Re: Logging ICMP on a PIX [7:73232]

[Patrick Donlon]

Yes I tried that and scared the sh!t out of myself as this produces quite a
bit of output to the console ;)
Even when the loggin is to to trap only see below. Any more ideas as I
thought I've had this working in the past but maybe on earlier versions of
software,

Cheers


PIX(config)# debu icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
PIX4Internet(config)# 1: Outbound ICMP echo request (len 32 id 2 seq 46102)
172.16.6.91  172.16.6.91  194.#.#.2: Inbound  ICMP echo reply (len 32 id 2
seq 46102) 194.#.#.2  172.16.6.91  172.16.6.91
3: Outbound ICMP echo request (len 32 id 2 seq 46358) 172.16.6.91 
172.16.6.91  194.#.#.2: Inbound  ICMP echo reply (len 32 id 2 seq 46358)
194.#.#.2  172.16.6.91  172.16.6.91
no debu icmp trace5: Outbound ICMP echo request (len 32 id 2 seq 46614)
172.16.6.91  172.16.6.91  194.26.184.42
6: Inbound  ICMP echo reply (len 32 id 2 seq 46614) 194.#.#.2  172.16.6.91
 172.16.6.91

ICMP trace off
PIX4Internet(config)#

PIX(config)#  sh logg
Syslog logging: enabled
Facility: 19
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 29320465 messages logged
Logging to inside 172.16.4.34
Logging to inside 172.16.4.159
History logging: disabled
PIX(config)#



 wrote in message
news:[EMAIL PROTECTED]
 Tried

 debug icmp trace

 And logged that information to console/syslog debugging level?

 Martijn

 6.2

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.h
 tm#1028090
 level
  Specify the syslog message level as a number or string. The level you
 specify means that you want that level and those less than the level. For
 example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible
 number and string level values are:

 0-emergencies-System unusable messages
 1-alerts-Take immediate action
 2-critical-Critical condition
 3-errors-Error message
 4-warnings-Warning message
 5-notifications-Normal but significant condition
 6-informational-Information message
 7-debugging-Debug messages and log FTP commands and WWW URLs



 -Oorspronkelijk bericht-
 Van: Patrick Donlon [mailto:[EMAIL PROTECTED]
 Verzonden: woensdag 30 juli 2003 10:23
 Aan: [EMAIL PROTECTED]
 Onderwerp: Logging ICMP on a PIX [7:73232]


 Do anyone know how to log ICMP traffic that is allowed through a PIX?? I
can
 see denied ICMP no problem.

 I can log all my other traffic with logging trap debug set, but it can't
see
 ICMP traffic passing through the firewall. Is this normally behaviour for
 6.2(2)?

 Cheers

 Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73273t=73232
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Logging ICMP on a PIX [7:73232]

[Patrick Donlon]

I don't really want to see all ICMP traffic as it makes me cross eyed, I can
filter it on the syslog server though (if the disk isn't full). It's just
that when trouble shooting connections, e.g.. a vpn to an external company,
icmp is normally allowed through so it would be nice to see it when setting
up a connection.

George Murage  wrote in message
news:[EMAIL PROTECTED]
 Just out of curiosity, why do you want to log *all* ICMP traffic through
 your PIX? At logging level 4, you should see logs for selected ICMP
traffic
 that is characteristic of a reconnaissance attack.

 Anyway, I hope you have a large disk(s) on your Syslog server :-)

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Thursday, July 31, 2003 2:44 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Logging ICMP on a PIX [7:73232]

 Tried

 debug icmp trace

 And logged that information to console/syslog debugging level?

 Martijn

 6.2

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.h
 tm#1028090
 level
  Specify the syslog message level as a number or string. The level you
 specify means that you want that level and those less than the level. For
 example, if level is 3, syslog displays 0, 1, 2, and 3 messages. Possible
 number and string level values are:

 0-emergencies-System unusable messages
 1-alerts-Take immediate action
 2-critical-Critical condition
 3-errors-Error message
 4-warnings-Warning message
 5-notifications-Normal but significant condition
 6-informational-Information message
 7-debugging-Debug messages and log FTP commands and WWW URLs



 -Oorspronkelijk bericht-
 Van: Patrick Donlon [mailto:[EMAIL PROTECTED]
 Verzonden: woensdag 30 juli 2003 10:23
 Aan: [EMAIL PROTECTED]
 Onderwerp: Logging ICMP on a PIX [7:73232]


 Do anyone know how to log ICMP traffic that is allowed through a PIX?? I
can
 see denied ICMP no problem.

 I can log all my other traffic with logging trap debug set, but it can't
see
 ICMP traffic passing through the firewall. Is this normally behaviour for
 6.2(2)?

 Cheers

 Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73281t=73232
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Logging ICMP on a PIX [7:73232]

[Patrick Donlon]

Do anyone know how to log ICMP traffic that is allowed through a PIX?? I can
see denied ICMP no problem.

I can log all my other traffic with logging trap debug set, but it can't see
ICMP traffic passing through the firewall. Is this normally behaviour for
6.2(2)?

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=73232t=73232
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Content Switch and Secure Content Accelerator management [7:66144]

[Patrick Donlon]

Hi All

long time since I've been at groupstudy, I need to do some serious study too
and hopefully I can answer (or try too) some q's. First off I've this
problem with a content switch CSS and ssl accelerator SCA. I want to be able
to manage the SCA using the web interface, this works fine on port 80 but
for added security I want to use https. I've enabled the port on the SCA and
created a certificate too. My ssl server for web management is set up like
this

  1 _webManagement_ Server Type: Normal
I.P. Address: 192.168.1.1
SSL Port: 443
Clear-Text Port: 449
Transparent Mode: off
 Status: Enabled
Private Key: _webManagement_
Certificate: _webManagement_
Security Policy: default
Certificate Chain: N/A




On my CSS I've set up service for port 443 and 449. When I try to view the
page I get the Security Alert for the private cert then nothing happens. If
anyone would like to see the CSS config I can paste that too

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=66144t=66144
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

STP Managing Cat6 switches on the internet/intranet [7:58122]

[Patrick Donlon]

Hi All

I'm after some ideas on how I should configure the network to allow me to
manage some Cat6k's which  provide connectivity for internet and intranet
based equipment. I don't want routing on the switches as this may bypass the
firewalls, and I don't want the switches on the same VLAN as the internal
VLAN 1 where all the HPOV  Cw2000 systems are. A colleague had previously
connected two switches from VLAN1 to our internal VLAN1 with a Cat 2912
(running almost in default config) in between, spanning tree was set to
default and mls too. The big problem came  when two Cat6Ks were connected
from VLAN1 to VLAN1 on the internal LAN, same again with default spanning
tree and mls.

This caused major problems, stp looked OK, just, the core switches were
still the root bridge but I think mls may have been a factor. If anyone
would like to explain exactly how mls works with stp and how to avoid such
problems then let me know.

So I know want to know the best way to manage these from a separate VLAN
with no routing. What is everyone else doing out there?

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58122t=58122
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Cat 6 upgrade [7:57551]

[Patrick Donlon]

what I meant was from the IOS from routing blade/rp/msfc (was probably
trying to save on typing!!) when running in hybrid mode, the 6k can't see
the flash. But when upgrading from the hybrid to native it can't see the
flash until the IOS images are loaded, so when the SP changes console
ownership to the RP and enters rommon mode that's where I got stuck.


MADMAN  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 I have a 6500 in both hybrid and native modes since we have customers
 doing both.  I am not sure what you mean when you say you can't see the
 RP in the cat running OS.  The RP and SP convention are particular to
 native mode.  When running catOS the RP is the MSFC and you
 session/switch console to it and frmm there look at it's flash.  In
 native there is no clear delineation between the two, it's one big
 router.


 Patrick Donlon wrote:
 
  I eventually worked it out. It seems that you can't see a flash card on
a
 RP
  on a 6000. I'd done a lot of testing with a loaned 6500 for upgrading
from
  Cat OS Hybrid IOS and back again, just in case. On the 65 you can see
the
  flash and so boot from it in rommon, which is great because I can leave
my
  old images on the bootflash. On the 6000 though, no go, so I had to
clear
  out my bootflash and hope that I didn't have to revert back and use all
x
  modem etc. Strange thing was though that I have 4 identical 6Ks, 2 with
Cat
  OS and the other 2 with native IOS, the Cat OS 6ks couldn't see the
flash
  card in the RP but could with the SP, the IOS ones could see it no
prob's.

 I have a 6500 in both hybrid and native modes since we have customers
 doing both.  I am not sure what you mean when you say you can't see the
 RP in the cat running OS.  The RP and SP convention are particular to
 native mode.  When running catOS the RP is the MSFC and you
 session/switch console to it and frmm there look at it's flash.  In
 native there is no clear delineation between the two, it's one big
 router.

 
  I couldn't find anything on the CCO about this, maybe it's not possible
on
  the 65 to see the flash from the RP - I don't have one to test, but my
  documentation was (at least I thought it was before Sat') pretty
  comprehensive on the upgrade process. I know there are issues with the
  naming in the SP and RP and adding  sup- to the device name.
  From you email it looks like you can, have you tried this running
hybrid
 or
  only native?

   Again what do you mean from the RP?  Here is what you can do from
 the router in native mode.  The dir bootflash looks at the RP
 bootflash, sup-bootflash and sup-slot0 are the sup cards bootflash and
 PCMCIA card respectively.  Slot0: is identical to the sup-slot0:.  Some
 of the others must be future stuff as the don't work


 Native6506#dir ?
   /all List all files
   /recursive   List files recursively
   all-filesystems  List files on all filesystems
   bootflash:   Directory or file name
   const_nvram: Directory or file name
   flash:   Directory or file name
   null:Directory or file name
   nvram:   Directory or file name
   slavebootflash:  Directory or file name
   slaveconst_nvram:Directory or file name
   slavenvram:  Directory or file name
   slavercsf:   Directory or file name
   slaveslot0:  Directory or file name
   slavesup-bootflash:  Directory or file name
   slot0:   Directory or file name
   sup-bootflash:   Directory or file name
   sup-image:   Directory or file name
   sup-microcode:   Directory or file name
   sup-slot0:   Directory or file name
   system:  Directory or file name


 Native6506#dir sup-image:
 %Error opening sup-image:/ (No such device)
 Native6506#Native6506#dir sup-image:

   dave

 
  Cheers
 
  Pat
 
  MADMAN  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   What are you typing?
  
   Native6506#dir bootflash:
   Directory of bootflash:/
  
   1  -rw- 7110024   Mar 29 2002 12:48:52  c6msfc2-js-mz.121-4.E1
   2  -rw- 1611604   Mar 29 2002 12:49:42
c6msfc2-boot-mz.121-4.E1
   3  -rw-  528259   Mar 28 2002 07:19:26
DRACO2_RM2.srec.121-4r.E
  
 shows the bootflash of the MSFC or RP in this case.
  
 a dir slot0: will show the contents of the PCMCIA card in the SUP
   module:
  
   Native6506#dir slot0:
   Directory of slot0:/
  
   1  -rw-14780268   Oct 14 2002 10:36:19
   c6sup12-js-mz.121-13.E.bin
  
     Dave
  
  
   Patrick Donlon wrote:
   
Hi
   
I'm upgrading a CAT6 from OS to IOS but I can't see my flash card in
 the
route processor. I have another switch on CatOS and I can't see the
  flash
either, any tips???
   
Cheers
   
Pat
   --
   David Madland
   CCIE# 2016
   Sr. Network Engineer
   Qwest Communications
   612-664-3367
  
   You don't make the poor richer by making the rich poorer. --Wins

Re: Cat 6 upgrade [7:57551]

[Patrick Donlon]

I eventually worked it out. It seems that you can't see a flash card on a RP
on a 6000. I'd done a lot of testing with a loaned 6500 for upgrading from
Cat OS Hybrid IOS and back again, just in case. On the 65 you can see the
flash and so boot from it in rommon, which is great because I can leave my
old images on the bootflash. On the 6000 though, no go, so I had to clear
out my bootflash and hope that I didn't have to revert back and use all x
modem etc. Strange thing was though that I have 4 identical 6Ks, 2 with Cat
OS and the other 2 with native IOS, the Cat OS 6ks couldn't see the flash
card in the RP but could with the SP, the IOS ones could see it no prob's.

I couldn't find anything on the CCO about this, maybe it's not possible on
the 65 to see the flash from the RP - I don't have one to test, but my
documentation was (at least I thought it was before Sat') pretty
comprehensive on the upgrade process. I know there are issues with the
naming in the SP and RP and adding  sup- to the device name.
From you email it looks like you can, have you tried this running hybrid or
only native?


Cheers

Pat


MADMAN  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 What are you typing?

 Native6506#dir bootflash:
 Directory of bootflash:/

 1  -rw- 7110024   Mar 29 2002 12:48:52  c6msfc2-js-mz.121-4.E1
 2  -rw- 1611604   Mar 29 2002 12:49:42  c6msfc2-boot-mz.121-4.E1
 3  -rw-  528259   Mar 28 2002 07:19:26  DRACO2_RM2.srec.121-4r.E

   shows the bootflash of the MSFC or RP in this case.

   a dir slot0: will show the contents of the PCMCIA card in the SUP
 module:

 Native6506#dir slot0:
 Directory of slot0:/

 1  -rw-14780268   Oct 14 2002 10:36:19
 c6sup12-js-mz.121-13.E.bin

   Dave


 Patrick Donlon wrote:
 
  Hi
 
  I'm upgrading a CAT6 from OS to IOS but I can't see my flash card in the
  route processor. I have another switch on CatOS and I can't see the
flash
  either, any tips???
 
  Cheers
 
  Pat
 --
 David Madland
 CCIE# 2016
 Sr. Network Engineer
 Qwest Communications
 612-664-3367

 You don't make the poor richer by making the rich poorer. --Winston
 Churchill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57626t=57551
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cat 6 upgrade [7:57551]

[Patrick Donlon]

Hi

I'm upgrading a CAT6 from OS to IOS but I can't see my flash card in the
route processor. I have another switch on CatOS and I can't see the flash
either, any tips???

