Re: DS3 bandwidth issues [7:65790]
""Priscilla Oppenheimer"" wrote in message news:[EMAIL PROTECTED] > s vermill wrote: > > > > Nate wrote: > > > > > > We've run a bandwidth test on our DS3 with nothing connected > > to > > > it but a > > > workstation (and obviously a router/pix). We went to > > > testmyspeed.com as > > > well as dslreports.com. We both got very good bandwidth tests > > > (upward 6m/s) > > > however in transferring a 200m file to/from a workstation > > > behind the > > > connection, we got over 30 minutes while our existing T1 got > > 26 > > > minutes. > > > Anyone mind explaining this phenomenon? Just a side note, we > > > have no > > > encryption between GRE tunnels. Thanks in advanced. > > > > Since he said he tested with those other tools and got 6m/sec (I guess he > meant 6 megabits per second which is OK, thought not great), the file The above is what I key'ed in on as the last test transfer he had done over the new path. Which is why I had originally suggested to tune tcp(the URL's below the jokes were seen weren't they?) since a single tcp session at 6Mbps crossing the continent(country) could be within expectations. In most stock tcp's and a 80ms RTT he would need a packet loss rate near .02%(.0002) to get 6Mbps. Nothing unrealistic about those numbers and it seemed to me someone just wanted to see 40+ Mbps numbers. But I overlooked the part about 30minutes over the DS3. Regarding the concerns about the 26 minute T1 transer. Maybe I'm a little too sleep deprived from doing datacenter moves, but I don't see the issue with 26minutes for a 200MB(bytes) file is roughly 1Mbps, don't forget overhead too. That's completely within norm for a single TCP session between two reasonably distant endpoints bandlimited by a T1. Back to the DS3 being slower for this one. As everyone has been saying break down the problem. 
My guess would be you've got some major performance inhibiting thing like a duplex mismatch somewhere and by being able to ramp up transmit speeds quicker the session is smacked back down due to the loss (from duplex mismatch). What might be the simplest suggestion for testing is to start up the file transfer and while it's running do a traceroute (large packet size if you could) from one end-host to the far end and see if you notice a place of particularly high loss to go look at.

My apologies for overlooking the note about the 30 minute 200MB transfer over DS3 (not T1),

Darrell

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65895&t=65790
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
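The numbers in the two replies above (about 1Mbps for 200MB in 26 minutes, a loss rate around .0002 for 6Mbps at 80ms, and the suggestion to tune the TCP stack) can be checked with a few lines of arithmetic. The block below is an added worked example and is not part of any post in the thread. It uses the Mathis et al. approximation for a single loss-limited TCP flow, throughput ~ MSS / (RTT * sqrt(p)), which the thread does not name and which ignores slow start, timeouts and the receive window; the 1460-byte MSS and the 64 KB untuned receive window are assumed typical values, while the 200MB, 26 and 30 minute, 80ms and 6Mbps figures are the thread's own.

```python
"""Single-flow TCP throughput checks for the DS3 vs. T1 numbers in this thread.

Added example; not from the original posts.  The loss-limited model is the
Mathis et al. approximation (an assumption the thread does not name):
    throughput ~= MSS / (RTT * sqrt(p))
It ignores slow start, timeouts and the receive window, so the window ceiling
is computed separately.
"""
import math

MSS = 1460             # assumed: 1500-byte Ethernet MTU minus 40 bytes of IP+TCP headers
UNTUNED_RWND = 65535   # assumed: a common untuned receive window without window scaling


def mathis_throughput_bps(mss_bytes=MSS, rtt_s=0.08, loss=0.0002):
    """Approximate steady-state throughput (bit/s) of one loss-limited TCP flow."""
    if loss <= 0:
        raise ValueError("the loss-limited model needs a loss rate > 0")
    return 8 * mss_bytes / (rtt_s * math.sqrt(loss))


def loss_for_target_bps(target_bps, mss_bytes=MSS, rtt_s=0.08):
    """Invert the model: the largest loss rate at which one flow still reaches target_bps."""
    return (8 * mss_bytes / (rtt_s * target_bps)) ** 2


def window_limited_bps(rwnd_bytes=UNTUNED_RWND, rtt_s=0.08):
    """Ceiling from the receive window alone: at most one window per round trip."""
    return 8 * rwnd_bytes / rtt_s


def transfer_rate_bps(size_bytes, seconds):
    """Average goodput of a completed transfer."""
    return 8 * size_bytes / seconds


def bottleneck(rtt_s, loss, rwnd_bytes=UNTUNED_RWND, mss_bytes=MSS):
    """Which limit binds first for one flow on this path, and at what rate (bit/s)."""
    by_loss = mathis_throughput_bps(mss_bytes, rtt_s, loss)
    by_window = window_limited_bps(rwnd_bytes, rtt_s)
    return ("window", by_window) if by_window < by_loss else ("loss", by_loss)


if __name__ == "__main__":
    size = 200 * 2 ** 20  # the thread's 200MB file, taken as mebibytes
    print(f"T1 transfer : {transfer_rate_bps(size, 26 * 60) / 1e6:.2f} Mbit/s average")
    print(f"DS3 transfer: {transfer_rate_bps(size, 30 * 60) / 1e6:.2f} Mbit/s average")
    print(f"loss needed for 6 Mbit/s at 80 ms: {loss_for_target_bps(6e6):.5f}")
    print(f"at 0.0002 loss and 80 ms        : {mathis_throughput_bps() / 1e6:.1f} Mbit/s")
    print("binds first at 80 ms / 0.0002 loss:", bottleneck(0.08, 0.0002))
```

With the assumed 64 KB window and an 80ms RTT the window ceiling (about 6.5Mbit/s) is lower than the loss ceiling, which is the case for tuning the sender's TCP stack before blaming the circuit; a 1 MB window moves the binding limit to loss.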
Re: PIX Questions [7:65806]
And for IOS nat'ing you can use policy routing to determine egress interface and thus NAT pool, which determines source address of outgoing traffic, which can be useful in controlling inbound traffic flow. YMMV. But this can be very useful when you are trying to do network gymnastics or inflict pain on a support team.

"Robert Perez" wrote in message news:[EMAIL PROTECTED]
> Newer versions of the PIX OS have more routing protocol support such as
> OSPF. Vs. 6.3
>
> -----Original Message-----
> From: Ben W [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 20, 2003 2:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX Questions [7:65806]
>
> The PIX is not a router, however it does have a routing table and can
> participate in a limited fashion in certain routing protocols, like RIP.
>
> To answer your 2nd question, there is no functional difference between the
> IOS and PIX doing nat/pat. It's just a difference in configuration really.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65890&t=65806
Re: DS3 bandwidth issues [7:65790]
Increase the speed of light. By increasing the speed of light you will increase the speed of your file transfer. Ask management to fund advanced research into light accelerators, then wait to do your transfers after light has been sped up by a few orders of magnitude. (This works best for non-technical folks)

or

Use the turbo switch on the back of the router labeled - / or...

Pull fiber directly from A to B. Help out the economy and network staff. Buy a backhoe, some explosives, and a fiber splice kit. Start at location A, use GPS to plot a direct path to B (as the crow flies), point the tractor in the precise direction and do not deviate. Remove any buildings, reroute roads, destroy gardens, but keep driving in a straight line. Don't bother with regen, just stay the course. (Works well for technical staff who don't yet get it)

OR...

"Nate" wrote in message news:[EMAIL PROTECTED]
> We've run a bandwidth test on our DS3 with nothing connected to it but a
> workstation (and obviously a router/pix). We went to testmyspeed.com as
> well as dslreports.com. We both got very good bandwidth tests (upward 6m/s)
> however in transferring a 200m file to/from a workstation behind the
> connection, we got over 30 minutes while our existing T1 got 26 minutes.
> Anyone mind explaining this phenomenon? Just a side note, we have no
> encryption between GRE tunnels. Thanks in advance.
>
> -Nate

Tune your TCP stack on the send side.
http://www.psc.edu/networking/perf_tune.html
http://www-iepm.slac.stanford.edu/monitoring/bulk/fast/

Or maybe you have a real life problem or capacity shortage somewhere.

Good Luck,
Darrell
Always looking for the next big project...
darrell (at) hayaitacos net

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65796&t=65790
Re: Graphing usage based on CAR Policies [7:65674]
> Can you create bandwidth graphs based on CAR policies? I would like to be
> able to create multiple policies matching access lists on an interface, and
> graph them separately to find out how much usage each policy is seeing.

I had this problem 3 years ago and didn't quickly find a MIB which exposed CAR's byte counts. Netflow data collection works and you can create the same groupings of traffic that your CAR policy has, though depending upon the complexity of the policies it is extra lifting. Netflow combined with a changing need meant I didn't need to spend time finding the CAR data. The router is collecting it, as you can see the byte counts in "sh int rate" output.

Some folks find traffic %'s to fit their needs fairly well. I don't like it much, but you could take the % of total traffic that is CAR'ed in each class and use that to make approximate guesses to the volume of any given CAR class in any sampling period. Really not a lot of fun and not very accurate; if you're CAR'ing traffic to keep it under control, you've probably shifted some of that offered demand into other time periods. Thus, the colored glasses you use to look at the data this way overestimate the usage of a CAR class during overall peak demand periods and underestimate the amount of CAR'ed class during the overall low demand periods.

I'd be interested in hearing if the CAR byte counts are exposed in any MIB. Or hearing about what you decide to do to solve your need.

Good Luck and hope this helps a bit,
Darrell
Always looking for the next big project...
darrell (at) hayaitacos net

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65696&t=65674
Re: DS3 slow connection problem. [7:65491]
> As others are saying, get the carrier involved. Do some loopbacks with their
> help. (Do loopbacks still make sense with DS3? I've only worked with DS1).
> Regardless, I think you've done the requisite testing and swapping on your
> side. Time to hassle the carrier.

I haven't been reading groupstudy much lately so my apologies if this has been suggested already. One of the more simple ways to exact a loopback is to do a hard loop for this environment with a short piece of coax. Doing this against tx/rx of the PA will allow you to send test pings with the link up. Remember you'll need to use an encap that doesn't require much of the far end, such as HDLC. Use this to test the PA and swap it out if needed.

You can use this same hard loop against the circuit as it enters one of your prems, but there are a variety of reasons why this wouldn't be preferred. But in a pinch it can allow you to run across the far end without having hands at both ends of the circuit. Of course you'll need some way to reach both routers outside of this circuit.

I didn't see any verification if you are running c-bit on the 7500 as well?

Best of Luck,
Darrell
Always looking for the next big project...
darrell (at) hayaitacos net

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65614&t=65491
Re: Split-Tunnel with PPTP on PIX [7:64585]
There is a check box in the MS dialer configuration to "use remote network as default gateway". With it checked, as you can imagine, it creates a new default route with a low metric and increments the metrics of other default routes. If this isn't checked many versions of the MS dialup software will insert a classful route for the prefix of the newly installed dialup interface. So for your example let's say your PPTP tunnel is addressed with 192.168.1.100, then the MS dialup software has frequently installed a 192.168.0.0/16 route. If you are lucky enough to have your internal sites fall within one classful boundary then you could lean on this behavior to build a "split-tunnel". YMMV as I doubt Microsoft is committed to keeping this quirk and I can't recall which of their clients behaved which ways, just that this behavior has been extremely common.

Best of Luck,
Darrell Newcomb
Technology Advisor, Netswitch
http://www.netswitch.net

"Arni V. Skarphedinsson" wrote in message news:[EMAIL PROTECTED]
> Is there a way to do split-tunneling for VPN clients connecting to a PIX with
> PPTP so that they don't lose internet connectivity? The clients are using the
> Microsoft VPN dialer.
>
> Any examples of this would be great.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64858&t=64585
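Which interface a client picks for a given destination under the two dialer behaviours described above comes down to ordinary route selection: longest matching prefix first, lowest metric among equals. The block below is an added example and is not from the post. It constructs the client's route table both ways (the demoted LAN default plus a tunnel default when the box is checked; the 192.168.0.0/16 entry the post gives for a 192.168.1.100 tunnel address when it is not), and asks which interface traffic leaves on. The LAN prefix 203.0.113.0/24, the PIX public address 192.0.2.1, the interface names and the metrics are constructed for the example.

```python
"""Route selection on the VPN client, as an added example (not from the post).

Models the two client behaviours the post describes: with "use remote network
as default gateway" checked, the dialer adds a default route via the tunnel
with a low metric and raises the metric of the existing default; unchecked,
it adds only a network route for the tunnel address (the post's example: a
192.168.0.0/16 route for a tunnel address of 192.168.1.100).  The LAN prefix,
the PIX's public address, the interface names and the metrics are constructed.
Selection is longest prefix first, then lowest metric.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    metric: int


def route(cidr, iface, metric):
    return Route(ipaddress.ip_network(cidr), iface, metric)


PIX_PUBLIC = "192.0.2.1"  # constructed: the PPTP server the client dials


def client_table(use_remote_default: bool):
    table = [
        route("0.0.0.0/0", "lan", 20),          # default via the home/office gateway
        route("203.0.113.0/24", "lan", 20),     # constructed local LAN
        route(PIX_PUBLIC + "/32", "lan", 1),    # host route so the tunnel itself stays on the LAN
    ]
    if use_remote_default:
        # the existing default is demoted, a better one appears via the tunnel
        table = [Route(r.prefix, r.interface, r.metric + 1) if r.prefix.prefixlen == 0 else r
                 for r in table]
        table.append(route("0.0.0.0/0", "pptp", 1))
    else:
        table.append(route("192.168.0.0/16", "pptp", 1))  # the route the post describes
    return table


def best_route(table, dst):
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    # longest prefix wins; among equal lengths the lowest metric wins
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress(use_remote_default: bool, dst: str) -> str:
    """Interface the client will use for dst under the given checkbox setting."""
    return best_route(client_table(use_remote_default), dst).interface


if __name__ == "__main__":
    for dst in ("192.168.5.7", "198.51.100.9", PIX_PUBLIC):
        print(f"{dst:>14}: checked -> {egress(True, dst):4}  unchecked -> {egress(False, dst)}")
```

The unchecked case is the split tunnel: only destinations inside the /16 go through the PIX, everything else (198.51.100.9 in the run above) leaves directly on the LAN, which is exactly what keeps internet connectivity working and also what lets the client bridge the internet and the internal network at the same time.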
Re: ADSL Between Head Office and Remote Branch [7:63711]
I would say the most simple Cisco product for using the dry copper available in your environment would be the Long Range Ethernet (LRE) products. The Catalyst LRE products will do 5Mbps @ 1524 meters, but be quite sure of the distance and characteristics of your copper. I haven't pushed LRE's distance and medium quality demands much so more digging would be in order.

Good Luck,
Darrell Newcomb
Netswitch Technology Management
http://www.netswitch.net

"Ismail Al-Shelh" wrote in message news:[EMAIL PROTECTED]
> I have read the MXL-2300 brochure; it's really not complicated like Cisco DSL
> products because, to be honest, I have got lost in the Cisco site searching for
> the right product to implement my solution. I am still interested to look for
> the equivalent product from Cisco, but if I do not find it then I will go
> for the MXL-2300.
>
> Thanks for help.
>
> Ismail Al-Shelh
>
> -----Original Message-----
> From: Troy Leliard [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 25, 2003 7:31 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ADSL Between Head Office and Remote Branch [7:63711]
>
> What you want to do is possible... in fact I demo'd something similar. I
> used the MXL-2300 from Tut Systems ...
>
> http://www.tutsys.com/mtu/products/ethernetworking/mxl_2300/index.cfm
>
> At anything under 3.5km you can get about 2MB. I haven't tried this
> using any Cisco kit.
>
> Ismail Al-Shelh wrote:
> >
> > I think I have to refine my question to be clearer.
> >
> > Again:
> >
> > I want to connect my branch office with my head office (1.5Km away) via DSL
> > without any external service provider (phone company).
> >
> > Two dry copper wires are laid physically from the Head Office to the Branch
> > office.
> >
> > Is this design going to achieve my goal:
> >
> > Clients PC--Ethernet--dsl router--dry pair of copper wires--dsl
> > router--Ethernet--Clients PC.
> >
> > Ismail Al-Shelh
> >
> > Thanks for your help.
> >
> > -----Original Message-----
> > From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, February 25, 2003 4:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: ADSL Between Head Office and Remote Branch [7:63711]
> >
> > I want to connect my branch office with my head office (1.5Km away) via ADSL
> > without any external service provider.
> > Two copper wires are laid physically from the Head Office to the Branch
> > office.
> >
> > Is this design going to achieve my goal?
> >
> > Clients PC--Ethernet--837 ADSL--pair of copper wires--837
> > ADSL--Ethernet--Clients PC
> >
> > Ismail Al-Shelh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63837&t=63711
Re: ISS Real Secure Vs Cisco IDS [7:63461]
""Albert Lu"" wrote in message news:[EMAIL PROTECTED] > how quickly can you respond to your alerts? Since for some attacks, a half > hour response time could cause your site to be down (eg. slammer virus). If > that was the case, even if you had all the vendor's IDS, it will be useless. Just to soapbox a bit on the current flare so many networking and security folks have for IDS's Using anything that only did detection would have let SQL slammer in. It is a single packet attack, by the time you saw one(and had vulnerable systems) it would have been too late for that host. Lets think about if you had super-double-secret AI to build a rule based the change in traffic behaviour of the (now infected) server and push this rule toward the "outside" or policy enforcement locations. Your would still have an infected server and any other vulnerable SQL server inside the nearest policy enforcement location would quickly also be infected. So now weeks later if you have vulnerable systems an IDS, with perfectly valid signatures, STILL does you no good. You would have already needed to deploy proper filtering, which was the case on day0, day10, and on day(-365). IDS's are nice tools, but like firewalls they don't do much for any network JUST becuase they were purchased and installed. Darrell Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63540&t=63461 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Help with Route-Maps [7:63381]
Yes this can work. I have a couple suggestions:

1) Make your access-list in the route map an extended ACL since you need to base this forwarding on source address.

2) Consider applying this type of policy on the RAS server. If Cisco, it can be defined in the virtual interface template specific to this single RAS device. Though with the simple topology that appears to exist, doing the policy routing on the RAS device may be less efficient than the 2600's.

3) Make sure the RAS device either handles asymmetric routing for packets inbound to it, or that both 2600's have routes to the proper Ethernet interfaces of this RAS device.

You might consider using virtual routers on the RAS server to achieve the same effects. Also you might consider solving your root problem of not announcing your address space out both available services... or are you using el-cheapo xDSL service for this?

Good Luck,
Darrell Newcomb
http://www.hayaitacos.net/mpeer/

"CiscoNewbie" wrote in message news:[EMAIL PROTECTED]...
> Hi all. Here is a scenario that I need your help on:
>
> I have a RAS server that has 2 ethernet interfaces for egress traffic. The
> IP addressing on each interface are on separate networks. In addition, the
> dialin pools configured on the RAS are in separate networks from each other
> as well as from those defined on the ethernet interfaces of the RAS. Each
> Ethernet interface gateway points to a Cisco 2620 router which each of the
> routers have their own connection to the internet via 2 separate providers.
> No BGP being done. The IP Pool addressing on the RAS server are from each
> of the providers. So Pool A IPs are from Sprint and Pool B are from Choice1.
>
> So in the event that one dialin user gets an IP from Pool B but gets routed
> to Router A, the user will not go anywhere because each provider will not
> route the other provider's IPs. My goal was to be able to say on the RAS that
> "pool A goes out of ethernet port 1" and "Pool B goes out ethernet port 2"
> but the RAS solution that I am using will not allow this to be done. So I
> thought about creating a route-map on the Cisco's to be applied to the
> ethernet interface (ingress) as an inbound policy. The route-map on Router
> A would need to say something like: "If Pool B which belongs to Router B,
> then set IP next-hop to Router B ethernet interface". Both routers know
> about each other. I would like to know if all I would need to do is the
> following or if I need something else or maybe I can't do it. Thanks.
>
> Here is what I came up with:
>
> ROUTER A:
>
> route-map from-RAS permit 10
>  match ip address 1
>  set ip next-hop 192.168.1.2
>
> interface Ethernet 0/0
>  description Traffic from Pool A
>  ip address 192.168.1.1 255.255.255.0
>  no ip directed-broadcast
>  ip policy route-map from-RAS
>
> access-list 1 permit
>
> The same will be done on ROUTER B but with the appropriate IPs.
>
> Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63397&t=63381
Re: TCP connection drops after 11 minutes [7:62855]
Since there aren't enough details and the answers to Priscilla's questions would help us, I'll continue the speculative guessing game with a few spare minutes.

When I read the description I thought Jason meant that he made (one) request to a webserver which was taking a VERY long time to complete. 11 minutes later this request "failed" as per some message from the web browser.

Guessing Scenarios:

1) The request being made to the server was really an HTTP upload of a file and transferring the file was taking a long time. Do you see mid to high levels of network activity to/from the endhost running the web browser?

2) The request required backend operations by the webserver which were particularly weighty for this specific request. Is this specific request a particularly big query? Do similar queries over smaller time periods, datasets, or whatever dimension (you have to scale down the workload) also take this long? Have you checked server logs?

I assumed this only happens for a specific type or subset of the queries you launch so there should be something to point you in the right direction. Also the specific timeout on the client side (web browser) would be helpful. Is it the TCP session which is dropping, an error message delivered from the webserver due to an application timeout, ...

Best of Luck,
Darrell
Netswitch Technology Management
http://www.netswitch.net

"Jason Dimagiba" wrote in message news:[EMAIL PROTECTED]...
> Hello everyone, it's been a while since I last posted a message on this
> board.
>
> My question is:
>
> I currently experience a session timeout after 11 minutes running a
> query on IE5. I was thinking it may be the MTU size being set
> incorrectly on the router. I may be wrong but has anyone ever come
> across this in their network? What are the things to check for? Any
> suggestion will be greatly appreciated.
>
> Thanks,
>
> jd

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62926&t=62855
Re: BGP Question [7:62914]
Jim,

Continue to announce the /19 as before. You MAY want to also announce the /24 you've allocated to your downstream; depending upon the business relationship around this connectivity you may really want to announce the more specific /24. This is probably the critical choice you'll make. More details about the desired function of this interconnection would be needed to make intelligent comments on that.

Depending upon the specifics of the environment... The covering /19 will attract some traffic for this /24 regardless of the customer announcing the /24 via other providers. If you also propagate the announcement of this /24 then you will get a bigger % of the inbound traffic for this /24, depending upon the announcements made on the other interconnection(s) the customer AS has. Again, more specifics on the desired traffic flow would be helpful in deciding behaviour in various states.

For some examples of this: When you give backup connectivity to a company which has sublet space from your shrinking dotcom, you'd not like to carry any of this downstream's traffic unless you have to. When you are billing the customer by the bit you'd like to bill them for as much traffic as you can carry without increasing your own costs enough to hurt your margins on the service.

Suggestions:
- Filter his announcements to you beyond just the as-path filter you've mentioned. Also use a prefix list or such to limit the announcements you'll listen to, to be just the prefixes you've agreed to accept. This is probably just the /24 (and nothing longer) you are allocating to him now.
- Make sure you are allowing all your routers (especially border) to see this /24 (or some covering aggregate) so that you don't create blackholes for some subset of the network.
- Adjust your outbound route filters to permit the one /24 (and nothing longer) to leak if you've decided you wanted this announced to the world via your network. This probably will require you to speak with your upstreams for them to adjust route filters on their side.
- Regardless, verify the announcements from outside your network by using a public looking glass.

It is likely that all of the objectives for this interconnection will not be met with canned configuration or suggestions. It's also quite common that no one will notice that the objectives are failing to be met. This is usually due to the fact that "it works" right now and "it works" under simple failure modes.

Best of luck, and if you've got the time to share more details about what is desired the group can make more suggestions,
Darrell Newcomb
darrell(at)hayaitacosnet
http://www.hayaitacos.net/mpeer/
Home of the Managed Peering Service

"Jim Devane" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
> I am looking for some guidelines and I cannot find any relevant examples. I
> have a situation where I have SWIP'd a /24 of my address block to a customer
> downstream. They have their own AS and are multi-homed.
>
> My concern/question is: the /24 will originate from their AS and not mine.
> Are there any special concerns I will need to take into account for BGP
> advertisements to my upstream providers? That is, I will peer with him and
> allow his AS to originate the route and allow ^$ from him, but I am
> concerned that this will mess up my advertisements of a /19. (The /24 I gave
> him is out of my larger.) Can I no longer advertise that?
>
> Are my concerns founded at all? Any advice?
>
> thanks,
> Jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62918&t=62914
Re: In a pix or router, can you nat the Source IP based on dest [7:62319]
To add to this... The PIX would operate under these conditions too. But it is absolutely not supported by Cisco and anyone doing it should consider the hurdles. First, by having multiple interfaces facing the target IP network (global Internet). Then by setting routes to the chosen destination IP prefixes (remote network) to egress the PIX on an interface with a different NAT pool. Then ensure that routing from the target IP network (global Internet again?) with source addresses of the remote networks enters the PIX on the correct interface.

I have used this in 5.x and 6.x for some very specific cases, though I am NOT recommending anyone do this. Just wanted to share knowledge that it is possible to make it work in a stable fashion on the PIX as well... of course every software upgrade has the potential to break this unintended (by Cisco) use.

Darrell Newcomb
http://www.netswitch.net

"Daniel Cotts" wrote in message news:[EMAIL PROTECTED]...
> The following URL should be what you need for a router.
> Watch the wrap:
> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
>
> > -----Original Message-----
> > From: Robert Perez [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, January 31, 2003 2:00 PM
> > To: [EMAIL PROTECTED]
> > Subject: In a pix or router, can you nat the Source IP based on dest
> > [7:62277]
> >
> > Bob Perez
> > Intercept Payment Solutions
> > [EMAIL PROTECTED]
> > 100 West Commons BLVD
> > New Castle, DE 19720
> > Phone: 302.326.0700
> > Cell: 302.420.6883
> > www.intercept.net
> > Cisco Systems
> > CCNA CCNP MCSE NET+
> >
> > Confidentiality Notice: This e-mail message, including any attachments, is
> > for the sole use of the intended recipient(s) and may contain confidential
> > and privileged information. Any unauthorized review, use, disclosure or
> > distribution is prohibited. If you are not the intended recipient, please
> > contact the sender by reply e-mail and destroy all copies of the original
> > message.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62319&t=62319
Re: L3 Switching & Swtich/Router Comparsion [7:62166]
""The Long and Winding Road"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > ""MADMAN"" wrote in message > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > Hmmm, IOS imgaes that are approaching, (in some cases exceeding) 20M ;) > > speaking of which, how big would the same IOS image be without Banyan, > DecNet, Apollo, and all the other obsolete garbage that contaminates them > now? > Valid point, but those components aren't the things that are causing bloat. Unless I'm giving too much credit to compile time optimizations. Banyan, dec, apollo, aren't getting new features, aren't causing non-linear image growth, and thus are not the cause of image bloat. Removing them, although useful, won't buy much time as the things causing the bloat will keep coming and surpass the savings before one calendar year is up. But I'd say 3 months is a better estimate. It's the items that a small number of folks actually use that would be a good target to eliminate. But those are the new features which are part of the story. Without the benefits of modular software and also to maintain low enough testing overhead; there are not great options(there ARE some options) to slow the bloat. Darrell http://www.netswitch.net Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62215&t=62166 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: OSPF default-information originate criteria [7:61683]
Typo below

> 3) Now maybe your entire network is just Routers A, B, and C. Then RouterC
> would have a default learned from somewhere else and hopefully a lower admin
> distance than the default seen from RouterA. Then you could have a
> survivable situation where RouterA can originate a new default based upon
> RouterA. It would look strange on some levels but it would function.
  ^ Should be RouterC. Referring to "based upon RouterC's announced default"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61697&t=61683
Re: OSPF default-information originate criteria [7:61683]
Well logically you'd have problems with the 2nd condition regardless of IOS restrictions. To use a few situations to describe why is probably easier to follow the 2nd condition.

Some OSPF Network---RouterA (device under consideration)---RouterB

1) RouterA receives default via OSPF and passes it on.
You've got this router with a default learned via the upstream (lefthand) OSPF network. It can and will pass that default on to other OSPF routers such as RouterB. You've gotten what you'd hoped for, right? And by coincidence the 2nd condition the SE described is met. Exceptions are when you want RouterB to always point default to RouterA, even when it becomes disconnected from the rest of the OSPF network.

Some OSPF Network---RouterC---RouterA---RouterB

2) RouterA learns default via OSPF network and originates a new default.
Again RouterA learns default in the same manner. But this time RouterA is configured to insert (originate) a default route into the OSPF domain. RouterA now injects this default and sends to neighbors. Neighboring routers such as RouterC now have a better path to default through RouterA and drop the default received from the rest of the OSPF network. As a result RouterA loses the default it was using in forwarding, but is receiving traffic it now can't forward. Of course if RouterA is NOT configured for default originate always then it will drop the default announcement and things will cycle endlessly. I take it this isn't what you'd want, right? ;-)

3) Now maybe your entire network is just Routers A, B, and C. Then RouterC would have a default learned from somewhere else and hopefully a lower admin distance than the default seen from RouterA. Then you could have a survivable situation where RouterA can originate a new default based upon RouterA. It would look strange on some levels but it would function.

I would say that for #2 or 3 you'd be better off pointing default with a static route on RouterB than trying to get OSPF to do that. Same would go for strict primary/secondary default paths with two circuits out of RouterB.

If you describe the intended situation in more detail, folks here could probably give better input. Regardless I hope these examples help clear things up.

Good Luck,
Darrell
http://www.hayaitacos.net/mpeer/

"John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> You'll have trouble finding documentation for the second condition
> because it's baloney. :-)
>
> Of course, if I'm wrong or if there is some odd twist to this that I'm
> not familiar with, someone will correct me.
>
> Regards,
> John
>
> >>> "Hart, Todd A [LTD]" 1/23/03 9:44:09 AM >>>
> I would like to know if anyone knows where I can find documentation
> regarding criteria for OSPF to originate default using the
> default-information originate command? Our Cisco SE provided me with the
> following information, and he is trying to locate information to support the
> second condition of, "- That default route *cannot* have been learned via
> OSPF."
>
> In order for 'default-information originate' to redistribute a default
> route, 2 conditions must be met:
> - The router must have a default in its routing table
> - That default route *cannot* have been learned via OSPF
>
> I have found Cisco supporting documentation regarding the first condition,
> but not the second. I would appreciate any documentation regarding this
> issue.
>
> Thanks,
> Todd Hart

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61696&t=61683
Re: route-map no-export - not working!! [7:61480]
Xueyan's comments about changing permit and deny's would work. But I think the big thing you are missing here is you're tagging something no-export on the way out of AS34. That will pass the route to the neighboring AS and then they shouldn't pass it on to their neighboring AS's. If you wanted to use no-export to prevent AS34 from leaking these routes then you should tag them as such on the way into the AS. Or as Xueyan's comments say deny the routes in your route-map/acl's on the way out.

Also given the nature of what you want to filter (routes through AS1000, but not filter routes originating from AS1000) you'll need to alter the as-path acl. Then again I may be mis-understanding the goals on this part and you really don't want routes from or through AS1000.

Darrell
http://www.netswitch.net

"Cisco Nuts" wrote in message news:[EMAIL PROTECTED]...
> Hello, I am trying to block any routes that have traversed AS1000 from
> being advertised beyond AS34 but am having no luck. R4 is learning a bunch
> of routes from AS100 and the config is on R4 which is in AS34.
>
> R4#
> route-map comm_out permit 10
>  match as-path 99
>  set community no-export
> !
> route-map comm_out permit 20
>  match ip address 96
>  set metric 31337
> !
> route-map comm_out permit 30
> !
> ip as-path access-list 99 permit _1000_
> !
>
> On the peer routers:
>
> R2#bt
> BGP table version is 203, local router ID is 220.1.3.1
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop    Metric LocPrf Weight Path
> *> 100.0.0.0/24     150.1.4.4                       0 34 100 200 300 1000 400 500 i
> *  100.1.0.0/24     150.1.12.1                      0 1 34 100 200 300 400 500 i
> *>                  150.1.4.4                       0 34 100 200 300 400 500 i
> *> 100.2.0.0/24     150.1.4.4                       0 34 100 200 300 1000 400 500 i
> *  100.3.0.0/24     150.1.12.1                      0 1 34 100 200 300 400 500 i
> *>                  150.1.4.4                       0 34 100 200 300 400 500 i
> *  110.110.110.0/24 150.1.12.1                      0 1 34 100 200 300 400 500 i
> *>                  150.1.4.4                       0 34 100 200 300 400 500 i
> *  111.111.111.0/24 150.1.12.1                      0 1 34 100 200 300 400 500 i
> *>                  150.1.4.4    31337              0 34 100 200 300 400 500 i
> *  112.112.112.0/24 150.1.12.1                      0 1 34 100 200 300 400 500 i
> *>                  150.1.4.4                       0 34 100 200 300 400 500 i
> *  113.113.113.0/24 150.1.12.1                      0 1 34 100 200 300 400 500 i
> *>                  150.1.4.4    31337              0 34 100 200 300 400 500 i
>
> On R2, I can still see routes that have traversed AS1000 !!! What
> am I doing wrong? Please help. Thank you.
> Sincerely,
> CN

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61598&t=61480
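An added illustration, not part of the thread, of why the routes still show on R2 and of the as-path regex point: a small Python model of NO_EXPORT handling in eBGP plus a translator for the IOS `_` as-path metacharacter. The AS numbers, route-map name and paths are taken from the post (with R4's own 34 removed from the sample paths); `ebgp_send`, `ebgp_receive` and the scenario functions are my own simplification, and the posted seq 20 metric clause is left out.

```python
import re
from dataclasses import dataclass, field

NO_EXPORT = "no-export"


@dataclass
class Route:
    prefix: str
    as_path: list                      # leftmost AS = most recently prepended
    communities: set = field(default_factory=set)

    def copy(self):
        return Route(self.prefix, list(self.as_path), set(self.communities))


def ios_aspath_regex(pattern):
    """Translate an IOS 'ip as-path access-list' regex into a Python one.

    In IOS the '_' metacharacter matches a token boundary: start or end of
    the path, a space, or the comma/brace/parenthesis used in AS sets."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")


def aspath_matches(pattern, as_path):
    text = " ".join(str(asn) for asn in as_path)
    return re.search(ios_aspath_regex(pattern), text) is not None


def comm_out(route):
    """Stand-in for the posted 'route-map comm_out' (seq 20 omitted):
    seq 10 tags NO_EXPORT on as-path 99 (_1000_), seq 30 permits the rest."""
    r = route.copy()
    if aspath_matches("_1000_", r.as_path):
        r.communities.add(NO_EXPORT)
    return r


def ebgp_send(routes, local_as, route_map=None, send_community=True):
    """Routes one AS announces to an eBGP neighbour.

    A route already carrying NO_EXPORT in the local table is never announced
    to an eBGP peer; an outbound route-map is applied only to what IS
    announced; the local AS is then prepended.  send_community models the
    IOS 'neighbor ... send-community' knob, without which communities are
    not transmitted to the peer."""
    announced = []
    for r in routes:
        if NO_EXPORT in r.communities:
            continue
        r = route_map(r) if route_map else r.copy()
        r.as_path = [local_as] + r.as_path
        if not send_community:
            r.communities = set()
        announced.append(r)
    return announced


def ebgp_receive(routes, route_map=None):
    """Install received routes, applying an inbound route-map if given."""
    return [route_map(r) if route_map else r.copy() for r in routes]


# Constructed sample of what R4 (AS34) learns from AS100: two of the paths
# from the posted R2 table, with R4's own prepended 34 removed.
AS100_ROUTES = [
    Route("100.0.0.0/24", [100, 200, 300, 1000, 400, 500]),
    Route("100.1.0.0/24", [100, 200, 300, 400, 500]),
]


def prefixes(routes):
    return sorted(r.prefix for r in routes)


def scenario_outbound_tag():
    """What the poster did: comm_out applied on the way OUT of AS34 to R2.

    Returns (R2's table, what R2 in AS1 passes to its next eBGP peer)."""
    r4_table = ebgp_receive(AS100_ROUTES)
    r2_table = ebgp_receive(ebgp_send(r4_table, 34, route_map=comm_out))
    beyond_as1 = ebgp_send(r2_table, 1)
    return r2_table, beyond_as1


def scenario_inbound_tag():
    """Darrell's suggestion: comm_out applied on the way INTO AS34 from AS100.

    Returns R2's table."""
    r4_table = ebgp_receive(AS100_ROUTES, route_map=comm_out)
    return ebgp_receive(ebgp_send(r4_table, 34))


if __name__ == "__main__":
    r2, beyond = scenario_outbound_tag()
    print("outbound tag: R2 sees", prefixes(r2), "; R2 passes on", prefixes(beyond))
    print("inbound tag:  R2 sees", prefixes(scenario_inbound_tag()))
```

With the outbound tag R2 still installs the AS1000 routes (as in the posted table) and only stops re-exporting them; with the inbound tag R4 never announces them at all. `_1000$` matches routes originated by AS1000 and `_1000_[0-9]` only routes that transited it.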
Re: response time between PIX with VPN [7:60981]
What Eric is referring to is a couple different items. One is the forward lookup of the name given on the command prompt, which I don't recall any traceroute implementations which cause high latency for that.

Secondly is the reverse lookup many traceroutes will do if you give an IP address as the destination. Many of these send the first packet out, then make a call for reverse lookup. Sun Solaris is the notable OS who does this with ping and causes the first response(s) to be reported as extremely high latency due to the program waiting on the reverse lookup to finish.

3rd is the reverse lookup of individual hops as seen in traceroute output. I can't recall any implementation mangling RTT results due to this, but I wouldn't be surprised to see it. Mostly this just delays the next round packets from being sent.

Finally kernel level ICMP rate limiting has been done in a number of OS's and makes aggressive ping tests a poor tool. And makes using low rate ping against a busy host something to trust with skepticism.

I doubt you are seeing any of these Mike, but just wanted to clarify why someone would see those kinds of results. I know I've had to have long conversations explaining these things to *nix admins who believed the network had extremely high latency. :-)

There is obviously something going on, not sure what it is myself. I agree with the other posters that L2 could be causing performance problems. Have you broken down testing so it's not just end-to-end between these two windows hosts but also from one windows host to each of the endpoints along the way? Has IKE finished already when you send these packets? Are the lifetimes of your SA's long enough or are they aging out between individual test packets?

Darrell

"Mike Sweeney" wrote in message news:[EMAIL PROTECTED]...
> In answer to Eric, there is not any DNS involved as the traceroute is IP
> only... no name resolution needed.
>
> In answer to Ed's comments, I have both plugged into a switch and so it's not
> *back to back* in the normal sense of the word.
>
> MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61235&t=60981
Re: BGP Stability problem over DSL link [7:55507]
Have you observed any problems with long lived tcp sessions besides this bgp session? (Of course that'd be for sessions not dependent upon the routes learned/announced via the troublesome session)

Have you looked to see if the link state is changing (rapidly) and causing the bgp session to be dropped? Specifically fast fall over on link failure.

Does the problem have to do with the sent/received routes on either side interfering with bgp's tcp session? If you've got multihop then there should be some nailed up routes to support the bgp session.

Good Luck,
Darrell
http://www.hayaitacos.net

"Zahid Hassan" wrote in message news:[EMAIL PROTECTED]...
> Dear All,
>
> I'm trying to configure BGP peering over a DSL link.
> The peering drops after a few minutes, comes back once the DSL link is reset.
> Other than that Internet connectivity over the DSL link seems to be working
> fine.
> Has anyone experienced any similar problem with BGP over DSL ?
> I would really appreciate any thoughts on this matter.
>
> Regards,
>
> Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55510&t=55507
Re: Need help with link utilisation [7:55347]
The load shown in your sh int's is that of the % on output rate not some combination of both input and output. If you look at your interface's "input rate 47 bits/sec" you'll see it's quite close to 512kbps or a "high load".

"John Botha (Mnet)" wrote in message news:[EMAIL PROTECTED]...
> At one stage we were running serious CRC's on the line, but our local telco
> sorted out the line problem. They just haven't cleared their counters. The
> errors and CRC's showing their side is still from long ago ;-)
>
> -----Original Message-----
> From: Creighton Bill-BCREIGH1 [mailto:[EMAIL PROTECTED]]
> Sent: 11 October 2002 10:52
> To: [EMAIL PROTECTED]
> Subject: RE: Need help with link utilisation [7:55347]
>
> Maybe a dumb observation, but:
> Why are input errors and CRC's so dramatically higher on the ISP side,
> wouldn't the constant CRC retransmit requests increase the utilization?
> Excessive line noise or transmission probs?
>
> -----Original Message-----
> From: John Botha (Mnet) [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 11, 2002 3:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Need help with link utilisation [7:55347]
>
> The following sh int from both sides:
>
> Our side:
>
> MNET4500>sh int s1
> Serial1 is up, line protocol is up
>   Hardware is HD64570
>   Description: 512Kb Internet SOLUTION CCT# 64-63487-11
>   Internet address is 196.6.242.90/30
>   MTU 1500 bytes, BW 512 Kbit, DLY 2 usec, rely 255/255, load 36/255
>   Encapsulation HDLC, loopback not set, keepalive set (10 sec)
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 1w0d
>   Input queue: 0/75/0 (size/max/drops); Total output drops: 1720
>   Queueing strategy: weighted fair
>   Output queue: 0/1000/64/1707 (size/max total/threshold/drops)
>      Conversations 0/96/256 (active/max active/max total)
>      Reserved Conversations 0/0 (allocated/max allocated)
>   5 minute input rate 47 bits/sec, 59 packets/sec
>   5 minute output rate 74000 bits/sec, 55 packets/sec
>      20649049 packets input, 2472568997 bytes, 0 no buffer
>      Received 60233 broadcasts, 0 runts, 0 giants, 0 throttles
>      96 input errors, 95 CRC, 44 frame, 0 overrun, 0 ignored, 12 abort
>      18034063 packets output, 3701447186 bytes, 0 underruns
>      0 output errors, 0 collisions, 66 interface resets
>      0 output buffer failures, 0 output buffers swapped out
>      8 carrier transitions
>      DCD=up DSR=up DTR=up RTS=up CTS=up
>
> Theirs:
>
> Serial4/4 is up, line protocol is up
>   Hardware is M8T-X.21
>   Description: mnet | B1:TT4:L | 64-63487-11
>   Internet address is 196.6.242.89/30
>   MTU 1500 bytes, BW 512 Kbit, DLY 2 usec, rely 255/255, load 232/255
>   Encapsulation HDLC, crc 16, loopback not set
>   Keepalive set (10 sec)
>   Last input 00:00:05, output 00:00:00, output hang never
>   Last clearing of "show interface" counters never
>   Input queue: 0/75/0 (size/max/drops); Total output drops: 1
>   Queueing strategy: weighted fair
>   Output queue: 0/1000/64/1 (size/max total/threshold/drops)
>      Conversations 0/32/256 (active/max active/max total)
>      Reserved Conversations 0/0 (allocated/max allocated)
>   30 second input rate 78000 bits/sec, 58 packets/sec
>   30 second output rate 467000 bits/sec, 63 packets/sec
>      16910473 packets input, 3203937235 bytes, 0 no buffer
>      Received 0 broadcasts, 177 runts, 7 giants, 0 throttles
>      11225 input errors, 11081 CRC, 0 frame, 0 overrun, 0 ignored, 144 abort
>      19484732 packets output, 1636048060 bytes, 0 underruns
>      0 output errors, 0 collisions, 6 interface resets
>      0 output buffer failures, 0 output buffers swapped out
>      7 carrier transitions
>      DCD=up DSR=up DTR=up RTS=up CTS=up
>  --More--
>
> Regards,
>
> John Botha
> E-mail: [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Magondo, Michael [mailto:[EMAIL PROTECTED]]
> Sent: 11 October 2002 09:48
> To: [EMAIL PROTECTED]
> Subject: RE: Need help with link utilisation [7:55347]
>
> John
>
> Are you sure both interfaces have the same bandwidth configured?
>
> Michael
>
> -----Original Message-----
> From: John Botha (Mnet) [mailto:[EMAIL PROTECTED]]
> Sent: 11 October 2002 09:04 AM
> To: [EMAIL PROTECTED]
> Subject: Need help with link utilisation [7:55347]
>
> Hi group
>
> I have a problem that is currently scrambling my noodle. Our link to our ISP
> shows up as under utilized from a show interface command, most often sitting
> at less than 100/255. I questioned the slow response during working hours
> with one of their engineers, and his interface to us is showing at running
> at greater than 200/255 at the same time that my receiving interface is
> showing less than 100/255. Surely transmitter and receiver interfaces should
> show the same load?
>
> Any help and/or ideas would be appreciated.
>
> Regards,
>
> John
> MCSE, CCNA, CCNP, CCDA, CCDP

Message Posted at: http://www.gro
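An added check, not from the thread, that recomputes the `load x/255` figure from the rates quoted in the two `show interface` excerpts. On the IOS releases shown the single `load` field is the transmit load (later releases print `rxload` and `txload` separately); the excerpt strings below are constructed from the posted values, and truncating the scaled value is an assumption that happens to reproduce both displayed numbers.

```python
import re

# Constructed excerpts carrying only the posted figures this check needs,
# for both ends of the 512 kbit/s HDLC circuit.
OUR_SIDE = """\
MTU 1500 bytes, BW 512 Kbit, DLY 2 usec, rely 255/255, load 36/255
5 minute input rate 47 bits/sec, 59 packets/sec
5 minute output rate 74000 bits/sec, 55 packets/sec
"""

THEIR_SIDE = """\
MTU 1500 bytes, BW 512 Kbit, DLY 2 usec, rely 255/255, load 232/255
30 second input rate 78000 bits/sec, 58 packets/sec
30 second output rate 467000 bits/sec, 63 packets/sec
"""

BW_RE = re.compile(r"\bBW (\d+) Kbit")
LOAD_RE = re.compile(r"\bload (\d+)/255")
RATE_RE = re.compile(r"\b(input|output) rate (\d+) bits/sec")


def parse_show_interface(text):
    """Pull bandwidth (bits/s), the displayed load and the two rates out of
    a 'show interface' excerpt.  IOS 'Kbit' means 1000 bits."""
    bw_bps = int(BW_RE.search(text).group(1)) * 1000
    load = int(LOAD_RE.search(text).group(1))
    rates = {direction: int(bps) for direction, bps in RATE_RE.findall(text)}
    return {"bw_bps": bw_bps, "load": load,
            "input_bps": rates["input"], "output_bps": rates["output"]}


def load_from_rate(rate_bps, bw_bps):
    """Scale a rate to the 0..255 'load' range.  Truncating the scaled value
    is an assumption; it reproduces both figures quoted in the thread."""
    return min(255, rate_bps * 255 // bw_bps)


def explain_load(text):
    """Compare the displayed load with three candidate definitions of it:
    output rate only, input rate only, or the sum of both."""
    p = parse_show_interface(text)
    return {
        "displayed": p["load"],
        "from_output": load_from_rate(p["output_bps"], p["bw_bps"]),
        "from_input": load_from_rate(p["input_bps"], p["bw_bps"]),
        "from_both": load_from_rate(p["input_bps"] + p["output_bps"], p["bw_bps"]),
    }


if __name__ == "__main__":
    for name, text in (("ours", OUR_SIDE), ("theirs", THEIR_SIDE)):
        print(name, explain_load(text))
```

Only the output-rate definition matches on both ends (36 and 232); summing both directions would saturate the ISP side at 255, which is why the two routers never show the same load.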
Re: BVI at OC3 speed [7:54828]
Interesting. Wish I could provide a direct answer. Aside from NOT using BVI's :) I usually like to just make the assumption bvi's are going to be process switched to be safe which works for the small environments I've used them in. And they usually are process switched for interesting packets like ip options, multicast, ... which are important to many folks. Process switching is just too much work to fill your pipes in both directions.

I think your answer/hope lies in researching the enhancements made to do larger numbers of sessions for DSL aggregation which there have been many changes in the last year. I believe those test results are internal cisco docs, or at least I couldn't find them easily. There might be another saviour if BVI made it into PXF (NSE) too which I doubt it did.

http://www.cisco.com/warp/public/794/7200_bdaggreg.html (Cisco 7200 Configuration for RFC1483)

Sorry for the vague answer and Good Luck! Let us know what you find,
Darrell

"MADMAN" wrote in message news:[EMAIL PROTECTED]...
> Has anyone out there ever configured a 7200 with a bridged OC3
> interface that is then routed via a BVI?? The config is not the issue
> but can the router handle it as this link will be heavily used. Since
> the bridged to routed conversion is done in software I don't have a warm
> fuzzy about this but the customer doesn't understandably want to buy
> another router and just let the 7200 be a bridge.
>
> If you're wondering what the hell, this is for an LSS, LAN Switching
> Service, application which by tariff is a fully meshed, bridged ATM
> service that extends 10 or 100M ethernet.
>
> Thanks
>
> Dave
> --
> David Madland
> CCIE# 2016
> Sr. Network Engineer
> Qwest Communications
> 612-664-3367
>
> "You don't make the poor richer by making the rich poorer." --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54831&t=54828
Re: Wireless Netowrk [7:54757]
It'll work however:

1) You're not offering much security unless the conduits are for protocol/applications of a completely benign nature, which I'm confident they probably are not.
2) By doing this the data traveling between wireless clients and these opened (conduit) services are at risk of being captured.
3) You've got the administration complexity of maintaining conduits for approved applications. This may not be an issue in this environment but it would be for most.

Placing the pix there and using conduits alone is not going to offer much security like most folks hope for from them. The described situation isn't providing authentication, decent encryption, nor preventing any random wireless node from accessing those services. But then again maybe the wireless security you mentioned is addressing those sufficiently for the situation.

Darrell

"Azhar Teza" wrote in message news:[EMAIL PROTECTED]...
> In a campus network the customer would like to have a wireless LAN since all
> the users in the other building are Telecommuters. Wireless has its own
> security, but they would still like to have PIX between this wireless network
> and the main network. PIX is the device which is mainly used to isolate the
> private network from the public network, but in this scenario the PIX would
> be used between two Private Networks. Here are the details: Users on Wireless
> subnet 172.16.10.0 would connect to the Cisco 2900 switch. The PIX's outside
> interface will be part of this subnet. The PIX Internal address would then
> connect to another Cisco switch where customer main network resides,
> Servers, Applications etc. This subnet is 192.168.10.0. Conduits will be
> opened for Wireless users to access this network. This should work fine. I
> just wanted to have advice from the forum users to make sure that it will
> work.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54758&t=54757
Re: Major DNS Issues?? [7:54674]
Not that this is directly going to do much for you, but seems fine from here. (See below) Are you walking the tree and observing a problem? With which root server did you observe issues? Or are you seeing things through a caching dns server? Is the cache polluted?

> server 192.5.5.241
Default Server:  f.root-servers.net
Address:  192.5.5.241
> com.
Server:  f.root-servers.net
Address:  192.5.5.241

Non-authoritative answer:
com     nameserver = A.GTLD-SERVERS.NET
com     nameserver = G.GTLD-SERVERS.NET
com     nameserver = H.GTLD-SERVERS.NET
com     nameserver = C.GTLD-SERVERS.NET
com     nameserver = I.GTLD-SERVERS.NET
com     nameserver = B.GTLD-SERVERS.NET
com     nameserver = D.GTLD-SERVERS.NET
com     nameserver = L.GTLD-SERVERS.NET
com     nameserver = F.GTLD-SERVERS.NET
com     nameserver = J.GTLD-SERVERS.NET
com     nameserver = K.GTLD-SERVERS.NET
com     nameserver = E.GTLD-SERVERS.NET
com     nameserver = M.GTLD-SERVERS.NET
A.GTLD-SERVERS.NET      internet address = 192.5.6.30
G.GTLD-SERVERS.NET      internet address = 192.42.93.30
H.GTLD-SERVERS.NET      internet address = 192.54.112.30
C.GTLD-SERVERS.NET      internet address = 192.26.92.30
I.GTLD-SERVERS.NET      internet address = 192.43.172.30
B.GTLD-SERVERS.NET      internet address = 192.33.14.30
D.GTLD-SERVERS.NET      internet address = 192.31.80.30
L.GTLD-SERVERS.NET      internet address = 192.41.162.30
F.GTLD-SERVERS.NET      internet address = 192.35.51.30
J.GTLD-SERVERS.NET      internet address = 192.48.79.30
K.GTLD-SERVERS.NET      internet address = 192.52.178.30
E.GTLD-SERVERS.NET      internet address = 192.12.94.30
M.GTLD-SERVERS.NET      internet address = 192.55.83.30
>

"John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> Perhaps I should be more specific. Anyone noticing any problems with
> the root DNS servers?
>
> >>> "John Neiberger" 10/1/02 4:57:21 PM >>>
> Just out of curiosity, is anyone else having DNS issues?
>
> John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54676&t=54674
Re: OT: Serves Me Right - DHCP problem [7:54402]
"Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
>
> W2K/XP does that automatically. If you have the icon turned on in the
> system tray for the nic, you will see when the cable is unplugged and when
> it is plugged in again. (you don't need it turned on to work)
>
> this has been stated somewhere before in this thread.

That was me trying to keep everyone's perspective of the pre-w2k clients on the described network. But I didn't realize there were problems with w2k clients as well at that point.

> But Chuck says he has W2K/XP and it isn't working. (for everybody). Why is
> it working for some and not others?
> In our lab we sometimes punch a PC from one segment to another. When it
> doesn't work we just unplug and replug and it usually works the 2nd time.
>

Oh I didn't catch that part of the problem description. I thought the users were all 98/NT4. If that were so, it would be perfectly expected what's happening.

> Sounds like it's time to get the sniffer working.

Yes it really does sound like time to look at L2 and the ACTUAL details of this situation. Could be a variety of things but the packet capture should show the cards. After solving those though there is still the pre-w2k clients which aren't disappearing tomorrow.

IMHO the traditional way to handle this before many clients did the automatic renewal upon link up was to:
a) make the "mobile" access ports on one VLAN per building (or conveniently close geographic footprint)
b) with caution tune lease times downward for those access VLANs to roughly the time it would take to travel from one building/campus to another

Some folks also:
- got fancy with meeting the concept behind A and did things based upon mac prefixes.
- just educated folks to release and acquire a new address or reboot (doesn't help Chuck's situation much)

Darrell
Service Advisor
http://www.netswitch.net

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54576&t=54402
Re: gigabit design possibilities [7:53862]
Yes that darn business driver of selling more transport. Reminds me of my days at a PTT doing research for applications to drive transport. Seeing the big picture is usually very helpful, people don't buy transport for no reason. If you're not the PTT or cable based telco then selling transport itself isn't your strength, it's providing the flexibility the cable maintenance folks can't or won't provide in servicing the business need of customers. Any customer with money and a business driver for several hundred GE's within one metro area will likely have a ton of other business outside that metro you'd like to get. IMHO, even subcontracting the "hassle" would be worth it to gain the visibility and position for future business.

The main area to challenge (and that will create good savings) is the assumption of housing all equipment in COs. Serving customers from customer premises works if you're careful. I can think of some big providers in Europe who made it fly with a handful of different techniques. Also look at the long established Sonet ADMs at customer prems, we know it's viable with good planning/engineering.

I still believe the options I've stated make sense for the described situation regardless of the short visioned layer8 of
Re: OT: Serves Me Right - DHCP problem [7:54402]
Because pre-W2K windows didn't automatically try to renew a lease when the ethernet interface comes back up after being down. So... if the old lease hadn't come up for renewal during the time the machine moved from point A to B, the users don't automatically get connectivity. Lots of options to teach the helpdesk how to educate users, but since it 'worked before' in Chuck's case it's seen as a (big?) problem (PITA).

"Larry Letterman" wrote in message news:[EMAIL PROTECTED]...
> why is that ? we have segmented avvid network across our campus. The
> laptops are all W2K and they work just fine without any issues on DHCP...
> The routers are all running hsrp and work correctly..
>
> Chuck's Long Road wrote:
>
> >I see I should have made this one a "Friday Folly" :->
> >
> >In a Big Flat Bridged Network, a mobile user unplugs the laptop at one
> >office, drives over to the next office, plugs back in, and no further action
> >is required. The Windoze PC has retained its IP address, and the network
> >doesn't care about location, because it is one big flat network.
> >
> >However, in the brand new ATM based AVVID ready routed network, said mobile
> >user is now in a different segment in each location. With Windoze, you have
> >to manually intervene. Sometimes you have to release the IP address, reload
> >the computer, and then get your new DHCP assignment. Users don't like this.
> >After all, now they have to do something, whereas before they did not. Never
> >mind the higher speed, the failover capability of the routers, the new 100
> >mbs switches rather than 10mbs. They have to take an extra step or two in
> >order to log in.
> >
> >This is normal behaviour for Windoze machines, and maybe for DHCP clients in
> >general. I have had to do this release / renew for years.
> >
> >But to the customer, who is pretty naive in terms of networking, there is a
> >"problem" that was caused by the new routers. To the users, there is a
> >problem that never existed before.
> >
> >Like I said, serves me right. You give a customer a great new network, and
> >you break something so rudimentary that it never would have occurred
> >otherwise. :->
> >
> >--
> >
> >www.chuckslongroad.info
> >like my web site?
> >take the survey!
> >
> >"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> >
> >>Spare us the mystery and tell us what you're getting at. :-) Did you
> >>forget to tell the DHCP server to provide the correct default gateway address to
> >>the PCs? That's my guess, since you say everything else like helper
> >>addresses, etc. is configured correctly. Just a late-night theory,
> >>waiting for Jay Leno to come on.
> >>
> >>Thanks,
> >>
> >>Priscilla
> >>
> >>Chuck's Long Road wrote:
> >>
> >>>The AVVID solution I sold a few months ago is going through implementation.
> >>>This project has been problematic for a lot of reasons, so it is not unusual
> >>>for a round of e-mails from the customer complaining about one thing or
> >>>another.
> >>>
> >>>Today was a good one, however. Shows to go you have to ask things you
> >>>normally wouldn't think about.
> >>>
> >>>DHCP - no big deal. Works fine. All of us have probably used it or
> >>>configured it. All of us probably have experience with running several small
> >>>sites off a single DHCP server at a central site.
> >>>
> >>>So why is the customer complaining about DHCP not working, and it's because
> >>>our routers are screwed up and Microsoft told them that they would have to
> >>>change their network addressing to a single class B rather than subnets of
> >>>/16 space, the way I designed it?
> >>>
> >>>The routers are configured correctly. The network is designed correctly - no
> >>>overlapping subnets. IP helpering is configured correctly.
> >>>
> >>>Problem occurs with several users, different NIC's, either Win2K or WinXP.
> >>>No one common factor. Worked just fine before we put the new routers in.
> >>>
> >>>Recognizing that Microsoft is full of C**P and their TCP stack is S**T,
> >>>still, why the problem.
> >>>
> >>>Gee, what happens to DHCP when you go from a single flat bridged network to
> >>>a segmented routed network? Especially to mobile users, who travel from site
> >>>to site for various reasons on a regular basis?
> >>>
> >>>Serves me right
> >>>
> >>>Chuck
> >>>
> >>>--
> >>>
> >>>www.chuckslongroad.info
> >>>like my web site?
> >>>take the survey!
> --
>
> Larry Letterman
> Network Engineer
> Cisco Systems Inc.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54462&t=54402
Re: gigabit design possibilities [7:53862]
Inline...

"Chuck's Long Road" wrote in message news:[EMAIL PROTECTED]...
> One of my coworkers was telling me about a project he is working on. We are
> positioning a gigabit service, which in this neck of the woods is a point to
> point technology.
>
> The customer has a giant hub site and several hundred remote sites, making
> provisioning somewhat problematic. Rack space, for one thing.
>
> At this point in time, the telco I work for does not have the means to
> provide aggregation services. I'm thinking that about the only way we could
> offer some kind of efficiency to the customer is to provide CO space, and
> put in a high end switch with the required number of gigabit ports for
> termination of the gig links. This switch would also have an appropriate OC
> port, and the connection from the CO to the customer hub site would then be
> OC to OC.
>

I'm struggling to imagine a customer who actually needs FULL gig-e to each of several hundred sites who didn't also have access to physical plant.

Why send back Sonet to the customer hub site? One or more 802.1q GE trunks should be fine. To the customer hub site you'll have 1 (or more) VLANs to each spoke site. No routing or fancy things for the provider to control for the customer, just simple L2 like always. It sounds like the spoke sites are all within very close proximity, using only a handful of CO's. Riverstone and Extreme both make L2 switches with GE density you'd require. With extreme you could entertain T1's (hopefully over UNE) or (probably not) VDSL where data rate wasn't near gige.

Seriously I'd be looking at innovative ways of doing aggregation, using some of the spokes to do aggregation, RPR/DPT, utilizing other providers (onfiber?) to aggregate sites which are within their footprint. If you've got a lot broader area to cover I think the dollar savings will be much higher by challenging the goals and doing interesting things to meet the goals rather than doing just Full GE to each site.

> I'm wondering if other folks on the list have dealt with similar type
> considerations and what their telco's might be offering in terms of
> aggregation of gigabit links.
>
> Out here, the telco would have to start thinking in terms of being a service
> provider rather than a provider of circuits. I'm not so sure that would be
> an easy ( or even possible ) transition, for a lot of reasons, both
> political and practical. For one thing, the telco would then become
> responsible for maintenance and configuration of all CO homed equipment,
> something that I am not certain telcos really want to do.
>

I think you'll find the ILECs wanting to provide ptp GE (ala gigaman) and the ethernet providers wanting to provide VLANs from point A to B. The competitively priced wavelength and dark fiber folks probably don't have the footprint you need. Other things will require some cooperation which with several hundred high bandwidth sites you'll find a lot of compromise. Drop the ILEC GE (overpriced) into the nearest aggregation point of the competitive folks while taking care not to get killed by port costs everywhere. Plenty of providers at this point would be glad to work together on a project of this scope. Heck I know I'd like to work on piecing together a competitive solution or do independent evaluation of the proposals.

Hope this helps a bit and Good Luck,
Darrell Newcomb
Technology Advisor, Netswitch
http://www.netswitch.net

> So, what have you folks run across?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54397&t=53862
Re: slightly OT: Pingflood [7:54334]
If you need to generate traffic which is a little more behaved I'd suggest using one of the ttcp packages. That way you can get better stats on the traffic and more easily increase the number of simultaneous tcp sessions -> traffic volume. Many versions support sending UDP as well if you don't want well behaved test background traffic.

There are minor risks in using ICMP as test traffic: some kernels' implementation of rate limiting the number of outbound icmp messages, the volume of packets being processed by the kernel hurting an application on one of your test hosts, or if testing across others' networks the mildly common practice of rate limiting icmp or subsets thereof.

Heck, cisco even has a ttcp for some versions of IOS, but I've never used it much since I need ttcp more with hardware based forwarding devices where ttcp on the RP would be a bad thing. Cisco's info is at http://www.cisco.com/warp/public/471/ttcp.html

Sorry for not responding earlier, I'd been on the road.

Darrell Newcomb
darrell(at)netswitchnet
Technology Advisor, Netswitch
http://www.netswitch.net

""sam sneed"" wrote in message news:[EMAIL PROTECTED]...
> Does anyone know where I can get a copy of this or something similar for
> Linux. I found a windoze version but I need linux or UNIX.
> My ping versions of linux and SunOS do not have the -f option. The only
> version of pingflood I found on google is crap, the source code reads:
>
> #include <stdlib.h>   /* system() */
> #include <unistd.h>   /* sleep() */
>
> /* runs ping ten times, sleeping 3 seconds between runs */
> int main(void)
> {
>     int count;
>     for (count = 1; count <= 10; count++) {
>         system("ping -s 2000 targetsite");
>         sleep(3);
>     }
>     return 0;
> }
>
> all this does is ping a lot, I want the version of the program that sends
> pings out faster than usual. I need to create lots of traffic to check
> response times across a router. And I want to do it without purchasing
> software (aka solarwinds WAN Killer)
>
> thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54369&t=54334
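The ttcp approach the reply above recommends, as an added example (not code from the thread and not a ttcp distribution): a sender pushes a fixed number of buffers over a TCP session to a receiver and the receiver reports bytes moved, elapsed time and Mbit/s, the per-session statistic you don't get from a flood ping. It runs sender and receiver in one process over loopback; the host, port selection and buffer sizes are assumptions chosen so it runs offline, and run_sessions() shows the "more sessions -> more volume" scaling the reply mentions.

```python
"""ttcp-style TCP throughput test (added example, not from the original post).
Sender and receiver run in the same process over loopback; host, port and
buffer sizes are assumptions for a local run."""
import socket
import threading
import time


def _receiver(listener, result, buflen):
    """Accept one connection and drain it, recording bytes and elapsed time."""
    conn, _ = listener.accept()
    with conn:
        total = 0
        start = time.perf_counter()
        while True:
            chunk = conn.recv(buflen)
            if not chunk:            # sender closed: end of test
                break
            total += len(chunk)
        result["bytes"] = total
        result["seconds"] = time.perf_counter() - start


def run_tcp_test(nbuf=2048, buflen=8192, host="127.0.0.1"):
    """Send nbuf buffers of buflen bytes over one TCP session.
    Returns {'bytes', 'seconds', 'mbps'} as measured on the receiving side."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))         # port 0: kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(target=_receiver, args=(listener, result, buflen))
    t.start()
    payload = b"\x55" * buflen       # constructed test pattern
    with socket.create_connection((host, port)) as s:
        for _ in range(nbuf):
            s.sendall(payload)
    t.join()
    listener.close()
    secs = max(result["seconds"], 1e-9)
    result["mbps"] = result["bytes"] * 8 / secs / 1e6
    return result


def run_sessions(nsessions=4, nbuf=512, buflen=8192):
    """Run several sessions in parallel (how ttcp users scale up traffic
    volume) and return the aggregate bytes delivered."""
    results = [None] * nsessions

    def worker(i):
        results[i] = run_tcp_test(nbuf, buflen)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(nsessions)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return sum(r["bytes"] for r in results)


if __name__ == "__main__":
    r = run_tcp_test()
    print(f"{r['bytes']} bytes in {r['seconds']:.3f}s = {r['mbps']:.1f} Mbit/s")
    print(f"4 sessions: {run_sessions()} bytes total")
```

For a real link test, run the receiver half on the far host and point the sender at it; the loopback numbers only show the tool works.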
Re: Linux Fetchmail monitoring tool [7:53244]
I don't really have much to say about fetchmail specifically, but two comments which are probably useful.

Sounds like you really want to speed up fetchmail, not just monitor it. I don't have any great suggestions about monitoring it other than parsing logs like any other service you can't actively monitor. But why not parallelize the fetching with multiple instances of fetchmail, just like you'd do to scale the canned mrtg. That is, as long as the target (Intuity Audix?) you are retrieving mail from can handle the extra connections.

Good Luck,
Darrell
up too late again.
darrellhayaitacosnet

""Firesox"" wrote in message news:[EMAIL PROTECTED]...
> Sorry for the offline topic.
> I have 750 POP3 email accounts being fetched by Linux fetchmail and forwarded
> to SMTP accounts in Exchange.
> It takes a very long time to go from the top of the .fetchmailrc run control
> file to the bottom of the script.
> Anyone know of any monitoring tooling for fetchmail?
> Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53249&t=53244
Re: Squid Caching Software [7:53221]
As dre said squid works great. Has worked great for a long time and I don't see any reason for it to stop being good. The available tools for log analysis are broad and pretty good, better than those of the commercial vendors I've seen. The tools for content filtering on squid (though I don't advocate this so I don't try to track it) are moderate and the commercial vendors seem to have done better at this. Squid has a much more visible process which makes it easier to support and you won't have to deal with vendors claiming black magic inside their box.

The only headaches I've had from a deployed squid cache were from content developers who had no knowledge of caching and whose server was on the far side of a cache. Arguably they shouldn't have been writing content for that big of an audience, but a little education and guidance along with appropriate acl's make that type of problem disappear quickly.

BTW, I'm also a fan of anycast; I put it in a few situations back in the mid 90s, then saw other folks had been doing it in roughly similar ways, and even went to work for one of them briefly. It works well too; the only challenge there was finding midlevel support folks willing to wrap their minds around something a little different, and in today's market that doesn't seem to be much of a challenge.

Good Luck,
Darrell
always looking for the next big project...
darrellhayaitacosnet

""John Neiberger"" wrote in message news:[EMAIL PROTECTED]...
> I guess I should have been specific about our circumstances. We're
> replacing an older Compaq TaskSmart cache server and we want to get two
> of something or other, and we're having a hard time making up our minds.
> Today I got the bright idea that we could simply buy two Sun Netra
> servers and put Squid on them. Sounds like a good idea to me but I
> wanted to hear the opinions of other Squid users.
>
> Thanks!
> John
>
> >>> "dre" 9/12/02 3:04:07 PM >>>
> ""John Neiberger"" wrote in message
> > Are any of you using the Squid open source software on your own
> > hardware? If so, are you happy with it? How does it perform in
> > comparison to other caches you've used?
>
> I like Squid. ICP multicast seems like a very intelligent way to move
> content around. Content encapsulation with mod_gzip is nice on the
> sending side, but more people need to be caching content on the
> receiving side!!!
>
> Cache hierarchies are very nice, but as a content provider (no names here),
> I can tell you that all the CDN's and cache hierarchies in the world aren't
> going to solve any real world problems. Cache hierarchies are for end-users,
> not content providers.
>
> Direct interconnection and/or smart routing (BGP performance and correct
> operation of multi-homed networks) has been and also currently is the
> champion for content providers, and where they should put the most
> investment in. Private/Public peering is also a better cost optimization (by
> leaps and bounds!) for heavy content providers than CDN's or cache
> hierarchies. Another big responsibility for content providers (and a MUST
> if they want to save huge amounts of time and money) is to provide the
> ability for their content to be cached by end-users and Tier-2's. The book
> "Web Caching" by Duane Wessels is excellent as are the RFC's. However,
> this is not a networking problem, it's an HTML and coding problem.
>
> While Cisco and Akamai don't understand this at all, they seem to be
> pushing their products to the wrong people, IMO, and this is why their
> product lines are suffering. DNS content routing mechanisms (e.g. RR DNS,
> Cisco Boomerang, Cisco DD, Radware Global Triangulation, et al) are
> proving to not work (because of DNS servers caching TTL's).
>
> To put this in easier terms, content routing can be done in a few forms:
> * DNS mode - done by client's DNS (not direct end-user), DNS server caching
>   avoids administratively set TTL's, can be bypassed by using IP or different DNS
>   name (http://yahoo.com instead of www.yahoo.com)
> * HTTP-Redirect mode - browser problems, bookmarks can bypass, DNS
>   caching can still avoid administratively set TTL's (same problems really)
> * Edge-Intercept - now this does avoid DNS caching, but requires access to
>   all the end-users and network. Still has problems with multi-homed users or
>   users attempting to use different DNS servers.
> * BGP + Anycast - only real method that I know to solve global reachability of
>   services across distributed data centers. Done with IP addresses (announcing
>   single multi-homed blocks in more than one place, with /32's reachable for single
>   IP's throughout the internal infrastructure (since you can't announce anything
>   greater than a /24 in the Internet routing table). Anycast addresses are injected
>   into the IGP (could be IBGP, doesn't have to be OSPF/EIGRP/ISIS) and marked
>   with metrics showing
Re: Unicast flooding on switch ports [7:52907]
Well I had an early Cat6k with Sup1 and a software bug which caused the L2 CAM not to populate. A simple software upgrade resolved the problem; it's been too long for me to recall which CatOS version that would have been. I doubt that's what you're facing, but since you asked for examples :-)

First I would suggest you verify the packets you are seeing have unicast MAC destination addresses. Some protocols do use broadcast MAC addresses with Layer 3 unicast addresses and this traffic you're observing may well be normal. It's best to understand what you are seeing before jumping to conclusions. Also double check that you aren't SPAN'ing that VLAN to your sniffer...

That being said, if there is still something to chase, the next thing to do is verify the cam is populated correctly for those endhosts. The cam (content addressable memory) is the storage for the layer 2 forwarding tables in these boxes. Without knowing where to forward frames to, the switch is forced to flood the frame out each port that is a part of that VLAN, which may be what your sniffer is seeing. For CatOS based, use sh cam to view it; issue it for the other NT server as well. If a definite dest port isn't listed then you need to look into why. Issue the commands a few times in short succession to see if a destination port is ever learned. It may be that the switch you're attached to isn't keeping a stable cam due to interfaces flapping, STP topology changes (from network design flaw), software bugs, some other device sending frames from those hosts' MAC addresses, use your imagination. If you need to hook the sniffer up to one of the other switches which carry that VLAN, that may help you narrow the scope of the problem.

If you can't see what's wrong provide us the following:
- Where are the two NT hosts in question attached in the diagram you're giving.
- What are the specific src/dst mac, ip, and if applicable port numbers of the traffic that you see leaking.
- What is the state of the cam's for each of these hosts' mac addresses. It'd be nice for each switch between these hosts. And what device does each of these destination ports represent.
- Output of sh spant stat

Good Luck,
Darrell Newcomb
[EMAIL PROTECTED]
Consultant, Netswitch--Turning your Needs into Results
http://www.netswitch.net
BTW, Netswitch has been Serving Indonesia since 2000

""Hitesh Pathak R"" wrote in message news:[EMAIL PROTECTED]...
> Dear Group,
>
> I am having a setup like this :-
>
>   cat6k -- cat6k
>     |        |
>   Cat5k    Cat5k
>
> I am connecting the sniffer on one of my core switches (cat6ks) and without
> doing port mirroring (SPAN) able to see the unicast packets flow between 2
> Windows NT servers. Does this indicate unicast port flooding ??? or is this
> the default behavior of my Sniffer s/w. I am using Network associates
> Sniffer s/w. The port where the PC is connected is also in the same vlan in
> which the Windows NT servers are connected. Both the Servers are connected
> on the same switch. The servers are Win2k.
>
> Has anybody faced a similar problem like this ???
>
> many thanks in advance
>
> Hitesh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52914&t=52907
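The two checks the reply above asks for, modelled as an added example (not code from the thread): is the destination MAC really unicast, and does the switch have a CAM entry for it. The block is a minimal learning switch; frames and MACs are constructed, with the two NT servers on ports 1 and 2 and the sniffer on port 3 with no SPAN. When the CAM knows the destination the sniffer port sees nothing; when the entry is missing (never learned, aged out, wiped by a flap) the frame is flooded to every port in the VLAN, including the sniffer's.

```python
"""Unknown-unicast flooding on a learning switch (added example, not from
the thread).  Frames, MACs and port numbers are constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
NT1 = "02:00:00:00:00:01"      # constructed MAC, NT server on port 1
NT2 = "02:00:00:00:00:02"      # constructed MAC, NT server on port 2
SNIFFER_PORT = 3


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int


def is_group_address(mac):
    """Broadcast/multicast destinations have the I/G bit set: the lowest
    bit of the first octet.  Such frames go to every port by design, so
    seeing them on the sniffer is normal."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}              # mac -> port, what 'sh cam' would show

    def forward(self, frame):
        """Learn the source, then return the set of egress ports."""
        self.cam[frame.src.lower()] = frame.in_port
        others = self.ports - {frame.in_port}
        if is_group_address(frame.dst):
            return others
        port = self.cam.get(frame.dst.lower())
        if port is None or port == frame.in_port:
            return others          # unknown unicast: flood the VLAN
        return {port}


def leaked_to(switch, frames, sniffer_port):
    """Run frames through the switch; return what the sniffer port sees,
    tagged 'group' (normal) or 'flooded-unicast' (worth chasing)."""
    seen = []
    for f in frames:
        if sniffer_port in switch.forward(f):
            kind = "group" if is_group_address(f.dst) else "flooded-unicast"
            seen.append((f.src, f.dst, kind))
    return seen


def nt_scenario():
    """Two-way NT1<->NT2 traffic, then the same traffic after NT2's CAM
    entry disappears and NT2 stops talking back.  Returns both sniffer views."""
    sw = LearningSwitch([1, 2, SNIFFER_PORT])
    conversation = [Frame(NT1, NT2, 1), Frame(NT2, NT1, 2),
                    Frame(NT1, NT2, 1), Frame(NT2, NT1, 2)]
    steady = leaked_to(sw, conversation, SNIFFER_PORT)
    sw.cam.pop(NT2)                # aged out / flap / bug: entry gone
    one_way = leaked_to(sw, [Frame(NT1, NT2, 1), Frame(NT1, NT2, 1)], SNIFFER_PORT)
    return steady, one_way


if __name__ == "__main__":
    steady, one_way = nt_scenario()
    print("steady state, sniffer sees:", steady)      # only the very first frame
    print("after CAM loss, sniffer sees:", one_way)   # every NT1->NT2 frame
```

Only the first frame of the conversation leaks in steady state (NT2 had not been learned yet); once the entry is gone and nothing from NT2 refreshes it, every frame to NT2 floods, which is the pattern to look for with repeated sh cam output.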
Re: traffic shapping and rate-limit [7:52468]
On the outbound side the ISP has already incurred the expense of transporting the outbound data to the edge router the customer is connected to. So delivering the traffic within reason would be in everyone's best interest.

On the inbound side the pricing model for rate limited service which the customer wanted is such that taking more traffic than they are paying for would be financially unacceptable. Now of course as the ISP you could build into the price of service the overage traffic, but look at what that means. First you need to have backbone capacity for it, since your backbone capacity planning metrics/plan won't easily account for drops and usage of various diffserv values, mainly since a fully paying customer has much traffic with zero'ed diffserv values and may expect those values to hold true for one of their egress circuits on your network (IP-VPN or other site-to-site). Then you're incurring the expense of upgrading backbone circuits sooner.

For most frame services you will build this into the cost structure since customers' traffic CAN be shaped by the ATM core effectively, it's almost 100% on your network so the unit cost for bits above committed rates is much lower, and there is a controlled set of sinks/sources based upon the PVC's the customer has purchased to make the capacity planning problem slightly more constrained.

Hope this helps to explain why shape outbound and limit inbound. Of course there are good arguments for doing similar services in different ways, I was just trying to give the background for why many folks choose this method.

Darrell

""YASSER ALY"" wrote in message news:[EMAIL PROTECTED]...
> It's my turn to disagree :). If we are going to consider quality of
> service from ISP point of view then don't you think that rate-limit is
> giving you the advantage of passing exceeding traffic for your client
> after marking it such that if you do have free bandwidth as the ISP you
> can let this traffic through, and drop it if not? Using rate-limit in
> such a way means that you can think of charging your client more for
> giving him such an option.
>
> This is not achievable using traffic-shaping as it just sets a
> threshold and drops packets exceeding that threshold.
>
> What you are doing means to me that you find traffic-shaping is better
> than rate-limiting so you are applying it on the outgoing traffic to the
> client. However, as it is unidirectional and you can't rely on asking the
> client to do it from his side also for the other direction so the only
> alternative is to rate-limit on the incoming traffic.
>
> Would you kindly explain to us why you find your way would provide a
> better quality from the ISP ?
>
> Regards,
>
> Yasser
>
> >From: Jay Greenberg
> >I would have to disagree. From an ISP standpoint, when we supply a
> >capped service to a customer, we use a combination of rate-limiting and
> >traffic shaping. I Rate-limit the input, and traffic shape the output.
> >I suppose it is more resource-intensive on our end, however don't you
> >agree that it is better quality of service from the ISP?
> >
> >On Sun, 2002-09-01 at 04:29, YASSER ALY wrote:
> > > Rate-limiting is what we call policing and it is done from the ISP side.
> > > It is bi-directional so you can rate limit input & output. You can define
> > > what is the policy to be followed when traffic is within range and what
> > > to be done once exceeded like pass, mark, drop.
> > >
> > > Traffic-shaping is done from the client side and it is unidirectional (
> > > Controlling the outgoing traffic from an interface. Shaping helps when 2
> > > sites are communicating with each other, one of them is 1M while the
> > > other is 256K, traffic shaping would be defined from the 1M side in order
> > > not to flood the 256K link and lots of retransmission occurs.
> > >
> > > >From: "Mohamed Saro"
> > > >what is the difference and the direction of
> > > >rate-limit and traffic shaping

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52673&t=52468
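The mechanical difference behind the thread's "shape outbound, limit inbound" discussion, as an added example that is not code from any of the posts: both a policer (rate-limit/CAR) and a shaper meter traffic against a token bucket, but a policer acts on each packet immediately (conform: forward; exceed: drop or mark) and adds no delay, while a shaper holds excess packets in a queue and releases them as tokens accrue, so bursts turn into delay and drops happen only when the queue is full. Packet arrival times and sizes, the rate and the bucket depth are constructed values.

```python
"""Policer (rate-limit) versus shaper as a token-bucket simulation.
Added example, not from the thread.  Packets are (arrival_seconds, bytes);
rate_bps is bits/s; burst_bytes is the bucket depth."""


def police(packets, rate_bps, burst_bytes):
    """Single-rate policer.  A packet conforms if the bucket holds enough
    tokens and is forwarded at once; otherwise it exceeds and is dropped
    (a CAR 'exceed-action' could mark instead).  Nothing is queued or delayed.
    Returns (passed, exceeded), both lists of (arrival, size)."""
    tokens, last = float(burst_bytes), 0.0
    passed, exceeded = [], []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8.0)
        last = t
        if size <= tokens:
            tokens -= size
            passed.append((t, size))
        else:
            exceeded.append((t, size))
    return passed, exceeded


def shape(packets, rate_bps, burst_bytes, max_delay):
    """Shaper.  A packet the bucket cannot cover waits in a FIFO until enough
    tokens have accrued, so a burst is smoothed into delay.  Only when the
    wait would exceed max_delay (the queue is full) is the packet dropped.
    Returns (sent, dropped); sent entries are (arrival, departure, size)."""
    tokens, last = float(burst_bytes), 0.0
    sent, dropped = [], []
    for t, size in packets:
        depart = max(t, last)                      # FIFO: after the previous packet
        avail = min(burst_bytes, tokens + (depart - last) * rate_bps / 8.0)
        if size > avail:
            depart += (size - avail) * 8.0 / rate_bps   # wait for the deficit
            remaining = 0.0
        else:
            remaining = avail - size
        if depart - t > max_delay:
            dropped.append((t, size))              # queue full, tail drop
            continue
        tokens, last = remaining, depart
        sent.append((t, depart, size))
    return sent, dropped


if __name__ == "__main__":
    # constructed burst: three 500-byte packets at t=0, one more at t=1s,
    # against 8 kbit/s (1000 bytes/s) with a 1000-byte bucket
    pkts = [(0.0, 500), (0.0, 500), (0.0, 500), (1.0, 500)]
    print("policer:", police(pkts, 8000, 1000))
    print("shaper :", shape(pkts, 8000, 1000, max_delay=2.0))
```

With those numbers the policer forwards two of the three burst packets and drops the third outright; the shaper forwards all three, the third half a second late, and drops it only if the allowed queueing delay is shorter than that.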
Re: Secondary addresses on fast ethernet interfaces [7:52295]
Short answer would be not unless the volume of data was a problem or the new configuration caused packets to be switched (process, ...) in a different manner than before. I think you want to do:

int fa0/0
 ip addr 205.109.29.x (where x is >128) 255.255.255.128
 ip addr 205.109.29.33 255.255.255.224 sec

If you are trying to keep x below 128 then you've got a problem with the subnet masks being different. Not a problem for the router, but a problem for the end hosts the router sends icmp redirects to which have different subnet masks. Assuming no other routers are attached to the L2 network of this fa0/0, just disable icmp redirects and also seriously consider ip route-cache same-interface. If you want to run a trunking protocol and have the two networks on different sub interfaces then you'll have to straighten out any overlapping net blocks.

By abstracting X for us you really made it difficult to help. Showing the .29. as an X if you wanted to hide addresses would have been better.

Good Luck and hope this helps,
Darrell

""McHugh Randy"" wrote in message news:[EMAIL PROTECTED]...
> All,
> Does anyone know if using a secondary interface on fast ethernet 0/0 on a
> 7204 will degrade performance on the network for the primary interface? I
> have to route a different subnet on a LAN and cannot do it without
> creating a secondary interface?
>
> for instance
> interface FastEthernet0/0
>  ip address 205.109.29.x 255.255.255.128
>  no ip route-cache
>  no ip mroute-cache
>  full-duplex
>  no cdp enable
> interface FastEthernet0/0.1
>  ip add 205.109.29.33 255.255.255.224
>
> to add a second subnet to this router for that LAN
>
> Will this degrade performance or cause a problem.
>
> There is probably a better way to do it but the router will not let me
> create a static route for this subnet because the gateway is the router
> itself.
> for instance
>
> Enter configuration commands, one per line. End with CNTL/Z.
> AAAV7204(config)#ip route 205.109.29.32 255.255.255.224 205.109.29.129
> %Invalid next hop address (it's this router)
> AAAV7204(config)#
>
> Thanks,
> Randy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52304&t=52295
Re: How to force a gratuitous ARP [7:51674]
Been awhile since I've read this list, but saw this posting and figured I'd offer an alternative way of looking at this. I can recall a time when I had to make a move just like this, without knowing what the mix of devices was on that L2 network.

If you don't need the original router for something extremely soon you can just move the IP address and keep an address with ip forwarding enabled on the deprecated (historic) router. Policy routing on that interface works good when the historic router needs to carry on other tasks as well.

If you are moving service from R1 to a new router R2 do the following by connecting to those routers independently of the moving address:

R1:
conf t
int fa0/0
ip address

R2:
conf t
int fa0/0
ip address

Now you've got the hosts which have arp'ed or have fixed arp tables sending traffic to R2. You have stale arp entries with the MAC address of R1, which is receiving and handling traffic as before. You've got time to fix the hosts' arp tables via any number of different methods. You can watch the packet input rate on R1's interface and see which hosts are still not cleaned up. If the input rate doesn't match output then most of the packets coming in are probably junk of some sort, dhcp or other broadcasts. As the volume drops you can probably use an inbound acl on the interface to log packets...there is likely some noise of packets which will be coming in and you want to make sure it's really noise and not a valid host still forwarding to R1. It would be advisable to finally shutdown R1's interface in a maintenance window just in case you missed something...

A plus and minus depending upon how you look at it is R1 would now be issuing icmp redirects to the address those hosts thought they were sending things to anyway. The plus side is the admins of those hosts catch them in logs and think about it, at which time you should have educated them already about what it is and to DO something about it before R1 gets shutdown. The minus side is some hosts' IP stacks insert permanent host records for each redirect they receive, which means you could cause them cleanliness problems (memory, forwarding table size, ...). Consider turning off redirects on R1's interface if you haven't already turned it off everywhere.

If you need to force traffic through R2, go back to R1 because R1's existing config can't support accepting the remaining traffic:

access-list 100 permit ip any any
(change this if you have other traffic entering this interface you don't want to force toward R2)
route-map moveto-r2
 match ip addr 100
 set ip next-hop
int fa0/0
 ip policy route-map moveto-r2

A variation on other suggestions would be if R1 and R2 are both attached to the same switch: getting L2 forwarding of R1's mac wouldn't be hard along with setting the MAC of R2's interface. Not sure if that'd work in your environment though.

Good Luck,
Darrell Newcomb
Always looking for the next killer project
darrell(at)hayaitacosnet

""John Neiberger"" wrote in message news:[EMAIL PROTECTED]...
> I'm planning on moving routing responsibilities from a router to our
> 6513 and I *really* need to minimize downtime. I'll be moving an
> interface IP address from one device to another and this is the default
> gateway for all devices on that network. The problem is that all
> devices on that subnet will have the wrong MAC address in their ARP
> caches. I know that if I issue a unicast ping from the new router it
> will force the end host to update its ARP cache but a broadcast ping
> does not accomplish the same thing, probably because most devices ignore
> a broadcast ping, and I don't feel like pinging every device
> individually.
>
> I can't configure HSRP just to gain the benefit of gratuitous ARP;
> simply configuring it will be disruptive and that's what I'm trying to
> avoid.
>
> Any ideas?
>
> Thanks,
> John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51803&t=51674
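What the gratuitous ARP the original question asks about actually is on the wire, as an added example (not code from the thread, Cisco, or the 6513): an ARP whose sender and target protocol addresses are both the moved IP, sent to the broadcast MAC so every host on the segment that already has an entry for that IP updates it to the new MAC. The block builds the frame by hand and parses it back, checking the gratuitous property. MAC and IP values are constructed; actually transmitting needs a raw socket (Linux AF_PACKET, root), which send_frame() does and nothing else in the block calls.

```python
"""Gratuitous ARP built and parsed by hand (added example, not from the
thread).  MAC/IP values are constructed; send_frame() is Linux-only and
needs CAP_NET_RAW."""
import ipaddress
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST_MAC):
    """Ethernet II header + 28-byte ARP body (IPv4 over Ethernet)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, op
           + mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
           + mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def build_gratuitous_arp(mac, ip, as_reply=False):
    """Gratuitous ARP: sender IP == target IP, broadcast destination.
    The request form (op 1, zero target MAC) is the one most stacks honor;
    some implementations send the reply form (op 2, target MAC = own MAC)."""
    if as_reply:
        return build_arp(ARP_REPLY, mac, ip, mac, ip)
    return build_arp(ARP_REQUEST, mac, ip, ZERO_MAC, ip)


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    spa, tpa = frame[28:32], frame[38:42]
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
        "gratuitous": spa == tpa,      # the property that makes hosts update their cache
    }


def send_frame(frame, ifname):
    """Transmit a raw frame on ifname.  Linux only, needs root; never called here."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    s.bind((ifname, 0))
    try:
        return s.send(frame)
    finally:
        s.close()


if __name__ == "__main__":
    # constructed: the gateway IP moving to the new router's MAC
    frame = build_gratuitous_arp("02:00:00:00:0c:02", "10.1.1.1")
    print(frame.hex())
    print(parse_arp(frame))
```

Hosts differ in which form they accept, and some ignore unsolicited ARP entirely, which is why the reply above keeps the old router forwarding until its input counters show the stragglers are gone.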
Re: CCIE Lab - San Jose [7:37444]
Ejay, I think you mean the one in Sunnyvale on Mathilda just off 101? With a Burger King and Hobbee's right there as well. Wish I had a URL to share, but would seem like a good place to stay.

Darrell

"Hire, Ejay" wrote:
>
> There is a $50/night motel 6 with a denny's in the parking lot that is
> okay. I can't remember the name of the street it's on, but it's only about 2
> mi. from the hq.
>
> -Ejay
>
> -----Original Message-----
> From: timothy thielen [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 07, 2002 12:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: CCIE Lab - San Jose [7:37444]
>
> If your test date is a long way off, or you are close by, start walking now.
> Remember to pack food and supplies for cold and warm weather. Also, a rain
> poncho may be wise.
>
> Carry or search for a cardboard box (the only approved Homeless/bum shelter
> approved for use within San Jose). Find a space to sleep either near the
> cisco compound or near a light-rail station.
>
> Transportation from Box to Cisco: Take the light-rail. USUALLY nobody will
> even check for a ticket. If the transit police DO check, at least you have
> a better place to sleep tomorrow night.
>
> Seriously, though, things are not cheap in San Jose. BUT, they do have an
> abundance of Starbucks Coffee Installations, where jack-booted
> Caffeine-Nazi's are likely to force you to consume the People's Drink.
>
> --Tim
>
> James wrote:
> >
> > Hello,
> >
> > I hope to get some advice from those who attempted the
> > lab in San Jose. I have a lab scheduled soon and hope
> > that someone can let me know where to stay at the best
> > rates, travel arrangements from hotel to Cisco, etc..
> > any information is greatly appreciated.
> > Thank you

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37577&t=37444
Re: MPLS and AS5300 [7:37252]
From the top of my head the cisco party line on this is to use the as5300 as a LAC for a 7200/7400/... LNS which would do the MPLS encaps. Then again there has been a lot of standards work on making the LNS/LAC communication over MPLS. There's my two cents for what it's worth. But these developing features really require research given your individual requirements.

Good Luck,
Darrell

"Woods, Randall, SOLCM" wrote:
>
> searching the software advisor by features, doesn't look like the as5300
> supports MPLS. Maybe someone can find something different.
>
> Woody
> CCNP
>
> -----Original Message-----
> From: Michalis Palis [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 05, 2002 7:02 AM
> To: [EMAIL PROTECTED]
> Subject: MPLS and AS5300 [7:37252]
>
> Dear all
>
> Can AS5300 support MPLS? If yes what is the IOS that
> supports it? I checked Cisco site but i couldn't find
> any info
>
> thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37275&t=37252
Re: what is wrong with the job market ? [7:35611]
nrf wrote:
>
> ""Chuck"" wrote in message news:[EMAIL PROTECTED]...
> > in the case of a number of the CLEC's, part of the problem was the old telco
> > monopoly that they had to fight.
>
> Maybe it was part of the problem, but not the whole problem. True, the
> RBOC's were hindering the DSL CLEC's. But that doesn't explain the
> financial failures of international network backbone providers (Global
> Crossing), the biggest cable-modem ISP (Excite@Home), or the biggest hosting
> service (Exodus). Or the downward spiral of many of the other big
> providers.
>
> Now you might say that all these companies made mistakes, and surely they
> did. On the other hand, I believe it is the case that even if these
> companies had executed perfectly, they still would have failed, although I
> agree they would have lasted longer. The biggest factor contributing to
> their decline is that the demand wasn't there to sustain them. If there had
> been as much demand as these providers thought there was, then I believe
> that most of these providers would be doing quite well, mistakes or no.

First it's nice to see folks from the trenches talking about these things in public. I totally agree that demand was less than projected. This really beat to hell the working capital management practices companies had adopted. A shortfall in demand in the short term wasn't a big deal as that'd been happening throughout the boom. It was the lack of access to new capital so that there was time to build the demand. The time horizons for profitability on many of these firms were tightened by several years. Massive changes needed to take place to realize that; we're watching that now along with a general economic recession.

Another factor that most large telecom builds have in common is the use of debt (usually bonds) to fund the builds. Given two equal providers, one who has a significant debt/interest burden can't last nearly as long. We have seen much progress with providers dumping debt by negotiating with bond holders. (At least the bond holders are getting something now while they can.) These facts of telecom providers led to pseudo price wars with a big downward spiral in prices. Firms trying to survive dropped pricing beyond sustainable levels to increase revenue; they have gone (are going) out of business. Their assets are being purchased at much lower price points with the resulting providers able to offer services much cheaper than the debt burdened providers.

I'm not going to speculate here about how the telcos will pull out of this mess, but in looking at this we can't ignore the tightened timeframe to profitability and higher interest payments from longterm debt acquired during the boom.

Darrell

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35804&t=35611
Re: ccnp beta [7:35726]
I took some beta exams for CCNP back the last time(?) they reworked the tests a few years ago. Got some big surprises on questions covering some odd areas, but they seemed pretty fair. As long as you aren't in a rush to get results back go for it,

Darrell

Constantin Tivig wrote:
>
> Anyone passed or participated in a CCNP beta exam?
> How is it? How many questions, how much time, how difficult?
> Do you think it is worth, or take the normal exam?
>
> Any answers appreciated.
>
> Costin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35800&t=35726
Re: OSPF across PIX [7:24608]
You 'could' pass a BGP session with a route-map to set next-hop correctly for both sides of the session. But you still have the issue of what routes you are advertising across any NAT. The challenge you have is extracting value from running some dynamic routing over a statically configured device (PIX). There are a few cases where it makes sense but not many.

Darrell

Tom Martin wrote:
>
> Pat,
>
> Getting a PIX to pass OSPF would require one of two methods: Routing or
> NAT. First, the PIX isn't a router, and if it were it still wouldn't work
> since OSPF LSAs are sent to the non-routable 224.0.0.5/6 addresses (as
> well as have a TTL of 1). NAT is not a viable alternative as NAT will not
> change the payload of OSPF packets, a requirement as networks would appear
> differently on one side than on the other.
>
> An alternative, although it probably introduces an unwanted security
> problem, is to allow an IP-IP or GRE tunnel through the firewall. With
> OSPF packets encapsulated inside the tunnel NAT becomes a non-issue. Of
> course, if you implement this type of solution you could encrypt data sent
> through the tunnel which is better than nothing -- but I would not
> implement a solution like this for long-term use.
>
> - Tom
>
> In article , "Patrick Ramsey" wrote:
>
> > First thought is that this will not work. imagine this and tell me what
> > you think.
> >
> > In pix, your acl's are based on tcp/udp/icmp. These all are
> > protocols, like ospf is its own protocol... since ospf (protocol 89) is
> > separate, opening up a port dealing with tcp/udp/icmp would be
> > completely useless.
> >
> > -Patrick
> >
> > >>> "pat" 10/29/01 11:01PM >>>
> > Does anybody have any ideas on how to run OSPF across a firewall. What
> > ports to be open & how to make the router establish neighbour relations across
> > the firewall.
> >
> > Any thought on this will be greatly appreciated.
> >
> > Thanks,
> > patterson.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34358&t=24608
CCIE Lab Question [7:34222]
My subscription to the lab mailing list hasn't gone through yet so I figured I should post this question here.

We know that in preparation most folks use various products to emulate a Frame Relay switch. Cisco also details the questions I have about FR, but in regards to ATM:
http://www.cisco.com/warp/customer/625/ccie/certifications/ATM_FAQs.html

1) It is my understanding that in the lab any FR switch will be an external device not to be configured by the candidate. Just like item 1 in the above URL explains about ATM. Is this correct?

2) Is IS-IS included in the CCIE Lab, or does the removal of CLNS stated at http://www.cisco.com/warp/public/625/ccie/certifications/routing.html#43 mean that CLNS is so far out of coverage that it can't be used as local L2 transport for ISIS?

Thanks in advance for your input,
Darrell
http://www.hayaitacos.net/ccie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34222&t=34222
Re: Limit access to serial link to four [7:33306]
Ok, this is like the 8th time I've sent this; maybe I'm tripping the new spam system, but I've never had a problem posting before.

I try not to use the below logic on my networks, but have also never had it fail to deliver service when there was no other choice. The common streaming of Windows Media and Real have such large client-side buffers that you'll find you can seemingly overload the link without having any user-observable qualitative difference. Some factors which contribute even more to the success of overloading: the bit rate varies, as the encoders don't always output the maximum data rate. Most streams on the public internet are short lived, so the standard buffers can cover the end of the stream the user is still viewing, leaving capacity for other streams to go through their peak startup period. The traditional stat-muxing factors come into play, where depending upon the application there is some downcycle in streaming usage in the workflow. You only need a 2.5:1 to get 300kbps streams through uncongested.

Lastly, I think you are approaching the wrong problem. Non-streaming uses for the same 2Mbps link will be the big enemy of predictably good streaming performance. Your application may even be one of those by downloading other supporting data...

To more directly approach the problem space you posed:
- There is xauth in pixOS and I believe IOS as well.
- Couple that with a creative authentication server, or a script to control it.
- The above should get you the max number of sessions through.
- Can't recall the reflexive access lists with CAR ball of wax off the top of my head, but there is some per-session rate limiting in Cisco.

There is various rate limiting equipment out there. Riverstone has good affordable routers for this, Netscreen claims to do it (haven't used them yet), and Packeteer also does this type of thing. There is more, but I believe them to be the notables.

There are proxy and/or cache products which would address the max number of sessions issue and maybe address the usage pattern you have.

Not that I'd recommend this, but if your application and the rest of the network path can adequately support forcing the streams over a TCP session you'll probably find it much easier to deal with the rate limiting. But really try to handle it without forcing TCP, as any backoffs will hurt the qualitative performance if there are other significant numbers of TCPs over any congested link. (read: IME (nee opinion) TCP will back off quicker than a given streaming protocol)

Good Luck,
Darrell (always looking for contract work) Newcomb
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33368&t=33306
RE: Limit access to serial link to four users [7:33306]
This didn't seem to post earlier.

I try not to use the following on my networks, but have also never had it fail to deliver service when there was no other choice. The common streaming of Windows Media and Real have such large client-side buffers that you'll find you can seemingly overload the link without having any user-observable qualitative difference. Some factors which contribute even more to the success of overloading: the bit rate varies, as the encoders don't always output the maximum data rate. Most streams on the public internet are short lived, so the standard buffers can cover the end of the stream the user is still viewing, leaving capacity for other streams to go through their peak startup period. The traditional stat-muxing factors come into play, where depending upon the application there is some downcycle in streaming usage in the workflow. You only need a 2.5:1 to get "300"kbps streams through uncongested.

Lastly, I think you are approaching the wrong problem. Non-streaming uses for the same 2Mbps link will be the big enemy of predictably good streaming performance. Your application may even be one of those by downloading other supporting data...

Now to more directly approach the problem space you posed:
- There is xauth in pixOS and I believe IOS NAT.
- Couple that with a creative authentication server, or a script to control it.
- The above should get you the max number of sessions through.
- Can't recall the reflexive access lists with CAR ball of wax off the top of my head, but there is some per-session rate limiting in Cisco.

There is various rate limiting equipment out there. Riverstone has good affordable routers for this, Netscreen claims to do it (haven't used them yet), and Packeteer also does this type of thing. There is more, but I believe them to be the notables.

There are proxy and/or cache products which would address the max number of sessions issue and maybe address the usage pattern you have.

Not that I'd recommend this, but if your application and the rest of the network path can adequately support forcing the streams over a TCP session you'll probably find it much easier to deal with the rate limiting. But really try to handle it without forcing TCP, as any backoffs will hurt the qualitative performance if there are other significant numbers of TCPs over any congested link. Basically that should read that in my experience TCP will back off quicker than a given streaming protocol, and that definitely FASTER than common streams.

Good Luck,
Darrell (always looking for contract work) Newcomb
[EMAIL PROTECTED]

Gaz wrote:
>
> Hi all,
>
> I'm after some ideas if you'd be so kind :-)
>
> A 2Mb link being used mainly for streaming media has about 15 potential users. The task is to limit the number of users at any one time to four, so they have half a Mb each (ish).
>
> My initial idea, which I must admit I don't think is such a good one, is to set up a NAT pool of four addresses, and drag the translation timeout down to about a minute (yet to be tested), so that the first four users to pass traffic will be translated and allowed through, but after that, they'll have to wait.
>
> I'm off to look at something like TACACS to see if I can control network authorization by number of users (shot in the dark).
>
> No equipment in place yet, so we have a clean drawing board.
>
> Anybody have any neat ideas please!!
>
> Thanks,
>
> Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33311&t=33306
Re: BGP and one backup link [7:33433]
You don't need to ask your customers to change their configuration, but you do probably need to continue to pass them fulls, so you need fulls from your upstreams.

To better control your 'backup' link:

1) To better control your outbound use local pref, but beware you might receive some prefixes unique to the view of the backup provider. You'll need to do something else to cover that up or hope the usage is in the noise.

2) To better control your inbound you just need to use methods which will get the backup provider to not prefer that link and thus not advertise it to anyone else. Your AS path prepend isn't doing the job. Likely they set the customer link to have a higher local pref, and the traffic you see is from the backup provider, its customers, and probably peers (since many set local pref on peers higher than transit providers) of the backup provider (who don't peer with the other provider). Most providers which prefer customer links provide a community structure to control advertisement use as backup (standard customer, customer backup (customer with 2 links), customer fallback (if no other path is available)).

Darrell

Alejandro Acosta wrote:
>
> Well, in fact I have had up to 3 simultaneous links to Internet working very well. The idea of only having one primary link and one backup link is for saving costs. Additionally I have many customers talking BGP to me. At this moment I can not ask my clients to change their BGP configuration.
>
> Any idea?
>
> Alejandro Acosta
>
> -Original Message-
> From: Thomas Crowe
> To: [EMAIL PROTECTED]
> Sent: 28/01/02 12:45
> Subject: RE: BGP and one backup link [7:33433]
>
> Why not just use floating static routes? With only one active exit point, I don't see the reason for burdening your router with the BGP routing table, unless you are just receiving aggregates from your provider. Even then the floating statics should work.
>
> __
> Thomas Crowe
> Senior Systems Engineer / Architect
> CTS Professional Services - Atlanta
> __
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 28, 2002 10:36 AM
> To: [EMAIL PROTECTED]
> Subject: BGP and one backup link [7:33433]
>
> Hi all,
> I have a BGP question.
> At this moment we have one Internet link with just one provider; now we have got a second link just for backup. I mean, we can only use it for 180 hrs per month.
> I can easily manage my outgoing traffic (using local preference or weight), however the incoming traffic is more difficult. I added many prepends (9) in the publication of the second link but there is still little traffic on it.
> There is no IBGP between my two providers.
>
> Any ideas?
>
> Thks in advance.
>
> Alejandro Acosta
>
> [GroupStudy.com removed an attachment of type text/x-vcard which had a name of Thomas Crowe.vcf]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33454&t=33433
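An added example (Python, not from the thread or from any router configuration): a small model of the BGP best-path comparison that explains the reply above, i.e. why nine prepends on the backup link still attract traffic when the backup provider gives customer-learned routes a higher LOCAL_PREF than peer-learned ones, and why a provider "backup" community that lowers LOCAL_PREF does the job. The ASNs, router-ids and community values are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed ASNs from the documentation range (RFC 5398); not the thread's real ASNs.
CUSTOMER_AS = 64496   # the poster's AS (dual-homed)
PRIMARY_AS = 64497    # primary transit provider
BACKUP_AS = 64498     # backup provider, whose router's view is modelled here


@dataclass(frozen=True)
class Path:
    via: str            # neighbor the backup provider learned the route from
    as_path: tuple      # AS_PATH as seen by the backup provider, leftmost = nearest
    local_pref: int
    origin: int = 0     # 0 = IGP, 1 = EGP, 2 = incomplete (lower wins)
    med: int = 0        # lower wins
    router_id: str = "0.0.0.0"


def _rid_key(rid):
    return tuple(int(octet) for octet in rid.split("."))


def select_best(paths):
    """Ordered tie-breakers (WEIGHT omitted): LOCAL_PREF, AS_PATH length, ORIGIN,
    MED, router-id. The first attribute that differs decides."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.origin,
                                     p.med, _rid_key(p.router_id)))


def backup_provider_choice(prepends, customer_lp=110, peer_lp=100):
    """
    The backup provider hears the customer prefix two ways:
      - directly over the backup link, with `prepends` extra copies of the
        customer AS on the path (what the poster tried, with prepends=9);
      - from its peering with the primary provider (AS_PATH: primary, customer).
    `customer_lp`/`peer_lp` are the LOCAL_PREF values the provider's inbound
    policy assigns to customer and peer sessions. Returns the winner's label.
    """
    direct = Path(via="backup-link", as_path=(CUSTOMER_AS,) * (1 + prepends),
                  local_pref=customer_lp, router_id="192.0.2.1")
    via_peer = Path(via="peer-with-primary", as_path=(PRIMARY_AS, CUSTOMER_AS),
                    local_pref=peer_lp, router_id="192.0.2.2")
    return select_best([direct, via_peer]).via


# Constructed community-to-LOCAL_PREF scheme, modelled on the customer /
# customer-backup / customer-fallback structure described in the reply above.
COMMUNITY_LOCAL_PREF = {
    f"{BACKUP_AS}:100": 110,   # standard customer: preferred over peers
    f"{BACKUP_AS}:80": 80,     # customer backup: below peers, so not chosen while a peer path exists
    f"{BACKUP_AS}:50": 50,     # customer fallback: used only when no other path exists
}


def backup_provider_choice_with_community(community, prepends=0):
    """Same comparison, but the customer sets LOCAL_PREF through a provider community."""
    return backup_provider_choice(prepends, customer_lp=COMMUNITY_LOCAL_PREF[community])


def primary_link_down(community):
    """Once the primary path is gone the backup link is all that is left, whatever its LOCAL_PREF."""
    only_path = Path(via="backup-link", as_path=(CUSTOMER_AS,),
                     local_pref=COMMUNITY_LOCAL_PREF[community], router_id="192.0.2.1")
    return select_best([only_path]).via


if __name__ == "__main__":
    print("9 prepends, customer LP 110 vs peer LP 100 ->", backup_provider_choice(9))
    print("9 prepends, equal LP ->", backup_provider_choice(9, customer_lp=100))
    print("backup community, no prepends ->",
          backup_provider_choice_with_community(f"{BACKUP_AS}:80"))
    print("backup community, primary down ->", primary_link_down(f"{BACKUP_AS}:80"))
```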
Re: Limit access to serial link to four users [7:33306]
If all of my responses get through this will be embarrassing.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33318&t=33306
Re: EtherChannel alternatives(??) [7:33187]
One thing to remember if you do the EtherChannel for this customer is the src/dst MAC pairs and their respective flows may not be diverse enough to offer good load balancing. This is the case for most router-to-router subnets, such as in customer hand-offs like you seem to have. Yes, some of the Cisco line does src/dst MAC+IP (4) tuples, which addresses this problem, but not every box does that.

I too am interested in why the no-VLAN policy in this (hosting?) environment,

Darrell

John McCartney wrote:
>
> It is a policy from our IP-Eng group, can't find it in writing but they tell me it exists. I think because they like to have control. Oh well.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33276&t=33187
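An added example (Python, not from the thread or from Cisco) that models how an EtherChannel hashes each frame onto a member link, to show why a router-to-router hand-off with one fixed MAC pair lands every flow on the same link under src/dst MAC balancing and spreads out once IP addresses enter the hash. The XOR-of-low-order-bits hash is a simplification of the scheme Cisco documents for some Catalyst platforms, not any specific box's algorithm, and the sample flows and MACs are constructed.

```python
from collections import Counter
from ipaddress import ip_address
import random


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def hash_to_member(fields, n_links):
    """XOR the chosen header fields and keep the low-order bits that select a member.

    Simplified model of the XOR-of-low-order-bits scheme; real hardware differs in detail."""
    if n_links < 1 or n_links & (n_links - 1):
        raise ValueError("model assumes a power-of-two number of member links")
    acc = 0
    for value in fields:
        acc ^= value
    return acc & (n_links - 1)


# Field selectors for the load-balancing policies discussed in the reply.
POLICIES = {
    "src-dst-mac": lambda f: (mac_to_int(f["smac"]), mac_to_int(f["dmac"])),
    "src-dst-ip": lambda f: (int(ip_address(f["sip"])), int(ip_address(f["dip"]))),
    "src-dst-mac-ip": lambda f: (mac_to_int(f["smac"]), mac_to_int(f["dmac"]),
                                 int(ip_address(f["sip"])), int(ip_address(f["dip"]))),
    "src-dst-port": lambda f: (f["sport"], f["dport"]),
}


def member_link(flow, policy, n_links):
    return hash_to_member(POLICIES[policy](flow), n_links)


def distribution(flows, policy, n_links):
    """How many flows land on each member link under a given policy."""
    return Counter(member_link(f, policy, n_links) for f in flows)


def links_in_use(flows, policy, n_links):
    return len(distribution(flows, policy, n_links))


def router_handoff_flows(count, seed=7):
    """Constructed sample traffic for a router-to-router hand-off: every frame
    carries the same router MAC pair, while the IP hosts and ports vary."""
    rnd = random.Random(seed)
    flows = []
    for _ in range(count):
        flows.append({
            "smac": "02:00:00:00:00:01",   # constructed, locally administered MACs
            "dmac": "02:00:00:00:00:02",
            "sip": f"10.{rnd.randrange(256)}.{rnd.randrange(256)}.{rnd.randrange(1, 255)}",
            "dip": f"203.0.113.{rnd.randrange(1, 255)}",   # documentation range
            "sport": rnd.randrange(1024, 65536),
            "dport": rnd.choice([80, 443, 554]),
        })
    return flows


if __name__ == "__main__":
    sample = router_handoff_flows(64)
    for policy in POLICIES:
        print(f"{policy:15s} on a 4-link channel ->", dict(distribution(sample, policy, 4)))
```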
Re: Stupid Question [7:32591]
With the key NT cheap shot being: It doesn't matter how coherent the file system is if the OS isn't executing code, but rather rebooting. 'least those crashes prove they wrote a reasonable filesystem.

I really don't have anything against NT. Mainly since I'm not running it on any of my servers. :)

Darrell

Carroll Kong wrote:
>
> Reason being that NTFS is a journalled file system. Not sure on NT 3.51's version of NTFS, but if you say so, probably true. (not meant to be sarcastic, but sincere)
> As for the SQL database, depending if it had good rollback mechanisms to avoid corruption, it may or may not get corrupted, as you said.
> As for the unix systems, most of them use UFS, which is not a journalled file system. However, I do not know of many OSes or distributions that let you add in a journalled fs. One that comes to mind is linux with the reiserfs. (linux comes stock with ext2fs). (you can add in journalled file systems afterwards; one commercial unix in mind that comes stock and barrel with a journalled fs is the venerable Irix with its XFS). Go ahead, pull the plug on him, he won't care. No fsck on startup. Just smooth rolling.
> If you note the pattern here, it is a function of the file system (or in the database's case, how it retains data and does integrity checks and if it has rollback recovery to avoid data loss or undo bad transactions).
> Not sure if I can give a definitive reason on why the ciscos do not fear such things. Probably because it is not usually writing data very often, and the data it writes is essentially a text file (NVRAM configurations). The "OS" in itself is a static flash file that never needs to be overwritten during normal runtime operation, only during upgrades. This is totally different on a fully blown OS that has crazy writes usually going on during operation. Or even if it did not, has a good reason to double check for file integrity. The Cisco router was meant to be more of an appliance-like machine, so its behavior makes sense, and so does its obvious resistance to the occasional power plug pull.
>
> At 06:42 PM 1/21/02 -0500, Mark Odette II wrote:
> >H.
> >Funny, last I checked, you could turn off in Mid-Boot process, Pull the plug in Mid-Shutdown process, or yank the power to the UPS (and no battery left) with all NT Machines running (NT3.51 - W2K), and the system would never miss a beat in start-up file system recovery.
> >
> >Now do that to NT servers with Oracle or some SQL-type application server running on it, and it may have data corruption- but that's only with the DB's ... and that happens, no matter WHAT the platform.
> >
> >Now, then again, try doing the above such listed tasks of brutality to a Sun Box, an SCO box, or an AT&T Unix box, and watch the games begin as "Inodes" fly everywhere and the file system checker starts griping about how unhappy it is, and I wouldn't be surprised if an AIX or SGI box did the same. DB Server or not.
> >
> >Sorry... just gotta love those MickeySoft stabs that have no meaning other than for slander.
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, January 21, 2002 12:42 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Stupid Question [7:32591]
> >
> >Just turn them off or simply unplug them.
> >
> >Fortunately the IOS was not written by Microsoft and nothing will get corrupted!!!
> >
> >-Serge.
> >
> >Richard Tufaro wrote:
> > >
> > > What is the proper way to shutdown a router? Not reload, but shutdown? Just flick the switch? Seems too brutal to me.
> > >
> > > Richard Tufaro - MCSE - GSEC- CCNA
> > > Network Engineer - Anda Inc.
> > > [EMAIL PROTECTED]
> > > MSN IM - [EMAIL PROTECTED]
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32772&t=32591
Re: cisco 26xxx to run 8mbps [7:32628]
Ok, help us help you by providing all the details. Have you already defined the use of FRF.15, FRF.16, or FR/DS3 for this 8Mbps of traffic? Is the 8Mbps of traffic 8Mbps in each direction, or an in+out sum to reach 8Mbps? Is the 8Mbps a 95%-tile or a peak?

Darrell

suaveguru wrote:
>
> problem is that I am running over frame-relay not ATM
>
> so how should I solve the problem?
>
> regards,
> suaveguru
> --- Brian wrote:
> > Wanted you to see
> > http://www.cisco.com/univercd/cc/td/doc/pcat/atne__p2.htm
> >
> > Brian
> >
> > On Sun, 20 Jan 2002, Circusnuts_1999 wrote:
> >
> > > Ask your carrier this question and they will want to sell you a DS3 with say a minimum of a 7 Meg port charge (a lot of US carriers move in 7 Meg intervals and I don't know why). That would make your wants and needs an ATM capable router, and DS3 (minus IMA) is pretty much entry level ATM. I thought the 2600 accepted DS3 interfaces; I know a 3600 would work, but the question becomes an up-time issue. Most customers wouldn't baulk @ having to install a loaded 7206 VXR to support a 6K monthly connection and all the priceless traffic it can carry.
> > >
> > > All the best !!!
> > > Phil
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of suaveguru
> > > Sent: Sunday, January 20, 2002 10:22 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: cisco 26xxx to run 8mbps [7:32628]
> > >
> > > hi all
> > >
> > > thanks for all the comments and tips given by some of you guys. It seems like a 26xxx cannot cater for 8mbps traffic. If this is so, what is the min cisco router that supports 8mbps and what interface will this router need?
> > >
> > > thanks
> > >
> > > suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32657&t=32628
Re: PPTP performance [7:32649]
We need more info. What is the state of the underlying network that the VPN is using? That's basically traceroutes to the VPN tunnel endpoint, and pings to the public side of the PIX, the PIX itself, and the static NAT of the VPN server. Have you verified current behaviour between the VPN server and the other LAN endpoints it is providing access to? (just to eliminate that whole set of problems)

Darrell

Pierre-Alex wrote:
> (rephrased)
>
> I am logged on to a server via PPTP and pinging machines on the LAN.
>
> Are those response times typical? Looks kind of slow
>
> The VPN server is an IBM e-server, dual Pentium III with 512 Meg of RAM.
>
> Operating system is Windows 2000 Advanced Server (in a workgroup)
>
> There is only 1 user on the network at this time: me!
>
> The packets are going through a Cisco PIX with TCP port 1723 and Gre ports open for PPTP traffic.
>
> Please advise,
>
> Pierre-Alex
>
> Reply from 192.168.3.2: bytes=32 time=891ms TTL=254
> Reply from 192.168.3.2: bytes=32 time=751ms TTL=254
> Reply from 192.168.3.2: bytes=32 time=801ms TTL=254
> Reply from 192.168.3.2: bytes=32 time=791ms TTL=254
>
> Ping statistics for 192.168.3.2:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 751ms, Maximum = 891ms, Average = 808ms
>
> C:\>ping 192.168.3.1
>
> Pinging 192.168.3.1 with 32 bytes of data:
>
> Reply from 192.168.3.1: bytes=32 time=792ms TTL=254
> Reply from 192.168.3.1: bytes=32 time=731ms TTL=254
> Reply from 192.168.3.1: bytes=32 time=761ms TTL=254
> Reply from 192.168.3.1: bytes=32 time=951ms TTL=254

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32652&t=32649
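Darrell's answer is a layered measurement: ping the PIX outside, the PIX itself and the VPN server's static NAT, then a LAN host through the tunnel, and compare the steps. The following is an added example, not code from the thread, that parses Windows ping output of the kind Pierre-Alex pasted and reports which step adds the most round-trip time. Pierre-Alex's four replies from 192.168.3.2 are reused as the tunnel sample; the PIX and static-NAT samples, the 203.0.113.x addresses and the function names are constructed for the example.

```python
import re

# Windows "Reply from ..." lines; "time<1ms" is accepted as well.
REPLY_RE = re.compile(
    r"Reply from (?P<host>[\d.]+): bytes=\d+ time[=<](?P<ms>\d+)ms TTL=\d+"
)
TIMEOUT_RE = re.compile(r"Request timed out\.")

# Sample A: the four replies from 192.168.3.2 quoted in Pierre-Alex's post.
LAN_HOST_VIA_TUNNEL = """\
Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.3.2: bytes=32 time=891ms TTL=254
Reply from 192.168.3.2: bytes=32 time=751ms TTL=254
Reply from 192.168.3.2: bytes=32 time=801ms TTL=254
Reply from 192.168.3.2: bytes=32 time=791ms TTL=254
"""

# Samples B and C are constructed for this example (not from the thread):
# pings to the PIX's outside address and to the VPN server's static NAT.
# 203.0.113.0/24 is documentation address space; one probe is lost in C
# so the timeout path gets exercised.
PIX_OUTSIDE = """\
Pinging 203.0.113.1 with 32 bytes of data:

Reply from 203.0.113.1: bytes=32 time=44ms TTL=250
Reply from 203.0.113.1: bytes=32 time=46ms TTL=250
Reply from 203.0.113.1: bytes=32 time=45ms TTL=250
Reply from 203.0.113.1: bytes=32 time=47ms TTL=250
"""
VPN_SERVER_STATIC_NAT = """\
Pinging 203.0.113.10 with 32 bytes of data:

Reply from 203.0.113.10: bytes=32 time=48ms TTL=126
Request timed out.
Reply from 203.0.113.10: bytes=32 time=50ms TTL=126
Reply from 203.0.113.10: bytes=32 time=49ms TTL=126
"""


def parse_ping(output):
    """Return (rtts_ms, probes_sent) from Windows ping output."""
    rtts, sent = [], 0
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            rtts.append(int(m.group("ms")))
            sent += 1
        elif TIMEOUT_RE.search(line):
            sent += 1
    return rtts, sent


def summarize(output):
    """Min/max/avg/loss the way the 'Ping statistics' block reports them.
    Windows truncates the average to whole milliseconds, so 808.5 -> 808."""
    rtts, sent = parse_ping(output)
    received = len(rtts)
    summary = {
        "sent": sent,
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1) if sent else 0.0,
    }
    if rtts:
        summary.update(min=min(rtts), max=max(rtts), avg=sum(rtts) // received)
    return summary


def locate_latency(steps):
    """steps: (label, ping_output) pairs ordered from the nearest hop outward.
    Returns (label, added_ms) for the step where the average RTT grows the
    most over the previous reachable step: that is where to look first."""
    prev_avg, worst = None, (None, -1)
    for label, output in steps:
        avg = summarize(output).get("avg")
        if avg is None:          # every probe lost; nothing to compare
            continue
        if prev_avg is not None and avg - prev_avg > worst[1]:
            worst = (label, avg - prev_avg)
        prev_avg = avg
    return worst


# The sequence Darrell asks for, nearest hop first.
PATH = [
    ("PIX outside interface", PIX_OUTSIDE),
    ("VPN server static NAT", VPN_SERVER_STATIC_NAT),
    ("LAN host through the PPTP tunnel", LAN_HOST_VIA_TUNNEL),
]

if __name__ == "__main__":
    for label, output in PATH:
        print(f"{label:34s} {summarize(output)}")
    print("largest added latency:", locate_latency(PATH))
```

With these samples the first two steps sit around 45 to 49 ms and the tunnel step jumps by roughly 760 ms, which is the kind of split Darrell is after: the underlying network is fine and the problem is between the PIX and the VPN server, or in the server itself.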
Re: Catalyst 5000 vs. Catalyst 1201 for CCNP home [7:32606]
The 1201 UI is very close. Please correct me since it's been a while since I've run into 1200's.

1) Trunking. You can't do any form of trunking on the ethernet ports. But having 4000 series routers with the FDDI interface might be a good compromise.

2) Multicast. There are a few of the Catalyst multicast features (CGMP) which I am under the impression are part of the lab. But I'm surprised the 1201 has IGMP snooping.

The old 2901, not the newer XL or G stuff, but the old Cat5k stuffed into a 'fixed' configuration 2 slot chassis has got to be cheap at this point. It runs the same images as the Cat5k so there is no delta.

Darrell

Brad Ellis wrote:
> I just got a Cat 1201, I have to tell you, it's VERY similar to a Cat5k. I'm
> working on setting the device up in a special rack. If you want telnet
> access to check it out, let me know via email (address is below).
>
> thanks,
> -Brad Ellis
> CCIE#5796 (R&S / Security)
> Network Learning Inc
> [EMAIL PROTECTED]
> used Cisco gear: www.optsys.net
> CCIE Labs, racks, and classes: http://www.ccbootcamp.com/quicklinks.html
>
> ""Colin"" wrote in message news:[EMAIL PROTECTED]...
> > Hi,
> >
> > I am studying for my CCNP and getting together a list for equipment for
> > a home lab. I want to purchase a Cat 5xxx but have heard that Cat
> > 1201's is very "similar" to the Cat 5xxx. Would I be better off getting
> > a 1201 (which is a lot cheaper than a Cat 5xxx)? Or should I spend the $
> > and get a Cat 5xxx?
> >
> > Thanks
> >
> > Colin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32632&t=32606
Re: Catalyst 5000 vs. Catalyst 1201 for CCNP home lab [7:32606]
I don't think a 1201 would be a good platform. A 2901 on the other hand would be perfect as long as you can get the images you want to run loaded. I don't think the newer features for the Cat5k would be critical in CCNP or CCIE prep.

Darrell

Colin wrote:
> Hi,
>
> I am studying for my CCNP and getting together a list for equipment for
> a home lab. I want to purchase a Cat 5xxx but have heard that Cat
> 1201's is very "similar" to the Cat 5xxx. Would I be better off getting
> a 1201 (which is a lot cheaper than a Cat 5xxx)? Or should I spend the $
> and get a Cat 5xxx?
>
> Thanks
>
> Colin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32608&t=32606
Re: PIX and PPTP [7:32593]
Man am I having trouble finding time to keep up with the postings.

You need to permit GRE through as well. PPTP consists of a tcp control session and a GRE data channel. This way loss on the underlying transport directly affects the data path rather than having the messy tcp over tcp interactions when the network is pretty lossy or an LFN.

Darrell

Chris Headings wrote:
> We are using a PIX 520, running PIX Version 4.4(8). I have opened tcp/udp
> port 1723 for our outside office members to connect to our W2K VPN Server.
> I can get the initial connect (shown in the "SH CONN" command), but it never
> finishes the final "handshake".
>
> Any problems with this version of the PIX IOS not allowing PPTP connection
> thru?
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32594&t=32593
Re: CCIE Lab Waiting Period [7:32232]
Now you have me interested since I haven't found much of any time to prepare for and thus schedule the lab. I logged in and in March see sparse (if any) availability all the way to July. Argh! Time for me to fish or cut bait this quarter.

So that answers Ed's question that he could run in and take the exams quickly. But it seems as Chuck is pointing out that since March on were based on the 1 day schedule that things will change soon.

Chuck Larrieu wrote:
> Dare I release my currently scheduled date so I can look? ;->
>
> the rule of thumb is that you can book a date this week or in six months,
> but nothing in between.
>
> Also, I believe Cisco is opening up dates on a month by month basis. In
> other words, say for the month of February the schedule was based on the two
> day lab. So in late January Cisco opens up the 14 days formerly reserved for
> the second day of the two day lab. So for a very brief period of time there
> are a number of openings available in February. This was certainly true a
> couple of months ago when I was trying to book my next attempt.
>
> Chuck
>
> ""Darrell Newcomb"" wrote in message news:[EMAIL PROTECTED]...
> > I was pleasantly surprised to see quite a lot of availability for Lab
> > testing in San Jose. I'll let others comment on comparing to other
> > exams.
> >
> > Ed Chuchaisri wrote:
> > > Guys,
> > >
> > > I wonder when is the earliest R/S lab available in San Jose if I passed the
> > > written today? I heard that it still takes at least 6 months even though
> > > Cisco has changed the lab to a 1-day format.
> > >
> > > And how do you compare the written exam to other Cisco Exams like CID 3.0 (I
> > > think this is the most challenging one out there), Routing 2.0, and
> > > switching 2.0. Is it true that the written exam for R/S is the combination of
> > > Routing 2.0 and switching 2.0 together. How many questions by the way?
> > >
> > > Thanks,
> > >
> > > Ed
> > > www.router4u.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32247&t=32232
Re: CCIE Lab Waiting Period [7:32232]
I was pleasantly surprised to see quite a lot of availability for Lab testing in San Jose. I'll let others comment on comparing to other exams.

Ed Chuchaisri wrote:
> Guys,
>
> I wonder when is the earliest R/S lab available in San Jose if I passed the
> written today? I heard that it still takes at least 6 months even though
> Cisco has changed the lab to a 1-day format.
>
> And how do you compare the written exam to other Cisco Exams like CID 3.0 (I
> think this is the most challenging one out there), Routing 2.0, and
> switching 2.0. Is it true that the written exam for R/S is the combination of
> Routing 2.0 and switching 2.0 together. How many questions by the way?
>
> Thanks,
>
> Ed
> www.router4u.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32244&t=32232
Re: PPTP - Conduit - Protocol 47 [7:31748]
Usually you can easily convince TAC that they should provide you with an image which is no longer publicly listed, but which is the logical next step for you to minimize the amount of changes to your already stable device. However in the face of significant bugs such as PSIRTs or what not your request may (fairly legitimately) be turned down.

"[EMAIL PROTECTED]" wrote:
> I found out that version 4.1(7) supports GRE
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v41/pixrn417.htm#xtocid1224219
>
> Unfortunately, the image is no longer on CCO (too old).
>
> Pierre-Alex
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paul Lalonde
> Sent: Saturday, January 12, 2002 9:51 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PPTP - Conduit - Protocol 47 [7:31748]
>
> Pierre-Alex,
>
> You might have an issue with that version of PIX OS. On a PIX OS of 4.2 or
> later, you can do:
>
> conduit permit gre host any
> conduit permit tcp host eq 1723 any
>
> Not sure about 4.0.7... are you not able to update this to at least 4.4 or
> something better?
>
> Paul
>
> ""Pierre-Alex J. Guanel"" wrote in message news:[EMAIL PROTECTED]...
> > How do you configure a conduit to let this go through:
> >
> > Source 0.0.0.0 to Protocol Other Protocol Number 47
> >
> > I need to do this in order to do PPTP through the firewall to a Windows 2000
> > machine. I am running version 4.0.7 on the PIX and the conduit only has an
> > option for tcp or udp. See below from the Cisco documentation:
> >
> > conduit global_ip port[-port] udp|tcp ip_address [netmask]
> >
> > Thank you
> >
> > Pierre-Alex

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31784&t=31748
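Darrell's point in the "PIX and PPTP" reply above (a PPTP session is a TCP/1723 control connection plus a GRE data channel, so the firewall has to pass both) and Paul's two conduit lines quoted here belong together. The block below is an added example, not code from the thread, that parses conduit lines in the 4.2-and-later form Paul quotes and reports which half of PPTP a rule set fails to permit for a given server, which is exactly the state Chris described (1723 open, GRE not). The sample configs, the 203.0.113.5 address standing in for the VPN server's global address, and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Protocol names accepted in a conduit line, mapped to IP protocol numbers.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "gre": 47, "icmp": 1}

# conduit permit|deny <proto> host <global_ip> [eq <port>] <foreign_ip [mask] | any>
CONDUIT_RE = re.compile(
    r"^\s*conduit\s+(?P<action>permit|deny)\s+(?P<proto>[a-z]+|\d+)"
    r"\s+host\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+eq\s+(?P<port>\d+))?"
    r"\s+(?P<src>any|\d+\.\d+\.\d+\.\d+(?:\s+\d+\.\d+\.\d+\.\d+)?)\s*$"
)


@dataclass(frozen=True)
class Conduit:
    action: str
    proto: int            # IP protocol number
    dst: str              # global (outside) address of the server
    port: Optional[int]   # destination port, None when the line has no "eq"


def parse_conduit(line: str) -> Conduit:
    """Parse one conduit line; raise ValueError on syntax this parser does not cover."""
    m = CONDUIT_RE.match(line)
    if not m:
        raise ValueError(f"unsupported conduit syntax: {line!r}")
    proto = m.group("proto")
    number = int(proto) if proto.isdigit() else PROTO_NUMBERS.get(proto)
    if number is None:
        raise ValueError(f"unknown protocol {proto!r} in {line!r}")
    port = m.group("port")
    return Conduit(m.group("action"), number, m.group("dst"),
                   int(port) if port else None)


def parse_conduits(config: str) -> List[Conduit]:
    return [parse_conduit(l) for l in config.splitlines()
            if l.strip().startswith("conduit")]


def pptp_gaps(rules: List[Conduit], vpn_server: str) -> List[str]:
    """Names of the PPTP pieces not permitted to vpn_server; empty means complete."""
    def permits(proto: int, port: Optional[int] = None) -> bool:
        return any(r.action == "permit" and r.proto == proto and r.dst == vpn_server
                   and (r.port is None or r.port == port) for r in rules)
    gaps = []
    if not permits(6, 1723):
        gaps.append("tcp/1723 control connection")
    if not permits(47):
        gaps.append("gre (ip protocol 47) data channel")
    return gaps


# Constructed sample: what Chris describes (tcp/udp 1723 opened, nothing else).
ONLY_1723 = """\
conduit permit tcp host 203.0.113.5 eq 1723 any
conduit permit udp host 203.0.113.5 eq 1723 any
"""
# The same config with Paul's GRE line added, by protocol name or by number.
WITH_GRE = ONLY_1723 + "conduit permit gre host 203.0.113.5 any\n"
WITH_GRE_NUMERIC = ONLY_1723 + "conduit permit 47 host 203.0.113.5 any\n"

if __name__ == "__main__":
    for name, cfg in (("only 1723", ONLY_1723), ("with gre", WITH_GRE)):
        gaps = pptp_gaps(parse_conduits(cfg), "203.0.113.5")
        print(f"{name}: {gaps or 'PPTP complete'}")
```

The udp/1723 line is harmless but does nothing for PPTP; the check only looks for the two pieces the protocol actually uses, and it is keyed on the server's global address so a conduit for a different host does not mask the gap.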
Re: %static entry in use, cannot remove [7:31560]
My preference in this is to just scope the translation clearing to just the affected static, then quickly delete the static translation which I think sridder was saying. In particularly busy environments an inbound acl on the internal/external interfaces will keep traffic from triggering the static translation while you can delete it and then remove the additional acl denies. If you do it all carefully no other endpoints will have service disrupted and that should always be a goal.

AMR wrote:
> You don't shut down the interface. Just remove the 'ip nat outside' or other
> such necessary command from the interface. It's far less affecting to the
> router to remove the nat command than it is to shut down an interface which
> would possibly cause a change in the route table, forcing calculations, etc.
>
> ""Steven A. Ridder"" wrote in message news:[EMAIL PROTECTED]...
> > Also shut down the local lan interface in case some lan client tries to go
> > out to the internet while you are changing nat. Some busy sites this
> > happens at. And include an * after the trans for all the translations.
> >
> > --
> > RFC 1149 Compliant.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31584&t=31560
Re: Using a PIX firewall with multiple IP addresses [7:31052]
Yes. One pitfall is I don't think it'll do its proxy arp for those addresses, but I can't recall. As long as you're forwarding that subnet directly to the PIX's outside interface it'll be fine.

Darrell

"Rizzo, Damian" wrote:
> Hey all. Anyone know if you can successfully use a PIX firewall with
> Multiple IP addresses?
> For example; If you assigned a Public IP address to the outside interface is
> it possible to assign a totally different Public IP address (different
> subnet) for the "Global" IP addresses to be translated?
>
> Thank you,
>
> -Rizzo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31053&t=31052
Re: How to Block MSN ... [7:30891]
Not that I think doing this type of stuff on employees is a good idea, but I've been in positions where it was needed. By making the HR policy and having midlevel managers reinforce its existence in meetings you've done a good part of the warning. Then by *allowing* the application's default behavior you can monitor usage. With monitored usage, contacting folks personally with a "hey we know what you're doing and it's breaking company policy" message can be a great task for NOC personnel in the downtime. The final step is using those managers which have surely exposed themselves as supporters of this policy. Make the list of violators available as a matter of record and they'll do all the dirty work for you. Word of these examples will spread and usage tends to all but stop.

I've found this much easier and more rapid than outright prevention which is a very difficult war to win in today's corporate networks which don't depend upon proxies and bastions to interact with the outside world.

nrf wrote:
> It's not a case of choosing something that works all the time. It's more a
> case of turning it from a technical problem to an HR problem.
>
> Because let's face it. Even if you do manage to find a way to block out
> messenger for most people in your office you're always going to have one
> employee who knows a lot about computers, and will figure out a way to
> circumvent whatever roadblocks you've put in his way. For example, he'll
> set up a proxy at his home computer and get to messenger that way. Then of
> course that employee will inevitably tell others how to do it, and you'll
> pretty much wind up with the same situation as before. Then you'll have a
> grand old time trying to find and ban all the proxies, and whenever you ban
> one, another one will inevitably pop up. It becomes like the amusement-park
> game of Cisco "whack-a-mole", with the difference being that there's no
> teddy bear if you win.
>
> ""Jarmoc, Jeff"" wrote in message news:[EMAIL PROTECTED]...
> > > But truly the best way is to simply have company policy that bans
> > > messenger.
> >
> > Because we all know that always works, right?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30989&t=30891
Re: OT: SSL Accelerators [7:30724]
Check out the Click Array products (www.clickarray.com). Though one of the younger vendors in this space they have a very good engineering team. I should note I've not used any of their products nor am I affiliated with the company. I've just had involved conversations and know some of the employees. The decisions and their basis tend to be very sound.

John Neiberger wrote:
> We are looking at buying some new load balancing switches and new cache
> engines and somewhere in that mix we want to add SSL acceleration. One
> vendor that we're looking at sells load balancing switches with SSL
> acceleration built-in. Of course, they really like their way of doing
> this. The other vendor has a cache engine with SSL acceleration and
> they say there is a significant performance increase by caching content
> in SSL-ready format.
>
> Do any of you have any thoughts here? The first vendor is F5 and I
> really like the looks of their Big IP series. The second vendor is
> Stratacache and I really don't know much about them despite having
> talked to them about this. :-)
>
> Any tips?
>
> Thanks,
> John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30729&t=30724
Re: can't ping an address from anywhere but the router itself [7:30526]
Here is a much better reference. Actual PPPoE instead of PPPoEoA. Don't know when/if it'll be available on the lower end platforms.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fwan_c/wcfppp.htm#xtocid1245615

Darrell Newcomb wrote:
> Well actually I meant the PPP interface would be separate from the
> native IP/ethernet interface. This is leaving an area which I actually
> have real world experience with but a quick search on CCO brought up a
> good config example.
>
> http://www.cisco.com/warp/public/794/soho77pppoe_client.html
> Though not a perfect example here the dialer1 on SOHO77 is separate from
> the underlying "ethernet" (AAL5 PVC).
>
> The PPP interfaces do eat IDBs and the configuration syntax allows
> expressing them as independent interfaces. The problem we have in
> John's example below is that the inside and outside NAT interfaces are
> the same. To address the problem we can try lots of ways to make IOS
> treat it as two interfaces so that what we want can be expressed within
> the bounds of IOS. AFAIK there is no protocol reason why we can't nat
> traffic that enters/exits the same interface. But with IOS there doesn't
> seem to be a straight forward way to express that. I wouldn't argue
> that someone SHOULD do this :) so it's purely academic, yet still
> somewhat interesting.
>
> Mark Odette II wrote:
> > First, there's only a handful of Cisco Routers that do PPPoE with certain
> > versions of IOS, but the one that sticks out in my mind at the moment is the
> > 1750 with its WIC-1ENET
> > ... and yes, you have a point, as that specific scenario would yield two
> > Ethernet interfaces
> > ... But I think (can't remember exactly at the moment) the 2610/2620 can do
> > PPPoE, and that would be a single-interface situation.
> >
> > I was just babbling aloud, as I know that Cisco PPPoE isn't always simple
> > and straight forward (depending on your point of view supporting the telco
> > side of implementation or the Cisco CPE side of implementation) :-)
> >
> > For myself, luckily, I didn't have any complications with getting PPPoE to
> > work with SWBell... It was pretty straight forward... and if I recall, I
> > didn't even have to specify the DSL PVC (VSI? 0/XX)... which I think has to
> > be done with the WIC-1ADSL card.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Darrell Newcomb
> > Sent: Monday, December 31, 2001 12:56 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: can't ping an address from anywhere but the router itself [7:30520]
> >
> > Not sure how cisco does PPPoE but shouldn't that make it easier being
> > that it'd be a separate interface, no?
> >
> > Mark Odette II wrote:
> > > Good point there Chuck. I should have paid closer attention to that little
> > > detail in my last post... DOH!
> > >
> > > The rest of what I said still stands though, as is the majority response-
> > > NAT will have to be used.
> > >
> > > ... though, I must say, Darrell's most recent reply to this thread was
> > > definitely interesting to me... never seen, or thought of that type of
> > > solution before... Will have to keep that in mind for those single-interface
> > > Cisco router situations. Of course, it probably won't work for PPPoE DSL,
> > > unless you can specify "next-hop 'interface-name'" in the route map I
> > > suppose. Hmm... very interesting.
> > >
> > > Mark Odette II
> > > ... who should be in bed at this time (12:30am CST). :)
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Sunday, December 30, 2001 11:41 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: can't ping an address from anywhere but the router itself [7:30514]
> > >
> > > I presume we all understand that 250.x.x.x is a fictitious address, i.e. is
> > > used here as an example, and cannot legally be used for any reason. :->
> > >
> > > If Pac Bell assigned you a /24, and stated that dot 254 is the DSL gateway,
> > > do they mean that is your DSL router's ethernet port? that is, do you have a
> > > different address for the DSL/ATM side of things?
> > >
> > > My own experience is you have to be careful about wha
Re: can't ping an address from anywhere but the router itself [7:30525]
Well actually I meant the PPP interface would be separate from the native IP/ethernet interface. This is leaving an area which I actually have real world experience with but a quick search on CCO brought up a good config example.

http://www.cisco.com/warp/public/794/soho77pppoe_client.html
Though not a perfect example here the dialer1 on SOHO77 is separate from the underlying "ethernet" (AAL5 PVC).

The PPP interfaces do eat IDBs and the configuration syntax allows expressing them as independent interfaces. The problem we have in John's example below is that the inside and outside NAT interfaces are the same. To address the problem we can try lots of ways to make IOS treat it as two interfaces so that what we want can be expressed within the bounds of IOS. AFAIK there is no protocol reason why we can't nat traffic that enters/exits the same interface. But with IOS there doesn't seem to be a straight forward way to express that. I wouldn't argue that someone SHOULD do this :) so it's purely academic, yet still somewhat interesting.

Mark Odette II wrote:
> First, there's only a handful of Cisco Routers that do PPPoE with certain
> versions of IOS, but the one that sticks out in my mind at the moment is the
> 1750 with its WIC-1ENET
> ... and yes, you have a point, as that specific scenario would yield two
> Ethernet interfaces
> ... But I think (can't remember exactly at the moment) the 2610/2620 can do
> PPPoE, and that would be a single-interface situation.
>
> I was just babbling aloud, as I know that Cisco PPPoE isn't always simple
> and straight forward (depending on your point of view supporting the telco
> side of implementation or the Cisco CPE side of implementation) :-)
>
> For myself, luckily, I didn't have any complications with getting PPPoE to
> work with SWBell... It was pretty straight forward... and if I recall, I
> didn't even have to specify the DSL PVC (VSI? 0/XX)... which I think has to
> be done with the WIC-1ADSL card.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Darrell Newcomb
> Sent: Monday, December 31, 2001 12:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: can't ping an address from anywhere but the router itself [7:30520]
>
> Not sure how cisco does PPPoE but shouldn't that make it easier being
> that it'd be a separate interface, no?
>
> Mark Odette II wrote:
> > Good point there Chuck. I should have paid closer attention to that little
> > detail in my last post... DOH!
> >
> > The rest of what I said still stands though, as is the majority response-
> > NAT will have to be used.
> >
> > ... though, I must say, Darrell's most recent reply to this thread was
> > definitely interesting to me... never seen, or thought of that type of
> > solution before... Will have to keep that in mind for those single-interface
> > Cisco router situations. Of course, it probably won't work for PPPoE DSL,
> > unless you can specify "next-hop 'interface-name'" in the route map I
> > suppose. Hmm... very interesting.
> >
> > Mark Odette II
> > ... who should be in bed at this time (12:30am CST). :)
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, December 30, 2001 11:41 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: can't ping an address from anywhere but the router itself [7:30514]
> >
> > I presume we all understand that 250.x.x.x is a fictitious address, i.e. is
> > used here as an example, and cannot legally be used for any reason. :->
> >
> > If Pac Bell assigned you a /24, and stated that dot 254 is the DSL gateway,
> > do they mean that is your DSL router's ethernet port? that is, do you have a
> > different address for the DSL/ATM side of things?
> >
> > My own experience is you have to be careful about what Pac Bell says.
> > sometimes the terminology they use can be misleading to those of us in
> > Ciscoland. ;->
> >
> > I would expect that you would be doing NAT between your inside ( 192.x.x.x )
> > network and the public space you have been assigned.
> >
> > internet-DSL_router-firewall/router-inside
> >
> > are you doing something different?
> >
> > Chuck
> >
> > ""Ole Drews Jensen"" wrote in message news:[EMAIL PROTECTED]...
> > > First of all John, I don't believe this is a very good way of doing this,
> > > because you ar
New Member [7:30524]
I've been reading and posting for a week or so now and figured I'd introduce myself.

I'm preparing for the CCIE R/S Lab. At this point I'm trying to list out which areas I need to study. I passed the written with a few days prep in early December. I've got a CCNA and CCNP. Most of my certification tests have been because peers bet I couldn't pass or score whatever. I haven't eaten crow on that...yet.

I've done consulting for all size enterprises, some service providers, a small amount of applied research and protocol design, and currently run a smallish enterprise/xSP network. I'm looking for the R/S to represent existing knowledge and provide income protection in the current economy though many of the postings throughout groupstudy haven't been too reassuring.

This is a great community and I look forward to participating.

Darrell
Mountain View, CA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30524&t=30524
Re: can't ping an address from anywhere but the router itself [7:30520]
Not sure how cisco does PPPoE but shouldn't that make it easier being that it'd be a separate interface, no?

Mark Odette II wrote:
> Good point there Chuck. I should have paid closer attention to that little
> detail in my last post... DOH!
>
> The rest of what I said still stands though, as is the majority response-
> NAT will have to be used.
>
> ... though, I must say, Darrell's most recent reply to this thread was
> definitely interesting to me... never seen, or thought of that type of
> solution before... Will have to keep that in mind for those single-interface
> Cisco router situations. Of course, it probably won't work for PPPoE DSL,
> unless you can specify "next-hop 'interface-name'" in the route map I
> suppose. Hmm... very interesting.
>
> Mark Odette II
> ... who should be in bed at this time (12:30am CST). :)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 30, 2001 11:41 PM
> To: [EMAIL PROTECTED]
> Subject: Re: can't ping an address from anywhere but the router itself [7:30514]
>
> I presume we all understand that 250.x.x.x is a fictitious address, i.e. is
> used here as an example, and cannot legally be used for any reason. :->
>
> If Pac Bell assigned you a /24, and stated that dot 254 is the DSL gateway,
> do they mean that is your DSL router's ethernet port? that is, do you have a
> different address for the DSL/ATM side of things?
>
> My own experience is you have to be careful about what Pac Bell says.
> sometimes the terminology they use can be misleading to those of us in
> Ciscoland. ;->
>
> I would expect that you would be doing NAT between your inside ( 192.x.x.x )
> network and the public space you have been assigned.
>
> internet-DSL_router-firewall/router-inside
>
> are you doing something different?
>
> Chuck
>
> ""Ole Drews Jensen"" wrote in message news:[EMAIL PROTECTED]...
> > First of all John, I don't believe this is a very good way of doing this,
> > because you are actually running two different networks on the same LAN:
> > 192.168.0.0/24 and 250.100.100.238/8.
> >
> > Anyway, I believe the problem lies in that the DSL GATEWAY has a default
> > gateway that points to PacBell, so when it receives a ping echo from your
> > workstation on network 192.168.0.0/24, it sees that it's not on its own
> > network, and sends the ping reply to its default gateway, and your
> > workstation never receives the reply.
> >
> > In order for ping to work, the traffic must be able to travel both
> > directions.
> >
> > I don't know what kind of DSL gateway you have, but if you can tell it to
> > route traffic destined for network 192.168.0.0/24 to the router
> > (250.100.100.238), it should work, because the echo reply would then find
> > its way back to the workstation you're pinging from.
> >
> > Hth,
> >
> > Ole
> >
> > Ole Drews Jensen
> > Systems Network Manager
> > CCNP, MCSE, MCP+I
> > RWR Enterprises, Inc.
> > [EMAIL PROTECTED]
> > http://www.RouterChief.com
> >
> > NEED A JOB ???
> > http://www.oledrews.com/job
> >
> > -Original Message-
> > From: John Mairs [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 28, 2001 4:27 PM
> > To: Ole Drews Jensen
> > Subject: RE: can't ping an address from anywhere but the router itself [7:30328]
> >
> > I'm sorry, you're right, my explanation was not very
> > clear. the inside network is 192.168.0.0/24 and all
> > devices on that network are hosts. the addresses for
> > the list you have below is, let's say
> >
> > 250.100.100.254/24 (DSL gateway)
> > 250.100.100.238/24 (Static IP assigned to me from
> > pacbell assigned to e0 to)
> > 250.100.100.230/24 (for fun my printer)
> >
> > I can, from any host on the 192.168.0.0/24 (inside
> > network [192.168.0.1 e0 secondary) successfully ping
> > .238 and .230 but not .254
> >
> > from the router I can successfully ping everything
> > including the gateway (.254).
> >
> > if I can ping .238 and the printer .230 from the
> > inside network (which means that the 2501 is resolving
> > or routing those addresses on the outside network) I
> > don't understand why .254 is unreachable (times out)
> >
> > here is the config
> >
> > Router3#show conf
> > using 886 pit pf 32762 bytes
> > !
> > version 11.2
> > no service password-encryption
> > no service udp-small-servers
> > no service udp-small-servers
> > !
> > hostname Router3
> > !
> > enable secret 5 $1$llkfflkaiey.ddfakdjfadlkjrlll
> > enable password cisco
> > !
> > no ip domain-lookup
> > !
> > interface ethernet0
> >  ip address 192.168.0.1 255.255.255.0 secondary
> >  ip address 250.100.100.238 255.255.255.0
> >  no mop enabled
> > !
> > interface Serial0
> >  no ip address
> > !
> > interface Serial1
> >  no ip address
> > !
> > ip classless
> > ip route 192.168.0.0 255.
Re: setting up NPAT using only one ethernet interface (2501) [7:30509]
I responded briefly to John earlier but didn't copy the list due to the low value content. Just not enough time. Need a Spec Miata (anyone have an old Miata for sale on the west coast?)

Since I guess actual configs are what you want I took a spin around to find where I might have saved those but didn't find it. I'll take a quick stab at a config sample, but it's been a while for me and this isn't the intended way to use this equipment/software.

Assuming 192.168.1.0/24 is your internal network which you want NAT'ed into a global pool out of an allocated 123.45.67.0/29. This 2501 is connected to another router via 111.22.33.2/30 and pointing default to 111.22.33.1

int e0
 no ip redir
 no ip proxy-arp
 ip addr 192.168.1.1 255.255.255.0
 ip addr 111.22.33.2 255.255.255.252 sec
 ip nat inside
 ip policy route-map send-to-nat

int loop100
 ip address 123.45.67.1 255.255.255.248
 ip nat outside

ip route 0.0.0.0 0.0.0.0 111.22.33.1

policy-map send-to-nat

ip nat pool public 123.45.67.2 123.45.67.6 netmask 255.255.255.248
ip nat inside source list 10 pool public

access-list 10 permit 192.168.1.0 0.0.0.255

route-map send-to-nat permit 10
 match ip address 10
 set ip next-hop 123.45.67.7
 !Or maybe this needs to be 123.45.67.1

!It's possible that you'd need this if the ip nat inside is catching traffic, but with explicit src it shouldn't.
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any 123.45.67.0 0.0.0.7
route-map send-to-nat permit 5
 match ip address 101
 set ip next-hop 123.45.67.1

John Mairs wrote:
>
> How would I find the examples you speak of? how would I apply the
> ip nat inside and ip nat outside commands. would it be something like
> !
> interface ethernet e0
> ip nat inside
> !
> interface ethernet e0 secondary
> ip nat outside
>
> --- Darrell Newcomb wrote:
> > Interesting. I assume you're trying to place globally and locally
> > addressed machines on the same L2 ethernet and use secondary addresses
> > to place the router on both L3 networks. This part is straightforward,
> > just remember to disable icmp-redirects on this interface to remove a
> > couple ambiguities.
> >
> > For some special cases I've used policy routing to direct traffic to
> > "the right" nat pool. In your case just base it on source address for
> > the locally addressed endpoints. I've also used loopback addresses to
> > create the outside interface, if you need such a thing. Together those
> > should work for what you're trying to do. But it's far from the
> > intended deployment scenario and wouldn't get support for any interesting
> > bugs that are uncovered. There are examples of both of these situations,
> > I think it's just a matter of putting it all together. And talk about
> > slow.
> >
> > I'm sure others will have different approaches.
> > Good Luck,
> > Darrell
> >
> > John Mairs wrote:
> > >
> > > Hi,
> > >
> > > can I, if so, how would I go about setting up NPAT on
> > > my 2501's only ethernet port. I am confused as to how
> > > my router will be able to distinguish inside/outside
> > > NAT on the primary/secondary interfaces.
> > >
> > > Essentially I would like to know how to configure the
> > > router to do this with a rudimentary explanation what
> > > is happening.
> > >
> > > I can find thousands of descriptions of how to set up
> > > NAT but none of them show how to do this over a single
> > > LAN interface.
> > >
> > > Any thoughts would be greatly appreciated.
> > >
> > > Thanks for your time,
> > >
> > > John
> > >
> > > __
> > > Do You Yahoo!?
> > > Send your FREE holiday greetings online!
> > > http://greetings.yahoo.com
> [EMAIL PROTECTED]
>
> =
> John L. Mairs
>
> __
> Do You Yahoo!?
> Send your FREE holiday greetings online!
> http://greetings.yahoo.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30509&t=30509
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: setting up NPAT using only one ethernet interface (2501) [7:30459]
Interesting. I assume you're trying to place globally and locally addressed machines on the same L2 ethernet and use secondary addresses to place the router on both L3 networks. This part is straightforward, just remember to disable icmp-redirects on this interface to remove a couple ambiguities.

For some special cases I've used policy routing to direct traffic to "the right" nat pool. In your case just base it on source address for the locally addressed endpoints. I've also used loopback addresses to create the outside interface, if you need such a thing. Together those should work for what you're trying to do. But it's far from the intended deployment scenario and wouldn't get support for any interesting bugs that are uncovered. There are examples of both of these situations, I think it's just a matter of putting it all together. And talk about slow.

I'm sure others will have different approaches.
Good Luck,
Darrell

John Mairs wrote:
>
> Hi,
>
> can I, if so, how would I go about setting up NPAT on
> my 2501's only ethernet port. I am confused as to how
> my router will be able to distinguish inside/outside
> NAT on the primary/secondary interfaces.
>
> Essentially I would like to know how to configure the
> router to do this with a rudimentary explanation what
> is happening.
>
> I can find thousands of descriptions of how to set up
> NAT but none of them show how to do this over a single
> LAN interface.
>
> Any thoughts would be greatly appreciated.
>
> Thanks for your time,
>
> John
>
> __
> Do You Yahoo!?
> Send your FREE holiday greetings online!
> http://greetings.yahoo.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30459&t=30459
Re: certification salary posting [7:30237]
Well by taking a meaningful sample of a certification's population you should cover the variation in experience. Personally I would expect lower level certifications to have a wider distribution wrt experience and that should translate into the same in salary.

With small populations (numbers of CCIEs) it becomes very difficult to produce a meaningful average by sampling the population. This is especially true when the years of experience have led to different areas of focus. Those areas of focus make large differences in salary, and this doesn't even cover differences between:
-Perm. W2'ed employees of a Consulting Firm vs. Corporate
-Cost of Living in various parts of the Country/World
-COL in micro regions

Bottom line is tracking averages for these smaller populations will be greatly affected by the types of folks responding and not reflect the highly variable market in a meaningful way.

Put 10% of the time you all seem to into studying for certs and put it into looking at the employment marketplace...the return will be just as big as the cert.

my $0.0002 micropayment,
Darrell

John Neiberger wrote:
>
> That may be true but I'd also be interested in a more accurate
> survey. The problem with these surveys is that they don't take enough
> variables into account. A certification alone is not enough to make a
> judgement. We should take into account education, years in the field,
> etc.
>
> For example, there are probably CCNAs making double what I'm making
> because they've got over twice the time in the field, one or more
> degrees, etc. There are also probably a few CCIEs making less than I,
> but I'm not so sure about that. ;-) They'd have to be unemployed
> entirely and that doesn't count! heh heh
>
> So, I think a good survey would ask you which certs you have, how long
> you've been in the field, your educational background, and then your
> salary. I think the end result would produce data that would be far
> more useful for comparison.
>
> John
>
> >>> "Gaz" 12/28/01 2:15:33 PM >>>
> To be honest, if I were to take part in the survey, I would inflate the
> salary and expect most others to do the same.
> This wouldn't be done out of pride or to impress, but what are you going to
> get out of giving your real salary out.
> May as well try to push the going rate up, I would have thought.
> Otherwise, knowing my employer, he'll try and pay well below the average
> anyway, pay will spiral downwards and before long, you'd be better off
> working in the cafe next door.
>
> Gaz
>
> ""Paul Jin"" wrote in message
> news:[EMAIL PROTECTED]...
> > I think it is part B.S. and part people that were lucky that
> > are making the avg or above avg.
> >
> > For many of the people making more than the average, I believe it was
> > a combination of
> > 1 - salesmanship
> > 2 - outright LIE
> > 3 - interviewer not making sure they can do what they say
> > they can.
> > I said many not all.. some truly deserve it and more...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30396&t=30237
Re: BGP filtering [7:30172]
Good start, RPSL is actually a step forward from RIPE-181. I think RIPE has the best documentation and surely the most widely used RPSL databases. The IRR as the collection of databases isn't quite perfectly mirrored nor is the data nearly up to date.

As for the question about the application. It sounds like you're being asked to filter routes the other networks (probably just customers and peers) are advertising into your network. The nice idea being chased is probably to verify authority to advertise a given route to prevent mistakes and some malicious activity.

Various Places to look:
http://www.ripe.net/ripencc/pub-services/db/irrtoolset/index.html
  nee http://www.isi.edu/ra/RAToolSet/
http://www.ripe.net/
http://www.ripe.net/ripencc/pub-services/
http://www.ripe.net/ripe/docs/databaseref-manual.html
RPSL in RFC 2622
RFC 2725
Using RPSL RFC 2650

Peter van Oene wrote:
>
> AS-Macro's are an object in an RPSL based Internet Routing Registry (IRR)
> that is used to simplify routing policy registration by grouping AS's. See
> Ripe-181 (rfc 1786).
>
> If you happen to build routing policies using RPSL, I expect you can write
> policies around AS-Macros, though I've no experience doing so. Try posting
> on the ISP lists, ISP-Routing or ISP-BGP or another similar ISP oriented
> list or doing some additional reading.
>
> At 06:23 AM 12/27/2001 -0500, you wrote:
> >Recently I was asked to do BGP filtering for a peer thru AS-Macros. I've
> >looked around but can't find any examples of it. I'm at a loss: is BGP
> >filtering thru AS-Macros another fancy name for AS-PATH filtering, or is it
> >something entirely different? If it is different, can anybody point me to
> >some examples/sources of information on this?
> >
> >Many thanks,
> >Hugo Taxa

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30290&t=30172
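What "filtering thru AS-Macros" boils down to in practice is the job the IRRToolSet does: expand the as-set (AS-Macro) into its member ASes, collect the route objects those ASes are registered to originate, and turn the result into a prefix filter so a customer or peer can only advertise what the registry says it is authorized to. The Python below is an added example, not from the thread or from any RIPE tool; the as-set and route objects in it are constructed stand-ins for IRR query results, and the generated `ip prefix-list` syntax is the IOS form that would be applied inbound on the neighbor.

```python
"""Expand an RPSL as-set into a Cisco prefix-list. Added example; the
IRR objects below are constructed, not fetched from a registry."""
import ipaddress
import re

AS_NUMBER = re.compile(r"^AS\d+$")

# Constructed "as-set:" objects keyed by name; values mimic "members:".
# The reference loop between the two sets is deliberate: real registries
# contain such loops and an expander must not recurse forever on them.
IRR_AS_SETS = {
    "AS-EXAMPLE-CUST": ["AS64500", "AS64501", "AS-EXAMPLE-DOWNSTREAM"],
    "AS-EXAMPLE-DOWNSTREAM": ["AS64502", "AS-EXAMPLE-CUST"],
}

# Constructed "route:" objects as (prefix, origin) pairs. The last one
# belongs to an AS outside the set and must not end up in the filter.
IRR_ROUTES = [
    ("192.0.2.0/24", "AS64500"),
    ("198.51.100.0/24", "AS64501"),
    ("198.51.100.0/25", "AS64502"),
    ("203.0.113.0/24", "AS64999"),
]


def expand_as_set(name, as_sets, seen=None):
    """Resolve an as-set (recursively) to the set of AS numbers it contains.

    Anything that is not a bare AS number is treated as a nested set name,
    which also covers hierarchical names such as AS64500:AS-CUST. 'seen'
    guards against reference loops; an unknown set expands to nothing.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for member in as_sets.get(name, ()):
        if AS_NUMBER.match(member):
            members.add(member)
        else:
            members |= expand_as_set(member, as_sets, seen)
    return members


def prefixes_for(as_numbers, routes):
    """Prefixes whose registered origin is one of 'as_numbers', sorted."""
    def sort_key(prefix):
        net = ipaddress.ip_network(prefix)
        return int(net.network_address), net.prefixlen
    return sorted({p for p, origin in routes if origin in as_numbers}, key=sort_key)


def cisco_prefix_list(list_name, prefixes):
    """Render IOS 'ip prefix-list' lines with an explicit trailing deny."""
    lines = [f"ip prefix-list {list_name} seq {5 * i} permit {p}"
             for i, p in enumerate(prefixes, start=1)]
    lines.append(f"ip prefix-list {list_name} seq {5 * (len(prefixes) + 1)} "
                 f"deny 0.0.0.0/0 le 32")
    return lines


def build_filter(as_set_name, list_name, as_sets=IRR_AS_SETS, routes=IRR_ROUTES):
    """as-set name -> prefix-list lines, fail-closed when the set is unknown."""
    as_numbers = expand_as_set(as_set_name, as_sets)
    return cisco_prefix_list(list_name, prefixes_for(as_numbers, routes))


if __name__ == "__main__":
    print("\n".join(build_filter("AS-EXAMPLE-CUST", "AS-EXAMPLE-CUST-IN")))
```

Two design points matter for the "prevent mistakes and malicious activity" goal Darrell mentions: an as-set that cannot be resolved produces a deny-only list rather than an open one, and the loop guard keeps a mis-registered set from hanging the generator. The real registries are only as trustworthy as the post says, so the output is a starting point to review, not something to push to production unread.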
Re: Catalyst port [7:29718]
Whoops, in CatOS that's
set port duplex 5/1 full

Darrell Newcomb wrote:
>
> set port duplex full
>
> IOS(interface config mode):
> duplex full
>
> Christian Fredrickson wrote:
> >
> > What is the command to force an Ethernet port on a Catalyst to Full Duplex?
> > Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29720&t=29718
Re: Catalyst port [7:29718]
set port duplex full

IOS(interface config mode):
duplex full

Christian Fredrickson wrote:
>
> What is the command to force an Ethernet port on a Catalyst to Full Duplex?
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29719&t=29718
Re: BGP Help [7:29650]
Actually when I first saw the response of "routes renewing constantly" I took it to mean that he was receiving large numbers of updates, not having major failure events locally. If my assumption is correct you would see MsgRcvd MsgSent TblVer InQ OutQ all incrementing quickly as seen through sh ip bgp sum.

This could be due to:
-Recursive route lookups for Nexthop where the NH is another BGP derived route causing it to come/go while creating new FIB. It's normally good design practice to have the BGP NH reachable via an IGP.
OR
-BGP oscillations due to using MEDs in a confed or RR configuration. draft-ietf-idr-route-oscillation-00.txt has a good description.

Depending upon the number of updates use "debug ip bgp updates " with an ACL scoped enough to keep from killing your router with logging. That's the tough part; hopefully the number of updates is small enough you can safely look at all updates for a short period of time.

MADMAN wrote:
>
> If all your routes are flopping then we need to know why. Do you have sufficient
> memory, i.e 128M for full routing. Is the peer stable, the WAN, why did it
> reset? See last line in this output.
>
> Dave
>
> C7507MIX#sh ip bgp nei
> BGP neighbor is 99.1.1.1, remote AS 15, external link
>   BGP version 4, remote router ID 99.1.1.1
>   BGP state = Established, up for 1w5d
>   Last read 00:00:32, hold time is 180, keepalive interval is 60 seconds
>   Neighbor capabilities:
>     Route refresh: advertised and received(new)
>     Address family IPv4 Unicast: advertised and received
>     IPv4 MPLS Label capability:
>   Received 21895 messages, 0 notifications, 0 in queue
>   Sent 22001 messages, 0 notifications, 0 in queue
>   Default minimum time between advertisement runs is 30 seconds
>
>  For address family: IPv4 Unicast
>   BGP table version 145, neighbor version 145
>   Index 1, Offset 0, Mask 0x2
>   Route refresh request: received 0, sent 0
>   0 accepted prefixes consume 0 bytes
>   Prefix advertised 91, suppressed 2, withdrawn 52
>   Number of NLRIs in the update sent: max 37, min 0
>
>   Connections established 2; dropped 1
>   Last reset 1w5d, due to Peer closed the session
>
> [EMAIL PROTECTED] wrote:
> >
> > Routes renewing constantly.
> >
> >
> >                     MADMAN
> >                     prise.com>        cc:      [EMAIL PROTECTED]
> >                     12/19/2001        Subject: Re: BGP Help [7:29650]
> >                     02:54 PM
> >
> >
> > Describe what you mean by flapping.
> >
> > Dave
> >
> > "[EMAIL PROTECTED]" wrote:
> > Greetings all,
> >
> > I was wondering if you guys can help out with this problem. We're
> > connected to both Sprint and UUnet and receiving full routes. All
> > routers are peering with each other. My problem is with both RTRA and
> > RTRB, they're flapping constantly, RTRC and RTRD are very stable. Is
> > there a known cause I am missing here? any suggestions would be great.
> >
> > Thanks.Nabil
> >
> > RTR A- - - - - - - - - - - - - - - - - - - - RTRB
> >   |                                          |
> >   |                                          |
> >   |                                          |
> >   |                                          |
> > RTRC                                        RTRD
> > Sprint                                      UUNET
> > [EMAIL PROTECTED]
> >
> > --
> > David Madland
> > CCIE# 2016
> > Senior Network Engineer
> > Qwest Communications
> > 612-664-3367
>
> --
> David Madland
> CCIE# 2016
> Senior Network Engineer
> Qwest Communications
> 612-664-3367

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29713&t=29650
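Darrell's first diagnostic is to watch the MsgRcvd/MsgSent/TblVer counters in `sh ip bgp sum` climb, which is far easier to judge from two snapshots a known interval apart than by eye. The Python below is an added example, not from the thread: it parses two constructed `show ip bgp summary` captures (the column layout follows classic IOS output; the numbers are invented, with one quiet neighbor, one flooding updates, and one stuck in Active), computes per-neighbor inbound message rates and table-version movement, and names the neighbors worth scoping a `debug ip bgp updates` ACL to. Session resets are detected as counters going backwards.

```python
"""Find BGP neighbors churning updates from two 'show ip bgp summary'
snapshots. Added example; both captures below are constructed."""
import re

# Constructed snapshot at time T0.
SNAP_T0 = """\
BGP router identifier 10.0.0.1, local AS number 65000
BGP table version is 145, main routing table version 145
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
99.1.1.1        4    15   21895   22001      145    0    0 1w5d           91
99.1.1.5        4    16   40012   39800      145    0    0 1w5d       110000
10.9.9.9        4 65001       0       0        0    0    0 never    Active
"""

# Constructed snapshot 60 seconds later: 99.1.1.5 has received ~12k
# messages and the table version has moved 21 times; 99.1.1.1 saw only
# its keepalive; 10.9.9.9 never came up.
SNAP_T1 = """\
BGP router identifier 10.0.0.1, local AS number 65000
BGP table version is 166, main routing table version 166
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
99.1.1.1        4    15   21896   22002      166    0    0 1w5d           91
99.1.1.5        4    16   52014   39801      166   12    0 1w5d       110021
10.9.9.9        4 65001       0       0        0    0    0 never    Active
"""

# A neighbor row starts with a dotted-quad address; header and banner
# lines do not. Rows are assumed to be on a single line.
NEIGHBOR_LINE = re.compile(r"^\d+\.\d+\.\d+\.\d+\s")


def parse_bgp_summary(text):
    """Map neighbor address -> counters from 'show ip bgp summary' text."""
    neighbors = {}
    for line in text.splitlines():
        if not NEIGHBOR_LINE.match(line):
            continue
        f = line.split()
        neighbors[f[0]] = {
            "as": int(f[2]),
            "msg_rcvd": int(f[3]),
            "msg_sent": int(f[4]),
            "tblver": int(f[5]),
            "inq": int(f[6]),
            "outq": int(f[7]),
            "up_down": f[8],
            # Established sessions show a prefix count here; otherwise
            # the FSM state (Idle, Active, ...) is shown instead.
            "state": int(f[9]) if f[9].isdigit() else f[9],
        }
    return neighbors


def update_rates(before, after, seconds):
    """Per-neighbor inbound message rate and TblVer movement between snapshots.

    A MsgRcvd counter that went backwards means the session was reset in
    between (counters restart at 0); that neighbor is reported as None.
    """
    rates = {}
    for ip, now in after.items():
        prev = before.get(ip)
        if prev is None or now["msg_rcvd"] < prev["msg_rcvd"]:
            rates[ip] = None
            continue
        rates[ip] = {
            "rcvd_per_sec": (now["msg_rcvd"] - prev["msg_rcvd"]) / seconds,
            "tblver_delta": now["tblver"] - prev["tblver"],
        }
    return rates


def churning_neighbors(before, after, seconds, threshold=1.0):
    """Neighbors receiving more than 'threshold' messages per second.

    A healthy session receives roughly one keepalive per minute, so a
    sustained rate above one message per second is well outside idle noise.
    """
    return sorted(ip for ip, r in update_rates(before, after, seconds).items()
                  if r is not None and r["rcvd_per_sec"] > threshold)


if __name__ == "__main__":
    t0, t1 = parse_bgp_summary(SNAP_T0), parse_bgp_summary(SNAP_T1)
    for ip, r in update_rates(t0, t1, 60).items():
        print(ip, "session reset" if r is None else r)
    print("candidates for a scoped 'debug ip bgp updates':",
          churning_neighbors(t0, t1, 60))
```

The rate alone does not say which of Darrell's two causes is in play; it only tells you which neighbor's updates to look at, so the debug ACL (and the next-hop reachability check he recommends) can be limited to that peer rather than the whole table.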