RE: Nice to meet all of you. [7:73672]
and if you do happen upon a few neteng positions with Home Depot, be sure to let me know. I am assuming that would be based outta the HQ in Atlanta and would love to move there. I know you know absolutely nothing about me, but I promise I'm a great guy, and totally qualified, and modest and all that stuff...

Thanks
Charles D Hammonds, CCNP CCSA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rob Wideman
Sent: Thursday, August 07, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: Nice to meet all of you. [7:73672]

Hello everybody!

My name is Rob Wideman and I am a product of the Cisco Networking Academy as presented by Davenport University in Midland Michigan. I passed my CCNA and CCNP tests while working for a national big box retail store. Unfortunately, I am still working for Home Depot while looking for work in our field of choice. ( I am also A+ and Network+, thought I'd backfill a little to help get a position). My problem is that with very little actual OTJ experience, I have found that I am almost unhireable because I am overqualified and yet underqualified as well. Any suggestions?

Rob Wideman
CCNP, CCNA, A+, Network +
[EMAIL PROTECTED]

P.S. I love the theoretical problems that are occasionally posted.

**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73697t=73672
RE: Can block DHCP traffic at layer 2 switch? [7:73489]
only thing I would know to do at L2 is port security... just lock it down to pre-identified MACs to prevent users from throwing unauthorized boxes on the network.

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 6:23 PM
To: [EMAIL PROTECTED]
Subject: Can block DHCP traffic at layer 2 switch? [7:73489]

Dear All,

We have configured DHCP server at the CORE switch and this will assign the ip address to the client located at edge switch.

PC---edge switch-GE uplink---CORE---DHCP server

(The network is pure Layer 2 network)

But we are afraid that some end users will place their own DHCP server at the edge switch so it will interrupt the normal ip address assignment. Any method to block the unauthorized DHCP server?

TIA.
Lo Ching

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73491t=73489
RE: Sniffer Recommendation [7:72372]
span port is not a sniffer requirement, but one of the switch. switches send unicast/multicast traffic out only the ports that it is destined to. so, if you want to see anything other than straight broadcast traffic, span is required.

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nathan
Sent: Tuesday, July 15, 2003 9:33 PM
To: [EMAIL PROTECTED]
Subject: Sniffer Recommendation [7:72372]

I need a sniffer that doesn't require spanning a port. Any suggestions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72374t=72372
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Natting problem...help!!! [7:66111]
??? There is no IP in the payload of an icmp echo or echo-reply packet so what would NAT modify? I'm gonna hafta lab this up and see it in action I suppose. One good thing about working Sundays... plenty o' time to play ;)

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Roberts
Sent: Friday, March 28, 2003 2:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Natting problem...help!!! [7:66111]

I've never had to implement a dns change, but supposedly yes it does change the payload. there is only a few services where it does these payload changes though. another big one used to be ping, NATing modifies the payload of that also.

scott

Charles D Hammonds wrote in message news:[EMAIL PROTECTED]
> from the below link:
>
> Is that accurate??? The ip nat outside source command will translate the IP in the PAYLOAD of the DNS reply packet even though it is not the source??? doesn't sound right and I am unable to test it rite now...
>
> Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 1:06 AM
To: [EMAIL PROTECTED]
Subject: RE: Natting problem...help!!! [7:66111]

You could get around this by doing a two way nat, or as cisco calls it, nating for overlapping networks ..

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml

JP wrote:
> I have the following scenario
>
> 0---0--telnet application network3network 1 network 2 lan wan link
>
> I need all hosts on network 3 to telnet to my telnet application
>
> Problem is network 3 and network 2 both have the same ip range.
>
> My question is the following: Is there any way i can perform natting to allow network 3 hosts to telnet to the application and use an ip address other than the one assigned to the application as the destination address???
>
> Any ideas appreciated
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66521t=66111
RE: BGP Multihome 2 isp's [7:66137]
that would work, but I would get at least each provider's internal routes rather than just a default. and unless it's for financial reasons (i.e. billed per usage) I wouldn't prepend your AS on either link... just let the internet do its thing and choose the best path.

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J M
Sent: Tuesday, March 25, 2003 3:21 AM
To: [EMAIL PROTECTED]
Subject: BGP Multihome 2 isp's [7:66137]

we are multihomed to 2 isp's on 1 router

I only want to send the one network 62.154.91.0 and only want to receive the default 0.0.0.0

additionally i want to prepend our as 23484 outbound to 1 neighbor

does this work? is there a better way?

router bgp 23484
 no synchronization
 bgp log-neighbor-changes
 network 62.154.91.0 mask 255.255.255.0
 neighbor 146.223.74.37 remote-as 1239
 neighbor 146.223.74.37 distribute-list 20 in
 neighbor 146.223.74.37 distribute-list 10 out
 neighbor 162.206.236.69 remote-as 6128
 neighbor 162.206.236.69 distribute-list 20 in
 neighbor 162.206.236.69 distribute-list 10 out
 neighbor 162.206.236.69 route-map 6128 out
 no auto-summary
!
ip classless
no ip http server
ip http access-class 1
!
access-list 10 permit 62.154.91.0 0.0.0.255
access-list 20 permit 0.0.0.0 log
access-list 30 permit 62.154.91.0 0.0.0.255
route-map 6128 permit 30
 match ip address 30
 set as-path prepend 23484
!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66213t=66137
RE: Natting problem...help!!! [7:66111]
from the below link:

...The inside device cannot use the IP address of the outside device because it is the same as the address assigned to itself (the inside device). Therefore, the inside device will send a DNS query for the outside device's domain name. The inside device's IP address will be the source of this query, and that address will be translated to an address from the test-loop pool because the ip nat inside source list command is configured.

The DNS server replies to the address which came from the pool test-loop with the IP address associated with the outside device's domain name in the payload of the packet. The destination address of the reply packet is translated back to the inside device's address, and the address in the payload of the reply packet is then translated to an address from the pool test-dns because of the ip nat outside source list command. Therefore the inside device learns that the IP address for the outside device is one of the addresses from the test-dns pool, and it will use this address when communicating with the outside device. The router running NAT takes care of the translations at this point...

Is that accurate??? The ip nat outside source command will translate the IP in the PAYLOAD of the DNS reply packet even though it is not the source??? doesn't sound right and I am unable to test it rite now...

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 1:06 AM
To: [EMAIL PROTECTED]
Subject: RE: Natting problem...help!!! [7:66111]

You could get around this by doing a two way nat, or as cisco calls it, nating for overlapping networks ..

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f30.shtml

JP wrote:
> I have the following scenario
>
> 0---0--telnet application network3network 1 network 2 lan wan link
>
> I need all hosts on network 3 to telnet to my telnet application
>
> Problem is network 3 and network 2 both have the same ip range.
>
> My question is the following: Is there any way i can perform natting to allow network 3 hosts to telnet to the application and use an ip address other than the one assigned to the application as the destination address???
>
> Any ideas appreciated
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66215t=66111
RE: BGP Multihome 2 isp's [7:66137]
didn't even look at your config the first time 'round, but now that I do... if you're using distribute-lists, why match ip addr again in route-map 6128? remove the match clause and just set as-path prepend (if you must) since you only have the one route. then you can get rid of access-list 30

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Charles D Hammonds
Sent: Tuesday, March 25, 2003 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: BGP Multihome 2 isp's [7:66137]

that would work, but I would get at least each provider's internal routes rather than just a default. and unless it's for financial reasons (i.e. billed per usage) I wouldn't prepend your AS on either link... just let the internet do its thing and choose the best path.

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of J M
Sent: Tuesday, March 25, 2003 3:21 AM
To: [EMAIL PROTECTED]
Subject: BGP Multihome 2 isp's [7:66137]

we are multihomed to 2 isp's on 1 router

I only want to send the one network 62.154.91.0 and only want to receive the default 0.0.0.0

additionally i want to prepend our as 23484 outbound to 1 neighbor

does this work? is there a better way?

router bgp 23484
 no synchronization
 bgp log-neighbor-changes
 network 62.154.91.0 mask 255.255.255.0
 neighbor 146.223.74.37 remote-as 1239
 neighbor 146.223.74.37 distribute-list 20 in
 neighbor 146.223.74.37 distribute-list 10 out
 neighbor 162.206.236.69 remote-as 6128
 neighbor 162.206.236.69 distribute-list 20 in
 neighbor 162.206.236.69 distribute-list 10 out
 neighbor 162.206.236.69 route-map 6128 out
 no auto-summary
!
ip classless
no ip http server
ip http access-class 1
!
access-list 10 permit 62.154.91.0 0.0.0.255
access-list 20 permit 0.0.0.0 log
access-list 30 permit 62.154.91.0 0.0.0.255
route-map 6128 permit 30
 match ip address 30
 set as-path prepend 23484
!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66219t=66137
RE: RSP7000 fails to break. Can I clear NVRAM [7:65265]
sounds like you could be connected to the aux port instead of console??? those would be the symptoms anyway. If not, disregard...

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Nelson Herron
Sent: Wednesday, March 12, 2003 9:35 PM
To: [EMAIL PROTECTED]
Subject: RSP7000 fails to break. Can I clear NVRAM [7:65265]

I have an RSP7000 that fails to accept any of the break sequences from the Cisco site, i.e., TeraTerm (alt-b), HyperTerm (Ctrl-brk), and Break Emulation (1200 baud-spacebar). I reloaded the boot image, rearranged RAM. sh ver seems fine but it gives me a No password set error when I try to go into priv. exec mode. It does not show the boot sequence on the terminal console as it boots.

I got this thing used and didn't check it thoroughly for a month because I primarily needed the CI for another chassis. Now I need this one and I can't get in. Is there a safe way to clear NVRAM? Can that NVRAM chip be pulled safely? I've never tried this particular surgery before.

It's running a 12.1.3 early deployment image both for boot and for main IOS image. The Bootvar is set to this image for the Boot image and it doesn't seem to boot with a different image installed on the flash - I tried swapping flash from a different RSP7000. I haven't tried renaming my 12.2.7 flash to 12.1.3 yet, but that doesn't really seem to be the problem as it will boot, and I can access the regular unprivileged user command line.

What is most puzzling is that none of the boot sequence is echoed to the terminal session. Not a single character until Press Enter

Help!!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65273t=65265
RE: TTY Background Process - Cisco 3620 [7:64465]
Had this same issue on a 2511 not long ago. Called the TAC and they recommended clearing all of the lines even though none had connections. I cleared 1-16 to no avail, but when I cleared aux0 it immediately dropped from around 20% down to 0%.

HTH
Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Elizabeth McCord
Sent: Wednesday, March 05, 2003 6:00 AM
To: [EMAIL PROTECTED]
Subject: TTY Background Process - Cisco 3620 [7:64465]

Hi there,

Does anybody know what the TTY Background process does and what it is responsible for? Is it normal that such a process should take up 20% of the processing power on a Cisco 3620 which handles two 2M serial links alongside a LAN connection? (These links are not more than 30-40% loaded). Other such similar routers' TTY process are running at a consistent 0%.

Thanks in advance,
Liz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64571t=64465
RE: 10 half or 100 full [7:64482]
Never tried this, but I am assuming that if you attempt 100M across CAT3, you would see errors accumulate on the switch port at a pretty substantial rate??? If that is the case, I would initially set everything to auto-detect and watch the switch port statistics. After a little while, I would think it would be clear which were the problem ports. You could then go through and hard code them to 10-full and all other to 100-full on both ends. Easiest of course would be just to set everything to 10-full. Depends on need I suppose...

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of M.C. van den Bovenkamp
Sent: Wednesday, March 05, 2003 7:39 AM
To: [EMAIL PROTECTED]
Subject: Re: 10 half or 100 full [7:64482]

Mike Momb wrote:
> very well. My question is this, what has been this groups experience on how to set the ports for the maximum bandwidth. We are using a combination of Cat 5 Cat 3 cables. Any advice would be appreciated.

CAT3? Ouch. If you can't be *very* sure which cable run is what (CAT3 vs. CAT5), forcing everything to 10/Full is as good as it's going to get, because CAT3 won't support 100Mbps. Which also makes autonegotiation A Very Bad Idea, as that will happily negotiate 100Mbps over CAT3, even when it does what it's supposed to.

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64547t=64482
RE: Firewall blocked 224.0.0.2 [7:64236]
It's multicast for all routers. See http://www.iana.org/assignments/multicast-addresses

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 03, 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: RE: Firewall blocked 224.0.0.2 [7:64236]

Ask wrote:
> Dear all,
>
> Inbound ICMP packets send to my windows 2000 professional PC from the router. From the logfile, the local address is 224.0.0.2 and the remote address is the router. Why the PC get the packet ?

It's a multicast. All devices in the broadcast (multicast) domain will see these packets, unless you do some filtering or have a smart NIC that knows better than to pass a packet for which it has not registered up to the operating system. Many PC NICs aren't that smart.

I doubt it's ICMP. 224.0.0.2 is used by routing protocols.

Priscilla

> Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64306t=64236
RE: CiscoSecure Question [7:63941]
you should be able to just use the ip tacacs source-interface command to make sure the tacacs request always sources the same IP...

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mossburg, Geoff (MAN-Corporate)
Sent: Wednesday, February 26, 2003 8:21 PM
To: [EMAIL PROTECTED]
Subject: CiscoSecure Question [7:63941]

All,

Does anyone out there have experience with CiscoSecure? I could really use the help! I have over 50 routers that I'm setting up to access through TACACS, and I've been told that I have to make entries in CiscoSecure for every interface on every router to make sure that each router is TACACS accessible from anywhere in the network! Is this true???

Thanks!
Geoff Mossburg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63948t=63941
RE: Easy question [7:63002]
0x2102 or just - 40h

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Johnson, Richard (NY Int)
Sent: Thursday, February 13, 2003 8:22 PM
To: [EMAIL PROTECTED]
Subject: Easy question [7:63002]

Hi all,

Every time I boot my router, it asks if I want to configure my router. I know I have to type some sort of confreg line in. Can someone tell me which one so I can boot my router correctly, without having to reconfigure it each time.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63004t=63002
RE: Question? [7:61716]
I have not been able to perform password recovery via a modem connected directly to console. When the router reloads, you get disconnected and have to re-dial which by that time is too late to break. In my experience, I have had to dial up to a 2511 and connect to console of the problem router that way...

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Williams
Sent: Thursday, January 23, 2003 2:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Question? [7:61716]

Uh... if he could get into enable mode to issue a 'reload' command, he could just change the password and there wouldn't be any need to do a password recovery?!?!?

Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61753t=61716
RE: set IOS Command [7:55395]
try just set ?. without the /. you should be able to feel your way around from there...

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Trevor Chandler
Sent: Friday, October 11, 2002 11:23 AM
To: [EMAIL PROTECTED]
Subject: set IOS Command [7:55395]

Hello all,

Has anyone ever used the set command that is available in either the USER or PRIVILEGE modes? The brief description provided by the IOS is:

Set system parameter (not config)

The IOS doesn't provide any additional parameter information when I append the /?. I'm using an 804 router with IOS version 12.0(1)XB1.

Thanks in advance to all who respond.

Trevor C.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55525t=55395
RE: Access List Change [7:54901]
> The first 0.0.0.0 means all networks. The second 0.0.0.0 means all hosts.

Huh???

router1(config)#ip route ?
  A.B.C.D  Destination prefix

router1(config)#ip route 0.0.0.0 ?
  A.B.C.D  Destination prefix mask

while together, they could be construed as 'all networks' and 'all hosts' (in the absence of more specific routes), your statement would not be accurate as separately they are meaningless.

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Cotts
Sent: Friday, October 04, 2002 7:39 PM
To: [EMAIL PROTECTED]
Subject: RE: Access List Change [7:54901]

I just lost a major reply that I had composed due to a computer lockup. So shorter reply this time.

The static route that your European router has is correct as it is. It takes all traffic for which it doesn't have an explicit route and passes it out to the Internet. I'm assuming that the ip address 1.2.3.4 is a valid address of an interface on your European ISP's router. So all traffic to the Internet from your European office goes to their local European ISP.

Look at the syntax of a static route. Destination network, netmask to determine what bits identify the network, egress port. The first 0.0.0.0 means all networks. The second 0.0.0.0 means all hosts. 1.2.3.4 seems to be your European ISP.

ip route 0.0.0.0 0.0.0.0 1.2.3.4 is a good default route.

If you were to use 172.29.30.0 255.255.255.0 1.2.3.4 you would be telling your router to find its LAN network out on the Internet. The router knows better. It already has that network shown as directly connected. Do a show ip route to verify.

Your statement that However, it has been configured for all Europe internet traffic to be routed through U.S. office ... doesn't agree with the configuration. Access-list 100 would have to send all traffic over the VPN. It doesn't. To verify that, check the path that traffic to the Internet takes from your remote office. From the DOS Prompt of a European PC ping a web site such as Cisco. ping cisco.com. You should get a reply like 198.133.219.25. Again from the DOS Prompt do a tracert to that address. It should display the intermediate routers. I'll bet that traffic from Europe goes out that router to the local ISP.

No time to repeat my lost sermon on named access-lists.

Access-list 100 defines traffic that is allowed to traverse the VPN. Access-list 101 specifies that traffic bound for the VPN tunnel should not be NATed. All other traffic (to the ip nat outside interface (usually Internet)) should be NATed. For every permit statement in 100 there should be a corresponding deny in 101. 101 in addition then permits all other destinations.

Here's a tutorial on access-lists http://www.nwc.com/907/907ws1.html

Be extremely careful about changing access-lists in the European router. If you edit 100 you will take the VPN down. Not good if you are connected via that VPN. Telnet to the 217.x.x.x interface of the European router from your local router. Consider using the reload in command. I've mentioned it previously. Look it up in the Cisco documentation on www.cisco.com

The Firewall feature set can be used on a router with NAT and with VPNs. Not trivial. It would be good to remove the ip http server line.

Let us know your progress.

May I suggest that you purchase a few books. You may only need a small bit of it; but Routing TCP/IP Vol 1 by Jeff Doyle is a classic. Cisco Access Lists Field Guide by Held and Hundley is quite good. It's also all on CCO - you just have to find it. Start under Service and Support and go to the TAC page. Look under each major area. Drill down just to see what's there.

-----Original Message-----
From: CTM CTM [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 04, 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Access List Change [7:54901]

Hi,

The router was purchased along with the Cisco firewall software license. I figured to implement that? Otherwise I could put ISA on the server out there. The security concerns are duly noted, and I won't leave the office on public until addressed.

That being said; to get them to use their own internet portal direct I would do a:

ip route 172.29.30.0 255.255.255.0 1.2.3.4

and do a:

no ip route 0.0.0.0 0.0.0.0

is that correct?

BTW, and don't laugh, I put in that last route chasing down a CPU utilization issue. The router was typically at 34% utilization. Doing some research and I found that maybe packets to unclaimed addresses were looping between internal network and ISP, and that line would throw them in the bit bucket. So that was way out in left field wasn't it. I did solve the utilization issue; there was an unused ADSL module, when I had that pulled it went down to normal.

Chuck's Long Road wrote:
> just a quick comment or two. you are writing as if you need to do something on your routers other than change the gateway of last resort.
>
> ip route 0.0.0.0 0.0.0.0 goes where? without
RE: BGP announcing problem [7:54193]
remember - a BGP speaker will only advertise routes that it actually uses (i.e. that it propagates its own routing table with). So in this case, your peering router's routing table could be propagated with 50% sprint routes and 50% telia routes, so that if you block 1299, you only send the other 50% from telia to the customer.

You could try setting your bgp max-paths to '2'. This way your routing table should include all routes learned from both providers. Then your permit _1299_ route-map should work.

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of TMS
Sent: Wednesday, September 25, 2002 11:16 PM
To: [EMAIL PROTECTED]
Subject: BGP announcing problem [7:54193]

Hello

I have problem with BGP and announcing prefixes to one of my customers. I have two BGP connections to Tier-1 providers - Sprint and Telia (connected to separate routers). I have customer which wants full routing table from Telia. So I created filter-list : permit _1299_ which deny Sprint prefixes, but now my customer receives only 50% prefixes :-(

Is any solution for this problem ?

best regards,
Tommy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54201t=54193
RE: Erasing Flash system [7:54198]
delete flash:c1700-sv3y-mz.121-5.YB4

then squeeze

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Parameswaran S
Sent: Wednesday, September 25, 2002 11:42 PM
To: [EMAIL PROTECTED]
Subject: Erasing Flash system [7:54198]

Dear Group,

I need to delete on the flash file system in my 1700 series router and the sh flash output is

teynampet#sh flas
System flash directory:
File  Length   Name/status
  1   6756080  c1700-sv3y-mz.121-5.YB4
  2   7624104  c1700-sv3y-mz.122-8.T.bin
[14380312 bytes used, 19174120 available, 33554432 total]
32768K bytes of processor board System flash (Read/Write)

Actually 122-8.T.bin is the working one and the other one is not needed. How do i erase 121-5.YB4? Any advise is appreciated.

TIA,
Regards,
S.Parameswaran.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54206t=54198
RE: Input errors on catalyst 3548 [7:53957]
huh? not quite clear on how tftp relates to interface errors?

charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of AlLee
Sent: Tuesday, September 24, 2002 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Input errors on catalyst 3548 [7:53957]

When you use TFTP to download IOS image , please note , it is have a limitation!

Priscilla Oppenheimer wrote:
> Tunde Kalejaiye wrote:
>> what could be the cause of large input errors on a catalyst switch?
>
> The most likely cause is a duplex mismatch. Is it just on one port? What connects to that port? Could it be misconfigured or could the port be misconfigured for half/full duplex?
>
> What kind of errors are they?
> ___
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
>
>> regards,
>> Tunde

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54017t=53957
RE: Prefix-list VS Access-list [7:53582]
Prefix lists can permit annoucements in a range of netmasks. For example, the following prefix-list entry will permit announcements of 192.168.1.0/24, or any prefix within that. ip prefix-list example seq 5 permit 192.168.1.0/24 le 32 I don't believe there's a way to do that using access-lists. actually, i think that the following would do the same: access-list 101 permit ip 192.168.1.0 0.0.0.255 255.255.255.0 0.0.0.255 don't have any way of testing right now... anyone confirm/deny? Thanks, Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ian Henderson Sent: Wednesday, September 18, 2002 8:56 PM To: [EMAIL PROTECTED] Subject: Re: Prefix-list VS Access-list [7:53582] On Thu, 19 Sep 2002, JohnZ wrote: Can I use access-list to produce the same effect as prefix-list ? Any thoughts on which is a better way to use in redistribution over other. I am just trying to find which one I should stick with. Thanks ip prefix-list test seq 5 deny 199.172.4.0/24 ip prefix-list test seq 10 deny 199.172.6.0/24 ip prefix-list test seq 15 deny 199.172.8.0/24 ip prefix-list test 20 permit 0.0.0.0/0 le 32 Prefix lists can permit annoucements in a range of netmasks. For example, the following prefix-list entry will permit announcements of 192.168.1.0/24, or any prefix within that. ip prefix-list example seq 5 permit 192.168.1.0/24 le 32 I don't believe there's a way to do that using access-lists. The other major advantage is you can pull entries out of a sequence, and insert them without re-writing the entire prefix-list again. For example, 'no ip prefix-list example seq 10' will remove only sequence 10, rather than the entire prefix list. These two features however need to ba taken with a grain of salt. Firstly you may want explicit routing control rather than a blanket cover, and secondly configurations like this are usually built out of databases so you're not going to be manually inserting entries. Rgds, - I. 
--
Ian Henderson CCNA, CCNP
Senior Network Engineer, Chime Communications

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53600t=53582
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: which exam to appear after routing 640-603 [7:52770]
either switching or remote access unless you have completed those. The support exam is cumulative and will cover material from each of the other 3.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 05, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: which exam to appear after routing 640-603 [7:52770]

hi, i need to know which exam would be more appropriate to appear for after the routing exam towards the ccnp cert.

thanks,
jaffar

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52772t=52770
RE: Interface In/Out stats [7:52177]
Yes.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Keith Woodworth
Sent: Tuesday, August 27, 2002 4:43 PM
To: [EMAIL PROTECTED]
Subject: Interface In/Out stats [7:52177]

Small very simple question but need clarification w/regards to MRTG stuff. Have a 7206 connected to a 7202 via xover ethernet.

Used the above, when looking at the interface stats on the 7206 is the input rate the data coming into the interface from the 7202? And the output rate the data coming out of the 7206 to the 7202?

sh int from the 7206:

5 minute input rate 16514000 bits/sec, 3772 packets/sec
5 minute output rate 16281000 bits/sec, 3666 packets/sec

Thanks,
Keith

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52181t=52177
RE: TFTP Server [7:48763]
I really like PumpKIN found at: http://www.klever.net/kin/pumpkin.html

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 14, 2002 7:39 AM
To: [EMAIL PROTECTED]
Subject: TFTP Server [7:48763]

I have a cisco TFTP Server v 1.1, It is creating some problems with my XP Machine. Is there a better TFTP Server or is there a better Version Available.

Regards,
Muhammad Usman
Network Engineer
al Alamiah Electronics Co.
Network Section
www.alamiah.com.sa
Tel. : (+966-1) 477 0106
Fax. : (+966-2) 477 7629
Mob. : (+966-5) 301 4903
P.O. Box 5954, Riyadh 11432
Kingdom of Saudi Arabia.
~~The End-to-End Networkers~~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48787t=48763
RE: OSPF problem [7:48463]
It is always best practice to use area 0 if it is the only area. If you have more than one area configured either one of them *must* be area 0 or there must be a virtual link to area 0.

See the following for your particular error: http://www.cisco.com/warp/public/104/19.html#1

Google is your friend ;)

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Williams
Sent: Tuesday, July 09, 2002 9:37 PM
To: [EMAIL PROTECTED]
Subject: RE: OSPF problem [7:48463]

Lemme take a stab at this one. I don't run OSPF where I work, but I'd like to keep my chops up to date =)

In OSPF, you need to have an Area 0. If there are 2 routers only in your network, and only one area, it needs to be Area 0. If there is only 1 Area in your network, there is no need for it to be anything other than Area 0. Since every Area must touch Area 0, it seems to me there is something in the IOS that looks for at least one interface to be in Area 0 or at least in a virtual link to Area 0. Change your areas on your routers to Area 0 and see if you have the same problem

(OSPF gurus, please correct me as, again, I'm just taking a stab and would like to keep my OSPF up to date)

(Now that I'm thinking about it, you could have a router that is totally within a certain Area that's not an ASBR or ABR, so now it's possible that there could be interfaces not in Area 0... so at this point, my whole post is moot. too many rum and cokes =) OSPF gurus, please advise =)

Thanks!
Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48471t=48463
RE: Passive FTP [7:48357]
did you also allow port 22 (ftp data) on your PIX???

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Simer Mayo
Sent: Monday, July 08, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: Passive FTP [7:48357]

The users are on the inside interface behind the PIX firewall and are trying to make a pftp connection to the outside world. They are being authenticated from the outside server but then the section hangs trying to do a list command. The fixup protocol port 21 is enabled on PIX and there is no explicit outbound restriction from the inside interface. The outside server is using port range 4-40020 for passive FTP. I tried enabling this range on the fixup protocol too but it didn't work.

Please advise

Thanks much
SM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48359t=48357
RE: Class C summarization question [7:48367]
16 is the correct answer.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Deutschman
Sent: Monday, July 08, 2002 7:51 PM
To: [EMAIL PROTECTED]
Subject: Class C summarization question [7:48367]

I'm confused about a practice question for BSCN that I came across:

Your routing tables are getting very large and you need to configure route summarization. How many class C internet addresses can you summarize with a /20 CIDR block?

Answer: 8

Would it not be 16? Where am I going wrong?

--
Dain Deutschman CNA, MCP, CCNA
Data Communications Manager
New Star Sales and Service, Inc.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48369t=48367
RE: Cisco Router as a terminal server [7:48077]
depends on the device type that you are connecting to, but this works for cisco routers:

modem Host
terminal-type vt100
transport input all
stopbits 1

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michalis Palis
Sent: Wednesday, July 03, 2002 11:34 PM
To: [EMAIL PROTECTED]
Subject: Cisco Router as a terminal server [7:48077]

Hello all

I am trying to configure a Cisco 2511 router as a terminal server in order to connect via the tty ports to the console ports of my core routers. I followed all the steps that are described on the Cisco Web site but whenever I do reverse telnet, I get the message connection refused by remote host.

Any suggestion or a sample working config will be appreciated

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48080t=48077
RE: Neighbor distribute-list command w/ Extended ACL [7:47272]
These examples are the same except for the prefix length of the permit statement:

access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

in each, only a single route (/16 in 1st eg and /24 in 2nd eg) is being permitted and all other VLSM subnets under the /16 are being denied. Since the wildcard mask bits in the second octets are set to 1, any subnet/mask combo under the /16 will match and be denied. I don't have any sort of training experience so perhaps someone can break it down better???

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Hunt Lee
Sent: Thursday, June 27, 2002 6:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Neighbor distribute-list command w/ Extended ACL [7:47272]

Hello Charles,

Sorry to do this to you, but I still have one more e.g. that I'm not too sure (I found this on CCO) :(

access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0

In this line, I understand that since the wildcard mask for both network mask are 0.0.0.0, it means that it will permit only 131.108.0.0 /24

access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

And in this line which is what I'm confused abt, I thought that on network, it will deny 131.108.0.1 to 131.108.255.254, while the prefix being deny is between /16 - /32. However, Cisco CCO said it will permit route 131.108.0/24 (which I understand), ... but deny 131.108/16 and all other subnets of 131.108.0.0

Thanks for your help again.

Best Regards,
Hunt Lee

Charles D Hammonds wrote in message news:[EMAIL PROTECTED]...

Hunt-

access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

Remember that the wildcard mask is used to define which bits of the network and mask fields to ignore. These bits are set to '1'.
So, in this example, the last 2 octets in both the src(network) and dest(mask) fields are ignored as all the bits in these octets are set to 1. Only the first 2 octets are compared so that any subnet/mask combo beneath the /16 will be denied. Hope this helps.

Regards,
Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Hunt Lee
Sent: Tuesday, June 25, 2002 4:58 PM
To: [EMAIL PROTECTED]
Subject: Re: Neighbor distribute-list command w/ Extended ACL [7:47272]

Hi Charles,

Thanks so much for your explanation. I understand your first eg., but I'm still confused how you get to the answer to the 2nd e.g., can you please elaborate a bit more on the steps for the 2nd e.g.??

Thanks for your help again.

Best Regards,
Hunt Lee

Charles D Hammonds wrote in message news:[EMAIL PROTECTED]...

The statement

access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0

could also be re-written as:

access-list 100 permit ip host 192.108.0.0 host 255.255.0.0

which means that only the aggregate /16 will be accepted. The second statement:

access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

denies the VLSM networks under the /16.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Deutschman
Sent: Sunday, June 23, 2002 9:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Neighbor distribute-list command w/ Extended ACL [7:47272]

It's kind of weird. The source portion of the access list defines the network whose updates are permitted/denied...no surprise...the weird part is that the destination portion specifies the subnet mask of that network.
So, in your example;

access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
( 192.108.0.0 [wildcard] 0.0.0.0 [subnet mask] 255.255.0.0 [wildcard] 0.0.0.0)
( 192.108.0.0/16 will be advertised )

Maybe someone else can jump in...because the wildcard is 0.0.0.0 does it mean that any other VLSM networks under the 192.108.0.0/16 supernet would also be advertised?

access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
( 192.108.0.0 [wildcard] 0.0.255.255 [ subnet mask ] 255.255.0.0 [wildcard ] 0.0.255.255)
(192.108.0.0/16 would be denied...the last two octets are ignored )

I'm new to all this and learning it myself...so please...someone correct me if I am wrong or add to my comments.

Thanks.
Dain.

Hunt Lee wrote in message news:[EMAIL PROTECTED]...

Hi all,

Can anyone please explain this to me?? I have read some examples regarding neighbor x.x.x.x distribute-list in | out using extended Access-List from CCO, Internet Routing Arch (by Halabi) BGP 4 Command Reference (by Parkhurst), yet I'm still very confused.

Below is one of them

neighbor 120.23.4.1 dis
RE: Neighbor distribute-list command w/ Extended ACL [7:47272]
The statement

access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0

could also be re-written as:

access-list 100 permit ip host 192.108.0.0 host 255.255.0.0

which means that only the aggregate /16 will be accepted. The second statement:

access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

denies the VLSM networks under the /16.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dain Deutschman
Sent: Sunday, June 23, 2002 9:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Neighbor distribute-list command w/ Extended ACL [7:47272]

It's kind of weird. The source portion of the access list defines the network whose updates are permitted/denied...no surprise...the weird part is that the destination portion specifies the subnet mask of that network.

So, in your example;

access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
( 192.108.0.0 [wildcard] 0.0.0.0 [subnet mask] 255.255.0.0 [wildcard] 0.0.0.0)
( 192.108.0.0/16 will be advertised )

Maybe someone else can jump in...because the wildcard is 0.0.0.0 does it mean that any other VLSM networks under the 192.108.0.0/16 supernet would also be advertised?

access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
( 192.108.0.0 [wildcard] 0.0.255.255 [ subnet mask ] 255.255.0.0 [wildcard ] 0.0.255.255)
(192.108.0.0/16 would be denied...the last two octets are ignored )

I'm new to all this and learning it myself...so please...someone correct me if I am wrong or add to my comments.

Thanks.
Dain.

Hunt Lee wrote in message news:[EMAIL PROTECTED]...

Hi all,

Can anyone please explain this to me?? I have read some examples regarding neighbor x.x.x.x distribute-list in | out using extended Access-List from CCO, Internet Routing Arch (by Halabi) BGP 4 Command Reference (by Parkhurst), yet I'm still very confused.
Below is one of them

neighbor 120.23.4.1 distribute-list 100 in

access-list 100 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 100 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

How do you read these things?? Any help will be greatly appreciated.

Thanks,
Hunt

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47335t=47272
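The ACLs quoted in this thread, and the single-line ACL proposed in the "Prefix-list VS Access-list" thread above, evaluated in an added Python example (not code from any poster or from Cisco). It assumes the route-filter reading given in the thread, where the ACL source field and wildcard are compared with the route's network address and the destination field and wildcard with its mask; acl_filter, prefix_list_permits and disagreements are hypothetical names, and the test routes outside 192.168.1.0/24 are constructed.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def acl_filter(acl, route):
    """Assumed route-filter semantics (as read in the thread): the ACL source
    field/wildcard is compared with the route's network address, the
    destination field/wildcard with its mask. First match wins; a route that
    matches no entry hits the implicit deny."""
    net = ipaddress.IPv4Network(route)
    network, mask = int(net.network_address), int(net.netmask)
    for action, src, src_wc, dst, dst_wc in acl:
        care_net = ~to_int(src_wc) & 0xFFFFFFFF    # wildcard bit 1 = ignore
        care_mask = ~to_int(dst_wc) & 0xFFFFFFFF
        if ((network & care_net) == (to_int(src) & care_net)
                and (mask & care_mask) == (to_int(dst) & care_mask)):
            return action
    return "deny"

def prefix_list_permits(prefix, le, route):
    """Single entry 'permit <prefix> le <le>': the route must lie inside
    <prefix> and its length must be between the prefix length and <le>."""
    base, net = ipaddress.IPv4Network(prefix), ipaddress.IPv4Network(route)
    return net.subnet_of(base) and base.prefixlen <= net.prefixlen <= le

# ACL entries copied from the thread posts.
ACL_100 = [("permit", "192.108.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0"),
           ("deny", "192.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255")]
ACL_101 = [("permit", "131.108.0.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
           ("deny", "131.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255")]
# The single-line ACL proposed as an equivalent of '192.168.1.0/24 le 32'.
ACL_RANGE = [("permit", "192.168.1.0", "0.0.0.255", "255.255.255.0", "0.0.0.255")]

def disagreements():
    """Routes on which ACL_RANGE and the prefix-list entry decide differently."""
    base = ipaddress.IPv4Network("192.168.1.0/24")
    routes = [str(s) for n in range(24, 33) for s in base.subnets(new_prefix=n)]
    routes += ["192.168.0.0/23", "192.168.2.0/24", "192.168.0.0/16"]  # constructed
    return [r for r in routes
            if (acl_filter(ACL_RANGE, r) == "permit")
            != prefix_list_permits("192.168.1.0/24", 32, r)]

if __name__ == "__main__":
    for acl, route in [(ACL_100, "192.108.0.0/16"), (ACL_100, "192.108.4.0/24"),
                       (ACL_101, "131.108.0.0/24"), (ACL_101, "131.108.0.0/16")]:
        print(route, acl_filter(acl, route))
    print("disagreements:", disagreements())
```

The comparison covers every subnet of 192.168.1.0/24 from /24 to /32 plus three routes outside it; it says nothing about routes beyond that set.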
RE: Disable consolep port. [7:46104]
Not sure why you would want to disable console in the first place, but... I tried no password and that doesn't work... the access-list definitely won't work as console is for out-of-band access. I don't see any way of disabling console. You can tweak bits 11 and 12 of the config register to change the line baud rate from default of 9600. There are only 4 possible settings though...

If you're concerned about someone gaining physical access to the router then you have physical security issues...find a dead-bolt and lock it ;)

Charles, CCNP

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 08, 2002 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: Disable consolep port. [7:46104]

Hi,

Well as Jarred said no password will disable the password if set on the console. My idea of doing this is set a standard access list to access the console Deny any any command. I think this should not allow anybody to access the console with any IP address.

Hope this will help you

Murali Sunil CCNP
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46144t=46104