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57551t=57551
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cisco CSA 11000 [7:57047]

[Patrick Donlon]

Can someone enlighten me on the upgrade of a CSA 11000, I've read the doc's
and the file naming conventions are confusing. I want to upgrade to rid the
box of the Open SSL vulnerability

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57047t=57047
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Access list on dialer interface [7:56584]

[Patrick Donlon]

Could be the direction of the traffic, your acl is applied to incoming
traffic only, try outgoing instead

cheers

Pat

Duncan  wrote in message
news:20021033.LAA31424;groupstudy.com...
 Hi all

 I am having a strange problem with an access-list on a dialer
interface.
 Although the access list is applied to the interface it does not seem to
be
 denying the packets. specified. Is there something odd about access-lists
on
 dialers that I have missed? Below us the config in question:

 interface Dialer2
  description X
  ip address 10.252.248.1 255.255.255.252
  ip access-group 101 in
  no ip directed-broadcast
  encapsulation ppp
  dialer in-band
  dialer idle-timeout 900
  dialer map ip 10.252.248.2 name XXX
  dialer load-threshold 20 either
  dialer-group 1
  no peer default ip address
  no cdp enable
  ppp authentication ms-chap chap
 !
 !
 access-list 101 permit tcp any host 10.7.1.1 eq telnet
 access-list 101 deny   ip any any log

 Any ideas?

 Duncan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56585t=56584
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: FXO vs other Analog Voice Card [7:56536]

[Patrick Donlon]

Paul
you can use a prefix command and say prefix 333 when you've matched on that.
There is a forward-digits command also but you'll have to do a search to see
exactly how it works as I've not used

cheers

Pat


Paul Oh  wrote in message
news:200210301728.RAB17727;groupstudy.com...
 Hello All,

 When FXO receives a phone call, it strips out corresponding called-number
 that matches destination pattern settings.. For instance,

 If call string that matches 333 , it will strip 333 and pass on last
 four digit. IF there is next hop voip router only sees last four digit.
 (Isn't that correct?.

 Now, how can we make that happen for EM card? (VIC-2EM)?  digit-strip
is
 enabled by default, but next router only sees 333- instead of .

 Help me out. Thank you.

 -Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56593t=56536
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Intermittant PIX error ... [7:56404]

[Patrick Donlon]

Have you any logging turned on to see what is going wrong when you try to
connect? Sounds like the authentication is failing somewhere not a
reachability problem. Good luck

Pat


Paul  wrote in message
news:200210281240.MAA32077;groupstudy.com...
 Yeah, thanks AMR ... what a great help you are !!!
 - Original Message -
 From: AMR
 To:
 Sent: Monday, October 28, 2002 12:02 PM
 Subject: Re: Intermittant PIX error ... [7:56404]


  This description is vague at best.
 
  Paul  wrote in message
  news:200210281035.KAA21202;groupstudy.com...
   Hi guys ...
  
   Intermittantly I get the following error when trying to telnet to a
Pix:
  
   Router_1#telnet 10.1.1.1
   Trying 10.1.1.1 ...
   % Connection refused by remote host
  
   I can ping the Pix fine when this happens, this usually lasts only for
   several
   minutes  (but worries me none the less) ... then all of a sudden
the
   telnet session works 
  
   I can't find much on the Cisco website 
  
   Does any have any ideas, or has anyone experienced this themselves ???
  
   Regards
  
   Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56409t=56404
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Config Cat 5K GBIC interfaces [7:56410]

[Patrick Donlon]

Doe anyone have experience connecting a Cat 5K g-bit interface to a Fluke's
g-bit interface? Can't seem to get any layer 3 comms, here's the the show
interface below. NOTE the interface is NOT connected, when it is though the
status is Connected and all the relevant LEDs light up and the cable tests
are passed on the fluke OK

Cheers

Pat


(enable) sh port 5/1
Port  Name   Status Vlan   Level  Duplex Speed Type
- -- -- -- -- -- - -
---
 5/1  FLUKE Optiview notconnect 1  normal   full  1000
1000BaseSX

Port   Trap  IfIndex
-    ---
 5/1   disabled  456

Port Broadcast-Limit Broadcast-Drop
 --- --
 5/1   -  0

Port   Send FlowControlReceive FlowControl   RxPause TxPause Unsupported
   adminoper   adminoper opcodes
-        --- --- ---
 5/1   desired  offoff  off  0   0   0


Port  Align-Err  FCS-ErrXmit-Err   Rcv-ErrUnderSize
- -- -- -- -- -
 5/1   0  0  0  0 0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts Giants
- -- -- -- -- - - --
---
 5/1   0  0  0  0 0 0
0




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56410t=56410
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: hate cisco's new site? [7:56236]

[Patrick Donlon]

It stinks, it doesn't even use the same look throughout, why bother?


Tim Metz  wrote in message
news:200210250414.EAA05528;groupstudy.com...
 I used to bitch about the old one and am now totally screwed... I guess
I'll
 learn to like it ;-(

 Tim

 sam sneed  wrote in message
 news:200210241956.TAA01985;groupstudy.com...
  Am I the only one that hates Cisco's new site? I can't find anything
that
  I'm looking for on the there. Its driving me up the wall.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56263t=56236
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Etherchannel [7:56284]

[Patrick Donlon]

Should I enable or disable spanning tree or set to port fast on fast
etherchannel ports connected to a windows server?

cheers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56284t=56284
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

OT: Windows meltdown??? [7:56190]

[Patrick Donlon]

We had an interested situation develop yesterday, about mid morning the
helpdesk manager reported a major problem with the network. Checked the
network with HPOV and some basic stuff on the core switches to check cpu,
peaks, etc. All was fine. Spoke to the NT team and it seems two servers are
having problems, a file server and a BDC. After some investigation (event
log checking probably) they tell me that the problem is caused by a machine
becoming the master browser.

So a man hunt begins for a machine (a non standard one from the name found
for the machine) on a VLAN which was separate from the VLAN the servers sit
on. The machine was not responding to pings and was probably not even being
used! Eventually the user came back to his machine mid afternoon and we find
the port being used and the NT guys disable his Computer Browser.

In between finding the machine the two offending servers had to be re-booted
to fix their mystery problems.

From what I know about the browser this shouldn't cause a problem on the
network and if it does only with the windows machines in that subnet (
please correct feel free to correct me). Also XP has default registry
settings to prevent it becoming the master browser - yep the guy was using
XP (Japanese edition).

Has anyone else had such a meltdown on their Windows environment because of
such problems or is this just a case a apportioning blame to an outsider?

Cheers Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56190t=56190
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: PIX failover problem [7:56199]

[Patrick Donlon]

I think you've got your config correct, when any of the interfaces go down
on the active PIX it will switch into standby. So when you reboot the
standby it will cause this to happen, the documentation does say you should
use a separate switch for the failover NICs which should prevent this,
http://www.cisco.com/warp/customer/110/failover.html .  Do you use a
failover cable as well, I would have thought the primary would prevent the
failover but I'm not 100 percent sure.

Cheers

Pat

Vamsi Krishna  wrote in message
news:200210241235.MAA05012;groupstudy.com...
 Hi,
We are facing a strange problem with PIX failover. We have two PIX =
 525 (OS 6.0.1) in failover configuration. When the standby PIX is =
 rebooted for maintenance reasons, it came up and became the Active PIX =
 (which should not happen). The active PIX showed stateful failover link =
 failed and so the PIX was in failed state. Both the PIX are connected =
 through a stateful failover link (100Mbps) using a Crossover cable.=20
Is it a problem because both the PIX are connected using a crossover =
 cable? Is it recommended to connect through a switch? Has anyone faced a =
 similar problem?

 Regards,
 Vamsi
 **Disclaimer

 Information contained in this E-MAIL being proprietary to Wipro Limited is
 'privileged' and 'confidential' and intended for use only by the
individual
  or entity to which it is addressed. You are notified that any use,
copying
 or dissemination of the information contained in the E-MAIL in any manner
 whatsoever is strictly prohibited.


***




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56216t=56199
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ATT MPLS netwo rk ? [7:56187]

[Patrick Donlon]

We've been using their mpls service in europe for the past 3 months and it's
been great so far. Only problems have been with the telco's local tails.


Ryan Finnesey  wrote in message
news:200210240551.FAA23094;groupstudy.com...
 Is anyone using ATT MPLS ( it is also called eVPN or IP-enabled Frame
 Relay )network to link offices and also running VoIP ?  If so any
 problems ?  I am looking to link office in India, Mexico New York and
 also Boston.



 Ryan.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=56213t=56187
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

CW2k ANI server [7:55790]

[Patrick Donlon]

Hi All

I in the process of setting up CW2k ANI server, it's version 3.1 running on
Solaris, and I can't get the front end apps in Campus Manager to load. I
think it's some sort of DNS problem but I'm lost as how to fix it, if it is
the problem at all. The server is running OK, I can check this in the
Diagnostics for ANI Server, I've tried to restart the server, run CW2k on
different machines (Netscape/Solaris  IE/XP) with the same results. I've
amended the local hosts file to have the first entry for the url on the
Solaris machine, after that I can't seem to find much info, any ideas??

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55790t=55790
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

AAA on a PIX [7:53076]

[Patrick Donlon]

I configured AAA on a number of PIX firewalls, ver 5.3(2), everything worked
great in initial testing so it was installed in the production. We use an
ACS and RSA to authenticate the administrators when they log in to PIX with
ssh, simple enough. However quite often we would find that the passcode
entered would be rejected, after the third failure you would then have to
re-sync your token with the server to be able to use it again. We have lots
of other Cisco equipment with and without ssh and it's only on the PIX that
we see this problem, has anyone else experience of these problems with the
combination of PIX and ACS

cheers
Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=53076t=53076
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

7204vxr port adaptor [7:52974]

[Patrick Donlon]

Hi All

I'm configuring a 7204vxr to back up a leased line, I've inserted a port
adaptor card with 4E1 interfaces (PA-4E1G). I loaded a new version of IOS
that supported the interface, 12.1(1a)T1, so that the router now recognises
the card.

I'm trying to configure the interface for ISDN/E1 and I can't enter the
controller command to config the D channel. Looks like an unsupported
feature I thought so I've double checked and the features for isdn/dial all
seem to be supported by the IP version. I hope that I'm missing some very
simple and can avoid a reload, here's the show version, any ideas thanks


Pat

#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.1(1a)T1,  RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Sat 01-Apr-00 02:20 by ccai
Image text-base: 0x60008900, data-base: 0x61526000

ROM: System Bootstrap, Version 12.2(1r) [dchih 1r], RELEASE SOFTWARE (fc1)
BOOTFLASH: 7200 Software (C7200-BOOT-M), Version 12.0(13)S, EARLY DEPLOYMENT
RELEASE SOFTWARE (fc1)

RouterX uptime is 2 days, 1 hour, 35 minutes
System returned to ROM by reload at 10:03:55 MEST1 Sun Sep 8 2002
System restarted at 10:02:17 MEST1 Sun Sep 8 2002
System image file is nmp:/c7200-is-mz.121-1a.T1.bin

cisco 7204VXR (NPE225) processor (revision A) with 122880K/8192K bytes of
memory.
Processor board ID 23673112
R527x CPU at 262Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
4 slot VXR midplane, Version 2.3

Last reset from power-on
G.703/E1 software, Version 1.0.
G.703/JT2 software, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
6 Serial network interface(s)
125K bytes of non-volatile configuration memory.

46976K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
4096K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x102




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52974t=52974
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52528]

[Patrick Donlon]

I have a similar set-up, ACS on Win2k, what do error message do you see in
the event log?


Magdy H. Ibrahim  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Dear All,

 This is my second post regarding ACS2.6 bugs...
 The problem is:
 As you know;-) I have an acs2.6 server on W2k advanced server , My users
 Using it to connect to the internet and sometimes many of my users logged
 into my network through the acs and when they disconnected from my system,
I
 noticed that they still exist on the acs server , and since i made a
single
 session to my users , they cannot enter again till i make a purge to the
 user.
 Please this is a big problem for me so can u help me to solve it?

 Thanx in advance...

 Regards,,

 Magdy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52528t=52528
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52532]

[Patrick Donlon]

If you check the user who is listed in the acs they will be in the group
. This is normal when you use NT to
authenticate users by mapping an external db. Why they are can't re-connect
should be in the logs (reports then failed attempts), if they have a
successful authentication then it's somewhere else like you NT
authentication.


Magdy H. Ibrahim  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Patrick,

 The problem not Why my users disconnected... this may happened because he
 ended the session stop using the internet.. etc.
 The problem is why that user still exist on the ACS server, preventing him
 from reconnecting again till I purge him from the ACS server
 So why ACS act such behave?? and how to fix this strange behave??

 Thanx

 Magdy


 Patrick Donlon  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  I have a similar set-up, ACS on Win2k, what do error message do you see
in
  the event log?
 
 
  Magdy H. Ibrahim  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   Dear All,
  
   This is my second post regarding ACS2.6 bugs...
   The problem is:
   As you know;-) I have an acs2.6 server on W2k advanced server , My
users
   Using it to connect to the internet and sometimes many of my users
 logged
   into my network through the acs and when they disconnected from my
 system,
  I
   noticed that they still exist on the acs server , and since i made a
  single
   session to my users , they cannot enter again till i make a purge to
the
   user.
   Please this is a big problem for me so can u help me to solve it?
  
   Thanx in advance...
  
   Regards,,
  
   Magdy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52532t=52532
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52533]

[Patrick Donlon]

Sorry some text dissappeared along the way the group should say Mapped by
External Authenticaror

Patrick Donlon  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 If you check the user who is listed in the acs they will be in the group
 . This is normal when you use NT to
 authenticate users by mapping an external db. Why they are can't
re-connect
 should be in the logs (reports then failed attempts), if they have a
 successful authentication then it's somewhere else like you NT
 authentication.


 Magdy H. Ibrahim  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Patrick,
 
  The problem not Why my users disconnected... this may happened because
he
  ended the session stop using the internet.. etc.
  The problem is why that user still exist on the ACS server, preventing
him
  from reconnecting again till I purge him from the ACS server
  So why ACS act such behave?? and how to fix this strange behave??
 
  Thanx
 
  Magdy
 
 
  Patrick Donlon  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   I have a similar set-up, ACS on Win2k, what do error message do you
see
 in
   the event log?
  
  
   Magdy H. Ibrahim  wrote in message
   [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
Dear All,
   
This is my second post regarding ACS2.6 bugs...
The problem is:
As you know;-) I have an acs2.6 server on W2k advanced server , My
 users
Using it to connect to the internet and sometimes many of my users
  logged
into my network through the acs and when they disconnected from my
  system,
   I
noticed that they still exist on the acs server , and since i made a
   single
session to my users , they cannot enter again till i make a purge to
 the
user.
Please this is a big problem for me so can u help me to solve it?
   
Thanx in advance...
   
Regards,,
   
Magdy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52533t=52533
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52545]

[Patrick Donlon]

This is probably a silly question but how do the users logout/disconnect. It
could be you need a idle-timeout setting to be applied to the users' group.
Also what version of acs are you running?





