Free Rack Time [7:75273]
I need 10-20 people to beta test a new online cisco lab time rental system. Anyone who would like free lab time and can answer a couple questions after, please respond.

--
Jay Greenberg
CCIE #11021

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75273&t=75273
--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
RE: Latest Cisco PIX? [7:73084]
The 506 was discontinued, but it didn't really go away. It was replaced by the 506E. The same goes for the 515 (replaced by the 515E). Information on all of the current PIX firewalls is located at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian W.
Sent: Sunday, July 27, 2003 8:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Latest Cisco PIX? [7:73084]

There was a 506 that was discontinued..

Brian

----- Original Message -----
From: "Shawn Xu"
To:
Sent: Sunday, July 27, 2003 2:23 PM
Subject: Latest Cisco PIX? [7:73084]

> Hi,
>
> I heard Cisco has PIX 560. However, I couldn't find Cisco PIX 560 from
> www.cisco.com. The latest one is PIX 535. Is it right?
>
> Thanks
>
> Shawn Xu

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73091&t=73084
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
2500 Flash Upgrade [7:72618]
Has anyone noticed that a 16MB flash upgrade for the 2500 costs almost as much as a 2500? Does anyone know where I can get cheap 8MB flash sticks?

--
Jay Greenberg
CCIE #11021

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72618&t=72618
Re: ISDN ... connectivity [7:72051]
Although I have never tried this, due to not having the hardware, I have been told something like this is possible:

ROUTERA-S/T---xover---ROUTER-S---xover---S/T-ROUTERB

ROUTERs A and B                    ISDN BRI S/T interface
ROUTER-S (acting as the switch)    NM-2V and VIC-2BRI-S/T-TE or NT

I may even have a config that shows the setup. If interested get back to me offline and I'll see if I can find it.

----- Original Message -----
From: "Bob by The Bay"
To:
Sent: Thursday, July 10, 2003 12:51 AM
Subject: Re: ISDN ... connectivity [7:72051]

> not possible with ISDN
>
> ""H T"" wrote in message
> news:[EMAIL PROTECTED]
> > Hi,
> > Can we connect 2 ISDN ports back to back for test ? (with out ISDN
> > simulation device)
> > Is there any kind cable to do this job?
> >
> > cheers
> > Heiman.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72135&t=72051
Re: Upgrading PDM on a PIX firewall [7:70261]
The command is:

copy tftp flash:pdm

Jay Dunn
IPI*GrammTech, Ltd.
http://www.ipi-gt.com
Nunquam Facilis Est

>I was trying to find out what the proper procedure for upgrading the PDM
>on a PIX box is. The documentation on Cisco's site cover installation
>(including on an existing box) but it doesn't seem to address
>specifically the upgrade. Can I simply send the binary via TFTP? The
>Cisco documentation doesn't seem to specify whether it will affect the
>firewall config or not. I wouldn't assume that it would but we all know
>what we get when we assume
>
>Bruce Fyfe, Network Engineer
>LAKESIDE INDUSTRIES
>(425) 313-2600
>[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70273&t=70261
April Fools [7:66613]
--
Jay Greenberg
CCIE #11021

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66613&t=66613
RE: regulations [7:66267]
I have always found it impossible to get a definitive answer on what has to be done (or not done) for any particular environment (e.g. DoD, HIPAA, Section 508, etc.). Trying to read and then comply 100% with the actual regulations is always open to interpretation. A large part of regulatory compliance is documenting a security policy, disaster recovery, etc.

I would suggest you look into getting a copy of "All In One CISSP Exam Preparation Guide" by Shon Harris (sorry, I don't have the ISBN). Most of the regulations you are concerned about will follow the principles of the common base of knowledge (CBK) described in this book. It will also give you a good foundation on general security principles that should be applied in any environment.

Go to http://www.nsa.gov/snac/cisco/download.htm for information on securing a router.

I don't have a URL, but search for EAL4 on cisco's site. You should be able to find a document on how to install and configure a pix for common criteria EAL4 compliance.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stull, Cory
Sent: Wednesday, March 26, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: regulations [7:66267]

Where could I go to find information on network security regulations for banks and medical offices? Information on firewalls and rules they have to abide by and that sort of thing?

Thanks

God Bless our troops.

Cory Stull
CCNP,CCDP,MCSE4/2k
Communications Concepts Unlimited
262-814-7214

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66316&t=66267
Server Load Balancing Options [7:66272]
Hello, would someone please validate this list, and or recommend less alternatives? I would appreciate it a lot!

Our requirements:
1) Server Load Balancing (IP address translation) LAYER 3 ONLY
2) Server availability monitoring (ping?)
3) Redundant Switch Capability (SLB HSRP?)
4) medium load - DNS, LDAP, mail, radius, etc..

As far as I can tell, my options are
1) 6500 SLB CSM - 40-100 grand ?? what modules are needed here?
2) 6500 cat/native OS SLB ??? what modules are needed here?
3) 4840G - 30 grand
4) 7200 Router IOS SLB

CCIE #11021

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66272&t=66272
RE: VPN Client behind PIX [7:64358]
I'm pretty sure this can't be done because the pix doesn't do ipsec pass through. The good news is that the pix ios 6.3 is supposed to fix this. I don't have the url anymore, but there is a page on the cisco web that describes the new features in 6.3 and this capability is specifically listed.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin O'Gilvie
Sent: Tuesday, March 04, 2003 9:23 PM
To: [EMAIL PROTECTED]
Subject: Re: VPN Client behind PIX [7:64358]

I am assuming he is behind a cable modem or dsl. If so, even cisco says this is not possible. If someone has this working please advise..

>From: "Greg Owens"
>Reply-To: "Greg Owens"
>To: [EMAIL PROTECTED]
>Subject: Re: VPN Client behind PIX [7:64358]
>Date: Tue, 4 Mar 2003 19:09:16 GMT
>
>You just need to open the ports you are using, ie 500, 47 1
> >
> > From: "Steve Smith"
> > Date: 2003/03/04 Tue AM 11:15:21 EST
> > To: [EMAIL PROTECTED]
> > Subject: VPN Client behind PIX [7:64358]
> >
> > OK gang here is the scenario. We have a PIX at work running VPN. I have
> > a 515 at home. Before I put the 515 at home in I could use the VPN
> > client to connect to work. Now I can not. I remember a year or so back
> > reading a Cisco article about this and that you had to use a certain IP
> > range on the remote (my house) network. Does anyone know anything about
> > this? Any suggestions?
> >
> > Thanks!
> >
> > Steve Smith
> > Enterprise Engineer
> > 901-758-8179 ext. 108
> > TEKSELL
> > [EMAIL PROTECTED]
>Greg Owens
>202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64456&t=64358
Re: Policy Routing on the 3550? [7:64074]
PBR is not available in current image. I understand it will be available soon.

----- Original Message -----
From: "W. Alan Robertson"
To:
Sent: Friday, February 28, 2003 9:04 AM
Subject: Policy Routing on the 3550? [7:64074]

> Howdy folks...
>
> I need to set the next hop on a 3550 (with the EMI Image) based on the
> protocol type. We've got a number of transparent proxy servers, each
> one handling a different type of traffic (One for HTTP... One for
> SMTP... Etc.).
>
> No problem, right? Wrong.
>
> Merrily, I configured my access-lists to identify the various traffic
> types. I then created the route-map statements to set ip next-hop for
> each of the types of traffic. I then went to my vlan interface to
> apply the route-maps, but lo and behold, no "ip policy" command.
>
> How can I apply the route-maps to my interface?
>
> Is there another way to accomplish this?
>
> Thanks,
>
> Alan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64121&t=64074
RE: pix + router, design issue [7:63244]
In this design the CPE router IS the border router. Whatever controls the customer would like to exercise (e.g. packet filters, ACL, etc) would really be best if placed on the CPE device. Maybe the service provider will configure their router by request.

How many interfaces in the Pix? If there are only 2, the best solution is to place the "border router" on the inside.

LAN   Border Router   Pix   CPE Router

This would allow for a screened subnet (dmz).

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 3:42 AM
To: [EMAIL PROTECTED]
Subject: pix + router, design issue [7:63244]

I have a case with a customer that I am installing a PIX and a border router for. He wants to have control over the border router, but the Service Provider is providing their router as the CPE. One interface on the Service Provider's router has an ip address from the customer's public ip address range, so I am thinking about what would be the best way to config the customer's border router, as it will need to be sending some ip address that is on the interface connected to the CPE router back to the pix.

PIX 213.100.1.10   Border Router   CPE Router 213.100.1.1

I am being a little slow today, so I would like to get some input on how you would handle this scenario.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63332&t=63244
OSPF - FR/P2MP Question [7:62716]
When configuring OSPF over FR, with type of point-to-multipoint, it generates host routes for each router participating. Other than using an access-list, is there any way to prevent these routes?

Thank you

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62716&t=62716
Re: 7500 Router CPU rocketing to 90% [7:62530]
Are you using DLSw+ or bridging on the router?

On Wed, 2003-02-05 at 14:18, Mohsin Hussain wrote:
> We have 2 7500 routers with CIPs installed. Recently the router started to
> have its CPU shooting up to 90%. When show process cpu is run, it does not
> show what process is causing this because none of the processes are or add
> up to 80 or 90%. Only two processes: IP input at 10% and cls background at
> 14%. The rest of the processes are at 0 or 0.1%.

--
Jason Greenberg, CCIE #11021

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62532&t=62530
CCIE Self-Employment [7:62357]
Any CCIEs on the list in business for themselves? What's the money like, what sort of companies do you work for? Do you do short-term or long term contracts? Hourly work?

Thanks,

--
Jason Greenberg, CCIE #11021

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62357&t=62357
RE: VPN client: Cisco or Microsoft? [7:61500]
We have a client with a requirement to set up win2k help desk stations at all of its remote plant locations. These stations are dedicated to the help desk function and should not allow any other traffic or web surfing. These stations also need to be idiot proof so the idea is to establish a restricted VPN connection automatically at bootup. To do this we have chosen to use win2k's built-in ipsec capability. We administratively create an ipsec policy that will only allow the machine to connect to the pix at the central site. The policy also restricts traffic to http between the host and central site destination.

Normally I would agree that the Cisco client is "better", but as with most things circumstance dictates the best choice.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amazing
Sent: Tuesday, January 21, 2003 7:16 PM
To: [EMAIL PROTECTED]
Subject: Re: VPN client: Cisco or Microsoft? [7:61500]

cisco. don't know too much about windows client but with the cisco we are able to set the group name and password without the end user knowing them. this just adds a poor man's version of something you have something you know authentication. the user has the group name and password on their pc and then knows their own username and password to access the network.

""Sam Sneed"" wrote in message
news:[EMAIL PROTECTED]...
> Which do most of you use for Remote Access VPN?
> Pro's and cons?
>
> Thanks a lot.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61551&t=61500
ISDN - OSPF DEMAND CIRCUIT [7:61310]
When using IP OSPF DEMAND-CIRCUIT are there any restrictions with using PPP MULTILINK as well?

Noticed that when PPP MULTILINK is configured on either the BRI or the DIALER interface, when the Serial interface is shutdown between the two routers and then brought back up, the ISDN continues to dial the second router. Checking the Dialer interface using "sh ip ospf int" it shows that Hellos are suppressed.

When PPP MULTILINK is NOT configured, performing the same steps, i.e. shutdown Serial, bring it back up, the ISDN will disconnect and stay disconnected. Which makes me believe it is configured correctly.

Any thoughts appreciated. Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61310&t=61310
6500 / 7600 Differences [7:60503]
Does anyone know what the difference is between a 6500 and a 7600? They both look like they will take the same modules / software, etc.. Are there any fundamental hardware differences?

Jay

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60503&t=60503
6500 IOS / CatOS [7:60499]
What would be better suited to a large ISP's Gigabit Backbone? 6500 SUP2/MSFC2/PFC2 with CatOS or IOS? Is it just about personal preference or are there stability / usability issues?

Thanks,
Jay Greenberg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60499&t=60499
RE: Dumb question [7:58783]
You are absolutely right. It didn't occur to me. It seemed to me that one would have to go out of their way to create a loop in a hub environment. Then after reading your response, I realized I encountered something like this just a few months ago. 2 dual homed Citrix servers using 2 logical subnets but sharing the same physical network. The end user had enabled forwarding between the nics on one of the servers. Guess what the problem was?

Jay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: Dumb question [7:58783]

Jay Dunn wrote:
>
> A "hub" or "repeater" operates at layer 1 and makes no
> intelligent
> decision about what to forward. A packet enters a port and is
> forwarded
> out all other active ports on the hub. The concept of a loop
> only exists
> at higher layers.

A loop could exist at the physical layer too. A newbie could connect the hubs in such a way that there was a loop. And it could indeed cause problems due to the fact that a hub doesn't make any intelligent decisions about what it forwards, as you say, and doesn't participate in higher-layer loop-avoidance solutions such as STP, Dijkstra, split horizon, etc. There would be nothing to stop the looping bits. The very idea makes me cringe. :-)

It's kind of funny that nobody thinks about this. A network of hubs must be designed in a hierarchical fashion. I guess that is just second-nature to people who grew up with hubs.

When hubs entered the market they allowed us to move away from the ubiquitous bus topology and into a star (hub-and-spoke) topology. They allowed us to start using the structured cabling that AT&T and other vendors were starting to install, rather than the Christmas-tree-lights topology so popular with coax cable and so prone to problems.

As networks grew, it became necessary to connect multiple hubs. The term that was often used was "cascading hubs." Hubs cascaded from other hubs, within the rules related to Ethernet propagation delay and collision detection.

Priscilla

>
> Jay Dunn
> IPI*GrammTech, Ltd.
> www.ipi-gt.com
> Nunquam Facilis Est
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of
> Han Chuan Alex Ang
> Sent: Monday, December 09, 2002 3:44 AM
> To: [EMAIL PROTECTED]
> Subject: Dumb question [7:58783]
>
> I am wondering if Hub could be subjected to loop problems , if
> not, what
> will happen if there is a loop within a Hub environment

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58868&t=58783
RE: Dumb question [7:58783]
A "hub" or "repeater" operates at layer 1 and makes no intelligent decision about what to forward. A packet enters a port and is forwarded out all other active ports on the hub. The concept of a loop only exists at higher layers.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Han Chuan Alex Ang
Sent: Monday, December 09, 2002 3:44 AM
To: [EMAIL PROTECTED]
Subject: Dumb question [7:58783]

I am wondering if Hub could be subjected to loop problems, if not, what will happen if there is a loop within a Hub environment

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58787&t=58783
RE: CISSP Certification [7:57757]
Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 20, 2002 1:00 AM
To: [EMAIL PROTECTED]
Subject: CISSP Certification [7:57757]

Can somebody please send me a url where I can find out more about this certification.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57760&t=57757
RE: Accessing Work Lab From Home Through PIX [7:55844]
You can accomplish this with a vpn. Go to the cisco web site and do a search on vpn pix. It will return several links with configuration examples.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of Kevin Love
Sent: Thursday, October 17, 2002 8:16 PM
To: [EMAIL PROTECTED]
Subject: Accessing Work Lab From Home Through PIX [7:55844]

GroupStudy Team:

I am fortunate enough to have access to a lab at work that I would like to access from home. We have a PIX 515 for our firewall at work. A friend has helped me configure the PIX so that I can SSH to it from home. But the PIX won't allow me to telnet to the lab equipment. Does anybody have experience configuring a PIX to allow a secure connection to a device on an internal network through the internet?

Thanks!
Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55862&t=55844
RE: CallManager query to Win2k Active Directory [7:55789]
To be honest, I'm not sure what I'm talking about. However, I've read over the link you provided and this looks like what I need. At least it's a good place to start.

Thanks

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of Steven A. Ridder
Sent: Thursday, October 17, 2002 4:17 PM
To: [EMAIL PROTECTED]
Subject: Re: CallManager query to Win2k Active Directory [7:55789]

One place is the corporate directory, which is usually in the DC directory. You get that by clicking on the directory button. Is that what you are talking about, or are you talking about personal directory, or the AD plugin, or the Exchange PAB plug-in?

If it's what I think it is, the Active Directory, you probably have to run the Active Directory Plug in again:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094493.shtml

""Jay Dunn"" wrote in message
news:200210170828.IAA04931@;groupstudy.com...
> I have inherited responsibility for our IP phone system and am using OJT
> to figure everything out. We are using CallManager 3.2 and receiving our
> directory user lists from our win2k AD. The tech that originally set
> this up created separate OUs in AD for onsite and offsite personnel.
> CallManager only queries the onsite OU for our user directory list. A
> user's phone extension is looked up in the "telephone number" field in
> the user's AD profile. I now have reason to change the OU hierarchy in
> AD. I would also like to change the field where CallManager looks up a
> user's extension. Could someone point me in the right direction for
> determining where these queries are configured? I've examined the system
> parameters and the ASP pages referenced in the directory URL as well as
> the registry on the CCM server. I've also run the AD plug-in, but I'm
> stumped.
>
> Thanks..
>
> Jay Dunn
> IPI*GrammTech, Ltd.
> www.ipi-gt.com
> Nunquam Facilis Est

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55861&t=55789
5513 reporting a bad port number [7:55806]
On a show cam dynamic, one of the entries on my 5513 is listed as:

283 00-60-70-ff-51-00 R 16/64 [ALL]

Where would it be getting port 16/64 from?? I can't find any reference to it. Is this a software bug?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55806&t=55806
CallManager query to Win2k Active Directory [7:55789]
I have inherited responsibility for our IP phone system and am using OJT to figure everything out. We are using CallManager 3.2 and receiving our directory user lists from our win2k AD. The tech that originally set this up created separate OUs in AD for onsite and offsite personnel. CallManager only queries the onsite OU for our user directory list. A user's phone extension is looked up in the "telephone number" field in the user's AD profile. I now have reason to change the OU hierarchy in AD. I would also like to change the field where CallManager looks up a user's extension. Could someone point me in the right direction for determining where these queries are configured? I've examined the system parameters and the ASP pages referenced in the directory URL as well as the registry on the CCM server. I've also run the AD plug-in, but I'm stumped.

Thanks..

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55789&t=55789
RE: With PIX unable to reach DMZ from LAN [7:55608]
You can have multiple NAT statements. NAT 0 will stop nat for whatever is defined in the access list. We have a 515 with a DMZ interface. Our inside network is 10.50.0.0/16 and our dmz network is 172.16.1.0/24. Here is an example from our PIX.

access-list 101 permit ip 10.50.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.50.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.50.0.0 255.255.0.0
ip address inside 10.50.1.2 255.255.0.0
ip address dmz 172.16.1.1 255.255.255.0
ip local pool vpn-pool 10.50.8.1-10.50.8.50
global (outside) 1 x.x.x.196-x.x.x.248 netmask 255.255.255.x
global (outside) 1 x.x.x.195 netmask 255.255.255.x
nat (inside) 0 access-list 101
nat (dmz) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Theodore Stout
Sent: Tuesday, October 15, 2002 4:28 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

But doesn't NAT 0 stop nat for whatever is defined afterwards? If I remember right, and I just might not, I used it when I wanted to avoid NAT on VPN traffic. I would define VPN traffic with an access-list and then use NAT 0 to tell the PIX to not NAT/PAT VPN traffic.

Dude, I still can't figure out why Guruprasad's config won't work. Got me totally bummed out.

Theo

"Jay Dunn"
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to "Jay Dunn"
To: [EMAIL PROTECTED]
cc:
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Lookup NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool. Create an access list permitting ip between the inside and dmz subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the dmz. You will still need the appropriate conduits for dmz to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi theo, and all,

I am giving the configuration.

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
- If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails..
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command? Please help

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

you will need to explicitly grant permission for the DMZ to communicate to the Internal since lower security interfaces are automatically blocked Higher ones. Can you access from the Outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the Static command and I would like to see if you have it.

Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet Interface and three networks are used.

LAN (inside) : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside : 66.x.x.x

Problem : users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other. I have given the static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from INSIDE network to DMZ(perimeter) and vice-versa.

Please help

Thanks
Guruprasad

[GroupStudy.com removed an attachment of t
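The NAT exemption described in this thread can be checked offline before a config is loaded. The following is an added example, not code from the thread or from Cisco: it parses the NAT-related lines of the PIX 515 example above and reports whether a flow is exempted by "nat 0 access-list" or falls through to a numbered nat rule. It assumes only "permit|deny ip <net> <mask> <net> <mask>" ACL entries; the function names and the 198.51.100.7 test address are constructed for illustration.

```python
import ipaddress

# NAT-related lines copied from the PIX 515 example in the post above.
PIX_CONFIG = """\
access-list 101 permit ip 10.50.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list 101 permit ip 10.50.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list 101 permit ip 172.16.1.0 255.255.255.0 10.50.0.0 255.255.0.0
nat (inside) 0 access-list 101
nat (dmz) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
"""


def _net(addr, mask):
    """PIX ACL and nat statements take subnet masks, not wildcard masks."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Parse PIX 6.x style lines into (acls, exempt, dynamic).

    acls:    ACL id -> ordered list of (action, src_net, dst_net)
    exempt:  interface -> ACL id named by "nat (if) 0 access-list <id>"
    dynamic: interface -> ordered list of (nat_id, src_net)
    """
    acls, exempt, dynamic = {}, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 8 and tok[0] == "access-list" and tok[3] == "ip":
            entry = (tok[2], _net(tok[4], tok[5]), _net(tok[6], tok[7]))
            acls.setdefault(tok[1], []).append(entry)
        elif len(tok) >= 5 and tok[0] == "nat":
            iface = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":
                exempt[iface] = tok[4]
            else:
                dynamic.setdefault(iface, []).append((tok[2], _net(tok[3], tok[4])))
    return acls, exempt, dynamic


def classify(rules, iface, src, dst):
    """Return "exempt", "nat <id>" or "no nat rule" for a flow entering iface.

    Assumption of this example: the first matching ACL entry decides, and a
    deny entry means the flow is not exempt and goes on to the nat rules.
    """
    acls, exempt, dynamic = rules
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(exempt.get(iface), []):
        if s in src_net and d in dst_net:
            if action == "permit":
                return "exempt"
            break
    for nat_id, src_net in dynamic.get(iface, []):
        if s in src_net:
            return f"nat {nat_id}"
    return "no nat rule"


if __name__ == "__main__":
    rules = parse(PIX_CONFIG)
    flows = [
        ("inside", "10.50.1.20", "172.16.1.5"),    # inside host to dmz host
        ("dmz", "172.16.1.5", "10.50.1.20"),       # dmz host to inside host
        ("inside", "10.50.1.20", "10.50.8.10"),    # inside host to a vpn-pool address
        ("inside", "10.50.1.20", "198.51.100.7"),  # inside host to an external address
        ("dmz", "172.16.1.5", "198.51.100.7"),     # dmz host to an external address
    ]
    for iface, src, dst in flows:
        print(f"{iface:7} {src:12} -> {dst:13} {classify(rules, iface, src, dst)}")
```

Run over a candidate config, the same check shows which source and destination pairs bypass translation, which is the part of a NAT 0 access list that tends to grow wider than intended.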
RE: With PIX unable to reach DMZ from LAN [7:55608]
Look up NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool. Create an access list permitting ip between the inside and dmz subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the dmz. You will still need the appropriate conduits for dmz to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi theo, and all,

I am giving the configuration.

global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
global (perimeter) 1 192.168.23.10-192.168.23.20
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0
- If I am not wrong, this command enables the communication between LAN and DMZ, but here it fails..
conduit permit tcp host 66.x.x.x eq x any
conduit permit icmp host 192.168.11.x any
conduit permit tcp host 66.x.x.x eq x any
conduit permit tcp host 66.x.x.x eq sqlnet any
route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command?

Please help
Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

you will need to explicitly grant permission for the DMZ to communicate to the Internal since lower security interfaces are automatically blocked from higher ones. Can you access from the Outside? Try it and see.

Can you print out the config without the real IPs? You need to have a companion command to the Static command and I would like to see if you have it.

Cheers,
Theo

"Guruprasad Sanjeevi"
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to "Guruprasad Sanjeevi"
To: [EMAIL PROTECTED]
cc:
bcc:
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure PIX. It has 3 Ethernet Interface and three networks are used.

LAN (inside) : 192.168.11.0
DMZ (perimeter) : 192.168.23.0
Outside: 66.x.x.x

Problem : users from Inside and Perimeter network are able to browse, but the inside and Perimeter network cannot talk to each other.

I have given the static command like this

Static(inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from INSIDE network to DMZ(perimeter) and vice-versa.

Please help
Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55620&t=55608
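The NAT 0 approach described in the reply above, written out as an added configuration sketch in the PIX 6.x syntax the thread uses; it is not part of the original messages. The access-list name nonat_dmz, the inside host 192.168.11.10 and the DMZ host 192.168.23.25 are constructed values, and the sqlnet port is borrowed from the poster's own conduit lines.

```cisco
: Added example. Lines starting with a colon are comments.
: nonat_dmz, 192.168.11.10 and 192.168.23.25 are constructed values.

: Before (from the thread): this static translates the inside /24 to
: addresses that lie inside the DMZ's own 192.168.23.0/24 subnet.
:   static (inside,perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0

: Step 1: remove that static so inside hosts keep their real addresses
: when they talk to the DMZ.
no static (inside,perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0

: Step 2: exempt inside<->DMZ traffic from translation. Traffic matching
: the access list bypasses NAT; all other inside traffic still uses
: "nat (inside) 1" and the outside global pool, so browsing is unaffected.
access-list nonat_dmz permit ip 192.168.11.0 255.255.255.0 192.168.23.0 255.255.255.0
nat (inside) 0 access-list nonat_dmz

: Step 3: connections started from the DMZ (lower security) toward the
: inside still need an explicit permit. Scope it to one DMZ source, one
: inside destination and one port rather than "any".
conduit permit tcp host 192.168.11.10 eq sqlnet host 192.168.23.25

: Step 4: flush translations built under the old rules, then verify.
clear xlate
show nat
show conduit
show xlate
```

After the change, `show xlate` should no longer list 192.168.23.x translations for inside hosts, and a DMZ-initiated connection to any port other than the one permitted should be dropped.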
Re: traffic shapping and rate-limit [7:52468]
I would have to disagree. From an ISP standpoint, when we supply a capped service to a customer, we use a combination of rate-limiting and traffic shaping. I rate-limit the input, and traffic shape the output. I suppose it is more resource-intensive on our end, however don't you agree that it is better quality of service from the ISP?

On Sun, 2002-09-01 at 04:29, YASSER ALY wrote:
> Rate-limiting is what we call policing and it is done from the ISP side. It is bi-directional so you can rate limit input & output. You can define what is the policy to be followed when traffic is within range and what to be done once exceeded like pass, mark, drop.
>
> Traffic-shaping is done from the client side and it is unidirectional (controlling the outgoing traffic from an interface). Shaping helps when 2 sites are communicating with each other, one of them is 1M while the other is 256K, traffic shaping would be defined from the 1M side in order not to flood the 256K link and lots of retransmission occurs.
>
> >From: "Mohamed Saro"
> >what is the difference and the direction of rate-limit and traffic shaping

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52665&t=52468
Re: CCIE OR CCNP [7:52413]
Regardless, it's not as if CCNP study would be a waste of time. Just take the CCNP and consider it part of your CCIE study. Unless you could pass the 4 CCNP tests without studying, then CCNP would be a good place to start. It provides the basic knowledge needed for beginning your CCIE studies. I found that CCNP covered about 50 percent of the basic CCIE topics. After I was done CCNP, I had to learn some basics by myself, such as LAN frame formats, token ring, multicast, voice, dslw+, etc, etc., etc.

Anyway, see if you can pass the CCNP tests without studying (maybe buy some practice tests if you don't want to pay for the real thing yet). They should be brainless to a CCIE candidate.

Jason Greenberg, CCNP

On Fri, 2002-08-30 at 22:13, sisco wrote:
> Thanks Dan,
> i've been on cisco routers for almost six yrs and i was forced to take the ccna exam because of the growing certified networkers..
>
> "Dan Penn" wrote in message news:[EMAIL PROTECTED]...
> > Unless you've been doing this a long time you need to be looking at either CCNP or CCIP. CCIE is not a read a book pass a test kind of certification.
> >
> > Dan
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sisco
> > Sent: Friday, August 30, 2002 6:37 PM
> > To: [EMAIL PROTECTED]
> > Subject: CCIE OR CCNP [7:52413]
> >
> > Hi All!
> > I just passed a ccna exam and i'm just confused if i'm going to take CCNP or jump into CCIE exam.
> >
> > Need ur opinion.
> >
> > thnks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=52422&t=52413
RE: Wireless Field Engineer exam [7:51549]
This exam is currently given over the web at a cost of $35. It is due to change to a proctored exam given at Prometric or VUE in less than 2 weeks. My advice is to try and take it on the web ASAP. There are approx. 78 questions. The video on demand covers just about everything you need to know. Make sure you know the different aironet products and their capabilities. Good luck.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Friday, August 16, 2002 8:39 PM
To: [EMAIL PROTECTED]
Subject: Wireless Field Engineer exam [7:51549]

Does anyone here work for a company that is a partner for Cisco and have taken the field engineer wireless exam? Can anyone give me the details on this, like is it given online, study material and such. I have watched Cisco's recommended video on demand but it sure seems too basic for a cisco exam. My job has asked me to try and complete this by the end of the month. I would appreciate any advice anyone can give me.

I am looking for
How many questions
What score to pass
Is the test given online or a prometric exam?
Study material.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51559&t=51549
Standby Virtual MAC [7:50528]
To solve a problem, as a hack, I used HSRP to create a virtual MAC address that just applied to *1* subinterface on an ISL trunk. The rest of the subinterfaces use the BIA. To try to clean this up, is there any other way to use a virtual mac address on a subinterface? I noticed I don't have the #mac-address command available on the subinterface.

Jay Greenberg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50528&t=50528
Policy Based Routing [7:50412]
Is it possible to policy-route on the source mac address of the Ethernet frame?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50412&t=50412
Summarizing External LSAs at the ABR [7:50395]
How can you summarize external LSAs when the LSAs come from different ASBRs?

summary?-ABR--ASBR-external-lsa
area 0\area 1 \
\ASBR-external-lsa

area-range (on the ABR) doesn't summarize type 5 lsa's, and you can only use summary-address on ASBRs. If there are any Cisco employees on the list - if this functionality has not been developed, could it?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50395&t=50395
OSPF External Summarization Problem [7:50260]
Hello group,

I seem to have a problem with OSPF external LSA summarization. I have an Ethernet segment in area 4. There are 2 ASBRs (RAS Gear), and 1 ABR (the router connected to my backbone). Suppose for now, that ASBR1 is injecting 192.168.0.1/32 into OSPF as an E2 LSA, and ASBR2 is injecting 192.168.0.128/25 into OSPF as an E2 LSA.

I would like the other areas to just understand that 192.168.0.0/24 is reachable via the area 4 ABR, however, #area 4 range 192.168.0.0 255.255.255.0 will not work, because it will not summarize external routes, and I cannot use summary-address (or can I?) on the ABR, because it is only supposed to be used by ASBRs.

My question is: How can I get the ABR to summarise the /24?

Jay Greenberg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50260&t=50260
RE: Radius [7:50090]
Yes. Win2k server has an installable service called IAS (Internet Authentication Service) that provides RADIUS authentication. We haven't tried it with router IOS, but it does work with a PIX terminated VPN. However, it does not support LEAP and therefore won't authenticate Aironet wireless connections.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Brandis
Sent: Monday, July 29, 2002 11:19 PM
To: [EMAIL PROTECTED]
Subject: Radius [7:50090]

hi All

Please forgive the question, however, does Win2k Server have its own Radius Server so we can authenticate with it ?

Thanks all and sorry for the question.

John Brandis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50097&t=50090
Re: ISP QoS Architecture Question [7:49767]
No, we have loads of bandwidth, but I have heard some people, including Cisco Engineers claim that bandwidth won't solve your delay problems.

On Mon, 2002-07-29 at 15:23, Kent Yu wrote:
> Jay,
>
> Does this mean you have determined your network is the bottleneck of your http traffic?
> If you think the congestion in your network is slowing down the response time, then doing the QoS stuff surely will help, of course, as long as the traffic stays within your network, but why adding bandwidth to solve the congestion problem is not a choice? I think it is better than playing with QoS.
> If you want to go down this road, you may also want to make sure the users could verify that your network is not slowing down their http traffic, if you only prioritize http, the users may use ping to verify the response. you could add icmp to high priority too, but why not just giving icmp a high priority, this way they will always see your network is responding pretty quick :-).
>
> I think there are some networks are selling QoS as a service, but IMHO if you just want to improve the response time, it may not be worth the trouble.
>
> Just my .02
>
> Kent
>
> ----- Original Message -----
> From: "Jay Greenberg"
> To:
> Sent: Friday, July 26, 2002 9:49 AM
> Subject: ISP QoS Architecture Question [7:49767]
>
> > I am considering deploying QoS features in our ISP. The ISP has about 60 thousand users in total, and I was thinking of setting a general traffic policy. E.g., I would like to set HTTP traffic down to a very low delay, to make the network seem faster to end users. I suppose what I am asking is - has anyone done this for an ISP, and if so, how did it turn out?
> >
> > Jay Greenberg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50047&t=49767
Re: Looking for BSCN in PDF format [7:50039]
Sure, 150 bucks, and I'll even give you a *real* book instead of the pdf. Wouldn't it be nice if everything were free?

On Mon, 2002-07-29 at 13:28, Bond, Jeffrey T wrote:
> Does anyone have a copy of BSCN in pdf format that they wouldn't mind sharing.
>
> thanks
>
> Jeff

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50041&t=50039
Catalyst 5500 %MLS-4-MOVEOVERFLOW [7:50038]
Catalyst 5500 %MLS-4-MOVEOVERFLOW error

I am receiving this error from a catalyst 5513. I am aware that it is the result of a layer 2 mac loop, and I believe that there is an undocumented command that allows you to see which ports and vlans the macs are switching around to and from. Whenever I have this problem on an IOS switch, I use #debug ethernet-cont address. Does anyone know what that troubleshooting command is for CatOS?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50038&t=50038
OT: Consulting Work [7:50006]
Are there any CCIEs doing consulting work on the list? If so, how much work is there (and what city), what is the money like, and how easy is it to transition to self-employment for an employee?

Jay

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=50006&t=50006
Re: BGP and HSRP [7:49807]
I'm not sure what you mean. Generally, HSRP is just used for *your* router redundancy, not the upstream ISP. One feature, however, is that you can change priorities based on the status of an interface, which you know, but that doesn't apply here because your interface will likely never go down if there is a problem upstream of you.

Your indication of a problem will be the absence of the BGP default route, sent from either side of the ISP. If one disappears, your routers and hosts need to know which of your gateway routers to use. If you have the hosts' default gateways set statically, then that's ok because if your 2 edge routers are running iBGP between each other, they will redirect any traffic to wherever the default is coming from. (Usually from the upstream router, but upon failure, it will be known via iBGP from your other edge router)

A couple of suggestions:

1) If you run iBGP, be *sure* not to advertize the default route learned from one edge router, through iBGP to the other edge router, and back out the other upstream. You can use a filter list to prevent that.

2) I would highly recommend running an IGP such as OSPF on all your routers. Remember, that's what routers are there for; routing protocols don't make things more complicated or flakey, but in fact it simplifies things and makes your network more robust. I notice this is a common misconception about using only static routes, and I have much experience on the matter. Static routes break things, especially when you have more than one potential path, like you are suggesting. Don't be afraid to let your firewall learn the correct default route from the redistributed EGP.

On Sat, 2002-07-27 at 01:19, Jason Viera wrote:
> It seems to me the ISP would have some degree of redundancy built into itself. Am I missing something?
> Jason
> ----- Original Message -----
> From: "Jay Greenberg"
> Newsgroups: groupstudy.cisco
> Sent: Friday, July 26, 2002 2:52 PM
> Subject: Re: BGP and HSRP [7:49807]
>
> > If you don't want to run the IGP on the firewall, then just run something between the 2 gateway routers. iBGP would do the trick, and you are running BGP anyway. You could still use HSRP for your own extra router redundancy, but not for upstream selection.
> >
> > On Fri, 2002-07-26 at 16:28, sam sneed wrote:
> > > I have a very small network, only 3 networks so i really don't want to run an IGP. I especially don't want to run it on my firewall. The ISP suggested the HSRP solution since we are using static route between our firewall and these 2 routers. I know there has to be way to do this and am trying to figure it out. I don't have enough routers to set up a lab so I can't test it before i put it in production.
> > >
> > > Thanks.
> > >
> > > "Jay Greenberg" wrote in message news:[EMAIL PROTECTED]...
> > > > If I understand you correctly, I don't think that HSRP is what you need. HSRP is good if upstream serial interfaces go down, or something like that, or for router redundancy, but in your situation I would suggest letting your IGP determine which upstream is active, based on who is still advertising the default BGP prefix. If you are using OSPF, you could use #default-information originate. If the BGP default prefix is the only default route on your edge routers, the OSPF default will disappear if the BGP default disappears. If you don't use OSPF, just redistribute the BGP default into your IGP.
> > > >
> > > > I am assuming that when your ISP goes "down", they stop sending the BGP default.
> > > >
> > > > This will allow 1 of 2 things to happen. If your downstream devices are IGP routers, they will already know the best to the good BGP upstream. If they are hosts with static default routes, then their default gateway could always relay the packet, or suggest an ICMP redirect to the host.
> > > >
> > > > Let me know if this helps!
> > > >
> > > > Jay Greenberg
> > > >
> > > > On Fri, 2002-07-26 at 14:50, sam sneed wrote:
> > > > > I have a pair of 2621's and 2 redundant ethernet handoffs to my ISP. 1 is a primary and the other is a backup which shou
ISP QoS Architecture Question [7:49767]
I am considering deploying QoS features in our ISP. The ISP has about 60 thousand users in total, and I was thinking of setting a general traffic policy. E.g., I would like to set HTTP traffic down to a very low delay, to make the network seem faster to end users. I suppose what I am asking is - has anyone done this for an ISP, and if so, how did it turn out?

Jay Greenberg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49767&t=49767
Re: BGP and HSRP [7:49807]
If I understand you correctly, I don't think that HSRP is what you need. HSRP is good if upstream serial interfaces go down, or something like that, or for router redundancy, but in your situation I would suggest letting your IGP determine which upstream is active, based on who is still advertising the default BGP prefix. If you are using OSPF, you could use #default-information originate. If the BGP default prefix is the only default route on your edge routers, the OSPF default will disappear if the BGP default disappears. If you don't use OSPF, just redistribute the BGP default into your IGP.

I am assuming that when your ISP goes "down", they stop sending the BGP default.

This will allow 1 of 2 things to happen. If your downstream devices are IGP routers, they will already know the best to the good BGP upstream. If they are hosts with static default routes, then their default gateway could always relay the packet, or suggest an ICMP redirect to the host.

Let me know if this helps!

Jay Greenberg

On Fri, 2002-07-26 at 14:50, sam sneed wrote:
> I have a pair of 2621's and 2 redundant ethernet handoffs to my ISP. 1 is a primary and the other is a backup which should only be used if the primary fails. On my side i am running HSRP for fault tolerance. RA is configured as primary in my HSRP group. I will be doing BGP peering with my provider. I only want to receive default routes. I almost have the full config but am confused on 1 point. If ISPA loses connectivity a couple hops upstream HSRP will not fail over because my link is physically up so all my internal hosts will still go through RA eth0. How do I get them to go through RA eth0 then to RB eth0 and then eventually through the backup ISP link, ISP B. Keep in mind its the same ISP, AS#, just a different connection. Its a huge ISP.
> Is there some kind of peering needed between RA and RB, maybe some special commands?
> Am I at least on the right track?
> My configs are posted below.
>
> If the ascii art gets confusing I have posted good a diagram as a gif at :
>
> http://sbnet.freeservers.com/bgp.gif
>
> virtual router
> All routers use AS100
>
> __
> 172.16.20.0 --->| 172.16.10.2--->RA|
> 192.168.133.1--->|ISPA 192.168.133.2 | ->internet
> 172.16.30.0 --> | | (RA eth1)
> |__|
> 172..16.10.0 ---> | 172.16.10.1-->HSRP |
> | --- |
> |172.16.10.3>RB |
> _
> |___|
> 192.168.100.1->|ISPB 192.168.100.2|-->internet
>
> (RB eth1)||
>
>
> Router A
> ---
>
> interface FastEthernet0/0
> ip address 172.16.10.2 255.255.255.0
> standby priority 105
> standby 244 ip 172.16.10.1
> standby 244 preempt
> standby 244 track FastEthernet0/1
> !
> interface FastEthernet0/1
> ip address 192.168.100.1 255.255.255.252
>
>
> router bgp 100
> no synchronization
> network 172.16.10.0
> network 172.16.20.0
> network 172.16.30.0
> neighbor 192.168.133.2 remote-as 100
> neighbor 192.168.133.2 prefix-list ABC in
> neighbor 172.16.10.3 remote-as 100
> no auto-summary
> !
>
> ip prefix-list ABC seq 5 permit 0.0.0.0/0
>
> end
>
>
> Router B
>
> interface FastEthernet0/0
> ip address 172.16.10.3 255.255.255.0
> standby priority 100
> standby 244 ip 172.16.10.1
> standby 244 preempt
> standby 244 track FastEthernet0/1
> !
> interface FastEthernet0/1
> ip address 192.168.100.1 255.255.255.252
>
> router bgp 100
> no synchronization
> network 172.16.10.0
> network 172.16.20.0
> network 172.16.30.0
> neighbor 192.168.100.2 remote-as 100
> neighbor 192.168.100.2 prefix-list ABC in
> neighbor 172.16.10.2 remote-as 100
> no auto-summary
> !
> ip prefix-list ABC seq 5 permit 0.0.0.0/0
>
> end

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49820&t=49807
Re: BGP and HSRP [7:49807]
If you don't want to run the IGP on the firewall, then just run something between the 2 gateway routers. iBGP would do the trick, and you are running BGP anyway. You could still use HSRP for your own extra router redundancy, but not for upstream selection.

On Fri, 2002-07-26 at 16:28, sam sneed wrote:
> I have a very small network, only 3 networks so i really don't want to run an IGP. I especially don't want to run it on my firewall. The ISP suggested the HSRP solution since we are using static route between our firewall and these 2 routers. I know there has to be way to do this and am trying to figure it out. I don't have enough routers to set up a lab so I can't test it before i put it in production.
>
> Thanks.
>
> "Jay Greenberg" wrote in message news:[EMAIL PROTECTED]...
> > If I understand you correctly, I don't think that HSRP is what you need. HSRP is good if upstream serial interfaces go down, or something like that, or for router redundancy, but in your situation I would suggest letting your IGP determine which upstream is active, based on who is still advertising the default BGP prefix. If you are using OSPF, you could use #default-information originate. If the BGP default prefix is the only default route on your edge routers, the OSPF default will disappear if the BGP default disappears. If you don't use OSPF, just redistribute the BGP default into your IGP.
> >
> > I am assuming that when your ISP goes "down", they stop sending the BGP default.
> >
> > This will allow 1 of 2 things to happen. If your downstream devices are IGP routers, they will already know the best to the good BGP upstream. If they are hosts with static default routes, then their default gateway could always relay the packet, or suggest an ICMP redirect to the host.
> >
> > Let me know if this helps!
> >
> > Jay Greenberg
> >
> > On Fri, 2002-07-26 at 14:50, sam sneed wrote:
> > > I have a pair of 2621's and 2 redundant ethernet handoffs to my ISP. 1 is a primary and the other is a backup which should only be used if the primary fails. On my side i am running HSRP for fault tolerance. RA is configured as primary in my HSRP group. I will be doing BGP peering with my provider. I only want to receive default routes. I almost have the full config but am confused on 1 point. If ISPA loses connectivity a couple hops upstream HSRP will not fail over because my link is physically up so all my internal hosts will still go through RA eth0. How do I get them to go through RA eth0 then to RB eth0 and then eventually through the backup ISP link, ISP B. Keep in mind its the same ISP, AS#, just a different connection. Its a huge ISP.
> > > Is there some kind of peering needed between RA and RB, maybe some special commands?
> > > Am I at least on the right track?
> > > My configs are posted below.
> > >
> > > If the ascii art gets confusing I have posted good a diagram as a gif at :
> > >
> > > http://sbnet.freeservers.com/bgp.gif
> > >
> > > virtual router
> > > All routers use AS100
> > >
> > > __
> > > 172.16.20.0 --->| 172.16.10.2--->RA|
> > > 192.168.133.1--->|ISPA 192.168.133.2 | ->internet
> > > 172.16.30.0 --> | | (RA eth1)
> > > |__|
> > > 172..16.10.0 ---> | 172.16.10.1-->HSRP |
> > > | --- |
> > > |172.16.10.3>RB |
> > > _
> > > |___|
> > > 192.168.100.1->|ISPB 192.168.100.2|-->internet
> > >
> > > (RB eth1)||
> > >
> > >
> > > Router A
> > > ---
> > >
> > > interface FastEthernet0/0
> > > ip address 172.16.10.2 255.255.255.0
> > > standby priority 105
> > > standby 244 ip 172.16.10.1
> > > standby 244 preempt
Re: Static routes ... [7:49517]
That's actually not the fact. The router has no way of ever knowing whether x.x.x.x is down. I think MADMAN means that if x.x.x.x's corresponding route interface leaves up/up, only a 'permanent' route will persist.

Jay Greenberg

On Wed, 2002-07-24 at 09:57, MADMAN wrote:
> If x.x.x.x is down the static route is no longer valid and is purged unless you add the "permanent" keyword.
>
> Dave
>
> Antonio Montana wrote:
> >
> > Hi,
> >
> > if there is a packet for the destination 10.2.2.6 and x.x.x.x is down.
> > Is the router permanently trying to send it via x.x.x.x (because of its lower AD of 202) and drop it all the time ?!?
> >
> > Or is it going to send it via y.y.y.y (ignoring the higher AD of 203) ?
> >
> > S 10.0.0.0/8 [202/0] via x.x.x.x
> > S 10.2.2.4/30 [203/0] via y.y.y.y
> >
> > thanks
> > monti

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49531&t=49517
CCIE Lab wait time [7:46238]
How long is the CCIE Lab wait time from the time you book it? (Once you pass the Qualification).

Jay

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46238&t=46238
RE: Networkers Orlando (Was Re: San Diego) [7:46151]
I am looking forward to it as well, I'll see you there on Monday. I got a free* Token ring module for a 3640 I have, and was able to practice SRB and DLSw+ until I was very comfortable with it. I'm more worried about voice.

Jay Greenberg

On Sun, 2002-06-09 at 13:57, Christopher Supino wrote:
> Jay,
>
> I am scheduled for the Monday CCIE power session in Orlando. Looking forward to it. I was originally scheduled for the 24th of July in RTP, but common sense prevailed and I probably will be looking for a date sometime in the fall. I have been using Cisco's ASET labs and reading some of the books on the reading list, but do not feel quite ready, as some of the technologies on the labs I have never worked with (DLSW, SRB, etc..). Also, I was thinking about attending one of the bootcamps, either Boson or CCBootcamp. They both come pretty highly recommended.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46162&t=46151
Re: Networkers Orlando (Was Re: San Diego) [7:46151]
I'm taking the CCIE Power session in Orlando, is anyone else?

Jay Greenberg

On Wed, 2002-06-05 at 18:44, Oleg Oz wrote:
> I think I saw a thread on this a few weeks ago but can no longer find it..
> Is anyone going to networkers in San Diego.. Taking power sessions?
>
> Oleg.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46151&t=46151
Re: Split horizon behaviour - explain me this one! [7:46102]
Split Horizon is a loop avoidance feature for distance vector routing protocols. OSPF, being a Link-State RP, has loop avoidance properties derived from its nature, so the SH rule does not apply (look into how information is shared on a NBMA or BROADCAST network between DR/BDR/DROTHERs). If you redistribute a DVRP into a LSRP that runs over the same set of routers, you're likely going to create routing loops.

Jay Greenberg

On Sat, 2002-06-08 at 02:37, Chuck wrote:
> 179 days and counting. Going through my protocol by protocol review.
>
> 192.168.1.0/24
> --
> | ||
> |
>R1 R2 R3R4
>
>
> R2 redistributes IGRP into RIP
>
> the purpose of the exercise is to review the purpose and function of the default-metric command under RIP in a redistribution situation.
>
> Now consider that R2 learns certain routes from IGRP via the ethernet interface, and is supposed to redistribute those routes into RIP, and advertise those routes out the ethernet interface to R1.
>
> However, based on my observation, it would appear that split horizon is preventing this. Observe:
>
> IGRP on R2
>
> 01:48:12: RIP: build update entries
> 01:48:12: network 192.168.1.0 metric 1
> 01:48:12: network 192.168.10.0 metric 2
> 01:48:12: network 192.168.30.0 metric 5
> 01:48:12: network 192.168.40.0 metric 5
> 01:48:39
>
> Router_1#ir
>
> C 192.168.10.0/24 is directly connected, Loopback0
> R 192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:16, Ethernet0
> C 192.168.1.0/24 is directly connected, Ethernet0
>
>
> Note that while R2 is creating the RIP routes, R1 does not receive them
>
> But if I disable split horizon on the ethernet interface, then observe:
>
> Router_1#ir
>
> R 192.168.30.0/24 [120/5] via 192.168.1.2, 00:00:12, Ethernet0
> C 192.168.10.0/24 is directly connected, Loopback0
> R 192.168.40.0/24 [120/5] via 192.168.1.2, 00:00:12, Ethernet0
> R 192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:12, Ethernet0
> C 192.168.1.0/24 is directly connected, Ethernet0
>
> Now before leaping to conclusions about the nature of split horizon, I did a sanity check using OSPF. Interesting difference:
>
> Router_1#ir
>
> R 192.168.30.0/24 [120/5] via 192.168.1.2, 00:00:14, Ethernet0
> C 192.168.10.0/24 is directly connected, Loopback0
> R 192.168.40.0/24 [120/5] via 192.168.1.2, 00:00:14, Ethernet0
> R 192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:14, Ethernet0
> C 192.168.1.0/24 is directly connected, Ethernet0
>
> no problem here. so let's try the last sanity check, using EIGRP:
>
> Router_2#
> 02:16:18: %SYS-5-CONFIG_I: Configured from console by console
> 02:16:28: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.1.2)
> 02:16:28: RIP: build update entries
> 02:16:28: network 192.168.20.0 metric 1
> 02:16:28: RIP: sending v1 update to 255.255.255.255 via Loopback0 (192.168.20.1)
>
> 02:16:28: RIP: build update entries
> 02:16:28: network 192.168.1.0 metric 1
> 02:16:28: network 192.168.10.0 metric 2
> 02:16:28: network 192.168.30.0 metric 5
> 02:16:28: network 192.168.40.0 metric 5
> 02:16:28: RIP: received v1 update from 192.168.1.1 on Ethernet0
>
> Router_1#ir
>
> C 192.168.10.0/24 is directly connected, Loopback0
> R 192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:09, Ethernet0
> C 192.168.1.0/24 is directly connected, Ethernet0
>
> aha! no routes from R2
>
> but when I disable split horizon on R2
>
> Router_2(config)#int e 0
> Router_2(config-if)#no ip split
> Router_2(config-if)#^Z
> Router_2#
>
> then I see routes on R1:
>
> Router_1#ir
>
> R 192.168.30.0/24 [120/5] via 192.168.1.2, 00:00:24, Ethernet0
> C 192.168.10.0/24 is directly connected, Loopback0
> R 192.168.40.0/24 [120/5] via 192.168.1.2, 00:00:24, Ethernet0
> R 192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:24, Ethernet0
> C 192.168.1.0/24 is directly connected, Ethernet0
> Router_1#
>
> Conclusion: there is something else here, beyond the obvious. buried within the IOS code I would surmise there is a "split horizon" process, and if a routing protocol is one that honors split horizon, then split horizon is invoked, no matter what the source and destination protocols. make sense?
>
> Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46150&t=46102
Re: Stupid Access-List/VLAN question [7:43128]
No, that's not the case. If you think of it visually,

INTERNET->ROUTER->INTERFACE->ACL->LAN

Then you will see that the internet can still access the interface, and its address. Because really, you are pinging the router, not the interface or the LAN.

On Thu, 2002-05-02 at 14:22, Michael Williams wrote:
> Jay,
>
> Thanks for your input. But shouldn't ACL keep anything from other VLANs
> from even pinging the gateway IP of VLAN511?
>
> Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43168&t=43128

Re: Stupid Access-List/VLAN question [7:43128]
If 10.51.1.1 is the only IP active on that subnet, then the traffic is not being sourced from that network, thus rendering the ACL irrelevant. If, however, your host was connected to one of the ports on vlan 511, you would not be able to communicate with the RSM past the ACL. So, in other words, you are pinging from the other (open) side of the ACL.

On Thu, 2002-05-02 at 11:43, Michael Williams wrote:
> Here's the deal... I have a 5500 with RSM with a few VLANs on it,
> each VLAN with an IP and the RSM is handling the routing for all VLANs.
> I've got one VLAN in particular (511) that I'm experimenting with I
> made the following access list:
>
> Router#(config)access-list 10 deny any log
>
> (I know this seems stupid because of the implicit deny, but I'm
> experimenting)
>
> then applied this to VLAN 511:
>
> Router#config t
> Router#(config)#int vlan 511
> Router#(config-if)#ip access-group 10 in
> Router#(config-if)#ip access-group 10 out
>
> This VLAN 511 interface has an IP of 10.51.1.1 and it's the only IP active
> in that subnet (10.51.1.0/24) as there are no devices setup yet. I
> do have a port on that VLAN connected to another (Nortel) switch, so the
> VLAN511 interface shows up/up when you do a 'sh int vlan511'.
>
> Here's my deal I'm in a different subnet a few hops away
> (10.1.0.0/16, let's say) and I can still ping 10.51.1.1 from my PC
> shouldn't that access list deny all traffic coming in/out of that VLAN?!?!
> I check the log file after pinging (that VLAN IP from my PC) and there's
> nothing...(note the log argument was used on the access-list)
>
> I have a couple of 2500s with CSUs and crossover T1 cable, and I applied the
> same access list to one of the serial interfaces, and when pinging from the
> other 2500, I get the expected timeouts... So why wouldn't applying this
> access list to a VLAN interface on an RSM do the same thing and prevent me
> from pinging the IP on that VLAN interface?!?!?
>
> Am I missing something? Is there something different about how the ACLs are
> applied to VLANs in an RSM as opposed to a physical interface on a router?
> I'm not aware of any such differences...
>
> Please feel free to humiliate and make fun me when telling me the simple
> something that I'm just not getting =)
>
> TIA,
> Mike W.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43135&t=43128

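The behaviour explained in the two replies of this thread, as an added example that is not part of either post and is not Cisco code: a small Python model of where a router consults interface ACLs. The Vlan511 address and "deny any" come from the thread; the Vlan1 interface, the host addresses and the `protect_vlan511` filter are assumptions made for the illustration.

```python
"""Toy model of where a router evaluates interface ACLs (illustration only).

From the thread: Vlan511 = 10.51.1.1/24 with "access-list 10 deny any"
applied in and out. Assumed here: interface Vlan1 = 10.1.0.1/16 and every
host address (constructed sample values).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network


def deny_any(src, dst):
    """access-list 10 deny any: drop whatever reaches this ACL."""
    return False


def protect_vlan511(src, dst):
    """Hypothetical extended ACL: deny anything addressed to 10.51.1.0/24."""
    return dst not in ip_network("10.51.1.0/24")


@dataclass
class Interface:
    name: str
    addr: str                  # address/prefix, e.g. "10.51.1.1/24"
    acl_in: object = None      # callable(src, dst) -> True to permit
    acl_out: object = None


class Router:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}

    def process(self, in_if, src, dst):
        """Return (verdict, list of ACL checks that were actually performed)."""
        src, dst = ip_address(src), ip_address(dst)
        ingress = self.interfaces[in_if]
        checked = []
        # 1. Only the inbound ACL of the arrival interface is consulted.
        if ingress.acl_in is not None:
            checked.append(f"in@{ingress.name}")
            if not ingress.acl_in(src, dst):
                return "dropped", checked
        # 2. A packet addressed to any of the router's own IPs is handed to
        #    the router itself. It is never sent out of an interface, so no
        #    outbound ACL applies to it.
        for iface in self.interfaces.values():
            if dst == ip_interface(iface.addr).ip:
                return "delivered-to-router", checked
        # 3. Transit traffic meets the outbound ACL of the egress interface.
        for iface in self.interfaces.values():
            if dst in ip_interface(iface.addr).network:
                if iface.acl_out is not None:
                    checked.append(f"out@{iface.name}")
                    if not iface.acl_out(src, dst):
                        return "dropped", checked
                return "forwarded", checked
        return "no-route", checked


def thread_router():
    """Configuration from the thread: ACL 10 in and out on Vlan511 only."""
    return Router([
        Interface("Vlan1", "10.1.0.1/16"),
        Interface("Vlan511", "10.51.1.1/24", acl_in=deny_any, acl_out=deny_any),
    ])


def hardened_router():
    """Same router, plus a filter on the side the remote traffic enters."""
    return Router([
        Interface("Vlan1", "10.1.0.1/16", acl_in=protect_vlan511),
        Interface("Vlan511", "10.51.1.1/24", acl_in=deny_any, acl_out=deny_any),
    ])


# Constructed scenarios: (label, arrival interface, source, destination)
SCENARIOS = [
    ("remote PC pings the Vlan511 address", "Vlan1", "10.1.5.20", "10.51.1.1"),
    ("host on VLAN 511 pings its gateway", "Vlan511", "10.51.1.50", "10.51.1.1"),
    ("remote PC reaches a VLAN 511 host", "Vlan1", "10.1.5.20", "10.51.1.50"),
]


def run(router):
    """Evaluate every scenario and return (label, verdict, checks) tuples."""
    return [(label, *router.process(i, s, d)) for label, i, s, d in SCENARIOS]


if __name__ == "__main__":
    for title, router in (("thread config", thread_router()),
                          ("filter on ingress", hardened_router())):
        print(title)
        for label, verdict, checked in run(router):
            print(f"  {label}: {verdict} (ACL checks: {checked or 'none'})")
```

In the first scenario the list of ACL checks is empty, which matches the empty log the original poster saw: access list 10 is never evaluated for that packet.
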
RE: ISDN and VPN (IPSEC 3DES) [7:40807]
Are the ISDN routers NATing? I don't believe you can terminate a NATed IPSec VPN connection at a PIX. Cisco VPN concentrators support this, but the PIX doesn't.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 8:38 AM
To: [EMAIL PROTECTED]
Subject: ISDN and VPN (IPSEC 3DES) [7:40807]

Guys

Any of you familiar with issues between ISDN and Cisco VPN Client (IPSEC 3DES). All of my ISDN users unable to VPN using Cisco VPN Client, and we have PIX 515.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40903&t=40807

Re: netbios over internet [7:40784]
OK, OK, well what about my question then? Is there any way to do this?

> >this: (which you can't do)
> >
> >int tunnel0
> > tun sour 10.10.10.1
> > tun dest 10.20.20.1
> > bridge-group 1
> >
> >int eth0
> > bridge-group 1

On Mon, 2002-04-08 at 14:15, Priscilla Oppenheimer wrote:
> The original question was:
>
> "how can I make the netbios over Internet except the dlsw+ ?"
>
> He didn't say bridging. You did.
>
> Priscilla
>
> At 01:29 PM 4/8/02, Jay wrote:
> >This thread has been taken out of context. The real initial question
> >was whether or not you could bridge over the internet. E.g., have 2
> >LANs that are Layer 2 Bridged over the internet. Somewhat like DLSw+
> >can do for NetBIOS and SNA. It would have the same effect as doing
> >this: (which you can't do)
> >
> >int tunnel0
> > tun sour 10.10.10.1
> > tun dest 10.20.20.1
> > bridge-group 1
> >
> >int eth0
> > bridge-group 1
> >
> >Somehow IP would have to encapsulate the incoming MAC frame as the data
> >portion of the packet, and then release it as an ethernet frame on the
> >other end.
> >
> >On Mon, 2002-04-08 at 12:58, Priscilla Oppenheimer wrote:
> > > NetBEUI is non-routable. NetBIOS is routable. NetBIOS over TCP/IP should
> > > supposedly work over the Internet. For example, can't you do file sharing
> > > over the Internet? That uses NetBIOS and SMB of CIFS.
> > >
> > > (I'm a Mac person, but in theory it should work. ;-)
> > >
> > > Priscilla
> > >
> > > At 10:43 AM 4/8/02, Jay wrote:
> > > >Is it possible to send nonroutable traffic through a GRE Tunnel?
> > > >
> > > >On Mon, 2002-04-08 at 10:12, Engelhard M. Labiro wrote:
> > > > > How about NetBIOS over TCP/IP (NBT) and encapsulate
> > > > > it with IPSec. Another idea is using a GRE tunnel to
> > > > > pass the NetBIOS to the next hop.
> > > > >
> > > > > > I don't think you can, besides bridging on every internet hop.
> > > > > >
> > > > > > On Sun, 2002-04-07 at 23:14, cage wrote:
> > > > > > > how can I make the netbios over Internet except the dlsw+ ?
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40847&t=40784

Re: netbios over internet [7:40784]
This thread has been taken out of context. The real initial question was whether or not you could bridge over the internet. E.g., have 2 LANs that are Layer 2 Bridged over the internet. Somewhat like DLSw+ can do for NetBIOS and SNA. It would have the same effect as doing this: (which you can't do)

int tunnel0
 tun sour 10.10.10.1
 tun dest 10.20.20.1
 bridge-group 1

int eth0
 bridge-group 1

Somehow IP would have to encapsulate the incoming MAC frame as the data portion of the packet, and then release it as an ethernet frame on the other end.

On Mon, 2002-04-08 at 12:58, Priscilla Oppenheimer wrote:
> NetBEUI is non-routable. NetBIOS is routable. NetBIOS over TCP/IP should
> supposedly work over the Internet. For example, can't you do file sharing
> over the Internet? That uses NetBIOS and SMB of CIFS.
>
> (I'm a Mac person, but in theory it should work. ;-)
>
> Priscilla
>
> At 10:43 AM 4/8/02, Jay wrote:
> >Is it possible to send nonroutable traffic through a GRE Tunnel?
> >
> >On Mon, 2002-04-08 at 10:12, Engelhard M. Labiro wrote:
> > > How about NetBIOS over TCP/IP (NBT) and encapsulate
> > > it with IPSec. Another idea is using a GRE tunnel to
> > > pass the NetBIOS to the next hop.
> > >
> > > > I don't think you can, besides bridging on every internet hop.
> > > >
> > > > On Sun, 2002-04-07 at 23:14, cage wrote:
> > > > > how can I make the netbios over Internet except the dlsw+ ?
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40840&t=40784

Re: iBGP full mesh ? [7:40741]
It's not default for the same reason why unicast rpf (antispoofing) is not default in ISO; because people are stupid, and under poor design, it could produce very undesirable and hard to troubleshoot results. In other words, if you don't know why you are disabling synchronization, don't do it.

Take the following scenario: A multihop iBGP link between routers (A) and (B) in which a non-bgp IGP router (C) is routing packets between them. Both BGP links are advertising full tables to each other, and, under your suggested default config, would attempt to forward packets to destinations that router C has no clue about. Then what does router C do with these destinations?

The answer, of course, is to set up an iBGP full mesh, and then to disable synchronization, and if you are smart, design your network so that your IGP learns only about downstream routes and set a default route up to the core of your network.

Anyway, the point being, sync is enabled by default because you really should know what you are doing before you disable it.

On Mon, 2002-04-08 at 10:44, MADMAN wrote:
> I can think one one good reason why you would disable sync, you can't
> redistribute 100K routes into ANY IGP. Why are you so concerned about
> disabling sync?? It should be default.
>
> Dave
>
> Jay wrote:
> >
> > BGP Rules of thumb:
> >
> > BGP advertised prefix must also exist in local IGP table.
> > iBGP learned prefix must also exist in local IGP table
> > -or use #no sync on iBGP learning router, but if you do, you'd sure as
> > hell better know why you disabled it.
> >
> > On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
> > > Hi Group,
> > >
> > > Hope someone can help out with this as I don't have
> > > access to my kit at the moment.
> > >
> > > I tried to set up my first BGP lab last week.
> > > I configured a full iBGP mesh, three routers connected
> > > in a triangle via serial lines.
> > >
> > > I set up "neighbour" statements on each router (Hope
> > > Radia can forgive the extra vowel !!!) and advertised
> > > the networks.
> > >
> > > I got the BGP table working but nothing was promoted
> > > to the main routing table, and therefore couldn't ping
> > > non directly connected interfaces. I tried various
> > > approaches like putting a default route in and running
> > > an IGP but still no promotion to the main table.
> > >
> > > Should this be possible with iBGP ? or is it a matter
> > > of loop avoidance i.e the AS Numbers won't be
> > > prepended for the case of iBGP peers.
> > >
> > > Phil.
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40818&t=40741

Re: netbios over internet [7:40784]
Is it possible to send nonroutable traffic through a GRE Tunnel?

On Mon, 2002-04-08 at 10:12, Engelhard M. Labiro wrote:
> How about NetBIOS over TCP/IP (NBT) and encapsulate
> it with IPSec. Another idea is using a GRE tunnel to
> pass the NetBIOS to the next hop.
>
> > I don't think you can, besides bridging on every internet hop.
> >
> > On Sun, 2002-04-07 at 23:14, cage wrote:
> > > how can I make the netbios over Internet except the dlsw+ ?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40813&t=40784

Re: iBGP full mesh ? [7:40741]
BGP Rules of thumb:

BGP advertised prefix must also exist in local IGP table.
iBGP learned prefix must also exist in local IGP table
-or use #no sync on iBGP learning router, but if you do, you'd sure as hell better know why you disabled it.

On Sun, 2002-04-07 at 09:22, Phil Barker wrote:
> Hi Group,
>
> Hope someone can help out with this as I don't have
> access to my kit at the moment.
>
> I tried to set up my first BGP lab last week.
> I configured a full iBGP mesh, three routers connected
> in a triangle via serial lines.
>
> I set up "neighbour" statements on each router (Hope
> Radia can forgive the extra vowel !!!) and advertised
> the networks.
>
> I got the BGP table working but nothing was promoted
> to the main routing table, and therefore couldn't ping
> non directly connected interfaces. I tried various
> approaches like putting a default route in and running
> an IGP but still no promotion to the main table.
>
> Should this be possible with iBGP ? or is it a matter
> of loop avoidance i.e the AS Numbers won't be
> prepended for the case of iBGP peers.
>
> Phil.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40806&t=40741

Re: netbios over internet [7:40784]
I don't think you can, besides bridging on every internet hop.

On Sun, 2002-04-07 at 23:14, cage wrote:
> how can I make the netbios over Internet except the dlsw+ ?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40804&t=40784

Re: CCIE LAB test questions [7:40793]
The Cisco site says you are responsible for anything in IOS 12.1. If the test were any more specific, it wouldn't be as highly regarded as it is.

On Mon, 2002-04-08 at 02:52, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I passed my written test a few months ago and just finished to build a
> lab at home.
>
> I'm curious to know what subjects are asked at the LAB test Routing &
> Switching. I do not want to know in detail what's happening at the
> test but just the topics like:
>
> BGP
> OSPF
> ISDN Frame
> VPN
> IPsec etc
>
> Is there anybody out there who has an answer because at the Cisco site
> it's not very clear what to do.
>
> cheers Ronald
>
> The Netherlands

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40803&t=40793

RE: Re: Puzzles -> WAS RE: My interview story [7:40553]
Agreed. There are too many variables here. Even if the question stated that an exact answer could be derived given this information then one of two possibilities could exist:

1) The rope is 4 feet off the ground in this configuration:

|   |
|   |
|   |
|   |
|---|
|   |

2) the Lowest point of the rope is 0'

|\    |
| \   |
|  \  |
|   \ |
|    \|

Perhaps these questions were formulated to compel the prospective employee to demonstrate that he/she is capable of demanding all the necessary information to complete the puzzle. This would be required of a sales engineer, e.g.

On Sat, 2002-04-06 at 16:10, John Neiberger wrote:
>
> On the second question about the poles, I found it entirely too
> vague. It never stated where the ropes were attached to the
> poles or even if the poles were aligned vertically. What if
> the poles were horizontal and the rope was attached to the
> middle? :-)
>
> John
>
> On Sat, 6 Apr 2002, Roberts, Larry ([EMAIL PROTECTED]) wrote:
>
> > Might I ask how you're going to lock his box ? The courier would steal it
> > if he gets his hands on it the dang courier.
> >
> > Thanks
> >
> > Larry
> >
> > -Original Message-
> > From: John Neiberger [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, April 06, 2002 2:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Re: Puzzles -> WAS RE: My interview story [7:40553]
> >
> > But the courier will steal anything that isn't locked up,
> > including a key! I believe the solution is as follows:
> >
> > Your friend sends you his box, unlocked, by courier. You place
> > your key inside his box, lock it, and send it back. You then
> > place the diamond into your box, lock it, and send it over. He
> > can unlock your box because he has your key.
> >
> > John
> >
> > On Fri, 5 Apr 2002, Kent Yu ([EMAIL PROTECTED]) wrote:
> >
> > > Daniel,
> > >
> > > I think the first answer could be just lock the stone in the box, give
> > > the box and your key to the courier.
> > >
> > > Kent
> > >
> > > ""Daniel Cotts"" wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > I'll bite.
> > > > a) Boxes and diamond. Gordian Knot technique. Lock the diamond in your box
> > > > and send it to your friend. He breaks the lock or cuts open the box.
> > > > b) Poles and rope. The poles are touching.
> > > >
> > > > > -Original Message-
> > > > > From: Dusty Harper [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Friday, April 05, 2002 4:55 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: My interview story [7:40553]
> > > > >
> > > > > The goal is to determine how you think. Most real world solutions to
> > > > > problems can be applied to technological hurdles, or problems.
> > > > >
> > > > > As an example:
> > > > >
> > > > > Prep:
> > > > > You have an empty box, a lock, a key for your lock, and a diamond.
> > > > > Your friend has an empty box, and a lock for his box.
> > > > >
> > > > > Goal:
> > > > > You want to get the diamond to your friend via courier. However
> > > > > the courier will steal anything that is not locked. How do you do
> > > > > this?
> > > > >
> > > > > Another example:
> > > > >
> > > > > If you have 2 20' poles, a 32' rope strung between them, and the
> > > > > lowest point of the rope is 4' off of the ground, how far apart are
> > > > > the poles?
> > > > >
> > > > > It gauges how one thinks and handles situations.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40706&t=40553

Re: Re: Puzzles -> WAS RE: My interview story [7:40553]
I don't see why your friend can't send you his lock (without the key), allowing you put diamond in any your box but lock it with his lock, and send it back. I guess I don't understand what the courier is going to steal. Will he take anything, including boxes and locks, or just diamonds?

On Sat, 2002-04-06 at 14:21, Kent Yu wrote:
> John,
>
> I did not think of the key, but the courier could steal the unlocked box,
> right?
> I think John Allhiser got it right. I guess I need spend more time on
> security.
>
> Kent
>
> ""John Neiberger"" wrote in message
> news:[EMAIL PROTECTED]...
> > But the courier will steal anything that isn't locked up,
> > including a key! I believe the solution is as follows:
> >
> > Your friend sends you his box, unlocked, by courier. You place
> > your key inside his box, lock it, and send it back. You then
> > place the diamond into your box, lock it, and send it over. He
> > can unlock your box because he has your key.
> >
> > John
> >
> > On Fri, 5 Apr 2002, Kent Yu ([EMAIL PROTECTED]) wrote:
> >
> > > Daniel,
> > >
> > > I think the first answer could be just lock the stone in the box, give
> > > the box and your key to the courier.
> > >
> > > Kent
> > >
> > > ""Daniel Cotts"" wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > I'll bite.
> > > > a) Boxes and diamond. Gordian Knot technique. Lock the diamond in your box
> > > > and send it to your friend. He breaks the lock or cuts open the box.
> > > > b) Poles and rope. The poles are touching.
> > > >
> > > > > -Original Message-
> > > > > From: Dusty Harper [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Friday, April 05, 2002 4:55 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: RE: My interview story [7:40553]
> > > > >
> > > > > The goal is to determine how you think. Most real world solutions to
> > > > > problems can be applied to technological hurdles, or problems.
> > > > >
> > > > > As an example:
> > > > >
> > > > > Prep:
> > > > > You have an empty box, a lock, a key for your lock, and a
> > > > > diamond.
> > > > > Your friend has an empty box, and a lock for his box.
> > > > >
> > > > > Goal:
> > > > > You want to get the diamond to your friend via courier. However
> > > > > the courier will steal anything that is not locked. How do you do
> > > > > this?
> > > > >
> > > > > Another example:
> > > > >
> > > > > If you have 2 20' poles, a 32' rope strung between them, and the
> > > > > lowest point of the rope is 4' off of the ground, how far apart are
> > > > > the poles?
> > > > >
> > > > > It gauges how one thinks and handles situations.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40703&t=40553

RE: My interview story [7:40553]
This test may sound stupid, but based on Mark's description I'd say they were attempting to assess creativity and troubleshooting skills. Sometimes pure technical skills aren't enough. Thinking "outside the box" is a big part of what an employer is looking for. I'd say a company as big as SNS has plenty of experience in hiring and knows what they're doing in making this part of the interview.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Neiberger
Sent: Thursday, April 04, 2002 8:39 PM
To: [EMAIL PROTECTED]
Subject: Re: My interview story [7:40553]

Why would you want to work for a place with such stupid interviews in the first place? If they select their employees based on how they play "Stranded in the Desert" or whatever the heck that was, then it's probably best you don't work there. I'm sure the management there is awful. Stuff like that is a sure sign their managers have too much time on their hands, and there's almost nothing worse than a clueless manager with too much time. Someone needs to send those managers a Dilbert calendar!

I'm sorry to hear it didn't go well, but you should forget about them and move on to a better company.

John

On Thu, 4 Apr 2002, Mark Zhang ([EMAIL PROTECTED]) wrote:
> Hi, everybody, I have an interview appointment at 9:00 AM.
> The position is Network Engineer in SNS (Schlumberger network solutions
> sector). But I failed, at least I think so.
> At first, every candidate have a chance to introduce oneself for 1 minute in
> English. Then every 5 person get a group to play a game named Desert
> Survive. Game as this: Just imagine you and some people lose in a deep desert by
> an airplane problem, so plz list the most important thing to the least from 15
> tools you could use, first time by your own choose, the second by your
> group.
> Maybe I do not show good in the self-introduce, then I play the game, I choose
> more close to the expert answer than my group, but the Schlumberger do not
> think I as the right person they are looking for.
> What a pity! I experienced in Motorola and a network company, have design a
> large scale voip network include about 40 nodes, familiar with Cisco, But
> why? Just because a lose in the game?
>
> B.R
> Mark Zhang

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40569&t=40553

RE: TCP/IP and DOD [7:39657]
I wonder if it's just urban legend, but I've always heard that the reason IPv4 is expressed in decimal (as opposed to hex) is because a military review (i.e. a general) nixed it. "Those aren't numbers. Those are letters."

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Wednesday, March 27, 2002 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: TCP/IP and DOD [7:39657]

The history of TCP/IP is somewhat muddy, as you can imagine.

At 02:04 PM 3/27/02, Steven A. Ridder wrote:
>I am a technical reviewer for a book, and someone wrote that TCP/IP was
>written by the Department of Defense.

I agree that you should question that.

> I am confident that ARPAnet was
>commissioned by the DoD in the 60's to BBN

Yes, you could say that. The Information Processing Techniques Office (IPTO) of ARPA awarded the contract to build the Interface Message Processors (IMP) for ARPANET to BBN in late 1968. IMPs were the early routers. BBN built the IMPs with the help (or hindrance if you believe some reports) of Honeywell. Honeywell developed and manufactured the hardware. BBN did the software.

Descriptions of the "network layer" software that ran on these IMPs doesn't sound much like IP at all. It was connection-oriented, for one thing, and handled error correction. It was very East-Coast anal-retentive stuff. ;-)

The software that evolved into TCP/IP was a West-Coast hippy-dippy geeky phenomenon. UCLA, SRI, UC Santa Barbara, USC, and University of Utah graduate students and researchers worked on it. Originally they had to make sure their software interoperated with the IMPs of the ARPANET. They developed a protocol called the Network Control Protocol (NCP) that worked on the end devices that communicated with the IMPs. It was a host-to-host protocol that could be considered a predecessor to TCP. NCP worked only with ARPANET.

By 1973 or so, ARPANET wasn't the only game in town though. There was packet radio (which evolved into Ethernet), SATNET, and others. A more general-purpose protocol was needed. Vint Cerf who was with UCLA at the time and Bob Kahn, who had been at BBN but now worked for ARPA directly, worked on a new protocol called Transmission Control Protocol (TCP) that was general-purpose. They made the assumption that the underlying network was unreliable. The new protocol shifted the job of reliability from the network to the destination hosts. Originally TCP handled the routing of packets also. TCP had jobs that we would today assign to the network and transport layers.

And finally, in 1978, we come to the birth of the Internet Protocol (IP). In 1978, the job of routing packets was broken away from TCP. TCP was given the task of breaking messages into packets, reassembling them at the other end, detecting errors, resending anything lost, and putting packets in the right order. IP was simply responsible for forwarding individual packets. The specifications for how this should work were written by Cerf at UCLA, and Postel and Cohen from the University of Southern California's Information Sciences Institute (ISI).

In the early 1980s, the ARPANET got really congested and the National Science Foundation created its own network for the academic computer science community. It used TCP/IP and is sometimes considered the real forerunner of "the Internet," although it probably could never have happened without the work that went into the ARPANET.

ARPANET converted to TCP/IP in 1983. It also divided into MILNET and ARPANET. It had connectivity with all the other networks by then. Later it got decommissioned. By 1989, it was gone, but its legacy lived on. May it RIP. ;-)

Here's a recommendation for a terrific book about the history of the Internet: "Where Wizards Stay Up Late: The Origins of the Internet" by Katie Hafner and Matthew Lyon.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39739&t=39657

Re: DHCP across PIX [7:37286]
I'm not sure about the new 6.0 code but 5.0 code and below will not allow the PIX to pass broadcasts.

""kenairs"" wrote in message news:[EMAIL PROTECTED].;
> Hi,
> My pc are located in one of the PIX interface. There is an DHCP server in
> the other interface.
> How to let the DHCP packet go through ? Broadcast ?
>
> Tks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37327&t=37286

RE: VPN problem [7:35715]
You need to enable split-tunnel. This will require an access list permitting ip from your internal network range to your vpn pool range.

Jay Dunn
IPI*GrammTech, Ltd.
http://www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2002 3:17 AM
To: [EMAIL PROTECTED]
Subject: VPN problem [7:35715]

I am having problems with clients, that connect to the pix, when they are connected, they can't go back out to the internet through the same pix

here is a part of the configuration

ip local pool heima 192.168.15.50-192.168.15.100
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local heima
vpdn group 1 client configuration dns 157.157.144.30
vpdn group 1 client configuration wins 157.157.144.10
vpdn group 1 client authentication local

any suggestions ?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35725&t=35715

IDS test network [7:31289]
Hello all,

I'm thinking about buying a director to play with for studying the IDS test. How many of you would be interested in buying time on a network setup for IDS? Let me know so I can get a head count as well as any recommendations (aka packet generator, topology, software). Oh, and what's a typical cost for, let's say, 8 hours?

thanks
Jay

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31289&t=31289
IDS Test [7:30806]
Does anyone have any info on the IDS test? Specifically, do you have to memorize the couple hundred pages of signatures in the IDS book?

Thanks
Jay

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30806&t=30806
Telnet Error Message [7:30332]
Does anyone know how to get rid of the %Bad Password message on a telnet connection after 3 bad password attempts? Any help would be appreciated.

Jay.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30332&t=30332
Re: recertify time [7:30208]
The certs are good for 3 years. I earned my CCNA in the summer of 1998. It expired in September.

Jay Dunn
IPI*GrammTech, Ltd.
http://www.ipi-gt.com
Nunquam Facilis Est

>Does anyone know what the recertification rule is? I know it came into effect
>in 2000-2001, but how does that affect those who got their certification in
>1999? When does the recert clock start ticking for us? I received my CCNA in
>April of 1999 (does it start then) or does it start in 2001, being that the
>rule was just implemented?
>
>rick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30234&t=30208
RE: upgrade 1605 IOS through console [7:27613]
Hi Jim,

Yes, the 1605 will support 115200 baud on the console port for xmodem. As far as the error message you are receiving, I've never heard of that one. First thing I would look at is your config register settings. More than likely it's an error coming from the ROM operating software complaining about the modem. Could be that the modem is configured in such a way that when you start your xmodem the router is unable to proceed. If all else fails, load a tftp server on-site and "tftpdnld".

-

Hello,

I have a 1605 in Europe that I can dial into its console. I was trying to load IOS but failed several times with error message "limit error exceeded". I was using HyperTerminal. Does anyone know what's wrong? Also, I'd like to change speed to 115K, does 1605 support it?

Thanks in advance.
Jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27680&t=27613
RE: PPTP Through a PIX Firewall [7:26519]
To get Microsoft PPTP tunnels thru a pix firewall from outside to in you must have a static NAT to an internal host as well as a conduit or access-list permitting UDP port 1723 and the GRE(47) protocol. This is a tried and true resolution that I have implemented many times. Have a try...

Jay

-
Jay C Creasy
Cisco Certified Network Professional + PIX
Microsoft Certified Professional
Inet Email [EMAIL PROTECTED]
AIM ID HaltItAll
Work # 713-548-3346
Home # 713-263-1939

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rizzo, Damian
Sent: Friday, November 16, 2001 1:13 PM
To: [EMAIL PROTECTED]
Subject: PPTP Through a PIX Firewall [7:26519]

Hello all;

We have a challenge. It appears that we can not VPN through our PIX firewall using PPTP to a remote location. Note, we are NOT using PPTP on the PIX itself; we just want it to pass the traffic through it. Anyone see this issue before and/or have any ideas to a possible solution?

Thanks all in advance,
-Rizzo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26553&t=26519
RE: PIX line up protocol down [7:26349]
Are you using a straight-thru or cross-over cable?

-
Jay C Creasy
Cisco Certified Network Professional + PIX
Microsoft Certified Professional
Inet Email [EMAIL PROTECTED]
AIM ID HaltItAll
Work # 713-548-3346
Home # 713-263-1939

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kent Hawkins
Sent: Thursday, November 15, 2001 4:29 AM
To: [EMAIL PROTECTED]
Subject: PIX line up protocol down [7:26349]

Hi Guys

I have a PIX 520 that has 3 interfaces configured. Ethernet 1 and 2 are normal and have line up, protocol up. Ethernet 0 is down with line up, protocol down. There is a link light on both the Ethernet 0 interface and switch port. This is not a duplex issue since I have already set the Ethernet 0 interface to auto negotiate and back to 100full.

Has anybody got any ideas??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26365&t=26349
RE: Why can't I ping my own interface address? [7:25040]
You might need to put some kind of clocking on the DCE side of the serial connection.

Jay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of EA Louie
Sent: Friday, November 02, 2001 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Why can't I ping my own interface address? [7:25040]

> This happens often when there is a duplicate address. Make sure you do not have
> a duplicate address. Sometimes even when you remove the duplicate address,
> you still need to restart the interface.
>

Also, oftentimes, it means that there's no return route for the ICMP reply from the target PINGed address.

> > > > I am not able to ping a local interface on a router.
> > > > The encapsulation is default and is connected back to back
> > > > on a serial interface to the next router. The output of show interface
> > > > shows that the interface is up.
> > > >
> > > > I would appreciate if someone could shed some light into this problem.
> > > >
> > > > Thanking in advance.
> > > >
> > > > Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25071&t=25040
telco looping [7:24972]
When troubleshooting a typical T1 with telco and they say they have your CSU looped, are they actually able to give the CSU inside the Cisco router a command to be looped, or are they really just looping the smart-jack/demark?

I've been on the phone with telco and seen that when they claim to have the CSU\DSU looped, what they are actually doing is looping the smart-jack/demark, which will loop all traffic from the CSU back on itself.

Jay

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24972&t=24972
RE: FTP Server [7:24525]
This should explain it ... http://www.cisco.com/warp/public/759/ipj_2-3/ipj_2-3_oneb.html

-
Jay C Creasy
Cisco Certified Network Professional + PIX
Microsoft Certified Professional
Inet Email [EMAIL PROTECTED]
AIM ID HaltItAll
Work # 713-548-3346
Home # 713-263-1939

-Original Message-
From: Jill Johnson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 30, 2001 11:25 PM
To: [EMAIL PROTECTED]
Subject: Re: FTP Server [7:24525]

Thank you very much for all your help. I still don't quite understand about the Passive Mode. The idea of setting up this access-list is for the users to dial in from home and to be able to do FTP to the servers at work. Thanks.

Jill

Jonathan Hays wrote:

Priscilla Oppenheimer wrote:
> If it's not passive mode, the data channel is initiated by the server from
> port 20 (FTP data) to the ephemeral port provided by the client in its PORT
> command. Ephemeral just means a short-lived port with a number greater than
> 1023.
>
> If it is passive mode, then the data channel is initiated by the client
> from an ephemeral port to an ephemeral port provided by the server in its
> PASV command.
>
> In other words, access lists with FTP are tricky.
>
> Priscilla
>
> At 03:14 PM 10/30/01, Jonathan Hays wrote:
> >Don't we also want a ACL line for the ftp data channel?
> >
> >access-list 110 permit tcp any host 192.3.10.10 eq ftp-data
> >
> >And if the server is using passive ftp
> >
> >access-list 110 permit tcp any host 192.3.10.10 gt 1023 established

Oops, you're right! I'm getting a bit rusty... The "ftp-data" entry would allow data connections from an external ftp server to ftp sessions initiated by the LAN client which is not what the original poster wanted.

However, the "gt 1023 established" entry should allow access for Internet clients to the LAN ftp server doing passive ftp. But it does open things up a bit too much for the comfort of most paranoid sysadmins.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24858&t=24525
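The PORT and PASV behaviour Priscilla Oppenheimer describes in the thread above, as an added Python example that is not part of any poster's message: it reads control-channel lines, works out who opens the data connection and to which port, and renders the single narrow permit that flow needs, in contrast to a blanket "gt 1023" entry. The client address 198.51.100.7, the sample session and all function names are constructed for illustration; 192.3.10.10 is the server address used in the thread.

```python
"""Derive the FTP data connection from control-channel lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 (PASV) reply.
HOSTPORT = re.compile(
    r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


@dataclass(frozen=True)
class DataChannel:
    mode: str                   # "active" (PORT) or "passive" (PASV)
    initiator: str              # host that opens the data connection
    source_port: Optional[int]  # 20 in active mode, None = any ephemeral port
    listener: str               # host that waits for the data connection
    listen_port: int            # port advertised on the control channel


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field; port = p1*256 + p2."""
    match = HOSTPORT.search(text)
    if not match:
        raise ValueError("no host/port field in %r" % text)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def data_channel(line, client_ip, server_ip):
    """Map one control-channel line to the data connection it announces.

    Returns None for lines that announce nothing. Raises ValueError when the
    advertised address is not the control-connection peer or the port is not
    ephemeral (greater than 1023), so no permit is ever built for such a line.
    """
    line = line.strip()
    verb = line.split(" ", 1)[0].upper()
    if verb == "PORT":        # client -> server: "connect back to me here"
        mode, expected = "active", client_ip
    elif verb == "227":       # server -> client: "connect to me here"
        mode, expected = "passive", server_ip
    else:
        return None
    ip, port = parse_hostport(line)
    if ip != expected:
        raise ValueError("%s advertises %s, expected %s" % (verb, ip, expected))
    if port <= 1023:
        raise ValueError("%s advertises non-ephemeral port %d" % (verb, port))
    if mode == "active":
        # Server opens the connection from port 20 to the client's port.
        return DataChannel("active", server_ip, 20, client_ip, port)
    # Client opens the connection from an ephemeral port to the server's port.
    return DataChannel("passive", client_ip, None, server_ip, port)


def acl_line(dc):
    """Render the one flow as an IOS-style extended ACL entry (illustrative)."""
    src = "host %s" % dc.initiator
    if dc.source_port is not None:
        src += " eq %d" % dc.source_port
    return "permit tcp %s host %s eq %d" % (src, dc.listener, dc.listen_port)


def pinholes(lines, client_ip, server_ip):
    """ACL entries for every data connection announced in a control session."""
    found = (data_channel(l, client_ip, server_ip) for l in lines)
    return [acl_line(dc) for dc in found if dc is not None]


# Constructed control-channel lines covering both modes.
SESSION = [
    "USER jill",
    "PORT 198,51,100,7,195,80",
    "227 Entering Passive Mode (192,3,10,10,204,19)",
]

if __name__ == "__main__":
    for entry in pinholes(SESSION, "198.51.100.7", "192.3.10.10"):
        print(entry)
```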
RE: How to find serial number of router? [7:24765]
Execute this command to get the serial number: "Show diag"

-
Jay C Creasy
Cisco Certified Network Professional + PIX
Microsoft Certified Professional
Inet Email [EMAIL PROTECTED]
AIM ID HaltItAll
Work # 713-548-3346
Home # 713-263-1939

-Original Message-
From: Debbie Westall [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 7:02 AM
To: Symon Thurlow; [EMAIL PROTECTED]
Subject: Re: How to find serial number of router? [7:24765]

I know of no way to get the serial number from the router without looking at the box itself. If you are running a SNMP program, once you have that number you can go in and manually enter the serial number, so from then on you can have the number.

The serial number that is reflected when you do a show version is the serial number of the motherboard inside the router, NOT the serial number of the router.

This has been discussed before; you can search the archives of groupstudy for the results.

Debbie Westall

--- Symon Thurlow wrote:
> sh ver usually does it
>
> Use a MIB browser via SNMP and you will probably
> find it.
>
> Symon
>
> ---
> > Hi Guys,
> >
> > Can anyone here please help: what are the possible
> > software ways to find out
> > the serial number of a router without looking at the
> > hardware itself??
> >
> > Can we find out by using any management software
> > like Cisco resource manager
> > or etc??
> >
> > Thanks for help.
>
> Cheers,
>
> Symon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24864&t=24765
RE: OSPF across PIX [7:24608]
The best way to get any routing protocol thru a pix is inside of a gre tunnel. Go to CCO and search for a config for tunneling multicast thru pix. You should come up with something.

-
Jay C Creasy
Cisco Certified Network Professional + PIX
Microsoft Certified Professional
Inet Email [EMAIL PROTECTED]
AIM ID HaltItAll
Work # 713-548-3346
Home # 713-263-1939

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Allen May
Sent: Tuesday, October 30, 2001 7:15 PM
To: [EMAIL PROTECTED]
Subject: Re: OSPF across PIX [7:24608]

OK maybe...but wouldn't that be translating an IP address of the neighboring router to something it really isn't & botch up the OSPF table on the remote router? Or are you suggesting something different than what I'm thinking? My first impression is that this probably can't be done but I'm always open to finding ways to do the impossible ;)

- Original Message -
From: "Gareth Hinton"
To:
Sent: Tuesday, October 30, 2001 6:35 PM
Subject: Re: OSPF across PIX [7:24608]

> Can you set up a network address translation both ways so that the routers
> think they're talking to a router on the same subnet?
>
> Big guessing going on here (on my part).
>
> Gareth
>
> "pat" wrote in message news:[EMAIL PROTECTED]...
> > Thanks for your reply.
> >
> > When I try to specify outside router as neighbor using
> > neighbor command
> > I get "OSPF: Neighbor address does not map to an
> > interface". How do I resolve
> > this issue ?
> >
> > What do you mean by "If you are doing NAT then a
> > global and
> > nat combination need to represent the internal IP
> > addresses
> > to the outside network"...? Can you give an example?
> >
> > I am doing NAT on firewall.
> >
> > The IP addresses are as follows
> >
> > Inside router Ethernet 10.10.2.1
> > Firewall inside 10.10.2.1
> > Firewall outside 138.12.48.2
> > Outside Router ethernet 138.12.48.1
> >
> > Thanks a lot for everybody's response.
> >
> > --- "Engelhard M. Labiro" wrote:
> > > Sorry, replying to my own message.
> > > The access-list below assumes that you are able to
> > > use nat 0 command (no NAT translation will occur
> > > for the internal IP addresses to be seen from
> > > outside
> > > network). If you are doing NAT then a global and
> > > nat combination need to represent the internal IP
> > > addresses
> > > to the outside network, before applying the
> > > access-list below.
> > >
> > > Hope you get the idea.
> > >
> > > > Since OSPF uses IP protocol 89, permit this
> > > protocol between
> > > > the two OSPF routers with access-list applied at
> > > outside and inside
> > > > PIX interfaces, something like this:
> > > > access-list 101 permit 89 host 1.1.1.1 host 2.2.2.2
> > > > access-list 102 permit 89 host 2.2.2.2 host 1.1.1.1
> > > > access-group 101 interface inside
> > > > access-group 102 interface outside
> > > >
> > > > At the OSPF routers, put neighbour command, so
> > > they can speak
> > > > each other directly without multicasting the hello
> > > packets.
> > > >
> > > > Hope you get the idea.
> > > >
> > > > - Original Message -
> > > > From: "pat"
> > > > To:
> > > > Sent: Tuesday, October 30, 2001 1:01 PM
> > > > Subject: OSPF across PIX [7:24608]
> > > >
> > > > > Does anybody have any ideas on how to run OSPF
> > > across
> > > > > firewall. What ports to be open & how to make
> > > router
> > > > > establish neighbour relations across firewall.
> > > > >
> > > > > Any thought on this will be greatly appreciated.
> > > > >
> > > > > Thanks,
> > > > > patterson.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24803&t=24608
RE: PIX advanced exam [7:24478]
Cisco hasn't released the Cisco advanced PIX firewall book yet. Should be out in a couple of months. What books did you use to study for the exam?

Bill Harrison

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Matthew Crane
Sent: Tuesday, October 30, 2001 9:32 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX advanced exam [7:24478]

Go buy the Boson exams, they are 98% accurate.

Matthew

Mohamed El Komy wrote:
>
> Hi all,
>
> I'm preparing for taking the PIX advanced exam within 2 days
> but I need to
> know what the exam looks like...type of questions and main
> points to focus on
> in my study.
> Any help greatly appreciated.
>
> BR,
> komy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24678&t=24478
test 1 [7:24674]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24674&t=24674
RE: BSCI [7:23323]
Hi,

I took the Beta BSCI. I found that it was the same topics as the BSCN, just with some IS-IS. I have heard that Cisco are planning to release a press book for the BSCI, but if you can't wait, use the BSCN book and then get the IS-IS info from CCO.

Hope this helps,
Jay.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23341&t=23323
Re: PRI NM for 7206?? [7:20971]
On Tue, 25 Sep 2001, Cisco Lover wrote:

> Hi guys,
>
> Any idea which one is module/Part no for 7206 PRI ISDN ???

PA-MC-2T1 - 2 T-1/PRIs
PA-MC-4T1 - 4 T-1/PRIs
PA-MC-8T1 - 8 T-1/PRIs

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20971&t=20971
RE: Partner Specialization exams - how tough? [7:16773]
This exam is web based. It costs $35 and there is no time limit (other than a session time out if you decide to go to lunch in the middle). I forget how many questions, but it's less than 50. You should understand the basics of 802.11 and know some Cisco Aironet specifics (AP and bridge models, antennas, etc.). I would recommend having a web link open to Cisco Aironet 340 product pages so you can reference part numbers.

Somewhere in the partner certifications area of CCO there is a link to web based training for this. The video and the powerpoint presentations are sufficient to cover the test.

Jay Dunn, MCSE expired in June, CCNA/CCDA to expire in Sept, TIRED of exams
IPI GrammTech, Ltd.
210.694.4313
http://www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Torren Craigie-Manson
Sent: Wednesday, August 22, 2001 12:43 AM
To: [EMAIL PROTECTED]
Subject: Partner Specialization exams - how tough? [7:16773]

Hi all,

Can anyone provide feedback on the partner specialization exams? In particular, I'm interested in the Field Engineer and Systems Engineer exam for wireless LANs. On the scale of "regurgitate these marketing factoids to win a free t-shirt" to "CCNP", how tough is this guy? Any idea of how many questions and how much time is allowed?

Cheers,
Torren

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16780&t=16773
RE: NAT / citrix connectivity [7:7709]
This may be more than the solution calls for, but have you considered using the web client? You haven't mentioned how much flexibility the clients have or require in configuring their own connections, but if this is not an issue, using the web will allow you complete control of all server connection parameters. The client just needs to know a URL. Worst case scenario you have to do a little (very little) html programming, but if you get NFuse even that's eliminated.

Jay Dunn
IPI GrammTech, Ltd.
210.694.4313
http://www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lopez, Robert
Sent: Monday, June 11, 2001 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: NAT / citrix connectivity [7:7709]

Shrug,

You indicated that even if we use NAT, client-side changes will still have to be made. I found one document on the citrix site that speaks of "ICA Browsing with firewall address translation - NAT". This document provides a straight-forward solution but requires making a change on both the client and server side. Is there any other documentation that states the need to configure the client as well?

My dilemma is that I've been asked to provide a solution that will allow the citrix client to create a session to the citrix server in the new subnet - and doing so without touching the client-side.

Any help will be greatly appreciated.

Robert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 1:52 PM
To: [EMAIL PROTECTED]
Subject: Re: NAT / citrix connectivity [7:7709]

On Fri, 8 Jun 2001, Lopez, Robert wrote:

> establish a session. This is where my problem lies...the citrix server ip
> address will change once it's in the new subnet...the client will not be
> able to connect.
>
> It was suggested that we implement NAT to allow the client to connect to the
> citrix server. This is a quick snapshot of what we have...

I'm assuming that notifying the users and having them change the IP is not a feasible option?

Even if you DID use NAT to translate the old IP to the new IP, client-side changes will have to be made. (and i think the server will have to be set up appropriately too..I'm only familiar with the client side.)

The client end will have to, going from a bad memory, change their firewall settings to allow them to connect to the server-behind-nat. There is an option along the lines of "use alternate IP address" or something...it's been about 4 months since I did this and haven't been in front of a citrix client in at least 2...it's a well documented bit.

The /better/ solution of course would be to assign a FQDN to the IP addresses and have the clients change to THAT, so that it is only done once...and then you can change the IP at will.

~shrug~

...david

> NAT config on cat6509sw1r1
> ip nat inside source static 10.101.99.20 164.42.100.25

If I read this right, it appears that you are doing the translation at the /client/ end, not the server end...that is totally weird, to me. But, in that case, should that not be ip nat OUTSIDE source static since that is the direction we need to go?

but I'm still rather confused why you are doing the NAT at the client side instead of the server side..

david
---
david raistrick (deep in the south georgia woods)
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=8125&t=7709
RE: Cisco Secure VPN Client for windows 2k [7:3427]
Actually, Cisco has released a Win2K client. We downloaded it last week (sorry, I don't have the URL). We specifically wanted to use it to connect to our PIX. Then we found out that it requires PIX IOS v6 which is not "scheduled" for release until late this week.

Jay Dunn
IPI GrammTech, Ltd.
210.694.4313
http://www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 2:41 AM
To: [EMAIL PROTECTED]
Subject: Cisco Secure VPN Client for windows 2k [7:3427]

I am using IOS based VPN software on my 3640. The Secure VPN Client will not work on a win2k box. I have heard rumors that there is a beta version that will load on a 2k box. Does anybody know of it, or is there a work around for building a VPN to the router using IOS feature set?

Thanks in advance
George

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3430&t=3427
Re: Cisco PIX has been brought to its knee
What version of the code was he running? I seem to remember reading somewhere recently a cross-vendor firewall evaluation where the PIX came out very well in the anti-DoS category.

Thanks,
Jay

"Sean Young" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi everyone,
> I have a story that I wish to share with everyone. One of my friends
> works for a company that uses Cisco PIX as the firewall. This afternoon,
> he called and told me that the company firewall is experiencing a Denial
> of Service (DOS) attack. The attack is so heavy that the PIX
> simply gives up. The company contacts Cisco and the TAC told my friend
> that there is a bug in the Cisco PIX code and he will have to wait a
> few days for the new code to arrive. Frustrated, he decides to use his
> workstation which is running NetBSD, put in an extra NIC, shutoff all
> essential services but SSH and netfilter. Amazingly, the new BSD
> firewall withstands the DOS and connectivity is restored.
>
> The point of the story. Not everything from Cisco is good. Their code
> is just as buggy as everyone else's. Just because it carries the name Cisco
> doesn't mean it is safe.
Re: TFTP Error - 3
It's trying to do autoinstall. Here's the Cisco documentation:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt1/fcd102.htm

Jay

"Arthur Simplina" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> This is a continuation of my earlier posting.
>
> I am doing hands-on lab exercises during my off-class hours. Normally, in
> one chapter there are 7-9 different router set-ups which involve 3-5 routers and
> 2-3 switches (2900XL). So after completing one lab exercise, I have to erase
> all the router configurations and do a reload
> to have a clean start for the next lab exercise.
>
> As shown below, the router is booting up and there is this "%error opening
> tftp:...", this takes a while waiting before I can start configuring the
> router. I compared the "show ver" of this router and the other router
> (Router-A) which does not exhibit this tftp error and
> there are no differences in the image files, configuration registers, etc.
> Another router has the same problem and again there are no differences.
>
> But this behavior is not consistent. At one time, after the reload and
> rebooting, the router will not show this tftp error and then in another
> instance, this tftp error appears.
>
> The command "#no service config" will be effective only for that session but
> after clearing up and reloading, this tftp error appears.
>
> Did anybody experience this before? I would highly appreciate if you can
> share your solution.
>
> Thanks.
>
> Arthur
>
> PS: As suggested, we performed a password recovery on the routers to remove
> the "%tftp error... it also did not work.
Re: Implementing SSH on Cisco IOS
> Supported Platforms
> Cisco 1700 series
> Cisco 2600 series
> Cisco 3600 series
> Cisco 7200 series
> Cisco 7500 series
> Cisco ubr920 series
>
> But it does require a DES or 3Des software image.

For people with a lot of centralized equipment, another option might be to use a terminal server for console access, shut off telnet, then SSH into the terminal server.

Jay
Re: bri flapping with demand cirquit/igrp redistribution
I am not sure CDP will keep the line up? And your interesting traffic is permit ip any any. I don't think CDP will keep the line up. When you do a debug ip pack.. you can never see CDP.. CDP is layer 2.

my 0.02

- Original Message -
From: "Chris Larson" <[EMAIL PROTECTED]>
To: "Bob Boone" <[EMAIL PROTECTED]>; "Jay Chandradas" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, March 23, 2001 2:40 PM
Subject: RE: bri flapping with demand cirquit/igrp redistribution

> Will CDP keep the line up? Turn off CDP.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bob Boone
> Sent: Friday, March 16, 2001 5:30 PM
> To: Jay Chandradas; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: bri flapping with demand cirquit/igrp redistribution
>
> Yes i do have passive BRI on IGRP, and also, the way it is done now, it restricts ALL networks, if you look at the access-list 15 it has one statement and then explicit deny all.
> still not working.
>
> - Original Message -
> From: "Jay Chandradas" <[EMAIL PROTECTED]>
> To: "Netguy" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Friday, March 16, 2001 12:22 PM
> Subject: Re: bri flapping with demand cirquit/igrp redistribution
>
> > 1. Do you have a passive interface on bri0 under router IGRP
> >
> > 2. I would do this way!! When you are redistributing into OSPF .. allow only the IGRP networks (including the network connected with is running IGRP)
> >
> > Jay
> >
> > when you are redistributing into
> > - Original Message -
> > From: "Netguy" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Friday, March 16, 2001 12:01 PM
> > Subject: bri flapping with demand cirquit/igrp redistribution
> >
> > > > Hello all you happy people.
> > > > Router A has ospf/igrp mutual redistribution and bri int dialing elsewhere with demand circuit. it keeps flapping.
> > > > i followed someone's advice and created a route/map filter to filter out bri network from igrp redistributing back into ospf.
> > > > what the hell am i doing wrong? i know it's a big thing that lots of people had problems with.
> > > > here's the key configs:
> > > > interface BRI0/0
> > > >  ip address 173.5.8.1 255.255.255.252
> > > >  encapsulation ppp
> > > >  ip ospf demand-circuit
> > > >  dialer idle-timeout 15
> > > >  dialer map ip 173.5.8.2 name R5 broadcast 8667007
> > > >  dialer map ip 173.5.8.2 name R5 broadcast 8667008
> > > >  dialer load-threshold 128 outbound
> > > >  dialer-group 1
> > > >  isdn switch-type basic-dms100
> > > >  isdn spid1 9258667005
> > > >  isdn spid2 9258667006
> > > >  ppp authentication chap
> > > >  ppp chap hostname CCIE
> > > >  ppp multilink
> > > >
> > > > router ospf 1
> > > >  log-adjacency-changes
> > > >  area 0 authentication message-digest
> > > >  area 0 range 173.5.1.0 255.255.255.0
> > > >  summary-address 173.5.10.0 255.255.255.0
> > > >  redistribute igrp 100 metric 100 subnets route-map stuff
> > > >  network 1.1.1.0 0.0.0.3 area 0
> > > >  network 173.5.1.0 0.0.0.15 area 0
> > > >  network 173.5.7.0 0.0.0.7 area 3
> > > >  network 173.5.8.0 0.0.0.3 area 3
> > > >  network 173.5.10.0 0.0.0.127 area 3
> > > >  network 173.5.17.0 0.0.0.255 area 0
> > > > access-list 15 permit 173.5.8.0 0.0.0.3 log
> > > > route-map stuff deny 5
> > > >  match ip address 15
> > > > !
> > > > route-map stuff permit 10
> > > >  set tag 4
Re: bri flapping with demand cirquit/igrp redistribution
1. Do you have a passive interface on bri0 under router IGRP

2. I would do this way!! When you are redistributing into OSPF .. allow only the IGRP networks (including the network connected with is running IGRP)

Jay

when you are redistributing into

- Original Message -
From: "Netguy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, March 16, 2001 12:01 PM
Subject: bri flapping with demand cirquit/igrp redistribution

> > Hello all you happy people.
> > Router A has ospf/igrp mutual redistribution and bri int dialing elsewhere with demand circuit. it keeps flapping.
> > i followed someone's advice and created a route/map filter to filter out bri network from igrp redistributing back into ospf.
> > what the hell am i doing wrong? i know it's a big thing that lots of people had problems with.
> > here's the key configs:
> > interface BRI0/0
> >  ip address 173.5.8.1 255.255.255.252
> >  encapsulation ppp
> >  ip ospf demand-circuit
> >  dialer idle-timeout 15
> >  dialer map ip 173.5.8.2 name R5 broadcast 8667007
> >  dialer map ip 173.5.8.2 name R5 broadcast 8667008
> >  dialer load-threshold 128 outbound
> >  dialer-group 1
> >  isdn switch-type basic-dms100
> >  isdn spid1 9258667005
> >  isdn spid2 9258667006
> >  ppp authentication chap
> >  ppp chap hostname CCIE
> >  ppp multilink
> >
> > router ospf 1
> >  log-adjacency-changes
> >  area 0 authentication message-digest
> >  area 0 range 173.5.1.0 255.255.255.0
> >  summary-address 173.5.10.0 255.255.255.0
> >  redistribute igrp 100 metric 100 subnets route-map stuff
> >  network 1.1.1.0 0.0.0.3 area 0
> >  network 173.5.1.0 0.0.0.15 area 0
> >  network 173.5.7.0 0.0.0.7 area 3
> >  network 173.5.8.0 0.0.0.3 area 3
> >  network 173.5.10.0 0.0.0.127 area 3
> >  network 173.5.17.0 0.0.0.255 area 0
> > access-list 15 permit 173.5.8.0 0.0.0.3 log
> > route-map stuff deny 5
> >  match ip address 15
> > !
> > route-map stuff permit 10
> >  set tag 4
Re: OT: WAN degree?
Thank you Howard for taking the time to respond to my post! You made some very good and greatly appreciated points in your response.

I think the reason I asked the group the question stems from the fact that a friend of mine just received his Bachelor's in Computer Engineering, and is having a very difficult time finding a job. I quite honestly think that the problem is that he is very well rounded, but doesn't really know a lot about any one area (i.e. programming, networking, etc...).

So, here I am, working as a Systems Administrator for a well known company, wanting to get away from the "NT babysitting" I find myself doing on a daily basis, and getting into something more WAN intensive. I am just fearful that if I elect to finish my Bachelor's in CE, CS, or MIS, I will not gain the same level of "relevant" information that I would if I had used the time to study for a vendor specific certification such as the CCIE (or something much more specialized such as the Bachelor's degree in networking I originally inquired about), nor will the degree help me find a job any quicker than the CCIE would (based upon one individual I have observed).

I guess my first question should have been, "OT: Certs or degrees, which one(s) first?"

Thank you again,

jay

>From: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
>Reply-To: "Howard C. Berkowitz" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: OT: WAN degree?
>Date: Sat, 24 Feb 2001 12:46:25 -0500
>
> >Hello,
> >
> > I am currently a MCSE/CCNA and I am finishing up my AA degree at the local junior college, and looking to start my 3rd year in the fall. Are there any colleges that offer a Bachelor's degree in networking? I have visited several college websites and it seems that they all offer just Computer Engineering, Computer Science, or Management Information Systems degrees. After reviewing the individual course outlines, there appears to be very few classes relating to networking. If anyone can offer their advice on this issue, I would greatly appreciate it!
>
>I have seen telecommunications management courses at the master's level, and networking concentrations in all the programs you mention. But if I might try to read between the lines of your post, let me offer some observations about relevance.
>
>Being good in networking means lifelong study. While you may not see specific networking references in some of the course descriptions, many of the courses cover subjects that will equip you to learn and continue to learn, at a level beyond relying on vendor manuals. Don't get me wrong -- it is possible to learn this sort of theory on your own. I did, but courses weren't available at the time I entered the field.
>
>Most computer science programs have a course in operating system design at the sophomore or junior level. Without understanding how operating systems work, you won't ever really understand how buffers are managed, how interrupts affect processor throughput, why different amounts of memory are required, etc.
>
>Typically, there will be a course called something like "discrete mathematical structures." You may have gotten information on finite state machines in a programming course, but you need to refine finite state machine/automata theory if you are ever going to feel comfortable picking up a protocol RFC and understanding the definitions. Such a course also will give an introduction to information theory and coding algorithms, which underlie compression, modulation, and error detection and correction.
>
>In the more MIS courses, you are going to get some business analysis techniques that can be important in understanding customer requirements. I slept through economics 101 -- literally, I overslept the final and flunked the course -- but I've had to go back and study economics to be able to give the best solution recommendation to clients, such as the tradeoffs between acquisition cost and life cycle cost.
>
>Statistics courses are a strong foundation to performance measurement and capacity planning. Unfortunately, many academic programs spend too much time on mathematical analysis ("calculus"), and not enough on the things you really use, such as statistics, operations research, and the oddly named abstract algebra. (Yes, I recognize analysis underlies statistics. But in the real world, a network engineer needs to recognize and use such things as probability distribution functions, not derive them. My attitude there is "yup...that derivation involves an incomplete gamma functio
OT: WAN degree?
Hello,

I am currently a MCSE/CCNA and I am finishing up my AA degree at the local junior college, and looking to start my 3rd year in the fall. Are there any colleges that offer a Bachelor's degree in networking? I have visited several college websites and it seems that they all offer just Computer Engineering, Computer Science, or Management Information Systems degrees. After reviewing the individual course outlines, there appears to be very few classes relating to networking. If anyone can offer their advice on this issue, I would greatly appreciate it!
RE: Citrix is faster via Internet than LAN/WAN
Based upon the information given and all things being equal, it would seem that the problem has to be either in the 3660 or that the LAN/WAN clients have some configuration that is different from the remote sites. Are the LAN/WAN clients on VLANs? Do they possibly have an older ICA client than the remotes? Are they running some application that the remotes do not?

I would start by plugging a "clean" laptop (nothing running but ICA client) into the LAN and connecting. If you get a better response, the problem is with the clients. If not, it's in the LAN/WAN configuration.

Jay Dunn
IPI GrammTech, Ltd.
210.694.4313
http://www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Germain, PJ
Sent: Monday, February 19, 2001 9:46 AM
To: '[EMAIL PROTECTED]'
Subject: Citrix is faster via Internet than LAN/WAN

Hello all!

I'm hoping someone out there can help me with this. We are stumped. We are running the latest version of Citrix on an 8 server (Proliant 6400) farm. Internally, we get to it via a couple of 2948G switches and a 3660 Core Router. But, if I go to one of our remote sites that has a DSL connection to the Internet, they access our Citrix farm through our 2612 Internet router, then a Catalyst 2900 switch (DMZ), then through our PIX, then another 2948G, BUT they apparently bypass the 3660 and get to the farm. External access has much quicker response times than internal. The only difference I see is the 3660 router. We have 30 WAN sites and about 150 LAN hosts working through the 3660, but the CPU usage and Memory are not hurting. Could this difference just be a "traffic shaping" issue or is there something that I am just missing??? We have only a basic config on the 3660.

Any assistance would be much appreciated. Thank you very much, in advance.

P.J. Germain
Network Support Engineer
Cooper / T. Smith
RE: Off Topic: Citrix and PIX via Secureclient?
I assume you're talking about the ICA secureclient. I have not used it, but according to Citrix it does slightly degrade performance (vs. normal ICA). However, I can't see it being a serious degradation.

For the PIX setup, the Citrix/ICA protocol works like most (e.g. ftp). It listens on one default static port and establishes a session on another from a range of available ports.

As for a 56k connection, this shouldn't be a problem. I have a client whose technicians use Citrix to run a Windows based client/server app from the field. They carry laptops and connect to a frame relay network via wireless modem. The wireless connections operate at 14k and the base host connects via a 56k lease line on a Cisco 1600. They're very happy with the performance.

Jay Dunn
IPI GrammTech, Ltd.
210.694.4313
http://www.ipi-gt.com
Nunquam Facilis Est

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of D Rrrr
Sent: Friday, February 16, 2001 3:33 PM
To: [EMAIL PROTECTED]
Subject: Off Topic: Citrix and PIX via Secureclient?

Assuming that anyone has done so (I seem to recall it being mentioned as possible a while back), how easy is this to setup? Just open the appropriate ports on the PIX and slight config on the citrix box? I'm also curious about the performance of the secure citrix clients over the net (like on a 56k connection).

TIA for any comments.
RE: OFF TOPIC - Where is everyone? Where's Roman Gabriel?
Roman Gabriel? Check your AARP cache.

Jay Dunn
IPI*GrammTech, Ltd.
http://www.ipi-gt.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kathy Miihalisko
Sent: Sunday, January 14, 2001 4:31 PM
To: Natasha
Cc: 'Chuck Larrieu'; Cisco Mail List; CCIE_Lab Groupstudy List
Subject: OFF TOPIC - Where is everyone? Where's Roman Gabriel?

Don't the Raiders have those nice black and silver outfits? What I'd like to know is, what happened to Roman Gabriel? Does he still play for the LA Rams? I always had such a crush on him. Don't believe those rumors that he's, um, a crossover cable.

Kathy "Katyusha" M.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Natasha
Sent: Sunday, January 14, 2001 4:17 PM
To: Chuck Church
Cc: 'Chuck Larrieu'; Cisco Mail List; CCIE_Lab Groupstudy List
Subject: Re: OFF TOPIC - Where is everyone?

I hate to ask this but. What's the difference between Ravens and Oakland? Who has what color outfit on? Still looks like grown men in jammies to me lol.

Chuck Church wrote:
>
> If there's one thing tougher than the lab exam, it's winning in Oakland.
> Here's hoping that the Ravens don't go onto day 2 either.

Natasha Flazynski
http://www.ciscobot.com My Cisco information site.
http://www.botbuilders.com Artificial Intelligence and Linux development
A bus station is where a bus stops. A train station is where a train stops. On my desk, I have a work station...
Re: Livingston PortMaster 2e Comm Server for CCIE lab?
Portmasters speak RIP, OSPF, and BGP, so you might be able to use it to add some extra complications to your router setup. Only one ethernet interface, but if it's one of the ones with a WAN card maybe you could figure out some way to utilize that in the lab as well.

Jay

""info"" <[EMAIL PROTECTED]> wrote in message news:93o475$smf$[EMAIL PROTECTED]...
> Just wondering if I was missing something...and I apologize for
> the generic nature of the question...but is there any usefulness
> in adding a Livingston PortMaster 2e to a CCIE practice lab
> I am building? I have one sitting around...I grabbed a document
> describing it at the Lucent (they bought livingston) website...but I
> don't see how it could be useful. ..any comments are appreciated.
CLNS
I was noticing the removal of CLNS from the CCIE lab requirements. While I've never personally seen a lot of the more obscure protocols "in the wild", I don't even know anyone who's seen a production CLNS network. Anybody out there seen one?

Jay
need help on a question
Choose 4 types of routers that support ISDN

a. 700 series
b. 1000 series
c. 1600 series
d. 2500 series
e. 3600 series
f. AS5200
Re: CCIE LAB Scenarios
On 4 Nov 2000 15:16:30 -0500, Shaw, Winston Mr. <[EMAIL PROTECTED]> wrote:
:Who knows where CCIE practice Lab Scenarios can be purchased

http://www.fatkid.com/

Many different practice scenarios, and they also rent rack time. The scenarios are free, and quite varied.

--
Jay Hennigan - Network Administration - [EMAIL PROTECTED]
NetLojix Communications, Inc. NASDAQ: NETX - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
Re: PIX PPTP, no NAT
On Mon, 30 Oct 2000, Andrew wrote:

> The PIX absolutely has default route statements. 'ip route outside|inside'

True. My APC power strip has a default route statement, does that make it a router?

If you try not to think of a PIX as a router, it will be a lot easier to understand. Yes, it moves IP packets from one interface to another under certain defined conditions. Routers also do this. So do proxy servers.

But, you still need the static (inside,outside) for non-NAT applications where the outside will be allowed certain conduits to the inside. And, for non-NAT the inside and outside interfaces are in the same subnet.

The PIX documentation is pretty good. The description under "static" in the command reference addresses this. Without NAT, the interfaces are in the same subnet, no routing. With NAT, there's address translation taking place, but not what one would normally think of as routing.

The PIX is capable of recognizing whether a destination is part of an interface's local subnet and if not forwarding it to a gateway. But, packets arriving on the outside interface with a destination of an inside (higher security) interface are not handled by routing. The outside network is unaware of the existence of the inside network without a static mapping. This static mapping can be to a different address with NAT. This isn't what I'd call routing. The static mapping can also be to the same address without NAT, in which case both interfaces are in the same network. This, IMHO, isn't routing either.

--
Jay Hennigan - Network Administration - [EMAIL PROTECTED]
NetLojix Communications, Inc. NASDAQ: NETX - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
Re: PIX PPTP, no NAT
On Mon, 30 Oct 2000, Andrew wrote:

> A PIX -is- a router (firewall router.) Hence, ip route statements and the
> ability to run RIP. It's a box with two (or more) interfaces that connects
> networks. Granted, it's not a box you would use for 'normal' routing
> functions but to say the PIX is not a router is just wrong.

UNIX and windows hosts have default route statements, and some of them will do RIP.

Cisco doesn't think a PIX is a router, either.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/config.htm#xtocid109169

See step 10.

--
Jay Hennigan - Network Administration - [EMAIL PROTECTED]
NetLojix Communications, Inc. NASDAQ: NETX - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
Re: PIX PPTP, no NAT
On Sun, 29 Oct 2000, Andrew wrote:

> >According to this, it looks like you should have NAT. You have a different
> >network outside than inside.
>
> Don't all routers that are routing between networks? ;) The PIX is not
> necessarily a NAT box. It performs stateful security for established
> connections (translated or not.)

A PIX is not a router.

> And if you're not doing NAT (using NAT 0) then you don't need statics per
> se. If you are trying to allow non-established connections in from the
> outside then you would need to use conduits to open those holes.

But you still need the statics to map the inside to the outside addresses in order to allow outside connections to the inside. You also need a conduit (or access list in the newer software). When not using NAT, you just map the same IP on both sides of the box to itself.

--
Jay Hennigan - Network Administration - [EMAIL PROTECTED]
NetLojix Communications, Inc. NASDAQ: NETX - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
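The static and conduit statements discussed in this thread, written out as a PIX configuration fragment for an inside PPTP server. This is an added example, not part of the original posts or of Cisco's documentation; the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24, plus 10.1.1.10) and the access-list name acl_out are assumptions.

```cisco
: Constructed example; addresses and the ACL name acl_out are placeholders.
: Use variant A or variant B for a given host, not both.

: Variant A - no NAT: the PPTP server keeps its own address on both sides.
: nat 0 leaves outbound traffic from the inside network untranslated.
nat (inside) 0 192.0.2.0 255.255.255.0
: Identity static: the same IP is mapped to itself so that connections
: started from the outside have an inside host to land on.
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255

: Variant B - NAT: an outside address is mapped to a private inside address.
: static (inside,outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255

: The static alone admits nothing. PPTP needs its control channel
: (TCP 1723) and its GRE tunnel permitted to the mapped outside address
: (192.0.2.10 for variant A, 198.51.100.10 for variant B).
conduit permit tcp host 192.0.2.10 eq 1723 any
conduit permit gre host 192.0.2.10 any

: Newer software: an access list bound to the outside interface
: takes the place of the conduits.
: access-list acl_out permit tcp any host 192.0.2.10 eq 1723
: access-list acl_out permit gre any host 192.0.2.10
: access-group acl_out in interface outside
```

`show static` and `show conduit` list the mappings and permitted inbound flows currently configured, which is the quickest way to confirm that nothing broader than these two entries is open.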