Re: Logging ICMP on a PIX [7:73232]
Yes I tried that and scared the sh!t out of myself as this produces quite a bit of output to the console ;) Even when the logging is to trap only, see below. Any more ideas as I thought I've had this working in the past but maybe on earlier versions of software,

Cheers

PIX(config)# debu icmp trace
ICMP trace on
Warning: this may cause problems on busy networks
PIX4Internet(config)#
1: Outbound ICMP echo request (len 32 id 2 seq 46102) 172.16.6.91 172.16.6.91 194.#.#.2: Inbound ICMP echo reply (len 32 id 2 seq 46102) 194.#.#.2 172.16.6.91 172.16.6.91
3: Outbound ICMP echo request (len 32 id 2 seq 46358) 172.16.6.91 172.16.6.91 194.#.#.2: Inbound ICMP echo reply (len 32 id 2 seq 46358) 194.#.#.2 172.16.6.91 172.16.6.91
no debu icmp trace
5: Outbound ICMP echo request (len 32 id 2 seq 46614) 172.16.6.91 172.16.6.91 194.26.184.42
6: Inbound ICMP echo reply (len 32 id 2 seq 46614) 194.#.#.2 172.16.6.91 172.16.6.91
ICMP trace off
PIX4Internet(config)#

PIX(config)# sh logg
Syslog logging: enabled
Facility: 19
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level debugging, 29320465 messages logged
Logging to inside 172.16.4.34
Logging to inside 172.16.4.159
History logging: disabled
PIX(config)#

wrote in message news:[EMAIL PROTECTED]

Tried debug icmp trace
And logged that information to console/syslog debugging level?

Martijn

6.2 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1028090

level Specify the syslog message level as a number or string. The level you specify means that you want that level and those less than the level. For example, if level is 3, syslog displays 0, 1, 2, and 3 messages.
Possible number and string level values are:
0-emergencies-System unusable messages
1-alerts-Take immediate action
2-critical-Critical condition
3-errors-Error message
4-warnings-Warning message
5-notifications-Normal but significant condition
6-informational-Information message
7-debugging-Debug messages and log FTP commands and WWW URLs

-Original Message-
From: Patrick Donlon [mailto:[EMAIL PROTECTED]
Sent: Wednesday 30 July 2003 10:23
To: [EMAIL PROTECTED]
Subject: Logging ICMP on a PIX [7:73232]

Does anyone know how to log ICMP traffic that is allowed through a PIX?? I can see denied ICMP no problem. I can log all my other traffic with logging trap debug set, but it can't see ICMP traffic passing through the firewall. Is this normal behaviour for 6.2(2)?

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73273t=73232
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Logging ICMP on a PIX [7:73232]
I don't really want to see all ICMP traffic as it makes me cross eyed, I can filter it on the syslog server though (if the disk isn't full). It's just that when troubleshooting connections, e.g. a vpn to an external company, icmp is normally allowed through so it would be nice to see it when setting up a connection.

George Murage wrote in message news:[EMAIL PROTECTED]

Just out of curiosity, why do you want to log *all* ICMP traffic through your PIX? At logging level 4, you should see logs for selected ICMP traffic that is characteristic of a reconnaissance attack. Anyway, I hope you have a large disk(s) on your Syslog server :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 31, 2003 2:44 PM
To: [EMAIL PROTECTED]
Subject: RE: Logging ICMP on a PIX [7:73232]

Tried debug icmp trace
And logged that information to console/syslog debugging level?

Martijn

6.2 http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1028090

level Specify the syslog message level as a number or string. The level you specify means that you want that level and those less than the level. For example, if level is 3, syslog displays 0, 1, 2, and 3 messages.
Possible number and string level values are:
0-emergencies-System unusable messages
1-alerts-Take immediate action
2-critical-Critical condition
3-errors-Error message
4-warnings-Warning message
5-notifications-Normal but significant condition
6-informational-Information message
7-debugging-Debug messages and log FTP commands and WWW URLs

-Original Message-
From: Patrick Donlon [mailto:[EMAIL PROTECTED]
Sent: Wednesday 30 July 2003 10:23
To: [EMAIL PROTECTED]
Subject: Logging ICMP on a PIX [7:73232]

Does anyone know how to log ICMP traffic that is allowed through a PIX?? I can see denied ICMP no problem. I can log all my other traffic with logging trap debug set, but it can't see ICMP traffic passing through the firewall. Is this normal behaviour for 6.2(2)?

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73281t=73232
Logging ICMP on a PIX [7:73232]
Does anyone know how to log ICMP traffic that is allowed through a PIX?? I can see denied ICMP no problem. I can log all my other traffic with logging trap debug set, but it can't see ICMP traffic passing through the firewall. Is this normal behaviour for 6.2(2)?

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73232t=73232
Content Switch and Secure Content Accelerator management [7:66144]
Hi All long time since I've been at groupstudy, I need to do some serious study too and hopefully I can answer (or try to) some q's. First off I've this problem with a content switch CSS and ssl accelerator SCA. I want to be able to manage the SCA using the web interface, this works fine on port 80 but for added security I want to use https. I've enabled the port on the SCA and created a certificate too. My ssl server for web management is set up like this

1 _webManagement_
Server Type: Normal
I.P. Address: 192.168.1.1
SSL Port: 443
Clear-Text Port: 449
Transparent Mode: off
Status: Enabled
Private Key: _webManagement_
Certificate: _webManagement_
Security Policy: default
Certificate Chain: N/A

On my CSS I've set up service for port 443 and 449. When I try to view the page I get the Security Alert for the private cert then nothing happens. If anyone would like to see the CSS config I can paste that too

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66144t=66144
STP Managing Cat6 switches on the internet/intranet [7:58122]
Hi All I'm after some ideas on how I should configure the network to allow me to manage some Cat6k's which provide connectivity for internet and intranet based equipment. I don't want routing on the switches as this may bypass the firewalls, and I don't want the switches on the same VLAN as the internal VLAN 1 where all the HPOV Cw2000 systems are.

A colleague had previously connected two switches from VLAN1 to our internal VLAN1 with a Cat 2912 (running almost in default config) in between, spanning tree was set to default and mls too. The big problem came when two Cat6Ks were connected from VLAN1 to VLAN1 on the internal LAN, same again with default spanning tree and mls. This caused major problems, stp looked OK, just, the core switches were still the root bridge but I think mls may have been a factor. If anyone would like to explain exactly how mls works with stp and how to avoid such problems then let me know.

So I now want to know the best way to manage these from a separate VLAN with no routing. What is everyone else doing out there?

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58122t=58122
Re: Cat 6 upgrade [7:57551]
what I meant was from the IOS from routing blade/rp/msfc (was probably trying to save on typing!!) when running in hybrid mode, the 6k can't see the flash. But when upgrading from the hybrid to native it can't see the flash until the IOS images are loaded, so when the SP changes console ownership to the RP and enters rommon mode that's where I got stuck.

MADMAN wrote in message news:[EMAIL PROTECTED]...

Patrick Donlon wrote:

I eventually worked it out. It seems that you can't see a flash card on a RP on a 6000. I'd done a lot of testing with a loaned 6500 for upgrading from Cat OS Hybrid IOS and back again, just in case. On the 65 you can see the flash and so boot from it in rommon, which is great because I can leave my old images on the bootflash. On the 6000 though, no go, so I had to clear out my bootflash and hope that I didn't have to revert back and use all x modem etc. Strange thing was though that I have 4 identical 6Ks, 2 with Cat OS and the other 2 with native IOS, the Cat OS 6ks couldn't see the flash card in the RP but could with the SP, the IOS ones could see it no prob's.

I have a 6500 in both hybrid and native modes since we have customers doing both. I am not sure what you mean when you say you can't see the RP in the cat running OS. The RP and SP convention are particular to native mode. When running catOS the RP is the MSFC and you session/switch console to it and from there look at its flash. In native there is no clear delineation between the two, it's one big router.

I couldn't find anything on the CCO about this, maybe it's not possible on the 65 to see the flash from the RP - I don't have one to test, but my documentation was (at least I thought it was before Sat') pretty comprehensive on the upgrade process. I know there are issues with the naming in the SP and RP and adding sup- to the device name. From your email it looks like you can, have you tried this running hybrid or only native?

Again what do you mean from the RP? Here is what you can do from the router in native mode. The dir bootflash looks at the RP bootflash, sup-bootflash and sup-slot0 are the sup cards bootflash and PCMCIA card respectively. Slot0: is identical to the sup-slot0:. Some of the others must be future stuff as they don't work

Native6506#dir ?
/all                 List all files
/recursive           List files recursively
all-filesystems      List files on all filesystems
bootflash:           Directory or file name
const_nvram:         Directory or file name
flash:               Directory or file name
null:                Directory or file name
nvram:               Directory or file name
slavebootflash:      Directory or file name
slaveconst_nvram:    Directory or file name
slavenvram:          Directory or file name
slavercsf:           Directory or file name
slaveslot0:          Directory or file name
slavesup-bootflash:  Directory or file name
slot0:               Directory or file name
sup-bootflash:       Directory or file name
sup-image:           Directory or file name
sup-microcode:       Directory or file name
sup-slot0:           Directory or file name
system:              Directory or file name

Native6506#dir sup-image:
%Error opening sup-image:/ (No such device)
Native6506#Native6506#dir sup-image:

dave

Cheers Pat

MADMAN wrote in message news:[EMAIL PROTECTED]...

What are you typing?

Native6506#dir bootflash:
Directory of bootflash:/
1 -rw- 7110024 Mar 29 2002 12:48:52 c6msfc2-js-mz.121-4.E1
2 -rw- 1611604 Mar 29 2002 12:49:42 c6msfc2-boot-mz.121-4.E1
3 -rw- 528259 Mar 28 2002 07:19:26 DRACO2_RM2.srec.121-4r.E

shows the bootflash of the MSFC or RP in this case. a dir slot0: will show the contents of the PCMCIA card in the SUP module:

Native6506#dir slot0:
Directory of slot0:/
1 -rw-14780268 Oct 14 2002 10:36:19 c6sup12-js-mz.121-13.E.bin

Dave

Patrick Donlon wrote:

Hi I'm upgrading a CAT6 from OS to IOS but I can't see my flash card in the route processor. I have another switch on CatOS and I can't see the flash either, any tips???

Cheers Pat

--
David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367
You don't make the poor richer by making the rich poorer. --Wins
Re: Cat 6 upgrade [7:57551]
I eventually worked it out. It seems that you can't see a flash card on a RP on a 6000. I'd done a lot of testing with a loaned 6500 for upgrading from Cat OS Hybrid IOS and back again, just in case. On the 65 you can see the flash and so boot from it in rommon, which is great because I can leave my old images on the bootflash. On the 6000 though, no go, so I had to clear out my bootflash and hope that I didn't have to revert back and use all x modem etc. Strange thing was though that I have 4 identical 6Ks, 2 with Cat OS and the other 2 with native IOS, the Cat OS 6ks couldn't see the flash card in the RP but could with the SP, the IOS ones could see it no prob's.

I couldn't find anything on the CCO about this, maybe it's not possible on the 65 to see the flash from the RP - I don't have one to test, but my documentation was (at least I thought it was before Sat') pretty comprehensive on the upgrade process. I know there are issues with the naming in the SP and RP and adding sup- to the device name. From your email it looks like you can, have you tried this running hybrid or only native?

Cheers Pat

MADMAN wrote in message news:[EMAIL PROTECTED]...

What are you typing?

Native6506#dir bootflash:
Directory of bootflash:/
1 -rw- 7110024 Mar 29 2002 12:48:52 c6msfc2-js-mz.121-4.E1
2 -rw- 1611604 Mar 29 2002 12:49:42 c6msfc2-boot-mz.121-4.E1
3 -rw- 528259 Mar 28 2002 07:19:26 DRACO2_RM2.srec.121-4r.E

shows the bootflash of the MSFC or RP in this case. a dir slot0: will show the contents of the PCMCIA card in the SUP module:

Native6506#dir slot0:
Directory of slot0:/
1 -rw-14780268 Oct 14 2002 10:36:19 c6sup12-js-mz.121-13.E.bin

Dave

Patrick Donlon wrote:

Hi I'm upgrading a CAT6 from OS to IOS but I can't see my flash card in the route processor. I have another switch on CatOS and I can't see the flash either, any tips???

Cheers Pat

--
David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367
You don't make the poor richer by making the rich poorer. --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57626t=57551
Cat 6 upgrade [7:57551]
Hi I'm upgrading a CAT6 from OS to IOS but I can't see my flash card in the route processor. I have another switch on CatOS and I can't see the flash either, any tips???

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57551t=57551
Cisco CSA 11000 [7:57047]
Can someone enlighten me on the upgrade of a CSA 11000, I've read the doc's and the file naming conventions are confusing. I want to upgrade to rid the box of the Open SSL vulnerability

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57047t=57047
Re: Access list on dialer interface [7:56584]
Could be the direction of the traffic, your acl is applied to incoming traffic only, try outgoing instead

cheers Pat

Duncan wrote in message news:20021033.LAA31424;groupstudy.com...

Hi all

I am having a strange problem with an access-list on a dialer interface. Although the access list is applied to the interface it does not seem to be denying the packets specified. Is there something odd about access-lists on dialers that I have missed? Below is the config in question:

interface Dialer2
 description X
 ip address 10.252.248.1 255.255.255.252
 ip access-group 101 in
 no ip directed-broadcast
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 900
 dialer map ip 10.252.248.2 name XXX
 dialer load-threshold 20 either
 dialer-group 1
 no peer default ip address
 no cdp enable
 ppp authentication ms-chap chap
!
!
access-list 101 permit tcp any host 10.7.1.1 eq telnet
access-list 101 deny ip any any log

Any ideas?

Duncan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56585t=56584
Re: FXO vs other Analog Voice Card [7:56536]
Paul you can use a prefix command and say prefix 333 when you've matched on that. There is a forward-digits command also but you'll have to do a search to see exactly how it works as I've not used

cheers Pat

Paul Oh wrote in message news:200210301728.RAB17727;groupstudy.com...

Hello All,

When FXO receives a phone call, it strips out corresponding called-number that matches destination pattern settings.. For instance, If call string that matches 333 , it will strip 333 and pass on last four digit. If there is next hop voip router only sees last four digit. (Isn't that correct?) Now, how can we make that happen for EM card? (VIC-2EM)? digit-strip is enabled by default, but next router only sees 333- instead of . Help me out. Thank you.

-Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56593t=56536
Re: Intermittant PIX error ... [7:56404]
Have you any logging turned on to see what is going wrong when you try to connect? Sounds like the authentication is failing somewhere not a reachability problem.

Good luck Pat

Paul wrote in message news:200210281240.MAA32077;groupstudy.com...

Yeah, thanks AMR ... what a great help you are !!!

- Original Message -
From: AMR
To:
Sent: Monday, October 28, 2002 12:02 PM
Subject: Re: Intermittant PIX error ... [7:56404]

This description is vague at best.

Paul wrote in message news:200210281035.KAA21202;groupstudy.com...

Hi guys ...

Intermittently I get the following error when trying to telnet to a Pix:

Router_1#telnet 10.1.1.1
Trying 10.1.1.1 ...
% Connection refused by remote host

I can ping the Pix fine when this happens, this usually lasts only for several minutes (but worries me none the less) ... then all of a sudden the telnet session works

I can't find much on the Cisco website

Does anyone have any ideas, or has anyone experienced this themselves ???

Regards Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56409t=56404
Config Cat 5K GBIC interfaces [7:56410]
Does anyone have experience connecting a Cat 5K g-bit interface to a Fluke's g-bit interface? Can't seem to get any layer 3 comms, here's the show interface below. NOTE the interface is NOT connected, when it is though the status is Connected and all the relevant LEDs light up and the cable tests are passed on the fluke OK

Cheers Pat

(enable) sh port 5/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 5/1  FLUKE Optiview     notconnect 1          normal   full  1000 1000BaseSX

Port  Trap     IfIndex
----- -------- -------
 5/1  disabled 456

Port  Broadcast-Limit Broadcast-Drop
----- --------------- --------------
 5/1                -              0

Port  Send FlowControl    Receive FlowControl   RxPause TxPause Unsupported
      admin    oper       admin    oper                          opcodes
----- -------- --------   -------- --------     ------- ------- -----------
 5/1  desired  off        off      off          0       0       0

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 5/1           0          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 5/1           0          0          0          0         0         0         0

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56410t=56410
Re: hate cisco's new site? [7:56236]
It stinks, it doesn't even use the same look throughout, why bother?

Tim Metz wrote in message news:200210250414.EAA05528;groupstudy.com...

I used to bitch about the old one and am now totally screwed... I guess I'll learn to like it ;-(

Tim

sam sneed wrote in message news:200210241956.TAA01985;groupstudy.com...

Am I the only one that hates Cisco's new site? I can't find anything that I'm looking for on there. It's driving me up the wall.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56263t=56236
Etherchannel [7:56284]
Should I enable or disable spanning tree or set to port fast on fast etherchannel ports connected to a windows server?

cheers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56284t=56284
OT: Windows meltdown??? [7:56190]
We had an interesting situation develop yesterday, about mid morning the helpdesk manager reported a major problem with the network. Checked the network with HPOV and some basic stuff on the core switches to check cpu, peaks, etc. All was fine. Spoke to the NT team and it seems two servers are having problems, a file server and a BDC. After some investigation (event log checking probably) they tell me that the problem is caused by a machine becoming the master browser.

So a man hunt begins for a machine (a non standard one from the name found for the machine) on a VLAN which was separate from the VLAN the servers sit on. The machine was not responding to pings and was probably not even being used! Eventually the user came back to his machine mid afternoon and we find the port being used and the NT guys disable his Computer Browser. In between finding the machine the two offending servers had to be re-booted to fix their mystery problems.

From what I know about the browser this shouldn't cause a problem on the network and if it does only with the windows machines in that subnet (please feel free to correct me). Also XP has default registry settings to prevent it becoming the master browser - yep the guy was using XP (Japanese edition). Has anyone else had such a meltdown on their Windows environment because of such problems or is this just a case of apportioning blame to an outsider?

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56190t=56190
Re: PIX failover problem [7:56199]
I think you've got your config correct, when any of the interfaces go down on the active PIX it will switch into standby. So when you reboot the standby it will cause this to happen, the documentation does say you should use a separate switch for the failover NICs which should prevent this, http://www.cisco.com/warp/customer/110/failover.html . Do you use a failover cable as well, I would have thought the primary would prevent the failover but I'm not 100 percent sure.

Cheers Pat

Vamsi Krishna wrote in message news:200210241235.MAA05012;groupstudy.com...

Hi,

We are facing a strange problem with PIX failover. We have two PIX 525 (OS 6.0.1) in failover configuration. When the standby PIX is rebooted for maintenance reasons, it came up and became the Active PIX (which should not happen). The active PIX showed stateful failover link failed and so the PIX was in failed state. Both the PIX are connected through a stateful failover link (100Mbps) using a Crossover cable.

Is it a problem because both the PIX are connected using a crossover cable? Is it recommended to connect through a switch? Has anyone faced a similar problem?

Regards, Vamsi

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56216t=56199
Re: ATT MPLS network ? [7:56187]
We've been using their mpls service in europe for the past 3 months and it's been great so far. Only problems have been with the telco's local tails.

Ryan Finnesey wrote in message news:200210240551.FAA23094;groupstudy.com...

Is anyone using ATT MPLS ( it is also called eVPN or IP-enabled Frame Relay )network to link offices and also running VoIP ? If so any problems ? I am looking to link office in India, Mexico New York and also Boston.

Ryan.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56213t=56187
CW2k ANI server [7:55790]
Hi All I'm in the process of setting up CW2k ANI server, it's version 3.1 running on Solaris, and I can't get the front end apps in Campus Manager to load. I think it's some sort of DNS problem but I'm lost as how to fix it, if it is the problem at all. The server is running OK, I can check this in the Diagnostics for ANI Server, I've tried to restart the server, run CW2k on different machines (Netscape/Solaris IE/XP) with the same results. I've amended the local hosts file to have the first entry for the url on the Solaris machine, after that I can't seem to find much info, any ideas??

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55790t=55790
AAA on a PIX [7:53076]
I configured AAA on a number of PIX firewalls, ver 5.3(2), everything worked great in initial testing so it was installed in the production. We use an ACS and RSA to authenticate the administrators when they log in to PIX with ssh, simple enough. However quite often we would find that the passcode entered would be rejected, after the third failure you would then have to re-sync your token with the server to be able to use it again. We have lots of other Cisco equipment with and without ssh and it's only on the PIX that we see this problem, has anyone else experience of these problems with the combination of PIX and ACS

cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53076t=53076
7204vxr port adaptor [7:52974]
Hi All I'm configuring a 7204vxr to back up a leased line, I've inserted a port adaptor card with 4E1 interfaces (PA-4E1G). I loaded a new version of IOS that supported the interface, 12.1(1a)T1, so that the router now recognises the card. I'm trying to configure the interface for ISDN/E1 and I can't enter the controller command to config the D channel. Looks like an unsupported feature I thought so I've double checked and the features for isdn/dial all seem to be supported by the IP version. I hope that I'm missing something very simple and can avoid a reload, here's the show version, any ideas

thanks Pat

#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-IS-M), Version 12.1(1a)T1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Sat 01-Apr-00 02:20 by ccai
Image text-base: 0x60008900, data-base: 0x61526000

ROM: System Bootstrap, Version 12.2(1r) [dchih 1r], RELEASE SOFTWARE (fc1)
BOOTFLASH: 7200 Software (C7200-BOOT-M), Version 12.0(13)S, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

RouterX uptime is 2 days, 1 hour, 35 minutes
System returned to ROM by reload at 10:03:55 MEST1 Sun Sep 8 2002
System restarted at 10:02:17 MEST1 Sun Sep 8 2002
System image file is nmp:/c7200-is-mz.121-1a.T1.bin

cisco 7204VXR (NPE225) processor (revision A) with 122880K/8192K bytes of memory.
Processor board ID 23673112
R527x CPU at 262Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
4 slot VXR midplane, Version 2.3

Last reset from power-on
G.703/E1 software, Version 1.0.
G.703/JT2 software, Version 1.0.
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
6 Serial network interface(s)
125K bytes of non-volatile configuration memory.

46976K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
4096K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x102

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52974t=52974
Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52528]
I have a similar set-up, ACS on Win2k, what error message do you see in the event log?

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Dear All,

This is my second post regarding ACS2.6 bugs... The problem is: As you know ;-) I have an acs2.6 server on W2k advanced server, my users using it to connect to the internet and sometimes many of my users logged into my network through the acs and when they disconnected from my system, I noticed that they still exist on the acs server, and since I made a single session to my users, they cannot enter again till I make a purge to the user. Please this is a big problem for me so can u help me to solve it?

Thanx in advance...

Regards,, Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52528t=52528
Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52532]
If you check the user who is listed in the acs they will be in the group . This is normal when you use NT to authenticate users by mapping an external db. Why they can't re-connect should be in the logs (reports then failed attempts), if they have a successful authentication then it's somewhere else like your NT authentication.

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Patrick,

The problem not Why my users disconnected... this may happened because he ended the session stop using the internet.. etc. The problem is why that user still exist on the ACS server, preventing him from reconnecting again till I purge him from the ACS server. So why ACS act such behave?? and how to fix this strange behave??

Thanx Magdy

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

I have a similar set-up, ACS on Win2k, what error message do you see in the event log?

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Dear All,

This is my second post regarding ACS2.6 bugs... The problem is: As you know ;-) I have an acs2.6 server on W2k advanced server, my users using it to connect to the internet and sometimes many of my users logged into my network through the acs and when they disconnected from my system, I noticed that they still exist on the acs server, and since I made a single session to my users, they cannot enter again till I make a purge to the user. Please this is a big problem for me so can u help me to solve it?

Thanx in advance...

Regards,, Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52532t=52532
Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52533]
Sorry some text disappeared along the way, the group should say Mapped by External Authenticator

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

If you check the user who is listed in the acs they will be in the group . This is normal when you use NT to authenticate users by mapping an external db. Why they can't re-connect should be in the logs (reports then failed attempts), if they have a successful authentication then it's somewhere else like your NT authentication.

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Patrick,

The problem not why my users disconnected... this may happened because he ended the session stop using the internet.. etc. The problem is why that user still exist on the ACS server, preventing him from reconnecting again till I purge him from the ACS server. So why ACS act such behave?? and how to fix this strange behave??

Thanx
Magdy

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

I have a similar set-up, ACS on Win2k, what error message do you see in the event log?

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Dear All,

This is my second post regarding ACS2.6 bugs... The problem is: As you know ;-) I have an acs2.6 server on W2k advanced server, my users using it to connect to the internet and sometimes many of my users logged into my network through the acs and when they disconnected from my system, I noticed that they still exist on the acs server, and since I made a single session to my users, they cannot enter again till I make a purge to the user. Please this is a big problem for me so can u help me to solve it?

Thanx in advance...

Regards,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52533t=52533
Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52545]
This is probably a silly question but how do the users logout/disconnect? It could be you need an idle-timeout setting to be applied to the users' group. Also what version of acs are you running?

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Patrick,

I am using ACS Dbase and when I check the error I found the following:

exceeds maximum session

So, I am wondering, this user not connected, then why he failed to reconnect and why he still exist in the connected users Dbase???

Thanx
Magdy

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

Sorry some text disappeared along the way, the group should say Mapped by External Authenticator

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

If you check the user who is listed in the acs they will be in the group . This is normal when you use NT to authenticate users by mapping an external db. Why they can't re-connect should be in the logs (reports then failed attempts), if they have a successful authentication then it's somewhere else like your NT authentication.

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Patrick,

The problem not why my users disconnected... this may happened because he ended the session stop using the internet.. etc. The problem is why that user still exist on the ACS server, preventing him from reconnecting again till I purge him from the ACS server. So why ACS act such behave?? and how to fix this strange behave??

Thanx
Magdy

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

I have a similar set-up, ACS on Win2k, what error message do you see in the event log?

Magdy H. Ibrahim wrote in message news:[EMAIL PROTECTED]...

Dear All,

This is my second post regarding ACS2.6 bugs... The problem is: As you know ;-) I have an acs2.6 server on W2k advanced server, my users using it to connect to the internet and sometimes many of my users logged into my network through the acs and when they disconnected from my system, I noticed that they still exist on the acs server, and since I made a single session to my users, they cannot enter again till I make a purge to the user. Please this is a big problem for me so can u help me to solve it?

Thanx in advance...

Regards,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52545t=52545
Re: voip [7:51729]
Don't know what RAI is, Steve?? but you can use a gatekeeper or just configure dial peers on your gateway with the same matching digits and different destinations, you can prioritise them too

Cheers
Pat

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

h.323 can do it with RAI, or you could use SA Agents. Those are your two best options.

--
RFC 1149 Compliant.

Jake wrote in message news:[EMAIL PROTECTED]...

Is there a way to tell a router (3810), which is running voip, to reroute a voip call if the destination router is down? This is how I see it. The call is made from a typical digital phone. The pbx sends the digits to the router. The router processes the digits and sends them to the destination router. What happens if the destination router is down? The PBX does not know if the destination router is down, so it will send the digits to the local router. But, how do I tell the local router to reroute the phone call?? If you need more info please specify..

Thanks
Jake

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51895t=51729
Cat 6k IOS upgrade failure [7:47282]
I attempted to upgrade a Cat6K on Sunday with little success, shame as the 5Ks worked a treat. I show the steps below in case anyone can point out where I went wrong.

Here's the IOS version I started with:

IOS (tm) c6sup2_rp Software (c6sup2_rp-IS-M), Version 12.1(3a)E4

I wanted to load this version of IOS, c6sup12-is-mz.121-4.E3, which is an IP image. I copied the image into the bootflash of the Cat6k, here's the file below:

CAT6k#sh bootflash:
-#- ED --type-- --crc--- -seek-- nlen -length- -date/time-- name
1 .. image 6031AC06 206DF4 25 1600884 Aug 02 2001 18:36:39 c6msfc2-boot-mz.121-3a.E4
2 .. image 1F7C0C69 C20430 22 8977828 Jun 19 2002 08:12:06 c6sup12-is-mz.121-4.E3

I didn't place it in the sup-bootflash as I didn't have room for both images. Also I didn't want to erase an image I knew worked and then go through the laborious process of copying files via xmodem if the new image wouldn't load. Here's the file on the sup-bootflash:

CAT6k#sh sup-bootflash:
-#- ED --type-- --crc--- -seek-- nlen -length- -date/time-- name
1 .. image B3497649 8C4B74 23 8932084 Aug 02 2001 18:33:46 c6sup12-is-mz.121-3a.E4

To load the image I placed the following line in the config:

boot system flash bootflash:c6sup12-is-mz.121-4.E3

Saved the config and checked the bootvar and all seemed OK. I reloaded the switch and got the following error on bootup:

System Bootstrap, Version 5.3(1)
Copyright (c) 1994-1999 by cisco Systems, Inc.
c6k_sup1 processor with 65536 Kbytes of main memory
Autoboot executing command: boot bootflash:c6sup12-is-mz.121-4.E3
open(): Open Error = -9
loadprog: error - on file open
boot: cannot load bootflash:c6sup12-is-mz.121-4.E3
Exit at the end of BOOT string
rommon 1

Any obvious mistakes in my approach?

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47282t=47282
Rogue Wireless LANs [7:47287]
I've just found a wireless LAN set up by someone in the building, I found it by chance when I was checking something with a colleague from another dept. The WLAN has zero security which is not a surprise and lets the user into the main LAN in the site with a DHCP address served up too! Does anyone have any tips on preventing users and dept's who don't think about security from plugging whatever they like into the network,

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47287t=47287
Re: Rogue Wireless LANs [7:47287]
Thanks Chris, I was thinking more about securing the switch ports by authenticating mac's (probably a bit OTT) or using SNMP to check for new devices, any other ideas? I've already set up a wireless LAN here with WEP with authentication on an ACS server, which is a waste of time when you have people setting up their own kit,

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

chris wrote in message news:[EMAIL PROTECTED]...

WEP for starters, then you can set the access point to only accept connections from specific MAC addresses. You can implement LEAP on the cisco AP, radius/tacacs+ requiring user/pass. Then you could place the AP outside the LAN/Firewall and require VPN to access the LAN resources. Cisco has a good whitepaper on securing wireless. What you have experienced is pretty common.

Chris

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

I've just found a wireless LAN set up by someone in the building, I found it by chance when I was checking something with a colleague from another dept. The WLAN has zero security which is not a surprise and lets the user into the main LAN in the site with a DHCP address served up too! Does anyone have any tips on preventing users and dept's who don't think about security from plugging whatever they like into the network,

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47293t=47287
Cisco ACS db corrupt?? [7:46882]
I have a problem with the local database on a 2.6(6) ACS server. All users use an external database for authentication (NT or RSA) but I want to create a user with a password stored in the ACS server. I can create a new user and assign all the correct attributes without any errors, however when I try to login with the user they are rejected. The logs show the user is rejected due to the CS password: CS password invalid. I have tried to create other users and also to change users' account settings so that they authenticate using the CS password, with no luck. So I think there is a problem with the passwords stored in the ACS server. We have upgraded the server twice in the past 8 months for new features and bug fixes, whether this has caused the problem I don't know. Any ideas on how to verify or fix this?

Cheers
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46882t=46882
Re: Cisco ACS db corrupt?? [7:46882]
Patrick Donlon wrote:

I have a problem with the local database on a 2.6(6) ACS server. All users use an external database for authentication (NT or RSA) but I want to create a user with a password stored in the ACS server. I can create a new user and assign all the correct attributes without any errors, however when I try to login with the user they are rejected. The logs show the user is rejected due to the CS password: CS password invalid. I have tried to create other users and also to change users' account settings so that they authenticate using the CS password, with no luck. So I think there is a problem with the passwords stored in the ACS server. We have upgraded the server twice in the past 8 months for new features and bug fixes, whether this has caused the problem I don't know. Any ideas on how to verify or fix this?

Cheers
Pat

Here's the correct version info:

CiscoSecure ACS v2.6 for Windows 2000/NT
Release 2.6(4) Build 4

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46883t=46882
Re: VPN problem from Pix to VPN concentrator 3030 [7:46343]
I don't have both the isakmp statements in my PIX, why do I need it on both interfaces when the crypto map is on only the outside? Also I have two other PIX working OK with only the one statement

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Brunner Joseph wrote in message news:[EMAIL PROTECTED]...

On the 3030 make sure you are manually specifying lan to lan (Local Network and Remote Network) using USE IP ADDRESS/WILDCARD MASK BELOW. While you normally don't have to do this (you can autodiscover), just do it to test if this is the problem.

Also make sure you have both

isakmp enable outside
isakmp enable inside

yes I mean both.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46440t=46343
Cisco Works 2000 [7:46446]
I've just started to use CW2000 after it had been installed by a colleague. I have a Sun workstation and Netscape 4.78, the problem I have is that Netscape doesn't display all the frames sometimes or the data in a page. I do have a Windows machine and it does display the pages but very slowly. What do other people use with CW2000??

Cheers
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46446t=46446
VPN problem from Pix to VPN concentrator 3030 [7:46343]
I have a problem with an ipsec tunnel across the internet from a PIX to a 3030 vpn concentrator. The tunnel occasionally stops routing IP traffic and then starts again without any intervention from anyone. The tunnel is still up when I check both the 3030 and the pix but no IP traffic is sent across the link. I've checked the logs on the 3030 and see the following message:

Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal. Verify local and remote LAN-to-LAN connection lists.

I see this message when the tunnel is re-connected and traffic is or is not routed, but it looks like it should be corrected. Any ideas??

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46343t=46343
3600 10MB port duplex? [7:46250]
Hi All

I've a dead simple question for anyone with a 3610 at their disposal, I'd like to know whether the built in 10MB ethernet port will run at full duplex. Reason why is I don't have a 3610 with one of these I can access and I've been told by ATT that their router will only run at half-duplex and 10MB

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46250t=46250
Re: Cisco ACS Server Problem [7:46193]
Jimmy have you checked the ACS logs? Have you created an entry for the router in the ACS server? Also it could just be the IP address of the router if it has multiple interfaces,

Cheers
-- email me on : [EMAIL PROTECTED]

Jimmy wrote in message news:[EMAIL PROTECTED]...

I am configuring a Cisco ACS server as a TACACS+ server. I have a router that will use the ACS server for authentication. At the router, all parameters like tacacs host, tacacs key have been configured. The ACS server is located inside the Firewall. A few usernames are created in the ACS server. From the router, I am able to ping the ACS server and able to telnet to ACS server port 49. The Firewall log shows that packets are accepted. However no authentication can be done. I got access denied. I have done a debug aaa authentication.

Jun 10 20:39:07: AAA/AUTHEN: create_user user='' ruser='' port='tty3' rem_addr='102.102.118.66' authen_type=1 service=1 priv=1
Jun 10 20:39:07: AAA/AUTHEN/START (0): port='tty3' list='' action=LOGIN service=LOGIN
Jun 10 20:39:07: AAA/AUTHEN/START (0): using default list
Jun 10 20:39:07: AAA/AUTHEN/START (410787771): Method=TACACS+
Jun 10 20:39:07: AAA/AUTHEN (410787771): status = ERROR
Jun 10 20:39:07: AAA/AUTHEN/START (410787771): Method=LOCAL
Jun 10 20:39:07: AAA/AUTHEN (410787771): status = GETUSER
Jun 10 20:39:10: AAA/AUTHEN/CONT (410787771): continue_login
Jun 10 20:39:10: AAA/AUTHEN (410787771): status = GETUSER
Jun 10 20:39:10: AAA/AUTHEN/CONT (410787771): Method=LOCAL
Jun 10 20:39:10: AAA/AUTHEN (410787771): status = GETPASS
Jun 10 20:39:12: AAA/AUTHEN/CONT (410787771): continue_login
Jun 10 20:39:12: AAA/AUTHEN (410787771): status = GETPASS
Jun 10 20:39:12: AAA/AUTHEN/CONT (410787771): Method=LOCAL
Jun 10 20:39:12: AAA/AUTHEN (410787771): password incorrect
Jun 10 20:39:12: AAA/AUTHEN (410787771): status = FAIL
Jun 10 20:39:14: AAA/AUTHEN: free user='test1' ruser='' port='tty3' rem_addr='102.102.118.66' authen_type=1 service=1 priv=1
Jun 10 20:39:14: AAA/AUTHEN: create_user user='' ruser='' port='tty3' rem_addr='102.102.118.66' authen_type=1 service=1 priv=1
Jun 10 20:39:14: AAA/AUTHEN/START (0): port='tty3' list='' action=LOGIN service=LOGIN
Jun 10 20:39:14: AAA/AUTHEN/START (0): using default list
Jun 10 20:39:14: AAA/AUTHEN/START (440731952): Method=TACACS+
Jun 10 20:39:14: AAA/AUTHEN (440731952): status = ERROR

Does anyone have any idea?

regards
Jimmy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46205t=46193
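An added example, not part of the original posts: a small Python parser for the debug aaa authentication lines quoted above that groups entries by session id and reports which method returned which status. In an IOS method list the next method is tried only after status = ERROR (no usable answer from the server), which is what sends this login on to LOCAL; the function names and the result fields are assumptions made for the illustration.

```python
import re

# Entries copied from the debug output quoted in the post above, one per line.
SAMPLE_DEBUG = """\
Jun 10 20:39:07: AAA/AUTHEN/START (0): using default list
Jun 10 20:39:07: AAA/AUTHEN/START (410787771): Method=TACACS+
Jun 10 20:39:07: AAA/AUTHEN (410787771): status = ERROR
Jun 10 20:39:07: AAA/AUTHEN/START (410787771): Method=LOCAL
Jun 10 20:39:07: AAA/AUTHEN (410787771): status = GETUSER
Jun 10 20:39:10: AAA/AUTHEN/CONT (410787771): continue_login
Jun 10 20:39:10: AAA/AUTHEN (410787771): status = GETUSER
Jun 10 20:39:10: AAA/AUTHEN/CONT (410787771): Method=LOCAL
Jun 10 20:39:10: AAA/AUTHEN (410787771): status = GETPASS
Jun 10 20:39:12: AAA/AUTHEN/CONT (410787771): continue_login
Jun 10 20:39:12: AAA/AUTHEN (410787771): status = GETPASS
Jun 10 20:39:12: AAA/AUTHEN/CONT (410787771): Method=LOCAL
Jun 10 20:39:12: AAA/AUTHEN (410787771): password incorrect
Jun 10 20:39:12: AAA/AUTHEN (410787771): status = FAIL
Jun 10 20:39:14: AAA/AUTHEN/START (0): using default list
Jun 10 20:39:14: AAA/AUTHEN/START (440731952): Method=TACACS+
Jun 10 20:39:14: AAA/AUTHEN (440731952): status = ERROR
"""

# "<timestamp>: AAA/AUTHEN[/START|/CONT] (<session id>): <message>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+: AAA/AUTHEN(?:/(?:START|CONT))? "
    r"\((?P<sid>\d+)\): (?P<msg>.*)$"
)


def parse_sessions(text):
    """Return {session_id: [(method, status), ...]} in log order.

    Session id 0 is the pre-session bookkeeping and is skipped.
    Consecutive repeats of the same (method, status) pair are collapsed.
    """
    current_method = {}
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("sid") == "0":
            continue
        sid, msg = m.group("sid"), m.group("msg")
        steps = sessions.setdefault(sid, [])
        if msg.startswith("Method="):
            current_method[sid] = msg.split("=", 1)[1]
        elif msg.startswith("status = "):
            step = (current_method.get(sid), msg[len("status = "):])
            if not steps or steps[-1] != step:
                steps.append(step)
    return sessions


def classify(steps):
    """Summarise one session (field names are this example's own)."""
    errored = [m for m, status in steps if status == "ERROR" and m != "LOCAL"]
    return {
        # Remote methods that returned ERROR, i.e. gave no usable answer.
        "server_error_methods": errored,
        # True when the router moved on to its local user database.
        "fell_back_to_local": bool(errored) and any(m == "LOCAL" for m, _ in steps),
        "final_status": steps[-1][1] if steps else None,
    }


if __name__ == "__main__":
    for sid, steps in parse_sessions(SAMPLE_DEBUG).items():
        print(sid, steps, classify(steps))
```

In the quoted trace the FAIL comes from the LOCAL method, after TACACS+ had already returned ERROR, so the rejected password was never checked by the ACS server.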
Re: PIX and MS Active Directory [7:44797]
Thanks Brian, just in case anyone else is interested here's a useful link for the microsoft stuff

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/ittasks/tasks/adrepfir.asp

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Brian Hill wrote in message news:[EMAIL PROTECTED]...

John,

SMTP only works if you have two sites in two different domains. In addition, you have to have an exchange server with KMS and a CA to encrypt.

Pat,

I would suggest creating a tunnel from pix to pix and running the replication through there. AD uses RPC, which doesn't translate due to the fact that it uses random port numbers after the initial session establishment.

Brian Hill
CCNP, CCDP, MCSE 2000 (Charter Member), MCSE+I (NT4.0), MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
Lead Technology Architect, TechTrain
Author: Cisco, The Complete Reference
http://www.alfageek.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44937t=44797
PIX and MS Active Directory [7:44797]
The company I work for are looking to deploy Microsoft's Active Directory across the intranet. Most sites have a PIX firewall running 5.3(2) and will have many clients per site using AD. The problem seems to be that when clients pass through the PIX and are assigned a global address/PAT, AD is not working. Static NAT translations work but due to the number of clients per site it's not feasible to use static translations. Has anyone done this or know any good links, can't find a thing on it at the CCO

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44797t=44797
Re: PIX and MS Active Directory [7:44797]
Brian

I've just found out from the guy testing the AD stuff that it doesn't even work with static NAT translations, it'll only work with a static mapping with the same address across the firewall. The bit that isn't working is the replication between the servers

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Brian Hill wrote in message news:[EMAIL PROTECTED]...

Pat,

Are the clients having the problem, or are the servers having the problem? If it's the servers, it's probably just RPC, but if it's the clients, it could be lots of things. What exactly isn't working?

Brian Hill
CCNP, CCDP, MCSE 2000 (Charter Member), MCSE+I (NT4.0), MCSA (Charter Member), MCP+I, MCP(21), Inet+, Net+, A+
Lead Technology Architect, TechTrain
Author: Cisco, The Complete Reference
http://www.alfageek.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44820t=44797
Re: Content Switching and Keepalives [7:43141]
Thanks for the info everyone, I tested it last night and it worked great, we now have load balancing and the keepalive running. Here's the config for one of the services

Cheers
Pat

service portal2
  ip address 172.16.10.12
  string portal2
  protocol tcp
  keepalive port 81
  keepalive type http
  keepalive uri /index.html
  active

sam sneed wrote:

There are 2 methods of keepalives, get and head.

get: CSS gets the web page, computes a hash based on the page and stores it for reference. The next time the CSS gets the webpage it looks for 200 OK and status and compares the new hash with the hash stored for reference. If they are different the CSS marks the service as down. So you can conclude this method only works well for static content on pages.

Head: CSS only issues an HTTP head on the service and looks for 200 OK status, if it gets it the service is marked up, otherwise it's down. Less overhead than the get method and good for dynamic content as well.

hope that helped a bit.

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

Hi Dave

I've not had chance to test the keepalive yet but I see you mention using head or get can depend on the page type. Can you explain further or do you have any links?

Cheers
Pat

David Harrison wrote:

This is correct. The domain name is not necessary. Since the CSS knows the ip address of the box it's watching it doesn't have to rely on a domain name to find the location of the server. However it is important that the css know the path to reach the reference page. I've used the following:

service blah_blah
  ip address 10.1.1.1
  keepalive frequency 8
  keepalive type http
  keepalive uri /.reference/arrowpoint-keepalive.html
  active

I usually use the default head method vs the get. Depends on whether the file you are watching is static or dynamic.

Dave

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Content Switching and Keepalives [7:43141]

I'm not positive about this but I don't believe you're supposed to include the domain name in the URI. We simply use 'keepalive uri /index.htm' and that works well. Give that a shot and see if it works for you.

John

Patrick Donlon 5/3/02 9:54:47 AM

Hi

I tested it and for some reason it didn't work, I configured the following on the service:

keepalive port 81, keepalive method get, keepalive type http
keepalive frequency 25, keepalive retry 25
keepalive uri www.blahblah.com/index.html

I then activated the service (and re-activated it a few times just in case). Anything obviously wrong and what should I check in the log

cheers
Pat

Patrick Donlon wrote:

Hi All

I have two web servers which are being load balanced behind a CSS, this is working fine. Currently we're using the default ICMP keepalive, this is OK if the failure is at this level but when the web services process is stopped by the DBA the CSS thinks it's up and running. I've seen the different options, tcp, http gets, etc, and would like to know anyone else's experience in what is the best balance over performance and detecting the loss of service

Cheers
Pat
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43475t=43141
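An added example, not part of the original thread and not Cisco's implementation: a Python model of the three keepalive behaviours discussed above (ICMP, HTTP head, HTTP get with a stored page hash), run against a constructed backend so the difference shows up without a network. The Backend and Keepalive classes, the tick counter and the use of SHA-256 for the page hash are assumptions made for the illustration.

```python
import hashlib


class Backend:
    """Constructed stand-in for one web server behind the content switch."""

    def __init__(self, body_fn):
        self.body_fn = body_fn   # callable(tick) -> page body as bytes
        self.host_up = True      # the machine answers ICMP
        self.web_up = True       # the web service process is running

    def icmp(self):
        return self.host_up

    def http(self, method, tick):
        """Return (status, body), or None when nothing listens on the port."""
        if not (self.host_up and self.web_up):
            return None
        body = self.body_fn(tick)
        return (200, body if method == "GET" else b"")


class Keepalive:
    """Keepalive as described in the thread: kind is icmp, head or get."""

    def __init__(self, kind):
        self.kind = kind
        self.reference = None    # hash stored by the first successful GET

    def probe(self, backend, tick):
        if self.kind == "icmp":
            return backend.icmp()
        resp = backend.http("HEAD" if self.kind == "head" else "GET", tick)
        if resp is None or resp[0] != 200:
            return False
        if self.kind == "get":
            digest = hashlib.sha256(resp[1]).hexdigest()
            if self.reference is None:
                self.reference = digest          # first page seen is the reference
            return digest == self.reference      # any change marks the service down
        return True


def run(kind, body_fn, stop_web_at=None, ticks=4):
    """Probe once per tick; optionally stop the web process at a given tick."""
    backend = Backend(body_fn)
    keepalive = Keepalive(kind)
    states = []
    for tick in range(ticks):
        if stop_web_at is not None and tick >= stop_web_at:
            backend.web_up = False
        states.append("up" if keepalive.probe(backend, tick) else "down")
    return states


def static_page(tick):
    return b"<html>portal</html>"


def dynamic_page(tick):
    # Body changes on every request, as a generated page would.
    return b"<html>served at tick %d</html>" % tick


if __name__ == "__main__":
    print("icmp, web stopped at tick 2:", run("icmp", static_page, stop_web_at=2))
    print("head, web stopped at tick 2:", run("head", static_page, stop_web_at=2))
    print("get,  web stopped at tick 2:", run("get", static_page, stop_web_at=2))
    print("get,  dynamic page:         ", run("get", dynamic_page))
    print("head, dynamic page:         ", run("head", dynamic_page))
```

The ICMP run stays up after the web process stops, which is the situation in the first post; the get run on the dynamic page goes down with the server healthy, which is why the replies prefer head unless the watched file is static.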
Re: Content Switching and Keepalives [7:43141]
Hi Dave

I've not had chance to test the keepalive yet but I see you mention using head or get can depend on the page type. Can you explain further or do you have any links?

Cheers
Pat

David Harrison wrote:

This is correct. The domain name is not necessary. Since the CSS knows the ip address of the box it's watching it doesn't have to rely on a domain name to find the location of the server. However it is important that the css know the path to reach the reference page. I've used the following:

service blah_blah
  ip address 10.1.1.1
  keepalive frequency 8
  keepalive type http
  keepalive uri /.reference/arrowpoint-keepalive.html
  active

I usually use the default head method vs the get. Depends on whether the file you are watching is static or dynamic.

Dave

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: Content Switching and Keepalives [7:43141]

I'm not positive about this but I don't believe you're supposed to include the domain name in the URI. We simply use 'keepalive uri /index.htm' and that works well. Give that a shot and see if it works for you.

John

Patrick Donlon 5/3/02 9:54:47 AM

Hi

I tested it and for some reason it didn't work, I configured the following on the service:

keepalive port 81, keepalive method get, keepalive type http
keepalive frequency 25, keepalive retry 25
keepalive uri www.blahblah.com/index.html

I then activated the service (and re-activated it a few times just in case). Anything obviously wrong and what should I check in the log

cheers
Pat

Patrick Donlon wrote:

Hi All

I have two web servers which are being load balanced behind a CSS, this is working fine. Currently we're using the default ICMP keepalive, this is OK if the failure is at this level but when the web services process is stopped by the DBA the CSS thinks it's up and running. I've seen the different options, tcp, http gets, etc, and would like to know anyone else's experience in what is the best balance over performance and detecting the loss of service

Cheers
Pat
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43380t=43141
Re: Content Switching and Keepalives [7:43141]
Hi

I tested it and for some reason it didn't work, I configured the following on the service:

keepalive port 81, keepalive method get, keepalive type http
keepalive frequency 25, keepalive retry 25
keepalive uri www.blahblah.com/index.html

I then activated the service (and re-activated it a few times just in case). Anything obviously wrong and what should I check in the log

cheers
Pat

Patrick Donlon wrote:

Hi All

I have two web servers which are being load balanced behind a CSS, this is working fine. Currently we're using the default ICMP keepalive, this is OK if the failure is at this level but when the web services process is stopped by the DBA the CSS thinks it's up and running. I've seen the different options, tcp, http gets, etc, and would like to know anyone else's experience in what is the best balance over performance and detecting the loss of service

Cheers
Pat
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43232t=43141
Content Switching and Keepalives [7:43141]
Hi All

I have two web servers which are being load balanced behind a CSS, this is working fine. Currently we're using the default ICMP keepalive, this is OK if the failure is at this level but when the web services process is stopped by the DBA the CSS thinks it's up and running. I've seen the different options, tcp, http gets, etc, and would like to know anyone else's experience in what is the best balance over performance and detecting the loss of service

Cheers
Pat
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43141t=43141
Re: PIX and AAA [7:42302]
Thanks again for the replies everyone, it worked just fine

Patrick Donlon wrote:

Thanks for the replies, I only want to authenticate administrators on the PIX, will let you know how I get on

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

nrf wrote in message news:[EMAIL PROTECTED]...

In such a situation, authorization would be achieved by writing a bunch of access-lists on the Pix. Then, you designate those particular access-lists within the radius server for individual users. For example, let's say you have a user called billclinton, and you want to restrict his access to certain websites. So you write an access-list that does that, and then in his radius profile, you call that access-list.

This works when you are doing straight authentication through the Pix directly. I have never tried it through a VPN.

Darren Mitchelmore wrote in message news:[EMAIL PROTECTED]...

NRF.

I am just about to setup a PIX 515 with the Cisco VPN client and the ias (WIN2K RADIUS SERVER). From my understanding the VPN client has a group login then the user will be prompted for a username/password that the PIX will pass to the IAS server using Radius. That will be authenticated against the Win username / password database (used to be called SAM ??) on the IAS server. I believe that this is authentication. Not sure how authorisation is achieved. How do you tie in the access-list to that individual user ??

Is this the setup you have got going ?? Do you have any problems implementing it ??

PS - I have setup PIXs before but only with simple policies...

Best Regards,
Darren M

-----Original Message-----
From: nrf [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 3:57 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX and AAA [7:42302]

Well, actually, the Pix does support a very limited amount of Radius authorization. It's only for users going through the Pix, not administrators of the Pix. And the authorization 'capabilities' only allow you to invoke existing access-lists on the Pix for certain users, so, like I said, it's very limited.

Still, the capability exists.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid10

Georg Pauwen wrote in message news:[EMAIL PROTECTED]...

Paul, Tim, Patrick,

you guys are good ! You are right, I wasn't specific enough in what I said: PIX does support RADIUS, but it does NOT support RADIUS Authorization :)

Regards,
Georg

From: Paul Borghese
To: Georg Pauwen ,
Subject: Re: PIX and AAA [7:42302]
Date: Tue, 23 Apr 2002 10:03:43 -0400

The pix does support radius. I am using it for a small client to authenticate PPTP connections using the Microsoft 2000 Radius server.

Paul Borghese

----- Original Message -----
From: Georg Pauwen
To:
Sent: Tuesday, April 23, 2002 7:16 AM
Subject: RE: PIX and AAA [7:42302]

Hi Patrick,

yes, aaa is fully supported on the PIX (remember, though, that the PIX does not support RADIUS). Follow this link for a command overview of aaa on the PIX:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3

Regards,
Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43143t=42302
Re: Questions about PIX firewall [7:24634]
Hi, backing up what's already been posted, we've changed from Checkpoint on Solaris to PIX. For the last 6 months we have had a very stable environment with failover implemented too. The cli is excellent if you're familiar with IOS, it doesn't have the overhead and terrible sluggish response of the Checkpoint GUI - try remote logging on Checkpoint's GUI. For most things PIX check http://www.cisco.com/warp/customer/707/#pix

cheers
Pat

dovelet wrote:

Hi all, our company wants to use a PIX 515 firewall but I have never used it before. I have some questions and I hope someone can help me.

1. To configure a PIX, is there any GUI interface or do I need to use the Command Line Interface? If it has a GUI interface, is it bundled with a PIX or does it need to be purchased separately?
2. We plan to use 2 PIX for an HA solution. Is it stable?
3. Are there any materials that describe the PIX failover?

Regards,
Dovelet

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42819t=24634
Re: PIX and AAA [7:42302]
Thanks for the replies, I only want to authenticate administrators on the PIX, will let you know how I get on.

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

nrf wrote in message news:[EMAIL PROTECTED]...

In such a situation, authorization would be achieved by writing a bunch of access-lists on the Pix. Then, you designate those particular access-lists within the radius server for individual users. For example, let's say you have a user called billclinton, and you want to restrict his access to certain websites. So you write an access-list that does that, and then in his radius profile, you call that access-list. This works when you are doing straight authentication through the Pix directly. I have never tried it through a VPN.

Darren Mitchelmore wrote in message news:[EMAIL PROTECTED]...

NRF. I am just about to set up a PIX 515 with the Cisco VPN client and the IAS (WIN2K RADIUS SERVER). From my understanding the VPN client has a group login, then the user will be prompted for a username/password that the PIX will pass to the IAS server using Radius. That will be authenticated against the Win username/password database (used to be called SAM ??) on the IAS server. I believe that this is authentication. Not sure how authorisation is achieved. How do you tie in the access-list to that individual user ?? Is this the setup you have got going ?? Do you have any problems implementing it ??

PS - I have set up PIXs before but only with simple policies...

Best Regards,
Darren M

-Original Message-
From: nrf [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 3:57 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX and AAA [7:42302]

Well, actually, the Pix does support a very limited amount of Radius authorization. It's only for users going through the Pix, not administrators of the Pix. And the authorization 'capabilities' only allow you to invoke existing access-lists on the Pix for certain users, so, like I said, it's very limited. Still, the capability exists.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/mngacl.htm#xtocid10

Georg Pauwen wrote in message news:[EMAIL PROTECTED]...

Paul, Tim, Patrick, you guys are good! You are right, I wasn't specific enough in what I said: PIX does support RADIUS, but it does NOT support RADIUS Authorization :)

Regards,
Georg

From: Paul Borghese
To: Georg Pauwen
Subject: Re: PIX and AAA [7:42302]
Date: Tue, 23 Apr 2002 10:03:43 -0400

The pix does support radius. I am using it for a small client to authenticate PPTP connections using the Microsoft 2000 Radius server.

Paul Borghese

- Original Message -
From: Georg Pauwen
Sent: Tuesday, April 23, 2002 7:16 AM
Subject: RE: PIX and AAA [7:42302]

Hi Patrick, yes, aaa is fully supported on the PIX (remember, though, that the PIX does not support RADIUS). Follow this link for a command overview of aaa on the PIX:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid3

Regards,
Georg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42417t=42302
PIX and AAA [7:42302]
Hi All, hopefully someone can help, is it possible to use AAA to authenticate users on my PIX firewalls?

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42302t=42302
Re: VOIP billing [7:38756]
You can use a radius platform for billing in your VoIP network. For small scale you can use the CallManager or Cisco ACS server billing, for the larger stuff you need to use Radius accounting and develop your own scripts to process the records.

Cheers
Pat

Kiran Kumar M wrote in message news:[EMAIL PROTECTED]...

Thanks for your reply. Any other external software that will be compatible with cisco products also ??

Thanks,
Kiran

On Tue, 19 Mar 2002, George Siaw wrote:

Check out the Avvid product line. I think Cisco Call manager has some functionality for billing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kiran Kumar M
Sent: 19 March 2002 05:43
To: [EMAIL PROTECTED]
Subject: VOIP billing [7:38756]

Hai, is there any billing solution available for VOIP in cisco products ??

Thanks,
Kiran

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38761t=38756
7204 vxr boot rom [7:38777]
Hi All, just wondered if anyone knows where I can find some information about boot rom versions. I'm looking at loading an image of IOS on a new 7204 and I'd like to know what version I should use for the boot rom.

cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38777t=38777
Re: VPN using DHCP [7:38670]
I use a cable modem in Holland and it never changes, but now I've said that.. Best thing would be to request an address, then you know for sure.

Cheers
-- email me on : [EMAIL PROTECTED]

sam sneed wrote in message news:[EMAIL PROTECTED]...

Has anyone ever created a VPN using a cable modem and DHCP? I am assuming that once you get the IP using DHCP it will not change for at least a month. If it does change I realize reconfiguration is necessary, this is no big deal for me. I know it is not possible with checkpoint 4.1 but is it possible with a PIX 501 3DES? I want to connect my home network to the corporate network using a PIX 501 and IPSEC.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38673t=38670
Re: Etherchannel/ISL trunk failure [7:38085]
Kelly, great post and I do appreciate the help, I no think my englesh was that bad (just kidding), been living in Europe too long obviously. Back to the problem anyway, I removed the ISL trunk from the etherchannel and it's all OK now, no errors for the past couple of days. Problem is it's at an exhibition so it's fairly important it doesn't go down. The reasoning behind the ISL trunk was an application that couldn't handle an address with any zeros, so we needed an extra VLAN. The network requirements have a habit of changing rapidly too so it made sense to implement it at the time. My skill level? hmm not sure either, but you're right, keep it simple works best for me too.

cheers
Pat
-- email me on : [EMAIL PROTECTED]

Kelly Cobean wrote in message news:[EMAIL PROTECTED]...

I'll make you a deal...I won't pose design questions in response to your fault questions when you can criticize me for trying to help you using something other than one big, fragmented run-on sentence. Worse than my unsolicited design suggestions are the inability of most people to form a coherent thought in writing to convey their point. It makes it difficult, if not impossible to HELP with the problem at hand when you must focus so hard on deciphering the broken sentence that you can't focus on the technology.

Now, I certainly get your point that I'm not sticking strictly to the question at hand, but one of the best design philosophies (which determines in part your troubleshooting methodologies) out there is Keep It Simple. There is no need to apply a technology if it's not going to be used. I suggest this merely because I don't know you, your skill level, or your future plans for this network. My suggesting that you not use ISL if there are no plans for it in the future was an attempt to save you the heart-ache of chasing down a problem that needn't exist, however educational the answer may be. I also caveated my statement with "unless you are preparing for multiple VLAN's down the road", so be as scalable as you want, just don't assume that I know your future plans. I'm merely analyzing the problem in front of me. After all, you did say that you had to get this up very quickly.

Also note that I DID include some other thoughts for you to check on if diagnosing the problem to resolution is the path you're on, so my message wasn't entirely wasted on babbling about my perceived over-engineering of your network. As with all lists, responses to questions are take it or leave it. If you don't like mine that's fine, but maybe someone else on the list was able to benefit from it. In the future, I'll refrain from any attempts to suggest alternatives to problematic implementations.

Apparently Arrogant,
Kelly Cobean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Donlon
Sent: Wednesday, March 13, 2002 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Etherchannel/ISL trunk failure [7:38085]

I love this group, how's about scalability, new requirements, sorry for being sarcastic but it's not about the design, simple as it is, but a fault.

cheers
-- email me on : [EMAIL PROTECTED]

Kelly Cobean wrote in message news:[EMAIL PROTECTED]...

Based on the fact that you are only using a single VLAN, I would first question why you are using ISL trunking? Since ISL is used for Inter-VLAN routing, it's an unnecessary configuration, unless you are preparing for multiple VLAN's down the road. Have you configured VTP appropriately? Also, I would check for any ARP abnormalities in your CAM and ARP tables.

Kelly Cobean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Donlon
Sent: Wednesday, March 13, 2002 4:11 AM
To: [EMAIL PROTECTED]
Subject: Etherchannel/ISL trunk failure [7:38085]

Hi everyone, I have a strange problem, I'd like to know if anyone can explain why it happened and how to prevent it happening again. I have two Cat 5500s connected using four 10/100 MB ports configured as an etherchannel, it was also configured as an ISL trunk. It's a very simple network with these two switches, a PIX and only VLAN 1 is used. The problem occurred when clients' DNS requests failed. The DNS is an NT server which was connected to Switch B, the PIX was connected to Switch A and the default gateway for VLAN 1 was on Switch A. From a PC on Switch A you could ping the NT server and the default gateway and PIX etc, but the NT server couldn't ping the default gateway. Moving a PC to Switch B replicated the problem, I could ping everything else on the network but not the default gateway. When I checked the switches I could see some errors on the first port of the channel, a few align, fcs and runts, I then noticed the port was leaving and joining the spanning tree every 30 seconds
Etherchannel/ISL trunk failure [7:38085]
Hi everyone, I have a strange problem, I'd like to know if anyone can explain why it happened and how to prevent it happening again. I have two Cat 5500s connected using four 10/100 MB ports configured as an etherchannel, it was also configured as an ISL trunk. It's a very simple network with these two switches, a PIX and only VLAN 1 is used. The problem occurred when clients' DNS requests failed. The DNS is an NT server which was connected to Switch B, the PIX was connected to Switch A and the default gateway for VLAN 1 was on Switch A. From a PC on Switch A you could ping the NT server and the default gateway and PIX etc, but the NT server couldn't ping the default gateway. Moving a PC to Switch B replicated the problem, I could ping everything else on the network but not the default gateway.

When I checked the switches I could see some errors on the first port of the channel, a few align, fcs and runts, I then noticed the port was leaving and joining the spanning tree every 30 seconds or so. Removing the cable from the port fixed the problem immediately, when the cable was put back the problem occurred after about 3 mins. I removed the ISL trunk and put the cable back and it is working and error free for over 12 hours. I'd love to know exactly what caused this, I think it was the VLAN information not being passed down the trunk but I'm not sure, and as the link had to be up v. quickly I didn't have time to test a few things out.

cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38085t=38085
Re: Etherchannel/ISL trunk failure [7:38085]
I love this group, how's about scalability, new requirements, sorry for being sarcastic but it's not about the design, simple as it is, but a fault.

cheers
-- email me on : [EMAIL PROTECTED]

Kelly Cobean wrote in message news:[EMAIL PROTECTED]...

Based on the fact that you are only using a single VLAN, I would first question why you are using ISL trunking? Since ISL is used for Inter-VLAN routing, it's an unnecessary configuration, unless you are preparing for multiple VLAN's down the road. Have you configured VTP appropriately? Also, I would check for any ARP abnormalities in your CAM and ARP tables.

Kelly Cobean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Donlon
Sent: Wednesday, March 13, 2002 4:11 AM
To: [EMAIL PROTECTED]
Subject: Etherchannel/ISL trunk failure [7:38085]

Hi everyone, I have a strange problem, I'd like to know if anyone can explain why it happened and how to prevent it happening again. I have two Cat 5500s connected using four 10/100 MB ports configured as an etherchannel, it was also configured as an ISL trunk. It's a very simple network with these two switches, a PIX and only VLAN 1 is used. The problem occurred when clients' DNS requests failed. The DNS is an NT server which was connected to Switch B, the PIX was connected to Switch A and the default gateway for VLAN 1 was on Switch A. From a PC on Switch A you could ping the NT server and the default gateway and PIX etc, but the NT server couldn't ping the default gateway. Moving a PC to Switch B replicated the problem, I could ping everything else on the network but not the default gateway.

When I checked the switches I could see some errors on the first port of the channel, a few align, fcs and runts, I then noticed the port was leaving and joining the spanning tree every 30 seconds or so. Removing the cable from the port fixed the problem immediately, when the cable was put back the problem occurred after about 3 mins. I removed the ISL trunk and put the cable back and it is working and error free for over 12 hours. I'd love to know exactly what caused this, I think it was the VLAN information not being passed down the trunk but I'm not sure, and as the link had to be up v. quickly I didn't have time to test a few things out.

cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38104t=38085
Re: VoIP problem [7:36396]
Mark, thanks for the post, yep both are identical, I've already decoded the error and it tells me to contact Cisco, which I've done.

Cheers

Mark Odette II wrote in message news:[EMAIL PROTECTED]...

Pat- Question: Are both ends identical in Hardware and/or Software?? More importantly, are both routers running the same version of IOS? I've seen something very similar to this, and it wound up being a compound problem of a buggy version of IOS and a mixture of versions from end to end. If you can, you might think about rolling back a little on the version of IOS, to say, 12.2.1, or something like that, but verify it won't break some other feature you're depending on first. Another wise action would be to go onto CCO and check their BugTraq to see if they have any known issues with 12.2.4T. Also, here's a tool that might help with the error message: Error message Decoder Ring! It requires CCO access.

http://www.cisco.com/cgi-bin/Support/Errordecoder/home.pl

Hope this helps!
Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Donlon
Sent: Monday, February 25, 2002 11:35 AM
To: [EMAIL PROTECTED]
Subject: VoIP problem [7:36396]

Hi all, I've a problem with a voice router, I'm getting DSP timeout errors on the far end (egress) router and I was wondering if anyone has any ideas. See the text below for the error, it appears after the call is disconnected with normal call clearing, we use E1s. A reboot will make the problem go away for a short while and we are using 12.2(4)T on a 3640. The call routing is fine and I can make csim calls from the far end router to my local router and to my phone no problem, in the other direction I get DSP timeouts.

Cheers
Pat

10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP Disc (call mode=0)
10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP error stats (call mode=1658181684), chnl info(1, 0, 0)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36620t=36396
VoIP monitoring [7:36625]
Hi, I'm after some tips for monitoring a couple of VoIP routers, as there are only two routers buying tools isn't going to be very cost effective. I've used the early versions of CVM (which was very funny), we use Cisco Works 2000, but don't have the add on CVM product, and Openview. I'm planning to automatically re-route calls on failure, but I'd like to know about the failure so we can react, any ideas or pointers?

Cheers
Pat
-- email me on : [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36625t=36625
VoIP problem [7:36396]
Hi all, I've a problem with a voice router, I'm getting DSP timeout errors on the far end (egress) router and I was wondering if anyone has any ideas. See the text below for the error, it appears after the call is disconnected with normal call clearing, we use E1s. A reboot will make the problem go away for a short while and we are using 12.2(4)T on a 3640. The call routing is fine and I can make csim calls from the far end router to my local router and to my phone no problem, in the other direction I get DSP timeouts.

Cheers
Pat

10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP Disc (call mode=0)
10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: DSP error stats (call mode=1658181684), chnl info(1, 0, 0)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36396t=36396
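An added example, not part of the original posts: a small watcher for the `%VTSP-3-DSP_TIMEOUT` messages quoted above, of the kind that could feed an alert from a syslog collector when only two voice routers need monitoring. The first two sample lines are the ones from the post; the others, the function names and the alert threshold are assumptions made for the illustration.

```python
import re

# Classic IOS log layout: "<stamp>: %FACILITY-SEVERITY-MNEMONIC: text".
# Severity is 0 (emergencies) to 7 (debugging); lower means more severe.
IOS_MSG = re.compile(
    r"^(?:(?P<stamp>[^%]*?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):"
    r"\s*(?P<text>.*)$"
)
DSP_ID = re.compile(r"DSP ID=(0x[0-9A-Fa-f]+)")
EVENT = re.compile(r"on event (0x[0-9A-Fa-f]+)")

SAMPLE_LOG = [
    # The two lines quoted in the post.
    "10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: "
    "DSP Disc (call mode=0)",
    "10w5d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x1: "
    "DSP error stats (call mode=1658181684), chnl info(1, 0, 0)",
    # Constructed lines, added so the filter has something to reject.
    "10w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0:15, "
    "changed state to up",
    "10w6d: %VTSP-3-DSP_TIMEOUT: DSP timeout on event 0x6: DSP ID=0x2: "
    "DSP Disc (call mode=0)",
    "this line is not an IOS message",
]


def parse_ios_message(line):
    """Split one log line into stamp, facility, severity, mnemonic, text."""
    match = IOS_MSG.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["severity"] = int(record["severity"])
    return record


def severe_messages(lines, max_severity=3):
    """Return parsed records at 'errors' (3) or worse, whatever the facility."""
    records = (parse_ios_message(line) for line in lines)
    return [r for r in records if r and r["severity"] <= max_severity]


def summarize_dsp_timeouts(lines):
    """Group VTSP DSP_TIMEOUT messages by the DSP ID they report."""
    summary = {}
    for line in lines:
        rec = parse_ios_message(line)
        if rec is None:
            continue
        if (rec["facility"], rec["mnemonic"]) != ("VTSP", "DSP_TIMEOUT"):
            continue
        dsp = DSP_ID.search(rec["text"])
        event = EVENT.search(rec["text"])
        key = dsp.group(1) if dsp else "unknown"
        entry = summary.setdefault(
            key,
            {"count": 0, "events": set(),
             "first": rec["stamp"], "last": rec["stamp"]},
        )
        entry["count"] += 1
        entry["last"] = rec["stamp"]
        if event:
            entry["events"].add(event.group(1))
    return summary


def dsps_to_alert(lines, threshold=2):
    """DSP IDs with at least `threshold` timeouts (threshold is an assumption)."""
    summary = summarize_dsp_timeouts(lines)
    return sorted(dsp for dsp, e in summary.items() if e["count"] >= threshold)


if __name__ == "__main__":
    for dsp, entry in sorted(summarize_dsp_timeouts(SAMPLE_LOG).items()):
        print(dsp, entry["count"], sorted(entry["events"]),
              entry["first"], entry["last"])
    print("alert on:", dsps_to_alert(SAMPLE_LOG))
```

Grouping by DSP ID shows whether the timeouts keep landing on one DSP or are spread across several, which is the kind of detail worth having to hand when the case is with the vendor.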
OT: Serial DTE/DCE cables [7:35388]
Hi, I'm after some serial cables for a home lab, anyone have any sources for these in the UK and Europe? I'm looking to buy about 10 in total (1m or 3m lengths).

Cheers
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35388t=35388
Re: [Re: VOIP Vic-2fx cards [7:34768]
Sujal, thought it could be the case, just couldn't remember as it was some time back.

Thanks

Sujal G. Ajmera wrote in message news:[EMAIL PROTECTED]...

Pat and Rich: I had a similar problem and got it solved just today. What we did was change the IOS and that made a difference.

Sujal

Richard, I've had the very same problem some time ago, it was really annoying, can you post the config, it'll probably jog my memory as to what was wrong.

Cheers
Pat

- Original Message -
From: Richard Botham
Newsgroups: groupstudy.cisco
Sent: Thursday, February 07, 2002 6:13 PM
Subject: VOIP Vic-2fx cards [7:34768]

Hi All, I have 2 x Cisco 2621 routers and each has a 2 port fxs voice card - vic-2fxs installed. When I plug my phone into port 1/0/0 of a vic-2fxs card installed in a 2621 I get dial tone. When I use port 1/0/1 I do not get dial tone. Is there any reason for this and what am I doing wrong?

Regards
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35276t=34768
Re: 6000 Hybrid vs Native [7:35216]
Sorry to spoil the party but I've had a problem with IOS on 6Ks. With version 12.1(3a)E4, using the console port would put the switch into rommon mode, the switch would keep running but you couldn't config it, it's a recognised bug I think. Apart from that though I think it simplifies things by having just the one set of commands and will be upgrading the Cat OS 6Ks to IOS.

Cheers
Pat

Michelle Loechel wrote in message news:[EMAIL PROTECTED]...

Can anyone comment on having used the native mode IOS feature on the 6000 series switches? Like/dislikes? Stability? Supportability, etc? Preference of hybrid or native? Compatibility issues with future Cisco features?

Thanks
Michelle Loechel
Network Analyst
Exempla Healthcare
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35278t=35216
Re: VOIP Vic-2fx cards [7:34768]
Richard, I've had the very same problem some time ago, it was really annoying, can you post the config, it'll probably jog my memory as to what was wrong.

Cheers
Pat

- Original Message -
From: Richard Botham
Newsgroups: groupstudy.cisco
Sent: Thursday, February 07, 2002 6:13 PM
Subject: VOIP Vic-2fx cards [7:34768]

Hi All, I have 2 x Cisco 2621 routers and each has a 2 port fxs voice card - vic-2fxs installed. When I plug my phone into port 1/0/0 of a vic-2fxs card installed in a 2621 I get dial tone. When I use port 1/0/1 I do not get dial tone. Is there any reason for this and what am I doing wrong?

Regards
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34832t=34768
IPSec tunnels [7:34742]
Hi All, I'm looking for some information on how to verify the configuration of a PIX with an IPsec tunnel to a VPN concentrator. I have a tunnel that keeps bouncing, I think that instabilities across the internet could be causing some of the problems as I see the path changing quite a lot from the Netherlands to Dubai. I can't find the command(s), or understand the ones I've used, which tell me whether the tunnel is up on the PIX, I can see from the concentrator that it's down but I want to know about the PIX too. Any other advice is appreciated.

Cheers
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34742t=34742
Re: PBX [7:34499]
Tom, it all depends on what interfaces you have in your router and PBX, do you need info' on the PBX or the Cisco? I can send you some general configs for E1 interfaces, otherwise check out the CCO

http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:VoX:VoIPs=Implementation_and_Configuration

or for the as5300 (most commands can be used on the smaller 2600 or 3600)

http://www.cisco.com/univercd/cc/td/doc/product/access/nubuvoip/voip5300/index.htm

cheers
Pat

- Original Message -
From: Tom Richs
Newsgroups: groupstudy.cisco
Sent: Tuesday, February 05, 2002 8:47 PM
Subject: PBX [7:34499]

How can I connect a router to a PBX to get it to talk? In specific I'm implementing VoIP and want to connect it to my PBX. Do you use a specific PRI, EM or what type of card and cabling between the two?

Thanks.
Tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34598t=34499
Re: Renting Cisco Equipment [7:34531]
Yes, Cisco can arrange loan or demo equipment for all sorts of uses, go ask your rep.

cheers
Pat

Greg Harper wrote in message news:[EMAIL PROTECTED]...

Greetings, does anybody on the list know of any companies that will rent or short-term lease Cisco equipment? I need an AS5400 temporarily to minimize the downtime of an ISP migration, and am having trouble finding companies that handle this type of thing.

Thanks,
Greg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34599t=34531
Re: ISDN problems... [7:34324]
Stuart, 180 seconds is normal, it depends if you have a minimum call charge from your telco. To see what's causing the interface to dial use the debug dialer command:

debug dialer [events | packets] - Displays DDR debugging information about the packets received on a dialer interface.

Some more info' here http://www.cisco.com/warp/customer/793/access_dial/ddr_9347.html

Regards
Pat

Laubstein, Stuart wrote in message news:[EMAIL PROTECTED]...

The dialer list command seems to be gone...I am going to add

dialer-list 1 protocol ip permit

This should work (at least to let everything through). Or is there another way to do this which is more secure? I am also trying the debug command--they will not help this problem but have shown me another problem with the serial interfaces so thanks for that suggestion. Actually any suggestion on dialer-lists would also be welcome--i.e. what would be a good idea and what kind of timeout is normal--I am using 50 seconds right now.

stu

-Original Message-
From: McCallum, Robert [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 04, 2002 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: ISDN problems... [7:34324]

If the router is not seeing interesting traffic within your idle period then it should drop the line. What is in your dialer-list to define what is interesting traffic?

-Original Message-
From: Stuart Laubstein [mailto:[EMAIL PROTECTED]]
Sent: 04 February 2002 14:20
To: [EMAIL PROTECTED]
Subject: ISDN problems... [7:34324]

I have a 3620 that has a problem with timing out. I have set the dialer idle-timeout to 180 seconds--the router will keep the interface open for 180 seconds and then drop it for 9 seconds. I set it to 55 seconds and it did the same timeout after 55 seconds--9 second drop. This only seems to happen when the remote router is a cisco router. I have tried debug isdn events--but can only see the interface coming back up. Any idea on things I can try would be much appreciated or on debug options that would narrow it for me...

thanks
stuart

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=3t=34324
Re: MAJOR OT: Free CCNPtraining for convicts [7:34039]
This could be the biggest load of crap I've read for some time, is your boss planning on getting you convicted? It may be cheaper on his training budget.

steve skinner wrote in message news:[EMAIL PROTECTED]...

guys, my boss has just told me that cisco are trialling a few prisons where they are offering free CCNP training to convicts. man does that just bite the biscuit. i worked long and hard to pay for my exams, get some work experience, and at my expense (being a tax payer) i am funding a convict to learn about cisco. i know about rehabilitation, but it is just a bit sick that i as an individual could

a) been robbed by this man ... my house is trashed and my insurance goes up (i pay)
b) funding him in prison to learn Cisco (i pay)
c) comes out of prison and devalues a cert because he has no experience (i pay)

does cisco want to have a useless cert system (except of course the CCIE)? because the more people who BLATANTLY DONT have any experience with these certs ... the less they mean...

i'm sorry to rant, but sometimes i wish companies would consider their future..

FACT (from Cisco): there will always be more jobs for NA/NP than IE's

1) i get exams to be employable...
2) in order to get these exams i push the company's kit .. i have recently installed some 4000's over another company's kit, even though the other kit is more than capable of doing the job.. because i get a side benefit of learning about the equipment and increasing my CV value
3) if i am working at a company and i dont want a cisco cert because it is worthless.. why would i push that company's products.. i would simply push another company's products to get my certs in their equipment, to keep my employability
4) cisco dont sell as much equipment
5) certs become even more worthless..
6) cisco sells even less equipment as no-one is trained anymore
7) cisco becomes Novell (my apologies to all novell staff)...

a little forethought is all that's required...

as my boss says... one of my main reasons for buying kit is the amount of tech staff available to install/fix the kit... if there's no staff there's no kit

in a job market that is already depressed the last thing that is needed is a flood of Certified but inexperienced people on the market.. the IT industry is like no other, in the fact that we have to CONSTANTLY update our skills ... that takes time, money and personal sacrifice, something i dont think cisco is at all concerned with...

ahh well. no chance of a [EMAIL PROTECTED] list starting any time soon...??

Sorry for the downer
steve

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34069t=34039
ethernet errors explained [7:33687]
Hi Everyone

I'm trying to find some information on some Ethernet errors that I see on a port, see the text below. The machine is an RS6000 and was experiencing some performance problems, the NIC was set to auto negotiation and there were the usual errors. The port and NIC are now both fixed and the errors are increasing steadily, I've had a good search on the CCO but I can't find any explanation of what causes the errors, any advice will be appreciated

Regards Patrick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33687t=33687
Re: ethernet errors explained [7:33687]
Positive, if you look at the show port (on the other mail) you'll see there are no collisions

Thanks

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

Are you sure switch and NIC are the same speed and duplex? Looks like port speed/duplex mismatch.

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

Hi Everyone

I'm trying to find some information on some Ethernet errors that I see on a port, see the text below. The machine is an RS6000 and was experiencing some performance problems, the NIC was set to auto negotiation and there were the usual errors. The port and NIC are now both fixed and the errors are increasing steadily, I've had a good search on the CCO but I can't find any explanation of what causes the errors, any advice will be appreciated

Regards Patrick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33692t=33687
Re: ethernet errors explained [7:33687]
It's an RS6000 not a PC, I think it's running AIX

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

Then try switching ports, shutting it down, different PC, etc. It's probably the PC then

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

Positive, if you look at the show port (on the other mail) you'll see there are no collisions

Thanks

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

Are you sure switch and NIC are the same speed and duplex? Looks like port speed/duplex mismatch.

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

Hi Everyone

I'm trying to find some information on some Ethernet errors that I see on a port, see the text below. The machine is an RS6000 and was experiencing some performance problems, the NIC was set to auto negotiation and there were the usual errors. The port and NIC are now both fixed and the errors are increasing steadily, I've had a good search on the CCO but I can't find any explanation of what causes the errors, any advice will be appreciated

Regards Patrick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33701t=33687
Re: ethernet errors explained [7:33687]
Dave

tried that one first as I thought it was the most interesting, but sadly

(enable) set port inline 2/26 off
Feature not supported on module 2.

I'll go back to basics first, Ole. Thanks for the replies

Pat

MADMAN wrote in message news:[EMAIL PROTECTED]...

You appear to have the inline power module for ip phones. I had a problem once on a server where I disabled the power on the port and this resolved the errors.

C6509 (enable) set port inlinepower 2/26 off

Dave

Patrick Donlon wrote:

And here's the show port I forgot!!

(enable) sh port 2/26
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
 2/26 Temp Driver server connected  990          full   100 10/100BaseTX

Port  AuxiliaryVlan AuxVlan-Status     InlinePowered     PowerAllocated
                                   Admin Oper   Detected mWatt mA @42V
----- ------------- -------------- ----- ------ -------- ----- --------
 2/26 none          none           -     -      -        -     -

Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 2/26 disabled  shutdown             0        0        1 disabled      51

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
 2/26        -                 -        -                 -                  -

Port     Broadcast-Limit Broadcast-Drop
-------- --------------- --------------------
 2/26                  -                    0

Port  Send FlowControl  Receive FlowControl  RxPause TxPause Unsupported
      admin    oper     admin    oper                        opcodes
----- -------- -------- -------- --------    ------- ------- -----------
 2/26 off      off      off      off         0       0       0

Port  Status     Channel              Admin Ch
                 Mode                 Group Id
----- ---------- -------------------- ----- -----
 2/26 connected  auto silent             68     0

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/26     154661     138931          0          0      6246

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/26          0          0          0          0         0     30531         1

Port  Last-Time-Cleared
----- --------------------------

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

Hi Everyone

I'm trying to find some information on some Ethernet errors that I see on a port, see the text below. The machine is an RS6000 and was experiencing some performance problems, the NIC was set to auto negotiation and there were the usual errors. The port and NIC are now both fixed and the errors are increasing steadily, I've had a good search on the CCO but I can't find any explanation of what causes the errors, any advice will be appreciated

Regards Patrick

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33707t=33687
Re: VOIP dial plan [7:31487]
No, not if you specify how many digits will follow the 2. Check this link for some general voip stuff

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t3/voip5300/voip53_1.htm

cheers Pat

Jim Bond wrote in message news:[EMAIL PROTECTED]...

Hello,

I've got a question on dial plan. We've got (208) 472- as DID numbers in our campus, I'd like to use the last 5 digits: 2 in our campus VOIP and 7 digits (no area code) in other offices. In our NY office, we have (845) 288- as regular DID numbers. Is it possible to make 288- goes to NY and 2 stays in our campus? Will the beginning number 2 create any conflict?

Thanks in advance.

Jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31522t=31487
ACS radius attributes [7:29043]
Hi

just a quick question, does anyone know how to set the radius attribute 80 in the ACS server? I can't find it anywhere in the web configuration tool,

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29043t=29043
BGP and memory allocation errors [7:28819]
Hi All

I have a problem with a router running BGP. I have two 7204vxr's running BGP connecting to two different service providers. I upgraded the IOS of one of the routers with version 12.1(5)T10 (IP PLUS IPSEC 3DES) and the boot image, it ran for a week with no problems. I upgraded the other router with the same images and got memory allocation errors when it established adjacency with the BGP neighbours, see the output below. I'm no BGP expert and I believe there is enough memory in the router, so any suggestions will be appreciated

Regards Pat

*Nov 25 15:55:29: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:55:31: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:55:41: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:56:07: %SYS-2-MALLOCFAIL: Memory allocation of 65496 bytes failed from 0x606BE0F4, pool Processor, alignment 0
-Process= BGP Router, ipl= 0, pid= 118
-Traceback= 606C1450 606C38B0 606BE0FC 606BE8F0 6082D330 6082D578 6082EA84 609FA5EC 609FB2B8 61476248 609FB35C 609D61F0 606B7DA4 606B7D90
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor *.*.*.* Down No memory
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor *.*.*.* Down No memory
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor *.*.*.*Down No memory
*Nov 25 15:56:11: %BGP-3-NOTIFICATION: sent to neighbor *.*.*.* 3/1 (update malformed) 0 bytes
*Nov 25 15:56:37: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:56:37: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up
*Nov 25 15:56:51: %BGP-5-ADJCHANGE: neighbor *.*.*.* Up

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28819t=28819
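An added example, not part of the original post: a Python parser that ties each %SYS-2-MALLOCFAIL event to the BGP sessions that drop with "No memory" right after it, which is the pattern in the log above. The sample log is constructed from the post's lines with RFC 5737 documentation addresses in place of the masked neighbors; the function names, the placeholder year and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log in the post. The post masks its
# neighbors as *.*.*.*, so RFC 5737 documentation addresses stand in here.
SAMPLE_LOG = """\
*Nov 25 15:55:29: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
*Nov 25 15:55:31: %BGP-5-ADJCHANGE: neighbor 198.51.100.1 Up
*Nov 25 15:55:41: %BGP-5-ADJCHANGE: neighbor 203.0.113.1 Up
*Nov 25 15:56:07: %SYS-2-MALLOCFAIL: Memory allocation of 65496 bytes failed from 0x606BE0F4, pool Processor, alignment 0
-Process= BGP Router, ipl= 0, pid= 118
-Traceback= 606C1450 606C38B0 606BE0FC 606BE8F0
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down No memory
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor 198.51.100.1 Down No memory
*Nov 25 15:56:08: %BGP-5-ADJCHANGE: neighbor 203.0.113.1 Down No memory
*Nov 25 15:56:11: %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.1 3/1 (update malformed) 0 bytes
*Nov 25 15:56:37: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
"""

# "*Mon DD HH:MM:SS: %FACILITY-SEVERITY-MNEMONIC: text"; the leading "*" is
# what IOS prints when its clock is not synchronised.
HEADER = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%(?P<tag>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
MALLOC = re.compile(
    r"Memory allocation of (?P<size>\d+) bytes failed from "
    r"(?P<caller>0x[0-9A-Fa-f]+), pool (?P<pool>\w+)"
)
# \s* tolerates the "*.*.*.*Down" spacing seen in one line of the post.
ADJ = re.compile(r"neighbor (?P<peer>\S+?)\s*(?P<state>Up|Down)\b\s*(?P<reason>.*)$")
PROCESS = re.compile(r'^-Process=\s*"?(?P<proc>[^",]+)"?')


def parse_events(log_text, year=2000):
    """Parse IOS syslog text into event dicts.

    The log carries no year, so a placeholder year is assumed; only time
    differences within one log are meaningful.
    """
    events = []
    for raw in log_text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head is None:
            # "-Process=" / "-Traceback=" lines continue the previous message.
            proc = PROCESS.match(line)
            if proc and events:
                events[-1]["process"] = proc["proc"].strip()
            continue
        event = {
            "time": datetime.strptime(f"{year} {head['ts']}", "%Y %b %d %H:%M:%S"),
            "tag": head["tag"],
            "text": head["text"],
        }
        if event["tag"] == "SYS-2-MALLOCFAIL":
            m = MALLOC.search(event["text"])
            if m:
                event.update(bytes=int(m["size"]), caller=m["caller"], pool=m["pool"])
        elif event["tag"] == "BGP-5-ADJCHANGE":
            m = ADJ.search(event["text"])
            if m:
                event.update(peer=m["peer"], state=m["state"], reason=m["reason"].strip())
        events.append(event)
    return events


def correlate(events, window=timedelta(seconds=5)):
    """For each MALLOCFAIL, list the BGP sessions dropped for lack of memory
    within `window` and how long after the latest session-Up it happened."""
    adj = [e for e in events if e["tag"] == "BGP-5-ADJCHANGE" and "state" in e]
    findings = []
    for fail in (e for e in events if e["tag"] == "SYS-2-MALLOCFAIL"):
        dropped = sorted({
            e["peer"] for e in adj
            if e["state"] == "Down"
            and "memory" in e["reason"].lower()
            and timedelta(0) <= e["time"] - fail["time"] <= window
        })
        ups = [e["time"] for e in adj if e["state"] == "Up" and e["time"] <= fail["time"]]
        findings.append({
            "time": fail["time"].strftime("%b %d %H:%M:%S"),
            "bytes": fail.get("bytes"),
            "pool": fail.get("pool"),
            "process": fail.get("process"),
            "dropped_peers": dropped,
            "seconds_since_last_up": (fail["time"] - max(ups)).total_seconds() if ups else None,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(finding)
```

A short interval between the last session coming up and the allocation failure, with every peer dropping in the same second, points at the failure happening while the routing tables are still being received.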
3rd party Flash memory [7:28823]
Hi everyone

I am looking at purchasing flash memory cards for Cat6Ks from Kingston, I'd just like to hear from anyone who has done the same and whether the flash cards worked OK

cheers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28823t=28823
Re: ISDN DDR Question [7:28257]
dialer idle-timeout seconds

Have a look at this link it's got lots of info on PPP and multilink

http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:PPPs=Implementation_and_Configuration

Cheers Pat

Sam Deckert wrote in message news:[EMAIL PROTECTED]...

hey all, just wondering if anyone knows how to extend the amount of time it takes before the second channel comes down after the traffic level drops below the load threshold, when using multilink isdn with 2 channels? Any help would be great!!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28265t=28257
Re: VoIP Problem: Billing Triggered Before Authentication [7:28273]
What billing system are you using? Is it based on the PSTN Switches or do you use Radius accounting?

cheers Pat

Chong Chun Wei (Central) wrote in message news:[EMAIL PROTECTED]...

Hi all, Pls help.

Scenario: 2 AS 5300 acting as the originating and terminating gateway on each side of the network. The originating AS5300 is connected to the PSTN switch (SW A) using PRI signaling while the terminating AS 5300 is connected to the PSTN switch (SW B) using R2 signaling. The customer will dial a specific number to access the SW A and then enter the account and pin number. After the authentication, there will be a beep tone followed by the message which prompts the user to enter the destination phone number.

For a normal scenario, after the entering of the destination phone number, there will be a ringing tone. When B-party picks up the phone, there will be a second beep tone which will trigger the billing system to start the billing.

However, what actually happens is that, after the entering of the destination phone number, just right before the ringing tone, there is a click sound immediately before the ringing tone which, undesirably, triggers the billing system. This creates a problem because even before the call gets connected, the customer has already been charged.

The Attempted Solutions include
1. Program the progress indicator at the terminating gateway's dial-peer
2. check the output of the debug isdn a931 (looks fine)

However, the problem still hasn't been solved. Please help.

rgds
Alvin Chong CCNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28273t=28273
Re: IP telephony [7:27533]
Anil

First thing, are you connecting your PBX to the routers via fxs/fxo ports? Are they already in place? As for MGCP and H323, I don't know too much about MGCP and I think it's used for controlling gateways and higher layer features than H323 (anyone please feel free to comment), so go for H323 as you just want to originate and terminate H323 traffic between your routers and CMs. Have a look at this url on the cco for configs

http://www.cisco.com/univercd/cc/td/doc/product/access/nubuvoip/voip5300/index.htm

it's mainly about AS5300s but the platform doesn't really matter once the interfaces are configured. Let me know if you need more info,

cheers Pat

Anil Kumar wrote in message news:[EMAIL PROTECTED]...

This is the Voice network I am implementing. Voip on this network is working.

            Analog Phone        Analog Phone
                 |                   |
                 |                   |
                 |                   |
IPtelphone-CCM3.0-3660 Router--3640 Router--IPtelephone
             With NM-HDV        With NM-HDV
            (Main Office)     (Remote Office)

The problem which I am facing is the call routing between the IP telephone and the Analog phones to both locations. I am a bit confused, and not sure which type of Gateway Type (MGCP or H.323) to use for the 3660 Routers. I read that MGCP is being used mainly for FXS/FXO ports. I am using R2 Digital Signalling for the NM-HDV card. I have enclosed the config of the main location, the same carries for the remote location too.

Request your suggestions / comments on this.

Regards.. Anil

Current configuration:
!
version 12.1
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
service udp-small-servers max-servers no-limit
!
!
enable secret 5 $1$QdNt$.YqZyaiFoHfFW.ZP1yHzG/
!
!
!
!
!
memory-size iomem 10
voice-card 2
!
ip subnet-zero
ip dhcp ping timeout 2000
ip dhcp relay information option
!
ip dhcp-server 179.65.51.20
lane client flush
isdn switch-type primary-net5
cns event-service server
!
!
voice class permanent 10
 signal pattern idle transmit 0001
 signal pattern idle receive 0001
!
!
!
!
!
!
controller E1 1/0
 framing NO-CRC4
 clock source internal
 channel-group 1 timeslots 1-31
 description connected to Branch
!
controller E1 2/0
 framing NO-CRC4
 clock source internal
 ds0-group 0 timeslots 1-15,17-31 type r2-digital dtmf dnis
 description CONNECTED TO NORTEL EPABX
!
!
!
interface Multilink1
 ip address 192.168.0.2 255.255.255.252
 ip helper-address 179.65.51.20
 ip directed-broadcast
 ip tcp header-compression iphc-format
 no ip mroute-cache
 fair-queue 2048 2048 1000
 no cdp enable
 ppp multilink
 ppp multilink fragment-delay 20
 ppp multilink interleave
 multilink-group 1
 ip rtp header-compression iphc-format
 ip rtp priority 16384 16383 1488
!
interface FastEthernet0/0
 ip address 179.65.51.1 255.255.0.0
 ip helper-address 179.65.51.20
 ip directed-broadcast
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
!
interface Serial1/0:1
 no ip address
 ip helper-address 179.65.51.20
 ip directed-broadcast
 encapsulation ppp
 ip mroute-cache
 no fair-queue
 ppp multilink
 multilink-group 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
no cdp advertise-v2
!
snmp-server engineID local 000902024B24BF30
snmp-server community public RO
snmp-server packetsize 2048
!
voice-port 2/0:0
 no modem passthrough
 cptone GB
!
dial-peer voice 100 voip
 destination-pattern 125T
 session target ipv4:192.168.0.1
 codec g711alaw
 ip precedence 5
!
dial-peer voice 10 pots
 destination-pattern 116T
 port 2/0:0
 forward-digits all
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 exec-timeout 20 0
 login
!
end

HO#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27781t=27533
Re: IP telephony [7:27533]
As Matthew said, looks like you've got everything already, all you have to do is set up the call routing, simple

Cheers

Anil Kumar wrote in message news:[EMAIL PROTECTED]...

Hi All,

For a customer I have implemented Voip and IP telephony between two offices with Cisco Call Manager 3.0. I need to integrate the CCM with normal PBX phones, so that users can dial from the normal telephone to the IP telephone. For the Voip I am using Cisco 3640 and 3660 Routers with NM-HDV cards and both the HDV cards are connected to a Nortel PBX.

Need help/suggestions on this. Thanks in advance.

Regards.. Anil

Thanks Regards
V Anil Kumar

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27661t=27533
Re: AS5300 problem [7:27432]
See my comments below

cheers Pat

Chong Chun Wei (Central) wrote in message news:[EMAIL PROTECTED]...

Hi all,

I'm facing some problems with the AS5300 gateway. I suspect there is some problem when I try to monitor the resource statistics from the gateway. Below is the output that I get.

Cisco# sh call resource voice stats
DSP statistics:
 total channels: 120
 inuse channels: 34
 disabled channels: 0
 pending channels; 0
 free channels: 86
DS0 Statistics:
 total channels: 124
 addresable channels: 90
 inuse channels: 10
 disabled channels: 0
 free channels: 80

There are a few questions pertaining to the above:

1. why is the inuse channels of DS0 so low compared to the inuse channels of DSP?

2. why is the addressable channels for DS0 90 only since the total channels are 120???

Have you checked the capability of the voice cards, you can get medium and high complexity cards which support different numbers of channels.

3. why is the total channels of DS0 124, shouldn't it be 120???

Presumably the 4 channels are used for signalling

Cheers,
Alvin Chong CCNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27435t=27432
CCIE bootcamps [7:27180]
Hi everyone

can anyone recommend a boot camp for the UK, I'm thinking about taking one for the written exam to kick start my studies,

cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27180t=27180
Re: IOS PROBLEM!! [7:26978]
Suleman

your IOS probably doesn't support Eigrp, go to the Cisco IOS feature navigator and do a search on EIGRP and you'll get a list of the IOS that support EIGRP, if your IOS version is not in there then you'll have to download a new IOS

Cheers Pat

suleman ibrahim aboo wrote in message news:[EMAIL PROTECTED]...

Hi All,

just a quick question, I have a small cisco 800 series at home, with 4 port hub and a BRI, I've just started to go through the config exercises in the books and one question has cropped up from last night. When I try and enable IGRP, 'router(config)#router igrp 20' it tells me this is an unknown protocol, what have I done, or what is missing? RIP config works, no problem. I know you're going to ask what ver of IOS, as I'm not in front of the console but I know it's above 12.

Please advise,

-suleman

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26986t=26978
Re: OFF TOPIC SHIPPING LAB KIT FROM U.S. TO U.K. [7:26987]
Michael

I've not exactly had the same experience but I've had equipment shipped before from the US where EU duty had to be paid before customs would release it, the goods were purchased for the company's own use. I had this in Holland and Germany and customs won't release it until they get the funds in their bank or a cheque in hand, hope this helps

cheers Pat

Michael Ibidunni wrote in message news:[EMAIL PROTECTED]...

Folks,

I was wondering if anyone in the U.K. has bought any cisco kit for Lab purposes from the states and had it shipped down here? I want to find out what happens at this end with customs.

Thanx in advance

Michael Ibidunni
Senior Systems Engineer
Business Data Services
City M25 Team
NTL: Tel: 0207 562 5800 Mobile: 07866 625922
Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26990t=26987
Cisco ACS and Radius Proxy [7:26826]
Hi All

has anyone configured a Cisco ACS server proxy with a Radius server? I've had a search on the CCO and can't seem to find any useful reading and configurations, any tips or advice welcome

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26826t=26826
Re: Pix question [7:26832]
Ramesh

No you don't need to config NAT, secondly to open up all ports for a host, as a source to anywhere, try this acl

access-list acl_inside permit tcp host 192.10.1.1 any

For some more info have a look at the CCO http://www.cisco.com/warp/customer/707/

cheers Pat

Ramesh c wrote in message news:[EMAIL PROTECTED]...

1) I got a pix in a test (all internal) environment (configured as outside, inside and DMZ). Do I need to use NAT to connect to the outside segment from inside or vice versa? Since the Pix can act as a router, will enabling routing solve this purpose without use of NAT? Applying access list later for security.

2) I want to open all the ports of TCP connection for a particular host. How do I go about it?

cheers Ramesh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26833t=26832
Re: Cisco TACACS+ Problem [7:26783]
Have you checked the keys are the same in the server and router, also check the source IP address the router is using and that which is in your server's entry for the router. Check the logs on your TACACS server, otherwise I think more info is needed

cheers

wrote in message news:[EMAIL PROTECTED]...

I have configured a number of routers to authenticate to the TACACS+ server we have on site. Some routers get the login prompt and some don't and at times others do. Has anyone got any ideas on this?

*** Thomas Jreige
*** Communications Engineer
*** CSC Network Services, Wollongong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26834t=26783
What IOS to choose? [7:26852]
Hi All

I'm looking at upgrading the IOS for a couple of 7204 routers so that they can support SSH, I'm after a bit of info on a good method of selecting the IOS to upgrade to. I've searched the CCO and found that I need an IPSec version, say the Enterprise IPsec with 3DES, I then get a list of IOS to choose from, easy enough. I would like the most stable IOS possible for our situation, so I picked out an IOS 12.1(5)T9, I chose this on the basis of memory requirements alone and the presumption that the earlier versions (T - T8) may have had more bugs. I've then done a search on the bug tool to check for known bugs, and I didn't get any with this specific version. Can anyone else help me with the selection of the IOS, like what else to search for or check before deploying it

cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26852t=26852
Re: Load balancing with Win2k and Cat6k [7:24494]
Thanks George I'll watch out for that,

George Murphy CCNP, CCDP wrote in message news:[EMAIL PROTECTED]...

Just an FYI, last week our server guys at the campus fired up a Win2k load balancing scenario and it was spewing multicasts like a bat out of hell and made parts of the network inaccessible, like printers, an ISDN 128k link, etc. We were using Observer to sniff. Now we have put the little monsters in their own VLAN. The highway is smooth now with the HOV lane in operation ;-)

Jonathan Hays wrote:

Patrick Donlon wrote:

had a look on the CCO, m'soft and HPs site but I can't see much relevant info, can anyone provide some info or experience on this

Really? I searched www.microsoft.com/technet with the phrase network interface load balancing and came up with quite a few hits discussing load balancing (e.g., Configuring Network Load Balancing Q240997). You may get more help on your problem from a Microsoft newsgroup. It's hard to see how this is a Cisco ACS problem; it seems more like a Microsoft Windows problem.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24766t=24494
Load balancing with Win2k and Cat6k [7:24494]
Hi everyone

I'm trying to set up an ACS server for fault tolerance/load balancing (I'm not sure if they are separate features or work together) connected to two Cat 6Ks. The ACS is a HP netserver and was already set up with two NICs and a virtual interface before I got my hands on it. The NICs are connected to separate switches each in the same vlan, with a trunk between the switches. When I plug the two interfaces into the switch only one of the interfaces actually works, any frames sent to the other NIC are lost I presume. I've had a look on the CCO, m'soft and HPs site but I can't see much relevant info, can anyone provide some info or experience on this

Cheers Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24494t=24494
Re: ISDN Calls from Pots? [7:21738]
Mike's correct, I'm sure you need digital modems to allow an ISDN interface to access analogue calls, as in an access server.

regards

Mike Sweeney wrote in message news:[EMAIL PROTECTED]...

Don't you need digital modems for the ISDN circuit to carry the voice (pots) connection? IE.. PRI configured to use both ISDN and POTS has a digital modem card for the conversion. I would imagine that a BRI line needs the same type of conversion.. ie.. VoIP..

Here is one link that talks about it.. but it's noted that DoV lines can be corrupted since not all ISDN switches can handle this properly..

http://www.cisco.com/warp/public/793/access_dial/8.html

Anyone else that can add to this.. please do!!!

MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=22018t=21738
Re: CVOICE [7:22000]
Congrats, what sort of questions did you get? I've been thinking of taking the voice exam for some time but haven't because I thought the exams are only for Cisco partners and I'm working for an end user at the moment.

Regards Patrick

Cisco Breaker wrote in message news:[EMAIL PROTECTED]...

Passed. Questions about ports on 36xx and 26xx series were hard.

best regards,

Cisco Breaker wrote in message news:[EMAIL PROTECTED]...

I am taking CVOICE exam in a few hours. Any last minute advice would be appreciated.

Best regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=22062t=22000
Cat 6000 [7:21845]
We have a couple of Cat 6Ks running IOS, when CRT terminal software is starting from a PC with the console cable connected it goes into rom monitor mode. Anyone know the reason for this, I haven't found anything on the CCO yet

regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21845t=21845
Re: VoIp over 64K leased line [7:21532]
Yes over the internet, but not over 64k lines in production. The principle's the same but you've just got less capacity and you'll be more reliant on qos and queuing. What exactly do you want to know?

regards Pat

MJ wrote in message news:[EMAIL PROTECTED]...

Hello everyone,

Has anyone here implemented VoIP over 64K digital leased lines over the internet? Would you like to share your experience here..?

Mukul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21545t=21532
Re: TCP H.225 [7:21519]
Matthew

here's a little info on the ports used in h323:

To set up a voice connection, the initiator starts a H.225 connection over TCP to the destination entity (normally the gatekeeper) at port number 1720. In this session a port number for the following H.245 connection is exchanged. The initiator opens in the next step a H.245 connection to the gatekeeper over TCP (ephemeral port), in which ports for the actual voice traffic between two H.323 terminals are exchanged. While the H.225 connection could be torn down after the H.245 ports have been exchanged, it will in practice stay up until the call is over.

The gatekeeper itself will also open connections to the terminating H.323 terminal in order to be able to negotiate the ports that should be used between the initiating and the terminating H.323 terminal.

Other TCP ports used for RAS services are 1718 (H.323 gatekeeper discovery) and 1719 (H.323 gatekeeper registration and status).

regards Pat

Matthew Webster wrote in message news:[EMAIL PROTECTED]...

Hi all,

I am a recent CCNA graduate, and am about to tackle the challenges of the CCNP Routing 2.0 exam. Look forward to asking/providing help where possible!

Anyway, I have a question - does anyone know the ITU spec, or RFC that deals with TCP ports for H.225 RAS messages. I know that port 1719 is used for ARQ's and ARC's, but am not sure what port 1720 is used for... here is part of the Etherpeek trace:

TCP - Transport Control Protocol
Source Port: 64642
Destination Port: 1720 RAS Transport Layer Service Access Point

can anyone help?

cheers, Matthew.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21546t=21519
Re: VoIp over 64K leased line [7:21532]
Hardware: we used AS5300 as PSTN gateways located in various countries to terminate off-net traffic; they had up to 4 x E1s and were connected to, or close to, the backbone, which had v.high throughput. For the on-net traffic 1750, 2600, 3600, AS5300s were used. The local tail connections to the internet were fairly high capacity again, no less than 2MB; we tested much lower speeds in the lab though.

QoS is very difficult across the internet so only the local tail was worked on, had to rely on bandwidth after that. The best QoS results in testing were with CBWFQ/LLQ BUT in most places the routers the CPE connects to don't support these features and you only have the ToS bit to play with.

Codecs used were g711 (80k or 65k per call) as standard and g729 (24k or 12k per call), if asked for. We never had any major problems with quality of calls, most people couldn't tell the difference with g711. Generally if there were problems they occurred in the call set up.

For call set up we used a 3rd party gatekeeper solution. Don't bother: it was a very good idea, i.e. not being tied to one supplier and using open standards as much as you can with VoIP, but it didn't always work. Cisco's gatekeeper was a joke about a year ago, it may be better now, but you can do it all manually if you haven't got too many sites as a last resort.

Hope this answers some questions

Regards

MJ wrote in message news:[EMAIL PROTECTED]...

Just wanted to ask you what hardware you have implemented? What is the bandwidth? How many channels? And please tell us about your experience, since I am also looking to implement the same.

Mukul

Patrick Donlon wrote in message news:[EMAIL PROTECTED]...

Yes over the internet, but not over 64k lines in production. The principle's the same but you've just got less capacity and you'll be more reliant on QoS and queuing. What exactly do you want to know?

regards
Pat

MJ wrote in message news:[EMAIL PROTECTED]...

Hello everyone, has anyone here implemented VoIP over 64K digital leased lines over the internet? Would you like to share your experience here?

Mukul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21550t=21532
Wireless NICs [7:21568]
I'm testing out a Cisco Aironet 340 access point; it's working fine with Win2k and a handheld Ipaq. However, when I try to set up an NT machine I don't get an IP address from the DHCP server. The client tells me it's associated; the only difference I can see on the status between the Win2K and NT is that the NT machine has ETSI as the channel set whereas Win2k has North America. I've tried different NICs and NT drivers. Also, occasionally I see a message saying that WEP is not purchased or enabled in the Network security tab on the ACU properties. Help!!

regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21568t=21568
Re: EIGRP network design [7:21019]
The firewalls are for the internet and the intranet. At the moment I'm thinking of using statics on the outside of the internet firewall and possibly using RIPv2 for the inside. For the intranet I'm considering using RIP on both sides, but statics haven't been ruled out for either firewall.

regards

Chuck Larrieu wrote in message news:[EMAIL PROTECTED]...

My question was the design itself - why are there firewalls at all these branches if this is an internal network? Firewalls generally would be placed at network edges? Is this a VPN solution?

Otherwise, if this is an issue of placing security zones throughout a corporate network, I would make each zone self contained, with static routes into the other zones. I'm not so sure I would want to be running routing protocols through a firewall, if for no other reason than that the routing updates could be sniffed, and would reveal more than should be revealed about network structure.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Wednesday, September 26, 2001 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: EIGRP network design [7:21019]

RIPv1 sends to 255.255.255.255. RIPv2 sends to 224.0.0.9. They both use UDP port 520. Both the source and dest ports are 520.

Are you sure static routes wouldn't be the best bet, though? I haven't followed the entire discussion, so if that's off the wall, just ignore it.

Priscilla

At 09:09 AM 9/26/01, Carroll Kong wrote:

Hm. If you are that worried about internal security, you should probably make an ACL that allows only the redistributing router's IP, deny all other UDP port 520 reqs (for RIPv1, or multicast 224.0.0.5? re-check what it uses). Also, you might need to write some no nat rules to avoid NAT. That might be more work than statics. Yes, IPs are spoofable, and so are MAC addresses. If your internal security helps avoid this (easy to do), then an ACL for RIP updates should be fairly secure.

At 04:41 AM 9/26/01 -0400, Patrick Donlon wrote:

Yes, the firewalls are all PIX. For the PIX, can I set up the PIX to receive RIP routes redistributed from the EIGRP routers? If so this will save a lot of admin work, but will this be a security risk, i.e. someone being able to inject routes into the PIX?

regards

Carroll Kong wrote in message news:[EMAIL PROTECTED]...

What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls: is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

-Carroll Kong

-Carroll Kong

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21269t=21019
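The RIP filter discussed in the thread above (accept updates only from the redistributing router, with UDP port 520 as both source and destination, sent to the address that matches the RIP version), as an added example that is not part of any poster's message. The address 10.1.1.1, the function names and the sample packets are constructed for illustration.

```python
import socket
import struct

RIP_PORT = 520
# Destination each RIP version sends to, as stated in the thread.
RIP_DEST = {1: "255.255.255.255", 2: "224.0.0.9"}
# Hypothetical address of the redistributing router (constructed).
TRUSTED_SOURCES = {"10.1.1.1"}


def check_rip_update(src_ip, dst_ip, src_port, dst_port, payload):
    """Return (accepted, reason) for one UDP datagram seen at the firewall."""
    if dst_port != RIP_PORT:
        return True, "not RIP, outside this filter"
    if src_port != RIP_PORT:
        return False, "source port is not 520"
    # A RIP message is a 4-byte header plus zero or more 20-byte entries.
    if len(payload) < 4 or (len(payload) - 4) % 20:
        return False, "malformed RIP packet"
    _command, version = struct.unpack("!BB", payload[:2])
    if RIP_DEST.get(version) != dst_ip:
        return False, "destination does not match RIP version"
    if src_ip not in TRUSTED_SOURCES:
        return False, "untrusted source"
    return True, "RIP from redistributing router"


def rip_response(version, routes):
    """Build a constructed RIP response; routes are (prefix, mask, metric)."""
    pkt = struct.pack("!BBH", 2, version, 0)  # command 2 = response
    for prefix, mask, metric in routes:
        # Entry: address family 2 (IP), route tag, prefix, mask, next hop, metric.
        pkt += struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                           socket.inet_aton(mask), bytes(4), metric)
    return pkt


# Constructed sample traffic, not captured from a real network.
UPDATE = rip_response(2, [("172.16.6.0", "255.255.255.0", 1)])
SAMPLES = [
    ("10.1.1.1", "224.0.0.9", 520, 520, UPDATE),    # trusted router
    ("10.1.1.77", "224.0.0.9", 520, 520, UPDATE),   # some other inside host
    ("10.1.1.1", "224.0.0.9", 40000, 520, UPDATE),  # wrong source port
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:4], check_rip_update(*sample))
```

The source-address test is only as strong as the anti-spoofing controls on the inside network, which is the caveat Carroll Kong raises in the thread.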
Re: Voice over IP specific [7:21031]
Looking at what you're doing you should be able to dial only once and reach the client on the other side. From my experience you would never have to dial an access code at each stage. I've got some sample configs with POTS ports and lots of ISDN configs; if you have any more specific questions let me know.

regards

Cisco Breaker wrote in message news:[EMAIL PROTECTED]...

Hi All,

We have a customer that wants an implementation of voice over IP. Their dial plan will be like this.

A-clients --pbx--router--voip--router--pbx--Bclients | | router | PBX | Cclients

Normally if an A client wants to reach a client from B, they dial 66 and from PBX or FXS they get a line and dial 76 and reach the corresponding router from voip and dial 86 to reach PBX and as the last step they dial the Bclients expansion number 801.

My question is this: is it possible to only dial once and reach the corresponding Bclient from A without PLAR (cause A client will Cclients too)? I want to appoint only one number and make it dial all 66,76,86,801 with commas of course, cause there is a waiting time over PBXs.

Best regards,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21113t=21031
Re: EIGRP network design [7:21019]
Yes, the firewalls are all PIX. For the PIX, can I set up the PIX to receive RIP routes redistributed from the EIGRP routers? If so this will save a lot of admin work, but will this be a security risk, i.e. someone being able to inject routes into the PIX?

regards

Carroll Kong wrote in message news:[EMAIL PROTECTED]...

What kind of firewalls? PIX? If so, try RIP v2 with redistribution into your routers. As for discontiguous networks, there are many ways around that, with a different cost associated of course.

At 12:52 PM 9/25/01 -0400, Patrick Donlon wrote:

Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls: is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

-Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21114t=21019
Aironet 340 [7:20978]
Hi All

I've a Cisco Aironet 340 access point and I have a current association from the AP to the LAN card in my laptop. However, I am not getting a DHCP address from the LAN which the AP is connected to. I'm using Win 2K and I've read a URL about the Aironet drivers needing to be 16 bit not 32 bit; could this be an issue? Also the AP gets a DHCP address for its own interface without any problems. Can anyone help?

Regards
Patrick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=20978t=20978
EIGRP network design [7:21019]
Hi everyone

I've got a project where I have to design and implement EIGRP in a small to medium sized network of about 50 to 70 routers. One of my main problems is what to do with routing updates at the firewalls at each site: should they be allowed to pass through the firewall or should statics be used either side of the firewalls? Another problem I can see is the routes on the firewalls: is there a way to avoid having to type all those route entries in them? The network has many discontiguous networks. And one last point is the redistribution to the BGP routers at the edge of the network.

I'm after some tips, experiences and URLs so I can read around the subject myself.

Regards
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21019t=21019