No Subject

2000-11-09 Thread FARHAN AHMED

 
 

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Pix 520 [7:37836]

2002-03-10 Thread Farhan Ahmed

U might need more Flash size 

-Original Message-
From: ""[EMAIL PROTECTED] [mailto:""[EMAIL PROTECTED]] 
Sent: Monday, March 11, 2002 11:15 AM
To: 
Subject: Pix 520 [7:37836]


I currently am trying to upgrade a pix 520 from pix ios 4.7(7) to 6.2
and am having some difficulty or errors more like.  When upgrading the
pix I am using the 6.1 boothelper on the floppy to upgrade the pix.  It
gives me an error telling me that the pix's flash is obsolete.  It then
reboots the pix. I have never seen this before and have worked with
plenty of pix's before. The pix runs fine with version 4.7 and has 8mb
of flash for upgrade. Anybody have any ideas of what I can do to trick
it possibly or a work around.

Thanks,

Jason Pehrson
Systems Administrator
Information Systems Department
Naval Support Activity Naples, Italy [EMAIL PROTECTED]
Work:   (39) 081-568-4316 
Cell:   (39) 347-381-1060
Fax:(39) 081-568-5689




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37839&t=37836



RE: Pix 520 [7:37836]

2002-03-11 Thread Farhan Ahmed

6.0 and Higher 

PIX software releases 6.0 and later and PIX Device Manager require a
minimum of 32MB RAM and 8MB Flash.  Some PIX 520 systems may not meet
these minimum requirements, and the purchase and installation of a 128MB
RAM upgrade and/or a 16MB flash card will be necessary.  

-Original Message-
From: ""[EMAIL PROTECTED] [mailto:""[EMAIL PROTECTED]] 
Sent: Monday, March 11, 2002 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Pix 520 [7:37836]


It only requires 8 mb of flash also.  I am actually trying to install
6.13 not 6.2.  I've also tried going just to 5.2 and get the same
results.

thanks

-Original Message-
From: Mark Odette II [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 11, 2002 9:02 AM
To: 
Subject: RE: Pix 520 [7:37836]


Jason- I might be wrong, but I think the 6.x PIX software requires the
16MB Flashcard.

You might check CCO to confirm.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, March 11, 2002 1:15 AM
To: [EMAIL PROTECTED]
Subject: Pix 520 [7:37836]


I currently am trying to upgrade a pix 520 from pix ios 4.7(7) to 6.2
and am having some difficulty or errors more like.  When upgrading the
pix I am using the 6.1 boothelper on the floppy to upgrade the pix.  It
gives me an error telling me that the pix's flash is obsolete.  It then
reboots the pix. I have never seen this before and have worked with
plenty of pix's before. The pix runs fine with version 4.7 and has 8mb
of flash for upgrade. Anybody have any ideas of what I can do to trick
it possibly or a work around.

Thanks,

Jason Pehrson
Systems Administrator
Information Systems Department
Naval Support Activity Naples, Italy [EMAIL PROTECTED]
Work:   (39) 081-568-4316
Cell:   (39) 347-381-1060
Fax:(39) 081-568-5689




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37842&t=37836



PAT [7:37848]

2002-03-11 Thread Farhan Ahmed

Hi Group,

Any one has idea how to figure out or how to connect to specific service
via an outside ip address that is being pat on a router

Best Regards
Have A Good Day!! 
++
Farhan Ahmed
MCSE+I, MCP Win2k, CCA, CCDA, CCNA, CSE , CCNP
Network Engineer
Mideast Data Systems Abu Dhabi Uae. www.mdsemirates.com

Tel: 97126274000Cellular: 971507903578
++





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37848&t=37848



RE: IP helper addresses [7:11434]

2001-07-09 Thread Farhan Ahmed

1st one

-Original Message-
From: Wilson, Christian [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2001 5:43 PM
To: [EMAIL PROTECTED]
Subject: IP helper addresses [7:11434]


If I enter two ip helper address statements referencing two different IP
addresses in my router configs, which one does the router use?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11439&t=11434



RE: Routing polices [7:11896]

2001-07-11 Thread Farhan Ahmed

u can put a access list if u want?

-Original Message-
From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: Routing polices [7:11896]


What do you want us to do for you?  Firstly go onto the CCO and read about
route-maps. 

For your example this would be relatively easy.  Apply a route map on one
interface and make sure that it will only accept traffic from your LAN0 and
vice versa.  It is easy but you will have to show that you have actually
tried to understand route maps yourself rather than just look for the
answer.

-Original Message-
From: Jacek Malinowski [mailto:[EMAIL PROTECTED]]
Sent: 11 July 2001 10:18
To: [EMAIL PROTECTED]
Subject: Re: Routing polices [7:11896]


I can't use BGP  !!!
On Linux routers there is no problem, but I see that the Cisco has a big
problem.
I receive only advice use BGP. I don't need any BGP. I want only that LAN 0
go through serial0 and LAN 1 do through serial1, on my Linux routers I do
this on 3 second.
Who really understand route-map command and routing policy on cisco routers
?

"MacDonald" wrote in message
news:[EMAIL PROTECTED]...
> is your Router has AS number
> Use BGP multi homing config
>
>
> "Jacek Malinowski" wrote in message
> news:[EMAIL PROTECTED]...
> > I have 2 ISP and 2 serial and 2 ethernet in my 2509 Cisco router.
> > I want half my LAN goes through ISP1 and serial 0 and ethernet 0.
> > And the other through ISP2 and serial1 and ethernet1.
> > How should I do this ?
> > What combination with route map should I use ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11904&t=11896



RE: Pix not routing for Frame Spokes [7:11860]

2001-07-11 Thread Farhan Ahmed

do u want the spokes to come inside and access or what i didnt understand
sorry

-Original Message-
From: Tony Medeiros [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 12:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix not routing for Frame Spokes [7:11860]


PIX's ( and most firewalls except checkpoint and netscreen I think)  Will
NOT send ICMP redirects.  Newer versions of the PIX OS might let you
configure it,  I am not sure.  I haven't played with the newer versions
lately.  Your options are have the host's default gateway point at a real
router and put a default static route in the router pointing at the PIX.
Or, put in network routes via a login script on all the hosts (ugly solution
if you ask me).

Firewalls are not routers.  Even though they do some router functions.

Tony M.
#6172

- Original Message -
From: trammer 
To: 
Sent: Tuesday, July 10, 2001 9:26 PM
Subject: Pix not routing for Frame Spokes [7:11860]


> Don't let the subject mislead you in my intention but here is my situation
> if anyone would like to take a look.
>
> I've got  multiple locations connected via frame coming into a 2610 @
> 10.1.1.5:
>
> 10.2.0.0
> 10.3.0.0
> 10.4.0.0
> 10.5.0.0
> 10.6.0.0
> 10.7.0.0
>
> The 2610's default route is to 10.1.1.1 which is obviously on the 10.1.0.0
> segment in the HQ through a pix to the internet.  The clients at HQ, whose
> gateway is 10.1.1.1 need to occasionally access the spokes so I added static
> routes in the Pix for each of the spokes.  I am a firm believer in Cisco's
> products being a specific task oriented device (ie. pix>firewall, 3015 >
> VPN) and not to be used for anything different.  I know the PIX is not
> designed to be a router but in this case I need get some input from others
> as to why the PIX is not bouncing requests for the spokes out the 2610 like
> a quote unquote "regular router" would.
>
> What happens is the PIX can ping to say for example the 10.1.1.17 which is a
> Domain Controller in that site.  But if I ping from a client or the DC in HQ
> no luck.  This is with the gateway of 10.1.1.1 assigned to the DC and or
> client.  Also, when I do a show ip route I see only the outside and the
> inside IP addresses.
>
> Here is the config minus the Public's IP's and security info.  The only NAT
> pool is through a PAT and an access list is applied on the outside interface
> to filter inbound traffic.   Maybe I had a brainfart on something
> suggestions are appreciated:
>
>
> 0300-PIX-01# sh conf
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> <>
> hostname 0300-PIX-01
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 100 <>
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside <>
> ip address inside 10.1.1.1 255.255.0.0
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 <>
> nat (inside) 1 10.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp <> <>
> static (inside,outside) tcp <> <>
> <>
> <>
> access-group 100 in interface outside
>
> route outside 0.0.0.0 0.0.0.0 <> 1
>
> route inside 10.2.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.3.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.4.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.5.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.6.0.0 255.255.0.0 10.1.1.5 1
> route inside 10.7.0.0 255.255.0.0 10.1.1.5 1
>
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet 0.0.0.0 0.0.0.0 inside
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> <>
> 0300-PIX-01#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11908&t=11860



RE: dialer idle-timeout [7:12256]

2001-07-15 Thread Farhan Ahmed

wrong dialer load threshold is for bringing up the second link
u can put maximum numb on idle time out or use fast idle command

-Original Message-
From: Vette Boy [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 15, 2001 8:18 PM
To: [EMAIL PROTECTED]
Subject: Re: dialer idle-timeout [7:12256]


Configure the dialer load threshold to 0 for the link
to be always up.

VB

--- "Michael L. Williams" 
wrote:
> I would have to say that the idle-timer is for pure idle time. not just
> interesting traffic AFAIK interesting traffic is only used to initiate
> the dial, but after that any traffic is enough to keep the link open..
> BUT (now that I've looked it up) I'M WRONG!  Damn I hate when that
> happens.
>
> from Cisco's site:
>
> "Interesting packets are packets that pass the restrictions of the access
> lists. These packets either initiate a call (if one is not already in
> progress) or reset the idle timer if a call is in progress. Uninteresting
> packets are transmitted if the link is active, but dropped if the link is
> not active. Uninteresting packets do not initiate calls or reset the idle
> timer."
>
> Good call Charles..
>
> Mike W.
>
> "Charles Manafa" wrote in message
> news:[EMAIL PROTECTED]...
> > Interesting traffic will bring up the link, and maintain it. Whilst the
> > link is up, any traffic can cross the link, but only interesting traffic
> > can reset the idle timer.
> >
> > CM
> >
> > > -Original Message-
> > > From: Burnham, Chris [mailto:[EMAIL PROTECTED]]
> > > Sent: 13 July 2001 11:39
> > > To: [EMAIL PROTECTED]
> > > Subject: dialer idle-timeout [7:12256]
> > >
> > >
> > > I am currently working through the "Caslow, Pavlichenko Cisco
> > > Certification Book" I have a query on page 163 that you guys
> > > and girls may be able to help me with.
> > >
> > > It states that the DDR connection is maintained as long as
> > > "interesting traffic" is transferred over the connection before the
> > > dialer-idle-timeout occurs.?
> > >
> > > Is this correct?? I was always under the impression that the
> > > interesting traffic only determined what brought up the link & once the
> > > link was up it would stay up regardless of traffic type crossing the
> > > ISDN link
> > >
> > > I would like to hear your opinions
> > >
> > > Chris Burnham,
> > > Systems Engineer,
> > > Delphis Consulting Plc.
> > > Tel:   +(44) 020 7916 0200
> > > Mob: +(44) 07799403576
> > > [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12418&t=12256



measuring VPN speed [7:12419]

2001-07-15 Thread Farhan Ahmed

lets say i have 64k connection on both ends
if i built up a vpn what will be the speed of the tunnel

any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12419&t=12419



RE: ISDN Help [7:12365]u r forgetting nat outside! [7:12417]

2001-07-15 Thread Farhan Ahmed

service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Cisco801
!
enable password a
!
no ip name-server
!
isdn switch-type basic-net3
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Dialer 1
 description connected to Internet
 ip address negotiated
 ip nat outside
 no ip split-horizon
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 120
 dialer string 5005333
 dialer hold-queue 10
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname a
 ppp chap password a
 ppp pap sent-username a password a
 no ppp multilink
 no cdp enable
!
interface Ethernet 0
 no description
 no ip address
 ip nat inside
 shutdown
!
interface BRI 0
 no shutdown
 description connected to Internet
 no ip address
 ip nat outside
 dialer rotary-group 1
!
! Access Control List 1
!
no access-list 1
access-list 1 deny any
!
! Dialer Control List 1
!
no dialer-list 1
dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface Dialer 1 overload
!
router rip
 version 2
 passive-interface Dialer 1
 no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Dialer 1
no ip http server
!
line console 0
 exec-timeout 0 0
 password a
 login
!
line vty 0 4
 password a
 login
!
end

-Original Message-
From: Dennis Bailey [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 15, 2001 3:59 AM
To: [EMAIL PROTECTED]
Subject: Re: ISDN Help [7:12365]


This happened to me once and turning off fast switching on the BRI interface
made it work.  command is 'no ip route-cache'.  I am not sure if that will
solve your problem but give it a shot.

I also notice that you are routing for network 10.0.0.0 and 192.168.0.0 but
do not see any interfaces in those networks.  You can probably remove those
from the config.

On your dialer-list, unless you want the line to stay up all the time, you
may want to narrow your definition of interesting traffic.

HTH-Dennis
"dt" wrote in message
news:[EMAIL PROTECTED]...
> Hi,
> I am pretty new so please be patient. I am wearing my flame retardant suit.
>
> I am trying to configure my ISDN BR. I am running a Cisco 804. Everything
> connects just fine. I can ping the inside interface on the router, the
> outside interface (dialer) which get an IP address from my ISP. I can ping
> the interfaces of my nodes on the LAN. I authenticate to the ISP Radius
> server. From the router everything seems to resolve just fine but from my
> inside network ( I run NAT)  I can only ping the router interfaces. I can
> not ping anything beyond my outside interface.
>
> I know I must be missing something basic but I just can't figure it out. Any
> help will be greatly appreciated.
>
> Thanks
>
> Dave T
>
> Here is my sh run from the router.
>
> Current configuration:
> !
> version 12.0
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname backbone_r1
> !
> enable secret 5 x
> enable password 
> !
> dial-peer voice 1 pots
>  no call-waiting
>  ring 0
>  port 1
>  destination-pattern xx
> !
> pots country US
> ip subnet-zero
> !
> ip domain-name uswest.net
> ip name-server 206.196.128.1
> isdn switch-type basic-ni
> !
> !
> !
> interface Ethernet0
>  ip address 172.16.0.2 255.255.0.0
>  no ip directed-broadcast
>  ip nat inside
> !
> interface BRI0
>  ip address negotiated
>  no ip directed-broadcast
>  ip nat inside
>  encapsulation ppp
>  bandwidth 64
>  dialer rotary-group 0
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 
>  isdn spid2 
>  isdn incoming-voice modem
> !
> interface Dialer0
>  ip address negotiated
>  no ip directed-broadcast
>  ip nat inside
>  ip rip send version 1
>  ip rip receive version 1
>  encapsulation ppp
>  bandwidth 64
>  keepalive 32767
>  dialer in-band
>  dialer idle-timeout 300
>  dialer string 3032541488
>  dialer string 3032541186
>  dialer hold-queue 10
>  dialer load-threshold 10 outbound
>  dialer-group 1
>  ppp authentication pap callin
>  ppp pap sent-username xxx password xxx
>  ppp multilink
> !
> router rip
>  network 10.0.0.0
>  network 172.16.0.0
>  network 192.168.0.0
> !
> ip nat inside source list 1 interface BRI0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer0
> !
> dialer-list 1 protocol ip permit
> dialer-list 1 protocol clns permit
> dialer-list 1 protocol netbios permit
> !
> line con 0
>  transport input none
>  stopbits 1
> line vty 0 4
>  password
>  login
> !
> end




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12417&t=12417
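
The subject line of the reply above points at the missing `ip nat outside`. As an added example (not code from the thread), the Python below audits the NAT statements of an IOS-style config; the function names `parse_config` and `audit_nat` are hypothetical, the first sample is a constructed excerpt of the quoted `sh run`, and the corrected sample (including the contents of access-list 1) is an assumption.

```python
import re

# Constructed excerpt: only the NAT-relevant lines of the quoted "sh run".
POSTED_CONFIG = """\
interface Ethernet0
 ip address 172.16.0.2 255.255.0.0
 ip nat inside
!
interface BRI0
 ip address negotiated
 ip nat inside
 dialer rotary-group 0
!
interface Dialer0
 ip address negotiated
 ip nat inside
 dialer in-band
!
ip nat inside source list 1 interface BRI0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
"""

# Assumed correction (not from the thread): outside role on the dial
# interfaces, overload on Dialer0, and an access-list 1 covering the LAN.
CORRECTED_CONFIG = """\
interface Ethernet0
 ip address 172.16.0.2 255.255.0.0
 ip nat inside
!
interface BRI0
 ip nat outside
 dialer rotary-group 0
!
interface Dialer0
 ip address negotiated
 ip nat outside
 dialer in-band
!
access-list 1 permit 172.16.0.0 0.0.255.255
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
"""


def parse_config(text):
    """Return ({interface: NAT role or None}, [global config lines])."""
    nat_role, global_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "!"):
            current = None                      # separator ends the interface block
            continue
        if not raw.startswith(" "):             # top-level command
            m = re.match(r"interface\s+(\S.*)$", line)
            if m:
                # "Dialer 1" and "Dialer1" name the same interface
                current = m.group(1).replace(" ", "")
                nat_role[current] = None
            else:
                current = None
                global_lines.append(line)
        elif current is not None:               # indented line inside an interface
            m = re.match(r"\s+ip nat (inside|outside)$", line)
            if m:
                nat_role[current] = m.group(1)
    return nat_role, global_lines


def audit_nat(text):
    """List the NAT inconsistencies found in an IOS-style configuration."""
    nat_role, global_lines = parse_config(text)
    defined_acls = set()
    for line in global_lines:
        m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\b", line)
        if m:
            defined_acls.add(m.group(1))

    findings = []
    if not any(role == "outside" for role in nat_role.values()):
        findings.append("no interface is marked 'ip nat outside'")
    for line in global_lines:
        m = re.match(r"ip nat inside source list (\S+) interface (\S.*?) overload$", line)
        if not m:
            continue
        acl, ifname = m.group(1), m.group(2).replace(" ", "")
        if nat_role.get(ifname) != "outside":
            findings.append(
                f"{ifname} is the overload interface but is not marked 'ip nat outside'")
        if acl not in defined_acls:
            findings.append(f"access-list {acl} is referenced by NAT but is not defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, audit_nat(cfg) or "no findings")
```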

RE: IPSec problem [7:12463]

2001-07-16 Thread Farhan Ahmed

send me the exact error
debug

-Original Message-
From: Vyacheslav Luschinsky [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 3:06 PM
To: [EMAIL PROTECTED]
Subject: IPSec problem [7:12463]


I have a very strange problem with IPSec, namely with ISAKMP. When it is
time for next key exchange between peers (one in an hour) it goes well
without any problem but all IPSec traffic is dropped with messages like
CRYPTO_ENGINE: packets dropped: State = 0 conn_id=2000, pak=81749C44 
when I do "clear crypto sa" it starts working till next rekeying.
Why could it happen?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12468&t=12463



RE: IPSec problem [7:12463]

2001-07-16 Thread Farhan Ahmed

i would say if u wana overcome this problem in short time
make the tunnel again 

-Original Message-
From: Luschinsky Slava [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 3:54 PM
To: Farhan Ahmed
Subject: RE: IPSec problem [7:12463]


I try to establish tunnel between two routers. I send you two logs from
every router.  Second router first starts negotiation for new SA after
"clear cry sa" then after an hour it starts new key exchange and after that
first router begins to drop packets..


send me the output debug crypto engine 

-Original Message-
From: Vyacheslav Luschinsky [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 3:06 PM
To: [EMAIL PROTECTED]
Subject: IPSec problem [7:12463]


I have a very strange problem with IPSec, namely with ISAKMP. When it is
time for next key exchange between peers (one in an hour) it goes well
without any problem but all IPSec traffic is dropped with messages like
CRYPTO_ENGINE: packets dropped: State = 0 conn_id=2000, pak=81749C44 
when I do "clear crypto sa" it starts working till next rekeying. Why could
it happen?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12469&t=12463



RE: IPSec problem [7:12463]

2001-07-16 Thread Farhan Ahmed

show crypto cisco key-timeout 
After an encrypted communication session is established, it is valid for a
specific length of time. After this length of time, the session times out. A
new session must be negotiated, and a new DES (session) key must be
generated for encrypted communication to continue. Use this command to
change the time that an encrypted communication session will last before it
expires (times out): 


  
Loser#show crypto cisco key-timeout
Session keys will be re-negotiated every 30 minutes

Use these commands to determine the length of time before the DES keys are
renegotiated

i would say if u wana overcome this problem in short time
make the tunnel again 

-Original Message-
From: Luschinsky Slava [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 3:54 PM
To: Farhan Ahmed
Subject: RE: IPSec problem [7:12463]


I try to establish tunnel between two routers. I send you two logs from
every router.  Second router first starts negotiation for new SA after
"clear cry sa" then after an hour it starts new key exchange and after that
first router begins to drop packets..


send me the output debug crypto engine 

-Original Message-
From: Vyacheslav Luschinsky [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 3:06 PM
To: [EMAIL PROTECTED]
Subject: IPSec problem [7:12463]


I have a very strange problem with IPSec, namely with ISAKMP. When it is
time for next key exchange between peers (one in an hour) it goes well
without any problem but all IPSec traffic is dropped with messages like
CRYPTO_ENGINE: packets dropped: State = 0 conn_id=2000, pak=81749C44 
when I do "clear crypto sa" it starts working till next rekeying. Why could
it happen?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12470&t=12463



RE: Alert: HTTP bug makes nearly all Cisco routers vulnerable [7:12473]

2001-07-16 Thread Farhan Ahmed

this is too ugly
i just try
http://192.168.5.1/level/29/exec/
on my 2503
and i m in
ha

-Original Message-
From: Oke Oyebanji [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 4:38 PM
To: [EMAIL PROTECTED]
Subject: Alert: HTTP bug makes nearly all Cisco routers vulnerable
[7:12471]


Hi Everybody,

This was a release from TechRepublic on Cisco routers vulnerability early
this morning, please do check it out and take necessary precaution. For
details check:

 http://www.techrepublic.com/article.jhtml?id=r00220010716mco02.htm

Have a nice day.

Kind regards,
Banji.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12473&t=12473



RE: async issues - still cant get it to dial [7:12496]

2001-07-16 Thread Farhan Ahmed

are u getting the answer of access server or no
is it stays on verifying password or ur router doesnt dial at all
check your modem chat script at 56k.com
send me 

debug ppp negotiation


-Original Message-
From: No Data [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 8:33 PM
To: [EMAIL PROTECTED]
Subject: async issues - still cant get it to dial [7:12496]


I'm still struggling with an async connection.  Using
Ejay's wonderful help last week I've gotten my router
configured but I can't seem to get the modem to dial.
Right now I am just trying to dial into a remote
dial-in server with ppp, pap authentication.  Here is
my config.

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging console
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
!
chat-script dial ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 CONNECT
!
!
!
interface Serial0
 physical-layer async
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 async mode dedicated
!
interface Serial1
 no ip address
 shutdown
!
interface FastEthernet0
 ip address 10.129.0.132 255.255.0.0
 speed auto
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer remote-name ?
 dialer pool 1
 dialer string 1308334
 dialer hold-queue 100
 dialer-group 1
 ppp authentication pap
 ppp pap sent-username 'name' password 'password'
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.129.0.1
ip route 150.150.0.0 255.255.0.0 Dialer1
no ip http server
!
dialer-list 1 protocol ip permit
!
line con 0
 transport input none
line 1
 no exec
 script dialer dial
 modem InOut
 modem autoconfigure type usr_courier
 transport input all
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 login
!
end


I'm using an external usr_courier and have the pins all
set to defaults.  Does anyone have any ideas?

Ben





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12501&t=12496



RE: async issues - still cant get it to dial [7:12496]

2001-07-16 Thread Farhan Ahmed

use config maker 

-Original Message-
From: No Data [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 9:05 PM
To: [EMAIL PROTECTED]
Subject: RE: async issues - still cant get it to dial [7:12496]


I should be more specific I think.  I'm not even
getting the modem to dial.  I think my problem is with
the chat script.  I checked 56k.com and still have no
idea how to write the script (yep, I'm a complete
newbie with modems)  I believe I have the DIP switches
set correctly now (3 and 8 down for the USR modem).
The initialization string that the cisco website says
to use is AT&F1S0=1 while 56k.com says AT&F1 should be
fine.  Maybe that narrows down the problem I'm having.

Ben

--- Farhan Ahmed  wrote:
> are u getting the answer of access server or no
> is it stays on verifying password or ur router doesnt dial at all
> check your modem chat script at 56k.com
> send me 
> 
> debug ppp negotiation
> 
> 
> -Original Message-
> From: No Data [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 16, 2001 8:33 PM
> To: [EMAIL PROTECTED]
> Subject: async issues - still cant get it to dial [7:12496]
>
>
> I'm still struggling with an async connection.  Using
> Ejay's wonderful help last week I've gotten my router
> configured but I can't seem to get the modem to dial.
> Right now I am just trying to dial into a remote
> dial-in server with ppp, pap authentication.  Here is
> my config.
> 
> Current configuration:
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Router
> !
> no logging console
> !
> !
> !
> !
> !
> memory-size iomem 25
> ip subnet-zero
> !
> chat-script dial ABORT ERROR "" "AT Z" OK "ATDT \T" TIMEOUT 30 CONNECT
> !
> !
> !
> interface Serial0
>  physical-layer async
>  no ip address
>  encapsulation ppp
>  dialer in-band
>  dialer pool-member 1
>  async mode dedicated
> !
> interface Serial1
>  no ip address
>  shutdown
> !
> interface FastEthernet0
>  ip address 10.129.0.132 255.255.0.0
>  speed auto
> !
> interface Dialer1
>  ip address negotiated
>  encapsulation ppp
>  dialer remote-name ?
>  dialer pool 1
>  dialer string 1308334
>  dialer hold-queue 100
>  dialer-group 1
>  ppp authentication pap
>  ppp pap sent-username 'name' password 'password'
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.129.0.1
> ip route 150.150.0.0 255.255.0.0 Dialer1
> no ip http server
> !
> dialer-list 1 protocol ip permit
> !
> line con 0
>  transport input none
> line 1
>  no exec
>  script dialer dial
>  modem InOut
>  modem autoconfigure type usr_courier
>  transport input all
>  stopbits 1
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  login
> !
> end
> 
> 
> I'm using an external usr_courier and have the pins all
> set to defaults.  Does anyone have any ideas?
> 
> Ben
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12512&t=12496



RE: Access List problem. [7:12525]

2001-07-16 Thread Farhan Ahmed

is it working or not
what u want to allow disallow forget this1

-Original Message-
From: Robert Fowler [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 16, 2001 11:05 PM
To: [EMAIL PROTECTED]
Subject: Access List problem. [7:12525]


Someone sent me this and I just can't figure it out. I've been staring at it
and trying things since last week. Any ideas?


Jeff Doyle says this access-list can be rewritten with 3 lines and still
provide the same functionality.  Let me know if you guys figure out:

access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Have fun...


Thank You,
Robert Fowler




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12530&t=12525
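
The ACL question in the post above turns on first-match evaluation: an entry is redundant when every packet that reaches it first would get the same verdict from the entries below it (or from the implicit deny). The following Python script is an added example, not code from the thread; it handles only the `ip address wildcard address wildcard` form used in the post, and all function names are illustrative.

```python
"""First-match redundancy check for Cisco extended 'ip' ACL entries."""
import ipaddress

M32 = 0xFFFFFFFF

# The six entries quoted in the post above.
ACL_101 = """\
access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
access-list 101 deny ip 172.22.30.0 0.0.0.255 192.168.18.27 0.0.0.0
access-list 101 permit ip 172.22.0.0 0.0.31.255 192.168.18.0 0.0.0.255
access-list 101 deny ip 172.22.0.0 0.0.255.255 192.168.18.64 0.0.0.63
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""


def parse(line):
    """Return (permit, cube) for 'access-list N permit|deny ip SRC WILD DST WILD'.

    A cube is (value, care) over 64 bits: source in the high 32 bits,
    destination in the low 32. care has a 1 wherever the wildcard has a 0.
    """
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, swild, dst, dwild = (int(ipaddress.IPv4Address(x)) for x in t[4:8])
    care = ((~swild & M32) << 32) | (~dwild & M32)
    return t[2] == "permit", (((src << 32) | dst) & care, care)


def load(text):
    """Parse a block of entries into (text, permit, cube) tuples, in order."""
    return [(ln, *parse(ln)) for ln in text.splitlines() if ln.strip()]


def overlaps(a, b):
    """True if some packet matches both cubes."""
    return not ((a[0] ^ b[0]) & a[1] & b[1])


def subtract(a, b):
    """Packets in cube a but not in cube b, as a list of disjoint cubes."""
    if not overlaps(a, b):
        return [a]
    val, care = a
    pieces = []
    extra = b[1] & ~care              # bits b fixes and a leaves free
    while extra:
        bit = extra & -extra
        extra ^= bit
        pieces.append((val | (bit & ~b[0]), care | bit))  # disagree with b here
        val |= bit & b[0]             # agree with b on this bit and continue
        care |= bit
    return pieces                     # what remains lies inside b and is dropped


def subtract_all(region, cube):
    return [p for c in region for p in subtract(c, cube)]


def outcomes(rules, region):
    """Set of verdicts (True=permit) that packets in region can receive."""
    seen = set()
    for _, permit, cube in rules:
        if any(overlaps(c, cube) for c in region):
            seen.add(permit)
        region = subtract_all(region, cube)
        if not region:
            return seen
    seen.add(False)                   # implicit deny at the end of every ACL
    return seen


def is_redundant(rules, i):
    """True if deleting entry i leaves every packet's verdict unchanged."""
    _, permit, cube = rules[i]
    region = [cube]
    for _, _, earlier in rules[:i]:   # keep only packets that hit entry i first
        region = subtract_all(region, earlier)
    return not region or outcomes(rules[i + 1:], region) == {permit}


def prune(rules):
    """Remove redundant entries one at a time; return (kept, removed_text)."""
    rules, removed, i = list(rules), [], 0
    while i < len(rules):
        if is_redundant(rules, i):
            removed.append(rules.pop(i)[0])
            i = 0                     # re-check from the top after each removal
        else:
            i += 1
    return rules, removed


def decide(rules, src, dst):
    """Verdict for one packet, used to spot-check that pruning kept behaviour."""
    pkt = (int(ipaddress.IPv4Address(src)) << 32) | int(ipaddress.IPv4Address(dst))
    for _, permit, (val, care) in rules:
        if pkt & care == val:
            return permit
    return False


if __name__ == "__main__":
    kept, removed = prune(load(ACL_101))
    print("redundant:", *removed, sep="\n  ")
    print("kept:", *(r[0] for r in kept), sep="\n  ")
```

Run on the six entries, it reports the two host-specific permits as redundant: the final `permit ip ... any any` entry already allows that traffic and neither deny entry matches it.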



RE: DNS and Firewalls [7:12547]

2001-07-16 Thread Farhan Ahmed

get a iis server redirect to some server which ll be down and customize the
error page

-Original Message-
From: Nabil Fares [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 1:19 AM
To: [EMAIL PROTECTED]
Subject: DNS and Firewalls [7:12547]


Greetings all,

Looking for methods to inform outside users that our network is down,
complete outage. Assuming users visiting our website, they'll be redirected and
flagged with a banner advising network is down for now.  This method needs
to be fully automated.  Do you guys have any suggestion?

Thanks for your time.

Nabil

I hope my request is clear!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12594&t=12547



RE: Block Icq With Pix Firewall [7:12601]

2001-07-17 Thread Farhan Ahmed

outbound 10 deny 0 0 icqport tcp 

apply (inside) 10 outgoing_src
 
-Original Message-
From: Makis
To: [EMAIL PROTECTED]
Sent: 7/17/01 12:13 PM
Subject: Block  Icq With Pix Firewall [7:12601]

Hi

How can i block Icq through Pix Firewall ?
Any ideas ?

Makis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12606&t=12601



RE: Ports with PIX Firewall [7:12605]

2001-07-17 Thread Farhan Ahmed

when u configure the dynamic nat 
users will start connecting

i dont know what u done with the config

send me the config

to block some port

u need
for static mapping
static (inside,outside) 204.31.17.4 192.168.3.4 netmask 255.255.255.255
conduit permit tcp host 10.1.1.1 eq smtp any
 

outbound 10 permit 192.168.1.42 255.255.255.255 irc tcp
 
apply (INSIDE) 10 outgoing_src


SEND ME THE CONFIG
 

-Original Message-
From: Lano Kris
To: [EMAIL PROTECTED]
Sent: 7/17/01 12:54 PM
Subject: Ports with PIX Firewall [7:12605]

I configured my PIX Firewall and opened all the TCP ports, I found that I
can ping yahoo or cisco by ip address but not with name i.e ping cisco.com
doesn't work, then I opened all the UDP Ports also and my Surfing started
also I was able to PING by name.

I just want to allow port 80 (HTTP), FTP , SMTP access to my users.

Which all Ports do I need to Open??

DO I Need to open a port for DNS Name Resolution ?
I am using DNS Server of ISP as I don't have resources to set-up my own
DNS.

Please Help




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12607&t=12605



RE: Ports with PIX Firewall [7:12605]

2001-07-17 Thread Farhan Ahmed

sorry the correct
u need
for static mapping
static (inside,outside) 204.31.17.4 192.168.3.4 netmask 255.255.255.255
conduit permit tcp host 192.168.3.4 eq smtp any
-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 1:46 PM
To: [EMAIL PROTECTED]
Subject: RE: Ports with PIX Firewall [7:12605]


when u configure the dynamic nat 
users will start connecting

i dont know what u done with the config

send me the config

to block some port

u need
for static mapping
static (inside,outside) 204.31.17.4 192.168.3.4 netmask 255.255.255.255
conduit permit tcp host 10.1.1.1 eq smtp any
 

outbound 10 permit 192.168.1.42 255.255.255.255 irc tcp
 
apply (INSIDE) 10 outgoing_src


SEND ME THE CONFIG
 

-Original Message-
From: Lano Kris
To: [EMAIL PROTECTED]
Sent: 7/17/01 12:54 PM
Subject: Ports with PIX Firewall [7:12605]

I configured my PIX Firewall and opened all the TCP ports, I found that I
can ping yahoo or cisco by ip address but not with name i.e ping cisco.com
doesn't work, then I opened all the UDP Ports also and my Surfing started
also I was able to PING by name.

I just want to allow port 80 (HTTP), FTP , SMTP access to my users.

Which all Ports do I need to Open??

DO I Need to open a port for DNS Name Resolution ?
I am using DNS Server of ISP as I don't have resources to set-up my own
DNS.

Please Help




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12615&t=12605



RE: Error in configuring ISDN [7:12611]

2001-07-17 Thread Farhan Ahmed

u r too much wrong


hostname Cisco2620
!
enable password f
!
no ip name-server
!
isdn switch-type basic-net3
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Dialer 1
 description connected to Internet
 ip address negotiated
 ip nat outside
 no ip split-horizon
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 120
 dialer string 8008000
 dialer hold-queue 10
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname a
 ppp chap password a
 ppp pap sent-username a password a
 no ppp multilink
 no cdp enable
!
interface FastEthernet 0/0
 no description
 no ip address
 ip nat inside
 shutdown
!
interface BRI 0/0
 no shutdown
 description connected to Internet
 no ip address
 ip nat outside
 dialer rotary-group 1
!
! Access Control List 1
!
no access-list 1
access-list 1 deny any
!
! Dialer Control List 1
!
no dialer-list 1
dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface Dialer 1 overload
!
router rip
 version 2
 passive-interface Dialer 1
 no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Dialer 1





Hi ,
   I am facing an error in configuring the ISDN on my Cisco 2620 with the
BRI S/T interface card  , it keeps on getting disconnected after it dials ,
can anyone guide me what mistake I could be making ?


cisco2620#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2620
!
!
username mcse password 0 mcse
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
!
!
interface FastEthernet0/0
 ip address 200.100.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto

no dialer?

!
interface Serial0/0
 ip address 10.100.10.1 255.0.0.0
 no ip directed-broadcast
 clockrate 64000
!
no ip thing

interface BRI0/0
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer string 172324
 dialer-group 2
 isdn switch-type basic-ni
 isdn spid1 0
 isdn spid2 0
 isdn calling-number 172324
 ppp authentication chap
!
ip nat inside source list 1 interface BRI0/0 overload
ip classless
no ip http server
!
access-list 1(2) not 1 anyway there is no use permit any
dialer-list 2 protocol ip list 2
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

cisco2620#

The error message that I am receiving is as follows :


cisco2620#
07:14:36: ISDN BR0/0: Outgoing call id = 0x800C, dsl 0
07:14:36: ISDN BR0/0: Event: Call to 172324 at 64 Kb/s
07:14:36: ISDN BR0/0: process_bri_call(): call id 0x800C, called_number
172324, speed 64, call type DATA
07:14:154618822656: CC_CHAN_GetIdleChanbri: dsl 0
07:14:154618822656: Found idle channel B1
07:14:154618822656: ISDN BR0/0: received HOST_INFORMATION call_id 0x800C
07:14:184683593728: ISDN Event: dsl 0 call_id 0x800C B channel assigned by
switch 0
ISDN BR0/0: received HOST_PROCEEDING call_id 0x800C
07:14:184683593728: B-channel assigned in previous message call id = 0x800C
07:14:186844205132: ISDN BR0/0: received HOST_ALERTING call_id 0x800C
07:14:184683593728: ISDN BR0/0: DEV_CALL_PROGRESSING: modem 3A bchan 0,
call_id 800C, cause 0
07:14:184683593728: ISDN BR0/0: HOST_PROGRESS: VOICE ERROR 3A: bchan 0, call
id 800C
07:14:186844205132: ISDN BR0/0: received HOST_CONNECT call_id 0x800C
07:14:184683593775: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
07:14:184683593792: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to
172324
07:14:186844205036: ISDN BR0/0: Event: Connected to 172324 on B1 at 64 Kb/s
07:14:186844205132: ISDN BR0/0: received HOST_INFORMATION call_id 0x800C
07:14:197568495616: ISDN BR0/0: received HOST_DISCONNECT call_id 0x800C
07:14:197568495616: ISDN BR0/0: Event:  Call to  was hung up.
07:14:199729106892: ISDN BR0/0: process_disc_ack(): call id 0x800C, ces 1,
call type DATA
07:14:197568495663: %ISDN-6-DISCONNECT: Interface BRI0/0:1  disconnected
from 172324 , call lasted 3 seconds
07:14:199729106700: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to
down
07:14:206158430207: CC: dsl 0 No CCB Src->L3 cid 0x800C, ev 0x99 ces 1
07:14:244813135872: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, TEI 80
changed to down
07:14:244813135872:  In L3_StopT309 for dsl 0.
07:14:246973706992: ISDN BR0/0: Incoming call id = 0x3, dsl 0
07:14:246971349881: ISDN BR0/0: received HOST_DISCONNECT_ACK call_id 0x0
07:14:246973747196: ISDN BR0/0: HOST_DISCONNECT_ACK: call type is INTERNAL
07:14:244813135872: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 80
changed to up
07:14:249108103167:  Null Spid: 0
07:14:246971359084:  In L3_StopT309 for dsl 0.
cisco2620#
cisco2620#
cisco2620#

My interface configurations are as follows :
cisco2620#sh int bri0/0
B

RE: sample config on PIX AND VPN ON CISCO [7:12618]

2001-07-17 Thread Farhan Ahmed

do u wana connect cisco to pix via vpn?

-Original Message-
From: RAJESH AGNIHOTRI [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 3:08 PM
To: [EMAIL PROTECTED]
Subject: sample config on PIX AND VPN ON CISCO [7:12618]


Greetings ,


Can u please send me the sample config on PIX FIREWALL WITH STATIC AND 
DYNAMIC NAT AND VPN ON CISCO BOX WITH PRESHARED KEYS




CHEERS

RAJESH




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12626&t=12618



RE: isdn status [7:12599]

2001-07-17 Thread Farhan Ahmed

Cause i = 0x82A2  No circuit/channel available  The connection cannot be
established because no appropriate channel is available to take the call. 

u dont have a free channel

how many bri  u have?
-Original Message-
From: Charlie Hartwell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 12:33 PM
To: [EMAIL PROTECTED]
Subject: Re: isdn status [7:12599]


The first call failed because there were no available b-channels at
the remote end (0x82A2).
From this information I cannot see why layer 1 is going down - try
running "debug isdn q921" and "debug bri" to see if that gives any
clues - it is most likely to be a telco problem though.

Cheers

Charlie

 --- Omer Ehsan Dar  wrote:
> Hi all,
> these contrary messages from two commands have me stumped once it says
> that layer 1 is working and then it says that it isnt. Could anybody
> tell me what the problem is???
> Omer
> 
> 2503#sh isdn stat
> The current ISDN Switchtype = basic-ni1
> ISDN BRI0 interface
> Layer 1 Status:
> ACTIVE
> Layer 2 Status:
> TEI = 76, State = MULTIPLE_FRAME_ESTABLISHED
> TEI = 77, State = MULTIPLE_FRAME_ESTABLISHED
> Spid Status:
> TEI 76, ces = 1, state = 5(init)
> spid1 configured, spid1 sent, spid1 valid
> Endpoint ID Info: epsf = 0, usid = 1, tid = 1
> TEI 77, ces = 2, state = 5(init)
> spid2 configured, spid2 sent, spid2 valid
> Endpoint ID Info: epsf = 0, usid = 3, tid = 1
> Layer 3 Status:
> 0 Active Layer 3 Call(s)
> Activated dsl 0 CCBs = 1
> CCB: callid=0x0, sapi=0, ces=1, B-chan=0
> Total Allocated ISDN CCBs = 1
> 2504#ping 172.16.71.1
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.71.1, timeout is 2
> seconds:
> 
> ISDN BR0: TX ->  SETUP pd = 8  callref = 0x05
> Bearer Capability i = 0x8890
> Channel ID i = 0x83
> Keypad Facility i = '8358661'
> ISDN BR0: RX  Cause i = 0x82A2 - No channel available
> ISDN BR0: Setup was rejected, cause = 22.
> Success rate is 0 percent (0/5)
> 
> BRI unit 0
> D Chan Info:
> Layer 1 is DEACTIVATED
> idb 0xBB2F0, ds 0xCB6E8, reset_mask 0x8
> buffer size 1524
> RX ring with 2 entries at 0x2101600 : Rxhead 1
> 00 pak=0x108E34 ds=0x407EDC4 status=D000 pak_size=0
> 01 pak=0x0CBA78 ds=0x403E1C0 status=F000 pak_size=0
> TX ring with 1 entries at 0x2101640: tx_count = 0, tx_head = 0,
> tx_tail
> = 0
> 00 pak=0x00 ds=0x00 status=00 pak_size=0
> 0 missed datagrams, 0 overruns, 0 bad frame addresses
> 0 bad datagram encapsulations, 0 memory errors
> 0 transmitter underruns
> 0 d channel collisions
> B1 Chan Info:
> Layer 1 is DEACTIVATED
> idb 0xC0628, ds 0xCB7C0, reset_mask 0x0
> buffer size 1524
> RX ring with 8 entries at 0x2101400 : Rxhead 0
> 00 pak=0x0CC87C ds=0x40410C8 status=D000 pak_size=0
> 01 pak=0x0CC6AC ds=0x4040A10 status=D000 pak_size=0
> 02 pak=0x0CC4DC ds=0x4040358 status=D000 pak_size=0
> 03 pak=0x0CC30C ds=0x403FCA0 status=D000 pak_size=0
> X ring with 4 entries at 0x2101440: tx_count = 0, tx_head = 0,
> tx_tail =
> 0
> 00 pak=0x00 ds=0x00 status=5C00 pak_size=0
> 01 pak=0x00 ds=0x00 status=5C00 pak_size=0
> 02 pak=0x00 ds=0x00 status=5C00 pak_size=0
> 03 pak=0x00 ds=0x00 status=7C00 pak_size=0
> 0 missed datagrams, 0 overruns, 0 bad frame addresses
> 0 bad datagram encapsulations, 0 memory errors
> 0 transmitter underruns
> 0 d channel collisions
> B2 Chan Info:
> Layer 1 is DEACTIVATED
> idb 0xC5960, ds 0xCB890, reset_mask 0x2
> buffer size 1524
> RX ring with 8 entries at 0x2101500 : Rxhead 0
> 00 pak=0x0CE6D0 ds=0x4047C48 status=D000 pak_size=0
> 01 pak=0x0CE500 ds=0x4047590 status=D000 pak_size=0
> 02 pak=0x0CE330 ds=0x4046ED8 status=D000 pak_size=0
> 03 pak=0x0CE160 ds=0x4046820 status=D000 pak_size=0
> 04 pak=0x108524 ds=0x407CC2C status=D000 pak_size=0
> 05 pak=0x108354 ds=0x407C574 status=D000 pak_size=0
> 06 pak=0x108184 ds=0x407BEBC status=D000 pak_size=0
> 07 pak=0x107FB4 ds=0x407B804 status=F000 pak_size=0
> TX ring with 4 entries at 0x2101540: tx_count = 0, tx_head = 0,
> tx_tail
> = 0
> 00 pak=0x00 ds=0x00 status=5C00 pak_size=0
> 01 pak=0x00 ds=0x00 status=5C00 pak_size=0
> 02 pak=0x00 ds=0x00 status=5C00 pak_size=0
> 03 pak=0x00 ds=0x00 status=7C00 pak_size=0
> 0 missed datagrams, 0 overruns, 0 bad frame addresses
> 0 bad datagram encapsulations, 0 memory errors
> 0 transmitter underruns
> 0 d channel collisions
> 
> 2504#ping 172.16.71.1
> 
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.71.1, timeout is 2
> seconds:
> 
> ISDN BR0: Outgoing call id = 0x8007
> ISDN BR0: Event: Call to 8358661 at 64 Kb/s
> ISDN BR0: Activating..
> %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 73 changed to
> down
> ISDN BR0: received HOST_DISCONNECT_ACK
> ISDN BR0: Error: Unexpected Disconnect_Ack - callid 8007..
> ISDN BR0: Physical layer is IF_DOWN
> ISDN BR0: Shutt

RE: VTP config on 3548 [7:12629]

2001-07-17 Thread Farhan Ahmed

NV Ram or TFTP server

-Original Message-
From: Radford Dion [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 4:54 PM
To: [EMAIL PROTECTED]
Subject: VTP config on 3548 [7:12629]


Im trying to configure VTP on a 3548 switch, but when its asking me to
provide a file of vtp configuration details as shown below:


FSFPH0600B(config)#vtp ?
  file  Configure IFS filesystem file where VTP configuration is stored.
   

Does anyone know how this works and what is the syntax of the information in
file?

Thanks,

Dion




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12630&t=12629



RE: Error in configuring ISDN [7:12611]

2001-07-17 Thread Farhan Ahmed

first of all in basic net3 u dont need spids 
and the second u dont have a ip assigned to your bri neither you are using
easy ip there is no dialer as well

what happen to u guys

-Original Message-
From: Danner, John (ZoomTown) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 6:37 PM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


The spids are definitely wrong:
From debug:
07:14:249108103167:  Null Spid: 0

From config:
isdn spid1 0
isdn spid2 0

Is this in a lab setting with a isdn simulator or with a transport from the
phone company?
If it's with the phone company you need to put the spids the phone company
gave you into the configuration or you won't be able to dial correctly.  

If it's in a lab - I don't know. :(

-John


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Hire, Ejay
Sent: Tuesday, July 17, 2001 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


I may be way off, but I think your spids are wrong.  Call the Phone company
and ask them what your spids are supposed to be.  

> TEI 80, ces = 1, state = 8(established)
> spid1 configured, no LDN, spid1 NOT sent, spid1 NOT valid
> TEI Not Assigned, ces = 2, state = 1(terminal down)
> spid2 configured, no LDN, spid2 NOT sent, spid2 NOT valid

-Ejay


-Original Message-
From: NKP [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 6:25 AM
To: [EMAIL PROTECTED]
Subject: Error in configuring ISDN [7:12611]


Hi ,
   I am facing an error in configuring the ISDN on my Cisco 2620 with the
BRI S/T interface card  , it keeps on getting disconnected after it dials ,
can anyone guide me what mistake I could be making ?


cisco2620#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2620
!
!
username mcse password 0 mcse
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
!
!
interface FastEthernet0/0
 ip address 200.100.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.100.10.1 255.0.0.0
 no ip directed-broadcast
 clockrate 64000
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer string 172324
 dialer-group 2
 isdn switch-type basic-ni
 isdn spid1 0
 isdn spid2 0
 isdn calling-number 172324
 ppp authentication chap
!
ip nat inside source list 1 interface BRI0/0 overload
ip classless
no ip http server
!
access-list 1 permit any
dialer-list 2 protocol ip list 2
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

cisco2620#

The error message that I am receiving is as follows :


cisco2620#
07:14:36: ISDN BR0/0: Outgoing call id = 0x800C, dsl 0
07:14:36: ISDN BR0/0: Event: Call to 172324 at 64 Kb/s
07:14:36: ISDN BR0/0: process_bri_call(): call id 0x800C, called_number
172324, speed 64, call type DATA
07:14:154618822656: CC_CHAN_GetIdleChanbri: dsl 0
07:14:154618822656: Found idle channel B1
07:14:154618822656: ISDN BR0/0: received HOST_INFORMATION call_id 0x800C
07:14:184683593728: ISDN Event: dsl 0 call_id 0x800C B channel assigned by
switch 0
ISDN BR0/0: received HOST_PROCEEDING call_id 0x800C
07:14:184683593728: B-channel assigned in previous message call id = 0x800C
07:14:186844205132: ISDN BR0/0: received HOST_ALERTING call_id 0x800C
07:14:184683593728: ISDN BR0/0: DEV_CALL_PROGRESSING: modem 3A bchan 0,
call_id 800C, cause 0
07:14:184683593728: ISDN BR0/0: HOST_PROGRESS: VOICE ERROR 3A: bchan 0, call
id 800C
07:14:186844205132: ISDN BR0/0: received HOST_CONNECT call_id 0x800C
07:14:184683593775: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
07:14:184683593792: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to
172324
07:14:186844205036: ISDN BR0/0: Event: Connected to 172324 on B1 at 64 Kb/s
07:14:186844205132: ISDN BR0/0: received HOST_INFORMATION call_id 0x800C
07:14:197568495616: ISDN BR0/0: received HOST_DISCONNECT call_id 0x800C
07:14:197568495616: ISDN BR0/0: Event:  Call to  was hung up.
07:14:199729106892: ISDN BR0/0: process_disc_ack(): call id 0x800C, ces 1,
call type DATA
07:14:197568495663: %ISDN-6-DISCONNECT: Interface BRI0/0:1  disconnected
from 172324 , call lasted 3 seconds
07:14:199729106700: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to
down
07:14:206158430207: CC: dsl 0 No CCB Src->L3 cid 0x800C, ev 0x99 ces 1
07:14:244813135872: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, TEI 80
changed to down
07:14:244813135872:  In L3_StopT309 for dsl 0.
07:14:246973706992: ISDN BR0/0: Incoming call id = 0x3, dsl 0
07:14:246971349881: ISDN BR0/0: received HOST_DISCONNECT_ACK call_id 0x0
07:14:246973747196: ISDN BR0/0: HOST_DISCONNECT_ACK: call type is INTERNAL
07:14:244813135872: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 80
changed to up
07:14:2491

RE: WIC to WIC Connection [7:12668]

2001-07-17 Thread Farhan Ahmed

get a cross over cable from ebay.com

-Original Message-
From: Chris Headings [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 8:05 PM
To: [EMAIL PROTECTED]
Subject: WIC to WIC Connection [7:12668]


Hello all, setting up a small lab w/2 2621's.  Would like to create a
"WAN" cable to be able to bring up a serial connection between routers.  Is
it possible and if so, what is the pin-out's to custom create it

Thx

Chris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12670&t=12668



RE: PIX 506 hang up!!!! [7:5132]

2001-07-17 Thread Farhan Ahmed

security breach is occurring
%PIX-7-106011: Deny inbound (No xlate) chars

Explanation   This is a connection-related message. This message occurs when
a packet is sent to the same interface that it arrived on. This usually
indicates that a security breach is occurring. When the PIX Firewall
receives a packet, it tries to establish a translation slot based on the
security policy you set with the global and conduit commands, and your
routing policy set with the route command. 

Failing both policies, PIX Firewall allows the packet to flow from the
higher priority network to a lower priority network, if it is consistent
with the security policy. If a packet comes from a lower priority network
and the security policy does not allow it, PIX Firewall routes the packet
back to the same interface.

To provide access from an interface with a higher security to a lower
security, use the nat and global commands. For example, use the nat command
to let inside users access outside servers, to let inside users access
perimeter servers, and to let perimeter users access outside servers.

To provide access from an interface with a lower security to higher
security, use the static and conduit commands. For example, use the static
and conduit commands to let outside users access inside servers, outside
users access perimeter servers, or perimeter servers access inside servers.

Action Fix your configuration to reflect your security policy for handling
these attack events.


-Original Message-
From: Magdy H. Ibrahim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 7:23 PM
To: "Farhan Ahmed"
Subject: Re: PIX 506 hang up [1:5132]


Assalamo Alikom Farhan,

Thanx in advance to your help..
Kindly find attached file which contained the output of sh tech ...

Awaiting for your reply

Magdy


- Original Message - 
From: ""Farhan Ahmed"" 
Newsgroups: groupstudy.associate
Sent: Tuesday, July 17, 2001 6:27 PM
Subject: RE: PIX 506 hang up [1:5132]


> send me the sh tech support
> output
> 
> -Original Message-
> From: Magdy H. Ibrahin [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 6:57 PM
> To: [EMAIL PROTECTED]
> Subject: PIX 506 hang up [1:5132]
> 
> 
> Dear All,
> 
> Please help to solve up this problem Which I faced with my PIX 506.
> from three days ago, my PIX 506 hang up and stop response to any process
> even from the console interface...
> I found the three leds "Power, ACT, Network" switched off.
> When I turn its power off and on it works fine for few hours...
> and each time It needs to switching off/on the power key.
> I do know how to investigate this problem or what is the cause of it...
> Is there any guy of you can help me in this...
> 
> Any reply will be appreciated...
> 
> Thanx
> 
> Magdy H. Ibrahim
> CCNA, MCSE
> Purenet Internetworking




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12677&t=5132



RE: DLCI [7:12679]

2001-07-17 Thread Farhan Ahmed

no 

-Original Message-
From: SH Wesson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 8:47 PM
To: [EMAIL PROTECTED]
Subject: DLCI [7:12679]


Can we have two DLCI having the same number on the same router but point to 
different destinations on different interfaces?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12682&t=12679



RE: Error in configuring ISDN [7:12611]

2001-07-17 Thread Farhan Ahmed

why he put then and where is the ip ,u cant define switch type on legacy ddr
can u?
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2620
!
!
username mcse password 0 mcse
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
!
!
interface FastEthernet0/0
 ip address 200.100.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.100.10.1 255.0.0.0
 no ip directed-broadcast
 clockrate 64000
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer string 172324
 dialer-group 2
 isdn switch-type basic-ni
 isdn spid1 0
 isdn spid2 0
 isdn calling-number 172324
 ppp authentication chap


-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 9:27 PM
To: 'Farhan Ahmed'; '[EMAIL PROTECTED]'
Subject: RE: Error in configuring ISDN [7:12611]


The Switch type as defined under the interface is Basic-ni.  According to
http://www.cisco.com/warp/public/129/bri_invalid_spid.html this switch type
requires spids.
Additionally, this is an exact copy of the invalid spid example in the Cisco
troubleshooter. http://www.cisco.com/warp/public/129/bri_sh_isdn_stat.html
Not having an Ip address will cause it not to work, but it won't cause the
call not to complete.
This configuration doesn't require a dialer interface.  It is using legacy
configuration.

-Ejay

-----Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


first of all in basic net3 u dont need spids 
and the second u dont have a ip assigned to your bri neither you are using
easy ip there is no dialer as well

what happen to u guys

-Original Message-
From: Danner, John (ZoomTown) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 6:37 PM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


The spids are definitely wrong:
From debug:
07:14:249108103167:  Null Spid: 0

From config:
isdn spid1 0
isdn spid2 0

Is this in a lab setting with a isdn simulator or with a transport from the
phone company?
If it's with the phone company you need to put the spids the phone company
gave you into the configuration or you won't be able to dial correctly.  

If it's in a lab - I don't know. :(

-John


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Hire, Ejay
Sent: Tuesday, July 17, 2001 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


I may be way off, but I think your spids are wrong.  Call the Phone company
and ask them what your spids are supposed to be.  

> TEI 80, ces = 1, state = 8(established)
> spid1 configured, no LDN, spid1 NOT sent, spid1 NOT valid
> TEI Not Assigned, ces = 2, state = 1(terminal down)
> spid2 configured, no LDN, spid2 NOT sent, spid2 NOT valid

-Ejay


-Original Message-
From: NKP [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 6:25 AM
To: [EMAIL PROTECTED]
Subject: Error in configuring ISDN [7:12611]


Hi ,
   I am facing an error in configuring the ISDN on my Cisco 2620 with the
BRI S/T interface card  , it keeps on getting disconnected after it dials ,
can anyone guide me what mistake I could be making ?


cisco2620#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2620
!
!
username mcse password 0 mcse
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
!
!
interface FastEthernet0/0
 ip address 200.100.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.100.10.1 255.0.0.0
 no ip directed-broadcast
 clockrate 64000
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer string 172324
 dialer-group 2
 isdn switch-type basic-ni
 isdn spid1 0
 isdn spid2 0
 isdn calling-number 172324
 ppp authentication chap
!
ip nat inside source list 1 interface BRI0/0 overload
ip classless
no ip http server
!
access-list 1 permit any
dialer-list 2 protocol ip list 2
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

cisco2620#

The error message that I am receiving is as follows :


cisco2620#
07:14:36: ISDN BR0/0: Outgoing call id = 0x800C, dsl 0
07:14:36: ISDN BR0/0: Event: Call to 172324 at 64 Kb/s
07:14:36: ISDN BR0/0: process_bri_call(): call id 0x800C, called_number
172324, speed 64, call type DATA
07:14:154618822656: CC_CHAN_GetIdleChanbri: dsl 0
07:14:154618822656: Found idle channel B1
07:14:154618822656: ISDN BR0/

RE: DLCI [7:12679]

2001-07-17 Thread Farhan Ahmed

may be if u are using a specific service provider
dlci is local specific

Frame Relay (DLCI) Data Link Connection Identifier
Frame Relay virtual circuits are identified by their data link connection
identifiers or DLCI. DLCI have numeric values that are usually assigned by
the service provider or public carrier. Although they are typically assigned
by the service provider they are only important at a local level as the
service provider are not unique in the Frame Relay network. Also, it is not
unusual for two DTE devices connected with a virtual circuit to use
different DLCI values when communicating on the same connection.
 

-Original Message-
From: NP-BASS LEON [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 9:32 PM
To: 'Farhan Ahmed'; [EMAIL PROTECTED]
Subject: RE: DLCI [7:12679]


OKAY, I THINK WE NEED TO GET THIS STRAIGHT, I HAVE A YES AND A NO

WRITTEN EARLIER, IT WAS QUOTED AS SAYING THAT:

Yes you can.  The local telco will map the DLCI to what ever the host
circuit is... we are an ISP and have the same DLCI sometimes 3 or 4 times
mapping to different host circuits all destined to different clients

-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 1:04 PM
To: [EMAIL PROTECTED]
Subject: RE: DLCI [7:12679]


no 

-Original Message-
From: SH Wesson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 8:47 PM
To: [EMAIL PROTECTED]
Subject: DLCI [7:12679]


Can we have two DLCI having the same number on the same router but point to 
different destinations on different interfaces?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12695&t=12679



RE: Error in configuring ISDN [7:12611]

2001-07-17 Thread Farhan Ahmed

it's saying connected?
07:14:186844205132: ISDN BR0/0: received HOST_CONNECT call_id 0x800C
07:14:184683593775: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
07:14:184683593792: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to

-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 9:47 PM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


The Switch type as defined under the interface is Basic-ni.  According to
http://www.cisco.com/warp/public/129/bri_invalid_spid.html this switch type
requires spids.
Additionally, this is an exact copy of the invalid spid example in the Cisco
troubleshooter. http://www.cisco.com/warp/public/129/bri_sh_isdn_stat.html
Not having an IP address will cause it not to work, but it won't cause the
call not to complete.
This configuration doesn't require a dialer interface.  It is using legacy
configuration.

-Ejay

-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


first of all in basic net3 u don't need spids 
and the second u don't have an ip assigned to your bri neither you are using
easy ip there is no dialer as well

what happen to u guys

-Original Message-
From: Danner, John (ZoomTown) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 6:37 PM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


The spids are definitely wrong:
From debug:
07:14:249108103167:  Null Spid: 0

From config:
isdn spid1 0
isdn spid2 0

Is this in a lab setting with an isdn simulator or with a transport from the
phone company?
If it's with the phone company you need to put the spids the phone company
gave you into the configuration or you won't be able to dial correctly.  

If it's in a lab - I don't know. :(

-John


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Hire, Ejay
Sent: Tuesday, July 17, 2001 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: Error in configuring ISDN [7:12611]


I may be way off, but I think your spids are wrong.  Call the Phone company
and ask them what your spids are supposed to be.  

> TEI 80, ces = 1, state = 8(established)
> spid1 configured, no LDN, spid1 NOT sent, spid1 NOT valid
> TEI Not Assigned, ces = 2, state = 1(terminal down)
> spid2 configured, no LDN, spid2 NOT sent, spid2 NOT valid

-Ejay


-Original Message-
From: NKP [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 6:25 AM
To: [EMAIL PROTECTED]
Subject: Error in configuring ISDN [7:12611]


Hi ,
   I am facing an error in configuring the ISDN on my Cisco 2620 with the
BRI S/T interface card  , it keeps on getting disconnected after it dials ,
can anyone guide me what mistake I could be making ?


cisco2620#sh run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2620
!
!
username mcse password 0 mcse
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
!
!
interface FastEthernet0/0
 ip address 200.100.10.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.100.10.1 255.0.0.0
 no ip directed-broadcast
 clockrate 64000
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 ip nat outside
 encapsulation ppp
 dialer string 172324
 dialer-group 2
 isdn switch-type basic-ni
 isdn spid1 0
 isdn spid2 0
 isdn calling-number 172324
 ppp authentication chap
!
ip nat inside source list 1 interface BRI0/0 overload
ip classless
no ip http server
!
access-list 1 permit any
dialer-list 2 protocol ip list 2
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

cisco2620#

The error message that I am receiving is as follows :


cisco2620#
07:14:36: ISDN BR0/0: Outgoing call id = 0x800C, dsl 0
07:14:36: ISDN BR0/0: Event: Call to 172324 at 64 Kb/s
07:14:36: ISDN BR0/0: process_bri_call(): call id 0x800C, called_number
172324, speed 64, call type DATA
07:14:154618822656: CC_CHAN_GetIdleChanbri: dsl 0
07:14:154618822656: Found idle channel B1
07:14:154618822656: ISDN BR0/0: received HOST_INFORMATION call_id 0x800C
07:14:184683593728: ISDN Event: dsl 0 call_id 0x800C B channel assigned by
switch 0
ISDN BR0/0: received HOST_PROCEEDING call_id 0x800C
07:14:184683593728: B-channel assigned in previous message call id = 0x800C
07:14:186844205132: ISDN BR0/0: received HOST_ALERTING call_id 0x800C
07:14:184683593728: ISDN BR0/0: DEV_CALL_PROGRESSING: modem 3A bchan 0,
call_id 800C, cause 0
07:14:184683593728: ISDN BR0/0: HOST_PROGRESS: VOICE ERROR 3A: bchan 0, call
id 800C
07:14:186844205132: ISDN BR0/0: received HOST_CONNECT call_id 0x800C
07:14:184683593775: %LINK-3-UPDOWN: Interface BRI0/0:1, changed

RE: WIC to WIC Connection [7:12668]

2001-07-17 Thread Farhan Ahmed

u can buy 1 cable crossover

-Original Message-
From: Juliano Moises da Luz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 9:42 PM
To: [EMAIL PROTECTED]
Subject: Re: WIC to WIC Connection [7:12668]


You're correct. It will need a DTE and a DCE cable. The part numbers
are CAB-V35MT(dte cable) and a CAB-V35-FC(dce cable).

He needs to configure the clock on the interface:

config-if#clock rate 64000



- Original Message -
From: "Paulo Cesar Buerger" 
To: 
Sent: Tuesday, July 17, 2001 2:04 PM
Subject: RE: WIC to WIC Connection [7:12668]


> I'm not sure if a cross cable is enough. What about the clock ? If we have 2
> DTE cables are we able to generate the clock ? Maybe a DCE cable (for one of
> the routers) be the best solution.
>
> > -Original Message-
> > From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 17, 2001 13:23
> > To: [EMAIL PROTECTED]
> > Subject: RE: WIC to WIC Connection [7:12668]
> >
> >
> > get a cross over cable from ebay.com
> >
> > -Original Message-
> > From: Chris Headings [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 17, 2001 8:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: WIC to WIC Connection [7:12668]
> >
> >
> > Hello all... setting up a small lab w/2 2621's.  Would like to create a
> > "WAN" cable to be able to bring up a serial connection between routers.  Is
> > it possible and if so, what is the pin-out's to custom create it
> >
> > Thx
> >
> > Chris
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12698&t=12668



RE: Ports with PIX Firewall [7:12625]

2001-07-17 Thread Farhan Ahmed

just put

access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq ftp
access-list acl_in deny tcp any any
access-list acl_in deny udp any any
access-group acl_in in interface inside 

let me know

Building configuration...
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names



access-list ping_acl permit icmp any any 
access-list ping_acl permit tcp any any eq www 
access-list ping_acl permit tcp any any 
access-list ping_acl permit udp any any 
access-list acl_out permit icmp any any 
access-list acl_out permit tcp any any eq www 
access-list acl_out permit tcp any any 
access-list acl_out permit udp any any 


pager lines 24

interface ethernet0 100basetx
interface ethernet1 100basetx

mtu outside 1500
mtu inside 1500
mtu ndtv 1500
ip address outside 172.110.0.2 255.255.0.0
ip address inside 172.100.0.1 255.255.0.0

ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0

pdm history enable
arp timeout 600
global (outside) 1 202.196.214.40-202.196.214.45 netmask 255.255.255.224
global (outside) 1 202.196.214.46

nat (inside) 1 172.100.0.0 255.255.0.0 0 0

access-group acl_out in interface outside
access-group ping_acl in interface inside

route outside 0.0.0.0 0.0.0.0 172.110.0.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat

telnet 172.100.0.0 255.255.0.0 inside
telnet 172.120.0.0 255.255.0.0 inside

telnet timeout 5
ssh timeout 5
terminal width 80
 Cryptochecksum:b27e96cd58b6c27b71ff163898579460
[OK]
 pixfirewall# 
>  -Original Message-
> From: Support [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, July 17, 2001 2:54 PM
> To:   [EMAIL PROTECTED]
> Subject:  Ports with PIX Firewall
> 
> Dear Farhan,
> 
> This is my configuration.
> 
>  >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12625&t=12625
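
PIX access lists like the ones in this message are evaluated top-down and the first matching entry decides, so a broad entry placed early hides every narrower entry after it. The following is an added example, not part of the original post: a small checker that flags entries that can never match. It assumes only the simple `access-list NAME permit|deny PROTO SRC DST [eq PORT]` form, and the sample lines are constructed in the thread's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports used in the samples below (assumption: only these three are needed).
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    line_no: int
    acl: str
    action: str              # "permit" or "deny"
    proto: str               # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]      # None means any destination port
    text: str


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    # strict=False: a host address with a network mask is read as its network.
    return ipaddress.ip_network(f"{head}/{mask}", strict=False)


def parse_acl(config: str) -> List[Ace]:
    """Parse simple access-list lines; anything else in the config is skipped."""
    aces = []
    for n, line in enumerate(config.splitlines(), 1):
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1:4]
        if action not in ("permit", "deny"):
            continue
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        aces.append(Ace(n, name, action, proto, src, dst, port, line.strip()))
    return aces


def covers(earlier: Ace, later: Ace) -> bool:
    """True if every packet matching `later` already matches `earlier`."""
    if earlier.acl != later.acl:
        return False
    if earlier.proto != "ip" and earlier.proto != later.proto:
        return False
    if not (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)):
        return False
    return earlier.port is None or earlier.port == later.port


def find_shadowed(aces: List[Ace]) -> List[Tuple[str, Ace, Ace]]:
    """Return (kind, shadowed_entry, shadowing_entry) for unreachable entries.

    kind is "conflict" when the two actions differ (the later entry's intent
    is silently lost) and "redundant" when they agree.
    """
    findings = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((kind, later, earlier))
                break
    return findings


# Constructed samples: the same entries in two different orders.
DENY_FIRST = """\
access-list acl_in deny tcp any any
access-list acl_in deny udp any any
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any
"""
PERMIT_FIRST = """\
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
access-list acl_in deny tcp any any
access-list acl_in deny udp any any
"""

if __name__ == "__main__":
    for label, cfg in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        print(f"== {label} ==")
        for kind, later, earlier in find_shadowed(parse_acl(cfg)):
            print(f"{kind}: line {later.line_no} '{later.text}' never matches; "
                  f"hidden by line {earlier.line_no} '{earlier.text}'")
```
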



RE: 3500 xl switch problem [7:12705]

2001-07-17 Thread Farhan Ahmed

Changing IP Information
You can assign and change the IP information of your switch in the following
ways:


- Using the setup program, as described in the release notes
- Manually assigning an IP address, as described in this section
- Using Dynamic Host Configuration Protocol (DHCP)-based autoconfiguration, as
  described in this section

Caution: Changing the switch IP address ends any CMS, Telnet, or Simple
Network Management Protocol (SNMP) session. To restart your CMS session,
enter the new IP address in the browser Location field (Netscape
Communicator) or Address field (Internet Explorer). To restart your CLI
session through Telnet, follow the steps described in the "Accessing the
CLI" section.

Note: If you enabled the DHCP feature, the switch assumes you are using an
external server for IP address allocation. While this feature is enabled,
any values you manually enter (from the CMS or from the ip address command)
are ignored.

Manually Assigning and Removing Switch IP Information
You can manually assign an IP address, mask, and default gateway to the
switch. The mask identifies the bits that denote the network number in the
IP address. When you use the mask to subnet a network, the mask is then
referred to as a subnet mask. The broadcast address is reserved for sending
messages to all hosts. The CPU sends traffic to an unknown IP address
through the default gateway.

Beginning in privileged EXEC mode, follow these steps to enter the IP
information:

Step    Command / Purpose

Step 1  configure terminal
        Enter global configuration mode.

Step 2  interface vlan 1
        Enter interface configuration mode, and enter the VLAN to which the IP
        information is assigned. VLAN 1 is the default management VLAN, but you
        can configure any VLAN from IDs 1 to 1001.

Step 3  ip address ip_address subnet_mask
        Enter the IP address and subnet mask.

Step 4  exit
        Return to global configuration mode.

Step 5  ip default-gateway ip_address
        Enter the IP address of the default router.

Step 6  end
        Return to privileged EXEC mode.

Step 7  show running-config
        Verify that the information was entered correctly by displaying the
        running configuration. If the information is incorrect, repeat the
        procedure.


Use the following procedure to remove the IP information from a switch. 
-Original Message-
From: Angel [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 11:33 PM
To: [EMAIL PROTECTED]
Subject: 3500 xl switch problem [7:12705]


Hello Everyone!

I changed the management VLAN of a 3500 switch through the
browser-based cisco cluster management suite (CMS).  By default the
switch IP address belongs to the management VLAN which is VLAN 1. Only
one VLAN can be administratively active at the same time. By changing to
a newly created vlan I have lost the chance to manage the default vlan.
can't no longer console or access via the assigned IP address.

Thanks in advance if anyone knows anything about this!

Angel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12712&t=12705



RE: Need to bypass Firewall-Can the telnet port be changed? [7:12715]

2001-07-17 Thread Farhan Ahmed

How to Change Terminal Server's Listening Port 



The information in this article applies to:

Microsoft Windows NT Server version 4.0, Terminal Server Edition 
Microsoft Windows 2000 Advanced Server 
Microsoft Windows 2000 Professional 
Microsoft Windows 2000 Server



IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key"
Help topic in Regedt32.exe.


SUMMARY
By default Terminal Server and Windows 2000 Terminal Services uses TCP port
3389 for client connections. Microsoft does not recommend that this value be
changed. However, if it becomes necessary to change this port, follow these
instructions. 



MORE INFORMATION
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it.
If you are running Windows NT or Windows 2000, you should also update your
Emergency Repair Disk (ERD).

To change the default port for all new connections created on the Terminal
Server: 

Run Regedt32 and go to this key:


   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal
   Server\Wds\Repwd\Tds\Tcp 
NOTE: The above registry key is one path; it has been wrapped for
readability. 


Find the "PortNumber" subkey and notice the value of 0D3D, hex for
(3389). Modify the port number in Hex and save the new value. 

To change the port for a specific connection on the Terminal Server:


Run Regedt32 and go to this key: 
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal
  Server\WinStations\ 
NOTE: The above registry key is one path; it has been wrapped for
readability. 


Find the "PortNumber" subkey and notice the value of 0D3D, hex for
(3389). Modify the port number in Hex and save the new value.

NOTE: Because the use of alternate ports has not been fully implemented for
Terminal Server 4.0, support will be provided as "reasonable effort" only,
and Microsoft may require you to set the port back to 3389, if any problems
occur. 


To Alter the Port on the Client Side
Open Client Connection Manager.


On the File menu, click New Connection, and then create the new connection.
After running the wizard, you should have a new connection listed there.


Making sure that the new connection is highlighted, on the File menu, click
Export. Save it as name.cns.


Edit the .cns file using Notepad changing "Server Port=3389" to "Server
Port=" where  is the new port that you specified on Terminal Server.


Now import the file back into Client Connection Manager. You may be prompted
to overwrite the current one, if it has the same name. Go ahead and
overwrite it. You now have a client that has the correct port settings to
match your change Terminal Server settings.


NOTE: The Terminal Server ActiveX client listens on TCP port 3389 and cannot
be changed. 


-Original Message-
From: Lurker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 17, 2001 11:56 PM
To: [EMAIL PROTECTED]
Subject: Need to bypass Firewall-Can the telnet port be changed?
[7:12707]


I need to use the VPN to get to my study lab in the office.  Unfortunately,
telnet appears to be blocked.  Is it possible to change the terminal server
configuration so it answers on a different port such as port 80?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12715&t=12715



RE: WAN link funnies - UP UP but no comms- on same subnet!!! [7:12776]

2001-07-18 Thread Farhan Ahmed

set a static route
ip route 0.0.0.0 0.0.0.0 serial0
ip route 0.0.0.0 0.0.0.0 serial0

r u using unnumbered?
 send me sh int s0

-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12774]


HI all, 

Strange problem here.

The serial interface are UP UP on both sides, but we are not able to ping
each other  - even though directly connected. A "debug ip ICMP" on the
remote site shows the ping coming through and replying, but the reply never
gets back.
Also the remote site saw my router using CDP, but I do not see him.

Any ideas??

I believe this is Telco related, but the line shows clean from the interface
stats

Andrew




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12776&t=12776



RE: What is no Free B-channels [7:12775] caveats [7:12782]

2001-07-18 Thread Farhan Ahmed

Caveats
Caveats describe unexpected behavior in Cisco IOS software releases.
Severity 1 caveats are the most serious caveats; severity 2 caveats are less
serious. Severity 3 caveats are moderate caveats, and only select severity 3
caveats are included in the caveats document.

For information on caveats in Cisco IOS Release 12.2 T, refer to the Caveats
for Cisco IOS 
Release 12.2 T document, which lists severity 1 and 2 caveats and select
severity 3 caveats for 
Cisco IOS Release 12.2 T and is located on Cisco.com and the Documentation
CD-ROM.

All caveats in Cisco IOS Release 12.2(2)T are also in Cisco IOS Release
12.2(2) XA.

Caveat numbers and brief descriptions are listed in Table 13. For details
about a particular caveat, go to Bug Toolkit at:

http://www.cisco.com/kobayashi/bugs/bugs.html

To access this location, you must have an account on Cisco.com. For
information about how to obtain an account, go to the "Feature Navigator"
section.


Note: If you have an account with Cisco.com, you can use Bug Navigator II
to find caveats of any severity for any release. To reach Bug Navigator II,
log in to Cisco.com and click Software Center: Cisco IOS Software: Cisco
Bugtool Navigator II. Another option is to go to
http://www.cisco.com/support/bugtools/bugtool.shtml.

Open Caveats for Release 12.2(2) XA
At publication time, all the caveats listed in Table 13 are unresolved in
Cisco IOS Release 12.2(2) XA. This table lists only severity 1 and 2 caveats
and select severity 3 caveats.


Table 13: Open Caveats for Release 12.2(2) XA

Caveat ID Number  Description
CSCdu29508        Router crashed with dsp 3.6.8 firmware
CSCdu46752        Cisco 3640 router crash
CSCdu38445        ISDN BRI :isdn_is_bchannel_available: no free B channels
CSCdt84774        Crash and alignment error at tcp_removeackedsendsegments on Cisco 3600
CSCdt11921        Ping failed on interfaces when fast switching is configured


Closed and Resolved Caveats for Release 12.2(2) XA
As of publication date, none of the caveats listed in Table 13 are resolved
for the Cisco 3600 in Cisco IOS Release 12.2(2) XA. For current information,
check the caveat number in the Bug Toolkit at:

http://www.cisco.com/kobayashi/bugs/bugs.html


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 2:16 PM
To: [EMAIL PROTECTED]
Subject: Re:What is no Free B-channels [7:12775]


Hi everybody, I have 2 routers connected using ISDN line. Router A dials out
to Router B in multilink mode wherein the 2nd call gets generated when the
traffic reaches 40%
 dialer load-threshold 100 outbound
Using command sh isdn active, I can see 2 calls generated on 2 B-channels
 but at the same time I am getting messages like this continuously when I
 am putting terminal monitor on.


0:36:10: ISDN BRI1/0: isdn_is_bchannel_available: No Free B-channels
0:36:12: ISDN BRI1/0: isdn_is_bchannel_available: No Free B-channels
0:36:14: ISDN BRI1/0: isdn_is_bchannel_available: No Free B-channels
0:36:16: ISDN BRI1/0: isdn_is_bchannel_available: No Free B-channels



Can anybody explain what this message indicates?
Also sometimes the calls are not initiated on router A end, what could be
the reason ?


Regards
Bware




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12782&t=12782



RE: WAN link funnies - UP UP but no comms- on same subnet!!! [7:12789]

2001-07-18 Thread Farhan Ahmed

The counters for interface Serial3/0 have never been reset.
TRY THIS: Use the command 'clear counters' to insure current information is
being displayed.


-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 4:01 PM
To: [EMAIL PROTECTED]
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12785]


The interface resets are from when we moved the config to other ports to
rule out physical issues

First side
Serial3/0 is up, line protocol is up 
  Hardware is CD2430 in sync mode
  Description: 
  Internet address is 10.99.253.17/30
  MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: priority-list 1
  Output queue (queue priority: size/max/drops):
 high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
  5 minute input rate 25000 bits/sec, 60 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 1073220 packets input, 61641174 bytes, 0 no buffer
 Received 1911 broadcasts, 0 runts, 0 giants, 0 throttles
 2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
 9220 packets output, 906798 bytes, 0 underruns
 0 output errors, 0 collisions, 4 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Remote side:
Serial1/0 is up, line protocol is up 
  Hardware is CD2430 in sync mode
  Description: xxx 
  Internet address is 10.99.253.18/30
  MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters 00:00:02
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: priority-list 1
  Output queue (queue priority: size/max/drops):
 high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 1 packets input, 56 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 1 packets output, 56 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2001 13:24
To: 'Andrew Larkins'
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:1 2780]


send me the sh int

-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12780]


the very weird thing here is that RTS DTS etc are all up... both devices are
on a /30 subnet no problems here. I do not need any routing because these
are directly connected networks. NO crc errors on link flap/ interface
resets!!

Very confused

-Original Message-
From: Phil Barker [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2001 12:45
To: [EMAIL PROTECTED]
Subject: Re: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12778]


Andrew,
 From what you say your remote end is working fine
both in Tx and Rx and your Tx is working fine since
remote end sees your cdp. Your Rx appears to be the
problem. Have you tried swapping out your local Serial
cable ? What about 'sh int serial xxx' to check your
pins ? DCD RTS etc.

regards,

Phil.
--- Andrew Larkins wrote:
> HI all, 
> 
> Strange problem here.
> 
> The serial interface are UP UP on both sides, but we
> are not able to ping
> each other  - even though directly connected. A
> "debug ip ICMP" on the
> remote site shows the ping coming through and
> replying, but the reply never
> gets back.
> Also the remote site saw my router using CDP, but I
> do not see him.
> 
> Any ideas??
> 
> I believe this is Telco related, but the line shows
> clean from the interface
> stats
> 
> Andrew
[EMAIL PROTECTED] 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12789&t=12789



RE: WAN link funnies - UP UP but no comms- on same subnet!!! [7:12792]

2001-07-18 Thread Farhan Ahmed

send me  show controllers

-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 4:01 PM
To: [EMAIL PROTECTED]
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12785]


The interface resets are from when we moved the config to other ports to
rule out physical issues

First side
Serial3/0 is up, line protocol is up 
  Hardware is CD2430 in sync mode
  Description: 
  Internet address is 10.99.253.17/30
  MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: priority-list 1
  Output queue (queue priority: size/max/drops):
 high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
  5 minute input rate 25000 bits/sec, 60 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 1073220 packets input, 61641174 bytes, 0 no buffer
 Received 1911 broadcasts, 0 runts, 0 giants, 0 throttles
 2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
 9220 packets output, 906798 bytes, 0 underruns
 0 output errors, 0 collisions, 4 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Remote side:
Serial1/0 is up, line protocol is up 
  Hardware is CD2430 in sync mode
  Description: xxx 
  Internet address is 10.99.253.18/30
  MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters 00:00:02
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: priority-list 1
  Output queue (queue priority: size/max/drops):
 high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 1 packets input, 56 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 1 packets output, 56 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2001 13:24
To: 'Andrew Larkins'
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12780]


send me the sh int

-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12780]


the very weird thing here is that RTS DTS etc are all up both devices are
on a /30 subnet no problems here. I do not need any routing because these
are directly connected networks. NO crc errors on link flap/ interface
resets!!

Very confused

-Original Message-
From: Phil Barker [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2001 12:45
To: [EMAIL PROTECTED]
Subject: Re: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12778]


Andrew,
 From what you say your remote end is working fine
both in Tx and Rx and your Tx is working fine since
remote end sees your cdp. Your Rx appears to be the
problem. Have you tried swapping out your local Serial
cable ? What about 'sh int serial xxx' to check your
pins ? DCD RTS etc.

regards,

Phil.
 --- Andrew Larkins wrote:
> HI all,
> 
> Strange problem here.
> 
> The serial interface are UP UP on both sides, but we
> are not able to ping
> each other  - even though directly connected. A
> "debug ip ICMP" on the
> remote site shows the ping coming through and
> replying, but the reply never
> gets back.
> Also the remote site saw my router using CDP, but I
> do not see him.
> 
> Any ideas??
> 
> I believe this is Telco related, but the line shows
> clean from the interface
> stats
> 
> Andrew
[EMAIL PROTECTED] 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12792&t=12792



RE: WAN link funnies - UP UP but no comms- on same subnet!!! [7:12797]

2001-07-18 Thread Farhan Ahmed

also send me 
debug serial interface---Verifies whether HDLC keepalive packets are
incrementing. If they are not, a possible timing problem exists on the
interface card or in the network.



-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 4:01 PM
To: [EMAIL PROTECTED]
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12785]


The interface resets are from when we moved the config to other ports to
rule out physical issues

First side
Serial3/0 is up, line protocol is up 
  Hardware is CD2430 in sync mode
  Description: 
  Internet address is 10.99.253.17/30
  MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: priority-list 1
  Output queue (queue priority: size/max/drops):
 high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
  5 minute input rate 25000 bits/sec, 60 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 1073220 packets input, 61641174 bytes, 0 no buffer
 Received 1911 broadcasts, 0 runts, 0 giants, 0 throttles
 2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
 9220 packets output, 906798 bytes, 0 underruns
 0 output errors, 0 collisions, 4 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

Remote side:
Serial1/0 is up, line protocol is up 
  Hardware is CD2430 in sync mode
  Description: xxx 
  Internet address is 10.99.253.18/30
  MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters 00:00:02
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: priority-list 1
  Output queue (queue priority: size/max/drops):
 high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 1 packets input, 56 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
 1 packets output, 56 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2001 13:24
To: 'Andrew Larkins'
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12780]


send me the sh int

-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 3:17 PM
To: [EMAIL PROTECTED]
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12780]


the very weird thing here is that RTS DTS etc are all up both devices are
on a /30 subnet no problems here. I do not need any routing because these
are directly connected networks. NO crc errors on link flap/ interface
resets!!

Very confused

-Original Message-
From: Phil Barker [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2001 12:45
To: [EMAIL PROTECTED]
Subject: Re: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12778]


Andrew,
 From what you say your remote end is working fine
both in Tx and Rx and your Tx is working fine since
remote end sees your cdp. Your Rx appears to be the
problem. Have you tried swapping out your local Serial
cable ? What about 'sh int serial xxx' to check your
pins ? DCD RTS etc.

regards,

Phil.
 --- Andrew Larkins wrote:
> HI all,
> 
> Strange problem here.
> 
> The serial interface are UP UP on both sides, but we
> are not able to ping
> each other  - even though directly connected. A
> "debug ip ICMP" on the
> remote site shows the ping coming through and
> replying, but the reply never
> gets back.
> Also the remote site saw my router using CDP, but I
> do not see him.
> 
> Any ideas??
> 
> I believe this is Telco related, but the line shows
> clean from the interface
> stats
> 
> Andrew
[EMAIL PROTECTED] 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12797&t=12797



RE: WAN link funnies - UP UP but no comms- on same subnet!!! [7:12801]

2001-07-18 Thread Farhan Ahmed

why don't u remove all your config and try from the beginning
or send ur complete config
or send the debugs at least

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 4:51 PM
To: [EMAIL PROTECTED]
Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
[7:12798]


are compression settings the same both ends?

---
> only in relation to priority queues
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 18 July 2001 16:00
> To: Andrew Larkins
> Cc: [EMAIL PROTECTED]
> Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
> [7:12788]
> 
> 
> Do yo have any ACL's in place?
> 
> ---
> > All have IP classless and are using HDLC
> > 
> > -Original Message-
> > From: Eric Hoffman [mailto:[EMAIL PROTECTED]]
> > Sent: 18 July 2001 13:53
> > To: 'Andrew Larkins'
> > Cc: '[EMAIL PROTECTED]'
> > Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
> > [7:12780]
> > 
> > 
> > 
> > What version of ios are you running?
> > 
> > If you are running some flavor of 11, check to make sure you have the ip
> > classless on both routers.
> > 
> > 
> > 
> > -Original Message-
> > From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, July 18, 2001 7:17 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
> > [7:12780]
> > 
> > 
> > the very weird thing here is that RTS DTS etc are all up both devices are
> > on a /30 subnet no problems here. I do not need any routing because these
> > are directly connected networks. NO crc errors on link flap/ interface
> > resets!!
> > 
> > Very confused
> > 
> > -Original Message-
> > From: Phil Barker [mailto:[EMAIL PROTECTED]]
> > Sent: 18 July 2001 12:45
> > To: [EMAIL PROTECTED]
> > Subject: Re: WAN link funnies - UP UP but no comms- on same subnet!!!
> > [7:12778]
> > 
> > 
> > Andrew,
> >  From what you say your remote end is working fine
> > both in Tx and Rx and your Tx is working fine since
> > remote end sees your cdp. Your Rx appears to be the
> > problem. Have you tried swapping out your local Serial
> > cable ? What about 'sh int serial xxx' to check your
> > pins ? DCD RTS etc.
> > 
> > regards,
> > 
> > Phil.
> >  --- Andrew Larkins wrote:
> > > HI all,
> > > 
> > > Strange problem here.
> > > 
> > > The serial interface are UP UP on both sides, but we
> > > are not able to ping
> > > each other  - even though directly connected. A
> > > "debug ip ICMP" on the
> > > remote site shows the ping coming through and
> > > replying, but the reply never
> > > gets back.
> > > Also the remote site saw my router using CDP, but I
> > > do not see him.
> > > 
> > > Any ideas??
> > > 
> > > I believe this is Telco related, but the line shows
> > > clean from the interface
> > > stats
> > > 
> > > Andrew
> > [EMAIL PROTECTED] 
> > 
> > 
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12801&t=12801



RE: WAN link funnies - UP UP but no comms- on same subnet!!! [7:12807]

2001-07-18 Thread Farhan Ahmed
e subnet!!! [7:1 
>2785]
>Date: Wed, 18 Jul 2001 14:27:24 +0200
>
>Lease line
>
>-Original Message-
>From: Robert Nelson-Cox [mailto:[EMAIL PROTECTED]]
>Sent: 18 July 2001 14:23
>To: [EMAIL PROTECTED]
>Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
>[7:12785]
>
>
>Is this across a leased circuit, or x-over cable?
>
>If leased circuit, then you A and B end may not be joined.
>
>Rob./
>
>
> >From: "Andrew Larkins" 
> >Reply-To: "Andrew Larkins" 
> >To: [EMAIL PROTECTED]
> >Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
> >[7:12785]
> >Date: Wed, 18 Jul 2001 08:01:08 -0400
> >
> >The interface resets are from when we moved the config to other ports to
> >rule out physical issues
> >
> >First side
> >Serial3/0 is up, line protocol is up
> >   Hardware is CD2430 in sync mode
> >   Description: 
> >   Internet address is 10.99.253.17/30
> >   MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
> >   Encapsulation HDLC, loopback not set, keepalive set (10 sec)
> >   Last input 00:00:00, output 00:00:00, output hang never
> >   Last clearing of "show interface" counters never
> >   Input queue: 0/75/0 (size/max/drops); Total output drops: 0
> >   Queueing strategy: priority-list 1
> >   Output queue (queue priority: size/max/drops):
> >  high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
> >   5 minute input rate 25000 bits/sec, 60 packets/sec
> >   5 minute output rate 0 bits/sec, 0 packets/sec
> >  1073220 packets input, 61641174 bytes, 0 no buffer
> >  Received 1911 broadcasts, 0 runts, 0 giants, 0 throttles
> >  2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort
> >  9220 packets output, 906798 bytes, 0 underruns
> >  0 output errors, 0 collisions, 4 interface resets
> >  0 output buffer failures, 0 output buffers swapped out
> >  0 carrier transitions
> >  DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
> >
> >Remote side:
> >Serial1/0 is up, line protocol is up
> >   Hardware is CD2430 in sync mode
> >   Description: xxx
> >   Internet address is 10.99.253.18/30
> >   MTU 1500 bytes, BW 128 Kbit, DLY 2 usec, rely 255/255, load 1/255
> >   Encapsulation HDLC, loopback not set, keepalive set (10 sec)
> >   Last input 00:00:02, output 00:00:02, output hang never
> >   Last clearing of "show interface" counters 00:00:02
> >   Input queue: 0/75/0 (size/max/drops); Total output drops: 0
> >   Queueing strategy: priority-list 1
> >   Output queue (queue priority: size/max/drops):
> >  high: 0/20/0, medium: 0/40/0, normal: 0/60/0, low: 0/80/0
> >   5 minute input rate 0 bits/sec, 0 packets/sec
> >   5 minute output rate 0 bits/sec, 0 packets/sec
> >  1 packets input, 56 bytes, 0 no buffer
> >  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
> >  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
> >  1 packets output, 56 bytes, 0 underruns
> >  0 output errors, 0 collisions, 0 interface resets
> >  0 output buffer failures, 0 output buffers swapped out
> >  0 carrier transitions
> >  DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
> >
> >-Original Message-
> >From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
> >Sent: 18 July 2001 13:24
> >To: 'Andrew Larkins'
> >Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
> >[7:12780]
> >
> >
> >send me the sh int
> >
> >-Original Message-
> >From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, July 18, 2001 3:17 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: WAN link funnies - UP UP but no comms- on same subnet!!!
> >[7:12780]
> >
> >
> >the very weird thing here is that RTS DTS etc are all up both devices are
> >on a /30 subnet no problems here. I do not need any routing because these
> >are directly connected networks. NO crc errors on link flap/ interface
> >resets!!
> >
> >Very confused
> >
> >-Original Message-
> >From: Phil Barker [mailto:[EMAIL PROTECTED]]
> >Sent: 18 July 2001 12:45
> >To: [EMAIL PROTECTED]
> >Subject: Re: WAN link funnies - UP UP but no comms- on same subnet!!!
> >[7:12778]
> >
> >
> >Andrew,
> >  From what you say your remote end is working fine
> >both in Tx and Rx and your Tx is working fine since
> >remote end sees your cdp. Your 

RE: BRI state [7:12802]

2001-07-18 Thread Farhan Ahmed

Spid Status 
TEI 109, ces = 1, state = 8(established) 
 Terminal Endpoint Identifier (TEI) number and state. Valid dynamic TEI
assignment range is 64-126. 

The most common state values are:
state = 1(terminal down) 
state = 3(await establishment) 
state = 5(init)
state = 6(not initialized)
state = 8(established) 

Only states 5(init) and 8(established) indicate a working BRI circuit. The
other states mean the circuit is not properly established.

 
-Original Message-
From: SH Wesson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 5:18 PM
To: [EMAIL PROTECTED]
Subject: BRI state [7:12802]


I have a question regarding BRI state.  The following is a capture of my 
"show isdn status":

ISDN BRI4/0 interface
dsl 24, interface ISDN Switchtype = basic-ni
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 88, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 97, Ces = 2, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
TEI 88, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 0, tid = 1
TEI 97, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 valid
Endpoint ID Info: epsf = 0, usid = 1, tid = 1
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 24 CCBs = 0
The Free Channel Mask:  0x8003

Notice that a few lines down the "state = 5(init)" and it's also in the same
state for the other channel.  Doesn't that have to be in a "established" 
state to use the line.  I know that Cisco docs say that if the state is a 
"init" or "established" that the line is good.  I know that it's good, but 
can't dial out for some reason and wanted to know if that was it and what 
the exact meaning of the init state is and if there's a way to bring it to 
an established state.  Doing a clear int bri4/0 didn't do it either.  Any 
suggestions will be appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12808&t=12802
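
A way to apply the state rule from the reply above to captured `show isdn status` output, as an added example that is not part of the original posts. The two samples are constructed from the captures quoted in this thread; treating a "NOT valid" SPID as a failure is an assumption taken from the SPID discussion in the "Error in configuring ISDN" thread.

```python
import re
from typing import List, NamedTuple, Optional

# States the reply above names as indicating a working BRI circuit.
WORKING_STATES = {5, 8}

# Matches "TEI 88, ces = 1, state = 5(init)" and the "TEI Not Assigned" form,
# but not the Layer 2 line "TEI = 88, Ces = 1, SAPI = 0, State = ...".
TEI_RE = re.compile(
    r"TEI (?P<tei>\d+|Not Assigned), ces = (?P<ces>\d+), "
    r"state = (?P<num>\d+)\((?P<name>[^)]*)\)"
)
# Matches "spid1 configured, [no LDN, ]spid1 [NOT ]sent, spid1 [NOT ]valid".
SPID_RE = re.compile(
    r"spid(?P<n>\d) configured, (?:no LDN, )?"
    r"spid(?P=n) (?P<nsent>NOT )?sent, spid(?P=n) (?P<nvalid>NOT )?valid"
)


class Endpoint(NamedTuple):
    ces: int
    tei: Optional[int]          # None when the switch has not assigned a TEI
    state: int
    state_name: str
    spid_sent: Optional[bool]   # None when no SPID line follows the TEI line
    spid_valid: Optional[bool]

    @property
    def usable(self) -> bool:
        # Working state per the reply above, and the SPID was not rejected.
        return self.state in WORKING_STATES and self.spid_valid is not False


def parse_isdn_status(text: str) -> List[Endpoint]:
    """Collect one Endpoint per 'TEI ..., ces = N, state = X(name)' line."""
    endpoints, pending = [], None
    for line in text.splitlines():
        m = TEI_RE.search(line)
        if m:
            if pending:
                endpoints.append(Endpoint(**pending))
            tei = None if m["tei"] == "Not Assigned" else int(m["tei"])
            pending = dict(ces=int(m["ces"]), tei=tei, state=int(m["num"]),
                           state_name=m["name"], spid_sent=None, spid_valid=None)
            continue
        m = SPID_RE.search(line)
        if m and pending:
            pending["spid_sent"] = m["nsent"] is None
            pending["spid_valid"] = m["nvalid"] is None
    if pending:
        endpoints.append(Endpoint(**pending))
    return endpoints


def problems(text: str) -> List[str]:
    """Human-readable findings for every endpoint that is not usable."""
    out = []
    for ep in parse_isdn_status(text):
        if ep.state not in WORKING_STATES:
            out.append(f"ces {ep.ces}: state {ep.state}({ep.state_name}) is not 5 or 8")
        elif ep.spid_valid is False:
            out.append(f"ces {ep.ces}: state is fine but the SPID is NOT valid")
    return out


# Constructed sample: the capture from the "BRI state" question.
SAMPLE_INIT = """\
Layer 2 Status:
TEI = 88, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 97, Ces = 2, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
TEI 88, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
TEI 97, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 valid
"""

# Constructed sample: the capture quoted in the "Error in configuring ISDN" thread.
SAMPLE_SPID_REJECTED = """\
Layer 2 Status:
 TEI = 80, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
 TEI 80, ces = 1, state = 8(established)
 spid1 configured, no LDN, spid1 NOT sent, spid1 NOT valid
 TEI Not Assigned, ces = 2, state = 1(terminal down)
 spid2 configured, no LDN, spid2 NOT sent, spid2 NOT valid
"""

if __name__ == "__main__":
    for name, sample in (("init", SAMPLE_INIT), ("spid rejected", SAMPLE_SPID_REJECTED)):
        print(name, problems(sample) or "all endpoints usable")
```
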



RE: BRI state [7:12802]

2001-07-18 Thread Farhan Ahmed

what u cannot dial u are already connected?
can u send the config

-Original Message-
From: SH Wesson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 5:18 PM
To: [EMAIL PROTECTED]
Subject: BRI state [7:12802]


I have a question regarding BRI state.  The following is a capture of my 
"show isdn status":

ISDN BRI4/0 interface
dsl 24, interface ISDN Switchtype = basic-ni
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 88, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
TEI = 97, Ces = 2, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
TEI 88, ces = 1, state = 5(init)
spid1 configured, spid1 sent, spid1 valid
Endpoint ID Info: epsf = 0, usid = 0, tid = 1
TEI 97, ces = 2, state = 5(init)
spid2 configured, spid2 sent, spid2 valid
Endpoint ID Info: epsf = 0, usid = 1, tid = 1
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 24 CCBs = 0
The Free Channel Mask:  0x8003

Notice that a few lines down the "state = 5(init)" and it's also in the same
state for the other channel.  Doesn't that have to be in a "established" 
state to use the line.  I know that Cisco docs say that if the state is a 
"init" or "established" that the line is good.  I know that it's good, but 
can't dial out for some reason and wanted to know if that was it and what 
the exact meaning of the init state is and if there's a way to bring it to 
an established state.  Doing a clear int bri4/0 didn't do it either.  Any 
suggestions will be appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12809&t=12802



RE: Meet Your New CCIE Proctor (was RE: CCIE Lab Remote) [7:12811]

2001-07-18 Thread Farhan Ahmed

i checked the last 2 candidates
CCIE Verification Tool 
No, I'm sorry, Dave Mack is not CCIE number 6963. To receive a positive
verification, you will need to enter in the CCIE's name exactly as it is in
the CCIE database. For example, if the CCIE's first name is Dan, you may
also want to try Daniel. Since there is a possibility that we have a
different spelling of the person's  

-Original Message-
From: Brian Dennis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 5:32 PM
To: [EMAIL PROTECTED]
Subject: Meet Your New CCIE Proctor (was RE: CCIE Lab Remote) [7:12803]


I heard it directly and indirectly from sources at Cisco that they were
looking into Sylvan as a testing provider. Sylvan wouldn't actually own the
equipment or employ CCIEs, they would just provide the testing facilities.
The equipment would still be located at Cisco and administrated by Cisco.
Also I know that the beta of the one-day lab was offered to people remote.
Not from Sylvan but from any Cisco sales office.

Do you want to meet your new proctor? Click on the link below.

http://www.mentortech.com/learn/ccie_assessor.shtml

Let me say that this technology looks totally impressive. It looks to be a
great product but do I think I want something like this to replace the
proctor? No.

I truly hope that I'm totally incorrect and this isn't the direction that
Cisco is going.

Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
5G Networks, Inc.
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
EA Louie
Sent: Wednesday, July 18, 2001 12:21 AM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Lab Remote (was RE: Current Wait time on the lab)
[7:12770]


Is there any evidence to support this possibility?  The reason I ask is that
the proctors have a very important role in the lab exam as it sits today,
and I don't see how that role could be diminished.

Hmmm...as a CCIE, if there were Sylvan remote lab testing, and lab proctors
had to be CCIE's, that would fill the gap in the CCIE
unemployment...interesting tactic...

But I doubt it will ever happen.  Too much reputation at stake for Cisco to
give up that much control over that coveted certification.

-e-

- Original Message -
From: Brian Dennis
To:
Sent: Tuesday, July 17, 2001 6:53 PM
Subject: CCIE Lab Remote (was RE: Current Wait time on the lab) [7:12746]


> Greg,
> It won't matter if there isn't a waiting list if the CCIE certification has
> lost its value. The one-day lab is the first step to start running the lab
> remote from testing centers like Sylvan. I don't think that you want to be
> known as a "Sylvan CCIE" do you?
>
> Brian Dennis, CCIE #2210 (R&S)(ISP/Dial) CCSI #98640
> 5G Networks, Inc.
> [EMAIL PROTECTED]
>
> Here is an excerpt from an e-mail I sent on the ccielab mailing list today:
>
> I think that we all know that someone could make an extremely hard one day
> lab that fails 99% of the candidates but that isn't the issue. There are a
> couple issues with remote labs and the shortening of the waiting list. One
> issue is that with the short waiting list people are going to be able to
> take the lab over and over again enabling the CCIE lab exams to become
> common knowledge just like the CCIE written is today. It'll be simpler for
> someone to just take the lab over and over again than it would to actually
> study. Cisco needs to put safeguards in that don't allow people take the
> test too often to solve this problem and I don't mean a weak solution like
> the 20 points on day one. I bet the average CCNP could get 20 points on day
> one.
>
> Having a long waiting list enables candidates to prepare and study for the
> lab and is part of the becoming a CCIE. Becoming a CCIE isn't something that
> you do overnight and should not be able to attempt every 30 days.
>
> Another issue is the problem with Sylvan testing centers that don't enforce
> Sylvan's policies and Sylvan centers that aren't on the up-and-up. This
> problem speaks for itself.
>
>
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Greg Macaulay
> Sent: Tuesday, July 17, 2001 6:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Current Wait time on the lab [7:12713]
>
>
> Chuck ---
> Do you really think the CCIE is finished?? I hope you are wrong! We've all
> invested so many hundreds of hours of blood, sweat, tears and Money to get
> to this point!!  I read Cisco's explanation today -- and hopefully their new
> lab will simply economize on time -- not on expertise.  Say a prayer!
>
> Greg Macaulay
> Oldest CCNP/CCDP on Earth
> Lifetime Member of AARP
> Retired Attorney/Law Professor
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Chuck Larrieu
> Sent: Tuesday, July 17, 2001 8:52 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Current Wait time on the lab [7:12713]
>
>
> I'm willing to part with my December 3 date for a nominal fee.
>
> Chuc

RE: Error in configuring ISDN [7:12611]

2001-07-18 Thread Farhan Ahmed

use this config
your isdn state states that u r connected ur doing some wrong config in the
dialer list and nat
use this and let me know
!
ip subnet-zero
no ip domain-lookup
ip routing
!
interface Dialer 1
 description connected to Internet
 ip address negotiated
 ip nat outside
 no ip split-horizon
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 120
 dialer string 
 dialer hold-queue 10
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname a
 ppp chap password aa
 ppp pap sent-username a password aa
 no ppp multilink
 no cdp enable
!
interface FastEthernet 0/0
 no description
 no ip address
 ip nat inside
 shutdown
!
interface Serial 0/0
 no description
 no ip address
 ip nat inside
 shutdown
!
interface BRI 0/0
 no shutdown
 description connected to Internet
 no ip address
 ip nat outside
 dialer rotary-group 1
!
!
! Dialer Control List 1
!

dialer-list 1 protocol ip permit
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat inside source list 1 interface Dialer 1 overload
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Dialer 


-Original Message-
From: Technosys [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 6:02 PM
To: Farhan Ahmed
Subject: Re: Error in configuring ISDN [7:12611]


Hi Farhan ,
Enclosed please find the details of the current config parameters which
I have set up on my Cisco 2620 router , I am still facing the same problem
of disconnection , I am sending you the file of debugs , please guide me
what I should do .
thanking you ,
Navin K Parwal



*/
  Who dares to teach must never cease to learn

   * /

- Original Message -
From: "Farhan Ahmed" 
To: 
Sent: Wednesday, July 18, 2001 12:49 AM
Subject: FW: Error in configuring ISDN [7:12611]


> is it solved?
> can u send
>
>  debug isdn q921
>  debug isdn event and the debug isdn q931
> -Original Message-
> From: Danner, John (ZoomTown) [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 10:14 PM
> To: 'Farhan Ahmed'
> Subject: RE: Error in configuring ISDN [7:12611]
>
>
> While I would agree that a basic-net3 switch doesn't need a SPID a basic-ni
> does
> and that is the switch type he has configured on his BRI0/0 interface:
> notice:
> ISDN BRI0/0 interface
>  dsl 0, interface ISDN Switchtype = basic-ni
> Layer 1 Status:
>  ACTIVE
> Layer 2 Status:
>  TEI = 80, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
>  I_Queue_Len 0, UI_Queue_Len 0
>  TEI 80, ces = 1, state = 8(established)
>  spid1 configured, no LDN, spid1 NOT sent, spid1 NOT valid
>  TEI Not Assigned, ces = 2, state = 1(terminal down)
>  spid2 configured, no LDN, spid2 NOT sent, spid2 NOT valid
>
> This is where he is getting his error. It may be a matter of him removing
> that part of the configuration.
>
> -John
>
>
> -Original Message-
> From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 11:13 AM
> To: 'Danner, John (ZoomTown)'; [EMAIL PROTECTED]
> Subject: RE: Error in configuring ISDN [7:12611]
>
>
> first of all in basic net3 u don't need spids
> and the second u don't have a ip assigned to your bri neither you are using
> easy ip there is no dialer as well
>
> what happen to u guys
>
> -Original Message-
> From: Danner, John (ZoomTown) [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 6:37 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Error in configuring ISDN [7:12611]
>
>
> The spids are definitely wrong:
> From debug:
> 07:14:249108103167:  Null Spid: 0
>
> From config:
> isdn spid1 0
> isdn spid2 0
>
> Is this in a lab setting with a isdn simulator or with a transport from the
> phone company?
> If it's with the phone company you need to put the spids the phone company
> gave you into the configuration or you won't be able to dial correctly.
>
> If it's in a lab - I don't know. :(
>
> -John
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Hire, Ejay
> Sent: Tuesday, July 17, 2001 10:03 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Error in configuring ISDN [7:12611]
>
>
> I may be way off, but I think your spids are wrong.  Call the Phone company
> and ask them what your spids are supposed to be.
>
> > TEI 80, ces = 1, state = 8(established)
> > spid1 configured, no LDN, spid1 NOT sent, spid1 NOT valid
> > TEI Not Assigned, ces = 2, state = 1(terminal down)
> > spid2 configured, no LDN, spid2 NOT sent, spid2 NO

RE: Ports with PIX Firewall [7:12625]

2001-07-18 Thread Farhan Ahmed

sorry just a copy paste mistake


> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq ftp
> access-list acl_in deny tcp any any
> access-list acl_in deny udp any any
> access-group acl_in in interface inside

-Original Message-
From: MikeN [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 18, 2001 8:16 PM
To: [EMAIL PROTECTED]
Subject: Re: Ports with PIX Firewall [7:12625]


It is my understanding that the PIX parses an ACL from top to
bottom..the same as a router does. First match wins. Conduits looks at
the entire list and then chooses the best match. Based on this, the ACL
listed below will deny all TCP and UDP packets and therefore never even get
to the permit statements.

I would be very interested in hearing how this ACL works.

Thank you,
MikeN

"Farhan Ahmed" wrote in message news:[EMAIL PROTECTED]...
> just put
>
> access-list acl_in deny tcp any any
> access-list acl_in deny udp any any
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq www
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq smtp
> access-list acl_in permit tcp 172.100.0.1 255.255.0.0 any eq ftp
> access-group acl_in in interface inside
>
> let me know
>
> Building configuration...
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
>
> enable password 2KFQnbNIdI.2KYOU encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
>
>
>
> access-list ping_acl permit icmp any any
> access-list ping_acl permit tcp any any eq www
> access-list ping_acl permit tcp any any
> access-list ping_acl permit udp any any
> access-list acl_out permit icmp any any
> access-list acl_out permit tcp any any eq www
> access-list acl_out permit tcp any any
> access-list acl_out permit udp any any
>
>
> pager lines 24
>
> interface ethernet0 100basetx
> interface ethernet1 100basetx
>
> mtu outside 1500
> mtu inside 1500
> mtu ndtv 1500
> ip address outside 172.110.0.2 255.255.0.0
> ip address inside 172.100.0.1 255.255.0.0
>
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
>
> pdm history enable
> arp timeout 600
> global (outside) 1 202.196.214.40-202.196.214.45 netmask 255.255.255.224
> global (outside) 1 202.196.214.46
>
> nat (inside) 1 172.100.0.0 255.255.0.0 0 0
>
> access-group acl_out in interface outside
> access-group ping_acl in interface inside
>
> route outside 0.0.0.0 0.0.0.0 172.110.0.1 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
> 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> no floodguard enable
> no sysopt route dnat
>
> telnet 172.100.0.0 255.255.0.0 inside
> telnet 172.120.0.0 255.255.0.0 inside
>
> telnet timeout 5
> ssh timeout 5
> terminal width 80
>  Cryptochecksum:b27e96cd58b6c27b71ff163898579460
> [OK]
>  pixfirewall#
> >  -Original Message-
> > From: Support [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 17, 2001 2:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: Ports with PIX Firewall
> >
> > Dear Farhan,
> >
> > This is my configuration.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12835&t=12625
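An added example, not part of the original posts: a small Python audit of the ACL, SNMP and Telnet lines from the PIX configuration quoted above. The finding names and the `parse`/`audit` helpers are hypothetical, and the embedded config is a constructed excerpt of the quoted lines.

```python
import re

# Constructed excerpt: the ACL, SNMP and Telnet lines of the quoted PIX config.
PIX_CONFIG = """\
access-list ping_acl permit icmp any any
access-list ping_acl permit tcp any any eq www
access-list ping_acl permit tcp any any
access-list ping_acl permit udp any any
access-list acl_out permit icmp any any
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any
access-list acl_out permit udp any any
access-group acl_out in interface outside
access-group ping_acl in interface inside
snmp-server community public
telnet 172.100.0.0 255.255.0.0 inside
telnet 172.120.0.0 255.255.0.0 inside
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
TELNET_RE = re.compile(r"^telnet \d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+ \S+$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")


def parse(config):
    """Split a config into ACL entries, interface bindings and remaining lines."""
    acls, bindings, other = {}, {}, []
    for raw in config.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted lines
        if not line:
            continue
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append((action, proto, rest.split()))
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)  # interface -> ACL name
            continue
        other.append(line)
    return acls, bindings, other


def audit(config, untrusted="outside"):
    """Return (interface, finding, config line) tuples.

    Only the simple "any any [eq port]" rule form used in this config is
    modelled. The audit reports what the ACL would allow; on a PIX an inbound
    connection also needs a matching translation before it reaches a host.
    """
    acls, bindings, other = parse(config)
    findings = []
    for iface, name in sorted(bindings.items()):
        rules = acls.get(name, [])
        no_deny = all(action == "permit" for action, _, _ in rules)
        # Protocols permitted from any source to any destination on all ports.
        wide = {p for a, p, t in rules if a == "permit" and t == ["any", "any"]}
        for action, proto, tokens in rules:
            text = f"access-list {name} {action} {proto} {' '.join(tokens)}"
            if action != "permit" or tokens[:2] != ["any", "any"]:
                continue
            if len(tokens) == 2:
                # Unrestricted permit on the ACL bound to the untrusted side.
                if iface == untrusted:
                    findings.append((iface, "PERMIT_ANY_ANY", text))
            elif proto in wide and no_deny:
                # A port-specific permit adds nothing once the whole protocol
                # is permitted in a list that has no deny entries.
                findings.append((iface, "REDUNDANT_RULE", text))
    for line in other:
        m = SNMP_RE.match(line)
        if m and m.group(1) in ("public", "private"):
            findings.append(("-", "DEFAULT_SNMP_COMMUNITY", line))
        elif TELNET_RE.match(line):
            findings.append(("-", "TELNET_MGMT", line))  # cleartext management
    return findings


if __name__ == "__main__":
    for iface, code, line in audit(PIX_CONFIG):
        print(f"{iface:8} {code:24} {line}")
```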



network design [7:12918]

2001-07-18 Thread Farhan Ahmed

any thoughts welcome

we have a lan including proxy server and database server
there are two depts in the lan, one public and one private, there is no vlan
and not supported on switch
the public department connect to the internet via proxy server which has an
accounting software connection to the database server ON GIGABIT in the
private lan that logs all the timings for internet for billing purpose

the company wants to put a PIX but want to keep the gigabit connection




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12918&t=12918



network design (updated) [7:12921]

2001-07-19 Thread Farhan Ahmed

any thoughts welcome

we have a lan including proxy server and database server
there are two depts in the lan, one public and one private, there is no vlan
and not supported on switch
the public department connect to the internet via proxy server which has an
accounting software connection to the database server ON GIGABIT AND WANT TO
SEPARATE PUBLIC AND PRIVATE LAN , PROXY SERVER SHOULD ONLY ALLOWED TO TALK
TO DATABASE SERVER AND NO OTHER PC in the private lan that logs all the
timings for internet for billing purpose

the company wants to put a PIX but want to keep the gigabit connection




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12921&t=12921



RE: Remote Access [7:12958]

2001-07-19 Thread Farhan Ahmed

sorry but i couldn't understand
do u want from the notebook to ping hosts
if this is the case
there is a command
router(config)#async-bootp dns-server
to pass the dns server to dial up clients

Best Regards

Have A Good Day!!

Farhan Ahmed
   MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.



-Original Message-
From: JR Van Noy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 7:58 PM
To: [EMAIL PROTECTED]
Subject: Remote Access [7:12958]


I have a 3640 set up with async dial in for remote users.  The laptops
must be configured to append domain suffixes in order to resolve host
names.  

Is it possible to have this information sent from the router?  I do have
the ip domain-list/name commands configured, but can I  set this for the
async-group, and pass it down when a user connects and receives ip
information?

thanks for your help,

JR





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12960&t=12958



RE: Remote Access [7:12958]

2001-07-19 Thread Farhan Ahmed

which dns server are u using

-Original Message-
From: JR Van Noy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 8:28 PM
To: [EMAIL PROTECTED]
Subject: Re: Remote Access [7:12958]


Sorry for not making it that clear.

Once I connect I can ping by machine name but only if it is fully
qualified.  I thought that the domain-list command would enter the DNS
suffix into the adapter, but it's not.  We are taking care of this now by
just manually entering the DNS suffix in the connection properties.

I tried the async commands but nothing has changed.

JR

Farhan Ahmed wrote:
> 
> sorry but i couldn't understand
> do u want from the notebook to ping hosts
> if this is the case
> there is a command
> router(config)#async-bootp dns-server
> to pass the dns server to dial up clients
> 
> Best Regards
> 
> Have A Good Day!!
> 
> Farhan Ahmed
>    MCSE+I, MCP Win2k, CCDA, CCNA, CSE
> Network Engineer
> Mideast Data Systems Abudhabi Uae.
> 
> -Original Message-
> From: JR Van Noy [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 7:58 PM
> To: [EMAIL PROTECTED]
> Subject: Remote Access [7:12958]
> 
> I have a 3640 set up with async dial in for remote users.  The laptops
> must be configured to append domain suffixes in order to resolve host
> names.
> 
> Is it possible to have this information sent from the router?  I do have
> the ip domain-list/name commands configured, but can I  set this for the
> async-group, and pass it down when a user connects and receives ip
> information?
> 
> thanks for your help,
> 
> JR
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12966&t=12958



RE: Remote Access [7:12958]

2001-07-19 Thread Farhan Ahmed

yes u just need a 
async-bootp dns-server
command followed by yr dns srv ip
and u are done
and remove the dns suffix from client as well

Best Regards

Have A Good Day!!

Farhan Ahmed
   MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.


-Original Message-
From: JR Van Noy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Remote Access [7:12958]


The clients are getting assigned from a local pool using ppp...They are
authenticated against a securid server using tacacs+.  Once they are
authenticated we have them type ppp default at the router prompt to
finish the connection.  Below is the config with my ip info omitted.

Thanks for everyone's help,

JR

ip domain-list *
ip domain-list *
ip domain-name *
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
ip address-pool local

ip local pool local 'range'

interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer idle-timeout 900
 dialer wait-for-carrier-time 60
 dialer-group 1
 async dynamic address
 async dynamic routing
 async mode interactive
 no snmp trap link-status
 peer default ip address pool local
 no fair-queue
 group-range 1 24

line 2 24
 exec-timeout 30 0
 logout-warning 120
 script dialer cisco-default
 accounting connection test
 login authentication async-tacacs+
 modem Dialin
 modem autoconfigure discovery
 terminal-type vt100


"Hire, Ejay" wrote:
> 
> It is possible to do this, depending on how your clients are getting the Ip
> addresses.  From your statements I assume the access server is handing them
> out via PPP, but where is the router getting the IP's?  From a local pool
> (most likely), a radius server, a local DHCP server, or ?
> 
> Additionally, can you post or e-mail me a copy of your config.
> 
> -Original Message-
> From: JR Van Noy [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Remote Access [7:12958]
> 
> I have a 3640 set up with async dial in for remote users.  The laptops
> must be configured to append domain suffixes in order to resolve host
> names.
> 
> Is it possible to have this information sent from the router?  I do have
> the ip domain-list/name commands configured, but can I  set this for the
> async-group, and pass it down when a user connects and receives ip
> information?
> 
> thanks for your help,
> 
> JR





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12981&t=12958



RE: Latency on ATM interface - Any ideas [7:12978]

2001-07-19 Thread Farhan Ahmed

can u send sh int output
uncleared and after clearing counters...

-Original Message-
From: Eric Mwambaji [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:51 PM
To: [EMAIL PROTECTED]
Subject: Latency on ATM interface - Any ideas [7:12978]


I experience intermittent increased latency on
extended pings from a 3662 to another 3662 router
across my lab WAN. The ping starts off with replies
at 32 ms but once in a while the reply goes over
600ms. ie the replies are not constant. Removing
the vbr-nrt from my config results in faster replies
between 1 and 2 ms but again every 13th or so reply is
10ms. Does any one know what may be causing this??? My
config is as follows


Router A:

interface ATM3/0
 no ip address
 atm ilmi-keepalive
 pvc 0/16 ilmi
 !
!
interface ATM3/0.1 point-to-point
 ip address 192.168.1.2 255.255.255.252
 pvc 2/100
  protocol ip 192.168.1.1 broadcast
  vbr-nrt 512 128 100
  encapsulation aal5snap
 !
!
interface ATM3/0.2 point-to-point
 pvc voice 2/101
  cbr 500
  encapsulation aal5mux voice
 !

Router B

interface ATM3/0
 no ip address
 atm ilmi-keepalive
 pvc 0/16 ilmi
 !
!
interface ATM3/0.1 point-to-point
 ip address 192.168.1.1 255.255.255.252
 pvc ip 0/50
  protocol ip 192.168.1.2 broadcast
  vbr-nrt 512 128 100
  encapsulation aal5snap
 !
!
interface ATM3/0.2 point-to-point
 pvc voice 0/51
  cbr 500
  encapsulation aal5mux voice
 !
!





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12982&t=12978



RE: Latency on ATM interface - Any ideas [7:12978]

2001-07-19 Thread Farhan Ahmed

send me in using different MTU sizes in extended pings
-Original Message-
From: Eric Mwambaji [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:51 PM
To: [EMAIL PROTECTED]
Subject: Latency on ATM interface - Any ideas [7:12978]


I experience intermittent increased latency on
extended pings from a 3662 to another 3662 router
across my lab WAN. The ping starts off with replies
at 32 ms but once in a while the reply goes over
600ms. ie the replies are not constant. Removing
the vbr-nrt from my config results in faster replies
between 1 and 2 ms but again every 13th or so reply is
10ms. Does any one know what may be causing this??? My
config is as follows


Router A:

interface ATM3/0
 no ip address
 atm ilmi-keepalive
 pvc 0/16 ilmi
 !
!
interface ATM3/0.1 point-to-point
 ip address 192.168.1.2 255.255.255.252
 pvc 2/100
  protocol ip 192.168.1.1 broadcast
  vbr-nrt 512 128 100
  encapsulation aal5snap
 !
!
interface ATM3/0.2 point-to-point
 pvc voice 2/101
  cbr 500
  encapsulation aal5mux voice
 !

Router B

interface ATM3/0
 no ip address
 atm ilmi-keepalive
 pvc 0/16 ilmi
 !
!
interface ATM3/0.1 point-to-point
 ip address 192.168.1.1 255.255.255.252
 pvc ip 0/50
  protocol ip 192.168.1.2 broadcast
  vbr-nrt 512 128 100
  encapsulation aal5snap
 !
!
interface ATM3/0.2 point-to-point
 pvc voice 0/51
  cbr 500
  encapsulation aal5mux voice
 !
!





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12989&t=12978



RE: Remote Access [7:12958]

2001-07-19 Thread Farhan Ahmed

he is using ppp isn't it..

when the client will have the dns server

ping hosta

the dns will reply with the ip, and he would be able to ping by name..
if he make a zone on dns server lets say

zonea.co.ae

and then he would make a  A record 

so hosta name will be
hosta.zonea.co.ae

when he will ping hosta

he'll get a reply

from 
hosta.zonea.co.ae

what do u say?

-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 10:43 PM
To: 'Farhan Ahmed'; [EMAIL PROTECTED]
Subject: RE: Remote Access [7:12958]


The Async BootP commands only work with SLIP connections, not PPP.  (See
http://www.cisco.com/univercd/cc/td/doc/product/software/ssr921/rpcr/79012.htm#xtocid26281)
Additionally, there isn't one that will supply the domain
name that will be postpended to the hostname to make a fqdn
(host.domain.tld).

A possible solution appears to be proxying the ip requests to a dhcp server,
or router acting as a dhcp server.  I'll be testing it in a minute or two.

-eh
-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 2:04 PM
To: [EMAIL PROTECTED]
Subject: RE: Remote Access [7:12958]


yes u just need a 
async-bootp dns-server
command followed by yr dns srv ip
and u are done
and remove the dns suffix from client as well

Best Regards

Have A Good Day!!

Farhan Ahmed
   MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.


-Original Message-
From: JR Van Noy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Remote Access [7:12958]


The clients are getting assigned from a local pool using ppp...They are
authenticated against a securid server using tacacs+.  Once they are
authenticated we have them type ppp default at the router prompt to
finish the connection.  Below is the config with my ip info omitted.

Thanks for everyone's help,

JR

ip domain-list *
ip domain-list *
ip domain-name *
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
ip address-pool local

ip local pool local 'range'

interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer idle-timeout 900
 dialer wait-for-carrier-time 60
 dialer-group 1
 async dynamic address
 async dynamic routing
 async mode interactive
 no snmp trap link-status
 peer default ip address pool local
 no fair-queue
 group-range 1 24

line 2 24
 exec-timeout 30 0
 logout-warning 120
 script dialer cisco-default
 accounting connection test
 login authentication async-tacacs+
 modem Dialin
 modem autoconfigure discovery
 terminal-type vt100


"Hire, Ejay" wrote:
> 
> It is possible to do this, depending on how your clients are getting the Ip
> addresses.  From your statements I assume the access server is handing them
> out via PPP, but where is the router getting the IP's?  From a local pool
> (most likely), a radius server, a local DHCP server, or ?
> 
> Additionally, can you post or e-mail me a copy of your config.
> 
> -Original Message-
> From: JR Van Noy [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Remote Access [7:12958]
> 
> I have a 3640 set up with async dial in for remote users.  The laptops
> must be configured to append domain suffixes in order to resolve host
> names.
> 
> Is it possible to have this information sent from the router?  I do have
> the ip domain-list/name commands configured, but can I  set this for the
> async-group, and pass it down when a user connects and receives ip
> information?
> 
> thanks for your help,
> 
> JR




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12995&t=12958



RE: Remote Access [7:12958]

2001-07-19 Thread Farhan Ahmed

u can also put the host name in wins server and use dnslookup on the wins
tab
it will give him a fqdn.


-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: Remote Access [7:12958]


The Async BootP commands only work with SLIP connections, not PPP.  (See
http://www.cisco.com/univercd/cc/td/doc/product/software/ssr921/rpcr/79012.htm#xtocid26281)
Additionally, there isn't one that will supply the domain
name that will be postpended to the hostname to make a fqdn
(host.domain.tld).

A possible solution appears to be proxying the ip requests to a dhcp server,
or router acting as a dhcp server.  I'll be testing it in a minute or two.

-eh
-Original Message-----
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 2:04 PM
To: [EMAIL PROTECTED]
Subject: RE: Remote Access [7:12958]


yes u just need a 
async-bootp dns-server
command followed by yr dns srv ip
and u are done
and remove the dns suffix from client as well

Best Regards

Have A Good Day!!

Farhan Ahmed
   MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.


-Original Message-
From: JR Van Noy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 9:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Remote Access [7:12958]


The clients are getting assigned from a local pool using ppp...They are
authenticated against a securid server using tacacs+.  Once they are
authenticated we have them type ppp default at the router prompt to
finish the connection.  Below is the config with my ip info omitted.

Thanks for everyone's help,

JR

ip domain-list *
ip domain-list *
ip domain-name *
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
ip address-pool local

ip local pool local 'range'

interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer idle-timeout 900
 dialer wait-for-carrier-time 60
 dialer-group 1
 async dynamic address
 async dynamic routing
 async mode interactive
 no snmp trap link-status
 peer default ip address pool local
 no fair-queue
 group-range 1 24

line 2 24
 exec-timeout 30 0
 logout-warning 120
 script dialer cisco-default
 accounting connection test
 login authentication async-tacacs+
 modem Dialin
 modem autoconfigure discovery
 terminal-type vt100


"Hire, Ejay" wrote:
> 
> It is possible to do this, depending on how your clients are getting the Ip
> addresses.  From your statements I assume the access server is handing them
> out via PPP, but where is the router getting the IP's?  From a local pool
> (most likely), a radius server, a local DHCP server, or ?
> 
> Additionally, can you post or e-mail me a copy of your config.
> 
> -Original Message-
> From: JR Van Noy [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Remote Access [7:12958]
> 
> I have a 3640 set up with async dial in for remote users.  The laptops
> must be configured to append domain suffixes in order to resolve host
> names.
> 
> Is it possible to have this information sent from the router?  I do have
> the ip domain-list/name commands configured, but can I  set this for the
> async-group, and pass it down when a user connects and receives ip
> information?
> 
> thanks for your help,
> 
> JR




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12997&t=12958



RE: Remote Access [7:12958]

2001-07-19 Thread Farhan Ahmed

dhcp won't solve this problem ..i guess u have to pass out dns add to clients

-Original Message-
From: JR Van Noy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 11:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Remote Access [7:12958]


Thanks for investigating this.  I agree with the DHCP solution.  That
will work best since these same remote users will bring their laptops
into the office from time to time as well.

JR

"Hire, Ejay" wrote:
> 
> The Async BootP commands only work with SLIP connections, not PPP.  (See
> http://www.cisco.com/univercd/cc/td/doc/product/software/ssr921/rpcr/79012.htm#xtocid26281)
> Additionally, there isn't one that will supply the domain
> name that will be postpended to the hostname to make a fqdn
> (host.domain.tld).
> 
> A possible solution appears to be proxying the ip requests to a dhcp server,
> or router acting as a dhcp server.  I'll be testing it in a minute or two.
> 
> -eh
> -Original Message-
> From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 2:04 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Remote Access [7:12958]
> 
> yes u just need a
> async-bootp dns-server
> command followed by yr dns srv ip
> and u are done
> and remove the dns suffix from client as well
> 
> Best Regards
> 
> Have A Good Day!!
> 
> Farhan Ahmed
>    MCSE+I, MCP Win2k, CCDA, CCNA, CSE
> Network Engineer
> Mideast Data Systems Abudhabi Uae.
> 
> -Original Message-
> From: JR Van Noy [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 9:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Remote Access [7:12958]
> 
> The clients are getting assigned from a local pool using ppp...They are
> authenticated against a securid server using tacacs+.  Once they are
> authenticated we have them type ppp default at the router prompt to
> finish the connection.  Below is the config with my ip info omitted.
> 
> Thanks for everyone's help,
> 
> JR
> 
> ip domain-list *
> ip domain-list *
> ip domain-name *
> ip name-server x.x.x.x
> ip name-server x.x.x.x
> ip name-server x.x.x.x
> ip name-server x.x.x.x
> ip address-pool local
> 
> ip local pool local 'range'
> 
> interface Group-Async1
>  ip unnumbered Loopback0
>  no ip directed-broadcast
>  encapsulation ppp
>  ip tcp header-compression passive
>  dialer in-band
>  dialer idle-timeout 900
>  dialer wait-for-carrier-time 60
>  dialer-group 1
>  async dynamic address
>  async dynamic routing
>  async mode interactive
>  no snmp trap link-status
>  peer default ip address pool local
>  no fair-queue
>  group-range 1 24
> 
> line 2 24
>  exec-timeout 30 0
>  logout-warning 120
>  script dialer cisco-default
>  accounting connection test
>  login authentication async-tacacs+
>  modem Dialin
>  modem autoconfigure discovery
>  terminal-type vt100
> 
> "Hire, Ejay" wrote:
> >
> > It is possible to do this, depending on how your clients are getting the Ip
> > addresses.  From your statements I assume the access server is handing them
> > out via PPP, but where is the router getting the IP's?  From a local pool
> > (most likely), a radius server, a local DHCP server, or ?
> >
> > Additionally, can you post or e-mail me a copy of your config.
> >
> > -Original Message-
> > From: JR Van Noy [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 19, 2001 11:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: Remote Access [7:12958]
> >
> > I have a 3640 set up with async dial in for remote users.  The laptops
> > must be configured to append domain suffixes in order to resolve host
> > names.
> >
> > Is it possible to have this information sent from the router?  I do have
> > the ip domain-list/name commands configured, but can I  set this for the
> > async-group, and pass it down when a user connects and receives ip
> > information?
> >
> > thanks for your help,
> >
> > JR




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13004&t=12958
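An added example, not from any poster in this thread: PPP clients receive their address settings through IPCP, where RFC 1877 adds options for DNS and NBNS server addresses and no option in RFC 1332 or RFC 1877 carries a domain suffix. The sketch below plays both sides of that negotiation; the 192.0.2.x addresses and all helper names are constructed for illustration.

```python
import ipaddress
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
# IPCP option numbers: 3 from RFC 1332, 129-132 from RFC 1877.
OPTION_NAMES = {3: "IP-Address", 129: "Primary-DNS", 130: "Primary-NBNS",
                131: "Secondary-DNS", 132: "Secondary-NBNS"}


def ip(addr):
    """Dotted quad -> 4 packed bytes."""
    return ipaddress.IPv4Address(addr).packed


def build_ipcp(code, ident, options):
    """options is a list of (option_number, data_bytes)."""
    body = b"".join(bytes([otype, 2 + len(data)]) + data for otype, data in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_ipcp(packet):
    """Return (code, identifier, [(option_number, data_bytes), ...])."""
    if len(packet) < 4:
        raise ValueError("short IPCP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("IPCP length field does not fit the packet")
    options, pos = [], 4
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated option header")
        otype, olen = packet[pos], packet[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("bad option length")
        options.append((otype, packet[pos + 2:pos + olen]))
        pos += olen
    return code, ident, options


def server_reply(request, settings):
    """Access-server side. settings maps option number -> packed address."""
    code, ident, opts = parse_ipcp(request)
    if code != CONF_REQ:
        raise ValueError("expected Configure-Request")
    # Options the server cannot supply go back in a Configure-Reject first.
    rejected = [(t, d) for t, d in opts if t not in settings]
    if rejected:
        return build_ipcp(CONF_REJ, ident, rejected)
    # Values the server disagrees with are corrected in a Configure-Nak.
    naks = [(t, settings[t]) for t, d in opts if d != settings[t]]
    if naks:
        return build_ipcp(CONF_NAK, ident, naks)
    return build_ipcp(CONF_ACK, ident, opts)


def negotiate(wanted, settings, max_rounds=5):
    """Client side: request 0.0.0.0 for each wanted option, follow Rej/Nak."""
    opts = [(t, ip("0.0.0.0")) for t in wanted]
    for ident in range(1, max_rounds + 1):
        request = build_ipcp(CONF_REQ, ident, opts)
        code, _, reply = parse_ipcp(server_reply(request, settings))
        if code == CONF_ACK:
            return {OPTION_NAMES.get(t, f"option-{t}"): str(ipaddress.IPv4Address(d))
                    for t, d in reply}
        if code == CONF_REJ:
            dropped = {t for t, _ in reply}
            opts = [(t, d) for t, d in opts if t not in dropped]
        elif code == CONF_NAK:
            hints = dict(reply)
            opts = [(t, hints.get(t, d)) for t, d in opts]
    raise RuntimeError("IPCP did not converge")


# Constructed server settings: a pool address and two DNS servers, no NBNS.
SERVER = {3: ip("192.0.2.10"), 129: ip("192.0.2.53"), 131: ip("192.0.2.54")}

if __name__ == "__main__":
    # The client also asks for an NBNS server, which this server rejects.
    print(negotiate([3, 129, 131, 130], SERVER))
```

The result holds only addresses, so a search suffix still has to reach the client by some other means, as the thread goes on to discuss.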



RE: Latency on ATM interface - Any ideas [7:12978]

2001-07-19 Thread Farhan Ahmed

u need to cont ur telco they are dropping ur traffic
is there too much load on line?

-Original Message-
From: Eric Mwambaji [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 11:23 PM
To: Farhan Ahmed
Subject: RE: Latency on ATM interface - Any ideas [7:12978]


ping
Protocol [ip]: 
Target IP address: pingy   50192.168.1.1
Repeat count [5]: 50
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: y
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]:
verbose
Loose, Strict, Record, Timestamp, Verbose[V]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.1.1,
timeout is 2 seconds:
Reply to request 0 (708 ms)
Reply to request 1 (68 ms)
Reply to request 2 (48 ms)
Reply to request 3 (56 ms)
Reply to request 4 (48 ms)
Reply to request 5 (76 ms)
Reply to request 6 (44 ms)
Reply to request 7 (48 ms)
Reply to request 8 (56 ms)
Reply to request 9 (48 ms)
Reply to request 10 (44 ms)
Reply to request 11 (48 ms)
Reply to request 12 (44 ms)
Reply to request 13 (48 ms)
Reply to request 14 (48 ms)
Reply to request 15 (44 ms)
Reply to request 16 (48 ms)
Reply to request 17 (44 ms)
Reply to request 18 (48 ms)
Reply to request 19 (44 ms)
Reply to request 20 (48 ms)
Reply to request 21 (48 ms)
Reply to request 22 (44 ms)
Reply to request 23 (48 ms)
Reply to request 24 (44 ms)
Reply to request 25 (48 ms)
Reply to request 26 (48 ms)
Reply to request 27 (44 ms)
Reply to request 28 (48 ms)
Reply to request 29 (44 ms)
Reply to request 30 (48 ms)
Reply to request 31 (44 ms)
Reply to request 32 (48 ms)
Reply to request 33 (76 ms)
Reply to request 0 (708 ms)
Reply to request 34 (48 ms)
Reply to request 35 (48 ms)
Reply to request 36 (44 ms)
Reply to request 37 (48 ms)
Reply to request 38 (68 ms)
Reply to request 39 (44 ms)
Reply to request 40 (48 ms)
Reply to request 41 (48 ms)
Reply to request 42 (68 ms)
Reply to request 43 (44 ms)
Reply to request 44 (48 ms)
Reply to request 45 (44 ms)
Reply to request 46 (48 ms)
Reply to request 47 (68 ms)
Reply to request 48 (48 ms)
Reply to request 49 (44 ms)
Success rate is 100 percent (50/50), round-trip
min/avg/max = 44/62/708 ms


ping   
Protocol [ip]: 
Target IP address: pingverbosey 
50192.168.1.1
Repeat count [5]: 50
Datagram size [100]: 1500
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: y
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]:
Verbose
Loose, Strict, Record, Timestamp, Verbose[V]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 50, 1500-byte ICMP Echos to 192.168.1.1,
timeout is 2 seconds:
Reply to request 0 (708 ms)
Reply to request 1 (704 ms)
Reply to request 2 (716 ms)
Reply to request 3 (704 ms)
Reply to request 4 (704 ms)
Reply to request 5 (708 ms)
Reply to request 6 (704 ms)
Reply to request 7 (708 ms)
Reply to request 8 (704 ms)
Reply to request 9 (708 ms)
Reply to request 10 (740 ms)
Reply to request 11 (704 ms)
Reply to request 12 (708 ms)
Reply to request 13 (704 ms)
Reply to request 14 (704 ms)
Reply to request 15 (708 ms)
Reply to request 16 (704 ms)
Reply to request 17 (708 ms)
Reply to request 18 (1184 ms)
Reply to request 19 (1184 ms)
Reply to request 20 (704 ms)
Reply to request 21 (704 ms)
Reply to request 22 (708 ms)
Reply to request 23 (704 ms)
Reply to request 24 (708 ms)
Reply to request 25 (704 ms)
Reply to request 26 (708 ms)
Reply to request 27 (740 ms)
Reply to request 28 (704 ms)
Reply to request 29 (704 ms)
Reply to request 30 (708 ms)
Reply to request 31 (704 ms)
Reply to request 32 (708 ms)
Reply to request 33 (704 ms)
Reply to request 34 (708 ms)
Reply to request 35 (704 ms)
Reply to request 36 (704 ms)
Reply to request 37 (708 ms)
Reply to request 38 (704 ms)
Reply to request 39 (708 ms)
Reply to request 40 (724 ms)
Reply to request 41 (704 ms)
Reply to request 42 (704 ms)
Reply to request 43 (708 ms)
Reply to request 44 (704 ms)
Reply to request 45 (708 ms)
Reply to request 46 (704 ms)
Reply to request 47 (708 ms)
Reply to request 48 (704 ms)
Reply to request 49 (704 ms)
Success rate is 100 percent (50/50), round-trip
min/avg/max = 704/726/1184 ms

sho at  i atm int atm3/0.1
Interface ATM3/0:
AAL enabled:  AAL5 , Maximum VCs: 1024, Current VCCs:
18

Maximum Transmit Channels: 64
Max. Datagram Size: 4496
PLIM Type: DS3 - 45000Kbps, Framing is C-bit ADM,
DS3 lbo: short, TX clocking: LINE
Cell-payload scrambling: OFF
13830 input, 9729 output, 2129 IN fast, 1312 OUT fast,
0 out dropCBR : 500 VBR-NRT : 128 
 Avail bw = 44372 
Config. is ACTIVE
TOKYO#sho atm traffic
16049 Input packets
11101 Output packets
0 Broadcast packets
0 Packets received on non-existent VC
0 Packets attempted to send on non-existent VC
0 OAM cells received
F5

RE: HELP with BOOTUP !!!! [7:13031]

2001-07-20 Thread Farhan Ahmed

write any file name .bin

-Original Message-
From: Ray Smith [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2001 4:54 AM
To: [EMAIL PROTECTED]
Subject: HELP with BOOTUP  [7:13031]


I have a cisco 2503 router that is in the mode of Router(boot)>.  I have 
tried doing a "copy tftp flash" with another 2500 file stored on my tftp 
server, but it would not work, because when I got to the option that asked 
for destination file name there was none present in the router.  Any 
suggestions as to how I can get this mess solved?  Thanks



Ray





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13065&t=13031



RE: routing issue with ISDN backup [7:13045]

2001-07-20 Thread Farhan Ahmed

use  redistribute command..


-Original Message-
From: pat [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2001 6:51 AM
To: [EMAIL PROTECTED]
Subject: routing issue with ISDN backup [7:13045]


Hello everyone:


I have some routing issue here.

I have central office with a core router sitting
behind the PIX. All branch office (remote) routers
connect to central router using frame relay & ISDN as
back up. Each branch office (having 1 Serial, 1 ISDN,
1 Eth Int) should be able get to any other branch
office & to Internet through PIX. All IPs used will be
private & PIX will be doing NAT. 
I am planning on having EIGRP to route between all
routers over frame relay & floating static route to
trigger ISDN if FR goes down. This floating static
route will be something like

ip route 0.0.0.0 0.0.0.0 10.0.0.1 200  (10.0.0.1 will
be IP of central router)

In each branch office router EIGRP will have Ethernet
& serial networks in it. This will make all internal
routing fine when the network is on FR. But how do I
route Internet traffic to core router so that it can
send to PIX? I am already using default static route
to core router, which I want to be used only when FR
is down. Is there any way in EIGRP to propagate
default route through network from core router?


Thanks a lot,
pat






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13068&t=13045



RE: Q about configuring new WIC's [7:13051]

2001-07-20 Thread Farhan Ahmed

remove all the wics and then boot
put the wic  first in 0 then 1

which wics u have

-Original Message-
From: chris klebl [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2001 7:10 AM
To: [EMAIL PROTECTED]
Subject: Q about configuring new WIC's [7:13051]


i have recently gotten 3   2610's off eBay and have also gotten some 
additional WIC's.
i am having the hardest time getting the router to recognize the new 
cards.  when i do sh int it actually shows cards that are no longer present 
that the old owner had installed but it does not show the new cards that i 
put in. can't find the answer to this question anywhere.

please help




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13070&t=13051



RE: PIX.. [7:13067]

2001-07-20 Thread Farhan Ahmed

-Original Message-
From: sakella locuz [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: PIX.. [7:13067]


Can anyone update me with the advantages of PIX over Checkpoint and
Gauntlet?

-a-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13072&t=13067



FW: CodeRed: the next generation [7:13131]

2001-07-20 Thread Farhan Ahmed

-Original Message-
From: Marc Maiffret [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2001 10:48 PM
To: [EMAIL PROTECTED]
Subject: CodeRed: the next generation


The following is a description of a "variant" "Code Red" worm that we have
found to be in the wild. Sorry for the rough content but we thought it would
be best to get this information out sooner and worry about pretty text
formatting later ;-]

--
In this text, we will be referring to the original "Code Red" worm as CRv1
and the second generation "Code Red" worm as CRv2.  This does not preclude
further generations/variations still in the wild, it is just an analysis of
the worms we have access to.

This information is not currently public. Well, sort of is (we published the
disassembly of CRv1, so CRv1 targeting info may be known), but the existence
of CRv2 with different targeting has not been verified until now as far as
we know. For the evidence surrounding the impetus for this second worm
search, please examine Stuart Staniford's ([EMAIL PROTECTED])
excellent statistical analysis of worm hit data.

The CRv2 worm has the following characteristics:
- second:millisecond randomness added to the ip selection process
- removal of web page hack display (no notice to the end users via a defaced page)

All other parts of the worm are the same. (still attacks whitehouse.gov (but
the IP address has been blackholed), has time limits/definitions of attack,
notworm lysine)

The worst part about this means that our original tracking methodology
(sensors early in the sequence) is no longer accurate, since CRv2 infected
hosts do not contact early hosts, nor reliably contact any point (other than
the blackholed IP address that used to point to whitehouse.gov).  This means
that potentially ALL (i.e. global, comprehensive) ids/logs data must be
organized and sorted to find infected hosts.

The Differences:
It has 13 or so pertinent bytes changed, adding a time based randomness
factor and disabling page defacement.  The code had been there all along. It
had intentionally (we must assume) been disabled in CRv1, then reenabled near
the end of the cycle.  There has been discussion that this was a natural
progression of the worm code, however, we do not believe this is the
case.  From analysis of CRv1, there seems to be no distinct way to shift
the necessary bytes to generate CRv2. Hence, it is my belief that this is a
modified worm, rereleased.  It has been posited that the CRv1 was a target
acquisition mechanism, gathering data on infectable hosts to gain a high
initial base for the following CRv2 infection.


The Ip Selection Process:
We will display the effective CRv1 (sequence), and the effective
CRv2 (timebased) ip selection processes.  This is a one byte change, at
offset 9C2.  It changes the storage of some time based computations that
were performed in CRv1 but discarded. The new byte changes the storage
location from EBP-1B0 (a general purpose holder stack var) to EBP-18C (the
location of the ip).  This means that the timevars are actively used in
CRv2, while being discarded in CRv1.

These are the targeting algorithms(complete, as far as we can discern) that
are the asm in the CRv1 worm and also in the CRv2  worm.

Seeding the "PRNG" for these examples seed is used for ip through the first
iteration of the connect loop.  the seed does not change between CRv1 and
CRv2, but each thread in the worm has a mildly different seed.

seed = threadcount(based on 1) * 50F0668D;

CRv1:
The ip selection process in CRv1 is a simple sequence generator. This caused
the early sequences that we noticed and referred to in our (eEye's) initial
warning advisory:

ip = (ip * 0x0CF3383) + 0x76BFE53;

CRv2:
The ip selection process in CRv2 is significantly more complex.  It makes use
of time and a whole lot more input operations.  In the following, secmsec is
the DWORD pair of seconds and mseconds returned from GetSystemTime

ip = (ip + secmsec*secmsec*0x0CD59E3 +  secmsec*0x1E1B9) * 0x0CF3383 +
0x76BFE53

Other Details:
Coincidentally, if this isn't general public knowledge, the worm is smart
enough to avoid attacking the 127.x.x.x and 224.x.x.x subnets using the
following logic after setting the ip.
if (((ip & 0xFF) == 0x7F) || ((ip & 0xFF) == 0xE0)) ip += 0x20DA9;



the Hacked Page:
The second difference between CRv1 and CRv2 is that CRv2 does not deface the
webpage of an infected system.  It does this by having 12 bytes different
from CRv1.

When TcpSockSend is hooked (this still happens), CRv2 points this to a basic
redirect that performs harmless actions and returns without actually
changing any content. CRv1 pointed to a replacement, CRv2 points to
basically a do-nothing function.

What is happening is that the label "PADDING_BYTES" actually is padding
bytes in CRv1 (the code does not disassemble to any sane code).

CRv1:
We've used ida's data feature to show the "padding data" as dwords(instead
of a bunch of bytes)

CD4 - EB F8jmp short n
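
The tracking point made in the post above, as an added example that is not part of the original message and is not eEye's code: with the fixed seed, every CRv1 host walks the same address sequence, so a run of probed addresses in IDS logs can be matched back to a thread, while the clock input in CRv2 breaks that. Assumptions: 32-bit wrap-around arithmetic, `secmsec` treated as one 32-bit value, the update applied before each connect, the adjusted value fed back into the next step, and a scan limit of 100 threads.

```python
# Constants and formulas are the ones quoted in the post; everything else
# (function names, thread limit, search depth) is hypothetical.
MASK32 = 0xFFFFFFFF
SEED_FACTOR = 0x50F0668D   # seed = threadcount (based on 1) * 50F0668D
MULT = 0x0CF3383
INCR = 0x76BFE53
SKIP_STEP = 0x20DA9        # added when the first octet is 127 or 224
TIME_SQ = 0x0CD59E3        # CRv2 only
TIME_LIN = 0x1E1B9         # CRv2 only


def thread_seed(thread):
    """Per-thread starting value, identical on every infected host."""
    return (thread * SEED_FACTOR) & MASK32


def skip_reserved(ip):
    """Apply the post's 127.x.x.x / 224.x.x.x avoidance (low byte = first octet)."""
    if (ip & 0xFF) in (0x7F, 0xE0):
        ip = (ip + SKIP_STEP) & MASK32
    return ip


def dotted(ip):
    """Render the 32-bit value as dotted quad, low byte first."""
    return ".".join(str((ip >> shift) & 0xFF) for shift in (0, 8, 16, 24))


def crv1_sequence(thread, count):
    """CRv1: ip = ip * 0x0CF3383 + 0x76BFE53, no external input at all."""
    ip = thread_seed(thread)
    out = []
    for _ in range(count):
        ip = skip_reserved((ip * MULT + INCR) & MASK32)
        out.append(ip)
    return out


def crv2_sequence(thread, clock_samples):
    """CRv2: same generator, but each step mixes in a clock reading."""
    ip = thread_seed(thread)
    out = []
    for s in clock_samples:
        ip = ((ip + s * s * TIME_SQ + s * TIME_LIN) * MULT + INCR) & MASK32
        ip = skip_reserved(ip)
        out.append(ip)
    return out


def find_crv1_thread(observed, max_threads=100, depth=2000):
    """Match an ordered run of probed addresses (dotted strings taken from
    IDS or web logs) against the CRv1 sequence of each thread.
    Returns (thread, offset) for the first match, or None."""
    n = len(observed)
    if n == 0:
        return None
    for thread in range(1, max_threads + 1):
        seq = [dotted(ip) for ip in crv1_sequence(thread, depth)]
        for i in range(depth - n + 1):
            if seq[i:i + n] == observed:
                return thread, i
    return None


if __name__ == "__main__":
    # Constructed sample: five consecutive destinations, as if pulled from logs.
    sample = [dotted(ip) for ip in crv1_sequence(7, 40)[20:25]]
    print("observed run:", sample)
    print("matches CRv1 (thread, offset):", find_crv1_thread(sample))
    # The same thread with two different clock readings diverges immediately.
    print("CRv2, clock=1:", dotted(crv2_sequence(1, [1])[0]))
    print("CRv2, clock=2:", dotted(crv2_sequence(1, [2])[0]))
```

A run that matches tells you the source is a CRv1 host and how far into its sequence it is; a source that probes port 80 with no match in any thread is a candidate for CRv2 and has to be found from the logs alone.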

RE: AGS+ as a frame-relay switch [7:13133]

2001-07-20 Thread Farhan Ahmed

tm





-Original Message-
From: Charles Ryan [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 12:04 AM
To: [EMAIL PROTECTED]
Subject: AGS+ as a frame-relay switch [7:13133]


Apologies if this has already been covered once before.

Quick question regarding setting up an AGS+ as a frame switch.

Do the cables connecting to the AGS+ have to be DCE in order to get the
frame-relay switching to work, or can it still work if the cables are DTE? I
currently have DTE cables into the AGS+ and am not getting line protocol to
come up, even though the other ends are DCE and I have "clock rate 64000"
configured on the other ends.

I also have encap frame-relay ietf on both sides, frame-relay lmi-type ansi
as well.

I'll search the archives while I await an answer.

Thanks!

-Chuck







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13134&t=13133



RE: what is Bearer capability not implemented in ISDN ? [7:13185]

2001-07-21 Thread Farhan Ahmed

A speed mismatch can occur when the source and destination ISDN ports do not
belong to the same network.

try setting

The following example sets the line speed for incoming calls to 56 kbps:
command
on bri int

isdn not-end-to-end 56 



or 64(def)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 10:28 AM
To: [EMAIL PROTECTED]
Subject: what is Bearer capability not implemented in ISDN ? [7:13182]


Hello all,
 When I am trying to generate the call on ISDN ,I am not able to connect
the ISDN Upon debug ISDN events and debug isdn q931 ,I got the cause to be
as follow

Cause i = 0x82C1 - Bearer capability not implemented


The sample of the debug is given below for more help.Can anybody tell me
this could be due to what ?
Is it a line problem because I tested the line voltage and found to be
around 105.6 Volts ,Also Upon connecting the ISDN instrument to this line I
am able to get dial tone as well as generate voice calls?

4w1d: ISDN BR1/1: Outgoing call id = 0x8F65
4w1d: ISDN BR1/1: Event: Call to 6156540 at 64 Kb/s
4w1d: ISDN BR1/1: TX ->  SETUP pd = 8  callref = 0x0B
4w1d: Bearer Capability i = 0x8890
4w1d: Channel ID i = 0x83
4w1d: Called Party Number i = 0x80, '6156540'
4w1d: ISDN BR1/1: RX <-  RELEASE_COMP pd = 8  callref = 0x8B
4w1d: Cause i = 0x82C1 - Bearer capability not implemented
4w1d: ISDN BR1/1: received HOST_DISCONNECT_ACK call_id 0x8F65
4w1d: ISDN BR1/1: Error: Unexpected Disconnect_Ack - call id 0x8F65.
Success rate is 0 percent (0/5)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13185&t=13185



RE: Disaster Recovery Documentation? was Re: what's wrong with [7:13186]

2001-07-21 Thread Farhan Ahmed

AGREE

-Original Message-
From: Torren Craigie-Manson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 9:37 AM
To: [EMAIL PROTECTED]
Subject: Disaster Recovery Documentation? was Re: what's wrong with CCIE
[7:13180]


""Sean Young""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> What's wrong with CCIEs today?  I know that I am making a general
{snip}
> one of our tacacs servers (solaris) die due to hardware
> failure and the amazingly the tacacs process on the Linux die.
{snip}
> As to our problems, the simple to do is just
> to restart the tacacs process by first:  "killall tac_plus" and second
> "/usr/sbin/tac_plus -C /etc/tacacs/tac_plus.cfg" but these CCIEs guys
> have absolutely no clues.

Were the instructions for verifying and restarting your tacacs process
available in your disaster recovery documentation? Do your CCIEs know where
the disaster recovery documentation is, and how it's organized?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13186&t=13186



RE: PIX activation key on 4.1(6) [7:13187]

2001-07-21 Thread Farhan Ahmed

u need to put your serial no
and u ll get a new key
u need cco login

-Original Message-
From: Jacques Allison [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 5:24 PM
To: [EMAIL PROTECTED]
Subject: PIX activation key on 4.1(6) [7:13187]


Hi all,

On PIX ver 4.1(7) I can use the "show actkey" to display the connection
license key, but the command is not on the ver 4.1.(6). How do I upgrade the
PIX if I lost the original disk and license? I look on CCO and can't find
any answers.

Regards,

Jacques Allison

Senior Network Engineer

Tel: (+27) 012 349 2030 ext.: 210

Fax: (+27) 012 349 1015

Mobile: (+27) 083 327 4941

[EMAIL PROTECTED]

http://www.geocities.com/jacquesa_2000/index.html

+Security









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13192&t=13187



RE: tftp server! [7:13203]

2001-07-21 Thread Farhan Ahmed

just need a copy tftp flash command


-Original Message-
From: chica [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 9:31 PM
To: [EMAIL PROTECTED]
Subject: tftp server! [7:13203]


hi,
i'm setting up my lab and want to install the tftp
server on one PC.I would also want to upgrade my IOS
image and install the IP feature pack.I reckon,that
the tftp can be installed on any PC on any OS say
windows,and that the tftp server would acquire the ip
address of the PC.Can anyone please give a detailed
process of the installation and integration in a
network, plus how to install the ip feature pack.
I'ld appreciate any input.
thanx
>chika





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13204&t=13203



RE: PIX activation key on 4.1(6) [7:13187]

2001-07-21 Thread Farhan Ahmed
and names commands). PIX Firewall must know how to
reach this location via its routing table information. This information is
determined by the ip address command, the route command, or also RIP,
depending upon your configuration.

The pathname can include any directory names besides the actual last
component of the path to the file on the server. The pathname cannot contain
spaces. If a directory name has spaces, set the directory in the TFTP server
instead of in the copy tftp flash command. In UNIX, the file needs to be
world readable for the TFTP server to access it.

If your TFTP server has been configured to point to a directory on the
system from which you are downloading the image, you need only use the IP
address of the system and the image filename. For example, if you want to
download the pix601.bin file from the D: partition on a Windows system (IP
address 10.1.1.5), you would access the Cisco TFTP Server View>Options menu
and enter the filename path in the TFTP server root directory edit box; for
example, D:\pix_images. To copy the file to the PIX Firewall, use the
following copy tftp command:

copy tftp://10.1.1.5/pix601.bin flash
 

The TFTP server receives the command and correlates the actual file location
from its root directory information. The server then downloads the TFTP
image to the PIX Firewall.

Examples



The following example causes the PIX Firewall to prompt you for the filename
and location before you start the TFTP download:

copy tftp flash
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? pix601.bin
copying tftp://10.1.1.5/pix601.bin to flash
[yes|no|again]?yes
!!!
Received 1695744 bytes.
Erasing current image.
Writing 1597496 bytes of image.
!!!!!!!
Image installed.



-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 7:57 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX activation key on 4.1(6) [7:13187]


u need to put your serial no
and u ll get a new key
u need cco login

-Original Message-
From: Jacques Allison [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 5:24 PM
To: [EMAIL PROTECTED]
Subject: PIX activation key on 4.1(6) [7:13187]


Hi all,

On PIX ver 4.1(7) I can use the "show actkey" to display the connection
license key, but the command is not on the ver 4.1.(6). How do I upgrade the
PIX if I lost the original disk and license? I look on CCO and can't find
any answers.

Regards,

Jacques Allison

Senior Network Engineer

Tel: (+27) 012 349 2030 ext.: 210

Fax: (+27) 012 349 1015

Mobile: (+27) 083 327 4941

[EMAIL PROTECTED]

http://www.geocities.com/jacquesa_2000/index.html

+Security









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13200&t=13187



RE: Working Frame Relay Point-to-Point Config [7:13245]

2001-07-22 Thread Farhan Ahmed

Deleted means that the Frame Relay switch doesn't have this DLCI programmed
for the router. But it was programmed at some point in the past. This could
also be caused by the DLCIs being reversed on the router, or by the PVC
being deleted by the telco in the Frame Relay cloud. Configuring a DLCI
(that the switch doesn't have) will show up as a 0x4

-Original Message-
From: Albert Lu [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 22, 2001 4:56 PM
To: [EMAIL PROTECTED]
Subject: Working Frame Relay Point-to-Point Config [7:13245]


Hello Group,

Could someone point me to (or send me) a working config for a Frame switch
and routers attached to it, using point-to-point connections. I'm currently
stuck on this for my routers, as the PVCs are there but in a deleted state.
I probably should have included my configs in this email, but I'm not at my
routers at the moment, and I'm sure it's something simple that I have
missed.

Thanks for your help.

Albert






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13247&t=13245



RE: peer to peer IPX [7:13246]

2001-07-22 Thread Farhan Ahmed

ofcourse u can its a protocol

-Original Message-
From: Mr. Richard L. Pickard [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 22, 2001 5:03 PM
To: [EMAIL PROTECTED]
Subject: peer to peer IPX [7:13246]


7/22/2001   7:45am  Sunday

It is possible to run IPX between WIN 95 workstations without a server on
the
segment?

Richard
[EMAIL PROTECTED]

//




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13248&t=13246



RE: Cabling info needed [7:13317]

2001-07-22 Thread Farhan Ahmed

cisco.com/go/tools

-Original Message-
From: Omer Ehsan Dar [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 10:53 AM
To: [EMAIL PROTECTED]
Subject: Cabling info needed [7:13317]


Hi all, 
Where can I find good cabling info related to LAN networking and the
cisco switches in particular.
Thanks
Omer Ehsan dar




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13318&t=13317



pix 525 gigabit restriction [7:13327]

2001-07-23 Thread Farhan Ahmed

does any body know why cisco restrict to use only 1 gigabit interface on pix
models?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13327&t=13327



RE: sh system command ? [7:13330]

2001-07-23 Thread Farhan Ahmed

current traffic rate

-Original Message-
From: Phil Barker [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 1:28 PM
To: [EMAIL PROTECTED]
Subject: sh system command ? [7:13330]


Hi,
   The 'show system' command on a Cat 5500 contains a
current traffic level and a peak level. How long are
these values valid for. e.g is the current traffic
value over a five minute period ?
Is the peak value from when the Supy is booted up
?

PS : checked cisco.com but cannot find an answer.

Regards,

Phil.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13331&t=13330



RE: what's wrong with CCIE today? [7:13151]

2001-07-23 Thread Farhan Ahmed

u should have used 3 tacacs servers 


""Sean Young""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> What's wrong with CCIEs today?  I know that I am making a general
> assumptions; however,this is the second time that it has happend to the
> company that I work for.  We have several tacacs servers that use to
> authenticate users.  These tacacs servers are running on a combination of
> Linux and Solaris platforms.  While I was away at the Networker
> Conference, one of our tacacs servers (solaris) die due to hardware
> failure and the amazingly the tacacs process on the Linux die.  Because
> of this, everyone has to login to the routers and switches via local
> account.  We hire these CCIEs to maintain the network while I am away for
> a few weeks.  None of these CCIEs have any background with tacacs servers
> running on Unix platforms.  As to our problems, the simple to do is just
> to restart the tacacs process by first:  "killall tac_plus" and second
> "/usr/sbin/tac_plus -C /etc/tacacs/tac_plus.cfg" but these CCIEs guys
> have absolutely no clues.  Furthermore, they don't even know how to use
> editing in Unix (i.e vi or emacs) and ended up screwing up my tacacs
> configuration files.  We have a few employees that need tacacs account
> but these CCIEs guys have no clues how to add new users to a configuration
> file which if anyone has done tacacs on the unix platform know that you
> just modify the configuration file tac_plus.conf and restart tacacs
> process.   These CCIE guys say that they come from a windows environment
> so they don't have too much with Unix platforms.  I also notice that a
> lot of CCIEs these days lack the Unix skills that are required for the
> Service Providers environment.  Most don't even know how to tunnel
> X-application through Secure Shell (SSH).  I still remember those days
> when Cisco Engineers are very well verse in both unix and routers
> skills.  I long for those days again. Comments anyone?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13336&t=13151



RE: 1601, dial-in server... [7:13285]

2001-07-23 Thread Farhan Ahmed

!
interface Dialer 1
 description connected to Dial-inPCs(modem)
 ip unnumbered Ethernet 0
 ip tcp header-compression passive
 encapsulation ppp
 dialer in-band
 dialer-group 1
 ppp authentication chap
 no cdp enable
 peer default ip address pool Cisco1601-Group-1
!

!
interface Serial 0
 physical-layer async
 no shutdown
 description connected to Dial-inPCs(modem)
 ip unnumbered Ethernet 0
 async mode dedicated
 dialer rotary-group 1
 
!
!
ip local pool Cisco1601-Group-1 10.1.1.1 10.1.1.1
ip classless

!


!
line 1
 autoselect ppp
 modem InOut
 transport input all
 stopbits 1
 speed 38400
 flowcontrol hardware


-Original Message-
From: Arun [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 4:39 PM
To: [EMAIL PROTECTED]
Subject: Re: 1601, dial-in server... [7:13285]


hi
try this link
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:PPP&;
s=Implementation_and_Configuration


Regards
""Justin""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> hey all :)
> Im trying to configure my 1601, to recieve calls via async serial port,
and
> initiate a ppp connection, like an access server..
> i can make it dial out and connect to my isp. etc, but i cant seem to get
> it to do the opossite.
> i've looked on cisco.com and im starting to think its not possible on
these
> type of routers ?
> anyone done this ??
>
> thanks :)
> Justin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13346&t=13285



RE: FrameRelay Over Utilized [7:13349]

2001-07-23 Thread Farhan Ahmed

send me debug frame-relay lmi output

-Original Message-
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 5:20 PM
To: [EMAIL PROTECTED]
Subject: FrameRelay Over Utilized [7:13349]


Hello,
If I have a frame relay switch which is being over utilized will that cause
the connection to drop.  After looking in the log I see dlci 501 state
changed
to inactive, line protocol on interface s0/0.1 changed to down, dlci 501
active, this keeps going and going through out the log.  The local telco
insists that the circuit is overutilized and this is why the connection is
dropping.  I think it is a telco or csu problem.  Also doing a show
interface
is showing 3000 crc errors and 500 interface resets for the past 3 days.  Is
there any way to tell for sure whether it is overutilization or a telco
problem??




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13352&t=13349



RE: FrameRelay Over Utilized [7:13349]

2001-07-23 Thread Farhan Ahmed

also these outputs

show interfaces serial
show controllers serial 
debug serial interface

-Original Message-
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 5:20 PM
To: [EMAIL PROTECTED]
Subject: FrameRelay Over Utilized [7:13349]


Hello,
If I have a frame relay switch which is being over utilized will that cause
the connection to drop.  After looking in the log I see dlci 501 state
changed
to inactive, line protocol on interface s0/0.1 changed to down, dlci 501
active, this keeps going and going through out the log.  The local telco
insists that the circuit is overutilized and this is why the connection is
dropping.  I think it is a telco or csu problem.  Also doing a show
interface
is showing 3000 crc errors and 500 interface resets for the past 3 days.  Is
there any way to tell for sure whether it is overutilization or a telco
problem??




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13355&t=13349



RE: Urgent... [7:13351]

2001-07-23 Thread Farhan Ahmed

first do
backup delay 30 600
just to wait isdn 4 30 sec

use eigrp
and floating static put cost above 90 
let me know

-Original Message-
From: sakella locuz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 5:37 PM
To: [EMAIL PROTECTED]
Subject: Urgent... [7:13351]


Hi everybody,

I am in a big problem..request ur assistance immediately...
This is the configuration now working on 2 routers connected over a leased
line also has a ISDN backup. While the leased line is working we tried the
backup by switching of the leased line modem. The ISDN connection came up
but
there was nothing traversing over the connection.

We checked the status, connection is absolutely OK, also we found that the
leased circuit configuration when removed totally and connected over ISDN
data
flows smoothly.

Kindly reply with exact problem...enclosed is the running config..

-- show running-config --

 Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname BOBKHYD

!

enable secret 5

!

username bobk password 0

username BOBKBOM password 0

ip subnet-zero

!

isdn switch-type basic-net3

!

!

!

interface Ethernet0/0

 ip address 10.4.10.50 255.255.255.0

 no ip directed-broadcast

 no keepalive

!

interface Serial0/0

 ip address 192.168.1.1 255.255.255.252

 no ip directed-broadcast

 no ip mroute-cache

 backup delay 0 600

 backup interface Dialer1

 backup load 60 40

 no fair-queue

!

interface BRI0/0

 description connected to BOBKBOM

 no ip address

 no ip directed-broadcast

 encapsulation ppp

 dialer rotary-group 1

 isdn switch-type basic-net3

 no cdp enable

!

interface Serial0/1

 no ip address

 no ip directed-broadcast

 shutdown

!

interface Dialer1

 description connected to BOBKBOM

 bandwidth 64

 ip unnumbered Ethernet0/0

 no ip directed-broadcast

 encapsulation ppp

 no ip split-horizon

 dialer in-band

 dialer idle-timeout 600

 dialer map ip 10.4.0.30 name BOBKBOM broadcast 0222805890

 dialer hold-queue 10

 dialer-group 1

 no cdp enable

 ppp authentication chap

!

ip classless

ip route 10.4.0.0 255.255.255.0 Serial0/0

ip route 10.4.0.0 255.255.255.0 Dialer1 100

ip http server

!

dialer-list 1 protocol ip permit

!

line con 0

 exec-timeout 0 0

 transport input none

line aux 0

line vty 0 4

 password

 login

!

end

-- show running-config --

Building configuration...

Current configuration:

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname BOBKBOM

!

enable secret 5

!

username bobk password 0

username BOBKHYD password 0

!

!

!

!

memory-size iomem 25

ip subnet-zero

!

isdn switch-type basic-net3

!

!

!

!

!

!

!

!

!

interface Serial0

 description connected to bobkhyd

 bandwidth 64000

 ip address 192.168.1.2 255.255.255.252

 no fair-queue

!

interface BRI0

 description connected to BOBKHYD

 no ip address

 encapsulation ppp

 dialer rotary-group 1

 isdn switch-type basic-net3

 no cdp enable

!

interface FastEthernet0

 description connected to fastethernetLAN

 ip address 10.4.0.30 255.255.255.0

 no keepalive

 speed auto

!

interface Dialer1

 description connected to BOBKHYD

 ip unnumbered FastEthernet0

 encapsulation ppp

 no ip split-horizon

 dialer in-band

 dialer idle-timeout 600

 dialer map ip 10.4.0.50 name BOBKHYD broadcast 0403391011

dialer hold-queue 10

 dialer-group 1

no cdp enable

 ppp authentication chap

!

ip classless

ip route 10.4.10.0 255.255.255.0 Serial0

ip route 10.4.10.0 255.255.255.0 Dialer1 100

ip http server

!

dialer-list 1 protocol ip permit

!

voice-port 2/0

!

voice-port 2/1

!

!

line con 0

 transport input none

line aux 0

line vty 0 4

 password

 login

!

no scheduler allocate

end



-Surya-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13358&t=13351
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: certificate system again [7:13401]

2001-07-23 Thread Farhan Ahmed

what is the scenario

-Original Message-
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 23, 2001 10:01 PM
To: [EMAIL PROTECTED]
Subject: OT: certificate system again [7:13401]


Hello,

I posted this message on certificate newsgroup but
didn't get any response. Since there are many experts
here, allow me to ask this question again:

We're trying to set up a certificate system, I'm
wondering which one is better?
Entrust, Microsoft, VeriSign and Netscape?

Thanks in advance.

Jim





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13414&t=13401



RE: ACS2.6 users on Cluster Servers!! [7:13481]

2001-07-24 Thread Farhan Ahmed

Cisco Secure ACS operates as a Windows NT or Windows 2000 service and
controls the authentication, authorization, and accounting (AAA) of users
accessing networks. Cisco Secure ACS operates with Windows NT Server version
4.0 and Windows 2000 Server. Provided that Microsoft Clustering Services are
not installed, Cisco Secure ACS operates on Windows 2000 Advanced Server and
Windows 2000 Datacenter Server.

u might look 4 some 3rd part clustering software
like doubletake

-Original Message-
From: Magdy H. Ibrahim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 2:28 PM
To: [EMAIL PROTECTED]
Subject: ACS2.6 users on Cluster Servers!! [7:13481]


Hi guys,

I installed ACS2.6 on 2 nodes cluster , using Win2k to provide high
availability , so when any ACS service stop on one node the ACS will
failover to the other node .
The problem I'm facing is that the ACS configuration replicated well when
ACS moves from one node to the other , but the users database not !! , So
are there any way to replicate the users database from Windows registry , If
answer is yes , which key I'll need to copy ?
Any suggestions will be appreciated.

Thanks in advance,

Magdy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13487&t=13481



vpn speed [7:13499]

2001-07-24 Thread Farhan Ahmed

lets say we have 2 cisco 1720 with vpn accelerator card and both have a 64k
connection to internet
> what would be the speed of the tunnel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13499&t=13499



Cisco IDS [7:13516]

2001-07-24 Thread Farhan Ahmed

how its possible for ids to read the contents of packet for eg
"confidential doc" and generate an alarm

what if somebody using vpn from inside network to somewhere else to transfer
confidential information

what does it means that ipsec is ,,,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13516&t=13516



access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

What mask would be used if you want to create an
access list where the IP addresses (128.252.0.0 to
128.252.240.0) would be blocked
pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13564&t=13564



ccna challenge question [7:13565]

2001-07-24 Thread Farhan Ahmed

Last Week's CCNA(tm) Challenge Question
Question
Using classful assumptions, what is the directed broadcast address for
172.18.2.0 with the mask 255.255.254.0?

a) 172.18.2.255

b) 172.18.3.255

c) 172.18.255.255

d) 172.18.0.0
Answer
b)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13565&t=13565



RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

def mask

-Original Message-
From: MikeN [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 10:36 PM
To: [EMAIL PROTECTED]
Subject: Re: access list.. [7:13564]


To answer this question, we would need to know what the subnet masks are.

Thanks,
MikeN

""Farhan Ahmed""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> What mask would be used if you want to create an
> access list where the IP addresses (128.252.0.0 to
> 128.252.240.0) would be blocked
> pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13569&t=13564



RE: Problem with Fastethernet 2610 router [7:13497]

2001-07-24 Thread Farhan Ahmed

u need to setup static route in both direction u just put only 1 route to
the 1st vlan u need more routes in both direc
on the other vlans u should have static routes to router via x

-Original Message-
From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 10:28 PM
To: [EMAIL PROTECTED]
Subject: Re: Problem with Fastethernet 2610 router [7:13497]


Thanks for your mail. 

No, the default route is already there. It is already defined in that
router. Infact I just copied it from the working router.

Thanks,
Kiran


On Tue, 24 Jul 2001, Patrick Ramsey wrote:

> sounds like you have missed a default route on the 2610.
> 
> The 2610 will not be able to see any other vlans unless the vlan it is
plugged into has an ip address assigned to it acting as a "gateway".  Then
you need to set that ip address as the 2610's default gateway.  (or at least
specify a specific route to the other vlans)
> 
> If this is a router conencted to the internet, you would defiantely want
to keep the default gw out it's serial interface.
> 
> -Patrick
> 
> 
> >>> "Kiran Kumar M"  07/24/01 10:27AM >>>
> Hai,
> 
> I am facing a strange problem. I am using a cisco 2610 router in my
> network. In that I am having one fastethernet, and 2 WIC2T . When I am
> connecting to the L3 switch, it is able to ping to that particular VLAN,
> and unable to ping to other VLANS or outside of that VLAN. If I use
> another router with ethernet card (becuase I am not having another
> ethernet card in first router), with the same setup it is able to
> communicate with the outside world. So I concluded that it is not the
> problem with L3 switch. I tried to find it on cisco site, but unable to
> locate the solution.
> 
> Thanks in advance,
> Kiran




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13568&t=13497



RE: Problem with Fastethernet 2610 router [7:13497]

2001-07-24 Thread Farhan Ahmed

cAN U SEND YR CONFIGS

-Original Message-
From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 10:40 PM
To: Farhan Ahmed
Cc: [EMAIL PROTECTED]
Subject: RE: Problem with Fastethernet 2610 router [7:13497]



It is not at all the routing problem. Because it is perfectly working with
the same configuration with other router with out any changes.

Thanks,
Kiran
On Tue, 24 Jul 2001, Farhan Ahmed wrote:

> u need to setup static route in both direction u just put only 1 route to
> the 1st vlan u need more rotes in both direc
> on the other vlans u should have static routes to router via x
> 
> -Original Message-
> From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 10:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Problem with Fastethernet 2610 router [7:13497]
> 
> 
> Thanks for your mail. 
> 
> No, the default route is already there. It is already defined in that
> router. Infact I just copied it from the working router.
> 
> Thanks,
> Kiran
> 
> 
> On Tue, 24 Jul 2001, Patrick Ramsey wrote:
> 
> > sounds like you have missed a default route on the 2610.
> > 
> > The 2610 will not be able to see any other vlans unless the vlan it is
> plugged into has an ip address assigned to it acting as a "gateway".  Then
> you need to set that ip address as the 2610's default gateway.  (or at
least
> specify a specific route to the other vlans)
> > 
> > If this is a router conencted to the internet, you would defiantely want
> to keep the default gw out it's serial interface.
> > 
> > -Patrick
> > 
> > 
> > >>> "Kiran Kumar M"  07/24/01 10:27AM >>>
> > Hai,
> > 
> > I am facing a strange problem. I am using a cisco 2610 router in my
> > network. In that I am having one fastethernet, and 2 WIC2T . When I am
> > connecting to the L3 switch, it is able to ping to that particular VLAN,
> > and unable to ping to other VLANS or outside of that VLAN. If I use
> > another router with ethernet card (becuase I am not having another
> > ethernet card in first router), with the same setup it is able to
> > communicate with the outside world. So I concluded that it is not the
> > problem with L3 switch. I tried to find it on cisco site, but unable to
> > locate the solution.
> > 
> > Thanks in advance,
> > Kiran




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13574&t=13497



RE: Problem with Fastethernet 2610 router [7:13497]

2001-07-24 Thread Farhan Ahmed

WHAT DO u mean by another router with ethernet card

nd unable to ping to other VLANS or outside of that VLAN. If I use
> > another router with ethernet card (becuase I am not having another
> > ethernet card in first router),
-Original Message-
From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 10:40 PM
To: Farhan Ahmed
Cc: [EMAIL PROTECTED]
Subject: RE: Problem with Fastethernet 2610 router [7:13497]



It is not at all the routing problem. Because it is perfectly working with
the same configuration with other router with out any changes.

Thanks,
Kiran
On Tue, 24 Jul 2001, Farhan Ahmed wrote:

> u need to setup static route in both direction u just put only 1 route to
> the 1st vlan u need more rotes in both direc
> on the other vlans u should have static routes to router via x
> 
> -Original Message-
> From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 10:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Problem with Fastethernet 2610 router [7:13497]
> 
> 
> Thanks for your mail. 
> 
> No, the default route is already there. It is already defined in that
> router. Infact I just copied it from the working router.
> 
> Thanks,
> Kiran
> 
> 
> On Tue, 24 Jul 2001, Patrick Ramsey wrote:
> 
> > sounds like you have missed a default route on the 2610.
> > 
> > The 2610 will not be able to see any other vlans unless the vlan it is
> plugged into has an ip address assigned to it acting as a "gateway".  Then
> you need to set that ip address as the 2610's default gateway.  (or at
least
> specify a specific route to the other vlans)
> > 
> > If this is a router conencted to the internet, you would defiantely want
> to keep the default gw out it's serial interface.
> > 
> > -Patrick
> > 
> > 
> > >>> "Kiran Kumar M"  07/24/01 10:27AM >>>
> > Hai,
> > 
> > I am facing a strange problem. I am using a cisco 2610 router in my
> > network. In that I am having one fastethernet, and 2 WIC2T . When I am
> > connecting to the L3 switch, it is able to ping to that particular VLAN,
> > and unable to ping to other VLANS or outside of that VLAN. If I use
> > another router with ethernet card (becuase I am not having another
> > ethernet card in first router), with the same setup it is able to
> > communicate with the outside world. So I concluded that it is not the
> > problem with L3 switch. I tried to find it on cisco site, but unable to
> > locate the solution.
> > 
> > Thanks in advance,
> > Kiran




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13575&t=13497



RE: Problem with Fastethernet 2610 router [7:13497]

2001-07-24 Thread Farhan Ahmed

what do u mean by safe side?

-Original Message-
From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 11:04 PM
To: Farhan Ahmed
Subject: RE: Problem with Fastethernet 2610 router [7:13497]



Nothing Actually second line is not required if we are defining the
first. But it was defined on safe side.. some time we remove the routing
after increasing the links..

Thanks,
Kiran


On Tue, 24 Jul 2001, Farhan Ahmed wrote:

> whats the diff bw these 2   
> ip route 0.0.0.0 0.0.0.0 192.168.2.1
> ip route 192.168.2.0 255.255.255.0 192.168.2.1
> !
> -Original Message-
> From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 10:57 PM
> To: Farhan Ahmed
> Cc: [EMAIL PROTECTED]
> Subject: RE: Problem with Fastethernet 2610 router [7:13497]
> 
> 
> 
> Sure. It is very simple configuration.
> 
> 2610 Router:
> 
> Current configuration:
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Router
> !
> enable secret 5 x
> enable password 
> !
> ip subnet-zero
> ip domain-name xx.xxx
> ip name-server xxx.xxx.xxx.xxx
> !
> !
> interface Loopback0
>  no ip address
>  no ip directed-broadcast
> !
> interface Ethernet0/0
>  ip address 192.168.2.2 255.255.255.0
>  no ip directed-broadcast
> !
> interface Serial0/0
>  no ip directed-broadcast
>  encapsulation ppp
>  no ip route-cache
>  no ip mroute-cache
>  shutdown
> !
> interface Serial0/1
>  ip address 192.168.1.61 255.255.255.252
>  no ip directed-broadcast
>  encapsulation ppp
>  no ip route-cache
>  no ip mroute-cache
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.2.1
> ip route 192.168.2.0 255.255.255.0 192.168.2.1
> !
> !
> !
> line con 0
>  transport input none
> line aux 0
> line vty 0 4
>  password xx
>  login
> !
> end
> 
> Here I replaced the passwords and IP address ( Actually I am using public
> IP address, here I mention the private IP addresses).
> 
> The very same is following on 2620 router also. Except one change. That is
> Ethernet is replaced with Fast ethernet.
> 
> Thanks,
> Kiran
> 
> 
> On Tue, 24 Jul 2001, Farhan Ahmed wrote:
> 
> > cAN U SEND YR CONFIGS
> > 
> > -Original Message-
> > From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 24, 2001 10:40 PM
> > To: Farhan Ahmed
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Problem with Fastethernet 2610 router [7:13497]
> > 
> > 
> > 
> > It is not at all the routing problem. Because it is perfectly working
with
> > the same configuration with other router with out any changes.
> > 
> > Thanks,
> > Kiran
> > On Tue, 24 Jul 2001, Farhan Ahmed wrote:
> > 
> > > u need to setup static route in both direction u just put only 1 route
> to
> > > the 1st vlan u need more rotes in both direc
> > > on the other vlans u should have static routes to router via x
> > > 
> > > -Original Message-
> > > From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, July 24, 2001 10:28 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Problem with Fastethernet 2610 router [7:13497]
> > > 
> > > 
> > > Thanks for your mail. 
> > > 
> > > No, the default route is already there. It is already defined in that
> > > router. Infact I just copied it from the working router.
> > > 
> > > Thanks,
> > > Kiran
> > > 
> > > 
> > > On Tue, 24 Jul 2001, Patrick Ramsey wrote:
> > > 
> > > > sounds like you have missed a default route on the 2610.
> > > > 
> > > > The 2610 will not be able to see any other vlans unless the vlan it
is
> > > plugged into has an ip address assigned to it acting as a "gateway".
> Then
> > > you need to set that ip address as the 2610's default gateway.  (or at
> > least
> > > specify a specific route to the other vlans)
> > > > 
> > > > If this is a router conencted to the internet, you would defiantely
> want
> > > to keep the default gw out it's serial interface.
> > > > 
> > > > -Patrick
> > > > 
> > > > 
> > > > >>> "Kiran Kumar M"  07/24/01 10:27AM >>>
> > > > Hai,
> > > > 
> > > > I am facing a strange problem. I am using a cisco 2610 router in my
> > > > network. In that I am

RE: Problem with Fastethernet 2610 router [7:13497]

2001-07-24 Thread Farhan Ahmed

nothing wrong but its illogical
same route pointing to one host none of them will work if that host is down
so there is no point of safe side.. right?

-Original Message-
From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 11:12 PM
To: Farhan Ahmed
Subject: RE: Problem with Fastethernet 2610 router [7:13497]



Here right now I am testing on only one interface, imagine If I have 10
WAN and 2 ethernet.. Then This kind of setting will be useful. We
generally follow it, so it was there.. What is the wrong in that ?


On Tue, 24 Jul 2001, Farhan Ahmed wrote:

> what do u mean by safe side?
> 
> -Original Message-
> From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 11:04 PM
> To: Farhan Ahmed
> Subject: RE: Problem with Fastethernet 2610 router [7:13497]
> 
> 
> 
> Nothing Actually second line is not required if we are defining the
> first. But it was defined on safe side.. some time we remove the routing
> after incresing the links..
> 
> Thanks,
> Kiran
> 
> 
> On Tue, 24 Jul 2001, Farhan Ahmed wrote:
> 
> > whats the diff bw these 2   
> > ip route 0.0.0.0 0.0.0.0 192.168.2.1
> > ip route 192.168.2.0 255.255.255.0 192.168.2.1
> > !
> > -Original Message-
> > From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 24, 2001 10:57 PM
> > To: Farhan Ahmed
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Problem with Fastethernet 2610 router [7:13497]
> > 
> > 
> > 
> > Sure. It is very simple configuration.
> > 
> > 2610 Router:
> > 
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname Router
> > !
> > enable secret 5 x
> > enable password 
> > !
> > ip subnet-zero
> > ip domain-name xx.xxx
> > ip name-server xxx.xxx.xxx.xxx
> > !
> > !
> > interface Loopback0
> >  no ip address
> >  no ip directed-broadcast
> > !
> > interface Ethernet0/0
> >  ip address 192.168.2.2 255.255.255.0
> >  no ip directed-broadcast
> > !
> > interface Serial0/0
> >  no ip directed-broadcast
> >  encapsulation ppp
> >  no ip route-cache
> >  no ip mroute-cache
> >  shutdown
> > !
> > interface Serial0/1
> >  ip address 192.168.1.61 255.255.255.252
> >  no ip directed-broadcast
> >  encapsulation ppp
> >  no ip route-cache
> >  no ip mroute-cache
> > !
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 192.168.2.1
> > ip route 192.168.2.0 255.255.255.0 192.168.2.1
> > !
> > !
> > !
> > line con 0
> >  transport input none
> > line aux 0
> > line vty 0 4
> >  password xx
> >  login
> > !
> > end
> > 
> > Here I replaced the passwords and IP address ( Actually I am using
public
> > IP address, here I mention the private IP addresses).
> > 
> > The very same is following on 2620 router also. Except one change. That
is
> > Ethernet is replaced with Fast ethernet.
> > 
> > Thanks,
> > Kiran
> > 
> > 
> > On Tue, 24 Jul 2001, Farhan Ahmed wrote:
> > 
> > > cAN U SEND YR CONFIGS
> > > 
> > > -Original Message-
> > > From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, July 24, 2001 10:40 PM
> > > To: Farhan Ahmed
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: Problem with Fastethernet 2610 router [7:13497]
> > > 
> > > 
> > > 
> > > It is not at all the routing problem. Because it is perfectly working
> with
> > > the same configuration with other router with out any changes.
> > > 
> > > Thanks,
> > > Kiran
> > > On Tue, 24 Jul 2001, Farhan Ahmed wrote:
> > > 
> > > > u need to setup static route in both direction u just put only 1
route
> > to
> > > > the 1st vlan u need more rotes in both direc
> > > > on the other vlans u should have static routes to router via x
> > > > 
> > > > -Original Message-
> > > > From: Kiran Kumar M [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, July 24, 2001 10:28 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: Problem with Fastethernet 2610 router [7:13497]
> > > > 
> > > > 
> > > > Thanks for your mail. 
> > > > 
> > > > No, the default rou

RE: last modem question ever (I can only hope) [7:13586]

2001-07-24 Thread Farhan Ahmed

try this
telnet 192.168.1.201 20(yourline#)
at
OK  READY
02:02:56: TTY3: DSR was dropped
02:02:56: tty3: Modem: READY->HANGUP
02:02:57: TTY3: dropping DTR, hanging up
02:02:57: tty3: Modem: HANGUP->IDLE
02:03:02: TTY3: restoring DTR

It looks to me like it connects (both from the debug
and the pretty lights on the modems themselves) but
that ppp negotiation does not start.  Hardwarewise I've
got a 3640 with a wic-2a/s and a 1720 with a wic-2a/s
attached to v.34 usr courier modems.  Here is the
relevant parts of the config from the router that is
dialing out.

!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PHX_Router
!
!
username dialto password 0 password
username dialfrom password 0 password
ip subnet-zero
!
isdn voice-call-failure 0
chat-script dialout ABORT ERROR "" "AT&F&C1&D2" OK
"ATDT \T" TIMEOUT 60 \c
call rsvp-sync
!
!
interface Serial2/0
 physical-layer async
 no ip address
 encapsulation ppp
 dialer in-band
 dialer pool-member 2
 async mode dedicated
!
interface Serial2/1
 physical-layer async
 no ip address
!
interface Dialer2
 ip address 10.145.1.2 255.255.255.0
 encapsulation ppp
 dialer pool 2
 dialer remote-name dialto
 dialer string 2546593
 dialer hold-queue 100
 dialer-group 2
 pulse-time 0
 ppp authentication chap
!
ip classless
ip route 192.168.1.0 255.255.255.0 Dialer2
no ip http server
!
dialer-list 2 protocol ip permit
!
!
!
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
 transport input none
line 65 66
 no exec
 script dialer dialout
 modem InOut
 modem autoconfigure type usr_courier
 transport input all
 stopbits 1
 speed 115200
line aux 0
line vty 0 4
 password password
 login
!
end


and here is the config from the modem it is dialing
into.

version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
username dialto password 0 password
username dialfrom password 0 password
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
chat-script dial ABORT ERROR "" "AT&F&C1&D2" OK "ATDT
\T" TIMEOUT 60 \c
chat-script resetusr ""
"at&fs0=1e0&r2&d2&c1&b1&h1&m4&k1q0&w" "OK"
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Serial0
 no ip address
!
interface Serial1
 physical-layer async
 no ip address
 encapsulation ppp
 dialer in-band
 dialer map ip 10.145.1.2 name Phx_Router broadcast
 dialer-group 1
 async mode dedicated
 ppp authentication chap
!
interface Serial2
 physical-layer async
 no ip address
!
interface FastEthernet0
 ip address 10.129.0.132 255.255.0.0
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1
no ip http server
!
dialer-list 1 protocol ip permit
!
line con 0
 transport input none
line 2 3
 no exec
 script dialer dial
 script reset resetusr
 modem InOut
 transport input all
 stopbits 1
 speed 115200
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end


I think I'm missing something pretty basic here, as in
I basically don't know what to do now.  Any help or
ideas would be greatly appreciated at this point.

Ben





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13589&t=13586



RE: last modem question ever (I can only hope) [7:13586]

2001-07-24 Thread Farhan Ahmed

try putting flowcontrol hardware

-Original
> hostname PHX_Router
> !
> !
> username dialto password 0 password
> username dialfrom password 0 password
> ip subnet-zero
> !
> isdn voice-call-failure 0
> chat-script dialout ABORT ERROR "" "AT&F&C1&D2" OK
> "ATDT \T" TIMEOUT 60 \c
> call rsvp-sync
> !
> !
> interface Serial2/0
>  physical-layer async
>  no ip address
>  encapsulation ppp
>  dialer in-band
>  dialer pool-member 2
>  async mode dedicated
> !
> interface Serial2/1
>  physical-layer async
>  no ip address
> !
> interface Dialer2
>  ip address 10.145.1.2 255.255.255.0
>  encapsulation ppp
>  dialer pool 2
>  dialer remote-name dialto
>  dialer string 2546593
>  dialer hold-queue 100
>  dialer-group 2
>  pulse-time 0
>  ppp authentication chap
> !
> ip classless
> ip route 192.168.1.0 255.255.255.0 Dialer2
> no ip http server
> !
> dialer-list 2 protocol ip permit
> !
> !
> !
> !
> !
> !
> dial-peer cor custom
> !
> !
> !
> !
> line con 0
>  exec-timeout 0 0
>  transport input none
> line 65 66
>  no exec
>  script dialer dialout
>  modem InOut
>  modem autoconfigure type usr_courier
>  transport input all
>  stopbits 1
>  speed 115200
> line aux 0
> line vty 0 4
>  password password
>  login
> !
> end
> 
> 
> and here is the config from the modem it is dialing
> into.
> 
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname Router
> !
> !
> username dialto password 0 password
> username dialfrom password 0 password
> !
> !
> !
> !
> memory-size iomem 25
> ip subnet-zero
> no ip domain-lookup
> !
> chat-script dial ABORT ERROR "" "AT&F&C1&D2" OK
> "ATDT
> \T" TIMEOUT 60 \c
> chat-script resetusr ""
> "at&fs0=1e0&r2&d2&c1&b1&h1&m4&k1q0&w" "OK"
> !
> !
> !
> interface Loopback0
>  ip address 192.168.1.1 255.255.255.255
> !
> interface Serial0
>  no ip address
> !
> interface Serial1
>  physical-layer async
>  no ip address
>  encapsulation ppp
>  dialer in-band
>  dialer map ip 10.145.1.2 name Phx_Router broadcast
>  dialer-group 1
>  async mode dedicated
>  ppp authentication chap
> !
> interface Serial2
>  physical-layer async
>  no ip address
> !
> interface FastEthernet0
>  ip address 10.129.0.132 255.255.0.0
>  speed auto
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial1
> no ip http server
> !
> dialer-list 1 protocol ip permit
> !
> line con 0
>  transport input none
> line 2 3
>  no exec
>  script dialer dial
>  script reset resetusr
>  modem InOut
>  transport input all
>  stopbits 1
>  speed 115200
> line aux 0
> line vty 0 4
> 
=== message truncated ===






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13596&t=13586



RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
 > OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = ...
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128   . 252 .  0.  0
1000.1100..
...
0  .  0.252 . 252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


""Farhan Ahmed""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> What mask would be used if you want to create an
> access list where the IP addresses (128.252.0.0 to
> 128.252.240.0) would be blocked
> pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13606&t=13564



RE: access list..cool up [7:13564]

2001-07-24 Thread Farhan Ahmed

Tac Certified Doc

Using Wildcard Masks in Access List Definitions
Question: How do I configure an access list to disallow network 10.90.0.0
255.255.0.0 from accessing 10.80.0.0 255.255.0.0, but allow it to access
others? 

I've entered the following commands: 

access list 101 deny ip 10.90.0.0 255.255.0.0 10.80.0.0 255.255.0.0

access list 101 permit ip any any

int vlan 90

ip access-group 101 out

But when I do a show run, I see the following: 

access-list 102 deny ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0

access-list 102 permit ip any any

Why does this happen? 
Answer: 

The problem is that you are using subnet masks rather than wildcard masks
in your access list definition.

A wildcard mask is just the opposite of a subnet mask: each time there is
a binary 1 in a subnet mask, you have to replace it with a 0 to get the
equivalent wildcard mask. In other words, if you have a subnet mask of
255.255.0.0, the equivalent wildcard mask is 0.0.255.255. The same idea
applies to subnet mask of 255.255.255.252, which becomes 0.0.0.3 as a
wildcard mask.




For your access list, you should enter the following lines to your
configuration:



access-list 101 deny ip 10.90.0.0 0.0.255.255 10.80.0.0 0.0.255.255

access-list 101 permit ip any any



Then type sh run to verify that the above lines are unchanged.


Last Modified: 30-NOV-99 

 

All contents copyright © 1992-2001 Cisco Systems, Inc. Important Notices
and Privacy Statement.

-Original Message-
From: fgh [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:40 AM
To: [EMAIL PROTECTED]
Subject: Re: access list.. [7:13564]


He wants to block the range 128.252.0.0-128.252.240.0 and permit all else.

access-list 1 deny 128.252.0.0 0.0.240.255
access-list 1 permit any

I have a CCIE and a sniffer instructor sitting next to me and they verified
that the above commands work for blocking the range and permitting
everything else.



- Original Message -
From: Ayers, Michael 
To: 'fgh' ; 
Sent: Tuesday, July 24, 2001 3:04 PM
Subject: RE: access list.. [7:13564]


> That should be 0.0.15.255, but that allows 240, and you have it backwards,
> you need to permit the first line (access-list 1 deny 128.252.0.0
> 0.0.15.255), and then deny the class b , then permit all else
>
>  -Original Message-
> From: fgh [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 24, 2001 1:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: access list.. [7:13564]
>
> access-list 1 deny 128.252.0.0 0.0.240.255
> access-list 1 permit any
>
> the 1st line blocks that range and the 2nd line allows all other traffic
>
>
>  i think? not positive though
>
>
> - Original Message -
> From: Farhan Ahmed
> To:
> Sent: Tuesday, July 24, 2001 1:28 PM
> Subject: access list.. [7:13564]
>
>
> > What mask would be used if you want to create an
> > access list where the IP addresses (128.252.0.0 to
> > 128.252.240.0) would be blocked
> > pls support with explanation,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13610&t=13564



RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

we wanted to block till 240

1-240



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:33 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Wouldn't the right answer be this:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.240.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~


-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 4:06 PM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Only problem, your scenario should be to block all from 0 to 239 to make an
easy solution.




 -Original Message-
From:   Ayers, Michael  
Sent:   Tuesday, July 24, 2001 1:40 PM
To: 'Farhan Ahmed'; Ayers, Michael; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

0.0.15.255 = 0000 0000 0000 0000 0000 1111 1111 1111

I only care what the first 20 bits are.  So 128.252 are 16 bits, we can
ignore them (they match visually).  The last octet is all 1, so we can
ignore that also don't care.

We also don't care what the last 4 bits are, so we do care what the first 4
are.  If we use 128.252.240.0,

we get 1000 0000 1111 1100 1111 0000 0000 0000 in binary.
We only want to focus on the 3rd octet.

SO
CARE  Don't Care  Decimal Number
1111  0000        240
1111  0001        241
1111  0010        242
1111  0011        243
1111  0100        244
1111  0101        245
1111  0110        246
1111  0111        247
1111  1000        248
1111  1001        249
1111  1010        250
1111  1011        251
1111  1100        252
1111  1101        253
1111  1110        254
1111  1111        255

 -Original Message-
From:   Farhan Ahmed [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 1:35 PM
To: 'Ayers, Michael'; [EMAIL PROTECTED]
Subject:RE: access list.. [7:13564]

should be 0.0.15.255
but how?

-Original Message-
From: Ayers, Michael [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:27 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Your statement (access-list 101 deny ip 128.252.0.0 0.0.255.255
128.252.240.0 0.0.255.255), will AND off the 240 part, and still block all
of the class b



Thank You,


Michael Ayers
Network Engineer
OneNeck IT Services
(480) 539-2203
(800) 272-3077


 -Original Message-
From:   MikeN [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, July 24, 2001 12:49 PM
To: [EMAIL PROTECTED]
Subject:Re: access list.. [7:13564]

Okay.. default masks meaning classful class B.
128.252.0.0 with a subnet mask of 255.255.0.0
 and
128.252.240.0  with a subnet mask of 255.255.0.0

On a router you would use the wildcard mask (inverse) of the subnet mask:

access-list 101 deny ip 128.252.0.0 0.0.255.255 128.252.240.0 0.0.255.255
access-list 101 permit ip any any
Then apply it to the interface with ip access-group 101 in or out depending
on what interface it is applied to.

It is easy to envision what the wildcard mask is and what it does if we view
the decimal numbers in binary format:
wildcard mask 0.0.255.255 = 00000000.00000000.11111111.11111111
0's = interesting part of the address is to the router; 1's = portion of
address the router isn't going to care about; this portion of the address
could be any number.

If you list the ip address in binary above the wildcard mask, it looks like
this:
   128  .   252  .    0   .    0
10000000.11111100.00000000.00000000
00000000.00000000.11111111.11111111
    0   .    0   .   252  .   252

The router will only view the portion of the address NOT blocked by 1's as
interesting: 128.252.x.x

You will need to grasp this concept before moving on to subnetting and
supernetting.

There are some excellent explanations for how this works in the Cisco Press
CCNA books.

To confirm, this is for routers and not the PIX ACLs.

HTH
MikeN


""Farhan Ahmed""  wrote in message
news:[EMAIL PROTECTED]...
> What mask would be used if you want to create an
> access list where the IP addresses (128.252.0.0 to
> 128.252.240.0) would be blocked
> pls support with explanation,

RE: access list.. [7:13564]

2001-07-24 Thread Farhan Ahmed

i think b4 it was ok

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 1:46 AM
To: [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Oops, I made an error - sorry.

It should be:

ip access-list 101 deny 128.252.240.0 0.0.0.255

ip access-list 101 permit 128.252.240.0 0.0.15.255

ip access-list 101 deny 128.252.0.0 0.0.255.255

ip access-list 101 permit any

Line 1 would block .240
Line 2 would allow .240 thru .255
Line 3 would block .0 thru .255
Line 4 would allow the rest

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




RE: access list.. [7:13564]

2001-07-25 Thread Farhan Ahmed

solution2; will permit 1-240 range and the deny statement will deny the rest
that's opposite

to get a wild mask
we put higher minus lower

  255.255.255.255
- 255.255.240.  0
=   0.  0. 15.255

so the router will permit 1-240 instead

-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 9:22 PM
To: 'Farhan Ahmed'; [EMAIL PROTECTED]
Subject: RE: access list.. [7:13564]


Objective:  
Create an Access list to block the source address range 128.252.0.0 to
128.252.240.0

Solution 1:
access-list 1 deny 128.252.0.0    0.0.127.255   Blocks 128.252.0-127.0-255
access-list 1 deny 128.252.128.0  0.0.63.255    Blocks 128.252.128-191.0-255
access-list 1 deny 128.252.192.0  0.0.31.255    Blocks 128.252.192-223.0-255
access-list 1 deny 128.252.224.0  0.0.15.255    Blocks 128.252.224-239.0-255
access-list 1 permit any                        Allows all other traffic to pass.

Solution 2:
access-list 1 permit 128.252.240.0 0.0.15.255   Permits 128.252.240-255.0-255
access-list 1 deny 128.252.0.0 0.0.255.255      Denies traffic from 128.252 that is not permitted by the previous line
access-list 1 permit any

Notes:
Both Solutions work, but solution 2 has fewer lines and will result in less
processor utilization in most scenarios.

-Ejay



-Original Message-
From: Farhan Ahmed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 24, 2001 2:29 PM
To: [EMAIL PROTECTED]
Subject: access list.. [7:13564]


What mask would be used if you want to create an
access list where the IP addresses (128.252.0.0 to
128.252.240.0) would be blocked
pls support with explanation,





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13790&t=13564
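
The wildcard-mask proposals in this thread can be checked mechanically. The following is an added example, not code from any poster: a small Python model of IOS-style first-match standard-ACL evaluation, run against the single-line ACL with wildcard 0.0.240.255 and against Solution 1 and Solution 2 as posted. All function and variable names are illustrative assumptions.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def evaluate(acl, addr):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if matches(addr, base, wildcard):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")  # equivalent of the "any" keyword
# ACLs transcribed from the thread (standard ACLs match the source address).
SINGLE_LINE = [("deny", "128.252.0.0", "0.0.240.255"), ("permit", *ANY)]
SOLUTION_1 = [
    ("deny", "128.252.0.0", "0.0.127.255"),
    ("deny", "128.252.128.0", "0.0.63.255"),
    ("deny", "128.252.192.0", "0.0.31.255"),
    ("deny", "128.252.224.0", "0.0.15.255"),
    ("permit", *ANY),
]
SOLUTION_2 = [
    ("permit", "128.252.240.0", "0.0.15.255"),
    ("deny", "128.252.0.0", "0.0.255.255"),
    ("permit", *ANY),
]

def denied_third_octets(acl):
    """Third-octet values x for which source 128.252.x.1 is denied."""
    return [x for x in range(256) if evaluate(acl, f"128.252.{x}.1") == "deny"]

def as_ranges(values):
    """Collapse a sorted list of ints into (start, end) runs."""
    runs = []
    for v in values:
        if runs and v == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], v)
        else:
            runs.append((v, v))
    return runs

if __name__ == "__main__":
    for name, acl in [("single line", SINGLE_LINE), ("solution 1", SOLUTION_1), ("solution 2", SOLUTION_2)]:
        print(name, as_ranges(denied_third_octets(acl)))
```

Run directly, it shows the single-line ACL denying only third octets 0, 16, 32, ..., 240, because a wildcard must mark ignored bits and 240 ignores the high four bits of the octet, while both multi-line solutions deny 0-239 as one contiguous block.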



RE: access list.. [7:13564]

2001-07-25 Thread Farhan Ahmed

hi ejay..

subnet calc won't calc wild mask, or does it?

Best Regards
> -Original Message-
> From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 26, 2001 12:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: access list.. [7:13564]
> 
> 
> No, Solution2 is correct. 
> The objective was to permit x.x.240-255.0-255 per the 
> original message :
> >What mask would be used if you want to create an
> >access list where the IP addresses (128.252.0.0 to
> >128.252.240.0) would be blocked
> >pls support with explanation,
> 
> You can check it with the subnet calculator from B0s0n Software.
> 
> -ejay
> 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13835&t=13564