Magdy H. Ibrahim  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Patrick,
 I am using ACS Dbase
 and when I check the error I found the following:
 exceeds maximum session

 So, I am wondering, this user not connected, then why he failed to
reconnect
 and why he still exist in the connected users Dbase???

 Thanx
 Magdy


 Patrick Donlon  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Sorry some text dissappeared along the way the group should say Mapped
by
  External Authenticaror
 
  Patrick Donlon  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   If you check the user who is listed in the acs they will be in the
group
   . This is normal when you use NT to
   authenticate users by mapping an external db. Why they are can't
  re-connect
   should be in the logs (reports then failed attempts), if they have a
   successful authentication then it's somewhere else like you NT
   authentication.
  
  
   Magdy H. Ibrahim  wrote in message
   [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
Patrick,
   
The problem not Why my users disconnected... this may happened
because
  he
ended the session stop using the internet.. etc.
The problem is why that user still exist on the ACS server,
preventing
  him
from reconnecting again till I purge him from the ACS server
So why ACS act such behave?? and how to fix this strange behave??
   
Thanx
   
Magdy
   
   
Patrick Donlon  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 I have a similar set-up, ACS on Win2k, what do error message do
you
  see
   in
 the event log?


 Magdy H. Ibrahim  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Dear All,
 
  This is my second post regarding ACS2.6 bugs...
  The problem is:
  As you know;-) I have an acs2.6 server on W2k advanced server ,
My
   users
  Using it to connect to the internet and sometimes many of my
users
logged
  into my network through the acs and when they disconnected from
my
system,
 I
  noticed that they still exist on the acs server , and since i
made
 a
 single
  session to my users , they cannot enter again till i make a
purge
 to
   the
  user.
  Please this is a big problem for me so can u help me to solve
it?
 
  Thanx in advance...
 
  Regards,,
 
  Magdy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52545t=52545
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: voip [7:51729]

[Patrick Donlon]

Don't know what RAI is, Steve?? but you can use a gatekeeper or just
configure dial peers on your gateway with the same matching digits and
different destinations, you can prioritise them too

Cheers

Pat

Steven A. Ridder  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 h.323 can do it with RAI, or you could use SA Agents. THose are your two
 best options.

 --

 RFC 1149 Compliant.



 Jake  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Is there a way to tell a router (3810) , which is running voip, to
reroute
 a
  voip call if the destination router is down.  This is how I see it.  The
  call is made from a typical digital phone.  The pbx sends the digits to
 the
  router. The router processes the digits and sends them to the
destination
  router.  What happens if the destination router is down.  The PBX does
not
  know if the destination router is down , so it will send the digits to
the
  local router.  But,  how do I tell the local router to reroute the phone
  call?? If you need a more info please specify..
 
  Thanks
  Jake




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51895t=51729
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cat 6k IOS upgrade failure [7:47282]

[Patrick Donlon]

I attempted to upgrade a Cat6K on Sunday with little success, shame as the
5Ks worked a treat. If I show the steps below if anyone can point out where
I went wrong.
Here's the IOS version I started with: IOS (tm) c6sup2_rp Software
(c6sup2_rp-IS-M), Version 12.1(3a)E4
I wanted the load this version of IOS c6sup12-is-mz.121-4.E3 which is an IP
image.

I copied the image into the bootflash of the Cat6k, here's the file below:
CAT6k#sh bootflash:
-#- ED --type-- --crc--- -seek-- nlen -length- -date/time-- name
1   .. image6031AC06  206DF4   25  1600884 Aug 02 2001 18:36:39
c6msfc2-boot-mz.121-3a.E4
2   .. image1F7C0C69  C20430   22  8977828 Jun 19 2002 08:12:06
c6sup12-is-mz.121-4.E3

I didn't place it in the sup-bootflash as I didn't have room for both
images. Also I didn't want to erase an image I new that worked and then go
through the laborious process of copying files via xmodem if the new image
wouldn't load. Here's the file on the sup-bootflash
CAT6k#sh sup-bootflash:
-#- ED --type-- --crc--- -seek-- nlen -length- -date/time-- name
1   .. imageB3497649  8C4B74   23  8932084 Aug 02 2001 18:33:46
c6sup12-is-mz.121-3a.E4

To load the image I placed the following line in the config
boot system flash bootflash:c6sup12-is-mz.121-4.E3.
Saved the config and checked the bootvar and all seemed OK.
I reloaded the switch and got the following error on bootup

System Bootstrap, Version 5.3(1)
Copyright (c) 1994-1999 by cisco Systems, Inc.
c6k_sup1 processor with 65536 Kbytes of main memory

Autoboot executing command: boot bootflash:c6sup12-is-mz.121-4.E3
open(): Open Error = -9
loadprog: error - on file open
boot: cannot load bootflash:c6sup12-is-mz.121-4.E3
Exit at the end of BOOT string
rommon 1 

Any obvious mistakes in my approach?

Cheers

Pat


--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47282t=47282
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Rogue Wireless LANs [7:47287]

[Patrick Donlon]

I've just found a wireless LAN set up by someone in the building, I found it
by chance when I was checking something with a colleague from another dept.
The WLAN has zero security which is not a surprise and lets the user into
the main LAN in the site with a DHCP address served up too! Does anyone have
any tips on preventing users and dept's who don't think about security from
plugging whatever they like into the network,

Cheers

Pat



--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47287t=47287
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Rogue Wireless LANs [7:47287]

[Patrick Donlon]

Thanks Chris, I was thinking more about securing the switch ports by
authenticating mac's (probably a bit OTT) or using SNMP to check for new
devices, any other ideas?  I've already set up a wireless LAN here with WEP
with authentication on an ACS server, which is a waste of time when you have
people setting up there own kit,

Cheers

Pat


--

email me on : [EMAIL PROTECTED]

chris  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 WEP for starters, then you can set the acccess point to only accept
 connections from specific MAC addresses.  You can implement LEAP on the
 cisco AP, radius/tacacs+ requiring user/pass.  Then you could place the AP
 outside the LAN/Firewall and require VPN to access the LAN resources.

 Cisco has good whitepaper on securing wireless.  What you have experienced
 pretty common.

 Chris
 Patrick Donlon  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  I've just found a wireless LAN set up by someone in the building, I
found
 it
  by chance when I was checking something with a colleague from another
 dept.
  The WLAN has zero security which is not a surprise and lets the user
into
  the main LAN in the site with a DHCP address served up too! Does anyone
 have
  any tips on preventing users and dept's who don't think about security
 from
  plugging whatever they like into the network,
 
  Cheers
 
  Pat
 
 
 
  --
 
  email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47293t=47287
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cisco ACS db corrupt?? [7:46882]

[Patrick Donlon]

I have a problem with the local database on a 2.6(6) ACS server. All
users use an external database  for authentication (NT or RSA) but I
want to create a user with a password stored in the ACS server. I can
create a new user and assign all the correct attributes without any
errors, however when I try to login with the user they are rejected. The
logs show the user is rejected due to the CS password : CS password
invalid .
I have tried to create other users and also to change users account
setting so that they authenticate using the CS password, with no luck.
So I think there is a problem with the passwords stored in the ACS
server
We have upgraded the server twice in the past 8 months for new features
and bug fixes whether this has caused the problem I don't know. Any
ideas on how to verify or fix this?

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46882t=46882
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Cisco ACS db corrupt?? [7:46882]

[Patrick Donlon]

Patrick Donlon wrote:

 I have a problem with the local database on a 2.6(6) ACS server. All
 users use an external database  for authentication (NT or RSA) but I
 want to create a user with a password stored in the ACS server. I can
 create a new user and assign all the correct attributes without any
 errors, however when I try to login with the user they are rejected. The
 logs show the user is rejected due to the CS password : CS password
 invalid .
 I have tried to create other users and also to change users account
 setting so that they authenticate using the CS password, with no luck.
 So I think there is a problem with the passwords stored in the ACS
 server
 We have upgraded the server twice in the past 8 months for new features
 and bug fixes whether this has caused the problem I don't know. Any
 ideas on how to verify or fix this?

 Cheers

 Pat
Here's the correct version info

CiscoSecure ACS v2.6 for Windows 2000/NT
Release 2.6(4) Build 4




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46883t=46882
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VPN problem from Pix to VPN concentrator 3030 [7:46343]

[Patrick Donlon]

I don't have both the isakmp statements in my PIX, why do I need it on both
interfaces when the crypto map is on only the outside? Also I have two other
PIX working OK with the only the one statement

Cheers

Pat






--

email me on : [EMAIL PROTECTED]

Brunner Joseph  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 on the 3030 make sure you are manually specifying lan to lan
 (Local Network and Remote Network) using USE IP ADDRESS/WILDCARD
 MASK BELOW).

 While you normally don't have to do this (you can autodiscover)
 Just do it to test if this is the problem.

 Also make sure you have both

 isakmp enable outside
 isakmp enable inside

 yes i mean both.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46440t=46343
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cisco Works 2000 [7:46446]

[Patrick Donlon]

I've just started to use CW2000 after it had been installed by a
colleague. I have a Sun workstation and Netscape 4.78, the problem
I have is that Netscape doesn't display all the frames sometimes or the
data in a page. I do have a Windows machine and it does display the
pages but very slowly. What do other people use with CW2000??


Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46446t=46446
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

VPN problem from Pix to VPN concentrator 3030 [7:46343]

[Patrick Donlon]

I have a problem with a ipsec tunnel across the internet from a PIX to a
3030 vpn concentrator. The tunnel occasionally  stops routing IP traffic and
then starts again without any intervention from anyone. The tunnel is still
up when I check both the 3030 and the pix but no IP traffic is sent across
the link.

I've checked the logs on the 3030 and see the following message :
Mismatch: Configured LAN-to-LAN proposal differs from negotiated
proposal.
Verify local and remote LAN-to-LAN connection lists.

I see this message when the tunnel is re-connected and traffic is or is not
routed, but it looks like it should be corrected.
Any ideas??


Cheers

Pat




--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46343t=46343
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

3600 10MB port duplex? [7:46250]

[Patrick Donlon]

Hi All

I've a dead simple question for anyone with a 3610 at their disposal, I'd
like to know whether the built in 10MB ethernet port will run at full
duplex. Reason why is I don't have a 3610 with one of these I can access and
I've been told by ATT that their router will only run at half-duplex and
10MB

Cheers

Pat


--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46250t=46250
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Cisco ACS Server Problem [7:46193]

[Patrick Donlon]

Jimmy have you checked the ACS logs? Have you created an entry for the
router in the ACS server? Also it could just be the IP address of the router
if it has multiple interfaces,

Cheers



--

email me on : [EMAIL PROTECTED]

Jimmy  wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
I am configuring a Cisco ACS server as a TACACS+
 server. I have a router will use ACS server for
 authentication. At the router, all parameters like
 tacacs host , tacacs key has been configured. ACS
 server is located inside the Firewall. Few username
 are created in ACS server.

From router , I am able to ping to the ACS server
 and able to telnet to ACS server port 49. Firewall log
 show that packets are accepted. However no
 authentication can be done. I got access denied.

I have done a debug aaa authentication.

  Jun 10 20:39:07: AAA/AUTHEN: create_user user=''
 ruser='' port='tty3' rem_addr='
 102.102.118.66' authen_type=1 service=1 priv=1
 Jun 10 20:39:07: AAA/AUTHEN/START (0): port='tty3'
 list='' action=LOGIN service=
 LOGIN
 Jun 10 20:39:07: AAA/AUTHEN/START (0): using default
 list
 Jun 10 20:39:07: AAA/AUTHEN/START (410787771):
 Method=TACACS+
 Jun 10 20:39:07: AAA/AUTHEN (410787771): status =
 ERROR
 Jun 10 20:39:07: AAA/AUTHEN/START (410787771):
 Method=LOCAL
 Jun 10 20:39:07: AAA/AUTHEN (410787771): status =
 GETUSER
 Jun 10 20:39:10: AAA/AUTHEN/CONT (410787771):
 continue_login
 Jun 10 20:39:10: AAA/AUTHEN (410787771): status =
 GETUSER
 Jun 10 20:39:10: AAA/AUTHEN/CONT (410787771):
 Method=LOCAL
 Jun 10 20:39:10: AAA/AUTHEN (410787771): status =
 GETPASS
 Jun 10 20:39:12: AAA/AUTHEN/CONT (410787771):
 continue_login
 Jun 10 20:39:12: AAA/AUTHEN (410787771): status =
 GETPASS
 Jun 10 20:39:12: AAA/AUTHEN/CONT (410787771):
 Method=LOCAL
 Jun 10 20:39:12: AAA/AUTHEN (410787771): password
 incorrect
 Jun 10 20:39:12: AAA/AUTHEN (410787771): status = FAIL
 Jun 10 20:39:14: AAA/AUTHEN: free user='test1'
 ruser='' port='tty3' rem_addr='10
 2.102.118.66' authen_type=1 service=1 priv=1
 Jun 10 20:39:14: AAA/AUTHEN: create_user user=''
 ruser='' port='tty3' rem_addr='
 102.102.118.66' authen_type=1 service=1 priv=1
 Jun 10 20:39:14: AAA/AUTHEN/START (0): port='tty3'
 list='' action=LOGIN service=
 LOGIN
 Jun 10 20:39:14: AAA/AUTHEN/START (0): using default
 list
 Jun 10 20:39:14: AAA/AUTHEN/START (440731952):
 Method=TACACS+
 Jun 10 20:39:14: AAA/AUTHEN (440731952): status =
 ERROR


Does anyone has any idea ?


 regards
 Jimmy


 __
 Do You Yahoo!?
 Yahoo! - Official partner of 2002 FIFA World Cup
 http://fifaworldcup.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46205t=46193
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: PIX and MS Active Directory [7:44797]

[Patrick Donlon]

Thanks Brian, just in case any ones else is interested here's a useful link
for the microsoft stuff
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/ittasks/t
asks/adrepfir.asp


Cheers

Pat

--

email me on : [EMAIL PROTECTED]

Brian Hill  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 John,

 SMTP only works if you have two sites in two different domains. In
addition,
 you have to have an exchange server with KMS and a CA to encrypt. Pat, I
 would suggest creating a tunnel from pix to pix and running the
replication
 through there. AD uses RPC, which doesn't translate due to the fact that
it
 uses random port numbers after the initial session establishment.

