RE: IOS for Home Lab [7:62830]

2003-02-11 Thread Mark W. Odette II
... it's been posted before that 12.1(5)T is supposed to be running on
the Routers in the CCIE Lab.  I have not attended the LAB, so I can't
say for sure.  I think it may even be listed on the Cisco Website for
the CCIE Track.

My advice- if you can afford it (and memory is really cheap), I would
max out the RAM and FLASH on all of your routers.  You might spend a
total of 300.00 USD on this, but it will be worth it.

-Original Message-
From: Azhar Teza [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 11, 2003 4:29 PM
To: [EMAIL PROTECTED]
Subject: IOS for Home Lab [7:62830]

I purchased some Cisco 4500/3810/2600 routers to set up a home lab. They
all have old IOS, with only 4MB of flash on the 4500s; the 3810s and 2600s
have 8MB of flash. I'd like to upgrade to at least version 12. Can you
guys recommend which IOS will be best for the real CCIE Lab? By the way, do
any of you know which IOS version is used in the real CCIE Labs? Regards, Teza

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62850&t=62830
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Easy VPN [7:62962]

2003-02-13 Thread Mark W. Odette II
Haven't done it myself, but I think you have to use the RADIUS function
and the RADIUS server would be Win2K IAS feature for Radius.

I'm sure someone else can give you a more definitive answer.

-Mark

-Original Message-
From: giri g [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 13, 2003 9:25 AM
To: [EMAIL PROTECTED]
Subject: Easy VPN [7:62962]

I have set up Easy VPN on an 827 router (CPE). I am able to configure
extended authentication as local, but I want to configure NT domain
authentication. Can anyone suggest how this setup can be achieved?

Thanks
Giri




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62965&t=62962



RE: Site-to-Site and Remote Access VPN on PIX? [7:63100]

2003-02-15 Thread Mark W. Odette II
Look into Dynamic map configuration. It's an extension of the Crypto
Map, as you can only apply one crypto map to the interface (outside).

See CCO website for more details (search Google for "dynmap" and PIX,
and you should find several examples).  On CCO's site, do a search on
Technical Tips on PIX

HTH's
-Mark

-Original Message-
From: Kim Seng [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, February 15, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: Site-to-Site and Remote Access VPN on PIX? [7:63100]

Greetings,

Can I configure the PIX to do both site-to-site and
Remote access VPN at the same time?

I think it is impossible since I can only apply only
one crypto map to the outside interface.

Can someone confirm?

Kim.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63102&t=63100



RE: modem compression techniques [7:63253]

2003-02-18 Thread Mark W. Odette II
Very well put Mohamed! Kudos to you for not lowering yourself to his
level in reply.

Unfortunately, I don't have the answer to your S-Register question...
sure wish I did.  I haven't tried it myself, but maybe you can do a
search on S Register or S21 and Modem Compression with Cisco (Via
Google).  That might yield an answer.

Regards,
Mark

-Original Message-
From: Mohamed Elkomy [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 18, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: Re: modem compression techniques [7:63253]

Dear wise man,

First of all, I think there's a more polite way we can discuss such
issues with each other.

Second, none of those S-register parameters is related to modem
compression:

S27 --> enable/disable V.25 calling tone
S28 --> guard tone
S30 --> max connect rate
S43 --> V.34 carrier frequency

The parameter related to compression is:

S21 --> specify permitted methods of data compression.

But I need to know the value of S21 to enable compression (S21=??).

   Regards,
   Mohamed


"Chivertison Micheal" wrote in message news:[EMAIL PROTECTED]...
> are u stupid man?
> it is very very easy
> modemcap entry elkomy s27=12s28=12s30=13&&s43=67
> interface group-async 0
> ip unnumbered fastethernet x/x
> encapsulation ppp
> group-range x/x y/y
> compress stac
> ip tcp header-compression




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63276&t=63253



RE: ADSL and PIX puzzle [7:63458]

2003-02-20 Thread Mark W. Odette II
A Couple of pointers from my humble experience (granted this is also
provided from a very tired engineer that needs to go to bed :) ):

Put 200.10.10.36/30 on the Dialer Interface.  ... I think you need to be
using the VPDN Group commands to get the DSL working.  There are a
couple of ways to connect to the ISP DSLAM, i.e., Dialer Interface with
VPDN, or BVI interfaces (which is what I would expect with the scenario
you describe utilizing the ADSL interface rather than a Service Provider
DSL Modem and a PPPoE compliant Eth0 interface).

If you go with BVI interface config, then put the 200.10.10.36/30 on the
BVI interface.

Put 200.10.15.184/29 on the Ethernet0 of the DSL Router...

Put 200.10.15.185/29 on the PIX Outside Interface...

Do NAT on the PIX ONLY.

Static NAT for the Web Server with another one of those IPs in the block
you have been issued, or PAT to the Webserver with Port Redirection.

Default Route to the DSL Router on the PIX, Default Route to the
Upstream provider on the DSL Router.

Seems like a pretty straight forward config for both devices.

HTH's.

Mark
-Original Message-
From: dlci_16 [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: ADSL and PIX puzzle [7:63458]

Hello networkers,

I am trying to "conjure up" a working config for an ADSL link with
static IPs for an 827 series router. These public IPs are supposed to
point to, say, a webserver that sits behind a PIX firewall (which is
directly connected to the 827 router's ethernet interface). The problem is
that when I try to come up with a working config, I find myself getting
into trouble. (The catch is, I need the webserver behind that PIX.)
Now this gets me using NAT twice to get a public IP from the internet
through the router, past the PIX and into my webserver. I know it doesn't
sound right and obviously does not work either ;)
Any help/clue/criticisms are most welcome ;)
Ok,
What it looks like so far:


 [internet] --> [router 827 series] --> [pix 506E] --> [lan/webserver]


IP addresses:
For internet access I have 200.10.10.136 mask 255.255.255.0
Public IPs: 200.10.15.184 255.255.255.248 (for example)
Public IP for my webserver is 200.10.15.189


Router 827:
--

!
int eth0
  ip address 192.168.0.200 255.255.255.0
  ip nat inside
!
int atm0
  no ip address
  dsl operating-mode auto
!
int atm0.1 point-to-point
  no ip address
  pvc 0/35
    pppoe-client dial-pool-number 1
!
int dialer1
  ip address 200.10.10.136 255.255.255.0
  ip nat outside
  dialer pool 1
!
ip nat inside source list 1 interface dialer1 overload
ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80 extendable
access-list 1 permit 192.168.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 dialer1
!


PIX 506E:
-

!
nameif eth0 outside security0
nameif eth1 inside security 100
!
ip address outside 192.168.0.201 255.255.255.0
ip address inside 192.168.1.21 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.200 1
!
global (outside) 1 192.168.0.202-192.168.0.248
nat (inside) 1 192.168.0.0 255.255.255.0
!
name 192.168.1.30 webserver
!
static (inside,outside) 200.10.15.189 webserver
!
access-list acl_out permit tcp any host 200.10.15.189 eq 80
!
access-group acl_out in interface outside
!


Maybe I am going about this the wrong way; maybe there is still hope just
by tweaking my static NAT translation at the router.
If you have reached this far, thank you for your time and effort.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63480&t=63458



RE: Frame-Relay issue [7:63446]

2003-02-20 Thread Mark W. Odette II
>> in show ip interface it shows as protocol down, physical link up.
>> sh frame-relay pvc shows as inactive. no lmi are exchanged.

Usually "Protocol Down, Link Up" indicates that you have mismatched
encapsulation, LMI-Type, or even incorrect IP Addressing (wrong Subnet
or incorrect Subnet Mask) between your end and the other end of the FR
Network.

If no LMI is exchanged, then the LMI-Type is incorrect between that
Serial Interface and the Service Provider Frame Switch.

If this is a Frame Relay LAB setup, double-check your Frame Relay
"Switch" configuration.

If this is a Production Setup, contact your ISP and verify your Frame
Relay configuration parameters. (LMI-Type, DLCI, etc.)


On the No Shut command, I'd use it last on each interface you configure.

-Mark

-Original Message-
From: Monu Sekhon [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 20, 2003 7:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Frame-Relay issue [7:63446]

Hi Larry/John,
I forgot to mention no shut in the above config while writing here.
It's still there and the connection does not come up.
See, I mentioned that when giving the commands one by one manually the
connection comes up.
It seems to me that while the interface is down, the frame-relay LMIs
think that the interface is down and make the link down.
I am rather confused. I don't know why, but this is happening.

again writing config:
--
interface Serial0 
shut (if i give here no shut then link comes up at one go) 
encapsulation frame-relay 
frame-relay lmi-type cisco 
no shut
exit 
interface Serial0/0.1 point-to-point 
no shutdown 
ip address 1.1.1.1 255.255.255.0 
frame-relay interface-dlci 108 
exit 


And also, John, try these in your router; but at one go the interface will
not come up as far as I know. I agree with your configuration and mine is
also correct. It's said by Priscilla and others that shutting an interface
is good practice while configuring encap types. This I read in one of the
previous posts.
So can you all reply what is the problem here?
In show ip interface it shows as protocol down, physical link up.
sh frame-relay pvc shows as inactive. No lmi are exchanged.
Any help will be appreciated.


-
Larry Letterman wrote:
> 
> enter the no shut command into your cut and paste script for
> the Int Ser0 and it will
> come up..all interfaces in a router are always defaulted to
> shutdown..In your case the
> Main interface needs to be no shut in order for the logical
> interface to work...
> 
> --
> 
> Larry Letterman
> Network Engineer
> Cisco Systems
> 
> 
> "Monu Sekhon" wrote in message news:[EMAIL PROTECTED]...
> > Hi All
> > Hey I am facing a strange problem in frame-relay
> >
> > My config
> > --
> > my initial config
> > int serial 0
> > (nothing confgured initially)
> >
> > Then I cut paste this config and my link does not come up
> means Interface
> > does not come up.
> >
> > interface Serial0
> > shut (if i give here no shut then link comes up at one go)
> > encapsulation frame-relay
> > frame-relay lmi-type cisco
> > exit
> > interface Serial0/0.1 point-to-point
> > no shutdown
> > ip address 1.1.1.1 255.255.255.0
> > frame-relay interface-dlci 108
> > exit
> >
> > I have to do shut and no shut on main interface why ?
> >
> > if the above commands i execute one by one then the link
> comes up.
> >
> > Is it a differnece between pasting the config at one go or
> what when i give
> > command single by single.
> > I enable debugging for frame-relay packets and it shows
> encap faiiled once
> > only  on the above sub interface.is anything frame-relay
> lmis has anything
> > to do.
> > I am very confused.
> > Thanx in advance
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63482&t=63446



RE: ADSL and PIX puzzle [7:63498]

2003-02-21 Thread Mark W. Odette II
Strictly speaking, I didn't do the math and verify (since you specified
"for example") the IP net block against your example subnet mask.  You
specified .248 as your mask before, now you're indicating it as a /24
mask.  Whichever it is, the point was this:

If the ISP has assigned you a two-host subnet for the ADSL connection to
them (Just like a Point-to-Point T1), and they've also assigned you a
block of 8 addresses (1 used for Net boundary, 1 used for Broadcast, 1
used for the Router, 5 used for what ever you feel like), then you would
follow the suggestions for addressing that I laid out.

If you were assigned full Class C addresses for either the DSL
Connection OR the "Client" Public block (which represents hosts like
your WebServer via NAT), then simply put the /24 mask on each interface.
For the ADSL connection itself though, that would be a gross waste of
addresses.

Also, if you were given TWO Class C blocks, then you could simply put
one IP from the first block on your Dialer Interface, one IP from the
same block on the Ethernet0 Interface, and one IP from the same block on
the Outside Interface of the PIX.  You'd then put 1 IP address from the
second block on the Inside interface, and DHCP/STATIC Assign the rest of
that block to any host on the Inside network (alternatively, if you had
a PIX that had the DMZ NIC, you could put the second block on that, but
the address assignment still applies in practice).  This would work for
the application of your web server hosting a max of 253 Unique
.com/.net/.org/.whatever websites- each with its own unique public
address (you can assign a whole class C to a single NIC).  This would,
of course be a waste of addresses if your web server is only hosting a
couple of websites and you don't even have a LAN that uses all 254
addresses of that second public block.


Doing Double-Nat is only really necessary (from my limited experience)
for situations where you are trying to connect two LANs together that
were previously numbered with the same net block/mask, i.e., LAN A and
LAN B are on the 172.16.30.x/24 network.  You have to introduce an
additional router/firewall into the mix on ONE of the ends to make the
connection work (whether it be GRE Tunneling from LAN to LAN, VPN Tunnel
from LAN to LAN, etc.).

I'm quite sure others will expand on or correct me where I'm not hitting
the mark :)

-Mark

-Original Message-
From: dlci dlci [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 21, 2003 4:25 AM
To: [EMAIL PROTECTED]
Subject: RE: ADSL and PIX puzzle [7:63498]

I would like to thank everyone who helped out with my PIX horror picture
show.
This has aroused some possibilities where previously I couldn't, let's say,
"see the trees from the forest" (or is it the other way around ;)
However, this has also brought up some questions about all your
suggestions.

..the story so far:
Network number: 200.10.10.136/30
So I use 200.10.10.138 255.255.255.0 since the provider uses the other
available IP

Public IPs: 200.10.15.184/29
webserver is 200.10.15.189

Ok, following Mark's tip I would put 200.10.10.138 255.255.255.0 on the
Dialer int.
Mark then suggests "Put 200.10.15.184/29 on the Ethernet0 of the DSL
Router..."
and "Put 200.10.15.185/29 on the PIX Outside Interface..."

Umm, the IP on eth0 is my network number for the public IP space, so
shouldn't eth0 on the router be 200.10.15.185/24? If so, wouldn't I be
wasting 1 IP to get to the PIX?

Albert Lu suggests using ip unnumbered eth0 on the Dialer int.
Ok, then if I use 200.10.10.138/24 on eth0 on the router (ISP uses the
other available IP), what other IP could I use on the PIX eth0 (the
interface directly connected to the router's eth0)?

Why wouldn't I want to use NAT on both router and PIX, and go with Kent
Hundley's suggestion?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63518&t=63498
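An added example (my own code, not from the thread) that does the subnet arithmetic Mark says he skipped above, using the 200.10.10.136/30 and 200.10.15.184/29 prefixes quoted in this thread; the interface-to-address layouts and the function names are assumptions for illustration:

```python
"""Addressing-plan check for the ADSL router + PIX layout in the thread above.

Added example, not code from the original posts. It does the arithmetic Mark
says he skipped: the link is a /30 (two usable hosts) and the public block is
a /29 (six usable hosts). The two prefixes come from the thread; which
interface gets which address is an assumed layout for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Prefixes quoted in the thread.
BLOCKS = {
    "link": "200.10.10.136/30",    # ADSL point-to-point block, ISP holds one host
    "public": "200.10.15.184/29",  # block the web server's static NAT lives in
}

# Layout as discussed: the posted /24 mask on the link address, and the
# literal suggestion of 200.10.15.184 (the block's network address) on eth0.
POSTED_PLAN: Dict[str, Tuple[str, str]] = {
    "router_dialer1": ("200.10.10.138/24", "link"),
    "router_eth0": ("200.10.15.184/29", "public"),
    "pix_outside": ("200.10.15.185/29", "public"),
    "webserver_static": ("200.10.15.189/29", "public"),  # NAT address, not an interface
}

# Assumed corrected layout: mask matches the ISP block, eth0 on a host address.
CORRECTED_PLAN: Dict[str, Tuple[str, str]] = {
    "router_dialer1": ("200.10.10.138/30", "link"),
    "router_eth0": ("200.10.15.185/29", "public"),
    "pix_outside": ("200.10.15.186/29", "public"),
    "webserver_static": ("200.10.15.189/29", "public"),
}


def usable_hosts(block: str) -> List[str]:
    """Assignable host addresses of a block (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(block, strict=True).hosts()]


def check_interface(addr_with_mask: str, assigned_block: str) -> List[str]:
    """Return the problems with configuring addr_with_mask inside assigned_block.

    Flags the two things the thread circles around: a configured mask that
    does not match the block the ISP assigned (a /30 typed as /24), and an
    address on the block's network or broadcast boundary, which no host can use.
    An empty list means the address is usable as configured.
    """
    iface = ipaddress.ip_interface(addr_with_mask)
    block = ipaddress.ip_network(assigned_block, strict=True)
    problems: List[str] = []
    if iface.ip not in block:
        return [f"{iface.ip} is outside assigned block {block}"]
    if iface.network.prefixlen != block.prefixlen:
        problems.append(
            f"mask /{iface.network.prefixlen} configured but ISP assigned /{block.prefixlen}"
        )
    if iface.ip == block.network_address:
        problems.append(f"{iface.ip} is the network address of {block}")
    if iface.ip == block.broadcast_address:
        problems.append(f"{iface.ip} is the broadcast address of {block}")
    return problems


def check_plan(plan: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Check every entry of a plan and also flag an address used twice."""
    report: Dict[str, List[str]] = {}
    owner: Dict[str, str] = {}
    for name, (addr, block_name) in plan.items():
        problems = check_interface(addr, BLOCKS[block_name])
        ip = str(ipaddress.ip_interface(addr).ip)
        if ip in owner:
            problems.append(f"{ip} is already used by {owner[ip]}")
        owner.setdefault(ip, name)
        report[name] = problems
    return report


def main() -> None:
    for label, plan in (("posted", POSTED_PLAN), ("corrected", CORRECTED_PLAN)):
        print(f"== {label} plan ==")
        for name, problems in check_plan(plan).items():
            print(f"{name:18s} {'ok' if not problems else '; '.join(problems)}")


if __name__ == "__main__":
    main()
```

The static NAT entry is checked only against the public block because a translated address is never bound to an interface, so it just has to be a usable host inside the block the ISP routes to the DSL router.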


RE: GRE tunneling in multicast [7:63655]

2003-02-24 Thread Mark W. Odette II
... don't have much experience with GRE tunnels, but if they operate
anything like VPN tunnels, then I would expect the GRE Tunnel needs to
be terminated between R1 and R5.  The dependency for this is that R1 and
R5 can successfully communicate with each other for the GRE Protocol
(i.e., there are no ACLs along the way that are filtering out GRE
Protocol).

HTH's
Mark

-Original Message-
From: Masaru Umetsu [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 24, 2003 4:17 PM
To: [EMAIL PROTECTED]
Subject: GRE tunneling in multicast [7:63655]

Because I use multicast, I'm considering using GRE tunneling.
The equipment is all Cisco. The network diagram is like below.


Multicast Server--R1--passport--LL--passport--R2--LAN--R3--FR--R4--LL--R5--Client
GRE tunneling

LL: leased line
Passport: Nortel Passport

Do I need to configure GRE tunneling only between R1 and R2?
Or should I configure GRE tunneling between R2 and R5?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63679&t=63655


RE: Problems with ADSLWICs? [7:63761]

2003-02-25 Thread Mark W. Odette II
I haven't had any issues with IOS; my issues have been with the cards
themselves.  In one case, after replacing the WIC-1ADSL 2 times, I was
finally able to get a good WIC-1ADSL card that didn't have some kind of
hardware issue.  TAC said they didn't have any cases of bad cards, but
the reseller I bought the cards from indicated that there were a few
batches of these WICs that went onto the "street" defective.

This experience was over 9 months ago, so who knows, they may have taken
care of the problem.

Just my .02 on this topic.

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 25, 2003 12:19 PM
To: [EMAIL PROTECTED]
Subject: Problems with ADSLWICs? [7:63761]

I know that when the WIC-1ADSL cards first came out they had some
problems playing well with others, but that was many months ago and I'm
considering these again.  I have a few of them lying around but we never
implemented them.

Anyone here running a recent release of 12.2T with these cards?  If so,
any problems?

Thanks,
John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63780&t=63761


RE: Voice degradation problem in Cisco VoIP network [7:63823]

2003-02-25 Thread Mark W. Odette II
A couple of things to check/answer that should point you in the
direction of the corrective actions.

1. Is Data and Voice over IP traffic going over this FR link?
2. If 1 is yes, then, has it always been this way?
3. If 2 is no, then, what has changed in terms of traffic across the
link?  You might need to look into implementing LLQ traffic shaping to
manage/protect the time-sensitive Voice traffic.
4. If 2 is yes, then 
   A) check to see if your configuration on the routers has changed in
regards to the traffic queuing mechanism you have in place
   B) check your Serial Interface stats to see if there are CRC errors
or other types of circuit problems, or check the Frame Relay stats for
FECN/BECN issues, etc.



HTH's
Mark

-Original Message-
From: K A [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 25, 2003 10:05 PM
To: [EMAIL PROTECTED]
Subject: Voice degradation problem in Cisco VoIP network [7:63823]

Hi,

I am getting a voice degradation problem b/w our two sites. Both of these
2 sites are connected using Frame Relay with a very good bandwidth. Routers
on both sides are 2600 Series with VoIP cards. Calls from one PBX are
forwarded to my 2600 router and then it will transmit the VoIP packets to
the next 2600 Series which will get them to the destination.

The problem is the voice quality, which is really terrible. Can you
please kindly let me know what are the factors that I should work on now?

I am new to Cisco IP Telephony. So please let me know the basic points
or factors on which I should base my research now. I will do my hard work
to resolve it if you guys can give me the basic points to work on.

I will really appreciate your co-operation.

Thanks a lot in advance.

K Ali




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63833&t=63823


RE: Help making a frame relay switch [7:64224]

2003-03-02 Thread Mark W. Odette II
If I recall correctly, Asynch ports run at 115Kbps line rate (referred
to as 'low-speed serial ports').

The idea behind using such a piece of hardware in the 2600/3600 routers
is to make that specific router the "Terminal Server" to console into
all the other routers.

You could also connect back-to-back asynchs, I suppose, but I've never
done it myself.



-Original Message-
From: hepppy [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 02, 2003 10:11 PM
To: [EMAIL PROTECTED]
Subject: Help making a frame relay switch [7:64224]

Hi all,

Sorry for being naive. I am interested in creating a lab with some 10 x
26xx routers. I need to create a frame relay switch. I am not sure what to
use. I have seen a lab a couple of months back which had 8 DB60 serial
cables connected to the 26xx router. Now I don't have one of those with
me, hence I was searching on the net to purchase one. And I found a
description of 8 port Asynch/Synch and 2 port serial. The question is: is
an Asynch port the same as a serial port? Can I connect DB60 back-to-back
cables to Asynch ports?

Any other suggestions or help to make this frame relay switch will be
appreciated.

Thanks to all...

regds
hepppy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64234&t=64224


RE: PATCH PANEL stuff [7:64503]

2003-03-05 Thread Mark W. Odette II
Sam- You're in for some fun.

If you try to move the patch panel, the only defining factor is the
length of the cables going to the panel.  You obviously can only move in
the direction in which the cables are coming from.  If you have some of
the cables coming from the bottom of the rack and the rest coming from
the top, you're going to have to pull the bottom cables or the top
cables, move the panel, and then re-punch the cables that were pulled.
While moving the panel, any cables still attached should be zip-strapped
very securely to the panel all the way to the outside edge, i.e.,
immobilizing the cables.  If you don't, you might as well remove and
re-punch them all.  Think of the issue as like that of the Telco
engineer in the CO or panel box down in the hole... if he isn't
extremely careful (which they usually aren't), he's going to break a few
line pairs' connections ever so slightly while working on another pair
(which of course then causes your phone line or T1 to be down until he
returns to fix what he broke without realizing it).  Same premise for
the Ethernet cables.

Your best bet is to simply pull them all, and re-punch them.  It's time
consuming, but it does the job right the first time.  This still means
you need to move the panel in the direction of the cable (unless you
have a serious amount of excess cable for all of the cable runs coiled
up in the ceiling or the raised floor).

As far as how long it takes to punch them down- 10 to 30 seconds.
Labeling them as you pull them off the patch panel depends on if you are
using a P-touch labeler or hand-writing on some kind of tape.

As always, Your mileage may vary.

-Mark 

-Original Message-
From: Sam [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2003 12:20 PM
To: [EMAIL PROTECTED]
Subject: PATCH PANEL stuff [7:64503]

Hey Guys,
In my wiring closet, I have about 3 racks and about 10 patch panels (the
racks have capacity for at least 30 PPs).

I need to move a patch panel out and to the rack next to the one it
currently is on. What is the best way to do this? Do I have to follow
this kind of procedure:

- remove all the cables connected to the back of this patch panel and
  then label the cables
- move the patch panel to the other rack
- looking at the labels, again punch down these cables to their
  appropriate locations.

Would this be the normal way of doing it? Or can I simply unscrew the
patch panel from the rack and then somehow move it with the cables still
connected to the other rack? This way, the cables won't be sorted as well
as they would be normally, but it should be ok I think..

My other question is how long does it take on average to punch down a
single cable (4 pairs) onto the back of the patch panel? I've never done
it, though I think after I buy the tools I would be able to figure it out.
Please give me an approximation. For e.g., making a straight cable takes
about 4-6 minutes.

Thx
Sam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64519&t=64503


RE: Multiple WAN Connections to a Network [7:64469]

2003-03-05 Thread Mark W. Odette II
Can you even obtain an AS for BGP without a full Class C block of your
own??

I am inexperienced with BGP, but I would think that from my brief
readings of Howard's and others' postings in the last couple of years on
BGP, that you would have to have the ISPs do some sort of co-operative
setup for BGP routing the /27 block(s) you've been assigned.  I could be
totally wrong though.

This will be an interesting thread :)

-Mark

-Original Message-
From: Terry Oldham [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2003 11:23 AM
To: [EMAIL PROTECTED]
Subject: Re: Multiple WAN Connections to a Network [7:64469]

That is correct

It is not a large setup (6-10 servers with some MACs on the other side
that will have multiple IPs). I have actually started to look at BGP but I
am quite unfamiliar with it.

We were going to use short TTLs for the DNS and hope that the time out
would quickly redirect, but it looks like that is probably not a good
idea.

Do you think we should go the BGP route?

Thanks
"Troy Leliard" wrote in message
news:[EMAIL PROTECTED]
> If I follow, you have two wan connections providing access to your
> server farm. Some of the servers on this farm will have 2 public IP
> addresses, one from each of your providers?
>
> Presumably you aren't of a large enough size to warrant applying for
> your own AS, and using BGP, which is the preferred solution (as you
> will see why below).
>
> The next question is how do you envisage doing load balancing / fault
> tolerance.  Presumably you will have two dns entries for your server,
> eg www.mywebserver.com has two A records, one pointing to the Sprint
> IP, and one pointing to the Qwest IP.  If either of your wan links go
> down, dns is not intelligent enough to stop routing to the "down" ip
> address and you will still have 50% traffic being dropped due to the
> round robin nature of DNS.
>
> Terry Oldham wrote:
> >
> > Hello,
> >
> > Our goal is to setup the two WAN connections for both fault
> > tolerance and
> > load balancing via the router.
> >
> > We want some of the server machines to have direct access to
> > the internet
> > and then the rest will go through our proxy server. The
> > computers that we
> > want to connect directly will be issued an IP address from the
> > block of IP
> > that we were given, in fact they will be given 2 ip addresses,
> > one from
> > Qwest and one from Sprint.
> >
> > I too am a lowly CCNA just looking for answers...
> >
> > Thanks
> >
> > "Steven Aiello" wrote in message
> > news:[EMAIL PROTECTED]
> > > Terry,
> > >
> > >    I'm not totally sure what you are doing with your setup.
> > > Are you web hosting and you have the 2 connections up for fault
> > > tolerance?  or some other reason.  Unless I am mistaken, if you are
> > > running between two AS's on the net you need to use BGP.  ( Please
> > > all correct me if I'm wrong, I'm still a lowly CCNA ) But I know
> > > that when we had our Qwest line installed they asked us if we had
> > > another service provider for this reason.  Also if you are a stub
> > > network why not use default routes?  Like I said it's hard to say
> > > for sure without knowing what you're doing.
> > >    That's just what occurred to me.  Hope it helps.
> > >
> > > Again please to all in the group correct me if I am mistaken, I'm
> > > more than happy to be corrected if it means I have a greater
> > > understanding of the subject.
> > >
> > > Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64521&t=64469


RE: ISDN switch (beyond simulator) [7:64628]

2003-03-06 Thread Mark W. Odette II
I don't know much on them, but perhaps the Adtran Atlas line of products
might be able to help.  I know they can do voice and data PRI's, along
with ISDN, but beyond that, I am without experience. :(  

Just thought I'd throw that out as an option.

-Mark

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 06, 2003 11:45 AM
To: [EMAIL PROTECTED]
Subject: ISDN switch (beyond simulator) [7:64628]

We've all dealt with ISDN simulators, that look like a CO to a single 
or small set of interfaces. I'm dealing with a situation where I need 
to interconnect several simulated training sites (i.e., physically in 
the same room) and telephony servers through a PSTN simulation.

In other words, I need a small CO switch, with the ability at least 
to interconnect several trunks (probably both T1 E&M and ISDN PRI), 
with a static calling plan among tens of telephones. The switch would 
emulate several end offices, plus the PSTN interoffice connectivity 
between them. For the latter, however, I don't need to have physical 
interoffice trunks as long as I can simulate their effect in a 
dialing plan.

The switch should also be able to simulate dedicated data links between
sites.

In the real world, this is no problem to do with off-the-shelf 
equipment that would support thousands of lines. Within the Cisco 
product line, I suspect I get close with an MGX or the like, but 
probably fall short in circuit-switch call supervision and routing.

Thoughts? I'm going to review my Nortel Passport documents to see if 
it has the loop supervision capabilities available; I vaguely 
remember a version that might.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64633&t=64628


RE: New Voice CCIE [7:64620]

2003-03-06 Thread Mark W. Odette II
I'm ALL FOR THIS:
It's too bad that they don't do this with the C/S.  If they would test
features available only on 7500's and up, that would mean that a greater
percentage of C/S candidates would be actual ISP engineers, not lab-rats,
which would be good for the program.

JUST SO LONG AS: the hiring manager/HR Puppet doesn't require prior
experience in "an enterprise network environment" just to get an
interview.  That was EXACTLY the catch-22 I faced getting into this
industry 9 years ago.  "What, no experience?!?! Then why would I want to
hire you and put you in the seat of managing my 2000 node
network?...shyaa right!  You aren't touchin' this network with a 10 foot
pole!"

OJT is not what it used to be in the 80's.  You got hired for more than
the ability to pass the basic math test.  You were hired because of your
aptitude proven in the interview.  Then you were sent to training
classes for the first several weeks of your new job.  Then you were
placed under a supervisor and mentored for a time period.  

These days, there are reasons why they put the "must be able to work
with minimal to zero supervision" in the description of the IT Job
posting.  And they don't have any interest or plan in putting you
through any kind of training... 

... so the Ol' Catch-22 returns in vogue just like the bell-bottoms.

... and one more thing:  Am I just living in a bubble or something, cuz'
I just don't see this phenomenon of thousands of geeks like myself
scoffing up gear in their homes here in the D/FW, Texas area to take a
smack at the R/S or C/S labs ... is this geographic by nature or
something by economic demographic?? (read - is this something observed
in the California, N.Y., Illinois, or Virginia area)

-Mark


-Original Message-
From: nrf [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 06, 2003 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: New Voice CCIE [7:64620]

""The Long and Winding Road""  wrote in
message news:[EMAIL PROTECTED]
> ""DAve Diaz""  wrote in message
> news:[EMAIL PROTECTED]
> > how are you supposed to prepare for this but buy all that equipment no
> > thanks
> >
>
>
> there would be a distinct advantage to substantial hands on
> experience.
> maybe this marks the start of the trend away from the "paper" ( some
> use the term "lab rat" ) CCIE's of the last couple of years?

Yeah, so maybe that's precisely the point.  They don't want guys to just
get a bunch of stuff in a home lab and -presto- another CCIE comes out
without ever having used the gear in a production environment in his life,
and thereby cheapening the value of the cert.  Perhaps they figure that if
they require candidates to have a lot of hands-on experience with high-end
gear, then most of the candidates will be employees of companies with large
networks, which was the precise target demographic of the CCIE in the
first place.

It's too bad that they don't do this with the C/S.  If they would test
features available only on 7500's and up, that would mean that a greater
percentage of C/S candidates would be actual ISP engineers, not lab-rats,
which would be good for the program.

>
>
> >
> >
> >
> >
> > >From: "Maurizio Moroni"
> > >Reply-To: "Maurizio Moroni"
> > >To: [EMAIL PROTECTED]
> > >Subject: New Voice CCIE [7:64620]
> > >Date: Thu, 6 Mar 2003 16:12:11 GMT
> > >
> > >Hi Group,
> > >
> > >I would like to know what's your take on the new CCIE Voice
> > >Certification Track
> > >(http://www.cisco.com/warp/customer/625/ccie/ccie_program/whatsnew.html)
> > >
> > >Regards,
> > >Maurizio




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64678&t=64620


RE: Cisco 1750 DSP's are making me nuts! [7:65272]

2003-03-13 Thread Mark W. Odette II
You would be correct. DSP=1=2V and DSP=2=4V

-Original Message-
From: H Howard Lewis Bloom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 13, 2003 12:42 AM
To: [EMAIL PROTECTED]
Subject: Cisco 1750 DSP's are making me nuts! [7:65272]

Just what makes a 1750 a 2V or a 4V?

I have several routers with DSP's and I'm having a very hard time
identifying what I have from Cisco's website.

Here is a show diag from RouterA:

Router#show diag
Slot 0:
C1750 1FE VE Mainboard port adapter, 1 port
Port adapter is analyzed 
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware revision 5.1   Board revision B0
Serial number 3857504071        Part number 73-3743-05
Test history  0x0   RMA number 00-00-00
EEPROM format version 1
EEPROM contents (hex):
  0x20: 01 C9 05 01 E5 EC D7 47 49 0E 9F 05 00 00 00 00
  0x30: 58 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00

Packet Voice DSP Module:
Hardware Revision: 2.2
Part Number  : 73-3741-01
Board Revision   : A0
Deviation Number : 0-0
Fab Version  : 02
PCB Serial Number: ICP042700CG
RMA Test History : 00
RMA Number   : 0-0-0-0
RMA History  : 00
Processor type   : 02
Number of DSP's  : 1
Type of DSP  : TMS320C549
EEPROM format version 4
EEPROM contents (hex):
0x00:   04 FF 40 01 5A 41 02 02 82 49 0E 9D 01 42 41 30 
0x10:   80 00 00 00 00 02 02 C1 8B 49 43 50 30 34 32 37 
0x20:   30 30 43 47 03 00 81 00 00 00 00 04 00 09 02 FF 

Notice it shows the number of DSP's as 1.  Is this a 2V?

And this router shows 2 DSP's.  Is it a 4V?

1750-2V#show diag
Slot 0:
C1750 1FE VE Mainboard Port adapter, 5 ports
Port adapter is analyzed 
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware Revision: 8.1
PCB Serial Number: JAD05270RBU
Part Number  : 73-3743-08
Board Revision   : A0
Fab Version  : 04
EEPROM format version 4
EEPROM contents (hex):
  0x00: 04 FF 40 00 C9 41 08 01 C1 8B 4A 41 44 30 35 32
  0x10: 37 30 52 42 55 82 49 0E 9F 08 42 41 30 02 04 FF
  0x20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Packet Voice DSP Module Slot 0:
Hardware Revision: 2.2
Part Number  : 73-3815-01
Board Revision   : A0
Deviation Number : 0-0
Fab Version  : 02
PCB Serial Number: ICP050800H5
RMA Test History : 00
RMA Number   : 0-0-0-0
RMA History  : 00
Processor type   : 02 
Number of DSP's  : 2
Type of DSP  : TMS320C549
EEPROM format version 4
EEPROM contents (hex):
0x00:   04 FF 40 01 5B 41 02 02 82 49 0E E7 01 42 41 30 
0x10:   80 00 00 00 00 02 02 C1 8B 49 43 50 30 35 30 38 
0x20:   30 30 48 35 03 00 81 00 00 00 00 04 00 09 02 FF 

WIC Slot 0:
Dual FXS Voice Interface Card WAN daughter card
Hardware revision 1.1   Board revision A0
Serial number 0026342912        Part number 800-02493-03
Test history  0x00              RMA number 00-00-00
Connector type    WAN Module
EEPROM format version 1
EEPROM contents (hex):
0x20:   01 0E 01 01 01 91 F6 00 50 09 BD 03 00 00 00 00 
0x30:   50 00 00 00 01 06 26 01 FF FF FF FF FF FF FF FF




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65335&t=65272


RE: Microsoft IAS and VPN 3000/Client Authentication [7:66703]

2003-04-02 Thread Mark W. Odette II
Though I haven't done it myself, you should be able to keep the IAS box
(Windows 2000 Member Server) and the NT4PDC Box separate.

Your authentication AND access can be defined by the IAS box.

You would only need to allow RADIUS Ports...

1645 RADIUS Authentication 
1646 RADIUS Accounting

OR

1812 RADIUS server 
1813 RADIUS accounting

...on the PIX between the concentrator and the IAS box.

It would be more advisable to put the VPN Concentrator on the DMZ port
of the PIX if you have it; this is left to interpretation and opinion.

NOTE: I have no experience with the Concentrators, so, your mileage may
vary.

-Mark

-Original Message-
From: kwindancer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 11:27 AM
To: [EMAIL PROTECTED]
Subject: Microsoft IAS and VPN 3000/Client Authentication [7:66703]

Hello All: I'm looking into using Microsoft IAS and Windows NT4 PDC to
authenticate VPN client users who are accessing a VPN 3000 concentrator.
I want home VPN client users to utilize the NT4 PDC for their login
authentication. The VPN 3000 concentrator is located on the outside
interface of the PIX while the NT 4 PDC is located on the inside. My
questions are: a) Should I combine the PDC and IAS into one server?  My
preference is to use separate servers, and would this scenario work? b)
What ports should I open to allow Radius and NT authentication from the
outside to the inside?   Thanks. Ken





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66710&t=66703


RE: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69779]

2003-05-30 Thread Mark W. Odette II
Charles-
I could be wrong, but my interpretation of the docs covering the Alias
command says that you can't have your cake and eat it too. :)

What I mean is, I don't believe you can DNS-Doctor and Destination-NAT
at the same time.  Like I said, I could be wrong.

From what I understand, you need to do your translation with a static
command:

"Static (inside,dmz) 10.3.3.1 10.1.1.x netmask 255.255.255.255 0 0"

...and then set up your DNS-Doctor Alias.

"Alias (inside) 10.1.1.x 10.3.3.1 255.255.255.255"

Note:

Verify that the DNS server resolves your host/domain name to the global
IP address of the web server by issuing an nslookup command. The result
of the nslookup on the client PC should be the internal IP address of
the server (10.1.1.x), because the DNS reply gets doctored as it passes
through the PIX.

Also note that, for DNS fixup to work properly, proxy-arp has to be
disabled. If you are using the alias command for DNS fixup, disable
proxy-arp with the following command after the alias command has been
executed.

"sysopt noproxyarp internal_interface"

If you are also trying to maintain DNS integrity from the outside point
of view, I believe the 'DNS' keyword is all that is needed in the
following command (to allow the outside world to also reach the DMZ
host).

"Static (dmz,outside) 10.3.3.1 10.2.2.1 dns netmask 255.255.255.255"

Or, taking the concepts from the Alias docs, you could do this.

"Alias (outside) 10.2.2.1 10.3.3.1 255.255.255.255" ...but I think this
might be the older way of doing it.

Don't forget your ACLs so that DNS and whatever other services need to
be accessed on the DMZ host (one ACL for the Inside, one for the
Outside).

HTH's

-Mark

-Original Message-
From: Charles  Riley [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2003 7:22 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall 6.2.2 Inside network can not reach DMZ hosts [7:69756]

Hi, all,

I have a problem that is making me scream and shout, gonna knock myself
out.  It has to do with my PIX firewall configuration.

The long and short of my problem is that the inside network can only
reach inside hosts and outside networks:  it can not reach any host on the
DMZ, despite the fact that there are numerous statics and aliases configured
to permit it to do so.

I have a 515 6.2 with the following networks configured:

Inside 10.1.1.0/24
Outside 10.2.2.0/24
DMZ 10.3.3.0/24

First, we have names for ServerA located on the DMZ network:

name 10.3.3.1 SERVERA_DMZ
name 10.2.2.1 SERVERA_OUTSIDE

ServerA actually is addressed with 10.3.3.1 because it is on the DMZ;
the 10.2.2.1 is its outside address (as well as being its registered DNS
name).


If an inside networker DNS queries for SERVERA, the following commands
are supposed to swap the outside address for the DMZ address.  In other
words, intercept the DNS reply and change it so that the inside network
will then establish a session to 10.3.3.1 (dmz address), not to 10.2.2.1
(outside nat'ed address)

alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255
alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255

Initial DNS tests show that this is not happening:  the inside network
DNS queries are getting outside addresses.

Compounding the problem is the translation process itself.  The below states
that when Inside networks go to the DMZ network, PAT their address to
10.3.3.9, excepting those sessions listed in ACL 100 (which upon checking do
not affect the translation in this particular case).

nat (inside) 0 access-list 100
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

global (DMZ) 1 10.3.3.9 netmask 255.255.255.0


So, in a happy world, the inside network should DNS query for SERVERA,
the PIX should intercept replies and change to a DMZ address (alias), and
NAT should then translate as appropriate.

In the words of Larry King, it ain't happening, gang...and I don't know
why.  I beseech, oh, Group of Infinite Wisdom, for your assistance.

As a closer, my problems started when I upgraded to 6.3.1...what a
mistake.  I have since downgraded it back to 6.2, and have checked and
rechecked the config...there are no commands missing.

TIA,

Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69779&t=69779
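
As an added illustration of the DNS doctoring this thread is about (example code, not the thread's own commands or Cisco's implementation): the function below does to a DNS reply what "alias (inside) SERVERA_DMZ SERVERA_OUTSIDE" is meant to do, rewriting A records that carry Charles's outside address 10.2.2.1 to the DMZ address 10.3.3.1, so the nslookup check in Mark's note can be expressed as an assertion. The reply packet is constructed inline; a real PIX also fixes up checksums and xlate state, which this model leaves out.

```python
"""Model of PIX-style DNS doctoring for a DNS reply crossing the inside
interface.  Added example, not code from the thread; the alias table holds
Charles's SERVERA addresses (outside 10.2.2.1 -> DMZ 10.3.3.1)."""
import struct
import ipaddress
from typing import Dict, Iterator, List, Tuple

# alias (inside) SERVERA_DMZ SERVERA_OUTSIDE: replies seen on the inside
# that carry the outside address are rewritten to the DMZ address.
INSIDE_ALIASES: Dict[str, str] = {"10.2.2.1": "10.3.3.1"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_response(qname: str, answer_ip: str, txid: int = 0x1234) -> bytes:
    """Constructed sample reply: one question, one A record, flags QR/RD/RA."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    # The answer's owner name is a compression pointer (0xC00C) to the
    # question name at offset 12; then type, class, TTL, rdlength, rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + question + answer + ipaddress.IPv4Address(answer_ip).packed


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def a_record_offsets(pkt: bytes) -> Iterator[int]:
    """Yield the rdata offset of every A record in the answer, authority
    and additional sections of a DNS response; queries yield nothing."""
    _txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:              # QR bit clear: this is a query
        return
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4   # skip qtype and qclass
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answered_addresses(pkt: bytes) -> List[str]:
    """The A-record results a client (e.g. nslookup) would see."""
    return [str(ipaddress.IPv4Address(pkt[o:o + 4])) for o in a_record_offsets(pkt)]


def doctor_dns_reply(pkt: bytes, aliases: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A records per the alias table.  An IPv4 address is always
    4 bytes, so the packet length is unchanged and only the UDP/IP
    checksums would need recomputing on a real firewall."""
    out = bytearray(pkt)
    rewrites: List[Tuple[str, str]] = []
    for off in a_record_offsets(pkt):
        old = str(ipaddress.IPv4Address(pkt[off:off + 4]))
        new = aliases.get(old)
        if new is not None:
            out[off:off + 4] = ipaddress.IPv4Address(new).packed
            rewrites.append((old, new))
    return bytes(out), rewrites


if __name__ == "__main__":
    reply = build_dns_response("servera.example.com", "10.2.2.1")
    doctored, changes = doctor_dns_reply(reply, INSIDE_ALIASES)
    # Mark's nslookup check: the inside client must see the DMZ address.
    print("before:", answered_addresses(reply))      # ['10.2.2.1']
    print("after: ", answered_addresses(doctored))   # ['10.3.3.1']
    print("rewrites:", changes)
```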


RE: PIX Firewall 6.2.2 Inside network can not reach [7:69779]

2003-06-03 Thread Mark W. Odette II
Richard- 
As I had said in my last post, in analyzing his syntax, it appears he's
trying to do Destination NAT and DNS Doctoring at the same time, for which
it obviously doesn't work.

I couldn't tell you if line 2 is auto-reversing what line 1 does by the
PIX's operating code, but you are correct that only one line is needed.
From what I gathered of the documentation, he also needed to do a second
Alias statement against the DMZ interface, or he needed to do a Static
statement utilizing the DNS keyword; example:
"static (dmz,outside) pub.lic.ip.addr dmz.host.ip.addr dns netmask
255.255.255.255 0 0"

I don't have a 3-interface pix to test these possible solutions on, so I
can't say for certain that I'm correct. :(

-Mark
-Original Message-
From: Richard Botham [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 7:12 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Firewall 6.2.2 Inside network can not reac [7:69779]

Charles/Mark,

No infinite wisdom I'm afraid - just my #0.2.

Is it because the statements below effectively do nothing due to the fact
that statement 2 undoes what statement 1 has just done?
[or have I missed the point.]

1)alias (inside) SERVERA_DMZ SERVERA_OUTSIDE 255.255.255.255 
2)alias (inside) SERVERA_OUTSIDE SERVERA_DMZ 255.255.255.255 

I would have thought that you would only need statement one - why do you
need to reverse what you did in statement one for the hosts on the inside
net?

regards
Richard




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70004&t=69779


RE: Virtual MAC and Port Security [7:70030]

2003-06-03 Thread Mark W. Odette II
David- it's been a while since I did this, but from what I understand
you to say, you are trying to provide fault tolerance (fail-over) at the
NIC level for these servers.

I can't vouch for the 6500s, but on the 5500s that I used to manage, we
used Intel NICs in a "teaming" fashion (which was to provide said fault
tolerance).  These NICs had their FastEthernet cables going to each
switch respectively. (4 NICs in each Server, 2 CAT5500's to plug into).

The virtual MACs of the Teaming group were plugged into the port
security table on the CATs.  The CATs were also trunked together via
GBICs, so STP would block one Fast-Ether-Channel group of NIC cables on
one switch while allowing the other group to operate.

So, the short of it is, I believe you'll have to set up an EtherChannel
with the NIC Pool(s) and it's assumed that you already are Trunking
between your 6500's for backbone redundancy.  Port Security should be
straightforward- just one Virtual-MAC per NIC Pool to be plugged into
the MAC Security Table, and reference the security mac table on the
ports you want to enable port security.

It's been a couple of years since I did this, so hopefully I remembered
all the steps required. YMMV :)

HTHs
-Mark
-Original Message-
From: David Vital [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: Virtual MAC and Port Security [7:70030]

I have several Servers that are going to be doing NIC pooling.  So I'm
supposed to see a virtual MAC address instead of the actual physical
address of the NICs.  I run the NICs from one server to different switches
for fault tolerance.  If I have several 6500 series switches how can I set
it up for Port Security?  I know I can set up the ports to handle several
MACs but if they are running the same virtual MAC what's the answer?

David




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70045&t=70030


RE: multiple isakmp policies question-No authentication [7:70051]

2003-06-03 Thread Mark W. Odette II
Richard- Google is your friend 

Fluf-fluf http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html



-Original Message-
From: Richard Campbell [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 02, 2003 11:37 PM
To: [EMAIL PROTECTED]
Subject: RE: multiple isakmp policies question-No authentication
[7:70043]

Hi..  Sorry me again, I just realised that W2K can act as a RADIUS
server, is it true??  I tried to install cisco CSACS software on my W2K
server, it prompted me that another program is using the RADIUS port, pls
disable it. Does that mean my W2K server comes with RADIUS?  Where do I
configure it?

The aaa.bbb.ccc.10 (shown below) is the IP of my W2K server?  I should
configure my W2k Radius server to have the same key "PASSWORD HERE" as
the PIX515 right?  Where can I enter this value in my W2k server?

>aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

>From: Daniel Cotts 
>To: "'Richard Campbell'" , [EMAIL PROTECTED]
>Subject: RE: multiple isakmp policies question-No authentication
[7:69996]
>Date: Mon, 2 Jun 2003 18:25:38 -0500
>
>In the following config RADIUS is used to authenticate the Clients.
>IIRC the group password is sufficient to allow a client to connect -
>although not too secure as all clients would have one password.
>crypto map FF_fw_int0 client authentication AuthInbound
>aaa-server RADIUS protocol radius
>aaa-server AuthInbound protocol radius
>aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10
>
> > -Original Message-
> > From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 02, 2003 8:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: multiple isakmp policies question-No authentication
> > [7:69996]
> >
> >
> > Hey...  thanks..  finally I got response from my PIX515, but
> > it just hangs at securing communication channel stage (see below)
> > and it doesn't authenticate the users.  What config should I add
> > to point it to my authentication server 192.168.1.201?  For your
> > info, my VPN client is installed at Win95 and my authentication
> > server is a W2K server.
> >
> > Initializing the connection...
> > Contacting the gateway at 100.100.100.101...
> > Negotiating security policies...
> > Securing communication channel...
> >
> > I remember in VPN3000 server, I need to specify the
> > authentication server for VPN group, but why in PIX515 sample on
> > the net, why it doesn't have this entry
> >
> > >From: Andrew Larkins
> > >
> > >from what I remember about this, they will try each policy
> > >until a match is made, otherwise the connection terminates
> > >
> > >-Original Message-
> > >From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > >
> > >hey..  I have a PIX 515 and have a PIX to PIX connection to
> > >London and NY using pre-shared key des, hash sha and dh group 1 and
> > >I am going to let VPN3000 client 3.X connect to here as here and I
> > >created another isakmp policy 20, with hash md5, dh group 2 as
> > >shown below.  Can u take a look whether the config is correct?
> > >
> > >And my question is I have 2 isakmp policies here, how does
> > >the PIX-PIX and VPN 3000 3.X client know which isakmp policy to take?
> > >
> > >crypto ipsec transform-set newset esp-des
> > >crypto dynamic-map dynmap 30 set transform-set newset
> > >crypto map newmap 10 ipsec-isakmp
> > >crypto map newmap 10 match address 101
> > >crypto map newmap 10 set peer nyapix
> > >crypto map newmap 10 set transform-set newset
> > >crypto map newmap 20 ipsec-isakmp
> > >crypto map newmap 20 match address 102
> > >crypto map newmap 20 set peer ldnpix
> > >crypto map newmap 20 set transform-set newset
> > >crypto map newmap 30 ipsec-isakmp dynamic dynmap
> > >crypto map newmap interface outside
> > >isakmp enable outside
> > >isakmp key  address ldnpix netmask 255.255.255.255
> > >isakmp key  address nyapix netmask 255.255.255.255
> > >isakmp identity address
> > >isakmp policy 10 authentication pre-share
> > >isakmp policy 10 encryption des
> > >isakmp policy 10 hash sha
> > >isakmp policy 10 group 1
> > >isakmp policy 10 lifetime 86400
> > >
> > >isakmp policy 20 authentication pre-share
> > >isakmp policy 20 encryption des
> > >isakmp policy 20 hash md5
> > >isakmp policy 20 group 2
> > >isakmp policy 20 lifetime 86400
> > >
> > >vpngroup CLIENTS address-pool REMOTEIPPOOLS
> > >vpngroup CLIENTS dns-server 192.168.1.201
> > >vpngroup CLIENTS wins-server 192.168.1.201
> > >vpngroup CLIENTS default-domain xyz.com
> > >vpngroup CLIENTS idle-time 1800
> > >vpngroup CLIENTS password 
> > >
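
As an added illustration of Andrew's answer quoted above (the PIX tries each isakmp policy until a match is made), here is a small responder-side model of IKE phase 1 policy selection, written for this thread rather than taken from it or from Cisco. The two local policies are the ones in Richard's config; the matching rule it applies (equal authentication, encryption, hash and DH group, the peer's lifetime no longer than ours, shorter lifetime wins) follows Cisco's documented IKE behaviour and is an assumption of the model.

```python
"""Model of how a PIX picks an isakmp policy for a peer.  Added example,
not Cisco code: local policies are checked in priority order against every
proposal the peer sent, the first match wins, and no match means the
negotiation ends (the symptom Richard saw before fixing authentication)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE phase-1 transform offered by a peer."""
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int = 86400   # seconds


@dataclass(frozen=True)
class IsakmpPolicy(Proposal):
    """A local 'isakmp policy <priority> ...' entry; lower number is tried first."""
    priority: int = 0


# isakmp policy 10 and 20 from Richard's PIX 515 config above
PIX_POLICIES = (
    IsakmpPolicy("pre-share", "des", "sha", 1, 86400, priority=10),
    IsakmpPolicy("pre-share", "des", "md5", 2, 86400, priority=20),
)

# Constructed proposals for the two peer types in the thread: the remote
# PIXes (des/sha/group 1) and a VPN 3000 3.x client set for md5/group 2.
PIX_TO_PIX = (Proposal("pre-share", "des", "sha", 1),)
VPN_CLIENT = (Proposal("pre-share", "des", "md5", 2),)


def matches(policy: IsakmpPolicy, proposal: Proposal) -> bool:
    """Assumed matching rule: the four crypto attributes must be equal and
    the peer may not ask for a lifetime longer than the local policy's."""
    return (policy.authentication == proposal.authentication
            and policy.encryption == proposal.encryption
            and policy.hash == proposal.hash
            and policy.group == proposal.group
            and proposal.lifetime <= policy.lifetime)


def select_policy(policies: Sequence[IsakmpPolicy],
                  proposals: Sequence[Proposal]) -> Optional[Tuple[int, int]]:
    """Return (priority of the chosen policy, negotiated lifetime), or None
    when no proposal matches any policy, in which case the tunnel never
    comes up.  The responder's own priority order decides, not the order
    in which the peer listed its proposals."""
    for policy in sorted(policies, key=lambda p: p.priority):
        for proposal in proposals:
            if matches(policy, proposal):
                return policy.priority, min(policy.lifetime, proposal.lifetime)
    return None


if __name__ == "__main__":
    print("PIX peer   ->", select_policy(PIX_POLICIES, PIX_TO_PIX))  # (10, 86400)
    print("VPN client ->", select_policy(PIX_POLICIES, VPN_CLIENT))  # (20, 86400)
```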

RE: Please explain the numbers in the source-bridge statement?? [7:70094]

2003-06-04 Thread Mark W. Odette II
I hope I don't embarrass myself here, but if I remember correctly:

...the 9 and 3 are the two Rings that you want to bridge, and the 23 is
the bridge id.

Hope my memory served me correctly today.

I'm sure Priscilla will tell us for sure. :)

-Mark

-Original Message-
From: Robert Perez [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 03, 2003 3:01 PM
To: [EMAIL PROTECTED]
Subject: Please explain the numbers in the source-bridge statement?? [7:70090]

interface TokenRing0
 ip address 192.168.34.3 255.255.255.0
 ring-speed 4
 source-bridge 9 3 23 < What do all these mean?
 source-bridge spanning




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70094&t=70094


RE: number of CCIE [7:70151]

2003-06-07 Thread Mark W. Odette II
Here's a question for those recruiters, headhunters and HR People- Out of
CCIE 1025-, how many of them do you think are still actively with the
program, still working in the industry, still are at the top of their game
(i.e., could go back in and take the OLD LAB again), and are the Crème of
the crop that they have so valued them as??!?!?!

There are reasons of human physiology and psychology that prove that the
old saying is true... If you don't keep practicing a skill or knowledge
through repetition, you simply will lose your "edge".  My hat is off to
CCIE #1058 if he can still complete the OLD LAB blindfolded and run circles
around CCIE #10,269 in regards to the complex multi-protocol setup of
DECNet, IPX, SNA, IP (w/ BGP, OSPF, EIGRP), and AppleTalk for an 8-10+ router
network that was the result of 2 or more multi-hundred-thousand-node
companies merging.  But I must insert my own pessimism that I seriously
doubt this is the case.  This could be for any number of reasons, but I'm
sure the number one reason is that it was too time-consuming and expensive
to maintain such "prestige".  Not to mention, they probably got laid off for
one reason or another in the past 3-5 years.

Headhunters and Recruiters are more arrogant than those CCIE's that have
been minted in the past 24 months.  And they've been that way for at least
the last decade.  An engineer with Blah-blah-blah certifications is nothing
but a potential for them making a huge commission for "hooking up" that
engineer with the employer.  And because of this arrogance, they have these
BS ideals that CCIE# 6328 is truly expert, and CCIE #10524 doesn't deserve
the respect of knowing much more than how to power on a piece of Cisco
equipment.  To put in your analogy format, that's like saying the M.D. that
got his PHD 20 years ago, but got bored with continually going back to those
medical conferences and continued education on advances in medical science
is more preferential than the Doctor that has been practicing medicine for
only the past 3 years.  My bet is that the older Doc is going to continue
performing "tried and true" procedures that have a greater risk of failure
or permanent damage of some sort (could be scars, amputated limb, etc.) than
the younger Doc that is current with procedures that result in more
favorable outcomes for the same medical situations.

NRF- You've said yourself in the past that Cisco has changed the CCIE
program for financial reasons, be it for increased revenue or wiser
financial efficiency in maintaining the equipment, facilities, etc.  What
about simple relevance?  True, not as many routing protocol technologies are
being tested on... but they make up for that by testing on new technologies
such as Voice, Security, etc.   So, because Cisco tests on new technologies,
that makes it acceptable for the "market" and all those Headhunters,
Recruiters, and HR folks to deem the CCIE not as valuable as it once was?!?
They obviously have a jaded/ill-informed point of reference in comparing the
"old" with the "new".

Out of curiosity, just exactly what are the names of all these "brain-dump"
groups/sites that make the CCIE LAB a cake-walk?!?  If they are so common
knowledge, I have a hard time believing that Cisco would allow them to
continue operating.  I'm sure Mr. Chambers is intelligent enough to look
ahead and realize he would be preempting the demise of his own company if
his company perpetuated the cycle of braindump-prepared CCIEs will equal
less positive reputation for support and value of the products themselves. 
Or in more simplistic terms, surely he's smart enough to foresee the
cause-and-effect scenario of allowing hundreds of CCIE's to be minted per
month.

If the economy is so dismal for a majority (read 70%+) of the country,
especially the IT industry, just exactly how are all these New CCIE's
affording to pay for braindump memberships, Bootcamps, rack rentals and/or
personal lab purchases to prepare for the O-so-easy CCIE LAB?!?!  I guess my
point is, I must be continuing to perpetuate myself in this little naïve
bubble that makes me have a hard time believing/accepting the CCIE program
is being overrun in record time with wannabe CCIE's that just simply
"bought" their certification rather than earning it.

Give us some facts that can give merit to the "free market's" delusion that
Computer Networking isn't worth the nickel it used to be.  And yes, I
believe the "free market" is under delusional control.  Most of which has
been perpetuated by the "Dot.Bomb" era (which has been nothing but
pessimistic influence of the US Media [and yes, I know part of it was a
result of bad financial decisions by some start-up companies and some of the
Telco's, but the ripple effects caused in short by the media is why all the
other businesses have experienced demise]).  Real Estate and Oil had its
"big boom" period too, but that hasn't seemed to have had an effect on the
purchases of houses and gas in the past 15 years..

RE: number of CCIE [7:70151]

2003-06-09 Thread Mark W. Odette II
Ok, just so you'll (NRF) be happy.

I, for one, would NOT want to trade my Higher Number CCIE designation
for a lower number designation.  Call me stupid, ignorant, clueless,
whatever... but I simply do not see the "value" in having a lower
number.  To me, they are all the same- every last number issued (and
yes, I'm being brutally honest with you and myself, as I don't know of
any other way:-]).  It's the person maintaining the certification that
has to answer to the rest of the CCIE clan when they don't maintain the
expertise.

And just so you know, all those recruiters, HR folk, and the such get
their ideas/beliefs about the "value"/credibility of ANY certification
from hearsay, colleagues that don't necessarily have the true low-down
on the subject themselves, advertising and individuals that perpetuate a
statement such as "Certification X is not worth the paper it's written
on because more often than not the individual holding said Certification
probably doesn't have the skill to back it up".

I have met my fair share of individuals that did not have the skills
that their certifications indicated they had, and I have also met my
fair share of individuals that were top notch, but I don't have the
mentality of already deciding that "well, 'they' all say the MCSE is
just a paper-cert and isn't worth a dime, so I wasted my time getting
mine" nor do I behave the same for my CCNP certification.  I DO believe
though that with the "market" and "economy" the way it is, that even
though there are 100,000 souls that have acquired the MCSE designation
and approx. 40,000 (not an exact number- I couldn't find it on Cisco's
site) souls have acquired the CCNP designation, that there simply are
not that many individuals still pursuing IT careers.  So, I'm not too
entirely concerned with competition.  I think the real issue at hand for
hire-ability is simply a question of how cheap the next HR/Recruiter
wants to hire the IT engineer for.  But of course, hasn't that always
been the case!?!?! :-)

Bottom line (for me at least) is that I am comfortable with my
certifications, as I earned them fair and square (read no cheat-sheets,
brain dumps, etc.), and I'll feel the same way for the CCIE when I
obtain it.  If the HR/Recruiter Dolt wants to get picky with my
"Numbers", I'll simply insist upon the hiring manager providing a
technical interview to verify my skills.  If I don't even get the
benefit of the request because the HR/Recruiter Dolt tossed my
Resume/Application in the trash based solely on this lack of "lower
numbers" BS, then that company wasn't worth working for anyway.

Now, if you'll excuse me, I've got to get back to trying to obtain my
High-Number CCIE designation (which will take at least another year).

-Oh, yeah, and one more thing, I seem to have a keen knack for
troubleshooting, so I think I'm gonna fit right in with the likes of
those "lower number" CCIEs that may or may not feel like I am as good as
them because I only had a 1-day LAB.  They simply have an insecurity
issue to deal with, so they can just get over it.  We have networks to
maintain.


-Original Message-
From: n rf [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 09, 2003 12:34 AM
To: [EMAIL PROTECTED]
Subject: RE: number of CCIE [7:70151]

Mark W. Odette II wrote:
> 
> Here's a question for those recruiters, headhunters and HR
> People- Out of CCIE 1025-, how many of them do you think
> are still actively with the program, still working in the
> industry, still are at the top of their game (i.e., could go
> back in and take the OLD LAB again), and are the Crème of the
> crop that they have so valued them as??!?!?!
> 
> There are reasons of human physiology and psychology that
> proves that the old saying is true... If you don't keep
> practicing a skill or knowledge through repetition, you simply
> will lose your "edge".  My hat is off to CCIE #1058 if he can
> still complete the OLD LAB blind folded and run circles around
> CCIE #10,269 in regards to the complex multi-protocol setup of
> DECNet, IPX, SNA, IP (w/ BGP, OSPF, EIGRP), and AppleTalk for a
> 8-10+ router network that was the result of 2 or more
> multi-hundred-thousand-node companies merging.  But I must
> insert my own pessimism that I seriously doubt this is the
> case.  This could be for any number of reasons, but I'm sure
> the number one reason is that it was too time-consuming and
> expensive to maintain such "prestige".  Not to mention, they
> probably got laid off for one reason or another in the past 3-5
> years.

Unfortunately, I'm afraid you're missing the point.  The value of the CCIE
program was never really its immediate technology re

RE: RE: RE: RE: number of CCIE??? [7:70328]

2003-06-11 Thread Mark W. Odette II
Robert, the way you described your hiring/screening process is the way I
wished all Corporate America job providers did it.

It's nice to know that at least one business out there doesn't hide
behind an HR group that isn't prepared to perform the screening process
properly and/or fairly.


-Mark

-Original Message-
From: Robertson, Douglas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 11, 2003 1:58 PM
To: [EMAIL PROTECTED]
Subject: RE: RE: RE: RE: number of CCIE??? [7:70328]

This has been an entertaining thread, but the way I see it is this.
Maybe the high/low CCIE would work with the headhunters and that is a
different story, but we have interviewed/employed a number of IT guys
over the past couple of months, CCIEs included, and to be honest I do
not look to the CCIE number for a reference of technical ability (I do
look that it is a valid CCIE number). The candidates that we interview
complete a test, written and lab, tiered in difficulty. We make an
evaluation based on experience, team orientation, and test/lab results.
There is no pressure to answer or complete the test/lab; however, that
is how we determine the level/tier of the prospective candidate, not
the CCIE number. That is just how we do it.

My two cents

Doug  

-Original Message-
From: Kaminski, Shawn G [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: RE: RE: RE: number of CCIE??? [7:70328]


STOP IT! Both of you! :-)

Shawn K.

P.S. This thread has been highly entertaining!

-Original Message-
From: n rf [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 11, 2003 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: RE: RE: RE: number of CCIE??? [7:70328]

>Jack Nalbandian wrote:

Boy, for a guy who says that he wants to close the thread, you really
have a lot to say.

> 
> 1. Attacking his motives and attacking his character are
> mutually exclusive
> endeavors.  I attack his motive of defaming the certification
> process itself
> in a series of different topics.  I have not criticized any
> such commentary
> that balances all facts, but NRF's overall commentary does no
> such thing.

Uh, how's that?  At the end of the day you are refusing to deal with the
issues at hand.  Whether you choose to attack my motives or my character
- whatever you want to call it - it's still out of bounds.  You are
either talking about the actual issues at hand, or you're not.  Simple
as that.

Besides, character and motives are basically one and the same.  Wouldn't
somebody with bad character necessarily have bad motives?  Is there
really such a thing as a guy with bad character having good motives?  Or
vice versa? I don't think so.  So really, when you say that you're
questioning my motives but not my character, that's really a distinction
without a difference.

Look, the bottom line is this.  I don't question your motives or your
character.  Don't do it to me.



> 
> 2. There is the issue of devaluation of certifications due to
> the "forces
> majeur" that you mention, but the actual argument, it seems,
> you have missed
> as well.  The entire focus seems to be on "certification
> tracks" and how
> "worthless they are," not due to the actual market forces at
> play, but due
> to the very (alleged) "inherent weakness" of the certification
> process
> itself.  Therefore, your well-thought out and long-winded (not
> meant as a
> pejorative) is too far off the mark.

Why do you keep insisting on telling me what my own focus is?  Don't you
think I would know the focus of my own posts?   When have I said in this
particular thread that all certifications were worthless?

In fact, you could easily say quite the opposite - I have said several
times that certain certifications, namely low-number CCIE's, are in fact
quite valuable.  So how does that jive with your accusation that I am
somehow painting all certifications as worthless, when in fact I have
singled out a certification subset as worthy?

Oh, but I get it, you keep insisting that I am actually bashing all
certs as a "stealth undercurrent thesis", despite the fact that I think
everybody in this ng would agree that I don't exactly "do" stealth.  If
I want to say something, I'm going to say it.

Here's an idea, Jack.  Instead of debating me on what you believe the
undercurrents of my words are saying, why not debate me on what I'm
ACTUALLY saying?  To do otherwise is really to engage in that character
assassination and shooting-of-the-messenger that is simply uncouth.

> 2b. The second repetitively implied undertext is that of the (alleged)
> "superiority" of college education, the original method of degradation
> and defamation of the certification process itself.  I dismissed this
> as a comparison between apples and oranges with the intent to devalue
> oranges by judging their value in apple terms.  If you have read my
> posts at all, you will know my position on this. I can repost the
> relevant content if you wish.
> 

There 

RE: Network Lag on Cisco? [7:70648]

2003-06-14 Thread Mark W. Odette II
Anil-

I'll try to take a stab at this...

For your network:
Verify that you are not experiencing packet loss on the uplink from your
Procurve switch to the Cisco Router.  Make sure you have the speed and
duplex setting hard-coded on each end.

Aside from that, I would look into congestion management, as you may
need to implement CBWFQ on the Router (assuming that the telnet sessions
have lag, and are having to cross the T1 circuit).  I seriously doubt
this would be the issue on the Ethernet/FastEthernet interface.  In
fact, if Telnet is lagging from inside the network and the only device
that has to be crossed is the switch, I'd check the connection between
the Linux box and the switch, as well as the Subnet Mask/Default Gateway
to ensure those are set correctly.

For the friend's network:
See "aside from that,..." comment above.

HTHs,
Mark
-Original Message-
From: Anil Gupte [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 13, 2003 10:28 PM
To: [EMAIL PROTECTED]
Subject: Network Lag on Cisco? [7:70648]

Our network is running a 3640 as a core router and several other smaller
routers plus an HP Procurve for the Servers and LAN.  We run BGP across
two upstream networks.  Now, for a long time we have had a slight lag on
our network.  For example, whenever I am logged into our Linux servers,
I will be typing something and I will lose the cursor, then suddenly a
bunch of letters will appear at the cursor.  There are other examples.
We have hunted up and down and not found a problem/solution.

Now comes the interesting part.  A friend of mine who has been running
Linux for years used a Linux machine as a router for the last 3.5 years.
At my urging he decided to try a Cisco because his server was getting
old and needed an overhaul.  Yesterday he did and now has the same
problem.  His config is very simple - he has a 2640 router running IOS
12.1 - one T-1 and one Ethernet port to which he has connected his
Dialup equipment (he is a Dialup ISP).

What gives?  He is now bad mouthing Cisco even more than he did before!

Any ideas appreciated.
Thanx,
Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70653&t=70648
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
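Mark's advice above (rule out packet loss on the uplink and hard-code speed and duplex at both ends) comes down to reading a handful of counters from "show interfaces". What follows is an added example, not part of this thread and not a Cisco tool: a Python checker that parses constructed "show interfaces" output (the interface names, MAC addresses and counter values are made up for illustration) and flags the classic duplex-mismatch signatures, late collisions on the half-duplex side and CRC/frame/runt errors on the full-duplex side, plus an input-error rate high enough to mean real loss. The loss threshold is an assumption.

```python
import re

# Constructed sample: a full-duplex port whose peer negotiated half-duplex.
# The full-duplex side sees the peer's late transmissions as CRC/frame errors.
SAMPLE_MISMATCH = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Full-duplex, 100Mb/s, 100BaseTX/FX
     12345 packets input, 1234567 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     4321 input errors, 4300 CRC, 21 frame, 0 overrun, 0 ignored
     98765 packets output, 9876543 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed sample: the half-duplex side of the same mismatch.
SAMPLE_HALF = """\
FastEthernet0/1 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3457 (bia 0000.0c12.3457)
  Half-duplex, 100Mb/s, 100BaseTX/FX
     98765 packets input, 9876543 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     12345 packets output, 1234567 bytes, 0 underruns
     0 output errors, 5000 collisions, 1 interface resets
     0 babbles, 3200 late collision, 0 deferred
"""

# Constructed sample: a healthy port with speed and duplex hard-coded both ends.
SAMPLE_CLEAN = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Full-duplex, 100Mb/s, 100BaseTX/FX
     12345 packets input, 1234567 bytes
     Received 12 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     98765 packets output, 9876543 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTER_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame",
    "runts": r"(\d+) runts",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interface(text):
    """Extract duplex, speed and the error counters from one interface's
    'show interfaces' block. Returns a dict; absent counters read as 0."""
    info = {}
    m = re.search(r"^(\S+) is (\w+), line protocol is (\w+)", text, re.M)
    info["name"], info["admin"], info["protocol"] = m.groups()
    m = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    info["duplex"] = m.group(1).lower()
    info["speed_mbps"] = int(m.group(2))
    for key, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        info[key] = int(m.group(1)) if m else 0
    return info


def diagnose(info, loss_threshold=0.001):
    """Apply the classic duplex-mismatch and packet-loss heuristics.
    loss_threshold (fraction of input packets in error) is an assumption."""
    findings = []
    if info["late_collisions"] > 0:
        findings.append("late collisions: this side is half-duplex against a "
                        "full-duplex peer (duplex mismatch)")
    if info["duplex"] == "full" and info["crc"] + info["frame"] + info["runts"] > 0:
        findings.append("CRC/frame/runt errors on a full-duplex port: peer is "
                        "probably half-duplex (duplex mismatch) or the cable is bad")
    if info["packets_input"] and info["input_errors"] / info["packets_input"] > loss_threshold:
        findings.append("input error rate above threshold: packet loss on this link")
    if not findings:
        findings.append("no duplex or loss symptoms in counters")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_MISMATCH, SAMPLE_HALF, SAMPLE_CLEAN):
        info = parse_show_interface(sample)
        print(info["name"], info["duplex"], info["speed_mbps"], "Mb/s")
        for finding in diagnose(info):
            print("  -", finding)
```

Run it against the pasted output of "show interfaces" from both ends of the uplink; if either side reports a finding, clear the counters, hard-code speed and duplex on both ends, and confirm the counters stay at zero before looking at queueing on the T1.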


RE: VPN How To: [7:70775]

2003-06-17 Thread Mark W. Odette II
Simple search via Cisco's home page for 'router to router vpn' yielded
the following:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

or

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ef.shtml

Be careful though, as some "TAC Authored" examples sometimes have a few
bugs in format/syntax.

HTH's
Mark

-Original Message-
From: Justin M. Morgenthaler [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 16, 2003 10:29 PM
To: [EMAIL PROTECTED]
Subject: VPN How To: [7:70775]

Can anyone point me to some in depth but simple documentation on setting
up a point to point encrypted link between a 1603 and a 2514?

Justin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70785&t=70775


RE: Cisco exam 9E0-111 or 642-521 [7:71048]

2003-06-21 Thread Mark W. Odette II
Kailash-

Your answers are best answered by contacting Cisco at the Certification
and Training number (see website for number).

As far as the question of which test to take, it's simple.  If 9E0-111
expires Sept. 30, and you are still pursuing the Firewall Specialist
cert, then you have to take whatever exam is available- it's that
simple.  If an exam is indicated to expire by X Date, that means it
won't be offered after that date.  The logical step (in my opinion) is
to take the newest exam, so that you will have the most current exam on
your record.  This ensures that you will not be behind the curve on
Cisco's certification track updates that may make a certain Cert Title
obsolete/expire in a time table that you aren't satisfied with
accepting.

As far as test difficulty, that varies by test taker.  If you are well
experienced in the technology, then you'll obviously do well on the
exam.  If you are not so familiar with it, then you'll either pass by a
slim margin, or you'll simply fail.  My motto is: Don't take the exam
until you really know the subject material like the back of your hand.

Just my 2 cents.

Hope your questions were answered satisfactorily.

-Mark

-Original Message-
From: kailash pant [mailto:[EMAIL PROTECTED] 
Sent: Saturday, June 21, 2003 1:11 AM
To: [EMAIL PROTECTED]
Subject: Cisco exam 9E0-111 or 642-521 [7:71048]

Dear All,
I am planning to go for the Cisco firewall exam. As of now two exams are
available, 9E0-111 and 642-521, and I am a bit confused which one I
should opt for. The other doubt I have is that if I opt for exam
9E0-111, which as per the site will expire on 30 September, would it be
valid for me to complete the security certification, or would I have to
go for the 642-521 again if I want to get the Cisco Firewall expert
certificate after 30 September? Also, I have the CSPFA 2.0 book; how
difficult is it to pass any of these exams by reading this book? I would
also want to know which exam is good and more practical/realistic. Would
you suggest any test exam for this (I am CCNP certified)? How difficult
would it be to pass this for an average experienced person?

Thanks in advance for all your inputs.

Regards
Kailash 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71063&t=71048


RE: 3745 stumper [7:71146]

2003-06-23 Thread Mark W. Odette II
Could it be the CSU/DSU?!?!

Not like that hasn't happened before.

Just an Idea...

-Original Message-
From: Puckette, Larry (TIFPC) [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2003 11:24 AM
To: [EMAIL PROTECTED]
Subject: 3745 stumper [7:71146]

I'm resending to correct myself. - The routers crash with either inbound
or outbound, 200-300kbps traffic through the DSU and Internet access.
--- should have proofread before sending and gotten this correct on the
first send. !!!
__-
Hi all, I don't normally have anything to actively contribute, so I just
lurk and learn. But, we have one now that may generate interesting
conversation. We are installing a new Internet access and have Cisco
3725 routers. The internal DSU has BNC connections to the DS3. We are
using PPP protocol. While testing, everything seems fine until
approaching 200-300kbps. The traffic is HTTP and HTTPS. The routers
crash under the slightest stress of traffic. The symptoms are constant
for both the primary and the secondary routers. TFTP traffic through
internal interfaces causes no problems, only traffic that is outbound
through the DSUs towards the DS3. The IOS versions have been upgraded to
current and then downgraded to less current while troubleshooting. Cisco
is now looking into IOS problems, but I thought I'd throw this out there
for all you GURUs and give you a chance at it too.

Have a GREAT day and thanx tons for the forum. 

Larry Puckette
Senior Network Analyst
Temple Inland/Austin Data Center
512/434-1838
[EMAIL PROTECTED]

Where the only idol is money and power, there is no hope for integrity.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71157&t=71146


RE: how about ccie salary in US? [7:71143]

2003-06-23 Thread Mark W. Odette II
That being said... I think the OP would just like a general answer.

Ball-park figures aren't lies, as long as they are indicated as
ball-park figures.

It's not a lie if you just simply state/indicate what the average figure
is that you've seen in your area.

So, if someone can contribute such an answer, let them do so.  I'm sure
the OP was just trying to get a general idea- Scholar or not.

Geeesh... sometimes it amazes me how simple answers are so hard to come
by on this list.

No offense intended NRF.

As for myself, I don't know what the going salary/consulting rate is in
the D/FW area of Texas for a CCIE... So I can't comment on such.

-Mark
-Original Message-
From: n rf [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 23, 2003 7:39 PM
To: [EMAIL PROTECTED]
Subject: Re: how about ccie salary in US? [7:71143]

- jvd wrote:
> 
> I wonder if anybody is going to have anything positive to say
> about this post?

So basically, you want us to lie, eh?  ;->.  

Seriously, CCIE salaries have been down for a while and any honest
discussion about salaries is going to be necessarily negative.  When
something's black, it would be a lie to call it white.

As far as the original question, so much depends on your experience
level, the geographical location, things like holding a degree (or not).
Strong candidates that have lots of experience, are well educated, and
are in places can still pull nice salaries.  But I'm also aware of
CCIE's applying for positions that pay less than 30k - and not getting
them.  The point is that the CCIE by itself guarantees nothing.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=71206&t=71143


RE: POS interface of CISCO7204 [7:55623]

2002-10-15 Thread Mark W. Odette II

This could be too simple, but have you performed a 'WR MEM' on this bad
boy?!?!  I assume you find this interface to be shut after a reboot of
the router, whatever the cause of the reboot is.

IF this router gets its config from a TFTP Server, I'd update the config
file on the TFTP server to resolve the issue.

Mark

-Original Message-
From: mao mao [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 15, 2002 4:47 AM
To: [EMAIL PROTECTED]
Subject: POS interface of CISCO7204 [7:55623]

Hi, group

I use the POS (packet over SDH-115M) interface with CISCO 7204 to access
the internet network.

Following is the configuration of the POS interface:
interface POS2/0
 description Connected to internet outside
 bandwidth 45000
 ip address 211.x.x.x 255.255.255.252
 encapsulation ppp
 shutdown
 crc 32
 pos framing sdh
 pos flag s1s0 2


Problem: the POS interface often shuts. Why?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55654&t=55623



RE: can't ping windows XP machine [7:55767]

2002-10-16 Thread Mark W. Odette II

Personal Firewall == Internet Connection Firewall

Disable the Internet Connection Firewall on both XP workstations, and
then reboot the computers.  If this doesn't solve your problem, there is
something else wrong with the XP workstation for it to be filtering PING
tests.


-Original Message-
From: Sim, CT (Chee Tong) [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 17, 2002 12:13 AM
To: [EMAIL PROTECTED]
Subject: Re: can't ping windows XP machine [7:55767]

Hi.. My friend told me he has enabled the "internet connection firewall"
under "Local Area Connection Properties"->Advanced tab.  Is there any
other firewall setting on Win XP, e.g. the "Personal Firewall" that you
are referring to? If yes, where is it? Sorry I am not that familiar with
XP.

Answer to Nathan: We got a request timed out

-Original Message-
From: Jason Viera [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 17, 2002 11:12 AM
To: "Sim, CT (Chee Tong)"
Subject: Re: can't ping windows XP machine [7:55767]


Disable the personal firewall!
Jason

From: Nathan Nakao [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 17, 2002 11:48 AM
To: [EMAIL PROTECTED]
Subject: RE: can't ping windows XP machine [7:55767]


Do you get a "Ping time out" or "Destination Unreachable"?

- Original Message -
From: ""Sim, CT (Chee Tong)"" 
Newsgroups: groupstudy.cisco
Sent: Wednesday, October 16, 2002 7:42 PM
Subject: can't ping windows XP machine [7:55767]


> Hi..  My friend bought two PCs with Windows XP and linked them up with
> a cross cable.  But he found that they can't ping each other.  I have
> found the following things are correct.
>
> 1)   both IPs in same subnet
>
> 2)   cross cable has no problem
>
> 3)   both NICs have been set to same speed and duplex or even both
> auto, but still not working
>
> 4)   both NICs have a light when the cable is connected
>
> 5)   when I used a fluke meter to test the connectivity by connecting
> directly to one of the windows XP PCs, I found the windows XP PC can
> ping the fluke but the fluke can't ping the windows XP PC.
>
> What I can think of is that the windows XP may have some security
> setting (kind of firewall) to prevent others from pinging it, but it
> has no problem pinging others, but my friend told me he has disabled
> the firewall service.  What can you think of?
>
> Thanks a lot
>
> ==
> The information contained in this message may be confidential and is
> intended to be exclusively for the addressee. Should you receive this
> message unintentionally, please do not use the contents herein and
> notify the sender immediately by return e-mail.
> ==




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55781&t=55767



RE: PIX License Help! [7:56060]

2002-10-21 Thread Mark W. Odette II
This 10/50 user license config is only for the PIX 501... which is
targeted at SOHO's and other Small Businesses with simple networks.

HTH's

-Mark

-Original Message-
From: Juli Hato [mailto:julihato@;hotmail.com] 
Sent: Tuesday, October 22, 2002 1:28 AM
To: [EMAIL PROTECTED]
Subject: PIX License Help! [7:56060]

Dear Ciscoer,

Just wanna know why Cisco PIX also has a user licensing method?
AFAIK Cisco only sells the Restricted and Unrestricted License. Can
anyone here explain this for me?

10-User License
The Cisco PIX 501 Firewall 10-user license supports up to 10 concurrent
source IP addresses from your internal network to traverse through the
PIX 501. The integrated DHCP server supports up to 32 DHCP leases.

50-User License
The Cisco PIX 501 Firewall 50-user license supports up to 50 concurrent
source IP addresses from your internal network to traverse through the
PIX 501. The integrated DHCP server supports up to 128 DHCP leases. As
your needs grow, a 10-to-50 user upgrade license is also available,
which allows you to extend your investment in PIX 501 equipment.

Best Regards,
HATO








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56064&t=56060



RE: PIX License Help! [7:56060]

2002-10-22 Thread Mark W. Odette II
50 == 50, not 50 == 80... 

150+ users can be behind a PIX 501 with a 50 user license enablement,
but only a maximum of 50 concurrent higher-security zone ip hosts can
conduct communications across the "internet"/least-secure interface of
the PIX.

AFAIK, all other PIX models only have the restricted/unrestricted
specification for connection licensing... and don't quote me on this,
but I believe the Restricted License covers 10,000 concurrent
connections through the "internet"/least-secure interface.

-Mark

-Original Message-
From: Juli Hato [mailto:julihato@;hotmail.com] 
Sent: Tuesday, October 22, 2002 9:25 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX License Help! [7:56060]

Hello all,

Is it possible to have 100 users, of which 80 want to go to the Internet
(passing through the PIX)? Can a 50-user license cover the 80 users
passing through the PIX?

Best Regards,
HATO


>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: RE: PIX License Help! [7:56060]
>Date: Tue, 22 Oct 2002 14:39:17 -0400
>
>The DHCP is for people who do not have a DHCP server on their network.
>At some companies not everyone needs to go out on the internet.
>Therefore, 50 users could and everyone on your 100 user network can get
>an ip address. Remember licensing is pure profit. The unrestricted is
>the cheapest way in the long run but it all depends on your budget as
>to how you want to go.
>
>Steve
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56121&t=56060



RE: Server Inventory System [7:56240]

2002-10-25 Thread Mark W. Odette II
Doug-

I don't know how well it scales (you'll have to look into it more), but
one of my clients is using the software from the following company to do
what you're talking about... my client, of course, is on a smaller scale
though.

http://www.blueocean.com/alternate.asp

-Mark

-Original Message-
From: Doug Korell [mailto:nobody@;groupstudy.com] 
Sent: Friday, October 25, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: OT: Server Inventory System [7:56240]

I'm looking for something already out there that can keep an inventory
of servers, contact names, documentation, etc. Instead of having a
database for server hardware specifics, a folder for documentation, it
would be nice to bring it all together. I'm not looking for something to
actually detect hardware like Landesk or SMS.

I wonder what companies are doing that have 100's or 1000's of servers.
They must be able to manage all aspects of their servers in one central
location where anyone can find it. Something better than a share on a
server.

Anyone know of something already for sale? It would save a lot of time
not to have to write it in house.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56309&t=56240



RE: Lock out by PIX [7:56342]

2002-10-25 Thread Mark W. Odette II
... to keep from being locked out, you should remove the crypto map from
the interface, i.e., "no crypto map  interface outside".

This will kill any new crypto sessions from being initiated, and I am
not sure if it also kills the current crypto sessions, but it will keep
you from being locked out.  If you don't do this, you will experience
the problem you are having.  The PIX is still functioning, and doing its
job; it's just doing its job extra well now because it has no crypto
definitions to run against in its process of analyzing packets coming in
from the outside.

Bounce the PIX (by calling someone to do it for you), and you should
have your access restored.

-Mark 
-Original Message-
From: Leo Song [mailto:lsong@;dataphile.ca] 
Sent: Friday, October 25, 2002 11:02 PM
To: [EMAIL PROTECTED]
Subject: Lock out by PIX [7:56342]

Hi, there.

I connected to a PIX through the Outside interface by using SSH, and to
do some changes on the VPN tunnel, first of all I removed the "crypto
map xxx match address xxx" in order to change that ACL, but just after
that I was locked out and lost the connection to that PIX, and now I
can't even ping that PIX while I could do so before, and my concerns and
questions are:

1. is that PIX still working "properly", say the users could get access
Outside from Inside, and it just locks SSH out or any access from
Outside?

2. what are the generally suggested methods or steps when dealing with
ACL or Tunnel changes on a PIX, in order to avoid being locked out?

3. is there any remedy solution at present (I don't have physical
access to that PIX right now)?


Appreciate all of your help.

Leo
Best Regards.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56343&t=56342



RE: ack attack or config prob? [7:56341]

2002-10-26 Thread Mark W. Odette II
I don't have an answer to your question, though it does sound like a DoS
attack to me...

My only input is that if you are running NT 4.0 Servers, definitely
ensure they are running Service Pack 6a, which you can get from MS's
site.  Also, if you are running Exchange, make sure you have SP 4
installed, as it fixes several issues relating to some critical Exchange
functions.  For more info, review the release notes for both service
packs before installing.

Let us know what the ISP's security folks find... this would be an
interesting learning experience.

-Mark
-Original Message-
From: Garrett Allen [mailto:garrett.allen@;erols.com] 
Sent: Friday, October 25, 2002 10:51 PM
To: [EMAIL PROTECTED]
Subject: ack attack or config prob? [7:56341]

heys,

ran into something interesting today.  not sure if it is a dos attack or
if it indicates an ip stack misconfig. here is the symptom:

periodically through the day today we received 100,000 packet bursts on
a t-1 circuit.  this is a name-brand provider.  when the burst occurs it
is from the same ip address.  on some bursts the packets are all acks.
on others they are all fin acks.  they are directed at our email
servers.  when they occur the packets in a burst are all sourced from
the same ip address.  in the one case where we resolved the ip address
back it was another org's email server.  based on the router interface
stats the traffic is coming from the outside and is not an internal
broadcast storm.

per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer
will retransmit the SYN-ACK 5 times, doubling the time-out value after
each retransmission."   if the same logic holds for other parts of the
handshake then i'm at a loss to explain tens of thousands of packets
unless it is an exploit of a weakness in the stack that allows for
virtually unlimited retries.

anyone run into this kind of situation before and was the resolution a
service pack or other such server upgrade?  it caused considerable
slowness on external accesses as you might imagine.  i grabbed a number
of traces documenting it and we did contact our provider (they opened a
ticket with their security folk).

thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56360&t=56341
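The burst Garrett describes (tens of thousands of bare ACK or FIN-ACK segments from a single source address, all aimed at the mail servers) is easy to pick out of a trace once you look for that exact shape. What follows is an added example, not from this thread: a Python script that parses tcpdump-style one-line summaries (the capture lines are constructed here, using RFC 5737 documentation addresses) and alerts on any source/destination pair that sends at least a threshold number of payload-less ACK-only or FIN-ACK segments inside a one-second window. The line format, threshold and window are assumptions; the script only detects the pattern, it does not tell you whether the sender is a broken stack or a deliberate flood, which is the question Garrett's provider ticket has to answer.

```python
import re
from collections import defaultdict

# Constructed regex for tcpdump's one-line TCP summary, e.g.
# "22:14:01.000123 IP 203.0.113.10.25 > 192.0.2.5.25: Flags [.], ack 1, win 8192, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

# tcpdump flag strings for a bare ACK and a FIN+ACK.
BARE_FLAGS = {".", "F."}


def parse_line(line):
    """Parse one tcpdump summary line into a dict, or None if it is not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hours, minutes, seconds = m.group("ts").split(":")
    return {
        "ts": int(hours) * 3600 + int(minutes) * 60 + float(seconds),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
        "length": int(m.group("length")),
    }


def detect_bursts(lines, threshold=100, window=1.0):
    """Alert on (src, dst) pairs that send at least `threshold` payload-less
    ACK-only or FIN-ACK segments inside any `window` seconds.  A healthy
    peer has no reason to send hundreds of bare ACKs per second toward a
    mail server that is sending it nothing; a retransmit loop or a flood
    does.  threshold and window are assumptions, tune them to the link."""
    by_pair = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["flags"] in BARE_FLAGS and pkt["length"] == 0:
            by_pair[(pkt["src"], pkt["dst"])].append(pkt["ts"])

    alerts = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):            # sliding window over timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"src": src, "dst": dst,
                           "peak_per_window": peak, "total": len(stamps)})
    return alerts


def constructed_capture():
    """Constructed capture: 300 bare ACKs from one outside host to the mail
    server within 300 microseconds, then a normal SMTP handshake and one
    non-TCP line.  Addresses are RFC 5737 documentation ranges."""
    lines = [
        f"22:14:01.{i:06d} IP 203.0.113.10.25 > 192.0.2.5.25: "
        "Flags [.], ack 1, win 8192, length 0"
        for i in range(300)
    ]
    lines += [
        "22:14:01.500000 IP 198.51.100.7.40001 > 192.0.2.5.25: Flags [S], seq 1, win 65535, length 0",
        "22:14:01.500100 IP 192.0.2.5.25 > 198.51.100.7.40001: Flags [S.], seq 2, ack 2, win 8192, length 0",
        "22:14:01.500200 IP 198.51.100.7.40001 > 192.0.2.5.25: Flags [.], ack 1, win 65535, length 0",
        "22:14:01.501000 IP 198.51.100.7.40001 > 192.0.2.5.25: Flags [P.], seq 1:20, ack 1, win 65535, length 19",
        "22:14:02.000000 IP 192.0.2.5.123 > 198.51.100.7.123: UDP, length 48",  # ignored: not TCP
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_capture()):
        print(alert)
```

Feed it the text output of "tcpdump -nn tcp" saved during the next burst; the single alerting pair gives the provider the source address and the count, and the per-window peak separates a genuine stack retry loop (bounded, spaced out) from a flat-out flood.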



RE: how to telnet to other FROM PIX? [7:56435]

2002-10-29 Thread Mark W. Odette II
Kenny,

...Never having worked on a PIX that didn't have any Encryption
installed, I wouldn't know if it is absolutely true that you have to
have it just to use the GUI, but if the requirements are such, then you
need to go onto Cisco's website and apply for the free DES license key.

After that, if you want to connect to a remote PIX using the GUI, you
will need to follow the cook-book solution Cisco has posted on CCO for
establishing a VPN tunnel between the two PIXen in question, and then
you can use the GUI to remotely manage the other PIX.  Your best bet is
to just forget about the GUI for now, and set up SSH on each PIX, and
connect using that.  Learn the CLI well, and then use the GUI for all it
really is good for- Monitoring functions.

My biggest pet peeve is that the GUI does not support ALIAS commands in
your PIX config... as well as a few other such items that are more
advanced.

For the time setting, just set the clock using the following syntax:

Usage:  clock set <hh:mm:ss> { <month> <day> | <day> <month> } <year>

clock summer-time <zone> recurring [ <week> <weekday> <month> <hh:mm>
   <week> <weekday> <month> <hh:mm> ] [<offset>]

clock summer-time <zone> date { <day> <month> | <month> <day> } <year>
<hh:mm> { <day> <month> | <month> <day> } <year> <hh:mm>
[<offset>]

no clock summer-time

clock timezone <zone> <hours> [<minutes>]

no clock timezone

show clock [detail]


Hope that helps.

Mark
-Original Message-
From: Kenny Smith [mailto:fwdog@;hotmail.com] 
Sent: Wednesday, October 30, 2002 12:04 AM
To: [EMAIL PROTECTED]
Subject: RE: how to telnet to other FROM PIX? [7:56435]

Hi..  Thanks for your information.  I think I didn't fulfil the following
two requirements in order to connect to the PIX via GUI.

  e. The PIX Firewall clock is set to UTC. To determine if the PIX Firewall
clock is set to UTC, enter the show clock command and check the output.

singpix01(config)# sh clock
06:54:07 Oct 30 2002

May I know how to set clock to UTC, I found that I can't set the timezone.
Why do we need to set the clock to UTC in order to connect PIX via GUI?

   f. You have the activation key to use DES or above.

I don't have it as shown below.  Do I need to buy it?
singpix01(config)# sh ver

Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)

Compiled on Thu 17-May-01 20:05 by morlee

singpix01 up 9 days 22 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.6bf6.e752, irq 11
1: ethernet1: address is 0003.6bf6.e753, irq 10
2: ethernet2: address is 00e0.b603.4830, irq 9
3: ethernet3: address is 00e0.b603.482f, irq 9
4: ethernet4: address is 00e0.b603.482e, irq 9
5: ethernet5: address is 00e0.b603.482d, irq 9

Licensed Features:
Failover:   Enabled
VPN-DES:Disabled
VPN-3DES:   Disabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards: Enabled
Websense:   Enabled
Throughput: Unlimited
ISAKMP peers:   Unlimited

Serial Number:  (XXX)
Activation Key: X

>From: "Ritchie, Brian" 
>Reply-To: "Ritchie, Brian" 
>To: [EMAIL PROTECTED]
>Subject: RE: how to telnet to other FROM PIX? [7:56435]
>Date: Tue, 29 Oct 2002 09:54:03 GMT
>
>The PIX does not support telnet in the same way that a router or switch
>does, you can telnet to the PIX but you cannot telnet from it to other
>hosts.
>
>To manage the PIX using a web browser you use HTTPS not HTTP, so the 'url'
>would be https://PIX_IP_Address. This will allow you to browse to it
>assuming all other configuration tasks have been completed. If you are still
>having problems visit
>http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/pdm_in/improve.htm#xtocid1
>for more help.
>
>Hope this helps, Brian
>
>
>-Original Message-
>From: Kenny Smith [mailto:fwdog@;hotmail.com]
>Sent: 29 October 2002 06:56
>To: [EMAIL PROTECTED]
>Subject: how to telnet to other FROM PIX? [7:56435]
>
>
>Hi.. May I know how to telnet to other hosts FROM the PIX firewall, when I
>type the following, it gives me no available command
>
>singpix01# telnet 10.100.100.49
>Type help or '?' for a list of available commands.
>
>Besides, can I manage the PIX with the web interface by pointing my web
>browser to the following.  http://PIX_IP_ADDRESS.  But it doesn't work
>
>I thought below is the necessary config, and 10.100.100.199 is my
>workstation IP
>
>http server enable
>http 10.100.100.199 255.255.255.255 inside
>
>

RE: Cisco IOS 12.2.12a [7:56650]

2002-10-31 Thread Mark W. Odette II
I think the version of IOS in the LAB is 12.1(5T).  Chuck could confirm
this, as well as I believe it is on the CCO site.

As for what Feature Set- Again, Chuck should have the answer... :)

Mark

-Original Message-
From: Sam S. [mailto:ao.ut@;comcast.net] 
Sent: Thursday, October 31, 2002 9:50 PM
To: [EMAIL PROTECTED]
Subject: Cisco IOS 12.2.12a [7:56650]

I am putting a ccie lab together for R/S. I have a 2501, 2502, 2503 and 2504
router.

From the latest 12.2.12a IOS list below what do you recommend for me to
upgrade to?

IP/IBM/SNASW
REMOTE ACCESS SERVER
IP/IPX/AT/DEC
IP/IPX/AT/DEC/FW PLUS
IP/IPX/AT/DEC PLUS
ISDN
IP
IP/FW PLUS IPSEC 56
IP PLUS IPSEC 56
IP/FW
IP PLUS
IP/H323
ENTERPRISE PLUS
SERVICE PROVIDER
SERVICE PROVIDER WITH PT/TARP

Thanks in advance. Sam




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56654&t=56650



RE: configuring NTP [7:56811]

2002-11-04 Thread Mark W. Odette II
... even better yet... I've yet to see the clock-period command
"automatically generate" after setting up NTP on a Cisco Router.  Is
there a specific version of IOS I should observe this behavior in??

-Mark

-Original Message-
From: Tony Chen [mailto:tonychen@;ballfoundation.org] 
Sent: Monday, November 04, 2002 9:26 AM
To: [EMAIL PROTECTED]
Subject: configuring NTP [7:56811]

I found the reference to the NTP command which states the need to remove one
of the commands when copying the config file (I still don't fully understand
why):

=
Caution   The ntp clock-period command is automatically generated to reflect
the constantly changing correction factor when the copy
running-configuration startup-configuration command is entered to save the
configuration to NVRAM. Do not attempt to manually use the ntp clock-period
command. Ensure that you remove this command line when copying configuration
files to other devices.
=


If anyone knows why they suggest removing this command, please explain.
I thought the start-up config is only passively stored in the NVRAM and
waiting to be copied to running-config.

Tony




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56813&t=56811



RE: 1548-M Cisco Micro Switch [7:56902]

2002-11-05 Thread Mark W. Odette II
If it weren't for the hum of all the other machines, I MIGHT hear
mine... but to answer your question, it's pretty quiet. :)

Regards,
-Mark

-Original Message-
From: Symon Thurlow [mailto:sthurlow@;webvein.com] 
Sent: Tuesday, November 05, 2002 8:44 AM
To: [EMAIL PROTECTED]
Subject: 1548-M Cisco Micro Switch [7:56902]

Hi Guys,

Has anyone used a 1548-M switch before? Are they quiet? :)

Cheers,

Symon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56951&t=56902



RE: PIX site-to-site VPN question... [7:57648]

2002-11-18 Thread Mark W. Odette II
The only way that you could put private addresses on the OUTSIDE
interface of the PIX (Site A), and still successfully set up a Tunnel to
another PIX across the internet that is behind an edge router of your
own control (Site B), is to build a GRE Tunnel between the Edge Routers.

EX:                          Public Addresses
PIX1(outside)---(e0)R1(e1)------INTERNET------(e1)R2(e0)---(outside)PIX2
Pvt. Addresses               G  R  E  Tunnel               Pvt. Addresses

If you tried to set up NAT on the two Edge Routers to Static Translate
for the PIX Hosts on their outside interfaces, the Tunnel would never
establish.  Even though you would define the Crypto Peer as a public
address, when the packet arrives at the far side, it would have the
private address headers, and thus the tunnel would never come up, and is
why you would need a GRE Tunnel between the two routers to use private
addresses between the two PIXen end-points.


I have set up the scenario you speak of in production, but the ISP
assigned a /30 for the routers connecting to the ISP, AND they assigned
/27's for the customer's own use.  So, with this, I configured the S0
interfaces of each router as part of the /30's, and configured the Fa0
interfaces of the Routers and the Pix Outside interfaces as hosts in the
/27 blocks that were assigned to each site, while creating a PAT pool
and NAT statics for appropriate hosts behind the PIX.  The "Inside"/DMZ
side of the PIXen were configured with RFC1918 addresses.  Site to Site
VPN's were established using the Public IP addresses on the "Outside"
interface of each PIX.

HTH's
Mark

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

thanks for your help, elijah...however, i think you are still missing the
full point of my question...i am looking for a complete solution rather
than just 'what's possible' at different points in the network.

i did mean to use a /29 in my example.  i used that b/c if i was only
given one IP address from my ISP, and used it for the outside interface
of the PIX (as you suggested), then how do i configure the perimeter
router?  what IP addresses does that use?

let's go with this example to answer my question for now--with using
public addresses.  just fyi, however, here is a diagram on CCO which
uses private addressing on the outside interface of the PIX in a VPN
solution (doesn't show the perimeter routers, though)...

thanks,

ed

-Original Message-
From: Elijah Savage III [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 8:13 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


You have to use the public ip addresses as I stated in my last email;
private is non-routeable on the net, though I have seen sprint route
private by mistake from time to time :)

But that is not what confused me, what is confusing me is your ip
addressing problem: do you have one? A /29 is a 255.255.255.248 subnet
mask which will give you 6 usable addresses. So I am not sure I see a
problem unless you want to use private on the outside, then yes you have
a problem.

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


okay, i should have explained better...sorry

let's break my point down to a digestible limit...

at this point i want to know how to set up the site-to-site VPN tunnel
between the two PIX's, if i use private addressing on the outside
interfaces of the PIX's.  

if both of the outside interfaces of the PIX's use 192.168.x.x
addresses, then what is the address i would use in the 'crypto map peer'
statement?  if it's the 192.168.x.x address of the other PIX's outside
interface, how does the PIX know how to get there?  you follow?

the perimeter router doesn't route private addresses, so how would it
know how to get to the other PIX?

that's why i'm assuming that the public addressing has to include the
PIX outside interfaces, but if this is so, how do you configure the
perimeter router?

thanks,

ed

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Oh yeah, with the limited address space the correct term I meant to use
is PAT, not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NAT'd to that one global address.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
> 
> You should use private addressing behind the pix and use static's from

> the /29 to m

RE: VoIP Question AGAIN... [7:57747]

2002-11-20 Thread Mark W. Odette II
Andrew-

Without having done this, I could be wrong, but from your excerpt "You
can think of the ephones with the numbers that were assigned to the
ephone-dn's as FXS ports on the routers.", I would say then that all you
have to do is create your dial-plan, and then define VOIP Dial-peers
with the destination target being the IP address of the IP Phones.  If
it is that simple, then you will be up and running in a heartbeat.

Be sure and look at cisco's router to router (FXS to FXS) dial-peer
samples to get an idea of your syntax.  You may have to play around with
voice quality settings though.

Good luck

Mark (Aspiring AVVID Engineer/Architect) :)
-Original Message-
From: Andrew Dorsett [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 20, 2002 8:07 AM
To: [EMAIL PROTECTED]
Subject: Re: VoIP Question AGAIN... [7:57747]

Bruce -
Actually I'm not missing any pieces.  Check out this link on the CCO to
see exactly what I'm trying to accomplish:
http://www.cisco.com/en/US/tech/tk652/tk701/technologies_configuration_example09186a00800ffdcc.shtml#background

The router (3640,etc) utilizes the ITS feature set to act as the call
manager for the network and create a small IP Key system without a few of
the call manager features that I don't need in this case.  And yes I want
to use the 79xx phones behind the switch that I didn't mention is behind the
router.  I will use the FXO ports on the router to plug the incoming lines
into.  The page shows everything from how to do hold music to how to
configure the phones XML interface.  However it leaves out the PSTN setup
section which is where I'm stuck at.  I think I can do a session target to
the ephone-dn but I'm not sure of the syntax.

"Configuring the PSTN Connection on the Cisco ITS Router
Assuming that the ITS router has voice interface cards, you will now want
to configure those cards so that calls can be placed to and from the IP
phones.  This is not significantly different than other voice connections
on a router.  You can think of the ephones with the numbers that were
assigned to the ephone-dn's as FXS ports on the routers."

Thanks,
Andrew

On Wed, 20 Nov 2002, Bruce Enders wrote:

> Andrew,
> You are asking how to set something up without all the pieces necessary
> to make it work. And you are describing developing a dialplan that does
> not adhere to common conventions. That part is okay, you can define how
> you route calls in-to and out-of your own voice network pretty much any
> way you want.
> The 3640 with an analog FXO is okay to act as a gateway to the PSTN. The
> same router with FXS VIC ALSO will allow you to connect and originate
> calls internally. However, you state you want to place "VOIP" phones on
> the network behind the 3640. What "VOIP" phones would those be? If you
> mean 79XX series IP Telephones from Cisco, you also need a CallManager
> Server to control those phones.
> As far as the dialing rules in this network, it is up to you what you use
> to direct calls out to the world. Using "9" to classify all telephone
> numbers that follow it as being sent to the PSTN is a convention not a
> rule. The only real rule is that you have to give the system the means to
> route a call based on what the User dials. AND, if you are handing the
> call off to the PSTN or any other telephone switch, you have to give that
> switch the call routing information (telephone number) that it needs to
> route the call.
> Incoming calls are a whole different topic. Try reading one of the many
> VoX books that are now available.
> Hope this helps,
> Bruce
>
> Andrew Dorsett wrote:
>
>   Second call for this one.  I never received any answers to my question.
>   I want to know how to setup the link between the VoIP phones and the
>   FXO's.  Basically a dialplan, but how do I route inbound calls from the
>   PSTN to the VoIP phones?  And how do I route outbound calls from the
>   VoIP phones over the FXO to the PSTN?  I would like to avoid a system
>   that uses 9 to dial an outside line.  I want to do direct dialing to the
>   PSTN without any special steps.
>
>   Thanks,
>   Andrew
>
>   On Thu, 14 Nov 2002, Andrew Dorsett wrote:
>
> Hey everyone, I'm playing with an idea.  I want to get ahold of a 3640
> with FXO's and interface it to the PSTN and connect to some VOIP phones on
> a network behind it.  I have done all of my research on the CCO and have
> found how to configure everything for phone connection and FXO
> configuration.
>
> However I haven't found out how to configure dialplans to dial the outside
> world.  I basically need one that would say "all 4 digit dialed calls are
> VoIP phones and all other numbers are outside PSTN phone numbers." And
> another question that I haven't found is how to link inbound calls from
> the PSTN to my VoIP phones.  Say I have 555-1221 for one line and I want
> it as line 1 on my phones, and
> 555-1234 as the other line on my phones.  I haven't found

RE: OT: Is it worth it to pursue CCIE R&S and CCIE Security [7:57971]

2002-11-23 Thread Mark W. Odette II
"It's that telephone-looking-thingy that plugs your computers, routers,
switches, etc. into each other, and it's carrying electrical current
that is considered 'low-voltage', so it won't kill you if you put your
tongue on the end of it at just the moment it's being charged with an
electrical pulse... OK, can we get back on topic of how to perform
password recovery?!" 

:)

 (Pondering to one's self... "I wonder if I could be a good CCNA
teacher... hmmm...")


-Original Message-
From: The Long and Winding Road
[mailto:[EMAIL PROTECTED]] 
Sent: Saturday, November 23, 2002 2:31 PM
To: [EMAIL PROTECTED]
Subject: Re: OT: Is it worth it to pursue CCIE R&S and CCIE Security
[7:57959]

""B.J. Wilson""  wrote in message news:[EMAIL PROTECTED]...
> I agree.  If you have some janitor who's been saving up for months or years
> to be able to afford your class, and he asks what a Cat 5 cable is, what do
> you say?  "Sorry, I will not answer that question"?  How unprofessional.


CL: the question in my mind is at what point do the digressions interfere
with the learning process? Unfortunately, I have been in far too many
classrooms where the non sequiturs and the digressions take too much away
from the topics that most students are there to learn.

CL: besides - other than the fact that there is such a thing as cat 5 cable,
what more needs to be said, particularly in a routing class? should the
teacher stop and discuss the intricacies - the history of twisted pair, the
different TP categories, the number of twists per inch, the low down ieee
standard, the physics of the wire? because that's really the answer to the
question. Not really relevant to routing, network addressing, and other CCNA
topics.



>
> BJ
>
>
> - Original Message -
> From: "Alan"
> To:
> Sent: Saturday, November 23, 2002 2:57 PM
> Subject: Re: OT: Is it worth it to pursue CCIE R&S and CCIE Security
> [7:57954]
>
>
> > If you aren't teaching what a CAT 5 cable is or what a network is, then
> > you aren't teaching the CCNA course as Cisco lays it out . Maybe your
> > fault doesn't lay with the student but the teachers..?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57971&t=57971



RE: off topic: Win2K 802.1q support? [7:57979]

2002-11-25 Thread Mark W. Odette II
... Actually, the Intel Pro/100+ NIC with the 82559 Controller chip
supports 802.1q VLAN-aware communications.

I believe the original poster was asking about what specific Intel NICs
support 802.1q VLAN management at the workstation.

In any case, check out the following link, and look for drivers from
there.

http://www.intel.com/network/connectivity/products/pro100mgmt.htm


-Mark
BTW- Some Intel NICs appear to only support ISL encapsulation, while
others look like they only support .1q encapsulation.  Be sure to look
closely!

-Original Message-
From: puro prasad [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 25, 2002 1:17 PM
To: [EMAIL PROTECTED]
Subject: RE: off topic: Win2K 802.1q support? [7:57979]

Hi,
VLANs are NOT created on the PC. U need to create them on a switch.
if ur connecting the win2k box to an access port on the switch, no special
lan card is required. What u have should work.
802.1q is a trunking protocol which will allow a trunk to carry more than
one VLAN. There's nothing like 802.1q VLAN.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58058&t=57979



RE: Cisco DTE/DCE Cable [7:58103]

2002-11-26 Thread Mark W. Odette II
Check out the following, as it may be cheaper than building your own...

http://www.kg2.com/dbcrosdtedca.html

Another vendor would be Anthonypanda.com...

You can't beat 30.00 in my opinion...

-Mark

-Original Message-
From: Reza Sharifi [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 26, 2002 7:46 AM
To: [EMAIL PROTECTED]
Subject: Cisco DTE/DCE Cable [7:58103]

I am looking for the pinouts for DB60 (DTE) to DB50 (DCE).  The cable is
configured as DB60 (DTE) to DB50 (DCE).  I need to switch it due to device
configuration issues. (my 2522 is my frame relay switch and needs to be DCE)
Can someone point me in the right direction?  I checked CCO, but have not
been able to find this particular configuration.

Thanks in advance.

Reza




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58106&t=58103



RE: I seems Confused.....Peer-to-to TCP/IP Network [7:58255]

2002-11-28 Thread Mark W. Odette II
Check your subnet masks for each computer.
Either specify Computer B as the default gateway for Computer A and
vice-versa, or don't specify a default gateway at all.

After that, you have to configure the lmhosts/hosts files if you want to
resolve machine names between each other (quickly).

Verify that your cross-over cable is good, or plug each computer into a
hub/switch.

It's that simple.

Cheers!
-Mark

-Original Message-
From: Godswill Oletu [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, November 28, 2002 6:26 PM
To: [EMAIL PROTECTED]
Subject: I seems Confused.Peer-to-to TCP/IP Network [7:58255]

Hi all,

Where am I going wrong? Has anyone implemented a Peer-to-Peer network
involving just two computers with ONLY TCP/IP Protocol?

I have been trying to do it but keep failing. NetBEUI is working fine, I
can transfer files in between both computers. But TCP/IP protocol is not
working across. Am trying to connect a Windows NT to Windows 98 Machine. I
used the normal cross over cable (1-3, 2-6, 3-1, 6-2) connection. localhost
pings alright, IP-address to each machine can be pinged from that very
machine only.
Hosts files have been edited and it is resolving fine...but I can ping one
machine from the other.

I have double checked everything but cannot figure out what's happening. I
know I have been implementing peer-to-peer networks but I had not gotten
into this kind of scenario..

Any forethought would help, thanks

Godswill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58257&t=58255



RE: I seems Confused.....Peer-to-to TCP/IP Network [7:58255]

2002-11-29 Thread Mark W. Odette II
Oletu-
What you are trying to do is not impossible.  Many of us do this all the
time to migrate data from one machine to another without burdening the
Hub-based LAN or if the computer is all by itself and is being upgraded.
Case in point is the situation where a Win9x/Pentium 166Mhz workstation
is being replaced with a Windows XP/Pentium III 1.8Ghz workstation...
NetBEUI isn't a protocol option on XP, as it isn't supported anymore-
So, it's TCP/IP or IPX!

Configuration of each computer is correct; the fact that you can operate
with success running NetBEUI says that your physical layer is also
solid, i.e., NIC's and Cross-over cable.

Next thing to do is (for informational purposes) to 'route print' or a
'netstat -r' at the command line to determine the TCP/IP stack has
proper routing information.  Optionally issue the 'nbtstat -c' or
'nbtstat -r' to see if you are getting any netbios caching...

After collecting this information, I would remove the TCP/IP protocol,
reboot, reinstall TCP/IP protocol, install most recent SP for OS, and
test again...  If that doesn't resolve the problem, then seek out
replacement drivers for the NIC(s).

This pretty much addresses every possibility of failure between two
Windows-based computers that are directly connected to each other with a
cross-over cable.

... One other thought- You wouldn't have some kind of personal firewall
installed/previously installed on either one of these computers by
chance, would you!?!?!

I have seen all kinds of crazy stuff occur on MS boxes that had had any
of the different flavors of "Personal Firewalls" installed, which
usually required complete removal of the TCP/IP protocol, and then
sifting through the networking portion of the registry to recover the
machine.  The alternative was to reinstall the OS from scratch.  The
firewalls in question were the Norton Personal Firewall, the Network
Associates Desktop Firewall, BlackIce, and one other I can't recall the
name of.  Just some extra info to chew on for possibility.

Good luck, and let us know what you find...

-Mark


-Original Message-
From: Godswill Oletu [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 29, 2002 12:04 PM
To: Mark W. Odette II; [EMAIL PROTECTED]
Subject: Re: I seems Confused.Peer-to-to TCP/IP Network [7:58255]

Hi Mark,

I have done all that. The crossover cable is okay. NetBEUI is working fine.
I can see both computers through Network Neighbourhood; copy files from one
computer to the other. Everything about NetBEUI is kool. I have also edited
the hosts/lmhosts files on each computer (this only helps to resolve the IP
Address to the netbios name.)

IP addresses are Computer A=192.168.0.1/255.255.255.0 and Computer
B=192.168.0.2/255.255.255.0

On Computer A, I can ping 192.168.0.1, localhost and 127.0.0.1 and it will
respond fine. On Computer B, I can also ping 192.168.0.2, localhost and
127.0.0.1 and it will respond fine. (TCP/IP stack seems perfectly
installed)!!!

But I cannot ping A from B, neither can I ping B from A.

This is the dumbest thing I have ever done and it is messing me up.

Or is it impossible?


RE: A dumb question (hit me or ignore me ;)) [7:58288]

2002-11-29 Thread Mark W. Odette II
... I was going to suggest verification that Port Security hasn't been
enabled, along with what you suggested :)

-Mark

-Original Message-
From: The Long and Winding Road
[mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 29, 2002 12:13 PM
To: [EMAIL PROTECTED]
Subject: Re: A dumb question (hit me or ignore me ;)) [7:58288]

""deltan""  wrote in message news:[EMAIL PROTECTED]...
> Why can't I directly hook up a laptop to a 6509 switch
> port that enables "stp portfast" (using straight-thru
> cable)?


troubleshooting 101. can you do what you need to do if portfast is NOT
enabled on that port?

there have been well documented problems with NIC's of various sorts. so the
question becomes, what NIC is in your laptop? do you have other laptops that
CAN connect, and if so, what NICS are in those?

HTH



>
> I can't ping anything in the same subnet (as the
> port's VLAN's) and there's no ARP entry in either my
> laptop or in 6509.
>
> Any words will be appreciated. :)
>
> Bill
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58297&t=58288



RE: Re[2]: off topic: Win2K 802.1q support? [7:57979]

2002-11-30 Thread Mark W. Odette II
It has nothing to do with N.O.S; it has to do with what the MANUFACTURER
of the NIC produces for DRIVERS on a given platform!

... and as far as I know, if it is supported on *nix, it definitely is
supported on M$.  The CHIPSET of the NIC depicts what type of VLAN
support is provided- NOT THE O.S.!

The same is true for the ASICs in the Routers and Switches, which is why
some Routers and Switches only support ISL and others support both.

-Mark

-Original Message-
From: thinkworker [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, November 30, 2002 2:05 AM
To: Mark W. Odette II
Subject: Re[2]: off topic: Win2K 802.1q support? [7:57979]

In fact I can make VLANs with Intel Pro10/100 with my FreeBSD box. That
is why I am so curious M$ does not support it.

On Mon, 25 Nov 2002 20:03:41 GMT
"Mark W. Odette II"  wrote:

> .. Actually, the Intel Pro/100+ NIC with the 82559 Controller chip
> supports 802.1q VLAN-aware communications.
> 
> I believe the original poster was asking about what specific Intel
NICs
> support 802.1q VLAN management at the workstation.
> 
> In any case, check out the following link, and look for drivers from
> there.
> 
> http://www.intel.com/network/connectivity/products/pro100mgmt.htm
> 
> 
> -Mark
> BTW- Some Intel NICs appear to only support ISL encapsulation, while
> others look like they only support .1q encapsulation.  Be sure to look
> closely!
> 
> -Original Message-
> From: puro prasad [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, November 25, 2002 1:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: off topic: Win2K 802.1q support? [7:57979]
> 
> Hi,
> VLANs are NOT created on the PC. U need to create them on a switch.
> if ur connecting the win2k box to an access port on the switch, no special
> lan card is required. What u have should work.
> 802.1q is a trunking protocol which will allow a trunk to carry more than
> one VLAN. There's nothing like 802.1q VLAN.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58346&t=57979



RE: FXO ports to connect two PBX's [7:58410]

2002-12-02 Thread Mark W. Odette II
If you have FXS ports on the PBX, then the answer is yes; but as far as
I know, you will either have FXO or E&M ports on the PBX, which means
you need FXS ports on the Routers for the FXO "Cross-Connect", or E&M
ports to cross-connect to the E&M ports on the PBX... don't quote me on
the E&M ports though... it's been quite a while since I looked into E&M
configurations... :)

Of course, once you put the FXS ports on the Routers, you'll need to
develop a dial-plan for routing between the two routers over the FR
link(s).

Good Luck!

-Mark

-Original Message-
From: neil K. [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 02, 2002 1:39 PM
To: [EMAIL PROTECTED]
Subject: FXO ports to connect two PBX's [7:58410]

Hi All,

Can we use FXO ports in routers to connect two locations with PBX's. I have
a PBX at location "A", and a PBX at location "B". I want to run VoIP between
the two locations over a Frame Relay link. Can I use FXO cards in the Router
at Location "A" and FXO on the router at location "B" and have VoIP run
between the sites.

The setup would look like this: PBX to FXO --Frame Relay-- FXO to PBX.
Any help will be highly appreciated.

Thanks,

Neil K.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58421&t=58410



RE: Cisco PDM and Manual configuration [7:58555]

2002-12-04 Thread Mark W. Odette II
The PDM doesn't support commands such as the 'alias' command; if your
config has an unsupported command (from the PDM point of view) in it,
when you load the PDM, it will only let you have access to the Monitor
Tab.  Hopefully, they'll fix this in the next revision... but one can
only hope.

-Mark 

-Original Message-
From: Brian [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 04, 2002 11:27 AM
To: [EMAIL PROTECTED]
Subject: Cisco PDM and Manual configuration [7:58555]

I have a quick question for the group.  Normally I configure
PIX's by hand, manual, straight forward configs.  I seem to
remember that it used to be a no-no to mix manual configuration
of a PIX with PDM configuration, something about PDM
getting confused, or the manual configuration getting hosed
by PDM.  Is it still that way, or is it safe to use PDM and then
from time to time do something manual?

Thanks,

Brian
-- 
---
Brian Feeny, CCIE #8036e: [EMAIL PROTECTED]
Network Engineer   p: 318.222.2638x109  
ShreveNet Inc. f: 318.221.6612




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58599&t=58555



RE: PIX 501 PPOE Verizon [7:58796]

2002-12-09 Thread Mark W. Odette II
Search CCO for PIX CONFIG and PPPOE...

The key to your answer will be with VPDN Group definitions.

HTHs,
Mark

-Original Message-
From: Curious [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 09, 2002 10:01 AM
To: [EMAIL PROTECTED]
Subject: PIX 501 PPOE Verizon [7:58796]

Has any one of you ever used a PIX 501 with a Verizon DSL modem, which uses
PPPoE? How can we specify a user name and password in the PIX 501 so that it
can connect with the Verizon DSL modem.


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58799&t=58796



RE: Dumb question [7:58783]

2002-12-09 Thread Mark W. Odette II
>It's kind of funny that nobody thinks about this. A network of hubs must be
>designed in a hierarchical fashion. I guess that is just second-nature to
>people who grew up with hubs.

I thought about it too (and was shaking my head in the uh-uh fashion), but
was waiting for your reply... :)
(The thought that ran through my head was: O, Priscilla's gonna love this
one, hehehe...)
 
Have a good one!
 
-Mark

-Original Message- 
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Mon 12/9/2002 12:10 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: Dumb question [7:58783]



Jay Dunn wrote:
>
> A "hub" or "repeater" operates at layer 1 and makes no
> intelligent
> decision about what to forward. A packet enters a port and is
> forwarded
> out all other active ports on the hub. The concept of a loop
> only exists
> at higher layers.

A loop could exist at the physical layer too. A newbie could connect the
hubs in such a way that there was a loop. And it could indeed cause problems
due to the fact that a hub doesn't make any intelligent decisions about what
it forwards, as you say, and doesn't participate in higher-layer
loop-avoidance solutions such as STP, Dijkstra, split horizon, etc. There
would be nothing to stop the looping bits. The very idea makes me cringe.
:-)

It's kind of funny that nobody thinks about this. A network of hubs must be
designed in a hierarchical fashion. I guess that is just second-nature to
people who grew up with hubs.

When hubs entered the market they allowed us to move away from the
ubiquitous bus topology and into a star (hub-and-spoke) topology. They
allowed us to start using the structured cabling that AT&T and other vendors
were starting to install, rather than the Christmas-tree-lights topology so
popular with coax cable and so prone to problems. As networks grew, it
became necessary to connect multiple hubs. The term that was often used was
"cascading hubs." Hubs cascaded from other hubs, within the rules related to
Ethernet propagation delay and collision detection.

Priscilla

>
> Jay Dunn
> IPI*GrammTech, Ltd.
> www.ipi-gt.com
> Nunquam Facilis Est
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of
> Han Chuan Alex Ang
> Sent: Monday, December 09, 2002 3:44 AM
> To: [EMAIL PROTECTED]
> Subject: Dumb question [7:58783]
>
> I am wondering if Hub could be subjected to loop problems, if not, what
> will happen if there is a loop within a Hub environment




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58817&t=58783



RE: Hello (long response) [7:58824]

2002-12-09 Thread Mark W. Odette II
Man, talk about being just past adult-hood, but way short of being
classified as an adult- much less a professional.

Just a touch of advice:  Never EVER gloat about terminating people, much
less talk about it in a public forum... for all you know, those CCIEs
you allegedly fired could be on this list too... and I'm sure they're
building the warm fuzzy about exacting some sort of revenge on your
smart-alecky little @$$..

You were just about to crawl into a hole "poor me" two weeks ago about
possibly being unemployed, but yet now you revel in the unemployment of
others because you're on a power trip!  Puleeez.  You and your manager
both need to get a Clue!  

Oh yeah, and what was the name of that consulting firm you said you now
work for again??  I just would like to know so that I can steer clear of
your company... 

Just so you know, you most probably have a "Kick me HARD" sticker stuck
on your back... watch those corners... and get your scooter fixed- it
has an obnoxiously squeaky wheel.


-Original Message-
From: adrian jones [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 09, 2002 3:17 PM
To: [EMAIL PROTECTED]
Subject: Re: Hello (long response) [7:58824]

Elping,
Please do NOT make any statements regarding CheckPoint Firewall without
knowing all the facts.  I've been working with both Checkpoint and Pix
firewalls.  I even built a few "franken" pix firewalls so that I can learn as
much as I can about Cisco Pix firewalls.  The "franken" pix firewall actually
helped me land my current job that pays 100k/year.  Both CheckPoint and Pix
firewalls have their strengths and weaknesses.  I agree that Cisco TAC is
much superior to CheckPoint support.  The "no text configuration" that you
refer to in CheckPoint, you must be referring to running CheckPoint on
Winblows platforms.  NEVER RUN FIREWALL ON A GENERAL PURPOSE OPERATING
SYSTEM.  If you worry about cost, check out CheckPoint SecurePlatform.  If
you are "unix" literate, does the term "tcpdump" mean anything to you?
That's how you troubleshoot my friend.

Now if you are talking about cost, Cisco Pix will beat CheckPoint by a long
shot in terms of performance for your $.  However, for a small/medium
business, Checkpoint does come with a lot of features such as URL filtering
(native), http load balancing, etc which Pix doesn't have (without 3rd party
products).  For enterprise environment, CheckPoint does come with ClusterXL
(aka, load-sharing or Active/Active Firewall), which again, Pix doesn't
support.  Last but not least, CheckPoint does have a very nice Management
piece called "provider-1" that Cisco Pix doesn't have.  I do have to say
that the price for CP products is totally "outrageous"; however, CP is a
good product.

In terms of hardware product, you can run CheckPoint on Nokia Platforms,
which is a very stable and proven product.  New versions of Nokia firewalls
do come with Flash instead of hard-drive so that the reliability is very
high.  Nokia is a big partner with CP.  You can get CP support if you
purchase Nokia firewalls from Nokia.  Nokia TAC is just as good as Cisco
TAC.

I've completed my first week at my new job as a Security Engineer and I am
amazed at the # of Cisco Certified folks at my company that are completely
incompetent and downright clueless at what they can do.  We are a consulting
company and being in the consulting business, you are forced to know pretty
much about everything.  I have had a couple of CCIEs in the office come to
me and ask me how to restart sendmail and postfix (we are a linux shop) in
linux.  Another CCIE asked me how to use "nmap" in unix.  The last one is
downright funny, one CCIE asked how to start Apache in Solaris.  It just
seems to me like R&S is all they know and nothing else.  We also do R&S here
but at these times, demand for those has not been that great.  Therefore,
we have to branch into other things such as Security (PIX, CheckPoint,
Wireless, IDS, etc...)

I brought these issues to my boss's attention last Wednesday and on
Thursday he ordered me to 'clean' house.  The first thing I did was to send
"pink" slips to all 4 CCIEs in the group and told them that they are fired
because they don't know anything other than R&S.  They were making
$130k/year and sucking almost all of our budget.

My advice to everyone out there is to keep learning other things in
addition to the R&S.  The market for CCIEs is not as good as it used to be.
You better know other things especially Unix and Firewalls than just merely
R&S.  There will be lots of good people competing for the same jobs and the
only way you can show the potential employers that you are better than the
other guy is by showing them that you know other things not just R&S.

Just my .02c.

Adrian

 

 elping  wrote:
I work with the checkpoint firewall ...and let me tell you they are gui
based and very easy to configure...but do they suck. there is no text
configuration

RE: Resricicting Certain Users -Pix 515 UR [7:58861]

2002-12-09 Thread Mark W. Odette II
Amen Brotha!

Keep it real, as some have said in the past :)

-Mark
A+, CCNP, MCSE, pursuing CCSP(Cisco), AVVID, CCSE(CPFW), and eventually
CCIE.

-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 09, 2002 8:26 PM
To: [EMAIL PROTECTED]
Subject: Resricicting Certain Users -Pix 515 UR [7:58861]

Hi All,

I would like to create a group let's say x,x,x,x-x.x.x.x and restrict them
to only certain websites, I am guessing I will have to use ip addresses of
those sites, but still allow them to access the local network..
What's the best way to go about this.
I have been using groups in my configs thus far..

BTW- I love you guys in this group, it has to be the best news group around
right now, let's keep the standards high and weed out the slackers that are
trying to water down the CCIE's. We are doing more work for less money and
the main reason why is because we are settling, we work damn hard and
invest time and money to achieve these goals, and should be awarded as
such. I don't see doctors building practice labs in their homes to cure
patients, nor lawyers building practice court rooms..

Sorry for the ranting but every year it seems you have to have more and
more letters after your name to earn a decent living in this technology
arena, when we are the ones that are enabling these million and billion
dollar companies to do business seamlessly anytime and anywhere..

-Kevin





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58866&t=58861



RE: PIX and the Activation Key [7:59574]

2002-12-19 Thread Mark W. Odette II
Depending on the version of PIX code the unit is running, you might not
have to do too much.

First, go to your PIX, and issue the 'Show Version' command.  If you are
running 6.1 or higher (I believe), you can go into config mode and issue
the 'activation-key' command followed by the 4 sets of alpha-numeric
characters.  This will "install" the 3DES license on the PIX.  The
alpha-numerics you enter are not derived from the "official-looking
document".  Rather, you are supposed to go onto the CCO site, and under
the PIX registration page, you will have a link for requesting your PIX
Activation Code.  You submit the Serial Number of the PIX (found on the
back or bottom of the unit) and the alpha-numerics found on the
"document".  In return, you'll receive an email with the activation
code.  That activation code is what you enter at the PIX console.

Now, all the code acquisition process aside, if you are running an older
version of PIX OS, then you have to tftp the PIX OS to a tftp or http
server, and then pull it back from the tftp/http server while in ROMMON
mode.  This basically is like you're installing the PIX OS.  At the end
of the download process to the PIX, and right after you reboot it,
you'll be prompted to enter new activation keys.  This is where you
enter the alpha-numerics acquired from Cisco via Email.

Good Luck!

-Mark 


-Original Message-
From: dlci_16 [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 19, 2002 5:59 PM
To: [EMAIL PROTECTED]
Subject: PIX and the Activation Key [7:59574]

Greetings,
I have been given the opportunity to install/configure a new 506E pix
firewall which our client had purchased from another supplier.
Configuring it to provide basic connectivity seemed somewhat linear (I will
not be using any IPsec features ;)  ), the client had also purchased a 168
bit licence key.
Ok, my question is, what am I supposed to do with this serial number
provided on an (official-looking) document that accompanied the pix?
I thought the pix would prompt me for an activation key after booting the
flash, as explained in this url,
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_installation_guide_chapter09186a0080089812.html#xtocid38 ?
however, it booted up normally into the default prompt ( pixfirewall> ).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59581&t=59574



RE: PIX and the Activation Key [7:59574]

2002-12-19 Thread Mark W. Odette II
Thanks for the tip!



-Mark



-Original Message-
From: eric nguyen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 19, 2002 8:26 PM
To: Mark W. Odette II; [EMAIL PROTECTED]
Subject: RE: PIX and the Activation Key [7:59574]



"activation-key" command only works with version 6.2.x or higher





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59598&t=59574



RE: PIX and the Activation Key [7:59610]

2002-12-20 Thread Mark W. Odette II
If you chose the "Register for purchased Feature Upgrade..." (which is
found on the link that follows) and was then prompted with the output
listed below the link, then you were in the correct place.  You have to
register the 3DES license you purchased.  To register the license, you
have to provide the CCO Account information of the client who purchased
the Firewall (Firewall has to be registered to the owner of the
firewall, and thus the owner has to have their own CCO Account).  The
exception to this rule is if your company is providing managed services
for the firewall, which includes you providing the firewall appliance
yourself.

www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Hardware:PIX&s=Software_Configuration

"License Registration

This page is for use when you have purchased and received a PIX Firewall
Connection Count or Feature License Upgrade. New PIX owners do not need
to use this page - only those users who have purchased a Connection
Count or Feature License Upgrade."

The part about New PIX owners is deceiving because it should indicate
that the rule applies to new PIX owners that purchased the firewall as a
3DES bundle with the 3DES Licensing already installed.  You still have
to register the PIX to your company/client's company, which should
automatically associate the 3DES licensing with your unit by Serial
Number of the unit itself.  If it doesn't, then you still have to
register the 3DES License.  If you still have to register, it's
recommended that you contact customer service to assist with the
registration.

My bet is (from experience) that you will have to go through the
registration page mentioned above, and then follow the installation
procedure mentioned in my previous post for activating the 3DES license.

Just a note- When you issue the Show Version command on the PIX, it
should give you a list of features Enabled or Disabled.  If you see
Enabled following to the right of the 3DES entry, then you know for sure
your 3des license has been installed.  An example follows:

Licensed Features:
Failover:   Disabled
VPN-DES:Enabled
VPN-3DES:   Enabled***
Maximum Interfaces: 2
Cut-through Proxy:  Enabled
Guards: Enabled
URL-filtering:  Enabled
Inside Hosts:   10
Throughput: Limited
IKE peers:  5

This is from my PIX 501 with 3DES License installed.

HTH's,

Mark
-Original Message-
From: Paul Van Neiberman [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 20, 2002 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX and the Activation Key [7:59610]

Hi,
Thanks to everyone who provided some 'intel',
however after doing a #show version I do get the serial number
and an Activation-Key displaying 4 sets of hexadecimal numbers, what is
this key used for? ( its version 6.1(4))

Also the registration site at CCO
https://www.cisco.com/pcgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=301
says "New PIX owners do not need to use this page", urmm, now I am
confused ;))






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59619&t=59610



GroupStudy Filtering?? [7:59802]

2002-12-26 Thread Mark W. Odette II
The question:

Is there some sort of filter running on GroupStudy that is substituting
the following string of text for what some folks are posting in their
messages when referring to a website??

The offending text:  @!#$.com

Or, am I just retarded, and there is now a way to access a url made up
of those special characters??

Thanx,

Mark




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59802&t=59802



RE: 4500 Series Router [7:59806]

2002-12-26 Thread Mark W. Odette II
Jim, Based upon 12.1 IOS...

See CCO for docs on how to copy a replacement image onto the router..
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt2/fcd203.htm

You obviously have local access to the device, as assumed by the output
you have posted; from the console session, check the boot parameters
with a "SHOW BOOTVAR".  If you are sure the flash memory is not damaged,
then I would format the flash, and then tftp a new copy of the IOS image
onto it.

See CCO for information on setting the boot variable.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt2/fcd205.htm#xtocid2

HTHs,
Mark

-Original Message-
From: Walker, James - Is [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 26, 2002 4:33 PM
To: [EMAIL PROTECTED]
Subject: 4500 Series Router [7:59806]

All,

Anyone know how to recover from an empty flash on a 4500 series router?

I'm getting the following message:

device does not contain a valid magic number
boot: cannot open "bootflash:"
an alternate boot helper program is not specified
(monitor variable "BOOTLDR" is not set)
and unable to determine first file in bootflash
loadprog: error - on file open
boot: cannot load "cisco2-C4500"

I combed the CCO, no luck.

TIA

Jim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59814&t=59806



RE: Possible Attack???? [7:59813]

2002-12-27 Thread Mark W. Odette II
Nice to hear a story of a *nix box being compromised... we all know how
hush-hush that piece of news is kept ... of course we all know that only
Windows boxes get compromised all the time, cuz they're so insecure
(Tongue-in-cheek). 

... sorry, couldn't resist.  This is just a mini High-Five for all those
Winblows comments that flow so fluidly on the list...

More on topic-
It's cool to hear someone describing in detail the troubleshooting steps
taken to track down a "bad" host or two on a complex network...  You
don't hear about these stories very often.

Consider this an Attaboy Pat on the Back for a job well done in hunting
down the source to your problem with fairly efficient and well educated
network troubleshooting skills.

Have a great weekend!

-Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 27, 2002 5:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]

I was finally able to track down the infected PC's (yes, more than one).
Below is a brief description of what occurred and the fix.  First, thanks
to all that responded to me.

As previously mentioned, I had an attack on a customer of mine's network
that was showing up as follows:

SrcIf  SrcIPaddress  DstIf      DstIPaddress  Pr  SrcP DstP  Pkts
Fa0/1  127.0.0.124   Se1/2.500  108.122.0.0   00     285

The above capture is just 1 of a few hundred packets similar to it and all
coming from a different source address on the 127.0.0.0 network.  The
amount of traffic was so large that at times it peaked to over 20MB and as
a result it overran my WAN interfaces causing BGP to flap / reconverge.
Just when BGP got a chance to come back up and learned all 115000 routes,
the attack occurred again and the links would flap.

Pinging the 127.0.0.x IP address from the edge router where the attack was
initially spotted did not give me any replies.  All I got were U.  I was
also not able to ping the broadcast address as all it gave me was U
(unreachables) as well.  There were no ARP entries on that router for that
IP.  I ended up enabling Netflow on the edge router (what you see above) in
order to get more detail of what was going on.  I got to see what interface
it was coming in on so I applied an access-list on the router to filter out
these packets.  That allowed the router and bgp to stabilize.  The next
thing was to move on to the switch that was connected to this FA0/1
interface.  This switch has a router module, I ended up doing the same
thing as I did on the edge router except this time I also connected to the
sc0 interface and I enabled one port as the mirroring port on the switch
and placed a PC with Ethereal to monitor everything that was destined to
108.122.0.0 and I finally got a MAC address.  I issued the show CAM command
on the switch and it told me where it came from which was another switch.
I moved on to that other switch.  The MAC address that was being reported
was the MSM route module of that switch.  I enabled netflow on it as well
and I was able to see the vlan that the attack was coming on and the VLAN
where it was destined to.  Luckily there were only 2 PCs (Sun SPARCstations)
on that vlan and both were compromised.  I removed them from the network
and all is well.  I did also have MRTG which helped some with identifying
when the attack was going on and what direction it was coming on and with
the ports that were being most heavily utilized.  This network is pretty
big so it was difficult to monitor all the ports that were suspects.  Thank
you all again for your help.

As far as the runt packets are concerned, to tell you the truth, I noticed
that but did not pay too much attention to that part of the Netflow output
since I was all wrapped up on tracking down where these packets were coming
in from.  Right now packets with size of 1-32 account for about 50% of all
traffic.




Thanks, 

Mario Puras 
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410  
888.449.5766 (USA) / 888.SOLUNET (Canada) 



-Original Message-
From: jhodge [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 4:34 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]


Not sure if this will help, but you could enable ip accounting on the
uplink interface to the switch.  Watch for the address that is pouring
out the most requests. Then use sho ip arp x.x.x.x to find the mac
address.  From there you could go to the switch and do a show cam
dynamic or if IOS version, show mac-address-table with the mac address
found with the most requests.  This would hunt down the culprit machine
without a person walking to each individual machine.

Cheers,


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sam Sneed
Sent: December 27, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Attack [7:59813]

Do you run SNMP and mrtg on the switch? You can then graphically see
w
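Modelled on the hunt described in the thread above (Netflow shows 127.0.0.x sources on an ingress interface, a mirror-port capture yields the sending MAC, the CAM table yields the switch port), here is an added Python example that is not part of the original posts; every flow line, captured frame and CAM entry in it is constructed sample data.

```python
"""Trace flows with an impossible source address back to a switch port.

Added example, not from the GroupStudy thread.  All inputs below are
constructed sample data, not real captures.
"""
import ipaddress
from collections import Counter

# Constructed Netflow cache lines in the column order the post shows
# (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts).
NETFLOW_SAMPLE = """\
SrcIf  SrcIPaddress  DstIf      DstIPaddress  Pr  SrcP  DstP  Pkts
Fa0/1  127.0.0.124   Se1/2.500  108.122.0.0   00  0000  0000  285
Fa0/1  127.0.0.37    Se1/2.500  108.122.0.0   00  0000  0000  301
Fa0/0  10.1.5.20     Se1/2.500  198.51.100.9  06  0C9A  0050  12
Fa0/1  10.1.7.9      Se1/2.500  192.0.2.77    11  0035  0035  4
"""

# Constructed frames seen on a mirror (SPAN) port: (src MAC, src IP, dst IP).
SNIFFED_FRAMES = [
    ("0003.ba12.aa01", "127.0.0.124", "108.122.0.0"),
    ("0003.ba12.aa01", "127.0.0.37", "108.122.0.0"),
    ("0003.ba12.aa02", "127.0.0.88", "108.122.0.0"),
    ("0010.7b33.c0de", "10.1.7.9", "192.0.2.77"),
]

# Constructed 'show cam dynamic' style entries: MAC -> (VLAN, port).
CAM_TABLE = {
    "0003.ba12.aa01": (40, "3/17"),
    "0003.ba12.aa02": (40, "3/18"),
    "0010.7b33.c0de": (10, "2/5"),
}

# Source ranges that cannot legitimately appear on a LAN uplink: loopback
# (RFC 1122), "this network", multicast and the reserved class E block.
BOGON_SOURCES = tuple(
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")
)


def is_bogon_source(ip):
    """True when ip falls in a range that must never be a packet source."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_SOURCES)


def parse_netflow(text):
    """Turn the eight-column cache dump into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue  # header or blank line
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = parts
        flows.append({"src_if": src_if, "src_ip": src_ip, "dst_if": dst_if,
                      "dst_ip": dst_ip, "proto": proto, "sport": sport,
                      "dport": dport, "pkts": int(pkts)})
    return flows


def suspicious_flows(flows):
    """Flows whose source is a bogon: spoofed, or from a broken host."""
    return [f for f in flows if is_bogon_source(f["src_ip"])]


def packets_by_ingress(flows):
    """Packet count per ingress interface, to see where the traffic enters."""
    counts = Counter()
    for f in flows:
        counts[f["src_if"]] += f["pkts"]
    return counts


def sending_macs(frames, dst_ip):
    """MACs that sent bogon-sourced frames towards dst_ip in the capture."""
    return sorted({mac for mac, src, dst in frames
                   if dst == dst_ip and is_bogon_source(src)})


def locate_ports(macs, cam_table):
    """Map each MAC to its (VLAN, port) from the CAM table; None if unlearned."""
    return {mac: cam_table.get(mac) for mac in macs}


if __name__ == "__main__":
    flows = parse_netflow(NETFLOW_SAMPLE)
    bad = suspicious_flows(flows)
    print("suspicious flows:", len(bad))
    print("ingress packet counts:", dict(packets_by_ingress(bad)))
    target = bad[0]["dst_ip"]
    for mac, where in locate_ports(sending_macs(SNIFFED_FRAMES, target),
                                   CAM_TABLE).items():
        print(f"{mac} -> VLAN/port {where}")
```

A MAC that maps to another switch's uplink port (or, as in the post, to a route module) means the hunt continues on that switch with the same CAM lookup.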

RE: accessing files [7:60109]

2003-01-02 Thread Mark W. Odette II
Spencer-

From your brief description, there could be a number of possibilities as
to why you get timeouts.

For the "visibility" of files via FTP... that's either a Firewall issue
between your workstation and the near-end T1, a Firewall issue between
the Server and the far-end T1, or the most likely issue-
configuration/misconfiguration of the FTP Server itself to not allow
LISTING access.  Some FTP Servers (such as MS IIS) can be configured to
allow READ access while at the same time disallowing LISTING access.
The end result is your Web Browser/FTP Client won't display the contents
of the directory... but if you already know the name of the file in that
directory, you can still request a copy of it thru the READ Access
attribute.

Kinda like blindly reaching behind a cabinet for something that fell
behind (and you say it fall behind)... you can't see it because of how
close the cabinet is to the wall, but you can at least reach your arm
behind to try grabbing it.

For the timeout issues of larger files, I would look at the egress
device (Hub or Switch) the Server is connected to for packet failures,
the Egress Router for queuing misconfigurations or packet failures
(specifically on the WAN interface).  If there is a firewall on the
Server side of the connection, check its configuration and log files for
errors too.  Do all of the same steps on the client side of the WAN
Link.

Hopefully, you'll spot the issue.  It could always be as simple as a bad
switch/hub port or a bad cable!

Good Luck!
Mark

-Original Message-
From: Spencer Plantier [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 02, 2003 9:52 AM
To: [EMAIL PROTECTED]
Subject: accessing files [7:60109]

I have a point to point T-1 connected via Cisco
routers running EIGRP. I can only copy small files
from one location to another. When I try to copy large
files it times out. When we try to FTP files you can't
see the files.

Any thoughts would be appreciated. 

=
Spencer Plantier
Internet Solutions Engineer
Cell 919-606-0049





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60112&t=60109



RE: Cry for help: Integrated circuit CSU config [7:60122]

2003-01-02 Thread Mark W. Odette II
Never configured a Paradyne CSU, but if it is anything like the Adtran
units I've configured, then it should be pretty straight forward.

You will be given information from your service provider (telco) about
what timeslots/channels (DS0's) the data is running on, and what
timeslots/channels the Voice is running on.  You then configure the CSU
accordingly.

Ex:  Channels 1-16 for FR Data, 17-23 for Voice.

Your CSU will have a DSX-1 port that allows you to feed the data
channels via a V.35 cable to your router.  The CSU will also have a T1
port (possibly RJ-45/48) that you will connect via a straight-thru Cat5
cable to your PBX/PABX for Voice service.

From there, it's up to you to configure your Router and PBX to talk on
those timeslots/channels.  The CSU will take care of line-coding and
framing (which you configure on the Paradyne) for the Data Side, and the
Voice will be managed by the PBX and Telco.

HTH's
Mark

-Original Message-
From: Mossburg, Geoff (MAN-Corporate) [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 02, 2003 2:31 PM
To: [EMAIL PROTECTED]
Subject: Cry for help: Integrated circuit CSU config [7:60122]

All,
I have a question and I'm not finding any info on the web to get the
answers I need. We have an integrated frame-relay circuit (voice and data)
and I need to configure the CSU (Paradyne). How is this different from
configuring a CSU for a data-only circuit?
Thanks very much!
Geoff Mossburg




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60128&t=60122



RE: O/T more campus design issues [7:60136]

2003-01-02 Thread Mark W. Odette II
Simplest solution is to put a WINS Server on the Subnet that can't find
the DC.  Configure it to replicate with the DC on the other Subnet, or
Statically configure the Domain Name entry for the NT Domain on the WINS
Server in the troubled subnet.  Your "DC Not Found" issue should be
resolved then.

More Administratively intensive solution is to modify the LMHOSTS file
to have the following entry on every Windows Workstation/Server in the
troubled subnet.

IP.ADD.RE.SS   MachineName   #PRE #DOM:Domain-Name


HTH's
Mark

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 02, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: O/T more campus design issues [7:60136]

You all remember my very simple campus network re-design that I've been
helping out with? It sure has been keeping me humble. ;-)

So we upgraded the single subnet to two subnets and two VLANs.

Everything is working OK except for Windows networking. The PCs on the
new subnet can't find a domain controller for authentication.

So, you can feel free to yell at me for not gathering more information
on the symptoms, but the client hasn't told me much. ;-) But does this
ring a bell with anyone? Are there standard recommendations on how to
handle this in a subnetted, VLANed internetwork?

I'm not too well informed on Windows networking. My co-author wrote that
chapter in my troubleshooting book.

Thank-you so much!

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60144&t=60136



RE: PIX 515E NAT/PAT [7:60291]

2003-01-04 Thread Mark W. Odette II
Searching CCO's public web access will yield a wealth of information if
you check it out.

http://www.cisco.com/warp/public/707/29.html

... and to answer indirectly, VPN Clients will terminate (attach) their
VPN tunnels to the PIX... so the outside interface address is what you
would use for the VPN Clients.  This means, that if you don't plan on
hosting anything else behind the PIX for the world to access without a
VPN connection, i.e., a web server for the public, you will
automatically be doing PAT for all users behind the PIX accessing the
Internet.  Hence, you will only need one Public/Registered IP Address to
support VPN Clients AND PAT.

VPN does have something to do with the Registered IP Address, as you
suspected. :)

Do some reading up and get back to us if you are still confused/stuck.


-Original Message-
From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 04, 2003 7:46 AM
To: [EMAIL PROTECTED]
Subject: PIX 515E NAT/PAT [7:60291]

I have been assigned to install and configure the PIX firewall 515E in my
company. VPN clients will access our network through dialup connection; we
have only two free IP addresses. One of those IP addresses will be
assigned to the outside interface of the firewall, the other one will be
used with PAT so that inside users will be able to access the internet.

The question is: do I need more registered IP addresses to configure NAT
instead of PAT? Or does the VPN have nothing to do with more or less
registered IP addresses?
 
Thanks
Ismail




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60298&t=60291



RE: PIX behind DSL router [7:60307]

2003-01-05 Thread Mark W. Odette II
Might I inject that, unless there is some sort of out of the ordinary
DSL service configuration, you could perhaps enable bridging on the 675
and assign the public address of the DSL service to the Ethernet port on
the 675.  This would then make it possible (provided you have more than
just one IP address assigned to the customer end of the circuit) for you
to configure the outside interface of the PIX with a public address, and
the inside with a private address.

The alternative would be to purchase a SpeedStream modem (or some other
compatible DSL modem) (off of e..b..a..y.. perhaps) and configure it for
bridging.  Then your public address would definitely be assigned to the
outside interface of the PIX, and your problem solved.

Just an idea though... you might have already thought of it.

-Mark

-Original Message-
From: Andy Barkl [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 04, 2003 7:07 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX behind DSL router [7:60307]

The DSL router is required to terminate the line and the PIX is needed
by the customer. With only one Internet IP tied to the outside of the
router, I see this as a very common scenario.

-Original Message-
From: Brian [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 04, 2003 4:08 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX behind DSL router [7:60307]

PIX is a NAT box, curious why you're doing that on the router??
Double NAT can work, haven't heard of it with this combo though.

Bri

- Original Message -
From: "Andy Barkl" 
To: 
Sent: Saturday, January 04, 2003 2:45 PM
Subject: PIX behind DSL router [7:60307]


> I'm trying to configure a PIX to sit behind a Cisco 675 DSL router (or
> is it a modem in this case) and I'm not having much luck. NAT is
> functioning on the router but I can't get from the LAN through the PIX
> and router to the Internet.
> This is a double-NAT scenario. Is this possible?
>
> I have tried adding all the usual static routes for the router and PIX
> with no success. Any first-hand experience or ideas?
>
> 10.0.0.0--->PIX--->192.168.1.0--->router--->Internet
>
> Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60380&t=60307



RE: difference of copy and write command [7:60569]

2003-01-07 Thread Mark W. Odette II
As far as I know... it's just a backward compatibility function... 

The most preferred answer is "Copy Running-Config Startup-config"
though.

-Original Message-
From: Simmi Singla [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 07, 2003 10:57 PM
To: [EMAIL PROTECTED]
Subject: difference of copy and write command [7:60569]

Hi All,
A very simple basic question I have. What is the basic difference between
the copy run start and write memory commands (as it was supported in older
versions)?
Thanx in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60576&t=60569



RE: frame relay stumper [7:60567]

2003-01-07 Thread Mark W. Odette II
What about bouncing the 7500... if you did the 2500, and your problem
wasn't resolved, it might just repair itself by doing the same to the
7500 (during a good maintenance window of course :) )

And, of course, everything that Chuck said too :)

-Mark

-Original Message-
From: The Long and Winding Road
[mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 07, 2003 10:24 PM
To: [EMAIL PROTECTED]
Subject: Re: frame relay stumper [7:60567]

Sanitized configs would help immensely, including other subinterfaces that
work as well as the ones that don't, from both sides.

Also, IOS versions, numbers of subinterfaces, etc.

thanks

--
TANSTAAFL
"there ain't no such thing as a free lunch"




"Mossburg, Geoff (MAN-Corporate)" wrote in message news:[EMAIL PROTECTED]...
> How's this for nutty: We have a frame-relay point-to-point circuit going
> between our Cisco 7500 core router and a 2500 remote router, and the
> subinterfaces have IP addys of .1 and .2, respectively. Both sides'
> subinterfaces are "up/up", but I am not able to ping either IP address,
> even when I am on the host router for each address! Both sides have other
> working subinterfaces which I have tested similarly, and these use the same
> physical circuit, so I know the circuit is good. OH... and this connection
> WAS working at some point, but I can't tell when it stopped working, due to
> the fact that neither router recognizes that there is a problem. I tried
> bouncing both subinterfaces and reloading the 2500, but the problem remains.
> Any advice about what I may be overlooking would be a Godsend.
> Thanks!
> GM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60577&t=60567



RE: frame relay stumper [7:60567]

2003-01-07 Thread Mark W. Odette II
Jenny's comment was going to be my next one...

From what has been described of the problem, my bet's on the Telco
muckin' around with PVCs somewhere in the middle...  At least that's
been my experience with Frame Relay networks.

-Mark

-Original Message-
From: Jenny McLeod [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 08, 2003 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: frame relay stumper [7:60567]

Have you checked the underlying PVC?  show frame pvc, debug frame lmi,
beat up carrier?
I have seen PVCs misconfigured by the carrier so they connected to
*somewhere*, so the sub-interface was up... but the PVC wasn't connected
to the service it was supposed to be connected to, so not much was
usefully happening across the link.

JMcL





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60583&t=60567



RE: DES license on PIX free? [7:61201]

2003-01-16 Thread Mark W. Odette II
Yes, it's free.  If you order your PIX with 56Des installed, you're good
to go, IIRC.

-Mark

-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 8:41 AM
To: [EMAIL PROTECTED]
Subject: DES license on PIX free? [7:61201]

I read in a PIX book all PIX's come with the 56 bit DES license free. Can
anyone verify this before I spend money? I'm looking at a 501 or 506E.
Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61203&t=61201



RE: Cisco VPN Question [7:61148]

2003-01-16 Thread Mark W. Odette II
> Split tunneling has been enabled up until now.
Does this mean you have recently DISabled split tunneling??

If not, does the newest client 3.6? have a function for keeping traffic
sourced from the internet from using the Split-tunneling host from
acting as a mirror to breach the corporate network??

From what I understand, enabling the Split Tunnel feature is a BAD
option, Cisco just created it for those clients that didn't want their
remote users surfing the net via the corporate network.

Can anybody clarify on any of these points??

-Mark

-Original Message-
From: Kim Graham [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 5:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN Question [7:61148]

Basically it performs as per stated.  We have VPN users that come into our
concentrator from all over North America and abroad.  They have used a
variety of cable, dsl, dial-up providers and for the most part do not have
any issues.  Split tunnelling has been enabled up until now.

As for private networks (home networks) we have some home users utilizing
Nexlands and Ugates and probably other "Internet Sharing Boxes".  Some
cable companies have had compatibility issues with this but I believe the
most recent version of software on those boxes has corrected the problem.
As a test while at Nanog I was able to log into my internal network from a
wireless laptop.

All in all it is a pretty solid client.

Kim / Zukee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61202&t=61148



RE: The effect of NAT on an interface [7:61178]

2003-01-16 Thread Mark W. Odette II
Chuck-
What about TFTPing your changes in a "new" startup-config file, then
reloading the router.  If you are pretty certain your changes won't be
bad afterwards, I don't see where you could go wrong.  If you do have a
programming issue with a route-map or acl, then you definitely are
getting to visit the client router in the morning. :)

My mentor has taught me a command that will always save your butt.

When making the changes in the fashion you mentioned:
1st command to issue is "Reload in X" ; x=number of minutes specified.

If you do this, you won't have to worry about getting locked out
over-night.

Also, create your new ACLs on the Router BEFORE you do anything else.
This way, you can change the command that implements the new ACL last,
and you should be able to re-connect shortly afterwards.  I've had fun
with this while working on an IOS VPN solution- it was a rude awakening,
and I had to call the client office to have them bounce the router that
night.

-Mark
-Original Message-
From: The Long and Winding Road
[mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 15, 2003 11:22 PM
To: [EMAIL PROTECTED]
Subject: The effect of NAT on an interface [7:61178]

it's happened twice now, and the policy routing was removed from the
interface, so I'm thinking the problem has to be the NAT configuration

The problem: remote configuration of a router.

Circumstances: remove poorly constructed access-lists. Replace them with
better constructed access-lists that are also in conformance with a system
wide standard numbering convention. Change the route maps to reflect these
new access-lists. One access-list determines whether or not a host on the
inside can obtain a NAT translation. The other controls policy routing
inbound on the WAN interface.

The process:

1) remove policy routing from the distant end WAN interface

2) delete old access-lists

3) delete old route-maps

4) paste in new access-lists

5) paste in the new route-maps

at this point I lose connection with the router.

I presume that because policy routing was disabled ( no ip policy
route-map etc ) and the router was reloaded before step 2 was taken, that
the problem is not with policy routing denying my own access.

That leaves NAT. The ip nat outside configured on the WAN link of the
remote router was in place.

Now I'm racking my brains about this, because I have 9 other sites
identically configured, and I configured them remotely, and life was
good.

Well, I guess I'll be visiting a client site in the morning.
sheesh!!!




--
TANSTAAFL
"there ain't no such thing as a free lunch"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61206&t=61178
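
As an added example (not the thread's own material), a Python pre-flight check that enforces the two rules from Mark's reply above before a command batch is pasted into a remote router: start with `reload in`, end with `reload cancel`, and define every access-list before the route-map, `ip access-group` or `ip nat inside source list` line that applies it. The batches, ACL numbers, route-map name and interface name are constructed for illustration, not the configuration from the thread.

```python
"""Added example (not from the thread): pre-flight check for a remote change.

`check_batch` takes the ordered lines that will be pasted into the router and
reports violations of the two rules from the reply above: a `reload in`
safety timer first (with `reload cancel` last), and no access-list applied
before it is defined.  Only the `reload in <minutes>` form is recognised.
"""
import re

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\b")
ACL_NAMED_DEF = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
ACL_USE = re.compile(
    r"^(?:match ip address|ip access-group|ip nat inside source list)\s+(\S+)"
)
RELOAD_IN = re.compile(r"^reload in\s+(\d+)$")


def check_batch(commands):
    """Return a list of problems; an empty list means the batch passes.

    Blank lines and `!` comments are ignored; reported line numbers count
    the remaining commands from 1.
    """
    problems = []
    stripped = [c.strip() for c in commands]
    stripped = [c for c in stripped if c and not c.startswith("!")]
    if not stripped:
        return ["batch is empty"]

    m = RELOAD_IN.match(stripped[0])
    if not m:
        problems.append("first command must be 'reload in <minutes>'")
    elif not 1 <= int(m.group(1)) <= 60:
        problems.append("reload timer should be between 1 and 60 minutes")
    if stripped[-1] != "reload cancel":
        problems.append("last command must be 'reload cancel'")

    defined = set()
    for idx, line in enumerate(stripped, start=1):
        d = ACL_DEF.match(line) or ACL_NAMED_DEF.match(line)
        if d:
            defined.add(d.group(1))
            continue
        u = ACL_USE.match(line)
        if u and u.group(1) not in defined:
            problems.append(
                f"line {idx}: '{line}' applies access-list {u.group(1)} "
                "before it is defined"
            )
    return problems


# Constructed batch in the recommended order: timer, new ACL, the commands
# that reference it, then cancel the timer.  Numbers and names are assumed.
GOOD_BATCH = [
    "reload in 10",
    "configure terminal",
    "access-list 110 permit ip 10.10.0.0 0.0.255.255 any",
    "access-list 110 deny ip any any",
    "route-map NAT-INSIDE permit 10",
    "match ip address 110",
    "exit",
    "ip nat inside source list 110 interface Serial0/0 overload",
    "end",
    "reload cancel",
]

# Constructed batch that breaks both rules: no safety timer, and the
# route-map refers to access-list 110 before the list is created.
BAD_BATCH = [
    "configure terminal",
    "no access-list 101",
    "route-map NAT-INSIDE permit 10",
    "match ip address 110",
    "exit",
    "access-list 110 permit ip 10.10.0.0 0.0.255.255 any",
    "end",
]

if __name__ == "__main__":
    for name, batch in (("good", GOOD_BATCH), ("bad", BAD_BATCH)):
        print(name, check_batch(batch) or "OK")
```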



Another CCNP is born... [7:48870]

2002-07-15 Thread Mark W. Odette II

Well, after many months of off-and-on studying as work would permit, I
finally passed the Support exam to complete the CCNP chapter in my Cisco
Career Certification saga.

For those preparing for it, let me warn that it is not an easy exam.
It's not that the technologies tested on are hard to learn, but rather
the ambiguous questions posed to test your knowledge. There are more
than a few questions that had me scratching my head and saying to myself
"Huh!?!?"

My advice... if you don't get to work with some of the technologies on a
regular basis, then based on the Test outline on CCO, read up on more
than one study source multiple times until you are dreaming of what does
what and how to tell what from what.

IF that isn't ambiguous enough... Gotta love the Cisco NDA.

Any way, I'm now off to study the CCDA and CSS1 concurrently :-)

Good luck to all those planning to take the Support exam in the near
future... it's one nasty exam.


Oh, I must also give thanks to all that have posted on this forum for
the last 2 years I've been faithfully monitoring it.  All of your input
has been quite valuable.

If you want a nice alternative to the Boson Exams for this test... I
would highly recommend CCXXProductions.com! Their study materials are
top notch... Not to mention their support staff for updates.

Cheers!
Mark Odette II
CCNP, MCSE (2K & 4.0), A+ Certified.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48870&t=48870



RE: Catalyst 5500 VLAN Configuration [7:48874]

2002-07-15 Thread Mark W. Odette II

For each VLAN, you have to define it on the Switch Port, i.e., if you
have 10 vlans, and you have a 12, 24, or 48 port module for module 6,
then you need to decide your vlan assignment, and then make it so on a
per port basis.

You won't assign an IP Address to the Switch Port, but you will assign
VLAN 2 to say port 6/2, VLAN 3 to Port 6/3, etc.


If you intend to route between VLANs, then you will either need the
applicable route-switch-module for the model switch you are working
with, or a router that supports the same trunking features as the switch
(ISL or dot1q)

On the router or the route-switch module, you will configure
Sub-interfaces that will define the subnet, and vlan and what
encapsulation type you are using for that vlan.


Good luck on your studies.

Mark
-Original Message-
From: John Brandis [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Catalyst 5500 VLAN Configuration [7:48874]

G'Day All,

Quick question on CCNP Switching topics. Have say around 10 VLANs all
coming back to my CAT5k FastEthernet ports on say module 6. My Cat5k is
the Core of my network, and as such is the VTP domain server. Forgive the
question if really stupid, however, do I need to configure for example
module 6 port 1 as part of VLAN 10, using ip 192.168.10.1/24 using ISL?
And so on for every VLAN that comes back to my CAT5k?

Thanks all for your time, really appreciate it.

John








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=48881&t=48874



RE: Cisco command [7:49152]

2002-07-18 Thread Mark W. Odette II

GEORGE-

This has been asked at least 6 times in the past 12 months.  You should
check the archives, if they are available.

The short and quick answer is, on most low end and midrange routers- NO.

On a few of the high-end routers (i.e., GSR's, 7200 VXRs, etc.), the
answer is YES (according to other list members).

If you issue the Show Diag or Show Diag cbus command, you can retrieve
Serial Number information of the System Board, and any Line Cards such
as NM's (Net Modules) and WIC's/VIC's, PA's, etc. 

... But these Serial Numbers are NOT the same as the Serial Number on
the Chassis of the Router, which is needed for Tech Support calls with
Cisco TAC, as well as registering SMART-NET contracts.

Also, I might add, the suggestion to solve this little issue is to put
in the description of a Loopback interface the Serial Information from
the chassis.  That way, if you need that information which was not
documented before deployment of the node to a remote location, you could
retrieve it by terminal session and viewing the config.

Like I said, check the archives for a definitive answer on the few
platforms mentioned, or open a Level 4 Case with Cisco TAC to get the
answer direct from the horse's mouth.

Now, I must say, I think I'm the first person to mention the Level 4
Case alternative on this list... :)  

Guess those Support studies paid off; Cisco would be proud :)

-Mark Odette II
CCNP, MCSE 2K/4.0, blah, blah, blah.

-Original Message-
From: GEORGE [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 18, 2002 1:10 PM
To: [EMAIL PROTECTED]
Subject: cisco command [7:49152]

Is there a Cisco command that will show you the serial number of the
router?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49166&t=49152



RE: need help !!! [7:49315]

2002-07-21 Thread Mark W. Odette II

Totally off topic, but out of curiosity, does anyone ever refer to Cisco
or Cisco Systems in "Other" forums as Ci$co or Ci$co $ystems?

Just a pondering thought... after all everyone seems to agree that Cisco
charges the most for their products in comparison to competitors, and
that the competitors seem to have Internetwork Devices that are far
superior in capabilities or performance in many cases compared to
Cisco's gear.

... or is this parallelism just something perpetuated by the *nix
community?

Just something that struck my curiosity from the subtle tone of
ill-respect to Microsoft (usually referred to as MS).

No flames please... just an observation.

-Original Message-
From: Kevin Cullimore [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, July 20, 2002 10:49 PM
To: [EMAIL PROTECTED]
Subject: Re: need help !!! [7:49315]

RS generally exhibits fewer instances of weird OSPF behavior than the OS'
associated with their other enterprise products. Given the Redmond track
record of porting & severely mutating technologies from other vendors &
platforms, I'm not sure that it's necessary to look beyond corporate
boundaries to account for strange behaviour associated with M$ products,
although it would most certainly depend upon the types of anomalies
observed. Your example doesn't necessarily correlate well with observed RS
behavior. Do you have others?

- Original Message -
From: "cebuano" 
To: 
Sent: 20 July 2002 9:21 pm
Subject: RE: need help !!! [7:49315]


> Hmmm. I wonder if the strange OSPF behavior of W2K was inherited from
> them.
> I still haven't found out why the DR and BDR roles in W2K flap like
> every 45-60 secs. At least when I tested it in a classroom environment.
>
> Elmer
>
> -Original Message-
> From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, July 20, 2002 9:05 PM
> To: cebuano; [EMAIL PROTECTED]
> Subject: RE: need help !!! [7:49315]
>
> At 8:31 PM + 7/20/02, cebuano wrote:
> >Dear OSPF,
> >Your W2K server has RRAS installed by default, but you need to turn this
> >ON or it will not route, PERIOD. Not even between its directly connected
> >interfaces. W2K supports both RIPv2 and OSPF (I mean, the protocol ;-> ).
>
> RRAS, incidentally, is a port of Wellfleet/Bay RS.
>
> >HTH,
> >Elmer
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ospf
> >Sent: Saturday, July 20, 2002 3:15 PM
> >To: [EMAIL PROTECTED]
> >Subject: need help !!! [7:49315]
> >
> >Dear group !
> >
> >   Have you guys ever set up a Win2000 server to act like a router? My
> >customer wants to connect a branch office to their head office by dial-up
> >from a Win2000 server to a Cisco router.
> >
> >   I have set up the connection between the router and this remote server.
> >I have added a route in the Win2000 server. But surely a server can not
> >forward packets.
> >   Help me pls




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49367&t=49315



RE: Everything working now? [7:49438]

2002-07-23 Thread Mark W. Odette II

Dude- You're gettin' a Dell! :-)

Seriously, I think you could pick up a Dell Refurb 1U system with
extended warranty at a steal... and they work great!

2U would be the way to go though, that way you can get RAID 5
Hot-Swap-ability, and have plenty of cooling space for the SCSI Drives.

BTW- What server DOESN'T work with RedHat??


-Original Message-
From: Paul Borghese [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 9:21 AM
To: [EMAIL PROTECTED]
Subject: Everything working now? [7:49438]

GroupStudy is definitely causing me to age prematurely!  Ok, I think the
list, newsfeed, and website are back in operation.  I did disable the
archive search engine and may enable it later once things stabilize.

We need to obtain new hardware and we actually have the money to purchase
said new hardware :-).  With the free bandwidth from Swiftcomm and the
selling of banner advertisements, we have been able to create quite a
trust fund.  So I need suggestions on Intel based servers that are 1u in
size. The more redundancy and memory, the better.  Probably SCSI.  The new
server needs to work under RedHat Linux.

Any suggestions!

Paul Borghese




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49446&t=49438



RE: Cisco IOS Docs Hardcopy? [7:49444]

2002-07-23 Thread Mark W. Odette II

I just went back onto CCO, and this is what I found.  You just might
have overlooked what you were looking for.  The following is an excerpt
from the order site:

DOC-SRIOS11.3=  Cisco IOS Release 11.3 Documentation Suite
DOC-SRIOS12.0=  Cisco IOS Release 12.0 Documentation Suite
DOC-SRIOS12.1=  Cisco IOS 12.1 Documentation Suite
DOC-SRIOS12.2=  Cisco IOS Release 12.2 Documentation Set

So, it looks like, if you go looking for the above listed items, you
should find what you're looking for.  It was listed just after "Standard
Router Documentation for IOS Release ..."

Enjoy!
Mark  

-Original Message-
From: Barbee Jason [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: Cisco IOS Docs Hardcopy? [7:49444]

When logged in to CCO, I can go to the Product Upgrade tool, select
documentation, and see a large list of available documentation. I would
like to order the documentation set for 12.2, but I do not see it on the
list. Is there a way to order the complete set? Or should I just enter
quantity 1 for all the IOS documentation?
And I'm concerned about billing too; it appears it will charge our Cisco
Reseller for the shipping and/or costs.
Do these documents cost anything or is it just the cost of shipping?

I thought I had read a thread that mentioned this somewhere, but I
couldn't find it using the groupstudy google search engine, and the older
archive search engine gave a glimpse not found error. I apologize if some
of the questions here have already been answered.

Thanks everyone,
-Jason
[EMAIL PROTECTED]
www.cciewannabe.com - Remote Cisco Lab Access




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49456&t=49444



RE: pix quick help [7:49450]

2002-07-23 Thread Mark W. Odette II

I believe the answer is yes.

The HTTP command specifies what node is allowed to hit the HTTP Server,
while the PDM command defines the host allowed to log into the PDM App.

I'm sure someone will rightly correct me if I'm wrong. :)

-Mark

-Original Message-
From: John Green [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 11:35 AM
To: [EMAIL PROTECTED]
Subject: pix quick help [7:49450]

to allow a workstation access so as to be able to use
and configure via the PDM, we give the command
http server enable
http 165.12.55.12 255.255.255.255 inside

what is the purpose for the command 
pdm location 165.12.55.12 255.255.255.255 inside

do we need both the commands to allow the workstation
be able to access PDM GUI ??






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49457&t=49450



RE: Cisco IOS Docs Hardcopy? [7:49444]

2002-07-23 Thread Mark W. Odette II

Jason,

Funny you should mention it.

I just received my order of documentation, which I placed over a month
ago.

One thing for sure, I got more documentation than I realized I ordered-
and it was all free.  I did not find an indication of charge for
shipping or the docs themselves.  Now I have enough documentation to
fill 5 bookshelves!

... and yes, part of that documentation is the 12.2 docs-- config guide,
debug docs, command guide, Voice-Video-Fax docs, and the list goes on.

All of it is soft-cover though, so don't expect hard-cover.

I received 1 very large box, a medium sized box, several small boxes and
bubble envelopes... 11 pieces in all.

Some of that was Voice docs though... ICS 7750, IP Phones, Call Manager,
CiscoWorks for Voice, etc.

I figured, if it was free, and I want to familiarize myself with that
stuff for the future, why the heck not order it!

I believe my Reseller Status is what allowed me to order it all for free
though.

Good Luck!

Mark Odette II
StellarConnection Services
CCNP, MCSE, A+ Certified.

-Original Message-
From: Barbee Jason [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: Cisco IOS Docs Hardcopy? [7:49444]

When logged in to CCO, I can go to the Product Upgrade tool, select
documentation, and see a large list of available documentation. I would
like to order the documentation set for 12.2, but I do not see it on the
list. Is there a way to order the complete set, or should I just enter
quantity 1 for all the IOS documentation?
And I'm concerned about billing too; it appears it will charge our Cisco
Reseller for the shipping and/or costs.
Do these documents cost anything or is it just the cost of shipping?

I thought I had read a thread that mentioned this somewhere, but I
couldn't find it using the groupstudy google search engine, and the older
archive search engine gave a glimpse not found error. I apologize if some
of the questions here have already been answered.

Thanks everyone,
-Jason
[EMAIL PROTECTED]
www.cciewannabe.com - Remote Cisco Lab Access




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49451&t=49444



RE: pix quick help [7:49450]

2002-07-23 Thread Mark W. Odette II

Thanks for the clarification!

I figured I'd learn the truth to what I thought when I read up on the
PDM documentation, or the PIX doc for the CSS1.

-Mark

-Original Message-
From: Lidiya White [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: pix quick help [7:49450]

PDM location commands have no functionality. Think of them as PDM build
a map of networks/hosts around it based on the static, nat, global and
route statements you have configured on your PIX. You can remove those
commands if you wish, but next time you'll use PDM, they'll be back in
your config. 
Just pay no attention to them. Again, they have no functionality; they
do not allow or disallow anything...

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 3:45 PM
To: [EMAIL PROTECTED]
Subject: Re: pix quick help [7:49450]

I was under the impression that the PDM command is just a pain in the arse
cosmetic addition for use only within PDM.
I'm fairly certain it's nothing to do with access to PDM itself. I'll try
deleting them next time I get chance and see what effect it has on PDM, and
if PDM automatically puts them back (in the same way that it automatically
put them there in the first place)

As always...let me know if I'm talking rubbish.

Gaz


"Mark W. Odette II" wrote in message
news:[EMAIL PROTECTED]...
> I believe the answer is yes.
>
> The HTTP command specifies what node is allowed to hit the HTTP Server,
> while the PDM command defines the host allowed to log into the PDM App.
>
> I'm sure someone will rightly correct me if I'm wrong. :)
>
> -Mark
>
> -Original Message-
> From: John Green [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 23, 2002 11:35 AM
> To: [EMAIL PROTECTED]
> Subject: pix quick help [7:49450]
>
> to allow a workstation access so as to be able to use
> and configure via the PDM, we give the command
> http server enable
> http 165.12.55.12 255.255.255.255 inside
>
> what is the purpose for the command
> pdm location 165.12.55.12 255.255.255.255 inside
>
> do we need both the commands to allow the workstation
> be able to access PDM GUI ??
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49491&t=49450



RE: Passing score for 640-606 exam [7:49496]

2002-07-23 Thread Mark W. Odette II

776

-Original Message-
From: Charles McKnight [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 8:50 PM
To: [EMAIL PROTECTED]
Subject: Passing score for 640-606 exam [7:49496]

Does anyone know what the passing score for Cisco 640-606 Support
exam is? 


Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49513&t=49496



RE: Cisco IOS Docs Hardcopy? [7:49444]

2002-07-24 Thread Mark W. Odette II

I am the same way about having hard-copy to read from... I can't tell
you how many trees I've killed with printing docs out from the PDFs off
of CCO, and then tossed the print outs several months later because of
too much "loose" stuff on my desk.

I also spent 60.00 on the 6.1 PIX Docs from EBay, just to find out
several months later that the docs were available to me for free (thanks
to a post on this list many months back pointing out the "secret hiding
place" on CCO).

Indeed, you hit the nail on the head as to why I ordered all the Docs I
did: To have the resources to support just about anything I or my
engineers may come across.  But nothing replaces a properly placed TAC
call.

All of these Docs are in manual format with soft-cover though, so it's
not like we have a huge library of Cisco Press-style books to reference.
I still have pay for the hard-cover.

Also, as someone else mentioned in an earlier reply, depending on your
SmartNet, you too are probably able to order the same DOCs for free.

Like you said, nothing beats paper in some cases. :)


-Original Message-
From: Thomas Larus [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 23, 2002 8:02 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco IOS Docs Hardcopy? [7:49444]

I believe it costs a fortune (over $1000) for us mere customers/end users.
I imagine Cisco thinks you resellers need to have it to support your
customers, so they don't have to do as much of the support.  I love my 12.1
printed docs, which I paid $400 plus shipping (around 43 dollars, I think)
on ebay.

My impression is that most people in this industry have no problem using the
CD documentation and reading just about everything from a screen.  I feel
like some sort of relic because I strongly favor reading from paper.

"Mark W. Odette II" wrote in message
news:[EMAIL PROTECTED]...
> Jason,
>
> Funny you should mention it.
>
> I just received my order of documentation, which I placed over a month
> ago.
>
> One thing for sure, I got more documentation than I realized I ordered-
> and it was all free.  I did not find an indication of charge for
> shipping or the docs themselves.  Now I have enough documentation to
> fill 5 bookshelves!
>
> ... and yes, part of that documentation is the 12.2 docs-- config guide,
> debug docs, command guide, Voice-Video-Fax docs, and the list goes on.
>
> All of it is soft-cover though, so don't expect hard-cover.
>
> I received 1 very large box, a medium sized box, several small boxes and
> bubble envelopes... 11 pieces in all.
>
> Some of that was Voice docs though... ICS 7750, IP Phones, Call Manager,
> CiscoWorks for Voice, etc.
>
> I figured, if it was free, and I want to familiarize myself with that
> stuff for the future, why the heck not order it!
>
> I believe my Reseller Status is what allowed me to order it all for free
> though.
>
> Good Luck!
>
> Mark Odette II
> StellarConnection Services
> CCNP, MCSE, A+ Certified.
>
> -Original Message-
> From: Barbee Jason [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 23, 2002 10:37 AM
> To: [EMAIL PROTECTED]
> Subject: Cisco IOS Docs Hardcopy? [7:49444]
>
> When logged in to CCO, I can go to the Product Upgrade tool, select
> documentation, and see a large list of available documentation. I would
> like to order the documentation set for 12.2, but I do not see it on the
> list. Is there a way to order the complete set, or should I just enter
> quantity 1 for all the IOS documentation?
> And I'm concerned about billing too; it appears it will charge our Cisco
> Reseller for the shipping and/or costs.
> Do these documents cost anything or is it just the cost of shipping?
>
> I thought I had read a thread that mentioned this somewhere, but I
> couldn't find it using the groupstudy google search engine, and the older
> archive search engine gave a glimpse not found error. I apologize if some
> of the questions here have already been answered.
>
> Thanks everyone,
> -Jason
> [EMAIL PROTECTED]
> www.cciewannabe.com - Remote Cisco Lab Access




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49512&t=49444



RE: CCIE Security Lab [7:17848]

2002-07-24 Thread Mark W. Odette II

May I add this little edict that "Buggy/Unreliable OS's" is just a bad
rap that the community has pinned on MS "WINDOWS"... without much
explanation of WHAT the "unreliability" was.

Indeed, Security is a different story, and there is plenty of "reliable"
argument to that topic... but to constantly perpetuate this argument
that "Windows" is unreliable and buggy makes me ill.

What makes the story of it being buggy/unreliable has always been
related to device drivers that sloppy-a$$ programmers whip out for
sub-standard chipsets on the Intel platform running "Windows".  Not to
mention, the OS's that have been the most unreliable/buggy have been the
desktop OS's- NOT the Server platform Windows NT.  If you think that you
should use that Windows 98 box as your company's Server- it's your own
stupid fault for all the headaches that are derived from therein.

I've worked predominantly in the NT environment for over 8 years, going
through the NT 3.51, 4.0, and now Windows 2000 version of the server
platform, and I ONLY have had servers crash when a vendor-specific
device driver was updated (ahem, Intel ironically was the culprit, and
they were supposed to be the other half of the "Win-tel" agreement).
I've also maintained a fair share of different-flavored *nix boxes that
performed similar functions, for which they suffered the same ailments-
bad drivers for add-on hardware, whether it be NIC's, RAID Controllers,
Telephony boards, or power failure.  One thing for sure, the NT box
didn't spend 30 minutes spewing INODE errors all over the place once
power was restored... unlike the AT&T Unix brothers did... And yes, I
know, NT uses a journaling file system as opposed to the file system
Unix uses.  But for heaven's sake! The DB application on the *nix box
should have the corruption issues to worry about, NOT the OS!

Most of these Windows NT Servers under my command were Computer
Telephony systems, a.k.a., IVR's.  They ran like a champ for several
years without a reboot... the ones that ran for shorter periods were
maintenance reboots for Service Packs or because of Power Failure to the
location the box was residing.  These servers were both DEC Alpha's and
Intel-based OEM and Clone machines.

As I said before, just as much as it is a problem for the *nix platform,
the "things" that make the OS unreliable are the cheap hardware and
sloppy device drivers that are applied to the system.  Proper
installation, and hardening of the OS for the specific purpose it is
supporting (read: don't use the same machine you've set up as your server
as your desktop too, installing all kinds of non-server related programs
on it like "free-ware" and demos of programs found in the center or back
of some periodical you got in the mail), and the Windows NT / 2000
Server will be just as stable as the next implementation of Solaris on a
Sparc station.

And again, as Chuck pointed out, if the Applications developed to run on
the Windows NT / 2000 platform were developed properly, then the servers
would be reliable in that respect too.  I'm not a programmer by any
means, but from what I've observed, you can have just as many crashes
for building crappy DLL's as you can from improper handling/use of C
library modules on a *nix box.  Not to mention, both types of
programmers need to know how to program for Memory Address handling.


But who am I to argue... the whole slamming of "Windblows" is probably
just because some bull-headed *nix lackey is just pi$$ed off he can't go
rebuild the kernel half a dozen times to "tweak" the system on
"Windows".

And as a final note, I do maintain the argument that ALL of the OS's out
there have their own place in the industry; there isn't just ONE O.S.
that addresses all the use/needs of any particular business (keeping
Support in mind).

Now- Back to our regularly scheduled commentary on Cisco Studies.

-Mark

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 25, 2002 12:07 AM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Security Lab [7:17848]

Buggy/unreliable software is indeed the same anywhere.  But when combined
with buggy/unreliable OS's, now we're talking about a solution that is
REALLY buggy and unreliable.  For example, if your software is only
guaranteed to run at 3 9's, and your OS is also only guaranteed to run at
3 9's, then overall we're talking about a less-than-3-9's of a solution.

You can actually run packetized voice very reliably, and not just for toll
bypass (although it is definitely true that toll-bypass is the easiest and
most mature kind of packetized voice to do).  The key is that you have to
design things in a certain way to maximize your reliability.  Many carriers
like SBC use packetized voice with soft-switch signalling in certain parts
of their network, and then you have packetized voice wholesalers like Ibasis
that have massive available voice capacity and a good reputation for
reliability.  There was a huge amount of serious talk after 9-11

RE: Anyone tried Huawei Routers ? [7:49670]

2002-07-25 Thread Mark W. Odette II

Where does one go to buy these units??  I did a search on Google and
Ingram Micro, but couldn't find a reseller or price list for anything.

I even checked the company website (datacomm.huawei.com), and it looked
like the company is set up in similar fashion to Cisco - No direct
purchase.

Just idle curiosity of their retail pricing structure.

mark

-Original Message-
From: cebuano [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 25, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: RE: Anyone tried Huawei Routers ? [7:49670]

Yeah, this company even has its own stack of certs starting with
HCNE, HCSE, and last but not least, HCIE!!! Yikes, some more paper
Certs to hang on the wall :->
But on the serious note, if I can get this 3640 for $500 and load a
Cisco IOS, who cares?? Heck, buy the 3680.

Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Ron Tan
Sent: Thursday, July 25, 2002 12:16 PM
To: [EMAIL PROTECTED]
Subject: OT: Anyone tried Huawei Routers ? [7:49670]

Hi group,

A piece of Huawei 3640 router just came in the office for evaluation.  The
whole box seems like a complete duplicate of Cisco's routers, even the CLI
looks and feels like home.

Heard that the Huawei box has the ability to run EIGRP and HSRP together
with Cisco. Anyone tried running the 2 boxes parallel together ?

Comments welcome.

Regards,

Ron Tan
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49701&t=49670



RE: Can get it to work (Pix 515 behind cable modem [7:49744]

2002-07-26 Thread Mark W. Odette II

From what I can see, you've initiated NAT, but didn't define a NAT Pool
of addresses.  So, I can only deduce that the PIX is defaulting to PAT
operation rather than just not allowing traffic across the PIX at all.
(wasn't that nice of Cisco :-] )

I'm just starting to study the ins/outs of PIX, so I could be wrong.

Try defining a NAT Pool, and see what happens; let us know!

Mark

-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 26, 2002 12:20 AM
To: [EMAIL PROTECTED]
Subject: Can get it to work (Pix 515 behind cable modem) [7:49744]

Dear All,

Below is my config.
Can someone tell me why clients on the inside interface can't get to the
internet (browse, ping, nothing)?
Yet show xlate shows clients PAT(ing) to outside address..
I am so frustrated, don't know what's the issue???!!!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.0.2
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:30:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
telnet 192.168.0.2 255.255.255.255 inside
telnet timeout 60
ssh timeout 5
dhcpd auto_config outside
terminal width 80
Cryptochecksum:0d7e04757f9b50f2a77acb163265e3ea
: end
[OK]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49785&t=49744



RE: Can get it to work (Pix 515 behind cable modem [7:49744]

2002-07-26 Thread Mark W. Odette II

Kevin- Disregard my last post... I read your message way too quickly,
and interpreted it to be asking why you were getting PAT results rather
than NAT as expected.

In reflection, I realize what you are actually asking, and also realize
that the configuration is missing Access Lists or Conduits.  Without
those, you're going nowhere on the "NET".

The 515 should have come with a couple of PIX manuals (probably for 6.1,
but that's ok).  Look at the chapter on Access-lists, as this is where
Cisco is headed for primary/default config of the PIX.  It used to be
Conduits were used in place of the Access Lists, and so far, the 6.1 and
6.2 code are backwards compatible for Conduits usage.

If you are still confused after your reading, try firing up the PDM and
adding an access list for allowing ICMP echo reply packets back in the
outside interface, and ICMP any packets out the inside interface.

IIRC, the PDM will generate the explicit allow IP acl for the inside
interface by default.  Save your changes, get out of PDM, and go telnet
back to the PIX to study the changes.

At the same time, see if you can get to the net now!

Also, I'd verify your WAN configuration by issuing a Show Route command
in Exec Mode; this will id your outside int. ip address and its def.
gw., as well as the default route for 0.0.0.0 0.0.0.0 traffic.

Sorry for the knee-jerk response of my earlier post. :(

Mark
--
> From: "Kevin O'Gilvie" 
> Date: 2002/07/26 Fri AM 01:20:23 EDT
> To: [EMAIL PROTECTED]
> Subject: Can get it to work (Pix 515 behind cable modem) [7:49744]
> 
> Dear All,
> 
> Below is my config.
> Can someone tell me why clients on the inside interface can't get to the
> internet (browse, ping, nothing)?
> Yet show xlate shows clients PAT(ing) to outside address..
> I am so frustrated, don't know what's the issue???!!!
> 
> PIX Version 6.2(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> no fixup protocol smtp 25
> names
> pager lines 24
> logging on
> logging trap debugging
> logging host inside 192.168.0.2
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet2 100full
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> ip address outside dhcp setroute
> ip address inside 192.168.0.1 255.255.255.0
> ip address dmz 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> timeout xlate 0:30:00
> timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> no sysopt route dnat
> telnet 192.168.0.2 255.255.255.255 inside
> telnet timeout 60
> ssh timeout 5
> dhcpd auto_config outside
> terminal width 80
> Cryptochecksum:0d7e04757f9b50f2a77acb163265e3ea
> : end
> [OK]
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49788&t=49744
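The two PIX threads above (the `http` versus `pdm location` question, and Kevin's 515 that PATs to the outside interface yet has no access lists) are exactly what a small config audit should surface before a box goes live. The script below is an added example, not code from the list or from Cisco; its sample config is constructed from the posted lines, with the password hash replaced by a placeholder, the `http`/`pdm location` lines from the "pix quick help" thread merged in, and the `telnet` statement widened to a /24 so the wide-mask warning fires.

```python
"""PIX 6.x config audit: added example, not code from the list posts or Cisco.

Reports the points the two PIX threads above turn on: whether each nat id
builds a NAT pool or PATs to an interface address (the "show xlate shows
PAT" observation), which hosts may reach management services (http for PDM,
telnet, ssh), that `pdm location` grants nothing, which interfaces have no
access-group bound (so the security-level default policy applies), and a
couple of weak settings such as the default SNMP community "public".
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed from lines posted in the threads: hash replaced by a placeholder,
# the http/pdm lines from "pix quick help" merged in, telnet widened to a /24.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password <REDACTED> encrypted
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
pdm location 165.12.55.12 255.255.255.255 inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
snmp-server community public
sysopt connection permit-ipsec
http server enable
http 165.12.55.12 255.255.255.255 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 60
"""

WEAK_SETTINGS = {
    "snmp-server community public": ("warn", "default SNMP community 'public'"),
    "sysopt connection permit-ipsec": ("info", "IPsec-decrypted traffic bypasses interface ACLs"),
}


@dataclass
class Finding:
    severity: str  # "info" or "warn"
    message: str


def mask_hosts(mask: str) -> int:
    """Number of addresses covered by a dotted-decimal mask."""
    return 2 ** (32 - sum(bin(int(o)).count("1") for o in mask.split(".")))


def audit_pix(config: str) -> list[Finding]:
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    out: list[Finding] = []
    # nameif gives interface names and security levels; access-group binds ACLs.
    ifaces = {m.group(1): int(m.group(2)) for ln in lines
              if (m := re.match(r"nameif \S+ (\S+) security(\d+)$", ln))}
    bound = {m.group(1) for ln in lines
             if (m := re.match(r"access-group \S+ in interface (\w+)$", ln))}

    # Pair each nat id with its global(s); 'interface' as the global means PAT.
    globals_by_id: dict[str, list[tuple[str, str]]] = {}
    for ln in lines:
        if m := re.match(r"global \((\w+)\) (\d+) (.+)$", ln):
            globals_by_id.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    for ln in lines:
        if not (m := re.match(r"nat \((\w+)\) (\d+) (\S+) (\S+)", ln)):
            continue
        src_if, nat_id, net, mask = m.groups()
        if nat_id != "0" and nat_id not in globals_by_id:  # nat 0 needs no global
            out.append(Finding("warn", f"nat id {nat_id} on {src_if} has no global; no xlate can be built"))
        for out_if, spec in globals_by_id.get(nat_id, []):
            kind = "PAT to the interface address" if spec.startswith("interface") else f"NAT pool {spec}"
            out.append(Finding("info", f"nat id {nat_id}: {src_if} {net}/{mask} -> {out_if}, {kind}"))

    # Management access statements, and the purely informational pdm location.
    for ln in lines:
        if m := re.match(r"(http|telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\w+)$", ln):
            svc, host, mask, ifname = m.groups()
            n = mask_hosts(mask)
            out.append(Finding("warn" if n > 1 else "info",
                               f"{svc} management permitted from {host}/{mask} on {ifname} ({n} address(es))"))
        elif m := re.match(r"pdm location (\S+) (\S+) (\w+)$", ln):
            out.append(Finding("info", f"pdm location {m.group(1)} on {m.group(3)}: PDM bookkeeping only, grants no access"))

    for name, level in ifaces.items():
        if name not in bound:
            out.append(Finding("info", f"interface {name} (security{level}) has no access-group; "
                                       "default policy: higher->lower permitted, lower->higher denied"))
    for ln in lines:
        if ln in WEAK_SETTINGS:
            sev, why = WEAK_SETTINGS[ln]
            out.append(Finding(sev, f"{ln}: {why}"))
    return out


if __name__ == "__main__":
    for f in audit_pix(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}")
```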



RE: Check this new command out [7:49717]

2002-07-26 Thread Mark W. Odette II

I was able to use it on my 2600's running 12.2(8), and only tried a
handful of commands, which DID work.

Ex:
Router-DAL-GateWay(config)#do ?
  LINE  Exec Command

Router-DAL-GateWay(config)#do show ?
LINE

Router-DAL-GateWay(config)#do sh ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            X.X.X.X         YES NVRAM  up                    up
Serial0/0                  unassigned      YES NVRAM  up                    up
Serial0/0.1                X.X.X.X         YES NVRAM  up                    up
Serial0/0.210              192.168.100.1   YES NVRAM  up                    up
Serial0/0.310              192.168.100.5   YES NVRAM  up                    up
Serial0/0.410              192.168.100.9   YES NVRAM  up                    up
Router-DAL-GateWay(config)#

Do sh ver, do sh ip ro, do sh run, do sh ip ei top - all yielded
expected results... totally awesome for me.

It apparently applies to all exec commands, as shown by the following
example:

Router-DAL-GateWay(config)#do ping 198.6.1.2 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.6.1.2, timeout is 2 seconds:
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
Router-DAL-GateWay(config)#

I'll have to get on my 1750s and 2514 to see if it works for them too.

-Mark

-Original Message-
From: Moffett, Ryan [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 26, 2002 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: Check this new command out [7:49717]

I have the "do" command in config mode (in c3640-i-mz.122-5d.bin), but the
output is only:

router(config)#do ?
  .  Version number

-Original Message-
From: Dan Penn [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 26, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: Check this new command out [7:49717]


Yes, I'm not sure what platforms it does work on, I tried it on 2500's,
2600's and 4500's with no luck

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
MADMAN
Sent: Friday, July 26, 2002 8:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Check this new command out [7:49717]

Priscilla Oppenheimer wrote:
> 
> MADMAN wrote:
> >
> > Thought this was pretty cool!!
> >
> > c7304(config)#do sh ver
> 
> Cool! Can you do stuff other than show version while in config mode??
> 

  Yes it appears you can do most anything, I tried a sh mem, sh config |
inclu, sh ip route, they all work.  I don't know when/if this will be
available in released IOS, I tried it on a 7200 running the latest 12.2.10a,
no cigar.

  Dave
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49790&t=49717



RE: PIX 501 and enabling DES [7:49705]

2002-07-27 Thread Mark W. Odette II

NetEng-

If you just bought the 501, you should be under warranty, and can call
TAC for "Special Access" download code, and then go to the Software
Center and enter the code they gave you to gain access to downloading a
copy of the current software on your PIX... you might even get them to
allow you downloading the newer code for free.

Also, I think (haven't tried this myself) you can tftp the current flash
image OFF of the PIX for 'backup' purposes, and then tftp it back onto
it for your "re-installation" of the PIX OS, giving you the opportunity
to put in your DES key.

Since you get warranty support from TAC, I'd call them and have them
assist you on this matter.  I'm sure you'll be happy with their support
service.

I think the file you specify is 'flash:pix613.bin'

i.e., the command would be ' copy flash:pix613.bin tftp' or 'copy flash
tftp' and then answer the prompts as necessary.


Here is a list of the possible versions to choose from:

pix622.bin
Binary REQUIRES 32 MB RAM AND 8MB FLASH  6.2.2.ED 28-JUN-2002 1658880 
pix621.bin
Binary REQUIRES 32MB RAM AND 8MB FLASH  6.2.1.ED 19-APR-2002 1640448 
pix614.bin
Binary REQUIRES 32 MB RAM AND 8MB FLASH  6.1.4.GD 15-JUL-2002 2598912
pix613.bin
Binary REQUIRES 32MB RAM AND 8MB FLASH  6.1.3.ED 28-FEB-2002 2580480 
pdm-112.bin
Cisco PIX Device Manager  1.1.2 09-NOV-2001 3528136 
pdm-202.bin
Cisco PIX Device Manager  2.0.2 13-JUN-2002 4539600

HTH's

Mark

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, July 27, 2002 10:32 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX 501 and enabling DES [7:49705]

The image comes with the Pix if you bought it legally from Cisco.
I'm sure they could sell all Pix's with encryption enabled and charge more
for all of them.
I'd rather have the option to pay for Pix without encryption if I don't
need it.

As I said though in version 6.2 onwards you don't need to reload the image.
Just use "activation key"

Gaz

"NetEng" wrote in message
news:[EMAIL PROTECTED]...
> So Cisco sells a firewall with no encryption and then forces you to buy a
> smartnet contract so you can download the latest IOS and install the key?
> That sounds like Microsoft marketing.
>
> "Brad Ellis" wrote in message
> news:[EMAIL PROTECTED]...
> > Yes, re-install the same version of the OS, and enter a new activation
> > key.  That's all ya got to do.
> >
> > thanks,
> > -Brad Ellis
> > CCIE#5796 (R&S / Security)
> > [EMAIL PROTECTED]
> > Cisco home labs:  www.optsys.net
> >
> > "NetEng" wrote in message
> > news:[EMAIL PROTECTED]...
> > > I received my PIX 501 this afternoon! However I can not access it via
> > > PDM.  I got the 56bit DES key from Cisco, but I can't figure out how
> > > to activate the thing. The documentation just goes through upgrading
> > > the FW IOS and at the end it will prompt you for the key. I don't want
> > > to upgrade the IOS, just install the key. Any ideas? Please note my
> > > versions (no command activate-key). Thanks
> > >
> > > show version:
> > > Cisco PIX Firewall Version 6.1(3)
> > > Cisco PIX Device Manager Version 1.1(2)
> > >
> > > Compiled on Fri 22-Feb-02 08:15 by morlee
> > >
> > > pixfirewall up 45 mins 40 secs
> > >
> > > Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
> > > Flash E28F640J3 @ 0x300, 8MB
> > > BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
> > >
> > > 0: ethernet0: address is 000a.411e.f696, irq 9
> > > 1: ethernet1: address is 000a.411e.f697, irq 10
> > >
> > > Licensed Features:
> > > Failover:   Disabled
> > > VPN-DES:Disabled
> > > VPN-3DES:   Disabled
> > > Maximum Interfaces: 2




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49899&t=49705



RE: CCIE Experiences? My Road Ahead... [7:50139]

2002-07-30 Thread Mark W. Odette II

Rob-

I think it is feasible without the 10 years experience working for an
ISP.  In fact, I've been working with Cisco equipment off and on at
first, but then more consistently for the past 6 years.  I took my time
in completing my CCNP (almost 2 years from the point of CCNA), and
probably could have gotten it sooner if I had really applied myself.

For the CCIE, this discussion has been mulled over at least 4 times in
the past 6 months.  The bottom line is, half of the CCIE preparation is
book-study... pure "Cisco" Academics.  But the other half is real
experience working on the equipment for a considerable amount of time,
whether it be more in production and less in lab racks, or vice versa.

One of the list contributors (NRF) I'm sure will comment on his
definition of "Lab Rat", and how he believes that a considerable amount
of employers are not interested in Lab Rats for CCIE's**.  It's a catch
22 in this respect, of which I'm sure you can already understand.

** no need to rehash this topic NRF :)

Personally, I think you can reasonably obtain the CCIE in 18 months, and
really be a well developed CCIE.  Do keep in mind though, the CCIE is
not the top of the mountain, but rather just one of the summits in your
career.  You WILL need to keep learning, and it is up to you if you
decide to continue participating in the Vendor Certification game.

Just my .0010

Good luck on your studies.

Mark Odette II
CCNP, MCSE 4.0/2K, A+ Certified.

-Original Message-
From: Robert D. Cluett [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 11:30 AM
To: [EMAIL PROTECTED]
Subject: CCIE Experiences? My Road Ahead... [7:50139]

All (CCIE's and CCIE Written)

I was wondering if you could help me understand what it is I am in for. I
have 3 years of experience at tier 3 IP support with Verizon. OSPF mostly.
I have experience with various Cisco and Nortel routers and switches. My
question is this, knowing OSPF and circuit troubleshooting is excellent
knowledge, but I know that is only a fraction of what the CCIE demands. I
recently passed the CCNA, and have jumped into the studying for the routing
exam. The only thing which seems tough is the BGP (I have not touched it
before). So, my question is, what can I expect from this road ahead. Is it
feasible to eventually obtain my CCIE or is the CCIE for those people who
have the 10 years of experience working for an ISP? Any advice would help!

Rob Cluett, CCNA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50146&t=50139



RE: Hardware requirement for Cisco CallManager [7:50142]

2002-07-30 Thread Mark W. Odette II

IIRC, Cisco will only support the OEM Servers they have certified the CM
product to run on.

Currently, the only vendor certified is Compaq.  Other vendors are "in
the works" for certification, and include IBM and HP.  HP may not be
true anymore, based on a statement made from a colleague recently.  He
said that an HP Sales person paid a visit to his office, and summarized
what platforms were being discontinued as a result of their merger with
Compaq-- the HP Server platform was being dropped in favor of Compaq's
Proliant line.

I could contact Cisco Sales directly for a definitive answer.

The Compaq Server models that it will run on if you buy your server
separately are the DL320, DL360, and DL380's.  Cisco's label for these
machines is the MC?7800 series.  I think it's 7830, 7850, 7860
respectively.

That being said... there are ways of running Call Manager on Clone
Servers... but that's a vendor secret.  I believe Dual-PIII is their
required minimum... but I could be wrong.  CPU's are in the 1.Ghz range.

Hope that helps!

Mark

-Original Message-
From: Thomas [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: Hardware requirement for Cisco CallManager [7:50142]

Hi All,

Could anyone help me with a question regarding the hardware specs required by
Cisco Call Manager?  Do we have to buy the server from Cisco or can we buy
the software and install it on any server?  Thanks!

Thomas




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50151&t=50142



RE: Hardware requirement for Cisco CallManager [7:50142]

2002-07-30 Thread Mark W. Odette II

As an addendum to my last post:
Statement should say-

I WOULD contact Cisco Sales directly for a definitive answer. :)

Funny... that W is sooo far up there on the keyboard, but yet I somehow
hit the C key instead. Hmmm.

-Original Message-
From: Mark W. Odette II 
Sent: Tuesday, July 30, 2002 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: Hardware requirement for Cisco CallManager [7:50142]

IIRC, Cisco will only support the OEM Servers they have certified the CM
product to run on.

Currently, the only vendor certified is Compaq.  Other vendors are "in
the works" for certification, and include IBM and HP.  HP may not be
true anymore, based on a statement made from a colleague recently.  He
said that an HP Sales person paid a visit to his office, and summarized
what platforms were being discontinued as a result of their merger with
Compaq-- the HP Server platform was being dropped in favor of Compaq's
Proliant line.

I could contact Cisco Sales directly for a definitive answer.

The Compaq Server models that it will run on if you buy your server
separately are the DL320, DL360, and DL380's.  Cisco's label for these
machines is the MC?7800 series.  I think it's 7830, 7850, 7860
respectively.

That being said... there are ways of running Call Manager on Clone
Servers... but that's a vendor secret.  I believe Dual-PIII is their
required minimum... but I could be wrong.  CPU's are in the 1.Ghz range.

Hope that helps!

Mark

-Original Message-
From: Thomas [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: Hardware requirement for Cisco CallManager [7:50142]

Hi All,

Could anyone help me with a question regarding the hardware specs required by
Cisco Call Manager?  Do we have to buy the server from Cisco or can we buy
the software and install it on any server?  Thanks!

Thomas




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50156&t=50142



RE: TCP sequence numbers question [7:49535]

2002-07-30 Thread Mark W. Odette II

I have the same problem, of which I'm still searching for an answer. :(

The "Client" is SBClient (a fancy GUI program for Telnet), and the
Server is Unidata DB server running on NT 4.0 with SP6a and the Unidata
server has its own Telnet Service that appears to be running on the
standard port.

Client connections are made across a Site-to-Site VPN (PIX to PIX/LAN to
LAN), only 1 or 2 users have their sessions terminated without request
from the Server Admin or the Client.  All information gathered seems to
indicate that after a period of idle time, the connection is dropped.
My problem is, I've placed a sniffer (Ethereal) on both ends of the
connection (but not simultaneously) with hopes of finding the root of
the disconnect, but am not able to do so thus far.  The weird thing is,
it seems like when the particular user that experiences these random
disconnects logs into the system, I see a Multicast Join advertisement
appear.  If they normally log out of the system (telnet app), I see a
Multicast Leave advertisement 

If anyone has a similar setup and can shed some light on where I can go
look to figure this out, I'd appreciate it.

For clarity, the ASCII art depicts the layout:


Telnet Server  (Unidata DB Server)
|
--PIX--
| |
- RouterA |
| |  V
--Internet--  |  P
| |  N
- RouterB |
| |
-- PIX   --
|
- SBClient (Win98 workstations)

Also, when the SBClient "gets suddenly disconnected", the Server still
thinks the user is connected.  When the user re-connects to the server
with the SBClient telnet app, the server starts a NEW session for the
same user id, and therefore eats up another license connection.  The now
"orphaned" old session has to be manually killed by the Admin on the
Server.  These disconnects only occur with users across the VPN- local
users are not affected.

Short of coming up with a selective debug (if it's even possible) and
logging debug output for the specific users' telnet sessions over a
period of time, I'm at a loss as to how I can figure out and solve this
problem.

Note: ONLY 1 or 2 Users at each of four remote sites experience this
issue... and it's always the same users.  This whole setup did work
without a problem when the remote users were connected via Frame Relay
P-t-P connections... but has exhibited this issue since the topology
changed to VPNs and dropping the FR connections.

Also- I've opened a TAC case, but TAC pointed me back to the server, and
said "confirm whether or not the Server's Telnet service operates with
unicast, or broadcast/multicast and get back with us.  Also run a
sniffer to capture session traffic and check that for errors and then
get back with us.  The PIX does not pass broadcast or multicast traffic
by design of its ASA process.  If the server is using anything other
than unicast for communications, reconfigure application server for
unicast."

So far my determination is that the Unidata Application Server's
implementation of Telnet is TCP unicast.

Am I wrong to understand telnet uses TCP-based unicast communications??

TIA for any advice or ideas on how to solve this problem.

-Mark

-Original Message-
From: sam sneed [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 25, 2002 11:17 AM
To: [EMAIL PROTECTED]
Subject: Re: TCP sequence numbers question [7:49535]

How does the other host know it's a keepalive? I do not see any keepalive
fields in the TCP packet, perhaps a TCP option?
I think I was more confused by how the sequence #'s are incremented and
ack'd. I read in Stevens' book
"Since every byte that is exchanged is numbered, the acknowledgement number
contains the next sequence number that the sender of the acknowledgement
expects to receive. This is therefore the sequence number plus 1 of the last
successfully received byte of data."
So using the example below (host A 192.168.133.21, B 10.10.10.12), A sends 1
byte of data, last successful sent byte is 2653258021, shouldn't Host B ack
(2653258021)+1 ?

The problem I'm trying to solve is a TCP connection that unexpectedly
terminates. Supposedly the client can detect this and reconnect to the
server but there are problems. I started the keepalive thread last week
related to the same issue. I thought our firewall may have dropped the
connection from its state table after its timeout but this is not the case
since it seems keepalives are sent every 30 seconds.

17:56:46.563514 O 192.168.133.21.5055 > 10.10.10.12.1617: P 2653258020:2653258021(1) ack 808512610 win 8760 (DF)

17:56:46.604328 I 10.10.10.12.1617 > 192.168.133.21.5055: . ack 2653258021 win 17520 (DF)

17:58:20.327090 O 192.168.133.21.5055 > 10.10.10.12.1617: P 2653258020:2653258021(1) ack 808512610 win 8760 (DF)

17:58:20.368296 I 10.10.10.12.1617 > 192.168.133.21.5055: . ack 2653258021 win 17520 (DF)

17:59:54.090651 O 192.168.133.21.5055 > 10.10.10.12.1617: P 2653258020:2653258021(1) ack 808512610 win 8760 (DF)

17:59:54.132170 I 10.10.10.12.1617 > 
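The two questions in this thread (sam's: what ACK number should follow a one-byte segment; Mark's: whether idle sessions across the VPN are being dropped by a state timeout) can be checked with the same script. The following is an added example in Python, not code from either poster. It parses the tcpdump lines quoted above, rejoined onto one line each, classifies the repeated one-byte segments as keepalive probes, checks that the peer's ACK equals seq+len (tcpdump prints the range [seq, seq+len), so the last byte carried is seq+len-1 and Stevens' "last byte plus one" is seq+len), measures the spacing between probes, and compares that spacing with a firewall idle timeout. The timeout values are constructed for illustration; the sixth capture line is cut off on the page, so the sample stops at the fifth and the last probe is reported as not yet acknowledged within the excerpt.

```python
"""Keepalive check over tcpdump lines: which segments are keepalive probes,
does the peer ACK them with seq+len, and do they arrive often enough to
refresh a firewall's idle timer. Added example, not the posters' code."""
import re
from datetime import datetime

# Constructed sample: the five complete capture lines quoted in the thread,
# each rejoined onto one line as tcpdump prints it. The sixth line is cut
# off on the page, so the last probe has no reply within this excerpt.
SAMPLE = """\
17:56:46.563514 O 192.168.133.21.5055 > 10.10.10.12.1617: P 2653258020:2653258021(1) ack 808512610 win 8760 (DF)
17:56:46.604328 I 10.10.10.12.1617 > 192.168.133.21.5055: . ack 2653258021 win 17520 (DF)
17:58:20.327090 O 192.168.133.21.5055 > 10.10.10.12.1617: P 2653258020:2653258021(1) ack 808512610 win 8760 (DF)
17:58:20.368296 I 10.10.10.12.1617 > 192.168.133.21.5055: . ack 2653258021 win 17520 (DF)
17:59:54.090651 O 192.168.133.21.5055 > 10.10.10.12.1617: P 2653258020:2653258021(1) ack 808512610 win 8760 (DF)
"""

# Old tcpdump TCP line: time dir src > dst: flags [seq:end(len)] [ack N] win W
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) [IO] (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) (?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)


def expected_ack(seq, length):
    """tcpdump prints a segment as [seq, seq+len): the last byte it carries is
    seq+len-1, so Stevens' "last byte plus one" is seq+len, not seq+len+1."""
    return seq + length


def parse(text):
    """Parse tcpdump lines into dicts; non-matching lines are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        segs.append({
            "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),
            "dir": (d["src"], d["dst"]),
            "seq": int(d["seq"]) if d["seq"] else None,
            "end": int(d["end"]) if d["end"] else None,
            "len": int(d["len"]) if d["len"] else 0,
            "ack": int(d["ack"]) if d["ack"] else None,
        })
    return segs


def find_keepalives(segs):
    """A keepalive probe carries at most one byte and re-sends the byte just
    below the sender's snd.nxt. Without the SYN in the capture the tell-tale
    is the same (seq, end, ack) repeating while nothing in that direction
    ever advances past it."""
    snd_nxt = {}
    for s in segs:
        if s["end"] is not None:
            snd_nxt[s["dir"]] = max(snd_nxt.get(s["dir"], 0), s["end"])
    count = {}
    for s in segs:
        if s["end"] is not None and s["len"] <= 1 and s["end"] == snd_nxt[s["dir"]]:
            key = (s["dir"], s["seq"], s["ack"])
            count[key] = count.get(key, 0) + 1
    probes = []
    for i, s in enumerate(segs):
        if s["end"] is None or count.get((s["dir"], s["seq"], s["ack"]), 0) < 2:
            continue
        want = expected_ack(s["seq"], s["len"])
        acked, rtt_ms = False, None
        for r in segs[i + 1:]:
            if r["dir"] == s["dir"]:
                break                       # next probe sent first: unanswered
            if r["dir"] == s["dir"][::-1] and r["ack"] == want:
                acked = True
                rtt_ms = round((r["ts"] - s["ts"]).total_seconds() * 1000, 1)
                break
        probes.append({"ts": s["ts"], "dir": s["dir"], "seq": s["seq"],
                       "expected_ack": want, "acked": acked, "rtt_ms": rtt_ms})
    return probes


def keepalive_report(text, idle_timeout_s):
    """Intervals between probes per direction, and whether the longest gap
    stays under the firewall's idle timeout (so the state entry is refreshed)."""
    probes = find_keepalives(parse(text))
    by_dir = {}
    for p in probes:
        by_dir.setdefault(p["dir"], []).append(p["ts"])
    gaps = [(b - a).total_seconds()
            for ts in by_dir.values() for a, b in zip(ts, ts[1:])]
    return {
        "probes": probes,
        "intervals_s": [round(g, 3) for g in gaps],
        "refreshes_idle_timer": bool(gaps) and max(gaps) < idle_timeout_s,
    }


if __name__ == "__main__":
    # Constructed timeouts: one short enough to show the failure mode.
    for idle in (60, 3600):
        rep = keepalive_report(SAMPLE, idle)
        print(f"idle timeout {idle}s: intervals {rep['intervals_s']} "
              f"refreshes={rep['refreshes_idle_timer']}")
        for p in rep["probes"]:
            print(f"  {p['ts']:%H:%M:%S} seq {p['seq']} expect ack "
                  f"{p['expected_ack']} acked={p['acked']} rtt={p['rtt_ms']}")
```

Run it once on a capture taken on the client side and once on a capture taken on the server side: a probe that shows as acknowledged on one side but never arrives on the other localizes where the idle flow is being dropped, and the measured probe interval against the firewall's configured connection timeout tells you whether the keepalives can refresh the state entry at all.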

RE: IS-IS on CCNP routing exam ??? [7:49621]

2002-07-30 Thread Mark W. Odette II

Hinwoto-

Welcome to the list!

Obviously your question indicates you are new, as this question has been
posed many times over the last 9 months.  If you are not new, then might
I suggest the Archives as research - provided they are available. :)


To answer your question though:

The BSCI exam is interchangeable with the CCNP and the CCIP
certifications.  It was added to /developed for the new CCIP
designation, but was made applicable to the CCNP career track too,
seeing as the only difference between it and the Routing exam is the
IS-IS.

It is doubtful that the BSCI exam will replace the Routing exam in the
future, though it would make sense IMHO.

And yes, you only need take one of the two exams to apply towards your
CCIP or CCNP certifications.

Good luck on your studies!

-Mark Odette II
CCNP, MCSE 4.0/2K, CompTia A+

-Original Message-
From: hinwoto [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 25, 2002 1:05 AM
To: [EMAIL PROTECTED]
Subject: IS-IS on CCNP routing exam ??? [7:49621]

Hello guys,

According to CCO, Routing Exam 640-603 does not include IS-IS as exam
material and BSCI exam 640-901 includes it.
Please correct me if I'm wrong that we only need to take just one of them
(either 640-603 or 640-901).
Can you guys who have taken the BSCI exam share information about this exam?
Is BSCI going to replace the Routing exam in the future?
It is good that Cisco includes IS-IS on the routing exam, which will
become tougher for CCNP candidates.

cheers
Hinwoto




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50168&t=49621



RE: Here we go again ( Pix 515) [7:49492]

2002-07-30 Thread Mark W. Odette II

... works fine on my 501 at the casa, but I've not put it into
production for a client.

Like you said, "right box for the job".

Mark

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 24, 2002 5:37 PM
To: [EMAIL PROTECTED]
Subject: Re: Here we go again ( Pix 515) [7:49492]

What's everybody's view on using the Pix as a DHCP server?

I used it once, only because after arriving on site to install the Pix the
customer mentioned that his old Firewall was doing DHCP and he had no plans
to do it on anything else.
Seemed to go fine, but would like to know if people have come across
limitations/issues.

I tend to agree with the view "Right box for the job", i.e. don't make the
Pix do things it's not made for, but if pushed into the situation, how does
it compare.

Cheers,

Gaz

""Kevin O'Gilvie""  wrote in message
news:[EMAIL PROTECTED]...
> Hi Kelly,
>
> You are absolutely right, and I love your strategy.
> That is the way I did it 2 years ago, but the only thing now is finding a
> vpn solution for the Macs. I used Pix for the PC's last time round but never
> had to do this for the Mac's. Any ideas?
>
>
> >From: "Kelly Cobean"
> >Reply-To: "Kelly Cobean"
> >To: [EMAIL PROTECTED]
> >Subject: RE: Here we go again ( Pix 515) [7:49492]
> >Date: Wed, 24 Jul 2002 02:18:38 GMT
> >
> >Man, you aren't asking much, are you? ;-)
> >
> >Ok, here's the order I'd do things in...
> >
> >First things first, get that firewall in place.  You don't list what their
> >internet connectivity is, but if they bought a PIX, it's safe to assume that
> >they have a persistent connection, and that being true, they're really
> >hanging it out there for someone to cut off, so to speak.  Network security
> >is always a primary concern, and the firewall won't take a lot of time to
> >set up.  Not setting it up could be very costly.  If they already have a
> >light(er)-weight firewall like a Linux host running IP chains or IP tables,
> >replacing this first will save your users down-time later because you can
> >pre-configure your internet rulebase/access in preparation for your private
> >addressing.
> >
> >Next, I'd do the DHCP and Private Addressing.  These go hand in hand, and
> >since your firewall is now in place, you can do the NAT/PAT translations as
> >needed and not have to rethink these later.
> >
> >Third, get Exchange up and running.  If it's going on a different system
> >than Quick mail is running on, great!  Now you can get them running in
> >parallel, and move users accounts over one at a time or in batches.  There
> >are probably tools out there to do the mailbox format conversion.  Now that
> >your network is secure at layer3/4, you can focus on the nitty-gritty of the
> >user data. (Oh yeah, don't forget that backup!!!)
> >
> >It's a 10,000 foot view, but that's how I'd do it.  I'm not really a MAC
> >guy, but I'd venture a guess that most or all of your MAC's run TCP/IP and
> >support DHCP, so from an L3/4 standpoint, they're really no different than
> >your PC's.
> >
> >When doing multiple projects like this, I tend to work along the OSI model.
> >If the wiring is horrible, or the NIC's are all old 10Base2 nics and have
> >transceivers to hook them to your BaseT network, take care of the layer 1
> >stuff first.  Next, if the network is all unmanaged hubs, and your network
> >is one gigantic broadcast domain, start installing switches to quiet down
> >the network.  Next, get VLANs/routing/security in place for Layer3/4.  Next,
> >work on the "upper layers" where all of your apps and data live and talk.
> >Just my $0.02 worth.
> >
> >HTH,
> >Kelly Cobean, CCNP, CCSA, ACSA, MCSE, MCP+I
> >Network Engineer
> >AT&T Government Solutions, Inc.
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Kevin O'Gilvie
> >Sent: Tuesday, July 23, 2002 9:07 PM
> >To: [EMAIL PROTECTED]
> >Subject: Here we go again ( Pix 515) [7:49492]
> >
> >
> >Dear All,
> >
> >I am jumping into a similar mess as when I started at my current company,
> >but this time the Macs out number the PC's. Well here is the scoop:
> >180 Macs
> >50 PC's
> >Static Ip's
> >No DHCP
> >No FW
> >Quick Mail Server
> >and a whole bunch of other nasty things..
> >- They just purchased a Pix 515
> >- They just bought Exchange 5.5
> >
> >My projects are:
> >Set up DHCP
> >Set up Pix
> >Set up Private Addressing
> >Set up Exchange
> >Migrate them from Quick Mail
> >etc etc
> >I have done this before but maybe you guys can help as to how I should go
> >about this the quickest.
> >
> >Thanks,
> >
> >Kevin
> >
> >
> >_
> >Send and receive Hotmail on your mobile device: http://mobile.msn.com
> _
> Send and receive Hotmail on your mobile device: http://mobile.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50167&t=4

What's the deal?? [7:50178]

2002-07-30 Thread Mark W. Odette II

What's the deal with messages submitted several days ago finally being
posted now, while others have been posted on time??

I just saw 3 messages (replies to others' posts) I submitted last Wed.
and Thurs. get sent to me from GroupStudy.

Somebody just do an online restore to the GroupStudy Server??

Mark




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50178&t=50178



RE: IS-IS on CCNP routing exam ??? [7:49621]

2002-07-31 Thread Mark W. Odette II

That would be correct.  BSCN does NOT count towards the CCIP Certs.

Good luck on your studies!

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 6:32 PM
To: [EMAIL PROTECTED]
Subject: Re: IS-IS on CCNP routing exam ??? [7:49621]

"Mark W. Odette II" wrote:
> 

> The BSCI exam is interchangeable with the CCNP and the CCIP
> certifications.  It was added to /developed for the new CCIP
> designation, but was made applicable to the CCNP career track too,
> seeing as the only difference between it and the Routing exam is the
> IS-IS.
> 

> And yes, you only need take one of the two exams to apply towards your
> CCIP or CCNP certifications.
> 

I just wanted to clarify this.  You only need to take the BSCI exam for
the routing part of CCNP and CCIP. However BSCN will not count towards
the CCIP cert.


Peter Walker




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50297&t=49621



RE: cisco's exams [7:50295]

2002-07-31 Thread Mark W. Odette II

Pulled from a pool of around 1000 questions (the number may not be
correct, but it's quite a large pool).

-Original Message-
From: kim miroy [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 31, 2002 1:53 PM
To: [EMAIL PROTECTED]
Subject: cisco's exams [7:50295]

Hi,

Does anyone know if Cisco's exams are pulled from a pool of questions or if
all the questions on one particular exam will be the exact same set of
questions for someone else writing the same exam?

Thanks in advance.

:-) k




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50300&t=50295



RE: Anyone took EVODD (9E0-411)? [7:50340]

2002-08-01 Thread Mark W. Odette II

I don't know how "easy" the exam is, as I've not taken it.

What I have heard though is that it was/may still be an open-book test.

Also, the study material for it is apparently web-based, as there isn't
anything in hard-copy...  at least that is what I've been told- have not
been able to confirm for sure.

Maybe someone else will have a more definitive answer.  At least I hope
so.

Mark

-Original Message-
From: blitzlight [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, August 01, 2002 9:40 AM
To: [EMAIL PROTECTED]
Subject: Anyone took EVODD (9E0-411)? [7:50340]

Hi all,

I've completed DQoS (a badly written exam) and would like to move on to IPT
Design Specialist.

I've been searching high and low for the study guide or other self-study
material, but couldn't find it.
CCO doesn't help either. Whenever I do keyword search based on exam topics,
CCO search results only point me back to the Exam Description/Topics Page.

I wrote to Boson asking whether or not they have it, they replied that they
have no author for this exam.

Anyone took EVODD 9e0-411 exam yet? What did you use for study &
preparation? PEC?
I can't afford to go for the full-blown training. 
Some suggest that this exam is an easy one ... a walk in the park ... is
this true?

Regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50387&t=50340


