Interface Vlan 'x' is up, line protocol is down [7:73428]
If I enable any VLAN interface other than VLAN 1, it will not enter a protocol-up state unless a physical interface has VLAN 'x' assigned to it. Why is that?

    vlan database
    vlan 2
    !
    interface FastEthernet0/1
     switchport access vlan 2
     no shutdown
    !
    interface Vlan2
     ip address 2.2.2.2 255.0.0.0
     no shutdown

If I were to plug a device into interface f0/1, interface Vlan2 will come up/protocol up. If I change the access VLAN to another VLAN, interface Vlan2 will go down. I would appreciate any comments.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=73428&t=73428
--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
RE: Is 'troubleshooting campus networks' enough for CIT [7:66045]
Yes, it is a retransmit. I have already taken the test and passed, by the way! I have also used the book to pass a couple of Sniffer tests. I think it is great.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66045&t=66045
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Is 'troubleshooting campus networks' enough for CIT?? [7:66017]
I have read part of this book. It seems to line up with the CIT. Will this be enough reading material to pass the CIT?
FW: Is 'troubleshooting campus networks' enough for CIT?? [7:65780]
Let me clear up the last statement. I always read at least two books before taking any exam, so if there is a subject I don't feel confident in I can pop open another book and see how this author views the subject matter. I am just wondering whether anyone else has used this book to study for the exam.

-Original Message-
From: Newell Ryan D SrA 18 CS/SCBT [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 7:11 PM
To: [EMAIL PROTECTED]
Subject: Is 'troubleshooting campus networks' enough for CIT?? [7:65732]

I have read part of this book. It seems to line up with the CIT. Will this be enough reading material to pass the CIT?
RE: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65379]
Reading the CDP vulnerability link, I cannot determine how a hacker can trigger the attack. Reading the email trail, it seems that you are worried about the info displayed in the frame. If that is what your company is trying to avoid, here is an idea. Why not disable it on a per-port basis? That is a lot of work, but everyone gets what they want. On the links between network devices enable it, and on the links to hosts disable it. That way a hacker just can't 'plug in' and get the info. I know Cisco has the 'set port host' macro command for CatOS that disables a lot of stuff. I wish that it encompassed disabling CDP.

D

-Original Message-
From: Pistone, Mike [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2003 3:54 AM
To: [EMAIL PROTECTED]
Subject: RE: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65347]

The NSA has an unclassified Securing Cisco Networks document that I found last year. I think it is linked off of www.nsa.gov somewhere. It is an excellent document dealing with all aspects of securing your network, including CDP, I believe. From what I remember, it was developed for their use, but they decided to release it to increase the security of the country's infrastructure. I just looked up the link -- it's at http://www.nsa.gov/snac/index.html

Mike
___
Mike Pistone
NASA - Russian Services Group
Marshall Space Flight Center
Huntsville, AL 35806
Ph: (256) 544-2915
Em: [EMAIL PROTECTED]

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2003 12:17 AM
To: [EMAIL PROTECTED]
Subject: RE: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65251]

chris kane wrote:
> It recently came to my attention that my company may plan to disable all CDP in our network. The current vibe is that they see it as a security risk. My intent is to research this and provide a paper arguing for the use of CDP.
>
> The purpose for my post is to see if my opinions of the benefits of CDP are realistic (sanity check) and to see how others view CDP, weighing its usefulness vs. any possible risk.
>
> I have already begun researching any security releases on CCO in regards to CDP. Initial scan shows a 'vulnerability' notice that Cisco most recently updated on Feb 12, 2003. This information can be found at this link:
> http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080093ef0.shtml
>
> Looking at CDP from a troubleshooting tool perspective, I am all for it. I've personally been saved unknown hours tracing down a problem because CDP allowed me to bounce around the network quickly. Our network is not small. And as most people would agree, documentation is never what we all would like it to be. Therefore, I find that CDP's ability to display the network below Layer 3 is appreciated.

So will a hacker appreciate CDP's ability to display information about the internetwork. I think that's the reasoning behind the security experts saying to turn it off.

That is indeed the current vibe. I took a Cisco security class at the Usenix Security Symposium in August 2002. The instructor said to turn it off.

Have you looked at the documents at the Center for Internet Security? They have benchmarks for Cisco security. They have 2 levels. Even with the less severe level, they say to turn off CDP. The Center for Internet Security tries to develop consensus on security measures. Their partners include The SANS Institute, the DoD Computer Emergency Response Team, NASA, National Institute of Standards and Technology, etc. Their Web site is here: http://www.cisecurity.org/

On the other hand, I think you could certainly make a good case for not disabling CDP. Being able to troubleshoot efficiently is just as important as security when considering network availability. A network that's broken due to typical network problems is experiencing a denial of service just as bad as if a hacker had broken in. Good troubleshooting tools mean a more available network, there's no question.

I hope others answer too. I know that all the security people say to turn it off and most people who actually work in the trenches say, "Hunh?"

Priscilla

> Also from a tool perspective, I know CiscoWorks has tools to offer that utilize CDP. And I've seen software from other companies that does as well. Think Layer 2 traceroute capability.
>
> Looking at CDP from a multi-vendor platform perspective, I realize that it's often beneficial to turn off CDP on interfaces that connect to non-Cisco devices. No point in bothering a non-Cisco device with traffic that it can't process. But note, this is not turning off CDP globally per router/switch, but rather, disabling on an as-needed basis per interface.
>
> I'd like to hear other views and I'd appreciate feedback and opinions about this.
>
> Thanks,
> -chris
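An added example for the CDP thread above (my code, not from any of the posters): a decoder for the TLVs inside a CDP advertisement, which shows concretely what the "info displayed in the frame" is that the thread worries about, i.e. what a host on an access port with CDP left enabled can read without sending anything. The sample frame is constructed by hand; the hostname, platform and version string in it are invented, and the checksum is left as zero and not verified. For the per-port approach D suggests, the knobs are 'no cdp enable' on an IOS interface (versus 'no cdp run' globally) and 'set cdp disable mod/port' on CatOS.

```python
"""Decode the cleartext fields of a Cisco Discovery Protocol (CDP) payload.

Added example for the CDP thread; not code from the original posts.
The payload bytes below are constructed by hand, not captured from a real
device; the device name, platform and version string are invented.
"""
import struct
from ipaddress import IPv4Address

# CDP TLV types defined by the protocol
TLV_NAMES = {
    0x0001: "Device-ID",
    0x0002: "Addresses",
    0x0003: "Port-ID",
    0x0004: "Capabilities",
    0x0005: "Software Version",
    0x0006: "Platform",
    0x000A: "Native VLAN",
}

CAPABILITY_BITS = {
    0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
    0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater",
}


def parse_addresses(value: bytes) -> list:
    """Decode the Addresses TLV: count, then (proto type, proto len, protocol, addr len, addr)."""
    count = struct.unpack("!I", value[:4])[0]
    pos, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[pos], value[pos + 1]
        proto = value[pos + 2:pos + 2 + plen]
        alen = struct.unpack("!H", value[pos + 2 + plen:pos + 4 + plen])[0]
        addr = value[pos + 4 + plen:pos + 4 + plen + alen]
        if ptype == 1 and proto == b"\xcc" and alen == 4:   # NLPID 0xCC = IPv4
            addrs.append(str(IPv4Address(addr)))
        else:
            addrs.append(addr.hex())
        pos += 4 + plen + alen
    return addrs


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload (everything after the SNAP header) into a dict of TLVs.

    The checksum is carried through but not verified here.
    """
    version, ttl, checksum = struct.unpack("!BBH", payload[:4])
    fields = {"version": version, "ttl": ttl, "checksum": checksum}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError("malformed TLV length")
        value = payload[offset + 4:offset + tlv_len]
        name = TLV_NAMES.get(tlv_type, f"type-0x{tlv_type:04x}")
        if tlv_type == 0x0004:
            caps = struct.unpack("!I", value)[0]
            fields[name] = [n for bit, n in CAPABILITY_BITS.items() if caps & bit]
        elif tlv_type == 0x0002:
            fields[name] = parse_addresses(value)
        elif tlv_type == 0x000A:
            fields[name] = struct.unpack("!H", value)[0]
        else:
            fields[name] = value.decode("ascii", errors="replace")
        offset += tlv_len
    return fields


def tlv(t: int, v: bytes) -> bytes:
    """Build one TLV (the length field includes the 4-byte header)."""
    return struct.pack("!HH", t, len(v) + 4) + v


# Constructed sample: roughly what a switch advertises on an access port
SAMPLE_CDP = (
    struct.pack("!BBH", 2, 180, 0)                # version 2, TTL 180 s, checksum 0
    + tlv(0x0001, b"core-sw1")                    # invented hostname
    + tlv(0x0002, struct.pack("!I", 1) + bytes([1, 1, 0xCC])
          + struct.pack("!H", 4) + bytes([10, 0, 0, 1]))
    + tlv(0x0003, b"FastEthernet0/1")
    + tlv(0x0004, struct.pack("!I", 0x08 | 0x20))  # Switch + IGMP
    + tlv(0x0005, b"Cisco IOS Software (invented version string)")
    + tlv(0x0006, b"cisco WS-C3550-24")            # invented platform
    + tlv(0x000A, struct.pack("!H", 2))
)

if __name__ == "__main__":
    for k, v in parse_cdp(SAMPLE_CDP).items():
        print(f"{k:18} {v}")
```

Everything the decoder prints (management address, platform, software version, native VLAN, which port you are on) is the reconnaissance the CIS benchmark is trying to deny an unauthenticated host, which is why disabling CDP only on host-facing ports keeps the troubleshooting value between infrastructure devices.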
How to initiate a ssh from CATOS? [7:64556]
Trying to connect to another Cisco device via secure shell. I can do it from IOS to CatOS. But I do not know the command to go from CatOS to any other device. Thanks!
FW: FW: Ethernet Slot Time and Delay [7:63659]
Ms. Oppenheimer,

A colleague of mine pointed out to me that my wording may have seemed harsh, and that is why you slammed me for it. I didn't think of it as a slamming, just an experienced tech answering the newbie's questions. But if I offended you in any way, I apologize. I will also try and watch the way I word my questions. I know sometimes it seems I am being argumentative. It's just that when I have an understanding of a certain technology I tend to defend and back what I understand. I guess I will work on that. Well, thank you anyway for answering my question!

Thanks you too
B.A.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: FW: Ethernet Slot Time and Delay [7:63659]

Newell Ryan D SrA 18 CS/SCBT wrote:
> > 500 Meters?? It's 2500 meters. In one example of such a network, there can be 5 segments, 4 repeaters (hubs), but only 3 segments can have end systems. That's the infamous 5-4-3 "rule." It makes a lot of assumptions. Really, the size of the network depends on round-trip propagation delay for the particular equipment, cables, and cable lengths.
>
> Maybe I was wrong for thinking that. If my net was all 10BASE-T, then with max 5 segments...500 meters. That's where I got that number from. Measuring the size of the collision domain is well under slot time. So I could technically extend the size of the network.

The segment from the hub to the end station might be 100 meters, as that's how structured cabling is usually done. Between hubs probably isn't 100 meters, for what it's worth. In fact, it might be fiber-optic cabling.

> One of the things I ran into was the formula to use to calculate the round trip delay. With the formula in your book I came up with 210 bit times round trip for a 500 meter 4 hub network. But with the Definitive Guide's method I got 362 bit times. When I was going back and forth between books I think I got lost somewhere. For a 100 meter cable they suggest 11.3 bit times. While you suggest 5 one-way or 10 round trip...very close. But they start with a base value.
> Example: First segment would be 26.55 bit times instead of 11.3. The base value is 15.25. 15.25+11.3=26.55 bit times for the first segment.

Technically, IEEE does say to add some DTE delay time, i.e. time at the stations themselves, both the sender and receiver. This is all documented in IEEE 802.3 documents, which are available for free from IEEE. It's not worth reading though (for this purpose I mean.)

> I think I understand the theory behind slot time. It takes a station 51.2 microseconds to transmit the smallest frame. So station A needs to be notified by any other station if a collision was to happen while it was still transmitting.

That's it.

> So when the first bit of station A's preamble hits station Z's (at the other side of the network) RX pins while station Z was transmitting, its first bit hits the repeater. The repeater is going to use collision enforcement to make all stations including station A aware of the collision. This must happen before station A finishes transmitting the smallest Ethernet frame. I think that is it.
>
> So should bit time be the time it takes to transmit the preamble and 512 bits?

The preamble doesn't count. It's used to recover timing. A station or repeater might not catch all of the preamble. It just has to see the pattern and the start of frame delimiter. A repeater regenerates the preamble, by the way.

> One more thing...
>
> A proper preamble should look like 10101010 or AA. I'm sure I read somewhere that a collision would appear with all 5's or C's.

We used to see 55s on old coax networks. Never saw Cs though.

> How would that be possible if as soon as the repeater detects a collision it sends out a jam signal out all its ports?

Then you would see alternating ones and zeros on the end of a frame. I have seen this, but not recently. My current NIC won't give me bad frames so even a sniffer doesn't give them to me.

> Also a frame with a bad CRC is suspect of a collision.

The frame got damaged when the collision occurred.

> How? If you know where I could get more reading on this that would be great!

IEEE 802.3.

> Thanks for answering my questions!
>
> "We are what we repeatedly do. Excellence, then, is not an act, but a habit."--Aristotle
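An added worked calculation for the delay numbers traded in this thread (my code, not either poster's): the IEEE 802.3 Transmission System Model 2 round-trip path-delay check for 10 Mb/s, which is the method behind the Definitive Guide's base-plus-per-metre table. The 10BASE-T constants (left end 15.25, middle 42.0, right end 165.0 bit times base, plus 0.113 bit times per metre) and the 575 bit-time limit are the standard's table values as I remember them; check them against the standard or the book's table before relying on them. For the 500 m, four-hub, 100 m-per-segment layout the thread discusses they come to 362.75 bit times, which matches the 362 the poster reports from the Definitive Guide's method.

```python
"""Round-trip path delay check for a 10 Mb/s repeated Ethernet (IEEE 802.3 Model 2).

Added example for the slot-time thread; not code from either poster.
The per-segment constants are the 10BASE-T rows of the 802.3 Model 2 delay
table as I recall them (assumption: verify against the standard or the
Definitive Guide table the poster cites before relying on them).
"""

BIT_TIME_NS = 100          # one bit at 10 Mb/s
SLOT_TIME_BITS = 512       # 64-byte minimum frame = slot time = 51.2 us at 10 Mb/s
PATH_DELAY_LIMIT = 575     # Model 2 limit in bit times for 10 Mb/s (assumed table value)
SAFETY_MARGIN = 5          # extra bit times the Definitive Guide method adds

# 10BASE-T: (base delay in bit times, round-trip delay per metre in bit times)
TEN_BASE_T = {
    "left": (15.25, 0.113),
    "middle": (42.0, 0.113),
    "right": (165.0, 0.113),
}


def segment_delay(position: str, metres: float) -> float:
    """Round-trip delay contributed by one segment at the given position in the path."""
    base, per_metre = TEN_BASE_T[position]
    return base + per_metre * metres


def path_delay(segment_lengths) -> float:
    """Worst-case round-trip delay in bit times for a chain of 10BASE-T segments.

    segment_lengths: cable lengths in metres, listed from one end station to the
    other; the first and last are end segments, everything between is middle.
    The base values already include the repeaters between the segments.
    """
    if len(segment_lengths) < 2:
        raise ValueError("need at least two segments (one repeater)")
    total = segment_delay("left", segment_lengths[0])
    total += sum(segment_delay("middle", m) for m in segment_lengths[1:-1])
    total += segment_delay("right", segment_lengths[-1])
    return total


def check_path(segment_lengths):
    """Return (delay, ok): ok is False when the far-end collision could arrive
    after the sender has already finished its 512-bit slot."""
    delay = path_delay(segment_lengths) + SAFETY_MARGIN
    return delay, delay <= PATH_DELAY_LIMIT


if __name__ == "__main__":
    five_segments = [100, 100, 100, 100, 100]   # 500 m, four hubs, as in the thread
    delay, ok = check_path(five_segments)
    print(f"path delay {delay:.2f} bit times, limit {PATH_DELAY_LIMIT}: "
          f"{'OK' if ok else 'TOO LONG'}")
    print(f"slot time = {SLOT_TIME_BITS * BIT_TIME_NS / 1000} us")
```

The standard has you evaluate the path in both directions (the end with the larger delay value is the "right" end) and take the worse result; with identical 100 m segments the two directions are the same, which is why one call is enough here.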
RE: Cant establish reverse telnet [7:63660]
Show users would have displayed the line. I think you piped in 'show session'. I think show session shows outgoing telnet connections, and show users shows connections on the lines...vty, aux, con and tty.

-Original Message-
From: McHugh Randy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 7:59 AM
To: [EMAIL PROTECTED]
Subject: RE: Cant establish reverse telnet [7:63660]

I figured it out but don't really understand it. This is what I did:

    line con 0
     exec-timeout 0 0
     logging synchronous
    line 97 112
     no exec
     transport input all
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     password 7 060506324F41
     login
    !
    end

    TS#clear line 97
    [confirm]
    [OK]

Was it just line 97 that was stuck?

thx
Randy
FW: Cant establish reverse telnet [7:63660]
Are you reverse telnetting to the line the routers are connected to?

-Original Message-
From: McHugh Randy [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 7:55 AM
To: [EMAIL PROTECTED]
Subject: Cant establish reverse telnet [7:63660]

It appears that I cannot establish a telnet session to my routers from the term server. How can I clear the line?

    TS#sh ses
    % No connections open
    TS#r1
    Translating "r1"
    Trying r1 (1.1.1.1, 2097)...
    % Connection refused by remote host
    TS#r2
    Translating "r2"
    Trying r2 (1.1.1.1, 2098)...
    % Connection refused by remote host
    TS#clear line ?
               Line number
      aux      Auxiliary line
      console  Primary terminal line
      tty      Terminal controller
      vty      Virtual terminal
    TS#clear line

thanks
Randy
FW: Ethernet Slot Time and Delay [7:63659]
> 500 Meters?? It's 2500 meters. In one example of such a network, there can be 5 segments, 4 repeaters (hubs), but only 3 segments can have end systems. That's the infamous 5-4-3 "rule." It makes a lot of assumptions. Really, the size of the network depends on round-trip propagation delay for the particular equipment, cables, and cable lengths.

Maybe I was wrong for thinking that. If my net was all 10BASE-T, then with max 5 segments...500 meters. That's where I got that number from. Measuring the size of the collision domain is well under slot time. So I could technically extend the size of the network.

One of the things I ran into was the formula to use to calculate the round trip delay. With the formula in your book I came up with 210 bit times round trip for a 500 meter 4 hub network. But with the Definitive Guide's method I got 362 bit times. When I was going back and forth between books I think I got lost somewhere. For a 100 meter cable they suggest 11.3 bit times. While you suggest 5 one-way or 10 round trip...very close. But they start with a base value. Example: First segment would be 26.55 bit times instead of 11.3. The base value is 15.25. 15.25+11.3=26.55 bit times for the first segment.

I think I understand the theory behind slot time. It takes a station 51.2 microseconds to transmit the smallest frame. So station A needs to be notified by any other station if a collision was to happen while it was still transmitting. So when the first bit of station A's preamble hits station Z's (at the other side of the network) RX pins while station Z was transmitting, its first bit hits the repeater. The repeater is going to use collision enforcement to make all stations including station A aware of the collision. This must happen before station A finishes transmitting the smallest Ethernet frame. I think that is it.

So should bit time be the time it takes to transmit the preamble and 512 bits?

One more thing...

A proper preamble should look like 10101010 or AA. I'm sure I read somewhere that a collision would appear with all 5's or C's. How would that be possible if as soon as the repeater detects a collision it sends out a jam signal out all its ports? Also a frame with a bad CRC is suspect of a collision. How? If you know where I could get more reading on this that would be great!

Thanks for answering my questions!

"We are what we repeatedly do. Excellence, then, is not an act, but a habit."--Aristotle
FW: Ethernet Slot Time and Delay [7:63581]
> A collision could happen at the other end of the network segment.

I thought on a 10BASE-T net a NIC was notified of a collision by its RX pin getting data. So if Station A was transmitting and it was on bit 27, and station B started TX and by the time it got Station A's first bit it was on bit 2: is the collision said to happen at the location the data crossed on the 'bus' or at the NIC? Back to the example: now that Station B knows of the collision it will finish its preamble and will send a jam signal. So will Station A. I can see how round trip would make sense.

> News of the collision has to travel back to the senders.

Would it be one of the senders sending jam signals?

> The signal travels outwards; the collision news travels back.

Not really sure what you mean. I have been reading your book and the Ethernet book. I have been trying to figure this out all weekend. If a bit is 17.7 meters long and the max distance of a 10BASE-T net is 500 meters with 4 hubs (20 bit times), that gives a grand total of 105 bit times. Is this the propagation delay of the cable? I've been trying to compare this to the Definitive Guide's method and it is just not making sense in my mind. Seems like I'm overcomplicating a simple process.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 4:51 AM
To: [EMAIL PROTECTED]
Subject: RE: Ethernet Slot Time and Delay [7:63581]

Some descriptions of Ethernet refer to a segment as one side of a hub, i.e. just one link. The propagation delay information for hubbed networks takes into account the small amount of time for a repeater to repeat. The repeater doesn't do much, but it does regenerate the preamble and signal. A set of link "segments" connected via hubs is all one collision domain.

Anyway, read my book! Please! :-) It covers all of this in gory detail. An earlier version of the Ethernet chapter is also available at http://www.certificationzone.com/.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Priscilla Oppenheimer wrote:
> Newell Ryan D SrA 18 CS/SCBT wrote:
> >
> > If two 10BASE-T Ethernet stations transmit at the same time they receive data on their receive pins. Will both stations send out a 32 bit jam sequence?
>
> Yes.
>
> > If both stations do send a jam signal, why is the slot time closely related to round trip propagation delay? I would think it would be one way.
>
> A collision could happen at the other end of the network segment. News of the collision has to travel back to the senders. The signal travels outwards; the collision news travels back.
>
> The goal is to make sure that the sender is still sending when the news travels back, even if the news had to come from the far end of the network segment. If the sender weren't still sending, it wouldn't know that its transmission got damaged and wouldn't back off and retransmit. You would lose the feature of the NIC ensuring successful transmission, which happens in a microsecond time span, and have to depend on an upper layer figuring out that there's a missing ACK, which happens in a millisecond or worse time span. So, slot time is dependent on round trip time because it considers the time for news of the collision to travel back.
>
> Both senders transmit a jam signal to busy out the network for another 32 bit times. At least one of them has to do it, but they can't know that the other one did, so they both do it.
>
> Your question doesn't make sense, but hopefully there's some info in that which will help you.
>
> > Ethernet, The Definitive Guide page 182 they have some values to use to figure out propagation delay on 10 MB networks. There is a base value to start with and from there you add delay per meter. Why is the base value not zero?
>
> Even light in a vacuum takes some time to travel any distance. It travels 299,792,458 meters per second to be exact, but still, it's not zero. A signal on a network cable travels about 2/3 the speed of light.
>
> I don't know what base value you are referring to, but zero times anything is zero, so I doubt they could use a base value of zero regardless.
>
> > Also between segments the numbers do not make any sense. Going from Base to Max I understand but between segments.
>
> A collision domain stops at the boundary between network segments. A network segment is devices connected via hubs or coax cable. In fact, it might help you to remember that Ethernet was originally a long
Ethernet Slot Time and Delay [7:63581]
If two 10BASE-T Ethernet stations transmit at the same time, they receive data on their receive pins. Will both stations send out a 32 bit jam sequence? If both stations do send a jam signal, why is the slot time closely related to round trip propagation delay? I would think it would be one way.

In Ethernet, The Definitive Guide, page 182, they have some values to use to figure out propagation delay on 10 MB networks. There is a base value to start with and from there you add delay per meter. Why is the base value not zero? Also between segments the numbers do not make any sense. Going from Base to Max I understand, but between segments.
RE: CEF on 6500 and ACLs [7:63175]
Do you have a good link? I would like to know more. Thanks.

Why such a change from the PFC1/MSFC1? The concept you describe below seems to be a big change. I knew they were integrating, but I could still define the separation between router and switch with the PFC1/MSFC1. GOTTA BE ON YOUR Ps and Qs or you get left behind. That's why I love this job!

-Original Message-
From: Bob Sinclair [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 18, 2003 9:17 AM
To: Newell Ryan D SrA 18 CS/SCBT; [EMAIL PROTECTED]
Subject: Re: CEF on 6500 and ACLs [7:63175]

Some comments in-line.

It is becoming (has become?) very difficult if not impossible to tease out the "switch" from the "router" with PFC2/MSFC2. This box has the functions of both, and they are integrated in the hardware. For example, the Layer 2 switching engine, the QoS engine and the ACL engine are combined in the Lyra ASIC.

> With CEF (PFC 2) if there is an adjacency for the destination host, to my understanding, that packet will never be routed. It should just be rewritten by the PFC 2 (SP). If this is correct then these are my questions.

The packet is still "routed", it just is never seen by the piece of hardware we call the MSFC.

> 1. How does an IOS ACL affect the rewrite on the switch?
> 2. Where on the switch (SP) can I see that it knows an IOS ACL is there?

On that part of the box (which is both switch and router) that we can view through the "IOS window".

> 3. Is changing the flow mask on PFC 2 (SP) just for Netflow stats?

YES, exactly.

> Applying an IOS ACL had no effect on the flow mask.

YES, exactly.

> 4. Do MLS commands on the MSFC change anything?

I believe the MSFC2 can act as an RP for a Cat 5000 doing MLS. I believe the MLS commands there are for that purpose.

> Thanks!
CEF on 6500 and ACLs [7:63175]
With CEF (PFC 2), if there is an adjacency for the destination host, to my understanding that packet will never be routed. It should just be rewritten by the PFC 2 (SP). If this is correct then these are my questions.

1. How does an IOS ACL affect the rewrite on the switch?
2. Where on the switch (SP) can I see that it knows an IOS ACL is there?
3. Is changing the flow mask on PFC 2 (SP) just for Netflow stats? Applying an IOS ACL had no effect on the flow mask.
4. Do MLS commands on the MSFC change anything?

Thanks!
FW: CEF on 6500 and ACL?? [7:63138]
Also, do MLS commands on the MSFC do anything for CEF?

-Original Message-
From: Newell Ryan D SrA 18 CS/SCBT
Sent: Monday, February 17, 2003 12:42 PM
To: '[EMAIL PROTECTED]'
Subject: CEF on 6500 and ACL??

Running Hybrid mode SUPII/PFCII/MSFCII.

To my understanding, with MLS (PFC 1) the IOS ACL determines the flow mask. And since it is route once, switch many, any packets that match a deny statement will be denied and the enable packet will never make it. The full flow entry will not be in the MLS cache.

With CEF (PFC 2), if there is an adjacency for the destination host, to my understanding that packet will never be routed. It should just be rewritten by the PFC 2 (SP). If all this is correct then these are my questions.

1. How does an IOS ACL affect the rewrite on the switch?
2. Where on the switch (SP) can I see that it knows an IOS ACL is there?
3. Is changing the flow mask on PFC 2 (SP) just for Netflow stats? Applying an IOS ACL had no effect on the flow mask.

Thanks!
RE: Telnet SYN/ACK pkt reply on TCP source port 3-6!!?? [7:61661]
Never mind. I figured it out. I just had to write the problem out in an email to get my mind working.

When I was capturing data, the SYN/ACK source port would change from 1-6. That made me think about how overloading works. The interface was configured as an outside interface. The overload IP was the IP of the interface I was attempting to telnet to. That's why layer 3 looked okay, but layer 4 threw me off. When my reply packets got subjected to the NAT translation process, the router would change the source port according to the number of entries it had. That is why it would change from 1-6.

Sorry for sending this in. I should have thought about it a little bit more :-(

-Original Message-
From: Newell Ryan D SrA 18 CS/SCBT
Sent: Thursday, January 23, 2003 7:51 PM
To: '[EMAIL PROTECTED]'
Subject: Telnet SYN/ACK pkt reply on TCP source port 3-6!!??

I tried to telnet to a distant end 3660 router. The connection would time out. I was able to ping the router from my PC. The router could telnet to the router that was between my PC and itself. I ran a capture and the data yielded this:

    IP Source 10.0.0.1 Destination 10.0.1.2 TCP SYN destination port 23 source port 2407
    IP Source 10.0.1.2 Destination 10.0.0.1 TCP SYN/ACK destination port 2407 source port 6
    IP Source 10.0.0.1 Destination 10.0.1.2 TCP RST destination port 6 source port 2407

10.0.0.1 is my PC and 10.0.1.2 is the distant end router. I believe the RST bit is set on the last packet because my PC is not listening on that port, so it closes this connection with the RST bit.

We got it working. But the funny thing is: the user's 3660 had two interfaces, one on his LAN and one on my LAN. He was using NAT. He had ip nat outside on both interfaces. The inside interface was supposed to face my LAN. Once we removed NAT from the interface facing my LAN, I could telnet to that interface. The NAT string told the router to overload the interface facing my LAN. I understand that removing the misconfiguration fixed my first problem, but why?
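An added check for the symptom described above (my code, not the poster's): match each SYN/ACK in a capture back to the SYN it answers and report any reply whose source port is not the port the client sent to. A reply from the wrong port is exactly what a client RSTs, so this is a quick way to spot a translation device rewriting ports in the return path before reading NAT configs. The three packet summaries are re-typed from the poster's capture notes in this thread; the line format parsed is just that summary format, not a real pcap.

```python
"""Flag TCP replies whose source port does not match the port the client asked for.

Added example for the NAT/telnet thread; not the poster's code. The three
packet summaries below are re-typed from the poster's capture notes; the
summary line format is the only thing this parser understands.
"""
import re

LINE_RE = re.compile(
    r"IP Source (?P<src>[\d.]+) Destination (?P<dst>[\d.]+) "
    r"TCP (?P<flags>SYN/ACK|SYN|RST|ACK) "
    r"destination port (?P<dport>\d+) source port (?P<sport>\d+)"
)

# Re-typed from the thread: telnet SYN, a SYN/ACK from the wrong port, then the RST
CAPTURE = """\
IP Source 10.0.0.1 Destination 10.0.1.2 TCP SYN destination port 23 source port 2407
IP Source 10.0.1.2 Destination 10.0.0.1 TCP SYN/ACK destination port 2407 source port 6
IP Source 10.0.0.1 Destination 10.0.1.2 TCP RST destination port 6 source port 2407
"""


def parse_capture(text: str) -> list:
    """Turn summary lines into dicts with src, dst, flags, sport, dport."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"], d["sport"] = int(d["dport"]), int(d["sport"])
            packets.append(d)
    return packets


def find_translated_replies(packets: list) -> list:
    """Match each SYN/ACK to the SYN it answers and report source-port rewrites.

    A SYN/ACK must come back from the port the SYN was sent to. If it comes
    from another port, something on the path rewrote it (in the thread, the
    interface wrongly marked 'ip nat outside' with overload), and the client
    will answer with a RST because it has no socket expecting that port.
    """
    pending = {}   # (client, server, client_port) -> server port the client asked for
    findings = []
    for p in packets:
        if p["flags"] == "SYN":
            pending[(p["src"], p["dst"], p["sport"])] = p["dport"]
        elif p["flags"] == "SYN/ACK":
            key = (p["dst"], p["src"], p["dport"])
            expected = pending.get(key)
            if expected is not None and expected != p["sport"]:
                findings.append({
                    "client": p["dst"], "server": p["src"],
                    "expected_port": expected, "reply_port": p["sport"],
                })
    return findings


if __name__ == "__main__":
    for f in find_translated_replies(parse_capture(CAPTURE)):
        print(f"{f['server']} answered {f['client']} from port {f['reply_port']}, "
              f"client expected {f['expected_port']}: reply was translated in the path")
```

Layer 3 looking fine while layer 4 is wrong is the tell: ping and traceroute succeed because ICMP is not port-translated, so a check like this one on the first TCP exchange finds the problem faster than staring at reachability.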
RE: NETBIOS on WAN [7:61237]
IP helper will send the NETBIOS broadcast and change the packet to a unicast to the address given. But I'm not really sure it will solve your problem. I have a few questions before I try to answer your question.

1. Is there a DHCP server involved?
2. Do you have Domain Controllers?
3. Do you want the browse list to contain both networks?

Last question is for everybody. Can the helper address be a directed broadcast vs a single IP address?

-Original Message-
From: Amazing [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 10:19 AM
To: [EMAIL PROTECTED]
Subject: Re: NETBIOS on WAN [7:61237]

ip helper address on the ethernet interface of the remote router. this will change the nbns broadcast to a unicast directed at the remote lan

""Frederico Madeira"" wrote in message news:[EMAIL PROTECTED]...
> Hello,
>
> how do I configure a 2600 router to permit access for network neighborhood to
> computers on the lan, in other words, how do I make it see all computers of
> my WAN in network neighborhood of windows explorer ?
>
> Fred

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61246&t=61237
RE: User Privilege Level [7:60469]
I know the thread is about dead but until you get a TACACS+ server there are some commands you could implement to help the situation. The port is being disabled for a reason. You can configure the port to re-enable after 30 secs. using the commands

set errdisable-timeout enable all
set errdisable-timeout interval 30

'All' would cover all the possible reasons. If you knew what was causing the port to disable you could implement certain commands to cease the err-disable altogether. For example if collision was the culprit then the following command would stop the error disable.

set option errport enable

Here is a link that will go into more detail.
http://www.cisco.com/warp/public/473/20.html

-Original Message-
From: Williams, Dave [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 08, 2003 11:33 PM
To: [EMAIL PROTECTED]
Subject: RE: User Privilege Level [7:60469]

Thanks for everyone's help. What I mean by "reset ports" is to re-enable the switch ports after they were err-disabled. These are Cisco 6500 series switches w/layer 3 blades. The switch is running Cat/OS 7.2(2) and on the layer 3 blade, IOS 12.1(11b). Since our technicians are in remote locations, if I can give them the ability to re-enable the ports without getting into config mode, they don't have to wait on one of our engineers to do it for them (which may take hours). I'll try to re-assign some set commands and see what happens.

Dave Williams, CCDA, CCNA, CCSA
Senior Network Engineer
(402) 661-2143

-Original Message-
From: Erick B. [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 06, 2003 9:37 PM
To: Williams, Dave; [EMAIL PROTECTED]
Subject: Re: User Privilege Level [7:60469]

Dave,

Priv. level 1 gives you basic show commands, etc. Level 15 is full access like you mentioned. Levels 2-14 don't have any special commands, but you re-assign commands to these levels for different users, for example.

There's also a priv level 0 which gives you close to no commands on router IOS and you need to reduce the level 1 (default level) to 0 if you make the priv level 0 for line vty for example. I'm not sure if you can go to 0 on the switches. When you say reset ports, do you mean clear counters or shut/no shut the port? The latter would be config access. What type of switch is this and version of code? Awhile back when I was doing this for a client there was a minor bug with the priv commands and config mode for setting speed and duplex where the commands weren't saved properly. Haven't checked that in quite awhile though.

Erick

--- "Williams, Dave" wrote:
> I've been searching CCO most of the afternoon and can't seem to find the
> correct URL. I'm looking for a way to allow a technician to reset ports on
> a switch and look at interface stats, but not allow configuration access.
>
> For example, I know that user level 15 is the same as having the enable
> password and user level 1 is the same as a generic user, but I don't know
> what the other levels do for me.
>
> Thanks in advance for your help.
>
> Dave Williams
> Senior Network Engineer
> (402) 661-2143
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61239&t=60469
RE: Cisco 3640 Router ATM PVC Problem [7:61077]
It is amazing that the thread has gone on for so long. I think someone has the answer. Angel's router does have a vcd, while the example from Cisco does not. How do you configure AAL protocol for this syntax? 'show version'

-Original Message-
From: Angel Leiva [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 7:25 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco 3640 Router ATM PVC Problem [7:61077]

Ken,

I have two 3660 routers connected back to back via an OC3 link in a lab environment. They are using IOS 12.0(7)T, IP Enterprise Version. You seem to be missing the VCD (Virtual Channel Descriptor) between the pvc and the vpi/vci command entries. Also, the vpi/vci syntax appears to be incorrect in your configuration. Take a look at the ATM interface configs on my working routers:

Router A:
!
interface ATM1/0
 ip address 10.10.10.2 255.255.255.0
 no ip directed-broadcast
 ip ospf network point-to-point
 atm clock INTERNAL
 atm ilmi-keepalive
 pvc Dallas 1/100

I am using a sample configuration from cisco that looks like this
>
> First command config t
> Second command ip routing
> Third command interface atm 1/0
> Fourth command no shutdown
> Fifth command ip address 10.0.2.1 255.255.255.0
> Sixth command pvc 1 32
> Seventh command protocol ip 10.0.2.2 broadcast
>
> The sixth command is where it fails. It does not recognize the pvc.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Newell Ryan D SrA 18 CS/SCBT
> Sent: Tuesday, January 14, 2003 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: FW: Cisco 3640 Router ATM PVC Problem [7:61077]
>
> What commands are you typing in? To create a PVC the syntax is
> int atm 1
> atm pvc 6 0 106 aal5snap
> I think you are missing the 'atm' before pvc.
>
> There are several ways to hook the 3640s back to back. If they are within
> fastethernet distance limitations you could use the fastethernet interfaces.
>
> -Original Message-
> From: Ken Chipps [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 15, 2003 1:40 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco 3640 Router ATM PVC Problem [7:61077]
>
> I am attempting to set up a PVC between two Cisco 3640 Routers connected back
> to back. The interface is an OC3 card. Whenever I issue the PVC command on
> the ATM interface it says a PVC is not supported. If I use the ? to see
> supported commands for the interface, no PVC command is listed. Is there
> some software upgrade I need for this? Or is there some other way to connect
> two 3640s back to back?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61153&t=61077
RE: Cisco 3640 Router ATM PVC Problem [7:61077]
You said that you got the sample configuration from cisco. Do you have the link? I would like to look at something. My router supports both 'pvc' and 'atm pvc'. But 'pvc' has no vcd and can only operate with qsaal and ilmi. The 'atm pvc' does have a vcd and can support ilmi, qsaal, and all the atm adaptation layer protocols. Something else to look at!

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 16, 2003 5:59 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco 3640 Router ATM PVC Problem [7:61077]

Thanks for the suggestions from everyone. I will check the software version tonight. I assumed this was the most recent version as we purchased these units only a few months ago, but perhaps not.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amar
Sent: Wednesday, January 15, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 3640 Router ATM PVC Problem [7:61077]

lation_guide_chapter09186a00800e4789.html#xtocid39
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7db.html#xtocid5

check the above links, they have the info u need.

rgds

""Daniel Cotts"" wrote in message news: [EMAIL PROTECTED]
> Here's a config from 11.3. Commands have changed quite a bit.
> Note that clocking must be provided on one end.
> If the cards are single-mode fiber he might have to attenuate the signal.
>
> interface ATM6/0
>  description Location
>  no ip address
>  no ip route-cache optimum
>  atm clock INTERNAL
> !
> interface ATM6/0.1 multipoint (could be point-to-point)
>  description pvc to Data Center via XYZ fiber
>  ip address aaa.bbb.7.250 255.255.255.252 secondary
>  ip address 10.1.19.2 255.255.255.0
>  atm pvc 1 0 35 aal5snap
>  map-group TGN
>  appletalk cable-range 10119-10119 10119.2
>  appletalk zone ATM
> !
> !
> map-list TGN
>  ip 10.1.19.1 atm-vc 1 broadcast
>  ip aaa.bbb.7.249 atm-vc 1 broadcast
>  appletalk 10119.1 atm-vc 1 broadcast
>
> > -Original Message-
> > From: Newell Ryan D SrA 18 CS/SCBT [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 15, 2003 2:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Cisco 3640 Router ATM PVC Problem [7:61077]
> >
> > I think you're right. I know some IOS versions use the 'atm pvc' command.
> > So I agree, what IOS version he is running is a key component to know
> > to resolve this problem.
> >
> > -Original Message-
> > From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 15, 2003 4:30 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco 3640 Router ATM PVC Problem [7:61077]
> >
> > pvc x/y "should" work, which leads me to wonder about your IOS version. What
> > are you running? what is the image name?
> >
> > I do not see an "atm pvc" command in the 12.1 command reference.
> >
> > also you mention something about connecting two 3640's back to back via an
> > OC3 card? I'm not sure you can do that. someone smarter than I will provide
> > a definitive answer, I'm sure.
> >
> > ""Ken Chipps"" wrote in message news:[EMAIL PROTECTED]...
> > > I am using a sample configuration from cisco that looks like this
> > >
> > > First command config t
> > > Second command ip routing
> > > Third command interface atm 1/0
> > > Fourth command no shutdown
> > > Fifth command ip address 10.0.2.1 255.255.255.0
> > > Sixth command pvc 1 32
> > > Seventh command protocol ip 10.0.2.2 broadcast
> > >
> > > The sixth command is where it fails. It does not recognize the pvc.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > Newell Ryan D SrA 18 CS/SCBT
> > > Sent: Tuesday, January 14, 2003 11:32 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: FW: Cisco 3640 Router ATM PVC Problem [7:61077]
> > >
> > > What commands are you typing in? To create a PVC the syntax is
> > > int atm 1
> > > atm pvc 6 0 106 aal5snap
> > > I think you are missing the 'atm' before pvc.
> > >
> > > There are several ways to hook the 3640s back to back. If they are within
> > > fastethernet distance limitations you could use the fastethernet interfaces.
> > >
RE: Cisco 3640 Router ATM PVC Problem [7:61077]
I think you're right. I know some IOS versions use the 'atm pvc' command. So I agree, what IOS version he is running is a key component to know to resolve this problem.

-Original Message-
From: The Long and Winding Road [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 4:30 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 3640 Router ATM PVC Problem [7:61077]

pvc x/y "should" work, which leads me to wonder about your IOS version. What are you running? what is the image name?

I do not see an "atm pvc" command in the 12.1 command reference.

also you mention something about connecting two 3640's back to back via an OC3 card? I'm not sure you can do that. someone smarter than I will provide a definitive answer, I'm sure.

""Ken Chipps"" wrote in message news:[EMAIL PROTECTED]...
> I am using a sample configuration from cisco that looks like this
>
> First command config t
> Second command ip routing
> Third command interface atm 1/0
> Fourth command no shutdown
> Fifth command ip address 10.0.2.1 255.255.255.0
> Sixth command pvc 1 32
> Seventh command protocol ip 10.0.2.2 broadcast
>
> The sixth command is where it fails. It does not recognize the pvc.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Newell Ryan D SrA 18 CS/SCBT
> Sent: Tuesday, January 14, 2003 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: FW: Cisco 3640 Router ATM PVC Problem [7:61077]
>
> What commands are you typing in? To create a PVC the syntax is
> int atm 1
> atm pvc 6 0 106 aal5snap
> I think you are missing the 'atm' before pvc.
>
> There are several ways to hook the 3640s back to back. If they are within
> fastethernet distance limitations you could use the fastethernet interfaces.
>
> -Original Message-
> From: Ken Chipps [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 15, 2003 1:40 PM
> To: [EMAIL PROTECTED]
> Subject: Cisco 3640 Router ATM PVC Problem [7:61077]
>
> I am attempting to set up a PVC between two Cisco 3640 Routers connected back
> to back. The interface is an OC3 card. Whenever I issue the PVC command on
> the ATM interface it says a PVC is not supported. If I use the ? to see
> supported commands for the interface, no PVC command is listed. Is there
> some software upgrade I need for this? Or is there some other way to connect
> two 3640s back to back?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61087&t=61077
RE: Cisco 3640 Router ATM PVC Problem [7:61077]
Try to add atm in front of that.

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 3:23 PM
To: 'Newell Ryan D SrA 18 CS/SCBT'; [EMAIL PROTECTED]
Subject: RE: Cisco 3640 Router ATM PVC Problem [7:61077]

I am using a sample configuration from cisco that looks like this

First command config t
Second command ip routing
Third command interface atm 1/0
Fourth command no shutdown
Fifth command ip address 10.0.2.1 255.255.255.0
Sixth command pvc 1 32
Seventh command protocol ip 10.0.2.2 broadcast

The sixth command is where it fails. It does not recognize the pvc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Newell Ryan D SrA 18 CS/SCBT
Sent: Tuesday, January 14, 2003 11:32 PM
To: [EMAIL PROTECTED]
Subject: FW: Cisco 3640 Router ATM PVC Problem [7:61077]

What commands are you typing in? To create a PVC the syntax is

int atm 1
atm pvc 6 0 106 aal5snap

I think you are missing the 'atm' before pvc.

There are several ways to hook the 3640s back to back. If they are within fastethernet distance limitations you could use the fastethernet interfaces.

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 1:40 PM
To: [EMAIL PROTECTED]
Subject: Cisco 3640 Router ATM PVC Problem [7:61077]

I am attempting to set up a PVC between two Cisco 3640 Routers connected back to back. The interface is an OC3 card. Whenever I issue the PVC command on the ATM interface it says a PVC is not supported. If I use the ? to see supported commands for the interface, no PVC command is listed. Is there some software upgrade I need for this? Or is there some other way to connect two 3640s back to back?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61080&t=61077
FW: Cisco 3640 Router ATM PVC Problem [7:61077]
What commands are you typing in? To create a PVC the syntax is

int atm 1
atm pvc 6 0 106 aal5snap

I think you are missing the 'atm' before pvc.

There are several ways to hook the 3640s back to back. If they are within fastethernet distance limitations you could use the fastethernet interfaces.

-Original Message-
From: Ken Chipps [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 1:40 PM
To: [EMAIL PROTECTED]
Subject: Cisco 3640 Router ATM PVC Problem [7:61077]

I am attempting to set up a PVC between two Cisco 3640 Routers connected back to back. The interface is an OC3 card. Whenever I issue the PVC command on the ATM interface it says a PVC is not supported. If I use the ? to see supported commands for the interface, no PVC command is listed. Is there some software upgrade I need for this? Or is there some other way to connect two 3640s back to back?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61078&t=61077
RE: Connecting DSL to Synchronous Serial Port [7:60930]
Yes there is. From my experience with this I know that ADC sells a modular SDSL modem. You can use either an ethernet, RS-530, V.35, or RS-449 interface with this modem. The serial card is a FLEX module with two data ports and 1 DSX port. The data port interfaces are a mini-SCSI 26 pin port. ADC offers a conversion cable (DB-26 to RS-530, V.35, or RS-449). The DTE side is female though, so you would need the male adapter of whatever standard you wanted to convert it to. A cisco male RS-530 to DB-60 would suffice if you wanted to use RS-530.

'UP AND COMING'

-Original Message-
From: Mahler David [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 13, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: Connecting DSL to Synchronous Serial Port [7:60930]

Hi all,

I'm trying to figure out if there is a way to connect SDSL service to a 2501 router through the Synchronous Serial port. If so what kind of cable is needed??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60991&t=60930
FW: VTP modes Server/Client vs Transparent [7:57650]
Presently we run end to end vlans w/LANE. We are going to the gigabit ethernet design with end to end vlans. We plan for a slow migration to local vlans. Once the migration to local vlans is complete then a server/client model might be more efficient. Talking to another network professional, transparent mode seemed to be the only way during the transition period to local vlans. I really prefer transparent over the server/client model. But I don't want my ill-advised emotions to stop me from giving the other side a fair chance.

-Original Message-
From: Zim [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 9:01 PM
To: [EMAIL PROTECTED]
Subject: Re: VTP modes Server/Client vs Transparent [7:57650]

Like most networking problems it depends. How large is your switch domain? Are you doing End to End VLANs or Local? How large is your STP domain now? Will it grow larger?

Here's a link I would start with
http://www.cisco.com/warp/customer/473/21.html (starter for VTP)
then hit this one
http://www.cisco.com/warp/public/cc/so/neso/lnso/cpso/gcnd_wp.htm (covers GigE Design)

Design solutions are usually need and resource driven...as for standards they change (some daily). JMHO

""Newell Ryan D SrA 18 CS/SCBT"" wrote in message news:[EMAIL PROTECTED]...
> Network is migrating from ATM to Gigabit Ethernet. Transparent mode was
> default VTP for all distribution layer switches. We had hubs for all access
> layer switches. With the new migration to Gigabit, switches would be at all
> access layer buildings. Would it be beneficial to run transparent abroad or
> a server/client model.
>
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57736&t=57650
VTP modes Server/Client vs Transparent [7:57650]
Network is migrating from ATM to Gigabit Ethernet. Transparent mode was default VTP for all distribution layer switches. We had hubs for all access layer switches. With the new migration to Gigabit, switches would be at all access layer buildings. Would it be beneficial to run transparent abroad or a server/client model?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57650&t=57650
Three 24 Gbps Switching Engines at 18 Mpps (Layer2)!?! [7:54833]
What does this mean? I was looking at table 21-112. The difference between supervisor engine I and supervisor engine II is that the I has a 24 Gbps switching engine and the II has three 24 Gbps. Yet the pps remains the same (18 Mpps). Is there a direct correlation between the switching fabric and the switching throughput? If there is reading online that would be great. Here is the link I was referring to.

http://www.cisco.com/univercd/cc/td/doc/pcat/ca4000.htm

Ryan Newell

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54833&t=54833
FW: AAA in console [7:54282]
Nigel,

Your first question I think is very key to my situation. I wanted local administrators to have minimal control via telnet and console. I was able to tailor these commands on the vty ports. I tried to apply the same commands to console and it did not work. I was informed that there was a hidden command, aaa authorization console, only implemented in certain IOS images. Answering your first question, I think they should not have access to the console. The reason why I pose this question is for general knowledge. Is the aaa authorization console command what I'm missing?

-Original Message-
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 27, 2002 8:33 AM
To: [EMAIL PROTECTED]
Subject: Re: AAA in console [7:54282]

Ryan,

I noted your earlier post on this topic and my first question is.."What's the problem you're trying to solve?" Configuring AAA on the console should be very straightforward, however this could very easily change based on your identified or outlined requirements. A couple of questions:

1. Who will be typically accessing the console?
2. What will be authenticating the user? TACACS+/RADIUS/the Router etc..
3. Do you plan on using the local database should tacacs fail?
4. Will you have a redundant/secondary tacacs/radius device?

I've seen some enterprises where they preferred not to have any passwords configured on the local device short of the "enable secret", which should survive a password checker like "Getpass". Of course the console password was left outside the scope of AAA, as it provided the only way to access the device if the tacacs/radius server(s) were unreachable.

HTH
Nigel

----- Original Message -----
From: "Newell Ryan D SrA 18 CS/SCBT"
To:
Sent: Thursday, September 26, 2002 5:53 PM
Subject: AAA in console [7:54282]

> How can I configure authorization on the console port?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54292&t=54282
FW: AAA in console [7:54282]
I think the link is missing? Thanks btw

-Original Message-
From: Duncan Wallace [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 27, 2002 7:49 AM
To: [EMAIL PROTECTED]
Subject: RE: AAA in console [7:54282]

Ryan -

This is a great link for that, and a great overall document to have...

Thanks,
Duncan Wallace
12835 SW Thunderhead Way
Beaverton, Or. 97008
503-646-5707
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Newell Ryan D SrA 18 CS/SCBT
Sent: Thursday, September 26, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: AAA in console [7:54282]

How can I configure authorization on the console port?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54289&t=54282
AAA in console [7:54282]
How can I configure authorization on the console port?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54282&t=54282
FW: Routed interfaces vs. Switched interfaces on 6500 [7:54170]
Sort of. The 6500 has two modes it can operate in: Hybrid Mode or Native IOS Mode. The Hybrid Mode allows the user to interface with the "switch" side using the catalyst XDI/CatOS image. So all ports are switched ports. I think this allows the caching method you speak of to take place. The Native IOS mode gives the user an all IOS feel. The interfaces default to routed interfaces. You have to issue the "switch mode access" command to turn the interface into a port. The diagram in the book and I think something else I read before leads me to believe that MLS will not work between switched and routed interfaces on a 6500 running in Native IOS Mode. Just trying to clarify.

Thanks for ANY input.

Ryan

-Original Message-
From: Robert Edmonds [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 1:59 PM
To: [EMAIL PROTECTED]
Subject: Re: Routed interfaces vs. Switched interfaces on 6500 [7:54170]

Ryan,

If I understand your question, then I think I may be able to help. I believe what it means when it talks about caching flows, is that it caches the information about the flow -- particularly the path the flow will take. This makes it so the layer 2 portion of the switch doesn't have to send every packet to the router to make the layer 3 decision to route the packet.

The basic process for MLS is like this. A stream of data comes into the router interface that is destined for a network other than the one it came in on, another VLAN. The switch sends the first packet in the flow to the MSFC (in the case of the 6500) to determine the path that should be taken to the remote network. The MSFC figures out how it should get to the remote network, sends the information to the switch, and the rest of the packets are switched using the information provided by the MSFC. Depending on the flow mask used, the next flow that comes through with the same destination address may be able to be fast-switched (hope I used the right term) directly to the destination in question.

Did I answer your question? Hope I have helped.

""Newell Ryan D SrA 18 CS/SCBT"" wrote in message news:[EMAIL PROTECTED]...
> Referencing LAN Switching I have a question concerning routed vs. switched
> interfaces on the 6500 running in native IOS mode.
> If the diagram on page 832 is correct I'm confused about MLS. Does the
> PFC/NFFC have the ability of caching flows between
> an interface configured as a switched/routed interface??
>
>
> Ryan Newell

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54185&t=54170
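A small simulation of the MLS process Robert describes, written as an added example (it is not code from the post or from Cisco, and it models the explanation rather than the PFC hardware): the first packet of a flow is punted to a stand-in for the MSFC, its decision is cached under a key derived from the configured flow mask, and later packets sharing that key are switched from the cache. The three flow masks, the `route_lookup` helper and the sample traffic are assumptions made for the model. What it shows is how the mask decides whether a new flow to the same destination reuses an existing entry or has to be routed again.

```python
from collections import Counter

# Flow masks, coarsest to finest. Each maps a packet to the cache key the
# switch would use; packets sharing a key are forwarded by the cache entry the
# first one created. Simplified model for this example, not the ASIC behaviour.
FLOW_MASKS = {
    "destination-ip": lambda p: (p["dst"],),
    "source-destination-ip": lambda p: (p["src"], p["dst"]),
    "ip-flow": lambda p: (p["src"], p["dst"], p["proto"], p["sport"], p["dport"]),
}


def route_lookup(pkt):
    """Stand-in for the MSFC's routing decision (assumption: /24 subnets, each
    reachable through a VLAN interface named after the subnet)."""
    return "vlan-" + pkt["dst"].rsplit(".", 1)[0]


class MlsCache:
    def __init__(self, flow_mask):
        if flow_mask not in FLOW_MASKS:
            raise ValueError(f"unknown flow mask {flow_mask!r}")
        self.key_of = FLOW_MASKS[flow_mask]
        self.entries = {}   # cache key -> next hop chosen by the MSFC
        self.punts = 0      # packets that had to go to the route processor

    def forward(self, pkt):
        """Return ("cache", next_hop) for a cache hit, ("msfc", next_hop) when
        the packet was the first of its flow and had to be routed."""
        key = self.key_of(pkt)
        if key in self.entries:
            return "cache", self.entries[key]
        self.punts += 1
        self.entries[key] = route_lookup(pkt)
        return "msfc", self.entries[key]


def tcp(src, dst, sport, dport):
    return {"src": src, "dst": dst, "proto": "tcp", "sport": sport, "dport": dport}


# Constructed traffic: two hosts on one VLAN talking to a server on another.
SAMPLE_TRAFFIC = (
    [tcp("10.1.1.10", "10.1.2.20", 1025, 80)] * 3     # host A, http
    + [tcp("10.1.1.10", "10.1.2.20", 1026, 23)] * 2   # host A, telnet
    + [tcp("10.1.1.11", "10.1.2.20", 1025, 80)] * 2   # host B, http
)


def simulate(packets, flow_mask):
    """How many packets went to the MSFC vs. were switched from cache, and how
    many cache entries the mask produced for this traffic."""
    cache = MlsCache(flow_mask)
    counts = Counter(cache.forward(p)[0] for p in packets)
    return {"msfc": counts["msfc"], "cache": counts["cache"],
            "entries": len(cache.entries)}


if __name__ == "__main__":
    for mask in FLOW_MASKS:
        print(f"{mask:>22}: {simulate(SAMPLE_TRAFFIC, mask)}")
```

With the destination-only mask a second host, or a second TCP session from the same host, to the same server never reaches the MSFC; the finer masks trade cache hits for decisions that also take the source address or the ports into account, which is what is needed when the forwarding decision depends on those fields.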
Routed interfaces vs. Switched interfaces on 6500 [7:54170]
Referencing LAN Switching I have a question concerning routed vs. switched interfaces on the 6500 running in native IOS mode. If the diagram on page 832 is correct I'm confused about MLS. Does the PFC/NFFC have the ability of caching flows between an interface configured as a switched/routed interface??

Ryan Newell

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54170&t=54170
RE: Exec Shell + Console [7:53661]
That would be nice but we have over 400 switches and several LAN admins who could t'shoot hubs but now they need minimal configuration control for t'shooting.

-Original Message-
From: nettable_walker [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Exec Shell + Console [7:53661]

9/19/2002 9:40pm Thursday

You could just tell your LAN admins not to change anything on the switches.

""Newell Ryan D SrA 18 CS/SCBT"" wrote in message news:[EMAIL PROTECTED]...
> Evening group,
>
> What I have is a TACACS server and the setup we are trying to achieve goes as
> follows:
> I want the LAN admins to have minimal control on their switches in their
> area. We have accomplished that on the vty ports. Here is the config:
>
> Server
> user=test
> password=test12
> service-shell
> set priv-level=15
> service=shell
> default cmd=(permit/deny) And the commands we want are here.
> prohibit cmd=x
> cmd=y{
>
> Switch
>
> aaa new-model
> aaa authentication login telnet group tacacs+ line none
> aaa authorization exec privilege group tacacs+ none
> aaa authorization commands 15 cmd group tacacs+ none
> line con 0
>  exec-timeout 5 0
>  password 7 x
>  authorization commands 15 cmd
>  authorization exec privilege
>  login authentication telnet
>  transport input telnet
>  stopbits 1
> line vty 0 4
>  exec-timeout 5 0
>  authorization commands 15 cmd
>  authorization exec privilege
>  login authentication telnet
>  transport input telnet
>
> It works great for vty but not for console. I read somewhere about a hidden
> authorization command for console but it is not working. Here is a debug.
>
> xxx#debug aaa authorization
> *Mar 1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
> *Mar 1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
> *Mar 1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
> *Mar 1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
> *Mar 1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
> *Mar 1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
> *Mar 1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
> Failed attempts for console
> *Mar 1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
> *Mar 1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
> *Mar 1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
> *Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
> *Mar 1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
> *Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
> *Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
> *Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list "privilege"
> *Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
> *Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
> *Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
> *Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
> *Mar 1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
> *Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
> *Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
> *Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
> *Mar 1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
> Passed attempts for console
>
> I think my understanding of exec shell is what's hurting me. Any comments or
> advice would be greatly appreciated.
>
> Ryan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53684&t=53661
Exec Shell + Console [7:53661]
Evening group,

What I have is a TACACS server, and the setup we are trying to achieve goes as follows: I want the LAN admins to have minimal control on their switches in their area. We have accomplished that on the vty ports. Here is the config:

Server

user=test
password=test12
service-shell
set priv-level=15
service=shell
default cmd=(permit/deny)
And the commands we want are here.
prohibit cmd=x
cmd=y{

Switch

aaa new-model
aaa authentication login telnet group tacacs+ line none
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
line con 0
 exec-timeout 5 0
 password 7 x
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet

It works great for vty but not for console. I read somewhere about a hidden authorization command for console, but it is not working. Here is a debug.

xxx#debug aaa authorization
*Mar 1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar 1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
*Mar 1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
*Mar 1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
Failed attempts for console

*Mar 1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list "privilege"
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
Passed attempts for console

I think my understanding of exec shell is what's hurting me. Any comments or advice would be greatly appreciated.

Ryan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53661&t=53661
Exec shell+console+AAA [7:53602]
Evening group,

What I have is a TACACS server, and the setup we are trying to achieve goes as follows: I want the LAN admins to have minimal control on their switches in their area. We have accomplished that on the vty ports. Here is the config:

Server

user=test
password=test12
service-shell
set priv-level=15
service=shell
default cmd=(permit/deny)
And the commands we want are here.
prohibit cmd=x
cmd=y{

Switch

aaa new-model
aaa authentication login telnet group tacacs+ line none
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
line con 0
 exec-timeout 5 0
 password 7 x
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet

It works great for vty but not for console. I read somewhere about a hidden authorization command for console, but it is not working. Here is a debug.

xxx#debug aaa authorization
*Mar 1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar 1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
*Mar 1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
*Mar 1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
Failed attempts for console

*Mar 1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='1x.1x.6x.2x' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list "privilege"
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
Passed attempts for console

I think my understanding of exec shell is what's hurting me. Any comments or advice would be greatly appreciated.

SrA Ryan Newell
18th Communications Squadron
Infrastructure Engineer
CCNA, SCP
634-7999
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53602&t=53602
Recall: Exec shell+console+AAA [7:53601]
Newell Ryan D SrA 18 CS/SCBT would like to recall the message, "Exec shell+console+AAA".

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53601&t=53601
Exec shell+console+AAA [7:53590]
Evening group,

What I have is a TACACS server, and the setup we are trying to achieve goes as follows: I want the LAN admins to have minimal control on their switches in their area. We have accomplished that on the vty ports. Here is the config:

Server

user=test
password=test12
service-shell
set priv-level=15
service=shell
default cmd=(permit/deny)
And the commands we want are here.
prohibit cmd=x
cmd=y{

Switch

aaa new-model
aaa authentication login telnet group tacacs+ line none
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
line con 0
 exec-timeout 5 0
 password 7 x
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet

It works great for vty but not for console. I read somewhere about a hidden authorization command for console, but it is not working. Here is a debug.

KAD-UE-1474-D#debug aaa authorization
*Mar 1 00:15:22: AAA/MEMORY: free_user (0x6B451C) user='test' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:24: AAA: parse name=tty0 idb type=-1 tty=-1
*Mar 1 00:15:24: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
*Mar 1 00:15:24: AAA/MEMORY: create_user (0x69BC24) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:15:37: AAA/AUTHOR: authenticated console user is permitted
*Mar 1 00:15:50: AAA/MEMORY: free_user (0x528F70) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
*Mar 1 00:16:05: AAA/MEMORY: free_user (0x6B4478) user='' ruser='' port='tty0' rem_addr='async' authen_type=ASCII service=ENABLE priv=15
Failed attempts for console

*Mar 1 00:16:27: AAA: parse name=tty2 idb type=-1 tty=-1
*Mar 1 00:16:27: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
*Mar 1 00:16:27: AAA/MEMORY: create_user (0x4D4CE4) user='' ruser='' port='tty2' rem_addr='132.15.64.27' authen_type=ASCII service=LOGIN priv=1
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Port='tty2' list='privilege' service=EXEC
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: tty2 (3125102166) user='test'
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV service=shell
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): send AV cmd*
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): found list "privilege"
*Mar 1 00:16:35: tty2 AAA/AUTHOR/EXEC (3125102166): Method=tacacs+ (tacacs+)
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): user=test
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/TAC+: (3125102166): send AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR (3125102166): Post authorization status = PASS_ADD
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV service=shell
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV cmd*
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
*Mar 1 00:16:35: AAA/AUTHOR/EXEC: Authorization successful
Passed attempts for console

I think my understanding of exec shell is what's hurting me. Any comments or advice would be greatly appreciated.

SrA Ryan Newell
18th Communications Squadron
Infrastructure Engineer
CCNA, SCP
634-7999
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53590&t=53590
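The debug in the three copies of this post shows where the config falls short: the tty2 (vty) session goes through an AAA/AUTHOR/TAC+ exchange against the "privilege" list, while the tty0 (console) session is simply "permitted" with no TACACS+ exchange at all. That is IOS behaviour: AAA authorization is not applied to the console line unless the global command aaa authorization console is configured, which is the "hidden" command the post is looking for; the per-line "authorization exec" and "authorization commands" statements under line con 0 do nothing on their own. The second thing a reviewer would flag is that every method list ends in none, so if the TACACS+ server is unreachable, login, EXEC and command authorization all fall open. The audit script below is an added example, not code from the thread or from Cisco: it parses the posted switch config (laid out as show running-config prints it, with the exec-timeout and stopbits lines dropped), reports both problems, and shows a hardened counterpart passing. The local fallback in the hardened fragment assumes a local privilege-15 break-glass account whose username line is not shown.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the switch config in the post, in 'show running-config'
# layout (line sub-commands indented one space); exec-timeout/stopbits omitted.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login telnet group tacacs+ line none
aaa authorization exec privilege group tacacs+ none
aaa authorization commands 15 cmd group tacacs+ none
line con 0
 password 7 x
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
line vty 0 4
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet
"""

# Hardened counterpart: console authorization enabled globally and the trailing
# 'none' replaced by 'local'. Assumption: a local privilege-15 break-glass
# account exists for that fallback (its 'username' line is omitted here).
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login telnet group tacacs+ local
aaa authorization console
aaa authorization exec privilege group tacacs+ local
aaa authorization commands 15 cmd group tacacs+ local
line con 0
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
line vty 0 4
 authorization commands 15 cmd
 authorization exec privilege
 login authentication telnet
 transport input telnet
"""

METHOD_LIST = re.compile(
    r"^aaa (?P<kind>authentication login|authorization exec|authorization commands \d+)"
    r" (?P<name>\S+) (?P<methods>.+)$"
)


@dataclass
class IosConfig:
    globals: list[str] = field(default_factory=list)
    lines: dict[str, list[str]] = field(default_factory=dict)  # "con 0" -> sub-commands


def parse_ios(text: str) -> IosConfig:
    """Split a running-config into global statements and per-'line' sub-commands."""
    cfg = IosConfig()
    current = None
    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt or stmt == "!":
            continue
        if stmt.startswith("line "):
            current = stmt[5:]
            cfg.lines.setdefault(current, [])
        elif raw[:1] in (" ", "\t") and current is not None:
            cfg.lines[current].append(stmt)
        else:
            current = None
            cfg.globals.append(stmt)
    return cfg


def parse_methods(spec: str) -> list[str]:
    """'group tacacs+ line none' -> ['group tacacs+', 'line', 'none']."""
    tokens = spec.split()
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit(text: str) -> list[str]:
    """One finding per weakness; an empty list means both checks passed."""
    cfg = parse_ios(text)
    findings = []
    for stmt in cfg.globals:
        m = METHOD_LIST.match(stmt)
        if m and parse_methods(m["methods"])[-1] == "none":
            findings.append(f"fail-open: '{stmt}' falls through to 'none' "
                            "when every earlier method is unavailable")
    console = cfg.lines.get("con 0", [])
    if any(s.startswith("authorization ") for s in console) \
            and "aaa authorization console" not in cfg.globals:
        findings.append("console: 'line con 0' names authorization lists, but without "
                        "the global 'aaa authorization console' IOS does not apply them")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run it against a saved show running-config and expect no output for switches that have both the global console statement and a fallback that is not none; the fallback method only matters when the TACACS+ servers do not answer, which is exactly the moment an attacker who can reach the console port, or the management VLAN, most wants authorization to be off.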
FW: Duplicate packets with same SEQ #'s... [7:53024]
Is it possible that you are doing a dump on a link that the packet must traverse to and fro to get to the destination? You stated that you did this dump off of one of your core switches. I'm assuming you're spanning or port mirroring the port or VLAN, possibly. If these PCs are on separate networks... see what I'm saying? Well, if you don't, here goes. If you have a switch connected to a router using some kind of trunking capability (or internal router) and the users are on separate VLANs/subnets, they must cross the router to get to each other. Thus when you do a dump you will see the same packet come across twice. If you have a protocol analyzer you should see the MAC address change as it crosses the router. I only believe my theory to be true if the PCs are on separate subnetworks. Hope this helps.

D

-----Original Message-----
From: Neil Desai [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 11:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Duplicate packets with same SEQ #'s... [7:53024]

We have a similar situation in our network. We have proxy ARP turned on and it is causing the same thing.

Neil

""r34rv13wm1rr0r"" wrote in message news:[EMAIL PROTECTED]...
> This is from a tcpdump off of one of my core switches. It appears that it is
> logging a duplicate packet with the same SEQ #. Does anyone have any idea
> why this is occurring?
>
> Thanks,
>
> A
>
> 11:18:04.688408 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
> 11:18:04.688409 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
>
> 11:18:04.688643 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 158405518:158405625(107) ack 1210141117 win 8608NBT Packet (DF)
> 11:18:04.688644 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 0:107(107) ack 1 win 8608NBT Packet (DF)
>
> 11:18:04.688645 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 65:119(54) ack 98 win 8271NBT Packet (DF)
> 11:18:04.688646 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 65:119(54) ack 98 win 8271NBT Packet (DF)
>
> 11:18:04.63 X.X.6.3.http > 172.X.14.50.1123: . ack 4294967295 win 8155 (DF)
> 11:18:04.65 X.X.6.3.http > 172.X.14.50.1123: . ack 4294967295 win 8155 (DF)
>
> 11:18:04.66 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P 3194256684:3194256844(160) ack 95965178 win 7515NBT Packet (DF)
> 11:18:04.67 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P 0:160(160) ack 1 win 7515NBT Packet (DF)
>
> 11:18:04.68 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 119:173(54) ack 147 win 8222NBT Packet (DF)
> 11:18:04.69 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 119:173(54) ack 147 win 8222NBT Packet (DF)
>
> 11:18:04.688890 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P 1:161(160) ack 107 win 7996NBT Packet (DF)
> 11:18:04.688891 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P 1:161(160) ack 107 win 7996NBT Packet (DF)
>
> 11:18:04.689183 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P 1:129(128) ack 160 win 8138NBT Packet (DF)
> 11:18:04.689185 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P 1:129(128) ack 160 win 8138NBT Packet (DF)
>
> 11:18:04.689186 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 173:255(82) ack 196 win 8173NBT Packet (DF)
> 11:18:04.689187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 173:255(82) ack 196 win 8173NBT Packet (DF)
>
> 11:18:04.689188 172.X.15.151.ssh > 172.X.53.186.1219: P 2849560709:2849560801(92) ack 2980294350 win 9648 (DF) [tos 0x10]
> 11:18:04.689189 172.X.15.151.ssh > 172.X.53.186.1219: P 0:92(92) ack 1 win 9648 (DF) [tos 0x10]
>
> 11:18:04.689192 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 255:309(54) ack 245 win 8124NBT Packet (DF)
> 11:18:04.689193 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 255:309(54) ack 245 win 8124NBT Packet (DF)
>
> 11:18:04.689608 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 309:363(54) ack 294 win 8075NBT Packet (DF)
> 11:18:04.689609 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 309:363(54) ack 294 win 8075NBT Packet (DF)
>
> 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 4096314569 win 2144
> 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 1 win 2144
>
> 11:18:04.689611 172.X.53.186.1219 > 172.X.15.151.ssh: P 1:45(44) ack 92 win 16724 (DF)
> 11:18:04.689612 172.X.53.186.1219 > 172.X.15.151.ssh: P 1:45(44) ack 92 win 16724 (DF)
>
> 11:18:04.689614 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 294:343(49) ack 363 win 7380NBT Packet (DF) [tos 0x4]
> 11:18:04.718183 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 6762:6811(49) ack 8223 win 8397NBT Packet (DF) [tos 0x4]
>
> 11:18:04.718187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8223:8287(64) ack 6811 win 7438NBT Packet (DF)
> 11:18:04.718188 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8223:8287(64) ack 6811 win 7438NBT Packet (DF)
>
> 11:18:04.718423 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8287:8341(54)
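Both replies above point at the capture point rather than the network: a SPAN or mirror session on a core switch that sees the frame once on each side of a routed hop, or once on each VLAN, records every inter-VLAN packet twice. Two details of the dump support that reading. The copies are one to two microseconds apart, far too close to be TCP retransmissions, and the pairs that look different, such as P 158405518:158405625(107) ack 1210141117 followed by P 0:107(107) ack 1, are the same packet printed twice: tcpdump prints the first segment it sees of a conversation with absolute sequence and ack numbers and every later segment relative to that first one (the tcpdump manual describes this under relative sequence numbers), so the second copy of the first segment already comes out relative. The script below is an added example, not from the thread; it parses tcpdump text lines, keys each segment on the fields that survive that absolute-to-relative switch (addresses, ports, flags, payload length, window) and flags copies that arrive within 1 ms of each other. The sample lines are constructed to mirror the post, with RFC 5737 documentation addresses in place of the poster's masked ones.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the old tcpdump text format used in the post. Pairs 1-2
# and 5-6 repeat verbatim; pair 3-4 is one packet printed absolute then relative;
# lines 7-8 are two genuinely different segments 30 ms apart.
SAMPLE = """\
11:18:04.688408 192.0.2.49.netbios-ssn > 198.51.100.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
11:18:04.688409 192.0.2.49.netbios-ssn > 198.51.100.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
11:18:04.688643 192.0.2.10.netbios-ssn > 198.51.100.15.1503: P 158405518:158405625(107) ack 1210141117 win 8608NBT Packet (DF)
11:18:04.688644 192.0.2.10.netbios-ssn > 198.51.100.15.1503: P 0:107(107) ack 1 win 8608NBT Packet (DF)
11:18:04.689610 192.0.2.6.printer > 198.51.100.10.723: . ack 4096314569 win 2144
11:18:04.689610 192.0.2.6.printer > 198.51.100.10.723: . ack 1 win 2144
11:18:04.689614 198.51.100.103.1066 > 192.0.2.49.netbios-ssn: P 294:343(49) ack 363 win 7380NBT Packet (DF) [tos 0x4]
11:18:04.718183 198.51.100.103.1066 > 192.0.2.49.netbios-ssn: P 6762:6811(49) ack 8223 win 8397NBT Packet (DF) [tos 0x4]
"""

# timestamp, src.port > dst.port: flags [seq:end(len)] [ack N] win W ...
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


@dataclass(frozen=True)
class Segment:
    ts_us: int        # microseconds since midnight
    src: str          # address.port as printed
    dst: str
    flags: str
    length: int       # TCP payload bytes (0 for a pure ACK)
    window: int
    has_ack: bool
    seq_text: str     # as printed: absolute or relative, so NOT part of the key

    def key(self) -> tuple:
        return (self.src, self.dst, self.flags, self.length, self.window, self.has_ack)


def to_micros(ts: str) -> int:
    """'11:18:04.63' -> microseconds; tcpdump may print fewer than six digits."""
    hh, mm, rest = ts.split(":")
    sec, frac = rest.split(".")
    frac = (frac + "000000")[:6]
    return ((int(hh) * 60 + int(mm)) * 60 + int(sec)) * 1_000_000 + int(frac)


def parse(text: str) -> list[Segment]:
    segs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-TCP or truncated line: skipped, not guessed at
        segs.append(Segment(
            ts_us=to_micros(m["ts"]), src=m["src"], dst=m["dst"], flags=m["flags"],
            length=int(m["len"] or 0), window=int(m["win"]),
            has_ack=m["ack"] is not None,
            seq_text=f"{m['seq']}:{m['end']}" if m["seq"] else "",
        ))
    return segs


def find_duplicates(segs: list[Segment], window_us: int = 1000) -> list[tuple[Segment, Segment]]:
    """(first, copy) pairs: same key, copy seen within window_us of the first."""
    last_seen: dict[tuple, Segment] = {}
    dups = []
    for s in segs:
        prev = last_seen.get(s.key())
        if prev is not None and 0 <= s.ts_us - prev.ts_us <= window_us:
            dups.append((prev, s))
        last_seen[s.key()] = s
    return dups


def summary(segs: list[Segment]) -> tuple[int, int]:
    """(duplicate pairs, segments parsed); a SPAN of both sides of a routed hop
    pushes the first number toward half of the second."""
    return len(find_duplicates(segs)), len(segs)


if __name__ == "__main__":
    segments = parse(SAMPLE)
    for first, copy in find_duplicates(segments):
        print(f"{first.src} > {first.dst} len={first.length} "
              f"seq {first.seq_text or '-'} / {copy.seq_text or '-'} "
              f"dt={copy.ts_us - first.ts_us}us")
    print("pairs/segments:", summary(segments))
```

Feed it a tcpdump text file instead of SAMPLE and compare the pair count to the segment count: a figure near one half, as in the posted dump, means the mirror session is capturing both ingress and egress (or both VLANs) of the same traffic and should be narrowed to one direction or one port, whereas a handful of pairs with sequence numbers that differ is the network, not the capture.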
CCNP okinawa japan [7:51329]
Are there any people in the Okinawa area going for CCNP?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51329&t=51329
test [7:51328]
Test

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=51328&t=51328