FCS Errors between 2 5500's [7:64180]

2003-03-01 Thread Chuck Church
Elijah,

What kind of GBICs are you using?  If they're LX and MM fiber, are you
using mode-conditioning cables?

Chuck Church
CCIE #8776, MCNE, MCSE


From: Elijah Savage [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 8:27 AM
To: [EMAIL PROTECTED]
Subject: FCS Errors between 2 5500's [7:64072]


All,

Last night I had to shut down a gig fiber trunk between 2 5500's to run
on a 100M trunk we set up as a backup. The FCS errors are only showing up
on one side. The fiber between the 2 cats was replaced, but the errors
are still showing up. On which side would you all say you would replace
the fiber daughter card: the one with the errors or the side without the
errors?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64180t=64180
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


OT: CCIE Self-Employment [7:62367]

2003-02-03 Thread Chuck Church
Yes.  Money will depend on your skill level with both Cisco and other
products as well, such as Unix, NW, MS, etc.  It could be $30/hour, could be
$100.  Location is probably almost as important.  NYC pays pretty well, but
it costs $50 to park a car for 4 hours!  The thing about consulting like
this is you need to be a salesperson at times.  Personally, I hate salespeople,
and therefore don't make a good one myself.  There's also more
responsibility, as far as finding your own insurance, paying taxes, etc.  If
you can find a headhunter who will place you as a 1099 employee, that's
usually pretty good, but I haven't heard from my headhunter in months
:(  I was on an indefinite project for a year, but that ended when they
outsourced.  Since then it's all been small projects, mostly complicated
installs involving layer 3 switching.  It's a tough market, and getting a
name for yourself can be difficult.  Personally, I'm looking for a full time
position now.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: Jay Greenberg 
To: ; 
Sent: Monday, February 03, 2003 12:14 PM
Subject: CCIE Self-Employment


 Any CCIEs on the list in business for themselves?  What's the money
 like, what sort of companies do you work for?  Do you do short-term or
 long term contracts?  Hourly work?

 Thanks,

 --
 Jason Greenberg, CCIE #11021




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62367t=62367



Re: L3 Switching Swtich/Router Comparsion [7:62273]

2003-01-31 Thread Chuck Church
I got into this discussion kind of late, but here's my take:

Functionally, you can configure either to do what you want.  But a 1 armed
router has a couple major limitations that a layer 3 switch doesn't.  A
layer 3 switch has ASICs (application specific integrated chip/circuit) that
can perform MAC re-writes, RIB/FIB lookups, rate-limiting, QOS, and ACL at
wire speed without bothering the CPU of the device.  A 1 armed router needs
to use the CPU for some of these functions, and will quickly become a
bottleneck after a certain level of traffic is passing through.  Also, a 1
armed router is limited by its 1 arm :)  That link will be limited to 100
mb/sec (unless you move up to a 72xx or higher router, where gig is
possible).  So for instance if you're copying a large file between VLANs,
it'd be pretty easy to use up all the bandwidth of that 100 mbit full duplex
link, even if the CPU wasn't working hard on the 1 armed router.  Moving to
a layer 3 switch typically bumps that layer 3 device to layer 2 backplane a
multi-gigabit speed connection.  So if your traffic between vlans will ever
exceed 100 mbit, you can either shell out huge bucks for a 72xx, or get a
real QOS-friendly 3550 that is both faster and cheaper.  Of course if you
need WAN modules in the device that's another story.  I was sent this chart
a while ago listing speeds of various routers and switches:

 Router Performance Specs

 Router Switching Performance - Performance based on 64 Byte packets

 Platform                  Process         Fast              Fast
                         Switching    Switching         Switching
                                          (PPS)            (Mb/S)
 ----------------------------------------------------------------
 1400                          600        4,000         2,048,000
 1600                          600        4,000         2,048,000
 1700                        1,500        8,400         4,300,800
 2500                          800        4,400         2,252,800
 261X                        1,500       15,000         7,680,000
 262X                        1,500       25,000        12,800,000
 265X                        2,000       37,000        18,944,000
 3620                        2,000       40,000        20,480,000
 3640                        4,000       80,000        40,960,000
 3660                       12,000      120,000        61,440,000
 MC3810                      2,000       10,000         5,120,000
 4000                        1,800       14,000         7,168,000
 4500                        5,000       40,000        20,480,000
 4700                        7,000       50,000        25,600,000
 7120                       13,000      175,000        89,600,000
 7140                       20,000      300,000       153,600,000
 7200-NPE100                 7,000      100,000        51,200,000
 7200-NPE150                10,000      150,000        76,800,000
 7200-NPE175                 9,000      175,000        89,600,000
 7200-NPE200                13,000      200,000       102,400,000
 7200-NPE225                13,000      225,000       115,200,000
 7200-NPE300                20,000      300,000       153,600,000
 7200-NPE400                20,000      400,000       204,800,000
 7200-NSE-1                 20,000      300,000       153,600,000
 uBR-NPE150                 10,000      100,000        51,200,000
 uBR-NPE200                 13,000      150,000        76,800,000
 7000-RP                     2,500       30,000        15,360,000
 7500-RSP2                   5,000      220,000       112,640,000
 7500-RSP4                   8,000      345,000       176,640,000
 7500-RSP8                  22,000      470,000       240,640,000
 Cat 2948G-L3                  N/A   10,000,000     5,120,000,000
 Cat 4908G-L3                  N/A   12,000,000     6,144,000,000
 Cat 4232-L3                   N/A    6,000,000     3,072,000,000
 Cat -RSM                   14,000      175,000        89,600,000
 Catalyst-RSFC                          170,000        87,040,000
 Catalyst-RSFC/NFFCII                 2,000,000     1,024,000,000
 Catalyst-MSFC (IP,IPX)              15,000,000     7,680,000,000
 Catalyst-MSFC (Other)                  170,000        87,040,000
 Catalyst-MSFC2 (IP,IPX)             15,000,000     7,680,000,000
 Catalyst-MSFC2 (Other)                 680,000       348,160,000
 Catalyst-MSFC (X-bar)               30,000,000    15,360,000,000

 NOTE: VIP2 Distributed Switching significantly increases
 the performance on RSP platforms.


Chuck Church
CCIE #8776, MCNE, MCSE



Please advise if there are any differences in the functionalities etc. if I
use

1) a L3 switch for routing between VLANs,
2) a L2 switch followed by a router for routing between VLANs.

1) define functionality

2) define difference




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62273t=62273



Re: Buffer tuning [7:60647]

2003-01-08 Thread Chuck Church
I assume you're running in Hybrid mode (IOS on MSFC, CatOS on Sup).  12.1.9
to 12.1.11 had that problem.  Not exactly sure about the versions, but I
know it's fixed in 12.1.13.  The medium buffer category will disappear after
the upgrade, and the normal small, middle, etc will have few, if any,
misses.

Chuck Church
CCIE #8776, MCNE, MCSE

Date: Wed, 8 Jan 2003 13:13:13 GMT
From: [EMAIL PROTECTED] 
Subject: Re: Buffer Tuning [7:60526]

Any thoughts on that?


==
Is it possible to tune the medium buffer?

I did find how to tune the middle buffer on the Cisco pages, but nothing
about medium buffer.  Also, I do not have that option on the 6509 MSFC.

The number of failures is very high, and that is why I want to tune it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60647t=60647



Subject: Re: question - how many commands are there [7:60086]

2003-01-01 Thread Chuck Church
I just received my 12.2 complete doc set the other day.  123 lbs in all, must
have been about 30 to 35 books, in a box the size of a Cat4006.  The command
references are just the right size for curls :)


Chuck Church
CCIE #8776, MCNE, MCSE



Date: Wed, 1 Jan 2003 14:37:04 GMT
From: Howard C. Berkowitz 
Subject: Re: question - how many commands are there [7:60051]



As a vague context, I weighed the 9.x command reference on my kitchen
scale, and it was four ounces or so.  10.x was about ten ounces.
11.x slammed the pointer beyond the limit with a loud thump.

I have not repeated the experiment with 12.x. When I want to lift
that much, I use barbells.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60086t=60086



Re:Laying Cable Accross the Pond [7:59994]

2002-12-30 Thread Chuck Church
Travis,

I've often wondered the same thing.  I dug this up on google.  Amazingly
it dates back to the 1890s!
http://www.atlantic-cable.com/

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59994t=59994



Re: problem with initiating PPTP connection behind [7:59663]

2002-12-21 Thread Chuck Church
Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec.  Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC, same
port.  At one time I thought it needed GRE, but I don't see it listed on
that doc.  HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: Neil Moore 
To: eric nguyen ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


 Its all broken... I will give you 500 bux for that pix ..no problem!
 
 Neil Moore CCIE#10044
 - Original Message -
 From: eric nguyen 
 To: ; 
 Sent: Friday, December 20, 2002 4:47 PM
 Subject: problem with initiating PPTP connection behind a Pix Firewall via
 PAT


  I just replace my home linux iptables firewall with a franken pix
  firewall (700MHz CPU/512MB RAM/16MBFlash) running version 6.2(2) with
  PDM 2.1(1).  My internal network is 172.16.1.0/24 with the inside
  interface of the firewall is 172.16.1.254.  The outside interface of the
  firewall is 4.64.1.100.  I also have a dmz 172.17.1.0/24 network with
  the Pix interface IP of 172.17.1.254.  Machines on both the inside and
  dmz access the Internet via Port Address Translation (PAT) to the
  outside interface and it seems to work OK.  On the inside network, I
  have a Websense filter server (IP 172.16.1.2) to do url filtering for
  both the inside and outside interface.  I use Websense server to filter
  out traffics that I don't want my children to see.  Everything is
  working great with a minor exception:

  I need to make a PPTP connection from a laptop on the inside network (IP
  172.16.1.100) to a PPTP server at my work place.  The problem is that
  the connection keeps timing out.  The connection time out at the verify
  username and password.  To make sure that this is not a problem with my
  laptop, I hook my laptop directly to the cable modem (I have
  roadrunner).  Since my laptop has a valid external IP address, PPTP
  works.  If I place the laptop on the inside network behind the franken
  pix, PPTP doesn't work. I even make the firewall wide-open for both
  inbound and outbound and it still doesn't work.  Now if I replace the
  franken pix firewall with a linux firewall, PPTP works just fine through
  IP masquerading which is equivalent to PAT.

  My question is this:  has anyone been able to successfully initiate a
  PPTP from behind a Pix firewall via Port Address Translation (PAT)?
  Does it even work at all with PAT?  I am starting to have serious doubt
  with Cisco Pix firewall.  It costs me $500 to build this franken pix
  firewall.  With the CPU, memory and flash, this franken pix is
  equivalent to a Cisco Pix525 (minus the Gigabit Interface) and it can
  not even do a simple thing like allowing PPTP through PAT.  My linux
  firewall is running on a Pentium 90Mhz with 64MB of RAM and PPTP works
  just fine, and it costs me $20 for that old system.

  I think PPTP will work with static NAT but I don't have an extra public
  IP to spare.

  If anyone has PPTP works through PAT, please reply.  Thanks.

  Eric.
 
  Here is my Pix configuration

  HERNDON-PIX# wr t
  Building configuration...
  : Saved
  :
  PIX Version 6.2(2)
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif ethernet2 dmz security99
  nameif ethernet3 dmz2 security98
  enable password * encrypted
  passwd * encrypted
  hostname HOME-PIX
  domain-name home.com
  clock timezone est -5
  clock summer-time est date Apr 6 2002 19:00 Oct 26 2002 19:00
  fixup protocol ftp 21
  fixup protocol http 80
  fixup protocol h323 h225 1720
  fixup protocol h323 ras 1718-1719
  fixup protocol ils 389
  fixup protocol rsh 514
  fixup protocol rtsp 554
  fixup protocol smtp 25
  fixup protocol sqlnet 1521
  fixup protocol sip 5060
  fixup protocol skinny 2000
  names
  access-list compiled
  access-list 100 permit icmp any any
  access-list 100 permit ip any any
  access-list 100 permit gre any any
  access-list 101 permit ip any any
  access-list 101 permit icmp any any
  access-list 101 permit gre any any
  access-list 200 permit ip any any
  access-list 200 permit icmp any any
  access-list 200 permit gre any any
  pager lines 24
  logging on
  logging timestamp
  logging monitor debugging
  logging trap notifications
  logging facility 23
  logging queue 1024
  logging host inside 172.16.1.2
  interface ethernet0 auto
  interface ethernet1 100full
  interface ethernet2 100full
  interface ethernet3 100full shutdown
  mtu outside 1500
  mtu inside 1500
  mtu dmz 1500
  mtu dmz2 1500
  ip

Re: problem with initiating PPTP connection behind [7:59673]

2002-12-21 Thread Chuck Church
You know, IPSec is far more secure than PPTP, especially if you're dealing
with an MS PPTP server.  Sounds like you need a PIX at work...

Chuck Church
CCIE #8776, MCNE, MCSE


  - Original Message -
  From: eric nguyen
  To: [EMAIL PROTECTED] ; 'Chuck Church' ; [EMAIL PROTECTED] ;
[EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 10:27 PM
  Subject: RE: problem with initiating PPTP connection behind a Pix Firewall
via PAT


  Thanks for the info.

  This absolutely sucks.  I am sure there are many folks out there with
  broadband connection like myself, cable modem or DSL, that has only one
  external IP address.  Those folks might be using Cisco Pix501, Pix506 or
  Pix506E for their home firewall.  I am sure they need to connect to
  their corporate network via PPTP just like myself. Now I have no choice
  but to switch back to my Linux firewall. Pix firewall, what a piece of
  shit.  For an expensive product like that, you would think that Cisco
  makes an effort to make PPTP work via PAT.

  Enough of me venting off my frustration.  Thanks everyone for your help.

  Eric

   Raymond Jett (rajett)  wrote:

Hmmm To quote cisco.com...

PPTP through the PIX with Port Address Translation (PAT) does not work
because there is no concept of ports in GRE.

That was from:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configura
tion_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT...

Although, interestingly enough... You can do it with IOS:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_e
xample09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
eric nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: problem with initiating PPTP connection behind a Pix
Firewall via PAT

Chuck,

I did try the following:

static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside

it still doesn't work. The example you provided has to do with Cisco IOS.
Pix is not the same as Cisco IOS even though it comes from the same
company. This is really frustrating. I feel like I am being ripped-off by
Cisco Pix firewall (even though I am running a clone, there is no way in
hell that Cisco will support it). It is really amazing that an expensive
product like this one doesn't support PPTP with PAT (to my knowledge).
Even Linux firewall supports PPTP over PAT. I feel like I am hitting a
brick wall here. Please help.

Eric

Chuck Church wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same port. At one time I thought it needed GRE, but I don't see it
listed on that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE



Re: problem with initiating PPTP connection behind [7:59672]

2002-12-21 Thread Chuck Church
Eric,

I just checked it with an ACL.  GRE is used incoming from a PPTP server,
at least from my work PIX it does.  But the trick is getting the incoming GRE
(with a destination of your PATing PIX) to the client inside.  Can you try
putting a 1-to-1 static from the PIX address pointing to the inside client?
I don't have a PIX here to try it.  I think anything then without a
translation will be sent to your inside client.  But it's not really the
PIX's fault.  What you're trying to do is PAT a protocol that for the most
part is incompatible with it.  Give it a shot.

Chuck Church
CCIE #8776, MCNE, MCSE


  - Original Message -
  From: eric nguyen
  To: Chuck Church ; [EMAIL PROTECTED] ; [EMAIL PROTECTED]
  Sent: Friday, December 20, 2002 9:59 PM
  Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


  Chuck,

  I did try the following:

  static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
  access-list 100 permit ip any any
  access-list 100 permit gre any any
  access-list 100 permit icmp any any
  access-group 100 in interface outside

  it still doesn't work.  The example you provided has to do with Cisco
  IOS.  Pix is not the same as Cisco IOS even though it comes from the
  same company.  This is really frustrating. I feel like I am being
  ripped-off by Cisco Pix firewall (even though I am running a clone,
  there is no way in hell that Cisco will support it).  It is really
  amazing that an expensive product like this one doesn't support PPTP
  with PAT (to my knowledge).  Even Linux firewall supports PPTP over PAT.
  I feel like I am hitting a brick wall here.  Please help.

  Eric

   Chuck Church  wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC,
same port. At one time I thought it needed GRE, but I don't see it listed
on that doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


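
Added example, not part of any post in this thread: a small Python model of the point made in the two PPTP replies above (the quoted Cisco note that GRE has no concept of ports, and the problem of getting inbound GRE to the inside client). `PortPat` and `CallIdPat` are hypothetical simplified models, not PIX or Linux code; the packets, Call ID 0x4001 and source port 1045 are constructed, and the header layouts follow RFC 2637.

```python
"""Added illustration (not from the thread): port-keyed PAT versus a PAT
that keys inbound GRE on the RFC 2637 Call ID. Packets are constructed."""
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_PORT, PPTP_MAGIC = 1723, 0x1A2B3C4D
OUTGOING_CALL_REQUEST = 7      # PPTP control message type
GRE_PROTO_PPP = 0x880B         # protocol type in PPTP's enhanced GRE


def parse_enhanced_gre(payload):
    """Parse the fixed 8 bytes of an enhanced GRE (version 1) header."""
    if len(payload) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", payload[:8])
    if (ver & 0x07) != 1 or proto != GRE_PROTO_PPP or not (flags & 0x20):
        raise ValueError("not PPTP enhanced GRE")
    return {"call_id": call_id, "payload_len": plen,
            "has_seq": bool(flags & 0x10), "has_ack": bool(ver & 0x80)}


def parse_outgoing_call_request(tcp_payload):
    """Return the Call ID a client announces on the TCP 1723 channel."""
    if len(tcp_payload) < 14:
        raise ValueError("truncated PPTP control message")
    _len, msg_type, magic, ctrl, _rsvd, call_id = struct.unpack(
        "!HHIHHH", tcp_payload[:14])
    if magic != PPTP_MAGIC or msg_type != 1 or ctrl != OUTGOING_CALL_REQUEST:
        raise ValueError("not an Outgoing-Call-Request")
    return call_id


class PortPat:
    """Plain PAT: every translation is keyed on (protocol, outside port)."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.next_port = 1024
        self.by_port = {}      # (proto, outside_port) -> (inside_ip, port)

    def outbound(self, proto, src_ip, src_port, dst_port, payload=b""):
        if src_port is None:
            return None        # GRE: no port, so no translation slot
        out_port, self.next_port = self.next_port, self.next_port + 1
        self.by_port[(proto, out_port)] = (src_ip, src_port)
        return (self.outside_ip, out_port)

    def inbound(self, proto, dst_port, payload=b""):
        # Inbound GRE arrives with dst_port=None and never matches.
        return self.by_port.get((proto, dst_port))


class CallIdPat(PortPat):
    """PAT plus a PPTP helper that learns Call IDs on the control channel.
    Model limitation: two inside hosts using the same Call ID collide."""

    def __init__(self, outside_ip):
        super().__init__(outside_ip)
        self.by_call_id = {}   # call_id -> inside_ip

    def outbound(self, proto, src_ip, src_port, dst_port, payload=b""):
        if proto == IPPROTO_TCP and dst_port == PPTP_PORT and payload:
            try:
                self.by_call_id[parse_outgoing_call_request(payload)] = src_ip
            except ValueError:
                pass           # some other control message
        return super().outbound(proto, src_ip, src_port, dst_port, payload)

    def inbound(self, proto, dst_port, payload=b""):
        if proto != IPPROTO_GRE:
            return super().inbound(proto, dst_port, payload)
        try:
            call_id = parse_enhanced_gre(payload)["call_id"]
        except ValueError:
            return None
        inside = self.by_call_id.get(call_id)
        return (inside, None) if inside else None


def demo():
    client, outside = "172.16.1.100", "4.64.1.100"   # addresses from the thread
    call_id = 0x4001                                   # constructed value
    ctrl = struct.pack("!HHIHHH", 168, 1, PPTP_MAGIC,
                       OUTGOING_CALL_REQUEST, 0, call_id).ljust(168, b"\0")
    # Server-to-client GRE: K and S bits set, sequence 1, 4-byte PPP payload.
    gre = (struct.pack("!BBHHH", 0x30, 0x01, GRE_PROTO_PPP, 4, call_id)
           + struct.pack("!I", 1) + b"\xff\x03\xc0\x21")
    results = {}
    for name, nat in (("port_pat", PortPat(outside)),
                      ("call_id_pat", CallIdPat(outside))):
        _, port = nat.outbound(IPPROTO_TCP, client, 1045, PPTP_PORT, ctrl)
        results[name] = {"tcp_reply": nat.inbound(IPPROTO_TCP, port),
                         "gre_reply": nat.inbound(IPPROTO_GRE, None, gre)}
    return results


if __name__ == "__main__":
    print(demo())
```

In both models the TCP 1723 control reply finds its way back to the laptop; only the model that tracks the Call ID can deliver the GRE reply, which matches the symptom of the connection stalling at username and password verification.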


RE: campus LAN design w/DHCP server [7:59664]

2002-12-21 Thread Chuck Church
Hey Priscilla,

I feel about 10 times better knowing it's a fast ethernet  :)  If
there's any way to localize the traffic, such as putting department X's
clients and servers on vlan 100, and department Y's clients/servers on the
other, it'd be optimal.  But even if you can't it should run pretty well.
Worse comes to worse, they could always buy a 3550 and have that route
between VLANs at like light speed.  Which ghosting software is the client
using?  I thought that Ghost itself used multicast and was IGMP aware.

Chuck Church
CCIE #8776, MCNE, MCSE



 It's a fast Ethernet trunk, actually. I forgot to mention that. He does
 have some internal servers. Do you think in and out of a Fast Ethernet
 trunk will be less of a problem?

 You know my first reaction was also just move the subnet mask over. But he
 didn't seem to want to do that.

 He had a broadcast meltdown last week. Perhaps that's why he's concerned.
 He was using ghosting software.

 Thanks for the input!

 Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59664t=59664



RE: Routers multicast address 224.0.0.2 [7:59666]

2002-12-21 Thread Chuck Church
HSRP uses 224.0.0.2, UDP port 1985.  Any ACLs blocking this?  Is IGMP
snooping enabled all places between the two routers?  Check out:
http://www.cisco.com/en/US/tech/tk648/tk365/technologies_q_and_a_item09186a00800a9679.shtml
for more info.  Also, check the switch's multicast forwarding tables.
HTH.

Chuck Church
CCIE #8776, MCNE, MCSE



 Mohannad Khuffash wrote:

  Hi ...

  I have tried to configure HSRP on two 3660 routers, I configured them
  straight forward where only a little commands needed. But HSRP don't
  worked well ! The reason simply was that they are not seeing the HSRP
  hello messages so every one act as the active one ! When I checked the
  problem more, I discovered that both of them are not seeing the
  224.0.0.2 messages by using the SHOW IP INTERFACE command where none of
  the interfaces of the two routers are joined for this multicast group !
  My question now is how I can make them joined to 224.0.0.2 which should
  be the default configuration ? Or may be I'm wrong in my investigation ?!

  Thanks for your help

  --
  Mohannad  Khuffash




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59666t=59666



RE: campus LAN design w/DHCP server [7:59646]

2002-12-20 Thread Chuck Church
If everyone just goes to the internet, it'll work.  But if you've got one or
more servers internally, I'd be real afraid of trunking on a 10 mb interface.
You'll reduce your broadcasts, but I think performance will suffer horribly
crossing the router.  Since you've run out of addresses on a /24, I assume
you've got a couple hundred devices.  Personally I'd just move the mask back
one or 2 bits, making it a /22 or /23, and using the additional 1.0 or 1,2,
and 3.0 subnets.  There's things you can do to almost all OSs to reduce
broadcasts.  How many broadcasts are you seeing per second?  If it's no more
than 20 on average, I wouldn't even worry about it.

Chuck Church
CCIE #8776, MCNE, MCSE

The customer has been using 192.168.168.0/24 in one small flat LAN. He
has run out of these addresses and is being hit by performance issues
related to broadcasts.

He wants to implement subnets and VLANs:

VLAN 100 192.168.168.0/24
VLAN 200 192.168.169.0/24

New design:

        Internet
           |
           s0
      2600 router e1 --- public servers
           e0
           | dot1q trunk
         switch
    VLAN 200   VLAN 100

There is just one DHCP server. It will be in VLAN 100, address
192.168.168.10. The DHCP server will have 2 scopes for the 2 subnets.

We're going to do inter-VLAN routing on the 2600 router.

Will this config work as far as DHCP is concerned?

interface ethernet 0
 no ip address
interface ethernet 0.1
 encapsulation dot1q 100
 ip address 192.168.168.1 255.255.255.0
interface ethernet 0.2
 encapsulation dot1q 200
 ip address 192.168.169.1 255.255.255.0
 ip helper-address 192.168.168.10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59646t=59646



Re: OT: High Speed Internet Test from Browser [7:59118]

2002-12-12 Thread Chuck Church
Well, I suppose they could have a script that downloaded to your PC and then
tested some sites for speed.  But I think your browser would warn you about
that.  The most simple way would be for the web server to ping you, say with
a 500 byte packet, and based on the reply time, determine your speed.  To be
more accurate, it could ping with a small packet, then a big one to analyze
the difference.  I've got a cable modem.  Two different pings:

Pinging www.novell.com [192.233.80.5] with 32 bytes of data:

Reply from 192.233.80.5: bytes=32 time=110ms TTL=34
Reply from 192.233.80.5: bytes=32 time=152ms TTL=34
Reply from 192.233.80.5: bytes=32 time=109ms TTL=34
Reply from 192.233.80.5: bytes=32 time=111ms TTL=34

Ping statistics for 192.233.80.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 109ms, Maximum = 152ms, Average = 120ms

C:\Documents and Settings\church>ping www.novell.com -l 500

Pinging www.novell.com [192.233.80.5] with 500 bytes of data:

Reply from 192.233.80.5: bytes=500 time=114ms TTL=34
Reply from 192.233.80.5: bytes=500 time=122ms TTL=34
Reply from 192.233.80.5: bytes=500 time=146ms TTL=34
Reply from 192.233.80.5: bytes=500 time=144ms TTL=34

Ping statistics for 192.233.80.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 114ms, Maximum = 146ms, Average = 131ms

As you can see, even though the second ping data size was over 10
times bigger, the time went up very little, indicating your connection isn't
the bottleneck, but the latency through numerous router hops was.  Try the
same on a slow connection, and you'd see a much bigger difference between
the two.

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59118t=59118
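
The small-ping/large-ping comparison described in the message above, worked through on the reply lines it quotes. This is an added example, not code from the thread. It assumes the extra delay of the larger packet is pure serialization time on one symmetric bottleneck link crossed once in each direction, which is a simplification (a cable modem is usually asymmetric), and with four samples at 1 ms resolution the result is only a rough figure.

```python
import re

# Reply lines quoted in the message above (32-byte and 500-byte pings).
PING_OUTPUT = """\
Reply from 192.233.80.5: bytes=32 time=110ms TTL=34
Reply from 192.233.80.5: bytes=32 time=152ms TTL=34
Reply from 192.233.80.5: bytes=32 time=109ms TTL=34
Reply from 192.233.80.5: bytes=32 time=111ms TTL=34
Reply from 192.233.80.5: bytes=500 time=114ms TTL=34
Reply from 192.233.80.5: bytes=500 time=122ms TTL=34
Reply from 192.233.80.5: bytes=500 time=146ms TTL=34
Reply from 192.233.80.5: bytes=500 time=144ms TTL=34
"""

# Windows ping prints "time=110ms", or "time<1ms" for very fast replies.
REPLY_RE = re.compile(r"bytes=(\d+)\s+time[=<](\d+)ms")


def min_rtt_by_size(text):
    """Return {payload_bytes: minimum RTT in ms}.

    The minimum is used instead of the average because queueing along the
    path only ever adds delay; the fastest sample is the closest to the
    fixed propagation-plus-serialization time.
    """
    best = {}
    for size, ms in REPLY_RE.findall(text):
        size, ms = int(size), int(ms)
        best[size] = min(ms, best.get(size, ms))
    return best


def estimate_bottleneck_bps(text):
    """Estimate the slowest link's speed in bits per second.

    Returns None when fewer than two payload sizes were seen, or when the
    larger packet was not measurably slower (the access link is then too
    fast, or the samples too noisy, for this method to say anything).
    """
    rtts = min_rtt_by_size(text)
    if len(rtts) < 2:
        return None
    small, big = min(rtts), max(rtts)
    delta_ms = rtts[big] - rtts[small]
    if delta_ms <= 0:
        return None
    # Assumption: the extra payload crosses the bottleneck twice
    # (echo request out, echo reply back).
    extra_bits = 2 * 8 * (big - small)
    return extra_bits * 1000 / delta_ms


if __name__ == "__main__":
    print(min_rtt_by_size(PING_OUTPUT))
    bps = estimate_bottleneck_bps(PING_OUTPUT)
    print("estimated bottleneck: %.0f kbit/s" % (bps / 1000))
```
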



RE: Little Help Please blocking pop ups and ads [7:58182]

2002-11-27 Thread Chuck Church
Elijah,

Not real easy to do with a PIX.  You could setup ACLs to block access to
all the big marketing companies like doubleclick.net, etc.  But that would be
a never-ending battle.  An alternative is running Mozilla as your browser.
It's got an option to turn off unrequested windows.  I'm not sure, the newer
Netscapes might do it now as well.  It works fine.
http://www.mozilla.org

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58182t=58182



Re: hsrp isl trunking [7:58144]

2002-11-26 Thread Chuck Church
Dennis,

It's better to have a unique HSRP group for each VLAN.  Cisco bases the
virtual MAC address on the group.  If you reuse the group number, you'll have
duplicate MAC addresses.  Granted, they're on separate VLANs and shouldn't
matter, but I had a Cat4000 that didn't like it at all, and gave me lots of
logged messages about MACs moving around.

Chuck Church
CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58144t=58144
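
An added example, not from the original thread: HSRP version 1 builds the virtual MAC as 0000.0c07.acXX, where XX is the group number in hex, so the same group number on several VLAN subinterfaces produces the same virtual MAC on each. The script below finds that reuse in an IOS configuration; the sample configuration is constructed for illustration, and interfaces with `standby use-bia` are skipped because they answer with the burned-in address instead of the virtual MAC.

```python
import re
from collections import defaultdict

# Constructed sample (interface names and addresses are made up).
SAMPLE_CONFIG = """\
interface FastEthernet0/0.10
 encapsulation isl 10
 ip address 10.1.10.2 255.255.255.0
 standby 1 ip 10.1.10.1
!
interface FastEthernet0/0.20
 encapsulation isl 20
 ip address 10.1.20.2 255.255.255.0
 standby 1 ip 10.1.20.1
!
interface FastEthernet0/0.30
 encapsulation isl 30
 ip address 10.1.30.2 255.255.255.0
 standby 30 ip 10.1.30.1
!
interface FastEthernet0/0.40
 encapsulation isl 40
 ip address 10.1.40.2 255.255.255.0
 standby use-bia
 standby 1 ip 10.1.40.1
"""


def hsrp_v1_vmac(group):
    """Virtual MAC for an HSRP version 1 group (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return "0000.0c07.ac%02x" % group


def parse_hsrp(config):
    """Return {interface: {"groups": set of ints, "use_bia": bool}}."""
    result = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = {"groups": set(), "use_bia": False}
            continue
        if not line[:1].isspace():
            current = None          # "!" or another top-level command
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("standby use-bia"):
            result[current]["use_bia"] = True
            continue
        m = re.match(r"^standby\s+(?:(\d+)\s+)?ip\b", stripped)
        if m:
            # "standby ip ..." with no number means group 0 in IOS.
            group = int(m.group(1)) if m.group(1) else 0
            result[current]["groups"].add(group)
    return result


def duplicate_vmacs(config):
    """Return {virtual MAC: [interfaces]} for MACs used more than once."""
    by_mac = defaultdict(list)
    for ifname, info in parse_hsrp(config).items():
        if info["use_bia"]:
            continue
        for group in info["groups"]:
            by_mac[hsrp_v1_vmac(group)].append(ifname)
    return {mac: sorted(ifs) for mac, ifs in by_mac.items() if len(ifs) > 1}


if __name__ == "__main__":
    for mac, ifs in duplicate_vmacs(SAMPLE_CONFIG).items():
        print("%s is shared by: %s" % (mac, ", ".join(ifs)))
```
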



Re: hsrp isl trunking [7:58144]

2002-11-26 Thread Chuck Church
I think the 'use-bia' may have been a fix for the problem as well.  It's
been a while since it happened.  For all I know it might have been a problem
with the CatOS on the switch.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: Larry Letterman 
To: Chuck Church 
Cc: 
Sent: Tuesday, November 26, 2002 6:36 PM
Subject: Re: hsrp  isl trunking [7:58144]


 And..
 on the new msfc-2 you only get 16 hsrp groups
 supposedly the issue that chuck states below is
 not an issue with the new msfc-2 for the 6509's

 Chuck Church wrote:

 Dennis,
 
 It's better to have a unique HSRP group for each VLAN.  Cisco bases the
 virtual MAC address on the group.  If you reuse the group number, you'll have
 duplicate MAC addresses.  Granted, they're on separate VLANs and shouldn't
 matter, but I had a Cat4000 that didn't like it at all, and gave me lots of
 logged messages about MACs moving around.
 
 Chuck Church
 CCIE #8776, MCNE, MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58153t=58144



RE: PIX Client WIN2000 Internet sharing [7:58062]

2002-11-25 Thread Chuck Church
Guys,

IPSec will work with PAT, with some caveats.  On the device doing the
NAT/PAT, you need a static NAT entry to send IKE and IPSec to the designated
inside device.  Like this:

ip nat inside source list 100 interface Ethernet0/0 overload
(Standard PAT statement)
ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
(IPSec)
ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
(IKE/ISAKMP)

By doing this, inside device 192.168.0.2 can connect to an IPSec VPN, using
the 3.x client.  I'm doing it right now.  Of course, if you've got more than
1 internal needing to dial, you'll need more external addresses.  Now
whether the M$ ICS can be told to send incoming ISAKMP and IPSec to a
certain internal client is another question...

Chuck Church
CCIE #8776, MCNE, MCSE




 This is correct.  IPSec will NOT work through PAT.  At the moment, Pix does
 NOT support NAT traversal (udp encapsulation).  Therefore, trying to connect
 to a Pix behind a NAT device with vpn dialer will not work.  VPN
 concentrators, on the other hand will work.  Or better yet, throw away
 your Pix and put in either a CheckPoint NG Firewall or linux firewall
 (iptables).  Both CP and Linux are stateful firewalls.  If you want to
 stick with Pix, wait until version 6.3 where it will support NAT
 traversal (UDP encapsulation).

 Edward Sohn wrote: nope, it won't work...ipsec needs its own IP
 address and not PAT. i've tested this extensively, and it won't
 work...if anyone else can comment, please do.

 either way, best thing to do is get a few statics from your ISP and
 statically translate...

 ed

 - -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
 Derek
 Sent: Sunday, November 24, 2002 9:12 AM
 To: [EMAIL PROTECTED]
 Subject: PIX Client  WIN2000 Internet sharing [7:57988]


 I have a home network which uses an ADSL line which is shared via
 Internet Connection Sharing. I have 3 pc's in the network and they can
 all access the internet. From these pc's i am trying to connect to my
 office VPN. I can ping the address but cannot connect via Dialer. The VPN
 connection works when Internet Sharing is disabled. Is there any way
 around this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58062t=58062



Re: PIX Client WIN2000 Internet sharing [7:58062]

2002-11-25 Thread Chuck Church
I'm not really sure what 'IPSec passthrough' means.  I've seen it used by
different companies and it means different things.  If the PIX is smart
enough to detect your IKE going out, and setup the necessary IKE and IPSec
translations for the other end of the VPN (for the return traffic), then you
don't need the statics.  This is how the Linksys DSL/Cable routers work, I
believe.  But if it doesn't work, try setting up the statics for IKE and
IPSec.  What works on the router should work on the PIX, although I don't
know for sure if the PIX will let you do the extended translations like the
IOS does.  Don't have a PIX here to try it on.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: Elijah Savage III 
To: Chuck Church ; 
Sent: Monday, November 25, 2002 4:32 PM
Subject: RE: PIX Client  WIN2000 Internet sharing [7:58062]


Chuck,

Please correct me if I am wrong but you are using a router with PAT, and
with a router you will need those statics. But on the PIX you do not
need to have statics because it supports ipsec passthrough, I have no
statics on my PIX at all.

-Original Message-
From: Chuck Church [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 25, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Client  WIN2000 Internet sharing [7:58062]


Guys,

IPSec will work with PAT, with some caveats.  On the device doing
the NAT/PAT, you need a static NAT entry to send IKE and IPSec to the
designated inside device.  Like this:

ip nat inside source list 100 interface Ethernet0/0 overload
(Standard PAT statement)
ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
(IPSec)
ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
(IKE/ISAKMP)

By doing this, inside device 192.168.0.2 can connect to an IPSec VPN,
using the 3.x client.  I'm doing it right now.  Of course, if you've got
more than 1 internal needing to dial, you'll need more external
addresses.  Now whether the M$ ICS can be told to send incoming ISAKMP
and IPSec to a certain internal client is another question...

Chuck Church
CCIE #8776, MCNE, MCSE




 This is correct.  IPSec will NOT work through PAT.  At the moment, Pix does
 NOT support NAT traversal (udp encapsulation).  Therefore, trying to connect
 to a Pix behind a NAT device with vpn dialer will not work.  VPN
 concentrators, on the other hand will work.  Or better yet, throw away
 your Pix and put in either a CheckPoint NG Firewall or linux firewall
 (iptables).  Both CP and Linux are stateful firewalls.  If you want to
 stick with Pix, wait until version 6.3 where it will support NAT
 traversal (UDP encapsulation).

 Edward Sohn wrote: nope, it won't work...ipsec needs its own IP
 address and not PAT. i've tested this extensively, and it won't
 work...if anyone else can comment, please do.

 either way, best thing to do is get a few statics from your ISP and
 statically translate...

 ed

 - -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
 Of Derek
 Sent: Sunday, November 24, 2002 9:12 AM
 To: [EMAIL PROTECTED]
 Subject: PIX Client  WIN2000 Internet sharing [7:57988]


 I have a home network which uses an ADSL line which is shared via
 Internet Connection Sharing. I have 3 pc's in the network and they can
 all access the internet. From these pc's i am trying to connect to my
 office VPN. I can ping the address but cannot connect via Dialer. The
 VPN connection works when Internet Sharing is disabled. Is there
 any way around this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58064t=58062



RE: Apparent packet loss... [7:57957]

2002-11-23 Thread Chuck Church
Keith,

Don't ever listen to a sales person.  Ever!  What is the ratio of
collisions to frames output on that interface to the provider?  Cisco
recommends limiting collisions to 1 out of every 1000 frames, although 1 out
of every 100 isn't bad.  If it's worse than 1 out of every 100, definitely get
them to make it full duplex.  Frames queueing up on this interface could be
causing problems with the others.  Definitely turn on CEF.  If they want to
limit your network speed it should occur on their interface to their own
equipment, not yours.  NBAR (Network Based Application Recognition) is
available on 12.2 and does a lot of what Packeteer can do.  Assuming you've
got adequate memory (do a 'sh mem', check how much is free), I'd bump up both
the buffers a bit and the queues on the interfaces.  Shouldn't be too much
more CPU load.  Do 200/300 per/max for small buffers, 100/150 for middle, and
75/150 for big.  Double the size of the interface queues that have drops.  Go
with this for a day, and see how it looks.  Also, do a 'sh int stat' to see
the ratio of process to fast switched packets.  This ratio should improve with
CEF.  Hope this helps.  Let me know if you need more help.

Chuck Church
CCIE #8776, MCNE, MCSE

Date: Sat, 23 Nov 2002 18:18:16 GMT
From: Keith Woodworth 
Subject: Re: Apparent packet loss... [7:57922]

On Sat, 23 Nov 2002, The Long and Winding Road wrote:

|- They have told us to config our ethernet port to half duplex so packets
|- will be retransmitted if they get lost in their ATM cloud so we have a
|- fairly high collision rate on this port. I don't know enough about ATM to
|- say if this is good or bad...?
|-
|-
|-CL: huh? the retransmission is determined from and between the source and
|-destination hosts, not by routers along the way. this half duplex
|-instruction doesn't make sense to me.

Nor does it to me either but before we put in the 7206, we had their 7204
as the gateway connected to a switch and it was set half-duplex even
before I started here. I'm going to dig more into this.

The part of this that annoys me is when I asked my boss about this he said
the provider would charge us an xtra $2k/month to run the port
full-duplex... telus is hurting and are trying to squeeze as much as they
can from us and everyone else.

|-CL: have you considered doing traffic studies to determine if any qos type
|-services could be of benefit? anything like traffic shaping, random early
|-detect, things like that?

We have started doing that because we started noticing that outbound
traffic higher than inbound. About 6 weeks ago we moved the routers to a
switch as a start just to look at sniffing the traffic via port spanning.
4pm in the afternoon we started and within an hour, we found that 50-60%
of traffic outbound was riding on port 1214 (Kazaa etc) At that time
outbound traffic was pushing 18Megs, inbound was about 15Megs.

Historically traffic was 8-10Megs out and 15-18Megs in. P2P is killing us.

A few simple ACL's have been put to rate-limit outgoing traffic on that
port for P2P, which has helped. And we are looking at packet shaping
possibilities. My boss wants a Packeteer... but I'd like to see if I can do
something with the router instead of spending 20 grand.

|-CL: according to the following link, up to 400,000 pps
|-
|-http://www.cisco.com/warp/public/cc/pd/rt/7200/prodlit/c7200_ds.htm
|-
|-your description doesn't indicate you have oversubscribed the back plane.
|-

Yea I don't think we are either now that I've seen some numbers. I was
looking for specs on the NSE1 not the 7206. Thanks for the link.

|- Anyway to actually tell for certain if the router is dropping packets?
|-
|-show buffers
|-show queueing
|-show queue interface etc.

Showing misses/failures on all buffers but these have the most:

Small buffers, 104 bytes (total 50, permanent 50, peak 201 @ 7w0d):
 44 in free list (20 min, 150 max allowed)
 1991931468 hits, 98395 misses, 43142 trims, 43142 created
 2371 failures (0 no memory)
Middle buffers, 600 bytes (total 25, permanent 25, peak 92 @ 3d20h):
 23 in free list (10 min, 150 max allowed)
 43042905 hits, 2828 misses, 2508 trims, 2508 created
 703 failures (0 no memory)
Big buffers, 1524 bytes (total 50, permanent 50, peak 68 @ 6d12h):
 50 in free list (5 min, 150 max allowed)
 12398616 hits, 359 misses, 81 trims, 81 created
 79 failures (0 no memory)

so according to docs on CCO about buffers, misses/failures usually lead to
dropped packets. This leads me to believe that data is coming in at a rate
higher than the RP can keep up though. Will have to look at upping the #
of permanent buffers and see if that helps.

Thanks,
Keith




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57957t=57957



6509 Buffer problem - Fix [7:57009]

2002-11-06 Thread Chuck Church
6509 dude,

Sorry, don't remember the person's name who posted the original
question, but I was dealing with the same thing.  Installed 12.1.13E last
night, now I'm getting nothing but hits, even with default buffer settings.
Hope this helps.

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57009t=57009



Re: buffer tuning 6509 [7:56906]

2002-11-05 Thread Chuck Church
Mr. Joshua,

This looks like a bug I'm working with:

Anyway, the issue might be related to the middle buffer not populating
and there is a bug which was open for the similar issue 
(should be fixed in later IOS versions): CSCdx15857 (Buffer Failure). You
couldn't change the middle buffers because of the same bug.
In order to fix the issue you should upgrade the IOS but prior of doing this
you would probably need to consult your Cisco NSA/SE.

That came from a TAC guy I'm working with.  He's telling me the 12.1.13E
code will fix that problem, where you can't even configure medium buffers.
Keep in mind that buffers use RAM, so occasionally do a 'sh mem' and make
sure your 2 pools aren't running low.  I'd install that code, and then run
it for a few days.  After that, set your permanent buffers to between 50 and
75% of what the peak was for that particular pool.  Set the max to maybe 100
more than the permanent.  So for below I'd start out with:

buff sma per 750
buff sma max 850
buff med per 75
buff med max 150
buff mid per 300
buff mid max 400
buff big per 600
buff big max 700
buff very per 20
(use default for very max)
buff large per 10
buff large max 25
buff huge per 10
buff huge max 20

Paste these in, see how it goes.  Good luck.

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000

Date: Tue, 5 Nov 2002 12:41:12 GMT
From: Mr Joshua 
Subject: buffer tuning 6509 [7:56891]

Does anybody know of a good white paper on buffer tuning? I have read a
couple of generic ones on Cisco's website, yet they are not
good enough to satisfy what I need to know. Called TAC - not a whole
lot of help this time! As you can see, there are a lot of misses on 
medium and middle buffers. I also see that total and permanent are
not allocated. I know the general CCNP level of what those mean and
commands to adjust them, but does anybody know this - the second line
of output says that there are 500 max allowed. Does that mean that
I need to break this number down into public buffer pool? Does that mean
that the cumulative sum of all public pools can't be more than 500? (as you
can see, the big buffers are 500). Does anybody know of a GOOD paper that
gives examples of buffer tuning? Sorry if those are stupid questions.

here is the output:

Buffer elements:
499 in free list (500 max allowed)
898918875 hits, 0 misses, 0 created

Public buffer pools:
Small buffers, 104 bytes (total 73, permanent 50, peak 1501 @ 7w0d):
72 in free list (20 min, 150 max allowed)
609248534 hits, 201320 misses, 121659 trims, 121682 created
86630 failures (0 no memory)
Medium buffers, 256 bytes (total 0, permanent 0, peak 123 @ 4d08h):
0 in free list (0 min, 0 max allowed)
705511 hits, 140644897 misses, 1414484 trims, 1414484 created
139937655 failures (0 no memory)
Middle buffers, 600 bytes (total 150, permanent 25, peak 555 @ 7w0d):
149 in free list (10 min, 150 max allowed)
185320811 hits, 4615702 misses, 167032 trims, 167157 created
4439672 failures (0 no memory)
Big buffers, 1524 bytes (total 500, permanent 500, peak 595 @ 7w0d):
500 in free list (5 min, 500 max allowed)
41418467 hits, 3577401 misses, 39229 trims, 39229 created
3540388 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 10, permanent 10, peak 20 @ 7w0d):
10 in free list (0 min, 100 max allowed)
1006090 hits, 3524469 misses, 22 trims, 22 created
3524458 failures (0 no memory)
Large buffers, 5024 bytes (total 0, permanent 0):
0 in free list (0 min, 10 max allowed)
0 hits, 3524458 misses, 0 trims, 0 created
3524458 failures (0 no memory)
Huge buffers, 18024 bytes (total 2, permanent 0, peak 2 @ 7w0d):
2 in free list (0 min, 4 max allowed)
4580 hits, 3522061 misses, 120 trims, 122 created
3522000 failures (0 no memory)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56906t=56906
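
The rule of thumb from the reply above (permanent at 50 to 75% of a pool's peak, max about 100 above permanent), applied mechanically to the `show buffers` output quoted in this thread. This is an added example, not code from the thread; the 50% factor, the 1% miss-ratio threshold and the choice never to suggest less than the current permanent value are assumptions, and the results are starting points to compare against free memory, not commands to paste.

```python
import re

# Public buffer pools from the "show buffers" output quoted in this thread.
SHOW_BUFFERS = """\
Small buffers, 104 bytes (total 73, permanent 50, peak 1501 @ 7w0d):
72 in free list (20 min, 150 max allowed)
609248534 hits, 201320 misses, 121659 trims, 121682 created
86630 failures (0 no memory)
Medium buffers, 256 bytes (total 0, permanent 0, peak 123 @ 4d08h):
0 in free list (0 min, 0 max allowed)
705511 hits, 140644897 misses, 1414484 trims, 1414484 created
139937655 failures (0 no memory)
Middle buffers, 600 bytes (total 150, permanent 25, peak 555 @ 7w0d):
149 in free list (10 min, 150 max allowed)
185320811 hits, 4615702 misses, 167032 trims, 167157 created
4439672 failures (0 no memory)
Big buffers, 1524 bytes (total 500, permanent 500, peak 595 @ 7w0d):
500 in free list (5 min, 500 max allowed)
41418467 hits, 3577401 misses, 39229 trims, 39229 created
3540388 failures (0 no memory)
VeryBig buffers, 4520 bytes (total 10, permanent 10, peak 20 @ 7w0d):
10 in free list (0 min, 100 max allowed)
1006090 hits, 3524469 misses, 22 trims, 22 created
3524458 failures (0 no memory)
Large buffers, 5024 bytes (total 0, permanent 0):
0 in free list (0 min, 10 max allowed)
0 hits, 3524458 misses, 0 trims, 0 created
3524458 failures (0 no memory)
Huge buffers, 18024 bytes (total 2, permanent 0, peak 2 @ 7w0d):
2 in free list (0 min, 4 max allowed)
4580 hits, 3522061 misses, 120 trims, 122 created
3522000 failures (0 no memory)
"""

# The "peak N @ time" part is absent for a pool that never grew.
HEADER_RE = re.compile(
    r"^\s*(\w+) buffers, (\d+) bytes "
    r"\(total (\d+), permanent (\d+)(?:, peak (\d+) @ \S+)?\):")
COUNTS_RE = re.compile(r"(\d+) hits, (\d+) misses")
FAIL_RE = re.compile(r"(\d+) failures \((\d+) no memory\)")


def parse_pools(text):
    """Parse the public pools of 'show buffers' into a list of dicts."""
    pools, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"name": m.group(1), "size": int(m.group(2)),
                   "total": int(m.group(3)), "permanent": int(m.group(4)),
                   "peak": int(m.group(5)) if m.group(5) else None,
                   "hits": 0, "misses": 0, "failures": 0}
            pools.append(cur)
            continue
        if cur is None:
            continue
        m = COUNTS_RE.search(line)
        if m:
            cur["hits"], cur["misses"] = int(m.group(1)), int(m.group(2))
        m = FAIL_RE.search(line)
        if m:
            cur["failures"] = int(m.group(1))
    return pools


def miss_ratio(pool):
    """Fraction of buffer requests the free list could not satisfy."""
    requests = pool["hits"] + pool["misses"]
    return pool["misses"] / requests if requests else 0.0


def pools_needing_attention(text, threshold=0.01):
    """Names of pools whose miss ratio exceeds the (assumed) threshold."""
    return [p["name"] for p in parse_pools(text) if miss_ratio(p) > threshold]


def suggest(pool, fraction=0.5, headroom=100):
    """(permanent, max) from the rule of thumb, or None with no peak data."""
    if pool["peak"] is None:
        return None
    # Assumption: never suggest fewer permanent buffers than configured now.
    permanent = max(pool["permanent"], int(pool["peak"] * fraction))
    return permanent, permanent + headroom


if __name__ == "__main__":
    for p in parse_pools(SHOW_BUFFERS):
        print("%-8s miss ratio %.4f  suggestion %s"
              % (p["name"], miss_ratio(p), suggest(p)))
```
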



Re: Cisco PIX & Novell [7:51427]

2002-08-15 Thread Chuck Church

Brian,

A well-designed NW network is a very stable and secure environment.
I used to work for a bank with over 400 NW 4.11 servers.  The support team
consisted of myself and two others.  We spent all our free time studying
Cisco!  The major problem these days is VARs send their MCSE drones to try
to fix these networks, and break all kinds of things.  People who don't
understand how NDS works shouldn't be touching it.  You'll see issues in MS
like this once (if ever) people start trying to install Active Directory.
All the NW IP clients work great with the 1.1 and 3.x Cisco VPN clients
also, so VPN shouldn't really be an issue.  I know for a fact that the NW
client will NOT work through NAT, but no one should be accessing a server
over the internet without encryption anyways.
MS uses tons of broadcasts and directed broadcasts for everything.
It's actually worse than NW these days.  Multicasting is the way to go.
Just enable PIM, and all servers and clients can see each other.  It's
really easy compared to WINS.
Security holes?  You can't possibly think that NW has more security
holes than MS.  Even Gartner Group now recommends that companies stay away
from IIS from any internet-accessible servers.  Patching NT servers is a
full time job (with no benefits).

P.S.  Cisco's stock is pretty crappy right now also (bought some of mine at
$80 :(.  But I'm not recommending Foundry to anyone either.  Use what you
like, 

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000

If you believe any of this, you can spend $1.50 and own some of the
Novell Company (stock market). About the cost of a candy bar? My
experience with Novell you need to spend a lot of effort to get anything
to work, and their support is non-existent. I have heard of even
hardcore Novell shops switch to a different OS, after trying Novell 5
with horror stories. Everything about Novell works with broadcasts that
flood the network. They are considered a step up from Apple networks
though, in the unnecessary traffic they create. Recently, I was told I
needed to make a VPN connection to another company using ADSL, the
problem is that Novell Client will not work with ADSL. It may work now
in Novell 6 client. There was a long laundry list of work arounds, and
modifications you had to do to get it running. I really don't have this
kind of patience, so I think they dropped the idea of getting a VPN
connection into Novell. Some of the fixes were playing games with the
MTU size to get it to work. The problem with that, is the rest of my
network is using the ADSL line.

I think you will find issues with using Pix Firewall with Novell. Novell
requires so many modifications to make it work, that you will compromise
performance and security (i.e. compatibility mode), if you can get it
to work at all. With major security Vulnerabilities like Denial of
Service issues with the Novell VPN.

I find a lot of people like Novell (and other obsolete OS's) because
they have good memories of running the 3.xx box on a 386. Maybe back
then it was worth mentioning. Now, it is full of security holes, and
bugs that are in the Novell OS which no one bothers to fix. At this
point, they are just struggling to keep the lights on at Novell.

Novell got IPX from Xerox anyway, not so innovating at all. 



Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51427t=51427



re: Cisco PIX Novell [7:51358]

2002-08-14 Thread Chuck Church

John,

Keep in mind that Pure IP NW uses multicasts as part of SLP to map
server names to IP addresses and build a table.  The PIX won't pass
multicasts.  I assume you're manually putting in the server IP address into
the client.  Otherwise you'll need a directory agent.  Or replace it with
MS.  Now that's funny :)

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51358t=51358



RE: CCIE#8903 [7:37511]

2002-03-06 Thread Chuck Church

George,

Way to go.  I guess we were good partners for each other at NMC-1!
Congratulations.

Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
George Zhang
Sent: Wednesday, March 06, 2002 5:57 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: CCIE#8903


All,

The title says it all.  I took my first attempt at the CCIE lab test
yesterday (March 5) in Halifax and received the "Congratulations on Passing
the CCIE Lab!" this morning.

I was the only person taking the lab test in Halifax yesterday.  I was told
that there was another person scheduled yesterday but did not show up.  My
test started about 8:15 AM in the morning.  We broke for lunch at about
12:20PM.  By then, I only finished all the IGP stuff and felt some pressure
on time.  But I have already reviewed rest of the test and knew that I could
go through the rest quickly.  After the 15 min lunch break, I worked through
rest of the test very quickly.  By about 3:00 PM, I finished every thing
except one small requirement that I had no clue how to do it.  I decided to
skip that item.  Then, I started reviewing and checking my config.  Along
the way of reviewing/checking, I spotted and fixed a few issues.  Just about
the time I finished reviewing every thing, the proctor walked in and told me
that it's time.  I looked at the watch.  It was 4:30 PM.  My proctor was
Steve.  Steve is a great proctor.  He answered quite a few of my questions
and cleared my mis-understanding and confusion about the requirements of the
test.

I would like to take this opportunity to thank all people who helped me to
achieve my goal.  First, I would like to thank my wife for her support and
understanding.  Without her support, there is no way I could achieve my
goal.  Next, I will give my thanks to Bruce, Val, and Fred of
NetMasterClass.  As I said earlier, the NMC1 class is the most important
part of my final preparation.  Thanks to Katie Wong of Cisco who scheduled
me to access the ASET racks.  That's my primary resource for hands-on
practices for the past couple of months.  Thanks to Eric Fairfield for
lending me a few routers when I was in Wisconsin.  Also thanks to those that
I've either studied with or have helped me one way or another.  Thanks also
to Paul for putting this great list together.

As far as my story, I started my quest of the Cisco certifications a little
over two and half years ago.  I got my CCNA and CCNP in the first year.
Three months later, I passed the CCIE written test.  I wanted to take the
lab a year ago.  However, due to work and personal reasons, I did not get
time to do it until now.  Last year, I was too busy to do much study.  At
work, as a consultant, I was billing at least 40 hours/week for the whole
year.  At home, my second child was born in February, my wife finished
school in July, and we moved to New Jersey from Wisconsin in September.  In
October of last year, I foresaw a window of opportunity for me to take the
lab test early this year.  Then, I lobbied my manager to let me go to the
ECP1 class.  By the time my manager approved my training request, I found
that Mentor Technologies went belly up.  However, I learned that Bruce and
Val founded a new company called NetMasterClass, LLC
(www.netmasterclass.net) and offering the NMC1 and NMC2 classes.  I
registered and took the NMC1 class by the end January.  By the end of last
year, the project I worked on finished.  So since the beginning of this year
I got a lot of time to study.  For the past couple of months, I have studied
8-10 hours every day.

As far as how I prepared, I have read most of the books (Doyle I & II,
Caslow, Halabi, Tam-Nam-Kee, Solie, Satterlee, etc.) recommended by people
on this list.  Among this long list of books, the only one I don't like is
Solie's book because there are too many errors in the book.  There are a few
topics I was more confused after reading the book.  I don't have a home lab.
So my primary resource for hands-on practice is remote labs such as Mentor
Technologies vlabs (not available any more), Cisco ASET lab.  Because I
don't have a home lab, my preparation included more reading than hands-on
practice.  That actually worked out very well for me.  Above all, the most
important part of my preparation is the NMC1 class taught by Bruce, Val and
Fred.  IF I HAD NOT TAKEN THE NMC1 CLASS, IT PROBABLY WOULD HAVE TAKEN ME
ONE OR TWO MORE ATTEMPTS BEFORE I COULD GET MY NUMBER.  There are a lot of
things that just cannot be learned from reading books or practicing.  So the
NMC1 class helped me to fill in that gap very well.  It also helped me to
assess my strength and weakness.  So I know what to study on the last few
weeks.  I strongly recommend taking the NMC1 class a few weeks before your
lab

Whew! CCIE 8776! [7:35257]

2002-02-13 Thread Chuck Church

All,

I think the title says it all.  Took the lab today at RTP.  4th time
was the charm.  I don't know where to begin.  Might as well start with the
thank you's.  Thanks to Bruce, Val, and Fred at NetMasterClass.  Thanks also
to those on the list that I've either studied with or have helped me out in
the past with problems.  Thanks also to Paul for putting this great list
together.  As far as how I prepared, I might as well give the whole story.
Started working on Cisco about 2 1/2 years ago after going through the Novell
and MS Certs.  After getting NA, DA, NP, and DP, I passed the CCIE written
in October 2000.  Without really knowing how to study or what to prepare
for, I got my butt handed to me in January at RTP.  Didn't know much more
than your average CCNP would.  Tried again in April, but BGP killed me, and
again I didn't make it to day 2.  After that, I found a study partner
(Thanks Boris) and we worked pretty hard last summer.  Did all the bootcamp
labs, thought I knew everything I needed to.
November 4 of 2001, figured I'd breeze through the lab.  I don't
know if it's true, but I heard the first couple of months with the new 1 day
format had a very low pass rate.  I know I could have used a couple more
hours to finish.  If anyone took the lab in Oct or Nov of last year and
failed, don't be discouraged.  I think they've scaled it back a little
nowadays.
Fast forwarding to today.  After spending a week with Val, Bruce,
and Fred at the NMC-1 course, and doing nothing but working on my speed, I
felt pretty prepared.  Everything in the Doyle Volume 1 and Bruce/Val's book
made sense.  Though running a little low on sleep, I felt good this morning.
Roughly 4.5 hours into the test, we got lunch.  At that point I was done
with the IGP's and almost done with the EGP's.  In other words about 2/3 of
the way done, by my estimate.  At 1:30 I was done, but needed to go back and
work on 3 things I couldn't figure out.  A little discussing with the
proctor, and 2 of them were fixed.  But then I think I read too much.  I had
solved a problem one way, but realized the wording of the question might
change what they were looking for.  Checking with the proctor, I got the
impression that he really didn't like my solution.  So there I am, 1.5 hours
to go, and I'm making a somewhat major change :(  Looked OK, but with 1/2 an
hour to go, I noticed a 'neighborship' bouncing up and down :o  10 minutes
to go, got it all working, but didn't get a chance to completely double
check all my other work as time expired.  I know I left 1 thing unconfigured
(a 2 pointer), but started wondering if I'd made other mistakes.  They said
to expect the results tomorrow afternoon.  A plane flight back to New York,
and there's the email waiting.  8776!
If anyone's wondering what I used to study, here's the short list:

Groupstudy!  Paul's done a great job.  There are certain people on this list
that should be flagged as must-reads.  I won't mention any last names, but
there are a couple guys named 'Brian' (both long-time CCIEs) that are a huge
asset to this list.  Thanks guys.

Doyle - Volumes 1 and 2 - Everything you ever wanted to know about IP, but
were afraid to ask.

Bridges, Routers, and Switches for CCIEs - Bruce Caslow and Val Pavlichenko
- Used edition 2, but I understand 3 is coming out soon.  This book covers
most everything.  I expect the new edition will cover more multicast and
QOS, and drop Appletalk and DECnet.  But still the most useful book I've
found.

Halabi - Used 1st edition, but everything I was asked to do with BGP is in
that book.

Bootcamp labs - Worked through these with a partner, because his company was
cool enough to buy them for him, and my company wasn't!  Great preparation
and simulation for the test.

Various docs from CCO - Might as well go to the source!

Most importantly - NMC-1 http://www.netmasterclass.net/nmc/  Bruce and Val
explain the most difficult subjects very well.  A couple of things are a
little lacking in the book, but they cover those very well in the class.  Be
prepared to work your a** off that week though.  8:30AM to 11PM is the norm
that week.  But I highly recommend it, especially if you've come close to
passing before.

Well, sorry to ramble on so much.  I'm off to bed for a L O N G
sleep.

Thanks again,

Chuck Church
CCIE 8776
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35257t=35257



How to block MSN, and others. [7:31057]

2002-01-06 Thread Chuck Church

All,

I've had good luck blocking access by denying all traffic to the IP
ranges of the login servers for those services.  Currently I block all
traffic to:

AOL IM
152.163.0.0 /16   255.255.0.0
205.188.0.0 /16
64.12.0.0   /16

MSN Messenger
64.4.0.0/18  255.255.192.0

Yahoo Messenger
216.136.224.0 /22  255.255.252.0


This works currently.  You might want to keep all 3 installed on your work
PC, and check them once a week.  If one starts working, they must have added
another network.  Open a DOS window, and do a 'netstat'.  Look for the
connection to login server, most likely will mention the company in the DNS
name.  Mine looked like this:
  TCP    superdave:1530    msgr-ns56.msgr.hotmail.com:1863    ESTABLISHED

If you then do a netstat -n, you'll get the address rather than the
DNS name.  Then look up that address in www.arin.net in the WHOIS utility.
That will give you the block of addresses.  Add that block of addresses, and
you'll be blocking them all once again.

Chuck 

P.S.  Blocking MSN will also block Hotmail access, so you kill 2 birds with
1 stone!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31057t=31057
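
The weekly check described in the message above, as an added example that is not part of the original post: it reads `netstat -n` output, reports established messenger sessions whose remote address is outside the ranges listed in the post, and formats the deny line for a block once WHOIS has given it. The ACL number 110, the sample netstat rows and the 198.51.100.0/24 block are constructed; an IOS extended ACL takes a wildcard mask, the inverse of the netmasks quoted in the post.

```python
import ipaddress
import re

# Ranges quoted in the post, written as CIDR blocks.
BLOCKED = {
    "AOL IM": ["152.163.0.0/16", "205.188.0.0/16", "64.12.0.0/16"],
    "MSN Messenger": ["64.4.0.0/18"],
    "Yahoo Messenger": ["216.136.224.0/22"],
}
NETS = [(name, ipaddress.ip_network(cidr))
        for name, cidrs in BLOCKED.items() for cidr in cidrs]

# One row of Windows `netstat -n`: Proto, Local, Foreign, State.
ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s*$")

# Port 1863 is the one visible in the post's netstat line. Add the ports of
# the other services you test with (assumption: you know them).
WATCHED_PORTS = frozenset({1863})

# Constructed sample; 198.51.100.20 stands in for a login server that was
# added outside the blocked ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.25:1530         64.4.13.56:1863        ESTABLISHED
  TCP    10.1.1.25:1544         198.51.100.20:1863     ESTABLISHED
  TCP    10.1.1.25:1550         192.0.2.80:80          ESTABLISHED
  TCP    10.1.1.25:1551         198.51.100.21:1863     TIME_WAIT
"""


def covering_service(addr):
    """Name of the service whose blocked range contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in NETS:
        if ip in net:
            return name
    return None


def established_remotes(netstat_text, ports=WATCHED_PORTS):
    """(remote_ip, remote_port, covering_service) for each ESTABLISHED
    session to a watched port."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _local, _lport, rip, rport, state = m.groups()
        if state == "ESTABLISHED" and int(rport) in ports:
            found.append((rip, int(rport), covering_service(rip)))
    return found


def stale_entries(netstat_text, ports=WATCHED_PORTS):
    """Sessions that got through because no blocked range covers them."""
    return [(ip, port)
            for ip, port, svc in established_remotes(netstat_text, ports)
            if svc is None]


def acl_line(cidr, acl_number=110):
    """Extended-ACL deny line for a block; hostmask is the wildcard mask."""
    net = ipaddress.ip_network(cidr)
    return (f"access-list {acl_number} deny ip any "
            f"{net.network_address} {net.hostmask}")


if __name__ == "__main__":
    for ip, port, svc in established_remotes(SAMPLE_NETSTAT):
        if svc:
            # A live session to a covered address means the ACL is not
            # applied on the path this PC uses.
            print(f"{ip}:{port} is inside the {svc} range but still connected")
        else:
            print(f"{ip}:{port} is not covered; look up its block in WHOIS")
    # Block returned by the WHOIS lookup (constructed value).
    print(acl_line("198.51.100.0/24"))
```
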



Re: How to block MSN, and others. [7:31107]

2002-01-06 Thread Chuck Church

There's really two reasons to block access to these services.  Managers
don't want their employees wasting time, but the more important reason is
network security.  If you're providing email accounts for employees, what's
the need to access Hotmail, etc?  By doing so, they're bypassing your email
virus scanning capabilities.  That's how my company got stung with Nimda.
Most companies already have a policy for computer use.  Usually it's
something along the lines of 'business use only'.  Accessing your
home/personal email account at work usually isn't business related.  Now if
I can just figure out how to block Media Player using NBAR...

Chuck

 What is the purpose of giving users access to the Internet when you will
 be blocking even the hotmail for them?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31107t=31107



RE: Portfast

2001-03-01 Thread Chuck Church

One of my customers had a problem only with W2K machines and DHCP.  His
NT4.0 and 98 machines didn't need port fast.  Possibly W2K has less of a
delay between loading the lan driver (and activating the link) and looking
for a DHCP server?  Or maybe they were just faster machines.  Or maybe W2K
has a shorter timeout for the DHCP lease request?  Anyway, I've been using
portfast on almost all workstation ports for the past few months.

Thanks,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218


-Original Message-
From: Scott Morris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 4:44 PM
To: 'Chuck Church'; ''Ccielab' (E-mail)'; 'Cisco@Groupstudy. Com
(E-mail)'
Subject: RE: Portfast


It's not specific to Windows 2000 machines...  Any machine that needs DHCP
and boots up with any speed (less than 50 seconds), or any machine running a
novell client where it would try a GetNearestServer and find nothing

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Chuck Church
Sent: Thursday, March 01, 2001 4:22 PM
To: 'Ccielab' (E-mail); Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


If this BPDU guard works as it's supposed to, I'll definitely use it.  Windows
2000 machines seem to need portfast for DHCP, and almost all Windows
machines need it for IPX.  I've always pointed out to the customer about
NEVER connecting other layer 2 devices to the ports I configured portfast
on.  This is good insurance.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218


-Original Message-
From: Latimer, Keith [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 11:13 AM
To: 'McCallum, Robert'; 'John Chang'; 'Ccielab' (E-mail);
Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


Check out the new portfast bpdu guard feature. It can shut down ports that
have portfast enabled when detecting bpdus on the line.
Keith

-Original Message-
From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 01, 2001 10:44 AM
To: 'John Chang'; 'Ccielab' (E-mail); Cisco@Groupstudy. Com (E-mail)
Subject: RE: Portfast


No,

The problem occurs if he creates a loop i.e. you have a main switch a cable
from the main switch goes to user A.  User A decides to connect a hub and a
few terminals - Outcome fine.  User B then says hey user A can you access
those terminals and the main network.  User A says yeah how do you want to
connect?  User A says yes and inadvertently patches his own pc and the
original connection that was from him to the main switch outcome is now main
switch has 2 connections to the minihub.  NOW spanning tree goes oh my and
recalculates - outcome 30 second outage for everyone on that vlan.  Then the
users go home, switch off their kit and go to the pub.
Next day. The mini hub is switched back on - because portfast is enabled
the ports go whoosh straight into forwarding mode - result - spanning tree
goes oh my!! and recalculates.

Outcome -- You and every other support member run about like loonies
trying to find this fault which occurs only when the user decides to switch
on his equipment.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2001 15:34
To: McCallum, Robert
Subject: RE: Portfast


Let me see if I got this correct.  If he only connects one mini-hub or
mini-switch it is OK to have portfast on on the main switch.  If he then
connects another mini-hub or mini-switch onto the first mini-hub or
mini-switch then there will be a problem.  But when you connect 2 mini-hubs
aren't you just extending the amount of ports and in a sense there is only
one virtual mini-hub?

At 03:24 PM 3/1/2001 +, you wrote:
yes, but only if he then connects another link to another hub / switch and
causes a bridging loop.

-Original Message-
From: John Chang [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2001 15:08
To: [EMAIL PROTECTED]
Subject: Portfast


In the below website it says not to have portfast on if you connect
switches, hubs, or routers.  I understand that point but what if a user
connected a mini-hub (Ex. Linksys EtherFast 8-Port 10/100 Desktop Hub)
or  unmanaged mini-switch (Ex. Farallon NetLINE 10/100 switch) so that he
could connect multiple computers.  Would this cause any problems?  Thank
you!


http://www-1.cisco.com/warp/public/473/12.html

Note: The portfast feature should never be used on switch ports that
connect to other switches, hubs, or routers. These connections may cause
physical loops and it is very important that spanning tree go through the
full initialization procedure in these situations. A spanning tree loop can
bring your network down. If portfast is turned on for a port that is part
of a physical loop, it can cause a window of time where packets could
possibly be continuously forwarded
RE: IPX undocumented secrets....

2001-01-23 Thread Chuck Church

Nigel,

 The purpose of the static SAPs you're creating is to create dummy
entries pointing to dummy services.  These dummy services need to have a
socket number of what the service is trying to emulate.  The socket number
for SAP is what the router will use in the actual SAP packet sent out once a
minute.  This SAP packet will use a SAP socket number, but the records
inside the SAP packet will reference the socket numbers that you entered in
the static entry.  Hope this helps.

Chuck Church

-Original Message-
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 23, 2001 6:45 PM
To: Cisco Group Study; CCIE_Lab Group Study
Cc: Bryant Andrews
Subject: IPX undocumented secrets


Hi All,
I've just begun to place a spin on my IPX preparation and I must
admit things seem a little more confusing now more than ever.  Caslow's
book gives a lot of very specific information on IPX itself which has
been helpful but now I'm trying to understand how most of what I'm
currently looking at comes together to enable IPX as a routing protocol.

What I'm trying to understand is in creating static SAP entries the
command is

ipx sap service type name network.node socket hop count

Now in looking at Caslow's book pg. 499 he lists the IPX Socket Numbers
that direct data encapsulation to the appropriate upper layer protocols
as follows;

0x451   -   NCP
0x452   -   SAP
0x453   -   RIP
0x455   -   NETBIOS
0x456   -   Diagnostic
0x457   -   Serialization
0x4001  -
0x7FFF  -   Client Socket Numbers
0x85BE  -   IPX EIGRP
0x9001  -   NLSP
0x9004  -   IPXWAN
0x9086  -   IPX PING


In listing this I'm trying to understand lab examples where the
requirement calls for static SAP entries that make use of various IPX
sockets namely 0x451.  I'm thinking since there's a socket for SAP why
and how come the other IPX sockets are used in SAP entries?

Nigel..


___
To unsubscribe from the CCIELAB list, send a message to
[EMAIL PROTECTED] with the body containing:
unsubscribe ccielab




RE: OFF TOPIC - Where is everyone?

2001-01-14 Thread Chuck Church

If there's one thing tougher than the lab exam, it's winning in Oakland.
Here's hoping that the Ravens don't go onto day 2 either.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218



-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 14, 2001 12:03 PM
To: Cisco Mail List; CCIE_Lab Groupstudy List
Subject: OFF TOPIC - Where is everyone?


You bad boys and girls watching football today instead of studying?

GO RAIDERS! :-


Chuck
http://www.1112.net/lastpage.html







Cool DDoS (Distributed Denial of Service) link

2001-01-02 Thread Chuck Church

From Network Computing:

http://www.nwc.com/1201/1201f1c1.html

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218





RE: Cool DDoS (Distributed Denial of Service) link

2001-01-02 Thread Chuck Church

It sounds like an anti-spoofing mechanism, much like not allowing packets
from the internet into your network with a source address of your network.
This goes a little beyond that by verifying that the source is reachable
from the interface it was received on.  I've always done this with an access
list, which is easy with only 1 connection to the 'Net.  Doing it with CEF
rather than process switching has got to offer some big performance
benefits.  Now, if I could only remember which platforms support CEF... 

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218



-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 02, 2001 3:58 PM
To: Chuck Church; '[EMAIL PROTECTED]'
Subject: Re: Cool DDoS (Distributed Denial of Service) link


At 08:49 AM 1/2/01, Chuck Church wrote:
 From Network Computing:

http://www.nwc.com/1201/1201f1c1.html

Indeed, very nicely-written article. The best thing in it was the link to 
the Cisco site on Unicast Reverse Path Forwarding, which I'd never heard 
of. (I'd heard of Multicast RPF, but not unicast.)

I'm curious, is anyone using Unicast RPF? Does it work well? Any 
performance problems with it?

Here's what it does:

"When Unicast RPF is enabled on an interface, the router examines all 
packets received as input on that interface to make sure that the source 
address and source interface appear in the routing table and match the 
interface on which the packet was received. This 'look backwards' ability 
is available only when Cisco express forwarding (CEF) is enabled on the 
router, because the lookup relies on the presence of the Forwarding 
Information Base (FIB). CEF generates the FIB as part of its operation."

For  more info see:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt5/scdrpf.htm

Priscilla


Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218






Priscilla Oppenheimer
http://www.priscilla.com
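
The two checks compared in this exchange, an access list that drops outside packets carrying your own source addresses and the Unicast RPF check quoted from the Cisco documentation, modelled side by side as an added example that is not part of the original messages. It is a simplified model and not IOS's implementation: the default route is treated like any other FIB entry, and the interface names and prefixes are constructed.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: (prefix, outgoing interface) entries."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr):
        """Interfaces of the longest-prefix match for addr (empty if none)."""
        ip = ipaddress.ip_address(addr)
        matches = [(net, ifc) for net, ifc in self.routes if ip in net]
        if not matches:
            return set()
        best = max(net.prefixlen for net, _ in matches)
        return {ifc for net, ifc in matches if net.prefixlen == best}


def urpf_strict(fib, src, in_ifc):
    """Pass only if the best route back to src points out the interface
    the packet arrived on."""
    return in_ifc in fib.lookup(src)


def acl_antispoof(internal_nets, src, in_ifc, outside_ifc):
    """The access-list approach: on the outside interface, drop packets
    whose source is one of your own networks. Other interfaces unchecked."""
    if in_ifc != outside_ifc:
        return True
    ip = ipaddress.ip_address(src)
    return not any(ip in ipaddress.ip_network(n) for n in internal_nets)


INTERNAL = ["192.0.2.0/24"]          # constructed "our network"

# One connection to the Internet: inside LAN plus a default route.
SINGLE_HOMED = Fib([
    ("192.0.2.0/24", "Ethernet0"),
    ("0.0.0.0/0", "Serial0"),
])

# Two upstreams with asymmetric routing: traffic to 198.51.100.0/24 leaves
# via Serial0, but replies may legitimately come back in on Serial1.
DUAL_HOMED = Fib([
    ("192.0.2.0/24", "Ethernet0"),
    ("198.51.100.0/24", "Serial0"),
    ("0.0.0.0/0", "Serial1"),
])

# (description, source address, arrival interface); constructed packets.
PACKETS = [
    ("outside packet spoofing an inside source", "192.0.2.10", "Serial0"),
    ("ordinary outside packet", "198.51.100.7", "Serial0"),
    ("inside host spoofing an outside source", "203.0.113.5", "Ethernet0"),
    ("ordinary inside packet", "192.0.2.10", "Ethernet0"),
]


def compare(fib, packets=PACKETS):
    """(description, acl_pass, urpf_pass) for each packet."""
    return [(desc,
             acl_antispoof(INTERNAL, src, ifc, "Serial0"),
             urpf_strict(fib, src, ifc))
            for desc, src, ifc in packets]


if __name__ == "__main__":
    for desc, acl_ok, urpf_ok in compare(SINGLE_HOMED):
        print(f"{desc:42} acl={'pass' if acl_ok else 'drop'} "
              f"urpf={'pass' if urpf_ok else 'drop'}")
    # Asymmetric return path: a legitimate packet fails the strict check.
    ok = urpf_strict(DUAL_HOMED, "198.51.100.7", "Serial1")
    print("dual-homed, reply arriving on Serial1:", "pass" if ok else "drop")
```

The third packet is the case where the reverse-path check goes beyond the outside-interface access list; the dual-homed result is why the check is simplest with a single connection to the Internet.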




Re: CCIE LAB Groupstudy list

2000-12-04 Thread Chuck Church

Sam,

This URL should cover both.

http://www.cisco.com/warp/public/625/ccie/exam_preparation/preparation.html

Chuck

- Original Message -
From: "SAM Meng Wai" [EMAIL PROTECTED]
To: "'ElephantChild'" [EMAIL PROTECTED]; "Brian" [EMAIL PROTECTED]
Cc: "Paul Borghese" [EMAIL PROTECTED]; "Nigel Taylor"
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, December 04, 2000 1:08 AM
Subject: RE: CCIE LAB Groupstudy list


 Does anybody have any information on taking the CCIE Lab Test? How can
 I prepare for this exam?

 Rgds,
 Sam

  -Original Message-
  From: ElephantChild [SMTP:[EMAIL PROTECTED]]
  Sent: Monday, December 04, 2000 11:45 AM
  To: Brian
  Cc: Paul Borghese; Nigel Taylor; [EMAIL PROTECTED];
  [EMAIL PROTECTED]
  Subject: Re: CCIE LAB Groupstudy list
 
  On Sun, 3 Dec 2000, Brian wrote:
 
   On Sun, 3 Dec 2000, Paul Borghese wrote:
  
For the last two weeks I have been fighting them to get
more bandwidth.  The end result is going to be we need to move the
  server to
a new location.  Any ideas?
  
   You could put it at ShreveNet :)  We have transit to Sprint, Qwest,
  Global
   Crossing, UUNet and Cable and Wireless.
  
   I would offer you free colo at shreve.net, we have plenty of
   bandwidth.
 
  Or you could ask cdrom.com (aka Walnut Creek). IIRC their own traffic, I
  doubt that they would notice a 5GB/day increase. :-) (Sorry, I don't
  have any contact there.)
 
  --
  "Airplane travel is nature's way of making you look like your passport
  photo." --- Al Gore
 




CCIE LAB Groupstudy list

2000-12-02 Thread Chuck Church

Does anyone know how to get in touch with the admin for the CCIE Lab list?
I've sent a couple requests and never got a response.

Thanks,
Chuck Church




Cisco CD used in CCIE LAB

2000-12-01 Thread Chuck Church

Recent lab takers,

  Is the Cisco CD that they provide for the lab exam always the most
current?  If not, how old is it?

TIA,

Chuck Church




RE: 4 NET WORK CARDS IN ONE SERVER

2000-11-20 Thread Chuck Church

I have done some extensive performance tests of aggregating 100Mbs cards
using FEC (Fast Ether Channel. This was the Intel Server Card) and the
increased CPU load managing the FEC negated the minimal increase in
throughput...not to mention the major Disk Array bottleneck.

I've got to agree here.  NT has never been known as a "bandwidth-taxing" OS,
unlike NetWare.  Remember that 100 mbps equates to about 9 megabytes per
second, in each direction if full duplex.  Not much reason to go beyond 2
NICs, in my opinion.  FEC with 2 cards is a good idea for redundancy, but
the last time I checked, the channel ports needed to be on the same line
card of the switch.  If you've got redundant switches, FEC won't help with 2
NICs.  If you're doing redundant switches, the 3Com and Intel "virtual
address" teaming methods seem to work good.  They give immediate fail over
if a NIC fails, and they do load balancing in transmitting.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218





CCIE RS lab prep

2000-11-16 Thread Chuck Church

All,

I was talking to a Cisco SE Tuesday and he mentioned that the All-In-One
Cisco CCIE Lab Study Guide by Stephen Hutnik and Michael Satterlee was the
book to use.  Apparently many internal Cisco people in RTP use this book for
preparation.  I've ordered it, and am currently using the Doyle and Halabi
books as well.  Has anyone used this all in one guide to prepare?  Was it
useful?  Also, I found out for sure there will be a small amount of voice on
the test - FXS/FXO on a couple of routers.  Any idea on where to start or
what to read?  Maybe some CCO URLs?

TIA,

Chuck Church
RS Lab - Jan 12/13 RTP (AKA D-Day)
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: Ping HSRP 224.0.0.2 Strange reply ?

2000-11-01 Thread Chuck Church

I thought SLP used something in the 10 or 20s range for the last octet.
HSRP uses 0100 5E00 0002 for the destination MAC address.  Is this what ARP
is resolving?

Chuck

Jeff,
   It is a Novell  5 Server. Think it may have
something to do with SLP protocol on this box using
the same multicast address 224.0.0.2

Regards,

Phil.





Re:enabling WCCP

2000-11-01 Thread Chuck Church

Ref,

I think for most platforms, WCCP requires the IP Plus feature set.
Straight IP doesn't have it.

Chuck

 Dear All,

 I'm trying to issue the command " IP WCCP ENABLE" but
not accepted by router.
 It keeps on saying "Invalid   "

 The router IOS ver is 12.0(7)t and should support
WCCP

 Any help please

 Ref





Re: Yet another CCIE R/S Written Passed message...

2000-10-31 Thread Chuck Church

Wow, Nice score for not studying in a month.  I assume you cleaned house in
the BGP section, working for an ISP.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




RE: Check what's new on CCIE R/S Webpage, right now!

2000-10-31 Thread Chuck Church

Based on the amount of voice/multiservice on the written, it looks like
AVVID will be plentiful on the lab.  That, and the fact that Cisco wants us,
as a reseller, to really push IP telephony.  I just hope this doesn't make
the CCIE "easier" to obtain.  I'd rather have to take it twice than having
it become easy enough so that most people pass it the first time.  My MCSE
(which I got in '96 when it was harder) is so easy to get these days, it's
ridiculous.  (Please no flames from those who just got their MCSEs)  I'd
just rather see it remain the high-paying, hard to obtain cert that it is.

Just my .02,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

Hello,

That is pretty nice for the new folks to Internetworking like myself.  I
just passed the CCIE written a few days ago and am about to schedule my lab
date.  I wonder what kind of configs we will see on the lab to replace the
waning technologies.  

I guess in retrospect this is both good and bad.  Good in the fact that
Cisco is keeping up with all the new technologies but bad because the study
materials and equipment to setup and practice for things like VOIP and
AVVID
are not easily accessible.

I guess we cannot have our cake and eat it too :(

Hunter Dorroh
MCSE, CCNP, CCDP




RS lab - ATM gone?

2000-10-31 Thread Chuck Church

All,

I'm a little curious about them taking ATM LANE off the lab.  Why didn't
they just say ATM?  Is ATM without the LAN emulation supported on any Cisco
devices that are part of the lab?  I know they don't require you to set up
ATM switching, but is it used in native mode on any of the AVVID products?

Thanks,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: NAT timeout

2000-10-31 Thread Chuck Church

Have you done a 'sh ip nat tra' on the router?  What does the output look
like?  Can you ping either DNS names or addresses from the workstations?


Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




CCIE written passed - Must be a Chuck thing!

2000-10-30 Thread Chuck Church

All,

 I guess it was a good weekend to be taking the CCIE Written if your
name was Chuck!  This morning I passed with a 75%.  Had but 5 minutes to
spare, but never really felt rushed.  It was a fair but mentally draining
test.  None of the questions were ambiguous.  I could have spent more time
studying BGP, IS-IS, and DECnet, but everything else was fairly familiar.
My score sheet doesn't list the number of questions in each section, but
I'll list my percentages for the possible benefit of the group.  Things that
I used to prepare were:

1.  On the job experience - I worked with Cat 5000 and 72xx extensively at
my last job which was a bank.  Currently working for a reseller where I'm
doing everything from PIX to Aironet wireless.  I can't imagine passing the
test without lots of hands-on experience.

2.  Cisco Press books - Used the Halabi BGP book, and most of the actual
courseware from the CCNP track.  Also used some of the titles from the CCIE
development series.

3.  Giles CCIE prep book.  Has some amazing (and amazingly boring) details
on token ring and FDDI.  I think the Cisco Press books are much better,
though.

4.  Certification Zone - Practice written tests and the white papers are
great.  Well worth the money.  The practice written tests are tougher than
the real one.  I had scores of 600, 750, 700, and 710 these last 4 months.
Great preparation.


Now I just got that little lab thingy to pass :)  What's the lead time for
scheduling?  I'm thinking I might be ready by January?  If there's anyone in
the NYC area looking for a CCIE lab study partner, let me know.

SCORES:

Cisco device operation      - 71%
Networking Theory           - 83%
Bridging and LAN switching  - 70%   Ughh, token ring
TCP/IP                      - 75%
IP Routing Protocols        - 80%
Desktop Protocols           - 87%   Knowledge of NetWare helped here
Performance Management      - 33%   I have no idea what happened here
WAN                         - 83%
LAN                         - 60%   I always thought I was better with LAN than WAN...
Security                    - 100%  This is more of a mystery than the 33% above
Multiservice                - 0%    I assume there was only a couple questions here.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: Lost config on 5505

2000-10-26 Thread Chuck Church

Rick,

Are you running VTP?  If all your switches are VTP servers, meaning
they mutually agree on the set of VLANs, it's important that all switches
are reachable while making changes.  If a switch was added to your network
and had a higher database version of VTP, it will overwrite the VLAN
configuration of the other switches, even if it's an empty configuration.
You're better off having 1 or 2 servers, and the rest clients.  Then only
make changes to the servers.  Hope this helps.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

What would cause the configuration to be "wiped out" from a 5505, besides
the obvious "clear config all"...?






RE: Sniffer Pro 3.5

2000-10-26 Thread Chuck Church

Surprise.  This has nothing to do with this highly annoying flame-fest.  My
question is about Sniffer Pro 3.5.  Is this a typo, or is 3.5 out now?  I've
been waiting for the new version that runs on W2K, but I was told late
November.  Their web site says nothing about 3.5 yet.

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Certification Zone CCIE written results

2000-10-24 Thread Chuck Church

All,

 Did anyone who took the Certification Zone CCIE written this month find
your scores really low?  I'm taking the real exam in a couple weeks, but was
real disappointed to get a much lower (100 points less than my previous
worst) score this month.  I'm hoping it was just the test.

Slightly worried,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: Phony CCIE

2000-10-23 Thread Chuck Church

Doesn't the 'E' in CCIE actually stand for Expert?  Not only is this guy a
phony, but kind of a bonehead as well.  Definitely let Cisco (mail address
is [EMAIL PROTECTED]) know.
See http://www.cisco.com/warp/public/625/ccie/ for the logo.


Good luck,
Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

I recently worked on a project with a fellow who claimed to be a CCIE. He
even gave me his card with the CCIE logo on it. At least I think it is the
CCIE logo. It is a router symbol surrounded with laurels and has the words
Cisco Certified Internetwork Engineer circling it as well.




Linux, terminal emulation for console port

2000-10-20 Thread Chuck Church

All,

 My coworker is playing with Red Hat Linux, but he can't find the Linux
command or application for terminal emulation through the serial port, much
like HyperTerminal.  Does such a thing exist, or can anyone recommend an
equivalent?

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




NTP support

2000-10-11 Thread Chuck Church

Hey,

 Is there any easy way to know which IOS feature sets support NTP
(network time protocol)?  I need correct time on our customer's routers for
logging (datetime) purposes.

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




Re: CCIE question about buffers being used up on router

2000-10-11 Thread Chuck Church

Wouldn't the answer to this depend on the speed of the router, and which
switching method is used?  A 16xx or 25xx using access lists might not be
able to handle 5000 pps.  I thought a process switched 2500 was actually in
the sub-1000 range for pps.  What's the actual answer?

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218





IP protocol numbers - found them

2000-10-07 Thread Chuck Church

All,

 I found a link to my question about IP protocol numbers - 

http://www.isi.edu/in-notes/iana/assignments/protocol-numbers

It's pretty interesting.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



IP protocol numbers

2000-10-06 Thread Chuck Church

All,

Does anyone have a link to or list of IP protocol numbers?  I'm not
looking for TCP or UDP port numbers, but actually what protocol numbers that
TCP, UDP, ESP, etc use.  I've looked through all my Cisco books and can't
find a definitive list.  The IETF.org site doesn't have much as far as
search capabilities either.

TIA,

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




RE: Napster Question

2000-10-03 Thread Chuck Church

I think the key is to allow outbound packets to the Napster servers and
other PCs on the Internet, but not allowing external PCs to establish a
connection to your users' PCs.  Find out the ports that a PC running Napster
is listening on, and then block those at the FW.  A PIX should do this by
default, unless you specifically added a conduit statement to allow Napster.
The access list on the outside interface of a router with FW FS should not
allow inbound Napster connections.  On the Napster client, you'll need to
pick the 'I'm behind a firewall, and can't do anything about it' (or
something like that) option.  I'm blocking Napster both ways at work, so I
can't test it for you.

HTH
Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218



Hello everyone,

I searched through the archives and found lots of good information on
blocking but I did not see anything on the possibility of allowing users to
connect to Napster and download music but NOT be permitted to upload.





Re: personal firewall

2000-09-28 Thread Chuck Church

In picking out a hardware firewall, make sure it supports DHCP on the
external side.  Most cable and DSL providers use DHCP.  You could hardcode
the DHCP-given address on a firewall, but when the lease is up, your
firewall won't respond to the re-lease requests.  Your current address will
be given out to someone else, causing a conflict and really annoying your
ISP.  Best bet is to get a static address from the ISP.  Also, Cisco has a
new PIX - the 506 which is targeted for SOHO.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

 Any recommendation on a good hardware personal
 firewall? I'm looking for a not too expensive, easy to
 configure, can support NAT one.
 




Re: Cisco Secure VPN client

2000-09-28 Thread Chuck Church

Ken,

I'm not sure about a part number, but it is downloadable from CCO - 

http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-crypto

watch the wrap.

Chuck Church
CCNP, CCDP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

Anyone knows the product number for the software?

I have VPN-SW-DES-100=  but it is just the license.

TIA.
Ken






Re: Problem in 2948g switch

2000-09-21 Thread Chuck Church

Whoa!  Doesn't bridging defeat the purpose of buying a layer 3 switch?  I'd
only recommend that as a last resort.  Get off of Netbeui if you're using
it, and go with IP and WINS.  I think this should fix your problem.  This
might not fix the problem with MS's crappy Master browser process, but some
creative IP helper statements should help there.

Good luck;
Chuck Church
CCNP, CCDP, MCNE, MCSE




Re: Printer

2000-09-04 Thread Chuck Church

Amjad,

MS's IP printing relies on LPR on the workstation/server and LPD on the
print server itself.  When you install the printer, Windows will check for a
response from the printer on the LPD port - TCP 515.  Make sure you're using
a valid queue name - usually 'raw' or 'auto' works, but check with the Print
server docs.  Check your NT/2000 event viewer - Application for errors.
Make sure your server does not have a space in the name.  This seems to make
LPR fail, from a WS I worked on last week.  Neither MS nor Xerox had an
explanation.  Typical MS problem...

Chuck Church
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies
140 Route 303
Valley Cottage, NY 10989
Email:[EMAIL PROTECTED]
Voice: 914 267-4000 ext 218
Fax:   914 267-1034

I have a network printer in one segment and wanted to print to it from remote
computers across a router (2 hops away). The printer is attached to an Intel
EtherExpress Pro 100 box and is configured to use TCP/IP printing.




Re: PIX Upgrade from 4.4(1) to 5.1(2)

2000-09-03 Thread Chuck Church

I finally did the upgrade on our 515R.  No problems at all.   Just a few new
defaults.  I know this is a dumb question, but did you save the current
configuration before reloading it for the upgrade?

Chuck Church
CCNP, MCNE, MCSE




RE: PIX Upgrade from 4.4(1) to 5.1(2)

2000-08-31 Thread Chuck Church

I'd compare the old 4.4.1 configuration (which you hopefully still have) to
current one.  I'm planning the same upgrade on ours to get VPN capability,
so I'm kind of interested in the problem.

Chuck Church
CCNP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218

Hello,
I was just curious if anybody has had any problems when upgrading the pix
software from Ver. 4.4(1) to 5.1(2). When I performed the above upgrade
traffic would no longer flow through the pix. I could ping it from inside
but I could not surf out. Also from outside I could not surf into my
website.
Any suggestions, thoughts, comments would be appreciated.

Thanks
Ronnie John




RE: collision - Load counters

2000-08-06 Thread Chuck Church

Keep in mind that when Cisco puts 'load' on an interface, it's only referring
to transmit, not total.  It seems like the versions of IOS ending in 'T'
list both 'tx load' and 'rx load' for convenience.  Also, since this is
ethernet, do packets and bytes received on the interface refer to all
traffic on the wire, or just that destined to this router?  I'm thinking
that it's only traffic destined to the router, so there might be much more
traffic on the wire than the rx counters are telling you.  Get a sniffer and
look at utilization with that.  Or if your hubs have a little utilization
meter (most 3Com's do), what does it show?  If you're hitting 50%
frequently, it's time for a switch or 100 mb.

Chuck Church
CCNP, MCNE, MCSE

Ok, not sure what everyone has recommended here, but the load you have on
the interface is 4/255 which I believe is a running 5 minute average so
taking workstations off the segment is not correct IMHO.  Also where you are
right now is .03% which is below the .1% tolerance acceptable.  So...
reset the counters, and see over the next 10 to 30 minutes what happens,
(resend the show int to us).





RE: Sysco cert question

2000-08-01 Thread Chuck Church

Hopefully something.  My little sister poured my lab equipment on a
hamburger, and to my utter disbelief, ate it.  But it was probably a good
thing.  Without a serious hardware upgrade, I was only capable of running
COS (condiment operating system) version 11.3.8, which lacks support for
salsa, and some varieties of squash.  I was on site at a family picnic for
hours trying to figure out that one.  Luckily my CAC case is a level one
priority, so I'm updated daily.  Gotta go study (have the munchies!)

Chuck

P.S.  I heard that the SCCE lab is a 2 day buffet.  M


 Date: Tue, 01 Aug 2000 16:57:35 -0400
 From: Rodney [EMAIL PROTECTED]
 Subject: RE: Sysco cert question

 Hey Brad, I know you're the one to come to about equipment, what do you have
 available for this lab?

 Rodney

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ryan Ward
 Sent: Tuesday, August 01, 2000 1:41 PM
 To: Stephen Skinner; [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: RE: Sysco cert question

 ok I was thinking of doing the exam but can anyone recommend the best books
 or willing to give up the course material in exchange for a no name brand
 ketchup bottle? Has anyone used the Boson practice tests?

 also my boss pays me squat and need to know how much you condiment engineers
 make blah blah blah ;)





Cisco specializations - Which?

2000-07-31 Thread Chuck Church

Hopefully this won't cause a huge thread, but my company (a reseller)
naturally wants to sell everything Cisco makes, so I'm being asked to learn
the Aironet wireless, VPNs and firewall, and IP telephony.  This is all in
addition to my current pursuit of the RS CCIE.  Since it's pretty hard to
be an expert in everything, what's the consensus on these three product
categories?  I've done some VPN and Firewall with PIX, but haven't really
touched wireless or VoIP.

Thanks,
Chuck Church
CCNP, MCNE, MCSE

P.S.  Today diagnosing a frame internet connection, I saw packets with an IP
protocol number 89 and multicast destination 224.0.0.9.  Any idea what these
were?  I didn't get a capture, saw them in a 'deb ip pack det'.
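The protocol-number lookup asked about in the "IP protocol numbers" posts above, applied to the packet described in this P.S., as an added Python example that is not part of the original messages. The tables are a small subset of the IANA protocol-number and 224.0.0.0/24 multicast registries; the header bytes, the 192.0.2.1 source address and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Subset of the IANA "Assigned Internet Protocol Numbers" registry.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
                50: "ESP", 51: "AH", 88: "EIGRP", 89: "OSPFIGP",
                103: "PIM", 112: "VRRP"}

# Subset of the 224.0.0.0/24 block: group -> (IANA name, IP protocol that
# normally carries traffic to that group).
LOCAL_GROUPS = {
    "224.0.0.5": ("OSPFIGP All Routers", 89),
    "224.0.0.6": ("OSPFIGP Designated Routers", 89),
    "224.0.0.9": ("RIP2 Routers", 17),       # RIPv2 runs over UDP
    "224.0.0.10": ("IGRP Routers", 88),
    "224.0.0.13": ("All PIM Routers", 103),
    "224.0.0.18": ("VRRP", 112),
}

HEADER_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def checksum(header):
    """RFC 791 header checksum: one's complement of the one's complement sum."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(proto, src, dst, ttl=1):
    """Build a constructed 20-byte header (sample input, not a real capture)."""
    fields = [0x45, 0xC0, 20, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields)


def parse_ipv4_header(data):
    """Validate version, length and checksum, then return the key fields."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad header length")
    if checksum(data[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"ttl": data[8], "protocol": data[9],
            "src": str(ipaddress.IPv4Address(data[12:16])),
            "dst": str(ipaddress.IPv4Address(data[16:20]))}


def classify(data):
    """Name the protocol and destination group; flag unusual pairings."""
    hdr = parse_ipv4_header(data)
    group = LOCAL_GROUPS.get(hdr["dst"])
    return {
        "protocol": hdr["protocol"],
        "protocol_name": IP_PROTOCOLS.get(hdr["protocol"], "not in this subset"),
        "group_name": group[0] if group else None,
        # None means the destination is not a group this table knows about.
        "consistent": (hdr["protocol"] == group[1]) if group else None,
    }


if __name__ == "__main__":
    # The combination reported in the post: protocol 89 sent to 224.0.0.9.
    print(classify(build_header(89, "192.0.2.1", "224.0.0.9")))
```
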




RE: Cisco CCIE All-in-one Lab Study Guide

2000-07-29 Thread Chuck Church

In Brad's defense, he's helped me with a couple problems.  A lot of CCIE's
don't bother helping other people after they cross over to CCIE land.  He's
still on the list helping others, in addition to selling stuff.  If I had a
way to help other people learn Cisco and also make money, I'd do it.

Chuck Church
CCNP, MCNE, MCSE

start.sales.pitch
P.S. Check out Syngress' new Switching exam book coming out in a month or
two.  I heard that chapter 9 was real good!

P.P.S.  I wrote chapter nine :)
end.sales.pitch

Date: Fri, 28 Jul 2000 21:16:20 -0400
From: "RingLord" [EMAIL PROTECTED]
Subject: RE: Cisco CCIE All-in-one Lab Study Guide

Tell me Brad do you ever post anything useful to the group or are you just
into advertising your company? Are you affiliated with CCIE BootCamp? I
thought this list was about certification and studying. You working towards
a meaningful goal in life.




2500 flash and RAM

2000-07-29 Thread Chuck Church

Does anyone know of a good source for 2500 flash and RAM?  I'm looking for
something cheap for a home lab, so I don't really care if it voids the Cisco
warranty.

Thanks,
Chuck Church
CCNP, MCNE, MCSE




Reverse telneting to a console port

2000-07-24 Thread Chuck Church

All,

Can anyone tell me how to setup reverse telnet on a 2511 to connect to
the console port of another router?  I have the octal cable with RJ45
directly plugged into the console port of another.  Is a x-over needed on
this cable?  I can't seem to find how to do it on CCO.  I did notice that if
I have the first 3 lines connected to routers, and do a port scan on the
2511, I don't see it listening on ports 2001-2003.  If I unplug the RJ45s
from the other routers, the port is listening.  Here's my partial 2511
config:

interface Loopback0
 ip address 172.16.1.1 255.255.255.0
 no ip directed-broadcast
!
.
!
line con 0
 password cisco
 login
 transport input none
line 1
 modem InOut
 transport input telnet
 stopbits 1
 speed 38400
 flowcontrol hardware
line 2 16
 modem InOut
 transport input all
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 password cisco
 login
!

SH LINE 1 looks like this:

2511# sh line 1
 Tty Typ Tx/RxA Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*  1 TTY  38400/38400 - inout ---  0   0 0/0   -

Line 1, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 38400/38400, no parity, 1 stopbits, 8 databits
Status: Ready, Active, No Exit Banner
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
  Modem Callout, Modem RI is CD
Modem state: Ready
Group codes:0
Modem hardware state: CTS DSR  DTR RTS
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
^^xnone   - -   none
Timeouts:  Idle EXECIdle Session   Modem Answer  Session   Dispatch
   00:10:00nevernone not set
Idle Session Disconnect Warning
  never
Login-sequence User Response
 00:00:30
Autoselect Initial Wait
  not set
Modem type is unknown.
Session limit is not set.
Time since activation: 00:04:12
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed transports are lat pad v120 mop telnet rlogin nasi.  Preferred is
lat.
No output characters are padded
No special data dispatching characters

Thanks in advance,
Chuck Church
CCNP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218
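The line stanzas posted above can be reviewed mechanically. This Python is an added example, not part of the original message or of any Cisco tool: it parses the `line` blocks as posted and flags TTY lines that accept inbound telnet with no `login` statement, use of `transport input all`, and guessable passwords. The `GUESSABLE` set and the finding codes are assumptions made for illustration; the 2000 + line-number mapping corresponds to the ports 2001-2003 mentioned in the post.

```python
import re

# Line stanzas copied from the posted 2511 configuration.
CONFIG = """\
line con 0
 password cisco
 login
 transport input none
line 1
 modem InOut
 transport input telnet
 stopbits 1
 speed 38400
 flowcontrol hardware
line 2 16
 modem InOut
 transport input all
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 password cisco
 login
"""

GUESSABLE = {"cisco", "password", "admin"}  # assumption: illustrative list only
LINE_RE = re.compile(r"^line\s+(?:(con|aux|vty)\s+)?(\d+)(?:\s+(\d+))?\s*$")


def parse_lines(config):
    """Split the config into one dict per 'line' stanza."""
    stanzas, cur = [], None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            first = int(m.group(2))
            cur = {"kind": m.group(1) or "tty", "first": first,
                   "last": int(m.group(3) or first),
                   "login": False, "password": None, "transport": []}
            stanzas.append(cur)
        elif cur is not None and raw.startswith(" "):
            words = raw.split()
            if not words:
                continue
            if words[0] == "login":
                cur["login"] = True
            elif words[0] == "password":
                cur["password"] = words[-1]
            elif words[:2] == ["transport", "input"]:
                cur["transport"] = words[2:]
        else:
            cur = None  # '!' or any other top-level command ends the stanza
    return stanzas


def label(s):
    rng = str(s["first"]) if s["first"] == s["last"] else f'{s["first"]} {s["last"]}'
    return f"line {rng}" if s["kind"] == "tty" else f'line {s["kind"]} {rng}'


def audit(config):
    """Return (stanza, finding code, reverse-telnet port range or None)."""
    findings = []
    for s in parse_lines(config):
        inbound = "all" in s["transport"] or "telnet" in s["transport"]
        if s["kind"] == "tty" and inbound and not s["login"]:
            # No 'login' in the stanza as written: the terminal server asks
            # for no password before connecting to the attached console.
            findings.append((label(s), "NO_LOGIN",
                             (2000 + s["first"], 2000 + s["last"])))
        if "all" in s["transport"]:
            findings.append((label(s), "TRANSPORT_ALL", None))
        if s["password"] in GUESSABLE:
            findings.append((label(s), "GUESSABLE_PASSWORD", None))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```
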




Fixed - 2500 - Doesn't accept console input

2000-07-14 Thread Chuck Church

Thanks Brad, Brian, and Darrin.  I tried Hyperterm from NT, and it worked.
I eventually got it to work under 98.  On the port configuration, I went to
advanced, and unchecked the 'Use FIFO buffers'.  This particular 2501 had
a system board dated 1993.  My other ones were '96 and '98.  Must be the
older ones don't like fast bursts of characters.  Thanks again.

Chuck Church
CCNP, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000 x218




2500 - Doesn't accept console input

2000-07-13 Thread Chuck Church

All,

  I picked up a used 2501, but I'm having some problems.  I can see it
boot up and it looks ok, but it doesn't accept any keystrokes from the
console port.  Hyperterm settings are ok, no problems with same
configuration on other 2500s.  I can break into ROM monitor mode, but then
cannot enter anything again at the prompt.  I tried taking out both the
flash and the ram, relying on the ROM IOS and the 1 Mb of system board RAM,
but it made no difference.  Can anyone think of anything else to try before
I return it?  I'm going to attempt to view its IP address from cdp nei det,
but without a password, I'm probably stuck again.  Any ideas?

Thanks,
Chuck Church
CCNP, MCNE, MCSE




Re: MS Exchange and Outlook 97

2000-07-11 Thread Chuck Church

Daryn,

  Are you using 3Com NICs on any devices?  I've noticed that 3Coms DO
NOT autonegotiate correctly with Cisco set-based switches.  One side will
always come up half duplex, the other side full.  Intel and Compaq NICs
don't seem to have this problem.  You're better off hardcoding everything to
100 full, switch ports and NICs, assuming everything is capable of it.  Do a
'sh port count' and 'sh port' on the switches, make sure there's no errors
on any port.  Check the servers first.  Very slow response is a symptom of
mismatched duplexity (is that a word?).

Chuck Church
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies
140 Route 303
Valley Cottage, NY 10989
Voice: 914 267-4000 ext 218
Fax:   914 267-1034
mailto:[EMAIL PROTECTED]


----- Original Message -----
From: "Bartlett, DS1" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, July 09, 2000 6:34 PM
Subject: 

 After our recent upgrade to our backbone (6500's) we are now pushing traffic
 at incredible speeds. Unfortunately my users only notice that it now takes
 forever for their outlook to open up. We use Exchange 5.5 (sp2) and Outlook
 97. We do not have messenger services loaded. We have Novell servers
 on-line, but the Exchange servers do not have IPX client software loaded.
 Sometimes it takes as much as 2 minutes for mail to come up. I have allowed
 all udp traffic to be forwarded so netbios will work.

 Any thoughts would be appreciated to an extremely frustrated administrator
 who is fed up with users.

 Daryn





DCE cables

2000-07-11 Thread Chuck Church

All,

  Does anyone know of a good V.35 cable source?  I'm in the process of
building my home lab for CCIE, and all the routers I've got have DTE cables.
I guess I need some DCE cables to go back-to-back, right?  All the routers
are 2500s with 60 pin serial.  I know I should know this, but I've always
dealt with integrated CSU/DSU WICs, so I've never touched a CSU.  I checked
Black Box, but they only had Cisco brand cables, for about $95 each.  I'm
looking for something cheaper.

Thanks,
Chuck Church
CCNP, MCNE, MCSE




!!!!! WHAT IS WITH THIS INDIVIDUAL MESSAGE DISTRIBUTION ?????

2000-06-28 Thread Chuck Church

Is everyone getting each individual message?  I'm getting them faster than I
can delete them.  I know Paul had some sendmail problems.  Is this an
aftereffect?


Chuck Church
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies 
140 Route 303 
Valley Cottage, NY 10989 
Email:[EMAIL PROTECTED] 
Voice: 914 267-4000 ext 218 
Fax:   914 267-1034 




RE: Micosoft 'routers'

2000-06-24 Thread Chuck Church

The routing table is a good question.  There's also all the features that
Cisco supports with IOS.  Can MS do bridging, access-lists, HSRP,
redistribution, and ISL?  Plus if you've got backup hardware and a copy of
your config, a totally dead router can be replaced with another in 5
minutes.  How fast can a server be built?  I'm thinking MS may be useful for
adding a couple segments to an existing net, but basing an enterprise on all
MS routers seems almost comical.  With the cost of layer 3 switching coming
down, and performance going through the roof, it looks like switches are
going to be running the core from here on out.

Chuck Church
CCNP, MCNE, MCSE
Network Engineer
Magnacom Technologies
140 N. Rt 303
Valley Cottage, NY 10989

I see that Microsoft has provided resources to configure OSPF and RIP in
Windows 2000 servers to provide routing capabilities.

Has anybody evaluated this? Do you think this could substitute 'real'
routers?

Thanks,




Passed CIT, now a CCNP - Woohoo!

2000-06-16 Thread Chuck Church

All,

Passed CIT 4.0 today with an 861.  Needed 720.  Used just the Cisco Press
CIT 4.0 book, and a lot of work experience with Cat 5000 and 7200 routers
(Routers only routed Ethernet, not WAN).  I scored an incredible 0% on the
AppleTalk section, but made up for it on the Frame, IPX, and switching
sections.  Lots of ISDN questions, including 1 that I didn't know that was
asked 3 times with slightly different wording.  As usual, there were lots of
poorly worded questions.  I'm guessing the test questions are all a couple
years old, based on the amount of AppleTalk questions, and lack of ISL
questions.  Very few questions on routing protocols.  Now on to CCIE -
RS.

P.S.  Any recommendations on CCIE?  I'm thinking I should start building my
home lab.

Chuck Church 
Network Engineer
CCNP, MCNE, MCSE
Magnacom Technologies 
140 Route 303 
Valley Cottage, NY 10989 
Email:[EMAIL PROTECTED] 
Voice: 914 267-4000 ext 218 
Fax:   914 267-1034 
