thanks
Thanks to everyone on the list and their insightful questions/comments, etc. I passed the CCIE written... And now on to the lab...

K
- Kristopher B. Climie, CCNP, CCDP

**NOTE: New CCNA/CCDA List has been formed. For more information go to http://www.groupstudy.com/list/Associates.html
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: frame-relay lmi question...
Yes, that is correct. IOS 11.2 and later will autosense the LMI type. It is possible that the LMI cannot be decoded, and in that event, you may have to manually set the type (i.e. frame-relay lmi-type ansi).

http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/wan_c/wcfrelay.htm#xtocid234328

K
- Kristopher B. Climie, CCNP, CCDP

"Johns, Andrew M ETC (CNE N654)" [EMAIL PROTECTED] wrote in message news:83C7493FDD74D411859D0001029FBE0DE236@CNE-MAIL2...

I found in my CCNA notes that the LMI-type only needs to be specified for IOS ver 11.1 and earlier, 11.2 and up it's autosensed. It says if using 11.1 or earlier, specify the type used by the switch (telco). It should not matter at all what's on the other end, it is only concerned with the local connection between the local router and the local telco switch. Does that sound right?

-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 20, 2000 6:35 PM
To: 'Stull, Cory'; '[EMAIL PROTECTED]'
Subject: RE: frame-relay lmi question...

I am on your side Cory - the L in LMI stands for LOCAL, and the LMI type has to be the same between your router and the frame-relay switch it is connecting to. I found some more info about it here...

http://www.ieng.com/warp/public/779/smbiz/service/troubleshooting/ts_fr.htm#Step%202
(watch for wordwrap)

If someone has a different opinion, please copy me in on the reply.

Hth, Ole

Ole Drews Jensen
Systems Network Manager
CCNA, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
http://www.insync.net/~drews/ccnp

-----Original Message-----
From: Stull, Cory [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 20, 2000 11:23 AM
To: '[EMAIL PROTECTED]'
Subject: frame-relay lmi question...

I'm reading a CIT book that is saying that not only does frame-relay encapsulation have to be the same on both sides (central site to remote site router) but the LMI does also... I thought the LMI type was only significant from that router to its telco frame-relay switch. Comments?

thanks

Cory R. Stull
MCSE, Bay Router Specialist, CCNA, CCDA
Communications Concepts Unlimited
262-814-7214
Re: Route Print
Here is a nice primer on the subject.

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ip.htm#xtocid2236314

K
- Kristopher B. Climie, CCNP, CCDP

"Rodgers Moore" [EMAIL PROTECTED] wrote in message news:8qeceq$uq1$[EMAIL PROTECTED]...

Pure curiosity. Can you provide the source of the ICMP redirect limitation? This is the first time I've ever heard this and I need to follow up on it if it's true.

Rodgers Moore

"Rodney Jackson" [EMAIL PROTECTED] wrote in message news:002b01c02433$1c2c2100$[EMAIL PROTECTED]...

The router was not sending ICMP Redirects. I have since figured it out. Thanks for responding to my email. FYI... I found out that any Cisco Router can only send ICMP Redirect twice a second.

----- Original Message -----
From: Ejay Hire
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 21, 2000 11:00 AM
Subject: Re: Route Print

Confused. Is your router sending you the route by DHCP? Is your traffic not leaving the 7600? Post what it will and will not ping to/from, and a copy of "show ip route".

Original Message Follows
From: "Rodney Jackson" [EMAIL PROTECTED]
Reply-To: "Rodney Jackson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Route Print
Date: Wed, 20 Sep 2000 13:00:59 -0500

Guys, I have a problem: I have a 7206 with static routes and when I try to access a remote network the 7206 will not pass back the route the traffic should take. But when I connect a 2501 with static routes, the 2501 will pass the routes back to the PC. I'm lost and in need of help.

Rodney Jackson
817 7843072
Re: max no of connections for vty
Yup, I don't have the enterprise edition, you do.

K
-

"Fanglo MA" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

I try on my 2611 with IOS 12.0 (8) Enterprise. line vty 0 133 is allowed.

"Kristopher B. Climie" wrote:

I cannot find any way of getting it to work on my 2620. I have tried both "vty 0 29" and the "ip alias 192.168.1.1 3001" suggestion. Below is the output. (And if you aren't set up for a monotype font, the ^ is below the 5.)

K

2620#conf t
Enter configuration commands, one per line. End with CNTL/Z.
2620(config)#int loopback 0
2620(config-if)#ip address 192.168.1.2 255.255.255.0
2620(config-if)#ip alias 192.168.1.1 3001
2620(config)#line vty 5 29
                      ^
% Invalid input detected at '^' marker.
2620(config)#

- Kristopher B. Climie, CCNP, CCDP

"John Kaberna" [EMAIL PROTECTED] wrote in message news:03da01c01efa$ac4c1b20$[EMAIL PROTECTED]...

Maybe it works on 2500's and not 2600's. Anyone have a 2600 to try on?

----- Original Message -----
From: Atif Awan [EMAIL PROTECTED]
To: John Kaberna [EMAIL PROTECTED]; Thomas Peroutka [EMAIL PROTECTED]; jason yee [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, September 15, 2000 2:53 AM
Subject: Re: max no of connections for vty

works on my 2509.. Actually you need a terminal server for it i think ,, am not that sure ..

----- Original Message -----
From: "John Kaberna" [EMAIL PROTECTED]
To: "Thomas Peroutka" [EMAIL PROTECTED]; "jason yee" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, September 15, 2000 1:20 PM
Subject: Re: max no of connections for vty

I tried on my 2600 at home. Wouldn't allow it. Have you actually done it?

----- Original Message -----
From: Thomas Peroutka [EMAIL PROTECTED]
To: jason yee [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, September 15, 2000 12:59 AM
Subject: Re: max no of connections for vty

router(config)#line vty 0 197

197 is the maximum number of telnet sessions; you can use any number in between, so for your constellation (24 students, one teacher) for example

router(config)#line vty 0 25

Friday, September 15, 2000, 7:24:13 AM, you wrote:

jy hi ,
jy I am an instructor currently delivering CCNA course. The
jy setup of the classroom consists of 2 routers but I
jy have got 24 students telnetting to the 2 routers . I
jy have problems for them telnetting to the routers
jy because the max no of connections for the telnet
jy sessions are 5 , my question is how can I increase the
jy no. of connections so as to accommodate all the
jy students without buying more routers.
jy thanks
jy suaveguru

--
Viele Grüsse/ Best regards,
Thomas
mailto:[EMAIL PROTECTED]
Re: Obscure (?) questions
Sorry, suppose I should have mentioned that-

In the Exam Cram for CCIE, on pp. 396, the question asks what the RIF is from PC-a to PC-c. PC-a is on a token ring and PC-c isn't, it is on Ethernet. Well, that is great, I understand that the RIF will be removed. However, the question got me thinking, what about the RIF from PC-a to PC-b which is on a separate token ring. The disparaging part is that the virtual ring on bridge 1 is 10 and the virtual ring on bridge 2 is 0x10 (or 16). My question is this -- doesn't the virtual ring number need to be the same among all bridges?

Also, while going over ATM LANE, I began to wonder exactly how broadcasts are handled. I understand that the BUS is supposed to handle all broadcasts, and also that an LE_ARP request maps MAC addresses to ATM addresses. That got me wondering how an IP ARP request is handled. Does the client send the ARP to the BUS, which then forwards it via its point-to-Multicast Forward vcc, or does the BUS just handle it on its own?

Thanks,
K
- Kristopher B. Climie, CCNP, CCDP

"Atif Awan" [EMAIL PROTECTED] wrote in message news:005001c0203d$538828a0$291a87cb@atifawan...

Can you please tell us from where did you get hold of these questions ? Something wrong here :-)
Obscure (?) questions
Hello, all. I am trying to find the answers to some questions, but have looked all over Cisco's web site and in every book I have. Since I am having such a hard time finding the answers, I thought I would post them here, and hopefully help someone else out in the process.

1) Host A (on ring 001) and Host B (on ring 003) are separated by two Cisco routers acting as bridges. The virtual ring number of Router A is 19 and the virtual ring number of Router B is 0x19. What is the RIF for a packet transmitted from Host A to Host B? Or is this not even a valid config?

_ |A|bn1--- /_ ---bn1-|B|

2) Host A and Host B are separated by two Cisco routers configured to route IP packets. The two routers are separated by a serial line using HDLC encap. During a packet transmission from Host A to Host B, the serial line takes a hit. Who is responsible for retranslating the packet?

_ |A|rt1--- /_ ---rt2-|B|

3) In an ATM lane setup, where are IP ARP requests sent?

Thanks a bunch...
K
- Kristopher B. Climie, CCNP, CCDP
Re: How to get rid of Loading network-config ... [timed out]
Try, "no service config". For some reason, the router tries to load the files from a tftp server first, so you tell it not to with that command.

K
- Kristopher B. Climie, CCNP, CCDP

From: [EMAIL PROTECTED] (Roger Wright)
Organization: GroupStudy.com Discussion Groups
Newsgroups: groupstudy.cisco
Date: 15 Sep 2000 15:08:53 -0400
Subject: How to get rid of "Loading network-config ... [timed out]

Dear Networkers,

Please tell me how to configure my 2611 router so that I don't constantly get the following messages:

Loading network-confg ... [timed out]
Loading cisconet.cfg ... [timed out]
Loading routera-confg ... [timed out]
Loading routera.cfg ... [timed out]

Thanks in advance,
Roger
BGP study question
Here is a question I am just going to throw out there: Look at the example below. Router B has two connections out of its network to router D, one through router A and router C. All are running eBGP. What is the best way to get Router B to use Router C, using the MED or the Local_Pref? Why?

D -- C || || || A---B
Re: Help about a technical interview I had PLEASE!
1. The question is ambiguous. If it is asking what is the Token Frame size, the answer is 3-bytes. (Starting Delimiter, 1-byte, Access Control, 1-byte, and End Delimiter, 1-byte). You are right in your answer, the Frame size in TR is variable, I would have answered it the same way.

2. The average MTU for Token is 4,464, however, the data portion can contain up to 17,800 bytes, for a MAXIMUM MTU (sorry for the redundant redundancy) is 17,997. Cisco supports MTUs of 68-17,997 bytes. The MTU for FDDI is 4,500.

3. Routing decision:
1) Most specific route
2) Administrative Distance

For instance, you might have a Routing table that says:

Gateway of last resort not set
R    39.0.0.0/8 [120/1] via 172.16.1.20, FastEthernet0/0
R    39.0.1.0/24 [120/1] via 172.16.1.19, FastEthernet0/0
C    172.16.0.0 is directly connected, FastEthernet0/0

If you send a packet to 39.0.1.33, it is going to use 172.16.1.19, and not 172.16.1.20 because it is the most specific route. If the route through 172.16.1.19 was not in there, and there was both an EIGRP learned route, and the RIP route shown to 39.0.1.0, the EIGRP route would be used. Why? Because its route has a lower Administrative Distance.

Remember, the router only places multiple equal-cost routes in the table, or the single route with the lowest Administrative Distance. Metrics are only used in path selection within a specific routing process, not for final path selection. That is why we all had to learn iBgp = 200, RIP=120, OSPF=110, IGRP=100, EIGRP=90, eBgp=20, etc. Each routing process will present its BEST route (based on the metrics available to it) for final path selection. That final path is chosen from the type of route it is.

K
- Kristopher B. Climie, CCNP, CCDP

"John Barnes" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

I had a technical interview with a CCIE yesterday, and I'm not really sure where to go with this. He asked me a lot of pretty high level questions and some not so high level, the problem is, I feel some of the answers he wanted were wrong. I'm going to post the questions, the answers I gave, and the answers he claimed to be correct. If I'm wrong on these, I'd like to know. If I'm right, how would you deal with this kind of thing?

1) What is the size of a token ring frame?
My answer: Token ring has a variable frame size.
His answer: 3 bytes.. Isn't that the size of the Token frame?

2) What the MTU of a token ring frame? (Isn't this about the same question as #1?)
My answer: slightly larger than 16K (I couldn't remember the exact number)
His answer: about 4470 bytes . Ahh... what? He claimed I was thinking about FDDI.g Ah. Who's thinking about what?

3) What is the decision making process involved when a packet enters a router? What three criteria are used to make this decision?
My answer: It depends. Is this the first packet with this destination to arrive at this router? What switching mode is the router configured for.
His answer: Forget about that stuff. how does it determine which route to use.
My answer: longest match in the routing table
His answer: What if multiple routes exist in the table.
My answer: It depends.

Ok...I'm gonna cut to the chase. The answer he wanted was longest match, Administrative distance, then metric. Ahh.. I'm pretty sure that is wrong. The router looks at AD and Metrics long before the packet enters the router. The router uses AD and metric to populate the routing table, and then longest match from the routing table to make the decision once the packet actually enters the router. Comparing AD and metric on every known route every time would place unnecessary burden on the CPU. Compare it once, make the decision, and enter it in the RIT. Even in the case of IGRP/EIGRP with variance, the next eligible route is determined before the packet enters the router.

Maybe I should have picked up on this stuff when the recruiter asked me whether BGP was a DV or LS based routing protocol. My answer. ahh.neither, it's path vector.

I'm basically sending this out to get thoughts, and hopefully Howard, Priscilla or someone can tell me whether I'm off technically or not.

THANKS!
-john
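The distinction argued in the thread above (administrative distance and metric decide what is installed in the routing table; longest match decides forwarding), as an added example that is not part of the original posts. The AD values and the RIP routes are the ones quoted in the thread; the /16 mask on 172.16.0.0, the connected AD of 0, and the EIGRP and eBGP candidates with their next hops and metrics are assumptions constructed for illustration.

```python
import ipaddress

# Administrative distances as listed in the thread; connected = 0 is assumed.
ADMIN_DISTANCE = {"connected": 0, "ebgp": 20, "eigrp": 90, "igrp": 100,
                  "ospf": 110, "rip": 120, "ibgp": 200}

# (source, prefix, metric, next hop). These mirror the table quoted in the
# thread; the /16 mask on the connected network is an assumption.
THREAD_ROUTES = [
    ("rip", "39.0.0.0/8", 1, "172.16.1.20"),
    ("rip", "39.0.1.0/24", 1, "172.16.1.19"),
    ("connected", "172.16.0.0/16", 0, "FastEthernet0/0"),
]

# Constructed candidates, not from the thread.
EIGRP_ROUTE = ("eigrp", "39.0.1.0/24", 28160, "172.16.1.21")
EBGP_ROUTE = ("ebgp", "39.0.0.0/8", 0, "172.16.1.22")


def build_table(candidates):
    """Control plane: done when routes are learned, not per packet.

    For each prefix keep only the candidate with the lowest
    (administrative distance, metric). Candidates that tie on both are
    installed together as equal-cost next hops.
    """
    table = {}
    for source, prefix, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        rank = (ADMIN_DISTANCE[source], metric)
        entry = table.get(net)
        if entry is None or rank < entry["rank"]:
            table[net] = {"rank": rank, "source": source,
                          "next_hops": [next_hop]}
        elif rank == entry["rank"] and next_hop not in entry["next_hops"]:
            entry["next_hops"].append(next_hop)
    return table


def lookup(table, destination):
    """Forwarding: longest matching prefix among installed routes only.

    AD and metric are not consulted here. Returns
    (prefix, source, next_hops), or None when nothing matches (no
    gateway of last resort is set in the thread's table).
    """
    addr = ipaddress.ip_address(destination)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return str(best), table[best]["source"], table[best]["next_hops"]


if __name__ == "__main__":
    table = build_table(THREAD_ROUTES + [EIGRP_ROUTE, EBGP_ROUTE])
    for dest in ("39.0.1.33", "39.5.5.5", "10.1.1.1"):
        print(dest, "->", lookup(table, dest))
```

A lower-AD route for 39.0.0.0/8 does not pull traffic for 39.0.1.33 away from the /24, because AD is only compared between candidates for the same prefix.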
Re: SPF timers
If the routers are not calculating their topology table at the same interval, it would not take long for their tables to become completely out-of-whack. For instance, let's say you have 10 routers in your network, and your spf-delay times vary by 5 seconds on each router -- not a long time at all. But by the time you get to the 10th router, the delay is off 50-seconds, and its convergence would be worse than RIP's! The only way that OSPF can be sure that the topology table is consistent among all routers is that their timers match.

Remember, one of the main benefits of OSPF is that all the routers converge at the same time when a change in topology occurs. If router A converges, and Router B doesn't converge for another 10 seconds, Router A cannot be sure of the validity of its own table. OSPF depends on every router having a valid view of the network, with itself as the root, to have the most accurate information available to it to make a decision.

K
- Kristopher B. Climie, CCNP, CCDP

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

At http://www.cisco.com/cpress/cc/td/cpress/design/ospf/on0407.htm#xtocid1636523 (which is an extracted chapter from 'OSPF Network Design Solutions', by Tom Thomas), there is a bit that states...

"Cisco's OSPF implementation enables you to alter certain interface-specific OSPF parameters, as needed. You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network. Those are the parameters set by the following commands:

ip ospf hello-interval
ip ospf dead-interval
ip ospf authentication-key
timers spf spf-delay spf-holdtime

Therefore, be sure that if you do configure any of these parameters, the configurations for all routers on your network have compatible values."

The first three I can understand, and I don't have a problem with these parameters having to match on all routers on the network. But I can't see why the spf timers should have to match. And in any case, that one's not an interface-specific parameter.

For those who haven't used this command before, 'spf-delay' is the delay time, in seconds, between when OSPF receives a topology change and when it starts a SPF calculation. 'spf-holdtime' is the minimum time, in seconds, between two consecutive SPF calculations.

The command reference on CCO doesn't mention that the spf timers have to match on all routers. I can see that if they are mismatched by too much, it will take longer for routers to converge to a consistent view of the network, but would it cause any other problems? I've had a look at RFC 2328, and am no wiser, although I will happily admit I did not read all 240 pages.

Why would one router care how long another router has waited between SPF calculations? Or is this an error in the book/website - can they in fact be different everywhere (obviously it's simpler if they're the same, but does it do nasty things to OSPF if they're not)?

JMcL
Re: can you shutdown a console port?
Actually, setting bit 8 to 0 disables the break feature when the routing is running normally, NOT during boot (this is the default). Setting this bit to 1, some shmoe could press the break key while it is up and routing normally, the router would drop into ROM mode, thereby stopping the forwarding of all packets. As you might imagine, this is a VERY dangerous bit to play with. Again, we come back to the viability of a big padlock...

K
- Kristopher B. Climie, CCNP, CCDP

"Ole Drews Jensen" [EMAIL PROTECTED] wrote in message news:2019FB428FD3D311893700508B71EBFB313920@RWR_MAIL_SVR...

Well, the "no service password-recovery" is an unknown command on my Routers / Switches, but you could set the config register bit 8 to 0, which would disable the BREAK feature.

Hth, Ole

~~
Ole Drews Jensen
Systems Network Manager
CCNA, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~

-----Original Message-----
From: Chris McCoy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 12, 2000 10:50 PM
To: Bob Wilson; [EMAIL PROTECTED]
Subject: Re: can you shutdown a console port?

I've tried this configuration before, and all I can say is it must set a bit in NVRAM somewhere that ROM monitor inspects on bootup. Or ROM monitor could parse the config in NVRAM. It also has dependencies on the system being configured a certain way. For instance, the bit that determines whether the router ignores the startup-configuration must be cleared for no service password-recovery to work. In fact, it complains otherwise.

When no service password-recovery is configured, ROM monitor simply refuses to respond to breaks. This could definitely suck if you need to break into a router for legitimate reasons. This is probably why it is undocumented. I would imagine if you could somehow wipe out NVRAM, you could bypass it.

To make a long story short, there is no substitute for physical security.

Chris M.

----- Original Message -----
From: "Bob Wilson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 12, 2000 7:55 PM
Subject: Re: can you shutdown a console port?

Correct me if I'm wrong -- if you input something like 'no service password-recovery' doesn't it go into the running config, and then into flash if you save the running config there? So if you restart the router with a cable in the console and send it a break, you'll boot into ROMMON and it will never look at the config that's in flash, and you can have your way with it. Right?

----- Original Message -----
From: Chris McCoy [EMAIL PROTECTED]
To: John Kaberna [EMAIL PROTECTED]; beth shriver [EMAIL PROTECTED]; David L. Blair [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 12, 2000 9:18 PM
Subject: Re: can you shutdown a console port?

There's an undocumented command called 'no service password-recovery' which will keep people from breaking into routers. Make sure you have a way in, otherwise!

Chris M.

----- Original Message -----
From: "John Kaberna" [EMAIL PROTECTED]
To: "beth shriver" [EMAIL PROTECTED]; "David L. Blair" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 12, 2000 2:43 PM
Subject: Re: can you shutdown a console port?

The last statement was incorrect!! Console and aux ports DO NOT require a password. VTY's do however. You should set a complex password on your console and aux port. The other thing you can do is setup local authentication which will require a username and matching password. This will make it even harder to break. You can also weed out a few amateurs by changing your console speed to something other than 9600. When I tested mine I didn't even get ascii text so there is no indication the speed is set wrong. That may be different with other terminal programs though (I'm using SecureCRT 3.1). You should be ok as long as you have physical security and good passwords you likely won't have any problems.

John

----- Original Message -----
From: beth shriver [EMAIL PROTECTED]
To: David L. Blair [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 12, 2000 12:52 PM
Subject: Re: can you shutdown a console port?

if you use the password recovery technique and hit break during boot . and go to rommon mode.. would the router even know there is a password on the console?

thanks
Beth

--- "David L. Blair" [EMAIL PROTECTED] wrote:

require a password on the console port and do not supply a password. That will effectively deny all access via the console port.

-dlb

----- Original Message -----
Re: 2509 Router configuration
The Ethernet port on this AS is just 10/half. There is no way of setting it to full. It is the same as on my 2503. These devices all have the AUI port on them, with apparently, no support for full duplex.

K - Kristopher B. Climie, CCNP, CCDP

"Germain, PJ" [EMAIL PROTECTED] wrote in message news:90AC1E60E79BD31187C900062938329501532C5B@COOPTSS4...

I know that this is a very limited Access Server, but has anyone ever heard of setting full duplex on the Ethernet port??? It doesn't appear to have the capability and I have checked the web and the manual. Any help would be greatly appreciated.

Thank you
Re: pix
It looks to me that your conduit is wrong. Your line is

"conduit permit tcp host 128.200.111.100 eq 135 host 128.200.111.150 eq 135"

In plain English what this says is, "Let any traffic originating from 128.200.111.100 on TCP port 135 go to server 128.200.111.150, to TCP port 135." The key to the reason that it is not working is the first "eq 135". Personally, I have not found a way to specify what the originating port is at the server. Usually the source port is a randomly generated port number, and the important one is the destination port. The line should read,

"conduit permit tcp host 128.200.111.100 host 128.200.111.150 eq 135"

K - Kristopher B. Climie, CCNP, CCPD

[EMAIL PROTECTED] wrote in message news:D528DF24AEBCD311A17700508B92CBBF101F47@NEWMAN...

Hi,

You need to add a static statement to the internal server but something that goes like that:

Static (inside,outside/dmz-I didn't really understand from your mail where it is located) 10.10.1.150 10.10.1.150.

The conduit you already have. The static statement that I wrote actually say that IP address can be reach but the appropriate conduit. This is the way I usually do it.

GIL CCNA,CCDA

-Original Message-
From: SH Wesson [mailto:[EMAIL PROTECTED]]
Sent: ??? ??? 11 ?? 2000 13:14
To: [EMAIL PROTECTED]
Subject: pix

I am using a Cisco PIX 520 with an inside interface and an outside interface. I have the following scenario: Internal server has an address of 10.10.1.150, the external server has an ip address of 128.200.111.100. The external server is in the dmz zone. The internal server has been assigned a global address of 128.200.111.150 that maps to the inside server of ip address 10.10.1.150. I want the external server of 128.200.111.100 to be able to communicate with the inside server only through port 135.

I assigned a static ip address to the inside host with the following command:

static (inside,outside) 128.200.111.150 10.10.1.150 netmask 255.255.255.255 0 0

I assigned the permission for the external server to be able to access the inside server only via port 135 using the following command.

conduit permit tcp host 128.200.111.100 eq 135 host 128.200.111.150 eq 135

Is this the right way of doing it? If I'm doing it wrong, can someone show me how to do this. Thanks.
Re: PIX515 and IPsec
Hi, what you will want to do is download the latest version of the PIX IOS from Cisco (the latest version that I see is 5.2(1)_ED) and tftp it to the Pix. Reload your Pix and hit Esc within ten seconds. From the monitor prompt, enter in the commands:

interface 1 (can be 0 - 5)
address 192.168.1.1 (int for your pix interface)
server 192.168.1.2 (IP of tftp server)
file filename.rom
tftp (starts the tftp download)

At some point it will ask you for the new activation code. Type in the new code from Cisco now, as it will enable IPsec. It will also reboot, and it should be booted off the new code as well.

K - Kristopher B. Climie, CCNP, CCDP

From: [EMAIL PROTECTED] (John lay)
Organization: GroupStudy.com Discussion Groups
Newsgroups: groupstudy.cisco
Date: 12 Sep 2000 09:39:23 -0400
Subject: PIX515 and IPsec

Hi Guys,

I ordered the PIX515 with the IPsec License. What should I do to enable the IPsec License on the PIX ?

Thanx
Re: pix
Technically, the Pix doesn't work with destination / source. The syntax is:

usage: [no] conduit deny|permit protocol g_ip g_mask [operator port [port]] f_ip f_mask [operator port [port]]
conduit deny|permit icmp g_ip g_mask f_ip f_mask [icmp_type]

Where g = global address and f = foreign address. However, Rodgers, you are right, and I stand corrected. The proper line should be:

conduit permit tcp host 128.200.111.150 eq 150 host 128.200.111.100

Sorry for the confusion, I need to remember not to post until I've had my coffee.

K - Kristopher B. Climie, CCNP, CCDP

From: [EMAIL PROTECTED] ("Rodgers Moore")
Organization: GroupStudy.com Discussion Groups
Newsgroups: groupstudy.cisco
Date: 12 Sep 2000 08:47:50 -0400
Subject: Re: pix

The PIX does it backwards to the rest of Cisco. In conduits, it's destination, source not the other way around.

Rodgers Moore

"Kristopher B. Climie" [EMAIL PROTECTED] wrote in message news:8pl3cd$8cu$[EMAIL PROTECTED]...

It looks to me that your conduit is wrong. Your line is

"conduit permit tcp host 128.200.111.100 eq 135 host 128.200.111.150 eq 135"

In plain English what this says is, "Let any traffic originating from 128.200.111.100 on TCP port 135 go to server 128.200.111.150, to TCP port 135." The key to the reason that it is not working is the first "eq 135". Personally, I have not found a way to specify what the originating port is at the server. Usually the source port is a randomly generated port number, and the important one is the destination port. The line should read,

"conduit permit tcp host 128.200.111.100 host 128.200.111.150 eq 135"

K - Kristopher B. Climie, CCNP, CCPD

[EMAIL PROTECTED] wrote in message news:D528DF24AEBCD311A17700508B92CBBF101F47@NEWMAN...

Hi,

You need to add a static statement to the internal server but something that goes like that:

Static (inside,outside/dmz-I didn't really understand from your mail where it is located) 10.10.1.150 10.10.1.150.

The conduit you already have. The static statement that I wrote actually say that IP address can be reach but the appropriate conduit. This is the way I usually do it.

GIL CCNA,CCDA

-Original Message-
From: SH Wesson [mailto:[EMAIL PROTECTED]]
Sent: ??? ??? 11 ?? 2000 13:14
To: [EMAIL PROTECTED]
Subject: pix

I am using a Cisco PIX 520 with an inside interface and an outside interface. I have the following scenario: Internal server has an address of 10.10.1.150, the external server has an ip address of 128.200.111.100. The external server is in the dmz zone. The internal server has been assigned a global address of 128.200.111.150 that maps to the inside server of ip address 10.10.1.150. I want the external server of 128.200.111.100 to be able to communicate with the inside server only through port 135.

I assigned a static ip address to the inside host with the following command:

static (inside,outside) 128.200.111.150 10.10.1.150 netmask 255.255.255.255 0 0

I assigned the permission for the external server to be able to access the inside server only via port 135 using the following command.

conduit permit tcp host 128.200.111.100 eq 135 host 128.200.111.150 eq 135

Is this the right way of doing it? If I'm doing it wrong, can someone show me how to do this. Thanks.
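The usage string quoted in this thread puts the global (published, destination) address first and the foreign (source) address second. As an added example, not written by any poster and not Cisco code, the following Python lint parses conduit lines by that usage string and checks them against the asker's static mapping and intended port 135; operator names other than "eq" and the last sample line are assumptions constructed for the check.

```python
# Lint PIX "conduit" lines using the usage string quoted in the thread (tcp/udp form):
#   conduit deny|permit protocol g_ip g_mask [operator port [port]]
#                                f_ip f_mask [operator port [port]]
OPERATORS = {"eq", "lt", "gt", "neq", "range"}  # assumption: only "eq" is on the page

def _take_side(tokens):
    """Consume 'host A' | 'any' | 'A MASK', then an optional '[operator port [port]]'."""
    head = tokens.pop(0)
    if head == "host":
        ip, mask = tokens.pop(0), "255.255.255.255"
    elif head == "any":
        ip, mask = "0.0.0.0", "0.0.0.0"
    else:
        ip, mask = head, tokens.pop(0)
    port = None
    if tokens and tokens[0] in OPERATORS:
        op = tokens.pop(0)
        port = (op, *[tokens.pop(0) for _ in range(2 if op == "range" else 1)])
    return ip, mask, port

def parse_conduit(line):
    tokens = line.split()
    if len(tokens) < 5 or tokens.pop(0) != "conduit":
        raise ValueError("not a conduit line: %r" % line)
    action, protocol = tokens.pop(0), tokens.pop(0)
    try:
        g_ip, g_mask, g_port = _take_side(tokens)  # g = global (destination) side
        f_ip, f_mask, f_port = _take_side(tokens)  # f = foreign (source) side
    except IndexError:
        raise ValueError("truncated conduit line: %r" % line)
    if tokens:
        raise ValueError("unexpected trailing tokens: %r" % tokens)
    return dict(action=action, protocol=protocol, g_ip=g_ip, g_mask=g_mask,
                g_port=g_port, f_ip=f_ip, f_mask=f_mask, f_port=f_port)

def static_globals(config_lines):
    """Global addresses published by 'static (in,out) global_ip local_ip ...'."""
    return {t[2] for t in (l.split() for l in config_lines)
            if len(t) >= 4 and t[0] == "static"}

def lint(line, statics, wanted_port):
    """Return findings for one conduit line; an empty list means it matches intent."""
    c = parse_conduit(line)
    findings = []
    if c["g_ip"] not in statics:
        findings.append("global address has no static mapping")
    if c["g_port"] != ("eq", wanted_port):
        findings.append("global (destination) port is not eq " + wanted_port)
    if c["f_port"] is not None:
        findings.append("foreign (source) port is restricted")
    return findings

STATICS = static_globals(
    ["static (inside,outside) 128.200.111.150 10.10.1.150 netmask 255.255.255.255 0 0"])
SAMPLES = [  # the first three lines are quoted from the thread; the last is constructed
    "conduit permit tcp host 128.200.111.100 eq 135 host 128.200.111.150 eq 135",
    "conduit permit tcp host 128.200.111.100 host 128.200.111.150 eq 135",
    "conduit permit tcp host 128.200.111.150 eq 150 host 128.200.111.100",
    "conduit permit tcp host 128.200.111.150 eq 135 host 128.200.111.100",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint(sample, STATICS, "135") or "ok")
```
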
Re: can you shutdown a console port?
Maybe I should have read the entire thread first... In answer to the question, "Is there any way to keep someone from plugging in a console port and using password recovery procedure to get into a router? " the answer is an unequivocal yes. How can that be, seeing as when you hit the break at boot you get the rmon prompt? Easy -- put the router in a lockable rack case, in a locked room. As the thief who took my cell phone and $3 sunglasses from my car this weekend proved, if you want something bad enough, no matter how worthless it is, there is always a way to get it (And no, that was not a typo, someone stole my $3 sunglasses -- may they rot for it too!).

K - Kristopher B. Climie, CCNP, CCDP

From: [EMAIL PROTECTED] ("Kristopher B. Climie")
Organization: GroupStudy.com Discussion Groups
Newsgroups: groupstudy.cisco
Date: 12 Sep 2000 19:40:16 -0400
Subject: Re: can you shutdown a console port?

Don't forget about TACACS+ and Radius...

K - Kristopher B. Climie, CCNP, CCDP

From: [EMAIL PROTECTED] ("John Kaberna")
Organization: GroupStudy.com Discussion Groups
Newsgroups: groupstudy.cisco
Date: 12 Sep 2000 17:48:38 -0400
Subject: Re: can you shutdown a console port?

The last statement was incorrect!! Console and aux ports DO NOT require a password. VTY's do however. You should set a complex password on your console and aux port. The other thing you can do is set up local authentication which will require a username and matching password. This will make it even harder to break. You can also weed out a few amateurs by changing your console speed to something other than 9600. When I tested mine I didn't even get ascii text so there is no indication the speed is set wrong. That may be different with other terminal programs though (I'm using SecureCRT 3.1). You should be ok as long as you have physical security and good passwords you likely won't have any problems.

John

- Original Message -
From: beth shriver [EMAIL PROTECTED]
To: David L. Blair [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 12, 2000 12:52 PM
Subject: Re: can you shutdown a console port?

if you use the password recovery technique and hit break during boot . and go to rommon mode.. would the router even know there is a password on the console?

thanks
Beth

--- "David L. Blair" [EMAIL PROTECTED] wrote:

require a password on the console port and do not supply a password. That will effectively deny all access via the console port.

-dlb

- Original Message -
From: "beth shriver" [EMAIL PROTECTED]
Newsgroups: groupstudy.cisco
Sent: Tuesday, September 12, 2000 8:43 AM
Subject: can you shutdown a console port?

Is there any way to keep someone from plugging in a console port and using password recovery procedure to get into a router? for instance if you have a router at a remote site and someone decides they want to alter your config etc. what could stop them? (besides a huge padlock ?)
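The console-port messages above name several login arrangements: no login at all on console and aux, a line password, local usernames, TACACS+/RADIUS, and "no service password-recovery". As an added example, not written by any poster, this Python audit classifies each "line" block of a saved configuration accordingly; the configuration fragment is constructed, the verdict names are hypothetical, and the per-line defaults follow John Kaberna's post rather than a tested device.

```python
# Classify how each IOS "line" block authenticates, using the options named in the thread.
SAMPLE_CONFIG = """\
! constructed running-config fragment (passwords are placeholders)
username admin password 0 PLACEHOLDER
no service password-recovery
line con 0
 password PLACEHOLDER
 login
line aux 0
line vty 0 4
 login local
"""


def parse_line_blocks(config):
    """Return {line header: {"login": mode or None, "password": bool}}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if raw.startswith("line ") and len(words) >= 3:
            # Defaults as stated in the thread: vty requires login, con/aux do not.
            current = blocks.setdefault(" ".join(words), {
                "login": "line" if words[1] == "vty" else None, "password": False})
        elif current is not None and raw.startswith(" ") and words:
            if words[0] == "password":
                current["password"] = True
            elif words[:2] == ["no", "login"]:
                current["login"] = None
            elif words[0] == "login":
                arg = words[1] if len(words) > 1 else ""
                # Assumption: any argument other than "local" selects an AAA method.
                current["login"] = {"": "line", "local": "local"}.get(arg, "aaa")
        else:
            current = None  # any unindented line ends the block
    return blocks


def verdict(block):
    if block["login"] is None:
        return "open"  # whoever can plug in gets a prompt
    if block["login"] == "line":
        # "login-without-password" is the arrangement David L. Blair describes
        # as denying console access; its effect is not verified here.
        return "line-password" if block["password"] else "login-without-password"
    return "local-users" if block["login"] == "local" else "aaa-method"


def audit(config):
    report = {name: verdict(b) for name, b in parse_line_blocks(config).items()}
    report["no service password-recovery"] = any(
        l.strip() == "no service password-recovery" for l in config.splitlines())
    return report


if __name__ == "__main__":
    for item, result in audit(SAMPLE_CONFIG).items():
        print(item, "->", result)
```
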
Re: can pix act as a proxy ???
Depends on your definition of a proxy server. If by proxy you mean as a cache engine, then no, obviously not. But if you mean as a centralized point of exit to the internet that is capable of hiding your private network, then yes.

By using TACACS+ or RADIUS, you can even authenticate users. The PIX will prompt the user for a username and password on their first try at getting to the net, then check that u/p with the authentication server. Once the server responds with that user's authorization level the user is granted/denied access to that service.

If by proxy, you mean as a URL filter, the answer is yes, but only in conjunction with a third-party piece of software like WebSense. All user requests are first forwarded to the WebSense server and checked for the policy of it. If it is acceptable, the request is then passed to the Internet, but if it is denied the request is denied and either a custom page can be returned to the user telling them it is a site that violates your policy, or my favorite, returns a generic site error, making them believe that the site is down.

K - Kristopher B. Climie, CCNP, CCDP

*I am in no way affiliated with any companies mentioned in this post, so please, no flames*

"Achal Kataria" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Hi,

I just have a simple query. I have PIX firewall and just wanted to know whether PIX could act as a proxy server for the users for accessing internet.

Achal Kataria
[EMAIL PROTECTED]