Re: ospf type 5 lsas [7:74699]
Mmm, looks like you have area 15 configured as a Not so stubby totally stubby area (NSSTSA) rather than as a not so stubby area (NSSA)...some slight differences as noted below; also, note how type 5 and 7 are (and are not) supported.

LSA type 5 routes will not be used in a NSSA or NSSTSA; however, the same information conveyed by type 7 will (comes from ABR for the area).

NSSA: If there is an ABR configured into this area (to area 0), it will convert the LSA type 7 to an LSA type 5. The LSA type 5 that was a LSA type 7 gets passed to the backbone area, where it gets distributed as a normal LSA type 5 to the rest of the OSPF routing domain. This LSA type 5 does not get sent into the NSSA because the NSSA does not allow LSA type 5 into the area...not to mention that the NSSA routers already have this information via the LSA type 7.

By default, type 5 LSAs cannot be summarized at an ASBR or ABR, though Type 7 can.

An area is configured as a NSSA with the following command in OSPF configuration mode. This command must be entered on all routers in the area in order for them to become neighbors.

    area 1 nssa

About NSSTSA...

The Not So Stubby Totally Stubby Area (NSSTSA) is a special definition of the NSSA. It is more restrictive regarding what it allows into the area. The NSSTSA is similar to the NSSA, except that it does not allow LSA type 3 and 4 into the area. Otherwise, the NSSTSA is just like a NSSA. The NSSTSA ASBR creates LSA type 7 for the routes that it is redistributing from another routing protocol into the NSSTSA. The NSSTSA ABR converts the 7 into a 5 for propagation to the rest of the OSPF domain. A default route, sent as a LSA type 3 summary, is the only exception to the NSSTSA rule that no 3 or 4 is allowed into the area.

To configure a NSSTSA, enter the following command on the NSSTSA ABR only. This configures the ABR not to send LSA type 3 and 4 into the NSSTSA. All routers will be configured with the NSSA command, as previously discussed.

On the NSSTSA ABR only:

    area 1 nssa no-summary

On all other NSSTSA routers:

    area 1 nssa

HTH,
Charles

"Thomas Salmen" wrote in message news:[EMAIL PROTECTED]
> someone requested the configs; i'm sorry, i'm not sure who.
>
> and the links are numbered, btw.
>
> 7500:
>
> interface atm 0/1/0.101
>  ip address 192.168.10.1 255.255.255.252
> !
> !
> router ospf 120
>  network 192.168.10.0 0.0.0.3 area 0
>  network 10.64.0.0 0.0.0.255 area 14
> !
>
> 2500:
>
> interface ethernet 0
>  ip address 172.16.10.5 255.255.255.252
> !
> interface serial 0/0.101 point-to-point
>  ip address 192.168.10.2 255.255.255.252
> !
> !
> router ospf 120
>  network 192.168.10.0 0.0.0.3 area 0
>  network 172.16.10.4 0.0.0.3 area 15
>  area 15 nssa no-summary
> !
>
> the only other router in area 15 is at 172.16.10.6, and is configured as an
> nssa asbr.
>
> the 7500 has all the type 5 lsas in its database, but none entered in its
> route table.
>
> eg:
>
> 7500#show ip ospf database external 200.88.200.220
>
>        OSPF Router with ID (200.55.10.244) (Process ID 20)
>
>                 Type-5 AS External Link States
>
>   LS age: 2576
>   Options: (No TOS-capability, DC)
>   LS Type: AS External Link
>   Link State ID: 200.88.200.220 (External Network Number )
>   Advertising Router: 200.27.100.154
>   LS Seq Number: 8008
>   Checksum: 0x1A8B
>   Length: 36
>   Network Mask: /32
>         Metric Type: 2 (Larger than any link state path)
>         TOS: 0
>         Metric: 2
>         Forward Address: 0.0.0.0
>         External Route Tag: 3221225472
>
> 7500#show ip route | include 200.88.200.220
>
> 7500#
>
> thomas
>
> ----- Original Message -----
> From: Thomas Salmen
> To: [EMAIL PROTECTED]
> Sent: Tuesday, September 02, 2003 3:43 PM
> Subject: ospf type 5 lsas
>
> i have a problem with ospf that someone may be able to help with.
>
> i have a 2500 connected to a 7500 via a frame (2500 end) to atm (7500 end)
> link. the 2500 is an abr for area 15 (serial area 0, ethernet area 15); the
> 7500 is an abr for area 14 (atm area 0, other interfaces area 14).
>
> area 15 is configured as an nssa, as it is attached to another router which
> is redistributing static routes. area 14 is a standard ospf area, not stub or
> nssa.
>
> the 2500 (abr) is receiving type 7 lsas and converting them to type 5 and
> flooding them into area 0, no problems. the 7500 has them in its lsa
> database. the problem is that none of the type 5 lsas are being entered in
> the 7500's route table.
>
> i have run through everything i can think of, and i'm a bit stuck. the
> forwarding address of each lsa is 0.0.0.0. the network type is correct (ptp).
> the 7500 can reach the abr and the asbr. subnet masks are all correct. i'm
> not sure what to look for next...
>
> anyone?
>
> thomas
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisc
Re: Urgent [7:74680]
Is it a truly unmanaged switch that can not be addressed whatsoever, or is it a switch that can be assigned an IP address and managed, but just hasn't been done yet??? I believe that 99.44% of Cisco switches are all manageable (have a MAC associated with them). Persuasions and dissuasions for this statement are welcome...

Cheap and easy rule of thumb...if it supports SNMP, it has a MAC address.

As to how to determine the MAC...show interface on the newer switches, or on CATOS switches, show module (shows addresses for a module), and show mac (to view MAC addresses of whatever is connected to a particular port).

"Bharani" wrote in message news:[EMAIL PROTECTED]
> Dear Reader
>
> Do unmanaged switches have a MAC address, because we have some
> unmanaged switches which use the concept of Store and Forward for handling
> the frames
>
> if it is there, what is the simple way to find the MAC address of the
> switch
>
> Thanks in advance
> Bani

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74687&t=74680
--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Re: ospf type 5 lsas [7:74632]
Can we see the configuration for the 2500 and 7500 (just the OSPF part)? Also, is this route in the table at all? That is, is another protocol (like EIGRP) also advertising this route??

Thanks,
Charles

"Thomas Salmen" wrote in message news:[EMAIL PROTECTED]
> i have a problem with ospf that someone may be able to help with.
>
> i have a 2500 connected to a 7500 via a frame (2500 end) to atm (7500 end)
> link. the 2500 is an abr for area 15 (serial area 0, ethernet area 15); the
> 7500 is an abr for area 14 (atm area 0, other interfaces area 14).
>
> area 15 is configured as an nssa, as it is attached to another router which
> is redistributing static routes. area 14 is a standard ospf area, not stub or
> nssa.
>
> the 2500 (abr) is receiving type 7 lsas and converting them to type 5 and
> flooding them into area 0, no problems. the 7500 has them in its lsa
> database. the problem is that none of the type 5 lsas are being entered in
> the 7500's route table.
>
> i have run through everything i can think of, and i'm a bit stuck. the
> forwarding address of each lsa is 0.0.0.0. the network type is correct (ptp).
> the 7500 can reach the abr and the asbr. subnet masks are all correct. i'm
> not sure what to look for next...
>
> anyone?
>
> thomas

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74658&t=74632
Re: Interesting Question [7:74652]
I don't know why a Class A address was chosen...personally, I would have chosen a Class C address...less wasteful. However, I might be missing the point here, tho...

"Bharani" wrote in message news:[EMAIL PROTECTED]
> Dear Readers
>
> Does anyone know the mathematical reason for making
> 127.X.X.X the loopback address? If so, please let me know
>
> Thanks in advance
> Bani

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74659&t=74652
Re: Trying run ISIS on 2600 [7:74051]
Looked this up on Software Advisor...it listed feature sets primarily with an Enterprise flavor, as well as a few VoIP, Telco, and Service Provider flavors. What I got out of the whole thing was that the IP only feature set will not cut it. IS-IS speakers natively use CLNS to communicate even as they route IP. I used to get it with the Desktop feature, though I did not see that as an option here.

Cisco provides a nice basic example of ISIS here at
http://www.cisco.com/en/US/customer/tech/tk365/tk381/technologies_configuration_example09186a0080093f38.shtml

If you are interested in having it route both IP and CLNS...use Integrated ISIS...more info at
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800c5bc1.html#wp1000871

HTH,
Charles

"irfan siddiqui" wrote in message news:[EMAIL PROTECTED]
> I am trying to run ISIS on a 2600 series router however it does not accept
> the CLNS and ISIS routing commands at the Config mode. I am using IOS IP
> version only? Do i need IP plus version to configure ISIS??
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74057&t=74051
Re: did you save ?????? [7:73986]
Hamsters have optimal ground for electricity...groundhogs have too much...

"Larry Letterman" wrote in message news:[EMAIL PROTECTED]
> I thought it was groundhogs that Kansas had an oversupply of...
>
> Larry Letterman
> Cisco Systems
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Charles Cthulhu Riley
> Sent: Friday, August 15, 2003 12:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: did you save ?? [7:73986]
>
> Out here in Kansas, we all got ethanol fueled hamsters running on
> treadmills for power production, so we were unaffected by the blackout.
> One hamster did escape and raid the local quickee-mart for some
> chocolate donettes, though...that reduced power output by about .1%, as
> well as causing cardio problems with said hamster. We called him Jimmy
> the Hamster, and he does NOT have his CCNA, despite his claims of high
> test scores.
>
> Sorry for the silly response...been writing all day and needed a goof
> break.
>
> Charles
>
> "Kurt Kruegel" wrote in message
> news:[EMAIL PROTECTED]
> > so did everybody save their configs before the power went out ???
> >
> > i'm more worried about servers that had their power cut than my
> > network equipment
> >
> > like my older grouchy sun boxes !

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74034&t=73986
Re: did you save ?????? [7:73986]
Out here in Kansas, we all got ethanol fueled hamsters running on treadmills for power production, so we were unaffected by the blackout. One hamster did escape and raid the local quickee-mart for some chocolate donettes, though...that reduced power output by about .1%, as well as causing cardio problems with said hamster. We called him Jimmy the Hamster, and he does NOT have his CCNA, despite his claims of high test scores.

Sorry for the silly response...been writing all day and needed a goof break.

Charles

"Kurt Kruegel" wrote in message news:[EMAIL PROTECTED]
> so did everybody save their configs before the power went out ???
>
> i'm more worried about servers that had their power cut than my
> network equipment
>
> like my older grouchy sun boxes !

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74030&t=73986
Re: PIX xlate question [7:74012]
Your pool may consist of addresses from the local addresses, and the xlates are occurring on a catch as catch basis, which accounts for the weird results of your show command.

Assuming your local addresses are 213.x.x.x, your pool of addresses to which these locals are to be translated is also 213.x.x.x...you apparently have a case of unintentional identity NAT here

"Skarphedinsson Arni V." wrote in message news:[EMAIL PROTECTED]
> why would I see the following when I do sh xlate on the pix, i.e.
> one global address is being translated to the next in line global address ?
>
> and suggestions would be welcome
>
> Global 213.213.128.143 Local 213.213.128.142
> Global 213.213.128.142 Local 213.213.128.141
> Global 213.213.128.137 Local 213.213.128.136
> Global 213.213.128.136 Local 213.213.128.135
> Global 213.213.128.139 Local 213.213.128.138
> Global 213.213.128.138 Local 213.213.128.137
> Global 213.213.128.133 Local 217.3.103.62
> Global 213.213.128.132 Local 213.213.128.131
> Global 213.213.128.135 Local 213.213.128.134
> Global 213.213.128.134 Local 213.213.128.133
> Global 213.213.128.129 Local 213.213.128.128
> Global 213.213.128.128 Local 213.213.128.127
> Global 213.213.128.131 Local 213.213.128.130
> Global 213.213.128.130 Local 213.213.128.129
> Global 213.213.128.189 Local 213.213.128.188
> Global 213.213.128.188 Local 213.213.128.187
> Global 213.213.128.191 Local 200.65.74.239
> Global 213.213.128.190 Local 213.213.128.189
> Global 213.213.128.185 Local 213.213.128.184
> Global 213.213.128.184 Local 213.213.128.183
> Global 213.213.128.187 Local 213.213.128.186
> Global 213.213.128.186 Local 213.213.128.185
> Global 213.213.128.181 Local 213.213.128.180
> Global 213.213.128.180 Local 213.213.128.179
> Global 213.213.128.183 Local 213.213.128.182
> Global 213.213.128.182 Local 213.213.128.181
> Global 213.213.128.177 Local 213.213.128.176
> Global 213.213.128.176 Local 213.213.128.175
> Global 213.213.128.179 Local 213.213.128.178
> Global 213.213.128.178 Local 213.213.128.177
> Global 213.213.128.173 Local 213.213.138.210
> Global 213.213.128.172 Local 10.200.20.124
> Global 213.213.128.175 Local 213.213.128.174
> Global 213.213.128.174 Local 213.213.128.173
> Global 213.213.128.169 Local 213.213.128.168
> Global 213.213.128.168 Local 213.213.128.167
> Global 213.213.128.171 Local 213.213.128.170
> Global 213.213.128.170 Local 213.213.128.169
> Global 213.213.128.165 Local 213.213.128.164
> Global 213.213.128.164 Local 213.213.128.163
> Global 213.213.128.167 Local 213.213.128.166
> Global 213.213.128.166 Local 213.213.128.165
> Global 213.213.128.161 Local 213.213.128.160
> Global 213.213.128.160 Local 213.213.128.159
> Global 213.213.128.163 Local 213.213.128.162
> Global 213.213.128.162 Local 213.213.128.161

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=74029&t=74012
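
Added example, not part of the original posts: a small Python audit of "show xlate" output for the condition discussed in this thread, where local addresses fall inside the global pool. The function names and the /26 pool (chosen only because it covers the Global column of the sample) are assumptions; the sample slots are copied from the output quoted above.

```python
import ipaddress
import re

# One translation slot as printed in the quoted "sh xlate" output.
# findall() is used so pairs are still found when the output has been
# flattened onto one line or carries "> " quote markers.
XLATE_RE = re.compile(
    r"Global\s+(\d{1,3}(?:\.\d{1,3}){3})\s+Local\s+(\d{1,3}(?:\.\d{1,3}){3})"
)

# A few slots copied from the post, run together the way mail archives do.
SAMPLE = (
    "> Global 213.213.128.143 Local 213.213.128.142 "
    "> Global 213.213.128.142 Local 213.213.128.141 "
    "> Global 213.213.128.133 Local 217.3.103.62 "
    "> Global 213.213.128.132 Local 213.213.128.131 "
    "> Global 213.213.128.129 Local 213.213.128.128 "
    "> Global 213.213.128.128 Local 213.213.128.127 "
    "> Global 213.213.128.172 Local 10.200.20.124"
)

# Assumption: the real pool definition is not in the thread. This /26 is
# simply the block that covers every Global address in SAMPLE.
ASSUMED_POOL = "213.213.128.128/26"


def parse_xlate(text):
    """Return [(global_ip, local_ip), ...] as ipaddress objects."""
    return [
        (ipaddress.ip_address(g), ipaddress.ip_address(l))
        for g, l in XLATE_RE.findall(text)
    ]


def audit_xlate(text, pool_cidr):
    """Classify translation slots against the configured global pool.

    identity               global == local (address passed through unchanged)
    local_in_pool          local address lies inside the pool range
    local_is_active_global local address is currently handed out as a global
    global_outside_pool    global address not in the pool (e.g. a static)
    """
    pool = ipaddress.ip_network(pool_cidr)
    slots = parse_xlate(text)
    active_globals = {g for g, _ in slots}
    report = {
        "total": len(slots),
        "identity": [],
        "local_in_pool": [],
        "local_is_active_global": [],
        "global_outside_pool": [],
    }
    for g, l in slots:
        pair = (str(g), str(l))
        if g == l:
            report["identity"].append(pair)
        if l in pool:
            report["local_in_pool"].append(pair)
        if l != g and l in active_globals:
            report["local_is_active_global"].append(pair)
        if g not in pool:
            report["global_outside_pool"].append(pair)
    return report


if __name__ == "__main__":
    for key, value in audit_xlate(SAMPLE, ASSUMED_POOL).items():
        print(f"{key}: {value}")
```

Any entry under local_in_pool or local_is_active_global means the inside range and the global pool overlap, which is the situation the reply above describes.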
Re: Frame Relay Design Consideration (P2P or P2Multipoint) [7:73415]
Less IP addresses used?

wrote in message news:[EMAIL PROTECTED]
> Guys,
>
> Very quick one here.
>
> If I have a hub site with 5 spoke sites on an FR network, I could use FR
> P2P sub ints or P2M sub ints.
>
> Why would I prefer a P2P over P2M method? The routing protocol would be
> EIGRP and apart from broadcast traffic being 5 times more than a P2P
> network, why would it be better for a P2P. I mean the split horizon can be
> turned off on the hub multipoint interface.
>
> Sorry if this sounds like dumb question?
>
> Many thx
> Ken

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73415&t=73415
Re: Friday Follies #1 [7:73370]
Assign an address (as secondary) from the incorrect range to the router interface to which this device is connected, and from that router, connect (telnet or ssh) to that device, fix the ip, (get disconnected in process, of course), and remove the incorrect secondary from the router...voila and other French words I don't understand.

"John Neiberger" wrote in message news:[EMAIL PROTECTED]
> You have a device that is reachable only via telnet or console that you've
> preconfigured with an IP address, subnet mask, and default gateway and
> subsequently shipped out to a remote location to be installed. Once the
> device was in place you realized that you've configured it with the wrong
> addressing information. The subnet you used actually exists at another
> location so this device is currently unreachable via IP. If you could
> somehow reach the device you'd be able to correct your mistake without
> having someone ship the device back to you.
>
> What can you do to restore IP connectivity to this device in its current
> location and make it reachable from both the local router and remote
> routers?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73377&t=73370
Re: Friday Follies #2 [7:73371]
Three words MY-CROW-SOFF?

"John Neiberger" wrote in message news:[EMAIL PROTECTED]
> [This isn't the usual type of follies question where you have to figure
> something out. In this case, you either know the answer or you don't. If you
> don't, you can probably figure out how to look it up and it would be good
> information to have in case you see this in your own network.]
>
> Your network uses RFC 1918 private IP address space (10.0.0.0/8) for your
> addressing. You have a logging access list configured on a LAN interface and
> you begin seeing traffic from devices in the 169.254.0.0/16 subnet destined
> for 169.254.255.255. You don't have any machines configured with addresses
> in this subnet, so what could it be?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73378&t=73371
Re: OSPF through PIX [7:72938]
Get PIXOS 6.3, enable OSPF on the firewall, and let it participate in OSPF routing...voila! OSPF "through" the firewall...

Also, how about using neighbor statements (with no translation) which converts the OSPF multicasts to unicasts? Just a thought...obviously, would need an ACL applied at key points.

"Robertson, Douglas" wrote in message news:[EMAIL PROTECTED]
> OSPF through a PIX firewall is not supported. There are two ways to
> configure routing through a PIX.
> 1) Configure a GRE tunnel between the two routers.
> 2) Configure BGP between the two routers.
> The two choices have different implications depending on your specific
> network.
>
> Thanks Doug
>
> -----Original Message-----
> From: Massucco Emanuele [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 24, 2003 11:28 AM
> To: [EMAIL PROTECTED]
> Subject: OSPF through PIX [7:72938]
>
> Does anyone know if there are any problems configuring OSPF through PIX
> interfaces?
> I know PIX should block broadcast, so which is the way to make it work?
>
> thanks
> LEle

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72958&t=72938
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Quoting in Replies [7:71366]
I would appreciate if the posters would drive over to my house and read their message to me, with accompanying gestures as appropriate. Not only that, but maybe fix me a glass of ice tea and some cookies. It's hot out here in Kansas, and cookies are hard to come by...

"Kaminski, Shawn G" wrote in message news:[EMAIL PROTECTED]
> I agree. I was going to rag about this the other day, but figured that many
> people on this list already think I bi*ch too much about other things! :-)
>
> Shawn K.
>
> -----Original Message-----
> From: John Neiberger [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 25, 2003 2:34 PM
> To: [EMAIL PROTECTED]
> Subject: Quoting in Replies [7:71366]
>
> Okay, this is getting really old, really fast. When responding to a post,
> PLEASE QUOTE WHAT YOU'RE REPLYING TO! The number of unintelligible posts is
> increasing and some simple quoting would help immensely.
>
> Perhaps the issue is that if you use the web-based board to post a quote
> does not happen by default. So, if you are using the board to reply to
> posts, please hit the QUOTE button and edit appropriately.
>
> Thanks,
> John (who is exceptionally grumpy today, and it shows. Sorry about that.)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71383&t=71366
Re: New CCNA tracks [7:71256]
Go, Cisco, milk that cash cow! Hope it doesn't kick you in the...oh, look a bird!

"annlee" wrote in message news:[EMAIL PROTECTED]
> Here's the actual announcement:
>
> CISCO INTRODUCES CCNA PROGRAM ENHANCEMENTS
> CCNA Offers New Exams for Those Entering Networking Field
>
> Today, Cisco Systems, Inc. announces three enhancements to the
> CCNA (Cisco Certified Network Associate) Program which are based on
> customer feedback, the need for an accessible entry path into the
> certifications, and upgrades to the exam for addressing emerging networking
> technologies. As the entry-level certification of the Cisco Career
> Certifications Program, CCNA represents a strong foundation and
> understanding of IP networking and troubleshooting. The enhancements include
> a new two-step exam path for new candidates entering the networking field,
> revisions to the existing CCNA exam and the option for candidates to apply
> one of the new exams for CCNA recertification.
>
> A Two-Step Approach:
> The two-step approach introduced in the CCNA program offers
> candidates the ability to certify at their own pace and skill levels. The
> two step approach does not replace the existing one exam option, but allows
> candidates to achieve the certification in two stages by passing a new
> Introduction to Cisco Networking Technologies (INTRO) exam and a new
> Interconnecting Cisco Network Devices (ICND) exam to achieve CCNA
> certification.
>
> "Given the popularity and success of the CCNA program, we
> continue to enhance CCNA to meet our customers needs through skills
> assessment aimed at today's job requirements," said Don Field, senior
> manager, Internet Learning Solutions Group, Cisco Systems, Inc. "The
> two-step approach offers those new to the networking field the option to
> test their networking knowledge in stages."
>
> The two-certification paths for CCNA include:
>
> a. Passing the CCNA 640-801 exam (available on June 30, 2003); or
> b. Passing the INTRO 640-821 exam (currently as beta exam 641-821)
>    and ICND 640-811 exam (available on June 30, 2003).
>
> Revisions to the CCNA content:
> The revised CCNA 640-801 exam replaces existing CCNA 640-607 exam
> and is designed to better assess the networking skills of entry level
> candidates. The CCNA curriculum includes understanding the functions and
> operations of local area networks (LAN), Cisco IOS fundamentals, wide area
> networks (WAN), virtual private networks (VPN), and Storage Area Networks
> (SAN). Other topics covered in the CCNA curriculum are IP Addressing, Cisco
> Command Line Interface (CLI), Routing and Switching technologies and
> protocols. The CCNA certification content, technology and testing remains
> focused on real-world skills assessment with labs and exam simulations being
> key components of CCNA courses and exams.
>
> Recertification:
> The new ICND exam now qualifies CCNA holders for recertification.
> The CCNA certifications are valid for three years. To recertify, candidates
> can also pass the new ICND 640-811 exam, the current CCNA exam, or any exam
> at the Professional or Cisco Qualified Specialist level bearing the prefix
> 642. The existing CCNA 640-607 exam will retire on September 30, 2003. CCNA:
> www.cisco.com/go/ccna
>
> --
>
> Cisco Learning Partners are the only source of authorized Cisco
> training. Carefully selected by Cisco Systems, these companies are the only
> organizations to employ Certified Cisco Systems Instructors and deliver
> Cisco authorized and approved content. To find a Cisco Learning Partner in
> your area offering the new CCNA course curriculum, choose your preferred
> delivery method and go to the "Click Here to List Offerings" links to
> register for a scheduled course today.
>
> Introduction to Cisco Networking Technologies (INTRO) v1.0a
> Interconnecting Cisco Network Devices (ICND) v2.1
>
> www.cisco.com/go/training
>
> Cisco Learning Credits Program provides customers with an unrivaled
> ability to review, redeem and administrate training online. The new Learning
> Credits Management Tool lets customers view credit balances, review account
> transactions, generate reports and monitor training courses taken by
> individuals and departments in real-time.
> www.cisco.com/go/learningcredits
>
> --
>
> All contents copyright © 2003 Cisco Systems, Inc.
>
> "Dennis Laganiere" wrote in message
> news:[EMAIL PROTECTED]
> > I haven't seen anyth
Re: Technology, Certification, Skill Sets, and Looking [7:70860]
Wow, Chuck, way to suck the life out of the economy and our futures...oh, wait, that was due to the bubble popping lo all those years ago.

For an assessment of networking futures, let's turn to Lovecraft...(thanks to www.Cthulhu.org)

"It seemed to be a sort of monster, or symbol representing a monster, of a form which only a diseased fancy could conceive. If I say that my somewhat extravagant imagination yielded simultaneous pictures of an octopus, a dragon, and a human caricature, I shall not be unfaithful to the spirit of the thing. A pulpy, tentacled head surmounted a grotesque and scaly body with rudimentary wings; but it was the general outline of the whole which made it most shockingly frightful."

We know the pulpy head has been popped...

Sadly, though, I believe that you are right on the money...networking and its advanced features are becoming more point-button simple. I figure that we got about 10 years at the most before the bottom truly drops out and networking becomes as simple and mindless as programming your VCR or TiVo...you don't need assistance anymore.

As far as for myself, I am currently working on developing my people skills as I do want to attain senior greeter status...the handing out balloons and talking is really tripping me up...does anyone want to form a study group with me to study that?

Charles

"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]
> The Road Goes Ever On wrote:
> >
> > "Priscilla Oppenheimer" wrote in message
> > news:[EMAIL PROTECTED]
> > >
> > > Someone also just sent me a URL to this newspaper article that points out
> > > the importance of learning business practices, not just particular
> > > technologies. It's a good read:
> > >
> > > http://www.startribune.com/stories/789/3936460.html
> > >
> >
> > An interesting article, and one with some nuggets of good advice,
> > particularly for those new to the business cycle. For those who have been
> > seeing articles like this over the past twenty years or so, this article
> > reinforces good advice, much along the lines that NRF has offered in other
> > threads that appear regularly on Groupstudy. Good advice is timeless, and
> > the advice in this article, which reiterates similar outlooks as have
> > appeared in the business press over the past couple of decades remains true.
> >
> > Way back when I was learning things and formulating my own technology
> > philosophy, I was blown away by three things I read - Peter Keen's book
> > Competing in Time, Paul Strassman's book The Business Value of Computers,
> > and an obscure article written by an economist working for the Chicago
> > Federal Reserve Bank. Each of these sources in its own way says similar
> > things from a higher level. The Fed study was a short and simple one, but of
> > all the business sources I have read, still seems the most relevant. The
> > gist of the study was that investment in infrastructure yielded high returns
> > in productivity. The author was reporting on government investment in
> > physical infrastructure such as roads, water treatment, and the like, but a
> > clever student working towards his master's degree while going to night school
> > ran with that theme and wrote a master's thesis which earned him
> > departmental honors.
>
> Was that you? :-) Sounds interesting.
>
> Thanks for commenting on the article. I thought it made some good points.
>
> Priscilla
>
> >
> > Anyone in the technology field, whether it be IT Management, Consulting, or
> > even something as seemingly mundane as sales, should ALWAYS be aware of the
> > business value of technology. Over the past 15 years or so it has been
> > technology which has driven productivity.
> >
> > The dark side is that technology changes, and has a way of becoming more
> > appliance like, meaning that what was skilled labor yesterday is out of the
> > box tomorrow. Think about it. All you folks who are AVVID experts and
> > therefore in high demand. How long before AVVID is nothing more than another
> > PBX, and routers self configure for QoS? Think the telco employee who drives
> > the truck and installs your DSL is making 100K? not likely.
> >
> > So yes - keep your skills up to date, so you don't end up like the guy in
> > the article. My own opinion is that one must always consider the value to
> > business for any skill set one pursues.
> >
> > JMHO
> >
> > NRF - your comments are always welcome on topics such as these.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70860&t=70860
Re: STP problem [7:70797]
What an interesting scenario! If I understood your message correctly, the network picture is something like this:

Wired Network -Cat-Wireless Network |User|

Your problem is that the user is bridging the wired and wireless (and so is the Cat), which means there are two functioning links (bridges) between the wireless and wired.

Your real problem is even if you track this user down and beat them severely with an AP antenna until his MCSE falls on the floor, this problem is going to repeat itself with the next user who has a similar wired/wireless card.

So...it's a long day and I can't think of the specific commands or syntax or what I had for lunch, but configure the cat port that the wireless AP is connected to to make it the root bridge such that it will always beat the out of any wanna be bridges, thus ensuring that the rogues block.

Sorry, can't be more specific than this, but my brain is frazzled so right now, I think STP is something you put in your car...but maybe it will help with your problem...

HTH anyway,

Charles

"Christopher Dumais" wrote in message news:[EMAIL PROTECTED]
> Hi all,
> We are having an STP problem where we think a user with an integrated
> wireless and LAN NIC is creating a bridge loop and bringing down the entire
> network. The problem occurs then goes away after 20 or so minutes unless we
> can narrow down which closet it is coming from and reboot the switch. All of
> our management tools die during the outage. Does anyone have any ideas on
> how we might prevent this from happening or track down the offender? We have
> 6509's in our Core and a mix of 3548's and 3550-SMI. Any thoughts are
> appreciated. Thanks!
>
> Chris Dumais, CCNP, CNA
> Sr. Network Administrator
> NSS Customer and Desktop Services Team
> Maine Medical Center
> (207)871-6940
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70801&t=70797
Re: Quick Pix Question. [7:70145]
The counters are not incrementing because the entries are not being matched. Suspect that the ACL is applied to the wrong interface. Remember the direction - in - which means that the access list is applied to traffic entering a particular interface from their residence on that interface.

For example:

INSIDE -PIX -OUTSIDE

If I want my ACL to filter ICMP traffic originating from the INSIDE network, I would apply it to the INSIDE interface. However, if I have to filter ICMP traffic to my INSIDE network from the OUTSIDE network, I would apply it to the OUTSIDE interface.

HTH,

Charles

"Paul" wrote in message news:[EMAIL PROTECTED]
> Hi all ...
>
> One of my 515's has all its access-list counters set to 0, when I ping for
> instance, the counter for the relevant ICMP access-list does not increment
> ???
>
> How do I turn it on ??? I have searched the Cisco website and my Pix book
> without any luck ??
>
> Kind regards
>
> Paul ...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70198&t=70145
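An added example, not part of the original reply: the check described above (is the ACL bound to the interface the traffic actually enters?) run over constructed PIX-style `access-group` lines and `show access-list` output. The ACL names, addresses and hit counts are made up, and `parse`, `diagnose` and `zero_hit_report` are hypothetical helper names.

```python
import re

# Constructed sample: PIX-style "access-group" bindings mixed with
# "show access-list" output. Names, addresses and counters are made up.
SAMPLE = """\
access-group acl_icmp in interface outside
access-list acl_icmp; 1 elements
access-list acl_icmp permit icmp 10.1.1.0 255.255.255.0 any (hitcnt=0)
access-list acl_web; 1 elements
access-list acl_web permit tcp any host 10.3.3.1 eq www (hitcnt=0)
access-list acl_dmz; 2 elements
access-list acl_dmz permit tcp any any eq domain (hitcnt=37)
access-list acl_dmz permit icmp any any (hitcnt=0)
access-group acl_dmz in interface dmz
"""

# "access-group <acl> in interface <if_name>" binds an ACL to inbound traffic.
BIND_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
# One ACL entry with its hit counter; later releases add "line N" after the name.
ENTRY_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?"
    r"((?:permit|deny)\s.*?)\s*\(hitcnt=(\d+)\)$"
)


def parse(text):
    """Return ({acl: interface}, {acl: [(rule, hitcnt), ...]})."""
    bindings, entries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(
                (m.group(2), int(m.group(3)))
            )
    return bindings, entries


def diagnose(text, acl, ingress_if):
    """Say whether traffic entering ingress_if is ever checked against acl."""
    bindings, entries = parse(text)
    if acl not in entries:
        return "unknown-acl"
    bound = bindings.get(acl)
    if bound is None:
        return "unbound"          # defined, but no access-group uses it
    if bound != ingress_if:
        return "wrong-interface"  # bound, but the traffic enters elsewhere
    return "evaluated"


def zero_hit_report(text):
    """List (acl, bound interface or None, rule) for every entry with no hits."""
    bindings, entries = parse(text)
    return [
        (acl, bindings.get(acl), rule)
        for acl, rules in entries.items()
        for rule, hits in rules
        if hits == 0
    ]


if __name__ == "__main__":
    # Pings sourced from 10.1.1.0/24 enter the PIX on the inside interface.
    print("acl_icmp vs inside traffic:", diagnose(SAMPLE, "acl_icmp", "inside"))
    for acl, iface, rule in zero_hit_report(SAMPLE):
        print(f"{acl} (bound to {iface}): no hits on '{rule}'")
```

A zero counter on an entry whose source is an inside network, in an ACL bound to the outside interface, is the "wrong interface" case; a zero counter in an ACL with no `access-group` line at all is a different fault with the same symptom.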
Re: How to trace conversations of Yahoo and Acess to Sex sites [7:70136]
My first question to you is: Do you have a written security policy governing such actions, along with consequences and a chain of escalation spelled out? If not, give it up, as it will rapidly devolve into a did too/did not discussion, with one of you bursting into tears, which, while funny in the movies, is not so fun in real life.

That is not to say that you should condone this person's behavior. Make it a point to pop into his office, and say, "hey, how's it hanging...whatcha looking at, pictures of your sister?" then call other people into the office, and say very loudly, "hey, look what his sister is doing!". Point and giggle at him. Do that often enough and it'll become an open secret, which is bound to bring attention to it.

Otherwise, without official sanction and without evidence, you will be fighting a losing battle. You can also file a sexual harassment complaint about it especially if you are exposed to something that offends you or makes you uncomfortable in the workplace.

Finally, if your boss is so worried, he/she needs to take the initiative and pursue this if it is that important. Tell your boss that your hands are tied without the f/w access, and that you have done as much as you can.

HTH,

Charles

"Tom Martin" wrote in message news:[EMAIL PROTECTED]
> Bala Ware,
>
> With all due respect, it seems to me that you have a political problem
> on your hands. You're dealing with a GM that wants (more or less)
> direct access to the Internet and manages the person(s) responsible for
> managing the firewall.
>
> Of course there's ways to identify what he's doing on the Internet, but
> it sounds as if the GM has enough authority to make this process
> difficult (assuming he finds out) and your job could end up in jeopardy.
> It may not be fair, but sometimes that's life.
>
> Perhaps your boss should talk to the GM (or his boss). I'm not sure
> that a technical approach would be appropriate given the situation.
>
> My 2 cents anyway.
>
> - Tom
>
> Mr piyush shah wrote:
> > Hello all
> > I will be highly appreciable if someone will help
> > me. In our organisation there is a newly joined to whom
> > we have provided internet access through proxy server.
> > However being slightly technical he has insistently
> > taken public Ip address and have opened all the ports
> > on firewall, wherein from his pc to external world all
> > ports are opened. My boss is worrying whether this
> > chap is utilising this facility for chatting using
> > yahoo messenger with sex chat rooms as well as
> > accessing many more sex sites. Unfortunately there is no
> > way to trace whether what is he accessing. I request
> > you to suggest some software which will track what
> > site is he accessing and what conversation is he
> > doing.
> > I know that I can load websense or surfcontrol on
> > f/w, but unfortunately f/w is being controlled by one
> > of the engineer who reports to the GM. Hence no access
> > to f/w.
> > I sincerely request to help me.
> >
> > Regards
> >
> > BALA WARE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70136&t=70136
Re: Loosing router config (OT rants) [7:69850]
I feel your pain! I am sitting here looking at a "correct" configuration that is not working. Cisco TAC seems befuddled as I am. Why is the PIX so erratic? This sometimes works, sometimes not is driving me bonkers!

Whatever you do, do NOT use 6.3 unless there is a specific feature or bug fix you KNOW that you need. Nothing but heartache for me since I tried to upgrade to that piece of..oh, look, a butterfly!

Thanks for the rant opp.

Charles

"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]
> Bruce Enders wrote:
> >
> > What kind of output do you get after the write mem or copy run start
>
> Wasn't Cisco supposed to deprecate "write mem?" I never learned those forms
> of the commands because when I first started learning Cisco eight years ago,
> Cisco said not to bother learning them because they were going away!
>
> Then yesterday I discovered that my new PIX firewall wouldn't take "copy run
> start?" Or was I making a typo or something? I had to reach into the back of
> my mind and come up with "write mem" which I thought they were going to get
> rid of. And I approved of that plan since it's totally non-intuitive. :-)
>
> Speaking of non-intuitive, why DO we put up with the PIX? What a beast. It
> took me all day to get it to do some simple forwarding. The thing is
> expensive, slow, and almost impossible to configure. Why do we put up with
> it? :-) Not being able to do "copy run start" took the cake.
>
> Rantings from a frustrated Cisco fan.
>
> Priscilla
>
> > commands? Anything?
> > Also, after you save the config, do a show start to see if the changes
> > have in fact been written to NVRAM. (I suspect the problem is with NVRAM,
> > although I personally have never encountered a write-protected NVRAM on a
> > Cisco router before, but that doesn't mean it can't happen! And your
> > symptoms certainly sound like that is the case)!
> > Since the existing configuration is still there when you reboot, I doubt
> > the problem is with the config-register.
> > I will be interested in what you find,
> > Bruce
> >
> > MADMAN wrote:
> >
> > That's a good one! After saving the config do you see the changes
> > when you do a write term? What is the platform and the IOS?
> >
> > Dave
> >
> > Hitesh Arora wrote:
> >
> > Dear All,
> >
> > I need some expert comments from this group for my problem. The router is
> > in working condition and 3 links are working fine on this router. Now I
> > need to do some changes in the router configuration. After changing and
> > saving the configuration, I gave a reboot to the router. But I find, that
> > router is back to the previous old configuration. Why so??
> >
> > I have checked that the config-register setting is set to 0x2102. Sh
> > Version command also shows me the config-register is set to 0x2102. I have
> > applied the config-register 0x2102 command also to be doubly sure that the
> > router is picking config from the same register.
> >
> > Pls. help
> >
> > Thanks
> > Hitesh
> >
> > --
> > Bruce Enders
> > Chesapeake Netcraftsmen, LLC Cell 443-994-0678
> > 1290 Bay Dale Drive #312 HO 410-280-6927
> > Arnold, MD 21012 efax 443-331-0651

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69921&t=69850
HHEEEELLLLPPPP! PIX 515E 6.2: Inside Networks can only reach [7:69757]
Hi, all,

I have a problem that is making me scream and shout, gonna knock myself out. It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only reach inside hosts and outside networks: it can not reach any host on the DMZ, despite the fact that there are numerous statics and alias configured to permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ; the 10.2.2.1 is its outside address (as well as being its registered DNS name).

If an inside networker DNS queries for SERVERA, the following commands are supposed to swap the outside address for the DMZ address. In other words, intercept the DNS reply and change it so that the inside network will then establish a session to 10.3.3.1 (dmz address), not to 10.2.2.1 (outside nat'ed address)

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening: the inside network DNS requeries are getting outside addresses.

Compounding the problem is the translation process itself. The below states that when Inside networks go to the DMZ network, PAT their address to 10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
global (DMZ) 1 10.3.3.9 netmask 255.255.255.0

So, in a happy world, the inside network should DNS query for SERVERA, the PIX should intercept replies and change to a DMZ address (alias), and NAT should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know why. I beseech thee, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a mistake. I have since downgraded it back to 6.2, and have checked and rechecked the config...there are no commands missing.

TIA,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=69757&t=69757
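An added example, not part of the original post and not PIX code: a model of the DNS reply rewrite the post expects from `alias`, plus a check that reports whether a captured reply still carries the outside address. The mapping direction (10.2.2.1 rewritten to 10.3.3.1) follows the post's prose; the host name, the constructed reply and all function names are assumptions.

```python
import ipaddress
import struct

# Address seen in the DNS reply -> address the inside host should receive.
# The two addresses are the post's; expressing them as a dict is an assumption.
ALIAS = {"10.2.2.1": "10.3.3.1"}


def _skip_name(msg, off):
    """Return the offset just past a DNS name, honouring compression."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_records(msg):
    """Return [(rdata_offset, dotted_address)] for A records in the answers."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                            # fixed DNS header length
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A
            found.append((off, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return found


def doctor(msg, alias=ALIAS):
    """Model of the expected rewrite: replace aliased A records in a copy."""
    buf = bytearray(msg)
    for off, addr in a_records(msg):
        if addr in alias:
            buf[off:off + 4] = ipaddress.IPv4Address(alias[addr]).packed
    return bytes(buf)


def undoctored(msg, alias=ALIAS):
    """Addresses in the reply that should have been rewritten but were not."""
    return [addr for _, addr in a_records(msg) if addr in alias]


def build_reply(name, addr):
    """Construct a minimal one-answer DNS reply (sample input, not a capture)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


if __name__ == "__main__":
    seen_inside = build_reply("servera.example.com", "10.2.2.1")
    print("still carrying outside address:", undoctored(seen_inside))
    print("after modelled rewrite:", [a for _, a in a_records(doctor(seen_inside))])
```

Running `undoctored` over the payload of a reply captured on the inside segment separates the two halves of the problem: a non-empty result means the reply was never rewritten, an empty one means the rewrite worked and the fault lies in the translation that follows.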
Putting my rack online [7:65214]
Hi, all,

Does anyone have a template or configuration I can use to put my rack online? At this point, this is for me and my colleagues personally, not looking at selling time on it anytime soon.

I figured I would ask the group for a design or template and see if I can avoid reinventing the wheel.

Basically, I'd like to set up a Linux box with friendly web page for scheduling, turn the rack on and off (apc9211 power switch), and other features. The users would schedule their time, which configures the console router to open up the access list for their account, and from there, straight sessions to each router.

I am not asking for much, am I?

TIA,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65214&t=65214
Re: VPN Client behind PIX [7:64358]
You may be able to avoid throwing a VPN concentrator into the mix just yet. Need more information before this can be answered, but it could be that the source address of your home system is being NATed, which can interfere with IPsec. It could be that your Pix is blocking.

Before you tear into your Pix's configuration, take it out of the equation and ensure that you can establish the VPN as you did before you installed the Pix. If successful, then put your Pix back into the mix.

Check a few things:

1. Are you translating the VPN client's source IP address?
2. Are you permitting IPsec traffic to pass untranslated?
3. Are IPsec responses permitted to return to your VPN client?
4. Does the Pix at work only accept IPsec from specific addresses?

Obviously, since the work Pix and your VPN client did not change, the problem lies with the configuration of the PIX you have at home.

HTH,

Charles

"Kevin O'Gilvie" wrote in message news:[EMAIL PROTECTED]
> You have to do a IPSEC tunnel from Pix to Pix or Purchase VPN Concentrator.
> I have the same issue.
>
> >From: "Steve Smith"
> >Reply-To: "Steve Smith"
> >To: [EMAIL PROTECTED]
> >Subject: VPN Client behind PIX [7:64358]
> >Date: Tue, 4 Mar 2003 16:15:21 GMT
> >
> >OK gang here is the scenario. We have a PIX at work running VPN. I have
> >a 515 at home. Before I put the 515 at home in I could use the VPN
> >client to connect to work. Now I can not. I remember a year or so back
> >reading a Cisco article about this and that you had to use a certain IP
> >range on the remote (my house) network. Does anyone know anything about
> >this? Any suggestions?
> >
> >Thanks!
> >
> >Steve Smith
> >Enterprise Engineer
> >901-758-8179 ext. 108
> >TEKSELL
> >[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64376&t=64358
Re: Log files Pix & Chkpnt [7:63646]
Try www.micromuse.com or logboss at http://www.securityprofiling.com/logboss.htm.

HTH,

Charles

wrote in message news:[EMAIL PROTECTED]
> Does anyone know of a product that will merge log files from multiple
> sources Snort, PIX, Checkpoint, etc...?
>
> I'm trying to centralize much of our security management responsibilities.
>
> Thanx,
> Mike J.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63649&t=63646
Re: Re: Snort versus Cisco IDS [7:62939]
There are also some very nice prebuilt Snort sensors with a GUI from the following vendors.

www.sourcefire.com
www.silicondefense.com
www.packetalarm.com

I have had the opportunity to evaluate and configure products from all three, and they have done an excellent job of bringing Snort to the masses. Basically, the sensors have a hardened OS (Linux or Solaris) with a creamy GUI wrapped around it and of course, Snort in all its glory.

And, no, I don't get a commission from any of the above...

HTH,

Charles

"Craig Columbus" wrote in message news:[EMAIL PROTECTED]...
> Having installed and worked with both products, I think that Cisco's
> offering is more comprehensive, but Snort is highly reliable and much
> cheaper.
> It doesn't have some of the features of the Cisco product (dynamic
> shunning), but for most small to medium sized businesses (like the kind I
> work with daily), Snort is more than sufficient given the cost.
> On average, I can install a Snort sensor on dedicated hardware and FreeBSD
> for approximately $1000. A single Cisco 4210 sensor install costs me about
> $5600. If I need to scale to Gbit capability, I can install a Snort sensor
> for approx. $5000, compared to $18K for a Cisco 4250.
>
> In summary, they're both decent products. If you need a comprehensive
> system for large enterprise, then Cisco certainly has the edge over
> Snort...at least until you start talking about hardware-based, customized
> snort like that from Silicon Defense. If you just need a solid IDS for
> small business and don't want to spend a ton of cash, then Snort is a great
> alternative and is usually my first recommendation.
>
> At 05:06 AM 2/13/2003 +, you wrote:
> >Someone told me in an authoritative voice today that Cisco doesn't recommend
> >their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a
> >big part of SAFE?
> >
> >Of course, the person who said this doesn't understand that Cisco is a huge,
> >chaotic organism, and that saying Cisco does something based on what one
> >person does, doesn't make sense.
> >
> >But I'm just curious, what do you all recommend for intrusion detection? How
> >do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> >complicated, requiring appliances or IDS cards in a switch and a console:
> >
> >Cisco Secure IDS Director - HP OpenView Network Node Manager "plug-in" that
> >runs on UNIX (Solaris and HP-UX)
> >
> >Cisco Secure Policy Manager (v2.2+) - Windows NT-based package
> >
> >Thanks.
> >
> >Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62971&t=62939
Re: New Instructor Experiences [7:62826]
John,

Sounds like you had what I call a "Floating Talking Head" experience. It's happened to me before. Basically, you are in the middle of teaching, presenting, or briefing, and you experience a trippy sensation of almost being outside yourself. As you talk, your self awareness gets distorted, and you become very aware that you are forming sounds with your mouth. You are like "whoa! I am talking about stuff!" to people! Whoa! This of course messes up whatever it was you were trying to say, or you speed up, or get goofy.

There is no cure, though some professors try leather elbow patches and a pipe. Best just get some cookies and coffee and chalk it up. Tomorrow, if I were you, I'd review what you were covering when you experienced FTH just to ensure that your students are on the same sheet of music.

HTH,

Charles

"John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> I just feel the need to rant/vent for a bit and I knew there were a
> bunch of you who might be able to relate to this. I've started teaching
> a short, one-session general networking class for some of the people
> here at the bank. The first session, which was really just a runthrough
> with a handful of students, went fairly well. In fact, it went so well
> that they increased the number of overall attendees to about 60 or so.
>
> Last week I had another session that went exceptionally well, except
> for a couple of students who really didn't want to be there. I couldn't
> have asked for it to go better, and my boss heard lots of good things
> about it. One person even said I should be a professor! :-) Now, that
> brings us to today
>
> Today I had an afternoon class, and in my opinion it sucked rotten
> eggs. I feel embarrassed to have been involved with it. I can't
> think of too many ways in which it could have gone worse. I rambled, I
> flew through 2.5 hours of material in about an hour, I lost my place a
> lot. I'm not certain that I ever formed a train of thought longer than
> a couple of cars, and I think even those trains were without engine and
> caboose.
>
> Have any of you other instructors had days like that? As I even
> mentioned in class, I felt like my 'explainer' was broken today, and it
> certainly was. I'm hoping that I could get some sympathy from other
> instructors with similar experiences.
>
> Okay, I'm going to go drown my disappointment in some coffee!
>
> John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62829&t=62826
Re: Checkpoint NG trial licence needed [7:62823]
Chris,

Got this off of www.firewall-1.org, not exactly what you are looking for but at least you can play with the GUI until CP comes through.

You need an eval licence to have a fully functional product for 30 days. But if what you want is to see the GUI interface (not functional at all), you can download the GUI, install it on a Windows Machine, and set the server as "*local". The SMART Dashboard (formerly known as Policy Editor) will open with a demo configuration.

HTH,

Charles

"Chris" wrote in message news:[EMAIL PROTECTED]...
> Hi all
>
> I know it's OT but I hope some of you have a clue for this. Where from I can get a trial license for Checkpoint NG ? I already asked this question on their news site but no answer (it was the second posting). I don't understand how can u get certified unless you take the training.
>
> Thank you in advance
> Chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62827&t=62823
Re: CCIE Lab - I have seen he future and it is.... [7:62776]
Thanks to all who wrote in. My Kafkaesque post yesterday apparently touched a chord (or nerve) with several folks. I was hoping to start an OT discussion on those Dippin' Dots ice cream, and draw analogies to networking. Heck, I would even settle for Howard asking a variation of his favorite question: "what is the ice cream you are trying to eat?"

In all seriousness, I haven't abandoned all hope yet, it has just lessened in importance and intensity for me. In response to CN's question, I have attempted the lab at least once, Brussels, way back when the lab was a two day lab, and the numbers were still quad digits. Without violating the NDA, let's just say that I will never forgive ISDN for what it did to me.

As far as my motives for CCIE chasing, the main reason I am persisting is that not only have I invested time, money, and freeze dried ice cream, but the CCIE quest motivates me to study topics that I don't necessarily deal with on a daily basis, and to practice exotic configurations with those that I do. OSPF through a GRE tunnel over an ISDN DBU to the Dippin' Dots website, anyone?

Thanks,

Charles

"Cisco Nuts" wrote in message news:[EMAIL PROTECTED]...
> Hello Charles,
>
> With due respect I ask, why did you abandon your quest for the CCIE? I am curious as to how many times you actually hit the Lab?
>
> Sincerely,
>
> CN
>
> >From: "Charles Riley"
> >Reply-To: "Charles Riley"
> >To: [EMAIL PROTECTED]
> >Subject: Re: CCIE Lab - I have seen he future and it is [7:62776]
> >Date: Mon, 10 Feb 2003 22:19:54 GMT
> >
> >Chuck,
> >
> >Your post reminds me of those weird little ice cream stands that I sometimes see at the mall and various carnivals. It's called something like "Dipping Dots - The Ice Cream of the Future". The initial human instinct is much like the Cro-Magnon humanoids encountering the monolith at the beginning of 2001: A Space Odyssey (sp): jump up and down with excitement until you realize it's just freeze dried ice cream.
> >
> >Rounding out that analogy, the CCIE of the future will probably be reduced to being the CCNP of today. Regardless, I have spent too much time and money to abandon the quest for CCIE now, but frankly, if I hadn't invested as much as I have, I would most likely abandon the quest in favor of broadening into other areas. I really don't see much market value for the CCIE anymore, especially with Cisco hellbent on making it a meatgrinding cash cow. Your java console and "one way only to configure" experience kind of bears this out.
> >
> >Sorry for the depressing post, just wanted to share.
> >
> >Charles
> >
> >"The Long and Winding Road" wrote in message news:[EMAIL PROTECTED]...
> > > Been spending this weekend on what was once the Cisco Advanced SE Training ( ASET ) set of labs. These are available for those whose Cisco account team approves - there are a few conditions which can be found in the wee places of certification training.
> > >
> > > The program is run by Lab Gear ( the only link I have is www.labgear.net, but this is a login page ) There are a number of labs of CCIE level, look, and feel.
> > >
> > > Supposed to be real equipment, but the access is via java script windows, not terminal emulation. This makes for some interesting situations. The windows show or provide output only when they are active. So if you had two router sessions open, and you made changes on one router that would generate systems messages of one sort or another you would not see those messages on the other. also, I have yet to find a way to generate output from debugging commands. Things like term mon and logging of one kind or another have not been successful. so no debug ip routing and debug ip ospf adj.
> > >
> > > As with the real lab, there are a series of tasks to be completed. Grading is done via a script. This is the point of most interest. Actually, I suspect a lot of the current CCIE Lab grading is done using scripting tools. I believe the proctors still physically examine equipment configurations for some things, but I could be wrong.
> > >
> > > It is of interest because to judge from the script outputs I am seeing, there appears to be an assumption that there is one and only one way to
Re: CCIE Lab - I have seen he future and it is.... [7:62776]
Chuck,

Your post reminds me of those weird little ice cream stands that I sometimes see at the mall and various carnivals. It's called something like "Dipping Dots - The Ice Cream of the Future". The initial human instinct is much like the Cro-Magnon humanoids encountering the monolith at the beginning of 2001: A Space Odyssey (sp): jump up and down with excitement until you realize it's just freeze dried ice cream.

Rounding out that analogy, the CCIE of the future will probably be reduced to being the CCNP of today. Regardless, I have spent too much time and money to abandon the quest for CCIE now, but frankly, if I hadn't invested as much as I have, I would most likely abandon the quest in favor of broadening into other areas. I really don't see much market value for the CCIE anymore, especially with Cisco hellbent on making it a meatgrinding cash cow. Your java console and "one way only to configure" experience kind of bears this out.

Sorry for the depressing post, just wanted to share.

Charles

"The Long and Winding Road" wrote in message news:[EMAIL PROTECTED]...
> Been spending this weekend on what was once the Cisco Advanced SE Training ( ASET ) set of labs. These are available for those whose Cisco account team approves - there are a few conditions which can be found in the wee places of certification training.
>
> The program is run by Lab Gear ( the only link I have is www.labgear.net, but this is a login page ) There are a number of labs of CCIE level, look, and feel.
>
> Supposed to be real equipment, but the access is via java script windows, not terminal emulation. This makes for some interesting situations. The windows show or provide output only when they are active. So if you had two router sessions open, and you made changes on one router that would generate systems messages of one sort or another you would not see those messages on the other. also, I have yet to find a way to generate output from debugging commands. Things like term mon and logging of one kind or another have not been successful. so no debug ip routing and debug ip ospf adj.
>
> As with the real lab, there are a series of tasks to be completed. Grading is done via a script. This is the point of most interest. Actually, I suspect a lot of the current CCIE Lab grading is done using scripting tools. I believe the proctors still physically examine equipment configurations for some things, but I could be wrong.
>
> It is of interest because to judge from the script outputs I am seeing, there appears to be an assumption that there is one and only one way to do things. I'm not sure this is always true. I am not sure that this results in an entirely accurate grade.
>
> But more importantly, given my experience with the java consoles and the manner in which these labs must be done, I am not sure I like where this is headed. Something Brian Dennis and Brad Ellis and some other people started talking about back when the CCIE Lab went from two days to one - something about the longer term goal being to do the test remotely, and having people show up at Sylvan or some other testing center and log in remotely.
>
> If the Lab Gear approach is any indication, this is not ready for real live testing. I experienced far too many problems with terminal ( javascript ) sessions disconnecting mysteriously. With 8 open windows, it sometimes got to be very hard to find the session ( router ) I was looking for. Cut and paste is a real pain. You have to open a "scratchpad" window, which is associated with the javascript console window. cutting and pasting is done to this wind. there are scratchpad windows associated with each java wind, so if you had a scratchpad open for every router session, that makes for a LOT of junk to fight your way through looking for what you want. then there is the problem of actually moving what you want to copy and paste. highlight and control c control v or alt e paste don't work. you have to click on buttons on the java consoles to copy to and from routers.
>
> beyond that, there is the problems of whether or not the "script" answer is the right answer. For example, in one lab, a particular instruction requires that the rip routers on a particular segment have to use the neighbor statement to see each other ( and prevent other routers on that segment from joining into the RIP domain ) well, the problem is, one of those routers is connected to another RIP router via a different interface. need a neighbor statement there too, but the script does not cover this, nor does the answer configuration show this.
>
> anyway, I have seen the future, and the CCIE Lab future looks like it may be heading to these kinds of remote lab settings.
>
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62776&t=62776
Re: PIX firewall simultaneous connections [7:62575]
I believe that if you check the Cisco website or documentation, you will see that it defines a session as a single TCP or UDP connection. If somehow you had 2M users, yet their total number of sessions never exceeded 500K, then your firewall could handle 2M users. I am not addressing performance at all here.

Realistically, though, your users are going to have any number of sessions established as they read their email, check the web, download files, and so on. It's possible that your 500K PIX firewall could only be able to handle about 5K or 50K of your users if they are the kind of users to keep hundreds or thousands of sessions going at once.

HTH,

Charles

"Kenan Ahmed Siddiqi" wrote in message news:[EMAIL PROTECTED]...
> Hello groupies,
> I was reading the PIX book and it apparently said that the no. of connection supported by a PIX firewall (higher order) is 500,000. Does this mean that up to 500,000 sessions can be established or something else? If so, what do I do if I have a throughput of say 2 million users? Thanks in adv.
>
> Cheers,
>
> Kenan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62578&t=62575
Re: what the h... - strange problem - MORE INFO [7:62184]
Thanks to all who have responded and requested more information. Below is a more embellished picture:

"Internet"-BIG_ROUTER-FR-2500HUB---AS5300---D/U Users

We are the ISP, in this case, which is why I can say no content filtering is occurring. We have several of these small POPs in the region, all of them going to BIG_ROUTER at a central location. BIG_ROUTER and its trusty configuration are not suspects at this point because the other POPs connected to it have no problem. In fact, if users dial into the POPs of nearby towns, they do not have this problem.

This problem was brought to my attention about a week before the slammer attacks occurred. The downloads are via HTTP and FTP; the results are the same. The problems occur with any server on the Internet. This morning, a user just informed that he can no longer download .img files. He also told that he logs attack traffic, and is seeing a lot of scans and attempts against ports 137 (and sometimes 139) on his box.

I don't think our FR provider is the problem since FR stops at Layer 2 and won't/can't distinguish between .zip and .gz files. I am thinking that perhaps there is a workstation or server connected to the hub that may be proxying or intercepting .zip and .exe requests?

Sam's suggestion of sniffing is a good one, and will probably be my next step as it's been a while since this POP LAN had its health checked. Troubleshooting continues!

Charles

"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> Consider your OSI layers. :-) A hub problem is very unlikely to cause such an issue. A generic router wouldn't either. This definitely seems like a Layer 7 problem.
>
> Someone is filtering on .exe and .zip. They just weren't smart enough to think about the UNIX and Mac equivalents. This could be an Intrusion Detection System or some sort of smart firewall.
>
> How are they downloading these? E-mail attachments maybe? Not letting users download .exe files via e-mail attachments might make a lot of sense as an e-mail server configuration.
>
> Anyway, start looking at Layer 7 and above (politics, policies). Question your Internet provider!
>
> Priscilla
>
> Charles Riley wrote:
> >
> > Sorry, should have mentioned. I get the same result whether the user system is UNIX, Mac, or Windows...it plays havoc with .exe and .zip.
> >
> > That is a good suggestion, though, about the sniffer...that is about the only thing I haven't tried yet. The Kmart bluelight special hub is making me a little suspicious...
> >
> > Thanks,
> >
> > Charles
> >
> > "Sam Sneed" wrote in message news:[EMAIL PROTECTED]...
> > > load a packet sniffer on the laptop and see what really happens. If you don't have one I know of a good free one . You install libpcap first, reboot and then install analyzer.
> > >
> > > http://winpcap.polito.it/install/default.htm
> > > http://analyzer.polito.it/install/default.htm
> > >
> > > Then you can see if the packets are coming back to you and if windows is dropping them for some reason.
> > >
> > > "Charles Riley" wrote in message news:[EMAIL PROTECTED]...
> > > > I ran across a strange problem with one of our POPs the other day, and am in the process of researching/troubleshooting it. We have a configuration something like this:
> > > >
> > > > "Internet"---2500---AS5300---D/U Users
> > > >
> > > > Not shown is a LAN connected to the 2nd Ethernet on the 2500. All connections to the shared Ethernet are via a Kmart bluelight special hub. The connection to the Internet is a T-1 FR. Neither the 2500 nor the T-1 is anywhere close to being overloaded.
> > > >
> > > > We are not doing any content filtering, nor have any access lists been applied, nor are any sites blocked.
> > > >
> > > > The connection works great...email, web browsing, etc. all work just fine. The only problem is that users can only download UNIX and Mac flavored files, but not anything that smacks of Win
Re: what the h... - strange problem - Cisco doesn't like [7:62148]
Sorry, should have mentioned. I get the same result whether the user system is UNIX, Mac, or Windows...it plays havoc with .exe and .zip.

That is a good suggestion, though, about the sniffer...that is about the only thing I haven't tried yet. The Kmart bluelight special hub is making me a little suspicious...

Thanks,

Charles

"Sam Sneed" wrote in message news:[EMAIL PROTECTED]...
> load a packet sniffer on the laptop and see what really happens. If you don't have one I know of a good free one . You install libpcap first, reboot and then install analyzer.
>
> http://winpcap.polito.it/install/default.htm
> http://analyzer.polito.it/install/default.htm
>
> Then you can see if the packets are coming back to you and if windows is dropping them for some reason.
>
> "Charles Riley" wrote in message news:[EMAIL PROTECTED]...
> > I ran across a strange problem with one of our POPs the other day, and am in the process of researching/troubleshooting it. We have a configuration something like this:
> >
> > "Internet"---2500---AS5300---D/U Users
> >
> > Not shown is a LAN connected to the 2nd Ethernet on the 2500. All connections to the shared Ethernet are via a Kmart bluelight special hub. The connection to the Internet is a T-1 FR. Neither the 2500 nor the T-1 is anywhere close to being overloaded.
> >
> > We are not doing any content filtering, nor have any access lists been applied, nor are any sites blocked.
> >
> > The connection works great...email, web browsing, etc. all work just fine. The only problem is that users can only download UNIX and Mac flavored files, but not anything that smacks of Windows. For example, they can down the .gz/tar and .sft files for a SSH client for example, but can not download its .exe or .zip counterpart for Windows! Take the same .exe and .zip file, and rename it with a UNIX or Mac filename extension, and you can download it.
> >
> > Surprisingly enough, the problem does not lie with the users. I took a "clean" laptop to the site, and encountered the same results.
> >
> > Has anyone ever experienced a problem like this? Could this be a bug in the IOS on the 2500? Any suggestions would be welcome.
> >
> > TIA,
> >
> > Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62148&t=62148
Re: wireless [7:62104]
John,

It's a little dated, but a lot of folks like 802.11 Wireless Networks: The Definitive Guide (O'Reilly Networking) (Matthew S. Gast). I have that book and it provides some very good detail on A and B, but little on G which was just emerging as the book went to press.

The below is an excellent starting URL for info:

http://www.drizzle.com/~aboba/IEEE/

HTH,

Charles

"John Hutchison" wrote in message news:[EMAIL PROTECTED]...
> I'm navigating the Cisco site as well as whatever google comes up with, but I'm having a very difficult time finding any decent reference material for 802.11. I work for an ISP and unfortunately, we've been left in a position of not having anyone left who's well versed in wireless access. We have several towers and many wireless customers and as things fell, I'm the one in charge of taking care of these customers. I am looking for a good, full understanding of wireless. We use breezecom and cisco equipment. Any URL or book references would be greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62145&t=62104
what the h... - strange problem - Cisco doesn't like Windows? [7:62144]
I ran across a strange problem with one of our POPs the other day, and am in the process of researching/troubleshooting it. We have a configuration something like this:

"Internet"---2500---AS5300---D/U Users

Not shown is a LAN connected to the 2nd Ethernet on the 2500. All connections to the shared Ethernet are via a Kmart bluelight special hub. The connection to the Internet is a T-1 FR. Neither the 2500 nor the T-1 is anywhere close to being overloaded.

We are not doing any content filtering, nor have any access lists been applied, nor are any sites blocked.

The connection works great...email, web browsing, etc. all work just fine. The only problem is that users can only download UNIX and Mac flavored files, but not anything that smacks of Windows. For example, they can down the .gz/tar and .sft files for a SSH client for example, but can not download its .exe or .zip counterpart for Windows! Take the same .exe and .zip file, and rename it with a UNIX or Mac filename extension, and you can download it.

Surprisingly enough, the problem does not lie with the users. I took a "clean" laptop to the site, and encountered the same results.

Has anyone ever experienced a problem like this? Could this be a bug in the IOS on the 2500? Any suggestions would be welcome.

TIA,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62144&t=62144
Re: Help with pix firewall logging [7:61902]
It may be that no alerts at the "warnings" level have occurred. Try setting it at a high level such as 6 or 7 (which pretty much logs everything). Once you have ascertained that logging between the PIX and syslog server are working, then restore it back to the warnings level.

HTH,

Charles

"Elijah Savage III" wrote in message news:[EMAIL PROTECTED]...
> All,
>
> I have a pix running 6.2 it is logging to a freebsd server on the local network. It was logging at one time to syslog no problem but all of a sudden it stopped and I can't get it working. Here is the logging config I turned up logging to see if it would help and nothing. Yes I am sure syslog is running on the box if I do a tcpdump on the freebsd server I see nothing coming from the pix.
>
> logging on
> logging timestamp
> logging trap warnings
> logging history debugging
> logging facility 23
> logging host inside 192.168.11.254

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61923&t=61902
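The severity filter discussed in this thread, as an added example that is not part of the original posts: PIX syslog messages carry their severity in the `%PIX-<level>-<id>` tag, and `logging trap warnings` forwards only levels 0 through 4, so a firewall that is only generating routine messages sends nothing. The sketch also derives the syslog PRI value and the `syslog.conf` selector that correspond to `logging facility 23` (local7); the sample messages and all function names are constructed for illustration.

```python
import re

# Level names accepted by the PIX "logging trap" command, indexed by number.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]
# Matching priority keywords used in a BSD syslog.conf selector.
SYSLOG_NAMES = ["emerg", "alert", "crit", "err",
                "warning", "notice", "info", "debug"]

# PIX messages are tagged %PIX-<severity>-<message id>:
PIX_TAG = re.compile(r"%PIX-([0-7])-(\d+):")

# Constructed sample of routine traffic on a quiet firewall (not captured data).
SAMPLE = [
    "Feb 10 2003 09:15:02: %PIX-6-302013: Built outbound TCP connection (constructed)",
    "Feb 10 2003 09:15:04: %PIX-5-111008: User executed a command (constructed)",
    "Feb 10 2003 09:15:09: %PIX-7-609001: Built local-host (constructed)",
    "Feb 10 2003 09:15:30: %PIX-6-302014: Teardown TCP connection (constructed)",
]

def level_number(level):
    """Accept either a number (0-7) or a PIX level name such as 'warnings'."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError("severity must be 0-7")
    return LEVELS.index(level.lower())  # raises ValueError for unknown names

def severity_of(line):
    """Return the numeric severity from the %PIX tag, or None if absent."""
    match = PIX_TAG.search(line)
    return int(match.group(1)) if match else None

def forwarded(lines, trap):
    """Messages the PIX would send to the syslog host at this trap level."""
    limit = level_number(trap)
    kept = []
    for line in lines:
        sev = severity_of(line)
        if sev is not None and sev <= limit:  # lower number = more severe
            kept.append(line)
    return kept

def lowest_useful_trap(lines):
    """Least verbose trap level at which at least one message is forwarded."""
    sevs = [s for s in map(severity_of, lines) if s is not None]
    return LEVELS[min(sevs)] if sevs else None

def syslog_pri(facility, severity):
    """PRI value at the start of the datagram: facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def selector(facility, trap):
    """syslog.conf selector that catches everything sent at this trap level."""
    if not 16 <= facility <= 23:
        raise ValueError("PIX facilities 16-23 map to local0-local7")
    return "local%d.%s" % (facility - 16, SYSLOG_NAMES[level_number(trap)])

if __name__ == "__main__":
    for trap in ("warnings", "notifications", "debugging"):
        print(trap, "->", len(forwarded(SAMPLE, trap)), "message(s) sent;",
              "server selector", selector(23, trap))
    print("PRI for a warning on facility 23:", syslog_pri(23, 4))
```

If the server-side selector is narrower than the trap level, messages arrive on the wire but are never written, which looks different in tcpdump from the silent-firewall case above.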
Re: Cisco VPN Client 4.0 -- BETA [7:61589]
Robert,

What new features does it have, and what problems will it solve?

TIA,

Charles

"Robert Raver" wrote in message news:[EMAIL PROTECTED]...
> Hey,
>
> For all those interested the 4.0 VPN Client(BETA) will be in March/April. This VAN Client is totally rebuilt and has some very nice new features. Thought I would just let everyone know.
>
> Thanks,
> Robert Raver

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61602&t=61589
Re: OT well, sort of - IDS [7:61523]
I like the various SNORT products...non-proprietary (or as close as this field gets).

SNORT looks good (www.snort.org).

And if you don't have time to build your own, try:

www.sourcfire.com
www.silicondefense.com

Heck, even Packet Alarm may be an option though you will not find any contact information for them, which could speak volumes for their post sale support philosophy:

www.packetalarm.com

The ISS IDS product is "SNORT compatible" meaning SNORT rules can be used on it.

http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=ISS&oid=20602

HTH,

Charles

"Symon Thurlow" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> Just looking for a heads up with regards to IDS in a Cisco PIX environment, ie, what works, what doesn't, and good resources online to read etc.
>
> TIA
>
> Symon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61535&t=61523
Re: OT: Making data centers HIPAA compliant - what is required [7:61462]
Howard,

Thanks for the reply, you have helped me to narrow my focus to rendering the data center "HIPAA compliant". Do you have any pointers or URLs that you can share to any checklists, policies, requirements, etc. for making a data center compliant?

TIA,

Charles

"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
> At 5:23 PM + 1/20/03, Charles Riley wrote:
> >Sorry for the OT post, but have searched high and low, and no definite answer in sight. Really, really apologize for the nontechnical nature of this post, but I have reached a wall after searching all over for an answer. I guess you could say that I am "ill" with searching...
> >
> >HIPAA is a medical information protection and privacy act passed by Congress in 1996. The deadline for complying or getting an extension is this year. You'll probably see more and more requests like mine as the year goes by, so I figured I'd start things off.
> >
> >HIPAA is currently in a state of flux as far as implementation and enforcement is concerned, as many medical professional and organizations rush to comply. Which brings me to my question...
> >
> >In my searches, I see several organizations trumpeting the fact their data centers are "HIPAA certified", meaning that they are cleared to process, store, or otherwise handle medical and private info.
>
> There is no such thing as HIPAA certification, and I do work extensively with medical systems. The best anyone could say is "HIPAA compliant", which has fairly established parallels in the telephony world, where it is possible to get NEBS certification, but extremely expensive and applicable only to one configuration (much as was NSA Orange Book certification)
>
> Reputable vendors mean something when they say NEBS compliant, but there is much more track record in telephony than in medical informatics.
>
> Indeed, there are additional regulations besides HIPAA that may become relevant, including 21CFR11 (primarily about human subject research), CLIA laboratory accreditation and the DEA regulations for electronic prescribing of controlled substances. All of these do include technical, as well as procedural, requirements. For example, DEA specifies the digital signature algorithms and keys, but also has requirements for time synchronization to be used on message authenticators and events logged.
>
> >How is it possible to achieve this certification when there does not seem to be any standards or processes from the U.S. government detailing what will earn the certification?
>
> Again, there isn't. If an industry group were to get together and try to set procedures for doing this, there is an umbrella administrative organization that might help -- the National Voluntary Laboratory Accreditation Program (NVLAP), which has probably been renamed in the normal course of events.
>
> >Does having a couple of tape drives on a server behind a firewall with restricted access qualify a data center to be "HIPAA Compliant"?
>
> If that firewall is connected to the Internet, no. There are specific HIPAA guidelines that would call for 128-bit DES outside the firewall. At present, HIPAA does allow cleartext on dedicated or FR facilities, but it appears that an encryption requirement will evolve because things like DEA require it.
>
> >Is there a checklist, policy, standard, or procedure for certification required by the U.S. government that I missed in my searches? If so, I would appreciate getting the links to such information.
>
> They exist in many places; I've got loads of things that I've collected for consulting clients. You have to be selective in what you are looking for; I'm sure I don't have everything. For example, there are checklists for design and review of human research, but I only scanned those, because my client was concerned with the related but separate problem of patient recruitment for clinical trials.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61462&t=61462
Re: OT: Making data centers HIPAA compliant - what is [7:61396]
Thanks to Priscilla, I think the below may be what I was looking for...more reading before I make a final determination.

http://aspe.hhs.gov/admnsimp/nprm/seclist.htm

Thanks!

"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> Charles Riley wrote:
> >
> > Sorry for the OT post, but have searched high and low, and no
>
> No problem. I don't think it's really OT. HIPAA is going to have a big effect on many data networks.
>
> I'm surprised that you say there isn't information available on how to become HIPAA compliant. There's a lot, isn't there? If companies are saying that they are HIPAA certified, that's a bit of a misnomer. I don't think there's any certification, but there is compliance info available.
>
> Did you check these links:
>
> http://www.hipaadvisory.com/
>
> http://aspe.hhs.gov/admnsimp/
>
> http://www.cms.hhs.gov/hipaa/
>
> http://www.hipaa.org/
>
> I wonder if you could hire a consultant to help you wade through all the regulations and confusing info from the government. Hopefully some consultants will specialize in this.
>
> Priscilla
>
> > definite answer in sight. Really, really apologize for the nontechnical nature of this post, but I have reached a wall after searching all over for an answer. I guess you could say that I am "ill" with searching...
> >
> > HIPAA is a medical information protection and privacy act passed by Congress in 1996. The deadline for complying or getting an extension is this year. You'll probably see more and more requests like mine as the year goes by, so I figured I'd start things off.
> >
> > HIPAA is currently in a state of flux as far as implementation and enforcement is concerned, as many medical professional and organizations rush to comply. Which brings me to my question...
> >
> > In my searches, I see several organizations trumpeting the fact their data centers are "HIPAA certified", meaning that they are cleared to process, store, or otherwise handle medical and private info. How is it possible to achieve this certification when there does not seem to be any standards or processes from the U.S. government detailing what will earn the certification?
> >
> > Does having a couple of tape drives on a server behind a firewall with restricted access qualify a data center to be "HIPAA Compliant"? Is there a checklist, policy, standard, or procedure for certification required by the U.S. government that I missed in my searches? If so, I would appreciate getting the links to such information.
> >
> > TIA,
> >
> > Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61396&t=61396
Re: OT: Making data centers HIPAA compliant - what is [7:61395]
Priscilla,

Thank you for the reply. I had actually already checked most of these sites here. There is a great focus on getting the providers into compliance, but very little information about certifying the networks, servers, storage devices, and other infrastructure used to support the creation, transport, and sharing of medical information...very very very very little. The most I have found is a brief paragraph about ensuring that software complies (and no checklist for that either.)

In thinking about this, I would not only need a checklist, but applicable clauses, sub clauses, etc. of the actual HIPAA to comply with. In other words, I need to go back and major in law, or do as you suggest and locate a HIPAA tech specialist, and hope I get one that knows what they are doing.

Given all the confusion right now, I wonder if those companies touting their data centers as "HIPAA compliant" are doing the equivalent of individuals putting "CCIE Written" on their resumes?

Charles

"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> Charles Riley wrote:
> >
> > Sorry for the OT post, but have searched high and low, and no
>
> No problem. I don't think it's really OT. HIPAA is going to have a big
> effect on many data networks.
>
> I'm surprised that you say there isn't information available on how to
> become HIPAA compliant. There's a lot, isn't there? If companies are saying
> that they are HIPAA certified, that's a bit of a misnomer. I don't think
> there's any certification, but there is compliance info available.
>
> Did you check these links:
>
> http://www.hipaadvisory.com/
>
> http://aspe.hhs.gov/admnsimp/
>
> http://www.cms.hhs.gov/hipaa/
>
> http://www.hipaa.org/
>
> I wonder if you could hire a consultant to help you wade through all the
> regulations and confusing info from the government. Hopefully some consultants
> will specialize in this.
>
> Priscilla
>
> > definite
> > answer in sight. Really, really apologize for the nontechnical nature of
> > this post, but I have reached a wall after searching all over for an answer.
> > I guess you could say that I am "ill" with searching...
> >
> > HIPAA is a medical information protection and privacy act passed by
> > Congress in 1996. The deadline for complying or getting an extension is
> > this year. You'll probably see more and more requests like mine as the year
> > goes by, so I figured I'd start things off.
> >
> > HIPAA is currently in a state of flux as far as implementation and
> > enforcement is concerned, as many medical professionals and organizations
> > rush to comply. Which brings me to my question...
> >
> > In my searches, I see several organizations trumpeting the fact their data
> > centers are "HIPAA certified", meaning that they are cleared to process,
> > store, or otherwise handle medical and private info. How is it possible to
> > achieve this certification when there does not seem to be any standards or
> > processes from the U.S. government detailing what will earn the
> > certification?
> >
> > Does having a couple of tape drives on a server behind a firewall with
> > restricted access qualify a data center to be "HIPAA Compliant"? Is there a
> > checklist, policy, standard, or procedure for certification required by the
> > U.S. government that I missed in my searches? If so, I would appreciate
> > getting the links to such information.
> >
> > TIA,
> >
> > Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61395&t=61395
OT: Making data centers HIPAA compliant - what is required - [7:61383]
Sorry for the OT post, but have searched high and low, and no definite answer in sight. Really, really apologize for the nontechnical nature of this post, but I have reached a wall after searching all over for an answer. I guess you could say that I am "ill" with searching...

HIPAA is a medical information protection and privacy act passed by Congress in 1996. The deadline for complying or getting an extension is this year. You'll probably see more and more requests like mine as the year goes by, so I figured I'd start things off.

HIPAA is currently in a state of flux as far as implementation and enforcement is concerned, as many medical professionals and organizations rush to comply. Which brings me to my question...

In my searches, I see several organizations trumpeting the fact their data centers are "HIPAA certified", meaning that they are cleared to process, store, or otherwise handle medical and private info. How is it possible to achieve this certification when there does not seem to be any standards or processes from the U.S. government detailing what will earn the certification?

Does having a couple of tape drives on a server behind a firewall with restricted access qualify a data center to be "HIPAA Compliant"? Is there a checklist, policy, standard, or procedure for certification required by the U.S. government that I missed in my searches? If so, I would appreciate getting the links to such information.

TIA,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61383&t=61383
Re: Off Topic: Re: Profession Cert or PhD!!! [7:60385]
Please, kill this thread. It is contributing highly to bandwidth waste.

If you love Cisco and networking, get your CCIE. If you love academia over everything else, get your Ph.D. If you love both equally, get them both. Bottom line is that both are hard to attain, and unless you got the love for either one, you are not going to get 'em!

For example, there is good bucks in programming, but I hate to program, even little batch files and scripts turn me off. No amount of money will ever entice me to voluntarily learn programming in any language. Same thing with either the CCIE or a Ph.D.

Whew, hope this puts this thread to rest.

TIA,

Charles

"The Long and Winding Road" wrote in message news:[EMAIL PROTECTED]...
> "Jimmy" wrote in message news:[EMAIL PROTECTED]...
> > If you were given a choice, would you choose to go for a PhD in the networking
> > area or juz stay in your field and pursue professional certification such as
> > CCNP/CCDP etc. Assume that both are fully sponsored, can anyone tell me which
> > one will pay off in the long run?
>
> My current hero Bill Parkhurst, author of two books that are must-read for
> CCIE Lab prep, and I believe high up in the CCIE program at Cisco, has both!
> PhD (I believe in electrical engineering) and CCIE
>
> > Cheers!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60387&t=60385
OT: IPX and AppleTalk Network Scanner [7:59139]
Hi, all

Apologies in advance for this slightly OT, but can anyone point me in the direction of a scanner that can scan and enumerate IPX-only and AppleTalk-only networks? That is, scan and identify devices on a network running IPX only or AppleTalk only...no IP.

I would prefer something that did not cost an arm and leg such as the ISS products. I have heard that AXENT makes something like that, but their website seems to be hosed right now so I can not check.

TIA,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59139&t=59139
RE: Security Policy [7:52061]
Howard C. Berkowitz wrote:
>
> Password structure is too detailed for the security policy, although
> it's necessary in the security design. The policy should state
> something on the order that people must protect their passwords,
> whether they can or cannot change their own, etc.
>

OK, the part about protecting/changing passwords is a given, but I wonder about your comment that "password structure is too detailed..." ...where to put the details about that which you are trying to protect...in a SOP on passwords? or possibly as appendix to the official security policy?

My view of security policy is that it needs to lay the law, include specifics on complying with said law, and detail the penalties for non-compliance. Telling people that they need to protect their passwords is not enough, they need to know what the organization considers protecting said passwords. Without these specifics, I could make the case that writing my password backwards on a sticky note and placing it in my wallet is protection enough, and why not, the policy only told me to protect it, it did not tell me the required manner and depth of the protection.

Can you clarify further where you would put such details?

TIA,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52237&t=52061
RE: Security Policy [7:52061]
While security policies need to be unique per organization, there are some common elements that can be recycled.

Just to give an example, how about the handling of passwords? Really, do you need to re-create the piece of the policy that says passwords need to be protected, must be of a certain length, and mixed characters? It really doesn't matter if the policy is for Van Kamps fish sticks factory, or for the DEA: both need to ensure that they have some baseline protection for passwords.

The below book may help, the high price tag buys you a one-organization copyright. Having a ready-made template can save some time, and enable you to focus on the more unique aspects of the organization's requirements without spending all your time re-inventing the wheel.

To that end, John, the following may be useful to you. Check it on Amazon.

Information Security Policies Made Easy Version 8
by Charles Cresson Wood

HTH,

Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52134&t=52061
RE: Disable Telnet [7:41293]
Hey Rich,

Easiest way is probably:

!
line vty 0 4
 transport input none
!

However, you might want to reserve telnet access to a private range for your own ease of admin in which case:

!
line vty 0 4
 transport input telnet
 access-class 2 in
!
access-list 2 remark Secure Telnet Access
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 2 deny any log
!

Cheers,

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnson, Richard (NY Int)
Sent: 12 April 2002 14:05
To: [EMAIL PROTECTED]
Subject: Disable Telnet [7:41293]

Hi All,

How do I disable Telnetting capability to my 3640? I only want console access.

Thanks,
Rich

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41299&t=41293
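An added example, not part of Scott's reply and not a Cisco tool: a Python check that reads a saved configuration and reports, for each vty range, whether telnet is accepted and which ACL (if any) restricts it. The sample configuration is constructed, and the parser assumes the indented "show running-config" layout and numbered access-list entries only.

```python
import re

# Constructed sample in "show running-config" layout (sub-commands indented).
# The first vty block and ACL 2 mirror the restricted form in the reply above.
SAMPLE_CONFIG = """\
line con 0
line vty 0 4
 transport input telnet
 access-class 2 in
line vty 5 15
 transport input telnet ssh
line vty 16 31
 transport input none
!
access-list 2 remark Secure Telnet Access
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 2 deny any log
"""


def parse_config(config):
    """Return (vty_blocks, acls): vty settings and numbered ACL entries."""
    vty_blocks, acls, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():          # a non-indented line ends any block
            current = None
            m = re.match(r"line vty (\d+(?: \d+)?)$", line)
            if m:
                current = {"lines": m.group(1), "transport": None, "acl_in": None}
                vty_blocks.append(current)
                continue
            m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif current is not None:          # indented sub-command of a vty block
            m = re.match(r"transport input (.+)$", line)
            if m:
                current["transport"] = m.group(1).split()
            m = re.match(r"access-class (\S+) in$", line)
            if m:
                current["acl_in"] = m.group(1)
    return vty_blocks, acls


def audit_vty(config):
    """Return {vty range: finding} for every 'line vty' block."""
    vty_blocks, acls = parse_config(config)
    findings = {}
    for blk in vty_blocks:
        transport, acl = blk["transport"], blk["acl_in"]
        if transport is None:
            finding = "no 'transport input' line: default depends on the IOS release"
        elif not {"telnet", "all"} & set(transport):
            finding = "ok: telnet not accepted"
        elif acl is None:
            finding = "telnet accepted from any source (no access-class)"
        elif acl not in acls:
            finding = f"telnet accepted; access-class {acl} is not defined in this config"
        else:
            permits = [src for action, src in acls[acl] if action == "permit"]
            finding = f"telnet restricted by ACL {acl} to: {', '.join(permits)}"
        findings[blk["lines"]] = finding
    return findings


if __name__ == "__main__":
    for vty_range, finding in audit_vty(SAMPLE_CONFIG).items():
        print(f"line vty {vty_range}: {finding}")
```

The second block in the sample shows the case the check is for: a vty range outside "0 4" that still accepts telnet with no access-class applied.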
RE: prefix lists .. [7:34312]
Do you mean "gt" and "lt" for "greater than" or "less than" specific port numbers? Use extended access lists with an ACL number of 100 - 199 and a specific protocol (TCP / UDP). Eg:

access-list 101 deny tcp 192.168.100.0 0.0.0.255 host 192.168.200.1 gt 1024

HTH,

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of dk
Sent: 04 February 2002 12:07
To: [EMAIL PROTECTED]
Subject: prefix lists .. [7:34312]

Can anyone help me get a handle on the "ge" and "le" options on prefix lists? I find them totally confusing.

Thanks in advance for any advice offered

David

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34313&t=34312
RE: cpu utilization with MRTG [7:32677]
Here try this - works for me...

# Router CPU load %
Target[cpu.192.168.0.1]: 1.3.6.1.4.1.9.2.1.58.0&1.3.6.1.4.1.9.2.1.58.0:[EMAIL PROTECTED]
RouterUptime[cpu.192.168.0.1]: [EMAIL PROTECTED]
MaxBytes[cpu.192.168.0.1]: 100
Title[cpu.192.168.0.1]: CPU LOAD
PageTop[cpu.192.168.0.1]: CPU Utilisation for Customerx Description:CPU Load Monitor
Unscaled[cpu.192.168.0.1]: ymwd
ShortLegend[cpu.192.168.0.1]: %
XSize[cpu.192.168.0.1]: 380
YSize[cpu.192.168.0.1]: 100
YLegend[cpu.192.168.0.1]: CPU Utilization
Legend1[cpu.192.168.0.1]: CPU Utilization in % (Load)
Legend2[cpu.192.168.0.1]: CPU Utilization in % (Load)
Legend3[cpu.192.168.0.1]:
Legend4[cpu.192.168.0.1]:
LegendO[cpu.192.168.0.1]: Usage
Options[cpu.192.168.0.1]: growright,nopercent,gauge

Obviously, you should replace the ip address '192.168.0.1' and the snmp string 'snmpstringhere' with the appropriate ones for your device.

Hope this helps!

Scott Riley CCNP CCDA MCSE (NT4)
Senior Network Engineer
Firstnet Services Ltd
T: 0113 292 7768
F: 0113 234 1962
W: http://www.firstnet.net.uk
[This message subject to: http://www.firstnet.net.uk/disclaimer.html]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mohammed Saro
Sent: Monday, 21 January 2002 11:25
To: [EMAIL PROTECTED]
Subject: cpu utilization with MRTG [7:32677]

Any ideas about object ID of CPU utilization on Cisco routers for monitoring with MRTG

Mohamed Saro

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32686&t=32677
RE: I need Help in Cisco [7:31875]
One suggestion is to use two route-maps, one to permit traffic to pass straight through the cache and one with the "set ip next-hop" feature. This second route map will match an access-list configured to capture web traffic, something like the following should do it:

interface FastEthernet1/0
 ip policy route-map proxy-redirect
!
route-map proxy-redirect permit 10
 match ip address 101
!
route-map proxy-redirect permit 20
 match ip address 110
 set ip next-hop abc.abc.abc.abc   [IP ADDRESS OF SQUID SERVER]
!
access-list 101 remark STRAIGHT THROUGH TRAFFIC
access-list 101 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any   [RANGE OF SOURCE TRAFFIC TO GO THROUGH]
access-list 110 remark TRAFFIC TO BE REDIRECTED TO WEB-CACHE
access-list 110 permit tcp xxx.xxx.xxx.xxx 0.0.0.255 any eq www   [RANGE OF SOURCE TRAFFIC TO BE REDIRECTED]

Place all networks to be cached in list 110 and any you don't want to be cached in list 101. For example if you wanted to ensure that the entire 192.168.100.0 network is cached except for host 192.168.0.254 then do the following:

access-list 101 permit tcp host 192.168.0.1 any
access-list 110 permit tcp 192.168.100.0 0.0.0.255 any eq www

Remember to put your Squid (proxy) server in the exceptions list otherwise it'll never work!

Hope this helps...

Cheers,

Scott Riley CCNP CCDA MCSE (NT4)
Senior Network Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk
[This message subject to: http://www.firstnet.net.uk/disclaimer.html]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ing. Milton Amador Z.
Sent: Monday, 14 January 2002 16:41
To: [EMAIL PROTECTED]
Subject: I need Help in Cisco [7:31875]

I have one Cisco 3640. I need to send all my www traffic to one Linux box; in this Linux box I have the Squid proxy, but I don't know how to do this. Does somebody know how to do this?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31882&t=31875
OSPF Question... [7:31402]
Hi guys,

Hoping to pick someone's brain about this issue that we're seeing:

We have two 6509 Cat switches with a Gig trunk and RSMs. Multiple VLANs are configured on the RSM and we are running OSPF (area 0). The problem we have is that the two 6509s are forming OSPF adjacencies with each other on every vlan (via the Gig trunk). So if we have 4 vlans set up there are 4 sets of OSPF neighbor adjacencies set up, for example:

Neighbor ID     Pri   State           Dead Time   Address         Interface
lo-3.bob1             FULL/DR         00:00:38    192.168.1.140   Vlan1
lo-3.bob1             2WAY/DROTHER    00:00:32    192.168.1.172   Vlan30
lo-3.bob1             2WAY/DROTHER    00:00:32    192.168.1.188   Vlan35
lo-3.bob1             FULL/BDR        00:00:37    192.168.1.34    Vlan100

[The names and IP addresses have been changed to protect the innocent!]

The same is also true on the partnering router "Bill".

Now, in reality, there are about 10 or 12 vlans in this setup, most of them are passive interfaced so they do not add into the equation. We can't passive interface these vlans because they are used for distribution to different OSPF areas.

My question is this, how can we ensure that bob and bill only form one adjacency with one another, not one per vlan. We were hoping to do something like a "source-interface" whereby you specify that OSPF adjacencies are formed on a given address (eg a loopback int), that way regardless of how many vlans bob and bill can see each other on, they will only form adjacencies on one IP address with one another.

Any comments or suggestions would be greatly appreciated. (Here's where it's something REALLY obvious and I look silly)...

Cheers guys,

Scott Riley
Senior Network Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk
[This message subject to: http://www.firstnet.net.uk/disclaimer.html]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31402&t=31402
RE: Serial links [7:28270]
Each port on the NM-4T is capable of supporting 2Mb full-duplex, 2Mb upstream and 2Mb downstream. The card has a total 8Mb Full-Duplex throughput. You can actually have 8Mb in one direction and 8 Mb in the other direction at the same time assuming all the channels are bonded together.

HTH,

Scott Riley
Senior Network Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk
[This message subject to: http://www.firstnet.net.uk/disclaimer.html]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 06 December 2001 14:48
To: [EMAIL PROTECTED]
Subject: Re: Serial links [7:28270]

So should the data sheet say "total throughput" and not "total full-duplex throughput"??

RB

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28290&t=28270
RE: DNS [7:24949]
The following line in global config mode should help:

async-bootp dns-server 10.10.10.1 10.10.10.2

Alternatively you could pass the details to them via RADIUS.

Cisco-AVPair = "ip:dns-servers=10.10.10.1 10.10.10.2"

Scott Riley
Firstnet Services Ltd
W: http://www.firstnet.net.uk
[This message subject to: http://www.firstnet.net.uk/disclaimer.html]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ashraf Wagih
Sent: Thursday, 01 November 2001 16:24
To: [EMAIL PROTECTED]
Subject: DNS [7:24949]

Hi All,

How can I let the Access Server 5300/5400 assign a DNS to the dial up users?

regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24957&t=24949
RE: How to setup syslog server [7:23501]
You can easily use shell scripting to separate the logs for the individual routers. We use something similar to the following:

echo Sorting Log Files:
cat /var/log/remote.log | grep routername >> /var/log/cisco/routername
rm -f /var/log/remote.log
killall -HUP syslogd

Hope this helps!

Scott Riley
Cisco Internet Engineer
Firstnet Services Ltd
W: http://www.firstnet.net.uk
[This message subject to: http://www.firstnet.net.uk/disclaimer.html]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anh Lam
Sent: Friday, 19 October 2001 11:26
To: [EMAIL PROTECTED]
Subject: How to setup syslog server [7:23501]

Hi Everyone,

I am trying to set up a syslog server so that I can log messages from Cisco routers and switches. I am running this syslog on a Linux box. Since syslog is a standard feature of unix/linux, I am pretty happy with it, given my disdain for Microsoft. By default the syslog server on Linux refuses to accept remote logging from devices other than itself. I modify this by turning on the -r option. This makes the Linux machine accept remote logging.

My problem is that the syslog messages from Cisco routers and switches are logged into the same file (/var/log/messages) that the Linux machine logs its own system messages. How can I separate the messages between the two?

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23503&t=23501
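An added example, not from the original post: the grep in the script above matches the router name anywhere in a line, so this Python version splits on the syslog host field instead and rejects host values that are not plain hostnames before they are used as file names. The sample lines, the router names and the output directory are constructed assumptions, and the line layout assumed is the traditional "Mmm dd hh:mm:ss host message" file format.

```python
import os
import re
import tempfile

# Traditional syslogd file line: "Mmm dd hh:mm:ss host message".
LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
# The host field arrives over the network, so only plain hostnames or
# addresses may become file names.
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")

# Constructed sample lines (hosts and messages are made up).
SAMPLE_LINES = [
    "Oct 19 11:26:01 rtr-leeds 45: %SYS-5-CONFIG_I: Configured from console by vty0",
    "Oct 19 11:26:07 sw-core 12: %LINK-3-UPDOWN: Interface Gi1/1, changed state to up",
    "Oct 19 11:27:30 linuxbox sshd[812]: session opened for user rtr-leeds-backup",
    "Oct 19 11:28:02 bad/name 1: host field is not a valid hostname",
    "not a syslog line",
]


def split_by_host(lines, routers):
    """Group lines by host field; keep only hosts listed in `routers`.

    Returns (grouped, rejected): rejected holds lines that do not parse or
    whose host field is unsafe to use as a file name.
    """
    grouped, rejected = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        host = m.group(1) if m else None
        if host is None or not SAFE_HOST_RE.match(host):
            rejected.append(line)
        elif host in routers:
            grouped.setdefault(host, []).append(line)
    return grouped, rejected


def write_logs(grouped, out_dir):
    """Append each host's lines to out_dir/<host>; return the paths written."""
    paths = []
    for host, lines in sorted(grouped.items()):
        path = os.path.join(out_dir, host)
        with open(path, "a", encoding="utf-8") as fh:
            fh.writelines(entry + "\n" for entry in lines)
        paths.append(path)
    return paths


if __name__ == "__main__":
    grouped, rejected = split_by_host(SAMPLE_LINES, {"rtr-leeds", "sw-core"})
    with tempfile.TemporaryDirectory() as out_dir:   # stands in for /var/log/cisco
        for path in write_logs(grouped, out_dir):
            print("wrote", os.path.basename(path))
    print(len(rejected), "line(s) rejected")
```

The third sample line comes from the Linux box but mentions "rtr-leeds" in its message text, so a grep for the router name would file it under the router while the host-field match does not.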