RE: NOBODY emails [7:72997]
yup

-----Original Message-----
From: Puckette, Larry (TIFPC) [mailto:[EMAIL PROTECTED]
Sent: Friday, 25 July 2003 1:26 PM
To: [EMAIL PROTECTED]
Subject: NOBODY emails [7:72997]

Is anybody else receiving multiple emails from [EMAIL PROTECTED] that are empty??

Larry Puckette
Network Analyst
Temple Inland
[EMAIL PROTECTED]
512-434-1838
Where there is no idol but money and power, there is no hope for integrity.

-----Original Message-----
From: Maximus [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 24, 2003 9:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Vty access class [7:72990]

I believe the standard ACL should be enough since you're already specifying transport input ssh on line vty 0 4. Just my $0.02

Jablonski, Michael wrote:

I'm having a bit of trouble with extended access-lists for vty access. Basically I'd like to set up an extended access list that only allows ssh access from certain IPs, but after creating the list and applying it to the VTY I lose access. But if I use a standard acl only allowing certain IPs it works fine...

ip access-list extended local_shell
 permit tcp host 192.168.1.2 host 192.168.1.1 eq 22
vty 0 4
 access-class local_shell in
 transport input ssh

Is the standard enough is the above over-kill?

Thanx,
mkj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73006t=72997
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: IP route to Null0? [7:66755]
Though to answer your question :) Summarization means advertising the biggest network you choose/should advertise. If you had a /23 that was routed as 2 /24s in your network, you'd summarize those as a /23 on the way out of your network to keep the routing table smaller... You should probably do the same for your next /24 unless you can find a specific reason not to. It saves headaches with route dampening in the long run if nothing else :)

-----Original Message-----
From: Anil Gupte [mailto:[EMAIL PROTECTED]
Sent: Friday, 4 April 2003 7:21 AM
To: [EMAIL PROTECTED]
Subject: Re: IP route to Null0? [7:66755]

You are right, it is using BGP. What does summarization do? Do I need an identical statement for my new Class C?

Thanx,
Anil Gupte

----- Original Message -----
From: Karsten
To: Anil Gupte ;
Sent: Thursday, April 03, 2003 10:46 AM
Subject: Re: IP route to Null0? [7:66755]

Either a sloppy way to drop traffic for a /24, or bgp summarization using null routing.

-Karsten

On Thursday 03 April 2003 07:40 am, Anil Gupte wrote:

I am trying to understand some IP route commands on our router. Several of them go to Null0 - what does that mean? For example, I have

ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200

What is this doing? I need to add another block of class Cs from the same provider. Do I need a similar statement to the above?

Thanx for your help.
Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66817t=66755
RE: IP route to Null0? [7:66755]
In the event that you are running an internal dynamic routing protocol that would normally be the reason why the /24 is in your routing table (hence the ability for it to be in the BGP advertisements), should the place you are dynamically routing it to go away, so does your route in the IGP, thus so does the BGP route.

Since providers dampen routes that flap constantly (to avoid their own routers being bogged down by BGP), if you have problems in your internal network, it is seen by other people. If your route gets dampened, certain parts of the internet can't get to you depending on who's done the dampening. (ie, if a route flaps, the router takes notice of how many times it's flapped and when it hits a threshold, the route is removed from that provider's routing table for a specified period of time, usually depending on the size of network .. small /24's go for a long time because they're usually smaller outfits, /16 goes for a short period of time because it's usually going to be a bigger outfit/tier 1).

A route to null0 with a high AD provides a way for that route to exist in your IGP statically should your dynamic protocol have issues. You will never lose a route to Null0 unless you add it .. remove it .. add it .. remove it .. etc :) Or your router's having serious rebooting problems ..

On the other hand, you'd also lose the route if it was a directly connected interface that went down. Null0 route would also help there I'd guess.

-----Original Message-----
From: Anil Gupte [mailto:[EMAIL PROTECTED]
Sent: Friday, 4 April 2003 7:21 AM
To: [EMAIL PROTECTED]
Subject: Re: IP route to Null0? [7:66755]

You are right, it is using BGP. What does summarization do? Do I need an identical statement for my new Class C?

Thanx,
Anil Gupte

----- Original Message -----
From: Karsten
To: Anil Gupte ;
Sent: Thursday, April 03, 2003 10:46 AM
Subject: Re: IP route to Null0? [7:66755]

Either a sloppy way to drop traffic for a /24, or bgp summarization using null routing.

-Karsten

On Thursday 03 April 2003 07:40 am, Anil Gupte wrote:

I am trying to understand some IP route commands on our router. Several of them go to Null0 - what does that mean? For example, I have

ip route xxx.xxx.xxx.0 255.255.255.0 Null0 200

What is this doing? I need to add another block of class Cs from the same provider. Do I need a similar statement to the above?

Thanx for your help.
Anil Gupte

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66816t=66755
RE: Unable to delete flash [7:65529]
try doing a squeeze on the flash to get rid of the deleted file..

-----Original Message-----
From: Sales [mailto:[EMAIL PROTECTED]
Sent: Monday, 17 March 2003 12:37 AM
To: [EMAIL PROTECTED]
Subject: RE: Unable to delete flash [7:65529]

Some possible things to try would be to use the /force switch with the delete command. Also try erase versus delete to see if that helps.

Thanks,
www.ccie4u.com
Rack Rentals and Lab Scenarios

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tafasi
Sent: Saturday, March 15, 2003 11:09 PM
To: [EMAIL PROTECTED]
Subject: Unable to delete flash [7:65529]

Hi Group,

I have a problem deleting a file from a 4500 series flash memory. The file shows up as being deleted but the available free space indicates that the file has not been deleted yet. I tried to use the squeeze command but it will not work with this file system. Can you guys suggest something?

Thanks
John Tafasi

r1#show fla
System flash directory:
File  Length    Name/status
  1   10031664  c4500-a3jk8s-mz.122-7b.bin [deleted]
  2   3668568   c4500-i-mz.120-25.bin
[13700360 bytes used, 3076856 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)

r1#delete flash:c4500-a3jk8s-mz.122-7b.bin
Delete filename [c4500-a3jk8s-mz.122-7b.bin]?
Delete flash:c4500-a3jk8s-mz.122-7b.bin? [confirm]
%Error deleting flash:c4500-a3jk8s-mz.122-7b.bin (No such file or directory)
r1#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65619t=65529
RE: Understanding VLANs - how they remove the physical [7:63196]
Why can't the L3 switches be run as L2 switches (ignoring the routing capabilities) in that situation? If those two switches were connected in that case, then connected to the core, wouldn't that solve the problem of a gateway being 3 or 4 L3 switches away?

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 February 2003 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: Understanding VLANs - how they remove the physical [7:63173]

Stephen Hoover wrote:

back to switch A to get his routing to the servers? Why would you EVER want a network configured this way?? Or even worse, what if your respective gateway was 3 or 4 L3 switches away?

Your gateway can't be any L3 switches (routers) away. It has to be on your LAN. It has to be in your subnet. It has to be in your broadcast domain. It has to be in your VLAN. For one thing, a host ARPs for its default gateway. ARP uses broadcast.

I just noticed your comment and wanted to add my comment. Without being able to decode your drawing, it's hard to tell exactly how to answer, but I'm just trying to get you to think about what really happens to packets on a campus network. The network design you're considering isn't just impractical. It won't work, if I understand it correctly.

Priscilla

That just doesn't seem practical to me.

Thanks!
Stephen Hoover
Dallas, Texas

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63196t=63196
RE: Understanding VLANs - how they remove the phys [7:63196]
I'm resisting the overwhelming urge to say something like So there's not a problem? but the two L3/L2/Router/switch discussions are just so darned informative!

I think there's a bit of a hole of confusion that I fell into the first time I consoled onto a 2950 and had to configure it. Every interface said no ip address and vlans could be real interfaces with IP addresses. It's around that moment that you forget they *can* still be layer 2 devices :)

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 February 2003 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Understanding VLANs - how they remove the phys [7:63196]

Emilia Lambros wrote:

Why can't the L3 switches be run as L2 switches (ignoring the routing capabilities) in that situation? If those two switches were connected in that case, then connected to the core, wouldn't that solve the problem of a gateway being 3 or 4 L3 switches away?

Your default gateway can be any number of L2 switches away from you. It just has to be in your subnet, VLAN, broadcast domain.

Priscilla

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 18 February 2003 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: Understanding VLANs - how they remove the physical [7:63173]

Stephen Hoover wrote:

back to switch A to get his routing to the servers? Why would you EVER want a network configured this way?? Or even worse, what if your respective gateway was 3 or 4 L3 switches away?

Your gateway can't be any L3 switches (routers) away. It has to be on your LAN. It has to be in your subnet. It has to be in your broadcast domain. It has to be in your VLAN. For one thing, a host ARPs for its default gateway. ARP uses broadcast.

I just noticed your comment and wanted to add my comment. Without being able to decode your drawing, it's hard to tell exactly how to answer, but I'm just trying to get you to think about what really happens to packets on a campus network. The network design you're considering isn't just impractical. It won't work, if I understand it correctly.

Priscilla

That just doesn't seem practical to me.

Thanks!
Stephen Hoover
Dallas, Texas

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63222t=63196
RE: applying PIX access-lists [7:61033]
Why don't you try removing the line you want it to be below (as well as the deny ip any any at the end) then put in the new line, the next line(s) and the deny line? ie

no access-list from-internet permit ip any host 10.10.10.4
no access-list from-internet permit ip any host 10.10.10.5
no access-list from-internet deny ip any any
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

That should leave you with

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

It's a little shuffling but it gets you there ;)

Is there any reason other than numerical order that the 10.10.10.2 line needs to be above the 10.10.10.2 line since they're all permits anyway?

Also, for my own interest, is the deny ip any any required? I was of the impression that everything was closed until you opened it which means there should already be an implicit deny ip any any.. ?

Em

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

I am new to PIX and have a simple question. What methods do you (PIX Admins) use to change and apply access-lists? Unlike IOS access-lists it seems you can remove statements from the middle of the list. When you do this does the change occur immediately or do you have to reapply the access-group? Do you need to do clear xlate after changing access-lists?

How about the following scenario: I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add access-list from-internet permit ip any host 10.10.10.2 before access-list from-internet permit ip any host 10.10.10.4. What is the best way to do this? I thought maybe I would create a new list:

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands. Is this the standard way of making changes or do you more experienced admins have a better way? I'm migrating from a checkpoint environment so this wasn't an issue when administering them.

How about this for a good question: Why aren't the access-lists on the PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and easy to work with?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61060t=61033
RE: applying PIX access-lists [7:61033]
Nope, wouldn't work well in that situation, but if you're only talking a few entries then it's not a problem.

Also, in that sort of situation if you wanted to put a deny before a permit (where order really does matter other than aesthetically), you remove the line permitting the traffic, add the deny, then put in the permit again and you're back to where you were. The most you'd have to readd after that would be a deny ip any any :)

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 8:38 AM
To: [EMAIL PROTECTED]
Subject: Re: applying PIX access-lists [7:61033]

The deny statement is there implicitly but if you put it in as well, when you do a show access-list command you will see the statistics of how many times it was hit. As far as your suggestion goes, it may not work as well if you have over 100 access-lists and you need to put one in, let's say, 8th spot.

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...

Why don't you try removing the line you want it to be below (as well as the deny ip any any at the end) then put in the new line, the next line(s) and the deny line? ie

no access-list from-internet permit ip any host 10.10.10.4
no access-list from-internet permit ip any host 10.10.10.5
no access-list from-internet deny ip any any
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

That should leave you with

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

It's a little shuffling but it gets you there ;)

Is there any reason other than numerical order that the 10.10.10.2 line needs to be above the 10.10.10.2 line since they're all permits anyway?

Also, for my own interest, is the deny ip any any required? I was of the impression that everything was closed until you opened it which means there should already be an implicit deny ip any any.. ?

Em

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

I am new to PIX and have a simple question. What methods do you (PIX Admins) use to change and apply access-lists? Unlike IOS access-lists it seems you can remove statements from the middle of the list. When you do this does the change occur immediately or do you have to reapply the access-group? Do you need to do clear xlate after changing access-lists?

How about the following scenario: I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add access-list from-internet permit ip any host 10.10.10.2 before access-list from-internet permit ip any host 10.10.10.4. What is the best way to do this? I thought maybe I would create a new list:

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old and apply the new one in successive commands. Is this the standard way of making changes or do you more experienced admins have a better way? I'm migrating from a checkpoint environment so this wasn't an issue when administering them.

How about this for a good question: Why aren't the access-lists on the PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and easy to work with?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61070t=61033
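
Added example, not part of the original posts and not Cisco code: a small Python model of the append-only editing discussed in the two messages above, replaying the remove-and-re-add sequence with its last command entered as an add, as the stated result requires. It assumes that edits to an applied list take effect as each command is entered and that only an explicit deny line keeps a hit counter; the sample source 198.51.100.7 and destination 10.10.10.9 are constructed.

```python
import ipaddress
from collections import Counter

# Starting list and reshuffle commands as posted in the thread.
START = [
    "access-list from-internet permit ip any host 10.10.10.1",
    "access-list from-internet permit ip any host 10.10.10.4",
    "access-list from-internet permit ip any host 10.10.10.5",
    "access-list from-internet deny ip any any",
]
RESHUFFLE = [
    "no access-list from-internet permit ip any host 10.10.10.4",
    "no access-list from-internet permit ip any host 10.10.10.5",
    "no access-list from-internet deny ip any any",
    "access-list from-internet permit ip any host 10.10.10.2",
    "access-list from-internet permit ip any host 10.10.10.4",
    "access-list from-internet permit ip any host 10.10.10.5",
    "access-list from-internet deny ip any any",
]


def _take(words):
    """Consume 'any' or 'host A.B.C.D'; return (address or None, remaining words)."""
    if words[0] == "any":
        return None, words[1:]
    if words[0] == "host":
        return ipaddress.ip_address(words[1]), words[2:]
    raise ValueError(f"unsupported address spec: {words[0]}")


class Acl:
    """Ordered list: 'access-list' appends at the end, 'no access-list' removes a line."""

    def __init__(self, commands):
        self.lines = []
        self.hits = Counter()
        for command in commands:
            self.apply(command)

    def apply(self, command):
        words = command.split()
        if words[0] == "no":
            self.lines.remove(" ".join(words[3:]))
        else:
            self.lines.append(" ".join(words[2:]))

    def evaluate(self, src, dst):
        """First matching line wins; falling off the end is the implicit deny."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for line in self.lines:
            action, _proto, *rest = line.split()
            want_src, rest = _take(rest)
            want_dst, _ = _take(rest)
            if want_src in (None, src) and want_dst in (None, dst):
                self.hits[line] += 1
                return action
        return "implicit deny"  # no configured line matched, so nothing is counted


def reshuffled_order():
    """Line order after the whole remove-and-re-add sequence."""
    acl = Acl(START)
    for command in RESHUFFLE:
        acl.apply(command)
    return acl.lines


def verdicts_during_change(dst="10.10.10.4"):
    """Verdict for traffic to dst after each command (assumes immediate effect)."""
    acl = Acl(START)
    verdicts = []
    for command in RESHUFFLE:
        acl.apply(command)
        verdicts.append(acl.evaluate("198.51.100.7", dst))
    return verdicts


def deny_hits(explicit_deny, packets=3):
    """Hit count visible for 'deny ip any any' after some unmatched packets."""
    acl = Acl(START if explicit_deny else START[:-1])
    for _ in range(packets):
        acl.evaluate("198.51.100.7", "10.10.10.9")
    return acl.hits["deny ip any any"]


if __name__ == "__main__":
    print("\n".join(reshuffled_order()))
    print(verdicts_during_change())
    print(deny_hits(True), deny_hits(False))
```

Under the stated assumption, traffic to 10.10.10.4 is dropped from the first removal until its permit is re-entered, which is the cost of this method on a live firewall compared with building a second list and switching the access-group.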
RE: Load balancing NAT [7:60663]
Basically any changes to the sticky/persistent part are not options :( the hardware that's in and performing the load balancing won't be changed because it works - the NAT portion just needs some ... horrible kludges? :)

-----Original Message-----
From: Clayton Price [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 12 January 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing NAT [7:60663]

Could you change the persistence to use cookies instead of source IP address (assuming it is a browser based connection)? That would allow you to still load balance across the multiple app servers.

Clayton

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...

I'm looking more for a way to play with how the nat pool I have behaves with IP address use. The NAT config and translations are all working, however I can't find a situation online that shows me how I can force translations to not overload quite so much, or how I can make more IP addresses be used so my load balancing works with sticky sessions set.

For as long as only 1 IP is being used, all connections to the application servers go to one application server. Even with 2 IPs being used, I would have more of a chance of connections going to the 2nd application server to create some load balancing but as I said, I'm sitting on 8500 connections and 1 IP being used. I know in theory I can go up to 65K+ connections on that 1 IP, but I would prefer more like a couple of hundred per IP.

The majority of articles I've read show how to configure, say rotary pools or tcp load distribution but not examples of how you can use it another way that I could perhaps, adapt. As I said though, I can't play with the config because it's a live environment so it's a little harder to play and test with, without a guarantee that it will work :)

-----Original Message-----
From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 9 January 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing NAT [7:60663]

if you have a CCO customer account, there are a lot of articles in the TAC database

this one is a good start, I believe.

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note0
9186a0080093fca.shtml

watch the wrap.

HTH
--
TANSTAAFL
there ain't no such thing as a free lunch

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...

Hi all,

I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application. The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.

I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)

Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(

Thanks,
Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60922t=60663
RE: Load balancing NAT [7:60663]
It all makes sense now :) As much of a kludge as it is, the individual NAT pools will be perfect. There's several offices, which means several IP addresses will be used if I make individual pools.

-----Original Message-----
From: Doug S [mailto:[EMAIL PROTECTED]]
Sent: Friday, 10 January 2003 6:45 AM
To: [EMAIL PROTECTED]
Subject: RE: Load balancing NAT [7:60663]

The way PAT works when overloading multiple addresses is to overload the first address in the pool until ALL port numbers are used up. I can't point you to any publicly available documentation on this, but cut and pasted from Network Academy curriculum:

However, on a Cisco IOS router, NAT will overload the first address in the pool until it's maxed out, and then move on to the second address, and so on.

I've seen people wanting to get around this behavior for a variety of reasons and I haven't seen anyone post a good reply. I've come up with a workaround that I believe should work for you, although you'll have to take a good look at your inside local addresses and figure out how to best define those into two equal groups. Each group could then be separately translated to a different address. For instance, if you are now translating 8000 inside addresses all in the range of 10.0.32.0/19 to one overloaded pool, you could configure it to translate 10.0.32.0/20 to one overloaded pool and 10.0.48.0/20 to a separate overloaded pool, something like

#access-list 1 permit 10.0.32.0 0.0.15.255
#access-list 2 permit 10.0.48.0 0.0.15.255
#ip nat pool LOWER_ADDRESSES_TRANSLATE_TO 209.211.100.1 209.211.100.5 pre 24
#ip nat pool HIGHER_ADDRESSES_TRANSLATE_TO 209.211.100.6 209.211.100.10 pre 24
#ip nat inside source list 1 pool LOWER_ADDRESSES_TRANSLATE_TO overload
#ip nat inside source list 2 pool HIGHER_ADDRESSES_TRANSLATE_TO overload

Forgive me if I've screwed up the syntax somewhere, but the idea is there. As I said, you'll have to put some thought into what best works in your addressing scheme to best separate translated addresses into two roughly equal groups. You might even find it helpful to partition them into more than two groups.

Hope it helps.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60766t=60663
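
Added example, not part of the original posts and not Cisco code: a simplified Python model of the behaviour described in the message above (an overloaded pool fills its first address before touching the next), comparing one pool for 10.0.32.0/19 with the two per-/20 pools from the quoted configuration. The port budget per address, the two server names, the round-robin pinning of each distinct source address and the 8500 sample connections are assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

PORTS_PER_ADDRESS = 64512   # assumption: ports 1024-65535 usable per global address
SERVERS = ["app1", "app2"]  # hypothetical application servers behind the balancer


class OverloadPool:
    """One overloaded NAT pool: use the first address until its ports run out."""

    def __init__(self, first, last):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        self.addresses = [ipaddress.ip_address(n) for n in range(lo, hi + 1)]
        self.in_use = Counter()

    def translate(self):
        for addr in self.addresses:
            if self.in_use[addr] < PORTS_PER_ADDRESS:
                self.in_use[addr] += 1
                return addr
        raise RuntimeError("NAT pool exhausted")


def translate_all(rules, sources):
    """rules: (inside network, pool) pairs checked in order, one per source list.
    Returns the number of connections seen from each global address."""
    per_global = Counter()
    for src in sources:
        for network, pool in rules:
            if src in network:
                per_global[pool.translate()] += 1
                break
    return per_global


def sticky_load(per_global):
    """Source-IP persistence: every distinct source address is pinned to one
    server (round-robin on first sight), so load follows the global addresses."""
    load = Counter()
    for i, addr in enumerate(sorted(per_global)):
        load[SERVERS[i % len(SERVERS)]] += per_global[addr]
    return dict(load)


def constructed_sources(count=8500):
    """Constructed inside hosts, alternating between the two /20 halves."""
    low = int(ipaddress.ip_address("10.0.32.0"))
    high = int(ipaddress.ip_address("10.0.48.0"))
    return [
        ipaddress.ip_address((low if i % 2 == 0 else high) + 1 + (i // 2) % 4000)
        for i in range(count)
    ]


def single_pool():
    """All of 10.0.32.0/19 translated through one overloaded pool."""
    rules = [(ipaddress.ip_network("10.0.32.0/19"),
              OverloadPool("209.211.100.1", "209.211.100.10"))]
    return translate_all(rules, constructed_sources())


def split_pools():
    """The two source lists and two pools from the quoted configuration."""
    rules = [
        (ipaddress.ip_network("10.0.32.0/20"),
         OverloadPool("209.211.100.1", "209.211.100.5")),
        (ipaddress.ip_network("10.0.48.0/20"),
         OverloadPool("209.211.100.6", "209.211.100.10")),
    ]
    return translate_all(rules, constructed_sources())


def as_text(per_global):
    """Printable form: global address string -> connection count."""
    return {str(addr): n for addr, n in per_global.items()}


if __name__ == "__main__":
    for name, result in (("single pool", single_pool()), ("split pools", split_pools())):
        print(name, as_text(result), sticky_load(result))
```

In this model the number of global addresses the balancer sees equals the number of source groups, not the size of any pool, which is why one pool per office gives one address per office.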
RE: Load balancing NAT [7:60663]
I'm looking more for a way to play with how the nat pool I have behaves with IP address use. The NAT config and translations are all working, however I can't find a situation online that shows me how I can force translations to not overload quite so much, or how I can make more IP addresses be used so my load balancing works with sticky sessions set.

For as long as only 1 IP is being used, all connections to the application servers go to one application server. Even with 2 IPs being used, I would have more of a chance of connections going to the 2nd application server to create some load balancing but as I said, I'm sitting on 8500 connections and 1 IP being used. I know in theory I can go up to 65K+ connections on that 1 IP, but I would prefer more like a couple of hundred per IP.

The majority of articles I've read show how to configure, say rotary pools or tcp load distribution but not examples of how you can use it another way that I could perhaps, adapt. As I said though, I can't play with the config because it's a live environment so it's a little harder to play and test with, without a guarantee that it will work :)

-----Original Message-----
From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 9 January 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing NAT [7:60663]

if you have a CCO customer account, there are a lot of articles in the TAC database

this one is a good start, I believe.

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note0
9186a0080093fca.shtml

watch the wrap.

HTH
--
TANSTAAFL
there ain't no such thing as a free lunch

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...

Hi all,

I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application. The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.

I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)

Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(

Thanks,
Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60670t=60663
Load balancing NAT [7:60663]
Hi all,

I have an application being load balanced at one site (sticky sessions set such that each connection from 1 IP will continue its transactions to the same server it started on) and at another site, the users accessing the load balanced application. The users come in from different office locations across private WAN links, nat inside is on each of their interfaces and on each interface out of the router those WAN links connect to, is nat outside.

I have changed their initial configuration based on NAT overload to an interface IP address to be a pool of addresses overloaded. I was hoping that the connections would spill over to the second IP in the pool at some stage sooner than the 8500 NAT connections I have currently, but no go. I may as well have NAT'd to 1 IP again :)

Is there a way to overload NAT, but have it using more than 1 IP in the pool? e.g. a pool of 30 IPs, it's currently using 1.. I'd love the router to even round robin the use of IPs out of the pool but I can't play with the config to try it (live environment) and can't find any documentation online explaining exactly what I need NAT to do/not do :(

Thanks,
Em :)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60663t=60663
RE: Minimum BGP Address Aggregation
As far as "may not be globally routable" is concerned, keep in mind that a lot of the big boys use access-lists to filter smaller networks out. There was an old standard access-list *Access-list 112* I think it was, that used to block all bar /19s. So, if you were advertising anything smaller than a /19, it wouldn't be seen by anyone using that access-list (eg /20, /21 etc).

There's a new standard one - access-list 190 which we use albeit a little edited (http://www.magna.com.au/~phillipg/acl190.txt) that denies anything smaller than a /24 (eg /25, /26 etc). So, that's another example of why anything less than a /24 will generally not be guaranteed as globally routable.

Cheers,
Em

-----Original Message-----
From: Jason [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 29, 2000 2:32 PM
To: [EMAIL PROTECTED]
Subject: Re: Minimum BGP Address Aggregation

""Howard C. Berkowitz"" [EMAIL PROTECTED] wrote in message news:v04220882b5d05ad06a2b@[63.216.127.98]...

What do you mean by "may NOT be globally routable" ? This would be due to the address aggregation on the 1st Tier ISP ? Would this be a problem even if I'm connected to a 1st Tier ISP rather than a lower Tier ISP ?

Depends on the policy of the particular ISP, even tier 1. Some simply don't want to advertise any /24 that's not part of their address space, some won't do it except for direct customers who have negotiated to advertise provider-independent address space, some might not be willing to negotiate to advertise a more-specific assignment of another provider's space, and some don't care.

So this is a policy issue where the ISP doesn't want to advertise the address rather than that it cannot be done ? Is there a specific range of address defined as "provider-independent address space" and if so, who do we need to get hold of to get these addresses ?

Could I multihome a network across different countries or different geographical region ?

You might -- which might or might not be a good idea. Depends what you are trying to accomplish. When I've done this, there were some very carefully designed policies to protect transoceanic bandwidth.

In this scenario, I want to allow users to access this network without being affected by the congestions that occurs between international link. I have simulated the network links and policies in the lab to protect this bandwidth but would like to draw further feedback to identify any other potential problem.

It is also one of the more interesting BGP exercises.

How could I ensure that the traffic takes the nearest route to the network and the data traffic from the network takes the nearest gateway out to the destination on the internet ? What is the potential problem with this ?

Not sure what you mean by this. In general, the default of most routing schemes is closest exit (hot potato) rather than best exit (cold potato). Again, discussed in some detail in the new paper.

In this case, since the gateways are transoceanic, without redistributing BGP into IGP, it would appear that it is difficult to select the best exit using IGP.

Jason
Re: distribute list problem
Haven't distribute-lists for BGP been made obsolete by prefix-lists?

Regards,
Em

----- Original Message -----
From: suaveguru [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, December 08, 2000 5:26 PM
Subject: distribute list problem

Hi, I have already configured BGP for but our traffic for IP Address 202.95.159.0/24 not yet routing back via this circuit. Here is the configuration at our router. Can you tell us, what's wrong about our configuration.

router bgp 9875
 no synchronization
 network 202.95.159.0
 network 202.95.128.0 mask 255.255.224.0
 neighbor 202.161.128.93 remote-as 11919
 neighbor 202.161.128.93 distribute-list 1 out
 neighbor 202.161.128.173 remote-as 11919
 neighbor 202.161.128.173 distribute-list 2 out
 no auto-summary
!
access-list 1 permit 202.95.159.0 0.0.0.255
access-list 2 deny 202.95.159.0 0.0.0.255
access-list 2 permit any
Re: distribute list problem
He's got no synchronization, so it doesn't *need* to be in the internal routing protocol does it?

Em

----- Original Message -----
From: McCallum, Robert [EMAIL PROTECTED]
To: 'suaveguru' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, December 08, 2000 8:07 PM
Subject: RE: distribute list problem

first thing is does your internal routing protocol know where it is?

-----Original Message-----
From: suaveguru [mailto:[EMAIL PROTECTED]]
Sent: 08 December 2000 06:27
To: [EMAIL PROTECTED]
Subject: distribute list problem

Hi, I have already configured BGP for but our traffic for IP Address 202.95.159.0/24 not yet routing back via this circuit. Here is the configuration at our router. Can you tell us, what's wrong about our configuration.

router bgp 9875
 no synchronization
 network 202.95.159.0
 network 202.95.128.0 mask 255.255.224.0
 neighbor 202.161.128.93 remote-as 11919
 neighbor 202.161.128.93 distribute-list 1 out
 neighbor 202.161.128.173 remote-as 11919
 neighbor 202.161.128.173 distribute-list 2 out
 no auto-summary
!
access-list 1 permit 202.95.159.0 0.0.0.255
access-list 2 deny 202.95.159.0 0.0.0.255
access-list 2 permit any
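The filtering discussed in the "Minimum BGP Address Aggregation" and "distribute list problem" threads above, as an added example that is not part of the original posts or any vendor's code: a simplified Python model of how a standard access-list used as a BGP distribute-list compares only a route's network address, while a prefix-list also checks the prefix length. The `le 19` and `le 24` entries are constructed stand-ins for the effect described for access-lists 112 and 190 (not their actual contents), and the /25 route and the exact-match prefix-list are constructed test inputs.

```python
import ipaddress

def acl_entry_matches(route, address, wildcard):
    """Standard ACL entry: compares the route's network address only, never its mask."""
    net = int(ipaddress.ip_network(route).network_address)
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (net & care) == (int(ipaddress.ip_address(address)) & care)

def standard_acl(entries, route):
    """First match wins over (action, address, wildcard); implicit deny at the end."""
    for action, address, wildcard in entries:
        if acl_entry_matches(route, address, wildcard):
            return action == "permit"
    return False

def prefix_list(entries, route):
    """First match wins over (action, prefix, ge, le); implicit deny at the end."""
    r = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        p = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            low = high = p.prefixlen              # no ge/le: exact length only
        else:
            low = p.prefixlen if ge is None else ge
            high = 32 if le is None else le
        if r.subnet_of(p) and low <= r.prefixlen <= high:
            return action == "permit"
    return False

def advertised(filter_fn, entries, routes):
    """Routes that survive an outbound (or inbound) filter."""
    return [r for r in routes if filter_fn(entries, r)]

# Taken from the posted configuration.
ANNOUNCED = ["202.95.159.0/24", "202.95.128.0/19"]
ACL_1 = [("permit", "202.95.159.0", "0.0.0.255")]
ACL_2 = [("deny", "202.95.159.0", "0.0.0.255"),
         ("permit", "0.0.0.0", "255.255.255.255")]    # "permit any"

# Constructed for this example (assumptions, not from the posts).
EXACT_24 = [("permit", "202.95.159.0/24", None, None)]
MAX_19 = [("permit", "0.0.0.0/0", None, 19)]          # nothing longer than /19
MAX_24 = [("permit", "0.0.0.0/0", None, 24)]          # nothing longer than /24
LEAKED_25 = "202.95.159.0/25"

if __name__ == "__main__":
    print("neighbor .93  gets:", advertised(standard_acl, ACL_1, ANNOUNCED))
    print("neighbor .173 gets:", advertised(standard_acl, ACL_2, ANNOUNCED))
    print("ACL 1 passes the /25:", standard_acl(ACL_1, LEAKED_25))
    print("prefix-list passes the /25:", prefix_list(EXACT_24, LEAKED_25))
    print("seen behind a /19 filter:", advertised(prefix_list, MAX_19, ANNOUNCED))
    print("seen behind a /24 filter:", advertised(prefix_list, MAX_24, ANNOUNCED))
```

202.95.159.0/24 lies inside 202.95.128.0/19, so the second neighbor still receives a covering route for it even though access-list 2 denies the /24 itself.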
RE: Ip management
Are there any that do just the IP management? Most that I've seen do all sorts of DNS and DHCP stuff as well as manage IPs. I need something that will JUST help me manage a multitude of IP addresses - not provide DNS entries or make them available as a DHCP server :) Is there anything that anyone else has come across that does LESS rather than more? I've been looking for about a year and come up with nothing :(

Cheers,
Em

-----Original Message-----
From: Irwin Lazar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 29, 2000 3:35 AM
To: 'Palis Michael'; Group Study; CISCO
Subject: RE: Ip management

There are lots of good ones out there. Check out Lucent's QIP, Checkpoint's NetID, and Cisco's Network Registrar to name a few. If you search back issues of Network Computing, you'll find a couple of product comparisons and reviews.

irwin

-----Original Message-----
From: Palis Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 28, 2000 12:06 AM
To: Group Study; CISCO
Subject: Ip management

I am looking for a good IP management program able to manage several class C and private addresses allocated to several customers. Can you suggest one?

Ppalis Micheal
e-mail: [EMAIL PROTECTED]
CYPRUS TELECOM. AUTHORITY    FAX: + 357 2 486634
Value Added Services         www: http://www.cytanet.com.cy
Telecommunications Str.
P.O.Box 24929, CY-1396
Nicosia, Cyprus
Re: bgp policy?
Policy depends on the situation you're in .. The most common meanings of "policy" I've seen in a BGP environment are:

a) policy as in policy routing - route-maps and the like
b) policy as in international and domestic traffic being divided .. as in you can ask for just international traffic/routes from your ISP or you can ask for just domestic traffic from your ISP.
c) t's and c's of your ISP .. for example if you have a BGP peering session with your ISP, it's part of your ISP's policy to only route traffic that has been registered in the RADB .. for argument's sake.

----- Original Message -----
From: Yee, Jason [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 25, 2000 6:33 PM
Subject: bgp policy?

hi guys and gals, I got a simple question to ask, it is necessary to use BGP to connect to an ISP if you have different policy requirements than the ISP, in particular can anyone tell me what you mean by different policy

Jason
Re: Blocking IRC
I think from memory, IRC servers also use ports between and 7000 .. It's been a while since I used IRC, but I'm pretty sure it still operates on those ports.

Em

----- Original Message -----
From: SH Wesson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 25, 2000 1:24 AM
Subject: Blocking IRC

The port for Internet Relay Chat (IRC) is 194 for UDP and TCP. In fact, after blocking TCP and UDP port 194, IRC traffic seems to be going through still. However blocking that port does block out much IRC traffic because IRC seems to be using random ports as well such as 7000, 6000, etc. Can anyone tell me how I can block out IRC traffic entirely. Any assistance would be greatly appreciated. Thanks.
Re: radb
There are some ISPs that will not route your network blocks unless they're registered in the RADB and advertised the exact way they're registered. I know of places in the USA who will not accept routing updates unless it's in the RADB first. There's also places in Australia who will ensure that if you haven't already registered the route, they'll do it for you before they add it to their own filter lists. So in answer to your question, I would say the RADB is very much in use today and if you're working for an ISP, you should definitely read up on how to make entries in the RADB.

Cheers,
Em

----- Original Message -----
From: Kane, Christopher A. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 22, 2000 7:44 AM
Subject: radb

A question probably for the ISP folks: Is the radb still used very much today ? Are there very many ISPs that use the info in the route servers to set policies ? I have been reading Halabi's Routing Architectures book and was curious.

Chris
RE: EIGRP IGRP
Isn't that administrative distance?

-----Original Message-----
From: JEK [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: EIGRP IGRP

That's 100 for IGRP not EIGRP. Eigrp is 90/170 where the 170 is an external learned route.

JEK

"Tapas Das" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

what is max hop count for EIGRP IGRP for IP
RE: Is there a command to test a connection using a specific port
For testing connectivity between two ports, try telnetting to the port .. For example if you have "Server1" - 192.168.0.1 and you need to see if "Router A" can access "Server1" on a particular port (say port 110), on Router A:

Router A# telnet 192.168.0.1 110

You can also specify a source interface on the router .. For example you have interface E0 192.168.2.1 and E1 192.168.3.1 and you need to see if the 192.168.3.0 network can reach that port on Server1:

Router A# telnet 192.168.0.1 110 /source-interface Ethernet 1

Is this what you meant you wanted to do?

Regards,
Em

-----Original Message-----
From: Chee Tong Sim
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: 8/10/00 3:58 AM
Subject: Is there a command to test a connection using a specific port

Dear friends,

1) Is there a command to test a connection using a specific port? I have a X windows client which was removed from segment to another in the remote site, the client use specific port to talk to server after the relocation, the client cannot talk to the server in our site. But we can ping to the client from our site, so we suspect the access list problem. Because there are too many routers in between and two back bone switch, we checked all access list but nothing found wrong. Is there a cisco command to test a connection between two site using specific port??

2) I have a back bone switch with RSM module, so I have two configuration file, 1 for router and 1 for switch. I understand the router module but not switch module. Can access-list applied on the switches module?? or is there a way to block the specific port connection in the switches module??
Cisco Exams
A while back, someone posted a link to the online Cisco practice exams .. something like www.cisco.com/cgi-bin/front.x/wwtraining etc etc I don't have access to my archives at the moment but I was wondering if someone would be so kind as to forward me that link again.

Thanks,
Em
RE: IP classless/Default routes
In my experience with having two default routes on a router, they've load-shared across those two interfaces/links. For example, we had a router with a fibre connection and also a wireless connection. The router had two default routes - one across fibre, one across wireless. The fibre went down and half the packets were getting lost, which screamed "load-sharing" to me. I removed the default route across fibre and it worked fine.

Cheers,
Em

-----Original Message-----
From: Dave Page
To: 'Cisco List'
Sent: 8/8/00 10:05 AM
Subject: IP classless/Default routes

In Todd Lammle's book for CCNA 640-407, on p. 202 he has set a default route of BOTH 172.16.40.2 and 172.16.20.1. How does one do this, just enter the IP route command as such, one right after the other (??):

ip route 0.0.0.0 0.0.0.0 162.16.40.2
ip route 0.0.0.0 0.0.0.0 162.16.20.1

??? The reason I ask is that in his book for CCNA 640-507, he states on page 253, "Default routing is used to send packets with a remote destination network not in the routing table to the next hop router. You can only use default routing on stub networks, which means that they have only one exit port out of the network." The two books seem to say contradictory things. Is it because the 507 exam is based on a different IOS? What gives?

Dave Page
RE: cisco homepage help!!
That site doesn't exist btw .. "Document Not Found"

-----Original Message-----
From: Nick Brooks [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 11, 2000 10:44 AM
To: [EMAIL PROTECTED]
Subject: Re: cisco homepage help!!

you can sign up under the consultant program and get a CCO login that way. http://www.cisco.com/go/consultant

jeongwoo park wrote:

Hi everybody. I was trying to login on cisco homepage, but I couldn't. what is CCO? Should I be a cisco customer who has purchased cisco product to login to CCO? I am a CCNA. Does it qualify me to be CCO user? I have seen many links that I couldn't go through. Is that because I am not a CCO user? Could somebody clarify this? Thanks in advance
RE: Which access-list increase load the most?
In response to the other part of the question, I know Cricket (http://cricket.sourceforge.net/) does CPU/Memory monitoring and MRTG does load, but I'm not sure about memory .. you'd probably have to check it/play with it for a while, but I have seen some pretty weird stuff done with MRTG so you never know until you give it a go.

"K.FUJIWARA" [EMAIL PROTECTED] on 26/06/2000 15:59:31
Please respond to "K.FUJIWARA" [EMAIL PROTECTED]
To: "[EMAIL PROTECTED]" [EMAIL PROTECTED]
cc: (bcc: JENNY MCLEOD/NSO/CSDA)
Subject: Which access-list increase load the most?

Hi, all. Though the null interface is the best solution for load in the router CPU, which extended / standard access-list is the best to reduce the load? Extended one's result may depend on where it will be put or the case, so where should it be configured? Destination? If you have some good examples, please show me. And then, do you know good tools or utility to monitor the routers performance on CPU or RAM in real time?

Kazuyo Fujiwara
MCSE/CCNA
Japan Kobe

Tom Holbrook
Network Engineer
Earthlink
RE: Calculating bandwidth utilization
You mean like "show proc cpu" and "show mem" and "show proc mem"??

Em

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 25, 2000 10:48 AM
To: [EMAIL PROTECTED]
Subject: Calculating bandwidth utilization

Hey, Where can I find information on calculating the utilization on an interface. Since I don't have any network management tools to use I want to try to figure it out manually (if possible). Also are there any show commands that show CPU and Memory resource utilization?

Thanks,
Pete

Remove the nospam from e-mail address.