 Brian Hill
 CCNP, CCDP, MCSE 2000 (Charter Member),MCSE+I (NT4.0),
 MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
 Lead Technology Architect, TechTrain
 Author: Cisco, The Complete Reference
 http://www.alfageek.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44937t=44797
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

PIX and MS Active Directory [7:44797]

[Patrick Donlon]

The company I work for are looking to deploy Microsoft's Active Directory
across the intranet. Most sites have a PIX firewall running 5.3(2) and will
have many clients per site using AD. The problem seems to be that when
clients pass through the PIX and are assigned a global address/PAT AD is not
working. Static NAT translations work but due to the number of clients per
site it's not feasible to use static translations. Has anyone done this or
know any good links, can't find a thing on it at the CCO

Cheers

Pat


--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44797t=44797
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: PIX and MS Active Directory [7:44797]

[Patrick Donlon]

Brian
I've just found out from the guy testing the AD stuff that it doesn't even
work with static NAT translations, it'll only work with a static mapping
with the same address across the firewall. The bit that isn't working is the
replication between the servers

Cheers

Pat
--
email me on : [EMAIL PROTECTED]


Brian Hill  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Pat,

 Are the clients having the problem, or are the servers having the problem?
 If it's the servers, it's probably just RPC, but if it's the clients, it
 could be lots of things. What exactly isn't working?

 Brian Hill
 CCNP, CCDP, MCSE 2000 (Charter Member),MCSE+I (NT4.0),
 MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
 Lead Technology Architect, TechTrain
 Author: Cisco, The Complete Reference
 http://www.alfageek.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44820t=44797
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Content Switching and Keepalives [7:43141]

[Patrick Donlon]

Thanks for the info everyone, I tested it last night and it worked great, we
now have
load balancing and the keepalive running. Here's the config for one of the
services

Cheers
Pat


service portal2
  ip address 172.16.10.12
  string portal2
  protocol tcp
  keepalive port 81
  keepalive type http
  keepalive uri /index.html
  active

sam sneed wrote:

 There are 2 methods of keepalives, get and head.

 get:
 CSS gets the web page, computes a hash based on the page and stores it for
 reference. The next time the CSS gets the webpage it looks for 200 OK and
 stauts and compares the new hash with the hash stored for reference. If
they
 are different the CSS marks the service as down. So you can conclude this
 method only works well for static content on pages.

 Head:
 CSS only issues an HTTP head on the service and looks for 200 OK status ,
if
 it gets it service is marked up other wise its down. Less overhead than get
 method and good for Dynamic content as well.

 hope that helped a bit.

 Patrick Donlon  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Hi Dave
 
  I've not had chance to test the keepalive yet but I see you mention using
  head or get
  can depend on the page type. Can you explain further or do you have any
  links?
 
  Cheers
 
  Pat
 
  David Harrison wrote:
 
   This is correct. The domain name is not necessary. Since the CSS knows
   the ip address of the box it's watching it doesn't have to rely on a
   domain name to find the location of the server.
  
   However it is important that the css know the path to reach the
   reference page.
  
   I've used the following:
   service blah_blah
 ip address 10.1.1.1
 keepalive frequency 8
 keepalive type http
 keepalive uri /.reference/arrowpoint-keepalive.html
 active
  
   I usually use the default head method vs the get. Depends on
whether
   the file you are watching is static or dynamic.
  
   Dave
  
   -Original Message-
   From: John Neiberger [mailto:[EMAIL PROTECTED]]
   Sent: Friday, May 03, 2002 12:19 PM
   To: [EMAIL PROTECTED]
   Subject: Re: Content Switching and Keepalives [7:43141]
  
   I'm not positive about this but I don't believe you're supposed to
   include the domain name in the URI.  We simply use 'keepalive uri
   /index.htm' and that works well.  Give that a shot and see if it
works
   for you.
  
   John
  
    Patrick Donlon  5/3/02 9:54:47 AM 
   Hi
  
   I tested it and for some reason it didn't work,  I configured the
   following
   on the
   service:
  
   keepalive port 81,
   keepalive method get,
   keepalive type http
   keepalive frequency 25,
   keepalive retry 25
   keepalive uri  www.blahblah.com/index.html
  
   I then activated the service (and re-activated it a few times just in
   case)
   Any thing
   obviously wrong and  what should I check in the log
  
   cheers
  
   Pat
  
   Patrick Donlon wrote:
  
Hi All
   
I have two web servers which are being load balanced behind a CSS,
   this
is working fine. Currently we're using the default ICMP keepalive,
   this
is OK if the failure is at this level but when the web services
   process
is stopped by the DBA the CSS thinks it's up and running. I've seen
   the
different options, tcp, http gets, etc, and would like to know
   anyone
else's experience in what is the best balance over performance and
detecting the lost of service
   
Cheers
   
Pat
   
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43475t=43141
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Content Switching and Keepalives [7:43141]

[Patrick Donlon]

Hi Dave

I've not had chance to test the keepalive yet but I see you mention using
head or get
can depend on the page type. Can you explain further or do you have any
links?

Cheers

Pat

David Harrison wrote:

 This is correct. The domain name is not necessary. Since the CSS knows
 the ip address of the box it's watching it doesn't have to rely on a
 domain name to find the location of the server.

 However it is important that the css know the path to reach the
 reference page.

 I've used the following:
 service blah_blah
   ip address 10.1.1.1
   keepalive frequency 8
   keepalive type http
   keepalive uri /.reference/arrowpoint-keepalive.html
   active

 I usually use the default head method vs the get. Depends on whether
 the file you are watching is static or dynamic.

 Dave

 -Original Message-
 From: John Neiberger [mailto:[EMAIL PROTECTED]]
 Sent: Friday, May 03, 2002 12:19 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Content Switching and Keepalives [7:43141]

 I'm not positive about this but I don't believe you're supposed to
 include the domain name in the URI.  We simply use 'keepalive uri
 /index.htm' and that works well.  Give that a shot and see if it works
 for you.

 John

  Patrick Donlon  5/3/02 9:54:47 AM 
 Hi

 I tested it and for some reason it didn't work,  I configured the
 following
 on the
 service:

 keepalive port 81,
 keepalive method get,
 keepalive type http
 keepalive frequency 25,
 keepalive retry 25
 keepalive uri  www.blahblah.com/index.html

 I then activated the service (and re-activated it a few times just in
 case)
 Any thing
 obviously wrong and  what should I check in the log

 cheers

 Pat

 Patrick Donlon wrote:

  Hi All
 
  I have two web servers which are being load balanced behind a CSS,
 this
  is working fine. Currently we're using the default ICMP keepalive,
 this
  is OK if the failure is at this level but when the web services
 process
  is stopped by the DBA the CSS thinks it's up and running. I've seen
 the
  different options, tcp, http gets, etc, and would like to know
 anyone
  else's experience in what is the best balance over performance and
  detecting the lost of service
 
  Cheers
 
  Pat
 
  [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43380t=43141
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Content Switching and Keepalives [7:43141]

[Patrick Donlon]

Hi

I tested it and for some reason it didn't work,  I configured the following
on the
service:

keepalive port 81,
keepalive method get,
keepalive type http
keepalive frequency 25,
keepalive retry 25
keepalive uri  www.blahblah.com/index.html

I then activated the service (and re-activated it a few times just in case)
Any thing
obviously wrong and  what should I check in the log

cheers

Pat




Patrick Donlon wrote:

 Hi All

 I have two web servers which are being load balanced behind a CSS, this
 is working fine. Currently we're using the default ICMP keepalive, this
 is OK if the failure is at this level but when the web services process
 is stopped by the DBA the CSS thinks it's up and running. I've seen the
 different options, tcp, http gets, etc, and would like to know anyone
 else's experience in what is the best balance over performance and
 detecting the lost of service

 Cheers

 Pat

 [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43232t=43141
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Content Switching and Keepalives [7:43141]

[Patrick Donlon]

Hi All

I have two web servers which are being load balanced behind a CSS, this
is working fine. Currently we're using the default ICMP keepalive, this
is OK if the failure is at this level but when the web services process
is stopped by the DBA the CSS thinks it's up and running. I've seen the
different options, tcp, http gets, etc, and would like to know anyone
else's experience in what is the best balance over performance and
detecting the lost of service

Cheers

Pat


[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43141t=43141
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: PIX and AAA [7:42302]

[Patrick Donlon]

Thanks again for the replies everyone it worked just fine




Patrick Donlon wrote:

 Thanks for the replies, I only want to authenticate admininistrators on the
 PIX, will let you know how I get on

 Cheers

 Pat

 --

 email me on : [EMAIL PROTECTED]

 nrf  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  In such a situation, authorization would be achieved by writing a bunch
of
  access-lists on the Pix.  Then, you designate those particular
 access-lists
  within the radius server for individual users.  For example, let's say
you
  have a user called billclinton, and you want to restrict his access to
  certain websites.  So you write an access-list that does that, and then
in
  his radius profile, you call that access-list.
 
  This works when you are doing straight authentication through the Pix
  directly.  I have never tried it through a VPN.
 
 
  Darren Mitchelmore  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   NRF.
  
   I am just about to setup a PIX 515 with the Cisco VPN client and the
ias
 (
   WIN2K RADIUS SERVER ). From my understanding the VPN client has a group
   login then the user will be prompted for a username/password that the
   PIX will pass to the IAS server using Radius. That will be
authenticated
   against the Win username / password database (used to be called SAM ??)
 on
   the IAS server.
  
   I believe that this is authentication. Not sure how authorisation is
   achieved. How do you tie in the access-list
   to that individual user ??
  
   Is this the setup you have got going ??
  
   Do you have any problems implementing it ??
  
   PS - I have setup PIXs before but only with simple policies...
  
   Best Regards,
   Darren M
  
  
  
  
-Original Message-
From: nrf [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 3:57 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX and AAA [7:42302]
   
Well, actually, the Pix does support a very limited amount of Radius
authorization.  It's only for users going through the Pix, not
administrators of the Pix.  And the authorization 'capabilities' only
allow
you to invoke existing access-lists on the Pix for certain users, so,
  like
I
said, it's very limited.  Still, the capability exists.
   
   
 
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mn
ga
cl.htm#xtocid10
   
   
Georg Pauwen  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Paul, Tim, Patrick,

 you guys are good ! You are right, I wasn4t specific enough in what
 I
said:
 PIX does support RADIUS, but it does NOT support RADIUS
 Authorization
  :)

 Regards,

 Georg


 From: Paul Borghese
 To: Georg Pauwen ,
 Subject: Re: PIX and AAA [7:42302]
 Date: Tue, 23 Apr 2002 10:03:43 -0400
 
 The pix does support radius.  I am using it for a small client to
 authenticate PPTP connections using the Microsoft 2000 Radius
 server.
 
 Paul Borghese
 - Original Message -
 From: Georg Pauwen
 To:
 Sent: Tuesday, April 23, 2002 7:16 AM
 Subject: RE: PIX and AAA [7:42302]
 
 
   Hi Patrick,
  
   yes, aaa is fully supported on the PIX (remember, though, that
 the
PIX
 does
   not support RADIUS). Follow this link for a command overview of
  aaa
on
 the
   PIX:
  
  

   
 
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/a
b.
h
 tm#xtocid3
  
   Regards,
  
   Georg
 _
 Chat with friends online, try MSN Messenger:
 http://messenger.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43143t=42302
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Questions about PIX firewall [7:24634]

[Patrick Donlon]

Hi
backing up what's already been posted, we've changed from Checkpoint on
Solaris to PIX.
For the last 6 months we have had a very stable environment with failover
implemented
too. The cli is excellent if your familiar with IOS, it doesn't have the
overhead and
terrible sluggish response of the Checkpoint GUI -try remote logging on
Checkpoints
GUI,

For most things PIX  check http://www.cisco.com/warp/customer/707/#pix


cheers

Pat

dovelet wrote:

 Hi all,

 Our company wants to use PIX 515 firewall but I never use it before. I have
 some questions and I hope someone can help me.

 1. To configure a PIX, is there any GUI interface or need to use Command
 Line Interface? If it has GUI interface, is it bundle with a PIX or need to
 purchase separately?
 2. We plan to use 2 PIX for HA solution. Is it stable?
 3. Is there any materials to describe the PIX failover?

 Regards,
 Dovelet




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42819t=24634
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: PIX and AAA [7:42302]

[Patrick Donlon]

Thanks for the replies, I only want to authenticate admininistrators on the
PIX, will let you know how I get on

Cheers

Pat



--

email me on : [EMAIL PROTECTED]

nrf  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 In such a situation, authorization would be achieved by writing a bunch of
 access-lists on the Pix.  Then, you designate those particular
access-lists
 within the radius server for individual users.  For example, let's say you
 have a user called billclinton, and you want to restrict his access to
 certain websites.  So you write an access-list that does that, and then in
 his radius profile, you call that access-list.

 This works when you are doing straight authentication through the Pix
 directly.  I have never tried it through a VPN.


 Darren Mitchelmore  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  NRF.
 
  I am just about to setup a PIX 515 with the Cisco VPN client and the ias
(
  WIN2K RADIUS SERVER ). From my understanding the VPN client has a group
  login then the user will be prompted for a username/password that the
  PIX will pass to the IAS server using Radius. That will be authenticated
  against the Win username / password database (used to be called SAM ??)
on
  the IAS server.
 
  I believe that this is authentication. Not sure how authorisation is
  achieved. How do you tie in the access-list
  to that individual user ??
 
  Is this the setup you have got going ??
 
  Do you have any problems implementing it ??
 
  PS - I have setup PIXs before but only with simple policies...
 
  Best Regards,
  Darren M
 
 
 
 
   -Original Message-
   From: nrf [SMTP:[EMAIL PROTECTED]]
   Sent: Wednesday, April 24, 2002 3:57 AM
   To: [EMAIL PROTECTED]
   Subject: Re: PIX and AAA [7:42302]
  
   Well, actually, the Pix does support a very limited amount of Radius
   authorization.  It's only for users going through the Pix, not
   administrators of the Pix.  And the authorization 'capabilities' only
   allow
   you to invoke existing access-lists on the Pix for certain users, so,
 like
   I
   said, it's very limited.  Still, the capability exists.
  
  
 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mn
   ga
   cl.htm#xtocid10
  
  
   Georg Pauwen  wrote in message
   [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
Paul, Tim, Patrick,
   
you guys are good ! You are right, I wasn4t specific enough in what
I
   said:
PIX does support RADIUS, but it does NOT support RADIUS
Authorization
 :)
   
Regards,
   
Georg
   
   
From: Paul Borghese
To: Georg Pauwen ,
Subject: Re: PIX and AAA [7:42302]
Date: Tue, 23 Apr 2002 10:03:43 -0400

The pix does support radius.  I am using it for a small client to
authenticate PPTP connections using the Microsoft 2000 Radius
server.

