Re: a really big bug [7:72463]
Cisco has updated the advisory, to version 1.3, which includes a great deal more detail regarding the vulnerability.

Priscilla Oppenheimer wrote:

It sounds like this is a hypothetical packet and situation that Cisco quality assurance discovered. I thought it was something already being exploited, but it doesn't sound like it. In that case, I guess I support Cisco not telling us more about it. It's sort of an age-old security question of how much info to publish. The info would help the white hats, but also the black hats.

Unfortunately, I can't look at bug reports (even with my guest access!?) Maybe there's more in the bug reports. I still want to know more about these packets. :-) But I guess I'll have to do more research.

Priscilla

M.C. van den Bovenkamp wrote:

Duncan Maccubbin wrote:

I was on a conference call with Cisco and the Cisco rep felt we were overreacting by rushing to change our code right away. He said that the packet was extremely difficult to create and the person would have to be a genius to make it.

As we don't know exactly *what* you need to do, it's difficult to say whether he's right or not. But my gut says he's wrong; as soon as you *do* know, there are 'packetfactory'-tools enough about...

Regards,

Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72541t=72463
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Access-list ?? [7:71696]
Jans van Deventer wrote:

I have a 1600 router running a 12021 IP PLUS --- I have tried to add access-lists to block all sites incoming except 192.100.34.100-150. Can someone help with the correct lists.

- jvd wrote:

This is interesting. Obviously one solution is to deny the 50 hosts with 50 deny statements.

Since he wants to block all *except* the range of 50, wouldn't this be a better option?

access-list 110 permit ip 192.100.34.100 0.0.0.3 any ! 100-103
access-list 110 permit ip 192.100.34.104 0.0.0.7 any ! 104-111
access-list 110 permit ip 192.100.34.112 0.0.0.15 any ! 112-127
access-list 110 permit ip 192.100.34.128 0.0.0.15 any ! 128-143
access-list 110 permit ip 192.100.34.144 0.0.0.3 any ! 144-147
access-list 110 permit ip 192.100.34.148 0.0.0.1 any ! 148-149
access-list 110 permit ip 192.100.34.150 0.0.0.0 any ! 150
access-list 110 deny ip any any

-jm

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71767t=71696
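The range-to-wildcard split used in the reply above can be derived and checked mechanically. The following is an added example, not code from the thread: it splits an inclusive IPv4 range into aligned wildcard-mask entries, evaluates the resulting list with first-match semantics, and confirms that exactly .100 through .150 are permitted. All function names are hypothetical, and the destination `any` is an assumption about the intended filter.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def range_to_wildcard_blocks(first, last):
    """Split the inclusive range first..last into (base, wildcard) pairs.

    Greedy rule: at each step take the largest power-of-two block that is
    aligned on the current address and does not run past the end of the range.
    """
    lo, hi = _to_int(first), _to_int(last)
    if lo > hi:
        raise ValueError("first address must not be above last address")
    blocks = []
    while lo <= hi:
        size = (lo & -lo) or (1 << 32)      # largest block aligned at lo
        while size > hi - lo + 1:           # shrink until it fits the range
            size >>= 1
        blocks.append((str(ipaddress.IPv4Address(lo)),
                       str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return blocks


def wildcard_match(addr, base, wildcard):
    """True if addr equals base in every bit the wildcard mask does NOT cover."""
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def build_acl(first, last):
    """Permit the range, then the explicit 'deny ip any any' from the post."""
    acl = [("permit", b, w) for b, w in range_to_wildcard_blocks(first, last)]
    acl.append(("deny", "0.0.0.0", "255.255.255.255"))
    return acl


def first_match(acl, src):
    """Return the action of the first matching entry; implicit deny otherwise."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"


def render(acl, number=110):
    """Format entries as extended ACL lines (destination 'any' is assumed)."""
    lines = []
    for action, base, wildcard in acl:
        src = "any" if wildcard == "255.255.255.255" else f"{base} {wildcard}"
        lines.append(f"access-list {number} {action} ip {src} any")
    return lines


def permitted_last_octets(acl, prefix="192.100.34."):
    """Brute-force check: which hosts of the /24 does the ACL let through?"""
    return [h for h in range(256) if first_match(acl, f"{prefix}{h}") == "permit"]


if __name__ == "__main__":
    acl = build_acl("192.100.34.100", "192.100.34.150")
    print("\n".join(render(acl)))
    hosts = permitted_last_octets(acl)
    print("permitted:", hosts[0], "to", hosts[-1], "count", len(hosts))
    # A single misaligned entry does not mean "64 hosts starting at .100":
    # the masked bits are ignored, so it matches .64 through .127 instead.
    loose = [("permit", "192.100.34.100", "0.0.0.63")]
    loose_hosts = permitted_last_octets(loose)
    print("misaligned entry permits:", loose_hosts[0], "to", loose_hosts[-1])
```

The brute-force pass over the /24 is the useful habit here: it catches entries whose base address is not aligned to the wildcard mask, which silently widen or shift the permitted set.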
Re: OT/Look at the requirements of this position!! [7:71173]
Mike Mandulak wrote: .. and Openview and Sniffers and SNA and MVS and Unix and clusters and VAX and Concord and etc... You're probably right about the downsizing, if that's the case I pity the poor soul who takes the 4 jobs. BTDT, they gave me the tee-shirt. I burned mine, and I ain't goin back

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71232t=71173
Re: Bizzare Routing/VPN Issue [7:64301]
I can solve that issue with 4 stars

- Original Message -
From: The Long and Winding Road
To:
Sent: Monday, March 03, 2003 9:04 PM
Subject: Re: Bizzare Routing/VPN Issue [7:64301]

this is a complex situation that requires that you fly me out your way and pay my stay at a five star hotel and full salary plus travel bonus for the 6 to 8 weeks it will take me to solve the problem :-

--
TANSTAAFL
there ain't no such thing as a free lunch

John Brandis wrote in message news:[EMAIL PROTECTED]

Hi All,

I am sure one of you will see the problem and be able to offer a solution. I have 2 organisations here, one in Australia the other in NZ. In Australia, we have a hub and spoke point to multi-point config from the hub's perspective. I run OSPF and have all sites in area 0 (yes I know I should break this up so that each region forms its own area, but why at this time ??)

My problem, which only started this morning at 5am when the tech in NZ and I decided to up the encryption settings on the VPN, I think is related to routing, or related to a crypto map error. In Sydney, I use a cisco 3005 whilst the office initiating the IPSEC connection uses a little Watchguard box. Until this morning it was simple, I could see his local lan behind the remote peer, and he could see my local networks, but not the offices on my WAN (by design).

The goal of this morning was to permit NZ to be able to see all networks in Australia. We don't yet run a nice continuous IP scheme here (yet), so each network had to be declared line by line rather than a nice summary. We implemented this network by network. I enabled my NZ counterpart access to the Australian hub site and one of the spokes. That's when the problem started. We tried to put the next spoke site network list in the list of available networks, then it all fell to bits.

The problem now is that the guy in NZ can ping my spoke sites' routers, however from these spoke sites I can't ping him. I trace the packet, and watch it hop through my network with the last hop being the 3005 VPN concentrator that connects NZ to us. From there it times out... From my desk in the hub site in Australia, I can ping both the spoke site, and the NZ tech's PC. So at this stage I can confirm that the route that works from Sydney to NZ, has been redistributed via OSPF to my spoke sites, however it just does not appear to get through the tunnel, however the guy in NZ says he has 100% ping to my spoke sites.

Could anyone suggest where a possible problem could be? I can see IPSEC tunnels for the various networks and I can see traffic going across them, however I have no idea why I can't access anything across the VPN from my spoke sites. The NZ guy said all traffic from Australia has a permit statement. I can only see the problem as an access-list like problem on his end, as we had this working for the central site here (hub site) and for one of the spoke sites until we added more.

Would appreciate any help.

Thanks all

Johnny b

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64318t=64301
Re: Who likes BGP? [7:64123]
That's actually an accurate statement. From the White House's 'National Strategy to Secure Cyberspace', (iii) Border Gateway Protocol. Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale. BGP, along with IP and DNS were identified in their document as three key protocols whose security and reliability are Essential to the security of the Internet infrastructure. There has been a significant amount of work/discussion over the last few years to find ways to secure BGP so that some malicious/incompetent BGP-speaker couldn't create substantial black holes in the internet. As there is no global standard for using the Routing Registries, or any other registry-like entity, there is no global method in place for validating an announcer's authority for an AS, nor a prefix. Of course, like nearly anything else in our industry, there are a number of schools of thought on the Best Way (tm). There is also a new iteration of this discussion over on NANOG, I'm sure it will turn into yet another entertaining thread. -jm - Original Message - From: Amazing To: Sent: Friday, February 28, 2003 9:30 PM Subject: Re: Who likes BGP? [7:64123] LMAO the Bush Administration recently pointed to BGP as critical technology that needs to be secured. The Long and Winding Road wrote in message news:[EMAIL PROTECTED] Edwin R. Gonzalez wrote in message news:[EMAIL PROTECTED] I came across this article about BGP earlier today, check it out; http://news.com.com/2100-1009-990608.html yada yada yada :- the big point seems to be the misconfigured router incident, and it is highly unlikely that any system or protocol could have prevented that from happening. afterall, that router was trusted by it's neighbors, as it should have been. against stupidity the gods themselves contend in vain. ( OK, I agree in concept. 
but the article fails to make its case by citing idiocy as a driving factor )

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64152t=64123
Re: MPLS and CEF [7:62993]
MPLS uses the CEF table adjacencies in establishing a Label Switched Path. Additionally, each VPN Routing and Forwarding (VRF) uses a derived CEF table, in addition to its own forwarding table.

There's a pretty good list 'mpls-ops' hosted at mplsrc.com if you want to get more involved in MPLS. Jim Guichard is an active participant on the list so you can drill down about as deep as you want and get pretty good answers.

HTH,

John

- Original Message -
From: Anne Beatriz
To:
Sent: Friday, February 14, 2003 6:33 AM
Subject: Re: MPLS and CEF [7:62993]

Hello,

I think MPLS require CEF because some mechanisms like: Packets are switched in the interrupt code using the CEF cache (FIB table). It supports per-packet load balancing (previously only supported by process switching), per-source/destination load balancing (only supported by CEF switching), fast destination look-up and many other features not supported by other switching mechanisms. The FIB table is essentially a replacement for the standard routing table.

Regards!!

Anne

Router Kid wrote:

anyone knows why MPLS require CEF to be enable on the cisco routers ?

Regards!

Router Kid~!

Anne Beatriz [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63022t=62993
Re: Simple Ip issue (need help) [7:62728]
If you're asking what I think you're asking, then I think your answer is yes, but you won't be able to pass any traffic across the circuit. Unless you've confused me (it doesn't seem I would be the only one), then the answer might not be the same.

- Original Message -
From: Monu Sekhon
To:
Sent: Monday, February 10, 2003 12:13 AM
Subject: Simple Ip issue (need help) [7:62728]

Hi All,

I have very simple question. Can we use duplicate ips on serial interfaces among themselves, although we cannot use duplicate ip on serial with Ethernet (lan interface) or loopback interface.

My topology is like this

Client router          server router (connected back to back)
2 interfaces           2 interfaces

these routers connected back to back

configuration

int serial 0/0
 encap hdlc
 ip address 1.1.1.1 255.255.255.0
int serial 0/1
 ip address 1.1.1.1 255.255.255.0
 encap hdlc

now if all the two interfaces of serial even if given duplicate ip among themselves works fine. no error from cli. interfaces are up and i am able to ping remote side.

The ques is that

1) Lan interface also was in different subnet but serial interface does not accept that ips as duplicate or of loopback

2) What Implication such have on my design, any limitation it has

Does this type of design can be used? This small thing is confusing me about ip.

Thanx in advance

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62759t=62728
Re: Distribute-list out in ISIS - NOT working!!....Why?? [7:62672]
I know I said earlier this doesn't work, but I was doing some other testing in the lab today, and we use IS-IS as our IGP, so I decided to play with this for fun. IOS is 12.0(23)S1, on a 12016, the neighbor is a Cat6k-MSFC2 running 12.1(8a)E5, adjacency is across SRP, so YMMV

router isis advanced
 redistribute connected route-map ISIS_Deny_Redist
 net 49.2901.1720.3124.0065.00
 metric-style wide
 no hello padding
!
route-map ISIS_Deny_Redist deny 10
 match ip address ISIS-test
!
route-map ISIS_Deny_Redist permit 20
!
ip access-list standard ISIS-test
 permit 172.30.150.0

The routes we're redistributing

CR1ADVMO#sh ip ro connected
     66.0.0.0/8 is variably subnetted, 13 subnets, 4 masks
C       66.189.240.16/28 is directly connected, GigabitEthernet9/0
C       66.189.240.32/28 is directly connected, SRP1/0
C       66.189.240.128/28 is directly connected, FastEthernet2/4
C       66.189.240.252/30 is directly connected, FastEthernet2/0
     172.31.0.0/32 is subnetted, 10 subnets
C       172.31.240.65 is directly connected, Loopback0
     172.30.0.0/16 is variably subnetted, 18 subnets, 6 masks
C       172.30.150.0/30 is directly connected, POS7/2
C       172.30.159.252/30 is directly connected, POS6/0

Let's go find a neighbor.

CR1ADVMO#sh clns is-neighbors
System Id      Interface   State  Type Priority  Circuit Id         Format
TS1ADVMO       SR1/0       Up     L1L2 64/64     TSK1ADVMO.02       Phase V
SWC1ADVMO      Fa2/4       Up     L1L2 64/64     SWC1ADVMO.04       Phase V
SWC1ADVMO      Gi9/0       Up     L1L2 64/64     SWC1ADVMO.03       Phase V
ER1ADVMO       Fa2/0       Up     L1L2 64/64     ER1ADVMO.01        Phase V
TSK1ADVMO      SR1/0       Up     L1L2 64/64     TSK1ADVMO.02       Phase V

And the neighbors routes?

SWC1ADVMO#sh ip ro 172.30.150.0
% Subnet not in table
SWC1ADVMO#sh ip ro 172.31.240.65
Routing entry for 172.31.240.65/32
  Known via isis, distance 115, metric 20, type level-1
  Redistributing via isis
  Last update from x.x.x.x on Vlan4, 01:06:02 ago
  Routing Descriptor Blocks:
  * x.x.x.x, from 172.31.240.65, via Vlan5
      Route metric is 20, traffic share count is 1
    x.x.x.x, from 172.31.240.65, via Vlan4
      Route metric is 20, traffic share count is 1

So, it looks like it works after all. If I have time later in the week I'll try and mock it up on some of the smaller gear...

HTH, sorry for the misinformation earlier...

John

- Original Message -
From: Cisco Nuts
To:
Sent: Friday, February 07, 2003 9:46 AM
Subject: Distribute-list out in ISIS - NOT working!!Why?? [7:62641]

Hello,

I am trying to use a distribute-list out serial 1 in isis...basically blocking an Ospf route from being leaked into the Isis domain. It lets me type in the commands but when I do a show run, the commands are not there!! Why??

On the neighboring isis router, I do not even get an option to set the distribute-list in??

Now I know, in Ospf the distribute-list out does not work but did not know about this in Isis?

Can anyone shed light on this? I had to use a redistribute connected with a route-map option.

Here is my config:

R3-B(config)#router isis
R3-B(config-router)#distribute-list 51 out serial 1
R3-B(config-router)#end
R3-B#rbr router isis
 redistribute connected metric 3 route-map serial level-1
 redistribute rip metric 3 level-1
 net 00...0003.00
 is-type level-1

Thank you.

Sincerely,

CN

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62672t=62672
Re: 3640 and 2 NM-2FE-2W? [7:62346]
Ben,

According to CCO you need 12.0(7)XK, 12.1(1)T, 12.2, or 12.2T.

http://www.cisco.com/warp/public/107/nm-fe2w.shtml

Best Regards,

John

- Original Message -
From: Ben Hockenhull
To:
Sent: Monday, February 03, 2003 8:15 AM
Subject: 3640 and 2 NM-2FE-2W? [7:62346]

I've got a 3640 running 12.2.x software and currently have one NM-2FE-2W installed, with 2 WICs in it. I tried to install another NM-2FE-2W and use the WIC slots in that NM as well, but none of the interfaces show up.

I can't find any documentation one way or another about support for multiple NM2-FE-2Ws in a 3640. Anyone know if this is supported? I'm not concerned about overutilizing the backplane with 4 FE interfaces, as I won't use all 4.

Ben

--
Ben Hockenhull [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62408t=62346
Re: Cisco uBR924 and Internet problems... [7:61754]
Leonardo, You shouldn't be able to change the MAC address on the Cable Interface. That's how the cable modem is associated to the customer and receives it's correct address scope for Class of Service, etc. The reason your 924 is receiving the disabled.bin config file is because your MAC address is unconfigured in the provisioning system. Unfortunately, the last I heard, none of the MSOs allow Cable Modem Routers on residential service. Maybe you'll get lucky. Peter, to answer your question, if the Cable Modem/Router remains 'unregistered' it will continue to range and seek an uplink. This takes up RF space and precious CPU cycles on several upstream elements. Using the disabled.bin allows the MSO to sync the Cable Modem/Router and thereby stop it from ranging and taking up bandwidth. John - Original Message - From: Leonardo FUK To: Sent: Saturday, January 25, 2003 2:28 AM Subject: Re: Cisco uBR924 and Internet problems... [7:61754] Yes, you're write. I called them to confirm the issue and I provided my MAC address so they will research and see if it's allowed according to their policy. There's one more question, if you don't mind: I am able to change the MAC address of my Ethernet interface, using the mac-address command through IOS. But the same command is not available to the cable-modem interface. I'm not sure if it is not allowed at all or if it's a limitation of my IOS version. Do you know if it's possible to manually set up a MAC address on the cable-modem interface? Thank you!! Leonardo Furtado Peter van der Voort wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Hi Leonardo, Basically, you're answering your own question: the provider lets you download a file that disables your service. Normally, this file specifies the Class Of Service you get from your provider, like upstream and downstream bandwidth. Now for some reason, the provider doesn't want to give you any service and therefore let you download a file which denies access. 
There is one thing that I don't understand, though. If you didn't buy this modem from your provider (or did you?) then the modem's MAC address is not registered with them. Therefore, why would they allow the DHCP server to give your modem an IP address? That doesn't make sense. On the other hand, if you did buy the modem from the ISP, then like I said, they just doesn't want to give you access for some reason (not paying your subscription fee springs to mind ;)) Bottom line: you have to contact them. Good luck Peter -Original Message- From: Leonardo FUK [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 7:29 AM To: [EMAIL PROTECTED] Subject: Cisco uBR924 and Internet problems... [7:61754] Hello everyone!! I have a question here, I need your help! Recently I bought a Cisco uBR924 and I've been trying to connect it at home, so I can expand my home lab capabilities. My service provider is Time Warner (Road Runner) and I simply can't connect it to the Internet. This router has one cable-modem interface, four ethernet ports (represented as 1 ethernet interface) and two FXS voice-ports. According to the Cisco's documentation, the service establishment process of a cable-modem-router like this one is as follows: - Scan for a downstream channel and establish synchronization with the CMTS. - Obtain upsteam channel parameters. - Start ranging for power adjustments. - Establish IP connectivity - Establish the time of day - Establish security - Transfer operational parameters - Perform registration - Comply with baseline privacy - Enter the operational maintenance state When I issue show int cable-modem 0, I notice a lot of interface resets displayed by the output. Further investigation required me to run some debug commands and - I love this one - show controllers cable-modem 0 mac log, which probably identified the problem. 
I could see almost all CMAC_LOG_STATE_CHANGE events, but during the registration process (registration_state), the modem received a RESET_AUTHENTICATION_FAILURE. I pasted part of the output so my question may be answered by someone:

The steps from scanning downstream to establish security seem to be fine:

1041.159 CMAC_LOG_STATE_CHANGE wait_for_link_up_state
1041.159 CMAC_LOG_STATE_CHANGE ds_channel_scanning_stat
1043.540 CMAC_LOG_STATE_CHANGE wait_ucd_state
1046.319 CMAC_LOG_STATE_CHANGE wait_map_state
1046.371 CMAC_LOG_STATE_CHANGE ranging_1_state
1047.337 CMAC_LOG_STATE_CHANGE ranging_2_state
1048.112 CMAC_LOG_STATE_CHANGE dhcp_state
1048.404 CMAC_LOG_DHCP_ASSIGNED_IP_ADDRESS 10.47.170.200
1048.404 CMAC_LOG_DHCP_TFTP_SERVER_ADDRESS
Re: O/T Funny Network Song [7:61454]
Thanks Jason, I needed a laugh this morning

Oh, Field Notice, Please Help Us

John

- Original Message -
From: Barbee Jason
To:
Sent: Tuesday, January 21, 2003 8:14 AM
Subject: O/T Funny Network Song [7:61454]

I haven't seen this posted here yet, sorry if I missed it in recent threads.

http://www.dude.ru/music/gigflapping.html

Click the MP3 link there, the words are printed for you. It's the funniest networking thing I've seen in a long time!

-Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61464t=61454
Re: Routes across ISIS areas. [7:61433]
Rajesh,

47.0001 will not form an adjacency with 47.0002. For them to exchange L1 routes you need to change their ISIS Area IDs in their NET so they're in the same area. Alternatively you could insert a third router as an L2, and leak your routes from the L2 into the L1s. You'll also need to redistribute those OSPF routes into ISIS if you want them announced to R2...

HTH,

John

- Original Message -
From: Rajesh Kumar
To:
Sent: Monday, January 20, 2003 10:26 PM
Subject: Routes across ISIS areas. [7:61433]

Hi all,

I have a scenario like this :

Area 1          Area 2
R1              R2
s2/0.1          s2/0.1

Both are point to point networks.

The configuration for R1 is

int s2/0.1 point-to-point
 ip router isis
router isis
 net 47.0001.0002.0003.0004.00

and for R2 is

int s2/0.1 point-to-point
 ip router isis
router isis
 net 47.0002.0001.0003.0004.00

The problem is that I am not able to see R1's routes in R2. R1 has a couple of OSPF routes coming in from other routers - but never gets passed on to R2.

Any experts comments?

Thanks,

Rajesh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61435t=61433
Re: BGP problem [7:60338]
The message format is FACILITY-SEVERITY-MNEMONIC. So this is a message from the BGP Facility, the severity indicates functionality may be affected, and the message identifier is 'Notification.'

In this case the Error Code is 2 (Open) and the SubCode is 7 (Unsupported Capability - see RFC2842). The only time I've seen this is when there is an address-family mismatch, i.e., one peer is ipv4 only, one peer is vpnv4 with ipv4-unicast disabled, specifically when configuring MPLS VPNs using MBGP, but I'd expect you'd see the same message if you had any sort of address family (or other optional capability) mismatch.

Of course, I don't have a PhD, nor my CCIE # yet, so I may not actually be worthy of the response I've typed.

Best Regards,

John

- Original Message -
From: Charles
To:
Sent: Sunday, January 05, 2003 3:43 PM
Subject: Re: BGP problem [7:60338]

hey,

%BGP-3-NOTIFICATION: sent to neighbor x.x.x.x 2/7

BGP-3 means it's a BGP UPDATE message error
2/7 are the error subcodes (I believe!)
2- unrecognized well known attribute
7- AS Routing loop

take a closer look at your configs, etc... is it possible you've got a loop on your hands?

hope this helps,

Charles

Amr Essam wrote in message news:[EMAIL PROTECTED]...

Dear all

I have been receiving this msg in all my routers during the past month and I have searched on how I can remove it but I didn't have any luck to find anything can tell on how to remove this entry to appear in my log

The entry is:

%BGP-3-NOTIFICATION: sent to neighbor x.x.x.x 2/7 (unsupported/disjoint capability) 0 bytes

I hope I can find some advice on how to remove this entry to appear in my router logs

Regards

Amr

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60392t=60338
Re: How to search TAC for IOS Bugs? [7:60381]
You can do a google site search, 'site:www.cisco.com caveats' a search for 12.2 caveats results in: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cavs/122m cavs.htm#wp272109 - Original Message - From: Wei Zhu To: Sent: Sunday, January 05, 2003 7:16 PM Subject: How to search TAC for IOS Bugs? [7:60381] How to search the TAC for IOS bugs? Thanks Wei - Original Message - From: The Long and Winding Road To: Sent: Sunday, January 05, 2003 7:24 PM Subject: Re: revisited: OSPF stub/stub no-summary O*IA routing table [7:60378] you may have discovered a new bug. lucky you! I just got through checking CCO TAC for known OSPF bugs in 12.2 code. There are a couple listed that relate to NSSA and a couple of others that relate to default routes, but none of the listings described the exact phenomenon you reported. Oh well. Glad I could provide at least a sanity check for you. Chuck -- TANSTAAFL there ain't no such thing as a free lunch Wei Zhu wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Hi Chuck, When I changed the IOS to 12.1.5T10, and problem solved. Don't know what is changed for nssa after 12.2, I tried encap ppp on serial ports, and even cannot see any O*N2 entries. Thank you Wei - Original Message - From: The Long and Winding Road To: Sent: Sunday, January 05, 2003 1:19 PM Subject: Re: revisited: OSPF stub/stub no-summary O*IA routing table [7:60352] well, you got me. I haven't a clue as to why you are getting the result you describe. In my own setup, the routers in question are running 12.1.2d on the stub router, and 12.1.5T10 on the other two. I am pretty sure these are enterprise plus versions, but I'd have to do a bit more digging to verify that. I know my reason for loading the 12.2 image was that I was searching for NBAR support, which apparently is just not available on the 25xx series. Do you agree that I am showing the desired result in my testing? 
Everything I see matches what I would expect to see, based on the configurations. -- TANSTAAFL there ain't no such thing as a free lunch Wei Zhu wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I tried serial back-to-back instead of frame relay, but got same result, the show ip ospf nei resulted the same as yours. Instead of assigning ip directly to s0 and s1, I put on loopback 1 and 2, then on s0 and s1, do ip unumber loopback 1 and 2 (although for ospf, it's not supposed to put one end unnumbered but the other end not), and I got the result!!! Tow O*N2 entries. I also tried the following senario: R1(ASBR) | (Area 0) | R2(ABR) / \ (Area 1) /\ R3R4 \/ \ / R5 With normal configuration, I only can see one O*N2 entry on R5, but with ip unnumbered with serail ports on R2, I can see both O*N2 0.0.0.0/0 using R3 and R4. I am really confused. With regular ospf area, stubby, totally stubby, it works fine, just doesn't like the NSSA. I checked RFC 2328, the differece between unnumbered and ip assigned point-to point is the Link Data info in LSA, is that which causes the problem? Chuck, thank you very much for you help, BTW, can you give me your IOS version? (Hopefully I am not tired yet of another try) Wei - Original Message - From: The Long and Winding Road To: Sent: Friday, January 03, 2003 11:30 PM Subject: Re: revisited: OSPF stub/stub no-summary O*IA routing table [7:60278] Wei Zhu wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Hi Chuck, I tried point-to-point instead of frame relay and still could not get through.(Everything is fine except nssa) In my understanding, the External type LSA (E1 or E2) will flood everywhere, while for NSSA area, it change from type 5 to type 7. I'm not sure, but I believe that for routes INTO an NSSA, type 5's are blocked, not changed to type 7. 
The ABR will change type 7's to type 5's OUT of the NSSA ( into the rest of OSPF ) yeah - looking at the RFC, that's what it states - external type-5's are not imported into the NSSA When I tried show ip ospf database external on R2, I could see the LSA with forward address 0.0.0.0, but on R5, the forward address changed to 192.168.1.33(or 192.168.1.17). How did this happen? I think that's the reason why I only can see on O*N2 entry insteady of 2. I am using 2500 serial routers. For this experiment, I used
Re: MPLS VPN [7:60205]
Currently the 6500/7600 can only function as a PE with an OSM. Assuming you have one, you would configure the ethernet port your 2500 is connecting to into a unique vlan, then configure one of the Gig-E ports on the OSM as your 'upstream' using dot1q encapsulation, and terminate your VRF there. I've included an example below, HTH.

Best Regards,

John

interface GE-WAN4/1.10
 description 2500-MPLS-VPN-A
 encapsulation dot1Q 10
 ip vrf forwarding vpnA
 ip address 10.1.2.3 255.255.255.252
 mpls label protocol both
end

- Original Message -
From:
To:
Sent: Friday, January 03, 2003 7:12 AM
Subject: MPLS VPN [7:60205]

I know how to set MPLS VPN in a network with 7507 as the Core routers. But what is necessary to integrate a 6500 switch with FlexWan module and PA-HSSI/PA-ATM cards in the Core and keep the MPLS VPN service in the location served by the switch?

The network is like that:

2500-vpn-A--7500=7500-vpn-A---2500
|||| ||||
2500vpn-A---6509===

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60207t=60205
Re: OT finding station trying to become MasterBrowser [7:58701]
I would suspect a Linux box somewhere on your net that has a new Samba install on it. The default configuration is set for the box to attempt to be the Master Browser. A tool like NMAP will help you identify the type of device you're dealing with, this could help in a process of elimination, otherwise ARP and CAM tables will find it, assuming you have switches and not hubs...

- Original Message -
From: Priscilla Oppenheimer
To:
Sent: Friday, December 06, 2002 12:22 PM
Subject: OT finding station trying to become MasterBrowser [7:58701]

I don't think there's any answer to this, but I thought I would check.

How can I find the physical location of a system if I know the following: NetBIOS name, IP address, MAC Address, and the Domain it is attached to. I have a system that is trying to become the Master Browser and I've discovered all of the above information.

The problem is, it's a large flat network, so the IP address comes from a huge pool and doesn't help identify a network segment. The NetBIOS name isn't helpful and the vendor code in the MAC address is shared by almost all the systems.

Any utilities that you know of that could help find this station? It's a city-wide school system and driving around from school to school isn't practical, although it is a rather small city... :-)

Any info would be great. Thanks.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58742t=58701
Re: Darth Reid R1 Access-list [7:58644]
Actually he *did* answer it. Write it out in binary, it should be crystal clear.

- Original Message -
From: Ted Marinich
To:
Sent: Friday, December 06, 2002 7:00 PM
Subject: Re: Darth Reid R1 Access-list [7:58644]

The Long and Winding Road:

As you can see from my original post, the binary equivalents are represented in decimal format one octet at a time. The question is - has anyone approached this question from a different angle to get a more realistic answer. The first octet should allow 131 and 135 only, but as you can see it allows 14 other octets!???

I thank you for your response, but you didn't answer the question. Want to try again?

Ted

P.S. Just want to compare notes with anyone who has attempted the question and has an explanation for their answer. Cisco Press answer is one single ACL, but I calculate a need for three in order to deny only those IPs in the original question and no others. Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58743t=58644