RE: how about ccie salary in US? [7:71143]
exam, perhaps with some open ended elements. - If Cisco kept a log of the performance of the individual, such as number of retakes, the quality of their feedback, then at least employers could call Cisco to get a better feel. Of course, not even medical schools do this though if I remember correctly. I am just very strongly against the instant filter due to number of years of experience since that means so little to me and from what my clients have experienced. From what I see, the CISSP does that to just mask the fact that their written exam is just a bookworm exam of little practicality. (from what I have heard). If anything, I would rather see Cisco improve the difficulty of the exam itself, rather than employ such filters. I feel that such a filter would not really affect the quality in a positive manner as greatly as you think, but would decrease the supply which is beneficial to existing CCIEs. If that is the end goal, let's do it! :) I just think it is grossly unfair and slows down individuals. For the CCIE, we should be putting up signs you have to be this height (you need these skills), not you have to be this age. (you need to be this old)

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71837t=71143
-- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: ISDN connect/disconnect issue [7:71845]
Hey folks: I'm struggling with an ISDN issue in which the call comes up, but then is immediately dropped without the interesting traffic being sent. I'm an ISDN neophyte, so I'm more than willing to admit a config error on my part, but from what I can see, my first thought is that it's a provider issue. Anyone ever experienced this before? Thanks, BJ

Debug dialer shows:
Jul 3 15:02:14.261: BR0/0 DDR: Dialing cause ip (s=w.x.y.z+1, d=w.x.y.z)
Jul 3 15:02:14.261: BR0/0 DDR: Attempting to dial (number)..
Jul 3 15:02:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
Jul 3 15:02:18: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to (number)
Jul 3 15:02:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
Jul 3 15:02:18.045: BR0/0:1 DDR: disconnecting call

Debug isdn q921 shows:
Jul 3 15:05:35: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to (number)
Jul 3 15:05:35: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from (number) , call lasted 1 seconds

Debug isdn q931 shows:
Jul 3 15:08:03.270: ISDN BR0/0: TX - SETUP pd = 8 callref = 0x0C
Jul 3 15:08:03.270: Bearer Capability i = 0x8890218F
Jul 3 15:08:03.274: Channel ID i = 0x83
Jul 3 15:08:03.274: Keypad Facility i = 'number'
Jul 3 15:08:03.470: ISDN BR0/0: RX CONNECT_ACK pd = 8 callref = 0x0C
Jul 3 15:08:07.354: ISDN BR0/0: RX RELEASE pd = 8 callref = 0x0C
Jul 3 15:08:07.402: ISDN BR0/0: RX Feature Indicate i = 0x8100
Jul 3 15:08:07.450: ISDN BR0/0: RX

Relevant Config:
interface Dialer16
 description ISDN dial backup to John Doe
 bandwidth 56
 ip address w.x.y.z+1 / 30
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer remote-name JohnDoe
 dialer string (number) class top1r2
 dialer pool 6
 dialer-group 1
 pulse-time 0
 ppp authentication chap
interface BRI1/5
 description ISDN dial backup Group #6
 bandwidth 56
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 6
 isdn switch-type basic-ni
 isdn spid1 (x)
 isdn spid2 (y)
 no fair-queue
 ppp authentication chap
map-class dialer top1r2
 dialer idle-timeout 1800
 dialer isdn speed 56
(interesting traffic defined as all TCP)

Let us see some debug ppp auths. I am curious if the issue is an authentication issue.

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71850t=71845
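As an added illustration (not code from the post, from Cisco, or from the list), the Python below parses syslog lines shaped like the debug output above, pairs each %ISDN-6-CONNECT with the disconnect that follows it, flags calls that clear within a few seconds, and reports for the Q.931 exchange whether the RELEASE was received from the switch or sent by the router. The log inside the script is a constructed sample modelled on the quoted output, with one normal-length call appended for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the debug output quoted in the post.
# "(number)" is the original poster's own redaction; the last two lines are
# an added, normal-length call for contrast.
SAMPLE_LOG = """\
Jul 3 15:02:14.261: BR0/0 DDR: Dialing cause ip (s=w.x.y.z+1, d=w.x.y.z)
Jul 3 15:02:17: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
Jul 3 15:02:18: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to (number)
Jul 3 15:02:18: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
Jul 3 15:02:18.045: BR0/0:1 DDR: disconnecting call
Jul 3 15:05:35: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to (number)
Jul 3 15:05:35: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from (number) , call lasted 1 seconds
Jul 3 15:08:03.270: ISDN BR0/0: TX - SETUP pd = 8 callref = 0x0C
Jul 3 15:08:03.470: ISDN BR0/0: RX CONNECT_ACK pd = 8 callref = 0x0C
Jul 3 15:08:07.354: ISDN BR0/0: RX RELEASE pd = 8 callref = 0x0C
Jul 3 16:10:02: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to (number)
Jul 3 16:40:07: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from (number) , call lasted 1805 seconds
"""

# "Jul 3 15:02:14.261: <message>"; the milliseconds are optional in IOS output.
TS_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})(?:\.(\d{3}))?:\s+(.*)$")
CONNECT_RE = re.compile(r"%ISDN-6-CONNECT: Interface (\S+) is now connected")
DISCONNECT_RE = re.compile(r"%ISDN-6-DISCONNECT: Interface (\S+) disconnected from")
LINK_DOWN_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to down")
LASTED_RE = re.compile(r"call lasted (\d+) seconds")
# Accepts the arrow-less form quoted in the post ("TX - SETUP", "RX CONNECT_ACK")
# as well as the usual IOS form ("TX -> SETUP", "RX <- CONNECT_ACK").
Q931_RE = re.compile(
    r"ISDN (\S+): (TX|RX)\s*(?:->|<-|-)?\s*(\w+) pd = \d+ callref = (0x[0-9A-Fa-f]+)")


def parse_line(line):
    """Return (seconds since midnight, message) or None for non-matching lines."""
    m = TS_RE.match(line)
    if not m:
        return None
    _mon, _day, hh, mm, ss, ms, msg = m.groups()
    secs = int(hh) * 3600 + int(mm) * 60 + int(ss)
    if ms:
        secs += int(ms) / 1000
    return secs, msg


def call_durations(log):
    """Pair each %ISDN-6-CONNECT with the next %ISDN-6-DISCONNECT (or, failing
    that, the next LINK down) on the same interface. The duration is taken from
    the 'call lasted N seconds' field when present, else from the timestamps."""
    open_calls = {}
    calls = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = CONNECT_RE.search(msg)
        if m:
            open_calls[m.group(1)] = ts
            continue
        m = DISCONNECT_RE.search(msg) or LINK_DOWN_RE.search(msg)
        if m:
            ifname = m.group(1)
            start = open_calls.pop(ifname, None)
            lasted = LASTED_RE.search(msg)
            if lasted:
                calls.append((ifname, int(lasted.group(1))))
            elif start is not None:
                calls.append((ifname, ts - start))
    return calls


def short_calls(log, threshold=5):
    """Calls that cleared in under `threshold` seconds: the up-then-immediately-
    down pattern the post describes, before any interesting traffic moves."""
    return [(i, d) for i, d in call_durations(log) if d < threshold]


def q931_call_summary(log):
    """Per Q.931 call reference: seconds between CONNECT_ACK and RELEASE, and
    whether RELEASE was received from the switch (RX) or sent by this router
    (TX), i.e. which side of the BRI the clearing came from."""
    events = defaultdict(dict)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = Q931_RE.search(msg)
        if m:
            _iface, direction, mtype, callref = m.groups()
            events[callref][mtype] = (direction, ts)
    summary = {}
    for callref, ev in events.items():
        if "CONNECT_ACK" in ev and "RELEASE" in ev:
            summary[callref] = {
                "connected_for": round(ev["RELEASE"][1] - ev["CONNECT_ACK"][1], 3),
                "release_direction": ev["RELEASE"][0],
            }
    return summary
```

On the sample, both short calls clear in 0 and 1 seconds and the RELEASE for callref 0x0C is RX, which is the information a follow-up debug ppp authentication trace would then confirm or rule out.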
RE: how about ccie salary in US? [7:71143]
let's put it this way...there are ways of correlating medical laboratory tests that I worked out on my own. Indeed, when I was about 16, I came up with a hypothesis independently (but triggered by an aside in a paper on something else) that; (1) it would be clinically useful to be able to give penicillin along with something that protected it from penicillinase, a bacterial enzyme that destroys it and is one mechanism of resistance. (2) there existed at least one compound, which really hadn't been investigated, that could inhibit penicillinase. When I entered college, I did get permission to do this as independent research, but it didn't go very far for many reasons. The big one is that I wasn't economically or emotionally ready for college. Second, I had no real budget for the project, and my basement biological warfare lab (well, it was for a fungus, not a bacterium, but in principle could have grown anthrax) was just too improvised -- I lost about 2 out of three batches due to contamination in the air supply. Third, while I actually understood the theory of some of the measurements I wanted to take, I didn't have the hands-on skill to use some of the instruments. (Again a ...well... I'm now ok with using a dual beam UV spectrophotometer, but I still can't do RJ45 crimps worth anything). But in the current case of monitoring potential infection, I learned that from a particular physician -- I've never seen it in a textbook. What I'd say is that a bright med student will work out some techniques, but there are a very wide range of unwritten methods that are best learned by mentoring. Learning to take blood from a vein is a reasonable example -- oh, it's written up well, but there's no way I know to learn the feeling of the two pops -- once when you get through the outermost skin, and once when you enter the vein. It takes constant practice to remain competent at this -- I could still probably draw blood from you, but it wouldn't have been fun for either of us.
I knew it! You are the Doogie of Networking, save for his social skills (or so you say!)! :) I suppose if the networking realm was a bit smaller, what would be great is a mentor system. Kind of like back in the older medieval days. I see, tis you, Squire Carroll Kong of the Knight Howard C. Berkowitz. Truly your skills have grown under this apprenticeship! We have great need of squires of the Knight Berkowitz! How is the Dame Priscilla Oppenheimer? - says the now more qualified Human Resources of . So at least one can have a far superior vouching system. Nowadays, if I let potential clients know Yes, I have read many of Knight.. er.. Howard C. Berkowitz's books. Designing Routing and Switching Architectures was my favorite book. Yeah, I might get a wow I read that book too and get hired, but I think more likely I would get the umm.. yeah. So, can you cook up a site to site VPN for me with Cisco routers and Netscreen firewalls or what? After the vouching system, add in some mandatory time in the Arena.. er.. Cisco Labs. Then make them take the Trial Of Fire...(True Conflagration) er.. CCIE Lab, and voila! Of course they can always pick the Trial Of Little Flame or... Trial of Smaller Conflagration..., but it's not mandatory. Hahh...Doogie had MUCH better social skills. Haha, or so you say! If you can communicate and write well... surely your social skills cannot be lacking! I suppose we are talking further back... I will admit, my social skills weren't that good then. Most of the busy body corporations tend to care more about the now and the instant command gratification. ooh ooh he can make it better. There is a very nasty stigma that design is easy, but who cares, can he make it work? Personally I am a bigger fan of a solid design, and so are quite a few of the more exceptional companies, and obviously the research field. Unfortunately, I think the market plays down the very area we care for, and because of that it is not marketable for Cisco to push that angle.
Furthermore, one could easily argue that the design aspect, unless carefully monitored, would be even easier to copy than the labs now. Oh I just happened to like that design layout... Really? The last 50 individuals all did it the same way too hmm... and it's wrong. :) ways It's pretty trivial to be able to auto-generate small but important changes in design scenarios. I even have a test engine for adaptive administration of lab scenarios. Given that Cisco tries that it would not be as hard to generate different tests since they can always generate the slight changes. Furthermore they can restrict feedback on the exam (they somewhat do that currently). However, I wonder if even then it would be a small enough domain to be vulnerable to the oh so wonderful braindumps and bootcamps. What if Cisco
RE: how about ccie salary in US? [7:71143]
it better. There is a very nasty stigma that design is easy, but who cares, can he make it work? Personally I am a bigger fan of a solid design, and so are quite a few of the more exceptional companies, and obviously the research field. Unfortunately, I think the market plays down the very area we care for, and because of that it is not marketable for Cisco to push that angle. Furthermore, one could easily argue that the design aspect, unless carefully monitored, would be even easier to copy than the labs now. Oh I just happened to like that design layout... Really? The last 50 individuals all did it the same way too hmm... and it's wrong. :)

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71626t=71143
RE: how about ccie salary in US? [7:71143]
at their own pace (the hourly time for pilots CAN be done at your own pace, so I would strongly enjoy that modification, so, let it be some Cisco certified lab where people spend time in it). I will admit though, the exam itself probably is NOT hard enough to really weed the bad seeds out. If the exam was longer, more extensive, had more feedback, required written documents (anything with an open ended kind of answer), had a big party of technical advisors to review, yes, it would be better. But as Howard pointed out, this is too slow... and I am sure even you would agree it would be great but WAY too slow and expensive for Cisco, who clearly wants to see their CCIE count grow... just like the rest of the major vendors.

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71571t=71143
Re: Cosmic rays?? [7:71402]
Cosmic rays typically cause some bits to flip, hence the big need for parity memory (but now the more advanced and self-correctable ECC). Although, you are usually okay in an enclosed environment. (supposedly people get quite a few errors with modern memory if they sit it by the sunlight... :) ) Errors can still occur without the assistance of cosmic rays arbitrarily flipping bits. (yes, it has been known as a legitimate cause for bit flippage, but doubtful that was your case). Sounds more like just a flakey card. All sorts of things could have caused the card to start acting flakey. Of course these types of failures can be generically funneled as software or hardware. Although which one is it hmmm. ;) Unless the hardware has some super diagnostics (ever see some of those high end Sun workstations?), you might have to do it the old-fashioned way and isolate the problem (either software or hardware) and try to move from there. i.e. can you get a replacement card? It can be the card, interconnect on the router, router itself (motherboard, memory...), but more likely the other two. How long has the card worked before in the past? On what version of code? Was there any increase in loads after moving to the latest version? Any patterns of usage that can repeat the error? Can they be cross referenced to any known bugs? If you can repeat the error with a certain combination of actions, it leans a bit more towards software. Curious, so if the diagnosis was cosmic rays... what was their proposed solution? I hope it was not... oh well, crap happens, good luck!

We have a Cisco VIP card plugged into a 7500 router. Every once in a while the card just stops working and sometimes it gets stuck so hard that we have to reload the microcode. The last we did that, the router crashed and had to be reset (Ugly!). Well, it gets worse. After having to convince the guys at the local Cisco office to help us in this issue, they came to our facilities and began their analysis.
To make a long story short, they told us that these problems were caused by cosmic rays! We almost fainted! Cosmic rays! Has anybody around here ever heard of this problem in this combo? Let me tell you this router is not installed in a spaceship or something like that, it's just an ordinary datacenter. Any ideas about what the real problem might be? P. S. The router is using a recent version of IOS (newer than 12.1) and has been patched as per the Cisco site. Thanks a lot for any advice on this issue.

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71418t=71402
RE: how about ccie salary in US? [7:71143]
this, but there are dedicated background-check companies who do this as their main business and Cisco would contract with one of them. Or if you really want to get down to it, you can do what the government does before assigning secret clearances, including interviews of random coworkers and so forth.

Well, the first part is STILL suspect to what I described earlier (trimmed out of this post, sorry), which is some managers do not know how bright individuals are. How can they? They are not technically ultra savvy themselves! It is what I call the local guru syndrome. The guy who is your friend's sister's cousin's computer expert. The guy who says Mavis Beacon version 10 will corrupt Windows XP because it has keyboard drivers in it. The guy who says Netbios is absolutely unrouteable and has 3 years to back it up. The guy who was left unchecked and let his ego make him believe he is the master of all technical computer knowledge! Anyway, (sadly enough only the last example was an exaggeration), so the local guru convinces his manager and others that he is good. I am sure he is great, relatively speaking, but put in a pro to compare, and he turns into silly putty. The manager, without seeing the pro, will give this guy the thumbs up because he has won the local guru award. As for the random government contact bit, I think that would work a bit better, since colleagues tend to have a better view on the technical skills of each other rather than the manager.

Now again, could this procedure be corrupted? Of course. It's not perfect, no solution is. But I believe it's still a substantial improvement over what we got right now. Like I said, common sense dictates that a caresser CCIE is on average better than a lab-rat CCIE. Both guys have passed the test, but at least the caresser has worked on a real network. True, he didn't do much on that real network, but he still did more than the labrat who has, by definition, never worked on a real network.
Oh no doubt, I understand NO system can be 100% perfect. However, this solution eliminates potentially very bright individuals with fewer years of experience, but potentially significantly higher quality of experience. I suppose without statistics here, you could easily argue that sample is too small. If I do see some solid statistics on it, I will agree with you then. If the sample is too small, fine. If it is a fair amount, I think we should reconsider. You are trading one set of bad apples (lab rats) for a set of bad oranges (router caressers) and demolishing innocent candidates (the people who should be certifying) in the process.

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71465t=71143
RE: Quoting in Replies [7:71366]
Until it becomes such an unwieldy and nasty message... Sometimes I take out some of the messages to avoid gargantuan replies. Sometimes I post inline to directly respond to certain viewpoints. Otherwise you tend to get that nasty... um.. you didn't answer that question syndrome. I think quoting relevant info is good, not sure on the entire bit. Some of the other mailing lists I am on suggest I do not quote every little detail to avoid the gargantuan replies of doom. ;)

I agree. I was going to rag about this the other day, but figured that many people on this list already think I bi*ch too much about other things! :-) Shawn K.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: Quoting in Replies [7:71366]

Okay, this is getting really old, really fast. When responding to a post, PLEASE QUOTE WHAT YOU'RE REPLYING TO! The number of unintelligible posts is increasing and some simple quoting would help immensely. Perhaps the issue is that if you use the web-based board to post, a quote does not happen by default. So, if you are using the board to reply to posts, please hit the QUOTE button and edit appropriately. Thanks, John (who is exceptionally grumpy today, and it shows. Sorry about that.)

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71389t=71366
RE: how about ccie salary in US? [7:71143]
A lot of us have mentioned that it is not usually just the raw certification that gets the job, and in some cases, not even both experience and the certification. Even NRF has mentioned diversity is the key, but on top of that people skills. Lack people skills, and you will find yourself not making as much as you could be (within a reasonable degree considering realistic opportunity costs). As you mentioned as well, depending on the kind of job you are going for and the politics involved around it, a certification may be useful, experience may be useful, the people skills...there is a whole plethora of things and all of the importance levels of each requirement vary greatly for each job. Basically, I do not think it is easy to make a full checklist of all the things you need and if you do it, you will instantly get the job. It changes per job a lot. Employers have different requirements and goals. I think at best we can leave it at that. NRF is not saying diversity is not the key either, all he is saying is that, considering all of those requirements that I mentioned, NRF is saying that the CCIE alone will almost certainly never match most of the jobs out there. I am assuming NRF means such because he has not explicitly mentioned otherwise. All he said was, the CCIE alone is not enough. I think he responded to the Linux vs CCIE thread by saying how most should know both, but not necessarily go all gung ho on the Linux cert.

I'd say diversity is the key. I know several CCIEs who, outside of R/S don't have much to offer in the way of skillset and they are not commanding as high of salaries as guys without a number but deeper and more diverse expertise. It totally depends on the individual, the need, the location and the experiences (which are unique to each and every one of us). Will Gragido CISSP CCNP CIPTSS CCDA MCP Suite 325 9450 W. Bryn Mawr Ave.
Rosemont, Il 60018 [EMAIL PROTECTED] The Knowledge Behind The Network

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of n rf
Sent: Monday, June 23, 2003 7:39 PM
To: [EMAIL PROTECTED]
Subject: Re: how about ccie salary in US? [7:71143]

- jvd wrote: I wonder if anybody is going to have anything positive to say about this post? So basically, you want us to lie, eh? ;-. Seriously, CCIE salaries have been down for awhile and any honest discussion about salaries is going to be necessarily negative. When something's black, it would be a lie to call it white. As far as the original question, so much depends on your experience level, the geographical location, things like holding a degree (or not). Strong candidates that have lots of experience, are well educated, and are in places can still pull nice salaries. But I'm also aware of CCIE's applying for positions that pay less than 30k - and not getting them. The point is that the CCIE by itself guarantees nothing.

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71238t=71143
Re: netbios [7:71084]
From my /etc/services...
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp # NETBIOS Name Service
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS Session Service
netbios-ssn 139/udp # NETBIOS Session Service

I believe that these are the NetBIOS over TCP/IP instantiations, so to speak. While NetBIOS can easily be run over IPX/SPX or even NetBeui, clearly a tcp/ip port number has to relevant in that case. [rant mode] I cannot blame you for the confusion as Priscilla mentioned that quite a few people somehow believe it is not. I think they are confusing it with NetBeui, which technically has nothing to do with it. (yes the name Netbeui means Netbios Extended User Interface, but still, technically nothing to do with each other in terms of NetBios functionality, it can ride over other network transports) I have had countless debates and arguments where people insisted they are bound to the hip or interchange their names like candy. Here is an interesting excerpt of some dialog I had at a startup I worked at years ago.

Premise: When dealing with two separate LANs, as defined as Layer 2 domains.
Is it possible to get network neighborhood to work between the upstairs and the basement. - VP/Sales
Sure, we just need to bind Netbios over TCP/IP and make sure we can route over the two different networks. We might need to deal with WINS for seamless naming integration but it should work fine otherwise. - Carroll
You also will need NetBeui. - Other Tech Guy
[Trying to be nice]. No, sorry [Other Tech Guy], I am pretty sure you will not. - Carroll
Yes you do. - Other Tech Guy
[Still trying to be nice.]. Well, I do not think you do, since Netbeui is a transport protocol, and Netbios rides on top of any protocol it wants to. You already have TCP/IP as your transport, you do not need Netbeui, and on top of that, Netbeui will not cross over the LAN. - Carroll
You are wrong, you need Netbeui. - Other Tech Guy
Trying the wait, look there is a transport, you only need one angle. But, if that was true, how come I can get a Unix box with Samba to work with a Windows machine. TCP/IP is the transport there, my Unix box has no concept of NetBeui yet it works. - Carroll
Look, Carroll, I have been in the ISP business for over 5 years, I think I know what I am doing. - Other Tech Guy

Not that I could see the relevance of NetBeui in an ISP, just that he was clearly pushing his move aside greenhorn argument instead of trying to sensibly attack the problem through theory. Well, since the other tech guy was older than me, and supposedly far more experienced, they made sure Netbeui was on every machine. Sigh, I had other responsibilities rather than to go around proving him wrong. But experiences like these are what make me say...
- Check the theory and make sure it sounds right.
- Check the practice, make sure it works right.
- I don't care about your past experiences; technology moves so fast it invalidates so many truisms within months.
The guy was wrong on 1, 2, and... for 3, he never had a truism to begin with, just a false sense of knowledge of the systems he worked with. As with those logical fallacies, it does not matter how smart or how great your past work is, people can make mistakes. If you say something that is true in the now, it is true. If you say something that is false in the now it is false regardless of your past history.

hi people, well the reason why i ask this is because, recently i was told by my network manager that there is a virus which uses netbios (udp 137, tcp 138 and tcp 139) as a transport and had crossed the WAN from a spoke site to a hub site. And i was told to put an ACL blocking the above ports on the fastethernet interface, well i was kind of confused as in, i remember that netbios isn't routable across the WAN, IF, and i mean IF there is really such a virus that uses these ports, they shouldn't be able to traverse to the other site across the WAN right?? And when i did some debug ip packet, the udp 136 and of course the tcp 138 and 139, was captured and dropped! at the fastethernet interface and TR interface (i had placed the ACL on both fastether and TR) but when i place it on the serial, i don't see any udp 136 at all!...i just need some clarification from people at this forum here

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71235t=71084
RE: number of CCIE [7:70151]
But that's really neither here nor there. At the end of the day, more bootcamps = easier test. Why there are more bootcamps around today is unimportant for purposes of this discussion. It doesn't matter why - so why ask why. All that matters is are there more bootcamps. Now again, I would reiterate that I don't have a problem with bootcamps per se. I see them as basically inevitable. But on the other hand, it does mean that Cisco must make the exam even more difficult to compensate for the effects of the bootcamps. Right, I think I mentioned that in my earlier post (that ultimately it doesn't matter what caused the cycle, just that the net result is an easier exam). Of course how to make it difficult, in a fair fashion is yet another animal. Personally I think the best way to solve this problem is to force people to recertify by taking the current lab exam again. No more of this BS where guys can just take a written exam to recertify. You want to continue calling yourself a CCIE? Then you should have no problem in passing the lab again. Otherwise, we'll convert your status to 'retired CCIE' or CCIE emeritus or something like. Yeah but that would clearly decrease the number of CCIEs, which can be viewed as a good or bad thing. Cisco does want more CCIEs to some degree, yet it can hurt them if there is no longer a true upper echelon of certification anymore. Ironically if they make a new tree, such as the REAL CCIE, it only turns the current CCIES into a pile of ugly ducklings and validates all the nay-sayers of the CCIEs. :) Hey, don't get me wrong, I'm not saying it is a total negative. But I dispute the fervent contention of some that it's a total positive. I think it is very difficult to adjust any complex system to get a total 'positive' when they are upgraded. 
-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71098t=70151
Re: number of CCIE [7:70151]
Hmmm that might work. However, while you say someone good with concepts will do well, that is what I always thought earlier, until a good amount of members on this list and in the real world insisted that good knowledge of theory won't get you anywhere on the CCIE exam, only hardened practice. Granted, you probably need a good mixture of both, and I feel strong theory is worth a heck of a lot more than just mindless practice. (and I mean really understanding it, not just saying oh yeah it.. um.. makes packets move). I guess we have to wonder what Cisco's ultimate goals are. If they decreased the lab time and altered the exam to be more 'streamlined' and 'easier', why would they immediately step backwards? I think your ideas are very good in increasing the difficulty of the exam, but this is just going to be a big expensive variation war, somewhat like hackers vs developers and hackers vs virus scanner software companies. If Cisco wanted more CCIEs out in the field, why would they want to engage in this expensive battle anyway? If they truly wanted to increase the value, why take the steps they have taken now such as decreasing the lab time and making it more streamlined? That's a decent first step. But I would go further. I would actually mix up the equipment. Let me explain. The final objection I have heard is that it will make test grading harder. For example, one person might get the ISDN rack and fail whereas he might have passed if he had gotten the switching rack, or something like that, and therefore a certain element of dumb luck enters into the fray. First of all, that already happens now - if you happen to get test questions on subjects that you know very well, you are far more likely to pass than if you get test questions on subjects that you know poorly. Second of all, hey, welcome to the real world, where no 2 networks are alike. Again, if your grounding in concepts is good, you should be able to handle the variety. 
Third, need I say it, such objections could be properly addressed through my old idea of relative scoring (but I digress) Anyway, the point is, now I think it is time for Cisco to seriously consider using different racks. I see little reason besides inertia and nostalgia for all test racks to always be exactly the same.

-Carroll Kong
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71099t=70151
RE: number of CCIE [7:70151]
Carroll Kong wrote: Hey, I don't want to take either of them again if I don't have to. But if I was forced to make a choice, I'd prefer to take the singlet over the doublet. It's like being punched in the face once vs. being punched twice. Well I cannot say anything specific against it since I was never in that situation. However, I guess you are right, anything to delay or prolong that nasty feeling. ;) I'm afraid I have to disagree about the speed aspect of the test. The fact of the matter is that the speed component of the test is greatly overrated, whether we're talking about the 1 or the 2-day versions. Take the 1-day version of the test. The fact is, if you're not essentially done with everything by 1 or 2 PM, you're probably DOA. I remember in both of my successful 1-day tests, I sat around for about 2-3 hours at the end with nothing to do - I checked all my work, reread the test questions over and over again, and was quite frankly bored. The same was true of my 2-day test, again, I had done everything on both days by mid-afternoon and I just sat around with nothing to do but check my work over and over again. Nor is my experience unique - I think that most CCIE's would agree that if you're not done with several hours to spare, you're probably not going to pass. I would venture that very few people that have passed the test have actually required all of the test time that was allotted to them. Actually, you are right. I was essentially done, with a fair chunk of time remaining as well, I just triple checked everything and tried to iron out some nuggets. ;) If you could compare it to driving a car, the last few hours was a much smoother ride, with less thinking going on. But, everyone does make mistakes occasionally, so that kind of stuff will somewhat cost you. I think some of the older CCIEs I worked with were probably not as fast in typing or were able to optimize as well in their thought processes.
:( Why do I get a feeling I should throw you into the middle CCIE list (which I consider to be the better chunk, to be honest!)? :)

In all seriousness though, I suppose the individual skillset and mindset matter a lot. Bad people were able to squeak by in both 2-day and 1-day exams. (Yes, I have met quite a few CCIEs who had me scratching my head... you are a CCIE?) This is not to insult a lot of the lower-number CCIEs. Just that a VERY large percentage of them have taken up more managerial jobs, and have not kept up at all with the latest technologies. Their learning / thought processes seem so slow; it is so hard for them to adopt new things since they are used to managerial work now. Some of them were saying how hard deploying IPSEC VPNs is (I think they are very easy) ... and what is GRE? (Come on! This was in their 2-day lab, I am sure, no?) Basically anyone who has taken the time to even contribute to this list, I put on the good list. A lot of the other CCIEs I know of insist it's a waste of time. With that kind of mindset, you can see that they aren't interested in learning all there is to know (even to a fair degree), just enough to get by and win the bids with their lower numbers.

What seems to kill people is that they don't read the questions carefully or they simply don't know the material, and then they consequently make mistakes, and then in their haste, they start working too fast, thereby making more mistakes, etc. But again, if you know the material and you're careful about reading the questions, the test is really quite straightforward.

Well, take it from me, the Security train was not 100% straightforward. The lab itself had BUGS I had to report to the proctor, which he vehemently denied there were (but I proved it to him there were later on; without that, I would have failed), and some parts were vague and contradictory. I guess the Security one had less polish but definitely doable.
However, for the most part, yes, it was pretty straightforward, bugs and kinks aside. The layered effect, while necessary, was pretty brutal. Fail or do not understand something earlier, and you will fail the entire exam, even if you know the other 90% of it. I suppose though it is a reasonable request/requirement to acquire the daunting certification. :)

But not realistic. Let's face it - as a network engineer, how many times are you really building networks from scratch vs. how many times are you troubleshooting already-built networks? The fact is, building networks from scratch is really only a minor part of the overall job; most of the time you are maintaining built networks. A far more useful test would be one that was PURE troubleshooting. For example, you get the whole morning to familiarize yourself with the network, and in the afternoon, all kinds of funky problems get injected into your network. One serious problem with the present format is that you end up with guys who are really
Re: ISDN CCIE [7:70944]
Not sure, but I hope for a little while longer. DSL, ISDN's new and improved cousin, may be superior in quite a few ways, but sometimes you have NO other choice but to use ISDN to access some far-off places. Maybe this is changing soon and they will phase it out, but ISDN still seems fairly important, for say PRI deployments. Cannot think off the top of my head why a PRI would be better than a T1... but some clients I know still have them. Not sure if ISDN falls off to the old technology that should never be deployed nowadays (at least BRIs, never mind multichassis/multilink PPP bonding for now). Seems like it still has applicability as not everywhere is that close to a CO, so I would keep up on learning about it.

Hi, I was wondering how long ISDN will be part of the CCIE exam. regards, rooban

= cheers, rooban

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71000t=70944
RE: number of CCIE [7:70151]
Those three have pretty much echoed my themes. Hansang, in fact, has admitted that he accelerated his CCIE studies so that he would take (and pass) the 2-day exam because he didn't want to run the risk of being known as an asterisk-CCIE (meaning the one-day CCIE).

I know someone who took both the two-day and one-day. He felt the one-day was harder. He might have been an exception; I do not know any other two-dayers who took a one-day. He was RS first, then he just got a Security one to get the double. Of all the CCIEs I do know, none of them ever wanted to really take it again (except one other CCIE I know... he wants to see if he still got the touch!) While I agree to some degree that the old style might have been harder, I feel it is more of a preference. I think depending on the kind of problem solver you are, one will appear easier than the other and vice versa. I only took the one-day, and all I have to say is it is a real speed torture exam. One slip-up, and it's pretty much over. You have a SLIGHT margin of error and that is only if you are very fast, both in the mind and on the keyboard. This is not to say if you are slower you are necessarily any less qualified; just, some people do not type as fast or take longer to formulate a very solid plan anyway. Those people suffer greatly from this new format. This is also probably why I got some seriously mixed reviews from different CCIEs in terms of the difficulty of the exams (be it one-day or two-day). For the record, the one-day exam was more suited to my style than the two-day sounded like. Oh well, I will never have a direct comparison now.

The same was said about the two-day as well in terms of speed, but with some ancillary tricks such as the physical element, etc. I suppose that is good to know, but hey, nothing 5 minutes couldn't figure out on a web page.
The troubleshooting element was definitely a sorely missed element from the two-day lab, but trust me, with the one-day there is a dynamic troubleshooting element built in. It is VERY easy to break your working network while you perform the exam. Unfortunately, because it is more speed-driven and because the content, while jam-packed, is probably 'less', it also means it might be more prone to some form of bootcamp brain dumpage. But this is not really conclusive. It might just be that the CCIE is becoming more popular and people have recently tapped into this market. The drop in Cisco gear pricing on the used market probably had a LOT to do with bringing down this barrier to entry. Regrettably, it is difficult to say whether or not it is the slippery slope we are going up if we really believe a one-day exam is instantly easier than a two-day and that is the reason why there are more CCIEs per month, or if it is because the failure rate is the same, and the expected value of passing CCIEs goes up due to the higher volume of candidates per month. Whether or not it is easy, I cannot say. I encourage any CCIEs of the two-day to take a one-day and see how it is. I only know of one who did it, and he felt it was worse than the two-day lab. But, like I said, different types of people, different types of problem solvers. Might be easier for some.

One thing is true though. By law of numbers, even if the percentage rate of failure IS the same, since the NET number of CCIEs passing is higher, by supply and demand the value of the CCIE is dropping. (Someone else mentioned this as well.) If the percentage of failure is even lower... then the value just drops exponentially. :)

As for having a lower CCIE number, I do not care, I do not know. Most of the really older CCIE numbers I know tend to be mediocre with the new technology and are sick of knob turning anyway (although some are still very good). The medium numbers seem to be the best.
;) The ones on the highest-number end seem to be a mixed bag. And while someone said the higher-number ones have less experience, that should not be true in theory since the CCIE was designed for people who already worked in the networking field for years. However, I will agree that in practice, that does seem to happen often (higher numbers, less experience). I think as with all things in life, take the individual on a case-by-case basis. You are going to find good and bad apples in every basket. The CCIE is still a very good certification; I do not think anyone is denying that. But I do not think it is clear if it is blatantly easier now.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70806t=70151
Re: Prolonged Batchlers Vs. CCNP ? [7:69483]
This sort of thinking is why I've decided to skip the CCNP and just work on the CCIE. As long as Cisco keeps it insanely difficult, with the lab exam being the majority of the work required, it will be valuable. -- John A. Kilpatrick

Go for it! Skip the CCNP and aim for the CCIE (or heck, skip the CCNA too). It is a bit hard, but come on, this stuff is not rocket science. Practice, practice, and if you are a fast learner, decent typer, fast thinker, you can do it. But do learn Cisco's methodologies for troubleshooting and Ciscoisms. Also, learn the basic layout of how the documentation is. Think fast, and implement fast, and you've got it. ;) Of course, much easier said than done.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70008t=69483
Re: eBGP Multi-hop [7:65823]
I guess I am kind of just going to take a quick stab. Do you have no synchronization under the BGP configuration?

hello all, (Re-post... not sure if original msg made it or not) playing around again and have a question. eBGP multi-hop cannot come up if the peer is known through a default route. Is there a reason why? I mean, what is the point of a static route that causes a recursive lookup or a static route that simply points to the same next hop as a default route? For that matter, I can't see it being a matter of proximity either. If convergence time were not an issue, what is really wrong with having a 10-hop or even 50-hop BGP session? (I know it is unlikely and there are certainly better ways to handle it (GRE or IPSec tunnel)) but for the sake of argument... Just curious, not able to find much on WHY it is like this... thanks, Jim

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65835t=65823
RE: CCNP Recommendations [7:65514]
Well, if you really want to learn more or understand what you are doing, you do not need any certification for that. Just some solid reading, good comprehension skills, and a good tutor/mentor resource to fall back on to validate your learning. For this goal, you do not need a CCIE nor an MIS degree. So, seeing that you have two divergent goals, I will tell you what to do for the CCIE goal.

However, for basic CCIE training, some pretty good books, albeit a bit dated if you want lab workbooks, are Caslow's book, Routing TCP/IP Volume 1 by Doyle, and Internet Routing Architectures by Halabi. You will need a touch more for the written. Refer to cisco.com and look up every nook and cranny on the required-to-know list if you want to play it safe. They added quite a bit now. Perusing www.cisco.com is a good start too, as you can learn a lot of Ciscoisms that way. It might be hard to navigate at first, but it is worth it in the long run, not only for the exam, but to be a valuable resource for Cisco technical knowledge. Definitely try to master www.cisco.com/univercd/. While a lot of people claim if you use the ciscocd resource, you will fail, I felt either they were very slow at finding information or were just really into the rote memorization scheme. Knowing where most of the information is, is easy once you understand how Cisco categorizes most of the information. Of course, this is only pertinent after you pass the written.

I do not see how getting a degree in MIS will help you. I mean, it almost seems like you are going backwards. I am going to assume you have some kind of degree now. If not, perhaps it is remotely worth it, but seeing that you have four years of experience, getting a degree now might have diminishing returns compared to just saving that money for anything else. Of course, getting jobs and whatnot depends on the quality of the lead, so to speak.
(word of mouth, vs. interview, vs. headhunter, etc.) And, for you to qualify for some of the lower-quality leads, you will need silly things like a BS since some companies have no exceptions. The CCIE is a pretty powerful certification; most people who are looking for this will ignore the lack of a BS/BA degree anyway. Good luck in your journeys!

I have four years of networking experience. I have gone thru the entry-level jobs and made it. I want to continue to learn more about the networking field. I am not interested in getting paper certs. I want to understand what I am doing. My goal is to go for the CCIE and a degree in MIS. I appreciate your advice and welcome any further advice that you can give me on the subject.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65751t=65514
Re: ACS Database Repl Problem [7:63988]
Try the counterintuitive. There is another list there somewhere; I do not have ACS 3.0 up on here right now, but we DID see this before and spent many hours on it, just like you. :( My colleagues ran into this, and it was just because the prompts seemed counterintuitive on who is a replication partner or not. Try inverting them. I would do a personal backup first though before you try it. Unfortunately this was a few months ago, and I did not work on it directly, to tell you the precise prompt. However, try inverting them or looking for another subtle list of allowable servers. Or there was another odd list to denote who is allowed to replicate or not. It was very counterintuitive to my colleagues. I think we resolved this before TAC could, but if you could get them on the phone, ask them specifically which area you should be looking at. Let me see if I can get it loaded up, but there is one more odd list or something counterintuitive (it was definitely a list of 'adding' / 'removing' different servers).

I'm running two CiscoSecure ACS 3.0 servers on W2K and trying to replicate the database from one to the other. They can both see each other and are set up as replication partners. One is set to send all components and one to receive all components. They both have the other server listed under Accept replication from. Both are set for Manual replication, but when I click on Replicate Now, the screen refreshes immediately and the following message is logged in Reports and Activity under Database Replication:

02/27/2003 10:27:12 INFO Outbound replication cycle completed
02/27/2003 10:27:12 ERROR ACS '' has denied replication request
02/27/2003 10:27:08 INFO Outbound replication cycle starting...

The other server logs the following info:

02/27/2003 10:28:50 ERROR Inbound database replication from ACS '' denied

(Server names removed to protect the guilty.) It doesn't matter which server I try to kick off replication from. The other one always seems to deny it.
I did a search on cisco.com for this, but got nothing. If anyone can give me some guidance here or something to check, I'd appreciate it. thanks, Aaron

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64006t=63988
RE: ISS Real Secure Vs Cisco IDS [7:63461]-Automated IDS [7:63557]
I cut out some of the other messages to concentrate on one issue, automated IDS responses.

If your automated IDS responses result in an automated packet filter of any sort, I think you are doing yourself a disservice. You might stop some kiddies, but you are just leaving yourself wide open to professionals who can DoS you very easily. I suppose if everyone just started filtering at the edge to help prevent spoofing, but alas, that is not the reality of today's networks. It should be trivial for the attacker to DoS your systems beyond compare. For example, what if he spoofs a trusted host? Now your trusted host cannot have access anymore. OK, so what if you have exceptions for the trusted host? Now he has a host worth spoofing for: DoS the trusted host, assume the trusted host's identity. Easier said than done, and you can mitigate the risk with stuff like MAC address port locking and anti-spoofing ACLs, but just to give you some ideas that automated IDS responses can be particularly dangerous. Not even factoring in the possibility that you can lose accessibility to many systems, but most firewall products have some pitiful limitations (one can easily blow out any stateful firewall), and you can be assured your ACLs will grow to be so big your firewall just might keel over. I hope you've got default-closed systems. ;) But I suppose it won't matter at that point; your network will be down, or your IDS might be filled with so much garbage that you might not see the real attack come through for your forensics team to discover which hosts have been compromised.

Come on now, the Slammer worm? If you are security conscious this shouldn't have had any effect on you. Microsoft released a patch last summer. Security is a best-effort solution. It is about layers and maintenance. You cannot eliminate risk, you can only reduce risk. An IDS's responsibility is to pick up attacks on the wire, not prevent them. I personally don't believe in allowing my IDS to respond to an attack.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Lu
Sent: Friday, February 21, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Hi Troy,

Must be some secure site; the reason I was interested is that I had a discussion with someone else before in regards to multi-vendor IDS solutions and how effective they might be. So if you mostly rely on manual action, and an attack came in after hours, how quickly can you respond to your alerts? Since for some attacks, a half-hour response time could cause your site to be down (e.g. Slammer virus). If that was the case, even if you had all the vendors' IDS, it will be useless.

Albert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

As with most things, you need to weigh up costs against your requirements. In our case, security is absolutely essential, so having multivendor security solutions (and indeed fully redundant) is costly, but we see it as justified.

With regards to action during attacks etc., we mostly rely on manual actions as we don't want to inadvertently block legitimate traffic (for example if an attack came from a spoofed IP). For automatic action, you can make use of Cisco Policy Manager, which has the ability to dynamically rewrite ACLs on PIXes, routers, and indeed Cats according to data from IDS. So for example, if you were really paranoid (like we are), you could have PIXes as the first firewall, with IDS on the inside / DMZ etc. (using IDSM or standalone IDS), tie these together with Policy Manager... then taking a further step into your network, a set of Nokia FW1 NG, along with further Nokia IDS solutions on the inside, and tied together using the enterprisef software!
-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63557t=63557
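The two failure modes Carroll describes (a forged source address turning an automatic block into a denial of service against a trusted host, and a deny list that grows until the device keels over) can be worked through as a small simulation. The block below is an added example, not code from the post or from any IDS product; the alert records, the addresses, the trusted-host set and the "spoofable" flag (standing in for whatever a real sensor knows about whether the triggering traffic completed a TCP handshake) are all constructed assumptions.

```python
"""Added illustration of the auto-block trap discussed in the thread: it is
not code from the post or from any IDS product.  Alert records, addresses
and both policies are constructed for the example; the 'spoofable' flag
stands in for whatever a real sensor knows about whether the triggering
traffic completed a TCP handshake (assumed, not part of the original)."""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.ip_address

# Constructed: hosts the site cannot afford to lose (partner gateway, DNS).
TRUSTED = {IP("192.0.2.10"), IP("192.0.2.53")}


@dataclass
class Alert:
    src: str          # source address as the sensor reported it
    sig: str          # signature name
    spoofable: bool   # True if a single forged packet can raise this alert


class NaiveBlocker:
    """Policy A: every alert source goes straight into the deny list."""

    def __init__(self):
        self.acl = set()

    def handle(self, alert):
        self.acl.add(IP(alert.src))


class GuardedBlocker:
    """Policy B: never block a trusted host, hand alerts that a forged packet
    could have raised to a human or a correlation step instead of acting on
    them, and cap the deny list so it cannot grow without bound."""

    def __init__(self, max_entries=1000):
        self.max_entries = max_entries
        self.acl = set()
        self.deferred = []

    def handle(self, alert):
        src = IP(alert.src)
        if src in TRUSTED or alert.spoofable or len(self.acl) >= self.max_entries:
            self.deferred.append(alert)
            return
        self.acl.add(src)


def run(policy, alerts):
    """Feed every alert to the policy and return it for inspection."""
    for alert in alerts:
        policy.handle(alert)
    return policy


def trusted_blocked(policy):
    """Trusted hosts that the policy has locked out."""
    return TRUSTED & policy.acl


def spoof_stream(n_random=5000):
    """Constructed stream: one genuine scan (handshake completed), then UDP
    floods forged to look like the trusted hosts and like n_random other
    sources, as in the spoofing scenario from the post."""
    base = int(IP("100.64.0.0"))
    alerts = [Alert("203.0.113.7", "PORT-SCAN", spoofable=False),
              Alert("192.0.2.10", "UDP-FLOOD", spoofable=True),
              Alert("192.0.2.53", "UDP-FLOOD", spoofable=True)]
    alerts += [Alert(str(IP(base + i)), "UDP-FLOOD", spoofable=True)
               for i in range(n_random)]
    return alerts


def bloat_stream(n=1500):
    """Constructed stream of distinct, non-spoofable sources: the case
    where the deny list simply grows until the device cannot cope."""
    base = int(IP("100.64.64.0"))
    return [Alert(str(IP(base + i)), "SSH-BRUTE", spoofable=False)
            for i in range(n)]


if __name__ == "__main__":
    naive = run(NaiveBlocker(), spoof_stream())
    guarded = run(GuardedBlocker(), spoof_stream())
    print("naive policy locked out:", sorted(map(str, trusted_blocked(naive))),
          "with", len(naive.acl), "ACL entries")
    print("guarded policy locked out:", sorted(map(str, trusted_blocked(guarded))),
          "with", len(guarded.acl), "ACL entries,",
          len(guarded.deferred), "alerts left for review")
    print("bloat stream, naive ACL size:", len(run(NaiveBlocker(), bloat_stream()).acl),
          "guarded ACL size:", len(run(GuardedBlocker(), bloat_stream()).acl))
```

Policy A loses both trusted hosts to three forged packets and ends up with thousands of deny entries; Policy B blocks only the source that completed a handshake and leaves everything a forged packet could have produced for a person or a correlation step to look at, which is exactly the manual-action position Troy describes and the reason Carroll gives for not letting the sensor write filters on its own.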
OT Re: Snort versus Cisco IDS [7:62939]
Backing up what Craig said, Snort is probably better performing in terms of cost/performance than almost all the IDSes out there, including Cisco. It does not have an end-to-end solution to make one's life easier though, at least not out of the box. Of course, you will need some sort of a Unix background to set it up, and I do not mean installing Solaris with GUI tools. Pretty easy for anyone who has worked with a FreeBSD or a Linux box (without using GUI all over the place and/or RPMs everywhere). The idea of no GUI is probably quite daunting to enterprise-level engineers. You COULD make it have a lot of the enterprise-level features, but it requires a lot of work on your part, and of course no commercial support, so you are on your own. (So, add this to your end cost...)

If you want a GUI frontend to Snort, you can try Demarc, or what they call themselves now, PureSecure. There are also some freeware analyzers, but Demarc/PureSecure is definitely one of the nicest ones. Albeit it had some bugs; fortunately, since they give you their CGIs, if you know some Perl, you can patch it yourself before they get around to it (unless they changed this behavior; the last I used was 1.05). PureSecure DOES charge for commercial usage, which I suppose puts a damper on it. Their licensing is a bit ridiculous. However, the pricing should still be very competitive. It's a mixed bag, but if you know your Unix, it seems like Snort is a much cheaper IDS solution (if you know Unix and programming very well, the disadvantages aren't that big). If you don't, oh well, like all things in life, pay the price for one's ignorance. :)

Someone told me in an authoritative voice today that Cisco doesn't recommend their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a big part of SAFE? Of course, the person who said this doesn't understand that Cisco is a huge, chaotic organism, and that saying Cisco does something based on what one person does doesn't make sense.
But I'm just curious, what do you all recommend for intrusion detection? How do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more complicated, requiring appliances or IDS cards in a switch and a console:

Cisco Secure IDS Director - HP OpenView Network Node Manager plug-in that runs on UNIX (Solaris and HP-UX)
Cisco Secure Policy Manager (v2.2+) - Windows NT-based package

Thanks.
Priscilla

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62966t=62939
RE: SUBNET CLASS Ranges [7:11618]
I have done VLSM calculations in my head ever since I learned them in college. Unfortunately, some of the CCIEs I know of do not. I suppose that is still better than most to nearly all of the network administrators I met who have been working in the field for years and cannot understand any level of subnetting (What's a slash /24? That's so complicated; I just call it the 255.255.255.0), let alone even fathom binary numbers.

Just out of curiosity, how many CCIEs and people that have at least had a shot at the lab can comfortably do VLSM calculations in their heads? I think this is quite common among ISP operators, but I really don't know about people in an enterprise orientation. [EMAIL PROTECTED]

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60744t=11618
Re: CCIE Vs. BS or MS degree [7:59481]
But on the other hand, there are indeed a significant number of CCIEs out there to which I would never trust a production network. They're not 'paper' because they did pass the lab, but they are basically lab-CCIEs because lab work is the only thing they know. The 'lab-CCIE' (or perhaps the more pejorative term of 'lab-rat') is someone who has zero or minimal experience in a production environment. And let's not beat around the bush - a production network is totally different from a lab. One quick fix that I think Cisco should do for the program is something that the CISSP program does now - mandate X years of verifiable experience before you can attempt the lab. Or, if that seems too harsh, then perhaps Cisco can institute another program that sits on top of the CCIE (call it the CCIM or whatever) and have that program be not only hard, but also use verifiable experience as a pre-req.

This is not a personal attack on nrf; I do agree with him that there are many holes in the test that do undermine its authority as the domineering certification exam. However, I think we might be doing more harm than good. There are too many router caressers out there who would fulfill one qualification to take the exam yet totally fail due to their lack of speed, problem solving, and cognitive capabilities. Yet the qualified individuals with the skills I mentioned would be eliminated because they did not caress routers for a few years. Besides, how can the manager, who typically has far less technical prowess, be able to verify his employee has done his job to the finest of his ability? Too many times I have heard someone say, well, the way we did it in company XYZ is this way because that's the way we have been doing it for years (even if it's dead wrong, inefficient, and whatnot). I would be more frightened of the guy sitting in maintenance of a production network for years who never knew WHY things were the way they were.
The manager might think he was doing a great job in keeping the network up because the employee never set up anything. In fact, typically in a production network you are greatly discouraged from setting up anything intrusive in any way. (Oh no, moving to OSPF from RIP, can't do that now, better save that for 48 weekends!) Of course there are exceptions to the rule. Just, you can find people who have been doing aggressive setups with a fraction of the years of experience who can beat the crap out of anyone who has done the years of router caressing, simply because they do not have to work on that wait-until-the-weekend cutover time frame for every little change; instead they are working on quite a few turn-ups for different clients every weekend and supporting them.

I am trying to gear more towards agreement with Howard's earlier statements in reference to not being so worried about the person who did not know port 80 == HTTP but rather that there is a protocol over TCP etc. etc. Knowing the raw fundamentals down cold is a big plus, and filtering out qualified individuals because they were not allowed to router-caress for three years seems a bit unfounded.

When people say I know the theory about XYZ, the common belief is that they do not know it that well. My take on it is reversed: IF you know something, you can explain it cold, and IF you can explain the theory of something, you can teach it and explain it. So most people who say Yeah, I got the theory about FTP... NO, quit fooling yourself, you do not know it.

The CISSP's restriction has done little to stop their own flood of paper CISSPs. In fact, the same story goes there; people have seen quite a few CISSPs who know very little about real-world security. Ironically, they should be applying their knowledge to real-world products, but they typically fail since the kind of mentality of a person going for these certs is usually for the least amount of work for the most amount of money.
People still think the CCIE is a very difficult exam in its current form. Both tests have cheaters who sneak through. Maybe we should stop trying to fix the exam and increase awareness of what the exam guarantees in terms of deliverables. Perhaps it is just time for people to reevaluate their needs and their requirements for new employees rather than trying to fix up the one Examination to rule them all. Sorry, Sauron. (This was not directed at you, nrf, just... a little humor if you could catch the allusion.)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60656t=59481
Re: CCIE Vs. BS or MS dergree [7:59481]
You are correct. For most people, I think acquiring a PhD is more resources and time consumed than becoming a CCIE. Now, not to belittle the CCIE, it is still probably one of the hardest lab examinations in the IT field. However, all in all, for most people, it seems like the PhD would be harder. The issues on the CCIE, ultimately, are all in the router, all within Cisco's website. There is no rocket science. Such a finite set of material to study cannot possibly compare to the type of research of data for a PhD. While the thinking level during the exam can be complex, it does not compare to some of the things I ran into in college. It is more speed-oriented: have you tried all the combinations and do you know the common gotchas?

Sorry guys, I cut a bit out of everyone's responses to stay more focused. While I do not have a PhD, just from reading about it and seeing others go for it, and realizing how many YEARS it takes to get it, I agree, acquiring a PhD is probably much harder than acquiring the CCIE. On average, a fairly bright guy can get the CCIE within a year. If even more motivated, probably a few months (ignoring other priorities and issues). Try that with a PhD.

Much like John mentions, comparing the two is like comparing apples and oranges. The material covered in each area is very different. A PhD is much more theory-oriented and there's a lot more of the "why" types of thinking. I don't have a CCIE, so can't say for sure, but here's my take on doing the exams up to and including the CCIE written. Everyone gets the list of books to read, and if you know the information in these references, you'll pass the tests. Note that with commercial study guides, practice labs, practice tests, and courses geared specifically to pass these tests, there's plenty of external help available to help make it through the CCIE written. As far as I know, as long as you're willing to pay, you can take the tests over and over again until you pass.
This aspect is not true when working on a PhD.

John Neiberger wrote: MS- or PhD-level coursework is more difficult than what you'll run into studying for the CCIE, but they don't really cover the same subject matter, so it's really apples and oranges. So, my opinion? You're comparing apples to oranges, but an MS or PhD is tougher than CCIE if you're going to a reputable school. Regards, John

Black Jack 12/18/02 12:05:01 PM: I suppose a CCIE is sort of a Ph.D. of networking. Studying for and taking the written is the equivalent of coursework, then doing hands-on to prepare for the lab is like research for your dissertation, then the lab test represents the oral exam. But I wouldn't stretch the analogy too far. For one thing, the quality and difficulty of computer science graduate schools varies greatly. Just getting into one of the top programs is probably harder than CCIE. And for another, the two programs don't really test the same skills, do they? (Though they surely overlap.)

Mic shoeps wrote: Hello, I've been arguing with a colleague of mine which one would be tougher to achieve. I told him that it would be much harder to get a computer science or a networking degree (you have to take the GRE and complete 2 or 3 years of school work) than a CCIE, but my colleague thinks otherwise. He literally believes that having a CCIE is equivalent to having a Ph.D. in Networking. I'd like to hear your thoughts. [EMAIL PROTECTED]

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60021t=59481
RE: OT - Possible Attack???? [7:59813]
    Protocol      Total    Flows  Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
                  Flows     /Sec    /Flow   /Pkt     /Sec        /Flow      /Flow
    TCP-Telnet       41      0.0        5     40      0.0         31.3       14.4
    TCP-FTP          87      0.0        7     65      0.0         17.0       12.1
    TCP-FTPD         27      0.0      135    211      0.0         83.0        3.5
    TCP-WWW       43121      0.3        8    335      2.8          3.6        2.7
    TCP-SMTP       1137      0.0        6    173      0.0          9.8        9.7
    TCP-BGP           1      0.0      673     68      0.0       1796.8        3.6
    TCP-Frag          2      0.0        1     40      0.0          0.0       15.5
    TCP-other     33285      0.2       14    246      3.7         24.0       10.3
    UDP-DNS        6005      0.0        1     73      0.0          1.3       15.4
    UDP-NTP          10      0.0        1     76      0.0          0.0       15.4
    UDP-other     13772      0.1        6     78      0.7          1.2       15.5
    ICMP           2904      0.0        3     72      0.0         19.1       15.4
    IP-other      20559      0.1      148     20     24.5          6.8       15.4
    Total:       120951      0.9       33     76     32.2          9.9        9.4
    . . .
    SrcIf   SrcIPaddress   DstIf       DstIPaddress   Pr  SrcP  DstP  Pkts
    Fa0/1   127.0.0.124    Se1/2.500   108.122.0.0    00               285
    Fa0/1   127.0.0.125    Se1/2.500   108.122.0.0    00                38
    Fa0/1   127.0.0.122    Se1/2.500   108.122.0.0    00                35
    Fa0/1   127.0.0.123    Se1/2.500   108.122.0.0    00               296
    Fa0/1   127.0.0.120    Se1/2.500   108.122.0.0    00                33
    Fa0/1   127.0.0.121    Se1/2.500   108.122.0.0    00                36
    Fa0/1   127.0.0.118    Se1/2.500   108.122.0.0    00                52
    Fa0/1   127.0.0.116    Se1/2.500   108.122.0.0    00               189
    Fa0/1   127.0.0.117    Se1/2.500   108.122.0.0    00               277
    Fa0/1   127.0.0.114    Se1/2.500   108.122.0.0    00                32
    Fa0/1   127.0.0.115    Se1/2.500   108.122.0.0    00               215
    Fa0/1   127.0.0.112    Se1/2.500   108.122.0.0    00               177
    Fa0/1   127.0.0.113    Se1/2.500   108.122.0.0    00                80
    Fa0/1   127.0.0.110    Se1/2.500   108.122.0.0    00               234
    Fa0/1   127.0.0.111    Se1/2.500   108.122.0.0    00               279
    Fa0/1   127.0.0.108    Se1/2.500   108.122.0.0    00               171
    Fa0/1   127.0.0.109    Se1/2.500   108.122.0.0    00               139
    Fa0/1   127.0.0.106    Se1/2.500   108.122.0.0    00               151
    Fa0/1   127.0.0.107    Se1/2.500   108.122.0.0    00                57
    Fa0/1   127.0.0.104    Se1/2.500   108.122.0.0    00                67
    Fa0/1   127.0.0.105    Se1/2.500   108.122.0.0    00                34
    Fa0/1   127.0.0.102    Se1/2.500   108.122.0.0    00               272
    Fa0/1   127.0.0.103    Se1/2.500   108.122.0.0    00               144
    Fa0/1   127.0.0.100    Se1/2.500   108.122.0.0    00                88
    . . . .

The list goes on and on showing 127.x.x.x. Notice that the incoming interface is my Fast Ethernet interface, but the incoming source address is a 127.x.x.x.
It is going out my WAN link (the same one that has been peaking at ~20MB), destined to a bogus network. The protocol is bogus as well. I enabled an access-list to block this 127.x.x.x address inbound on my FE interface, and that seems to have taken care of the spikes, but the problem is still present. Anyone have any ideas what this could be? Thanks, Mario Puras, SoluNet Technical Support, Mailto: [EMAIL PROTECTED], Direct: (321) 309-1410, 888.449.5766 (USA) / 888.SOLUNET (Canada) [EMAIL PROTECTED]

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59927t=59813
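What Mario's flow table shows is the classic ingress anti-spoofing signature: packets arriving on a LAN interface with a source address that could never legitimately originate there (127/8), carrying a protocol number (0) nothing real uses, heading for a single remote prefix. The following Python is an added example, not part of Mario's post or the thread, that parses `show ip cache flow` style rows, flags exactly those conditions, and emits the inbound extended ACL you would hang on the LAN interface. The sample rows, the interface name and the "expected source" prefixes (192.0.2.0/24 and 10.1.1.0/24 on Fa0/1) are constructed assumptions for the example; substitute the prefixes that actually live behind your own FE interface.

```python
import ipaddress

# Constructed sample flows (not the poster's data), in the column order of
# `show ip cache flow`: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# (Pr and the ports are hex, as IOS prints them).
SAMPLE_FLOWS = """\
Fa0/1 127.0.0.124 Se1/2.500 108.122.0.0   00 0000 0000 285
Fa0/1 127.0.0.125 Se1/2.500 108.122.0.0   00 0000 0000 38
Fa0/1 192.0.2.10  Se1/2.500 198.51.100.5  06 0C1F 0050 412
Fa0/1 10.1.1.7    Se1/2.500 198.51.100.53 11 8A12 0035 3
Fa0/1 0.0.0.0     Se1/2.500 108.122.0.0   00 0000 0000 9
"""

# Assumption for the example: the only prefixes that legitimately source
# traffic on each LAN-facing interface (what an ingress ACL would permit).
EXPECTED_SOURCES = {
    "Fa0/1": [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("10.1.1.0/24")],
}

# Blocks that are never valid as a source address arriving on a LAN interface.
NEVER_SOURCE = [ipaddress.ip_network(p) for p in
                ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


def parse_flows(text):
    """Parse `show ip cache flow` style rows into dicts; skip anything that is not a row."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue
        src_if, src, dst_if, dst, pr, sp, dp, pkts = parts
        flows.append({"src_if": src_if, "src": ipaddress.ip_address(src),
                      "dst_if": dst_if, "dst": ipaddress.ip_address(dst),
                      "proto": int(pr, 16), "sport": int(sp, 16),
                      "dport": int(dp, 16), "pkts": int(pkts)})
    return flows


def classify(flow):
    """Return the list of reasons a flow fails ingress sanity checks (empty if clean)."""
    reasons = []
    if any(flow["src"] in n for n in NEVER_SOURCE):
        reasons.append("reserved-source")
    elif not any(flow["src"] in n for n in EXPECTED_SOURCES.get(flow["src_if"], [])):
        reasons.append("unexpected-source")
    if flow["proto"] == 0:          # IPv4 protocol 0 is reserved; nothing real uses it
        reasons.append("protocol-0")
    return reasons


def find_spoofed(text):
    """Map each offending source address to (total packets, sorted reasons)."""
    hits = {}
    for f in parse_flows(text):
        reasons = classify(f)
        if reasons:
            pkts, prev = hits.get(str(f["src"]), (0, []))
            hits[str(f["src"])] = (pkts + f["pkts"], sorted(set(prev) | set(reasons)))
    return hits


def ingress_acl(iface, number=101):
    """Build the inbound extended ACL for `iface`: log-and-drop reserved sources,
    permit only the expected prefixes, and rely on the implicit deny for the rest."""
    lines = []
    for n in NEVER_SOURCE:
        lines.append(f"access-list {number} deny ip {n.network_address} {n.hostmask} any log")
    for n in EXPECTED_SOURCES[iface]:
        lines.append(f"access-list {number} permit ip {n.network_address} {n.hostmask} any")
    return lines


if __name__ == "__main__":
    for src, (pkts, why) in find_spoofed(SAMPLE_FLOWS).items():
        print(f"{src:15} {pkts:6} {', '.join(why)}")
    print("\n".join(ingress_acl("Fa0/1")))
```

The `log` keyword on the deny lines matters more than the drop itself: with the ACL applied `ip access-group 101 in` on the LAN interface, the logged hits (or a `show ip cache flow` filtered on the offending sources) give you the MAC-level neighbour to go find with `show ip arp` and `show mac-address-table`, which is the part of Mario's problem the ACL alone does not solve.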
Re: hate cisco's new site? [7:56236]
Well, a few workarounds. You can just go straight to the documentation CD (right now the site seems down for me, ugh, so I cannot verify 100%; the links are pretty close, and if you navigate hard enough it really just links back to the universal CD anyway): http://www.cisco.com/univercd/

OR just go to the bottom right and click on GO TO THE OLD SITE. And presto, you get your old site back. Ironically, it usually takes a very long time to load the old site.

As for general navigation, if you guys want to find docs, I think it was under Support, Hardware (for stuff like the PIX) and Software for IOS; then you can drill down and one of them eventually brings you back to the universal CD. ;)

While I hate it too, come on guys, we are powerful Cisco Study candidates; we should be able to solve anything that comes up quickly! If we can crunch Cisco problems we can navigate this new nasty site as well! :)

I used to bitch about the old one and am now totally screwed... I guess I'll learn to like it ;-( Tim

sam sneed wrote in message news:200210241956.TAA01985;groupstudy.com... Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56282t=56236
Re: Firewall [7:55547]
You have not mentioned any issues though. So I will guess you are somehow unhappy with the default PIX behavior. Did you want to deny all ICMP requests? By default, after a certain rev of PIX code, ICMP allows are on by default.

    icmp deny any outside
    icmp deny any inside

Once you place these rules, there will be a 'default deny' afterwards, so if you do

    icmp permit host 1.2.3.4 inside

then... all hosts on the inside except for 1.2.3.4 can ping it.

As for allowing people to ping through the PIX, I am not sure if a static or anything like that would work (along with an ACL). It doesn't seem to make much sense to allow an outsider to ping the inside of a PIX anyway. Typically, the theory behind the PIX (at least in its latest incarnation) is that ACLs generally only apply to traffic traversing THROUGH the PIX, not terminating at the PIX or any of its interfaces. For that, you need to find the magic fudge command, and in this case the icmp commands are the fudge that determine whether ICMP will be permitted on the PIX's inside or outside addresses. This is all well documented under this URL, assuming code rev 6.2 (you can just go up a tree to find the other revs): http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/bafwcfg.htm

I have a PIX 525. I am trying to bring it up on my network. It is installed virtually between my router and my ISP's router. While testing, I noticed that from an inside host, I could ping my inside interface on the PIX, but not the outside interface. From the ISP, they could ping my outside interface but not my inside interface. From the PIX I can ping my outside interface and beyond. Any suggestions? Naomi James, Computer Services and Information Technology, Savannah State University, 912-356-2509

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6t=55547
Re: OSPF area 0 [7:45995]
If I remember correctly, yes, area 0 routers must always have a way to connect to each other. It does not have to be a full mesh (if that is what you mean by contiguous). Three routers in a mesh would be fine if one link broke. Now, if an area 0 router loses all connectivity to the other area 0 routers (in your case, isolate one point of the triangle by losing TWO links), then your network gets borked. You will need a virtual link (if at all possible), or... well... your network is broken? :)

Hi group, Is there any condition that OSPF area 0 must be contiguous? I remember reading this somewhere on CCO. Is this true? For a situation with three OSPF routers connected in a triangle shape, what if one of the links goes down? Has anyone experienced this situation? Please show me some documents related to this. Thanks in advance, J.

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46010t=45995
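The "contiguous" requirement Carroll describes is just graph connectivity of the backbone: area 0 is fine as long as every area 0 router can still reach every other one over area 0 links, and it is partitioned the moment that stops being true, which is when a virtual link (or another physical link) is needed. The following Python is an added example, not from the thread, that takes a backbone topology and enumerates which link failures (single or simultaneous) would split it. The three-router triangle from J.'s question is the constructed sample topology; the router names are assumptions.

```python
from itertools import combinations

# Constructed topology: the three area 0 routers in a triangle from the question.
BACKBONE_LINKS = [("R1", "R2"), ("R2", "R3"), ("R1", "R3")]


def components(links, failed=()):
    """Connected components of the backbone once the links in `failed` are down."""
    down = {frozenset(l) for l in failed}
    adj = {}
    for a, b in links:
        adj.setdefault(a, set())
        adj.setdefault(b, set())
        if frozenset((a, b)) in down:
            continue            # link is failed: keep the routers, drop the adjacency
        adj[a].add(b)
        adj[b].add(a)
    seen, comps = set(), []
    for start in adj:           # plain depth-first search from each unseen router
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(adj[node] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return sorted(comps, key=lambda c: sorted(c))


def backbone_contiguous(links, failed=()):
    """True while every area 0 router can still reach every other one through area 0."""
    return len(components(links, failed)) == 1


def partitioning_failures(links, max_failed=2):
    """Every set of up to `max_failed` simultaneous link failures that splits area 0.
    Each entry is a case where a virtual link or an extra backbone link would be needed."""
    out = []
    for k in range(1, max_failed + 1):
        for combo in combinations(links, k):
            if not backbone_contiguous(links, combo):
                out.append(combo)
    return out


if __name__ == "__main__":
    for combo in partitioning_failures(BACKBONE_LINKS):
        print("losing", combo, "->", components(BACKBONE_LINKS, combo))
```

For the triangle, no single link failure partitions the backbone, and every pair of failures that shares a router isolates that router; running it against a real backbone (links pulled from `show ip ospf neighbor` on each area 0 router) tells you which double failures you are not protected against before a virtual link becomes an emergency change.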
Re: static route for port 21-theory rules. [7:45682]
e) opens another data connection. (In Active mode, these data connections come from the server's port 20.)

Now, if you're using Passive mode, the client opens the data connection, from an ephemeral port to an ephemeral port on the server. Here are the steps:

1. The client sends a TCP SYN to the well-known FTP control port (port 21) on the server. The client uses an ephemeral port as the source port.
2. The server sends the client a SYN ACK from port 21 to the ephemeral port on the client.
3. The client sends an ACK. The client uses this connection to send FTP commands and the server uses the connection to send FTP replies.
4. When the user requests a directory listing or initiates the sending or receiving of a file, the client software sends a PASV command to the server indicating the desire to enter passive mode.
5. The server replies. The reply includes the IP address of the server and an ephemeral port number that the client should use when opening the connection for data transfer.
6. The client sends a SYN from a client-selected ephemeral port to the server's ephemeral port number, which was provided to the client in the reply to the client's PASV command.
7. The server sends a SYN ACK from its ephemeral port to the client's ephemeral port.
8. The client sends an ACK.
9. The host that is sending data uses this new connection to send the data in TCP segments, which the other host ACKs. (With some commands, such as STOR, the client sends data. With other commands, such as RETR, the server sends data.)
10. After the data transfer is complete, the host sending data closes the data connection with a FIN, which the other host ACKs. The other host also sends its own FIN, which the sending host ACKs.
11. The client can send more commands on the control session, which may cause additional data connections to be opened and then closed. At some point, when the user is finished, the client closes the control connection with a FIN. The server ACKs the client's FIN.
The server also sends its own FIN, which the client ACKs.

The gist of your problem is these multiple connections that happen. I assume that HTTP works fine. That's probably because it opens only one connection. So, is there some more advanced configuration you can do to make FTP work? That's the question. As for your idea of fixing the problem with a static route, I'm afraid that won't work because static routes don't let you specify a port number. Would policy routing work? It's going to be tricky, though, because of those ephemeral ports. Maybe you could just pull one of the connections when you do FTP! ;-)

HTH, Priscilla
Priscilla Oppenheimer http://www.priscilla.com

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45717t=45682
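The reason a stateful firewall or "FTP fixup" has to read the control channel is visible in Priscilla's steps 4 to 6: the second connection's endpoints exist only inside the PASV reply (or, in active mode, inside the client's PORT command). The following Python is an added example, not part of Priscilla's post, that decodes both messages, works out the data connection each transfer needs, and refuses the two things a firewall must refuse: an endpoint that is not the host on the other end of the control connection (the FTP "bounce" attack RFC 2577 warns about) and a privileged port. The addresses 192.0.2.10 (client), 192.0.2.20 (server) and the sample messages are constructed for the example.

```python
import ipaddress
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple FTP uses in PORT commands and 227 replies."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return host, port


def parse_pasv_reply(reply):
    """Server reply to PASV (step 5 above), e.g. '227 Entering Passive Mode (192,0,2,20,195,80)'."""
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    return _decode_hostport(reply)


def parse_port_command(cmd):
    """Client PORT command in active mode, e.g. 'PORT 192,0,2,10,4,1'."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("expected a PORT command, got %r" % cmd)
    return _decode_hostport(cmd)


def data_connection(mode, client_ip, server_ip, message):
    """Work out the data connection one transfer needs, given the control-channel
    message that announced it. Refuses endpoints that are not the two hosts of the
    control connection (the bounce check from RFC 2577) and privileged ports.
    Returns (initiator_ip, initiator_port_or_None, target_ip, target_port)."""
    client, server = ipaddress.IPv4Address(client_ip), ipaddress.IPv4Address(server_ip)
    if mode == "passive":
        host, port = parse_pasv_reply(message)
        if host != server:
            raise ValueError("PASV address %s is not the server %s" % (host, server))
        if port < 1024:
            raise ValueError("server advertised privileged port %d" % port)
        return (client, None, host, port)      # client ephemeral -> server ephemeral (step 6)
    if mode == "active":
        host, port = parse_port_command(message)
        if host != client:
            raise ValueError("PORT address %s is not the client %s" % (host, client))
        if port < 1024:
            raise ValueError("client asked for privileged port %d" % port)
        return (server, 20, host, port)        # server port 20 -> client ephemeral port
    raise ValueError("mode must be 'active' or 'passive'")


def is_allowed(mode, client_ip, server_ip, message):
    """Boolean form of data_connection() for use as a policy check."""
    try:
        data_connection(mode, client_ip, server_ip, message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(data_connection("passive", "192.0.2.10", "192.0.2.20",
                          "227 Entering Passive Mode (192,0,2,20,195,80)"))
    print(data_connection("active", "192.0.2.10", "192.0.2.20", "PORT 192,0,2,10,4,1"))
```

The tuple `data_connection` returns is exactly the pinhole a stateful device opens for the life of one transfer, which is also why Priscilla's static-route and policy-routing ideas struggle: the port is different every time and is only knowable by reading the control channel.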
Re: what is wrong with the job market ? [7:35611]
At 09:51 PM 2/18/02 -0500, Kevin St.Amour wrote: Just a thought. Just as there is a glut of fiber, I believe the market created a glut of tech workers. I remember going to a technical school, and before slapping down 15k for a networking degree in 1998 (BTW, the school went under a year ago: http://clcx.com) I heard numbers like "This industry will be behind 500k tech workers due to lack of skill by 2004... Get the skills now" (paraphrasing). -Kevin

I do not know about you, but on average, most of the guys I see in the industry are woefully inept and incompetent. I am shocked they get paid anything even close to the amount they do. If one thing is for certain, we definitely need BETTER guys out there. However, it seems like most companies do not realize what good people are. Such a disparity only helps in the downturn. What is sad is, instead of appreciating technical ability and learning capacity, most companies are doing a fire sale and axing what few good people they have, while some of the incompetent upper management survive due to nepotism and whatnot. So, while I agree a downturn is occurring, I do NOT agree that there is an oversupply of qualified individuals. I would say 60-80% of the IT people I meet are inadequate.

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35826t=35611
Re: 2924XL and Blue Screen of Death: Resolved [7:33203]
At 10:57 AM 1/25/02 -0500, John Neiberger wrote: Well, sort of resolved. This turned out to be a known issue with Dell machines, specifically machines using a 3COM 3C905C NIC. They expect the network to be available almost immediately upon bootup and can't handle the delay caused by spanning tree. In some cases, even portfast did not reduce the time sufficiently. So, watch out for those 3COM NICs! John

Disable portfast, disable channeling, disable trunking on all user ports, and it will be fast enough. Also, you might want to lock the speeds.

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33219t=33203
Re: pix problem [7:33184]
A few quick thoughts on what might be messing this up. You have no default route for your DMZ. If you planned on having the DMZ map back to the outside properly, your global does not indicate so. Also, you do not seem to have any globals which match the nat ids for the dmz.

At 09:35 AM 1/25/02 -0500, cage wrote: The following is my configuration of a PIX 525. Now the nodes in the DMZ cannot connect to the outside. Why? And do I have to use the NAT command for the traffic from the DMZ to the outside? It seems that the PIX can't route the DMZ traffic to the outside. Help me, please!

    sh conf
    : Saved
    :
    PIX Version 6.0(1)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    nameif ethernet3 intf3 security15
    nameif ethernet4 intf4 security20
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 1720
    fixup protocol rsh 514
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list acl_in permit tcp any host 202.99.33.69 eq smtp
    access-list acl_in permit tcp any host 202.99.33.72 eq www
    access-list acl_in permit tcp any host 202.99.33.66 eq domain
    access-list acl_in permit tcp any host 202.99.33.67 eq domain
    access-list acl_in permit icmp any any
    access-list ping_acl permit icmp any any
    pager lines 30
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    interface ethernet3 auto shutdown
    interface ethernet4 auto shutdown
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu intf3 1500
    mtu intf4 1500
    ip address outside 210.82.34.29 255.255.255.0
    ip address inside 192.168.4.1 255.255.255.0
    ip address dmz 202.99.33.254 255.255.255.0
    ip address intf3 127.0.0.1 255.255.255.255
    ip address intf4 127.0.0.1 255.255.255.255
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside 0.0.0.0
    failover ip address inside 0.0.0.0
    failover ip address dmz 0.0.0.0
    failover ip address intf3 0.0.0.0
    failover ip address intf4 0.0.0.0
    pdm history enable
    arp timeout 14400
    global (dmz) 1 202.99.33.73 netmask 255.255.255.0
    nat (inside) 1 0 0
    nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
    static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
    static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
    static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
    static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
    access-group acl_in in interface outside
    access-group ping_acl in interface dmz
    route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5
    terminal width 80
    Cryptochecksum:3be86ece2c90058e0c9190f986717d63
    pixfirewall#

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33202t=33184
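Carroll's second point, that the nat ids have no matching globals, is the kind of thing worth checking mechanically, because on PIX 6.x every flow from a higher-security interface to a lower one needs a translation (a matching `global`, a `static`, or `nat 0`) or the firewall drops it silently. The following Python is an added example, not from the thread, that parses the `nameif`, `nat` and `global` lines of a PIX 6.x configuration and reports every `nat (iface) id` that has no `global (lower-iface) id` on some lower-security interface. The excerpt it runs on is a trimmed, constructed version of cage's config (only the lines the check needs); the `global (outside) 1 interface` line used to show the fix is an assumption about how one would repair it.

```python
import re

# Constructed excerpt modelled on the posted config (trimmed to the relevant lines).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (dmz) 1 202.99.33.73 netmask 255.255.255.0
nat (inside) 1 0 0
nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")


def parse_pix(text):
    """Return ({iface: security level}, [(iface, nat id)], {(iface, global id)})."""
    levels, nats, globals_ = {}, [], set()
    for line in text.splitlines():
        line = line.strip()
        m = NAMEIF.match(line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = NAT.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2))))
            continue
        m = GLOBAL.match(line)
        if m:
            globals_.add((m.group(1), int(m.group(2))))
    return levels, nats, globals_


def missing_globals(text):
    """For each `nat (iface) id` with id != 0, list the lower-security interfaces that
    have no `global (that-iface) id`. Traffic from `iface` toward those interfaces
    has no translation to use and PIX 6.x drops it. Returns sorted (iface, id, lower)."""
    levels, nats, globals_ = parse_pix(text)
    problems = []
    for iface, nat_id in nats:
        if nat_id == 0:
            continue                      # nat 0: identity, no global needed
        for other, level in levels.items():
            if level < levels[iface] and (other, nat_id) not in globals_:
                problems.append((iface, nat_id, other))
    return sorted(problems)


if __name__ == "__main__":
    for iface, nat_id, lower in missing_globals(SAMPLE_CONFIG):
        print(f"nat ({iface}) {nat_id} has no global ({lower}) {nat_id}")
```

Run against the sample it reports that `nat (inside) 1` has a global on the dmz but none on the outside, so inside hosts could reach the DMZ yet never the Internet; adding `global (outside) 1 interface` (PAT to the outside address) clears it. The DMZ's own `nat (dmz) 0` is identity NAT and is deliberately exempt, which is why the check does not flag it even though the DMZ is the interface cage was asking about.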
Re: Slightly OT: 2924XL and Blue Screen of Death [7:32536]
I have seen this happen when you have a speed and duplex mismatch (actually 10BaseT hooking into a 100BaseT hub with no dual-speed mechanism, old school stuff). Then when you go into Network Neighborhood, BOOM. Check that first. This might be the case if the NICs are only 10BaseT hooking into a 100BaseT switch that might be locked at that speed.

At 09:46 AM 1/21/02 -0500, Patrick Ramsey wrote: Have you enabled portfast? Sometimes things like this can happen because the client is having difficulties seeing traffic to bind to. It takes forever on a Cisco switch to get a good link if portfast is not enabled. -Patrick

Chuck Larrieu 01/18/02 05:50PM: Have you tried this particular machine in the other switches? Sometimes a bad Windows installation on a PC will blue screen no matter what.

John Neiberger wrote in message news:[EMAIL PROTECTED]... We're having an interesting issue that just appeared recently. We have some Dell PCs running Netware 6 and new client software. We're not sure why, but if one of these machines is connected to a 2924XL switch, it regularly experiences a blue screen of death either at login or within 5 minutes of login. We have identical machines that operate fine if they're connected to our Bay switches or Cisco 1900 switches. Have any of you seen anything like this?? That makes no sense to me. The only difference I've been able to determine is that Spanning Tree is turned off on those particular Bay switches and 1900 switches, yet it is turned on on the 2924XL switches. So, perhaps these PCs are reacting badly to STP BPDUs. Any thoughts? Our LAN people are doing some testing with different NIC software and Novell client software and I'll post back to the list if we determine the actual cause of the issue. But can you think of why it would only happen if they're connected to a 2924?

Thanks, John

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32691t=32536
RE: Stupid Question [7:32591]
Reason being that NTFS is a journalled file system. Not sure on NT 3.51's version of NTFS, but if you say so, probably true (not meant to be sarcastic, but sincere). As for the SQL database, depending on whether it had good rollback mechanisms to avoid corruption, it may or may not get corrupted, as you said. As for the Unix systems, most of them use UFS, which is not a journalled file system. However, I do not know of many OSes or distributions that let you add in a journalled FS. One that comes to mind is Linux with ReiserFS (Linux comes stock with ext2fs). (You can add in journalled file systems afterwards; one commercial Unix that comes to mind that comes stock and barrel with a journalled FS is the venerable Irix with its XFS.) Go ahead, pull the plug on him, he won't care. No fsck on startup. Just smooth rolling.

If you note the pattern here, it is a function of the file system (or in the database's case, how it retains data and does integrity checks, and whether it has rollback recovery to avoid data loss or undo bad transactions). Not sure if I can give a definitive reason why the Ciscos do not fear such things. Probably because it is not usually writing data very often, and the data it writes is essentially a text file (NVRAM configuration). The OS in itself is a static flash file that never needs to be overwritten during normal runtime operation, only during upgrades. This is totally different on a fully blown OS that has crazy writes usually going on during operation, or even if it did not, has a good reason to double check for file integrity. The Cisco router was meant to be more of an appliance-like machine, so its behavior makes sense, and so does its obvious resistance to the occasional power plug pull.

At 06:42 PM 1/21/02 -0500, Mark Odette II wrote: H. Funny, last I checked, you could turn off in mid-boot process, pull the plug in mid-shutdown process, or yank the power to the UPS (and no battery left) with all NT machines running (NT3.51 - W2K), and the system would never miss a beat in start-up file system recovery. Now do that to NT servers with Oracle or some SQL-type application server running on it, and it may have data corruption, but that's only with the DBs... and that happens no matter WHAT the platform. Now, then again, try doing the above listed tasks of brutality to a Sun box, an SCO box, or an ATT Unix box, and watch the games begin as inodes fly everywhere and the file system checker starts griping about how unhappy it is, and I wouldn't be surprised if an AIX or SGI box did the same. DB server or not. Sorry... just gotta love those MickeySoft stabs that have no meaning other than for slander.

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, January 21, 2002 12:42 PM To: [EMAIL PROTECTED] Subject: RE: Stupid Question [7:32591] Just turn them off or simply unplug them. Fortunately the IOS was not written by Microsoft and nothing will get corrupted!!! -Serge.

Richard Tufaro wrote: What is the proper way to shut down a router? Not reload, but shut down? Just flick the switch? Seems too brutal to me. Richard Tufaro - MCSE - GSEC - CCNA, Network Engineer - Anda Inc. [EMAIL PROTECTED] MSN IM - [EMAIL PROTECTED]

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32771t=32591
Re: BGP AS Number [7:32107]
Verio blocks it. I believe they even required up to /20.

At 10:35 AM 1/16/02 -0500, John Neiberger wrote: That may be true in some cases, but a /24 will work just fine. Our organization is multihomed and we advertise a /24 to two providers. I have yet to notice any reachability issues. Perhaps there might be portions of the net that filter our address range, but I've checked numerous looking glass sites and have yet to see one where our specific prefix didn't appear.

Eric 1/15/02 10:36:26 PM: IMHO, you will need at least a /21 as some ISPs set policies that will filter anything less. Best bet is to pick up a copy of Internet Routing Architectures, Second Edition, ISBN 1-57870-233-X. This book will also introduce you to the third item to consider when connecting to two ISPs: symmetry. Regards, Eric

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32171t=32107
Re: OT: Displaying Certifications [7:31196]
You are right. It is a preliminary and is not a certification. My guess is the purpose is either to confuse people into believing they are a CCIE, or to get the most credibility that you can without outright lying (at least they are not saying they ARE CCIEs). It depends on the clue level of the hiring manager. Most people do not know how Cisco's certification structure goes, and may very well believe the CCIE Written is a legitimate certification. This is going to vary wildly depending on the location and intelligence of the hiring managers across the world. Is it normal practice to try to overextend what you know? Of course. Is it a practice I condone or do myself? No. However, I never did feel that people who caressed routers and called TAC for every single trivial problem for 5 years have 5 years of experience in the networking field. Do people still do it? Yes. Will they still be doing it even after I have turned into worm food? Most likely yes. It will be a different context, but people will be overextending what they claim to know and their abilities all the time.

At 03:24 PM 1/7/02 -0500, juno vtv wrote: I have noticed that people who have passed their CCIE written exam will put "CCIE Written" under their name. I would like to know why. I personally don't believe that the written exam is a certification but more of a preliminary. What is the purpose of putting CCIE written after your signature? Hiring managers: What are your thoughts when you see a resume with CCIE written on there? Is that misleading? I am asking this out of curiosity. I do not know if this is a normal practice or not. I would like to see people's thoughts on this. -junovtv

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31203t=31196
Re: OT Request; LAN/WAN monitoring software [7:31227]
Please do not hold me to the gun on it, but I believe you can run SNMP managers such as Castle Rock, and Netcool seems to be OK. I think Concord might work as well. I have not deployed these myself, just seen my clients run them. Running SNMP on all of your machines can have drastic security consequences. Be careful.

At 07:45 PM 1/7/02 -0500, Michael Smith wrote: A bit off topic, but I would appreciate any suggestions. Looking for a software solution, not UNIX based, that has capabilities to centrally monitor hardware and network traffic on a small LAN/WAN network that contains HP switches, Cisco routers and Compaq servers. HPOV is not an option; the end user is not a UNIX guru, and the network is Win2k based. Any suggestions would be most appreciated. Regards, Michael Smith

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31233t=31227
Re: OT - Firewall performance Comparisons - is it quitting time [7:30675]
Funky Unix exploits tend to only happen when people, for some odd reason, decide to open up public services on those machines. The same problem exists with NT, but usually it has silly library sploits as well. Any decent security admin can lock down any box running any OS. The problem I would fear in using an OS-based vs. appliance-based firewall is making sure they cannot do more damage with it. A hacked Unix box can do oodles more damage than a hacked Windows box. Of course, you can lock down the amount of binaries on the machine to make it very hard to continue attacking. These are super hardened boxes. Disabling services, any good admin can do in his sleep. Hardening the box by removing specific binaries is a bit more difficult.

Have you checked the Nokia 440s or 330s appliance-like boxes? They run a BSD variant (IIRC), and are quite secure OS-wise. Yes, Checkpoint runs on them as well. Now, Checkpoint's security issues, that's a different story. You will find most of the security holes in Checkpoint are because of Checkpoint itself, not the OS. As for running it under NT, all I can say to the man who suggested it is, "What are you thinking?" On the side, PIX has flaws too. To be fair, I do not think there has been any firewall product released without a security exploit either in its rule handling or in its management interface.

I think Checkpoint can interoperate with some other devices as well. So this is not a big deal. Supposedly, skip Checkpoint-specific tech support and get it from Nokia. Nokia surprisingly has better Checkpoint guys than Checkpoint themselves.

I agree that anything command-line based can be configured far faster. I think we all know the reason why people still go with Checkpoint. For some odd reason, some companies either believe that having an easier-to-use firewall will allow for a more secure network (insert your laughter here), or they believe that command-line firewalls are too hard to use (insert more laughter). Sigh. My take on it:

If you do not understand firewalling theory, you will not understand it with or without a GUI. Syntax aside, but that's trivial. Ask any programmer who can make this analogy. The key is understanding fundamentals, not understanding mouse clicks. Finally, I am not arguing for or against the PIX or Checkpoint. Personally, I find they both have glaring problems that I am shocked to find. They also have their own specific advantages. However, I find some of your points are not necessarily valid.

At 07:42 AM 1/2/02 -0500, Tim O'Brien wrote: A couple of points, and I will then get off of my soapbox... Checkpoint NG is STILL an application running on UNIX or NT, not a self-contained appliance. Personally I love Microsoft (let the flames begin!); however, with the critical updates that I see getting installed on my 2000 and XP workstations, I am POSITIVE that I would not want to trust my company security to it. Another point... Have you ever installed and configured a Checkpoint firewall? You can have the PIX up and running with failover even before you get the OS half installed on the new server that you need to buy for it, thus raising the cost for an already more expensive solution in man-hours and equipment. The PIX is also very interoperable with other devices in the network. You can create PIX to PIX or PIX to IOS or PIX to 3000 VPN site-to-site with other offices or home offices with built-in 56-bit DES or available 3DES. You can tunnel in VPN clients (free Cisco VPN client available). You can tunnel in Microsoft PPTP or L2TP sessions. And one last point: Have you ever had to get support from Checkpoint??? Enough said about that one... If you would like to discuss further, contact me offline... Tim

----- Original Message ----- From: [EMAIL PROTECTED] To: Sent: Wednesday, January 02, 2002 4:05 AM Subject: Re: OT - Firewall performance Comparisons - is it quitting time [7:30652] For quite a while CheckPoint has been outperforming every single firewall in the market, especially in the CheckPoint Next Generation Firewall version and with the release of their SecureXL API. It is important to remember that performance is not everything that needs to be compared while testing a firewall. I love the Cisco PIX, but the CheckPoint NG is amazing. Gil

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30675t=30675
Re: Howard Berkowitz to speak at EveCon 19 [7:30121]
At 07:48 PM 12/26/01 -0500, Priscilla Oppenheimer wrote: So, completely OT, but has anyone seen the first LOTR movie yet? Is it any good? I think Howard could be considered the Gandalf of networking. ;-) Priscilla

Yes, not a bad movie at all. I felt it was a fairly close translation of the book. Obviously some parts had to be omitted, but I think they did a great job. Of course, your mileage may vary, especially if you are pedantic about following the book to the letter.

-Carroll Kong Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30137t=30121
RE: Routing protocols [7:29139]
At 09:10 AM 12/14/01 -0500, Howard C. Berkowitz wrote:

To Chuck, I do not agree that the OSI model is crap. Sometimes it can add confusion, but for the most part it is fairly well defined. Also, no one ever said TCP/IP follows the OSI model 100%. The concept of layering is just very easy to see with the OSI model. TCP/IP generally has only layers such as the application, network, transport, and physical. You could throw in datalink there, I suppose. It certainly helps people understand networks. Without the OSI model, it seems like a lot of random musings. TCP/IP has a very clear transport, network and application layer.

Then how is it that the TCP/IP suite was developed before the OSI reference model was finished, largely by people that, at the time, were very hostile to the OSI work and vice versa? I was there at the time, and remember European delegates to ISO making comments like "we will never use protocols developed by the bomb-crazed American military."

OSPF and IS-IS have some similarities, yet one came out earlier than the other. The similarities were taken as they were developed. Just because it was not set in stone yet does not mean it did not exist. The standards were not atomically created; they are developed as time goes on. As some parts were done, they probably took it and ran with it. Plus it only seemed like a logical separation. It was mainly the insulation of different layers (as you mentioned, good programming practices) which created these divides. So, I think it is reasonable to still say that, as a reference model, TCP/IP matched some parts of the OSI model. Who stole from whom does not matter; they still follow a similar layering for transport and network. And the network layer, for the most part, could care less what it runs over as long as that is insulated from it. That seems very real in both practical and theory cases. That is what TCP/IP does, and that is what the OSI model references.
To Jose, I feel they do not work at the network layer, and work at the application layer. If it uses protocols (EIGRP and OSPF) it uses IP RAW, which means it skipped the transport component; ultimately I still feel it is at the application layer.

In my sophomore year of high school, I _felt_ that a girl named Gail _should_ have reciprocated my affections and lust. She didn't. Just because, Carroll, you feel something, doesn't make it right. Ignoring the TCP/IP work, ISO says you are wrong in its OSI Routeing Framework document, in which routing protocols for layer N are defined as layer management protocols for and of layer N. The transport they use is irrelevant, because their payloads affect layer N directly.

I did not mean I was being definitive. That is why I said I felt. I was not sure, and told him my perspective since he was asking for one. All of us seem to agree that the result / payload affects the network layer. As long as we understand that part, I think that is pretty good. Semantics aside. (That seems to be what Chuck is getting at. Screw the OSI model and semantics, as long as we know what it is doing. However, I think some people are not at that level to even know, since we have no semantics to work with at all. The important key here is that we understand it resides perhaps at another layer, but affects layer 3. As opposed to it itself being at layer 3.)

Anyway, I guess I am totally wrong on this. Sorry for wasting everyone's time. I will try not to respond anymore. I just felt that it seemed like a good way to learn, and as a baseline, the OSI model seemed ok, and I thought TCP/IP matched some of it. I guess it does not match it at all, so learn the layering of tcp/ip elsewhere.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29202t=29139
Re: Help with IP Addressing/VLSM- work project [7:29160]
You almost got it, but it does not seem correct. When you break the 65.85.105.128 255.255.255.192 into 4 subnets, you cut from the 65.85.105.128, not the 65.85.105.0. Also, you cannot cut 4 subnets out of a 65.85.105.128 with a 255.255.255.192 mask. You would only get 2 more. Since you have a 65.85.105.128, you only have 128 hosts left. A 255.255.255.192 mask will give you 64 host subnets. 128/64 is 2. A VLSM lets you subnet a subnet while routing is still sane. Anyway, you have to further slice it using a 255.255.255.224. 65.85.105.128 with 32 host subnets will give you the final 4, since 128 hosts divided by 32 is 4 subnets. I put the masks in both bitcount and dotted decimal notation.

Subnet 1 = 65.85.105.0/25 (255.255.255.128)
Subnet 2 = 65.85.105.128/27 (255.255.255.224)
Subnet 3 = 65.85.105.160/27 (255.255.255.224)
Subnet 4 = 65.85.105.192/27 (255.255.255.224)
Subnet 5 = 65.85.105.224/27 (255.255.255.224)

At 11:15 PM 12/13/01 -0500, Sarah Parker wrote:

Hello Everyone, I am working on a small IP address project and trying to figure out VLSM. Since I am not very good and do not have much experience with IP addressing, I wanted to send this to make sure what I have is correct or if I am really wrong on this one. Thanks in advance for any feedback or corrections!!

This is a new network:
Current IP Address=65.85.105.0 Mask=255.255.255.0
I need a total of 5 subnets.

What I did: Took 65.85.105.0, 255.255.255.128 to subnet into 2 networks. This gave me
Subnet 1=65.85.105.0, hosts 1-126, broadcast 127
Subnet 2=65.85.105.128, hosts 129-254, broadcast 255

Took 65.85.105.128 255.255.255.192 to subnet into 4 subnets. This gave me
Subnet 1=65.85.105.0, hosts 1-62, broadcast 63
Subnet 2=65.85.105.64, hosts 54-126, broadcast 127
Subnet 3=65.85.105.128, hosts 129-190, broadcast 190
Subnet 4=65.85.105.192, hosts 193-254, broadcast 255

So this would give me to use on the network
1=65.85.105.0 255.255.255.128 (17 mask?)
2=65.85.105.0 255.255.255.192 (18 mask?)
3=65.85.105.64 255.255.255.192
4=65.85.105.128 255.255.255.192
5=65.85.105.192 255.255.255.192

Did I do this correctly? This is based on using subnet zero. I am using a public class A but for security reasons I did change the actual real address. Thanks again for everyone's feedback.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29162t=29160
RE: Routing protocols [7:29139]
To Chuck, I do not agree that the OSI model is crap. Sometimes it can add confusion, but for the most part it is fairly well defined. Also, no one ever said TCP/IP follows the OSI model 100%. The concept of layering is just very easy to see with the OSI model. TCP/IP generally has only layers such as the application, network, transport, and physical. You could throw in datalink in there I suppose. It certainly helps people understand networks. Without the OSI model, it seems like a lot of random musings. TCP/IP has a very clear transport and network and application layer.

Not sure if there was sarcasm or an attack on the reputable source that UDP is an application layer part. I am going to assume so, because its spot as a transport is very clear. So, it is wrong for me to say that ftp clients and telnet clients use layer 7? (referencing user application vs service application)? Then where would it go? Nowhere? (hence why you say the OSI model is crap?)

To Jose, I feel they do not work at the network layer, and work at the application layer. If it uses protocols (EIGRP and OSPF) it uses IP RAW, which means it skipped the transport component; ultimately I still feel it is at the application layer. Perhaps it is just my roots that routing daemons are still just daemons, programs which run on a box. They dynamically insert information into a routing table. Unix machines still do it; a Cisco router is just an appliance version of a unix box with a routing daemon with multiple interfaces. (without extraneous baggage of course)

At 10:57 PM 12/13/01 -0500, Chuck Larrieu wrote:

I once had an interesting, if heated, argument with someone off list about this. IIRC, I was told by that person that Cisco, in its current CCNP study materials, is saying just that - that something operates at the OSI layer above which it functions. I.e. if a routing protocol uses an IP protocol number, then it is operating at transport layer. Since BGP uses TCP port 179, it is operating at the session layer, along with RIP, which uses UDP port 520. (BTW, I have also read in a reputable source that UDP is application layer because it is not reliable, and therefore cannot be transport layer, and there is no place else it really fits.)

I recognize that Cisco just LOVES the OSI model in the lower level certifications, but the fact is that in terms of how things work it is crap, and tends to cause more confusion and add no value. Every vendor of content switches is calling them layer 4-7 switches. What kind of crap is that? I dare anyone to justify switching as a layer 5 or a layer 6 activity. Yet there it is. Also, to judge from what content switches do, the marketers are saying the OSI layer 7 is user application, not a service application, something Howard takes great pain to differentiate in his writings on the subject, again IIRC. TCP/IP is NOT OSI compliant, never has been, never will be. OSI is a reference model, and not necessarily related to anything in real life. End of rant.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jose Luis De Abreu
Sent: Thursday, December 13, 2001 12:25 PM
To: [EMAIL PROTECTED]
Subject: Routing protocols [7:29139]

Just an open question? We read, learn and teach that Routing protocols are at the NETWORK layer of the famous OSI model... But they have PROTOCOL NUMBERS - TRANSPORT LAYER (such as IGRP protocol 9, EIGRP protocol 88 and OSPF protocol 89) and APPLICATION PORT values - APPLICATION LAYER (RIP uses port 520 and BGP4 uses port 179) indicating they work in the upper layers and not in the network layer, although the result is shown in the NETWORK layer... So my question is... Do they really operate at LAYER 3?

Warm regards, Jose Luis De Abreu

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29165t=29139
Re: Home lab - 2523 [7:27788]
Seems to be a lot on Ebay. (2514 that is). (2523) is a bit more rare.

At 09:49 AM 12/9/01 -0500, John Green wrote:

Ok, tell me this, guys. The 2523 and 2514 are not available in like used_hardware / online / auction sites. Seems these two are pretty popular ones. Why? I have been trying to get hold of a 2514 (has 2 ethernet interfaces) but have been unsuccessful yet.

--- Circusnuts wrote:

All you need is @ least version 10.0 IOS and Serial interfaces. This explains why the AGS and MGS (and ear muffs) are still found in a lot of CCIE labs today. All the best !!!

Phil

- Original Message -
From: EA Louie
Sent: Saturday, December 08, 2001 2:53 PM
Subject: Re: Home lab - 2523 [7:27788]

Yes it is. I have one and it works fine as a frame switch AND router with isdn, serial, and token ring. A great multi-purpose device, and usually cheaper than a 2522.

- Original Message -
From: Ham web
Sent: Friday, November 30, 2001 3:39 AM
Subject: Home lab - 2523 [7:27788]

Hi folks, just wanted to know if the 2523 was a good buy to act as a frame relay/x.25 switch in a home lab. Many thanks, Ham

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28586t=27788
RE: Does session layer protocol use IP address ? [7:28378]
statement, although it's taken out of context and you haven't given us enough information to say that the statement is definitely wrong.

However, try to picture the numerous OSI pictures you have seen. Most of them show horizontal lines between a layer on one host talking to the same layer on another host. So the session layer talks to the session layer on the other host. That's probably what Todd was getting at. However, the pictures also show vertical lines. A layer calls on a layer below to provide services. Each layer offers services to layers above it.

The session layer is an elusive beast that is not implemented much. But one example might help. NetBIOS is a session layer. On a Windows client, when you access a Server Message Block (SMB) server, NetBIOS has the job of setting up a session with the server. Before it can do that, however, it must find the address of the server. If it's a modern Windows network, then SMB and NetBIOS are probably running above TCP/IP and UDP/IP. So NetBIOS sends a DNS or WINS query to find the IP address of the named server. It then sets up a NetBIOS session with the server. Actually, first, the client sets up a TCP connection. TCP has port numbers. The client sends to the well-known TCP port for NetBIOS session (139) and uses an ephemeral port on its side. These port numbers could be considered addresses at the transport layer.

Anyway, back to the question. The statement is at best over-simplified. I recommend you get yourself a sniffer and watch what really happens between layers. (Ethereal is free by the way.)

Priscilla

Thank you for your time.
mlh

Priscilla Oppenheimer
http://www.priscilla.com

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28604t=28378
RE: Does session layer protocol use IP address ? [7:28378]
"And since NFS definitely uses RPC, and there can only be ONE, perhaps NFS is truly just at the application layer." That is one of the sentences I wrote. You seemed to have missed that one. Although I suppose I was not as clear. Sorry. I agree with what you said, or at least speculated, that yes, there can only be ONE component of the particular layer. Which would imply that NFS is indeed at the application layer, since it uses RPC, which RPC itself is in the Session layer. NFS itself has synchronization issues which some have considered to be a Session Layer characteristic.

I never said once that the USE of RPC means that it should be in the session layer. I did mention that the fact that NFS has synchronization primitives, which is considered a characteristic of the Session layer. So those are the possible two sides. I did not take a particular side, and perhaps I should work more carefully with nfsd. I do know that the final application uses mountd, which hooks into NFSd. NFSd alone will not let you do a remote mount. Hope that clears things up a bit. This sure seems as debatable as whether or not ARP should be in Layer 3 or Layer 2.

At 07:59 PM 12/9/01 -0500, [EMAIL PROTECTED] wrote:

It's possibly an exercise in bad faith to continually reintroduce written materials that have been explicitly discounted by people who can make a legitimate claim to understand the context they were churned out in. In this case, the cisco materials often don't offer any substantive reasoning for their arbitrary taxonomical assignments of protocols as far as higher-numbered layers of the osi stack are concerned (providing somewhat of a contrast to their treatment of better-scrutinized layers).

I'm a little concerned though, about the following: In sentence 7, you place RPC in the session layer. Two sentences earlier, you cite NFS' use of RPC as a justification for assuming that NFS resides in the session layer. While it might be exactly an example of the discontinuities you cite in your first paragraph, one of the few straightforward parts of the out-of-control agglomeration of ideas and assertions that constitute the concept of osi communications protocol layering as it appears in (english) print seemed to be the notion that services maintained at level X+1 use services at layers X, and do not (directly) interact with other X+1 entities. Am I missing something?

In either case, some instances where treatments clash are rife with potential insight-relevant ambiguities, while others are not. It's not clear that the certification prep treatments of this abstraction belong in the former category (most notably for their unignorably light treatment of upper-layer protocol characteristics), rendering them a dubious justification for a reasonable opportunity to think otherwise. I dread the day when all extant statements about a given topic are accorded equal weight (not least of all because I make statements about given topics and would find it hard to live with such a weighty burden).

Carroll Kong @groupstudy.com on 12/09/2001 04:59:49 PM
Please respond to Carroll Kong
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Kevin Cullimore)
Subject: RE: Does session layer protocol use IP address ? [7:28378]

Priscilla, I think you are being a bit too hard on the guy. He tried to do some real research; he is referencing other written material. I did some quick research and I am finding some information is clashing about it. I think sometimes it is hard to differentiate between the layers for certain constructs. I think perhaps WHY NFS is so often put in the Session Layer is because it uses RPC. Also, NFS does do synchronization of files, which can be heavily argued as a Session Layer characteristic. I would say RPC definitely is in the Session Layer. NFS does synchronization (remember the ancient days of keeping file consistency with UDP?) but looks like it might be at the application layer. I suppose that is where the confusion is. And since NFS definitely uses RPC, and there can only be ONE, perhaps NFS is truly just at the application layer. You could argue that it is mountd that really allows remote mounting and nfsd just does synchronization. I think it is somewhat debatable and reasonable for him to think otherwise if so many other references point it in the wrong direction. I am interested in any reference, as that is how we make sure we did not mislearn something.

At 02:04 PM 12/9/01 -0500, Priscilla Oppenheimer wrote:

At 06:18 PM 12/8/01, anil wrote: This is from Cisco Oct 2001 Packet.. http://www.cisco.com/warp/public/784/packet/oct01/p76-training.html It must be out of date :-)

Not out of date. Just wrong. You can keep coming up with wrong material. What's your point? Have you looked at NFS with a Sniffer? Have you read a Unix man page? Have you checked some RFCs? Have you considered what NFS does? What
Re: /31 subnet. [7:27742]
Law of subnets is a tradeoff. Bigger subnets have higher efficiency, at the cost of bigger broadcast domains. Smaller subnets have abysmal efficiency, at the benefit of smaller broadcast domains. /31 is a new RFC proposed rule which reduces the loss of efficiency of 50% to.. 0%. /30 has 2 usable addresses but loses 2 for broadcast and network. So, you need 4 ips to make the subnet, but you can only use 2. 50% efficiency. /31 is going to let you take 2, and use 2, and ignore the broadcast and network need. This is ideal for point to point.

At 08:32 AM 11/30/01 -0500, VoIP Guy wrote:

Maybe I'm missing something, but there are only 2 usable addresses in a /30, and only 2 interfaces participating in a point-to-point link, so how are 50% of the addresses wasted?

Steve

MADMAN wrote in message news:[EMAIL PROTECTED]...

Point to point connections: with a /30 you waste 50% of the available addresses.

Dave

Nicolas FEVRIER wrote:

Hi group, I'm puzzled by the use of /31 subnets... Can anybody explain to me the benefits of such a subnet on an interface? Thanxx. Nicolas.

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27810t=27742
Re: Help on VLSM [7:27665]
At 07:35 AM 11/29/01 -0500, Tel Khan wrote:

Hi folks, I don't fully understand VLSM. I have read this in the Sybex book and I'm still at a loss. I would be grateful for some guidance. Sorry for being thick! Regards, Tel

VLSM means you can use variable length subnet masks. 192.168.0.0/24 is normally a classic class C block. Let us say you want to break it up into two subnets; normally you would do

192.168.0.0/25
192.168.0.128/25

What VLSM lets you do is have this scenario. Say I want 3 subnets!

192.168.0.0/25
192.168.0.128/26
192.168.0.192/26

Notice, now I have Variable Length Subnet Masks! Normally, since subnet info is not passed into certain routing protocols at all, they rely on the subnet mask assigned on the router's interface. Obviously, with just that method, you can ONLY break them into the same subnet masks across all subnets. In the VLSM case, I can break them up dynamically into smaller and smaller pieces. You can expand this example to make tiny /30 networks too. Ultimately, it is not that magical. It just means you can pass these routes into one router's interface without getting it confused, because the routing protocols that support VLSM carry the subnet mask information within the routing packets.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27671t=27665
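The subnet arithmetic in the three threads above (the /25 plus four /27 answer to Sarah, the /30 versus /31 efficiency point, and the /25 plus two /26 split here) as a worked example. This is added code, not from the GroupStudy posts; the function names (carve, usable_hosts, efficiency, plan_is_valid) are my own, and the 10.0.0.0 point-to-point prefixes are constructed sample input.

```python
"""VLSM carve-up and plan checker (added example, not from the thread).

Reproduces the arithmetic in the posts: cut the next subnet from where
the previous one ended (not from the start of the parent again), count
usable hosts with the RFC 3021 /31 rule, and flag overlapping plans.
"""
import ipaddress
from typing import List

IPv4Network = ipaddress.IPv4Network


def carve(block: str, prefixes: List[int]) -> List[IPv4Network]:
    """Allocate one subnet per requested prefix length out of `block`.

    Larger subnets (shorter prefixes) are placed first so each subnet
    starts on a boundary aligned to its own size. Results are returned in
    the order the prefixes were requested. Raises ValueError when the
    requested subnets do not fit in the parent block.
    """
    parent = ipaddress.IPv4Network(block, strict=True)
    order = sorted(range(len(prefixes)), key=lambda i: prefixes[i])
    out = [None] * len(prefixes)
    cursor = int(parent.network_address)
    limit = int(parent.broadcast_address) + 1
    for i in order:
        plen = prefixes[i]
        if not parent.prefixlen <= plen <= 32:
            raise ValueError(f"/{plen} cannot be cut from {parent}")
        size = 1 << (32 - plen)
        # Round the cursor up to the next multiple of the subnet size.
        cursor = (cursor + size - 1) & ~(size - 1)
        if cursor + size > limit:
            raise ValueError(f"requested subnets do not fit in {parent}")
        out[i] = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(cursor)}/{plen}", strict=True)
        cursor += size
    return out


def usable_hosts(prefix: str) -> int:
    """Addresses assignable to interfaces.

    /30 and larger lose the network and broadcast addresses; a /31 keeps
    both under RFC 3021, and a /32 is a single host route.
    """
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def efficiency(prefix: str) -> float:
    """Fraction of the subnet's addresses that can be used: 0.5 for a /30
    (need 4, use 2), 1.0 for a /31 (need 2, use 2)."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return usable_hosts(prefix) / net.num_addresses


def plan_is_valid(block: str, subnets: List[str]) -> bool:
    """True when every subnet lies inside `block` and none overlap.

    This is the check to run on a hand-made VLSM plan: cutting the /26s
    from the whole /24 instead of from the remaining /25 shows up here as
    an overlap between 65.85.105.0/25 and 65.85.105.0/26.
    """
    parent = ipaddress.IPv4Network(block, strict=True)
    nets = [ipaddress.IPv4Network(s, strict=True) for s in subnets]
    if any(not n.subnet_of(parent) for n in nets):
        return False
    nets.sort(key=lambda n: int(n.network_address))
    return not any(a.overlaps(b) for a, b in zip(nets, nets[1:]))


if __name__ == "__main__":
    # Sarah's requirement: five subnets out of 65.85.105.0/24.
    for n in carve("65.85.105.0/24", [25, 27, 27, 27, 27]):
        print(f"{n}  ({n.netmask})  usable hosts: {usable_hosts(str(n))}")
    # The three-subnet example from this post.
    print(carve("192.168.0.0/24", [25, 26, 26]))
    # Point-to-point efficiency, /30 versus /31 (constructed prefixes).
    for p in ("10.0.0.0/30", "10.0.0.0/31"):
        print(p, f"{efficiency(p):.0%} usable")
```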
Re: Terminal Server with SSH - Not cheap are they? [7:27038]
Hey, why not look into Cyclades' Terminal Server? It runs linux which means you get ssh v2, plus they say you can get the 16 port version for around $2200 bucks. Compared to the $4500, seems like you are WAY ahead of the game. They say they will have a web interface soon, and at that point you already have official support for the product, which greatly diminishes the learning curve of doing the initial install and getting the right parts.

http://www.cyclades.com/products/stdalone/ts1_2000.htm##D

I guess you can say it is risky since no one on the list ever tried it. However, in all seriousness, this is not exactly a complicated piece of hardware. So how can they possibly go wrong? They even have routers in their diagram! Can't possibly be Nortel routers; they are almost pointless to console into. ;) Anyway, just email them and tell them your woes. At half the price, PLUS official support, I really think you are ahead of the game. Without official support, I would call it a toss up.

At 04:59 AM 11/22/01 -0500, Gaz wrote:

Thanks for all the suggestions. Linux does seem to win for most cases. I do have the dilemma that this is a solution that may be used at many sites and ideally needs to be a small, neat, rack mounted affair. Once we get into the realms of buying 1U servers for the linux as well as 2511, it's getting to the point where the difference in money to step to a 2610 is not that great. Or at least probably not great enough to compensate for the difference in neatness/engineering required to install etc. Thanks for the info everyone.

Gaz

Kent Hundley wrote in message news:[EMAIL PROTECTED]...

One could install an extra ethernet nic in the linux box and then just use a cross-over cable to connect directly to the 2501.

Regards, Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Ramsey
Sent: Wednesday, November 21, 2001 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Terminal Server with SSH - Not cheap are they? [7:27038]

Seems to be the consensus... : ) Although if you telnet from the linux box then you are just as insecure as you originally were...

-Patrick

Berry Mobley 11/21/01 01:53PM

Why not just build a linux box with ssh support and telnet from there to the term server? Another step - but probably more secure... and a lot cheaper than another router.

Berry

At 01:04 PM 11/21/2001 -0500, you wrote:

Hi all, I currently use a 2511 RJ Terminal Server on a site with dial up access through a modem. Ten pieces of Cisco equipment are then configured using reverse telnet to their consoles. Someone's thrown a spanner in the works. We now need to use something such as SSH to the Terminal Server. The 2500 doesn't support it. The nearest I could think of was a 2610 with an NM16A (16 port Async) module. Unfortunately, to run a decent version of code with DES (for SSH support) this needs a DRAM and Flash upgrade. There isn't, as far as I can find, a 16 port RJ45 Asynchronous module (closer replacement for the 2511RJ), so we need two octal cables. Total Price around £4500 as opposed to around £1800 for the 2511RJ. 2511's always seemed a bit steep for this job, but using a 2610 for it seems to be even more so, even though the 2610 itself is only £1100. I think all this still only gives me SSH version 1. Does anybody have any ideas for suitable replacements? Space is a concern, but I am thinking about putting a 1U server in there to do the same job if I can source a 16 port serial card that fits, and I'm also looking at whether Shiva are still in the market. All ideas accepted gladly, but this does have to get past a security board. I don't want full solutions, just asking for brief ideas.

Thanks, Gaz

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27132t=27038
Re: Cisco PIX 520 [7:26898]
Well, you asked for a step by step link to setup a VPN on a Pix 520. My normal route is that I use www.cisco.com, and look at the Pix documentation. How else does anyone else do anything? Read the manual. This goes for anything, even non-Cisco stuff.

www.cisco.com
technical documents
2nd column now, 3rd row, Cisco Pix
select OS version
read docs, including the nice handy link that says site to site vpn among other things.

Anyway, after taking 30 seconds to figure that one out, here is the link.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/index.htm

I strongly suggest you get used to their web site. It is daunting at first but is very powerful. Definitely worth learning in the long run. Or, you can do it the easy way.

www.cisco.com
type in the search box "pix vpn"

I see a lot of pertinent hits. Advantage of the first technique: practice for the lab's documentation cd. Advantage of the second: it's just outright easier, but I doubt there is a search engine and all of the other white papers that cisco has available. Use it as a crutch, and you will be forever handicapped.

Now, you may think Brad is being cruel; however, I think he is doing you a favor. I probably did you a disservice here. If you cannot figure out how to navigate the cisco web site, taking the CCIE Lab is just a few orders of magnitude harder. Why? You cannot use the documentation effectively at all if you cannot navigate cisco's technical documents web page. Therefore you must memorize a lot more and practice a heck of a lot more on silly details. I know people go on about "never use the docs, you will fail, you will run out of time". Hogwash. If it takes me 5 seconds to look up something on the docs, that is less info for me to memorize. I guess your mileage may vary. I know the "use aliases, or you will fail" is hogwash for me in particular. I type fast and the commands are logical.

So, if you feel learning their web page is a hopeless endeavor, so why bother, and just memorize and work it out the hard way, go ahead. Everyone has a different way of tackling a problem. If you were just looking for some quick simple answers, the thing is, the best we can do is lead you to the general area. I have no idea on what kind of VPN you want to setup, what peers you want to use, versions of code, etc. So please, do a bit more work so we can get a more specific question, so then we can assist you better. Otherwise, you can get a refund for this service. Anyway, Happy Thanksgiving!

At 06:19 PM 11/21/01 -0500, Inamul wrote:

Idiot... I and everyone knows cisco.com, but the reason people ask dumb questions here is they want to save some time by asking someone who has already gone through that process and spent time researching that topic..

Brad Ellis wrote in message news:[EMAIL PROTECTED]...

www.cisco.com has that information.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]

Inamul wrote in message news:[EMAIL PROTECTED]...

Does anyone have a step by step link to setup VPN on PIX 520 running code 5.2?

thanks
Inamul

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27113t=26898
Re: Terminal Server with SSH - Not cheap are they? [7:27038]
Although this would be considered high maintenance, you could think about a FreeBSD box with a Cyclades serial card. (you can get enough to handle A LOT more than 16 serial ports if you need it) You could get the BSD box in a 1U format. It supports ssh and telnet. The problem here is you would have to jimmy up your own cables. (just know the pinouts from the serial port to the console) The cyclades has some RJ45 outputs you could use, but you would need the right pin outs. Then you can use cu to console in to any box.

At 01:04 PM 11/21/01 -0500, Gaz wrote:

Hi all, I currently use a 2511 RJ Terminal Server on a site with dial up access through a modem. Ten pieces of Cisco equipment are then configured using reverse telnet to their consoles. Someone's thrown a spanner in the works. We now need to use something such as SSH to the Terminal Server. The 2500 doesn't support it. The nearest I could think of was a 2610 with an NM16A (16 port Async) module. Unfortunately, to run a decent version of code with DES (for SSH support) this needs a DRAM and Flash upgrade. There isn't, as far as I can find, a 16 port RJ45 Asynchronous module (closer replacement for the 2511RJ), so we need two octal cables. Total Price around £4500 as opposed to around £1800 for the 2511RJ. 2511's always seemed a bit steep for this job, but using a 2610 for it seems to be even more so, even though the 2610 itself is only £1100. I think all this still only gives me SSH version 1. Does anybody have any ideas for suitable replacements? Space is a concern, but I am thinking about putting a 1U server in there to do the same job if I can source a 16 port serial card that fits, and I'm also looking at whether Shiva are still in the market. All ideas accepted gladly, but this does have to get past a security board. I don't want full solutions, just asking for brief ideas.

Thanks, Gaz

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27043t=27038
Re: Terminal Server with SSH - Not cheap are they? [7:27038]
High maintenance as in, there is a hdd; if it fails it is a pain in the butt to get your colocation guy to pull it out. Or have fun flying down there. It will cost money to do that, plus hdds will more likely fail than say a flash card. You COULD run FreeBSD on a flash card, but ultimately, doing all of this, configuring the system so it can handle a Cyclades serial card, is a lot of work especially for people new to unix. I do not even want to get started on updating the software and what not. Not a problem for a unix administrator, but I get a feeling (sadly) there are very few good multi-classed hybrids who know unix and Cisco. This is why people buy precanned solutions. So this is why I call it high maintenance. There is also a high footprint (learning curve) to get it started compared to the Cisco product which he already knows how to use fluently.

Cyclades sells serial cards AND terminal servers. He might be able to just buy one of their terminal servers for about $2200 each. I never used them though. The serial cards he needs are maybe (with the 16 port box) about $800. Add that to a rackmount 1U PC using cheap parts for about $600, and he is only at $1400 with a flexible box. Add the cost factor of setting it up; that is going to vary per builder's skill level in Unix and building PCs. Pricing is all relative.

> Well, depending on how much you trust your switch and if you can prevent arp spoofing, telnet to a Cisco 2511RJ on the same switch might NOT be so bad. Then we are talking about maybe $500-600 (check out Dell's 1U racks). Seems to be the consensus... : ) Although if you telnet from the linux box then you are just as insecure as you originally were...
>
> -Patrick
>
> Berry Mobley 11/21/01 01:53PM
>
> Why not just build a linux box with ssh support and telnet from there to the term server? Another step - but probably more secure...and a lot cheaper than another router.
>
> Berry
>
> At 01:42 PM 11/21/01 -0500, Patrick Ramsey wrote:
>
> It's not THAT high maintenance... I mean...how often have you rebooted any linux/bsd box? : ) But cyclades are not cheap! : (
>
> Carroll Kong 11/21/01 01:28PM
>
> Although this would be considered high maintenance, you could think about a FreeBSD box with a Cyclades serial card. (you can get enough to handle A LOT more than 16 serial ports if you need it) You could get the BSD box in a 1U format. It supports ssh and telnet. The problem here is you would have to jimmy up your own cables. (just know the pinouts from the serial port to the console) The Cyclades has some RJ45 outputs you could use, but you would need the right pinouts. Then you can use cu to console in to any box.
>
> At 01:04 PM 11/21/01 -0500, Gaz wrote:
>
> Hi all, I currently use a 2511 RJ Terminal Server on a site with dial up access through a modem. Ten pieces of Cisco equipment are then configured using reverse telnet to their consoles. Someone's thrown a spanner in the works. We now need to use something such as SSH to the Terminal Server. The 2500 doesn't support it. The nearest I could think of was a 2610 with an NM16A (16 port Async) module. Unfortunately, to run a decent version of code with DES (for SSH support) this needs a DRAM and Flash upgrade. There isn't, as far as I can find, a 16 port RJ45 Asynchronous module (closer replacement for the 2511RJ), so we need two octal cables. Total price around £4500 as opposed to around £1800 for the 2511RJ. 2511's always seemed a bit steep for this job, but using a 2610 for it seems to be even more so, even though the 2610 itself is only £1100. I think all this still only gives me SSH version 1. Does anybody have any ideas for suitable replacements? Space is a concern, but I am thinking about putting a 1U server in there to do the same job if I can source a 16 port serial card that fits, and I'm also looking at whether Shiva are still in the market. All ideas accepted gladly, but this does have to get past a security board. I don't want full solutions, just asking for brief ideas.
>
> Thanks, Gaz
>
> -Carroll Kong

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27058t=27038
Re: Pix question [7:26832]
At 08:24 AM 11/20/01 -0500, Ramesh c wrote:

> 1) I got a pix in a test (all internal) environment (configured as outside, inside and DMZ). Do I need to use NAT to connect to the outside segment from inside or vice versa? Since Pix can act as a router, will enabling routing solve this purpose without use of NAT, applying access lists later for security?
>
> 2) I want to open all the ports of TCP connection for a particular host. How do I go about it?
>
> cheers
> Ramesh

No, you do not. If you want to do a No NAT configuration, make an acl for no nat (using id 0) for the IPs you do not want to translate. Of course, this is only sensible if you have registered IPs on the inside. If not, you really should use NAT.

The pix is generally a horrible router; it only supports RIP. A router in the most generic sense of a multihomed host that can move from interface a to interface b is barely a router. Heck, Windows NT can do that. (shudder)

You have not defined what security policy you want. access-lists for what? Inbound or outbound? If you use PAT (which is really a misnamed ciscoism), you have some light level of security for inbound connections. By default, no one can hit your inside from the outside unless you have statics + access lists. If you use static NATs, you WILL open a security hole for sure unless you got ACLs blocking on the outside interface. Remember, the inflexible Cisco pix can only do inbound ACLs to any interface. (However, you can still simulate the inbound/outbound security policy by putting it on the other interfaces).

You have not mentioned inbound or outbound. If you mean inbound, use a static (from the outside to the inside) and write an acl that allows him access through.

I know you said this is a test environment. However, I think you should review some of the pix's basic configurations on Cisco's web site to get a better understanding and should definitely get a consultant to review your final configuration before deployment.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26839t=26832
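A configuration sketch of the no-NAT rule, the identity static and the inbound ACL that the reply above describes, added here as an illustration and not taken from anyone's configuration in this thread. The syntax is PIX 6.x; the addresses, the ACL names and the outside gateway are constructed placeholders, and the lines starting with `!` are annotations.

```cisco
! Added illustration, not configuration from this thread. Addresses and names are placeholders.
!
! Question 1: the inside block 198.51.100.0/24 is treated as registered (routable),
! so nothing should be translated. The "nat ... 0" rule with an ACL exempts it.
access-list NONAT permit ip 198.51.100.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! The PIX is not doing dynamic routing here; a static default toward the outside gateway is enough.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Question 2: reach one inside host on any TCP port from the outside.
! Inbound still needs a static (an identity static, same address both sides, because
! the address is routable) plus an ACL applied inbound on the outside interface.
static (inside,outside) 198.51.100.10 198.51.100.10 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any host 198.51.100.10
! The explicit deny is only for readability: every PIX ACL ends with an implicit deny.
access-list OUTSIDE_IN deny ip any any
access-group OUTSIDE_IN in interface outside
```

Outbound traffic from the inside is still permitted by the default security levels; the ACL above only opens the one host toward the outside and leaves everything else on the inside unreachable from there.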
Re: ZONE Tests vs Boson Tests [7:26639]
I am digressing a bit, and want to concentrate specifically on raw memorization vs understanding. I am a big fan of theory for a few reasons. I mean REALLY understanding theory, not just saying "yeah I get the theory" when you do not understand it. No. If you understand the theory, you understand it, period. If you cannot explain something to someone, you do NOT know that something. Period. Implementation details aside.

Although both ways can be used to conquer any test, be it raw memorization or knowing the theory well and having some cached info in your head, ultimately, I think you are doing yourself a disservice by failing to understand the theory.

1) For someone who just memorizes and memorizes answers, when new technology comes out, they are baffled at first, and take a long time to relearn.

2) For someone who knows the theory, when new technology comes out, it is trivial to apply the theory to most new technologies and easily understand it.

While this is a bit drastic, simply because many people begin to learn the theory as they memorize all sorts of information, I feel this is closer to the truth than most people realize. Some people just outright never learn it.

As for the 3x3 bit, that is just embedding cached knowledge in someone's head. No different than someone eventually memorizing the decimal - binary conversions. The difference is, the man who knows the theory will be able to derive back the answer should he forget. The one who just memorizes will forget, and fail. 3x3 is somewhat of the simple extreme case since it has been drilled in since day 1. Also, it is akin to realizing that 3x3 is merely a shortcut for 3+3+3. The one who just memorizes would sadly never know that. It is also why you learn addition before multiplication.

Being asked to code a tcp/ip stack for vpn and understanding the different phases of IKE and IPsec are a bit different. Ultimately, you should only need to learn what you need to succeed in whatever job field you are in. However, UNDERSTANDING it is a key issue. Also, to design a protocol in itself does NOT require high math. A protocol, by definition, is a language of types. A form of communication. You need zero math to do that. As for the actual encryption ciphers and how they function, if you wanted to know precisely how they worked or were to design a new cipher, then math would enter into the fray.

I do not blame the test. The test has no way of discerning between one who truly understands and someone who memorizes. Sure there are ways to draw it out a bit more (written essays, open ended answers), but that makes things a bit difficult to grade and handle effectively in large numbers. I just worry a lot more when someone simply passes by pure memorization, and does not know WHY answer A is so. Odds are that individual will quickly forget, and will take a long time to get back his knowledge. The one who understood it will easily regain that knowledge.

I think HR should stop depending on the CERT as a shortcut verification system and just ask the senior engineers to do their own little cross examination. Of course, there could be a chicken and the egg syndrome. What if you have no seniors? ;)

At 06:11 PM 11/20/01 -0500, Michael Snyder wrote:

> I disagree. Everyone seems to think teaching to the test is a bad thing, but I think it's a lot more fuzzy than that. Here's an example. If I ask you what 3x3 equals, you can answer 9 (I hope). How do you know that? Did you go to college and study math theory for four years? Do you know how many pages it takes to prove that 3x3=9? Do you know the concepts needed for the proof? I'm assuming that you learned 3x3 just like I did, with a 3rd grade teacher going over it and over it and over it. She was, in effect, teaching to the test.
>
> Let's jump forward a few years. Lately I've been dealing with L2TP/IPSEC/VPN. I think I understand the basic concepts of these protocols well, seeing that I use them daily, but in truth do I really? If someone asked me to code a tcp/ip stack for vpn, I wouldn't have a clue where to start. I think it would take me years just to start understanding the high math needed to code a vpn protocol. My point being that I have learned the correct answers on how to use vpn by being told the correct answers thru self study, reading and experience. I have in effect taught myself the correct answers to use when I see the correct questions.
>
> Is there a difference here other than learning that 3x3=9 and passing a third grade math test? I'm not sure there is. I think any way you look at it, a pass is a pass. If someone can learn to pass the test, but can't effectively use that knowledge in the real world, maybe we will find the fault is in the test itself.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26945t=26639
Re: Is Pix failover can be Load balancer ? [7:26673]
Yes, certain models have a serial failover link. (515?) Look at the Cisco web page for more details. If you buy another NIC, you can even have stateful failover. (retains all tcp connection information to the other firewall). Although, I wonder if you really need it since I did get it working without the extra NIC at one point. Hmmm, marketing ploy? Maybe. As for load balancing, not sure if it can do that.

At 03:39 AM 11/19/01 -0500, Sivarajan Thiruvadi wrote:

> Hi Pals, I wish to know whether 2 cisco pix firewalls can be configured for redundancy as well as Load balancing. In general failover means in case the active PIX fails the standby one will come into line. But my customer wants FWLB (Firewall load balancing). If anyone has an idea on this please help me.
>
> Thanks and regards
> Siva

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26677t=26673
Re: PIX conduit access lists [7:26684]
Implicit denies are inserted behind every access-list. Are you mixing conduits and access-lists? You really should not. Use ALL conduits or ALL access-lists. If both are used, conduits take priority and override your access-lists. Access-lists are first match, conduits are any match.

At 09:24 AM 11/19/01 -0500, Steve Alston wrote:

> Does the PIX 506 require an explicit deny statement after setting up a permit conduit or access list? I appear to be receiving more traffic (e.g. NTP) than my conduit statements allow.
>
> Thanks much, Steve

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26694t=26684
Re: PIX conduit access lists [7:26684]
I believe so.

At 10:25 AM 11/19/01 -0500, Steve Alston wrote:

> Carroll, Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes.) Are implicit denies inserted behind each conduit as well?
>
> Carroll Kong wrote in message news:[EMAIL PROTECTED]...
>
> > Implicit denies are inserted behind every access-list. Are you mixing conduits and access-lists? You really should not. Use ALL conduits or ALL access-lists. If both are used, conduits take priority and override your access-lists. Access-lists are first match, conduits are any match.
> >
> > At 09:24 AM 11/19/01 -0500, Steve Alston wrote:
> >
> > > Does the PIX 506 require an explicit deny statement after setting up a permit conduit or access list? I appear to be receiving more traffic (e.g. NTP) than my conduit statements allow.
> > >
> > > Thanks much, Steve
> >
> > -Carroll Kong

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26705t=26684
Re: Loopback and Null interfaces [7:26703]
At 10:44 AM 11/19/01 -0500, Mark Latis wrote:

> What is the purpose of the Loopback and the Null interfaces? (I know that the loopback interface can be used to emulate an always-on interface to be used for point-to-point unnumbered links.)
>
> Thanks, Mark

Well, you got the loopback part right. That way, if a single router has at least one of his WAN links up, you can still reach him by one address. I suppose it is more of a slightly easier administration issue.

As for the null interface, if you put ip unreachables in it, it can be used for black hole routing. This is faster than using an ACL and does not use cef. (woohoo). You will typically find routing protocols that create summary routes that lead to the Null0 interface.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26728t=26703
RE: Spanning Tree Protocol [7:26538]
This is a computer architecture topic and it has been a while for me, so please feel free to correct me. Basically, it is how multibyte values are stored in a particular computer architecture. For instance, in big endian, the last byte has the most significant byte, and in little endian the last byte has the least significant byte. Given that a byte is 8 bits.

Given an integer 64932 (2 bytes). This converts to 1101 1010 0100 in binary.

In a little endian architecture, the data would be stored like 1101 1010 0100

One machine would store this value from left to right and the other would store it from right to left.

In a big endian architecture, the data would be stored like 1010 0100 1101

Needless to say, this has caused much pain in the world. It is purely a big religious war as to which is better. Also, one might quickly add, well if this is true, wouldn't all socket programming be borked?!? No. They force you to convert back to network form vs host form. I believe network form is big endian, but not that it matters. Everyone converts it to this form in C (or any other language) before it hits the network, so there is still cross OS compatibility.

Now, looking at 42, it seems to be this in binary: alone it is 101010, but in a byte, it would look like 0010 1010. Maybe I got something mixed up? Maybe with a 7 bit byte then it is 010 1010.

At 10:05 AM 11/19/01 -0500, Matthew Tayler wrote:

> Ok dumb question of the day, what do you mean by Big Endian / Little Endian please?
>
> Priscilla Oppenheimer wrote:
>
> > At 10:12 PM 11/16/01, Kane, Christopher A. wrote:
> >
> > > Someone was a Douglas Adams fan?
> >
> > Of course! Also another cool thing about 42 is that it's a palindrome (the same backwards and forwards in binary) and avoided the Little Endian/Big Endian wars!
> >
> > Priscilla

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26704t=26538
RE: Starting CCNP [7:26734]
Cisco's web site is pretty good for technical documentation. Although I have never done the CCNP, I found that Doyle, Caslow, and Halabi are great books. Using that and my knowledge of security over the years, alongside some college courses, and just reading good old RFCs, I was able to pass the CCIE Security Written. Not sure if that is remotely comparable to the half a dozen tests you need to take for the CCNP. Sorry, I never use sample questions or tests; my best advice is to learn the general material well, and I think those few books will help out a bunch.

On the side, to reach the mystical archives, just take a look at the footer, and click once or cut and paste, then you can see your own message in the archives. Click on search and you can find further info. How did you (Larry) subscribe to the list? Did not the web page have an archives link?

At 01:07 PM 11/19/01 -0500, Puckette, Larry (TIFPC) wrote:

> Syed, DUCK!!! NOW!!! You are most likely going to get bombarded with emails with abusive tones telling you to look at the archives before asking questions. You'll notice that none of them will tell you how to get to the archives though.
>
> Larry Puckette
> Network Analyst CCNA, MCP, LANCP
> Temple Inland
> [EMAIL PROTECTED]
> 512/434-1838
>
> -----Original Message-----
> From: Syed Raza [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 19, 2001 11:39 AM
> To: [EMAIL PROTECTED]
> Subject: Starting CCNP [7:26734]
>
> > Hi Guys, I am new to this site but after taking a glance at the site, I think I have a lot of smart people to help me thru this CCNP journey. Well I wanna know what are the best resources out there that I can use for my CCNP. Plus if any one of you have sample questions and practise tests that I could use to start my process, that would be very helpful. Looking forward to seeing your advice. Thanks.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26748t=26734
Re: The Scoop on PIX? [7:26607]
At 06:08 PM 11/17/01 -0500, Andrew Michael wrote:

> Hi all. What are some of the reasons why a person would choose a PIX solution rather than a good router with the right IOS for security?

The Pix is a stateful firewall; Cisco routers (as far as I know, typically) are not. Generally higher performance, short of using CEF and other possibly buggy speed optimizations.

> From what I've read on Cisco's site, there does not seem to be the huge gap between using a router as a firewall solution vs. using a PIX, as some people make it sound.

Cisco calls it the Adaptive Security Algorithm or something. Basically, it has a stateful firewall mechanism.

> One last thing...for the life of me, I can't find what PIX stands for! Any help appreciated! Thanks in advance.

I believe Private Internet Exchange.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26627t=26607
Re: Off Topic - Baystack 350T [7:26431]
At 09:47 PM 11/15/01 -0500, Mark Rose wrote:

> I was given a Baystack 350t and I'm trying to get into it to set up the configuration. I am using the default settings (9600,8,1,no,1,none). I am entering ctrl+C as per documentation. I get no response. I could use suggestions from anyone who has used this switch.
>
> TIA, Mark

Try ctrl-d, enter, etc. If it does not work, it might just be a bad one. I did an audit with a pile of these darn bay stacks, and some of them would just REFUSE to work. Of course, since we audited so many of them, 80% of them were consoleable, the others failed. Ah well.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26434t=26431
RE: Salary Expectations/CCNP's!!!!!!!!! [7:25805]
You are right, but marketing hype (misleading info). He still got close, IIRC, ~a few million dollars worth in stock options. So, he got a few million in stock options (the usual), and lowered his $300K salary to $1 dollar. Somewhat heroic, some would not even lower a dime. However, hardly what many people expect.

At 11:44 PM 11/11/01 -0500, Russ Kreigh wrote:

> > And if you are talkin of your friend with 10 years of exp. and he cant find a job then I really doubt what he has been doin from last 10 years that he cant find a job of course if he is looking for a salary of somethin like John Chambers then he won't get that.
>
> Actually I think I read in an article that Chambers cut his salary to $1.00 a year. I am 99% sure this was Chambers who did this, but have been known to be wrong once in a while. ;-)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26032t=25805
Re: ConfigMaker [7:26022]
At 07:43 PM 11/12/01 -0500, Larry Johnson wrote:

> I have a client that will not take no for an answer. He feels that using ConfigMaker from Cisco is an absolute must to configure his routers and switches. I would appreciate your opinions about ConfigMaker and the Pix firewall graphic configuration utility that Cisco has also. Thank you in advance for your thoughts.
>
> LJ

I put these tools as enabling devices. Cisco wants to bridge the gap between laymen and Cisco qualified individuals; ConfigMaker and the Pix configuration utility do this. While it does help a neophyte do a similar amount of work as a skilled worker to some degree, it quickly levels off. Weird issues and bugs and more complicated configurations can always be done by a trained individual. I am sure many others on this list will attest, they have setup rock solid configurations without the need for these tools. Many of the professional Cisco qualified individuals can work much faster than the ConfigMaker or Pix GUI.

I am not going to say these tools are the work of the Devil! However, to add some negative points to them. The Cisco Pix GUI might be opening up a possible security hole despite the little ACLs it can have. Convenience at the price of security. ConfigMaker can work directly or indirectly so that is ok I suppose. Take a look at the list of HTTP configuration tools for the routers and switches. Easy to use. Also, they have a nasty history of security holes. Inside network only? Heh. Most hacks happen from the inside.

So, while the tools are ok, the only ones who say it is an absolute must tend to be inexperienced individuals in terms of Cisco hardware/software configuration.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26044t=26022
Re: Two default routes on the same router [7:25750]
So you have a router with two WAN links and two LAN links, and you want to make sure LAN A goes to WAN A, and LAN B goes to WAN B? Use policy routing, AKA route-maps that use an ACL that matches off the source of LAN A, and set the next hop to WAN A; do the same for the other network, or just have the default go to the other one. As for what would happen with two gateways, probably per destination load balancing since they would have the same metric.

At 12:35 PM 11/10/01 -0500, McHugh Randy wrote:

> Does anyone know if you can have two completely different default routes on the same router in totally two different subnets pointing to two totally different gateways? For instance
>
> ip route 0.0.0.0 0.0.0.0 25.13.240.1
> ip route 0.0.0.0 0.0.0.0 65.11.213.1
>
> Will the router parse each one separately or will neither one of them work? This is on a 2514.
>
> Thanks
> Randy

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25763t=25750
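A policy-routing sketch of the route-map approach the reply above describes, added here as an illustration rather than taken from either poster's configuration. The two next-hop addresses are the ones from Randy's question; the LAN subnets, interface names and ACL number are constructed, and the lines starting with `!` are annotations.

```cisco
! Added illustration, not configuration from this thread. LAN addressing and interface
! names are constructed; the two next-hop addresses come from the question.
!
! Source-based classification: everything originating on LAN A (192.168.10.0/24).
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
! Policy: LAN A sources are sent to WAN A's gateway. If that next hop becomes
! unreachable (link down), the policy is skipped and normal routing applies instead.
route-map LAN-A-OUT permit 10
 match ip address 101
 set ip next-hop 25.13.240.1
!
interface Ethernet0
 description LAN A, policy routed toward WAN A
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map LAN-A-OUT
!
interface Ethernet1
 description LAN B, no policy: follows the routing table (default toward WAN B)
 ip address 192.168.20.1 255.255.255.0
!
! A single ordinary default route toward WAN B. A second 0.0.0.0/0 with the same
! administrative distance would be installed as an equal-cost path and load-shared;
! giving it a higher distance keeps it out of the table as a floating backup until
! the primary default is withdrawn (for example when its interface goes down).
ip route 0.0.0.0 0.0.0.0 65.11.213.1
ip route 0.0.0.0 0.0.0.0 25.13.240.1 250
```

Policy routing only applies to packets arriving on the interface that carries the `ip policy` statement; traffic the router itself originates follows the routing table unless `ip local policy route-map` is configured as well.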
Re: 2500 IOS TFTP Problem - For a change! (sarc) [7:25144]
Wow, I thought I was the only one with that problem. I had similar issues with putting a 12.1 image on a 2500. It rebooted quite a few times with checksum errors.

At 07:55 PM 11/2/01 -0500, Gareth Hinton wrote:

> Hi all, This is not a major problem as I am just playing, but having a nightmare trying to get a 2500 image on. I had the same nightmare last time with 12.1. It went on eventually, for no reason whatsoever, by just repeating the process. I seem to remember that there maybe a way to make the router ignore the checksum. Anybody know if I've dreamt this up or whether there is actually a method?
>
> Cheers, Gareth
>
> ! [OK - 15445320/16777216 bytes]
> Verifying checksum... invalid (expected 0x73BD, computed 0xE283)
> Flash copy took 0:08:26 [hh:mm:ss]
> A(boot)#reload
> snip..
> System flash directory:
> File Length Name/status
> 1 15445320 122.bin [invalid checksum]
> [15445384 bytes used, 1331832 available, 16777216 total]
> 16384K bytes of processor board System flash (Read/Write)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25147t=25144
RE: How to find serial number of router? [7:24760]
I think you are right. After I posted my message, I tried to hand verify it, but, I honestly do not know which is the serial number. There are so many stickers, tags and numbers! On top of that, I NEVER found the same serial number on the chassis as the motherboard part even after looking through all of those tags. I think you are right and that the serial number is JUST for the internal parts. The serial number needed to service is probably the chassis serial number which of course, is not available inside the box or so it seems.

At 09:16 AM 11/1/01 -0500, R. Benjamin Kessler wrote:

> Are you sure that it is reporting the same serial # that is on the chassis? In my experience, the only way I could get the serial number remotely is by entering the snmp-server chassis-id command into the config manually. I just double-checked on a 3600, 7200 and 7500 (running various 12.x code) and the serial number I get with show diag or show version aren't the same as the one I entered manually (based on physical verification).
>
> Note: I also did this on my IOS-based switches (cat3500's) even though the show version command will give you this info - System serial number: x
>
> Bottom-line is that when you open a case w/TAC and they ask for a serial number of the system, they're interested in the one on the chassis not some internal component.
>
> Just my $0.02
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carroll Kong
> Sent: Wednesday, October 31, 2001 5:42 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How to find serial number of router? [7:24760]
>
> > Wow, excellent tip! However, this does not seem to work on the 2500s series. (using 12.1(11) with a 2514). It does work on my 2610. (using 12.1(11)).
> >
> > At 02:44 AM 10/31/01 -0800, Budi Widjojo wrote:
> >
> > > you can use show diag command. or as you said, you can use cisco resource manager also.
> > >
> > > cheers, budi
> > >
> > > --- IT Guy wrote:
> > >
> > > > Hi Guys, Can anyone here please help what are the possible software ways to find out the serial number of a router without looking at the hardware itself?? Can we find out by using any management software like Cisco resource manager or etc?? Thanks for help.
> >
> > -Carroll Kong

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24942t=24760
Re: PIX 501 ios question [7:24966]
I do not know the answer either, and plan on picking one up to train with. However, here is some info that seems to imply that it does use the standard Cisco Pix Command Line Interface.

http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm

Note how it says minimum software version 6.1(1). As for, will it help you for higher level Pixes, yes it should. However, one key feature that is not available on the 501 and 506 is failover. Configuring failover and stateful failover is not really difficult, but it is something totally new if you just trained from a 501, 506, or lone 515.

At 05:26 PM 11/1/01 -0500, sam sneed wrote:

> I've already read that. It didn't answer my question though.
>
> Jonathan Hays wrote in message news:[EMAIL PROTECTED]...
>
> > sam sneed wrote:
> >
> > > hello, I wanted to know if the IOS on PIX 501 is the same as the higher models. The product description on Cisco's site does not specify it. I want to learn PIX and 501 is the cheapest but I want to know if the commands I learn and experience I gain will be good enough to setup and administer a higher model of PIX. I have good firewalling experience but none with PIX.
> > >
> > > thanks
> > > sam sneed
> >
> > Here's the product data sheet.
> > http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24999t=24966
Re: How to find serial number of router? [7:24760]
Wow, excellent tip! However, this does not seem to work on the 2500s series. (using 12.1(11) with a 2514). It does work on my 2610. (using 12.1(11)).

At 02:44 AM 10/31/01 -0800, Budi Widjojo wrote:

> you can use show diag command. or as you said, you can use cisco resource manager also.
>
> cheers, budi
>
> --- IT Guy wrote:
>
> > Hi Guys, Can anyone here please help what are the possible software ways to find out the serial number of a router without looking at the hardware itself?? Can we find out by using any management software like Cisco resource manager or etc?? Thanks for help.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24872t=24760
Re: is it really bad market for ccie ? NO! NO! NO!!!! [7:24336]
there would be for a Juniper job. I also must take issue with your contention that the CCIE is more valuable in this economy, because the salary numbers don't lie either. I don't want to sound crass and venal, but JNCIE's on average get paid more (sometimes significantly more) than a CCIE. For those who will say that it's not certs that count, it's experience, OK fine - then let me revise that above sentence to say that somebody with a certain amount of skill and experience in Juniper can most likely expect to earn more than somebody else with an equivalent amount of skill and experience in Cisco. For those who still don't believe me, I say do the math yourself. It's really as simple as that.

You just made a common error - you've only looked at the demand side of the equation, which is misleading. Economics dictates that to measure the value of anything, you need to be looking at both the supply and the demand. This is why being a doctor pays better than manning a cash register, even though the demand for cashiers is higher (how many times do you get sick vs. how many times do you buy something in a store?)

Hey, Brad, I know how you feel, and I sympathize. I know what you're going through, because I've been there too. Just maybe 6 months ago, when I first started really hearing about how the Juniper might have a better router, and how the JNCIE program might be a better indicator of guru status, I didn't want to believe it either. I have to admit, I was in a state of denial too. But the more I checked out the facts, the more incontrovertible they looked. I have twisted this subject around in my head many times over and over, and, believe me, I wanted to come up with a reasonable scenario where Cisco wins out. But you can only fight it for so long.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24344t=24336
Re: is it really bad market for ccie ? NO! NO! NO!!!! [7:24336]
just end up sitting at home or ending up getting some other job waiting for that call.

So, it looks like a mixed bag. I agree wholeheartedly that with equal experience, and whatnot, Juniper guys will get more. The hard part is getting the jobs now; right now, at best, we can make educated guesses on the future trends. As for my guess? It does seem like Juniper is growing, and that getting the certification might be very lucrative. I will think about it sometime in the future.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24355t=24336
RE: Passed CIT today!-sniffer skills [7:24131]
From my experience, there is nothing inherently special about learning how to use a sniffer in itself. You are learning how different protocols work, and the sniffer just lets you see that. Learning a sniffer should just mean, "I know which buttons to click to get X, Y, Z kinds of data." Understanding protocols means you can discern what X, Y, Z data is doing and what it means in the big picture. As you can see, one should value the latter, but too many instantly proclaim the former is more important. Not to say you are not doing that; you are doing precisely what you should be doing, really learning TCP/IP. Ironically, if half the people who claimed on their resume "TCP/IP Knowledge", you would not need the presupposed claim of "Experience with Sniffer Pro". Of course, it does not just have to be TCP/IP; it can go down to many different layers, application, data link, etc.

Eh, silly HR will be silly HR. I should write a web page about "How to hire the right IT people for dummies (HR)".

As for your move to become a jack of all trades, master of none: back in the day that was the coined term. I strongly disagree with it, and I think people can easily dual-class themselves into excellent multi-versed individuals. (Dual class is an add term; you can actually become a jack of all trades, master of many.) Too bad you probably will not get paid double, even if you really should. :)

As for learning packet capture analysis, pick your favorite protocol of the day, read RFCs on it, practice using it while sniffing yourself (no pun intended), and follow the packets.

At 01:03 PM 10/25/01 -0400, Buri, Heather L. wrote:
> They have really been good at explaining how to analyze a packet trace. I already knew how to do a basic capture, but analysis was another story. I just thought I would mention these in case anyone else out there was in a situation like mine. Stuck in a job that won't pay for training, but wanting to learn packet capture analysis.
>
> I had not seen these particular books mentioned previously.
>
> Heather Buri

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24131t=24131
RE: MAC address and VLANs [7:23950]
I cut a large portion of the previous message. My argument in that is that we DO have broadcasting monsters. It is known as Windows based PCs. NetBIOS over TCP/IP, announcing wondrous information and trying to get information so they can perform their wonderful elections and create master browsers. Trying to resolve NetBIOS names so they can find their friendly PDC or BDC of the day. Or how about WINS and its excellent method of discerning which names go where. All automagic at the cost of the network.

While what you speak is true, and in a network bereft of Windows mongers I would agree, I think that in a modern system you can still run into issues. According to your logic, it seems like you would be OK with forging a 10.0.0.0/16 network and chaining along switches instead of breaking them into subnets along with their accused VLANs. I suppose with enough good 10/100 switches you are OK. This might be problematic on a 10BaseT network as the broadcasts snowball into huge gobs of bandwidth-draining gunk. (I guess this rolls into the non-modern network though.) I have a client who used some 10 base hubs too, and just band-aided it with a few switches here and there.

NetBIOS over TCP/IP sends broadcasts quite frequently. I almost dare say within a minute. CPUs can vary, and there is always the aging 486 on the fringe. I guess ultimately on a solid 10/100Base switched network you do pose a good point. However, do you think that a nasty 10.0.0.0/16 network might be going a bit too far even with the latest technology? In that case, we can argue, who really needs routing protocols internally? Just slap up the good old super flat network and have a default gateway and rarely call in the big dogs to make changes. Just throw a few statics to the few other super flat networks and we got an enterprise solution. :)

Not trying to pick a bone with you. I agree with you, but I am curious where do you feel is the threshold? You say until it breaks, but I want to deploy a better solution before we get to that.

At 07:52 PM 10/24/01 -0400, Chuck Larrieu wrote:
> hooray for you, PO! you are absolutely correct.
>
> In military science, it is well known that military establishments enter any war prepared to fight the previous one. In these days of DSL to the home desktop, 100 megabit to the office desktop, ATM backbone WANs, and HTML based applications, we networking students study various means of eking out another packet or two on 56K links. Anyone here see the point of ISDN backup for DS3 links? ;-
>
> Your forward thinking is commendable.
>
> Chuck
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
> Sent: Wednesday, October 24, 2001 11:51 AM
> To: [EMAIL PROTECTED]
> Subject: Re: MAC address and VLANs [7:23950]
>
> > The multi-VLAN feature that Leigh Anne mentioned might solve your problem. The Cisco switch port could be associated with two VLANs that way. You didn't say which switch you have, and this feature may not be available on all Cisco switches, though.
> >
> > Assuming that you don't want to upgrade the little switch to one that does 802.1Q or ISL, another somewhat radical fix to the problem might be to not use VLANs. My philosophy is that once VLANs get to the point of causing more problems than they fix, I eliminate them. ;-)
> >
> > One of the main things VLANs were supposed to fix was excessive broadcasts causing too many CPU interruptions on numerous workstations in a large, flat, switched network. Lately I have taken to making the controversial statement that this problem doesn't exist on many modern networks. These days workstations have amazingly fast CPUs. They are not bogged down by processing broadcasts. Also, as we eliminate older desktop protocols such as AppleTalk and IPX, what is still sending broadcasts? An ARP here or there is not a big problem. And ARPs don't actually happen that often. A PC keeps the data-link-layer address of its default gateway and other communication partners for a long time.
> >
> > Also, a lot of PC NICs used to be stupid about multicasts and interrupt the CPU for irrelevant multicasts for which the PC was not registered to listen. I bet that bug has been fixed by now.
> >
> > VLANs have other benefits (security, dividing up management and administrative domains, etc.) But if broadcasts are the issue, one should ask: Which protocols send broadcasts and how often? How fast are the CPUs?
> >
> > And that is my latest harangue against my least favorite LAN technology (VLANs!)
> >
> > Priscilla
> >
> > ___
> > Priscilla Oppenheimer
> > http://www.priscilla.com

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24061t=23950
RE: MAC address and VLANs [7:23950]
At 08:32 PM 10/24/01 -0700, Chuck Larrieu wrote:
> interesting points, and well taken.
>
> if one takes VLANs to be synonymous with subnets then sure. your 10.0.0.0/16 thought reminds me of the good old days when the Xylan marketing team was out hawking their "flatten the network" religion. In this respect I am a traditionalist - route where you can, and bridge where you must.
>
> yeah, I keep forgetting that Windows does some broadcasting, but recall that I come out of the brokerage industry, where broadcast was a necessity. How else would quote machines work? Upwards of 80-90% of our LAN traffic during market hours was broadcast.
>
> So how much broadcast traffic can a couple hundred windoze boxes really create, and just how badly does that really affect network performance? Particularly if you are running a fully switched environment, or even in a hubbed environment, assuming 12-24 port hubs?
>
> When I was young and foolish, I ran my network on daisy chained 48 port hubs, and I think I got up to around 125 stations and printers before I regretted my foolishness. This was in that self same brokerage firm, with the outrageous broadcast traffic. I know a Major Bank where they at one time ran segments of 700-100 end stations. And survived to a certain degree. ( although they were the masters of broadcast control :- )
>
> As I said, your points are well taken. the application drives most things, but the architecture surely drives others.
>
> thanks.
>
> Chuck

Well, I admit, my response was a bit clouded by the fact that one of our clients recently requested a redesign of their flat-beyond-flat network. Call it justification! They are using, UGH, 10BaseT hubs with some nasTY (with an intentional capital T and Y) daisy-chaining hub action, which REALLY exacerbated performance loss. Not to mention it's all Bay GEAR! Evil! :)

Admittedly, that IS changing the premise of Priscilla's original statement. The network I am working on is HARDLY the epitome of the modern day model system Priscilla described. I am guessing with solid switches across the board, it might very well be pretty darn good in terms of performance. I was just curious where the new practical bar was raised to.

If the situation is with 10BaseT hubs, I would not be surprised if performance is really becoming an issue where broadcasts become a percentage of your daily bandwidth. Where broadcasts are probably far more often, being that even unicast packets are broadcast on the wondrous layer 1 repeater technology known as hubs. With all switches, I am not too sure I can say clearly otherwise, but I was just wondering how far is a practical limit in today's modern systems?

On top of that, yes, all in moderation. If we take either approach to the extreme, we clearly see significant flaws. No one wants to run subnets of 2 usable hosts each for their entire network and smash their Catalyst 6509 with routing modules to oblivion. No one wants to run the 30,000 flat network from HecK. (Ok, maybe some people do...) Look Ma, no routers!

On the side, you just noticed your statement implies that some would run multiple VLANs with a single subnet? I guess you would depend on having at least one port on both VLANs to get interconnectivity? Would that be like bridging? (unifying two layer 2 networks).

Her statements on the Windows protocol seem correct. Ugh, I got to whip out the old sniffer again. Or read up again. I could have sworn I STILL saw a multitude of crap flying every second on my old college network even after we went to a switch. I should try again since her points seem quite valid. Hm.

Although broadcasting was necessary, in the more extreme case, does it make sense for a quote server to broadcast to another quote server? There is a small subsegment of "don't cares" for the quotes; it seems like multicast is more ideal, but probably not necessary. No matter, I am sure the demigods of broadcast control had a working solution. :)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24080t=23950
Re: Problem with Etherchannel [7:23692]
You cannot do both as desirable. One must be desirable and the other auto. Or you can try forcing the modes to on and on. That might fix it!

At 12:57 PM 10/21/01 -0400, Brad Moss wrote:
> I am trying to connect two cat5500s and am unable to get port channel to come online. I have configured both sides; below is the config of the ports. Any help would be greatly appreciated. These are production switches; the only thing I have to done is reboot them. For some reason they are not recognizing that they are connected to the same switch on the other end of either link. I am unaware of any special things that must happen for port channeling; both blades support it.
>
> Set port channel 8/3-4 mode desirable
> Set trunk 8/3 isl on
> Set trunk 8/4 isl on
>
> Set port channel 1/1-2 desirable
> Set trunk 1/1 isl on
> Set trunk 1/2 isl on
>
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> 8/3                      connected  trunk      normal full   100   100BaseFX MM
>
> Port  Status     Channel               Admin  Ch
>                  mode                  Group  Id
> ----- ---------- --------------------- ------ -----
> 8/3   connected  desirable non-silent  157    0
>
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> 8/4                      connected  trunk      normal full   100   100BaseFX MM
>
> Port  Status     Channel               Admin  Ch
>                  mode                  Group  Id
> ----- ---------- --------------------- ------ -----
> 8/4   connected  desirable non-silent  157    0
>
> SJMDFSW01 (enable) sho po channel
> No ports channeling
>
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> 1/1   Uplink SJMDFSW01   connected  trunk      normal full   100   100BaseFX MM
>
> Port  Status     Channel     Channel      Neighbor     Neighbor
>                  mode        status       device       port
> ----- ---------- ----------- ------------ ------------ ---------
> 1/1   connected  desirable   not channel
>
> Port  Name               Status     Vlan       Level  Duplex Speed Type
> ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> 1/2   Uplink SJMDFSW01   connected  trunk      normal full   100   100BaseFX MM
>
> Port  Status     Channel     Channel      Neighbor     Neighbor
>                  mode        status       device       port
> ----- ---------- ----------- ------------ ------------ ---------
> 1/2   connected  desirable   not channel
>
> SJDCSW02 (enable) sho po channel
> No ports channelling
>
> Brad Moss, CCNA
> Network Administrator
> CHRISTUS St. Joseph's Medical Center - South
> www.christushealth.org
> (903) 737-3160
> [EMAIL PROTECTED]

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23693t=23692
Re: Problem with Etherchannel [7:23692]
Yeah, sorry for the misinformation before. Here is a good way to remember the modes. For the most part, PAgP is either auto or desirable. Or you can just turn the pesky thing on or off (non-PAgP). Of course it will only work if you are both on if you choose the non-PAgP mode.

As for knowing the right compatibility, remember that desirable people are also aggressive. :) Two aggressive people can communicate. Auto is passive. Two passive people cannot communicate. One aggressive and one passive can communicate as well. Just think of an aggressive desirable as those players (male or female). Those nice guys and girls who are passive just never get with anyone. :)

Sorry, I just immediately jumped the gun and assumed you chose the two passive case without really reading carefully and remembering my own rules. :( Very bad form; I do not blame anyone for not believing me after such a blunder.

> You cannot do both as desirable. One must be desirable and the other auto. Or you can try forcing the modes to on and on. That might fix it!
>
> At 12:57 PM 10/21/01 -0400, Brad Moss wrote:
> > I am trying to connect two cat5500s and am unable to get port channel to come online. I have configured both sides; below is the config of the ports. Any help would be greatly appreciated. These are production switches; the only thing I have to done is reboot them. For some reason they are not recognizing that they are connected to the same switch on the other end of either link. I am unaware of any special things that must happen for port channeling; both blades support it.
> >
> > Set port channel 8/3-4 mode desirable
> > Set trunk 8/3 isl on
> > Set trunk 8/4 isl on
> >
> > Set port channel 1/1-2 desirable
> > Set trunk 1/1 isl on
> > Set trunk 1/2 isl on
> >
> > Port  Name               Status     Vlan       Level  Duplex Speed Type
> > ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> > 8/3                      connected  trunk      normal full   100   100BaseFX MM
> >
> > Port  Status     Channel               Admin  Ch
> >                  mode                  Group  Id
> > ----- ---------- --------------------- ------ -----
> > 8/3   connected  desirable non-silent  157    0
> >
> > Port  Name               Status     Vlan       Level  Duplex Speed Type
> > ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> > 8/4                      connected  trunk      normal full   100   100BaseFX MM
> >
> > Port  Status     Channel               Admin  Ch
> >                  mode                  Group  Id
> > ----- ---------- --------------------- ------ -----
> > 8/4   connected  desirable non-silent  157    0
> >
> > SJMDFSW01 (enable) sho po channel
> > No ports channeling
> >
> > Port  Name               Status     Vlan       Level  Duplex Speed Type
> > ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> > 1/1   Uplink SJMDFSW01   connected  trunk      normal full   100   100BaseFX MM
> >
> > Port  Status     Channel     Channel      Neighbor     Neighbor
> >                  mode        status       device       port
> > ----- ---------- ----------- ------------ ------------ ---------
> > 1/1   connected  desirable   not channel
> >
> > Port  Name               Status     Vlan       Level  Duplex Speed Type
> > ----- ------------------ ---------- ---------- ------ ------ ----- ------------
> > 1/2   Uplink SJMDFSW01   connected  trunk      normal full   100   100BaseFX MM
> >
> > Port  Status     Channel     Channel      Neighbor     Neighbor
> >                  mode        status       device       port
> > ----- ---------- ----------- ------------ ------------ ---------
> > 1/2   connected  desirable   not channel
> >
> > SJDCSW02 (enable) sho po channel
> > No ports channelling
> >
> > Brad Moss, CCNA
> > Network Administrator
> > CHRISTUS St. Joseph's Medical Center - South
> > www.christushealth.org
> > (903) 737-3160
> > [EMAIL PROTECTED]

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23702t=23692
Re: OT: Enable secret hacking [7:23670]
You are correct, assuming fully random values. Let us not assume that 4 hours is a long time. If they have the hash, they have all the time in the world and you will never know they are cracking away at it. The hash MUST be and SHOULD be guarded at all costs. This definitely stops the neophytes, but you really do not want the pros getting their hands on it.

Each attempt varies; for MD5, john in particular runs 440 cracks per second on a K6-200. This is very slow.

As for kittens/1, no, it would not help much. If you have ANY string that is within a dictionary, you just gave up that entire subsection. There are a lot of clever combinations that can be used and done. If you do not believe me, just take a look at some regular expressions that Perl programmers use. You can catch a LOT of combinations and do lots of tricks.

1) Do not use ANYTHING remotely related to you personally or in a dictionary for a password.

2) Do not use clever combinations like KiTtEnS/134; it is just as easy to crack.

3) Do not use password generators. Why? Write a program that does password generation. You did it? Great. You did an algorithm based on some random seed. Does not matter, you now have a pattern which you can write your hacking program to work with. Now it will know your pattern if it can reverse engineer the algorithm (should not be too hard), and you can kiss every single password that you used with that goodbye, like in 5 seconds each. ;) (If you use open source software to generate, they got the algorithm; if you used closed source, you can delude yourself in that security through obscurity works. Well, it does not.)

At 03:19 PM 10/21/01 -0400, Gareth Hinton wrote:
> I would imagine that if using a-z and 0 to 9, with 8 characters there would be 8 to the power 36 combinations (I think). Trouble is those numbers are getting too large for me to have any concept of how long it would take to hack. We'd need to get an idea of how long each attempt takes.
>
> Looking back at the original password it was very similar to yours. His unix box had been going for 4 hours when we stopped it to do those tests, so much harder to crack. I'm going to set one off later to see how long it takes.
>
> This is not scare mongering by the way. To accomplish this you already need to have the MD5 hash. I think it's just better to avoid complacency - make the passwords longer and use special characters if possible. I didn't realise the amount of difference between dictionary passwords and the alternative. I suppose something as simple as kittens/1 would cut out the dictionary searches.
>
> Gareth
>
> Maissen Sacha wrote in message news:[EMAIL PROTECTED]...
> > Anh,
> >
> > Sorry for my question about your test below. This program john the ripper, is it working with dictionaries or not? Because my question is, if I use passwords like 12eldkvi, which are not in any dics, how long you need then to crack a MD5-password?
> >
> > Regards
> > Sacha
> >
> > -----Original Message-----
> > From: Anh Lam [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, 21 October 2001 20:46
> > To: [EMAIL PROTECTED]
> > Subject: Re: OT: Enable secret hacking [7:23670]
> >
> > > Gareth,
> > >
> > > I create an enable secret password on a Cisco router 2610 with the password as you mentioned, kittens. Remember this is an MD5 encrypted string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0). You know what, I take this string and use the program called john the ripper running on my linux box to crack it. This linux is a pentium 200MHz with 64MB of RAM. It takes exactly 5 minutes to crack this password. I would imagine for longer enable secret password, it takes longer but not as difficult as it sounds.
> > >
> > > Regards,

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23717t=23670
Re: AW: OT: Enable secret hacking [7:23670]
It has to do brute force strength. Against an MD5, it does pretty poorly, benching about 440 cracks per second on a K6-200 with 160 megs of RAM (RAM is irrelevant to be honest). I am guessing that say a gigahertz processor might do a linear increase to about ~2000 cracks per second. This is pretty slow and has almost no chance to stop a good 8 character password. With about 92 or so character choices for a password, 8^92 == 121.416E81. Or, a heck of a lot for a simple 8 character password. Yes, with this number, it is impossible for one machine to do this in a lifetime.

Note, few people put up good, strong passwords. If there is any level of efficiency, we can cut this number down a lot.

On the side, Microsoft's Mighty NT LAN Man DES gets hit by an astounding 90K cracks per second on a K6-200. Forget that, I believe L0phtcrack lets you do 300-400K cracks per second on your slightly below average processor of today and can do them in parallel. Maybe that is why Microsoft is quickly dropping their LanMan hash as they introduce Win2k as the champion server OS?

However, I wonder if one can use programs like john the ripper in parallel with other machines. With a cracking Athlon box running for maybe $400 bucks, you can probably set up one nasty cluster to cut this down to size. Although this may seem like a lot of trouble a hacker has to go through, it is and it is not. If you give ANYONE an encrypted hash guarding something really important, you can assume it will be cracked within a lifetime and be used against you. (Another good reason why you should rotate your passwords over a certain amount of time, but that of course has other possible problems.) Heck, it seems fairly reasonable for a hacker to have a small cluster of Athlon boxes. I have quite a few PCs at home.

As for practicality, one could argue most script kiddies are unable to fathom even what I just wrote. However, a mere amateur or professional hacker could easily wreck do this. Be careful if you have sensitive information or enemies!

At 02:59 PM 10/21/01 -0400, Maissen Sacha wrote:
> Anh,
>
> Sorry for my question about your test below. This program john the ripper, is it working with dictionaries or not? Because my question is, if I use passwords like 12eldkvi, which are not in any dics, how long you need then to crack a MD5-password?
>
> Regards
> Sacha
>
> -----Original Message-----
> From: Anh Lam [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, 21 October 2001 20:46
> To: [EMAIL PROTECTED]
> Subject: Re: OT: Enable secret hacking [7:23670]
>
> > Gareth,
> >
> > I create an enable secret password on a Cisco router 2610 with the password as you mentioned, kittens. Remember this is an MD5 encrypted string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0). You know what, I take this string and use the program called john the ripper running on my linux box to crack it. This linux is a pentium 200MHz with 64MB of RAM. It takes exactly 5 minutes to crack this password. I would imagine for longer enable secret password, it takes longer but not as difficult as it sounds.
> >
> > Regards,

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23716t=23670
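The two enable-secret messages above argue from a measured rate (440 cracks per second on a K6-200) and from the keyspace of a random 8-character password. The following is an added example, not code from the thread or from any of its posters: it re-implements md5crypt, the crypt(3) scheme that Cisco type 5 `enable secret` hashes (`$1$salt$...`) use, on top of Python's standard hashlib, so a defender can check a candidate against a stored hash the way a login routine would, and it puts the thread's numbers side by side: a dictionary of a hundred thousand words falls in minutes at that rate, while a random 8-character password drawn from 92 symbols does not fall in a lifetime. The dictionary size is an assumed round figure, and the salt `Em47` is simply borrowed from the hash Anh Lam posted.

```python
"""md5crypt ($1$) verification plus keyspace arithmetic (added example)."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    # md5crypt's own base-64 variant: 6 bits at a time, least significant first.
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return the '$1$salt$...' string for password (str) and salt (up to 8 chars)."""
    pw = password.encode()
    sl = salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in 'alt' for as many bytes as the password is long.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length, add a NUL byte or the first password byte.
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    # 1000 extra rounds: the deliberate slowdown that keeps MD5-crypt at
    # hundreds of attempts per second on hardware of the thread's era.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # The 16 output bytes are interleaved before encoding, as in the reference code.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + encoded


def verify(stored_hash, candidate):
    """True if candidate hashes to stored_hash; the salt is read from the hash itself."""
    parts = stored_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a $1$ md5crypt hash")
    return md5crypt(candidate, parts[2]) == stored_hash


def seconds_to_exhaust(alphabet_size, length, cracks_per_second):
    """Worst-case time to try every password of this length over this alphabet."""
    return alphabet_size ** length / cracks_per_second


def years_to_exhaust(alphabet_size, length, cracks_per_second):
    return seconds_to_exhaust(alphabet_size, length, cracks_per_second) / (365 * 86400)


def dictionary_minutes(word_count, cracks_per_second):
    """Time to try every entry of a word list once (no mangling rules)."""
    return word_count / cracks_per_second / 60


if __name__ == "__main__":
    h = md5crypt("kittens", "Em47")  # salt borrowed from the thread's posted hash
    print(h, verify(h, "kittens"), verify(h, "kitten"))
    print("100k-word dictionary at 440 c/s: %.1f minutes" % dictionary_minutes(100_000, 440))
    print("random 8 chars from 92 at 440 c/s: %.0f years" % years_to_exhaust(92, 8, 440))
```

The `verify` routine reads the salt out of the stored string, which is how any crypt-style check works and why a leaked hash is enough to start guessing offline: nothing else is needed from the router. The arithmetic is the same point Carroll makes, only with the exponent the right way round for a counting argument (alphabet size to the power of the length).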
Re: EIGRP network design [7:21019]
What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:
> Hi everyone
>
> I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site; should they be allowed to pass through the firewall or should statics be used either side of the firewalls. Another problem I can see is the routes on the firewalls; is there a way to avoid having to type all those route entries in them, the network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.
>
> I'm after some tips, experiences and URLs so I can read around the subject myself
>
> Regards
> Pat

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21096t=21019
Re: Personal Security Recommandation - Cisco PIX or ? [7:21012]
At 12:07 PM 9/25/01 -0400, Ole Drews Jensen wrote:
> In regards to network design in the security area, I would like to start a discussion / get feedback from those of you who have dealt / are dealing with this. I know that I can most likely pull up some websites that has answers to this, but I would like feedback from real people that are working with this.
>
> I am only now in the process of finishing my last exam for the CCNP, and I am then planning on going towards the security specialization. Therefore, my knowledge of firewalls, VPNs, etc. is not that great.
>
> We have at the company I work for used Check Point, but that's a very expensive product, and needs to be relicensed over and over. We are currently using Gauntlet, but that will be discontinued on the Windows NT platform.
>
> Because of this, I am now trying to get some feeling for a good solution, and (of course) Cisco's PIX came to my mind. However, I have a couple of questions I would like to get some feedback on, and perhaps start a short discussion. How is the PIX compared to other products when looking at:
>
> 1) Difficulty of administration?
> 2) Price?
> 3) Effectiveness of intruder protection?
> 4) Speed (slowing down the communication)?
> and
> 5) What would you recommend?
>
> Thank you very much for your time on this,
>
> Ole

PIXes are probably harder to work with than the other friendlier looking ones. I do not consider that a big minus though. If you understand firewalling, any solution will suffice assuming basic primitives are available (PIX included). There is a new GUI mode available, but I dismiss the interface as a serious buying factor. However, since you do not understand firewalls, or so you say, this might be fairly hard. In my viewpoint, you can make the GUI as friendly as possible, but it will not make you an expert. Look at Microsoft and GUI based firewalls. If you do not know what you are doing, no amount of fluff and point-and-click icons is going to make you an expert in security. Hm.

In terms of a centralized manager, one might exist. I never worked with a large enough number of PIXes to need any management tools (just ssh in), but I think one is available.

Pricing is probably fairly competitively priced to the others.

These are not intrusion detection systems. I would have to say any firewall is going to essentially do horribly in this category. An intrusion detection system is simply a glorified sniffer that matches against a heuristic database of alerts. A firewall does not do this, especially not the PIX. I would not buy into Cisco's IDS system either if you want a good intrusion detection system. Sorry Cisco fans, I like their routers. Just not their IDS.

Speed? Excellent. Any decent firewall has a negligible performance loss. Except for maybe firewalls on Microsoft NT. :)

I usually go with a commercial solution, but one thing that bugs me is the PIX has HORRIBLE logging capabilities. I mean absolutely horrible. I much prefer my open source IPFilter firewall over the PIX in debugging rulesets. I heard Check Point is a bit better in logging. I just think it is ludicrous that it is difficult to figure out precisely what is being blocked at times.

As for IDS, I prefer snort+demarc combinations. IDS is a different ballgame in my opinion. I personally would avoid any Cisco solution for IDS. Their boxes are generally poor performers, and (last I checked) they are not going to give up full decoded packets like snort will on a BSD box.

If you are really stuck, I can do commercial support. However, I think you are looking for your own answers and are a self-starter.

> ~~~
> Ole Drews Jensen
> Systems Network Manager
> CCNA, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
> ~~~
> http://www.RouterChief.com
> ~~~
> NEED A JOB ???
> http://www.oledrews.com/job
> ~~~

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21095t=21012
Re: long wait for TELNET sessions [7:20016]
At 05:45 PM 9/14/01 -0400, Frank Kim wrote:
> Hi folks,
>
> Please advise me on the below:
>
> PC1-PIX--Router--Router--PIX--PC2
>
> PC1 = NT box
> PC2 = Unix box
> Frame Relay is connected between the two routers
> PIX codes are 5.2(6)
>
> My problem is that when I initiate a telnet session to PC2 (unix box), the tcp session establishes right away. But I have to wait for about 30-60 seconds to see the login screen. What is the potential problem in this? Is it on the pix or on the router?
>
> Thanks for any help.
>
> -Frank

Your problem is most likely DNS. Make sure PC2 can do a reverse DNS lookup on PC1.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=20026t=20016
Re: NAT PAT Cost Latency [7:19899]
If you use NAT, you are generally just trying to hide ips, or trying to shovel many ips of one domain (in the mathematical sense) into another smaller domain. If you use NAPT (or the Cisco term, PAT), you are multiplexing connections against ips + ports, instead of just IPs. Of course then you get a many to one cardinality (hence the concept of ip sharing).

The problem with this is sometimes people need specific listening ports for certain applications, and this can pose serious problems. So, people may run into issues with those applications. Fortunately, cisco has some built in light-weight proxying which enables you to use quite a few features with no problems. Most vendors will call this application support with NAT (which they really mean NAPT, or Cisco PAT). I generally do not use Cisco's NAPT that often so I do not know the details of which proxies are available.

Some applications that will have issues are
-Active FTP
-Any server application which has a well-known incoming port

In terms of performance, unless you got one of those really crappy cisco boxes doing a bit more than their feeble processors can dig, there is nearly no performance loss. Essentially, it is like a single ACL hit and then a translation which should be fast (hash table access probably).

Your costs will be dealing with the many to smaller many issues (when you run out of static NATs to do, think combo of static NAT for the important ips and PAT to avoid this). Also if you choose to go purely with PAT, be aware of the issues with some applications that are server like in nature.

Hope this clears some stuff up. Of course, you can always go to... heehe www.cisco.com or any other web site with white papers, AKA
ip masquerading for linux
ipfilter for openbsd, freebsd, netbsd, solaris, and hp-ux
ipfw for freebsd
(yeah I know you said no wise cracks, but hey, I could not resist!).

At 12:06 AM 9/14/01 -0400, Circusnuts wrote:

Has anyone come across performance specs, statistics, or costs (latency or otherwise) for NAT PAT services ??? Thanks Phil

PS- no wise-acre's please, I know all about www.Cisco.com :o)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19908t=19899
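The many-to-one mapping described above, and why a server listening on a well-known port behind pure PAT is unreachable until a static entry exists, as an added example written for this archive (not code from the post or from Cisco). Addresses, ports and the flow-table layout are constructed sample values.

```python
"""Toy NAPT ("PAT") translation table (added example, constructed data).

Inside (ip, port) pairs are multiplexed onto a single outside address by
rewriting the source port.  Only packets that match an existing entry are
translated inbound; an unsolicited packet to a well-known port is dropped
unless an operator added a static mapping for it, which is the
"static NAT for the important ips + PAT for the rest" combination.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)
FlowKey = Tuple[str, int, str]      # (inside ip, inside port, proto)


@dataclass
class NaptTable:
    outside_ip: str
    next_port: int = 1024           # first dynamically allocated outside port
    out_map: Dict[FlowKey, int] = field(default_factory=dict)
    in_map: Dict[Tuple[int, str], Endpoint] = field(default_factory=dict)

    def _allocate(self, proto: str) -> int:
        # Skip ports already in use for this protocol (static or dynamic).
        while (self.next_port, proto) in self.in_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def add_static(self, proto: str, outside_port: int, inside: Endpoint) -> None:
        """Pin one outside port to an inside server (the 'important ip' case)."""
        self.in_map[(outside_port, proto)] = inside
        self.out_map[(inside[0], inside[1], proto)] = outside_port

    def translate_outbound(self, src: Endpoint, dst: Endpoint,
                           proto: str) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of an inside->outside packet; create entry if new."""
        key: FlowKey = (src[0], src[1], proto)
        port = self.out_map.get(key)
        if port is None:
            port = self._allocate(proto)
            self.out_map[key] = port
            self.in_map[(port, proto)] = src
        return (self.outside_ip, port), dst

    def translate_inbound(self, src: Endpoint, dst: Endpoint,
                          proto: str) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite the destination of an outside->inside packet.

        Returns None when no entry matches: the packet is dropped, which is
        exactly what happens to a well-known listening port behind pure PAT.
        """
        inside = self.in_map.get((dst[1], proto))
        if inside is None:
            return None
        return src, inside


def demo() -> dict:
    """Two inside hosts share one outside address; unsolicited port 80 fails."""
    t = NaptTable(outside_ip="203.0.113.1")
    a, _ = t.translate_outbound(("10.0.0.5", 1234), ("198.51.100.9", 80), "tcp")
    b, _ = t.translate_outbound(("10.0.0.6", 1234), ("198.51.100.9", 80), "tcp")
    reply = t.translate_inbound(("198.51.100.9", 80), a, "tcp")
    unsolicited = t.translate_inbound(("198.51.100.7", 4000),
                                      ("203.0.113.1", 80), "tcp")
    t.add_static("tcp", 80, ("10.0.0.80", 80))
    after_static = t.translate_inbound(("198.51.100.7", 4000),
                                       ("203.0.113.1", 80), "tcp")
    return {"a": a, "b": b, "reply": reply,
            "unsolicited": unsolicited, "after_static": after_static}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```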
RE: Privilege Level command driving me nuts!! [7:19158]
Usually, no. The functions and system calls on a Unix machine are usually quite different than a Windows machine. You would have to run the daemon on the Unix machine you compiled on. Someone would have to port it over.

At 01:07 PM 9/9/01 -0400, Cisco Nuts wrote:

That's pretty cool. Free TACACS server !!! I have configured TACACS before and yes we did have to put a login local option should the tacacs server fail. I was just playing around with the privilege command. Thanks for your help. I have a Unix box at work. Can I download the tacacs software on it, compile it and then use it on a NT 4.0 box? Any instructions/directions that you can provide is highly appreciated.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19189t=19158
Re: access-list ports ( TCP /UDP) [7:17374]
Ok, Ednilson is correct in that the list will not help Shella solve her problem. However, I would generally take what www.iana.org says as the standard that all should abide by. Does that mean people will break it? You betcha. What kind of authority says that they are right? Well, any good network engineer knows that RFC1918 claims a particular set of networks are deemed for private usage. Guess who tries to mandate such RFCs in ip address allocation and port allocation, iana. http://www.iana.org/assignments/ipv4-address-space

The list has allocated the port, UDP and TCP for it. Yes, not every application uses both, but they might, and that is the point. They do preallocation for a particular protocol and people stick with those 'well known ports' as a standard to avoid pure chaos.

In reference to Shella, the best way is unfortunately, to read the RFC for the protocol. As far as I remember, DNS uses UDP almost exclusively for all queries, and TCP for DNS Zone Transfers. If that does not make any sense to you, you really should double up on the reading on DNS. For most intents and purposes, you only really need UDP to go through unless you got secondaries, tertiaries, quadaries (sic) sitting far and away. This is assuming a well defined DNS server that follows the specs. I am sure you can find deviations from the ever-so-popular microsoft DNS servers or any other dns server. But hey, that's the price you pay for buying into the pioneers of their own standards.

At 04:39 PM 8/27/01 -0400, Ednilson Rosa wrote:

The problem with this list is that every application seems to use both UDP and TCP, which is not always true.

Ednilson Rosa

- Original Message -
From: Brian Whalen
To:
Sent: Monday, August 27, 2001 5:03 PM
Subject: Re: access-list ports ( TCP /UDP) [7:17374]

I use http://www.iana.org/assignments/port-numbers for finding out about port numbers. Re the dns topic below, udp is fine for a company that does not have its own dns servers and only makes queries. TCP is used for zone transfers. I believe that in newer versions of bind, random hi port numbers are used.

Brian Sonic Whalen
Success = Preparation + Opportunity

On Mon, 27 Aug 2001, shella kevin wrote:

when dealing with access-list we use both TCP UDP. For example we use tcp 53 or udp 53 for domain. My Q is how we know when we should use UDP and when TCP. what is the difference. Thanks Shella K.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17452t=17374
RE: point-to-point question? [7:17437]
At 05:18 PM 8/27/01 -0400, Marshal Schoener wrote:

Thanks, It's a full T1. There was never a problem until there was a power outage. Ever since then, there have been strange problems trying to hit the remote servers from the offices... The setup is simple, being that it is HDLC and only really requires an IP address on the interface and some routes :) But, I'm thinking that there can be a problem on one of the WICs... Thanks again,

Well, is it possible that you guys configured some settings, and forgot to write the configuration to NVRAM? So a power outage caused you to load the old configuration which is now... unfit for your network settings. When was the next to last reboot of the box? Anyway, just something to think about.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17457t=17437
Re: hyperterminal for linux [7:17115]
At 10:44 AM 8/24/01 -0400, Patrick Ramsey wrote:

minicom. It's probably already on your system. start it up and go into settings and take out all the dial and hangup commands.

-Patrick

george gittins 08/24/01 10:01AM
is there a hyperterminal version for linux?

For those who may not have installed it, you can almost always depend on cu.

cu -l /dev/cuaa0 -s 9600

This will console into your serial device on COM1. To exit, type in ~ wait . then hit enter. The /dev/ might be different for Linux. You would have to know the same information for minicom anyway (IIRC). Very light and most likely in the most bare of systems as well (like vi).

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17145t=17115
Re: OT, was RE: Tacacs+ for home Use? and Passed CCIE written [7:14525]
At 03:16 PM 8/1/01 +, data com wrote:

Carroll, I got CCNP and CCDP but I am pretty new to UNIX system. I want to learn UNIX with a focus on networking part for the following reasons.
-integrate UNIX system to the internetwork
-use UNIX for device management using scripts
Now, what flavour of UNIX do you recommend to learn as a start? I suppose there is a flavour which contains many commands that also work on other systems, and also a flavour that is most commonly used. Thank you in advance, Marc

I suggest FreeBSD, but any Unix can be leveraged as a basic learning tool to learn other Unices. If you really understand the concepts and theory of how unix systems are designed, you can easily adopt other unices.

The problem with the universal flavor is that all unices for the most part have their roots within two types of unix systems. BSD and SysV. Most commercial unices will be very SysVish. This means their init scripts are usually different, and the layout is going to be different than a BSD like machine. The freeware OSes tend to be very BSDish. Unfortunately, this puts you in a bind. There really is no one unix to rule them all. :( Even if you do pick a BSDish like userland like FreeBSD, some binaries are different than say Redhat Linux. Things like route print would not work in FreeBSD, but netstat -rn would work in FreeBSD and in Solaris x86!

In BSDish (and open source) terms, Linux distributions are probably the most used. However, they seem to do a lot of nasty non-standard things like Microsoft. Namely, their GNU route and GNU netstat are drastically different. Plus, their /bin/sh is NOT shell script but rather BASH! ARGH! I feel FreeBSD is far cleaner.

In SysV (and commercial) terms, Solaris has definitely become a king. If you want to get good with SPARC hardware, buy a Sun Blade. (not suggested unless you REALLY want to be a Sun head) If you just want to learn Solaris, you are in luck as Solaris x86 is available for free I believe. (I bought my copy for ~$80 bucks?). Solaris x86 will most definitely be less forgiving on the hardware support.

I feel any BSD, Linux, or Solaris are great starters. Just pick one, and get really good with it. The others will be easily acquired if you run into them. Learn any of them well enough, and you can easily do the two things you mentioned.
-integrate UNIX system to the internetwork
-use UNIX for device management using scripts

Good luck!

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=14525t=14525
Re: OT, was RE: Tacacs+ for home Use? and Passed CCIE written [7:14428]
At 07:20 PM 7/31/01 -0400, Jonathan Hays wrote:

No keyboard? It depends. While it's true that native UNIX workstations (Sun, HP, etc.) will run headless, most Intel x86 boxes I have encountered require you to plug in a keyboard or the machine won't boot, regardless of the OS installed. Or is there a way around this I don't know about?

--- Jonathan

Ah, good point. Now why would it not care which OS? The bios. Crapola bios which give you very little flexibility (enter most commercial packaged PCs with their crap bios) have this problem. If you get a good Asus Motherboard (actually a LOT of vendors give you this flexibility), their bios have this option called

Halt On Error: All Error

Change it to

No Errors

Your PC will easily POST without the need for a keyboard after this change.

For FreeBSD, you probably want to modify the kernel to always force on the keyboard. You can also recompile the kernel to enable a serial console so it works like the bad-boy Unix Workstations. (need a null serial modem cable and you are ready to rock and console :) )

Reason why you want FreeBSD to always force on the keyboard. If you do not plug in the keyboard, let the box boot, and then plug the keyboard back in, you cannot type anything in. With always force on, it will work afterwards. Of course, this is only the case if you really messed up the box (kernel panic, ip misconfiguration, firewall rules that kick you off) and your boss forgot to buy that access console server.

Linux also has a serial console capability IIRC. If anyone here learns basic FreeBSD on their own and needs help for doing some of these more advanced features, I will easily lend a hand.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=14428t=14428
Re: Tacacs+ for home Use? and Passed CCIE written today [7:14288]
At 06:40 PM 7/30/01 -0400, [EMAIL PROTECTED] (Timothy Ouellette) wrote:

Hello all. I just passed my CCIE today (very happy). It was not as difficult as I expected (possibly over studied for it, if that's possible). Anyways, I am about to embark on the long journey to complete the CCIE by taking the lab. I have my own home lab and I was wondering if there is a free version of Tacacs+ out there? I know cisco has a Unix version they supply but I don't run Unix here at home (win2k for my lab) and I was wondering if anyone could help. Thanks for your time! Tim

Congratulations on passing the CCIE Written! I guess you might be out of luck. Here are some of your options
a) continue searching for a free version of TACACS+ for Windows.
b) Buy Cisco Secure ACS.
c) Get an old machine and install Linux, Solaris x86, FreeBSD, NetBSD, or OpenBSD and grab tacacs+ from http://www.gazi.edu.tr/tacacs/
d) Port the code yourself from Unix to Windows.

Obviously there is a certain time cost inherent to the last three options. You should certainly weigh out the costs, as ALL of the options have an inherent cost to it, even a). Personally, I think learning Unix is not so bad (maybe I am biased after all of these years) and may only take perhaps a week of your time (if you are a fast learner, one day) if you want to just get TACACS+ on it. You can consider multi-booting, but then you will have to take out more time to make sure you do not fry your machine. I hope you do know a lot about partitioning on x86 hardware. :) It honestly is not that bad, win2k's bootloader is quite friendly with booting the unices.

On the side, I do not think TACACS+ is a requirement for the lab. Not that it is a good reason to not learn TACACS+. Every CCIE should learn that eventually, on at least one platform.

If you install FreeBSD, you may run into issues compiling the code, I patched it so it can work on it. (not as hard as it sounds, only a small line change). If you choose that route, I can help you patch the code so it will compile on FreeBSD.

Good luck!

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=14288t=14288
Re: what's wrong with CCIE today? [7:13151]
At 07:14 PM 7/20/01 -0400, Sean Young wrote:

process. These CCIE guys say that they come from a windows environment so they don't have too much with Unix platforms. I also notice that a lot of CCIEs these days lack the Unix skills that are required for the Service Providers environment. Most don't even know how to tunnel X-application through Secure Shell (SSH). I still remember those days when Cisco Engineers were very well versed in both unix and router skills. I long for those days again. Comments anyone?

So what is the problem? I mean, yes, it is unfortunate. However, in no way is it a requirement to become a CCIE. Would I prefer a CCIE with a unix background, yeah definitely. However, that is just asking for more candy coating. My guess is, past CCIEs had more experience because Cisco ACS was only available on unix maybe?

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=13159t=13151
Re: backup plan for a campus [7:7052]
At 09:33 AM 6/4/01 -0400, Stephen Skinner wrote:

once upon a time there was a man who was given a spec to build a network with full redundancy... the spec he put together cost WAY too much and needed severely cutting down... he told them not to do it but they ordered him to. so he did it, the network fell over and the company sued for designing a crap network... who got the blame.. the man with his NAME on the design doc. have fun steve

1) I am confused. So, if the man who built the over priced network made a fully redundant network, and it still failed, did he not fail his job miserably?
2) Or did you mean, they cut his budget, and STILL told him to make the fully redundant network, despite his warnings?

I am going to assume #2, since #1 does not make sense.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=7062t=7052
Re: Where to get cheap memory for routers? [7:7168]
At 06:16 PM 6/4/01 -0400, Thomas wrote:

Hi All, I am looking for upgrading our Cisco 3660 router. However, the cost for the 128MB of Cisco memory surprised me. It costs like ... $5000.00 for a piece of 128MB memory module for Cisco 3660. I wonder if it is OK to plug in a third party memory module? Has anyone out there done this? Is it safe to do? Which vendors do you recommend with good quality and cheap (or reasonable) price? Thanks All!

You can buy from crucial.com or memorypro.com (I think?). Well crucial.com's pricing is a bit lower than yours.

http://www.crucial.com/store/listparts.asp?model=3660+Series+Routers+%28DRAM%29x=16y=10

A pesky $41.39 dollars for 128 megs of RAM. Thank goodness Cisco started to use SDRAM instead of EDO!

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=7169t=7168
Re: Passed CIT - Now a CCNP!! [7:6725]
At 03:14 AM 6/1/01 -0400, Andrew Larkins wrote:

I passed my final exam yesterday - CIT with a score of 919. At last I have my CCNP. Many thanks to everyone on this list for all the informative threads and help with problems I have had over this past period. Now to do my CCDP and security specialisation - anyone have any tips for these? Thanks again Andrew Larkins

I am fairly sure any specialization based off of the CCNP or CCDP has been retired. If you do not have it by now, you cannot get them. However, I am fairly certain that the CCNP gives you a solid base which is probably more than the requirements for the new Cisco Qualified Security Specialist that took the CCNP Security Specialist's place.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6754t=6725
RE: Migration EIGRP-OSPF [7:5724]
At 08:27 AM 5/31/01 -0400, R. Benjamin Kessler wrote:

What is the reason for going to OSPF in this instance, stability problems with EIGRP or multi-vendor support? In my experience people seem to view EIGRP as easier than OSPF - while probably true in really small networks, networks these days just seem to be getting bigger and the same planning required for a successful OSPF implementation is required for EIGRP. I haven't seen too many companies with all-Cisco routers and a healthy EIGRP network looking to change things - thus the question above.

Well, a few points I would bring up is.

Stuck in Active problem of EIGRP. As the updates are being done, the routers will stay in active mode (cannot receive new updates I believe). If the EIGRP network is big, it must wait for the very last router in the periphery to respond back. This could cause issues with convergence time. You may have to modify the timers to increase the hold time (which might cause bad convergence) since genuine requests might take so long that they will get zonked out and the router will delete its entry. This only happens in huge AS (in the EIGRP sense of an area of sorts). So, if the idea of using OSPF and breaking into areas is bad, you technically get the same issue with EIGRP, except in the form of ASes.

Also, you are running a proprietary protocol now. Although it seems to work fine now. If say, they feel another vendor's product is superior in a particular aspect of their network, they might be hard pressed or you will need to do some redistribution/distribution lists which is probably going to be difficult as well.

I suppose all in all it is still easier to use EIGRP. I agree wholeheartedly with your statements. The cost of going to OSPF might seem higher if they are really not that good with it. In that way it somewhat validates them sticking to EIGRP.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6616t=5724
Re: help [7:6552]
At 10:31 PM 5/30/01 -0400, William Harrison wrote:

A little help. As usual we lost the passwords! We have vty password but no secret. I need a good cracks for that router. Any help? TIA William Harrison CCNA

There are a number of password recovery techniques assuming you have console access in one shape or form. Do a search for password recovery. The basis is to reboot the router (yeah you will need someone on site to reset it), and hit the break sequence, change the config registers to avoid loading NVRAM data. Kick in, restore the data from NVRAM into the running configuration. Change the password. Change the config register back. Reload. Finished.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6569t=6552
Re: PIX Software V6.0 [7:5969]
At 05:17 PM 5/25/01 -0400, Vijay Ramcharan wrote:

If anyone wasn't aware, V6.0 of the PIX software is now available. And as I just found out, to use the VPN 3.0 client, isakmp policy ? group 2 must be used to enable successful authentication. Vijay Ramcharan

Are you sure this is not user configurable? Group 2 refers to the Diffie-Hellman group used. I suppose unless they made it a standard to not allow you to use Group 1 (weaker), but sheesh, if they made that the requirement, how dare they let people use DES.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5992t=5969
Re: Exactly what happens in ATM when QoS cannot be fulfilled? [7:5730]
At 12:28 AM 5/24/01 -0400, nrf wrote:

But this makes much less sense in a PVC environment, where the circuits are, well, permanent. For example, for PVC's I understand that you set up a circuit with a given QoS. Then, what if, when you have stuff to send, that QoS you thought you had is just not available at that time? This same question can be extended to SVC's. Let's say you created an SVC with a certain QoS. Then, something bad happens, like one of the ATM switches dies, and rerouting occurs, and the QoS of that SVC can no longer be fulfilled. What happens now? Does the call just die? Or is it kept, but at reduced QoS (and if so, then what was the point of stipulating the QoS in the first place)? Am I just way off base here?

The way I understood it, treat the PVC as whatever QoS mechanism it has. If someone gives you a UBR PVC, when the bandwidth starts going, you are the first pile of cells to drop. If everyone is UBR, then everyone can get dropped, just like Frame Relay, etc. If you got 5 guys with UBRs and one guy with a CBR, the UBRs all die first, before the CBR does. If all of them are CBR, they will all start dying evenly. No such thing as a free lunch, so no such thing as free bandwidth, SOMEONE must PAY for the oversubscription done. OR the ATM Switch will pre-calculate the CBR PVCs and never let you generate such a CBR in which they can oversubscribe the link.

In the end, QoS does not give someone more bandwidth per se, they might give them more prioritized bandwidth, so if they oversubscribe, if you do not have a special QoS setup, they are just as doomed as the guy with the other medium. QoS is about dealing with limited resources effectively, does not really replace getting just more raw bandwidth, just helps hold off buying that new upgrade and keeping some guys happy. (well, latency is a different issue, in which QoS is mandatory and raw bandwidth does not help, but sounds like you were talking about normal data)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5730t=5730
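The drop ordering described in the reply above (UBR cells discarded first, CBR circuits degrading evenly only when the CBR reservations themselves exceed the link, and a switch refusing a CBR that would oversubscribe the link), as an added simulation written for this archive, not code from the post. Link rates, cell counts and the round-robin sharing rule are constructed assumptions, not a model of any particular switch.

```python
"""Toy ATM link scheduler (added example, constructed values).

Per interval: CBR circuits are served first, each up to its reserved peak
cell rate; whatever is left is shared round-robin among UBR circuits.
Cells that do not fit are dropped.  A separate admission check rejects a
CBR request that would push total reservations past the link rate.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VC:
    name: str
    service: str      # "CBR" or "UBR"
    offered: int      # cells this circuit wants to send in the interval
    pcr: int = 0      # reserved peak cell rate per interval (CBR only)


def admit_cbr(link_rate: int, existing: List[VC], request_pcr: int) -> bool:
    """Connection admission control: never reserve more than the link carries."""
    reserved = sum(v.pcr for v in existing if v.service == "CBR")
    return reserved + request_pcr <= link_rate


def round_robin(demands: Dict[str, int], capacity: int) -> Dict[str, int]:
    """Hand out one cell slot at a time so shortfall is shared evenly."""
    sent = {name: 0 for name in demands}
    while capacity > 0:
        progressed = False
        for name, want in demands.items():
            if capacity > 0 and sent[name] < want:
                sent[name] += 1
                capacity -= 1
                progressed = True
        if not progressed:       # every circuit is satisfied
            break
    return sent


def schedule(link_rate: int, vcs: List[VC]) -> Dict[str, Dict[str, int]]:
    """Return per-circuit sent/dropped counts for one interval."""
    # CBR is policed to its reservation: cells above pcr are dropped outright.
    cbr_demand = {v.name: min(v.offered, v.pcr) for v in vcs if v.service == "CBR"}
    cbr_sent = round_robin(cbr_demand, link_rate)
    leftover = link_rate - sum(cbr_sent.values())
    ubr_demand = {v.name: v.offered for v in vcs if v.service == "UBR"}
    ubr_sent = round_robin(ubr_demand, leftover)
    report = {}
    for v in vcs:
        s = cbr_sent.get(v.name, ubr_sent.get(v.name, 0))
        report[v.name] = {"sent": s, "dropped": v.offered - s}
    return report


def mixed_case() -> Dict[str, Dict[str, int]]:
    """One CBR plus five UBR circuits offering twice the link rate."""
    vcs = [VC("cbr1", "CBR", offered=40, pcr=40)]
    vcs += [VC(f"ubr{i}", "UBR", offered=20) for i in range(1, 6)]
    return schedule(100, vcs)


def all_cbr_case() -> Dict[str, Dict[str, int]]:
    """Three CBR circuits whose reservations exceed the link: even decay."""
    vcs = [VC(f"cbr{i}", "CBR", offered=50, pcr=50) for i in range(1, 4)]
    return schedule(100, vcs)


if __name__ == "__main__":
    print(mixed_case())
    print(all_cbr_case())
    print(admit_cbr(100, [VC("cbr1", "CBR", 40, pcr=40)], 70))   # rejected
```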
Re: OT: DHCP question [7:5745]
At 11:17 AM 5/24/01 -0400, Nabil Fares wrote:

Greetings all, For those with pretty good DHCP knowledge, how can I force a user to renew his IP address/lease from the DHCP server? Running Linux with ISC DHCP server. Thanks, Nabil

I do not believe you can. Just hope that you set the lease time to something relatively short. :)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5749t=5745
Re: Cisco 5008 [7:5039]
At 02:31 PM 5/18/01 -0400, Moe Tavakoli wrote:

Any one have any experience with the 5000 series VPN boxes. I have it in and set-up; there are a number of problems... The ISAKMP rekeying is not standard so I have to reboot the damn thing every 8 hrs... Now today I set up a tunnel to a Cisco 3030 and the tunnel drops every 20 mins and the syslog on the 5008 is no help.
__
Moe Tavakoli

I ran into some small issues, but for the most part they worked fine. Lan-to-Lan setups or vpn clients? Are you sure you are using the latest version? We found an enormous amount of bugs fixed when we ran the more recent release versions.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5061t=5039
Re: Loopback interface for OSPF [7:4802]
At 01:16 AM 5/17/01 -0400, Vincent Chong wrote:

Hi; For OSPF implementation, an area can be configured in the Loopback interface. But what purpose, when should I do it? TIA Vincent Chong

Well, somewhat off topic, but the router id will lock on to the loopback address, which might stabilize the network more. However, I think you even wrote to the list an email about that so that probably is not what you are asking.

Now why would you want to advertise a loopback interface using OSPF or any IGP? To teach the IGP how to get there later on for redistribution into BGP. Basically only used if you need to use an AS as a transit AS. You have basically two choices. IBGP (full mesh) to the ASBRs of the transit AS. Or, you can redistribute the transit route through an IGP instead. They tend to use loopback interfaces to help the transit ASs achieve more stability to avoid flappage.

I am somewhat new on this, so if I am wrong, I will happily defer to someone with more experience, but this is my take on it from what I have read.

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=4836t=4802
Re: Anybody seen a live production network of Apollo, XNS, [7:4727]
At 02:21 PM 5/16/01 -0400, NRF wrote:

Has anybody here ever actually worked on (or even seen) a live and functioning Apollo, XNS, CLNS, and/or VINES network lately (like in the last year or so)? I'm not talking about some experimental lab, but a bona-fide network that is doing something useful for some organization somewhere. I am sure they are still out there somewhere, and I'm trying to get an idea of who might still be running these kinds of systems (some government organizations probably). Thanx

Unfortunately, yes. Some legacy machines from heck that did not go away. They are running ... Apollo. The IS department has wanted to terminate those boxes for ages, but the engineers using it insist it is the only thing they can use for the job. Real pain in the butt. We had to do native Apollo routing between two sites or GRE tunneling. I forgot which one we ended up doing. Fairly certain we did it natively. Fun stuff. :)

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=4727t=4727