Test [7:43186]
Test email Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43186&t=43186 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
IPX Problem [7:42735]
I have a network where corporate is connected to 3 branch offices through Point to Point. The branch offices are also connected together in a full mesh frame-relay topology as a backup. The corporate office is also connected to a few other small branches in a hub and spoke frame-relay topology.

I was running IPX RIP by default between those networks and response time between IPX hosts and servers was not really bad. I decided to make some more changes to decrease the latency by configuring IPX eigrp between WAN Links only and left RIP on LAN interfaces. Instead of decreasing the latency it increased it by 4 times. Before EIGRP I copied a file and it took about 20 seconds. Now it's taking almost 4 minutes. I am curious where I went wrong.

All I did to enable IPX Router eigrp 2 advertised all my WAN networks. network network and so on. I then removed those WAN networks from RIP routing by IPX router rip no network no network and so on.

Note: I am also running EIGRP 1 for IP network. I don't think that it will conflict since both are under different Autonomous systems.

Any suggestions, folks?

Regards,
Ab

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42735&t=42735
RE: Very Strange [7:40966]
Is your 2501 router booting correctly? If it is booting in rommon, then you will not be able to access the router through console with the standard settings. What you need to do is to change your baud rate to 38400, and keep increasing unless it sees it. Don't change the baud rate and then expect it will work. If it doesn't work with 38400, then close it and reopen hyper terminal with the new baud rate and so on. Believe me I have been through this.

Abbas

-Original Message-
From: Kevin Corbin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 1:36 PM
To: [EMAIL PROTECTED]
Subject: Very Strange [7:40966]

I've got a 2501, that I cannot connect directly to the console port of, however, if using the same PC, same cable, and all settings the same, I can connect fine to all of my other routers. And if I use the AUX port on another router connected via rollover cable into the console port on this 2501, it works fine w/ a reverse telnet session. Anyone ever seen this? any suggestions?

Thanks,
Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40970&t=40966
Cisco CD [7:40124]
Are there any guidelines we could download to learn techniques regarding how to quickly search for stuff in the Cisco Documentation CD? This is the only resource available in the CCIE Lab if one doesn't know what to do. Some CCIEs recommend learning how to navigate the Cisco Documentation CD thoroughly.

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40124&t=40124
Name in ISDN mapping statement [7:39924]
Hello Folks,

In ISDN configuration, there is an option to use hostname in the mapping command. For example,

rtrA: dialer map ip 138.2.80.2 name rtrB broadcast 2005
rtrB: dialer map ip 138.2.80.1 name rtrA broadcast 2004

What is the main purpose of using the remote hostnames in the mapping commands? I have tried all combinations and it works just fine without it. If I remove name from one side, I would still be able to ping between each other and vice versa. If I remove name from both sides, I would still be able to ping. Tried CCO, but no real explanation.

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39924&t=39924
ISDN Problem [7:39342]
In simplest ISDN configuration I should be able to ping, but unfortunately I can't. This week is very tough, nothing seems to work I guess. I have two routers connected through ISDN. Here is the config. I should be able to ping, but can't ping the local and the remote interface. Any clue?

Router 1:

isdn switch-type basic-5ess
interface BRI1/0
 ip address 150.100.6.1 255.255.255.0
 encapsulation ppp
 dialer string 8358662
 dialer-group 1
 isdn switch-type basic-5ess
dialer-list 1 protocol ip permit

Switch and interface status.

R3#show isdn status
Global ISDN Switchtype = basic-5ess
ISDN BRI1/0 interface
        dsl 8, interface ISDN Switchtype = basic-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 82, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        0 Active Layer 3 Call(s)
    Activated dsl 8 CCBs = 0
    The Free Channel Mask: 0x8003

BRI1/0 is up, line protocol is up (spoofing)
  Hardware is BRI with integrated NT1
  Internet address is 150.100.6.1/24
  MTU 1500 bytes, BW 64 Kbit, DLY 2 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Last input 00:00:22, output never, output hang never
  Last clearing of "show interface" counters 00:20:34
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations 0/1/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     46 packets input, 235 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     52 packets output, 316 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     2 carrier transitions

Router 2

isdn switch-type basic-5ess
interface BRI1/0
 ip address 150.100.6.2 255.255.255.0
 encapsulation ppp
 dialer string 8358661
 dialer-group 1
 isdn switch-type basic-5ess
dialer-list 1 protocol ip permit

___

R3#ping 150.100.6.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.100.6.2, timeout is 2 seconds:
00:29:13: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, sending
00:29:13: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, encapsulation failed
00:29:13: ISDN BR1/0: TX -> INFOc sapi = 0 tei = 82 ns = 4 nr = 4 i = 0x08010905040288901801832C0738333538363632
00:29:13: SETUP pd = 8 callref = 0x09
00:29:13: Bearer Capability i = 0x8890
00:29:13: Channel ID i = 0x83
00:29:13: Keypad Facility i = '8358662'
00:29:14: ISDN BR1/0: RX RRr sapi = 0 tei = 82 nr = 5
00:29:15: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, sending
00:29:15: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, encapsulation failed.
00:29:17: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, sending
00:29:17: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, encapsulation failed.
00:29:19: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, sending
00:29:19: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, encapsulation failed.
00:29:21: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, sending
00:29:21: IP: s=150.100.6.1 (local), d=150.100.6.2 (BRI1/0), len 100, encapsulation failed.
Success rate is 0 percent (0/5)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39342&t=39342
RE: Catalyst 6509 [7:39192]
Hello Maverick,

You mentioned that isolating the management vlan from traffic vlans helps when there is a broadcast storm, which will allow you to connect to your management port since the management port is in a different vlan. I thought about this last night and need some clarification if my logic is correct.

First of all, for the management purpose we assign an IP address to the SC0 virtual port and move this port to a management VLAN which we will assume is VLAN 10, then we create VLAN 10 on a router blade and also assign an ip address to this router blade and point this ip address as a default gateway for the SC0 interface. If we think about it both SC0 and VLAN 10 are virtual, and in case of a broadcast storm, my PC which is in VLAN 1 will have to go through VLAN 1 first to reach VLAN 10 where I have my management port. Question is, if VLAN 1 is already attacked with a broadcast storm then how will I reach the management VLAN?

Regards,
Ali

-Original Message-
From: maverick hurley
To: [EMAIL PROTECTED]
Sent: 3/22/02 1:07 PM
Subject: RE: Catalyst 6509 [7:39192]

Absolutely it will help for security. The thing to remember is that your ports are default for native vlan1. You can specify a different vlan number for your management like vlan 5. But in case of trunking mishaps/issues and vlan pruning issues it is safer using vlan 1.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39311&t=39192
RE: Catalyst 6509 [7:39192]
It means that if you isolate your management vlan from your users' vlan then it will help you reach the management interface, and it totally makes sense. But do you think that isolating your management vlan will also help you secure your network from hackers?

Regards,
Ali

-Original Message-
From: maverick hurley [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 11:41 AM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 6509 [7:39192]

I have always been advised to use Vlan 1 for management only? Just don't use vlan 1 for users and other devices. I would use vlan 1 for the management under a different subnet than your devices. Assign the subnet for vlan1 on your router card. Use an ip under that subnet for your SC0 interface and point your default gateway to the vlan1 interface of your router card.

The advantage of using vlan 1 only for management is that if your management is in the same vlan as devices and you have broadcast storms this can affect you not being able to reach the interface for management. Also your native vlan for ports is vlan1, in case you ever lose one end of a trunked port you can recover easier.

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39217&t=39192
IDS blade [7:39193]
Has anyone ever configured IDS module for catalyst 6500 series router? I tried browsing Cisco Website, but did not find any help in terms of installing and configuring the IDS blade. Can someone point me to correct link?

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39193&t=39193
Catalyst 6509 [7:39192]
Hello Folks,

I need help understanding this logic. I have a Catalyst 6509 switch with 4 Vlans. I have done the configuration which is recommended by Cisco. Here are the details.

VLAN 2 Users: Subnet 10.0.2.0/24
VLAN 3 Servers Subnet 10.0.3.0/24
VLAN 4 PBX Application Subnet 10.0.4.0/24
VLAN 5 Management Vlan Subnet 10.0.5.0/24

Catalyst 6509 has dual IOS. The catalyst IOS for the switch and Cisco IOS for the router blade. I have assigned IP address 10.0.5.2 to the SC0 interface and assigned IP address 10.0.5.1/24 to VLAN 5 that I created in cisco IOS. By doing this I can telnet to both from my PC which is in the user vlan. I believe I will also have to do a default gateway command in the SC0 interface and the gateway should be pointing to 10.0.5.1 (VLAN 5's IP address) in order for me to telnet the catalyst IOS from different VLANS. Am I approaching the correct path? Please advise.

I am not using VLAN 1 as not recommended by Cisco. What disadvantage would I have had if I had chosen VLAN 1 for the management? I am also using a totally different subnet for the management per guidelines, but I could have put SC0 in VLAN 2 and could have used the IP address from the user VLAN 2 and by doing that I would not have to create a VLAN 5. Is there any real advantage to using a totally separate VLAN for the management purpose? Some guidelines say that it is really secured by using a different VLAN other than VLAN 1 or any other VLANS which are used for Users, Servers etc. Can someone explain how?

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39192&t=39192
Does someone know? [7:38322]
On my 2600 router, I configured the T1 0/0 controller, and the below message keeps appearing.

"00:23:10: %CONTROLLER-5-UPDOWN: Controller T1 0/0, changed state to down (RAI detected)
00:23:12: %LINK-5-CHANGED: Interface Serial0/0:0, changed state to reset
00:23:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0:0, changed state to down
00:23:22: %CONTROLLER-5-UPDOWN: Controller T1 0/0, changed state to up
00:23:24: %LINK-3-UPDOWN: Interface Serial0/0:0, changed state to up
00:23:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0:0, changed state to up"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38322&t=38322
RE: Latency in Telnet, intervlan routing [7:38187]
To add, make sure that subnet masks are all configured properly. Believe me, that could be the problem. Wrong subnet masks are hidden problems that would allow you to do certain things and deny certain things. It may allow you to ping, but not to telnet.

Abbas

-Original Message-
From: Tauseef Nagi [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 9:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Latency in Telnet, intervlan routing [7:38187]

Here are few things you could look into,

1) Is this a new config.?
2) Did it ever work before? if yes, what changed?
3) Assuming that routing is setup correctly on the Cat5K routing module (if this is being used),
   (a) do you have the right static routing setup on the server to respond to traffic coming from different network?
   (b) where is your default gateway point to (as next hop) on your server?
   (c) If the server is a unix box, do you have any tcp wrappers? any ip-chains? any firewall?
4) If everything checks out OK thus far, check for issues with switch and routing module configuration
5) What are you using to route inter-vlan traffic? is it routing module in Cat5K or is it external router?
6) If it is internal routing module, have you configured the vlan interfaces correctly?
7) Once all the end stations are connected, are the vlan interfaces show as "up" and "up"?
8) How about the ip addressing? are all the configurations falling within their respective masking boundaries?
9) How about the ACLs?
10) So on and so forth...

I hope that somewhere along this path, you'll find the issue. Please do share with us what was the resolution.

Tauseef

"Mason" wrote in message news:[EMAIL PROTECTED]...
> I do Telnet from a client on VLAN1 and I reach the server just
> fine. VLAN1 is where the server is also connected to.
> I do Telnet from any other VLAN: Telnet takes a long time, then it times
> out.
>
> That tells me it is something in the InterVLAN routing. What would be the
> next step to troubleshoot the problem ? I look into the Cat 5000
> configuration but I can't see any relevant changes that caused the problem.
> If I use a Sniffer, I noticed a delta time larger for the Telnet. However, I
> don't see any broadcast that could cause such delay.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38288&t=38187
PIX Question [7:37893]
I have just installed a PIX firewall with three interfaces. The Inside network is 192.168.1.0 and the DMZ network is 192.168.2.0. There are a few webservers on the dmz network that need to have access to all the servers on the inside network. Technically I am going to have to statically map each server on the inside network to an unused address on the dmz network and then open the conduit permission.

For example, I have an NT server running on 192.168.1.12. In order for the webserver to connect to this box I will have to do

Static(inside, dmz) 192.168.2.12 192.168.1.12 netmask 255.255.255.255
conduit permit tcp host 192.168.2.12 host any or 192.168.1.12.

It will be very tedious and I will waste so many addresses on the dmz network in order to create a mapping entry for all the servers on the inside network. Is there any smaller way of doing it? Can I map the whole dmz network to the inside network instead of mapping each unused address to an inside address?

Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
NextiraOne, LLC
Tel: 714.428.3367
Pager: 714.748.4817
Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37893&t=37893
RE: IPX Network Number question [7:35146]
By default, the Network Address FFFE is taken by the IPX default route. What you gotta do is to disable this in global configuration mode. The command is "NO IPX DEFAULT-ROUTE". Turn this off and then you will be able to assign network FFFE.

Abbas

-Original Message-
From: Brian [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 11, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: Re: IPX Network Number question [7:35146]

Having never worked with ipx before except in an ACRC class 2 years ago, I wanted to test my Cisco website searching ability.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/atipx_r/ipx/2rdipx5.htm

seems to imply it is a default network? Any IPX pros, feel free to jump in. By the way, I found several pages on www.cisco.com, some said FFFE is the upper limit, some said FFFD.

Brian

On Mon, 11 Feb 2002, Wilson, Christian wrote:
> I have a IPX network question
>
> I am doing a practice lab that requires me to assign the IPX network address
> FFFE to an interface and to set the encapsulation type to SAP. I have
> attempted to do this, but my router will not take the address. When typing
> "ipx network ? ", I see that the valid range for IPX network numbers ends at
> FFFD. The practice lab is very specific about assigning FFFE,
> stating that there is a trick to accomplish this. I have searched the CCO
> and my documentation, but I have found nothing. Can someone please assist
> me with this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35158&t=35146
TAP Port [7:34793]
Does anyone know what the TAP port is on a catalyst Switch? All I know is it is something to do with Diagnostic.

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34793&t=34793
Weird Problem [7:33961]
I have a network where the corporate side is connected to four branch offices with full T1, and the branches are also connected to each other through Frame-Relay in a full mesh topology as a backup. Everything is working fine, all the branches have installed the preferred route through the T1 link to reach the corporate network and other sites.

Just to confuse you, I have a DHCP server running at the corporate as well as one of the branch sides. All the branches have an IP helper address pointing to a DHCP server which is running on a branch office. In other words, traffic goes to the corporate first then from there goes to the branch office for the dhcp lease ip address and logon to a windows 2000 domain. It is just a temporary solution. Eventually all branches will be pointing to the corporate office through wins or ip helper address for logon to a windows 2000 server.

Here is the issue: at one of the branches, even though it is going through a preferred route through T1, all the windows hosts will not even boot up and are stuck in a black screen mode if the Frame-Relay link is up, which is S0. When I say up it means that it is ready to take over in case the primary link, which is Point to Point, fails. As soon as I shut down the S0 interface for the Frame-Relay link, and then boot the hosts, they boot fine and also log on to the windows 2000 domain. I even made sure that the branch is installing the preferred route through the T1 link and will only go through the FR cloud if the primary link goes down. I can't figure out how the Frame Relay interface can possibly conflict with this problem. Other branches are working fine with Frame-Relay interfaces being up.

Does anyone have a clue? All the help will be appreciated.

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33961&t=33961
PIX question [7:33933]
The recommended design for PIX is to have your Webserver in a private network segment hanging off at the dmz port, and then statically map the private IP address to a public IP address. In this design, before the customer decided to have PIX for security they were running their webserver with at least 25 virtual IP addresses (All Public) spanning two different network segments. Obviously PIX could only respond to an IP address assigned to the PIX's dmz port from one of the two network segments. Customer decided to add one more NIC card into the webserver and then attach it to another dmz port for the second network segment.

I believe I will have to disable NAT in the PIX because the webserver will still be using public IP addresses, and there will be no natting. The other approach I could take is to use static mapping and conduit with the same IP address. For example, if one of the web addresses is mapped to public IP address 63.83.198.21, I could statically map to the same address.

static (dmz, outside) 63.83.198.21 63.83.198.21 255.255.255.255
conduit permit tcp host 63.83.198.21 eq www any.

Will both approaches work? Which one will be better because I am talking about at least 25 addresses.

Another question: Customer purchased one more public block with 6 IP addresses for their media server, 208.21.233.48/29. They want to use 2 out of 6 IP addresses for the media server which will be on another dmz port, and again they will actually assign public ip addresses to the boxes themselves, so again there will be no natting, or I could use the same technique which I mentioned above which is to statically map with the same IP addresses. The question is that the customer wants to use the last 4 addresses for the internal users to browse the network. So, I will have to create a global pool and PAT (if necessary). Will PIX be able to differentiate among the 6 addresses, 2 coming out from dmz and the rest of them used for the users coming out from the internal network? Logically, it will work, but I need input from the forum experts.

Regards,
AA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33933&t=33933
RE: pix problem [7:33183]
Two important rules about PIX. Any outside traffic, or I should say any traffic from the lower security to the higher security, you must have static and conduit commands. And any traffic from higher security to lower security you must have global pool and nat, depending on whether you are doing translation or not. If you did have the nat command with ID 0 and 0 0 for all networks then it should work, but if you are specifying certain networks then you must have that network installed with your nat ID.

Note: if you configure nat (inside) 1 0 0 it only allows inside networks to be translated. For your other dmzs you gotta put nat (dmzx) 1 0 0 in order for those networks to see the outside world.

Abbas

-Original Message-
From: cage [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 25, 2002 6:36 AM
To: [EMAIL PROTECTED]
Subject: pix problem [7:33183]

The following is my configuration of the pix 525. Now the nodes in the dmz can not connect to the outside, why? And do I have to use the NAT command for the traffic from the dmz to the outside? It seems that the pix can't route the dmz traffic to the outside. Help me! Please!

sh conf
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit tcp any host 202.99.33.69 eq smtp
access-list acl_in permit tcp any host 202.99.33.72 eq www
access-list acl_in permit tcp any host 202.99.33.66 eq domain
access-list acl_in permit tcp any host 202.99.33.67 eq domain
access-list acl_in permit icmp any any
access-list ping_acl permit icmp any any
pager lines 30
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
ip address outside 210.82.34.29 255.255.255.0
ip address inside 192.168.4.1 255.255.255.0
ip address dmz 202.99.33.254 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
pdm history enable
arp timeout 14400
global (dmz) 1 202.99.33.73 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group ping_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3be86ece2c90058e0c9190f986717d63
pixfirewall#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33224&t=33183
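
The two rules in the reply above can be checked mechanically against a PIX 6.x configuration. The Python script below is an added example, not code from the thread or from Cisco; the `parse` and `audit` helpers, the finding names and the abridged sample (the three active interfaces of the quoted configuration) are assumptions made for illustration. It goes one step beyond the reply by also reporting an ACL bound to a higher-security interface, because such an ACL filters what hosts behind that interface may initiate.

```python
import re

# Constructed sample: the three active interfaces of the PIX 6.0(1)
# configuration quoted in the thread, abridged to the relevant commands.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list acl_in permit tcp any host 202.99.33.69 eq smtp
access-list acl_in permit icmp any any
access-list ping_acl permit icmp any any
global (dmz) 1 202.99.33.73 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group ping_acl in interface dmz
"""

# static (higher_if,lower_if) ... ; tolerate spaces inside the parentheses
STATIC_RE = re.compile(r"^static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)")


def parse(text):
    """Collect the commands that decide which direction traffic may flow."""
    cfg = {"level": {}, "nat": [], "global": set(), "static": [],
           "acl": {}, "bound": {}, "conduit": False}
    for raw in text.splitlines():
        line = raw.strip().lower()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif" and len(tok) == 4:
            cfg["level"][tok[2]] = int(tok[3].replace("security", ""))
        elif tok[0] == "nat" and len(tok) >= 3:
            cfg["nat"].append((tok[1].strip("()"), int(tok[2])))
        elif tok[0] == "global" and len(tok) >= 3:
            cfg["global"].add((tok[1].strip("()"), int(tok[2])))
        elif tok[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                cfg["static"].append((m.group(1), m.group(2)))
        elif tok[0] == "access-list" and len(tok) >= 4 and tok[2] == "permit":
            cfg["acl"].setdefault(tok[1], set()).add(tok[3])
        elif tok[0] == "access-group" and len(tok) == 5:
            cfg["bound"][tok[4]] = tok[1]
        elif tok[:2] == ["conduit", "permit"]:
            cfg["conduit"] = True
    return cfg


def audit(cfg):
    """Return findings as tuples; an empty list means both rules are met."""
    findings = []
    level = cfg["level"]
    lowest = min(level.values())

    # Rule: higher -> lower security needs nat plus a global with the same
    # ID on the lower-security interface (nat ID 0 means no translation).
    for ifname, nat_id in cfg["nat"]:
        if nat_id == 0:
            continue
        for other, lvl in level.items():
            if lvl < level[ifname] and (other, nat_id) not in cfg["global"]:
                findings.append(("nat-without-global", ifname, other, nat_id))
    natted = {ifname for ifname, _ in cfg["nat"]}
    for ifname, lvl in level.items():
        if lvl > lowest and ifname not in natted:
            findings.append(("no-nat", ifname))

    # Rule: lower -> higher security needs a static plus a permission
    # (a conduit, or an ACL bound to the lower-security interface).
    for high, low in cfg["static"]:
        if not cfg["conduit"] and low not in cfg["bound"]:
            findings.append(("static-without-permit", high, low))

    # Added check: an ACL bound to a higher-security interface limits what
    # the hosts behind it can start; list the protocols it permits.
    for ifname, acl in cfg["bound"].items():
        if level.get(ifname, lowest) > lowest:
            protos = tuple(sorted(cfg["acl"].get(acl, ())))
            findings.append(("acl-filters-outbound", ifname, acl, protos))
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE_CONFIG)):
        print(finding)
```
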
RE: Cisco PIX firewall book [7:33216]
I learned PIX from the book which comes with the PIX itself. Have you read it yet? It really explains everything in detail with examples. Try it if you haven't read it.

AA

-Original Message-
From: Richard Deal [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 25, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco PIX firewall book [7:33216]

Sam,

The book is pretty much a direct port from the CSPFA 2.0 class. The new class, 2.1, is now out and it does have some minor changes. One that I remember is that 2.0 talks a lot about WebSense but 2.1 doesn't. I was somewhat disappointed with this book, considering that the MCNS book was a pretty good book. I expected the book to be about 500 pages but it comes in at about 350 pages.

Hope this helps! Enjoy!

--
Richard Deal
* Author of the ebook "CCNA Secrets Revealed!" and Exam Cram and Exam Prep books from the Coriolis Group
* Test author for QuizWare (www.quizware.com)

"sam sneed" wrote in message news:[EMAIL PROTECTED]...
> Has anyone read the Cisco Secure PIX Firewalls by David W. Chapman Jr.? I
> have no experience with PIX yet and need a good book to give me a
> foundation. I don't trust the reviews on Amazon and feel I could get better
> input from y'all.
>
> Thanks a lot
>
> sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33230&t=33216
RE: Router is not installing the better route [7:33102]
The branch router is a 2600 with built in T1 module. My configuration is:

routere(config)int s0/0
service-module T1 timeslots 1-6 speed 64

along with linecode and framing, just to let you know. I did not specifically assign the bandwidth parameter at the interface level. I assumed that the timeslot configuration should be able to take care of the Serial link bandwidth which defaults to T1 1.544M and change it to 384. But it looks like the default serial link bandwidth takes precedence regardless of timeslots configuration unless I manually specify the bandwidth 384 command on the physical serial link itself. Correct me if I am wrong.

Regards,
AA

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 24, 2002 11:06 AM
To: [EMAIL PROTECTED]
Subject: Re: Router is not installing the better route [7:33102]

what does the bandwidth on the interface to the FR cloud say it is, T1 or 384? Is the real T1 link to the site even a FS?

--
RFC 1149 Compliant.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33106&t=33102
Router is not installing the better route [7:33102]
I have a router in my main office which is connected to four different locations through a full T1 for each location. For example,

Router A: Main office router
Router B: Branch B
Router C: Branch C
Router D: Branch D
Router E: Branch E

All the branch routers are also connected through a Frame-Relay Cloud in a full mesh topology and each has a bandwidth of 384KB. I am running an EIGRP Network. In EIGRP routing, it always installs the route based on the bandwidth regardless of hop counts. The problem here I see is that the router in branch E has installed a route to Branch B through the Frame-Relay Cloud instead of picking up the better bandwidth link which is T1 to Main Office and then again T1 to the Branch E. But instead it installed the route through the Frame-Relay cloud which is directly connected to Branch E as it is a full mesh network. Can someone shed some light on it?

Regards,
AA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33102&t=33102
RE: Help on testing connectivity between two interfaces [7:31687]
You can assign an IP address to the interfaces and ping each other. You don't have to have hosts connected to the interface for the interface connectivity.

-Original Message-
From: Stephane Wantou Siantou [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 11, 2002 2:18 PM
To: [EMAIL PROTECTED]
Subject: Help on testing connectivity between two interfaces [7:31685]

Hi everybody, I set up a network with 3 routers but I don't have hosts to connect to the ethernet interfaces. Can anybody tell me how to test connectivity between two ethernet interfaces using ping or trace if there are no hosts attached to those interfaces?

Thanks a lot,
Stephane

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31687&t=31687
RE: Frame relay map 0.0.0.0 question, please help! CCIE lab is [7:31573]
You also need to consider using the newer Cisco method, which is "IP OSPF NETWORK TYPE". The neighbor command is an old method of doing it and is not recommended anymore.

Abbas

-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: Frame relay map 0.0.0.0 question, please help! CCIE lab is [7:31565]

Did you change the Hub router's ospf priority so it will become DR? And change the spoke routers' ospf priority to 0 so it will never attempt to become DR or BDR?

-Original Message-
From: Wilson, Christian [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 12:23 PM
To: [EMAIL PROTECTED]
Subject: Frame relay map 0.0.0.0 question, please help! CCIE lab is Feb [7:31555]

I have a frame switch configured for full mesh connectivity over a 3 node frame relay cloud. Router A and router B cannot use subinterfaces. Router B and router C can only use their dlci that connects them to Router A, not the dlci that connects them to each other. Because the frame switch is set up as a full mesh, I have disabled inverse arp on router A, B, and C and have used frame relay map commands with the broadcast parameter on each router. I am able to ping every router just fine using router A as a hub. Then I need to enable ospf between all of them. I used the neighbor x.x.x.x command to enable ospf, but the two spoke routers, B and C, only form adj with router A; they can not form adj with each other. When I debug ip ospf adj, I see that routers B and C are sending their poll-intervals? to 0.0.0.0.

When I issued a sh frame relay map command, I saw the following entries:

sh fram map
Serial0/0 (up): ip 0.0.0.0 dlci 503(0x1F7,0x7C70) broadcast, CISCO, status defined, inactive
Serial0/0 (up): ip 0.0.0.0 dlci 502(0x1F6,0x7C60) broadcast, CISCO, status defined, inactive
Serial0/0 (up): ip 140.4.1.2 dlci 503(0x1F7,0x7C70), static, broadcast, CISCO, status defined, inactive
Serial0/0 (up): ip 140.4.1.3 dlci 503(0x1F7,0x7C70), static, broadcast, CISCO, status defined, inactive

I can not seem to lose the frame maps to 0.0.0.0. They do not show themselves as being learned dynamically or statically. What do they mean? How do I get rid of them? How did they get in there? I can not form adj, please help!!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31573&t=31573
Double NAT with PIX [7:31294]
I have a 525 PIX running a normal configuration. The inside network is in the 10.0.0.0/16 segment and doing NAT with a public address. Here is the situation. I have a client where I need to have access through my PIX with VPN. The client is using a VPN Concentrator and also has 10.0.0.0/16 for their inside network. They sent me the VPN Client CD that I installed on my laptop, and I gained access to their network through the outside segment, meaning I attached my PC between my PIX's E0 and the Internet router, in other words bypassed the PIX, and configured my PC with a public address. Is it possible to connect to their network with me being attached to my internal network? The question is, since both networks, mine and theirs, are on the same LAN segment, how is it possible?

Thanks,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31294&t=31294
6509 switch [7:31251]
I am receiving a lot of errors on my Ethernet line cards in a 6509 switch. For example, ports have different errors in FCS, CRC, runts, giants, and collisions. Is it possible to narrow down whether it could be the NIC card, a bad cable, auto negotiation etc.? One of the users has a brand new computer and cable, but the port he is connected to still shows lots of FCS errors and collisions as well as runt frames. Any help would be appreciated.

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31251&t=31251
RE: CCIE Written Passed & Lab Advise [7:30838]
There is a CCIE practice lab in Virginia. I believe the author of the great book Bridges, Routers and Switches (Caslow) used to teach for that lab. www.arslimitedtraining.com.

-Original Message-
From: Olympia Ric [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 03, 2002 1:41 PM
To: [EMAIL PROTECTED]
Subject: CCIE Written Passed & Lab Advise [7:30838]

I just passed the CCIE Routing and Switching Qualification Exam and would appreciate recommendations on preparing for the lab. I do not have access to Cisco gear at work but have registered for Global Knowledge CCIE lab preparation courses. What equipment do I need? Rent vs buy. Recommended lab sites preferably in the Washington DC, Virginia, Maryland area. I would consider other locations as well depending on how good they are. Do I need to schedule my lab date now? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30845&t=30838
ISL Trunking [7:30728]
Is it possible to remove default VLANs 1, 1002-1005 from ISL trunking? I am setting up ISL trunking between a Catalyst 2924 and a 3640 router. I am running IOS on the Catalyst XL 2924 and only want certain VLANs on my link. IOS does it, but then it also inserts default VLAN 1 and 1002-1005 automatically. The IOS accepts the remove command to remove VLANs from the current list, but will not remove the default VLANs.

Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30728&t=30728
PIX scenario [7:29905]
Here is a challenging question. I think it is doable, but I need to know for sure before I give the green signal to my customer. The customer has only one web server sitting on a physical public IP address 68.112.1.5, and has about 10 virtual IP addresses mapped to different names. They ran out of addresses and purchased two additional blocks from the ISP, 208.212.23.32 and 208.198.12.5, and these are all virtual IP addresses. There are 3 different network segments running off only one web server. I installed a PIX, assigned the DMZ port an IP address from the physical segment, 68.112.1.6, and configured a default gateway on the web server pointing to 68.112.1.5. Surely people were able to browse the web server from outside, but only services on one segment. The other two virtual segments were not browsable, since there is only one default gateway that the web server could talk to. I suggested putting a router between the PIX's DMZ and the web server, and assigning secondary addresses to the router. For example, the router's Ethernet interface:

ip address 68.112.1.6 255.255.255.240
ip address 208.212.23.34 255.255.255.240 secondary
ip address 208.198.12.6 255.255.255.240 secondary

By doing it this way the web server will just give a packet to the router, and the router will handle all the virtual IP addresses coming from the 3 segments. I believe this solution should work. At that time the customer was not agreeing to change their web server's IP addresses to just one private network segment, but now they want to go with that. My question to you guys: if the customer chooses network segment 192.168.103.0 and assigns all the IP addresses from this segment, will the PIX then be able to handle it through one DMZ port? All I need to do is create a static mapping for each private virtual link to the public addresses (Note: 3 public segments).

For example:

static (dmz1, outside) 1 68.112.1.10 192.168.102.10 netmask 255.255.255.255 (AND MANY MORE)
static (dmz1, outside) 1 208.212.23.38 192.168.102.38 netmask 255.255.255.255 (AND MANY MORE)
static (dmz1, outside) 1 208.198.12.12 192.168.103.12 netmask 255.255.255.255 (AND MANY MORE)

Note: the PIX will do the NATing from the same private network segment to 3 different public segments. In my opinion this should work. Please advise.

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29905&t=29905
CCIE Lab Date [7:29590]
I have scheduled my CCIE Lab for 06/25/02. This is the earliest I could have gotten. I want to take it in March. If anyone has scheduled for March and would like to exchange, please let me know.

Regards,
Ali

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29590&t=29590
CCIE Written Exam [7:28870]
I took my CCIE Written yesterday and passed it. I got 78%. The good thing is that it allowed me to review the questions, but the bad thing was that in multiple choice questions, the only hint you will get is "CHECK MULTIPLE ANSWERS". Some questions were really confusing. If anyone is preparing, make sure to learn everything about Token Ring (RSRB, SRB, SRT, SR/TLB, DLSw+). A lot of people get frustrated with Token Ring. But in my case it actually helped me pass the exam, since I did a little bad in other sections. Token Ring questions are more like math equations: if you do it right you know that you are right, compared to a couple of other sections where memorization is required and the wording game by Cisco will kill you. The test is not interactive, so don't worry too much about command lines.

Regards,
Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
Tel: 714.428.3367 Pager: 714.748.4817 Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28870&t=28870
RE: CCIE written questions [7:28862]
Sorry guys, I just got carried away. I always respected Cisco's NDA. I just didn't think that they were the real questions since they were so long. In my previous groups I always raised the issue of NDA when some people tried to violate it. IT WILL NOT HAPPEN AGAIN.

Regards,
Abbas

-Original Message-
From: james mensah [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 11:32 AM
To: Ali, Abbas; [EMAIL PROTECTED]
Subject: RE: CCIE written questions [7:28862]

Abbas, are you new to this group, and do you have some respect for Cisco NDA and for that matter ethics? Watch out, Cisco is about to get you.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ali, Abbas
Sent: Tuesday, December 11, 2001 2:22 PM
To: [EMAIL PROTECTED]
Subject: RE: CCIE written questions [7:28862]

Sorry to hear that. Here is what I think the answers would be.

Q1) B
Q2) B
Q3) Definitely A, could also include B if multiple choice.
Q4) AB
Q5) Don't know.
Q6) BC
Q7)
Q8)
Q9) D
Q10)
Q11) B

-Original Message-
From: Yang Jun (Ike Yang) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 9:50 AM
To: [EMAIL PROTECTED]
Subject: CCIE written questions [7:28862]

Dear CCIEs, I failed in the CCIE written exam today and I recall some questions here but can't find the correct answers. Please do help me figure out the correct answers and give me your explanation. Great thanks!

1. In a token ring environment, what is allowed regarding early token release?
A. More than one token can circulate the ring at any given time, but only one data frame is allowed.
B. More than one data frame can circulate the ring at any given time, but only one token is allowed.
C. More than one data frame and more than one token can circulate the ring at any given time.
D. A station releases a free token after stripping the frame from the ring
E. A station can transmit early without waiting for a token to be released from its neighbor.

2. What is the best description of poison reverse?
A. It is a procedure used by OSPF to remove a network from the OSPF area.
B. Once a connection disappears, the router advertising the bad network will send an update from this network indicating an infinite cost.
C. The specific network is not sent out again on the interface it was received on. The network is sent back out on the interface it was received on, but with a metric of one more than the metric in the receive update.

3. In FDDI, the characteristics of "4B/5B Encoding" include: (multiple answer)
A. Sending 4 bits of information using a 5 bit symbol.
B. Increasing the clock rate of the transmitter and receiver to 125Mhz, which establishes an effective data rate of 100Mbps.
C. Increasing the distance between two FDDI stations to more than 2km, when using multi-mode fiber.
D. Providing a workaround for the optical Bypass Relay.

4. Examine the following: Based on the information above, which OSPF configurations listed are valid? (multiple answer)
A. router A router OSPF 1 network 14.0.0.0 0.255.255.255 area 0 router B router OSPF 1 network 14.0.0.0 0.255.255.255 area 0
B. router A router OSPF 1 network 14.1.1.0 0.0.0.255 area 0 router B router OSPF 2 network 14.1.1.0 0.0.0.255 area 0
C. router A router OSPF 1 network 14.0.0.0 0.0.255.255 area 0 router B router OSPF 1 network 14.1.0.0 0.0.0.255 area 0
D. router A router OSPF 1 network 14.1.1.0 0.0.0.255 area 0 router B router OSPF 1 network 14.1.0.0 0.0.255.255 area 0

5. In reorganization, OSPF areas are realigned. Is this a valid network design? If not, what changes could be made to the network and/or router configurations?
A. No changes are necessary.
B. A virtual link could be configured between Area 60 and area 0.
C. A serial line or other physical connections could be installed between devices in Area 60 and Area 0.
D. Router B could be configured as an Area Border Router between Area 60 and Area 6.
E. This is not valid design, and no changes can make it work.

6. Which of the following CGMP (Cisco group management protocol) statements is correct?
A. CGMP manages multicast traffic Catalyst 5000 series switches by allowing directed switching of IP multicast traffic.
B. CGMP will switch IP multicast packets to all ports in one specific VLAN.
C. CGMP filtering requires a network connection from the Catalyst 5000 series to a router running CGMP.
D. CGMP handles ARP, SAP, UDP, SSAP and DSAP.

7
RE: CCIE written questions [7:28862]
If you can remember the questions then you should be able to find your own answers. You are violating Cisco's policy. Please be careful.

Regards,
Ali, Abbas

-Original Message-
From: Yang Jun (Ike Yang) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 9:50 AM
To: [EMAIL PROTECTED]
Subject: CCIE written questions [7:28862]

Dear CCIEs, I failed in the CCIE written exam today and I recall some questions here but can't find the correct answers. Please do help me figure out the correct answers and give me your explanation. Great thanks!

1. In a token ring environment, what is allowed regarding early token release?
A. More than one token can circulate the ring at any given time, but only one data frame is allowed.
B. More than one data frame can circulate the ring at any given time, but only one token is allowed.
C. More than one data frame and more than one token can circulate the ring at any given time.
D. A station releases a free token after stripping the frame from the ring
E. A station can transmit early without waiting for a token to be released from its neighbor.

2. What is the best description of poison reverse?
A. It is a procedure used by OSPF to remove a network from the OSPF area.
B. Once a connection disappears, the router advertising the bad network will send an update from this network indicating an infinite cost.
C. The specific network is not sent out again on the interface it was received on. The network is sent back out on the interface it was received on, but with a metric of one more than the metric in the receive update.

3. In FDDI, the characteristics of "4B/5B Encoding" include: (multiple answer)
A. Sending 4 bits of information using a 5 bit symbol.
B. Increasing the clock rate of the transmitter and receiver to 125Mhz, which establishes an effective data rate of 100Mbps.
C. Increasing the distance between two FDDI stations to more than 2km, when using multi-mode fiber.
D. Providing a workaround for the optical Bypass Relay.

4. Examine the following: Based on the information above, which OSPF configurations listed are valid? (multiple answer)
A. router A router OSPF 1 network 14.0.0.0 0.255.255.255 area 0 router B router OSPF 1 network 14.0.0.0 0.255.255.255 area 0
B. router A router OSPF 1 network 14.1.1.0 0.0.0.255 area 0 router B router OSPF 2 network 14.1.1.0 0.0.0.255 area 0
C. router A router OSPF 1 network 14.0.0.0 0.0.255.255 area 0 router B router OSPF 1 network 14.1.0.0 0.0.0.255 area 0
D. router A router OSPF 1 network 14.1.1.0 0.0.0.255 area 0 router B router OSPF 1 network 14.1.0.0 0.0.255.255 area 0

5. In reorganization, OSPF areas are realigned. Is this a valid network design? If not, what changes could be made to the network and/or router configurations?
A. No changes are necessary.
B. A virtual link could be configured between Area 60 and area 0.
C. A serial line or other physical connections could be installed between devices in Area 60 and Area 0.
D. Router B could be configured as an Area Border Router between Area 60 and Area 6.
E. This is not valid design, and no changes can make it work.

6. Which of the following CGMP (Cisco group management protocol) statements is correct?
A. CGMP manages multicast traffic Catalyst 5000 series switches by allowing directed switching of IP multicast traffic.
B. CGMP will switch IP multicast packets to all ports in one specific VLAN.
C. CGMP filtering requires a network connection from the Catalyst 5000 series to a router running CGMP.
D. CGMP handles ARP, SAP, UDP, SSAP and DSAP.

7. Which statement about RADIUS is true?
A. The RADIUS server must you use TCP for its connection the NAS.
B. AAA can be configured to direct RADIUS authentication/authorization to one server and RADIUS accounting to a different server.
C. RADIUS supports bi-directional CHAP authentication.
D. RADIUS is a proprietary protocol that is necessarily vendor specific.
E. RADIUS supports command authorization.

8. Which statements about TACACS+ are true? (multiple answer)
A. If more than one TACACS+ server is configured and the first one does not respond within a given timeout period, the next TACACS+ server in the list will be contacted.
B. The TACACS+ server's connection to the NAS encrypts the entire packet.
C.
RE: serial up/up w/o cable [7:27604]
It is correct, but according to my knowledge, it will still show down/down even if the cable is attached. The only way to bring it to up/up is if the other side is also connected, along with the encapsulation and other parameters. It is different than Ethernet, where the physical port will go up as soon as the cable is detected.

Abbas

-Original Message-
From: anil [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 28, 2001 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: serial up/up w/o cable [7:27604]

Tom, I don't think you can!! HDLC is the default, and requires a cable attached in order for the router to show "up". There is no way to simulate as far as I am aware. Having said that, someone will prove me wrong no doubt.

-Anil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom E
Sent: Wednesday, November 28, 2001 11:53 PM
To: [EMAIL PROTECTED]
Subject: serial up/up w/o cable [7:27604]

How can you get a serial interface to go up/up without a cable connected? I have tried loop and no keep.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27615&t=27604
Does PIX allow authentication [7:27586]
Does PIX allow you to do authentication between Windows NT computers? For example, if I have a Windows NT server on a DMZ port and a Windows NT domain controller on an internal network, how can I configure the PIX to log on to the PDC on the internal network? This is the same concept as in a router by providing an IP helper address. Can the PIX do such a thing or not? If it can, then what kind of port do I need to open through conduit?

Thanks,
Abbas

Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
Tel: 714.428.3367 Pager: 714.748.4817 Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27586&t=27586
PIX DMZ Issue [7:26419]
I have a problem with DMZ configuration. Here is the scenario.

DMZ port has UNIX Sendmail Server. IP Address 206.2.34.1
Internal port has Exchange Server. IP Address 206.6.182.75

Here is what I did to make it work.

static (dmz,outside) 155.254.128.7 206.2.34.1 netmask 255.255.255.255 0 0
static (inside,dmz) 206.6.182.75 206.6.182.75 netmask 255.255.255.255 0 0
conduit permit tcp host 155.254.128.7 eq smtp any
conduit permit tcp host 206.6.182.75 eq smtp host 206.2.34.1

This is the basic configuration. The customer has an NIS (UNIX) server which is on the internal network at the address 206.6.181.1 and contains all the databases for various applications, including the Sendmail server on the DMZ port. The Sendmail server on the DMZ port can't come online until it contacts the NIS server on the internal network, and because of the PIX it will not allow polling to work from the DMZ port to the internal port unless some static mappings and conduit permissions are allowed. How do I resolve this issue with three things: first the Sendmail server to contact the NIS server at the internal port, and then to deliver emails to the Exchange box?

Regards,
Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
Tel: 714.428.3367 Pager: 714.748.4817 Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26419&t=26419
CCIE Written [7:24043]
Hello Everyone, I am studying for the CCIE Written. Any recommendations? I have been studying Andrew Bruce Caslow's book and also reviewing CCNP materials.

Thanks,
Abbas Ali, AVVID, CCDP, CCNP, MCSE
Network Engineer II
Tel: 714.428.3367 Pager: 714.748.4817 Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24043&t=24043
RE: two routing protocols in one router? [7:23298]
This is not a good idea to run two different protocols in a router unless you have criteria. For example, the router is going to perform redistribution.

-Original Message-
From: Michael Paulson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 21, 2001 4:49 PM
To: [EMAIL PROTECTED]
Subject: Re: two routing protocols in one router? [7:23298]

Admin Distance comes into play when both routing protocols have exactly the same route. For example, route 10.1.1.0 mask 255.255.255.0. If both RIP2 and OSPF know about this exact route then the route from OSPF would be used. This is because OSPF has an admin distance of 110 versus RIP of 120.

Let's take another example. Let's say OSPF knows about the route as part of a larger aggregate such as 10.1.0.0 mask 255.255.254.0 or a /23 mask. Let's also say that RIP2 still knows about the route as 10.1.1.0 mask 255.255.255.0 or /24bit. In this second case the RIP route would be chosen because it has a more exact match. In this case Administrative distance never came into play at all.

Mike Paulson
Network engineer.

tuffgong wrote:
> That is not the case. Routes learned from different protocols are evaluated
> on preference (administrative distance) before checking the prefix's cost.
>
> -Bill
> "Jeff Smith" wrote in message
> news:[EMAIL PROTECTED]...
> > I would say you could run both on a given interface. If routes come in that
> > match, the one with the lowest cost will be placed into the routing table.
> >
> > Jeff
> >
> > >From: "Tan Chee Leong"
> > >Reply-To: "Tan Chee Leong"
> > >To: [EMAIL PROTECTED]
> > >Subject: two routing protocols in one router? [7:23298]
> > >Date: Wed, 17 Oct 2001 21:42:27 -0400
> > >
> > >Hi,
> > >
> > >Just a quick one: can a router run two protocols simultaneously? e.g. RIP2
> > >and OSPF? Perhaps each interface still take care of only one protocol but
> > >the router itself manages two.
> > >
> > >Thanks.
> > >
> > >Cheers,
> > >Chee Leong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24042&t=23298
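The two cases discussed in this thread, as an added example that is not part of the original messages: a small routing table where administrative distance decides which protocol's route is installed for an identical prefix, and longest-prefix match decides which installed route forwards a packet. The class name, method names and next-hop addresses are hypothetical; the OSPF and RIP distances are the ones quoted in the thread, and metric comparison within a single protocol is left out.

```python
import ipaddress

# Administrative distances as quoted in the thread (lower is preferred).
ADMIN_DISTANCE = {"ospf": 110, "rip": 120}


class RoutingTable:
    """Toy routing table: one installed route per exact prefix."""

    def __init__(self):
        # ip_network -> (protocol, next_hop)
        self._routes = {}

    def offer(self, prefix, protocol, next_hop):
        """A protocol offers a route. Returns True if it gets installed.

        Administrative distance is only compared when another protocol has
        already installed a route for the *same* prefix and mask.
        """
        network = ipaddress.ip_network(prefix)
        installed = self._routes.get(network)
        if installed is None or ADMIN_DISTANCE[protocol] < ADMIN_DISTANCE[installed[0]]:
            self._routes[network] = (protocol, next_hop)
            return True
        return False

    def lookup(self, destination):
        """Forwarding decision: the most specific matching prefix wins.

        Returns (prefix, protocol, next_hop), or None when nothing matches.
        Administrative distance plays no part here.
        """
        address = ipaddress.ip_address(destination)
        matches = [net for net in self._routes if address in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        protocol, next_hop = self._routes[best]
        return (str(best), protocol, next_hop)


def same_prefix_case():
    """Both protocols know 10.1.1.0/24: OSPF (110) beats RIP (120)."""
    table = RoutingTable()
    table.offer("10.1.1.0/24", "rip", "192.0.2.1")    # constructed next hop
    table.offer("10.1.1.0/24", "ospf", "192.0.2.2")   # constructed next hop
    return table.lookup("10.1.1.5")


def aggregate_case():
    """OSPF knows only the /23 aggregate, RIP knows the /24."""
    table = RoutingTable()
    table.offer("10.1.0.0/23", "ospf", "192.0.2.2")
    table.offer("10.1.1.0/24", "rip", "192.0.2.1")
    return table.lookup("10.1.1.5"), table.lookup("10.1.0.5")


if __name__ == "__main__":
    print("same prefix :", same_prefix_case())
    print("aggregate   :", aggregate_case())
```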
CCIE Bootcamp [7:23459]
Hello Everyone, I really need someone to help me with CCIE bootcamp. I was actually gonna sign up for one of the practice labs (Cisco Approved), but later I found out that this lab is designed to be on your own. No instructor help. Someone recommended to take the bootcamp offered by ARSLimited.