Paul Borghese
- Original Message -
From: Georg Pauwen
To:
Sent: Tuesday, April 23, 2002 7:16 AM
Subject: RE: PIX and AAA [7:42302]


  Hi Patrick,
 
  yes, aaa is fully supported on the PIX (remember, though, that
the
   PIX
does
  not support RADIUS). Follow this link for a command overview of
 aaa
   on
the
  PIX:
 
 
   
  
 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/a
   b.
   h
tm#xtocid3
 
  Regards,
 
  Georg
_
Chat with friends online, try MSN Messenger:
http://messenger.msn.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42417t=42302
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

PIX and AAA [7:42302]

[Patrick Donlon]

Hi All

hopefully someone can help, is it possible to use AAA to authenticate users
on my PIX firewalls?

Cheers

Pat


--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42302t=42302
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VOIP billing [7:38756]

[Patrick Donlon]

You can use a radius platform for billing in your VoIP network. For small
scale you can use the CallManager or Cisco ACS server billing, for the
larger stuff you need to use Radius accounting and develop your own scripts
to process the records

Cheers
Pat


Kiran Kumar M  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Thanks for your reply. Any other external software that will compatible
 with cisco products also ??

 Thanks,
 Kiran


 On Tue, 19 Mar 2002, George Siaw wrote:

  Check out the Avvid product line. I think Cisco Call manager has some
  functionality for billing.
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
  Kiran Kumar M
  Sent: 19 March 2002 05:43
  To: [EMAIL PROTECTED]
  Subject: VOIP billing [7:38756]
 
  Hai,
 
  Is there any billing solution available for VOIP in cisco products.??
 
  Thanks,
  Kiran




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38761t=38756
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

7204 vxr boot rom [7:38777]

[Patrick Donlon]

Hi All

just wondered if anyone knows where I can find some information about boot
rom versions. I'm looking at loading an  image of IOS on a new 7204 and I'd
like to know what version I should use for the boot rom

cheers

Pat

--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38777t=38777
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VPN using DHCP [7:38670]

[Patrick Donlon]

I use a cable modem in Holland and it never changes, but now I've said
that.. Best thing would be to request an address then you know for sure

Cheers

--

email me on : [EMAIL PROTECTED]

sam sneed  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Has anyone ever created a VPN using a cable modem and DHCP? I am assuming
 that once you get the IP using DHCP it will not change for at least a
month.
 If it does change I realize reconfiguration is necessary, this is no big
 deal for me. I know it is not possible with checkpoint 4.1 but is it
 possible with a PIX 501 3DES? I want to connect my home network to the
 corporat network using a PIX 501 and IPSEC.

 Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38673t=38670
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Etherchannel/ISL trunk failure [7:38085]

[Patrick Donlon]

Kelly great post and I do appreciate the help, I no think my englesh was
that bad (just kidding), been living in Europe too long obviously. Back to
the problem anyway, I removed the ISL trunk from the etherchannel and it's
all OK now, no errors for the past couple of days. Problem is it's at an
exhibition so it's fairly important it doesn't go down. The reasoning behind
the ISL trunk was an application that couldn't handle an address with any
zeros, so we needed an extra VLAN. The network requirements have a habit of
changing rapidly too so it made sense to implement it at the time.

My skill level? hmm  not sure either, but you're right keep it simple
works best for me too.

cheers Pat


--

email me on : [EMAIL PROTECTED]

Kelly Cobean  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 I'll make you a deal...I won't pose design questions in response to your
 fault questions when you can criticize me for trying to help you using
 something other than one big, fragmented run-on sentence.  Worse than my
 unsolicited design suggestions are the inability of most people to form a
 coherent thought in writing to convey their point.  It makes it difficult,
 if not impossible to HELP with the problem at hand when you must focus so
 hard on deciphering the broken sentence that you can't focus on the
 technology.

 Now, I certainly get your point that I'm not sticking strictly to the
 question at hand, but one of the best design philosophies (which
determines
 in part your troubleshooting methodologies) out there is Keep It Simple.
 There is no need to apply a technology if it's not going to be used.  I
 suggest this merely because I don't know you, your skill level, or your
 future plans for this network.  My suggesting that you not use ISL if
there
 are no plans for it in the future was an attempt to save you the
heart-ache
 of chasing down a problem that needn't exist, however educational the
answer
 may be.  I also caveated my statement with unless you are preparing for
 multiple VLAN's down the road, so be as scalable as you want, just don't
 assume that I know your future plans.  I'm merely analyzing the problem in
 front of me.  After all, you did say that you had to get this up very
 quickly.

 Also note that I DID included some other thoughts for you to check on if
 diagnosing the problem to resolution is the path you're on, so my message
 wasn't entirely wasted on babbling about my perceived over-engineering of
 your network.

 As with all lists, responses to questions are take it or leave it.  If
you
 don't like mine that's fine, but maybe someone else on the list was able
to
 benefit from it.  In the future, I'll refrain from any attempts to suggest
 alternatives to problematic implementations.

 Apparently Arrogant,
 Kelly Cobean



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Patrick Donlon
 Sent: Wednesday, March 13, 2002 10:46 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Etherchannel/ISL trunk failure [7:38085]


 I love this group, how's about scalability, new requirements, sorry for
 being sarcastic but it's not about the design, simple as it is, but a
fault

 cheers

 --

 email me on : [EMAIL PROTECTED]

 Kelly Cobean  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Based on the fact that you are only using a single VLAN, I would first
  question why you are using using ISL trunking?  Since ISL is used for
  Inter-VLAN routing, it's an unnecessary configuration, unless you are
  preparing for multiple VLAN's down the road.  Have you configured VTP
  appropriately?  Also, I would check for any ARP abnormalities in your
CAM
  and ARP tables.
 
  Kelly Cobean
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
  Patrick Donlon
  Sent: Wednesday, March 13, 2002 4:11 AM
  To: [EMAIL PROTECTED]
  Subject: Etherchannel/ISL trunk failure [7:38085]
 
 
  Hi everyone I have a strange problem I'd like to know if anyone can
 explain
  why it happened and how to prevent it happening again. I have two Cat
 5500s
  connected using four 10/100 MB port configured as an etherchannel, it
was
  also configured as an ISL trunk. It's a very simple network with these
two
  switches, a PIX and only VLAN 1 is used.
 
  The problem occurred when clients DNS requests failed. The DNS is an NT
  server which was connected to Switch B, the PIX was connected to Switch
A
  and the default gateway for VLAN 1 was on Switch A. From a PC on Switch
A
  you could ping the NT server and the default gateway and PIX etc, but
the
 NT
  server couldn't ping the default gateway. Moving a PC to Switch B
 replicated
  the problem, I could ping everything else on the network but not the
 default
  gateway. When I checked the switches I could see some errors on the
first
  port of the channel, a few align, fcs and runts, I then noticed the port
 was
  leaving and joining the spanning tree every 30 seconds

Etherchannel/ISL trunk failure [7:38085]

[Patrick Donlon]

Hi everyone I have a strange problem I'd like to know if anyone can explain
why it happened and how to prevent it happening again. I have two Cat 5500s
connected using four 10/100 MB port configured as an etherchannel, it was
also configured as an ISL trunk. It's a very simple network with these two
switches, a PIX and only VLAN 1 is used.

The problem occurred when clients DNS requests failed. The DNS is an NT
server which was connected to Switch B, the PIX was connected to Switch A
and the default gateway for VLAN 1 was on Switch A. From a PC on Switch A
you could ping the NT server and the default gateway and PIX etc, but the NT
server couldn't ping the default gateway. Moving a PC to Switch B replicated
the problem, I could ping everything else on the network but not the default
gateway. When I checked the switches I could see some errors on the first
port of the channel, a few align, fcs and runts, I then noticed the port was
leaving and joining the spanning tree every 30 seconds or so. Removing the
cable from the port fixed the problem immediately, when the cable was put
back the problem occurred after about 3 mins. I removed the ISL trunk and
put the cable back and it is working and error free for over 12 hours.

I'd love to know exactly what caused this, I think it was the VLAN
information not being passed down the trunk but I'm not sure and as the link
had to be up v.quickly I didn't have time to test a few things out.

cheers

Pat


--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38085t=38085
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Etherchannel/ISL trunk failure [7:38085]

[Patrick Donlon]

I love this group, how's about scalability, new requirements, sorry for
being sarcastic but it's not about the design, simple as it is, but a fault

cheers

--

email me on : [EMAIL PROTECTED]

Kelly Cobean  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Based on the fact that you are only using a single VLAN, I would first
 question why you are using using ISL trunking?  Since ISL is used for
 Inter-VLAN routing, it's an unnecessary configuration, unless you are
 preparing for multiple VLAN's down the road.  Have you configured VTP
 appropriately?  Also, I would check for any ARP abnormalities in your CAM
 and ARP tables.

 Kelly Cobean

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Patrick Donlon
 Sent: Wednesday, March 13, 2002 4:11 AM
 To: [EMAIL PROTECTED]
 Subject: Etherchannel/ISL trunk failure [7:38085]


 Hi everyone I have a strange problem I'd like to know if anyone can
explain
 why it happened and how to prevent it happening again. I have two Cat
5500s
 connected using four 10/100 MB port configured as an etherchannel, it was
 also configured as an ISL trunk. It's a very simple network with these two
 switches, a PIX and only VLAN 1 is used.

 The problem occurred when clients DNS requests failed. The DNS is an NT
 server which was connected to Switch B, the PIX was connected to Switch A
 and the default gateway for VLAN 1 was on Switch A. From a PC on Switch A
 you could ping the NT server and the default gateway and PIX etc, but the
NT
 server couldn't ping the default gateway. Moving a PC to Switch B
replicated
 the problem, I could ping everything else on the network but not the
default
 gateway. When I checked the switches I could see some errors on the first
 port of the channel, a few align, fcs and runts, I then noticed the port
was
 leaving and joining the spanning tree every 30 seconds or so. Removing the
 cable from the port fixed the problem immediately, when the cable was put
 back the problem occurred after about 3 mins. I removed the ISL trunk and
 put the cable back and it is working and error free for over 12 hours.

 I'd love to know exactly what caused this, I think it was the VLAN
 information not being passed down the trunk but I'm not sure and as the
link
 had to be up v.quickly I didn't have time to test a few things out.

 cheers

 Pat


 --

 email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=38104t=38085
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VoIP problem [7:36396]

[Patrick Donlon]

Mark

thanks for the post, yep both are identical, I've already decoded the error
and it tells me to contact Cisco, which I've done.

Cheers


Mark Odette II  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Pat-
 Question: Are both ends identical in Hardware and/or Software??  More
 importantly, Are both routers running the same version of IOS?  I've seen
 something very similar to this, and it wound up being a compound problem
of
 buggy version of IOS and a mixture of versions from end to end.

 If you can, you might think about rolling back a little on the version of
 IOS, to say, 12.2.1, or something like that but verify it won't break
 some other feature you're depending on first.

 Another wise action would be to go onto CCO and check their BugTraq to see
 if they have any known issues with 12.2.4T.

 Also, here's a tool that might help with the error message: Error message
 Decoder Ring!  It requires CCO access.
 http://www.cisco.com/cgi-bin/Support/Errordecoder/home.pl

 Hope this helps!

 Mark

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Patrick Donlon
 Sent: Monday, February 25, 2002 11:35 AM
 To: [EMAIL PROTECTED]
 Subject: VoIP problem [7:36396]


 Hi all

 I've a problem with a voice router I'm getting DSP timeout errors on the
far
 end (egress) router and I was wondering if anyone has any ideas. See the
 text below for the error, it appears after the call is disconnected with
 normal call clearing, we use E1s. A reboot will make the problem go away
 for a short while and we using 12.2(4)T on a 3640. The call routing is
fine
 and I can make csim calls from the far end router to my local router and
to
 my phone no problem, in the other direction I get DSP timeouts.

 Cheers

 Pat

 10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP Disc
 (call mode=0)
 10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP
error
 stats (call mode=1658181684), chnl info(1, 0, 0)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36620t=36396
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

VoIP monitoring [7:36625]

[Patrick Donlon]

Hi

I'm after some tips for monitoring a couple of VoIP routers, as there are
only two routers buying tools isn't going to be very cost effective. I've
used the early versions of CVM (which was very funny), we use Cisco Works
2000, but don't have the add on CVM product, and Openview. I'm planning on
automatically re-route calls on failure, but I'd like to know about the
failure so we can react, any ideas or pointers?

Cheers
Pat

--

email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36625t=36625
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

VoIP problem [7:36396]

[Patrick Donlon]

Hi all

I've a problem with a voice router I'm getting DSP timeout errors on the far
end (egress) router and I was wondering if anyone has any ideas. See the
text below for the error, it appears after the call is disconnected with
normal call clearing, we use E1s. A reboot will make the problem go away
for a short while and we using 12.2(4)T on a 3640. The call routing is fine
and I can make csim calls from the far end router to my local router and to
my phone no problem, in the other direction I get DSP timeouts.

Cheers

Pat

10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP Disc
(call mode=0)
10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP error
stats (call mode=1658181684), chnl info(1, 0, 0)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36396t=36396
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

OT: Serial DTE/DCE cables [7:35388]

[Patrick Donlon]

Hi

I'm after some serial cables for a home lab, anyone have any sources for
these in the UK and Europe, I'm looking to buy about 10 in total (1m or 3m
lengths)

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35388t=35388
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: [Re: VOIP Vic-2fx cards [7:34768]

[Patrick Donlon]

Sujal

thought it could be case, just couldn't remember as it was some time back,

Thanks


Sujal G. Ajmera  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Pat and Rich:

 I had a similar problem and got it solved just today.

 What we did was change the IOS and that made a difference.

 Sujal

  Richard
 
  I've had the very same problem some time ago, it was really annoying,
can
  you post the config, it'll probably jog my memory as to what was wrong
 
  Cheers
 
  Pat
  - Original Message -
  From: Richard Botham
  Newsgroups: groupstudy.cisco
  Sent: Thursday, February 07, 2002 6:13 PM
  Subject: VOIP  Vic-2fx cards [7:34768]
 
 
   Hi All,
  
   I have 2 x Cisco 2621 routers and each have a 2port fxs voice card -
   vic-2fxs installed.
  
   When I plug my phone into port 1/0/0 of a vic-2fxs card installed in a
  2621
   I get dial tone.
  
   When I use port 1/0/1 I do not get dial tone.
  
   Is there any reason for this and what am I doing wrong.
  
