Re: TCP SYNSENT Timeout [7:66178]

2003-03-26 Thread Marc Thach Xuan Ky
I don't know any Java but standard UNIX sockets allow a non-blocking
connect.  Thus you don't care what the underlying stack is doing, you
just time-out at the application layer.
rgds
Marc

John Neiberger wrote:
 
 One of our programmers is asking me about this and I really don't have an
 answer.  I've checked RFC 793 and haven't spotted the answer yet.
 
 Is there a default time specified in TCP to remain in the SYN SENT state?
 If a device sends a SYN and doesn't receive a response, is the timeout a
 built-in TCP parameter or is that a function of the application or
 operating system?
 
 I'm starting to think that this is specific to the operating system, but we
 have a need to make it specific to a certain connection without affecting
 all TCP connections.  To be specific, they're writing something in Java
 1.3.1 (I think) and it doesn't have the capability to tweak TCP parameters.
 For a particular set of connections they'd like the timeout to be 10
 seconds, but it seems to be defaulting to 45.
 
 They tell me that if we were using Java 1.4 they'd be able to adjust these
 parameters, which makes me think this is an application or OS-specific
 parameter and is only relevant to a particular TCP implementation and could
 vary from platform to platform.
 
 Any thoughts on this?
 
 Many thanks,
 John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66286t=66178
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
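Marc's point, that the timeout can live in the application rather than in the TCP stack, as an added Python example (not from the original thread): a non-blocking connect() is watched with select(), and the caller decides how long it is willing to sit in SYN-SENT. The loopback demo and the 192.0.2.1 placeholder host are constructed for illustration.

```python
import errno
import select
import socket


def _errname(code: int) -> str:
    return errno.errorcode.get(code, str(code))


def connect_with_timeout(host: str, port: int, timeout: float):
    """Non-blocking connect() whose SYN-SENT wait is bounded by the caller.

    Returns (status, sock): ("connected", sock) on success, otherwise
    ("timeout", None), ("refused", None) or ("error:<ERRNO>", None).
    The kernel keeps retransmitting the SYN on its own schedule; the
    application simply stops waiting after `timeout` seconds.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    try:
        err = sock.connect_ex((host, port))
        if err not in (0, errno.EINPROGRESS):
            sock.close()
            return ("refused" if err == errno.ECONNREFUSED else "error:" + _errname(err), None)
        if err == errno.EINPROGRESS:
            # Writable means the handshake finished (well or badly);
            # select() returning nothing means we are still in SYN-SENT.
            _, writable, _ = select.select([], [sock], [], timeout)
            if not writable:
                sock.close()
                return ("timeout", None)
            err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            if err != 0:
                sock.close()
                return ("refused" if err == errno.ECONNREFUSED else "error:" + _errname(err), None)
        sock.setblocking(True)
        return ("connected", sock)
    except OSError as exc:
        sock.close()
        return ("error:" + _errname(exc.errno or 0), None)


def demo_local():
    """Constructed loopback check of the two deterministic outcomes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    status_ok, sock = connect_with_timeout("127.0.0.1", listener.getsockname()[1], 2.0)
    if sock is not None:
        sock.close()
    listener.close()
    # Pick a port nothing listens on: bind to an ephemeral port and release it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    free_port = probe.getsockname()[1]
    probe.close()
    status_refused, _ = connect_with_timeout("127.0.0.1", free_port, 2.0)
    return status_ok, status_refused


if __name__ == "__main__":
    print(demo_local())
    # The 10-second budget from the thread, against a placeholder host
    # (TEST-NET-1, nothing answers there): expect "timeout" or a route error.
    print(connect_with_timeout("192.0.2.1", 443, 10.0)[0])
```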


Re: Upgrading IOS with new flash on my 2500's [7:65472]

2003-03-18 Thread Marc Thach Xuan Ky
Bill,
I've just done four this evening, I used the technique shown here:
http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800941aa.shtml
or http://www.cisco.com/warp/public/471/13.pdf
rgds
Marc

Scott Roberts wrote:
 
 I can honestly say that I've never upgraded my IOS's by console cable. I
 didn't even know that the 2500 supported that, I only thought that it was
 the 3600 that supported transfer over the console cable? has anyone done a
 console cable transfer with a 2500?
 
 william, you can do your upgrade in one of two ways, put the new flash into
 the secondary flash bank and tftp copy to the second flash partition or you
 can boot to the rom boot-helper with your new flash in the first bank and
 then tftp. another possibility i suppose you could do is have enough dram
 memory and do a network boot and then do a tftp copy to the flash.
 
 scott
 
 Clements, William (Bill)  wrote in message
 news:[EMAIL PROTECTED]
  All,
  I recently bought some new flash for my 2500's and would like to know if
  there is an easier way to upload the newest IOS, other than with the console
  cable.
 
  Thanks,
 
  Bill Clements MCSE, CCNP
  Network Engineer
  INS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65690t=65472


Re: What is a distributed/collapsed backbone? [7:65225]

2003-03-14 Thread Marc Thach Xuan Ky
Thanks for all the replies, I haven't yet looked at Priscilla's Top Down
but probably will.  I have found the official guides useful in the past
since they often come up with some unusual and Cisco-centric ideas,
which you need to know for the exams.
rgds
Marc

aletoledo wrote:
 
 she was too modest to mention it, but your best bet for a design education
 is from Priscilla's book.
 
 its well worth twice the price (twice the discounted bookpool price that
 is!! ;)).
 
 scott
 
 Marc Thach Xuan Ky  wrote in message
 news:[EMAIL PROTECTED]
  Hi all,
  I thought I'd do 640-025 CID before it disappears, so I started reading
  the Ciscopress book, CID exam certification guide.  Now in chapter 2,
  section Issues facing campus LAN designers (I'm using Safari books
  online so I don't know the page number) it shows figs 2.4 and 2.5
  distributed and collapsed backbones respectively.  The distributed
  backbone shows per floor, one router and one switch, the collapsed
  backbone shows a single router for the building fanning out to one
  switch per floor.  Fair enough I guess, but the scenario 1, Q2 in the
  same chapter asks what backbone to use in a particular case and then
  answers it with distributed backbone and a picture fig 2.8 that looks
  rather like the collapsed backbone shown earlier.  I obviously have to
  learn Ciscospeak for the exam so can anybody tell me, which is it?
  rgds
  Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65368t=65225


What is a distributed/collapsed backbone? [7:65225]

2003-03-12 Thread Marc Thach Xuan Ky
Hi all,
I thought I'd do 640-025 CID before it disappears, so I started reading
the Ciscopress book, CID exam certification guide.  Now in chapter 2,
section Issues facing campus LAN designers (I'm using Safari books
online so I don't know the page number) it shows figs 2.4 and 2.5
distributed and collapsed backbones respectively.  The distributed
backbone shows per floor, one router and one switch, the collapsed
backbone shows a single router for the building fanning out to one
switch per floor.  Fair enough I guess, but the scenario 1, Q2 in the
same chapter asks what backbone to use in a particular case and then
answers it with distributed backbone and a picture fig 2.8 that looks
rather like the collapsed backbone shown earlier.  I obviously have to
learn Ciscospeak for the exam so can anybody tell me, which is it?
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65225t=65225


Re: kbit vs. Kbit kByte vs. KByte (was BW Calc) [7:65211]

2003-03-12 Thread Marc Thach Xuan Ky
This is all very well but sometimes when people write 500 they really
mean 512, so where does that leave you ?8-)
Marc

s vermill wrote:
 
 Here's a perfectly illustrative example of how common it is to jumble all
 this terminology up...
 
 I often use a download test site at PC Pitstop:
 
 http://www.pcpitstop.com/internet/Bandwidth.asp
 
 I ran a quick download test that transferred a 500 KB block of text to my
 machine.  It took 2.744 seconds to complete.  Thus, the result was returned
 as 1458 Kb/s.  Here's the math:
 
 (assuming decimal)
 
 500 * 1000 * 8 = 4,000,000 bits / 2.77 seconds = ~1,458,000 bits/sec = ~1458
 decimal kbits/sec or ~1423 binary Kbits/sec
 
 Now...
 
 (assuming binary)
 
 500 * 1024 * 8 = 4,096,000 bits / 2.77 seconds = ~1,478,000 bits/sec = ~1478
 decimal kbits/sec or ~1443 binary Kbits/sec
 
 So, in spite of the fact that they are using the binary upper-case K
 throughout, they are obviously meaning the decimal lower-case k, which
 makes sense given that throughput is expressed that way.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65236t=65211


Re: Question concerning a new 2501 router in home lab [7:64170]

2003-03-01 Thread Marc Thach Xuan Ky
When you run your hand across the keyboard, do you touch it or is this a
psychic thing :-)
I'd check the parity on your terminal.  It may be setting the wrong
parity for the router but ignoring incorrect received parity.
Marc

Jim wrote:
 
 I recently acquired a used 2501 router for my home lab that is booting with
 no problem. There is no configuration so it asks if you want to auto config.
 I try to enter an N at this point and get nothing it seems as if the
 keystroke is not seen by the router. If I just run my hand across the
 keyboard the router responds with enter a yes or no to continue. Any
 suggestions to assist is greatly appreciated.
 
 Jim Valentine




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64181t=64170


Re: Help,token ring connection without mau [7:61954]

2003-01-27 Thread Marc Thach Xuan Ky
Not to mention that a TR card goes through a lobe test before attempting
insertion into the ring.  The lobe test is effectively a loopback at the
MAU, a crossover cannot do this.
rgds
Marc

Priscilla Oppenheimer wrote:
 
 ha wrote:
 
  hi
  can 2 token ring interfaces be directly connected with a cross cable? I've
  carefully read the pinout at CCO and made sure it's right, but it did not
  work.
  must i buy a MAU to let them work correctly?
  thanks for your help
 
 Token Ring uses an active repeater, i.e. a MAU. A NIC sends to its
 downstream neighbor and receives from its upstream neighbor. For this to
 happen, a relay, i.e. a MAU, must relay the bits. A MAU is basically a set
 of relays.
 
 Well, that's a convoluted way to say you need a MAU. You can probably get
 one really cheap on e-Bay.
 
 Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=62003t=61954



Re: NAT [7:60784]

2003-01-10 Thread Marc Thach Xuan Ky
Dwayne,
it's most likely that any NAT implementation would overwrite the header
data that it wishes to change, rather than rewriting the header in its
entirety.  Of course the end result would look the same when you view
the packet, however you can recalculate the checksum from the old and
new IP addresses without reading the entire packet, so that's a gain for
not using the full header creation code.
Note though that some protocols which don't pass well through NAT are
handled by an ALG (Application Level Gateway), and these modules will
rewrite the IP data.  Now if I were coding an ALG I'd certainly create
the entire header from scratch, and I might need to do the same with the
data.  Think of an FTP ALG for example.  Here the length of the data may
be changed, in particular it may grow.  The buffer that is currently
allocated for the packet may not have room to grow, so in that case,
you'd need to copy the data into a larger buffer probably as you parse
and alter the data.
rgds
Marc


Dwayne Saunders wrote:
 
 Hi all,
 Was just wondering if any one could put me on to a good link in
 regards NAT and packet headers, simply what I am trying to find out is the
 packet header total rewritten or just the ip address part of the header and
 checksum, Or is a new header written to envelope the original header.
 
 Or does each application do it differently.
 
 Any help would be great.
 
 Regards
 
 D'Wayne Saunders




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60802t=60784



Re: CCNA/CCNP home Lab setup [7:60727]

2003-01-10 Thread Marc Thach Xuan Ky
I've found that it's useful to have a variety of kit, and as many
routers as possible.  Cisco prices on eBay have fallen through the
floor.  A 4000 series with NP-4Ts is a good frame switch. 2500 are good
workhorses, best to get one with an ISDN BRI (I didn't and regretted
it).  Once you have a couple of ethernet-based routers, don't discount
token-ring 2500s if they are cheap or any 3000 series router.  3000s are
ludicrously cheap at the moment and can run 2500 IOS 12.0 images.  Don't
buy multiple 2600s unless you're rich. Two 12-port switches allow
better practice than one 24-port.
rgds
Marc

McManus, Robert BGI SDC wrote:
 
 Could someone give me advice on what I would need (models) for a home lab
 setup for my CCNA/CCNP training?  Any advice would be appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60804t=60727



Re: Load balancing NAT [7:60663]

2003-01-10 Thread Marc Thach Xuan Ky
Doug,
I used the term horrible kludge several hours before I saw your post. 
The multiple NAT pool kludge is horrible because it is neither scalable
nor maintenance-free, nor does it include any dynamic distribution of
load across the resultant multiple (outside local) addresses in use.  It
almost removes the requirement for the load-balancing part of the
load-balancers, leaving them with server failover tasks only.  As I
stated in my post, I'd be looking for a different form of sticky (or a
different NAT device).
rgds
Marc

Doug S wrote:
 
 I liked the comment and definitely agree that some of the authors of Cisco
 training material should be named and publicly humiliated, although the
 sheer volume of mistakes could make this a somewhat overwhelming task for
 the public doing the humiliating. Still, I want to add my opinion that Cisco
 documentation and training material is of a lot higher quality than a lot of
 what's out there, not to name names like MS Press or anything.
 
 The reason I blindly accepted and posted that particular quote is because it
 DOES match my personal experience, which, I admit is considerably less than
 the other posters in this thread.  The only experience I have is in a lab on
 2500's and 2600's running something around IOS 12.1(T).
 
 I also want to point of that this behavior of only overloading the first
 address in the pool sounds like exactly what the original poster is
 experiencing.  The fact that Emilia's and my experience contradicts Peter's
 and TLaWR makes me think that there are differences in how this works on
 different platforms, as TJ suggests.
 
 I'd also like to hear people's opinions on why my solution is a horrible
 kludge, as opposed to just a plain old vanilla kludge.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60858t=60663



Re: Load balancing NAT [7:60663]

2003-01-09 Thread Marc Thach Xuan Ky
IIRC when I last looked at this, it worked as you require, but that
might have been v2 NAT rather than v3 which is current.  Have you
restarted the router?  Superstition dictates that you should.  Failing
this, how many app servers are there?  You *could* use multiple NAT
pools, which  would admittedly be a horrible kludge, depends on how
desperately you want this.  Is there not a better way of using sticky on
the load-balancers?  Are you in a position to change the app to use
cookies for example? or maybe persistent connections so the LBs aren't
responsible for sticky?
rgds
Marc

Emilia Lambros wrote:
 
 I'm looking more for a way to play with how the nat pool I have behaves with
 IP address use.  The NAT config and translations are all working, however I
 can't find a situation online that shows me how I can force translations to
 not overload quite so much, or how I can make more IP addresses be used so
 my load balancing works with sticky sessions set.
 
 For as long as only 1 IP is being used, all connections to the application
 servers go to one application server.  Even with 2 IPs being used, I would
 have more of a chance of connections going to the 2nd application server to
 create some load balancing but as I said, I'm sitting on 8500 connections
 and 1 IP being used.  I know in theory I can go up to 65K+ connections on
 that 1 IP, but I would prefer more like a couple of hundred per IP.
 
 The majority of articles I've read show how to configure, say rotary pools
 or tcp load distribution but not examples of how you can use it another way
 that I could perhaps, adapt.  As I said though, I can't play with the config
 because its a live environment so its a little harder to play and test with,
 without a guarantee that it will work :)
 
 -Original Message-
 From: The Long and Winding Road
 [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, 9 January 2003 11:24 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Load balancing  NAT [7:60663]
 
 if you have a CCO customer account, there are a lot of articles in the TAC
 database
 
 this one is a good start, I believe.
 

 http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
 watch the wrap.
 
 HTH
 
 --
 TANSTAAFL
 there ain't no such thing as a free lunch
 
 Emilia Lambros  wrote in message
 news:[EMAIL PROTECTED]...
  Hi all,
 
  I have an application being load balanced at one site (sticky sessions set
  such that each connection from 1 IP will continue its transactions to the
  same server it started on) and at another site, the users accessing the load
  balanced application.
 
  The users come in from different office locations across private WAN links,
  nat inside is on each of their interfaces and on each interface out of the
  router those WAN links connect to, is nat outside.
 
  I have changed their initial configuration based on NAT overload to an
  interface IP address to be a pool of addresses overloaded.  I was hoping
  that the connections would spill over to the second IP in the pool at some
  stage sooner than the 8500 NAT connections I have currently, but no go.  I
  may as well have NAT'd to 1 IP again :)
 
  Is there a way to overload NAT, but have it using more than 1 IP in the
  pool?  e.g. a pool of 30 IPs, its currently using 1.. I'd love the router to
  even round robin the use of IPs out of the pool but I can't play with the
  config to try it (live environment) and can't find any documentation online
  explaining exactly what I need NAT to do/not do :(
 
  Thanks,
 
  Em :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60693t=60663



Re: Slightly OT - but important [7:60687]

2003-01-09 Thread Marc Thach Xuan Ky
This is hardly earth-shattering news.  You can see this happening every
time you sniff a LAN.  Empty TCP segments (e.g. acks) with six bytes of
random data.  The only thing the report points out is that the data
may previously have been used on another interface or it may be other
non-network data, although I suspect that the latter is highly unlikely
since NIC ring buffers would generally be pre-allocated early on in the
driver initialisation code.  I could be wrong but I would expect a NIC
driver to block or drop if the TX or RX ring was full, rather than try
and get a new buffer allocated.  Where the random data is network
data... well on shared media you should assume it's already been sniffed
anyway, that's what ssh is for :-)
Gotta go now, I've got a CCNP exam in an hour, wish me luck.
rgds
Marc


The Long and Winding Road wrote:
 
 saw this one come through today.
 
 I checked the link down at the bottom of the page. I thought it quite
 interesting that Cisco and Microsoft are noted as not vulnerable while
 just about every *nix out there is listed as unknown. One sad note - my
 firewall of choice is shown as unknown also.
 
 I am presuming that testing is still going on with all these other products.
 unknown may not necessarily mean vulnerable
 
 ---
 
 *CERT WARNS OF POTENTIALLY WIDESPREAD VULNERABILITY
 By SWD Staff
 The Computer Emergency Response Team (CERT) Monday warned of a
 vulnerability affecting Ethernet device driver software running on
 multiple platforms that could allow a remote attacker to harvest
 potentially sensitive information from network traffic.
 
 A research paper by information security firm @stake says, Multiple
 platform Ethernet Network Interface Card (NIC) device drivers incorrectly
 handle frame padding, allowing an attacker to view slices of previously
 transmitted packets or portions of kernel memory. This vulnerability is
 the result of incorrect implementations of RFC requirements and poor
 programming practices, the combination of which results in several
 variations of this information leakage vulnerability.
 
 It is trivial to exploit and has potentially devastating consequences.
 Several different variants of this implementation flaw result in this
 vulnerability, @stake continues. The number of affected systems is
 staggering, and the number of vulnerable systems used as critical network
 infrastructure is terrifying.
 
 CERT recommends applying patches as soon as they are available and using
 encryption to protect network traffic, though it won't protect sensitive
 information leaked from non-network sources, such as kernel memory.
 
 For an updated list of affected vendors, please consult the CERT
 vulnerability note.
 http://www.kb.cert.org/vuls/id/412115
 http:[EMAIL PROTECTED]/research/advisories/2003/index.html#010603-1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60695t=60687
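The padding behaviour Marc describes (empty TCP segments arriving with six bytes of non-zero data) as an added Python example, not from the original thread or the advisory: a checker that locates the bytes beyond the IP total length in a captured IPv4 frame and reports when they are not zero, next to the zero-padding a correct driver applies. The frames are constructed samples; VLAN-tagged and non-IPv4 frames are deliberately skipped.

```python
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60          # minimum frame size on the wire, FCS excluded
ETHERTYPE_IPV4 = 0x0800


def pad_frame(frame: bytes) -> bytes:
    """What a correct driver does: pad a short frame to 60 bytes with zeros."""
    return frame + b"\x00" * max(0, ETH_MIN_FRAME - len(frame))


def padding_region(frame: bytes):
    """(start, end) of the bytes after the IP datagram, or None if not applicable.

    Assumes an untagged IPv4 frame with the FCS already stripped, as in most captures.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    end_of_ip = ETH_HDR_LEN + total_len
    if total_len < 20 or end_of_ip > len(frame):
        return None                      # malformed header or truncated capture
    return (end_of_ip, len(frame))


def leaked_padding(frame: bytes) -> bytes:
    """Padding bytes that are not zero; empty if the frame is clean."""
    region = padding_region(frame)
    if region is None:
        return b""
    pad = frame[region[0]:region[1]]
    return pad if any(pad) else b""


def scan_frames(frames):
    """[(index, padding_length, leaked_bytes)] for every frame whose padding is non-zero."""
    findings = []
    for i, frame in enumerate(frames):
        leak = leaked_padding(frame)
        if leak:
            findings.append((i, len(leak), leak))
    return findings


def sample_short_frame() -> bytes:
    """Constructed 54-byte frame: Ethernet + IPv4 + empty TCP ACK (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    short = sample_short_frame()
    clean = pad_frame(short)                 # 6 zero bytes of padding
    leaky = short + b"ABCDEF"                # stale buffer bytes standing in for a leak
    print(scan_frames([clean, leaky]))       # only the second frame is reported
```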



Re: virtual labs [7:60700]

2003-01-09 Thread Marc Thach Xuan Ky
I have used the Sybex virtual trainer, which was OK for Routing but not
so helpful for BCRAN.  I haven't used the other two subjects yet.  You
should note that it is designed to accompany the Sybex books, so if you
are not buying those then it is less helpful.  If you are cash-strapped
and want a couple of routers to practise with, then 3000 series are very
cheap on eBay.  I have seen these running IOS 12.0 2500 images, you'll
probably need to upgrade the flash/RAM.  If you're unemployed, don't try
to pass well, try to pass quickly. Good luck.
rgds
Marc

reddyred wrote:
 
 Has anyone found any cheap, USEFUL virtual labs for the CCNP track. I'm
 currently an unemployed CCNA and don't have $1,000 bucks for online labs nor
 equipment




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60712t=60700



Re: Cisco 2501 dot1q encapsulation ? [7:60699]

2003-01-09 Thread Marc Thach Xuan Ky
I've just configured dot1q on a 4500 with NP6E and IOS 12.2, I haven't
tested whether its working.
rgds
Marc

Francisco Sedano/Inf-Pronet wrote:
 
 4000? Could you expand on it? Which model/IOS? I have a plain 4000 with
 12.1(11) and it doesn't support it..
 
 cebuano
 Sent by: [EMAIL PROTECTED]
 09/01/2003 22:04
 Please reply to cebuano
 
 To:   [EMAIL PROTECTED]
 cc:
 Subject: RE: Cisco 2501  dot1q encapsulation ? [7:60699]
 
 This is possible with certain models of the 2600 series, and the
 cheapest router to support this with 10Mb Ethernet is the 4000 series.
 HTH.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
 Larry Letterman
 Sent: Thursday, January 09, 2003 12:32 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Cisco 2501  dot1q encapsulation ? [7:60699]
 
 I dont believe so either, since they only support a 10BT
 ethernet connection...
 
 Larry Letterman
 Network Engineer
 San Jose Transport
 Cisco Systems Inc.
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  John Neiberger
  Sent: Thursday, January 09, 2003 7:43 AM
  To: [EMAIL PROTECTED]
  Subject: Re: Cisco 2501  dot1q encapsulation ? [7:60699]
 
 
  I don't believe that any of the 2500 series routers support trunking of
  any variety.  If I'm wrong someone will surely correct me.
 
  John
 
   Thomas Muller  1/9/03 8:21:59 AM 
  Hi,
 
  I've tried to configure dot1q on the LAN interface on my Cisco 2501
  running
  12.2 (IP Plus)
  but it doesn't seem to know the encapsulation dot1q command.
 
  Does anyone know if the 2500 series supports dot1q ?
 
  Thanks, Thomas
  [EMAIL PROTECTED]
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60767t=60699



Re: fragmentation question [7:60643]

2003-01-08 Thread Marc Thach Xuan Ky
MTU 1500 means that the network layer datagram size is 1500 max.  For IP
this is the IP datagram including IP header and transport (TCP/UDP)
header and data.  Fragmentation occurs at the IP level and only the IP
header is duplicated (except offset, checksum etc) into each fragment.
The TCP/UDP headers are merely the first part of the data as far as IP
is concerned and are therefore left untouched.
HTH
Marc

Paul Dong So wrote:
 
 Hi All,
 
 Please shed a light on this as I am confused.
 
 Fragmentation for UDP/TCP:
  * Only the first fragment contains the UDP or TCP header, not the
 sequential fragments?
 
 Fragmentation for IP packets
  * every fragmented packet will contain an ip header?
 
 MTU 1500 bytes, doesn't it mean the data payload can not exceed 1500
 bytes or the whole packet size (payload+header) can not exceed 1500
 bytes?
 
 Thanks in advance
 
 Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60653t=60643
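Marc's answer, as an added Python example (not from the original thread): an IPv4/UDP datagram is split for a 1500-byte MTU so that every fragment carries its own copy of the IP header with an updated length, offset, flags and checksum, while the UDP header is ordinary data that lands only in the first fragment; a small reassembler then puts the datagram back together and refuses incomplete or overlapping sets. Addresses and payload are constructed, and IP options are assumed absent.

```python
import struct

IP_MF, IP_DF, IP_OFFSET_MASK = 0x2000, 0x4000, 0x1FFF


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum of an IP header (any even-length header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_checksum(hdr: bytearray) -> None:
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))


def build_ipv4_udp(src, dst, sport, dport, payload, ident) -> bytes:
    """Constructed sample IPv4/UDP datagram, no IP options (UDP checksum 0 = unused)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, 64, 17, 0, src, dst))
    _set_checksum(hdr)
    return bytes(hdr) + udp


def sample_datagram() -> bytes:
    """Constructed 3100-byte datagram: 20 IP + 8 UDP + 3072 payload bytes."""
    return build_ipv4_udp(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 5000, 53, bytes(range(256)) * 12, 0xBEEF)


def frag_info(fragment: bytes):
    """(more_fragments, offset_in_bytes) read from a fragment's IP header."""
    flags_off = struct.unpack("!H", fragment[6:8])[0]
    return bool(flags_off & IP_MF), (flags_off & IP_OFFSET_MASK) * 8


def fragment(datagram: bytes, mtu: int) -> list:
    """Split a datagram so every fragment, IP header included, fits the MTU.

    Only the IP header is copied into each fragment; everything after it,
    the UDP/TCP header included, is opaque data here. Assumes no IP options.
    """
    ihl = (datagram[0] & 0x0F) * 4
    hdr, data = datagram[:ihl], datagram[ihl:]
    flags_off = struct.unpack("!H", hdr[6:8])[0]
    if flags_off & IP_DF:
        raise ValueError("DF set: drop and send ICMP Fragmentation Needed instead")
    chunk = (mtu - ihl) // 8 * 8            # fragment offsets count 8-byte units
    if chunk <= 0:
        raise ValueError("MTU too small for the IP header")
    if len(data) <= mtu - ihl:
        return [datagram]                   # fits as is: nothing to do
    base = flags_off & IP_OFFSET_MASK       # non-zero when re-fragmenting a fragment
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + chunk >= len(data)
        more = 0 if last and not flags_off & IP_MF else IP_MF
        new_hdr = bytearray(hdr)
        struct.pack_into("!H", new_hdr, 2, ihl + len(piece))
        struct.pack_into("!H", new_hdr, 6, more | (base + off // 8))
        _set_checksum(new_hdr)
        frags.append(bytes(new_hdr) + piece)
    return frags


def reassemble(fragments):
    """Rebuild the datagram from a complete set in any order; None if it is not.

    Duplicate offsets and pieces that do not tile the data exactly are
    rejected: overlapping fragments are where reassembly bugs have lived.
    """
    pieces, total, first_hdr = {}, None, None
    for f in fragments:
        ihl = (f[0] & 0x0F) * 4
        more, off = frag_info(f)
        if off in pieces:
            return None
        pieces[off] = f[ihl:]
        if off == 0:
            first_hdr = bytearray(f[:ihl])
        if not more:
            if total is not None:
                return None
            total = off + len(pieces[off])
    if total is None or first_hdr is None:
        return None
    data, pos = bytearray(), 0
    while pos < total:
        if pos not in pieces:
            return None                     # hole: keep waiting, or time out
        data += pieces[pos]
        pos += len(pieces[pos])
    if pos != total:
        return None
    struct.pack_into("!H", first_hdr, 2, len(first_hdr) + total)
    struct.pack_into("!H", first_hdr, 6, 0)
    _set_checksum(first_hdr)
    return bytes(first_hdr) + bytes(data)
```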



Re: IOS process scheduler algorithm [7:60206]

2003-01-05 Thread Marc Thach Xuan Ky
Thanks Mark,
I get it now I think.  I was envisaging processes remaining in the queue
and a pointer selecting each in turn.  In fact of course, because it's
not a pre-emptive OS, this doesn't occur, the processes are removed (as
in fact stated in the book) and put on either the idle or dead queue. 
Also I was envisaging an equal number of processes in each queue whereas
after further consideration I would guess that most processes are high
or medium.
thanks again,
Marc

Vicuna, Mark wrote:
 
 Nope - From step 34 in the book.
 
 There are no counters for critical and high priority queues either.  The
 'failsafe' for servicing the medium priority is when all the processes
 in the critical and high ready queues have been executed or when a
 medium priority instance is found when servicing the low priority queue
 (interleave) - all the medium processes will be executed.
 
 The scheduler will not service the low priority queue within 15 times of
 skipping the low queue - and even then, if the scheduler is executing
 low priority instances it will still service a medium (or critical or
 high) process if one is found in the ready queue.
 
 hth,
 Mark.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60365t=60206



Re: Off Topic - More Bitching about Cisco's New Web Site [7:60308]

2003-01-04 Thread Marc Thach Xuan Ky
Well I thought the site was very slow - until I realised I'd stuck a
clock rate 64000 on my frameswitch router so that I could see some
queueing :-) I now go straight for the search button, but there are some
horrors in there.  There seem to be more pdfs as well which is good, but
then sometimes there is only a pdf.  There's a bit under technologies
where I burrowed down through QoS, congestion management, through
queuing and then to WFQ to find a short paragraph telling me what it
was.  I'd really wanted a white paper detailing algorithms!
I'm sure I'll crack it sometime.
rgds
Marc

The Long and Winding Road wrote:
 
 Is it just me? More broken links? Harder to find the everyday tools?
 lower  - a LOT slower - navigating around?
 
 Seems like just about every day I'm filling out one of those feedback forms
 to report a problem. assuming I've found the basic page I'm looking for
 anyway.
 
 For example - check out the links on this page.
 

 http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt2/index.htm
 watch the wrap
 
 and whatever happened to the tool index? It was no fun searching for the
 Software Advisor and the IOS Upgrade Planner this morning.
 
 grumble grumble grumble
 
 --
 TANSTAAFL
 there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60308t=60308



IOS process scheduler algorithm [7:60206]

2003-01-03 Thread Marc Thach Xuan Ky
Hi all,
I am reading Cisco Press Inside Cisco IOS Software Architecture and
have some outstanding questions about the scheduler, maybe somebody can
help me.  The text describes how the low priority queue is only skipped
15 times before it is serviced even when there are processes queuing at
higher priorities.
Does this count up to 15 include the times that both medium and low
priority queues are skipped?
There seems to be no similar counter for the medium queue, am I correct
then in assuming that the only failsafe servicing of the medium priority
queue is achieved via the interleaving occurring during failsafe
servicing of the low priority queue, which would imply the answer to the
first question?
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60206t=60206



Re: Cisco career advice needed [7:60013]

2003-01-03 Thread Marc Thach Xuan Ky
In the last place I worked, rumour has it that one of my colleagues was
interviewed and thus obtained a UK visa on the basis of his CCIE, and
this later turned out to be written only.  HR departments / technical
management aren't always as rigorous as you may think :-)
If this is true then I think you could definitely say that it can be of
benefit.
rgds
Marc

Frank Jimenez wrote:
 
 Where I *have* seen it helpful is in specific cases where a company was
 anticipating needing a CCIE-level applicant at a future date.
 
 So the following:
 
 CCIE Routing/Switching - Lab Scheduled 6/2003
 
 Might be helpful.  The CCIE written qualification alone hasn't helped
 anybody that I know of.
 
 Frank Jimenez, CCIE #5738
 Systems Engineer
 Cisco Systems, Inc.
 [EMAIL PROTECTED]
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
 irfan siddiqui
 Sent: Tuesday, December 31, 2002 3:23 AM
 To: [EMAIL PROTECTED]
 Subject: Cisco career advice needed [7:60013]
 
 Hi,
 Does the CCIE qualification exam itself have any worth. I know that you're not
 a CCIE without giving the actual Lab part of the exam, but how does the CCIE
 written exam scale on its own, career wise. Does it help improve job
 prospects. What are the benefits of this exam on its own, or is it totally
 useless without the LAB part.
 Say if i never appear for the LAB, for any reason, would the written exam be
 any worth of mention, like say on my resume or as a credential. Thanks
 for all your advice in advance. Irfan
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60224t=60013



Re: CCIE Vs. BS or MS degree [7:59481]

2003-01-03 Thread Marc Thach Xuan Ky
Thomas Larus wrote:
snip
 As for nrf, - his contributions to groupstudy have been almost entirely
 negative. While it is helpful to have some discussion of things like the job
 market and the question of whether it is better to invest time and effort in
 a degree versus certification is useful, constantly chiming in with negative
 thoughts and assessments is not very helpful.  This is something of a
 support group, and in these difficult times, those of us who have already
 set out to achieve certification goals need encouragement and technical
 advice.

I have recently strongly disagreed with nrf, but I do not find him
negative as you suggest.  I think it's a shame if people cannot
contribute without being personally attacked in such a generalised
manner.
 
 I do not know if nrf is one of these people (he could just be negative for
 no particular reason), there are some people who come to these discussion
 groups to discourage others from pursuing dreams the achievement of which
 might bring about a greater number of certified IT professionals and perhaps
 exert downward pressure on salaries.

I don't know nrf personally but I doubt that he's that influential. 
Anybody who gets put off the cert process by reading a discouraging
viewpoint on this list probably doesn't have the mettle to see it
through anyway.

rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60271&t=59481



Re: Test for MCast...Any?? [7:58269]

2002-12-18 Thread Marc Thach Xuan Ky
Hi Phil,
I came across this link and thought it might be useful to you.
http://www.videolan.org/
rgds
Marc

Cisco Nuts wrote:
 
 Hello,
 Is there a way to test/practise MCast configs. on the Internet? I
 have a cable-modem connected to a 2514 router and would like to configure
 MCast on it as well as my Lab routers behind that for PIM-SM. I have a
 laptop connected as a client to one of the routers. How can I verify that
 MCast is working on the laptop? I mean, is there a freeware/shareware
 application that I can install on my laptop to test (since I cannot
 obviously have IP/TV client on my laptop). Or is there any other way to do
 it in the Lab routers themselves. Any basic configs/examples provided are
 gratefully appreciated. Thank you for your help.
 Sincerely,
 CN
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59472&t=58269



Re: Off Topic but interesting - RS networking future? [7:59376]

2002-12-17 Thread Marc Thach Xuan Ky
A few points:
When I was fresh in the IT industry (over 20 years ago) the old-timers
who had been working maybe four years already would tell me that there
was no future in programming, after all they said, who uses a chauffeur
now that cars are so easy to drive?
Cars need very little maintenance now, there are still plenty of
mechanics because there are more cars.
Phone companies still employ a lot of telephone engineers, large
corporates often have on-site telephone staff.  There are more phone
companies now.  Voice is a commodity.
Here in London during the 80's property boom, electricians and plumbers
on the large contracts were being paid a lot more than any network
engineer I heard of at the time.
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59376&t=59376



Re: Off Topic but interesting - RS networking future? [7:59402]

2002-12-17 Thread Marc Thach Xuan Ky
nrf wrote:
 
 I would just add that many times (actually, more often than not),
 predictions actually turn out to be correct.

We could trade predictions forever :-) What about the bloke who said
nobody will ever need more than 640k RAM?  He still got rich.

 And even for those jobs that didn't
 decline, there was significant change in what they did.  Mechanics can't
 just know how to fix carburetors, now they have to understand
 fuel-injection.

Definitely.  Janitors now use vacuum-cleaners as well as brooms.
Telephone operators now use keyboards, not patchcords.  Networkers will
need to know more than just layers 2 and 3.  But there will be a
continued demand for R/S as part of the networker's job.

Another point is that bandwidth is not necessarily cheap all over the
world, Europe is more expensive than the US, and Asia even worse, so
engineering is required, in fact surely traffic engineering is all the
rage at the moment.

I guess what I want to say is that when an economy is booming, people
unrealistically believe it's forever and they will be millionaires by
next June.  Conversely when the economy is in a trough then people get
gloomy and believe that they'll never pay off their credit card bills. 
Neither view is realistic.  R/S is not dead, it's sleeping and will wake
up.  Granted there will not be the insane rush into network builds that
we saw a few years ago but the wireless boom is around the corner.

rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59402&t=59402



Re: Perhaps O/T: Window TCP Rcv Window [7:59400]

2002-12-17 Thread Marc Thach Xuan Ky
Are you trying to make the window smaller?
rgds
Marc

s vermill wrote:
 
 On a W2k machine, I've tried several different recommendations for adjusting
 the TCP receive window size.  None of them, including those directly from
 Microsoft, seem to have any impact.  I'm capturing my own traffic and my
 advertised window is always in the 64k range.
 
 I've tried editing the \tcpip\parameters to include 'TcpWindowSize' and
 'GlobalMaxTcpWindowSize' - neither of which had any effect.  I've tried
 editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no effect.
 
 Anyone know how to manipulate the rcv window that my machine will
 advertise.  For that matter, what about the other MS OSes?  XP?  Win98?
 
 Thanks all,
 
 Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59405&t=59400



Re: Perhaps O/T: Window TCP Rcv Window [7:59400]

2002-12-17 Thread Marc Thach Xuan Ky
Scott,
A clue from this webpage:
http://www.psc.edu/networking/perf_tune.html
Describing Win98 it says DefaultRcvWindow is a string type and the
value describes the default receive window size for the TCP stack.
Otherwise the window size has to be programmed in apps with setsockopt.
Perhaps the app is setting it differently.  It also seems to imply that
GlobalMaxTcpWindowSize should do it since the OS should enforce this on
the app.  Do you know what units the variable uses?  That website
indicates that the default is a gig, so it may be measured in K or M,
just a thought.
rgds
Marc


s vermill wrote:
 
 Marc Thach Xuan Ky wrote:
 
  Are you trying to make the window smaller?
  rgds
  Marc
 
 Yes.  I was hoping to set up a demonstration on the impact of high
 bandwidth*delay product networks without actually having a high
 bandwidth*delay product network.  By artificially enforcing a small rcv
 window, I should get about the same result.
 
 Thanks Marc,
 
 Scott
 
 
  s vermill wrote:
  
   On a W2k machine, I've tried several different recommendations for adjusting
   the TCP receive window size.  None of them, including those directly from
   Microsoft, seem to have any impact.  I'm capturing my own traffic and my
   advertised window is always in the 64k range.
  
   I've tried editing the \tcpip\parameters to include 'TcpWindowSize' and
   'GlobalMaxTcpWindowSize' - neither of which had any effect.  I've tried
   editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no effect.
  
   Anyone know how to manipulate the rcv window that my machine will
   advertise.  For that matter, what about the other MS OSes?  XP?  Win98?
  
   Thanks all,
  
   Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59416&t=59400
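
An added worked example (editor's addition, not code from this thread or from any of the posters): it puts numbers on the bandwidth*delay demonstration Scott is after, and shows the per-socket control Marc refers to, setting the receive buffer with setsockopt(SO_RCVBUF) on an unconnected socket, which the stack uses to size the window it advertises regardless of the system-wide registry values. The window, RTT and link figures in the demo are constructed for illustration.

```python
# Added example, not code from the thread. It puts numbers on the
# bandwidth*delay demonstration Scott is after and shows the per-socket
# knob Marc mentions: an application sets its own receive buffer with
# setsockopt(SO_RCVBUF) before the connection exists, and the advertised
# window is derived from that, independent of the system-wide settings.
import socket


def window_limited_throughput_bps(window_bytes: int, rtt_seconds: float) -> float:
    """Ceiling for one TCP connection whose receiver advertises at most
    window_bytes: the sender can have at most one window in flight per RTT."""
    if window_bytes <= 0 or rtt_seconds <= 0:
        raise ValueError("window and RTT must be positive")
    return window_bytes * 8 / rtt_seconds


def bandwidth_delay_product_bytes(link_bps: float, rtt_seconds: float) -> int:
    """Window needed to keep a link of link_bps busy across rtt_seconds."""
    return int(round(link_bps * rtt_seconds / 8))


def rtt_to_emulate(window_bytes: int, target_bps: float) -> float:
    """Inverse of the ceiling: with a window you can force, the RTT at which
    the connection behaves as if the link were target_bps."""
    return window_bytes * 8 / target_bps


def rcvbuf_after_set(requested_bytes: int) -> int:
    """Set SO_RCVBUF on an unconnected TCP socket and read back what the stack
    granted. Setting it before connect()/listen() is the portable way for an
    application to pin its own receive window; Linux reports twice the request
    because it reserves bookkeeping space, so always check the value."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested_bytes)
        return s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)


if __name__ == "__main__":
    # Constructed figures: a 64 KB window (the ~64k Scott keeps seeing) over
    # a 100 ms round trip caps a single stream at about 5.2 Mbit/s.
    print("64 KB window @ 100 ms RTT:",
          round(window_limited_throughput_bps(65535, 0.1) / 1e6, 2), "Mbit/s")
    # A 100 Mbit/s path with 100 ms RTT needs about 1.25 MB of window to fill.
    print("BDP for 100 Mbit/s @ 100 ms:",
          bandwidth_delay_product_bytes(100e6, 0.1), "bytes")
    # Forcing an 8 KB window on a 100 ms path caps the stream near 655 kbit/s.
    print("8 KB window @ 100 ms RTT:",
          round(window_limited_throughput_bps(8192, 0.1) / 1e3), "kbit/s")
    print("SO_RCVBUF granted for a 16 KB request:", rcvbuf_after_set(16384))
```

The arithmetic is what makes the demo reproducible: pick the window you can force, pick a target link speed, and rtt_to_emulate tells you how much delay the test path needs (dummynet or a long route) for the connection to behave like that link.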



Re: Perhaps O/T: Window TCP Rcv Window [7:59400]

2002-12-17 Thread Marc Thach Xuan Ky
Richard,
that looks like a gem!  We should all have one of those.
Thanks,
Marc

Larkin, Richard wrote:
 
 A much much much easier way is to use a PC, load the dummynet image on a
 floppy disk, then in about 5 minutes with the right configuration, you have
 a simulated WAN, including bandwidth and delay.
 
 Dummynet works on FreeBSD or, as we do, you can download the version that
 fits on a floppy and boot from it. We use it to teach our application
 developers the hard lesson that not everyone has 100Mbps link to the
 servers, most sites have 64kbps.
 
 Rik
 
 -Original Message-
 From: s vermill [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, 18 December 2002 6:40 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Perhaps O/T: Window TCP Rcv Window [7:59400]
 
 Marc Thach Xuan Ky wrote:
 
  Are you trying to make the window smaller?
  rgds
  Marc
 
 Yes.  I was hoping to set up a demonstration on the impact of high
 bandwidth*delay product networks without actually having a high
 bandwidth*delay product network.  By artificially enforcing a small rcv
 window, I should get about the same result.
 
 Thanks Marc,
 
 Scott
 
 
  s vermill wrote:
  
   On a W2k machine, I've tried several different recommendations for adjusting
   the TCP receive window size.  None of them, including those directly from
   Microsoft, seem to have any impact.  I'm capturing my own traffic and my
   advertised window is always in the 64k range.
  
   I've tried editing the \tcpip\parameters to include 'TcpWindowSize' and
   'GlobalMaxTcpWindowSize' - neither of which had any effect.  I've tried
   editing \VxD\MSTCP to include 'DefaultRcvWindow' - also no effect.
  
   Anyone know how to manipulate the rcv window that my machine will
   advertise.  For that matter, what about the other MS OSes?  XP?  Win98?
  
   Thanks all,
  
   Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59420&t=59400



Re: Selective NAT [7:59287]

2002-12-16 Thread Marc Thach Xuan Ky
IIRC when you use route-maps you should note that the NAT is
session-based (like with twice-NAT), with various consequences: you
cannot make new connections into the inside global address, and without
NAPT (PAT) you may use your pool addresses rather quicker than you
envisaged.
rgds
Marc


The Long and Winding Road wrote:
 
 wrote in message news:[EMAIL PROTECTED]...
  Is it possible to use extended ip access-lists for NATing. Basically I want
  traffic from a particular subnet destined for a particular subnet only to be
  NATed? All other traffic should not be NATed.
 
 
 as a follow up - here is an excerpt from the link in the previous message:
 
 Route Map Approach
 The correct way to configure the example in this document is to use route
 maps. With a route map approach, you would do the following to translate the
 hosts on 10.1.1.0:
 
 ip nat pool pool-108 131.108.2.1 131.108.2.254 prefix-length 24
  ip nat pool pool-118 131.118.2.1 131.118.2.254 prefix-length 24
 
  ip nat inside source route-map MAP-108 pool pool-108
  ip nat inside source route-map MAP-118 pool pool-118
 
  interface ethernet0
ip address 10.1.1.1 255.255.255.0
ip nat inside
  interface ethernet1
ip address 10.1.2.1 255.255.255.0
ip nat outside
 
  access-list 108 permit ip 10.1.1.0 0.0.0.255 131.108.1.0 0.0.0.255
  access-list 118 permit ip 10.1.1.0 0.0.0.255 131.118.1.0 0.0.0.255
 
  route-map MAP-108 permit 10
  match ip address 108
 
  route-map MAP-118 permit 10
  match ip address 118
 
 
  Cheers
  Simon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59314&t=59287
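
An added worked example (editor's addition; a toy model, not IOS code and not from the thread): it plays out the two caveats in Marc's reply. A "simple" entry maps inside local to inside global by address alone, so an outside host can open a brand-new connection to the inside global address. An "extended" entry, which route-map based translation creates, records the whole session, so an inbound packet is only translated if the inside host already opened that session. Without overload (PAT), each inside host that starts a session holds one pool address, so the pool drains faster than a head count suggests. The pool addresses reuse the 131.108.2.x range from the quoted config; the host, port and outside addresses are constructed, and entries never time out in this model.

```python
# Added example, not from the thread and not IOS's implementation: a toy
# NAT table contrasting "simple" (address-only) entries with "extended"
# (full-session) entries, and pool consumption with and without overload.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Key of an extended entry: (inside global, global port, outside ip, outside port)
Session = Tuple[str, int, str, int]


@dataclass
class NatTable:
    pool: List[str]             # inside global addresses available
    extended: bool              # True: entries carry the full session
    overload: bool = False      # PAT: all inside hosts share pool[0], ports tell them apart
    by_local: Dict[str, str] = field(default_factory=dict)               # inside local -> inside global
    sessions: Dict[Session, Tuple[str, int]] = field(default_factory=dict)  # session -> (local, port)
    next_port: int = 1024       # next translated source port under overload (constructed)

    def __post_init__(self) -> None:
        if self.overload:
            self.extended = True    # port translation only works with full entries

    def _global_for(self, inside_local: str) -> Optional[str]:
        """Reuse the address this host already holds, else take a free pool address."""
        if inside_local in self.by_local:
            return self.by_local[inside_local]
        if self.overload:
            chosen = self.pool[0]
        else:
            in_use = set(self.by_local.values())
            free = [g for g in self.pool if g not in in_use]
            if not free:
                return None         # pool exhausted: the packet is dropped
            chosen = free[0]
        self.by_local[inside_local] = chosen
        return chosen

    def outbound(self, inside_local: str, lport: int,
                 outside_ip: str, oport: int) -> Optional[Tuple[str, int]]:
        """Inside -> outside packet; returns the (inside global, port) it leaves with."""
        g = self._global_for(inside_local)
        if g is None:
            return None
        if self.overload:
            gport, self.next_port = self.next_port, self.next_port + 1
        else:
            gport = lport
        if self.extended:
            self.sessions[(g, gport, outside_ip, oport)] = (inside_local, lport)
        return g, gport

    def inbound(self, dst_global: str, dst_port: int,
                src_ip: str, src_port: int) -> Optional[str]:
        """Outside -> inside packet aimed at an inside global address; returns the
        inside local address it is delivered to, or None if it is not translated."""
        if self.extended:
            hit = self.sessions.get((dst_global, dst_port, src_ip, src_port))
            return hit[0] if hit else None     # no matching session: not translated
        for local, g in self.by_local.items():
            if g == dst_global:
                return local                   # simple entry: any port, any outside host
        return None


if __name__ == "__main__":
    # Constructed scenario with a two-address pool and route-map style entries.
    rm = NatTable(pool=["131.108.2.1", "131.108.2.2"], extended=True)
    print(rm.outbound("10.1.1.10", 40000, "131.108.1.9", 80))   # ('131.108.2.1', 40000)
    print(rm.outbound("10.1.1.11", 40000, "131.108.1.9", 80))   # ('131.108.2.2', 40000)
    print(rm.outbound("10.1.1.12", 40000, "131.108.1.9", 80))   # None: pool of two is used up
    print(rm.inbound("131.108.2.1", 40000, "131.108.1.9", 80))  # 10.1.1.10: reply in a session
    print(rm.inbound("131.108.2.1", 22, "131.108.1.50", 5000))  # None: new inbound connection
    simple = NatTable(pool=["131.108.2.1"], extended=False)
    simple.outbound("10.1.1.10", 40000, "131.108.1.9", 80)
    print(simple.inbound("131.108.2.1", 22, "131.108.1.50", 5000))  # 10.1.1.10
```

The design point for a defender is the second inbound call: with extended entries an unsolicited connection to an inside global address has no session to match and is dropped, which is the behaviour Marc warns about when you actually wanted inbound reachability, and the behaviour you rely on when you did not.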



Re: Power Cable [7:58614]

2002-12-06 Thread Marc Thach Xuan Ky
Sounds like a standard IEC kettle lead to me.  At least here in the UK,
that's what they're for, electric kettles. IIRC these plugs are used for
temperature-resistant leads, and the notch allows you to use a
temperature-resistant lead in any application, but to disallow the
incorrect lead in your kettle or other hot object.  This may be an
indication that your 7000 is going to suck some serious power 8^)
In the UK you can get one of these in the local electrical store, YMMV.
rgds
Marc

NetEng wrote:
 
 I bought a 7000 router off of ebay. It did not come with a power cable
 and I can not find one for the life of me. I purchased and received
 CAB-7KAC=, but this cable does not fit. It says on the package that it's a
 7500 series AC power cord. On Cisco's website it says to order this cable
 but, again, it does not fit. Below is a layout of the power supply
 connector. Does anyone know the correct power cable to order (and where)
 to get it? TIA. The connector is like every other one (router/monitor/PC)
 except it has a small ridge between the top prongs.
 
  
 |  []  U  [] |
 |   |
 |   [] |
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58695&t=58614



Re: O/T too much time on my hands? [7:57484]

2002-11-15 Thread Marc Thach Xuan Ky
Hi Priscilla,
At the end of the slideshow you ask for other methods, well I've got one
and it's really easy.  Before I start you should note that my emoticons
have broken down so you may need to insert your own.
Unfortunately my first attempt to implement the method that I'm about to
describe was error-prone and gave the answer as 31 triangles.  Now, the
shape is five-way symmetrical (which indicated that 31 was probably not
correct), it's a five-point star with the pointy nodes joined together
by extra links.  We'll call the five pointy bits distribution nodes, and
the five intersections in the middle we'll call core nodes.  The area
outside the shape is the access area.  Now any given triangle can have
either 3 distribution, 2 distribution / 1 core, 1 distribution / 2 core,
or 3 core (except that the core isn't meshed so this is zero).  We will
abbreviate these types as 3D, 2D/1C, 1D/2C, and 3C because we like
jargon. Inspection also shows that the 3D types can be subdivided into
long triangles and fat triangles (3LD and 3FD) 2D/1C types can also be
subdivided, into adjacent D's and non-adjacent D's (2AD/1C and 2ND/1C). 
With me so far?  Good because we now subdivide the 2AD/1C into three
subtypes: straight down, hanging left and hanging right (2AD/1Cbis,
2AD/1C(L) 2AD/1C(R)).  Anyway all told we now have eight categories of
triangle, we can count each category (please don't count the 3Cs during
your leisure time).
So by breaking the problem down this way, it is easier to count and thus
much quicker to implement. In fact we now just have to count from one to
five several times.  Of course if we employed a project manager the
problem could be shared between seven triangle-counters working in
parallel.  This could bring the end-date in by a full ten percent.
Disclaimer: Note that if working in a quality-assured environment you
will need eight triangle-counters.  The 3C type cannot be assumed to
have no triangles.  Time-savings shown are for example only and cannot
be guaranteed.
Just to close, there is a further refinement of the technique.  Because
the shape is five-way symmetrical, you in fact only have to count to
one, what could be more straightforward than that?  This has the added
benefit of enabling the project to be broken up into even smaller and
more manageable tasks.
One more thing, perhaps it's a trick question.  All nodes may run STP so
all loops are removed, hence the correct answer could be zero.
BTW if you were wondering about the access area, it's not actually
relevant.
rgds
Marc TXK

Priscilla Oppenheimer wrote:
 
 I added a Topology Troubleshooting Puzzle to my Web site. It's not
 Cisco-specific. Well, to be honest, it's not even networking specific! ;-)
 But it does make you think and wonder how you could be so blind, if you're
 like me when I first did it. Be sure to actually try it before going on to
 the solution. OK, is that enough filler? The URL is here:
 
 http://www.troubleshootingnetworks.com/triangles/index.htm
 
 Offline, let me know what you think (if you have my address, which I can't
 publish due to commercial unsolicited e-mail.)
 
 Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57502&t=57484



Re: build tcp/ip on PC serial port [7:56885]

2002-11-07 Thread Marc Thach Xuan Ky
Hi Cable,
A normal PC serial port is async, as in U.Async.R.T, so will not connect
to standard sync cisco port.  If you really want to run sync then yes,
you will need a sync port on the PC but this is minority interest
hardware and will not be cheap.  Try manufacturers such as Eicon.  I
would expect a sync serial card to have IP software available but then
I've never done it myself.  Where is this technical requirement coming
from?
rgds
Marc TXK

Cable Guy wrote:
 
 Ah, you want remote access. You want to let the PC join the network even
 though it's connected via its serial port. That's very doable. It used to be
 pretty common for PCs to connect that way in the olden days.
 
 Check out the Cisco documentation on terminal services or access servers. Or
 maybe somebody can just tell you how to do it. Someone who has recently
 studied BCRAN could help maybe?
 
 I am talking about ppp over serial (BCRAN topic) but not remote access with
 modems, aux ports, or asynch ports.
 
 Take a standard back to back router1 serial0 to router2 serial0, each with
 configured IPs. Keep this picture in mind, but replace one of the routers
 with a PC. Back to back WAN connection from PC to router's serial0.
 
 I think finding a serial port with a driver that allows tcp/ip to bind on
 it, is the correct way to describe the obstacle here?
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57044&t=56885



Re: build tcp/ip on PC serial port [7:56885]

2002-11-06 Thread Marc Thach Xuan Ky
Am I being thick or something, isn't this what Windows dial-up
networking is for? or *NIX pppd?  Alternatively, what about some pre-MS
stack for Windows or DOS ?8^)
rgds
Marc TXK

Cable Guy wrote:
 
 The fact that you can dial into the Internet is more proof that you can run
 TCP/IP over the PC's serial port.
 
 Hmm, why do people need proof of this? Maybe I should read the archives.
 Tcp/ip can be bound to anything. Build an interface that sends electrical
 signals down two thin water streams, code a driver, and you can bind tcp/ip
 to water.
 
 Anyway, that USB pdf link site is down and I can't access it now. I see
 there are some USB network hubs. Do these work with only USB network
 machines? Hmm, these could be slip/ppp then. An entire hub of slip/ppp...I
 wonder. The ones that interface directly with rj-45 are no hope. I wonder
 even if the signal actually coming out of the USB port is slip/ppp framed,
 then converted outside, or just straight ethernet framed off before exiting
 USB port. I do see some USB network card implementations are just a plug
 into the USB port with no wires exposed, and a rj-45 plugin dongle like
 thing. I guess I need one with wires exposed to cut into them, and with
 slip/ppp.
 
 Surely there is a serial card with boundable driver out there somewhere?
 Help.
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56984&t=56885



Was Re: build tcp/ip on PC serial port [7:56885] now OT [7:56999]

2002-11-06 Thread Marc Thach Xuan Ky
Dom,
please don't embarrass me on-list, I was pretending not to know you!  I
was actually thinking of Ice, but then I'm really old.  I don't have
time for video anyway, not now I've discovered cisco certification.
Marc


[EMAIL PROTECTED] wrote:
 
 Hi Marc,
 
 You mean something like Trumpet mate?
 
 BTW, how do you program your video? Have you ported QNX to it yes?
 
 Regards,
 
 Dom Stocqueler.
 
 
  Marc Thach Xuan Ky
  Sent by: [EMAIL PROTECTED]
  06/11/2002 10:39 AM
  Please respond to Marc Thach Xuan Ky
  cc:
  Subject: Re: build tcp/ip on PC serial port [7:56885]
 
 
 Am I being thick or something, isn't this what Windows dial-up
 networking is for? or *NIX pppd?  Alternatively, what about some pre-MS
 stack for Windows or DOS ?8^)
 rgds
 Marc TXK
 
 Cable Guy wrote:
 
   The fact that you can dial into the Internet is more proof that you can run
   TCP/IP over the PC's serial port.
  
   Hmm, why do people need proof of this? Maybe I should read the archives.
   Tcp/ip can be bound to anything. Build an interface that sends electrical
   signals down two thin water streams, code a driver, and you can bind tcp/ip
   to water.
  
   Anyway, that USB pdf link site is down and I can't access it now. I see
   there are some USB network hubs. Do these work with only USB network
   machines? Hmm, these could be slip/ppp then. An entire hub of slip/ppp...I
   wonder. The ones that interface directly with rj-45 are no hope. I wonder
   even if the signal actually coming out of the USB port is slip/ppp framed,
   then converted outside, or just straight ethernet framed off before exiting
   USB port. I do see some USB network card implementations are just a plug
   into the USB port with no wires exposed, and a rj-45 plugin dongle like
   thing. I guess I need one with wires exposed to cut into them, and with
   slip/ppp.
  
   Surely there is a serial card with boundable driver out there somewhere?
   Help.
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56999&t=56999



Re: Study group:UK [7:56900]

2002-11-05 Thread Marc Thach Xuan Ky
Hi Greg,
Where about in London are you?  I'm in SE14 and would certainly be
interested in forming a local group.
rgds
Marc TXK
[EMAIL PROTECTED]

Greg Nathan wrote:
 
 Hi
 Anyone in London, UK want to form a study group where we can bounce around a
 few ideas and lab practice strategies? I have a fully kitted lab with 7
 routers with voice, 2 switches, ISDN simulator etc. I am based in London,
 would prefer something a little less virtual if possible.
 Lemme know.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56910&t=56900



Re: Getting slightly back on Topic - VOTE [7:56758]

2002-11-05 Thread Marc Thach Xuan Ky
Priscilla Oppenheimer wrote:
 
 What will it be when we're old geezers that we won't get? There will
 probably be some technology that the young people all get that we will be
 clueless about. I won't like that. ;-)
 

Wot? do you mean you can work the video?
rgds
Marc TXK




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56946&t=56758



Re: router boots in to rommon [7:54591]

2002-10-01 Thread Marc Thach Xuan Ky

Hi,
I had a very similar message, I changed the cache and main RAM, but I
just got different error messages.  I concluded that I had a bad
backplane.  However, I swapped around the NP modules, and it's been
working fine since 
rgds
Marc

nettable_walker wrote:
 
 Thank you
 I already swapped memory once, but I will try it again.
 
 Kim Graham wrote in message news:[EMAIL PROTECTED]...
  Check your flash for crash info files. You can read through these and or
  download them to add to your TAC case.  You have a memory error and may need
  to swap out a stick of memory.
 
  Searching Cache Error Exception 4700 and Cache Parity Exception 4500
  separately gives you many links that will help you to understand what is
  happening.  You do not need a CCO account to do this search.
 
  Kim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54636&t=54591



Re: Why does IOS only allow ICMP granularity on destination [7:42609]

2002-04-25 Thread Marc Thach Xuan Ky

The ICMP type specified is not related to either source or destination
address.  It is not like a port, it is just the type of frame.  You
could ask why the syntax is not:

permit icmp echo any any

It just isn't, possibly for historical reasons, maybe just arbitrary. 
More to the point, why do cisco bundle together type and code into one
descriptor, such as the ridiculous *packet-too-big* keyword?
rgds
Marc TXK

Anthony Pace wrote:
 
 for instance :
 
 access-list 101 permit icmp any host 207.122.1.5 echo
 access-list 101 permit icmp host 207.122.2.3 any echo-reply
 
 but not
 
 access-list 101 permit icmp any echo-reply any
 
 Anthony Pace




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42609&t=42609



Re: OT: Using a Router to redirect IP traffic [7:42217]

2002-04-22 Thread Marc Thach Xuan Ky

Hi Trevor,
Assuming that your servers have unique public IP addresses and you can
get a small new address space from the colocation provider (for use as a
NAT pool) then this would be technically feasible using twice-NAT. 
However, you would be paying your current colo provider for twice the
bandwidth that you already consume plus your new provider.  You would
add hops, delay, packet loss, and complexity.  If you do not have at
least one spare server (assuming similar platforms) then you will
require downtime when you move each server anyway, so you could change
the DNS entry then.  Note that you must lower the TTL of DNS entries so
as to let cached records expire in time for the change.  Note also that
if all traffic is web, then you might like to consider HTTP redirection
as a technique in case your current DNS TTLs are already too long.
rgds
Marc

Trevor Jennings wrote:
 
 Hello,
 
  Where I work, we have a number of servers being co-located at one
 location and are planning on moving those servers to another co-location
 provider soon. My boss asked me why we could not, when we move the
 servers, just place a router at the original ISP to redirect all traffic
 from the original IPs to the new IPs rather than having duplicate
 servers or adjusting the DNS at the same time. I told him that I wasn't
 sure whether it was possible and was told by a friend that it's not
 really possible to do that. Can anyone confirm that or rather explain why
 that is not possible? My boss's theory was that we would have a router
 with 2 ethernet ports and redirect the original IPs to the new IPs
 through the second ethernet.
 
 Cheers,
 
  - Trevor




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42223&t=42217



Re: ACL - Let's put some numbers on... [7:41738]

2002-04-22 Thread Marc Thach Xuan Ky

Some time ago I was messing about with a 3640 and IIRC I measured about
70k pps (unidirectional traffic) with no acls.  An acl where the traffic
was permitted on the first line dropped it to about 55k pps.  Pushing
the permit acl lines down the list dropped another approx 1%
throughput for each line processed.  The IOS was probably 11.2.
rgds
Marc

Ole Drews Jensen wrote:
 
 My first line of defence is a 3620, and I am using an ACL on the outside
 interface for incoming traffic, trying to stop some of the 'bad' traffic
 before it continues to my firewall. I know how to design the access-list so
 the most often received traffic is checked first, and so on, and I know that
 I should keep it as simple as possible and not create a huge access-list
 with 100's of lines.
 
 However, it got me wondering. How much does it slow down the incoming
 traffic every time I add a new line to my access-list? This is a very hard
 question to answer though, because if created well, most traffic should be
 filtered out before halfway through the access-list, and I guess it also
 depends on the speed of the processor.
 
 If we look at the 3620, it has an 80 MHz RISC processor, so can someone
 give me a result here?
 
 If we have a full T1 fully loaded with incoming traffic, how much delay
 would there be per line-to-be-checked in an incoming extended ACL?
 
 Thanks for your comments...
 
 Ole
 
 ~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~
  http://www.RouterChief.com
 ~
  Need a Job?
  http://www.OleDrews.com/job
 ~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42233&t=41738



Re: Riddle [7:41491]

2002-04-16 Thread Marc Thach Xuan Ky

The last time I looked, a Cisco router would send an ICMP
administratively unreachable message when an access list blocked a
packet.  What the source host does with that is not up to the router.
Marc

Dimitris Vassilopoulos wrote:
 
 Team,
 
 I was wondering
 Is it possible to make a router respond to an access-list blocking,
 using a custom-made user defined phrase?
 
 For example, if we deny telnet from a host we need to reply to
 him "Access-list blocks incoming telnet..."
 
 ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41579&t=41491
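
An added worked example (editor's addition, not code from either thread and not IOS) that serves both the ICMP-granularity question above and this Riddle reply: a toy matcher for numbered IOS ICMP access-list entries. It shows that the trailing ICMP qualifier is compared with the packet's own ICMP type and code, which is a property of the message and has nothing to do with the source or destination address, and that IOS keywords such as packet-too-big stand for a (type, code) pair. The last function builds the type 3 / code 13 "administratively prohibited" message a router returns to a denied packet's source, as Marc describes. The sample ACL uses the two entries and addresses from Anthony's post; the keyword table is a small subset, and the router address 192.0.2.1 and the packets are constructed.

```python
# Added example, not code from either thread: a toy matcher for numbered
# IOS ICMP access-list entries. The ICMP qualifier is matched against the
# packet's ICMP header only, never against an address, and IOS keywords
# expand to a (type, code) pair. admin_prohibited_for() builds the reply
# a router sends to the source of a packet an ACL denied.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Subset of IOS ICMP keywords -> (type, code); None means any code of that type.
ICMP_KEYWORDS = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),                 # fragmentation needed and DF set
    "administratively-prohibited": (3, 13),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_code: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    icmp_type: Optional[int]     # None: any ICMP type
    icmp_code: Optional[int]     # None: any code


def _parse_addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at t[i]."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) as the mask half of the tuple
    return ip_network((t[i], t[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny icmp SRC DST [keyword | type [code]]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "icmp":
        raise ValueError("only numbered ICMP entries are handled: " + line)
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    rest = t[i:]
    if not rest:
        icmp_type, icmp_code = None, None
    elif rest[0] in ICMP_KEYWORDS:
        icmp_type, icmp_code = ICMP_KEYWORDS[rest[0]]
    else:
        icmp_type = int(rest[0])
        icmp_code = int(rest[1]) if len(rest) > 1 else None
    return Ace(t[2], src, dst, icmp_type, icmp_code)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation; ("deny", None) is the implicit deny at the end."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for idx, ace in enumerate(acl):
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.icmp_type is not None and pkt.icmp_type != ace.icmp_type:
            continue
        if ace.icmp_code is not None and pkt.icmp_code != ace.icmp_code:
            continue
        return ace.action, idx
    return "deny", None


def admin_prohibited_for(pkt: Packet, router_ip: str) -> Packet:
    """ICMP unreachable, code 13, sent by the router to the denied packet's source."""
    return Packet(src=router_ip, dst=pkt.src, icmp_type=3, icmp_code=13)


# The two entries from Anthony's post.
ACL = parse_acl("""
access-list 101 permit icmp any host 207.122.1.5 echo
access-list 101 permit icmp host 207.122.2.3 any echo-reply
""")

if __name__ == "__main__":
    for p in (Packet("10.0.0.1", "207.122.1.5", 8, 0),      # echo in: permit, line 0
              Packet("207.122.2.3", "10.0.0.1", 0, 0),      # reply from 2.3: permit, line 1
              Packet("207.122.1.5", "10.0.0.1", 0, 0),      # reply from 1.5: implicit deny
              Packet("207.122.2.3", "10.0.0.1", 3, 4)):     # packet-too-big: implicit deny
        verdict = evaluate(ACL, p)
        print(p, "->", verdict)
        if verdict[0] == "deny":
            print("   router answers with", admin_prohibited_for(p, "192.0.2.1"))
```

The fourth packet is the case Marc's complaint is about: a keyword such as echo-reply or packet-too-big selects on the ICMP header alone, so an entry written with a host qualifier still lets through exactly the message types named and nothing else, and a type/code the list never mentions falls to the implicit deny.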



Re: A little help in the right direction [7:41500]

2002-04-16 Thread Marc Thach Xuan Ky

Joel,
Start with a management summary which includes a statement that it will
save your business X thousand creds per year, recouping capital and
manpower implementation costs within Y months.  Then write a load of
blurb to prove it.  Job done.  Remember to think business, not
technical, and that at the moment, only you know why it should be done.
rgds
Marc

Joel Panetta wrote:
 
 Can anyone point me in the right direction to implement a pros and cons
 document for a backbone and infrastructure upgrade? We have a Catalyst 5000
 backbone I want to push to 6509 with redundancy but have to put it all on
 paper.
 
  Thanks
 
 Joel Panetta - CCNA, MCP
 Network Engineer - Anda, Inc
 954-217-4797
 [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=41584t=41500



Re: Signature for blocking telnet to SMTP server [7:41565]

2002-04-16 Thread Marc Thach Xuan Ky

Timing was my first reaction, but this whole thing may not be a good
idea anyway.  If you cannot stop the TCP connection establishment, then
blocking further access is pretty futile.  Anyone who can telnet to you
could also put up an SMTP server of their own or script a session.  I
think that refusal of connections on mailservers is generally at the
application layer based on source IP address, by address range and/or
DNS PTR record lookup.  There are lists of dialup IPs and also various
email blacklists,  see http://mail-abuse.org.  It doesn't seem very
scientific or rigorous but if you have a public SMTP server then it's
public.  At least that way your server gets to tear down the TCP
session.
rgds
Marc

Priscilla Oppenheimer wrote:
 
 When people Telnet to an SMTP server, what do they then do? Do they manually
 send the normal SMTP commands? Sorry if that's a dumb question, but I'm
 just trying to figure out the situation.
 
 If they are not Telnetting in order to send ordinary SMTP commands (HELO,
 RSET, RCPT, DATA, etc.), then of course you could recognize them by
 what they aren't doing.
 
 Let's say they are sending ordinary SMTP commands. Would it be possible
 then to recognize this by the timing? Even the fastest typist can't send
 those commands as fast as e-mail software can.
 
 That's my $0.0010. Please do answer, though. I'm trying to learn more
 about this curious thing of Telnetting to ports other than 23.
 
 Priscilla
 
 At 02:51 AM 4/16/02, Cisco Breaker wrote:
 Hi,
 
 Is it possible to block telnet to an SMTP server from port 25 with IDS? I want
 to create a custom signature for this but I don't know how this can be done.
 If I write a signature beginning with hello it will block all mail traffic
 because all of them start with hello as far as I know.  And are there any
 resources that tell how to write a custom signature? We are using CSPM
 2.3.3i.
 
 Any help will be appreciated.
 
 Best regards,
 
 Cisco Breaker
 
 
 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=41668t=41565
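An added Python example, not from the thread: both of the ideas above (Priscilla's timing heuristic and Marc's source-address policy at the application layer) run over a constructed SMTP command log. The log lines, the deny-list network and the two-second threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed log: "timestamp client-ip SMTP-command" per line, not real traffic.
LOG = """\
2002-04-16T02:51:00.000 198.51.100.20 HELO relay.example.net
2002-04-16T02:51:00.050 198.51.100.20 MAIL FROM:<a@example.net>
2002-04-16T02:51:00.090 198.51.100.20 RCPT TO:<b@example.com>
2002-04-16T02:51:00.140 198.51.100.20 DATA
2002-04-16T02:51:00.400 198.51.100.20 QUIT
2002-04-16T03:02:10.000 203.0.113.7 HELO x
2002-04-16T03:02:16.200 203.0.113.7 MAIL FROM:<x@y>
2002-04-16T03:02:24.900 203.0.113.7 RCPT TO:<b@example.com>
2002-04-16T03:02:31.300 203.0.113.7 DATA
2002-04-16T03:10:00.000 192.0.2.33 HELO host.example.org
2002-04-16T03:10:00.030 192.0.2.33 MAIL FROM:<c@example.org>
"""

# Constructed stand-in for a dialup range or blacklist feed.
DENY_NETS = [ipaddress.ip_network("192.0.2.0/24")]
HUMAN_GAP_SECONDS = 2.0  # assumed threshold: mail software sends commands far faster than this


def parse_log(text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group commands by client address, in arrival order."""
    sessions: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cmd = line.split(" ", 2)
        sessions[ip].append((datetime.fromisoformat(ts), cmd))
    return sessions


def timing_class(events: List[Tuple[datetime, str]]) -> str:
    """Median gap between commands: seconds means a person is typing."""
    if len(events) < 2:
        return "unknown"
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return "interactive" if median(gaps) > HUMAN_GAP_SECONDS else "automated"


def source_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENY_NETS)


def decide(ip: str, events: List[Tuple[datetime, str]]) -> Tuple[str, str]:
    """Application-layer policy: refuse listed sources outright, flag typed sessions."""
    kind = timing_class(events)
    if source_blocked(ip):
        return kind, "reject-blocklist"
    if kind == "interactive":
        return kind, "flag-interactive"
    return kind, "accept"


def analyze(text: str) -> Dict[str, Tuple[str, str]]:
    return {ip: decide(ip, events) for ip, events in parse_log(text).items()}


if __name__ == "__main__":
    for ip, (kind, action) in analyze(LOG).items():
        print(f"{ip:15} {kind:12} {action}")
```

Both checks run on the mail server itself, which is the point Marc makes: the TCP session is already up, so the server, not an IDS signature, gets to refuse or tear it down.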



Re: what does 0 in 0Xnnnn mean? [7:40372]

2002-04-04 Thread Marc Thach Xuan Ky

I guess then when you are writing a parser for a compiler then it helps
if all numeric constants start with a numeric.
Marc

Wes Stevens wrote:
 
 We need to find an old IBMer for that answer I think. I know that 0x has
 been used on IBM systems since before Cisco made its first router.
 
 From: Priscilla Oppenheimer
 Reply-To: Priscilla Oppenheimer
 To: [EMAIL PROTECTED]
 Subject: Re: what does 0 in  0X mean? [7:40372]
 Date: Wed, 3 Apr 2002 17:22:17 -0500
 
 I think editors like to throw in leading zeros. For example, you will
 notice that they never let you get away with saying something like .534. It
 has to be 0.534. Supposedly that's easier to read.
 
 I didn't know octal was 0d. I bet they had to do that because of the other
 rule that you have to start with 0. 0o or 0O would be too hard to parse if
 they were to use o or O for octal. ;-)
 
 Priscilla
 
 At 04:40 PM 4/3/02, John Neiberger wrote:
  I think the question is what does the '0' specifically refer to?  We
  know that 0x indicates hex, but I'm guessing he's asking why we don't
  simply use x instead of 0x, or d for octal instead of 0d.
  
  Speaking of that, why is octal 0d?  I'd think that 'd' should mean
  decimal.
  
  John
  
Persio Pucci  4/3/02 2:16:55 PM 
  That indicates that the notation in use is hexadecimal for the registry
  number, i.e. 0x2102 sets the registry bits to 110010
  
  Persio
  
  - Original Message -
  From: Jeffrey Reed
  To:
  Sent: Wednesday, April 03, 2002 5:12 PM
  Subject: what does 0 in 0X mean? [7:40372]
  
  
Here's a good question an intern asked me and I couldn't even make up an
answer.

I was working with him showing how to recover a password and we were
changing the confreg setting. He asked what the leading 0 before the X
represented. I'm not sure; any help from the group is appreciated.

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290
 
 
 Priscilla Oppenheimer
 http://www.priscilla.com
 _
 Chat with friends online, try MSN Messenger: http://messenger.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=40456t=40372
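An added Python example, not from the thread, of the point Marc makes: a small C-style lexer that decides "number or identifier" from the first character alone, so 0x2102 is a hex literal while x2102 would be an identifier, and the leading 0 is what lets the second character select the base. The operator set is an assumption for the example.

```python
from typing import List, Tuple

Token = Tuple[str, object]

HEX_DIGITS = "0123456789abcdefABCDEF"


def tokenize(src: str) -> List[Token]:
    """C-style lexer for identifiers, numeric literals and a few operators.

    The leading digit lets the lexer commit to 'this is a number' after reading
    one character; the second character then picks the base (0x hex, 0 octal).
    """
    tokens: List[Token] = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c.isspace():
            i += 1
        elif c.isdigit():
            if c == "0" and i + 1 < n and src[i + 1] in "xX":
                base, digits, j = 16, HEX_DIGITS, i + 2
            elif c == "0":
                base, digits, j = 8, "01234567", i + 1
            else:
                base, digits, j = 10, "0123456789", i
            k = j
            while k < n and src[k] in digits:
                k += 1
            if base == 16 and k == j:
                raise ValueError(f"hex prefix without digits at offset {i}")
            if k < n and (src[k].isalnum() or src[k] == "_"):
                # e.g. "08" or "12ab": a digit started a number, so letters may not follow
                raise ValueError(f"invalid numeric literal {src[i:k + 1]!r} at offset {i}")
            tokens.append(("number", int(src[j:k], base) if k > j else 0))
            i = k
        elif c.isalpha() or c == "_":
            k = i + 1
            while k < n and (src[k].isalnum() or src[k] == "_"):
                k += 1
            tokens.append(("ident", src[i:k]))
            i = k
        elif c in "=+-*/(),":
            tokens.append(("op", c))
            i += 1
        else:
            raise ValueError(f"unexpected character {c!r} at offset {i}")
    return tokens


if __name__ == "__main__":
    for text in ("confreg 0x2102", "x2102", "017", "0", "42"):
        print(f"{text!r:20} -> {tokenize(text)}")
```

Without the leading zero the lexer would have to read ahead and guess whether "x2102" is a variable or a constant; with it, one character is enough.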



Re: NAT overlapping example....Does not work? [7:38838]

2002-03-27 Thread Marc Thach Xuan Ky

I just tried this and it worked OK, but it needed a default route to the
outside.  I also tried it making the inside network routed rather than
connected, and it still worked.  I think that IOS 11.2 and earlier won't
work.  You have to set up a translation from one direction before you
have a pool address that you can ping from the other direction, because
both ways are dynamically mapped.
rgds
Marc

Cisco Nuts wrote:
 
 Hello,
 Does anyone know of any links or examples for NAT overlapping? I tried to
 use the one in the CCNP Remote Access Support Book exactly as it was shown
 but it looks like the author might have missed something, as it's not
 working... Basically pings don't work.
 Thank you.
 
 _
 MSN Photos is the easiest way to share and print your photos:
 http://photos.msn.com/support/worldwide.aspx




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39591t=38838



Re: NAT Order of Operation [7:38021]

2002-03-27 Thread Marc Thach Xuan Ky

I have to eat my words in public!  I just had a go (IOS 12.0) at the
overlapping NAT example from the Cisco BCRAN book, and after minor mods,
the config worked like magic.  The outbound packets were indeed routed
before the destination address was known, incredible.
Marc

Marc Thach Xuan Ky wrote:
 
 John,
 I have never had great faith in that page.  Taken literally, since
 outside to inside packets are NAT'd before routing, it means that if you
 have more than one outside interface, then a packet bound from one to
 another will get translated twice.  If there was not an existing
 suitable mapping then that would then imply that the inbound packet
 would be dropped.  Now I haven't tried this, so I don't know whether it
 happens or not, but if it were the case, I'm sure somebody would have
 complained by now.  If it doesn't happen then the page does not
 correctly describe the operation.
 The flip side of that situation is that with a twice-NAT configuration a
 packet bound inside-outside is routed before the router knows the actual
 (translated) destination address.  How can that be?
 I haven't done that much with NAT since 11.2, but I have seen twice-NAT
 configurations where a ping has gone through and been replied to OK but
 when a debug was running, five translations occurred instead of four, I
 can't remember what the extra one was.  I have also seen a case where an
 inbound access list was inspected both before and after translation.
 Now I understand that the NAT code has been rewritten since then but my
 early experience with Cisco NAT has left me somewhat sceptical.
 Marc
 
 John Neiberger wrote:
 
  Someone just posted something on the CCIE list and while researching the
  answer I found this page:
 
  http://www.cisco.com/warp/public/556/5.html
 
  After looking at that page, it appears to me that it's safe to say that
  if you're in an environment that uses both NAT and Policy-Based Routing,
  the IP addresses you use in the policy maps are _always_ local
  addresses, either inside local or outside local.  Is that correct?  It
  seems that it would never be the case where you'd use an outside local
  or outside global address within a route map.
 
  Is that a true statement?
 
  Thanks,
  John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39588t=38021



Re: Cisco's pps claims [7:38956]

2002-03-21 Thread Marc Thach Xuan Ky

I don't really know what the overhead of that specific stuff is, but
it's all part of a packet coming up the stack to the routing layer, and
it has to be done per packet, so packet size is irrelevant to that. 
Using traditional routing techniques such as process or fast switching,
the packet will be decapsulated to IP regardless of the underlying
layers.  I imagine that most of the framing work is done in hardware.
Marc

John Green wrote:
 
 the routing decision consumes the bulk of the CPU
 bandwidth, shovelling the rest of the packet through
 is low-overhead.
 
 Say a router connects between Ethernet and Frame
 Relay or between two dissimilar Layer 2 networks. Then
 the router would be stripping off one network's Layer 2
 frame and replacing it with the Layer 2 frame of the
 other network where the packet is to be sent. Would
 you call this low-overhead as well?
 I guess your example would be if the router were to
 connect between the same Layer 2 networks, i.e. say both
 networks are Ethernet. Right? Just want to make
 sure...
 
 --- Marc Thach Xuan Ky
 wrote:
  Sam,
  I think the question is: what is your average packet size?  Using
  process or fast switching I should think that the packet size is almost
  irrelevant to the router.  I have benchmarked many PCs and NICs running
  certain routing software.  On a PCI bus PC the pps difference between 64
  and 1518 octet frames was in the order of ten to twenty percent, i.e.
  the routing decision consumes the bulk of the CPU bandwidth, shovelling
  the rest of the packet through is low-overhead.
  Marc
 
  sam sneed wrote:
  
   I noticed Cisco uses pps when they give their specs for routers, firewalls,
   etc. What is the assumed packet size when they come up with these specs? I'm
   planning on using 2 2621's in HSRP mode (getting default routes via BGP) and
   need to be able to support a constant 10 Mb/sec and would like to know if these
   routers will do the trick.
   thanks
 [EMAIL PROTECTED]
 
 __
 Do You Yahoo!?
 Yahoo! Movies - coverage of the 74th Academy Awards.
 http://movies.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39017t=38956



Re: nat pool problem [7:38872]

2002-03-20 Thread Marc Thach Xuan Ky

Have you got a route to the pool?
Marc

george wrote:
 
 I'm having problems statically translating a server to the outside world, but
 looking at my config, is there something I'm missing?
 
 
 ostname Router
 !
 logging buffered 8192 debugging
 enable secret 5 $1$D7U1$YMuIAg0B3iJtwD0vt0ZWn0
 !
 username Router password 7 097C4F1A0A1218000F
 !
 !
 !
 !
 !
 dial-peer voice 1 pots
  call-waiting
  ring 0
  port 1
  destination-pattern 6688594
 !
 dial-peer voice 2 pots
  call-waiting
  ring 0
  port 2
  destination-pattern 6688549
 !
 pots country US
 !
 ip subnet-zero
 no ip source-route
 !
 isdn switch-type basic-ni
 !
 !
 !
 interface Ethernet0
  ip address 192.168.9.102 255.255.255.0
  ip access-group 121 in
  no ip proxy-arp
  ip nat inside
 !
 interface BRI0
  no ip address
  encapsulation ppp
  dialer pool-member 1
  isdn switch-type basic-ni
  isdn spid1 95666885940101 6688594
  isdn spid2 95666885490101 6688549
  isdn incoming-voice modem
  ppp authentication chap pap callin
  ppp multilink
 !
 interface Dialer1
  description ISP
  ip address 66.85.189.9 255.255.255.248
  ip access-group 121 in
  no ip proxy-arp
  ip nat outside
  encapsulation ppp
  no ip split-horizon
  dialer remote-name Cisco1
  dialer pool 1
  dialer idle-timeout 2147483
  dialer string 9840559 class DialClass
  dialer hold-queue 10
  dialer load-threshold 1 either
  dialer-group 1
  pulse-time 0
  ppp authentication chap pap callin
  ppp chap hostname loopcold
  ppp chap password 7 04560807032D4940
  ppp pap sent-username loopcold password 7 09414D081509121C
  ppp multilink
 !
 ip nat pool ISPNATPool 66.85.189.11 66.85.189.14 netmask 255.255.255.248
 ip nat inside source list 18 pool ISPNATPool overload
 ip nat inside source static 192.168.9.101 66.85.189.10
 no ip http server
 ip classless
 ip route 0.0.0.0 0.0.0.0 Dialer1
 !
 !
 map-class dialer DialClass
  dialer isdn speed 56
 access-list 18 permit 66.85.189.8 0.0.0.7
 access-list 121 deny   udp any eq netbios-dgm any
 access-list 121 deny   udp any eq netbios-ns any
 access-list 121 deny   udp any eq netbios-ss any
 access-list 121 deny   tcp any eq 137 any
 access-list 121 deny   tcp any eq 138 any
 access-list 121 deny   tcp any eq 139 any
 access-list 121 permit ip any any time-range TIME
 dialer-list 1 protocol ip permit
 !
 line con 0
  exec-timeout 120 0
  transport input none
  stopbits 1
 line vty 0 4
  exec-timeout 0 0
  password 7 082F435A0809041E1C
  login
 
 [GroupStudy.com removed an attachment of type image/gif]
 
 [GroupStudy.com removed an attachment of type Image/jpeg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38913t=38872



Re: clock rate [7:38908]

2002-03-20 Thread Marc Thach Xuan Ky

1. Because it's 64000 bps, built by humans, not computer memory.
3. huh? Note that if you earn 50k you will get 5 (less tax)
Marc

Ellis Lam wrote:
 
 Two Qs,
 
 1. in FR, when we specify the clock rate for 64k, we use clock rate 64000, why
 not 64 x 1024 = 65536 ? and for 1.544 mbps, we use 148000, why not 1.544 x
 1024 x 1024 ?
 
 2. in OSPF, when configuring a loopback interface with address 128.10.10.10/24,
 in another router we can see the route to 128.10.10.10/32 ?? but if we
 configure an ethernet interface, it is 128.10.10.10/24, any reason ?? or simply
 the behaviour in OSPF ?
 
 Thanks
 
 Ellis




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38915t=38908



Re: NAT questions-will overlap occur? [7:38764]

2002-03-20 Thread Marc Thach Xuan Ky

Hi Tong,
I said that you have the same network on both sides of the NAT router
because the pool is a network, and in this case it is an inside pool so
exists on the inside.

Sorry about this, but I had another look at your mail and the second
type of NAT is not twice-NAT like I said, but overloaded NAT which is
sometimes called NAPT or PAT (Network Address Port Translation is the
RFC-compliant term).  One important difference is the NAPT will not
easily allow inbound connections.
I've now seen the example referred to by Cisco Nuts in another post.  I
can't see how that can work at all.  My policy with any single-stack NAT
device is to avoid an overlap.

Q1. ans. If I understand you correctly, the question is about routing
within the outside network to the NAT router.  I don't know.  Maybe the
router is doing proxy arp for pool addresses when there's an overlap?  I
take it that the configuration is currently working, is that right?

Q2. ans. Again, this is about routing within the outside network, which
may not be in your control, therefore the exchange is dictating the
terms here.

Q3. ans. I don't know whether you can use the same IP address for the
pool and the interface with IOS.  Why not try it?

This overlap thing is beginning to puzzle me and I thought I knew a lot
about NAT, I can't see how it works, but you seem to be saying that it is
working for you.  I need to switch my routers on and have a further
look.
rgds
Marc



Sim, CT (Chee Tong) wrote:
 
 Hi Marc and dear all,
 
 You cannot have the same network on both sides
 of the NAT router.
 
 Why did you say that I have the same network on both sides of the NAT router? I have
 50.100.165.X and 192.168.3.X on the two sides of the NAT router.
 


  interface Ethernet0
   description Interface facing Financial Service Provider
   ip address 192.168.3.1 255.255.255.0
   ip nat outside
 
  interface Ethernet1
   description Interface facing Rabobank (Trusted) network
   ip address 50.100.165.240 255.255.255.0
   ip nat inside
 
  ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
  ip nat inside source list 1 pool XXY


 
 I am not the one who configured this NAT router previously.
 
 Q1) What I don't understand is when we establish the connection from
 50.100.165.50 (for eg) to 192.168.3.50 (for eg).  The source IP will change
 to 192.168.3.111 (for eg) after it passes thru the NAT router and reaches the
 destination 192.168.3.50.  When it replies back the source IP is
 192.168.3.50 and the destination IP is 192.168.3.111.  How does the packet
 know it has to go to Ethernet0 of the NAT router, as the IP of the NAT router's
 Ethernet0 is 192.168.3.1 not 192.168.3.111?
 
 Q2)
 Normally I would want to use a NAT pool that was not present on either
 side of the router.
 
 Yes, I saw this on my book as follows
 
 
 Ip nat pool ovrld-nat 172.16.2.2 172.16.2.2 netmask 255.255.255.0
 Ip nat inside source list 1 pool ovrld-nat overload
 !
 interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
 !
 interface serial0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
 !
 access-list 1 permit 10.1.1.0 0.0.0.255
 
 
 OK, I understand this, whenever the packets from the 10.1.1.X network go out,
 the source IP will all become 172.16.2.2, but when the packet gets a reply, the
 destination will become 172.16.2.2. How the hell does the packet know it should
 go to serial0/0, as its IP is 192.168.3.1 not 172.16.2.2?  Unless there is
 a route added in the target host. But how can we expect to add the route entry
 in all the hosts?
 
 Q3) I did NAT with a Checkpoint firewall for my internet access, my firewall
 has two IPs 50.100.100.1 (internal) and 200.100.100.64 (external).  I
 configured it in such a way that all the outgoing packets' source IP become
 200.100.100.64 after passing thru the firewall and it works, as I think the
 replying packet's destination will be the firewall's external IP.
 
 Can we configure the same thing with my cisco router as shown below?
 
 
 Ip nat pool ovrld-nat 192.168.3.1 192.168.3.1 netmask 255.255.255.0
 Ip nat inside source list 1 pool ovrld-nat overload
 !
 interface Ethernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip nat inside
 !
 interface serial0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat outside
 !
 access-list 1 permit 10.1.1.0 0.0.0.255
 
 
 Will it work?
 
 -Original Message-
 From: Marc Thach Xuan Ky [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, March 19, 2002 8:49 PM
 To: Sim, CT (Chee Tong)
 Cc: [EMAIL PROTECTED]
 Subject: Re: NAT questions-will overlap occur? [7:38764]
 
 Hi Tong,
 The second method you use is twice-NAT, both source and destination
 addresses are converted.  This does not work well on Cisco routers
 unless all NAT entries are defined statically.  This is sometimes a good
 policy anyway where there are only a small number of known connections,
 which is often the case when connecting to exchange feeds for instance.
 
 You have an address clash.  Note that a NAT router has only one IP stack
 and one

Re: NAT questions-will overlap occur? [7:38764]

2002-03-20 Thread Marc Thach Xuan Ky

Hi Tong,
I've reread the BCRAN book.  The example given of NAT overlap is when
the two real network spaces overlap, not when a pool overlaps with the
real space.  I still don't see how this can work.
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38932t=38764



Re: Cisco's pps claims [7:38956]

2002-03-20 Thread Marc Thach Xuan Ky

Sam,
I think the question is: what is your average packet size?  Using
process or fast switching I should think that the packet size is almost
irrelevant to the router.  I have benchmarked many PCs and NICs running
certain routing software.  On a PCI bus PC the pps difference between 64
and 1518 octet frames was in the order of ten to twenty percent, i.e.
the routing decision consumes the bulk of the CPU bandwidth, shovelling
the rest of the packet through is low-overhead.
Marc

sam sneed wrote:
 
 I noticed Cisco uses pps when they give their specs for routers, firewalls,
 etc. What is the assumed packet size when they come up with these specs? I'm
 planning on using 2 2621's in HSRP mode (getting default routes via BGP) and
 need to be able to support a constant 10 Mb/sec and would like to know if these
 routers will do the trick.
 thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38983t=38956



Re: NAT questions-will overlap occur? [7:38764]

2002-03-19 Thread Marc Thach Xuan Ky

Hi Tong,
The second method you use is twice-NAT, both source and destination
addresses are converted.  This does not work well on Cisco routers
unless all NAT entries are defined statically.  This is sometimes a good
policy anyway where there are only a small number of known connections,
which is often the case when connecting to exchange feeds for instance.

You have an address clash.  Note that a NAT router has only one IP stack
and one routing table.  You cannot have the same network on both sides
of the NAT router.  In your case it might be possible to use a /25 mask
and use .129-.254 for the pool, however, I would not recommend this
without further information from you.

Normally I would want to use a NAT pool that was not present on either
side of the router.  Is there a reason that you are using that pool
anyway?  Is this dictated by the provider, or are they happy to route to
a network that you specify?
You need to know how many servers will be contacted within the financial
services provider, and how many clients on your network, also which way
is the connection made?  Is it a persistent connection?  Is there any
name resolution across the router?

rgds
Marc TXK


Sim, CT (Chee Tong) wrote:
 
 I found my previous administrator configured the following NAT for my
router
 (shown below). Our network is in 50.100.X.X and we need to contact a
 workstation in 192.168.3.X network (192.168.3.1-192.168.3.100). That's why
 he defined the source pool to be from 192.168.3.101 192.168.3.240
 


 interface Ethernet0
  description Interface facing Financial Service Provider
  ip address 192.168.3.1 255.255.255.0
  ip nat outside
 
 interface Ethernet1
  description Interface facing Rabobank (Trusted) network
  ip address 50.100.165.240 255.255.255.0
  ip nat inside
 
 ip nat pool XXY 192.168.3.101 192.168.3.240 netmask 255.255.255.0
 ip nat inside source list 1 pool XXY
 
 ##
 
 Q1) But, when I show IP nat trans, I saw the following. I understand the
 first two, but not line 3.  192.168.3.118 should be the source address
 of the returning packet; what is 192.168.3.119 ?
 
 RBFW2514#sh ip nat trans
 Inside global      Inside local     Outside local    Outside global
 --- 192.168.3.117  50.100.165.81    ---              ---
 --- 192.168.3.118  50.100.165.210   ---              ---
 --- 192.168.3.119  192.168.3.118


 
 Q2)I understand there is another kind of NAT which work like the following.
 Inside global     Inside local    Outside local    Outside global
 192.168.2.2:1234  10.0.0.1:1234   172.21.3.1:23
 192.168.2.2:      10.0.0.2:       172.21.3.2:23
 192.168.2.2:      10.0.0.3:       172.21.3.4:23
 
 What is the difference between these methods?  I think both NATs can work.  Why
 don't we use this one?
 
 Q3) But in this method, I found a problem: what if 10.0.0.1 and 10.0.0.2 use
 the same port?  There will be 2x 192.168.2.2: in the inside global.
 Will 192.168.2.2: have a problem identifying which to NAT back to,
 10.0.0.1 or 10.0.0.2?
 
 Thanks a lot
 Tong
 
 ==
 The information contained in this message may be confidential and
 is intended exclusively for the addressee. If you receive this message
 in error you are requested not to use the contents and to inform
 the sender directly by returning the message.
 ==
 The information contained in this message may be confidential
 and is intended to be exclusively for the addressee. Should you
 receive this message unintentionally, please do not use the contents
 herein and notify the sender immediately by return e-mail.
 
 ==




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38771t=38764
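An added Python example, not from the thread, of the overloaded (NAPT/PAT) translation Marc describes in his later reply and that Tong's Q2 and Q3 ask about: one global address shared by port, with the collision case of two inside hosts using the same source port, and the unsolicited-inbound case that NAPT drops. The addresses are Tong's example values; the port-allocation rule (keep the host's own port when it is free) and the full-tuple check on inbound packets are assumptions for the example, not a description of IOS internals.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """One global address shared by many inside hosts, distinguished by port."""

    def __init__(self, global_ip: str, port_lo: int = 1024, port_hi: int = 65535):
        self.global_ip = global_ip
        self.port_lo, self.port_hi = port_lo, port_hi
        # (proto, inside local, local port, outside, outside port) -> global port
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, global port) -> (inside local, local port, outside, outside port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def _allocate(self, proto: str, preferred: int) -> int:
        # Keep the inside host's own port when it is free; otherwise pick another.
        if (proto, preferred) not in self.inbound:
            return preferred
        for port in range(self.port_lo, self.port_hi + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("global port pool exhausted")

    def translate_outbound(self, p: Packet) -> Packet:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        gport = self.outbound.get(key)
        if gport is None:
            gport = self._allocate(p.proto, p.sport)
            self.outbound[key] = gport
            self.inbound[(p.proto, gport)] = (p.src, p.sport, p.dst, p.dport)
        return Packet(p.proto, self.global_ip, gport, p.dst, p.dport)

    def translate_inbound(self, p: Packet) -> Optional[Packet]:
        """None means no translation exists and the packet is dropped, which is
        why an unsolicited inbound connection does not get through NAPT."""
        if p.dst != self.global_ip:
            return None
        entry = self.inbound.get((p.proto, p.dport))
        if entry is None:
            return None
        inside_local, lport, outside, oport = entry
        if (p.src, p.sport) != (outside, oport):
            return None  # right port, wrong peer: not the flow that created the entry
        return Packet(p.proto, p.src, p.sport, inside_local, lport)

    def table(self) -> List[Tuple[str, str, str, str]]:
        """Rows in the column order of 'show ip nat translations'."""
        rows = []
        for (proto, src, sport, dst, dport), gport in self.outbound.items():
            rows.append((f"{proto} {self.global_ip}:{gport}", f"{src}:{sport}",
                         f"{dst}:{dport}", f"{dst}:{dport}"))
        return rows


if __name__ == "__main__":
    nat = Napt("192.168.2.2")
    nat.translate_outbound(Packet("tcp", "10.0.0.1", 1234, "172.21.3.1", 23))
    nat.translate_outbound(Packet("tcp", "10.0.0.2", 1234, "172.21.3.2", 23))
    for row in nat.table():
        print("  ".join(row))
```

The second host's port 1234 is already taken on the global side, so it is given another port; that unique global port, not the inside address, is what the reply carries back, which answers Q3. The reply is also matched against the outside peer recorded for that port, so a packet arriving at an allocated port from some other host is dropped too.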



Re: NAT with printer [7:38781]

2002-03-19 Thread Marc Thach Xuan Ky

Have you disallowed the printer address with an acl for the pool?
Marc

Zolla Zimmerman wrote:
 
 Hi All,
 
 I really have a problem. I have enabled NAT on the router. I am able to
 reach all PCs but the printer. Here is the scenario:
 
 192.168.1.0192.168.3.0
  | |
  | |
   --Router1-Router2--
|
|
192.168.3.252
 (Printer)
 
 1. We have enabled NAT on router2 to translate 192.168.3.0 0.0.0.250 to a
 pool 192.168.8.0
 2. Enabled static NAT for printer to 192.168.8.252
 
 Please help
 
 Zolla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38800t=38781



Re: HELP !! CCIE 2B or NOT? [7:36542]

2002-03-14 Thread Marc Thach Xuan Ky

I was under the impression that some Asian countries used the
numerically consistent notation y/m/d :-)  This of course demonstrates
that the world is a big place with many different outlooks.  We should
be able to accommodate them all and Tim is therefore free to put whatever
sig he likes at the bottom of his mails.
rgds
Marc

Tom Lisa wrote:
 
 Everywhere except U.S. civilian usage.  U.S. Military uses day/mo/yr
 format.  At least
 it did when I was a member 20 years ago.
 
 Prof. Tom Lisa, CCAI
 Community College of Southern Nevada
 Cisco ATC/Regional Networking Academy
 
 [EMAIL PROTECTED] wrote:
 
  european-format?  I thought it was everywhere except the US format!
  ;-)
 
  JMcL
  - Forwarded by Jenny Mcleod/NSO/CSDA on 28/02/2002 01:47 pm -
 
  Steven A. Ridder
  Sent by: [EMAIL PROTECTED]
  28/02/2002 12:26 pm
  Please respond to Steven A. Ridder
 
 
  To: [EMAIL PROTECTED]
  cc:
  Subject:Re: HELP !! CCIE 2B or NOT? [7:36542]
 
  Australia uses european-format time as well?
 
  --
 
  RFC 1149 Compliant.
 
   wrote in message
   news:[EMAIL PROTECTED]...
   However if you do this I suggest you use a less ambiguous date format -
  my
   first reaction is oh, so you did the lab in January - but did you
  pass??
  
   JMcL
   - Forwarded by Jenny Mcleod/NSO/CSDA on 28/02/2002 10:57 am -
  
  
   Jeff Buehler
   Sent by: [EMAIL PROTECTED]
   28/02/2002 09:29 am
   Please respond to Jeff Buehler
  
  
   To: [EMAIL PROTECTED]
   cc:
   Subject:Re: HELP !! CCIE 2B or NOT? [7:36542]
  
  
   Perhaps it would be more appropriate to put your lab date instead of
the
   CCIE Written if you want to demonstrate where you are in your
   pursuit...for example.
  
   CCIE R/S LAB 6-1-2002 RTP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38244t=36542



Re: NAT concepts [7:37815]

2002-03-11 Thread Marc Thach Xuan Ky

As far as I can tell this is another one of those Cisco quirks.  Unless
Cisco plan for the future a mechanism whereby the route to the NAT pool
is dynamically advertised, then the subnet mask has no *real* function. 
IMO while routes to the pool are statically defined and then redist, it
remains a mere annoyance.
rgds
Marc

saleem bilal wrote:
 
 Dear Paul:
 
 according to my perception: when we have a pool of addresses hired from a
 certain operator/InterNIC we configure it to be used statically or through
 NAT. We may not need to use all the IP addresses for NAT alone but some of them
 can be used for static translation. That's why we describe the start IP address
 and end IP address. The NAT function should know the subnet mask because when a
 packet from a private address comes in it is translated through NAT with the
 subnet mask attached. The subnet mask in this case will help the routing of the
 packet when it comes back to the originating system through different
 routers. Plus in all IP address scenarios we need to mention the IP address with
 mask as routers do the AND operation to extract the original IP address. It would
 not have been possible for any router in the path to extract the original network
 without having the subnet mask.
 
 I hope you understand what I am saying.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37844t=37815



2500 flash memory SIMMs don't work [7:37586]

2002-03-07 Thread Marc Thach Xuan Ky

A couple of months ago I bought some (non-approved) 8M flash for c2500
for $76 per SIMM (ouch).  I couldn't write to them.  I have now upgraded
to bootrom version 11.0(10c)XB2.  I still can't write to them.  The
SIMMs are marked SMART SM73228XV1CAVS0.  Does anybody know whether these
modules should work?  The vendor is a bit unresponsive.
rgds
Marc




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37586t=37586



Re: Reverse Telnet SW for PC? [7:37246]

2002-03-05 Thread Marc Thach Xuan Ky

Have you tried Linux?
Marc

Johan Hjalmarsson wrote:
 
 Does anybody know if there's any software out there to turn a PC into a
 Cisco 2509?
 What I need is the ability to telnet to the PC and get the telnet traffic
 redirected out a COM port, just like reverse telnet in the Cisco.
 One solution is of course to get a 2509, but for the moment my budget won't
 let me :-( and I've already got a PC with 8 COM ports.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37248t=37246



Re: Bit / bytes [7:36562]

2002-02-27 Thread Marc Thach Xuan Ky

Bytes are not part of the OSI model until at least the presentation
layer (I can't remember whether there is an ASN1 byte datatype).  Comms
engineers talk about octets but note that by the time we get down to
layer 2 we start to encounter techniques such as bit-stuffing, so a
frame may not even have a multiple of eight bits in it.  So from this we
must assume that there is no conversion from bits to bytes or
vice-versa.
rgds
Marc

Pierre-Alex Guanel wrote:
 
 This is clear. Thank you!
 
 Pierre-Alex
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Priscilla Oppenheimer
 Sent: Tuesday, February 26, 2002 8:27 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Bit / bytes [7:36562]
 
 Layer 1 just understands bits. Hardware, in general, understands voltage
 and no voltage (one or zero). I guess it could understand high voltage and
 low voltage. In fact, there are even ternary systems that understand high,
 kinda high, and low.
 
 Back in the early days, software engineers got kind of sick of having to
 deal with long streams of numbers and decided to aggregate them. An 8-bit
 byte worked out for many systems. (There used to be systems that used a
 12-bit byte).
 
 So anything that is implemented in software (or software that has become
 firmware) uses bytes or perhaps nibbles or words. Most NICs that handle
 data-link-layer processes have some software (driver) or firmware (chip
 set). Thus, I would say that they deal with bytes or nibbles or words or
 floating integers or arrays or link lists or symbol tables or at least
 something of a higher order than voltage being present or not.
 
 Priscilla
 
 At 07:12 PM 2/26/02, you wrote:
 Is conversion of bits into bytes and vice versa a function of Layer 1 or
 Layer 2?
 
 I have seen contradictory info.
 
 (I would say it is a layer 2 function because Layer 1 is only physical
 matters like voltage etc... but some one may have a logic to prove me
 wrong)
 
 
 thanks,
 
 Pierre-Alex
 
 
 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36750t=36562
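The bit-stuffing point Marc makes above is easy to see in code. The following is an added example, not code from the thread: an HDLC-style stuffer/unstuffer in which the transmitter inserts a 0 after every five consecutive 1s so the 01111110 flag cannot appear inside a frame. The stuffed body is generally not a multiple of eight bits, which is exactly why "bytes" stop being a meaningful unit at layer 2. The flag value and the sample payloads are the only assumptions.

```python
# Added example, not from the original thread: HDLC-style bit stuffing, the
# layer-2 technique Marc refers to. After five consecutive 1 bits the sender
# inserts a 0 so the flag pattern 01111110 can never occur inside a frame;
# the receiver removes it again. The stuffed body is in general NOT a
# multiple of eight bits, which is why "bytes" stop being meaningful here.
FLAG = "01111110"  # HDLC frame delimiter


def bytes_to_bits(data: bytes) -> str:
    """Render octets as a '0'/'1' string, most significant bit first."""
    return "".join(f"{b:08b}" for b in data)


def bits_to_bytes(bits: str) -> bytes:
    """Inverse of bytes_to_bits; only valid once the stream is octet-aligned."""
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of octets")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def stuff(bits: str) -> str:
    """Transmitter: insert a 0 after every run of five 1s."""
    out, run = [], 0
    for bit in bits:
        out.append(bit)
        run = run + 1 if bit == "1" else 0
        if run == 5:
            out.append("0")
            run = 0
    return "".join(out)


def unstuff(bits: str) -> str:
    """Receiver: drop the 0 that follows every run of five 1s."""
    out, run, expect_zero = [], 0, False
    for bit in bits:
        if expect_zero:
            if bit != "0":
                # Six 1s in a row inside a frame is a flag or an abort sequence.
                raise ValueError("invalid stuffed stream")
            expect_zero = False
            run = 0
            continue
        out.append(bit)
        run = run + 1 if bit == "1" else 0
        if run == 5:
            expect_zero = True
    return "".join(out)


def frame(payload: bytes) -> str:
    """On-the-wire bit sequence: FLAG, stuffed payload, FLAG."""
    return FLAG + stuff(bytes_to_bits(payload)) + FLAG


def deframe(wire: str) -> bytes:
    """Strip the flags, unstuff, and reassemble octets."""
    if not (wire.startswith(FLAG) and wire.endswith(FLAG)):
        raise ValueError("missing frame delimiters")
    return bits_to_bytes(unstuff(wire[len(FLAG):-len(FLAG)]))


def stuffed_length(payload: bytes) -> int:
    """Number of bits between the flags after stuffing."""
    return len(stuff(bytes_to_bits(payload)))
```

Two octets of 0xFF become 19 bits on the wire, and a payload containing the flag octet 0x7E itself survives the round trip because the stuffing guarantees no six consecutive 1s between the delimiters.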



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Any decent ISP will refuse DNS recursion from any IP address that is not
within its own address space.  This is fundamental to DNS security.
You need to rewrite the destination IP address.  Note that Cisco's NAT
is not suitable for this because of the DNS ALG.  The easiest thing to
do may be to provide an on-site caching DNS using the old ISP's DNS
addresses.  If you've got a lot of workstations and a decent bandwidth
to the Internet, you will probably find that running your own DNS cache
will be more satisfactory anyway.
rgds
Marc TXK


Godswill HO wrote:
 
 You can still use your former ISP's DNS records while using the new ISP's
 bandwidth. It does not matter who owns the DNS server. Everybody has access
 to it once they are on the Internet, except when they are specifically
 filtered.
 
 The only drawback is that your new ISP has to forward the packet in a
 round trip to the old ISP's network through the Internet before they are
 resolved and sent back to your machine; had you been using the DNS of
 your new ISP, these requests would stop there. Do not lose your sleep,
 because at the worst these delays are in milliseconds and not easily
 noticeable by the eye; moreover each machine has a cache so it does not
 forward every request. Great if you have a Cache Engine to complement the
 machine's cache.
 
 Whatever, you are cool and everything will be fine, switch to your new ISP
 and enjoy.
 
 Regards.
 Oletu
 - Original Message -
 From: Michael Hair
 To:
 Sent: Sunday, February 17, 2002 8:07 PM
 Subject: DNS Request Redirection [7:35703]
 
  I was wondering what is the best way to take care of the following:
 
  I have been using a private address space behind a Cisco 4500 router
  connected up to our current ISP using NAT. Now we want to move our
  connection from our current ISP to a new ISP with better bandwidth. My
  problem is that we don't want to change all our client machines' TCP/IP
  settings, which are all static; for some reason or another they were all
  set up to use our ISP's DNS. Not my idea, but that's another problem. So how
  can I set up our router to forward requests looking for our current ISP's DNS
  to our new ISP's DNS without touching all the client machines?
 
  Would the best way be to use policy-based routing?
 
  Would a static route work?
 
  Could I use a static route under NAT?
 
  If someone could provide me a sample of how you could do this I would be
  grateful...
 
  Thanks
  Michael
 _
 Do You Yahoo!?
 Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35743t=35703



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Recursion is precisely what he was concerned about.  As you have
alluded, there are two roles for a DNS server: caching (which requires
recursion), and authoritative.  An ISP does not need to publish the
addresses of an authoritative nameserver; those addresses are stored in
the distributed database and are therefore found naturally.  The only
reason for publishing an ISP's DNS server addresses to their customers is
for use as caching servers (often confusingly called resolvers).
Whereas using another ISP's DNS cache servers may be technically possible
right now because of lax practices, I wouldn't want all my users to be
cut off by events beyond my control, e.g. when said lax ISP engages a
half-decent DNS consultant.  Within DNS circles the practice is frowned
upon, and it might be held that it is actually criminal in several
jurisdictions.  My own belief is that running your own caching DNS
server is almost always the best solution, but then I am biased since
DNS is my specialism :-)
rgds
Marc TXK

Priscilla Oppenheimer wrote:
 
 At 12:28 PM 2/18/02, Marc Thach Xuan Ky wrote:
 Any decent ISP will refuse DNS recursion from any IP address that is not
 within its own address space.
 
 He wasn't asking about recursion. He was asking about the initial query
 from the end host. Although I could believe you that a service provider
 should make sure these queries only come from customers, my experience is
 that service providers don't do this. I can set my PC to use a variety of
 DNS servers around the Internet and it works.
 
 I think it's because it's tricky to do, especially for small ISPs. Some
 ISPs might have only one DNS server. The same server that provides DNS
 services to Internet-access customers may also be the authority for various
 names managed by the ISP. The ISP may be doing Web hosting and be the
 authority for a bunch of names. In that case, it can't filter out DNS
 queries coming from the Internet.
 
 For example, say your PC asks your local DNS server to resolve
 www.priscilla.com. Your server can't do it. It asks its upstream server,
 probably one of the root servers. The root server figures out that
 petiteisp.com owns www.priscilla.com and tells your server the IP address
 of the authoritative name server at petiteisp.com. Your server queries
 petiteisp.com which gives your server the IP address for www.priscilla.com.
 Your server finally responds to your PC.
 
 Notice that the query to petiteisp.com came from some unexpected IP address
 that can't be anticipated in a filter. If petiteisp.com had a filter to
 allow queries only from its customers, the query from your server would
 have failed.
 
 Did that make sense? ;-) How do bigger ISPs handle this? I suppose bigger
 ISPs have more than one DNS server, one for Internet-access customers, and
 one that is the authority for names owned by the ISP.
 
 Priscilla
 
   This is fundamental to DNS security.
 You need to rewrite the destination IP address.  Note that Cisco's NAT
 is not suitable for this because of the DNS ALG.  The easiest thing to
 do may be to provide an on-site caching DNS using the old ISP's DNS
 addresses.  If you've got a lot of workstations and a decent bandwidth
 to the Internet, you will probably find that running your own DNS cache
 will be more satisfactory anyway.
 rgds
 Marc TXK
 
 
 Godswill HO wrote:
  
   You can still use your former ISP's DNS records while using the new ISP's
   bandwidth. It does not matter who owns the DNS server. Everybody has access
   to it once they are on the Internet, except when they are specifically
   filtered.
  
   The only drawback is that your new ISP has to forward the packet in a
   round trip to the old ISP's network through the Internet before they are
   resolved and sent back to your machine; had you been using the DNS of
   your new ISP, these requests would stop there. Do not lose your sleep,
   because at the worst these delays are in milliseconds and not easily
   noticeable by the eye; moreover each machine has a cache so it does not
   forward every request. Great if you have a Cache Engine to complement the
   machine's cache.
  
   Whatever, you are kool and everything will be fine, switch to your new
 ISP
   and enjoy.
  
   Regards.
   Oletu
   - Original Message -
   From: Michael Hair
   To:
   Sent: Sunday, February 17, 2002 8:07 PM
   Subject: DNS Request Redirection [7:35703]
  
    I was wondering what is the best way to take care of the following:
   
    I have been using a private address space behind a Cisco 4500 router
    connected up to our current ISP using NAT. Now we want to move our
    connection from our current ISP to a new ISP with better bandwidth. My
    problem is that we don't want to change all our client machines' TCP/IP
    settings, which are all static; for some reason or another they were all
    set up to use our ISP's DNS. Not my idea, but that's another problem. So how
    can I set up our router to forward
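Marc's two posts above argue that a caching server should refuse recursion from outside the ISP's address space, and Priscilla's reply asks how a small ISP whose single server is also authoritative can do that without breaking lookups from arbitrary resolvers. The following is an added example, not code from the thread or from any DNS implementation: a model of a server that answers its own authoritative zones for anyone (no recursion involved) but recurses only for sources inside an allow-list, returning REFUSED with RA clear to everyone else. The prefixes, zone, names and addresses are constructed for the illustration, and the "recursive" lookup is a table stand-in so it runs offline.

```python
# Added example, not from the original thread. It models the policy Marc
# describes: recursion is offered only to sources inside the ISP's own
# address space, while data the server is authoritative for is served to
# anyone, without recursion. That is how one server can hold both roles
# (Priscilla's "small ISP" case) without becoming an open resolver.
# All prefixes, names and addresses below are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed ISP customer prefixes; anything else is "the Internet".
ALLOW_RECURSION = [ipaddress.ip_network(p)
                   for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Zones this server is authoritative for (constructed data).
AUTH_ZONES = {
    "priscilla.com.": {"www.priscilla.com.": "203.0.113.80"},
}

# Stand-in for what a real recursive lookup would return (needs no network).
RECURSIVE_ANSWERS = {"www.example.net.": "192.0.2.10"}


@dataclass
class Reply:
    rcode: str               # "NOERROR", "NXDOMAIN" or "REFUSED"
    ra: bool                 # Recursion Available flag for this client
    answer: Optional[str] = None


def authoritative_zone(qname: str) -> Optional[str]:
    """Closest enclosing zone we are authoritative for, if any."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in AUTH_ZONES:
            return candidate
    return None


def resolve(client_ip: str, qname: str) -> Reply:
    """Answer a query as a server that is both authoritative and (for its
    own customers only) recursive."""
    src = ipaddress.ip_address(client_ip)
    may_recurse = any(src in net for net in ALLOW_RECURSION)
    zone = authoritative_zone(qname)
    if zone is not None:
        # Authoritative data: answered for everyone, no recursion needed,
        # so the root/TLD referral chain Priscilla describes keeps working.
        rr = AUTH_ZONES[zone].get(qname)
        return Reply("NOERROR" if rr else "NXDOMAIN", may_recurse, rr)
    if not may_recurse:
        # Outside our address space and not our data: refuse, do not recurse.
        return Reply("REFUSED", False)
    rr = RECURSIVE_ANSWERS.get(qname)
    return Reply("NOERROR" if rr else "NXDOMAIN", True, rr)
```

A query for www.priscilla.com. from an arbitrary Internet resolver is answered (RA clear), a query for an unrelated name from the same source is REFUSED, and the same unrelated name asked from a customer prefix is resolved. The split is by query name and source, not by which server the query reaches, which is what lets one box serve both roles.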

Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Marc Thach Xuan Ky

Tim,
If you wish to provide authoritative DNS service from behind a NAT
router, then with a Cisco the NAT code contains various ALGs
(application level gateway I think) including one for DNS.  This ALG
translates A records, MX and PTR records where it can.  IIRC if it can't
then the response is not passed at all (which many people believe is a
major issue).  So if the DNS server is behind the same NAT boundary as
the servers, all well and good, just use the private addresses in the
DNS and they'll be translated.  However if the DNS server is not behind
the same NAT boundary as the servers, then you're stuffed.  In DNS
circles, the purists don't like all this because this technique is
probably not possible to maintain for more complex DNS record types, and
I believe it only does UDP, so I guess that it isn't best practice.
rgds
Marc TXK


Tim Booth wrote:
 
 Out of curiosity, what is the best practice for someone who has a
 DNS server on their private network with a private IP address? How would
 one go about doing this with a router? Is it impossible? Is the best
 practice/only possible way to have the DNS server have a public IP
 address (in a DMZ)?
 
 Kind Regards,
 Tim Booth
 MCDBA, CCNP, CCDP, CCIE written
 -
 Those who would give up essential liberty to purchase a little temporary
 safety deserve neither liberty nor safety.
 Benjamin Franklin, 1759
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Monday, February 18, 2002 13:16
 To: [EMAIL PROTECTED]
 Subject: Re: DNS Request Redirection [7:35703]
 
 hhmmm.
 
 As I understand the original question, each workstation in the network
 in question is hard-coded for DNS.
 
 So, if for example, my machine is hard-coded for DNS server
 207.126.96.162 (my ISP DNS server) and I change ISPs, and make no changes
 to my workstation, then any DNS request will have a destination address of
 207.126.96.162.
 
 The question, as I understand, is how to change that destination address
 without making workstation visits.
 
 Policy routing can change next hop, but not destination address. NAT
 outbound changes source address, not destination address.
 
 Unless there is a packet interceptor that takes all DNS requests, and
 physically changes the destination address, the user has few options.
 
 Again, IF the former ISP does not restrict DNS requests to its own
 address space, i.e. accepts DNS requests from anywhere, then there is no
 problem, and no changes need be made.
 
 However IF (and this would be good practice for a lot of reasons) the
 former ISP does indeed restrict DNS requests to source addresses within
 its own space, then there will have to be additional changes on the user
 network.
 
 This whole discussion illustrates why people SHOULD follow best practice
 from the get-go. If they want to hard-code IPs, then I believe DHCP can
 be configured so that it provides only DNS info and default gateway info,
 for example. The people who have insisted that their network hard-code
 everything are now learning the hard lesson.
 
 Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35807t=35703
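Marc's reply to Tim describes the NAT DNS ALG rewriting A records in replies from a server behind the NAT boundary, and not passing a reply it cannot translate. The following is an added example, not code from the thread and not Cisco's implementation: a small DNS wire-format walker (name compression included) that rewrites the rdata of every A record whose address lies inside an assumed "inside" prefix using an assumed static translation table, and drops the reply if an inside address has no entry. It also builds its own sample reply so it runs offline; the inside prefix, NAT table and query name are constructed, and only A records are handled (PTR and MX, which Marc also mentions, would need name rewriting and are left out).

```python
# Added example, not from the original thread or from Cisco: a model of the
# DNS ALG behaviour Marc describes, restricted to A records. Every A record
# whose rdata is an "inside" address is rewritten to its outside address;
# if an inside address has no translation the whole reply is dropped rather
# than leaked. The NAT table, inside prefix and DNS names are constructed.
import ipaddress
import struct
from typing import List, Optional

INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed
NAT_TABLE = {"10.0.0.25": "203.0.113.25",                    # assumed static
             "10.0.0.26": "203.0.113.26"}                    # translations


def encode_name(name: str) -> bytes:
    """DNS wire-format name (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname: str, addrs: List[str]) -> bytes:
    """Minimal DNS reply: one question, one A record per address, answer
    names compressed as a pointer to the question name at offset 12."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.ip_address(a).packed for a in addrs)
    return hdr + question + answers


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer, 2 bytes
            return off + 2
        off += 1 + length


def a_rdata_offsets(msg: bytes) -> List[int]:
    """Offsets of the 4-byte rdata of every A record in the RR sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, found = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            found.append(off)
        off += rdlen
    return found


def answer_addresses(msg: bytes) -> List[str]:
    """Dotted-quad view of every A record, for inspection."""
    return [str(ipaddress.ip_address(msg[o:o + 4])) for o in a_rdata_offsets(msg)]


def translate_response(msg: bytes) -> Optional[bytes]:
    """Inside->outside rewrite of A rdata; None means 'drop the packet'."""
    out = bytearray(msg)
    for off in a_rdata_offsets(msg):
        addr = ipaddress.ip_address(msg[off:off + 4])
        if any(addr in net for net in INSIDE_NETS):
            outside = NAT_TABLE.get(str(addr))
            if outside is None:
                return None                      # untranslatable: do not pass
            out[off:off + 4] = ipaddress.ip_address(outside).packed
    return bytes(out)
```

Because A rdata is a fixed four bytes, the rewrite never changes the message length or any compression offsets; that is what makes the A-record case easy and the name-carrying record types Marc mentions the hard part. Addresses outside the inside prefix pass through untouched, and a reply carrying an inside address with no translation is dropped, which is the behaviour he recalls causing complaints.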