Re: Pix & non-Rfc networks. [7:56347]

2002-10-28 Thread Gaz
In article , [EMAIL PROTECTED] 
says...
> Gaz wrote:
> > 
> > I would have thought Windows 98 would accept something like:
> > 
> > route add 100.100.100.240 mask 255.255.255.240 [default gateway]
> 
> It depends on the host's own address. And I've forgotten what we said that
> was by now. ;-)
> 
> > 
> > I don't think there's any restriction to host routes.
> 
> A host route is one that specifies a specific address, i.e. the mask is
> 255.255.255.255. I doubt there are restrictions to that either, although,
> obviously, you have to point to a local default gateway and not just any
> old address.
> 

Thanks :-)

> But there are restrictions to other routes, depending on the bit pattern.
> I'm using different addresses than in our example and don't really feel like
> twiddling bits, but I was able to do something like this:
> 
> My address is 100.100.100.17 255.255.255.224
> 
> I can:
> 
> route add 100.100.100.16 mask 255.255.255.240 gateway
> 
> That causes the packets for 100.100.100.16/28 to go through the gateway
> router.
> 
> I can't do the following though. Windows 98 gives an error message and won't
> add the route:
> 
> route add 100.100.100.2 mask 255.255.255.240 gateway
> 
> I can do this though:
> 
> route add 100.100.100.2 mask 255.255.255.254 gateway

Not sure what you were trying with the first one. Have I misunderstood? 
I don't know any device that would accept a route without using the 
network address. (100.100.100.2 is the network address for a 
255.255.255.254 mask, but not for 255.255.255.224).

But now you've got me worried, because I know your pedigree :-). 
Humo(u)r me. What d'ya mean.


All this has given me an idea though.
I would like to have used the same IP address on my laptop when I'm at 
home and at work.
I had to change my local subnet at home, because when I VPN in to work, 
I have 192.168.80.0/24 at both ends. I should, if what we're thinking is 
right, be able to put a more specific route on for the odd addresses I 
need to get to at work, primarily remote desktop to my work PC, our 
local router and a couple of terminal servers.
That way I can leave my IP address the same for both locations 
(probably).

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56420&t=56347
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Pix & non-Rfc networks. [7:56347]

2002-10-28 Thread Gaz
In article , [EMAIL PROTECTED] 
says...
> > 
> > Can I chip in with a question for everyone now?
> > 
> > If you apply more specific routes to all devices for an address
> > which
> > should appear on your local subnet, will it then try the routed
> > path to
> > the device.
> > 
> > eg Machine addressed 100.100.100.100 255.255.255.0
> > route add 100.100.100.10 mask 255.255.255.255 [default gateway]
> 
> This is a host-specific route. Operating systems should understand this and
> behave correctly. Host-specific routes have been around for a long time,
> like probably since the birth of IP. They solve various problems.
> 
> So I tried it on a Windows 98 PC. I added the route and then pinged the
> device specified in the addition.
> 
> The PC ARPed for the default gateway and then sent the ping to the default
> gateway, even though the device is really local. The default gateway sent
> the packet back out the same Ethernet and the local machine replied directly
> to my PC. I would have expected a redirect from the router too, but I didn't
> see one.
> 
> Now, is this behavior specific to the host-specific route? I wonder if I do
> something like:
> 
> route add 100.100.100.2 255.255.255.0 default gateway
> 
> Hmm
> 
> Oh, Windows 98 won't let me do that! ;-) It will only let me add a
> host-specific route. Makes sense I guess. And then it does behave correctly
> when I add a host-specific route (e.g., it does what the route tells it to do.)
> 
> ___
> 
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
> 
> > 
> > Not that you'd want to do it, but just wondering.
> > 
> > 
> > Cheers,
> > 
> > Gaz
> > 

I would have thought Windows 98 would accept something like:

route add 100.100.100.240 mask 255.255.255.240 [default gateway]

I don't think there's any restriction to host routes.

I wonder though if you don't bother with the individual route on the 
PC's (which you obviously wouldn't want to do on a larger scale), would 
the router proxy arp for addresses which should be on its ethernet, if 
you applied a route via the serial for example.

I'll try it later, but I'm having my dinner :-))

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56417&t=56347



Re: Pix & non-Rfc networks. [7:56347]

2002-10-28 Thread Gaz
H The new DNS idea to negate the need for alias is neat. Not as 
neat as not buggering up the IP addressing in the first place :-)

I hadn't considered using overlapping NAT because of the DNS problems, 
but I suppose alias would have done it and now it's even easier, but I 
will still avoid it at all costs. 

With the internet (DNS), I think it's too much of a bodge not to cause 
problems in the long run.


Gaz


In article , 
[EMAIL PROTECTED] says...
> To all,
> 
> In 6.2 of the FOS you CAN do this :-).
> 
> You just have a situation of overlapping networks. Here is the info on how
> to accomplish this:
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800eb71e.html#xtocid26
> (watch the wrap).
> 
> Cheers!
> 
> Richard
> 
> 
> ""Brett spunt""  wrote in message
> news:200210270014.AAA27223@;groupstudy.com...
> > True, but that network is not a private ip, so if inside host is trying to
> > hit a "live" web server at 192.5.2.x, they are SCREWED, ya
> > know.
> >
> > -Original Message-
> > From: gogarty [mailto:ciaron@;gogarty.net]
> > Sent: Saturday, October 26, 2002 4:47 PM
> > To: Brett spunt; [EMAIL PROTECTED]
> > Subject: Re: Pix & non-Rfc networks. [7:56347]
> >
> >
> > No need to doubt.  If you have the network 192.5.2.0/24 inside the pix, why
> > would a client want to connect to the same network outside the pix?  As far
> > as the client is concerned it is ON the 192.5.2.0/24 network!!
> >
> > - Original Message -
> > From: "Brett spunt"
> > To:
> > Sent: Saturday, October 26, 2002 7:36 PM
> > Subject: RE: Pix & non-Rfc networks. [7:56347]
> >
> >
> > > Yes,
> > >
> > > You will never even make it to the pix if you're destined for the
> > > 192.5.2.0/24 network.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]On Behalf Of
> > > [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56416&t=56347



Re: PCMCIA Flash [7:53866]

2002-10-27 Thread Gaz
In article , [EMAIL PROTECTED] 
says...
> Hello,
> 
> W2K and XP recognize CISCO flash cards without any problems, what do you
> need - drivers, which you can download from internet. As soon as drivers
> will be installed you can start to use your flash card as a removable HD.
> 
> Regards
> Igor
> 
> ""Steven Greeno""  wrote in message
> news:200209222114.VAA12315@;groupstudy.com...
> > Is there any way to copy images to the PC-Card based Flash using a laptop,
> > either with a special card reader or using software and the PC-Card slot on
> > a laptop?  I am just curious if I could copy IOS images for distribution to
> > the Flash card using my laptop then take card to the devices and load IOS
> > version.  (In situations where TFTP isn't feasible or the best option.)
> >
> > Thanks.
> > steven
Are you saying that there is some PC software which will put them in the 
right format for Cisco.
I'm sceptical, but would be good.


Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56386&t=53866



Re: Pix & non-Rfc networks. [7:56347]

2002-10-26 Thread Gaz
In article , 
[EMAIL PROTECTED] says...
> Hello,
> 
> I was just reading this document,from the following link
> http://www.cisco.com/warp/customer/110/8.html I have attached the Pdf file
> of the same for your convenience :-).
> 
> 
> now coming to my doubt. 
> 
> If I have a network say like 192.5.2.0/24 inside the pix (connecting to
> internet) Does it mean that all the sites with 192.5.2.0/24 would not be
> accessible to the inside network ?? 
> 
> thanks and regards,
> Murali
> 

Yes, but it's not limited to the Pix.

If your internal network is using one subnet, your devices will never be 
able to get to devices on the Internet using addresses from the same 
subnet.

When your machine looks at the destination address, it thinks it is on 
its local network (layer 2) and will not even bother going to the 
default gateway for it.

I've done the same thing by 'fat fingering' the mask to encapsulate more 
than the intended addresses (255.255.0.0 instead of 255.255.255.0 for 
instance). If the destination address would normally fall outside your 
subnet, but you stuffed up the mask and now it is included, your machine 
doesn't bother going to the default gateway to find it.

Can I chip in with a question for everyone now?

If you apply more specific routes to all devices for an address which 
should appear on your local subnet, will it then try the routed path to 
the device.

eg Machine addressed 100.100.100.100 255.255.255.0
route add 100.100.100.10 mask 255.255.255.255 [default gateway]

Not that you'd want to do it, but just wondering.


Cheers,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56363&t=56347
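The forwarding decision this thread keeps coming back to (on-link delivery for an overlapping or mis-masked subnet, the host route that sends a local address via the gateway, and the route Windows 98 refused in the replies above), as an added example that is not part of any poster's message. It is a model of longest-prefix route selection, not Windows 98's code; the class and method names and the gateway addresses 192.5.2.1, 10.1.1.1 and 100.100.100.1 are assumptions made for illustration.

```python
import ipaddress


class RouteError(ValueError):
    """The route was refused, as a host stack would refuse it."""


class HostRoutingTable:
    """Model of an IPv4 host's forwarding decision: longest matching prefix wins."""

    def __init__(self, address, mask, default_gateway):
        iface = ipaddress.IPv4Interface(f"{address}/{mask}")
        self.connected = iface.network
        self.gateway = ipaddress.IPv4Address(default_gateway)
        if self.gateway not in self.connected:
            raise RouteError("default gateway is not on the local subnet")
        # (network, next hop); next hop None means "on-link, ARP for the target".
        self.routes = [
            (self.connected, None),
            (ipaddress.IPv4Network("0.0.0.0/0"), self.gateway),
        ]

    def add_route(self, destination, mask, gateway=None):
        dest = ipaddress.IPv4Address(destination)
        netmask = ipaddress.IPv4Address(mask)
        # The destination must be the network address for the mask:
        # (destination AND mask) == destination, i.e. no host bits set.
        if int(dest) & int(netmask) != int(dest):
            raise RouteError(f"{destination} is not a network address for mask {mask}")
        network = ipaddress.IPv4Network(f"{destination}/{mask}")
        hop = ipaddress.IPv4Address(gateway) if gateway else self.gateway
        # The next hop has to be directly reachable, not just any old address.
        if hop not in self.connected:
            raise RouteError(f"gateway {hop} is not on the local subnet")
        self.routes.append((network, hop))
        return network

    def lookup(self, destination):
        dest = ipaddress.IPv4Address(destination)
        matches = [(net, hop) for net, hop in self.routes if dest in net]
        net, hop = max(matches, key=lambda route: route[0].prefixlen)
        if hop is None:
            return ("on-link", str(dest))
        return ("gateway", str(hop))


if __name__ == "__main__":
    # Inside network 192.5.2.0/24: an Internet server in the same range looks local.
    inside = HostRoutingTable("192.5.2.10", "255.255.255.0", "192.5.2.1")
    print(inside.lookup("192.5.2.200"))

    # 'Fat fingered' mask: 255.255.0.0 swallows a neighbouring /24.
    wrong = HostRoutingTable("10.1.1.10", "255.255.0.0", "10.1.1.1")
    print(wrong.lookup("10.1.2.5"))

    # A /32 host route is more specific than the connected /24, so it wins.
    pc = HostRoutingTable("100.100.100.100", "255.255.255.0", "100.100.100.1")
    pc.add_route("100.100.100.10", "255.255.255.255")
    print(pc.lookup("100.100.100.10"), pc.lookup("100.100.100.11"))

    # The three routes tried from 100.100.100.17 255.255.255.224.
    host = HostRoutingTable("100.100.100.17", "255.255.255.224", "100.100.100.1")
    for dest, mask in [("100.100.100.16", "255.255.255.240"),
                       ("100.100.100.2", "255.255.255.240"),
                       ("100.100.100.2", "255.255.255.254")]:
        try:
            print("added", host.add_route(dest, mask))
        except RouteError as err:
            print("refused:", err)
```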



RE: VRRP Question [7:55429]

2002-10-13 Thread Gaz

There doesn't seem to be too much of a problem as long as the master 
stays healthy.
There seem to be major problems though if the master flaps.
I'm sure there may be an answer to this. If not I can't imagine me using 
VRRP much. I'll stick to the proprietary protocols.
I would have thought that VRRP would have been developed from some of 
the proprietary protocols so I would have thought that it would have at 
least equalled them?

I'll have a read of the RFC.


Gaz


In article , Priscilla says...
> The RFC for VRRP (2338) says this:
> 
> Once Master election has been performed then any unnecessary transitions
> between Master and Backup routers can result in a disruption in service. The
> protocol should ensure after Master election that no state transition is
> triggered by any Backup router of equal or lower preference as long as the
> Master continues to function properly.
> 
> It kind of waters that down with the next comment, though:
> 
> Some environments may find it beneficial to avoid the state transition
> triggered when a router becomes available that is more preferential than the
> current Master. It may be useful to support an override of the immediate
> convergence to the preferred path.
> 
> You might want to read the RFC more carefully than I did though. I'm kind of
> rushing so I can watch some baseball!
> 
> ___
> 
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
> 
> Gaz wrote:
> > 
> > Hi all,
> > 
> > I actually thought of this question while working with VRRP on
> > Foundry
> > kit. I came across a query, and thought 'I bet Cisco isn't this
> > cr*p at
> > it'.
> > This is very possibly me as I played with VRRP for the first
> > time today,
> > but I've not found the answer yet with Cisco either.
> > 
> > 
> > The set up is simple:
> > 
> > A couple of routers running VRRP, with a network on the other
> > side of
> > them running OSPF.
> > 
> > If the master router goes down, (or for that matter, an
> > interface being
> > tracked goes down), the backup takes over. If the master comes
> > back up
> > it immediately takes over as active again, even though it
> > hasn't got




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55506&t=55429



VRRP Question [7:55429]

2002-10-11 Thread Gaz
Hi all,

I actually thought of this question while working with VRRP on Foundry 
kit. I came across a query, and thought 'I bet Cisco isn't this cr*p at 
it'.
This is very possibly me as I played with VRRP for the first time today, 
but I've not found the answer yet with Cisco either.


The set up is simple:

A couple of routers running VRRP, with a network on the other side of 
them running OSPF.

If the master router goes down, (or for that matter, an interface being 
tracked goes down), the backup takes over. If the master comes back up 
it immediately takes over as active again, even though it hasn't got 
half of its routes yet (OSPF is still doing its thing), so ruins things 
for a while.

Now OSPF has sorted itself out again, and everything's OK - but suppose 
the master goes down again, and the back up takes over.
If the master flaps my VRRP destroys the subnet it's being used for.

I've messed with "vrrp 1 preempt delay 60", but this seems to be for 
backup routers only and doesn't apply to the master.


Any thoughts?



Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55429&t=55429



Re: changing telnet port in router [7:55377]

2002-10-11 Thread Gaz
In article , [EMAIL PROTECTED] 
says...
> I forgot how to  change the telnet port in the router from 23.

So did I.

Don't think you can, but no doubt someone will correct me if wrong.
What's the reason?
SSH help at all?

Gaz

> Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55422&t=55377



Re: General PIX question DES/3DES [7:55200]

2002-10-11 Thread Gaz
In article , [EMAIL PROTECTED] 
says...
> 3DES is subject to country implementation. So need to request to Cisco for 
> implementation of the 3DES.
> CMIAW
> 
> Best Regards,
> HATO
> 
> 
> >From: "[EMAIL PROTECTED]" 
> >Reply-To: "[EMAIL PROTECTED]" 
> >To: [EMAIL PROTECTED]
> >Subject: General PIX question DES/3DES [7:55200]
> >Date: Wed, 9 Oct 2002 17:35:10 GMT
> >
> >Do any of the PIX firewalls come with 3DES or is it an upgrade option on 
> >all
> >the models  Particularly the PIX-525-UR-BUN.
> >
> >Thanx,
> >mkj
I may be mistaken, but  I seem to remember the 3DES licence for the 
bigger Pix's (525) are about #450 (GBP).
The smaller ones are much cheaper starting at about 40 GBP for the 501 
and rising.


Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55414&t=55200



RE: Tech Tips [7:55015]

2002-10-08 Thread Gaz

What about Software Bug Toolkit!

Where do you reckon that belongs?

Ahhh - Troubleshooting Tools!

Nope!

Configuration Tools. 

Wot?


In article , [EMAIL PROTECTED] 
says...
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Persio Pucci
> Sent: Monday, October 07, 2002 1:38 PM
> To: [EMAIL PROTECTED]
> Subject: Tech Tips [7:55015]
> 
> Hey folks,
> 
> where did the "Tech Tips" go that I cannot find it anywhere in the new Cisco
> site? Did anybody find it already? :(
> 
> Regards,
> 
> Persio




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55130&t=55015



RE: Off topic - Cisco's jazzy web site [7:54966]

2002-10-08 Thread Gaz

I think the idea is that when you look for a 2600 for example, 
everything is there together (the sales gumpf, the tech specs, etc etc)
Not sure whether that's a good idea or not. As an engineer you're fairly 
regularly going to certain areas, and it's handy to have the info for 
all the routers there, rather than going to a different place for each 
router (if that's the way it's going).

Gaz


In article , 
[EMAIL PROTECTED] says...
> I'm seeing more integration between the marketing materials and the
> technical materials. As expected, the marketing seems to be prominent.
> I'll keep an open mind as to its improved/not improved logic.
> 
> > -Original Message-
> > From: John Neiberger [mailto:[EMAIL PROTECTED]]
> 
> > Ugh...I just took a look.  Am I the only one who thinks this 
> > is horrid?
> > Perhaps I'm too used to the old layout but this seems to be much more
> > difficult to follow.  
> > 
> > Oh well, in a few months I'm sure it will be old-hat.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55129&t=54966



Re: Off topic - Cisco's jazzy web site [7:54966]

2002-10-06 Thread Gaz

In article , 
[EMAIL PROTECTED] says...
> Hey Chuck,
> Yep, I noticed this as well.  The greatest addition to
> the new site is the button/link(image) that read "Go to the old Site".
> After mastering where all the information is on CCO, it's going to take
> some time to familiarize myself with the new layout..
> 
> Nigel
> 
> - Original Message -
> From: "Chuck's Long Road" 
> To: 
> Sent: Sunday, October 06, 2002 10:46 AM
> Subject: Off topic - Cisco's jazzy web site [7:54966]
> 
> 
> > Apparently the elves were busy last night. CCO has a new look.
> >
> > www.cisco.com
> >
> >
> >
> > --
> >
> > www.chuckslongroad.info
> > like my web site?
> > take the survey!
We went to a Cisco presentation to introduce the new web site. It has 
been developed from customer feedback apparently.
I'm sure most customers would say leave the bloody thing alone for a bit 
:-)

Myself and 2 CCIE's went to the two hour presentation, and had to 
chuckle as we walked out and our summary was "Same shit - different 
place"

Can't knock it really though. I have worked with masses of different 
products over the years, and in my view, one of the best things about 
Cisco is the availability and quality of information on their web site.


Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54977&t=54966



Re: =======> FIREWALL <======== [7:54938]

2002-10-05 Thread Gaz

In article , [EMAIL PROTECTED] says...
> Hi all
> 
> Would u tell me any website that contain materials and concept of firewall
> implementation with different brands like cisco and checkpoint
> 
> 
> Appreciated
> Joupin
> www.joupin.com
I've done more Pix than Checkpoint, although I haven't gone for the 
qualifications in Cisco yet. The best place I have found for Firewall-1 
is www.phoneboy.com.
He is excellent.
The best place for the Pix is still CCO as far as I know.

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54941&t=54938



Re: How to dial in & power up home lab?? [7:54768]

2002-10-03 Thread Gaz

In article , [EMAIL PROTECTED] 
says...
> Dear GroupStudy,
> 
> Here is my interesting dilemma.  I hope someone can lend some insight...
> 
> 1 - I only have dial-up (no cable modem - i.e. no constant connection to
> Internet).
> 2 - I travel for work, so I'm not home very often.
> 3 - I have a lab that I would like to use rather often.
> 4 - I do not want to spend a lot of $$ on long distance to dial up my
> lab.
> 5 - I also do not want to spend a lot of $$ on electricity if the lab is
> not in use.
> 6 - I have (will have) an APC MasterSwitch PDU that I know can be used
> to remotely power up/power down the lab.
> 7 - The lab consists of all 2500 series routers (7 of them).
> 
> I do not know if I can dial in to the PDU in order to power up the lab
> (this I can figure out).  Once the lab is powered up, is there a way to
> have one of the routers dial up my ISP?  But then, how would I know what
> the IP address of the router is (since the ISP uses DHCP) in order to
> telnet to the lab?
> 
> One of the solutions I have thought of is to dial up my PC (with wake on
> LAN - if that works on the modem), disconnect.  Then the dial up
> connection would be in my startup folder so the PC would dial the ISP
> automatically.  Then I would dial up the ISP from wherever I would be.
> Then I still have the problem of knowing my IP address.  A friend said
> to use ICQ.  I don't know how that works, but will try it.
> 
> I think I have covered everything.  Thanks in advance for any help.
> 
> Jake Secrist
I set a similar thing up at home although it doesn't answer all of your 
questions it may give you other ideas. Try www.no-ip.com.
For simple dynamic DNS they offer a free service. It seems to work fine 
for me.
I use Windows XP remote desktop to a home PC and connect to everything 
else from there. Bit of a strange set-up, but I use Internet Connection 
sharing on the XP box and all the routers sit behind that.
 I suppose the security may not be wonderful?? but to be honest I don't 
care. The XP machine can be re-built in minutes (ish).

I don't have the problem of remote power on, as I have a much more 
complicated and infinitely more expensive device which powers everything 
on when needed. Unfortunately she's not always in when I call, but you 
can't have everything :-)


Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54836&t=54768



Re: PIX Failover [7:51491]

2002-08-16 Thread Gaz

In article , [EMAIL PROTECTED] 
says...
> Hi,
> 
> In a Stateful configuration, and two PIX are interconnected via a
> dedicated Failover Fastethernet, in case of the Active unit's Internal
> interface fails, is there any method to shift traffic to the Standby
> unit's Internal interface to maintain connectivity, thanks.
> 
> Leo
> Best Regards.
Not sure what you mean there. That's what failover does unless I'm 
misunderstanding your question.

You configure the main IP address for the interface and you configure a 
failover address. If the Pix's decide that the active one has a problem 
(power,interface down etc) the secondary pix takes over the main IP 
address.
If the primary is still contactable it will have the failover IP address 
on its inside interface.

That's why it's safe to telnet to the main IP address and you know that 
you're on the active Pix, but by console you need to do a show fail to 
make sure the device you're on is primary active or secondary active 
before you make changes.

Regards,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51497&t=51491



Modem Speeds for callback [7:51472]

2002-08-15 Thread Gaz

Hi All,

This is probably a pretty basic question if you've done a bit of work 
with modems.
If for instance a PC with a 56k modem dials in to an AS5300 with V90 
capable modems (or V92?), and activates a call back, will the call back 
be able to connect at up to 56k.
I'm not too sure what this is dependent on. Could the AS5300 do it if 
the other modem was capable, and are the usual PC modems capable of 
answering calls and negotiating speeds of up to 56k.(or are there any PC 
modems at all capable of receiving at 56k).


Sorry - I'm sort of struggling to ask the right questions. Anybody fancy 
having a go at explaining the options.


Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51472&t=51472
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Dial out solution [7:51230]

2002-08-12 Thread Gaz

In article , [EMAIL PROTECTED] 
says...
> We replaced our Shiva LanRover with a Cisco AS5300. 
> We then purchased a software product called DialOut EZ
> that allowed for clients to do a remote reverse telnet
> session and associate it with a com port.  It was
> actually very easy to set up and it was recommended by
> cisco so the support is there.
> 
> Thanks,
> Benjamin Pierce
> --- "neil K."  wrote:
> > Hi All,
> > Guys I am currently using a Shiva modem pool for
> > dial out, Is there a Cisco
> > solution for this.The Shiva is not working upto our
> > expectations.
> > Will the Cisco Access Servers or a cisco 3640 with
> > modem card be able to do
> > the same.
> > 
> > Any help will be highly appreciated.
> > 
> > Thanks,
> > 
> > neiL
> [EMAIL PROTECTED]
> 
> 
This is probably a more recent version of the one I mentioned a couple 
of weeks ago "Cisco Dialout".
Cisco Dialout became a free download, before it disappeared. Although 
it's no longer supported it may give you an idea if it's what you want.
I don't think I'm doing anybody out of business with this. If you want 
support, etc, you're going to have to pay for an up to date 3rd party 
version.

A few people asked me for a copy last time and my dial-up connection got 
hammered, so if you'd like a copy I dumped it on an old web page. This 
is not a plug, it's just a page I used to sell my road bike and it's 
gone.
Go to www.bikespace.co.uk and click on the download button.
Please use at your own risk.

Cheers,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51270&t=51230



Re: Cisco PIX 3DES [7:51144]

2002-08-11 Thread Gaz

I think list price is about #60 sterling so I would imagine that's about 100
US dollars (list price)

Gaz


""Elijah Savage III""  wrote in message
news:[EMAIL PROTECTED]...
> Does anyone know what the price is for ordering the 3DES software for
> the pix 501.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51155&t=51144



Re: Pix logging to a Freebsd syslog server [7:51124]

2002-08-10 Thread Gaz

Is it really the source port?

Normally the destination port is UDP 514.

Does it care what the source port is?

Gaz


""HORVATH TAMAS""  wrote in message
news:[EMAIL PROTECTED]...
> Hello!
>
> To Neal Rauhauser : If you don't specify source port, the PIX (OS 6.x) will
> send syslog messages from UDP port 514!! You can change this to whatever
> from range 1025-65535 : for example: logging host inside 192.168.11.4 udp/1025
>
> So I think this is not a problem, if the FreeBSD syslogd expects the packets
> to be sourced from UDP port 514.
>
>
> To Elijah Savage: Did you check the connections among syslog host and PIX
> inside interface, and IP addresses and mask? If they are correct then the
> problem will be in the FreeBSD syslogd config, because your PIX config is
> good.
>
> BIe, HT!
>
> -Original Message-
> From: Neal Rauhauser [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 10, 2002 11:38 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Pix logging to a Freebsd syslog server [7:51124]
>
>
> The Cisco logging facility on a router uses a random high port as the
> source for the syslog packets. I assume the PIX is the same since you're
> having trouble. The FreeBSD syslogd expects the packets to be sourced
> from port 514. You can try the flag that supposedly allows syslogd to
> take random source ports, but it doesn't work :-(
>
>   I'd strongly suggest you do what I did - just modify the syslogd
> source so it doesn't check source port, compile it, then install.
>
>   If that is beyond your C programming skills drop me a note and I can
> email you the bungholed syslogd.c file and you can take it from there.
>
>
>
> Elijah Savage III wrote:
> >
> > Can anyone help me out with a PIX logging to a Freebsd syslog server. I
> > thought I was sure about setting this up but I am not getting any
> > messages on the server, see my configs below.
> >
> > logging on
> >
> > logging timestamp
> >
> > logging trap debugging
> >
> > logging facility 23
> >
> > logging host inside 192.168.11.4
> >
> > FreeBSD
> >
> > local7.debug    /var/log/cisco.all
> >
> > I also started syslogd with these parameters
> >
> > 29612  ??  Ss 0:00.03 syslogd -a 192.168.11.2/255.255.255.0
> --
> Neal Rauhauser CCNP, CCDP voice: 402-301-9555
> mailto:[EMAIL PROTECTED] fcc  : k0bsd
> "This is my private email devoted to various mailing lists. If you're
> a twerp with an attorney and someone else's money, don't bother my
> employer about the things I say, just come see me personally and we'll
> discuss the situation. No names, you twerps should know who you are".




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51152&t=51124
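The source-port question in this thread, as an added example that is not part of any poster's message and is not syslogd's code. It models the allowed_peer rule as documented in FreeBSD's syslogd(8) (ipaddr/masklen[:service], where the default service "syslog" requires source port 514 and "*" accepts any source port) together with the facility/severity selector. The function names, the masklen form of the -a rule, the source port 49152 and the sample datagram are constructed for illustration.

```python
import ipaddress

SYSLOG_PORT = 514
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 16..23 are local0..local7, so "logging facility 23" is local7.
LOCAL_FACILITIES = {16 + n: f"local{n}" for n in range(8)}

# Constructed datagram: PRI 191 = facility 23 * 8 + severity 7 (debug).
SAMPLE = b"<191>Aug 10 2002 11:38:00: %PIX-7-000000: constructed test message"


def parse_allowed_peer(rule):
    """Parse 'ipaddr/masklen[:service]' into (network, required port or None)."""
    addr, _, service = rule.partition(":")
    ip, slash, masklen = addr.partition("/")
    # This model handles only the bit-count form of the mask.
    if not slash or not masklen.isdigit():
        raise ValueError("this model only handles ipaddr/masklen[:service]")
    network = ipaddress.IPv4Network(f"{ip}/{masklen}", strict=False)
    if service in ("", "syslog"):
        port = SYSLOG_PORT      # default: sender must use source port 514
    elif service == "*":
        port = None             # any source port
    else:
        port = int(service)     # one specific source port
    return network, port


def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI> of a syslog datagram."""
    if not datagram.startswith(b"<") or b">" not in datagram[:6]:
        raise ValueError("no <PRI> header")
    pri = int(datagram[1:datagram.index(b">")])
    return divmod(pri, 8)


def selector_matches(selector, facility, severity):
    """'local7.debug' matches local7 messages at debug severity or more severe."""
    name, _, level = selector.partition(".")
    return LOCAL_FACILITIES.get(facility) == name and severity <= SEVERITIES.index(level)


def triage(rule, selector, src_ip, src_port, datagram):
    """Say what happens to one datagram under one -a rule and one selector."""
    network, port = parse_allowed_peer(rule)
    if ipaddress.IPv4Address(src_ip) not in network:
        return "dropped: source address"
    if port is not None and port != src_port:
        return "dropped: source port"
    facility, severity = decode_pri(datagram)
    if not selector_matches(selector, facility, severity):
        return "ignored: selector"
    return "logged"


if __name__ == "__main__":
    pix = "192.168.11.2"  # sender address taken from the -a rule in the thread
    for rule in ("192.168.11.2/24", "192.168.11.2/24:*"):
        for src_port in (514, 1025, 49152):
            print(rule, src_port, triage(rule, "local7.debug", pix, src_port, SAMPLE))
```

On a live host, `tcpdump -n udp port 514` on the syslog server shows which source port the sender really uses, which is the quickest way to settle the disagreement above.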



Re: Dell switches [7:50934]

2002-08-10 Thread Gaz

I think it was humo(u)r John. I'm an eternal infant and appreciate the poor
humo(u)r as much as the serious replies.
Have a beer  Have a 'Chuck'le.:-)

Sorry, not seen much of Dell switches, but no doubt if you get enough
sarcastic infantile replies it will keep the thread alive to be read by
someone who has.

Good luck

Gaz


""John Chang""  wrote in message
news:[EMAIL PROTECTED]...
> This is not intended to offend anyone:  Just thought professionals could be
> just that and wanted an objective answer if you had used a Dell managed
> switch.  Thank you.
>
>
>
> At 01:07 AM 8/9/2002 +, Chuck wrote:
> >The Dell switch product line is the spawn of the underworld. Using Dell
> >switches will cause your teeth to fall out and hair to grow on your palms.
> >Dell switches will make your food taste like dust and your water taste like
> >vinegar. Don't even ask what happens to your packets as they cross a Dell
> >backplane.
> >
> >Well, what else would you expect from us Cisco jocks? :->
> >
> >
> >""John Chang""  wrote in message
> >news:[EMAIL PROTECTED]...
> > > Has anyone used Dell managed switches 3024 or 5012 and is it reliable?
> > > complaints? problems?  Thank you.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51150&t=50934



Re: FR traffic shaping [7:51044]

2002-08-10 Thread Gaz

I think I understand it better (that's usually the point where someone pulls
the rug from under my feet :-))

The two seem to contradict each other though. One saying that the Tc can be
set by the provider, and Cisco saying it's automatically calculated.

They both seem to make sense. The Cisco way means that the higher the value
of Bc compared to CIR, the greater flexibility you have, because as well as
increasing the value of Bc, it increases the period over which the average
is taken.
Spohn's method suggests that both variables are configurable allowing
ultimate flexibility (to the provider).

Or am I still messed up?  :-)

Gaz

""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]...
> Gaz wrote:
> >
> > Bit embarrassed. You say you may have simplified it too much,
> > but my brain
> > is still buzzing!
> >
> > How does the time interval T come in to it, and who decides the
> > time
> > interval. If you've got bursty traffic will a longer time
> > interval let you
> > get away with murder (on average).
>
> Good questions. I don't think I described Bc correctly, so no wonder you're
> confused! I can tell you what Darren Spohn says in his book, Data Network
> Design. Then I'll tell you what Cisco says, and hopefully I won't leave the
> situation even messier than it already is, and if I do, hopefully somebody
> will clean it up. ;-) I'll insert my own pithy comments in parentheses. Here
> goes:
>
> Spohn:
>
> "The CIR is computed as the number of bits in a committed Burst size, Bc,
> that can arrive during an averaging interval T such that CIR = Bc/T.
>
> If the number of bits that arrive during the interval T exceeds Bc, but is
> less than an excess threshold, Bc + Be, then the subsequent frames are
> marked as DE.
>
> At present, there is no uniform method for setting the interval T. If T is
> set too small, such that Bc is less than the length of a single frame, then
> every frame will be marked DE. If T is set too large, the buffer capacity in
> the FR access node may not be practical In public FR, it is the
> responsibility of the provider to set the value of T, and the value of 1 is
> often used to match the line measure of bps."
>
> And here's what Cisco says:
>
> "frame relay bc
>
> The amount of data to send per each Tc interval in bits. Ideally for data
> PVCs Bc = CIR/8 so that Tc = 125msec. If we are doing voice on the PVC, then
> Bc = CIR/100 is preferable, so that the interval Tc = 10msec... The value of
> Bc by default is the CIR in bits. (which would match the Spohn statement, by
> the way)
> ...
>
> Non-Configurable Parameters
>
> interval (Tc)
>
> The time interval during which you send the Bc bits in order to maintain the
> average rate of the CIR in seconds.
>
> Tc = Bc/CIR in seconds. (algebraically the same as Spohn's equation, by the
> way)
>
> The range for Tc is between 10 ms and 125 ms. The router internally
> calculates this value based on the CIR and Bc values in the map class. If
> Bc/CIR is more than or equal to 125 msec, it uses the internal Tc value. If
> Bc/CIR is less than 125 ms, it uses the Tc calculated from that equation."
>
> (I hope I haven't just confused matters even more! ;-)
>
> Priscilla
>
>
> > But if the Burst rate is already Bits per second and then we
> > add another
> > time interval, doesn't that make it bits/s/s. Isn't that bit
> > acceleration?
> > :-]
> >
> > My mind won't allow me to continue.
> >
> > After reading a bit more since I wrote the garbage above, I think I confused
> > myself by calling it Burst rate rather than Burst size. Burst size makes
> > more sense.
> > So do different providers have different time intervals to
> > calculate mean
> > rate from Burst size or is there a recognised standard. I take
> > it that the
> > longer the Tc the better (for the customer)?
> >
> > Help - Frame is my bogey subject
> >
> > Gaz
> >
> >
> >
> >
> >
> >
> > ""Priscilla Oppenheimer""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > Davis, Scott [ISE/RAC] wrote:
> > > >
> > > > I guess maybe I need to make sure I understand the whole
> > theory
> > > > here. My
> > > > understanding is that by setting Bc in conjunction with CIR,
> > > > you are
> > > > defining the delay by defining the timing interval with a
> > &g
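
Added example, not part of the thread: a simplified Python model of the per-interval accounting in the Spohn passage quoted above, run over one constructed burst with the same CIR and two different values of T. It assumes Bc = CIR × T, that a frame which would exceed Bc + Be is dropped, and that dropped frames do not count toward the interval; `tc_ms` is the Tc = Bc/CIR relation from the Cisco text.

```python
"""Per-interval Frame Relay policing model (illustrative, not vendor code)."""


def tc_ms(cir_bps, bc_bits):
    """Tc = Bc / CIR, returned in milliseconds."""
    return 1000 * bc_bits / cir_bps


def police(frames, cir_bps, t_ms, be_bits):
    """Classify frames as 'forward', 'DE' or 'drop'.

    frames  -- list of (arrival_ms, size_bits), sorted by arrival time
    cir_bps -- committed information rate in bits per second
    t_ms    -- averaging interval T in milliseconds
    be_bits -- excess burst size allowed on top of Bc in each interval
    """
    bc_bits = cir_bps * t_ms // 1000       # CIR = Bc / T  ->  Bc = CIR * T
    verdicts = []
    interval = None
    accepted = 0                           # bits accepted in this interval
    for arrival_ms, size_bits in frames:
        idx = arrival_ms // t_ms
        if idx != interval:                # a new interval resets the count
            interval, accepted = idx, 0
        total = accepted + size_bits
        if total <= bc_bits:
            verdicts.append("forward")     # within the committed burst
        elif total <= bc_bits + be_bits:
            verdicts.append("DE")          # excess burst: discard eligible
        else:
            verdicts.append("drop")        # assumption: beyond Bc + Be
            continue                       # dropped bits are not counted
        accepted = total
    return verdicts


# Constructed trace: eight 1500-byte (12000-bit) frames, 10 ms apart.
BURST = [(t, 12000) for t in range(0, 80, 10)]
CIR = 64000

if __name__ == "__main__":
    # T = 1 s   -> Bc = 64000 bits, Be = 32000 bits
    print(police(BURST, CIR, 1000, 32000))
    # T = 125 ms -> Bc = 8000 bits (smaller than one frame), Be = 4000 bits
    print(police(BURST, CIR, 125, 4000))
    print(tc_ms(CIR, CIR // 8), tc_ms(CIR, CIR // 100))
```

With T = 125 ms the committed burst is smaller than a single frame, so no frame in the trace is forwarded unmarked, which is the "T set too small" case in the quoted text.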

Re: FR traffic shaping [7:51044]

2002-08-09 Thread Gaz

Bit embarrassed. You say you may have simplified it too much, but my brain
is still buzzing!

How does the time interval T come in to it, and who decides the time
interval. If you've got bursty traffic will a longer time interval let you
get away with murder (on average).
But if the Burst rate is already Bits per second and then we add another
time interval, doesn't that make it bits/s/s. Isn't that bit acceleration?
:-]

My mind won't allow me to continue.

After reading a bit more since I wrote the garbage above, I think I confused
myself by calling it Burst rate rather than Burst size. Burst size makes
more sense.
So do different providers have different time intervals to calculate mean
rate from Burst size or is there a recognised standard. I take it that the
longer the Tc the better (for the customer)?

Help - Frame is my bogey subject

Gaz






""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]...
> Davis, Scott [ISE/RAC] wrote:
> >
> > I guess maybe I need to make sure I understand the whole theory
> > here. My
> > understanding is that by setting Bc in conjunction with CIR,
> > you are
> > defining the delay by defining the timing interval with a
> > maximum burst size
>
> Maybe indirectly this could have an effect on delay, but that's not what
> you're setting. Don't think "delay" just because you see "time." The time
> interval is used simply because otherwise a burst has no definite meaning.
> Sending at rate x for 10 minutes is a lot different from sending at rate x
> for 10 seconds.
>
> A lot of the descriptions are incomprehensible and get into token buckets
> and other obscure minutiae. :-) Here's how I understand it at a higher
> level. Someone please correct me if I have oversimplified to the point of
> being wrong.
>
> The CIR specifies that as long as the data input to the Frame Relay network
> is below or equal to the CIR, then the network provider will continue to
> forward data for that virtual circuit. If the data input rate exceeds the
> CIR, there is no longer any "commitment." The provider might discard traffic
> beyond the CIR limit, although if there is sufficient bandwidth, it might
> continue to forward traffic. CIR is measured over a time interval. Let's say
> that CIR is measured over a time interval T.
>
> The committed burst size (Bc) specifies a maximum amount of data that the
> provider will transmit over the time interval T even after the CIR has been
> exceeded. The provider's Frame Relay switch is allowed to set the DE bit for
> frames at the Bc level.
>
> Beyond the Bc, the provider can also support an excess burst size (Be) that
> specifies the maximum amount in excess of Bc that the network will attempt
> to transfer under normal circumstances during the time interval T. The
> ingress switch at the provider immediately sets the DE bit on these frames
> and also has the right to immediately discard the frames if the switch or
> network is congested.
>
> Priscilla
>
> > and that by defining Be to anything other than 0 you are
> > allowing specific
> > instances where a burst larger than Bc will be allowed but
> > marked DE ... or
> > something like that but less jumbled that makes sense. I
> > understand the
> > mechanics of the commands, I just want to make sure I
> > understand the theory.
> > Thanks for the link Mark ... the explanation in that document
> > is a bit
> > clearer than the one in the FRTS docs.
> >
> > Thanks again
> > Scott
> >
> >
> > -Original Message-
> > From: Turpin, Mark [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 09, 2002 10:10 AM
> > To: 'Davis, Scott [ISE/RAC]'; [EMAIL PROTECTED]
> > Subject: RE: FR traffic shaping [7:51044]
> >
> >
> >
> > Scott,
> >
> > I'm sure you know how to configure it, so I'll leave
> > configuration examples out.  To get a conceptual overview
> > of how shaping and policing actually works, check out this
> > link: (wrap)
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfpolsh.htm
> > as well as picking up the book IP Quality of Service
> > (it's actually a good read!)  The most important
> > section that explains traffic shaping on frame is the
> > section "Traffic Shaping and Rate of Transfer".
> > Look for that, it explains it very well!
> >
> > Short answer, you can define Be/Bc values,
> > but you're really better off leaving

Re: Notes on salaries [7:51052]

2002-08-09 Thread Gaz

Can't agree more. If I've been through subnet masks once I've been through
it ten times with my son. He's still not happy with wildcard masks and goes
off the handle if the addresses aren't contiguous.
I'm going to leave it until he's at least six years old now. I'm wasting my
time with him.

:-)

Gaz

""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]...
> Robert D. Cluett wrote:
> >
> > I like this statement
> >
> > "Times have changed, he said. Six years ago the technology was
> > complex.
> > Certification was important because it told an employer and
> > customers that
> > the certified professional could find his way around
> > complicated networks.
> > But now networks are easier to install and maintain.
> > "Now they've dumbed it down to the point where a 12-year-old
> > can install a
> > Cisco router," Mazurek said.
>
> That's ridiculous, to put it bluntly. :-) The technology becomes more
> complex every year.
>
> >
> > Mazurek says that he pays little attention to certification
> > when he is
> > hiring. It is experience that matters to him.
> >
> >
> >
> > - A 12 year old, huh?
>
> Hey, I have experience trying to teach Cisco Networking Academy at the high
> school level. It doesn't work. Many of the students didn't even have the
> reading skills to follow the materials, let alone the sophisticated brain
> CPU power required to understand the concepts. Only a few of the math whiz
> types even got subnet masking, and they don't plan to install routers for a
> living. They plan to be computer scientists.
>
> Cisco Networking Academy does work at the college level, though.
>
> Priscilla
>
> >
> >  wrote in message
> > news:[EMAIL PROTECTED]...
> > > From the web...just posted for discussion fodder, I'm not making any
> > > statements here or trying to discourage anyone...
> > >
> > >
> > > http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci843400,00.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51098&t=51052



Re: PIX 501 and enabling DES [7:49705]

2002-07-27 Thread Gaz

The image comes with the Pix if you bought it legally from Cisco.
I'm sure they could sell all Pix's with encryption enabled and charge more
for all of them.
I'd rather have the option to pay for Pix without encryption if I don't need
it.

As I said though in version 6.2 onwards you don't need to reload the image.
Just use "activation key"

Gaz

""NetEng""  wrote in message
news:[EMAIL PROTECTED]...
> So Cisco sells a firewall with no encryption and then forces you to buy a
> smartnet contract so you can download the latest IOS and install the key?
> That sounds like Microsoft marketing.
>
> ""Brad Ellis""  wrote in message
> news:[EMAIL PROTECTED]...
> > Yes, re-install the same version of the OS, and enter a new activation key.
> > That's all ya got to do.
> >
> > thanks,
> > -Brad Ellis
> > CCIE#5796 (R&S / Security)
> > [EMAIL PROTECTED]
> > Cisco home labs:  www.optsys.net
> >
> > ""NetEng""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > I received my PIX 501 this afternoon! However I cannot access it via PDM.
> > > I got the 56bit DES key from Cisco, but I can't figure out how to activate
> > > the thing. The documentation just goes through upgrading the FW IOS and at
> > > the end it will prompt you for the key. I don't want to upgrade the IOS,
> > > just install the key. Any ideas? Please note my versions (no command
> > > activate-key). Thanks
> > >
> > > show version:
> > > Cisco PIX Firewall Version 6.1(3)
> > > Cisco PIX Device Manager Version 1.1(2)
> > >
> > > Compiled on Fri 22-Feb-02 08:15 by morlee
> > >
> > > pixfirewall up 45 mins 40 secs
> > >
> > > Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
> > > Flash E28F640J3 @ 0x300, 8MB
> > > BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
> > >
> > > 0: ethernet0: address is 000a.411e.f696, irq 9
> > > 1: ethernet1: address is 000a.411e.f697, irq 10
> > >
> > > Licensed Features:
> > > Failover:   Disabled
> > > VPN-DES:Disabled
> > > VPN-3DES:   Disabled
> > > Maximum Interfaces: 2




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49839&t=49705



Re: Anyone tried Huawei Routers ? [7:49670]

2002-07-26 Thread Gaz

Not sure whether Cisco could close them down if they wanted.

Wouldn't like to be on Cisco's side as they roll in to China.
They can probably do enough business in their own part of the world to keep
the family fed and watered.

Do China abide by everyone else's laws?

Dunno...






""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]...
> Tom Scott wrote:
> >
> >
> > BTW what does "wei" mean in futurewei and huawei?
>
> Thief? Copy Cat? One who has no innate creativity and takes ideas from
> others? ;-)
>
> Seriously, they can't possibly have stolen the actual IOS code or Cisco
> would close them down. Most of the protocols are industry standards, so why
> shouldn't they make a router that can do those protocols too? Even with
> EIGRP, there's enough info out there to make it work almost like Cisco's
> EIGRP.
>
> Copying the CLI is somewhat questionable, but they wouldn't be the first
> company to do it. I'm no legal expert, but I doubt you can copyright things
> like "show running-config" anyway.
>
> Maybe they will improve on Cisco's CLI? ;-) Cisco's CLI isn't really very
> well done. They aren't even consistent regarding when and when not to use a
> hyphen, for example, or when to include a word as part of the command versus
> a parameter.
>
> So, even though the lack of innovation bugs me, I can't see anything
> seriously wrong with it. I wouldn't want to work for a company that just
> copied someone else's work, but a lot of people don't seem to mind.
>
> Cisco can still win out by offering better service, tech support, training,
> warranties, and simply by stomping on them with better advertising and
> marketing.
>
> My $0.0010.
>
> Priscilla
> >
> > -- TT




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49836&t=49670



Re: How to allow outside user to browse the inside web [7:49720]

2002-07-25 Thread Gaz

Looks fine.
Clear xlate on the pix.
Failing that - reboot the pix if you have that luxury.
Troubleshoot your connectivity.
Can you browse to the web server internally?
Can you browse to internet from the web server?
Allow icmp through the pix and check connectivity.

Put some logging on while you try to connect:

logging on
logging console 4 (or 5)

Let us know results.

Gaz


""Magdy Ibrahim""  wrote in message
news:[EMAIL PROTECTED]...
> Hi all,
> I have PIX firewall with 6.0(1) and I am running my mail server behind it
> and it works fine till now...
> these days I need to run a web server "Apache" behind it..
> I tried to configure it to allow the outsiders to access the inside web page
> by using the following commands:
> static (inside,outside) xx.xx.60.21 10.0.0.20 netmask 255.255.255.255 0 0
> conduit permit tcp host xx.xx.60.21 eq www any
>
> I failed to run the web sites installed on the Apache server...
> Are there extra commands I have to add to my PIX to allow outsiders to access
> that web server???
> Please help me to fix this issue ASAP
>
> Thanx in advance
>
> magdy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49720&t=49720



Re: New CCIE Written is here. He afraid, be very afraid... [7:49715]

2002-07-25 Thread Gaz

I think a CCIE candidate should have some knowledge of the older stuff. The
knowledge needed isn't too deep at all. It's always good to have at least a
little knowledge of the more obscure subjects.
We're doing a large TR migration at the moment, and it's not the only one
we've seen recently.

Hopefully the exam is a little harder. I think it was only intended in the
past to weed out the absolute no hopers before they block up lab slots, not
to be added to the signature blocks of blaggers as a qualification in
itself.

Although even if it's no harder, as long as people realise that it's not a
qualification, just a basic test to prove you might be worthy of starting
the long path to CCIE.

My two penneth.


Gaz


""Scott""  wrote in message
news:[EMAIL PROTECTED]...
> This is a good thing.  Although, why add things like MPLS, wireless, SS7
> when you still have token ring and x.25?  Seems kinda stupid.
>
> Scott
> CCIE #9340
>
> ""Dennis Laganiere""  wrote in message
> news:[EMAIL PROTECTED]...
> > "The CCIE Program is proud to announce the upcoming release of the revised
> > CCIE Routing and Switching Written Exam (350-001). The new version of the
> > exam will go live, and replace the current exam, on August 7th, 2002. Note:
> > The revised exam will consist of 150 questions and be 180 minutes in
> > duration. To prepare for this exam, candidates may wish to review the exam
> > blueprint and study suggestions."
> > http://www.cisco.com/warp/public/625/ccie/ccie_program/whatsnew.html#5
> >
> > If this is anything like the beta, things just got quite a bit harder...
> > --- Dennis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49715&t=49715



Re: Here we go again ( Pix 515) [7:49492]

2002-07-24 Thread Gaz

What's everybody's view on using the Pix as a DHCP server?

I used it once, only because after arriving on site to install the Pix the
customer mentioned that his old Firewall was doing DHCP and he had no plans
to do it on anything else.
Seemed to go fine, but would like to know if people have come across
limitations/issues.

I tend to agree with the view "Right box for the job", i.e. don't make the
Pix do things it's not made for, but if pushed into the situation, how does
it compare.

Cheers,

Gaz

""Kevin O'Gilvie""  wrote in message
news:[EMAIL PROTECTED]...
> Hi Kelly,
>
> You are absolutely right, and I love your strategy.
> That is the way I did it 2 years ago, but the only thing now is finding a
> vpn solution for the Macs. I used Pix for the PC's last time round but never
> had to do this for the Mac's. Any ideas?
>
>
> >From: "Kelly Cobean"
> >Reply-To: "Kelly Cobean"
> >To: [EMAIL PROTECTED]
> >Subject: RE: Here we go again ( Pix 515) [7:49492]
> >Date: Wed, 24 Jul 2002 02:18:38 GMT
> >
> >Man, you aren't asking much, are you? ;-)
> >
> >Ok, here's the order I'd do things in...
> >
> >First things first, get that firewall in place.  You don't list what their
> >internet connectivity is, but if they bought a PIX, it's safe to assume that
> >they have a persistent connection, and that being true, they're really
> >hanging it out there for someone to cut off, so to speak.  Network security
> >is always a primary concern, and the firewall won't take a lot of time to set
> >up.  Not setting it up could be very costly.  If they already have a
> >light(er)-weight firewall like a Linux host running IP chains or IP tables,
> >replacing this first will save your users down-time later because you can
> >pre-configure your internet rulebase/access in preparation for your private
> >addressing.
> >
> >Next, I'd do the DHCP and Private Addressing.  These go hand in hand, and
> >since your firewall is now in place, you can do the NAT/PAT translations as
> >needed and not have to rethink these later.
> >
> >Third, get Exchange up and running.  If it's going on a different system
> >than Quick mail is running on, great!  Now you can get them running in
> >parallel, and move users accounts over one at a time or in batches.  There
> >are probably tools out there to do the mailbox format conversion.  Now that
> >your network is secure at layer3/4, you can focus on the nitty-gritty of the
> >user data. (Oh yeah, don't forget that backup!!!)
> >
> >It's a 10,000 foot view, but that's how I'd do it.  I'm not really a MAC
> >guy, but I'd venture a guess that most or all of your MAC's run TCP/IP and
> >support DHCP, so from an L3/4 standpoint, they're really no different than
> >your PC's.
> >
> >When doing multiple projects like this, I tend to work along the OSI model.
> >If the wiring is horrible, or the NIC's are all old 10Base2 nics and have
> >transceivers to hook them to your BaseT network, take care of the layer 1
> >stuff first.  Next, if the network is all unmanaged hubs, and your network
> >is one gigantic broadcast domain, start installing switches to quiet down
> >the network.  Next, get VLANs/routing/security in place for Layer3/4.  Next,
> >work on the "upper layers" where all of your apps and data live and talk.
> >Just my $0.02 worth.
> >
> >HTH,
> >Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I
> >Network Engineer
> >AT&T Government Solutions, Inc.
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Kevin O'Gilvie
> >Sent: Tuesday, July 23, 2002 9:07 PM
> >To: [EMAIL PROTECTED]
> >Subject: Here we go again ( Pix 515) [7:49492]
> >
> >
> >Dear All,
> >
> >I am jumping into a similar mess as when I started at my current company,
> >but this time the Macs out number the PC's. Well here is the scoop:
> >180 Macs
> >50 PC's
> >Static Ip's
> >No DHCP
> >No FW
> >Quick Mail Server
> >and a whole bunch of other nasty things..
> >- They just purchased a Pix 515
> >- They just bought Exchange 5.5
> >
> >My projects are:
> >Set up DHCP
> >Set up Pix
> >Set up Private Addressing
> >Set up Exchange
> >Migrate them from Quick Mail
> >etc etc
> >I have done this before but maybe you guys can help as to how I should go
> >about this the quickest.
> >
> >Thanks,
> >
> >Kevin
> >
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49591&t=49492



Re: pix quick help [7:49450]

2002-07-23 Thread Gaz

I was under the impression that the PDM command is just a pain in the arse
cosmetic addition for use only within PDM.
I'm fairly certain it's nothing to do with access to PDM itself. I'll try
deleting them next time I get chance and see what effect it has on PDM, and
if PDM automatically puts them back (in the same way that it automatically
put them there in the first place)

As always...let me know if I'm talking rubbish.

Gaz


""Mark W. Odette II""  wrote in message
news:[EMAIL PROTECTED]...
> I believe the answer is yes.
>
> The HTTP command specifies what node is allowed to hit the HTTP Server,
> while the PDM command defines the host allowed to log into the PDM App.
>
> I'm sure someone will rightly correct me if I'm wrong. :)
>
> -Mark
>
> -Original Message-
> From: John Green [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 23, 2002 11:35 AM
> To: [EMAIL PROTECTED]
> Subject: pix quick help [7:49450]
>
> to allow a workstation access so as to be able to use
> and configure via the PDM, we give the command
> http server enable
> http 165.12.55.12 255.255.255.255 inside
>
> what is the purpose for the command
> pdm location 165.12.55.12 255.255.255.255 inside
>
> do we need both the commands to allow the workstation
> be able to access PDM GUI ??
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49478&t=49450



Re: ACL studying [7:49154]

2002-07-18 Thread Gaz

I reckon you typo'd with the third line Philip.

How's this:

access-list 1 permit 10.10.10.32 0.0.0.1
access-list 1 permit host 10.10.10.34
access-list 1 deny 10.10.10.32 0.0.0.15
access-list 1 deny host 10.10.10.49
access-list 1 permit any


""Blair, Philip S""  wrote in message
news:[EMAIL PROTECTED]...
> A different spin.
>
> access-list 1 permit 10.10.10.32 0.0.0.1
> access-list 1 permit host 10.10.10.34
> access-list 1 deny 10.10.10.32 0.0.0.127
> access-list 1 deny host 10.10.10.49
> access-list 1 permit any
>
>
>
>
> -Original Message-
> From: Persio Pucci [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 18, 2002 2:19 PM
> To: [EMAIL PROTECTED]
> Subject: ACL studying [7:49154]
>
>
> Folks,
>
> what would be the smallest way to put an ACL to filter, let's say, IPs
> 10.10.10.35 to 10.10.10.49?
>
> (just want to check if I am doing it ok...)
>
> Persio




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49178&t=49154
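
Added example, not part of the thread: a first-match evaluator for standard IOS access lists with wildcard masks, used to check which hosts in 10.10.10.0/24 each list posted above denies against the requested range 10.10.10.35 to 10.10.10.49. `ACL_EXACT` is a list constructed for this example; the parser handles only the `access-list N permit|deny` forms that appear in the thread.

```python
"""Audit standard ACLs against an intended deny range (illustrative)."""
import ipaddress


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_acl(text):
    """Turn 'access-list N permit|deny <spec>' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        _, _, action, *spec = line.split()
        if spec[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif spec[0] == "host":
            addr, wild = _ip(spec[1]), 0
        else:
            addr, wild = _ip(spec[0]), _ip(spec[1])
        rules.append((action, addr, wild))
    return rules


def evaluate(rules, src):
    """Return the action of the first matching rule (implicit deny at end)."""
    s = _ip(src)
    for action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF          # wildcard 1-bits are "don't care"
        if (s & care) == (addr & care):
            return action
    return "deny"


def audit(acl_text, first=35, last=49, prefix="10.10.10."):
    """Return (missed, extra): target hosts still permitted, and hosts
    outside the target range that the list denies."""
    rules = parse_acl(acl_text)
    denied = {h for h in range(256)
              if evaluate(rules, f"{prefix}{h}") == "deny"}
    target = set(range(first, last + 1))
    return sorted(target - denied), sorted(denied - target)


# The list with 0.0.0.127 on the third line, as posted in the thread.
ACL_WIDE = """
access-list 1 permit 10.10.10.32 0.0.0.1
access-list 1 permit host 10.10.10.34
access-list 1 deny 10.10.10.32 0.0.0.127
access-list 1 deny host 10.10.10.49
access-list 1 permit any
"""

# The list with 0.0.0.15 on the third line, as posted in the thread.
ACL_NARROW = ACL_WIDE.replace("0.0.0.127", "0.0.0.15")

# Constructed for this example: 48 and 49 covered by one wildcard entry.
ACL_EXACT = ACL_NARROW.replace("deny host 10.10.10.49",
                               "deny 10.10.10.48 0.0.0.1")

if __name__ == "__main__":
    for name, acl in (("wide", ACL_WIDE), ("narrow", ACL_NARROW),
                      ("exact", ACL_EXACT)):
        missed, extra = audit(acl)
        print(f"{name}: still permitted={missed} "
              f"denied outside range={len(extra)} hosts")
```

Running the same audit before applying a list to an interface catches both failure modes: a target host left permitted and a wildcard that blocks more than intended.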



Re: dhcp and subinterfaces [7:49070]

2002-07-18 Thread Gaz

Yep - IP helper address on the sub interface works fine in this situation.
It's secondary addresses which cause problems (in fact don't work as far as
I know).

Gaz


""GEORGE""  wrote in message
news:[EMAIL PROTECTED]...
> If I have subinterfaces configured for my vlans' and I wanted a dhcp
> server for one vlan can I create the dhcp server and assign it to that
> subinterfaces pertaining the vlan in question. I don't have a server on
> that vlan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49155&t=49070



Re: VOIP with 2600 Router [7:48709]

2002-07-17 Thread Gaz

I'm not sure.

I think I found the answer. I didn't understand the two stage dialling which
I think I do now.
The voip dial peer sends all digits whereas the pots dial peer strips the
matched digits.
The destination pattern for an operator (dial 0) on a remote site would be
something like:

dial-peer voice 1 voip
  destination-pattern 70
  session target ipv4:1.1.1.1

Then at the remote site the corresponding pattern would be:

dial-peer voice 1 pots
 destination-pattern 7.
 port 2/1


Is this correct?  i.e. would this allow users to dial 70 for the remote
operator as well as dialled numbers such as 7201 as long as there is also a
dial-peer like this on the remote site:

dial-peer voice 2 pots
 destination-pattern 7...
 port 2/1

I'm just trying to confirm whether the first dial peer would intercept the
longer string and throw the other two digits away.

Thanks,

Gaz



""Steven A. Ridder""  wrote in message
news:[EMAIL PROTECTED]...
> I'm not sure I understand the question.  If the question is, if there's a
> number 335, and I tell the router 355 is over on a different router, is that
> a valid dial-peer (355).  If that's the question, yes it is.
>
> Did I understand the question correctly?
>
>
> ""Gaz""  wrote in message
> news:[EMAIL PROTECTED]...
> > On a similar subject - Is it possible to use a destination-pattern of for
> > instance 70 (no wild cards or anything) and still get it to work. The reason
> > for this is to allow users to phone the operator of another site using just
> > the trunk code and a "0".
> > As it is the router comes back with something like 'no number to dial' even
> > when used with prefix 70, because there is nothing except the
> > destination-pattern.
> >
> > Basically the destination-pattern needs to be the full number.
> >
> > Hope I've explained myself well enough.
> >
> > Please excuse the VoIP newbie.
> >
> >
> > Gaz
> >
> >
> > ""Steven A. Ridder""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > I'd do some debugs like "debug voice ccapi inout" to see what numbers are
> > > being sent to the PBX and across the IP call leg (on both sides).
> > >
> > > I'd also try to validate your dialing plan by doing a "show dialplan number
> > > (DN you wish to test)" to see which dial-peer the router thinks it should be
> > > using.
> > >
> > > Finally check for codec mismatches, missing routes in the routing table
> > > etc..
> > >
> > >
> > >
> > > ""Firesox""  wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Site A
> > > > voice-card 1
> > > > !
> > > > ip subnet-zero
> > > > no ip source-route
> > > > no ip finger
> > > > !
> > > > lane client flush
> > > > !
> > > > !
> > > > controller T1 1/0
> > > >  framing esf
> > > >  linecode b8zs
> > > >  ds0-group 1 timeslots 1-24 type e&m-wink-start
> > > >  cas-custom 1
> > > > !
> > > > !
> > > > voice-port 1/0:1
> > > >  operation 4-wire
> > > > !
> > > > !
> > > > dial-peer voice 1 pots
> > > >  destination-pattern 370..
> > > >  port 1/0:1
> > > >  prefix 370
> > > > !
> > > > dial-peer voice 10 voip
> > > >  destination-pattern 79..
> > > >  session target ipv4:1.1.1.2
> > > > !
> > > > dial-peer voice 2 pots
> > > >  destination-pattern 374..
> > > >  port 1/0:1
> > > >  prefix 374
> > > > !
> > > > !
> > > > interface FastEthernet0/0
> > > >  bandwidth 1
> > > >  ip address x.x.x.x x.x.x.x
> > > >  speed 10
> > > >  full-duplex
> > > > !
> > > > interface Serial0/0
> > > >  bandwidth 1536
> > > >  ip address 2.2.2.2 255.255.255.252
> > > >  no fair-queue
> > > >  down-when-looped
> > > > !
> > > > ip classless
> > > > ip route 0.0.0.0 0.0.0.0 Serial0/0
> > > > 
> > > > Site B
> > > >
> > > > voice-card 1
> >

Re: TFTP Server [7:48763]

2002-07-16 Thread Gaz

I agree - Pumpkin.
Every one of our engineers use it now and never heard of a problem.
Also supports multiple simultaneous TFTP - not sure if this is a feature of
others or not. Don't suppose it's that much of a selling point, but the
reliability is.


Gaz

""Charles D Hammonds""  wrote in message
news:[EMAIL PROTECTED]...
> I really like PumpKIN found at:
>
> http://www.klever.net/kin/pumpkin.html
>
>
> Charles
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 14, 2002 7:39 AM
> To: [EMAIL PROTECTED]
> Subject: TFTP Server [7:48763]
>
>
> I have a cisco TFTP Server v 1.1, It is creating some problems
> with my XP Machine.
>  Is there a better TFTP Server or is there a better Version
> Available.
>
>   Regards,
>
> Muhammad Usman
> Network Engineer
> al Alamiah Electronics Co.
> Network Section
> www.alamiah.com.sa
> Tel. : (+966-1) 477 0106
> Fax. : (+966-2) 477 7629
> Mob. : (+966-5) 301 4903
> P.O. Box 5954, Riyadh 11432
> Kingdom of Saudi Arabia.
>
> ~~The End-to-End Networkers~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48952&t=48763
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: VOIP with 2600 Router [7:48709]

2002-07-16 Thread Gaz

On a similar subject - Is it possible to use a destination-pattern of for
instance 70 (no wild cards or anything) and still get it to work. The reason
for this is to allow users to phone the operator of another site using just
the trunk code and a "0".
As it is the router comes back with something like 'no number to dial' even
when used with prefix 70, because there is nothing except the
destination-pattern.

Basically the destination-pattern needs to be the full number.

Hope I've explained myself well enough.

Please excuse the VoIP newbie.


Gaz


""Steven A. Ridder""  wrote in message
news:[EMAIL PROTECTED]...
> I'd do some debugs like "debug voice ccapi inout" to see what numbers are
> being sent to the PBX and across the IP call leg (on both sides).
>
> I'd also try to validate your dialing plan by doing a "show dialplan number
> (DN you wish to test)" to see which dial-peer the router thinks it should be
> using.
>
> Finally check for codec mismatches, missing routes in the routing table
> etc..
>
>
>
> ""Firesox""  wrote in message
> news:[EMAIL PROTECTED]...
> > Site A
> > voice-card 1
> > !
> > ip subnet-zero
> > no ip source-route
> > no ip finger
> > !
> > lane client flush
> > !
> > !
> > controller T1 1/0
> >  framing esf
> >  linecode b8zs
> >  ds0-group 1 timeslots 1-24 type e&m-wink-start
> >  cas-custom 1
> > !
> > !
> > voice-port 1/0:1
> >  operation 4-wire
> > !
> > !
> > dial-peer voice 1 pots
> >  destination-pattern 370..
> >  port 1/0:1
> >  prefix 370
> > !
> > dial-peer voice 10 voip
> >  destination-pattern 79..
> >  session target ipv4:1.1.1.2
> > !
> > dial-peer voice 2 pots
> >  destination-pattern 374..
> >  port 1/0:1
> >  prefix 374
> > !
> > !
> > interface FastEthernet0/0
> >  bandwidth 1
> >  ip address x.x.x.x x.x.x.x
> >  speed 10
> >  full-duplex
> > !
> > interface Serial0/0
> >  bandwidth 1536
> >  ip address 2.2.2.2 255.255.255.252
> >  no fair-queue
> >  down-when-looped
> > !
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Serial0/0
> > 
> > Site B
> >
> > voice-card 1
> > !
> > ip subnet-zero
> > no ip source-route
> > !
> > lane client flush
> > !
> > !
> > controller T1 1/0
> >  framing esf
> >  linecode b8zs
> >  ds0-group 1 timeslots 1-24 type e&m-wink-start
> >  cas-custom 1
> > !
> > !
> > voice-port 1/0:1
> >  operation 4-wire
> > !
> > !
> > dial-peer voice 1 pots
> >  destination-pattern 79..
> >  port 1/0:1
> >  prefix 79
> > !
> > dial-peer voice 10 voip
> >  destination-pattern 370..
> >  session target ipv4:2.2.2.2
> > !
> > dial-peer voice 11 voip
> >  destination-pattern 374..
> >  session target ipv4:2.2.2.2
> > !
> > !
> > interface FastEthernet0/0
> >  ip address x.x.x.x x.x.x.x
> >  duplex auto
> >  speed auto
> > !
> > interface Serial0/0
> >  bandwidth 1544
> >  ip address 1.1.1.2 255.255.255.252
> >  no ip mroute-cache
> >  no fair-queue
> > !
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 1.1.1.1
> > no ip http server




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48951&t=48709



Re: New 2600 and %Error opening tftp [7:48265]

2002-07-07 Thread Gaz

Sorry - just scrolled down to the rest of your post.
Are you sure "no service config" is in your config.
Never seen that happen once it's there.

Paste your config.


""Gaz""  wrote in message
news:[EMAIL PROTECTED]...
> "no service config" is what you're after. Can't remember if that's
> hyphenated or not.
>
>
> Gaz
>
>
> ""Phil Lorenz""  wrote in message
> news:[EMAIL PROTECTED]...
> > %Error opening tftp://255.255.255.255/msb3100_v1_silver_c01 (Timed out)
> >
> > %Error opening tftp://255.255.255.255/msb3100_v1_silver_c01 (Timed out)
> >
> > %Error opening tftp://172.30.100.34/network-confg (Timed out)
> >
> >
> >
> > Any idea where this crap-ola is coming from or what it is ???
> >
> >
> >
> > I just pasted a config into a new 2611 and this appears @ the console
> > every few minutes.
> >
> >
> >
> > I disabled service config (2611# no service config)" but that did not
> > change things.
> >
> >
> >
> > The running config does not contain any TFTP commands.
> >
> >
> >
> > Any ideas ???
> >
> >
> >
> > Thanks In Advance
> >
> > Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48277&t=48265



Re: New 2600 and %Error opening tftp [7:48265]

2002-07-07 Thread Gaz

"no service config" is what you're after. Can't remember if that's
hyphenated or not.


Gaz


""Phil Lorenz""  wrote in message
news:[EMAIL PROTECTED]...
> %Error opening tftp://255.255.255.255/msb3100_v1_silver_c01 (Timed out)
>
> %Error opening tftp://255.255.255.255/msb3100_v1_silver_c01 (Timed out)
>
> %Error opening tftp://172.30.100.34/network-confg (Timed out)
>
>
>
> Any idea where this crap-ola is coming from or what it is ???
>
>
>
> I just pasted a config into a new 2611 and this appears @ the console
> every few minutes.
>
>
>
> I disabled service config (2611# no service config)" but that did not
> change things.
>
>
>
> The running config does not contain any TFTP commands.
>
>
>
> Any ideas ???
>
>
>
> Thanks In Advance
>
> Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48274&t=48265
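
A way to triage the console messages in this thread, as an added example (not code from the thread): it groups the `%Error opening tftp://` lines by server and file, marks requests sent to the broadcast address, and checks a configuration for the commands that make IOS fetch configuration over TFTP. The running-config excerpt is constructed, and treating names ending in `-confg` or `.cfg` as configuration files is an assumption based on the IOS default file names.

```python
import re
from ipaddress import IPv4Address

# The three console lines quoted in the thread, embedded so the block runs offline.
CONSOLE_LOG = """\
%Error opening tftp://255.255.255.255/msb3100_v1_silver_c01 (Timed out)
%Error opening tftp://255.255.255.255/msb3100_v1_silver_c01 (Timed out)
%Error opening tftp://172.30.100.34/network-confg (Timed out)
"""

# Constructed running-config excerpt (not from the thread; the hostname and
# addresses are placeholders) that would keep such requests coming.
SAMPLE_CONFIG = """\
hostname lab2611
!
boot network tftp://172.30.100.34/network-confg
service config
!
interface FastEthernet0/0
 ip address 172.30.100.1 255.255.255.0
"""

TFTP_ERROR = re.compile(
    r"^%Error opening tftp://(?P<server>\d{1,3}(?:\.\d{1,3}){3})/"
    r"(?P<path>\S+) \((?P<reason>[^)]+)\)"
)
BROADCAST = IPv4Address("255.255.255.255")
# Global commands that start a network configuration load.
AUTOLOAD = re.compile(r"(service config|boot (network|host))\b")


def parse_tftp_errors(log_text):
    """Return one dict per '%Error opening tftp://' line in a console capture."""
    events = []
    for line in log_text.splitlines():
        m = TFTP_ERROR.match(line.strip())
        if m:
            events.append({
                "server": IPv4Address(m.group("server")),
                "path": m.group("path"),
                "reason": m.group("reason"),
            })
    return events


def summarise(events):
    """Group events by (server, file) and mark what makes each one notable."""
    summary = {}
    for ev in events:
        key = (str(ev["server"]), ev["path"])
        entry = summary.setdefault(key, {
            "count": 0,
            # A broadcast request is answered by whichever TFTP server on the
            # segment responds first, so it deserves attention on its own.
            "broadcast": ev["server"] == BROADCAST,
            # Assumption: IOS default config names end in -confg or .cfg.
            "config_name": ev["path"].endswith(("-confg", ".cfg")),
        })
        entry["count"] += 1
    return summary


def audit_config(config_text):
    """Report whether 'no service config' is present and list autoload triggers."""
    result = {"no_service_config": False, "triggers": []}
    for raw in config_text.splitlines():
        if raw.startswith(" "):          # interface or sub-mode line, skip
            continue
        line = raw.strip()
        if line == "no service config":
            result["no_service_config"] = True
        elif AUTOLOAD.match(line):
            result["triggers"].append(line)
    return result


if __name__ == "__main__":
    for (server, path), info in summarise(parse_tftp_errors(CONSOLE_LOG)).items():
        print(server, path, info)
    print(audit_config(SAMPLE_CONFIG))
```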



Re: Cisco 7010 router help [7:47893]

2002-07-01 Thread Gaz

"Subsequently, software releases will be available for the Cisco 7000/7010
through Software Release 11.2 mainline. However, this will be the last
release supported on the platform."

from:

http://www.cisco.com/warp/public/cc/pd/rt/7000/prodlit/615_pp.htm


Gaz

""Kazan, Naim""  wrote in message
news:[EMAIL PROTECTED]...
> This is off the topic but can you help me with what version of IOS is
> supported by the 7010 router. I was told before end of sale of 7010 router,
> the highest ios version was 11.0. Is that correct or can I DL 12.0 version
> to 7010 router. The router is for home lab use only.
>
>
>
>
>
> -Original Message-
> From: YASSER ALY [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 01, 2002 6:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Who are the financially viable carriers? [7:47655]
>
>
> Regardless of who is more financially secure, I would technically vote for
> C&W. Having an overseas circuit from them I rarely faced troubles and even
> when trouble happens their support is very fast and more important they
> would say the truth and not start playing games with you.
>
> >Since I noticed a plug for another company I'll throw in my 2 cents.
> >
> >I'm not sure what services you are looking for but we offer quite a few and
> >have a good global presence.  While most companies are in piles of debt, we
> >have a surplus of cash.  Even after making acquisitions such
> >as Exodus, we still sit on top.
> >
> >For your own comparison purposes:
> >Here is a link to our Network maps showing our global infrastructure.
> >http://www1.cw.com/template_05.jsp?ID=gn_network#
> >
> >Here is a link to our Internet backbone performance standards:
> >http://www.sla.cw.net/
> >
> >Thanks!
> >
> >Mike Munoz
> >Network Engineer
> >US Data GSOC Tier II
> >Cable & Wireless
> >
> >
> >
> >
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Craig Columbus
> >Sent: Friday, June 28, 2002 10:55 AM
> >To: [EMAIL PROTECTED]
> >Subject: OT: Who are the financially viable carriers? [7:47655]
> >
> >
> >I know this probably isn't the best forum, but I thought I'd post it here
> >since I'm sure some of you guys have insight and opinions...
> >
> >I've seen so many problems in the carrier market in the last few years that
> >I'm no longer sure who to trust when they tell me that they're financially
> >stable.
> >
> >Global Crossing is very weak.  We all know about WorldCom/UUNET.  Qwest is
> >struggling.
> >
> >Who, in your experience, is still a stable, major player in the US carrier
> >/ dedicated transmission market?
> >Genuity?
> >AT&T?
> >Cable and Wireless?
> >Time Warner Telecom?
> >
> >Who would be your first choice for carrier in today's economy?
> >
> >Craig
> _
> Join the worlds largest e-mail service with MSN Hotmail.
> http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47895&t=47893



Re: Its not fair! [7:47868]

2002-07-01 Thread Gaz

Just in case you're under the impression that these changes have been
brought in some time during your classes and it's Cisco's fault for not
telling you:

Unless you've been studying for at least 4 or 5 years (or thereabouts), then
nothing has changed. It's been this way for a long time.
Make sure you have not misunderstood your teachers though before you shove
it down their necks.


Gaz



""Morgan Hansen""  wrote in message
news:[EMAIL PROTECTED]...
> WOW! I'm getting this from everyone now it seems;
>
> Enable secret works over enable password.   So if you
> have an enable secret you do not need an enable
> password.
>
>
> And if this is correct, then ok, cool, I'm fine with it, no problem and
> thanks a lot guys!
>
> What I DO have problems with though is paying a lot of $$$ to some
> "school" here in Norway where I live, joining the CNAP program, studying
> the Curriculum day in day out, being told a COMPLETELY DIFFERENT THING
> by my CCNA/CNAP teachers (Not mentioning Cisco and their Curriculum!)
> and because of all this maybe failing my CCNA exam because of a
> miseducated mind! It's not fair!
>
> I mean. Come on?? I'm sorry, but I'm really frustrated right now and I
> hope you can understand that :-(
> I mean, ok?? So we've used a Curriculum a little old, or at least older
> than what you need to be reading to pass the 640-607 exam, BUT:
> Wouldn't you agree, that it would be nice if Cisco could have sent us
> updates on important things like this here during our CNAP program?!
> If not, at least made sure our teachers knew about updates like this
> knowing they were gonna be asking us these questions on our exams :-(
>
> Nah, it's not fair, it's just not fair! (sad)
>
> Morgan
> mailto:[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47879&t=47868



Re: Flash init failed (permission denied). [7:47825]

2002-07-01 Thread Gaz

You don't seem to have any flash in there. Open the box and re-seat the
flash chip if there's one there.


""Marian Iordanescu""  wrote in message
news:[EMAIL PROTECTED]...
> Hi group,
>
> I have the following problem. Have you found the solution for this
> problem yet?
>
> C2950 Boot Loader (CALHOUN-HBOOT-M) Version 12.0(5.3)WC(1), MAINTENANCE
> INTERIM
> SOFTWARE
> Compiled Mon 30-Apr-01 07:56 by devgoyal
> WS-C2950-24 starting...
> Base ethernet MAC Address: 00:07:84:f9:09:40
> Unable to initialize flash device at 0xBF00 -- device not found.
> Xmodem file system is available.
> Initializing Flash...
> ...no flash filesystems found.
>
> The system has been interrupted, or encountered an error
> during initializion of the flash filesystem.  The following
> commands will initialize the flash filesystem, and finish
> loading the operating system software:
>
> flash_init
> load_helper
> boot
>
> switch: dir flash:
> unable to stat flash:/: permission denied
> switch: flash_init
> Initializing Flash...
> ...no flash filesystems found.
> switch: copy xmodem: flash:c2950-c3h2s-mz.120-5.3.WC.1.bin
> Begin the Xmodem or Xmodem-1K transfer now...
> CCBB0flash:c2950-c3h2s-mz.120-5.3.WC.1.bin: permission denied
> switch:
>
>
> Thank you in advance ,
>
> Marian




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47875&t=47825



Re: need clarification on some PIX terms [7:47786]

2002-07-01 Thread Gaz

Must admit I've not seen it without the (interface) option. Does the "nat 1
0 0" format equate to:

nat (inside) 1 0 0
and
nat (DMZ) 1 0 0

or just the inside interface?
Not got a Pix to try it on until tomorrow, or at least if I do I'll probably
lose the Pix I'm VPN'ing through :-)


Gaz


""Peter zhang""  wrote in message
news:[EMAIL PROTECTED]...
> what is the difference between
> nat (inside) 1 0 0
> and
> nat 1 0 0
>
> They are the same, nat all inside networks
> 
>
> I am completely lost when to use "netmask" when not. Some statements are
> required to have one some not. Is there any rule about it that or I just
> have to memorize all.
> example
> static (inside,outside) 200.1.1.1 10.1.1.1 -->> no netmask statement
>
> it will give you static translation with 32/bit mask
> ###
>
> isakmp key mykey address 200.1.1.1 netmask 255.255.255.255
>
> defaults to 32/bit mask of specified peer address if no mask defined
>
> ##
> interface outside 200.200.200.10 255.255.255.0 -->> no netmask statement
> global (outside) 200.1.1-200.1.1.20 netmask 255.255.255.0
>
> it will give a default mask depends on ip address class if no netmask defined




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47874&t=47786



Re: CCIE Written DPT/SRT - huh? [7:47807]

2002-06-30 Thread Gaz

Hi Nick,

You sure it was SRT? SRP makes more sense when linked with DPT.

URL below may help if that's the case:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
limit/120s/srpapsgs.htm#xtocid1


watch the wrap

Gaz


""Nick Lesewski""  wrote in message
news:[EMAIL PROTECTED]...
> On the requirements for new CCIE Written Beta they listed DPT/SRT under the
> WAN section, but I can't find any references to these in the groupstudy
> archives or on the Cisco website.  Anybody have any idea what they might be
> asking about?
>
> NIC
>
>
>
> _
> Send and receive Hotmail on your mobile device: http://mobile.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47809&t=47807



Re: Permit Ping access thru PIX FW [7:47193]

2002-06-23 Thread Gaz

Yep - that conduit would do for the DMZ.
You've also got to remember that the Pix 'always' translates, so you've got
to have some form of translation from DMZ to inside.
Sounds like you must have had the translation from outside to inside for the
outgoing ping to work.
At a minimum for the DMZ you would need:

static (inside,DMZ1) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 0 0

where 10.10.10.0 is your inside network.

This is telling it to translate 10.10.10.0 addresses to 10.10.10.0
(basically it just passes it through untranslated from DMZ to inside).

Of course you may have been using Global and Nat statements. In which case
you need a global statement on the DMZ interface to match up with the NAT on
the inside interface.


Regards,

Gaz



""Karagozian Sarkis""  wrote in message
news:[EMAIL PROTECTED]...
> Hi Gaz,
>
> Thanks for your explanations. (I am referring to MCNS Man.p.5-41)
> So in fact it should be: conduit permit icmp any any echo-reply
> for allowing icmp replies back in from outside or dmz.
>
> Also why then I was able for example: ping outside 4.22.122.10
> But, Not able to ping dmz 199.16.1.3 (unless the dmz intfc. was shut)
>
> So in order to be able to ping the dmz intfc 192.168.6.3 I need a conduit
> command like : conduit permit icmp host 192.168.6.3 any
>
> Can you explain or correct me on this???
> Thanks.
> Sarkis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47242&t=47193



Re: Permit Ping access thru PIX FW [7:47193]

2002-06-23 Thread Gaz

Hi Sarkis

The short answer is - no.
The conduit command in this case is just allowing the reply to come back in.
The outgoing ping will be allowed out by default.
Unlike access lists the conduit does not specify which interface the 'rule'
is to be applied to, so, with the conduit command you will be letting
replies in from outside and from the DMZ.

An access list doing the same thing would need to be applied to both the DMZ
and the outside interface. For this reason, the conduit is nice for testing,
because it's one command instead of 3 minimum.


Gaz


""Karagozian Sarkis""  wrote in message
news:[EMAIL PROTECTED]...
> HI all
>
> BCMS book says: permit ping access thru the PIX Firewall with the
> conduit permit icmp any any command, letting hosts on the inside ping
> outside hosts.
>
> Does this mean I can't ping the dmz interface?? and it only allows pings
> from inside Interface to the Outside global hosts ??
>
> for example: ping outside 4.22.122.xx  (able to ping)
> But, ping dmz 199.16.1.3 (Not able to ping)
>
> Thanks
> Sarkis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47228&t=47193
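
The conduit-versus-access-list comparison in this reply, as an added example (not code from the thread): a small parser for PIX `conduit` commands that emits the `access-list` and `access-group` equivalent for each interface it must be bound to, and flags the broad forms discussed here. The interface names `outside` and `dmz` and the ACL names are assumptions.

```python
ANY_FORMS = {"0 0", "0.0.0.0 0.0.0.0"}


def _take_addr(tokens):
    """Consume one PIX address spec ('any', 'host A' or 'A MASK') from tokens."""
    if not tokens:
        raise ValueError("address expected")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError(f"incomplete address: {tokens}")
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    spec = f"{tokens[0]} {tokens[1]}"
    return ("any" if spec in ANY_FORMS else spec), tokens[2:]


def parse_conduit(line):
    """Parse 'conduit permit|deny PROTO GLOBAL [eq PORT] FOREIGN [ICMP-TYPE]'.

    GLOBAL is the destination of the inbound traffic, FOREIGN its source.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "conduit" or tok[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit command: {line!r}")
    rule = {"action": tok[1], "protocol": tok[2], "port": None, "icmp_type": None}
    rest = tok[3:]
    rule["global"], rest = _take_addr(rest)
    if len(rest) >= 2 and rest[0] == "eq":
        rule["port"], rest = rest[1], rest[2:]
    rule["foreign"], rest = _take_addr(rest)
    if rule["protocol"] == "icmp" and rest:
        rule["icmp_type"] = rest[0]
    return rule


def to_acl(rule, acl_name, interfaces):
    """Emit the access-list form. An ACL names the source first, so the
    conduit's FOREIGN and GLOBAL fields swap places, and the list has to be
    bound to every interface that the single conduit covered implicitly."""
    parts = ["access-list", acl_name, rule["action"], rule["protocol"],
             rule["foreign"], rule["global"]]
    if rule["port"]:
        parts += ["eq", rule["port"]]
    if rule["icmp_type"]:
        parts.append(rule["icmp_type"])
    cmds = [" ".join(parts)]
    cmds += [f"access-group {acl_name} in interface {name}" for name in interfaces]
    return cmds


def review(rule):
    """Return review findings for a permit conduit."""
    findings = []
    if rule["action"] != "permit":
        return findings
    if rule["protocol"] == "icmp" and rule["icmp_type"] is None:
        findings.append("no ICMP type: every ICMP message type is admitted, "
                        "not only echo-reply")
    if rule["global"] == "any" and rule["foreign"] == "any":
        findings.append("any/any: matches every source and destination, and a "
                        "conduit is not tied to one interface")
    return findings


if __name__ == "__main__":
    for text in ("conduit permit icmp any any",
                 "conduit permit icmp any any echo-reply"):
        rule = parse_conduit(text)
        print(text)
        for cmd in to_acl(rule, "ping_reply", ["outside", "dmz"]):
            print("   ", cmd)
        for finding in review(rule):
            print("    !", finding)
```

With two lower-security interfaces the access-list form comes to three commands, which matches the count given in the reply.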



Re: ISDN [7:47220]

2002-06-23 Thread Gaz

Surely not.
Is ISDN used so infrequently in the states now??
It's still used widely in the UK at least. Can't believe they'd get rid of
it yet.
If there is truth in this rumour, I'd be amazed.


Gaz

""Terry Hines""  wrote in message
news:[EMAIL PROTECTED]...
> Has there been any indication as to the status of ISDN in the CCNP / IP
> Tests. I have heard that ISDN is going away as the New NP tests are
> introduced.
>
> Terry Hines
> Principal Enterprise Architect
> CompuTouch Data Solutions




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47229&t=47220



Re: Router 3DES VPN to Pix Failover [7:46813]

2002-06-18 Thread Gaz

In case anybody is interested:
Managed to find the answer eventually. Stateful failover is not supported
for VPN (from TAC), so the SA's must be cleared every time a change of
active Pix occurs.
Had the right idea with the lifetime of the CA's but applying it incorrectly.
Have managed to get the devices to do this automatically by using isakmp
keepalive 120 (crypto isakmp keepalive 120 for routers).
This means there is some extra overheads as the SA's are cleared every 2
minutes, but at least the VPN re-establishes itself.



Gaz



""Gaz""  wrote in message
news:[EMAIL PROTECTED]...
> Hi all,
>
> Anybody got any experience using 3DES to Pix Failover.
>
> I have a 2621 with 3DES using VPN to Pix 515 Failover bundle.
>
> All works fine after initial boot. Fails over to secondary Pix when I kill
> the Primary.
>
> If I try to fail back to Primary, it does not come back up. Does not seem to
> pick up the SA. Clear SA on the router brings it back up.
> Knocked the lifetime down to 60 seconds in the ISAKMP policy, but seems to
> have no effect.
>
> Failover is working fine, it's just the VPN that doesn't come back up.
>
> Pix is 6.2, router is 12.1(5)T12.
>
> Any similar experiences?
>
> More details to follow if there are any bites  :-)
>
>
> Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46900&t=46813



Re: ISDN -- challenge! [7:46496]

2002-06-14 Thread Gaz

Your dialer map statement associates the IP address 172.16.1.2 with the
telephone number 5554000. All that isdn1 knows is that it must dial 5554000
if it needs to get to 172.16.1.2.

By adding the name statements, when isdn1 receives a call from isdn2 it
associates this call with the dialer map statement i.e. it knows it already
has that link up and will not try to open another one when it needs to get
back to 172.16.1.2.

Whether this is the correct terminology/logic I do not know, but it seems to
be the way it works and it's the way I keep it straight (ish) in my head.

If you find the real explanation (if it's different) I'd be interested to
hear.

Cheers,


Gaz


""Pierre-Alex Guanel""  wrote in message
news:[EMAIL PROTECTED]...
> Ok, here are the results of my tests (cumulative)
>
> 1) I gave the loopbacks unique IP addresses and tested
>
> result: no change
>
> 2) I  assigned isdn1 f0/0 to vlan11 and isdn f0/0 to vlan12
> on isdn1 f0/0 ip address was 192.168.10.1/24
> on isdn2 f0/0 ip address was 192.168.20.1/24
>
> I left the default route unchanged on both routers and tested
>
> result: no change
>
>
> 3) I remove the default route and created specific routes instead
>
> on isdn1: ip route 192.168.10.0 255.255.255.0 172.16.1.2
> on isdn2: ip route 192.168.20.0 255.255.255.0 172.16.1.1
>
> result: no change. When the first bri channel was up, I was able to ping nor
> the two fast ethernet interfaces nor the two bri interface. Strange!!!
>
>
> 4) I added the keyword "name" to each map statement (as suggested by Gaz)
>
> on isdn1:dialer map ip 172.16.1.2 name isdn2 broadcast 5554000
> on isdn2:dialer map ip 172.16.1.1 name isdn1 broadcast 5551234
>
> result: double success. RouterA (isdn1) did not try to initiate another
> connection AND I was able to ping the fast ethernet interfaces and the bri
> interfaces.
>
> See below:
>
> isdn2#ping 192.168.10.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
>
> 01:12:30: ISDN BR0/0: RX  on B1 at 64 Kb/s
> 01:12:30: ISDN BR0/0: Event: Accepting the call id 0x10
> 01:12:131009057551: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> 01:12:30: ISDN BR0/0: TX -> CALL_PROC pd = 8  callref = 0x94
> 01:12:30: Channel ID i = 0x89
> 01:12:30: ISDN BR0/0: TX -> CONNECT pd = 8  callref = 0x94
> 01:12:30: Channel ID i = 0x89
> 01:12:30: ISDN BR0/0: RX  03:55:06: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up.
> 01:12:32: BR0/0:1 DDR: dialer protocol up.!!!
> Success rate is 60 percent (3/5), round-trip min/avg/max = 32/32/32 ms
> isdn2#
> 01:12:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to up
> 03:55:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, changed state to up
>
> Now that the problem is solved (thanks Gaz, Daniel, Ahoang and Thomas), we
> need to understand the reasons for the behavior of router A . To summarize:
>
> 1) Without the "name" keyword, routerA attempts to initiate a connection on
> receiving a connection initiated by router B.
>
> 2) Once the channel setup from B is up, data traffic does not flow even with
> proper routes.
>
> My gut feeling is that "name" keyword is preventing data traffic to flow
> between the two routers , even when the channel is up! This would explain
> why routerA is attempting to open a new connection even though there is a
> channel already up. routerA must be thinking that it is not allowed to use
> the already existing channel to reply to router B ... but then it would mean
> that something must have leaked from A to B to prone routerA to initiate a
> connection ...
> but what if not ip data?
>
> I will do some more research on this and post my findings&remarks&questions
> in a next post.
>
>
> Pierre-Alex




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4&t=46496



Re: PIX 501 Upgrade [7:46519]

2002-06-14 Thread Gaz

Yeah - it was only a minor observation really.
I take it you used the ROMMON method, as if you had just used copy tftp
flash it wouldn't have asked if you wanted to enter a new activation key.

The ROMMON method just means more down time if that's important to you.

Gaz


 wrote in message
news:[EMAIL PROTECTED]...
> Just loaded 6.2 onto a 501...  If you're loading the new OS ver, it's going
> to ask you to either retain the original key or enter a new one; so it's
> just as easy to enter the new key if you have it available.
>
> MKJ
>
> -Original Message-
> From: Gaz [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 14, 2002 2:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX 501 Upgrade [7:46519]
>
>
> If you're going to upgrade to 6.2, you may as well just upgrade it normally
> (not through ROMMON) and then use the activation-key command.
> Became available in 6.2 so you don't need to re-install the image to
> re-enter activation key.
> Must admit I've not done it on 501's yet, so anyone please correct me if
> it's not available, but I'd be 99% certain it will be. Used it on 506's and
> 515's
>
> Gaz
>
>
> ""Brad Ellis""  wrote in message
> news:[EMAIL PROTECTED]...
> > Yes, you need to install the OS on there again.  You might as well put on
> > 6.2(1) while you're at it.  I've been using it for a couple weeks and it's
> > been pretty stable.
> >
> > thanks,
> > -Brad Ellis
> > CCIE#5796 (R&S / Security)
> > [EMAIL PROTECTED]
> > Cisco home labs:  www.optsys.net
> > ""Rick""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > I have not been able to find a way to upgrade mine from DES that it came
> > > with to a 3DES that I purchased. According to the docs the only way to upgrade
> > > the license is to reinstall the OS and it recommends upgrading at the same
> > > time.
> > > How do I enter the key?
> > >
> > > Cisco PIX Firewall Version 6.1(2)
> > > Cisco PIX Device Manager Version 1.1(2)
> > >
> > > Compiled on Fri 16-Nov-01 14:28 by morlee
> > >
> > > pixfirewall up 10 days 22 hours
> > >
> > > Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
> > > Flash E28F640J3 @ 0x300, 8MB
> > > BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
> > >
> > > 0: ethernet0: address is 0009.7c48.c239, irq 9
> > > 1: ethernet1: address is 0009.7c48.c23a, irq 10
> > >
> > > Licensed Features:
> > > Failover:   Disabled
> > > VPN-DES:Enabled
> > > VPN-3DES:   Disabled
> > > Maximum Interfaces: 2
> > > Cut-through Proxy:  Enabled
> > > Guards: Enabled
> > > Websense:   Enabled
> > >
> > > Thanks,
> > > Rick
> > >
> > >
> > >
> > > ""Brad Ellis""  wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Rick,
> > > >
> > > > You do NOT need to upgrade your PIX to run 6.2 OS, here's my pix 501 I'm
> > > > using with 6.2(1) and 3DES:
> > > >
> > > > brad-vegas# sh ver
> > > >
> > > > Cisco PIX Firewall Version 6.2(1)
> > > > Cisco PIX Device Manager Version 1.1(2)
> > > >
> > > > Compiled on Wed 17-Apr-02 21:18 by morlee
> > > >
> > > > brad-vegas up 2 days 0 hours
> > > >
> > > > Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
> > > > Flash E28F640J3 @ 0x300, 8MB
> > > > BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
> > > >
> > > > 0: ethernet0: address is 0008.a3f7.c052, irq 9
> > > > 1: ethernet1: address is 0008.a3f7.c053, irq 10
> > > > Licensed Features:
> > > > Failover:   Disabled
> > > > VPN-DES:Enabled
> > > > VPN-3DES:   Enabled
> > > > Maximum Interfaces: 2
> > > > Cut-through Proxy:  Enabled
> > > > Guards: Enabled
> > > > URL-filtering:  Enabled
> > > > Inside Hosts:   10
> > > > Throughput: Limited
> > > > IKE peers:  5
> > > >
> > > >
> > > > thanks,
> > > > -Brad Ellis
> > > > CCIE#5796 (R&S / Security)
> > > > Network Learning Inc
> > > > [EMAIL PROTECTED]
> > > > www.optsys.net (Cisco hardware)
> > > >
> > > > ""Rick""  wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > > Has anyone upgraded a PIX 501. All of the current 6.x
> > > > > files all say they require 32meg DRAM and this 501 only has
> > > > > 16meg. The problem I have is I need to upgrade to a 3DES
> > > > > license and it requires that I load a new image and I don't
> > > > > want to take a chance with not being able to get the current
> > > > > releases to work. The funny thing is this came with 6.12 on it.
> > > > > Rick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46659&t=46519



Re: ISDN -- challenge! [7:46496]

2002-06-14 Thread Gaz

Oh you had to ruin it and make me explain my half-arsed guestimate shot in
the dark theory :-)

My reasoning was based only on the fact that isdn2 is the exact hostname of
the other router, and I was just wondering whether it was causing confusion
somehow.

But... I think I changed my mind.

Can you change your dialer map statements to:

dialer map ip 172.16.1.2 name isdn2 broadcast 5554000   (on isdn1)

and

dialer map ip 172.16.1.1 name isdn1 broadcast 5551234 (on isdn2)


Gaz



""Pierre-Alex Guanel""  wrote in message
news:[EMAIL PROTECTED]...
> Gaz, you are going to have to educate me on cultural issues ...
>
> What is wrong with those numbers ?
>
> (ip host isdn2 2065 1.1.1.1)
>
> Pierre-Alex




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46644&t=46496



Re: PIX 501 Upgrade [7:46519]

2002-06-14 Thread Gaz

If you're going to upgrade to 6.2, you may as well just upgrade it normally
(not through ROMMON) and then use the activation-key command.
Became available in 6.2 so you don't need to re-install the image to
re-enter activation key.
Must admit I've not done it on 501's yet, so anyone please correct me if
it's not available, but I'd be 99% certain it will be. Used it on 506's and
515's

Gaz


""Brad Ellis""  wrote in message
news:[EMAIL PROTECTED]...
> Yes, you need to install the OS on there again.  You might as well put on
> 6.2(1) while you're at it.  I've been using it for a couple weeks and it's
> been pretty stable.
>
> thanks,
> -Brad Ellis
> CCIE#5796 (R&S / Security)
> [EMAIL PROTECTED]
> Cisco home labs:  www.optsys.net
> ""Rick""  wrote in message
> news:[EMAIL PROTECTED]...
> > I have not been able to find a way to upgrade mine from DES that it came
> > with to a 3DES that I purchased. According to the docs the only way to upgrade
> > the license is to reinstall the OS and it recommends upgrading at the same
> > time.
> > How do I enter the key?
> >
> > Cisco PIX Firewall Version 6.1(2)
> > Cisco PIX Device Manager Version 1.1(2)
> >
> > Compiled on Fri 16-Nov-01 14:28 by morlee
> >
> > pixfirewall up 10 days 22 hours
> >
> > Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
> > Flash E28F640J3 @ 0x300, 8MB
> > BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
> >
> > 0: ethernet0: address is 0009.7c48.c239, irq 9
> > 1: ethernet1: address is 0009.7c48.c23a, irq 10
> >
> > Licensed Features:
> > Failover:   Disabled
> > VPN-DES:Enabled
> > VPN-3DES:   Disabled
> > Maximum Interfaces: 2
> > Cut-through Proxy:  Enabled
> > Guards: Enabled
> > Websense:   Enabled
> >
> > Thanks,
> > Rick
> >
> >
> >
> > "Brad Ellis" wrote in message
> > news:[EMAIL PROTECTED]...
> > > Rick,
> > >
> > > You do NOT need to upgrade your PIX to run 6.2 OS, here's my pix 501 I'm
> > > using with 6.2(1) and 3DES:
> > >
> > > brad-vegas# sh ver
> > >
> > > Cisco PIX Firewall Version 6.2(1)
> > > Cisco PIX Device Manager Version 1.1(2)
> > >
> > > Compiled on Wed 17-Apr-02 21:18 by morlee
> > >
> > > brad-vegas up 2 days 0 hours
> > >
> > > Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
> > > Flash E28F640J3 @ 0x300, 8MB
> > > BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
> > >
> > > 0: ethernet0: address is 0008.a3f7.c052, irq 9
> > > 1: ethernet1: address is 0008.a3f7.c053, irq 10
> > > Licensed Features:
> > > Failover:   Disabled
> > > VPN-DES:Enabled
> > > VPN-3DES:   Enabled
> > > Maximum Interfaces: 2
> > > Cut-through Proxy:  Enabled
> > > Guards: Enabled
> > > URL-filtering:  Enabled
> > > Inside Hosts:   10
> > > Throughput: Limited
> > > IKE peers:  5
> > >
> > >
> > > thanks,
> > > -Brad Ellis
> > > CCIE#5796 (R&S / Security)
> > > Network Learning Inc
> > > [EMAIL PROTECTED]
> > > www.optsys.net (Cisco hardware)
> > >
> > > "Rick" wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Has anyone upgraded a PIX 501. All of the current 6.x
> > > > files all say they require 32meg DRAM and this 501 only has
> > > > 16meg. The problem I have is I need to upgrade to a 3DES
> > > > license and it requires that I load a new image and I don't
> > > > want to take a chance with not being able to get the current
> > > > releases to work. The funny thing is this came with 6.12 on it.
> > > > Rick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46615&t=46519



Re: ISDN -- challenge! [7:46496]

2002-06-14 Thread Gaz

This may sound daft, and I'm almost embarrassed to suggest it, but will you
humour me and remove the "ip host isdn2 2065 1.1.1.1" command from
Router-isdn1.
Distant memories are haunting me.

I haven't got an ISDN simulator to play with at home, but I'm stumped too.


Gaz


"Pierre-Alex Guanel" wrote in message
news:[EMAIL PROTECTED]...
> No I am not running any routing protocol!
>
> Here are my configs:
>
> isdn1 (router A)
>
> isdn1#show run
> Building configuration...
>
> Current configuration : 1166 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname isdn1
> !
> enable secret 5 $1$9PdI$e3RshbiT8O9CiQxW317VQ0
> !
> username isdn2 password 0 cisco
> username isdn3 password 0 cisco
> ip subnet-zero
> !
> !
> no ip domain-lookup
> ip host isdn2 2065 1.1.1.1
> !
> isdn switch-type basic-ni
> !
> !
> !
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Serial0/0
>  no ip address
>  shutdown
>  no fair-queue
> !
> interface BRI0/0
>  ip address 172.16.1.1 255.255.255.0
>  encapsulation ppp
>  dialer map ip 172.16.1.2 broadcast 5554000
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 51055512340001
>  isdn spid2 51055512350001
>  ppp authentication chap
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Serial0/1
>  no ip address
>  shutdown
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 172.16.1.2
> ip http server
> ip pim bidir-enable
> !
> dialer-list 1 protocol ip permit
> !
> line con 0
>  escape-character 19
> line aux 0
>  no exec
>  transport input all
> line vty 0 4
>  password san-fran
>  login
> !
> no scheduler allocate
> end
>
> 
>
> isdn 2 (Router B)
>
> isdn2#show run
> Building configuration...
>
> Current configuration : 1115 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname isdn2
> !
> logging rate-limit console 1
> enable secret 5 $1$8Z95$B21CJMn0N8R9EqeGB8olj1
> !
> username isdn1 password 0 cisco
> ip subnet-zero
> !
> !
> no ip domain-lookup
> ip host switch 2065 1.1.1.1
> !
> isdn switch-type basic-ni
> !
> !
> !
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.255
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface BRI0/0
>  ip address 172.16.1.2 255.255.255.0
>  encapsulation ppp
>  dialer map ip 172.16.1.1 broadcast 5551234
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 5105554001
>  isdn spid2 51055540010001
>  ppp authentication chap
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 172.16.1.1
> no ip http server
> ip pim bidir-enable
> !
> access-list 1 permit any
> dialer-list 1 protocol ip list 1
> !
> line con 0
>  escape-character 18
> line aux 0
>  no exec
>  transport input all
> line vty 0 4
>  password san-fran
>  login
> !
> no scheduler allocate
> end




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46614&t=46496



Re: PIX 6.2 [7:46454]

2002-06-14 Thread Gaz

Doh!


Thanks for info I think

I'd like to see the test plan for it.

Does it look pretty (Yes/No)
Does it give Marketing something to spout off about (Yes/No)
End

Everyone seems to be doing the Microsoft thing at the moment (Live Beta
testing). Foundry's Ironview is entertaining as well.

Gaz

"Lidiya White" wrote in message
news:[EMAIL PROTECTED]...
> By the way, PDM 2.0.1 is deferred now. Wait for 2.0.2...
>
> -- Lidiya White
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Roberts, Larry
> Sent: Thursday, June 13, 2002 10:16 AM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX 6.2 [7:46454]
>
> No, but 6.2(1) is :)
>
> PDM 2.0 is also available. Have both in my lab and they seem pretty
> stable
> so far.
>
> Thanks
>
> Larry
>
> -Original Message-
> From: Clayton Dukes [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 13, 2002 9:12 AM
> To: [EMAIL PROTECTED]
> Subject: PIX 6.2 [7:46454]
>
>
> Howdy,
> Does anyone know if the PIX 6.2 software is available yet?
>
>
> Clayton Dukes
> Cisco Info Center SE
> CCNA, CCDA, CCDP, CCNP, NCC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46612&t=46454



Re: PIX 6.2 [7:46454]

2002-06-13 Thread Gaz

We put it straight on our production Pix's along with the new PDM (VIPs,
groups etc).
We decided that if we didn't have any faith why should any of our customers,
and we really wanted to play with the Groups anyway.
No problems so far. Must be a month or so now.

Gaz

"Clayton Dukes" wrote in message
news:[EMAIL PROTECTED]...
> Howdy,
> Does anyone know if the PIX 6.2 software is available yet?
>
>
> Clayton Dukes
> Cisco Info Center SE
> CCNA, CCDA, CCDP, CCNP, NCC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46514&t=46454



Re: So not one person here knows how to post... [7:46381]

2002-06-13 Thread Gaz

You're just messin' with our minds Kris.

You posted your 4 Cisco items to it yesterday.

How did you do it anyway? I couldn't see how to do it either.
In fact I didn't know it existed until you brought it to light.

Was it just a clever publicity stunt?   :-)

Gaz



"Kris Keen" wrote in message
news:[EMAIL PROTECTED]...
> On For Sale? interesting.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46512&t=46381



Re: IOS Caveats: Do I just need more coffee?? [7:46346]

2002-06-12 Thread Gaz

Hi John
Resolved Caveats in Release 12.1(11b)E4

  a.. VLANs in the 1002 to 1005 range are disabled by default in Catalyst
software. In the Cisco IOS images for the Catalyst 6000 family switches and
Cisco 7600 series Internet Routers, the VLANs are in the forwarding state by
default. This default discrepancy might cause a problem in a situation where
a system running Cisco IOS Release 12.1(8a)E3 or later on the supervisor
engine and the MSFC is connected through an 802.1Q tunnel to a system
running Catalyst software. If the system running Cisco IOS software sends
BPDUs for reserved VLANs in the 1002 to 1005 range, the system running
Catalyst software drops these BPDUs and increments the rxTotalDrop counter.
This problem is resolved in Release 12.1(11b)E4. (CSCdx28347)


  b.. When the VLAN-bridge protocol is used, VLAN bridge BPDUs are not sent
even though the interface BPDU counters indicate that BPDUs are sent. This
problem is resolved in Release 12.1(11b)E4. (CSCdw80500)


  c.. The following error message displays when an SNMP cardTable MIB walk
is performed:

c6k_pwr_get_fru_present(): can't find fru_info for fru type 6, #66


  This problem is resolved in Release 12.1(11b)E4. (CSCdx41473)



  a.. When you enter the no ip routing command followed by the ip routing
command, the following error message appears:

A%FIB-4-FIBCBLK


  This problem is resolved in Release 12.1(11b)E4. (CSCin09681)


"John Neiberger" wrote in message
news:[EMAIL PROTECTED]...
> I just don't get this.  I'm looking at the IOS releases for the Cat6k
> and I see there is now 12.1(11b)E4 and we're running 12.1(11b)E3.  So, I
> check to see if there are any new features...none listed.  Then, more
> interestingly, I check the resolved caveatsnone listed.
>
> So, if there are no resolved caveats and no new features, why is there
> an E4 release in the first place??  With no bug fixes and no new
> features, how is E4 different than E3?
>
> Okay, back to work
>
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46367&t=46346



Re: PIX 515 FO license [7:46075]

2002-06-11 Thread Gaz

Anybody actually seen this happen though?

I'll be a bit gutted if my primary pix fails, and while I am getting the
Primary replaced, the active secondary reboots every 24 hours, or even once
for that matter.


Gaz



"Lidiya White" wrote in message
news:[EMAIL PROTECTED]...
> It'll reboot I believe every 24 hours.
>
> -- Lidiya White
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Sam Wong
> Sent: Friday, June 07, 2002 11:57 PM
> To: [EMAIL PROTECTED]
> Subject: PIX 515 FO license [7:46075]
>
> I've seen some PIX 515s on eBay lately that are PIX-515-FO (failover
> option).  Can anyone tell me what would happen if you tried running it
> as a primary firewall and not a secondary?  I don't recommend this, but
> one of my clients is asking about this and I've never tried to do it
> myself.
>
> Thanks,
>
> Sam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46297&t=46075



Re: Access List Problem!! [7:46262]

2002-06-11 Thread Gaz

deny ip any any

We may have a few other addresses caught up in there though. Were there any
other requirements like permitting anything else?

Sorry - Pedantic as ever:-)

No - can't do it in one line.



Gaz



"Mahmood" wrote in message
news:[EMAIL PROTECTED]...
> Thanx in advance dear friends,
> But is there any way to do this in one line?
>
> Thanx again
>
>
> - Original Message -
> From: "Daniel Cotts"
> To: "'Mahmood'" ;
> Sent: Tuesday, June 11, 2002 7:17 PM
> Subject: RE: Access List Problem!! [7:46262]
>
>
> > Break it into pieces.
> > Deny the range of 192.168.32.0 to 192.168.32.31
> > Deny the range of 192.168.32.32 to 192.168.32.36
> > Deny the host 192.168.32.37
> > Since 192.168.32.0 is not a valid host address I see no problem with
> > including it.
> >
> > > -Original Message-
> > > From: Mahmood [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, June 11, 2002 10:02 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Access List Problem!! [7:46262]
> > >
> > >
> > > Hi,
> > > My question is that : How Can I Deny this range: 192.168.32.1 to
> > > 192.168.32.37
> > > ?
> > >
> > > Thanks in advance
> > >
> > > Mahmood




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46308&t=46262
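
The range from this thread, split into the aligned blocks that single ACL lines can express. This is an added example, not part of any post above; the list number 10 and the function names are assumptions, and it shows how many lines the exact range needs compared with the range widened to include 192.168.32.0.

```python
import ipaddress


def range_blocks(first, last):
    """Smallest set of aligned CIDR blocks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def range_to_acl(first, last, acl_id=10, action="deny"):
    """Render each block as a standard IOS ACL line (list number is an assumption)."""
    lines = []
    for net in range_blocks(first, last):
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_id} {action} host {net.network_address}")
        else:
            # hostmask is the inverse of the netmask, i.e. the IOS wildcard
            lines.append(
                f"access-list {acl_id} {action} {net.network_address} {net.hostmask}")
    return lines


def covered_last_octets(first, last):
    """Last octets actually matched by the generated blocks (sanity check)."""
    octets = set()
    for net in range_blocks(first, last):
        for addr in net:
            octets.add(int(addr) & 0xFF)
    return sorted(octets)


if __name__ == "__main__":
    print("Exact range 192.168.32.1 - 192.168.32.37:")
    for line in range_to_acl("192.168.32.1", "192.168.32.37"):
        print(" ", line)
    print("Widened to start at 192.168.32.0:")
    for line in range_to_acl("192.168.32.0", "192.168.32.37"):
        print(" ", line)
    # A standard ACL ends in an implicit deny, so other sources need a permit.
    print("  access-list 10 permit any")
```
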



Re: Problem at 2509 access server, please need a help [7:46146]

2002-06-11 Thread Gaz

Do the password recovery sequence up to copying the start up config to
running, then have a look at the config related to the console port.

Post it here if necessary.

Gaz


"Mohannad Khuffash" wrote in message
news:[EMAIL PROTECTED]...
> Dear all,
> I have a problem with Cisco 2509-RJ access server as follow:
> When i reboot the router to it load the IOS installed in the flash, a
> warning message is appear
> (Configurations from version 12.0 may not be correctly under stood)
> after loading, the (Press RETURN to get started) normal  message is pop up
> at the console, but when i press Enter nothing happen only the message (
> Press RETURN to get started) appear again.
>
> I thought that the problem may be from the IOS installed where it give me a
> warning at the beginning, so when i tried to go to the ROMON mode to install
> a new IOS (i can't reach the router through any other interface) by press
> Ctrl+Break i got the following mode :
>
>
> >
>
> and the only available command are
> > ?
> B [filename] [TFTP Server IP address | TFTP Server Name]
>              Load and execute system image from ROM or from TFTP server
> C [address]  Continue execution [optional address]
> D /S M L V   Deposit value V of size S into location L with modifier M
> E /S M L     Examine location L with size S with modifier M
> G [address]  Begin execution
> H            Help for commands
> I            Initialize
> K            Stack trace
> L [filename] [TFTP Server IP address | TFTP Server Name]
>              Load system image from ROM or from TFTP server, but do not
>              begin execution
> O            Show configuration register option settings
> P            Set the break point
> S            Single step next instruction
> T function   Test device (? for help)
>
> Deposit and Examine sizes may be B (byte), L (long) or S (short).
> Modifiers may be R (register) or S (byte swap).
> Register names are: D0-D7, A0-A6, SS, US, SR, and PC
>
> so how can i upgrade the IOS in this mode, or is there any other method to
> solve the problem.
>
> Thanks
> --
>
>
>
>
> Mohannad N. Khuffash
> Network Administrator
> Palestine Telecom
> Tel : 00970-09-2390509




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46299&t=46146



Re: PIX Static and Conduit [7:46002]

2002-06-11 Thread Gaz

It's probably better worded as

static (high,low) [low IP address] [high IP address] netmask 255.255.255.255

Where high and low actually mean Higher security interface and Lower
Security interface.

Hopefully I haven't confused the issue, and looking at the date, hopefully
there isn't another 40 posts to this thread that I haven't got to yet.

Regards,

Gaz


"Karagozian Sarkis" wrote in message
news:[EMAIL PROTECTED]...
> I am preparing for MCNS - Manual Ver 2.1 Page 6-22 and not clear about Static
> and Conduit commands with fixup protocol smtp 25.
>
> I Don't understand the static (inside,outside) global-ip local-ip ...
> when I compare it with the below stated static command:
> static (dmz2,dmz1) 172.16.1.10 10.1.1.1 netmask 255.255.255.255.
>
> Question?
> Is static command always from lower nameif(dmz2)to higher nameif (dmz1)?
> If so why is it always stated as:
> static (inside,outside)? and not (Outside,Inside) 
>
> I am reading on page 6-22:
> That the Mail Guard feature removes the need for an external Mail Relay
> (Bastion Host) in the perimeter of DMZ network
>
> Once you create the Static and Conduit commands for an SMTP mail server, use
> the fixup protocol 25 command to enable the PIX Firewall's Mail Guard
> feature in PIX FW release 4.2 and later.
>
> Then says, The first IP address you specify in the static command is the 1st
> IP address you specify in the conduit command as in example :
>
> static (dmz2,dmz1) 172.16.1.10 10.1.1.1 netmask 255.255.255.255
> conduit permit tcp host 10.1.1.1 10.1.1.0 255.255.255.0
> fixup protocol smtp 25
>
> Also says:
> The static command maps the address 10.1.1.1 on the dmz1 intf. so that
> users on the dmz1 intf. can access the 172.16.1.10 host on the dmz2 intf.
> The conduit command permits any users in the 10.11.1.0 network access the
> 10.1.1.1 address over any tcp port.
>
> Is this correct? or should it say:
> static (dmz1,dmz2) 172.16.1.10 10.1.1.1 netmask 255.255.255.255
> Can someone explain the above??? thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46293&t=46002



Re: PIX 506 port translation with DHCP [7:45945]

2002-06-07 Thread Gaz

Pinging the Pix interface itself is not controlled by access lists. You need
to use   "icmp deny any outside".
If your pix doesn't allow the command, your image is too old for it. I can't
remember exactly when it came in.  The fact that you're using conduits
suggests your Pix may have been there for a while?
If you want to ping out, just use "conduit permit icmp any any echo-reply"

Use some logging to work out what's getting dropped:

logging on
logging console 4  (or 5)


Regards,

Gaz




"Parmjit" wrote in message
news:[EMAIL PROTECTED]...
> hi,
> Thanks I tried "static (inside,outside) tcp interface ftp armada ftp netmask
> 255.255.255.255 10 0" where armada is the name of the internal ftp server, I
> also used a conduit permit ip any any and I still can't ftp to it.
> I should also mention there is another problem unless I use a conduit permit
> icmp any any I cannot ping out, if I prefix this with a "no" so I can't
> ping, people on the net can still ping my pix, there is nothing in the
> config in the way of access lists etc. Having read the section in the book a
> pix by default should allow internal users to ping out but not the other way
> around, is there a fix for this also?
>
> thanks
>
> "brian charles" wrote in message
> news:[EMAIL PROTECTED]...
> > If you have version 6.0 or greater you can do port redirection with the
> > static command. Create an acl to allow the traffic
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid20
> >
> > static
> > Maps a local IP address to a global IP address (NAT) and supports TCP and
> > UDP port redirection (static PAT). (Configuration mode.)
> >
> > [no] static [(internal_if_name, external_if_name)] {tcp | udp} {global_ip |
> > interface} global_port local_ip local_port [netmask mask] [max_conns
> > [em_limit]] [norandomseq]
> >
> > show static




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45988&t=45945



Re: access-list question? [7:45585]

2002-06-04 Thread Gaz

It's very possible after a few beers that I'm not thinking straight, so I
won't linger on the point, but what is that wild card mask doing?

0.0.6.255

0110 

Won't this work for all the odd subnets within the specified range
(192.168.1.0, 192.168.3.0.192.168.7.0)

If it's still allowed...Are non contiguous wild card masks still allowed?
Dunno.. I seem to remember hearing they weren't any more.

Gaz

"Adams Josh" wrote in message
news:[EMAIL PROTECTED]...
> If you are trying to limit access on connections to the vty lines then you
> should use a standard access list.
> Your config will look like the following:
>
> access-list 1 permit 192.168.1.0 0.0.6.255
> line vty 0 4
> transport input telnet
> access-class 1 in
>
>
> If you are trying to limit access for telnet sessions originating from your
> router connecting to other devices; then your config will look like this:
>
> access-list 1 permit 192.168.1.0 0.0.6.255
> access-list 1 permit 192.168.1.0 0.0.6.255
> line vty 0 4
> transport input telnet
> transport output telnet
> access-class 1 out
>
> The reasoning here is that you don't need to go so far as to specify the
> transport protocol with an extended ACL when you can simply disable all
> other transport types on your VTYs and have fewer ACL headaches.
>
> You can combine these techniques to limit telnet sessions both inbound and
> outbound, but be careful not to "lock your keys in the car"!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45773&t=45585



Re: access-list question? [7:45585]

2002-06-01 Thread Gaz

If you are trying to restrict telnet access to the router to only those
addresses (192.168.1.0 to 192.168.7.0), you need at least two lines in the
access list.
If you can let 192.168.0.0 /24 through as well, then you can get it down to
one line.

Rather than using an extended access list, you can use a standard access
list and then apply it as an access class to the VTY lines.
Something like this:


access-list 31 deny 192.168.0.0 0.0.0.255
access-list 31 permit 192.168.0.0 0.0.7.255

line vty 0 4
 access-class 31 in

Forget the first line if you can let 192.168.0.0 /24 through.

Anybody's welcome to chip in if I missed something, or even totally screwed
it up. World Cup fever has hit and still recovering. (Any French list
members - ho ho - sorry!)

What do you call a Frenchman in the 2nd round of the world cup?
Referee!


Gaz


"GEORGE" wrote in message
news:[EMAIL PROTECTED]...
> If I wanted to apply a access list to allow only  networks from
> 192.168.1.0 to 192.168.7.0 and apply it to the vty lines
>
> is this correct
>
> access-list 101 allow tcp  192.168.1.0 0.0.6.255 eq 23 any
> ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45588&t=45585
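
Which /24 subnets the wildcard masks in the two access-list threads above actually match, as an added example that is not part of any post. It assumes the second line of list 31 is written with the mask 0.0.7.255, evaluates entries first-match with the implicit deny at the end, and uses hypothetical function names.

```python
import ipaddress


def _u32(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: 0 bits must equal the base, 1 bits are ignored."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


def is_contiguous(wildcard):
    """True when the wildcard is a run of 0 bits followed by a run of 1 bits."""
    w = _u32(wildcard)
    return (w & (w + 1)) == 0


def evaluate(acl, addr):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


def permitted_third_octets(acl, candidates=range(0, 16)):
    """Values x for which both ends of 192.168.x.0/24 are permitted."""
    result = []
    for x in candidates:
        probes = (f"192.168.{x}.1", f"192.168.{x}.254")
        if all(evaluate(acl, p) == "permit" for p in probes):
            result.append(x)
    return result


# The single-line attempt from the thread: base 192.168.1.0, wildcard 0.0.6.255.
SINGLE_LINE = [("permit", "192.168.1.0", "0.0.6.255")]

# The two-line list 31 (mask assumed to be 0.0.7.255).
LIST_31 = [
    ("deny", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.7.255"),
]

if __name__ == "__main__":
    print("0.0.6.255 contiguous:", is_contiguous("0.0.6.255"))
    print("single line permits 192.168.x.0/24 for x =",
          permitted_third_octets(SINGLE_LINE))
    print("list 31 permits 192.168.x.0/24 for x =",
          permitted_third_octets(LIST_31))
```
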



Re: DHCP [7:45338]

2002-05-29 Thread Gaz

You need the IP-Helper address on the router interface which is nearest to
your DHCP clients, so if I'm understanding your set-up, it would be on the
1720 ethernet and the helper address would be that of your DHCP server.
Obviously you will have to have a scope on your DHCP server which
corresponds to the ethernet subnet on your 1720.
You may want to control which ports are forwarded as an IP helper address
sends a lot more than just DHCP, such as TFTP, Bootp, DNS, and a few others
IIRC, so use no ip forward-protocol udp [port number]

I'm sure others will chip in with pointers for ISDN usage.


Gaz

"Shane Stockman" wrote in message
news:[EMAIL PROTECTED]...
> I have a Cisco 1720 router with 2 x BRI modules and a cisco switch connected
> with a couple of PC's. These dial into a Cisco 3640 router. I want to setup
> DHCP. I have a DHCP server on the 3640 side with an address range. I looked
> for a sample config on Cisco.com but all I got was how to configure a Router
> as a DHCP server.
>
> Does anyone have a sample config on how to set this up. I know that one has
> to use ip helper address but where ???
>
> Thanks
>
>
> _
> Send and receive Hotmail on your mobile device: http://mobile.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45351&t=45338



Re: what's the difference btw the two routers config? [7:45337]

2002-05-29 Thread Gaz

Can't see anything obvious in the config, so I will have to just have a
guess.
Could this be an ARP problem? If the firewall has the MAC address of RT2
cached.
Can you either clear the firewall ARP entries, or if you have the luxury,
reboot the firewall when you install the new router.

I don't want to teach you to suck eggs, but just checking as you gave us
Show Conf. You know that Show Conf gives you the start up config and not the
running config (in case there is any difference).


Gaz

"Kenny Smith" wrote in message
news:[EMAIL PROTECTED]...
> Hi..  Could you please check for me what is the difference between the
> following two router config ? RT1 and RT2.  I can connect to internet using
> RT2 but not RT1.  And I can't even telnet to RT1 from my firewall.  But both
> of them are having same config and IP.  Why?
>
>
> RT1#sh conf
> Using 2824 out of 32762 bytes
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname RT1
> !
> enable secret 5 
> enable password 7 xx
> !
> ip subnet-zero
> no ip source-route
> no ip finger
> ip name-server 200.116.1.93
> ip name-server 200.116.254.150
> !
> !
> !
> interface Ethernet0
> description To Office Ethernet
> ip address 61.8.237.113 255.255.255.240
> no ip directed-broadcast
> ip accounting output-packets
> ip route-cache same-interface
> !
> interface Serial0
> description RT1 leased line :512k
> bandwidth 512
> ip address 100.24.9.58 255.255.255.252
> no ip directed-broadcast
> ip accounting output-packets
> traffic-shape group 105 30 32 32 1000
> !
> interface Serial1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> ip nat translation timeout never
> ip nat translation tcp-timeout never
> ip nat translation udp-timeout never
> ip nat translation finrst-timeout never
> ip nat translation syn-timeout never
> ip nat translation dns-timeout never
> ip nat translation icmp-timeout never
> ip classless
> ip route 0.0.0.0 0.0.0.0 100.24.9.57
> ip route 50.198.164.0 255.255.252.0 61.8.237.114
> !
> access-list 105 permit tcp any any eq ftp
> access-list 105 permit tcp any eq ftp any
> access-list 105 permit tcp any any eq smtp
> access-list 105 permit tcp any eq smtp any
> tftp-server flash \tftpboot\IGS-IN-L.BIN
> snmp-server community X RO
> banner exec ^C
> Router-name: RT1
> Platform   : Cisco2500
> ^C
> banner login ^C
>
> Unauthorised access is prohibited and may lead to
> legal or disciplinary action being taken against you
> ^C
> !
> line con 0
> exec-timeout 30 0
> login
> transport input none
> line aux 0
> exec-timeout 30 0
> password 7 
> transport input all
> line vty 0
> exec-timeout 15 0
> password 7 x
> login
> length 0
> line vty 1
> exec-timeout 0 0
> password 7 x
> login
> length 25
> line vty 2 4
> exec-timeout 15 0
> password 7 x
> login
> !
> end
>
> RT2#sh conf
> Using 1517 out of 32762 bytes
> !
> version 10.3
> no service finger
> service timestamps debug uptime
> service password-encryption
> no service udp-small-servers
> no service tcp-small-servers
> !
> hostname RT2
> !
> enable secret 5 xx
> !
> ip subnet-zero
> no ip source-route
> !
> interface Ethernet0
> description To Office Ethernet
> ip address 61.8.237.113 255.255.255.240
> no ip directed-broadcast
> ip accounting output-packets
> ip route-cache same-interface
> !
> interface Serial0
> description RT2 leased line :512k
> ip address 100.24.9.58 255.255.255.252
> no ip directed-broadcast
> ip accounting output-packets
> bandwidth 512
> !
> interface Serial1
> no ip address
> shutdown
> !
> ip name-server 200.116.1.93
> ip name-server 200.116.254.150
> ip classless
> ip route 0.0.0.0 0.0.0.0 100.24.9.57
> ip route 50.198.164.0 255.255.252.0 61.8.237.114
> logging buffered
> access-list 105 permit tcp any any eq ftp
> access-list 105 permit tcp any eq ftp any
> access-list 105 permit tcp any any eq smtp
> access-list 105 permit tcp any eq smtp any
> tftp-server flash \tftpboot\IGS-IN-L.BIN
> snmp-server community X RO
> banner exec ^C
> Router-name: RT2
> Platform   : Cisco2500
> ^C
> banner login ^C
>
> Unauthorised access is prohibited and may lead to
> legal or disciplinary action being taken against you
> ^C
> !
> line con 0
> line aux 0
> transport input all
> line vty 0
> exec-timeout 15 0
> password 7 xx
> login
> length 0
> line vty 1
> exec-timeout 0 0
> password 7 xx
> login
> line vty 2 4
> password 7 xx
> login
> !
> end
>
>
> _
> Send and receive Hotmail on your mobile device: http://mobile.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45349&t=45337



Re: Ip Helper info in the lab [7:45045]

2002-05-26 Thread Gaz

I suppose if one was consistently faster than the other you would have this
situation.
Was one of them steam powered, or did it have significantly different
network connectivity.
I suppose if one were even minutely faster than the other then it would be
used exclusively.

Gaz

"Chuck" wrote in message
news:[EMAIL PROTECTED]...
> interesting. I did find a couple of things in the various command references
> and in some TAC docs that indicated your answer is better than mine.
>
> OTOH, that still does not explain why 250 computers in eight different
> offices were all hitting the same DHCP server. The reason I know it to be
> true is that I had different scopes on each of the two servers. For example
> 192.168.4.50 through 150 on one server and 192.168.4.151 through 250 on the
> other.
>
>
> "Chris Camplejohn" wrote in message
> news:[EMAIL PROTECTED]...
> > Multiple "ip helper-address" on an interface has been supported for a long
> > time.  There is no sequential order per se.  The UDP broadcast packet is
> > converted to a unicast and sent to each address listed by a helper.  I would
> > recommend using a sniffer on the target network to ensure you are getting
> > both helpered packets.
> >
> > You might be hitting an IOS bug, but a quick scan didn't turn up any good
> > hits...
> >
> > Chris
> >
> >
> > "Elijah Savage" wrote in message
> > news:[EMAIL PROTECTED]...
> > > Seeing the other ip helper question made me think of what I was working on
> > > in my lab. On Friday morning I get into work and there was a severity 1
> > > ticket where about 800 employees could not log in. We discovered that one
> > > of the dhcp servers was down but we have 2 so in theory all should have
> > > been fine, on all of our routers we have both dhcp servers for ip helper.
> > > From reading some place in my long journey I am sure I read that ip helper
> > > would take a broadcast and change it to unicast and send traffic to all ip
> > > helper addresses regardless if it is down or not. But in this case that
> > > did not happen. To get everything back up I actually had to change the
> > > order that I had the ip helper addresses in. The server that was down I
> > > put it last and put the server that was up first and then everything
> > > started to work. So it seems as if some primary secondary thing is going
> > > on here. We are running ospf on our backbone with a variety of equipment
> > > configurations 6500's 5500's 3600's 2600's. All routers have a different
> > > version of IOS we have not had a chance to bring them all up to the same
> > > code what is similar is they all have at least 12.0 on them. I want to
> > > try and figure this out myself so I started playing with this in the lab
> > > with 2600's running 12.1(5) IOS and I came across the same exact thing.
> > > Did this change with IOS 12 or something has anyone else experienced this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45066&t=45045



Re: Doyle on Lab Rats [7:44611]

2002-05-25 Thread Gaz

It seems to me that this group spends more time bumping its gums about what
makes a good engineer, than it does discussing the actual engineering.
Yes, I tend to join in myself sometimes. I suppose everybody does it, but I
was just wondering - head count - is anybody actually studying as well as
doing all this banter?
No offence meant to anyone in particular - I'm British, so excel in
upsetting every bugger at the same time..

Gaz




You're right. We could sit around here all day talking, passing resolutions,
making clever speeches. It's not going to shift one Cisco Exam!
So, let's just stop gabbing on about it. It's completely pointless and it's
getting us nowhere!
I agree. This is a complete waste of time.
Right! This calls for immediate discussion!
Completely new motion, eh, that, ah-- that there be, ah, immediate action--
Ah, once the vote has been taken.
Well, obviously once the vote's been taken. You can't act another resolution
till you've voted on it...

1 point for the film
2 points for the discussion group

"Michael L. Williams" wrote in message
news:[EMAIL PROTECTED]...
> "nrf" wrote in message
> news:[EMAIL PROTECTED]...
> > The fact is, arrogance and insecurity cuts both ways.  Both sides (the
> > experienced guys and the inexperienced guys) are guilty from time to time.
> > And it's bad no matter who's doing it.
>
>
> Agreed 100%
>
> Mike W.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45038&t=44611



Pix SSH to outside interface [7:45031]

2002-05-25 Thread Gaz

Hi all,

I'm not sure whether this is possible or not, it could be a piece of cake,
but I'm without a pix at the moment to try it on.
If the outside interface is a private address (all registered addresses are
just routed to the pix and translated to internal addresses), is it still
possible to SSH to the Pix somehow?
Obviously it's not possible to SSH to the outside private address over the
internet, but is there a trick to do something like NAT (translating a
registered address to the outside address) or port redirection?
I suppose this could be done on the Internet router, but I'm trying to find
a way of doing it on the pix alone.
I seem to remember trying to SSH through the pix to an inside interface, and
I don't think this was possible (this was for a slightly different scenario
where the registered addresses were actually used on the inside network, but
I'd be interested to hear ideas for that too).

Any ideas?

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45031&t=45031



Re: Why do my switches keep pinging their default gateways!? [7:44897]

2002-05-23 Thread Gaz

I take it this is something to do with testing the default gateway.
Does it make sure the gateway is still there, otherwise tries for something
that will respond with a proxy ARP?
Can you change the default gateway to the 6509 and let it route to the
firewall if necessary?
Not going to stop the pings, but won't clog the log.
I wouldn't have thought it's ideal to have the firewall as default gateway
anyway. Can the firewall redirect inside if necessary?

Totally guessing to be honest, anybody else know for sure?

Gaz

"Wilson, Christian" wrote in message
news:[EMAIL PROTECTED]...
> I have 4 2948g's in 4 different wiring closets all wired to a core 6509
> through gig uplinks.  The interfaces on the switches are all assigned to
> VLAN 2, my management VLAN.  The only way to access VLAN 2 is through a
> checkpoint firewall running NG.  All switches have the firewall interface
> address as their default gateway.  I am able to telnet to all switches and
> manage them remotely just fine.  I am able to ping all other subnets in my
> network from the switches, routing seems fine.
>
> My firewall logs show that all five switches are constantly pinging the
> firewall interface, icmp-type 8 icmp-code 0.  No one is connected to my
> switches issuing a ping.  These are echos, not echo-replies.  When I run a
> sniffer on the VLAN, I show nothing going to the switches in the way of IP
> traffic, just the echos coming from the switches.  Each 2948g has about 15
> 2924-xl-en's attached to it through trunking.  None of the 2924's are trying
> to ping the firewall, although they all have the same VLAN assignment on
> their mgmt interfaces, the same default gateway, and are in the same subnet.
> There is no CGMP enabled, no DNS, no IP redirects.  The icmp packets have a
> TTL of 1, the sniffer reporting a TTL expired message.  The icmp traffic is
> constant, one every second.  How can I stop this?  Why is it happening?  Why
> don't my 2924's ping but my 2948g's and 6509 do?  Please help!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44897&t=44897



Re: ISDN-BRI [7:44867]

2002-05-23 Thread Gaz

Steven,

Quick - someone else is using your computer :-)

Have you really got a cable that connects two ISDN ports together? If it's
cheaper than my ISDN simulator I'll order two.

Have I misunderstood the question, or did you?


Gaz


"Steven A. Ridder" wrote in message
news:[EMAIL PROTECTED]...
> I'm going to guess that it would need to be crossover as well, but I'm not
> sure. Probably though.
>
>
> "Steven A. Ridder" wrote in message
> news:[EMAIL PROTECTED]...
> > I believe any cable with pins 3456 active will work.
> >
> >
> > "jb" wrote in message
> > news:[EMAIL PROTECTED]...
> > > Team,
> > > I have two routers with a BRI module, which cable should I used in order
> > > for each router be able to talk to the other via ISDN. I do not have an
> > > ISDN simulator..
> > >
> > > J




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44884&t=44867



Re: Chuck Semeria's IP Addressing Tutorial - Gone? [7:44865]

2002-05-23 Thread Gaz

Is this the one you're after?

http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf



"Robert Kulagowski" wrote in message
news:[EMAIL PROTECTED]...
> I remember downloading the tutorial a few years ago.  Looks like it's gone
> now - google shows it on the 3com website, but when you go there all you get
> is a blank page that says "Technical Papers".  Doing a search on the 3Com
> website doesn't come up with any hits.  Other links on google all point back
> to various places on the 3Com website that don't exist anymore.
>
> Anyone still have the original PDF?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44881&t=44865



VTP Concentrator - client to client [7:44276]

2002-05-14 Thread Gaz

Hi all

Someone was banding this question around at work today, so although it's
possibly a little off topic, I don't feel too guilty because I don't need
the answer, just interested.

If two clients each access a network via the internet in to one VPN
concentrator, is it possible in any way to let the two separate clients also
access each other's networks?

We had a few off the cuff ideas, but nothing that would seem to be a go'er.
Things like running overlapping NAT on an internal router with two
interfaces.

Anybody got any mad ideas, or possibly any sane ones?

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44276&t=44276



Re: CCIE- I WILL BE [7:43969]

2002-05-14 Thread Gaz

How about this one:

We used to provide troubleshooting support for a forces network which
included some large sites and a few very minor (one or two user) sites.
There had been problems with one of these small sites intermittently for a
few weeks, but things got worse until it was dropping three or 4 times per
day.

The router seemed to be rebooting every time there was a problem. We found
no relevant bugs, and though the site wasn't on UPS, site services didn't
believe there was any problem with power and assured us that the power to
the cabinet was an unswitched fused spur.
We initially upgraded the image and then swapped the router out, leaving the
old router in the cabinet powered up as well, but not connected.
The new router rebooted as well, and when we went back to site with the
intention of putting a small UPS in the cabinet, the old router had rebooted
at exactly the same time, which seemed to support our idea.
The previous 2 times on site I had just carried out the work and left. This
time I accepted the offer of a coffee while I fitted the UPS in.
All of a sudden the power went off to the whole cabinet.
What a relief. What a laugh. Next to the kettle in the room next door was a
double socket, one of them  labelled "Do not unplug", the other connected to
a radio. The cable ran through trunking, and through the wall, then trunking
all the way around the room to the comms cabinet.
Experience had taught the caretaker that nothing seemed to go wrong when the
plug was taken out, but he always plugged it back in just in case. It was
either that or his radio.

Doh!

Gaz




While
"Chuck" wrote in message
news:[EMAIL PROTECTED]...
> my favorite story was the company whose network went down every morning for
> a few minutes just about the time the work force was sitting down, turning
> on their PC's, and getting ready for the day. Now the obvious conclusion is
> "it's just busy that time of day" Except that it didn't necessarily happen
> every day.
>
> To make a long story short, a couple of power users had decided they needed
> more data jacks in their area, had purchased some switch or other at one of
> the chain stores, and dual homed it into the LAN infrastructure. Being
> conservation conscious folks, they powered down all their equipment when
> they went home for the day, and turned it on every morning when they came
> in.
>
> the result was a campus wide spanning tree recalculation every time they
> brought their switch on line.
>
> I forget how the customer told me this was discovered.
>
>
> "Priscilla Oppenheimer" wrote in message
> news:[EMAIL PROTECTED]...
> > And add to that cranky users who are entirely dependent on the network but
> > won't tell you the whole story when reporting problems. ;-)
> >
> > Priscilla
> >
> > At 09:52 PM 5/12/02, Michael L. Williams wrote:
> > >"Larry Letterman" wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > A 40 router lab is nice, but it's not the same as troubleshooting a
> > > > production network with 20,000 + users at multiple sites.
> > >
> > >Here here and to add to that.  "... a production network with
> > >20,000+ users at multiple sites..." running a variety of multiprotocol,
> > >quirky, sometimes custom-written (read: homemade) applications that are
> > >trying to do whatever on the network coupled with devices from whatever
> > >manufacturers that don't play nice ("oh, you need this device in its own
> > >VLAN because broadcast traffic makes it crash"), etc, etc
> > >
> > >Mike W.
> >
> >
> > Priscilla Oppenheimer
> > http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44270&t=43969



Re: Let the flamin' begin....dumbass beginner ques [7:43759]

2002-05-12 Thread Gaz

I don't think it was misinformation Brian.

Not sure whether it's all IOS's, but all the ones I have on my routers take
both commands although the clockrate method is a hidden one.

Not important in the least, just thought I'd mention it.


Gaz


"Brian Umbarger" wrote in message
news:[EMAIL PROTECTED]...
> Whoopsies... forgot the space
>
> The command is:
>
> Router (config-if)# clock rate 56000
>
> Sorry about the misinformation!!
>
> -Brian




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43968&t=43759



Re: Pix load balance? [7:42974]

2002-05-07 Thread Gaz

What's the reason?
I'm not disputing the fact, just wondering what the limitation is. I take it
that the limitation is only that it cannot do stateful failover with two
active PIXes?

Cheers,

Gaz

wrote in message
news:[EMAIL PROTECTED]...
> Yeah, I asked the same questions last month.  They can not.  If you really
> need firewall and Load balancing, FW-1 is the way to go.
>
> Theo
> CSS1, CCNP, CCSE
>
> "Patrick"
> Sent by: [EMAIL PROTECTED]
> 05/06/2002 06:28 AM
> Please respond to "Patrick"
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Pix load balance? [7:42974]
>
> No.
>
> "GEORGE" wrote in message
> news:[EMAIL PROTECTED]...
> > Can you load balance to pix firewalls?
> > Has anyone done this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43478&t=42974



Re: PIX OS upgrade [7:43264]

2002-05-03 Thread Gaz

Hi Sam,

I take it that you have a CCO log on. Go to the URL below:

http://www.cisco.com/cgi-bin/Software/SWSearch/SWSearch.cgi

and do a software search for files containing Pix.
You should get everything you need.

Regards,

Gaz


"Sam Wong" wrote in message
news:[EMAIL PROTECTED]...
> Hello.
>
> I need to upgrade an old PIX 520 to a version of the PIX OS that will
> support VPN-DES.  Cisco says I need PIX OS v5.0(3) or greater.  I only have
> 2MB of flash RAM, so I can't run v5.2(x) or greater.  Cisco has removed
> pix503.bin from their CCO download site.  Does anyone have pix503.bin that
> you can send me?
>
> I also have pix514.bin, but it's too large to fit on a floppy disk so I need
> a boothelper file.  As my luck would go, Cisco has also removed all the
> v5.1(x) boothelpers from their download site.  If anyone has a bh51?.bin,
> that should work for me as well.
>
> Thanks in advance.
>
> Sam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43273&t=43264



Re: Content Switching and Keepalives [7:43141]

2002-05-03 Thread Gaz

A little off topic, but has anybody tried similar with Foundry? Got it to
work yet?
Got it to fail properly when the service is unavailable or does it pass the
ICMP health check, then fail the layer 7 check and flap forever?
Can't believe how flaky Foundry is turning out to be recently.

I've got a bee in my bonnet... Layer 3 filtering on Foundry NetIrons
contained in all the documentation. Tried to implement it, didn't work,
reported to Foundry. Informed that NetIrons do not now support it. Sure
enough, the documentation was almost immediately updated. They've just
binned it - one of many. Bit late when you've sold it.

Tried adding/removing ports from VLAN's with the web management. Doh!

We're looking at stripping out ServerIrons and putting in CSS, partly due to
the extra flexibility available with the Cisco health checking, but mainly
because the support works!
You can knock Cisco all you like, but we keep coming back to them.

Anybody got any views on this?

Gaz



"David Harrison" wrote in message
news:[EMAIL PROTECTED]...
> This is correct. The domain name is not necessary. Since the CSS knows
> the ip address of the box it's watching it doesn't have to rely on a
> domain name to find the location of the server.
>
> However it is important that the css know the path to reach the
> reference page.
>
> I've used the following:
> service blah_blah
>   ip address 10.1.1.1
>   keepalive frequency 8
>   keepalive type http
>   keepalive uri "/.reference/arrowpoint-keepalive.html"
>   active
>
> I usually use the default "head" method vs the "get". Depends on whether
> the file you are watching is static or dynamic.
>
> Dave
>
>
> -Original Message-
> From: John Neiberger [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 03, 2002 12:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Content Switching and Keepalives [7:43141]
>
> I'm not positive about this but I don't believe you're supposed to
> include the domain name in the URI.  We simply use 'keepalive uri
> "/index.htm"' and that works well.  Give that a shot and see if it works
> for you.
>
> John
>
> >>> "Patrick Donlon"  5/3/02 9:54:47 AM >>>
> Hi
>
> I tested it and for some reason it didn't work,  I configured the following
> on the service:
>
> keepalive port 81,
> keepalive method get,
> keepalive type http
> keepalive frequency 25,
> keepalive retry 25
> keepalive uri  "www.blahblah.com/index.html"
>
> I then activated the service (and re-activated it a few times just in case)
> Any thing obviously wrong and what should I check in the log?
> cheers
>
> Pat
>
>
>
>
> Patrick Donlon wrote:
>
> > Hi All
> >
> > I have two web servers which are being load balanced behind a CSS, this
> > is working fine. Currently we're using the default ICMP keepalive, this
> > is OK if the failure is at this level but when the web services process
> > is stopped by the DBA the CSS thinks it's up and running. I've seen the
> > different options, tcp, http gets, etc, and would like to know anyone
> > else's experience in what is the best balance over performance and
> > detecting the loss of service
> >
> > Cheers
> >
> > Pat
> >
> > [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43272&t=43141
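
The layer 7 keepalive discussed in this thread, as an added example that is not part of the original posts: a probe that connects to the server's IP and requests only the path, so a stopped web service is detected even though the host would still answer an ICMP keepalive. The consecutive-failure threshold, the local test server and all function names are assumptions for illustration, not the CSS's own state machine.

```python
import http.client
import http.server
import threading
from urllib.parse import urlsplit


def keepalive_path(uri):
    """Reduce a configured keepalive URI to the path the probe must request.

    The probe already knows the server's IP, so a leading host name
    ("www.blahblah.com/index.html") is dropped and only "/index.html" is kept.
    """
    if uri.startswith("/"):
        return uri
    parts = urlsplit(uri if "://" in uri else "//" + uri)
    return parts.path or "/"


def http_probe(ip, port, path, method="HEAD", timeout=2.0):
    """Return True only if the service answers the request with HTTP 200."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
        return status == 200
    except (OSError, http.client.HTTPException):
        # Connection refused, timeout or a broken reply: the host may still
        # answer ping, but the web service is not usable.
        return False


class ServiceState:
    """Mark a service down after `retry` consecutive failed probes (assumed policy)."""

    def __init__(self, retry):
        self.retry = retry
        self.failures = 0
        self.alive = True

    def record(self, probe_ok):
        if probe_ok:
            self.failures = 0
            self.alive = True
        else:
            self.failures += 1
            if self.failures >= self.retry:
                self.alive = False
        return self.alive


class _Handler(http.server.BaseHTTPRequestHandler):
    """Constructed test server: only /index.html exists."""

    def _reply(self):
        self.send_response(200 if self.path == "/index.html" else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET = _reply

    def log_message(self, *args):
        pass  # keep the example quiet


def start_constructed_server():
    """Start the constructed server on a free localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_constructed_server()
    port = srv.server_address[1]
    path = keepalive_path("www.blahblah.com/index.html")
    print("probe path:", path, "alive:", http_probe("127.0.0.1", port, path))
    srv.shutdown()
    srv.server_close()  # simulate the web service being stopped
    state = ServiceState(retry=3)
    for _ in range(3):
        ok = http_probe("127.0.0.1", port, path, timeout=0.5)
        print("probe ok:", ok, "service alive:", state.record(ok))
```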



Re: a good forum [7:42813]

2002-04-30 Thread Gaz

Aren't we???

Your point?

(Devil's advocate is more fun)


"cisco" wrote in message
news:[EMAIL PROTECTED]...
> Isn't China a nuclear power?
>
> PA
>
> -Original Message-
> From: Michael L. Williams
> Sent: Mon 4/29/2002 6:59 PM
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: a good forum [7:42813]
>
>
>
> (Devil's advocate)  Why can we safely assume that (China has plenty of Cisco
> gear)?
>
> Mike W.
>
> "Peter van Oene" wrote in message
> news:[EMAIL PROTECTED]...
> > him personally, or china in general?  you can safely assume that china has
> > plenty of cisco gear.
> [EMAIL PROTECTED]
>
> [GroupStudy.com removed an attachment of type application/ms-tnef which had
> a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42878&t=42813



Re: Why does IOS only allow ICMP granularity on "destination" [7:42662]

2002-04-26 Thread Gaz

You didn't muddy them half as much as I did!

I think mine ranks up with my most inaccurate post ever. Unfortunately, I
answered with the junk that I had in my mind, which for creating
access-lists and configuring firewall rule bases has always been close
enough to allow things to work (even if totally for the wrong reasons).
As soon as I read John's post I realised what an arse I'd made of it.

I will take a severe hand smacking for that one. Lesson learnt - get the
facts right - don't guess.
But maybe my totally incorrect answer induced John to shoot me down with a
decent answer. I'll console myself with that.
I've now read the RFC.

John Nemeth, you're a cruel man, and I totally deserved it ;-)


Joe Bloggs
(Definitely not Gaz anyway)


"Jeremy" wrote in message
news:[EMAIL PROTECTED]...
> I think it relates to the fact that ICMP uses TYPES rather than PORTS.
> Though it still uses source and destination IP address, ports are not used,
> so the whole source port thing doesn't really make sense with ICMP.  There
> really is no "source type", so they don't have granularity on the source
> address.  Make Sense?  Or did I muddy the waters further?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 5:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Why does IOS only allow ICMP granularity on "destination"
> [7:42618]
>
>
> On Sep 15, 12:40pm, "Gaz" wrote:
> }
> } I don't think you will see the source as echo reply. By that, I mean that
> } the echo reply will only be evident in the destination. The source could be
> } any port.
>
>  ICMP does not have "port"s; therefore, this statement is
> nonsensical.
>
> } Remember ICMP is the odd protocol, which has to be allowed both ways through
> } a firewall, because the reply is a totally separate session.
>
>  ICMP is a connectionless protocol; therefore, there is no such
> thing as a "session".
>
> } If you telnet from A to B. The destination port is 23. In the reply from B
> } to A  'source' port is 23.
>
>  Telnet uses TCP.  There is no comparison.
>
> } If you use ping though for example, from A to B. The destination will be
> } echo. In the reply from B to A, the source will not be 'echo' it could be
> } anything. The important part will be the destination port which is
> } 'echo-reply'.
>
>  ICMP does not have "port"s.  It has "type"s and "code".  Echo is
> type 8 and Echo Reply is type 0.  Neither one uses codes, so the code
> is 0.  The only information as to the source of an ICMP message is the
> IP address.  As I said to the other guy, go read RFC 792 (especially
> before answering any more questions about it).
>
> } Hope I haven't confused. Hope even more that I haven't errored.
>
>  You have errored.  Go read the RFC, it is a simple one and will
> get you into the habit of going to the source when conducting your
> research.
>
> }-- End of excerpt from "Gaz"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42662&t=42662



Re: Why does IOS only allow ICMP granularity on "destination" [7:42601]

2002-04-25 Thread Gaz

I don't think you will see the source as echo reply. By that, I mean that
the echo reply will only be evident in the destination. The source could be
any port.
Remember ICMP is the odd protocol, which has to be allowed both ways through
a firewall, because the reply is a totally separate session.

If you telnet from A to B. The destination port is 23. In the reply from B
to A  'source' port is 23.
If you use ping though for example, from A to B. The destination will be
echo. In the reply from B to A, the source will not be 'echo' it could be
anything. The important part will be the destination port which is
'echo-reply'.


Hope I haven't confused. Hope even more that I haven't errored.


Gaz


"Anthony Pace" wrote in message
news:[EMAIL PROTECTED]...
> for instance :
>
> access-list 101 permit icmp any host 207.122.1.5 echo
> access-list 101 permit icmp host 207.122.2.3 any echo-reply
>
> but not
>
> access-list 101 permit icmp any echo-reply any
>
> Anthony Pace




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42601&t=42601
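
The ICMP type/code layout from RFC 792 that John Nemeth points to in the [7:42662] thread above, applied to the access-list entries in Anthony Pace's post, as an added example that is not part of either thread. The packets are constructed, 192.0.2.10 is a made-up outside host, and the ACL parser is a simplified stand-in that only understands `any`, `host <ip>` and the two message names used here; it is not IOS's parser.

```python
import struct

# RFC 792 message types named in the thread; both use code 0.
ICMP_NAMES = {"echo": 8, "echo-reply": 0}


def checksum(data):
    """16-bit ones' complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code, ident, seq, payload=b""):
    """Build an echo-style ICMP message: type, code, checksum, id, sequence."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(msg):
    """Parse the 8-byte header. There is one type field and no port fields."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": checksum(msg) == 0}


def _take_addr(tokens):
    if tokens and tokens[0] == "any":
        return None, tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError("expected 'any' or 'host <ip>', got %r" % tokens[:1])


def parse_ace(line):
    """Parse 'access-list N permit|deny icmp <src> <dst> [message]' (simplified)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "icmp":
        raise ValueError("not an ICMP access-list entry")
    src, rest = _take_addr(tok[4:])
    dst, rest = _take_addr(rest)
    icmp_type = None
    if rest:
        if len(rest) != 1 or rest[0] not in ICMP_NAMES:
            raise ValueError("unknown ICMP message %r" % rest)
        icmp_type = ICMP_NAMES[rest[0]]
    return {"action": tok[2], "src": src, "dst": dst, "type": icmp_type}


def evaluate(acl, src_ip, dst_ip, icmp_msg):
    """First match wins; the message type belongs to the packet, not to one end."""
    msg_type = parse_icmp(icmp_msg)["type"]
    for ace in acl:
        if (ace["src"] in (None, src_ip) and ace["dst"] in (None, dst_ip)
                and ace["type"] in (None, msg_type)):
            return ace["action"]
    return "deny"  # implicit deny at the end of the list


# The two entries from the post that the router accepts.
ACL_101 = [parse_ace("access-list 101 permit icmp any host 207.122.1.5 echo"),
           parse_ace("access-list 101 permit icmp host 207.122.2.3 any echo-reply")]

# Constructed packets.
ECHO = build_icmp(8, 0, 0x1234, 1, b"constructed payload")
ECHO_REPLY = build_icmp(0, 0, 0x1234, 1, b"constructed payload")

if __name__ == "__main__":
    print(parse_icmp(ECHO))
    print(evaluate(ACL_101, "192.0.2.10", "207.122.1.5", ECHO))
    print(evaluate(ACL_101, "207.122.2.3", "192.0.2.10", ECHO_REPLY))
    print(evaluate(ACL_101, "207.122.1.5", "192.0.2.10", ECHO_REPLY))
```

The last call returns deny: the echo reply is its own message with its own type, so it needs its own entry, and with only these two lines a reply leaving 207.122.1.5 is dropped by the implicit deny.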



Re: Secret Clearance [7:42499]

2002-04-25 Thread Gaz

The policies seem more lax in the US than in UK. I'm of the understanding
that it is frowned upon to advertise the fact that you have any specific
level of security clearance, particularly TS to avoid being targeted for
any reason.
I'm just guessing obviously, but seems like common sense.

Can you tell me any more about yourself ;-)

Gaz

"Paul Jin" wrote in message
news:[EMAIL PROTECTED]...
> Was this for Secret or TS?
>
> thanks,
> Paul
>
> EMW_Tech wrote:
> >
> > I shouldn't respond to a OT thread, but FYI, I had my personal interview by
> > a DSS agent back in December... still waiting.  Oh, the process began in May
> > 2000.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42599&t=42499



iSCSI 5420 - Anybody got views/experience [7:42472]

2002-04-24 Thread Gaz

Hi all,

I'm looking at some iSCSI devices (particularly Cisco 5420). Does anybody
have any experiences of these bits of kit yet (Positive or Negative).
I realise they're pretty new, but just on the off chance.
If you have any experiences, can you give me a brief idea of the topology
(minimum speed connection in particular) and relative speeds of transfer to
remote SCSI devices, and if used, the Fibre Channel switches in use.

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42472&t=42472



Re: Summary addressing [7:41998]

2002-04-22 Thread Gaz

I'm wondering whether it's worth me trying to explain my thought process
after 6 pints of cider. But the six pints say YES - have a go.
I'm too lazy to do the binary.

You've got to get used to the size of blocks involved with each mask. By
that, I mean a /30 immediately suggests blocks of four. A /29 blocks of
eight etc.

You had four blocks of four (/30), so if they can be summarised in one
statement it will have to be a block of 16, which should immediately suggest
a /28.

But!!! The blocks of 16 will be at 0, 16, 32..128, 144, 160...

This doesn't fit your group, so you're going to need more than one
statement.


With your second example

Your /29 suggests blocks of 8. You have two blocks of 8, so IF it's going to
fit, it will be a block of 16, which is a /28.

The blocks will be 0, 16, 32, 48, 64..

and your two blocks fit fine in to the above (between 48 and 64), so the
summary address is 216.52.146.48 /28



Sorry if this is nonsense to some, but this is my thought process. I am not
capable of doing the binary in my head. This process becomes so simple once
you grasp it, and can be done in seconds for almost any summary address.
It doesn't take any special brain, because I'd be out of the running, it's
just hard to explain and grasp initially.

Please let me know if I should give up now and go to bed. Until then, the
fridge (or cooler if you like) beckons.

Cheers,

Gaz


"Kage Roc" wrote in message
news:[EMAIL PROTECTED]...
> I promise I will not be a knowledge leech, I will contribute what I know as
> well.   Of course I do have a question regarding IP Summarization:   Up until
> today I thought I had summarization down cold until I tried a few self made
> exercises.   The formula I used to gather a summ address was 2^n=x.  That's 2
> to the n power equals x.
> x is the number of subnets that you want to summarize and n will be how much
> you subtract from the lowest mask of those subnets.  for example:
>
>
> 216.52.146.136/30
> 216.52.146.140/30
> 216.52.146.144/30
> 216.52.146.148/30
>
> using that formula the summ would be 216.52.146.136/28 which is not a valid
> route. However that formula works here:
> 216.52.146.48/29
> 216.52.146.56/29
>
> summ route: 216.52.146.48 /28
>
> I guess my question is, what is the best/effective/convenient way to derive
> summary addresses?  Thanks for any input.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42268&t=41998
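
The block-size check from Gaz's reply, run against both sets of subnets from the question, as an added example that is not part of the original posts. It goes one step further than the thread by also reporting the minimal set of summaries and how many unintended addresses a single covering prefix would pull in, which matters when the summary ends up in a route filter or an ACL. The function names are assumptions for illustration.

```python
import ipaddress

# Subnets quoted in the thread.
FIRST = ["216.52.146.136/30", "216.52.146.140/30",
         "216.52.146.144/30", "216.52.146.148/30"]
SECOND = ["216.52.146.48/29", "216.52.146.56/29"]


def on_boundary(prefix):
    """True if the address is the network address for its mask."""
    try:
        ipaddress.IPv4Network(prefix)  # strict: host bits must be zero
        return True
    except ValueError:
        return False


def single_summary(subnets):
    """Return the one prefix covering exactly these subnets, or None.

    Same reasoning as the post: the total must be a power-of-two block, the
    subnets must be contiguous, and the lowest address must sit on a
    boundary of that larger block (0, 16, 32, ... for a block of 16).
    """
    nets = sorted(ipaddress.IPv4Network(s) for s in subnets)
    total = sum(n.num_addresses for n in nets)
    if total & (total - 1):
        return None  # not a power of two, cannot be one block
    for a, b in zip(nets, nets[1:]):
        if int(a.broadcast_address) + 1 != int(b.network_address):
            return None  # gap or overlap between neighbours
    start = int(nets[0].network_address)
    if start % total:
        return None  # block does not start on its own boundary
    prefixlen = 32 - (total.bit_length() - 1)
    return ipaddress.IPv4Network((start, prefixlen))


def minimal_summaries(subnets):
    """Fewest prefixes that cover exactly the given subnets and nothing else."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def covering_supernet(subnets):
    """Smallest single prefix containing every subnet, plus the number of
    addresses it covers that were not in the input (non-overlapping input)."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefixlen = 32 - (lo ^ hi).bit_length()
    host_bits = 32 - prefixlen
    net = ipaddress.IPv4Network(((lo >> host_bits) << host_bits, prefixlen))
    extra = net.num_addresses - sum(n.num_addresses for n in nets)
    return net, extra


if __name__ == "__main__":
    for name, subnets in (("first", FIRST), ("second", SECOND)):
        print(name, "single summary:", single_summary(subnets))
        print(name, "minimal set:", [str(n) for n in minimal_summaries(subnets)])
        print(name, "covering prefix and extra addresses:", covering_supernet(subnets))
```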



Re: Way OT: RE: CCIE Salary [7:42111]

2002-04-21 Thread Gaz

That's nothing!  I bought a 4 bedroom detached house in Shropshire UK, and I
have to share it with a woman, two children and two cats!


I can't believe we can get something cheaper than the US. 8 pints over here
is £1.80. Is your gallon the same size as ours?
Please keep it quiet - I can see a new Milk tax being introduced at the next
budget.

Gaz



"supernet" wrote in message
news:[EMAIL PROTECTED]...
> A friend of mine bought a 2-bedroom apartment in New York, cost him
> $500,000. And he has to share bathroom with his neighbor.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Howard C. Berkowitz
> Sent: Saturday, April 20, 2002 8:02 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Way OT: RE: CCIE Salary [7:42111]
>
> The new direction of this thread may bring new significance to "have
> a cow, man."
>
>
> >Hey, we pay about the same price for milk in the Raleigh area.  Housing is
> >much cheaper, though.  :-)
> >
> >- Original Message -
> >From: "Manny Gonzalez"
> >To: "Brian Dennis"
> >Cc: "'Ccielab (E-mail)'"
> >Sent: Saturday, April 20, 2002 10:20 PM
> >Subject: Re: Way OT: RE: CCIE Salary
> >
> >
> >>  Sorry Brian, we New Yorkers got you beat... A studio in a decent part of
> >>  Manhattan either sells for $1,000,000 or rents for at least $2500/month.
> >>  That is the lower end of the spectrum. Around the Battery Park City area
> >>  (one block from the former World Trade Center site) there are [bargains]
> >>  now they say for $3500 a month :-)
> >>
> >>  In the outskirts, a DECENT house (not a real big or super nice one) can
> >>  easily go for $400,000 and 90% of the time there is a fight and ends up
> >>  going for a lot more.
> >>
> >>  The 1, 2, 3, 4 million dollar homes are actually more abundant in the
> >>  real estate listings than lesser priced homes.
> >>
> >>  However, my usual gauge for cost of living ANYWHERE is the price of a
> >>  standard gallon of milk. In my neighborhood, it is $3.25 a gallon...
> >>  ___
> >>  Manny Gonzalez . CCIE# 9013
> >>  CORE Resources ... NY Presbyterian Hospital
> >>
> >>
> >>  Brian Dennis wrote:
> >>  >
> >>  > Here in the San Jose area you can forget about living on $65k a year.
> >>  > There are mobile homes that cost over $200k out here.
> >>  >
> >>  > Brian Dennis, CCIE #2210 (R&S/ISP Dial)
> >>  >
> >>  > -Original Message-
> >>  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> >>  > Scott Morris
> >>  > Sent: Friday, April 19, 2002 1:35 PM
> >>  > To: 'Matheus, Joshua'; 'Dennis'; 'Ccielab (E-mail)'
> >>  > Subject: RE: Way OT: RE: CCIE Salary
> >>  >
> >>  > Isn't $65k poverty level in New York?
> >>  >
> >>  > -Original Message-
> >>  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >>  > Matheus, Joshua
> >>  > Sent: Friday, April 19, 2002 3:50 PM
> >>  > To: 'Dennis'; Ccielab (E-mail)
> >>  > Subject: RE: Way OT: RE: CCIE Salary
> >>  >
> >>  > In New York the range can go from 65K to 250K. This is for a technical
> >>  > person not a "manager type". Right now I would say that 4 numbers
> >>  > without a good Science/Engineering Bachelors and 4 - 7 years of
> >>  > prestigious enterprise experience will lead to the 0$ figure very
> >>  > quickly. It makes you ponder the old days (2 years ago) when you were
> >>  > worth your weight in platinum!
> >>  > -Original Message-
> >>  > From: Dennis [mailto:[EMAIL PROTECTED]]
> >>  > Sent: Friday, April 19, 2002 11:01 AM
> >>  > To: Ccielab (E-mail)
> >>  > Subject: Way OT: RE: CCIE Salary
> >>  >
> >>  > Well, I can tell you the lowest... it's what I've been making in
> the
> >>  > last
> >>  > two months... $0
> >>  >
> >>  > -Original Message-
> >>  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of
> >>  

Re: 2900 series switch password [7:41680]

2002-04-18 Thread Gaz

Type quicker!

Sounds daft, but you've got to fit it in the 30 seconds. Just cut and paste
a script if you've got fidget fingers like me.

Gaz


"Magichut" wrote in message news:[EMAIL PROTECTED]...
> Thank you,
> I can get to the enable mode, however when I run the set enablepass, it
> requests the old password.  hence this command is useless...
> Any other ideas?
> Thanks again,
>
> "Patrick Bass" wrote in message news:[EMAIL PROTECTED]...
> > use the 'set password' command to change the login password of the cli.
> > use the 'set enablepass' command to change the password for the privileged
> > level of the cli.
> >
> >
> > "Magichut" wrote in message news:[EMAIL PROTECTED]...
> > > Hello,
> > >
> > > I have the silliest question.  It should be simple, but it's not turning
> > > out that way.  I have a Cisco ws-c2900 series switch with a sup. eng. on it.
> > > It has a console port, 2 mdi ports and a reset button (no Mode button).  I
> > > am merely trying to reset the password.  The company that owns the switch
> > > lost their IT guy and need to reset the vlans.  I can get to enable mode by
> > > cycling the switch and initially logging in within seconds of boot up, but
> > > cannot reset the password.  I can change the vlans, reset gateways, and
> > > everything but reset the password.  Any help would be appreciated here.
> > >
> > > Thanks,
> > > Magichut




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41892&t=41680



Re: Website File Management Software [7:41621]

2002-04-18 Thread Gaz

How about the Cisco Content Networking Products (Content Manager I think
does this), and it'll save you wondering what to spend your money on. You
might not have any after you've bought it.
For larger scale job though it might answer the problem.

Gaz

"sam sneed" wrote in message news:[EMAIL PROTECTED]...
> We use rdist to push new content on to production boxes and to keep
> consistency. Here is a link:
>
> http://www.magnicomp.com/rdist/
>
> "John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> > Wyyy  OT. sorry.  :-)
> >
> > Right now we have a couple of web servers with identical content and
> > all file updates must be handled manually by myself or someone else in
> > my group because we're the only ones with access to the secure part of
> > our network.  Even with only two servers, it gets to be a pain to
> > manually copy files out to the web servers, especially since certain
> > files can change multiple times per day.
> >
> > I'm thinking that companies that have a lot of servers, especially
> > 'mirrored' servers, must have a better way of managing all of this and
> > perhaps automating a portion of it.  However, I don't even really know
> > where to start looking.
> >
> > Do you know what products might be out there to handle this particular
> > issue?
> >
> > Thanks,
> > John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41891&t=41621



Re: Might be of InCisco GBIC Sourcing & Support Policy [7:41890]

2002-04-18 Thread Gaz

I can sort of see their point of view though.
Why provide the same level of support for routers which have OEM parts?
Memory can be particularly troublesome.
I bought some 1720 memory a while ago on the cheap, and it wouldn't quite fit
in the case (probably for 1750). When there's been that much attention to
detail, you may as well trim the top off it to fit it in.

If I buy a Ferrari, then put Ford bits all over it, I wouldn't expect
Ferrari to honour my warranty.

Mind you, chances of me buying a Ferrari are fairly bloody slim, so I'll not
worry too much.  :-)


At least Cisco's point of view is that if the Ford bits aren't the problem,
they'll still support the kit.


Gaz


"Ismail Al-Shelh" wrote in message news:[EMAIL PROTECTED]...
> It's so obvious that Cisco is trying to be like Microsoft by monopolizing the
> market.
>
> Ismail Al-shelh
>
>
> -Original Message-
> From: Matthew Crane [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 15, 2002 1:55 PM
> To: [EMAIL PROTECTED]
> Subject: Might be of InCisco GBIC Sourcing & Support Policy [7:41476]
>
>
> April 10, 2002
>
> Cisco GBIC Sourcing & Support Policy
>
> We are continuing to receive questions concerning the consequences of Cisco
> end users acquiring GBICs (Gigabit Interface Converter) modules from
> non-Cisco sourced third parties or directly from GBIC suppliers for
> deployment in Cisco routers and switches.
>
> Apparently there is still some confusion on what Cisco's position and policy
> is in respect of these third party GBIC's, which is why I would like to
> summarize those for you and highlight the main points. I would also like to
> take this opportunity to outline what Cisco would expect from you as a
> Channel Partner when it comes to you supplying non-Cisco GBIC's together
> with Cisco equipment to end users.
>
> Cisco's policy:
> Products from non-Cisco sources do not qualify for Cisco support and may not
> be compatible with hardware, power, or software requirements. Cisco sourced
> GBIC's can be easily identified by the Cisco logo and trademarks on the
> label. If a GBIC does not have the Cisco label and trademarks on it, then it
> has not been sourced from Cisco and is subject to the conditions outlined
> below.
>
> GBIC's acquired through non-Cisco sources will be subject to the following
> conditions:
>
> 1) Cisco TAC is not under an obligation to support any non-Cisco GBIC
> modules;
>
> 2) Cisco SMARTnet will not cover non-Cisco GBIC modules;
>
> 3) Cisco does not guarantee the performance or results you may obtain by
> using a non-Cisco GBIC;
>
> 4) In the event that an end user experiences a support issue that Cisco
> determines is caused by use of a third party GBIC, Cisco will not provide
> warranty support or support under SMARTNet or another Cisco support program
> for that issue. On the other hand, where a product fault or defect occurs in
> the network and Cisco concludes that the fault or defect is not attributable
> to the use of a GBIC installed by our customers or partners, Cisco will
> continue to provide support for the affected product under warranty or a
> Cisco support program. The nature of the defect or error is the key to
> determining what Cisco's support obligations are.
>
> Cisco sources GBIC's from third party suppliers, who agree to follow Cisco
> quality standards.  Sometimes, Cisco disqualifies a supplier because of
> quality issues with that supplier's product, or for other reasons (i.e. EMI
> or power requirements). Disqualified suppliers may continue to sell their
> GBIC's and please note that they or parties that have purchased from them
> may claim that their GBIC's are Cisco approved. Such statements are at best
> unreliable and our customers should understand that only by sourcing GBIC's
> directly from Cisco or a Cisco Authorized Channel, can our customers be
> confident they are getting Cisco approved modules that will qualify for
> Cisco support (Cisco sourced GBICs can be identified by the Cisco logo and
> trademarks on the label). We are taking appropriate legal action against
> suppliers using such false and misleading statements.
>
>
> What does Cisco expect from its Authorized Channels?
> Obviously we believe strongly that our GBIC's are superior in terms of
> quality and performance to any non-Cisco GBIC. Nevertheless, you may in
> certain instances prefer to resell third party GBIC's. As stated above, this
> may occasionally give rise to support and warranty issues, and may cause
> confusion with the end users. In order to prevent such issues and to protect
> Cisco's brand and

Re: Can I change Token Ring NIC's with Ethernet on the [7:41384]

2002-04-13 Thread Gaz

One minute prior to this post you sent one with your signature block on.

Cisco Certified Academy Instructor asking for free IOS.

Come on!




"Romeo" wrote in message news:[EMAIL PROTECTED]...
> I have a PIX Firewall with IOS 4.1.4 and 2 Token Ring NIC's. I tried to
> change with various Ethernet NIC's but the IOS doesn't recognize them. Why?
> Do I need another version of IOS? Does someone have this kind of IOS to give me?
>
> Thanks,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41384&t=41384



Re: Please help!!! [7:41002]

2002-04-13 Thread Gaz

I seem to remember having a bit of a mare with similar. If you have no luck,
is using one of the async ports an option?

This is a working config from a 2509 using first async port:

line 1
 autoselect ppp
 modem Dialin
 modem autoconfigure discovery
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware


Gaz

"Hunt Lee" wrote in message news:[EMAIL PROTECTED]...
> I need some help for an Access Server setup.
>
> I am trying to setup a modem (netcomm 56.6k) to connect to a 2511.  The
> modem is currently connected to the AUX port.  However, no matter what I
> tried from my PC, every time I make a connection, it comes up with a whole
> bunch of garbage.
>
> OK
>
> OK
>
> OK
>
> CARRIER 31200
>
> PROTOCOL: NONE
>
> CONNECT 31200
>

>
> And here is the config for the 2511 -
>
>
> con1.hkg#sh run
> Building configuration...
>
> Current configuration:
> !
> ! Last configuration change at 16:58:36 AEST Wed Apr 10 2002
> ! NVRAM config last updated at 16:58:49 AEST Wed Apr 10 2002
> !
> version 11.2
> no service pad
> service timestamps debug datetime msec show-timezone
> service timestamps log datetime msec show-timezone
> service password-encryption
> no service udp-small-servers
> no service tcp-small-servers
> !
> hostname con1.hkg
> !
> aaa new-model
> aaa authentication login default enable
> aaa authentication login tacacs-login tacacs+ enable
> aaa authentication login NO_AUTHEN none
> aaa authorization exec tacacs+ if-authenticated
> aaa authorization commands 0 tacacs+ if-authenticated
> aaa authorization commands 1 tacacs+ if-authenticated
> aaa authorization commands 15 tacacs+ if-authenticated
> aaa accounting exec start-stop tacacs+
> aaa accounting commands 0 start-stop tacacs+
> aaa accounting commands 1 start-stop tacacs+
> aaa accounting commands 15 start-stop tacacs+
> enable secret 5 $1$oWH7$vULnq40DABAEnJCyCzTR4.
> !
> ip subnet-zero
> no ip domain-lookup
> ip host br1.hkg 2001 172.16.1.1
> ip host br2.hkg 2002 172.16.1.1
> ip host dist-sw1.hkg 2003 172.16.1.1
> ip host sw1.hkg 2004 172.16.1.1
> ip host sw2.hkg 2005 172.16.1.1
> ip host sw3.hkg 2006 172.16.1.1
> ip host sw4.hkg 2007 172.16.1.1
> ip host modem 2017 172.16.1.1
> ip name-server 10.1.0.1
> clock timezone AEST 10
> !
> interface Loopback0
>  ip address 172.16.1.1 255.255.255.255
>  no ip redirects
>  no ip unreachables
>  no ip directed-broadcast
>  no ip proxy-arp
>  no ip route-cache
>  no ip mroute-cache
> !
> interface Ethernet0
>  ip address 10.6.255.1 255.255.0.0
>  no ip redirects
>  no ip unreachables
>  no ip directed-broadcast
>  no ip proxy-arp
>  no ip route-cache
>  no ip mroute-cache
> !
> interface Serial0
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip directed-broadcast
>  no ip proxy-arp
>  no ip route-cache
>  no ip mroute-cache
>  shutdown
> !
> interface Serial1
>  no ip address
>  no ip redirects
>  no ip unreachables
>  no ip directed-broadcast
>  no ip proxy-arp
>  no ip route-cache
>  no ip mroute-cache
>  shutdown
> !
> interface Async17
>  ip unnumbered Loopback0
>  no ip redirects
>  no ip unreachables
>  no ip directed-broadcast
>  no ip proxy-arp
>  encapsulation ppp
>  no ip route-cache
>  no ip mroute-cache
>  peer default ip address pool NetOpspool
>  ppp authentication chap pap
> !
> ip local pool NetOpspool 10.6.255.17
> ip default-gateway 10.6.255.252
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.6.255.252
> logging buffered 2 debugging
> logging trap debugging
> logging 10.1.0.1
> access-list 11 deny   any
> access-list 12 permit 172.16.1.1
> access-list 12 deny   any
> access-list 99 permit 10.0.0.0 0.255.255.255
> access-list 99 permit x.x.x.x y.y.y.y
> access-list 99 deny   any
> tacacs-server host 10.1.0.1
> tacacs-server key xx
> snmp-server community roxwap37 RW 99
> snmp-server community tobyup91 RO 99
> snmp-server trap-authentication
> snmp-server system-shutdown
> s

Re: Now What???????? [7:40988]

2002-04-13 Thread Gaz

I wouldn't see anything wrong with listing on your CV the fact that you have
passed the CCIE written exam and are working towards taking the lab.
I've chuckled before at people putting CCIE written in their signature
blocks, but I think this is very different. It at least shows the employer
that there has been an intent to progress towards CCIE rather than stopping
at existing quals.

I can see your point, and I think it should be listed clearly stating that
it is just the written.
My 2 penneth anyway.

Gaz

"nrf" wrote in message news:[EMAIL PROTECTED]...
> Careful now.   I have been on the other side of the hiring process, and I
> know quite a few hiring directors who will instantly throw away any resume
> that says anything like "CCIE-written".  The rationale is that they are
> trying to claim a cert that doesn't exist, and so if they're willing to push
> the envelope on that, then most likely everything else on their resume is
> greatly exaggerated, if not an out-and-out fabrication.  From what I see,
> you lose more than you gain by listing such a cert.
>
>
>
> "x" wrote in message news:[EMAIL PROTECTED]...
> > Juan,
> > Send me your resume and I will help you with it.  A
> > resume is a way of giving a hiring manager a 30 second
> > snapshot of your career.
> >
> > 1.) I passed the CCIE written and I consider it a big
> > accomplishment, so I have it on my resume.
> >
> > 2.) I have heard the All in one study guide is a good
> > starting point, but I haven't gotten into it yet.
> >
> > 3.) no idea
> >
> >
> >
> >
> > --- Juan Blanco  wrote:
> > > Team,
> > > After your pass the written what do you do in
> > > reference to the following:
> > >
> > > 1) Do you mention it in your resume and if you do
> > > any suggestions (I know it
> > > is not a certification).
> > > CCIE Lab(schedule for xx-xx-xx)
> > > Passed CCIE Written, Lab(schedule for xx-xx-xx)
> > > Working on the CCIE Lab
> > > Put nothing because the written is not a
> > > certification..
> > >
> > > > 2) Any book which will help you to put together a
> > > > very organized and
> > > > structured plan of studying for the lab (very similar
> > > > to Caslow's book)
> > > > I already have the following books:
> > > > CASLOW, HUTNIX, DOYLE
> > > > 3) How similar are the labs and hardware layout from
> > > > the FATKID to the real
> > > > thing. I'm planning to use the same format (what is
> > > > your recommendation)
> > > Wow, the more we think we know the less we
> > > know...I feel very
> > > goodsome people are saying that I don't have a
> > > life because all I talk
> > > about is
> > > Cisco...Cisco...routersswitchesbridges
> > >
> > >
> > > Thanks,
> > >
> > >
> > > JB
> > [EMAIL PROTECTED]
> >
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41360&t=40988



Re: How do I approach the company about my CCIE [7:40261]

2002-04-06 Thread Gaz

I think that depends on the individual company.
Our company currently has 6 CCIE's. I was dissuaded from going for CCIE by
my company. The reason, although they haven't stated it in so many words is
that they would just about double my pay from CCNP, but I would bring them
very little more income.
They would prefer me to go off and do something else that they can charge
for, like security.
I've not heard of any companies asking for CCIE security (yet). A senior
engineer with security accreditations is almost as sellable to most
companies and far cheaper to feed and water.
For a lot of jobs, the same is true for Routing/Switching. Every job our
company sends a CCIE to that could have been a Senior Engineer, they've lost
a bit off their profit margin, and in the current climate where perhaps the
jobs aren't rolling in quite so fast, there are obviously greater losses
having CCIE's sat around on quiet days.
CCIE is still the target I believe, but not everybody needs them at the
moment.
In 6/12 months if things pick up they may be pushing the CCIE again.
I believe that Cisco's hiccup last year is the only thing that has devalued
the CCIE. As Cisco gradually recovers, so will the CCIE... probably.


Gaz



"Kris Keen" wrote in message news:[EMAIL PROTECTED]...
> You're the 1st person I've heard say the CCIE isn't worth much anymore..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40710&t=40261



Re: IPSEC question scenario [7:40025]

2002-04-02 Thread Gaz

CCIE (qual)?

Is this a new CCIE track?  CCIE Quality Control perhaps?

Gaz
Professor of Urinary Extraction (qual)

 wrote in message news:[EMAIL PROTECTED]...
> Hi Rik,
>
> You can include an access-list on your router to permit esp, ahp and UDP
> port 500 for isakmp.
> Your access-list should look like the one given below,
>
> access-list acl-name permit esp src_ip dest_ip
> access-list acl-name permit ahp src_ip dest_ip
> access-list acl-name permit udp src_ip dest_ip eq isakmp
>
> Kind Regards /Thangavel
> --
> CCIE (qual),CCS,CCDP,CCNP,MCSE
> 
> 186K
> Reading,Brkshire
> Direct No   -0118 9064259
> Mobile No  -07796292416
> Post code: RG16LH
> www.186k.co.uk
>
> --
> The greatest glory in living lies not in never falling,
>  but in rising every time we fall ."
>  -- Nelson Mandela
>
> 
>
> From: "Ricky Chan"
> Sent by: nobody@groupstudy.com
> Date: 01/04/2002 14:01
> Subject: IPSEC question scenario [7:40025]
> Please respond to "Ricky Chan"
>
> Hi all,
>
> I have another scenario question and would like to hear from your
expertise
> opinion.
>
> machine A  10.10.10.1/24
> machine B  10.10.10.2/24
> machine c  10.10.100.1/24
>
> I configured IPSEC for all these machines. Machine A can talk to Machine B,
> but neither A nor B can talk to Machine C. Obviously, Machine C belongs to
> diff network. If I put a router in between, I need to configure IPSEC in the
> router in order to let them talk to each other. Do you know how to accomplish
> this? Thanks a lot.
>
> Ricky



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40243&t=40025



Re: How to get running-config of cisco routers through SNMP [7:39695]

2002-03-27 Thread Gaz

Have a play with these if you like:





rem Destroy any existing copy entry at row 11
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.14.11 integer 6

rem Initialise a new copy operation
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.14.11 integer 5

rem Set the ccCopySource FileType to "4" (running-config)
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.3.11 integer 4

rem Set the ccCopyDest FileType to "1" (network file)
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.4.11 integer 1

rem Set the ccCopyServerAddress to TFTP Server
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.5.11 a 192.168.80.127

rem Set the ccCopyFileName to whatever
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.6.11 s config.txt

rem Start the process.
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.14.11 integer 1

rem Now return some states
snmpget -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.10.11
snmpget -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.10.11
snmpget -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.13.11

rem Destroy the process.
snmpset -v1 192.168.80.254 password .1.3.6.1.4.1.9.9.96.1.1.1.1.14.11 integer 6



"V\J@>|" wrote in message news:[EMAIL PROTECTED]...
> Hello,mrtg#!
>
>
> Any one can tell me whether I can  get running-config of cisco routers
> through SNMP request!#
> And if we can ,what is the oid for this purpose?
> Thanks .
>
>
>
>
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39695&t=39695
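Every step of the copy sequence in the post above is an SNMP set, so it only works with a read-write community. As an added example (not code from the thread), this audits an IOS configuration for RW communities and reports which numbered standard ACL, if any, limits who can use them; the sample config, the placeholder community names and the status labels are constructed for illustration, and named ACLs are not handled.

```python
import re

# Constructed sample in IOS syntax; community strings are placeholders.
SAMPLE_CONFIG = """\
access-list 98 permit any
access-list 99 permit 10.0.0.0 0.255.255.255
access-list 99 permit host 192.168.80.127
access-list 99 deny   any
snmp-server community EXAMPLE-RO RO 99
snmp-server community EXAMPLE-RW1 RW 99
snmp-server community EXAMPLE-RW2 RW
snmp-server community EXAMPLE-RW3 RW 98
snmp-server community EXAMPLE-RW4 RW 50
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+(\S+)\s*(.*)$")


def parse_standard_acls(config):
    """Map ACL number -> ordered [(action, source)] for standard ACLs."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        num = int(m.group(1))
        if 1 <= num <= 99 or 1300 <= num <= 1999:  # standard ACL ranges
            entry = (m.group(2), m.group(3).strip())
            acls.setdefault(str(num), []).append(entry)
    return acls


def audit_write_communities(config):
    """Return [(community, status, permitted_sources)] per RW community.

    status is one of: no-acl, acl-undefined, permits-any, restricted.
    """
    acls = parse_standard_acls(config)
    findings = []
    for raw in config.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if not m:
            continue
        name, opts = m.group(1), m.group(2).split()
        upper = [o.upper() for o in opts]
        if "RW" not in upper:
            continue  # a read-only community cannot issue the sets
        after = opts[upper.index("RW") + 1:]
        acl = after[0] if after else None
        if acl is None:
            findings.append((name, "no-acl", []))
            continue
        if acl not in acls:
            findings.append((name, "acl-undefined", []))
            continue
        sources, status = [], "restricted"
        for action, src in acls[acl]:  # first match wins, order matters
            if src == "any":
                if action == "permit":
                    status = "permits-any"
                break  # nothing after an 'any' entry is ever reached
            if action == "permit":
                sources.append(src)
        findings.append((name, status, sources))
    return findings


if __name__ == "__main__":
    for name, status, sources in audit_write_communities(SAMPLE_CONFIG):
        print(f"{name:12} {status:14} {', '.join(sources) or '-'}")
```

Any result other than `restricted` with a short source list means the write community is usable from more places than the management stations that need it.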



Re: 2500 Series rackmount kits [7:39487]

2002-03-25 Thread Gaz

I've never seen what I call a cheap source for them. They are the simplest
of things though and any sheet metal worker worth his salt will be able to
knock them up in no time.
As long as you've got one, they shouldn't cost you more than a few quid each
if you need more than a couple.

Otherwise:

www.rackears.com at $35

I'm sure you'll get a few other suggestions from the group.

Cheers,

Gaz


"Kevin Corbin" wrote in message news:[EMAIL PROTECTED]...
> Anyone know where I can get rack mount kits for 2500 series routers CHEAP?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39492&t=39487



Re: Sup III Problems ??? Epilogue [7:39324]

2002-03-24 Thread Gaz

Just add another rolled cable in line if you're using 2509/2511 octal
cables.

Gaz


"Phil Lorenz" wrote in message news:[EMAIL PROTECTED]...
> Well isn't that a fine "how-do-ya-do ???"
>
> Console> Show Version
> WS-C5505 Software, Version McpSW: 4.5(12) NmpSW: 4.5(12)
> Copyright (c) 1995-2001 by Cisco Systems
> NMP S/W compiled on Apr 19 2001, 17:56:40
> MCP S/W compiled on Apr 19 2001, 17:54:16
>
> System Bootstrap Version: 3.1.2
>
> Hardware Version: 1.0  Model: WS-C5505  Serial #: 066552032
>
> Mod Port Model      Serial #  Versions
> --- ---- ---------- --------- ----------------------------------------
> 1   0    WS-X5530   007586158 Hw : 1.5
>                               Fw : 3.1.2
>                               Fw1: 3.1(2)
>                               Sw : 4.5(12)
> 2   24   WS-X5224   008727049 Hw : 1.4
>                               Fw : 3.1(1)
>                               Sw : 4.5(12)
>
>        DRAM                    FLASH                   NVRAM
> Module Total   Used    Free    Total   Used    Free    Total Used  Free
> ------ ------- ------- ------- ------- ------- ------- ----- ----- -----
> 1      32768K  13763K  19005K   8192K   7518K    674K  512K  108K  404K
>
> Uptime is 0 day, 2 hours, 32 minutes
>
>
> Straight through works like a charm !!!  Now the question is, how am I
> going to get this thing to work via an Access Server.
>
> Thanks Everyone !!!
> Phil
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Wow
> Sent: Saturday, March 23, 2002 10:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Sup III Problems ??? [7:39324]
>
> one of my favorite cisco gotcha's--the cable that you use to connect to the
> console port on a 55XX is different from the regular rollover cable on every
> other cat sup engine.
>
> http://www.cisco.com/warp/public/473/9.html#Cat5000III
>
> Dennis
>
> "Phil Lorenz" wrote in message news:[EMAIL PROTECTED]...
> > After catching heck with version 6.3 boot variable and a few other newer
> > commands with the 6509s @ work, I decided to upgrade my home lab from a
> > Sup I Cat5k with a Sup III tote'n Cat55k.
> >
> >
> >
> > Problem:
> >
> > I fired up the switch and it goes through the POST perfectly, but there
> > is no output on the Hyper Term.  The Hyper Term and connections check
> > out perfectly.  I hit the reset button and tried various break
> > functions- still nothing.  I connected the switch to a router in my lab
> > and this is what I see.
> >
> >
> >
> > r1#sh cdp nei detail
> >
> > -
> >
> > Device ID: 066552032
> >
> > Entry address(es):
> >
> > Platform: WS-C5505,  Capabilities: Trans-Bridge Source-Route-Bridge
> > Switch
> >
> > Interface: FastEthernet0,  Port ID (outgoing port): 2/1
> >
> > Holdtime : 138 sec
> >
> > Version :
> >
> > WS-C5505 Software, Version McpSW: 4.5(12) NmpSW: 4.5(12)
> >
> > Copyright (c) 1995-2001 by Cisco Systems
> >
> > advertisement version: 1
> >
> >
> >
> > Rats !!!  No IP address.  I have tried various console speeds and still
> > nothing more than this CDP output.
> >
> >
> >
> > Any advice or leads ???
> >
> >
> >
> > Thanks
> >
> > Phil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39369&t=39324
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: you American need to think [7:38323]

2002-03-24 Thread Gaz

>We both know that, if not for the US,
> you'd be speaking German over there.

What d'ya mean?
My failing German at school was due to the Americans?
I'd always blamed it on a lack of interest and study time, but that does
make me feel a little better.

Which Indians we talking about here? Shall we go 50/50 on that one?

We're eternally grateful, and maybe one day soon we can help you out?
You help us with quantity, we help you with quality - Ouch!
We're probably more on the same side than ever before and we still can't get
on.

Gaz


"nrf" wrote in message news:[EMAIL PROTECTED]...
> As a Brit, you're going to lecture the United States on morality?  Excuse
> me, but let's ask, say, the Irish or the Indians about the vaunted British
> morality.   You know what they say about people who live in glass houses...
>
> And besides, let's be honest here.  We both know that, if not for the US,
> you'd be speaking German over there.
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Jim Bond
> > Sent: Thursday, March 14, 2002 4:26 PM
> > To: [EMAIL PROTECTED]
> > Subject: OT: you American need to think [7:38323]
> >
> >
> > Sorry for wasting your bandwidth, but I have to say
> > this.
> >
> > Being rich is good; being smart is good. But if you
> > treat others like sxxt, others will treat you like
> > sxxt too. Think about this: if you are a CCNA and your
> > CCIE co-worker say your "stupid" or "dumb", will you
> > respect him?
> >
> > There are so many knowledgeable and friendly people on
> > this list, but there are some rude and arrogant people
> > too.
> >
> > I agree that Bin Laden is a murderer, an evil, but you
> > American need to think why he only attacks US, not
> > Germany or Russia or Japan or others.
> >
> > Show some respect to others, it won't make you poor.
> > Also remember that there are always someone richer and
> > smarter than you.
> >
> > Over. Dismiss.
> >
> > Jim
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39367&t=38323
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: issue with PIX and dhcp ? [7:39269]

2002-03-23 Thread Gaz

Is this down to the fact that a Pix doesn't do a gratuitous ARP on boot up?
(Or does it) I know that if you replace a router with a pix of the same IP
address, that this causes problems, which can normally be rectified by
rebooting the other end device. Of course you've not always got that luxury,
so how about fitting the Pix and leaving the ARP to time out on the other
device. I think Cisco default is 4 hours isn't it? (14400 seconds).

Anybody know if there is a way of getting the Pix to send a gratuitous ARP
(at least to be able to turn it on then turn it off again), and why would
this be turned off, what is the real risk.

A few guesses going on here, so I think I'll go and have a hunt round.

Cheers,

Gaz




""Roberts, Larry""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I had the same issue with a 501 that I had. I couldn't get it to work via
> Time Warner and an associate tried on Comcast and had no luck.
> I have had success using a Cisco Router, but the PIX just wouldn't work.
> Something I did was to forge the mac address of the PIX with a linksys so
> that it would grab a DHCP address.
> I then swapped out the eq and hard coded the address. It worked for about an
> hour then it died.
>
> With Time Warner, the cable modem will see the DHCP reply that is sent to
> your device and add that to its MAC/IP table.
> They have a private network between the cable modem and their eq, and use
> NAT translation at the cable modem itself.
> The cable modem (at least in my area) will only hold 2 MAC/IP address
> combos, so you might need to reset the cable modem
> to clear out its table.
>
> Would be curious if you have success or not, that way I can tell if it was
> just a local problem , or a Cisco PIX issue.
>
>
> Thanks
>
> Larry
>
> -Original Message-
> From: John Green [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 22, 2002 10:24 PM
> To: [EMAIL PROTECTED]
> Subject: issue with PIX and dhcp ? [7:39269]
>
>
> is any one aware of any issue with PIX501 and
> connecting via cable modem to get an ip address (dhcp)
> ?
>
>   internet --- cable modem --- PIX 501 --- HOST
>
>  without the pix, the HOST is able to get the dhcp ip
> address fine. the pix is configured to get an
> ipaddress from dhcp for its outside interface. but it
> is failing.
> does anyone know of such issues ?
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39289&t=39269



Re: VTP Servers [7:39083]

2002-03-22 Thread Gaz

Depending on the type of switch and version of software, changing mode from
Server to Client will reset the VTP configuration revision, but not on all,
so again the safest way is to confirm the revision before connecting the
switch.

Regards,

Gaz


"Arjen Dragt" wrote in message
news:[EMAIL PROTECTED]...
> Careful about the "...configure it as a VTP client and the world will be a
> safe place." statement.  From CCO (all the following text is from CCO - no
> comments needed):
>
> Link (watch wrap):
>
> cisco.com/warp/public/473/21.html#How%20a%20newly%20inserted%20switch%20can%20mess%20up%20a%20network%20?
>
>
>
> How a Recently-Inserted Switch Can Cause Network Problems
>
> This problem occurs when you have a large switched domain, which is all in
> the same VTP domain, and you want to add one switch in the network.
>
> This switch was previously used in the lab and a good VTP domain name was
> entered. It was configured as a VTP client, and connected to the rest of the
> network. Then, the ISL link was brought up to the rest of the network. In
> just a few seconds, the whole network is down. What could have happened?
>
> The configuration revision of the switch you inserted was higher than the
> configuration revision of the VTP domain. Therefore, your
> recently-introduced switch, with almost no configured VLANs, has erased all
> VLANs through the VTP domain.
>
> This will happen whether the switch is a VTP client or a VTP server. A VTP
> client can erase VLAN information on a VTP server. You will know that this
> has happened when many of the ports in your network go into inactive state,
> but continue to be assigned to a non-existing VLAN.
>
>
> Cheers!
>
> Arjen
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> David Ford
> Sent: March 21, 2002 4:38 PM
> To: [EMAIL PROTECTED]
> Subject: RE: VTP Servers [7:39083]
>
>
> Almost right.
>
> If both servers are in the same VTP domain, the one whose configuration
> counter is highest will propagate its VLANs.  This means that if you add a
> server that's been sitting in your lab and it has a higher configuration
> counter, you will lose the VLANs on your current switch.
>
> If the switch is not going to be a core switch, configure it as a VTP client
> and the world will be a safe place.
>
> If it does have a higher configuration counter, change its VTP domain to a
> different name and then change it back.  Its counter will go back to zero.
>
> David
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Jeffrey Reed
> Sent: Thursday, March 21, 2002 2:27 PM
> To: [EMAIL PROTECTED]
> Subject: VTP Servers [7:39083]
>
>
> If I have an existing VTP domain server with many VLANs configured and then
> add another VTP server does the first server update the new server? No
> chance of the new server updating the old server and wiping out the VTP
> database, right?
>
> Thanks!!
>
> Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39245&t=39083
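
The pre-connection revision check recommended in this thread, as an added example (not code from the thread or from Cisco). It parses `show vtp status` text captured from the switch about to be connected and from a switch already in the domain; the sample outputs, the CAMPUS domain name and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the layout of "show vtp status" on a Catalyst
# switch; domain name, revisions and VLAN counts are made up for illustration.
LAB_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 247
Maximum VLANs supported locally : 254
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : CAMPUS
"""

PRODUCTION = """\
VTP Version                     : 2
Configuration Revision          : 58
Maximum VLANs supported locally : 254
Number of existing VLANs        : 41
VTP Operating Mode              : Server
VTP Domain Name                 : CAMPUS
"""

FIELDS = {
    "revision": r"^Configuration Revision\s*:[ \t]*(\d+)[ \t]*$",
    "vlans": r"^Number of existing VLANs\s*:[ \t]*(\d+)[ \t]*$",
    "mode": r"^VTP Operating Mode\s*:[ \t]*(\S+)[ \t]*$",
    "domain": r"^VTP Domain Name\s*:[ \t]*(.*?)[ \t]*$",
}


@dataclass
class VtpStatus:
    domain: str
    mode: str
    revision: int
    vlans: int


def parse_vtp_status(text):
    """Extract the fields that decide whose VLAN database wins."""
    found = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"'{name}' not found in show vtp status output")
        found[name] = match.group(1)
    return VtpStatus(found["domain"], found["mode"],
                     int(found["revision"]), int(found["vlans"]))


def check_before_connecting(candidate, production):
    """Return (safe, reason) for trunking `candidate` into `production`'s domain."""
    if candidate.domain != production.domain:
        return True, "VTP domain names differ, so its advertisements are not accepted"
    if candidate.revision >= production.revision:
        # Operating mode is deliberately not consulted: per the CCO text quoted
        # in the thread, a client with a higher revision overwrites the domain.
        # Treating an equal revision as unsafe is this example's own choice.
        return False, (f"{candidate.mode} switch at revision {candidate.revision} is "
                       f"not below the domain's revision {production.revision}; its "
                       f"{candidate.vlans} VLANs could replace the domain's "
                       f"{production.vlans}. Reset the revision first")
    return True, f"revision {candidate.revision} is below {production.revision}"


def audit(candidate_text, production_text):
    return check_before_connecting(parse_vtp_status(candidate_text),
                                   parse_vtp_status(production_text))


if __name__ == "__main__":
    print(audit(LAB_SWITCH, PRODUCTION))
    # The same lab switch after its revision has been reset to 0.
    print(audit(LAB_SWITCH.replace(": 247", ": 0"), PRODUCTION))
```
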



Re: Coyotepoint Load Balancers [7:38953]

2002-03-22 Thread Gaz

What problems have you had with the Arrowpoint Sam?

We do mainly Foundry for load balancing, and I have to say (as I'm not using
my work e-mail address :-)) that they have been flaky as hell. We work
fairly closely with Foundry (when we can get in touch), but every box seems
to work differently with every image. You get in to the habit of finding an
image that works and leave it alone. It's a horrible feeling when security
advisories come out recommending upgrades, and you just know it's going to
introduce other issues.

We haven't deployed the Arrowpoint on any really big projects, but they do
seem to offer more functionality than the Foundry in some areas (not
forgetting the massive price difference), so I'm interested to hear what
problems have arisen with them.

Thanks,

Gaz


"sam sneed" wrote in message
news:[EMAIL PROTECTED]...
> I have a pair of CS11152 (former arrowpoints) and they've been flaky. I do
> not recommend them. Not sure about coyotepoint.
>
>
> "dre" wrote in message
> news:[EMAIL PROTECTED]...
> > Coyotepoint was the first server load balancing device I had ever
> > heard of outside of your basic LSNAT configuration (I think Cisco
> > calls it NAT load-sharing or something, but there is an RFC also).
> >
> > However, I've never actually seen one in production on any
> > network.  Around 1997-8 the Cisco Local Director was the
> > only box I saw, and most people hated them.  Then, the F5
> > Big/IP box became popular (and it still sort of is).  A whole
> > bunch of people started entering the market space of SLB
> > and Global Load-Balancing.  In the past few years, companies
> > like Arrowpoint and Alteon got bought by Cisco and Nortel.
> > Now you even have places like Akamai doing GLB for places
> > like Yahoo.
> >
> > After I've read the RFC's, and patents like US6185598,
> > US108703, and US6052718, and worked with SLB and
> > GLB for years, I've finally come to a few conclusions:
> >
> > A) The SLB/GLB marketing and focus is silicon snake oil
> > > B) Just like the computer security industry, "[it's] like a carnival game,
> > > where people throw ducks at balloons, and nothing is as it seems"
> > > C) It really depends on *your* environment.  Just as there are
> > > millions of options for web servers and web programming languages
> > > (e.g. .NET, J2EE, Apache+PHP+MySQL, Apache+mod_perl, MS NT4
> > > IIS/ISAPI, WebSphere vs. Weblogic, Zeus, Netscape, Xitami, etc etc),
> > > there are millions of options for SLB and GLB (even deciding between
> > > the two is impossible).
> > > D) Even outside of products and software, you have your own organization.
> > > How the coders build web pages.  How the HTML is done.  Etc.  If you
> > > don't have any dynamic content.  If you are completely dynamic content and
> > > everything besides the main page is somewhere under /cgi-bin/.  These are
> > > all organizational issues that are different with every company. Depending
> > > on your setup, a different product may fit your needs differently.
> > > E) SLB was grown out of the need for more bandwidth being pushed out
> > > to the Internet by machines in the $100 to $5000 price range.  These
> > > machines at the time were 486's and no ubiquitous Fast or Gigabit Ethernet.
> > > For a high-end Unix box with Fast Ethernet, you were looking at $30,000
> > > back then (at least).
> > > F) Now, you can buy a Titanium Powerbook with Gigabit Ethernet running
> > > Mach+BSD (MacOS X) for like $2000.  You can get 2x CPU 1U machines
> > > running FreeBSD or Linux capable of pushing >2k pps for under $3000.
> > > The need for SLB may have changed over the years due to the hardware
> > > catching up to the bandwidth needs.
> > >
> > > The SLB/GLB market is so confusing, probably "nobody" has it figured out.
> > >
> > > However, I can recommend one box today that stands above the others, and
> > > the only one I'd like to see in any production network.  The guys at Radware
> > > have made some significant advancements in the way SLB and GLB are done.
> > Their WSD and entire line of products are much better than any of the
> > alternatives, and it is much more versatile for any real production
> > environment.
> > This is just my opinion, but I suggest you fully research the SLB/GLB
> > industry before making your decision.
> >
> > -dre
> >
> > "Brian Zeitz" wrote in message
> > news:[EMAIL PROTECTED]...
> > > I hope this is not to

Re: Gigastack Etherchannel [7:39033]

2002-03-22 Thread Gaz

Thanks for all the responses.
Dug the switches out today and tested.
We were all on the right tracks I think.
I also put this to the Cisco open forum, and a Cisco CCIE answered my
original question saying it was definitely not possible to run etherchannel
between two switches with 2 Gigastack modules each.
Coming to Cisco's rescue, I received an e-mail from Tom Petzold of Cisco,
which doesn't seem to have reached the Newsgroup yet, but his answers were
spot on and confirmed by the testing I did today.
His e-mail is attached after my mumblings below.
If anybody can think of any other tests to try, they're still set up so give
me a shout before Monday evening when they get installed elsewhere.

Using all 3524 switches (called A,B and C)


Test 1:
Connect A to B with one cable - Link Auto's to full duplex
Now add a connection from B to C with one cable (on the same Gigastack
module)
Result - All links revert to half duplex

Test 2:
Connect A to B with one cable - Link Auto's to full duplex
Now add a second Gigastack module to B and connect this to C.
Result - All links stay at full duplex.

Test 3:
Connect A to B with 2 cables (one Gigastack module used in each switch)
Result - spanning tree blocks one of the connections (don't know a way of
configuring etherchannel for these - they are not subinterfaces of any kind)

Test 4:
Connect A to B with one cable - Link Auto's to full duplex
Put a second Gigastack module in both A and B
Connect these with one cable
Configure both switches for etherchannel
Result - Etherchannel works fine - all ports forwarding


Regards,

Gaz

(Tom Petzold's e-mail follows)

Let me see if I can walk through the options.
If you hook two switches up with one cable (using only one port on each
gigastack GBIC) you will have a 1Gb (2Gb full Duplex) connection.

If you have three switches cascaded and use both ports on any gigastack GBIC
you will have 1Gb half duplex shared across all the switches.

In the previous configuration you can hook the bottom switch back up to the
top switch. Since you have a loop now (a to b, b to c, c to a) one port will
go into blocking to prevent the loop.

Now your question is can I use two gigastack GBICs in both switches and
setup an etherchannel. The answer is yes. Connect GBIC 1 in switch A to GBIC
1 in switch 2 and GBIC 2 in switch A to GBIC 2 in switch 2 using 1 cable for
each GBIC pair. Then just setup the gigabit ports as an etherchannel group.
This will give you the 2Gb (4Gb full duplex) you wanted.

What you don't want to do is connect both ports on GBIC 1 to both ports on
GBIC 2. I'm not sure what would happen but I think they would go into half
duplex and not allow you to setup the etherchannel.

Tom Petzold

Cisco Systems

"Kelly Cobean" wrote in message
news:[EMAIL PROTECTED]...
> Guys, If it helps any, here is a quote from Cisco's web site. Link below.
>
> "Cascaded Stack Connections:
> You can connect from three to nine switches in a cascaded stack
> configuration. The cascaded stack operates in half-duplex mode."  (This
> raises the debate about how many switches in the stack again, because now
> I've seen conflicting documentation that indicates 9 and 16)
>
> The link is
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/gbic/ig_gbic/mamoins.htm#xtocid357911
> Watch for URL wrap.
>
> Our Switchstacks contain 9 3548's here, and the uplink ports with fiber GBIC
> modules default to full duplex, while the gigastack module ports default to
> half duplex.  I think one of the reasons for this is the fact that you are
> effectively splitting the port in half by connecting each of the two
> gigastack ports to different switches.  Hope this helps.
>
> Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I
> Network Engineer
> GRC International, Inc., an AT&T company
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Gaz
> Sent: Thursday, March 21, 2002 2:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Gigastack Etherchannel [7:39033]
>
>
> Ole,
>
> Good question.. Dunno!
>
> I was just going to suggest that one 3548 could only talk to one other
> switch at full duplex. The Gigastack bus may equate to a shared media once
> another switch is attached, so needs to go to half duplex.
> This must be different for something like a 3508, as a 3508 can definitely
> take multiple full duplex connections when used as the hub of a star
> configuration.
>
> In fact now I've finished writing it, it seems reasonable. I will test this
> tomorrow as well.
>
> Anybody pick holes in that theory?
>
>
> Gaz
>
>
>
> "Ole Drews Jensen" wrote in message
> news:[EMAIL PROT

Re: Gigastack Etherchannel [7:39033]

2002-03-21 Thread Gaz

Ole,

Good question.. Dunno!

I was just going to suggest that one 3548 could only talk to one other
switch at full duplex. The Gigastack bus may equate to a shared media once
another switch is attached, so needs to go to half duplex.
This must be different for something like a 3508, as a 3508 can definitely
take multiple full duplex connections when used as the hub of a star
configuration.

In fact now I've finished writing it, it seems reasonable. I will test this
tomorrow as well.

Anybody pick holes in that theory?


Gaz



"Ole Drews Jensen" wrote in message
news:[EMAIL PROTECTED]...
> If you have three 3548's - A, B and C, and you have 1 GigaStack module in A
> where only one connector is connected to one connector on a GigaStack module
> in B, and 1 GigaStack module in C where only one connector is connected to
> one connector on a second GigaStack module in B. Would that make a Full
> Duplex on the connections since only one port is used on each GigaStack
> module, or would it end up in Half Duplex anyway, since you have a total of
> three switches?
>
> Ole
>
> ~
>  Ole Drews Jensen
>  Systems Network Manager
>  CCNP, MCSE, MCP+I
>  RWR Enterprises, Inc.
>  [EMAIL PROTECTED]
> ~
>  http://www.RouterChief.com
> ~
>  Need a Job?
>  http://www.OleDrews.com/job
> ~
>
>
>
>
> -Original Message-
> From: Georgescu, Aurelian [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 11:56 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Gigastack Etherchannel [7:39033]
>
>
> They can be used in full-duplex mode on point-to-point links (aka using only
> one connector on each GigaStack, one at each end of the cable). If you
> daisy-chain them they default to half-duplex.
>
> Aurelian
>
> -Original Message-
> From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 12:02 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Gigastack Etherchannel [7:39033]
>
> GigaStack GBIC's are Full Duplex:
>
> ELVIS#show int gigabitEthernet 0/1
> GigabitEthernet0/1 is up, line protocol is up
>   Hardware is Gigabit Ethernet, address is 0002.fd13.52f1 (bia 0002.fd13.52f1)
>   MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
>  reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation ARPA, loopback not set
>   Keepalive not set
>   Auto-duplex (Full), link type is autonegotiation, media type is CX_GIGASTACK
>   output flow-control is off, input flow-control is off
>   ARP type: ARPA, ARP Timeout 04:00:00
>   GigaStack module(0.2) in GBIC slot. link1 is up, link2 is down
>   Last input 00:00:06, output 00:00:01, output hang never
>   Last clearing of "show interface" counters 11w1d
>   Queueing strategy: fifo
>   Output queue 0/40, 0 drops; input queue 0/75, 0 drops
>   5 minute input rate 107000 bits/sec, 15 packets/sec
>   5 minute output rate 91000 bits/sec, 16 packets/sec
>  122086095 packets input, 1719966070 bytes, 0 no buffer
>  Received 3149732 broadcasts, 0 runts, 0 giants, 0 throttles
>  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>  0 watchdog, 163799 multicast, 0 pause input
>  165588418 packets output, 149633091 bytes, 0 underruns
>  0 output errors, 0 collisions, 0 interface resets
>  0 babbles, 0 late collision, 0 deferred
>  0 lost carrier, 0 no carrier, 0 pause output
>  0 output buffer failures, 0 output buffers swapped out
>
> Hth,
>
> Ole
>
> ~
>  Ole Drews Jensen
>  Systems Network Manager
>  CCNP, MCSE, MCP+I
>  RWR Enterprises, Inc.
>  [EMAIL PROTECTED]
> ~
>  http://www.RouterChief.com
> ~
>  Need a Job?
>  http://www.OleDrews.com/job
> ~
>
>
>
>
> -Original Message-
> From: Jeffrey Reed [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 21, 2002 10:22 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Gigastack Etherchannel [7:39033]
>
>
> I'm not sure, but I thought I read somewhere that the GigaStack GBICs are
> half duplex. I think I read somewhere that you shouldn't use them in an
> environment that requires QOS. If this is true, your throughput would be
> better with 1000B-T GBICs or Fiber GBICs running at full duplex.
>
> Jeffrey Reed
> Classic Networking, Inc.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gaz
> Sent: Thursday, March 21, 2002 10:16 AM
> To: [EMAIL PROTECTED]
> 
