RE: CA in IPSec
> We will secure by having the root CA off-line and walking
> the ROOT Cert to the RA. Also, the CA cert will remain
> pending until the security admin issues it to the router.

You should note that IOS currently doesn't support cert chaining (subordinate CAs). I learned this the hard way.

TAC tells me, however, that DE is testing two-level hierarchies and that they expect it to ship with 12.1(4)T or maybe first with 12.2.

HTH,
-A
--
Heroes: Vint Cerf & Bob Kahn, Leonard Kleinrock, Robert Metcalfe
Links : http://www.hojmark.org/networking/

**NOTE: New CCNA/CCDA List has been formed. For more information go to http://www.groupstudy.com/list/Associates.html
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: CA in IPSec
> One other thing to note, we are still unsuccessful in
> getting certs from Microsoft to the PIX. According to
> CCO it will only work with Entrust and Verisign.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/pixrn521.htm#xtocid1335820

HTH,
-A
RE: urgent PIX help
> I have only 1 ip address assigned by my ISP, how can I use
> PIX to do NAT? Looks like PIX requires at least 2 outside ip
> addresses, one for outside interface, one for PAT. Is there a
> way to use only 1 ip address?

PIX software 5.2(1) allows you to do this, sort of like the IOS 'overload' parameter to the 'ip nat' command. Try this:

    nat (inside) 1 0 0
    global (outside) 1 interface

HTH,
-A
RE: urgent PIX help AGAIN
> One more question: when I configure PIX as DHCP server, it
> only allows 10 addresses in the pool.
> Is 10 max?

Yes, 10 is max. It's in the command reference.

The PIX wasn't meant to be a large-scale DHCP server. It's a firewall and if you need extensive DHCP server capabilities, you should run that on another platform.

-A
RE: Cisco support for VRRP any platform ?
> Does anyone know if any IOS version supports VRRP on any of
> the standard platforms?
>
> Not yet. We are working on a VRRP implementation though.

I think you meant to write 'Not yet on the routers'. I'm sure some of the boxes you've bought recently (such as the CSS / ArrowPoint switches) do support VRRP.

> HSRP offers much more functionality than VRRP, but of course
> it is limited to usage with other Cisco devices.

Actually, since HSRP is documented in RFC2281, other companies could have implemented it if they wanted to. I guess they don't feel VRRP lacking in functionality, since they haven't.

-A
RE: SNMP process [7:28134]
> on our core router, every once in a while we will drop some
> telnet connections. When this happens I look at "show proc
> cpu" and see that overall util is 89% in which 69% of that
> traffic is snmp. Obviously this is not good.

An obvious suggestion would be to stop asking the router so many questions (via SNMP). If you're unsure who's generating the SNMP traffic, set up an access-list to block it.

If you're looking for something else than that, please be more specific.

-A

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28134&t=28134
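An added example, not part of the original post: once an access-list with the `log` keyword is blocking SNMP, the router's syslog shows who is doing the polling, and the script below tallies those sources. The ACL number 101, the addresses and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed ACL (hypothetical number 101), applied inbound on the router:
#   access-list 101 deny   udp any any eq snmp log
#   access-list 101 permit ip any any
# Constructed sample of the syslog lines such an entry produces
# (documentation addresses from RFC 5737).
SAMPLE_LOG = """\
Dec  3 10:01:07: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.23(1042) -> 192.0.2.1(161), 1 packet
Dec  3 10:06:07: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.23(1042) -> 192.0.2.1(161), 412 packets
Dec  3 10:06:09: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.77(53011) -> 192.0.2.1(161), 3 packets
Dec  3 10:06:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.77(40112) -> 192.0.2.1(23), 1 packet
Dec  3 10:07:00: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def snmp_pollers(log_text, acl="101"):
    """Return Counter {source IP: packets} for UDP/161 hits on the given ACL."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl:
            continue  # unrelated syslog message or a different ACL
        if m["proto"] != "udp" or m["dport"] != "161":
            continue  # ACL hit, but not SNMP polling
        totals[m["src"]] += int(m["count"])
    return totals

def top_pollers(log_text, n=5):
    """Sources ordered by packet count, heaviest first."""
    return snmp_pollers(log_text).most_common(n)

if __name__ == "__main__":
    for src, pkts in top_pollers(SAMPLE_LOG):
        print(f"{src:15} {pkts} packets")
```

Packets that match a logging ACL entry are process-switched, so on a router that is already CPU-bound the `log` keyword should come off again once the polling sources are known.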
RE: Cisco 2950-24 [7:31215]
> does anyone have any experience with the Cisco 2950-24 port
> switch?

Yep. The 2950's are cheap, OEM'd hardware running Cisco IOS (modelled on the C6K Native IOS software). A few things (such as ISL) can't be done because the ASICs are OEM'd. They're cheap, but I think that's all the nice stuff I can find to say about them.

The 2950Gs are quite another story. They're better than the 3500 XL series (on QoS and security for example) for the same price or lower. Quite nice.

HTH,
-A

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31215&t=31215
RE: Links and Information to Virtual Labs...
> I'm looking to compile and collect a list of links of
> Virtual labs such as Virtual Rack and CCIEbootcamp.

Try http://www.hojmark.org/networking/general.html#stu

(No, I haven't used any of them).

HTH,
-A
L2TP on IPSec CA, from W2K to IOS
Has anyone successfully made Windows 2000 clients connect to IOS routers with L2TP on IPSec with a CA?

We're trying to make this work to a couple of 7100s without much luck. The W2K clients connect just fine to a W2K server and two routers also connect fine to each other, but the Windows machines cannot connect to the routers when using a CA. (When run with pre-shared keys, everything is fine and dandy).

The Windows machines were configured according to the paper "L2TP and IPSec - Cisco IOS and Microsoft Windows 2000" by Natalie Timms, Cisco.

We have tried 12.0(7)T, 12.1(2) and 12.1(2)T. The first two just don't work, the last one crashes the router when we attempt to connect from the Windows machine.

Any thoughts are welcome,
-A
RE: CLNS and ISIS in R&S Lab??? [7:21602]
> By considering the fact that CLNS is no more a part of R&S
> Lab syllabus, how far they can go to ask about ISIS??

I attended the CCIE Power Session at Networkers 2001 here in Copenhagen this Saturday, and they said something along the lines of: "Know how to configure basic ISIS for IP. It will be in the lab, though not all of them".

> As far as I know there are many things which require support
> of CLNS in ISIS??

For routing IP? No, not really.

-A

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=21602&t=21602