   Regards
   Richard
  _
  Do You Yahoo!?
  Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35276t=34768
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: 6000 Hybrid vs Native [7:35216]

[Patrick Donlon]

Sorry to spoil the party but I've had a problem with IOS on 6Ks. With
version 12.1(3a)E4, using the console port would put the switch into rommon
mode, the switch would keep running but you couldn't config it, it's a
recognised bug I think. Apart from that though I think it simplifies things
by having just the one set of commands and will be upgrading the Cat OS 6Ks
to IOS

Cheers

Pat


Michelle Loechel  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Can anyone comment on having used the native mode IOS feature on the 6000
 series switches?  Like/dislikes?  Stability?  Supportability, etc?
 Preference of hybrid or native? Compatibility issues with future Cisco
 features?

 Thanks

 Michelle Loechel
 Network Analyst
 Exempla Healthcare
 [EMAIL PROTECTED]
 Any views or opinions presented in this email are solely
 those of the author and do not necessarily represent those
 of Exempla Healthcare.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35278t=35216
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VOIP Vic-2fx cards [7:34768]

[Patrick Donlon]

Richard

I've had the very same problem some time ago, it was really annoying, can
you post the config, it'll probably jog my memory as to what was wrong

Cheers

Pat
- Original Message -
From: Richard Botham 
Newsgroups: groupstudy.cisco
Sent: Thursday, February 07, 2002 6:13 PM
Subject: VOIP  Vic-2fx cards [7:34768]


 Hi All,

 I have 2 x Cisco 2621 routers and each have a 2port fxs voice card -
 vic-2fxs installed.

 When I plug my phone into port 1/0/0 of a vic-2fxs card installed in a
2621
 I get dial tone.

 When I use port 1/0/1 I do not get dial tone.

 Is there any reason for this and what am I doing wrong.

 Regards
 Richard
_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34832t=34768
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

IPSec tunnels [7:34742]

[Patrick Donlon]

Hi All

I'm looking for some information on how to verify the configuration of a PIX
with an IPsec tunnel to a VPN concentrator. I have a tunnel that keeps
bouncing, I think that instabilities across the internet could be causing
some of the problems as I see the path changing quite a lot from the
Netherlands to Dubai. I can't find the command(s), or understand the ones
I've used, which tells me whether the tunnel is up on the PIX, I can see
from the concentrator that it's down but I want to know about the PIX too.
Any other advise is appreciated

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34742t=34742
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: PBX [7:34499]

[Patrick Donlon]

Tom

it all depends on what interfaces you have in your router and PBX, do you
need info' on the PBX or the Cisco? I can send you some general configs for
E1 interfaces, otherwise checkout the cco
http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:VoX:V
oIPs=Implementation_and_Configuration

or for the as5300 (most commands can be used on the smaller 2600 or 3600)
http://www.cisco.com/univercd/cc/td/doc/product/access/nubuvoip/voip5300/ind
ex.htm

cheers

Pat



- Original Message -
From: Tom Richs 
Newsgroups: groupstudy.cisco
Sent: Tuesday, February 05, 2002 8:47 PM
Subject: PBX [7:34499]


 How can I connect a router to a PBX to get it to talk.  In specific I'm
 implementing VoIP and want to connect it to my PBX.  Do you use a specific
 PRI, EM or what type card and cabling between the two.

 Thanks.

 Tom

 _
 Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp.
_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34598t=34499
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Renting Cisco Equipment [7:34531]

[Patrick Donlon]

Yes, Cisco can arrange loan or demo equipment for all sorts of uses, go ask
you rep

cheers

Pat


Greg Harper  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Greetings,

 Does anybody on the list know of any companies that will
 rent or short-term lease Cisco equipment?  I need an AS5400
 temporarily to minimize the downtime of an ISP migration,
 and am having trouble finding companies that handle this
 type of thing.

 Thanks,
 Greg




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34599t=34531
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ISDN problems... [7:34324]

[Patrick Donlon]

Stuart

180 seconds is normal, it depends if you have a minimum call charge from
your telco. To see what causing the interface to dial use the debug dialer
command:
debug dialer [events | packets] - Displays DDR debugging information about
the packets received on a dialer interface.
Some more info' here
http://www.cisco.com/warp/customer/793/access_dial/ddr_9347.html

Regards

Pat




Laubstein, Stuart  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 The dialer list command seems to be gone...I am going to add


 dialer-list 1 protocol ip permit

 This should work(at least to let everything threw). Or is there another
way
 to do this which is more secure? I am also trying the debug command--they
 will not help this problem but have shown me another problem with the
serial
 interfaces so thanks for that suggestion. Actually any suggestion on
 dialer-lists would alsom be welcome--ie what would it be a good idea and
 what kind of timeout is normal--I am using 50 seconds right now.

 stu


 -Urspr|ngliche Nachricht-
 Von: McCallum, Robert [mailto:[EMAIL PROTECTED]]
 Gesendet am: Monday, February 04, 2002 3:53 PM
 An: [EMAIL PROTECTED]
 Betreff: RE: ISDN problems... [7:34324]

 If the router is not seeing interesting traffic within your idle period
then
 it should drop the line.  What is in your dialer-list to define what is
 interesting traffic?

 -Original Message-
 From: Stuart Laubstein [mailto:[EMAIL PROTECTED]]
 Sent: 04 February 2002 14:20
 To: [EMAIL PROTECTED]
 Subject: ISDN problems... [7:34324]


 I have  a 3620 that has a problem with timing out. I have set the dialer
 idle-timoue to 180 seconds--the router will keep the interface open for
180
 seconds and then drop it for 9 seconds. I set it to 55 seconds and it did
 the same timeout after 55 seconds--9 second drop. This only seems to
happen
 when the  remote router is a cisco router. I have tried debug isdn
 events--but can only see the interface coming back up. Any idea on things
I
 can try would be much appreciated or on debug options that would narrow it
 for me...

 thanks



 stuart




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=3t=34324
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: MAJOR OT: Free CCNPtraining for convicts [7:34039]

[Patrick Donlon]

This could be the biggest load of crap I've read for some time, is your boss
planning on getting you convicted? It may be cheaper on his training budget.





steve skinner  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 guys,

 my boss has just told me that cisco are trailing a few prisons where they
 are offering free CCNP training to convicts

 man does that just bite the buscuit.

 i worked long and hard to pay for my exams.get some work experience
 and at my expence (bieng a tax payer)i am funding a convict to learn
 about cisco.

 i know about re-abilitation.but it is just a bit sick that i as an
 individual,could

 a) been robbed by this man ... my house is trashed and my insurence goes
up
 (i pay )
 b) funding him in prison to learn Cisco (i pay)
 c) comes out of prison and de-vaules a cert becuse he has no experience (i
 pay)


 does cisco want to have a useless cert system(except ofcourse the
 CCIE)because the more people who BLANTENTLY DONT have any experience
 witht these certs ...the less they mean...


 i`m  sorry to rantbut sometimes i wish company`s would consider there
 future..

 FACT (from Cisco) there will always be more jobs for NA/NP than IE`s

 1)i get exams to be employable...
 2)in order to get these exams i push the company`s kit ..

 i have recently installed some 4000`s over another companies kit,even
 thought the other kit is more than capable of doing the job..because i get
a
 side benefit of learning about the equipment and increasing my CV value
 

 3)if i am working at a company and i dont want a cisco cert because it is
 worthless..why would i push that companies products..

 i would simply push another company`s products to get my certs in the
there
 equipment ,to keep my employability

 4) cisco dont sell as much equipment 
 5) certs become even more worthless..
 6) cisco sells even less equipment as no-one is trained anymore
 7) cisco becomes Novell(my appologies to all novell staff)...

 a little for-thought is all that required...

 as my boss says...

  one of my main reson for buying kit is the amount of tech staff
availible
 to install/fix the kit...if there`s no staff there no kit

 in a job market that is already depressed that last thing that is needed
is
 a flood of Certified but unexperienced people on the market..

 the it industry is like no other ,in that fact that we have to CONSTANTLY
 update our skills ...that takes time,money and personal
 sacrfisesomething i dont think cisco is at all concernd with...

 ahh welll.

 no chance of a [EMAIL PROTECTED] list starting any time soon...??

 Sorry for the downer

 steve



 _
 Join the worlds largest e-mail service with MSN Hotmail.
 http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34069t=34039
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

ethernet errors explained [7:33687]

[Patrick Donlon]

Hi Everyone

 I trying to find some information on some Ethernet errors that I see on a
 port, see the text below. The machine is an RS6000 and was experiencing
some
 performance problems, the NIC was set to auto negotiation and there were
the
 usual errors. The port and NIC are now both fixed and the errors are
 increasing steadily, I've had a good search on the CCO but I can't find any
 explanation of what causes the errors, any advice will be appreciated

 Regards

 Patrick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33687t=33687
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ethernet errors explained [7:33687]

[Patrick Donlon]

Positive, if you look at the show port (on the other mail) you'll see there
are no collisions

Thanks


Steven A. Ridder  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Are you sure switch and NIC are the same speed and duplex?  Looks like
port
 speed/duplex mismatch.
 Patrick Donlon  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Hi Everyone
 
   I trying to find some information on some Ethernet errors that I see on
a
   port, see the text below. The machine is an RS6000 and was experiencing
  some
   performance problems, the NIC was set to auto negotiation and there
were
  the
   usual errors. The port and NIC are now both fixed and the errors are
   increasing steadily, I've had a good search on the CCO but I can't find
 any
   explanation of what causes the errors, any advice will be appreciated
 
   Regards
 
   Patrick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33692t=33687
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ethernet errors explained [7:33687]

[Patrick Donlon]

It's a RS6000 not a PC, I think it's running AIX


Steven A. Ridder  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Then try switching ports, shutting it down, different PC, etc,.  It's
 probably the PC then
 Patrick Donlon  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Positive, if you look at the show port (on the other mail) you'll see
 there
  are no collisions
 
  Thanks
 
 
  Steven A. Ridder  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   Are you sure switch and NIC are the same speed and duplex?  Looks like
  port
   speed/duplex mismatch.
   Patrick Donlon  wrote in message
   [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
Hi Everyone
   
 I trying to find some information on some Ethernet errors that I
see
 on
  a
 port, see the text below. The machine is an RS6000 and was
 experiencing
some
 performance problems, the NIC was set to auto negotiation and there
  were
the
 usual errors. The port and NIC are now both fixed and the errors
are
 increasing steadily, I've had a good search on the CCO but I can't
 find
   any
 explanation of what causes the errors, any advice will be
appreciated
   
 Regards
   
 Patrick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33701t=33687
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ethernet errors explained [7:33687]

[Patrick Donlon]

Dave tried that one first as I thought it was the most interesting, but
sadly

(enable) set port inline 2/26 off
Feature not supported on module 2.

I'll go back to basics first Ole.

Thanks for the replies

Pat

MADMAN  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 You appear to have the inline power module for ip phones.  I had a
 problem once on a server where I disabled the power on the port and this
 resolved the errors.

 C6509 (enable) set port inlinepower 2/26 off

   Dave

 Patrick Donlon wrote:
 
  And here's the show port I forgot!!
 
  (enable) sh port 2/26
  Port  Name   Status Vlan   Duplex Speed Type
  - -- -- -- -- - 
   2/26 Temp Driver server connected  990  full   100 10/100BaseTX
 
  Port  AuxiliaryVlan AuxVlan-Status InlinePowered PowerAllocated
 Admin Oper   Detected mWatt mA @42V
  - - -- - --  - 
   2/26 none  none   - -  -- -
 
  Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap
IfIndex

 -  - -    ---
   2/26 disabled  shutdown 001 disabled
51
 
  Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr
  Shutdown/Time-Left
  -  -  -
 
  --
   2/26
   -- -- -
 
  Port Broadcast-Limit Broadcast-Drop
   --- 
   2/26  -0
 
  Port   Send FlowControlReceive FlowControl   RxPause TxPause
 Unsupported
 adminoper   adminoper opcodes
  -        --- ---
 ---
   2/26  off  offoff  off  0   0   0
 
  Port  Status Channel  Admin Ch
   Mode Group Id
  - --  - -
   2/26 connected  auto silent 68 0
 
  Port  Align-Err  FCS-ErrXmit-Err   Rcv-ErrUnderSize
  - -- -- -- -- -
   2/26 154661 138931  0  0  6246
 
  Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts
 Giants
  - -- -- -- -- - -
 --
  ---
   2/26  0  0  0  0 0 30531
  1
 
  Port  Last-Time-Cleared
  - --
  Patrick Donlon  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   Hi Everyone
  
I trying to find some information on some Ethernet errors that I see
on
 a
port, see the text below. The machine is an RS6000 and was
experiencing
   some
performance problems, the NIC was set to auto negotiation and there
were
   the
usual errors. The port and NIC are now both fixed and the errors are
increasing steadily, I've had a good search on the CCO but I can't
find
  any
explanation of what causes the errors, any advice will be appreciated
  
Regards
  
Patrick
 --
 David Madland
 Sr. Network Engineer
 CCIE# 2016
 Qwest Communications Int. Inc.
 [EMAIL PROTECTED]
 612-664-3367

 Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33707t=33687
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VOIP dial plan [7:31487]

[Patrick Donlon]

No, not if you specify how many digits will follow the 2.
Check this link for some general voip stuff
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
t/120t3/voip5300/voip53_1.htm

cheers Pat


Jim Bond  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hello,

 I've got a question on dial plan. We've got (208)
 472- as DID numbers in our campus, I'd like to use
 the last 5 digits: 2 in our campus VOIP and 7
 digits (no area code) in other offices. In our NY
 office, we have (845) 288- as regular DID numbers.
 Is it possible to make 288- goes to NY and 2
 stays in our campus? Will the beginning number 2
 create any conflict?

 Thanks in advance.

