RE: how about ccie salary in US? [7:71143]

2003-07-03 Thread Carroll Kong
 exam, perhaps with some open ended 
elements.
- If Cisco kept a log of the performance of the individual, such as 
number of retakes, the quality of their feedback, then at least 
employers could call Cisco to get a better feel.  Of course, not even 
medical schools do this though if I remember correctly.

I am just very strongly against the instant filter due to number of 
years of experience since that means so little to me and from what 
my clients have experienced.  From what I see, the CISSP does that to 
just mask the fact that their written exam is just a bookworm exam of 
little practicality.  (from what I have heard).

If anything, I would rather see Cisco improve the difficulty of the 
exam itself, rather than employ such filters.  I feel that such a 
filter would not really affect the quality in a positive manner as 
greatly as you think, but would decrease the supply which is 
beneficial to existing CCIEs.  If that is the end goal, let's do it!  
:)  I just think it is grossly unfair and slows down individuals.

For the CCIE, we should be putting up signs you have to be this 
height (you need these skills), not you have to be this age. (you 
need to be this old)


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71837t=71143
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: ISDN connect/disconnect issue [7:71845]

2003-07-03 Thread Carroll Kong
 Hey folks:
 
 I'm struggling with an ISDN issue in which the call comes up, but then is
 immediately dropped without the interesting traffic being sent.  I'm an
 ISDN neophyte, so I'm more than willing to admit a config error on my part,
 but from what I can see, my first thought is that it's a provider issue. 
 Anyone ever experienced this before?
 
 Thanks,
 
 BJ
 
 
 Debug dialer shows:
 
 Jul  3 15:02:14.261: BR0/0 DDR: Dialing cause ip (s=w.x.y.z+1, d=w.x.y.z)
 Jul  3 15:02:14.261: BR0/0 DDR: Attempting to dial (number)..
 Jul  3 15:02:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
 Jul  3 15:02:18: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to
 (number)
 Jul  3 15:02:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
 Jul  3 15:02:18.045: BR0/0:1 DDR: disconnecting call
 
 Debug isdn q921 shows:
 
 Jul  3 15:05:35: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to
 (number)
 Jul  3 15:05:35: %ISDN-6-DISCONNECT: Interface BRI0/0:1  disconnected from
 (number) , call lasted 1 seconds
 
 Debug isdn q931 shows:
 
 Jul  3 15:08:03.270: ISDN BR0/0: TX - SETUP pd = 8  callref = 0x0C
 Jul  3 15:08:03.270: Bearer Capability i = 0x8890218F
 Jul  3 15:08:03.274: Channel ID i = 0x83
 Jul  3 15:08:03.274: Keypad Facility i = 'number'
 Jul  3 15:08:03.470: ISDN BR0/0: RX  CONNECT_ACK pd = 8  callref = 0x0C
 Jul  3 15:08:07.354: ISDN BR0/0: RX  RELEASE pd = 8  callref = 0x0C
 Jul  3 15:08:07.402: ISDN BR0/0: RX  Feature Indicate i = 0x8100
 Jul  3 15:08:07.450: ISDN BR0/0: RX  
 Relevant Config:
 
 interface Dialer16
  description ISDN dial backup to John Doe
  bandwidth 56
  ip address w.x.y.z+1 / 30
  no ip directed-broadcast
  ip nat outside
  encapsulation ppp
  dialer remote-name JohnDoe
  dialer string (number) class top1r2
  dialer pool 6
  dialer-group 1
  pulse-time 0
  ppp authentication chap
 
 interface BRI1/5
  description ISDN dial backup Group #6
  bandwidth 56
  no ip address
  no ip directed-broadcast
  encapsulation ppp
  dialer pool-member 6
  isdn switch-type basic-ni
  isdn spid1 (x)
  isdn spid2 (y)
  no fair-queue
  ppp authentication chap
 
 map-class dialer top1r2
  dialer idle-timeout 1800
  dialer isdn speed 56
 
 (interesting traffic defined as all TCP)

Let us see some debug ppp auths.  I am curious if the issue is an 
authentication issue.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71850t=71845
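As an added illustration (not part of the thread, and not BJ's or Carroll's code), here is a small Python triage over the kind of "debug dialer" and ISDN syslog lines BJ posted: it pairs each %ISDN-6-CONNECT with the LINK-down or %ISDN-6-DISCONNECT that ends it and flags calls that drop within seconds of connecting, the pattern where the PPP authentication debug Carroll asks for is the natural next step. The log lines are constructed from the formats quoted above; the function names, the Call dataclass and the 5-second threshold are assumptions.

```python
"""Triage short-lived ISDN calls from Cisco 'debug dialer' / ISDN syslog output.

Added example for this thread, not the poster's code.  Function names, the
Call dataclass and the 5-second "short call" threshold are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the lines BJ quoted: one call that drops the
# instant it connects, one reported as "call lasted 1 seconds", and a healthy
# 30-minute call for contrast.  "(number)" placeholders are kept as posted.
SAMPLE_LOG = """\
Jul  3 15:02:14.261: BR0/0 DDR: Dialing cause ip (s=w.x.y.z+1, d=w.x.y.z)
Jul  3 15:02:14.261: BR0/0 DDR: Attempting to dial (number)..
Jul  3 15:02:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
Jul  3 15:02:18: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to (number)
Jul  3 15:02:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
Jul  3 15:02:18.045: BR0/0:1 DDR: disconnecting call
Jul  3 15:05:35: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to (number)
Jul  3 15:05:35: %ISDN-6-DISCONNECT: Interface BRI0/0:1  disconnected from (number) , call lasted 1 seconds
Jul  3 16:10:02: %ISDN-6-CONNECT: Interface BRI0/0:2 is now connected to (number)
Jul  3 16:40:07: %ISDN-6-DISCONNECT: Interface BRI0/0:2  disconnected from (number) , call lasted 1805 seconds
"""

# IOS timestamp prefix, with or without milliseconds: "Jul  3 15:02:18.045: ..."
_TS_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<ms>\d{1,3}))?: (?P<msg>.*)$"
)
# Syslog messages name the B-channel as "Interface BRI0/0:1"; the DDR debug
# lines use "BR0/0", so calls are keyed on the syslog form only.
_IFC_RE = re.compile(r"Interface (?P<ifc>[A-Za-z]+[\d/.:]+)")
_LASTED_RE = re.compile(r"call lasted (?P<secs>\d+) seconds")


@dataclass
class Call:
    channel: str
    connect_at: float                      # seconds since midnight
    disconnect_at: Optional[float] = None
    end_reason: Optional[str] = None       # which message closed the call
    reported_secs: Optional[int] = None    # "call lasted N seconds", if logged

    def duration(self) -> Optional[float]:
        if self.disconnect_at is None:
            return None
        return round(self.disconnect_at - self.connect_at, 3)


def parse_line(line: str):
    """Split one log line into (seconds since midnight, message), or None."""
    m = _TS_RE.match(line.strip())
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    frac = int(m["ms"].ljust(3, "0")) / 1000.0 if m["ms"] else 0.0
    return secs + frac, m["msg"]


def extract_calls(log_text: str) -> list:
    """Pair each %ISDN-6-CONNECT with the %ISDN-6-DISCONNECT or LINK-down that ends it."""
    open_calls = {}
    calls = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        ifc_match = _IFC_RE.search(msg)
        if ifc_match is None:
            continue                         # DDR debug chatter; no syslog interface name
        ifc = ifc_match["ifc"]
        if "%ISDN-6-CONNECT" in msg:
            open_calls[ifc] = Call(channel=ifc, connect_at=ts)
        elif "%ISDN-6-DISCONNECT" in msg or ("%LINK-3-UPDOWN" in msg and "changed state to down" in msg):
            call = open_calls.pop(ifc, None)
            if call is None:
                continue                     # link-down after the call was already closed
            call.disconnect_at = ts
            call.end_reason = "ISDN-6-DISCONNECT" if "%ISDN-6-DISCONNECT" in msg else "LINK-3-UPDOWN down"
            lasted = _LASTED_RE.search(msg)
            if lasted:
                call.reported_secs = int(lasted["secs"])
            calls.append(call)
    calls.extend(open_calls.values())        # calls still up at end of log
    return calls


def triage(calls, short_threshold: float = 5.0) -> list:
    """Flag calls that connected but were torn down within short_threshold seconds."""
    findings = []
    for c in calls:
        d = c.duration()
        if d is None:
            findings.append(f"{c.channel}: connected, no disconnect seen in log")
        elif d <= short_threshold:
            findings.append(
                f"{c.channel}: B-channel connected, then dropped after {d:.3f}s "
                f"({c.end_reason}); the ISDN call itself set up, so capture "
                f"'debug ppp authentication' on both routers next"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(extract_calls(SAMPLE_LOG)):
        print(finding)
```

Run against a real "debug dialer" capture with `show logging` output pasted into SAMPLE_LOG; calls that never reach CONNECT are not reported, since those point at Q.931 or the provider rather than PPP.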


RE: how about ccie salary in US? [7:71143]

2003-07-01 Thread Carroll Kong
 let's put it this way...there are ways of correlating medical 
 laboratory tests  that I worked out on my own. Indeed, when I was 
 about 16, I came up with a hypothesis independently (but triggered by 
 an aside in a paper on something else) that;
  (1) it would be clinically useful to be able to give penicillin along
  with something that protected it from penicillinase, a bacterial
  enzyme that destroys it and is one mechanism of resistance.
  (2) there existed at least one compound, which really hadn't been
  investigated, that could inhibit penicillinase.
 
 When I entered college, I did get permission to do this as 
 independent research, but it didn't go very far for many reasons. The 
 big one is that I wasn't economically or emotionally ready for 
 college.  Second, I had no real budget for the project, and my 
 basement biological warfare lab (well, it was for a fungus, not a 
 bacterium, but in principle could have grown anthrax) was just too 
 improvised -- I lost about 2 out of three batches due to 
 contamination in the air supply. Third, while I actually understood 
 the theory of some of the measurements I wanted to take, I didn't 
 have the hands-on skill to use some of the instruments. (Again a 
 ...well... I'm now ok with using a dual beam UV spectrophotometer, 
 but I still can't do RJ45 crimps worth anything0.
 
 But in the current case of monitoring potential infection, I learned 
 that from a particular physician -- I've never seen it in a textbook. 
 What I'd say is that a bright med student will work out some 
 techniques, but there are a very wide range of unwritten methods that 
 are best learned by mentoring. Learning to take blood from a vein is 
 a reasonable example -- oh, it's written up well, but there's no way 
 I know to learn the feeling of the two pops -- once when you get 
 through the outermost skin, and once when you enter the vein. It 
 takes constant practice to remain competent at this -- I could still 
 probably draw blood from you, but it wouldn't have been fun for 
 either of us.

I knew it!  You are the Doogie of Networking, save for his social 
skills (or so you say!)!  :)

I suppose if the networking realm was a bit smaller, what would be 
great is a mentor system.  Kind of like back in the older medieval 
days.

I see, tis you, Squire Carroll Kong of the Knight Howard C. 
Berkowitz.  Truly your skills have grown under this apprenticeship!  
We have great need of squires of the Knight Berkowitz!  How is the 
Dame Priscilla Oppenheimer? - says the now more qualified Human 
Resources of .

So at least one can have a far superior vouching system.  Nowadays, 
if I let potential clients know Yes, I have read many of Knight.. 
er.. Howard C. Berkowitz's books.  Designing Routing and Switching 
Architectures was my favorite book.  Yeah, I might get a wow I 
read that book too and get hired, but I think more likely I would 
get the umm.. yeah.  So, can you cook up a site to site VPN for me 
with Cisco routers and Netscreen firewalls or what?

After the vouching system, add in some mandatory time in the 
Arena.. er.. Cisco Labs.  Then make them take the Trial Of 
Fire...(True Conflagration) er.. CCIE Lab, and voila!  Of course they 
can always pick the Trial Of Little Flame or... Trial of Smaller 
Conflagration..., but it's not mandatory.


 Hahh...Doogie had MUCH better social skills.

Haha, or so you say!  If you can communicate and write well... surely 
your social skills cannot be lacking!  I suppose we are talking 
further back... I will admit, my social skills weren't that good 
then.

 Most of the busy body corporations tend to care more about the
 now and the instant command gratification.  ooh ooh he can make
 it better.  There is a very nasty stigma that design is easy, but
 who cares, can he make it work?
 
 Personally I am a bigger fan of a solid design, and so are quite a
 few of the more exceptional companies, and obviously the research
 field.  Unfortunately, I think the market plays down the very area we
 care for, and because of that it is not marketable for Cisco to push
 that angle.  Furthermore, one could easily argue that the design
 aspect, unless carefully monitored, would be even easier to copy
 than the labs now.
 
 Oh I just happened to like that design layout... 
 Really?  The last 50 individuals all did it the same way too
 hmm... and it's wrong.  :)   ways
 
 It's pretty trivial to be able to auto-generate small but important 
 changes in design scenarios. I even have a test engine for 
 adaptive administration of lab scenarios.

Given that Cisco tries that, it would not be as hard to generate 
different tests, since they can always generate the slight changes.  
Furthermore they can restrict feedback on the exam (they somewhat do 
that currently).  However, I wonder if even then it would be a small 
enough domain to be vulnerable to the oh so wonderful braindumps 
and bootcamps.

What if Cisco

RE: how about ccie salary in US? [7:71143]

2003-06-30 Thread Carroll Kong
 
it better.  There is a very nasty stigma that design is easy, but 
who cares, can he make it work?

Personally I am a bigger fan of a solid design, and so are quite a 
few of the more exceptional companies, and obviously the research 
field.  Unfortunately, I think the market plays down the very area we 
care for, and because of that it is not marketable for Cisco to push 
that angle.  Furthermore, one could easily argue that the design 
aspect, unless carefully monitored, would be even easier to copy 
than the labs now.

Oh I just happened to like that design layout... 
Really?  The last 50 individuals all did it the same way too 
hmm... and it's wrong.  :)  


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71626t=71143


RE: how about ccie salary in US? [7:71143]

2003-06-28 Thread Carroll Kong
 at their own pace (the hourly time for pilots CAN be 
done at your own pace, so I would strongly enjoy that modification, 
so, let it be some Cisco certified lab where people spend time in 
it).

I will admit though, the exam itself probably is NOT hard enough to 
really weed the bad seeds out.  If the exam was longer, more 
extensive, had more feedback, required written documents (anything 
with an open ended kind of answer), had a big party of technical 
advisors to review, yes, it would be better.  But as Howard pointed 
out, this is too slow... and I am sure even you would agree it would 
be great but WAY too slow and expensive for Cisco, who clearly wants 
to see their CCIE count grow... just like the rest of the major 
vendors.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71571t=71143


Re: Cosmic rays?? [7:71402]

2003-06-26 Thread Carroll Kong
Cosmic rays typically cause some bits to flip, hence the big need 
for parity memory (but now the more advanced and self-correctable 
ECC).

Although, you are usually okay in an enclosed environment.  
(supposedly people get quite a few errors with modern memory if they 
sit it by the sun light... :) )  Errors can still occur without the 
assistance of cosmic rays arbitrarily flipping bits.  (yes, it has 
been known as a legitimate cause for bit flippage, but doubtful that 
was your case).

Sounds more like just a flakey card.  All sorts of things could have 
caused the card to start acting flakey.

Of course these types of failures can be generically funneled as 
software or hardware.  Although which one is it hmmm.  ;)

Unless the hardware has some super diagnostics (ever see some of 
those high end Sun workstations?), might have to do the old fashioned 
way and isolate the problem (either software or hardware) and try to 
move from there.

i.e.  can you get a replacement card?  It can be the card, 
interconnect on the router, router itself (motherboard, memory...), 
but more likely the other two.

How long has the card worked before in the past?  On what version of 
code?  Was there any increase in loads after moving to the latest 
version?  Any patterns of usage that can repeat the error?  Can they 
be cross referenced to any known bugs?

If you can repeat the error with a certain combination of actions, it 
leans a bit more towards software.

Curious, so if the diagnosis was cosmic rays... what was their 
proposed solution?  I hope it was not... oh well, crap happens, good 
luck!

 We have a Cisco  VIP card plugged into a 7500 router. Every once in a while
 the card  just stops working and sometimes it gets stuck so hard that we
 have to reload the microcode. The last we did that, the router crashed and
 had to be reset (Ugly!). Well, it gets worse. After having to convince the
 guys at the local Cisco office to help us in this issue, they came to our
 facilities and began their analysis. To make a long story short, they told
 us that these problems were caused by cosmic rays! We almost fainted!
 Cosmic rays!
 Has anybody around here ever heard of this problem in this combo?  Let me
 tell you this router is not installed in a spaceship or something like
 that, it's just an ordinary datacenter.
 Any ideas about what the real problem might be?
 
 P. S. The router is using a recent version of IOS (newer than 12.1) and has
 been patched as per the Cisco site.
 
 Thanks a lot for any advice on this issue.
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71418t=71402


RE: how about ccie salary in US? [7:71143]

2003-06-26 Thread Carroll Kong
 this, but there are dedicated background-check companies
 who do this as their main business and Cisco would contract with one of
 them. Or if you really want to get down to it, you can do what the
 government does before assigning secret clearances, including interviews of
 random coworkers and so forth.

Well, the first part is STILL suspect to what I described earlier 
(trimmed out of this post, sorry), which is some managers do not know 
how bright individuals are.  How can they?  They are not technically 
ultra savvy themselves!  It is what I call the local guru syndrome. 
 The guy who is your friend's sister's cousin's computer expert.  The 
guy who says Mavis Beacon version 10 will corrupt Windows XP because 
it has keyboard drivers in it.  The guy who says Netbios is 
absolutely unrouteable and has 3 years to back it up.  The guy who 
was left unchecked and let his ego make him believe he is the master 
of all technical computer knowledge!  Anyway, (sadly enough only the 
last example was an exaggeration), so the local guru convinces his 
manager and others that he is good.  I am sure he is great, 
relatively speaking, but put in a pro to compare, and he turns into 
silly putty.  The manager, without seeing the pro, will give this guy 
the thumbs up because he has won the local guru award.

As for the random government contact bit, I think that would work a 
bit better, since colleagues tend to have a better view on the 
technical skills of each other rather than the manager.

 Now again, could this procedure be corrupted?  Of course.  It's not
 perfect, no solution is.  But I believe it's still a substantial improvement over
 what we got right now.  Like I said, common sense dictates that a caresser
 CCIE is on average better than a lab-rat ccie.   Both guys have passed the
 test, but at least the caresser has worked on real network.  True, he
 didn't do much on that real network, but he still did more than the labrat
 who has, by definition, never worked on a real network.

Oh no doubt, I understand NO system can be 100% perfect.  However, 
this solution eliminates potentially very bright individuals with 
less years of experience, but potentially significantly much higher 
quality of experience.  I suppose without statistics here, you could 
easily argue that sample is too small.  If I do see some solid 
statistics on it, I will agree with you then.

If the sample is too small, fine.  If it is a fair amount, I think we 
should reconsider.  You are trading one set of bad apples (lab 
rats) for a set of bad oranges (router caressers) and demolishing 
innocent candidates (the people who should be certifying) in the 
process.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71465t=71143


RE: Quoting in Replies [7:71366]

2003-06-25 Thread Carroll Kong
Until it becomes such an unwieldy and nasty message...  Sometimes I 
take out some of the messages to avoid gargantuan replies.

Sometime I post inline to directly respond to certain viewpoints.  
Otherwise you tend to get that nasty... um.. you didn't answer that 
question syndrome.

I think quoting relevant info is good, not sure on the entire bit.  
Some of the other mailing lists I am on suggest I do not quote every 
little detail to avoid the gargantuan replies of doom.  ;)

 I agree. I was going to rag about this the other day, but figured that many
 people on this list already think I bi*ch too much about other things! :-)
 
 Shawn K.
 
 -Original Message-
 From: John Neiberger [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, June 25, 2003 2:34 PM
 To: [EMAIL PROTECTED]
 Subject: Quoting in Replies [7:71366]
 
 Okay, this is getting really old, really fast.  When responding to a post,
 PLEASE QUOTE WHAT YOU'RE REPLYING TO!  The number of unintelligible posts
 is increasing and some simple quoting would help immensely.
 
 Perhaps the issue is that if you use the web-based board to post a quote
 does not happen by default.  So, if you are using the board to reply to
 posts, please hit the QUOTE button and edit appropriately. 
 
 Thanks,
 John (who is exceptionally grumpy today, and it shows.  Sorry about that.)
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71389t=71366


RE: how about ccie salary in US? [7:71143]

2003-06-24 Thread Carroll Kong
A lot of us have mentioned that it is not usually just the raw 
certification that gets the job, and in some cases, not even both 
experience and the certification.

Even NRF has mentioned diversity is the key, but on top of that 
people skills.  Lack people skills, you will find yourself not making 
as much as you could be (within a reasonable degree considering 
realistic opportunity costs).

As you mentioned as well, depending on the kind of job you are going 
for and the politics involved around it, a certification may be 
useful, experience may be useful, the people skills...there is a 
whole plethora of things and all of the importance levels of each 
requirement vary greatly for each job.

Basically, I do not think it is easy to make a full checklist of all 
the things you need and if you do it, you will instantly get the job. 
 It changes per job a lot.  Employers have different requirements and 
goals.  I think at best we can leave it at that.

NRF is not saying diversity is not the key either, all he is saying 
is that, considering all of those requirements that I mentioned, 
NRF is saying that the CCIE alone will almost certainly never match 
most of the jobs out there.

I am assuming NRF means such because he has not explicitly mentioned 
otherwise.  All he said was, the CCIE alone is not enough.  I think 
he responded to the Linux vs CCIE thread by saying how most should 
know both, but not necessarily go all gung ho on the Linux cert.

 I'd say diversity is the key.  I know several CCIEs who, outside of R/S
 don't have much to offer in the way of skillset and they are not commanding
 as high of salaries as guys without a number but deeper and more diverse
 expertise.  It totally depends on the individual, the need, the location
 and the experiences (which are unique to and every one of us).
 
 Will Gragido CISSP CCNP CIPTSS CCDA MCP
 Suite 325 9450 W. Bryn Mawr Ave. 
 Rosemont, Il 60018
 [EMAIL PROTECTED]
 The Knowledge Behind The Network
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of nrf
 Sent: Monday, June 23, 2003 7:39 PM
 To: [EMAIL PROTECTED]
 Subject: Re: how about ccie salary in US? [7:71143]
 
 - jvd wrote:
  
  I wonder if anybody is going to have anything positive to say
  about this post?
 
 So basically, you want us to lie, eh?  ;-.  
 
 Seriously, CCIE salaries have been down for awhile and any honest
 discussion about salaries is going to be necessarily negative.  When something's
 black, it would be a lie to call it white.
 
 As far as the original question, so much depends on your experience level,
 the geographical location, things like holding a degree (or not).  Strong
 candidates that have lots of experience, are well educated, and are in
 places can still pull nice salaries.  But I'm also aware of CCIE's applying
 for positions that pay less than 30k - and not getting them.  The point is
 that the CCIE by itself guarantees nothing.
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71238t=71143


Re: netbios [7:71084]

2003-06-24 Thread Carroll Kong
From my /etc/services...

netbios-ns      137/tcp    # NETBIOS Name Service
netbios-ns      137/udp    # NETBIOS Name Service
netbios-dgm     138/tcp    # NETBIOS Datagram Service
netbios-dgm     138/udp    # NETBIOS Datagram Service
netbios-ssn     139/tcp    # NETBIOS Session Service
netbios-ssn     139/udp    # NETBIOS Session Service

I believe that these are the NetBIOS over TCP/IP instantiations, so to 
speak.  While NetBIOS can easily be run over IPX/SPX or even NetBeui, 
clearly a tcp/ip port number has to be relevant in that case.

[rant mode]

I cannot blame you for the confusion as Priscilla mentioned that 
quite a few people somehow believe it is not.  I think they are 
confusing it with NetBeui which technically has nothing to do with 
each other.  (yes the name Netbeui means Netbios Extended User 
Interface, but still, technically nothing to do with each other in 
terms of NetBios functionality, it can ride over other network 
transports)

I have had countless debates and arguments where people insisted they 
are bound to the hip or interchange their names like candy.

Here is an interesting excerpt of some dialog I had at a startup I 
worked at years ago.

Premise:
When dealing with two separate LANs, as defined as Layer2 domains

"Is it possible to get network neighborhood to work between the 
upstairs and the basement?" - VP/Sales
"Sure, we just need to bind Netbios over TCP/IP and make sure we can 
route over the two different networks.  We might need to deal with 
WINS for seamless naming integration but it should work fine 
otherwise." - Carroll
"You also will need NetBeui." - Other Tech Guy
[Trying to be nice].  "No, sorry [Other Tech Guy], I am pretty sure 
you will not." - Carroll
"Yes you do." - Other Tech Guy
[Still trying to be nice.].  "Well, I do not think you do, since 
Netbeui is a transport protocol, and Netbios rides on top of any 
protocol it wants to.  You already have TCP/IP as your transport, you 
do not need Netbeui, and on top of that, Netbeui will not cross over 
the LAN." - Carroll
"You are wrong, you need Netbeui." - Other Tech Guy

Trying the "wait, look there is a transport, you only need one" 
angle.

"But, if that was true, how come I can get a Unix box with Samba to 
work with a Windows machine.  TCP/IP is the transport there, my Unix 
box has no concept of NetBeui yet it works." - Carroll
"Look, Carroll, I have been in the ISP business for over 5 years, I 
think I know what I am doing." - Other Tech Guy

Not that I could see the relevance of NetBeui in an ISP, just that he 
was clearly pushing his "move aside, greenhorn" argument instead of 
trying to sensibly attack the problem through theory.

Well, since the other tech guy was older than me, and supposedly 
far more experienced, they made sure Netbeui was on every machine.  
Sigh, I had other responsibilities rather than to go around proving 
him wrong.  But experiences like these are what make me say...

-  Check the theory and make sure it sounds right.
-  Check the practice, make sure it works right.
-  I don't care about your past experiences; technology moves so fast 
it invalidates so many truisms within months.

The guy was wrong on 1, 2, and... for 3, he never had a truism to 
begin with, just a false sense of knowledge of the systems he worked 
with.

As with those logical fallacies, it does not matter how smart or how 
great your past work is, people can make mistakes.  If you say 
something that is true in the "now", it is true.  If you say 
something that is false in the "now" it is false regardless of your 
past history.

 hi pple, well the reason why i ask this is because, recently i was told by
 my network manager that there is a virus which uses netbios (udp 137, tcp
 138 and tcp 139) as a transport and had acrosses the WAN from a spoke site
 to a hub site. And i was told to put an ACL by blocking the above port on
 the fastethernet interface, well i was kind of confuse as in, i remember
 that netbios arnt routable across the WAN, IF, and i mean IF there is
really
 such virus uses this ports, they shouldnt be able to traverse to the other
 site across the WAN rite?? And when i did some debug ip packet, the udp 136
 and or ofcourse the tcp138 and 139, was captured and dropped! at the
 fastethernet interface and TR interface (i had place the ACL on both
 fastether and TR) but when i place it on the serial, i dun see any udp 136
 at all!...i jus need some clarification from people at this forum here

-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71235t=71084


RE: number of CCIE [7:70151]

2003-06-23 Thread Carroll Kong
 But that's really neither here nor there.  At the end of the day, more
 bootcamps = easier test.  Why there are more bootcamps around today is
 unimportant for purposes of this discussion.  It doesn't matter why - so
 why ask why.  All that matters is are there more bootcamps.
 
 Now again, I would reiterate that I don't have a problem with bootcamps per
 se. I see them as basically inevitable.  But on the other hand, it does
 mean that Cisco must make the exam even more difficult to compensate for the
 effects of the bootcamps.

Right, I think I mentioned that in my earlier post (that ultimately 
it doesn't matter what caused the cycle, just that the net result is 
an easier exam).

Of course how to make it difficult, in a fair fashion is yet another 
animal.

 Personally I think the best way to solve this problem is to force people to
 recertify by taking the current lab exam again.  No more of this BS where
 guys can just take a written exam to recertify.  You want to continue
 calling yourself a CCIE?  Then you should have no problem in passing the
 lab again.  Otherwise, we'll convert your status to 'retired CCIE' or CCIE
 emeritus or something like.

Yeah but that would clearly decrease the number of CCIEs, which can 
be viewed as a good or bad thing.  Cisco does want more CCIEs to some 
degree, yet it can hurt them if there is no longer a true upper 
echelon of certification anymore.

Ironically if they make a new tree, such as the REAL CCIE, it only 
turns the current CCIES into a pile of ugly ducklings and validates 
all the nay-sayers of the CCIEs.  :)

 Hey, don't get me wrong, I'm not saying it is a total negative.  But I
 dispute the fervent contention of some that it's a total positive.

 I think it is very difficult to adjust any complex system to 
get a total 'positive' when they are upgraded.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71098t=70151


Re: number of CCIE [7:70151]

2003-06-22 Thread Carroll Kong
Hmmm that might work.  However, while you say someone good with 
concepts will do well, that is what I always thought earlier, until a 
good amount of members on this list and in the real world insisted 
that good knowledge of theory won't get you anywhere on the CCIE 
exam, only hardened practice.

Granted, you probably need a good mixture of both, and I feel strong 
theory is worth a heck of a lot more than just mindless practice.  
(and I mean really understanding it, not just saying oh yeah it.. 
um.. makes packets move).

I guess we have to wonder what Cisco's ultimate goals are.  If they 
decreased the lab time and altered the exam to be more 'streamlined' 
and 'easier', why would they immediately step backwards?

I think your ideas are very good in increasing the difficulty of the 
exam, but this is just going to be a big expensive variation war, 
somewhat like hackers vs developers and hackers vs virus scanner 
software companies.

If Cisco wanted more CCIEs out in the field, why would they want to 
engage in this expensive battle anyway?  If they truly wanted to 
increase the value, why take the steps they have taken now such as 
decreasing the lab time and making it more streamlined?

 That's a decent first step. 
 
 But I would go further.  I would actually mix up the equipment.  Let me
 explain.
 
 The final objection I have heard is that it will make test grading harder.
 For example, one person might get the ISDN rack and fail whereas he might
 have passed if he had gotten  the switching rack, or something like that,
 and therefore a certain element of dumb luck enters into the fray. First of
 all, that already happens now - if you happen to get test questions on
 subjects that you know very well, you are far more likely to pass than if
 you get test questions on subjects that you know poorly.  Second of all,
 hey, welcome to the real world, where no 2 networks are alike.  Again, if
 your grounding in concepts is good, you should be able to handle the
 variety.  Third, need I say it, such objections could be properly addressed
 through my old idea of relative scoring (but I digress)
 
 Anyway, the point is, now I think it is time for Cisco to seriously
 consider using different racks.  I see little reason besides inertia and nostalgia
 for all test racks to always be exactly the same.
 


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71099t=70151


RE: number of CCIE [7:70151]

2003-06-20 Thread Carroll Kong
 Carroll Kong wrote:
 
 Hey, I don't want to take either of them again if I don't have to.  But if
 I was forced to make a choice, I'd prefer to take the singlet over the
 doublet.  It's like being punched in the face once vs. being punched twice.

Well I cannot say anything specific against it since I was never in 
that situation.  However, I guess you are right, anything to delay or 
prolong that nasty feeling.  ;)

 I'm afraid I have to disagree about the speed aspect of the test.  The fact
 of the matter is that the speed component of the test is greatly overrated,
 whether we're talking about the 1 or the 2-day versions.  Take the 1-day
 version of the test.  The fact is, if you're not essentially done with
 everything by 1 or 2 PM, you're probably DOA.  I remember in both of my
 successful 1-day tests, I sat around for about 2-3 hours at the end with
 nothing to do - I checked all my work, reread the test questions over and
 over again, and was quite frankly bored.  The same was true of my 2-day
 test, again, I had done everything on both days by mid-afternoon and I just
 sat around with nothing to do but check my work over and over again.  Nor
 is my experience unique - I think that most CCIE's would agree that if
 you're not done with several hours to spare, you're probably not going to
 pass.  I would venture that very few people that have passed the test have
 actually required all of the test time that was allotted to them.

Actually, you are right.  I was essentially done, with a fair chunk 
of time remaining as well, I just triple checked everything and tried 
to iron out some nuggets.  ;)  If you could compare it to driving a 
car, the last few hours was a much smoother ride, with less thinking 
going on.

But, everyone does make mistakes occasionally, so that kind of stuff 
will somewhat cost you.

I think some of the older CCIEs I worked with were probably not as 
fast in typing or were able to optimize as well in their thought 
processes.  :(  Why do I get a feeling I should throw you into the 
middle CCIE list (which I consider to be the better chunk to be 
honest!).  :)  In all seriousness though, I suppose the individual 
skillset and mindset matters a lot.  Bad people were able to squeak 
by in both 2 day and 1 day exams.

(Yes, I have met quite a few CCIEs which had me scratching my head... 
you are a CCIE?)  This is not to insult a lot of the lower number 
CCIEs.  Just that a VERY large percentage of them have taken up more 
managerial jobs, and have not kept up at all with the latest 
technologies.  Their learning / thought processes seem so slow; it is 
so hard for them to adopt new things since they are used to 
managerial work now.  Some of them were saying how hard deploying 
IPSEC VPNs is (I think they are very easy) ... and what is GRE?  
(come on!  this was in their 2 day lab I am sure, no?)

Basically anyone who has taken the time to even contribute to this 
list, I put on the good list.  A lot of the other CCIEs I know of 
insist it's a waste of time.  With that kind of mindset, you can see 
that they aren't interested in learning all there is to know (even to 
a fair degree) just enough to get by and win the bids with their 
lower numbers.

 What seems to kill people is that they don't read the questions carefully
 or they simply don't know the material and then they consequently make
 mistakes, and then in their haste, they start working too fast thereby
 making more mistakes, etc.  But again, if you know the material and you're
 careful about reading the questions, the test is really quite
 straightforward.

Well, take it from me, the Security track was not 100% 
straightforward: the lab itself had BUGS I had to report to the 
proctor, which he vehemently denied (but I proved it to him later on; 
without that, I would have failed), and some parts were vague and 
contradictory.  I guess the Security one had less polish but was 
definitely doable.

However, for the most part, yes, it was pretty straightforward, bugs 
and kinks aside.

The layered effect, while necessary was pretty brutal.  Fail or do 
not understand something earlier, you will fail the entire exam, even 
if you know the other 90% of it.  I suppose though it is a reasonable 
request/requirement to acquire the daunting certification.  :)

 But not realistic.  Let's face it - as a network engineer, how many times
 are you really building networks from scratch vs. how many times are you
 troubleshooting already-built networks?  The fact is, building networks
 from scratch is really only a minor part of the overall job, most of the
 time you are maintaining built networks.  A far more useful test would be
 one that was PURE troubleshooting.  For example, you get the whole morning
 to familiarize yourself with the network, and in the afternoon, all kinds
 of funky problems get injected into your network.  One serious problem with
 the present format is that you end up with guys who are really

Re: ISDN CCIE [7:70944]

2003-06-20 Thread Carroll Kong
Not sure, but I hope for a little while longer.  DSL, ISDN's new 
and improved cousin, may be superior in quite a few ways, 
but sometimes you have NO other choice but to use ISDN to access some 
far off places.

Maybe this is changing soon and they will phase it out, but ISDN 
still seems fairly important, for say PRI deployments.  Cannot think 
off the top of my head why a PRI would be better than a T1...  but 
some clients I know still have them.

Not sure if ISDN falls off to the old technology that should never 
be deployed nowadays (at least BRIs, nevermind multichassis/multippp 
bonding for now).  Seems like it still has applicability as not 
everywhere is that close to a CO, so I would keep up on learning 
about it.

 Hi,
 
 I was wondering how long ISDN will be part of the CCIE
 exam.
 
 regards,
 rooban
 
 =
 cheers,
 rooban
 




-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=71000t=70944


RE: number of CCIE [7:70151]

2003-06-17 Thread Carroll Kong
 Those three have pretty much echoed my themes.  Hansang, in fact, has
 admitted that he accelerated his ccie studies so that he would take (and
 pass) the 2-day exam because he didn't want to run the risk of being known
 as an asterisk-ccie (meaning the one-day ccie).

I know someone who took both the two day and one day.  He felt the 
one day was harder.  He might have been an exception, I do not know 
any other two dayers who took a one day.  He was RS first, then he 
just got a Security one to get the double.  Of all the CCIEs I do 
know, none of them ever wanted to really take it again (except one 
other CCIE I know... he wants to see if he still got the touch!)

While I agree to some degree about how the old style might have 
been harder to some degree, I feel it is more of a preference.  I 
think depending on the kind of problem solver you are, one will 
appear easier than the other and vice versa.

I only took the one day, and all I have to say is it is a real speed 
torture exam.  One slip up, and it's pretty much over.  You have a 
SLIGHT margin of the error and that is only if you are very fast, 
both in the mind and on the keyboard.  This is not to say if you are 
slower you are necessarily any less qualified, just, some people do 
not type as fast or take longer to formulate a very solid plan 
anyway.  Those people suffer greatly from this new format.

This is also probably why I got some seriously mixed reviews from 
different CCIEs in terms of the difficulty of the exams (be it one 
day or two day).

For the record, the one day exam was more suited to my style than the 
two day sounded like.  Oh well, I will never have a direct comparison 
now.

The same was said about the two day as well in terms of speed but 
with some ancillary tricks such as the physical element, etc.  I 
suppose that is good to know, but hey, nothing 5 minutes couldn't 
figure out on a web page.

The troubleshooting element was definitely a sorely missed element 
from the two day lab, but trust me, with the one day there is a dynamic 
troubleshooting element built in.  It is VERY easy to break your 
working network while you perform the exam.

Unfortunately, because it is more speed driven and because the 
content, while jam packed, is probably 'less', it also means it might 
be more prone to some form of bootcamp brain dumpage.  But this is 
not really conclusive. It might just be that, the CCIE is becoming 
more popular and people have recently tapped into this market.  The 
drop in Cisco gear pricing on the used market probably had a LOT to 
do with bringing down this barrier to entry.

Regrettably, it is difficult to say whether or not it is the slippery 
slope we are going up if we really believe a one day exam is 
instantly easier than a two day and that is the reason why there are 
more CCIEs per month, or if it is because the failure rate is the 
same, and the expected value of passing CCIEs goes up due to the 
higher volume of candidates per month.

Whether or not it is easy or not, I cannot say.  I encourage any 
CCIEs of the two day to take a one day and see how it is.  I only 
know of one who did it, and he felt it was worse than the two day 
lab.  But, like I said, different types of people, different types of 
problem solvers.  Might be easier for some.

One thing is true though.  By law of numbers, even if the percentage 
rate of failure IS the same, since the NET number of CCIES passing is 
higher, by supply and demand the value of the CCIE is dropping.  
(someone else mentioned this as well).

If the percentage of failure is even lower... then the value just 
drops exponentially.  :)

As for having a lower CCIE number, I do not care, I do not know.  
Most of the really older CCIE numbers I know tend to be mediocre with 
the new technology and are sick of knob turning anyway  (although 
some are still very good).  The medium numbers seem to be the best.  
;)  The ones on the highest numbers end seem to be a mixed bag.

And while someone said the higher number ones have less 
experience that should not be true in theory since the CCIE was 
designed for people who already worked in the networking field for 
years.

However, I will agree in practice, that does seem to happen often 
(higher numbers, less experience).

I think as with all things in life, take the individual on a case to 
case basis.  You are going to find good and bad apples in every 
basket.  The CCIE is still a very good certification, I do not think 
anyone is denying that.  But I do not think it is clear if it is 
blatantly easier now.

-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70806t=70151


Re: Prolonged Batchlers Vs. CCNP ? [7:69483]

2003-06-03 Thread Carroll Kong
 This sort of thinking is why I've decided to skip the CCNP and just work on
 the CCIE.  As long as Cisco keeps it insanely difficult with the lab exam
 being the majority of the work required it will be valuable.
 
 -- 
John A. Kilpatrick

Go for it!  Skip the CCNP and aim for the CCIE  (or heck, skip the 
CCNA too).  It is a bit hard, but come on, this stuff is not rocket 
science.  Practice, practice, and if you are a fast learner, decent 
typer, fast thinker, you can do it.

But, do learn Cisco's methodologies for troubleshooting and 
Ciscoisms.  Also, learn the basic layout of how the documentation is. 
 Think fast, and implement fast and you got it.  ;)

Of course much easier said than done.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70008t=69483


Re: eBGP Multi-hop [7:65823]

2003-03-20 Thread Carroll Kong
I guess I am kind of just going to take a quick stab.  Do you have no 
synchronization under the BGP configuration?

 hello all, 
 
 (Re-post...not sure if original msg made it or not)
 
 playing around again and have a question. eBGP multi-hop cannot come up if
 the peer is known through a default route.
 Is there a reason why? 
 I mean, what is the point of a static route that causes a recursive lookup
 or a static route that simply points to the same next hop as a default
 route?
 For that matter, I can't see it being a matter of proximity either. If
 convergence time were not an issue, what is really wrong with having a 10
 hop or even 50 hop BGP session? (I know it is unlikely and there are
 certainly better ways to handle it (GRE or IPSec tunnel)) but for the sake
 of argument...
 
 Just curious, not able to find much on WHY it is like this... 
 
 thanks, 
 Jim 
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65835t=65823


RE: CCNP Recommendations [7:65514]

2003-03-19 Thread Carroll Kong
Well, if you really want to learn more or understand what you are 
doing, you do not need any certification for that.  Just some solid 
reading, good comprehension skills, and a good tutor/mentor resource 
to fall back on to validate your learning.  For this goal, you do not 
need a CCIE nor an MIS degree.  So seeing that you have two 
divergent goals, I will tell you what to do for the CCIE goal.

However, for basic CCIE training, some pretty good books, albeit, a 
bit dated if you want lab workbooks are Caslow's book, routing TCP/IP 
Volume 1 by Doyle, and Internet Routing Architectures by Halabi.  You 
will need a touch more for the written.  Refer to cisco.com and look 
up every nook and cranny on the required to know list if you want 
to play it safe.  They added quite a bit now.

Perusing www.cisco.com is a good start too, as you can learn a lot of 
Ciscoisms that way.  It might be hard to navigate at first, but it is 
worth it in the long run, not only for the exam, but to be a valuable 
resource for Cisco technical knowledge.

Definitely try to master www.cisco.com/univercd/.  While a lot of 
people claim if you use the ciscocd resource, you will fail, I felt 
either they were very slow at finding information or were just really 
into the rote memorization scheme.  Knowing where most of the 
information is easy once you understand how Cisco categorizes most of 
the information.  Of course, this is only pertinent after you pass 
the written.

I do not see how getting a degree in MIS will help you.  I mean, it 
almost seems like you are going backwards.  I am going to assume you 
have some kind of degree now.  If not, perhaps it is remotely worth 
it, but seeing that you have four years of experience, getting a 
degree now might have diminishing returns compared to just saving 
that money for anything else.

Of course, getting jobs and what not depends on the quality of the 
lead so to speak.  (word of mouth, vs interview, vs headhunter, 
etc)  And, for you to qualify for some of the lower quality leads 
you will need silly things like a BS since some companies have no 
exceptions.

The CCIE is a pretty powerful certification, most people who are 
looking for this, will ignore the lack of a BS/BA degree anyway.

Good luck in your journeys!

 I have four years of networking experience. I have gone thru the entry
 level jobs and made it. I want to continue to learn more about the
 networking field. I am not interested in getting paper certs. I want to
 understand what I am doing. My goal is to go for the CCIE and a degree in
 MIS. I appreciate your advice and welcome any further advice that you can
 give me on the subject.
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65751t=65514


Re: ACS Database Repl Problem [7:63988]

2003-02-27 Thread Carroll Kong
Try the counter intuitive.  There is another list there somewhere, I 
do not have ACS 3.0 up on here right now but we DID see this before 
and spent many hours on it, just like you.  :(

My colleagues ran into this, and it was just because the prompts 
seemed counter intuitive on who is a replication partner or not.  
Try inverting them.  I would do a personal backup first though before 
you try it.

Unfortunately this was a few months ago, and I did not work on it 
directly to tell you the precise prompt.  However, try inverting them 
or looking for another subtle list of allowable servers.  Or there 
was another odd list to denote who is allowed to replicate or not.  
It was very counter intuitive to my colleagues.  I think we resolved 
this before TAC could, but if you could get them on the phone, ask 
them specifically which area you should be looking at.

Let me see if I can get it loaded up, but there is one more odd list 
or something counter intuitive (it was definitely a list of 'adding' 
'removing' different servers).

 I'm running two CiscoSecure ACS 3.0 servers on W2K and trying to replicate
 the database from one to the other.
 They can both see each other and are set up as replication partners.  
 One is set to send all components and one to receive all components.  They
 both have the other server listed under Accept replication from.
 
 Both are set for Manual replication, but when I click on Replicate Now,
 the screen refreshes immediately and the following message is logged in
 Reports and Activity under Database Replication:
 02/27/2003 10:27:12 INFO Outbound replication cycle completed 
 02/27/2003 10:27:12 ERROR ACS '' has denied replication request 
 02/27/2003 10:27:08 INFO Outbound replication cycle starting... 
 The other server logs the following info:
 02/27/2003 10:28:50 ERROR Inbound database replication from ACS '' denied 
 
 (Server names removed to protect the guilty.)
 
 It doesn't matter which server I try to kick off replication from.  The
 other one always seems to deny it.  I did a search on cisco.com for this,
 but got nothing.
 If anyone can give me some guidance here or something to check, I'd
 appreciate it.
 
 thanks,
 Aaron
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64006t=63988


RE: ISS Real Secure Vs Cisco IDS [7:63461]-Automated IDS [7:63557]

2003-02-22 Thread Carroll Kong
I cut out some of the other messages to concentrate on one issue, 
automated IDS responses.  If your automated IDS responses result in an 
automated packet filter of any sort, I think you are doing yourself 
a disservice.  You might stop some kiddies, but you are just leaving 
yourself wide open to professionals who can DoS you very easily.

It would help if everyone just started filtering at the edge to 
prevent spoofing, but alas, that is not the reality of today's 
networks.

It should be trivial for the attacker to DoS your systems beyond 
compare.  For example, what if he spoofs a trusted host?  Now your 
trusted host cannot have access anymore.  Ok, so what if you have 
exceptions for the trusted host?  Now he has a host worth spoofing 
for, DoS trusted host, assume trusted host's identity.  Easier said 
than done and you can mitigate the risk with stuff like mac address 
port locking, anti-spoofing acls, but just to give you some ideas 
that automated IDS responses can be particularly dangerous.

Not even factoring the possibility you can lose accessibility to many 
systems, but most firewall products have some pitiful limitations 
(one can easily blow out any stateful firewall), and you can be 
assured your acls will grow to be so big your firewall just might 
keel over.  I hope you got default-closed systems.  ;)  But I suppose 
it won't matter at that point, your network will be down, or your IDS 
might be filled with so much garbage that you might not see the 
real attack come through for your forensics team to discover which 
hosts have been compromised.

 Come on now, the slammer worm? If you are security conscious this
 shouldn't have had any effect on you. Microsoft released a patch last
 summer.  Security is a best effort solution. It is about layers and
 maintenance. You cannot eliminate risk, you can only reduce risk.
 
 An IDS's responsibility is to pick up attacks on the wire, not prevent
 them. I personally don't believe in allowing my IDS to respond to an
 attack.
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Albert Lu
 Sent: Friday, February 21, 2003 9:19 AM
 To: [EMAIL PROTECTED]
 Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
 
 Hi Troy,
 
 Must be some secure site, reason I was interested is that I had a
 discussion with someone else before in regards to multi-vendor IDS
 solutions and how effective they might be.
 
 So if you mostly rely on manual action, and an attack came in after
 hours, how quickly can you respond to your alerts? Since for some attacks,
 a half hour response time could cause your site to be down (eg. slammer
 virus).  If that was the case, even if you had all the vendors' IDS, it
 will be useless.
 
 Albert
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 21, 2003 10:57 PM
 To: [EMAIL PROTECTED]
 Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
 
 
 As with most things, you need to weigh up costs against your requirements.
 In our case, security is absolutely essential, so having multivendor
 security solutions (and indeed fully redundant) is costly, but we see it
 as justified.
 
 With regards to action during attacks etc.  We mostly rely on manual
 actions as we don't want to inadvertently block legitimate traffic (for
 example if an attack came from a spoofed IP). For automatic action, you
 can make use of Cisco Policy Manager, which has the ability to dynamically
 rewrite ACLs on Pix's, Routers, and indeed Cat's, according to data from
 IDS.  So for example, if you were really paranoid (like we are), you could
 have Pix's as the first firewall, with IDS on the inside / dmz etc (using
 IDSM or standalone IDS), tie these together with Policy Manager .. then
 taking a further step into your network, a set of Nokia Fw1 NG, along with
 further Nokia IDS solutions on the inside, and tied together using the
 enterprise software!
 
 
 



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=63557t=63557
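The self-inflicted DoS that the reply above warns about can be shown in a few lines. The following simulation is an added example, not code from the thread or from any IDS product: it feeds one constructed alert stream through a naive "block whatever address the alert names" policy and through a guarded policy that refuses to act on evidence a blind spoofer could forge (alerts from flows that never completed a TCP handshake), never auto-blocks addresses on a protected list, and bounds the block table with eviction and expiry. All addresses, signature names and alerts are constructed sample data.

```python
"""Automated IDS blocking: the spoofing / self-DoS risk and basic safeguards.

Added illustration, not code from the list thread or from any IDS product.
Addresses, signature names and the alert stream are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Alert:
    src: str            # source address as reported by the sensor
    sig: str            # signature that fired (constructed names)
    established: bool   # flow completed a TCP handshake (cannot be blindly spoofed)
    ts: float           # sensor timestamp in seconds


@dataclass
class BlockTable:
    """Dynamic block list with a size cap and per-entry expiry."""
    max_entries: int
    ttl: float
    entries: dict = field(default_factory=dict)  # src -> expiry time

    def expire(self, now: float) -> None:
        for src in [s for s, exp in self.entries.items() if exp <= now]:
            del self.entries[src]

    def add(self, src: str, now: float) -> None:
        self.expire(now)
        if src not in self.entries and len(self.entries) >= self.max_entries:
            # evict the entry closest to expiry instead of growing without bound
            del self.entries[min(self.entries, key=self.entries.get)]
        self.entries[src] = now + self.ttl

    def is_blocked(self, src: str, now: float) -> bool:
        self.expire(now)
        return src in self.entries


def naive_policy(alert: Alert, table: BlockTable, never_block) -> bool:
    """Block whatever the alert names: a spoofed alert blocks a victim of the sender's choosing."""
    table.add(alert.src, alert.ts)
    return True


def guarded_policy(alert: Alert, table: BlockTable, never_block) -> bool:
    """Block only on hard-to-forge evidence, and never an address on the protected list."""
    addr = ipaddress.ip_address(alert.src)
    if any(addr in net for net in never_block):
        return False     # trusted hosts and infrastructure: page a human instead
    if not alert.established:
        return False     # UDP / SYN-only signatures carry whatever source the sender chose
    table.add(alert.src, alert.ts)
    return True


# Constructed alert stream: one genuine attacker seen over an established
# session, then stateless alerts whose source field names the site's own
# DNS server and default gateway, then another stateless scan alert.
SAMPLE_ALERTS = [
    Alert("198.51.100.7", "WEB-ATTACKS /etc/passwd access", established=True, ts=0.0),
    Alert("10.0.0.53", "MS-SQL worm propagation attempt", established=False, ts=1.0),
    Alert("10.0.0.1", "ICMP flood", established=False, ts=2.0),
    Alert("203.0.113.9", "SCAN SYN FIN", established=False, ts=3.0),
]

# Site infrastructure that must never be shunned automatically (constructed).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/24")]


def simulate(policy, alerts=SAMPLE_ALERTS, max_entries=3, ttl=600.0) -> dict:
    """Run the alerts through a policy; report which sources are blocked at the end."""
    table = BlockTable(max_entries=max_entries, ttl=ttl)
    for a in alerts:
        policy(a, table, NEVER_BLOCK)
    now = alerts[-1].ts
    return {a.src: table.is_blocked(a.src, now) for a in alerts}


if __name__ == "__main__":
    print("naive  :", simulate(naive_policy))
    print("guarded:", simulate(guarded_policy))
```

With the naive policy the two infrastructure addresses end up blocked and, because the table is capped, the one genuine attacker is evicted to make room for the forged entries; the guarded policy blocks only the attacker. The cap and TTL are there so the ACL cannot grow until the firewall keels over, which is the second failure the reply describes.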


OT Re: Snort versus Cisco IDS [7:62939]

2003-02-13 Thread Carroll Kong
Backing up what Craig said, Snort is probably better performing in 
terms of cost/performance than almost all the IDSes out there, 
including Cisco.  It does not have an end-to-end solution to make 
one's life easier though, at least not out of the box.

Of course, you will need some sort of a unix background to set it up, 
and I do not mean installing Solaris with GUI tools.  Pretty easy to 
anyone who has worked with a FreeBSD or a Linux box (without using 
GUI all over the place and/or rpms everywhere).  The idea of no GUI 
is probably quite daunting to enterprise level engineers.  

You COULD make it have a lot of the enterprise level features, but 
it requires a lot of work on your part, and of course no commercial 
support, so you are on your own.  (So, add this to your end cost...)

If you want a GUI frontend to snort, you can try Demarc, or what they 
call themselves PureSecure now.  There are also some freeware 
analyzers, but Demarc/PureSecure is definitely one of the nicest 
ones.  Albeit, it had some bugs; fortunately since they give you 
their cgis, if you know some perl, you can patch it yourself before 
they get around to it.  (unless they changed this behavior, the last 
I used was 1.05).

Puresecure DOES charge for commercial usage, which I suppose puts a 
damper on it.  Their licensing is a bit ridiculous.  However, the 
pricing should still be very competitive.

It's a mixed bag, but if you know your Unix, seems like Snort is a 
much cheaper (if you know Unix and programming very well, the 
disadvantages aren't that big) IDS solution.

If you don't, oh well, like all things in life, pay the price for 
one's ignorance.  :)

 Someone told me in an authoritative voice today that Cisco doesn't
 recommend their IDS. They recommend Snort. Is this really true? Isn't
 Cisco's IDS a big part of SAFE?
 
 Of course, the person who said this doesn't understand that Cisco is a
 huge, chaotic organism, and that saying Cisco does something based on
 what one person does, doesn't make sense.
 
 But I'm just curious, what do you all recommend for intrusion detection?
 How do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
 complicated, requiring appliances or IDS cards in a switch and a console:
 
 Cisco Secure IDS Director: HP OpenView Network Node Manager plug-in that
 runs on UNIX (Solaris and HP-UX)
 
 Cisco Secure Policy Manager (v2.2+): Windows NT-based package
 
 Thanks.
 
 Priscilla
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62966t=62939



RE: SUBNET CLASS Ranges [7:11618]

2003-01-09 Thread Carroll Kong
I have done VLSM calculations in my head ever since I learned them in 
college.  Unfortunately, some of the CCIEs I know of, do not.

I suppose that is still better than the most to nearly all of the 
network administrators I met who have been working in the field 
for years that cannot understand any level of subnetting (What's a 
slash /24, that's so complicated, I just call it the 255.255.255.0), 
let alone even fathom binary numbers.

 Just out of curiosity, how many CCIEs and people that have at least 
 had a shot at the lab can comfortably do VLSM calculations in their 
 heads?
 
 I think this is quite common among ISP operators, but I really 
 don't know about people in an enterprise orientation.
[EMAIL PROTECTED]



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60744t=11618
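As an added worked example (not part of the post or the quoted question), here is the arithmetic the exchange refers to, carried out with Python's standard library: prefix/mask conversion with a contiguity check, network, broadcast and usable-host count for a CIDR address, and a first-fit VLSM carve of a parent block into subnets of different sizes. The addresses and host counts are constructed sample input.

```python
"""VLSM helper: prefix math and allocation of variable-length subnets.

Added illustration, not code from the mailing-list post. Addresses and
host counts below are constructed sample input.
"""
import ipaddress
import math


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-decimal mask for a /n prefix, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def mask_to_prefix(mask: str) -> int:
    """Prefix length for a dotted mask; rejects non-contiguous masks like 255.255.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    ones = bin(m).count("1")
    if m != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ones


def describe(cidr: str) -> dict:
    """Network, broadcast, mask and usable-host count for an address in CIDR form."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    # /31 (RFC 3021 point-to-point) and /32 have no network/broadcast overhead
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
    }


def vlsm_allocate(block: str, demands: dict) -> dict:
    """Carve `block` into one subnet per entry of `demands` ({name: hosts_needed}).

    Largest demands are placed first so every subnet lands on its own natural
    boundary; leftover halves go back to the free list for smaller demands.
    Returns {name: CIDR}; raises ValueError when the block is too small.
    """
    free = [ipaddress.IPv4Network(block)]  # free blocks, kept sorted by address
    result = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        # usable hosts = 2**(32-p) - 2, so we need 2**(32-p) >= hosts + 2
        size_bits = max(2, math.ceil(math.log2(hosts + 2)))
        want_prefix = 32 - size_bits
        for i, blk in enumerate(free):          # first-fit search
            if blk.prefixlen <= want_prefix:
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {block}")
        while chosen.prefixlen < want_prefix:   # split down, return the upper halves
            first, second = chosen.subnets(prefixlen_diff=1)
            free.append(second)
            chosen = first
        result[name] = str(chosen)
        free.sort(key=lambda n: (int(n.network_address), n.prefixlen))
    return result


if __name__ == "__main__":
    print(describe("10.1.2.3/26"))
    plan = vlsm_allocate("192.168.1.0/24",
                         {"LAN_A": 100, "LAN_B": 50, "LAN_C": 20, "WAN1": 2, "WAN2": 2})
    for name, cidr in plan.items():
        print(f"{name:6} {cidr:20} {describe(cidr)['usable_hosts']} hosts")
```

The allocator sizes point-to-point links as /30 (two usable hosts) rather than /31, which keeps the arithmetic to the classic "minus two" rule; change the `max(2, ...)` floor if your gear supports /31 links.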



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-08 Thread Carroll Kong
 But on the other hand, there are indeed a significant number of CCIE's out
 there to which I would never trust a production network.  They're not
 'paper' because they did pass the lab, but they are basically lab-CCIE's
 because lab-work is the only thing they know.  The 'lab-CCIE' (or perhaps
 the more pejorative term of 'lab-rat') is someone who has zero or minimal
 experience in a production environment.  And let's not beat around the
 bush - a production network is totally different from a lab.
 

 One quick fix that I think Cisco should do for the program is something that
 the CISSP program does now - mandate X years of verifiable experience before
 you can attempt the lab.  Or, if that seems too harsh, then perhaps Cisco
 can institute another program that sits on top of the CCIE (call it the CCIM
 or whatever) and have that program be not only hard, but also use verifiable
 experience as a pre-req.

This is not a personal attack on nrf, I do agree with him that there 
are many holes in the test that do undermine its authority as the 
domineering certification exam.  However, I think we might be doing 
more harm than good.

There are too many router caressers out there who would fulfill one 
qualification to take the exam yet totally fail due to their lack of 
speed, problem solving, and cognitive capabilities.  Yet the 
qualified individuals with the skills I mentioned would be eliminated 
because they did not caress routers for a few years.

Besides, how can the manager, who typically has far less technical 
prowess, verify his employee has done his job to the finest 
of his ability?

Too many times I have heard someone say well, the way we did it in 
company XYZ is this way because that's the way we have been doing it 
for years.  (even if it's dead wrong, inefficient, and what not.)  I 
would be more frightened of the guy sitting in maintenance of a 
production network for years and he never knew WHY things were the 
way they were.  The manager might think he was doing a great job in 
keeping the network up because the employee never setup anything.  
In fact, typically in a production network you are greatly 
discouraged from setting up anything intrusive in anyway.  (oh no, 
moving to OSPF from RIP, can't do that now better save that for 48 
weekends!).  Of course there are exceptions to the rule.

Just, you can find people who have been doing aggressive setups with 
a fraction of the years of experience who can beat the crap out of 
anyone who has done the years of router caressing simply because 
they do not have to work on that wait until the weekend cut over 
time frame for every little change, instead they are working on quite 
a few turn ups for different clients every weekend and supporting 
them.

I am trying to gear more towards agreement with Howard's earlier 
statements in reference to not being so worried about the person who 
did not port 80 == HTTP but rather that there is a protocol over TCP 
etc etc.  Knowing the raw fundamentals down cold is a big plus and 
filtering out qualified individuals because they were not allowed to 
router caress for three years seems a bit unfounded.  When people 
say I know the theory about XYZ the common belief is that they do 
not know it that well.  My take on it is reversed, IF you know 
something, you can explain it cold, and IF you can explain the theory 
of something, you can teach it and explain it.  So most people who 
say Yeah I got the theory about FTP... NO, quit fooling yourself, 
you do not know it.

The CISSP's restriction has done little to stop their own flood of 
paper CISSPs.  In fact, the same story goes there, people have seen 
quite a few CISSPs who know very little about real world security.  
Ironically, they should be applying their knowledge to real world 
products but they typically fail since the kind of mentality of a 
person going for these certs is usually for the least amount of work 
for the most amount of money.

People still think the CCIE is a very difficult exam in its current 
form.

Both tests have cheaters who sneak through.  Maybe we should stop 
trying to fix the exam and increase awareness of what the exam 
guarantees in terms of deliverables.

Perhaps it is just time for people to reevaluate their needs and 
their requirements for new employees rather than trying to fix up the 
one Examination to rule them all.  Sorry Sauron.  

(this was not directed at you, nrf, just ... a little humor if you 
could catch the allusion.)



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60656t=59481



Re: CCIE Vs. BS or MS dergree [7:59481]

2002-12-31 Thread Carroll Kong
You are correct.  For most people, I think acquiring a PhD consumes 
more resources and time than becoming a CCIE.  Now, not to 
belittle the CCIE, it is still probably one of the hardest lab 
examinations in the IT field.  However, all in all, for most people, 
it seems like the PhD would be harder.  The issues on the CCIE, 
ultimately, are all in the router, all within Cisco's website.  There 
is no rocket science.  Such a finite set of material to study 
cannot possibly compare to the type of research of data for a PhD.  
While the thinking level during the exam can be complex, it does not 
compare to some of the things I ran into in college.  It is more 
speed oriented: have you tried all the combinations and do you 
know the common gotchas.

Sorry guys, I cut a bit out on everyone's responses to stay more 
focused.  While I do not have a PhD, just from reading it and seeing 
others go for it, and realizing how many YEARS it takes to get it, I 
agree, acquiring a PhD is probably much harder than acquiring the 
CCIE.  On average, a fairly bright guy can get the CCIE within a 
year.  If even more motivated, probably a few months (ignoring other 
priorities and issues).  Try that with a PhD.

 Much like John mentions, comparing the two is like comparing apples
 and oranges.  The material covered in each area is very different.  A
 PhD is much more theory oriented and there's a lot more of the "why"
 types of thinking.

 I don't have a CCIE, so can't say for sure, but here's my take on doing
 the exams up to and including the CCIE written.  Everyone gets the list
 of books to read, and if you know the information in these references,
 you'll pass the tests.  Note that with commercial study guides, practice
 labs, practice tests, and courses geared specifically to pass these
 tests, there's plenty of external help available to help make it through
 the CCIE written.  As far as I know, as long as you're willing to pay,
 you can take the tests over and over again until you pass.  This aspect
 is not true when working on a PhD.

 John Neiberger wrote:
  
  MS- or PhD-level coursework is more difficult than what you'll run into
  studying for the CCIE, but they don't really cover the same subject
  matter so it's really apples and oranges.
  So, my opinion?  You're comparing apples to oranges, but an MS or PhD
  is tougher than CCIE if you're going to a reputable school.
  
  Regards,
  John
  
   Black Jack  12/18/02 12:05:01 PM 
   I suppose a CCIE is sort of a Ph.D. of networking.  Studying for and
   taking the written is the equivalent of coursework, then doing hands-on
   to prepare for the lab is like research for your dissertation, then the
   lab test represents the oral exam.  But I wouldn't stretch the analogy
   too far.  For one thing, the quality and difficulty of computer science
   graduate schools varies greatly.  Just getting into one of the top
   programs is probably harder than CCIE.  And for another, the two
   programs don't really test the same skills, do they?  (Though they
   surely overlap)
   
   Mic shoeps wrote:
   
    Hello
   
    I've been arguing with a colleague of mine which one would be
    tougher to achieve.  I told him that it would be much
    harder to have a computer science or a networking degree (you
    have to take the GRE and complete 2 or 3 years of schoolwork)
    than a CCIE, but my colleague thinks otherwise.  He literally
    believes that having a CCIE is equivalent to having a Ph.D. in
    Networking.  I'd like to hear your thoughts.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60021t=59481



RE: OT - Possible Attack???? [7:59813]

2002-12-28 Thread Carroll Kong
   Protocol    Total  Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
               Flows  /Sec   /Flow    /Pkt   /Sec     /Flow        /Flow
   TCP-Telnet     41  0.05040  0.0           31.3    14.4
   TCP-FTP        87  0.0 765  0.0           17.0    12.1
   TCP-FTPD       27  0.0   135   211  0.0   83.0     3.5
   TCP-WWW     43121  0.3 8   335  2.8        3.6     2.7
   TCP-SMTP     1137  0.0 6   173  0.0        9.8     9.7
   TCP-BGP         1  0.0   67368  0.0     1796.8     3.6
   TCP-Frag        2  0.0 140  0.0            0.0    15.5
   TCP-other   33285  0.214   246  3.7       24.0    10.3
   UDP-DNS      6005  0.0 173  0.0            1.3    15.4
   UDP-NTP        10  0.0 176  0.0            0.0    15.4
   UDP-other   13772  0.1 678  0.7            1.2    15.5
   ICMP         2904  0.0 372  0.0           19.1    15.4
   IP-other    20559  0.1   14820 24.5        6.8    15.4
   Total:     120951  0.93376 32.2            9.9     9.4
  
  
   .
   .
   .
   SrcIf SrcIPaddressDstIf DstIPaddressPr
   SrcP DstP
   Pkts
   Fa0/1 127.0.0.124 Se1/2.500 108.122.0.0 00
    
   285
   Fa0/1 127.0.0.125 Se1/2.500 108.122.0.0 00
    
   38
   Fa0/1 127.0.0.122 Se1/2.500 108.122.0.0 00
    
   35
   Fa0/1 127.0.0.123 Se1/2.500 108.122.0.0 00
    
   296
   Fa0/1 127.0.0.120 Se1/2.500 108.122.0.0 00
    
   33
   Fa0/1 127.0.0.121 Se1/2.500 108.122.0.0 00
    
   36
   Fa0/1 127.0.0.118 Se1/2.500 108.122.0.0 00
    
   52
   Fa0/1 127.0.0.116 Se1/2.500 108.122.0.0 00
    
   189
   Fa0/1 127.0.0.117 Se1/2.500 108.122.0.0 00
    
   277
   Fa0/1 127.0.0.114 Se1/2.500 108.122.0.0 00
    
   32
   Fa0/1 127.0.0.115 Se1/2.500 108.122.0.0 00
    
   215
   Fa0/1 127.0.0.112 Se1/2.500 108.122.0.0 00
    
   177
   Fa0/1 127.0.0.113 Se1/2.500 108.122.0.0 00
    
   80
   Fa0/1 127.0.0.110 Se1/2.500 108.122.0.0 00
    
   234
   Fa0/1 127.0.0.111 Se1/2.500 108.122.0.0 00
    
   279
   Fa0/1 127.0.0.108 Se1/2.500 108.122.0.0 00
    
   171
   Fa0/1 127.0.0.109 Se1/2.500 108.122.0.0 00
    
   139
   Fa0/1 127.0.0.106 Se1/2.500 108.122.0.0 00
    
   151
   Fa0/1 127.0.0.107 Se1/2.500 108.122.0.0 00
    
   57
   Fa0/1 127.0.0.104 Se1/2.500 108.122.0.0 00
    
   67
   Fa0/1 127.0.0.105 Se1/2.500 108.122.0.0 00
    
   34
   Fa0/1 127.0.0.102 Se1/2.500 108.122.0.0 00
    
   272
   Fa0/1 127.0.0.103 Se1/2.500 108.122.0.0 00
    
   144
   Fa0/1 127.0.0.100 Se1/2.500 108.122.0.0 00
    
   88
   .
   .
   .
   .
  
  
   The list goes on and on showing 127.x.x.x.  If you notice, the
   incoming interface is my Fast Ethernet interface but the incoming
   source address is a 127.x.x.x.  It is going out my WAN link (the same
   one that has been peaking to ~20MB) destined to a bogus network.  The
   protocol is bogus as well.


   I enabled an access-list to block this 127.x.x.x address inbound from
   my FE interface and that seems to have taken care of the spikes, but
   the problem is still present.  Anyone have any ideas what this could
   be?
  
  
  
  
   Thanks,
  
   Mario Puras
   SoluNet Technical Support
   Mailto: [EMAIL PROTECTED]
   Direct: (321) 309-1410
   888.449.5766 (USA) / 888.SOLUNET (Canada)



-Carroll Kong
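A defender's check for the symptom Mario describes, added here as an example that is not part of the original thread: it parses records in the SrcIf/SrcIPaddress/DstIf/DstIPaddress/Pr/SrcP/DstP/Pkts layout of the quoted flow cache and flags flows whose source could not legitimately arrive on a LAN interface (127.0.0.0/8 and similar) or whose IP protocol is 0. The sample records are constructed, and the bogon list and function names are my own.

```python
"""Flag spoofed-source flows in 'show ip cache flow' style records.

Added example, not code from the original thread. The record layout
follows the output quoted in the post; the sample values are constructed.
Ports and protocol are hexadecimal in this output, as on the router.
"""
import ipaddress
from dataclasses import dataclass

# Source ranges that must never appear on a packet arriving from a LAN
# segment. A match means spoofing or a badly broken stack, not routing.
BOGON_SOURCES = [
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("127.0.0.0/8"),     # loopback, the case in the post
    ipaddress.ip_network("224.0.0.0/4"),     # multicast is never a source
    ipaddress.ip_network("240.0.0.0/4"),     # reserved / limited broadcast
]


@dataclass
class FlowRecord:
    src_if: str
    src_ip: ipaddress.IPv4Address
    dst_if: str
    dst_ip: ipaddress.IPv4Address
    proto: int       # IP protocol number (hex in the router output)
    src_port: int    # hex in the router output
    dst_port: int
    pkts: int


def parse_flow_line(line):
    """Parse one record line; return None for the header, blanks and dots."""
    fields = line.split()
    if len(fields) != 8 or fields[0] == "SrcIf":
        return None
    try:
        return FlowRecord(
            src_if=fields[0],
            src_ip=ipaddress.IPv4Address(fields[1]),
            dst_if=fields[2],
            dst_ip=ipaddress.IPv4Address(fields[3]),
            proto=int(fields[4], 16),
            src_port=int(fields[5], 16),
            dst_port=int(fields[6], 16),
            pkts=int(fields[7]),
        )
    except ValueError:
        return None


def is_bogon_source(addr):
    return any(addr in net for net in BOGON_SOURCES)


def suspicious_flows(lines):
    """Return (record, reasons) for every flow that should not exist."""
    findings = []
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None:
            continue
        reasons = []
        if is_bogon_source(rec.src_ip):
            reasons.append(f"bogon source {rec.src_ip}")
        if rec.proto == 0:
            reasons.append("IP protocol 0")
        if reasons:
            findings.append((rec, reasons))
    return findings


def spoofed_packet_total(lines):
    """Packets an ingress ACL denying the bogon sources would have dropped."""
    return sum(rec.pkts for rec, _ in suspicious_flows(lines)
               if is_bogon_source(rec.src_ip))


# Constructed sample in the quoted layout; 192.0.2.x / 198.51.100.x /
# 203.0.113.x are documentation addresses standing in for real hosts.
SAMPLE_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         127.0.0.124     Se1/2.500     108.122.0.0     00 0000 0000   285
Fa0/1         127.0.0.125     Se1/2.500     108.122.0.0     00 0000 0000    38
Fa0/1         192.0.2.17      Se1/2.500     198.51.100.5    06 0C3A 0050    12
Fa0/1         192.0.2.18      Se1/2.500     198.51.100.9    11 8A1B 0035     2
Fa0/1         0.0.0.0         Se1/2.500     203.0.113.7     06 0400 0016     1
""".splitlines()

if __name__ == "__main__":
    for rec, reasons in suspicious_flows(SAMPLE_CACHE):
        print(f"{rec.src_if} {rec.src_ip} -> {rec.dst_ip} "
              f"pkts={rec.pkts}: {', '.join(reasons)}")
    print("packets with bogon sources:", spoofed_packet_total(SAMPLE_CACHE))
```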




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59927t=59813



Re: hate cisco's new site? [7:56236]

2002-10-25 Thread Carroll Kong
Well, a few workarounds.  You can just go straight to the documentation CD

(right now the site seems down for me, ugh, so I cannot verify 100%, the
links are pretty close, and if you navigate hard enough it really just links
back to the universal CD anyway)

http://www.cisco.com/univercd/

OR just go to the bottom right and click on "GO TO THE OLD SITE".  And
presto, you get your old site back.  Ironically it usually takes a very long
time to load the old site.

As for general navigation, if you guys want to find docs, I think it was
under support, hardware (for stuff like the PIX) and software for IOS, then
you can drill down and one of them eventually brings you back to the
universal CD.  ;)

While I hate it too, come on guys, we are powerful Cisco Study
candidates, we should be able to solve anything that comes up quickly!  If
we can crunch Cisco problems we can navigate this new nasty site as
well!  :)

 I used to bitch about the old one and am now totally screwed... I guess
 I'll learn to like it ;-(
 
 Tim
 
 sam sneed  wrote in message
 news:200210241956.TAA01985@groupstudy.com...
  Am I the only one that hates Cisco's new site? I can't find anything that
  I'm looking for on there. It's driving me up the wall.
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56282t=56236



Re: Firewall [7:55547]

2002-10-14 Thread Carroll Kong

You have not mentioned any issues though.  So I will guess you are somehow
unhappy with the default Pix behavior.  Did you want to deny all icmp
requests?  After a certain rev of Pix code, icmp allows are on by default.

icmp deny any outside
icmp deny any inside

Once you place these rules, it will have a 'default deny' afterwards, so if
you do

icmp permit host 1.2.3.4 inside

then... all hosts on the inside except for 1.2.3.4 can ping it.

As for allowing people to ping through the pix, not sure if a static or
anything like that would work (along with an acl).  Doesn't seem to make
much sense to allow an outsider to ping the inside of a pix anyway.

Typically, the theory behind the pix (at least in its latest incarnation)
is that acls generally only apply to traffic traversing THROUGH the pix, not
terminating at the pix or any of its interfaces.

For that, you need to find the magic fudge command, and in this case, the
icmp commands are the fudge that determine if icmp will be permitted on
the pix's inside or outside addresses.

This is all well documented under this URL, assuming code rev 6.2 (you can
just go up a tree to find the other revs)

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/bafwcfg.htm

 I have a PIX 525.  I am trying to bring it up on my network.  It is installed
 virtually between my router and my ISP's router.  While testing, I noticed
 that from an inside host, I could ping my inside interface on the PIX, but
 not the outside interface.  From the ISP, they could ping my outside
 interface but not my inside interface.  From the PIX I can ping my outside
 interface and beyond.
 Any suggestions?
  
 Naomi James
 Computer Services and Information Technology
 Savannah State University
 912-356-2509


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6t=55547



Re: OSPF area 0 [7:45995]

2002-06-07 Thread Carroll Kong

If I remember correctly, yes, Area 0 routers must always have a way to
connect to each other.  It does not have to be a full mesh (if that is what
you mean by contiguous).  Three routers in a mesh would be fine if one
link broke.

Now, if an area 0 router loses all connectivity to the other Area 0s (in
your case, isolate one point of the triangle by losing TWO links), then your
network gets borked.  You will need a virtual link (if at all possible), or...
well... your network is broken?  :)

 Hi group,
 
 Is there any condition that OSPF area 0 must be contiguous?
 
 I remember reading this somewhere on CCO.  Is this true?  For a
 situation with three OSPF routers connected in a triangle shape, what if
 one of the links goes down?
 
 Anyone experienced with this situation, please show me some documents
 related to this.
 
 Thanks in advance,
 
 J.
 



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46010t=45995



Re: static route for port 21-theory rules. [7:45682]

2002-06-03 Thread Carroll Kong
   e) opens another data connection.  (In Active mode, these data
   connections come from the server's port 20.)

   Now, if you're using Passive mode, the client opens the data
   connection, from an ephemeral port to an ephemeral port on the
   server.  Here are the steps:

   1. The client sends a TCP SYN to the well-known FTP control port
   (port 21) on the server.  The client uses an ephemeral port as the
   source port.
   2. The server sends the client a SYN ACK from port 21 to the
   ephemeral port on the client.
   3. The client sends an ACK.  The client uses this connection to send
   FTP commands and the server uses the connection to send FTP replies.
   4. When the user requests a directory listing or initiates the
   sending or receiving of a file, the client software sends a PASV
   command to the server indicating the desire to enter passive mode.
   5. The server replies.  The reply includes the IP address of the
   server and an ephemeral port number that the client should use when
   opening the connection for data transfer.
   6. The client sends a SYN from a client-selected ephemeral port to
   the server's ephemeral port number, which was provided to the client
   in the reply to the client's PASV command.
   7. The server sends a SYN ACK from its ephemeral port to the
   client's ephemeral port.
   8. The client sends an ACK.
   9. The host that is sending data uses this new connection to send
   the data in TCP segments, which the other host ACKs.  (With some
   commands, such as STOR, the client sends data.  With other commands,
   such as RETR, the server sends data.)
   10. After the data transfer is complete, the host sending data closes
   the data connection with a FIN, which the other host ACKs.  The other
   host also sends its own FIN, which the sending host ACKs.
   11. The client can send more commands on the control session, which
   may cause additional data connections to be opened and then closed.
   At some point, when the user is finished, the client closes the
   control connection with a FIN.  The server ACKs the client's FIN.
   The server also sends its own FIN, which the client ACKs.
 
 
  The gist of your problem is these multiple connections that happen.
  I assume that HTTP works fine. That's probably because it opens only
  one connection.
 
  So, is there some more advanced configuration you can do to make FTP
  work? That's the question.
 
  As far as your idea of fixing the problem with a static route, I'm
  afraid that won't work because static routes don't let you specify a
  port number. Would policy routing work? It's going to be tricky,
  though, because of those ephemeral ports.
 
  Maybe you could just pull one of the connections when you do FTP!
  ;-)
 
  HTH
 
  Priscilla
 
 
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com
 




-Carroll Kong
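As an added example (not code from Priscilla's or Carroll's posts), the following does the bookkeeping a stateful FTP inspector must do to get past the port-21-only problem described above: read the PORT command (active mode) or the 227 reply to PASV (passive mode) on the control channel and derive the one extra TCP connection that follows. The control-channel transcripts are constructed, and the function and class names are assumptions.

```python
"""Derive the FTP data connection from what crosses the control channel.

Added example, not code from the original thread. A rule that knows only
port 21 sees the control connection and nothing else: the data
connection's endpoints are negotiated inside that channel. This is what a
stateful FTP inspector has to track. Transcripts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# h1,h2,h3,h4,p1,p2 tuple shared by the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConnection:
    mode: str                 # "active" or "passive"
    initiator: str            # side that sends the SYN of the data connection
    dst_ip: str               # address that SYN is sent to
    dst_port: int
    src_port: Optional[int]   # 20 in active mode; ephemeral (unknown) in passive


def decode_hostport(text: str):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    parts = [int(x) for x in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError(f"octet out of range in {text!r}")
    ip = ".".join(str(p) for p in parts[:4])
    return ip, parts[4] * 256 + parts[5]   # p1 is the high byte, p2 the low byte


def expected_data_connection(transcript: List[str]) -> Optional[DataConnection]:
    """Walk a control-channel transcript ('C: ' client lines, 'S: ' server
    lines) and return the data connection implied by the latest completed
    PORT or PASV exchange, or None if none has been negotiated."""
    pending_port = None      # PORT seen, waiting for the server's 200
    result = None
    for line in transcript:
        side, _, msg = line.partition(": ")
        if side == "C" and msg.upper().startswith("PORT "):
            pending_port = decode_hostport(msg)
        elif side == "C" and msg.upper().startswith("PASV"):
            pending_port = None
        elif side == "S" and msg.startswith("227"):
            # Passive: the client connects to the server-announced ephemeral
            # port. An inspector doing NAT would also rewrite the address here.
            ip, port = decode_hostport(msg)
            result = DataConnection("passive", "client", ip, port, None)
        elif side == "S" and msg.startswith("200") and pending_port is not None:
            # Active: the server connects from port 20 to the client's port.
            ip, port = pending_port
            result = DataConnection("active", "server", ip, port, 20)
            pending_port = None
        elif side == "S" and msg[:1] in ("4", "5"):
            pending_port = None      # server refused whatever was pending
    return result


# Constructed transcripts using RFC 5737 documentation addresses.
ACTIVE_SESSION = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PORT 192,0,2,10,4,1",            # client listens on 192.0.2.10:1025
    "S: 200 PORT command successful.",
    "C: LIST",
    "S: 150 Here comes the directory listing.",
    "S: 226 Directory send OK.",
]

PASSIVE_SESSION = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PASV",
    "S: 227 Entering Passive Mode (198,51,100,7,195,80).",   # 195*256+80 = 50000
    "C: RETR file.bin",
    "S: 150 Opening BINARY mode data connection.",
    "S: 226 Transfer complete.",
]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        conn = expected_data_connection(session)
        print(f"{name}: {conn.initiator} opens TCP to {conn.dst_ip}:{conn.dst_port}"
              f" from port {conn.src_port or 'ephemeral'}")
```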




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45717t=45682



Re: what is wrong with the job market ? [7:35611]

2002-02-18 Thread Carroll Kong

At 09:51 PM 2/18/02 -0500, Kevin St.Amour wrote:
Just a thought.
Just as there is a glut of Fiber, I believe the market created a glut of
Tech workers.  I remember going to a Technical School, and before slapping
down 15k for a networking Degree in 1998 (BTW, the school went under a year
ago http://clcx.com ) I heard numbers like "This industry will be behind
500k Tech workers due to lack of Skill by 2004... Get the skills now"
(paraphrasing)

-Kevin

Do not know about you, but on average, most of the guys I see in the 
industry are woefully inept and incompetent.  I am shocked they get paid 
anything even close to the amount they do.  If one thing is for certain, we 
definitely need BETTER guys out there.  However, it seems like, most 
companies do not realize what good people are.  Such a disparity only helps 
in the downturn.

What is sad is, instead of appreciating technical ability and learning 
capacity, most companies are doing a fire sale and axing what few good 
people they have.  While some of the incompetent upper management survive 
due to nepotism and what not.

So, while I agree a downturn is occurring, I do NOT agree that there is an 
oversupply of qualified individuals.  I would say 60-80% of the IT 
people I meet are inadequate.

-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35826t=35611



Re: 2924XL and Blue Screen of Death: Resolved [7:33203]

2002-01-25 Thread Carroll Kong

At 10:57 AM 1/25/02 -0500, John Neiberger wrote:
Well, sort of resolved.  This turned out to be a known issue with Dell
machines, specifically machines using a 3COM 3C905C NIC.  They expect
the network to be available almost immediately upon bootup and can't
handle the delay caused by spanning tree.  In some cases, even portfast
did not reduce the time sufficiently.

So, watch out for those 3COM NICs!

John
Disable portfast, disable channeling, disable trunking on all user ports, 
and it will be fast enough.  Also, you might want to lock the speeds.

-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33219t=33203



Re: pix problem [7:33184]

2002-01-25 Thread Carroll Kong

A few quick thoughts that might be messing this up.
 You have no default route for your DMZ.  If you planned on having 
the DMZ map back to the outside properly, your global does not indicate 
so.  Also, you do not seem to have any globals which match the nat ids for 
the dmz.

At 09:35 AM 1/25/02 -0500, cage wrote:
The following is my configuration of the PIX 525.  Now the nodes in the DMZ
cannot connect to the outside, why?
And do I have to use the NAT command for the traffic from the DMZ to the
outside?  It seems that the PIX can't route the DMZ traffic to the outside.
Help me! Please!

sh conf
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_in permit tcp any host 202.99.33.69 eq smtp
access-list acl_in permit tcp any host 202.99.33.72 eq www
access-list acl_in permit tcp any host 202.99.33.66 eq domain
access-list acl_in permit tcp any host 202.99.33.67 eq domain
access-list acl_in permit icmp any any
access-list ping_acl permit icmp any any
pager lines 30
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
ip address outside 210.82.34.29 255.255.255.0
ip address inside 192.168.4.1 255.255.255.0
ip address dmz 202.99.33.254 255.255.255.0
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
pdm history enable
arp timeout 14400
global (dmz) 1 202.99.33.73 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group ping_acl in interface dmz
route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3be86ece2c90058e0c9190f986717d63

pixfirewall#
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33202t=33184



Re: Slightly OT: 2924XL and Blue Screen of Death [7:32536]

2002-01-21 Thread Carroll Kong

I have seen this happen when you have a speed and duplex 
mismatch.  (actually 10baseT hooking into a 100baseT hub with no dual speed 
mechanism, old school stuff).  Then when you go into network neighborhood, 
BOOM.  Check that first.  This might be the case if the NICs are only 
10baseT hooking into a 100BaseT Switch that might be locked at that speed.

At 09:46 AM 1/21/02 -0500, Patrick Ramsey wrote:
Have you enabled portfast?  Sometimes things like this can happen because
the client is having difficulties seeing traffic to bind to.  It takes
forever on a Cisco switch to get a good link if portfast is not enabled.

-Patrick

  Chuck Larrieu  01/18/02 05:50PM 
have you tried this particular machine in the other switches?

sometimes a bad windows installation on a pc will blue screen no matter
what.

John Neiberger  wrote in message
news:[EMAIL PROTECTED]...
  We're having an interesting issue that just appeared recently.  We have
  some Dell PCs running Netware 6 and new client software.  We're not sure
  why, but if one of these machines is connected to a 2924XL switch, it
  regularly experiences a blue screen of death either at login or within 5
  minutes of login.
 
  We have identical machines that operate fine if they're connected to
  our Bay switches or Cisco 1900 switches.
 
  Have any of you seen anything like this??  That makes no sense to me.
  The only difference I've been able to determine is that Spanning Tree is
  turned off on those particular Bay switches and 1900 switches, yet it is
  turned on on the 2924XL switches.  So, perhaps these PCs are reacting
  badly to STP BPDU.
 
  Any thoughts?  Our LAN people are doing some testing with different NIC
  software and Novell client software and I'll post back to the list if we
  determine the actual cause of the issue.  But can you think of why it
  would only happen if they're connect to a 2924?
 
  Thanks,
  John
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32691t=32536



RE: Stupid Question [7:32591]

2002-01-21 Thread Carroll Kong

Reason being that NTFS is a journalled file system.  Not sure on 
NT 3.51's version of NTFS, but if you say so, probably true.  (not meant to 
be sarcastic, but sincere)
 As for the SQL database, depending if it had good rollback 
mechanisms to avoid corruption, it may or may not get corrupted, as you said.
 As for the unix systems, most of them use UFS, which is not a 
journalled file system.  However, I do not know of many OSes or 
distributions that let you add in a journalled fs.  One that comes to mind 
is linux with the reiserfs.  (linux comes stock with ext2fs).  (you can add 
in journalled file systems afterwards; one commercial unix in mind that 
comes stock and barrel with a journalled fs is the venerable Irix with its 
XFS).  Go ahead, pull the plug on him, he won't care.  No fsck on 
startup.  Just smooth rolling.
 If you note the pattern here, it is a function of the file system 
(or in the database's case, how it retains data and does integrity checks 
and if it has rollback recovery to avoid data loss or undo bad transactions).
 Not sure if I can give a definitive reason on why the ciscos do 
not fear such things.  Probably because it is not usually writing data very 
often, and the data it writes is essentially a text file (NVRAM 
configurations).  The OS in itself is a static flash file that never 
needs to be overwritten during normal runtime operation, only during 
upgrades.  This is totally different on a fully blown OS that has crazy 
writes usually going on during operation.  Or even if it did not, has a 
good reason to double check for file integrity.  The Cisco router was meant 
to be more of an appliance-like machine, so its behavior makes sense, and 
so does its obvious resistance to the occasional power plug pull.

At 06:42 PM 1/21/02 -0500, Mark Odette II wrote:
H.
Funny, last I checked, you could turn off in Mid-Boot process, Pull the plug
in Mid-Shutdown process, or yank the power to the UPS (and no battery left)
with all NT Machines running (NT3.51 - W2K), and the system would never miss
a beat in start-up file system recovery.

Now do that to NT servers with Oracle or some SQL-type application server
running on it, and it may have data corruption- but that's only with the
DB's ... and that happens, no matter WHAT the platform.

Now, then again, try doing the above such listed tasks of brutality to a Sun
Box, an SCO box, or an AT&T Unix box, and watch the games begin as Inodes
fly everywhere and the file system checker starts griping about how unhappy
it is, and I wouldn't be surprised if an AIX or SGI box did the same.
DB Server or not.

Sorry... just gotta love those MickeySoft stabs that have no meaning other
than for slander.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 21, 2002 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: Stupid Question [7:32591]

Just turn them off or simply unplug them.

Fortunately the IOS was not written by Microsoft and nothing will get
corrupted!!!

-Serge.

Richard Tufaro wrote:
 
  What is the proper way to shutdown a router? not reload, but
  shutdown? Just flick the switch? Seems to brutal to me.
 
  Richard Tufaro - MCSE - GSEC- CCNA
  Network Engineer - Anda Inc.
  [EMAIL PROTECTED]
  MSN IM - [EMAIL PROTECTED]
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32771t=32591



Re: BGP AS Number [7:32107]

2002-01-16 Thread Carroll Kong

Verio blocks it.  I believe they even required up to /20.

At 10:35 AM 1/16/02 -0500, John Neiberger wrote:
That may be true in some cases, but a /24 will work just fine.  Our
organization is multihomed and we advertise a /24 to two providers.  I
have yet to notice any reachability issues.  Perhaps there might be
portions of the net that filter our address range but I've checked
numerous looking glass sites and have yet to see one where our specific
prefix didn't appear.

  Eric  1/15/02 10:36:26 PM 
IMHO - You will need at least a /21 as some ISP's set policies that
will
filter anything less.

Best bet is to pick up a copy of: Internet Routing Architectures,
Second
Edition. ISBN# 1-57870-233-X.

This book will also introduce you to the third item to consider when
connecting to two ISP's: Symmetry.

Regards,
Eric


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32171t=32107



Re: OT: Displaying Certifications [7:31196]

2002-01-07 Thread Carroll Kong

You are right.  It is a preliminary and is not a 
certification.  My guess is the purpose is to either confuse people into 
believing they are a CCIE or try to get the most credibility that you can 
get by without outright lying.  (at least they are not saying they ARE
CCIEs).
 Depends on the clue level of the hiring manager.  Most people do 
not know how Cisco's Certification structure goes, and may very well 
believe the CCIE Written is a legitimate certification.  This is going to 
wildly vary depending on the location and intelligence of the hiring 
managers across the world.
 Is it normal practice to try to overextend what you know?  Of 
course.  Is it a practice I condone or do myself?  No.
 However, I never did feel people who caressed routers and called 
TAC for every single trivial problem for 5 years have 5 years of 
experience in the networking field.  Do people still do it?  Yes.  Will 
they still be doing it even after I have turned into worm food?  Most 
likely yes.  It will be a different context, but people will be 
overextending what they claim to know and their abilities all the time.

At 03:24 PM 1/7/02 -0500, juno vtv wrote:
I have noticed that people who have passed their CCIE written exam will put
CCIE Written under their name.

I would like to know why?

I personally don't believe that the written exam is a certification but more
of a preliminary. What is the purpose of putting CCIE written after your
signature?

Hiring managers:  What are your thoughts when you see a resume with CCIE
written on there?  Is that misleading?

I am asking this out of curiosity.  I do not know if this is a normal
practice or not.

I would like see people's thoughts on this.

-junovtv
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31203t=31196



Re: OT Request; LAN/WAN monitoring software [7:31227]

2002-01-07 Thread Carroll Kong

Please do not hold me to the gun on it, but I believe you can run 
SNMP managers; Castle Rock and Netcool seem to be OK.  I 
think Concord might work as well.  I have not deployed these myself, just 
seen my clients run them.
 Running SNMP on all of your machines can have drastic security 
consequences.  Be careful.

At 07:45 PM 1/7/02 -0500, Michael Smith wrote:
A bit off topic, but would appreciate any suggestions -

Looking for a software solution, not UNIX based, that has capabilities
to centrally monitor hardware and network traffic on a small LAN/WAN
network, that contains HP switches, Cisco routers and Compaq servers.
HPOV is not an option, end user is not UNIX guru, and network is Win2k
based.

Any suggestions would be most appreciated.

Regards,

Michael Smith
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31233t=31227



Re: OT - Firewall performance Comparisons - is it quitting time [7:30675]

2002-01-02 Thread Carroll Kong

Funky Unix exploits tend to only happen when people for some odd 
reason, decide to open up public services on those machines.  The same 
problem exists with NT, but usually it has silly libraries sploits as well.
 Any decent security admin can lock down any box running any 
OS.  The problem I would fear of using an OS based vs appliance based is 
making sure they cannot do more damage with it.  A hacked unix box can do 
oodles more damage than a hacked windows box.  Of course, you can lockdown 
the amount of binaries on the machine to make it very hard to continue 
attacking.  These are super hardened boxes.  Disabling services, any good 
admin can do in his sleep.  Hardening the box by removing specific binaries 
is a bit more difficult.  Have you checked the Nokia 440s or 330s 
appliance like boxes?  They run a BSD variant (IIRC), and are quite 
secure OS wise.  Yes, checkpoint runs on them as well.  Now, Checkpoint's 
security issues, that's a different story.  You will find most of the 
security holes in checkpoint are because of checkpoint itself, not the 
OS.  As for running it under NT, all I can say to the man who suggested it 
is, "What are you thinking?"
 On the side, Pix has flaws too.  To be fair, I do not think there 
has been any firewall product released without a security exploit either in 
its rule handling or in its management interface.
 I think checkpoint can interoperate between some other devices as 
well.  So this is not a big deal.
 Supposedly, skip checkpoint specific tech support and get it from 
Nokia.  Nokia surprisingly has better checkpoint guys than checkpoint 
themselves.
 I agree that anything command line based can be configured far 
faster.  I think we all know the reason why people still go with 
checkpoint.  For some odd reason, some companies either believe that having 
an easier to use firewall will allow for a more secure network.  (insert 
your laughter here).  Or they believe that command line firewalls are too 
hard to use.  (insert more laughter)  Sigh.  My take on it.  If you do not 
understand firewalling theory, you will not understand it with or without a 
GUI.  Syntax aside, but that's trivial.  Ask any programmer who can make 
this analogy.  The key is understanding fundamentals, not understanding 
mouse clicks.
 Finally, I am not arguing for or against the Pix or 
Checkpoint.  Personally, I find they both have glaring problems that I am 
shocked to find.  They also have their own specific advantages.  However, I 
find some of your points are not necessarily valid.

At 07:42 AM 1/2/02 -0500, Tim O'Brien wrote:
A couple of points, and I will then get off of my soapbox...

Checkpoint NG is STILL an application running on UNIX or NT, not a self
contained appliance. Personally I love Microsoft (let the flames begin!),
however, with the critical updates that I see getting installed on my 2000
and XP workstations I am POSITIVE that I would not want to trust my company
security to it. Another point.. Have you ever installed and configured a
Checkpoint firewall? You can have the PIX up and running with failover even
before you get the OS half installed on the new server that you need to buy
for it, thus raising the cost for an already more expensive solution in
man-hours and equipment. The PIX is also very interoperable with other
devices in the network. You can create PIX to PIX or PIX to IOS or PIX to
3000VPN site-to-site with other offices or home offices with built in 56bit
DES or available 3DES . You can tunnel in VPN clients (free Cisco VPN client
available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last
point, Have you ever had to get support from Checkpoint??? enough said about
that one...

If you would like to discuss further contact me offline...

Tim

- Original Message -
From: [EMAIL PROTECTED]

To:
Sent: Wednesday, January 02, 2002 4:05 AM
Subject: Re: OT - Firewall performance Comparisons - is it quitting time
[7:30652]


  For quite a while CheckPoint is out performing every single Firewall in
the
  market a specially in the CheckPoint Next Generation Firewall version
  and with the release of there SecureXL API.
  It is important to remember that performance is not everything that need
to
  be compared while testing a Firewall.
  I love the Cisco PIX but the CheckPoint NG is amazing.
 
  Gil
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30675t=30675



Re: Howard Berkowitz to speak at EveCon 19 [7:30121]

2001-12-26 Thread Carroll Kong

At 07:48 PM 12/26/01 -0500, Priscilla Oppenheimer wrote:
So, completely OT, but has anyone seen the first LOTR movie yet? Is it any
good? I think Howard could be considered the Gandalf of networking. ;-)

Priscilla

Yes, not a bad movie at all.  I felt it was a fairly close translation to 
the book.  Obviously some parts had to be omitted, but I think they did a 
great job.  Of course, your mileage may vary, especially if you are 
pedantic about following the book to the letter.

-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30137t=30121



RE: Routing protocols [7:29139]

2001-12-14 Thread Carroll Kong

At 09:10 AM 12/14/01 -0500, Howard C. Berkowitz wrote:
 To Chuck, I do not agree that the OSI model is crap.  Sometimes it can
 add confusion, but for the most part it is fairly well defined.  Also, no
 one ever said TCP/IP follows the OSI model 100%.  The concept of layering
 is just very easy to see with the OSI model.  TCP/IP generally has only
 layers such as the application, network, transport, and physical.  You
 could throw in datalink in there I suppose.  It certainly helps people
 understand networks.  Without the OSI model, it seems like a lot of random
 musings.  TCP/IP has a very clear transport and network and application
 layer.

Then how is it that the TCP/IP suite was developed before the OSI
reference model was finished, largely by people that, at the time,
were very hostile to the OSI work and vice versa. I was there at the
time, and remember European delegates to ISO making comments like "we
will never use protocols developed by the bomb-crazed American
military."

OSPF and ISIS have some similarities, yet one came out earlier than the 
other.  The similarities were taken as they were developed.  Just because 
it was not set in stone yet, does not mean it did not exist.  The 
standards were not atomically created, they are developed as time goes 
on.  As some parts were done, they probably took it and ran with it.  Plus 
it only seemed like a logical separation.  It was mainly for insulation of 
different layers (as you mentioned, good programming practices) which 
created these divides.  So, I think it is reasonable to still say as a 
reference model, tcp/ip matched some parts of the osi model.  Who stole 
who, does not matter, they still follow a similar layering for transport 
and network.  And the network layer for the most part, could care less what 
it runs over as long as that is insulated from them.  That seems very real 
in both practical and theory cases.  That is what tcp/ip does, that is what 
the osi model references.

 To Jose, I feel they do not work at the network layer, and work at the
 application layer.  If it uses protocols, (EIGRP and OSPF) it uses IP RAW
 which means it skipped the transport component, ultimately I still feel it
 is at the application layer.

In my sophomore year of high school, I _felt_ that a girl named Gail
_should_ have reciprocated my affections and lust. She didn't. Just
because, Carroll, you feel something, doesn't make it right. Ignoring
the TCP/IP work, ISO says you are wrong in its OSI Routeing
Framework document, in which routing protocols for layer N are
defined as layer management protocols for and of layer N.  The
transport they use is irrelevant, because their payloads affect layer
N directly.

I did not mean I was being definitive.  That is why I said I felt.  I was 
not sure, and told him my perspective since he was asking for one.  All of 
us seem to agree that the result / payload affects the network layer.  As 
long as we understand that part, I think that is pretty good.  Semantics
aside.

(That seems to be what Chuck is getting at.  Screw the OSI model and 
semantics, as long as we know what it is doing.  However, I think some 
people are not at that level to even know since we have no semantics to 
work at all.  The important key here is that we understand it resides 
perhaps at another layer, but affects layer 3.  As opposed to it itself 
being at layer 3.)

Anyway, I guess I am totally wrong on this.  Sorry for wasting everyone's 
time I will try not to respond anymore.  I just felt that it seemed like a 
good way to learn, and as a baseline, the OSI model seemed ok, and I 
thought TCP/IP matched some of it.  I guess it does not match it at all, so 
learn the layering of tcp/ip elsewhere.

-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29202t=29139



Re: Help with IP Addressing/VLSM- work project [7:29160]

2001-12-13 Thread Carroll Kong

You almost got it, but it does not seem correct.  When you break 
the 65.85.105.128 255.255.255.192 into 4 subnets, you cut from the 
65.85.105.128, not the 65.85.105.0.  Also, you cannot cut 4 subnets out of 
a 65.85.105.128 with a 255.255.255.192 mask.  You would only get 2 
more.  Since you have a 65.85.105.128, you only have 128 hosts left.  A 
255.255.255.192 mask will give you 64 host subnets.  128/64 is 2.  A VLSM 
lets you subnet a subnet while routing is still sane.  Anyway, you have to 
further slice it using a 255.255.255.224.

65.85.105.128 with 32 host subnets will give you the final 4 since 128 
hosts divided by 32 is 4 subnets.

I put the masks in both bitcount and dotted decimal notation.

Subnet 1 = 65.85.105.0/25 (255.255.255.128)
Subnet 2 = 65.85.105.128/27 (255.255.255.224)
Subnet 3 = 65.85.105.160/27 (255.255.255.224)
Subnet 4 = 65.85.105.192/27 (255.255.255.224)
Subnet 5 = 65.85.105.224/27 (255.255.255.224)

At 11:15 PM 12/13/01 -0500, Sarah Parker wrote:
Hello Everyone,

I am working on a small IP address project and trying
to figure out VLSM.

Since I am not very good and do not have much
experience with IP addressing, I wanted to send this
to make sure what I have is correct or if I am really
wrong on this one.
Thanks in advance for any feedback or corrections!!

This is a new network-
Current IP Address=65.85.105.0
Mask=255.255.255.0

I need a total of  5 subnets.

What I did
Took 65.85.105.0, 255.255.255.128 to subnet into  2
networks,
This gave me
Subnet 1= 65.85.105.0, hosts 1-126, broadcast  127
Subnet 2=65.85.105.128, hosts 129-254, broadcast 255

Took 65.85.105.128 255.255.255.192 to subnet into 4
subnets
This gave me
Subnet 1=65.85.105.0, hosts 1-62, broadcast 63
Subnet 2=65.85.105.64, hosts 54-126, broadcast 127
Subnet 3=65.85.105.128, hosts 129-190, broadcast 190
Subnet 4=65.85.105.192, hosts 193-254, broadcast 255

So this would give me to use on the network
1=65.85.105.0 255.255.255.128 (17 mask?)
2=65.85.105.0 255.255.255.192 (18 mask?)
3=65.85.105.64 255.255.255.192
4=65.85.105.128 255.255.255.192
5=65.85.105.192 255.255.255.192


Did I do this correctly? This is based on using subnet
zero.

I am using a public class A but for security reasons I
did change the actual real address.

Thanks again for everyones feedback.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29162t=29160



RE: Routing protocols [7:29139]

2001-12-13 Thread Carroll Kong

To Chuck, I do not agree that the OSI model is crap.  Sometimes it can 
add confusion, but for the most part it is fairly well defined.  Also, no 
one ever said TCP/IP follows the OSI model 100%.  The concept of layering 
is just very easy to see with the OSI model.  TCP/IP generally has only 
layers such as the application, network, transport, and physical.  You 
could throw in datalink in there I suppose.  It certainly helps people 
understand networks.  Without the OSI model, it seems like a lot of random 
musings.  TCP/IP has a very clear transport and network and application
layer.

Not sure if there was sarcasm or an attack on the reputable source that 
UDP is an application layer part.  I am going to assume so, because its 
spot as a transport is very clear.

So, it is wrong for me to say that ftp clients and telnet clients use layer 
7?  (referencing user application vs service application)?  Then where 
would it go?  Nowhere?  (hence why you say the OSI model is crap?)

To Jose, I feel they do not work at the network layer, and work at the 
application layer.  If it uses protocols, (EIGRP and OSPF) it uses IP RAW 
which means it skipped the transport component, ultimately I still feel it 
is at the application layer.

Perhaps it is just my roots that routing daemons are still just daemons, 
programs which run on a box.  They dynamically insert information into a 
routing table.  Unix machines still do it, a Cisco router is just an 
appliance version of a unix box with a routing daemon with multiple 
interfaces.  (without extraneous baggage of course)

At 10:57 PM 12/13/01 -0500, Chuck Larrieu wrote:
I once had an interesting, if heated argument with someone off list about
this. IIRC, I was told by that person that Cisco, in its current CCNP study
materials, is saying just that - that something operates at the OSI layer
above which it functions. I.e. if a routing protocol uses an IP protocol
number, then it is operating at transport layer. Since BGP uses TCP port
179, it is operating at the session layer, along with RIP, which uses UDP
port 520. ( BTW, I have also read in a reputable source that UDP is
application layer because it is not reliable, and therefore cannot be
transport layer, and there is no place else it really fits )

I recognize that Cisco just LOVES the OSI model in the lower level
certifications, but the fact is that in terms of how things work it is crap,
and tends to cause more confusion and add no value.

Every vendor of content switches is calling them layer 4-7 switches. what
kind of crap is that?
I dare anyone to justify switching as a layer 5 or a layer 6 activity. Yet
there it is. Also, to judge from what content switches do, the marketers are
saying the OSI layer 7 is user application, not a service application,
something Howard takes great pain to differentiate in his writings on the
subject, again IIRC.

TCP/IP is NOT OSI compliant, never has been, never will be. OSI is a
reference model, and not necessarily related to anything in real life.

End of rant.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jose Luis De Abreu
Sent: Thursday, December 13, 2001 12:25 PM
To: [EMAIL PROTECTED]
Subject: Routing protocols [7:29139]


Just an open question ?

We read, learn and teach Routing protocols are at the
NETWORK layer of the famous OSI model...

But they have PROTOCOLS NUMBERS - TRANSPORT LAYER(such
as IGRP protocol 9, EIGRP protocol 88 and OSPF
protocol 89)and APPLICATION PORTS values - APPLICATION
LAYER (RIP uses port 520 and BGP4 uses port 179)
indicating they work in the upper layers and not in
the network layer, although the result is shown in
the NETWORK layer...

So my question is...

Do they really operate at LAYER 3 ?

Warm regards,

Jose Luis De Abreu

-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29165t=29139



Re: Home lab - 2523 [7:27788]

2001-12-10 Thread Carroll Kong

Seems to be a lot on Ebay. (2514 that is).  (2523) is a bit more rare.

At 09:49 AM 12/9/01 -0500, John Green wrote:
ok tell me this guys.
the 2523 and 2514 are not available in like
used_hardware / online / auction sites.
seems these two are pretty popular ones. why ?
i have been trying to get hold of 2514 (has 2 ethernet
interfaces) but have been unsuccessful yet.



--- Circusnuts  wrote:
  All you need is @ least version 10.0 IOS and Serial
  interfaces.  This
  explains why the AGS and MGS (and ear muffs) are
  still found in a lot of
  CCIE labs today.
 
  All the best !!!
  Phil
 
  - Original Message -
  From: EA Louie
  To:
  Sent: Saturday, December 08, 2001 2:53 PM
  Subject: Re: Home lab - 2523 [7:27788]
 
 
   yes it is.  I have one and it works fine as a
  frame switch AND router with
   isdn, serial, and token ring.  A great
  multi-purpose device, and usually
   cheaper than a 2522.
  
   - Original Message -
   From: Ham web
   To:
   Sent: Friday, November 30, 2001 3:39 AM
   Subject: Home lab - 2523 [7:27788]
  
  
hi folks,
   
Just wanted to know if the 2523 was a good buy
  to act
as a frame relay/x.25 switch in a home lab
   
Many thanks
   
Ham
   
   
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28586t=27788



RE: Does session layer protocol use IP address ? [7:28378]

2001-12-09 Thread Carroll Kong
 statement, although it's taken out
of
  context and you haven't given us enough information to say that the
  statement is definitely wrong.
  
  However, try to picture the numerous OSI pictures you have seen. Most of
  them show horizontal lines between a layer on one host talking to the
same
  layer on another host. So the session layer talks to the session layer
on
  the other host. That's probably what Todd was getting at.
  
  However, the pictures also show vertical lines. A layer calls on a layer
  below to provide services. Each layer offers services to layers above
it.
  
  The session layer is an elusive beast that is not implemented much. But
one
  example might help. NetBIOS is a session layer. On a Windows client,
when
  you access a Server Message Block (SMB) server, NetBIOS has the job of
  setting up a session with the server. Before it can do that, however, it
  must find the address of the server. If it's a modern Windows network,
then
  SMB and NetBIOS are probably running above TCP/IP and UDP/IP. So NetBIOS
  sends a DNS or WINS query to find the IP address of the named server. It
  then sets up a NetBIOS session with the server. Actually, first, the
client
  sets up a TCP connection. TCP has port numbers. The client sends to the
  well-known TCP port for NetBIOS session (139) and use an ephemeral port
on
  its side. These port numbers could be considered addresses at the
  transport layer.
  
  Anyway, back to the question. The statement is at best over-simplified.
I
  recommend you get yourself a sniffer and watch what really happens
between
  layers. (Ethereal is free by the way.)
  
  Priscilla
  
  
  
   Thank you for your time.
   
   mlh
  
  
  Priscilla Oppenheimer
  http://www.priscilla.com
 
 
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28604t=28378



RE: Does session layer protocol use IP address ? [7:28378]

2001-12-09 Thread Carroll Kong

 And since NFS definitely uses RPC, and there can only be ONE,
 perhaps NFS is truly just at the application layer.

That is one of the sentences I wrote.  You seemed to have missed that 
one.  Although I suppose I was not as clear.  Sorry.

I agree with what you said or at least speculated that yes, there can only 
be ONE component of the particular layer.  Which would imply that NFS is 
indeed at the application layer since it uses RPC which RPC itself is in 
the Session layer.

NFS itself has synchronization issues which some have considered to be a 
Session Layer characteristic.

I never said once that the USE of RPC means that it should be in the 
session layer.  I did mention that the fact that NFS has synchronization 
primitives, which is considered a characteristic of the Session layer.

So that is the possible two sides.  I did not take a particular side, and 
perhaps I should work more carefully with nfsd.  I do know that the final 
application uses mountd, which hooks into NFSd.  NFSd alone will not let 
you do a remote mount.

Hope that clears things up a bit.  This sure seems as debatable as whether 
or not ARP should be in Layer 3 or Layer 2.

At 07:59 PM 12/9/01 -0500, [EMAIL PROTECTED] wrote:
It's possibly an exercise in bad faith to continually reintroduce written
materials that have been explicitly discounted by people who can make a
legitimate claim to understand the context they were churned out in. In
this case, the cisco materials often don't offer any substantiative
reasoning for their arbitrary taxonomical assignments of protocols as far as
higher-numbered layers of the osi stack are concerned (providing somewhat
of a contrast to their treatment of better-scrutinized layers).

I'm a little concerned though, about the following:

In sentence 7, you place RPC in the session layer. Two sentences earlier,
you cite NFS' use of RPC as a justification for assuming that NFS resides
in the session layer. While it might be exactly an example of the
discontinuities you cite in your first paragraph, one of the few
straightforward parts of the out-of-control agglomeration of ideas & 
assertions that constitute the concept of osi communications protocol
layering as it appears in (english) print seemed to be the notion that
services maintained at level X+1 use services at layers X, and do not
(directly) interact with other X+1 entities. Am I missing something?

In either case, some instances where treatments clash are rife with
potential insight & relevant ambiguities, while others are not. It's not
clear that the certification prep treatments of this abstraction belong in
the former category (most notably for their unignorably light treatment of
upper-layer protocol characteristics), rendering them a dubious
justification for a reasonable opportunity to think otherwise.

I dread the day when all extant statements about a given topic are accorded
equal weight (not least of all because I make statements about given topics
and would find it hard to live with such a weighty burden).






Carroll Kong @groupstudy.com on 12/09/2001 04:59:49
PM

Please respond to Carroll Kong

Sent by:  [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Kevin Cullimore)
Subject:  RE: Does session layer protocol use IP address ? [7:28378]


Priscilla, I think you are being a bit too hard on the guy.  He
tried to do some real research, he is referencing other written
material.  I did some quick research and I am finding some information is
clashing about it.  I think sometimes it is hard to make the differentiate
between the layers for certain constructs.
  I think perhaps, WHY NFS is so often put in the Session Layer is
because it uses RPC.  Also, NFS does do synchronization of files, which can
be heavily argued as a Session Layer characteristic.  I would say RPC
definitely is in the Session Layer.  NFS does synchronization, (remember
the ancient days of keeping file consistency with UDP?)  but looks like it
might be at the application layer.  I suppose that is where the confusion
is.  And since NFS definitely uses RPC, and there can only be ONE,
perhaps NFS is truly just at the application layer.  You could argue that
it is mountd that really allows remote mounting and nfsd just does
synchronization.
  I think it is somewhat debatable and reasonable for him to think
otherwise if so many other references point it to the wrong direction.
  I am interested in any reference, as that is how we make sure we
did not mislearn something.

At 02:04 PM 12/9/01 -0500, Priscilla Oppenheimer wrote:
 At 06:18 PM 12/8/01, anil wrote:
  This is from Cisco Oct 2001 Packet..
  http://www.cisco.com/warp/public/784/packet/oct01/p76-training.html
  
  It must be out of date :-)
 
 Not out of date. Just wrong. You can keep coming up with wrong material.
 What's your point?
 
 Have you looked at NFS with a Sniffer? Have you read a Unix man page? Have
 you checked some RFCs?
 
 Have you considered what NFS does? What

Re: /31 subnet. [7:27742]

2001-11-30 Thread Carroll Kong

Law of subnets is a tradeoff.  Bigger subnets, have higher 
efficiency, at the cost of bigger broadcast domains.  Smaller subnets have 
abysmal efficiency, at the benefit of smaller broadcast domains.
 /31 is a new RFC proposed rule which eliminates the loss of 
efficiency of 50% to.. 0%.
 /30 has 2 usable addresses but loses 2 for broadcast and 
network.  So, you need 4 ips to make the subnet, but you only can use 
2.  50% efficiency.  /31 is going to let you take 2, and use 2, and ignore 
the broadcast and network need.  This is ideal for point to point.

At 08:32 AM 11/30/01 -0500, VoIP Guy wrote:
Maybe I'm missing something, but there are only 2 useable addresses in a
/30, and only 2 interfaces participating in a point-to-point link, so how
are there 50% of the addresses wasted.

Steve


MADMAN  wrote in message
news:[EMAIL PROTECTED]...
  Point to point connections, with a /30 you waste 50% of the
  available addresses.
 
Dave
 
  Nicolas FEVRIER wrote:
  
   Hi group,
  
   I'm puzzled by the use of /31 subnets...
   Anybody can explain me the benefits of such a subnet on an interface ?
  
   Thanxx.
  
   Nicolas.
  --
  David Madland
  Sr. Network Engineer
  CCIE# 2016
  Qwest Communications Int. Inc.
  [EMAIL PROTECTED]
  612-664-3367
 
  Emotion should reflect reason not guide it
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27810t=27742



Re: Help on VLSM [7:27665]

2001-11-29 Thread Carroll Kong

At 07:35 AM 11/29/01 -0500, Tel Khan wrote:
Hi folks,

I don't fully understand VLSM. I have read this in the Sybex book and I'm still
at a loss; I would be grateful for some guidance.

Sorry for being thick!

Regards
Tel

VLSM means you can have variable length subnet masks.

192.168.0.0/24 is normally a classic class C block.  Let us say you want 
to break it up into two subnets, normally you would do

192.168.0.0/25
192.168.0.128/25

What VLSM lets you do is have this scenario.  Say I want 3 subnets!

192.168.0.0/25
192.168.0.128/26
192.168.0.192/26

Notice, now I have Variable Length Subnet Masks!

Normally, since subnet info is not passed into certain routing protocols at 
all, they trust on the subnet mask assigned on the router's 
interface.  Obviously, with just that method, you can ONLY break them into 
the same subnet masks across all subnets.  In the VLSM case, I can break 
them up dynamically into smaller and smaller pieces.  You can expand this 
example to make tiny /30 networks too.  Ultimately, it is not that 
magical.  It just means you can pass these routes into one router's 
interface without getting it confused because the routing protocols that 
support VLSM carry the subnet mask information within the routing packets.



-Carroll Kong
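Added example, my own code rather than anything posted to the list or published by Cisco: standard-library Python that carves the 65.85.105.0/24 from the "Help with IP Addressing/VLSM" post into the five subnets of Carroll's corrected plan, flags the overlaps in the plan he was correcting, prints host ranges in the thread's "hosts 1-126, broadcast 127" notation, and compares /30 with /31 address efficiency as discussed in the /31 post. The host counts (100 and four times 20) are constructed so that the allocator lands on that plan; the two plan texts are transcribed from the posts.

```python
import ipaddress
import math
import re
from itertools import combinations

BLOCK = "65.85.105.0/24"
# Constructed: 100 hosts on the first LAN, 20 on each of the other four.
HOST_COUNTS = [100, 20, 20, 20, 20]

# Carroll's corrected plan, as posted (prefix length plus dotted mask).
CARROLL_PLAN = """
Subnet 1 = 65.85.105.0/25 (255.255.255.128)
Subnet 2 = 65.85.105.128/27 (255.255.255.224)
Subnet 3 = 65.85.105.160/27 (255.255.255.224)
Subnet 4 = 65.85.105.192/27 (255.255.255.224)
Subnet 5 = 65.85.105.224/27 (255.255.255.224)
"""

# Sarah's original plan, as posted (network address plus dotted mask).
SARAH_PLAN = """
1=65.85.105.0 255.255.255.128
2=65.85.105.0 255.255.255.192
3=65.85.105.64 255.255.255.192
4=65.85.105.128 255.255.255.192
5=65.85.105.192 255.255.255.192
"""

# "<n> = <addr>[/<len>] [(]<mask>[)]" in either of the two spellings above.
PLAN_LINE = re.compile(
    r"(\d+)\s*=\s*(\d+(?:\.\d+){3})(?:/(\d+))?\s*\(?(\d+(?:\.\d+){3})?\)?"
)


def parse_plan(text):
    """Turn plan lines into IPv4Network objects.  strict=True rejects an
    address that is not the real network address for its mask, and a
    dotted mask written next to a prefix length must agree with it."""
    nets = []
    for line in text.strip().splitlines():
        m = PLAN_LINE.search(line)
        if not m:
            continue
        _, addr, prefix, mask = m.groups()
        net = ipaddress.ip_network(f"{addr}/{prefix or mask}", strict=True)
        if prefix and mask and str(net.netmask) != mask:
            raise ValueError(f"{mask} is not the mask for /{prefix}: {line!r}")
        nets.append(net)
    return nets


def overlapping_pairs(nets):
    """Every pair of subnets that share addresses; empty for a valid plan."""
    return [(a, b) for a, b in combinations(nets, 2) if a.overlaps(b)]


def allocate_vlsm(block, host_counts):
    """Carve `block` into one subnet per host count, largest first.
    Each subnet needs hosts + 2 addresses (network and broadcast) rounded
    up to a power of two; taking the largest first keeps every subnet on
    a boundary of its own size.  Returned in the order of `host_counts`."""
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    result = {}
    for i in sorted(range(len(host_counts)), key=lambda i: -host_counts[i]):
        prefix = 32 - math.ceil(math.log2(host_counts[i] + 2))
        size = 1 << (32 - prefix)
        cursor = -(-cursor // size) * size  # round up to a size boundary
        if cursor + size > end:
            raise ValueError(f"{block} cannot hold all of {host_counts}")
        result[i] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return [result[i] for i in range(len(host_counts))]


def host_range(net):
    """('first host', 'last host', 'broadcast') in the thread's notation."""
    net = ipaddress.ip_network(str(net))
    if net.prefixlen >= 31:  # no separate network/broadcast addresses
        return str(net[0]), str(net[-1]), None
    return (str(net.network_address + 1), str(net.broadcast_address - 1),
            str(net.broadcast_address))


def efficiency(net):
    """Usable over total addresses: a /30 loses network and broadcast
    (2 of 4, 50%); under RFC 3021 a /31 link uses both addresses (100%)."""
    net = ipaddress.ip_network(str(net))
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return usable / net.num_addresses


if __name__ == "__main__":
    plan = allocate_vlsm(BLOCK, HOST_COUNTS)
    for n in plan:
        print(n, "hosts %s-%s, broadcast %s" % host_range(n))
    print("matches Carroll's plan:", plan == parse_plan(CARROLL_PLAN))
    print("overlaps in Sarah's plan:", overlapping_pairs(parse_plan(SARAH_PLAN)))
    print("/30 vs /31 efficiency:", efficiency("10.0.0.0/30"), efficiency("10.0.0.0/31"))
```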




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27671t=27665



Re: Terminal Server with SSH - Not cheap are they? [7:27038]

2001-11-22 Thread Carroll Kong

Hey, why not look into Cyclade's Terminal Server?  It runs linux 
which means you get ssh v2, plus they say you can get the 16 port version 
for around $2200 bucks.  Compared to the $4500, seems like you are WAY 
ahead of the game.  They say they will have a web interface soon and at 
that point, you already have official support for the product, which 
greatly diminishes the learning curve of doing the initial install and 
getting the right parts.

http://www.cyclades.com/products/stdalone/ts1_2000.htm##D

 I guess you can say it is risky since no one on the list ever 
tried it.  However, in all seriousness, this is not exactly a complicated 
piece of hardware.  So how can they possibly go wrong?  They even have 
routers in their diagram!  Can't possibly be Nortel routers, they are 
almost pointless to console into.  ;)

 Anyway, just email them and tell them your woes.  At half the 
price, PLUS official support, I really think you are ahead of the 
game.  Without official support, I would call it a toss up.

At 04:59 AM 11/22/01 -0500, Gaz wrote:
Thanks for all the suggestions. Linux does seem to win for most cases.
I do have the dilemma that this a solution that may be used at many sites
and ideally needs to be a small, neat, rack mounted affair.
Once we get into the realms of buying 1U servers for the linux as well as
2511, it's getting to the point where the difference in money to step to a
2610 is not that great. Or at least probably not great enough to compensate
for the difference in neatness/engineering required to install etc

Thanks for the info everyone.

Gaz


Kent Hundley  wrote in message
news:[EMAIL PROTECTED]...
  One could install an extra ethernet nic in the linux box and then just
use
a
  cross-over cable to connect directly to the 2501.
 
  Regards,
  Kent
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Patrick Ramsey
  Sent: Wednesday, November 21, 2001 10:58 AM
  To: [EMAIL PROTECTED]
  Subject: Re: Terminal Server with SSH - Not cheap are they? [7:27038]
 
 
  seems to be the consensus...  : )
 
  Although if you telnet from the linux box then you are just as insecure
as
  you originally were...
 
  -Patrick
 
   Berry Mobley  11/21/01 01:53PM 
  Why not just build a linux box with ssh support and telnet from there to
  the term server?  Another step - but probably more secure...and a lot
  cheaper than another router.
 
  Berry
 
  At 01:04 PM 11/21/2001 -0500, you wrote:
  Hi all,
  
  I currently use a 2511 RJ Terminal Server on a site with dial up access
  through a modem. Ten pieces of Cisco equipment are then configured using
  reverse telnet to their consoles.
  Someone's thrown a spanner in the works. We now need to use something
such
  as SSH to the Terminal Server.
  The 2500 doesn't support it. The nearest I could think of was a 2610
with
  an
  NM16A (16 port Async) module. Unfortunately to run a decent version of
code
  with DES (for SSH support) this needs a DRAM and Flash upgrade.
  There isn't as far as I can find, a 16 port RJ45 Asynchronous module
  (closer
  replacement for the 2511RJ), so we need two octal cables.
  
  Total Price around #4500 as opposed to around #1800 for the 2511RJ.
  2511's always seemed a bit steep for this job, but using a 2610 for it
  seems
  to be even more so, even though the 2610 itself is only #1100. I think
all
  this still only gives me SSH version 1.
  
  Does anybody have any ideas for suitable replacements. Space is a
concern,
  but I am thinking about putting a 1U server in there to do the same job
if
  I
  can source a 16 port serial card that fits, and I'm also looking at
whether
  Shiva are still in the market. All ideas accepted gladly, but this does
  have
  to get past a security board. I don't want full solutions, just asking
for
  brief ideas.
  
  Thanks,
  
  Gaz
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27132t=27038



Re: Cisco PIX 520 [7:26898]

2001-11-22 Thread Carroll Kong

Well, you asked for a step by step link to setup a VPN on a Pix 
520.  My normal route is that, I use www.cisco.com, and look at the Pix 
documentation.  How else does anyone else do anything?  Read the 
manual.  This goes for anything, even non-Cisco stuff.

www.cisco.com
technical documents
2nd column now, 3rd row, Cisco Pix
select OS version
read docs, including the nice handy link that says site to site vpn among 
other things.

Anyway, after taking 30 seconds to figure that one out, here is the link.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/index.htm

I strongly suggest you get used to their web site.  It is daunting at first 
but is very powerful.  Definitely worth learning in the long run.

 Or, you can do it the easy way.

www.cisco.com
type in the search box
pix vpn
I see a lot of pertinent hits.

Advantage of the first technique, practice for the lab's documentation 
cd.  Advantage of the second hit, it's just outright easier, but I doubt 
there is a search engine and all of the other white papers that cisco has 
available.  Use it as a crutch, and you will be forever handicapped.

 Now, you may think Brad is being cruel, however, I think he is 
doing you a favor.  I probably did you a disservice here.  If you cannot 
figure out how to navigate the cisco web site, taking the CCIE Lab is just 
a few orders of magnitude harder.  Why?  You cannot use the documentation 
effectively at all if you cannot navigate cisco's technical documents web 
page.  Therefore you must memorize a lot more and practice a heck of a lot 
more on silly details.  I know people go on about "never use the docs, you 
will fail, you will run out of time."  Hogwash.  If it takes me 5 seconds 
to look up something on the docs, that is less info for me to memorize.  I 
guess your mileage may vary.  I know the "use aliases, or you will fail" is 
hogwash for me in particular.  I type fast and the commands are 
logical.  So, if you feel learning their web page is a hopeless endeavor, 
so why bother and just memorize and work it out the hard way, go 
ahead.  Everyone has a different way of tackling a problem.
 If you were just looking for some quick simple answers, the thing 
is, the best we can do is lead you to the general area.  I have no idea on 
what kind of VPN you want to setup, what peers you want to use, versions of 
code, etc.  So please, do a bit more work so we can get a more specific 
question, so then we can assist you better.  Otherwise, you can get a 
refund for this service.

 Anyway, Happy Thanksgiving!

At 06:19 PM 11/21/01 -0500, Inamul wrote:
Idiot...I and everyone knows cisco.com but the reason
people ask here dumb question is they want to save some time by asking
someone who already gone thru
that process and spent time researching that topic..


Brad Ellis  wrote in message
news:[EMAIL PROTECTED]...
  www.cisco.com
 
  has that information.
 
  thanks,
  -Brad Ellis
  CCIE#5796 (RS / Security)
  Network Learning Inc
  [EMAIL PROTECTED]
 
  Inamul  wrote in message
  news:[EMAIL PROTECTED]...
   Does anyone have step by step link to setup VPN on PIX 520
   running code 5.2 ?
   thanks
  
   Inamul
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27113t=26898



Re: Terminal Server with SSH - Not cheap are they? [7:27038]

2001-11-21 Thread Carroll Kong

Although this would be considered high maintenance, you could 
think about a FreeBSD box with a Cyclades serial card.  (you can get enough 
to handle A LOT more than 16 serial ports if you need it)  You could get 
the BSD box in a 1U format.  It supports ssh and telnet.  The problem here 
is you would have to jimmy up your own cables.  (just know the pinouts from 
the serial port to the console)  The cyclades has some RJ45 outputs you 
could use, but you would need the right pin outs.  Then you can use cu to 
console into any box.

At 01:04 PM 11/21/01 -0500, Gaz wrote:
Hi all,

I currently use a 2511 RJ Terminal Server on a site with dial up access
through a modem. Ten pieces of Cisco equipment are then configured using
reverse telnet to their consoles.
Someone's thrown a spanner in the works. We now need to use something such
as SSH to the Terminal Server.
The 2500 doesn't support it. The nearest I could think of was a 2610 with an
NM16A (16 port Async) module. Unfortunately to run a decent version of code
with DES (for SSH support) this needs a DRAM and Flash upgrade.
There isn't as far as I can find, a 16 port RJ45 Asynchronous module (closer
replacement for the 2511RJ), so we need two octal cables.

Total Price around #4500 as opposed to around #1800 for the 2511RJ.
2511's always seemed a bit steep for this job, but using a 2610 for it seems
to be even more so, even though the 2610 itself is only #1100. I think all
this still only gives me SSH version 1.

Does anybody have any ideas for suitable replacements? Space is a concern,
but I am thinking about putting a 1U server in there to do the same job if I
can source a 16 port serial card that fits, and I'm also looking at whether
Shiva are still in the market. All ideas accepted gladly, but this does have
to get past a security board. I don't want full solutions, just asking for
brief ideas.

Thanks,

Gaz
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27043t=27038



Re: Terminal Server with SSH - Not cheap are they? [7:27038]

2001-11-21 Thread Carroll Kong

High maintenance as in, there is a hdd, if it fails it is a pain 
in the butt to get your colocation guy to pull it out.  Or have fun flying 
down there.  It will cost money to do that, plus hdds will more likely fail 
than say a flash card.  You COULD run FreeBSD on a flash card, but 
ultimately, doing all of this, configuring the system so it can handle a 
cyclades serial card, is a lot of work especially for people new to 
unix.  I do not even want to get started on updating the software and what 
not.  Not a problem for a unix administrator, but I get a feeling (sadly) 
there are very few good multi-classed hybrids who know unix and 
cisco.  This is why people buy precanned solutions.  So this is why I call 
it high maintenance.  There is also a high foot print (learning curve) to 
get it started compared to the Cisco product which he already knows how to 
use fluently.
 Cyclades sells serial cards AND terminal servers.  He might be 
able to just buy one of their terminal servers for about $2200 each.  I 
never used them though.  The serial cards he needs is maybe (with the 16 
port box) about $800.  Add that to a rackmount 1U PC using cheap parts for 
about $600, he is only at $1400 with a flexible box.  Add the cost factor 
of setting it up, that is going to vary per builder's skill level in Unix 
and building PCs.  Pricing is all relative.
 Well, depending on how much you trust your switch and if you can 
prevent arp spoofing, telnet to a Cisco 2511RJ on the same switch might 
NOT be so bad.  Then we are talking about maybe $500-600 (checkout dell's 
1U racks).

seems to be the consensus...  : )

Although if you telnet from the linux box then you are just as insecure as
you originally were...

-Patrick

  Berry Mobley  11/21/01 01:53PM 
Why not just build a linux box with ssh support and telnet from there to
the term server?  Another step - but probably more secure...and a lot
cheaper than another router.

Berry

At 01:42 PM 11/21/01 -0500, Patrick Ramsey wrote:
It's not THAT high maintenance... I mean...how often have you rebooted any 
linux/bsd box?  : )

But cyclades are not cheap!  : (

  Carroll Kong  11/21/01 01:28PM 
Although this would be considered high maintenance, you could
think about a FreeBSD box with a Cyclades serial card.  (you can get enough
to handle A LOT more than 16 serial ports if you need it)  You could get
the BSD box in a 1U format.  It supports ssh and telnet.  The problem here
is you would have to jimmy up your own cables.  (just know the pinouts from
the serial port to the console)  The cyclades has some RJ45 outputs you
could use, but you would need the right pin outs.  Then you can use cu to
console into any box.

At 01:04 PM 11/21/01 -0500, Gaz wrote:
 Hi all,
 
 I currently use a 2511 RJ Terminal Server on a site with dial up access
 through a modem. Ten pieces of Cisco equipment are then configured using
 reverse telnet to their consoles.
 Someone's thrown a spanner in the works. We now need to use something such
 as SSH to the Terminal Server.
 The 2500 doesn't support it. The nearest I could think of was a 2610 with
an
 NM16A (16 port Async) module. Unfortunately to run a decent version of
code
 with DES (for SSH support) this needs a DRAM and Flash upgrade.
 There isn't as far as I can find, a 16 port RJ45 Asynchronous module
(closer
 replacement for the 2511RJ), so we need two octal cables.
 
 Total Price around #4500 as opposed to around #1800 for the 2511RJ.
 2511's always seemed a bit steep for this job, but using a 2610 for it
seems
 to be even more so, even though the 2610 itself is only #1100. I think all
 this still only gives me SSH version 1.
 
 Does anybody have any ideas for suitable replacements? Space is a concern,
 but I am thinking about putting a 1U server in there to do the same job
if I
 can source a 16 port serial card that fits, and I'm also looking at
whether
 Shiva are still in the market. All ideas accepted gladly, but this does
have
 to get past a security board. I don't want full solutions, just asking for
 brief ideas.
 
 Thanks,
 
 Gaz
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27058t=27038



Re: Pix question [7:26832]

2001-11-20 Thread Carroll Kong

At 08:24 AM 11/20/01 -0500, Ramesh c wrote:
1) I got a pix in test(all internal) environment (configured as
outside,inside and DMZ).Do I need to use NAT to connect to the outside
segment from inside  or vice versa.Since Pix can act as a router ,will
enabling routing solve this purpose without use of NAT.Applying access list
later  for security.

2)I want to open all the ports of TCP connection for a particular host.How
do I go about?


cheers
Ramesh
No, you do not.  If you want to do a No Nat configuration, make an acl for 
no nat (using id 0) for the ips you do not want to translate.  Of course, 
this is only sensible if you have registered ips on the inside.  If not, 
you really should use NAT.

The pix is generally a horrible router, it only supports rip.  A 
router in the most generic sense of a multihomed host that can move from 
interface a to interface b is barely a router.  Heck, Windows NT can do 
that.  (shudder)

You have not defined what security policy you want.  access-lists for 
what?  Inbound or outbound?  If you use PAT (which is really a misnamed 
ciscoism), you have some light level of security for inbound 
connection.  By default, no one can hit your inside from the outside unless 
you have statics + access lists.  If you use static NATs, you WILL open a 
security hole for sure unless you got ACLs blocking on the outside 
interface.  Remember, the inflexible Cisco pix can only do inbound ACLs to 
any interface.  (However, you can still simulate the inbound outbound 
security policy by putting it on the other interfaces).

You have not mentioned inbound or outbound.  If you mean inbound, use a 
static (from the outside to the inside) and write an acl that allows him 
access through.

I know you said this is a test environment.  However, I think you should 
review some of the pix's basic configurations on Cisco's web site to get a 
better understanding and should definitely get a consultant to review your 
final configuration before deployment.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26839t=26832
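As an added example (not part of the thread, and not anyone's production config), here is what the pieces Carroll lists look like in PIX 6.x syntax: PAT for private inside addresses, a nat 0 exemption driven by an access-list, a static with an inbound access-list on the outside interface, and an inbound list on the inside interface standing in for the outbound policy the PIX cannot express directly. All addresses are constructed (RFC 5737 documentation ranges and RFC 1918 space), and the access-list names are made up for the example.

```cisco
! Added example, not from the thread. Addresses are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! Registered block (stand-in: 198.51.100.0/24) routed behind the inside LAN
route inside 198.51.100.0 255.255.255.0 10.1.1.254 1
!
! 1) Ordinary case: private addresses inside, PAT everything to the outside
!    interface address. No inbound translation exists for these hosts, so
!    nothing from the outside can initiate a connection to them.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! 2) "No NAT" case: the registered block must pass untranslated. nat id 0
!    with an access-list exempts exactly the traffic the list matches.
access-list nonat permit ip 198.51.100.0 255.255.255.0 any
nat (inside) 0 access-list nonat
!
! 3) Inbound access to one host (Ramesh's question 2, all TCP ports): the
!    static publishes the host under a global address; the access-list
!    applied inbound on outside is what actually admits traffic, so whatever
!    it permits is exactly what the static exposes. Review it line by line.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10
access-group outside_in in interface outside
! Every access-list ends with an implicit deny: UDP, ICMP and all other
! hosts are dropped at the outside interface.
!
! 4) PIX access-lists are applied inbound on an interface only. To restrict
!    what the inside may send out, filter inbound on the inside interface.
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_out permit udp 10.1.1.0 255.255.255.0 any eq domain
access-group inside_out in interface inside
```

The inside_out list is the "simulate the outbound policy on the other interface" trick from the post: because the implicit deny closes it, anything not listed (for example a host trying to telnet out) is dropped before it ever reaches the outside interface.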



Re: ZONE Tests vs Boson Tests [7:26639]

2001-11-20 Thread Carroll Kong

I am digressing a bit, and want to concentrate specifically on 
raw memorization vs understanding.
 I am a big fan of theory for a few reasons.  I mean REALLY 
understanding theory, not just saying yeah I get the theory, but I do not 
understand it.  No.  If you understand the theory, you understand it, 
period.  If you cannot explain something to someone, you do NOT know that 
something.  Period.  Implementation details aside.

 Although both ways can be used to conquer any test, be it raw 
memorization or knowing the theory well and having some cached info in your 
head, ultimately, I think you are doing yourself a disservice by failing to 
understand the theory.

1)  For someone who just memorizes and memorizes answers, when new 
technology comes out, they are baffled at first, and take a long time to 
relearn.

2)  For someone who knows the theory, when new technology comes out, it 
is trivial to apply the theory to most new technologies and easily 
understand it.

 While this is a bit drastic, simply because many people begin to 
learn the theory as they memorize all sorts of information, I feel this is 
closer to the truth than most people realize.  Some people just outright 
never learn it.

 As for the 3x3 bit, that is just embedding cached knowledge in 
someone's head.  No different than someone eventually memorizing the 
decimal - binary conversions.  The difference is, the man who knows the 
theory will be able to derive back the answer should he forget.  The one 
who just memorizes will forget, and fail.  3x3 is somewhat of the simple 
extreme case since it has been drilled in since day 1.
 Also, it is akin to realizing that 3x3 is merely a shortcut for 
3+3+3.  The one who just memorizes would sadly never know that.  It is also 
why you learn addition before multiplication.

 Being asked to code a tcp/ip stack for vpn and understanding the 
different phases of IKE and IPsec are a bit different.  Ultimately, you 
should only need to learn what you need to succeed in whatever job field 
you are in.  However, UNDERSTANDING it is a key issue.  Also, to design a 
protocol in itself does NOT require high math.  A protocol, by definition, 
is a language of types.  A form of communication.  You need zero math to do 
that.  As for the actual encryption ciphers and how they function, if you 
wanted to know precisely how they worked or were to design a new cipher, 
then math would enter into the fray.

 I do not blame the test.  The test has no way of discerning 
between one who truly understands and someone who memorizes.  Sure there 
are ways to draw it out a bit more (written essays, open ended answers), 
but that makes things a bit difficult to grade and handle effectively in 
large numbers.  I just worry a lot more when someone simply passes by pure 
memorization, and does not know WHY answer A is so.  Odds are that 
individual will quickly forget, and will take a long time to get back his 
knowledge.  The one who understood it will easily regain that knowledge.  I 
think HR should stop depending on the CERT as a shortcut verification 
system and just ask the senior engineers for doing their own little cross 
examination.  Of course, there could be a chicken and the egg 
syndrome.  What if you have no seniors?  ;)

At 06:11 PM 11/20/01 -0500, Michael Snyder wrote:
I disagree.

Everyone seems to think teaching to the test is a bad thing, but I think
it's a lot more fuzzy than that.

Here's an example,

If I ask you what 3x3 equals, you can answer 9 (I hope).  How do you know
that?  Did you go to college and study math theory for four years?  Do you
how many pages it takes to prove that 3x3=9?  Do you know the concepts
needed for the proof?

I'm assuming that you were learned 3x3 just like I did, with a 3rd grade
teacher going over it and over it and over it.  She was in effect, was
teaching to the test.

Let's jump forward a few years.  Lately I've been dealing with
L2TP/IPSEC/VPN. I think I understand the basic concepts these protocols
well, seeing that I use them daily, but in truth do I really?

If someone asked me to code a tcp/ip stack for vpn, I wouldn't have a clue
where to start.  I think it would take me years just to start understanding
the high math needed to code a vpn protocol.

My point being that I have learned the correct answers on how to use vpn by
being told the correct answers thru self study, reading and experience.

I have in effect taught myself the correct answers to use when I see the
correct questions.  Is there a difference here other than learning that
3x3=9 and passing third grade math test?  I'm not sure there is.

I think anyway you look at it, a pass is pass.  If someone can learn to pass
the test, but can't effectively use that knowledge in the real world, maybe
we will find the fault is in the test itself.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26945t=26639

Re: Is Pix failover can be Load balancer ? [7:26673]

2001-11-19 Thread Carroll Kong

Yes, certain models have a serial fail over link.  (515?), look at 
cisco web page for more details.  If you buy another NIC, you can even have 
stateful failover.  (retains all tcp connection information to the other 
firewall).  Although, I wonder if you really need it since I did get it 
working without the extra NIC at one point.  Hmmm marketing ploy? 
Maybe.
 As for load balancing, not sure if it can do that.

At 03:39 AM 11/19/01 -0500, Sivarajan Thiruvadi wrote:
Hi Pals

I wish to know whether 2 cisco pix firewalls can be configured for
redundancy
as well as Load balancing.

In general failover means in case of active PIX fails the stand by one will
come into line.
But my customer wants FWLB (Fire wall load balancing).
If any one has idea on this please help me.

Thanks and regards
Siva
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26677t=26673
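Added example (not from the thread): a PIX 6.x active/standby failover configuration on the primary unit, with the dedicated stateful-failover interface that is the "extra NIC" mentioned above. Interface names and all addresses are constructed.

```cisco
! Added example, not from the thread. Addresses are constructed.
! Configured on the primary unit; the standby receives the configuration
! over the failover cable.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 stateful security10
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address stateful 10.255.255.1 255.255.255.0
!
! Enable failover (serial failover cable between the two units) and give the
! standby unit its own address on every interface, including the state link.
failover
failover ip address outside 203.0.113.3
failover ip address inside 10.1.1.2
failover ip address stateful 10.255.255.2
!
! Stateful failover: replicate the connection and translation tables over
! the dedicated interface so established TCP sessions survive a switchover.
! Without this line failover still works, but every open connection is lost
! when the standby takes over.
failover link stateful
!
! This is redundancy only. The standby unit passes no traffic until it
! becomes active, so it does not answer the load-balancing part of the question.
```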



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong

Implicit denies behind every access-list are inserted.  Are you 
mixing conduits and access-lists?  You really should not.  Use ALL conduits 
or ALL access-lists.  If both are used, conduits take priority and override 
your access-lists.  Access-lists are first match, conduits are any match.

At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
Does the PIX 506 require an explicit deny statement after setting up a
permit conduit or access list.

I appear to be receiving more traffic (e.g. NTP) than my conduit statements
allow.

Thanks much,
Steve
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26694t=26684
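Added example (not from the thread): the same inbound permit for a hosted web server written once as a conduit and once as an access-list, so the two styles can be told apart when auditing an inherited configuration like Steve's. Addresses are constructed.

```cisco
! Added example, not from the thread. Addresses are constructed.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Old style: conduit. Note the argument order: the global (outside-facing)
! address and port come first, the foreign source last. All conduits are
! considered together (any match permits), with an implicit deny after them.
conduit permit tcp host 203.0.113.10 eq www any
!
! New style: access-list applied with access-group. Evaluated top-down,
! first match wins, implicit deny at the end. Source first, destination last.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
! Use one style or the other on a given box, never both. When "more traffic
! than my conduits allow" is getting through, list both tables before
! changing anything:
!   show conduit
!   show access-list
!   show access-group
```

The two permit lines above express the same policy; if a configuration you inherit contains entries from both tables, the first job is to translate every conduit into an access-list line (or vice versa) so that a single table describes what is allowed in.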



Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong

I believe so.

At 10:25 AM 11/19/01 -0500, Steve Alston wrote:
Carroll,
   Thanks for the reply.  I'm using conduits now, but will switch to access
lists in the future.  (I'd like to fully understand the configuration I
inherited before I start making changes)  Are implicit denies inserted behind
each conduit as well?


Carroll Kong  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Implicit denies behind every access-list are inserted.  Are you
  mixing conduits and access-lists?  You really should not.  Use ALL
conduits
  or ALL access-lists.  If both are used, conduits take priority and
override
  your access-lists.  Access-lists are first match, conduits are any match.
 
  At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
  Does the PIX 506 require an explicit deny statement after setting up a
  permit conduit or access list.
  
  I appear to be receiving more traffic (e.g. NTP) than my conduit
statements
  allow.
  
  Thanks much,
  Steve
  -Carroll Kong
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26705t=26684



Re: Loopback and Null interfaces [7:26703]

2001-11-19 Thread Carroll Kong

At 10:44 AM 11/19/01 -0500, Mark Latis wrote:
What is the purpose of the Loopback and the Null interfaces ?
(I know that the loopback interface can be used to emulate an always-on
interface to be used for point-topoint unnumbered links )

Thanks,
Mark
Well, you got the loopback part right.  That way, if a single router has at 
least one of his WAN links up, you can still reach him by one address.  I 
suppose it is more of a slightly easier administration issue.

As for the null interface, if you put ip unreachables in it, it can be 
used for black hole routing.  This is faster than using an ACL and does 
not use cef.  (woohoo).

You will typically find routing protocols that create summary routes that 
lead to the Null0 interface.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26728t=26703
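Added example (not from the thread) of both uses of Null0 that Carroll mentions, in IOS syntax: a static black-hole route with ICMP unreachables suppressed on the interface, and the Null0 route that a manually configured EIGRP summary installs. The prefixes, the EIGRP AS number and the interface name are constructed.

```cisco
! Added example, not from the thread. Prefixes and AS number are constructed.
!
! Black-hole route: packets for 192.0.2.0/24 are discarded in the forwarding
! path. No access-list is consulted per packet.
ip route 192.0.2.0 255.255.255.0 Null0
!
! By default the router answers every discarded packet with an ICMP
! unreachable. Turn that off on Null0 so the discard costs almost nothing
! and the sender learns nothing from the router about what was dropped.
interface Null0
 no ip unreachables
!
! The other place Null0 turns up: advertising a summary on an interface makes
! EIGRP install a matching route to Null0 locally. Traffic for addresses
! inside the summary that have no more specific route is dropped here instead
! of following the default route back out, which is how routing loops between
! a summarising router and its upstream are avoided.
router eigrp 100
 network 10.0.0.0
!
interface Serial0
 ip summary-address eigrp 100 10.1.0.0 255.255.0.0
```

After this, "show ip route 10.1.0.0" on the summarising router lists the /16 as a summary pointing at Null0, which is the entry Carroll refers to.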



RE: Spanning Tree Protocol [7:26538]

2001-11-19 Thread Carroll Kong

This is a computer architecture topic and it has been a while for 
me, so please feel free to correct me.  Basically, it is how multibyte 
values are stored in a particular computer architecture.  For instance, in 
big endian, the last byte, has the most significant byte, and in little 
endian the last byte, has the least significant byte.

 Given that a byte is 8 bits.
 Given an integer 64932  (2 bytes)
 This converts to

 1101   1010 0100
in binary.

In a little endian architecture, the data would be stored like
 1101   1010 0100

 One machine would store this value from left to right and the 
other would store it from right to left.  In a big endian architecture, 
the data would be stored like

1010 0100    1101

 Needless to say, this has caused much pain in the world.  It is 
purely a big religious war as to which is better.  Also, one might 
quickly add well if this is true, wouldn't all socket programming be 
borked?!?  No.  They force you to convert back to network form vs host 
form.  I believe network form is big endian, but not that it 
matters.  Everyone converts it to this form in C (or any other language) 
before it hits the network, so there is still cross OS
compatibility.

Now, looking at 42, it seems to be this in binary

alone it is 101010, but in a byte, it would look like

0010 1010

Maybe I got something mixed up?  Maybe with a 7 bit byte then it is
010 1010

At 10:05 AM 11/19/01 -0500, Matthew Tayler wrote:
Ok dumb question of the day, what do you mean by Big Endian & Little Endian
please ?

Priscilla Oppenheimer wrote:
 
  At 10:12 PM 11/16/01, Kane, Christopher A. wrote:
  Someone was a Douglas Adams fan?
 
  Of course! Also another cool thing about 42 is that it's a
  palindrome (the
  same backwards and forwards in binary) and avoided the Little
  Endian/ Big
  Endian wars!
 
  Priscilla
 


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26704t=26538



RE: Starting CCNP [7:26734]

2001-11-19 Thread Carroll Kong

Cisco's web site is pretty good for technical 
documentation.  Although, I have never done the CCNP, I found that Doyle, 
Caslow, and Halabi are great books.  Using that and my knowledge of 
security over the years, alongside some college courses, and just reading 
good old RFCs, I was able to pass the CCIE Security Written.  Not sure if 
that is remotely comparable to the half a dozen tests you need to take the 
CCNP.  Sorry, I never use sample questions or tests, my best advice is to 
learn the general material well, and I think those few books will help out 
a bunch.
 On the side, to reach the mystical archives, just take a look at 
the footer, and click once or cut and paste, then you can see your own 
message in the archives.  Click on search and you can find further 
info.  How did you (Larry) subscribe to the list?  Did not the web page 
have an archives link?

At 01:07 PM 11/19/01 -0500, Puckette, Larry (TIFPC) wrote:
Syed, DUCK!!!  NOW!!! You are most likely going to get bombarded with emails
with abusive tones telling you to look at the archives before asking
questions. You'll notice that none of them will tell you how to get to the
archives though.

Larry Puckette
Network Analyst CCNA,MCP,LANCP
Temple Inland
[EMAIL PROTECTED]
512/434-1838

  -Original Message-
From:   Syed Raza [mailto:[EMAIL PROTECTED]]
Sent:   Monday, November 19, 2001 11:39 AM
To: [EMAIL PROTECTED]
Subject:Starting CCNP [7:26734]

Hi Guys,
I am new to this site but after taking the glance at the site. I think I
have lot of smart people to help me thru this CCNP journey. Well I wanna
know what are the best resources out there that i can use for my CCNP. Plus
if anyone of you have sample questions and practice tests that I could use
to start my process, that would be very helpful. Looking forward to see your
advice.
Thanks.
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26748t=26734



Re: The Scoop on PIX? [7:26607]

2001-11-17 Thread Carroll Kong

At 06:08 PM 11/17/01 -0500, Andrew Michael wrote:
Hi all.

   What are some of the reasons why a person would choose a PIX solution
rather than a good router with the the right IOS for security?

The Pix is a stateful firewall, Cisco routers (as far as I know, typically) 
are not.  Generally higher performance, short of using CEF and other 
possibly buggy speed optimizations.

   From what I've read on Cisco's site, there does not seem to be the huge
gap between using a router as a firewall solution vs. using a PIX, as some
people make it sound.

Cisco calls is the Adaptive Security Algorithm or something.  Basically, it 
has a stateful firewall mechanism.

   One last thing...for the life of me, I can't find what PIX stands for!
Any help appreciated!  Thanks in advance.

I believe Private Internet Exchange.
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26627t=26607



Re: Off Topic - Baystack 350T [7:26431]

2001-11-15 Thread Carroll Kong

At 09:47 PM 11/15/01 -0500, Mark Rose wrote:
I was given a Baystack 350t and I'm trying to get into it to set up the
configuration. I am using the default settings (9600,8,1,no,1,none). I am
entering ctrl+C as per documentation. I get no response. I could use
suggestions from anyone who has used this switch.

TIA
Mark
Try ctrl-d, enter, etc.  If it does not work, it might just be a bad 
one.  I did an audit with a pile of these darn bay stacks, and some of them 
would just REFUSE to work.  Of course, since we audited so many of them, 
80% of them were consoleable, the others failed.  Ah well.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26434t=26431



RE: Salary Expectations/CCNP's!!!!!!!!! [7:25805]

2001-11-12 Thread Carroll Kong

You are right, but marketing hype (misleading info).  He still 
got close, IIRC, ~a few million dollars worth in stock options.  So, he got 
a few million in stock options (the usual), and lowered his $300K salary to 
$1 dollar.  Somewhat heroic, some would not even lower a dime.  However, 
hardly what many people expect.

At 11:44 PM 11/11/01 -0500, Russ Kreigh wrote:
  And if  you are talkin of your friend with 10 years of exp. and he cant
find
  a job then I really doubt what he has been doin from last 10 years that
he
  cant find a job of course if he is looking for a salary of somethin like
John
  Chambers then he won't get that.

Actually I think I read in an article that Chambers cut his salary to $1.00
a year. I am 99% sure this was Chambers who did this, but have been known to
be wrong once in a while. ;-)
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26032t=25805



Re: ConfigMaker [7:26022]

2001-11-12 Thread Carroll Kong

At 07:43 PM 11/12/01 -0500, Larry Johnson wrote:
I have client that will not take no for answer.

He feels that the using ConfigMaker from Cisco is an absolute must to
configure his routers and switches.

I would appreciate your opinions about ConfigMaker and the Pix firewall
graphic configuration utility that Cisco has also.

Thank you in advance for your thoughts.

LJ
I put these tools as enabling devices.  Cisco wants to bridge the gap 
between laymen and cisco qualified individuals, ConfigMaker and the Pix 
configuration utility does this.  While it does help a neophyte do a 
similar amount of work as a skilled worker to some degree, it quickly 
levels off.

Weird issues and bugs and more complicated configurations can always be 
done by a trained individual.  I am sure many others on this list will 
attest, they have setup rock solid configurations without the need for 
these tools.  Many of the professional cisco qualified individuals can work 
much faster than the ConfigMaker or Pix GUI.

I am not going to say these tools are the work of the Devil!  However, to 
add some negative points to them.  The Cisco Pix GUI might be opening up a 
possible security hole despite the little ACLs it can have.  Convenience at 
the price of security.  ConfigMaker can work directly or indirectly so that 
is ok I suppose.  Take a look at the list of HTTP configuration tools for 
the routers and switches.  Easy to use.  Also, they have a nasty history of 
security holes.  Inside network only?  Heh.  Most hacks happen from the
inside.

So, while the tools are ok.  The only ones who say it is an absolute 
must tend to be inexperienced individuals in terms of Cisco 
hardware/software configuration.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26044t=26022
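Added example (not from the thread): the IOS and PIX settings behind the web-based configuration tools Carroll mentions, shown disabled, and, where a GUI has to stay, restricted to a management subnet with its own login. The subnet, username and ACL number are constructed.

```cisco
! Added example, not from the thread. Management subnet 10.1.1.0/24 is constructed.
!
! Option A (IOS): no HTTP configuration interface at all. Nothing to patch,
! nothing for an inside host to probe.
no ip http server
!
! Option B (IOS): the GUI is required. Limit the clients that can reach it
! and authenticate against local accounts rather than the enable password.
! Inside-only is no excuse: most of the inside network is not the NOC.
ip http server
ip http access-class 10
ip http authentication local
access-list 10 permit 10.1.1.0 0.0.0.255
username netops privilege 15 secret <password-placeholder>
!
! PIX equivalent: the web configuration utility listens only when enabled,
! and only for the hosts named on the http command.
! Option A:  no http server enable
! Option B:  http server enable
!            http 10.1.1.0 255.255.255.0 inside
```

Pick one option per device; the two are written out together only to show the contrast. Whichever is chosen, the access-list is what turns "anyone on the inside" into "the few hosts that administer the box".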



Re: Two default routes on the same router [7:25750]

2001-11-10 Thread Carroll Kong

So you have a router with two WAN links and two LAN links, and you 
want to make sure LAN A goes to WAN A, and LAN B goes to WAN B?  Use policy 
routing, AKA route-maps that use an ACL that matches off the source of LAN 
A, and set the next hop to WAN A; do the same for the other network, or 
just have the default go to the other one.
 As for what would happen with two gateways, probably per 
destination load balancing since they would have the same metric.

At 12:35 PM 11/10/01 -0500, McHugh Randy wrote:
Does anyone know if you can have two completely different default routes
on the same router in two totally different subnets pointing to two totally
different gateways?
For instance
ip route 0.0.0.0 0.0.0.0 25.13.240.1

ip route 0.0.0.0 0.0.0.0 65.11.213.1

Will the router parse each one separately or will neither one of them work?
This is on a 2514 .

Thanks
Randy
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25763t=25750
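The two behaviours in the reply (both identical defaults get installed and the router shares load per destination; a route-map keyed on the source LAN overrides that) can be modelled in a few lines. This is an added example, not code from the post and not how IOS is implemented: the gateways are the two from the question, while the LAN prefixes, the policy table and the CRC used to pick a hop are assumptions made for illustration. Only the property that one destination always takes the same hop is reproduced.

```python
"""Model two equal-cost default routes versus source-based policy routing.

Added example; not code from the post and not IOS's own algorithm. The
gateways are the two from the question; LAN prefixes, policy table and the
hash used to choose between equal-cost hops are assumptions.
"""
import ipaddress
import zlib
from typing import List, Optional

GATEWAY_A = "25.13.240.1"
GATEWAY_B = "65.11.213.1"

# The two statics from the question: same prefix, same administrative
# distance, so the router keeps both and both are candidates.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), GATEWAY_A),
    (ipaddress.ip_network("0.0.0.0/0"), GATEWAY_B),
]

# The route-map answer: an ACL that matches the *source* LAN, then
# "set ip next-hop".  LAN prefixes are assumed.
POLICY = [
    (ipaddress.ip_network("192.168.1.0/24"), GATEWAY_A),  # LAN A -> WAN A
    (ipaddress.ip_network("192.168.2.0/24"), GATEWAY_B),  # LAN B -> WAN B
]


def equal_cost_hops(dst: str) -> List[str]:
    """Next hops of the longest-prefix matches for dst (the equal-cost set)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if addr in net]
    if not matches:
        return []
    longest = max(net.prefixlen for net, _ in matches)
    return [hop for net, hop in matches if net.prefixlen == longest]


def destination_route(dst: str) -> Optional[str]:
    """Per-destination load sharing: hash dst over the equal-cost set,
    so a given destination is always sent to the same gateway."""
    hops = equal_cost_hops(dst)
    if not hops:
        return None
    return hops[zlib.crc32(dst.encode()) % len(hops)]


def policy_route(src: str, dst: str) -> Optional[str]:
    """Policy routing is consulted first; unmatched sources fall through
    to the ordinary destination-based lookup."""
    addr = ipaddress.ip_address(src)
    for net, hop in POLICY:
        if addr in net:
            return hop
    return destination_route(dst)


if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.2.10", "10.9.9.9"):
        print(src, "->", policy_route(src, "198.51.100.7"))
```

Whether a real router alternates per packet or per destination depends on the switching path in use, so the hash here only stands in for the "same destination, same hop" case the reply describes.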



Re: 2500 IOS TFTP Problem - For a change! (sarc) [7:25144]

2001-11-02 Thread Carroll Kong

Wow, I thought I was the only one with that problem.  I had 
similar issues with putting a 12.1 image on a 2500.  It rebooted quite a 
few times with checksum errors.

At 07:55 PM 11/2/01 -0500, Gareth Hinton wrote:
Hi all,

This is not a major problem as I am just playing, but having a nightmare
trying to get 2500 image on. I had the same nightmare last time with 12.1.
It went on eventually, for no reason whatsoever, by just repeating the
process.

I seem to remember that there may be a way to make the router ignore the
checksum. Anybody know if I've dreamt this up or whether there is actually a
method?

Cheers,

Gareth

!
[OK - 15445320/16777216 bytes]

Verifying checksum...  invalid (expected 0x73BD, computed 0xE283)
Flash copy took 0:08:26 [hh:mm:ss]
A(boot)#reload

snip..


System flash directory:
File  Length   Name/status
   1   15445320  122.bin  [invalid checksum]
[15445384 bytes used, 1331832 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25147t=25144



RE: How to find serial number of router? [7:24760]

2001-11-01 Thread Carroll Kong

I think you are right.  After I posted my message, I tried to hand 
verify it, but, I honestly do not know which is the serial number.  There 
are so many stickers, tags and numbers!  On top of that, I NEVER found the 
same serial number on the chassis as the motherboard part even after 
looking through all of those tags.  I think you are right and that the 
serial number is JUST for the internal parts.  The serial number needed for 
service is probably the chassis serial number which of course, is not 
available inside the box or so it seems.

At 09:16 AM 11/1/01 -0500, R. Benjamin Kessler wrote:
Are you sure that it is reporting the same serial # that is on the chassis?
In my experience, the only way I could get the serial number remotely is by
entering the snmp-server chassis-id command into the config manually.

I just double-checked on a 3600, 7200 and 7500 (running various 12.x code)
and the serial number I get with show diag or show version aren't the same
as the one I entered manually (based-on physical verification).

Note:  I also did this on my IOS-based switches (cat3500's) even though the
show version command will give you this info - System serial number: x

Bottom-line is that when you open a case w/TAC and they ask for a serial
number of the system, they're interested in the one on the chassis not some
internal component.

Just my $0.02

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Carroll Kong
Sent: Wednesday, October 31, 2001 5:42 PM
To: [EMAIL PROTECTED]
Subject: Re: How to find serial number of router? [7:24760]


Wow, excellent tip!  However, this does not seem to work on the
2500s series.  (using 12.1(11) with a 2514).  It does work on my
2610.  (using 12.1(11)).

At 02:44 AM 10/31/01 -0800, Budi Widjojo wrote:
 you can use
 show diag command.
 
 or as you said, you can use cisco resource manager
 also.
 
 cheers,
 budi
 --- IT Guy  wrote:
   Hi Guys,
  
   Can anyone here please help what are the possible
   software ways to findout
   the serial number of router without looking at the
   hardware itself??
  
   Can we findout by using any management software like
   Cisco resource manger
   or etc??
  
   Thanks for help.
  
  
 _
   Get your FREE download of MSN Explorer at
   http://explorer.msn.com/intl.asp
 [EMAIL PROTECTED]
 
 
 __
 Do You Yahoo!?
 Make a great connection at Yahoo! Personals.
 http://personals.yahoo.com


-Carroll Kong
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24942t=24760



Re: PIX 501 ios question [7:24966]

2001-11-01 Thread Carroll Kong

I do not know the answer either, and plan on picking one up to 
train with.  However, here is some info that seems to imply that it does 
use the standard Cisco Pix Command Line Interface.

http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm

 Note how it says minimum software version 6.1(1).  As for whether it will 
help you with higher level PIXes, yes it should.  However, one key feature 
that is not available on the 501 and 506 is failover.  Configuring failover 
and stateful failover is not really difficult, but it is something totally 
new if you just trained on a 501, 506, or lone 515.

At 05:26 PM 11/1/01 -0500, sam sneed wrote:
I've already read that. It didn't answer my question though.


Jonathan Hays  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  sam sneed wrote:
 
   hello ,
  
   I wanted to know if the IOS on PIX 501 is the same as the higher models.
   The product description on Cisco's site does not specify it.  I want to
   learn PIX and 501 is the cheapest, but I want to know if the commands I
   learn and the experience I gain will be good enough to set up and
   administer a higher model of PIX.  I have good firewalling experience but
   none with PIX.
   thanks
  
   sam sneed
  Here's the product data sheet.
 
  http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24999t=24966



Re: How to find serial number of router? [7:24760]

2001-10-31 Thread Carroll Kong

Wow, excellent tip!  However, this does not seem to work on the 
2500s series.  (using 12.1(11) with a 2514).  It does work on my 
2610.  (using 12.1(11)).

At 02:44 AM 10/31/01 -0800, Budi Widjojo wrote:
you can use
show diag command.

or as you said, you can use cisco resource manager
also.

cheers,
budi
--- IT Guy  wrote:
  Hi Guys,
 
  Can anyone here please help what are the possible
  software ways to findout
  the serial number of router without looking at the
  hardware itself??
 
  Can we findout by using any management software like
  Cisco resource manger
  or etc??
 
  Thanks for help.
 
 
_
  Get your FREE download of MSN Explorer at
  http://explorer.msn.com/intl.asp
[EMAIL PROTECTED]


__
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24872t=24760



Re: is it really bad market for ccie ? NO! NO! NO!!!! [7:24336]

2001-10-27 Thread Carroll Kong
there would be for a Juniper job.   I also must take issue with your
contention that the CCIE is more valuable in this economy, because the
salary numbers don't lie either.  I don't want to sound crass and venal,
but JNCIEs on average get paid more (sometimes significantly more) than a
CCIE.  For those who will say that it's not certs that count, it's
experience, OK fine - then let me revise that above sentence to say that
somebody with a certain amount of skill and experience in Juniper can most
likely expect to earn more than somebody else with an equivalent amount of
skill and experience in Cisco.  For those who still don't believe me, I say:
do the math yourself.  It's really as simple as that.


You just made a common error - you've only  looked at the demand side of the
equation, which is misleading.  Economics dictates that to measure the value
of anything, you need to be looking at both the supply and the demand. This
is why being a doctor pays better than manning a cash register, even though
the demand for cashiers is higher (how many times do you get sick vs. how
many times do you buy something in a store?)


Hey, Brad, I know how you feel, and I sympathize.  I know what you're going
through, because I've been there too.   Just maybe 6 months ago, when I
first started really hearing about how Juniper might have a better
router, and how the JNCIE program might be a better indicator of guru
status, I didn't want to believe it either.  I have to admit, I was in a
state of denial too.  But the more I checked out the facts, the more
incontrovertible they looked.  I have twisted this subject around in my head
many times over and over, and, believe me, I wanted to come up with a
reasonable scenario where Cisco wins out.  But you can only fight it for so
long.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24344t=24336



Re: is it really bad market for ccie ? NO! NO! NO!!!! [7:24336]

2001-10-27 Thread Carroll Kong
 just end up sitting at home or ending up 
getting some other job waiting for that call.

So, it looks like a mixed bag.  I agree whole heartedly that the equal 
experience, and what not, juniper guys will get more.  The hard part is 
getting the jobs now, which right now, at best, we can make educated 
guesses on the future trends.

As for my guess?  It does seem like Juniper is growing, and that getting 
the certification might be very lucrative.  I will think about it sometime 
in the future.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24355t=24336



RE: Passed CIT today!-sniffer skills [7:24131]

2001-10-25 Thread Carroll Kong

From my experience, there is nothing inherently special about 
learning how to use a sniffer in itself.  You are learning how different 
protocols work, and the sniffer just lets you see that.  Learning a sniffer 
should just mean: I know which buttons to click to get X, Y, Z kinds of 
data.  Understanding protocols means you can discern what X, Y, Z data is 
doing and what it means in the big picture.  As you can see, one should 
value the latter, but too many instantly proclaim the former is more
important.
 Not to say you are not doing that; you are doing precisely what 
you should be doing, really learning TCP/IP.  Ironically, if half the 
people who claimed "TCP/IP Knowledge" on their resume had it, you would not 
need the presupposed claim of "Experience with Sniffer Pro".  Of course, it 
does not just have to be TCP/IP, it can go down to many different layers, 
application, data link, etc.  Eh, silly HR will be silly HR.  I should 
write a web page about "How to hire the right IT people for dummies" (HR).
 As for your move to become a "jack of all trades, master of 
none": back in the day that was the coined term.  I strongly disagree with 
it, and I think people can easily dual-class themselves into excellent 
multi-versed individuals.  (Dual class is an AD&D term; you can actually 
become a jack of all trades, master of many.)  Too bad you probably will 
not get paid double, even if you really should.  :)
 As for learning packet capture analysis, pick your favorite 
protocol of the day, read RFCs on it, practice using it while sniffing 
yourself (no pun intended), and follow the packets.

At 01:03 PM 10/25/01 -0400, Buri, Heather L. wrote:
They have really been good at explaining how to analyze a packet trace.  I
already knew how to do a basic capture, but analysis was another story.  I
just thought I would mention these in case anyone else out there was in a
situation like mine.  Stuck in a job that won't pay for training, but
wanting to learn packet capture analysis.  I had not seen these particular
books mentioned previously.

Heather Buri
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24131t=24131



RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Carroll Kong

I cut a large portion of this in the previous message.  My argument 
in that is that we DO have broadcasting monsters.  It is known as Windows 
based PCs.  NetBIOS over TCP/IP, announcing wondrous information and trying 
to get information so they can perform their wonderful elections and create 
master browsers.  Trying to resolve NetBIOS names so they can find their 
friendly PDC or BDC of the day.  Or how about WINS and its excellent 
method of discerning which names go where.  All automagic at the 
cost of the network.  While what you speak is true, and in a network bereft 
of windows mongers, I would agree, I think that in a modern system you can 
still run into issues.  According to your logic, it seems like you would be 
ok with forging a 10.0.0.0/16 network and chaining along switches instead 
of breaking them into subnets along with their accused VLANs.  I suppose 
with enough good 10/100 Switches you are ok.  This might be problematic on 
a 10BaseT network as the broadcasts snowball into huge gobs of bandwidth 
draining gunk.  (I guess this rolls into the non-modern network though)  I 
have a client who used some 10 base hubs too, and just band-aided it with a 
few switches here and there.
 NetBIOS over TCP/IP sends broadcasts quite frequently.  I almost 
dare say within a minute.  CPUs can vary, and there is always the aging 486 
on the fringe.
 I guess ultimately on a solid 10/100Base Switched network you do 
pose a good point.  However, do you think that a nasty 10.0.0.0/16 network 
might be going a bit too far even with the latest technology?  In that 
case, we can argue, who really needs routing protocols internally?  Just 
slap up the good old super flat network and have a default gateway and 
rarely call in the big dogs to make changes.  Just throw a few statics to 
the few other super flat networks and we got an enterprise solution.  :)
 Not trying to pick a bone with you.  I agree with you, but I am 
curious where do you feel is the threshold?  You say until it breaks, but I 
want to deploy a better solution before we get to that.

At 07:52 PM 10/24/01 -0400, Chuck Larrieu wrote:
hooray for you, PO! you are absolutely correct.

In military science, it is well known that military establishments enter any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, October 24, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]


The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
The Cisco switch port could be associated with two VLANs that way. You
didn't say which switch you have, and this feature may not be available on
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does
802.1Q or ISL, another somewhat radical fix to the problem might be to not
use VLANs. My philosophy is that once VLANs get to the point of causing
more problems than they fix, I eliminate them. ;-)

One of the main things VLANs were supposed to fix was excessive broadcasts
causing too many CPU interruptions on numerous workstations in a large,
flat, switched network.

Lately I have taken to making the controversial statement that this problem
doesn't exist on many modern networks. These days workstations have
amazingly fast CPUs. They are not bogged down by processing broadcasts.
Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
what is still sending broadcasts? An ARP here or there is not a big
problem. And ARPs don't actually happen that often. A PC keeps the
data-link-layer address of its default gateway and other communication
partners for a long time.

Also, a lot of PC NICs used to be stupid about multicasts and interrupt the
CPU for irrelevant multicasts for which the PC was not registered to
listen. I bet that bug has been fixed by now.

VLANs have other benefits (security, dividing up management and
administrative domains, etc.) But if broadcasts are the issue, one should
ask:

Which protocols send broadcasts and how often?
How fast are the CPUs?

And that is my latest harangue against my least favorite LAN technology
(VLANs!)

Priscilla

___

Priscilla Oppenheimer
http://www.priscilla.com
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24061t=23950



RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Carroll Kong

At 08:32 PM 10/24/01 -0700, Chuck Larrieu wrote:
interesting points, and well taken.

if one takes VLANs to be synonymous with subnets then sure.

your 10.0.0.0/16 thought reminds me of the good old days when the Xylan
marketing team was out hawking their flatten the network religion. In this
respect I am a traditionalist - route where you can, and bridge where you
must.

yeah, I keep forgetting that Windows does some broadcasting, but recall that
I come out of the brokerage industry, where broadcast was a necessity. How
else would quote machines work? Upwards of 80-90% of our LAN traffic during
market hours was broadcast. So how much broadcast traffic can a couple
hundred windoze boxes really create, and just how badly does that really
affect network performance? Particularly if you are running a fully switched
environment, or even in a hubbed environment, assuming 12-24 port hubs? When
I was young and foolish, I ran my network on daisy chained 48 port hubs, and
I think I got up to around 125 stations and printers before I regretted my
foolishness. This was in that selfsame brokerage firm, with the outrageous
broadcast traffic. I know a Major Bank where they at one time ran segments
of 700-100 end stations. And survived to a certain degree. ( although they
were the masters of broadcast control :- )

As I said, your points are well taken. the application drives most things,
but the architecture surely drives others.

thanks.

Chuck

Well, I admit, my response was a bit clouded by the fact that one of our 
clients recently requested a redesign of their flat beyond flat 
network.  Call it justification!  They are using, UGH, 10BaseT Hubs with 
some nasTY (with an intentional capital T and Y) daisy chaining hub 
action, which REALLY exacerbated performance loss.  Not to mention it's 
all Bay GEAR!  Evil!  :)  Admittedly, that IS changing the premise of 
Priscilla's original statement.  The network I am working on is HARDLY the 
epitome of the modern day model system Priscilla described.  I am guessing 
with solid switches across the board, it might very well be pretty darn 
good in terms of performance.  I was just curious where the new practical 
bar was raised to.

If the situation is with 10BaseT hubs, I would not be surprised if 
performance is really becoming an issue where broadcasts become a 
percentage of your daily bandwidth.  Broadcasts are probably far more 
frequent there, given that even unicast packets are broadcast on the wondrous 
layer 1 repeater technology known as hubs.  With all switches, I am not too 
sure I can say clearly otherwise, but I was just wondering how far the 
practical limit is in today's modern systems?  On top of that, yes, all in 
moderation.  If we take either approach to the extreme, we clearly see 
significant flaws.  No one wants to run subnets of 2 usable hosts each for 
their entire network and smash their Catalyst 6509 with routing modules to 
oblivion.  No one wants to run the 30,000 flat network from HecK.  (Ok, 
maybe some people do...)  Look Ma, no routers!

On the side, have you noticed your statement implies that some would run 
multiple VLANs with a single subnet?   I guess you would depend on having 
at least one port on both VLANs to get interconnectivity?  Would that be 
like bridging?  (unifying two layer 2 networks).

Her statements on the windows protocol seem correct.  Ugh, I got to whip 
out the old sniffer again.  Or read up again.  I could have sworn I STILL 
saw a multitude of crap flying every second on my old college network even 
after we went to a switch.  I should try again since her points seem quite 
valid.

Hm.  Although broadcasting was necessary, in the more extreme case, does it 
make sense for a quote server to broadcast to another quote server?  There 
is a small subsegment of don't cares for the quotes, it seems like 
multicast is more ideal, but probably not necessary.  No matter, I am sure 
the demigods of broadcast control had a working solution.  :)


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24080t=23950



Re: Problem with Etherchannel [7:23692]

2001-10-21 Thread Carroll Kong

You cannot do both as desirable.  One must be desirable and the 
other auto.  Or you can try forcing the modes to on and on.  That might 
fix it!

At 12:57 PM 10/21/01 -0400, Brad Moss wrote:
I am trying to connect two cat5500s and am unable to get port channel to
come online.  I have configured both sides; below is the config of the ports.
Any help would be greatly appreciated. These are production switches; the
only thing I have not done is reboot them.  For some reason they are not
recognizing that they are connected to the same switch on the other end of
either link. I am unaware of any special things that must happen for port
channeling; both blades support it.


Set po channel 8/3-4 mode desirable
Set trunk 8/3 isl on
Set trunk 8/4 isl on

Set po channel 1/1-2 desirable
Set trunk 1/1 isl on
Set trunk 1/2  isl on

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  8/3 connected  trunk  normal   full   100
100BaseFX
MM

Port  Status Channel  Admin Ch
  Mode Group Id
- --  - -
  8/3  connected  desirable non-silent   157 0

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  8/4 connected  trunk  normal   full   100
100BaseFX
MM
Port  Status Channel  Admin Ch
  Mode Group Id
- --  - -
  8/4  connected  desirable non-silent   157 0

SJMDFSW01 (enable) sho po channel
No ports channeling

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  1/1  Uplink SJMDFSW01   connected  trunk  normal   full   100
100BaseFX
MM

Port  Status Channel   Channel Neighbor  Neighbor
 mode  status  device   
port
- -- - --- - --
  1/1  connected  desirable not channel

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  1/2  Uplink SJMDFSW01   connected  trunk  normal   full   100
100BaseFX
MM

Port  Status Channel   Channel Neighbor  Neighbor
  mode  status  device
port
- -- - --- - --
  1/2  connected  desirable not channel

SJDCSW02 (enable) sho po channel
No ports channelling


Brad Moss,  CCNA
Network Administrator
CHRISTUS St. Joseph's Medical Center - South
www.christushealth.org
(903) 737-3160
[EMAIL PROTECTED]
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23693t=23692



Re: Problem with Etherchannel [7:23692]

2001-10-21 Thread Carroll Kong

Yeah, sorry for the misinformation before.  Here is a good way 
to remember the modes.  For the most part, PAgP is either auto or 
desirable.  Or you can just turn the pesky thing on or 
off (non-PAgP).  Of course it will only work if you are both on if you 
choose the non-PAgP mode.  As for knowing the right compatibility, remember 
that desirable people are also aggressive.  :)  Two aggressive people can 
communicate.  Auto is passive.  Two passive people cannot communicate.  One 
aggressive and one passive can communicate as well.  Just think of an 
aggressive desirable as those players (male or female).  Those nice guys 
and girls who are passive just never get with anyone.  :)  Sorry, I just 
immediately jumped the gun and assumed you chose the two passive case 
without really reading carefully and remembering my own rules.  :(  Very 
bad form, I do not blame anyone for not believing me after such a blunder.

 You cannot do both as desirable.  One must be desirable and the 
other auto.  Or you can try forcing the modes to on and on.  That might 
fix it!

At 12:57 PM 10/21/01 -0400, Brad Moss wrote:
I am trying to connect two cat5500s and am unable to get port channel to
come online.  I have configured both sides; below is the config of the ports.
Any help would be greatly appreciated. These are production switches; the
only thing I have not done is reboot them.  For some reason they are not
recognizing that they are connected to the same switch on the other end of
either link. I am unaware of any special things that must happen for port
channeling; both blades support it.


Set po channel 8/3-4 mode desirable
Set trunk 8/3 isl on
Set trunk 8/4 isl on

Set po channel 1/1-2 desirable
Set trunk 1/1 isl on
Set trunk 1/2  isl on

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  8/3 connected  trunk  normal   full   100
100BaseFX
MM

Port  Status Channel  Admin Ch
  Mode Group Id
- --  - -
  8/3  connected  desirable non-silent   157 0

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  8/4 connected  trunk  normal   full   100
100BaseFX
MM
Port  Status Channel  Admin Ch
  Mode Group Id
- --  - -
  8/4  connected  desirable non-silent   157 0

SJMDFSW01 (enable) sho po channel
No ports channeling

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  1/1  Uplink SJMDFSW01   connected  trunk  normal   full   100
100BaseFX
MM

Port  Status Channel   Channel Neighbor  Neighbor
 mode  status  device   
port
- -- - --- - --
  1/1  connected  desirable not channel

Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
  1/2  Uplink SJMDFSW01   connected  trunk  normal   full   100
100BaseFX
MM

Port  Status Channel   Channel Neighbor  Neighbor
  mode  status  device
port
- -- - --- - --
  1/2  connected  desirable not channel

SJDCSW02 (enable) sho po channel
No ports channelling


Brad Moss,  CCNA
Network Administrator
CHRISTUS St. Joseph's Medical Center - South
www.christushealth.org
(903) 737-3160
[EMAIL PROTECTED]
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23702t=23692



Re: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Carroll Kong

You are correct, assuming fully random values.  Let us not assume 
that 4 hours is a long time.  If they have the hash, they have all the 
time in the world and you will never know they are cracking away at 
it.  The hash MUST be and SHOULD be guarded at all costs.  This definitely 
stops the neophytes, but you really do not want the pros getting their 
hands on it.
 Each attempt varies; for MD5, john in particular runs 440 cracks 
per second on a K6-200.  This is very slow.
 As for kittens/1, no, it would not help much.  If you have ANY 
string that is within a dictionary, you just gave up that entire 
subsection.  There are a lot of clever combinations that can be used and 
done.  If you do not believe me, just take a look at some regular 
expressions that Perl programmers use.  You can catch a LOT of combinations 
and do lots of tricks.

1)  Do not use ANYTHING remotely related to you personally or in a 
dictionary for a password.
2)  Do not use clever combinations like KiTtEnS/134, it is just as easy to 
crack.
3)  Do not use password generators.  Why?  Write a program that does 
password generation.  You did it?  Great.  You did an algorithm based on 
some random seed.  Does not matter, you now have a pattern which you can 
write your hacking program to work with.  Now it will know your pattern if 
it can reverse engineer the algorithm (should not be too hard), and you can 
kiss every single password that you used with that goodbye, like in 5 
seconds each.  ;)

(if you use open source software to generate, they got the algorithm; if 
you used closed source, you can delude yourself in that security through 
obscurity works.  well, it does not).

At 03:19 PM 10/21/01 -0400, Gareth Hinton wrote:
I would imagine that if using a-z and 0 to 9, with 8 characters there would
be 8 to the power 36 combinations (I think).
Trouble is those numbers are getting too large for me to have any concept of
how long it would take to hack. We'd need to get an idea of how long each
attempt takes.

Looking back at the original password it was very similar to yours. His unix
box had been going for 4 hours when we stopped it to do those tests, so much
harder to crack. I'm going to set one off later to see how long it takes.

This is not scare mongering by the way.
To accomplish this you already need to have the MD5 hash. I think it's just
better to avoid complacency - make the passwords longer and use special
characters if possible. I didn't realise the amount of difference between
dictionary passwords and the alternative. I suppose something as simple as
kittens/1 would cut out the dictionary searches.

Gareth



Maissen Sacha  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Anh,
  Sorry for my question about your test below. This program john the
  ripper, is
  it working with dictionaries or not? Because my question is, if I use
  passwords
  like 12eldkvi, which are not in any dics, how long you need then to
  crack a
  MD5-password?
 
  Regards
  Sacha
 
  -Urspr|ngliche Nachricht-
  Von: Anh Lam [mailto:[EMAIL PROTECTED]]
  Gesendet: Sonntag, 21. Oktober 2001 20:46
  An: [EMAIL PROTECTED]
  Betreff: Re: OT: Enable secret hacking [7:23670]
 
 
  Gareth,
  I create an enable secret password on a Cisco router 2610 with the
  password as you mentioned kittens.  Remember this is an MD5 encrypted
  string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I take this
  string
  and use the program called john the ripper running on my linux box to
  crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It takes
  exactly 5 minutes to crack this password.  I would imagine for longer
  enable secret password, it takes longer but not as difficult as it
  sounds.
 
  Regards,
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23717t=23670



Re: AW: OT: Enable secret hacking [7:23670]

2001-10-21 Thread Carroll Kong

It has to do brute force strength.  Against an MD5, it does pretty 
poorly, benching about 440 Cracks per second on a K6-200 with 160 megs of 
ram.  (ram is irrelevant to be honest).  I am guessing that say a gigahertz 
processor might do a linear increase to about ~2000 Cracks per 
second.  This is pretty slow and has almost no chance to stop a good 8 
character password.

With about 92 or so character choices for a password,
8^92 == 121.416E81.  Or, a heck of a lot for a simple 8 character 
password.  Yes, with this number, it is impossible for one machine to do 
this in a life time.

 Note, few people put up good, strong passwords.  If there is any 
level of efficiency, we can cut this number down a lot.

 On the side, Microsoft's Mighty NT Lan Man DES gets hit by an 
astounding 90K cracks per second on a K6-200.  Forget that, I believe 
L0phtcrack lets you do 300-400K cracks per second on your slightly below 
average processor of today and can do them in parallel.  Maybe that is why 
Microsoft is quickly dropping their Lanman Hash as they introduce Win2k as 
the champion server OS?

 However, I wonder if one can use programs like john the ripper 
in parallel with other machines.  With a cracking Athlon box running for 
maybe $400 bucks, you can probably setup one nasty cluster to cut this down 
to size.  Although this may seem like a lot of trouble a hacker has to go 
through, it is and it is not.  If you give ANYONE an encrypted hash 
guarding something really important, you can assume it will be cracked 
within a life time and be used against you.  (Another good reason why you 
should rotate your passwords over a certain amount of time, but that of 
course has other possible problems).  Heck, it seems fairly reasonable for 
a hacker to have a small cluster of Athlon boxes.  I have quite a few PCs 
at home.

 As for practicality, one could argue most script kiddies are 
unable to fathom even what I just wrote.  However, a mere amateur or 
professional hacker could easily do this.  Be careful if you have 
sensitive information or enemies!

At 02:59 PM 10/21/01 -0400, Maissen Sacha wrote:
Anh,
Sorry for my question about your test below. This program john the
ripper, is
it working with dictionaries or not? Because my question is, if I use
passwords
like 12eldkvi, which are not in any dics, how long you need then to
crack a
MD5-password?

Regards
Sacha

-Original Message-
From: Anh Lam [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 21 October 2001 20:46
To: [EMAIL PROTECTED]
Subject: Re: OT: Enable secret hacking [7:23670]


Gareth,
I create an enable secret password on a Cisco router 2610 with the
password as you mentioned kittens.  Remember this is an MD5 encrypted
string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I take this
string
and use the program called john the ripper running on my linux box to
crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It takes
exactly 5 minutes to crack this password.  I would imagine for longer
enable secret password, it takes longer but not as difficult as it
sounds.

Regards,
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23716t=23670
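A worked calculation of the figures argued over in this thread, as an added example that is not from the thread or from john the ripper: the candidate count for a given alphabet and length, the time to exhaust it at the cracks-per-second rates quoted in the posts (440 c/s, ~2000 c/s, 90K c/s) on one machine or a small cluster, and the same arithmetic turned around to derive a minimum password length. The rates and cluster idea come from the posts; the 100-node, 10-year budget is an assumption.

```python
"""Password search-space and exhaustive-search time estimates.

Added example for the groupstudy thread above (not code from the thread or
from john the ripper): candidates = alphabet_size ** length, divided by the
cracks-per-second rates the posts quote.
"""
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int, up_to_length: bool = False) -> int:
    """Number of candidate passwords.

    For a fixed length this is alphabet_size ** length: the alphabet is the
    base and the length the exponent (36 ** 8 for [a-z0-9] and 8 characters).
    With up_to_length=True all shorter candidates are counted as well, which
    is what an exhaustive search walking lengths 1..n actually tries.
    """
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    if not up_to_length:
        return alphabet_size ** length
    return sum(alphabet_size ** n for n in range(1, length + 1))


def seconds_to_exhaust(space: int, cracks_per_second: float, machines: int = 1) -> float:
    """Worst-case time to try every candidate, assuming `machines` nodes
    split the space evenly (the small cluster the post speculates about)."""
    if cracks_per_second <= 0 or machines < 1:
        raise ValueError("need a positive rate and at least one machine")
    return space / (cracks_per_second * machines)


def expected_seconds(space: int, cracks_per_second: float, machines: int = 1) -> float:
    """Average time to hit a uniformly random password: half the worst case."""
    return seconds_to_exhaust(space, cracks_per_second, machines) / 2


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def min_length_for(alphabet_size: int, cracks_per_second: float,
                   machines: int, years: float, max_length: int = 64) -> int:
    """Smallest length whose full search (all lengths up to it) takes at least
    `years` against the given attacker: the policy-setting direction of the
    same arithmetic."""
    budget = years * SECONDS_PER_YEAR * cracks_per_second * machines  # candidates tried
    for length in range(1, max_length + 1):
        if search_space(alphabet_size, length, up_to_length=True) >= budget:
            return length
    raise ValueError("no length up to max_length is enough")


if __name__ == "__main__":
    # Rates quoted in the thread: 440 c/s against MD5 on a K6-200, an estimated
    # ~2000 c/s on a 1 GHz CPU, 90K c/s against LAN Manager hashes on the K6.
    cases = [
        ("8 x [a-z0-9] at 440 c/s", search_space(36, 8), 440, 1),
        ("8 x [a-z0-9] at 2000 c/s", search_space(36, 8), 2000, 1),
        ("8 x 92 symbols at 2000 c/s", search_space(92, 8), 2000, 1),
        ("8 x 92 symbols, 100 nodes at 2000 c/s", search_space(92, 8), 2000, 100),
        ("8 x [a-z0-9] at 90K c/s", search_space(36, 8), 90_000, 1),
    ]
    for label, space, cps, nodes in cases:
        print(f"{label:40s} {space:>22,d} candidates, worst case "
              f"{human_time(seconds_to_exhaust(space, cps, nodes))}")
    # Assumed attacker budget: 100 nodes at 2000 c/s for 10 years.
    print("minimum length to outlast that budget:",
          min_length_for(92, 2000, 100, 10), "chars from 92 symbols,",
          min_length_for(36, 2000, 100, 10), "chars from [a-z0-9]")
```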



Re: EIGRP network design [7:21019]

2001-09-25 Thread Carroll Kong

What kind of firewalls?  Pix?  If so, try RIP v2 with redistribution into 
your routers.  As for discontiguous networks, there are many ways around 
that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:
Hi everyone

I've got a project where I have to design and implement EIGRP in a small to
medium sized network of about 50 to 70 routers. One of my main problems is
what to do with routing updates at the firewalls at each site, should they
be allowed to pass through the firewall or should statics be used either
side of the firewalls. Another problem I can see is the routes on the
firewalls, is there a way to avoid having to type all those route entries in
them, the network has many discontiguous networks. And one last point is the
redistribution to the BGP routers at the edge of the network I'm after some
tips, experiences and URLs so I can read around the subject myself

Regards Pat
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21096t=21019



Re: Personal Security Recommandation - Cisco PIX or ? [7:21012]

2001-09-25 Thread Carroll Kong

At 12:07 PM 9/25/01 -0400, Ole Drews Jensen wrote:
In regards to network design in the security area, I would like to start a
discussion / get feedback from those of you who have dealt / are dealing
with this.

I know that I can most likely pull up some websites that has answers to
this, but I would like a feedback from real people that are working with
this.

I am only now in the process of finishing my last exam for the CCNP, and I
am then planning on going towards the security specialization. Therefore, my
knowledge of firewalls, vpn's, etc. are not that great.

We have at the company I work for used Check Point, but that's a very
expensive product, and needs to be relicensed over and over. We are
currently using Gauntlet, but that will be discontinued on the Windows NT
platform.

Because of this, I am now trying to get some feeling for a good solution,
and (of course) Cisco's PIX came to my mind. However, I have a couple of
questions I would like to get some feedback on, and perhaps start a short
discussion.

How is the PIX compared to other products when looking at:

1) Difficulty of administration?
2) Price?
3) Effectiveness of intruder protection?
4) Speed (slowing down the communication)?

and

5) What would you recommend?

Thank you very much for your time on this,

Ole

Pixes are probably harder to work with than the other friendlier looking 
ones.  I do not consider that a big minus though.  If you understand 
firewalling, any solution will suffice assuming basic primitives are 
available (pix included).  There is a new GUI mode available, but I dismiss 
the interface as a serious buying factor.  However, since you do not 
understand firewalls or so you say, this might be fairly hard.  In my 
viewpoint, you can make the GUI as friendly as possible, but it will not 
make you an expert.  Look at Microsoft and GUI based firewalls.  If you do 
not know what you are doing, no amount of fluff and point and click icons 
is going to make you an expert in security.

Hm.  In terms of a centralized manager, one might exist.  I never worked 
with a large enough number of pixes to need any management tools (just ssh 
in), but I think one is available.

Pricing is probably fairly competitively priced to the others.

These are not intrusion detection systems.  I would have to say, any 
firewall is going to essentially do horrible in this category.  An 
intrusion detection system is simply a glorified sniffer that matches 
against a heuristic database of alerts.  A firewall does not do this, 
especially not the Pix.  I would not buy into Cisco's IDS system either if 
you want a good intrusion detection system.  Sorry Cisco fans, I like 
their routers.  Just not their IDS.

Speed?  Excellent.  Any decent firewall has a negligible performance 
loss.  Except for maybe firewalls on Microsoft NT.  :)

I usually go with a commercial solution, but one thing that bugs me is the 
Pix has HORRIBLE logging capabilities.  I mean absolutely horrible.  I much 
prefer my open source IPFilter firewall over the pix in debugging 
rulesets.  I heard checkpoint is a bit better in logging.  I just think it 
is ludicrous that it is difficult to figure out precisely what is being 
blocked at times.

As for IDS, I prefer snort+demarc combinations.  IDS is a different 
ballgame in my opinion.  I personally would avoid any Cisco solution for 
IDS.  Their boxes are generally poor performers, and (last I checked) they 
are not going to give up full decoded packets like snort will on a BSD box.

If you are really stuck, I can do commercial support.  However, I think you 
are looking for your own answers and are a self-starter.

~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNA, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
~~~
  http://www.RouterChief.com
~~~
  NEED A JOB ???
  http://www.oledrews.com/job
~~~
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21095t=21012



Re: long wait for TELNET sessions [7:20016]

2001-09-14 Thread Carroll Kong

At 05:45 PM 9/14/01 -0400, Frank Kim wrote:
Hi folks,
Please advise me on the below:


 PC1--PIX--Router--Router--PIX--PC2

 PC1 = nt-box
 PC2 = unix box

 framerelay is connected between the two routers
 PIX codes are 5.2(6)



My problem is that when I initiate a telnet session to PC2(unix box), the
tcp session establishes right away.  But I have to wait for about 30-60
seconds to see the login screen.

What is the potential problem in this?  Is it on the pix or on the
router?  Thanks for any help.


-Frank
Your problem is most likely DNS.  Make sure PC2 can do a reverse DNS lookup 
on PC1.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20026t=20016



Re: NAT PAT Cost Latency [7:19899]

2001-09-13 Thread Carroll Kong

If you use NAT, you are generally just trying to hide ips, or trying to 
shovel many ips of one domain (in the mathematical sense) into another 
smaller domain.  If you use NAPT (or the Cisco term, PAT), you are 
multiplexing connections against ips + ports, instead of just IPs.  Of 
course then you get a many to one cardinality.  (hence the concept of ip 
sharing).  The problem with this is sometimes people need specific 
listening ports for certain applications, and this can pose serious 
problems.  So, people may run into issues with those 
applications.  Fortunately, cisco has some built in light-weight proxying 
which enables you to use quite a few features with no problems.  Most 
vendors will call this application support with NAT (which they really 
mean NAPT, or Cisco PAT).  I generally do not use Cisco's NAPT that often 
so I do not know the details of which proxies are available.

Some applications that will have issues are
-Active FTP
-Any server application which has a well-known incoming port

In terms of performance, unless you got one of those really crappy cisco 
boxes doing a bit more than their feeble processors can dig, there is 
nearly no performance loss.  Essentially, it is like a single ACL hit and 
then a translation which should be fast (hash table access probably).

Your costs will be dealing with the many to smaller many issues (when you 
run out of static NATs to do, think combo of static NAT for the important 
ips and PAT to avoid this).

Also if you choose to go purely with PAT, be aware of the issues with some 
applications that are server like in nature.

Hope this clears some stuff up.  Of course, you can always go to... heehe
www.cisco.com
or any other web site with white papers, AKA
ip masquerading for linux
ipfilter for openbsd, freebsd, netbsd, solaris, and hp-ux
ipfw for freebsd

(yeah I know you said no wise cracks, but hey, I could not resist!).

At 12:06 AM 9/14/01 -0400, Circusnuts wrote:
Has anyone come across performance specs, statistics, or costs (latency or
otherwise) for NAT & PAT services ???

Thanks
Phil

PS- no wise-acre's please, I know all about www.Cisco.com :o)
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=19908t=19899
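The many-to-one port multiplexing described above, and the inbound-server problem it creates, as an added toy model that is not Cisco's PAT implementation: the translator keeps the original source port when it is free and otherwise allocates from a pool (a simplification of what IOS does), and all addresses are constructed.

```python
"""Toy NAPT (Cisco "PAT") translator.

Added example, not IOS code: many inside (ip, port) pairs are multiplexed onto
one outside address by rewriting the source port, so the return path is found
by (protocol, outside port). It also shows the failure mode the post warns
about: an unsolicited inbound connection to an inside server matches no
table entry and is dropped unless a static mapping was configured.
All addresses below are constructed documentation-range values.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAddressTranslator:
    """One public address shared by an inside network (many-to-one)."""

    def __init__(self, outside_ip: str, pool: range = range(1024, 65536)):
        self.outside_ip = outside_ip
        self._pool = iter(pool)
        # Dynamic table, built from outbound traffic only.
        self._out = {}   # (proto, inside_ip, inside_port) -> outside_port
        self._in = {}    # (proto, outside_port) -> (inside_ip, inside_port)

    def add_static(self, proto: str, outside_port: int, inside_ip: str, inside_port: int) -> None:
        """Static PAT entry (port forward): pre-creates the inbound mapping so a
        server behind the translator can accept connections it did not start."""
        key = (proto, outside_port)
        if key in self._in:
            raise ValueError(f"{proto}/{outside_port} is already mapped")
        self._in[key] = (inside_ip, inside_port)
        self._out[(proto, inside_ip, inside_port)] = outside_port

    def _allocate_port(self, proto: str, preferred: int) -> int:
        # Keep the original source port when nobody else holds it (assumed
        # simplification of IOS behaviour); otherwise take the next free one.
        if (proto, preferred) not in self._in:
            return preferred
        for port in self._pool:
            if (proto, port) not in self._in:
                return port
        raise RuntimeError("translation pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite source ip/port and remember the mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._out:
            port = self._allocate_port(pkt.proto, pkt.src_port)
            self._out[key] = port
            self._in[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching an existing entry pass;
        anything else (a new connection to an inside server) is dropped."""
        if pkt.dst_ip != self.outside_ip:
            return None
        target = self._in.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None
        inside_ip, inside_port = target
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo():
    """Two inside hosts that pick the same source port, a reply, an inbound
    probe to port 80 before and after a static mapping is added."""
    pat = PortAddressTranslator("203.0.113.1")
    a = pat.outbound(Packet("tcp", "10.0.0.5", 40000, "198.51.100.9", 80))
    b = pat.outbound(Packet("tcp", "10.0.0.6", 40000, "198.51.100.9", 80))
    reply_to_b = pat.inbound(Packet("tcp", "198.51.100.9", 80, "203.0.113.1", b.src_port))
    probe = pat.inbound(Packet("tcp", "198.51.100.9", 55555, "203.0.113.1", 80))
    pat.add_static("tcp", 80, "10.0.0.80", 80)
    forwarded = pat.inbound(Packet("tcp", "198.51.100.9", 55555, "203.0.113.1", 80))
    return a, b, reply_to_b, probe, forwarded


if __name__ == "__main__":
    for label, pkt in zip(("a", "b", "reply_to_b", "probe", "forwarded"), demo()):
        print(f"{label:11s} {pkt}")
```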



RE: Privilege Level command driving me nuts!! [7:19158]

2001-09-09 Thread Carroll Kong

Usually, no.  The functions and system calls on a Unix machine are usually 
quite different than a Windows machine.  You would have to run the daemon 
on the Unix machine you compiled on.

Someone would have to port it over.

At 01:07 PM 9/9/01 -0400, Cisco Nuts wrote:
That's pretty cool... Free TACACS server !!!  I have configured TACACS
before and yes we did have to put a login local option should the tacacs
server fail. I was just playing around with the privilege command. Thanks
for your help.

I have a Unix box at work. Can I download the tacacs software on it,
compile it and then use it on a NT 4.0 box? Any instructions/directions
that you can provide is highly appreciated.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=19189t=19158



Re: access-list ports ( TCP /UDP) [7:17374]

2001-08-27 Thread Carroll Kong

Ok, Ednilson is correct in that the list will not help Shella solve her 
problem.  However, I would generally take what www.iana.org says as the 
standard that all should abide by.  Does that mean people will break 
it?  You betcha.  What kind of authority says that they are right?  Well, 
any good network engineer knows that RFC1918 claims a particular set of 
networks are deemed for private usage.  Guess who tries to mandate such 
RFCs in ip address allocation and port allocation, iana.

http://www.iana.org/assignments/ipv4-address-space

The list has allocated the port, UDP and TCP for it.  Yes, not every 
application uses both, but they might, and that is the point.  They do 
preallocation for a particular protocol and people stick with those 'well 
known ports' as a standard to avoid pure chaos.

In reference to Shella, the best way is unfortunately, to read the RFC for 
the protocol.  As far as I remember, DNS uses UDP almost exclusively for 
all queries, and TCP for DNS Zone Transfers.  If that does not make any 
sense to you, you really should double up on the reading on DNS.  For most 
intents and purpose, you only really need UDP to go through unless you got 
secondaries, tertiaries, quadaries (sic) sitting far and away.  This is 
assuming a well defined DNS server that follows the specs.  I am sure you 
can find deviations from the ever-so-popular microsoft DNS servers or any 
other dns server.  But hey, that's the price you pay for buying into the 
pioneers of their own standards.

At 04:39 PM 8/27/01 -0400, Ednilson Rosa wrote:
The problem with this list is that every application seem to use both UDP
and TCP, which is not always true.

Ednilson Rosa

- Original Message -
From: Brian Whalen
To:
Sent: Monday, August 27, 2001 5:03 PM
Subject: Re: access-list & ports ( TCP /UDP) [7:17374]


I use http://www.iana.org/assignments/port-numbers for finding out about
port numbers.  Re the dns topic below, udp is fine for a company that does
not have its own dns servers and only makes queries.  TCP is used for zone
transfers.  I believe that in newer versions of bind, random hi port
numbers are used.

Brian Sonic Whalen
Success = Preparation + Opportunity


On Mon, 27 Aug 2001, shella kevin wrote:

  when dealing with access-list we use both TCP & UDP. For example we use
  tcp 53 or udp 53 for domain.
 
  My Q is when & how we know when we should use UDP and when TCP .
  what is the difference .
 
 
 
  Thanks
 
  Shella K.


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17452t=17374



RE: point-to-point question? [7:17437]

2001-08-27 Thread Carroll Kong

At 05:18 PM 8/27/01 -0400, Marshal Schoener wrote:
Thanks,

It's a full T1.  There was never a problem until there was a power outage.
Ever since then, there have been strange problems trying to hit the remote
servers from the offices...
The setup is simple, being that it is HDLC and only really requires an IP
address on the interface and some routes :)
But, I'm thinking that there can be a problem on one of the WICs...
Thanks again,

Well, is it possible that you guys configured some settings, and forgot to 
write the configuration to NVRAM?  So a power outage caused you to load the 
old configuration which is now... unfit for your network settings.  When 
was the next to last reboot of the box?  Anyway, just something to think
about.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17457t=17437



Re: hyperterminal for linux [7:17115]

2001-08-24 Thread Carroll Kong

At 10:44 AM 8/24/01 -0400, Patrick Ramsey wrote:
minicom

It's probably already on your system.  Start it up and go into settings and
take out all the dial and hangup commands.

-Patrick

  george gittins  08/24/01 10:01AM 
is there a hyperterminal  version for linux?

For those who may not have installed it, you can almost always depend on
cu.

cu -l /dev/cuaa0 -s 9600

This will console into your serial device on COM1.  To exit, type in ~ 
wait . then hit enter.

The /dev/ might be different for Linux.  You would have to know the same 
information for minicom anyway (IIRC).  Very light and most likely in the 
most bare of systems as well.  (like vi).



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17145t=17115



Re: OT, was RE: Tacacs+ for home Use? and Passed CCIE written [7:14525]

2001-08-01 Thread Carroll Kong

At 03:16 PM 8/1/01 +, data com wrote:
Carroll,

I got CCNP and CCDP but I am pretty new to UNIX system.
I want to learn UNIX with a focus on the networking part for the following
reasons.
-integrate UNIX system to the internetwork
-use UNIX for device management using scripts

Now, what flavour of UNIX do you recommend to learn as a start? I suppose 
there is a flavour which contains many commands that also work on other 
systems, and also a flavour that is most commonly used.

Thank you in advance,
Marc

I suggest FreeBSD, but any Unix can be leveraged as a basic learning tool 
to learn other Unices.  If you really understand the concepts and theory of 
how unix systems are designed, you can easily adopt other unices.

The problem with the universal flavor is that all unices for the most 
part have their roots within two types of unix systems.  BSD and 
SysV.  Most commercial unices will be very SysVish.  This means their init 
scripts are usually different, and the layout is going to be different than 
a BSD like machine.  The freeware OSes tend to be very BSDish.

Unfortunately, this puts you in a bind.  There really is no one unix to 
rule them all.  :(  Even if you do pick a BSDish like userland like 
FreeBSD, some binaries are different than say Redhat Linux.  Things like 
route print would not work in FreeBSD, but netstat -rn would work in 
FreeBSD and in Solaris x86!

In BSDish (and open source) terms, Linux distributions are probably the 
most used.  However, they seem to do a lot of nasty non-standard things 
like Microsoft.  Namely, their GNU route and GNU netstat are drastically 
different.  Plus, their /bin/sh is NOT shell script but rather 
BASH!  ARGH!  I feel FreeBSD is far cleaner.

In SysV (and commercial) terms, Solaris has definitely become a king.  If 
you want to get good with SPARC hardware, buy a Sun Blade.  (not suggested 
unless you REALLY want to be a Sun head)  If you just want to learn 
Solaris, you are in luck as Solaris x86 is available for free I 
believe.  (I bought my copy for ~$80bucks?).  Solaris x86 will most 
definitely be less forgiving on the hardware support.

I feel any BSD, Linux, or Solaris are great starters.  Just pick one, and 
get really good with it.  The others will be easily acquired if you run 
into them.  Learn any of them well enough, and you can easily do the two 
things you mentioned.
-integrate UNIX system to the internetwork
-use UNIX for device management using scripts

Good luck!



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=14525t=14525



Re: OT, was RE: Tacacs+ for home Use? and Passed CCIE written [7:14428]

2001-07-31 Thread Carroll Kong

At 07:20 PM 7/31/01 -0400, Jonathan Hays wrote:
No keyboard? It depends.

While it's true that native UNIX workstations (Sun, HP, etc.) will run
headless, most
Intel x86 boxes I have encountered require you to plug in a keyboard or the
machine
won't boot, regardless of the OS installed. Or is there a way around this I
don't know
about?
---
Jonathan

Ah, good point.  Now why would it not care which OS?  The bios.  Crapola 
bios which give you very little flexibility (enter most commercial packaged 
PCs with their crap bios) have this problem.  If you get a good Asus 
Motherboard (actually a LOT of vendors give you this flexibility), their 
bios have this option called

Halt On Error:  All Error

Change it to No Errors
Your PC will easily POST without the need for a keyboard after this 
change.  For FreeBSD, you probably want to modify the kernel to always 
force on the keyboard.  You can also recompile the kernel to enable a 
serial console so it works like the bad-boy Unix Workstations.  (need a 
null serial modem cable and you are ready to rock and console  :)  )

Reason why you want FreeBSD to always force on the keyboard.  If you do 
not plug in the keyboard, let the box boot, and then plug the keyboard back 
in, you cannot type anything in.  With always force on, it will work 
afterwards.  Of course, this is only the case if you really messed up the 
box (kernel panic, ip misconfiguration, firewall rules that kick you off) 
and your boss forgot to buy that access console server.

Linux also has a serial console capability IIRC.  If anyone here learns 
basic FreeBSD on their own and needs help for doing some of these more 
advanced features, I will easily lend a hand.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=14428t=14428



Re: Tacacs+ for home Use? and Passed CCIE written today [7:14288]

2001-07-30 Thread Carroll Kong

At 06:40 PM 7/30/01 -0400, [EMAIL PROTECTED] (Timothy Ouellette) wrote:
Hello all. I just passed my CCIE today (very happy).  It was not as
difficult as I expected (possibly over studied for it, if that's
possible).  Anyways, I am about to embark on the long journey to
complete the CCIE by taking the lab. I have my own home lab and I was
wondering if there is a free version of Tacacs+ out there?  I know
cisco has a Unix version they supply but I don't run Unix here at home
(win2k for my lab) and I was wondering if anyone could help. Thanks
for your time!

Tim

Congratulations on passing the CCIE Written!

I guess you might be out of luck.  Here are some of your options

a)  continue searching for a free version of TACACS+ for Windows.
b)  Buy Cisco Secure ACS.
c)  Get an old machine and install Linux, Solaris x86, FreeBSD, NetBSD, or 
OpenBSD and grab tacacs+ from
http://www.gazi.edu.tr/tacacs/
d)  Port the code yourself from Unix to Windows.

Obviously there is a certain time cost inherent to the last three 
options.  You should certainly weigh out the costs, as ALL of the options 
have an inherent cost to it, even a).  Personally, I think learning Unix is 
not so bad (maybe I am biased after all of these years) and may only take 
perhaps a week of your time (if you are a fast learner, one day) if you 
want to just get TACACS+ on it.  You can consider multi-booting, but then 
you will have to take out more time to make sure you do not fry your 
machine.  I hope you do know a lot about partitioning on x86 
hardware.  :)  It honestly is not that bad, win2k's bootloader is quite 
friendly with booting the unices.  On the side, I do not think TACACS+ is a 
requirement for the lab.  Not that it is a good reason to not learn 
TACACS+.  Every CCIE should learn that eventually, on at least one platform.

If you install FreeBSD, you may run into issues compiling the code, I 
patched it so it can work on it.  (not as hard as it sounds, only a small 
line change).  If you choose that route, I can help you patch the code so 
it will compile on FreeBSD.  Good luck!


-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=14288t=14288



Re: what's wrong with CCIE today? [7:13151]

2001-07-20 Thread Carroll Kong

At 07:14 PM 7/20/01 -0400, Sean Young wrote:
process.   These CCIE guys say that they come from a windows environment
so they don't have too much with Unix platforms.  I also notice that a
lot of CCIEs these days lack the Unix skills that are required for the
Service Providers environment.  Most don't even know how to tunnel
X-application through Secure Shell (SSH).  I still remember those days
when Cisco Engineers were very well versed in both unix and routers
skills.  I long for those days again. Comments anyone?

So what is the problem?  I mean, yes, it is unfortunate.  However, in no 
way is it a requirement to become a CCIE.  Would I prefer a CCIE with a 
unix background, yeah definitely.  However, that is just asking for more 
candy coating.

My guess is, past CCIEs had more experience because Cisco ACS was only 
available on unix maybe?



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=13159t=13151



Re: backup plan for a campus [7:7052]

2001-06-04 Thread Carroll Kong

At 09:33 AM 6/4/01 -0400, Stephen Skinner wrote:

once upon a time there was a man who was given a spec to build a network
with full redundancy... the spec he put together cost WAY too much and
needed severe cutting down... he told them not to do it but they ordered
him to... so he did it... the network fell over and the company sued
for designing a crap network... who got the blame... the man with his
NAME on the design doc.


have fun

steve

1)  I am confused.  So, if the man who built the over priced network made 
a fully redundant network, and it still failed, did he not fail his job 
miserably?

2)  Or did you mean, they cut his budget, and STILL told him to make the 
fully redundant network, despite his warnings?

I am going to assume #2, since #1 does not make sense.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=7062t=7052



Re: Where to get cheap memory for routers? [7:7168]

2001-06-04 Thread Carroll Kong

At 06:16 PM 6/4/01 -0400, Thomas wrote:
Hi All,

I am looking for upgrading our Cisco 3660 router.  However, the cost for the
128MB of Cisco memory surprised me.  It costs like ... $5000.00 for a piece
of 128MB memory module for Cisco 3660.  I wonder if it is OK to plug in a
third party memory module? Has anyone out there do this? Is it safe to do?
Which vendors do you recommend with good quality and cheap (or reasonable)
price?  Thanks All!

You can buy from crucial.com or memorypro.com (I think?).  Well 
crucial.com's pricing is a bit lower than yours.

http://www.crucial.com/store/listparts.asp?model=3660+Series+Routers+%28DRAM%29x=16y=10

A pesky $41.39 dollars for 128 megs of RAM.  Thank goodness Cisco started 
to use SDRAM instead of EDO!



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=7169t=7168



Re: Passed CIT - Now a CCNP!! [7:6725]

2001-06-01 Thread Carroll Kong

At 03:14 AM 6/1/01 -0400, Andrew Larkins wrote:
I passed my final exam yesterday - CIT with a score of 919.
At last I have my CCNP.

Many thanks to everyone on this list for all the informative threads and
help with problems I have had over this pass period.

Now to do my CCDP and security specialisation - anyone have any tips for
these

Thanks again

Andrew Larkins

I am fairly sure any specialization based off of the CCNP or CCDP has been 
retired.  If you do not have it by now, you cannot get them.  However, I am 
fairly certain that the CCNP gives you a solid base which is probably more 
than the requirements for the new Cisco Qualified Security Specialist that 
took the CCNP Security Specialist's place.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6754t=6725



RE: Migration EIGRP-OSPF [7:5724]

2001-05-31 Thread Carroll Kong

At 08:27 AM 5/31/01 -0400, R. Benjamin Kessler wrote:

What is the reason for going to OSPF in this instance, stability problems
with EIGRP or multi-vendor support?

In my experience people seem to view EIGRP as easier than OSPF - while
probably true in really small networks, networks these days just seem to be
getting bigger and the same planning required for a successful OSPF
implementation is required for EIGRP.  I haven't seen too many companies
with all-Cisco routers and a healthy EIGRP network looking to change
things - thus the question above.

Well, a few points I would bring up is.

Stuck in Active problem of EIGRP.  As the updates are being done, the 
routers will stay in active mode (cannot receive new updates I 
believe).  If the EIGRP network is big, it must wait for the very last 
router in the periphery to respond back.  This could cause issues with 
convergence time.  You may have to modify the timers to increase the hold 
time (which might cause bad convergence) since genuine requests might take 
so long that they will get zonked out and the router will delete its 
entry.  This only happens in huge AS (in the EIGRP sense of an area of 
sorts).  So, if the idea of using OSPF and breaking into areas is bad, 
you technically get the same issue with EIGRP, except in the form of ASes.

Also, you are running a proprietary protocol now.  Although it seems to 
work fine now.  If say, they feel another vendor's product is superior in a 
particular aspect of their network, they might be hard pressed or you will 
need to do some redistribution/distribution lists which is probably going 
to be difficult as well.

I suppose all in all it is still easier to use EIGRP.  I agree 
wholeheartedly with your statements.  The cost of going to OSPF might seem 
higher if they are really not that good with it.  In that way it somewhat 
validates them sticking to EIGRP.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6616t=5724



Re: help [7:6552]

2001-05-30 Thread Carroll Kong

At 10:31 PM 5/30/01 -0400, William Harrison wrote:
A little help

As usual, we lost the passwords!

We have vty password but no secret.

I need a good crack for that router

Any help?

TIA
William Harrison
CCNA

There are a number of password recovery techniques assuming you have 
console access in one shape or form.  Do a search for password 
recovery.  The basis is to reboot the router (yeah you will need someone on 
site to reset it), and hit the break sequence, change the config registers 
to avoid loading NVRAM data.  Kick in, restore the data from NVRAM into the 
running configuration.  Change the password.  Change the config register 
back.  Reload. Finished.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6569t=6552



Re: PIX Software V6.0 [7:5969]

2001-05-25 Thread Carroll Kong

At 05:17 PM 5/25/01 -0400, Vijay Ramcharan wrote:
If anyone wasn't aware, V6.0 of the PIX software is now available.
And as I just found out, to use the VPN 3.0 client, isakmp policy ?
group 2 must be used to enable successful authentication.

Vijay Ramcharan

Are you sure this is not user configurable?  Group 2 refers to the 
Diffie-Hellman group used.  I suppose unless they made it a standard to not 
allow you to use Group 1 (weaker), but sheesh, if they made that the 
requirement, how dare they let people use DES.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5992t=5969
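As an added illustration of the point above (not code from the original thread), the script below audits PIX 6.x style "isakmp policy" lines and flags the two weaknesses mentioned: DES encryption and Diffie-Hellman group 1. The sample configuration is constructed for the example; the assumption that an omitted group defaults to group 1 is noted in the code.

```python
"""Audit 'isakmp policy' lines for weak IKE phase-1 settings.

Added example, not from the original post.  It flags policies that use
DES encryption or Diffie-Hellman group 1.  The sample config is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: policy 10 uses the weak settings, policy 20 the stronger ones.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Matches: isakmp policy <number> <attribute> <value>
POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")


def parse_isakmp_policies(config):
    """Group the attribute/value pairs of each isakmp policy by policy number."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(policies)


def weak_policies(config):
    """Return {policy_number: [reasons]} for policies using DES or DH group 1."""
    findings = {}
    for num, attrs in parse_isakmp_policies(config).items():
        reasons = []
        if attrs.get("encryption") == "des":
            reasons.append("encryption des")
        # Assumption: when no group is configured the platform default is group 1.
        if attrs.get("group", "1") == "1":
            reasons.append("dh group 1")
        if reasons:
            findings[num] = reasons
    return findings


if __name__ == "__main__":
    for num, reasons in sorted(weak_policies(SAMPLE_CONFIG).items()):
        print(f"isakmp policy {num}: {', '.join(reasons)}")
```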



Re: Exactly what happens in ATM when QoS cannot be fulfilled? [7:5730]

2001-05-24 Thread Carroll Kong

At 12:28 AM 5/24/01 -0400, nrf wrote:

But this makes much less sense in a PVC environment, where the circuits are,
well, permanent.  For example, for PVC's I understand that you set up a
circuit with a given QoS.  Then, what if, when you have stuff to send, that
QoS you thought you had is just not available at that time?

This same question can be extended to SVC's.  Let's say you created an SVC
with a certain QoS.  Then, something bad happens, like one of the ATM
switches dies, and rerouting occurs, and the QoS of that SVC can no longer
be fulfilled.  What happens now?  Does the call just die?  Or is it kept,
but at reduced QoS (and if so, then what was the point of stipulating the
QoS in the first place)?

Am I just way off base here?

The way I understood it, treat the PVC as whatever QoS mechanism it 
has.  If someone gives you a UBR PVC, when the bandwidth starts going, you 
are the first pile of cells to drop.  If everyone is UBR, then everyone can 
get dropped, just like Frame Relay, etc.  If you got 5 guys with UBRs and 
one guy with a CBR, the UBRs all die first, before the CBR does.  If all of 
them are CBR, they will all start dying evenly.  No such thing as a free 
lunch, so no such thing as free bandwidth, SOMEONE must PAY for the 
oversubscription done.  OR the ATM Switch will pre-calculate the CBR PVCs 
and never let you generate such a CBR in which they can oversubscribe the
link.

In the end, QoS does not give someone more bandwidth per se, they might 
give them more prioritized bandwidth, so if they oversubscribe, if you do 
not have a special QoS setup, they are just as doomed as the guy with the 
other medium.  QoS is about dealing with limited resources effectively, 
does not really replace getting just more raw bandwidth, just helps hold 
off buying that new upgrade and keeping some guys happy.  (well, latency is 
a different issue, in which QoS is mandatory and raw bandwidth does not 
help, but sounds like you were talking about normal data)



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5730t=5730



Re: OT: DHCP question [7:5745]

2001-05-24 Thread Carroll Kong

At 11:17 AM 5/24/01 -0400, Nabil Fares wrote:
Greetings all,

For those with pretty good DHCP knowledge, how can I force a user to renew
his IP address/lease from the DHCP server?

Running Linux with ISC DHCP server

Thanks,

Nabil

I do not believe you can.  Just hope that you set the lease time to 
something relatively short.  :)



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5749t=5745



Re: Cisco 5008 [7:5039]

2001-05-18 Thread Carroll Kong

At 02:31 PM 5/18/01 -0400, Moe Tavakoli wrote:
Anyone have any experience with the 5000 series VPN boxes?  I have one in and
set up, and there are a number of problems...

The ISAKMP rekeying is not standard so I have to reboot the damn thing every
8 hrs...

Now today I set up a tunnel to a Cisco 3030 and the tunnel drops every 20
mins and the syslog on the 5008 is no help.

__
Moe Tavakoli

I ran into some small issues, but for the most part they worked 
fine.  Lan-to-Lan setups or vpn clients?  Are you sure you are using the 
latest version?  We found an enormous amount of bugs fixed when we ran the 
more recent release versions.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=5061t=5039



Re: Loopback interface for OSPF [7:4802]

2001-05-17 Thread Carroll Kong

At 01:16 AM 5/17/01 -0400, Vincent Chong wrote:
Hi;

  For OSPF implementation, an area can be configured in the Loopback
interface.
But what purpose, when should I do it?

TIA
Vincent Chong

Well, somewhat off topic, but the router id will lock on to the loopback 
address, which might stabilize the network more.  However, I think you even 
wrote to the list an email about that so that probably is not what you are 
asking.

Now why would you want to advertise a loopback interface using OSPF or any 
IGP?  To teach the IGP how to get there later on for redistribution into 
BGP.  Basically only used if you need to use an AS as a transit AS.  You 
have basically two choices.

IBGP (full mesh) to the ASBRs of the transit AS.  Or, you can redistribute 
the transit route through an IGP instead.  They tend to use loopback 
interfaces to help the transit ASs achieve more stability to avoid 
flappage.  I am somewhat new on this, so if I am wrong, I will happily 
defer to someone with more experience, but this is my take on it from what 
I have read.



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=4836t=4802



Re: Anybody seen a live production network of Apollo, XNS, [7:4727]

2001-05-16 Thread Carroll Kong

At 02:21 PM 5/16/01 -0400, NRF wrote:
Has anybody here ever actually worked on (or even seen) a live and
functioning Apollo, XNS, CLNS, and/or VINES network lately (like in the last
year or so)?  I'm not talking about some experimental lab, but a bona-fide
network that is doing something useful for some organization somewhere.  I
am sure they are still out there somewhere, and I'm trying to get an idea of
who might still be running these kinds of systems (some government
organizations probably).

Thanx

Unfortunately, yes.  Some legacy machines from heck that did not go 
away.  They are running ... Apollo.  The IS department has wanted to 
terminate those boxes for ages, but the engineers using it insist it is the 
only thing they can use for the job.  Real pain in the butt.  We had to do 
native Apollo routing between two sites or GRE tunneling.  I forgot which 
one we ended up doing.  Fairly certain we did it natively.  Fun stuff.  :)



-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=4727t=4727


