Re: Good network monitor prog. ??? [7:75081]
Steven,

There's a great little program on SourceForge that's growing in popularity and IMHO is going to become a great NMS tool. It integrates Syslog, Tacacs, RRDtool (Performance Graphs), Maps, Traps, TFTP, Autodiscovery, Sound Alerts, AAA, Modular and Extensible. It uses a database backend to store all the data as well (good for trend analysis). The documentation is pretty good and if you have/know unix it's pretty easy to get up and running. There is also a windoze port for the non-*nix folks.

http://sourceforge.net/projects/jffnms/

HTH
Nigel

----- Original Message -----
From: John Neiberger
Sent: Tuesday, September 09, 2003 1:44 PM
Subject: Re: Good network monitor prog. ??? [7:75081]

Steven Aiello 9/9/03 11:18:51 AM

Anyone know of a good network monitor prog.? It doesn't have to be free but not too expensive. My budget is nil. Any recommendations?

Thanks,
Steve

Wouldn't it _have_ to be free if your budget is nil? ;-)

You might want to check out MRTG and WhatsUp Gold:

http://mrtg.hdl.com/mrtg.html
http://www.ipswitch.com/products/WhatsUp/index.html

HTH,
John

**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75121t=75081
Re: OSPF BGP redistiribution question [7:66430]
Chuck,

My first thought is what does the sh ip bgp for the routes that do not show up in BGP indicate. I believe there is a requirement not to disable sync, which suggests that the routes not being added to BGP aren't sync'd with the IGP. Does any of this have route information being propagated from an IBGP neighbor.

Nigel

----- Original Message -----
From: The Long and Winding Road
Sent: Saturday, March 29, 2003 2:27 AM
Subject: OSPF BGP redistiribution question [7:66430]

NLI ( b..o..o..t..c..a..m..p.. lab 8 ) redistribution of OSPF and BGP

I checked CCO and the answer key everything appears to be correct. So why is it that half my OSPF routes do not show up in the BGP table???

* 137.20.0.0 0.0.0.0 0 32768 ?
* i137.20.40.16/28 137.20.25.2164100 0 i
* 0.0.0.0110 32768 i
* 137.20.100.33/32 0.0.0.0138 32768 i
* 137.20.100.34/32 0.0.0.0 74 32768 i
* 137.20.100.35/32 0.0.0.0 74 32768 i
*i172.168.70.0/24 137.20.10.70 170100 0 3 i
* 172.168.80.0/24 137.20.86.1 0 0 1 i

R#
O IA 200.200.200.0/24 [110/75] via 137.20.64.5, 02:27:46, Ethernet0
     137.20.0.0/16 is variably subnetted, 12 subnets, 4 masks
O E1 137.20.200.16/28 [110/110] via 137.20.64.5, 02:27:46, Ethernet0
O IA 137.20.30.0/24 [110/84] via 137.20.64.5, 02:27:46, Ethernet0
O IA 137.20.25.0/24 [110/74] via 137.20.64.5, 02:27:46, Ethernet0
O IA 137.20.20.0/24 [110/84] via 137.20.64.5, 02:27:46, Ethernet0
O E1 137.20.40.16/28 [110/110] via 137.20.64.5, 02:27:46, Ethernet0
O IA 137.20.88.0/24 [110/75] via 137.20.64.5, 02:27:46, Ethernet0
O IA 137.20.100.33/32 [110/138] via 137.20.64.5, 02:19:42, Ethernet0
O IA 137.20.100.35/32 [110/74] via 137.20.64.5, 02:19:42, Ethernet0
O IA 137.20.100.34/32 [110/74] via 137.20.64.5, 02:19:42, Ethernet0
O IA 137.20.100.0/24 [110/10] via 137.20.64.5, 02:19:42, Ethernet0
O IA 200.200.100.0/24 [110/75] via 137.20.64.5, 02:27:46, Ethernet0

lest you wonder, I am using the proper ( so I think ) form of the redistribute command, covering OSPF internal and external )

router bgp 2
 no synchronization
 bgp log-neighbor-changes
 network 137.20.20.0 mask 255.255.255.0 backdoor
 network 137.20.25.0 mask 255.255.255.0 backdoor
 network 137.20.30.0 mask 255.255.255.0 backdoor
 network 137.20.40.16 mask 255.255.255.240
 network 137.20.88.0 mask 255.255.255.0 backdoor
 network 137.20.100.33 mask 255.255.255.255
 network 137.20.100.34 mask 255.255.255.255
 network 137.20.100.35 mask 255.255.255.255
 network 137.20.100.0 mask 255.255.255.0 backdoor
 network 137.20.200.16 mask 255.255.255.240 backdoor
 network 200.200.100.0 backdoor
 network 200.200.200.0 backdoor
 redistribute ospf 239 match internal external 1 external 2    ((( ---SEE I told you so!
 neighbor 137.20.25.1 remote-as 2
 neighbor 137.20.25.1 ebgp-multihop 3
 neighbor 137.20.86.1 remote-as 1

any help appreciated

Chuck!

--
TANSTAAFL
there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66474t=66430
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PPP Problems - any ideas!!! [7:66486]
Matt,

That's correct. Think about authentication in terms of cisco's 3 tier design model;

Core (WAN)
Distribution (Routed/Switched)
Access (User)

This is why you get the message you noted.

01:57:10: Se0 PPP: Treating connection as a dedicated line

The use of authentication within ppp is typically to provide user access authentication support, whereas within the WAN authentication might be implemented through the use of physical security, or within a routing protocol itself. Take a look at the Dial ISDN/Async configuration areas of CCO, this may help. Here's a link to using two routers in a back-to-back scenario, using authentication.

http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a00800a3b85.shtml

watch the line wrap. The one exception here would be no need to use the multilink command if using one interface. This should however display the information you're trying to observe.

HTH
Nigel

----- Original Message -----
From: saunders1m
Sent: Sunday, March 30, 2003 7:45 AM
Subject: PPP Problems - any ideas!!! [7:66486]

I have 2 routers connected back to back via a DTE - DCE crossover cable and I am trying to establish a ppp connection though I can't seem to make the connection and when I try using debug ppp authentication I get:

01:57:10: Se0 PPP: Treating connection as a dedicated line

Is my config right???

Router 1 (r9)

username r10 password cisco
interface Serial0
 ip address 10.0.1.1 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no fair-queue
 ppp authentication pap

Router 2 (r10)

username r9 password cisco
interface Serial0
 ip address 10.0.1.2 255.255.255.0
 no ip directed-broadcast
 encapsulation ppp
 no fair-queue
 clockrate 64000
 ppp authentication pap

Also when I try to debug using debug ppp authentication I don't seem to be seeing any outputs to the console, I have tried using terminal monitor though I plugged into the console directly.

Using show logging gives me this output:

r10#show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 55 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 8 messages logged
    Trap logging: level informational, 50 message lines logged

Under console logging it says 55 messages logged, how do I view these

Cheers
Matt

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66492t=66486
Re: BGP Route Reflectors [7:66488]
Ken,

Technically speaking, even eBGP has the ability to peer with neighbors that aren't directly connected. Typically, eBGP peers will have direct physical connectivity, whereas iBGP peers are part of the same AS; as long as a route/path exists to that peer, connectivity shouldn't be a problem. When you address this issue, think of the requirement for BGP to be sync'd with the IGP for route information to be advertised. As well as the limitations/features of the peering relationship from one AS to another, or devices within the same AS.

HTH
Nigel

----- Original Message -----
Sent: Sunday, March 30, 2003 9:10 AM
Subject: BGP Route Reflectors [7:66488]

All,

Please can someone clear this up for me, if you have the time. IBGP peers do not have to be physically connected to one another, as long as an IGP (most preferably) is running between them. On page 128 (paragraph 1) of the Routing TCP/IP Volume 2 book, it says the following about route reflectors and clients :-

"The clients have physical connections to each of the route reflectors, and they peer to each"

I assume that each client in an iBGP domain does not need to share a physical data-link to each RR?

Many thx. (maybe I'm just tired from studying all weekend).

Regards,
Ken

For more information about Barclays Capital, please visit our web site at http://www.barcap.com. Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66497t=66488
Re: Sanity Check - ISDN and EIGRP [7:66016]
Folks,

I'm sure this is pretty straightforward, but as this ISDN connection relates to the lab requirements, the complete scenario should dictate how the requirements are interpreted. It seems strange that the ISDN link should stay up indefinitely. Another question here would be what broadcast packets are they referring to that could bring up the line.

Nigel
Dazed and confused :-

----- Original Message -----
From: David j
Sent: Sunday, March 23, 2003 2:50 AM
Subject: RE: Sanity Check - ISDN and EIGRP [7:66016]

See below:

The Long and Winding Road wrote:

I'm working on a practice lab problem. there are two domains - OSPF and EIGRP. The two domains can only communicate via ISDN

OSPF---R1---ISDN--R2EIGRP

R1 is where redistribution takes place. The ISDN link is in the EIGRP domain. Pretty much I've concluded that the only way this works is that there have to be static default routes on R1 and R2 pointing to each other. The only other way I can see this working is for the ISDN link to be permanently up. Unfortunately, the lab instructions are not very clear on this point. The only relevant instructions are:

1) no broadcast packets should initiate a DDR session. Multicast packets should be able to traverse the ISDN link.
2) use an access-list 120 for any filters you may need for DDR
3) only IP traffic will need to traverse the link

That multicast instruction is interesting. Am I on the right track thinking the test here is to let the link stay up forever by defining the EIGRP hellos as interesting ?? thoughts?

I think so, in fact if the link were used as backup of a serial link it would be logical that eigrp multicast packets bring it up when the serial link is down. We have our backups defined more or less in that way ( on an eigrp - eigrp domain, but this is not so important here). We have defined as interesting traffic any ip packet, but I think you could fulfill all requirements of this lab doing some acl engineering, perhaps denying explicitly broadcast packets at the beginning of the acl.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66023t=66016
Re: OSPF Virtual link authentication - observations [7:65628]
Chuck,

Let's see if I can make any sense in my reply to your comments. When I think of a virtual-link as it relates to ospf, I think of it in terms of being a tunnel. Also, short of being able to use a virtual-link, a tunnel is what's recommended to maintain connectivity for any non-area0 connected areas. Here's an excerpt from rfc 2328 which describes a virtual link.

12.4.1.3. Describing virtual links

For virtual links, a link description is added to the router-LSA only when the virtual neighbor is fully adjacent. In this case, add a Type 4 link (virtual link) with Link ID set to the Router ID of the virtual neighbor, Link Data set to the IP interface address associated with the virtual link and cost set to the cost calculated for the virtual link during the routing table calculation (see Section 15).

And then this excerpt from section 15..

The virtual link is treated as if it were an unnumbered point-to-point network belonging to the backbone and joining the two area border routers. An attempt is made to establish an adjacency over the virtual link. When this adjacency is established, the virtual link will be included in backbone router-LSAs, and OSPF packets pertaining to the backbone area will flow over the adjacency. Such an adjacency has been referred to in this document as a virtual adjacency.

So as you noted it would be safe to say that a virtual-link is governed by the termination points of its unnumbered p-2-p links. So where your transit-area uses MD5 authentication so must your virtual-link. Alex Zinin's Cisco IP Routing [pg. 489] clearly states that the virtual-link always belongs to the backbone. In saying this, the characteristics of the transit area to identify the peering ABR and then receive packets (encrypted/decrypted) would be the only things that associate the virtual-link to the transit area.

HTH
Nigel :-)

----- Original Message -----
From: The Long and Winding Road
Sent: Tuesday, March 18, 2003 12:04 AM
Subject: OSPF Virtual link authentication - observations [7:65628]

Not sure I have this all sorted out correctly. Perhaps those with a bit more experience might add their wisdom, not to mention their corrections. The ospf virtual link being what it is, it follows rules similar to any other interface. It does appear, though, that in terms of structure, it looks something like this: ( commands under the ospf process )

area X authentication
area X virtual-link y.y.y.y authentication
area X virtual-link y.y.y.y authentication-key WORD

where X is the non zero area number over which the virtual link transits. In other words, for purposes of structure, the virtual link is not really part of area 0. It is a point-to-point link that is part of the non zero transit area. Am I understanding this correctly? I have a setup working, where the area 0 authentication is simple and the transit area authentication is MD5, and no adjacency is formed across the virtual link with simple authentication, but comes up just fine with MD5. Any comments are appreciated.

--
TANSTAAFL
there ain't no such thing as a free lunch

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65637t=65628
Re: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65376]
Chuck,

There is a brief article which addresses those L2 vulnerabilities you mention in the most recent publication of Packet Magazine

Nigel

----- Original Message -----
From: The Long and Winding Road
Sent: Thursday, March 13, 2003 2:50 AM
Subject: Re: OT - CDP: Is it treated as a 'vulnerability' in yo [7:65279]

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]

chris kane wrote:

It recently came to my attention that my company may plan to disable all CDP in our network. The current vibe is that they see it as a security risk. My intent is to research this and provide a paper arguing for the use of CDP. The purpose for my post is to see if my opinions of the benefits of CDP are realistic (sanity check) and to see how others view CDP, weighing its usefulness vs. any possible risk.

I have already begun researching any security releases on CCO in regards to CDP. Initial scan shows a 'vulnerability' notice that Cisco most recently updated on Feb 12, 2003. This information can be found at this link:

http://www.cisco.com/en/US/partner/tech/tk648/tk362/technologies_tech_note09186a0080093ef0.shtml

Looking at CDP from a troubleshooting tool perspective, I am all for it. I've personally been saved unknown hours tracing down a problem because CDP allowed me to bounce around the network quickly. Our network is not small. And as most people would agree, documentation is never what we all would like it to be. Therefore, I find that CDP's ability to display the network below Layer 3 is appreciated.

So will a hacker appreciate CDP's ability to display information about the internetwork. I think that's the reasoning behind the security experts saying to turn it off.

That is indeed the current vibe. I took a Cisco security class at the Usenix Security Symposium in August 2002. The instructor said to turn it off.

Have you looked at the documents at the Center for Internet Security? They have benchmarks for Cisco security. They have 2 levels. Even with the less severe level, they say to turn off CDP. The Center for Internet Security tries to develop consensus on security measures. Their partners include The SANS Institute, the DoD Computer Emergency Response Team, NASA, National Institute of Standards and Technology, etc. Their Web site is here:

http://www.cisecurity.org/

On the other hand, I think you could certainly make a good case for not disabling CDP. Being able to troubleshoot efficiently is just as important as security when considering network availability. A network that's broken and due to typical network problems is experiencing a denial of service just as bad as if a hacker had broken in. Good troubleshooting tools mean a more available network, there's no question.

I hope others answer too. I know that all the security people say to turn it off and most people who actually work in the trenches say, Hunh?

Can't find the link off hand, but recently I read something on the Cisco web site about L2 vulnerabilities - mac flooding or something. In any case, what it comes down to is that the possibility exists that someone of evil intent could sniff a network and discover something useful that could be used to cause problems later. Why have OSPF authentication on internal links? Why have chap authentication on dial up links? After all, who's out there tapping your telephones? What do you want - convenience or security? Cuz maybe you can't have both. Kinda like at the airport. Maybe you feel safer because they're searching people like me, who really do look like criminals, but do you feel safer if they're searching 80 year old ladies and 5 year old children? Could either one of those types pose a security risk? Interesting tradeoff, isn't it. particularly given certain incidents in a particular country of late.

Priscilla

Also from a tool perspective, I know CiscoWorks has tools to offer that utilize CDP. And I've seen software from other companies that does as well. Think Layer 2 traceroute capability.

Looking at CDP from a multi-vendor platform perspective, I realize that it's often beneficial to turn off CDP on interfaces that connect to non-Cisco devices. No point in bothering a non-Cisco device with traffic that it can't process. But note, this is not turning off CDP globally per router/switch, but rather, disabling on an as-needed basis per interface.

I'd like to hear other views and I'd appreciate feedback and opinions about this.

Thanks,
-chris

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65376t=65376
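The thread's middle ground is to leave CDP running but disable it per interface where it faces non-Cisco gear. That only holds if the configuration actually says so, so here is an added example (not code from the list or from Cisco) that reads an IOS-style configuration and reports which interfaces will still send CDP after the global `no cdp run` and per-interface `no cdp enable` commands are taken into account. The sample configuration, hostname and interface descriptions are constructed for this example; the only IOS facts assumed are those two commands and the default that CDP is on everywhere unless turned off.

```python
# Added example (not the list's code): inventory where CDP is still active in
# an IOS-style configuration, so that per-interface disablement (the approach
# discussed for links to non-Cisco gear) can be checked rather than assumed.
# Assumes IOS syntax: global "no cdp run", per-interface "no cdp enable".
# The configuration text below is constructed for this example.

SAMPLE_CONFIG = """\
hostname mdf-sw
!
interface FastEthernet0/0
 description uplink to core
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/1
 description printers and non-Cisco hosts
 no cdp enable
!
interface Serial0
 encapsulation ppp
!
"""


def parse_cdp_state(config_text):
    """Return (global_enabled, {interface: effective_enabled}).

    IOS defaults: CDP runs globally and is enabled on every interface, so an
    interface is effectively running CDP only if neither "no cdp run" nor
    "no cdp enable" on that interface turns it off.
    """
    global_enabled = True
    per_interface = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not line.startswith(" "):          # top-level command
            current = None
            if stripped == "no cdp run":
                global_enabled = False
            elif stripped.startswith("interface "):
                current = stripped.split(None, 1)[1]
                per_interface[current] = True  # interface default
            continue
        if current is None:
            continue
        if stripped == "no cdp enable":
            per_interface[current] = False
        elif stripped == "cdp enable":
            per_interface[current] = True
    effective = {name: global_enabled and on for name, on in per_interface.items()}
    return global_enabled, effective


def interfaces_with_cdp(config_text):
    """Sorted list of interfaces that will actually send CDP advertisements."""
    _, effective = parse_cdp_state(config_text)
    return sorted(name for name, on in effective.items() if on)


if __name__ == "__main__":
    print("CDP active on:", interfaces_with_cdp(SAMPLE_CONFIG))
    print("with global 'no cdp run':",
          interfaces_with_cdp("no cdp run\n" + SAMPLE_CONFIG))
```

Run against a saved `show running-config`, the output is the list of interfaces a neighbour could still learn platform and address details from; comparing it with the list of ports that face non-Cisco or untrusted segments is the check the discussion is asking for.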
Re: Cannot see Rip routes with route-tagging - Why? [7:63900]
Cisconuts,

(Hint) My first question is where exactly is it that you identified what traffic is matched in the route-map :-)

Some other questions: How are R6, R5, R4, and R2 all connected? serial, eth0, frame-relay, etc... This way folks on the list could be of more assistance once they understand what you're trying to do.

Nigel

----- Original Message -----
From: Cisco Nuts
Sent: Wednesday, February 26, 2003 2:37 PM
Subject: Cannot see Rip routes with route-tagging - Why? [7:63900]

Hello,

I have R6, R5 and R4 running rip ver 2, network 178.1.10.0 subnets
R5, R4 and R2 running eigrp 2 network 181.16.2.0 subnets.
R5 and R4 had mutual redistribution setup using route tagging.
R6 correctly sees the eigrp redistributed routes but R2 is NOT seeing any rip redistributed routes.

Any help is appreciated.

Config. on R5 (ditto config on R4)

R5#rbr
router eigrp 2
 redistribute rip metric 1 1 1 1 1 route-map r2e
 network 181.16.2.8 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes
!
router rip
 version 2
 redistribute eigrp 2 metric 2 route-map e2r
 network 172.31.0.0
 network 178.1.0.0
 no auto-summary
!
route-map e2r deny 10
 match tag 77
!
route-map e2r permit 20
 set tag 88
!
route-map r2e deny 10
 match tag 88
!
route-map r2e permit 20
 set tag 77

Routing table on R2 ( Does not show any Rip routes)

R2#r
     181.16.0.0/30 is subnetted, 4 subnets
C       181.16.2.4 is directly connected, Serial1
C       181.16.2.0 is directly connected, Ethernet0
D       181.16.2.12 [90/679936] via 181.16.2.6, 00:40:47, Serial1
C       181.16.2.8 is directly connected, Serial0.234

Config:

R2#rbr
router eigrp 2
 network 181.16.2.0 0.0.0.3
 network 181.16.2.4 0.0.0.3
 network 181.16.2.8 0.0.0.3
 no auto-summary
 no eigrp log-neighbor-changes

R2 and R5 running FR with ip split-horizon enabled on.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64051t=63900
Re: strange ISDN problem [7:60409]
Ravi,

Since this problem seems to be a problem on only this specific line it would suggest that the problem could be a line problem. The other devices that dial into the PRI (hub) would suggest that the central location physical layer and equipment is operating fine. I would suggest that you have the company from which the line is provisioned check the line.

I have a question.. Are you using the Provider's demarc or did you create an extended demarc? Sometimes in my past experiences, depending on how the provider made the connection. Check the wiring from that location all the way to your equipment. You could also ask to have the line checked by the provider, but there are a number of local testing (local loop testing) steps that you could perform before calling their tech support.

HTH
Nigel

----- Original Message -----
From: Ravi Tyagi
Sent: Monday, January 06, 2003 1:52 AM
Subject: strange ISDN problem [7:60409]

Dear All,

I am facing a strange problem. Around 6 PM every evening my isdn router (cisco 803) shows a lot of packet loss. Even I am not able to ping the directly connected WAN interface. Loss is 20% - 100%. Even extended ping doesn't help. Router is dialling to PRI. There are currently 4 routers dialling to PRI but the problem is with this router only. Router works fine during day time. PRI shows this router connected. Is this an interface heated up problem or is this problem due to electric or magnetic interference with the ISDN line.

Any help is appreciated.

Regards
Ravi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60413t=60409
Re: Virtual-link and area range command [7:60408]
Neil,

I'm a bit confused by your question. Your virtual-link should be part of the existing addressing scheme. The few things to note here will be as follows;

Where in relation to the RIP domain is the virtual-link?
What is the mask (/) of the points that identify the virtual-link?

I would need some more information and a better understanding of your design to be able to provide a real solution.

HTH
Nigel

----- Original Message -----
From: neil K.
Sent: Monday, January 06, 2003 1:42 AM
Subject: Virtual-link and area range command [7:60408]

Guys,

How do I summarize a virtual link using area range command so that I can see the routes in RIP domain.

Thanks,
neil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60415t=60408
Re: VoIP data rates [7:56942]
Sebastien,

Thanks a lot for the link! Very cool :-

Nigel

----- Original Message -----
From: Sebastien Venturoso
Sent: Wednesday, November 06, 2002 3:20 AM
Subject: RE: VoIP data rates [7:56942]

Here is a link for Voice Codec Bandwidth Calculator:

http://tools.cisco.com/Support/VBC/jsp/Codec_Calc1.jsp (need CCO login)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com]
Sent: Wednesday, November 06, 2002 06:24
To: [EMAIL PROTECTED]
Subject: RE: VoIP data rates [7:56942]

Matthew Webster wrote:

Hi Priscilla, thanks for the help. I have found the chart you referred to and made several calculations - it appears that the bandwidth almost triples when you don't compress the IP, UDP and RTP headers.

Yes. The bandwidth requirement almost triples. (I didn't finish the arithmetic before I hit the Post button on my previous message.)

Windows NetMeeting and other such applications might compress the IP/UDP/RTP headers. It's an RFC that's been out for a time (RFC 2508). I don't know for sure if they do, though. It might not be the right approach anyway. I think compressed IP/UDP/RTP is usually implemented at the end points of slow links and isn't meant to be used end-to-end by applications.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Here we're pretty certain that a typical dial up modem (either 33.6 or 56kbps) has enough upstream bandwidth to handle these codecs. However, we could greatly decrease our bandwidth requirements if we compress the IP, UDP and RTP headers (saving money and bandwidth). However we're not sure if winsock or whatever protocol stack unencapsulation tool on a Microsoft O/S will be able to uncompress the IP, UDP and RTP headers. We're going to try to set up an experiment here as well as check out the Microsoft and Cisco websites, but if you know the answer, then that would be great.

cheers,
Matthew.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56977t=56942
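The "almost triples" figure in the exchange above falls straight out of the packet arithmetic, so here is an added worked example (not from the thread or from the Cisco calculator it links) that computes per-call bandwidth for G.711 and G.729 with the full 40-byte IP/UDP/RTP header and with an RFC 2508 compressed header. The assumed values are: IPv4 without options, 20 ms packetisation for both codecs, a 2-byte compressed header (cRTP yields 2 to 4 bytes), and no link-layer overhead unless one is passed in. The modem-fit check uses the 33.6 kbps figure from Matthew's message.

```python
# Added example (not from the thread): per-call VoIP bandwidth with and
# without IP/UDP/RTP header compression (RFC 2508 cRTP), to show where the
# "almost triples" figure in the discussion comes from.
# Assumptions: IPv4 (no options), 20 ms packetisation for both codecs,
# a 2-byte compressed header (cRTP produces 2-4 bytes), and no link-layer
# overhead unless l2_bytes is given.

IP_UDP_RTP_HEADER = 40   # bytes: IPv4 20 + UDP 8 + RTP 12
CRTP_HEADER = 2          # bytes: assumed cRTP compressed header size

# codec -> (voice payload bytes per packet, packets per second)
# G.711: 160 bytes every 20 ms (64 kbps); G.729: 20 bytes every 20 ms (8 kbps)
CODECS = {
    "G.711": (160, 50),
    "G.729": (20, 50),
}


def bandwidth_kbps(payload_bytes, pps, header_bytes, l2_bytes=0):
    """Bits per second on the wire for one direction of one call, in kbps."""
    return (payload_bytes + header_bytes + l2_bytes) * pps * 8 / 1000


def compare(codec, l2_bytes=0):
    """Uncompressed vs cRTP bandwidth for a codec, plus the ratio between them."""
    payload, pps = CODECS[codec]
    plain = bandwidth_kbps(payload, pps, IP_UDP_RTP_HEADER, l2_bytes)
    compressed = bandwidth_kbps(payload, pps, CRTP_HEADER, l2_bytes)
    return {
        "codec": codec,
        "codec_rate_kbps": payload * pps * 8 / 1000,
        "uncompressed_kbps": plain,
        "crtp_kbps": compressed,
        "ratio": plain / compressed,
    }


def fits_uplink(codec, uplink_kbps, compressed):
    """Does one call fit in the given upstream rate (e.g. a 33.6 kbps modem)?"""
    r = compare(codec)
    need = r["crtp_kbps"] if compressed else r["uncompressed_kbps"]
    return need <= uplink_kbps


if __name__ == "__main__":
    for codec in CODECS:
        r = compare(codec)
        print(f"{codec}: codec {r['codec_rate_kbps']:.1f} kbps, "
              f"IP/UDP/RTP {r['uncompressed_kbps']:.1f} kbps, "
              f"cRTP {r['crtp_kbps']:.1f} kbps, ratio {r['ratio']:.2f}x")
```

For G.729 the headers outweigh the 20-byte voice payload two to one, which is why compression takes a call from 24 kbps down to under 9 kbps (a ratio of about 2.7); for G.711 the 160-byte payload dominates and compression saves only about 19%. Passing an `l2_bytes` value (for example the PPP framing on a dial-up link) shifts both figures up by the same amount.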
Re: how can I get the boot rom upgrade for mc3810 [7:56733]
Sometime back I upgraded a couple of MC3810's and this was the link I used.

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=2067212869

You'll get the boot rom and the 64 MB Dram chip.

HTH
Nigel

----- Original Message -----
From: Brad Ellis
Sent: Sunday, November 03, 2002 2:38 PM
Subject: Re: how can I get the boot rom upgrade for mc3810 [7:56733]

I thought Cisco wasn't carrying boot-roms anymore and you had to call ingram or comwhore (or another one of their distributors) to get them. (At least with the 2500 boot roms you do)

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.optsys.net (Cisco hardware)
Voice: 702-968-5100
FAX: 702-968-5104

James Willard wrote in message news:200211021744.RAA08263;groupstudy.com...

You can order the bootROM's by calling Cisco's credit card orders department at 1-800-553-6387 and choosing the "To place a credit card order, press ..." option. The part number is BOOT-381V= and it's a zero-cost item, so they'll only charge you for shipping.

Enjoy,
James Willard
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com] On Behalf Of guest
Sent: Saturday, November 02, 2002 10:21 AM
To: [EMAIL PROTECTED]
Subject: how can I get the boot rom upgrade for mc3810 [7:56733]

I bought 2 mc3810, but I found I need to upgrade the boot rom first to support 64mb Dram, how can I order this from Cisco, I am an end user. Is there some reseller that can order this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56773t=56733
Re: IS-IS simple config [7:56751]
Stephane,

If you read a bit further in Doyle's Routing TCP/IP on page 654 you will understand the reasoning for the command within the configuration. It's important to remember, as Doyle also points out earlier in his IS-IS chapter, that IS-IS was designed with the purpose of transitioning TCP/IP to OSI. Doyle gives a brief explanation of this on pages 593-595.

HTH
Nigel

----- Original Message -----
From: Stephane Litkowski
Sent: Saturday, November 02, 2002 1:21 PM
Subject: IS-IS simple config [7:56751]

Hi all,

I see in Jeff Doyle's book (TCP/IP routing vol1) that for each ISIS router config (for IP routing only) there is the command clns routing. WHY ? I think this command is not necessary as long as we don't use clns router isis on interfaces : I already configured ISIS for IP routing on my 2500 routers without clns routing and it works fine ! Does this command bring something in an IP only environment ?

Thanks for clarifying this.

--
Stephane LITKOWSKI

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56754t=56751
Re: Another Internet Draft of Interest [7:56560]
Howard,

It would seem that there's something wrong with the links in that I'm unable to access either of the drafts you noted. It's also quite possible that I simply didn't click on the link hard enough :-) Oh, I know... much like a recent Cox communications commercial, maybe I simply reached the end of the Internet. :-

thanks
Nigel

----- Original Message -----
From: Howard C. Berkowitz
Sent: Thursday, October 31, 2002 1:14 AM
Subject: Re: Another Internet Draft of Interest [7:56560]

Nigel Taylor

All,

I just got through some of the presentations linked from the recent nanog meeting. The draft in question was presented by Henk Uijterwaal titled New Services from RIPE NCC. There is also this link on the nanog list to his latest draft.

http://www.ripe.net/home/henk/draft-ietf-ippm-owmetric-as-01.txt

I was just thinking about some of our current tools like ping, hping, and traceroute which measure round trip delay vs one-way delay. RFC 2679 discusses numerous reasons for calculating one-way delay, however would tools like ping and traceroute, with the existence of ping6 and traceroute6, be rfc2679 compliant. I've not done any research at this point but, would operational tools in everyday use benefit from this new active measurement? Here's a pretty good link that explains the concept for the normal folks like myself.

There are several problems with using timestamped measurement in the router itself. Some of these may be reduced with IPv6, but, for others, external passive hardware or special router hardware seems necessary. See our BGP convergence drafts,

http://www.ietf.org/internet-drafts/draft-ietf-bgpconv-03.txt
and
http://www.ietf.org/internet-drafts/draft-ietf-bgpbas-00.txt

First, routers may not give sufficient precision in measurement, because they rate-limit ICMP to protect against ICMP floods, or simply don't prioritize it highly. I mention IPv6 because authenticated source addresses may be used without fear of denial of service.

Second, the router may or may not have the capacity to capture and store a statistically valid amount of data. NetFlow data export, for example, summarizes to a degree. If you could shoot debug to syslog, you'd have a much better chance as long as the router could keep up with it, using something like a SPAN port.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56581t=56560
Another Internet Draft of Interest [7:56560]
All,

I just got through some of the presentations linked from the recent NANOG meeting. The draft in question was presented by Henk Uijterwaal, titled New Services from RIPE NCC. There is also this link on the NANOG list to his latest draft.

http://www.ripe.net/home/henk/draft-ietf-ippm-owmetric-as-01.txt

I was just thinking about some of our current tools like ping, hping, and traceroute, which measure round trip delay vs. one-way delay. RFC 2679 discusses numerous reasons for calculating one-way delay; however, would tools like ping and traceroute, with the existence of ping6 and traceroute6, be RFC 2679 compliant? I've not done any research at this point, but would operational tools in everyday use benefit from this new active measurement? Here's a pretty good link that explains the concept for the normal folks like myself.

Nigel
Re: STP and Switching ! [7:56061]
Jimmy,

I do not have the title you note in your post, but here are a few things to consider when identifying and trying to configure the root device within your network. An MDF or distribution switch, as you mentioned, depending on the network design, will more than likely provide both L2 connectivity to the IDF and L3 connectivity to the network core. Try and think of the operation within the MDF switch as totally separate processes, in which the switch speaks only L2 to the IDF but L3 to the network core. In this regard the MDF switch will be a part of STP calculations when designating a root device within the network. The fact that you see designated ports on the MDF switch is because it is the root, which suggests that it is winning the STP election.

A couple of things to look at would be the election process for root bridges, which goes as follows:

1. Lowest Root BID
2. Lowest path cost to Root Bridge
3. Lowest Sender BID
4. Lowest Port ID

Can you confirm that the MDF switch (switch D) isn't winning the election through some other means (i.e. a lower priority, via the set spanning-tree root command)? Also, this would depend on the switches and at what point they were both powered onto the network. What exactly do you mean by smaller MAC address? Do you care to post the MAC addresses of the MDF switch and switch C?

HTH
Nigel

----- Original Message -----
From: Jimmy
Sent: Tuesday, October 22, 2002 2:37 AM
Subject: STP and Switching ! [7:56061]

Hi,

I am confused by the CCNP exam certification guide (Cisco Press). It mentioned that a switch in the distribution layer would make a better root bridge choice than one in the access layer. I thought a distribution switch is layer 3, so STP is not necessary for it unless it is a flat switched network (pg. 178 of the book). In Figure 5.8 (pg. 176), I couldn't understand how Catalyst D is the DP for Catalyst E and F. I thought Catalyst C has priority over D since the MAC address is smaller. Is there any mistake? Can anyone please advise.

Where can I find the errata for the Cisco Press book? I have gone to ciscopress.com but couldn't find any. Can anyone give me the URL?

Cheers!
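The four-step tie-break above can be worked through in a few lines of code. This is an added example, not code from the original post or from the Cisco Press book it discusses: a Bridge ID is the 16-bit priority followed by the 48-bit MAC address, so a bridge given a lower priority wins the root election before any MAC address is compared, which is why a switch with a higher MAC can still be root. The switch names, priorities and MAC addresses are constructed values.

```python
"""Spanning-tree root election and designated-port tie-break, modelled in Python.

Added example (not from the post). Bridge IDs, priorities and MACs are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0..65535; 32768 is the usual default
    mac: str        # Catalyst-style "00-10-7b-42-b3-d6"

    def bridge_id(self) -> int:
        """8-byte Bridge ID as one integer: priority in the high 16 bits, MAC in the low 48."""
        if not 0 <= self.priority <= 0xFFFF:
            raise ValueError("priority must fit in 16 bits")
        mac = int(self.mac.replace("-", "").replace(":", ""), 16)
        if mac >> 48:
            raise ValueError("MAC must be 48 bits")
        return (self.priority << 48) | mac


def elect_root(bridges: List[Bridge]) -> Bridge:
    """Step 1 of the election in the post: the lowest Bridge ID becomes root."""
    return min(bridges, key=Bridge.bridge_id)


# A BPDU as heard on one segment: (root BID, root path cost, sender BID, sender port ID)
Bpdu = Tuple[int, int, int, int]


def designated_bpdu(bpdus: List[Bpdu]) -> Bpdu:
    """Steps 1-4 of the post's tie-break, applied left to right.

    Python compares tuples element by element, which is exactly that order:
    lowest root BID, then lowest path cost, then lowest sender BID, then lowest port ID.
    """
    return min(bpdus)


# Constructed scenario: C has the lowest MAC, but D was given a lower priority
# (the effect of the root-election command the post mentions).
C = Bridge("Catalyst C", 32768, "00-10-7b-00-00-01")
D = Bridge("Catalyst D", 8192, "00-10-7b-00-00-ff")
E = Bridge("Catalyst E", 32768, "00-10-7b-00-01-00")


def root_name(bridges: List[Bridge]) -> str:
    return elect_root(bridges).name


def demo() -> dict:
    """Root with the constructed priorities, root if priorities were equal, and the
    designated sender on a C/E segment where C has the lower path cost to the root."""
    root = elect_root([C, D, E])
    equal = [Bridge(b.name, 32768, b.mac) for b in (C, D, E)]
    segment = [
        (root.bridge_id(), 19, C.bridge_id(), 1),   # C: one 100 Mb/s hop from root
        (root.bridge_id(), 38, E.bridge_id(), 1),   # E: two hops from root
    ]
    return {
        "root": root.name,
        "root_if_equal_priority": elect_root(equal).name,
        "designated_sender_on_segment": designated_bpdu(segment)[2],
    }


if __name__ == "__main__":
    print(demo())
```

With equal priorities the lowest MAC (C) would indeed be root, which is the intuition in the question; once D's priority is lowered, D's Bridge ID is smaller regardless of MAC, and the path-cost comparison then decides which of C and E holds the designated port on their shared segment.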
Re: IP IRDP Feature? [7:56063]
Robert,

The first thing I would suggest reading is RFC 1256, which outlines the various extensions used by ICMP, which in turn are used by ICMP-RDP.

http://www.ietf.org/rfc/rfc1256.txt?number=1256

Cisco makes notable use of IRDP in their Mobile IP implementation. That would be a good place to begin looking from an operational perspective.

HTH
Nigel

----- Original Message -----
From: Robert Massiache
Sent: Tuesday, October 22, 2002 2:55 AM
Subject: IP IRDP Feature? [7:56063]

Hi,

I do not understand where exactly and in what context we enable this service on the interfaces. Could someone explain it to me... I would appreciate your help.

Thanks
Re: suppress-map with summary-only?? [7:55599]
Cisco Nuts,

I don't believe you need to use the optional keyword suppress-map to achieve your objective. Unless of course you're trying to find another way of achieving the same goal, for which you would still have no need for the summary-only keyword. Nonetheless, it would seem that the keyword summary-only should work with the command, as they perform the same function in generating an aggregate address, but by also suppressing the more specific routes.

HTH
Nigel

P.S. Let us know what your testing proves.

----- Original Message -----
From: Cisco Nuts
Sent: Monday, October 14, 2002 9:27 PM
Subject: suppress-map with summary-only?? [7:55599]

Hello,

Does the suppress-map work along with the summary-only keyword? I would only like to see the summary 13.0.0.0/8 but I keep seeing the rest of the networks. Here is the config:

R7-FR(config)#aggregate-address 13.0.0.0 255.0.0.0 suppress-map CHECK summary-only

route-map CHECK permit 10
 match ip address 21

access-list 21 permit 13.4.0.0 0.0.255.255
access-list 21 deny any

This works as it should: denies network 13.4.0.0/16 and permits the rest, 13.1.0.0/24, 13.2.1.0/24, 13.3.0.0/16 and 13.0.0.0. BUT I would only like to see the aggregate 13.0.0.0/8. Am I even asking the right thing here? :-) Just checking.

Thank you.
Sincerely.
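The two keywords do different jobs, which is what the exchange above turns on. The following is an added example, not code from the post or from IOS: it models summary-only (advertise the aggregate, suppress every more-specific) and suppress-map (advertise the aggregate, suppress only the more-specifics a permit clause of the route-map matches) as separate behaviours, using the prefixes, access-list and route-map from Cisco Nuts's config. How a particular IOS release arbitrates when both keywords are typed on one line is exactly the open question in the post, so the model does not claim an answer to it.

```python
"""BGP aggregate-address suppression modelled in Python.

Added example (not from the post or from IOS). Prefixes, the access-list wildcard
and the route-map are taken from the configuration in the post.
"""
import ipaddress
from typing import Callable, List, Optional

Net = ipaddress.IPv4Network


def acl_permits(prefix: Net, acl_address: str, wildcard: str) -> bool:
    """Standard ACL match: every bit that is 0 in the wildcard must be equal."""
    net = int(prefix.network_address)
    base = int(ipaddress.IPv4Address(acl_address))
    wc = int(ipaddress.IPv4Address(wildcard))
    return (net & ~wc) == (base & ~wc)


def route_map_check(prefix: Net) -> bool:
    """route-map CHECK permit 10 / match ip address 21, where
       access-list 21 permit 13.4.0.0 0.0.255.255 / access-list 21 deny any.
    In a suppress-map, a route that matches a permit clause is the one suppressed."""
    return acl_permits(prefix, "13.4.0.0", "0.0.255.255")


def advertised(routes: List[str], aggregate: str,
               summary_only: bool = False,
               suppress_map: Optional[Callable[[Net], bool]] = None) -> List[str]:
    """Prefixes that leave the router after aggregation, sorted."""
    agg = ipaddress.IPv4Network(aggregate)
    nets = [ipaddress.IPv4Network(r) for r in routes]
    # The aggregate is only generated when at least one component route exists.
    components = [n for n in nets if n != agg and n.subnet_of(agg)]
    if not components:
        return [str(n) for n in sorted(nets)]
    out = {agg} | {n for n in nets if n == agg or not n.subnet_of(agg)}
    for n in components:
        if summary_only:
            continue                                   # every more-specific suppressed
        if suppress_map is not None and suppress_map(n):
            continue                                   # only matched more-specifics suppressed
        out.add(n)
    return [str(n) for n in sorted(out)]


# The more-specifics Cisco Nuts reports seeing in his BGP table
BGP_TABLE = ["13.1.0.0/24", "13.2.1.0/24", "13.3.0.0/16", "13.4.0.0/16"]


def demo() -> dict:
    return {
        "no_suppression": advertised(BGP_TABLE, "13.0.0.0/8"),
        "summary_only": advertised(BGP_TABLE, "13.0.0.0/8", summary_only=True),
        "suppress_map": advertised(BGP_TABLE, "13.0.0.0/8", suppress_map=route_map_check),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The suppress-map result reproduces what the post observes (13.4.0.0/16 gone, the rest still advertised), while summary-only alone yields only 13.0.0.0/8, which is the outcome the poster actually wants.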
OT: Voice Equipment must have for any Home Lab. [7:55548]
All,

I've listed two pieces of equipment from my home lab for auction on eBay; here are the links.

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=2061687376
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItemitem=2061687561

Additionally, these devices will give you everything you need to practice VoIP/VoFr/VoATM. Both devices are MC3810's with 64 MB RAM / 16 MB Flash (this is a must to load 12.2(11)T). I also have an experimental image that came with the router which supports VoHDLC. For more information check the eBay listing.

Thanks
Nigel
Re: Nanog Post: redistribute bgp considered harmful [7:54961]
See inline...

----- Original Message -----
From: Howard C. Berkowitz
Sent: Sunday, October 13, 2002 4:31 PM
Subject: Re: Nanog Post: redistribute bgp considered harmful [7:54961]

At 4:13 PM + 10/13/02, Peter van Oene wrote:

At 11:30 PM 10/12/2002 +, Zim wrote:

I like this question. It seems to ponder the worth of a command based on the assumption that the command only exists to serve a purpose other than a real world application. Will an ISP ever need to redistribute BGP routes into the routing table of any IGP? Well, like so much in internetworking, it depends. But to take away something based solely on an assumption and perhaps a limited view from your side of the world makes no sense. In short, the flexibility should stay. Used or not, options are always good to have. Just my 4 cents (adjusted for inflation).

I would agree that options are nice to have, but ones that have a tendency to catastrophically affect one's entire network with a simple misconfiguration might demand some additional protection.

Actually, I'd argue that more and more options, more and more feature creep, lead to less reliable systems. Personally, I'd rather have to jump through a few more hoops in configuration than be exposed to features that haven't gone through adequate regression testing -- involving their interactions with other features.

NT: I agree that more features and options do translate into being less reliable from a code-level standpoint. However, within the developmental process these options and features do tend to provide greater insight or possibly foresight into future levels of protocol development. Also, as Micro$oft has proven so many times in the past... the best regression testing resides with the public at large. :-)

In the Internet Research Task Force work on Future Domain Routing, one of the needs expressed for next-generation exterior routing is greater people scalability, better options for automatic checking and even proving of configurations, etc.

There's no question that it is easier to prove routing policy at the more abstract level of RPSL than at the configuration language level.

NT: Another good point here is the need for automatic checking. I do feel, however, that this will unlikely become a reality. IMHO, much the same as with RPSL, in that the user must be somewhat proficient in order to fully appreciate/realize the benefits of the implementation. Another example is a recent thread on the NANOG list that addressed complete source route verification. The need will still have to be met with engineers and administrators knowledgeable on the implementation, whatever it may be. This is where those idiot knobs come in. Pro vs. con.

To answer the specific question, an ISP historically might have wanted to inject selected BGP routes into the IGP for purposes of best exit routing. I suggest, however, that best exit routing is probably better done with MPLS TE.

NT: There is no doubt that MPLS TE has/can provide best exit routing to rival any redistribution. Nonetheless, based on the recent thread on the list in regards to aggressive implementation and acceptance of MPLS, the question now remains how much one can depend on MPLS TE. I'll point everyone to this article:

http://www.nwfusion.com/newsletters/frame/2002/01550372.html

In watching a recent episode of Business Center, the CEO of Sprint noted that of the 27 or so organizations in the telecom/data sector, only two (AT&T/Sprint) of the companies are said to be generating positive revenue. I know AT&T is doing a lot of MPLS, so the question is... TO MPLS or NOT!

Protocol features become obsolete over time, although they may have seemed good ideas at the time: the OSPF Database Overflow feature, (E)IGRP link loading taken as part of a metric, etc. Other features, which may be even more relevant here, are no longer called for in the market -- witness the exodus of desktop protocols, LANE, etc., in the CCIE exam.

My one issue with the exodus of obsolete protocol features is how much of the obsolete code is actually removed from the code base. Furthermore, what effects will the user have to endure in using software that is in effect a burial ground of unwanted features/options? Oh yes, regression testing... I guess software development truly does have a life cycle :-)

Nigel

Nigel Taylor wrote in message news:[EMAIL PROTECTED]...

All, This was a recent post on the NANOG list which I thought could get some interest on the list. Basically, the poster is questioning the relevance or real world requirements/need for certain commands; in this case it's the redistribute bgp command. Here's the original post...

Sean Donelan wrote: Should the Service Provider version of routing software include the redistribute bgp command? Other than CCIE labs, I haven't seen a real-w
Re: Catalyst ATM blade to Marconi ASX-200WG [7:54948]
nettable_walker,

Here's a link that should shed some light on what you're trying to accomplish.

http://www.cisco.com/en/US/tech/tk39/tk42/technologies_configuration_example09186a0080093d65.shtml

(Watch the line wrap...)

Since you have a Dual-PHY LANE module, you should identify the MAC address of ports (A/B) for the various LANE elements on your Cat5k. The command show lane default should get you this information. All you need from the output is the last 7 bytes, which should be the device's MAC address and byte selector. This can be done by simply connecting to each port on the LANE module while they're active (issue the command preferred phy a/b while connected to the LANE module). Once you have this information you should be able to follow the link in constructing the LANE (LECS) database as well as the sub-interfaces and VLAN to ELAN bindings...

A really good book on the topic is Cisco ATM Solutions, authored by Galina Diker Pildush, ISBN 1578702135.

HTH
Nigel

----- Original Message -----
From: nettable_walker
Sent: Saturday, October 05, 2002 10:45 PM
Subject: Catalyst ATM blade to Marconi ASX-200WG [7:54948]

10/5/2002 9:50pm Saturday

I would like to connect the ATM blade on my Catalyst 5505 to a Marconi/FORE ASX-200WG. Can anyone guide me thru setting it up?

RLP_5505 (enable) sho module
Mod Slot Ports Module-Type               Model      Sub Status
--- ---- ----- ------------------------- ---------- --- ------
1   1    2     1000BaseX Supervisor IIIG WS-X5550   no  ok
2   2    2     MM OC-3 Dual-Phy ATM      WS-X5158   no  ok
3   3    24    10/100BaseTX Ethernet     WS-X5224   no  ok
4   4    24    10/100BaseTX Ethernet     WS-X5224   no  ok
5   5    24    10/100BaseTX Ethernet     WS-X5224   no  ok

Mod MAC-Address(es)                        Hw  Fw      Sw
--- -------------------------------------- --- ------- ---------------
1   00-90-bf-23-ac-00 to 00-90-bf-23-af-ff 1.2 5.1(1)  6.3(9)
2   00-10-7b-42-b3-d6                      2.1 1.3     12.0(22)W5(25)
3   00-10-7b-49-07-20 to 00-10-7b-49-07-37 1.4 3.1(1)  6.3(9)
4   00-10-7b-94-fb-30 to 00-10-7b-94-fb-47 1.4 3.1(1)  6.3(9)
5   00-10-7b-94-fc-20 to 00-10-7b-94-fc-37 1.4 3.1(1)  6.3(9)
RLP_5505 (enable)
OT: Nanog Post: redistribute bgp considered harmful [7:54961]
All,

This was a recent post on the NANOG list which I thought could get some interest on the list. Basically, the poster is questioning the relevance or real world requirements/need for certain commands; in this case it's the redistribute bgp command. Here's the original post...

Sean Donelan wrote:

Should the Service Provider version of routing software include the redistribute bgp command? Other than CCIE labs, I haven't seen a real-world use for redistributing the BGP route table into any IGP. If the command was removed (or included an "Are you sure?" question), what would the effect be on ISPs, other than improving reliability by stopping network engineers from fubaring a backbone?

Thoughts!

Nigel
Re: Off topic - Cisco's jazzy web site [7:54966]
Hey Chuck,

Yep, I noticed this as well. The greatest addition to the new site is the button/link (image) that reads Go to the old Site. After mastering where all the information is on CCO, it's going to take some time to familiarize myself with the new layout...

Nigel

----- Original Message -----
From: Chuck's Long Road
Sent: Sunday, October 06, 2002 10:46 AM
Subject: Off topic - Cisco's jazzy web site [7:54966]

Apparently the elves were busy last night. CCO has a new look.

www.cisco.com

--
www.chuckslongroad.info
like my web site? take the survey!
Re: AAA in console [7:54282]
Ryan,

I noted your earlier post on this topic and my first question is... what's the problem you're trying to solve? Configuring AAA on the console should be very straightforward; however, this could very easily change based on your identified or outlined requirements. A couple of questions:

1. Who will typically be accessing the console?
2. What will be authenticating the user? TACACS+/RADIUS/the router, etc.
3. Do you plan on using the local database should TACACS fail?
4. Will you have a redundant/secondary TACACS/RADIUS device?

I've seen some enterprises where they preferred not to have any passwords configured on the local device short of the enable secret, which should survive a password checker like Getpass. Of course the console password was left outside the scope of AAA, as it provided the only way to access the device if the TACACS/RADIUS server(s) were unreachable.

HTH
Nigel

----- Original Message -----
From: Newell Ryan D SrA 18 CS/SCBT
Sent: Thursday, September 26, 2002 5:53 PM
Subject: AAA in console [7:54282]

How can I configure authorization on the console port?
Re: password recovery on a Marconi/FORE ASX-200WG switch [7:52941]
Richard,

Once the switch boots up you should be able to use the AMI account to get in without a password. It's a whole lot like the C5k on bootup and password recovery. You just need to use the account AMI on login.

Nigel

From: nettable_walker
Reply-To: nettable_walker
To: [EMAIL PROTECTED]
Subject: password recovery on a Marconi/FORE ASX-200WG switch [7:52912]
Date: Mon, 9 Sep 2002 07:31:43 GMT

9/9/2002 2:22am Monday

Has anyone ever done this? I was able to break in to it @ bootup; it looks amazingly like a Cisco router, but I cannot figure out how to do it. Marconi's web site is actually more useless than Nortel's!!!

Thanks,
Richard //
Re: IPsec - what is wrong with this config? [7:52865]
Neal,

You'll also need to have the crypto maps added to the physical interface through which the tunnels are built. Paste a copy of the complete configs without the debug output. However, what I noted seems to be the only thing that stands out!

Watch the word wrap...
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141729

HTH
Nigel

----- Original Message -----
From: Neal Rauhauser
Sent: Saturday, September 07, 2002 7:41 PM
Subject: IPsec - what is wrong with this config? [7:52865]

I have two 1750s sharing an Ethernet hub - just trying to get IPsec on a tunnel between Ethernet interfaces and I am having trouble. This config seems close but I don't know what to do next. Here is the error I am getting when I try to ping the opposite end of the tunnel:

01:05:29: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
01:05:29: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:05:29: ISAKMP (1): sending packet to 192.168.6.50 (I) MM_NO_STATE.

-- this router is at the bottom of a three router stack

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key duh address 192.168.6.51
!
!
crypto ipsec transform-set MIDDLE ah-sha-hmac esp-des
!
crypto key pubkey-chain rsa
 named-key middle
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
   448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
   8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
  quit
 addressed-key 192.168.6.51
  address 192.168.6.51
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D081DF 26BC7013
   448EA3D2 5C0853FA E0E01770 06D6C4FE A57B165A 4BC25F0E 5FD517B1 12EEA345
   8C9CC44E DCDC705E AB6327F9 81868B14 CB2294F1 304611A2 A7020301 0001
  quit
!
crypto map MIDDLE2 local-address Tunnel0
crypto map MIDDLE2 10 ipsec-isakmp
 set peer 192.168.6.51
 set transform-set MIDDLE
 match address middle

interface Tunnel0
 ip address 192.168.6.50 255.255.255.0
 tunnel source 192.168.1.50
 tunnel destination 192.168.1.51
 tunnel mode ipip
 crypto map MIDDLE2
!
interface FastEthernet0
 ip address 192.168.1.50 255.255.255.0
 speed auto

--- this router is in the middle of a three router stack

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key duh address 192.168.6.50
!
!
crypto ipsec transform-set BOTTOM ah-sha-hmac esp-des
!
crypto key pubkey-chain rsa
 named-key bottom
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
   76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
   F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
  quit
 addressed-key 192.168.1.50
  address 192.168.1.50
  key-string
   305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B941FA 8C44F60C
   76199B3E DADDA933 F5EA1118 9F9410B0 E097836F 166FDC84 3FD06FA0 338E77AE
   F32142F4 D750F4F0 31844B70 099DD8B2 6F8753D7 70BD2BBA 03020301 0001
  quit
!
crypto map BOTTOM2 local-address Tunnel0
crypto map BOTTOM2 10 ipsec-isakmp
 set peer 192.168.6.50
 set transform-set BOTTOM
 match address bottom

interface Tunnel0
 ip address 192.168.6.51 255.255.255.0
 tunnel source 192.168.1.51
 tunnel destination 192.168.1.50
 tunnel mode ipip
 crypto map BOTTOM2
!
interface Serial0
 ip address 192.168.3.1 255.255.255.0
 clockrate 100
!
interface FastEthernet0
 ip address 192.168.1.51 255.255.255.0
 speed auto

--
Neal Rauhauser CCNP, CCDP
voice: 402-301-9555
mailto:[EMAIL PROTECTED]
fcc: k0bsd

I've seen the angels wearing their disguise, ordinary people leading ordinary lives - Tracy Chapman
Re: PDM [7:52870]
Kevin,

In answering your question... Yes, there is a PDM for routers as well. I believe it's called ConfigMaker :-)

Nigel

----- Original Message -----
From: Kevin O'Gilvie
Sent: Saturday, September 07, 2002 9:44 PM
Subject: PDM [7:52870]

PDM PDM PDM... I don't see why anyone uses PDM. With 6.X you can create groups, objects, etc., which really reduces the lines in your config. I am CLI all the way!!! Is there a PDM for routers too?? LOL!! Just my opinion... CLI helps you learn the IOS much better than PDM.

Cheers,
Kevin
OT: What exactly is GRIP..! [7:52640]
All,

I've been trying to obtain a greater understanding of Cisco's newest protocol enhancement technologies/mechanisms - GRIP.

http://www.cisco.com/warp/public/732/Tech/grip/learn.shtml

It seems very interesting, but seems to address some of the same issues already identified by the IETF and the various working groups. Mainly what caught my attention is the technology's claim to provide faster convergence times for the Border Gateway Protocol (BGP). Here's a link to the PDF document that discusses it a bit, but really only makes note of the user's (admin's) responsibility to use existing IOS mechanisms to speed up convergence.

http://www.cisco.com/warp/public/732/Tech/grip/docs/qa.pdf

Based on my past reading of RFCs like 2918 and 2439, and drafts like the Graceful Restart Mechanism, I couldn't find anything that identifies what GRIP implements to assist in convergence times. Has anyone looked at this or heard anything from the Cisco camp on exactly what it does from the BGP standpoint?

Thanks
Nigel
Re: RIP v2 authentication [7:52647]
Kelly,

What does the debug of the RIPv2 MD5 error look like? Try posting it (the debug of the authentication, I mean) to the list; I'm sure someone has seen the error before and can let you know if you've missed anything other than what you might have already covered.

Nigel

----- Original Message -----
From: Kelly Cobean
To: ccielab
Sent: Tuesday, September 03, 2002 11:07 PM
Subject: RIP v2 authentication

All,

I'm trying to use RIP v2 MD5 authentication and cannot seem to get it to work. I'm doing one of the FatKid labs and I've matched the RIP configuration that they list, but I continuously get the invalid authentication message when debugging RIP. I've got version 2 specified on both routers, and have the ip rip auth mode md5 and ip rip auth key test commands on the two joining interfaces, and I've got identical key-chains configured on both routers. Am I missing anything? I've even tried plain-text authentication and can't make it work.

Thanks.
Kelly
Re: RADB [7:51718]
Mohammed,

To answer your question, read this link...
http://www.radb.net/docs/servfaq.html#one

Then I would suggest you check out the RADB home page. There's quite a bit of good information on the site that will most likely answer your other questions.

http://www.radb.net/docs/servfaq.html
http://www.radb.net/

HTH
Nigel

----- Original Message -----
From: Mohammed Saro
Sent: Tuesday, August 20, 2002 3:23 AM
Subject: RADB [7:51718]

What is RADB? And what is the importance of sending updates for the BGP policies after updating the RIR like RIPE NCC?
A case for De-Aggregation in lieu of CIDR... [7:51448]
All,

I have a couple of questions in reference to a recent post on the NANOG list about possibly using de-aggregated routes. Now it's understood that there are some inherent flaws (thrashing and blackholing) associated with overpopulating the Internet route tables through de-aggregation, when we consider the reasoning behind the creation and implementation of CIDR. I recently revisited Avi Freedman's RealAudio stream on Controlled De-Aggregation using MEDs and larger aggregates (NANOG 9905). This got me to thinking! Based on what we already know of CIDR and the known disadvantages of de-aggregation, there are some possible advantages in Avi's suggestion of controlled de-aggregation.

Pointing back to W. B. Norton's Internet Service Providers and Peering and The Art of Peering, he makes some suggestions that cold-potato routing could be used to circumvent sub-optimal routing. There are a number of ways that cold-potato routing could be achieved, but as it relates to this discussion, wouldn't controlled de-aggregated routes and the use of MEDs provide another mechanism to achieving this objective? Is this a case of the ends don't justify the means?

Nigel
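The two knobs raised in the post work at different points of route selection, and that is worth seeing concretely. The following is an added example, not code from the post or from Freedman's or Norton's material: a small routing-table model in which a peer announces an aggregate at two interconnects with different MEDs and a de-aggregated more-specific at only one of them. Longest-prefix match decides first, so the more-specific pulls its traffic to one exit no matter what MED says; MED only breaks ties between identical prefixes. The BGP decision process is simplified to that single MED comparison (in real BGP, MED is normally compared only among paths from the same neighbouring AS, which is the case for two interconnects to one peer). Prefixes, exit names and MED values are constructed.

```python
"""Longest-prefix match versus MED as traffic-steering mechanisms.

Added example (not from the post). Prefixes, exits and MEDs are constructed;
BGP best-path selection is reduced to the MED comparison discussed in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Path:
    prefix: str      # e.g. "10.20.0.0/16"
    exit_peer: str   # interconnect the route was learned over
    med: int         # lower is preferred; only compared for the same prefix


def best_paths(paths: List[Path]) -> Dict[str, Path]:
    """Per prefix, keep the path with the lowest MED (simplified decision process)."""
    best: Dict[str, Path] = {}
    for p in paths:
        current = best.get(p.prefix)
        if current is None or p.med < current.med:
            best[p.prefix] = p
    return best


def lookup(best: Dict[str, Path], destination: str) -> Optional[Path]:
    """Forwarding lookup: the most specific matching prefix wins before MED matters."""
    addr = ipaddress.ip_address(destination)
    matches = [p for p in best.values() if addr in ipaddress.ip_network(p.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda p: ipaddress.ip_network(p.prefix).prefixlen)


# Constructed table: the peer announces its /16 at both interconnects, steering the
# bulk of the traffic west with a lower MED, and de-aggregates one /24 at east only.
RIB = [
    Path("10.20.0.0/16", "west", med=10),
    Path("10.20.0.0/16", "east", med=50),
    Path("10.20.5.0/24", "east", med=50),
]


def exit_for(destination: str, rib: List[Path] = RIB) -> Optional[str]:
    """Which interconnect carries traffic for `destination`, or None if unrouted."""
    chosen = lookup(best_paths(rib), destination)
    return chosen.exit_peer if chosen else None


if __name__ == "__main__":
    for dst in ("10.20.1.1", "10.20.5.9", "192.0.2.1"):
        print(dst, "->", exit_for(dst))
```

The model shows the trade-off the post is weighing: MED on the aggregate steers traffic without adding table entries but only influences the neighbour's tie-break, whereas a controlled more-specific is honoured by every router that accepts it, at the cost of one extra prefix in everyone's table.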
Re: OT: Nanog thread - Routing Protocol Security [7:51335]
Priscilla, comments inline...

----- Original Message -----
From: Priscilla Oppenheimer
Sent: Wednesday, August 14, 2002 2:40 PM
Subject: RE: OT: Nanog thread - Routing Protocol Security [7:51335]

Jeff Doyle is allowed to ask questions too. ;-)

NT: I do believe I've seen him ask questions... if I'm not mistaken I think they were rhetorical in nature. ;-)

Seriously, what was the gist of the responses? Are NANOG types concerned about routing protocol security vulnerabilities? I know that there's a lot of academic work going on in this area. If you search on routing protocol security in Google, for example, you'll come across lots of references to academic work, IEEE papers, a DARPA-sponsored Internet Infrastructure Protection project, etc.

NT: I believe the concern stems from a number of different issues which relate to the overall problem of global routing failures. There is mention of using IGPs and their services (http://www.phenoelit.de/irpas/index.html) to stage an attack on external protocols. I think the biggest issue is lack of standardization on authenticated routing information throughout the Internet. There are a number of papers that address the lack of these mechanisms (MD5, IR verification, secure route servers) being used by major players (within the Default Free Zone). As noted by another avid NANOG poster, Sean Donelan, there are a number of various things currently being used (http://www.merit.edu/mail.archives/nanog/msg02502.html) to prevent the likes of AS7007 from being repeated. However, I was also unable to find anything along the lines of progress made by the rpsec WG.

There's also an IETF Working Group for this topic, the Routing Protocol Security Requirements group or something of that sort (rpsec for short). But I couldn't find any Internet drafts from them!? (Just e-mail threads that didn't sound any more sophisticated than the wrangles we get into here! ;-)

On a philosophical note, we have to realize that the bad guys aren't going to do the expected things, and if they do, we will have already designed protection for them. I heard Paul Kocher (one of the creators of SSL I think and a security luminary) say at a recent conference, somewhat sarcastically, that the real adversaries lack the propriety to limit themselves to tidy attacks such as brute force, factoring, and differential cryptanalysis (the things we tend to protect against with huge keys, etc.).

NT: Yes, this does raise a good point; however, I must mention that there are flaws in the methods used to ensure routing information being propagated globally has been verified and/or authenticated. Nonetheless, with implementations like BGP/VPNs, PPVPNs and the constant growth of ISPs, W. B. Norton's papers - Internet Service Providers and Peering and The Art of Peering - suggest that with the exception of existing transit peering relationships, more and more providers will endeavor to enhance their services and attractiveness in an attempt to form direct peering relationships. This minimizes the access of predators intent on proving their ability to hack, crack and/or assimilate (Resistance is Futile ;-)...).

Nigel

Priscilla

Nigel Taylor wrote:

All, I was doing my usual reading of the NANOG mailing list and came across one of the more recent threads - Routing Protocol Security. What I found interesting was the name of the original poster, which noted, Jeff Doyle! Now, I'm sure there are quite a number of Jeff Doyles on the planet; however, this name does mean a lot to those of us who have had the privilege of owning Routing TCP/IP. Basically, I thought folks on the list would be interested in the question as it relates to the possible global effects based on current Internet routing policies, or lack thereof, on private-to-private, IXP peering or external peering in general.

As a side note, after reading the recently presented paper (NANOG 0202 mtg) ISP Essentials Supp by Barry Raveendran Greene and Philip Smith, http://www.nanog.org/mtg-0206/ppt/barry.pdf, I must say that BGPv4, the protocol, has made great strides in its operational enhancements. Possible vulnerabilities like the one noted in RFC 1948, or the points raised by Tim Newsham's paper called The Problem With Random Increments, are for the most part no longer valid/relevant possibilities. Furthermore, with the implementation of MD5 support and the possibility of BGP over IPsec, the future looks bright for the security of global routing. Of course, with the growing use of mostly layer 2 peering (between IXP peers) and MPLS/VPNs, the need to implement even greater security within BGP the protocol itself might become a NON-issue.

Thoughts anyone?

Nigel

HI,

Can any of you cite cases where an attack has been carried out against a network's routing protocol (BGP or OSPF in particular)? My apologies
OT: Nanog thread - Routing Protocol Security [7:51335]
All,

I was doing my usual reading of the nanog mailing list and came across one of the more recent threads - Routing Protocol Security. What I found interesting was the name of the original poster, which noted, Jeff Doyle! Now, I'm sure there are quite a number of Jeff Doyles on the planet, however this name does mean a lot to those of us who have had the privilege of owning Routing TCP/IP. Basically, I thought folks on the list would be interested in the question as it relates to the possible global effects based on current Internet routing policies, or lack thereof, on Private-to-Private, IXP peering or external peering in general.

As a side note, after reading the recently presented paper (nanog0202 mtg) ISP Essentials Supp by Barry Raveendran Greene and Philip Smith, http://www.nanog.org/mtg-0206/ppt/barry.pdf I must say that BGPv4, the protocol, has made great strides in its operational enhancements. Possible vulnerabilities like the one noted in rfc1948, or the points raised by Tim Newsham's paper called The Problem With Random Increments, are for the most part no longer valid/relevant possibilities. Furthermore, with the implementation of MD5 support and the possibility of BGP over IPSec the future looks bright for the security of global routing. Of course with the growing use of mostly layer 2 peering (between IXP peers) and MPLS/VPNs the need to implement even greater security within BGP the protocol itself might become a NON-issue.

Thoughts anyone

Nigel

HI,

Can any of you cite cases where an attack has been carried out against a network's routing protocol (BGP or OSPF in particular)? My apologies if this question is too far off-topic, but if anyone knows of such incidents it would be the members of this group.

Jeff Doyle

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51335t=51335
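Nigel's post above leans on BGP's MD5 support. As an added example (my own, not code from the thread, from Cisco, or from any router vendor), here is what that option actually computes: the RFC 2385 TCP MD5 signature that IOS `neighbor ... password` turns on. The peer addresses, ports, sequence numbers, key and the KEEPALIVE/NOTIFICATION payloads are constructed for the demo.

```python
"""RFC 2385 TCP MD5 signature option (the mechanism behind BGP 'neighbor X password').

Added example, not code from the thread or from any router vendor.  The peer
addresses, ports, sequence numbers, key and payloads below are constructed.
"""
import hashlib
import hmac
import struct

TCP_PROTO = 6
OPT_EOL = 0
OPT_NOP = 1
OPT_MD5_KIND = 19   # RFC 2385 option kind
OPT_MD5_LEN = 18    # kind + length + 16-byte digest


def _ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window,
                   payload: bytes, key: bytes, data_offset_words: int = 10) -> bytes:
    """MD5 over, in this order (RFC 2385 section 2):
       1. pseudo-header: src IP, dst IP, zero, protocol, TCP segment length
       2. TCP header with options excluded and checksum zeroed
       3. segment data
       4. the shared key
    data_offset_words is the header length including options as sent on the wire
    (20 bytes fixed + 20 bytes of options = 10 words here)."""
    seg_len = data_offset_words * 4 + len(payload)
    pseudo = _ip4(src_ip) + _ip4(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset_words << 4, flags, window, 0, 0)
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_md5_option(digest: bytes) -> bytes:
    """Option bytes as they appear on the wire; two NOPs pad the 18-byte option
    to a 4-byte boundary (the option bytes themselves are NOT covered by the digest)."""
    return bytes([OPT_NOP, OPT_NOP, OPT_MD5_KIND, OPT_MD5_LEN]) + digest


def verify_md5_option(options: bytes, expected: bytes) -> bool:
    """Receiver side: walk the TCP option list, find kind 19 and compare in
    constant time.  A segment with no option or a wrong digest is dropped."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                      # malformed option, stop parsing
        length = options[i + 1]
        if kind == OPT_MD5_KIND and length == OPT_MD5_LEN:
            return hmac.compare_digest(options[i + 2:i + length], expected)
        i += length
    return False


# Constructed session: peer 10.0.0.2:53011 -> local 10.0.0.1:179, key "s3cret".
PEER = dict(src_ip="10.0.0.2", dst_ip="10.0.0.1", src_port=53011, dst_port=179,
            seq=0x1000, ack=0x2000, flags=0x18, window=16384)
KEY = b"s3cret"
# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
# A BGP NOTIFICATION (type 3, Cease) an attacker might try to inject to tear the session down.
INJECTED_NOTIFICATION = b"\xff" * 16 + struct.pack("!HB", 21, 3) + b"\x06\x00"


def demo():
    """Sign a KEEPALIVE, then show that a forged payload and a wrong key both fail."""
    good = tcp_md5_digest(payload=KEEPALIVE, key=KEY, **PEER)
    options = build_md5_option(good)
    # What the receiver computes over a segment whose payload was swapped in transit:
    forged = tcp_md5_digest(payload=INJECTED_NOTIFICATION, key=KEY, **PEER)
    # What a third party without the key can produce at best:
    wrong_key = tcp_md5_digest(payload=KEEPALIVE, key=b"guess", **PEER)
    return {
        "accepted": verify_md5_option(options, good),
        "forged_payload_accepted": verify_md5_option(options, forged),
        "wrong_key_accepted": verify_md5_option(options, wrong_key),
    }


if __name__ == "__main__":
    print(demo())
```

What the digest buys you: a third party who does not hold the key cannot inject a segment or a RST into the session, which is the blind-attack class the post associates with rfc1948 and Newsham's paper. What it does not buy you: any check on the prefixes a peer that does hold the key announces, and nothing against an attacker who already has the key. RFC 2385 was later obsoleted by TCP-AO (RFC 5925), which keeps the same idea with stronger MACs.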
Re: * Routing/Subnetting question [7:51193]
James,

See inline..

- Original Message -
From: James Wilson
To:
Sent: Sunday, August 11, 2002 12:34 PM
Subject: * Routing/Subnetting question [7:51193]

I have a 1750 with a /29 assigned to me, and I need to create a DMZ to put a DNS server on so that I can control access using CBAC. My FastEthernet interface is trunked to a Cat 2924. I'd like to have the /29 on one subinterface which talks to PacBell's router, and take a /30 out of the /29 and put it on another subinterface so that I can hang the DNS server off a port on that VLAN using a public IP address.

NT: Why would you vlan traffic from your ISP instead of using the extra interface (eth0/0)? You must consider a number of things when using your existing design. Firstly, the interface you're referring to as a FE interface is shown in the cisco catalog as a 10/100 ethernet interface. Secondly, please note that based on your current traffic utilization what kind of performance could be achieved/expected on the physical interface (the subs are technically part of the same physical NIC/transceiver). On the area of addressing you might want to take a look at the following links which could answer some of your questions as they apply to addressing (VLSM in particular).

http://www.3com.com/other/pdfs/infra/corpinfo/en_US/501302.pdf (watch the wrap)
http://www.ietf.org/rfc/rfc3021.txt?number=3021

I'd also like to use static NAT addresses out of the /29 including what would be an all zero or all one address out of the /30. My thought is that this would work since the NAT will take place via the subinterface on the /29 (ip nat outside), and the only time the /30 will come into play is with traffic destined to the DNS server, which is not NAT'ed. This would allow me to have routing and CBAC protection for the host on the /30 net and not lose the ability to use those addresses which would normally be lost from the /30 all zeros and all ones addresses by using them for static NAT entries for hosts on the private IP side of my network. When I go to assign an address out of the /30 to the subinterface facing the DMZ I get a message stating that the addresses overlap the other interface. Will this still work the way I believe it will? Would it make a difference if I use my currently shut down Eth0/0 interface instead of the trunked Fa0/0?

IMHO, based on what you're trying to accomplish here are my recommendations...

1. Depending on the type of connection you make to your provider (10MB or 100MB) I would configure the port (and that port only) for connectivity to my provider. I'm not sure if you currently have a requirement to be connected to your provider at 100MB, but if you did, I would suggest you look into purchasing another device like the 2620/21 or 265x model.

2. I would again recommend that you follow the links I listed above. Also, please note most of your presumptions are incorrect. What you observed in the message "overlap the other interface" is correct. With a /29 of any address block you only have 2 bits to be used as subnet bits. Furthermore, if you were to use a /30 mask on the interface then the all 1s and all 0s are unusable, using NAT or not. The emphasis here is that although the router's NAT configuration might (haven't confirmed this) allow you to create the static mapping, the end host will not allow you to assign the 1s and 0s using the /30 mask.

3. Your options here are as follows.. Request your provider to allow you to make the /29 into /30 (or even a /31 [1]) on the WAN connection. (Assuming you're not using any dynamic routing protocols, this would simply require a static route (for the /29) in the provider's edge device.) This would then allow you to make more efficient use of the /29 and provide address space to fill your DMZ requirement. So let's say you have the address 172.16.10.0/29, this would then allow the following:

172.16.10.0/30 with the valid IPs being .1, .2, and .3 for broadcast.
172.16.10.4/30 with the valid IPs being .4, .5, and .6 broadcast.

Doing this now allows you to configure the ISP connection, and it allows for the use of an additional device on the DMZ apart from the DNS server you noted. Finally, you can now implement NAT (using rfc1918 compliant addresses) on what you determine to be the inside network connection/interface. Your NAT configuration would have to be configured for overlapping (makes use of port mappings). In this design you will not have a need to manually configure any static NAT mappings for services on the DMZ. As well, you should have no problem using CBAC as you noted to monitor and filter traffic to and from the DMZ.

HTH

Nigel

[1] I'm not sure how many providers (ISPs) currently use or will allow their customers to use the /31 subnet. However, the /30 shouldn't be a problem.

Thanks for your time/help!
--
James D. Wilson, CCDA, MCP
Sr. Network/Security Engineer
non sunt multiplicanda entia praeter
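To make the address arithmetic in option 3 checkable, an added example (mine, not from the thread) that splits the same 172.16.10.0/29 and prints the network, usable and broadcast addresses per /30, and per /31 under RFC 3021 (the link cited above). It also reproduces the overlap check that produced the "addresses overlap the other interface" message in James's original plan. The interface names are assumed.

```python
"""Carving a provider /29 for a DMZ, and why the router said the addresses overlapped.

Added example, not from the thread.  172.16.10.0/29 is the block the reply uses;
the subinterface names are assumed.
"""
import ipaddress


def carve(block: str, new_prefix: int, rfc3021: bool = False):
    """Split block into new_prefix subnets and report the usable addresses in each.

    Classic rule: the all-zeros (network) and all-ones (broadcast) addresses are
    not assignable, so a /30 yields 2 hosts.  RFC 3021 lets a /31 use both
    addresses on a point-to-point link, with no broadcast address at all."""
    net = ipaddress.ip_network(block, strict=True)
    result = []
    for sub in net.subnets(new_prefix=new_prefix):
        addrs = [str(a) for a in sub]
        if sub.prefixlen >= 31:
            if not rfc3021:
                raise ValueError(f"{sub}: /31 needs RFC 3021 support on both ends")
            result.append({"subnet": str(sub), "usable": addrs, "broadcast": None})
        else:
            result.append({"subnet": str(sub), "usable": addrs[1:-1], "broadcast": addrs[-1]})
    return result


def overlaps(plan):
    """plan = [(interface, 'addr/prefix'), ...].  Returns the interface pairs whose
    connected networks overlap; IOS refuses the second address of such a pair,
    which is the error the original poster saw."""
    nets = [(name, ipaddress.ip_interface(addr).network) for name, addr in plan]
    clashes = []
    for i, (a_name, a_net) in enumerate(nets):
        for b_name, b_net in nets[i + 1:]:
            if a_net.overlaps(b_net):
                clashes.append((a_name, b_name))
    return clashes


# Constructed plans.  The first keeps the whole /29 on the ISP-facing
# subinterface and tries to reuse part of it on the DMZ, as the poster did.
ORIGINAL_PLAN = [("Fa0/0.1", "172.16.10.1/29"), ("Fa0/0.2", "172.16.10.5/30")]
# The second follows the reply: split the /29 into two /30s, one per link.
SPLIT_PLAN = [("Fa0/0.1", "172.16.10.1/30"), ("Fa0/0.2", "172.16.10.5/30")]

if __name__ == "__main__":
    for row in carve("172.16.10.0/29", 30):
        print(row)
    for row in carve("172.16.10.0/29", 31, rfc3021=True):
        print(row)
    print("original plan clashes:", overlaps(ORIGINAL_PLAN))
    print("split plan clashes:   ", overlaps(SPLIT_PLAN))
```

The /31 path is gated behind an explicit flag because the host at the far end (here the provider's edge) must also implement RFC 3021, which is exactly the reservation made in footnote [1].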
Re: anyone ever tried to convert a 2502 to a 2501 ? [7:51201]
nettable_walker,

The changes in the lab to remove token ring, as Howard suggested, now make equipment affordable to just about anyone. The emphasis here being.. token or ethernet, they all provide a way to test the theory and your understanding of protocol implementation. With the 3920 and some token ring NICs in your PC.. you should have the full lab complement.

Question? Why would you want to spend $100 (ea) to make the conversion, anyway!

Nigel

- Original Message -
From: nettable_walker
To:
Sent: Sunday, August 11, 2002 3:03 PM
Subject: anyone ever tried to convert a 2502 to a 2501 ? [7:51201]

8/11/2002 2:05pm Sunday

Professionals,

Like a lot of other people preparing for the CCIE lab I have several 2502's and a Catalyst 3920. Now that token ring is OFF the CCIE R/S lab has anyone devised a way to replace that interface with a 10baseT interface? Even if it were $100 per router, that would be cool to do.

Richard //

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51204t=51201
Re: Routing with IP Unnumbered Loopback [7:50581]
Tunji,

See inline...

- Original Message -
From: Tunji Suleiman
To:
Sent: Saturday, August 03, 2002 5:20 AM
Subject: Routing with IP Unnumbered Loopback [7:50581]

Hi all,

I am reposting this because there were no responses to the first post. I am trying to conserve IP addresses by using private IPs for dialin users.

NT: Ok, so as you mentioned you're trying to conserve IP addresses by using private IPs for dialin users. Question? When you make use of those private (rfc1918) addresses are they routable?

From clients I can dial in to network but can't get beyond 3640 NAS, can't even ping 3640 E0/0 LAN IP address. From 3640, I can ping Lo0 from E0/0 and vice versa; I can ping connected client on any Async sourcing Lo0, but not E0/0; and I can ping Internet hosts eg www.yahoo.com sourcing e0/0 but not loopback0.

To answer part of the question; Yes the outbound packet will be routable only because you have a 0/0 route, that will route any packet to the next-hop based on the static default route. We all know routing is bi-directional (I'm hoping :-), which now begs the question, How does this private block of IPs you use get routed back to you (your network)? Will anyone in the Internet route these packets back to you? Once you answer these questions.. then check out this link!

http://www.cisco.com/warp/public/556/12.html

HTH

Nigel

From 2611 Internet gateway, I can ping 3640 E0/0 and Lo0, but not a connected dialin user on any Async with private IP address assigned by 3640 from IP pool. I have a routing issue that makes traffic in both directions get to and disappear at 3640 Lo0, but strangely all necessary routes (that I can think of) are installed in the route tables. Can somebody pls point out what I'm missing? Below are my configs and route tables:

3640-NAS Config:

interface Loopback0
 ip address 192.168.200.254 255.255.255.0
!
interface Ethernet0/0
 ip address 216.199.175.12 255.255.255.224
!
interface Group-Async1
 ip unnumbered Loopback0
 peer default ip address pool PRIVATE
!
router eigrp 10
 network 192.168.1.0
 network 192.168.200.0
 network 216.199.175.0
 no auto-summary
!
ip local pool PRIVATE 192.168.200.41 192.168.200.88
ip classless
ip route 0.0.0.0 0.0.0.0 216.199.175.1

3640-NAS Route Table:

Gateway of last resort is 216.199.175.1 to network 0.0.0.0

     216.199.175.0/27 is subnetted, 1 subnets
C       216.199.175.0 is directly connected, Ethernet0/0
     192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.200.52/32 is directly connected, Async101
C       192.168.200.0/24 is directly connected, Loopback0
     192.168.1.0/30 is subnetted, 1 subnets
D       192.168.1.0 [90/2195456] via 216.199.175.1, 00:58:16, E0/0
S*   0.0.0.0/0 [1/0] via 216.199.175.1

2611-Gateway Config:

interface Ethernet0/0
 ip address 216.199.175.1 255.255.255.224
!
interface Serial0/0
 ip address 192.168.1.2 255.255.255.252
!
router eigrp 10
 network 192.168.1.0
 network 192.168.200.0
 network 216.199.175.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1

2611-Gateway Route Table:

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     216.199.175.0/27 is subnetted, 1 subnets
C       216.199.175.0 is directly connected, Ethernet0/0
     192.168.200.0/24 is subnetted, 1 subnets
D       192.168.200.0 [90/409600] via 216.199.175.12, 07:51:45, Et0/0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.1

TIA

Tunji

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50583t=50581
Re: Routing with IP Unnumbered Loopback [7:50581]
Tunji,

I think the reasoning behind Ciaron's suggestion was to limit the propagation of the various host routes generated by the addition of every user that made a dialin connection. This would have quite an impact depending on the size of your network.

Based on the configs you posted, I was working on the assumption that the 3640 device, eth0 was on a globally routable IP segment. I must admit I'm a bit lost! I do have a few questions on which device acts as your CE, and how does it connect to your ISP's PE device. You mentioned that the 2611 (Internet gateway) has an rfc1918 compliant address assigned to the serial connection between you and your ISP, is this correct? This is not a problem as some providers tend to use this option. There have been a number of different threads that discussed the pros and cons of this approach.

You mentioned that NAT did not seem to work. What debugs did you use to confirm or isolate the problem for what you observed?

The 2611 at the moment is, as you mentioned, not the problem, however I would like to see the entire configuration of the 3640 NAS device. There is definitely something incorrectly configured that is responsible for any of the async connected devices' inability to reach the e0 (directly connected) interface.

Nigel

- Original Message -
From: Tunji Suleiman
To:
Sent: Saturday, August 03, 2002 2:22 PM
Subject: Re: Routing with IP Unnumbered Loopback [7:50581]

Thanks Ciaron and Nigel,

I removed the route statements network 192.168.200.0 and network 192.168.1.0 from the 2611 and 3640 respectively, without any effect on the route tables. Apparently, the eigrp process informs the routers of the connected networks on the far sides of each other, making the network statements unnecessary.

I posted the most relevant parts of the configs, assuming it will be obvious that my ppp config is ok, since I can dialin to the 3640. The 3640 is a production NAS connecting users b4 with a global IP pool. I would have configured NAT on the 2611 Internet gateway, but even that has an rfc1918 address on the serial link to the Internet. What I did was configure NAT on the 3640, making the Lo0 the inside and E0/0 the outside. But even that is not working, with traffic both ways ending at Lo0. If I can get a dialin user on the async line to ping e0/0 of the 3640, then the issue should be resolved.

TIA

From: Nigel Taylor
Reply-To: Nigel Taylor
To: [EMAIL PROTECTED]
Subject: Re: Routing with IP Unnumbered Loopback [7:50581]
Date: Sat, 3 Aug 2002 10:17:44 GMT

Tunji,

See inline...

- Original Message -
From: Tunji Suleiman
To:
Sent: Saturday, August 03, 2002 5:20 AM
Subject: Routing with IP Unnumbered Loopback [7:50581]

Hi all,

I am reposting this because there were no responses to the first post. I am trying to conserve IP addresses by using private IPs for dialin users.

NT: Ok, so as you mentioned you're trying to conserve IP addresses by using private IPs for dialin users. Question? When you make use of those private (rfc1918) addresses are they routable?

From clients I can dial in to network but can't get beyond 3640 NAS, can't even ping 3640 E0/0 LAN IP address. From 3640, I can ping Lo0 from E0/0 and vice versa; I can ping connected client on any Async sourcing Lo0, but not E0/0; and I can ping Internet hosts eg www.yahoo.com sourcing e0/0 but not loopback0.

To answer part of the question; Yes the outbound packet will be routable only because you have a 0/0 route, that will route any packet to the next-hop based on the static default route. We all know routing is bi-directional (I'm hoping :-), which now begs the question, How does this private block of IPs you use get routed back to you (your network)? Will anyone in the Internet route these packets back to you? Once you answer these questions.. then check out this link!

http://www.cisco.com/warp/public/556/12.html

HTH

Nigel

From 2611 Internet gateway, I can ping 3640 E0/0 and Lo0, but not a connected dialin user on any Async with private IP address assigned by 3640 from IP pool. I have a routing issue that makes traffic in both directions get to and disappear at 3640 Lo0, but strangely all necessary routes (that I can think of) are installed in the route tables. Can somebody pls point out what I'm missing? Below are my configs and route tables:

3640-NAS Config:

interface Loopback0
 ip address 192.168.200.254 255.255.255.0
!
interface Ethernet0/0
 ip address 216.199.175.12 255.255.255.224
!
interface Group-Async1
 ip unnumbered Loopback0
 peer default ip address pool PRIVATE
!
router eigrp 10
 network 192.168.1.0
 network 192.168.200.0
 network 216.199.175.0
 no auto-summary
!
ip local pool PRIVATE 192.168.200.41 192.168.200.88
ip classless
ip route 0.0.0.0 0.0.0.0 216.199.175.1

3640-NAS Route Table
Re: blocking spam with cisco routers [7:48971]
George,

Priscilla brings up a good point in that this will not be easy. The most important issue here, as Priscilla pointed out, is going to revolve around the architecture of your networks or the network you use for connectivity (to the rest of the world).

Some other questions that may apply are very specific to your email services. If you have your own domain and don't relay any mail for specific purposes, then this will help, however mail directly addressed to your domain's users will be delivered. The problem here is how do you determine who is allowed to send you email. This is somewhat of an impossible task because there's no real way of identifying your SMTP-specific Community of Interest (COI). The reason being that smtp (tcp) connections are made from any server to server (your server) for the delivery of mail. I'm sure your smtp requirements are much like the typical domain, in which filtering inbound mail falls outside the area of the routed network. It's one thing to filter a specific host or number of hosts to prevent the spread of a new virus. This would still only be accomplished through monitoring of existing smtp traffic flows, in which you could address the issue by resolving the source of the infected mail traffic. Again, the traffic is only identified based on a criteria which can now be tracked or filtered.

Where I'm going with this is that the only effective way of containing spam is by identifying who is sending it and most importantly what subject lines are being used in the SPAM email received. This is important because you might not want to block or filter all mail inbound from hotmail.com so finding another way to identify the spam is very important. I'm not sure of the flexibility of Micro$oft's exchange to filter mail based on subject lines but, I know that sendmail (the best mail server) through the use of the cf file can aid in this process. There is assistance in the form of various programs that do this type of filtering, however the need to provide the rules for the filter still falls within the area of monitoring and prevention.

Currently, we use Solaris on all of our mail servers (16 of them). We do relay mail for all or most of our users and with some scripting and MySql was able to compile a database of the domains and subject lines of typical spam specific emails. All inbound email is processed through this script which will tag the spam email and forward it into a separate mail server queue for profiling (to check the validity), before being forwarded to the user. We have just begun to use a program called SPAM Assassin which uses our daily updated list of spammers and subject lines.

HTH

Nigel

P.S. Please note the use of Howard-isms in this email..:-

- Original Message -
From: Priscilla Oppenheimer
To:
Sent: Tuesday, July 16, 2002 10:50 PM
Subject: Re: blocking spam with cisco routers [7:48971]

Brad Ellis wrote:

Yup, use an access list filtering IPs on port 25 (only allow yours through)

Yes, but, other SMTP servers for legitimate reasons are also going to be opening TCP sessions to port 25 because they have e-mail to send to your users. It's not as easy as it sounds. I guess it depends on the ISP's network architecture too. We have a challenge where I work in that our users are on cable modems that connect to the cable provider (which isn't technically us). Their e-mail requests come into our network on the same interface that all Internet traffic comes in on.

Priscilla

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
[EMAIL PROTECTED]
Cisco home labs: www.optsys.net

GEORGE wrote in message [EMAIL PROTECTED]:

Hi all

I have a question, I configured my e-mail server to only accept local e-mail, and deny other relay, however I'm still vulnerable to spam. My question is how do the ISPs block other e-mail going to their smtp? Do they do it by access-list? Allowing only the local network with port 25? Or just the e-mail server? If cisco routers have to be involved does anyone have some links. I'm behind a pix and would like to allow only my network to use smtp.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48994t=48971
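An added example, mine rather than Nigel's script or SpamAssassin, of the tag-and-divert approach his reply describes: match the sender domain and the subject line against a list, mark hits, and route them to a separate queue for review instead of to the user. The block lists and the two messages are constructed. It lives on the mail host, which is where Priscilla's point leaves the problem: an ACL on port 25 cannot tell a spammer's MTA from a legitimate one, because both open TCP sessions to the same port.

```python
"""Tagging inbound mail by sender domain and subject line, in the spirit of the
script described in the post above.

Added example, not the poster's script.  The block lists and both messages are
constructed, not real spam samples.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Stand-in for the database of spamming domains and subject lines.
BLOCKED_DOMAINS = {"bulkmailer.example", "cheap-meds.example"}
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^ADV:",                                   # self-labelled advertising
    r"\bfree\s+money\b",
    r"\bmake\s+\$?\d+.*\b(?:per|a)\s+(?:day|week)\b",
)]


def _domain(header_value) -> str:
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def classify(msg) -> list:
    """Return the reasons a message looks like spam (empty list = clean).

    Both the envelope sender (Return-Path, what the SMTP session presented)
    and the From header (trivially forged) are checked against the domain list."""
    reasons = []
    for name in ("Return-Path", "From"):
        dom = _domain(msg.get(name))
        if dom in BLOCKED_DOMAINS:
            reasons.append(f"{name.lower()}-domain:{dom}")
    subject = str(msg.get("Subject", ""))
    for pat in SUBJECT_PATTERNS:
        if pat.search(subject):
            reasons.append(f"subject:{pat.pattern}")
    return reasons


def route(raw: bytes):
    """Parse one raw RFC 822 message, tag it, and return (queue, message):
    'review' holds it for a human to confirm, 'deliver' passes it through."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = classify(msg)
    if reasons:
        msg["X-Spam-Flag"] = "YES"
        msg["X-Spam-Reason"] = "; ".join(reasons)
        return "review", msg
    return "deliver", msg


# Constructed samples.
SPAM = b"""Return-Path: <offers@bulkmailer.example>
From: "Your Bank" <security@bank.example>
To: user@groupstudy.example
Subject: ADV: Free money for new members

Click here.
"""
HAM = b"""Return-Path: <jdoe@colleague.example>
From: Jane Doe <jdoe@colleague.example>
To: user@groupstudy.example
Subject: Re: OSPF load balancing over 3 T1s

See you on the list.
"""

if __name__ == "__main__":
    for raw in (SPAM, HAM):
        queue, tagged = route(raw)
        print(queue, tagged.get("X-Spam-Reason"))
```

The sample spam forges a bank in the From header but keeps its own domain in Return-Path; matching only on From would miss it, which is why the envelope sender is checked first.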
Re: Route Reflection with Multiple POPs [7:48509]
All,

Being one of the folks currently reading Howard's most recent book titled - Building Service Provider Networks, I must say that I'm enjoying the various points being addressed by this thread. Also, this does remind me of an article in the 2nd Qtr edition of Packet Magazine titled, ISP Dial Network Design using BGP. http://www.cisco.com/warp/public/784/packet/techtips.html#1 Good article!

Howard, I just wanted to be sure that I didn't misunderstand what you said...

Could very well be. Remember, the core IGP routers are only interested in infrastructure, and, in a carrier environment, there is no excuse for having a very clean hierarchical addressing structure.

Did you mean there is no excuse for [not] having a very clean hierarchical addressing structure, or am I missing something, as always..:-

TIA

Nigel

- Original Message -
From: Howard C. Berkowitz
To:
Sent: Wednesday, July 10, 2002 7:22 PM
Subject: RE: Route Reflection with Multiple POPs [7:48509]

At 10:27 PM + 7/10/02, Lupi, Guy wrote:

I know that you can run confederations and reflectors, and separate levels of reflection, which Cisco refers to as nested reflection. Now my question is, how would you set up your bgp peering? Due to financial constraints I would imagine that the best thing to do would be to have one circuit from POP router 1 to core router 1, and another circuit from POP router 2 to core router 2.

Not sure what you are picturing as POP router. If you mean POP aggregation router, yes. There might be an outer core of reflectors connected to multiple POPs, and then a full iBGP mesh among the reflectors in the inner core.

Assuming that you are only running BGP in the core, and that the clients have to have a session with each reflector, how would you communicate the loopback addresses of all the routers to each other?

I tend to take the opposite view. In a network not using QoS, the core may or may not need to run BGP at all, or a relatively small number of BGP routes (e.g., the aggregate addresses for POPs). The critical thing to realize is the core is infrastructure, and its job is internal interconnection.

Are static routes used in this situation?

Could very well be. Remember, the core IGP routers are only interested in infrastructure, and, in a carrier environment, there is no excuse for having a very clean hierarchical addressing structure.

Thanks to all of the people who responded by the way, I appreciate the direction. Ever feel like you know so much, only to read a book and find out that you know so little :)?

*-Original Message-
*From: Peter van Oene [mailto:[EMAIL PROTECTED]]
*Sent: Wednesday, July 10, 2002 3:00 PM
*To: [EMAIL PROTECTED]
*Subject: Re: Route Reflection with Multiple POPs [7:48509]
*
*Couple thoughts. First off, one can confederate and reflect at the same time (ie rr clusters inside sub-as's). Also, keep in mind that these techniques deal with control, not forwarding and thus it is possible, and somewhat common, to have a RR hierarchy that does not map directly to the physical topology. I tend to see an arbitrary set of core routers (from 2-20ish) that form the central IBGP mesh with the second level of the hierarchy being formed by lead major pop routers, or dedicated route servers (ie one armed routers that simply reflect routes). I personally try to keep the topology as flat as possible (ie less than 4 levels in the hierarchy) but I don't have any particular technical driver for that other than to minimize complexity and aid troubleshooting.
*
*Of note, this assumes you are reflecting full routes throughout your backbone. I've seen providers try and reflect partial routes to areas of their backbone to allow for smaller routers where RR topologies can lead to blackholes. In general, if you are reflecting all routes, you shouldn't run into issues here.
*
*I
*
*At 04:42 PM 7/10/2002 +, Lupi, Guy wrote:
*Let me preface this by saying that I am trying to learn more about large scale BGP design and operation. This question is on route reflectors when you have multiple POPs in separate IGP domains. If you currently have one POP and are going to move to 2 within the same AS, you can either run full mesh (doesn't scale), reflectors, or confederations. Assuming you don't currently have a central core that the POPs connect back to, how well does reflection scale? I was reading Building Service Provider Networks [Berkowitz], and it states that iBGP doesn't scale well once you go above 15-20 sessions per router. It also states that most ISPs run reflectors instead of confederations, but I believe that statement is being made under the assumption that the ISP will have a central core to which the POPs will connect. This would indicate to me that assuming you don't have a central core, one could only connect 6 or
Re: Some IETF work of interest [7:48271]
Howard,

Thanks for the links. I must say that this does clarify a lot of things (about BGP definitions) and gives me so much to think about. I'll be reading this one a couple more times, before I start asking a bunch of questions..:- Very nice draft. Now the simple folk can get a better understanding of what's really happening.

With all this talk of planes lately, I wonder if anyone has defined the various planes on which the human brain works? In thinking about it.. I don't want to know.

Thanks

Nigel

- Original Message -
From: Howard C. Berkowitz
To:
Sent: Sunday, July 07, 2002 12:38 PM
Subject: Some IETF work of interest [7:48271]

The BGP convergence team (including Cisco and Juniper) in the IETF has just posted the latest version of the BGP Benchmarking Terminology draft, which we think is about ready for Informational RFC -- it will go out for WG and IESG Last Call in the next couple of weeks. A good deal of the work clarified what we found to be ambiguous BGP terminology that is operationally important. It may help some of you with understanding.

http://www.ietf.org/internet-drafts/draft-ietf-bmwg-conterm-02.txt

There is a related draft for OSPF, in a little earlier phase of development:

http://www.ietf.org/internet-drafts/draft-bmwg-ospfconv-term-00.txt

There are also methodology drafts for both protocols. I've just started on an applicability protocol draft, which hopefully will be cross-protocol. As soon as I have something a little more together, I'll send it in as an I-D, and may have a rough draft mailed to the working group and posted on the Gett research website.

--
What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me***
Howard C. Berkowitz [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48283t=48271
Re: 3 T1s - 2 cisco routers - OSPF - configuration problems [7:48054]
James,

I would have to say that depends. I don't know what you have in mind, so if you could provide more information as to what you're trying to accomplish, I'm sure any number of folks on the list would willingly offer a solution to your problem.

HTH

Nigel

- Original Message -
From: James Montigny
To:
Sent: Wednesday, July 03, 2002 10:27 AM
Subject: 3 T1s - 2 cisco routers - OSPF - configuration problems [7:47999]

Can anyone explain how to get cisco routers running OSPF to load balance traffic on 3 or more T1s? As I understand it, OSPF load-balancing handles 4-6 simultaneous connections. Yet I hear rumors that getting any more than 2 requires some creativity. Can anyone elaborate?

=
James D Montigny, MCSE, MCP+I, CCNA
Network Engineer
(913)205-6486

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48054t=48054
Re: BGP community Q [7:48007]
Annu,

I'll provide a hint! Look at your as-path ACL.. the answer lies therein..:-

Nigel

- Original Message -
From: Annu Roopa
To:
Sent: Wednesday, July 03, 2002 10:56 AM
Subject: BGP community Q [7:48007]

Group,

I have a community related question and the scenario is as follows. What am i doing wrong?

Scenario is:

(AS 100) r11 ---- r8 ---- r10 (AS 200)
            iBGP      eBGP

There are some Networks (196.196.10.0/175.10.10.0 etc) coming via R10 to R8. I want to add a community string of 100:88 to all routes containing AS 200 and send it to R11 from R8. But somehow its not adding it rather adding 100:900 when i see it on R11. Whats wrong with my logic? Here are my configs and show commands.

R8#sr
Building configuration...

Current configuration:
hostname r8
!
router bgp 100
 bgp router-id 8.1.1.1
 network 8.1.1.0 mask 255.255.255.0
 neighbor 11.1.1.1 remote-as 100
 neighbor 11.1.1.1 update-source Loopback0
 neighbor 11.1.1.1 next-hop-self
 neighbor 11.1.1.1 send-community
 neighbor 11.1.1.1 route-map address out
 neighbor 180.10.10.1 remote-as 200
 neighbor 180.10.10.1 ebgp-multihop 255
 neighbor 180.10.10.1 update-source Loopback0
!
ip bgp-community new-format
ip as-path access-list 11 permit _200_
ip as-path access-list 11 deny .*
!
route-map address permit 10
 match as-path 11
 set community 100:88
!
route-map address permit 20
 set community 100:900

--

r8#sh ip bgp regexp _200_
BGP table version is 12, local router ID is 8.1.1.1
Status codes: s suppressed, d damped, h history, * valid, best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  10.1.1.0/24      180.10.10.1                            0 200 300 i
*  175.10.10.0/24   180.10.10.1                            0 200 300 i
*  180.10.10.0/24   180.10.10.1              0             0 200 i
*  190.10.10.0/24   180.10.10.1                            0 200 300 400 i
*  192.168.1.0      180.10.10.1                            0 200 300 i
*  196.196.1.0      180.10.10.1                            0 200 300 i

---

R11#b 196.196.1.0
BGP routing table entry for 196.196.1.0/24, version 40
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  1.1.1.2
  200 300
    8.1.1.1 (metric 129) from 8.1.1.1 (8.1.1.1)
      Origin IGP, localpref 100, valid, internal, best
      Community: 100:900

R11#b 175.10.10.0
BGP routing table entry for 175.10.10.0/24, version 38
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  1.1.1.2
  200 300
    8.1.1.1 (metric 129) from 8.1.1.1 (8.1.1.1)
      Origin IGP, localpref 100, valid, internal, best
      Community: 100:900

---

Failed to troubleshoot it. Anyone with ideas.

=
Thanks in advance for ur time and replies.
Annu.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48055t=48007
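An added example, mine and not IOS code, that models how the as-path access-list and route-map pasted above are evaluated: the documented meaning of `_` in Cisco AS-path regular expressions (start or end of the path, space, comma, brace or parenthesis) and first-match route-map semantics. Running the paths from the `sh ip bgp regexp _200_` output through it shows which clause each one should land in. The empty path for the locally originated 8.1.1.0/24 and the path through AS 2000 are constructed to show the other branch.

```python
"""Model of how IOS evaluates the as-path access-list and route-map from the post.

Added example, not IOS code and not a claim about any particular IOS release.
It encodes the documented meaning of '_' in Cisco AS-path regular expressions
and first-match route-map semantics.
"""
import re

# In IOS AS-path regexps '_' matches the start or end of the path, a space,
# a comma, or a brace/parenthesis (AS_SET / confederation delimiters).
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_aspath_regex(pattern: str):
    """Translate a Cisco AS-path regex into a Python one (only '_' differs)."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def aspath_acl_permits(acl, as_path: str) -> bool:
    """acl = [('permit'|'deny', pattern), ...]; the first matching entry decides,
    with an implicit deny at the end."""
    for action, pattern in acl:
        if cisco_aspath_regex(pattern).search(as_path):
            return action == "permit"
    return False


def apply_route_map(route_map, acls, as_path: str):
    """route_map = [(seq, as_path_acl_name_or_None, community_to_set), ...].
    Clauses are tried in sequence order; a clause with no match condition
    matches everything; if no clause matches the route is dropped (None)."""
    for _seq, acl_name, community in route_map:
        if acl_name is None or aspath_acl_permits(acls[acl_name], as_path):
            return community
    return None


# The configuration from the post, transcribed.
ACLS = {"11": [("permit", "_200_"), ("deny", ".*")]}
ROUTE_MAP_ADDRESS = [(10, "11", "100:88"), (20, None, "100:900")]

# AS paths from the 'sh ip bgp regexp _200_' output, plus two constructed ones:
# the locally originated 8.1.1.0/24 (empty path) and a path through AS 2000,
# which must NOT match _200_ because '_' will not match the trailing '0'.
PATHS = {
    "10.1.1.0/24": "200 300",
    "175.10.10.0/24": "200 300",
    "180.10.10.0/24": "200",
    "190.10.10.0/24": "200 300 400",
    "196.196.1.0/24": "200 300",
    "8.1.1.0/24": "",
    "constructed-via-2000": "2000 300",
}


def communities_for(paths=PATHS):
    """Community each prefix leaves R8 with, under the route-map as posted."""
    return {prefix: apply_route_map(ROUTE_MAP_ADDRESS, ACLS, path)
            for prefix, path in paths.items()}


if __name__ == "__main__":
    for prefix, community in communities_for().items():
        print(f"{prefix:24} {PATHS[prefix]!r:18} -> {community}")
```

Under the list as pasted, every path in the table permits on `_200_` and picks up 100:88; only the empty path and the AS 2000 path fall through to clause 20. If the router sets 100:900 on those same prefixes, the as-path list it is actually evaluating is not the one shown here, so the first thing to compare is `show ip as-path-access-list` on R8 against the paste, which is where the reply's hint points.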
Re: Confusion: Channelized and Unchannelized T1 [7:47844]
John, There's nothing wrong with your understanding of channelized vs. unchannelized. I believe your provider's tech doesn't understand or is completely misinformed. Nigel

- Original Message - From: John Neiberger To: Sent: Monday, July 01, 2002 12:10 PM Subject: Confusion: Channelized and Unchannelized T1 [7:47844]

Just when I thought I understood the T1 world pretty well, we've run into a situation that is thoroughly confusing me. I was under the impression that channelized T1 services used 24 timeslots. I call that 'channelized' because it has 24 distinct 'channels'. It's my understanding that unchannelized T1 doesn't use the 24 timeslots and instead sends one giant 192-bit frame.

At one of our locations we are muxing voice and data traffic onto a single T1. At each end we split off certain channels to a router and other channels over to the PBX. To do this, wouldn't the T1 *have* to be channelized, since we're separating the channels at the CSU/DSU? According to our provider, that circuit is unchannelized. If a circuit is truly unchannelized, how would the CSU/DSU be able to accurately split the T1 into two separate streams based on channel information?

To be more clear, let's say we have the CSU/DSU configured to split channels 1-12 to the router and 13-24 to the PBX. This splitting function is based on the assumption that channels exist on the incoming T1. If they don't exist and we have one giant frame instead of 24 smaller frames, how could this possibly be working?? Yowza... my head hurts. John
Re: CCIE Written DPT/SRT - huh? [7:47807]
Nick, A good place to begin your exploration of DPT, and SRP in particular, is always RFC 2892, but for a really cool overview check out the following link: http://grouper.ieee.org/groups/802/17/documents/presentations/tutorial/tutorial.htm

HTH Nigel

P.S. There's so much info on this page, don't let it overwhelm you.. :-)

- Original Message - From: Nick Lesewski To: Sent: Sunday, June 30, 2002 8:59 PM Subject: CCIE Written DPT/SRT - huh? [7:47807]

On the requirements for the new CCIE Written Beta they listed DPT/SRT under the WAN section, but I can't find any references to these in the groupstudy archives or on the Cisco website. Anybody have any idea what they might be asking about? NIC
Re: CCIE Beta results [7:47144]
Folks, I'm trying to understand how Cisco went about grading this exam. Much like everyone else, I too was told by Prometric when I called in that I had passed the exam; however, the score report I received had something totally different in mind (yes, I failed!). What I thought was strange was the passing score, which was 45%. I guess 44% leaves me short of the mark. This beta reminds me of the CCIE Security beta, in which not many folks on the list passed. Good thing this test didn't count as a recert credit. I guess I'll be thinking about taking the recert exam sometime next year... :-) Nigel

- Original Message - From: Michael L. Williams To: Sent: Sunday, June 23, 2002 6:44 PM Subject: Re: CCIE Beta results [7:47144]

Are the scores starting to come in now? I still haven't received mine yet... =( Although, banking on the fact I would fail, I went ahead and took the current written and passed, so I'm not too worried about the beta results... just curious =) Mike W.

Semiglia Bodero wrote in message news:[EMAIL PROTECTED]... Did you receive the score?
serial interface down/down or up/down - answers questions [7:47130]
John, All,

Actually, both router interfaces (DCE or DTE) will show down/down if both ports remain administratively down. :-)

Seriously, where I work, since a lot of our circuits are located in various locations within a number of our buildings, we make use of what we call an Automatic Network Control Circuit (ANCC) system, which logically maps our DCE devices from our demarc to our NOC equipment area.

Nonetheless, in answering Priscilla's question, there is no one answer to the question. Basically, if the CSU/DSU is configured with a mismatch on the framing, then the router port will come up/up. If the encoding is mismatched, then this will cause the CSU/DSUs to lose SYNC. Technically this will cause the router port to continually flap (up/down). When the CSU/DSU is configured correctly but with the bandwidth (the configuration of the DS0 slots (Nx64)) mismatched, this will allow the equipment to SYNC and the router ports will indicate up/up; however, no data will traverse the link.

John is very correct in that the DTR on the DTE device has to be asserted for the DCE device, and obviously for the DTE device, to indicate an up/up. Howard also brings up a good point in that framing and encoding do relate to layer one.

Question: If encoding and framing are thought of as sub-layers of layer 1, then what parallel can be drawn to other layered technologies that would allow/indicate an active interface without all the requirements being met (i.e. ISDN, ATM, and an IP interface)?

Chuck, I took your comments to heart and took down a number of T1 customers to prove my noted few points. :-) I hope you're happy.

Nigel

From: John Neiberger Reply-To: John Neiberger To: [EMAIL PROTECTED] Subject: Re: serial interface down/down or up/down [7:47101] Date: Fri, 21 Jun 2002 01:42:20 -0400

This isn't quite true. For example, a DCE router interface will be down/down if DTR is not raised by the DTE device. I see this quite often at work and faulty cabling is generally not the culprit. It's almost always bad hardware in the DTE. John

Michael L. Williams wrote: According to CCIE exam materials, the *only* time the serial will show down/down is when there is NO serial cable or a bad serial cable connected. So even if you have a misconfigured framing method, you should at least see up/down. Mike W.

Bob Timmons wrote in message news:[EMAIL PROTECTED]... I can't say I've ever seen a down/up condition. Up/Down perhaps. I'm sure there are exceptions, but it's my belief that the router doesn't care about encoding, but rather a layer-1 connection to the DCE/DTE device. If the router can 'talk' to the device on the other end of the cable, you should get an up/x condition, where x would depend on the CSU/DSU condition of the line. I don't have a CSU handy, otherwise I'd check that right now. I can do that tomorrow morning (10:30 pm EST here), but you may have an answer prior to that...

Hi Priscilla, I have actually had this scenario (multiple times), but due to the Telco's misconfiguration. Specifically we were expecting B8ZS/ESF. Unfortunately I can't confirm which was configured incorrectly, but I can confirm that going through all of the different combinations available at the router you will get all combinations on the serial interface (up/up, down/up and down/down). I can also confirm you will not establish connectivity, regardless. I believe either B8ZS/ESF or SF/AMI are the only valid combinations. At least that is all I've ever worked with. Hope this helps, -TV

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]... Hi Group Study, While writing some questions for a practice test, I found myself questioning what I thought was the right answer. Here's the scenario: A Cisco router serial interface is correctly connected with a good V.35 cable to the data port on the DSU side of a CSU/DSU. The CSU/DSU has been misconfigured for the framing method (SF instead of ESF). The framing doesn't match what the provider is using. (The question refers to a CSU/DSU that is external to the router, not one that is built into the router.) Will the Cisco router serial interface be down/down or up/down? And, would the answer be any different if the question has to do with misconfiguring the encoding (AMI versus B8ZS)? If you have real-world experience with this, that would help. I have read the Cisco documentation and the troubleshooting charts, etc. Thanks, Priscilla Oppenheimer
Re: BGP w/ no synchronization [7:46707]
Hunt, Read this link and think about your scenario for a moment. What is the problem to be solved? http://www.cisco.com/warp/public/459/bgpfaq_5816.shtml#12

Then read this link. The emphasis here is that although RTA, RTB, RTC, RTD, and RTE are in the same confed AS1, RTB and RTC, and RTD and RTE, are in separate sub-ASs within the AS. What does that mean? If RTB and RTD are propagating iBGP route information to RTC and RTE respectively, then the only way for these routes to be sync'd is by NLRI (through an IGP), route reflectors, or by using the Cisco-specific knob - no sync. By using no sync you're allowing BGP to overlook the native requirements of the protocol, which will install the route into the RIB. http://www.cisco.com/warp/public/459/16.html#A23.0

You might want to also look at RFC 1965, which laid the foundation for the use of confederations within BGP; however, this is superseded by RFC 3065. Of course there are a number of other options that could be used to achieve full mesh within an AS. Some of those options include RFC 1966 and RFC 1863. http://www.ietf.org/rfc/rfc1863.txt http://www.ietf.org/rfc/rfc1966.txt

HTH Nigel

- Original Message - From: Hunt Lee To: Sent: Sunday, June 16, 2002 6:42 AM Subject: BGP w/ no synchronization [7:46707]

Okay folks, starting off some late-nite studying and just noticed something weird. Got a Confederation setup like:

150.150.150.0/24---RTA---RTB---RTD---RTF
                          |     |
                         RTC   RTE

RTA, B, C, D, E are in a Confederation called AS 1, in which: RTA is sub-AS 65530; RTB and RTC are both in sub-AS 65531; RTD and RTE are both in sub-AS 65532; RTF is in AS 2. RTB, C, D and E are running OSPF as IGP, and OSPF is being redistributed into BGP at RTB. The network 150.150.150.0/24 is being advertised into BGP by the BGP network command on RTA.

Ok, here is the thing. The 150.150.150.0/24 network is being seen by RTA, RTB, RTD and RTF. I could ping 150.150.150.1 from these four routers. However, it can't be seen by RTC and RTE (shown as follows). But when I put no synchronization on the middle four routers (RTB, RTC, RTD, RTE), then everything becomes fine again... I thought since I used an IGP (OSPF), and if the router can see the EBGP next-hop (193.16.0.2) in its routing table, then the synch rule shouldn't apply anymore. Am I missing something here?

RouterC#sh ip bgp
BGP table version is 4, local router ID is 172.16.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop      Metric LocPrf Weight Path
* i150.150.150.0/24   193.16.0.2         0    100      0 (65530) i
*>i172.16.0.0/30      172.16.0.1         0    100      0 ?
* i172.16.0.12/30     172.16.0.18       30    100      0 ?
*>i172.16.0.16/30     172.16.0.1         0    100      0 ?
*>i193.16.0.0/30      172.16.0.1         0    100      0 ?
* i193.16.0.8/30      172.16.0.18        0    100      0 (65532) i

RouterC#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     172.16.0.0/30 is subnetted, 3 subnets
O       172.16.0.16 [110/128] via 172.16.0.1, 01:35:04, Serial1
O       172.16.0.12 [110/192] via 172.16.0.1, 01:35:04, Serial1
C       172.16.0.0 is directly connected, Serial1
     193.16.0.0/30 is subnetted, 1 subnets
O       193.16.0.0 [110/74] via 172.16.0.1, 01:35:04, Serial1
RouterC#

RouterC#ping 193.16.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 193.16.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/36 ms
RouterC#

Thanks all! Hunt
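As an added example (my own code, not from the original post), the following Python separates the two checks Hunt is conflating: next-hop reachability, which is a longest-match lookup, and synchronization, which wants the iBGP-learned prefix itself to be present in the IGP. The prefixes and next hops are taken from RouterC's posted "sh ip bgp" and "sh ip route" output. The logic is a deliberate simplification: real IOS also compares the OSPF router ID on the matching IGP route, and confederation sub-AS handling is reduced here to "the path is shown with the i status code".

```python
import ipaddress
from typing import Iterable, NamedTuple, Optional, Set

# Added example (not from the original post): a model of the BGP
# synchronization rule as seen from RouterC, using the prefixes in the posted
# "sh ip bgp" and "sh ip route" output. The decision logic is my own
# simplification of IOS (no OSPF router-ID check, no sub-AS special cases).


class BgpPath(NamedTuple):
    prefix: str
    next_hop: str
    internal: bool  # True for paths shown with the "i" status code


def longest_match(rib: Iterable[str], address: str) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix lookup of an address in a list of prefixes."""
    addr = ipaddress.ip_address(address)
    best = None
    for entry in rib:
        net = ipaddress.ip_network(entry)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def igp_has_prefix(rib: Iterable[str], prefix: str) -> bool:
    """Synchronization wants the same prefix in the IGP, not just a covering route."""
    want = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(entry) == want for entry in rib)


def path_is_usable(path: BgpPath, rib: Iterable[str], synchronization: bool) -> bool:
    """Can this path become a candidate for the routing table?"""
    rib = list(rib)
    if longest_match(rib, path.next_hop) is None:
        return False  # unreachable next hop: never a candidate, sync or not
    if synchronization and path.internal and not igp_has_prefix(rib, path.prefix):
        return False  # internal path not yet learned via the IGP: held back
    return True


def usable_prefixes(paths: Iterable[BgpPath], rib: Iterable[str], synchronization: bool) -> Set[str]:
    return {p.prefix for p in paths if path_is_usable(p, rib, synchronization)}


# RouterC's non-BGP routing table: the three OSPF routes plus connected Serial1.
ROUTERC_RIB = ["172.16.0.16/30", "172.16.0.12/30", "172.16.0.0/30", "193.16.0.0/30"]

# RouterC's BGP table; every path is marked "i".
ROUTERC_PATHS = [
    BgpPath("150.150.150.0/24", "193.16.0.2", True),
    BgpPath("172.16.0.0/30", "172.16.0.1", True),
    BgpPath("172.16.0.12/30", "172.16.0.18", True),
    BgpPath("172.16.0.16/30", "172.16.0.1", True),
    BgpPath("193.16.0.0/30", "172.16.0.1", True),
    BgpPath("193.16.0.8/30", "172.16.0.18", True),
]


def routerc_usable(synchronization: bool) -> Set[str]:
    """Prefixes RouterC could install with synchronization on or off."""
    return usable_prefixes(ROUTERC_PATHS, ROUTERC_RIB, synchronization)


if __name__ == "__main__":
    print("synchronization on :", sorted(routerc_usable(True)))
    print("synchronization off:", sorted(routerc_usable(False)))
```

With synchronization on, 150.150.150.0/24 and 193.16.0.8/30 stay out even though their next hops resolve, because neither prefix is in RouterC's OSPF table; turning synchronization off removes that second check and both become usable, which is the behaviour the post describes.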
Re: Split horizon behaviour - explain me this one! [7:46102]
Chuck, I did a search on CCO and found a few links which state the following..

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt2/1cdigrp.htm (watch the line wrap)

"Normally, routers that are connected to broadcast-type IP networks and that use distance-vector routing protocols employ the split horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router out of any interface from which that information originated. This behavior usually optimizes communications among multiple routers, particularly when links are broken. However, with nonbroadcast networks (such as Frame Relay and Switched Multimegabit Data Service [SMDS]), situations can arise for which this behavior is less than ideal. For these situations, you might want to disable split horizon. Split horizon for Frame Relay and SMDS encapsulation is disabled by default. Split horizon is not disabled by default for interfaces using any of the X.25 encapsulations. For all other encapsulations, split horizon is enabled by default."

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_c/ipcprt2/1cdeigrp.htm

"By default, split horizon is enabled on all interfaces."

So Chuck, as you mentioned, split horizon is implemented IOS-wide by default on all interfaces, with some exceptions as noted above. It seems that with the default implementation of split horizon, once a DV-based protocol/process (as you mentioned) is configured on the device, the protocol and process adhere to the rules of the split-horizon mechanism versus being invoked.

HTH Nigel

- Original Message - From: Chuck To: Sent: Saturday, June 08, 2002 2:37 AM Subject: Split horizon behaviour - explain me this one! [7:46102]

179 days and counting. Going through my protocol by protocol review.

        192.168.1.0/24
  ---+-----+-----+-----+---
     |     |     |     |
    R1    R2    R3    R4

R2 redistributes IGRP into RIP. The purpose of the exercise is to review the purpose and function of the default-metric command under RIP in a redistribution situation.

Now consider that R2 learns certain routes from IGRP via the ethernet interface, and is supposed to redistribute those routes into RIP, and advertise those routes out the ethernet interface to R1. However, based on my observation, it would appear that split horizon is preventing this. Observe:

IGRP on R2
01:48:12: RIP: build update entries
01:48:12:     network 192.168.1.0 metric 1
01:48:12:     network 192.168.10.0 metric 2
01:48:12:     network 192.168.30.0 metric 5
01:48:12:     network 192.168.40.0 metric 5
01:48:39

Router_1#ir
C    192.168.10.0/24 is directly connected, Loopback0
R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:16, Ethernet0
C    192.168.1.0/24 is directly connected, Ethernet0

Note that while R2 is creating the RIP routes, R1 does not receive them. But if I disable split horizon on the ethernet interface, then observe:

Router_1#ir
R    192.168.30.0/24 [120/5] via 192.168.1.2, 00:00:12, Ethernet0
C    192.168.10.0/24 is directly connected, Loopback0
R    192.168.40.0/24 [120/5] via 192.168.1.2, 00:00:12, Ethernet0
R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:12, Ethernet0
C    192.168.1.0/24 is directly connected, Ethernet0

Now before leaping to conclusions about the nature of split horizon, I did a sanity check using OSPF. Interesting difference:

Router_1#ir
R    192.168.30.0/24 [120/5] via 192.168.1.2, 00:00:14, Ethernet0
C    192.168.10.0/24 is directly connected, Loopback0
R    192.168.40.0/24 [120/5] via 192.168.1.2, 00:00:14, Ethernet0
R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:14, Ethernet0
C    192.168.1.0/24 is directly connected, Ethernet0

No problem here.

So let's try the last sanity check, using EIGRP:

Router_2#
02:16:18: %SYS-5-CONFIG_I: Configured from console by console
02:16:28: RIP: sending v1 update to 255.255.255.255 via Ethernet0 (192.168.1.2)
02:16:28: RIP: build update entries
02:16:28:     network 192.168.20.0 metric 1
02:16:28: RIP: sending v1 update to 255.255.255.255 via Loopback0 (192.168.20.1)
02:16:28: RIP: build update entries
02:16:28:     network 192.168.1.0 metric 1
02:16:28:     network 192.168.10.0 metric 2
02:16:28:     network 192.168.30.0 metric 5
02:16:28:     network 192.168.40.0 metric 5
02:16:28: RIP: received v1 update from 192.168.1.1 on Ethernet0

Router_1#ir
C    192.168.10.0/24 is directly connected, Loopback0
R    192.168.20.0/24 [120/1] via 192.168.1.2, 00:00:09, Ethernet0
C    192.168.1.0/24 is directly connected, Ethernet0

Aha! No routes from R2. But when I disable split horizon on R2:

Router_2(config)#int e 0
Router_2(config-if)#no ip
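As an added example (my own code, not from the original post), here is a Python model of how RIP on R2 builds a per-interface update with and without split horizon, using the routes implied by Chuck's "debug ip rip" output. The point it makes is the one Nigel's CCO quote states: IOS applies split horizon on the outgoing interface recorded in the routing table, regardless of which protocol put the route there, so IGRP routes that point out Ethernet0 are withheld from the RIP update sent out Ethernet0. The interface and source assignments for each prefix are inferred from the posted output, and "default-metric 5" is assumed from the metric 5 entries; the metric bookkeeping is a simplification.

```python
from typing import Dict, Iterable, NamedTuple

# Added example (not from the original post): a model of how RIP builds a
# per-interface update with and without split horizon, using R2's routes as
# implied by the posted "debug ip rip" output. Interface/source assignments
# and the default-metric of 5 are assumptions drawn from that output.


class Route(NamedTuple):
    prefix: str
    interface: str   # outgoing interface in the routing table
    source: str      # "connected", "rip" or "redistributed"
    metric: int      # hop count for RIP-learned routes; ignored otherwise


DEFAULT_METRIC = 5   # assumed "default-metric 5" under router rip on R2


def advertised_metric(route: Route) -> int:
    """Metric RIP puts in the update for a route in the table."""
    if route.source == "connected":
        return 1
    if route.source == "rip":
        return route.metric + 1
    return DEFAULT_METRIC  # redistributed routes take the configured seed metric


def build_update(routes: Iterable[Route], out_interface: str,
                 split_horizon: bool = True) -> Dict[str, int]:
    """Entries RIP puts in the update it sends out of out_interface.

    With split horizon, any route whose outgoing interface is the update's
    interface is suppressed, no matter which protocol installed it.
    """
    update: Dict[str, int] = {}
    for route in routes:
        if split_horizon and route.interface == out_interface:
            continue  # never advertise a route back out the interface it points to
        update[route.prefix] = advertised_metric(route)
    return update


# R2's routing table as implied by the debug output: 192.168.10.0 is R1's
# loopback learned by RIP on Ethernet0, 30.0 and 40.0 arrived via IGRP on
# Ethernet0 and are redistributed into RIP.
R2_ROUTES = [
    Route("192.168.1.0/24", "Ethernet0", "connected", 0),
    Route("192.168.20.0/24", "Loopback0", "connected", 0),
    Route("192.168.10.0/24", "Ethernet0", "rip", 1),
    Route("192.168.30.0/24", "Ethernet0", "redistributed", 0),
    Route("192.168.40.0/24", "Ethernet0", "redistributed", 0),
]


def r2_update(out_interface: str, split_horizon: bool = True) -> Dict[str, int]:
    """The update R2 sends out of the given interface."""
    return build_update(R2_ROUTES, out_interface, split_horizon)


if __name__ == "__main__":
    for iface in ("Ethernet0", "Loopback0"):
        for sh in (True, False):
            state = "on" if sh else "off"
            print(f"{iface} split-horizon={state}: {r2_update(iface, sh)}")
```

With split horizon on, the Ethernet0 update carries only 192.168.20.0 and the Loopback0 update carries the other four with the metrics shown in the debug; with "no ip split-horizon" on Ethernet0, the redistributed 192.168.30.0 and 192.168.40.0 appear in the Ethernet0 update at metric 5, which is what R1's table shows after the change.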
Re: NANOG 25 Meeting [7:46007]
Howard, I see that Sue Hares will be doing the moderation for the Panel: Smart Routing Technologies, but she's not listed as giving any of the BOFs. Based on your statement I was thinking Sue would be doing a BOF or presentation on the BGP convergence drafts, which you mention she was one of your co-authors on. Will that be at this meeting or the fall meeting, when the format change is supposed to take place? By the way, I noticed that the Fall meeting will be a joint meeting with ARIN. What additional information or benefits could I look forward to at this meeting, and would this explain the format change then, versus the upcoming meeting this week? Thanks Nigel

- Original Message - From: Howard C. Berkowitz [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 06, 2002 11:27 AM Subject: Re: NANOG 25 Meeting [7:45933]

All, I was browsing the NANOG 25 site and took a preview of the presentations that will be presented during the meeting, based on my recent growing interest in Inter-Domain routing and policies (IRR, RPSL), BGP, and MPLS/TE. I was wondering if anyone on the list would be in attendance; also, does anyone have any idea as to the timeline in which the presentations make their way to the web-site? I'm really looking forward to getting my hands on those presentations. thanks Nigel

Unfortunately I won't be able to make it in person, but I know of a couple of list members that are going. Susan Harris generally yells at presenters to have their presentations in at least a week before, because people often can see them better on their laptops than on the main screen. So, they'll probably be pretty much on the NANOG server by Saturday or Sunday. If you're not aware of it, NANOG normally has real-time Real Video or other streaming video of the actual conference available free. They also store the videos on the website after the conference.

Incidentally, the Fall NANOG meeting will be especially worth attending, because there will be a new format: NANOG tutorials on Sunday, NANOG program on Monday and Tuesday, and ARIN public and member meetings on Wednesday-Friday. They don't always video the BOFs, which can be a shame -- Sue Hares is one of my coauthors on the BGP convergence drafts, and I'd like to hear it.
Re: NANOG 25 Meeting [7:46005]
Peter, Great! I'm thinking Juniper and the BearGear booth in such close proximity may explain the cascading-style format of JunOS versus Cisco's left-justified (non-hierarchical) configuration. :-) I'm sure Howard/Priscilla, with their experience in software (system) development, would care to provide some insight into the differences/relevance in output formatting as it relates to how the code is interpreted. Nigel

P.S. I know BayRS is pretty similar, and I must admit once I worked on it for a while, the interface was very fast and intuitive. Being a cisco-child, can I dare say.. I really liked it without being flamed! :-)

- Original Message - From: Peter van Oene [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 06, 2002 2:02 PM Subject: Re: NANOG 25 Meeting [7:45933]

The conference is 40 minutes from my house and I'll definitely be in attendance and likely hang around the Juniper Networks booth at the BeerGear.

At 11:27 AM 6/6/2002 -0400, Howard C. Berkowitz wrote:

All, I was browsing the NANOG 25 site and took a preview of the presentations that will be presented during the meeting, based on my recent growing interest in Inter-Domain routing and policies (IRR, RPSL), BGP, and MPLS/TE. I was wondering if anyone on the list would be in attendance; also, does anyone have any idea as to the timeline in which the presentations make their way to the web-site? I'm really looking forward to getting my hands on those presentations. thanks Nigel

Unfortunately I won't be able to make it in person, but I know of a couple of list members that are going. Susan Harris generally yells at presenters to have their presentations in at least a week before, because people often can see them better on their laptops than on the main screen. So, they'll probably be pretty much on the NANOG server by Saturday or Sunday. If you're not aware of it, NANOG normally has real-time Real Video or other streaming video of the actual conference available free. They also store the videos on the website after the conference.

Incidentally, the Fall NANOG meeting will be especially worth attending, because there will be a new format: NANOG tutorials on Sunday, NANOG program on Monday and Tuesday, and ARIN public and member meetings on Wednesday-Friday. They don't always video the BOFs, which can be a shame -- Sue Hares is one of my coauthors on the BGP convergence drafts, and I'd like to hear it.
NANOG 25 Meeting [7:45933]
All, I was browsing the NANOG 25 site and took a preview of the presentations that will be presented during the meeting, based on my recent growing interest in Inter-Domain routing and policies (IRR, RPSL), BGP, and MPLS/TE. I was wondering if anyone on the list would be in attendance; also, does anyone have any idea as to the timeline in which the presentations make their way to the web-site? I'm really looking forward to getting my hands on those presentations. thanks Nigel
Building Service Provider Networks.. [7:45772]
All, I just received my copy of Howard's latest book and I'm excited to get started reading this title. However, I'm in the midst of finishing reading his previous book, WAN Survival Guide. Interestingly enough, this book's Introduction states, "This book focuses on the service provider network, and ideally will be read in concert with the more customer-oriented WAN Survival Guide." I'm truly looking forward to reading this book, as all of us here on the list know of Howard's inapt sense of humor and diverse experience in this field, among others. In browsing the book, I noticed Geoff Huston has a book titled ISP Survival Guide: Strategies for Running a Competitive ISP and was wondering if anyone had the opportunity to read it and cares to comment. That's all folks... Nigel
Revised: Another BGP attribute question [7:45775]
After posting to this thread, I realized that no one responded to my post, so I decided to figure out why. As it would seem, I was lost in my understanding of RIPE-181, now RPSL, and boy do I feel stupid. After spending some time reading over RIPE-181, RFC2622, and RFC2650, I do now have a much better understanding of IRRs, their functionality and the continual effort to maintain the most accurate records possible.

In my zeal to understand the various objects that make up the IRR database, I foolishly used my understanding of various terms to provide clarity. Terms like communities, ASXX, etc. I now realize that these terms are not in any way associated with what I related them to, with respect to BGP attributes or values. In obtaining a much better understanding of the IRR and routing policy, I do now see the emphasis placed on determining the routing policy before trying to configure or implement the peering relationships.

Well, this was another great learning experience. If this is where stupidity takes me, I look forward to my next encounter with stupidity.

Nigel
Still so much to learn...

- Original Message -
From: Nigel Taylor
To:
Sent: Sunday, June 02, 2002 4:24 PM
Subject: Re: Another BGP attribute question [7:45619]

See Inline...

- Original Message -
From: Howard C. Berkowitz
To:
Sent: Sunday, June 02, 2002 11:17 AM
Subject: Re: Another BGP attribute question [7:45619]

At 7:00 AM -0400 6/2/02, Nigel Taylor wrote:

All, I was reading the old RIPE (22nd meeting minutes) and was wondering what ever became of the BGP proposal from Tony Bates and Enke Chen for the use of the Destination Preference Attribute (DPA) for multi-homed sites.

DPA keeps coming up, at least for end-to-end route selection. Its basic problem is that only ISPs with whom you have an economic relationship have any motivation to respect it. Geoff Huston's NOPEER is a simpler way to accomplish the same thing (probably coupled with class of service request communities).

Howard, thanks a lot for the info/insight on DPA and specifically for pointing me to the NOPEER attribute draft. I was able to briefly read over the draft and I must say this does seem like a solution to the present problem. However, I was also doing some reading of the APNIC 13 minutes (http://www.apnic.net/meetings/13/sigs/docs/irr-presentation.ppt) and it's noted some of the present problems with the IRRs. The one that seems to apply here would be the statement that "About 50% of full routes are not registered to public IRRs."

I have a question. Do you see the NOPEER as having a directory class in the RPSL? If so, in doing some recent reading of RPSL and RPSLng (the enhancements to RPSL, on the same site), wouldn't the NOPEER attribute be limited to representing what is known in the IRRs? With this being the case, how effective can the attribute be when representing at best 50% of the global BGP FIB? Of course, then there are the ever-present security issues, which seem to be getting some attention through the RPSS (RFC2725).

Based on our previous thread with the known and unknown implications of inconsistent routes, I would think this could have been a step in the right direction. I did find a link where Enke Chen notes the use of the LOCAL_PREF attribute by many providers, given the lack of the DPA, and RFC1998 also notes how the use of communities aids in this process.

You can really solve LOTS of operational issues with creative use of communities. While RFC2547 was one driver for creating an extended community attribute, there are various ideas floating around for other applications thereof.

Do you care to mention some of the other ideas floating around?

Does anyone have any thoughts or suggestions on this as it applies to the use of DPA and where things stand on global/ISP-based implementation of this attribute?

As far as I know, it's never been implemented in operations. I'm reasonably certain that some versions of Bay RS could generate it, but I don't know of anyone that listens for it.

I remembered in reading Sam Halabi's book, Internet Routing Architectures (pg. 118, 1st ed.), he noted Cisco's lack of support for attribute 11 (DPA). However, it is noted as being MCI defined. As you pointed out, I've yet to come across anything that suggests anyone is making use of the DPA attribute.

--
What problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me***
Howard C. Berkowitz [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005

thanks
Nigel
Another BGP attribute question [7:45619]
All, I was reading the old RIPE (22nd meeting minutes) and was wondering what ever became of the BGP proposal from Tony Bates and Enke Chen for the use of the Destination Preference Attribute (DPA) for multi-homed sites. Based on our previous thread with the known and unknown implications of inconsistent routes, I would think this could have been a step in the right direction. I did find a link where Enke Chen notes the use of the LOCAL_PREF attribute by many providers, given the lack of the DPA, and RFC1998 also notes how the use of communities aids in this process. Does anyone have any thoughts or suggestions on this as it applies to the use of DPA and where things stand on global/ISP-based implementation of this attribute?

thanks,
Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45619t=45619
BGP questions Answered.. for the most part [7:45629]
All, I was doing some research which led to the following link, and I figured that some of you might find it useful. I know on the list Howard always tries to define his solutions by stating, "What is the problem you're trying to solve?" So I figured this would answer some of those questions, which in turn may provide the solution.

http://info.connect.com.au/docs/routing/general/multi-faq.shtml

The last bookmark in the TOC on the page links to sources like RFC2260 and RFC 2650, among others.

Enjoy!
Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45629t=45629
Re: Another BGP attribute question [7:45619]
See Inline...

- Original Message -
From: Howard C. Berkowitz
To:
Sent: Sunday, June 02, 2002 11:17 AM
Subject: Re: Another BGP attribute question [7:45619]

At 7:00 AM -0400 6/2/02, Nigel Taylor wrote:

All, I was reading the old RIPE (22nd meeting minutes) and was wondering what ever became of the BGP proposal from Tony Bates and Enke Chen for the use of the Destination Preference Attribute (DPA) for multi-homed sites.

DPA keeps coming up, at least for end-to-end route selection. Its basic problem is that only ISPs with whom you have an economic relationship have any motivation to respect it. Geoff Huston's NOPEER is a simpler way to accomplish the same thing (probably coupled with class of service request communities).

Howard, thanks a lot for the info/insight on DPA and specifically for pointing me to the NOPEER attribute draft. I was able to briefly read over the draft and I must say this does seem like a solution to the present problem. However, I was also doing some reading of the APNIC 13 minutes (http://www.apnic.net/meetings/13/sigs/docs/irr-presentation.ppt) and it's noted some of the present problems with the IRRs. The one that seems to apply here would be the statement that "About 50% of full routes are not registered to public IRRs."

I have a question. Do you see the NOPEER as having a directory class in the RPSL? If so, in doing some recent reading of RPSL and RPSLng (the enhancements to RPSL, on the same site), wouldn't the NOPEER attribute be limited to representing what is known in the IRRs? With this being the case, how effective can the attribute be when representing at best 50% of the global BGP FIB? Of course, then there are the ever-present security issues, which seem to be getting some attention through the RPSS (RFC2725).

Based on our previous thread with the known and unknown implications of inconsistent routes, I would think this could have been a step in the right direction. I did find a link where Enke Chen notes the use of the LOCAL_PREF attribute by many providers, given the lack of the DPA, and RFC1998 also notes how the use of communities aids in this process.

You can really solve LOTS of operational issues with creative use of communities. While RFC2547 was one driver for creating an extended community attribute, there are various ideas floating around for other applications thereof.

Do you care to mention some of the other ideas floating around?

Does anyone have any thoughts or suggestions on this as it applies to the use of DPA and where things stand on global/ISP-based implementation of this attribute?

As far as I know, it's never been implemented in operations. I'm reasonably certain that some versions of Bay RS could generate it, but I don't know of anyone that listens for it.

I remembered in reading Sam Halabi's book, Internet Routing Architectures (pg. 118, 1st ed.), he noted Cisco's lack of support for attribute 11 (DPA). However, it is noted as being MCI defined. As you pointed out, I've yet to come across anything that suggests anyone is making use of the DPA attribute.

--
What problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me***
Howard C. Berkowitz [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005

thanks
Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45637t=45619
Re: BGP questions Answered.. for the most part [7:45629]
Howard, Thanks for the notice on RFC2260. I took a minute to read it, and I can see the benefits, in that the BGP metrics compiled by the Routing Table Analysis (APNIC) show that 25% (if I'm not mistaken) of the BGP FIB is made up of /24 prefixes. RFC2270 does fall in line with RFC1930's assumptions of allowing only the provider's existing aggregate to be advertised upstream. The question is still relevant, since the filtering by ISPs is based on IRR information, which is at present not completely reliable. However, I remember reading recently (I can't remember the document) where the preference was to have the more specific route information as the primary, whereas when this information no longer exists, the aggregate prefix would provide NLRI to the desired network prefixes.

For all interested, here is another really good presentation on multi-homed BGP.
http://www.apnic.net/meetings/10/programme/presentations/4-Multihoming-6up.PDF

You just gotta love the Internet and access to information of this kind.

Nigel

- Original Message -
From: Howard C. Berkowitz
To:
Sent: Sunday, June 02, 2002 3:16 PM
Subject: Re: BGP questions Answered.. for the most part [7:45629]

All, I was doing some research which led to the following link, and I figured that some of you might find it useful. I know on the list Howard always tries to define his solutions by stating, "What is the problem you're trying to solve?" So I figured this would answer some of those questions, which in turn may provide the solution. http://info.connect.com.au/docs/routing/general/multi-faq.shtml The last bookmark in the TOC on the page links to sources like RFC2260 and RFC 2650, among others. Enjoy! Nigel

Good reference! Minor point -- 2270 updates 2260.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45640t=45629
Re: ISP 30bit net question [7:45257]
Dre, question: When did you ever find time to read all of these RFCs? Am I to assume that both you and Howard have quite a bit more in common than your seemingly endless depth of knowledge in our field? Maybe the next time I speak with my mother, I'll talk to her about what possibilities existed, if any, in bringing me into the world a whole lot sooner. :-

Nigel

- Original Message -
From: dre
To:
Sent: Tuesday, May 28, 2002 12:59 PM
Subject: Re: ISP 30bit net question [7:45257]

Patrick Ramsey wrote in message news:[EMAIL PROTECTED]...

Is there a specific reason why ISPs do not use private address space for their 30-bit networks to customers?

Because if those links somehow send ICMP messages back to sources (e.g. host-/net-/prot-/port-unreachables, squench, time exceeded, needs frag unreachables, etc.), it looks a lot better if these are publicly routable IP addresses. Some people also would end up blocking these messages more often if they had a deny filter for, say, 10-dot space (if that ISP used 10-dot space for their infrastructure addressing). This could end up affecting things like traceroutes, path MTU discovery, and other unfriendly things.

http://www.ietf.org/rfc/rfc1191.txt
RFC 1191 Path MTU discovery. J.C. Mogul, S.E. Deering. Nov-01-1990. (Format: TXT=47936 bytes) (Obsoletes RFC1063) (Status: DRAFT STANDARD)

http://www.ietf.org/rfc/rfc2923.txt
RFC 2923 TCP Problems with Path MTU Discovery. K. Lahey. September 2000. (Format: TXT=30976 bytes) (Status: INFORMATIONAL)

http://www.ietf.org/rfc/rfc792.txt
RFC 792 Internet Control Message Protocol. J. Postel. Sep-01-1981. (Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950) (Also STD0005) (Status: STANDARD)

So when you do a traceroute through an ISP, especially the time exceeded messages will come from publicly routable IP space that not only is available in the BGP table and marked as owned by a particular ASN, but also available in the Internet routing registries (e.g. RADB) and regional Internet registries (e.g. ARIN) as ISP-owned space that can be accounted for. This could be important for a number of reasons.

Also, if you want to give those links DNS, in particular reverse DNS, there is no global authority for 10-dot or private address space as far as reverse DNS is concerned. There would be no way to update that type of information for any ISP. This would affect more things as well (esp. traceroutes again). For more information on the above, you might want to check out this Internet-Draft, http://www.ietf.org/internet-drafts/draft-ietf-dnsop-dontpublish-unreachable-03.txt

Here is another Internet-Draft that somewhat covers these issues: http://www.ietf.org/internet-drafts/draft-iana-special-ipv4-03.txt

You'll also note that a customer might find it difficult to set his next-hop (or default gateway) to an ISP infrastructure address that's made up of 10-dots, especially if that customer is already routing 10-dots on his/her internal network(s). You could eventually hit router-id problems, etc. etc. This wouldn't work so well for routing protocols.

I can't think of anything right off hand that would prevent an ISP from being able to route properly using private addresses for serial links.

Basically, because it breaks things and it is also ugly and unmanageable. I can't think of any reason that would allow an ISP to route properly using private addresses, yet somehow some ISPs in the past may have gotten away with it here and there. Consider all the reasons above before you implement something like that.

I highly recommend that ISPs use PI public address space for their infrastructure addresses, including /30s and /32 loopback addresses. I also implore vendors and ISPs to implement RFC 3021 and use 31-bit prefixes instead of 30-bit prefixes for point-to-point interfaces.

http://www.ietf.org/rfc/rfc3021.txt
RFC 3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links. A. Retana, R. White, V. Fuller, D. McPherson. December 2000. (Format: TXT=19771 bytes) (Status: PROPOSED STANDARD)

I also suggest implementing correct ICMP operation for these devices (rate-limiting works well in place of filtering outright). Here is a document concerning that: http://www.cymru.com/~robt/Docs/Articles/icmp-messages.html

Finally, I suggest registering these routes in an IRR system (e.g. RADB) and the RIR system (e.g. ARIN), and having RFC 2142 or stdaddr-correct SMTP addresses for contact information about these networks. Also making these routers a part of the global DNS system (both forward and reverse) completes a best practice reference architecture for routing in the Internet.

http://www.ietf.org/rfc/rfc2142.txt
RFC 2142 Mailbox Names for Common Services, Roles and Functions. D. Crocker. May 1997. (Format: TXT=12195 bytes) (Status: PROPOSED
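The failure mode dre describes (ICMP replies sourced from private infrastructure addresses being dropped by edge filters, so traceroute hops go silent and Path MTU Discovery black-holes) can be audited with a small script. The following is an added example, not code from the thread or from any of its participants; the traceroute lines, router addresses and link MTUs are constructed samples, and the "edge filter" is assumed to be a plain deny of RFC 1918 sources.

```python
"""Audit traceroute hops for infrastructure addresses in RFC 1918 space.

Added example, not part of the original thread. It applies dre's point above:
ICMP messages (time exceeded, fragmentation needed, ...) sourced from private
infrastructure addresses are commonly dropped by edge filters, which shows up
as silent traceroute hops and as Path MTU Discovery black holes (RFC 1191,
RFC 2923). All addresses below are constructed samples (documentation and
RFC 1918 ranges), not taken from the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 ranges: a customer edge ACL that denies these as packet sources is
# the filter dre describes; this example assumes such a filter is in place.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed traceroute output: hop number, replying router address, RTT.
SAMPLE_TRACEROUTE = """\
 1  192.0.2.1        0.412 ms
 2  10.255.0.9       1.103 ms
 3  198.51.100.17    4.871 ms
 4  172.31.200.2     6.005 ms
 5  203.0.113.254    9.220 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class HopFinding:
    hop: int
    source: str        # address the ICMP time-exceeded reply came from
    private: bool      # True when the replying router is addressed from RFC 1918 space


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_traceroute(text: str) -> List[HopFinding]:
    """Parse traceroute lines and flag hops answered from private space."""
    findings = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # hops with no reply ("* * *") carry no source to audit
        hop, src = int(m.group(1)), m.group(2)
        findings.append(HopFinding(hop, src, is_rfc1918(src)))
    return findings


def filtered_hops(text: str) -> List[int]:
    """Hops whose replies an RFC 1918 source filter would drop (they show up as '*')."""
    return [f.hop for f in audit_traceroute(text) if f.private]


def pmtud_result(path: List[Tuple[str, int]], initial_mtu: int = 1500) -> Optional[int]:
    """Simulate RFC 1191 Path MTU Discovery along path = [(router, next_link_mtu), ...].

    A router whose next link is smaller than the packet sends "fragmentation
    needed" from its own address. If that address is private and filtered at
    the edge, the sender never learns the smaller MTU: the RFC 2923 black hole,
    returned here as None. Otherwise the discovered path MTU is returned.
    """
    mtu = initial_mtu
    for router, link_mtu in path:
        if link_mtu < mtu:
            if is_rfc1918(router):
                return None  # ICMP dropped at the edge; sender keeps retransmitting
            mtu = link_mtu   # sender accepts the reported MTU and continues
    return mtu


if __name__ == "__main__":
    for f in audit_traceroute(SAMPLE_TRACEROUTE):
        status = "private: reply likely filtered" if f.private else "ok"
        print(f"hop {f.hop:2d}  {f.source:15s}  {status}")
    print("PMTUD:", pmtud_result([("198.51.100.17", 1500), ("10.255.0.9", 1400)]))
```

Run against the constructed sample, hops 2 and 4 are the ones a customer behind a 10/8 or 172.16/12 deny filter would never see, and the PMTUD simulation returns None as soon as the router that needs to report a smaller MTU is one of those private-addressed hops.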
Revised: OSPF problem - 2nd try [7:45129]
Mathias, I think you're trying too hard and possibly reading too much into the requirements. I personally agreed with Jan's #1 option, in which the area x range not-advertise command is used on R1, R2, and R4. Although your most recent solution may work, try to think of a solution around the ISDN link remaining up in this configuration and what you could do to avoid this problem. There is a very popular way of avoiding this occurrence.

I think the emphasis here is the requirement which reads, "The exercise is that the 10.x network must not be advertised into the Frame Relay network." As Jan noted, when using the virtual links between R1-R4 and R2-R4 this will logically place R4 into area 0, which is fine. This is fine; look at the logical drawing below once the virtual links are configured.

10.x..x.x/24 -Area0 | | | | | | lo0--(R1) (R2)--lo0 (R4)--lo0 | | | | area1| area1 | lo0--(R3)-(frame)/ | | area2 (E0)(R5)

Using the #1 option allows us to clearly understand and meet the requirements, in that although R1, R2, and R4 do have the 10.x.x.x network route in their RIBs, that route is not being advertised into the Frame Relay network. Yes, I know that the R2-R4 connection is part of the frame connection, but the key word here is "advertised". With the current logical design, R4 acts as if it were connected to the backbone segment (10.x.x.x/24). If you had to go one step further, which I don't think is necessary, a distribute-list x in on the R4 process would eliminate the 10.x.x.x from R4's RIB, to complete the illusion that the route was not being advertised across the R2-R4 or R1-R4 virtual links.

HTH
Nigel

P.S. Elmer, what do you think about this thread and which solution meets the requirement?

- Original Message -
From: Spoerr, Mathias
To: Jan Gunnik Hope
Cc: ; Nigel Taylor ;
Sent: Monday, May 27, 2002 4:41 AM
Subject: AW: OSPF problem - 2nd try

Hello! I think I found the solution for the wrxkrmpf OSPF problem. I configured tunnel interfaces at R1, R2 and R4 and bound the interfaces to OSPF area 2. I configured no virtual link. Now only R1 and R2 are in Area 0. Another advantage is the backup for Area 2. In the original setup I had the problem that after a link-down of FR R2-R4, Area 2 is no longer reachable. When you want to configure a virtual link between R4 and R1 you will have the problem that the ISDN link is up the whole time. Any comments?

Mathias

-Original Message-
From: Jan Gunnik Hope [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 25 May 2002 23:12
To: Spoerr, Mathias
Cc: [EMAIL PROTECTED]; Nigel Taylor; [EMAIL PROTECTED]
Subject: SV: OSPF problem - 2nd try

Hello Mathias!

In my opinion these are the possible (elegant :-) solutions, in preferred order:

1. Use area 0 range 10.0.0.0 255.0.0.0 not-advertise on routers R1/R2/R4, virtual link R2/R4. You need it on R4 as well, because as you said yourself, R4 becomes a member of area 0 when you add the virtual link. This removes 10.x.x.x from R3 and R5, and they are both connected thru F/R, in different areas.

2. Use area area-id filter-list prefix prefix-list-name out with prefix-list-name filtering net 10.0.0.0. Use it on R1/R2/R4, virtual link R2/R4. This command was introduced in 12.0(15)S, but unfortunately does not seem to be part of the main IOS train yet. I haven't been able to test this one, but it looks dead-on. We still see 10.x.x.x in R4 though, because of the virtual link.

3. Use a tunnel between R2/R4, totally stub areas 1 and 2. Tunnel endpoints in area 2. This is really a lab-only solution, as Nigel also remarked. But it works, and does not show the 10.x.x.x on R4...

I clearly prefer #1, because I interpret your requirement, "The exercise is that the 10.x network must not be advertised into the Frame Relay network," to mean that R3 and R5 should not see 10.x.x.x. R4 sees it as soon as we configure a virtual-link or a tunnel, because we then make R4 an area 0 member.

If you were to use no tunnels and have different OSPF processes, you could use one process per area, and do redistribution between them. That would make the filtering really easy, but you would essentially change your OSPF exercise to a redistribution exercise :-)

My two cents...

Jan Gunnik Hope
CCIE # 8221

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Nigel Taylor
Sent: 25 May 2002 15:42
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Spoerr, Mathias
Subject: Re: OSPF problem - 2nd try

Mathias, I'm not sure if the ASCII art made
Re: Revised: OSPF problem - 2nd try [7:45154]
Mathias, This is correct! When you configure the demand-circuit, after the ISDN circuit goes down you should see DNA noted in the OSPF database, which suppresses the need for hellos to be sent. Since R1, R2, and R4 are all a part of area 1, when the frame circuit between R2-R4 goes down this will trigger the database recalculation and bring the ISDN link up. This would be fine, since it will be how all connectivity would be maintained. This is why I suggested that the requirement calls for two virtual links or tunnels. You might want to brush up on your understanding of demand-circuit. Here are some really good links explaining how effective demand-circuit can be while using the necessary filtering.

http://www.cisco.com/warp/public/104/dc.html
http://www.cisco.com/warp/public/104/dcprob.html

What a great link.. I used this one when I prepared for the lab. It pays to browse this stuff once in a while.
http://www.cisco.com/warp/public/104/index.shtml

Nigel

- Original Message -
From: Spoerr, Mathias
To: Nigel Taylor ; cebuano ; Jan Gunnik Hope
Cc: ;
Sent: Monday, May 27, 2002 2:55 PM
Subject: AW: Revised: OSPF problem - 2nd try

Nigel, I forgot to tell you that the second task is that the ISDN must not be up until the FR R4-R2 fails. R3 has to initiate the call and R1 must call back. There is another exercise regarding this layout, where a backup link must exist for the area 2 connection.

-10.x.x.x/24---Ethernet OSPF Area0 || R1---Lo0 R2---Lo0 || ISDN Area1FR Area1 || Lo0--R3--FR---R4--Lo0 |Area1 | -E0 FR Area2 | R5

(I hope this drawing can be identified)

Although your most recent solution may work, try to think of a solution around the ISDN link remaining up in this configuration and what you could do to avoid this problem. There is a very popular way of avoiding this occurrence.

Which solution do you mean? When you think about the demand circuit feature, it doesn't work with virtual links, because R4 is sending hellos destined for the BRI address of R1 when you configure a virtual link to R1.

Thanks for responding,
Mathias

-Original Message-
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Monday, 27 May 2002 12:59
To: cebuano; Jan Gunnik Hope; Spoerr, Mathias
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Revised: OSPF problem - 2nd try

Mathias, I think you're trying too hard and possibly reading too much into the requirements. I personally agreed with Jan's #1 option, in which the area x range not-advertise command is used on R1, R2, and R4. Although your most recent solution may work, try to think of a solution around the ISDN link remaining up in this configuration and what you could do to avoid this problem. There is a very popular way of avoiding this occurrence.

I think the emphasis here is the requirement which reads, "The exercise is that the 10.x network must not be advertised into the Frame Relay network." As Jan noted, when using the virtual links between R1-R4 and R2-R4 this will logically place R4 into area 0, which is fine. This is fine; look at the logical drawing below once the virtual links are configured.

10.x..x.x/24 -Area0 | | | | | | lo0--(R1) (R2)--lo0 (R4)--lo0 | | | | area1| area1 | lo0--(R3)-(frame)/ | | area2 (E0)(R5)

Using the #1 option allows us to clearly understand and meet the requirements, in that although R1, R2, and R4 do have the 10.x.x.x network route in their RIBs, that route is not being advertised into the Frame Relay network. Yes, I know that the R2-R4 connection is part of the frame connection, but the key word here is "advertised". With the current logical design, R4 acts as if it were connected to the backbone segment (10.x.x.x/24). If you had to go one step further, which I don't think is necessary, a distribute-list x in on the R4 process would eliminate the 10.x.x.x from R4's RIB, to complete the illusion that the route was not being advertised across the R2-R4 or R1-R4 virtual links.

HTH
Nigel

P.S. Elmer, what do you think about this thread and which solution meets the requirement?

- Original Message -
From: Spoerr, Mathias
To: Jan Gunnik Hope
Cc: ; Nigel Taylor ;
Sent: Monday, May 27, 2002 4:41 AM
Subject: AW: OSPF problem - 2nd try

Hello! I think I found the Solution
Re: BGP addressing..i think i understand but i am not sure [7:45174]
Peter, It would seem that Cable & Wireless and Above, along with RIPE, are the main culprits. It would seem to me that this inconsistent route issue would present problems; what am I missing? It may be that I'm not totally clear on what constitutes an inconsistent route. RFC 1930 clearly states one prefix, one originating AS. I know it's been mentioned in this thread, and I see it noted that the RSNG Project will notify peers of inconsistent policies registered in the IRR. So, how effective is this initiative if most of the community feels it's not something to be worried about? Anyone care to point me in a specific direction?

thanks
Nigel

- Original Message -
From: Peter van Oene
To:
Sent: Monday, May 27, 2002 6:31 PM
Subject: Re: BGP addressing..i think i understand but i am not sure [7:45169]

quick comment in line.

At 04:53 PM 5/27/2002 -0400, Chuck wrote:

I have a question, Howard - in line:

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

This is one of those posts where the attributions have gotten very confused. Comments inline.

snip for brevity

It can be done, if both ISPs agree to it and coordinate their routing policies. A public AS, however, is justified in this circumstance. While it doesn't quite describe this situation, look at RFC 2270 for the general strategy. Both ISPs have to remove private AS. This will also cause more than one ISP to appear to originate the route, which is a technical violation of BGP (i.e., it's an inconsistent route), but that isn't that uncommon and doesn't seem to break anything.

Question: in an ideal world, what would happen when an inconsistent route shows up? Ideally, would that route be black holed? Since it is common and since it doesn't seem to break anything in real terms, what happens? BGP advertises reachability to other BGP routers, be they internal or external. But in terms of a packet traveling from my house to a destination that is inconsistent, what happens? What matters? My packet continues to be passed from here to there until some directly connected router receives it. I'm assuming that inconsistent does not imply loop. thanks.

You are correct in that inconsistent advertisements do not represent looped routes. In the case of a prefix seemingly existing in two ASes, a remote router simply passes that prefix through the basic BGP path selection algorithm and selects the more preferable of the two for export to the main routing table. Once a route hits the routing table, transiting packets are forwarded as usual. Any potential concern lies in the handling of routes that show up as inconsistent. I have seen discussions from various communities (RIPE comes first to mind) about specifying a globally accepted behavior for such routes, but haven't seen a consensus on this issue other than to leave it alone. Howard probably has somewhat more detailed insight here.

At present, inconsistent advertisements are accepted, and many feel they are valid and should not be handled differently from normal announcements. Customers who think that connecting to two providers is generally better than two POPs from a single provider, and providers who are too nervous about losing customer revenue to force customers to properly multi-home (PI space/ASN) or not multi-home to different providers at all, are likely the cause of this situation. So long as this continues to be the norm, we'll likely see more and more of these types of announcements, and the likelihood of routers dealing with them differently (dropping, for example) will similarly decrease. Hit a route server (say route-server.exodus.net) and do a show ip bgp incon and you'll see just how many of these routes we are dealing with.

Pete

snip for brevity

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45174t=45174
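Two threads above come together here: the RPSL/IRR discussion (route objects registered in an IRR, and the remark that roughly half of the full table is not registered) and Pete's pointer to show ip bgp incon for prefixes announced from more than one origin AS. The script below is an added example, not code from the thread or its participants: it performs the inconsistent-origin check on a table of AS_PATHs and then compares each observed origin against RPSL route objects. The BGP paths and route objects are constructed samples using documentation prefixes and AS numbers from the 64496-64511 documentation range; the RPSL parser handles only the route and origin attributes this check needs.

```python
"""Check a BGP table for inconsistent-origin prefixes and compare it with IRR route objects.

Added example, not code from the thread. It implements the check behind the
"show ip bgp incon" command Pete mentions (one prefix announced with more than
one origin AS) and then does what the earlier RPSL/IRR discussion points at:
compare each observed origin against the route objects registered in an IRR.
The BGP paths and RPSL objects below are constructed samples using
documentation prefixes and AS numbers from the 64496-64511 documentation range.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed BGP table: prefix -> AS_PATHs as seen from one vantage point
# (leftmost = neighbor AS, rightmost = origin AS).
SAMPLE_BGP_PATHS: Dict[str, List[List[int]]] = {
    "192.0.2.0/24":    [[64496, 64500], [64497, 64500]],          # one origin via two neighbors
    "198.51.100.0/24": [[64496, 64501], [64497, 64498, 64502]],   # two origins: inconsistent
    "203.0.113.0/24":  [[64499, 64503]],                          # single path, no IRR object
}

# Constructed RPSL route objects, in the form an IRR such as RADB returns them.
SAMPLE_IRR = """\
route:   192.0.2.0/24
origin:  AS64500
source:  RADB

route:   198.51.100.0/24
origin:  AS64501
source:  RADB
"""


def origin_as(as_path: List[int]) -> int:
    """The origin is the rightmost AS in the AS_PATH."""
    return as_path[-1]


def observed_origins(paths: List[List[int]]) -> Set[int]:
    return {origin_as(p) for p in paths if p}


def inconsistent_origins(table: Dict[str, List[List[int]]]) -> Dict[str, Set[int]]:
    """Prefixes announced with more than one origin AS (what 'show ip bgp incon' lists)."""
    result = {}
    for prefix, paths in table.items():
        origins = observed_origins(paths)
        if len(origins) > 1:
            result[prefix] = origins
    return result


def parse_irr_routes(text: str) -> Dict[str, Set[int]]:
    """Minimal RPSL parser: origin AS numbers per route object, keyed by prefix."""
    objects: Dict[str, Set[int]] = defaultdict(set)
    current: Dict[str, str] = {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if not line.strip():                # a blank line ends an RPSL object
            if "route" in current and "origin" in current:
                asn = current["origin"].upper()
                objects[current["route"]].add(int(asn[2:] if asn.startswith("AS") else asn))
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    return dict(objects)


def irr_mismatches(table: Dict[str, List[List[int]]],
                   irr: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Observed origins with no matching route object: unregistered announcements."""
    result = {}
    for prefix, paths in table.items():
        unregistered = observed_origins(paths) - irr.get(prefix, set())
        if unregistered:
            result[prefix] = unregistered
    return result


def irr_coverage(table: Dict[str, List[List[int]]], irr: Dict[str, Set[int]]) -> float:
    """Fraction of prefixes whose every observed origin is registered (cf. the ~50% figure above)."""
    if not table:
        return 0.0
    return 1 - len(irr_mismatches(table, irr)) / len(table)


if __name__ == "__main__":
    irr = parse_irr_routes(SAMPLE_IRR)
    print("inconsistent:", inconsistent_origins(SAMPLE_BGP_PATHS))
    print("unregistered:", irr_mismatches(SAMPLE_BGP_PATHS, irr))
    print(f"IRR coverage: {irr_coverage(SAMPLE_BGP_PATHS, irr):.0%}")
```

On the constructed sample, 198.51.100.0/24 is the inconsistent prefix (origins AS64501 and AS64502), the IRR comparison flags AS64502 for that prefix and AS64503 for 203.0.113.0/24 as unregistered, and only one of the three prefixes is fully covered by route objects. The two checks are deliberately separate: an inconsistent origin is visible from the table alone, while an unregistered origin is only visible once you have IRR data to compare against, which is exactly why the coverage of the IRRs matters for any policy built on them.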
Re: OSPF problem - 2nd try [7:45025]
Mathias, I'm not sure if the ASCII art made the journey, but based on what I believe you're trying to accomplish, see inline...

Note: Questions like this you should post to the main list ([EMAIL PROTECTED]). You'll get a better response.
Re: Friday Follies of sorts - answering questions [7:44952]
Chuck, This is a very interesting post. I did some checking and I found this link that might address the requirement based on the design. This can be done by using 6500 switches instead of routers as depicted in your lovely ASCII art. http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/cat65_wp.htm They make the following note.. Configuring Policers The next step is to define a policer. The Catalyst 6500 supports microflow and aggregate policing. A Microflow policer defines the policing of a single flow, which is defined by a session with a unique SA/DA MAC address, SA/DA IP address and TCP/UDP port numbers. For each new flow that is initiated through a port of a VLAN, the microflow can be used to limit the amount of data received for that flow by the switch. I notice you're using the LX based fiber connection between your routers but the design does suggest a campus or MAN type architecture. In this design I'm guessing that the 6500 with dual MFSC's and PFC's as noted on the link would provide for redundancy in the design. In looking at the QoS requirements using a router (possibly using a 7500) the GEIP link does mention support for the following - Support for IP Quality of Service (QoS)/Class of Service (CoS), including CAR, ACL and MPLS/tag switching. A couple of questions here would be.. A couple of questions here would be 1. What is the problem you are trying to solve? (I've always wanted to say this...) :- 2. What type of analysis have been done to determine traffic flows(ftp, smtp, multicast..etc) 3. QoS based on destination subnets ( How are the subnets being determined)? 4 . The design suggest this is a P-t-P connection for an internal network. Is it? 5 . The traffic that would be given QoS to the DA subnet to what? An Application Server/Farm? I'm currently reading for the second time a book recommended by Priscilla on the list that I think may provide you some insight in what you're trying to accomplish. The book's author is James D. 
McCabe and the title is Practical Computer Network Analysis and Design - ISBN 1558604987 HTH Nigel - Original Message - From: Chuck To: Sent: Friday, May 24, 2002 10:59 AM Subject: Friday Follies of sorts - answering questions [7:44952] I got to thinking about this after posting a question to a company internal mailing list. Based on some of the responses I received from other engineers, I wondered at what point one has enough information to answer a question. At what point asking for further clarification is essentially a sign that you don't know the answer and you are just stalling. Please be assured, I am not looking for the answer. I have what I need, including some working configs, which I will post to the list if there is enough interest. I am more interested in the opinions of any number of you folks whose insight I appreciate. So.. here is the e-mail I sent internally. My question is - given what you see, do you have enough information to provide an answer? If not, why not? Start question: - have a complex QoS traffic shaping rate limiting question. internet---source_router---gigE_port---LX_fiber_connection---gigE _portdestination_router---multiple subnets the customer wants to rate limit traffic across the fiber link based on destination ip subnet. I'm racking my brain trying to figure out how to do this on something other than a frame or an ATM link. Can't seem to find the appropriate examples on CCO. Question - can one configure different QoS rate limits for different destination subnets over the same physical interface? All the example I find are for technologies that use PVC's. I had thought policy routing, using the route-maps to change TOS bits, and using map classes (?) to differentiate, but that severely limits the number of subnets I can manage. I have found some docs on CCO, but the examples center around MAC and IP precedence, not subnet. If you have reasonable expertise in QoS rate limiting, can you give me a call regarding the options I have? 
- end of question

remember - I have what I need. I am just curious about the nature of questions and answers, and the clarification process required to provide answers. Call this a seminar in the design process, maybe?

I look forward to your sage replies.

Chuck

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44977&t=44952
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Some real theory [7:44491]
How about putting them up on the ftp site?

Much Appreciated...

Nigel

- Original Message -
From: Howard C. Berkowitz
To:
Sent: Sunday, May 19, 2002 8:29 PM
Subject: Re: Some real theory [7:44491]

the link you provide is only a 10 meg document. ;-

Bless .pdf. I downloaded .ps without looking.

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

If anyone is interested, Radia Perlman's PhD dissertation on Byzantine robustness of routing protocols is finally on line. Do not do as I did and download the PostScript, which was almost 40 meg. PDF is BOUND to be smaller.

http://www.lcs.mit.edu/publications/pubs/pdf/MIT-LCS-TR-429.pdf

If there's interest, I can probably dig up some other formative dissertations, such as the original concepts of IP multicast routing (Steve Deering) and quite a bit on BGP stability.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44510&t=44491
A good CLNS/ISIS link on CCO [7:43330]
All,

I was just browsing around CCO and came across this link which has some good coverage of CLNS/ISIS. This link most likely isn't a secret, but for anyone wanting to get a better understanding of these protocols this seems like a good addition.

http://www.cisco.com/warp/public/97/index.shtml

Nigel

- Original Message -
From: nrf
To:
Sent: Sunday, May 05, 2002 3:40 AM
Subject: Re: CCIE in 3-6 Months from cisco Interesting [7:43306]

Michael L. Williams wrote in message news:[EMAIL PROTECTED]...

It's not in Cisco's best interest to crank out CCIEs and I doubt that's what they're doing (or going to do) After all, this is a job posting, and I doubt they're going to hire and train enough people to make an impact in the total number of CCIEs out there. (i.e. they may hire 5, 10, hell maybe even 50 people, say, and so you're only taking 5/10/50 more CCIEs on top of the 7400 existing CCIEs ... not enough to impact the overall market/demand for CCIEs, IMHO).

I agree with another poster here that, even spending every day at work for Cisco studying isn't enough to get through the new CCIE written, much less the lab.

I agree with the premise that even TAC guys do not get as much hands-on as they would like, especially with expensive gear. From my friends who are and were at TAC, they have to fight for access to good equipment.

As far as the devaluing of the CCIE, I've seen ramblings of this ever since I joined Groupstudy, and I believe that it's mostly just a lot of talk. Sure, CCIEs aren't pulling in as high a salary as they were 2 years ago, but most of that is due to the dot-bomb thing coming to an end as well as the job market/economy of the last year or so. Two things can devalue the cert: The number of CCIEs skyrocketing and/or people being able to attain the CCIE without being qualified. I don't think anyone will argue that the CCIE written/lab combo pretty much keeps paper CCIEs from becoming a reality.

Bullshi*.
There are a significant number of guys lately who've passed the lab who I wouldn't hesitate to call paper (heck, even they have honestly referred to themselves as paper, usually after getting a few drinks into them). But I do agree with the premise that the main reason for the devaluing of the cert is the bad economy, and the lab-rats are a lesser consideration (still important, but lesser). But on the other hand, I think it is the case that the CCIE will probably never attain the status that it once did, simply because we will probably never see another huge network buildout orgy like the dotcom boom again in our lifetime. So while I believe the networking industry will get better, people who think it's going to get back to, say, 1999, are just deluding themselves.

As far as the number of CCIEs skyrocketing, if I recall correctly, when I first started working on Cisco certification there were around 6000 CCIEs. Now there are around 7400 (worldwide). That's certainly not skyrocketing. Compare that to MCSEs where there was such a flood of new MCSEs on the market that simply supply/demand took over, and all of a sudden MCSEs were a dime a dozen (no offense to people with MCSEs, just making a point about the numbers).

Also, I don't agree with the claim that the CCIE's best days are behind it.

I believe this is definitely true - look at the salaries of CCIEs back in '99 compared to today. Obviously the main reason for this is the bad economy. But the proliferation of CCIEs (especially lab rats) doesn't help matters. Just ask Jon Kaberna who's written quite a bit on this subject. Again, the main reason is that I doubt the networking economy will ever get back to what it was during the boom ever again in our lifetime.

Although many felt that the new one-day lab was going to open the floodgates for paper CCIEs, I don't recall reading any posts by people saying the new lab was a breeze.
Also, any of the level of difficulty that may have been lost going to the one-day format is definitely going to be made up for by the new format of the written. As has been posted here more recently (by either Bernard or Dennis right after they took the beta), the failure rate of the written is definitely going to go up with this new exam.

If that is true, then it is a long-overdue change. The fact is the old written was not getting the job done. I think not only should the new written be more difficult, but you should also only be able to attempt it a certain number of times per year (say, 3 times per year or something). Also, Cisco should emphatically state once-and-for-all that the CCIE-written is not a cert.

Just my 2 cents

Mike W.

nwo wrote in message news:[EMAIL PROTECTED]...

If this is true then it represents an even worse devaluation of the CCIE than what has happened already. Not only
GroupStudy - Experts and Gurus.. [7:43062]
All,

I typically try not to get involved in threads like this one, since it really serves no purpose. I've been a member of this list for some four plus years and this type of thread always seems to creep into the list. John's earlier post I think was truly funny and if anyone who read it didn't notice the humor, you missed out.

In the time I've been on the list there have been a number of very knowledgeable people of which Howard is most certainly one of the most notable. What I don't understand is why everyone on the list can't simply participate as part of the group for the collective good and not be concerned with Howard's ability to prove himself. In perspective, I think one should see the benefit in Howard's limited experience not having personally taken the lab. This I would believe benefits everyone on the list. From another perspective, I think the desire to pressure Howard into taking the lab is a feeble attempt to justify one's own belief. The fact that there is possibly something out there in this field that they might possibly have some experience in that Howard doesn't.

Folks like Howard, Priscilla, and a number of others contribute so much more to this list if not for the fact that they can provide factual information based on their research, writing, experience, and working relationship with some of the more prominent persons in this field.

Lastly, as I mentioned before this thread will most likely not go away and if it does, I'm sure someone will see the need to reiterate what was said before. When this urge arises please think of the value a thread like this will bring to the group and then see if it's worth the 1-click of the send button..please clear this with Amazon first.
Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43062&t=43062
OT: Home Lab Stuff [7:42804]
Some items I had in my home lab that I no longer need. I'm willing to let it all go to 1 buyer for $1200. If interested in individual pieces that's ok too.

1 Cisco 2517 - 16MB/8MB, 2 serial, 1 BRI(S/T), 1 Token Ring, 8-port MAU $300

1 Cisco 2521 - 6MB/8MB, 4 Serial(2Sync/2Async), 1 BRI(S/T), 1 token ring $400

1 AGS+ - CSC4 w/4 MB NVRAM, 8 Ethernet, 6 Serial(HD26) $550
I also have another 4-port V.35 serial applique with 10' cables, 3 HD26-HD26 DCE-DTE cables, and 3 HD26-HD60 DCE-DTE cables. IOS 11.26a - the last available code version. Great Frame Switch. The cables here alone cost about $350-$400.

2 MGS - (1st) 1 Serial, 1 ethernet, 1 token ring. $150 (2nd) 3 serial, 1 ethernet, 1 token ring.

1 Cisco STS-10x - 1 ethernet, 9-port(poor-man's) terminal server $100 all terminal cables(custom made) included

Any questions contact me directly. please do not post to the list.

Nigel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42804&t=42804
Re: token ring interface 3920 Catalyst [7:42766]
Richard,

If I'm not mistaken the 3920 uses the default bridge (hex) number of 0x1. You most likely will want to make sure that the second 3920 isn't using the same default ring/bridge IDs. Here's a link that may ring through when trying to figure out these tokens :-

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3920/3920ug4/vlantut.htm

HTH

Nigel

From: Mr. Richard L. Pickard
Reply-To: Mr. Richard L. Pickard
To: [EMAIL PROTECTED]
Subject: token ring interface 3920 Catalyst [7:42766]
Date: Sat, 27 Apr 2002 21:24:23 -0400

4/27/2002 8:30pm Saturday

Professionals,

I have a 4000-M router with 12.1.14 Enterprise+. It is populated as follows - dual token ring, dual ethernet, quad serial. All interfaces are in use except S1 S2. Until a few hours ago each token ring interface was connected to a different SynOptics LattisRing 2705B, TR0 on the 180.x.x.x network, TR1 on the 198.x.x.x network. Everything works fine.

I moved all the users from the first MAU to a new Catalyst 3920 hooked up TR0, everything was still fine. I moved all the users from the second MAU to a second new Catalyst 3920 hooked up TR1. The users are good to go BUT line protocol on TR1 will not come up. I tried different ports on the 3920 then rebooted the router switch. TR1 will still not come up. I tried sho CDP neighbors, the router does not see the second 3920. I put it back in the SynOptics, guess what --- it comes up !!! I plugged a 2502 router in to the second 3920, it comes up fine.

What am I overlooking ? Or is there a chipset limitation on the NP card of the 4000-M router ?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42775&t=42766
Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
See inline

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 09:08:21 -0400

You can originate a 0.0.0.0 route from each of the ISP connected routers. Ideally, then each router on your internal network that receives both 0.0.0.0 routes from both originating routers will route traffic to the internet based on the 0.0.0.0 route with the best metric.

You're on the right track. But what characteristics must the default routes have to assure a degree of load sharing? (I'm thinking of something specific to OSPF)

NT: On redistribution of the default-route using OSPF's default assignment of E2, with a standard metric XX value at both POP's will allow both default routes to be equal-cost. Another option here would be to use the ospf cost or bandwidth configuration commands to balance the links.

What is their effect on load balancing from the provider to you?

I'm not sure about OSPF, but where I work we have 2 connections to the internet at different POPs, and this is the method we use. Seems to give some load balancing, however, based on the number of users at each site i.e. we have twice as many users at one site (which chooses its closest internet connection for exit to the net) as we do at the other, so we really get a lopsided load balance, but it's what we expect. We are soon going to be implementing BGP on the 2 routers that connect to the internet so that we can have inbound redundancy from the internet, but we'll still leave the lopsided load balancing in place as to really load balance across our internet connections would each bandwidth on our OC-12, which we don't want

Mike W.

- Original Message -
From: Howard C. Berkowitz
Newsgroups: groupstudy.cisco
Sent: Saturday, April 20, 2002 2:51 PM
Subject: (correction) Method and Process Scenario 5: OSPF Multihoming [7:42092]

Your enterprise runs OSPF internally and only takes default from one ISP, but at multiple POPs. What would this suggest you could do to achieve a degree of load-sharing among the POPs?

Assume you do not run BGP. What can you do and what are its limitations? Don't focus on the configuration commands as what mechanisms will be required.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42142&t=42139
Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Yes, I forgot about getting that default route into the enterprise from the CE. That would leave the default-information originate.

Nigel

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 12:37:52 -0400

See inline

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 09:08:21 -0400

You can originate a 0.0.0.0 route from each of the ISP connected routers. Ideally, then each router on your internal network that receives both 0.0.0.0 routes from both originating routers will route traffic to the internet based on the 0.0.0.0 route with the best metric.

You're on the right track. But what characteristics must the default routes have to assure a degree of load sharing? (I'm thinking of something specific to OSPF)

NT: On redistribution of the default-route using OSPF's default assignment of E2, with a standard metric XX value at both POP's will allow both default routes to be equal-cost. Another option here would be to use the ospf cost or bandwidth configuration commands to balance the links.

That would make the links to the ISP load balanced, but it wouldn't necessarily equalize the load in getting to them from within the enterprise. Again, you are on the right track.

What is their effect on load balancing from the provider to you?

I'm not sure about OSPF, but where I work we have 2 connections to the internet at different POPs, and this is the method we use. Seems to give some load balancing, however, based on the number of users at each site i.e. we have twice as many users at one site (which chooses its closest internet connection for exit to the net) as we do at the other, so we really get a lopsided load balance, but it's what we expect.

We are soon going to be implementing BGP on the 2 routers that connect to the internet so that we can have inbound redundancy from the internet, but we'll still leave the lopsided load balancing in place as to really load balance across our internet connections would each bandwidth on our OC-12, which we don't want

Mike W.

- Original Message -
From: Howard C. Berkowitz
Newsgroups: groupstudy.cisco
Sent: Saturday, April 20, 2002 2:51 PM
Subject: (correction) Method and Process Scenario 5: OSPF Multihoming [7:42092]

Your enterprise runs OSPF internally and only takes default from one ISP, but at multiple POPs. What would this suggest you could do to achieve a degree of load-sharing among the POPs?

Assume you do not run BGP. What can you do and what are its limitations? Don't focus on the configuration commands as what mechanisms will be required.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42158&t=42139
Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Howard,

I think I see where you're going. The default on the DIO command is applying an E2 to the default as it is sent into the enterprise. It is also known that by order of preference that E2 routes are least preferred. So based on your hint.. I'm thinking making use of the metric-type parameter to make the default-route an E1 metric which would provide known route info into the ISP's network. Nope..this isn't it.

In thinking about this even more when I was posting the very first time to this thread I thought..yes, that's it..but opt'd not to mention it. Now it dawns on me that the default nature of (Cisco's) OSPF is to use 4 equal-cost routes. So now maximum-paths 2 sounds like the way to go.

the hint knocked me over the head..:-

Nigel

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 15:31:29 -0400

At 2:19 PM -0400 4/21/02, Nigel Taylor wrote:

Yes, I forgot about getting that default route into the enterprise from the CE. That would leave the default-information originate.

Nigel

Nigel, thanks for continuing this thread, because I'm finding the interaction very informative, and will try to start building it into practice things. I think it was you that mentioned that it can be hard to stop thinking about configuration commands and look a little more broadly about the problem.

Yes, in this case, you could use default-information originate. But think on the protocol/functionality level for a moment. To get both internal and external (i.e., to the ISP) load balancing, what information does the default route have to convey into the enterprise's OSPF?

[hint follows]

Think about the parameters of default-information originate, especially the values it does by default (the other kind of default, that is).
The answer lies in using a non-default value of one

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42169&t=42139
Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Based on chuck's diagram and the use of the E1 ospf route I think this would be a matter of how the enterprise is designed and what type of links interconnect the various locations/sites. Simply using the DIO metric-type could allow for suboptimal routing as chuck noted. I realize that I was thinking that the enterprise should have dual default routes out to the ISP, when in fact by using the E1 as howard pointed out, would allow each site to default to the nearest gateway based on the sum of the internal+external calculated by the E1 metric. So based on a well designed enterprise this would account for the individual traffic flows of each location/site to be balanced between the two ISP POPs.

Wow.. this stuff is actually beginning to make sense.. :-

Nigel

Reply-To: Chuck
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 21:57:36 -0400

I think I see what you are getting to, Howard, but for the purpose of your scenario, are you assuming that the enterprise backbone construction makes sense? for example, in your case, are you assuming something like Seattle---Portland---SanFran---SanJose---LosAngeles---SanDiego with the ISP connections in SanDiego and Seattle, or better yet Portland and LosAngeles? What I'm seeing no matter how I try to construct this is that, for example, half of Seattle's traffic traverses the entire network to get to the LosAngeles egress while at the same time, half of SanDiego's traffic is going past LosAngeles, and up to Portland. Maybe I'm digressing. Maybe this isn't necessarily a good design. OTOH, it is a design that saves the company money due to the various pricing issues involved, no matter what the transport decision. ( interstate, inter-lata, inter-telco, etc )

tell me if I am off topic with regard to your puzzle.

Chuck

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

question embedded within:

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

Howard, I think I see where you're going. The default on the DIO command is applying an E2 to the default as it is sent into the enterprise. It is also known that by order of preference that E2 routes are least preferred. So based on your hint.. I'm thinking making use of the metric-type parameter to make the default-route an E1 metric which would provide known route info into the ISP's network. Nope..this isn't it.

STOP! Using E1 is the answer, although I don't think you have the reason quite right. On the default-information originate command, use metric-type 1 and an equal metric on both routers. E1 considers the combined internal and external metric. If you make the external metrics equal, traffic in your network will go to the closest exit. If the network topology is reasonably well designed with the placement of your gateways, this should give approximate sharing of both internal resources and the ISP links.

hhhm. I'm wondering how many readers of this thread fooled themselves by thinking that the idea was to ensure per packet load sharing out the two ISP links? which no doubt leads to suboptimal routing for a significant portion of traffic, if my mental picture is correct. aren't the two goals - equal load sharing and optimal routing - mutually exclusive here?

In practice, no, if you think carefully where you place the ISP gateways. Typically, they should be at opposite geographical ends of your network, near heavy concentrations of users. That often causes load sharing by pure use distribution.

It's certainly not per-packet between multiple routers. It's more per-destination for individual routers, CEF of course giving even better results than fast switching.

The optimal routing to which we are referring is internal, not external. It presupposes the ISP links are of equal capacity.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42192&t=42139

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42196&t=42139
Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
See Inline...

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Re: (correction) Method and Process Scenario 5: OSPF [7:42139]
Date: Sun, 21 Apr 2002 18:03:20 -0400

Howard, I think I see where you're going. The default on the DIO command is applying an E2 to the default as it is sent into the enterprise. It is also known that by order of preference that E2 routes are least preferred. So based on your hint.. I'm thinking making use of the metric-type parameter to make the default-route an E1 metric which would provide known route info into the ISP's network. Nope..this isn't it.

STOP! Using E1 is the answer, although I don't think you have the reason quite right. On the default-information originate command, use metric-type 1 and an equal metric on both routers. E1 considers the combined internal and external metric. If you make the external metrics equal, traffic in your network will go to the closest exit. If the network topology is reasonably well designed with the placement of your gateways, this should give approximate sharing of both internal resources and the ISP links.

Again, this is outwards toward the ISP. Without BGP, you aren't going to influence inbound sharing.

Since we're using OSPF between the ISP POPs and the enterprise couldn't a case be made here for the use of a well designed IP scheme. This would allow for geographic/location specific summarization with the use of route-tagging/filtering to provide some control over in-bound traffic from the ISP into the enterprise. Thoughts.. anyone?

Nigel

In thinking about this even more when I was posting the very first time to this thread I thought..yes, that's it..but opt'd not to mention it. Now it dawns on me that the default nature of (Cisco's) OSPF is to use 4 equal-cost routes. So now maximum-paths 2 sounds like the way to go.

No, for a couple of reasons. First, OSPF will generate only one external route to the same destination in the same router.
So load balancing on the same router, which uses maximum-paths, will never take place with OSPF default. Second, what you want is load-sharing with the scope of your OSPF _domain_, not the scope of one router.

the hint knocked me over the head..:-

Nigel

--
What Problem are you trying to solve?
***send Cisco questions to the list, so all can benefit -- not directly to me***

Howard C. Berkowitz [EMAIL PROTECTED]
Chief Technology Officer, GettLab/Gett Communications http://www.gettlabs.com
Technical Director, CertificationZone.com http://www.certificationzone.com
retired Certified Cisco Systems Instructor (CID) #93005

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42175&t=42139

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42197&t=42139
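The E1 selection Howard describes (internal OSPF cost to the originating ASBR plus the external metric, lowest total wins) worked through per router, as an added example that is not part of the thread. The six-city chain, its link costs, and the ASBR placement at Portland and LosAngeles are assumptions modelled on Chuck's sketch; it also runs the case the thread warns against, unequal external metrics, to show routers being pulled to the farther exit.

```python
"""OSPF E1 default-route selection over a constructed enterprise topology.

Added example, not from the thread. Each router computes, for every ASBR
that originates 0.0.0.0 with 'default-information originate metric <m>
metric-type 1', the E1 cost = intra-domain cost to that ASBR + m, and
installs the lowest. With equal m on both ASBRs that is the nearest exit.
"""
import heapq

# Constructed chain modelled on Chuck's sketch; costs are assumed OSPF
# interface costs and carry no meaning beyond this illustration.
LINKS = [
    ("Seattle", "Portland", 10),
    ("Portland", "SanFran", 30),
    ("SanFran", "SanJose", 5),
    ("SanJose", "LosAngeles", 20),
    ("LosAngeles", "SanDiego", 10),
]


def build_graph(links):
    """Undirected adjacency map {router: {neighbour: cost}}."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, source):
    """Dijkstra: lowest-cost distance from source to every router (SPF run)."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def e1_default_costs(links, asbr_metrics):
    """{router: {asbr: E1 cost of 0.0.0.0 via that asbr}}.

    asbr_metrics maps ASBR name -> external metric configured on its
    default-information originate command (metric-type 1 assumed).
    """
    graph = build_graph(links)
    to_asbr = {asbr: spf(graph, asbr) for asbr in asbr_metrics}
    return {
        router: {asbr: to_asbr[asbr][router] + metric
                 for asbr, metric in asbr_metrics.items()}
        for router in graph
    }


def chosen_exits(links, asbr_metrics):
    """Exit(s) each router installs for 0.0.0.0: lowest E1 total, ties kept."""
    exits = {}
    for router, costs in e1_default_costs(links, asbr_metrics).items():
        best = min(costs.values())
        exits[router] = sorted(a for a, c in costs.items() if c == best)
    return exits


if __name__ == "__main__":
    equal = {"Portland": 20, "LosAngeles": 20}    # what the thread recommends
    skewed = {"Portland": 20, "LosAngeles": 60}   # unequal metrics, for contrast
    for label, metrics in (("equal external metrics", equal),
                           ("skewed external metrics", skewed)):
        print(label)
        for router, asbrs in chosen_exits(LINKS, metrics).items():
            print(f"  {router:11s} -> {','.join(asbrs)}")
```

With equal metrics Seattle and Portland exit via Portland and the four southern sites via LosAngeles; with the skewed metrics SanFran and SanJose are pulled north to Portland even though LosAngeles is the closer gateway.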
Re: Method and Process Scenario 3: OSPF Multihoming [7:42088]
This is interesting. I work in a very operational environment so thinking of accomplishing this task from a standpoint other than configuration requirements leaves me blank.

See Inline..

From: Howard C. Berkowitz
Reply-To: Howard C. Berkowitz
To: [EMAIL PROTECTED]
Subject: Method and Process Scenario 3: OSPF Multihoming [7:42088]
Date: Sat, 20 Apr 2002 15:47:06 -0400

Your enterprise runs OSPF internally and only takes default from one ISP, but at multiple POPs. What would this suggest you could do to achieve a degree of load-sharing among the POPs?

Some questions I would need answered would be..

- What is the routing policy of the ISP?
- My second thought would be what is the IP scheme of the enterprise?
- At what point upstream does the ISP aggregate its route-space?
- Look at using static/conditional routes or implement an IGP routing domain.(entISP)
- Look at possible route summarization based on POP geographical location
- Enterprise network can use VLSM to control return traffic by assigning specific traffic flows to primary/alternate designated POPs.

Am I totally lost.. :-

Nigel

Assume you do not run BGP. What can you do and what are its limitations? Don't focus on the configuration commands as what mechanisms will be

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42119&t=42088
Re: accesslist.....bgp [7:42098]
Stanzin, Chuck,

I had this happen to me the other day when one of our engineers made a change to the ACL on one of our BGP peer connections. Typically all the ACLs are the same on all of our BGP connections, so when troubleshooting the problem some assumptions were made. The problem ended up being that on a number of our connections we use the provider space for p-t-p connections. A few of the other connections are made using our own IP space. The engineer forgot to add a permit statement to the ACL to allow for the p-t-p links. Although there was a permit ip any any at the end of the list, the anti-spoofing part of the ACL that read deny ip 192.168.0.0 0.0.0.0 any denied the BGP peering relationship. This also filtered all icmp traffic as well. The other interesting thing here is the local interface could not be ping'd as well...:-

We get to have too much fun I think..

P.S. Chuck what's been going on? Drop me a line..

Nigel

From: Chuck
Reply-To: Chuck
To: [EMAIL PROTECTED]
Subject: Re: accesslist.bgp [7:42098]
Date: Sun, 21 Apr 2002 00:17:18 -0400

we give up. post the access-list

Stanzin Takpa wrote in message news:[EMAIL PROTECTED]...

Hi ,

I came across a strange situation. I am running bgp b/w two routers(cisco). Whenever I configure access-list on one of the routers, the bgp routes from the router on which I configure acl are disappearing in 'sh ip routes' and I am not able to ping from one n/w to the other. What could be the problem /

Stanz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42118&t=42098
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42120&t=42098
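The failure Nigel describes, an anti-spoofing deny sitting above the permit the point-to-point link needed, as an added example that is not from the thread: a small first-match evaluator for IOS-style extended ACL lines, used as a pre-change check that the BGP session (TCP/179 both ways) and ICMP from the peer are still permitted by an inbound interface ACL. The p-t-p addresses 192.168.5.1/.2 and both ACLs are constructed; the "fixed" ACL simply puts the p-t-p permit above the denies.

```python
"""Pre-change check: does an IOS-style extended ACL still permit a BGP peering?

Added example, not code from the thread. Lines are evaluated the way IOS
does: top to bottom, first match wins, implicit deny at the end. Supported
syntax (enough for the anti-spoofing case): permit|deny <ip|tcp|udp|icmp>
<any | host A | NET WILDCARD> [eq PORT] <any | host A | NET WILDCARD> [eq PORT].
All addresses and ACL text below are constructed for illustration.
"""
import ipaddress

BGP_PORT = 179
EPHEMERAL = 20000  # assumed ephemeral port used by whichever side opens the session


def _match_addr(spec, addr):
    """spec is ('any',), ('host', ip) or (network, wildcard) as IOS writes it."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr == ipaddress.ip_address(spec[1])
    net, wildcard = (int(ipaddress.ip_address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit set = don't care
    return (int(addr) & care) == (net & care)


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ("any",), i + 1
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse ACL lines into (action, proto, src, sport, dst, dport, text) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # blank lines and remarks are ignored
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append((action, proto, src, sport, dst, dport, line.strip()))
    return entries


def evaluate(entries, proto, src, sport, dst, dport):
    """Return (action, matching line) for one packet; implicit deny if none match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, esport, edst, edport, line in entries:
        if eproto not in ("ip", proto):
            continue
        if not (_match_addr(esrc, src) and _match_addr(edst, dst)):
            continue
        if esport is not None and esport != sport:
            continue
        if edport is not None and edport != dport:
            continue
        return action, line
    return "deny", "<implicit deny>"


def peering_check(acl_text, local_ip, peer_ip):
    """Evaluate an inbound interface ACL against the flows a BGP peering needs.

    Returns {check name: (action, matching line)}. Inbound packets always
    carry the peer as source and the local p-t-p address as destination.
    """
    entries = parse_acl(acl_text)
    flows = {
        "bgp peer opens session": ("tcp", EPHEMERAL, BGP_PORT),
        "bgp local opened session": ("tcp", BGP_PORT, EPHEMERAL),
        "icmp from peer": ("icmp", None, None),
    }
    return {name: evaluate(entries, proto, peer_ip, sp, local_ip, dp)
            for name, (proto, sp, dp) in flows.items()}


# Constructed: anti-spoofing denies for RFC 1918 space with the p-t-p
# permit missing, mirroring the mistake described in the thread.
BROKEN_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
"""
# Constructed fix: permit the p-t-p link explicitly, above the denies.
FIXED_ACL = "permit ip host 192.168.5.2 host 192.168.5.1\n" + BROKEN_ACL

if __name__ == "__main__":
    for label, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(label)
        for name, (action, line) in peering_check(acl, "192.168.5.1", "192.168.5.2").items():
            print(f"  {name:26s} {action:6s} <- {line}")
```

The broken ACL reports every flow as denied by the 192.168.0.0 line, which is the clue Nigel's troubleshooting lacked; a peering that uses provider space instead falls through to permit ip any any, which is why the same template works on the other links.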
Re: Summarization?? What's that? (bug report) [7:37093]
John,

You might want to try using the aggregate-address command and see what magic happens. As a side note.. IGP's summarize, whereas BGP being an EGP aggregates.

watch the word wrap..
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fiprrp_r/bgp_r/1rfbgp1.htm#xtocid1

Nigel

- Original Message -
From: John Neiberger
To:
Sent: Sunday, March 03, 2002 12:30 AM
Subject: Summarization?? What's that? (bug report)

While attempting to summarize some prefixes in BGP I got the following:

R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#router bgp 2010
R3(config-router)#summa?
% Unrecognized command
R3(config-router)#summar?
% Unrecognized command
R3(config-router)#summar
                   ^
% Invalid input detected at '^' marker.

R3(config-router)#?
Router configuration commands:
  address-family       Enter Address Family command mode
  aggregate-address    Configure BGP aggregate entries
  auto-summary         Enable automatic network number summarization
  bgp                  BGP specific commands
  default              Set a command to its defaults
  default-information  Control distribution of default information
  default-metric       Set metric of redistributed routes
  distance             Define an administrative distance
  distribute-list      Filter networks in routing updates
  exit                 Exit from routing protocol configuration mode
  help                 Description of the interactive help system
  maximum-paths        Forward packets over multiple paths
  neighbor             Specify a neighbor router
  network              Specify a network to announce via BGP
  no                   Negate a command or set its defaults
  redistribute         Redistribute information from another routing protocol
  synchronization      Perform IGP synchronization
  table-map            Map external entry attributes into routing table
  timers               Adjust routing timers
R3(config-router)#

I'm thinking it might be tough to do summarization when the freaking command is missing!! This is a 2500 running 12.1(11) Enterprise Plus. Too weird. I didn't find a bug report for it on CCO but I can't be the only person to run into this.
Since I don't feel like doing un upgrade right now, I'll skip that part. John _ Commercial lab list: http://www.groupstudy.com/list/commercial.html Please discuss commercial lab solutions on this list. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37093t=37093 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
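To make the distinction in Nigel's reply concrete, here is an added example (not from the thread or from Cisco) that models in Python what the IOS aggregate-address command does to the set of prefixes a BGP speaker advertises, with and without summary-only, plus the covering-prefix calculation that an IGP summary needs. The prefixes in it are constructed; the rule that the aggregate is only generated when a more-specific route exists in the table is IOS behaviour, the function names are mine.

```python
import ipaddress

# Added example: models the advertised set after 'aggregate-address <prefix> <mask>
# [summary-only]' in IOS BGP, and the covering-prefix calculation an IGP summary needs.
# Prefix values below are constructed; they are not from the thread.


def covering_aggregate(prefixes):
    """Smallest single prefix that covers every prefix in the list (all same IP version)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()      # widen by one bit until everything fits
    return str(candidate)


def bgp_aggregate(table, aggregate, summary_only=False):
    """Return (sorted) the prefixes a BGP speaker advertises after configuring the aggregate.

    The aggregate is generated only when at least one more-specific route from the
    BGP table falls inside it; 'summary-only' additionally suppresses those more-specifics.
    """
    agg = ipaddress.ip_network(aggregate)             # strict: host bits must be zero
    routes = {ipaddress.ip_network(p) for p in table}
    contributing = {r for r in routes if r != agg and r.subnet_of(agg)}
    advertised = set(routes)
    if contributing:
        advertised.add(agg)
        if summary_only:
            advertised -= contributing
    return sorted(str(r) for r in advertised)


# Constructed local BGP table: three contiguous /24s plus an unrelated prefix.
BGP_TABLE = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    summary = covering_aggregate(BGP_TABLE[:3])       # 10.1.0.0/22
    print("covering prefix:", summary)
    print("aggregate-address:", bgp_aggregate(BGP_TABLE, summary))
    print("aggregate-address ... summary-only:", bgp_aggregate(BGP_TABLE, summary, summary_only=True))
```

Without summary-only both the aggregate and the contributing /24s are advertised; with it only the /22 and the unrelated prefix remain. An aggregate with no contributing route is never generated, which is why a mistyped aggregate silently does nothing.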
Re: multicast / CGMP towards the multicast server [7:33964]
Priscilla, I had to search out the answer. I found myself getting up because I couldn't sleep. I believe I found what we were looking for.. see inline.

- Original Message -
From: Priscilla Oppenheimer
To:
Sent: Saturday, February 02, 2002 6:22 PM
Subject: Re: multicast / CGMP towards the multicast server [7:33964]

At 06:18 AM 2/2/02, Nigel Taylor wrote:

Even in a design where the host and the server reside on the same VLAN (segment), IGMP and CGMP still provide the ability to control flooding of multicast traffic. Specifically, when the host multicasts the IGMP membership report to the group with the address 224.1.2.3 (MAC 0x0100.5E01.0203) and there's no existing mapping in its CAM table, the switch will flood the report on all ports in the VLAN.

It's not the membership reports we're concerned about. It's the multicast traffic from the source multicast server. The question can be boiled down to this:

It would seem that in this case the membership reports are all that we would need to care about.

When you enable CGMP does that mean the switch automatically stops flooding multicast traffic to all devices in the VLAN? Does the switch instead wait for the recipients to send their membership reports, which go to the router and then get converted into CGMP messages from the router to the switch? Only devices that have sent the membership report can receive the traffic. (There could be a problem if it works this way. The multicast server could start sending before anyone joined.)

No, when CGMP is enabled on the switch it does not stop the flooding of multicast to all devices in the VLAN. However, as you mention, the switch does not wait until the recipients send their membership reports. As you pointed out, it's the multicast traffic from the source multicast server that's of interest. In reading what I found, if the switch has no information in its CAM for the multicast group and the source multicast server begins sending multicast traffic, it hits the switch and does a lookup for the GDA; when it's not found, the traffic is flooded out all ports in the VLAN.

The question is not about basic IGMP and CGMP behavior. The question has to do with switch behavior in the special case where the source of the multicast traffic is on the same switch and in the same VLAN as the recipients. We're concerned because that sounds like it would cause normal multicast flooding to kick in. For that not to happen, the switch must be smarter than we're thinking.

Unfortunately, the switch even with CGMP isn't that smart. The flooding of the multicast traffic would continue until a host, any host on that VLAN, sends an IGMP report to the router. The router then creates the CGMP packet that will inform the switch of which ports will receive the multicast traffic. All other ports would be blocked except the router ports.

However, any further attempts to join that existing group would then be limited to ports listed in the CAM table that are eligible to receive the multicast traffic for the group.

Once again we're not talking about the membership reports (joins), although what you say is probably true. I wonder if what's also true is that the first membership report causes the switch to then not forward the server's multicast traffic to any devices not listed in the port list in the CAM table for the multicast address. That would make sense. Devices have to send their joins in order to get on the list and get the traffic.

Here's the reason why the IGMP joins are instrumental to this process.. Multicast packets, coming from the source, don't trigger the router to send CGMP self-joins to the switch.

Chptr 14, pgs 412-442 of Beau Williamson's book Developing IP Multicast Network provides some really good info on this issue.

I couldn't find an answer to our question. Maybe you could?? Thanks.

And to add to the question, I've been wondering about more ordinary multicasts, like OSPF Hellos and even BPDUs. If you enabled CGMP, would these not get sent to any devices that didn't implement IGMP and send their membership report? That seems kind of ugly. Maybe it's not an issue because you would only use CGMP on the edge in switches that connect end devices.

I think the difference here is, as someone posted earlier, which defines the multicast well known MAC address as 0x0100.0cdd.. Also, with respect to IGMP capable hosts, they use the multicast address 224.0.0.2 (All Routers Mcast group) to send their leave messages. Of course this mechanism is that of IGMPv2, since under IGMPv1 there is no support for multicast leave messages. Here's the link to what I found..

http://www.cisco.com/warp/public/105/mcastguide8.html

Nigel

Priscilla

The author does note that flat switched LAN designs will present major problems in gaining/maintaining control of multicast flooding. I guess this really comes down to the network design as with every other
Re: DHCP address with Cable on a Cisco router [7:34274]
Randy, Why are you hard coding the IP into the Ethernet interface? I believe in the 12.2 code the command ip address dhcp should be all you need. I use this currently with the required NAT configuration and everything works fine. Here's a copy of my relevant config..

interface Ethernet0
 ip address dhcp
 ip nat outside
!
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 101 interface Ethernet0 overload
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

HTH
Nigel

- Original Message -
From: McHugh Randy
To:
Sent: Sunday, February 03, 2002 4:15 PM
Subject: DHCP address with Cable on a Cisco router [7:34274]

Can anyone please tell me if they have been able to make a Cisco 2514 Router hold a DHCP address to an ethernet interface so I can do NAT with overload for my cable internet connection? Once I get my dhcp address from my provider I hard code that on to eth 0 which is plugged into the cable modem, on the router along with a static default route with the dns info, but still can't ping out to the internet from the router. DSL works fine but cable does not.

thanks
Randy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34277&t=34274
Re: multicast / CGMP towards the multicast server [7:33964]
Priscilla, You're correct in that Fears' real fear at this point has not been answered. ;-) In doing some quick research, I found that as you mentioned IGMP (costly) and CGMP (a less costly solution) would assist in providing one the ability to control multicast flooding. This is what I found...

Even in a design where the host and the server reside on the same VLAN (segment), IGMP and CGMP still provide the ability to control flooding of multicast traffic. Specifically, when the host multicasts the IGMP membership report to the group with the address 224.1.2.3 (MAC 0x0100.5E01.0203) and there's no existing mapping in its CAM table, the switch will flood the report on all ports in the VLAN. However, any further attempts to join that existing group would then be limited to ports listed in the CAM table that are eligible to receive the multicast traffic for the group.

Chptr 14, pgs 412-442 of Beau Williamson's book Developing IP Multicast Network provides some really good info on this issue. The author does note that flat switched LAN designs will present major problems in gaining/maintaining control of multicast flooding. I guess this really comes down to the network design as with every other aspect of building a scalable and efficient network.

Thoughts.. Anyone!

Nigel

At 09:28 PM 2/1/02, Nigel Taylor wrote:

Priscilla, You are correct. Thanks for the added insight. Nigel

You are nice to say this, but you know what I realized?! My answer doesn't resolve the quandary either! ;-) I now think that Fears' real fears had to do with the recipients and the server being on the same VLAN. This might cause the switch to forward the multicast traffic before it even checks the results of CGMP. The switch may do its default multicast flooding to ports in a VLAN and just make use of CGMP to learn about other ports. Am I making any sense? It's late. ;-) My guess is that the answer is still that CGMP is smart. Once you configure it, the switch knows to not do its normal multicast flooding and instead wait to hear from the router regarding which ports should receive the multicast flow. Hopefully someone can confirm that.

Priscilla

- Original Message -
From: Priscilla Oppenheimer
To:
Sent: Friday, February 01, 2002 2:03 PM
Subject: Re: multicast / CGMP towards the multicast server [7:33964]

No offence, but that answer doesn't remove the quandary. The entire switch is a segment from the router's point of view. The router receives the IGMP Join and now knows that packets for that multicast group must be sent out that interface to that Ethernet segment. All devices on the switch are out that interface, however. What Fears fears is that the router won't be smart enough to tell the switch that not all devices connected to the switch should receive the multicast stream.

But fear not, Fears. CGMP is smarter than you might think. Here's how I understand it. Correct me if I'm wrong, please (anyone).

As you know, when a host wants to join an IP multicast group, it sends an IGMP Join message. The Join specifies the host's MAC address and the IP multicast group that it wants to join. When a router receives the IGMP Join, it creates a CGMP message that contains the MAC address of the host and the multicast group address. The router sends the CGMP message to a well-known address that all switches listen to. When a Catalyst switch receives the CGMP message from the router, the supervisor engine responds by modifying the forwarding table automatically. In other words, it now knows the specific port that must receive the multicast stream. Other hosts on different ports may Join also, and the switch will add them to the table.

This is different from IGMP Snooping, by the way. From what I understand, IGMP Snooping allows the switch to proactively snoop into IGMP packets and figure out which ones are Joins. IGMP Snooping requires more powerful (and more expensive) switching hardware (firmware).

Priscilla

At 10:18 PM 1/31/02, Nigel Taylor wrote:

Michael, Of course this would depend on whether the multicast server and the host connected on the same switch were assigned to the same VLAN (broadcast domain). Just some quick points to mention.. Routers by default will not forward multicast traffic. However, if you enable a multicast routing protocol (PIM, DVMRP) then this is possible. The important thing here is that IGMP is used by hosts to inform routers of their intent to become part of a multicast stream. This depends on your implementation of the multicast protocol. IGMPv2 has been improved to support leaves from a multicast group, which is not supported in IGMPv1. This way the host is able to notify the source of its intent to leave the multicast group. This will allow the routers to prune
Re: Multicast in catalyst 6500 environment [7:34192]
Mitch, See inline...

- Original Message -
From: Eve Mitch
To:
Sent: Saturday, February 02, 2002 7:18 AM
Subject: Multicast in catalyst 6500 environment [7:34192]

Hi all, Have 2 Catalyst 6509 with sup2 and MSFC2 modules in each switch in the core. And 4 Catalyst 6509 with sup2 in the access layer. Have about 10 VLANs using ISL. There is a multicast server connected to vlan 10 on CoreSwitch1. Is using pim dense mode on the MSFC2 and igmp snooping enabled on all sup2 modules enough to allow PC1 connected to one of the access switches (AS1) in vlan 2 to receive multicast, or is CGMP configuration necessary?

In a most recent thread (thanks Mike, Priscilla) I personally have been motivated to improve my understanding of multicast. Based on what you've mentioned, since you have IGMP snooping enabled this would allow the switch to snoop on IGMP messages between the MSFC2 and any host. Basically, as I understand it, IGMP and CGMP are mechanisms that provide similar control over the flooding of multicast traffic. The difference is that with CGMP the MSFC is now able to speak directly to the sup2, providing information about which ports will receive the multicast.

I don't want that if one user in vlan 2 is receiving multicast, all these multicast streams also pass the trunks to AS2, AS3 and AS4. Is there a way to prevent this?

In using dense-mode PIM this is the desired/normal behavior. If you're interested in limiting who and where the multicast traffic should be sent/forwarded, maybe you should look at sparse-mode PIM.

Any url or documentation where this issue is discussed clearly is appreciated.

http://www.cisco.com/warp/public/473/22.html#IGMP%20%Snooping
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Multicasts=Implementation_and_Configuration#Samples_%26_Tips

Watch the word wrap..

HTH
Nigel

Thanks for your help.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34196&t=34192
Re: Off Topic - CCIE LAB and NDA [7:34244]
Chuck, Thanks... for another great post. Maybe we could get Paul to make this standard reading for all who join the list; this way we avoid what we all fear... I dare not say the letters, for they spell fear themselves.. Of course the letters I refer to are NDA! This definitely is Food for Thought.

Nigel

- Original Message -
From: Chuck Larrieu
To:
Sent: Sunday, February 03, 2002 12:32 AM
Subject: Off Topic - CCIE LAB and NDA [7:34244]

Before I shut down for the evening, a few random thoughts on the CCIE Lab and NDA. Inspired by several posts here of late from persons asking about topology, IOS versions, or speaking of rumors about equipment changes.

1) It is unclear what really constitutes NDA. Caslow? The ECP1 class? NLI's practice labs? Caslow's new prep class? Cisco's own ASET lab? All of these could be considered violations of NDA in many ways, from topic content to lab topology. Cisco's own ASET program used real but retired CCIE labs.

2) What is it Cisco really considers CCIE level skill? In the past, things like DecNet, Apollo, and Vines were core topics. Cisco has recently dropped those, plus ATM LANE, presumably in response to market conditions. Which leads one to ask - why token ring? The only real world token ring project I have been involved with the past couple of years is ripping them out and replacing them with ethernet. The apologia that there are still some major token ring networks around is a bit lame. There are still some major DecNet networks around, I'm sure. Until very recently (and maybe they still are), a major utility company out this way was still running Vines. As was the U.S. Navy.

3) Is the CCIE a forward looking certification or not? Based on what I am seeing in the marketplace, the advanced skill levels that one needs to meet demand center around VPN, VoIP, wireless, security, and the underlying infrastructure required to support these technologies. That means lots of QoS, switching, L2-L3 interaction, ATM, giga-whatever, etc.

I would purely love to see good focused discussion on core competencies, core issues. But there is that awful specter of NDA that hangs over all of our heads. In a very strange way, NDA is kinda like Santa Claus and the Easter Bunny. We all know what's in the Lab. We all know what study materials are designed to model the Lab. But we don't dare speak the truth in front of the children (those who haven't been yet) for fear that some higher authority will trounce on us if we do.

I'm not sure if there is a real point to this message. Maybe what I want to say to all of those who keep asking about Lab equipment, Lab topology, Lab IOS versions, and the like, is that understanding of the core topics is the most important thing. If you have them down cold, the equipment and the topology will not matter. I'd like to comment on the rumor about changes in the equipment, but that damn NDA.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34248&t=34244
Re: multicast / CGMP towards the multicast server [7:33964]
Priscilla, You are correct. Thanks for the added insight.

Nigel

- Original Message -
From: Priscilla Oppenheimer
To:
Sent: Friday, February 01, 2002 2:03 PM
Subject: Re: multicast / CGMP towards the multicast server [7:33964]

No offence, but that answer doesn't remove the quandary. The entire switch is a segment from the router's point of view. The router receives the IGMP Join and now knows that packets for that multicast group must be sent out that interface to that Ethernet segment. All devices on the switch are out that interface, however. What Fears fears is that the router won't be smart enough to tell the switch that not all devices connected to the switch should receive the multicast stream.

But fear not, Fears. CGMP is smarter than you might think. Here's how I understand it. Correct me if I'm wrong, please (anyone).

As you know, when a host wants to join an IP multicast group, it sends an IGMP Join message. The Join specifies the host's MAC address and the IP multicast group that it wants to join. When a router receives the IGMP Join, it creates a CGMP message that contains the MAC address of the host and the multicast group address. The router sends the CGMP message to a well-known address that all switches listen to. When a Catalyst switch receives the CGMP message from the router, the supervisor engine responds by modifying the forwarding table automatically. In other words, it now knows the specific port that must receive the multicast stream. Other hosts on different ports may Join also, and the switch will add them to the table.

This is different from IGMP Snooping, by the way. From what I understand, IGMP Snooping allows the switch to proactively snoop into IGMP packets and figure out which ones are Joins. IGMP Snooping requires more powerful (and more expensive) switching hardware (firmware).

Priscilla

At 10:18 PM 1/31/02, Nigel Taylor wrote:

Michael, Of course this would depend on whether the multicast server and the host connected on the same switch were assigned to the same VLAN (broadcast domain). Just some quick points to mention.. Routers by default will not forward multicast traffic. However, if you enable a multicast routing protocol (PIM, DVMRP) then this is possible. The important thing here is that IGMP is used by hosts to inform routers of their intent to become part of a multicast stream. This depends on your implementation of the multicast protocol. IGMPv2 has been improved to support leaves from a multicast group, which is not supported in IGMPv1. This way the host is able to notify the source of its intent to leave the multicast group. This will allow the routers to prune the multicast traffic from the segment, removing the unnecessary traffic, providing no other host on the segment remains a member of the multicast stream.

A good title as recommended by a number of folks on the list is Developing IP Multicast Networks, Author: Beau Williamson. ISBN: 157870779

HTH
Nigel

- Original Message -
From: Fears Michael S SSgt 50 CS/SCBBN
To:
Sent: Thursday, January 31, 2002 4:59 PM
Subject: multicast / CGMP towards the multicast server [7:33964]

If a multicast server is connected to a Cisco Switch running CGMP, and several hosts are connected to the same switch, will a router turn off the switch ports for the users that are not requesting the multicast? So, will CGMP work back towards the multicast server?

Fears

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34159&t=33964
Re: multicast / CGMP towards the multicast server [7:33964]
Michael, Of course this would depend on whether the multicast server and the host connected on the same switch were assigned to the same VLAN (broadcast domain). Just some quick points to mention.. Routers by default will not forward multicast traffic. However, if you enable a multicast routing protocol (PIM, DVMRP) then this is possible. The important thing here is that IGMP is used by hosts to inform routers of their intent to become part of a multicast stream. This depends on your implementation of the multicast protocol. IGMPv2 has been improved to support leaves from a multicast group, which is not supported in IGMPv1. This way the host is able to notify the source of its intent to leave the multicast group. This will allow the routers to prune the multicast traffic from the segment, removing the unnecessary traffic, providing no other host on the segment remains a member of the multicast stream.

A good title as recommended by a number of folks on the list is Developing IP Multicast Networks, Author: Beau Williamson. ISBN: 157870779

HTH
Nigel

- Original Message -
From: Fears Michael S SSgt 50 CS/SCBBN
To:
Sent: Thursday, January 31, 2002 4:59 PM
Subject: multicast / CGMP towards the multicast server [7:33964]

If a multicast server is connected to a Cisco Switch running CGMP, and several hosts are connected to the same switch, will a router turn off the switch ports for the users that are not requesting the multicast? So, will CGMP work back towards the multicast server?

Fears

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34001&t=33964
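The behaviour the whole CGMP thread above circles around (unknown-multicast flooding until the first IGMP report, the router turning that report into a CGMP message that programs the switch's CAM, and IGMPv2 leaves undoing it) is easier to reason about as a small model. The following Python is an added example, not code from the thread or from Cisco: the Switch, Router and port numbers are a toy, the rule that the router port always stays in the CAM entry and the choice to drop the entry when the last host leaves are modelling assumptions, and the 224.1.2.3 to 0100.5e01.0203 mapping is the one quoted in the thread.

```python
from dataclasses import dataclass, field

# Constructed toy model of the CGMP join/flood behaviour discussed in the thread.
# It is not Cisco's implementation; port numbering, the "router port always stays
# in the entry" rule and the leave handling are modelling assumptions.


def ip_mcast_to_mac(group):
    """Map an IPv4 multicast group to its 01-00-5E MAC (low 23 bits of the group)."""
    o = [int(x) for x in group.split(".")]
    return "0100.5e%02x.%02x%02x" % (o[1] & 0x7F, o[2], o[3])


@dataclass
class Switch:
    """Layer-2 switch whose multicast CAM entries are programmed only by CGMP."""
    ports: set
    router_port: int
    cam: dict = field(default_factory=dict)   # group MAC -> set of egress ports

    def receive_cgmp_join(self, group_mac, host_port):
        # CGMP join from the router: add the host's port; the router port is always kept
        self.cam.setdefault(group_mac, {self.router_port}).add(host_port)

    def receive_cgmp_leave(self, group_mac, host_port):
        # IGMPv2 leave relayed by the router (assumption: last host leaving drops the entry)
        members = self.cam.get(group_mac)
        if members is None:
            return
        members.discard(host_port)
        if members == {self.router_port}:
            del self.cam[group_mac]

    def forward_multicast(self, group_mac, ingress_port):
        """Ports that receive a multicast frame for group_mac arriving on ingress_port."""
        if group_mac not in self.cam:
            # No CAM entry: unknown-multicast flooding to every other port in the VLAN
            return self.ports - {ingress_port}
        return self.cam[group_mac] - {ingress_port}


@dataclass
class Router:
    """Router hanging off the switch's router_port; turns IGMP reports into CGMP."""
    switch: Switch

    def receive_igmp_report(self, group, host_port):
        self.switch.receive_cgmp_join(ip_mcast_to_mac(group), host_port)

    def receive_igmp_leave(self, group, host_port):
        self.switch.receive_cgmp_leave(ip_mcast_to_mac(group), host_port)


def demo():
    """Server on port 1 starts sending before anyone joins; a host on port 3 joins later."""
    sw = Switch(ports={1, 2, 3, 4, 5}, router_port=5)
    rtr = Router(sw)
    group = "224.1.2.3"
    mac = ip_mcast_to_mac(group)
    flooded = sw.forward_multicast(mac, ingress_port=1)       # no CAM entry yet: {2, 3, 4, 5}
    rtr.receive_igmp_report(group, host_port=3)               # first join programs the CAM
    constrained = sw.forward_multicast(mac, ingress_port=1)   # host port + router port: {3, 5}
    rtr.receive_igmp_leave(group, host_port=3)                # last member leaves
    after_leave = sw.forward_multicast(mac, ingress_port=1)   # flooding resumes: {2, 3, 4, 5}
    return flooded, constrained, after_leave


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is the one Nigel landed on: nothing the source sends changes the CAM, so a server that starts before any receiver joins is flooded to the whole VLAN until the first IGMP report arrives at the router.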
Re: ATM Sniffers [7:32624]
Gil, We use DS Sniffer Pro 4.5 with the ATM book and we also have the Wandel and Golterman Domino analyzer. Both are really good pieces of test equipment.

HTH
Nigel

- Original Message -
From: Gil Shulman
To:
Sent: Sunday, January 20, 2002 6:11 AM
Subject: ATM Sniffers [7:32624]

Hi all, I was wondering if anybody has had a good experience with some kind of ATM sniffer for STM-1 or ATM over E1. Recently I tried working with the prismalight and I got less than satisfying results. Any inputs will be appreciated.

Gil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32625&t=32624
Re: Static route loacd balancing? [7:31715]
Cisco Breaker, I was thinking.

One route to guide them,
One static route to override them,
One floating static to load-balance them,
And in the RIB make them all equal..

Just saw the movie... :-) Forgive my waste of bandwidth.

Nigel

- Original Message -
From: Cisco Breaker
To:
Sent: Saturday, January 12, 2002 7:05 AM
Subject: Static route loacd balancing? [7:31715]

Hi all, My customer wants a load balancing solution to a branch office. He heard that it can be done with static routes, but as I know load balancing can't be done by deploying static routes. Any help about this? Can it be done or how effective will it be?

Best regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31717&t=31715
Re: Exec Command [7:31713]
Ed, Here's a link that may help explain it all. Watch the word wrap.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fdial_c/fnsprt2/dafadmod.htm#998788

Nigel

- Original Message -
From: Ed Chuchaisri
To:
Sent: Saturday, January 12, 2002 5:45 AM
Subject: Exec Command [7:31713]

Could anyone help me clarify the Exec command and what it actually does? I had some problem with the TTY lines and after I turned off the exec, everything works fine, but I still don't know what this command does.

Thanks,
Ed
www.router4u.com
Affordable Router Lab

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31718&t=31713
Re: xmodem on a 4500 not working?? [7:31733]
Cisco Nuts, Short of using the X-modem feature on the 4500s, Cisco simply states that you would need another router of the same model. I'm not sure if this procedure works but it's worth a try.

http://www.cisco.com/warp/public/471/76.html

Nigel

- Original Message -
From: Cisco Nuts
To:
Sent: Saturday, January 12, 2002 11:43 AM
Subject: xmodem on a 4500 not working?? [7:31733]

Hello, I am trying to upgrade a c4500 router running ver. 10.3. At the rommon prompt when I type the command xmodem -c, it gives me a command not found error msg. When I do a ? at the prompt, I do not see xmodem or the ymodem command listed. Would someone advise me as to how I can upgrade this puppy? Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31737&t=31733
Re: Compresses Cisco IOS to fit onto a smaller fla [7:31729]
Paul, I believe at one time Cisco supported the 2500s much like the older 1004/1005 routers, where they used the PCMCIA as the flash upgrade method of choice. I have a couple of 2500s with the PCMCIA slot and after trying a number of different cards I gave up my quest to use the slot. This is what CCO has to say about it..

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/cis2500/2500cfig/59375.htm

Nigel

- Original Message -
From: Paul Borghese
To:
Sent: Saturday, January 12, 2002 1:26 PM
Subject: Re: Compresses Cisco IOS to fit onto a smaller fla [7:31729]

Hey as a side note. Does anyone know what that PCMCIA slot inside the 25xx routers is used for? It looks as if you can add Flash via a PCMCIA card. It is not worth it as Flash is so inexpensive, but it would be neat to try.

Paul

- Original Message -
From: Brad Ellis
To:
Sent: Saturday, January 12, 2002 11:31 AM
Subject: Re: Compresses Cisco IOS to fit onto a smaller fla [7:31729]

I would highly recommend AGAINST using it. We used to use it and had all sorts of strange problems with the newly created compressed IOS. You also have to have an extra amount of DRAM available for the created image to be decompressed into RAM. Flash and DRAM are so cheap these days, you'd be better off upgrading the memory. Also, MZMaker is only applicable with uncompressed run-from-flash IOS (ie, 2500 series routers and the old 1600 series routers). Again, I'd highly recommend against it.

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc
[EMAIL PROTECTED]
used Cisco gear: www.optsys.net
CCIE Labs, racks, and classes: http://www.ccbootcamp.com/quicklinks.html

Circusnuts wrote in message news:[EMAIL PROTECTED]...

Yes- the program is called MZMaker and can only be applied to IOS that is run from RAM only. All the best !!!

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard
Sent: Saturday, January 12, 2002 2:57 AM
To: [EMAIL PROTECTED]
Subject: Compresses Cisco IOS to fit onto a smaller flash size. [7:31710]

I wonder if anyone has tried to compress a larger Cisco IOS to fit onto a router with a smaller flash. If so, I'd appreciate some pointers.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31738&t=31729
Re: Howard Berkowitz to speak at EveCon 19 [7:30121]
Chuck, You'll get my vote on being the Saruman! Howard, is it possible that there might be a few copies of your new book on hand for sale? I got to thinking a signed copy would do nicely for all of us who haven't seen the movie yet... Imagine that, a book signed by the Gandalf of Networking. Priscilla, thanks for the thought. Sounds like eBay material to me... :-)

Nigel

- Original Message -
From: Chuck Larrieu
To:
Sent: Wednesday, December 26, 2001 8:33 PM
Subject: Re: Howard Berkowitz to speak at EveCon 19 [7:30121]

Who's the Balrog of networking? Who's the Saruman?

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...

So, completely OT, but has anyone seen the first LOTR movie yet? Is it any good? I think Howard could be considered the Gandalf of networking. ;-)

Priscilla

At 04:53 PM 12/26/01, Bruce Evry wrote:

Dear Friends, Howard Berkowitz will be doing a presentation this coming weekend, where he will combine his knowledge of Network Design with his expertise at all things Monty Python. Should be fascinating! EveCon 19 is a Science Fiction and Fact convention that, in addition to several other talks on computer topics (and routing...), has such things as Costume workshops, Chainmail lessons, 24 hour movies on a 180 inch projection tv, and the traditional drummers and belly dancers. Place is the Sheraton Reston Hotel in sunny Reston, Virginia. The convention runs from Friday until Sunday, non-stop. Cost $30. Howard's presentation will be at 3 pm in the Video Room. Bring your own Parrot!

Yours Truly - Bruce Evry

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30141&t=30121
Re: Latest Hackers Target: Routers - thoughts! [7:29917]
I was hoping that the minutes/discussion notes from the IDR working group were going to be made available on the web or through a list-server. I briefly read through Sandra Murphy's Draft and, based on the security model (for origination/adjacency protection), it sounds somewhat like the model in place for SSL-based security.

I have been reading William Stallings' Cryptography and Network Security and he makes some of what I think (having limited knowledge) are some good suggestions in appending the information (key or signatures) of peers to the FCS. His example draws upon peer-to-peer connections, which allows the TCP header to become another level of security based on its ability to sequence packets and its use of a checksum. Stallings also addresses another issue mentioned in Sandra Murphy's Draft, known to MD5: collisions.

Based on the performance issues with implementing suitable security for the information exchanged between peers, are there currently any discussions on possibly implementing any other forms of security beyond MD5 and IPSec?

Nigel

- Original Message -
From: Howard C. Berkowitz
To:
Sent: Friday, December 21, 2001 11:27 AM
Subject: Re: Latest Hackers Target: Routers [7:29844]

Chuck and Andras,

I take note on the fact that authentication can add major increases to the time taken in forming neighbor peer relationships. Yes, MD5 based authentication as I suggested in my original post is currently the operational model, but it was noted in RFC 2385 that MD5 was considered weak.

Nigel.

I guess this issue just spells out MPLS/VPN...

But MPLS inherently offers no more security than BGP. RFC2547 and RFC2547bis, as well as several other proposals, use BGP to distribute reachability information. The various link setup protocols have no particular security. The problem becomes more tractable if you look at the main place for security, QoS, etc., being at the edge.

If a hacker has managed to crack a major interprovider link or a major core link, you have even more serious problems with sniffing. Encrypting, even with IPsec, the connections from customers to their first upstream is much more feasible. Most customers don't get full routes anyway. Other precautions can be used at the edge, such as ingress filtering of source addresses/unicast reverse path verification, peer count limits, and traffic shaping directed against DoS attacks.

There is a current discussion in the IDR working group that resurrects and updates Sandy Murphy's BGP security analysis.

Not a very first step, but in the BMWG work on BGP convergence, we do plan to have an option for measuring the overhead of MD5.

- Original Message -
From: Chuck Larrieu
To:
Sent: Friday, December 21, 2001 3:16 AM
Subject: RE: Latest Hackers Target: Routers [7:29844]

I know from my studies that there is BGP neighbor md5 authentication. Somewhere in my reading I seem to recall that employing authentication can add 50-100% to the time it takes a neighbor relationship to form. Fine for lab work. Maybe not so fine in the world of the production ISP.

phrak, this is all we need. ISPs start preventing BGP packets from any but known and trusted sources to cross their networks and there go the internet BGP practice labs. damn anarchists.

Chuck

---
neighbor password

To enable Message Digest 5 (MD5) authentication on a TCP connection between two Border Gateway Protocol (BGP) peers, use the neighbor password router configuration command. To disable this function, use the no form of this command.

neighbor {ip-address | peer-group-name} password string
---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andras Bellak
Sent: Thursday, December 20, 2001 9:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Latest Hackers Target: Routers [7:29844]

Nigel-

If you dig back through the NANOG archives, there was a rather in-depth and discouraging discussion of encrypting / authorizing BGP session neighbors. The general result was that almost nobody supported it, and many in the ISP groups that offer BGP connectivity didn't even know what it was. While it might or might not be on the CCIE exams, having some form of authentication between routing partners is a good thing to practice in your test labs, and put into production in your networks.

Andras

-Original Message-
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 8:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Latest Hackers Target: Routers [7:29844]

Chuck,

Yes, I got the thread on this today and forwarded a copy to some of my co-workers. I hope folks are making use of the various IOS implementations to limit the damage done by a prospective attacker
Re: Latest Hackers Target: Routers [7:29844]
Chuck and Andras,

I take note on the fact that authentication can add major increases to the time taken in forming neighbor peer relationships. Yes, MD5 based authentication as I suggested in my original post is currently the operational model, but it was noted in RFC 2385 that MD5 was considered weak.

Nigel.

I guess this issue just spells out MPLS/VPN...

- Original Message -
From: Chuck Larrieu
To:
Sent: Friday, December 21, 2001 3:16 AM
Subject: RE: Latest Hackers Target: Routers [7:29844]

I know from my studies that there is BGP neighbor md5 authentication. Somewhere in my reading I seem to recall that employing authentication can add 50-100% to the time it takes a neighbor relationship to form. Fine for lab work. Maybe not so fine in the world of the production ISP.

phrak, this is all we need. ISPs start preventing BGP packets from any but known and trusted sources to cross their networks and there go the internet BGP practice labs. damn anarchists.

Chuck

---
neighbor password

To enable Message Digest 5 (MD5) authentication on a TCP connection between two Border Gateway Protocol (BGP) peers, use the neighbor password router configuration command. To disable this function, use the no form of this command.

neighbor {ip-address | peer-group-name} password string
---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andras Bellak
Sent: Thursday, December 20, 2001 9:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Latest Hackers Target: Routers [7:29844]

Nigel-

If you dig back through the NANOG archives, there was a rather in-depth and discouraging discussion of encrypting / authorizing BGP session neighbors. The general result was that almost nobody supported it, and many in the ISP groups that offer BGP connectivity didn't even know what it was. While it might or might not be on the CCIE exams, having some form of authentication between routing partners is a good thing to practice in your test labs, and put into production in your networks.

Andras

-Original Message-
From: Nigel Taylor [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 20, 2001 8:33 PM
To: [EMAIL PROTECTED]
Subject: Re: Latest Hackers Target: Routers [7:29844]

Chuck,

Yes, I got the thread on this today and forwarded a copy to some of my co-workers. I hope folks are making use of the various IOS implementations to limit the damage done by a prospective attacker. Things like CBAC, rate-limit could go a long way in simply providing the needed time to identify a serious attack and implement more specific filtering techniques to identify or completely block the attacker.

As it applies to the sniffing of BGP packets to gain route information, I was wondering where things stand now on the implementation of encrypted authentication within BGP. If I'm not mistaken, isn't this supposed to happen along with support for IPv6? This document references authentication which sounds like the existing support for MD5 based authentication.

http://search.ietf.org/internet-drafts/draft-ietf-idr-bgp4-16.txt (pg 9(a))

Now this document does seem to address current issues with respect to the flaws/vulnerabilities inherent to all TCP based protocols. The important thing to note is this can be done without the presence of an MPLS aware backbone based on the model identified by RFC2547bis (MPLS/VPN).

http://search.ietf.org/internet-drafts/draft-declercq-bgp-ipsec-vpn-01.txt

Thoughts anyone..

Nigel.

- Original Message -
From: Chuck Larrieu
To:
Sent: Thursday, December 20, 2001 10:14 PM
Subject: RE: Latest Hackers Target: Routers [7:29810]

anyone see a thread about this on NANOG today? The archives are not up to date with today's topics.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rogers
Sent: Thursday, December 20, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: OT: Latest Hackers Target: Routers [7:29810]

Paste into your browser: dailynews.yahoo.com/h/cmp/20011217/tc/inw20011217s0004_1.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29871t=29844
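The neighbor password command quoted in this thread turns on the RFC 2385 TCP MD5 signature option. As an added example (not from the thread, Cisco or the IETF drafts), the following Python computes and checks that digest over a constructed BGP OPEN segment, so the cost Chuck mentions and the "weak" note from RFC 2385 can be seen in terms of what is actually hashed: the addresses, AS number, router ID and password are sample values, and the TCP checksum is left at zero because the digest excludes it.

```python
"""RFC 2385 TCP MD5 signature (TCP option kind 19), the mechanism behind the
IOS `neighbor ... password` command.  Added example with constructed values."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
MD5SIG_OPT_LEN = 18  # kind(1) + length(1) + 16-byte digest


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, password):
    """Digest over: pseudo-header, the 20-byte TCP header with checksum zeroed
    and options excluded, the data, then the password (plain keyed MD5, the
    secret simply appended; this is not an HMAC construction)."""
    tcp_len = (fixed_hdr[12] >> 4) * 4 + len(payload)  # header+options+data
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, TCP_PROTO, tcp_len)
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]  # checksum field = 0
    h = hashlib.md5()
    for part in (pseudo, hdr, payload, password):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, pw):
    """Build a TCP segment carrying the MD5 option (18 bytes + 2 NOP pad).
    The TCP checksum is left at zero; a real stack fills it in after signing,
    which is why the digest is computed with that field zeroed."""
    opts_len = MD5SIG_OPT_LEN + 2
    data_offset = 5 + opts_len // 4  # header length in 32-bit words
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                            data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, pw)
    options = (bytes([TCPOPT_MD5SIG, MD5SIG_OPT_LEN]) + digest
               + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return fixed_hdr + options + payload


def verify_segment(src_ip, dst_ip, segment, pw):
    """True only if the segment carries an MD5 option whose digest matches pw;
    False for a missing option, wrong key, altered data or a forged source
    address (the pseudo-header is covered by the hash)."""
    if len(segment) < 20:
        return False
    fixed_hdr = segment[:20]
    hdr_len = (fixed_hdr[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    options, payload = segment[20:hdr_len], segment[hdr_len:]
    received, i = None, 0
    while i < len(options):  # walk the TCP option list
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return False  # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False  # malformed option length
        if kind == TCPOPT_MD5SIG and length == MD5SIG_OPT_LEN:
            received = options[i + 2:i + length]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, pw)
    return hmac.compare_digest(received, expected)  # constant-time compare


def bgp_open(my_as, hold_time, router_id):
    """Minimal BGP OPEN message (constructed payload, no optional params)."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       socket.inet_aton(router_id), 0)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 1) + body
```

verify_segment returns False rather than raising on a malformed option list, so it can be run over captured segments as a check that a peering is really carrying the option.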
Re: Subject: OT: Call Manager and Military DSN [7:29805]
John,

When I suggested the solution we used to implement VoIP support with DSN, I was only making reference to the operational configuration required to support VoIP itself. Having been in the military (AF) for some eight years I do know of the information Paul mentioned. In our implementation we had access to the Government Demarc (switch) which was already supporting DSN. The question then would be if the solution you're providing is going to interface with a switch that already supports existing DSN calling. In this case the trunk that is used for DSN service is pretty much transparent like all the other trunks. In that case the 8 prefix used in dialing DSN would pretty much identify the calls that will ride the trunk designated for DSN.

Nigel
former SSgt (separated) :-

From: John Kaberna
Reply-To: John Kaberna
To: [EMAIL PROTECTED]
Subject: Re: Subject: OT: Call Manager and Military DSN [7:29805]
Date: Fri, 21 Dec 2001 13:59:05 -0500

Thanks for the great info Paul.

1. Is the Call Manager a DSN compliant switch?
2. Do you have to order a separate DSN compliant trunk from the Telco?

John Kaberna
CCIE #7146
NETCG Inc.
www.netcginc.com
(415) 750-3800
Instructor for CCBootcamp 5-day class
www.ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm

Paul Werner wrote in message news:[EMAIL PROTECTED]...

DSN is not exactly what I would refer to as tapping into the local telco. DSN (Defense Switched Network) replaced AUTOVON (Automatic Voice Network) in the mid to late 1980s and through the early 90s. AUTOVON was set up to principally be a voice only network, and in many cases over analog switch facilities. DSN converted it over to all digital, and included voice, video, and data over the same trunks. The key difference between DSN and a regular commercial call is they go over different trunks and they terminate at DSN compliant switches.

There are several things different about DSN compliant switches, but the key difference is the use of precedence, and precedence codes. They have no real counterpart in a commercial trunk, other than an operator interrupt for an emergency. With DSN, the end user can preempt a trunk and knock another user off the line with the proper precedence level. Some folks out there who know their RFCs and remember the early 760 series standards may recognize those precedence levels. They are:

FLASH OVERRIDE (FO) - FO takes precedence over and preempts all calls on the DSN and is not preemptible. FO is reserved for the President of the United States, Secretary of Defense, Chairman of the Joint Chiefs of Staff, chiefs of military services, and others as specified by the President.

FLASH (F) - FLASH calls override lower precedence calls and can be preempted by FLASH OVERRIDE only. Some of the uses for FLASH are initial enemy contact, major strategic decisions of great urgency, and presidential action notices essential to national survival during attack or preattack conditions.

IMMEDIATE (I) - IMMEDIATE precedence preempts PRIORITY and ROUTINE calls and is reserved for calls pertaining to situations that gravely affect the security of the United States. Examples of IMMEDIATE calls are enemy contact, intelligence essential to national security, widespread civil disturbance, and vital information concerning aircraft, spacecraft, or missile operations.

PRIORITY (P) - PRIORITY precedence is for calls requiring expeditious action or furnishing essential information for the conduct of government operations. Examples of PRIORITY calls are intelligence; movement of naval, air, and ground forces; and important information concerning administrative military support functions.

ROUTINE (R) - ROUTINE precedence is for official government communications that require rapid transmission by telephone. These calls do not require preferential handling.

When I was involved in DSN communications in Europe, my unit had a Flash precedence phone line, mainly because we had a special mission (which is about all I can say). We had the capability of bumping everybody off the DSN network save for the CINC US Army Europe and a few other folks. You will most likely have to deal with the issue of precedence. Also, access to a commercial line is normally done with dialing a 9 first (typical for trunk access); DSN usually uses an 8 - Your mileage may vary; check your local listings.

Finally, DSN uses a slightly different dial plan than the rest of the universe (go figure:-) While you may be able to access the US with a country code of 001, or Germany with a country code of 49, that's not how it's done with DSN. Access is determined by regions, and each region has its own country code. The regions are:

Canadian Section
Caribbean Section
CONUS Section
European Section
Pacific/Alaska Section
Re: Call Manager and Military DSN [7:29805]
That's pretty much it.. John

Nigel

- Original Message -
From: John Kaberna
To:
Sent: Thursday, December 20, 2001 3:42 PM
Subject: OT: Call Manager and Military DSN [7:29805]

I am working on an IP telephony solution and I need to hook in to the DSN. From my current understanding DSN is sent out to the local telco via the PSTN and is routed from there. This would make for a fairly simple dial plan in Call Manager. Has anybody heard anything different about how DSN is set up to work?

John Kaberna
CCIE #7146
NETCG Inc.
www.netcginc.com
(415) 750-3800
Instructor for CCBootcamp 5-day class
www.ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29831t=29805
Re: Latest Hackers Target: Routers [7:29844]
Chuck,

Yes, I got the thread on this today and forwarded a copy to some of my co-workers. I hope folks are making use of the various IOS implementations to limit the damage done by a prospective attacker. Things like CBAC, rate-limit could go a long way in simply providing the needed time to identify a serious attack and implement more specific filtering techniques to identify or completely block the attacker.

As it applies to the sniffing of BGP packets to gain route information, I was wondering where things stand now on the implementation of encrypted authentication within BGP. If I'm not mistaken, isn't this supposed to happen along with support for IPv6? This document references authentication which sounds like the existing support for MD5 based authentication.

http://search.ietf.org/internet-drafts/draft-ietf-idr-bgp4-16.txt (pg 9(a))

Now this document does seem to address current issues with respect to the flaws/vulnerabilities inherent to all TCP based protocols. The important thing to note is this can be done without the presence of an MPLS aware backbone based on the model identified by RFC2547bis (MPLS/VPN).

http://search.ietf.org/internet-drafts/draft-declercq-bgp-ipsec-vpn-01.txt

Thoughts anyone..

Nigel.

- Original Message -
From: Chuck Larrieu
To:
Sent: Thursday, December 20, 2001 10:14 PM
Subject: RE: Latest Hackers Target: Routers [7:29810]

anyone see a thread about this on NANOG today? The archives are not up to date with today's topics.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rogers
Sent: Thursday, December 20, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: OT: Latest Hackers Target: Routers [7:29810]

Paste into your browser: dailynews.yahoo.com/h/cmp/20011217/tc/inw20011217s0004_1.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29844t=29844
Re: Call Manager and Military DSN [7:29805]
John,

We implemented this solution a little more than a year ago and if my memory serves me right the dial plan on the call manager should be all that is needed. I also think we made use of a dialer peer on the router that connected to the Lucent G3 switch (PBX).

Nigel

- Original Message -
From: John Kaberna
To:
Sent: Thursday, December 20, 2001 8:59 PM
Subject: Re: Call Manager and Military DSN [7:29805]

Have you done this already Nigel? Any problems with call routing for the DSN?

John Kaberna
CCIE #7146
NETCG Inc.
www.netcginc.com
(415) 750-3800
Instructor for CCBootcamp 5-day class
www.ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm

Nigel Taylor wrote in message news:[EMAIL PROTECTED]...

That's pretty much it.. John

Nigel

- Original Message -
From: John Kaberna
To:
Sent: Thursday, December 20, 2001 3:42 PM
Subject: OT: Call Manager and Military DSN [7:29805]

I am working on an IP telephony solution and I need to hook in to the DSN. From my current understanding DSN is sent out to the local telco via the PSTN and is routed from there. This would make for a fairly simple dial plan in Call Manager. Has anybody heard anything different about how DSN is set up to work?

John Kaberna
CCIE #7146
NETCG Inc.
www.netcginc.com
(415) 750-3800
Instructor for CCBootcamp 5-day class
www.ccbootcamp.com
__
CCIE Security Training
www.netcginc.com/training.htm

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29848t=29805
More Friday Follies - and then some [7:29717]
John,

On one of your most recent test scenarios I had posted what you noticed here and made some assumptions based on what we know of the routing protocols' behavior. Here's my reply from what I saw during that test...

--- Paste Begin ---

John,

This surely piqued my interest as to why the secondary address solution wouldn't work, so I mocked it up and, as you noted, nothing... I think my chain of thought made me think that as long as the secondary address was on the mask of the route being propagated to R1 then it should work. However, in the setup all the subnets (172.16.1/2/3.x) when defined under IGRP would be summarized back to the classful boundary 172.16.0.0. When this happens the router simply does not broadcast the update since the networks being advertised fall into the connected interface classful boundary.

00:53:38: IGRP: sending update to 255.255.255.255 via Serial0 (172.16.1.2) - (to R1)
00:53:38: IGRP: Update contains 0 interior, 0 system, and 0 exterior routes.
00:53:38: IGRP: Total routes in update: 0 - suppressing null update
00:53:38: IGRP: sending update to 255.255.255.255 via Serial1 (172.16.2.2) - (to R3)
00:53:38: subnet 172.16.3.0, metric=8476
00:53:38: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
00:53:38: IGRP: Total routes in update: 1

Once this is/was identified, your only option to get the route to R1 is to disable split-horizon on R2's S0 interface that's connected to R1. This now allows the routes that would otherwise be filtered to be advertised to R1.

01:02:51: IGRP: sending update to 255.255.255.255 via Serial0 (172.16.1.2) - (to R1)
01:02:51: subnet 172.16.1.0, metric=8476
01:02:51: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
01:02:51: IGRP: Total routes in update: 1
01:02:51: IGRP: sending update to 255.255.255.255 via Serial0 (172.16.3.2) - (to R3)
01:02:51: subnet 172.16.2.0, metric=8476
01:02:51: subnet 172.16.3.0, metric=8476
01:02:51: IGRP: Update contains 2 interior, 0 system, and 0 exterior routes.
01:02:51: IGRP: Total routes in update: 2

However, I observed a strange occurrence in that R2 generates a 172.16.1.0/28 route that is also advertised to R1. How and why? I'm looking into it.. When this happens then another requirement would be to use no ip classless (note: there is no 0/0, candidate defaults, etc..) to avoid the 172.16.1.0/28 route from being used, so as to avoid the obvious routing loop between R1 and R2.

Very interesting results from the question as to why we had the 172.16.1.0/28 route generated from R2 to R1. Well, after thinking about it things become somewhat clear as to why the route was created. Simply put, although the 172.16.3.0/28 was configured on the R1 - R2 link in order for R1 to accept routes on the /28 mask.. the primary interface still quite possibly would not pass that (/28) route information without being associated as having a /28 mask itself. I came to this conclusion by the debugs from R1..

R1#
01:06:27: IGRP: broadcasting request on Serial0
01:06:27: IGRP: received update from 172.16.1.2 on Serial0
01:06:27: subnet 172.16.1.0, metric 10476 (neighbor 8476) ***
01:06:27: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
01:06:27: IGRP: Total routes in update: 1
R1#

Notice the 172.16.1.0 route that was sent from R2; it is the only route that R1 receives. This is that same /28 route that now allows R1 to also see the 172.16.2.0/28.

R1#
01:08:20: RT: add 172.16.1.0/24 via 0.0.0.0, connected metric [0/0]
01:08:20: RT: network 172.16.0.0 is now variably masked
01:08:20: RT: add 172.16.3.0/28 via 0.0.0.0, connected metric [0/0]
01:08:20: IGRP: broadcasting request on Serial0
01:08:20: IGRP: received update from 172.16.1.2 on Serial0
01:08:20: subnet 172.16.1.0, metric 10476 (neighbor 8476)
01:08:20: RT: add 172.16.1.0/28 via 172.16.1.2, igrp metric [100/10476]
01:08:20: IGRP: Update contains 1 interior, 0 system, and 0 exterior routes.
01:08:20: IGRP: Total routes in update: 1
R1#

The R1 RIB eventually ends up as follows..

R1#
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
I    172.16.1.0/28 [100/10476] via 172.16.1.2, 00:00:14, Serial0
C    172.16.1.0/24 is directly connected, Serial0
I    172.16.2.0/28 [100/10476] via 172.16.3.2, 00:00:14, Serial0
C    172.16.3.0/28 is directly connected, Serial0
R1#

NOTE: Although everything looked like and suggested that a ping/trace to a host within the 172.16.1.0/28 mask (172.16.1.10) should be sent to R2 and then back to R1, causing a routing loop (before using the ip classless command), this did not happen; instead, when the packet returned to R1 it then timed out..

R1#trace 172.16.1.10
Type escape sequence to abort.
Tracing the route to 172.16.1.10
  1 172.16.1.2 136 msec 16 msec 16 msec
  2 172.16.1.1 32 msec 28 msec 32 msec
  3 * * *
  4 * * *
  5 * * *

Well this was interesting.. I hope