 Jim

 __
 Do You Yahoo!?
 Send FREE video emails in Yahoo! Mail!
 http://promo.yahoo.com/videomail/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=31522t=31487
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

ACS radius attributes [7:29043]

[Patrick Donlon]

Hi

just a quick question does anyone know who to set the radius attribute 80 in
the ACS server. I can't find it anywhere in the web configuration tool,

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=29043t=29043
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

BGP and memory allocation errros [7:28819]

[Patrick Donlon]

Hi All

I have a problem with a router running BGP. I have two 7204vxr's running BGP
connecting to two different service providers, I upgraded the IOS of one the
routers with version 12.1(5)T10 (IP PLUS IPSEC 3DES) and the boot image, it
ran for a week with no problems. I upgraded the other router with the same
images and as got memory allocation errors when it established adjacency
with the BGP neighbours, see the output below. I'm no BGP expert and I
believe there is enough memory in the router, so any suggestions will be
appreciated

Regards

Pat

*Nov 25 15:55:29: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:55:31: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:55:41: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:56:07: %SYS-2-MALLOCFAIL: Memory allocation of 65496 bytes failed
from

0x606BE0F4, pool Processor, alignment 0
-Process= BGP Router, ipl= 0, pid= 118
-Traceback= 606C1450 606C38B0 606BE0FC 606BE8F0 6082D330 6082D578 6082EA84

609FA5EC 609FB2B8 61476248 609FB35C 609D61F0 606B7DA4 606B7D90
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor *.*.*.* Down No memory
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor *.*.*.* Down No memory
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor *.*.*.*Down No memory
*Nov 25 15:56:11: %BGP-3-NOTIFICATION: sent to neighbor *.*.*.* 3/1 (update

malformed) 0 bytes
*Nov 25 15:56:37: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:56:37: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:56:51: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28819t=28819
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

3rd party Flash memory [7:28823]

[Patrick Donlon]

Hi everyone

I am looking at purchasing flash memory cards for Cat6Ks from Kingston, I'd
just like to hear from anyone who has done the same and whether the flash
cards worked OK

cheers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28823t=28823
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ISDN DDR Question [7:28257]

[Patrick Donlon]

dialer idle-timeout seconds



Have a look at this link it's got lots of info on PPP and multilink

http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:PPPs
=Implementation_and_Configuration



Cheers

Pat

Sam Deckert  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 hey all,

 just wondering if anyone knows how to extend the amount of time it takes
 before the second channel comes down after the traffic level drops below
the
 load threshold, when using multilink isdn with 2 channels?

 Any help would be great!!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28265t=28257
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VoIP Problem: Billing Triggered Before Authentication [7:28273]

[Patrick Donlon]

What billing system are you using? Is it based on the PSTN Switches or do
you use Radius accounting?

cheers Pat


Chong Chun Wei (Central)  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi all,
 Pls help.

 Scenario:

 2 AS 5300 acting as the originating and terminating gateway on each
 side of the network. The originating AS5300 is connected to the PSTN
switch
 ( SW A ) using PRI signaling while the terminating AS 5300 is connected to
 the PSTN switch ( SW B) using R2 signaling. The customer will dial a
 specific number to access the SW A and then enter the account and pin
 number. After the authentication, there will a beep tone follow by the
 message which prompt the user to enter the destination phone number.


 For a normal scenario,

 After the entering of the destination phone number, there will be ringing
 tone. When B-party picked up the phone, there will be a second beep tone
 which will trigger the billing system to start the billing.

 However, what actually happens is that,

 After the entering of the destination phone number, just right before the
 ringing tone, there is a click sound immediately before the ringing tone
 which undesirably, trigger the billing system. This creates problem
because
 even before the call get connected, the customer has already been charged.

 The Attempted Solutions include
 1. Program the progress indicator at the terminating gateway's dial-peer
 2. check the output of the debug isdn a931 (looks fine)

 However, the problem still haven't been solved. Please help.

 rgds
 Alvin Chong
 CCNA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28273t=28273
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: IP telephony [7:27533]

[Patrick Donlon]

Anil

First thing, are you connecting you PBX to the routers via fxs/fxo ports?
are they already in place?
As for MGCP and H323, I don't know too much about MGCP and I think it's used
for controlling gateways and higher layers features than H323 ( anyone
please feel free to comment), so go for H323 as you just want to originate
and terminate H323 traffic between your routers and CMs.

Have a look at this url on the cco for config's
http://www.cisco.com/univercd/cc/td/doc/product/access/nubuvoip/voip5300/ind
ex.htm
it's mainly about AS5300s but the platform doesn't really matter once the
interfaces are configured. Let me know if you need more info,

cheers

Pat


Anil Kumar  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 This is the Voice network  i am implementing.
 Voip on this network is working.

 Analog PhoneAnalog Phone
   |  |
   |  |
   |  |

 IPtelphone-CCM3.0-3660 Router--3640 Router--IPtelephone
With NM-HDVWith NM-HDV
   (Main Office)  (Remote Office)



 The problem which i am facing is the call routing between
 the IP telephone  the Analog phones to both locations.
 I am bit confused, and not sure to use which type of
 Gateway Types ( MGCP, or H.323) for the 3660 Routers.
 I read that MGCP is being used for mainly FXS/ FXO ports.

 I am using an R2 Digital Signalling for the NM-HDV card.
 I have enclosed the config of the main location, the same
 carries for the remote location too.

 Request your sugesstion / Comments on this.

 Regards.. Anil



 Current configuration:
 !
 version 12.1
 service timestamps debug datetime msec
 service timestamps log uptime
 no service password-encryption
 service udp-small-servers max-servers no-limit
 !

 !
 enable secret 5 $1$QdNt$.YqZyaiFoHfFW.ZP1yHzG/

 !
 !
 !
 !
 !
 memory-size iomem 10
 voice-card 2
 !
 ip subnet-zero
 ip dhcp ping timeout 2000
 ip dhcp relay information option
 !
 ip dhcp-server 179.65.51.20
 lane client flush
 isdn switch-type primary-net5
 cns event-service server
 !
 !
 voice class permanent 10
 signal pattern idle transmit 0001
 signal pattern idle receive 0001
 !
 !
 !
 !
 !
 !
 controller E1 1/0
  framing NO-CRC4
  clock source internal
  channel-group 1 timeslots 1-31
  description connected to Branch
 !
 controller E1 2/0
  framing NO-CRC4
  clock source internal
  ds0-group 0 timeslots 1-15,17-31 type r2-digital dtmf dnis
  description CONNECTED TO NORTEL EPABX
 !
 !
 !
 interface Multilink1
  ip address 192.168.0.2 255.255.255.252
  ip helper-address 179.65.51.20
  ip directed-broadcast
  ip tcp header-compression iphc-format
  no ip mroute-cache
  fair-queue 2048 2048 1000
  no cdp enable
  ppp multilink
  ppp multilink fragment-delay 20
  ppp multilink interleave
  multilink-group 1
  ip rtp header-compression iphc-format
  ip rtp priority 16384 16383 1488
 !
 interface FastEthernet0/0
  ip address 179.65.51.1 255.255.0.0
  ip helper-address 179.65.51.20
  ip directed-broadcast
  no ip mroute-cache
  speed auto
  half-duplex
  no cdp enable
 !
 interface Serial1/0:1
  no ip address
  ip helper-address 179.65.51.20
  ip directed-broadcast
  encapsulation ppp
  ip mroute-cache
  no fair-queue
  ppp multilink
  multilink-group 1
 !
 ip classless
 ip route 0.0.0.0 0.0.0.0 192.168.0.1
 no ip http server
 !
 dialer-list 1 protocol ip permit
 dialer-list 1 protocol ipx permit
 no cdp advertise-v2
 !
 snmp-server engineID local 000902024B24BF30
 snmp-server community public RO
 snmp-server packetsize 2048
 !
 voice-port 2/0:0
  no modem passthrough
  cptone GB
 !
 dial-peer voice 100 voip
  destination-pattern 125T
  session target ipv4:192.168.0.1
  codec g711alaw
  ip precedence 5
 !
 dial-peer voice 10 pots
  destination-pattern 116T
  port 2/0:0
  forward-digits all
 !
 !
 line con 0
  transport input none
 line aux 0
 line vty 0 4
  exec-timeout 20 0
  login
 !
 end

 HO#


 __
 Do You Yahoo!?
 Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
 http://geocities.yahoo.com/ps/info1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27781t=27533
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: IP telephony [7:27533]

[Patrick Donlon]

As Matthew said looks like you've got every thing already, all you have to
do is set up the call routing, simple

Cheers

Anil Kumar  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi All,

 For a customer i have implemented an Voip and Ip telephony
 between two office with Cisco Call Manager 3.0. I need to
 intergrate the CCM with Normal PBX phones, so that users
 can dail to the normal telephone to Ip telephone.

 For the Voip i am using Cisco 3640 and 3660 Routers with
 NM-HDV cards and both the HDV cards are connected to Nortel
 PBX.

 Need help/sugesstion on this.

 Thanks in Advance.

 Regards.. Anil


 =
 Thanks  Regards

 V Anil Kumar

 __
 Do You Yahoo!?
 Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
 http://geocities.yahoo.com/ps/info1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27661t=27533
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: AS5300 problem [7:27432]

[Patrick Donlon]

See my comments below

cheers
Pat


Chong Chun Wei (Central)  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi all,

 I'm facing some problems with the AS5300 gateway. I suspect there is some
 problem when i try to monitor the resource statistic from the gateway.
Below
 is the output that i get.

 Cisco# sh call resource voice stats

 DSP statistics:
 total channels: 120
 inuse channels: 34
 disabled channels: 0
 pending channels; 0
 free channels: 86

 DS0 Statistics:
 total channels: 124
 addresable channels: 90
 inuse channels: 10
 disabled channels: 0
 free channels: 80

 There are few questions pertaining to the above:

 1. why is the inuse channels of DS0 so low compared to the inuse channels
of
 DSP?
 2. why is the addressable channels for DS0 is 90 only since the total
 channels are 120???
Have you checked the capabilty of the voice cards, you can get medium and
high complexity cards which support different numbers of channels.

 3. why is the total channels of DS0 is 124, shouldn't it be 120???

Presumably the 4 channels are used for signalling



 Cheers,
 Alvin Chong
 CCNA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27435t=27432
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

CCIE bootcamps [7:27180]

[Patrick Donlon]

Hi everyone

can anyone recommend a boot camp for the UK, I'm thinking about taking one
for the written exam to kick start my studies,

cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27180t=27180
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: IOS PROBLEM!! [7:26978]

[Patrick Donlon]

Suleman

your IOS probably doesn't support Eigrp, go to the Cisco IOS feature
navigator and do a search on EIGRP and you'll get a list of the IOS that
support EIGRP, if your IOS version is not in there then you'll have to
download a new IOS

Cheers
Pat
suleman ibrahim aboo  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi All,

 just a quick question, I have a small cisco 800 series at
 home, with 4 port hub and a BRI, I've just started to go through the
config
 exercises in the books and one question has cropped up from last night.
 When I try and enable IGRP, 'router(config)#router igrp 20' it tells me
 this is an unknown protocol, what have I done, or what is missing? RIP
 config works, no problem.

 I know your going to ask what ver of IOS, as I'm not in front of the
console
 but I know its above 12.

 Please advise,

 -suleman




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26986t=26978
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: OFF TOPIC SHIPPING LAB KIT FROM U.S. TO U.K. [7:26987]

[Patrick Donlon]

Micheal

I've not exactly had the same experience but I've had equipment shipped
before from the US where EU duty had to be paid before customs would release
it, the goods were purchased for the company's own use. I had this in
Holland and Germany and  customs won't release it until they get the funds
in their bank or a cheque in hand, hope this helps

cheers

Pat

Michael Ibidunni  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Folks,
   I was wondering if any one in the U.K. has bought any cisco kit for
 Lab purposes from the states and had it shipped down here? I want to find
 out what happens at this end with customs.

 Thanx in advance
 Michael Ibidunni
 Senior Systems Engineer
 Business Data Services
 City  M25 Team
 NTL:
 Tel:0207 562 5800
 Mobile: 07866 625922
 Email:   [EMAIL PROTECTED]





 The contents of this email and any attachments are sent for the personal
 attention
 of the addressee(s) only and may be confidential.  If you are not the
 intended
 addressee, any use, disclosure or copying of this email and any
attachments
 is
 unauthorised - please notify the sender by return and delete the message.
 Any
 representations or commitments expressed in this email are subject to
 contract.

 ntl Group Limited




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26990t=26987
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cisco ACS and Radius Proxy [7:26826]

[Patrick Donlon]

Hi All

has any configured a Cisco ACES server proxy with a Radius server? I've had
a search on the CCO and can't seem to find any useful reading and
configurations, any tips or advice welcome

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26826t=26826
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Pix question [7:26832]

[Patrick Donlon]

Ramesh

No you don't need to config NAT, secondly to open up all ports for a host,
as a source to any where, try this acl
access-list acl_inside permit tcp host 192.10.1.1 any

For some more info have a look at the CCO
http://www.cisco.com/warp/customer/707/

cheers Pat

Ramesh c  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 1) I got a pix in test(all internal) environment (configured as
 outside,inside and DMZ).Do I need to use NAT to connect to the outside
 segment from inside  or vice versa.Since Pix can act as a router ,will
 enabling routing solve this purpose without use of NAT.Applying access
list
 later  for security.

 2)I want to open all the ports of TCP connection for a particular host.How
 do I go about?


 cheers
 Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26833t=26832
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Cisco TACACS+ Problem [7:26783]

[Patrick Donlon]

Have you checked the keys are the same in the server and router, also check
the source IP address the router is using and that which is in your server's
entry for the router. Check the logs on your TACACS server, otherwise I
think more info is needed

cheers


 wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 I have configured a number of routers to authenticate to the TACACS+
 server we have on site.  some routers get the login prompt and some dont
 and at time others do.

 Has anyone got any ideas to this.

 *** Thomas Jreige
 *** Communications Engineer
 *** CSC Network Services, Wollongong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26834t=26783
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

What IOS to choose? [7:26852]

[Patrick Donlon]

Hi All

I'm looking at upgrading the IOS for a couple of 7204 routers so that they
can support SSH, I'm after a bit of info' on a good method of selecting the
IOS to upgrade to.
I've searched the CCO and found that I need an IPSec version, say the
Enterprise IPsec with 3Des, I then get a list of IOS to choose from, easy
enough. I would like the most stable IOS possible for our situation, so I
picked out an IOS 12.1(5)T9, I choose this on the basis of memory
requirements alone and the presumption that the earlier versions (T - T8)
may have had more bugs. I've then done a search on the bug tool to check for
known bugs, and I didn't get any with this specific version. Can anyone else
help me with the selection of the IOS, like what else to search for or check
before deploying it

cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26852t=26852
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Load balancing with Win2k and Cat6k [7:24494]

[Patrick Donlon]

Thanks George I'll watch out for that,


George Murphy CCNP, CCDP  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Just an FYI, last week our server guys at the campus fired up a Win2k
 load balancing scenario and it was spewing multicasts like a bat out of
 hell and made parts of the network inaccessible, like printers, an ISDN
 128k link, etc. We were using Observer to sniff. Now we have put the
 little monsters in there own VLAN. the highway is smooth now with
 the HOV lane in operation ;-)

 Jonathan Hays wrote:

 Patrick Donlon wrote:
 
 had a look on the CCO, m'soft and HPs site but I can't see much relevant
 info, can any provide some info or experience on this
 
 
 Really? I searched www.microsoft.com/technet with the phrase network
 interface load
 balancing and came up with quite a few hits discussing load balancing
 (e.g.,
 Configuring Network Load Balancing Q240997).
 
