OT: Anyone use Solarwinds Orion? [7:75198]
I'm curious if anyone here uses or has used the Orion network monitoring software from Solarwinds. We currently use Network Node Manager, but since we use it primarily for fault reporting and statistics gathering I'm toying with the idea of using a product more tailored to our needs. If you've used it before I'm curious about how it performed, how easy it was to understand and configure, whether it was reliable, etc. It looks like a pretty nifty product from what I can tell from their online demo, but looks can be deceiving.

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75198t=75198

--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Re: Hyper Terminal - 2500 [7:75065]
If you have flow control turned on, turn it off. What are your other terminal settings? For the 2500 series I believe you should be set to 9600, 8-bit, no parity, 1 stop bit. Some Cisco devices request that you use two stop bits, so you might try that as well, but my guess is that it's a flow control problem.

Regards,
John

Johan Bornman 9/9/03 9:19:56 AM wrote:
I don't get any response when configuring a 2500 series router (no key strokes) through Hyper Terminal; 3 2500's are doing the same thing. When I restart the router by resetting it I can see the boot process fine. Any ideas? Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75075t=75065
Re: Good network monitor prog. ??? [7:75081]
Steven Aiello 9/9/03 11:18:51 AM wrote:
Anyone know of a good network monitor prog.? It doesn't have to be free but not too expensive. My budget is nil. Any recommendations? Thanks, Steve

Wouldn't it _have_ to be free if your budget is nil? ;-)

You might want to check out MRTG and WhatsUp Gold:
http://mrtg.hdl.com/mrtg.html
http://www.ipswitch.com/products/WhatsUp/index.html

HTH,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75089t=75081
Re: Please Help - CIDR - How the bits work What I figured out [7:75094]
The key is that you must completely unlearn classful thinking. Forget that you ever learned it. Completely ignore any prior classful subnet boundaries that you were forced to memorize. It's all just one big IP address space that you choose to carve up any way you like. As long as you do it correctly and don't have any overlap, the subnetting scheme is up to you.

Another helpful tip: don't ever use classful terminology any more! Don't say Class A to refer to an 8-bit prefix or subnet mask; don't say Class C to refer to a 24-bit mask, or /24. That will help move your brain away from that type of thinking.

Think of your address space as a big pie, and each time you cut a segment in half you're adding one more bit to the subnet mask. Here's an example:

You start with 10.20.30.0/24 (255.255.255.0) and we'll think of that as a whole pie. You don't need that many addresses in your subnet, so you decide to break it up into smaller pieces. What do you do? Cut your pie in half (draw this out, it helps!). Your pie now has two halves and these represent two subnets with /25 masks with no overlap. Let's say you want to further subnet one of those subnets. Cut it in half again! You now have a /25 and two /26s with no overlap. If you further cut one of those /26 subnets into two pieces you have two /27s. See how easy that is?

Draw this out on paper and write down your subnet information as you go, like this:

10.20.30.0/24 (10.20.30.0-255) becomes
  10.20.30.0/25 (10.20.30.0-127) and
  10.20.30.128/25 (10.20.30.128-255)

10.20.30.128/25 further subnetted becomes
  10.20.30.128/26 (10.20.30.128-191) and
  10.20.30.192/26 (10.20.30.192-255)

And so on... practice it this way for a while and after a short time it will be second nature for you to subnet existing networks without accidentally overlapping them.

HTH,
John

Steven Aiello 9/9/03 12:03:06 PM wrote:
I was stuck on the idea that you could ONLY re-subnet a remaining piece of a subnetwork, and not apply a mask to the whole span of the total available network. You can (unless I'm incorrect here); you just have to watch out for address overlap near your subnetwork boundaries. I think I got it. Man, I love this newsgroup!

Steve

Priscilla Oppenheimer wrote:
Reimer, Fred wrote:
No offense, but this is CCNA material.

Do they still teach classful for CCNA, though? Perhaps the only thing that's hard for him is that 192.168.24.0 has a mask of 255.255.255.0 in a classful system. Moving the prefix over to the left of that classful boundary isn't something they teach for CCNA yet. (They will soon. The new Networking Academy books teach it from the start now.)

Priscilla

Reimer, Fred wrote:
If you are going for your CCNP, then you should already have your CCNA and know the answer. But anyway...

If you need a network with 400 hosts, the smallest subnet would have a /23 mask. So take the first part of your given network and assign it to that:
192.168.24.0/23 (192.168.24.0-192.168.25.255)

Then you need one with 200 hosts. Well, that could fit within a /24 subnet, so assign the next available to that:
192.168.26.0/24 (192.168.26.0-192.168.26.255)

Now you only have 192.168.27.0/24 left from the original 192.168.24.0/23 (which covered 192.168.24.0-192.168.27.255). You need two 50's, so those should fit within /26 subnets each. Assign them:
192.168.27.0/26 (192.168.27.0-192.168.27.63)
192.168.27.64/26 (192.168.27.64-192.168.27.191)

Finally, you need three subnets that can have two hosts each, which would fit within /30 subnets. So assign:
192.168.27.192/30
192.168.27.196/30
192.168.27.200/30

Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-----Original Message-----
From: Steven Aiello [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 09, 2003 8:02 AM
To: [EMAIL PROTECTED]
Subject: Please Help - CIDR - How the bits work [7:75050]

I just started my routing class for my CCNP. We are covering CIDR. The book is VEERY vague on how the bit patterns break down and are used. This was a problem posed in one of my CCNP labs: I have network number 192.168.24.0/22 and from this I need networks with
400 hosts
200 hosts
50 hosts
50 hosts
2 hosts (for serial int - no ip unnumbered allowed)
2 hosts
2 hosts
Also no NATing.

Thanks all, I really could use the help
Steve
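As an added worked example (not code from the list or from any of the posters), the Python below carries out John's "cut the pie in half" procedure and Fred's allocation for Steve's lab problem with the standard library ipaddress module, and goes one step further than the thread by implementing the general rule: serve the largest request first, take the first aligned block of the right size that overlaps nothing already assigned, and verify the whole plan for overlap. Every prefix and host count is the one from the thread; the printed address ranges let you check each line of the posts.

```python
"""Worked CIDR example added for the thread above (not code from the list).

It carries out the two procedures the posts describe using the standard
ipaddress module: John's "cut the pie in half" splitting of 10.20.30.0/24,
and Fred's allocation of 192.168.24.0/22 into subnets for 400, 200, 50, 50,
2, 2 and 2 hosts, placed largest first so each lands on its own boundary.
Every result is checked for overlap, and each subnet is printed with its
first and last address so the ranges can be verified against the posts.
"""
import ipaddress
import math
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def halve(block) -> List[IPv4Net]:
    """Cut a block in half: one more bit of mask gives two non-overlapping halves."""
    net = ipaddress.ip_network(str(block))
    return list(net.subnets(prefixlen_diff=1))


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose block holds `hosts` usable addresses.
    The network and broadcast addresses are reserved, hence the +2."""
    return 32 - math.ceil(math.log2(hosts + 2))


def allocate(block, host_counts: Iterable[int]) -> List[IPv4Net]:
    """Carve `block` into one subnet per host requirement (VLSM).

    Requests are served largest first, and each subnet is taken from the first
    aligned slot of the right size that does not overlap anything assigned
    already, so the result is always a valid, non-overlapping plan.
    """
    parent = ipaddress.ip_network(str(block))
    assigned: List[IPv4Net] = []
    for hosts in sorted(host_counts, reverse=True):
        plen = prefix_for_hosts(hosts)
        if plen < parent.prefixlen:
            raise ValueError(f"{hosts} hosts need a /{plen}, larger than {parent}")
        for candidate in parent.subnets(new_prefix=plen):
            if not any(candidate.overlaps(used) for used in assigned):
                assigned.append(candidate)
                break
        else:
            raise ValueError(f"no room left in {parent} for {hosts} hosts")
    return assigned


def no_overlap(nets: List[IPv4Net]) -> bool:
    """True when no two subnets in the plan share any address."""
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


def describe(net: IPv4Net) -> str:
    """Render a subnet the way the posts write them: prefix plus address range."""
    return f"{net} ({net.network_address}-{net.broadcast_address})"


if __name__ == "__main__":
    # John's pie: halve the /24, then halve the upper /25 again.
    whole = ipaddress.ip_network("10.20.30.0/24")
    lower, upper = halve(whole)
    print(describe(whole), "becomes", describe(lower), "and", describe(upper))
    for piece in halve(upper):
        print("  ", describe(piece))

    # Steve's lab problem: 192.168.24.0/22 for 400, 200, 50, 50, 2, 2, 2 hosts.
    plan = allocate("192.168.24.0/22", [400, 200, 50, 50, 2, 2, 2])
    assert no_overlap(plan)
    for net in plan:
        print(describe(net), "usable hosts:", net.num_addresses - 2)
```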
RE: route redistribution [7:74856]
Hmmm... Maybe it's the fact that I forgot that the route needs to exist in the route table to be redistributed. For all intents and purposes, I will associate the burden of applying new metrics with the receiving protocol. I feel safe in that assumption. Thanks for the clarification...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74929t=74856
RE: Amazing Spanning Tree [7:74594]
Also remember that the blocked port isn't in a down state because it still needs to listen to BPDUs to know when a topology change occurs. If it didn't, it wouldn't know when it needs to transition to the forwarding state, if necessary. Just my 0.02...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74930t=74594
route redistribution [7:74856]
I am studying for the CCIE Written and lately have been concentrating on redistribution. I have come across two statements in Doyle's Vol. 1 that I am a bit confused about. On page 698 under the Metric section, he states that a cost must be assigned to each EIGRP route **BEFORE** passing it into OSPF and vice versa. What confuses me is that on page 712 under Configuring Redistribution it states under #1 that the redistribution configuration command and information is placed on the protocol that is to **RECEIVE** the redistributed routes, which I assume will be applied **AFTER** the route has been received. This seems contradictory to me. Could anyone shed some light on this? It would help my understanding... Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74856t=74856
2620XM vs. 1721 Routers [7:74727]
I'm not very familiar with the 1721 routers and while I'm researching them I wanted to get some opinions. Isn't the 1721 really just a baby 2600 with a slightly smaller processor and no network module slot? Are there any other significant differences between them? We've been using 2600s, and later the 2620XM, but we've recently got rid of the need for a network module, leaving us with a current need of one WIC. It seems like a waste of money to buy a 2620XM if we're only going to pop a WIC-2T into it. :-) I'm sure there's a performance hit, but it's not like I'm trying to drive a DS-3 with this thing. I'll need a T-1 connection, a low-speed serial connection, and fast ethernet. Nothing too fancy. Any thoughts?

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74727t=74727
Re: BGP PEERGROUP PROBLEM [7:74725]
Perhaps a config would be helpful. Or do you expect us to use our psychic abilities to determine the problem? ;-)

JMC Nel 9/3/03 12:29:06 PM wrote:
Could someone please assist me? I set up a customer to receive the partial table but for some reason the customer is receiving the full table. I checked the filter list but that does not seem to be the problem. Any assistance will be greatly appreciated. Thanks, GP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74728t=74725
Re: 2620XM vs. 1721 Routers [7:74727]
John Neiberger 9/3/03 1:09:32 PM wrote:
I'm not very familiar with the 1721 routers and while I'm researching them I wanted to get some opinions. Isn't the 1721 really just a baby 2600 with a slightly smaller processor and no network module slot? Are there any other significant differences between them? We've been using 2600s, and later the 2620XM, but we've recently got rid of the need for a network module, leaving us with a current need of one WIC. It seems like a waste of money to buy a 2620XM if we're only going to pop a WIC-2T into it. :-) I'm sure there's a performance hit, but it's not like I'm trying to drive a DS-3 with this thing. I'll need a T-1 connection, a low-speed serial connection, and fast ethernet. Nothing too fancy. Any thoughts? Thanks, John

Once again, I'm replying to my own message. After further review, according to the Cisco Software Advisor the 1721 is fairly handicapped compared to the 2600XM platform. I don't know that I'm willing to lose that much potential functionality. Heck, according to Software Advisor the 1721 doesn't support ISL or 802.1Q VLANs! In my book that makes it a non-starter.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74734t=74727
Pix VPN SMTP [7:74527]
I have a Pix 501 set up for VPN for a few users. Now, the outgoing SMTP server for all their email (from Bell Sympatico) only allows relaying when on the Bell domain. So everything works fine when people are in the office, but if they go home and use, say, Rogers to connect to the internet, then VPN into the office and try to send an email out, it won't work. There is a split tunnel set up so only traffic going to the local network 192.168.1.x will get pushed through the VPN tunnel. And since the Pix doesn't allow someone to come in on the outside interface then go out again... Anyone have any thoughts on how to fix this? Any router models similar in price/function to the Pix 501 that might not cause this problem?

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74527t=74527
PIX VPN Setup [7:74367]
I'm setting up a small VPN just for home use so me and a few friends can log in remotely via a PIX 501 w/ 3DES over my cable connection. Now I've got it working, but found a few strange things I had questions about. I have each user set up with the VPNGROUP config lines (I will post the config below); everyone uses the Cisco VPN client to connect. Now I noticed that I never set an isakmp pre-share key, and there is no spot to add one in the Cisco client, only user/pass; I would think that should be needed for secure connectivity. The other setup I did was to have a split-tunnel applied to the user when they connect, to only encrypt traffic destined for the local network, so any regular internet traffic would still go out the person's internet connection. In testing I tried to get all traffic to flow through the VPN but I think the PIX prevents traffic coming in on the outside interface from leaving on that same interface (as it would with internet traffic). Any way to do this or do you need another interface? Also just wondering if there is a better way to write this config; any other tips are appreciated. Here is an edited config with only the relevant portions.

Thanks for any help,
John

PIX Version 6.3(1)
!
access-list 80 permit ip any host 192.168.1.75
access-list 80 permit ip any host 192.168.1.76
access-list 80 permit ip any host 192.168.1.77
access-list 80 permit ip any host 192.168.1.78
access-list 80 permit ip any host 192.168.1.79
!
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.75
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.76
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.77
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.78
access-list 90 permit ip 192.168.1.0 255.255.255.0 host 192.168.1.79
!
ip address outside dhcp setroute
ip address inside 192.168.1.254 255.255.255.0
ip local pool REMOTEUSER 192.168.1.75-192.168.1.79
!
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
floodguard enable
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
!
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
!
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER dns-server
vpngroup VPNUSER default-domain cisco.com
vpngroup VPNUSER split-tunnel 90
vpngroup VPNUSER idle-time 1800
vpngroup VPNUSER password
vpngroup john address-pool REMOTEUSER
vpngroup john dns-server
vpngroup john default-domain cisco.com
vpngroup john idle-time 1800
vpngroup john password

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74367t=74367
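Reading the posted config the way a reviewer would today, as an added example (Python written for this page, not code from the poster or from Cisco): it parses the isakmp policy and vpngroup lines from the excerpt, flags single DES, MD5 and Diffie-Hellman group 1 as weak, and reports which vpngroup carries a split-tunnel ACL, which is exactly why the client's internet traffic never enters the tunnel. It relies on one fact about the platform: the firewall accepts whichever configured policy matches the peer's proposal, so leaving policies 20, 30 and 40 configured means those weaker combinations can be negotiated.

```python
"""Added audit example for the PIX 6.3 config posted above; not code from the
poster or from Cisco. It reads the isakmp policy and vpngroup lines and
reports settings a reviewer would question: single DES, MD5 and DH group 1
are weak, and a split-tunnel ACL on a vpngroup is what keeps the client's
internet traffic out of the tunnel."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Excerpt of the configuration posted above (lines whose values the poster
# edited out are omitted here).
PIX_CONFIG = """\
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
vpngroup VPNUSER address-pool REMOTEUSER
vpngroup VPNUSER split-tunnel 90
vpngroup VPNUSER idle-time 1800
vpngroup john address-pool REMOTEUSER
vpngroup john idle-time 1800
"""

# Values that are weak by today's standards, per isakmp policy attribute.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
VPNGROUP_RE = re.compile(r"^vpngroup (\S+) (\S+)(?: (.+))?$")

Policies = Dict[int, Dict[str, str]]
Finding = Tuple[int, str, str]


def parse_isakmp_policies(config: str) -> Policies:
    """Group `isakmp policy N attr value` lines into {N: {attr: value}}."""
    policies: Policies = defaultdict(dict)
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            num, attr, value = m.groups()
            policies[int(num)][attr] = value.lower()
    return dict(policies)


def weak_policies(policies: Policies) -> List[Finding]:
    """(policy number, attribute, value) for every weak setting, by priority."""
    findings: List[Finding] = []
    for num in sorted(policies):  # lowest number = highest priority
        for attr, value in policies[num].items():
            if value in WEAK.get(attr, set()):
                findings.append((num, attr, value))
    return findings


def policies_to_remove(policies: Policies) -> List[int]:
    """Policy numbers with at least one weak setting; removing them leaves
    only proposals the firewall should be willing to accept."""
    return sorted({num for num, _, _ in weak_policies(policies)})


def split_tunnel_groups(config: str) -> Dict[str, str]:
    """vpngroup name -> split-tunnel ACL number, for groups that have one."""
    groups: Dict[str, str] = {}
    for line in config.splitlines():
        m = VPNGROUP_RE.match(line.strip())
        if m and m.group(2) == "split-tunnel":
            groups[m.group(1)] = m.group(3)
    return groups


if __name__ == "__main__":
    pols = parse_isakmp_policies(PIX_CONFIG)
    for num, attr, value in weak_policies(pols):
        print(f"isakmp policy {num}: weak {attr} '{value}'")
    print("policies to remove:", policies_to_remove(pols))
    for name, acl in split_tunnel_groups(PIX_CONFIG).items():
        print(f"vpngroup {name} split-tunnels via access-list {acl}; "
              "client traffic not matched by that ACL bypasses the tunnel")
```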
Re: FXS Problem - Always getting a busy signal on either [7:74294]
Everyone, I have found the solution. It was to do with my phones. If you connect a non-US phone to port 0 it won't work :) Here is a URL that might help anyone else in the future:
http://www.cisco.com/en/US/tech/tk652/tk653/technologies_tech_note09186a0080094fac.shtml

The information under Pinout Information:
Port 0 on a VIC-2FXS is designed to accommodate a US style 2-line phone, instead of the usual European style 1-line phone. This means that in addition to pins 3 and 4 being used, pins 2 and 5 are also monitored. With some phone handsets it is possible that pins 2 and 5 are wired up to allow last number re-call or call-forwarding. If this is the case, Port 0 on the VIC will assume you have a 2-line phone, and shut down port 1.

Hope this helps,
John

Maria wrote in message news:[EMAIL PROTECTED]
G'Day Everyone, Just hoping you all may be able to shed some light onto this for me. This is the first time I have tried to configure FXS ports and it's proving to be getting the better of me. I have 2 routers (2610XM) connected together via a serial back to back. In each of these routers I have a VIC-2FXS card in each NM-2V module. I have followed a basic configuration and I get a dial tone in the ear handset, but for the life of me I am continually getting a busy tone from each phone. When the phone is taken off hook I do get a green light on the VIC. Below is the configuration.

Router A
hostname Router-A
voice-port 1/0/0
voice-port 1/0/1
dial-peer voice 1 pots
 destination-pattern
 port 1/0/0
dial-peer voice 2 voip
 destination-pattern
 session target ipv4:10.1.1.2
interface Serial0/0
 ip address 10.1.1.1 255.255.255.0
 no fair-queue

Router B
hostname Router-B
voice-port 1/1/0
voice-port 1/1/1
dial-peer voice 1 pots
 destination-pattern
 port 1/1/0
dial-peer voice 2 voip
 destination-pattern
 session target ipv4:10.1.1.1
interface Serial0/0
 ip address 10.1.1.2 255.255.255.0
 no fair-queue
 clockrate 400

I can ping from either router to the other router OK. Any thoughts would be of great advantage. Thanks for your assistance, John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74294t=74294
Re: Is it possible to upgrade 2500 series to a 2600 series [7:74124]
Sleek 8/18/03 2:33:01 PM wrote:
Hi all, I would like to know if it is possible to upgrade a 2500 series router to a 2600 series router, and if it is possible I would also want to know the required materials for the upgrade. Regards, Osaz. CCNA

No, this is not possible. They are entirely different platforms, not to mention that the 2600 series is modular and the 2500 series mostly isn't. If you want a 2600, you'll have to buy a 2600, unfortunately.

Regards,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74124t=74124
RE: Data Center Design [7:74126]
Larry just about designed my one also, so I recommend him as a vital source of info. It's still going strong here.

-----Original Message-----
From: Larry Letterman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 19 August 2003 10:49 AM
To: [EMAIL PROTECTED]
Subject: RE: Data Center Design [7:74126]

Are you interested in doing the ground up, or just the network side? I have been involved in both...

Larry Letterman
Cisco Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Juan Blanco
Sent: Monday, August 18, 2003 2:22 PM
To: [EMAIL PROTECTED]
Subject: Data Center Design [7:74126]

Team, Where will I be able to find information about designing a Data Center Room? As always I appreciate your help and recommendation.

Thanks,
Juan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74138t=74126
Re: Loopback Interface [7:73305]
You've got it! They can be used for iBGP, DNS resolution, GRE tunnel endpoints, OSPF/BGP router IDs, route summarization... the list goes on.

Robert Edmonds 8/5/03 3:26:35 PM wrote:
So, if I understand correctly, aside from OSPF router IDs and the like, just use a loopback interface when you want an always up/up interface. That's pretty simple.

John Neiberger wrote in message news:[EMAIL PROTECTED]
Exactly right. Sometimes it's nice to have a virtual interface whose status is not tied directly to a physical interface. We've mentioned several configurations where this is the case. From the router's perspective it may have a couple of special properties, since it's virtual, but it's still just another interface, as Dave said.

MADMAN 8/5/03 1:25:25 PM wrote:
I think you're thinking way too hard about this ;) A loopback is nothing more than a logical interface as opposed to a physical interface. As far as the routing process is concerned it's just another interface. Don't know how to articulate it any further.

Dave

Robert Edmonds wrote:
You gentlemen have pointed out some good uses for loopback interfaces. However, my dilemma still remains that I have yet to have somebody solidly explain loopback interfaces in a way that my simple mind can understand. I have also been unsuccessful in finding any website that accomplishes this. Any takers?

Robert

p b wrote in message news:[EMAIL PROTECTED]
terminate iBGP sessions on

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"Government can do something for the people only in proportion as it can do something to the people." -- Thomas Jefferson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73566t=73305
Re: Cisco BGP Exam [7:73516]
Hmm... that's interesting. I found Halabi to be very easy to understand, but that was after reading Stewart. Stewart's book is incredibly easy to understand, especially considering how short it is. Quite concise, yet readable. I have Doyle Vol. II but I stopped studying for attempt #2 before I got to the BGP section. I should read through it as a refresher and to compare it to Halabi.

But Dre? Despise?? :-) That's pretty harsh! However, I guess I can understand your point. BGP can be pretty easy to understand when it's explained correctly, and can be very difficult to understand when explained poorly.

John

Pintens, Koen wrote in message news:[EMAIL PROTECTED]
I agree with Dre. I also got both books and Jeff Doyle's is so much easier to read and understand than Halabi's.

Koen Pinten
Network Engineer
CCNP CCDP MCSE MCSA MCDBA

-----Original Message-----
From: dre [SMTP:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco BGP Exam [7:73516]

juniper wrote in message ...
Can anyone recommend a good book for the BGP exam?

I personally despise Halabi's authoritative, the-BGP-bible IRA book. It is awful. It is the sole reason nobody understands BGP. It's confusing, boring, and downright awful to read and understand such simple concepts. I passed the Cisco BGP exam (took the beta), and I did not even open Halabi or Stewart (I do like Stewart, but for this exam, his information is not really on-topic). Normally, I'd say read the RFCs, but they are also not going to help you on this exam. I used a) the outline provided by Cisco, b) Jeff Doyle's TCP/IP Routing Volume II (first 318 pages). Jeff Doyle is the master of routing protocols... this misconception that Volume II was not as good as Volume I reminds me of 14 year old pimply-faced kids arguing about Star Wars vs. Empire or Matrix 1 vs. Matrix: Reloaded. These are all good movies... however, Star Wars: Episode I and II are more reminiscent of Halabi IMO.

-dre

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73577t=73516
Re: WIC-1T Serial WAN [7:73752]
Joseph R. Taylor 8/8/03 1:53:53 PM
Team, Are WIC-1T interfaces to be used between locations only useful when hooked up to an external CSU/DSU? If so what technology is the local loop?
Thank you, JoeT MCSE, CCNP

A CSU/DSU is a physical layer device. If you're using a WIC-1T the physical layer of your local loop is T-1. In some cases the service provider will use high speed DSL lines to get the service to you and then convert it to T-1, but from your perspective you're still getting a T-1.

HTH, John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73754t=73752
traffic flow [7:73495]
Hey All, Got a question about traffic flow into and out of a branch office. I have a branch office with only a handful of users, but with high demands on the WAN. This particular office has a 256k/32k frame connection into me (the HQ) but they are crying out for greater bandwidth and pipe access. What my problem is, is understanding how these users are using up all their network bandwidth. I have no access list in place between me and them (however I will be going down this road). What I want to do is have a look at the traffic and determine what type of traffic it is. I bet we have people in that office just watching video of the CEO from the HQ. I have enabled IP NBAR on the serial and Ethernet interfaces and have noticed that 70% of the traffic is unclassified. How can I view this data to just get the router to tell me the IP source and the port number associated with this traffic? I also would like to put down a quality of service map for known business applications, and grant them priority over any other traffic. Has anyone done this and if so can you send snippets of your config or link to doco's?

Thanks all for your help
John
Sydney Australia

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.solution6.com **

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73495t=73495
RE: Cisco inspection fee for used gear?? [7:73788]
There are two separate issues here. The first is the software licensing, and I'd agree with you that if you own the router *and* have a valid license for the software then you should be able to sell the router along with the software license to whomever you please. Cisco feels differently and if you use their software then you have agreed to the wording of the license that explains their opinion and lays down the restrictions. Secondly, you have the inspection problem and the blame for that falls squarely on the users. For quite a while it was common for someone to buy hardware that they *knew* was faulty, and then get cheap smartnet for it so they could get a working replacement. Cisco finally caught on to this and we now have to get used equipment inspected before it can be covered. I know, it sucks, but blame those who abused the SmartNet program. This is their fault.

John

Gary Crouch 8/11/03 1:15:02 PM
This is outright theft by the hardware vendors. You paid for the software when you bought it; you should be able to transfer it. We should demand the right to transfer or boycott these companies.

-Original Message-
From: Colin Weiner [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 10, 2003 6:40 PM
To: [EMAIL PROTECTED]
Subject: Cisco inspection fee for used gear?? [7:73788]

Interesting article about buying used network equipment (I buy all my lab stuff off ebay or other vendors) http://www.infoworld.com/article/03/08/08/31FEfair_1.html

I made the mistake of showing a visiting Cisco rep the 2611 router I'd purchased on eBay for $1,200, says Mark Payton, director of IT at the Vermont Academy, a school in Saxtons River, Vt. Not only are they asking me to pay to relicense the software, but they are expecting me to get a one-year SmartNet maintenance agreement and to pay an inspection fee.

Colin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73891t=73788
IPv6 in the Enterprise Network [7:73667]
And I don't mean the Starship Enterprise. :-) I'm pretty sure they do use IPng, though. Seriously, regarding IPv6. Who's currently migrating to it? Any enterprise networks that aren't providers of some sort? I'm going to assume that at some unknown point in the future IPv6 will finally push IPv4 completely off the radar. Any guesses about how long we'll be waiting for that day to come? Other than for the intellectual enjoyment of it, is there any reason why Joe or Jane Engineer should really start learning IPv6 right now?

Regards, John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73667t=73667
mrtg [7:73702]
Hey All, Still going with my traffic analysis. Got a small problem with MRTG. Does anyone here know how to integrate the output of multiple nodes through the instance of a single mrtg.cfg file? At the moment, I am using multiple mrtg.cfg files and have a hard time navigating between all the different nodes..

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73702t=73702
RE: Networkers 2002 PDFs [7:73522]
Fred, You've been bitten by the URL in the first line problem. If the first line in a post is a URL it sometimes gets munged. It's helpful to add some padding at the beginning to get the URL off of the first line.

John

Reimer, Fred 8/5/03 12:23:39 PM
Fred Reimer - CCNA
Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-Original Message-
From: YASSER ALY [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 05, 2003 10:54 AM
To: [EMAIL PROTECTED]
Subject: Networkers 2002 PDFs [7:73522]

Dear All, Anybody knows the URL to download Cisco networkers 2002 PDFs? Are PDFs for 2003 available for download?
Regards, Yasser

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73548t=73522
Re: Cisco BGP Exam [7:73516]
juniper 8/5/03 8:32:50 AM
Hi, Can anyone recommend a good book for the BGP exam
Mark

My two personal favorite BGP books are:
Internet Routing Architectures, 2nd Edition, by Halabi
BGP4: Interdomain Routing in the Internet, by Stewart

If you have a subscription to CertificationZone, Howard has some wonderful BGP tutorials that I referred to often when studying for the CCIE written some time ago. [Disclaimer: I have done a minor amount of work for CZ.] Oh, I almost forgot the BGP Command Reference by Cisco Press. Excellent book, and well worth your time and money.

HTH, John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73523t=73516
Re: Access server 2511 Reverse Telnet [7:73656]
Wallis Short 8/7/03 9:08:01 AM
Hi Oliver, Many thanks for your reply. Just to clarify, I am using the Octal cable to connect to the console of the switch. Are you saying I should connect a crossover cable to the end of the octal cable and then connect the cross over into the console port of the switch ??
Cheers Wallis

The octal cable is already a ROLLOVER cable, *not* a crossover cable. There is an important difference and quite often people mix the terms by accident. If you would normally need a rollover cable to connect to that particular console port then simply connect the octal cable and you're good to go. If you need a straight cable for some reason then you will need an adapter to roll the cable again.

Regards, John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73665t=73656
Re: Loopback Interface [7:73305]
Exactly right. Sometimes it's nice to have a virtual interface whose status is not tied directly to a physical interface. We've mentioned several configurations where this is the case. From the router's perspective it may have a couple of special properties, since it's virtual, but it's still just another interface, as Dave said.

MADMAN 8/5/03 1:25:25 PM
I think you're thinking way too hard about this;) A loopback is nothing more than a logical interface as opposed to a physical interface. As far as the routing process is concerned it's just another interface. Don't know how to articulate it any further.
Dave

Robert Edmonds wrote:
You gentlemen have pointed out some good uses for loopback interfaces. However, my dilemma still remains that I have yet to have somebody solidly explain loopback interfaces in a way that my simple mind can understand. I have also been unsuccessful in finding any website that accomplishes this. Any takers?
Robert

p b wrote in message news:[EMAIL PROTECTED]
terminate iBGP sessions on

--
David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367
Government can do something for the people only in proportion as it can do something to the people. -- Thomas Jefferson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73553t=73305
RE: More on Autonegotiation [7:73195]
David Vital 8/1/03 8:04:21 AM
I have to ask what you are basing that statement on. I'm not trying to dispute you, just to gain more information. I have never seen anything that would indicate a change in Duplex when set to 100 full on each end. Are you suggesting that 100/half is the way to go with this?
David

Yes, that's what I'm saying. It's difficult to find this information but I was able to find it at one time and it's been proven out experientially in our network. We tend to buy a lot of one particular major computer manufacturer, and the NICs they use will do this. In fact, most of the NICs on our newer computers behave this way. It's almost a weekly issue around here since we started rolling out newer Cisco switches. It was not a problem with the 2924XL and Cat 5000, but it became a huge problem when we upgraded to a 6500, 2948G, 2980G, and 2950s. I'll look around to see if I can find those references for you and I'll post them if I'm successful.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73345t=73195
Re: Thursday Follies [7:73323]
John Neiberger 7/31/03 5:02:31 PM
Here's an interesting troubleshooting issue for you to chew on. There is a fairly simple solution that may or may not be obvious at first. Heck, I might have missed an even simpler solution. This is for the beginner-to-intermediate level people. All you advanced people please refrain from giving away the answer too quickly. :-)

Here's the scenario: Imagine a location with a decent sized flat LAN where all hosts are supposed to get their IP addressing information via DHCP. Well, DHCP was implemented relatively recently and there is an old PC that was never converted to DHCP that is now trying to connect to the network. It has a hard-coded IP address that conflicts with one already in use, and the conflict causes the PC to disconnect from the network when it detects that its IP address is being used.

1. Using tools available only on the router or switch, how do you find out exactly which IP address is causing the conflict?
2. Hint: how might a device determine if its own IP address is in use?

Have fun! John

Okay, here's my solution to this issue. On the router, use 'debug arp'. When a device comes online it will send an ARP request for its own IP address to make sure it isn't in use. If a device is already using that IP address it will respond. In the case I saw I was not able to see unicast responses. However, the second device subsequently sent out an ARP request for its own IP address immediately after seeing someone else trying to nab its address. So, in the output of debug arp you should see two consecutive or nearly-consecutive ARP requests for the same IP address coming from different MAC addresses. If it were necessary you could use that information to find the device in the MAC address tables on the switch.

Perhaps a Friday follies is to follow later today
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73357t=73323
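The detection logic John describes (two ARP requests for the same address from different MACs close together in time) can be automated over a captured ARP stream. The following is an added example, not code from the thread; the ARP records are constructed sample data in a generic capture shape, not `debug arp` output, and the `ArpRequest` type, the `find_address_conflicts` function and the five-second window are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRequest:
    """One ARP request as a sniffer or ARP debug would record it (constructed shape)."""
    t: float          # capture timestamp in seconds
    sender_mac: str   # hardware address of the host that sent the request
    sender_ip: str    # sender protocol address ("0.0.0.0" for an RFC 5227 probe)
    target_ip: str    # the address the sender is asking about


def is_self_check(r: ArpRequest) -> bool:
    """True when a host is checking whether its own address is already in use:
    a gratuitous ARP (sender_ip == target_ip) or a probe with a zero sender IP."""
    return r.target_ip == r.sender_ip or r.sender_ip == "0.0.0.0"


def find_address_conflicts(requests, window: float = 5.0):
    """Return {ip: [mac, ...]} for every IP that two or more distinct MACs
    claimed as their own within `window` seconds of each other.

    The first MAC is the newcomer announcing the address; the second is the
    existing holder re-asserting it, exactly the pattern described in the post."""
    by_ip = defaultdict(list)
    for r in requests:
        if is_self_check(r):
            by_ip[r.target_ip].append(r)

    conflicts = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.t)
        for i, a in enumerate(reqs):
            for b in reqs[i + 1:]:
                if b.t - a.t > window:     # sorted by time, so nothing later can qualify
                    break
                if a.sender_mac != b.sender_mac:
                    conflicts.setdefault(ip, set()).update({a.sender_mac, b.sender_mac})
    return {ip: sorted(macs) for ip, macs in conflicts.items()}


# Constructed sample capture (assumed addresses; not from the original thread).
SAMPLE = [
    ArpRequest(10.0, "00:aa:bb:cc:dd:01", "10.1.1.50", "10.1.1.50"),   # DHCP host, no conflict
    ArpRequest(12.0, "00:aa:bb:cc:dd:01", "10.1.1.50", "10.1.1.1"),    # ordinary request for gateway
    ArpRequest(100.0, "00:11:22:33:44:55", "10.1.1.20", "10.1.1.20"),  # old hard-coded PC appears
    ArpRequest(100.4, "00:aa:bb:cc:dd:ee", "10.1.1.20", "10.1.1.20"),  # existing holder re-asserts
    ArpRequest(400.0, "00:aa:bb:cc:dd:ee", "10.1.1.20", "10.1.1.20"),  # same MAC again: not a conflict
]

if __name__ == "__main__":
    for ip, macs in find_address_conflicts(SAMPLE).items():
        print(f"conflict on {ip}: {', '.join(macs)}")
```

Once a conflicting MAC pair is known, the switch's MAC address table gives the physical port of each, which is the final step John mentions.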
Friday Follies #1 [7:73370]
You have a device that is reachable only via telnet or console that you've preconfigured with an IP address, subnet mask, and default gateway and subsequently shipped out to a remote location to be installed. Once the device was in place you realized that you've configured it with the wrong addressing information. The subnet you used actually exists at another location so this device is currently unreachable via IP. If you could somehow reach the device you'd be able to correct your mistake without having someone ship the device back to you. What can you do to restore IP connectivity to this device in its current location and make it reachable from both the local router and remote routers?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73370t=73370
Friday Follies #2 [7:73371]
[This isn't the usual type of follies question where you have to figure something out. In this case, you either know the answer or you don't. If you don't, you can probably figure out how to look it up and it would be good information to have in case you see this in your own network.]

Your network uses RFC 1918 private IP address space (10.0.0.0/8) for your addressing. You have a logging access list configured on a LAN interface and you begin seeing traffic from devices in the 169.254.0.0/16 subnet destined for 169.254.255.255. You don't have any machines configured with addresses in this subnet, so what could it be?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73371t=73371
Re: Friday Follies #1 [7:73370]
What configuration steps would be necessary to configure Local Area Mobility? How do you make sure local and remote devices can reach this device?

Jason Viera 8/1/03 2:26:36 PM
Depending upon the topology you may be able to use Local Area Mobility, and this is a stretch unless you have the right topology Mobile IP?? Just a guess! Need to take the edge off before my first lab attempt on Monday!! Thanks for keeping us thinking!
Jason

John Neiberger wrote in message news:[EMAIL PROTECTED]
You have a device that is reachable only via telnet or console that you've preconfigured with an IP address, subnet mask, and default gateway and subsequently shipped out to a remote location to be installed. Once the device was in place you realized that you've configured it with the wrong addressing information. The subnet you used actually exists at another location so this device is currently unreachable via IP. If you could somehow reach the device you'd be able to correct your mistake without having someone ship the device back to you. What can you do to restore IP connectivity to this device in its current location and make it reachable from both the local router and remote routers?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73381t=73370
Re: Friday Follies #2 [7:73371]
Possibly, but you have to give more detail to win the prize. :-) [Notice: there is no prize associated with this question. ]

Jason Viera 8/1/03 2:22:32 PM
Bill Gates leaving his mark on your network??
Jason

[This isn't the usual type of follies question where you have to figure something out. In this case, you either know the answer or you don't. If you don't, you can probably figure out how to look it up and it would be good information to have in case you see this in your own network.]

Your network uses RFC 1918 private IP address space (10.0.0.0/8) for your addressing. You have a logging access list configured on a LAN interface and you begin seeing traffic from devices in the 169.254.0.0/16 subnet destined for 169.254.255.255. You don't have any machines configured with addresses in this subnet, so what could it be?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73379t=73371
Re: Friday Follies #1 [7:73370]
This would work but it might be temporarily disruptive to the network that is using that subnet address legitimately. Is there another way to do it that is not disruptive?

Charles Cthulu Riley 8/1/03 2:56:41 PM
Assign an address (as secondary) from the incorrect range to the router interface to which this device is connected, and from that router, connect (telnet or ssh) to that device, fix the ip, (get disconnected in process, of course), and remove the incorrect secondary from the router...voila and other French words I don't understand.

John Neiberger wrote in message news:[EMAIL PROTECTED]
You have a device that is reachable only via telnet or console that you've preconfigured with an IP address, subnet mask, and default gateway and subsequently shipped out to a remote location to be installed. Once the device was in place you realized that you've configured it with the wrong addressing information. The subnet you used actually exists at another location so this device is currently unreachable via IP. If you could somehow reach the device you'd be able to correct your mistake without having someone ship the device back to you. What can you do to restore IP connectivity to this device in its current location and make it reachable from both the local router and remote routers?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73385t=73370
RE: Friday Follies #2 [7:73371]
Yes! Daniel mentions the RFC and Kevin Wigle mentioned APIPA, or Automatic Private IP Addressing. You can find out more about that at: http://www.webopedia.com/TERM/A/APIPA.html This means that Daniel and Kevin get to share the extra credit prize!

Thanks to all who participated, John

Daniel Cotts 8/1/03 3:16:24 PM
pad pad pad ftp://ftp.rfc-editor.org/in-notes/rfc3330.txt

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 2:00 PM
To: [EMAIL PROTECTED]
Subject: Friday Follies #2 [7:73371]

[This isn't the usual type of follies question where you have to figure something out. In this case, you either know the answer or you don't. If you don't, you can probably figure out how to look it up and it would be good information to have in case you see this in your own network.]

Your network uses RFC 1918 private IP address space (10.0.0.0/8) for your addressing. You have a logging access list configured on a LAN interface and you begin seeing traffic from devices in the 169.254.0.0/16 subnet destined for 169.254.255.255. You don't have any machines configured with addresses in this subnet, so what could it be?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73388t=73371
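The Friday Follies #2 answer is that 169.254.0.0/16 sources are hosts that failed to get a DHCP lease and self-assigned an APIPA (RFC 3330 / RFC 3927 link-local) address. The following is an added example, not part of the thread, that sorts access-list log entries into link-local, RFC 1918 and other sources so the APIPA talkers stand out in a log review. The sample log lines are constructed in the general shape of an IOS access-list log message and are assumed, as are the `classify` and `link_local_talkers` names.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 space spelled out explicitly; Python's is_private is broader than RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pattern for the "list <acl> permitted|denied <proto> src(port) -> dst(port), N packet(s)"
# portion of an access-list log entry (assumed shape for this example).
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?"
)


def classify(ip_str: str) -> str:
    """Label an IPv4 address as 'apipa' (169.254.0.0/16), 'rfc1918', or 'other'."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_link_local:                 # 169.254.0.0/16: self-assigned, DHCP failed
        return "apipa"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "other"


def link_local_talkers(lines):
    """Sum logged packet counts per (src, dst) pair whose source is link-local.
    Lines that do not match the access-list log shape are skipped."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if classify(m["src"]) == "apipa":
            hits[(m["src"], m["dst"])] += int(m["n"])
    return dict(hits)


# Constructed sample log (assumed addresses and ACL number; not from the original post).
SAMPLE_LOG = [
    "Aug  1 14:02:11: %SEC-6-IPACCESSLOGP: list 101 permitted udp 169.254.12.7(137) -> 169.254.255.255(137), 1 packet",
    "Aug  1 14:02:15: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.20.30.40(137) -> 10.20.30.255(137), 1 packet",
    "Aug  1 14:03:40: %SEC-6-IPACCESSLOGP: list 101 permitted udp 169.254.201.33(138) -> 169.254.255.255(138), 2 packets",
    "Aug  1 14:03:41: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
]

if __name__ == "__main__":
    for (src, dst), n in sorted(link_local_talkers(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {n} packet(s)  [host likely has no DHCP lease]")
```

Each link-local source in the output is a host to check for DHCP failure; the MAC address table on the switch, as in the Thursday Follies solution, gives its port.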
Re: Friday Follies #1 [7:73370]
Jason gave the answer I was looking for: Local Area Mobility. On the interface to which the device is connected add the following two lines:

ip proxy-arp
ip mobile arp

Then add:

ip route a.b.c.d 255.255.255.255 (interface)

Where a.b.c.d is the IP address of the device. This creates a /32 host route in the routing table. Redistribute this into your routing protocol and you have local and remote connectivity to this single host even though it is not on the correct LAN subnet.

John

- Original Message -
From: Jason Viera
To:
Sent: Friday, August 01, 2003 1:53 PM
Subject: Re: Friday Follies #1 [7:73370]

Depending upon the topology you may be able to use Local Area Mobility, and this is a stretch unless you have the right topology Mobile IP?? Just a guess! Need to take the edge off before my first lab attempt on Monday!! Thanks for keeping us thinking!
Jason

John Neiberger wrote in message news:[EMAIL PROTECTED]
You have a device that is reachable only via telnet or console that you've preconfigured with an IP address, subnet mask, and default gateway and subsequently shipped out to a remote location to be installed. Once the device was in place you realized that you've configured it with the wrong addressing information. The subnet you used actually exists at another location so this device is currently unreachable via IP. If you could somehow reach the device you'd be able to correct your mistake without having someone ship the device back to you. What can you do to restore IP connectivity to this device in its current location and make it reachable from both the local router and remote routers?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73401t=73370
Re: Friday Follies #1 [7:73370]
'ip mobile arp' is what allows that device to communicate with the local router interface. Without that command you'll never end up with an entry for the errant device in the ARP table of the router. Without an entry in the ARP table no communication will occur.

'ip proxy-arp' is there to allow the router to act as a proxy default gateway. The errant device currently has a default gateway configured that exists elsewhere in the network. Before it can communicate with the default gateway it will ARP for its MAC address because the device doesn't realize that it isn't really on the same segment as the configured default gateway. The router knows this, and if you have proxy arp configured the router will answer this ARP request with its own MAC address.

So far we still haven't done anything to the routing table, so the static route is necessary so that the local router knows that there is a /32 host on that LAN that doesn't belong there. Redistribution into the routing protocol allows the rest of the network to become aware of this host route.

John

- Original Message -
From: Zsombor Papp
To:
Sent: Friday, August 01, 2003 8:17 PM
Subject: Re: Friday Follies #1 [7:73370]

Why do you need the 'ip mobile arp' command? I would think the static route (with the default 'ip proxy-arp', if it's a broadcast interface) would provide local connectivity and redistributing the static route into the IGP will provide global connectivity (well, except connectivity to devices that are on the subnet where the misconfigured router thinks it is). Also, in the solution I suggested above the loopback interface is not needed if the gateway has a route to the IP address the misconfigured router thinks the gateway is, or if the link to the misconfigured router is a point-to-point one.
Thanks, Zsombor

John Neiberger wrote:
Jason gave the answer I was looking for: Local Area Mobility. On the interface to which the device is connected add the following two lines:

ip proxy-arp
ip mobile arp

Then add:

ip route a.b.c.d 255.255.255.255 (interface)

Where a.b.c.d is the IP address of the device. This creates a /32 host route in the routing table. Redistribute this into your routing protocol and you have local and remote connectivity to this single host even though it is not on the correct LAN subnet.

John

- Original Message -
From: Jason Viera
To:
Sent: Friday, August 01, 2003 1:53 PM
Subject: Re: Friday Follies #1 [7:73370]

Depending upon the topology you may be able to use Local Area Mobility, and this is a stretch unless you have the right topology Mobile IP?? Just a guess! Need to take the edge off before my first lab attempt on Monday!! Thanks for keeping us thinking!
Jason

John Neiberger wrote in message news:[EMAIL PROTECTED]
You have a device that is reachable only via telnet or console that you've preconfigured with an IP address, subnet mask, and default gateway and subsequently shipped out to a remote location to be installed. Once the device was in place you realized that you've configured it with the wrong addressing information. The subnet you used actually exists at another location so this device is currently unreachable via IP. If you could somehow reach the device you'd be able to correct your mistake without having someone ship the device back to you. What can you do to restore IP connectivity to this device in its current location and make it reachable from both the local router and remote routers?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73403t=73370
Re: L2 vs L3 [7:73255]
You have a lot of options. I recommend Sprint first, then Level-3, then GX. Unless you are already in bed with Qwest or ATT, they won't give you the time-of-day for support (and you are going to need good support for an offering like this). In particular, I recommend Sprint's PW option (UTI on Cisco GSR), and Level-3's (3)Packet MPLS-VPN option (Martini L2VPN on Laurel Networks).

I just checked the Sprintbiz site and they seem to offer a network-based IP VPN and a CPE-based IP VPN. It appears to me that these are both L3 VPNs. It's hard to find much more than marketing materials on their site, though, and I'd love to read more details. Are those the Sprint services you were referring to? And what is the PW option you refer to? I've already read a little about the Level-3 MPLS-VPN and it sounded like a good option but we come back to the full-mesh issue. It would take over 5300 PVCs to create a full mesh with their L2 VPN. A full mesh isn't a requirement, but it is a very nice feature of the Qwest PRN service and given our network design and traffic flow, that is a great benefit.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73285t=73255
Re: L2 vs L3 [7:73255]
John Neiberger 7/31/03 10:36:14 AM You have a lot of options. I recommend Sprint first, then Level-3, then GX. Unless you are already in bed with Qwest or ATT, they won't give you the time-of-day for support (and you are going to need good support for an offering like this). In particular, I recommend Sprint's PW option (UTI on Cisco GSR), and Level-3's (3)Packet MPLS-VPN option (Martini L2VPN on Laurel Networks). I just checked the Sprintbiz site and they seem to offer a network-based IP VPN and a CPE-based IP VPN. It appears to me that these are both L3 VPNs. It's hard to find much more than marketing materials on their site, though, and I'd love to read more details. Are those the Sprint services you were referring to? And what is the PW option you refer to? I've already read a little about the Level-3 MPLS-VPN and it sounded like a good option but we come back to the full-mesh issue. It would take over 5300 PVCs to create a full mesh with their L2 VPN. A full mesh isn't a requirement, but it is a very nice feature of the Qwest PRN service and given our network design and traffic flow, that is a great benefit. John I hate to follow-up on my own posts but after further reading about Sprint's IP VPN network it appears to be very similar to the Qwest PRN except that it uses IS-IS at the core instead of OSPF, while they both appear to use IPSec for tunneling. Could it be that they're both based on 2764? I'm going to call our Sprint account rep and ask her about this service. She could probably put me in touch with an engineer who could answer some of these questions. John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73288t=73255 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: OT: SSL Remote Access VPNs [7:73253]
Joseph Brunner 7/30/03 5:24:39 PM www.netscaler.com their box does compression, and it has so many DoS prevention and other killer things it blows away the competition. We went with it based on the performance it had during a syn flood blizzard, and their ssl vpn rocks!

That's one of the units I've been asked to look at. It looks good on paper. What sorts of applications are you using it for? Are you doing much telnet/TN3270 or SSH? How about LDAP authentication? John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73308t=73253
RE: OT: SSL Remote Access VPNs [7:73253]
Joseph Brunner 7/31/03 4:10:58 PM I am running compression based ssl vpn for extranet. this allows without a client 8 to 1 or so compression ratio for mostly spreadsheets sent over port 80. also the box is managed by ssh.. what do you mean by telnet ? most protocols such as ldap, exchange, etc, are very well compressed and work over the ssl vpn. By telnet I was asking if you were using a web-based telnet client to allow telnet or SSH access to internal devices like routers, switches, or servers. I'm especially interested if you're allowing TN3270 access to mainframe applications. Thanks, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73322t=73253 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Thursday Follies [7:73323]
Here's an interesting troubleshooting issue for you to chew on. There is a fairly simple solution that may or may not be obvious at first. Heck, I might have missed an even simpler solution. This is for the beginner-to-intermediate level people. All you advanced people please refrain from giving away the answer too quickly. :-) Here's the scenario: Imagine a location with a decent sized flat LAN where all hosts are supposed to get their IP addressing information via DHCP. Well, DHCP was implemented relatively recently and there is an old PC that was never converted to DHCP that is now trying to connect to the network. It has a hard-coded IP address that conflicts with one already in use, and the conflict causes the PC to disconnect from the network when it detects that its IP address is being used. 1. Using tools available only on the router or switch, how do you find out exactly which IP address is causing the conflict? 2. Hint: how might a device determine if its own IP address is in use? Have fun! John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73323t=73323 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
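An added example (Python, not part of the post) of the mechanism behind the hint: a host checks whether its address is already in use by sending a gratuitous ARP, and any second MAC seen claiming the same sender IP pins down the conflict. The frames, MAC addresses and IP addresses below are constructed inline, not captured traffic.

```python
"""Detecting an IP address conflict from ARP traffic.

Added example, not from the GroupStudy post. A gratuitous ARP carries the
sender's own address in both the sender and target IP fields; if another
station answers, or if two different MACs are seen asserting the same sender
IP, the address is in conflict. The sample frames are constructed.
"""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(sender_mac: str, sender_ip: str, target_mac: str,
                    target_ip: str, op: int) -> bytes:
    """Build an Ethernet II + ARP frame (used here only to construct sample input)."""
    eth = _mac_bytes("ff:ff:ff:ff:ff:ff") + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += _mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += _mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Parse an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": op,
        "sha": _mac_str(frame[22:28]), "spa": socket.inet_ntoa(frame[28:32]),
        "tha": _mac_str(frame[32:38]), "tpa": socket.inet_ntoa(frame[38:42]),
    }


def analyze(frames: List[bytes]) -> dict:
    """Return gratuitous-ARP probes and every IP claimed by more than one MAC."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    gratuitous: List[dict] = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        claims[arp["spa"]].add(arp["sha"])  # every ARP sender asserts "spa is at sha"
        if arp["op"] == ARP_REQUEST and arp["spa"] == arp["tpa"]:
            gratuitous.append(arp)  # "is anyone else using my address?"
    conflicts = {ip: macs for ip, macs in claims.items() if len(macs) > 1}
    return {"gratuitous": gratuitous, "conflicts": conflicts}


# Constructed sample: a DHCP client on .20 ARPs for its gateway; the old
# hard-coded PC probes .20 with a gratuitous ARP; the DHCP client answers.
SAMPLE_FRAMES = [
    build_arp_frame("aa:bb:cc:00:00:01", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1", ARP_REQUEST),
    build_arp_frame("00:11:22:33:44:55", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.20", ARP_REQUEST),
    build_arp_frame("aa:bb:cc:00:00:01", "192.168.1.20", "00:11:22:33:44:55", "192.168.1.20", ARP_REPLY),
    b"\x00" * 60,  # non-ARP noise, ignored by the parser
]

if __name__ == "__main__":
    result = analyze(SAMPLE_FRAMES)
    for ip, macs in result["conflicts"].items():
        print(f"conflict: {ip} claimed by {sorted(macs)}")
    for probe in result["gratuitous"]:
        print(f"gratuitous ARP from {probe['sha']} for {probe['spa']}")
```

On the router or switch the same evidence is visible without a capture: the MAC learned for the address in the ARP cache versus the MAC table entry on the port the old PC plugs into, and the gratuitous ARP the PC sends each time it comes up.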
RE: Loopback Interface [7:73305]
Loopbacks are handy for use with ip unnumbered. If you have a multipoint interface using subinterfaces you could give every subinterface the same address and keep everything on the same subnet. They're also handy for DNS. If your router hostname resolves to its loopback address you'll be able to reach the router using the hostname as long as there is at least one real interface up. If you were to resolve the name to an actual interface address you wouldn't be able to reach the router at all if that interface were down.

John

Wilmes, Rusty 7/31/03 4:49:11 PM our remote routers are configured to do ddr through the loopback interface.

-Original Message- From: Larry Letterman [mailto:[EMAIL PROTECTED] Sent: Thursday, July 31, 2003 1:40 PM To: [EMAIL PROTECTED] Subject: RE: Loopback Interface [7:73305] To monitor the router, since it's up/up if the router is up. Larry Letterman Cisco Systems

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeVoe, Charles (PKI) Sent: Thursday, July 31, 2003 12:16 PM To: [EMAIL PROTECTED] Subject: Loopback Interface [7:73305] I know the loopback interface is useful for assigning the router ID. Is there any other purpose?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73324t=73305
OT: SSL Remote Access VPNs [7:73253]
We've researched a couple of SSL VPN products like the Neoteris box, for example, and we're starting to look into a few others. We're looking for something to allow secure remote access to select internal applications. Support for telnet, SSH, and TN3270 is required, and we prefer clientless solutions. We also require secure LDAP authentication and support for two-factor authentication whether that be smart cards, client-side certificates, or whatever. A number of solutions are available from a number of vendors including Nortel, Neoteris, Aventail, Netilla, Whale, and Aspelle. If any of you are using these products would you care to comment on your impressions? Any pros and cons regarding your chosen solution or product? Many thanks, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73253t=73253 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
VPNs: L2 vs L3 [7:73255]
As some of you can tell I'm on a VPN-related kick lately. Sorry. I just finished reading an interview with Luca Martini and that got me interested in finding out more about L2 VPNs. I'm already getting fairly familiar with RFC 2764-style L3 VPNs, particularly Qwest's PRN offering. After reading the interview I checked into Level3's (3)Packet Data Services solution and it seems to be pretty cool, as well. However, I'm still leaning toward L3 VPNs and here's why.

Right now we have a frame relay network where most of our locations have at least two or three PVCs and sometimes as many as four or five that carry the bulk of their traffic. When considering a move to VoIP or expanded video conferencing this can create some traffic shaping issues. For example, in frame relay you want to shape your traffic such that no PVC can burst over its CIR. If you have three PVCs that limits each of them to 512k even when no critical traffic is present! This is not flexible, and during our VoIP testing it really irritated our LAN group who were used to transferring large amounts of data at night to these locations.

As I understand L2 VPNs, at least the Martini/Level3 variety, we'd still end up with a large, hub-and-spoke, point-to-point network and hence would have similar traffic shaping issues. Perhaps the big benefit is that we don't have the CIR limitation so we might not have to be so restrictive with our traffic shaping. In fact, traffic shaping might not be necessary; LLQ might be all that is necessary. I'll have to ponder that some more. Regardless, with a 2764-style VPN like the Qwest PRN we'd end up with a fully-meshed network where all nodes appear to be one hop away from all other nodes. It's a multipoint solution where each location gets to use the full access pipe into the network without worrying about shaping or queueing on a per-PVC basis.
Since we're still considering moving to IP Telephony and we're expanding our use of video conferencing this provides some amazing benefits from a functional perspective but it also greatly reduces the complexity of our router configuration. There are some operational trade-offs but I think those are workable. My feeling after spending a few days reading about this is that given a moderately large hub-and-spoke network, a L3 VPN might be of more benefit than a L2 VPN. Any thoughts? Thanks, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73255t=73255 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: 12.3T Not for 2500 and 2600 ? [7:73249]
Chuck Whose Road is Ever Shorter 7/30/03 4:36:57 PM Reimer, Fred wrote in message news:[EMAIL PROTECTED] All of those routers are EOL'd. They can't support them forever (although the non-XM 2600's surely didn't last too long)... well, this is one way to solve the problem of CCIE glut - make it impossible for folks to be able to afford the necessary equipment for home labs ;- Why not? I think Juniper has been doing that from the beginning! Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73257t=73249 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: OT: SSL Remote Access VPNs [7:73253]
How does it compare with other vendors - Neoteris?? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73259t=73253 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: L2 vs L3 [7:73255]
John Neiberger wrote in message ... bulk of their traffic. When considering a move to VoIP or expanded video conferencing this can create some traffic shaping issues. For VoIP, you want to consider a control/data plane that makes this traffic forwarding optimal...the topology is of less concern, no? The topology is not much of a concern for VoIP. Assuming point-to-point links we'd need each location to have at least two routes back to the hub for other reasons. This increased the number of frame relay PVCs at each location, which in turn caused over-restrictive-yet-necessary traffic shaping issues. traffic shaping. In fact, traffic shaping might not be necessary; LLQ might be all that is necessary. I'll have to ponder that some more. You'll probably want outbound queue and drop mechanisms on a class-based model (e.g. CBLLQ with WRED). Shaping and FR Interworking seem to over-complicate what you are trying to do. Regardless, with a 2764-style VPN like the Qwest PRN we'd end up with a fully-meshed network where all nodes appear to be one-hop Where did you read that L2VPN's (or L2TPv3 Pseudowires) don't do full-mesh? I guess that was an assumption. After reading the interview with Martini I took a look at Level3's offering and it is point-to-point. In my mind I just assumed that meant more of a traditional hub-and-spoke design and not a full mesh. A full mesh in our network would require the creation and management of over 5300 PVCs. Is that reasonable? on a per-PVC basis. Since we're still considering moving to IP Telephony and we're expanding our use of video conferencing this You have a lot of options. I recommend Sprint first, then Level-3, then GX. Unless you are already in bed with Qwest or ATT, they won't give you the time-of-day for support (and you are going to need good support for an offering like this). In particular, I recommend Sprint's PW option (UTI on Cisco GSR), and Level-3's (3)Packet MPLS-VPN option (Martini L2VPN on Laurel Networks). 
I haven't checked into Sprint yet and I've just browsed through the marketing blurbs of Level-3's option. We are heavily in bed with Qwest, but they also have the benefit of infrastructure in Denver. They might even be better prepared to handle our network than Level-3. I don't know if these other providers have the infrastructure in Colorado to support our network. As an example, I checked into one offering over a year ago--I think it was Worldcom, but I'm not sure--and they only had a single POP in Denver, and there may have been only a single router, with some redundancy, to handle our entire network. That sounded a little silly to me. Do you really get the benefit of MPLS when your traffic never leaves the router? :-) Besides, they also said that they would have to especially provision new big pipes out to some outlying cities in order to reach many of our branches. It would simply have been too much of a pain to deal with. At least with Qwest our connectivity would be quite diverse and there wouldn't be a single point of failure. Perhaps competitors' networks have been built out enough that this is no longer an issue. Regardless of the possibilities of failure, Qwest can reach *every* branch--including the few in California--right now. Still, I will check further into these other options. I'm really enjoying learning about the possibilities.

Any other VPN offering sounds iffy to me coming from my experience, but you should seek other opinions and do a full analysis for yourself. I had never even heard of RFC 2764 before, and I've never been impressed by the Passport/Accelar/etc.

The Qwest PRN runs on the Shasta BSN-5000 platform.

My feeling after spending a few days reading about this is that given a moderately large hub-and-spoke network, a L3 VPN might be of more benefit than a L2 VPN. I'm curious as to how you came to this conclusion, what did you read/hear?
-dre

That was only an initial supposition, really, not a solid position, and that's based primarily on my assumption that a full mesh with an L2 VPN would be cumbersome. If that's not true then I'll have to rethink my supposition. Keep in mind that I'm a newbie with this VPN stuff. :-) It's very interesting but I've really only been digging into it deeply for a handful of days. Many thanks, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73262t=73255
Re: NM-1HSSI w/kentrox DataSMART T3/E3 [7:73129]
Mike, I'd try replacing the cable first if you have one available. Even if the DS3 isn't configured correctly your interface should be up if your router is speaking to your IDSU. I'd also try resetting the IDSU to its defaults just to make sure something in the config on the IDSU isn't breaking communication with the router. If the serial line comes up at that point you'll know it's a config issue. It's been a while since I even looked at an IDSU (even though we have almost an identical setup) and I don't recall what options are available so I might be way off base. If I can find the documentation I'll take a look at it and see if anything else comes to mind. Regards, John

Jablonski, Michael 7/28/03 5:06:53 PM Has anyone had any experience w/the following combination? 3640 NM-1HSSI Kentrox DataSMART T3/E3 IDSU I've been trying, to no avail, to bring the HSSI up for a 12M DS3. The CSU/DSU, according to the lights, is ready to send and receive data; but when I bring up the int on the router, it shows down down.
Here's the router info:

~~~
interface Hssi1/0
 bandwidth 12000
 ip address x.x.x.x 255.255.255.252
 serial restart_delay 0
 no cdp enable

Hssi1/0 is down, line protocol is down
  Hardware is M1T-HSSI-B
  Internet address is x.x.x.x/30
  MTU 4470 bytes, BW 12000 Kbit, DLY 200 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input never, output never, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 parity
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 applique, 8 interface resets
     0 output buffer failures, 0 output buffers swapped out
     13 carrier transitions
     LC=down CA=down TM=down LB=down TA=up LA=down
~~~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73170t=73129
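An added example (Python, not code from the thread) that parses the `show interface` output Michael posted and turns the HSSI handshake signals and counters into a first-pass diagnosis along the lines of John's reply. The signal semantics (TA, Terminal Available, is driven by the router as DTE; CA, Communication Available, by the DSU as DCE) come from the HSSI interface definition; the diagnostic wording is the example's own.

```python
"""Reading `show interface` output for a down/down HSSI.

Added example, not part of the GroupStudy thread. SAMPLE is the output quoted
in the post (addresses were already masked there). The HSSI signals are:
TA = Terminal Available (asserted by the router/DTE), CA = Communication
Available (asserted by the DSU/DCE), LA/LB = loopback requests from the DTE,
LC = loopback request from the DCE, TM = Test Mode.
"""
import re
from typing import Dict, List

SAMPLE = """\
Hssi1/0 is down, line protocol is down
  Hardware is M1T-HSSI-B
  Internet address is x.x.x.x/30
  MTU 4470 bytes, BW 12000 Kbit, DLY 200 usec, reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
     0 packets input, 0 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 applique, 8 interface resets
     13 carrier transitions
     LC=down CA=down TM=down LB=down TA=up LA=down
"""

COUNTERS = (
    ("packets_input", r"(\d+) packets input"),
    ("input_errors", r"(\d+) input errors"),
    ("crc_errors", r"(\d+) CRC"),
    ("interface_resets", r"(\d+) interface resets"),
    ("carrier_transitions", r"(\d+) carrier transitions"),
)


def parse_show_interface(text: str) -> Dict[str, object]:
    """Extract status, line protocol, HSSI signal states and a few counters."""
    info: Dict[str, object] = {}
    m = re.search(r"^(\S+) is (\w+), line protocol is (\w+)", text, re.M)
    if m:
        info["name"], info["status"], info["line_protocol"] = m.groups()
    info["signals"] = {s: v for s, v in re.findall(r"\b(LC|CA|TM|LB|TA|LA)=(up|down)\b", text)}
    for key, pattern in COUNTERS:
        m = re.search(pattern, text)
        info[key] = int(m.group(1)) if m else None
    return info


def diagnose(info: Dict[str, object]) -> List[str]:
    """Turn the parsed fields into plain-language findings, DSU/cable side first."""
    findings: List[str] = []
    sig = info.get("signals") or {}
    if info.get("status") == "down":
        if sig.get("TA") == "up" and sig.get("CA") == "down":
            findings.append("TA up but CA down: the router is ready, the DSU is not signalling "
                            "Communication Available; check the HSSI cable and the IDSU config first")
        elif sig.get("TA") == "down":
            findings.append("TA down: the router itself is not raising Terminal Available; "
                            "look at the interface state and the network module")
    if any(sig.get(s) == "up" for s in ("LA", "LB", "LC", "TM")):
        findings.append("a loopback or test mode is asserted; clear it before troubleshooting further")
    if info.get("packets_input") == 0:
        findings.append("no frames received at all: a physical/handshake problem, "
                        "not a framing or clocking mismatch (those would show errors)")
    resets, flaps = info.get("interface_resets") or 0, info.get("carrier_transitions") or 0
    if resets or flaps:
        findings.append(f"{resets} interface resets and {flaps} carrier transitions: "
                        "the link has been bouncing rather than sitting dead")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE)
    print(parsed["name"], parsed["status"], parsed["line_protocol"], parsed["signals"])
    for line in diagnose(parsed):
        print("-", line)
```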
RE: FORTEZZA for Cisco router? [7:73114]
By the way, FORTEZZA is used for more than sensitive but unclassified traffic. That's just one application. What you're probably looking for is a product that falls in the NSA Type 2 category. We can discuss more offline if you want to... Out of curiosity, what is currently used for classified traffic? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73183t=73114
Multicast Removed from CCIP Track? [7:73181]
It appears that Cisco is updating the CCIP track and removing multicast from the requirements. Is that really the case, and if so, why? As far as I know multicast is still in the CCNP track and it's got to be on the CCIE written and lab, so why remove such an important topic from CCIP? I suppose it could simply be a matter of focus, and the CCNP is aimed at the enterprise customer while CCIP seems to be aimed at the carrier or provider customers. Any thoughts? John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73181t=73181 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
More on Autonegotiation [7:73195]
Continuing our ongoing discussions of autonegotiation and the behavior of newer switches I thought I'd forward the following link: http://www.psiber.com/lm25ap01.htm The introduction on that page does an excellent job of explaining some of the problems we've been running into. I take issue with one statement, though. They suggest that you use AUTO when possible, or hard-set each end-device to the same commanded mode, whether 100/Full or 100/Half. I contend that with many modern NICs, a commanded setting of 100/Full is the worst possible setting and you should only use half duplex modes when choosing manual settings. Many NICs will fall back to half duplex when they detect a commanded mode link partner, and they usually don't give you any indication that this has occurred! Regards, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73195t=73195 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Provider VPN Caveats [7:73207]
I've been researching different types of service provider VPNs in general and Qwest's PRN in particular. From what I can gather their PRN is a 2764-based VPN offering using IPSec tunneling. I've run into two fairly obvious caveats already and I'm wondering what other caveats might await that aren't so obvious. First, and most obvious, is that without the use of GRE or something similar we won't get multiprotocol capability. Second, and a little less obvious until you think about it, is that we would lose multicasting capabilities without jumping through some GRE hoops. To those of you more familiar with this sort of thing, are there any other operational caveats like these that I'd need to be aware of?

BTW, I think it was dre who suggested I read the RFCs, which I've started to do, and suggested I check out the www.lightreading.com website. That site is great! I did do a search on Kompella vs. Kompella. I feel that Kompella has some good points, but so does Kompella. ;-) I guess the real question is which Kompella is most compelling? I didn't realize that there were so many competing VPN groups and technologies. At this rate, by the time we agree on any standard methods all of the technologies will be obsolete! Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73207t=73207
Re: RFC 2547 vs. RFC 2764 VPNs [7:73048]
Also worth looking at is the hardware component: what will run on the hardware you've already got (if anything)? IF you already have most or all of the hardware pieces to implement Cisco's version, then Cisco's probably makes sense. IF you already have the requisite Nortel gear (Passports?), you're probably only looking at upgrading to a new PCR (software version). One of the benefits of the solution I'm considering is that we don't have to change much at all on our CPE. Our branch sites would require static routing only, while two or three other sites would need to run OSPF. The OSPF-speaking routers form adjacencies with the Qwest PRN and will dynamically learn the routes to our spoke locations. One operational downside is that in order to add a new subnet at a spoke site I have to call Qwest and have them manually add a static route in the PRN, which will then be redistributed into OSPF. It seems like a pretty decent solution and it solves all sorts of problems we're having with the frame relay network. A solution like this would allow us to finally move to IP telephony and not run into serious bandwidth constraints and other issues caused by the use of FRTS. It would also allow us to expand the number of sites involved in video conferencing. All of this could occur without experiencing the shaping issues created when you have 3+ PVCs at most locations. For reference, Qwest is using the BSN-5000 (Shasta) for this service. There are still a few remote sites where we'd connect to some Juniper router but Shasta's do the bulk of the work. John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73106t=73048 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: New Network IPX [7:73113]
Here you go: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/atipx_c/ipx/2cdipx.htm HTH, John

J B 7/28/03 11:35:43 AM I'm not really familiar with IPX and I have to connect 3 remote branches to a central site where the Novell server is located. Can anybody point me to some sample configurations. Thanks JB Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73117t=73113
Re: FORTEZZA for Cisco router? [7:73114]
Howard C. Berkowitz 7/28/03 11:37:44 AM Does anyone know if there's a FORTEZZA encryption product available, presumably third-party, for Cisco routers? It's an NSA-approved chipset, usually on PC card, for government sensitive but unclassified traffic. CCO search doesn't give any hits.

My first thought was a company called SafeNet, www.safenet-inc.com, but it appears that they don't have anything that does Fortezza. I then ran across this product: http://niap.nist.gov/cc-scheme/TTAP-CC-0001.html Is that the sort of thing you're looking for? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73118t=73114
RE: Friday Funnies [7:73016]
Those are great! But I think a few of them need to be translated for us Americans. ;-)

Mark E. Hayes 7/25/03 7:43:02 AM Thank you, I needed that! Mark

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dom Sent: Friday, July 25, 2003 5:53 AM To: [EMAIL PROTECTED] Subject: OT: Friday Funnies [7:73016]

- Two peanuts walk into a rather rough bar, not looking for any trouble. Unfortunately, one was a salted.
- A jump lead walks into a bar. The barman says, I'll serve you, but don't start anything.
- A dyslexic man walks into a bra.
- A man walks into a bar with a roll of tarmac under his arm and says: Pint please, and one for the road.
- A man goes to a fancy dress party dressed only in his Y-fronts. A woman comes up to him and says, What are you supposed to be? The man says, A premature ej*culation. What? says the woman. The man explains, I've just come in my pants.
- Two aerials meet on a roof, fall in love, get married. The ceremony was rubbish but the reception was brilliant.
- Two cannibals are eating a clown. One says to the other: Does this taste funny to you?
- Man with a strawberry stuck up his bum goes to the doctor. The Doctor says, I'll give you some cream to put on it.
- Doc, I can't stop singing 'The green, green grass of home'. That sounds like Tom Jones syndrome. Is it common? Well... It's not unusual.
- Two cows standing next to each other in a field, Daisy says to Dolly, I was artificially inseminated this morning. I don't believe you, said Dolly. It's true, straight up, no bull!
- A guy walks into the psychiatrist wearing only cling film for shorts. The shrink says, Well, I can clearly see you're nuts.
- Two hydrogen atoms walk into a bar. One says, I think I've lost an electron. The other says, Are you sure? The first replies, Yes, I'm positive.
- Deja Moo: The feeling that you've heard this bullsh!t before.
- A man takes his Rottweiler to the vet and says, My dog's cross-eyed, is there anything you can do for him? Well, says the vet, let's have a look at him. So he picks the dog up and examines his eyes, then checks his teeth. Finally, he says, I'm going to have to put him down. What? Because he's cross-eyed? No, because he's really heavy.
- Two elephants walk off a cliff .. boom boom!
- Apparently, 1 in 5 people in the world are Chinese. And there are 5 people in my family, so it must be one of them. It's either my mum or my dad. Or my older brother Colin. Or my younger brother Ho-Cha-Chu. But I think it's Colin.
- I went to buy some camouflage trousers the other day but I couldn't find any.
- I went to the butchers the other day and I bet him 50 quid that he couldn't reach the meat off the top shelf. And he said, No, you're right, he said, the steaks are too high.
- My friend drowned in a bowl of muesli. He was pulled in by a strong currant.
- I went to a really energetic Seafood Disco last week and pulled a mussel.
- Two Eskimos sitting in a kayak were chilly; but when they lit a fire in the craft, it sank, proving once and for all that you can't have your kayak and heat it too.
- A man walks into a doctor's office. What seems to be the problem? asks the doc. It's ... um ... well ... I have five peni*es, replies the man. Blimey! says the doctor, How do your trousers fit? Like a glove.
- Our ice cream man was found lying on the floor of his van covered with hundreds and thousands. Police say that he topped himself.
RFC 2547 vs. RFC 2764 VPNs [7:73048]
I'm just now digging deeper into current VPN technologies since I'm researching Qwest's PRN service. I'm awaiting a definitive answer from them but it appears that their PRN service is 2764-based, which apparently means it does not use MPLS like 2547-based VPNs. I'm curious about the implications of choosing one model over the other. I thought the market trend was toward MPLS-based VPNs but 2764 seems to argue against that. What are the implications of choosing one model over the other? Are there any major drawbacks to either one that the other addresses? I'm also a little concerned about vendor choices. Nortel seems to be pushing 2764, while Cisco and possibly Juniper are pushing 2547 and MPLS. Is that correct? If so, is that really that important to the customer? Forgive me if these questions seem pretty vague. I'm still learning about the technologies involved and I'm not very familiar with the specifics and the terminology. I'll put in a plug here for Howard's book _Building Service Provider Networks_. Among a number of things it discusses some of these VPN technologies and has been very helpful the last couple of days during my research. John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73048t=73048 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Catalyst 2950: The Spawn of the Devil? [7:72821]
In many cases they are autonegotiation issues, but those seem to be mostly resolved, especially if your end devices are using newer NICs with updated drivers. In the case of this morning we're dealing with devices that only run 10/half and the switch is hard-coded for 10/half. Quite a mess but it's not consistent and we're still trying to discover all of the commonalities. Out of six or seven locations that were upgraded last night, three reported problems this morning and all problems related to the same type of PC with the same type of NIC. However, none of the other locations that also have this same PC and NIC have problems. To make it more frustrating, the problems often don't show up immediately, but instead show up several days later. Assuming good code, I'm now an advocate of using auto everywhere unless you need to fix a specific problem. In that case, use 100/Half or 10/half. I never recommend hard-coding 100/Full on newer switches like the 2950 and 6500. It might work but you're just asking for problems. With the majority of the NICs in our PCs, if you hardset both sides to 100/full you will get a duplex mismatch when the PC NIC falls back to half duplex when autonegotiation fails. This behavior is relatively new, and was not present in the 2924XL, the forerunner of the 2950. Just last year we added a bunch of newer Cisco switches to our network and it took quite a while to figure out that most of our new connectivity problems were due to this change in philosophy within Cisco switches. John Reimer, Fred 7/23/03 12:31:16 PM They don't happen to be autonegotiation issues, do they? Cisco used to have a nice write-up on autonegotiation troubleshooting and best practices that recommended hard-coding everything except for transient devices. 
Some crack-head at Cisco decided to update that recently and now I suppose their official stance is to use autonegotiation, ostensibly because they follow the standard correctly, so as long as everyone else does it should work! I have not met a Cisco engineer yet that agrees with that though. Hard-code your speed and duplex, unless it is for ports in an area like a conference room where you will have transient devices. Fred Reimer - CCNA Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

-Original Message- From: John Neiberger [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 23, 2003 12:58 PM To: [EMAIL PROTECTED] Subject: Catalyst 2950: The Spawn of the Devil? [7:72821] All those who consider any version of this platform beware. As far as I can tell there are no reliable software versions for this switch that do not suffer from connectivity bugs. We thought 12.1(13)EA1b solved our problems so we started rolling out this version. Upon reloading we have a number of users complaining and we're not able to resolve the connectivity issue. Granted, this particular problem is between the 2950 and an old NIC but I'm sure we're not the only company with a few older NICs in the network. If you're considering replacing existing switches with the 2950 prepare yourself for a deluge of connectivity problems. You have been warned! [Side note to Cisco: How hard is it to build an access switch that works?? We're on 12.1(13)EA1b and we still have BASIC connectivity bugs???
This is ridiculous. Bugs in the more obscure portions of the code are to be expected, but shouldn't the connectivity bugs be given a little higher priority? When we buy a new switch it would be nice if *all* of our end users could actually connect to the network. Maybe we'll go back to using Nortel switches. ] -- Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72922t=72821 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cat 4000 Connectivity Issues! [7:72823]
This is reminiscent of the following vulnerability: http://www.cisco.com/warp/public/707/cisco-sa-20030709-swtcp.shtml

However, Stevo is running IOS, not CatOS. I wonder if there's a similar problem with Cat4K IOS?

John

MADMAN 7/24/03 10:11:26 AM
Are you sure you don't have a duplicate address or faulty addressing somewhere??

Dave

Stevo wrote:
LOL - I just re-read my post... to clarify - I can not ping it, but I can console to it... And none of the VTYs are in use. In fact, when I'm consoled into the device it can telnet itself just fine! Really bizarre...

MADMAN wrote in message news:[EMAIL PROTECTED]
John Neiberger wrote:
Stevo 7/23/03 12:02:28 PM
Hey All, I have a Cat 4006 running in native mode (running IOS 12.1(13)) and can not ping or telnet to it anymore. It is passing traffic just fine however the only way I can connect to it is to ping it

Are you sure you haven't used all your VTYs? Do you get a connection refused when trying to connect? You could be so low on memory that it's unable to create an exec and will crash on its own in time.

Dave

I'm confused. Can you ping it or not? :-)

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367
"Government can do something for the people only in proportion as it can do something to the people." -- Thomas Jefferson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72960t=72823
Re: CCIE required in UAE. [7:72879]
Not to mention hazard pay.

John

Chuck Whose Road is Ever Shorter 7/24/03 11:01:50 AM
According to my source, this actually translates to approx. 5500 USD. Also, you don't know the entire package: living expenses, housing, etc.

http://www.xe.com/ucc/convert.cgi

Walker, James - Is wrote in message news:[EMAIL PROTECTED]
That is only $2118.51 a month?

-----Original Message-----
From: afshin mehrpouya [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 24, 2003 1:24 AM
To: [EMAIL PROTECTED]
Subject: CCIE required in UAE. [7:72879]

CCIE required in UAE-Dubai for an international solution provider company. Min salary 2 dirhams/month.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72961t=72879
RE: Per-destination load balancing [7:72944]
Tim Champion wrote:
Could someone please confirm the following to be true (taken from CCO):

    Per-destination load balancing allows the router to distribute packets based on the destination address, and uses multiple paths to achieve load sharing. Packets for a given source-destination host pair are guaranteed to take the same path, even if multiple paths are available. For example, given two paths to the same network, all packets for destination1 on that network go over the first path, all packets for destination2 on that network go over the second path, and so on. Per-destination load balancing is enabled by default when you start the router, and is the preferred load balancing for most situations.

It was my understanding that per-destination load balancing was based on the destination address only and not on the source/destination pair. If someone could clarify it would be much appreciated.

Cheers
Tim

This probably depends on the switching mechanism in place. Fast switching, as I recall, simply caches the outgoing interface for any given destination so it's relying on the destination information only. CEF uses both the source and destination. Multiple sources trying to reach the same destination might not use the same outgoing interface.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72962t=72944
RE: Per-destination load balancing [7:72944]
If there are multiple levels of Heaven and our final destination has been predetermined in order to equalize the number of people in each level, would this be considered pre-destination load-balancing?

Priscilla Oppenheimer 7/24/03 1:24:34 PM
Packets for a given source-destination pair are a subset of packets for a given destination. It's true that with per-destination load balancing, all packets for a destination go out the same interface. Thus, it is true that all packets for a given source-destination pair go out the same interface. But I doubt the router actually looks at the source address with basic packet forwarding, so the tech writer who wrote the paragraph below probably should not have embellished it with that addition, unless it was somehow relevant to some other part of the discussion. It's hard to tell without seeing the entire context.

Hope that makes sense.

Priscilla

Tim Champion wrote:
Could someone please confirm the following to be true (taken from CCO):

    Per-destination load balancing allows the router to distribute packets based on the destination address, and uses multiple paths to achieve load sharing. Packets for a given source-destination host pair are guaranteed to take the same path, even if multiple paths are available. For example, given two paths to the same network, all packets for destination1 on that network go over the first path, all packets for destination2 on that network go over the second path, and so on. Per-destination load balancing is enabled by default when you start the router, and is the preferred load balancing for most situations.

It was my understanding that per-destination load balancing was based on the destination address only and not on the source/destination pair. If someone could clarify it would be much appreciated.

Cheers
Tim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72970t=72944
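The two answers above turn on whether the source address enters into the path choice at all. The following is an added illustration, not from the thread and not Cisco's code, that models both behaviours side by side: a destination-only cache in the fast-switching style and a source/destination pair hash in the CEF style. The hash is a stand-in (the sum of the address octets, picked so the result can be checked by hand) and does not reproduce Cisco's real load-sharing hash; the interface names, addresses and flows are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Set

# Two equal-cost paths to the same remote network (constructed example).
PATHS = ("Serial0/0", "Serial0/1")


def _toy_hash(*addrs: str) -> int:
    """Stand-in hash: the sum of the packed octets of every address given.

    Chosen only because its value is easy to check by hand; Cisco's real CEF
    load-sharing hash is a different function (assumption: any deterministic
    function of the same inputs shows the same qualitative behaviour)."""
    return sum(sum(ipaddress.ip_address(a).packed) for a in addrs)


def choose_dst_only(src: str, dst: str, paths=PATHS) -> str:
    """Fast-switching style cache: the path depends on the destination only,
    so every source sending to one destination takes the same path."""
    return paths[_toy_hash(dst) % len(paths)]


def choose_src_dst(src: str, dst: str, paths=PATHS) -> str:
    """CEF-style per-destination sharing: the path depends on the
    (source, destination) pair. A pair always gets the same path, but two
    sources talking to one destination may land on different paths."""
    return paths[_toy_hash(src, dst) % len(paths)]


def paths_per_destination(flows, chooser) -> Dict[str, Set[str]]:
    """For every destination, the set of paths its flows were placed on."""
    seen = defaultdict(set)
    for src, dst in flows:
        seen[dst].add(chooser(src, dst))
    return dict(seen)


# Constructed traffic: three hosts each talking to two servers on the remote network.
SOURCES = ("10.1.1.1", "10.1.1.2", "10.1.1.3")
DESTINATIONS = ("172.16.5.10", "172.16.5.11")
FLOWS = [(s, d) for s in SOURCES for d in DESTINATIONS]


def splits_destinations(chooser) -> bool:
    """True when some destination's traffic is spread over more than one path."""
    return any(len(p) > 1 for p in paths_per_destination(FLOWS, chooser).values())


def pair_is_stable(chooser, src: str, dst: str, packets: int = 1000) -> bool:
    """Both schemes must keep one (src, dst) pair on a single path."""
    return len({chooser(src, dst) for _ in range(packets)}) == 1


if __name__ == "__main__":
    for label, chooser in (("destination only", choose_dst_only),
                           ("source/destination pair", choose_src_dst)):
        print(f"{label}: {paths_per_destination(FLOWS, chooser)}")
```

With the constructed addresses, the destination-only chooser puts all three hosts' traffic to 172.16.5.10 on Serial0/1, while the pair hash spreads that same destination over both serial links. In both cases a given pair never changes path, which is the part of the CCO paragraph that holds either way.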
RE: ccnp tests [7:72972]
You get three years to pass them all (Switch, Routing, Remote, Support) from the time of your CCNA or from the time you take/pass your first of the four CCNP tests, unless they changed something since Dec 2002.

HTH's

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72994t=72972
Re: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]
Fred,

A few years ago this list was opened up to questions and discussions that aren't necessarily related to certification. In fact, discussions don't even have to be Cisco-related, although they usually are. You'll quite often see stuff like this around here, and many times people simply want to know if something can be done, not whether it's a good idea for it to be done. :-)

I have my doubts that this could be configured in such a way as to be reliable and stable, but who knows. I even gave a suggestion earlier that I now think won't work. I'm too tired at the moment to try it out, though.

John

----- Original Message -----
From: Reimer, Fred
To:
Sent: Tuesday, July 22, 2003 9:29 PM
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

12.2(15)T5 is a recommended version for the IP v4 exploit, as far as I know, see (http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml). Are you suggesting that it is not appropriate? Do you recommend that we configure an unreleased and unsupported feature? I would not recommend that in a CCIE lab, as they are historically behind in IOS releases, and will not likely support a configuration in a 12.3 version specific command, as a valid solution since they are not even going to support 12.2 until this Fall...

Fred Reimer - CCNA

-----Original Message-----
From: Luan Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 10:02 PM
To: 'Reimer, Fred'; [EMAIL PROTECTED]
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

Uhm, why don't you just put the command there and see what's going on. I don't mess with 12.2.15Tx any more since, FYI, it has a bug with EIGRP stub connected - forgot the bugID, but if you have a spoke with that command, the hub won't withdraw routes even if the hub doesn't have that route any longer.

Okay, to the main topic - I run 12.3.1 on a 7206VXR and I could configure bridge-group on the tunnel interface.

    interface Tunnel10
     bandwidth 1500
     ip unnumbered Loopback1
     ip mtu 1440
     ip hello-interval eigrp 2002 10
     ip hold-time eigrp 2002 40
     keepalive 10 4
     tunnel source 172.16.1.140
     tunnel destination 172.16.3.144
     bridge-group 1
     bridge-group 1 spanning-disabled

But it does say this:

    CS140(config-if)#bridge-group 1
    % This command is an unreleased and unsupported feature

-luan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Reimer, Fred
Sent: Tuesday, July 22, 2003 5:48 PM
To: [EMAIL PROTECTED]
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

Wow, I hope you don't try that on your CCIE lab! Last I heard, bridging was not supported on tunnel interfaces. At least it's not on the 12.2(15)T5 running on a 2651XM router I just tested. If you find a (recent, supported) version of IOS that supports bridge-group in a tunnel interface please let me know. I think proxy ARP is more what is needed here, if we are talking about IP traffic. If not, then IOS should support the other protocol in the tunnel (it supports AppleTalk, Banyan VINES, CLNS, DECnet, IP, or IPX). If it's raw NetBIOS or SNA, then set up DLSW peers...

Fred Reimer - CCNA

-----Original Message-----
From: Luan Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

Uhm. Never done this or heard of this before. I would just do something like:

    Interface LAN 1
     Bridge-group 1
    Interface tunnel 1
     Source WAN
     Destination REMOTE_WAN
     Bridge-group 1

Since concurrent routing and bridging makes it possible to both route and bridge a specific protocol on separate interfaces within a router, then WAN just route and LAN/Tunnel just bridge :) If that doesn't work for you, then maybe
RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]
Yep, I would agree with Fred unless I tested it thoroughly. This may be one of those situations where it might seem to work but I wouldn't trust it in production. If it's simply an intellectual exercise it would be interesting to mock it up and see what happens when user traffic actually starts to cross the network. However, if this is for a production environment--or even for lab study--I don't know that I'd spend much time on it. Find a different way to do it! :-)

John

Reimer, Fred 7/23/03 7:48:37 AM
Oops, I was typing bridge? And it wasn't showing up, so I assumed that it was not available in 12.2(15)T5. It appears that it is, but you have to type out the whole command. Still, I wouldn't use it.

Fred Reimer - CCNA

-----Original Message-----
From: Luan Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 23, 2003 8:50 AM
To: 'Reimer, Fred'
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

Hello, I was just trying to suggest maybe put the command bridge-group there to see if 12.2.15T5 takes it or not - whether that will work...etc, is a different story - just for information - didn't mean it in the context of ccie lab

-luan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Reimer, Fred
Sent: Tuesday, July 22, 2003 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

12.2(15)T5 is a recommended version for the IP v4 exploit, as far as I know, see (http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml). Are you suggesting that it is not appropriate? Do you recommend that we configure an unreleased and unsupported feature? I would not recommend that in a CCIE lab, as they are historically behind in IOS releases, and will not likely support a configuration in a 12.3 version specific command, as a valid solution since they are not even going to support 12.2 until this Fall...

Fred Reimer - CCNA

-----Original Message-----
From: Luan Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 22, 2003 10:02 PM
To: 'Reimer, Fred'; [EMAIL PROTECTED]
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

Uhm, why don't you just put the command there and see what's going on. I don't mess with 12.2.15Tx any more since, FYI, it has a bug with EIGRP stub connected - forgot the bugID, but if you have a spoke with that command, the hub won't withdraw routes even if the hub doesn't have that route any longer.

Okay, to the main topic - I run 12.3.1 on a 7206VXR and I could configure bridge-group on the tunnel interface.

    interface Tunnel10
     bandwidth 1500
     ip unnumbered Loopback1
     ip mtu 1440
     ip hello-interval eigrp 2002 10
     ip hold-time eigrp 2002 40
     keepalive 10 4
     tunnel source 172.16.1.140
     tunnel destination 172.16.3.144
     bridge-group 1
     bridge-group 1 spanning-disabled

But it does say this:

    CS140(config-if)#bridge-group 1
    % This command is an unreleased and unsupported feature

-luan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Reimer, Fred
Sent: Tuesday, July 22, 2003 5:48 PM
To: [EMAIL PROTECTED]
Subject: RE: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]

Wow, I hope you don't try that on your CCIE lab! Last I heard, bridging was not supported on tunnel interfaces. At least it's not on the 12.2(15)T5 running on a 2651XM router I just tested. If you find a (recent, supported) version of IOS that supports bridge-group in a tunnel interface please let me know. I think proxy ARP is more what is needed here, if we are talking about IP traffic. If not, then IOS should support the other protocol in the tunnel (it supports AppleTalk, Banyan VINES, CLNS, DECnet, IP, or IPX). If it's raw NetBIOS or SNA, then set up DLSW peers...

Fred Reimer - CCNA
Re: IOS upgrade [7:72799]
Ants 7/23/03 8:27:03 AM
Hi, Have a couple of ws-c2950 and ws-c2912xl switches running IOS 12.0(5.3)WC1 version. Recent Cisco vulnerability recommends upgrade but for this version it recommends 12.0T or 12.1. What version will be best suited for upgrading these switches? Anyone know whether 12.1(19) will be ok for these switch upgrades? Thanks in advance.

At this very moment I'm wrestling with a 2950-24 that is running 12.0(5.3)WC1 and I'm trying to upgrade it to 12.1(13)EA1b. Is 12.1(19) available for them? As of yesterday, 12.1(13)EA1c was the latest available for the 2950. I seem to be running into a bug that is causing excessive CPU usage on the switch, so much so that it's not letting me download a new image successfully. To make matters worse, to personally tend to this switch I'd have to hop on a plane and go to California. I *really* hope I don't mess this thing up!

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72812t=72799
Catalyst 2950: The Spawn of the Devil? [7:72821]
All those who consider any version of this platform beware. As far as I can tell there are no reliable software versions for this switch that do not suffer from connectivity bugs. We thought 12.1(13)EA1b solved our problems so we started rolling out this version. Upon reloading we have a number of users complaining and we're not able to resolve the connectivity issue. Granted, this particular problem is between the 2950 and an old NIC but I'm sure we're not the only company with a few older NICs in the network. If you're considering replacing existing switches with the 2950 prepare yourself for a deluge of connectivity problems. You have been warned!

[Side note to Cisco: How hard is it to build an access switch that works?? We're on 12.1(13)EA1b and we still have BASIC connectivity bugs??? This is ridiculous. Bugs in the more obscure portions of the code are to be expected, but shouldn't the connectivity bugs be given a little higher priority? When we buy a new switch it would be nice if *all* of our end users could actually connect to the network. Maybe we'll go back to using Nortel switches.]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72821t=72821
Re: Cat 4000 Connectivity Issues! [7:72823]
Stevo 7/23/03 12:02:28 PM
Hey All, I have a Cat 4006 running in native mode (running IOS 12.1(13)) and can not ping or telnet to it anymore. It is passing traffic just fine however the only way I can connect to it is to ping it

I'm confused. Can you ping it or not? :-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72828t=72823
RE: Catalyst 2950: The Spawn of the Devil? [7:72821]
Actually, Fred, the problem is that some NICs will check for an autonegotiating partner even if they are hard coded, while other NICs do not. Newer Cisco switches completely disable autonegotiation if you hardset the speed and duplex, while many NIC manufacturers decided it was a great idea to still check for an autonegotiating partner regardless of speed/duplex setting. These NICs *will* fall back to half duplex if they do not detect autonegotiation on the wire. I've seen the documentation that proves this and I've seen it demonstrated almost daily for months now.

The problem arose when Cisco changed their switch behavior. The 2924XL used to behave the same way as most NICs do now. Even if you hard set the speed and duplex they would be friendly with other NICs that checked for autonegotiation. In other words, they still participated in autonegotiation but they only offered the speed and duplex they were configured for to the link partner. Newer Cisco switches do not do this. Nway (autonegotiation) is disabled completely if you hardset the speed and duplex. If you set the switch to 100/Full it will stay at 100/Full no matter what. If you subsequently attach certain NICs to that port and you hardset the NIC to 100/Full it will still check the link for an autonegotiating partner. When it doesn't detect one it makes the faulty assumption that full duplex is not possible and it falls back to half duplex. To make matters worse, most NICs don't report this. When you check their speed and duplex settings they'll still report 100/Full.

Every 2950, 2948G, 2980G, and 6500 in our network behaves in the newer fashion, while probably 98% of the PC and server NICs in our network still check for the presence of Nway signalling. It took months of troubleshooting involving several people of different backgrounds in our department along with resources from Novell and Cisco to figure out what was going on, and the real answer actually came from responses I had on Usenet by people who really understood Nway and the fast ethernet standard. The only method for setting speed and duplex mentioned in the standard is the use of autonegotiation. The behavior of NICs when auto is not used is unspecified. There are basically two common behaviors among NICs when you disable autonegotiation and the real problems occur when you have a mix of NICs with different philosophies.

John

Reimer, Fred 7/23/03 12:53:14 PM
I never recommend hard-coding 100/Full on newer switches like the 2950 and 6500. It might work but you're just asking for problems. With the majority of the NICs in our PCs, if you hardset both sides to 100/full you will get a duplex mismatch when the PC NIC falls back to half duplex when autonegotiation fails. This behavior is relatively new, and was not present in the 2924XL, the forerunner of the 2950.

I'd have to disagree with you there. If you hard-code a device it can't fail autonegotiation. The two are diametrically opposed. It's an oxymoron. Illogical to the nth degree. And this behavior is notstay

Reimer, Fred 7/23/03 12:31:16 PM
They don't happen to be autonegotiation issues, do they? Cisco used to have a nice write-up on autonegotiation troubleshooting and best practices that recommended hard-coding everything except for transient devices. Some crack-head at Cisco decided to update that recently and now I suppose their official stance is to use autonegotiation, ostensibly because they follow the standard correctly, so as long as everyone else does it should work! I have not met a Cisco engineer yet that agrees with that though. Hard-code your speed and duplex, unless it is for ports in an area like a conference room where you will have transient devices.

Fred Reimer - CCNA

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 23, 2003 12:58 PM
To: [EMAIL PROTECTED]
Subject: Catalyst 2950: The Spawn of the Devil? [7:72821]

All those who consider any version of this platform beware. As far as I can tell there are no reliable software versions for this switch that do not suffer from connectivity bugs. We thought 12.1(13)EA1b solved our problems so we started rolling out this version. Upon reloading we have a number of users complaining and we're not able to resolve the connectivity issue. Granted, this particular problem is between the 2950 and an old NIC but I'm sure we're
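The behaviour described in this exchange is hard to confirm from the PC end, because the NIC keeps reporting 100/Full after it has fallen back to half duplex; the switch-side counters are what give it away. The following is an added example, not from the list and not Cisco's code, that parses a constructed sample of IOS "show interfaces" output and flags the classic mismatch signatures: runts and CRC errors on the side running full duplex, late collisions on the side running half duplex. The interface names, MAC addresses and counters are made up, the output is trimmed to the lines the parser reads, and the 0.5% error-ratio threshold is an assumption to tune for your own network.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the style of IOS "show interfaces", trimmed to the
# lines the parser needs; all counters are made up for this illustration.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Full-duplex, 100Mb/s, media type is 100BaseTX
     48213 packets input, 6128447 bytes, 0 no buffer
     317 runts, 0 giants, 0 throttles
     1453 input errors, 1136 CRC, 0 frame, 0 overrun, 0 ignored
     51021 packets output, 7712309 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/2 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0000.0c00.0002 (bia 0000.0c00.0002)
  Half-duplex, 10Mb/s, media type is 10/100BaseTX
     9021 packets input, 913220 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     8877 packets output, 1012211 bytes, 0 underruns
     612 output errors, 2301 collisions, 0 interface resets
     0 babbles, 598 late collision, 0 deferred
FastEthernet0/3 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0000.0c00.0003 (bia 0000.0c00.0003)
  Full-duplex, 100Mb/s, media type is 100BaseTX
     120000 packets input, 15000000 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     118000 packets output, 14800000 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""


@dataclass
class PortStats:
    name: str
    duplex: str          # "full", "half" or "unknown"
    speed_mbps: int
    packets_in: int
    packets_out: int
    runts: int
    crc: int
    collisions: int
    late_collisions: int


# A new interface block starts at a non-indented "<name> is up/down" line.
_HEADER = re.compile(r"^(\S+) is (?:up|down|administratively down)", re.M)
_DUPLEX = re.compile(r"(Full|Half)-duplex, (\d+)Mb/s")


def _counter(body: str, label: str) -> int:
    """Integer preceding `label` in a counter line, or 0 if the line is absent."""
    m = re.search(r"(\d+) " + re.escape(label), body)
    return int(m.group(1)) if m else 0


def parse_show_interfaces(text: str) -> List[PortStats]:
    """Split the output into per-interface blocks and extract the counters."""
    ports = []
    heads = list(_HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.start():end]
        d = _DUPLEX.search(body)
        ports.append(PortStats(
            name=h.group(1),
            duplex=d.group(1).lower() if d else "unknown",
            speed_mbps=int(d.group(2)) if d else 0,
            packets_in=_counter(body, "packets input"),
            packets_out=_counter(body, "packets output"),
            runts=_counter(body, "runts"),
            crc=_counter(body, "CRC"),
            collisions=_counter(body, "collisions"),   # "late collision" is singular, so it does not match here
            late_collisions=_counter(body, "late collision"),
        ))
    return ports


def mismatch_indicators(port: PortStats, error_ratio: float = 0.005) -> List[str]:
    """Counter patterns that point at a duplex mismatch on this port.

    The full-duplex side receives the half-duplex side's collision fragments
    as runts and CRC errors; the half-duplex side logs late collisions because
    its peer transmits without deferring. The ratio threshold is an assumption."""
    reasons = []
    if port.duplex == "full" and port.packets_in:
        if (port.runts + port.crc) / port.packets_in > error_ratio:
            reasons.append("runts-or-crc-on-full-duplex")
    if port.duplex == "half" and port.late_collisions > 0:
        reasons.append("late-collisions-on-half-duplex")
    return reasons


def audit(text: str) -> Dict[str, List[str]]:
    """Map every interface in the output to its list of mismatch indicators."""
    return {p.name: mismatch_indicators(p) for p in parse_show_interfaces(text)}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_SHOW_INTERFACES).items():
        print(name, "OK" if not reasons else ", ".join(reasons))
```

Run against the sample, FastEthernet0/1 is flagged from the full-duplex side (about 3% of its input is runts or CRC), FastEthernet0/2 from the half-duplex side (late collisions on a link that should never see any), and FastEthernet0/3 is clean. Fed the real output of a switch that was just upgraded, the same check gives an early warning for the ports that, as the thread notes, only start misbehaving days later.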
Re: IOS upgrade [7:72799]
Thanks, but I think it would be a bit of a drive for you. Isn't it quite a ways from your place down to Palm Desert? Besides, I wouldn't be able to pay you except perhaps with beer!

Anyway, I was finally able to get the switch upgraded and the problem I was seeing went away. I never did figure out exactly what was going on. The switch seemed to think it was suffering from a broadcast storm when it was not. Rebooting to a new image cleared up the problem. However, that led to the problem I'm discussing in the other thread! :-(

John

Chuck Whose Road is Ever Shorter 7/23/03 1:36:52 PM
Where's the switch and what are your passwords, John? If it's close enough, I'll be happy to help you out ;-

John Neiberger wrote in message news:[EMAIL PROTECTED]
Ants 7/23/03 8:27:03 AM
Hi, Have a couple of ws-c2950 and ws-c2912xl switches running IOS 12.0(5.3)WC1 version. Recent Cisco vulnerability recommends upgrade but for this version it recommends 12.0T or 12.1. What version will be best suited for upgrading these switches? Anyone know whether 12.1(19) will be ok for these switch upgrades? Thanks in advance.

At this very moment I'm wrestling with a 2950-24 that is running 12.0(5.3)WC1 and I'm trying to upgrade it to 12.1(13)EA1b. Is 12.1(19) available for them? As of yesterday, 12.1(13)EA1c was the latest available for the 2950. I seem to be running into a bug that is causing excessive CPU usage on the switch, so much so that it's not letting me download a new image successfully. To make matters worse, to personally tend to this switch I'd have to hop on a plane and go to California. I *really* hope I don't mess this thing up!

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72844t=72799
Re: Catalyst 2950: The Spawn of the Devil? [7:72821]
Believe me, Chuck, I've harped on our LAN people about this forever and they finally have made great progress in that area. Today's problems arise from some P133s with 10baseT ISA cards in them. With previous versions of the 2950 IOS we'd hardset the ports to 10/half and then reboot the PC about five times (yes, I said five times!) and from that point on they'd have no problems. I have no explanation. As of the latest version of software, the connections to these NICs seem to be on even shakier ground but we seem to be getting them under control. The real solution is to upgrade the NICs in all of those machines but that's easier said than done considering the locations of these machines relative to ours. :-)

John

Chuck Whose Road is Ever Shorter 7/23/03 1:35:37 PM
Lazy boy. Upgrade your NIC drivers. :- NIC problems with Cisco switches have been issues for several years that I can think of. ;-

John Neiberger wrote in message news:[EMAIL PROTECTED]
All those who consider any version of this platform beware. As far as I can tell there are no reliable software versions for this switch that do not suffer from connectivity bugs. We thought 12.1(13)EA1b solved our problems so we started rolling out this version. Upon reloading we have a number of users complaining and we're not able to resolve the connectivity issue. Granted, this particular problem is between the 2950 and an old NIC but I'm sure we're not the only company with a few older NICs in the network. If you're considering replacing existing switches with the 2950 prepare yourself for a deluge of connectivity problems. You have been warned!

[Side note to Cisco: How hard is it to build an access switch that works?? We're on 12.1(13)EA1b and we still have BASIC connectivity bugs??? This is ridiculous. Bugs in the more obscure portions of the code are to be expected, but shouldn't the connectivity bugs be given a little higher priority? When we buy a new switch it would be nice if *all* of our end users could actually connect to the network. Maybe we'll go back to using Nortel switches.]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72843t=72821
RE: Catalyst 2950: The Spawn of the Devil? [7:72821]
Yep, that will happen. Paul (the list owner) said that he thinks there is a bug in the anti-mime software but he hasn't had time to check into it yet. So, word to the wise: don't use greater-than or less-than signs in your emails for a while! It definitely mangles posts if you use those symbols.

John

Reimer, Fred 7/23/03 3:15:06 PM

Man, someone remind me not to use the greater than and less than symbols on this list! Apparently they are stripped out as some type of evil HTML code or something by the software...

Fred Reimer - CCNA Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338 Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050

NOTICE; This email contains confidential or proprietary information which may be legally privileged. It is intended only for the named recipient(s). If an addressing or transmission error has misdirected the email, please notify the author by replying to this message. If you are not the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer.

-Original Message- From: Reimer, Fred [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 23, 2003 2:53 PM To: [EMAIL PROTECTED] Subject: RE: Catalyst 2950: The Spawn of the Devil? [7:72821]

I never recommend hard-coding 100/Full on newer switches like the 2950 and 6500. It might work but you're just asking for problems. With the majority of the NICs in our PCs, if you hardset both sides to 100/full you will get a duplex mismatch when the PC NIC falls back to half duplex when autonegotiation fails. This behavior is relatively new, and was not present in the 2924XL, the forerunner of the 2950.

I'd have to disagree with you there. If you hard-code a device it can't fail autonegotiation. The two are diametrically opposed. It's an oxymoron. Illogical to the nth degree. And this behavior is notstay

Reimer, Fred 7/23/03 12:31:16 PM

They don't happen to be autonegotiation issues, do they? Cisco used to have a nice write-up on autonegotiation troubleshooting and best practices that recommended hard-coding everything except for transient devices. Some crack-head at Cisco decided to update that recently and now I suppose their official stance is to use autonegotiation, ostensibly because they follow the standard correctly, so as long as everyone else does it should work! I have not met a Cisco engineer yet that agrees with that though. Hard-code your speed and duplex, unless it is for ports in an area like a conference room where you will have transient devices.

Fred Reimer - CCNA

-Original Message- From: John Neiberger [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 23, 2003 12:58 PM To: [EMAIL PROTECTED] Subject: Catalyst 2950: The Spawn of the Devil? [7:72821]

All those who consider any version of this platform beware. As far as I can tell there are no reliable software versions for this switch that do not suffer from connectivity bugs. We thought 12.1(13)EA1b solved our problems so we started rolling out this version. Upon reloading we have a number of users complaining and we're not able to resolve the connectivity issue. Granted, this particular problem is between the 2950 and an old NIC but I'm sure we're not the only company with a few older NICs in the network. If you're considering replacing existing switches with the 2950 prepare yourself for a deluge of connectivity problems. You have been warned!

[Side note to Cisco: How hard is it to build an access switch that works?? We're on 12.1(13)EA1b and we still have BASIC connectivity bugs??? This is ridiculous. Bugs in the more obscure portions of the code are to be expected, but shouldn't the connectivity bugs be given a little higher priority? When we buy a new switch it would be nice if *all* of our end users could actually connect to the network. Maybe we'll go back to using Nortel switches. ]
Re: GRE TUNNEL/Ethernet-broadcast-like? [7:72738]
Ricardo J Castaneda 7/22/03 12:18:17 PM

Hello, A question just came to mind: Would it be possible to join a broadcast domain, not by means of a LAN switch but from one remote router to another, using GRE Tunnels? Since I haven't done it before, I kind of thought that it'd be possible. For instance, having:

R1eth0(no ip address)--GRE TUNNEL-Ser0--CLOUD--GRE_TUNN--Ser1---R2eth0(no ip address)

where arp packets may flow from R1 to R2 via this GRE Tunnel. Under this scenario and simply put, can R1's LAN be also part of R2's LAN? If it's possible, how could the config be like? Best regards,

It's been a while since I played with configs like this but I believe you could configure Integrated Routing and Bridging first, and then on each end of the connection you bridge the ethernet traffic to the tunnel.

HTH, John
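An added configuration sketch of the bridged-over-GRE setup described above (my example, not a config from either poster): both routers put Ethernet0 and Tunnel0 in the same bridge group, so ARP and other broadcasts from one LAN are carried inside GRE to the other. It assumes an IOS image that accepts bridge-group on tunnel interfaces; the 10.0.0.0/30 tunnel endpoints are constructed placeholders, and the BVI/IRB lines are only needed if a router must also route into the bridged segment.

```cisco
! Added example, not from the post. R1 and R2 are mirror images; only the
! tunnel endpoints are routed, Ethernet0 carries no IP address, as in the
! question. 10.0.0.1/10.0.0.2 are constructed placeholder addresses.
!
! ---- R1 ----
bridge 1 protocol ieee
!
interface Serial0
 ip address 10.0.0.1 255.255.255.252
!
interface Tunnel0
 no ip address
 tunnel source Serial0
 tunnel destination 10.0.0.2
 bridge-group 1
!
interface Ethernet0
 no ip address
 bridge-group 1
!
! ---- R2 ----
bridge 1 protocol ieee
!
interface Serial1
 ip address 10.0.0.2 255.255.255.252
!
interface Tunnel0
 no ip address
 tunnel source Serial1
 tunnel destination 10.0.0.1
 bridge-group 1
!
interface Ethernet0
 no ip address
 bridge-group 1
!
! Optional, only if R1 itself needs an address on the joined LAN
! (Integrated Routing and Bridging, as the reply suggests):
!   bridge irb
!   bridge 1 route ip
!   interface BVI1
!    ip address 192.168.1.1 255.255.255.0
```

Note that GRE adds no confidentiality or integrity, and every broadcast, ARP reply and spanning-tree BPDU of one LAN now crosses the cloud to the other, so the two sites become a single layer-2 trust domain; 'show bridge 1' on each router confirms which MAC addresses are being learned over Tunnel0.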
Superstitious Switches? [7:72746]
This is not a joke, I promise, but it is very strange. Have any of you noticed that by far the most problematic port on the Catalyst 2950 switches is port 13? I'd bet money that at least 20% of the time we have a problem with a device connected to these switches they're connected to port 13. Just in the last two days we've had to troubleshoot *three* separate instances of users in port 13 on these switches, and I can think of at least three more in the past. I once had to RMA a 2950 because port 13 died. Doesn't this seem a little odd? I think I'm going to stop walking underneath ladders until I get this resolved!

John
Re: a song for all of us [7:72729]
Howard C. Berkowitz 7/22/03 3:59:01 PM

Don't forget relevant folk:
Pete Seeger: This LAN is Your LAN
Kingston Trio: MTA (triple duty for email, token management, and looping)
Peter Paul Mary: If I had a token, I'd ring it in the morning

And surely there must be a version of Alice's Restaurant sung by Cisco Sales. You can get any bug you want at the Chamber's Restaurant...

John
OT: Anyone using Qwest PRN ? [7:72704]
Are any of you using Qwest PRN? If so, I have a few questions for you:

1. How do you like it so far?
2. Did you migrate from something else? If so, how did the migration go?
3. Any 'gotchas' that you learned later that you wish you'd learned sooner?
4. How does the service compare to what you were using before?
5. How many sites do you have? Is this solution scaling well for you?

Of course, it's not necessary to answer every question. I'm just doing some research on their solution and thought I'd check around here for references.

Thanks, John
Re: ODR, was RE: CCDA: changes in syllabus. [7:72380]
In addition to that, how many times have you heard that we should disable CDP for security reasons? I'm sure there are some companies that aren't allowed to run CDP for this reason. Then again, that's usually a big company that probably wouldn't want to run ODR in the first place.

John

Tom Martin 7/21/03 10:05:02 AM

John, I have come across ODR in production a couple of times. Up until recently I had thought that ODR worked quite well for hub and spoke topologies... My most recent involvement with ODR occurred when replacing a 2621 with a 3745, which was the hub of the hub-and-spoke topology. I quickly learned that the 3745 doesn't enable CDP by default. I was also reminded that Cisco doesn't save configuration commands that are considered default... What ended up happening was CDP was not enabled by default and when I enabled it (cdp run) the command wouldn't save because it was considered a default command! Each time the router booted CDP was disabled again! I recommend to everyone that ODR not be used in a Cisco production environment. You never know when an IOS (platform?) bug will render your WAN unusable! - Tom

John Neiberger wrote: I've never heard of anyone using ODR. Anyone here know of anyone using ODR in a production environment? Are there any environments where ODR is recommended over other options? John
Re: OT: Anyone using Qwest PRN ? [7:72704]
Peter van Oene wrote: At 04:31 PM 7/21/2003 +, John Neiberger wrote:

Are any of you using Qwest PRN? If so, I have a few questions for you:
1. How do you like it so far?
2. Did you migrate from something else? If so, how did the migration go?
3. Any 'gotchas' that you learned later that you wish you'd learned sooner?
4. How does the service compare to what you were using before?
5. How many sites do you have? Is this solution scaling well for you?

Hey John, What is PRN? Private routed network? Can't seem to find much about it in my brief googling.

Of course, it's not necessary to answer every question. I'm just doing some research on their solution and thought I'd check around here for references. Thanks, John
Re: OT: Anyone using Qwest PRN ? [7:72704]
Peter van Oene wrote: At 04:31 PM 7/21/2003 +, John Neiberger wrote:

Are any of you using Qwest PRN? If so, I have a few questions for you:
1. How do you like it so far?
2. Did you migrate from something else? If so, how did the migration go?
3. Any 'gotchas' that you learned later that you wish you'd learned sooner?
4. How does the service compare to what you were using before?
5. How many sites do you have? Is this solution scaling well for you?

Hey John, What is PRN? Private routed network? Can't seem to find much about it in my brief googling.

Oops. Accidentally hit post before adding any content. ;-)

Yes, it stands for Private Routed Network. It's a very interesting solution. Our hub sites would participate in OSPF with their network, while our spoke sites would use static routing. The PRN would have static routes pointing to our spoke sites and those statics would be redistributed into OSPF. The biggest downside to this is that we'd have to contact Qwest each time we added a new subnet at a branch, but I suppose that just means we'd need to plan ahead better.

This solution buys us a few things over our current frame relay network. Each site has a full pipe into the PRN instead of multiple PVCs sharing a single link, and we don't have to deal with CIR. From the perspective of our routers each site is one hop away from any other site. The combination of these features will allow us to proceed with VoIP throughout our network, which is not feasible with the current frame relay network.

John
Re: OT: Anyone using Qwest PRN ? [7:72704]
I think this actually is an MPLS VPN, of sorts. It's been fairly hard for me to get the nitty gritty details. As I see it, it's a layer 3 MPLS vpn with OSPF as our 'interface' to their network but I may be wrong about that. As someone else just mentioned, this service is expensive compared to frame relay. In fact, at the moment it's about twice the monthly cost, but we're quickly growing to a point where the frame network is not going to support our goals. This solution looks pretty slick, I must admit.

John

Chuck Whose Road is Ever Shorter 7/21/03 1:50:51 PM

so, John, whatever happened to the MPLS network they were trying to sell you a while back? what advantage does PRN have vis a vis MPLS such that Qwest is no longer trying to convince you to buy it? inquiring minds need to know :-

John Neiberger wrote in message news:[EMAIL PROTECTED]

Peter van Oene wrote: At 04:31 PM 7/21/2003 +, John Neiberger wrote:

Are any of you using Qwest PRN? If so, I have a few questions for you:
1. How do you like it so far?
2. Did you migrate from something else? If so, how did the migration go?
3. Any 'gotchas' that you learned later that you wish you'd learned sooner?
4. How does the service compare to what you were using before?
5. How many sites do you have? Is this solution scaling well for you?

Hey John, What is PRN? Private routed network? Can't seem to find much about it in my brief googling.

Oops. Accidentally hit post before adding any content. ;-)

Yes, it stands for Private Routed Network. It's a very interesting solution. Our hub sites would participate in OSPF with their network, while our spoke sites would use static routing. The PRN would have static routes pointing to our spoke sites and those statics would be redistributed into OSPF. The biggest downside to this is that we'd have to contact Qwest each time we added a new subnet at a branch, but I suppose that just means we'd need to plan ahead better.

This solution buys us a few things over our current frame relay network. Each site has a full pipe into the PRN instead of multiple PVCs sharing a single link, and we don't have to deal with CIR. From the perspective of our routers each site is one hop away from any other site. The combination of these features will allow us to proceed with VoIP throughout our network, which is not feasible with the current frame relay network.

John
Re: OT: Anyone using Qwest PRN ? [7:72704]
Peter van Oene 7/21/03 3:26:30 PM

Oops. Accidentally hit post before adding any content. ;-) Yes, it stands for Private Routed Network. It's a very interesting solution. Our hub sites would participate in OSPF with their network, while our spoke sites would use static routing. The PRN would have static routes pointing to our spoke sites and those statics would be redistributed into OSPF.

Cool. I thought it was an IP VPN based network, but wasn't completely sure. You might consider BGP at the hub site just to isolate your hub. If they whack up their PE box and give you way too many routes, it might become painful. Usually I recommend the provider ask the customer to run BGP or RIP vs OSPF for this reason, but it makes sense from the customer's perspective as well. This also mitigates some messy backdoor scenarios that come up when spokes gain spoke-to-spoke or non-VPN spoke-to-hub connections.

They mentioned that iBGP was an option but given our network design this would complicate matters, at least as I understand it.

The biggest downside to this is that we'd have to contact Qwest each time we added a new subnet at a branch, but I suppose that just means we'd need to plan ahead better.

Spoke wise, can you not pre-provision some aggregate blocks to the spokes in line with growth expectations? This would ease your provisioning pain. I'd ask for portal capability for this as well (spoke static route adds). They likely don't have it, but it isn't that hard to do and would likely be consistent with stuff they may already be considering. In other words, they won't likely be able to do it, but you might help them make it happen sooner than later.

To some extent we can preprovision, especially if we stick to our addressing scheme! Portal capability would be nice. I'll have to ask them about that. Right now, route adds require a telephone call, or possibly an email. If I had some web-based control, for example, I'd be quite thrilled.

I should note that I'm not directly familiar with their offering.

This solution buys us a few things over our current frame relay network. Each site has a full pipe into the PRN instead of multiple PVCs sharing a single link, and we don't have to deal with CIR. From the perspective of our routers each site is one hop away from any other site. The combination of these features will allow us to proceed with VoIP throughout our network, which is not feasible with the current frame relay network.

I take it sharing routing information wasn't a big concern for your company? It seems to be for some, but I never saw the risk myself.

It was a concern for a moment, but upon further reflection we decided that we're not really any worse off than we are right now. We're already at the mercy of the provider, and if they have people internally who are willing to attempt to gain useful information from our network connections then we're in trouble already.

John
IS-IS and IOS ver. 11.1 [7:72648]
I am trying to implement IS-IS for study on the first of three routers in my home lab (3x 2501 routers) with IOS 11.1 and having some difficulty. When I look at the configuration guide on Cisco's web site, the first command that needs to be entered in config mode is router isis. Usually with all other routing protocols like RIP or OSPF, it puts you into a config-router mode to continue configuration. To my dismay, I type router isis and nothing happens (no config-router mode). I check the running-config and indeed nothing has happened. Without this I can't go any further. On the 2522 router running 12.2 at work, it seems to work just fine. Anyone have any ideas? Thanks.

Acer0001

---
Cisco Internetwork Operating System Software
IOS (tm) 3000 Software (IGS-I-L), Version 11.1(24a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 09-Mar-01 19:43 by pnicosia
Image text-base: 0x03020728, data-base: 0x1000
ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
Router uptime is 59 minutes
System restarted by power-on
System image file is flash:igs-i-l.111-24a.bin, booted via flash
cisco 2500 (68030) processor (revision F) with 4096K/2048K bytes of memory.
Processor board ID 04854501, with hardware revision
Bridging software.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
1 Ethernet/IEEE 802.3 interface.
2 Serial network interfaces.
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname Router
!
interface Ethernet0
 ip address 192.168.1.10 255.255.255.0
!
interface Serial0
 ip address 10.0.0.20 255.0.0.0
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
no ip classless
logging buffered
!
line con 0
line aux 0
line vty 0 4
 login
!
end
Command rejected: FastEthernet5/14 not an access port. [7:72674]
Hi all, I am wishing to implement port security on my 4006 + supIII using Version 12.1(13)EW1. I tried to enter the command:

SYD_CORE1(config)#int fastEthernet 5/14
SYD_CORE1(config-if)#switchport port
SYD_CORE1(config-if)#switchport port-security max
SYD_CORE1(config-if)#switchport port-security maximum 2 ?
SYD_CORE1(config-if)#switchport port-security maximum 2
Command rejected: FastEthernet5/14 not an access port.

I then confirmed my config for the port:

interface FastEthernet5/14
 description a computer internal
 switchport access vlan 11
 no snmp trap link-status

Can any one tell me why I would get the error? I have tried this on a few ports now and got the same error every time. I looked on the cisco site and around deja, and found nothing about the error. Can any one provide some help

John

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.solution6.com **
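An added example, not from the post or any reply on the page, of the port configuration that port security expects on this platform: "switchport access vlan 11" only sets the access VLAN, it does not take the port out of the default dynamic trunking mode, and Catalyst 4000/4500 IOS accepts port security only on a port statically configured as an access port, which is what the "not an access port" rejection reports. The interface, VLAN and limit are the ones from the post; the violation action is a hardening choice of mine.

```cisco
! Added example; assumes Catalyst 4000 Cisco IOS (12.1 EW train).
! Port security is accepted only once the port is a static access port,
! so "switchport mode access" must come before the port-security lines.
interface FastEthernet5/14
 description a computer internal
 switchport mode access
 switchport access vlan 11
 switchport port-security
 switchport port-security maximum 2
 ! restrict drops frames from extra MACs and counts them instead of
 ! err-disabling the port (the default action is shutdown)
 switchport port-security violation restrict
 no snmp trap link-status
```

After applying it, 'show port-security interface fastEthernet 5/14' reports the port status, the configured maximum and the violation count, which is the counter to watch if you alert on it.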
Re: IS-IS and IOS ver. 11.1 [7:72648]
Thanks for the reply. I had a hunch, but wasn't sure... Why not remove the command from the config mode if it can't be used in a certain version? Go figure... I guess it's off to more memory and get 12.2 IOS loaded. ;)

John
RE: a really big bug [7:72463]
On Dec 7, 2:55pm, Kazan, Naim wrote:
} Cisco advised us of a new catastrophic bug CSCeb56052 within the new IOS.

I tried looking that one up and got an error saying that it couldn't be displayed.

}-- End of excerpt from Kazan, Naim
Re: a really big bug [7:72463]
Oh man... Now Fred *and* Pete are on this list? What is happening to this place?? :-) It's good to see both of you here.

John

Peter Benac 7/18/03 6:20:47 AM

I am glad you are not representative of the current Cisco Culture. Your attitude in this matter really is not acceptable and I would hope that Cisco's attitude would be better. Any exploit hypothetical or not quickly spreads across the internet faster than Bill Gates can find another security flaw in Windows. My Solaris Servers that face the internet are under constant bombardment from would be windows script kiddies. It doesn't matter to them whether I have a Solaris System or a Windows System. They want to be real hackers and will try anything that is posted. This applies to other systems as well. Cisco has the major market share and therefore is the primary target.

Cisco is not Microsoft, and never has been. They have always put their flaws right in people's faces. The infamous SNMP bug was published and fixed long before CERT published it. Cisco has a PSIRT team whose sole function in life is security risk assessment. I have never known Cisco to call a potential Security threat Entertainment. Perhaps we should send your response to this to John Chambers and see what he will say. I still remember his e-mail address since I too am an ex-cisco employee.

Regards, Pete

Peter P. Benac, CCNA Emacolet Networking Services, Inc Providing Systems and Network Consulting, Training, Web Hosting Services Phone: 919-847-1740 or 866-701-2345 Web: http://www.emacolet.com Need quick reliable Systems or Network Management advice visit http://www.nmsusers.org To have principles... First have courage.. With principles comes integrity!!! I sincerely hope that Cisco is not becoming Microsoft.
Re: 3524XL Error Message [7:72563]
Firesox 7/18/03 6:03:15 AM

Folks, I am troubleshooting the 3524XL and get the following message at the boot.

C3500XL POST FAILURE: front-end post: GigabitEthernet0/2:
C3500XL POST FAILURE: looped-back packet not received

It is connected to 2950G-24. 2950 is seeing the 3524XL via CDP, but not vice versa. Has anyone seen this error message/condition? Thanks in advance.

http://www.cisco.com/warp/public/473/164.html#topicsub1

It appears that your 3500XL has faulty hardware on that interface. If this is a new switch you need to return it with an RMA, or you can get a replacement if you have it under contract.

HTH, John
Speaking of PIX Translation Problems... [7:72573]
I thought I'd share an embarrassing moment from yesterday in hopes that others will learn from my mistake.

I have a router on the outside of a firewall that needed to be upgraded after the advisory yesterday. In order to reach the TFTP server I needed to add a static translation in the PIX. No problem. I should also mention that this server is one of our internal DNS servers. The file transfer doesn't take long at all and I remove the conduit and static translation from the PIX as soon as I'm done. As far as I'm concerned this is the end of it. I was wrong.

We later start receiving reports that certain web pages have become inaccessible, while others are still responding. My first thought is that I've hosed something with the IOS upgrade, but after checking things out I was satisfied that everything there was working properly. So, I check the firewall logs which leads me to check the xlate table. Lo and behold, the static translation that I'd previously added--and removed--is still there! [I hear knowing laughter already.] It's in the table but somehow traffic is being hosed. Our DNS server is sending queries to our external server and replies are coming back, but something is wrong and communications continue to fail. I clear the xlate table and all is immediately fixed.

This caused a fair amount of irritation with me but my boss was even more irritated. I presumed this was a 'feature' or a bug because it was my _assumption_ that the removal of the static translation from the config would also clear it from the xlate table. Wrong! I looked up the command on CCO and there is this little tidbit:

Usage Guidelines
The clear xlate command clears the contents of the translation slots. (xlate means translation slot.) The show xlate command displays the contents of only the translation slots. Translation slots can persist after key changes have been made. Always use the clear xlate command after adding, changing, or removing the aaa-server, access-list, alias, conduit, global, nat, route, or static commands in your configuration.

So, there are two morals to this story. First, don't get into the habit of making assumptions about commands that you think you're familiar with, because there may be unforeseen consequences. Second, don't get into the habit of making changes to critical production equipment even when you think those changes are insignificant. Of course, I'll continue to make what I think are insignificant changes but I'm going to be a lot more careful in the future.

Let that be a lesson to you, John
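The change sequence from the story, written out as an added, annotated PIX 6.x command walk-through (my example, not the poster's config) so the stale-slot behaviour and the clear xlate step that should have followed the removal are visible side by side. Addresses are constructed placeholders: 192.0.2.10 is the outside router, 10.1.1.5 the inside TFTP/DNS server and 203.0.113.5 the temporary global address.

```cisco
: Added example, constructed addresses. PIX 6.x syntax, matching the
: conduit command used in the post; lines beginning with ":" are comments.
:
: --- 1. Open the temporary hole so the outside router can reach TFTP ---
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255
conduit permit udp host 203.0.113.5 eq 69 host 192.0.2.10
clear xlate
:
: --- 2. Copy the image from the router, then remove what was added ---
no conduit permit udp host 203.0.113.5 eq 69 host 192.0.2.10
no static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255
:
: Removing the static does not remove its translation slot. The slot
: still maps 10.1.1.5 <-> 203.0.113.5, so the DNS server's outbound
: queries keep leaving under the old global address instead of the
: PAT/global address the rest of the config expects, and replies break.
show xlate
:
: --- 3. The step that was missing: drop the slots after the change ---
clear xlate
show xlate
```

clear xlate drops every translation slot, so active sessions through the firewall are reset as well; do it as part of the same change window as the static removal, not as the emergency fix later.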
Re: a really big bug [7:72463]
Zsombor Papp 7/18/03 8:40:09 AM

Perhaps you slightly misunderstood my attitude and are jumping to conclusions so that you can put a convenient label on me.

From my vantage point this does seem to be a misunderstanding among those involved. I don't think people were trying to label you, per se, they just sensed that you were 'copping an attitude' when it sounds like you weren't. My vote is that we chalk it up to misunderstanding, knowing that postings and emails often don't do a great job of conveying intent or emotion.

Regarding your change of address, I'd prefer that you stick with the Cisco address. There are a few participants that work for Cisco and we all understand that they participate for personal reasons, not as official representatives of Cisco. Besides, the last thing we need is more Yahoo users. ;-)

Regards, John

I am not saying that Cisco should keep security problems a secret, rather that dissemination of information about sensitive issues posing a security threat to many should be carefully considered and coordinated. If you have access to the applicable bug reports, you will see that it was exactly the PSIRT team who carefully edited/removed all enclosures to make sure that the information necessary to reproduce the attack is not easily extracted. All the protocol names were replaced by XXX, for example. Personally, I was impressed by the thorough job they did. The only hints I could find were the code diffs. Now, does this mean that Cisco wants to hide the problems? Not at all. As you say, Cisco has always been good at publishing security flaws. The Security Advisory in question is still being updated, too. So I think Cisco has deserved some patience and the right to decide when to publish what information.

Having said that, I am not writing to this mailing list as a representative of Cisco. What I say is my personal opinion (and believe it or not, it is not influenced by the fact that I work for Cisco -- only what I do *not* say is influenced by that fact). I am using my Cisco email because it is convenient. I have hoped that people on this list are mature enough to realize this, but perhaps I was wrong. I will switch to Yahoo now.

Perhaps we should send your response to this to John Chambers and see what he will say.

Will you also tell your daddy/bigger brother about me? :)

Thanks, Zsombor

At 11:43 AM 7/18/2003 +, Peter Benac wrote: I am glad you are not representative of the current Cisco Culture. Your attitude in this matter really is not acceptable and I would hope that Cisco's attitude would be better. Any exploit hypothetical or not quickly spreads across the internet faster than Bill Gates can find another security flaw in Windows. My Solaris Servers that face the internet are under constant bombardment from would be windows script kiddies. It doesn't matter to them whether I have a Solaris System or a Windows System. They want to be real hackers and will try anything that is posted. This applies to other systems as well. Cisco has the major market share and therefore is the primary target. Cisco is not Microsoft, and never has been. They have always put their flaws right in people's faces. The infamous SNMP bug was published and fixed long before CERT published it. Cisco has a PSIRT team whose sole function in life is security risk assessment. I have never known Cisco to call a potential Security threat Entertainment. Perhaps we should send your response to this to John Chambers and see what he will say. I still remember his e-mail address since I too am an ex-cisco employee. Regards, Pete

Peter P. Benac, CCNA Emacolet Networking Services, Inc Providing Systems and Network Consulting, Training, Web Hosting Services Phone: 919-847-1740 or 866-701-2345 Web: http://www.emacolet.com Need quick reliable Systems or Network Management advice visit http://www.nmsusers.org To have principles... First have courage.. With principles comes integrity!!! I sincerely hope that Cisco is not becoming Microsoft.
Static Routes and Administrative Distance [7:72495]
I accidentally deleted the posting about this but I wanted to make a point. It's been said that a static route has an AD of 1 unless it points directly out an interface, in which case it has an AD of 0. Sasa just mentioned that this has been discussed in the past and is a myth. However, I'd like to agree with the 'myth'. A directly connected route has an AD of 0. If you create a static route pointing directly out an interface, that route will show up as directly connected in the routing table, and would therefore have an AD of 0. In fact, if you look at a static route you'll see the usual [AD/metric] listed as [1/0]. However, if you look at a static route pointing out an interface this is missing. This is because the router treats that route as if it were directly connected to the interface. If I'm wrong about this--and I certainly might be--please let me know where my reasoning is incorrect.

Regards,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72495t=72495
Re: Static Routes and Administrative Distance [7:72495]
John Neiberger 7/17/03 12:12:42 PM

I accidentally deleted the posting about this but I wanted to make a point. It's been said that a static route has an AD of 1 unless it points directly out an interface, in which case it has an AD of 0. Sasa just mentioned that this has been discussed in the past and is a myth. However, I'd like to agree with the 'myth'. A directly connected route has an AD of 0. If you create a static route pointing directly out an interface, that route will show up as directly connected in the routing table, and would therefore have an AD of 0. In fact, if you look at a static route you'll see the usual [AD/metric] listed as [1/0]. However, if you look at a static route pointing out an interface this is missing. This is because the router treats that route as if it were directly connected to the interface. If I'm wrong about this--and I certainly might be--please let me know where my reasoning is incorrect.

Regards,
John

Never mind, I've answered my own question by testing. A static route definitely has an AD of 1 regardless of the destination. If you simply do a show ip route static you won't see an administrative distance listed; it will show as directly connected. However, if you look at a specific static route, like 'show ip route 10.1.1.1', no matter which destination you used it will look like this:

    Router#sho ip route 20.1.1.1
    Routing entry for 20.1.1.1/32
      Known via "static", distance 1, metric 0 (connected)
      Redistributing via eigrp 1
      Routing Descriptor Blocks:
      * 172.16.10.75
          Route metric is 0, traffic share count is 1
        directly connected, via Ethernet0/2
          Route metric is 0, traffic share count is 1

This output is caused by having both flavors of static route in the routing table at the same time. If the AD of one of them was actually zero it would be the only one listed. In this case, they both have an AD of 1.
Regards,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72500t=72495
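Reading the administrative distance out of the detailed output above is easy to automate. The following Python parser is an added example, not code from the post or from Cisco: it takes the post's 'show ip route 20.1.1.1' output (embedded here as a constructed sample string) and pulls out the prefix, the protocol, the distance and metric from the 'Known via' line, and one entry per descriptor block, so the next-hop flavour and the interface-pointing flavour of a static route can be compared programmatically. The field names in the returned dict and the regular expressions are my own assumptions about the output format shown in the post.

```python
import re

# Sample output copied from the post above (constructed string for this example).
SAMPLE = """\
Router#sho ip route 20.1.1.1
Routing entry for 20.1.1.1/32
  Known via "static", distance 1, metric 0 (connected)
  Redistributing via eigrp 1
  Routing Descriptor Blocks:
  * 172.16.10.75
      Route metric is 0, traffic share count is 1
    directly connected, via Ethernet0/2
      Route metric is 0, traffic share count is 1
"""

ENTRY_RE = re.compile(r"Routing entry for (\S+)")
KNOWN_RE = re.compile(r'Known via "?([\w-]+)"?, distance (\d+), metric (\d+)')
REDIST_RE = re.compile(r"Redistributing via (.+)")
CONNECTED_RE = re.compile(r"directly connected, via (\S+)")
NEXTHOP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:, via (\S+))?")
METRIC_RE = re.compile(r"Route metric is (\d+), traffic share count is (\d+)")


def parse_route_entry(text):
    """Parse one 'show ip route <prefix>' routing entry into a dict.

    distance/metric come from the 'Known via' line, which is where the AD is
    printed even for a static route that points out an interface; each
    descriptor block becomes one path dict (type 'next-hop' or 'connected').
    """
    entry = {"prefix": None, "protocol": None, "distance": None,
             "metric": None, "redistributed_into": [], "paths": []}
    in_blocks = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.search(line):
            entry["prefix"] = m.group(1)
        elif m := KNOWN_RE.search(line):
            entry["protocol"] = m.group(1)
            entry["distance"] = int(m.group(2))
            entry["metric"] = int(m.group(3))
        elif m := REDIST_RE.search(line):
            entry["redistributed_into"].append(m.group(1))
        elif line.startswith("Routing Descriptor Blocks"):
            in_blocks = True
        elif in_blocks:
            last_used = line.startswith("*")   # the asterisk marks the last path used
            line = line.lstrip("* ")
            if m := CONNECTED_RE.search(line):
                entry["paths"].append({"type": "connected", "interface": m.group(1),
                                       "last_used": last_used})
            elif m := NEXTHOP_RE.match(line):
                entry["paths"].append({"type": "next-hop", "address": m.group(1),
                                       "interface": m.group(2), "last_used": last_used})
            elif (m := METRIC_RE.search(line)) and entry["paths"]:
                # metric lines belong to the descriptor block just above them
                entry["paths"][-1]["metric"] = int(m.group(1))
                entry["paths"][-1]["share"] = int(m.group(2))
    return entry


if __name__ == "__main__":
    parsed = parse_route_entry(SAMPLE)
    print(parsed["prefix"], parsed["protocol"], "AD", parsed["distance"])
    for path in parsed["paths"]:
        print("  ", path)
```

Both descriptor blocks come back under the single distance of 1 that the 'Known via' line reports, which is the point John's test established: the interface-pointing static route is listed as connected but is not at AD 0.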
Re: a really big bug [7:72463]
Cisco has updated the advisory, to version 1.3, which includes a great deal more detail regarding the vulnerability.

Priscilla Oppenheimer wrote:

It sounds like this is a hypothetical packet and situation that Cisco quality assurance discovered. I thought it was something already being exploited, but it doesn't sound like it. In that case, I guess I support Cisco not telling us more about it. It's sort of an age-old security question of how much info to publish. The info would help the white hats, but also the black hats. Unfortunately, I can't look at bug reports (even with my guest access!?) Maybe there's more in the bug reports. I still want to know more about these packets. :-) But I guess I'll have to do more research

Priscilla

M.C. van den Bovenkamp wrote:

Duncan Maccubbin wrote:

I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away. He said that the packet was extremely difficult to create and the person would have to be a genius to make it.

As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about...

Regards,
Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72541t=72463
Slightly OT: Corrupted Emails on POP Server [7:72397]
I ran into this problem a couple of days ago and I'm interested if anyone else has experienced something similar. I opened up my email client at home the other day and noticed that it was continually downloading the same messages over and over again. It would get to the same message each time and the POP server would stop responding and those messages were not removed from the server. So, several minutes later the cycle would repeat. I called Comcast tech support and they said that I must have a corrupted email on the server. The solution was to log in with the web-based mail utility and delete the offending message. I never did figure out which message was the culprit so I deleted all of them. This has resolved the problem but I can't figure out what would have caused the problem to begin with. What sort of 'corruption' could occur to an email that would cause this sort of behavior?

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72397t=72397
Slow File Transfers After Server Upgrade [7:72402]
We have a Windows server connected to a 6513 at 100/Full that does nightly backups (about 20GB) to a Solaris server connected to the same switch via gigabit ethernet. Prior to a recent upgrade the Windows server could upload approximately 5MBytes/s to the Solaris server. The Solaris server was replaced with much faster hardware and the OS was upgraded from Solaris 8 to Solaris 9. Novell servers doing backups to this server have continued to upload at about the same speed as before, while other Solaris servers seem to be uploading faster than before. The weird thing is that the Windows server uploads have dropped in speed by about 80%! We now see only about 1MB/s. This drop was seen on all Windows servers doing backups to this Solaris server. My guess is that there is some funky issue with TCP between Windows and Solaris 9. I'm going to capture some transfers to see if I can spot the problem. Any ideas on what to look for right off the bat? Any tips from anyone who has seen this sort of thing before?

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72402t=72402
RE: Slightly OT: Corrupted Emails on POP Server [7:72397]
That's very interesting, and it sounds like exactly what I was experiencing. If it ever happens again I'll try harder to find the offending email to see if this is the issue.

Many thanks,
John

Vijay Ramcharan 7/16/03 11:11:47 AM

I once had a similar problem that was being caused by version 3.0x of Symantec's Antivirus/Filtering software which ran on Exchange. Our Windows users had no problems receiving mail but our Mac users ran into a problem where a message that was flagged as spam and had its body replaced was incorrectly being terminated. The user would get all messages up to the offending one but couldn't get past it. The only solution at the time was to delete the offending message using Outlook Web Access or log in using MAPI on a PC. Symantec has since corrected the problem.

--- Excerpt from Symantec's Knowledge Base

POP3 session hangs while retrieving mail

Symptom: A POP3 mail client (for example, Outlook Express) stops responding while retrieving one or more messages that were modified by Symantec AntiVirus/Filtering for Microsoft Exchange with a text substitution. This problem only affects single-part MIME messages formatted as HTML or RTF. Microsoft Outlook and Outlook Express cannot send messages in this format, so the problem is only seen in mail sent with other mail clients.

Solution: POP3 messages must end with a period (.) on a new line. When Symantec AntiVirus/Filtering for Microsoft Exchange replaces an attachment or message body, it appends a carriage return (CR) to the substituted text. However, if the source format of the message was HTML or RTF, Symantec AntiVirus/Filtering for Microsoft Exchange was converting the CR to <br> for HTML or /par for RTF. This caused the message to hang when retrieved with a POP3 mail client, because the final period (.) was no longer on a new line. The code was fixed to add the CR after the message is converted to HTML or RTF. This ensures that the final period (.) is on a new line.
Vijay Ramcharan, MCSE, CCNP/DP

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 16, 2003 11:19 AM
To: [EMAIL PROTECTED]
Subject: Slightly OT: Corrupted Emails on POP Server [7:72397]

I ran into this problem a couple of days ago and I'm interested if anyone else has experienced something similar. I opened up my email client at home the other day and noticed that it was continually downloading the same messages over and over again. It would get to the same message each time and the POP server would stop responding and those messages were not removed from the server. So, several minutes later the cycle would repeat. I called Comcast tech support and they said that I must have a corrupted email on the server. The solution was to login with the web-based mail utility and delete the offending message. I never did figure out which message was the culprit so I deleted all of them. This has resolved the problem but I can't figure out what would have caused the problem to begin with. What sort of 'corruption' could occur to an email that would cause this sort of behavior?

Thanks,
John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72413t=72397
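The framing rule the Symantec excerpt describes is worth seeing in bytes. The following Python is an added illustration, not code from the thread or from Symantec: it frames a RETR response the way a conforming POP3 server does (byte-stuffing leading dots and ending with a lone '.' line), models the described defect where the line break before the terminator becomes a '<br>' so the period is no longer on its own line, and parses both with a client-side reader that reports whether the terminator was ever seen. The sample messages and the filter's substitution text are constructed for this example.

```python
"""POP3 multi-line response framing (RFC 1939) and the KB's failure mode.
Added illustration with constructed sample messages; not code from the thread."""

CRLF = b"\r\n"


def frame_retr_response(message: bytes) -> bytes:
    """Frame a message as a conforming POP3 server answers RETR: byte-stuff lines
    that start with '.', make sure the body ends with CRLF, then append the lone
    '.' terminator line. The CRLF check is the equivalent of the fix the KB
    describes (add the line break after any content conversion, not before)."""
    stuffed = [b"." + l if l.startswith(b".") else l for l in message.split(CRLF)]
    body = CRLF.join(stuffed)
    if not body.endswith(CRLF):
        body += CRLF
    return b"+OK message follows" + CRLF + body + b"." + CRLF


def frame_retr_response_broken(headers: bytes, substitution: bytes) -> bytes:
    """Model of the defect: the filter appends a line break to the substituted
    body, but the HTML conversion turns that break into '<br>', so the server's
    terminating '.' ends up on the same line as the content."""
    body = headers + CRLF + substitution + b"<br>"
    return b"+OK message follows" + CRLF + body + b"." + CRLF


def read_multiline(stream: bytes):
    """Client side: parse a RETR response into (message, complete).

    complete=False means the lone-dot terminator never appeared; a real client
    keeps waiting for more data at this point, which is the hang the thread
    describes (and the server eventually drops the session, so nothing is
    deleted and the same messages are downloaded again on the next poll)."""
    nl = stream.find(CRLF)
    if nl < 0 or not stream.startswith(b"+OK"):
        raise ValueError("not a positive multi-line response")
    rest, pos, lines = stream[nl + 2:], 0, []
    while pos < len(rest):
        end = rest.find(CRLF, pos)
        if end < 0:
            break                      # partial line: no terminator yet
        line, pos = rest[pos:end], end + 2
        if line == b".":
            return CRLF.join(lines) + CRLF, True
        if line.startswith(b".."):
            line = line[1:]            # undo byte-stuffing
        lines.append(line)
    return CRLF.join(lines), False


if __name__ == "__main__":
    good = frame_retr_response(b"Subject: hi" + CRLF + CRLF + b".hidden" + CRLF + b"bye" + CRLF)
    print("conforming:", read_multiline(good)[1])
    bad = frame_retr_response_broken(b"Subject: hi" + CRLF, b"[body removed by filter]")
    print("converted:", read_multiline(bad)[1])
```

The reader treats the terminator as a whole line, exactly as the protocol requires, so a '.' that follows '<br>' on the same line is ordinary message text and the response never completes; the conforming framer avoids that by checking for the trailing CRLF after all content substitution is done.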
RE: do you know why? [7:72352]
PIXes, at least with previous releases, are highly directional in nature and will apply a different set of rules depending on the origin of the traffic. For example, traffic originating on an 'inside' interface is subject to far fewer restrictions, by default, whereas traffic originating on the outside is blocked by default. As has already been mentioned, ICMP has another set of rules that need to be dealt with in addition to the usual rules.

John

Wilmes, Rusty 7/16/03 11:31:51 AM

I'd think that if it was an access list that it would either work or not work but NOT not work until you try it from the other side.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 8:23 PM
To: [EMAIL PROTECTED]
Subject: Re: do you know why? [7:72352]

I'm not very familiar with the newer releases of PIX software, but do you have to enable ICMP on those interfaces? It looks to me like you only have ICMP allowed going one direction. This is a very common problem and easily fixed. Also, if something is being blocked it should be apparent from the logs why it was blocked.

HTH,
John

- Original Message -
From: Vajira Wijesinghe
To:
Sent: Tuesday, July 15, 2003 4:23 PM
Subject: do you know why? [7:72352]

I have a PIX firewall and I have a strange problem. If any one of you has come across this, please let me know the solution. I have a few servers at both sides of the PIX, e.g. Server-A at the Outside zone and Server-B at the Inside zone.

1. When I ping from Server-B to Server-A, I get request timeout.
2. Now I go to Server-A and start a ping to Server-B. It works fine.
3. Then again I go back to Server-B to ping to Server-A, and now it starts pinging!!!

Can any one of you explain this??? I need to get this thing resolved and straight away ping from B to A.

Thanks.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72417t=72352
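The directional behaviour John describes (inside-originated traffic allowed by default, outside-originated traffic denied unless an access list permits it, and ICMP needing its own explicit rule on the older releases) as an added Python model, not code from the thread or from Cisco. The interface names, security levels, the tuple-based ACL syntax and the simplification that ICMP gets no state entry are assumptions of this example. It reproduces the first symptom in Vajira's post: the echo from the inside host is let out, but the echo-reply is dropped on the outside interface until an explicit permit exists, whereas a TCP exchange in the same direction succeeds because the state table admits the return traffic.

```python
"""Toy model of security-level based, directional filtering. Added illustration;
interface names, levels, ACL tuples and the no-ICMP-state rule are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    in_iface: str         # interface the packet arrives on
    icmp_type: str = ""   # "echo" or "echo-reply" when proto == "icmp"


@dataclass
class Firewall:
    levels: dict                                 # iface -> security level (100 = most trusted)
    networks: dict                               # iface -> ip_network reachable through it
    acls: dict = field(default_factory=dict)     # iface -> [(proto, src_net, dst_net, icmp_type)]
    conns: set = field(default_factory=set)      # (proto, src, dst) of permitted tcp/udp flows

    def egress(self, dst):
        """Pick the outgoing interface by longest-prefix match."""
        addr = ip_address(dst)
        iface, _ = max(((i, n) for i, n in self.networks.items() if addr in n),
                       key=lambda p: p[1].prefixlen)
        return iface

    def acl_permits(self, pkt):
        for proto, src, dst, itype in self.acls[pkt.in_iface]:   # "any" is a wildcard
            if proto != "any" and proto != pkt.proto:
                continue
            if src != "any" and ip_address(pkt.src) not in ip_network(src):
                continue
            if dst != "any" and ip_address(pkt.dst) not in ip_network(dst):
                continue
            if pkt.proto == "icmp" and itype != "any" and itype != pkt.icmp_type:
                continue
            return True
        return False                              # implicit deny at the end of an ACL

    def process(self, pkt):
        """Return 'permit' or 'deny'; record state for permitted tcp/udp only."""
        if pkt.proto != "icmp" and (pkt.proto, pkt.dst, pkt.src) in self.conns:
            return "permit"                       # return traffic of an established flow
        if pkt.in_iface in self.acls:
            allowed = self.acl_permits(pkt)       # an applied ACL replaces the default
        else:                                     # default: higher level may talk to lower
            allowed = self.levels[pkt.in_iface] > self.levels[self.egress(pkt.dst)]
        if allowed and pkt.proto != "icmp":
            self.conns.add((pkt.proto, pkt.src, pkt.dst))
        return "permit" if allowed else "deny"


def build(permit_echo_reply):
    """Two-interface firewall; optionally add the explicit echo-reply permit."""
    fw = Firewall(levels={"inside": 100, "outside": 0},
                  networks={"inside": ip_network("10.0.0.0/8"),
                            "outside": ip_network("0.0.0.0/0")})
    if permit_echo_reply:
        fw.acls["outside"] = [("icmp", "any", "any", "echo-reply")]
    return fw


def ping_exchange(fw, inside_host, outside_host):
    """Verdicts for an echo from inside and its reply arriving on outside."""
    echo = Packet("icmp", inside_host, outside_host, "inside", "echo")
    reply = Packet("icmp", outside_host, inside_host, "outside", "echo-reply")
    return fw.process(echo), fw.process(reply)


def tcp_exchange(fw, inside_host, outside_host):
    """Same pair of packets for TCP, where the state table lets the reply back in."""
    syn = Packet("tcp", inside_host, outside_host, "inside")
    synack = Packet("tcp", outside_host, inside_host, "outside")
    return fw.process(syn), fw.process(synack)


if __name__ == "__main__":
    print("ping, no ICMP permit:", ping_exchange(build(False), "10.1.1.5", "192.0.2.10"))
    print("ping, echo-reply permitted:", ping_exchange(build(True), "10.1.1.5", "192.0.2.10"))
    print("tcp, no ACL at all:", tcp_exchange(build(False), "10.1.1.5", "192.0.2.10"))
```

The model also shows why Rusty's intuition about access lists is reasonable for TCP and UDP but not for ICMP here: a flow that created state is symmetric, while each ICMP packet is judged on its own, so the policy on the interface where the reply arrives decides whether the ping appears to work.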
ODR, was RE: CCDA: changes in syllabus. [7:72380]
The sixth module is on routing protocols. Top-Down Network Design would meet your needs there with a couple of exceptions. The new course covers IS-IS and On Demand Routing (ODR). (Does anyone really use ODR, I wonder??)

I've never heard of anyone using ODR. Anyone here know of anyone using ODR in a production environment? Are there any environments where ODR is recommended over other options?

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72418t=72380
Re: Slightly OT: Corrupted Emails on POP Server [7:72397]
Did you download the transition software? :-)

Other than this odd problem I haven't had any issues since the transition. I wasn't impressed with the amount of time I spent waiting for support, though.

John

annlee 7/16/03 3:38:55 PM

begin vent-- I am having continuing problems with comcast -- attbi was a *whole* lot better. My NAV has trouble scanning incoming or outgoing mail, though ZoneAlarm's MailSafe function has zero trouble. Oddly, my Outlook has tons more problems than my husband's Eudora client, though he also uses NAV. I expect to switch to another mail server and use comcast as nothing more than a dumb pipe. I think they may be able to handle that. --end vent

Annlee

James Gosnold wrote in message news:[EMAIL PROTECTED]

John,

I too would be interested to hear the thoughts of anyone knowledgeable on this. I just opened up your message after deleting the offending mail from our ISP's POP server too! One thing you can do to check out the offending mail in future is use a utility to pull down the mail called 'pullmail'. You can download it from these people: http://www.swsoft.co.uk/index.asp?page=freesoftware It runs a batch script so what you can do is start up a command prompt and run the script, it then shows the process mail by mail so you can see where it is bombing out and delete that mail only. Seems to relate quite often to the sender's address, not sure why but it does.

James.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72435t=72397