Re: Good network monitor prog. ??? [7:75081]

2003-09-09 Thread Nigel Taylor
Steven,
  There's a great little program on SourceForge that's growing
in popularity and IMHO is going to become a great NMS tool.  It integrates
syslog, TACACS, RRDtool (performance graphs), maps, traps, TFTP,
autodiscovery, sound alerts and AAA, and is modular and extensible.  It uses a
database backend to store all the data as well (good for trend analysis).


The documentation is pretty good and if you have/know Unix it's pretty
easy to get up and running.  There is also a windoze port for the non-*nix
folks.

http://sourceforge.net/projects/jffnms/


HTH

Nigel




-- Original Message -
From: John Neiberger 
To: 
Sent: Tuesday, September 09, 2003 1:44 PM
Subject: Re: Good network monitor prog. ??? [7:75081]


  Steven Aiello 9/9/03 11:18:51 AM 
 Anyone know of a good network monitor prog.?  It doesn't have to be
 free but not too expensive.  My budget is nil.  Any recommendations?
 
 Thanks,
 Steve

 Wouldn't it _have_ to be free if your budget is nil?  ;-)  You might want
 to check out MRTG and WhatsUp Gold:

 http://mrtg.hdl.com/mrtg.html

 http://www.ipswitch.com/products/WhatsUp/index.html

 HTH,
 John
 **Please support GroupStudy by purchasing from the GroupStudy Store:
 http://shop.groupstudy.com
 FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=75121t=75081


Re: OSPF BGP redistiribution question [7:66430]

2003-03-30 Thread Nigel Taylor
Chuck,
My first thought is: what does sh ip bgp show for the routes that do
not show up in BGP?

I believe there is a requirement not to disable sync, which suggests that
the routes not being added to BGP aren't sync'd with the IGP.  Do any
of these have route information being propagated from an iBGP neighbor?

Nigel


  - Original Message -
From: The Long and Winding Road 
To: 
Sent: Saturday, March 29, 2003 2:27 AM
Subject: OSPF BGP redistiribution question [7:66430]


 NLI ( b..o..o..t..c..a..m..p.. lab 8 ) redistribution of OSPF and BGP

 I checked CCO and the answer key

 everything appears to be correct.

 So why is it that half my OSPF routes do not show up in the BGP table???

    Network          Next Hop         Metric LocPrf Weight Path
 *  137.20.0.0       0.0.0.0               0        32768 ?
 * i137.20.40.16/28  137.20.25.2         164    100      0 i
 *                   0.0.0.0             110        32768 i
 *  137.20.100.33/32 0.0.0.0             138        32768 i
 *  137.20.100.34/32 0.0.0.0              74        32768 i
 *  137.20.100.35/32 0.0.0.0              74        32768 i
 * i172.168.70.0/24  137.20.10.70        170    100      0 3 i
 *  172.168.80.0/24  137.20.86.1           0             0 1 i
 R#

 O IA 200.200.200.0/24 [110/75] via 137.20.64.5, 02:27:46, Ethernet0
      137.20.0.0/16 is variably subnetted, 12 subnets, 4 masks
 O E1    137.20.200.16/28 [110/110] via 137.20.64.5, 02:27:46, Ethernet0
 O IA    137.20.30.0/24 [110/84] via 137.20.64.5, 02:27:46, Ethernet0
 O IA    137.20.25.0/24 [110/74] via 137.20.64.5, 02:27:46, Ethernet0
 O IA    137.20.20.0/24 [110/84] via 137.20.64.5, 02:27:46, Ethernet0
 O E1    137.20.40.16/28 [110/110] via 137.20.64.5, 02:27:46, Ethernet0
 O IA    137.20.88.0/24 [110/75] via 137.20.64.5, 02:27:46, Ethernet0
 O IA    137.20.100.33/32 [110/138] via 137.20.64.5, 02:19:42, Ethernet0
 O IA    137.20.100.35/32 [110/74] via 137.20.64.5, 02:19:42, Ethernet0
 O IA    137.20.100.34/32 [110/74] via 137.20.64.5, 02:19:42, Ethernet0
 O IA    137.20.100.0/24 [110/10] via 137.20.64.5, 02:19:42, Ethernet0
 O IA 200.200.100.0/24 [110/75] via 137.20.64.5, 02:27:46, Ethernet0

 lest you wonder, I am using the proper ( so I think ) form of the
 redistribute command, covering OSPF internal and external )

 router bgp 2
  no synchronization
  bgp log-neighbor-changes
  network 137.20.20.0 mask 255.255.255.0 backdoor
  network 137.20.25.0 mask 255.255.255.0 backdoor
  network 137.20.30.0 mask 255.255.255.0 backdoor
  network 137.20.40.16 mask 255.255.255.240
  network 137.20.88.0 mask 255.255.255.0 backdoor
  network 137.20.100.33 mask 255.255.255.255
  network 137.20.100.34 mask 255.255.255.255
  network 137.20.100.35 mask 255.255.255.255
  network 137.20.100.0 mask 255.255.255.0 backdoor
  network 137.20.200.16 mask 255.255.255.240 backdoor
  network 200.200.100.0 backdoor
  network 200.200.200.0 backdoor
  redistribute ospf 239 match internal external 1 external 2   <<<--- SEE, I told you so!
  neighbor 137.20.25.1 remote-as 2
  neighbor 137.20.25.1 ebgp-multihop 3
  neighbor 137.20.86.1 remote-as 1


 any help appreciated

 Chuck!

 --
 TANSTAAFL
 there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66474t=66430
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: PPP Problems - any ideas!!! [7:66486]

2003-03-30 Thread Nigel Taylor
Matt,
 That's correct.  Think about authentication in terms of Cisco's 3
tier design model;

Core(WAN)
Distribution(Routed/Switched)
Access(User)

This is why you get the message you noted.

 01:57:10: Se0 PPP: Treating connection as a dedicated line

The use of authentication within PPP is typically to provide user access
authentication support, whereas within the WAN authentication might be
implemented through the use of physical security, or within a routing
protocol itself.

Take a look at the Dial ISDN/Async configuration areas of CCO; this may
help.  Here's a link to using two routers in a back-to-back scenario, using
authentication.

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a00800a3b85.shtml

watch the line wrap.

The one exception here would be no need to use the multilink command if
using one interface.  This should however display the information you're
trying to observe.


HTH

Nigel

- Original Message -
From: saunders1m 
To: 
Sent: Sunday, March 30, 2003 7:45 AM
Subject: PPP Problems - any ideas!!! [7:66486]


 I have 2 routers connected back to back via a DTE - DCE crossover cable and
 I am trying to establish a PPP connection, though I can't seem to make the
 connection, and when I try using debug ppp authentication I get:

 01:57:10: Se0 PPP: Treating connection as a dedicated line

 Is my config right???

 Router 1 (r9)

 username r10 password cisco
 interface Serial0
  ip address 10.0.1.1 255.255.255.0
  no ip directed-broadcast
  encapsulation ppp
  no fair-queue
  ppp authentication pap

 Router 2 (r10)

 username r9 password cisco
 interface Serial0
  ip address 10.0.1.2 255.255.255.0
  no ip directed-broadcast
  encapsulation ppp
  no fair-queue
  clockrate 64000
  ppp authentication pap


 Also when I try to debug using debug ppp authentication I don't seem to be
 seeing any output on the console; I have tried using terminal monitor
 though I plugged into the console directly.

 Using show logging gives me this output:

 r10#show logging
 Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
 Console logging: level debugging, 55 messages logged
 Monitor logging: level debugging, 0 messages logged
 Buffer logging: level debugging, 8 messages logged
 Trap logging: level informational, 50 message lines logged

 Under console logging it says 55 messages logged, how do I view these?

 Cheers

 Matt




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66492t=66486
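The configs in the thread above authenticate with PAP and a shared `username ... password cisco`. The following is an added example, not code from the post or from Cisco: it builds the PAP Authenticate-Request and the CHAP Challenge/Response pair from RFC 1334 and RFC 1994 so the difference in what a tap on the serial line recovers is visible. The peer names r9/r10 and the password come from the posted configs; the identifiers and the CHAP challenge are constructed.

```python
"""PAP versus CHAP on the wire (RFC 1334, RFC 1994).

Added example, not code from the original post or from Cisco.  It builds
the PAP Authenticate-Request that a PAP-authenticated link carries and the
CHAP Challenge/Response pair, so what a tap on the serial line recovers in
each case is visible.  The peer names r9/r10 and the password 'cisco' are
taken from the posted configs; identifiers and the challenge are
constructed here.
"""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1   # PAP Code: Authenticate-Request (RFC 1334 2.2.1)
CHAP_CHALLENGE = 1     # CHAP Codes (RFC 1994 section 4)
CHAP_RESPONSE = 2


def pap_authenticate_request(ident: int, peer_id: str, password: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Peer-ID-Length(1) Peer-ID
    Passwd-Length(1) Password.  Both strings travel in cleartext."""
    pid, pw = peer_id.encode(), password.encode()
    body = bytes([len(pid)]) + pid + bytes([len(pw)]) + pw
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def pap_sniff(pkt: bytes) -> dict:
    """What a passive listener recovers from a PAP request: the password."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != PAP_AUTH_REQUEST or length != len(pkt):
        raise ValueError("not a PAP Authenticate-Request")
    pos = 4
    pid_len = pkt[pos]
    peer_id = pkt[pos + 1:pos + 1 + pid_len]
    pos += 1 + pid_len
    pw_len = pkt[pos]
    password = pkt[pos + 1:pos + 1 + pw_len]
    return {"id": ident, "peer_id": peer_id.decode(), "password": password.decode()}


def chap_challenge(ident: int, name: str, challenge: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    body = bytes([len(challenge)]) + challenge + name.encode()
    return struct.pack("!BBH", CHAP_CHALLENGE, ident, 4 + len(body)) + body


def chap_response(ident: int, name: str, secret: str, challenge: bytes) -> bytes:
    """Value = MD5(Identifier || secret || challenge); the secret itself
    never leaves the router."""
    digest = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
    body = bytes([len(digest)]) + digest + name.encode()
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


def chap_verify(response: bytes, challenge: bytes, secrets: dict) -> bool:
    """Authenticator side: look the peer's name up in the local username
    database (the 'username <peer> password <secret>' lines) and recompute."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != CHAP_RESPONSE or length != len(response):
        return False
    vsize = response[4]
    value = response[5:5 + vsize]
    name = response[5 + vsize:].decode()
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()
    return hmac.compare_digest(value, expected)


def demo() -> dict:
    """r10 authenticating to r9 with both methods; returns what each exposes."""
    pap = pap_authenticate_request(1, "r10", "cisco")
    challenge = os.urandom(16)                       # constructed, fresh per attempt
    chap_challenge(7, "r9", challenge)               # what r9 would send first
    resp = chap_response(7, "r10", "cisco", challenge)
    return {
        "pap_password_on_wire": pap_sniff(pap)["password"],
        "chap_secret_on_wire": b"cisco" in resp,
        "chap_accepted": chap_verify(resp, challenge, {"r10": "cisco"}),
        "chap_wrong_secret": chap_verify(resp, challenge, {"r10": "other"}),
    }


if __name__ == "__main__":
    print(demo())
```

PAP carries the peer name and the password in cleartext inside the Authenticate-Request, so anyone who can tap the serial line reads them directly; CHAP puts only MD5(id || secret || challenge) on the wire and uses a fresh challenge each time, so a capture yields nothing reusable. One IOS detail worth checking alongside the "dedicated line" message: a router only sends a PAP request when the interface also carries `ppp pap sent-username <name> password <pw>`, which is what `debug ppp authentication` would otherwise show as missing.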


Re: BGP Route Reflectors [7:66488]

2003-03-30 Thread Nigel Taylor
Ken,
Technically speaking, even eBGP has the ability to peer with
neighbors that aren't directly connected.  Typically, eBGP peers will have
direct physical connectivity, whereas iBGP peers are part of the same AS; as
long as a route/path exists to that peer, connectivity shouldn't be a
problem.

When you address this issue, think of the requirement for BGP to be sync'd
with the IGP for route information to be advertised. As well as the
limitations/features of the peering relationship from one AS to another, or
devices within the same AS.

HTH

Nigel



- Original Message -
From: 
To: 
Sent: Sunday, March 30, 2003 9:10 AM
Subject: BGP Route Reflectors [7:66488]


 All,

 Please can someone clear this up for me, if you have the time.

 iBGP peers do not have to be physically connected to one another, as long as
 an IGP (most preferably) is running between them.

 On page 128 (paragraph 1) of the Routing TCP/IP Volume 2 book, it says the
 following about route reflectors and clients :-
 The clients have physical connections to each of the route reflectors, and
 they peer to each

 I assume that each client in an iBGP domain does not need to share a
 physical data-link to each RR?

 Many thx. (maybe I'm just tired from studying all weekend).

 Regards,
 Ken


 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66497t=66488


Re: Sanity Check - ISDN and EIGRP [7:66016]

2003-03-23 Thread Nigel Taylor
Folks,
   I'm sure this is pretty straightforward, but how this ISDN
connection relates to the lab requirements as a complete scenario should
dictate how the requirements are interpreted.

It seems strange that the ISDN link should stay up indefinitely.

Another question here would be what broadcast packets are they referring
to that could bring up the line.

Nigel
Dazed and confused  :-

- Original Message -
From: David j 
To: 
Sent: Sunday, March 23, 2003 2:50 AM
Subject: RE: Sanity Check - ISDN and EIGRP [7:66016]


 See below:

 The Long and Winding Road wrote:
 
   I'm working on a practice lab problem.
  
   there are two domains - OSPF and EIGRP
  
   The two domains can only communicate via ISDN
  
   OSPF---R1---ISDN--R2EIGRP
  
   R1 is where redistribution takes place. The ISDN link is in the EIGRP
   domain.
  
   Pretty much I've concluded that the only way this works is that there
   have to be static default routes on R1 and R2 pointing to each other.
   The only other way I can see this working is for the ISDN link to be
   permanently up.
  
   Unfortunately, the lab instructions are not very clear on this point. The
   only relevant instructions are:
  
   1) no broadcast packets should initiate a DDR session. Multicast packets
   should be able to traverse the ISDN link.
  
   2) use an access-list 120 for any filters you may need for DDR
  
   3) only IP traffic will need to traverse the link
  
   That multicast instruction is interesting. Am I on the right track
   thinking the test here is to let the link stay up forever by defining
   the EIGRP hellos as interesting ?? thoughts?

 I think so, in fact if the link were used as backup of a serial link it
 would be logical that EIGRP multicast packets bring it up when the serial
 link is down. We have our backups defined more or less in that way (on an
 EIGRP - EIGRP domain, but this is not so important here). We have defined as
 interesting traffic any IP packet, but I think you could fulfill all
 requirements of this lab doing some ACL engineering, perhaps denying
 explicitly broadcast packets at the beginning of the ACL.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66023t=66016


Re: OSPF Virtual link authentication - observations [7:65628]

2003-03-18 Thread Nigel Taylor
Chuck,
Let's see if I can make any sense in my reply to your comments.
When I think of a virtual-link as it relates to OSPF, I think of it in
terms of being a tunnel.  Also, short of being able to use a virtual-link, a
tunnel is what's recommended to maintain connectivity for any non-area0
connected areas.

Here's an excerpt from RFC 2328 which describes a virtual link.

12.4.1.3.  Describing virtual links

For virtual links, a link description is added to the
router-LSA only when the virtual neighbor is fully
adjacent. In this case, add a Type 4 link (virtual link)
with Link ID set to the Router ID of the virtual
neighbor, Link Data set to the IP interface address
associated with the virtual link and cost set to the
cost calculated for the virtual link during the routing
table calculation (see Section 15).


And then this excerpt from section 15..

The virtual link is treated as if it were an unnumbered point-to-point
network belonging to the backbone and joining the two area border routers.
An attempt is made to establish an adjacency over the virtual link.  When
this adjacency is established, the virtual link will be included in backbone
router-LSAs, and OSPF packets pertaining to the backbone area will flow over
the adjacency.  Such an adjacency has been referred to in this document as a
virtual adjacency.

So as you noted it would be safe to say that a virtual-link is governed by
the termination points of its unnumbered p-2-p links.  So where your
transit-area uses MD5 authentication so must your virtual-link.

Alex Zinin's Cisco IP Routing [pg. 489] clearly states that the virtual-link
always belongs to the backbone.  In saying this, the characteristics of the
transit area to identify the peering ABR and then receive
packets(encrypted/decrypted) would be the only things that associates the
virtual-link to the transit area.

HTH

Nigel :-)




- Original Message -
From: The Long and Winding Road 
To: 
Sent: Tuesday, March 18, 2003 12:04 AM
Subject: OSPF Virtual link authentication - observations [7:65628]


 Not sure I have this all sorted out correctly. Perhaps those with a bit more
 experience might add their wisdom, not to mention their corrections.

 The ospf virtual link being what it is, it follows rules similar to any
 other interface.

 It does appear, though, that in terms of structure, it looks something like
 this:

 ( commands under the ospf process )

 area X authentication
 area X virtual-link y.y.y.y authentication
 area X virtual-link y.y.y.y authentication-key WORD

 where X is the non zero area number over which the virtual link transits.

 In other words, for purposes of structure, the virtual link is not really
 part of area 0. It is a point-to-point link that is part of the non zero
 transit area.

 Am I understanding this correctly? I have a setup working, where the area 0
 authentication is simple and the transit area authentication is MD5, and no
 adjacency is formed across the virtual link with simple authentication, but
 comes up just fine with MD5.

 Any comments are appreciated.

 Any comments are appreciated.

 --
 TANSTAAFL
 there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65637t=65628
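Chuck's observation above (no adjacency across the virtual link with simple authentication while the transit area runs MD5, adjacency fine once the virtual link uses MD5) comes down to the receiver checking the AuType field before it looks at anything else. The following is an added example, not code from the post or from any router vendor: it builds a minimal OSPF Hello with type 1 (simple password) and type 2 (MD5) authentication per RFC 2328 Appendix D and runs each through a receiver configured for one of them. Router IDs, the area, the key `cisco`, the key id and the sequence numbers are constructed for illustration.

```python
"""OSPF packet authentication: type 1 (simple password) vs type 2 (MD5),
after RFC 2328 Appendix D.

Added example, not code from the post or from any router vendor.  It builds
a minimal OSPF Hello with each authentication type and runs it through a
receiver configured for one of them.  Router IDs, the area, the key 'cisco',
the key id and the sequence numbers are constructed for illustration.
"""
import hashlib
import hmac
import struct

OSPF_VERSION, HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2


def in_cksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _ip(a: str) -> bytes:
    return bytes(map(int, a.split(".")))


def hello_body(netmask="255.255.255.0", hello=10, dead=40, prio=1) -> bytes:
    """Hello: netmask, HelloInterval, Options (E bit), priority,
    RouterDeadInterval, DR, BDR; no neighbours listed."""
    return _ip(netmask) + struct.pack("!HBBI", hello, 0x02, prio, dead) + bytes(8)


def _header(rid, aid, plen, cksum, autype, auth8) -> bytes:
    """24-byte OSPF header: version, type, length, router id, area id,
    checksum, AuType, 64-bit authentication field."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, HELLO, plen,
                       _ip(rid), _ip(aid), cksum, autype, auth8)


def build_simple(rid, aid, password: str, body: bytes) -> bytes:
    """AuType 1: the password (8 bytes, zero padded) rides in the header in
    clear; the checksum covers the packet minus the authentication field."""
    plen = 24 + len(body)
    unauth = _header(rid, aid, plen, 0, AUTH_SIMPLE, bytes(8)) + body
    ck = in_cksum(unauth[:16] + unauth[24:])
    auth8 = password.encode().ljust(8, b"\x00")
    return _header(rid, aid, plen, ck, AUTH_SIMPLE, auth8) + body


def build_md5(rid, aid, key_id: int, key: str, seq: int, body: bytes) -> bytes:
    """AuType 2: checksum field is 0, the auth field carries key id, digest
    length and a sequence number, and MD5(packet || key zero-padded to 16
    bytes) is appended after the packet, outside PacketLength."""
    plen = 24 + len(body)
    auth8 = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(rid, aid, plen, 0, AUTH_MD5, auth8) + body
    return pkt + hashlib.md5(pkt + key.encode().ljust(16, b"\x00")).digest()


def receive(pkt: bytes, expect_autype: int, keys: dict, last_seq: dict) -> str:
    """Receiver.  `keys` holds the configured key under 'simple' (AuType 1)
    or under the key id (AuType 2); `last_seq` remembers the highest
    sequence number seen per router id.  Returns 'accept' or the reason."""
    ver, typ, plen, rid, aid, cksum, autype, auth8 = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if ver != OSPF_VERSION or plen > len(pkt):
        return "reject: malformed header"
    if autype != expect_autype:          # checked before anything else (RFC 2328 8.2)
        return "reject: authentication type mismatch"
    if autype == AUTH_SIMPLE:
        if auth8 != keys.get("simple", "").encode().ljust(8, b"\x00"):
            return "reject: bad password"
        if in_cksum(pkt[:16] + pkt[24:plen]) != 0:
            return "reject: bad checksum"
        return "accept"
    if autype == AUTH_MD5:
        _, key_id, dlen, seq = struct.unpack("!HBBI", auth8)
        key = keys.get(key_id)
        if key is None or dlen != 16 or len(pkt) < plen + 16:
            return "reject: unknown key id or truncated digest"
        if seq < last_seq.get(rid, 0):
            return "reject: replayed sequence number"
        expected = hashlib.md5(pkt[:plen] + key.encode().ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(pkt[plen:plen + 16], expected):
            return "reject: bad digest"
        last_seq[rid] = seq
        return "accept"
    return "reject: unsupported authentication type"


if __name__ == "__main__":
    body = hello_body()
    simple = build_simple("10.0.0.1", "0.0.0.1", "cisco", body)
    crypto = build_md5("10.0.0.1", "0.0.0.1", 1, "cisco", 100, body)
    print("password visible in type-1 packet:", b"cisco" in simple)
    print("type-1 packet at a type-2 receiver:", receive(simple, AUTH_MD5, {1: "cisco"}, {}))
    print("type-2 packet at a type-2 receiver:", receive(crypto, AUTH_MD5, {1: "cisco"}, {}))
```

Two things follow from the code: the type-1 password sits in the header in clear, so it protects against misconfiguration rather than against anyone who can capture the packets; and a type-1 Hello arriving at an interface expecting type 2 is dropped on the AuType check alone, which is the "no adjacency" Chuck saw. The MD5 trailer also carries a sequence number that the receiver requires to be non-decreasing, which is what stops a captured Hello from being replayed later.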


Re: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65376]

2003-03-14 Thread Nigel Taylor
Chuck,
There is a brief article which addresses those L2 vulnerabilities
you mention in the most recent publication of Packet Magazine.

Nigel

- Original Message -
From: The Long and Winding Road 
To: 
Sent: Thursday, March 13, 2003 2:50 AM
Subject: Re: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65279]


 Priscilla Oppenheimer  wrote in message
 news:[EMAIL PROTECTED]
  chris kane wrote:
  
   It recently came to my attention that my company may plan to disable all
   CDP in our network. The current vibe is that they see it as a security
   risk. My intent is to research this and provide a paper arguing for the
   use of CDP. The purpose for my post is to see if my opinions of the
   benefits of CDP are realistic (sanity check) and to see how others view
   CDP, weighing its usefulness vs. any possible risk.
  
   I have already begun researching any security releases on CCO in regards
   to CDP. Initial scan shows a 'vulnerability' notice that Cisco most
   recently updated on Feb 12, 2003. This information can be found at this
   link:
  
   http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080093ef0.shtml
  
   Looking at CDP from a troubleshooting tool perspective, I am all for it.
   I've personally been saved unknown hours tracing down a problem because
   CDP allowed me to bounce around the network quickly. Our network is not
   small. And as most people would agree, documentation is never what we all
   would like it to be. Therefore, I find that CDP's ability to display the
   network below Layer 3 is appreciated.
 
  So will a hacker appreciate CDP's ability to display information about the
  internetwork.
 
  I think that's the reasoning behind the security experts saying to turn it
  off. That is indeed the current vibe.
 
  I took a Cisco security class at the Usenix Security Symposium in August
  2002. The instructor said to turn it off.
 
  Have you looked at the documents at the Center for Internet Security? They
  have benchmarks for Cisco security. They have 2 levels. Even with the less
  severe level, they say to turn off CDP.
 
  The Center for Internet Security tries to develop consensus on security
  measures. Their partners include The SANS Institute, the DoD Computer
  Emergency Response Team, NASA, National Institute of Standards and
  Technology, etc.
 
  Their Web site is here:
 
  http://www.cisecurity.org/
 
  On the other hand, I think you could certainly make a good case for not
  disabling CDP. Being able to troubleshoot efficiently is just as important
  as security when considering network availability. A network that's broken
  due to typical network problems is experiencing a denial of service just
  as bad as if a hacker had broken in. Good troubleshooting tools mean a more
  available network, there's no question.
 
  I hope others answer too. I know that all the security people say to turn it
  off and most people who actually work in the trenches say, Hunh?


 Can't find the link off hand, but recently I read something on the Cisco web
 site about L2 vulnerabilities - mac flooding or something.

 In any case, what it comes down to is that the possibility exists that
 someone of evil intent could sniff a network and discover something useful
 that could be used to cause problems later.

 Why have OSPF authentication on internal links? Why have CHAP authentication
 on dial up links? After all, who's out there tapping your telephones?

 What do you want - convenience or security? Cuz maybe you can't have both.

 Kinda like at the airport. Maybe you feel safer because they're searching
 people like me, who really do look like criminals, but do you feel safer if
 they're searching 80 year old ladies and 5 year old children? Could either
 one of those types pose a security risk? Interesting tradeoff, isn't it.
 particularly given certain incidents in a particular country of late.



 
  Priscilla
 
 
  
   Also from a tool perspective, I know CiscoWorks has tools to offer that
   utilize CDP. And I've seen software from other companies that does as
   well. Think Layer 2 traceroute capability.
  
   Looking at CDP from a multi-vendor platform perspective, I realize that
   it's often beneficial to turn off CDP on interfaces that connect to
   non-Cisco devices. No point in bothering a non-Cisco device with traffic
   that it can't process. But note, this is not turning off CDP globally per
   router/switch, but rather, disabling on an as-needed basis per interface.
  
   I'd like to hear other views and I'd appreciate feedback and opinions
   about this.
  
   Thanks,
   -chris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65376t=65376
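Chris asks how realistic the security concern is. Since CDP is unauthenticated and sent to a well-known multicast address, the concrete question is what a host on the same segment learns by decoding it. The following is an added example, not from the thread or from Cisco: it parses a CDP payload the way a passive sniffer would and returns the fields it yields. The payload is constructed by hand (the device name, address, version string and platform are made up), the TLV type numbers and encodings are CDP's as documented by Wireshark's dissector, and the Cisco-specific checksum variant for odd-length payloads is not modelled, so the checksum is only verified for even-length payloads.

```python
"""Decode a CDP payload the way a passive sniffer on the segment would.

Added example, not from the thread or from Cisco.  The payload below is
constructed (device name, address, version string and platform are made
up) so the script runs offline; on the wire the same bytes follow the
LLC/SNAP header of frames sent to 01:00:0c:cc:cc:cc.  TLV type numbers and
encodings are those of CDP as documented by Wireshark's dissector.  Cisco
computes the checksum differently for odd-length payloads; that variant is
not modelled, so the checksum is only verified for even-length payloads.
"""
import struct

TLV_NAMES = {0x0001: "device_id", 0x0002: "addresses", 0x0003: "port_id",
             0x0004: "capabilities", 0x0005: "software_version",
             0x0006: "platform", 0x000A: "native_vlan"}
CAPS = {0x01: "router", 0x02: "transparent-bridge", 0x04: "source-route-bridge",
        0x08: "switch", 0x10: "host", 0x20: "igmp", 0x40: "repeater"}


def in_cksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (zero-pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def tlv(t: int, value: bytes) -> bytes:
    """TLV: type(2) length(2, counts the 4 header bytes) value."""
    return struct.pack("!HH", t, 4 + len(value)) + value


def ipv4_address_tlv(*ips: str) -> bytes:
    """Address TLV body: count(4) then per address protocol-type(1)
    protocol-length(1) protocol(NLPID 0xCC = IP) address-length(2) address."""
    out = struct.pack("!I", len(ips))
    for ip in ips:
        out += bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes(map(int, ip.split(".")))
    return out


def build_cdp(version: int, ttl: int, tlvs: bytes) -> bytes:
    ck = in_cksum(struct.pack("!BBH", version, ttl, 0) + tlvs)
    return struct.pack("!BBH", version, ttl, ck) + tlvs


def parse_addresses(v: bytes) -> list:
    (n,) = struct.unpack("!I", v[:4])
    pos, addrs = 4, []
    for _ in range(n):
        ptype, plen = v[pos], v[pos + 1]
        proto = v[pos + 2:pos + 2 + plen]
        (alen,) = struct.unpack("!H", v[pos + 2 + plen:pos + 4 + plen])
        addr = v[pos + 4 + plen:pos + 4 + plen + alen]
        pos += 4 + plen + alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(".".join(map(str, addr)))
        else:
            addrs.append(addr.hex())        # non-IPv4 protocols left raw
    return addrs


def parse_cdp(payload: bytes) -> dict:
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    if len(payload) % 2 == 0 and in_cksum(payload) != 0:
        raise ValueError("bad CDP checksum")
    out = {"version": version, "ttl": ttl}
    pos = 4
    while pos + 4 <= len(payload):
        t, length = struct.unpack("!HH", payload[pos:pos + 4])
        if length < 4 or pos + length > len(payload):
            raise ValueError("malformed TLV at offset %d" % pos)
        v = payload[pos + 4:pos + length]
        name = TLV_NAMES.get(t, "tlv_0x%04x" % t)
        if t in (0x0001, 0x0003, 0x0005, 0x0006):
            out[name] = v.decode("ascii", "replace")
        elif t == 0x0002:
            out[name] = parse_addresses(v)
        elif t == 0x0004:
            (bits,) = struct.unpack("!I", v)
            out[name] = [c for b, c in CAPS.items() if bits & b]
        elif t == 0x000A:
            (out[name],) = struct.unpack("!H", v)
        else:
            out[name] = v.hex()
        pos += length
    return out


def sample_payload() -> bytes:
    """Constructed CDPv2 advertisement from a hypothetical access switch."""
    tlvs = (tlv(0x0001, b"dist-sw1")
            + tlv(0x0002, ipv4_address_tlv("10.1.1.1"))
            + tlv(0x0003, b"FastEthernet0/1")
            + tlv(0x0004, struct.pack("!I", 0x08 | 0x20))
            + tlv(0x0005, b"Cisco IOS Software, Version 12.x (made-up sample string)")
            + tlv(0x0006, b"cisco WS-C3550-24")
            + tlv(0x000A, struct.pack("!H", 2)))
    return build_cdp(2, 180, tlvs)


if __name__ == "__main__":
    for k, v in parse_cdp(sample_payload()).items():
        print("%-17s %s" % (k, v))
```

Run against the sample, the parser hands back the switch's hostname, its management address, the exact port the listener is plugged into, its capabilities, the software version string and the native VLAN, all from one unsolicited frame. That is the trade-off the benchmarks quoted in the thread are weighing: the same fields that make `show cdp neighbors` useful for troubleshooting are a free inventory for anyone on an access port, which is why the usual compromise is `no cdp enable` on user-facing and untrusted interfaces rather than `no cdp run` globally.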

Re: Cannot see Rip routes with route-tagging - Why? [7:63900]

2003-02-27 Thread Nigel Taylor
Cisconuts,
 (Hint) My first question is: where exactly is it that you
identified what traffic is matched in the route-map?  :-)

Some other questions:

How are R6, R5, R4, and R2 all connected?  serial, eth0, frame-relay, etc...

This way folks on the list could be of more assistance once they understand
what you're trying to do.
Nigel




- Original Message -
From: Cisco Nuts 
To: 
Sent: Wednesday, February 26, 2003 2:37 PM
Subject: Cannot see Rip routes with route-tagging - Why? [7:63900]


 Hello,

 I have R6, R5 and R4 running RIP ver 2, network 178.1.10.0 subnets.
 R5, R4 and R2 running EIGRP 2, network 181.16.2.0 subnets.
 R5 and R4 had mutual redistribution set up using route tagging.
 R6 correctly sees the EIGRP redistributed routes but R2 is NOT seeing any
 RIP redistributed routes.
 Any help is appreciated.

 Config. on R5 (ditto config on R4)

 R5#rbr
 router eigrp 2
  redistribute rip metric 1 1 1 1 1 route-map r2e
  network 181.16.2.8 0.0.0.3
  no auto-summary
  no eigrp log-neighbor-changes
 !
 router rip
  version 2
  redistribute eigrp 2 metric 2 route-map e2r
  network 172.31.0.0
  network 178.1.0.0
  no auto-summary
 !
 route-map e2r deny 10
  match tag 77
 !
 route-map e2r permit 20
  set tag 88
 !
 route-map r2e deny 10
  match tag 88
 !
 route-map r2e permit 20
  set tag 77

 Routing table on R2 (does not show any RIP routes)

 R2#r
      181.16.0.0/30 is subnetted, 4 subnets
 C       181.16.2.4 is directly connected, Serial1
 C       181.16.2.0 is directly connected, Ethernet0
 D       181.16.2.12 [90/679936] via 181.16.2.6, 00:40:47, Serial1
 C       181.16.2.8 is directly connected, Serial0.234

 Config:

 R2#rbr
 router eigrp 2
  network 181.16.2.0 0.0.0.3
  network 181.16.2.4 0.0.0.3
  network 181.16.2.8 0.0.0.3
  no auto-summary
  no eigrp log-neighbor-changes

 R2 and R5 running FR with ip split-horizon enabled on.

 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=64051t=63900
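Nigel's hint asks what each route-map clause actually matches. As an added example (not code from the post), here is a small model of IOS route-map evaluation applied to the r2e and e2r maps exactly as posted for R5: clauses are tried in sequence-number order, a clause with no match statement matches every route, the first matching clause decides permit or deny, an implicit deny applies when nothing matches, and set statements are applied on permit. The routes and tags fed in are constructed. It shows only what the route-maps alone admit in each direction, not what the Frame Relay topology or split horizon does to the routes afterwards.

```python
"""Trace what the posted r2e and e2r route-maps admit, clause by clause.

Added example, not code from the post.  It models IOS route-map evaluation
as documented: clauses tried in sequence-number order, a clause with no
match statement matches every route, the first matching clause decides
permit or deny, an implicit deny applies when no clause matches, and set
statements are applied on permit.  The routes and tags fed in are
constructed; the maps are copied from R5's configuration above.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    protocol: str      # table the route currently sits in
    tag: int = 0       # IOS shows untagged routes as tag 0


@dataclass
class Clause:
    seq: int
    action: str                              # "permit" or "deny"
    match_tags: Optional[List[int]] = None   # None: no match statement at all
    set_tag: Optional[int] = None

    def matches(self, r: Route) -> bool:
        return self.match_tags is None or r.tag in self.match_tags

    def describe(self) -> str:
        if self.match_tags is None:
            return "no match statement, matches every route"
        return "match tag %s" % " ".join(map(str, self.match_tags))


def apply_route_map(clauses: List[Clause], r: Route) -> Tuple[Optional[Route], str]:
    """Return (route after set statements, trace) or (None, trace) if denied."""
    for c in sorted(clauses, key=lambda c: c.seq):
        if not c.matches(r):
            continue
        if c.action == "deny":
            return None, "seq %d deny (%s)" % (c.seq, c.describe())
        out = replace(r, tag=r.tag if c.set_tag is None else c.set_tag)
        return out, "seq %d permit (%s), set tag %s" % (c.seq, c.describe(), c.set_tag)
    return None, "implicit deny: no clause matched"


# route-map e2r: EIGRP -> RIP; route-map r2e: RIP -> EIGRP (as posted for R5)
E2R = [Clause(10, "deny", match_tags=[77]), Clause(20, "permit", set_tag=88)]
R2E = [Clause(10, "deny", match_tags=[88]), Clause(20, "permit", set_tag=77)]


def redistribute(routes: List[Route], route_map: List[Clause], into: str):
    """Run every candidate through the map; permitted ones land in `into`."""
    out = []
    for r in routes:
        result, why = apply_route_map(route_map, r)
        if result is not None:
            result = replace(result, protocol=into)
        out.append((r.prefix, result, why))
    return out


def trace_r5() -> dict:
    """Candidates R5 would consider in each direction (constructed)."""
    rip_table = [Route("178.1.10.0/24", "rip"),               # native RIP from R6
                 Route("181.16.2.12/30", "rip", tag=88)]      # EIGRP route R4 pushed into RIP
    eigrp_table = [Route("181.16.2.4/30", "eigrp"),           # native EIGRP from R2
                   Route("178.1.10.0/24", "eigrp", tag=77)]   # RIP route R4 pushed into EIGRP
    return {"rip->eigrp (r2e)": redistribute(rip_table, R2E, "eigrp"),
            "eigrp->rip (e2r)": redistribute(eigrp_table, E2R, "rip")}


if __name__ == "__main__":
    for direction, rows in trace_r5().items():
        print(direction)
        for prefix, result, why in rows:
            print("  %-16s %-9s %s" % (prefix, "admitted" if result else "dropped", why))
```

The trace prints, per candidate route, which clause took it and why, which is the quickest way to answer "what is matched" without a lab: untagged routes fall through the deny clause and are admitted by the permit clause with no match statement, while routes already carrying the other direction's tag are stopped at sequence 10, which is the loop-prevention the tags are there for.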


Re: strange ISDN problem [7:60409]

2003-01-06 Thread Nigel Taylor
Ravi,
Since this problem seems to occur only on this specific line,
it would suggest that the cause could be a line problem.  The other
devices that dial into the PRI (hub) would suggest that the central location
physical layer and equipment is operating fine.

I would suggest that you have the company from which the line is provisioned
check the line.  I have a question..

Are you using the provider's demarc or did you create an extended demarc?

In my past experience it sometimes depended on how the provider made the
connection.  Check the wiring from that location all the way to your
equipment.
You could also ask to have the line checked by the provider, but there are a
number of local testing (local loop testing) steps that you could perform
before calling their tech support.

HTH

Nigel

- Original Message -
From: Ravi Tyagi 
To: 
Sent: Monday, January 06, 2003 1:52 AM
Subject: strange ISDN problem [7:60409]


 Dear All,

  I am facing a strange problem. Around 6 PM every evening my ISDN
 router (Cisco 803) shows a lot of packet loss. I am not even able to ping the
 directly connected WAN interface. Loss is 20% - 100%. Even extended
 ping doesn't help. The router is dialling to a PRI. There are currently 4 routers
 dialling to the PRI but the problem is with this router only. The router works
 fine during the day time. The PRI shows this router connected.

 Is this an interface overheating problem, or is this problem due to
 electric or magnetic interference with the ISDN line?

 Any help is appreciated.

 Regards

 Ravi





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60413t=60409



Re: Virtual-link and area range command [7:60408]

2003-01-06 Thread Nigel Taylor
Neil,
   I'm a bit confused by your question.  Your virtual-link should be
part of the existing addressing scheme.  The few things to note here will be
as follows;

Where in relation to the RIP domain is the virtual-link?
What is the mask(/) of the points that identify the virtual-link

I would need some more information and a better understanding of your design
to be able to provide a real solution.

HTH

Nigel

- Original Message -
From: neil K. 
To: 
Sent: Monday, January 06, 2003 1:42 AM
Subject: Virtual-link and area range command [7:60408]


 Guys,

 How do I summarize a virtual link using the area range command so that I can
 see the routes in the RIP domain.

 Thanks,

 neil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60415t=60408



Re: VoIP data rates [7:56942]

2002-11-06 Thread Nigel Taylor
Sebastien,
Thanks a lot for the link!  Very cool :-

Nigel

- Original Message -
From: Sebastien Venturoso 
To: 
Sent: Wednesday, November 06, 2002 3:20 AM
Subject: RE: VoIP data rates [7:56942]


 Here is a link for Voice Codec Bandwidth Calculator:

 http://tools.cisco.com/Support/VBC/jsp/Codec_Calc1.jsp

 (need CCO login)

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com]
 Sent: Wednesday, November 06, 2002 06:24
 To: [EMAIL PROTECTED]
 Subject: RE: VoIP data rates [7:56942]


 Matthew Webster wrote:
 
  Hi Priscilla,
 
  thanks for the help. I have found the chart you referred to and
  made several calculations - it appears that the bandwidth
  almost triples when you don't compress the IP, UDP and RTP
  headers.

 Yes. The bandwidth requirement almost triples. (I didn't finish the
 arithmetic before I hit the Post button on my previous message.)

 Windows NetMeeting and other such applications might compress the IP/UDP/RTP
 headers. It's an RFC that's been out for a time (RFC 2508). I don't know for
 sure if they do, though. It might not be the right approach anyway. I think
 compressed IP/UDP/RTP is usually implemented at the end points of slow links
 and isn't meant to be used end-to-end by applications.

 ___

 Priscilla Oppenheimer
 www.troubleshootingnetworks.com
 www.priscilla.com

 
  Here we're pretty certain that a typical dial up modem (either
  33.6 or 56kbps) have enough upstream bandwidth to handle these
  codecs. However, we could greatly decrease our bandwidth
  requirements if we compress the IP, UDP and RTP headers (saving
  money and bandwidth). However we're not sure if winsock or
  whatever protocol stack unencapsulation tool on a Microsoft O/S
  will be able to uncompress the IP, UDP and RTP headers. We're
  going to try to set up an experiment here as well as check out
  the Microsoft and Cisco websites, but if you know the answer,
  then that would be great.
 
  cheers,
  Matthew.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56977t=56942
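The "almost triples" figure discussed above can be checked with the packetisation arithmetic rather than the CCO calculator. The following added example (not from Cisco's calculator or from the thread) computes per-call bandwidth for a few codecs with and without RFC 2508 cRTP; the codec bit rates and the 20 ms packetisation interval are the usual defaults, while the 2-byte compressed header (UDP checksum suppressed) and the layer-2 overhead figures are assumptions noted in the code.

```python
"""Per-call VoIP bandwidth with and without RFC 2508 cRTP.

Added example, not from Cisco's calculator or from the thread.  Codec bit
rates and the 20 ms packetisation interval are the usual defaults; the
compressed header size (2 bytes when the UDP checksum is suppressed,
4 with it) and the layer-2 overhead figures are assumptions and can be
changed at the call site.
"""
IP_UDP_RTP = 20 + 8 + 12                 # uncompressed header bytes per packet
CRTP_HEADER = 2                          # assumed: RFC 2508 without UDP checksum
L2_OVERHEAD = {"none": 0, "ppp": 6, "frame-relay": 6, "ethernet": 18}   # assumed
CODEC_KBPS = {"G.711": 64.0, "G.729": 8.0, "G.723.1": 6.3}


def payload_bytes(codec: str, interval_ms: int = 20) -> float:
    """Voice payload carried in one packet."""
    return CODEC_KBPS[codec] * interval_ms / 8


def call_bandwidth_kbps(codec: str, interval_ms: int = 20, crtp: bool = False,
                        l2: str = "none") -> float:
    """Bandwidth of one direction of a call, headers included."""
    header = CRTP_HEADER if crtp else IP_UDP_RTP
    pps = 1000 / interval_ms
    return (payload_bytes(codec, interval_ms) + header + L2_OVERHEAD[l2]) * 8 * pps / 1000


def compression_gain(codec: str, interval_ms: int = 20, l2: str = "none") -> float:
    """How many times smaller the call gets with cRTP."""
    return (call_bandwidth_kbps(codec, interval_ms, False, l2)
            / call_bandwidth_kbps(codec, interval_ms, True, l2))


def calls_per_link(link_kbps: float, codec: str, **kw) -> int:
    """Whole calls that fit in one direction of a link."""
    return int(link_kbps // call_bandwidth_kbps(codec, **kw))


if __name__ == "__main__":
    for codec in CODEC_KBPS:
        print("%-7s %5.1f kbps, with cRTP %5.1f kbps (x%.2f smaller)" % (
            codec, call_bandwidth_kbps(codec),
            call_bandwidth_kbps(codec, crtp=True), compression_gain(codec)))
```

For G.729 at 20 ms the 40 header bytes outweigh the 20-byte payload, so the call goes from 24 kbps to 8.8 kbps with cRTP, a factor of about 2.7; for G.711 the 160-byte payload dominates and the gain is only 80 to 64.8 kbps. The ratio is what triples, not the payload, which is why the effect is large for low-rate codecs on slow links and small elsewhere.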



Re: how can I get the boot rom upgrade for mc3810 [7:56733]

2002-11-03 Thread Nigel Taylor
Sometime back I upgraded a couple of MC3810's and this was the link I used.

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=2067212869

You'll get the boot rom and the 64 MB Dram chip.

HTH

Nigel


- Original Message -
From: Brad Ellis 
To: 
Sent: Sunday, November 03, 2002 2:38 PM
Subject: Re: how can I get the boot rom upgrade for mc3810 [7:56733]


 I thought Cisco wasn't carrying boot-roms anymore and you had to call Ingram
 or comwhore (or another one of their distributors) to get them.  (At least
 with the 2500 boot roms you do)

 thanks,
 -Brad Ellis
 CCIE#5796 (RS / Security)
 Network Learning Inc
 [EMAIL PROTECTED]
 www.optsys.net (Cisco hardware)
 Voice: 702-968-5100
 FAX: 702-968-5104

 James Willard  wrote in message
 news:200211021744.RAA08263;groupstudy.com...
  You can order the bootROM's by calling Cisco's credit card orders
  department at 1-800-553-6387 and choosing the To place a credit card
  order, press ... option.
 
  The part number is BOOT-381V= and it's a zero-cost item, so they'll only
  charge you for shipping.
 
  Enjoy,
 
  James Willard
  [EMAIL PROTECTED]
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com] On Behalf Of
  guest
  Sent: Saturday, November 02, 2002 10:21 AM
  To: [EMAIL PROTECTED]
  Subject: how can I get the boot rom upgrade for mc3810 [7:56733]
 
 
  I bought 2 mc3810, but I found I need to upgrade the boot rom first to
  support 64mb Dram, how can order this from Cisco, I am an end user.Is
  there some reseller can order this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56773t=56733



Re: IS-IS simple config [7:56751]

2002-11-02 Thread Nigel Taylor
Stephane,
If you read a bit further in Doyle's Routing TCP/IP on page
654 you will understand the reasoning for the command within the
configuration.  It's important to remember, as Doyle also points out earlier
in his IS-IS chapter, that IS-IS was designed with the purpose of
transitioning TCP/IP to OSI.  Doyle gives a brief explanation of this on
pages 593-595.

HTH

Nigel

- Original Message -
From: Stephane Litkowski 
To: 
Sent: Saturday, November 02, 2002 1:21 PM
Subject: IS-IS simple config [7:56751]


 Hi all,

 I see in Jeff Doyle's book (TCP/IP routing vol1) that for each ISIS router
 config (for IP routing only) there is the command clns routing. WHY ?
 I think this command is not necessary as long as we don't use clns router
 isis on interfaces : I already configured ISIS for IP routing on my 2500
 routers without clns routing and it works fine !
 Does this command bring something in IP only environment ?

 Thanks for clarifying this.

 --
 Stephane LITKOWSKI




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56754t=56751



Re: Another Internet Draft of Interest [7:56560]

2002-10-31 Thread Nigel Taylor
Howard,
  It would seem that there's something wrong with the links in
that I'm unable to access either of the drafts you noted.  It's also quite
possible that I simply didn't click on the link hard enough :-)  Oh, I
know...much like a recent Cox communications commercial,  maybe I simply
reached the end of the Internet. :-

thanks
Nigel

- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Thursday, October 31, 2002 1:14 AM
Subject: Re: Another Internet Draft of Interest [7:56560]


 Nigel Taylor wrote:
   All,
   I just got through some of the presentations linked from the recent nanog
  meeting.  The draft in question was presented by Henk Uijterwaal titled New
  Services from RIPE NCC.
  
  There is also this link on the nanog list to his latest draft.
  
  http://www.ripe.net/home/henk/draft-ietf-ippm-owmetric-as-01.txt
  
  I was just thinking about some of our current tools like ping, hping, and
  traceroute which measure round trip delay vs one-way delay.  RFC 2679
  discusses numerous reasons for calculating one-way delay; however, would
  tools like ping and traceroute, with the existence of ping6 and traceroute6,
  be RFC 2679 compliant?  I've not done any research at this point but, would
  operational tools in everyday use benefit from this new active measurement?
  
  Here's a pretty good link that explains the concept for the normal folks
  like myself.

 There are several problems with using timestamped measurement in the
 router itself.  Some of these may be reduced with IPv6, but, for
 others, external passive hardware or special router hardware seems
 necessary.  See our BGP convergence drafts,
 http://www.ietf.org/internet-drafts/draft-ietf-bgpconv-03.txt and
 http://www.ietf.org/internet-drafts/draft-ietf-bgpbas-00.txt

 First, routers may not give sufficient precision in measurement,
 because they rate-limit ICMP to protect against ICMP floods, or
 simply don't prioritize it highly.  I mention IPv6 because
 authenticated source addresses may be used without fear of denial of
 service.

 Second, the router may or may not have the capacity to capture and
 store a statistically valid amount of data. NetFlow data export, for
 example, summarizes to a degree. If you could shoot debug to syslog,
 you'd have a much better chance as long as the router could keep up
 with it, using something like a SPAN port.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56581t=56560



Another Internet Draft of Interest [7:56560]

2002-10-30 Thread Nigel Taylor
All,
 I just got through some of the presentations linked from the recent nanog
meeting.  The draft in question was presented by Henk Uijterwaal, titled "New
Services from RIPE NCC".

There is also this link on the nanog list to his latest draft.

http://www.ripe.net/home/henk/draft-ietf-ippm-owmetric-as-01.txt

I was just thinking about some of our current tools like ping, hping, and
traceroute, which measure round trip delay vs one-way delay.  RFC 2679
discusses numerous reasons for calculating one-way delay; however, would
tools like ping and traceroute, with the existence of ping6 and traceroute6,
be RFC 2679 compliant?  I've not done any research at this point, but would
operational tools in everyday use benefit from this new active measurement?

Here's a pretty good link that explains the concept for the normal folks
like myself.


Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56560t=56560



Re: STP and Switching ! [7:56061]

2002-10-22 Thread Nigel Taylor
Jimmy,
 I do not have the title you note in your post, but here are a few things to
consider when identifying and trying to configure the root device within
your network.

An MDF or Distribution switch, as you mentioned, depending on the network
design will more than likely provide both L2 connectivity to the IDF and L3
connectivity to the network core. Try and think of the operation within the
MDF switch as totally separate processes, in which the switch speaks only L2
to the IDF but L3 to the network core.  In this regard the MDF switch will
be a part of STP calculations when designating a root device within the
network.  The fact that you see designated ports on the MDF switch is
because it is the root, which suggests that it is winning the STP election.

A couple of things to look at would be the election process of root bridges,
which goes as follows:

1. Lowest Root BID
2. Lowest path cost to Root Bridge
3. Lowest Sender BID
4. Lowest Port ID

Can you confirm that the MDF switch (switch D) isn't winning the election
through some other means (i.e. a lower priority, via the set spanning-tree
root command)?  Also, this would depend on the switches and at what point
they were both powered onto the network.  What exactly do you mean by
smaller MAC address? Do you care to post the MAC address of the MDF switch
and switch C?

HTH

Nigel


- Original Message -
From: Jimmy 
To: 
Sent: Tuesday, October 22, 2002 2:37 AM
Subject: STP and Switching ! [7:56061]


 Hi,
 I am confused by the CCNP exam certification guide (Cisco Press). It
 mentioned that a switch in the Distribution layer would make a better Root
 Bridge choice than one in the Access layer. I thought a distribution switch
 is layer 3, so STP is not necessary for it unless it is a flat switched
 network (pg. 178 of the book). In Figure 5.8 (pg. 176), I couldn't
 understand how come Catalyst D is the DP for Catalyst E and F. I told
 Catalyst C has priority over D since the MAC address is smaller. Is there
 any mistake? Can anyone please advise?

 Where can I find the errata for the Cisco Press book? I have gone to
 ciscopress.com but couldn't find any. Can anyone give me the URL?

 Cheers!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56067t=56061
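The four-step tiebreak listed in the reply above, as an added example that is not part of the original thread: a small Python model of 802.1D root election in which each switch starts out claiming to be root and adopts the best BPDU it hears. The switch names, priorities, MAC addresses and link costs are constructed; the point is that a Bridge ID is the 2-byte priority followed by the 6-byte MAC, so a lower priority (as set by a root-selection command) beats a numerically smaller MAC.

```python
"""Model of 802.1D root election (added example; switch data is constructed)."""
from dataclasses import dataclass


def bridge_id(priority: int, mac: str) -> int:
    """Pack a 16-bit priority and a 48-bit MAC into one 64-bit Bridge ID.

    The priority occupies the high-order bits, so a switch with a lower
    priority wins regardless of how small another switch's MAC address is.
    """
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC must be 48 bits")
    return (priority << 48) | mac_int


@dataclass(frozen=True)
class Bpdu:
    root_id: int     # BID of the bridge the sender believes is root
    root_cost: int   # sender's cost to that root (receiver adds link cost)
    sender_id: int   # BID of the sending bridge
    port_id: int     # sending port

    def key(self):
        # Tiebreak order from the post: root BID, cost, sender BID, port ID.
        return (self.root_id, self.root_cost, self.sender_id, self.port_id)


def better(a: Bpdu, b: Bpdu) -> bool:
    """True when BPDU a is superior to BPDU b (lower wins at the first difference)."""
    return a.key() < b.key()


def elect_root(switches: dict, links: list) -> dict:
    """Converge the election and return name -> (root BID, cost to root).

    switches: name -> (priority, mac)
    links: (switch_a, port_a, switch_b, port_b, path_cost)
    """
    bids = {name: bridge_id(p, m) for name, (p, m) in switches.items()}
    received = {name: None for name in switches}  # best BPDU heard so far

    def view(name):
        """What this switch believes: itself as root, or the best BPDU heard."""
        best = received[name]
        if best is None or bids[name] <= best.root_id:
            return bids[name], 0
        return best.root_id, best.root_cost

    changed = True
    while changed:
        changed = False
        for a, port_a, b, port_b, cost in links:
            for tx, tx_port, rx in ((a, port_a, b), (b, port_b, a)):
                root_id, root_cost = view(tx)
                heard = Bpdu(root_id, root_cost + cost, bids[tx], tx_port)
                if received[rx] is None or better(heard, received[rx]):
                    received[rx] = heard
                    changed = True
    return {name: view(name) for name in switches}


def root_name(result: dict, switches: dict) -> str:
    """Map the agreed root BID back to a switch name (all switches must agree)."""
    names = {bridge_id(p, m): n for n, (p, m) in switches.items()}
    roots = {names[root_id] for root_id, _ in result.values()}
    if len(roots) != 1:
        raise RuntimeError(f"election did not converge on one root: {roots}")
    return roots.pop()


# Constructed topology: D is the distribution switch, C/E/F are access
# switches.  C has the numerically smallest MAC, D the lowest priority.
SWITCHES = {
    "C": (32768, "00:00:0c:00:00:01"),
    "D": (4096,  "00:00:0c:ff:ff:ff"),
    "E": (32768, "00:00:0c:00:00:02"),
    "F": (32768, "00:00:0c:00:00:03"),
}
# Same MACs with every priority left at the default.
SWITCHES_DEFAULT_PRIORITY = {n: (32768, m) for n, (_, m) in SWITCHES.items()}
LINKS = [  # 100 Mb/s links, 802.1D cost 19; C reaches D only via E or F
    ("D", 1, "E", 1, 19),
    ("D", 2, "F", 1, 19),
    ("C", 1, "E", 2, 19),
    ("C", 2, "F", 2, 19),
]

if __name__ == "__main__":
    for label, topo in (("priority lowered on D", SWITCHES),
                        ("default priorities", SWITCHES_DEFAULT_PRIORITY)):
        result = elect_root(topo, LINKS)
        print(f"{label}: root is {root_name(result, topo)}")
        for name, (_, cost) in sorted(result.items()):
            print(f"  {name}: cost to root {cost}")
```

With D's priority lowered, D is root and C ends up two hops away (cost 38); with every priority at the default, the smallest MAC (C) wins and D is the one at cost 38, which is the "some other means" the reply asks Jimmy to rule out.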



Re: IP IRDP Feature? [7:56063]

2002-10-22 Thread Nigel Taylor
Robert,
   The first thing I would suggest reading is RFC 1256, which
outlines the various extensions used by ICMP, which in turn are used by
ICMP-RDP.

http://www.ietf.org/rfc/rfc1256.txt?number=1256

Cisco makes notable use of IRDP in their Mobile IP implementation.  That
would be a good place to begin looking from an operational perspective.

HTH

Nigel

- Original Message -
From: Robert Massiache 
To: 
Sent: Tuesday, October 22, 2002 2:55 AM
Subject: IP IRDP Feature? [7:56063]


 Hi,
 I do not understand where exactly and in what context we enable this
 service on the interfaces. Could someone explain it to me...

 I would appreciate your help.

 thanks





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56069t=56063



Re: suppress-map with summary-only?? [7:55599]

2002-10-15 Thread Nigel Taylor

Cisco Nuts,
  I don't believe you need to use the optional keyword
suppress-map to achieve your objective.  Unless of course you're trying to
find another way of achieving the same goal, for which you would still have
no need for the summary-only keyword.  Nonetheless, it would seem that the
keyword summary-only should work with the command, as they perform the same
function in generating an aggregate address, but by also suppressing the more
specific routes.

HTH

Nigel

P.S. Let us know what your testing proves.


- Original Message -
From: Cisco Nuts 
To: 
Sent: Monday, October 14, 2002 9:27 PM
Subject: suppress-map with summary-only?? [7:55599]


 Hello,

 Does the suppress-map work along with the summary-only keyword?

 I would only like to see the summary 13.0.0.0/8 but I keep seeing the rest
 of the networks.

 Here is the config:

 R7-FR(config)#aggregate-address 13.0.0.0 255.0.0.0 suppress-map CHECK summary-only

 route-map CHECK permit 10
 match ip address 21

 access-list 21 permit 13.4.0.0 0.0.255.255
 access-list 21 deny   any

 This works as it should: denies network 13.4.0.0/16 and permits the rest,
 13.1.0.0/24, 13.2.1.0/24, 13.3.0.0/16 and 13.0.0.0, BUT I would only like
 to see the aggregate 13.0.0.0/8

 Am I even asking the right thing here? :-)
 Just checking.

 Thank you.

 Sincerely.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55617t=55599
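The difference between summary-only and a suppress-map that the exchange above turns on, as an added example that is not from the thread: a Python model of the suppression decision for one aggregate-address, using the route-map/ACL from the question. The BGP table is constructed (the four more-specifics from the question plus one unrelated prefix), and the standard-ACL matching follows IOS wildcard-mask semantics, including the implicit deny at the end of the list.

```python
"""Model of BGP aggregate-address suppression (added example, constructed data).

summary-only suppresses every more-specific route inside the aggregate;
suppress-map suppresses only the more-specifics the route-map permits.  The
route-map here matches a standard access-list, so wildcard-mask matching is
applied to each route's network address.
"""
import ipaddress


def acl_permits(acl, network: ipaddress.IPv4Network) -> bool:
    """Evaluate a standard ACL given as (action, address, wildcard) entries.

    A wildcard bit of 1 means 'don't care'.  An address matching no entry
    hits the implicit deny at the end of every IOS access-list.
    """
    addr = int(network.network_address)
    for action, address, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(address)) & care:
            return action == "permit"
    return False


def aggregate(table, aggregate_prefix, summary_only=False, suppress_acl=None):
    """Return (advertised, suppressed) prefix lists for one aggregate-address.

    As IOS does, the aggregate is generated only when at least one component
    (more-specific) route exists in the table.
    """
    agg = ipaddress.ip_network(aggregate_prefix)
    advertised, suppressed, components = [], [], []
    for prefix in table:
        net = ipaddress.ip_network(prefix)
        is_component = net != agg and net.subnet_of(agg)
        if is_component:
            components.append(prefix)
        suppress = is_component and (
            summary_only
            or (suppress_acl is not None and acl_permits(suppress_acl, net)))
        (suppressed if suppress else advertised).append(prefix)
    if components and str(agg) not in advertised:
        advertised.insert(0, str(agg))
    return advertised, suppressed


# Constructed table: the more-specifics from the question plus one prefix
# outside 13/8 that no aggregate should touch.
BGP_TABLE = ["13.1.0.0/24", "13.2.1.0/24", "13.3.0.0/16", "13.4.0.0/16", "14.0.0.0/16"]

# access-list 21 permit 13.4.0.0 0.0.255.255 / access-list 21 deny any
ACL_21 = [("permit", "13.4.0.0", "0.0.255.255"),
          ("deny", "0.0.0.0", "255.255.255.255")]
# The ACL a suppress-map would need to behave like summary-only for 13/8.
ACL_WHOLE_BLOCK = [("permit", "13.0.0.0", "0.255.255.255")]


if __name__ == "__main__":
    cases = (("suppress-map CHECK", {"suppress_acl": ACL_21}),
             ("summary-only", {"summary_only": True}),
             ("suppress-map permitting all of 13/8", {"suppress_acl": ACL_WHOLE_BLOCK}))
    for label, kwargs in cases:
        adv, sup = aggregate(BGP_TABLE, "13.0.0.0/8", **kwargs)
        print(f"{label}:\n  advertised {adv}\n  suppressed {sup}")
```

With ACL 21 only 13.4.0.0/16 is suppressed, which is exactly what the poster observed; summary-only, or a suppress-map whose ACL permits the whole 13/8 block, leaves only the aggregate (and the unrelated prefix) advertised.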



OT: Voice Equipment must have for any Home Lab. [7:55548]

2002-10-14 Thread Nigel Taylor

All,
  I've listed two pieces of equipment from my home lab for auction on
ebay; here are the links.

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=2061687376

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=2061687561

Additionally, these devices will give you everything you need to practice
VoIP/VoFr/VoATM.
Both devices are MC3810s with 64MB RAM / 16 MB Flash (this is a must to
load 12.2(11)T). I also have an experimental image that came with the router
which supports VoHDLC.

For more information check the ebay listing.

Thanks
Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55548t=55548



Re: Nanog Post: redistribute bgp considered harmful [7:54961]

2002-10-13 Thread Nigel Taylor

See Inline..

- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Sunday, October 13, 2002 4:31 PM
Subject: Re: Nanog Post: redistribute bgp considered harmful [7:54961]


 At 4:13 PM + 10/13/02, Peter van Oene wrote:
 At 11:30 PM 10/12/2002 +, Zim wrote:
 I like this question. It seems to ponder the worth of a command based on
 the assumption that the command only exists to serve a purpose other than
 a real world application. Will an ISP ever need to redistribute bgp routes
 into the routing table of any IGP? Well, like so much in Internetworking,
 it depends. But to take away something based solely on an assumption and
 perhaps a limited view from your side of the world makes no sense.  In
 short the flexibility should stay. Used or not, options are always good to
 have. Just my 4 cents (adjusted for inflation)
 
 I would agree that options are nice to have, but ones that have a tendency
 to catastrophically affect one's entire network with a simple
 misconfiguration might demand some additional protection.

 Actually, I'd argue that more and more options, more and more feature
 creep, lead to less reliable systems. Personally, I'd rather have to
 jump through a few more hoops in configuration than be exposed to
 features that haven't gone through adequate regression testing --
 involving their interactions with other features.

NT:  I agree that more features and options do translate into being less
reliable from a code-level standpoint.  However, within the developmental
process these options and features do tend to provide greater insight or
possibly foresight into future levels of protocol development.  Also, as
Micro$oft has proven so many times in the past... the best regression
testing resides with the public at large. :-)

 In the Internet Research Task Force work on Future Domain Routing,
 one of the needs expressed for next-generation exterior routing is
 greater people scalability, better options for automatic checking
 and even proving of configurations, etc. There's no question that it
 is easier to prove routing policy at the more abstract level of RPSL
 than at the configuration language level.

NT:  Another good point here is the need for automatic checking. I do feel,
however, that this is unlikely to become a reality. IMHO, much the same as
with RPSL, the user must be somewhat proficient in order to fully
appreciate/realize the benefits of the implementation.  Another example is a
recent thread on the nanog list that addressed complete source route
verification.  The need will still have to be met with engineers and
administrators knowledgeable on the implementation, whatever it may be. This
is where those idiot knobs come in. Pro vs. Con.

 To answer the specific question, an ISP historically might have
 wanted to inject selected BGP routes into the IGP for purposes of
 best exit routing.  I suggest, however, that best exit routing is
 probably better done with MPLS TE.

NT:  There is no doubt that MPLS TE has/can provide best exit routing to
rival any redistribution. Nonetheless, based on the recent thread on the
list in regards to aggressive implementation and acceptance of MPLS, the
question now remains how much MPLS TE one can depend on.  I'll point
everyone to this article:
http://www.nwfusion.com/newsletters/frame/2002/01550372.html

In watching a recent episode of Business Center where the CEO of Sprint
noted that of the 27 or so organizations in the Telecom/Data Sector, only
two (ATT/Sprint) of the companies are said to be generating positive
revenue. I know ATT is doing a lot of MPLS, so the question is.. TO MPLS or
NOT!


 Protocol features become obsolete over time, although they may have
 seemed good ideas at the time:  the OSPF Database Overflow feature,
 (E)IGRP link-loading taken as part of a metric, etc.  Other features,
 which may be even more relevant here, are no longer called for in the
 market -- witness the exodus of desktop protocols, LANE, etc., in the
 CCIE exam.

My one issue with the exodus of obsolete protocol features is how much of
the obsolete code is actually removed from the code base. Furthermore, what
effects will the user have to endure in using software that is in effect a
burial ground of unwanted features/options.  Oh yes, regression testing.. I
guess software development truly does have a life cycle :-)

Nigel




 
 
 Nigel Taylor wrote in message
 news:[EMAIL PROTECTED]...
 All,
    This was a recent post on the Nanog list which I thought could get
 some interest on the list.  Basically, the poster is questioning the
 relevance or real world requirements/need for certain commands, in this
 case it's the redistribute bgp command.
 
 Here's the original post...
 
 Sean Donelan wrote:
 
  Should the Service Provider version of routing software include the
   redistribute bgp command?  Other than CCIE labs, I haven't seen a
   real-w

Re: Catalyst ATM blade to Marconi ASX-200WG [7:54948]

2002-10-06 Thread Nigel Taylor

nettable_walker,
   here's a link that should shed some light on what
you're trying to accomplish.

http://www.cisco.com/en/US/tech/tk39/tk42/technologies_configuration_example09186a0080093d65.shtml
watch the line wrap...

Since you have a Dual-PHY LANE module, you should identify the MAC address
of ports (A/B) for the various LANE elements on your Cat5k.  The command
show lane default should get you this information.  All you need from the
output is the last 7 bytes (which should be the device's MAC address and
byte selector).  This can be done by simply connecting to each port on the
LANE module while they're active (issue the command preferred phy a/b while
connected to the LANE module).  Once you have this information you should be
able to follow the link in constructing the LANE (LECS) database as well as
the sub-interfaces and vlan to ELAN bindings...

A really good book on the topic is Cisco ATM Solutions, authored by
Galina Diker Pildush, ISBN 1578702135.

HTH

Nigel




- Original Message -
From: nettable_walker 
To: 
Sent: Saturday, October 05, 2002 10:45 PM
Subject: Catalyst ATM blade to Marconi ASX-200WG [7:54948]


 10/5/2002   9:50pm  Saturday


 I would like to connect the ATM blade on my Catalyst 5505 to a Marconi/FORE
 ASX-200WG

 Can anyone guide me thru setting it up?


 RLP_5505 (enable) sho module
 Mod Slot Ports Module-Type               Model               Sub Status
 --- ---- ----- ------------------------- ------------------- --- ------
 1   1    2     1000BaseX Supervisor IIIG WS-X5550            no  ok
 2   2    2     MM OC-3 Dual-Phy ATM      WS-X5158            no  ok
 3   3    24    10/100BaseTX Ethernet     WS-X5224            no  ok
 4   4    24    10/100BaseTX Ethernet     WS-X5224            no  ok
 5   5    24    10/100BaseTX Ethernet     WS-X5224            no  ok

 Mod MAC-Address(es)                        Hw     Fw     Sw
 --- -------------------------------------- ------ ------ ----------------
 1   00-90-bf-23-ac-00 to 00-90-bf-23-af-ff 1.2    5.1(1) 6.3(9)
 2   00-10-7b-42-b3-d6                      2.1    1.3    12.0(22)W5(25)
 3   00-10-7b-49-07-20 to 00-10-7b-49-07-37 1.4    3.1(1) 6.3(9)
 4   00-10-7b-94-fb-30 to 00-10-7b-94-fb-47 1.4    3.1(1) 6.3(9)
 5   00-10-7b-94-fc-20 to 00-10-7b-94-fc-37 1.4    3.1(1) 6.3(9)
 RLP_5505 (enable)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54960t=54948



OT: Nanog Post: redistribute bgp considered harmful [7:54961]

2002-10-06 Thread Nigel Taylor

All,
   This was a recent post on the Nanog list which I thought could get
some interest on the list.  Basically, the poster is questioning the
relevance or real world requirements/need for certain commands, in this case
it's the redistribute bgp command.

Here's the original post...

Sean Donelan wrote:

 Should the Service Provider version of routing software include the
  redistribute bgp command?  Other than CCIE labs, I haven't seen a
  real-world use for redistributing the BGP route table into any IGP.

  If the command was removed (or included an "Are you sure?" question) what
  would the effect be on ISPs, other than improving reliability by
  stopping network engineers from fubaring a backbone?


Thoughts!

Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54961t=54961



Re: Off topic - Cisco's jazzy web site [7:54966]

2002-10-06 Thread Nigel Taylor

Hey Chuck,
Yep, I noticed this as well.  The greatest addition to
the new site is the button/link (image) that reads "Go to the old Site".
After mastering where all the information is on CCO, it's going to take
some time to familiarize myself with the new layout..

Nigel

- Original Message -
From: Chuck's Long Road 
To: 
Sent: Sunday, October 06, 2002 10:46 AM
Subject: Off topic - Cisco's jazzy web site [7:54966]


 Apparently the elves were busy last night. CCO has a new look.

 www.cisco.com



 --

 www.chuckslongroad.info
 like my web site?
 take the survey!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54973t=54966



Re: AAA in console [7:54282]

2002-09-26 Thread Nigel Taylor

Ryan,
 I noted your earlier post on this topic and my first question
is: what's the problem you're trying to solve?  Configuring AAA on the
console should be very straightforward; however, this could very easily
change based on your identified or outlined requirements.   A couple of
questions:

1.  Who will typically be accessing the console?
2.  What will be authenticating the user? TACACS+/RADIUS/the router etc.
3.  Do you plan on using the local database should tacacs fail?
4.  Will you have a redundant/secondary tacacs/radius device?

I've seen some enterprises where they preferred not to have any passwords
configured on the local device short of the enable secret, which should
survive a password checker like Getpass.  Of course the console password
was left outside the scope of AAA, as it provided the only way to access the
device if the tacacs/radius server(s) were unreachable.

HTH

Nigel

- Original Message -
From: Newell Ryan D SrA 18 CS/SCBT 
To: 
Sent: Thursday, September 26, 2002 5:53 PM
Subject: AAA in console [7:54282]


 How can I configure authorization on the console port?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54290t=54282
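The four questions in the reply above turned into a check, as an added example that is not part of the original thread: a small Python audit of an IOS configuration's console AAA settings. Both configurations are constructed (the server addresses, key and secrets are placeholders), and the checks encode the reply's concerns: whether the console's login list has a fallback when the TACACS+/RADIUS servers are unreachable, whether exec authorization is actually applied to the console (which in IOS requires the separate `aaa authorization console` command), whether an enable secret exists, and whether there is a second server.

```python
"""Console AAA checker (added example; both configs are constructed)."""
import re

# Constructed: answers the question literally but locks the console if the
# single TACACS+ server is unreachable, and never authorizes console sessions.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
enable password cisco
tacacs-server host 10.0.0.5
tacacs-server key SECRET
line con 0
 login authentication default
"""

# Constructed: same intent with a local fallback, console authorization,
# an enable secret and a second server.  Secrets are placeholders.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization console
enable secret PLACEHOLDER-ENABLE-SECRET
username admin secret PLACEHOLDER-USER-SECRET
tacacs-server host 10.0.0.5
tacacs-server host 10.0.0.6
tacacs-server key SECRET
line con 0
 login authentication default
"""

# Methods that still work with every AAA server unreachable.
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}


def parse(config: str):
    """Split an IOS config into global lines and per-'line' sub-mode lines."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):              # indented: belongs to the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        current = line if line.startswith("line ") else None
        if current is not None:
            sections.setdefault(current, [])
        else:
            global_lines.append(line)
    return global_lines, sections


def method_list(line: str, fixed_words: int):
    """'aaa ... <name> group tacacs+ local' -> ['group tacacs+', 'local']."""
    words = line.split()[fixed_words:]
    methods, i = [], 0
    while i < len(words):
        if words[i] == "group" and i + 1 < len(words):
            methods.append(f"group {words[i + 1]}")
            i += 2
        else:
            methods.append(words[i])
            i += 1
    return methods


def _server_only(methods) -> bool:
    return any(m.startswith("group ") for m in methods) and not FALLBACK_METHODS & set(methods)


def audit_console_aaa(config: str) -> dict:
    """Return finding code -> explanation for the console AAA setup."""
    findings = {}
    global_lines, sections = parse(config)
    if "aaa new-model" not in global_lines:
        findings["NO_NEW_MODEL"] = "aaa new-model absent; AAA method lists do not apply"

    login_list = "default"                   # console uses the default list unless told otherwise
    for entry in sections.get("line con 0", []):
        m = re.match(r"login authentication (\S+)$", entry)
        if m:
            login_list = m.group(1)
    login = [l for l in global_lines if l.startswith(f"aaa authentication login {login_list} ")]
    if not login:
        findings["NO_LOGIN_LIST"] = f"no 'aaa authentication login {login_list}' list"
    elif _server_only(method_list(login[0], 4)):
        findings["NO_LOGIN_FALLBACK"] = "console login relies only on AAA servers"

    author = [l for l in global_lines if l.startswith("aaa authorization exec ")]
    if author:
        if "aaa authorization console" not in global_lines:
            findings["NO_AUTHOR_CONSOLE"] = "exec authorization is not applied to the console"
        if _server_only(method_list(author[0], 4)):
            findings["NO_AUTHOR_FALLBACK"] = "exec authorization relies only on AAA servers"

    if not any(l.startswith("enable secret ") for l in global_lines):
        findings["NO_ENABLE_SECRET"] = "no enable secret (enable password is reversible)"

    servers = [l for l in global_lines
               if l.startswith("tacacs-server host ") or l.startswith("radius-server host ")]
    if len(servers) < 2:
        findings["SINGLE_SERVER"] = "only one AAA server; no redundancy"
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_console_aaa(cfg) or "no findings")
```

Whether the console should be inside AAA at all is the design question the reply raises; if it is, the `local` fallback is what keeps the console usable when the servers are down.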



Re: password recovery on a Marconi/FORE ASX-200WG switch [7:52941]

2002-09-09 Thread Nigel Taylor

Richard,

Once the switch boots up you should be able to use the AMI
account to get in without a password.  It's a whole lot like the C5k on
bootup and password recovery.  You just need to use the account AMI on
login.

Nigel

 

From: nettable_walker
Reply-To: nettable_walker
To: [EMAIL PROTECTED]
Subject: password recovery on a Marconi/FORE ASX-200WG switch [7:52912]
Date: Mon, 9 Sep 2002 07:31:43 GMT

9/9/2002 2:22am Monday

Has anyone ever done this? I was able to break in to it @ bootup; it looks
amazingly like a cisco router but I cannot figure out how to do it.
Marconi's web site is actually more useless than Nortel's !!!

Thanks,

Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52912t=52912







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52941t=52941



Re: IPsec - what is wrong with this config? [7:52865]

2002-09-08 Thread Nigel Taylor

Neal,
 You'll also need to have the crypto maps added to the physical
interface through which the tunnels are built.  Paste a copy of the complete
configs without the debug output.   However, what I noted seems to be the
only thing that stands out! Watch the word wrap...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141729

HTH
Nigel

- Original Message -
From: Neal Rauhauser 
To: 
Sent: Saturday, September 07, 2002 7:41 PM
Subject: IPsec - what is wrong with this config? [7:52865]


 I have two 1750s sharing an ethernet hub - just trying to get IPsec on
 a tunnel between ethernet interfaces and I am having trouble. This
 config seems close but I don't know what to do next.


 Here is the error I am getting when I try to ping the opposite end of
 the tunnel:

 01:05:29: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
 01:05:29: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
 01:05:29: ISAKMP (1): sending packet to 192.168.6.50 (I) MM_NO_STATE.

 -- this router is at the bottom of a three router stack
 crypto isakmp policy 1
  authentication pre-share
 crypto isakmp key duh address 192.168.6.51
 !
 !
 crypto ipsec transform-set MIDDLE ah-sha-hmac esp-des
 !
 crypto key pubkey-chain rsa
  named-key middle
   key-string
    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
    448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
    8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
   quit
  addressed-key 192.168.6.51
   address 192.168.6.51
   key-string
    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
    448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
    8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
   quit
 !
 crypto map MIDDLE2 local-address Tunnel0
 crypto map MIDDLE2 10 ipsec-isakmp
  set peer 192.168.6.51
  set transform-set MIDDLE
  match address middle
 !
 interface Tunnel0
  ip address 192.168.6.50 255.255.255.0
  tunnel source 192.168.1.50
  tunnel destination 192.168.1.51
  tunnel mode ipip
  crypto map MIDDLE2
 !
 interface FastEthernet0
  ip address 192.168.1.50 255.255.255.0
  speed auto


 --- this router is in the middle of a three router stack

 crypto isakmp policy 1
  authentication pre-share
 crypto isakmp key duh address 192.168.6.50
 !
 !
 crypto ipsec transform-set BOTTOM ah-sha-hmac esp-des
 !
 crypto key pubkey-chain rsa
  named-key bottom
   key-string
    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
    76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
    F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
   quit
  addressed-key 192.168.1.50
   address 192.168.1.50
   key-string
    305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
    76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
    F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
   quit
 !
 crypto map BOTTOM2 local-address Tunnel0
 crypto map BOTTOM2 10 ipsec-isakmp
  set peer 192.168.6.50
  set transform-set BOTTOM
  match address bottom
 !
 interface Tunnel0
  ip address 192.168.6.51 255.255.255.0
  tunnel source 192.168.1.51
  tunnel destination 192.168.1.50
  tunnel mode ipip
  crypto map BOTTOM2
 !
 interface Serial0
  ip address 192.168.3.1 255.255.255.0
  clockrate 100
 !
 interface FastEthernet0
  ip address 192.168.1.51 255.255.255.0
  speed auto




 --
 Neal Rauhauser CCNP, CCDP voice: 402-301-9555
 mailto:[EMAIL PROTECTED] fcc  : k0bsd
 I've seen the angels wearing their disguise,
 ordinary people leading ordinary lives - Tracy Chapman




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52890t=52865



Re: PDM [7:52870]

2002-09-07 Thread Nigel Taylor

Kevin,
  In answering your question... Yes, there is a PDM for routers as
well.  I believe it's called Configmaker:-)

Nigel

- Original Message -
From: Kevin O'Gilvie 
To: 
Sent: Saturday, September 07, 2002 9:44 PM
Subject: PDM [7:52870]


 PDM
 PDM
 PDM..

 I don't see why anyone uses PDM..
 With 6.X you can create groups, objects etc.. which really reduces the
 lines in your config..
 I am CLI all the way!!!
 Is there a PDM for routers too??
 LOL!!

 Just my opinion..

 CLI helps you learn the IOS much better than PDM..

 Cheers,

 Kevin





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52874t=52870



OT: What exactly is GRIP..! [7:52640]

2002-09-03 Thread Nigel Taylor

All,
 I've been trying to obtain a greater understanding of cisco's newest
protocol enhancement technologies/mechanism - GRIP.

http://www.cisco.com/warp/public/732/Tech/grip/learn.shtml

It seems very interesting but seems to address some of the same issues
already identified by the IETF and the various working groups.  Mainly what
caught my attention is the technology's claim to provide faster convergence
times for the Border Gateway Protocol (BGP).  Here's a link to the pdf
document that discusses it a bit but really only makes note of the user's
(admin's) responsibility to use existing IOS mechanisms to speed up
convergence.

http://www.cisco.com/warp/public/732/Tech/grip/docs/qa.pdf

Based on my past reading of RFCs like 2918, 2439, and drafts like the
Graceful Restart Mechanism, I couldn't find anything that identifies what
GRIP implements to assist in convergence times.   Has anyone looked at this
or heard anything from the cisco camp on exactly what it does from the BGP
standpoint?

thanks
Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52640t=52640



Re: RIP v2 authentication [7:52647]

2002-09-03 Thread Nigel Taylor

Kelly,
  What does the debug of the RIPv2 MD5 error look like?  Try
posting it (the debug of the authentication, I mean) to the list; I'm sure
someone has seen the error before and can let you know if you've missed
anything other than what you might have already covered.

Nigel

- Original Message -
From: Kelly Cobean 
To: ccielab 
Sent: Tuesday, September 03, 2002 11:07 PM
Subject: RIP v2 authentication


 All,
 I'm trying to use RIP v2 MD5 authentication and cannot seem to get it to
 work. I'm doing one of the FatKid labs and I've matched the RIP
 configuration that they list, but I continuously get the invalid
 authentication message when debugging RIP.  I've got version 2 specified on
 both routers, and have the ip rip auth mode md5 and ip rip auth key test
 commands on the two joining interfaces, and I've got identical key-chains
 configured on both routers. Am I missing anything?  I've even tried
 plain-text authentication and can't make it work. Thanks.

 Kelly




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52647t=52647
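What the "invalid authentication" in the question above means at the packet level, as an added example that is not from the thread: a Python model of RIPv2 keyed-MD5 authentication in the shape RFC 2082 describes, with a builder for an authenticated Response and a verifier that checks it against a key chain. The routes, key and sequence number are constructed; the field layout follows RFC 2082 as the author of this example reads it (a 20-byte authentication header entry of family 0xFFFF and type 3, route entries, then a 0xFFFF/0x0001 trailer carrying the 16-byte digest), and vendor implementations are known to differ in details such as the auth-data length value.

```python
"""RIPv2 keyed-MD5 authentication per RFC 2082 (added example, constructed data).

The digest is MD5 over the whole packet up to and including the trailer
header, with the 16-octet key appended, so the key itself never appears on
the wire; the receiver recomputes it with its own copy of the key.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTH_MD5 = 3
KEY_LEN = 16


def _key16(key: bytes) -> bytes:
    """RFC 2082 keys are 16 octets; shorter key strings are zero-padded (assumption)."""
    if len(key) > KEY_LEN:
        raise ValueError("key longer than 16 octets")
    return key.ljust(KEY_LEN, b"\x00")


def build_response(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """Build an authenticated RIPv2 Response for [(prefix, metric), ...]."""
    header = struct.pack("!BBH", 2, 2, 0)            # Response, version 2, domain 0
    entries = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0,              # AF_INET, route tag 0
                    ipaddress.ip_network(prefix).network_address.packed,
                    ipaddress.ip_network(prefix).netmask.packed,
                    b"\x00" * 4, metric)             # next hop 0.0.0.0 = sender
        for prefix, metric in routes)
    trailer_offset = len(header) + 20 + len(entries)  # the "RIP-2 packet length"
    auth_header = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, trailer_offset,
                              key_id, KEY_LEN, seq, b"\x00" * 8)
    unsigned = header + auth_header + entries + struct.pack("!HH", 0xFFFF, 1)
    digest = hashlib.md5(unsigned + _key16(key)).digest()
    return unsigned + digest


def verify_response(packet: bytes, keys: dict, last_seq: int = -1):
    """Check a received packet; returns (accepted, reason).

    keys maps key ID -> key bytes, like a key chain; last_seq is the highest
    sequence number already accepted from this neighbour.
    """
    if len(packet) < 4 + 20 + 4 + KEY_LEN:
        return False, "too short"
    family, auth_type, trailer_offset, key_id, _, seq, _ = \
        struct.unpack_from("!HHHBBI8s", packet, 4)
    if family != 0xFFFF or auth_type != AUTH_MD5:
        return False, "no MD5 authentication header"
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    if trailer_offset + 4 + KEY_LEN != len(packet):
        return False, "length field disagrees with packet"
    if packet[trailer_offset:trailer_offset + 4] != struct.pack("!HH", 0xFFFF, 1):
        return False, "missing authentication trailer"
    expected = hashlib.md5(packet[:trailer_offset + 4] + _key16(key)).digest()
    if not hmac.compare_digest(expected, packet[trailer_offset + 4:]):
        return False, "invalid authentication"   # key string mismatch or tampering
    if seq < last_seq:
        return False, "sequence number went backwards"
    return True, "ok"


# Constructed sample: two routes signed with key ID 1 and key string "test".
ROUTES = [("10.1.1.0/24", 1), ("10.1.2.0/24", 2)]
KEY_CHAIN = {1: b"test"}
PACKET = build_response(ROUTES, KEY_CHAIN[1], key_id=1, seq=7)

if __name__ == "__main__":
    print("same key       ", verify_response(PACKET, KEY_CHAIN))
    print("different key  ", verify_response(PACKET, {1: b"tset"}))
    print("other key id   ", verify_response(PACKET, {2: b"test"}))
    # Flip one bit in the first route's metric (byte 43: 4 + 20 + 16 + 3).
    tampered = PACKET[:43] + bytes([PACKET[43] ^ 1]) + PACKET[44:]
    print("tampered metric", verify_response(tampered, KEY_CHAIN))
    print("old sequence   ", verify_response(PACKET, KEY_CHAIN, last_seq=9))
```

A key string that differs by a single character, a different key ID on each side, or a modified route all land in the same "invalid authentication" branch, which is why the reply asks for the debug output rather than guessing which of them it is.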



Re: RADB [7:51718]

2002-08-20 Thread Nigel Taylor

Mohammed,
   To answer your question read this link..

http://www.radb.net/docs/servfaq.html#one

Then I would suggest you check out the RADB home page.  There's quite a bit
of good information on the site that will most likely answer your other
questions.

http://www.radb.net/docs/servfaq.html
http://www.radb.net/

HTH
Nigel



- Original Message -
From: Mohammed Saro 
To: 
Sent: Tuesday, August 20, 2002 3:23 AM
Subject: RADB [7:51718]


 What is RADB? And what is the importance of sending updates for the BGP
 policies after updating the RIR like RIPE NCC?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51723t=51718



A case for De-Aggregation in lieu of CIDR... [7:51448]

2002-08-15 Thread Nigel Taylor

All,
 I have a couple of questions in reference to a recent post on the nanog
list about possibly using de-aggregated routes. Now it's understood that
there are some inherent flaws (thrashing and blackholing) associated with
overpopulating the internet route tables through de-aggregation, when we
consider the reasoning behind the creation and implementation of CIDR.  I
recently revisited Avi Freedman's realaudio stream on Controlled
De-Aggregation using MEDs and larger aggregates (nanog9905). This got me to
thinking!  Based on what we already know of CIDR and the known disadvantages
of de-aggregation, there are some possible advantages in Avi's suggestion of
controlled de-aggregation.  Pointing back to W. B. Norton's Internet Service
Providers and Peering and The Art of Peering, he makes some suggestions that
cold-potato routing could be used to circumvent sub-optimal routing.  There
are a number of ways that cold-potato routing could be achieved, but as it
relates to this discussion, wouldn't controlled de-aggregated routes and the
use of MEDs provide another mechanism to achieving this objective?  Is this
a case of the ends don't justify the means?
Nigel







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51448t=51448



Re: OT: Nanog thread - Routing Protocol Security [7:51335]

2002-08-14 Thread Nigel Taylor

Priscilla,
comments inline...

- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Wednesday, August 14, 2002 2:40 PM
Subject: RE: OT: Nanog thread - Routing Protocol Security [7:51335]


 Jeff Doyle is allowed to ask questions too. ;-)

NT:  I do believe I've seen him ask questions.. if I'm not mistaken I think
they were rhetorical in nature..;-)


 Seriously, what was the gist of the responses? Are NANOG types concerned
 about routing protocol security vulnerabilities? I know that there's a
 lot of academic work going on in this area. If you search on routing
 protocol security in Google, for example, you'll come across lots of
 references to academic work, IEEE papers, a DARPA-sponsored Internet
 Infrastructure Protection project, etc.

NT:  I believe the concern stems from a number of different issues which relate
to the overall problem of global routing failures. There is mention of using
IGPs and their services (http://www.phenoelit.de/irpas/index.html) to stage an
attack on external protocols. I think the biggest issue is lack of
standardization on authenticated routing information throughout the internet.
There are a number of papers that address the lack of these mechanisms (MD5,
IR verification, secure route servers) being used by major players (within
the Default Free Zone). As noted by another avid nanog poster, Sean Donelan,
there are a number of various things currently being used
(http://www.merit.edu/mail.archives/nanog/msg02502.html) to prevent the likes
of AS7007 from being repeated. However, I was also unable to find anything
along the lines of progress made by the rpsec WG.


 There's also an IETF Working Group for this topic, the Routing Protocol
 Security Requirements group or something of that sort (rpsec for short).
 But I couldn't find any Internet drafts from them!? (just e-mail threads
 that didn't sound any more sophisticated than the wrangles we get into
 here! ;-)

 On a philosophical note, we have to realize that the bad guys aren't going
 to do the expected things, and if they do, we will have already designed
 protection for them. I heard Paul Kocher (one of the creators of SSL I
 think and a security luminary) say at a recent conference, somewhat
 sarcastically, that the real adversaries lack the propriety to limit
 themselves to tidy attacks such as brute force, factoring, and differential
 cryptanalysis (the things we tend to protect against with huge keys, etc.)

NT: Yes, this does raise a good point, however I must mention that there are
flaws in the methods used to ensure that routing information being propagated
globally has been verified and/or authenticated. Nonetheless, with
implementations like BGP/VPNs, PPVPNs and the constant growth of ISPs, W B
Norton's papers - Internet Service Providers and Peering and The Art of
Peering - suggest that with the exception of existing transit peering
relationships, more and more providers will endeavor to enhance their services
and attractiveness in an attempt to form direct peering relationships. This
minimizes the access of predators intent on proving their ability to hack,
crack and/or assimilate (Resistance is Futile ;-)..)

Nigel



 Priscilla

 Nigel Taylor wrote:
 
  All,
  I was doing my usual reading of the nanog mailing list and came across one
  of the more recent threads - Routing Protocol Security. What I found
  interesting was the name of the original poster, which noted, Jeff Doyle!
  Now, I'm sure there are quite a number of Jeff Doyles on the planet,
  however this name does mean a lot to those of us who have had the
  privilege of owning Routing TCP/IP.
 
  Basically, I thought folks on the list would be interested in the question
  as it relates to the possible global effects based on current Internet
  routing policies, or lack thereof on Private-to-Private, IXP peering or
  external peering in general.
 
  As a side note after reading the recently presented paper (nanog0202 mtg)
  ISP Essentials Supp by Barry Raveendran Greene and Philip Smith,
  http://www.nanog.org/mtg-0206/ppt/barry.pdf I must say that BGPv4, the
  protocol has made great strides in its operational enhancements. Possible
  vulnerabilities like the one noted in rfc1948, or the points raised by Tim
  Newsham's paper called The Problem With Random Increments are for the most
  part no longer valid/relevant possibilities.
 
  Furthermore, with the implementation of MD5 support and the possibility of
  BGP over IPSec the future looks bright for the security of global routing.
  Of course with the growing use of mostly layer 2 peering (between IXP
  peers) and MPLS/VPNs the need to implement even greater security within
  BGP the protocol itself might become a NON-issue.
 
  Thoughts anyone
 
  Nigel
 
 
  HI,
 
  Can any of you cite cases where an attack has been carried out against a
  network's routing protocol (BGP or OSPF in particular)? My apologies
OT: Nanog thread - Routing Protocol Security [7:51335]

2002-08-13 Thread Nigel Taylor

All,
I was doing my usual reading of the nanog mailing list and came across one
of the more recent threads - Routing Protocol Security.
What I found interesting was the name of the original poster, which noted,
Jeff Doyle! Now, I'm sure there are quite a number of Jeff Doyles on the
planet, however this name does mean a lot to those of us who have had the
privilege of owning Routing TCP/IP.

Basically, I thought folks on the list would be interested in the question as
it relates to the possible global effects based on current Internet routing
policies, or lack thereof on Private-to-Private, IXP peering or external
peering in general.

As a side note after reading the recently presented paper (nanog0202 mtg) ISP
Essentials Supp by Barry Raveendran Greene and Philip Smith,
http://www.nanog.org/mtg-0206/ppt/barry.pdf I must say that BGPv4, the
protocol has made great strides in its operational enhancements.
Possible vulnerabilities like the one noted in rfc1948, or the points raised
by Tim Newsham's paper called The Problem With Random Increments
are for the most part no longer valid/relevant possibilities.

Furthermore, with the implementation of MD5 support and the possibility of
BGP over IPSec the future looks bright for the security of global routing. Of
course with the growing use of mostly layer 2 peering (between IXP peers) and
MPLS/VPNs the need to implement even greater security within
BGP the protocol itself might become a NON-issue.

Thoughts anyone

Nigel


HI,

Can any of you cite cases where an attack has been carried out against a
network's routing protocol (BGP or OSPF in particular)? My apologies if this
question is too far off-topic, but if anyone knows of such incidents it would
be the members of this group.

 Jeff Doyle




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51335t=51335



Re: * Routing/Subnetting question [7:51193]

2002-08-11 Thread Nigel Taylor

James,
  See Inline..

- Original Message -
From: James Wilson 
To: 
Sent: Sunday, August 11, 2002 12:34 PM
Subject: * Routing/Subnetting question [7:51193]


 I have a 1750 with a /29 assigned to me, and I need to create a DMZ to put
 a DNS server on so that I can control access using CBAC.  My FastEthernet
 interface is trunked to a Cat 2924. I'd like to have the /29 on one
 subinterface which talks to PacBell's router, and take a /30 out of the
 /29 and put it on another subinterface so that I can hang the DNS server
 off a port on that VLAN using a public IP address.

NT:  Why would you VLAN traffic from your ISP instead of using the extra
interface (eth0/0)? You must consider a number of things when using your
existing design. Firstly, the interface you're referring to as a FE interface
is shown in the Cisco catalog as a 10/100 Ethernet interface. Secondly, please
note that based on your current traffic utilization, what kind of performance
could be achieved/expected on the physical interface (the subs are technically
part of the same physical NIC/transceiver).

On the area of addressing you might want to take a look at the following
links which could answer some of your questions as they apply to addressing
(VLSM in particular).
http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf (watch the
wrap)
http://www.ietf.org/rfc/rfc3021.txt?number=3021

I'd also like to use
 static NAT addresses out of the /29 including what would be an all zero or
 all one address out of the /30.  My thought is that this would work since
 the NAT will take place via the subinterface on the /29 (ip nat outside),
 and the only time the /30 will come into play is with traffic destined to
 the DNS server, which is not NAT'ed.  This would allow me to have routing
 and CBAC protection for the host on the /30 net and not lose the ability
 to use those addresses which would normally be lost from the /30 all zeros
 and all ones addresses by using them for static NAT entries for hosts on
 the private IP side of my network.  When I go to assign an address out of
 the /30 to the subinterface facing the DMZ I get a message stating that
 the addresses overlap the other interface.  Will this still work the way I
 believe it will?  Would it make a difference if I use my currently shut
 down Eth0/0 interface instead of the trunked Fa0/0?

IMHO, based on what you're trying to accomplish here are my recommendations...

1.  Depending on the type of connection you make to your provider (10MB or
100MB), I would configure the port (and that port only) for connectivity to my
provider. I'm not sure if you currently have a requirement to be connected to
your provider at 100MB, but if you did, I would suggest you look into
purchasing another device like the 2620/21 or 265x model.

2.  I would again recommend that you follow the links I listed above. Also,
please note most of your presumptions are incorrect. What you observed in the
message overlap the other interface is correct. With a /29 of any address
block you only have 2 bits to be used as subnet bits. Furthermore, if you were
to use a /30 mask on the interface then the all 1s and all 0s are unusable,
using NAT or not. The emphasis here is that although the router's NAT
configuration might (haven't confirmed this) allow you to create the static
mapping, the end host will not allow you to assign the 1s and 0s using the /30
mask.

3.  Your options here are as follows..
 Request your provider to allow you to make the /29 into /30 (or even a
/31[1]) on the WAN connection.
 (Assuming you're not using any dynamic routing protocols, this would
simply require a static route (for the /29) in the provider's edge device.)
This would then allow you to make more efficient use of the /29 and provide
address space to fill your DMZ requirement.
 So let's say you have the address 172.16.10.0/29, this would then allow
the following;

 172.16.10.0/30  with the valid IPs being .1, .2,  and .3 for broadcast.
 172.16.10.4/30  with the valid IPs being .4, .5,  and  .6 broadcast.

Doing this now allows you to configure the ISP connection, and it allows for
the use of an additional device on the DMZ apart from the DNS server you noted.

Finally, you can now implement NAT (using rfc1918 compliant addresses) on what
you determine to be the inside network connection/interface. Your NAT
configurations would have to be configured for overlapping (makes use of port
mappings). In this design you will not have a need to manually configure any
static NAT mappings for services on the DMZ. As well, you should have no
problem using CBAC as you noted to monitor and filter traffic to and from the
DMZ.


HTH

Nigel

[1]  I'm not sure how many providers (ISPs) currently use or will allow their
customers to use the /31 subnet. However, the /30 shouldn't be a problem.


 Thanks for your time/help!

 --
 James D. Wilson, CCDA, MCP
 Sr. Network/Security Engineer
 non sunt multiplicanda entia praeter 
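The /29-into-/30 carve-up discussed in the reply above, worked through as an added example (not code from the thread): it splits a block into equal sub-blocks, reports usable hosts and broadcast for each, handles the RFC 3021 /31 case where both addresses are usable, and checks the interface-overlap condition James ran into. The block 172.16.10.0/29 is the constructed sample address from the post.

```python
"""Carve an IPv4 block into equal sub-blocks and list what each can address.

Added example for the /29 discussion above; not code from the original thread.
172.16.10.0/29 is the constructed sample block the post used.
"""
import ipaddress
from typing import Dict, List, Optional


def split_block(cidr: str, new_prefix: int) -> List[Dict[str, object]]:
    """Split ``cidr`` into /new_prefix sub-blocks.

    For each sub-block report the usable host addresses and the broadcast
    address. A classic subnet (/30 and shorter) reserves the all-zeros and
    all-ones addresses; an RFC 3021 point-to-point /31 has no such reservation
    and both addresses are usable; a /32 is one host.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not net.prefixlen <= new_prefix <= 32:
        raise ValueError(
            f"new prefix /{new_prefix} must be between /{net.prefixlen} and /32"
        )
    blocks: List[Dict[str, object]] = []
    for sub in net.subnets(new_prefix=new_prefix):
        broadcast: Optional[str]
        if sub.prefixlen >= 31:
            # RFC 3021 /31 and single-host /32: every address is usable.
            usable = [str(a) for a in sub]
            broadcast = None
        else:
            # hosts() skips the network (all-zeros) and broadcast (all-ones).
            usable = [str(a) for a in sub.hosts()]
            broadcast = str(sub.broadcast_address)
        blocks.append({
            "network": str(sub),
            "usable": usable,
            "usable_count": len(usable),
            "broadcast": broadcast,
        })
    return blocks


def usable_host_count(cidr: str, new_prefix: int) -> int:
    """Total usable host addresses once ``cidr`` is split into /new_prefix."""
    return sum(int(b["usable_count"]) for b in split_block(cidr, new_prefix))


def interfaces_overlap(iface_a: str, iface_b: str) -> bool:
    """True if two interface assignments (addr/prefix) cover overlapping subnets.

    This is the condition behind the "overlaps" message the post mentions: a
    /30 carved out of a /29 that is still configured on another interface of
    the same router.
    """
    net_a = ipaddress.ip_interface(iface_a).network
    net_b = ipaddress.ip_interface(iface_b).network
    return net_a.overlaps(net_b)


if __name__ == "__main__":
    for prefix in (30, 31):
        print(f"172.16.10.0/29 split into /{prefix}:")
        for block in split_block("172.16.10.0/29", prefix):
            print(f"  {block['network']:<18} usable={block['usable']} "
                  f"broadcast={block['broadcast']}")
    # WAN /29 on one interface and a /30 taken from it on another: overlap.
    print("overlap:", interfaces_overlap("172.16.10.1/29", "172.16.10.5/30"))
```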

Re: anyone ever tried to convert a 2502 to a 2501 ? [7:51201]

2002-08-11 Thread Nigel Taylor

nettable_walker,
   The changes in the lab to remove token ring as Howard suggested now make
equipment affordable to just about anyone. The emphasis here being.. token
or ethernet, they all provide a way to test the theory and your understanding
of protocol implementation. With the 3920 and some token ring NICs in your
PC.. you should have the full lab complement.

Question? Why would you want to spend $100 (ea) to make the conversion,
anyway!

Nigel

- Original Message -
From: nettable_walker 
To: 
Sent: Sunday, August 11, 2002 3:03 PM
Subject: anyone ever tried to convert a 2502 to a 2501 ? [7:51201]


 8/11/2002   2:05pm  Sunday

 Professional's,  Like a lot of other people preparing for the CCIE lab I
 have several 2502's  a Catalyst 3920
 Now that token ring is OFF the CCIE R/S lab has anyone devised a way to
 replace that interface with a 10baseT  interface ?

 Even if it were $100 per router, that would be cool to do .

 Richard

 //




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51204t=51201



Re: Routing with IP Unnumbered Loopback [7:50581]

2002-08-03 Thread Nigel Taylor

Tunji,
See Inline...

- Original Message -
From: Tunji Suleiman 
To: 
Sent: Saturday, August 03, 2002 5:20 AM
Subject: Routing with IP Unnumbered Loopback [7:50581]


 Hi all,

 I am reposting this because there were no responses to the first post. I
am
 trying to conserve IP addresses by using private IPs for dialin users.

NT:  Ok, so as you mentioned you're trying to conserve IP addresses by using
private IPs for dialin users. Question? When you make use of those
private (rfc1918) addresses, are they routable?

 From clients I can dial in to network but can't get beyond 3640 NAS, can't
 even ping 3640 E0/0 LAN IP address. From 3640, I can ping Lo0 from E0/0 and
 vice versa; I can ping connected client on any Async sourcing Lo0, but not
 E0/0; and I can ping Internet hosts eg www.yahoo.com sourcing e0/0 but not
 loopback0.

To answer part of the question; Yes, the outbound packet will be routable only
because you have a 0/0 route, that will route any packet to the next-hop based
on the static default route. We all know routing is bi-directional (I'm hoping
:-), which now begs the question, how does this private block of IPs you use
get routed back to you (your network)? Will anyone in the Internet route these
packets back to you?

Once you answer these questions.. then check out this link!
http://www.cisco.com/warp/public/556/12.html


HTH

Nigel


 From 2611 Internet gateway, I can ping 3640 E0/0 and Lo0, but not a
 connected dialin user on any Async with private IP address assigned by 3640
 from IP pool. I have a routing issue that makes traffic in both directions
 get to and disappear at 3640 Lo0, but strangely all necessary routes (that I
 can think of) are installed in the route tables. Can somebody please point
 out what I'm missing? Below are my configs and route tables:

 3640-NAS Config:
 interface Loopback0
 ip address 192.168.200.254 255.255.255.0
 !
 interface Ethernet0/0
 ip address 216.199.175.12 255.255.255.224
 !
 interface Group-Async1
 ip unnumbered Loopback0
 peer default ip address pool PRIVATE
 !
 router eigrp 10
 network 192.168.1.0
 network 192.168.200.0
 network 216.199.175.0
 no auto-summary
 !
 ip local pool PRIVATE 192.168.200.41 192.168.200.88
 ip classless
 ip route 0.0.0.0 0.0.0.0 216.199.175.1

 3640-NAS Route Table:
 Gateway of last resort is 216.199.175.1 to network 0.0.0.0

   216.199.175.0/27 is subnetted, 1 subnets
 C   216.199.175.0 is directly connected, Ethernet0/0
   192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
 C   192.168.200.52/32 is directly connected, Async101
 C   192.168.200.0/24 is directly connected, Loopback0
   192.168.1.0/30 is subnetted, 1 subnets
 D   192.168.1.0 [90/2195456] via 216.199.175.1, 00:58:16, E0/0
 S*   0.0.0.0/0 [1/0] via 216.199.175.1


 2611-Gateway Config:
 interface Ethernet0/0
 ip address 216.199.175.1 255.255.255.224
 !
 interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
 !
 router eigrp 10
 network 192.168.1.0
 network 192.168.200.0
 network 216.199.175.0
 no auto-summary
 !
 ip classless
 ip route 0.0.0.0 0.0.0.0 192.168.1.1

 2611-Gateway Route Table:
 Gateway of last resort is 192.168.1.1 to network 0.0.0.0

   216.199.175.0/27 is subnetted, 1 subnets
 C   216.199.175.0 is directly connected, Ethernet0/0
   192.168.200.0/24 is subnetted, 1 subnets
 D   192.168.200.0 [90/409600] via 216.199.175.12, 07:51:45, Et0/0
   192.168.1.0/30 is subnetted, 1 subnets
 C   192.168.1.0 is directly connected, Serial0/0
 S*   0.0.0.0/0 [1/0] via 192.168.1.1

 TIA

 Tunji






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=50583t=50581



Re: Routing with IP Unnumbered Loopback [7:50581]

2002-08-03 Thread Nigel Taylor

Tunji,
  I think the reasoning behind Ciaron's suggestion was to limit the
propagation of the various host routes generated by the addition of every
user that made a dialin connection. This would have quite an impact depending
on the size of your network.

Based on the configs you posted, I was working on the assumption that the
3640 device, eth0 was on a globally routable IP segment. I must admit I'm a
bit lost! I do have a few questions on which device acts as your CE, and how
does it connect to your ISP's PE device. You mentioned that the 2611 (Internet
gateway) has a rfc1918 compliant address assigned to the serial connection
between you and your ISP, is this correct?

This is not a problem as some providers tend to use this option. There have
been a number of different threads that discussed the pros and cons to this
approach.

You mentioned that NAT did not seem to work. What debugs did you use to
confirm or isolate the problem for what you observed. The 2611 at the moment
is as you mentioned not the problem, however I would like to see the entire
configuration of the 3640 NAS device. There is definitely something
incorrectly configured that is responsible for any of the async connected
devices' inability to reach the e0 (directly connected) interface.

Nigel

- Original Message -
From: Tunji Suleiman 
To: 
Sent: Saturday, August 03, 2002 2:22 PM
Subject: Re: Routing with IP Unnumbered Loopback [7:50581]


 Thanks Ciaron and Nigel, I removed the route statements

 network 192.168.200.0 and
 network 192.168.1.0

 from the 2611 and 3640 respectively, without any effect on the route tables.
 Apparently, the eigrp process informs the routers of the connected networks
 on the far sides of each other, making the network statements unnecessary.

 I posted the most relevant parts of the configs, assuming it will be obvious
 that my ppp config is ok, since I can dialin to the 3640. The 3640 is a
 production NAS connecting users b4 with a global IP pool.

 I would have configured NAT on the 2611 Internet gateway, but even that has
 rfc1918 address on the serial link to the Internet. What I did was configure
 NAT on the 3640, making the Lo0 the inside and E0/0 the outside. But even
 that is not working, with traffic both ways ending at Lo0.

 If I can get a dialin user on the async line to ping e0/0 of the 3640, then
 the issue should be resolved.

 TIA




 From: Nigel Taylor
 Reply-To: Nigel Taylor
 To: [EMAIL PROTECTED]
 Subject: Re: Routing with IP Unnumbered Loopback [7:50581]
 Date: Sat, 3 Aug 2002 10:17:44 GMT
 
 Tunji,
  See Inline...
 
 - Original Message -
 From: Tunji Suleiman
 To:
 Sent: Saturday, August 03, 2002 5:20 AM
 Subject: Routing with IP Unnumbered Loopback [7:50581]
 
 
   Hi all,
  
   I am reposting this because there were no responses to the first post. I
   am trying to conserve IP addresses by using private IPs for dialin users.
  
  NT:  Ok, so as you mentioned you're trying to conserve IP addresses by using
  private IPs for dialin users. Question? When you make use of those
  private (rfc1918) addresses, are they routable?
  
   From clients I can dial in to network but can't get beyond 3640 NAS, can't
   even ping 3640 E0/0 LAN IP address. From 3640, I can ping Lo0 from E0/0
   and vice versa; I can ping connected client on any Async sourcing Lo0, but
   not E0/0; and I can ping Internet hosts eg www.yahoo.com sourcing e0/0 but
   not loopback0.
  
  To answer part of the question; Yes, the outbound packet will be routable
  only because you have a 0/0 route, that will route any packet to the
  next-hop based on the static default route. We all know routing is
  bi-directional (I'm hoping :-), which now begs the question, how does this
  private block of IPs you use get routed back to you (your network)? Will
  anyone in the Internet route these packets back to you?
 
 Once you answer these questions.. then check out this link!
 http://www.cisco.com/warp/public/556/12.html
 
 
 HTH
 
 Nigel
 
 
   From 2611 Internet gateway, I can ping 3640 E0/0 and Lo0, but not a
   connected dialin user on any Async with private IP address assigned by
   3640 from IP pool. I have a routing issue that makes traffic in both
   directions get to and disappear at 3640 Lo0, but strangely all necessary
   routes (that I can think of) are installed in the route tables. Can
   somebody please point out what I'm missing? Below are my configs and route
   tables:
  
   3640-NAS Config:
   interface Loopback0
   ip address 192.168.200.254 255.255.255.0
   !
   interface Ethernet0/0
   ip address 216.199.175.12 255.255.255.224
   !
   interface Group-Async1
   ip unnumbered Loopback0
   peer default ip address pool PRIVATE
   !
   router eigrp 10
   network 192.168.1.0
   network 192.168.200.0
   network 216.199.175.0
   no auto-summary
   !
   ip local pool PRIVATE 192.168.200.41 192.168.200.88
   ip classless
   ip route 0.0.0.0 0.0.0.0 216.199.175.1
  
   3640-NAS Route Table

Re: blocking spam with cisco routers [7:48971]

2002-07-17 Thread Nigel Taylor

George,
 Priscilla brings up a good point in that this will not be easy. The most
important issue here is, as Priscilla pointed out, going to revolve around the
architecture of your networks or the network you use for connectivity (to the
rest of the world). Some other questions that may apply are very specific to
your email services. If you have your own domain and don't relay any mail for
specific purposes, then this will help, however mail directly addressed to your
domain's users will be delivered. The problem here is how do you determine who
is allowed to send you email. This is somewhat of an impossible task because
there's no real way of identifying your SMTP-specific Community of Interest
(COI).

 The reason being that smtp (tcp) connections are made from any
server-to-server (your server) for the delivery of mail. I'm sure your smtp
requirements are much like the typical domain, in which filtering inbound mail
falls outside the area of the routed network. It's one thing to filter a
specific host or number of hosts to prevent the spread of a new virus. This
would still only be accomplished through monitoring of existing smtp traffic
flows, in which you could address the issue by resolving the source of the
infected mail traffic. Again, the traffic is only identified based on a
criteria which can now be tracked or filtered.

Where I'm going with this is that the only effective way of containing spam is
by identifying who is sending it and most importantly what subject lines are
being used in the SPAM email received. This is important because you might not
want to block or filter all mail inbound from hotmail.com so finding another
way to identify the spam is very important. I'm not sure of the flexibility of
Micro$oft's Exchange to filter mail based on subject lines but, I know that
sendmail (the best mail server) through the use of the cf file can aid in this
process. There is assistance in the form of various programs that do this type
of filtering, however the need to provide the rules for the filter still falls
within the area of monitoring and prevention.

Currently, we use Solaris on all of our mail servers (16 of them). We do relay
mail for all or most of our users and with some scripting and MySQL was able
to compile a database of the domains and subject lines of typical spam
specific emails. All inbound email is processed through this script which will
tag the spam email and forward it into a separate mail server queue for
profiling (to check the validity), before being forwarded to the user. We have
just begun to use a program called SpamAssassin which uses our daily updated
list of spammers and subject lines.

HTH

Nigel

P.S.  Please note the use of Howard-isms in this email..:-



- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Tuesday, July 16, 2002 10:50 PM
Subject: Re: blocking spam with cisco routers [7:48971]


 Brad Ellis wrote:
 
  Yup, use an access list filtering IPs on port 25 (only allow
  yours through)

 Yes, but, other SMTP servers for legitimate reasons are also going to be
 opening TCP sessions to port 25 because they have e-mail to send to your
 users. It's not as easy as it sounds.

 I guess it depends on the ISP's network architecture too. We have a
 challenge where I work in that our users are on cable modems that connect
 to the cable provider (which isn't technically us). Their e-mail requests
 come into our network on the same interface that all Internet traffic comes
 in on.

 Priscilla


 
  thanks,
  -Brad Ellis
  CCIE#5796 (RS / Security)
  [EMAIL PROTECTED]
  Cisco home labs:  www.optsys.net
  GEORGE wrote in message
   Hi all I have a question, I configured my e-mail server to only accept
   local e-mail, and deny other relay, however I'm still vulnerable to
   spam. My question is how do the ISPs block other e-mail going to their
   smtp?
   Do they do it by access-list? Allowing only the local network with port
   25?
   Or just the e-mail server?
   If cisco routers have to be involved does anyone have some links. I'm
   behind a pix and would like to allow only my network to use smtp.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48994t=48971
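The domain-plus-subject-line tagging that Nigel's reply describes, as an added example that is not his script and not SpamAssassin: rule lists stand in for the "daily updated list", matching mail is tagged with an X-Spam-Tag header and routed to a quarantine queue for review rather than dropped, and the sample messages are constructed, including one from hotmail.com that is caught by subject alone so the whole domain need not be blocked.

```python
"""Tag inbound mail by sender domain and subject-line patterns, then queue it.

Added example illustrating the approach described above; it is not Nigel's
script or SpamAssassin. Rule lists and messages are constructed samples.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Constructed stand-ins for the "daily updated list" of spam domains and
# subject lines. Domain rules are deliberately narrow: blocking all of a big
# freemail provider would drop legitimate mail too.
BLOCKED_DOMAINS = {"bulkmail.example", "promo-blast.example"}
SUBJECT_PATTERNS = [
    re.compile(r"\bmake money fast\b", re.IGNORECASE),
    re.compile(r"\bfree\b.*\b(offer|prize)\b", re.IGNORECASE),
    re.compile(r"^\s*ADV:", re.IGNORECASE),
]


def parse(raw: str) -> Message:
    """Parse one RFC 822-style message from its raw text."""
    return email.message_from_string(raw)


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the From: address, or '' if missing/malformed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(msg: Message) -> List[str]:
    """Names of the rules the message matched; an empty list means clean."""
    hits: List[str] = []
    domain = sender_domain(msg)
    if domain in BLOCKED_DOMAINS:
        hits.append(f"domain:{domain}")
    subject = msg.get("Subject", "")
    for pat in SUBJECT_PATTERNS:
        if pat.search(subject):
            hits.append(f"subject:{pat.pattern}")
    return hits


def tag_and_route(raw: str) -> Tuple[str, Message]:
    """Tag a matching message and decide which queue it goes to.

    Matching mail gets an X-Spam-Tag header and goes to the quarantine queue
    for review rather than being discarded; everything else is delivered.
    """
    msg = parse(raw)
    hits = classify(msg)
    if hits:
        msg["X-Spam-Tag"] = "; ".join(hits)
        return "quarantine", msg
    return "deliver", msg


def process_batch(raws: List[str]) -> Dict[str, List[str]]:
    """Route a batch of raw messages; returns queue name -> Message-IDs."""
    queues: Dict[str, List[str]] = {"deliver": [], "quarantine": []}
    for raw in raws:
        queue, msg = tag_and_route(raw)
        queues[queue].append(msg.get("Message-ID", "<unknown>"))
    return queues


def _mail(from_: str, subject: str, msg_id: str, body: str) -> str:
    """Build a minimal constructed message (headers, blank line, body)."""
    return "\n".join([
        f"From: {from_}",
        "To: user@example.com",
        f"Subject: {subject}",
        f"Message-ID: {msg_id}",
        "",
        body,
    ])


# Constructed sample traffic: legitimate freemail, spam from the same freemail
# domain caught by subject only, and spam caught by domain.
SAMPLE_MAIL = [
    _mail("A Friend <friend@hotmail.com>", "Lunch on Friday?",
          "<legit-1@example.com>", "Still on for Friday?"),
    _mail("someone@hotmail.com", "Make Money Fast!!!",
          "<spam-1@example.com>", "Click here..."),
    _mail("Deals <news@bulkmail.example>", "ADV: Free offer inside",
          "<spam-2@example.com>", "Limited time only."),
]


if __name__ == "__main__":
    for queue, ids in process_batch(SAMPLE_MAIL).items():
        print(f"{queue}: {ids}")
```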



Re: Route Reflection with Multiple POPs [7:48509]

2002-07-10 Thread Nigel Taylor

All,
  Being one of the folks currently reading Howard's most recent book
titled - Building Service Provider Networks, I must say that I'm enjoying
the various points being addressed by this thread.

Also, this does remind me of an article in the 2nd Qtr edition
of Packet Magazine titled, ISP Dial Network Design using BGP.
http://www.cisco.com/warp/public/784/packet/techtips.html#1
Good article!

Howard, I just wanted to be sure that I didn't misunderstand what you
said...

 Could very well be. Remember, the core IGP routers are only
 interested in infrastructure, and, in a carrier environment, there is
 no excuse for having a very clean hierarchical addressing structure.

Did you mean there is no excuse for [not] having a very clean
hierarchical addressing structure, or am I missing something, as always..:-

TIA
Nigel


- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Wednesday, July 10, 2002 7:22 PM
Subject: RE: Route Reflection with Multiple POPs [7:48509]


 At 10:27 PM + 7/10/02, Lupi, Guy wrote:
 I know that you can run confederations and reflectors, and separate levels
 of reflection, which Cisco refers to as nested reflection. Now my
 question is, how would you set up your bgp peering? Due to financial
 constraints I would imagine that the best thing to do would be to have one
 circuit from POP router 1 to core router 1, and another circuit from POP
 router 2 to core router 2.

 Not sure what you are picturing as POP router. If you mean POP
 aggregation router, yes. There might be an outer core of reflectors
 connected to multiple POPs, and then a full iBGP mesh among the
 reflectors in the inner core.

 Assuming that you are only running BGP in the
 core, and that the clients have to have a session with each reflector,
how
 would you communicate the loopback addresses of all the routers to each
 other?

 I tend to take the opposite view.  In a network not using QoS, the
 core may or may not need to run BGP at all, or a relatively small
 number of BGP routes (e.g., the aggregate addresses for POPs). The
 critical thing to realize is the core is infrastructure, and its job
 is internal interconnection.

 Are static routes used in this situation?

 Could very well be. Remember, the core IGP routers are only
 interested in infrastructure, and, in a carrier environment, there is
 no excuse for having a very clean hierarchical addressing structure.

 Thanks to all of the
 people who responded by the way, I appreciate the direction.  Ever feel
like
 you know so much, only to read a book and find out that you know so
little
 :)?
 
 *-Original Message-
 *From: Peter van Oene [mailto:[EMAIL PROTECTED]]
 *Sent: Wednesday, July 10, 2002 3:00 PM
 *To: [EMAIL PROTECTED]
 *Subject: Re: Route Reflection with Multiple POPs [7:48509]
 *
 *
 *Couple thoughts.  First off, one can confederate and reflect
 *at the same
 *time (ie rr clusters inside sub-as's).  Also, keep in mind that these
 *techniques deal with control, not forwarding and thus it is
 *possible, and
 *somewhat common, to have a RR hierarchy that does not map
 *directly to the
 *physical topology.  I tend to see an arbitrary set of core
 *routers (from
 *2-20ish) that form the central IBGP mesh with the second level of the
 *hierarchy being formed by lead major pop routers, or dedicated route
 *servers (ie one armed routers that simply reflect routes).  I
 *personally
 *try to keep the topology as flat as possible (ie less than 4
 *levels in the
 *hierarchy) but I don't have any particular technical driver
 *for that other
 *than to minimize complexity and aid troubleshooting.
 *
 *Of note, this assumes you are reflecting full routes throughout your
 *backbone.  I've seen providers try and reflect partial routes
 *to areas of
 *their backbone to allow for smaller routers where RR
 *topologies can lead to
 *blackholes. In general, if you are reflecting all routes, you
 *shouldn't run
 *into issues here.
 *
 *I
 *
 *
 *
 *At 04:42 PM 7/10/2002 +, Lupi, Guy wrote:
 *Let me preface this by saying that I am trying to learn more
 *about large
 *scale BGP design and operation.  This question is on route
 *reflectors when
 *you have multiple POPs in separate IGP domains.  If you
 *currently have one
 *POP and are going to move to 2 within the same AS, you can
 *either run full
 *mesh (doesn't scale), reflectors, or confederations.
 *Assuming you don't
 *currently have a central core that the POPs connect back to,
 *how well does
 *reflection scale?  I was reading Building Service Provider Networks
 *[Berkowitz], and it states that iBGP doesn't scale well once
 *you go above
 *15-20 sessions per router.  It also states that most ISPs run
 *reflectors
 *instead of confederations, but I believe that statement is
 *being made under
 *the assumption that the ISP will have a central core to which
 *the POPs will
 *connect.  This would indicate to me that assuming you don't
 *have a central
 *core, one could only connect 6 or 

Re: Some IETF work of interest [7:48271]

2002-07-07 Thread Nigel Taylor

Howard,
 Thanks for the links. I must say that this does clarify a lot of things
(about BGP definitions) and gives me so much to think about. I'll be reading
this one a couple more times, before I start asking a bunch of questions..:-

Very Nice draft.

Now the simple folk can get a better understanding of what's really
happening. With all this talk of planes lately, I wonder if anyone has defined
the various planes on which the human brain works? In thinking about it.. I
don't want to know.

Thanks
Nigel


- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Sunday, July 07, 2002 12:38 PM
Subject: Some IETF work of interest [7:48271]


 The BGP convergence team (including Cisco and Juniper) in the IETF
 has just posted the latest version of the BGP Benchmarking
 Terminology draft, which we think is about ready for Informational
 RFC -- it will go out for WG and IESG Last Call in the next couple of
 weeks.

 A good deal of the work clarified what we found to be ambiguous BGP
 terminology that is operationally important.  It may help some of you
 with understanding.

 http://www.ietf.org/internet-drafts/draft-ietf-bmwg-conterm-02.txt

 There is a related draft for OSPF, in a little earlier phase of
development:

 http://www.ietf.org/internet-drafts/draft-bmwg-ospfconv-term-00.txt

 There are also methodology drafts for both protocols. I've just
 started on an applicability protocol draft, which hopefully will be
 cross-protocol.  As soon as I have something a little more together,
 I'll send it in as an I-D, and may have a rough draft mailed to the
 working group and posted on the Gett research website.

 --
 What Problem are you trying to solve?
 ***send Cisco questions to the list, so all can benefit -- not
 directly to me***



 Howard C. Berkowitz  [EMAIL PROTECTED]
 Chief Technology Officer, GettLab/Gett Communications
http://www.gettlabs.com
 Technical Director, CertificationZone.com http://www.certificationzone.com
 retired Certified Cisco Systems Instructor (CID) #93005




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48283t=48271



Re: 3 T1s - 2 cisco routers - OSPF - configuration problems [7:48054]

2002-07-03 Thread Nigel Taylor

James,
   I would have to say that depends.  I don't know what you have in
mind, so could you provide more information as to what you're trying to
accomplish?

I'm sure any number of folks on the list would willingly offer a solution to
your problem.
HTH

Nigel

- Original Message -
From: James Montigny 
To: 
Sent: Wednesday, July 03, 2002 10:27 AM
Subject: 3 T1s - 2 cisco routers - OSPF - configuration problems [7:47999]


 Can anyone explain how to get cisco routers running
 OSPF to load balance traffic on 3 or more T1s?

 As I understand it, OSPF load-balancing handles 4-6
 simultanious connections. Yet I hear rumors that
 getting any more than 2 requires some creativity.
 Can anyone elaborate?



 =
 James D Montigny, MCSE, MCP+I, CCNA
  Network Engineer
  (913)205-6486

 __
 Do You Yahoo!?
 Sign up for SBC Yahoo! Dial - First Month Free
 http://sbc.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48054t=48054



Re: BGP community Q [7:48007]

2002-07-03 Thread Nigel Taylor

Annu,
I'll provide a hint!  Look at your as-path ACL; the answer
lies therein. :-)

Nigel

- Original Message -
From: Annu Roopa 
To: 
Sent: Wednesday, July 03, 2002 10:56 AM
Subject: BGP community Q [7:48007]


 Group,

 I have a community related question and the scenario
 is as follows. What am I doing wrong? Scenario is:


              (AS100)
     r11-------r8-------r10 (AS 200)
          iBGP     eBGP

 There are some networks (196.196.10.0/175.10.10.0
 etc.) coming via R10 to R8. I want to add a community
 string of 100:88 to all routes containing AS 200 and
 send it to R11 from R8. But somehow it's not adding it,
 rather adding 100:900 when I see it on R11. What's
 wrong with my logic?

 Here are my configs and show commands.

 R8#sr
 Building configuration...
 Current configuration:
 hostname r8
 !
 router bgp 100
 bgp router-id 8.1.1.1
 network 8.1.1.0 mask 255.255.255.0
 neighbor 11.1.1.1 remote-as 100
 neighbor 11.1.1.1 update-source Loopback0
 neighbor 11.1.1.1 next-hop-self
 neighbor 11.1.1.1 send-community
 neighbor 11.1.1.1 route-map address out
 neighbor 180.10.10.1 remote-as 200
 neighbor 180.10.10.1 ebgp-multihop 255
 neighbor 180.10.10.1 update-source Loopback0
 !
 ip bgp-community new-format
 ip as-path access-list 11 permit _200_
 ip as-path access-list 11 deny .*
 !
 route-map address permit 10
 match as-path 11
 set community 100:88
 !
 route-map address permit 20
 set community 100:900

 --
 r8#sh ip bgp regexp _200_
 BGP table version is 12, local router ID is 8.1.1.1
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
 Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop      Metric LocPrf Weight Path
 *> 10.1.1.0/24      180.10.10.1                    0 200 300 i
 *> 175.10.10.0/24   180.10.10.1                    0 200 300 i
 *> 180.10.10.0/24   180.10.10.1       0            0 200 i
 *> 190.10.10.0/24   180.10.10.1                    0 200 300 400 i
 *> 192.168.1.0      180.10.10.1                    0 200 300 i
 *> 196.196.1.0      180.10.10.1                    0 200 300 i
 ---
 R11#b 196.196.1.0
 BGP routing table entry for 196.196.1.0/24, version 40
 Paths: (1 available, best #1, table
 Default-IP-Routing-Table)
   Advertised to non peer-group peers:
   1.1.1.2
   200 300
 8.1.1.1 (metric 129) from 8.1.1.1 (8.1.1.1)
   Origin IGP, localpref 100, valid, internal, best
    Community: 100:900

 R11#b 175.10.10.0
 BGP routing table entry for 175.10.10.0/24, version 38
 Paths: (1 available, best #1, table
 Default-IP-Routing-Table)
   Advertised to non peer-group peers:
   1.1.1.2
   200 300
 8.1.1.1 (metric 129) from 8.1.1.1 (8.1.1.1)
   Origin IGP, localpref 100, valid, internal, best
   Community: 100:900
 ---

 Failed to troubleshoot it. Anyone with ideas?





 =
 Thanks in advance for ur time and replies.
 Annu.

 __
 Do You Yahoo!?
 Sign up for SBC Yahoo! Dial - First Month Free
 http://sbc.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48055t=48007
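
The as-path ACL and route-map in Annu's config, emulated in Python as an added example (this is not code from the post and not how IOS is implemented). It models three things a practitioner wants to check before applying such a policy: the Cisco AS-path regex `_`, which matches a delimiter between AS numbers (start or end of the path, a space, a comma, braces, and the parentheses of a confederation path) rather than a literal character; an as-path access-list, which is evaluated top down with the first match deciding and an implicit deny at the end; and a route-map, where a clause with no match condition matches everything and a route that matches no clause is dropped. The route table is constructed from the paths shown in the post plus two extra paths (`1200 300` and `300 400`) that do not contain AS 200 as a path element, to show why the anchoring underscores matter: an unanchored `200` also matches `1200 300`.

```python
import re

# Cisco IOS AS-path regex: "_" matches any delimiter between AS numbers
# (start or end of the path, space, comma, braces, and the parentheses
# IOS prints around confederation sub-AS segments).
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_regex(pattern):
    """Translate a Cisco-style AS-path regex into a Python regex object."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def aspath_acl_permits(acl, as_path):
    """Evaluate an 'ip as-path access-list' the way IOS does: entries are
    tried in order, the first entry whose regex matches decides, and a
    path that matches no entry is denied."""
    for action, pattern in acl:
        if cisco_aspath_regex(pattern).search(as_path):
            return action == "permit"
    return False


def apply_route_map(route_map, route):
    """Run one route through an ordered route-map. A clause without a match
    condition matches every route; the first matching clause applies its
    'set' actions (or drops the route if it is a deny clause) and ends
    processing. No matching clause at all means the route is dropped."""
    for clause in route_map:
        acl = clause.get("match_as_path")
        if acl is None or aspath_acl_permits(acl, route["as_path"]):
            if clause["action"] == "deny":
                return None
            tagged = dict(route)
            tagged.update(clause.get("set", {}))
            return tagged
    return None  # implicit deny at the end of the route-map


def tag_routes(route_map, table):
    """Return {prefix: community} for every route the route-map lets through."""
    result = {}
    for route in table:
        out = apply_route_map(route_map, route)
        if out is not None:
            result[route["prefix"]] = out.get("community")
    return result


# The as-path ACL and route-map from the post, transcribed into data.
AS_PATH_ACL_11 = [("permit", "_200_"), ("deny", ".*")]
ROUTE_MAP_ADDRESS = [
    {"seq": 10, "action": "permit", "match_as_path": AS_PATH_ACL_11,
     "set": {"community": "100:88"}},
    {"seq": 20, "action": "permit", "set": {"community": "100:900"}},
]

# Constructed sample table: AS paths from the post plus two paths that do
# not carry AS 200 as a path element (prefixes chosen for the example).
SAMPLE_TABLE = [
    {"prefix": "175.10.10.0/24", "as_path": "200 300"},
    {"prefix": "180.10.10.0/24", "as_path": "200"},
    {"prefix": "190.10.10.0/24", "as_path": "200 300 400"},
    {"prefix": "10.20.0.0/16",   "as_path": "1200 300"},   # constructed
    {"prefix": "10.30.0.0/16",   "as_path": "300 400"},    # constructed
]

if __name__ == "__main__":
    for prefix, community in tag_routes(ROUTE_MAP_ADDRESS, SAMPLE_TABLE).items():
        print(f"{prefix:16} community {community}")
    # Anchoring matters: an unanchored "200" also matches the path "1200 300".
    print(aspath_acl_permits([("permit", "200")], "1200 300"))
```

With the ACL as written, every path carrying AS 200 as an element lands in sequence 10 and is tagged 100:88, while the two constructed paths fall through to sequence 20 and get 100:900; swapping `_200_` for a bare `200` would also pull `1200 300` into sequence 10, which is the kind of over-match a regex check like this catches before it reaches a live peer.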



Re: Confusion: Channelized and Unchannelized T1 [7:47844]

2002-07-01 Thread Nigel Taylor

John,
 There's nothing wrong with your understanding of channelized vs.
unchannelized.  I believe your provider's tech doesn't understand or is
completely misinformed.

Nigel

- Original Message -
From: John Neiberger 
To: 
Sent: Monday, July 01, 2002 12:10 PM
Subject: Confusion: Channelized and Unchannelized T1 [7:47844]


 Just when I thought I understood the T1 world pretty well we've run into
  a situation that is thoroughly confusing me.

 I was under the impression that channelized T1 services used 24
 timeslots.  I call that 'channelized' because it has 24 distinct
 'channels'.  It's my understanding that unchannelized T1 doesn't use the
 24 timeslots and instead sends one giant 192-bit frame.

 At one of our locations we are muxing voice and data traffic onto a
 single T1.  At each end we split off certain channels to a router and
 other channels over to the PBX.  To do this, wouldn't the T1 *have* to
 be channelized, since we're separating the channels at the CSU/DSU?
 According to our provider, that circuit is unchannelized.  If a circuit
 is truly unchannelized, how would the CSU/DSU be able to accurately
 split the T1 into two separate streams based on channel information?

 To be more clear, let's say we have the CSU/DSU configured to split
 channels 1-12 to the router and 13-24 to the PBX.  This splitting
 function is based on the assumption that channels exist on the incoming
 T1.  If they don't exist and we have one giant frame instead of 24
 smaller frames, how could this possibly be working??

 Yowza...my head hurts.

 John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47887t=47844



Re: CCIE Written DPT/SRT - huh? [7:47807]

2002-06-30 Thread Nigel Taylor

Nick,
   A good place to begin your exploration of DPT, and SRP in
particular, is always RFC 2892, but for a really cool overview check out
the following link:

http://grouper.ieee.org/groups/802/17/documents/presentations/tutorial/tutorial.htm

HTH

Nigel

P.S. There's so much info on this page, don't let it overwhelm you. :-)





- Original Message -
From: Nick Lesewski 
To: 
Sent: Sunday, June 30, 2002 8:59 PM
Subject: CCIE Written DPT/SRT - huh? [7:47807]


 On the requirements for the new CCIE Written Beta they listed DPT/SRT under
 the WAN section, but I can't find any references to these in the groupstudy
 archives or on the Cisco website.  Anybody have any idea what they might be
 asking about?

 NIC



 _
 Send and receive Hotmail on your mobile device: http://mobile.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47818t=47807



Re: CCIE Beta results [7:47144]

2002-06-23 Thread Nigel Taylor

Folks,
 I'm trying to understand how Cisco went about grading this exam.
Much like everyone else, I too was told by Prometric when I called in that I
had passed the exam; however, the score report I received had something
totally different in mind (yes, I failed!).

What I thought was strange was the passing score, which was 45%.  I guess
44% leaves me short of the mark.  This beta reminds me of the CCIE Security
beta, in which not many folks on the list passed.

Good thing this test didn't count as a recert credit.  I guess I'll be
thinking about taking the recert exam sometime next year. :-)

Nigel

- Original Message -
From: Michael L. Williams 
To: 
Sent: Sunday, June 23, 2002 6:44 PM
Subject: Re: CCIE Beta results [7:47144]


 Are the scores starting to come in now?  I still haven't received mine
 yet... =(

 Although, banking on the fact I would fail, I went ahead and took the
 current written and passed, so I'm not too worried about the beta
 results... just curious =)

 Mike W.

 Semiglia Bodero  wrote in message
 news:[EMAIL PROTECTED]...
  Did you receive the score?.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47258t=47144



serial interface down/down or up/down - answers questions [7:47130]

2002-06-21 Thread Nigel Taylor

John, All,

Actually, both router interfaces (DCE or DTE) will show down/down if
both ports remain administratively down. :-)

Seriously, where I work, since a lot of our circuits are located in
various locations within a number of our buildings, we make use of what
we call an Automatic Network Control Circuit (ANCC) system which
logically maps our DCE devices from our demarc to our NOC equipment
area.

Nonetheless, in answering Priscilla's question, there is no one answer
to the question.  Basically, if the CSU/DSU is configured with a
mismatch on the framing then the router port will come up/up.  If the
encoding is mismatched then this will cause the CSU/DSUs to lose SYNC.
Technically this will cause the router port to continually flap
(up/down).  When the CSU/DSU is configured correctly but with a
bandwidth mismatch (the configuration of the DS0 slots, Nx64), this will
allow the equipment to SYNC and the router ports will indicate up/up;
however, no data will traverse the link.

John is very correct in that DTR on the DTE device has to be asserted
for the DCE device, and obviously for the DTE device, to indicate up/up.

Howard also brings up a good point in that framing and encoding do
relate to layer one.  Question: if encoding and framing are thought of
as sub-layers of layer 1, then what parallel can be drawn to other
layered technologies that would allow/indicate an active interface
without all the requirements being met (i.e. ISDN, ATM, and an IP
interface)?

Chuck, I took your comments to heart and took down a number of T1
customers to prove my noted few points. :-)  I hope you're happy.

Nigel

 From: John Neiberger
 Reply-To: John Neiberger
 To: [EMAIL PROTECTED]
 Subject: Re: serial interface down/down or up/down [7:47101]
 Date: Fri, 21 Jun 2002 01:42:20 -0400

 This isn't quite true. For example, a DCE router interface will be
 down/down if DTR is not raised by the DTE device. I see this quite often
 at work and faulty cabling is generally not the culprit. It's almost
 always bad hardware in the DTE.

 John

 Michael L. Williams wrote:

  According to CCIE exam materials, the *only* time the serial will show
  down/down is when there is NO serial cable or a bad serial cable
  connected. So even if you have a misconfigured framing method, you
  should at least see up/down.

  Mike W.

  Bob Timmons wrote in message news:[EMAIL PROTECTED]...

   I can't say I've ever seen a down/up condition. Up/Down perhaps.
   I'm sure there are exceptions, but it's my belief that the router
   doesn't care about encoding, but rather a layer-1 connection to the
   dce/dte device. If the router can 'talk' to the device on the other
   end of the cable, you should get an up/x condition, where x would
   depend on the csu/dsu condition of the line. I don't have a csu
   handy, otherwise I'd check that right now. I can do that tomorrow
   morning (10:30 pm est here), but you may have an answer prior to
   that...

    Hi Priscilla,

    I have actually had this scenario (multiple times), but due to the
    Telco's misconfiguration. Specifically we were expecting b8zs/esf.
    Unfortunately I can't confirm which was configured incorrectly, but
    I can confirm that going through all of the different combinations
    available at the router you will get all combinations on the serial
    interface (up/up, down/up and down/down). I can also confirm, you
    will not establish connectivity, regardless. I believe either
    b8zs/esf or sf/ami are the only valid combinations. At least that
    is all I've ever worked with.

    Hope this helps,
    -TV

    Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...

     Hi Group Study,

     While writing some questions for a practice test, I found myself
     questioning what I thought was the right answer. Here's the
     scenario:

     A Cisco router serial interface is correctly connected with a good
     V.35 cable to the data port on the DSU side of a CSU/DSU. The
     CSU/DSU has been misconfigured for the framing method (SF instead
     of ESF). The framing doesn't match what the provider is using. (The
     question refers to a CSU/DSU that is external to the router, not
     one that is built into the router.)

     Will the Cisco router serial interface be down/down or up/down?

     And, would the answer be any different if the question has to do
     with misconfiguring the encoding (AMI versus B8ZS)?

     If you have real-world experience with this, that would help. I
     have read the Cisco documentation and the troubleshooting charts,
     etc.

     Thanks

     Priscilla

     Priscilla Oppenheimer


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47130t=47130



Re: BGP w/ no synchronization [7:46707]

2002-06-16 Thread Nigel Taylor

Hunt,
 Read this link and think about your scenario for a moment.  What
is the problem to be solved?

http://www.cisco.com/warp/public/459/bgpfaq_5816.shtml#12

Then read this link.  The emphasis here is that although RTA, RTB, RTC, RTD,
and RTE are in the same confederation AS 1, RTB and RTC, and RTD and RTE,
are in separate sub-ASes within the AS.  What does that mean?  If RTB and
RTD are propagating iBGP route information to RTC and RTE respectively,
then the only way for these routes to be sync'd is by NLRI (through an
IGP), route reflectors, or by using the Cisco-specific knob, no
synchronization.  By using no synchronization you're allowing BGP to
overlook the native requirements of the protocol, which will install the
route into the RIB.

http://www.cisco.com/warp/public/459/16.html#A23.0


You might want to also look at RFC 1965, which laid the foundation for the
use of confederations within BGP; however, this is superseded by RFC 3065.
Of course there are a number of other options that could be used to achieve
full mesh within an AS.  Some of those options include RFC 1966 and RFC 1863.

http://www.ietf.org/rfc/rfc1863.txt
http://www.ietf.org/rfc/rfc1966.txt


HTH

Nigel


- Original Message -
From: Hunt Lee 
To: 
Sent: Sunday, June 16, 2002 6:42 AM
Subject: BGP w/ no synchronization [7:46707]


 Okay folks, starting off some late night studying and just noticed
 something weird.  Got a Confederation setup like:

 150.150.150.0/24---RTA---RTB---RTD---RTF
                          |     |
                         RTC   RTE

 RTA, B, C, D, & E are in a Confederation called AS 1, in which:

 RTA is sub-AS 65530
 RTB & RTC are both in sub-AS 65531
 RTD & RTE are both in sub-AS 65532

 RTF is in AS 2

 RTB, C, D & E are running OSPF as IGP.  And OSPF is being redistributed
 into BGP at RTB.

 The network 150.150.150.0/24 is being advertised into BGP by the BGP
 network command on RTA.

 Ok, here is the thing.  The 150.150.150.0/24 network is being seen by RTA,
 RTB, RTD, & RTF.  I could ping 150.150.150.1 from these four routers.
 However, it can't be seen by RTC & RTE (shown as follows).  But when I put
 no synchronization on the middle four routers (RTB, RTC, RTD, & RTE),
 then everything becomes fine again... I thought since I used IGP (OSPF),
 and if the router can see the EBGP Next-Hop (193.16.0.2) in their routing
 table, then the synch. rule shouldn't apply anymore.

 Am I missing something here?

 RouterC#sh ip bgp
 BGP table version is 4, local router ID is 172.16.0.2
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
 Origin codes: i - IGP, e - EGP, ? - incomplete

    Network          Next Hop      Metric LocPrf Weight Path
 * i150.150.150.0/24 193.16.0.2         0    100      0 (65530) i
 *>i172.16.0.0/30    172.16.0.1         0    100      0 ?
 * i172.16.0.12/30   172.16.0.18       30    100      0 ?
 *>i172.16.0.16/30   172.16.0.1         0    100      0 ?
 *>i193.16.0.0/30    172.16.0.1         0    100      0 ?
 * i193.16.0.8/30    172.16.0.18        0    100      0 (65532) i
 RouterC#sh ip route
 Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
        E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
        U - per-user static route, o - ODR

 Gateway of last resort is not set

      172.16.0.0/30 is subnetted, 3 subnets
 O       172.16.0.16 [110/128] via 172.16.0.1, 01:35:04, Serial1
 O       172.16.0.12 [110/192] via 172.16.0.1, 01:35:04, Serial1
 C       172.16.0.0 is directly connected, Serial1
      193.16.0.0/30 is subnetted, 1 subnets
 O       193.16.0.0 [110/74] via 172.16.0.1, 01:35:04, Serial1
 RouterC#
 RouterC#ping 193.16.0.2

 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 193.16.0.2, timeout is 2 seconds:
 !!!!!
 Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/36 ms
 RouterC#


 Thanks all!

 Hunt




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46709t=46707
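
The synchronization rule Nigel points at, run over RouterC's own tables as an added example (Python written for this page, not code from the post or from IOS). With synchronization on, an internal BGP path is only usable once the prefix itself is present in the IGP routing table; whether the next hop is reachable is a different check, so the example reports the two separately. The `show ip route` text and the BGP path records are transcribed from Hunt's post; the `show ip route` parser handles the `X/len is subnetted` header that IOS prints once and then omits the mask on the subnet lines below it.

```python
import ipaddress
import re

# Constructed inputs: RouterC's tables as posted, transcribed into text
# (show ip route) and into records (show ip bgp, internal=True for every
# path IOS flagged with "i"). This is an added example, not IOS code.
SHOW_IP_ROUTE = """\
Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 3 subnets
O       172.16.0.16 [110/128] via 172.16.0.1, 01:35:04, Serial1
O       172.16.0.12 [110/192] via 172.16.0.1, 01:35:04, Serial1
C       172.16.0.0 is directly connected, Serial1
     193.16.0.0/30 is subnetted, 1 subnets
O       193.16.0.0 [110/74] via 172.16.0.1, 01:35:04, Serial1
"""

BGP_TABLE = [
    {"prefix": "150.150.150.0/24", "next_hop": "193.16.0.2",  "internal": True},
    {"prefix": "172.16.0.0/30",    "next_hop": "172.16.0.1",  "internal": True},
    {"prefix": "172.16.0.12/30",   "next_hop": "172.16.0.18", "internal": True},
    {"prefix": "172.16.0.16/30",   "next_hop": "172.16.0.1",  "internal": True},
    {"prefix": "193.16.0.0/30",    "next_hop": "172.16.0.1",  "internal": True},
    {"prefix": "193.16.0.8/30",    "next_hop": "172.16.0.18", "internal": True},
]

_SUBNET_HDR = re.compile(r"^\s*\d+(?:\.\d+){3}/(\d+) is subnetted")
_ROUTE = re.compile(r"^\s*([A-Z]{1,2}(?: [A-Z0-9]{1,2})?)\s+(\d+(?:\.\d+){3})(?:/(\d+))?")


def parse_ip_route(text):
    """Parse 'show ip route' into {IPv4Network: route code}. IOS prints the
    mask once in the 'X/len is subnetted' header; the indented subnet lines
    that follow carry no mask, so the header's prefix length is reused."""
    rib, hdr_len = {}, None
    for line in text.splitlines():
        m = _SUBNET_HDR.match(line)
        if m:
            hdr_len = int(m.group(1))
            continue
        m = _ROUTE.match(line)
        if not m:
            continue  # legend, prompt or blank line
        code, addr, plen = m.groups()
        plen = int(plen) if plen else hdr_len
        if plen is None:
            continue  # no mask information available for this line
        rib[ipaddress.ip_network(f"{addr}/{plen}", strict=False)] = code.strip()
    return rib


def longest_match(rib, addr):
    """Most specific RIB prefix covering addr, or None if it is unreachable."""
    ip = ipaddress.ip_address(addr)
    covering = [net for net in rib if ip in net]
    return max(covering, key=lambda n: n.prefixlen) if covering else None


def sync_report(bgp_table, rib):
    """Apply the synchronization rule to each path: an internal path is
    synchronized only if its prefix is itself in the IGP RIB. Next-hop
    reachability is a separate check and is reported separately."""
    report = {}
    for path in bgp_table:
        net = ipaddress.ip_network(path["prefix"])
        via = longest_match(rib, path["next_hop"])
        report[path["prefix"]] = {
            "next_hop_reachable_via": str(via) if via else None,
            "synchronized": (not path["internal"]) or (net in rib),
        }
    return report


def unsynchronized(bgp_table, rib):
    """Prefixes that synchronization keeps out of the routing table."""
    return sorted(p for p, r in sync_report(bgp_table, rib).items()
                  if not r["synchronized"])


if __name__ == "__main__":
    rib = parse_ip_route(SHOW_IP_ROUTE)
    for prefix, r in sync_report(BGP_TABLE, rib).items():
        print(f"{prefix:18} synchronized={r['synchronized']!s:5} "
              f"next hop via {r['next_hop_reachable_via']}")
```

Run against the posted tables, 150.150.150.0/24 comes out with its next hop reachable through 193.16.0.0/30 but not synchronized, because no IGP route for that prefix appears in RouterC's routing table; the four redistributed OSPF prefixes that do appear there pass the check.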



Re: Split horizon behaviour - explain me this one! [7:46102]

2002-06-08 Thread Nigel Taylor

Chuck,
   I did a search on CCO and found a few links which state the
following.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt2/1cdigrp.htm

Normally, routers that are connected to broadcast-type IP networks and that
use distance-vector routing protocols employ the split horizon mechanism to
reduce the possibility of routing loops. Split horizon blocks information
about routes from being advertised by a router out of any interface from
which that information originated. This behavior usually optimizes
communications among multiple routers, particularly when links are broken.
However, with nonbroadcast networks (such as Frame Relay and Switched
Multimegabit Data Service [SMDS]), situations can arise for which this
behavior is less than ideal. For these situations, you might want to disable
split horizon.

Split horizon for Frame Relay and SMDS encapsulation is disabled by default.
Split horizon is not disabled by default for interfaces using any of the
X.25 encapsulations. For all other encapsulations, split horizon is enabled
by default.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt2/1cdeigrp.htm

By default, split horizon is enabled on all interfaces.

So Chuck, as you mentioned, split horizon is implemented IOS-wide by default
on all interfaces, with some exceptions as noted above.  It seems that with
the default implementation of split horizon, once a DV-based
protocol/process (as you mentioned) is configured on the device, the
protocol and process adheres to the rules of the split-horizon mechanism
versus being invoked.



HTH

Nigel





- Original Message -
From: Chuck 
To: 
Sent: Saturday, June 08, 2002 2:37 AM
Subject: Split horizon behaviour - explain me this one! [7:46102]


 179 days and counting. Going through my protocol by protocol review.

           192.168.1.0/24
  ----------------------------------
     |        |        |        |
    R1       R2       R3       R4


 R2 redistributes IGRP into RIP

 the purpose of the exercise is to review the purpose and function of the
 default-metric command under RIP in a redistribution situation.

 Now consider that R2 learns certain routes from IGRP via the ethernet
 interface, and is supposed to redistribute those routes into RIP, and
 advertise those routes out the ethernet interface to R1.

 However, based on my observation, it would appear that split horizon is
 preventing this. Observe:

 IGRP on R2

 01:48:12: RIP: build update entries
 01:48:12:   network 192.168.1.0 metric 1
 01:48:12:   network 192.168.10.0 metric 2
 01:48:12:   network 192.168.30.0 metric 5
 01:48:12:   network 192.168.40.0 metric 5
 01:48:39

 Router_1#ir

 C    192.168.10.0/24 is directly connected, Loopback0
 R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:16, Ethernet0
 C    192.168.1.0/24 is directly connected, Ethernet0


 Note that while R2 is creating the RIP routes, R1 does not receive them

 But if I disable split horizon on the ethernet interface, then observe:

 Router_1#ir

 R    192.168.30.0/24 [120/5] via 192.168.1.2, 00:00:12, Ethernet0
 C    192.168.10.0/24 is directly connected, Loopback0
 R    192.168.40.0/24 [120/5] via 192.168.1.2, 00:00:12, Ethernet0
 R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:12, Ethernet0
 C    192.168.1.0/24 is directly connected, Ethernet0

 Now before leaping to conclusions about the nature of split horizon, I did
a
 sanity check using OSPF. Interesting difference:

 Router_1#ir

 R    192.168.30.0/24 [120/5] via 192.168.1.2, 00:00:14, Ethernet0
 C    192.168.10.0/24 is directly connected, Loopback0
 R    192.168.40.0/24 [120/5] via 192.168.1.2, 00:00:14, Ethernet0
 R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:14, Ethernet0
 C    192.168.1.0/24 is directly connected, Ethernet0

 no problem here. so let's try the last sanity check, using EIGRP:

 Router_2#
 02:16:18: %SYS-5-CONFIG_I: Configured from console by console
 02:16:28: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.1.2)
 02:16:28: RIP: build update entries
 02:16:28:   network 192.168.20.0 metric 1
 02:16:28: RIP: sending v1 update to 255.255.255.255 via Loopback0 (192.168.20.1)

 02:16:28: RIP: build update entries
 02:16:28:   network 192.168.1.0 metric 1
 02:16:28:   network 192.168.10.0 metric 2
 02:16:28:   network 192.168.30.0 metric 5
 02:16:28:   network 192.168.40.0 metric 5
 02:16:28: RIP: received v1 update from 192.168.1.1 on Ethernet0

 Router_1#ir

 C    192.168.10.0/24 is directly connected, Loopback0
 R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:09, Ethernet0
 C    192.168.1.0/24 is directly connected, Ethernet0

 aha! no routes from R2

 but when I disable split horizon on R2

 Router_2(config)#int e 0
 Router_2(config-if)#no ip 
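
The split-horizon rule quoted from the Cisco documentation above, as an added example in Python (not code from the thread and not how IOS implements it): a router keeps, for every route, the interface the information arrived on, and when it builds an update for an interface with split horizon enabled it leaves out every route learned through that interface, whatever protocol carried it. The input is R2 as Chuck describes it, constructed from his post: two connected networks, one RIP route from R1, and two IGRP routes from R3/R4 that all arrive on Ethernet0 and are redistributed with the RIP `default-metric 5` his debug implies. The IGRP composite metric used for the learned routes is a placeholder value. Run as is, it reproduces the two RIP updates in his `debug ip rip` output; with split horizon turned off on Ethernet0 it reproduces the routes R1 then receives.

```python
class DVRouter:
    """Minimal model of a distance-vector (RIP-style) router: a RIB of
    routes tagged with the interface they were learned through, and an
    update builder that applies split horizon per outgoing interface."""

    def __init__(self, default_metric):
        self.default_metric = default_metric  # RIP 'default-metric' for redistributed routes
        self.rib = {}                         # prefix -> (source, metric, learned_via)
        self.split_horizon = {}               # interface -> enabled (default True)

    def learn(self, prefix, source, metric, via):
        """Install a route. source is 'connected', 'rip' or the name of
        another protocol (then the route is a redistribution candidate);
        via is the interface the information arrived on, which for a
        connected route is the interface the network sits on."""
        self.rib[prefix] = (source, metric, via)

    def set_split_horizon(self, interface, enabled):
        self.split_horizon[interface] = enabled

    def advertised_metric(self, source, metric):
        """RIP advertises its own and connected routes one hop further out;
        redistributed routes are seeded with the configured default-metric."""
        if source in ("connected", "rip"):
            return metric + 1
        return self.default_metric

    def build_update(self, out_if):
        """Entries RIP would place in an update sent out out_if. With split
        horizon enabled on out_if, every route whose information arrived
        through out_if is suppressed, regardless of which protocol it came
        from; with it disabled, everything in the RIB is advertised."""
        enabled = self.split_horizon.get(out_if, True)
        update = {}
        for prefix, (source, metric, via) in self.rib.items():
            if enabled and via == out_if:
                continue
            update[prefix] = self.advertised_metric(source, metric)
        return update


def r2_from_the_post():
    """R2 as described in the post (constructed): RIP with default-metric 5,
    redistributing IGRP routes that arrive on Ethernet0 from R3 and R4."""
    r2 = DVRouter(default_metric=5)
    r2.learn("192.168.1.0/24",  "connected", 0, "Ethernet0")
    r2.learn("192.168.20.0/24", "connected", 0, "Loopback0")
    r2.learn("192.168.10.0/24", "rip",  1,    "Ethernet0")  # R1's loopback, one hop
    r2.learn("192.168.30.0/24", "igrp", 8576, "Ethernet0")  # via R3; composite metric is a placeholder
    r2.learn("192.168.40.0/24", "igrp", 8576, "Ethernet0")  # via R4; composite metric is a placeholder
    return r2


if __name__ == "__main__":
    r2 = r2_from_the_post()
    for interface in ("Ethernet0", "Loopback0"):
        print(f"update out {interface}: {r2.build_update(interface)}")
    r2.set_split_horizon("Ethernet0", False)
    print(f"split horizon off, update out Ethernet0: {r2.build_update('Ethernet0')}")
```

With split horizon on, the Ethernet0 update carries only 192.168.20.0 at metric 1 and the Loopback0 update carries the other four networks at metrics 1, 2, 5 and 5, which is exactly the pair of updates in the debug above; once split horizon is disabled on Ethernet0, the redistributed 192.168.30.0 and 192.168.40.0 routes appear in the Ethernet0 update at metric 5, which is what R1's table then shows.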

Re: NANOG 25 Meeting [7:46007]

2002-06-07 Thread Nigel Taylor

Howard,
   I see that Sue Hares will be doing the moderation for the
Panel: Smart Routing Technologies, but she's not listed as giving any of
the BOFs.  Based on your statement I was thinking Sue would be doing a
BOF or presentation on the BGP convergence drafts, on which you mention
she was one of your co-authors.  Will that be at this meeting or the fall
meeting, when the format change is supposed to take place?

By the way, I noticed that the Fall meeting will be a joint meeting with
ARIN.  What additional information or benefits could I look forward to
at this meeting, and would this explain the format change then, versus
the upcoming meeting this week?

Thanks
Nigel

 - Original Message -
 From: Howard C. Berkowitz [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Thursday, June 06, 2002 11:27 AM
 Subject: Re: NANOG 25 Meeting [7:45933]


  All,
   I was browsing the NANOG 25 site and took a preview of the
  presentations
  that will be presented during the meeting.

  Based on my recent growing interest in Inter-Domain routing and
  policies(IRR, RPSL), BGP, and MPLS/TE. I was wondering if anyone on the
 list
  would be in attendance, also does anyone have any idea as to the timeline
 in
  which the presentations make their way to the web-site.  I'm really
  looking forward to getting my hands on those presentations

  thanks
  Nigel

  Unfortunately I won't be able to make it in person, but I know of a
  couple of list members that are going.  Susan Harris generally yells
  at presenters to have their presentations in at least a week before,
  because people often can see them better on their laptops than on the
  main screen.  So, they'll probably be pretty much on the NANOG server
  by Saturday or Sunday.

  If you're not aware of it, NANOG normally has real-time Real Video or
  other streaming video of the actual conference available free.  They
  also store the videos on the website after the conference.

  Incidentally, the Fall NANOG meeting will be especially worth
  attending, because there will be a new format:  NANOG tutorials on
  Sunday, NANOG program on Monday and Tuesday, and ARIN public and
  member meetings on Wednesday-Friday.

  They don't always video the BOFs, which can be a shame -- Sue Hares
  is one of my coauthors on the BGP convergence drafts, and I'd like to
  hear it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46007t=46007



Re: NANOG 25 Meeting [7:46005]

2002-06-07 Thread Nigel Taylor

Peter,
  Great!  I'm thinking Juniper and the BearGear booth in such close
proximity may explain the cascading style format of JunOS versus Cisco's
left-justified (non-hierarchical) configuration. :-)
I'm sure Howard/Priscilla, with their experience in software (system)
development, would care to provide some insight into the
differences/relevance in output formatting as it relates to how the code
is interpreted.


Nigel

P.S.  I know BayRS is pretty similar and I must admit once I worked on it
for a while, the interface was very fast and intuitive.  Being a cisco-child,
can I dare say I really liked it without being flamed! :-)




- Original Message -
From: Peter van Oene [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 06, 2002 2:02 PM
Subject: Re: NANOG 25 Meeting [7:45933]


  The conference is 40 minutes from my house and I'll definitely be in
  attendance and likely hang around the Juniper Networks booth at the
  BeerGear.

  At 11:27 AM 6/6/2002 -0400, Howard C. Berkowitz wrote:
   All,
I was browsing the NANOG 25 site and took a preview of the
  presentations
   that will be presented during the meeting.

   Based on my recent growing interest in Inter-Domain routing and
   policies(IRR, RPSL), BGP, and MPLS/TE. I was wondering if anyone on the
  list
   would be in attendance, also does anyone have any idea as to the
 timeline
  in
   which the presentations make their way to the web-site.  I'm really
   looking forward to getting my hands on those presentations

   thanks
   Nigel

  Unfortunately I won't be able to make it in person, but I know of a
  couple of list members that are going.  Susan Harris generally yells
  at presenters to have their presentations in at least a week before,
  because people often can see them better on their laptops than on the
  main screen.  So, they'll probably be pretty much on the NANOG server
  by Saturday or Sunday.

  If you're not aware of it, NANOG normally has real-time Real Video or
  other streaming video of the actual conference available free.  They
  also store the videos on the website after the conference.

  Incidentally, the Fall NANOG meeting will be especially worth
  attending, because there will be a new format:  NANOG tutorials on
  Sunday, NANOG program on Monday and Tuesday, and ARIN public and
  member meetings on Wednesday-Friday.

  They don't always video the BOFs, which can be a shame -- Sue Hares
  is one of my coauthors on the BGP convergence drafts, and I'd like to
  hear it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46005t=46005



Re: NANOG 25 Meeting [7:45933]

2002-06-07 Thread Nigel Taylor

Howard,
  I see that Sue Hares will be doing the moderation for the
Panel: Smart Routing Technologies, but she's
not listed as giving any of the BOF's.  Based on your statement I was
thinking Sue would be doing a BOF or
presentation on the BGP convergence drafts, which you mention she was one of
your co-authors. Will that be at
this meeting or the fall meeting when the format change is suppose to take
place.

By the way I noticed that the Fall meeting will be a joint meeting with
ARIN.  What additional information or benefits
could I look forward to at this meeting, and would this explain the format
change then, versus the upcoming meeting
this week.

Thanks
Nigel

- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Thursday, June 06, 2002 11:27 AM
Subject: Re: NANOG 25 Meeting [7:45933]


 All,
  I was browsing the NANOG 25 site and took a preview of the
 presentations
 that will be presented during the meeting.
 
 Based on my recent growing interest in Inter-Domain routing and
 policies(IRR, RPSL), BGP, and MPLS/TE. I was wondering if anyone on the
list
 would be in attendance, also does anyone have any idea as to the timeline
in
 which the presentations make their way to the web-site.  I'm really
 looking forward to getting my hands on those presentations
 
 thanks
 Nigel

 Unfortunately I won't be able to make it in person, but I know of a
 couple of list members that are going.  Susan Harris generally yells
 at presenters to have their presentations in at least a week before,
 because people often can see them better on their laptops than on the
 main screen.  So, they'll probably be pretty much on the NANOG server
 by Saturday or Sunday.

 If you're not aware of it, NANOG normally has real-time Real Video or
 other streaming video of the actual conference available free.  They
 also store the videos on the website after the conference.

 Incidentally, the Fall NANOG meeting will be especially worth
 attending, because there will be a new format:  NANOG tutorials on
 Sunday, NANOG program on Monday and Tuesday, and ARIN public and
 member meetings on Wednesday-Friday.

 They don't always video the BOFs, which can be a shame -- Sue Hares
 is one of my coauthors on the BGP convergence drafts, and I'd like to
 hear it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45983t=45933
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: NANOG 25 Meeting [7:45933]

2002-06-07 Thread Nigel Taylor

Peter,
 Great!  I'm thinking Juniper and the BearGear booth in such close proximity may explain the cascading style format of JunOS versus Cisco's left-justified (non-hierarchical) configuration. :-)
I'm sure Howard/Priscilla, with their experience in software (system) development, would care to provide some insight into the differences/relevance in output formatting as it relates to how the code is interpreted.


Nigel
P.S.  I know BayRS is pretty similar and I must admit once I worked on it for a while, the interface was very fast and intuitive. Being a cisco-child can I dare say.. I really liked it without being flamed! :-)





- Original Message -
From: Peter van Oene 
To: 
Sent: Thursday, June 06, 2002 2:02 PM
Subject: Re: NANOG 25 Meeting [7:45933]


 The conference is 40 minutes from my house and I'll definitely be in
 attendance and likely hang around the Juniper Networks booth at the
 BeerGear.

 At 11:27 AM 6/6/2002 -0400, Howard C. Berkowitz wrote:
  All,
   I was browsing the NANOG 25 site and took a preview of the
 presentations
  that will be presented during the meeting.
  
  Based on my recent growing interest in Inter-Domain routing and
  policies (IRR, RPSL), BGP, and MPLS/TE, I was wondering if anyone on the
  list would be in attendance; also, does anyone have any idea as to the
  timeline in which the presentations make their way to the web-site?  I'm
  really looking forward to getting my hands on those presentations.
  
  thanks
  Nigel
 
 Unfortunately I won't be able to make it in person, but I know of a
 couple of list members that are going.  Susan Harris generally yells
 at presenters to have their presentations in at least a week before,
 because people often can see them better on their laptops than on the
 main screen.  So, they'll probably be pretty much on the NANOG server
 by Saturday or Sunday.
 
 If you're not aware of it, NANOG normally has real-time Real Video or
 other streaming video of the actual conference available free.  They
 also store the videos on the website after the conference.
 
 Incidentally, the Fall NANOG meeting will be especially worth
 attending, because there will be a new format:  NANOG tutorials on
 Sunday, NANOG program on Monday and Tuesday, and ARIN public and
 member meetings on Wednesday-Friday.
 
 They don't always video the BOFs, which can be a shame -- Sue Hares
 is one of my coauthors on the BGP convergence drafts, and I'd like to
 hear it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45984t=45933



NANOG 25 Meeting [7:45933]

2002-06-06 Thread Nigel Taylor

All,
I was browsing the NANOG 25 site and took a preview of the presentations 
that will be presented during the meeting.

Based on my recent growing interest in Inter-Domain routing and policies (IRR, RPSL), BGP, and MPLS/TE, I was wondering if anyone on the list would be in attendance; also, does anyone have any idea as to the timeline in which the presentations make their way to the web-site?  I'm really looking forward to getting my hands on those presentations.

thanks
Nigel





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45933t=45933



Building Service Provider Networks.. [7:45772]

2002-06-04 Thread Nigel Taylor

All,
I just received my copy of Howard's latest book and I'm excited to get started reading this title.  However, I'm in the midst of finishing reading his previous book, WAN Survival Guide.  Interestingly enough, this book's Introduction states,
This book focuses on the service provider network, and ideally will be read in concern with the more customer-oriented WAN Survival Guide.

I'm truly looking forward to reading this book as all of us here on the list know of Howard's inapt sense of humor and diverse experience in this field, among others.

In browsing the book, I noticed Geoff Huston has a book titled ISP Survival Guide: Strategies for running a Competitive ISP and was wondering if anyone had the opportunity to read it and cares to comment.

That's all folks...

Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45772t=45772



Revised: Another BGP attribute question [7:45775]

2002-06-04 Thread Nigel Taylor

After posting to this thread, I realized that no one responded to my post, so I decided to figure out why.  As it would seem I was lost in my understanding of RIPE-181, now RPSL, and boy do I feel stupid.  After spending some time reading over RIPE-181, RFC2622, and RFC2650, I do now have a much better understanding of IRRs, their functionality and the continual effort to maintain the most accurate records possible.

In my zeal to understand the various objects that make up the IRR database, I foolishly used my understanding of various terms to provide clarity.  Terms like communities, ASXX, etc.  In realizing that these terms are not in any way associated to what I related them to be, with respect to terms of BGP attributes or values.

In obtaining a much better understanding of the IRR and routing policy, I do now see the emphasis placed on determining the routing policy before trying to configure or implement the peering relationships.

Well, this was another great learning experience.  If this is where stupidity takes me, I look forward to my next encounter with stupidity.

Nigel
Still so much to learn...



- Original Message -
From: Nigel Taylor 
To: 
Sent: Sunday, June 02, 2002 4:24 PM
Subject: Re: Another BGP attribute question [7:45619]


 See Inline...

  - Original Message -
 From: Howard C. Berkowitz
 To:
 Sent: Sunday, June 02, 2002 11:17 AM
 Subject: Re: Another BGP attribute question [7:45619]


  At 7:00 AM -0400 6/2/02, Nigel Taylor wrote:
  All,
 I was reading the old RIPE(22nd meeting minutes) and was
 wondering,
  what
  ever became of the BGP
  proposal from Tony Bates and Enke Chen for the use of the Destination
  Preference Attribute (DPA) for multi-homed sites.
 
  DPA keeps coming up, at least for end-to-end route selection. Its
  basic problem is that only ISPs with whom you have an economic
  relationship have any motivation to respect it.  Geoff Huston's
  NOPEER is a simpler way to accomplish the same thing (probably
  coupled with class of service request communities).

 Howard, thanks a lot for the info/insight on DPA and specifically for
 pointing me to the NOPEER attribute draft.   I was able to briefly read
 over the draft and I must say this does seem like a solution to the
 present problem.  However, I was also doing some reading of the APNIC 13
 minutes (http://www.apnic.net/meetings/13/sigs/docs/irr-presentation.ppt)
 and it's noted some of the present problems with the IRRs. The one that
 seems to apply here would be the statement that, About 50% of full routes
 are not registered to public IRRs.

 I have a question.  Do you see the NOPEER as having a directory class in
 the RPSL, and if so, in doing some recent reading of RPSL and RPSLng (the
 enhancements to RPSL) on the same site, wouldn't the NOPEER attribute be
 limited to representing what is known in the IRRs?  With this being the
 case how effective can the attribute be, when representing at best 50% of
 the global BGP FIB?

 Of course then there are the ever-present security issues, which seem to
 be getting some attention through the RPSS (rfc2725).

 
  Based on our previous thread with the known and unknown implications of
  inconsistent routes, I would think
  this could've been a step in the right direction.
  
  I did find a link where Enke Chen notes the use of the LOCAL_PREF
  attribute
  by many providers, since the
  lack of the DPA and rfc1998 also notes how the use of communities aid
 in
  this process.
 
  You can really solve LOTS of operational issues with creative use of
  communities.  While RFC2547 was one driver for creating an extended
  community attribute, there are various ideas floating around for
  other applications thereof.

 Do you care to mention some of the other ideas..floating around?

 
  
  Anyone has any thoughts or suggestions on this as it applies to the use
 of
  DPA
  and where things stand on
  global/ISP-based implementation of this attribute?
 
 
  As far as I know, it's never been implemented in operations.  I'm
  reasonably certain that some versions of Bay RS could generate it,
  but I don't know of anyone that listens for it.

 I remembered in reading Sam Halabi's book - Internet Routing Architectures
 (Pg. 118, 1st ed) he noted cisco's lack of support for attribute 11 (DPA).
 However, it is noted as being MCI defined.  As you pointed out, I've yet to
 come across anything that suggests anyone is making use of the DPA
 attribute.

 
  --
  What Problem are you trying to solve?
  ***send Cisco questions to the list, so all can benefit -- not
  directly to me***
 


 
  Howard C. Berkowitz  [EMAIL PROTECTED]
  Chief Technology Officer, GettLab/Gett Communications
 http://www.gettlabs.com
  Technical Director, CertificationZone.com
http://www.certificationzone.com
  retired Certified Cisco Systems Instructor (CID) #93005

 thanks
 Nigel

Another BGP attribute question [7:45619]

2002-06-02 Thread Nigel Taylor

All,
  I was reading the old RIPE (22nd meeting minutes) and was wondering, what ever became of the BGP proposal from Tony Bates and Enke Chen for the use of the Destination Preference Attribute (DPA) for multi-homed sites.

Based on our previous thread with the known and unknown implications of inconsistent routes, I would think this could've been a step in the right direction.

I did find a link where Enke Chen notes the use of the LOCAL_PREF attribute by many providers, since the lack of the DPA, and rfc1998 also notes how the use of communities aids in this process.

Does anyone have any thoughts or suggestions on this as it applies to the use of DPA and where things stand on global/ISP-based implementation of this attribute?

thanks,
Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45619t=45619



BGP questions Answered.. for the most part [7:45629]

2002-06-02 Thread Nigel Taylor

All,
   I was doing some research which led to the following link and I figured that some of you might find it useful.

I know on the list Howard always tries to define his solutions by stating.. What is the problem you're trying to solve?   So I figured this would answer some of those questions, which in turn may provide the solution.

http://info.connect.com.au/docs/routing/general/multi-faq.shtml

The last bookmark in the TOC on the page links to the sources like RFC2260
and
RFC 2650 among others.

Enjoy!

Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45629t=45629



Re: Another BGP attribute question [7:45619]

2002-06-02 Thread Nigel Taylor

See Inline...

 - Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Sunday, June 02, 2002 11:17 AM
Subject: Re: Another BGP attribute question [7:45619]


 At 7:00 AM -0400 6/2/02, Nigel Taylor wrote:
 All,
I was reading the old RIPE(22nd meeting minutes) and was
wondering,
 what
 ever became of the BGP
 proposal from Tony Bates and Enke Chen for the use of the Destination
 Preference Attribute (DPA) for multi-homed sites.

 DPA keeps coming up, at least for end-to-end route selection. Its
 basic problem is that only ISPs with whom you have an economic
 relationship have any motivation to respect it.  Geoff Huston's
 NOPEER is a simpler way to accomplish the same thing (probably
 coupled with class of service request communities).

Howard, thanks a lot for the info/insight on DPA and specifically for pointing me to the NOPEER attribute draft.   I was able to briefly read over the draft and I must say this does seem like a solution to the present problem.  However, I was also doing some reading of the APNIC 13 minutes (http://www.apnic.net/meetings/13/sigs/docs/irr-presentation.ppt) and it's noted some of the present problems with the IRRs. The one that seems to apply here would be the statement that, About 50% of full routes are not registered to public IRRs.

I have a question.  Do you see the NOPEER as having a directory class in the RPSL, and if so, in doing some recent reading of RPSL and RPSLng (the enhancements to RPSL) on the same site, wouldn't the NOPEER attribute be limited to representing what is known in the IRRs?  With this being the case how effective can the attribute be, when representing at best 50% of the global BGP FIB?

Of course then there are the ever-present security issues, which seem to be getting some attention through the RPSS (rfc2725).


 Based on our previous thread with the known and unknown implications of
 inconsistent routes, I would think
 this could've been a step in the right direction.
 
 I did find a link where Enke Chen notes the use of the LOCAL_PREF
 attribute
 by many providers, since the
 lack of the DPA and rfc1998 also notes how the use of communities aid
in
 this process.

 You can really solve LOTS of operational issues with creative use of
 communities.  While RFC2547 was one driver for creating an extended
 community attribute, there are various ideas floating around for
 other applications thereof.

Do you care to mention some of the other ideas..floating around?


 
 Anyone has any thoughts or suggestions on this as it applies to the use
of
 DPA
 and where things stand on
 global/ISP-based implementation of this attribute?


 As far as I know, it's never been implemented in operations.  I'm
 reasonably certain that some versions of Bay RS could generate it,
 but I don't know of anyone that listens for it.

I remembered in reading Sam Halabi's book - Internet Routing Architectures (Pg. 118, 1st ed) he noted cisco's lack of support for attribute 11 (DPA). However, it is noted as being MCI defined.  As you pointed out, I've yet to come across anything that suggests anyone is making use of the DPA attribute.


 --
 What Problem are you trying to solve?
 ***send Cisco questions to the list, so all can benefit -- not
 directly to me***



 Howard C. Berkowitz  [EMAIL PROTECTED]
 Chief Technology Officer, GettLab/Gett Communications
http://www.gettlabs.com
 Technical Director, CertificationZone.com http://www.certificationzone.com
 retired Certified Cisco Systems Instructor (CID) #93005

thanks
Nigel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45637t=45619



Re: BGP questions Answered.. for the most part [7:45629]

2002-06-02 Thread Nigel Taylor

Howard,
   Thanks for the notice on rfc2260.  I took a minute to read it and I can see the benefits in that the BGP metrics compiled by the Routing Table Analysis (APNIC) show that 25% (if I'm not mistaken) of the BGP FIB is made up of /24 prefixes.  Rfc2270 does fall in line with rfc1930 assumptions of allowing only the provider's existing aggregate to be advertised upstream.  The question is still relevant since the filtering by ISPs is based on IRR information, which is at present not completely reliable.  However, I remember reading recently (I can't remember the document) where the preference was to have the more specific route information as the primary, whereas when this information no longer exists, the aggregate prefix would provide NLRI to the desired network prefixes.

For all interested.. here is another really good presentation on Multi-homed BGP.
http://www.apnic.net/meetings/10/programme/presentations/4-Multihoming-6up.PDF

You just gotta love the Internet and access to information of this kind.

Nigel

- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Sunday, June 02, 2002 3:16 PM
Subject: Re: BGP questions Answered.. for the most part [7:45629]


 All,
  I was doing some research which led to the following link and I
 figured
 that some of you might find it useful.
 
 I know on the list Howard always tries to define his solutions by
 stating..
 What is the problem, you're trying to solve?   So I figured this would
 answer some of those questions which in turn may provide the solution.
 
 http://info.connect.com.au/docs/routing/general/multi-faq.shtml
 
 The last bookmark in the TOC on the page links to the sources like
RFC2260
 and
 RFC 2650 among others.
 
 Enjoy!
 
 Nigel

 Good reference! Minor point -- 2270 updates 2260.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45640t=45629



Re: ISP 30bit net question [7:45257]

2002-05-28 Thread Nigel Taylor

Dre,
 Question?  When did you ever find time to read all of these RFCs? Am I to assume that both you and Howard have quite a bit more in common than your seemingly endless depth of knowledge in our field.

Maybe the next time I speak with my mother, I'll talk to her about what possibilities existed, if any, in bringing me into the world a whole lot sooner. :-)

Nigel


- Original Message -
From: dre 
To: 
Sent: Tuesday, May 28, 2002 12:59 PM
Subject: Re: ISP 30bit net question [7:45257]


 Patrick Ramsey wrote in message news:[EMAIL PROTECTED]...
  Is there a specific reason why isp's do not use private address space for
  their 30bit networks to customers?

 Because if those links somehow send ICMP messages back to sources
 (e.g. host-/net-/prot-/port- unreachables, source quench, time exceeded,
 needs frag unreachables, etc), it looks a lot better if these are publicly
 routable IP addresses.  Some people also would end up blocking these
 messages more often if they had a deny filter for, say, 10-dot space (if
 that ISP used 10-dot space for their infrastructure addressing).  This
 could end up affecting things like traceroutes, path MTU discovery, and
 other unfriendly things.

 http://www.ietf.org/rfc/rfc1191.txt
 RFC 1191 Path MTU discovery. J.C. Mogul, S.E. Deering. Nov-01-1990.
  (Format: TXT=47936 bytes) (Obsoletes RFC1063) (Status: DRAFT
  STANDARD)
 http://www.ietf.org/rfc/rfc2923.txt
 RFC 2923 TCP Problems with Path MTU Discovery. K. Lahey. September 2000.
  (Format: TXT=30976 bytes) (Status: INFORMATIONAL)
 http://www.ietf.org/rfc/rfc792.txt
 RFC 792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
  (Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
  (Also STD0005) (Status: STANDARD)

 So when you do a traceroute through an ISP, especially the time exceeded
 messages will come from publicly routable IP space that not only is
 available in the BGP table and marked as owned by a particular ASN, but
 also available in the Internet routing registries (e.g. RADB) and regional
 internet registries (e.g. ARIN) as ISP-owned space that can be accounted
 for.  This could be important for a number of reasons.

 Also, if you want to give those links DNS, in particular, Reverse DNS,
 there is no global authority for 10-dot or private address space as far as
 reverse DNS is concerned.  There would be no way to update that type of
 information for any ISP.  This would affect more things as well (esp.
 traceroutes again).

 For more information on the above, you might want to check out this
 Internet-Draft,
 http://www.ietf.org/internet-drafts/draft-ietf-dnsop-dontpublish-unreachable-03.txt

 Here is another Internet-Draft that somewhat covers these issues:
 http://www.ietf.org/internet-drafts/draft-iana-special-ipv4-03.txt

 You'll also note that a customer might find it difficult to set his
 next-hop (or default gateway) to an ISP infrastructure address that's made
 up of 10-dots, especially if that customer is already routing 10-dots on
 his/her internal network(s).  You could eventually hit router-id problems,
 etc etc.  This wouldn't work so well for routing protocols.

  I can't think of anything right off hand that would prevent an isp from
  being able to route properly using private addresses for serial links.

 Basically, because it breaks things and it is also ugly and unmanageable.

 I can't think of any reason that would allow an ISP to route properly
using
 private addresses, yet somehow some ISP's in the past may have gotten away
 with it here and there.  Consider all the reasons above before you
implement
 something like that.

 I highly recommend that ISP's use PI public address space for their
 infrastructure addresses, including /30's and /32 loopback addresses.  I
 also implore vendors and ISP's to implement RFC 3021 and use 31-bit
 prefixes instead of 30-bit prefixes for point-to-point interfaces.

 http://www.ietf.org/rfc/rfc3021.txt
 RFC 3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links. A. Retana, R.
  White, V. Fuller, D. McPherson. December 2000. (Format: TXT=19771
  bytes) (Status: PROPOSED STANDARD)

 I also suggest implementing correct ICMP operation for these devices
 (rate-limiting works well in the place of filtering outright).  Here is a
 document concerning that:
 http://www.cymru.com/~robt/Docs/Articles/icmp-messages.html

 Finally, I suggest registering these routes in an IRR system (e.g. RADB),
 the RIR system (e.g. ARIN) and having RFC 2142 or stdaddr correct SMTP
 addresses for contact information about these networks.  Also making these
 routers a part of the global DNS system (both forward and reverse)
 completes a best practice reference architecture for routing in the
 Internet.

 http://www.ietf.org/rfc/rfc2142.txt
 RFC 2142 Mailbox Names for Common Services, Roles and Functions. D.
  Crocker. May 1997. (Format: TXT=12195 bytes) (Status: PROPOSED
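The point dre makes above, that time-exceeded and fragmentation-needed messages are sourced from the address of the router interface that emits them, so a site filter on RFC 1918 source space silently discards them and breaks traceroute and path MTU discovery, can be modelled in a few lines. The following Python is an added example, not code from the thread or from any vendor. The path, its hop addresses (TEST-NET documentation prefixes standing in for public space) and MTUs are constructed for illustration, and `discovered_pmtu` is a simplified model of RFC 1191 behaviour rather than a packet-level implementation. It also covers the /30 versus /31 (RFC 3021) point from the same post.

```python
"""Added example (not from the thread): what a private-source ingress filter
does to ICMP messages emitted from RFC 1918 infrastructure links, and how an
RFC 3021 /31 compares with a /30 on a point-to-point link."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Hop:
    """One router on the path (constructed for the example)."""
    ttl: int        # hop count at which this router answers a traceroute
    icmp_src: str   # source address of the ICMP messages it generates
    mtu: int        # MTU of its link toward the destination


# Constructed sample path.  The documentation prefixes 192.0.2.0/24 and
# 198.51.100.0/24 stand in for publicly routable addresses; the 10-dot
# hops are the ISP's privately numbered /30 links discussed in the thread.
SAMPLE_PATH: List[Hop] = [
    Hop(1, "192.0.2.1", 1500),      # customer edge router
    Hop(2, "10.255.0.1", 1500),     # ISP /30 numbered from RFC 1918 space
    Hop(3, "10.255.0.5", 1476),     # private hop with a smaller (tunnel) MTU
    Hop(4, "198.51.100.9", 1500),   # ISP hop with a public address
]


def is_rfc1918(src: str) -> bool:
    """True if src falls in one of the three RFC 1918 private blocks.
    ipaddress.is_private is deliberately not used here, because it also
    classifies the documentation prefixes used above as private."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)


def hops_hidden_by_filter(path: List[Hop]) -> List[int]:
    """TTLs whose time-exceeded replies an RFC 1918 source filter at the
    probing site would drop.  These hops print as '* * *' in a traceroute,
    which is the symptom described in the post."""
    return [h.ttl for h in path if is_rfc1918(h.icmp_src)]


def discovered_pmtu(path: List[Hop], filter_private: bool,
                    initial_mtu: int = 1500) -> Optional[int]:
    """Simplified RFC 1191 path MTU discovery seen from the sender.

    The sender starts at initial_mtu with DF set.  A hop whose onward link
    is smaller than the current size discards the packet and returns
    'fragmentation needed'.  If that message is sourced from private space
    and the sender's site filters private sources, the sender never learns
    the smaller MTU: large packets keep being dropped and the connection
    black-holes, modelled here as a None result."""
    mtu = initial_mtu
    for hop in path:
        if hop.mtu < mtu:
            if filter_private and is_rfc1918(hop.icmp_src):
                return None          # frag-needed message filtered: black hole
            mtu = hop.mtu            # message arrived: sender shrinks its MTU
    return mtu


def p2p_addresses(link: str) -> List[str]:
    """Addresses usable by the two ends of a point-to-point link.
    A /30 spends two of its four addresses on network and broadcast;
    RFC 3021 lets a /31 use both of its addresses."""
    net = ipaddress.ip_network(link, strict=False)
    if net.prefixlen == 31:
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


if __name__ == "__main__":
    print("hops hidden by private-source filter:", hops_hidden_by_filter(SAMPLE_PATH))
    print("PMTU without filter:", discovered_pmtu(SAMPLE_PATH, filter_private=False))
    print("PMTU with filter   :", discovered_pmtu(SAMPLE_PATH, filter_private=True))
    print("/30 link addresses :", p2p_addresses("198.51.100.8/30"))
    print("/31 link addresses :", p2p_addresses("198.51.100.8/31"))
```

With the constructed path, hops 2 and 3 vanish from a traceroute once the site drops RFC 1918 sources, and because hop 3 is also the one with the smaller MTU, its fragmentation-needed message is lost and PMTUD black-holes. This is the defender-side reason dre gives for numbering infrastructure links from public space and for rate-limiting rather than dropping ICMP outright.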
   

Revised: OSPF problem - 2nd try [7:45129]

2002-05-27 Thread Nigel Taylor

Mathias,
I think you're trying too hard and possibly reading too much into the requirements.
I personally agreed with Jan's #1 option in which the area x range not-advertise command is used on R1, R2, and R4.  Although your most recent solution may work, try to think of a solution around the ISDN link remaining up in this configuration and what you could do to avoid this problem.  There is a very popular way of avoiding this occurrence.

I think the emphasis here is the requirement which reads,
 The exercise is that the 10.x network must not be advertised into the
Frame Relay network.

As Jan noted when using the virtual links between R1-R4 and R2-R4 this will
logically place R4
into area0, which is fine. This is fine because look at the logical drawing
below once the virtual
links are configured.

  10.x..x.x/24
 -Area0
  |   | |
  |   | |
   lo0--(R1) (R2)--lo0   (R4)--lo0
  |   | |
  |  area1|  area1   |
   lo0--(R3)-(frame)/
  |  |  area2
   (E0)(R5)

Using the #1 option allows us to clearly understand and meet the requirements in that although R1, R2, and R4 do have the 10.x.x.x network route in their RIBs, that route is not being advertised into the frame-relay network. Yes, I know that the R2-R4 connection is part of the frame connection, but the key word here is advertised. With the current logical design R4 is as if it were connected to the backbone segment (10.x.x.x/24).   If you had to go one step further, which I don't think is necessary, a distribute-list x in on the R4 process would eliminate the 10.x.x.x from R4's RIB, to complete the illusion that the route was not being advertised across the R2-R4 or R1-R4 virtual links.


HTH
Nigel

P.S. Elmer what do you think about this thread and which solution meets the
requirement?

- Original Message -
From: Spoerr, Mathias 
To: Jan Gunnik Hope 
Cc: ; Nigel Taylor ;

Sent: Monday, May 27, 2002 4:41 AM
Subject: AW: OSPF problem - 2nd try


 Hello!

 I think I found the Solution for the wrxkrmpf OSPF problem.
 I configured tunnel interfaces at R1, R2 and R4 and bound the interfaces
to OSPF area 2. I configured no virtual link. Now only R1 and R2 are in Area
0.
 Another advantage is the backup for Area 2. In the original setup I had
the problem that after a link-down of FR R2-R4 Area 2 is no more reachable.
When you want to configure a virtual link between R4 and R1 you will have
the problem that the ISDN link is up the whole time.

 Any comments?


 Mathias

 -Original Message-
 From: Jan Gunnik Hope [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, 25 May 2002 23:12
 To: Spoerr, Mathias
 Cc: [EMAIL PROTECTED]; Nigel Taylor; [EMAIL PROTECTED]
 Subject: SV: OSPF problem - 2nd try


 Hello Mathias !

 In my opinion these are the possible (elegant :-) solutions,
 in preferred order :
 1. Use
 area 0 range 10.0.0.0 255.0.0.0 not-advertise
 on routers R1/R2/R4, virtual link R2/R4.
 You need it on R4 as well, because as you said yourself,
 R4 becomes member of area 0 when you add the virtual link.

 This removes 10.x.x.x from R3 and R5, and they are both
 connected thru F/R, in different areas.

 2. Use
 area area-id filter-list prefix prefix-list-name out
 with prefix-list-name filtering net 10.0.0.0.
 Use it on R1/R2/R4, virtual link R2/R4
 This command was introduced in 12.0(15)S, but unfortunately
 does not seem to be part of the main IOS train yet.
 I haven't been able to test this one, but it looks dead-on.

 We still see 10.x.x.x in R4 though, because of the virtual link.

 3. Use a tunnel between r2/r4, totally stub areas 1 and 2.
 Tunnel endpoints in area 2.
 This is really a lab-only solution, as Nigel also remarked.
 But it works, and does not show the 10.x.x.x on R4...

 I clearly prefer #1, because I interpret your requirement :
 The exercise is that the 10.x network must not be advertised into the
Frame Relay network.
 to mean that R3 and R5 should not see 10.x.x.x.  R4 sees it as soon as we
 configure a virtual-link or a tunnel, because we then make R4 area 0
member.

 If you were to use no tunnels and have different OSPF processes, you
 could use one process per area, and do redistribution between them.
 That would make the filtering really easy, but you would essentially
 change your OSPF exercise into a redistribution exercise :-)

 My two cents...

 Jan Gunnik Hope
 CCIE # 8221




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of
 Nigel Taylor
 Sent: 25 May 2002 15:42
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]; Spoerr, Mathias
 Subject: Re: OSPF problem - 2nd try


 Mathias,

  I'm not sure if the ASCII art made

Re: Revised: OSPF problem - 2nd try [7:45154]

2002-05-27 Thread Nigel Taylor

Mathias,
   This is correct!  When you configure the demand-circuit, after the ISDN circuit goes down you should see DNA noted in the ospf database, which suppresses the need for hellos to be sent.  Since R1, R2, and R4 are all part of area1, when the frame circuit between R2-R4 goes down this will trigger the database recalculation and bring the ISDN link up.  This would be fine since it will be how all connectivity would be maintained. This is why I suggested that the requirement calls for two virtual links or tunnels.  You might want to brush up on your understanding of demand-circuit.

Here are some really good links explaining how effective demand-circuit can be while using the necessary filtering.

http://www.cisco.com/warp/public/104/dc.html
http://www.cisco.com/warp/public/104/dcprob.html

What a great link.. I used this one when I prepared for the lab.  It pays to
browse this stuff once in a while.
http://www.cisco.com/warp/public/104/index.shtml

Nigel

- Original Message -
From: Spoerr, Mathias 
To: Nigel Taylor ; cebuano
; Jan Gunnik Hope 
Cc: ; 
Sent: Monday, May 27, 2002 2:55 PM
Subject: AW: Revised: OSPF problem - 2nd try


 Nigel,

 I forgot to tell you that the second task is that the ISDN must not be up
until the FR R4-R2 fails.
 R3 has to initiate the call and R1 must call back.
 There is another exercise regarding to this layout, where a backup link
must exist for the area 2 connection.

 -10.x.x.x/24---Ethernet OSPF Area0
  ||
 R1---Lo0  R2---Lo0
  ||
 ISDN Area1FR Area1
  ||
 Lo0--R3--FR---R4--Lo0
  |Area1   |
 -E0   FR Area2
   |
   R5
 (I hope this drawing can be identified)


  Although your most recent solution may work try to think
  of a solution around the ISDN link remaining up in this configuration
and what you could
  do to avid this problem.  there is a very popular way of avoiding this
  occurrence.

 Which solution do you mean?
 When you think about the demand circuit feature - it doesn't work with
Virtual links, because R4 is sending hellos destined for the bri address of
R1 when you configure a virtual link to R1.

 Thanks for responding,
 Mathias


 -Original Message-
 From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
 Sent: Monday, 27 May 2002 12:59
 To: cebuano; Jan Gunnik Hope; Spoerr, Mathias
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Revised: OSPF problem - 2nd try


 Mathias,
 I think you're trying too hard and possibly reading too much
 into the requirements.
 I personally agreed with Jan's #1 option in which the area x range
 not-advertise command is used on R1, R2, and R4.  Although your most
 recent solution may work, try to think of a solution around the ISDN link
 remaining up in this configuration and what you could do to avoid this
 problem.  There is a very popular way of avoiding this occurrence.

 I think the emphasis here is the requirement which reads,
  The exercise is that the 10.x network must not be advertised into the
 Frame Relay network.

 As Jan noted when using the virtual links between R1-R4 and R2-R4 this
will
 logically place R4
 into area0, which is fine. This is fine because look at the logical
drawing
 below once the virtual
 links are configured.

   10.x..x.x/24
  -Area0
   |   | |
   |   | |
lo0--(R1) (R2)--lo0   (R4)--lo0
   |   | |
   |  area1|  area1   |
lo0--(R3)-(frame)/
   |  |  area2
(E0)(R5)

 Using the #1 option allows us to clearly understand and meet the
 requirements in that although R1, R2, and R4 do have the 10.x.x.x
 network route in their RIBs, that route is not being advertised into the
 frame-relay network. Yes, I know that the R2-R4 connection is part
 of the frame connection, but the key word here is advertised. With the
 current logical design R4 is as if it were connected to the backbone
 segment (10.x.x.x/24).   If you had to go one step further, which I don't
 think is necessary, a distribute-list x in on the R4 process would
 eliminate the 10.x.x.x from R4's RIB, to complete the illusion that the
 route was not being advertised across the R2-R4 or R1-R4 virtual links.


 HTH
 Nigel

 P.S. Elmer what do you think about this thread and which solution meets the
 requirement?

 - Original Message -
 From: Spoerr, Mathias 
 To: Jan Gunnik Hope 
 Cc: ; Nigel Taylor ;
 
 Sent: Monday, May 27, 2002 4:41 AM
 Subject: Re: OSPF problem - 2nd try


  Hello!
 
  I think I found the Solution

Re: BGP addressing..i think i understand but i am not sure [7:45174]

2002-05-27 Thread Nigel Taylor

Peter,
 It would seem that Cable&Wireless and Above along with RIPE are the
main culprits.

It would seem to me that this inconsistent route issue would present
problems; what am I missing? It may be that I'm not totally
clear on what constitutes an inconsistent route.  RFC 1930 clearly states:
one prefix, one originating AS. I know it's been
mentioned in this thread and I see it noted that the RSNG Project will
notify peers of inconsistent policies registered in the IRR.
So, how effective is this initiative if most of the community feels it's not
something to be worried about?

Anyone care to point me in a specific direction?

thanks
Nigel

- Original Message -
From: Peter van Oene 
To: 
Sent: Monday, May 27, 2002 6:31 PM
Subject: Re: BGP addressing..i think i understand but i am not sure
[7:45169]


 quick comment in line.

 At 04:53 PM 5/27/2002 -0400, Chuck wrote:
 I have a question, Howard - in line:
 
 
 Howard C. Berkowitz  wrote in message
  news:[EMAIL PROTECTED]...
   This is one of those posts where the attributions have gotten very
   confused. Comments inline.
  
 snip for brevity
  
   It can be done, if both ISPs agree to it and coordinate their routing
   policies. A public AS, however, is justified in this circumstance.
  
    While it doesn't quite describe this situation, look at RFC 2270 for the
   general strategy. Both ISPs have to remove private AS.  This will
   also cause more than one ISP to appear to originate the route, which
   is a technical violation of BGP (i.e., it's an inconsistent route),
   but that isn't that uncommon and doesn't seem to break anything.
  
 
  Question: in an ideal world, what would happen when an inconsistent route
  shows up? Ideally, would that route be black holed?
  Since it is common and since it doesn't seem to break anything in real
  terms, what happens? BGP advertises reachability to other BGP routers, be
  they internal or external. But in terms of a packet traveling from my house
  to a destination that is inconsistent what happens? What matters? My
  packet continues to be passed from here to there until some directly
  connected router receives it. I'm assuming that inconsistent does not
  imply loop
 
 thanks.

 You are correct in that inconsistent advertisements do not represent
looped
 routes. In the case of a prefix seemingly existing in two AS's, a remote
 router simply passes that prefix through the basic BGP path selection
 algorithm and selects the more preferable of the two for export to the
main
 routing table.   Once a route hits the routing table, transiting packets
 are forwarded as usual.

 Any potential concern lies in the handling of routes that show up as
 inconsistent.  I have seen discussions from various communities (RIPE
comes
 first to mind) about specifying a globally accepted behavior for such
 routes, but haven't seen a consensus on this issue other than to leave it
 alone.  Howard probably has somewhat more detailed insight here.  At
 present, inconsistent advertisements are accepted and many feel are valid
 and should not be handled differently from normal announcements.

 Customers who think that connecting to two providers is generally better
 than two pops from a single provider, and providers who are too nervous
 about losing customer revenue to force customers to properly multi-home
 (PI space/ASN) or not multi-home to different providers at all, are likely
 the cause of this situation.   So long as this continues to be the norm,
 we'll likely see more and more of these type announcements and the
 likelihood of routers dealing with them differently (dropping for example)
 will similarly decrease.

 Hit a route server (say route-server.exodus.net) and do a show ip bgp incon
 and you'll see just how many of these routes we are dealing with.

 Pete





  snip for brevity




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45174t=45174
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
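Pete's suggestion of pulling "show ip bgp incon" from a route server, as an added example that is not from the thread: the code below reproduces the one-prefix, one-originating-AS test from RFC 1930 over a constructed table of prefix/AS_PATH pairs, so the shape of an inconsistent-origin report can be seen offline. All prefixes and AS numbers are made up (documentation ranges), as is the local AS.

```python
"""Flag prefixes whose BGP paths disagree on the originating AS.

Added example, not code from the original thread. RFC 1930 expects one
prefix to be originated by one AS; the check below applies that test to a
constructed table shaped like the AS_PATH column of 'show ip bgp'.
"""
from collections import defaultdict

# Constructed sample table: (prefix, AS_PATH string). The trailing
# i / e / ? is the ORIGIN attribute code, not an AS number.
SAMPLE_TABLE = [
    ("192.0.2.0/24",    "64500 64510 64520 i"),
    ("192.0.2.0/24",    "64501 64530 64520 i"),        # same origin AS: fine
    ("198.51.100.0/24", "64500 64540 64600 i"),
    ("198.51.100.0/24", "64501 64550 64601 i"),        # two origin ASes: flagged
    ("203.0.113.0/24",  "64500 64560 64570 64570 i"),  # prepended origin, still one AS
    ("203.0.113.0/24",  "64501 64570 i"),
    ("192.0.2.128/25",  "i"),                          # locally originated, empty path
]

LOCAL_AS = 64496  # constructed local AS number

_ORIGIN_CODES = {"i", "e", "?"}


def parse_as_path(path):
    """Return the AS_PATH as a list, dropping the ORIGIN code.

    Plain AS numbers become ints; an AS_SET segment such as {64570,64571}
    (produced by aggregation) becomes a frozenset of its members.
    """
    tokens = path.split()
    if tokens and tokens[-1] in _ORIGIN_CODES:
        tokens = tokens[:-1]
    parsed = []
    for tok in tokens:
        if tok.startswith("{") and tok.endswith("}"):
            parsed.append(frozenset(int(a) for a in tok[1:-1].split(",") if a))
        else:
            parsed.append(int(tok))
    return parsed


def origin_as(path, local_as=LOCAL_AS):
    """The originating AS is the last AS_PATH element; an empty path means
    the prefix was originated by the local AS."""
    parsed = parse_as_path(path)
    return parsed[-1] if parsed else local_as


def inconsistent_origins(table, local_as=LOCAL_AS):
    """Map each prefix to the sorted list of origin ASes seen for it, keeping
    only prefixes with more than one origin (what 'show ip bgp
    inconsistent-as' reports). Prepending does not create an inconsistency
    because only the last element counts."""
    origins = defaultdict(set)
    for prefix, path in table:
        origins[prefix].add(origin_as(path, local_as))
    return {p: sorted(o, key=str) for p, o in origins.items() if len(o) > 1}


def report(table, local_as=LOCAL_AS):
    """One human-readable line per inconsistent prefix."""
    return [
        f"{prefix}: origin ASes {', '.join(str(a) for a in asns)}"
        for prefix, asns in sorted(inconsistent_origins(table, local_as).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_TABLE):
        print(line)
```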



Re: OSPF problem - 2nd try [7:45025]

2002-05-25 Thread Nigel Taylor

Mathias,

 I'm not sure if the ASCII art made the journey, but based on
what I believe you're trying to accomplish see inline...

Note: Questions like this you should post to the main
list ( [EMAIL PROTECTED] ).  You'll get a better response.




Re: Friday Follies of sorts - answering questions [7:44952]

2002-05-24 Thread Nigel Taylor

Chuck,
   This is a very interesting post.  I did some checking and I found
this link that might address the requirement based on the design.  This can
be done by using 6500 switches instead of routers as depicted in your lovely
ASCII art.

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/cat65_wp.htm

They make the following note..
Configuring Policers
The next step is to define a policer. The Catalyst 6500 supports microflow
and aggregate policing. A Microflow policer defines the policing of a single
flow, which is defined by a session with a unique SA/DA MAC address, SA/DA
IP address and TCP/UDP port numbers. For each new flow that is initiated
through a port of a VLAN, the microflow can be used to limit the amount of
data received for that flow by the switch.

I notice you're using the LX based fiber connection between your routers
but the design does suggest  a campus or MAN type architecture.  In this
design I'm guessing that the 6500 with dual MFSC's and PFC's as noted on the
link would provide for redundancy in the design.

In looking at the QoS requirements using a router (possibly using  a 7500)
the GEIP link does mention support for the following - Support for IP
Quality of Service (QoS)/Class of Service (CoS), including CAR, ACL and
MPLS/tag switching.

A couple of questions here would be..

1.  What is the problem you are trying to solve?  (I've always wanted to say
this...)  :-
2.  What type of analysis has been done to determine traffic flows (ftp,
smtp, multicast..etc)?
3.  QoS based on destination subnets ( How are the subnets being
determined)?
4.  The design suggests this is a P-t-P connection for an internal network.
Is it?
5.  The traffic that would be given QoS to the DA subnet to what? An
Application Server/Farm?

I'm currently reading for the second time a book recommended by Priscilla on
the list that I think may provide you some insight in what you're trying to
accomplish.  The book's author is James D. McCabe and the title is Practical
Computer Network Analysis and Design - ISBN 1558604987

HTH

Nigel


- Original Message -
From: Chuck 
To: 
Sent: Friday, May 24, 2002 10:59 AM
Subject: Friday Follies of sorts - answering questions [7:44952]


 I got to thinking about this after posting a question to a company internal
 mailing list. Based on some of the responses I received from other
 engineers, I wondered at what point one has enough information to answer a
 question, and at what point asking for further clarification is essentially
 a sign that you don't know the answer and you are just stalling.

 Please be assured, I am not looking for the answer. I have what I need,
 including some working configs, which I will post to the list if there is
 enough interest.


 I am more interested in the opinions of any number of you folks whose
 insight I appreciate.

 So.. here is the e-mail I sent internally. My question is - given what
 you see, do you have enough information to provide an answer? If not, why
 not?


 Start question:
 -


   I have a complex QoS traffic shaping rate limiting question.

  internet---source_router---gigE_port---LX_fiber_connection---gigE_port---destination_router---multiple subnets

  the customer wants to rate limit traffic across the fiber link based on
  destination ip subnet. I'm racking my brain trying to figure out how to
do
  this on something other than a frame or an ATM link. Can't seem to find
  the appropriate examples on CCO.

  Question - can one configure different QoS rate limits for different
  destination subnets over the same physical interface? All the examples I
  find are for technologies that use PVC's. I had thought policy routing,
  using the route-maps to change TOS bits, and using map classes (?) to
  differentiate, but that severely limits the number of subnets I can
  manage.

  I have found some docs on CCO, but the examples center around MAC and IP
  precedence, not subnet.

  If you have reasonable expertise in QoS rate limiting, can you give me a
  call regarding the options I have?

 -
 end of question


 remember - I have what I need. I am just curious about the nature of
 questions and answers, and the clarification process required to provide
 answers. Call this a seminar in the design process, maybe?

 I look forward to your sage replies.

 Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44977t=44952



Re: Some real theory [7:44491]

2002-05-19 Thread Nigel Taylor

How about putting them up on the ftp site?

Much Appreciated...
Nigel

- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Sunday, May 19, 2002 8:29 PM
Subject: Re: Some real theory [7:44491]


 the link you provide is only a 10 meg document. ;-

 Bless .pdf.  I downloaded .ps without looking.

 
 
 Howard C. Berkowitz  wrote in message
  news:[EMAIL PROTECTED]...
   If anyone is interested, Radia Perlman's PhD dissertation on
   Byzantine robustness of routing protocols is finally on line.  Do not
   do as I did and download the PostScript, which was almost 40 meg. PDF
   is BOUND to be smaller.
 
http://www.lcs.mit.edu/publications/pubs/pdf/MIT-LCS-TR-429.pdf

 If there's interest, I can probably dig up some other formative
 dissertations, such as the original concepts of IP multicast routing
 (Steve Deering) and quite a bit on BGP stability.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44510t=44491



A good CLNS/ISIS link on CCO [7:43330]

2002-05-05 Thread Nigel Taylor

All,
I was just browsing around CCO and came across this link which has some
good coverage of CLNS/ISIS.   This link most likely isn't a secret, but for
anyone wanting to get a better understanding of these protocols this seems
like a good addition.

http://www.cisco.com/warp/public/97/index.shtml

Nigel



- Original Message -
From: nrf 
To: 
Sent: Sunday, May 05, 2002 3:40 AM
Subject: Re: CCIE in 3-6 Months from cisco Interesting [7:43306]


 Michael L. Williams  wrote in message
  news:[EMAIL PROTECTED]...
  It's not in Cisco's best interest to crank out CCIEs and I doubt that's
 what
  they're doing (or going to do)  After all, this is a job posting,
and
 I
  doubt they're going to hire and train enough people to make an impact in
 the
  total number of CCIEs out there.  (i.e. they may hire 5, 10, hell maybe
 even
  50 people, say, and so you're only taking 5/10/50 more CCIEs on top of
the
  7400 existing CCIEs ... not enough to impact the overall market/demand
for
  CCIEs, IMHO).  I agree with another poster here that, even spending
 everyday
  at work for Cisco studying isn't enough to get through the new CCIE
  written, much less the lab.

 I agree with the premise that even TAC guys do not get as much hands-on as
 they would like, especially with expensive gear.  From my friends who are
 and were at TAC, they have to fight for access to good equipment.

 
  As far as the devaluing of the CCIE, I've see ramblings of this ever
since
 I
  joined Groupstudy, and I believe that it's mostly just alot of talk.
 Sure,
  CCIEs aren't pulling in as high a salary as they were 2 years ago, but
 most
  of that is due to the dot-bomb thing coming to an end as well as the job
  market/economy of the last year or so.  Two things can devalue the cert:
  The number of CCIEs skyrocketing and/or people being able to attain the
 CCIE
  without being qualified.  I don't think anyone will argue that the CCIE
  written/lab combo pretty much keeps paper CCIEs from becoming a
reality.

 Bullshi*.  There are a significant number of guys lately who've passed the
 lab who I wouldn't hesitate to call paper (heck, even they have honestly
 referred to themselves as paper, usually after getting a few drinks into
 them).

 But I do agree with the premise that the main reason for the devaluing of
 the cert is the bad economy, and the lab-rats are a lesser consideration
 (still important, but lesser).  But on the other hand, I think it is the
 case that the CCIE will probably never attain the status that it once did,
  simply because we will probably never see another huge network buildout
  orgy  like the dotcom boom again in our lifetime.  So while I believe the
  networking industry will get better, people who think it's going to get
  back to, say, 1999, are just deluding themselves.

  As far as the number of CCIEs skyrocketing, if I recall correctly, when
I
  first started working on Cisco certification there were around 6000
CCIEs.
  Now there are around 7400 (worldwide).  That's certainly not
 skyrocketing.
  Compare that to MSCEs where there was such a flood of new MSCEs on the
  market that simply supply/demand took over, and all of a sudden MSCEs
were
 a
  dime a dozen (no offense to people with MSCEs, just making a point about
 the
  numbers).
 
  Also, I don't agree with the claim that the CCIEs best days are behind
it.

 I believe this is definitely true - look at the salaries of CCIE's back in
 '99 compared to today.  Obviously the main reason for this is the bad
 economy.  But the proliferation of CCIE's (especially lab rats) doesn't
help
 matters.  Just ask Jon Kaberna who's written quite a bit on this subject.
 Again, the main reason is that I doubt the networking economy will ever
get
 back to what it was during the boom ever again in our lifetime.

  Although many felt that the new one-day lab was going to open the
 floodgates
  for paper CCIEs, I don't recall reading any posts by people saying the
 new
  lab was a breeze.  Also, any of the level of difficulty that may have
been
  lost going to the one-day format is definitely going to be made up for
by
  the new format of the written.  As has been posted here more recently
(by
  either Bernard or Dennis right after they took the beta), the failure
rate
  of the written is definitely going to go up with this new exam.

 If that is true, then it is a long-overdue change.  The fact is the old
 written was not getting the job done.  I think not only should the new
 written be more difficult, but you should also only be able to attempt it
a
 certain number of times per year (say, 3 times per year or something).
 Also, Cisco should emphatically state once-and-for-all  that the
 CCIE-written is not a cert.

 
  Just my 2 cents
 
  Mike W.
 
  nwo  wrote in message
   news:[EMAIL PROTECTED]...
   If this is true then it represents an even worse devaluation of the
CCIE
   than what has happened already.  Not only 

GroupStudy - Experts and Gurus.. [7:43062]

2002-05-01 Thread Nigel Taylor

All,
 I typically try not to get involved in threads like this one, since it
really serves no purpose.  I've been a member of this list for some four
plus years and this type of thread always seems to creep into the list.

John's earlier post I think was truly funny and if anyone who read it
didn't notice the humor, you missed out.  In the time I've been on the list
there have been a number of very knowledgeable people of which Howard is
most certainly one of the most notable.

What I don't understand is why everyone on the list can't simply participate
as part of the group for the collective good and not be concerned with
Howard's ability to prove himself.  In perspective, I think one should see
the benefit in Howard's limited experience not having personally taken the
lab. This I would believe benefits everyone on the list.

From another perspective, I think the desire to pressure Howard into taking
the lab is a feeble attempt to justify one's own belief: the fact that
there is possibly something out there in this field that they might possibly
have some experience in that Howard doesn't.

Folks like Howard, Priscilla, and a number of others contribute so much more
to this list if not for the fact that they can provide factual information
based on their research, writing, experience, and working relationship with
some of the more prominent persons in this field.

Lastly, as I mentioned before this thread will most likely not go away and
if it does, I'm sure someone will see the need to reiterate what was said
before. When this urge arises please think of the value a thread like this
will bring to the group and then see if it's worth the 1-click of the send
button..please clear this with Amazon first.


Nigel









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43062t=43062



OT: Home Lab Stuff [7:42804]

2002-04-28 Thread Nigel Taylor

Some items I had in my home lab that I no longer need.  I'm willing to
let it all go to 1 buyer for $1200.  If interested in individual pieces
that's ok too.

1 Cisco 2517 - 16MB/8MB, 2 serial, 1 BRI(S/T), 1 Token Ring, 8-port MAU  $300

1 Cisco 2521 - 6MB/8MB, 4 Serial(2Sync/2Async), 1 BRI(S/T), 1 token ring  $400

1 AGS+ - CSC4 w/4 MB NVRAM, 8 Ethernet, 6 Serial(HD26)  $550
  I also have another 4-port V.35 serial applique
  with 10' cables, 3 HD26-HD26 DCE-DTE cables, and
  3 HD26-HD60 DCE-DTE cables.
  IOS 11.26a - the last available code version
  Great Frame Switch

  The cables here alone cost about $350-$400.

2 MGS - (1st) 1 Serial, 1 ethernet, 1 token ring.  $150
  (2nd) 3 serial, 1 ethernet, 1 token ring.

1 Cisco STS-10x - 1 ethernet, 9-port(poor-man's) terminal server  $100
  all terminal cables(custom made) included

Any questions contact me directly. Please do not post to the list.

Nigel







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42804t=42804



Re: token ring interface 3920 Catalyst [7:42766]

2002-04-27 Thread Nigel Taylor

Richard,

   If I'm not mistaken the 3920 uses the default bridge (hex)
number of 0x1.  You most likely will want to make sure that the second
3920 isn't using the same default ring/bridge IDs.

Here's a link that may ring through when trying to figure out these
tokens :-

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3920/3920ug4/vlantut.htm

HTH

Nigel

From: Mr. Richard L. Pickard
Reply-To: Mr. Richard L. Pickard
To: [EMAIL PROTECTED]
Subject: token ring interface 3920 Catalyst [7:42766]
Date: Sat, 27 Apr 2002 21:24:23 -0400

4/27/2002 8:30pm Saturday

Professionals,

I have a 4000-M router with 12.1.14 Enterprise+. It is populated as follows -
dual token ring, dual ethernet, quad serial. All interfaces are in use except
S1 & S2. Until a few hours ago each token ring interface was connected to a
different SynOptics LattisRing 2705B, TR0 on the 180.x.x.x network & TR1 on
the 198.x.x.x network. Everything works fine. I moved all the users from the
first MAU to a new Catalyst 3920 & hooked up TR0 & everything was still fine.
I moved all the users from the second MAU to a second new Catalyst 3920 &
hooked up TR1. The users are good to go BUT line protocol on TR1 will not
come up. I tried different ports on the 3920 & then rebooted the router &
switch. TR1 will still not come up. I tried sho CDP neighbors & the router
does not see the second 3920. I put it back in the SynOptics & guess what ---
it comes up !!! I plugged a 2502 router in to the second 3920 & it comes up
fine. What am I overlooking ? Or is there a chipset limitation on the NP card
of the 4000-M router ?







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42775t=42766



Re: (correction) Method and Process Scenario 5: OSPF [7:42139]

2002-04-21 Thread Nigel Taylor

See inline


From: Howard C. Berkowitz 
Reply-To: Howard C. Berkowitz 
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 09:08:21 -0400

 You can originate a 0.0.0.0 route from each of the ISP connected routers.
 Ideally, then each router on your internal network that receives both
 0.0.0.0 routes from both originating routers will route traffic to the
  internet based on the 0.0.0.0 route with the best metric.

You're on the right track. But what characteristics must the default
routes have to assure a degree of load sharing? (I'm thinking of
something specific to OSPF)

NT: On redistribution of the default-route using OSPF's default assignment of
E2, with a standard metric XX value at both POP's will allow both
default routes to be equal-cost. Another option here would be to use the
ospf cost or bandwidth configuration commands to balance the links.


What is their effect on load balancing from the provider to you?

 
  I'm not sure about OSPF, but where I work we have 2 connections to the
  internet at different POPs, and this is the method we use.  Seems to give
  some load balancing, however, based on the number of users at each site
  i.e. we have twice as many users at one site (which chooses its closest
  internet connection for exit to the net) as we do at the other, so we
  really get a lopsided load balance, but it's what we expect.  We are soon
  going to be implementing BGP on the 2 routers that connect to the internet
  so that we can have inbound redundancy from the internet, but we'll still
  leave the lopsided load balancing in place as to really load balance
  across our internet connections would each bandwidth on our OC-12, which
  we don't want
 
 Mike W.
 - Original Message -
 From: Howard C. Berkowitz
 Newsgroups: groupstudy.cisco
 Sent: Saturday, April 20, 2002 2:51 PM
 Subject: (correction) Method and Process Scenario 5: OSPF Multihoming
 [7:42092]
 
 
   Your enterprise runs OSPF internally and only takes default from one
   ISP, but at multiple POPs.  What would this suggest you could do to
   achieve a degree of load-sharing among the POPs?
 
   Assume you do not run BGP. What can you do and what are its 
limitations?
 
   Don't focus on the configuration commands as what mechanisms will be
 required.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42142t=42139



Re: (correction) Method and Process Scenario 5: OSPF [7:42139]

2002-04-21 Thread Nigel Taylor

Yes,

   I forgot about getting that default route into the enterprise
from the CE.  That would leave the default-information originate.

Nigel   

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 12:37:52 -0400

 See inline

 From: Howard C. Berkowitz
 Reply-To: Howard C. Berkowitz
 To: [EMAIL PROTECTED]
 Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
 Date: Sun, 21 Apr 2002 09:08:21 -0400

   You can originate a 0.0.0.0 route from each of the ISP connected routers.
   Ideally, then each router on your internal network that receives both
   0.0.0.0 routes from both originating routers will route traffic to the
   internet based on the 0.0.0.0 route with the best metric.

  You're on the right track. But what characteristics must the default
  routes have to assure a degree of load sharing? (I'm thinking of
  something specific to OSPF)

 NT: On redistribution of the default-route using OSPF's default assignment
 of E2, with a standard metric XX value at both POP's will allow both
 default routes to be equal-cost. Another option here would be to use the
 ospf cost or bandwidth configuration commands to balance the links.

That would make the links to the ISP load balanced, but it wouldn't
necessarily equalize the load in getting to them from within the enterprise.
Again, you are on the right track.

  What is their effect on load balancing from the provider to you?

   I'm not sure about OSPF, but where I work we have 2 connections to the
   internet at different POPs, and this is the method we use. Seems to give
   some load balancing, however, based on the number of users at each site
   i.e. we have twice as many users at one site (which chooses its closest
   internet connection for exit to the net) as we do at the other, so we
   really get a lopsided load balance, but it's what we expect. We are soon
   going to be implementing BGP on the 2 routers that connect to the
   internet so that we can have inbound redundancy from the internet, but
   we'll still leave the lopsided load balancing in place as to really load
   balance across our internet connections would each bandwidth on our
   OC-12, which we don't want

   Mike W.

   - Original Message -
   From: Howard C. Berkowitz
   Newsgroups: groupstudy.cisco
   Sent: Saturday, April 20, 2002 2:51 PM
   Subject: (correction) Method and Process Scenario 5: OSPF Multihoming
   [7:42092]

     Your enterprise runs OSPF internally and only takes default from one
     ISP, but at multiple POPs. What would this suggest you could do to
     achieve a degree of load-sharing among the POPs?

     Assume you do not run BGP. What can you do and what are its
     limitations?

     Don't focus on the configuration commands as what mechanisms will be
     required.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42158t=42139



Re: (correction) Method and Process Scenario 5: OSPF [7:42139]

2002-04-21 Thread Nigel Taylor

Howard,
   I think I see where you're going.  The default on the DIO command is
applying an E2 to the default as it is sent into the enterprise.  It is also
known that by order of preference E2 routes are least preferred.  So based
on your hint.. I'm thinking making use of the metric-type parameter to make
the default-route an E1 metric which would provide known route info into the
ISP's network.  Nope..this isn't it.

In thinking about this even more, when I was posting the very first
time to this thread I thought..yes, that's it..but opt'd not to mention it.
Now it dawns on me that the default nature of (cisco's) ospf is to use 4
equal-cost routes.  So now maximum-paths 2 sounds like the way to go.

the hint knocked me over the head..:-

Nigel

 

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 15:31:29 -0400

At 2:19 PM -0400 4/21/02, Nigel Taylor wrote:
 Yes, I forgot about getting that default route into the enterprise
 from the CE. That would leave the default-information originate.

 Nigel

Nigel, thanks for continuing this thread, because I'm finding the interaction
very informative, and will try to start building it into practice things.

I think it was you that mentioned that it can be hard to stop thinking about
configuration commands and look a little more broadly about the problem. Yes,
in this case, you could use default-information originate. But think on the
protocol/functionality level for a moment. To get both internal and external
(i.e., to the ISP) load balancing, what information does the default route
have to convey into the enterprise's OSPF?

[hint follows]

Think about the parameters of default-information originate, especially the
values it does by default (the other kind of default, that is). The answer
lies in using a non-default value of one







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42169t=42139



Re: (correction) Method and Process Scenario 5: OSPF [7:42139]

2002-04-21 Thread Nigel Taylor

Based on Chuck's diagram and the use of the E1 ospf route I think this
would be a matter of how the enterprise is designed and what type of links
interconnect the various locations/sites.  Simply using the DIO metric-type
could allow for suboptimal routing as Chuck noted.

I realize that I was thinking that the enterprise should have dual default
routes out to the ISP, when in fact by using the E1 as Howard pointed
out, would allow each site to default to the nearest gateway based on the
sum of the internal+external calculated by the E1 metric.  So based on a
well designed enterprise this would account for the individual traffic
flows of each location/site to be balanced between the two ISP POPs.

Wow.. this stuff is actually beginning to make sense..  :-

Nigel

Reply-To: Chuck
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 21:57:36 -0400

I think I see what you are getting to, Howard, but for the purpose of your scenario, are you assuming that the enterprise backbone construction makes sense? For example, in your case, are you assuming something like Seattle---Portland---SanFran---SanJose---LosAngeles---SanDiego with the ISP connections in SanDiego and Seattle, or better yet Portland and LosAngeles? What I'm seeing no matter how I try to construct this is that, for example, half of Seattle's traffic traverses the entire network to get to the LosAngeles egress while at the same time, half of SanDiego's traffic is going past LosAngeles, and up to Portland.

Maybe I'm digressing. Maybe this isn't necessarily a good design. OTOH, it is a design that saves the company money due to the various pricing issues involved, no matter what the transport decision ( interstate, inter-lata, inter-telco, etc ). Tell me if I am off topic with regard to your puzzle.

Chuck

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

 question embedded within:

 Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

  Howard,
  I think I see where you're going. The default on the DIO command is applying an E2 to the default as it is sent into the enterprise. It is also known that by order of preference that E2 routes are least preferred. So based on your hint.. I'm thinking making use of the metric-type parameter to make the default-route an E1 metric which would provide known route info into the ISP's network. Nope..this isn't it.

  STOP! Using E1 is the answer, although I don't think you have the reason quite right. On the default-information originate command, use metric-type 1 and an equal metric on both routers.

  E1 considers the combined internal and external metric. If you make the external metrics equal, traffic in your network will go to the closest exit. If the network topology is reasonably well designed with the placement of your gateways, this should give approximate sharing of both internal resources and the ISP links.

 hhhm.

 I'm wondering how many readers of this thread fooled themselves by thinking that the idea was to ensure per packet load sharing out the two ISP links? which no doubt leads to suboptimal routing for a significant portion of traffic, if my mental picture is correct.

 aren't the two goals - equal load sharing and optimal routing - mutually exclusive here?

 In practice, no, if you think carefully where you place the ISP gateways. Typically, they should be at opposite geographical ends of your network, near heavy concentrations of users. That often causes load sharing by pure use distribution. It's certainly not per-packet between multiple routers. It's more per-destination for individual routers, CEF of course giving even better results than fast switching.

 The optimal routing to which we are referring is internal, not external. It presupposes the ISP links are of equal capacity.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42192t=42139







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42196t=42139



Re: (correction) Method and Process Scenario 5: OSPF [7:42139]

2002-04-21 Thread Nigel Taylor

See Inline...

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 18:03:20 -0400

 Howard,
 I think I see where you're going. The default on the DIO command is applying an E2 to the default as it is sent into the enterprise. It is also known that by order of preference that E2 routes are least preferred. So based on your hint.. I'm thinking making use of the metric-type parameter to make the default-route an E1 metric which would provide known route info into the ISP's network. Nope..this isn't it.

STOP! Using E1 is the answer, although I don't think you have the reason quite right. On the default-information originate command, use metric-type 1 and an equal metric on both routers.

E1 considers the combined internal and external metric. If you make the external metrics equal, traffic in your network will go to the closest exit. If the network topology is reasonably well designed with the placement of your gateways, this should give approximate sharing of both internal resources and the ISP links.

Again, this is outwards toward the ISP. Without BGP, you aren't going to influence inbound sharing.

Since we're using OSPF between the ISP POPs and the enterprise, couldn't a case be made here for the use of a well designed IP scheme? This would allow for geographic/location specific summarization with the use of route-tagging/filtering to provide some control over in-bound traffic from the ISP into the enterprise.

Thoughts.. anyone?

Nigel

 In thinking about this even more when I was posting the very first time to this thread I thought..yes, that's it..but opt'd not to mention it.  Now it dawns on me that the default nature of (cisco's) ospf is to use 4 equal-cost routes. So now maximum-paths 2 sounds like the way to go.

No, for a couple of reasons.  First, OSPF will generate only one external route to the same destination in the same router. So load balancing on the same router, which uses maximum-paths, will never take place with OSPF default.

Second, what you want is load-sharing with the scope of your OSPF _domain_, not the scope of one router.

 the hint knocked me over the head..:-)
 Nigel

--
What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me***

Howard C. Berkowitz [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42175t=42139







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42197t=42139

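An added example (not from the thread) that works through Howard's closest-exit argument on Chuck's sketch of a linear backbone, for this message and the one above it: two ISP gateways originate the default with equal metrics, and each site's choice under metric-type 1 is the ASBR with the lowest internal + external cost. Topology, link costs and external metrics are constructed; the E2 comparison (external metric first, then cost to the ASBR, per RFC 2328) is included so the two types can be compared when the external metrics are not equal, which goes one step past the equal-metric case in the thread.

```python
"""Which ISP gateway each site picks for its default route under OSPF
external type 1 (E1) vs type 2 (E2) metrics.

Added example, not from the thread.  The backbone, link costs and external
metrics are constructed to match Chuck's sketch; the selection rules follow
RFC 2328 section 16.4: E1 = intra-area cost to the ASBR + external metric,
E2 = external metric first, ties broken on the cost to the ASBR.
"""
import heapq

# Constructed topology: Chuck's linear backbone, one ISP gateway (ASBR) at
# each geographical end.  Values are assumed OSPF interface costs.
LINKS = {
    ("Seattle", "Portland"): 10,
    ("Portland", "SanFran"): 30,
    ("SanFran", "SanJose"): 5,
    ("SanJose", "LosAngeles"): 20,
    ("LosAngeles", "SanDiego"): 10,
}


def build_graph(links):
    """Undirected adjacency map: router -> {neighbor: cost}."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def intra_area_costs(graph, source):
    """Dijkstra: shortest OSPF path cost from `source` to every router."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue
        for nbr, link_cost in graph[node].items():
            new = cost + link_cost
            if new < dist.get(nbr, float("inf")):
                dist[nbr] = new
                heapq.heappush(heap, (new, nbr))
    return dist


def choose_exit(site, asbrs, graph, metric_type):
    """Return (asbr, comparison_key) for the default route that wins at `site`.

    `asbrs` maps ASBR name -> external metric, i.e. the value given on
    'default-information originate metric <X> metric-type <T>'.
    """
    costs = intra_area_costs(graph, site)
    best = None
    for asbr, external in asbrs.items():
        internal = costs[asbr]
        if metric_type == 1:
            key = (internal + external,)      # E1: one combined cost
        else:
            key = (external, internal)       # E2: external first, then cost to ASBR
        if best is None or key < best[1]:
            best = (asbr, key)
    return best


def exit_table(asbrs, metric_type, links=LINKS):
    """site -> chosen ASBR for every router in the backbone."""
    graph = build_graph(links)
    return {site: choose_exit(site, asbrs, graph, metric_type)[0] for site in graph}


def exit_counts(table):
    """How many sites land on each gateway (the load-sharing view)."""
    counts = {}
    for asbr in table.values():
        counts[asbr] = counts.get(asbr, 0) + 1
    return counts


if __name__ == "__main__":
    equal = {"Portland": 10, "LosAngeles": 10}      # Howard's recommendation
    skewed = {"Portland": 10, "LosAngeles": 5}      # LosAngeles advertised cheaper
    for label, asbrs, mtype in (("E1, equal metrics", equal, 1),
                                ("E2, LosAngeles cheaper", skewed, 2),
                                ("E1, LosAngeles cheaper", skewed, 1)):
        table = exit_table(asbrs, mtype)
        print(f"{label}: {table} -> {exit_counts(table)}")
```

With the skewed metrics, E2 drags every site, Seattle included, across the whole backbone to LosAngeles, which is the traffic pattern Chuck was worried about; E1 keeps Seattle and Portland on the Portland gateway because the internal cost is part of the comparison.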


Re: Method and Process Scenario 3: OSPF Multihoming [7:42088]

2002-04-20 Thread Nigel Taylor

This is interesting.  I work in a very operational environment so thinking
of accomplishing this task from a standpoint other than configuration
requirements leaves me blank. See Inline..

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Method and Process Scenario 3: OSPF Multihoming [7:42088]
Date: Sat, 20 Apr 2002 15:47:06 -0400

Your enterprise runs OSPF internally and only takes default from one ISP, but at multiple POPs. What would this suggest you could do to achieve a degree of load-sharing among the POPs?

Some questions I would need answered would be..

- What is the routing policy of the ISP?
- My second thought would be what is the IP scheme of the enterprise?
- At what point upstream does the ISP aggregate it's route-space?
- Look at using static/conditional routes or implement an IGP routing
domain.(entISP)
- Look at possible route summarization based on POP geographical location
- Enterprise network can use VLSM to control return traffic by
  assigning specific traffic flows to primary/alternate
  designated POPs.

Am I totally lost.. :-)

Nigel

Assume you do not run BGP. What can you do and what are its limitations?
 Don't focus on the configuration commands as what mechanisms will be







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42119t=42088



Re: accesslist.....bgp [7:42098]

2002-04-20 Thread Nigel Taylor

Stanzin,  Chuck,
   I had this happen to me the other day when one of our engineers made a change to the ACL on one of our BGP peer connections.  Typically all the ACLs are the same on all of our BGP connections, so when troubleshooting the problem some assumptions were made.   The problem ended up being that on a number of our connections we use the provider space for p-t-p connections. A few of the other connections are made using our own IP space. The engineer forgot to add a permit statement to the ACL to allow for the p-t-p links.  Although there was a permit ip any any at the end of the list, the anti-spoofing part of the ACL that read deny ip 192.168.0.0 0.0.0.0 any denied the BGP peering relationship.  This also filtered all icmp traffic as well.  The other interesting thing here is the local interface could not be ping'd as well...:-)

We get to have too much fun I think..

P.S. Chuck what's been going on?  Drop me a line..

Nigel

From: Chuck
Reply-To: Chuck
To: [EMAIL PROTECTED]
Subject: Re: accesslist.bgp [7:42098]
Date: Sun, 21 Apr 2002 00:17:18 -0400

we give up. post the access-list

Stanzin Takpa wrote in message news:[EMAIL PROTECTED]...

 Hi,
 I came across a strange situation.  I am running bgp b/w two routers (cisco). Whenever I configure access-list on one of the routers, the bgp routes from the router on which I configure acl are disappearing in 'sh ip routes' and I am not able to ping from one n/w to the other.

 What could be the problem?

 Stanz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42118t=42098







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42120t=42098

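An added example (not part of the thread) that checks an inbound anti-spoofing ACL against the peer's BGP session before the ACL is applied, which is the check that would have caught the missing permit for the point-to-point link. The ACL text, the 192.168.10.0/30 link addresses and the evaluator are constructed for the example; it models Cisco first-match semantics with wildcard masks and the implicit deny at the end.

```python
"""Would this inbound ACL break the BGP peering on the point-to-point link?

Added example, not from the thread.  It evaluates a Cisco-style extended
ACL (permit/deny, ip|tcp|udp|icmp, any | host A | A wildcard, optional
'eq <port>' after the source and/or destination) with the router's
first-match rule and the implicit deny at the end.  The ACL text and the
192.168.10.0/30 link addresses are constructed for the example.
"""
import ipaddress

WELL_KNOWN_PORTS = {"bgp": 179, "ssh": 22, "telnet": 23, "domain": 53}
BGP_PORT = 179

# Constructed anti-spoofing ACL, applied inbound on the peering interface.
# The point-to-point link itself sits in provider-assigned 192.168.10.0/30,
# so the third deny also swallows the peer's own packets.
BROKEN_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
"""

# Same ACL with the link permitted ahead of the anti-spoofing denies.
FIXED_ACL = """
permit ip host 192.168.10.2 host 192.168.10.1
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A W' at tok[i]; return ((net, wildcard), next)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq <port>' at tok[i]; return (port or None, next)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else WELL_KNOWN_PORTS[name]), i + 2
    return None, i


def parse_acl(text):
    """Turn ACL lines into a list of entries in the order the router tests them."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0].isdigit():                  # optional sequence number
            tok = tok[1:]
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append({"line": raw.strip(), "action": action, "proto": proto,
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries


def _addr_matches(addr, spec):
    """Cisco wildcard: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """(action, ACE text) of the first matching entry; implicit deny otherwise."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_addr_matches(s, e["src"]) and _addr_matches(d, e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny"


def bgp_session_allowed(acl_text, peer, local, ephemeral=49152):
    """True if the inbound ACL lets the peer's side of a BGP session through.

    Either router may open the TCP connection, so two flows are checked:
    the peer's SYN to our port 179, and the peer's replies from its port
    179 when we opened.  Either one passing lets the session come up.
    """
    entries = parse_acl(acl_text)
    peer_opens = evaluate(entries, "tcp", peer, local, ephemeral, BGP_PORT)[0]
    we_open = evaluate(entries, "tcp", peer, local, BGP_PORT, ephemeral)[0]
    return peer_opens == "permit" or we_open == "permit"


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        up = bgp_session_allowed(acl, "192.168.10.2", "192.168.10.1")
        ping = evaluate(parse_acl(acl), "icmp", "192.168.10.2", "192.168.10.1")
        print(f"{name}: BGP session {'up' if up else 'blocked'}; "
              f"peer ping {ping[0]} by '{ping[1]}'")
```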


Re: Summarization?? What's that? (bug report) [7:37093]

2002-03-02 Thread Nigel Taylor

John,
You might want to try using the aggregate-address command and see
what magic happens.  As a side note.. IGPs summarize, whereas BGP, being an
EGP, aggregates.

watch the word wrap..

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr
rp_r/bgp_r/1rfbgp1.htm#xtocid1

Nigel

- Original Message -
From: John Neiberger 
To: 
Sent: Sunday, March 03, 2002 12:30 AM
Subject: Summarization?? What's that? (bug report)


 While attempting to summarize some prefixes in BGP I got the
 following:

 R3#conf t
 Enter configuration commands, one per line.  End with CNTL/Z.
 R3(config)#router bgp 2010
 R3(config-router)#summa?
 % Unrecognized command
 R3(config-router)#summar?
 % Unrecognized command
 R3(config-router)#summar
^
 % Invalid input detected at '^' marker.

 R3(config-router)#?
 Router configuration commands:
   address-family   Enter Address Family command mode
   aggregate-addressConfigure BGP aggregate entries
   auto-summary Enable automatic network number
 summarization
   bgp  BGP specific commands
   default  Set a command to its defaults
   default-information  Control distribution of default
 information
   default-metric   Set metric of redistributed routes
   distance Define an administrative distance
   distribute-list  Filter networks in routing updates
   exit Exit from routing protocol configuration
 mode
   help Description of the interactive help
 system
   maximum-pathsForward packets over multiple paths
   neighbor Specify a neighbor router
   network  Specify a network to announce via BGP
   no   Negate a command or set its defaults
   redistribute Redistribute information from another
 routing protocol
   synchronization  Perform IGP synchronization
   table-mapMap external entry attributes into
 routing table
   timers   Adjust routing timers

 R3(config-router)#

 I'm thinking it might be tough to do summarization when the
 freaking command is missing!!

 This is a 2500 running 12.1(11) Enterprise Plus.  Too weird.  I
 didn't find a bug report for it on CCO but I can't be the only
 person to run into this.

 Since I don't feel like doing an upgrade right now, I'll skip
 that part.  

 John
 _
 Commercial lab list: http://www.groupstudy.com/list/commercial.html
 Please discuss commercial lab solutions on this list.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37093t=37093



Re: multicast / CGMP towards the multicast server [7:33964]

2002-02-03 Thread Nigel Taylor

Priscilla,
I had to search out the answer.  I found myself getting up
because I couldn't sleep. I believe I found what we were looking for..see
Inline.

- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Saturday, February 02, 2002 6:22 PM
Subject: Re: multicast / CGMP towards the multicast server [7:33964]


 At 06:18 AM 2/2/02, Nigel Taylor wrote:

 Even in a design where the host and the server reside on the same
 VLAN(segment) IGMP and CGMP still provide the ability to control flooding
 of multicast traffic.  Specifically, when the host multicasts the IGMP
 membership report to the group with the address 224.1.2.3(MAC
 0x0100.5E01.0203) and there's no existing mapping in its CAM table, the
 switch will flood the report on all ports in the VLAN.

 It's not the membership reports we're concerned about. It's the multicast
 traffic from the source multicast server. The question can be boiled down
 to this:

It would seem that in this case the membership reports are all that we would need to care about.

 When you enable CGMP does that mean the switch automatically stops
flooding
 multicast traffic to all devices in the VLAN? Does the switch instead wait
 for the recipients to send their membership reports, which go to the
router
 and then get converted into CGMP messages from the router to the switch?
 Only devices that have sent the membership report can receive the traffic.
 (There could be a problem if it works this way. The multicast server could
 start sending before anyone joined.)

No, when CGMP is enabled on the switch it does not stop the flooding of multicast to all devices in the VLAN.  However, as you mention, the switch does not wait until the recipients send their membership reports.  As you pointed out it's the multicast traffic from the source multicast server that's of interest.  In reading what I found, if the switch has no information in its CAM for the multicast group and the source multicast server begins sending multicast traffic, it hits the switch and does a lookup for the GDA; when it's not found the traffic is flooded out all ports in the VLAN.


 The question is not about basic IGMP and CGMP behavior. The question has
to
 do with switch behavior in the special case where the source of the
 multicast traffic is on the same switch and in the same VLAN as the
 recipients. We're concerned because that sounds like it would cause normal
 multicast flooding to kick in. For that not to happen, the switch must be
 smarter than we're thinking.

Unfortunately, the switch even with CGMP isn't that smart. The flooding of the multicast traffic would continue until a host, any host on that VLAN, sends an IGMP report to the router. The router then creates the CGMP packet that will inform the switch of which ports will receive the multicast traffic.  All other ports would be blocked except the router ports.


 However, any further
 attempts to join that existing group would then be limited to ports listed
in
 the CAM table that are eligible to receive the multicast traffic for the
 group.

 Once again we're not talking about the membership reports (joins),
although
 what you say is probably true.

 I wonder if what's also true is that the first membership report causes
the
 switch to then not forward the server's multicast traffic to any devices
 not listed in the port list in the CAM table for the multicast address.
 That would make sense. Devices have to send their joins in order to get on
 the list and get the traffic.

Here's the reason for why the IGMP joins are instrumental to this process..
Multicast packets, coming from the source, don't trigger the router to send
CGMP self-joins to the switch.


Chptr 14, pgs 412-442 of Beau Williamson's book Developing IP
 Multicast Network provides some really good info on this issue.

 I couldn't find an answer to our question. Maybe you could?? Thanks.

 And to add to the question I've been wondering about more ordinary
 multicasts, like OSPF Hellos and even BPDUs. If you enabled CGMP, would
 these not get sent to any devices that didn't implement IGMP and sent
their
 membership report? That seems kind of ugly. Maybe it's not an issue
because
 you would only use CGMP on the edge in switches that connect end devices.

I think the difference here is as someone posted earlier which defines the multicast well known MAC address as 0x0100.0cdd..  Also, with respect to IGMP capable hosts, they use the multicast address 224.0.0.2 (All Routers mcast group) to send their leave messages.  Of course this mechanism is that of IGMPv2, since under IGMPv1 there is no support for multicast leave messages.

Here's the link to what I found..

http://www.cisco.com/warp/public/105/mcastguide8.html

Nigel

 Priscilla

 The author
 does note that flat switched LAN designs will present major problems in
 gaining/maintaining control of multicast flooding.
 
 I guess this really comes down to the network design as with every other

Re: DHCP address with Cable on a Cisco router [7:34274]

2002-02-03 Thread Nigel Taylor

Randy,
  Why are you hard coding the ip into the ethernet interface?  I
believe in the 12.2 code the command
ip address dhcp should be all you need.  I use this currently with the
required NAT configurations and everything works fine.   Here's a copy of my
relevant config..

interface Ethernet0
 ip address dhcp
 ip nat outside
!
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0 overload
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

HTH

Nigel

- Original Message -
From: McHugh Randy 
To: 
Sent: Sunday, February 03, 2002 4:15 PM
Subject: DHCP address with Cable on a Cisco router [7:34274]


 Can anyone please tell me if they have been able to make a Cisco 2514 Router hold a DHCP address to an ethernet interface so I can do NAT with overload for my cable internet connection?  Once I get my dhcp address from my provider I hard code that on to eth 0 which is plugged into the cable modem on the router along with static default route with the dns info but still can't ping out to the internet from the router. DSL works fine but cable does not.


 thanks
 Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34277t=34274



Re: multicast / CGMP towards the multicast server [7:33964]

2002-02-02 Thread Nigel Taylor

Priscilla,
  You're correct in that Fears' real fear at this point has not
been answered. ;-)  In doing some quick research, I found that as you
mentioned IGMP(costly) and CGMP(a less costly solution) would assist in
providing one the ability to control multicast flooding. This is what I
found...

Even in a design where the host and the server reside on the same
VLAN(segment) IGMP and CGMP still provide the ability to control flooding
of multicast traffic.  Specifically, when the host multicasts the IGMP
membership report to the group with the address 224.1.2.3(MAC
0x0100.5E01.0203) and there's no existing mapping in its CAM table, the
switch will flood the report on all ports in the VLAN.  However, any further
attempts to join that existing group would then be limited to ports listed in
the CAM table that are eligible to receive the multicast traffic for the
group.   Chptr 14, pgs 412-442 of Beau Williamson's book Developing IP
Multicast Network provides some really good info on this issue.   The author
does note that flat switched LAN designs will present major problems in
gaining/maintaining control of multicast flooding.

I guess this really comes down to the network design as with every other
aspect of building a scalable and efficient network.

Thoughts.. Anyone!

Nigel




 At 09:28 PM 2/1/02, Nigel Taylor wrote:
 Priscilla,
  You are correct.  Thanks for the added insight.
 
 Nigel

 You are nice to say this, but you know what I realized?! My answer doesn't
 resolve the quandary either! ;-)

 I now think that Fears' real fears had to do with the recipients and the
 server being on the same VLAN. This might cause the switch to forward the
 multicast traffic before it even checks the results of CGMP. The switch
may
 do its default multicast flooding to ports in a VLAN and just make use of
 CGMP to learn about other ports. Am I making any sense? It's late. ;-)

 My guess it that the answer is still that CGMP is smart. Once you
configure
 it, the switch knows to not do its normal multicast flooding and instead
 wait to hear from the router regarding which ports should receive the
 multicast flow. Hopefully someone can confirm that.

 Priscilla


 - Original Message -
 From: Priscilla Oppenheimer
 To:
 Sent: Friday, February 01, 2002 2:03 PM
 Subject: Re: multicast / CGMP towards the multicast server [7:33964]
 
 
   No offence, but that answer doesn't remove the quandary. The entire
 switch
   is a segment from the router's point of view. The router receives the
 IGMP
   Join and now knows that packets for that multicast group must be sent
out
   that interface to that Ethernet segment. All devices on the switch are
 out
   that interface, however.
  
   What Fears fears is that the router won't be smart enough to tell the
   switch that not all devices connected to the switch should receive the
   multicast stream.
  
   But fear not, Fears. CGMP is smarter than you might think. Here's how
I
   understand it. Correct me if I'm wrong, please (anyone).
  
   As you know, when a host wants to join an IP multicast group, it sends
an
   IGMP Join message. The Join specifies the host's MAC address and the
IP
   multicast group that it wants to join.
  
   When a router receives the IGMP Join, it creates a CGMP message that
   contains the MAC address of the host and the multicast group address.
The
   router sends the CGMP message to a well-known address that all
switches
   listen to. When a Catalyst switch receives the CGMP message from the
   router, the supervisor engine responds by modifying the forwarding
table
   automatically. In other words, it now knows the specific port that
must
   receive the multicast stream. Other hosts on different ports may Join
 also,
   and the switch will add them to the table.
  
   This is different from IGMP Snooping, by the way. From what I
understand,
   IGMP Snooping allows the switch to proactively snoop into IGMP packets
 and
   figure out which ones are Joins. IGMP Snooping requires more powerful
 (and
   more expensive) switching hardware (firmware).
  
   Priscilla
  
   At 10:18 PM 1/31/02, Nigel Taylor wrote:
   Michael,
 Of course this would depend on if the multicast server
and
 the
   host connected on the same switch was assigned to the same
 vlan(broadcast
   domain).  Just some quick points to mention..
   
   Routers by default will not forward multicast traffic.  However, if
you
   enabled a multicast routing protocol(PIM, DVMRP) then this is
possible.
 The
   important thing here is that IGMP is used by hosts to inform routers
of
   their intent to become part of a multicast stream.  This depends on
your
   implementation of the multicast protocol.  IGMPv2 has been improved
to
   support leaves from a multicast group which is not supported in
IGMPv1.
   This way the host is able to notify the source of it's intent to
leave
 the
   multicast group.  This is will allow the routers to prune

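An added example (not from the thread) that models the switch behaviour this thread settles on, for this message and the 2002-02-03 one above: the source's traffic floods the VLAN until some host's IGMP report, relayed by the router as a CGMP join, installs a port list for the group MAC; the source's own packets never create that entry. The 224.1.2.3 to 0100.5e01.0203 mapping is the one quoted in the thread; the ports, host MACs and router port are constructed.

```python
"""Flooding vs CGMP-constrained forwarding for a multicast source that sits
in the same VLAN as its receivers.

Added example, not from the thread.  It models the behaviour the thread
arrives at: with no CAM entry for the group MAC the switch floods the
source's frames to every port in the VLAN; only an IGMP report, relayed by
the router as a CGMP join, installs a port list.  Ports, host MACs and the
router port are constructed; the group-to-MAC mapping is the standard one.
"""
import ipaddress


def group_mac(group_ip):
    """IP multicast group -> 01-00-5E MAC built from the low 23 bits.

    Because only 23 bits survive, 32 groups share one MAC, e.g. 224.1.2.3
    and 239.129.2.3 both map to 0100.5e01.0203.
    """
    addr = ipaddress.IPv4Address(group_ip)
    if not addr.is_multicast:
        raise ValueError(f"{group_ip} is not a multicast group")
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    hex12 = f"{mac:012x}"
    return f"{hex12[0:4]}.{hex12[4:8]}.{hex12[8:12]}"   # Cisco dotted form


class CgmpSwitch:
    """One VLAN of a CGMP-capable switch, with the router on one port."""

    def __init__(self, ports, router_port):
        self.ports = set(ports)
        self.router_port = router_port
        self.unicast_cam = {}     # host MAC -> port, learned from source MACs
        self.group_cam = {}       # group MAC (GDA) -> set of egress ports

    def learn(self, mac, port):
        self.unicast_cam[mac] = port

    def forward(self, in_port, dst_mac):
        """Egress ports for a frame to dst_mac arriving on in_port."""
        if dst_mac in self.group_cam:
            out = set(self.group_cam[dst_mac])
        else:
            out = set(self.ports)          # no CAM entry: flood the VLAN
        out.discard(in_port)
        return out

    def igmp_report(self, host_mac, in_port, group_ip):
        """A host sends an IGMP membership report to the group address.

        The switch forwards it like any group frame; if that reaches the
        router, the router answers with a CGMP join for (GDA, USA).
        """
        gda = group_mac(group_ip)
        self.learn(host_mac, in_port)
        reached = self.forward(in_port, gda)
        if self.router_port in reached:
            self.cgmp_join(gda, host_mac)
        return reached

    def cgmp_join(self, gda, usa):
        """CGMP join from the router: GDA = group MAC, USA = host MAC.
        The switch resolves USA to a port through its unicast CAM."""
        port = self.unicast_cam[usa]
        self.group_cam.setdefault(gda, {self.router_port}).add(port)

    def cgmp_leave(self, gda, usa):
        """IGMPv2 leave (sent to 224.0.0.2) -> router -> CGMP leave.
        IGMPv1 has no leave, so under v1 this entry would age out instead."""
        port = self.unicast_cam.get(usa)
        members = self.group_cam.get(gda)
        if members and port in members:
            members.discard(port)
            if members == {self.router_port}:
                del self.group_cam[gda]   # last receiver gone: back to flooding


def walkthrough():
    """Constructed scenario: source on port 1, hosts A (port 2) and B (port 3),
    router on port 9, all in one VLAN.  Returns the egress ports of a frame
    from the source after each step."""
    sw = CgmpSwitch(ports=[1, 2, 3, 9], router_port=9)
    gda = group_mac("224.1.2.3")
    src, host_a, host_b = "0000.0000.0001", "0000.0000.000a", "0000.0000.000b"
    sw.learn(src, 1)
    steps = {}
    steps["no members"] = sw.forward(1, gda)         # source alone: flooded
    sw.igmp_report(host_a, 2, "224.1.2.3")
    steps["A joined"] = sw.forward(1, gda)           # A plus the router port
    sw.igmp_report(host_b, 3, "224.1.2.3")
    steps["A and B joined"] = sw.forward(1, gda)
    sw.cgmp_leave(gda, host_a)
    steps["A left"] = sw.forward(1, gda)
    sw.cgmp_leave(gda, host_b)
    steps["all left"] = sw.forward(1, gda)           # entry removed: flooding again
    return steps


if __name__ == "__main__":
    for step, ports in walkthrough().items():
        print(f"{step:15s} -> {sorted(ports)}")
```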
Re: Multicast in catalyst 6500 environment [7:34192]

2002-02-02 Thread Nigel Taylor

Mitch,
 See Inline...

- Original Message -
From: Eve Mitch 
To: 
Sent: Saturday, February 02, 2002 7:18 AM
Subject: Multicast in catalyst 6500 environment [7:34192]


 Hi all,

 Have 2 Catalyst 6509 with sup2 and MSFC2 modules in each switch in the
core.
 And 4 Catalyst 6509 with sup2 in the access layer.
 Have about 10 VLAN using ISL. There is a multicast server connected to
 vlan 10 on CoreSwitch1.

 Is using pim dense mode on the MSFC2 and igmp snooping enable on all sup2
 modules enough to allow PC1 connected to one of the
 access switches (AS1) in vlan 2 to receive multicast,or is CGMP
 configuration necessary?

In a most recent thread (thanks Mike, Priscilla) I personally have been motivated to improve my understanding of multicast. Based on what you've mentioned, since you have IGMP snooping enabled this would allow the switch to snoop on IGMP messages between the MSFC2 and any host. Basically, as I understand it.. IGMP and CGMP are mechanisms that provide similar control over the flooding of multicast traffic. The difference is that with CGMP the MSFC is now able to speak directly to the sup2, providing information about which ports will receive the multicast.


 I don't want that if one user in vlan 2 is receiving multicast that all
 these multicast stream also past the trunks to AS2,AS3 and AS4.
 Is there a way to prevent this.

In using dense-mode PIM this is the desired/normal behavior.  If you're
interested in limiting who and where the multicast traffic should be
sent/forwarded, maybe you should look at sparse-mode PIM.


 Any url or documentation where this issue are discussed clearly are
 appreciated.

http://www.cisco.com/warp/public/473/22.html#IGMP%20%Snooping

http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Mult
icasts=Implementation_and_Configuration#Samples_%26_Tips

watch the word wrap..

HTH

Nigel

 Thanks for your help.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34196t=34192



Re: Off Topic - CCIE LAB and NDA [7:34244]

2002-02-02 Thread Nigel Taylor

Chuck,
   Thanks... for another great post.  Maybe we could get Paul to
make this standard reading for all who join the list, this way we avoid what
we all fear...I dare not say the letters..for they spell fear themselves..
Of course the letters I refer to are NDA!

This definitely is Food for Thought

Nigel

- Original Message -
From: Chuck Larrieu 
To: 
Sent: Sunday, February 03, 2002 12:32 AM
Subject: Off Topic - CCIE LAB and NDA [7:34244]


 before I shut down for the evening, a few random thoughts on the CCIE Lab
 and NDA. Inspired by several posts here of late from persons asking about
 topology, IOS versions, or speaking of rumors about equipment changes.

 1) It is unclear what really constitutes NDA. Caslow? The ECP1 class?
NLI's
 practice labs? Caslow's new prep class? Cisco's own ASET lab? All of these
 could be considered violations of NDA in many ways, from topic content to
 lab topology. Cisco's own ASET program used real but retired CCIE labs.

 2) what is it Cisco really considers CCIE level skill? In the past, things
 like DecNet, Apollo, and Vines were core topics. Cisco has recently
dropped
 those, plus ATM LANE, presumably in response to market conditions. Which
 leads one to ask - why token ring? The only real world token ring project
I
 have been involved with the past couple of years is ripping them out and
 replacing them with ethernet. The apologia that there are still some major
 token ring networks around is a bit lame. There are still some major
DecNet
 networks around, I'm sure. Until very recently ( and maybe they still
are ),
 a major utility company out this way was still running Vines. As was the
U.S
 Navy.

 3) Is the CCIE a forward looking certification or not? Based on what I am
 seeing in the marketplace, the advanced skill levels that one needs to
meet
 demand center around VPN, VoIP, wireless, security, and the underlying
 infrastructure required to support these technologies. that means lots of
 QoS, switching, L2-L3 interaction, ATM, giga-whatever, etc.

 I would purely love to see discussed good focused discussion on core
 competencies, core issues. But there is that awful specter of NDA that
hangs
 over all of our heads.

 In a very strange way, NDA is kinda like Santa Claus and the Easter Bunny.
 We all know what's in the Lab. We all know what study materials are
designed
 to model the Lab. But we don't dare speak the truth in front of the
children
 ( those who haven't been yet ) for fear that some higher authority will
 trounce on us if we do.

 I'm not sure if there is a real point to this message. Maybe what I want
to
 say to all of those who keep asking about Lab equipment, Lab topology, Lab
 IOS versions, and the like, is that understanding of the core topics is
the
 most important thing. If you have them down cold, the equipment and the
 topology will not matter.

 I'd like to comment on the rumor about changes in the equipment, but that
 damn NDA.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34248t=34244



Re: multicast / CGMP towards the multicast server [7:33964]

2002-02-01 Thread Nigel Taylor

Priscilla,
You are correct.  Thanks for the added insight.

Nigel

- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Friday, February 01, 2002 2:03 PM
Subject: Re: multicast / CGMP towards the multicast server [7:33964]


 No offence, but that answer doesn't remove the quandary. The entire switch
 is a segment from the router's point of view. The router receives the IGMP
 Join and now knows that packets for that multicast group must be sent out
 that interface to that Ethernet segment. All devices on the switch are out
 that interface, however.

 What Fears fears is that the router won't be smart enough to tell the
 switch that not all devices connected to the switch should receive the
 multicast stream.

 But fear not, Fears. CGMP is smarter than you might think. Here's how I
 understand it. Correct me if I'm wrong, please (anyone).

 As you know, when a host wants to join an IP multicast group, it sends an
 IGMP Join message. The Join specifies the host's MAC address and the IP
 multicast group that it wants to join.

 When a router receives the IGMP Join, it creates a CGMP message that
 contains the MAC address of the host and the multicast group address. The
 router sends the CGMP message to a well-known address that all switches
 listen to. When a Catalyst switch receives the CGMP message from the
 router, the supervisor engine responds by modifying the forwarding table
 automatically. In other words, it now knows the specific port that must
 receive the multicast stream. Other hosts on different ports may Join
also,
 and the switch will add them to the table.

 This is different from IGMP Snooping, by the way. From what I understand,
 IGMP Snooping allows the switch to proactively snoop into IGMP packets and
 figure out which ones are Joins. IGMP Snooping requires more powerful (and
 more expensive) switching hardware (firmware).

 Priscilla

 At 10:18 PM 1/31/02, Nigel Taylor wrote:
 Michael,
   Of course this would depend on if the multicast server and
the
 host connected on the same switch was assigned to the same vlan(broadcast
 domain).  Just some quick points to mention..
 
 Routers by default will not forward multicast traffic.  However, if you
 enabled a multicast routing protocol(PIM, DVMRP) then this is possible.
The
 important thing here is that IGMP is used by hosts to inform routers of
 their intent to become part of a multicast stream.  This depends on your
 implementation of the multicast protocol.  IGMPv2 has been improved to
 support leaves from a multicast group which is not supported in IGMPv1.
  This way the host is able to notify the source of its intent to leave
 the
  multicast group.  This will allow the routers to prune the multicast
 traffic from the segment removing the unnecessary traffic, providing no
 other host on the segment remains a member of the multicast stream
 
 A good title as recommended by a number of folks on the list is
Developing
 IP Multicast Networks
 Author: Beau Williamson.  ISBN: 157870779
 
 HTH
 
 Nigel
 
 
 
  Original Message -
 From: Fears Michael S SSgt 50 CS/SCBBN
 To:
 Sent: Thursday, January 31, 2002 4:59 PM
 Subject: multicast / CGMP towards the multicast server [7:33964]
 
 
   If a multicast server is connected to a Cisco Switch running CGMP, and
   several hosts are connected to the same switch, will a router turn off
 the
   switch ports for the users that are not requesting the multicast?
  
   So, will CGMP work back towards the multicast server?
  
   Fears
 

 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34159t=33964
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
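The Join and Leave handling described in this thread can be seen in code. The block below is an added example, not code from the original posts, from Cisco or from any switch: it parses IGMPv2 Membership Report (Join) and Leave Group messages out of raw Ethernet frames, maps each group to its 01:00:5e multicast MAC, and maintains the per-port membership table that a snooping switch, or a supervisor fed by CGMP, derives from those messages. A port is pruned only when the last host on it has left, which is the "providing no other host on the segment remains a member" condition above. Every frame, host MAC, IP address and port number is constructed for the example, and the IP and IGMP checksums are verified before a message is allowed to change the table, so a corrupted or forged report is dropped rather than trusted.

```python
"""Added example (not code from the original thread): parse IGMPv2 reports and
leaves out of raw Ethernet frames and keep the per-port membership table that
a snooping switch, or a CGMP-driven supervisor, builds from them.
All frames, MACs, IP addresses and port numbers below are constructed."""
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_IGMP = 2
IGMP_V2_MEMBERSHIP_REPORT = 0x16   # the "Join"
IGMP_LEAVE_GROUP = 0x17            # IGMPv2 only; IGMPv1 has no Leave
ALL_ROUTERS = "224.0.0.2"          # Leave messages are sent here, not to the group


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def group_to_mac(group: str) -> str:
    """RFC 1112 mapping: low 23 bits of the group under 01:00:5e (32 groups per MAC)."""
    o = [int(x) for x in group.split(".")]
    if not 224 <= o[0] <= 239:
        raise ValueError("not a multicast group: %s" % group)
    return "01:00:5e:%02x:%02x:%02x" % (o[1] & 0x7F, o[2], o[3])


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_igmp_frame(src_mac: str, src_ip: str, msg_type: int, group: str) -> bytes:
    """Construct an Ethernet/IPv4/IGMPv2 frame as sample input (no IP options)."""
    igmp = struct.pack("!BBH4s", msg_type, 0, 0, socket.inet_aton(group))
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    dst_ip = group if msg_type == IGMP_V2_MEMBERSHIP_REPORT else ALL_ROUTERS
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, 1, IPPROTO_IGMP,
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = mac_bytes(group_to_mac(dst_ip)) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + igmp


def parse_igmp(frame: bytes):
    """Return {'src_mac', 'type', 'group'} for a valid IGMPv2 message, else None.
    The host MAC comes from the Ethernet source address, the group from the IGMP body."""
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_IGMP or inet_checksum(ip[:ihl]) != 0:
        return None
    igmp = ip[ihl:total_len]
    # Anything whose checksum fails (truncated, corrupted, forged) never reaches the table.
    if len(igmp) < 8 or inet_checksum(igmp) != 0:
        return None
    msg_type, _max_resp, _csum, group = struct.unpack("!BBH4s", igmp[:8])
    return {"src_mac": mac_str(frame[6:12]), "type": msg_type, "group": socket.inet_ntoa(group)}


class MembershipTable:
    """group -> port -> set of host MACs; a port is pruned only when its last host leaves."""

    def __init__(self):
        self.members = defaultdict(lambda: defaultdict(set))

    def process(self, port: int, frame: bytes):
        msg = parse_igmp(frame)
        if msg is None:
            return None
        group, host = msg["group"], msg["src_mac"]
        if msg["type"] == IGMP_V2_MEMBERSHIP_REPORT:
            self.members[group][port].add(host)
        elif msg["type"] == IGMP_LEAVE_GROUP:
            hosts = self.members[group][port]
            hosts.discard(host)
            if not hosts:
                del self.members[group][port]
            if not self.members[group]:
                del self.members[group]
        return msg

    def egress_ports(self, group: str) -> frozenset:
        """Ports that must receive the stream for this group."""
        return frozenset(self.members.get(group, {}))
```

A real switch does a little more than this table: on a Leave it normally sends a group-specific query and waits for the response timer before pruning, and IGMPv3 reports carry several group records per message. The 23-bit MAC mapping is worth noticing from a security angle: 239.1.2.3 and 239.129.2.3 share the MAC 01:00:5e:01:02:03, so a switch that keys its table on the MAC alone delivers both groups to any port that joined either.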



Re: multicast / CGMP towards the multicast server [7:33964]

2002-01-31 Thread Nigel Taylor

Michael,
  Of course this would depend on if the multicast server and the
host connected on the same switch were assigned to the same VLAN (broadcast
domain).  Just some quick points to mention..

Routers by default will not forward multicast traffic.  However, if you
enabled a multicast routing protocol (PIM, DVMRP) then this is possible.  The
important thing here is that IGMP is used by hosts to inform routers of
their intent to become part of a multicast stream.  This depends on your
implementation of the multicast protocol.  IGMPv2 has been improved to
support leaves from a multicast group, which is not supported in IGMPv1.
This way the host is able to notify the source of its intent to leave the
multicast group.  This will allow the routers to prune the multicast
traffic from the segment, removing the unnecessary traffic, providing no
other host on the segment remains a member of the multicast stream.

A good title as recommended by a number of folks on the list is Developing
IP Multicast Networks
Author: Beau Williamson.  ISBN: 157870779

HTH

Nigel



 Original Message -
From: Fears Michael S SSgt 50 CS/SCBBN 
To: 
Sent: Thursday, January 31, 2002 4:59 PM
Subject: multicast / CGMP towards the multicast server [7:33964]


 If a multicast server is connected to a Cisco Switch running CGMP, and
 several hosts are connected to the same switch, will a router turn off the
 switch ports for the users that are not requesting the multicast?

 So, will CGMP work back towards the multicast server?

 Fears




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34001t=33964



Re: ATM Sniffers [7:32624]

2002-01-20 Thread Nigel Taylor

Gil,
We use DS Sniffer Pro 4.5 with the ATM book and we also have the Wandel
and Goltermann Domino analyzer.  Both are really good pieces of test equipment.

HTH

Nigel

- Original Message -
From: Gil Shulman 
To: 
Sent: Sunday, January 20, 2002 6:11 AM
Subject: ATM Sniffers [7:32624]


 Hi all,

 I was wondering if anybody has a good experience with some kind of ATM
 sniffer for STM-1 or ATM over E1.
 Recently I tried working with the prismalight and I got less than satisfying
 results.

 Any inputs will be appreciated.

 Gil






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32625t=32624



Re: Static route loacd balancing? [7:31715]

2002-01-12 Thread Nigel Taylor

Cisco Breaker,
   I was thinking.

One route to guide them,
One static route to override them,
One floating static to load-balance them,
And in the RIB make them all equal..

Just saw the movie...:-   forgive my waste of bandwidth.

Nigel

- Original Message -
From: Cisco Breaker 
To: 
Sent: Saturday, January 12, 2002 7:05 AM
Subject: Static route loacd balancing? [7:31715]


 Hi all,

 My customer wants a load balancing solution to a branch office. He heard that
 it can be done with static routes, but as I know load balancing can't be
 done by deploying static routes. Any help about this? Can it be done or how
 effective will it be?

 Best regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31717t=31715



Re: Exec Command [7:31713]

2002-01-12 Thread Nigel Taylor

Ed,
 Here's a link that may help explain it all. Watch the word wrap.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fdial_c/fnsprt2/dafadmod.htm#998788


Nigel


- Original Message -
From: Ed Chuchaisri 
To: 
Sent: Saturday, January 12, 2002 5:45 AM
Subject: Exec Command [7:31713]


 Could anyone help me clarify the Exec command and what it actually does?
 I had some problem with the TTY lines and after I turned off the exec,
 everything works fine, but I still don't know what this command does.

 Thanks,

 Ed
 www.router4u.com
 Affordable Router Lab




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31718t=31713



Re: xmodem on a 4500 not working?? [7:31733]

2002-01-12 Thread Nigel Taylor

Cisco Nuts,
  Short of using the X-modem feature on the 4500's cisco
simply states that you would need another router of the same model.  I'm not
sure if this procedure works but it's worth a try.

http://www.cisco.com/warp/public/471/76.html

Nigel

- Original Message -
From: Cisco Nuts 
To: 
Sent: Saturday, January 12, 2002 11:43 AM
Subject: xmodem on a 4500 not working?? [7:31733]


 Hello, I am trying to upgrade a c4500 router running ver. 10.3.  At the
 rommon prompt when I type the command xmodem -c , it gives
 me a command not found error msg. When I do a ? at the prompt, I do not
 see xmodem or the ymodem command listed. Would someone advise me as to
 how I can upgrade this puppy?  Thank you.

 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31737t=31733



Re: Compresses Cisco IOS to fit onto a smaller fla [7:31729]

2002-01-12 Thread Nigel Taylor

Paul,
   I believe at one time Cisco supported the 2500's much like the older
1004/1005 router where they used the PCMCIA as the flash upgrade method of
choice.  I have a couple of 2500's with the PCMCIA slot and after trying a
number of different cards I gave up my quest to use the slot.
This is what CCO has to say about it..

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/cis2500/2500cfig/59375.htm

Nigel


- Original Message -
From: Paul Borghese 
To: 
Sent: Saturday, January 12, 2002 1:26 PM
Subject: Re: Compresses Cisco IOS to fit onto a smaller fla [7:31729]


 Hey as a side note.  Does anyone know what that PCMCIA slot inside the 25xx
 routers is used for?  It looks as if you can add Flash via a PCMCIA card.
 It is not worth it as Flash is so inexpensive, but it would be neat to try.

 Paul
 - Original Message -
 From: Brad Ellis
 To:
 Sent: Saturday, January 12, 2002 11:31 AM
 Subject: Re: Compresses Cisco IOS to fit onto a smaller fla [7:31729]


  I would highly recommend AGAINST using it.  We used to use it and had all
  sorts of strange problems with the newly created compressed IOS.  You also
  have to have an extra amount of DRAM available for the created image to be
  decompressed into RAM.
 
  Flash and DRAM are so cheap these days, you'd be better off upgrading the
  memory.  Also, MZMaker is only applicable with uncompressed run-from-flash
  IOS (ie, 2500 series routers and the old 1600 series routers).  Again, I'd
  highly recommend against it.
 
  thanks,
  -Brad Ellis
  CCIE#5796 (RS / Security)
  Network Learning Inc
  [EMAIL PROTECTED]
  used Cisco gear:  www.optsys.net
  CCIE Labs, racks, and classes:
http://www.ccbootcamp.com/quicklinks.html
  Circusnuts wrote in message news:[EMAIL PROTECTED]...
   Yes- the program is called MZMaker and can only be applied to IOS that
   is run from RAM only.
  
   All the best !!!
   Phil
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of
   Richard
   Sent: Saturday, January 12, 2002 2:57 AM
   To: [EMAIL PROTECTED]
   Subject: Compresses Cisco IOS to fit onto a smaller flash size.
   [7:31710]
  
   I wonder if anyone has tried to compress a larger Cisco IOS to fit onto a
   router with a smaller flash. If so, I'd appreciate some pointers.
  
  
   Thanks
   _
   Do You Yahoo!?
   Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31738t=31729




Re: Howard Berkowitz to speak at EveCon 19 [7:30121]

2001-12-26 Thread Nigel Taylor

Chuck,
You'll get my vote on being the Saruman!  Howard, is it possible
that there might be a few copies of your new book on hand for sale?  I got
to thinking a signed copy would do nicely for all of us who haven't seen the
movie yet...Imagine that, a book signed by the Gandalf of Networking.

Priscilla, thanks for the thought.  Sounds like ebay material to me... :-

Nigel

- Original Message -
From: Chuck Larrieu 
To: 
Sent: Wednesday, December 26, 2001 8:33 PM
Subject: Re: Howard Berkowitz to speak at EveCon 19 [7:30121]


 who's the Balrog of networking? who's the Saruman?


 Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
  So, completely OT, but has anyone seen the first LOTR movie yet? Is it any
  good? I think Howard could be considered the Gandalf of networking. ;-)
 
  Priscilla
 
 
  At 04:53 PM 12/26/01, Bruce Evry wrote:
  Dear Friends,
  
   Howard Berkowitz will be doing a presentation this coming
 weekend,
  where he will combine his knowledge of Network Design with his
expertise
  at all things Monty Python. Should be fascinating!
  
   EveCon 19 is a Science Fiction and Fact convention, that in
  addition to several other talks on computer topics (and routing...) has
  such things as Costume workshops, Chainmail lessons, 24 hour movies on
a
  180 inch projection tv, and the traditional drummers and belly dancers.
  
   Place is the Sheraton Reston Hotel in sunny Reston, Virginia.
   The convention runs from Friday until Sunday, non-stop. Cost
 $30.
   Howard's presentation will be at 3 pm in the Video Room.
   Bring your own Parrot!
  
   Yours Truly - Bruce Evry
  
 
  Priscilla Oppenheimer
  http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=30141t=30121



Re: Latest Hackers Target: Routers - thoughts! [7:29917]

2001-12-22 Thread Nigel Taylor

I was hoping that the minutes/discussion notes from the IDR working group
were going to be made available on the web or through a list-server.  I
briefly read through Sandra Murphy's draft and, based on the security model
(for origination/adjacency protection), it sounds somewhat like the model in
place for SSL based security.

I have been reading William Stallings' Cryptography and Network Security
and he makes some of what I think (having limited knowledge) are some good
suggestions in appending the information (key or signatures) of peers to the
FCS.  His example draws upon peer-to-peer connections, which allows the TCP
header to become another level of security based on its ability to sequence
packets and its use of a checksum.

Stallings also addresses another issue mentioned in Sandra Murphy's draft
known to MD5, collisions.  Based on the performance issues with implementing
suitable security for the information exchanged between peers, are there
currently any discussions on possibly implementing any other forms of
security beyond MD5 and IPSec?

Nigel


- Original Message -
From: Howard C. Berkowitz 
To: 
Sent: Friday, December 21, 2001 11:27 AM
Subject: Re: Latest Hackers Target: Routers [7:29844]


 Chuck and Andreas,
  I take note of the fact that authentication
 can add major increases to the time taken in forming neighbor peer
 relationships.  Yes, MD5 based authentication as I suggested in my original
 post is currently the operational model, but it was noted in RFC 2385 that
 MD5 was considered weak.
 
 Nigel .
 
 I guess this issue just spells out MPLS/VPN...


 But MPLS inherently offers no more security than BGP. RFC2547 and
 RFC2547 bis, as well as several other proposals, use BGP to
 distribute reachability information.  The various link setup
 protocols have no particular security.

 The problem becomes more tractable if you look at the main place for
 security, QoS, etc., being at the edge.  If a hacker has managed to
 crack a major interprovider link or a major core link, you have even
 more serious problems with sniffing.

 Encrypting, even with IPsec, the connections from customers to their
 first upstream is much more feasible. Most customers don't get full
 routes anyway. Other precautions can be used at the edge, such as
 ingress filtering of source addresses/unicast reverse path
 verification, peer count limits, and traffic shaping directed against
 DoS attacks.

 There is a current discussion in the IDR working group that
 resurrects and updates Sandy Murphy's BGP security analysis.

 Not a very first step, but in the BMWG work on BGP convergence, we do
 plan to have an option for measuring the overhead of MD5.

 
 
 - Original Message -
 From: Chuck Larrieu
 To:
 Sent: Friday, December 21, 2001 3:16 AM
 Subject: RE: Latest Hackers Target: Routers [7:29844]
 
 
   I know from my studies that there is BGP neighbor md5 authentication.
 
   Somewhere in my reading I seem to recall that employing authentication
 can
   add 50-100% to the time it takes a neighbor relationship to form. Fine
 for
   lab work. maybe not so fine in the world of the production ISP.
 
   phrak, this is all we need. ISP's start preventing BGP packets from
any
 but
   known and trusted sources to cross their networks and there go the
 internet
   BGP practice labs.
 
   damn anarchists.
 
   Chuck
 
   ---
   neighbor password
   To enable Message Digest 5 (MD5) authentication on a TCP connection
 between
   two Border Gateway Protocol (BGP) peers, use the neighbor password
router
   configuration command. To disable this function, use the no form of
this
   command.
 
   neighbor {ip-address | peer-group-name} password string
   ---
 
 
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
   Andras Bellak
   Sent: Thursday, December 20, 2001 9:59 PM
   To: [EMAIL PROTECTED]
   Subject: RE: Latest Hackers Target: Routers [7:29844]
 
 
   Nigel-
 
   If you dig back through the NANOG archives, there was a rather in
depth
   and discouraging discussion of encrypting / authorizing BGP session
   neighbors. The general result was that almost nobody supported it, and
   many in the ISP groups that offer BGP connectivity didn't even know
what
   it was.
 
   While it might or might not be on the CCIE exams, having some form of
   authentication between routing partners is a good thing to practice in
   your test labs, and put into production in your networks.
 
   Andras
 
   -Original Message-
   From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
   Sent: Thursday, December 20, 2001 8:33 PM
   To: [EMAIL PROTECTED]
   Subject: Re: Latest Hackers Target: Routers [7:29844]
 
 
   Chuck,
Yes, I got the thread on this today and forwarded a copy
to
   some of my co-workers.  I hope folks are making use of the various IOS
   implementations to limit the damage done by a prospective attacker

Re: Latest Hackers Target: Routers [7:29844]

2001-12-21 Thread Nigel Taylor

Chuck and Andreas,
  I take note of the fact that authentication
can add major increases to the time taken in forming neighbor peer
relationships.  Yes, MD5 based authentication as I suggested in my original
post is currently the operational model, but it was noted in RFC 2385 that
MD5 was considered weak.

Nigel .

I guess this issue just spells out MPLS/VPN...


- Original Message -
From: Chuck Larrieu 
To: 
Sent: Friday, December 21, 2001 3:16 AM
Subject: RE: Latest Hackers Target: Routers [7:29844]


 I know from my studies that there is BGP neighbor md5 authentication.

 Somewhere in my reading I seem to recall that employing authentication can
 add 50-100% to the time it takes a neighbor relationship to form. Fine for
 lab work. maybe not so fine in the world of the production ISP.

 phrak, this is all we need. ISP's start preventing BGP packets from any but
 known and trusted sources to cross their networks and there go the internet
 BGP practice labs.

 damn anarchists.

 Chuck

 ---
 neighbor password
 To enable Message Digest 5 (MD5) authentication on a TCP connection
between
 two Border Gateway Protocol (BGP) peers, use the neighbor password router
 configuration command. To disable this function, use the no form of this
 command.

 neighbor {ip-address | peer-group-name} password string
 ---





 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Andras Bellak
 Sent: Thursday, December 20, 2001 9:59 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Latest Hackers Target: Routers [7:29844]


 Nigel-

 If you dig back through the NANOG archives, there was a rather in depth
 and discouraging discussion of encrypting / authorizing BGP session
 neighbors. The general result was that almost nobody supported it, and
 many in the ISP groups that offer BGP connectivity didn't even know what
 it was.

 While it might or might not be on the CCIE exams, having some form of
 authentication between routing partners is a good thing to practice in
 your test labs, and put into production in your networks.

 Andras

 -Original Message-
 From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, December 20, 2001 8:33 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Latest Hackers Target: Routers [7:29844]


 Chuck,
  Yes, I got the thread on this today and forwarded a copy to
 some of my co-workers.  I hope folks are making use of the various IOS
 implementations to limit the damage done by a prospective attacker.
 Things
 like CBAC, rate-limit could go a long way in simply providing the needed
 time to identify a serious attack and implement more specific filtering
 techniques to identify or completely block the attacker.

 As it applies to the sniffing of BGP packets to gain route information,
 I
 was wondering where do things stand now on the implementation of
 encrypted
 authentication within BGP.  If I'm not mistaken, isn't this supposed to
 happen along with support for IPv6.  This document references
 authentication which sounds like the existing support for MD5 based
 authentication.

 http://search.ietf.org/internet-drafts/draft-ietf-idr-bgp4-16.txt  (pg
 9(a) )


 Now this document does seem to address current issues with respect to the
 flaws/vulnerabilities inherent to all TCP based protocols. The important
 thing to note is this can be done without the presence of an MPLS-aware
 backbone based on the model identified by RFC2547bis (MPLS/VPN).

 http://search.ietf.org/internet-drafts/draft-declercq-bgp-ipsec-vpn-01.t
 xt


 Thoughts anyone..

 Nigel .

 - Original Message -
 From: Chuck Larrieu
 To:
 Sent: Thursday, December 20, 2001 10:14 PM
 Subject: RE: Latest Hackers Target: Routers [7:29810]


  anyone see a thread about this on NANOG today? The archives are not up
 to
  date with today's topics.
 
  Chuck
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Eric Rogers
  Sent: Thursday, December 20, 2001 1:29 PM
  To: [EMAIL PROTECTED]
  Subject: OT: Latest Hackers Target: Routers [7:29810]
 
 
  Paste into your browser:
 
  dailynews.yahoo.com/h/cmp/20011217/tc/inw20011217s0004_1.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29871t=29844
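The `neighbor password` command Chuck quotes turns on the TCP MD5 Signature Option of RFC 2385, the mechanism this thread keeps returning to. The block below is an added example, not code from the original posts, from Cisco or from the RFC: it computes and verifies that option in Python as MD5 over the IPv4 pseudo-header, the 20-byte TCP header with the checksum field zeroed and options excluded, the segment data, and the shared key, in that order. The peer addresses (from the 192.0.2.0/24 documentation range), port numbers, sequence numbers and key are all constructed for the example. The checks at the end show what the option does and does not do for the concern Nigel raises about sniffing: a captured segment is still fully readable (the BGP KEEPALIVE payload is in the clear), while a captured-and-modified segment, a spoofed RST signed with a guessed key, a segment with no signature at all, or a segment from the wrong source address fails verification and is dropped.

```python
"""Added example (not code from the original thread, Cisco or the RFC):
sign and verify TCP segments with the RFC 2385 MD5 signature option.
Addresses, ports, sequence numbers and the key are constructed."""
import hashlib
import hmac
import socket
import struct

TCP_OPT_NOP = 1
TCP_OPT_MD5 = 19            # kind 19, length 18 (kind, length, 16-byte digest)
TCP_FLAG_RST = 0x04
TCP_FLAG_PSH_ACK = 0x18
BGP_PORT = 179

# BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP segment length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, seg_len)


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385 s.2: MD5(pseudo-header || TCP header without options, checksum=0 || data || key)."""
    doff = (segment[12] >> 4) * 4          # data offset in bytes; options occupy [20:doff]
    header = bytearray(segment[:20])
    header[16:18] = b"\x00\x00"            # checksum is taken as zero
    m = hashlib.md5()
    m.update(pseudo_header(src_ip, dst_ip, len(segment)))
    m.update(bytes(header))                # options are deliberately excluded
    m.update(segment[doff:])               # segment data
    m.update(key)                          # the shared password goes last
    return m.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """TCP segment with a 20-byte option block: MD5 option (18 bytes) plus two NOPs of padding."""
    doff_words = 10                        # 20-byte header + 20 bytes of options
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff_words << 4, flags, 65535, 0, 0)
    options = struct.pack("!BB", TCP_OPT_MD5, 18) + bytes(16) + bytes([TCP_OPT_NOP, TCP_OPT_NOP])
    digest = tcp_md5_digest(src_ip, dst_ip, header + options + payload, key)
    return header + options[:2] + digest + options[18:] + payload


def build_unsigned_segment(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Plain 20-byte TCP header, no options: what a peer without the password can send."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def find_md5_option(segment: bytes):
    """Walk the TCP option list and return the 16-byte digest, or None if there is none."""
    doff = (segment[12] >> 4) * 4
    opts = segment[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # malformed option, stop parsing
        length = opts[i + 1]
        if kind == TCP_OPT_MD5 and length == 18:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Accept only segments whose digest matches under our key; everything else is dropped."""
    received = find_md5_option(segment)
    if received is None:
        return False                       # unsigned segment on a protected session
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


def tcp_payload(segment: bytes) -> bytes:
    """What a passive sniffer sees: the option authenticates, it does not encrypt."""
    return segment[(segment[12] >> 4) * 4:]


if __name__ == "__main__":
    a, b, key = "192.0.2.1", "192.0.2.2", b"bgp-shared-secret"          # constructed
    seg = build_signed_segment(a, b, 40000, BGP_PORT, 1000, 2000, TCP_FLAG_PSH_ACK, BGP_KEEPALIVE, key)
    print("genuine segment verifies:", verify_segment(a, b, seg, key))
    print("payload readable on the wire:", tcp_payload(seg) == BGP_KEEPALIVE)
    rst = build_signed_segment(a, b, 40000, BGP_PORT, 1000, 2000, TCP_FLAG_RST, b"", b"wrong-guess")
    print("spoofed RST with guessed key verifies:", verify_segment(a, b, rst, key))
```

Two properties of the construction are worth keeping in mind when reading the thread. The key is simply appended to the hashed data rather than used in an HMAC, and because the option bytes are excluded from the hash the signature covers the header and data but not the options themselves; RFC 2385 has since been obsoleted by the TCP Authentication Option (RFC 5925), which fixes both. And the option protects integrity and origin only: the sequence numbers and the BGP UPDATE contents still go across the wire in the clear, so it answers the session-hijack and RST-injection problem, not the sniffing problem, which is why the rest of the thread turns to IPsec for that.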



Re: Subject: OT: Call Manager and Military DSN [7:29805]

2001-12-21 Thread Nigel Taylor

John,
  When I suggested the solution we used to implement VoIP support with
DSN, I was only making reference to the operational configuration required
to support VoIP itself.  Having been in the military (AF) for some eight
years I do know of the information Paul mentioned.  In our implementation we
had access to the Government demarc (switch) which was already supporting
DSN.

The question then would be if the solution you're providing is going to
interface with a switch that already supports existing DSN calling.

In this case the trunk that is used for DSN service is pretty much
transparent like all the other trunks.  In that case the 8 prefix used in
dialing DSN would pretty much identify the calls that will ride the trunk
designated for DSN.


Nigel
former SSgt (separated) :-

From: John Kaberna 
Reply-To: John Kaberna 
To: [EMAIL PROTECTED]
Subject: Re: Subject: OT:  Call Manager and Military DSN [7:29805]
Date: Fri, 21 Dec 2001 13:59:05 -0500

Thanks for the great info Paul.

1.  Is the Call Manager a DSN compliant switch?
2.  Do you have to order a separate DSN compliant trunk from the Telco?

John Kaberna
CCIE #7146
NETCG Inc.
www.netcginc.com
(415) 750-3800

Instructor for CCBootcamp 5-day class www.ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm


Paul Werner wrote in message news:[EMAIL PROTECTED]...
  DSN is not exactly what I would refer to as tapping into the
  local telco.  DSN (Defense Switched Network) replaced AUTOVON
  (Automatic Voice Network) in the mid to late 1980s and through
  the early 90s.  AUTOVON was set up to principally be a voice
  only network, and in many cases over analog switch facilities.
  DSN converted it over to all digital, and included voice,
  video, and data over the same trunks.
 
  The key difference between DSN and a regular commercial call is
  they go over different trunks and they terminate at DSN
  compliant switches.  There are several things different about
  DSN compliant switches, but the key difference is the use of
  precedence, and precedence codes.  They have no real
  counterpart in a commercial trunk, other than an operator
  interrupt for an emergency.  With DSN, the end user can preempt
  a trunk and knock another user off the line with the proper
  precedence level.  Some folks out there who know their RFCs and
  remember the early 760 series standards may recognize those
  precedence levels.  They are:
 
  FLASH OVERRIDE (FO) -FO takes precedence over and preempts all
  calls on the DSN and is not preemptible. FO is reserved for the
  President of the United States, Secretary of Defense, Chairman
  of the Joint Chiefs of Staff, chiefs of military services, and
  others as specified by the President.
 
  FLASH (F) -FLASH calls override lower precedence calls and can
  be preempted by FLASH OVERRIDE only. Some of the uses for FLASH
  are initial enemy contact, major strategic decisions of great
  urgency, and presidential action notices essential to national
  survival during attack or preattack conditions.
 
  IMMEDIATE (1) -IMMEDIATE precedence preempts PRIORITY and
  ROUTINE calls and is reserved for calls pertaining to
  situations that gravely affect the security of the United
  States. Examples of IMMEDIATE calls are enemy contact,
  intelligence essential to national security, widespread civil
  disturbance, and vital information concerning aircraft,
  spacecraft, or missile operations.
 
  PRIORITY (P) -PRIORITY precedence is for calls requiring
  expeditious action or furnishing essential information for the
  conduct of government operations. Examples of PRIORITY calls
  are intelligence; movement of naval, air, and ground forces;
  and important information concerning administrative military
  support functions.
 
  ROUTINE (R) -ROUTINE precedence is for official government
  communications that require rapid transmission by telephone.
  These calls do not require preferential handling.
 
 
  When I was involved in DSN communications in Europe, my unit
  had a Flash precedence phone line, mainly because we had a
  special mission (which is about all I can say).  We had the
  capability of bumping everybody off the DSN network save for
  the CINC US Army Europe and a few other folks.  You will most
  likely have to deal with the issue of precedence.  Also, access
  to a commercial line is normally done with dialing a 9 first
  (typical for trunk access); DSN usually uses an 8 - Your
  mileage may vary; check your local listings.
 
  Finally, DSN uses a slightly different dial plan than the rest
  of the universe (go figure:-)  While you may be able to access
  the US with a country code of 001, or Germany with a country
  code of 49, that's not how it's done with DSN.  Access is
  determined by regions, and each region has its own country
  code.  The regions are:
 
  Canadian Section
  Caribbean Section
  CONUS Section
  European Section
  Pacific/Alaska Section
  

Re: Call Manager and Military DSN [7:29805]

2001-12-20 Thread Nigel Taylor

That's pretty much it.. John

Nigel

- Original Message -
From: John Kaberna 
To: 
Sent: Thursday, December 20, 2001 3:42 PM
Subject: OT: Call Manager and Military DSN [7:29805]


 I am working on an IP telephony solution and I need to hook in to the DSN.
 From my current understanding DSN is sent out to the local telco via the
 PSTN and is routed from there. This would make for a fairly simple dial
plan
 in Call Manager.  Has anybody heard anything different about how DSN is
 setup to work?

 John Kaberna
 CCIE #7146
 NETCG Inc.
 www.netcginc.com
 (415) 750-3800

 Instructor for CCBootcamp 5-day class www.ccbootcamp.com
 __
 CCIE Security Training
 www.netcginc.com/training.htm




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29831t=29805



Re: Latest Hackers Target: Routers [7:29844]

2001-12-20 Thread Nigel Taylor

Chuck,
 Yes, I got the thread on this today and forwarded a copy to
some of my co-workers.  I hope folks are making use of the various IOS
implementations to limit the damage done by a prospective attacker.  Things
like CBAC, rate-limit could go a long way in simply providing the needed
time to identify a serious attack and implement more specific filtering
techniques to identify or completely block the attacker.

As it applies to the sniffing of BGP packets to gain route information, I
was wondering where do things stand now on the implementation of encrypted
authentication within BGP.  If I'm not mistaken, isn't this supposed to
happen along with support for IPv6.  This document references
authentication which sounds like the existing support for MD5 based
authentication.

http://search.ietf.org/internet-drafts/draft-ietf-idr-bgp4-16.txt  (pg
9(a) )


Now this document does seem to address current issues with respect to the
flaws/vulnerabilities inherent to all TCP based protocols. The important
thing to note is this can be done without the presence of an MPLS-aware
backbone based on the model identified by RFC2547bis (MPLS/VPN).

http://search.ietf.org/internet-drafts/draft-declercq-bgp-ipsec-vpn-01.txt


Thoughts anyone..

Nigel .

- Original Message -
From: Chuck Larrieu 
To: 
Sent: Thursday, December 20, 2001 10:14 PM
Subject: RE: Latest Hackers Target: Routers [7:29810]


 anyone see a thread about this on NANOG today? The archives are not up to
 date with today's topics.

 Chuck

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Eric Rogers
 Sent: Thursday, December 20, 2001 1:29 PM
 To: [EMAIL PROTECTED]
 Subject: OT: Latest Hackers Target: Routers [7:29810]


 Paste into your browser:

 dailynews.yahoo.com/h/cmp/20011217/tc/inw20011217s0004_1.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29844t=29844



Re: Call Manager and Military DSN [7:29805]

2001-12-20 Thread Nigel Taylor

John,
We implemented this solution a little more than a year ago and if my
memory serves me right the dial plan on the call manager should be all that
is needed.  I also think we made use of a dialer peer on the router that
connected to the Lucent G3 switch (PBX).

Nigel

- Original Message -
From: John Kaberna 
To: 
Sent: Thursday, December 20, 2001 8:59 PM
Subject: Re: Call Manager and Military DSN [7:29805]


 Have you done this already Nigel?  Any problems with call routing for the
 DSN?

 John Kaberna
 CCIE #7146
 NETCG Inc.
 www.netcginc.com
 (415) 750-3800

 Instructor for CCBootcamp 5-day class www.ccbootcamp.com
 __
 CCIE Security Training
 www.netcginc.com/training.htm


 Nigel Taylor  wrote in message news:[EMAIL PROTECTED]...
  That's pretty much it.. John
 
  Nigel
 
  - Original Message -
  From: John Kaberna
  To:
  Sent: Thursday, December 20, 2001 3:42 PM
  Subject: OT: Call Manager and Military DSN [7:29805]
 
 
   I am working on an IP telephony solution and I need to hook in to the
   DSN.  From my current understanding DSN is sent out to the local telco
   via the PSTN and is routed from there. This would make for a fairly
   simple dial plan in Call Manager.  Has anybody heard anything different
   about how DSN is setup to work?
  
   John Kaberna
   CCIE #7146
   NETCG Inc.
   www.netcginc.com
   (415) 750-3800
  
   Instructor for CCBootcamp 5-day class www.ccbootcamp.com
   __
   CCIE Security Training
   www.netcginc.com/training.htm




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29848t=29805



More Friday Follies - and then some [7:29717]

2001-12-19 Thread Nigel Taylor

John,
   On one of your most recent test scenarios I had posted what you
noticed here and made some assumptions based on what we know of the routing
protocol's behavior.  Here's my reply from what I saw during that test...

--- Paste Begin ---

John,
 This surely piqued my interest as to why the secondary address
solution wouldn't work so I mocked it up and as you noted nothing...
I think my chain of thought made me think that as long as the secondary
address was on the mask of the route being propagated to R1 then
it should work.  However, in the setup all the subnets (172.16.1/2/3.x)
when defined under IGRP would be summarized back to the classful boundary
172.16.0.0.  When this happens the router simply does not broadcast the
update since the networks being advertised fall into the connected interface
classful boundary.

00:53:38: IGRP: sending update to 255.255.255.255 via Serial0 (172.16.1.2) -
(to R1)
00:53:38: IGRP: Update contains 0 interior, 0 system, and 0 exterior routes.
00:53:38: IGRP: Total routes in update: 0 - suppressing null update
00:53:38: IGRP: sending update to 255.255.255.255 via Serial1 (172.16.2.2) -
(to R3)
00:53:38:   subnet 172.16.3.0, metric=8476
00:53:38: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
00:53:38: IGRP: Total routes in update: 1

Once this is/was identified your only option to get the route to R1 is to
disable split-horizon on R2's S0 interface that's connected to R1. This
now allows the routes that would otherwise be filtered to be advertised to R1.

01:02:51: IGRP: sending update to 255.255.255.255 via Serial0 (172.16.1.2) -
(to R1)
01:02:51:   subnet 172.16.1.0, metric=8476
01:02:51: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
01:02:51: IGRP: Total routes in update: 1
01:02:51: IGRP: sending update to 255.255.255.255 via Serial0 (172.16.3.2) -
(to R3)
01:02:51:   subnet 172.16.2.0, metric=8476
01:02:51:   subnet 172.16.3.0, metric=8476
01:02:51: IGRP: Update contains 2 interior, 0 system, and 0 exterior routes.
01:02:51: IGRP: Total routes in update: 2


However, I observed a strange occurrence in that R2 generates a
172.16.1.0/28 route that is also advertised to R1.  How and why?  I'm
looking into it..  When this happens then another requirement would be to
use no ip classless (note: there is no 0/0, candidate defaults, etc..) to
avoid the 172.16.1.0/28 route from being used so as to avoid the obvious
routing loop between R1 and R2.

Very interesting results from the question as to why we had the
172.16.1.0/28 route generated from R2 to R1.  Well after thinking about it
things become somewhat clear as to why the route was created.  Simply put,
although the 172.16.3.0/28 was configured on the R1 - R2 link in order for
R1 to accept routes on the /28 mask.. the primary interface still quite
possibly would not pass that (/28) route information without being
associated as having a /28 mask itself.  I came to this conclusion by the
debugs from R1..

R1#
01:06:27: IGRP: broadcasting request on Serial0
01:06:27: IGRP: received update from 172.16.1.2 on Serial0
01:06:27:   subnet 172.16.1.0, metric 10476 (neighbor 8476)  ***
01:06:27: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
01:06:27: IGRP: Total routes in update: 1
R1#

Notice the 172.16.1.0 route that was sent from R2 is the only route that R1
receives.  This is that same /28 route that now allows R1 to also see the
172.16.2.0/28.

R1#
01:08:20: RT: add 172.16.1.0/24 via 0.0.0.0, connected metric [0/0]
01:08:20: RT: network 172.16.0.0 is now variably masked
01:08:20: RT: add 172.16.3.0/28 via 0.0.0.0, connected metric [0/0]
01:08:20: IGRP: broadcasting request on Serial0
01:08:20: IGRP: received update from 172.16.1.2 on Serial0
01:08:20:   subnet 172.16.1.0, metric 10476 (neighbor 8476)
01:08:20: RT: add 172.16.1.0/28 via 172.16.1.2, igrp metric [100/10476]
01:08:20: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
01:08:20: IGRP: Total routes in update: 1
R1#

The R1 RIB eventually ends up as follows..

R1#
Gateway of last resort is not set

 172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
I   172.16.1.0/28 [100/10476] via 172.16.1.2, 00:00:14, Serial0
C   172.16.1.0/24 is directly connected, Serial0
I   172.16.2.0/28 [100/10476] via 172.16.3.2, 00:00:14, Serial0
C   172.16.3.0/28 is directly connected, Serial0
R1#

NOTE: Although everything looked and suggested that a ping/trace to a host
within the 172.16.1.0/28 mask (172.16.1.10) should be sent to R2 and then
back to R1, causing a routing loop (before using the ip classless command),
this did not happen; instead, when the packet returned to R1 it then timed
out..


R1#trace 172.16.1.10

Type escape sequence to abort.
Tracing the route to 172.16.1.10

  1 172.16.1.2 136 msec 16 msec 16 msec
  2 172.16.1.1 32 msec 28 msec 32 msec
  3  *  *  *
  4  *  *  *
  5  *  *  *


Well this was interesting..   I hope 
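The R2-side update behaviour traced in the post above, as an added example that is not part of the thread: a small Python model of the textbook classful advertisement rules (split horizon, mask match against the outgoing interface's primary address, classful summarization across a major-network boundary), which reproduces the "0 routes / suppressing null update" and "subnet 172.16.3.0" debug lines and the single 172.16.1.0 entry seen once split horizon is disabled. The R2 addressing is a constructed assumption (172.16.1.0/24 primary plus 172.16.3.0/28 secondary on Serial0, 172.16.2.0/28 on Serial1); the receive side on R1 is not modelled.

```python
import ipaddress

# Constructed R2 topology from the thread (assumption: the 172.16.3.0/28
# secondary sits on R2's Serial0 beside the 172.16.1.0/24 primary, and
# Serial1 carries the 172.16.2.0/28 link to R3).
R2_INTERFACES = {
    "Serial0": ["172.16.1.2/24", "172.16.3.2/28"],  # link to R1
    "Serial1": ["172.16.2.2/28"],                   # link to R3
}

def classful(net):
    """Major (class A/B/C) network that a subnet belongs to."""
    first_octet = int(net.network_address) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network((int(net.network_address), bits), strict=False)

def connected_routes(interfaces):
    """(subnet, interface) pairs for every primary and secondary address."""
    return [(ipaddress.ip_interface(a).network, ifname)
            for ifname, addrs in interfaces.items() for a in addrs]

def igrp_update(interfaces, out_if, split_horizon=True):
    """Subnets placed in the IGRP update sent out `out_if`, following the
    textbook classful rules: split horizon drops routes reached through the
    outgoing interface; a subnet of the outgoing interface's major network is
    sent only if its mask equals that interface's primary mask (the update
    carries no mask); any other major network is summarized classfully."""
    primary = ipaddress.ip_interface(interfaces[out_if][0]).network
    major = classful(primary)
    update = []
    for net, via in connected_routes(interfaces):
        if split_horizon and via == out_if:
            continue  # split horizon: never re-advertise out the same link
        if classful(net) == major:
            if net.prefixlen == primary.prefixlen:
                update.append(str(net.network_address))
        elif str(classful(net).network_address) not in update:
            update.append(str(classful(net).network_address))
    return update

def debug_line(out_if, update):
    """Mimic the 'Total routes in update' line from the quoted debug output."""
    null = " - suppressing null update" if not update else ""
    return f"IGRP: {out_if}: Total routes in update: {len(update)}{null} {update}"

if __name__ == "__main__":
    print(debug_line("Serial0", igrp_update(R2_INTERFACES, "Serial0")))
    print(debug_line("Serial1", igrp_update(R2_INTERFACES, "Serial1")))
    print(debug_line("Serial0", igrp_update(R2_INTERFACES, "Serial0", False)))
```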
