the Lab Gear approach is any indication, this is not ready for real
> live testing. I experienced far too many problems with terminal
> ( javascript ) sessions disconnecting mysteriously. With 8 open windows, it
> sometimes got to be very hard to find the session ( router ) I was looking
> for. Cut and paste is a real pain. You have to open a "scratchpad" window,
> which is associated with the javascript console window. Cutting and pasting
> is done to this window. There are scratchpad windows associated with each
> java window, so if you had a scratchpad open for every router session, that
> makes for a LOT of junk to fight your way through looking for what you
> want. Then there is the problem of actually moving what you want to copy
> and paste. Highlight and control c control v or alt e paste don't work. You
> have to click on buttons on the java consoles to copy to and from routers.
>
> Beyond that, there is the problem of whether or not the "script" answer
> is the right answer. For example, in one lab, a particular instruction
> requires that the rip routers on a particular segment have to use the
> neighbor statement to see each other ( and prevent other routers on that
> segment from joining into the RIP domain ). Well, the problem is, one of
> those routers is connected to another RIP router via a different interface.
> Need a neighbor statement there too, but the script does not cover this,
> nor does the answer configuration show this.
>
> Anyway, I have seen the future, and the CCIE Lab future looks like it may
> be heading to these kinds of remote lab settings.
>
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62776&t=62776

Re: PIX firewall simultaneous connections [7:62575]

2003-02-06 Thread Charles Riley
I believe that if you check the Cisco website or documentation, you will see
that it defines a session as a single TCP or UDP connection.  If somehow you
had 2M users, yet their total number of sessions never exceeded 500K, then
your firewall could handle 2M users.  I am not addressing performance at all
here.

Realistically, though, your users are going to have any number of sessions
established as they read their email, check the web, download files, and so
on.  It's possible that your 500K PIX firewall might only be able to handle
about 5K or 50K of your users if they are the kind of users to keep hundreds
or thousands of sessions going at once.

HTH,

Charles


"Kenan Ahmed Siddiqi" wrote in message
news:[EMAIL PROTECTED]...
> Hello groupies,
> I was reading the PIX book and it apparently said that the no. of
> connections supported by a PIX firewall (higher order) is 500,000. Does
> this mean that up to 500,000 sessions can be established or something else?
> If so, what do I do if I have a throughput of say 2 million users? Thanks
> in adv.
>
> Cheers,
>
> Kenan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62578&t=62575



Re: what the h... - strange problem - MORE INFO [7:62184]

2003-01-30 Thread Charles Riley
Thanks to all who have responded and requested more information.  Below is a
more embellished picture:

  "Internet"-BIG_ROUTER-FR-2500HUB---AS5300---D/U Users

We are the ISP, in this case, which is why I can say no content filtering is
occurring.  We have several of these small POPs in the region, all of them
going to BIG_ROUTER at a central location.  BIG_ROUTER and its trusty
configuration are not suspects at this point because the other POPs
connected to it have no problem.  In fact, if users dial into the POPs of
nearby towns, they do not have this problem.  This problem was brought to my
attention about a week before the slammer attacks occurred.

The downloads are via HTTP and FTP;  the results are the same.  The problems
occur with any server on the Internet.  This morning, a user just informed
me that he can no longer download .img files.  He also told me that he logs
attack traffic, and is seeing a lot of scans and attempts against ports 137
(and sometimes 139) on his box.

I don't think our FR provider is the problem since FR stops at Layer 2 and
won't/can't distinguish between .zip and .gz files.  I am thinking that
perhaps there is a workstation or server connected to the hub that may be
proxying or intercepting .zip and .exe requests?   Sam's suggestion of
sniffing is a good one, and will probably be my next step as it's been a
while since this POP LAN had its health checked.

Troubleshooting continues!

Charles



"Priscilla Oppenheimer" wrote in message
news:[EMAIL PROTECTED]...
> Consider your OSI layers. :-) A hub problem is very unlikely to cause such
> an issue. A generic router wouldn't either. This definitely seems like a
> Layer 7 problem.
>
> Someone is filtering on .exe and .zip. They just weren't smart enough to
> think about the UNIX and Mac equivalents. This could be an Intrusion
> Detection System or some sort of smart firewall.
>
> How are they downloading these? E-mail attachments maybe? Not letting
> users download .exe files via e-mail attachments might make a lot of sense
> as an e-mail server configuration.
>
> Anyway, start looking at Layer 7 and above (politics, policies). Question
> your Internet provider!
>
> Priscilla
>

Re: what the h... - strange problem - Cisco doesn't like [7:62148]

2003-01-29 Thread Charles Riley
Sorry, should have mentioned.  I get the same result whether the user system
is UNIX, Mac, or Windows...it plays havoc with .exe and .zip.

That is a good suggestion, though, about the sniffer...that is about the
only thing I haven't tried yet.  The Kmart bluelight special hub is making
me a little suspicious...

Thanks,

Charles

"Sam Sneed" wrote in message
news:[EMAIL PROTECTED]...
> load a packet sniffer on the laptop and see what really happens. If you
> don't have one I know of a good free one. You install libpcap first,
> reboot and then install analyzer.
>
> http://winpcap.polito.it/install/default.htm
> http://analyzer.polito.it/install/default.htm
>
> Then you can see if the packets are coming back to you and if windows is
> dropping them for some reason.
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62148&t=62148



Re: wireless [7:62104]

2003-01-29 Thread Charles Riley
John,

It's a little dated, but a lot of folks like 802.11 Wireless Networks: The
Definitive Guide (O'Reilly Networking) (Matthew S. Gast).  I have that book
and it provides some very good detail on A and B, but little on G, which was
just emerging as the book went to press.

The URL below is an excellent starting point for info:

http://www.drizzle.com/~aboba/IEEE/

HTH,

Charles



"John Hutchison" wrote in message
news:[EMAIL PROTECTED]...
> I'm navigating the Cisco site as well as whatever google comes up with,
> but I'm having a very difficult time finding any decent reference material
> for 802.11. I work for an ISP and unfortunately, we've been left in a
> position of not having anyone left who's well versed in wireless access. We
> have several towers and many wireless customers and as things fell, I'm the
> one in charge of taking care of these customers. I am looking for a good,
> full understanding of wireless. We use breezecom and cisco equipment. Any
> URL or book references would be greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62145&t=62104



what the h... - strange problem - Cisco doesn't like Windows? [7:62144]

2003-01-29 Thread Charles Riley
I ran across a strange problem with one of our POPs the other day, and am in
the process of researching/troubleshooting it.  We have a configuration
something like this:


   "Internet"---2500---AS5300---D/U Users

Not shown is a LAN connected to the 2nd Ethernet on the 2500.  All
connections to the shared Ethernet are via a Kmart bluelight special hub.
The connection to the Internet is a T-1 FR. Neither the 2500 nor the T-1 is
anywhere close to being overloaded.

We are not doing any content filtering, nor have any access lists been
applied, nor are any sites blocked.

The connection works great...email, web browsing, etc.  all work just fine.
The only problem is that users can only download UNIX and Mac flavored
files, but not anything that smacks of Windows.  For example, they can
download the .gz/tar and .sft files for a SSH client, but can not
download its .exe or .zip counterpart for Windows!  Take the same .exe and
.zip file, and rename it with a UNIX or Mac filename extension, and you can
download it.

Surprisingly enough, the problem does not lie with the users.  I took a
"clean" laptop to the site, and encountered the same results.

Has anyone ever experienced a problem like this?  Could this be a bug in the
IOS on the 2500?  Any suggestions would be welcome.


TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62144&t=62144



Re: Help with pix firewall logging [7:61902]

2003-01-26 Thread Charles Riley
It may be that no alerts at the "warnings" level have occurred.  Try setting
it at a high level such as 6 or 7 (which pretty much logs everything).   Once
you have ascertained that logging between the PIX and syslog server is
working, then restore it back to the warnings level.

HTH,

Charles

"Elijah Savage III" wrote in message
news:[EMAIL PROTECTED]...
> All,
>
>
>
> I have a pix running 6.2 it is logging to a freebsd server on the local
> network. It was logging at one time to syslog no problem but all of a
> sudden it stopped and I can't get it working. Here is the logging config
> I turned up logging to see if it would help and nothing. Yes I am sure
> syslog is running on the box if I do a tcpdump on the freebsd server I
> see nothing coming from the pix.
>
>
>
> logging on
> logging timestamp
> logging trap warnings
> logging history debugging
> logging facility 23
> logging host inside 192.168.11.254




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61923&t=61902



Re: Cisco VPN Client 4.0 -- BETA [7:61589]

2003-01-22 Thread Charles Riley
Robert,

What new features does it have,and what problems will it solve?

TIA,

Charles

"Robert Raver" wrote in message
news:[EMAIL PROTECTED]...
> Hey,
>
> For all those interested the 4.0 VPN Client(BETA) will be in March/April.
> This VPN Client is totally rebuilt and has some very nice new features.
> Thought I would just let everyone know.
>
> Thanks,
> Robert Raver




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61602&t=61589



Re: OT well, sort of - IDS [7:61523]

2003-01-21 Thread charles riley
I like the various SNORT products...non-proprietary (or as close as this
field gets).

SNORT looks good (www.snort.org)

And if you don't have time to build your own, try:

www.sourcfire.com
www.silicondefense.com

Heck, even Packet Alarm may be an option, though you will not find any
contact information for them, which could speak volumes for their post sale
support philosophy:

www.packetalarm.com

The ISS IDS product is "SNORT compatible" meaning SNORT rules can be used on
it.

http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=ISS&oid=20602

HTH,

Charles



"Symon Thurlow" wrote in message
news:[EMAIL PROTECTED]...
> Hi all,
>
> Just looking for a heads up with regards to IDS in a Cisco PIX
> environment, ie, what works, what doesn't, and good resources online to
> read etc.
>
> TIA
>
> Symon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61535&t=61523



Re: OT: Making data centers HIPAA compliant - what is required [7:61462]

2003-01-21 Thread Charles Riley
Howard,

Thanks for the reply, you have helped me to narrow my focus to rendering the
data center "HIPAA compliant".  Do you have any pointers or URLs that you
can share to any checklists, policies, requirements, etc. for making a data
center compliant?


TIA,

Charles


"Howard C. Berkowitz" wrote in message
news:[EMAIL PROTECTED]...
> At 5:23 PM + 1/20/03, Charles Riley wrote:
> >Sorry for the OT post, but have searched high and low, and no definite
> >answer in sight. Really, really apologize for the nontechnical nature of
> >this post, but I have reached a wall after searching all over for an
> >answer. I guess you could say that I am "ill" with searching...
> >
> >HIPAA is a medical information protection and privacy act passed by
> >Congress in 1996.  The deadline for complying or getting an extension is
> >this year.  You'll probably see more and more requests like mine as the
> >year goes by, so I figured I'd start things off.
> >
> >HIPAA is currently in a state of flux as far as implementation and
> >enforcement is concerned, as many medical professionals and organizations
> >rush to comply.  Which brings me to my question...
> >
> >In my searches, I see several organizations trumpeting the fact their
> >data centers are "HIPAA certified", meaning that they are cleared to
> >process, store, or otherwise handle medical and private info.
>
> There is no such thing as HIPAA certification, and I do work
> extensively with medical systems.  The best anyone could say is
> "HIPAA compliant", which has fairly established parallels in the
> telephony world, where it is possible to get NEBS certification, but
> extremely expensive and applicable only to one configuration (much as
> was NSA Orange Book certification)
>
> Reputable vendors mean something when they say NEBS compliant, but
> there is much more track record in telephony than in medical
> informatics.
>
> Indeed, there are additional regulations besides HIPAA that may
> become relevant, including 21CFR11 (primarily about human subject
> research), CLIA laboratory accreditation and the DEA regulations for
> electronic prescribing of controlled substances.  All of these do
> include technical, as well as procedural, requirements.  For example,
> DEA specifies the digital signature algorithms and keys, but also has
> requirements for time synchronization to be used on message
> authenticators and events logged.
>
> >How is it possible to
> >achieve this certification when there does not seem to be any standards or
> >processes from the U.S. government detailing what will earn the
> >certification?
>
> Again, there isn't.  If an industry group were to get together and
> try to set procedures for doing this, there is an umbrella
> administrative organization that might help -- the National Voluntary
> Laboratory Accreditation Program (NVLAP), which has probably been
> renamed in the normal course of events.
>
> >Does having a couple of tape drives on a server behind a firewall with
> >restricted access qualify a data center to be "HIPAA Compliant"?
>
> If that firewall is connected to the Internet, no.  There are
> specific HIPAA guidelines that would call for 128-bit DES outside the
> firewall.  At present, HIPAA does allow cleartext on dedicated or FR
> facilities, but it appears that an encryption requirement will evolve
> because things like DEA require it.
>
> >Is there a
> >checklist, policy, standard, or procedure for certification required by
> >the U.S. government that I missed in my searches?  If so, I would
> >appreciate getting the links to such information.
>
> They exist in many places; I've got loads of things that I've
> collected for consulting clients.  You have to be selective in what
> you are looking for; I'm sure I don't have everything.  For example,
> there are checklists for design and review of human research, but I
> only scanned those, because my client was concerned with the related
> but separate problem of patient recruitment for clinical trials.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61462&t=61462
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: OT: Making data centers HIPAA compliant - what is [7:61396]

2003-01-20 Thread Charles Riley
Thanks to Priscilla,  I think the below may be what I was looking for...more
reading before I make a final determination.

http://aspe.hhs.gov/admnsimp/nprm/seclist.htm

Thanks!

"Priscilla Oppenheimer" wrote in message
news:[EMAIL PROTECTED]...
> Charles Riley wrote:
> >
> > Sorry for the OT post, but have searched high and low, and no
>
> No problem. I don't think it's really OT. HIPAA is going to have a big
> effect on many data networks.
>
> I'm surprised that you say there isn't information available on how to
> become HIPAA compliant. There's a lot, isn't there? If companies are saying
> that they are HIPAA certified, that's a bit of a misnomer. I don't think
> there's any certification, but there is compliance info available.
>
> Did you check these links:
>
> http://www.hipaadvisory.com/
>
> http://aspe.hhs.gov/admnsimp/
>
> http://www.cms.hhs.gov/hipaa/
>
> http://www.hipaa.org/
>
> I wonder if you could hire a consultant to help you wade through all the
> regulations and confusing info from the government. Hopefully some consultants
> will specialize in this.
>
> Priscilla
>
> > definite answer in sight. Really, really apologize for the nontechnical
> > nature of this post, but I have reached a wall after searching all over
> > for an answer. I guess you could say that I am "ill" with searching...
> >
> > HIPAA is a medical information protection and privacy act passed by
> > Congress in 1996.  The deadline for complying or getting an extension is
> > this year.  You'll probably see more and more requests like mine as the
> > year goes by, so I figured I'd start things off.
> >
> > HIPAA is currently in a state of flux as far as implementation and
> > enforcement is concerned, as many medical professionals and organizations
> > rush to comply.  Which brings me to my question...
> >
> > In my searches, I see several organizations trumpeting the fact their data
> > centers are "HIPAA certified", meaning that they are cleared to process,
> > store, or otherwise handle medical and private info.   How is it possible
> > to achieve this certification when there does not seem to be any standards
> > or processes from the U.S. government detailing what will earn the
> > certification?
> >
> > Does having a couple of tape drives on a server behind a firewall with
> > restricted access qualify a data center to be "HIPAA Compliant"?  Is there
> > a checklist, policy, standard, or procedure for certification required by
> > the U.S. government that I missed in my searches?  If so, I would
> > appreciate getting the links to such information.
> >
> > TIA,
> >
> > Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61396&t=61396



Re: OT: Making data centers HIPAA compliant - what is [7:61395]

2003-01-20 Thread Charles Riley
Priscilla,

Thank you for the reply.  I had actually already checked most of these sites
here.  There is a great focus on getting the providers into compliance, but
very little information about certifying the networks, servers, storage
devices, and other infrastructure used to support the creation, transport,
and sharing of medical information...very very very very little.   The most
I have found is a brief paragraph about ensuring that software complies (and
no checklist for that either.)

In thinking about this, I would not only need a checklist, but applicable
clauses, sub clauses, etc. of the actual HIPAA to comply with.  In other
words, I need to go back and major in law, or do as you suggest and locate a
HIPAA tech specialist, and hope I get one that knows what they are doing.

Given all the confusion right now,  I wonder if those companies touting
their data centers as "HIPAA compliant" are doing the equivalent of
individuals putting "CCIE Written" on their resumes?

Charles


"Priscilla Oppenheimer" wrote in message
news:[EMAIL PROTECTED]...
> Charles Riley wrote:
> >
> > Sorry for the OT post, but have searched high and low, and no
>
> No problem. I don't think it's really OT. HIPAA is going to have a big
> effect on many data networks.
>
> I'm surprised that you say there isn't information available on how to
> become HIPAA compliant. There's a lot, isn't there? If companies are saying
> that they are HIPAA certified, that's a bit of a misnomer. I don't think
> there's any certification, but there is compliance info available.
>
> Did you check these links:
>
> http://www.hipaadvisory.com/
>
> http://aspe.hhs.gov/admnsimp/
>
> http://www.cms.hhs.gov/hipaa/
>
> http://www.hipaa.org/
>
> I wonder if you could hire a consultant to help you wade through all the
> regulations and confusing info from the government. Hopefully some consultants
> will specialize in this.
>
> Priscilla
>
> > definite answer in sight. Really, really apologize for the nontechnical
> > nature of this post, but I have reached a wall after searching all over
> > for an answer. I guess you could say that I am "ill" with searching...
> >
> > HIPAA is a medical information protection and privacy act passed by
> > Congress in 1996.  The deadline for complying or getting an extension is
> > this year.  You'll probably see more and more requests like mine as the
> > year goes by, so I figured I'd start things off.
> >
> > HIPAA is currently in a state of flux as far as implementation and
> > enforcement is concerned, as many medical professionals and organizations
> > rush to comply.  Which brings me to my question...
> >
> > In my searches, I see several organizations trumpeting the fact their data
> > centers are "HIPAA certified", meaning that they are cleared to process,
> > store, or otherwise handle medical and private info.   How is it possible
> > to achieve this certification when there does not seem to be any standards
> > or processes from the U.S. government detailing what will earn the
> > certification?
> >
> > Does having a couple of tape drives on a server behind a firewall with
> > restricted access qualify a data center to be "HIPAA Compliant"?  Is there
> > a checklist, policy, standard, or procedure for certification required by
> > the U.S. government that I missed in my searches?  If so, I would
> > appreciate getting the links to such information.
> >
> > TIA,
> >
> > Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61395&t=61395



OT: Making data centers HIPAA compliant - what is required - [7:61383]

2003-01-20 Thread Charles Riley
Sorry for the OT post, but have searched high and low, and no definite
answer in sight. Really, really apologize for the nontechnical nature of
this post, but I have reached a wall after searching all over for an answer.
I guess you could say that I am "ill" with searching...

HIPAA is a medical information protection and privacy act passed by
Congress in 1996.  The deadline for complying or getting an extension is
this year.  You'll probably see more and more requests like mine as the year
goes by, so I figured I'd start things off.

HIPAA is currently in a state of flux as far as implementation and
enforcement is concerned, as many medical professionals and organizations
rush to comply.  Which brings me to my question...

In my searches, I see several organizations trumpeting the fact their data
centers are "HIPAA certified", meaning that they are cleared to process,
store, or otherwise handle medical and private info.   How is it possible to
achieve this certification when there does not seem to be any standards or
processes from the U.S. government detailing what will earn the
certification?

Does having a couple of tape drives on a server behind a firewall with
restricted access qualify a data center to be "HIPAA Compliant"?  Is there a
checklist, policy, standard, or procedure for certification required by the
U.S. government that I missed in my searches?  If so, I would appreciate
getting the links to such information.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61383&t=61383



Re: Off Topic: Re: Profession Cert or PhD!!! [7:60385]

2003-01-05 Thread charles riley
Please, kill this thread.  It is contributing highly to bandwidth waste.  If
you love Cisco and networking, get your CCIE.  If you love academia over
everything else, get your Ph.D.  If you love both equally, get them both.

Bottom line is that both are hard to attain, and unless you got the love for
either one, you are not going to get 'em!   For example, there is good bucks
in programming, but I hate to program, even little batch files and scripts
turn me off.  No amount of money will ever entice me to voluntarily learn
programming in any language.  Same thing with either the CCIE or a Ph.D.

Whew, hope this puts this thread to rest.

TIA,

Charles





"The Long and Winding Road" wrote in
message news:[EMAIL PROTECTED]...
> "Jimmy" wrote in message
> news:[EMAIL PROTECTED]...
> > If you were given a choice, would you choose to go for a PhD in the
> > networking area or just stay in your field and pursue professional
> > certification such as CCNP/CCDP etc. Assume that both are fully sponsored,
> > can anyone tell me which one will pay off in the long run?
>
>
> My current hero Bill Parkhurst, author of two books that are must-read for
> CCIE Lab prep, and I believe high up in the CCIE program at Cisco, has both!
> PhD ( I believe in electrical engineering ) and CCIE
>
>
> >
> > Cheers!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60387&t=60385



OT: IPX and AppleTalk Network Scanner [7:59139]

2002-12-12 Thread Charles Riley
Hi, all

Apologies in advance for this slightly OT, but can anyone point me in the
direction of a scanner that can scan and enumerate IPX-only and
AppleTalk-only networks?  That is, scan and identify devices on a network
running IPX only or AppleTalk only...no IP.


I would prefer something that did not cost an arm and a leg such as the ISS
products.  I have heard that AXENT makes something like that, but their
website seems to be hosed right now so I can not check.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59139&t=59139



RE: Security Policy [7:52061]

2002-08-28 Thread Charles Riley

Howard C. Berkowitz wrote:
> 
> Password structure is too detailed for the security policy, although
> it's necessary in the security design. The policy should state
> something on the order that people must protect their passwords,
> whether they can or cannot change their own, etc.
> 

OK, the part about protecting/changing passwords is a given, but I wonder
about your comment that "password structure is too detailed..."

...where to put the details about that which you are trying to protect...in
a SOP on passwords?  or possibly as appendix to the official security policy?

My view of security policy is that it needs to lay the law, include
specifics on complying with said law, and detail the penalties for
non-compliance.  Telling people that they need to protect their passwords is
not enough, they need to know what the organization considers protecting
said passwords.

Without these specifics, I could make the case that writing my password
backwards on a sticky note and placing it in my wallet is protection enough,
and why not, the policy only told me to protect it, it did not tell me the
required manner and depth of the protection.

Can you clarify further where you would put such details?  

TIA,

Charles



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52237&t=52061



RE: Security Policy [7:52061]

2002-08-27 Thread Charles Riley

While security policies need to be unique per organization, there are some
common elements that can be recycled.

Just to give an example, how about the handling of passwords?  Really, do
you need to re-create the piece of the policy that says passwords need to be
protected, must be of a certain length, and mixed characters?  It really
doesn't matter if the policy is for Van Kamps fish sticks factory, or for
the DEA:  both need to ensure that they have some baseline protection for
passwords.

The book below may help; the high price tag buys you a one-organization
copyright.  Having a ready-made template can save some time, and enable you
to focus on the more unique aspects of the organization's requirements
without spending all your time re-inventing the wheel.

To that end, John, the following may be useful to you. Check it on Amazon.

Information Security Policies Made Easy Version 8
by Charles Cresson Wood

HTH,

Charles 



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52134&t=52061



RE: Disable Telnet [7:41293]

2002-04-12 Thread Scott Riley

Hey Rich,

Easiest way is probably:

!
line vty 0 4
 transport input none
!

However, you might want to reserve telnet access to a private range for
your own ease of admin in which case:

!
line vty 0 4
 transport input telnet
 access-class 2 in
!
access-list 2 remark Secure Telnet Access
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 2 deny any log
!
Cheers,

Scott



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Johnson, Richard (NY Int)
Sent: 12 April 2002 14:05
To: [EMAIL PROTECTED]
Subject: Disable Telnet [7:41293]


Hi All, 

How do I disable Telnetting capability to my 3640. I only want
console access. 


Thanks, 


Rich




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41299&t=41293



RE: prefix lists .. [7:34312]

2002-02-04 Thread Scott Riley

Do you mean "gt" and "lt" for "greater than" or "less than" specific
port numbers?

Use extended access lists with an ACL number of 100 - 199 and a specific
protocol (TCP / UDP).

Eg:

access-list 101 deny tcp 192.168.100.0 0.0.0.255 host 192.168.200.1 gt 1024

HTH,

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
dk
Sent: 04 February 2002 12:07
To: [EMAIL PROTECTED]
Subject: prefix lists .. [7:34312]


Can anyone help me get a handle on the "ge" and "le" options on  prefix
lists? I find them totaly confusing.

Thanks in advance for any advice offered

David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34313&t=34312



RE: cpu utilization with MRTG [7:32677]

2002-01-21 Thread Scott Riley

Here try this - works for me...

# Router CPU load %
# 1.3.6.1.4.1.9.2.1.58.0 is avgBusy5 (5-minute average CPU busy %) from OLD-CISCO-CPU-MIB
Target[cpu.192.168.0.1]: 1.3.6.1.4.1.9.2.1.58.0&1.3.6.1.4.1.9.2.1.58.0:snmpstringhere@192.168.0.1
RouterUptime[cpu.192.168.0.1]: snmpstringhere@192.168.0.1
MaxBytes[cpu.192.168.0.1]: 100
Title[cpu.192.168.0.1]: CPU LOAD
PageTop[cpu.192.168.0.1]: CPU Utilisation for Customerx
 Description: CPU Load Monitor
Unscaled[cpu.192.168.0.1]: ymwd
ShortLegend[cpu.192.168.0.1]: %
XSize[cpu.192.168.0.1]: 380
YSize[cpu.192.168.0.1]: 100
YLegend[cpu.192.168.0.1]: CPU Utilization
Legend1[cpu.192.168.0.1]: CPU Utilization in % (Load)
Legend2[cpu.192.168.0.1]: CPU Utilization in % (Load)
Legend3[cpu.192.168.0.1]:
Legend4[cpu.192.168.0.1]:
LegendO[cpu.192.168.0.1]:  Usage
Options[cpu.192.168.0.1]: growright,nopercent,gauge

Obviously, you should replace the ip address '192.168.0.1' and the snmp
string 'snmpstringhere' with the appropriate ones for your device.

Hope this helps!

Scott Riley CCNP CCDA MCSE (NT4)
Senior Network Engineer
Firstnet Services Ltd
T: 0113 292 7768
F: 0113 234 1962
W: http://www.firstnet.net.uk

[This message subject to: http://www.firstnet.net.uk/disclaimer.html]



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mohammed Saro
Sent: Monday, 21 January 2002 11:25
To: [EMAIL PROTECTED]
Subject: cpu utilization with MRTG [7:32677]


Any ideas about the object ID of CPU utilization on Cisco routers for monitoring
with MRTG?



Mohamed Saro




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=32686&t=32677



RE: I need Help in Cisco [7:31875]

2002-01-14 Thread Scott Riley

One suggestion is to use two route-maps,  one to permit traffic to pass
straight through the cache and one with the "set ip next-hop" feature.  This
second route map will match an access-list configured to capture web
traffic, something like the following should do it:


interface FastEthernet1/0
 ! ip policy route-map acts on packets arriving on this interface, so it
 ! belongs on the client-facing side
 ip policy route-map proxy-redirect
!
! entry 10: traffic matching list 101 has no set clause, so it is routed normally
route-map proxy-redirect permit 10
 match ip address 101
!
! entry 20: traffic matching list 110 is sent to the Squid box
route-map proxy-redirect permit 20
 match ip address 110
 set ip next-hop abc.abc.abc.abc
! abc.abc.abc.abc = IP ADDRESS OF SQUID SERVER
!
access-list 101 remark STRAIGHT THROUGH TRAFFIC
access-list 101 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any
! xxx.xxx.xxx.xxx 0.0.0.255 = RANGE OF SOURCE TRAFFIC TO GO THROUGH
!
access-list 110 remark TRAFFIC TO BE REDIRECTED TO WEB-CACHE
access-list 110 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq www
! xxx.xxx.xxx.xxx 0.0.0.255 = RANGE OF SOURCE TRAFFIC TO BE REDIRECTED


Place all networks to be cached in list 110 and any you don't want to be
cached in list 101.  For example if you wanted to ensure that the entire
192.168.100.0 network is cached except for host 192.168.0.254 then do the
following:

access-list 101 permit tcp host 192.168.0.254 any

access-list 110 permit tcp 192.168.100.0 0.0.0.255 any eq www

Remember to put your Squid (proxy) server in the exceptions list otherwise
it'll never work!

Hope this helps...

Cheers,

Scott Riley CCNP CCDA MCSE (NT4)
Senior Network Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ing. Milton Amador Z.
Sent: Monday, 14 January 2002 16:41
To: [EMAIL PROTECTED]
Subject: I need Help in Cisco [7:31875]


I have one Cisco 3640. I need to send all my www traffic to one Linux box; on
this Linux box I have the Squid proxy, but I don't know how to make this work.

Does somebody know how to make this work?


Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=31882&t=31875
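As an added example (my own code, not Scott's configuration or anything from IOS), the following Python models how the two-entry route-map above is evaluated, first match in sequence order with a set-less permit meaning "route normally", so the ordering of the exception entry and the advice to put Squid itself in the exceptions can be checked offline. All addresses are constructed for this example: clients in 192.168.100.0/24, an excluded host at 192.168.100.254 and the Squid box at 192.168.100.10 on the same LAN.

```python
"""Model of IOS policy routing for the proxy-redirect route-map above.

Added example, not part of the original post.  Addresses are constructed.
Semantics modelled: entries are walked in sequence order; the first entry
whose ACL permits the packet wins; a permit entry with no set clause sends
the packet through normal routing; no match at all also routes normally.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addresses for this example
CLIENT_NET, CLIENT_WILD = "192.168.100.0", "0.0.0.255"  # range to be cached
EXCLUDED_HOST = "192.168.100.254"                        # one host not cached
SQUID = "192.168.100.10"                                 # proxy on the same LAN


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# ACL entries: (proto, src_net, src_wildcard, dport or None).  A packet is
# permitted if any entry matches; a list with no matching entry denies.
ACLS = {
    101: [  # STRAIGHT THROUGH TRAFFIC: the exceptions, Squid itself included
        ("tcp", EXCLUDED_HOST, "0.0.0.0", None),
        ("tcp", SQUID, "0.0.0.0", None),
    ],
    110: [  # TRAFFIC TO BE REDIRECTED TO WEB-CACHE (eq www)
        ("tcp", CLIENT_NET, CLIENT_WILD, 80),
    ],
}

# route-map proxy-redirect in sequence order: (seq, acl, next_hop or None)
ROUTE_MAP = [
    (10, 101, None),   # permit 10: match 101, no set clause -> normal routing
    (20, 110, SQUID),  # permit 20: match 110, set ip next-hop SQUID
]

# The same route-map with entry 10 left out, to show why the exceptions
# (and Squid itself) must come first.
ROUTE_MAP_NO_EXCEPTIONS = [(20, 110, SQUID)]


def acl_permits(acl_id: int, pkt: Packet) -> bool:
    for proto, net, wild, dport in ACLS[acl_id]:
        if (pkt.proto == proto and wildcard_match(pkt.src, net, wild)
                and (dport is None or pkt.dport == dport)):
            return True
    return False


def policy_route(pkt: Packet, route_map=ROUTE_MAP) -> str:
    """Next hop chosen for pkt, or 'normal' when the routing table is used."""
    for _seq, acl_id, next_hop in route_map:
        if acl_permits(acl_id, pkt):
            return next_hop or "normal"
    return "normal"


if __name__ == "__main__":
    for p in (Packet("192.168.100.50", "203.0.113.9", "tcp", 80),
              Packet("192.168.100.50", "203.0.113.9", "tcp", 443),
              Packet(EXCLUDED_HOST, "203.0.113.9", "tcp", 80),
              Packet(SQUID, "203.0.113.9", "tcp", 80)):
        print(f"{p.src}:{p.dport} -> {policy_route(p)}  "
              f"(without entry 10: {policy_route(p, ROUTE_MAP_NO_EXCEPTIONS)})")
```

Without entry 10 the Squid box's own outbound web fetches are policy-routed back to Squid, which is the failure Scott warns about.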



OSPF Question... [7:31402]

2002-01-09 Thread Scott Riley

Hi guys,

Hoping to pick someone's brain about this issue that we're seeing:

We have two 6509 Cat switches with a Gig trunk and RSMs.  Multiple VLANs
are configured on the RSM and we are running OSPF (area 0).  The problem we
have is that the two 6509's are forming OSPF adjacencies with each other on
every vlan (via the Gig trunk).   So if we have 4 vlans set up there are 4
sets of OSPF neighbor adjacencies set up, for example:

Neighbor ID     Pri   State           Dead Time   Address         Interface
lo-3.bob        1     FULL/DR         00:00:38    192.168.1.140   Vlan1
lo-3.bob        1     2WAY/DROTHER    00:00:32    192.168.1.172   Vlan30
lo-3.bob        1     2WAY/DROTHER    00:00:32    192.168.1.188   Vlan35
lo-3.bob        1     FULL/BDR        00:00:37    192.168.1.34    Vlan100

[The names and IP addresses have been changed to protect the innocent!]

The same is also true on the partnering router "Bill".

Now, in reality, there are about 10 or 12 vlans in this setup, most of them
are passive interfaced so they do not add into the equation.  We can't
passive interface these vlans because they are used for distribution to
different OSPF areas.
My question is this: how can we ensure that bob and bill only form one
adjacency with one another, not one per vlan?  We were hoping to do
something like a "source-interface" whereby you specify that OSPF
adjacencies are formed on a given address (eg a loopback int), that way
regardless of how many vlans bob and bill can see each other on, they will
only form adjacencies on one IP address with one another.

Any comments or suggestions would be greatly appreciated.

(Here's where it's something REALLY obvious and I look silly)...

Cheers guys,

Scott Riley
Senior Network Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=31402&t=31402



RE: Serial links [7:28270]

2001-12-06 Thread Scott Riley

Each port on the NM-4T is capable of supporting 2Mb full-duplex, 2Mb
upstream and 2Mb downstream.

The card has a total 8Mb Full-Duplex throughput.  You can actually have 8Mb
in one direction and 8 Mb in the other direction at the same time assuming
all the channels are bonded together.

HTH,

Scott Riley
Senior Network Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 06 December 2001 14:48
To: [EMAIL PROTECTED]
Subject: Re: Serial links [7:28270]


So should the data sheet say "total throughput" and not "total full-duplex
throughput"??

RB




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28290&t=28270



RE: DNS [7:24949]

2001-11-01 Thread Scott Riley

The following line in global config mode should help:

  async-bootp dns-server 10.10.10.1 10.10.10.2

Alternatively you could pass the details to them via RADIUS.

  Cisco-AVPair = "ip:dns-servers=10.10.10.1 10.10.10.2"


Scott Riley
Firstnet Services Ltd
W: http://www.firstnet.net.uk




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ashraf Wagih
Sent: Thursday, 01 November 2001 16:24
To: [EMAIL PROTECTED]
Subject: DNS [7:24949]


Hi All,
how can I let the Access Server 5300/5400 assign a DNS
to the dial-up users?

regards






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24957&t=24949



RE: How to setup syslog server [7:23501]

2001-10-19 Thread Scott Riley

You can easily use shell scripting to separate the logs for the individual
routers.

We use something similar to the following:
echo Sorting Log Files:
cat /var/log/remote.log |grep routername >> /var/log/cisco/routername
rm -f /var/log/remote.log
killall -HUP syslogd

Hope this helps!

Scott Riley
Cisco Internet Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Anh Lam
Sent: Friday, 19 October 2001 11:26
To: [EMAIL PROTECTED]
Subject: How to setup syslog server [7:23501]


Hi Everyone,

I am trying to setup a syslog server so that I can log messages from cisco
routers and switches.  I am running this syslog on a Linux box.
Since syslog is a standard feature of unix/linux, I am pretty happy with it,
given my disdain for Microsoft.

By default the syslog server on Linux refuses to accept remote logging from
devices other than itself.  I modified this by turning on the
-r option.  This makes the Linux machine accept remote logging.

My problem is that the syslog messages from Cisco routers and switches are
logged into the same file (/var/log/messages) that the Linux machines logs
its own system messages.  How can I separate the messages between the two?

Thanks.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23503&t=23501