Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525

2001-03-25 Thread KY

Sean,

Have you guys compared FreeBSD with Linux for the firewall?

Thanks

KY
"Sean Young" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Ken,
> Thank you very much for the advice.  This past Friday, my company
> decided to use Linux as our company Firewall.  Furthermore, we've decided
> that this Firewall will be running kernel 2.4.2 with only two services
> running on it, SSH and netfilter (aka iptables).  I've tested kernel
> 2.4.2 in the lab and noticed it performs better than kernel 2.2.x.  I've
> also performed various intrusion detection tests on the box using
> Cisco NetSonar, Cybercop, ISS, Axent Netrecon but was unable to break
> it.  The linux box is rock-solid.  I am also running portsentry (IDS)
> on the Firewall itself.
>
> Also, we decided to run our squid proxy server on another linux box
> to provide transparent caching for our internal users.  As far as VPN is
> concerned, we are going to implement FreeS/WAN on another box.  I think
> in the long run, it is going to save the company a lot of money.  We
> ended up not buying the PIX and web-caching engine from Cisco.  Oh, the
> networking guy in our group who recommended Cisco PIX and Cisco
> web-caching engine as a solution has been fired.  Go figure.
>
> Regards,
> Sean
> P.S.  Priscilla, why not implement TRANSPARENT caching by using squid
> to speed up the internet connection for your users?  Squid is free and very
> secure and easy to use.
>
> >From: [EMAIL PROTECTED]
> >Reply-To: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED], "Stuart Brockwell" <[EMAIL PROTECTED]>
> >Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525
> >Date: Sat, 24 Mar 2001 20:02:26 -0800
> >
> >Sean,
> >
> >Comments embedded:
> >
> >On 23 Mar 2001, at 16:12, Stuart Brockwell wrote:
> >
> > > Hi Sean,
> > >   I am a Linux head myself, and one of our firewalls is in fact running
> > > on a Linux box.  The only problem with this type of firewall is that
> > > you inherit all of the known bugs that the software has.  Given that
> > > the source code to Linux is widely available, you have a lot of very
> > > talented people out there who know these holes and are able to exploit
> > > them very easily.
> >
> >It also means that there are a lot of talented people who are looking
> >at the code to make sure that any holes are patched.  In fact, when
> >new exploits are found, Linux is usually the fastest platform to have
> >a patch available.  Compare this to having to wait weeks for vendor
> >patches or having to prove to a vendor that a problem exists.
> >
> >Also, a service can only be exploited if it is running.  A properly
> >configured firewall doesn't run unnecessary services, this makes it
> >very difficult to exploit.  Essentially, it would come down to trying to
> >DoS it or running a password guessing program against it to get
> >remote access.
> >
> >
> > > If you
> > > maintain your own Linux firewall, you will need to continuously look
> > > for the latest bug fixes to install on your Linux box to address the
> > > latest round of holes that have been released.
> >
> >If the Linux firewall is properly setup, the only services running on it
> >are ipchains and SSH.  This means that you have to be aware of 2
> >services.  While there could always be a local exploit, if only
> >trusted admins have access, the trouble with keeping up patches
> >is minimal.  It is certainly no more trouble than keeping up with
> >bugs on a vendor platform.
> >
> > >
> > > Cisco and companies such as Watch Guard closely guard their source
> > > code, often you can elect to take on a maintenance contract with the
> > > firewall where you receive all the latest fixes for a 12 month period
> > > (this is what we did).  As this is their bread and butter, they spend
> > > a lot of time looking for holes and fixes to known bugs.
> > >
> >
> >While true, this doesn't mean that their code will have fewer bugs
> >or that the bugs will be patched quicker.  There is a very large
> >support community for Linux that is very technical.  Most bugs are
> >patched in a matter of days, sometimes hours.
> >
> >
> > > the main plus for each of
> > > the commercial packages is that there is large support base, whereas
> > > skilled Linux admin staff who can lock down a firewall are very few
> > > and far between.
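
The two-service firewall Sean describes above (kernel 2.4 with netfilter and SSH, squid on a separate box for transparent caching), as an added example that is not part of the original thread: a sh script that writes the iptables-restore ruleset, refuses to load one that is not default-deny or that exposes SSH to any source, and includes the piece a remote squid box needs that is easy to miss. Interface names (eth0 outside, eth1 inside), the admin and inside networks, the squid address and its port 3128 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate, check and optionally load
# the netfilter ruleset for the two-service (SSH + netfilter) firewall described
# above.  Interface names, the admin/inside networks and the squid address are
# assumptions; adjust before use.
#
#   eth0        outside interface
#   eth1        inside interface
#   ADMIN_NET   the only source allowed to open SSH to the firewall itself
#   INSIDE_NET  the networks allowed out through the firewall
#   SQUID       the separate squid box, assumed to listen on 3128

ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}    # assumed
INSIDE_NET=${INSIDE_NET:-192.168.0.0/16}  # assumed
SQUID=${SQUID:-192.168.1.10}              # assumed

# Print an iptables-restore ruleset: default-deny on INPUT and FORWARD, SSH
# only from the admin network and rate-limited against password guessing,
# inside hosts masqueraded out, inside port-80 traffic transparently sent to
# squid.  OUTPUT is left open so the box itself can fetch patches.
gen_ruleset() {
    admin_net=$1 inside_net=$2 squid=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# SSH: admin network only, via the inside interface, 3 new connections/min
-A INPUT -i eth1 -s $admin_net -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
# everything else aimed at SSH is logged, then dropped by the chain policy
-A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "fw-ssh-drop: "
# anti-spoofing: inside addresses never arrive on the outside interface
-A FORWARD -i eth0 -s $inside_net -j DROP
-A FORWARD -i eth1 -o eth0 -s $inside_net -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# the redirected web flow goes back out the inside interface to squid
-A FORWARD -i eth1 -o eth1 -p tcp -d $squid --dport 3128 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# transparent caching: client -> any:80 becomes client -> squid:3128
-A PREROUTING -i eth1 -s $inside_net ! -d $squid -p tcp --dport 80 -j DNAT --to-destination $squid:3128
# squid must answer the firewall, not the client, so the reply is un-DNATed
-A POSTROUTING -o eth1 -p tcp -d $squid --dport 3128 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Refuse a ruleset that does not default-deny INPUT and FORWARD, or that has
# an SSH ACCEPT rule with no source restriction.  Exit 0 = safe to load.
check_ruleset() {
    awk '
        /^:INPUT DROP/   { in_drop = 1 }
        /^:FORWARD DROP/ { fw_drop = 1 }
        /--dport 22 / && /-j ACCEPT/ && !/ -s / { open_ssh = 1 }
        END { exit !(in_drop && fw_drop && !open_ssh) }
    '
}

case "${1:-}" in
    --apply)                                   # needs root and iptables
        gen_ruleset "$ADMIN_NET" "$INSIDE_NET" "$SQUID" | check_ruleset || {
            echo "ruleset failed safety check, not loading" >&2; exit 1; }
        gen_ruleset "$ADMIN_NET" "$INSIDE_NET" "$SQUID" | iptables-restore ;;
    *)  gen_ruleset "$ADMIN_NET" "$INSIDE_NET" "$SQUID" ;;
esac
```

Two points worth checking on a box like this: the DNAT to a squid host on the same inside segment only works together with the POSTROUTING masquerade for that flow, otherwise squid answers the client directly from its own address and port and the client's TCP stack resets the connection (the price is that squid's access.log shows the firewall's address rather than the client's); and the LOG rule sits after the rate-limited ACCEPT, so SSH attempts beyond the limit show up in syslog and are then dropped by the chain policy.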

Re: Private Vlans - Is this a good idea

2001-03-27 Thread KY

Roberts,

I don't think the 5500 supports pvlan, it has to be the 6500, but I heard from
somewhere that those lower-end 2948/4000 will also be able to support pvlan very
soon.

pvlan, from my understanding, does not give you more security among vlans.
It only controls ports within the same vlan by preventing them from talking
to each other without your control. It is more of a way of saving vlans for
service providers.
I believe the doc of the 6500 explains it pretty well.

If your customer is concerned about vlan leak, I am afraid you will probably
have to give them a separate switch or they can use some kind of encryption
before sending out any traffic.

Just my 2 cents.

HTH
KY

"Roberts, Timothy" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
> I have some customers that need to be connected to my network.  They insist
> on not having their servers connected to a switch that has other customers
> on it.  They will not pay for an additional switch.  I was considering
> recommending private vlans?  That way things are more secure on the switch.
> Is this a good idea?  The current switches are catalyst 5500.  Does this
> hardware support private vlans?  I have checked the documentation and I have
> only found that the software needs to be 5.4(1) but they make no mention of
> hardware requirements.
> Thanks
>
> _
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>





Re: BGP over two ISP links

2001-03-30 Thread KY

Well said Howard, I always believed that reading Halabi's book only makes you
understand BGP and know how to configure it on Cisco. But there is no way
you can play a peer router in a NAP just based on that knowledge. You will
mostly screw it up.
As you said, most of these things are not documented; it is really hard to find
a good reference on how to set up an ISP from scratch.
Looking forward to your book. I would suggest that you put in more
real cases/examples of setting up peer routers, verifying/updating peer policy and
troubleshooting routing problems. Also it would be great if you could,
based on your wide contacts in the industry, give us something like this, for
example:
This is how UUnet updates their peer policy every day, they use a Perl script
to grab daily updates from the whois.radb.net database, and automatically update
their peer routers. The script looks like this:. Other ISPs do it other
ways like  uses xxx and xxx uses xxx.

I bet most people, especially those who work for ISPs but not at the top
level, would pay money for that.

Just my 2 cents.
KY


"Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote in message
news:p05001902b6ea44b7d429@[63.216.127.100]...
> Believe me, I sympathize. My first attempt to connect to the Internet
> failed due to not considering publishing my policy in a routing
> registry (e.g., RADB).  See http://www.radb.net, or the routing
> registry areas at http://www.arin.net and http://www.ripe.net.
>
> One of my concerns with the way that Internet routing is taught is
> that most presentations are about the configuration of a router or
> two, when it is essential first to understand how the routers fit
> into the global routing system.  Playing in the global routing system
> involves a lot more than BGP announcements.  As you have observed, it
> involves address assignment, AS number assignment, and registering a
> routing policy at the very least.  Reverse DNS, swip/rwhois,
> filtering, and many other factors will enter into real-world
> operations.
>
> It's also often unclear what people are trying to do when they want
> anything beyond single-link, default-routed connectivity to an ISP.
> Have you ever been to a convention where officious people push you
> around with no explanation other than muttering "security?"  I'm
> afraid I often hear "load-sharing" muttered in the same way with
> respect to Internet connectivity.  There is no single thing that is
> defined as load sharing, and there are different reasons to want or
> not want different load sharing options.
>
> In my BGP tutorials at CertificationZone (member area), I've tried to
> emphasize "define policy first, then think about configuration."
> You'll also see this philosophy in my tutorials at NANOG, and in my
> upcoming book (end of the year) on building service provider networks.
>
> The message remains, whenever someone thinks they are ready to
> configure BGP on a live router to an ISP, if that is all they think
> they need to do to get connected, they are not ready.  Since a lot of
> this isn't written down, it's very wise to find a knowledgeable ISP
> and work with their presales people very closely.
>
> Finding the clueful people can be a crapshoot, I will admit. I can
> think of one national carrier with whom I've dealt in different
> cities. For the account in Washington DC, which literally did have
> Presidential priority, the particular carrier was slow and
> inflexible.  For a different account with the same provider in
> Nashville, the account team couldn't have been more responsive, both
> at sales and engineering levels.
>
>
> >I know that in our case, trying to use BGP for failover between two
> >providers, we
> >(a) were required to have a /24  ... no problem
> >(b) were required to have an AS# ... no
> >problem
> >(c) PSI *required* us to 'take possession' of the maintainer object for our
> >/24 ... still working on that part
> >a. < >frustrating>>
> >(d) once we finish (c) we *should* be all set .. unless PSInet finds another
> >way to delay us.
>
>
> Unless, of course, PSInet simply goes into bankruptcy.  I wish them
> well, but the financial press does seem to suggest that the vultures
> are getting very close.
>
> >
> >I only send this because the "RADB/ Maintainer Object" part has been a
> >really painful delay .. but, that should be resolved today :).
> >
> >
> >Thanks!
> >TJ
> >
> >  -Original Message-
> >From: John Neiberger [mailto:[EMAIL PROTECTED]]
> >Sent: Thursday, March 29, 2001 17:08
> >To: [EMAIL PROTECTED]
> >Cc: [EMAIL PROTECTED]
> >Subject: Re: BGP o
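
The daily IRR job KY sketches above (and the routing-registry step Howard insists on), as an added example rather than any ISP's actual script: a sh/awk version that pulls the route objects registered for a peer AS, turns them into a Cisco inbound prefix-list, and ends it with an explicit deny. It assumes RADB's RIPE-style `-i origin` inverse query; the AS numbers, prefixes and canned whois text are constructed for the example, not real registry data.

```shell
#!/bin/sh
# Added example, not the UUNET script KY imagines above: build a Cisco inbound
# prefix-list for a peer from the route objects it has registered in the IRR,
# which is what a daily "grab updates from whois.radb.net" job would do.
# Written in sh/awk rather than Perl.  AS numbers, prefixes and the canned
# whois output below are constructed for the example, not real registry data.

# Live lookup: every route object whose origin is the given AS (RIPE-style
# inverse query).  Needs network access, so the demo below uses canned text.
fetch_routes() {
    whois -h whois.radb.net -- "-i origin $1"
}

# whois text on stdin -> one prefix per line.  Keeps only objects whose origin
# is the AS we asked for, drops anything longer than /24 (the usual transit
# limit), de-duplicates, and sorts so the list diffs cleanly against yesterday's.
routes_to_prefixes() {
    awk -v want="$1" '
        /^route:/  { pfx = $2 }
        /^origin:/ { if (toupper($2) == want && pfx != "") seen[pfx] = 1; pfx = "" }
        END        { for (p in seen) print p }
    ' | awk -F/ '$2 <= 24' | sort
}

# prefixes on stdin -> prefix-list lines, ending in an explicit deny so the
# peer cannot slip in anything it has not registered.
render_prefix_list() {
    name=$1 seq=0
    while read -r pfx; do
        seq=$((seq + 5))
        printf 'ip prefix-list %s seq %d permit %s\n' "$name" "$seq" "$pfx"
    done
    printf 'ip prefix-list %s seq %d deny 0.0.0.0/0 le 32\n' "$name" "$((seq + 5))"
}

# whois text on stdin, AS on $1 -> complete prefix-list named IN-<AS>
build_prefix_list() {
    routes_to_prefixes "$1" | render_prefix_list "IN-$1"
}

# Constructed sample: two valid /24s (one registered twice), a /25 that is too
# long to accept, and a route that belongs to a different origin AS.
SAMPLE_WHOIS='route:      192.0.2.0/24
descr:      example customer
origin:     AS64500
source:     RADB

route:      198.51.100.0/24
origin:     AS64500
source:     RADB

route:      203.0.113.0/25
origin:     AS64500
source:     RADB

route:      198.51.100.0/24
origin:     AS64500
source:     RADB

route:      10.9.0.0/16
origin:     AS64501
source:     RADB'

if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    fetch_routes "$2" | build_prefix_list "$2"
else
    printf '%s\n' "$SAMPLE_WHOIS" | build_prefix_list AS64500
fi
```

Run it with no arguments to see the output for the canned sample; `sh irr-prefix-list.sh --live AS64500` performs the real query. The filter is the point: a peer whose announcements are accepted without one can leak or hijack any prefix it likes, so the list should be regenerated from the registry and diffed against the previous day's before it is pushed to the peer routers.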

Re: What ISP do you recommend for BGP?? [7:1295]

2001-04-19 Thread KY

I think you may want to stay away from Qwest, ATT seems not too bad
sometimes.
But, IMO, it's just a different extent of pain most of the time for all those big
names, especially if you are a tiny little customer.

Just my two cents.

Good Luck

KY


"BH" wrote in message news:[EMAIL PROTECTED]...
> Hi,
> Does anyone have a recommendation or horror story for best ISP to work with
> for implementing BGP?
> I am thinking of picking between Worldcom, ATT and Qwest.
> Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1302&t=1295



Juniper on FreeBSD [7:1303]

2001-04-19 Thread KY

All,

Has any of you ever had luck porting Juniper to a FreeBSD box?
I heard that you could download the Junos and then tweak the BSD to
make it just like the real box. I know Olive, but I guess that is something
else, although if anybody can give me, or tell me how to get, a copy of Olive
it would be appreciated.

I could not find anything on the FreeBSD sites, any input would be helpful.

Thanks

KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1303&t=1303



Re: Juniper on FreeBSD [7:1303]

2001-04-20 Thread KY

Phil,

Thanks for the info.
I am trying to download the JunOS from our internal company website. I just
want to verify if I will have to make it an LS120 image. I don't have an LS120
handy, but I do have some spare hard drives. I wonder, if it can boot from
LS120, should it be bootable from a normal hard drive?
I guess I will have to format the hard drive from BSD, and copy the file to
it, just wondering if you or others have done this before. If LS120 is the
only or easiest way, I will just go and get one.

Thanks
KY


"Phillip Heller" wrote in message news:[EMAIL PROTECTED]...
> The Olive is simply the JunOS code running on a compatible PC.
>
> If you've got the JunOS package, make the LS120 image, get an intel based
> pc with an LS120 drive.  The image should just boot.
>
> Regards,
>
> --phil
>
> On Thu, 19 Apr 2001, KY wrote:
>
> All,
>
> Has any of you ever had luck porting Juniper to a FreeBSD box?
> I heard that you could download the Junos and then tweak the BSD to
> make it just like the real box. I know Olive, but I guess that is something
> else, although if anybody can give me, or tell me how to get, a copy of Olive
> it would be appreciated.
>
> I could not find anything on the FreeBSD sites, any input would be helpful.
>
> Thanks
>
> KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=1402&t=1303



Re: RFC 1149 is in use [7:3244]

2001-05-07 Thread KY

I would imagine the icmp timeout value is worth more concern.
It does not hurt if the TTL set to infinite, does it?


"Chuck Larrieu" wrote in message news:[EMAIL PROTECTED]...
> I would imagine that the TTL is in inverse proportion to the number of
> hawks, owls, eagles, or hunters along the route.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Allen May
> Sent: Monday, May 07, 2001 9:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RFC 1149 is in use [7:3244]
>
> What's the timeout set to for TTL on these suckers?
>
> - Original Message -
> From: "EA Louie"
> To:
> Sent: Friday, May 04, 2001 5:41 PM
> Subject: Re: RFC 1149 is in use [7:3244]
>
>
> > I want nothing to do with the "dropped bits" from RFC 1149.
> >
> > thank you very much
> >
> > -e-
> >
> > - Original Message -
> > From: "John Hardman"
> > To:
> > Sent: Friday, May 04, 2001 2:31 PM
> > Subject: OT: RFC 1149 is in use [7:3244]
> >
> >
> > > Hi All
> > >
> > > Checkout
> > > http://news.cnet.com/news/0-1003-200-5825807.html?tag=tp_pr
> > >
> > > RFC 1149 in a successful test!
> > > --
> > > John Hardman CCNP MCSE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3478&t=3244



Re: Juniper CERTS and Olive [7:4957]

2001-05-18 Thread KY

Peter,

People looking for Olive do not expect any support from Juniper in any sense.
I remember some guys on the list used LS120 on FreeBSD to boot JunOS, I never
tried it myself.

KY

"Peter Van Oene" wrote in message news:[EMAIL PROTECTED]...
> JunOS is only intended for use with Juniper routers.  The olive was a
> testing device that has long since been retired and is not supported in any
> sense by Juniper.
>
> Peter
>
>
> *** REPLY SEPARATOR  ***
>
> On 5/18/2001 at 4:55 AM Valeri Marinski wrote:
>
> >Hi Group!
> >People are talking pretty much about Juniper certs and the lack of
> >learning equipment
> >i am just curious if Olive / PC port of JunOS is something illegal.
> >If not i'd like to get my hands on it.
> >I was looking on the net and found nothing on it
> >so any comments/links/infos are very much appriciated
> >thanks in advance
> >regards
> >Valeri




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5052&t=4957



Re: Washington DC Router Roast Saturday [7:5460]

2001-05-22 Thread KY

Pity I will not be able to make it. Have to take a test in the morning and
have my tires replaced in the afternoon. Got a coupon from the garage and
have to use it before this weekend.
Have fun!!


KY
"Bruce Evry" wrote in message news:[EMAIL PROTECTED]...
> Dear Fellow Students of Ciscology,
>
> Our DC Cisco group will be holding its May picnic on:
> Saturday, May 26, 2001
> Time: 10 am to 4 pm
> Place: Bruce's House
>
> We will be discussing various topics, including but not limited
> to: Job-hunting, Certifications, The Economy, and interconnections between
> all 3 topics. Volunteers for talks are most welcome!
>
> We will also drag the routers and switches out if the weather is
> nice and practise various arcane Cisco technologies under the trees
>
> As usual there is no charge or fee, but it's always appreciated if
> you bring desserts, snacks, sodas, routers, switches, and laptops. Make
> sure all the equipment is well-marked so that we can send it home with the
> person who brought it. (Do not mark the potato chips please)
>
> Yours Truly - Bruce Evry
>
>
>   DIRECTIONS TO THE HOUSE
>
> 1607 Thomas Road,
>Fort Washington, MD 20744
>
> From Maryland take I-95 to exit 3a in MD,
> From Virginia take Exit 2 in MD
>
>To the Indian Head Highway South.
>
> Go about 3 miles, turn Left on Old Fort Road.
>
>  Go exactly 2 miles on Old Fort Road,
>Turn Right on Thomas Road.
>  We are 1607 Thomas Rd,
> almost all the way down the street on the left.
>
> Look for the pumpkin & a long gravel driveway
>  With no House visible from street!
>
> If lost, our phone # is 301-292-5231, call us!
> Please E-mail to [EMAIL PROTECTED], thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5480&t=5460



Re: Isn't MPLS basically just ATM PNNI, but for layer 3? [7:6074]

2001-05-27 Thread KY

Peter,

The difference is Juniper's IS-IS has TLVs (metric wide-only) enabled by
default.

KY

"Peter Van Oene" wrote in message news:[EMAIL PROTECTED]...
> Ahh, thanks for the insight.  I didn't realize that was the case.  My MPLS
> experience is restricted to Juniper at this point.
>
> Pete
>
>
> *** REPLY SEPARATOR  ***
>
> On 5/26/2001 at 8:58 AM Michael Cohen wrote:
>
> >Yes, that's true.  TLV's #22 and #135 are used to carry information needed
> >for MPLS TE however, in order to enable these TLV's on a cisco router, wide
> >metric support is required...
> >
> >http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t7/te120_7t.htm#xtocid214168
> >
> >
> >Cheers,
> >
> >-Michael Cohen
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Peter Van Oene
> >Sent: Saturday, May 26, 2001 1:02 AM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Isn't MPLS basically just ATM PNNI, but for layer 3?
> >[7:6015]
> >
> >
> >A small correction.  Traffic engineering databases are populated via new
> >TLV's in IS-IS (see Draft-ietf-isis-traffic-0x.txt).  Wide metric support is
> >not required.
> >
> >*** REPLY SEPARATOR  ***
> >
> >On 5/25/2001 at 12:06 PM Michael Cohen wrote:
> >
> >>Quite right.  RSVP-TE is only for path creation and setup.  Actual bandwidth
> >>allocation information is disseminated to all TE devices using the IGP (OSPF
> >>Opaque LSA's and IS-IS wide metrics).  This also leads to the current
> >>limitation of only running MPLS-TE within a single area of the link state
> >>IGP since the bandwidth information doesn't cross area boundaries.  Each
> >>head end of TE tunnels should know what bandwidth is available through the
> >>entire tunnel path prior to RSVP signaling.
> >>
> >>Cheers,
> >>
> >>-Michael Cohen
> >>
> >>-Original Message-
> >>From: Irwin Lazar [mailto:[EMAIL PROTECTED]]
> >>Sent: Friday, May 25, 2001 10:25 AM
> >>To: 'Michael Cohen'; [EMAIL PROTECTED]
> >>Subject: RE: Isn't MPLS basically just ATM PNNI, but for layer 3?
> >>[7:5765]
> >>
> >>
> >>Just to clarify, most other vendors are now heading down the RSVP-TE road
> >>for MPLS LDP provisioning (or at the very least, they are agreeing to
> >>support RSVP-TE).  The RSVP-TE vs. CR-LDP argument seems to finally be dying
> >>down.
> >>
> >>It should be noted that RSVP-TE is only for path creation and setup, it
> >>doesn't perform the same role as was envisioned for IntServ.
> >>
> >>If anyone is interested in comparing the two protocols, Data Connection has
> >>a good white paper on their site, which I link to from the MPLS Resource
> >>Center - www.mplsrc.com.
> >>
> >>
> >>Irwin
> >>
> >>
> >>-Original Message-
> >>From: Michael Cohen [mailto:[EMAIL PROTECTED]]
> >>Sent: Thursday, May 24, 2001 2:17 PM
> >>To: [EMAIL PROTECTED]
> >>Subject: RE: Isn't MPLS basically just ATM PNNI, but for layer 3?
> >>[7:5765]
> >>
> >>
> >>I think there might be some confusion as to where RSVP and CR-LDP are being
> >>used.  Steve is correct in saying that Cisco is using RSVP and most other
> >>vendors are using CR-LDP for Traffic Engineering.  Cisco is also using the
> >>proprietary TDP to distribute tags in their MPLS solution while other
> >>vendors are conforming to the MPLS standard LDP.  Cisco does support LDP for
> >>tag distribution in their 12.0.10ST and higher software and plans on
> >>deploying it in 12.2T for availability on most platforms.  I haven't heard
> >>Cisco planning support for CR-LDP with Traffic Engineering in the near
> >>future...
> >>
> >>-Mike
> >>
> >>-Original Message-
> >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >>Stephen Skinner
> >>Sent: Thursday, May 24, 2001 12:13 PM
> >>To: [EMAIL PROTECTED]
> >>Subject: RE: Isn't MPLS basically just ATM PNNI, but for layer 3?
> >>[7:5758]
> >>
> >>
> >>guys,
> >>
> >>thanks for your input .
> >>
> >

Re: Does MPLS really live up to all its hype? [7:6151]

2001-05-28 Thread KY

"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
> A great audience comment at the Atlanta NANOG, with
> respect to 2547, was "if this is the answer...it must have been a
> pretty stupid question."

Howard,

I remember you quoted this as a comment for virtual router design, which I
think is more appropriate.


KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6160&t=6151



Re: Does MPLS really live up to all its hype? [7:6151]

2001-05-28 Thread KY

"NRF" wrote in message news:[EMAIL PROTECTED]...

> And even the idea of higher throughput has been questioned by the mother of
> all networking, Radia Perlman:
> " Originally [MPLS] was designed to make it possible to build fast routers,
> but then, using techniques such as [trie searches, parallelism, K-ary
> searches] people built routers fast enough on native IP packets.  So now
> MPLS is thought to be mostly a technique for classifying the type of packet
> for quality of service or for assigning routes for traffic engineering..."
> (Interconnections, 2nd Ed., p. 347-348).  And I think we would all agree
> that anything Ms. Perlman says must be given serious weight.


Her book was published in 01/2000, and I would imagine the actual content must
have been written 6 months earlier than that date, so her comments on MPLS were
almost two years old; we all know what two years means in our network world.
Just read all those RFCs/Drafts since late 1999.
I believe MPLS will play a key role in the optical world, such as DWDM.

KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6161&t=6151



Re: Does MPLS really live up to all its hype? [7:6151]

2001-05-28 Thread KY

No.
Ms. Radia's comments were absolutely correct at the time of her writing, she
just could not say anything that had not happened while she wrote the book.
Tag switching and other similar proprietary technologies, on which MPLS was
built, were faster than IP switching when ip switching was way slower. When
MPLS came out, the speed of ip switching had already been greatly improved by new
hardware. So MPLS's design and implementation do not focus on beating ip
switching on speed anymore. Traffic engineering, VPN (both cisco and
juniper), integrating ip into ATM and DWDM are the arenas for MPLS, in my
opinion.

KY


"NRF" wrote in message news:[EMAIL PROTECTED]...
> So are you saying that what Radia wrote is outdated and that MPLS is indeed
> significantly faster than straight IP forwarding?  Bill St. Arnaud and
> Howard Berkowitz would emphatically disagree with that, so could you point
> me to some evidence supporting this contention that MPLS is indeed much
> faster?
>
> Not trying to flame, just trying to learn.
>
>
> "KY" wrote in message news:[EMAIL PROTECTED]...
> > "NRF" wrote in message news:[EMAIL PROTECTED]...
> >
> > > And even the idea of higher throughput has been questioned by the mother of
> > > all networking, Radia Perlman:
> > > " Originally [MPLS] was designed to make it possible to build fast routers,
> > > but then, using techniques such as [trie searches, parallelism, K-ary
> > > searches] people built routers fast enough on native IP packets.  So now
> > > MPLS is thought to be mostly a technique for classifying the type of packet
> > > for quality of service or for assigning routes for traffic engineering..."
> > > (Interconnections, 2nd Ed., p. 347-348).  And I think we would all agree
> > > that anything Ms. Perlman says must be given serious weight.
> >
> >
> > Her book was published in 01/2000, and I would imagine the actual content must
> > have been written 6 months earlier than that date, so her comments on MPLS were
> > almost two years old; we all know what two years means in our network world.
> > Just read all those RFCs/Drafts since late 1999.
> > I believe MPLS will play a key role in the optical world, such as DWDM.
> >
> > KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6171&t=6151



Re: Does MPLS really live up to all its hype? [7:6151]

2001-05-29 Thread KY

Mike,

I agree with you. cisco definitely made a fatal mistake here and left
huge room for at least one company, Juniper.

I do not know anything inside and am just talking about this off the top of my
head, but if Juniper can
recruit those optical R&D people from cisco, and develop its own
lambda router, cisco will lose its core market forever.
I have heard some big carriers are replacing their GSR with Juniper, if
Juniper can use their credit and make some solid optical routers, the rest
of the market will be shared by Lucent, Nortel and some others, there is no
place for cisco at the core.

KY


"Michael Cohen" wrote in message news:[EMAIL PROTECTED]...
> On a related subject that Howard brought up regarding GMPLS what does
> everyone think of Cisco's decision to dump the 15900 Wavelength Router?  It
> was slated to be one of the first commercial Multi Protocol Lambda Switching
> boxes using SRP however, on April 4th it suddenly disappeared from Cisco's
> web site.  They've stated that due to the economy it was not profitable to
> continue development of that product and that Cisco would instead pursue
> more immediate demands such as metro DWDM.
>
> In my opinion removing yourself from the Lambda Switching market is not a
> wise direction for the future.  The idea of unifying the intelligence and
> services of today's layer 3 (and up) boxes with the speed and redundancy of
> next-generation optical platforms is extremely profitable in the near
> future.  This should be where the market leaders in networking spend most of
> their R&D on.  I've heard Lucent and Nortel (among many others) are very
> active in developing intelligent optical switching.
>
> Any other opinions?
>
> -Michael Cohen
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> David Chandler
> Sent: Tuesday, May 29, 2001 10:49 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Does MPLS really live up to all its hype? [7:6151]
>
>
> of those functions already has an established (and often better)
> solution.  Would any vendor be recommending MPLS if it did not require
> an upgrade? $
>
>
> I vote:Floor Wax   :->
>
>
> PS: Where can I find the article?
>
> DaveC
>
>
>
> Irwin Lazar wrote:
> >
> > A colleague of mine wrote an article some time back entitled "MPLS: Dessert
> > Topping or Floor Wax"
> >
> > MPLS originally was created to solve the problem of slow, software-based
> > routers.  Hardware-based (aka Layer 3 switches) routers alleviated that
> > requirement.  Since then MPLS is being used for all sorts of different
> > functions including:
> >
> > - traffic engineering
> > - IP-based virtual private networks
> > - L2 encapsulation within L3 networks
> > - Reservation of L1/2 resources by L3-based control mechanisms
> >
> > IMHO, the basic goal of MPLS is to converge the various L1/2-specific
> > control mechanisms into a single, unified control plane capable of
> > provisioning and managing a path across a packet-based network
> > infrastructure.  But who knows where we will be in five years.
> >
> > Irwin
> >
> > -Original Message-
> > From: David Chandler [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 29, 2001 8:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Does MPLS really live up to all its hype? [7:6151]
> >
> > No Way!!!
> >
> > The Marketing people NEVER exaggerate. :->
> >
> > MPLS does seem like a solution to a problem that was fixed some time
> > ago...ie: fast-switching, CEF etc...
> >
> > DaveC
> >
> > NRF wrote:
> > >
> > > Mr. Berkowitz, please read this post and respond.
> > >
> > > Okay, I am going to run the risk of starting a religious war here.  But
> > > I do have to ask, is MPLS really as great as people say?
> > >
> > > I know many people, on newsgroups and in real-life, champion MPLS as the
> > > perfect answer to the problems of the core Internet.  Faster IP
> > > forwarding, traffic engineering, VPN capabilities, etc., it seems to have
> > > some powerful features.  No doubt, this attitude is sparked by Juniper,
> > > which is using MPLS as a strategic weapon against Cisco, and since Juniper
> > > keeps eating Cisco's lunch, it stands to reason that MPLS has something to
> > > do with it.  In fact, many network engineers treat MPLS as nothing less
> > > than the holy grail.
> > >
> > > But I wonder if the hype has be

Re: another OT: why you UNIX guys look down on we NT guys? [7:6334]

2001-05-29 Thread KY

Not any more, if it was one.

Why could you guys not just ignore that trash? This is not the first one
and it simply will not be the last.


"ElephantChild" wrote in message news:[EMAIL PROTECTED]...
> On Tue, 29 May 2001, Jim Bond wrote:
>
> > UNIX guys,
> >
> > I make $240K per year, how much you make? Why you guys
> > look down on us??? I don't get it...
> >
> > Jim
> > NT guy
>
> That's a troll, right?
>
> --
> "Someone approached me and asked me to teach a javascript course. I was
> about to decline, saying that my complete ignorance of the subject made
> me unsuitable, then I thought again, that maybe it doesn't, as driving
> people away from it is a desirable outcome." --Me
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6334&t=6334
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Cisco May Bid for Marconi [7:7024]

2001-06-03 Thread KY

Geeze!! Why not? I guess they already had this in mind when deciding to
cut their own 15900 Lambda router. Now it makes more sense.

Kent
"Circusnuts" wrote in message news:[EMAIL PROTECTED]...
> Geeze !!! Why !!!
>
> Phil
> - Original Message -
> From: Natasha
> To:
> Sent: Sunday, June 03, 2001 10:52 PM
> Subject: Cisco May Bid for Marconi [7:7024]
>
>
> > London, June 3 (Bloomberg) -- Cisco Systems Inc. may make a 12 billion
> > pound ($17 billion) bid for the U.K.'s Marconi Plc to increase sales in
> > Europe, Sunday Business reported, citing unidentified industry sources.
> >
>
> > http://www.bloomberg.com/fgcgi.cgi?T=marketsquote99_news.ht&s=AOxpdARUzQ2lzY28g
> >
> > Does anybody know anything about this?
> > Thanks
> >
> > --
> > Natasha Flazynski
> > CCNA, MCSE
> > http://www.ciscobot.com
> > My Cisco information site.
> > http://www.botbuilders.com
> > Artificial Intelligence and Linux development
> > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7034&t=7024



Re: Cisco May Bid for Marconi [7:7024]

2001-06-04 Thread KY

Noting that the officials from both companies declined to comment, it is so
obvious to me that they must be doing something.

Kent
"hal9001" wrote in message news:[EMAIL PROTECTED]...
> They have a pretty poor history as a defence contractor though.  They
> managed to squander millions/billions on a British version of AWACS which
> bellyflopped.  We ended up buying American again. They could not get the
> radar to work properly.  Apparently it had stationary brick walls moving at
> 100 m.p.h. etc. etc.  I trust that if Cisco acquire them they get rid of that
> division to someone who wants it, Lockheed-Martin perhaps!
>
> Karl
> - Original Message -
> From: "Philip Barker"
> To:
> Sent: Monday, June 04, 2001 2:04 PM
> Subject: Re: Cisco May Bid for Marconi [7:7024]
>
>
> > Natasha,
> >  Marconi are making no comment, citing that the top execs are in
> > Atlanta at a trade show.
> > My own personal thought would be that the Marconi execs would have issued
> > a statement if there was NO truth in the matter, since Marconi shares are
> > up 6% today on this rumour.
> >
> > Q: What have Marconi got that Cisco want ?
> > A: Strong European foothold.
> >
> > Regards,
> >
> > Phil.
> >
> > - Original Message -
> > From: "Natasha"
> > To:
> > Sent: Monday, June 04, 2001 3:52 AM
> > Subject: Cisco May Bid for Marconi [7:7024]
> >
> >
> > > London, June 3 (Bloomberg) -- Cisco Systems Inc. may make a 12 billion
> > > pound ($17 billion) bid for the U.K.'s Marconi Plc to increase sales in
> > > Europe, Sunday Business reported, citing unidentified industry sources.
> > >
> >
>
> > > http://www.bloomberg.com/fgcgi.cgi?T=marketsquote99_news.ht&s=AOxpdARUzQ2lzY28g
> > >
> > > Does anybody know anything about this?
> > > Thanks
> > >
> > > --
> > > Natasha Flazynski
> > > CCNA, MCSE
> > > http://www.ciscobot.com
> > > My Cisco information site.
> > > http://www.botbuilders.com
> > > Artificial Intelligence and Linux development
> > > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7142&t=7024



Re: CCIE Lab Remote (was RE: Current Wait time on the lab) [7:12748]

2001-07-17 Thread KY

Brian,

> Cisco needs to put safeguards in that don't allow people to take the
> test too often to solve this problem and I don't mean a weak solution like
> the 20 points on day one. I bet the average CCNP could get 20 points on
> day one.

Could you tell us why Cisco would not want people to take millions of labs
to get a certificate?

It does not matter to Cisco whether all CCIEs can get 200K/year or none of
the CCIEs can even find a job based on CCIE certificates. From Cisco's
standpoint, CCIE certification is just a business.
I do not see how Microsoft got hurt by the reputation of the MCSE. The only
losers are those who put money and time into their MCSE certification. I do
not see why the CCIE won't be the second MCSE; sooner or later that day will
come, and it seems to me it is just a matter of a year or two.

KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12748&t=12748



Re: CCIE market FLOOD !! was: Current Wait time on the lab [7:12750]

2001-07-17 Thread KY

Tony,

> !!!  Experience is KING !!
>
> Certifications are nice,  but what the employers that I have interviewed
> with lately really want is mega experience.  Something I don't have yet.


Here is what I came across on Mentortech's web site on the experience of
a receptionist they are looking for:
"Education & Experience:
At least one year previous experience as a receptionist, with multi-line
phone system."

What kind of phone system needs someone a year to get to the level of being
able to use it?
A 12 year old can learn how to use any phone system in the world in less
than 20 mins.

I guess at Mentortech, they are looking for the Queen of experience.

I know the reality is every employer is looking for experienced people, but
it does not mean it is not ridiculous, at least in my eyes. The first one to
implement MPLS on their production network had to use "inexperienced"
engineers to do it, I am pretty sure about that.

Just my .02.

KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12750&t=12750



Re: what's wrong with CCIE today? [7:13151]

2001-07-20 Thread KY

Okay, what is BASIC?
Knowing how to change the network configuration of Windows is basic, because
most people use Windows on their PCs. If some CCIEs do not know how to
configure Unix boxes and still finish their daily tasks, this means to these
CCIEs Unix skills are not basic.
When you hire them, you should know what they can do; if you want them to
do something they do not know yet, let them know your requirement and
give them time or some training to learn it. All CCIEs know how to learn,
this is how they got their numbers.
If I am not the administrator of a box, the last thing I want to do is to
touch the box without letting the admin know it. We all know this typical
story happening to everyone all the time:
"You walk into a computer room, put a card in a router, and the moment you
finish this, the router on a separate rack 30 feet away reboots itself. You
are the only one in the computer room, so you, to some extent in your boss's
mind, are responsible for this."

KY


"Sean Young" wrote in message news:[EMAIL PROTECTED]...
> Come on guys.  Everyone's point is very well taken.  I am NOT saying that
> a CCIE also has to be an expert with Unix.  All I am saying is that at
> the very least, have a basic understanding of the Unix OS so that one can
> accomplish basic tasks required by the job.  I bet that all CCIEs know
> how to change the network configuration in Microsoft Windows but not all
> CCIEs know how to do the same thing on a Unix system.  The point I am
> trying to make here is to know the basics.  I do notice the older CCIEs
> (#3500 and lower) are very well diversified with both their Cisco and Unix
> skills.  The newer ones only know "point and click".
>
>
>
> >From: "John Neiberger"
> >Reply-To: "John Neiberger"
> >To: [EMAIL PROTECTED]
> >Subject: Re: what's wrong with CCIE today? [7:13151]
> >Date: Fri, 20 Jul 2001 19:32:53 -0400
> >
> >Last time I checked, there was none of the following on the CCIE written
> >or lab:
> >
> >Unix
> >Tacacs Server Configuration
> >X-application tunneling over SSL
> >
> >Would you also expect a CCIE to be able to configure CICS on your
> >mainframe and troubleshoot terminal controller problems in VTAM on your
> >FEP?
> >
> >No, I don't think so. Remember, the first "C" in CCIE stands for
> >"CISCO". Just because it's incredibly hard to get does not mean it's
> >the ultimate pinnacle of networking achievement and there is nothing
> >left to learn.
> >
> >In fact, I relate it to a black belt in martial arts. Those with
> >experience understand that a black belt is yet another starting point,
> >it's not the end of the road.
> >
> >Okay, enough rambling. Time to go home!
> >
> >John
> >
> >>>> "Sean Young" 7/20/01 5:14:47 PM >>>
> >What's wrong with CCIEs today? I know that I am making general
> >assumptions; however, this is the second time that it has happened to the
> >company that I work for. We have several tacacs servers that we use to
> >authenticate users. These tacacs servers are running on a combination of
> >Linux and Solaris platforms. While I was away at the Networker
> >Conference, one of our tacacs servers (solaris) died due to hardware
> >failure and amazingly the tacacs process on the Linux died. Because
> >of this, everyone has to login to the routers and switches via local
> >account. We hired these CCIEs to maintain the network while I am away
> >for a few weeks. None of these CCIEs have any background with tacacs
> >servers running on Unix platforms. As to our problems, the simple thing to
> >do is just to restart the tacacs process by first: "killall tac_plus" and
> >second "/usr/sbin/tac_plus -C /etc/tacacs/tac_plus.cfg" but these CCIE
> >guys have absolutely no clue. Furthermore, they don't even know how to
> >use an editor in Unix (i.e. vi or emacs) and ended up screwing up my
> >tacacs configuration files. We have a few employees that need tacacs
> >accounts but these CCIE guys have no clue how to add new users to a
> >configuration file, which if anyone has done tacacs on the unix platform
> >knows that you just modify the configuration file tac_plus.conf and
> >restart the tacacs process. These CCIE guys say that they come from a
> >windows environment so they don't have too much with Unix platforms. I
> >also notice that a lot of CCIEs these days lack the Unix skills that are
> >required for the Service Providers environment. Most don't even know how
> >to tunnel X-applications through Secure Shell (SSH). I still remember
> >those days &

Re: FrameRelay Over Utilized [7:13349]

2001-07-23 Thread KY

Raul is right, if you see a lot of CRCs and interface resets (because of the
CRCs), it has nothing to do with the utilization of the circuit. Just beat
up your telco; I have seen this thousands of times. If you are sure your
router and its card are okay, just let them test the circuit with a T-bird
and even rebuild the PVC from their side.

Good Luck

KY
"Raul F. Fernandez" wrote in message news:[EMAIL PROTECTED]...
> CISCO routers prioritize the LMI packets so they will drop data frames
> before LMI packets.
> This was told to us by TAC.
>
> Raul
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, July 23, 2001 8:16 PM
> To: [EMAIL PROTECTED]
> Subject: FrameRelay Over Utilized [7:13349]
>
>
> Well, if it's really really overloaded, it can cause the circuit to drop if
> LMI packets aren't getting through to/from the FR switch.  But it's got to
> be pretty chockers for that to happen.
> You could bung traffic shaping on it and throttle back the traffic, so the
> service isn't over-utilised, and see if you still get CRCs/errors/drops.
> If you do, you then have some extra evidence to beat your telco over the
> head with.
>
> Is dlci 501 the only PVC on that service?  If not, do the other PVCs drop
> as well?  If it's only one PVC affected, I'm not sure how over-utilising it
> could cause the PVC to drop out.
>
> JMcL
>
> -- Forwarded by Jenny Mcleod/NSO/CSDA on 24/07/2001
> 09:51 am ---
>
>
> "Jeff" @groupstudy.com on 23/07/2001 11:20:11 pm
>
> Please respond to "Jeff"
>
> Sent by:  [EMAIL PROTECTED]
>
>
>
> To:   [EMAIL PROTECTED]
> cc:
>
>
> Subject:  FrameRelay Over Utilized [7:13349]
>
>
> Hello,
> If I have a frame relay switch which is being over utilized, will that cause
> the connection to drop?  After looking in the log I see "dlci 501 state
> changed to inactive", "line protocol on interface s0/0.1 changed to down",
> "dlci 501 active", and this keeps going and going throughout the log.  The
> local telco insists that the circuit is overutilized and this is why the
> connection is dropping.  I think it is a telco or CSU problem.  Also doing a
> show interface is showing 3000 CRC errors and 500 interface resets for the
> past 3 days.  Is there any way to tell for sure whether it is
> overutilization or a telco problem??




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=13456&t=13349



wccp question [7:16558]

2001-08-20 Thread KY

Hi all,

Can I run the normal web caching (for outbound traffic) and reverse proxy
caching at the same time on the same content engine?

Thanks

KY




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16558&t=16558



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Any decent ISP will refuse DNS recursion from any IP address that is not
within its own address space.  This is fundamental to DNS security.
You need to rewrite the destination IP address.  Note that Cisco's NAT
is not suitable for this because of the DNS ALG.  The easiest thing to
do may be to provide an on-site caching DNS using the old ISP's DNS
addresses.  If you've got a lot of workstations and a decent bandwidth
to the Internet, you will probably find that running your own DNS cache
will be more satisfactory anyway.
rgds
Marc TXK


Godswill HO wrote:
> 
> You can still use your former ISP's DNS records while using the new ISP's
> bandwidth. It does not matter who owns the DNS server. Everybody has access
> to it once they are on the internet, except when they are specifically
> filtered.
> 
> The only drawback is that your new ISP has to forward the packet in a
> round trip to the old ISP's network through the internet before they are
> resolved and sent back to your machine; had you been using the DNS of
> your new ISP, these requests would stop there. Do not lose your sleep,
> because at the worst these delays are in milliseconds and not easily
> noticeable by the eye; moreover each machine has a cache so it does not
> forward every request. Great if you have a Cache Engine to complement the
> machine's cache.
> 
> Whatever, you are kool and everything will be fine, switch to your new ISP
> and enjoy.
> 
> Regards.
> Oletu
> - Original Message -
> From: Michael Hair
> To:
> Sent: Sunday, February 17, 2002 8:07 PM
> Subject: DNS Request Redirection [7:35703]
> 
> > I was wondering what is the best way to take care of the following:
> >
> > I have been using a private address space behind a Cisco 4500 router
> > connected up to our current ISP using NAT; now we want to move our
> > connection from our current ISP to a new ISP with better bandwidth. My
> > problem is that we don't want to change all our client machines' TCP/IP
> > settings, which are all static; for some reason or another they were all
> > set up to use our ISP's DNS. Not my idea, but that's another problem. So
> > how can I set up our router to forward requests looking for our current
> > ISP's DNS to our new ISP's DNS without touching all the client machines?
> >
> > Would the best way be to use policy-based routing?
> >
> > Would a static route work?
> >
> > Could I use a static route under NAT?
> >
> > If someone could provide me a sample of how you could do this I would be
> > grateful...
> >
> > Thanks
> > Michael
> _
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35743&t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Recursion is precisely what he was concerned about.  As you have
alluded, there are two roles for a DNS server, caching (which requires
recursion), and authoritative.  An ISP does not need to publish the
addresses of an authoritative nameserver, those addresses are stored in
the distributed database and are therefore found naturally.  The only
reason for publishing an ISP's DNS server addresses to their customers is
for use as caching servers (often confusingly called resolvers).
Whereas using another ISP's DNS cache servers may be technically possible
right now because of lax practices, I wouldn't want all my users to be
cut off by events beyond my control e.g. when said lax ISP engages a
half-decent DNS consultant.  Within DNS circles the practice is frowned
upon, and it might be held that it is actually criminal in several
jurisdictions.  My own belief is that running your own caching DNS
server is almost always the best solution, but then I am biased since
DNS is my specialism :-)
rgds
Marc TXK

Priscilla Oppenheimer wrote:
> 
> At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
> >Any decent ISP will refuse DNS recursion from any IP address that is not
> >within its own address space.
> 
> He wasn't asking about recursion. He was asking about the initial query
> from the end host. Although I could believe you that a service provider
> should make sure these queries only come from customers, my experience is
> that service providers don't do this. I can set my PC to use a variety of
> DNS servers around the Internet and it works.
> 
> I think it's because it's tricky to do, especially for small ISPs. Some
> ISPs might have only one DNS server. The same server that provides DNS
> services to Internet-access customers may also be the authority for various
> names managed by the ISP. The ISP may be doing Web hosting and be the
> authority for a bunch of names. In that case, it can't filter out DNS
> queries coming from the Internet.
> 
> For example, say your PC asks your local DNS server to resolve
> www.priscilla.com. Your server can't do it. It asks its upstream server,
> probably one of the root servers. The root server figures out that
> petiteisp.com owns www.priscilla.com and tells your server the IP address
> of the authoritative name server at petiteisp.com. Your server queries
> petiteisp.com which gives your server the IP address for www.priscilla.com.
> Your server finally responds to your PC.
> 
> Notice that the query to petiteisp.com came from some unexpected IP address
> that can't be anticipated in a filter. If petiteisp.com had a filter to
> allow queries only from its customers, the query from your server would
> have failed.
> 
> Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger
> ISPs have more than one DNS server, one for Internet access customers, and
> one that is the authority for names owned by the ISP.
> 
> Priscilla
> 
> >  This is fundamental to DNS security.
> >You need to rewrite the destination IP address.  Note that Cisco's NAT
> >is not suitable for this because of the DNS ALG.  The easiest thing to
> >do may be to provide an on-site cacheing DNS using the old ISPs DNS
> >addresses.  If you've got a lot of workstations and a decent bandwidth
> >to the Internet, you will probably find that running your own DNS cache
> >will be more satisfactory anyway.
> >rgds
> >Marc TXK
> >
> >
> >Godswill HO wrote:
> > >
> > > You can still use your former ISP's DNS records while using the new ISP's
> > > bandwidth. It does not matter who owns the DNS server. Everybody has access
> > > to it once they are on the internet, except when they are specifically
> > > filtered.
> > >
> > > The only drawback is that your new ISP has to forward the packet in a
> > > round trip to the old ISP's network through the internet before they are
> > > resolved and sent back to your machine; had you been using the DNS of
> > > your new ISP, these requests would stop there. Do not lose your sleep,
> > > because at the worst these delays are in milliseconds and not easily
> > > noticeable by the eye; moreover each machine has a cache so it does not
> > > forward every request. Great if you have a Cache Engine to complement the
> > > machine's cache.
> > >
> > > Whatever, you are kool and everything will be fine, switch to your new ISP
> > > and enjoy.
> > >
> > > Regards.
> > > Oletu
> > > - Original Message -
> > > From: Michael Hair
> > > To:
> > > Sent: Sunday, Fe

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Tim,
If you wish to provide authoritative DNS service from behind a NAT
router, then with a Cisco the NAT code contains various ALGs
(application level gateway I think) including one for DNS.  This ALG
translates A records, MX and PTR records where it can.  IIRC if it can't
then the response is not passed at all (which many people believe is a
major issue).  So if the DNS server is behind the same NAT boundary as
the servers, all well and good, just use the private addresses in the
DNS and they'll be translated.  However if the DNS server is not behind
the same NAT boundary as the servers, then you're stuffed.  In DNS
circles, the purists don't like all this because this technique is
probably not possible to maintain for more complex DNS record types, and
I believe it only does UDP, so I guess that it isn't "best practice".
rgds
Marc TXK


Tim Booth wrote:
> 
> Out of curiosity, what is the "best practice" for someone who has a
> DNS server on their private network with a private IP address? How would
> one go about doing this with a router? Is it impossible? Is the "best
> practice"/only possible way to have the DNS server with a public IP
> address (in a DMZ)?
> 
> Kind Regards,
> Tim Booth
> MCDBA, CCNP, CCDP, CCIE written
> -
> Those who would give up essential liberty to purchase a little temporary
> safety deserve neither liberty nor safety.
> Benjamin Franklin, 1759
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 13:16
> To: [EMAIL PROTECTED]
> Subject: Re: DNS Request Redirection [7:35703]
> 
> hhmmm.
> 
> as I understand the original question, each workstation in the network in
> question is hard coded for DNS.
> 
> So, if for example, my machine is hard coded for DNS server 207.126.96.162
> ( my ISP DNS server ) and I change ISP's, and make no changes to my
> workstation, then any DNS request will have a destination address of
> 207.126.96.162
> 
> The question, as I understand, is how to change that destination address
> without making workstation visits.
> 
> Policy routing can change next hop, but not destination address. NAT
> outbound changes source address, not destination address.
> 
> Unless there is a packet interceptor that takes all DNS requests, and
> physically changes the destination address, the user has few options.
> 
> Again, IF the former ISP does not restrict DNS requests to its own address
> space, i.e. accepts DNS requests from anywhere, then there is no problem,
> and no changes need be made.
> 
> However IF ( and this would be good practice for a lot of reasons ) the
> former ISP does indeed restrict DNS requests to source addresses within its
> own space, then there will have to be additional changes on the user
> network.
> 
> This whole discussion illustrates why people SHOULD follow best practice
> from the get go. If they want to hard code IP's, then I believe DHCP can be
> configured so that it provides only DNS info and default gateway info, for
> example. The people who have insisted that their network hard code
> everything are now learning the hard lesson.
> 
> Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35807&t=35703
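Marc's two posts above (refusing recursion to addresses outside the ISP's own space, and the Cisco NAT DNS ALG translating A records), together with Priscilla's walk-through of why an authoritative server has to answer queries from anywhere, can be put side by side in code. The following is an added example written for this page, not code from the thread, from Cisco or from any DNS implementation: a minimal DNS wire-format parser, a toy server that serves its own zones to any source but returns REFUSED to recursion requests from outside its customer prefix, and an A-record rewriting function modelled on Marc's description of the ALG (his recollection that an untranslatable response is dropped is modelled as returning None, and is not verified against IOS). The zone name, prefixes, addresses and NAT table are constructed values.

```python
"""Added example (not from the thread, Cisco or any DNS implementation): a toy
DNS server policy and a NAT "DNS ALG".  All names, prefixes and addresses are
constructed."""
import ipaddress
import struct

QTYPE_A, RCODE_NXDOMAIN, RCODE_REFUSED = 1, 3, 5
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080

# Constructed data: the zone uses a private address because, as in Marc's
# "same NAT boundary" case, the DNS and web servers sit behind the same NAT.
AUTH = {"priscilla.com.": {"www.priscilla.com.": "192.168.1.10"}}
RECURSION_NETS = ["10.0.0.0/8"]               # the ISP's own customer space
CACHE = {"www.example.com.": "198.51.100.7"}  # stands in for recursive lookups
NAT_MAP = {"192.168.1.10": "203.0.113.10"}    # inside -> outside static NAT

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:                 # compression pointer
            tail, _ = decode_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def parse_records(msg):
    """Return (flags, [(name, type, rdata_offset, rdlength)]) for every RR."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rrs.append((name, rtype, off + 10, rdlen))
        off += 10 + rdlen
    return flags, rrs

def build_query(qid, qname):
    """Stub-resolver query: RD set, one A question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)

def answer_query(query, client_ip, auth=AUTH, nets=RECURSION_NETS, cache=CACHE):
    """Authoritative data is served to anyone; recursion only to clients in nets."""
    qid, qflags = struct.unpack("!HH", query[:4])
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    client = ipaddress.ip_address(client_ip)
    may_recurse = any(client in ipaddress.ip_network(n) for n in nets)
    zone = next((z for z in auth if qname == z or qname.endswith("." + z)), None)
    flags = FLAG_QR | (qflags & FLAG_RD) | (FLAG_RA if may_recurse else 0)
    if zone is not None:                      # our own data: answer anyone, AA set
        flags, ip = flags | FLAG_AA, auth[zone].get(qname)
    elif may_recurse:                         # a customer: answer from the cache
        ip = cache.get(qname)
    else:                                     # outsider asking us to recurse
        flags, ip = flags | RCODE_REFUSED, None
    if ip is None and flags & 0xF == 0:
        flags |= RCODE_NXDOMAIN
    answers = [ip] if ip else []
    resp = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0) + question
    for ip in answers:                        # RR name is a pointer to the question
        resp += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
        resp += ipaddress.ip_address(ip).packed
    return resp

def summarize(resp):
    """(rcode, aa, ra, [A addresses]) of a response."""
    flags, rrs = parse_records(resp)
    ips = [str(ipaddress.ip_address(resp[o:o + 4])) for _, t, o, _ in rrs if t == QTYPE_A]
    return flags & 0xF, flags >> 10 & 1, flags >> 7 & 1, ips

def dns_alg_rewrite(resp, nat_map=NAT_MAP):
    """Rewrite A-record addresses inside -> outside.  A private address with no
    mapping cannot be fixed up, so the response is dropped (None); that drop is
    Marc's recollection of the Cisco ALG, not verified here."""
    out = bytearray(resp)
    for _, rtype, off, _ in parse_records(resp)[1]:
        if rtype != QTYPE_A:
            continue
        inside = ipaddress.ip_address(bytes(out[off:off + 4]))
        if str(inside) in nat_map:
            out[off:off + 4] = ipaddress.ip_address(nat_map[str(inside)]).packed
        elif inside.is_private:
            return None
    return bytes(out)

if __name__ == "__main__":
    q = build_query(1, "www.example.com.")
    print("customer, foreign name:", summarize(answer_query(q, "10.1.2.3")))
    print("outsider, foreign name:", summarize(answer_query(q, "198.51.100.50")))
    r = answer_query(build_query(2, "www.priscilla.com."), "198.51.100.50")
    print("outsider, our zone:", summarize(r), "after ALG:", summarize(dns_alg_rewrite(r)))
```

The case to look at is the outside client: it receives an authoritative answer (AA set) for www.priscilla.com. but REFUSED for www.example.com., which is the split Marc describes and which leaves Priscilla's iterative-resolution scenario working. The ALG pass then shows the private address in that authoritative answer being replaced by its outside address before the response leaves the NAT boundary.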



Re: Bit / bytes [7:36562]

2002-02-27 Thread Marc Thach Xuan Ky

Bytes are not part of the OSI model until at least the presentation
layer (I can't remember whether there is an ASN1 byte datatype).  Comms
engineers talk about octets but note that by the time we get down to
layer 2 we start to encounter techniques such as bit-stuffing, so a
frame may not even have a multiple of eight bits in it.  So from this we
must assume that there is no conversion from bits to bytes or
vice-versa.
rgds
Marc

Pierre-Alex Guanel wrote:
> 
> This is clear. Thank you!
> 
> Pierre-Alex
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Priscilla Oppenheimer
> Sent: Tuesday, February 26, 2002 8:27 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Bit / bytes [7:36562]
> 
> Layer 1 just understands bits. Hardware, in general, understands voltage
> and no voltage (one or zero). I guess it could understand high voltage and
> low voltage. In fact, there are even ternary systems that understand high,
> kinda high, and low.
> 
> Back in the early days, software engineers got kind of sick of having to
> deal with long streams of numbers and decided to aggregate them. An 8-bit
> byte worked out for many systems. (There used to be systems that used a
> 12-bit byte).
> 
> So anything that is implemented in software (or software that has become
> firmware) uses bytes or perhaps nibbles or words. Most NICs that handle
> data-link-layer processes have some software (driver) or firmware (chip
> set). Thus, I would say that they deal with bytes or nibbles or words or
> floating integers or arrays or link lists or symbol tables or at least
> something of a higher order than voltage being present or not.
> 
> Priscilla
> 
> At 07:12 PM 2/26/02, you wrote:
> >Is conversion of bits into bytes and vice versa a function of Layer 1 or
> >Layer 2?
> >
> >I have seen contradictory info.
> >
> >(I would say it is a layer 2 function because Layer 1 is only physical
> >matters like voltage etc... but someone may have a logic to prove me
> >wrong)
> >
> >
> >thanks,
> >
> >Pierre-Alex
> 
> 
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36750&t=36562
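Marc's remark above that a layer-2 frame need not contain a multiple of eight bits because of bit-stuffing can be seen with HDLC zero-bit insertion. The code below is an added example for this page, not from the thread or from any vendor: it stuffs and unstuffs a bit string and frames it between flags, on constructed payloads. The FCS is left out, so it is a demonstration of the stuffing step, not a complete HDLC framer.

```python
"""Added example: HDLC-style zero-bit insertion ("bit stuffing"), showing why
a frame on the wire can have a bit count that is not a multiple of eight even
though the payload handed down from layer 3 is whole octets.  Payloads are
constructed; the FCS is omitted."""

FLAG = "01111110"   # 0x7E, the HDLC frame delimiter

def octets_to_bits(data):
    """HDLC sends each octet least-significant bit first."""
    return "".join(format(b, "08b")[::-1] for b in data)

def bits_to_octets(bits):
    if len(bits) % 8:
        raise ValueError("unstuffed payload is not a whole number of octets")
    return bytes(int(bits[i:i + 8][::-1], 2) for i in range(0, len(bits), 8))

def stuff(bits):
    """Insert a 0 after every five consecutive 1s, so the payload can never
    contain the six-ones flag pattern between the delimiters."""
    out, run = [], 0
    for b in bits:
        out.append(b)
        run = run + 1 if b == "1" else 0
        if run == 5:
            out.append("0")
            run = 0
    return "".join(out)

def unstuff(bits):
    """Receiver side: a 0 that follows five 1s was inserted and is dropped."""
    out, run, i = [], 0, 0
    while i < len(bits):
        b = bits[i]
        out.append(b)
        i += 1
        run = run + 1 if b == "1" else 0
        if run == 5:
            i += 1          # skip the stuffed zero
            run = 0
    return "".join(out)

def frame(payload):
    """Flag + stuffed payload + flag, as a bit string."""
    return FLAG + stuff(octets_to_bits(payload)) + FLAG

def deframe(frame_bits):
    if not (frame_bits.startswith(FLAG) and frame_bits.endswith(FLAG)):
        raise ValueError("missing flag")
    return bits_to_octets(unstuff(frame_bits[len(FLAG):-len(FLAG)]))

def frame_bit_length(payload):
    return len(frame(payload))

if __name__ == "__main__":
    for payload in (b"\x7e", b"\xff\xff", b"hello"):
        f = frame(payload)
        note = "octet multiple" if len(f) % 8 == 0 else "NOT an octet multiple"
        print(payload, len(f), "bits on the wire,", note, "->", deframe(f))
```

Two octets of 0xFF become 19 payload bits after stuffing and a 35-bit frame, while a payload with no run of five 1s (such as "hello") stays at a multiple of eight; the round trip through deframe() recovers the original octets in both cases.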



Re: Reverse Telnet SW for PC? [7:37246]

2002-03-05 Thread Marc Thach Xuan Ky

Have you tried Linux?
Marc

Johan Hjalmarsson wrote:
> 
> Does anybody know if there's any software out there to turn a PC into a
> "Cisco 2509"?
> What I need is the ability to telnet to the PC and get the telnet traffic
> redirected out a COM port, just like reverse telnet in the Cisco.
> One solution is of course to get a 2509, but for the moment my budget won't
> let me :-( and I've already got a PC with 8 COM ports.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37248&t=37246



2500 flash memory SIMMs don't work [7:37586]

2002-03-07 Thread Marc Thach Xuan Ky

A couple of months ago I bought some (non-approved) 8M flash for c2500
for $76 per SIMM (ouch).  I couldn't write to them.  I have now upgraded
to bootrom version 11.0(10c)XB2.  I still can't write to them.  The
SIMMs are marked SMART SM73228XV1CAVS0.  Does anybody know whether these
modules should work?  The vendor is a bit unresponsive.
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37586&t=37586



Re: NAT concepts [7:37815]

2002-03-11 Thread Marc Thach Xuan Ky

As far as I can tell this is another one of those Cisco quirks.  Unless
Cisco plan for the future a mechanism whereby the route to the NAT pool
is dynamically advertised, then the subnet mask has no *real* function. 
IMO while routes to the pool are statically defined and then redist, it
remains a mere annoyance.
rgds
Marc

saleem bilal wrote:
> 
> Dear Paul:
> 
> according to my perception: when we have a pool of addresses hired from a
> certain operator/internic we configure it to be used statically or through
> NAT. We may not need to use all IP addresses for NAT alone but some of them
> can be used for static translation. That's why we describe the start IP
> address and end IP address. The NAT function should know the subnet mask
> because when a packet from a private address comes in it is translated
> through NAT with the subnet mask attached. The subnet mask in this case will
> help the routing of the packet when it comes back to the originating system
> through different routers. Plus in all IP address scenarios we need to
> mention the IP address with mask as routers do the AND operation to extract
> the original IP address. It would not have been possible for any router in
> the path to extract the original network without having the subnet mask.
> 
> I hope you understand what I'm saying




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37844&t=37815



Re: HELP !! CCIE 2B or NOT? [7:36542]

2002-03-14 Thread Marc Thach Xuan Ky

I was under the impression that some asian countries used the
numerically consistent notation y/m/d :-)  This of course demonstrates
that the world is a big place with many different outlooks.  We should
be able to accommodate them all and Tim is therefore free to put whatever
sig he likes at the bottom of his mails.
rgds
Marc

Tom Lisa wrote:
> 
> Everywhere except U.S. civilian usage.  U.S. Military uses day/mo/yr
> format.  At least
> it did when I was a member 20 years ago.
> 
> Prof. Tom Lisa, CCAI
> Community College of Southern Nevada
> Cisco ATC/Regional Networking Academy
> 
> "[EMAIL PROTECTED]" wrote:
> 
> > "european-format"?  I thought it was "everywhere except the US format"!
> > ;-)
> >
> > JMcL
> > - Forwarded by Jenny Mcleod/NSO/CSDA on 28/02/2002 01:47 pm -
> >
> > "Steven A. Ridder"
> > Sent by: [EMAIL PROTECTED]
> > 28/02/2002 12:26 pm
> > Please respond to "Steven A. Ridder"
> >
> >
> > To: [EMAIL PROTECTED]
> > cc:
> > Subject:Re: HELP !! CCIE 2B or NOT? [7:36542]
> >
> > Australia uses "european-format" time as well?
> >
> > --
> >
> > RFC 1149 Compliant.
> >
> >  wrote in message
> > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > However if you do this I suggest you use a less ambiguous date format -
> > > my first reaction is "oh, so you did the lab in January - but did you
> > > pass??"
> > >
> > > JMcL
> > > - Forwarded by Jenny Mcleod/NSO/CSDA on 28/02/2002 10:57 am -
> > >
> > >
> > > "Jeff Buehler"
> > > Sent by: [EMAIL PROTECTED]
> > > 28/02/2002 09:29 am
> > > Please respond to "Jeff Buehler"
> > >
> > >
> > > To: [EMAIL PROTECTED]
> > > cc:
> > > Subject:Re: HELP !! CCIE 2B or NOT? [7:36542]
> > >
> > >
> > > Perhaps it would be more appropriate to put your lab date instead of
> > > the "CCIE Written" if you want to demonstrate where you are in your
> > > pursuit...for example.
> > >
> > > CCIE R/S LAB 6-1-2002 RTP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38244&t=36542



Re: NAT questions-will overlap occur? [7:38764]

2002-03-19 Thread Marc Thach Xuan Ky

Hi Tong,
The second method you use is twice-NAT, both source and destination
addresses are converted.  This does not work well on Cisco routers
unless all NAT entries are defined statically.  This is sometimes a good
policy anyway where there are only a small number of known connections,
which is often the case when connecting to exchange feeds for instance.

You have an address clash.  Note that a NAT router has only one IP stack
and one routing table.  You cannot have the same network on both sides
of the NAT router.  In your case it might be possible to use a /25 mask
and use .129-.254 for the pool, however, I would not recommend this
without further information from you.

Normally I would want to use a NAT pool that was not present on either
side of the router.  Is there a reason that you are using that pool
anyway?  Is this dictated by the provider, or are they happy to route to
a network that you specify?
You need to know how many servers will be contacted within the financial
services provider, and how many clients on your network, also which way
is the connection made?  Is it a persistent connection?  Is there any
name resolution across the router?

rgds
Marc TXK


"Sim, CT (Chee Tong)" wrote:
> 
> I found my previous administrator configured the following NAT for my router
> (shown below). Our network is in 50.100.X.X and we need to contact a
> workstation in 192.168.3.X network (192.168.3.1-192.168.3.100). That's why
> he defined the source pool to be from 192.168.3.101 192.168.3.240
> 
>

> interface Ethernet0
>  description Interface facing Financial Service Provider
>  ip address 192.168.3.1 255.255.255.0
>  ip nat outside
> 
> interface Ethernet1
>  description Interface facing Rabobank (Trusted) network
>  ip address 50.100.165.240 255.255.255.0
>  ip nat inside
> 
> ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> ip nat inside source list 1 pool XXY
> 
> ##
> 
> Q1) But when I show ip nat trans I saw the following. I understand the
> first two, but not line 3. The 192.168.3.118 should be the source address
> of the returning packet; what is 192.168.3.119?
> 
> RBFW2514#sh ip nat trans
>     Inside global   Inside local     Outside local   Outside global
> --- 192.168.3.117   50.100.165.81    ---             ---
> --- 192.168.3.118   50.100.165.210   ---             ---
> --- 192.168.3.119   192.168.3.118
>

> 
> Q2) I understand there is another kind of NAT which works like the following.
>     Inside global     Inside local    Outside local   Outside global
>     192.168.2.2:1234  10.0.0.1:1234   172.21.3.1:23
>     192.168.2.2:      10.0.0.2:       172.21.3.2:23
>     192.168.2.2:      10.0.0.3:       172.21.3.4:23
> 
> What is the difference between these methods? I think both NAT can work. Why
> don't we use this one?
> 
> Q3) But in this method, I found a problem: what if 10.0.0.1 and 10.0.0.2 use
> the same port? There will be 2X 192.168.2.2: in the inside global.
> Will 192.168.2.2: have a problem identifying which to NAT back to
> 10.0.0.1 or 10.0.0.2?
> 
> Thanks a lot
> Tong
> 
> ==
> The information contained in this message may be confidential
> and is intended to be exclusively for the addressee. Should you
> receive this message unintentionally, please do not use the contents
> herein and notify the sender immediately by return e-mail.
> 
> ==




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38771&t=38764



Re: NAT with printer [7:38781]

2002-03-19 Thread Marc Thach Xuan Ky

Have you disallowed the printer address with an acl for the pool?
Marc

Zolla Zimmerman wrote:
> 
> Hi All,
> 
> I really have a problem. I have enabled NAT on the router. I am able to
> reach all PCs but the printer. Here is the scenario:
> 
> 192.168.1.0             192.168.3.0
>      |                       |
>      |                       |
>   --Router1-------------Router2--
>                              |
>                              |
>                        192.168.3.252
>                          (Printer)
> 
> 1. We have enabled NAT on router2 to translate 192.168.3.0 0.0.0.250 to a
> pool 192.168.8.0
> 2. Enabled static NAT for printer to 192.168.8.252
> 
> Please help
> 
> Zolla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38800&t=38781



Re: nat pool problem [7:38872]

2002-03-20 Thread Marc Thach Xuan Ky

Have you got a route to the pool?
Marc

george wrote:
> 
> I'm having problems statically translating a server to the outside world, but
> looking at my config, is there something I'm missing?
> 
> 
> hostname Router
> !
> logging buffered 8192 debugging
> enable secret 5 $1$D7U1$YMuIAg0B3iJtwD0vt0ZWn0
> !
> username Router password 7 097C4F1A0A1218000F
> !
> !
> !
> !
> !
> dial-peer voice 1 pots
>  call-waiting
>  ring 0
>  port 1
>  destination-pattern 6688594
> !
> dial-peer voice 2 pots
>  call-waiting
>  ring 0
>  port 2
>  destination-pattern 6688549
> !
> pots country US
> !
> ip subnet-zero
> no ip source-route
> !
> isdn switch-type basic-ni
> !
> !
> !
> interface Ethernet0
>  ip address 192.168.9.102 255.255.255.0
>  ip access-group 121 in
>  no ip proxy-arp
>  ip nat inside
> !
> interface BRI0
>  no ip address
>  encapsulation ppp
>  dialer pool-member 1
>  isdn switch-type basic-ni
>  isdn spid1 95666885940101 6688594
>  isdn spid2 95666885490101 6688549
>  isdn incoming-voice modem
>  ppp authentication chap pap callin
>  ppp multilink
> !
> interface Dialer1
>  description ISP
>  ip address 66.85.189.9 255.255.255.248
>  ip access-group 121 in
>  no ip proxy-arp
>  ip nat outside
>  encapsulation ppp
>  no ip split-horizon
>  dialer remote-name Cisco1
>  dialer pool 1
>  dialer idle-timeout 2147483
>  dialer string 9840559 class DialClass
>  dialer hold-queue 10
>  dialer load-threshold 1 either
>  dialer-group 1
>  pulse-time 0
>  ppp authentication chap pap callin
>  ppp chap hostname loopcold
>  ppp chap password 7 04560807032D4940
>  ppp pap sent-username loopcold password 7 09414D081509121C
>  ppp multilink
> !
> ip nat pool ISPNATPool 66.85.189.11 66.85.189.14 netmask 255.255.255.248
> ip nat inside source list 18 pool ISPNATPool overload
> ip nat inside source static 192.168.9.101 66.85.189.10
> no ip http server
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer1
> !
> !
> map-class dialer DialClass
>  dialer isdn speed 56
> access-list 18 permit 66.85.189.8 0.0.0.7
> access-list 121 deny   udp any eq netbios-dgm any
> access-list 121 deny   udp any eq netbios-ns any
> access-list 121 deny   udp any eq netbios-ss any
> access-list 121 deny   tcp any eq 137 any
> access-list 121 deny   tcp any eq 138 any
> access-list 121 deny   tcp any eq 139 any
> access-list 121 permit ip any any time-range TIME
> dialer-list 1 protocol ip permit
> !
> line con 0
>  exec-timeout 120 0
>  transport input none
>  stopbits 1
> line vty 0 4
>  exec-timeout 0 0
>  password 7 082F435A0809041E1C
>  login
> 
> [GroupStudy.com removed an attachment of type image/gif]
> 
> [GroupStudy.com removed an attachment of type Image/jpeg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38913&t=38872
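
A constructed checker for the three configuration problems that come up in the NAT threads above: the pool carved out of the provider-facing 192.168.3.0/24, the printer that is both statically mapped and still inside the dynamic ACL, and an ACL that never matches an inside address. It is an added example, not Cisco's code and not from any post; the sample configs are modelled on the posts with assumed interface names, and only the IOS forms used in those posts are parsed.

```python
"""Constructed IOS NAT config checker (added example; not Cisco code).  It flags a
dynamic pool overlapping a network connected to the router, a statically mapped
host that the dynamic ACL also matches, and an ACL matching no inside address."""
import ipaddress
import re

def acl_entry(action, spec):
    """Turn the address part of a standard ACL line into (action, network)."""
    parts = spec.split()
    if parts[0] == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif parts[0] == "host":
        net = ipaddress.ip_network(f"{parts[1]}/32")
    elif len(parts) == 2:  # address plus wildcard (an inverted mask)
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(parts[1])))
        net = ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False)
    else:  # a bare address is an exact host
        net = ipaddress.ip_network(f"{parts[0]}/32")
    return action, net

def acl_permits(entries, host):
    """First match wins; the implicit deny at the end drops everything else."""
    for action, net in entries:
        if host in net:
            return action == "permit"
    return False

def parse_ios_nat(config):
    """Collect interfaces, pools, ACLs and NAT statements (only the forms the posts use)."""
    f = {"interfaces": [], "pools": {}, "dynamic": [], "static": [], "acls": {}}
    cur = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = {"name": m[1], "net": None, "role": None}
            f["interfaces"].append(cur)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and cur:
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and cur:
            cur["role"] = m[1]
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            f["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)", line):
            f["dynamic"].append((m[1], m[2]))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            f["static"].append(ipaddress.IPv4Address(m[1]))
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
            f["acls"].setdefault(m[1], []).append(acl_entry(m[2], m[3]))
    return f

def check_nat_config(config):
    """Return human-readable findings; an empty list means nothing to flag."""
    f = parse_ios_nat(config)
    findings = []
    connected = [i for i in f["interfaces"] if i["net"] is not None]
    inside_nets = [i["net"] for i in connected if i["role"] == "inside"]
    for acl_id, pool in f["dynamic"]:
        lo, hi = f["pools"][pool]
        for i in connected:  # two ranges overlap unless one lies wholly beyond the other
            if lo <= i["net"][-1] and hi >= i["net"][0]:
                findings.append(f"pool {pool} ({lo}-{hi}) overlaps {i['net']} on {i['name']} "
                                f"({i['role']}): no real host there may hold a pool address")
        entries = f["acls"].get(acl_id, [])
        for local in f["static"]:
            if acl_permits(entries, local):
                findings.append(f"static host {local} is also matched by ACL {acl_id}; add "
                                f"'access-list {acl_id} deny host {local}' before the permit")
        if not any(a == "permit" and any(n.overlaps(x) for x in inside_nets) for a, n in entries):
            findings.append(f"ACL {acl_id} permits nothing on an 'ip nat inside' interface")
    return findings

# Constructed config modelled on the printer post: inside LAN 192.168.3.0/24,
# dynamic pool 192.168.8.1-250, printer mapped statically but still inside ACL 1.
PRINTER_CONFIG = """
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
ip nat pool LAN 192.168.8.1 192.168.8.250 netmask 255.255.255.0
ip nat inside source list 1 pool LAN
ip nat inside source static 192.168.3.252 192.168.8.252
access-list 1 permit 192.168.3.0 0.0.0.255
"""
# The same config with the printer excluded from the dynamic ACL (the usual fix).
PRINTER_FIXED = PRINTER_CONFIG.replace(
    "access-list 1 permit", "access-list 1 deny host 192.168.3.252\naccess-list 1 permit")
# Constructed config modelled on the overlap thread: the pool is carved out of the
# provider-facing 192.168.3.0/24, where real hosts .1-.100 already live.
OVERLAP_CONFIG = """
interface Ethernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
interface Ethernet1
 ip address 50.100.165.240 255.255.255.0
 ip nat inside
ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
ip nat inside source list 1 pool XXY
access-list 1 permit 50.100.165.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, cfg in [("printer", PRINTER_CONFIG), ("fixed", PRINTER_FIXED), ("overlap", OVERLAP_CONFIG)]:
        print(name, check_nat_config(cfg) or ["clean"])
```

Run against the config quoted just above, the third check would also fire: access-list 18 matches the public 66.85.189.8/29 rather than the 192.168.9.0/24 network behind the `ip nat inside` interface, so no dynamic translation is ever created from it.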



Re: clock rate [7:38908]

2002-03-20 Thread Marc Thach Xuan Ky

1. Because it's 64000 bps, built by humans, not computer memory.
3. huh? Note that if you earn 50k you will get 5 (less tax)
Marc

Ellis Lam wrote:
> 
> Two Qs,
> 
> 1. in FR, when we specify clock rate for 64k, we use clock rate 64000, why
> not 64 x 1024 = 65536 ? and for 1.544 mbps, we use 148000, why not 1.544 x
> 1024 x 1024 ?
> 
> 2. in OSPF, when we config a loopback interface with address 128.10.10.10/24
> and in other router, we can see the route to 128.10.10.10/32 ?? but if we
> config an ethernet interface, it is 128.10.10.10/24, any reason ?? or simply
> the behaviour in OSPF ?
> 
> Thanks
> 
> Ellis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38915&t=38908



Re: NAT Order of Operation [7:38021]

2002-03-20 Thread Marc Thach Xuan Ky

John,
I have never had great faith in that page.  Taken literally, since
outside to inside packets are NAT'd before routing, it means that if you
have more than one outside interface, then a packet bound from one to
another will get translated twice.  If there was not an existing
suitable mapping then that would then imply that the inbound packet
would be dropped.  Now I haven't tried this, so I don't know whether it
happens or not, but if it were the case, I'm sure somebody would have
complained by now.  If it doesn't happen then the page does not
correctly describe the operation.
The flip side of that situation is that with a twice-NAT configuration a
packet bound inside-outside is routed before the router knows the actual
(translated) destination address.  How can that be?
I haven't done that much with NAT since 11.2, but I have seen twice-NAT
configurations where a ping has gone through and been replied to OK but
when a debug was running, five translations occurred instead of four, I
can't remember what the extra one was.  I have also seen a case where an
inbound access list was inspected both before and after translation. 
Now I understand that the NAT code has been rewritten since then but my
early experience with Cisco NAT has left me somewhat sceptical.
Marc


John Neiberger wrote:
> 
> Someone just posted something on the CCIE list and while researching the
> answer I found this page:
> 
> http://www.cisco.com/warp/public/556/5.html
> 
> After looking at that page, it appears to me that it's safe to say that
> if you're in an environment that uses both NAT and Policy-Based Routing,
> the IP addresses you use in the policy maps are _always_ local
> addresses, either inside local or outside local.  Is that correct?  It
> seems that it would never be the case where you'd use an outside local
> or outside global address within a route map.
> 
> Is that a true statement?
> 
> Thanks,
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38918&t=38021



Re: NAT questions-will overlap occur? [7:38764]

2002-03-20 Thread Marc Thach Xuan Ky

Hi Tong,
I said that you have the same network on both sides of the NAT router
because the pool is a network, and in this case it is an inside pool, so
it exists on the inside.

Sorry about this, but I had another look at your mail and the second
type of NAT is not twice-NAT like I said, but overloaded NAT which is
sometimes called NAPT or PAT (Network Address Port Translation is the
RFC-compliant term).  One important difference is the NAPT will not
easily allow inbound connections.
I've now seen the example referred to by Cisco Nuts in another post.  I
can't see how that can work at all.  My policy with any single-stack NAT
device is to avoid an overlap.

Q1. ans. If I understand you correctly, the question is about routing
within the outside network to the NAT router.  I don't know.  Maybe the
router is doing proxy arp for pool addresses when there's an overlap?  I
take it that the configuration is currently working, is that right?

Q2. ans. Again, this is about routing within the outside network, which
may not be in your control, therefore the exchange is dictating the
terms here.

Q3. ans. I don't know whether you can use the same IP address for the
pool and the interface with IOS.  Why not try it?

This overlap thing is beginning to puzzle me and I thought I knew a lot
about NAT, I can't see how it works, but you seem to be saying that it is
working for you.  I need to switch my routers on and have a further
look.
rgds
Marc



"Sim, CT (Chee Tong)" wrote:
> 
> Hi Marc and dear all,
> 
> >You cannot have the same network on both sides
> >of the NAT router.
> 
> Why did you say that I have the same network on both sides of the NAT router?
> I have 50.100.165.X and 192.168.3.X on the two sides of the NAT router.
> 
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> > interface Ethernet0
> >  description Interface facing Financial Service Provider
> >  ip address 192.168.3.1 255.255.255.0
> >  ip nat outside
> >
> > interface Ethernet1
> >  description Interface facing Rabobank (Trusted) network
> >  ip address 50.100.165.240 255.255.255.0
> >  ip nat inside
> >
> > ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
> > ip nat inside source list 1 pool XXY
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> 
> I am not the one who configured this NAT router previously.
> 
> Q1) What I don't understand is when we establish the connection from
> 50.100.165.50 (for eg) to 192.168.3.50 (for eg). The source IP will change
> to 192.168.3.111 (for eg) after it passes thru the NAT router and reaches the
> destination 192.168.3.50. When it replies back the source IP is
> 192.168.3.50 and the destination IP is 192.168.3.111. How does the packet
> know it has to go to Ethernet0 of the NAT router, as the IP of the NAT
> router's Ethernet0 is 192.168.3.1 not 192.168.3.111?
> 
> Q2)
> >Normally I would want to use a NAT pool that was not present on either
> >side of the router.
> 
> Yes, I saw this on my book as follows
> 
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> Ip nat pool ovrld-nat 172.16.2.2 172.16.2.2 netmask 255.255.255.0
> Ip nat inside source list 1 pool ovrld-nat overload
> !
> interface Ethernet0/0
> ip address 10.1.1.10 255.255.255.0
> ip nat inside
> !
> interface serial0/0
> ip address 192.168.3.1 255.255.255.0
> ip nat outside
> !
> access-list 1 permit 10.1.1.0 0.0.0.255
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
> 
> OK, I understand this, whenever the packets from 10.1.1.X network go out,
> th
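
An added illustration (not from the thread, and not IOS code) of the overloaded NAT that Marc corrects himself to above, worked on Tong's Q3: two inside hosts that both use source port 1234 to the same server. The addresses are the ones in Tong's Q2 table; the 203.0.113.9 probe and the port-allocation policy are constructed for the example.

```python
"""Toy NAPT (PAT, IOS 'overload') translation table; an added illustration,
not IOS code.  Entries are keyed on the full inside local ip:port together
with the outside ip:port, so two inside hosts that both choose source port
1234 still map back unambiguously, and a packet arriving from outside that
matches no entry is dropped, which is why NAPT does not easily admit
unsolicited inbound connections."""
from dataclasses import dataclass, field


@dataclass
class NaptTable:
    inside_global: str                # the one public address (192.168.2.2 in Tong's table)
    next_port: int = 1024             # next global port to hand out when the original is taken
    outbound: dict = field(default_factory=dict)  # (lip, lport, rip, rport) -> global port
    inbound: dict = field(default_factory=dict)   # (global port, rip, rport) -> (lip, lport)

    def translate_out(self, lip, lport, rip, rport):
        """Inside->outside: the (inside global ip, port) written into the packet."""
        key = (lip, lport, rip, rport)
        if key not in self.outbound:
            # this toy keeps the original source port when it is free for that
            # destination, otherwise it allocates the next unused global port
            gport = lport
            while (gport, rip, rport) in self.inbound:
                gport, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = gport
            self.inbound[(gport, rip, rport)] = (lip, lport)
        return self.inside_global, self.outbound[key]

    def translate_in(self, gport, rip, rport):
        """Outside->inside: the (inside local ip, port) to restore, or None = drop."""
        return self.inbound.get((gport, rip, rport))


def demo():
    """Tong's Q3: 10.0.0.1 and 10.0.0.2 both use source port 1234 to 172.21.3.1:23."""
    nat = NaptTable("192.168.2.2")
    a = nat.translate_out("10.0.0.1", 1234, "172.21.3.1", 23)   # ('192.168.2.2', 1234)
    b = nat.translate_out("10.0.0.2", 1234, "172.21.3.1", 23)   # ('192.168.2.2', 1024)
    back = [nat.translate_in(p, "172.21.3.1", 23) for _, p in (a, b)]
    # constructed probe from an outside host nothing inside ever talked to
    probe = nat.translate_in(80, "203.0.113.9", 40000)          # None: dropped
    return a, b, back, probe


if __name__ == "__main__":
    print(demo())
```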

Re: NAT questions-will overlap occur? [7:38764]

2002-03-20 Thread Marc Thach Xuan Ky

Hi Tong,
I've reread the BCRAN book.  The example given of NAT overlap is when
the two real network spaces overlap, not when a pool overlaps with the
real space.  I still don't see how this can work.
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38932&t=38764



Re: Cisco's pps claims [7:38956]

2002-03-20 Thread Marc Thach Xuan Ky

Sam,
I think the question is: what is your average packet size?  Using
process or fast switching I should think that the packet size is almost
irrelevant to the router.  I have benchmarked many PCs and NICs running
certain routing software.  On a PCI bus PC the pps difference between 64
and 1518 octet frames was in the order of ten to twenty percent, i.e.
the routing decision consumes the bulk of the CPU bandwidth, shovelling
the rest of the packet through is low-overhead.
Marc

sam sneed wrote:
> 
> I noticed Cisco uses pps when they give their specs for routers, firewalls,
> etc. What is the assumed packet size when they come up with these specs? I'm
> planning on using 2 2621's in HSRP mode (getting default routes via BGP) and
> need to be able to support a constant 10 Mb/sec and would like to know if
> these routers will do the trick.
> thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38983&t=38956



Re: Cisco's pps claims [7:38956]

2002-03-21 Thread Marc Thach Xuan Ky

I don't really know what the overhead of that specific stuff is, but
it's all part of a packet coming up the stack to the routing layer, and
it has to be done per packet, so packet size is irrelevant to that. 
Using traditional routing techniques such as process or fast switching,
the packet will be decapsulated to IP regardless of the underlying
layers.  I imagine that most of the framing work is done in hardware.
Marc

John Green wrote:
> 
> ""the routing decision consumes the bulk of the CPU
> bandwidth, shovelling the rest of the packet through
> is low-overhead.""
> 
> say a router connects between ethernet and Frame
> Relay or between two dissimilar Layer2 networks. Then
> the router would be stripping off one network's layer2
> frame and replacing it with the layer2 frame of the
> other network where the packet is to be sent. Would
> you call this low-overhead as well ?
> I guess your example would be if the router were to
> connect between same Layer2 networks ie say both
> networks are ethernet. right ? just want to make
> sure...
> 
> --- Marc Thach Xuan Ky
> wrote:
> > Sam,
> > I think the question is: what is your average packet
> > size?  Using
> > process or fast switching I should think that the
> > packet size is almost
> > irrelevant to the router.  I have benchmarked many
> > PCs and NICs running
> > certain routing software.  On a PCI bus PC the pps
> > difference between 64
> > and 1518 octet frames was in the order of ten to
> > twenty percent, i.e.
> > the routing decision consumes the bulk of the CPU
> > bandwidth, shovelling
> > the rest of the packet through is low-overhead.
> > Marc
> >
> > sam sneed wrote:
> > >
> > > I noticed Cisco uses pps when they give their specs for routers, firewalls,
> > > etc. What is the assumed packet size when they come up with these specs? I'm
> > > planning on using 2 2621's in HSRP mode (getting default routes via BGP) and
> > > need to be able to support a constant 10 Mb/sec and would like know if these
> > > routers will do the trick.
> > > thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39017&t=38956



Re: NAT overlapping example....Does not work? [7:38838]

2002-03-27 Thread Marc Thach Xuan Ky

I just tried this and it worked OK, but it needed a default route to the
outside.  I also tried it making the inside network routed rather than
connected, and it still worked.  I think that IOS 11.2 and earlier won't
work.  You have to set up a translation from one direction before you
have a pool address that you can ping from the other direction, because
both ways are dynamically mapped.
rgds
Marc

Cisco Nuts wrote:
> 
> Hello,
> Does anyone know of any links or examples for NAT overlapping? I tried to
> use the one in the CCNP Remote Access Support Book exactly as it was shown
> but looks like the author might have missed something, as it's not
> working... Basically pings don't work.
> Thank you.
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39591&t=38838



Re: NAT Order of Operation [7:38021]

2002-03-27 Thread Marc Thach Xuan Ky

I have to eat my words in public!  I just had a go (IOS 12.0) at the
overlapping NAT example from the Cisco BCRAN book, and after minor mods,
the config worked like magic.  The outbound packets were indeed routed
before the destination address was known, incredible.
Marc

Marc Thach Xuan Ky wrote:
> 
> John,
> I have never had great faith in that page.  Taken literally, since
> outside to inside packets are NAT'd before routing, it means that if you
> have more than one outside interface, then a packet bound from one to
> another will get translated twice.  If there was not an existing
> suitable mapping then that would then imply that the inbound packet
> would be dropped.  Now I haven't tried this, so I don't know whether it
> happens or not, but if it were the case, I'm sure somebody would have
> complained by now.  If it doesn't happen then the page does not
> correctly describe the operation.
> The flip side of that situation is that with a twice-NAT configuration a
> packet bound inside-outside is routed before the router knows the actual
> (translated) destination address.  How can that be?
> I haven't done that much with NAT since 11.2, but I have seen twice-NAT
> configurations where a ping has gone through and been replied to OK but
> when a debug was running, five translations occurred instead of four, I
> can't remember what the extra one was.  I have also seen a case where an
> inbound access list was inspected both before and after translation.
> Now I understand that the NAT code has been rewritten since then but my
> early experience with Cisco NAT has left me somewhat sceptical.
> Marc
> 
> John Neiberger wrote:
> >
> > Someone just posted something on the CCIE list and while researching the
> > answer I found this page:
> >
> > http://www.cisco.com/warp/public/556/5.html
> >
> > After looking at that page, it appears to me that it's safe to say that
> > if you're in an environment that uses both NAT and Policy-Based Routing,
> > the IP addresses you use in the policy maps are _always_ local
> > addresses, either inside local or outside local.  Is that correct?  It
> > seems that it would never be the case where you'd use an outside local
> > or outside global address within a route map.
> >
> > Is that a true statement?
> >
> > Thanks,
> > John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39588&t=38021



Re: what does 0 in 0Xnnnn mean? [7:40372]

2002-04-04 Thread Marc Thach Xuan Ky

I guess then when you are writing a parser for a compiler then it helps
if all numeric constants start with a numeric.
Marc

Wes Stevens wrote:
> 
> We need to find an old IBM'er for that answer I think. I know that 0x has
> been used on IBM systems since before Cisco made its first router.
> 
> >From: "Priscilla Oppenheimer"
> >Reply-To: "Priscilla Oppenheimer"
> >To: [EMAIL PROTECTED]
> >Subject: Re: what does 0 in  0X mean? [7:40372]
> >Date: Wed, 3 Apr 2002 17:22:17 -0500
> >
> >I think editors like to throw in leading zeros. For example, you will
> >notice that they never let you get away with saying something like .534. It
> >has to be 0.534. Supposedly that's easier to read.
> >
> >I didn't know octal was 0d. I bet they had to do that because of the other
> >rule that you have to start with 0. 0o or 0O would be too hard to parse if
> >they were to use o or O for octal. ;-)
> >
> >Priscilla
> >
> >At 04:40 PM 4/3/02, John Neiberger wrote:
> > >I think the question is what does the '0' specifically refer to?  We
> > >know that 0x indicates hex, but I'm guessing he's asking why we don't
> > >simply use x instead of 0x, or d for octal instead of 0d.
> > >
> > >Speaking of that, why is octal 0d?  I'd think that 'd' should mean
> > >decimal.
> > >
> > >John
> > >
> > > >>> "Persio Pucci"  4/3/02 2:16:55 PM >>>
> > >That indicates that the notation in use is hexadecimal for the
> > >registry
> > >number i.e. 0x2102 set the registry bits to 110010
> > >
> > >Persio
> > >
> > >- Original Message -
> > >From: "Jeffrey Reed"
> > >To:
> > >Sent: Wednesday, April 03, 2002 5:12 PM
> > >Subject: what does 0 in 0X mean? [7:40372]
> > >
> > >
> > > > Here's a good question an intern asked me and I couldn't even
> > > > make up an answer
> > > >
> > > > I was working with him showing how to recover a password and we were
> > > > changing the confreg setting. He asked what the leading 0 before the
> > > > X represented. I'm not sure; any help from the group is appreciated.
> > > >
> > > > Jeffrey Reed
> > > > Classic Networking, Inc.
> > > > Cell 717-805-5536
> > > > Office 717-737-8586
> > > > FAX 717-737-0290
> >
> >
> >Priscilla Oppenheimer
> >http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40456&t=40372



Re: Question concerning a new 2501 router in home lab [7:64170]

2003-03-01 Thread Marc Thach Xuan Ky

When you run your hand across the keyboard, do you touch it or is this a
psychic thing :-)
I'd check the parity on your terminal.  It may be setting the wrong
parity for the router but ignoring incorrect received parity.
Marc

Jim wrote:
> 
> I recently acquired a used 2501 router for my home lab that is booting with
> no problem. There is no configuration so it asks if you want to auto config.
> I try to enter an N at this point and get nothing; it seems as if the
> keystroke is not seen by the router. If I just run my hand across the
> keyboard the router responds with enter a yes or no to continue. Any
> suggestions to assist are greatly appreciated.
> 
> Jim Valentine




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64181&t=64170


What is a distributed/collapsed backbone? [7:65225]

2003-03-12 Thread Marc Thach Xuan Ky

Hi all,
I thought I'd do 640-025 CID before it disappears, so I started reading
the Ciscopress book, CID exam certification guide.  Now in chapter 2,
section "Issues facing campus LAN designers" (I'm using Safari books
online so I don't know the page number) it shows figs 2.4 and 2.5
distributed and collapsed backbones respectively.  The distributed
backbone shows per floor, one router and one switch, the collapsed
backbone shows a single router for the building fanning out to one
switch per floor.  Fair enough I guess, but the scenario 1, Q2 in the
same chapter asks what backbone to use in a particular case and then
answers it with "distributed backbone" and a picture fig 2.8 that looks
rather like the collapsed backbone shown earlier.  I obviously have to
learn Ciscospeak for the exam so can anybody tell me, which is it?
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65225&t=65225


Re: kbit vs. Kbit & kByte vs. KByte (was BW Calc) [7:65211]

2003-03-12 Thread Marc Thach Xuan Ky

This is all very well but sometimes when people write 500 they really
mean 512, so where does that leave you ?8-)
Marc

s vermill wrote:
> 
> Here's a perfectly illustrative example of how common it is to jumble all
> this terminology up...
> 
> I often use a download test site at PC Pitstop:
> 
> http://www.pcpitstop.com/internet/Bandwidth.asp
> 
> I ran a quick download test that transferred a "500 KB" block of text to my
> machine.  It took 2.744 seconds to complete.  Thus, the result was returned
> as "1458 Kb/s."  Here's the math:
> 
> (assuming decimal)
> 
> 500 * 1000 * 8 = 4,000,000 bits / 2.77 seconds = ~1,458,000 bits/sec = ~1458
> decimal kbits/sec or ~1423 binary Kbits/sec
> 
> Now...
> 
> (assuming binary)
> 
> 500 * 1024 * 8 = 4,096,000 bits / 2.77 seconds = ~1,478,000 bits/sec = ~1478
> decimal kbits/sec or ~1443 binary Kbits/sec
> 
> So, in spite of the fact that they are using the binary upper-case K
> throughout, they are obviously meaning the decimal lower-case k, which
> makes sense given that throughput is expressed that way.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65236&t=65211


Re: What is a distributed/collapsed backbone? [7:65225]

2003-03-14 Thread Marc Thach Xuan Ky

Thanks for all the replies, I haven't yet looked at Priscilla's Top Down
but probably will.  I have found the official guides useful in the past
since they often come up with some unusual and Cisco-centric ideas,
which you need to know for the exams.
rgds
Marc

aletoledo wrote:
> 
> she was too modest to mention it, but your best bet for a design education
> is from Priscilla's book.
> 
> it's well worth twice the price (twice the discounted bookpool price that
> is!! ;)).
> 
> scott
> 
> ""Marc Thach Xuan Ky""  wrote in message
> news:[EMAIL PROTECTED]
> > Hi all,
> > I thought I'd do 640-025 CID before it disappears, so I started reading
> > the Ciscopress book, CID exam certification guide.  Now in chapter 2,
> > section "Issues facing campus LAN designers" (I'm using Safari books
> > online so I don't know the page number) it shows figs 2.4 and 2.5
> > distributed and collapsed backbones respectively.  The distributed
> > backbone shows per floor, one router and one switch, the collapsed
> > backbone shows a single router for the building fanning out to one
> > switch per floor.  Fair enough I guess, but the scenario 1, Q2 in the
> > same chapter asks what backbone to use in a particular case and then
> > answers it with "distributed backbone" and a picture fig 2.8 that looks
> > rather like the collapsed backbone shown earlier.  I obviously have to
> > learn Ciscospeak for the exam so can anybody tell me, which is it?
> > rgds
> > Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65368&t=65225


Re: Upgrading IOS with new flash on my 2500's [7:65472]

2003-03-18 Thread Marc Thach Xuan Ky
Bill,
I've just done four this evening, I used the technique shown here:
http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800941aa.shtml
or http://www.cisco.com/warp/public/471/13.pdf
rgds
Marc

Scott Roberts wrote:
> 
> I can honestly say that I've never upgraded my IOS's by console cable. I
> didn't even know that the 2500 supported that, I only thought that it was
> the 3600 that supported transfer over the console cable? has anyone done a
> console cable transfer with a 2500?
> 
> william, you can do your upgrade in one of two ways, put the new flash into
> the secondary flash bank and tftp copy to the second flash partition or you
> can boot to the rom boot-helper with your new flash in the first bank and
> then tftp. another possibility i suppose you could do is have enough dram
> memory and do a network boot and then do a tftp copy to the flash.
> 
> scott
> 
> ""Clements, William (Bill)""  wrote in message
> news:[EMAIL PROTECTED]
> > All,
> > I recently bought some new flash for my 2500's and would like to know if
> > there is an easier way to upload the newest IOS, other than with the console
> > cable.
> >
> > Thanks,
> >
> > Bill Clements MCSE, CCNP
> > Network Engineer
> > INS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65690&t=65472


Re: TCP SYNSENT Timeout [7:66178]

2003-03-26 Thread Marc Thach Xuan Ky
I don't know any Java but standard UNIX sockets allow a non-blocking
connect.  Thus you don't care what the underlying stack is doing, you
just time-out at the application layer.
rgds
Marc

John Neiberger wrote:
> 
> One of our programmers is asking me about this and I really don't have an
> answer.  I've checked RFC 793 and haven't spotted the answer yet.
> 
> Is there a default time specified in TCP to remain in the SYN SENT state?
> If a device sends a SYN and doesn't receive a response, is the timeout a
> built-in TCP parameter or is that a function of the application or operating
> system?
> 
> I'm starting to think that this is specific to the operating system, but we
> have a need to make it specific to a certain connection without affecting
> all TCP connections.  To be specific, they're writing something in Java
> 1.3.1 (I think) and it doesn't have the capability to tweak TCP parameters.
> For a particular set of connections they'd like the timeout to be 10
> seconds, but it seems to be defaulting to 45.
> 
> They tell me that if we were using Java 1.4 they'd be able to adjust these
> parameters, which makes me think this is an application or OS-specific
> parameter and is only relevant to a particular TCP implementation and could
> vary from platform to platform.
> 
> Any thoughts on this?
> 
> Many thanks,
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66286&t=66178
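Marc's suggestion above, as an added example that is not from the thread or any of its posters: a non-blocking connect() with a poll() deadline, so the application decides how long it is prepared to sit in SYN_SENT (the 10 seconds John's programmers wanted) regardless of what the kernel's own retransmit schedule would give. The function and enum names are my own, and the self-check uses a constructed listener on 127.0.0.1.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of connect_with_timeout() */
enum connect_result {
    CONNECT_OK = 0,      /* handshake completed within the deadline */
    CONNECT_TIMEOUT = 1, /* stack still in SYN_SENT when the deadline expired */
    CONNECT_REFUSED = 2, /* peer answered with RST: nothing listening */
    CONNECT_ERROR = 3    /* anything else; errno is left set */
};

static int fail(int fd, int err, int result)
{
    close(fd);
    errno = err;
    return result;
}

/* Connect to ipv4:port but give up after timeout_ms, independent of the
 * kernel's own SYN retransmission schedule.  On CONNECT_OK the socket,
 * switched back to blocking mode, is stored in *out_fd. */
int connect_with_timeout(const char *ipv4, unsigned short port,
                         int timeout_ms, int *out_fd)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ipv4, &sa.sin_addr) != 1) { errno = EINVAL; return CONNECT_ERROR; }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return CONNECT_ERROR;

    /* Non-blocking: connect() returns at once with EINPROGRESS while the
     * kernel keeps (re)transmitting the SYN in the background. */
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
        return fail(fd, errno, CONNECT_ERROR);

    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        if (errno != EINPROGRESS)  /* e.g. immediate ECONNREFUSED on loopback */
            return fail(fd, errno, errno == ECONNREFUSED ? CONNECT_REFUSED
                                                         : CONNECT_ERROR);

        /* A pending connect signals completion (good or bad) by becoming
         * writable; poll() is what enforces our application-layer deadline. */
        struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
        int n;
        do {
            n = poll(&pfd, 1, timeout_ms);
        } while (n < 0 && errno == EINTR);
        if (n == 0)
            return fail(fd, ETIMEDOUT, CONNECT_TIMEOUT);
        if (n < 0)
            return fail(fd, errno, CONNECT_ERROR);

        /* Writable does not mean connected: fetch the deferred result. */
        int soerr = 0;
        socklen_t len = sizeof soerr;
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &soerr, &len) < 0)
            soerr = errno;
        if (soerr != 0)
            return fail(fd, soerr, soerr == ECONNREFUSED ? CONNECT_REFUSED
                                                         : CONNECT_ERROR);
    }

    /* Back to blocking mode so the caller can read()/write() as usual. */
    if (fcntl(fd, F_SETFL, flags) < 0)
        return fail(fd, errno, CONNECT_ERROR);
    *out_fd = fd;
    return CONNECT_OK;
}

/* Self-check against the local stack (constructed, not from the thread).
 * With listening=1 the port stays open and the result must be CONNECT_OK;
 * with listening=0 the listener is closed first and the result must be
 * CONNECT_REFUSED.  The timeout path needs a black-holed address, so it is
 * not exercised here. */
int self_test(int listening)
{
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);  /* port 0: kernel picks one */
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 1) < 0 || getsockname(lfd, (struct sockaddr *)&sa, &len) < 0)
        return lfd < 0 ? -1 : fail(lfd, errno, -1);
    if (!listening) close(lfd);  /* nothing listens on that port any more */
    int fd = -1;
    int r = connect_with_timeout("127.0.0.1", ntohs(sa.sin_port), 2000, &fd);
    if (fd >= 0) close(fd);
    if (listening) close(lfd);
    return r;
}
```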


Re: Riddle [7:41491]

2002-04-16 Thread Marc Thach Xuan Ky

The last time I looked, a Cisco router would send an ICMP
"administratively unreachable" message when an access list blocked a
packet.  What the source host does with that is not up to the router.
Marc

Dimitris Vassilopoulos wrote:
> 
> Team,
> 
> I was wondering
> Is it possible to make a router respond to an access-list blocking,
> using a custom-made user defined phrase?
> 
> For example, if we deny telnet from a host we need to reply to
> him "Access-list blocks incoming telnet..."
> 
> ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41579&t=41491



Re: A little help in the right direction [7:41500]

2002-04-16 Thread Marc Thach Xuan Ky

Joel,
Start with a management summary which includes a statement that it will
save your business X thousand creds per year, recouping capital and
manpower implementation costs within Y months.  Then write a load of
blurb to prove it.  Job done.  Remember to think business, not
technical, and that at the moment, only you know why it should be done.
rgds
Marc

Joel Panetta wrote:
> 
> Can anyone point me in the right direction to implement a pros and cons
> document for a back bone and infrastructure upgrade? we have a Catalyst 5000
> back bone I want to push to 6509 with redundancy but have to put it all on
> paper.
> 
>  Thanks
> 
> Joel Panetta - CCNA, MCP
> Network Engineer - Anda, Inc
> 954-217-4797
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41584&t=41500



Re: Signature for blocking telnet to SMTP server [7:41565]

2002-04-16 Thread Marc Thach Xuan Ky

Timing was my first reaction, but this whole thing may not be a good
idea anyway.  If you cannot stop the TCP connection establishment, then
blocking further access is pretty futile.  Anyone who can telnet to you
could also put up an SMTP server of their own or script a session.  I
think that refusal of connections on mailservers is generally at the
application layer based on source IP address, by address range and/or
DNS PTR record lookup.  There are lists of dialup IPs and also various
email blacklists,  see http://mail-abuse.org.  It doesn't seem very
scientific or rigorous but if you have a public SMTP server then it's
public.  At least that way your server gets to tear down the TCP
session.
rgds
Marc

Priscilla Oppenheimer wrote:
> 
> When people Telnet to SMTP server, what do they then do? Do they manually
> send the normal SMTP commands? Sorry, if that's a dumb question, but I'm
> just trying to figure out the situation.
> 
> If they are not Telnetting in order to send ordinary SMTP commands (HELO,
> RSET, RCPT, DATA, etc). then of course, you could recognize them because by
> what they aren't doing.
> 
> Let's say they are sending ordinary SMTP commands. Would it be possible
> then to recognize this by the timing? Even the fastest typist can't send
> those commands as fast as e-mail software can.
> 
> That's my $0.0010. Please do answer, though. I'm trying to learn more
> about this curious thing of Telnetting to ports other than 23.
> 
> Priscilla
> 
> At 02:51 AM 4/16/02, Cisco Breaker wrote:
> >Hi,
> >
> >Is it possible to block telnet to SMTP server from port 25 with IDS. I want
> >to create a custom signature for this but I don't know how this can be done.
> >If I write a signature beginning with hello it will block all mail traffic
> >because all of them starts with hello as I know.  And are there any
> >resources that tells how to write a custom signature. We are using CSPM
> >2.3.3i.
> >
> >Any help will be appreciated.
> >
> >Best regards,
> >
> >Cisco Breaker
> 
> 
> Priscilla Oppenheimer
> http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41668&t=41565



Re: OT: Using a Router to redirect IP traffic [7:42217]

2002-04-22 Thread Marc Thach Xuan Ky

Hi Trevor,
Assuming that your servers have unique public IP addresses and you can
get a small new address space from the colocation provider (for use as a
NAT pool) then this would be technically feasible using twice-NAT. 
However, you would be paying your current colo provider for twice the
bandwidth that you already consume plus your new provider.  You would
add hops, delay, packet loss, and complexity.  If you do not have at
least one spare server (assuming similar platforms) then you will
require downtime when you move each server anyway, so you could change
the DNS entry then.  Note that you must lower the TTL of DNS entries so
as to let cached records expire in time for the change.  Note also that
if all traffic is web, then you might like to consider HTTP redirection
as a technique in case your current DNS TTLs are already too long.
rgds
Marc

Trevor Jennings wrote:
> 
> Hello,
> 
>  Where I work, we have a number of servers being co-located at one
> location and are planning on moving those servers to another co-location
> provider soon. My boss asked me why we could not, when we move the
> servers, just place a router at the original ISP to redirect all traffic
> from the original ip's to the new ip's rather than having duplicate
> servers or adjusting the DNS at the same time. I told him that I wasn't
> sure whether it was possible and was told by a friend that it's not
> really possible to do that. Can anyone confirm that or rather explain why
> that is not possible? My Boss's theory was that we would have a router
> with 2 ethernet ports and redirect the original ip's to the new ip's
> through the second ethernet.
> 
> Cheers,
> 
>  - Trevor




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42223&t=42217



Re: ACL - Let's put some numbers on... [7:41738]

2002-04-22 Thread Marc Thach Xuan Ky

Some time ago I was messing about with a 3640 and IIRC I measured about
70k pps (unidirectional traffic) with no acls.  An acl where the traffic
was permitted on the first line dropped it to about 55k pps.  Pushing
the permit acl lines down the list dropped another approx 1%
throughput for each line processed.  The IOS was probably 11.2.
rgds
Marc

Ole Drews Jensen wrote:
> 
> My first line of defence is a 3620, and I am using an ACL on the outside
> interface for incoming traffic, trying to stop some 'bad' traffic before
> it continues to my firewall. I know how to design the access-list so the most
> often received traffic is checked first, and so on, and I know that I should
> keep it as simple as possible and not creating a huge access-list with 100's
> of lines.
> 
> However, it got me wondering. How much does it slow down the incoming
> traffic every time I add a new line to my access-list. This is a very hard
> question to answer though, because if created well, most traffic should be
> filtered out before halfway through the access-list, and I guess it also
> depends on the speed of the processor.
> 
> If we look at the 3620, it has an 80Mhz RISC processor, so if can someone
> give me a result here?
> 
> If we have a full T1 fully loaded with incoming traffic. How long delay
> would there be per line-to-be-checked in an ingoing extended ACL?
> 
> Thanks for your comments...
> 
> Ole
> 
> ~
>  Ole Drews Jensen
>  Systems Network Manager
>  CCNP, MCSE, MCP+I
>  RWR Enterprises, Inc.
>  [EMAIL PROTECTED]
> ~
>  http://www.RouterChief.com
> ~
>  Need a Job?
>  http://www.OleDrews.com/job
> ~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42233&t=41738



Re: Why does IOS only allow ICMP granularity on "destination" [7:42609]

2002-04-25 Thread Marc Thach Xuan Ky

The ICMP type specified is not related to either source or destination
address.  It is not like a port, it is just the type of frame.  You
could ask why the syntax is not:

permit icmp echo any any

It just isn't, possibly for historical reasons, maybe just arbitrary. 
More to the point, why do cisco bundle together type and code into one
descriptor, such as the ridiculous *packet-too-big* keyword?
rgds
Marc TXK

Anthony Pace wrote:
> 
> for instance :
> 
> access-list 101 permit icmp any host 207.122.1.5 echo
> access-list 101 permit icmp host 207.122.2.3 any echo-reply
> 
> but not
> 
> access-list 101 permit icmp any echo-reply any
> 
> Anthony Pace




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42609&t=42609



Re: Study group:UK [7:56900]

2002-11-05 Thread Marc Thach Xuan Ky
Hi Greg,
Whereabouts in London are you?  I'm in SE14 and would certainly be
interested in forming a local group.
rgds
Marc TXK
[EMAIL PROTECTED]

Greg Nathan wrote:
> 
> Hi
> Anyone in London, UK want to form a study group where we can bounce around a
> few ideas and lab practice strategies? I have a fully kitted lab with 7
> routers with voice, 2 switches, ISDN simulator etc. I am based in London,
> would prefer something a little less virtual if possible.
> Lemme know.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56910&t=56900



Re: Getting slightly back on Topic - VOTE [7:56758]

2002-11-05 Thread Marc Thach Xuan Ky
Priscilla Oppenheimer wrote:
> 
> What will it be when we're old geezers that we won't get? There will
> probably be some technology that the young people all get that we will be
> clueless about. I won't like that. ;-)
> 

Wot? do you mean you can work the video?
rgds
Marc TXK




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56946&t=56758



Re: build tcp/ip on PC serial port [7:56885]

2002-11-06 Thread Marc Thach Xuan Ky
Am I being thick or something, isn't this what Windows dial-up
networking is for? or *NIX pppd?  Alternatively, what about some pre-MS
stack for Windows or DOS ?8^)
rgds
Marc TXK

Cable Guy wrote:
> 
> >The fact that you can dial into the Internet is more proof that you can run
> >TCP/IP over the PC's serial port.
> 
> Hmm, why do people need proof of this? Maybe I should read the archives.
> Tcp/ip can be bound to anything. Build an interface that sends electrical
> signals down two thin water streams, code a driver, and you can bind tcp/ip
> to water.
> 
> Anyway, that USB pdf link site is down and I can't access it now. I see
> there are some USB network hubs. Do these work with only USB network
> machines? Hmm, these could be slip/ppp then. An entire hub of slip/ppp...I
> wonder. The ones that interface directly with rj-45 are no hope. I wonder
> even if the signal actually coming out of the USB port is slip/ppp framed,
> then converted outside, or just straight ethernet framed off before exiting
> USB port. I do see some USB network card implementations are just a plug
> into the USB port with no wires exposed, and a rj-45 plugin dongle like
> thing. I guess I need one with wires exposed to cut into them, and with
> slip/ppp.
> 
> Surely there is a serial card with boundable driver out there somewhere?
> Help.
> 
> _
> Add photos to your e-mail with MSN 8. Get 2 months FREE*.
> http://join.msn.com/?page=features/featuredemail




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56984&t=56885



Was Re: build tcp/ip on PC serial port [7:56885] now OT [7:56999]

2002-11-06 Thread Marc Thach Xuan Ky
Dom,
please don't embarrass me on-list, I was pretending not to know you!  I
was actually thinking of Ice, but then I'm really old.  I don't have
time for video anyway, not now I've discovered cisco certification.
Marc


"[EMAIL PROTECTED]" wrote:
> 
> Hi Marc,
> 
> You mean something like Trumpet mate?
> 
> BTW, how do you program your video? Have you ported QNX to it yes?
> 
> Regards,
> 
> Dom Stocqueler.
> 
> 
>   "Marc Thach Xuan Ky"
>   Sent by: [EMAIL PROTECTED]
>   06/11/2002 10:39 AM
>   Please respond to "Marc Thach Xuan Ky"
>   Subject: Re: build tcp/ip on PC serial port [7:56885]
> 
> Am I being thick or something, isn't this what Windows dial-up
> networking is for? or *NIX pppd?  Alternatively, what about some pre-MS
> stack for Windows or DOS ?8^)
> rgds
> Marc TXK
> 
> Cable Guy wrote:
> >
> > >The fact that you can dial into the Internet is more proof that you can run
> > >TCP/IP over the PC's serial port.
> >
> > Hmm, why do people need proof of this? Maybe I should read the archives.
> > Tcp/ip can be bound to anything. Build an interface that sends electrical
> > signals down two thin water streams, code a driver, and you can bind tcp/ip
> > to water.
> >
> > Anyway, that USB pdf link site is down and I can't access it now. I see
> > there are some USB network hubs. Do these work with only USB network
> > machines? Hmm, these could be slip/ppp then. An entire hub of slip/ppp...I
> > wonder. The ones that interface directly with rj-45 are no hope. I wonder
> > even if the signal actually coming out of the USB port is slip/ppp framed,
> > then converted outside, or just straight ethernet framed off before exiting
> > USB port. I do see some USB network card implementations are just a plug
> > into the USB port with no wires exposed, and a rj-45 plugin dongle like
> > thing. I guess I need one with wires exposed to cut into them, and with
> > slip/ppp.
> >
> > Surely there is a serial card with boundable driver out there somewhere?
> > Help.
> >
> > _
> > Add photos to your e-mail with MSN 8. Get 2 months FREE*.
> > http://join.msn.com/?page=features/featuredemail




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56999&t=56999



Re: build tcp/ip on PC serial port [7:56885]

2002-11-07 Thread Marc Thach Xuan Ky
Hi Cable,
A normal PC serial port is async, as in U.Async.R.T, so will not connect
to standard sync cisco port.  If you really want to run sync then yes,
you will need a sync port on the PC but this is minority interest
hardware and will not be cheap.  Try manufacturers such as Eicon.  I
would expect a sync serial card to have IP software available but then
I've never done it myself.  Where is this technical requirement coming
from?
rgds
Marc TXK

Cable Guy wrote:
> 
> >Ah, you want remote access. You want to let the PC join the network even
> >though it's connected via its serial port. That's very doable. It used to
> >be
> >pretty common for PCs to connect that way in the olden days.
> >
> >Check out the Cisco documentation on terminal services or access servers.
> >Or
> >maybe somebody can just tell you how to do it. Someone who has recently
> >studied BCRAN could help maybe?
> 
> I am talking about ppp over serial (BCRAN topic) but not remote access with
> modems, aux ports, or asynch ports.
> 
> Take a standard back to back router1 serial0 to router2 serial0, each with
> configured IPs. Keep this picture in mind, but replace one of the routers
> with a PC. Back to back WAN connection from PC to router's serial0.
> 
> I think finding a serial port with a driver that allows tcp/ip to bind on
> it, is the correct way to describe the obstacle here?
> 
> _
> The new MSN 8: smart spam protection and 2 months FREE*
> http://join.msn.com/?page=features/junkmail




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57044&t=56885



Re: O/T too much time on my hands? [7:57484]

2002-11-15 Thread Marc Thach Xuan Ky
Hi Priscilla,
At the end of the slideshow you ask for other methods, well I've got one
and it's really easy.  Before I start you should note that my emoticons
have broken down so you may need to insert your own.
Unfortunately my first attempt to implement the method that I'm about to
describe was error-prone and gave the answer as 31 triangles.  Now, the
shape is five-way symmetrical (which indicated that 31 was probably not
correct), it's a five-point star with the pointy nodes joined together
by extra links.  We'll call the five pointy bits distribution nodes, and
the five intersections in the middle we'll call core nodes.  The area
outside the shape is the access area.  Now any given triangle can have
either 3 distribution, 2 distribution / 1 core, 1 distribution / 2 core,
or 3 core (except that the core isn't meshed so this is zero).  We will
abbreviate these types as 3D, 2D/1C, 1D/2C, and 3C because we like
jargon. Inspection also shows that the 3D types can be subdivided into
long triangles and fat triangles (3LD and 3FD) 2D/1C types can also be
subdivided, into adjacent D's and non-adjacent D's (2AD/1C and 2ND/1C). 
With me so far?  Good because we now subdivide the 2AD/1C into three
subtypes: straight down, hanging left and hanging right (2AD/1Cbis,
2AD/1C(L) 2AD/1C(R)).  Anyway all told we now have eight categories of
triangle, we can count each category (please don't count the 3Cs during
your leisure time).
So by breaking the problem down this way, it is easier to count and thus
much quicker to implement. In fact we now just have to count from one to
five several times.  Of course if we employed a project manager the
problem could be shared between seven triangle-counters working in
parallel.  This could bring the end-date in by a full ten percent.
Disclaimer: Note that if working in a quality-assured environment you
will need eight triangle-counters.  The 3C type cannot be assumed to
have no triangles.  Time-savings shown are for example only and cannot
be guaranteed.
Just to close, there is a further refinement of the technique.  Because
the shape is five-way symmetrical, you in fact only have to count to
one, what could be more straightforward than that?  This has the added
benefit of enabling the project to be broken up into even smaller and
more manageable tasks.
One more thing, perhaps it's a trick question.  All nodes may run STP so
all loops are removed, hence the correct answer could be zero.
BTW if you were wondering about the access area, it's not actually
relevant.
rgds
Marc TXK

Priscilla Oppenheimer wrote:
> 
> I added a Topology Troubleshooting Puzzle to my Web site. It's not
> Cisco-specific. Well, to be honest, it's not even networking specific! ;-)
> But it does make you think and wonder how you could be so blind, if you're
> like me when I first did it. Be sure to actually try it before going on to
> the solution. OK, is that enough filler? The URL is here:
> 
> http://www.troubleshootingnetworks.com/triangles/index.htm
> 
> Offline, let me know what you think (if you have my address, which I can't
> publish due to commercial unsolicited e-mail.)
> 
> Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57502&t=57484



Re: Power Cable [7:58614]

2002-12-06 Thread Marc Thach Xuan Ky
Sounds like a standard IEC kettle lead to me.  At least here in the UK,
that's what they're for, electric kettles. IIRC these plugs are used for
temperature-resistant leads, and the notch allows you to use a
temperature-resistant lead in any application, but to disallow the
incorrect lead in your kettle or other hot object.  This may be an
indication that your 7000 is going to suck some serious power 8^)
In the UK you can get one of these in the local electrical store, YMMV.
rgds
Marc

NetEng wrote:
> 
> I bought a 7000 router off of ebay. It did not come with a power cable
> and I can not find one for the life of me. I purchased and received
> CAB-7KAC=,
> but this cable does not fit. It says on the package that it's a 7500 series
> AC power cord. On Cisco's website it says to order this cable but, again, it
> does not fit. Below is a layout of the power supply connector. Does anyone
> know the correct power cable to order (and where) to get it? TIA . The
> connector is like every other one (router/monitor/PC) except it has a small
> ridge between the top prongs.
> 
>  
> |  []  U  [] |
> |   |
> |   [] |
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58695&t=58614



Re: Selective NAT [7:59287]

2002-12-16 Thread Marc Thach Xuan Ky
IIRC when you use route-maps you should note that the NAT is
session-based (like with twice-NAT) with various consequences:
you cannot make new connections into the inside global address;
without NAPT (PAT) you may use your pool addresses rather quicker than
you envisaged.
rgds
Marc


The Long and Winding Road wrote:
> 
> wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Is it possible to use extended ip access-lists for NATing. Basically I want
> > traffic from a particular subnet destined for a particular subnet only to be
> > NATed?? All other traffic should not be NATed.
> >
> 
> as a follow up - here is an excerpt from the link in the previous message:
> 
> Route Map Approach
> The correct way to configure the example in this document is to use route
> maps. With a route map approach, you would do the following to translate the
> hosts on 10.1.1.0:
> 
> ip nat pool pool-108 131.108.2.1 131.108.2.254 prefix-length 24
>  ip nat pool pool-118 131.118.2.1 131.118.2.254 prefix-length 24
> 
>  ip nat inside source route-map MAP-108 pool pool-108
>  ip nat inside source route-map MAP-118 pool pool-118
> 
>  interface ethernet0
>    ip address 10.1.1.1 255.255.255.0
>    ip nat inside
>  interface ethernet1
>    ip address 10.1.2.1 255.255.255.0
>    ip nat outside
> 
>  access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255
>  access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255
> 
>  route-map MAP-108 permit 10
>  match ip address 108
> 
>  route-map MAP-118 permit 10
>  match ip address 118
> 
> >
> > Cheers
> > Simon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59314&t=59287



Re: Off Topic but interesting - R&S networking future? [7:59376]

2002-12-17 Thread Marc Thach Xuan Ky
A few points:
When I was fresh in the IT industry (over 20 years ago) the old-timers
who had been working maybe four years already would tell me that there
was no future in programming, after all they said, who uses a chauffeur
now that cars are so easy to drive?
Cars need very little maintenance now, there are still plenty of
mechanics because there are more cars.
Phone companies still employ a lot of telephone engineers, large
corporates often have on-site telephone staff.  There are more phone
companies now.  Voice is a commodity.
Here in London during the 80's property boom, electricians and plumbers
on the large contracts were being paid a lot more than any network
engineer I heard of at the time.
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59376&t=59376



Re: Off Topic but interesting - R&S networking future? [7:59402]

2002-12-17 Thread Marc Thach Xuan Ky
nrf wrote:
> 
> I would just add that many times (actually, more often than not, predictions
> actually turn out to be correct).

We could trade predictions forever :-) What about the bloke who said
nobody will ever need more than 640k RAM?  He still got rich.

> And even for those jobs that didn't
> decline, there was significant change in what they did.  Mechanics can't
> just know how to fix carburetors, now they have to understand
> fuel-injection.

Definitely.  Janitors now use vacuum-cleaners as well as brooms. 
Telephone operators now use keyboards, not patchcords.  Networkers will
need to know more than just layers 2 and 3.  But there will be a
continued demand for R/S as part of the networkers job.

Another point is that bandwidth is not necessarily cheap all over the
world, Europe is more expensive than the US, and Asia even worse, so
engineering is required, in fact surely "traffic engineering" is all the
rage at the moment.

I guess what I want to say is that when an economy is booming, people
unrealistically believe it's forever and they will be millionaires by
next June.  Conversely when the economy is in a trough then people get
gloomy and believe that they'll never pay off their credit card bills. 
Neither view is realistic.  R/S is not dead, it's sleeping and will wake
up.  Granted there will not be the insane rush into network builds that
we saw a few years ago but the wireless boom is around the corner.

rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59402&t=59402



Re: Perhaps O/T: Window TCP Rcv Window [7:59400]

2002-12-17 Thread Marc Thach Xuan Ky
Are you trying to make the window smaller?
rgds
Marc

s vermill wrote:
> 
> On a W2k machine, I've tried several different recommendations for adjusting
> the TCP receive window size.  None of them, including those directly from
> Microsoft, seem to have any impact.  I'm capturing my own traffic and my
> advertised window is always in the 64k range.
> 
> I've tried editing the \tcpip\parameters to include 'TcpWindowSize' and
> 'GlobalMaxTcpWindowSize' - neither of which had any effect.  I've tried
> editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no effect.
> 
> Anyone know how to manipulate the rcv window that my machine will
> advertise.  For that matter, what about the other MS OSes?  XP?  Win98?
> 
> Thanks all,
> 
> Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59405&t=59400



Re: Perhaps O/T: Window TCP Rcv Window [7:59400]

2002-12-17 Thread Marc Thach Xuan Ky
Scott,
A clue from this webpage:
http://www.psc.edu/networking/perf_tune.html
Describing Win98 it says "DefaultRcvWindow is a string type and the
value describes the default receive windowsize for the TCP stack.
Otherwise the windowsize has to be programmed in apps with setsockopt."
Perhaps the app is setting it differently.  It also seems to imply that
GlobalMaxTcpWindowSize should do it since the OS should enforce this on
the app.  Do you know what units the variable uses?  That website
indicates that the default is a gig, so it may be measured in K or M,
just a thought.
rgds
Marc


s vermill wrote:
> 
> Marc Thach Xuan Ky wrote:
> >
> > Are you trying to make the window smaller?
> > rgds
> > Marc
> 
> Yes.  I was hoping to set up a demonstration on the impact of high
> bandwidth*delay product networks without actually having a high
> bandwidth*delay product network.  By artificially enforcing a small rcv
> window, I should get about the same result.
> 
> Thanks Marc,
> 
> Scott
> 
> >
> > s vermill wrote:
> > >
> > > On a W2k machine, I've tried several different
> > recommendations for adjusting
> > > the TCP receive window size.  None of them, including those
> > directly from
> > > Microsoft, seem to have any impact.  I'm capturing my own
> > traffic and my
> > > advertised window is always in the 64k range.
> > >
> > > I've tried editing the \tcpip\parameters to include
> > 'TcpWindowSize' and
> > > 'GlobalMaxTcpWindowSize' - neither of which had any effect.
> > I've tried
> > > editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no
> > effect.
> > >
> > > Anyone know how to manipulate the rcv window that my machine
> > will
> > > advertise.  For that matter, what about the other MS OSes?
> > XP?  Win98?
> > >
> > > Thanks all,
> > >
> > > Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59416&t=59400



Re: Perhaps O/T: Window TCP Rcv Window [7:59400]

2002-12-17 Thread Marc Thach Xuan Ky
Richard,
that looks like a gem!  We should all have one of those.
Thanks,
Marc

"Larkin, Richard" wrote:
> 
> A much much much easier way is to use a PC, load the dummynet image on a
> floppy disk, then in about 5 minutes with the right configuration, you have
> a simulated WAN, including bandwidth and delay.
> 
> Dummynet works on FreeBSD or, as we do, you can download the version that
> fits on a floppy and boot from it. We use it to teach our application
> developers the hard lesson that not everyone has 100Mbps link to the
> servers, most sites have 64kbps.
> 
> Rik
> 
> -Original Message-
> From: s vermill [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 18 December 2002 6:40 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Perhaps O/T: Window TCP Rcv Window [7:59400]
> 
> Marc Thach Xuan Ky wrote:
> >
> > Are you trying to make the window smaller?
> > rgds
> > Marc
> 
> Yes.  I was hoping to set up a demonstration on the impact of high
> bandwidth*delay product networks without actually having a high
> bandwidth*delay product network.  By artificially enforcing a small rcv
> window, I should get about the same result.
> 
> Thanks Marc,
> 
> Scott
> 
> >
> > s vermill wrote:
> > >
> > > On a W2k machine, I've tried several different
> > recommendations for adjusting
> > > the TCP receive window size.  None of them, including those
> > directly from
> > > Microsoft, seem to have any impact.  I'm capturing my own
> > traffic and my
> > > advertised window is always in the 64k range.
> > >
> > > I've tried editing the \tcpip\parameters to include
> > 'TcpWindowSize' and
> > > 'GlobalMaxTcpWindowSize' - neither of which had any effect.
> > I've tried
> > > editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no
> > effect.
> > >
> > > Anyone know how to manipulate the rcv window that my machine
> > will
> > > advertise.  For that matter, what about the other MS OSes?
> > XP?  Win98?
> > >
> > > Thanks all,
> > >
> > > Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59420&t=59400



Re: Test for MCast...Any?? [7:58269]

2002-12-18 Thread Marc Thach Xuan Ky
Hi Phil,
I came across this link and thought it might be useful to you.
http://www.videolan.org/
rgds
Marc

Cisco Nuts wrote:
> 
> Hello, Is there a way to test/practise MCast configs. on the Internet? I
> have a cable-modem connected to a 2514 router and would like to configure
> MCast on it as well as my Lab routers behind that for PIM-SM. I have a
> laptop connected as a client to one of the routers. How can I verify that
> MCast is working on the laptop? I mean, is there a freeware/shareware
> application that I can install on my laptop to test (since I cannot
> obviously have IP/TV client on my laptop). Or is there any other way to do
> it in the Lab routers themselves. Any basic configs/examples provided is
> gratefully appreciated. Thank you for your help. Sincerely, CN




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59472&t=58269



IOS process scheduler algorithm [7:60206]

2003-01-03 Thread Marc Thach Xuan Ky
Hi all,
I am reading Cisco Press "Inside Cisco IOS Software Architecture" and
have some outstanding questions about the scheduler, maybe somebody can
help me.  The text describes how the low priority queue is only skipped
15 times before it is serviced even when there are processes queuing at
higher priorities.
Does this count up to 15 include the times that both medium and low
priority queues are skipped?
There seems to be no similar counter for the medium queue, am I correct
then in assuming that the only failsafe servicing of the medium priority
queue is achieved via the "interleaving" occurring during failsafe
servicing of the low priority queue, which would imply the answer to the
first question?
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60206&t=60206



Re: Cisco career advice needed [7:60013]

2003-01-03 Thread Marc Thach Xuan Ky
In the last place I worked, rumour has it that one of my colleagues was
interviewed and thus obtained a UK visa on the basis of his CCIE, and
this later turned out to be written only.  HR departments / technical
management aren't always as rigorous as you may think :-)
If this is true then I think you could definitely say that it can be of
benefit.
rgds
Marc

Frank Jimenez wrote:
> 
> Where I *have* seen it helpful is in specific cases where a company was
> anticipating needing a CCIE-level applicant at a future date.
> 
> So the following:
> 
> CCIE Routing/Switching - Lab Scheduled 6/2003
> 
> Might be helpful.  The CCIE written qualification alone hasn't helped
> anybody that I know of.
> 
> Frank Jimenez, CCIE #5738
> Systems Engineer
> Cisco Systems, Inc.
> [EMAIL PROTECTED]
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> irfan siddiqui
> Sent: Tuesday, December 31, 2002 3:23 AM
> To: [EMAIL PROTECTED]
> Subject: Cisco career advice needed [7:60013]
> 
> Hi,
> Does the CCIE qualification exam itself have any worth? I know that you're
> not a CCIE without giving the actual Lab part of the exam, but how does the
> CCIE written exam scale on its own, career wise? Does it help improve job
> prospects? What are the benefits of this exam on its own, or is it totally
> useless without the LAB part?
> Say if I never appear for the LAB, for any reason, would the written exam be
> any worth of mention, like say on my resume or as a credential? Thanks
> for all your advice in advance. Irfan
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60224&t=60013



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread Marc Thach Xuan Ky
Thomas Larus wrote:
snip
> As for nrf, - his contributions to groupstudy have been almost entirely
> negative. While it is helpful to have some discussion of things like the
job
> market and the question of whether it is better to invest time and effort
in
> a degree versus certification is useful, constantly chiming in with
negative
> thoughts and assessments is not very helpful.  This is something of a
> support group, and in these difficult times, those of us who have already
> set out to achieve certification goals need encouragement and technical
> advice.

I have recently strongly disagreed with nrf, but I do not find him
negative as you suggest.  I think it's a shame if people cannot
contribute without being personally attacked in such a generalised
manner.
 
> I do not know if nrf is one of these people (he could just be negative for
> no particular reason), there are some people who come to these discussion
> groups to discourage others from pursuing dreams the achievement of which
> might bring about a greater number of certified IT professionals and
perhaps
> exert downward pressure on salaries.

I don't know nrf personally but I doubt that he's that influential. 
Anybody who gets put off the cert process by reading a discouraging
viewpoint on this list probably doesn't have the mettle to see it
through anyway.

rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60271&t=59481



Re: Off Topic - More Bitching about Cisco's New Web Site [7:60308]

2003-01-04 Thread Marc Thach Xuan Ky
Well I thought the site was very slow - until I realised I'd stuck a
clock rate 64000 on my frameswitch router so that I could see some
queueing :-) I now go straight for the search button, but there are some
horrors in there.  There seem to be more pdfs as well, which is good, but
then sometimes there is only a pdf.  There's a bit under technologies
where I burrowed down through QoS, congestion management, through
queuing and then to WFQ to find a short paragraph telling me what it
was.  I'd really wanted a white paper detailing algorithms!
I'm sure I'll crack it sometime.
rgds
Marc

The Long and Winding Road wrote:
> 
> Is it just me? More broken links? Harder to find the everyday tools?
> lower  - a LOT slower - navigating around?
> 
> Seems like just about every day I'm filling out one of those feedback forms
> to report a problem. assuming I've found the basic page I'm looking for
> anyway.
> 
> For example - check out the links on this page.
> 
>
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r
> /iprprt2/index.htm
> watch the wrap
> 
> and whatever happened to the tool index? It was no fun searching for the
> Software Advisor and the IOS Upgrade Planner this morning.
> 
> grumble grumble grumble
> 
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60308&t=60308



Re: IOS process scheduler algorithm [7:60206]

2003-01-05 Thread Marc Thach Xuan Ky
Thanks Mark,
I get it now I think.  I was envisaging processes remaining in the queue
and a pointer selecting each in turn.  In fact of course, because it's
not a pre-emptive OS, this doesn't occur, the processes are removed (as
in fact stated in the book) and put on either the idle or dead queue. 
Also I was envisaging an equal number of processes in each queue whereas
after further consideration I would guess that most processes are high
or medium.
thanks again,
Marc

"Vicuna, Mark" wrote:
> 
> Nope - From step 3&4 in the book.
> 
> There are no counters for critical and high priority queues either.  The
> 'failsafe' for servicing the medium priority is when all the processes
> in the critical and high ready queues have been executed or when a
> medium priority instance is found when servicing the low priority queue
> (interleave) - all the medium processes will be executed.
> 
> The scheduler will not service the low priority queue within 15 times of
> skipping the low queue - and even then, if the scheduler is executing
> low priority instances it will still service a medium (or critical or
> high) process if one is found in the ready queue.
> 
> hth,
> Mark.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60365&t=60206



Re: fragmentation question [7:60643]

2003-01-08 Thread Marc Thach Xuan Ky
MTU 1500 means that the network layer datagram size is 1500 max.  For IP
this is the IP datagram including IP header and transport (TCP/UDP)
header and data.  Fragmentation occurs at the IP level and only the IP
header is duplicated (except offset, checksum etc) into each fragment.
The TCP/UDP headers are merely the first part of the data as far as IP
is concerned and are therefore left untouched.
HTH
Marc

Paul Dong So wrote:
> 
> Hi All,
> 
> Please shed a light on this as I am confused.
> 
> Fragmentation for UDP/TCP:
>  * Only the first fragment contains the UDP or TCP header, not the
> sequential fragments?
> 
> Fragmentation for IP packets
>  * every fragmented packet will contain an IP header?
> 
> MTU 1500 bytes, doesn't it mean the data payload can not exceed 1500
> bytes or the whole packet size(payload+header) can not exceed 1500
> bytes?
> 
> Thanks in advance
> 
> Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60653&t=60643
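To make Marc's answer concrete, here is an added worked example (not from the original thread) that builds a 3028-byte IPv4/UDP datagram, fragments it for a 1500-byte MTU, and shows that each fragment carries its own IP header with a fresh length, offset and checksum while the UDP header exists only in the fragment at offset 0. The addresses, ports and payload are constructed sample values.

```python
import struct

MTU = 1500          # link MTU: the whole IP datagram, header included, must fit
IP_HDR_LEN = 20     # IPv4 header without options
MF_FLAG = 0x2000    # "more fragments" bit in the flags/fragment-offset field

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); a header whose checksum is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(total_len, ident, flags_frag, proto, src, dst):
    """Minimal 20-byte IPv4 header (TTL 64) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def fragment(datagram: bytes, mtu: int = MTU):
    """Split one IPv4 datagram so that every piece is at most mtu bytes.
    Only the IP header is copied (with new length, offset and checksum); the
    UDP/TCP header is ordinary data as far as IP is concerned and so travels
    only in the first fragment."""
    if len(datagram) <= mtu:
        return [datagram]
    hdr, data = datagram[:IP_HDR_LEN], datagram[IP_HDR_LEN:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    proto, src, dst = hdr[9], hdr[12:16], hdr[16:20]
    step = (mtu - IP_HDR_LEN) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    frags = []
    for off in range(0, len(data), step):
        chunk = data[off:off + step]
        more = off + len(chunk) < len(data)
        flags_frag = (MF_FLAG if more else 0) | (off // 8)
        frags.append(ipv4_header(IP_HDR_LEN + len(chunk), ident, flags_frag,
                                 proto, src, dst) + chunk)
    return frags

def parse_fragment(frag: bytes) -> dict:
    """The fields a receiver needs for reassembly, plus a header checksum check."""
    total_len, ident, flags_frag = struct.unpack("!HHH", frag[2:8])
    return {
        "len": total_len,
        "ident": ident,
        "mf": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & 0x1FFF) * 8,
        "hdr_ok": checksum(frag[:IP_HDR_LEN]) == 0,
    }

def udp_ports(frag: bytes):
    """UDP source/destination ports: present only in the fragment at offset 0."""
    if parse_fragment(frag)["offset"] != 0:
        return None      # later fragments begin mid-payload; there is no UDP header to read
    return struct.unpack("!HH", frag[IP_HDR_LEN:IP_HDR_LEN + 4])

def reassemble(frags):
    """Rebuild the original datagram from its fragments, given in any order."""
    frags = sorted(frags, key=lambda f: parse_fragment(f)["offset"])
    data = b""
    for f in frags:
        info = parse_fragment(f)
        if info["offset"] != len(data):
            raise ValueError("gap or overlap at offset %d" % info["offset"])
        data += f[IP_HDR_LEN:info["len"]]
    if parse_fragment(frags[-1])["mf"]:
        raise ValueError("last fragment missing")
    first = frags[0]
    return ipv4_header(IP_HDR_LEN + len(data), parse_fragment(first)["ident"], 0,
                       first[9], first[12:16], first[16:20]) + data

# Constructed sample: 3000 bytes of UDP payload from 10.0.0.1:4000 to 10.0.0.2:5000.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = b"A" * 3000
UDP = struct.pack("!HHHH", 4000, 5000, 8 + len(PAYLOAD), 0) + PAYLOAD   # UDP checksum 0 = none
DATAGRAM = ipv4_header(IP_HDR_LEN + len(UDP), 0x1234, 0, 17, SRC, DST) + UDP

if __name__ == "__main__":
    for f in fragment(DATAGRAM):
        print(parse_fragment(f), "udp ports:", udp_ports(f))
    assert reassemble(fragment(DATAGRAM)) == DATAGRAM
```

Run as a script it prints three fragments of 1500, 1500 and 68 bytes; only the first reports UDP ports.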



Re: Load balancing & NAT [7:60663]

2003-01-09 Thread Marc Thach Xuan Ky
IIRC when I last looked at this, it worked as you require, but that
might have been v2 NAT rather than v3 which is current.  Have you
restarted the router?  Superstition dictates that you should.  Failing
this, how many app servers are there?  You *could* use multiple NAT
pools, which would admittedly be a horrible kludge, depends on how
desperately you want this.  Is there not a better way of using sticky on
the load-balancers?  Are you in a position to change the app to use
cookies for example? Or maybe persistent connections so the LBs aren't
responsible for sticky?
rgds
Marc

Emilia Lambros wrote:
> 
> I'm looking more for a way to play with how the nat pool I have behaves
with
> IP address use.  The NAT config and translations are all working, however I
> can't find a situation online that shows me how I can force translations to
> not overload quite so much, or how I can make more IP addresses be used so
> my load balancing works with sticky sessions set.
> 
> For as long as only 1 IP is being used, all connections to the application
> servers go to one application server.  Even with 2 IPs being used, I would
> have more of a chance of connections going to the 2nd application server to
> create some load balancing but as I said, I'm sitting on 8500 connections
> and 1 IP being used.  I know in theory I can go up to 65K+ connections on
> that 1 IP, but I would prefer more like a couple of hundred per IP.
> 
> The majority of articles I've read show how to configure, say rotary pools
> or tcp load distribution but not examples of how you can use it another way
> that I could perhaps, adapt.  As I said though, I can't play with the
config
> because its a live environment so its a little harder to play and test
with,
> without a guarantee that it will work :)
> 
> -Original Message-
> From: The Long and Winding Road
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 9 January 2003 11:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Load balancing & NAT [7:60663]
> 
> if you have a CCO customer account, there are a lot of articles in the TAC
> database
> 
> this one is a good start, I believe.
> 
>
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note0
> 9186a0080093fca.shtml
> watch the wrap.
> 
> HTH
> 
> --
> TANSTAAFL
> "there ain't no such thing as a free lunch"
> 
> ""Emilia Lambros""  wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Hi all,
> >
> > I have an application being load balanced at one site (sticky sessions
set
> > such that each connection from 1 IP will continue its transactions to the
> > same server it started on) and at another site, the users accessing the
> load
> > balanced application.
> >
> > The users come in from different office locations across private WAN
> links,
> > nat inside is on each of their interfaces and on each interface out of
the
> > router those WAN links connect to, is nat outside.
> >
> > I have changed their initial configuration based on NAT overload to an
> > interface IP address to be a pool of addresses overloaded.  I was hoping
> > that the connections would spill over to the second IP in the pool at
some
> > stage sooner than the 8500 NAT connections I have currently, but no go. 
I
> > may as well have NAT'd to 1 IP again :)
> >
> > Is there a way to overload NAT, but have it using more than 1 IP in the
> > pool?  e.g. a pool of 30 IPs, its currently using 1.. I'd love the router
> to
> > even round robin the use of IPs out of the pool but I can't play with the
> > config to try it (live environment) and can't find any documentation
> online
> > explaining exactly what I need NAT to do/not do :(
> >
> > Thanks,
> >
> > Em :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60693&t=60663



Re: Slightly OT - but important [7:60687]

2003-01-09 Thread Marc Thach Xuan Ky
This is hardly earth-shattering news.  You can see this happening every
time you sniff a LAN.  Empty TCP segments (e.g. acks) with six bytes of
"random" data.  The only thing the report points out is that the data
may previously have been used on another interface or it may be other
non-network data, although I suspect that the latter is highly unlikely
since NIC ring buffers would generally be pre-allocated early on in the
driver initialisation code.  I could be wrong but I would expect a NIC
driver to block or drop if the TX or RX ring was full, rather than try
and get a new buffer allocated.  Where the random data is network
data... well on shared media you should assume it's already been sniffed
anyway, that's what ssh is for :-)
Gotta go now, I've got a CCNP exam in an hour, wish me luck.
rgds
Marc


The Long and Winding Road wrote:
> 
> saw this one come through today.
> 
> I checked the link down at the bottom of the page. I thought it quite
> interesting that Cisco and Microsoft are noted as "not vulnerable" while
> just about every *nix out there is listed as "unknown" One sad note - my
> firewall of choice is shown as "unknown" also.
> 
> I am presuming that testing is still going on with all these other
products.
> "unknown" may not necessarily mean "vulnerable"
> 
> ---
> 
> *CERT WARNS OF POTENTIALLY WIDESPREAD VULNERABILITY
> By SWD Staff
> The Computer Emergency Response Team (CERT) Monday warned of a
> vulnerability affecting Ethernet device driver software running on
> multiple platforms that could allow a remote attacker to harvest
> potentially sensitive information from network traffic.
> 
> A research paper by information security firm @stake says, "Multiple
> platform Ethernet Network Interface Card (NIC) device drivers incorrectly
> handle frame padding, allowing an attacker to view slices of previously
> transmitted packets or portions of kernel memory. This vulnerability is
> the result of incorrect implementations of RFC requirements and poor
> programming practices, the combination of which results in several
> variations of this information leakage vulnerability."
> 
> It "is trivial to exploit and has potentially devastating consequences.
> Several different variants of this implementation flaw result in this
> vulnerability," @stake continues. "The number of affected systems is
> staggering, and the number of vulnerable systems used as critical network
> infrastructure is terrifying."
> 
> CERT recommends applying patches as soon as they are available and using
> encryption to protect network traffic, though it won't protect sensitive
> information leaked from non-network sources, such as kernel memory.
> 
> For an updated list of affected vendors, please consult the CERT
> vulnerability note.
> http://www.kb.cert.org/vuls/id/412115
> http:[EMAIL PROTECTED]/research/advisories/2003/index.html#010603-1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60695&t=60687
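Marc's "empty TCP segments with six bytes of random data" is exactly what a defender can look for in a capture. Below is an added example (not from the thread or the advisory) that parses Ethernet II/IPv4 frames, isolates the padding a sender appended to reach the 60-byte minimum, and flags frames whose padding is not all zeros, counted per source MAC so leaking hosts can be patched first. The frames and MAC addresses are constructed, not a real capture.

```python
import struct
from collections import Counter

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60          # smallest frame allowed on the wire, not counting the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800

def ip_total_length(frame: bytes):
    """IPv4 total-length field of an Ethernet II frame, or None if it is not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4 or frame[ETH_HDR_LEN] >> 4 != 4:
        return None
    return struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]

def padding_bytes(frame: bytes) -> bytes:
    """Bytes after the IP datagram ends: the padding the sender added to reach 60."""
    total_len = ip_total_length(frame)
    if total_len is None or ETH_HDR_LEN + total_len > len(frame):
        return b""
    return frame[ETH_HDR_LEN + total_len:]

def check_padding(frame: bytes) -> dict:
    """Padding is not protocol data, so it should be all zeros. Anything else is
    whatever the driver had lying around in its buffer: the leak the advisory describes."""
    pad = padding_bytes(frame)
    return {
        "src_mac": frame[6:12].hex(":"),
        "frame_len": len(frame),
        "pad_len": len(pad),
        "nonzero_pad": any(pad),
        "pad_hex": pad.hex(),
    }

def leaking_sources(frames) -> Counter:
    """Frames with non-zero padding, counted per source MAC: the hosts to patch first."""
    hits = Counter()
    for frame in frames:
        result = check_padding(frame)
        if result["nonzero_pad"]:
            hits[result["src_mac"]] += 1
    return hits

# --- constructed sample frames (not a capture) ---
MAC_A = bytes.fromhex("00005e000101")   # constructed addresses
MAC_B = bytes.fromhex("00005e000102")
MAC_GW = bytes.fromhex("00005e0001ff")

def tcp_frame(src_mac: bytes, payload: bytes, padding: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP carrying 'payload', then 'padding' as a (simulated)
    driver would append it. A bare ACK is 14 + 20 + 20 = 54 bytes, so it gets 6 bytes."""
    eth = MAC_GW + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # header checksum left 0 for the demo
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, 0x50, 0x10, 8192, 0, 0) + payload
    return eth + ip + tcp + padding

GOOD_ACK = tcp_frame(MAC_A, b"", b"\x00" * 6)        # well-behaved driver: zero padding
LEAKY_ACK = tcp_frame(MAC_B, b"", b"SECRET")         # stale buffer contents sent as padding
FULL_FRAME = tcp_frame(MAC_B, b"x" * 46, b"")        # 100 bytes on the wire: nothing to pad

if __name__ == "__main__":
    for frame in (GOOD_ACK, LEAKY_ACK, FULL_FRAME):
        print(check_padding(frame))
    print(leaking_sources([GOOD_ACK, LEAKY_ACK, FULL_FRAME]))
```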



Re: virtual labs [7:60700]

2003-01-09 Thread Marc Thach Xuan Ky
I have used the Sybex virtual trainer, which was OK for Routing but not
so helpful for BCRAN.  I haven't used the other two subjects yet.  You
should note that it is designed to accompany the Sybex books, so if you
are not buying those then it is less helpful.  If you are cash-strapped
and want a couple of routers to practise with, then 3000 series are very
cheap on eBay.  I have seen these running IOS 12.0 2500 images, you'll
probably need to upgrade the flash/RAM.  If you're unemployed, don't try
to pass well, try to pass quickly. Good luck.
rgds
Marc

reddyred wrote:
> 
> Has anyone found any cheap, USEFUL virtual labs for the CCNP track. I'm
> currently an unemployed CCNA and don't have $1,000 bucks for online labs
nor
> equipment




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60712&t=60700



Re: Cisco 2501 & dot1q encapsulation ? [7:60699]

2003-01-09 Thread Marc Thach Xuan Ky
I've just configured dot1q on a 4500 with NP6E and IOS 12.2, I haven't
tested whether it's working.
rgds
Marc

Francisco Sedano/Inf-Pronet wrote:
> 
> 4000? Could you expand on it? Which model/IOS? I have a plain 4000 with
> 12.1(11) and it doesn't support it..
> 
> "cebuano"
> Enviado por: [EMAIL PROTECTED]
> 09/01/2003 22:04
> Por favor, responda a "cebuano"
> 
> Para:   [EMAIL PROTECTED]
> cc:
> Asunto: RE: Cisco 2501 & dot1q encapsulation ? [7:60699]
> 
> This is possible with certain models of the 2600 series, and the
> cheapest router to support this with 10Mb Ethernet is the 4000 series.
> HTH.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Larry Letterman
> Sent: Thursday, January 09, 2003 12:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco 2501 & dot1q encapsulation ? [7:60699]
> 
> I dont believe so either, since they only support a 10BT
> ethernet connection...
> 
> Larry Letterman
> Network Engineer
> San Jose Transport
> Cisco Systems Inc.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> > John Neiberger
> > Sent: Thursday, January 09, 2003 7:43 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco 2501 & dot1q encapsulation ? [7:60699]
> >
> >
> > I don't believe that any of the 2500 series routers support trunking
> of
> > any variety.  If I'm wrong someone will surely correct me.
> >
> > John
> >
> > >>> "Thomas Muller"  1/9/03 8:21:59 AM >>>
> > Hi,
> >
> > I've tried to configure dot1q on the LAN interface on my Cisco 2501
> > running
> > 12.2 (IP Plus)
> > but it doesn't seem to know the encapsulation dot1q command.
> >
> > Does anyone know if the 2500 series supports dot1q ?
> >
> > Thanks, Thomas
> > [EMAIL PROTECTED]
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60767&t=60699



Re: NAT [7:60784]

2003-01-10 Thread Marc Thach Xuan Ky
Dwayne,
it's most likely that any NAT implementation would overwrite the header
data that it wishes to change, rather than rewrites the header in its
entirety.  Of course the end result would look the same when you view
the packet, however you can recalculate the checksum from the old and
new IP addresses without reading the entire packet, so that's a gain for
not using the full header creation code.
Note though that some protocols which don't pass well through NAT are
handled by an ALG (Application Level Gateway), and these modules will
rewrite the IP data.  Now if I were coding an ALG I'd certainly create
the entire header from scratch, and I might need to do the same with the
data.  Think of an FTP ALG for example.  Here the length of the data may
be changed, in particular it may grow.  The buffer that is currently
allocated for the packet may not have room to grow, so in that case,
you'd need to copy the data into a larger buffer probably as you parse
and alter the data.
rgds
Marc


Dwayne Saunders wrote:
> 
> Hi all,
> Was just wondering if any one could put me on to a good link in
> regards NAT and packet headers, simply what I am trying to find out is the
> packet header totally rewritten or just the ip address part of the header and
> checksum, Or is a new header written to envelope the original header.
> 
> Or does each application do it differently.
> 
> Any help would be great.
> 
> Regards
> 
> D'Wayne Saunders




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60802&t=60784
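The "recalculate the checksum from the old and new IP addresses without reading the entire packet" trick is RFC 1624's incremental update, HC' = ~(~HC + ~m + m'). The added example below (mine, not from the thread or any NAT implementation) overwrites only the source address of a constructed TCP packet, patches the IP header checksum and the TCP checksum (whose pseudo-header includes the addresses) from the old and new address words alone, and proves the result matches a full recomputation. Addresses are documentation ranges; the UDP checksum 0 = "none" case is handled.

```python
import struct

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) computed over the whole buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'). Only the changed 16-bit words are read,
    so the packet body never has to be touched to keep the checksum valid."""
    n = len(old_field) // 2
    total = ~old_csum & 0xFFFF
    for m in struct.unpack("!%dH" % n, old_field):
        total += ~m & 0xFFFF
    for m_new in struct.unpack("!%dH" % n, new_field):
        total += m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def transport_checksum_offset(packet: bytes):
    """Absolute offset of the TCP (proto 6) or UDP (proto 17) checksum field, or None."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == 6 and len(packet) >= ihl + 20:
        return ihl + 16
    if proto == 17 and len(packet) >= ihl + 8:
        return ihl + 6
    return None

def full_transport_checksum(packet: bytes) -> int:
    """Recompute the TCP/UDP checksum from scratch (pseudo-header + whole segment).
    Used here only to show the incremental result is identical."""
    ihl = (packet[0] & 0x0F) * 4
    off = transport_checksum_offset(packet)
    seg = bytearray(packet[ihl:])
    seg[off - ihl:off - ihl + 2] = b"\x00\x00"
    pseudo = packet[12:20] + struct.pack("!BBH", 0, packet[9], len(seg))
    return checksum(pseudo + bytes(seg))

def nat_rewrite_src(packet: bytes, new_src: bytes) -> bytes:
    """Source NAT the 'overwrite, don't rebuild' way: write the new address over the
    old one and patch the two checksums that depend on it; every other byte of the
    header and payload is left untouched."""
    pkt = bytearray(packet)
    old_src = bytes(pkt[12:16])
    ip_csum = struct.unpack("!H", pkt[10:12])[0]
    pkt[10:12] = struct.pack("!H", incremental_update(ip_csum, old_src, new_src))
    pkt[12:16] = new_src
    off = transport_checksum_offset(packet)
    if off is not None:
        t_csum = struct.unpack("!H", pkt[off:off + 2])[0]
        # The TCP/UDP pseudo-header includes the addresses, so that checksum moves too.
        # A UDP checksum of 0 means "none computed" and must be left at 0.
        if not (pkt[9] == 17 and t_csum == 0):
            pkt[off:off + 2] = struct.pack("!H", incremental_update(t_csum, old_src, new_src))
    return bytes(pkt)

# --- constructed sample packet: an inside host talking to a web server ---
def ipv4_header(total_len, ident, flags_frag, proto, src, dst):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_tcp_packet(src: bytes, dst: bytes, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 0x50, 0x18, 8192, 0, 0) + payload
    pkt = ipv4_header(20 + len(tcp), 0x4321, 0x4000, 6, src, dst) + tcp
    return pkt[:36] + struct.pack("!H", full_transport_checksum(pkt)) + pkt[38:]

INSIDE = bytes([192, 168, 1, 10])
SERVER = bytes([203, 0, 113, 5])      # TEST-NET-3 documentation address
OUTSIDE = bytes([198, 51, 100, 1])    # TEST-NET-2 documentation address
ORIGINAL = build_tcp_packet(INSIDE, SERVER, b"GET / HTTP/1.0\r\n\r\n")

def demo() -> bool:
    """True if the patched packet verifies exactly like a freshly built one."""
    natted = nat_rewrite_src(ORIGINAL, OUTSIDE)
    ip_ok = checksum(natted[:20]) == 0
    tcp_ok = struct.unpack("!H", natted[36:38])[0] == full_transport_checksum(natted)
    untouched = natted[20:36] == ORIGINAL[20:36] and natted[38:] == ORIGINAL[38:]
    return ip_ok and tcp_ok and untouched

if __name__ == "__main__":
    print("incremental NAT checksum update verifies:", demo())
```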



Re: CCNA/CCNP home Lab setup [7:60727]

2003-01-10 Thread Marc Thach Xuan Ky
I've found that it's useful to have a variety of kit, and as many
routers as possible.  Cisco prices on eBay have fallen through the
floor.  A 4000 series with NP-4Ts is a good frame switch. 2500 are good
workhorses, best to get one with an ISDN BRI (I didn't and regretted
it).  Once you have a couple of ethernet-based routers, don't discount
token-ring 2500s if they are cheap or any 3000 series router.  3000s are
ludicrously cheap at the moment and can run 2500 IOS 12.0 images.  Don't
buy multiple 2600s unless you're rich. Two 12-port switches allow
better practice than one 24-port.
rgds
Marc

"McManus, Robert BGI SDC" wrote:
> 
> Could someone give me advice on what I would need (models) for a home lab
> setup for my CCNA/CCNP training?  Any advice would be appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60804&t=60727



Re: Load balancing & NAT [7:60663]

2003-01-10 Thread Marc Thach Xuan Ky
Doug,
I used the term "horrible kludge" several hours before I saw your post. 
The multiple NAT pool kludge is horrible because it is neither scalable
nor maintenance-free, nor does it include any dynamic distribution of
load across the resultant multiple (outside local) addresses in use.  It
almost removes the requirement for the load-balancing part of the
load-balancers, leaving them with server failover tasks only.  As I
stated in my post, I'd be looking for a different form of sticky (or a
different NAT device).
rgds
Marc

Doug S wrote:
> 
> I liked the comment and definitely agree that some of the authors of Cisco
> training material should be named and publicly humiliated, although the
> sheer volume of mistakes could make this a somewhat overwhelming task for
> the public doing the humiliating. Still, I want to add my opinion that
Cisco
> documentation and training material is of a lot higher quality a lot of
> what's out there, not to name names like MS Press or anything.
> 
> The reason I blindly accepted and posted that particular quote is because
it
> DOES match my personal experience, which, I admit is considerably less than
> the other posters in this thread.  The only experience I have is in a lab
on
> 2500's and 2600's running something around IOS 12.1(T).
> 
> I also want to point of that this behavior of only overloading the first
> address in the pool sounds like exactly what the original poster is
> experiencing.  The fact that Emilia's and my experience contradicts Peter's
> and TLaWR makes me think that there are differences in how this works on
> different platforms, as TJ suggests.
> 
> I'd also like to hear people's opinions on why my solution is a "horrible"
> kludge, as opposed to just a plain old vanilla kludge.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60858&t=60663



Re: Help,token ring connection without mau [7:61954]

2003-01-27 Thread Marc Thach Xuan Ky
Not to mention that a TR card goes through a lobe test before attempting
insertion into the ring.  The lobe test is effectively a loopback at the
MAU, a crossover cannot do this.
rgds
Marc

Priscilla Oppenheimer wrote:
> 
> ha wrote:
> >
> > hi
> > can 2 token ring interfaces be directly connected with a cross
> > cable? I've
> > carefully read the pinout at CCO and made sure it's right, but
> > it did not
> > work.
> > must i buy a MAU to let them work correctly?
> > thanks for your help
> 
> Token Ring uses an "active repeater," i.e. a MAU. A NIC sends to its
> downstream neighbor and receives from its upstream neighbor. For this to
> happen, a relay, i.e. a MAU, must relay the bits. A MAU is basically a set
> of relays.
> 
> Well, that's a convoluted way to say you need a MAU. You can probably get
> one really cheap on e-Bay.
> 
> Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62003&t=61954



Re: router boots in to rommon [7:54591]

2002-10-01 Thread Marc Thach Xuan Ky

Hi,
I had a very similar message, I changed the cache and main RAM, but I
just got different error messages.  I concluded that I had a bad
backplane.  However, I swapped around the NP modules, and it's been
working fine since.
rgds
Marc

nettable_walker wrote:
> 
> Thank you
> I already swapped memory once, but I will try it again.
> 
> ""Kim Graham""  wrote in message
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > Check your flash for crash info files. You can read through these and or
> > download them to add to your TAC case.  You have a memory error and may
> need
> > to swap out a stick of memory.
> >
> > Searching "Cache Error Exception 4700" and "Cache Parity Exception 4500"
> > separately gives you many links that will help you to understand what is
> > happening.  You do not need a CCO account to do this search.
> >
> > Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54636&t=54591