 You may get more help on your problem from a Microsoft newsgroup. It's
hard
 to see how
 this is a Cisco ACS problem; it seems more like a Microsoft Windows
problem.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24766t=24494
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Load balancing with Win2k and Cat6k [7:24494]

[Patrick Donlon]

Thanks George I'll watch out for that,


George Murphy CCNP, CCDP [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Just an FYI, last week our server guys at the campus fired up a Win2k
 load balancing scenario and it was spewing multicasts like a bat out of
 hell and made parts of the network inaccessible, like printers, an ISDN
 128k link, etc. We were using Observer to sniff. Now we have put the
 little monsters in there own VLAN. the highway is smooth now with
 the HOV lane in operation ;-)

 Jonathan Hays wrote:

 Patrick Donlon wrote:
 
 had a look on the CCO, m'soft and HPs site but I can't see much relevant
 info, can any provide some info or experience on this
 
 
 Really? I searched www.microsoft.com/technet with the phrase network
 interface load
 balancing and came up with quite a few hits discussing load balancing
 (e.g.,
 Configuring Network Load Balancing Q240997).
 
 You may get more help on your problem from a Microsoft newsgroup. It's
hard
 to see how
 this is a Cisco ACS problem; it seems more like a Microsoft Windows
problem.




 Message Posted at:
 http://www.groupstudy.com/form/read.php?f=7i=24680t=24494
 --
 FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
 Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Load balancing with Win2k and Cat6k [7:24494]

[Patrick Donlon]

Hi everyone

I'm trying to setup a ACS server for fault tolerance/load balancing (I'm not
sure if they are separate features or work together) connected to two Cat
6Ks. The ACS is a HP netserver and was already set up with two NICs and a
virtual interface before I got my hands on it. The nics are connected to
separate switches each in the same vlan, with a trunk between the switches.
When I plug the two interfaces into the switch only one of the interfaces
actually works, any frames sent to the other nic are lost I presume. I've
had a look on the CCO, m'soft and HPs site but I can't see much relevant
info, can any provide some info or experience on this

Cheers Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24494t=24494
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ISDN Calls from Pots? [7:21738]

[Patrick Donlon]

Mike's correct, I'm sure you need digital modems to allow an ISDN interface
to access analogue calls, as in an access server.

regards


Mike Sweeney  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Dont you need digital modems for the for the ISDN circuit to carry the
 voice(pots) connection?  IE.. PRI configured to use both ISDN and POTS has
a
 digital modem card for the conversion. I would imagine that a BRI line
needs
 the same type of conversion.. ie.. VoIP..

 Here is one link that talks about it.. but it's noted that DoV lines can
be
 corrupted since not all ISDN switches cna handle this properly..

 http://www.cisco.com/warp/public/793/access_dial/8.html

 Anyone else that can add to this.. please do!!!

 MikeS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=22018t=21738
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: CVOICE [7:22000]

[Patrick Donlon]

Congrats, what sort of questions did you get? I've been thinking of taking
the voice exam for sometime but haven't because I thought the exams are only
for Cisco partners and I'm working for a end user at the moment.

Regards

Patrick

Cisco Breaker  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Passed . Questions about ports on 36xx and 26xx series was hard.

 best regards,


 Cisco Breaker  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  I am taking CVOICE exam in a few hours. Any last minute advice would be
  appraciated.
 
  Best regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=22062t=22000
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cat 6000 [7:21845]

[Patrick Donlon]

We have a couple of Cat 6Ks running IOS, when CRT terminal software is
starting from a PC with the console cable connected it goes into rom monitor
mode. Anyone know the reason for this, I haven't found anything on the CCO
yet

regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21845t=21845
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VoIp over 64K leased line [7:21532]

[Patrick Donlon]

Yes over the internet, but not over 64k lines in production. The principle's
the same but you've just got less capacity and you'll be more reliant on qos
and queuing. What exactly do you want to know?

regards

Pat

MJ  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hello everyone ,

 Has anyone here has implmented VoIp over 64K digital leased lines over the
 internet ?

 Would you like to share your experience here .. ?


 Mukul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21545t=21532
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: TCP H.225 [7:21519]

[Patrick Donlon]

Matthew here's a little info on the ports used in h323:

To set up a voice connection, the initiator starts a H.225 connection over
TCP to the destination entity (normally the gatekeeper) at port number 1720.
In this session a port number for the following H.245 connection is
exchanged.  The initiator opens in the next step a H.245 connection to the
gatekeeper over TCP (ephemeral port), in which ports for the actual voice
traffic between two H.323 terminals are exchanged.  While the H.225
connection could be torn down after the H.245 ports have been exchanged, it
will in practice stay up until the call is over.
The gatekeeper itself will also open connections to the terminating H.323
terminal in order to be able to negotiate the ports that should be used
between the initiating and the terminating H.323 terminal.
Other TCP ports used for RAS services are 1718 (H.323 gatekeeper discovery)
and 1719 (H.323 gatekeeper registration and status).


regards Pat

Matthew Webster  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi all,

 I am a recent CCNA graduate, and am about to tackle the challenges of the
 CCNP Routing 2.0 exam. Look forward to asking/providing help where
possible!

 Anyway, I have a question - does anyone know the ITU spec, or RFC that
deals
 with TCP ports for H.225 RAS messages. I know that port 1719 is used for
 ARQ's and ARC's, but am not sure what port 1720 is used for...here is part
 of the Etherpeek trace:

 TCP - Transport Control Protocol
   Source Port:  64642
   Destination Port: 1720  RAS  Transport Layer Service Access Point

 can anyone help?

 cheers,
 Matthew.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21546t=21519
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: VoIp over 64K leased line [7:21532]

[Patrick Donlon]

Hardware, we used AS5300 as PSTN gateways located in various countries to
terminate off-net traffic, they had up to 4 x E1s and were connected to, or
close to, the backbone which had v.high throughput. For the on-net traffic
1750, 2600, 3600  as5300s were used. The local tail connections to the
internet were fairly high capacity again, no less than 2MB, we tested much
lower speeds in the lab though.
QOS is very difficult across the internet so only the local tail was worked
on, had to rely on bandwidth after that. The best qos results in testing
were with cbwfq/llq BUT in most places the routers the CPE connects to don't
support these features and you only have the tos bit to place with.
Codecs used were g711 (80k or 65k per call) as standard and g729 (24k or 12k
per call), if asked for. We never had any major problems with quality of
calls, most people couldn't tell the difference with g711. Generally if
there were problems it occurred in the call set up.
For call set up we used a 3rd party gatekeeper solution, don't bother, it
was a very good idea, i.e.. not being tied to one supplier and using open
standards as much as you can with voip, but it didn't always work. Cisco's
gatekeeper was a joke about a year ago, it may be better now, but you can do
it all manually if you haven't got to many sites as a last resort.

Hope this answers some questions


Regards

MJ  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Just wanted to ask you what hardware you have implemented ?
 What is the bandwidth ?
 How many channels ?

 Any please tell us about your experience to us since I am also looking to
 implement the same.


 Mukul


 Patrick Donlon  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Yes over the internet, but not over 64k lines in production. The
 principle's
  the same but you've just got less capacity and you'll be more reliant on
 qos
  and queuing. What exactly do you want to know?
 
  regards
 
  Pat
 
  MJ  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
   Hello everyone ,
  
   Has anyone here has implmented VoIp over 64K digital leased lines over
 the
   internet ?
  
   Would you like to share your experience here .. ?
  
  
   Mukul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21550t=21532
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Wireless NICs [7:21568]

[Patrick Donlon]

I'm testing out a Cisco Aironet 340 access point, it's working fine with
Win2k and a handheld Ipaq. However when I try to set-up an NT machine I
don't get an IP address from the dhcp server. The client tells me it's
associated, the only difference I can see on the status between the Win2K
and NT is that the NT machine has ETSI as the channel set whereas win2k has
North America. I've tried different NICs and NT drivers, also occasionally I
see a message saying that WEP is not purchased or enabled in the Network
security tab on the ACU properties, help!!


regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21568t=21568
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: EIGRP network design [7:21019]

[Patrick Donlon]

The firewalls are for the internet and the intranet. At the moment I
thinking of using statics on the outside of internet firewall and possible
using RIPv2 for the inside. For the intranet I'm considering using RIP on
both sides, but statics haven't been ruled out for either firewall

regards

Chuck Larrieu  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 my question was the design itself - why are there firewalls at all these
 branches if this is an internal network? firewalls generally would be
placed
 at network edges? Is this a VPN solution?

 otherwise, if this is an issue of placing security zones throughout a
 corporate network, I would make each zone self contained, with static
routes
 into the other zones. I'm not so sure I would want to be running routing
 protocols through a firewall, if for no other reason than that the routing
 updates could be sniffed, and would reveal more that should be revealed
 about network structure.

 Chuck

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Priscilla Oppenheimer
 Sent: Wednesday, September 26, 2001 10:08 AM
 To: [EMAIL PROTECTED]
 Subject: Re: EIGRP network design [7:21019]


 RIPv1 sends to 255.255.255.255. RIPv2 sends to 224.0.0.9. They both use
UDP
 port 520. Both the source and dest ports are 520.

 Are you sure static routes wouldn't be the best bet, though? I haven't
 followed the entire discussion, so if that's off the wall, just ignore it.

 Priscilla


 At 09:09 AM 9/26/01, Carroll Kong wrote:
 Hm.  If you are that worried about internal security, you should probably
 make an ACL that allows only the redistributing router's ip, deny all
other
 udp port 520 reqs (for ripv1, or multicast 224.0.0.5?  re-check what it
 uses).  Also, you might need to write some no nat rules to avoid nat.
That
 might be more work than statics.
 
 Yes, IPs are spoofable, and so are MAC addresses.  If your internal
 security helps avoid this (easy to do), then an ACL for Rip updates
should
 be fairly secure.
 
 At 04:41 AM 9/26/01 -0400, Patrick Donlon wrote:
  Yes the firewalls are all PIX. For the PIX can I set up the PIX to
 receive
  RIP routes redistributed from the EIGRP routers? If so this will save a
 lot
  of admin work, but will this be a security risk, ie. someone being able
 to
  inject routes into the PIX?
  
  regards
  
  Carroll Kong  wrote in message
  [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
What kind of firewalls?  Pix?  If so, try RIP v2 with redistribution
 into
your routers.  As for discontiguous networks, there are many ways
 around
that, with a different cost associated of course.
   
At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:
Hi everyone

I've got a project where I have to design and implement EIGRP in a
 small
  to
medium sized network of about 50 to 70 routers. One of my main
 problems
  is
what to do with routing updates at the firewalls at each site,
should
  they
be allowed to pass through the firewall or should statics be used
 either
side of the firewalls. Another problem I can see is the routes on
the
firewalls, is there a way to avoid having to type all those route
 entries
  in
them, the network has many discontiguous networks. And one last
point
 is
  the
redistribution to the BGP routers at the edge of the network I'm
 after
  some
tips, experiences and URLs so I can read around the subject myself

Regards Pat
-Carroll Kong
 -Carroll Kong
 

 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21269t=21019
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Voice over IP specific [7:21031]

[Patrick Donlon]

Looking at what your doing you should be able to dial only once and reach
the client on the other side. From my experience you would never have to
dial an access code at each stage. I've got some sample config's with pots
ports and lots of isdn configs, if you have any more specific questions let
me know,

regards

Cisco Breaker  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Hi All,

 We have a customer that wants a implementation of voice over ip. Their
dial
 plan will be like this.

 A-clients --pbx--router--voip--router--pbx--Bclients
|
|
   router
   |
PBX
   |
   Cclients

 Normally if an A client want to reach a client from B, they dial 66 and
from
 PBX or FXS they get a line and dial 76 and reach the corresponding route
 rfrom voip and dial 86 to reach PBX and the last step they dial the
Bclients
 expansion number 801. My question is this, Is it possible to only dial
once
 and reach the corresponding Bclient from A without PLar (cause A client
will
 Cclients too)? I want to appoint   ony one number and make it dial all
 66,76,86,801 with  commas ofcourse cause there is a waiting time over
PBXs.

 Best regards,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21113t=21031
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: EIGRP network design [7:21019]

[Patrick Donlon]

Yes the firewalls are all PIX. For the PIX can I set up the PIX to receive
RIP routes redistributed from the EIGRP routers? If so this will save a lot
of admin work, but will this be a security risk, ie. someone being able to
inject routes into the PIX?

regards

Carroll Kong  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 What kind of firewalls?  Pix?  If so, try RIP v2 with redistribution into
 your routers.  As for discontiguous networks, there are many ways around
 that, with a different cost associated of course.

 At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:
 Hi everyone
 
 I've got a project where I have to design and implement EIGRP in a small
to
 medium sized network of about 50 to 70 routers. One of my main problems
is
 what to do with routing updates at the firewalls at each site, should
they
 be allowed to pass through the firewall or should statics be used either
 side of the firewalls. Another problem I can see is the routes on the
 firewalls, is there a way to avoid having to type all those route entries
in
 them, the network has many discontiguous networks. And one last point is
the
 redistribution to the BGP routers at the edge of the network I'm after
some
 tips, experiences and URLs so I can read around the subject myself
 
 Regards Pat
 -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21114t=21019
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Aironet 340 [7:20978]

[Patrick Donlon]

Hi All

I've a Cisco Aironet 340 access point and I have a current association from
the AP to the LAN card in my laptop. However I am not getting a DHCP address
from the LAN which the AP is connected to. I'm using Win 2K and I've read a
URL about the aironet drivers needing to be 16bit not 32 bit, could this be
an issue? Also the AP gets a DHCP address for it's own interface without any
problems, can anyone help?

Regards

Patrick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20978t=20978
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

EIGRP network design [7:21019]

[Patrick Donlon]

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to
medium sized network of about 50 to 70 routers. One of my main problems is
what to do with routing updates at the firewalls at each site, should they
be allowed to pass through the firewall or should statics be used either
side of the firewalls. Another problem I can see is the routes on the
firewalls, is there a way to avoid having to type all those route entries in
them, the network has many discontiguous networks. And one last point is the
redistribution to the BGP routers at the edge of the network I'm after some
tips, experiences and URLs so I can read around the subject myself

Regards Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21019t=21019
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]