RE: Network Monitoring [7:63532]
You may also want to look at netsaint or MRTG.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sonic
Sent: February 21, 2003 3:29 PM
To: [EMAIL PROTECTED]
Subject: Re: Network Monitoring [7:63532]

WhatsUp Gold by Ipswitch might do it for you?
http://www.ipswitch.com/Products/WhatsUp/index.html

Brian

Kevin Banifaz wrote in message news:[EMAIL PROTECTED]

Does anyone know of any free or really cheap network monitoring tools? I work for a real cheap company and I can't get them to shell out for HP OV. I appreciate a response.

Thanks in advance
Kaveh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63537t=63532
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: cisco router as DHCP server [7:58049]
Yes it can, but it must be IOS 12.0(1)T or later.

DHCP:

! specifies cisco as the string used for the address pool
ip dhcp pool cisco
 ! range of addresses for pool
 network 10.1.1.0 255.255.255.0
 ! defines a default gateway to be leased out
 default-router 10.1.1.254
 ! 0 days, 0 hours, 15 minute lease
 lease 0 0 15
 dns-server x.x.x.x
 domain-name cisco.com
! (GLOBAL) LAN interface addresses, etc.
ip dhcp excluded-address 10.1.1.1

Rob Payne, CCIE #8325
Cisco Systems - AES (NSA)
Cellular: 479-366-0629
E-mail: [EMAIL PROTECTED]
Pager: 1-888-342-7923 OR [EMAIL PROTECTED]
Success is a Journey... Not a Destination

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of puro prasad
Sent: Monday, November 25, 2002 1:07 PM
To: [EMAIL PROTECTED]
Subject: cisco router as DHCP server [7:58049]

Hi all,

Can a cisco router act as a DHCP server by itself?

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58055t=58049
RE: RE: Block MSN Messenger [7:57595]
Yes, and I have done it all via the PIX. Where you run into problems is when they use port 80.

Rob

Rob H Mears III, CCNP, MCSE, NNCDS, NNCSS, CNE, A+
LAN Engineer and Technical Mercenary
Valor Telecom
469.420.2656

-----Original Message-----
From: vikramjskeer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: RE: Block MSN Messenger [7:57595]

Hi All,

Very rightly said that these messengers use so many servers and so many ports that it's kind of impossible to block them all. But you can very easily do it, right on the OS level. I know about Win2K that you can set up some system policies with which you can directly block these exes themselves.

Hope it helps.

Regards,
Vikram

Lidiya White wrote:

Try to block the login servers: http://acronymsonline.com/im_ips.htm

-- Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Josh Green
Sent: Monday, November 18, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Block MSN Messenger [7:57595]

It is possible, however Messenger uses so many different ports on so many different servers that it's not worth your time.

-----Original Message-----
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 8:36 AM
To: [EMAIL PROTECTED]
Subject: Re: Block MSN Messenger [7:57595]

no. don't waste your time.

Ahed Naimi wrote in message news:[EMAIL PROTECTED]...
> Dear All;
>
> Is there any way to block MSN Messenger by using the access-list statements
> on an IOS Cisco router.
>
> Thanks All.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57717t=57595
RE: what program can decrypt secret password? [7:55680]
Kenny

The cisco passwords encrypted using Service Password Encryption (type 7) use an encryption scheme known as Vigenère. It's been around since the 1600 (the date not the router); basically it's a replacement algorithm and is easily cracked.

The cisco secret is an MD5 digest of your password and is uncrackable. However, if you have a copy of the encrypted password you can use a brute force tool to determine the password. Look for a tool called Tomas, and add to the dictionary the most likely passwords that you may have used, e.g. cisco.

regards
Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55763t=55680
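An added example, not part of the original post: a small configuration audit that reports which credentials in an IOS config are stored as type 7 or clear text rather than as a type 5 secret, which is the distinction the message above draws. The sample configuration, hostname, usernames and encoded strings are constructed dummy values, and the function names are this example's own.

```python
"""Audit an IOS configuration for passwords stored as type 7 or clear text."""

# Constructed sample configuration. The encoded and hashed strings are dummy
# values made up for this example, not real credentials.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
enable secret 5 $1$abcd$0123456789abcdefghijkl
enable password 7 0011223344556677
!
username admin privilege 15 password 7 0611223344AA
username ops secret 5 $1$wxyz$abcdefghijklmnopqrstuv
username legacy password changeme
!
line con 0
 password 7 00AABBCCDD
line vty 0 4
 password 7 11EEFF0011
 login
"""

KINDS = ("password", "secret")


def classify(kind, rest):
    """Map the tokens after 'password'/'secret' to (storage description, weak?)."""
    if len(rest) >= 2 and rest[0].isdigit():
        ctype = int(rest[0])
    else:
        ctype = 0  # no type digit: the value is stored exactly as typed
    if ctype == 5 and kind == "secret":
        return "type 5 (MD5-based hash)", False
    if ctype == 7:
        return "type 7 (reversible encoding)", True
    if ctype == 0:
        return "type 0 (clear text)", True
    return f"type {ctype} (not assessed here)", False


def audit(config):
    """Return one finding per stored credential. Values are never echoed."""
    findings, section = [], None
    for lineno, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        indented = raw[0].isspace()
        if not indented:
            section = raw.strip()  # e.g. "line vty 0 4"
        if tok[0] == "enable" and len(tok) > 2 and tok[1] in KINDS:
            owner, kind, rest = "enable", tok[1], tok[2:]
        elif tok[0] == "username" and len(tok) > 3:
            # Skip options such as "privilege 15" that precede the keyword.
            idx = next((i for i in range(2, len(tok)) if tok[i] in KINDS), None)
            if idx is None or idx + 1 >= len(tok):
                continue
            owner, kind, rest = f"username {tok[1]}", tok[idx], tok[idx + 1:]
        elif indented and tok[0] in KINDS and len(tok) > 1:
            owner, kind, rest = section, tok[0], tok[1:]
        else:
            continue
        storage, weak = classify(kind, rest)
        findings.append({"line": lineno, "owner": owner, "kind": kind,
                         "storage": storage, "weak": weak})
    return findings


def redundant_enable_passwords(findings):
    """Lines of 'enable password' entries left in place beside an 'enable secret'."""
    has_secret = any(f["owner"] == "enable" and f["kind"] == "secret"
                     for f in findings)
    return [f["line"] for f in findings
            if has_secret and f["owner"] == "enable" and f["kind"] == "password"]


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        flag = "WEAK" if f["weak"] else "ok  "
        print(f"{flag} line {f['line']:>2}  {f['owner']:<16} {f['kind']:<8} {f['storage']}")
    for line in redundant_enable_passwords(results):
        print(f"note line {line}: enable password is still stored although an "
              "enable secret is configured")
```

When both an enable secret and an enable password are configured the secret is the one used, so the leftover type 7 line only adds exposure of whatever password it encodes.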
RE: dhcp client cisco 2500 [7:52922]
I don't know about autoinstall, but version 12.2.x will support DHCP... I'm using it to grab my IP from my Cable Provider.

Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52926t=52922
RE: Review of network design, any takers ? [7:52776]
I'd also be willing.

Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52794t=52776
RE: ICQ and blocking the thing-PIX [7:52285]
So true, but ICQ is using port 80, which kills me.

-----Original Message-----
From: Creighton Bill-BCREIGH1 [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 12:07 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

Make sure that you carefully figure out the correct side of the connection. ICQ server runs on port 4000, and the client chooses a random high-numbered port. That means you will see UDP packets FROM (inbound/source) port 4000 going to the random port.

In other words, don't go looking in a port database trying to figure what that random, high-numbered port means. The significant port is the source.

HTH

Bill Creighton CCNP
Senior System Engineer
Motorola iDEN CNRC Packet Data

-----Original Message-----
From: Mears, Rob [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 9:48 AM
To: [EMAIL PROTECTED]
Subject: ICQ and blocking the thing-PIX [7:52285]

Hi Cisco gods,

I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS they use port 80. This is where I am stuck, I can't block port 80 as you know, so how do I kill this monster?

Has anyone had luck with this and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it.

My inside ACL in the pix is quite impressive and all just for blocking this crap; if anyone would like it for theirs I will provide it, as it is proven and works, with exception to ICQ.

HELP WANTED

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52606t=52285
RE: ICQ and blocking the thing-PIX [7:52285]
Yep, all steps you stated have been covered, but employees will be employees. What can I say?

-----Original Message-----
From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 3:49 PM
To: [EMAIL PROTECTED]
Subject: RE: ICQ and blocking the thing-PIX [7:52285]

ICQ now has a web based version also, just go to the web, put in your ID and you're on. Now being devil's advocate, I am aware of the trojans and viruses that get spread on ICQ, but if it is not interfering with work progress then why such the hassle. It seems as if you're burning more cycles trying to block it when it almost seems to me that this is a losing battle. The only recourse I think you have is to go to HR with your security plan, have them put this in your computer usage policy for work and then brief every one of the employees why this is a no no.

I have sniffed the web version with sniffer pro and it looks to me it strictly uses port 80. But just by blocking it, and I do not know if you are notifying anyone or if this is in your security policy, it just seems like you're a loose renegade on the network to implement your own security policy, which will tick people off. I think if you take my approach above and people understand why you are doing it then it is less likely to turn whirlwinds into a hurricane of upset users, especially if it was allowed in the past.

NO BASHING please :) you may have taken these steps already; if so, the only thing to do is report them to HR, especially if it is causing problems for you on the network and putting business assets at risk.

-----Original Message-----
From: Shawn Heisey [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 4:21 PM
To: [EMAIL PROTECTED]
Subject: Re: ICQ and blocking the thing-PIX [7:52285]

I may be off my rocker, but I think it's possible that you could set up an IDS system that blocks access to any IP on the outside that sends packets to your network that look like ICQ. At the very least it could record the addresses for future inclusion into ACLs.

This won't block the people who set up SSH tunnelling as described in other messages, but you can make it a violation of security policy to use that kind of back door.

Thanks,
Shawn

Mears, Rob wrote:

Hi Cisco gods,

I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS they use port 80. This is where I am stuck, I can't block port 80 as you know, so how do I kill this monster?

Has anyone had luck with this and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it.

My inside ACL in the pix is quite impressive and all just for blocking this crap; if anyone would like it for theirs I will provide it, as it is proven and works, with exception to ICQ.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52607t=52285
ICQ and blocking the thing-PIX [7:52285]
Hi Cisco gods,

I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS they use port 80. This is where I am stuck, I can't block port 80 as you know, so how do I kill this monster?

Has anyone had luck with this and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, 'cause for every block I am countered with a way around it.

My inside ACL in the pix is quite impressive and all just for blocking this crap; if anyone would like it for theirs I will provide it, as it is proven and works, with exception to ICQ.

HELP WANTED

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52285t=52285
SolutionLabs [7:51753]
Does anyone have experience with the labs from SolutionLabs.com?

Thanks
Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51753t=51753
SolutionLabs [7:51754]
Does anyone have experience with the labs from SolutionLabs.com?

Thanks
Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51754t=51754
Netscreen and Cisco PIX [7:51294]
Hello,

Anyone have a working config example from a Netscreen that is doing VPN to a PIX?

Thanks
Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51294t=51294
RE: Looking for the best storage strategy [7:48708]
Sounds like you need to look at a centralized data management facility consisting of some type of tape library (they range anywhere from 20 to several hundred tapes and 20+ drives with the ability to cascade them together). It all depends on what the size, demographics, and the backup/recovery requirements are of your systems.

If you are considering a dedicated, centralized backup facility, you'll definitely need a dedicated network, although I've seen many people sharing the network with their corporate network (which is not a recommended practice). If your budget allows and your requirements are such that you can justify a higher end solution, SAN is the more recommended solution.

For backup, Veritas has all kinds of solutions, i.e. DataCenter, BackupExec, depending on your needs and scope. You may want to check out www.backupcentral.com to get some more ideas on this.

HTH

Rob
SCSA, SCNA, CCNA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven A. Ridder
Sent: Saturday, July 13, 2002 7:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Looking for the best storage strategy [7:48708]

Legatio and a SAN. I probably spelled it wrong, but that's the best package.

Firesox wrote in message news:[EMAIL PROTECTED]...

Folks,

I am searching for the best way to do the backup for servers. Currently we have local backup tape devices running Backup Exec. I need to find the best way to take this local backup to some kind of remote device. I understand there are many ways such as SAN, Fiber Channel, etc., but would like the best way to do the automatic backup of servers remotely.

Any thoughts would be greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48740t=48708
RE: PIX525\Web Sense and Chat programs [7:46013]
Very well

Thanks
Rob

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 2:25 PM
To: Mears, Rob; [EMAIL PROTECTED]
Subject: RE: PIX525\Web Sense and Chat programs [7:46013]

For aol just block access to the login servers. Login.oscar.aol.com ( it used to be this )

For Yahoo, it's much more difficult, and time consuming. You will also inadvertently block access to some portions of the yahoo website. I used a sniffer and my PC to see what servers that YIM logged into. I would block the one I connected to, and then restart the sniffer and the software. It took about 8 hours, but I managed to block YIM. Of course that was after they told me it couldn't be done :) Yahoo made a bad mistake telling me that.

ICQ uses TCP 6667 if I remember correctly. Since I have only allowed certain traffic through the FW, it was already blocked.

It takes time to get it figured out, but these programs CAN be blocked. If nothing else, just deny access to all of yahoo, by inserting a bad yahoo.com in your domain server!

Thanks
Larry

-----Original Message-----
From: Mears, Rob [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: PIX525\Web Sense and Chat programs [7:46013]

Hello Cisco people

We are using Web Sense to block most of the sites that we feel necessary but have had problems with programs like AOL, MSN, ICQ chat programs. So I am going to stop this at the PIX and was wondering who out there had blocked chat programs in the enterprise, and methods used.

I fully understand the steps needed to block what is needed on the PIX but was wanting to hear horror stories or problems you might have encountered. I would also like to know what sites (address\protocols) you had to block to stop these programs because some are http based (AIM, MSN, etc.).

For those of you who have applied rules to the inside interface of the pix, did you notice any performance issues or any other problem related to having all outbound traffic filtered?

Thank you

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46194t=46013
RE: Question about the 350 series AP [7:45971]
Mine has both

-----Original Message-----
From: Henry D. [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 1:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Question about the 350 series AP [7:45971]

Mine included everything.

Roberts, Larry wrote in message news:[EMAIL PROTECTED]...

OK, can someone confirm/deny that the 350 will only accept in-line power? Does it come with the in-line power injector, or is this a separate item?

I have read everything I can and all points say it only has in-line power, but none say whether this is included ( I can't imagine it wouldn't be )

Thanks
Larry

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46204t=45971
RE: PIX525\Web Sense and Chat programs [7:46013]
Cisco People

This is how u block Messenger access on a PIX firewall and it works.

Some might ask why not just block all and permit the other, and this is the way I would like to do it one day. But to encounter the least amount of down time I chose to apply in this fashion.

To block chat programs, simply use access-list on PIX. Some of the common chat programs use following ports:

**common chat ports**
tcp 6667 (irc) 6660-6670 (the default being 6667).
tcp 6665-6669 (common IRC)
tcp 5190 (aol)
tcp 5190, dyn =1024 (aol ICQ)
tcp/udp 5190-5193 (aol)
tcp 1863 (msn)
tcp/udp 4020 (ichat)
tcp 5000-5001 and udp 5000-5010 (Yahoo voice chat)
tcp 5050 (Yahoo messages)
tcp 5100 (Yahoo Webcams)

Below you can get the config for the pix:

access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any any eq 1024
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny tcp any any eq 4020
access-list acl_inside deny tcp any any eq 5050
access-list acl_inside deny tcp any any eq 5100
access-list acl_inside deny udp any any eq 4020
access-list acl_inside deny tcp any any range 6665 6669
access-list acl_inside deny udp any any range 5190 5193
access-list acl_inside deny tcp any any range 6660 6670
access-list acl_inside deny tcp any any range 5000 5001
access-list acl_inside permit tcp any any

Hope this helps someone

Thanks
Rob

-----Original Message-----
From: Mears, Rob
Sent: Monday, June 10, 2002 8:11 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX525\Web Sense and Chat programs [7:46013]

Very well

Thanks
Rob

-----Original Message-----
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 2:25 PM
To: Mears, Rob; [EMAIL PROTECTED]
Subject: RE: PIX525\Web Sense and Chat programs [7:46013]

For aol just block access to the login servers. Login.oscar.aol.com ( it used to be this )

For Yahoo, it's much more difficult, and time consuming. You will also inadvertently block access to some portions of the yahoo website. I used a sniffer and my PC to see what servers that YIM logged into. I would block the one I connected to, and then restart the sniffer and the software. It took about 8 hours, but I managed to block YIM. Of course that was after they told me it couldn't be done :) Yahoo made a bad mistake telling me that.

ICQ uses TCP 6667 if I remember correctly. Since I have only allowed certain traffic through the FW, it was already blocked.

It takes time to get it figured out, but these programs CAN be blocked. If nothing else, just deny access to all of yahoo, by inserting a bad yahoo.com in your domain server!

Thanks
Larry

-----Original Message-----
From: Mears, Rob [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 07, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: PIX525\Web Sense and Chat programs [7:46013]

Hello Cisco people

We are using Web Sense to block most of the sites that we feel necessary but have had problems with programs like AOL, MSN, ICQ chat programs. So I am going to stop this at the PIX and was wondering who out there had blocked chat programs in the enterprise, and methods used.

I fully understand the steps needed to block what is needed on the PIX but was wanting to hear horror stories or problems you might have encountered. I would also like to know what sites (address\protocols) you had to block to stop these programs because some are http based (AIM, MSN, etc.).

For those of you who have applied rules to the inside interface of the pix, did you notice any performance issues or any other problem related to having all outbound traffic filtered?

Thank you

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46207t=46013
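An added example, not part of the original post: a first-match evaluator for the acl_inside list quoted in the message above, run against a few constructed flows to show what the list covers and what its implicit deny does to traffic the list never mentions. It assumes acl_inside is the only list bound to the inside interface and maps the PIX port literal aol to TCP 5190; the function names are this example's own.

```python
"""First-match evaluation of the acl_inside list quoted in the post above."""

# The access list exactly as posted in the thread.
ACL_TEXT = """\
access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny tcp any any eq 1024
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny tcp any any eq 4020
access-list acl_inside deny tcp any any eq 5050
access-list acl_inside deny tcp any any eq 5100
access-list acl_inside deny udp any any eq 4020
access-list acl_inside deny tcp any any range 6665 6669
access-list acl_inside deny udp any any range 5190 5193
access-list acl_inside deny tcp any any range 6660 6670
access-list acl_inside deny tcp any any range 5000 5001
access-list acl_inside permit tcp any any
"""

# Port literals used by the list; only the one that appears is mapped.
PORT_LITERALS = {"aol": 5190}


def port_number(token):
    return PORT_LITERALS[token] if token in PORT_LITERALS else int(token)


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO any any [eq P | range LO HI]'."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        action, proto, rest = tok[2], tok[3], tok[6:]
        if not rest:
            lo, hi = 0, 65535
        elif rest[0] == "eq" and len(rest) == 2:
            lo = hi = port_number(rest[1])
        elif rest[0] == "range" and len(rest) == 3:
            lo, hi = port_number(rest[1]), port_number(rest[2])
        else:
            raise ValueError(f"unsupported port match: {raw!r}")
        rules.append({"action": action, "proto": proto, "lo": lo, "hi": hi,
                      "text": raw.strip()})
    return rules


def evaluate(rules, proto, dst_port):
    """Return (action, rule text) for the first match, else the implicit deny."""
    for r in rules:
        if r["proto"] == proto and r["lo"] <= dst_port <= r["hi"]:
            return r["action"], r["text"]
    return "deny", "(implicit deny at end of list)"


def redundant_rules(rules):
    """Pairs (rule, covering rule): same action and protocol, ports fully
    covered, and no opposite-action rule for those ports in between."""
    found = []
    for i, a in enumerate(rules):
        for j, b in enumerate(rules):
            if i == j or a["proto"] != b["proto"] or a["action"] != b["action"]:
                continue
            if not (b["lo"] <= a["lo"] and a["hi"] <= b["hi"]):
                continue
            if (a["lo"], a["hi"]) == (b["lo"], b["hi"]) and j > i:
                continue  # identical rules: report only the later copy
            between = rules[min(i, j) + 1:max(i, j)]
            if any(r["proto"] == a["proto"] and r["action"] != a["action"]
                   and r["lo"] <= a["hi"] and a["lo"] <= r["hi"] for r in between):
                continue
            found.append((a["text"], b["text"]))
            break
    return found


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Constructed outbound flows: (description, protocol, destination port).
    flows = [
        ("MSN on its listed port", "tcp", 1863),
        ("AOL on its listed port", "tcp", 5190),
        ("any client using HTTP", "tcp", 80),
        ("port just above 1024", "tcp", 1025),
        ("DNS lookup", "udp", 53),
    ]
    for label, proto, port in flows:
        action, why = evaluate(rules, proto, port)
        print(f"{action:<6} {proto}/{port:<5} {label:<24} <- {why}")
    for rule, cover in redundant_rules(rules):
        print(f"redundant: {rule!r} is covered by {cover!r}")
```

The run shows the final permit covers TCP only, so UDP that is not explicitly listed (DNS included) falls to the implicit deny, while anything carried over TCP 80 is permitted, which matches the port 80 problem raised elsewhere in these threads.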
PIX525\Web Sense and Chat programs [7:46013]
Hello Cisco people

We are using Web Sense to block most of the sites that we feel necessary but have had problems with programs like AOL, MSN, ICQ chat programs. So I am going to stop this at the PIX and was wondering who out there had blocked chat programs in the enterprise, and methods used.

I fully understand the steps needed to block what is needed on the PIX but was wanting to hear horror stories or problems you might have encountered. I would also like to know what sites (address\protocols) you had to block to stop these programs because some are http based (AIM, MSN, etc.).

For those of you who have applied rules to the inside interface of the pix, did you notice any performance issues or any other problem related to having all outbound traffic filtered?

Thank you

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46013t=46013
RE: PIX - Why NO global (outside) command [7:45676]
The statement "NAT and GLOBAL is used for inside to outside communication. STATIC is used for outside to inside communication." no longer holds true, but it is a good rule to keep you straight.

Check out ios PIX 6.2, they have removed the rules as we know it. You can now do a static (outside,inside) or a nat 1 (outside) x.x.x.x

Cool stuff

Thanks
Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+
Technical Mercenary
Valor Telecom.com

-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX - Why NO global (outside) command [7:45676]

NAT and GLOBAL is used for inside to outside communication. STATIC is used for outside to inside communication.

Since the device(s) we're talking about seems to be a server/service of some kind located on your inside network, you use the NAT 0 to let the server communicate outbound with the same (unNATed) IP address, and you use STATIC with the same IP for global and local so outside clients can access the services running on the server.

Hth,
Ole

Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
http://www.RouterChief.com
Need a Job? http://www.OleDrews.com/job

-----Original Message-----
From: Karagozian Sarkis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX - Why NO global (outside) command [7:45676]

Thanks Ole, I just noticed the nat 0

Here is how this old PIX is configured:

nat (inside) 0 216.119.xx.0 255.255.255.0 0 0
static (inside,outside) 216.119.xx.0 216.119.xx.0 netmask 255.255.255.0 0 0 -- why same IP for both??
static (websvers,outside) 216.119.xx.240 216.119.xx.240 netmask 255.255.255.240 0 0 --- also same IP for both ??

Can u explain more...

Thanks
Sarkis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45700t=45676
RE: Please confirm (conf#5c214c1a2179c93c3a80627ad4edc7b1) [7:45500]
Does anyone know what these messages are about? I've been seeing them quite frequently over the last little while.

Thanks.

== RB ==

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard L. Pickard
Sent: Thursday, May 30, 2002 9:20 PM
To: [EMAIL PROTECTED]
Subject: RE: Please confirm (conf#5c214c1a2179c93c3a80627ad4edc7b1) [7:45493]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 11:01 AM
To: [EMAIL PROTECTED]
Subject: Please confirm (conf#5c214c1a2179c93c3a80627ad4edc7b1)

Hi,

You have tried to post to GroupStudy.com's Professional mailing list. Because the server does not recognize you as a confirmed poster, you will be required to authenticate that you are using a valid e-mail address and are not a spammer. By confirming this e-mail you certify that you are not sending Unsolicited Bulk Email (UBE).

PLEASE DO NOT SEND YOUR ORIGINAL MESSAGE AGAIN! BY CONFIRMING THIS EMAIL YOUR ORIGINAL MESSAGE (WHICH IS NOW QUEUED IN THE SERVER) WILL BE POSTED.

By confirming this e-mail you also certify the following:

1. The message does NOT break Cisco's Non-Disclosure requirements.
2. The message is NOT designed to advertise a commercial product.
3. You understand all postings become property of GroupStudy.com
4. You have searched the archives prior to posting.
5. The message is NOT inflammatory.
6. The message is NOT a test message.

To confirm, simply reply to this message. No editing is necessary. Once confirmed, you will be able to post without additional confirmations.

Welcome to GroupStudy.com!

-----ORIGINAL MESSAGE-----
From: nettable_walker
Newsgroups: groupstudy.cisco
Subject: council cable --- Cisco to Nortel/Bay
Date: Tue, 21 May 2002 12:01:22 -0500

5/21/2002 10:45am Tuesday

Professionals,

I have a Cisco terminal server controlling 15 Cisco routers/switches/PIXs. I would like to add support for 4 Nortel routers.

The Nortel council cable is DB9 female to DB 9 female straight thru. My plan is to plug plastic terminal adapters [ DB 9 to RJ 45 ] into the Nortel devices.

Can anyone give me an idea for the pin out on this?

Thanks,
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45500t=45500
RE: telnet terminal [7:45397]
Try PuTTY and/or TeraTerm. They are both free and they both are very easy to use.

HTH.

Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Mandulak
Sent: Wednesday, May 29, 2002 5:06 PM
To: [EMAIL PROTECTED]
Subject: Re: telnet terminal [7:45397]

Here's a link for some shareware clients, http://cws.internet.com/telnet.html

I think the only free one there is the Hyperterm Private Edition upgrade. It adds amongst other things TCP/IP (Winsock) support.

----- Original Message -----
From: . .
To:
Sent: Wednesday, May 29, 2002 5:54 PM
Subject: telnet terminal [7:45397]

what is a popular (and free) telnet terminal for all of you using?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45408t=45397
RE: CCIE Number [7:44294]
I believe the first # issued was 1025...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44297t=44294
RE: ARP problems, anyone? [7:44108]
When PC2 attempts to send a response, it checks its routing table first. No default gateway, no route to host. Done. It won't check the arp table, because the process stops at layer 3 (IP) when it can't find a route to PC1.

Instead of adding a static arp entry, you could add just a static ip route entry, and still avoid having a default gateway on there.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44122t=44108
RE: Upgrade IOS on 2504, Please assist [7:44135]
Do you want to do it via x-modem for some reason? If not, I'd recommend pulling the image from a tftp server over the network instead.

Here is a link: http://www.cisco.com/warp/public/130/sw_upgrade_proc_flash.shtml

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44136t=44135
RE: BGP Multihoming Policy [7:43962]
You'll probably need to use as prepends to control traffic in both directions from the ISP side...

To control user's OUTBOUND traffic patterns:

On the BGP connections to these users, for any of the less preferred routes (from AS2 and AS3), you want to set up a route-map to match those less preferred AS's and then do an as prepend to increase the ASPATH length, and thus make them less favorable from the user's perspective. This will cause the user's OUTBOUND traffic to prefer links through any AS that doesn't have the ASPATH increased. You could also use MEDs to accomplish the task, but you need to make sure that the user has his equipment configured to accept them. The as prepends can't really be ignored by the user's routers.

To control user's INBOUND traffic patterns:

On the BGP connections to less preferred AS's (AS2, AS3), you need to have a route-map on your outbound route announcements. This route-map needs to match any routes for your users and set an as prepend on these routes before announcing them. You might have to do more than one prepend to get the results you want, depending on how your provider connections are set up. But again, this step will increase the ASPATH length on user routes announced to the less preferred AS's.

Hope this helps. Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43976t=43962
Re: 1924 Switch: Takes long time to ping device af [7:43903]
PAgP (Etherchannel) negotiation can also take up about 15 seconds. Turn it off with:

hostname(config)# port-channel mode off

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43941t=43903
RE: R/S recert [7:43890]
I took the R/S IP Cert about a year ago. It was fairly straightforward. Cisco has the requirements on their website. If you feel you need to review, read through Routing TCP/IP Vol I by Jeff Doyle. You can also read the BGP and multicast sections in Routing TCP/IP Vol II. That should give you a pretty good review of everything.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43942t=43890
RE: Reg: OSPF [7:43726]
We ran OSPF on a relatively small network (15 sites, about 2-5 network devices per site). All 2500's with 4MB of RAM. Not even close to taxing the routers. This was at an ISP with about a /21 worth of class Cs spread out in a not-so-intelligent manner between the sites.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43945t=43726
RE: BGP Multihoming Policy [7:43962]
On the user's router you'll want to have them apply a route-map to routes from AS1 that sets the local pref to 200 (or something higher than the default of 100). Those routes will then be used over any from the other AS's for outbound traffic from that user. If the user wants to control inbound traffic, have them use AS Prepends to make the ASPATH length longer on routes announced out less preferred paths.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43963t=43962
RE: Give up...Cannot ping from one spoke to anothe [7:43795]
Sounds like bootcamp lab #1 to me... heh. Try policy-based routing on the frame interfaces of the spokes. You want it to change the next hop to point back to the hub router's IP...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43808t=43795
Re: Classful Prefix-list [7:39113]
I believe this will do what you are looking for. I did a little testing and it seemed to work well:

ip prefix-list classful seq 5 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list classful seq 10 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list classful seq 15 permit 192.0.0.0/3 ge 24 le 24

Hope that helps, Rob. CCIE 6922

William Lijewski wrote in message news:[EMAIL PROTECTED]...

Can someone tell me how to create a Prefix-list to only allow classful routes for BGP. I know you can do the following with an extended access-list:

access-list 100 permit ip 0.0.0.0 127.0.0.0 host 255.0.0.0
access-list 100 permit ip 128.0.0.0 63.255.0.0 host 255.255.0.0
access-list 100 permit ip 192.0.0.0 31.255.255.0 host 255.255.255.0

Is there a way to do it? Any good reading material on Prefix-lists? Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39187t=39113
Re: Classful Prefix-list [7:39113]
To better understand why this works:

In the very first octet, the following applies:

class A addresses start with the first bit = 0
class B addresses start with the first two bits = 10
class C addresses start with the first three bits = 110

So the 0.0.0.0/1 means look for a network address of 0.0.0.0, but only pay attention to the very first bit (and make sure that it is a zero). So 0.0.0.0/1 identifies all class A networks - from 0.0.0.0 to 127.255.255.255. The ge 8 le 8 says only accept routes with a mask of 255.0.0.0. The combination of these two identifies all classful class A networks (0.0.0.0/8 to 127.0.0.0/8).

Same with the 128.0.0.0/2 - that means make sure the first two bits are 10, but then ignore everything else. So this includes all class B addresses - from 128.0.0.0 to 191.255.255.255.

Rob.

Rob Webber wrote in message news:[EMAIL PROTECTED]...

I believe this will do what you are looking for. I did a little testing and it seemed to work well:

ip prefix-list classful seq 5 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list classful seq 10 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list classful seq 15 permit 192.0.0.0/3 ge 24 le 24

Hope that helps, Rob. CCIE 6922

William Lijewski wrote in message news:[EMAIL PROTECTED]...

Can someone tell me how to create a Prefix-list to only allow classful routes for BGP. I know you can do the following with an extended access-list:

access-list 100 permit ip 0.0.0.0 127.0.0.0 host 255.0.0.0
access-list 100 permit ip 128.0.0.0 63.255.0.0 host 255.255.0.0
access-list 100 permit ip 192.0.0.0 31.255.255.0 host 255.255.255.0

Is there a way to do it? Any good reading material on Prefix-lists? Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39204t=39113
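The matching rule explained in this thread can be checked offline. The following Python model is an added example, not code from either poster: it evaluates the posted prefix-list and the posted extended ACL against a set of constructed sample routes and confirms the two filters agree. The function names and the sample routes are assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two filters exactly as posted in the thread.
PREFIX_LIST = """
ip prefix-list classful seq 5 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list classful seq 10 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list classful seq 15 permit 192.0.0.0/3 ge 24 le 24
"""
ACL = """
access-list 100 permit ip 0.0.0.0 127.0.0.0 host 255.0.0.0
access-list 100 permit ip 128.0.0.0 63.255.0.0 host 255.255.0.0
access-list 100 permit ip 192.0.0.0 31.255.255.0 host 255.255.255.0
"""
# Constructed sample routes (not from the thread): classful networks,
# subnets, supernets, a default route and a class D block.
SAMPLE_ROUTES = [
    "0.0.0.0/0", "10.0.0.0/8", "10.0.0.0/7", "10.1.0.0/16", "127.0.0.0/8",
    "128.0.0.0/16", "172.16.0.0/16", "172.16.0.0/12", "192.168.1.0/24",
    "192.168.0.0/16", "223.255.255.0/24", "224.0.0.0/24",
]

@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    permit: bool
    prefix: ipaddress.IPv4Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # Step 1: the route's leading bits must equal the entry's prefix bits.
        if not route.subnet_of(self.prefix):
            return False
        # Step 2: the route's mask length must fall in the allowed window.
        if self.ge is None and self.le is None:
            return route.prefixlen == self.prefix.prefixlen
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high

_LINE = re.compile(r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?$")

def parse_prefix_list(text: str) -> List[PrefixEntry]:
    entries = []
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            raise ValueError("unrecognised prefix-list line: " + line)
        seq, action, prefix, ge, le = m.groups()
        entries.append(PrefixEntry(int(seq), action == "permit",
                                   ipaddress.IPv4Network(prefix),
                                   int(ge) if ge else None,
                                   int(le) if le else None))
    return sorted(entries, key=lambda e: e.seq)

def prefix_list_permits(entries, route) -> bool:
    for entry in entries:          # first match wins
        if entry.matches(route):
            return entry.permit
    return False                   # implicit deny at the end of the list

def parse_acl(text: str) -> List[Tuple[bool, int, int, int]]:
    # Form used in the thread: access-list N permit ip NET WILDCARD host MASK.
    # As a route filter, NET/WILDCARD tests the network, "host MASK" the mask.
    rules = []
    for line in text.strip().splitlines():
        f = line.split()
        net, wild, mask = (int(ipaddress.IPv4Address(x)) for x in (f[4], f[5], f[7]))
        rules.append((f[2] == "permit", net, wild, mask))
    return rules

def acl_permits(rules, route) -> bool:
    net, mask = int(route.network_address), int(route.netmask)
    for permit, want_net, wild, want_mask in rules:
        care = ~wild & 0xFFFFFFFF  # bits the wildcard does not ignore
        if ((net ^ want_net) & care) == 0 and mask == want_mask:
            return permit
    return False

def classify(route_text: str) -> Tuple[bool, bool]:
    """Return (prefix-list verdict, ACL verdict) for one route."""
    route = ipaddress.IPv4Network(route_text)
    return (prefix_list_permits(parse_prefix_list(PREFIX_LIST), route),
            acl_permits(parse_acl(ACL), route))

def permitted_samples() -> List[str]:
    return [r for r in SAMPLE_ROUTES if classify(r)[0]]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(f"{r:18} prefix-list={classify(r)[0]!s:5} acl={classify(r)[1]}")
```

Because the first entry covers everything from 0.0.0.0/8 to 127.0.0.0/8, the list also admits 0.0.0.0/8 and 127.0.0.0/8; it filters on classfulness only, so any bogon filtering has to be done with separate entries.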
Re: Appreciate Your Expertise On This Strange ARP Problem [7:38828]
Alec,

This is quite an interesting scenario you ran into. I think I can explain what happened. As you mentioned Cisco enables proxy-arp by default. Usually this is a good thing - in this case it was the cause of the problems.

Before the change when a 10.67.7.* DHCP client wanted to connect to a 10.67.1.* server, the client would issue an ARP request for the 10.67.1.* address. This ARP request would reach the actual server as well as the A router. The A router would see that the request was for an address that it believed was on a completely different subnet (10.67.1.0). Since proxy ARP was enabled (by default), the router would answer the ARP request using its own mac address as the destination mac address.

At this point there would be a race between the server responding (correctly) to the ARP request and the A router responding to the ARP request. When the server's ARP response won that race, everything worked fine. When the A router won the ARP response race, it would receive the packets destined for the server from the client. The A router would then attempt to route those packets to the correct destination. Its default route said to route them to router B, which it would do. Router B would then know to forward those packets right back out the same interface to the server. In this scenario traffic was taking a strange path, but still working (it's likely router B would actually also send an ICMP packet which may have taken router A out of the loop).

When the default route for router A was removed, the same race still occurred. Except now when router A won the race it had no route to correctly send the packet. Thus the packets would never make it to router B and/or the server and communication was lost.

You correctly fixed the problem, though it would have been interesting to see if disabling proxy arp on router A also would have fixed the problem. My guess is it would have...

Rob.

wrote in message news:[EMAIL PROTECTED]...

Hi there

This is my first time to post a question. Here is a real scenario which happened a few days ago. Though the problem has been resolved, i still cannot understand what the cause is.

Customer A has a partner connection to B's network. due to lack of capability on B's Router/Firewall, one of A's router is plugged directly onto B's internal LAN (sounds silly, but it is true). B's LAN use 10.67.0.0/16 address, of which 10.67.1.x is for servers, 10.67.2.x for routers/switches, 10.67.7.x and 10.67.8.x for DHCP clients. B's router has 10.67.2.1 addr. A's router on B's LAN gets assigned an ip addr 10.67.2.2, but a wrong /24 mask was given by B. since A's users need to talk to B's server, a static route (ip route 10.67.1.0 255.255.255.0 10.67.2.1) was added. A default route is also configured (ip route 0.0.0.0 0.0.0.0 10.67.2.1) on the A's router.

when this default route was taken off (no obvious reason to point a default route to B's default router), all B's dhcp clients cannot talk to their own servers (10.67.1.x) any more even they are on the same subnet. B's network support was called in, and they found that the A's router is incorrectly answering ARP requests (by default ip proxy-arp is enabled on the LAN interface). and somehow the arp response reaches the client before the server's, so the client cannot talk to the servers. the problem later was resolved by rectifying the subnet mask on A's router. but i still cannot figure out what went wrong when the default route on A's router was removed.

I'll be much appreciated if anyone can shed some lights on this.

regards
Alec Shi
Senior Support Engineer
Axon Computertime
Auckland NZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38828t=38828
Re: cisco switches (with MSFC) arp timer question [7:38635]
For step 3, it depends whether the link between core 1 and core 2 is a routed link or a trunk (ISL or 802.1Q) link. If it's a routed link (such as VLAN 3, with all VLANs running OSPF), core 1 will route the packet to core 2 and core 2 will route the packet to client 2.

For step 4, client 2 will not ARP for client 1. Since client 1 and client 2 are on different VLANs, client 2 will ARP for its default gateway - core 2. When core 2 receives the packet it will send it via core 1. Again, depending on whether this is a routed or trunked link will dictate exactly how this packet is sent from core 2 to core 1.

Anytime a router (MSFC) needs to forward a packet to a client, if it does not have an ARP entry, it will ARP for the client. If a switch ages a MAC address out from its CAM table, it will flood (to all ports on the VLAN) the very first frame that has a destination of the unknown MAC address. Due to the flooding, the frame will reach the correct destination. Once that station replies with the very first packet, the CAM table will be updated and no more flooding will occur.

Hope that helps - Rob. CCIE 6922

z z wrote in message news:[EMAIL PROTECTED]...

Hi

One interesting scenario here. Two core switches (with MSFC) running HSRP. Core 1 is the master for vlan 1, and core 2 is the master for vlan 2. Understand MSFC arp timer is 4 hours, but switch CAM timer is 300 seconds. So there will be one problem:

1. Client 1 (vlan 1) wants to talk to client 2 (vlan 2). It will send one frame to client 2 using Core 1's mac address as the destination mac, because Core 1 is its gw.
2. Core 1 will check its routing table and forward the packet to client 2. Meantime, it will change the frame's source mac address to its own mac and the des mac to client 2's mac address.
3. Core 2 will just simply switch the frame to client 2, because core 1 has done the routing. To core 2, its arp table and aft table won't contain client 1's mac address so far, since core 1 has translated the frame's source mac address.
4. When client 2 wants to reply, it will send the replying packets to core 2. Core 2 will arp for client 1's mac address. When client 1 replies to this arp request, core 2 will add its mac address to both its arp table and aft table.
5. this is working fine so far.
6. after 300 seconds, core 2's aft table times out. However its arp table is still valid, so it won't do any more arp requests. When client 2 wants to talk to client 1, core 2 will do the routing correctly, but then flood the frames to all the switch ports.

Is my theory correct?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38701t=38635
Re: Is this possible? [7:38098]
As far as getting the PIX to prompt for authentication, it can be done, however it needs to be done by a browser (since the browser has the ability to pop up a username/password box, but Citrix doesn't have this capability). You can simply have them go to a static web page that you create which will ask for authentication. Once authenticated, they can (and only then) get to Citrix on 1494.

In this example 10.20.10.51 would be your Citrix server and 10.20.10.4 would be your web server. Obviously they could be the same box...

aaa authentication http inbound 10.20.10.4 255.255.255.255 0.0.0.0 0.0.0.0 tacacs+
aaa authorization tcp/1494 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0
aaa authorization udp/1604 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0

The TACACS+ or Radius server would then have a rule that states when address x.x.x.x authenticates via HTTP, it is allowed to connect to server y.y.y.y via 1494 and/or 1604.

Rob.

Johnson, Richard (NY Int) wrote in message news:[EMAIL PROTECTED]...

Hi All,

Is it possible to do the following. I have a Citrix server on my internal network which has an outside address via NAT. On the PIX port 1494, ICA client, is open and is obviously allowed to come in. The user is then prompted for a user name and password. Upon entering this information, they are then prompted for the pin and secure ID by our RSA server. My question is this, as opposed to having the Citrix server prompt them for their RSA info I would love for them to be prompted by the firewall. Any ideas if it can?

Thanks, Rich

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38427t=38098
Re: blocking spanning tre ports [7:37663]
If I understand your topology correctly, switches 3 and 4 share an Ethernet segment. If I remember Spanning Tree correctly, one of these two will be the designated bridge for that segment. That bridge will be forwarding packets toward the root. All other bridges on that segment (in this case, the other switch) will block their link if it creates a loop. I believe the designated bridge is the one on that segment with the lowest priority. If the priority is the same, the one with the lowest bridge ID (mac address) becomes the designated bridge.

Changing the path cost on the link between 3 and 4 shouldn't have much effect on the switch that is the designated bridge - it will be forwarding anyway. Changing the path cost on the other switch should affect which of its links are forwarding and which are blocked.

My guess is you don't have to actually change the path cost on both switches on floor 1 and floor 4. I think if you change the path cost on one of those two switches (the designated bridge) it actually won't have any effect (and thus you really don't need to...). You can also try setting which bridge is the designated one by making its priority lower than the other one - but DON'T make its priority lower than the root!

Rob. CCIE 6922

steve skinner wrote in message news:[EMAIL PROTECTED]...

guys, another question .. in one of my sites i have clusters of 3548 switches .. At each end of the cluster i have a link to the distribution layer... i have multiple uplinks to each switch (6 in cluster).. and in the middle we have set the spanning-tree cost on one interface of the uplinks to much higher than default ...(that way switch 1-3 use distribution link 1 and switch 4-6 use distribution link 6).. what i am finding odd is that on switches 3 and 4 (the middle of my cluster) i have to increase the cost on both switches' uplinks sometimes and others just 1 switch, other times (to force it into blocking)...

floor 1 i had to do both
floor 2 just switch 3
floor 4 both
floor 5 just switch 3
floor 6 just switch 3

what i dont understand is why...??? i should have to set the uplink ports from 3 to 4 to both having high costs ... why does it sometimes work with just one... any ideas..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37879t=37663
Re: BGP using AS_PATH attribute [7:37749]
I haven't seen the lab, either, but how did you perform the filtering of AS65000? When I read your post I was thinking of the neighbor remove-private-as command. That should allow R3's loopback network to propagate, just that R1 won't see the 65000 AS. Feel free to post your configs and anything else relevant, I'll take a look.

Rob. CCIE 6922

Mike Sweeney wrote in message news:[EMAIL PROTECTED]...

I've been studying BGP using several books and papers. One of which is the Cisco Academy Semester 5 lab companion. So far it's been pretty good but Lab 8-3 drives me nuts. 3 routers.. 3 AS

R1 --- R2 --- R3
AS100  AS300  AS65000

The idea is to have everyone share routes (did that) and then to filter off the AS65000 number as the update is sent to R1 (did that). The kicker was I was *supposed* to be able to ping R3 from R1 after this.. no way.. wasn't going to happen. The only network statements were the loopbacks for each router.. I was able to ping r3 AFTER I added the network statement to R2 that id'ed the interface IP between R2 and R1. That was not in the lab.. If someone who has this lab could take a look and explain why the ping should or should not work?

Thanks MikeS

PS- I really am learning to dislike BGP right now ;)

---lab configs used

hostname R1
!
!
memory-size iomem 10
ip subnet-zero
!
interface Loopback0
 ip address 201.1.1.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/0
 no ip address
 no ip directed-broadcast
!
interface Serial0/0
 ip address 192.168.1.5 255.255.255.252
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
!
router bgp 100
 no synchronization
 network 201.1.1.0
 neighbor 192.168.1.6 remote-as 300
 neighbor 202.2.2.2 remote-as 300
!
no ip classless
no ip http server
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
no scheduler allocate
end
R1#

hostname R2
!
!
ip subnet-zero
!
!
!
interface Loopback0
 ip address 202.2.2.2 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 shutdown
 media-type 10BaseT
!
interface Serial0
 ip address 172.24.1.17 255.255.255.252
 no ip directed-broadcast
 no ip mroute-cache
 clockrate 56000
!
interface Serial3
 ip address 192.168.1.6 255.255.255.252
 no ip directed-broadcast
 clockrate 100
!
router bgp 300
 no synchronization
 network 202.2.2.0
 neighbor 172.24.1.18 remote-as 65000
 neighbor 192.168.1.5 remote-as 100
 neighbor 192.168.1.5 remove-private-AS
!
!if I add network 192.168.1.0, I can ping R3 from R1. Without it..no go
no ip classless
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
R2#

hostname R3
!
!
no ip subnet-zero
!
!
process-max-time 200
!
interface Loopback0
 ip address 203.3.3.3 255.255.255.0
 ip directed-broadcast
!
interface Ethernet0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Serial0
 ip address 172.24.1.18 255.255.255.252
 no ip directed-broadcast
!
router bgp 65000
 no synchronization
 network 203.3.3.0
 neighbor 172.24.1.17 remote-as 300
!
no ip classless
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
!
end
R3#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37881t=37749
Re: MPLS in the Enterprise [7:36670]
I see your point on security, but I don't completely agree. Your current Frame Relay network is only as secure as your carrier. If someone at your carrier maps a PVC between you and company X, real traffic can flow (assuming your router picks it up and places it on the physical interface, which it likely would). Granted, the only way someone could probably use this to hack into your network was if they had a route to you (which they could add) and if you had a route back to them (unlikely unless you are running a routing protocol and they pick up on it). It seems to me you could make MPLS fairly secure by using a routing protocol with authentication and a simple access list.

To answer John's original question, I have only seen MPLS deployed in one organization - they are using Equant as their carrier. They are happy with it, but it's hardly widespread. I'm curious why they said they could not give John any-any connectivity if he kept his addressing?? That's basically exactly what MPLS was meant to do...perhaps it's an implementation issue...? It's also curious why they even suggested changing the addressing. On a network as big as John's (100 sites) it's a ridiculous idea, and as Joseph mentioned they are going to add a unique VRF, so it doesn't matter if the carrier has 100 customers that all use 192.168.1.0...

Rob.

Joseph Brunner wrote in message news:[EMAIL PROTECTED]...

i was pitched this very thing recently by wcom and qwest.. basically it is only as secure as your carriers.. if some f*cks up and imports something into your VRF, either a default, another vpn, or whatever your security is finished.. plug banks are supposed to encrypt over IPSEC, so why bother running MPLS (come on how much diff-serv can you do on frac T-1's anyway) if you are just going to IPSEC the packets between pix's or vpn concentrators anyway.. MPLS right now for 100 sites, just can't be trusted. I used to work for ISP's, everyone there was a perp.. trust my vpn security to some loser ISP. No thanks

read this http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/mxinf_ds.htm

Joseph Brunner
ASN 21572
MortgageIT MITLending
New York, NY 10038
(212) 651 - 7695 Voice
(212) 651 - 7795 Fax

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 12:24 PM
To: [EMAIL PROTECTED]
Subject: MPLS in the Enterprise [7:36670]

Okay, I'm about to show how clueless I am when it comes to MPLS

I've been getting calls from multiple providers lately all trying to suggest that I migrate our 100-site frame relay network to their MPLS network, suggesting that we'll have any-to-any connectivity and the ability to prioritize traffic classes within the MPLS network. Are any of you doing something like this?

I'm going to read up on it but I'm having trouble visualizing it. Does this basically turn our network into a giant multipoint network? Do our branch routers need to be aware of MPLS or do providers make this transparent somehow? How does this affect routing? It seems that if we have any-to-any connectivity then the branch routers don't even need to run a routing protocol; every router would have one exit point to get to any destination. But, how would the MPLS cloud know where to route packets? The more I think about it it seems like our branch routers would have to participate in MPLS to provide the necessary destination info for the MPLS cloud.

See how clueless I am? Ugh... Time to do some studying on this. Since we already do a little video conferencing over IP and are working on getting VoIP working, it might be beneficial to get away from the frame relay network. But since I don't understand this new technology, I don't know if it's a viable solution for us or not. Off to CCO I go!

Thanks, John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36694t=36670
Re: Where is Bruce Caslow ECP1 Class? [7:36501]
Now called RS-NMC-1 (Routing and Switching Net Master Class)

Rob.

Will K. wrote in message news:[EMAIL PROTECTED]...

Does anyone know where information about this class can be found? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36513t=36501
Re: Where is Bruce Caslow ECP1 Class? [7:36501]
Oops - apparently the link did not come through for some reason. It is: www.netmasterclass.net/nmc/

Rob.

Will K. wrote in message news:[EMAIL PROTECTED]...

Does anyone know where information about this class can be found? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36515t=36501
Re: TWO ISP AND ONE FAILURE [7:36371]
For the outbound connectivity, use the HSRP track feature. That watches an interface (the WAN link to your ISP). If that interface goes down, the HSRP priority of that router gets reduced, making the other router (with the good ISP link) the HSRP primary. HSRP will make it so no changes are required at your server.

As mentioned if you have Internet facing servers (mail server, web server), you really need BGP. However many ISPs will now accept advertisements as small as /24. So if you have a class C of registered addresses (or if you can get that) you can advertise it to both ISPs via BGP (even if it was assigned to you by one of the ISPs).

Rob. CCIE 6922

Chris Charlebois wrote in message news:[EMAIL PROTECTED]...

Depends a lot on what kind of connection you want. If you are just talking about outbound access from your site, that isn't a problem. Set up the two routers on the same subnet and use HSRP. Best practice would be to set up two HSRP addresses; each router will be primary for one address and backup for the other. That way you can direct traffic over a specific connection when it's all up, but traffic will fail over to one connection if the other goes down.

If, on the other hand, you want to maintain public services during an outage (ie, web pages, FTP sites, incoming e-mail), that is a gorilla of a completely different color. If your site is big enough, you could justify a /19 public address, which can be routed via BGP. That would solve a lot of your problems, but it's unlikely that you'd be asking the question if you had a /19. Some protocols will allow you to specify a backup via DNS (I'm thinking SMTP), but that only helps with mail. Otherwise, your options are co-locating the equipment you always want available, or switching both your WAN connections to the same ISP. There is no really easy solution.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36378t=36371
Re: Fiber optic interface question [7:36366]
I am not completely sure, but I do not believe these two cards will interoperate. The PA-POS is a packet-over-Sonet module. Thus that box will look to frame the layer 2 frames as POS frames - and it will use the entire OC-3 for the one POS connection. The PA-A3 is an ATM module. It is looking to fill it with 53-byte ATM cells, and it is expecting to divide the OC-3 bandwidth between whatever SVCs or PVCs have been created.

Just my thoughts - Rob.

Alejandro Acosta wrote in message news:[EMAIL PROTECTED]...

Hello, I am about to purchase a Fiber Optic Interface; because this kind of card is pretty expensive I prefer to ask you in order not to buy the wrong interface. Can I connect these two cards: PA-POS-OC3SMI and PA-A3-OC3SMI? We are going to use single mode fiber and it is Mid Range. Thanks in advance.

Alejandro Acosta

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36412t=36366
Re: TWO ISP AND ONE FAILURE [7:36371]
I agree that this configuration - with HSRP and tracking - could work well for connections that are initiated outbound. You would not necessarily need BGP. R1 could do an outbound NAT to whatever IP address space had been assigned by ISP 1. R2 could do an outbound NAT to whatever IP address space had been assigned by ISP 2. The return traffic would use the correct ISP based on that address space - without any BGP. However, if you do need inbound connections - and chances are you do - BGP is the most realistic way to do it. BGP on 2500's is fine. If you are only taking the default route it's probably easier on the box than running OSPF. Rob. John Neiberger wrote in message news:[EMAIL PROTECTED]... I'm not sure I understand your point. Assume the following topology: [R1] [R2] || || \--/ | [HOST] The two border routers are R1 and R2 and each has a connection to an ISP. HSRP is configured to track the WAN link. The default gateway on the host is the HSRP standby ip address. If either WAN link goes down, the relevant router--because it is tracking the WAN link--will notify the other router that it is no longer eligible and the other router will take over. Why are you saying that the perceived uptime to the host would not increase using this method? As I see it, unless both links go down, the downtime would be quite minimal. Thanks, John Hire, Ejay 2/25/02 11:24:23 AM Come on guys, Think about it for a minute. Do you really think the router is failing, or is his downtime caused by the wan link? HSRP won't significantly increase your uptime if the wan link is failing and he has to manually change his server's IP/default gateway to switch to the other link. A different way to think of it... If you had a car with no brakes and a broken tail-light, which would you fix first? -Ejay -Original Message- From: Ladrach, Daniel E. [mailto:[EMAIL PROTECTED]] Sent: Monday, February 25, 2002 11:48 AM To: [EMAIL PROTECTED] Subject: RE: TWO ISP AND ONE FAILURE [7:36371] Run HSRP between the two cisco routers and then point your default gateway to the VIP address. Daniel Ladrach CCNA, CCNP WorldCom -Original Message- From: Yassel Omar Izquierdo Souchay [mailto:[EMAIL PROTECTED]] Sent: Monday, February 25, 2002 10:11 AM To: [EMAIL PROTECTED] Subject: TWO ISP AND ONE FAILURE [7:36371] Hello, I have a frequent problem with one of my ISPs. I have two Cisco routers, each one connected to a different ISP. Frequently I have to change the gateway of one of my servers, because one ISP is failing. I want to know if with one of BGP, OSPF, RIP, NAT or another protocol I could do the change automatically to the other active ISP. It is happening to me right now. And when I have to do that I have to reset one of my servers.. :S. It is a costly operation; it's a mail server. So if somebody knows how to resolve this between routers with a different ISP each, how to route across the other good gateway. Thnx in advance Yassl Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36430t=36371
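The design discussed in this thread (HSRP tracking the WAN link, with each router doing outbound NAT to its own ISP's address space), sketched as IOS configuration. This is an added example, not a configuration posted by anyone in the thread; the interface names, HSRP group number, priorities and all addresses are constructed.

```cisco
! ---- R1: normally active gateway, uplink to ISP 1 (constructed addresses) ----
interface Ethernet0
 description LAN side, shared with R2
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 ! Virtual gateway address the hosts use as their default gateway
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 ! If Serial0 goes down, priority drops by 20 (110 -> 90), below R2's 100
 standby 1 track Serial0 20
!
interface Serial0
 description WAN link to ISP 1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Outbound traffic is translated to R1's ISP 1 address
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 Serial0

! ---- R2: standby gateway, uplink to ISP 2 (constructed addresses) ----
interface Ethernet0
 description LAN side, shared with R1
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 ! Preempt lets R2 take over as soon as R1's tracked priority falls to 90
 standby 1 preempt
!
interface Serial0
 description WAN link to ISP 2
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Outbound traffic is translated to R2's ISP 2 address
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface Serial0 overload
ip route 0.0.0.0 0.0.0.0 Serial0
```

Interface tracking reacts only when Serial0's line protocol goes down, so an outage further inside the ISP leaves R1 active. Sessions open at failover are dropped, because the translated source address changes with the ISP.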
RE: PIX information [7:35294]
Any changes you make to the Pri PIX will be written to the SEC, no need to day anything. Good Idea to move the sec and do a Wr M Rob -Original Message- From: Evans, TJ [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 13, 2002 12:53 PM To: [EMAIL PROTECTED] Subject: RE: PIX information [7:35294] I believe it sync's them auto-magically, or perhaps on a timed basis. Regardless ... I always do a wr standby ... just to be sure. Thanks! TJ -Original Message- From: Hartnell, George [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 13, 2002 12:46 PM To: [EMAIL PROTECTED] Subject: RE: PIX information [7:35294] AND, am I to understand correctly, as the manual is quite vague, that an upgrade of the primary failover unit also updates the secondary? Or, must the hapless administrator do each individually? Best, G. -Original Message- From: Jose Celestino [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 13, 2002 7:12 AM To: [EMAIL PROTECTED] Subject: Re: PIX information [7:35294] PIX-FW1# copy ? usage: copy tftp[:[[//location][/pathname]]] flash For instance: copy tftp://192.168.2.2/configs/pix.cfg flash Thus spake BASSOLE Rock, on Wed, Feb 13, 2002 at 09:06:59AM -0500: Hello group, What command can I use to copy a configuration from a tftp server to a PIX Firewall? I have looked on the cisco web site for the command but couldn't find it. Can somebody help? Thank you. Rock -- Jose Celestino - Little prigs and three-quarter madmen may have the conceit that the laws of nature are constantly broken for their sakes. -- Friedrich Nietzsche Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36117t=35294
Re: IDS 4210 help [7:35940]
You will need to connect to the console of the IDS. Log in as netrangr (note: NO e in netrangr). Default Password: attack Then enter: #sysconfig-sensor You will see a menu:
1 - IP Address
2 - IP Netmask
3 - IP Host Name
4 - Default Route
5 - Network Access Control
6 - Communications Infrastructure
7 - Date/Time and Timezone
8 - Passwords
9 - Secure Communications
x - Exit
At a minimum you will need to configure 1, 2, 4, 5 and 6 (for #5 enter the network that the CSPM server resides on. If it's 192.168.15.0/24, enter 192.168.15.) For #6, write down the info you assign the IDS. You will need this for the CSPM. You will need org. number (such as 1), Node # (such as 1) and org name (like your domain name). HTH, Rob. CCIE 6922 Shane Stockman wrote in message news:[EMAIL PROTECTED]... I am currently setting up a IDS sensor 4210 and would like to know how to set up the command interface and the monitoring interface as I would like to manage it from my CSPM server. I need to get the command interface to talk to the switch but I don't know where to set an ip address for it so that my CSPM software can find it. Thanks in advance. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35956t=35940
RE: CIT Test [7:34856]
This test was not the hardest, maybe the 2nd hardest. You better study though. Use the Transcenders, they come close to crossing the line as far as the NDA goes. -Original Message- From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]] Sent: Friday, February 08, 2002 1:30 PM To: [EMAIL PROTECTED] Subject: RE: CIT Test [7:34856] It sounds to me like everyone agrees to it being either the easiest or hardest - so it probably won't help answering Joshua's answer very well. And Joshua, I can strongly recommend Priscilla's flash cards - they helped me pass the test; Thanks again for that Priscilla. Good luck on your exam, and have a great weekend, Ole ~~~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] ~~~ http://www.RouterChief.com ~~~ NEED A JOB ??? http://www.oledrews.com/job ~~~ -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] Sent: Friday, February 08, 2002 12:53 PM To: [EMAIL PROTECTED] Subject: Re: CIT Test [7:34856] CIT was by far the easiest for me. I took the Foundation exam before that and it was much more challenging. Do you know about my CIT flash cards, just for fun? The URL is: http://www.priscilla.com/cit/toc.html Good luck. I think you will pass. Priscilla At 11:46 AM 2/8/02, Joshua Barnes wrote: I know that folks have asked about this test, but I am taking it Thursday, I would like to know of the people who thought that it was the hardest test, did you also feel it was equally hard to study for? I am studying through the book and BOSON, and quite honestly I think that this part comes natural to me. I certainly don't want to underestimate the test. ( I don't think I will) but I would like some feedback on this. Let me know if you guys remember how you felt. Priscilla Oppenheimer http://www.priscilla.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35298t=34856
RE: Exam 640-900 and the CID exam [7:34752]
You go! Feel the FORCE Rob Mears III, CCNP, MCSE, MCP+I, NNCDS, NNCSS, CNE, A+ Valor Telecom LAN\WAN Engineer Technical Mercenary -Original Message- From: Ranma [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 07, 2002 7:57 PM To: [EMAIL PROTECTED] Subject: Re: Exam 640-900 and the CID exam [7:34752] 640-900 should be an easy task Mears, Rob wrote in message news:[EMAIL PROTECTED]... Hello all I just finished the 640-900 exam yesterday for the CCIP cert, and it is a bitch! If any one has any question, I will take them off line, just email me. I am getting ready to take my CID exam, any advice? Thanks Rob Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34841t=34752
Exam 640-900 and the CID exam [7:34752]
Hello all I just finished the 640-900 exam yesterday for the CCIP cert, and it is a bitch! If any one has any question, I will take them off line, just email me. I am getting ready to take my CID exam, any advice? Thanks Rob Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34752t=34752
FW: Exam 640-900 and the CID exam [7:34753]
Hello all I just finished the 640-900 exam yesterday for the CCIP cert, and it is a bitch! If any one has any question, I will take them off line, just email me. I am getting ready to take my CID exam, any advice? Thanks Rob Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34753t=34753
RE: Average afterwork time Tech learning commitmen [7:34634]
Here is one for you. I get up @ 0430, that's in the AM and study until I go to work, study @ lunch and then study @ night. I need a life Thanks Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+ Technical Mercenary -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 06, 2002 3:37 PM To: [EMAIL PROTECTED] Subject: RE: Average afterwork time Tech learning commitmen [7:34634] For me, my optimal study time was during my lunch break at work. I'd scarf a sandwich and spend 45 minutes completely distraction free sitting in my car in the parking lot. That 45 minutes 5 days a week is more effective than 2 hours a day trying to work on the lab with the kid, wife, honey-do's, tv and dog all vying for my attention. Note, do not become so engrossed in what you are reading that you sit in the car with the windows rolled up and cook yourself like a thanksgiving turkey. I think you're potentially describing an infinite loop, which, admittedly, might be a good troubleshooting scenario. If the sandwich you are scarfing is leftover Thanksgiving turkey, but the weather conditions exist to roast you like a turkey... Maybe it isn't a loop. It might be an infinite recursion or just the formation of a black hole. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34780t=34634
RE: Exam 640-900 and the CID exam [7:34752]
I used the stuff for the Routing exam and then the RFC for IS IS. Good luck finding info on Cisco site. The two tests are the same except for the ISIS, compare on Cisco web page. Advice? Study your Ars off! They take no prisoners Thanks Rob Mears III, CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+ Technical Mercenary -Original Message- From: Tim Medley [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 07, 2002 10:33 AM To: 'Mears, Rob' Subject: RE: Exam 640-900 and the CID exam [7:34752] I'm getting ready to take the 640-900 exam. What did you use to study/prepare with. What kind of advice do you have for taking the test. tim Tim Medley - CCNP+Voice, CCDP Sr. Network Architect VoIP Group iReadyWorld p 704.943.3615 f 704.525.9119 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mears, Rob Sent: Thursday, February 07, 2002 10:31 AM To: [EMAIL PROTECTED] Subject: Exam 640-900 and the CID exam [7:34752] Hello all I just finished the 640-900 exam yesterday for the CCIP cert, and it is a bitch! If any one has any question, I will take them off line, just email me. I am getting ready to take my CID exam, any advice? Thanks Rob Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34781t=34752
Re: Reverse telnet [7:32206]
Try configuring speed 9600 under the line aux 0. I do not believe you can use a straight cable, I think it has to be rolled. Also, are you sure port 2065 is the right port number? It sounds high, but that may be correct... Rob. Joaquim Lopes wrote in message news:[EMAIL PROTECTED]... Hi, i'm trying to configure a switch without ip remotely. I have the router AUX port connected to the switch Console port via Roll-cable When i try to connect i've got :
RouterXPTO#1.1.1.1 2065
Trying 1.1.1.1, 2065 ... Open
But i can't type anything (newbie problems )
-- Router configuration
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
line aux 0
 no exec
 no activation-character
 terminal-type VT100
 transport preferred none
 transport input all
One last thing, can i use a straight cable to do the connection ? Thanks Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32236t=32206
Re: Security Exams Textbooks Required [7:27321]
Has anyone used the Managing Cisco Network Security by: Lusignan, Steudler, and Allison? ROb wrote in message news:[EMAIL PROTECTED]... Theodore, In what order did you take the exams? PIX, MCNS, VPN and IDS? Thanks, Hugo Caye ccna ccda mcne3 cne5 mcse (w2k, nt4) -Original Message- From: Theodore stout [mailto:[EMAIL PROTECTED]] Sent: quarta-feira, 28 de novembro de 2001 00:30 To: [EMAIL PROTECTED] Subject: Re: Security Exams Textbooks Required [7:27321] I totally agree with Fahim. You have got to have the MCNS books to pass. IT is like 40 of the PIX ADV and VPN tests. Get a PIX though. You won't pass some parts of the PIX ADV with just the book I think. You don't want to be a paper CSS1. Do IDS last. Read Northcutt, study the material and know how to install it, as the homepage states. I found this test to be the hardest. You need a rather high score to pass. Theo CCSE, CSS1, CCNP, MCSE Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30516t=27321
Study aids [7:30517]
Hi folks, Anyone have any experience with the Cisco CCNP Training Kit? Any info or comments will be very welcome and appreciated. Thanks, Rob Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=30517t=30517
RE: OSPF or EIGRP [7:28966]
Hi All, To your question; we are, as all should be, a pure IP and Cisco shop (:. As to why we originally went EIGRP, who knows it was before my time but I would guess Cisco had some influence on it, but now we are growing and plan, no not plan but have bought the routers\switches for 400 locations and will be deploying @ the beginning of the year. I know EIGRP will scale well and will handle our growth for the time being. As my research points, we will be good with EIGRP for a long time and the differences I found between the two are really nominal. But since the network we are rolling out is in parallel to the present, we do not have to worry about the migration part, so we have the opportunity to do it right and impress people long after I am gone. So correct me where I am wrong and please show me the light OSPF or EIGRP. Thanks Rob -Original Message- From: Gregg Malcolm [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 12, 2001 3:40 PM To: [EMAIL PROTECTED] Subject: Re: OSPF or EIGRP [7:28966] Rob, Few questions. What routed protocols you plan to run? Just IP or IP/IPX/AT,etc.? Any other vendor equipment other than cisco? Firewalls running OSPF for failover? Why did you initially choose EIGRP? Does the network design lend itself well to a backbone area? Redundant links (including DDR) ? I think if you can answer some of these questions, it will help the group give you a better response. Gregg Mears, Rob wrote in message news:[EMAIL PROTECTED]... Hi all, We are in the middle of building out a new ATM network for the Core and on the outside we are going to be running about 80 3640 or 2600. We are in a big debate about the routing protocol, we are currently EIGRP. I have collected lots of info off Cisco's Web site about the two but wanted to hear it from the Engineers in the trenches. What's your take on it? If it were you what would you run (EIGRP, OSPF) and why? Thanks Rob Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29105t=28966
OSPF or EIGRP [7:28966]
Hi all, We are in the middle of building out a new ATM network for the Core and on the outside we are going to be running about 80 3640 or 2600. We are in a big debate about the routing protocol, we are currently EIGRP. I have collected lots of info off Cisco's Web site about the two but wanted to hear it from the Engineers in the trenches. What's your take on it? If it were you what would you run (EIGRP, OSPF) and why? Thanks Rob Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28966t=28966
Re: Comments in Running Config [7:25759]
access lists are good, but you could also use interface description fields as well as snmp chassis-id , location, contact etc.. Thanks, Rob Hopkins CCIE #7428, MCSE, MCNE [EMAIL PROTECTED] - Original Message - From: Rodgers Moore To: McCallum, Robert Cc: Cisco@Groupstudy. Com (E-mail) ; 'Ccielab' (E-mail) Sent: Friday, November 09, 2001 10:05 AM Subject: Re: Comments in Running Config Robert, A config TFTP'd into a router's flash will retain its comments. I use named access lists to document info all the time. For example: ip access-list serialnumber remark 44408389291 Rodgers Moore, CCIE# 8153 McCallum, Robert wrote: Hi, Simple question but I can't find the answer. How do you add comments into your config. I have tried putting the command in then putting comments in after it with the ! statement but it doesn't work. I am sure you can do this but for the life of me can't find out how. I am sure I must have done this on the ICRC course or something that easy. And here I am attempting the lab when I can't even do this. As in homer speak Doh! Robert McCallum only 6 days left Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25759t=25759
RE: 2000 professional hyperterminal [7:24171]
W2K hyperterminal did have problems displaying anything that scrolled into the buffer...it would get mangled. All that's required to fix is SP2. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of jimmy halbert Sent: Thursday, October 25, 2001 5:56 PM To: [EMAIL PROTECTED] Subject: 2000 professional hyperterminal [7:24171] Is there anything special that is required to get hyperterminal to work with 2000 professional Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24301t=24171
Re: 2000 professional hyperterminal [7:24171]
Simple answer: NOPE!! - Original Message - From: jimmy halbert To: Sent: Thursday, October 25, 2001 3:56 PM Subject: 2000 professional hyperterminal [7:24171] Is there anything special that is required to get hyperterminal to work with 2000 professional Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24202t=24171
Re: 2000 professional [7:24175]
Do you have the com port enabled on your notebook? Also make sure there's no conflict on the port with another device such as modem using it. Other than that, it's supposed to be it. Good luck! - Original Message - From: Gayathri To: Sent: Thursday, October 25, 2001 7:39 PM Subject: Re: 2000 professional [7:24175] yes, i also have the same problem with win2k server and hyperterminal, i just keep getting the error message , can't open the com port jimmy halbert wrote in message news:[EMAIL PROTECTED]... I am trying to get hyperterminal to work with 2000 Professional... no such luck Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24205t=24175
Re: OT: Linux RPM equiv to Tera Term Pro? [7:21944]
I tend to differ on this. I use TT Pro with SSH 2 all the time. That's how I work on all our UNIX (Solaris RH ) boxes. BTW, it works like a charm. Just my $0.02 worth.. == Rob (SCSA, SCNA, CCNA) Brian Whalen wrote: tterm pro even with the addon for ssh i think only supports ssh1, not ssh2. This is proly unacceptable to a lot of folks. Brian Sonic Whalen Success = Preparation + Opportunity On Wed, 3 Oct 2001, Craig Columbus wrote: By far, my favorite windows based terminal emulator is Tera Term Pro. I'm toying with Linux on a laptop and am looking for a RedHat/Mandrake compatible terminal emulator that offers equivalent functionality to teraterm. Any suggestions? TIA, Craig Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=22300t=21944
Re: 'It's not the US they want to destroy. It's our arrogance' [7:19896]
Not to agree or disagree with any sides of the arguments here, I commend our good friend Priscilla for this very insightful response. I couldn't agree with you more. As we all know, stress and anger will always drive humans to irresponsible statements and irrational decisions. Again, hopefully people can follow your blueprint here to cope with this tragedy and be the pillars of support for those in great need at this time rather than making premature judgments and justify actions that they otherwise wouldn't dare in a better state of mind. Just my $0.02 worth. No need to start another flame war, please! = Rob Priscilla Oppenheimer wrote: The original poster was trying to help us see the point of view of the terrorists. He didn't say that he agreed with them. Understanding their viewpoint will help us prepare for further evil deeds from them and help us defeat them. Know thy enemy. This is logical. What the poster didn't understand is that we are grieving and not ready for logic. According to Dr. Elisabeth Kubler-Ross, there are five stages of grief. 1. Denial 2. Anger 3. Bargaining 4. Depression 5. Acceptance Many people are still in the anger stage. This is not a good time to be sending e-mails. They come out all wrong. Let's avoid the topic until everyone calms down. Peace, Priscilla At 06:57 AM 9/13/01, [EMAIL PROTECTED] wrote: How lovely. Reeta, eloquent drivel disguised as intellectualism is still drivel. I'm saddened that you feel the need to rationalize and excuse murder on such a scale and by such means. I also find it puts you in the same category as those who would commit such atrocities. Interestingly enough, do you think you would be able to voice a similar tirade in other parts of the world? You speak of us and them, where is it you hail from Reeta? Perhaps you can advise us here in America how you handle such us versus them issues? Hmmm? Oh wait, based on your essay I think I see how you would handle such a quandary. Your ridiculous manifesto is nothing but a thinly veiled approval form for the human sewage that committed this act. Your attempt to rationalize it sickens me. It's always ever so much easier to cloak things like this in terms that make it all seem like an academic exercise. Terrorism is indeed about people, as you so stated, and when you have people in this world who will stop at nothing to destroy others, or to advance their own fanatical beliefs, there are going to be tragic consequences. I had no intention of responding to this long winded analysis of yours, it is flawed both logically and factually. As such I will cut short my reply. I would certainly hate to seem arrogant. Priscilla Oppenheimer http://www.priscilla.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19896t=19896
Re: :-((( [7:19468]
Well; I'm sure all the words have already been said, but I tried to refuse to believe my ears when I first woke up to news on the radio this morning. Unfortunately, that feeling of disbelief was very short-lived since it was all over the media. Although I don't personally know anyone from that area, but I feel that innocent lives have been lost, and many others have been affected by that loss for years to come. My thoughts and feelings are with those who survived, and the ones who lost their loved ones. Trust me, the emotions were felt all day here in Vancouver, BC (Canada). Office buildings were shutdown mid-day. In closing, I just want to say that no matter what the religion, one belongs to, these are real human beings taken away from fathers, mothers, brothers, sisters, sons, and daughters. That is the issue, period!! Question: When will the human race learn to resolve their differences in more peaceful way??? Hope all is well with those in the middle of this crisis. Rob [EMAIL PROTECTED] wrote: Thank You Rene, and also Rita. I am in shock. There are many people on this list who worked in those buildings, and many more with friends and family there. I just heard from my first friend who was there and made it home. I'm sitting here watching my email and waiting for my phone to ring. Besides my friends and associates who are there, I can't help to think of the thousands and thousands of faces I've past in those hallways, escalators, offices, etc. -Erik Mintz Rene Schmid writes: best wishes from austria last week i have configured a serial connection between wtc new york and wtc vienna and today i'm very sad about this terrorist attack hope that most of the people are OK Rene Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19516t=19468
Re: FW: Off topic: check in for WTC, Pentagon survivors [7:19517]
Well; I'm sure all the words have already been said, but I tried to refuse to believe my ears when I first woke up to news on the radio this morning. Unfortunately, that feeling of disbelief was very short-lived since it was all over the media. Although I don't personally know anyone from that area, but I feel that innocent lives have been lost, and many others have been affected by that loss for years to come. My thoughts and feelings are with those who survived, and the ones who lost their loved ones. Trust me, the emotions were felt all day here in Vancouver, BC (Canada). Office buildings were shutdown mid-day. In closing, I just want to say that no matter what the religion, one belongs to, these are real human beings taken away from fathers, mothers, brothers, sisters, sons, and daughters. That is the issue. Period!! Question: When will the human race learn to resolve their differences in more peaceful ways??? Hope all is well with those in the middle of this crisis. Rob Chuck Larrieu wrote: forwarding from another source: A web site has been set up where survivors of today's terrorist activities can post word a brief word that they are okay: http://www.shunn.net/okay/ If you care to publicize this, it may save some people some heartache. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19517t=19517
RE: Which IOS's support DSL? [7:18034]
Use Cisco web site for info like this. Feel the Force. c2600-is56i-mz.121-5.YB2 This works Rob Thank you, Rob Mears III, CCNA, MSCE, CNE, NNCDS, NNCSS, A+ Technical Mercenary Valor Telecom -Original Message- From: Matthew Wilkinson [mailto:[EMAIL PROTECTED]] Sent: Monday, September 03, 2001 10:08 PM To: [EMAIL PROTECTED] Subject: Re: Which IOS's support DSL? [7:18034] I have a 2600 with a DSL WIC and none of the newer IOS's I have installed recognise the card. This is simply plugged directly into the phone system, it is used in a home. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18424t=18034
Re: I have a customer who... food for thought - static routes [7:18189]
As far as address conservation goes, they're better off addressing the wan links between the 7206 and the 827's as /30, and letting the 827's provide dhcp address to the home users. The home networks can all be the same network (and 1000 duplicate addresses, who cares). As far as the rest of the network is concerned, there's only one address for each home network, the unique nat outside address of the 827. Using IP unnumbered on the wan links is only going to eat up more addresses because they will have to advertise the networks on the home side of the 827's. They can burn up 1000 /30s or 1000 /28s. The 827s can be built with a cookie cutter config. The only thing that needs to be different on each one is the wan ip address. Nobody needs to keep track of what addresses are in use at what house, no static address database is needed (for these 1000 links anyway - I don't know what the rest of their network looks like), and the home pc's could be built cookie cutter, too. They could save a ton of money on man hours if layer 8 wasn't in the way. -Rob Fielding CCIE #7996 - Original Message - From: Chuck Larrieu To: Sent: Saturday, September 01, 2001 6:43 AM Subject: RE: I have a customer who... food for thought - static routes [7:18180] you know something? That's an interesting idea! May I think out loud here? core_network7200--827--home_ user routed NATinside_network subinterfaces global outside who cares what's inside? need an ip on the 7200 side and the 827 side - takes up two hosts of the /28 the customer is specifying... well, let's see... there is still the matter of the home user inside addressing. Care needs be taken because even though there is private addressing in place, there is still the possibility of overlap with other parts of the network. hhhmmm... on the 7200 side, all subnets are on directly connected interfaces. run the routing protocol of choice, and summarize the subnets into the core. eventually there will be several hundred /28's. 
at 16x28 per /24, that means a lot of /24's eventually. if the customer played their cards right, they could advertise what? a single /20 or so? maybe even a /19? for address conservation, the customer is insisting on ip unnumbered on the links. I'm pondering the relative merits - does NAT'ing create more or less work? Does it require more or fewer things to keep track of? on the other hand, it does answer a number of the customer expressed concerns and policies. You know, Rob, it would be a hell of a lot easier dealing with you than with the particular group I am dealing with. At least you have some creativity and some understanding of the alternatives. I'll bet the two of us could come up with a solution that would knock their socks off. So far I've had to listen to the bogus route flapping argument ( every time a DSL user turns off his equipment, we'll see route flaps in our core ) the bogus default route advertisement argument ( these guys will connect a router at home and start advertising a default that will screw up the entire company ) ok, so we put them in their own domain and redistribute with strict filtering. or we use On Demand Routing. well we don't want CDP running on these routers because it's insecure OK. I give up. well we don't understand why you have to do it this way anyway. when we were with X company all we did was use a static default yes but X company was an ISP and you were using a VPN with the associated overhead. our solution is equivalent to a frame relay network, and can be treated accordingly. and the final definitive argument, against which there is no counter - our policy does not allow routing to remote access users As I said someplace else, the real issue here lies somewhere above layer 7. Hey, Howard, at what layer are ignorance and lack of clue? ;- Chuck -Original Message- From: Rob Fielding [mailto:[EMAIL PROTECTED]] Sent: Friday, August 31, 2001 6:06 PM To: Chuck Larrieu; [EMAIL PROTECTED] Subject: Re: I have a customer who... 
food for thought - static routes [7:18108] Actually, when I mentioned bridging, I was only talking about the 827s. They should still have to route through the 7206 to reach each other. But, bridging is just a bad idea anyway. Instead, you could NAT the home side of the 827 to the address of the 827s wan interface. Each link between the 7206 and the 827s is a separate routed link, but the 7206 doesn't need to know about the networks behind the 827s. It only needs to know about the links that are directly connected. No bridging and no statics needed, and if the wan links are addressed properly, then they can all be summarized to the rest of the corporate network. Since security is a concern, then I would suggest an access list on the 827s to only allow established connections inbound. -Rob Fielding CCIE #7996
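The design discussed in this thread (a /30 per WAN link, DHCP and NAT overload on each 827, an inbound established-only access list, one summary toward the core), worked through as an added Python example that is not code from any poster. The 10.200.0.0/20 parent block, the 192.168.1.0/24 home LAN and the interface names are assumptions.

```python
import ipaddress
from itertools import islice

# Constructed sample values (not from the thread): a parent block reserved for
# the hub-to-home WAN links, and the LAN that every home reuses behind NAT.
WAN_PARENT = "10.200.0.0/20"
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# Cookie-cutter 827 config. Interface names are assumptions; the ATM PVC and
# encapsulation lines are left out because the thread does not give them.
TEMPLATE = """\
ip dhcp excluded-address {gw}
ip dhcp pool HOME
 network {lan} {lan_mask}
 default-router {gw}
!
interface Ethernet0
 ip address {gw} {lan_mask}
 ip nat inside
!
interface ATM0.1 point-to-point
 ip address {wan_ip} {wan_mask}
 ip nat outside
 ip access-group 101 in
!
ip nat inside source list 1 interface ATM0.1 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1
access-list 1 permit {lan} {lan_wild}
! Return TCP traffic only; UDP replies such as DNS need their own entries.
access-list 101 permit tcp any any established
"""


def plan_wan_links(parent, sites, prefixlen=30):
    """Carve one WAN subnet per home site out of a single parent block.

    Returns a list of (subnet, hub_ip, spoke_ip). Raises ValueError when the
    parent is too small, so an undersized plan fails before anything is built.
    """
    parent = ipaddress.ip_network(parent)
    available = 2 ** max(prefixlen - parent.prefixlen, 0)
    if prefixlen < parent.prefixlen or sites > available:
        raise ValueError(f"{parent} holds {available} /{prefixlen} links, need {sites}")
    plan = []
    for net in islice(parent.subnets(new_prefix=prefixlen), sites):
        hub_ip, spoke_ip = list(net.hosts())[:2]  # first host on the 7206 side
        plan.append((net, hub_ip, spoke_ip))
    return plan


def summary_prefix(sites, prefixlen):
    """Shortest prefix length of a single block holding `sites` /prefixlen links."""
    addresses = sites * 2 ** (32 - prefixlen)
    return 32 - (addresses - 1).bit_length()


def render_827(spoke_ip, net):
    """Fill the template for one home router; only the WAN address varies."""
    return TEMPLATE.format(
        gw=HOME_LAN.network_address + 1,
        lan=HOME_LAN.network_address,
        lan_mask=HOME_LAN.netmask,
        lan_wild=HOME_LAN.hostmask,
        wan_ip=spoke_ip,
        wan_mask=net.netmask,
    )


def differing_lines(cfg_a, cfg_b):
    """Pairs of lines that differ between two rendered configs."""
    return [(a, b) for a, b in zip(cfg_a.splitlines(), cfg_b.splitlines()) if a != b]


if __name__ == "__main__":
    plan = plan_wan_links(WAN_PARENT, 1000)
    first = render_827(plan[0][2], plan[0][0])
    last = render_827(plan[-1][2], plan[-1][0])
    print("1000 x /30 fit in a /%d" % summary_prefix(1000, 30))
    print("1000 x /28 need a /%d" % summary_prefix(1000, 28))
    print("lines that differ between site 1 and site 1000:")
    for a, b in differing_lines(first, last):
        print("  ", a.strip(), "|", b.strip())
```
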
Re: I have a customer who... food for thought - static routes [7:18108]
I just quickly glanced at the 827 docs on cisco.com, so please correct me if I'm wrong about them. According to the docs, you can configure the 827's for bridging or NAT. You could avoid static routes on this edge of the customer's network entirely (except for defaults on the 827's). The 7206 would see all of the home networks as being directly connected. NAT overload would probably be my first choice because the 827 could assign addresses to the home pc's with DHCP, so the users wouldn't have to configure anything, and any number of home pc's would just share the 827's wan interface address. No need for statics at all. Does the customer have any issues about this type of config?

-Rob Fielding CCIE #7996

----- Original Message -----
From: Chuck Larrieu
To:
Sent: Thursday, August 30, 2001 10:38 PM
Subject: RE: I have a customer who... food for thought - static routes [7:18038]

There have been several good replies to my post. In addition to Tony's insight below, Leigh Anne and Jim both had excellent observations that covered issues my customer raised.

The customer expressed concerns were with engineers who for any number of reasons, whether careless, inconsiderate, malicious, or as part of their jobs, might bring down various segments. this is something that apparently happens with some regularity in the customer production network.

there were concerns with route flapping at the core. we are in California, after all, and we still live under the threat of rolling blackouts. plus many folks out here are doing their part by shutting things down at night, or when not in use. The flapping issue is bogus, as one could always advertise only the summaries into the core, but again, the customer engineer would not hear of it.

the customer deliberately turns off CDP. I did not discuss this with him, but I suspect there is a bit of concern with revealing information that CDP transmits.

my point in bringing up this situation was in part to stimulate thought about using various forms of routing as one means of enforcing policy. Static routing is not necessarily a bad thing. On the other hand, there are other ways to deal with the stated concerns other than massive static routing.

enjoyed the comments. thanks, everyone.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Medeiros
Sent: Thursday, August 30, 2001 12:23 AM
To: [EMAIL PROTECTED]
Subject: Re: I have a customer who... food for thought - static routes [7:17826]

I'll bite:

PROS:
1) If DSL user decides to change his network for some reason and it overlaps another one somewhere, dynamic routing will hose the core. (could prevent with route filtering but that would be an even bigger hassle).
2) 7206 might fold with that many routing protocol neighbors (depends on routing protocol)
3) Job security for the guy managing the network :)
4) ODR needs CDP and that many neighbors could fold the core too maybe ?? Don't know about that.
5) Less overhead in general.
6) Security, Don't want some guy to announce a boatload of bogus networks.
7) Unless the routing protocol of choice can only send a default route, Those little DSL routers would get killed with a big table. OSPF would do it, but each little router would need to be in its own area or the LS database would kill the little guys. RIP seems like a good choice, but again, there would be need for a lot of filtering to keep the table small. You could have a default static on all the little guys and filter ALL updates coming out of the core. But there is the security thing again.
8) Stability, The static way will be the most stable for sure,

CONS:
1) Management nightmare.

I think I see their point already Chuck. I don't quite see why CDP wouldn't be allowed though. Am I close ?

Tony M.

----- Original Message -----
From: Chuck Larrieu
To:
Sent: Wednesday, August 29, 2001 11:28 PM
Subject: I have a customer who... food for thought - static routes [7:17819]

I have a customer who... don't you love it when a post begins with those words?

In my case, I am hoping this can serve as food for thought, a springboard for discussion. So here goes

My customer is a high tech firm whose name you would all recognize, if I were to exhibit ill manners by revealing it.

My project ( well, I'm just the junior assistant engineer ) is to develop and proof configurations for a private remote access network. DSL at the home, ATM at the central site. Not a VPN. This circuit does not touch the internet. In any case, the client is expecting 500-1000 home users on this network.

Here's the kicker. the client refuses to allow routing protocols on either the home user routers ( Cisco 827's ) or the central site router ( Cisco 7206 )

That means how many static routes at the host site? :-0

Food for thought - what are some of the reasons the customer
Re: I have a customer who... food for thought - static routes [7:18152]
Actually, when I mentioned bridging, I was only talking about the 827s. They should still have to route through the 7206 to reach each other. But, bridging is just a bad idea anyway. Instead, you could NAT the home side of the 827 to the address of the 827s wan interface. Each link between the 7206 and the 827s is a separate routed link, but the 7206 doesn't need to know about the networks behind the 827s. It only needs to know about the links that are directly connected. No bridging and no statics needed, and if the wan links are addressed properly, then they can all be summarized to the rest of the corporate network. Since security is a concern, then I would suggest an access list on the 827s to only allow established connections inbound.

-Rob Fielding CCIE #7996

----- Original Message -----
From: Chuck Larrieu
To: Rob Fielding ;
Sent: Friday, August 31, 2001 5:07 PM
Subject: RE: I have a customer who... food for thought - static routes [7:18108]

yes - sheer numbers of devices in the shared bridging domain. we are talking 500 to a thousand home users, many of whom are technically savvy folks who may have reasons good or bad to connect multiple devices to the home part of the remote access network.

not to mention the fact that bridging would mean direct and unrestricted access from each of these home guys to each other. I can just see the little rascals Code Redding each other! ;-

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rob Fielding
Sent: Friday, August 31, 2001 9:58 AM
To: [EMAIL PROTECTED]
Subject: Re: I have a customer who... food for thought - static routes [7:18108]

I just quickly glanced at the 827 docs on cisco.com, so please correct me if I'm wrong about them. According to the docs, you can configure the 827's for bridging or NAT. You could avoid static routes on this edge of the customer's network entirely (except for defaults on the 827's). The 7206 would see all of the home networks as being directly connected. NAT overload would probably be my first choice because the 827 could assign addresses to the home pc's with DHCP, so the users wouldn't have to configure anything, and any number of home pc's would just share the 827's wan interface address. No need for statics at all. Does the customer have any issues about this type of config?

-Rob Fielding CCIE #7996

----- Original Message -----
From: Chuck Larrieu
To:
Sent: Thursday, August 30, 2001 10:38 PM
Subject: RE: I have a customer who... food for thought - static routes [7:18038]

There have been several good replies to my post. In addition to Tony's insight below, Leigh Anne and Jim both had excellent observations that covered issues my customer raised.

The customer expressed concerns were with engineers who for any number of reasons, whether careless, inconsiderate, malicious, or as part of their jobs, might bring down various segments. this is something that apparently happens with some regularity in the customer production network.

there were concerns with route flapping at the core. we are in California, after all, and we still live under the threat of rolling blackouts. plus many folks out here are doing their part by shutting things down at night, or when not in use. The flapping issue is bogus, as one could always advertise only the summaries into the core, but again, the customer engineer would not hear of it.

the customer deliberately turns off CDP. I did not discuss this with him, but I suspect there is a bit of concern with revealing information that CDP transmits.

my point in bringing up this situation was in part to stimulate thought about using various forms of routing as one means of enforcing policy. Static routing is not necessarily a bad thing. On the other hand, there are other ways to deal with the stated concerns other than massive static routing.

enjoyed the comments. thanks, everyone.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Medeiros
Sent: Thursday, August 30, 2001 12:23 AM
To: [EMAIL PROTECTED]
Subject: Re: I have a customer who... food for thought - static routes [7:17826]

I'll bite:

PROS:
1) If DSL user decides to change his network for some reason and it overlaps another one somewhere, dynamic routing will hose the core. (could prevent with route filtering but that would be an even bigger hassle).
2) 7206 might fold with that many routing protocol neighbors (depends on routing protocol)
3) Job security for the guy managing the network :)
4) ODR needs CDP and that many neighbors could fold the core too maybe ?? Don't know about that.
5) Less overhead in general.
6) Security, Don't want some guy to announce a boatload of bogus networks.
7) Unless the routing protocol of choice can only send a default route, Those little
RE: BMC Patrol [7:17794]
It's not BMC Patrol that is the question but Patrol DashBoard and Patrol Visualis, any word???

Thanks

Thank you,
Rob Mears III, CCNA, MSCE, CNE, NNCDS, NNCSS, A+
Technical Mercenary
Valor Telecom

-----Original Message-----
From: Patrick Donlon [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 2:55 AM
To: [EMAIL PROTECTED]
Subject: Re: BMC Patrol [7:17794]

BMC patrol was used at the last company I worked at, an ISP based in the Netherlands, it wasn't a project I was working on, as it was used to monitor the applications and not the network but if you want to email me offline then send you the company's details so you can get some info or dirt on it

cheers
Pat

350mhz wrote in message news:[EMAIL PROTECTED]...

Hi Cisco Geeks,

We are evaluating a new product from BMC called Patrol DashBoard and Patrol Visualis. I am told by the Sales Geeks that this product is fairly new; therefore it's been rough getting feedback. So I turn to you. What is the word? Who has used it, what are the Pros and Cons? Is this company worth dealing with? They are cutting us a good deal and the CIO is about to go for it unless I can dig up some dirt.

Thanks
Rob

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17934t=17794
Re: hello all....terminal emulation software... [7:17968]
I believe TeraTerm Pro will also give you the same thing. You can also use ssh by installing the TTSSH extension for it, and it's all free.

Baker, Jason wrote:

try secure CRT

-----Original Message-----
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Friday, 31 August 2001 8:33 am
To: [EMAIL PROTECTED]
Subject: hello all....terminal emulation software... [7:17968]

I am trying to locate a freeware terminal emulation software that will allow me to select com ports 5 and 6...hyperterm doesn't support anything beyond com4. I've installed a serial card that utilizes com5 and com6 only. I will be using these two ports to console into my routers. Any help in finding a terminal software that does this is greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18005t=17968
Re: ospf [7:18002]
Do Not Age. Those are routes that don't age out. They were probably learned across an ISDN backup link, or a virtual link. If the router has an isdn interface, check for the 'ip ospf demand-circuit' command. Otherwise, look for a virtual link configured on a router. There's good info about this on cisco.com, and on the doc cd.

-Rob Fielding CCIE #7996

----- Original Message -----
From: Dwayne Saunders
To:
Sent: Thursday, August 30, 2001 6:41 PM
Subject: ospf [7:18002]

Hi all,

is any one able to direct me in the right direction or be able to explain what the (DNA) is in the sh ip ospf database

Router Link States (Area 0)

Link ID          ADV Router       Age         Seq#    Checksum  Link count
172.16.11.100    172.16.11.100    1970        0x8008  0x776B    5
172.26.1.49      172.26.1.49      5 (DNA)     0x8158  0xD943    1
192.168.101.101  192.168.101.101  1895 (DNA)  0x815E  0xDCE3    1

Summary Net Link States (Area 0)

Link ID          ADV Router       Age         Seq#    Checksum
172.26.1.17      172.26.1.49      678 (DNA)   0x8155  0x23F1
172.26.1.33      172.26.1.49      678 (DNA)   0x8155  0x8282
172.26.1.49      172.26.1.49      678 (DNA)   0x8155  0xE113
192.168.1.16     172.16.11.100    1971        0x8006  0x9708
192.168.1.16     172.26.1.49      1 (DNA)     0x815C  0x1B5F
192.168.1.16     192.168.101.101  1895 (DNA)  0x800A  0x97FB
192.168.1.48     172.16.11.100    1971        0x8007  0x542A
192.168.1.48     172.26.1.49      1 (DNA)     0x8003  0x8530
192.168.1.48     192.168.101.101  1895 (DNA)  0x8005  0x6A0D
192.168.1.64     172.16.11.100    1971        0x8005  0xC1AD
192.168.1.64     172.26.1.49      678 (DNA)   0x8155  0x3D15
192.168.1.64     192.168.101.101  1895 (DNA)  0x8008  0xCD95
192.168.101.101  192.168.101.101  1895 (DNA)  0x8007  0x527B

any help will be appreciated

D'Wayne Saunders
Network Admin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18015t=18002
VPN from 2600 routers to PIX 525 Question [7:17700]
I am looking for someone who is running VPN's between 2621 routers and PIX 525 on IOS 6.0 to compare notes with. How are they working for you?

Thanks

Thank you,
Rob Mears III, CCNA, MSCE, CNE, NNCDS, NNCSS, A+
Technical Mercenary
Valor Telecom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17700t=17700
Re: Offtopic: Sun Solaris Admin [7:17684]
Try solcert on yahoo. There are a couple of sun related lists on Yahoo, but solcert is a good starting point.

Rob

Admin wrote:

hi all, do you know of a similar discussion group dedicated to Unix/Sun Solaris Admin certification ? have to get solaris admin cert to retain my job. thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17783t=17684
Re: CCIE Lab Prep Guides [7:17584]
I used the CCBootcamp labs. Certificationzone has a couple of good labs. Their frame-relay lab is pretty good. I haven't seen any of their new stuff. The CCBootcamp labs are big scenarios, most of which will take all day to do. I used them for studying and practice at first, and for speed drills later. Get on the Groupstudy CCIE Lab list, buy the bootcamp labs, and get some routers to practice on. Go to the ECP1 class if you can. Good luck to you.

-Rob Fielding CCIE #7996

----- Original Message -----
From:
To:
Sent: Tuesday, August 28, 2001 11:19 PM
Subject: CCIE Lab Prep Guides [7:17584]

Does anyone have any feedback on the CCIE lab prep workbooks from CCBootcamp (Network Learning, Inc.) vs. CertificationZone ? Just curious as to how valuable these may be. So far, I have been utilizing the generic books (Caslow, Satterlee, Halabi, Doyle...) for scenarios and practice.

Thanks,
Duncan

Duncan Wallace
Sr. Network Engineer
800.COM Inc.
1516 NW Thurman St
Portland, OR 97209-2517
Direct: 503.944.3671 Cell: 503.969.8248 Fax: 503.943.9371
Web: http://800.com
Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17717t=17584
Re: Great Mortgage Rates [7:17354]
Is this list not moderated? How do people get away with this type of nonsense??

Rob

[EMAIL PROTECTED] wrote:

fs756d Whether a new home loan is what you seek or to refinance your current home loan at a lower interest rate, we can help! Mortgage rates haven't been this low in the last 12 months, take action now! Refinance your home with us and include all of those pesky credit card bills or use the extra cash for that pool you've always wanted... Where others say NO, we say YES!!! Even if you have been turned down elsewhere, we can help! Easy terms! Our mortgage referral service combines the highest quality loans with the most economical rates and the easiest qualifications! Take just 2 minutes to complete the following form. There is no obligation, all information is kept strictly confidential, and you must be at least 18 years of age. Service is available within the United States only. This service is fast and free. Free information request form: PLEASE VISIT http://www.freewebdirect.net/mortgagezone Since you have received this message you have either responded to one of our offers in the past or your address has been registered with us. If you wish to be removed please reply to: mailto:[EMAIL PROTECTED]@yahoo.com?subject=remove fsda0uio ***

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17356t=17354
RE: banner motd [7:17204]
Have you tried a code upgrade? We had a situation where a 4906 Switch displayed the same behavior...only displayed the partial banner. Its code version only allowed a certain number of characters in the banner. Upgrade to latest IOS fixed it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Lupi, Guy
Sent: Saturday, August 25, 2001 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: banner motd [7:17204]

Should have done that in the first email, here it is. Like I said, works on all my other routers, just not on the ones running Version 12.0(3)T3. Thanks.

banner motd x * ! WARNING !* * * * This is a private system. Unauthorized access is prohibited by law. * * * * Violators may be prosecuted. If you are not authorized* * * *to access this system, please disconnect now. * * * x

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17267t=17204
Re: DNS, DHCP, UNIX, FTP help [7:15164]
For best materials on any of these topics or any other UNIX related topics, I would suggest checking out O'Reilly's (www.ora.com). They are absolutely outstanding!! And I don't work for them or get paid to say any of this.

RSB (SCSA, SCNA, CCNA)

Brian wrote:

hmm, a broad question. for unix stuff, i'd go with this. http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0130206016vm=c It will give you a lot of dirt on the other items also, as anyone into unix should get how that stuff works.

Brian

----- Original Message -----
From: mike rose
To:
Sent: Tuesday, August 07, 2001 2:47 PM
Subject: DNS, DHCP, UNIX, FTP help [7:15164]

Any one know any good books for the following topics DHCP, DNS, UNIX and FTP Any input will be greatly appreciated.

Thanks
Mike

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15204t=15164
Re: Age Challenge for Oldest CCNP/DP on Earth!! [7:14167]
Offline please.

----- Original Message -----
From: Greg Macaulay
To:
Sent: Monday, July 30, 2001 5:13 PM
Subject: FW: Age Challenge for Oldest CCNP/DP on Earth!! [7:14167]

-----Original Message-----
From: Greg Macaulay [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 30, 2001 4:55 PM
To: [EMAIL PROTECTED]
Subject: RE: Age Challenge for Oldest CCNP/DP on Earth!! [7:14167]

56 -- and I can prove it -- 8 grandchildren -- can't recall their b-dates -- and I have white hair!!! Gosh, I really didn't think that many folks on the list had so much time on their hands to contribute to this nonsense (and fun!).

Greg Macaulay
Oldest CCNP/CCDP on Earth (recount in progress)
Lifetime Member of AARP
Retired Attorney/Law Professor

-----Original Message-----
From: William Gragido [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 30, 2001 4:10 PM
To: 'Greg Macaulay'; [EMAIL PROTECTED]
Subject: RE: Age Challenge for Oldest CCNP/DP on Earth!! [7:14167]

I can't resist, how old are you?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Macaulay
Sent: Monday, July 30, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: Age Challenge for Oldest CCNP/DP on Earth!! [7:14167]

I need proof -- date of birth, place of birth, whether you are left-or right-handed or ambidextrous, etc. Without that -- I still claim the title. In fact, I am taking on the Republicans spin in Florida on this. My age has been broadcast over this list for months and no one successfully came forth and refuted my claim to the title. Thus, there has been an age count, and an age recount and even a recount on the age recount -- and there has not been anyone who can prove BRD (lawyers shorthand for Beyond a Reasonable Doubt!) that I am not the duly self-appointed and self-anointed oldest (albeit I concede not the wisest) CCNP/CCDP on this earth!! If necessary, I will call upon Ms. Katherine Harris (from Florida) to mediate this issue!!!

See, we old folks have nothing on our plates so we can engage in this nonsensical, time-wasting behavior (at least while I'm having my first cuppa' tea this a.m.). Then it's on to work!!!

Greg Macaulay
Oldest CCNP/CCDP on Earth (pending recount!)
Lifetime Member of AARP
Retired Attorney/Law Professor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 28, 2001 8:57 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: For those studying VoIP/CVoice! [7:14061]

Greg,

Good post on a reference URL for VoIP. I will be taking Cisco IP Voice class next week and will refer to some of these links. TNX

Note: However, you'll have to revise your signature as I think for the moment I am most likely the Oldest and Bald CCIE wannabe ;-) at age 59 3/4

Ray

Oldest CCNP/CCDP on Earth

FYI I discovered this page on CCO by accident. Hope it helps those who are preparing for CVoice http://www.cisco.com/warp/public/788/voip/voip.shtml

Greg Macaulay
Oldest CCNP/CCDP on Earth
Lifetime Member of AARP
Retired Attorney/Law Professor

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=14269t=14167
RE: 3660 router-----Finished [7:12135]
Greeting to all,

This problem proved to be a real bitch, and I thank you for all the advice. Here is the fix, and I am almost ashamed to say, but I want to pass this on so none of you all fall into the same trap as I did.

As I said, in one post before, I kept getting the same error messages even after TAC sent me new memory and a new router. The 3rd TAC engineer was the charm, because he asked me if this was a TELCO version of the 3660. That was a real good question 'cause I had no idea, as I have never worked on one. Well, that was the problem, it takes a TELCO FEATURE SET IOS. One telltale clue is that there is not a plastic front on the Telco version. I saw this right off the bat, but thought Cisco had just redesigned it. Man what a day. The other way to see if the router is an Enterprise version or Telco is to run the SN numbers. I can think of all the times I do this before I install an IOS. Maybe I should.

Good news is I got it fixed and got a new Router out of the deal (thank you TAC). And as TAC goes, they have pulled my Butt out of the sling more than once, so I have nothing but good to say for them. Yes I have gotten some DORKS before, but I have the option to tell them to get lost and give me a new Engineer. We pay a lot for this service.

Hope this has been as educational for you all as it has been for me. Look below at link for the difference in the two.

http://www.cisco.com/warp/public/cc/pd/rt/3600/prodlit/36kmp_ds.htm

-----Original Message-----
From: Charlie Hartwell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 9:15 AM
To: Mears, Rob
Subject: Re: 3660 router [7:11917]

Hi Rob,

I didn't want to send this out to the whole group but I sympathise with your problem - I used to work on TAC and I see this sort of thing happening more and more. Unfortunately TAC have a new policy of employing people without much real technical experience (even pre-CCNA level people) and they put them on the bread and butter TAC teams to break them in. It will be one of those teams dealing with your problem - probably euro-config. I know a lot of those guys and, although they all work hard, they don't have the experience to deal with a case that gets over complicated.

If you have had an RMA already and you are still no nearer to solving the problem then the next step is to have the case escalated. I expect this case has been going on for a few days already and has probably passed the P3 SLA so the TAC can escalate to a more technical team to get you a speedy fix.

I hope this helps and I would appreciate it if you kept this under your hat.

Regards
Charlie

--- Mears, Rob wrote:

Any one ever had a problem loading IOS on a 3660 right out of the box? I have one with 64meg flash and 256 ram and the damn thing will not come out of ROMMON. I have set the confreg to boot correctly still ROMMON. I have flashed it with two different IOS (12112.2), swapped out Flash, MEM, even sent the chassis back to Cisco and the new one had the same problem. TAC has no clue, they have been sending me parts and giving me to different Engineers with no luck. What gives?

Rob
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=12135t=12135
RE: 3660 router-----Finished [7:12135]
that is! that's the one. Damn Telco stuff. You know it was said if they were to burn (Telco Routers), it would not put off toxic fumes (no plastic, a telco requirement). I looked around the CO and wondered about the billions of little blue and white analog wires we have from ceiling to floor and wondered what's the point. Smoke from the router won't kill me, but the plastic from the wires will. Man
rob

-----Original Message-----
From: Peter Slow [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 12, 2001 12:26 PM
To: [EMAIL PROTECTED]
Subject: RE: 3660 router-Finished [7:12135]

Uhh, they do! c3660-telcoent-mz.121-5.T9.bin

-----Original Message-----
From: Bob Johnson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 12, 2001 12:34 PM
To: [EMAIL PROTECTED]
Subject: RE: 3660 router-Finished [7:12135]

Telco requirements are quite strict. There are Bellcore standards that are used at all central offices. It has nothing to do with the government but with Bell ensuring that any third party equipment will:
1) Fit in telco racks
2) Not physically interfere with other equipment in telco racks
3) Not add to the fire load
4) Not cause any undue electrical problems (NEBS grounding, etc)
It's all really for infrastructure protection. Too bad they didn't have a Telco version of the IOS.
Bob

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 12, 2001 8:29 AM
To: [EMAIL PROTECTED]
Subject: RE: 3660 router-Finished [7:12135]

This brings up a point: why is there a telco version in the first place? What are these telco requirements and why are they there? I've been hearing little snippets about this but I don't know the details. From what I've read so far, it sounds like some government agency had too much time on its hands and felt like being even more intrusive than usual. Who cares if there is a plastic cover or not? Who cares if the rack is 19 or 24 wide? Who cares if the equipment is more than 12 deep?
Someone please explain this to me, and please tell me there are good reasons for these requirements. Otherwise, it will just annoy me and ruin my day. ;-) Besides, I have a feeling I'll be running into situations where equipment that I provision has to meet these requirements so I might as well know what they are, right?
Thanks,
John (who is just starting his 2nd cup of coffee...be gentle.)

Mears, Rob 7/12/01 8:55:12 AM
Greetings to all,
This problem proved to be a real bitch, and I thank you for all the advice. Here is the fix, and I am almost ashamed to say, but I want to pass this on so none of you all fall into the same trap as I did. As I said in one post before, I kept getting the same error messages even after TAC sent me new memory and a new router. The 3rd TAC engineer was the charm, because he asked me if this was a TELCO version of the 3660. That was a real good question 'cause I had no idea, as I have never worked on one. Well, that was the problem, it takes a TELCO FEATURE SET IOS. One telltale clue is that there is not a plastic front on the Telco version. I saw this right off the bat, but thought Cisco had just redesigned it. Man what a day. The other way to see if the router is an Enterprise version or Telco is to run the SN numbers. I can think of all the times I do this before I install an IOS. Maybe I should. Good news is I got it fixed and got a new Router out of the deal (thank you TAC). And as TAC goes, they have pulled my Butt out of the sling more than once, so I have nothing but good to say for them. Yes I have gotten some DORKS before, but I have the option to tell them to get lost and give me a new Engineer. We pay a lot for this service. Hope this has been as educational for you all as it has been for me. Look below at link for the difference in the two.
http://www.cisco.com/warp/public/cc/pd/rt/3600/prodlit/36kmp_ds.htm

-----Original Message-----
From: Charlie Hartwell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 9:15 AM
To: Mears, Rob
Subject: Re: 3660 router [7:11917]

Hi Rob, I didn't want to send this out to the whole group but I sympathise with your problem - I used to work on TAC and I see this sort of thing happening more and more. Unfortunately TAC have a new policy of employing people without much real technical experience (even pre-CCNA level people) and they put them on the bread and butter TAC teams to break them in. It will be one of those teams dealing with your problem - probably euro-config. I know a lot of those guys and, although they all work hard, they don't have the experience to deal with a case that gets over complicated. If you have had an RMA already and you are still no nearer to solving the problem then the next step is to have the case escalated. I expect this case has been going on for a few days already and has probably passed the P3 SLA so the TAC can escalate to a more technical team to get you a speedy fix. I hope this helps and I would
3660 router [7:11917]
Anyone ever had a problem loading IOS on a 3660 right out of the box? I have one with 64meg flash and 256 ram and the damn thing will not come out of ROMMON. I have set the confreg to boot correctly, still ROMMON. I have flashed it with two different IOS (12112.2), swapped out Flash, MEM, even sent the chassis back to Cisco and the new one had the same problem. TAC has no clue, they have been sending me parts and giving me to different Engineers with no luck. What gives?
Rob
RE: 3660 router [7:11917]
You can flash it via Xmodem

-----Original Message-----
From: Peter Slow [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 8:59 AM
To: [EMAIL PROTECTED]
Subject: RE: 3660 router [7:11917]

open up hyperterm, connect to console, log the session, flick the power switch, and let it drop into ROMMON. then you need to post the text file IN LINE with your next email. THEN we can help you.

-----Original Message-----
From: Mears, Rob [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: 3660 router [7:11917]

Anyone ever had a problem loading IOS on a 3660 right out of the box? I have one with 64meg flash and 256 ram and the damn thing will not come out of ROMMON. I have set the confreg to boot correctly, still ROMMON. I have flashed it with two different IOS (12112.2), swapped out Flash, MEM, even sent the chassis back to Cisco and the new one had the same problem. TAC has no clue, they have been sending me parts and giving me to different Engineers with no luck. What gives?
Rob
RE: 3660 router [7:11917]
I hope you can help. With the message below it would appear that it has bad mem, but I replaced it. I got this error message on both routers, the old and the new. The only thing that was left in common was the IOS so I got a different version and still the same problem. Here is the error message

WARNING: All existing data in flash will be lost!
Invoke this application only for disaster recovery.
Do you wish to continue? y/n [n]: y
Ready to receive file c3660-jk8s-mz.122-1b.bin ...
Erasing flash at 0x3000
sector erase failed at location 0x3000, status 0x 20202020
flash sector will NOT erase...aborting
rommon 2

-----Original Message-----
From: Peter Slow [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 8:59 AM
To: [EMAIL PROTECTED]
Subject: RE: 3660 router [7:11917]

open up hyperterm, connect to console, log the session, flick the power switch, and let it drop into ROMMON. then you need to post the text file IN LINE with your next email. THEN we can help you.

-----Original Message-----
From: Mears, Rob [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 11, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: 3660 router [7:11917]

Anyone ever had a problem loading IOS on a 3660 right out of the box? I have one with 64meg flash and 256 ram and the damn thing will not come out of ROMMON. I have set the confreg to boot correctly, still ROMMON. I have flashed it with two different IOS (12112.2), swapped out Flash, MEM, even sent the chassis back to Cisco and the new one had the same problem. TAC has no clue, they have been sending me parts and giving me to different Engineers with no luck. What gives?
Rob
PIX 5.25 ftp Passive-non Passive [7:10306]
Question for the gods,
We have a requirement to retrieve data from a client's FTP server which is not Passive in nature, meaning it does not support it. My pix box has no problems getting to FTP sites that support Passive mode. I am 90% sure the problem is with the client and not me. I have researched this and have found, in order to allow my users to the FTP I would have to open a range of ports on the Fwall. Has anyone run into this and does anyone have an easy fix? I am about to tell the client to (##$%^) just submit and upgrade their FTP but who knows how long this will take. How about some help. Thanks

Thank you,
Rob Mears III, CCNA, MSCE, CNE, NNCDS, NNCSS, A+
Technical Mercenary
Valor Telecom
Re: PIX Firewall [7:9295]
I wouldn't recommend a direct termination with a cross-over. They should be plugged into a switch. I have had problems in the past with 7200 series Routers plugged directly into the PIX, interfaces tend to go up and down. If I am not mistaken you can have only one default gateway. You can specify traffic to other networks using Routes on the interface, the Pix is a Firewall, not a router or switch. You could also get an ASN number and run BGP to your ISPs, do a little subnetting and specify that traffic coming from the lower half goes out one t-1 and the upper out the other. This would be based on your static from the Pix. Something I have done in the past is set up 2 PIX and split the network out. One out PIX1 and the other out Pix 2. If anyone else has suggestions please let me know, I am very interested as well.
Robert C. Smyth

----- Original Message -----
From: sanjeev tyagi
To:
Sent: Thursday, June 21, 2001 5:17 AM
Subject: PIX Firewall [7:9295]

Dear All, I am having PIX-515UR with 3-10/100 Ethernet ports, I have 2-ISP's which are connected to 2-different 2500 series Routers. Can I terminate RJ-45 interfaces from Router on PIX Firewall, how will Pix decide on which Router the packets are to be sent. Please Help. Thanks in advance
Sanjeev Tyagi
RE: Could someone give me an example config of adsl+router? [7:6762]
Hi, we are running ADSL at our ROBO around the US, we also use a VPN to get them back to HQ. I will include a config that might help. This is a 2621 router

Thank you,
Rob Mears III, CCNA, MSCE, CNE, NNCDS, NNCSS, A+
Technical Mercenary
Valor Telecom

**
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Amardsl001
!
logging rate-limit console 10 except errors
enable secret 5 $1$Onlr$fH2gcC0tDCI9hEpkC2/Nq.
!
!
!
memory-size iomem 10
ip subnet-zero
!
!
no ip finger
ip name-server XXX.XXX.1.8
!
no ip dhcp-client network-discovery
no mgcp timer receive-rtcp
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key X address XXX.XXX.37.5
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp local-address BVI1
crypto map rtp 1 ipsec-isakmp
 set peer XXX.XXX.37.5
 set security-association lifetime seconds 28800
 set transform-set rtpset
 match address amarillo
!
call rsvp-sync
!
!
!
!
!
bridge irb
!
!
!
!
interface FastEthernet0/0
 ip address XXX.XXX.102.1 255.255.255.224
 ip helper-address XXX.xX.6.31
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface ATM0/1
 description ADSL SWB XXX-3xxx-1600 Trouble 800-net-help
 no ip address
 no ip mroute-cache
 atm vc-per-vp 256
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 !
 bundle-enable
 dsl operating-mode auto
 no fair-queue
 bridge-group 1
 hold-queue 224 in
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BVI1
 ip address XXX.XXX.XXX.49 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map rtp
!
ip nat pool Net-XXX.xxX.218.126.50 XXX.xXX.126.50 netmask 255.255.255.248
ip nat inside source route-map nonat pool Net-64 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx
no ip http server
!
!
ip access-list extended amarillo
 permit ip x
 permit ip x
 permit ip x
logging 10.x
access-list 1 permit xxx
access-list 120 deny ip xxx
access-list 120 permit ip xxx
!
!
route-map nonat permit 10
 match ip address 120
!
snmp-server community RO
snmp-server community RW
snmp-server packetsize 4096
bridge 1 protocol ieee
bridge 1 route ip
!
dial-peer cor custom
!
!
!
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxx
 login
!
no scheduler allocate
end
Amardsl001#

-----Original Message-----
From: Steve Smith [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 01, 2001 8:47 AM
To: [EMAIL PROTECTED]
Subject: RE: Could someone give me an example config of adsl+router? [7:6756]

I use a 827 router. This will go step by step to config one. You need CCO. http://www.cisco.com/warp/customer/794/827_faq.html
Steve

-----Original Message-----
From: Leo Shen [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 01, 2001 4:05 AM
To: [EMAIL PROTECTED]
Subject: Could someone give me an example config of adsl+router? [7:6732]

it need not dial, thanks!
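Added example, not part of the original posts: a small Python audit that flags the settings in the posted 2621 config a reviewer would question today (clear-text passwords, MD5 and DES in the IKE and IPsec settings, an SNMP write community, an unrestricted vty). The sample input is a constructed excerpt built from lines of that config with IOS indentation assumed and a made-up placeholder instead of the posted enable hash; the rule names are this example's own, and the note on the implicit IKE cipher assumes the router falls back to its platform default when no encryption line is configured.

```python
import re

# Constructed excerpt: security-relevant lines of the posted config, indentation
# restored, enable hash replaced by a made-up placeholder value.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$SALT$CONSTRUCTEDPLACEHOLDERHASH
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
snmp-server community RO
snmp-server community RW
line vty 0 4
 password xxx
 login
"""

# Transform names as they appear in the posted transform-set.
WEAK_TRANSFORMS = {
    "esp-des": ("ESP_DES", "56-bit DES encryption"),
    "esp-md5-hmac": ("ESP_MD5", "HMAC-MD5 integrity"),
}


def parse_sections(text):
    """Group a config into [parent_line, [child_lines]] using IOS indentation."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' separators carry no settings
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append([line.strip(), []])
    return sections


def audit(text):
    """Return a list of findings (rule, line, why) for the weak settings above."""
    findings = []

    def add(rule, line, why):
        findings.append({"rule": rule, "line": line, "why": why})

    for parent, children in parse_sections(text):
        words = parent.split()
        if parent == "no service password-encryption":
            add("PLAINTEXT_PASSWORDS", parent,
                "line passwords are stored in clear text in the config")
        elif re.match(r"enable secret 5 \$1\$", parent):
            # The hash itself is never echoed into the report.
            add("HASH_IN_SHARED_CONFIG", "enable secret 5 <hash withheld>",
                "redact the hash before the config leaves the device")
        elif parent.startswith("crypto isakmp policy"):
            if "hash md5" in children:
                add("IKE_MD5", parent, "IKE policy uses MD5")
            if not any(c.startswith("encr") for c in children):
                add("IKE_ENCR_IMPLICIT", parent,
                    "no encryption line; check 'show crypto isakmp policy'")
        elif parent.startswith("crypto ipsec transform-set"):
            for transform in words[4:]:
                if transform in WEAK_TRANSFORMS:
                    rule, why = WEAK_TRANSFORMS[transform]
                    add(rule, parent, why)
        elif words[:2] == ["snmp-server", "community"] and "RW" in words[2:]:
            add("SNMP_RW", parent, "SNMP write community is configured")
        elif parent.startswith("line vty"):
            has_password = any(c.startswith("password") for c in children)
            has_acl = any(c.startswith("access-class") for c in children)
            if has_password and not has_acl:
                add("VTY_NO_ACL", parent,
                    "remote login allowed with no access-class restriction")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['rule']:<22} {f['line']}  ({f['why']})")
```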
Re: entry in the ospf database but not in the route table ? Is [7:5067]
This is not a direct answer to your question, but you might be interested to read this. This paper describes one strange situation in which ospf routes don't get into the routing table: http://www.cisco.com/warp/public/104/10.html
-Rob Fielding

----- Original Message -----
From: Padhu (LFG)
To:
Sent: Friday, May 18, 2001 10:53 AM
Subject: entry in the ospf database but not in the route table ? Is that possible ?

I am trying to locate an email thread that was talking about having an entry in the ospf database but not in the route table ? Is that possible ?
Cheers,
Padhu
CCIE Study Partner in San Jose [7:4391]
Hi gang, I've taken (and failed) the CCIE lab exam once. I'm scheduled for December 2001. I'd like to find anyone in the San Jose, CA area (hopefully with a similar lab date) who would be interested in putting together a staged attack. I have a good collection of books and scenarios, lots of experience, and some home equipment. Please let me know. Thanks!
-Rob
Re: best location for ccie lab - rtp [7:2149]
what hotel would you recommend ? thanks

Urooj's Hi-speed Internet wrote in message news:[EMAIL PROTECTED]...
I have only been to the Halifax site. It has cheap hotels (if you are spending in US $$), five-minute walk to the CCIE lab, very fair and friendly Proctors, plus a historical city to see (for which one may not have the time). And if you manage to pass, you can celebrate with a feast of fine lobsters.
Aziz S. Islam

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rob
Sent: Thursday, April 26, 2001 2:13 PM
To: [EMAIL PROTECTED]
Subject: best location for ccie lab - rtp [7:2149]

what's the best location to take the CCIE lab exam? I realize that the exams are standardized worldwide but I'm looking for the overall picture, the friendliness, good cheap hotels, easy commute to the lab facility etc.. I'm considering NC, Halifax and maybe CA.. thanks
best location for ccie lab - rtp [7:2149]
what's the best location to take the CCIE lab exam? I realize that the exams are standardized worldwide but I'm looking for the overall picture, the friendliness, good cheap hotels, easy commute to the lab facility etc.. I'm considering NC, Halifax and maybe CA.. thanks
Re: 3COM - CISCO interoperability
3Com's gig trunking protocol is proprietary. It's a load sharing method similar to Cisco's fast etherchannel concept. The 6506 won't know what to do with it. Their gig modules will talk to each other, and both support 802.1q, but you cannot load share links between them.
-Rob Fielding

----- Original Message -----
From: "freddy moreno" [EMAIL PROTECTED]
Newsgroups: groupstudy.cisco
To: [EMAIL PROTECTED]
Sent: Tuesday, March 13, 2001 1:52 PM
Subject: 3COM - CISCO interoperability

do any of you have experience connecting a 3com Corebuilder 9000 to a Cisco 6506 using Gig Trunking? any gotchas, special things that need to be done. please let me know thank you thank you very much
Firewall Vlan Problem update: Still a problem
Update: I know that the Firewall does not know that the 10.25.192.0 /19 exists. I tried to put in a route statement on the pix but it would not accept it. This was the command:
"route inside 10.25.192.0 255.255.224.0 10.25.223.2 1"
When I put in a route to the secondary Address of VLAN 1, it accepted it, but I still could not ping anything in the 10 network from the firewall. This was the command:
"route inside 155.102.0.0 255.255.0.0 155.102.127.26 1"
I am completely stumped! These were some of the previous comments I received and my original statement is below. Thank you for any insight you may have on this!
Rob

comment: "It sounds like your PIX doesn't know about 10.25.192.0/19 subnets. It knows about the directly-connected 155 subnet, but not any past the 6506. It seems like you'll need some routes on the PIX (but I'm not really familiar with those boxes). Your PIX is probably defaulting to its outside interface. You need a route for 10.25.192.0/19 to 155.102.127.26 (if that is the 6506) on the PIX."

comment: "First, you have to understand that the PIX, out of the box, will not route any packets. So you have to add static route statements pointing at interfaces so packets get to their destination. Example:
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
route outside 1.2.3.4 255.255.255.0 5.6.7.8 1
The PIX probably doesn't know how to get to the other VLAN. What are your route statements in the PIX?"

Original:

Overview.
I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is flat. I have implemented a new IP Scheme to be used in several VLAN's and am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254 broken up into several /24's. There are 600 devices. Now to the nitty gritty.

Network Description
The 6506 has seven VLAN's configured as follows:
VLAN 1 - 10.25.223.2 /24 Primary 155.102.127.26 /16 secondary.
VLAN 2 - 10.25.215.254 /24
VLAN 3 - 10.25.216.254 /24
to -
VLAN 7 - 10.25.220.254 /24
There are 2 2600's which are routing to an ASP. Their addresses are router A - 10.25.223.3 B - .4 with .5 as HSRP. There is a Pix 515 using address 155.102.18.191 NATing to the internet. The 2600's have an extended access list on them which directs Port 80 traffic from the 159.102.x.x network between the ASP WAN and the internet. They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C NAT pool for each router. A - 10.25.213.0 /24, B - 10.25.214.0 /24.

Problem
I cannot ping the firewall interface from the MSFC or the 6506 or from any workstation that is using ANY of the VLAN default gateways. I have full connectivity to the asp wan. I have full connectivity to the other VLAN's. When devices use the 2600's HSRP address as default gateway, they have access to the firewall, the asp and the VLAN's. I have no access to the 2600's as they do not belong to us. I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate it because they could not find our service contract that we purchased. They were anxious to close the case. The trick to this migration is to maintain connectivity to all devices as they are being migrated to the new IP scheme. I will be very grateful to any serious replies to this situation. Thanks for your expertise!
Rob
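Added example, not part of the original posts: a Python check of the three PIX route statements discussed in this thread against the addressing Rob describes. It assumes that 155.102.18.191 with mask 255.255.0.0 is the PIX inside interface and that the first command was refused because its next hop is not on that interface's subnet; the function and rule names are this example's own.

```python
import ipaddress

# Addresses from the thread; treating 155.102.18.191/16 as the PIX inside interface is an assumption.
PIX_INTERFACES = {"inside": "155.102.18.191/255.255.0.0"}

# The 6506 VLAN subnets listed in the post that the PIX must be able to reach.
NEW_VLANS = [ipaddress.ip_network(n) for n in (
    "10.25.223.0/24", "10.25.215.0/24", "10.25.216.0/24", "10.25.220.0/24")]


def parse_route(cmd):
    """Parse 'route <if> <dest> <mask> <gateway> [metric]' as quoted in the post."""
    parts = cmd.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route command: {cmd!r}")
    dest = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=True)
    return parts[1], dest, ipaddress.ip_address(parts[4])


def check_route(cmd, interfaces=PIX_INTERFACES, needed=NEW_VLANS):
    """Return a list of problem codes; an empty list means the route is usable."""
    ifname, dest, gateway = parse_route(cmd)
    connected = ipaddress.ip_interface(interfaces[ifname]).network
    problems = []
    # The next hop must be a neighbour on the interface the route points out of.
    if gateway not in connected:
        problems.append("GATEWAY_NOT_ON_CONNECTED_SUBNET")
    # A route to the interface's own subnet adds no reachability.
    if dest.subnet_of(connected):
        problems.append("DESTINATION_ALREADY_CONNECTED")
    # The route only helps if it covers the subnets behind the 6506.
    if not all(vlan.subnet_of(dest) for vlan in needed):
        problems.append("DOES_NOT_COVER_NEW_VLANS")
    return problems


ATTEMPT_1 = "route inside 10.25.192.0 255.255.224.0 10.25.223.2 1"    # refused by the PIX
ATTEMPT_2 = "route inside 155.102.0.0 255.255.0.0 155.102.127.26 1"   # accepted, no effect
SUGGESTED = "route inside 10.25.192.0 255.255.224.0 155.102.127.26 1"  # from the first comment

if __name__ == "__main__":
    for cmd in (ATTEMPT_1, ATTEMPT_2, SUGGESTED):
        print(cmd, "->", check_route(cmd) or "ok")
```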
RE: Help!, because Cisco says they can't. Firewall Vlan problem.
The subnet masks on the pix and secondary address of the msfc is 255.255.0.0. Since the ASP routers are using an access list to direct traffic to and from the internet, it may be filtering the route from the msfc. Then we would be sol. I like your idea af switching the primary and secondary ip's on the msfc. Also, there is no gateway of last resort. my default gateway is pointing to the asp routers, and we are using the same eigrp ##. Thanks for your insight. Any further thoughts will be appreciated. Rob -Original Message- From: Moe Tavakoli [mailto:[EMAIL PROTECTED]] Sent: Friday, March 02, 2001 0043 To: Rob Cabeca; groupstudy Subject: Re: Help!, because Cisco says they can't. Firewall Vlan problem. Back to basics: Check your subnet mask on the interfaces connecting the MSFC and the PIX (on the 155.102/16 net) If you can;t ping the inside address of the PIX then your SOL (make sure nothing is filtering the ping) once you have this established (also check wirring and the such and maybe even go to the extent of making your secondary address the primary on the MSFC) After that you should look into the routing table of your MSFC. Make sure the gateway of last reort (0 0 route) is point to the inside interface of the PIX, and the selective route for the subnet pointing to the ASP routers. Be the packet know your source and destination and follow it at every hop and make sure it can find out wehre to go and how to get back (i.e. an internal route on the PIX for the internal range to the MSFC.) Moe. --- Rob Cabeca [EMAIL PROTECTED] wrote: You guys have always been on target for me. I am hoping you give some insight to this. (the following addresses have been slightly altered for obvious reasons but they are true to the real ones). Overview. I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is flat. I have implemented a new IP Scheme to be used in several VLAN's and am trying to migrate to it. 
IP range is 10.25.192.0 - 10.25.223.254 broken up into several /24's. There are 600 devices. Now to the nitty gritty. Network Description The 6506 has seven VLAN's configured as follows: VLAN 1 - 10.25.223.2 /24 Primary 155.102.127.26 /16 secondary. VLAN 2 - 10.25.215.254 /24 VLAN 3 - 10.25.216.254 /24 to - VLAN 7 - 10.25.220.254 /24 There are 2 2600's which are routing to an ASP. Their addresses are router A - 10.25.223.3 B - .4 with .5 as HSRP. There is a Pix 515 using address 155.102.18.191 Nating to the internet. The 2600's have an extended access list on them which directs Port 80 traffic from the 159.102.x.x network between the ASP WAN and the internet. They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C NAT pool for each router. A- 10.25.213.0 /24, B - 10.25.214.0 /24. Problem I cannot ping the firewall interface from the MFSC or the 6506 or from any workstation that is using ANY of the VLAN default gateways. I have full connectivity to the asp wan. I have full connectivity to the other VLAN's. When devices use the 2600's HSRP address as default gateway, they have access to the firewall, the asp and the VLAN's. I have no access to the 2600's as they do not belong to us. I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate it because they could not find our service contract that we purchased. They were anxious to close the case. The trick to this migration is to maintain connectivity to all devices as they are being migrated to the new IP scheme. I will be very grateful to any serious replies to this situation. Thanks for your expertise! Rob _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] = _ Moe Tavakoli __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. 
RE: Help!, because Cisco says they can't. Firewall Vlan problem.
Thanks for responding. I may not be understnading something here. If the firewall is on the same subnet and it's inside interface is connected to the 6506, what type of routing statement would it need? I am able to ping the inside interface of the firewall when the workstation is assigned to vlan 1 and is using 155.102.127.26 as the default gateway. once I asign the workstation to another vlan, it can ping everything in the 155 network EXCEPT for the firewall. Obviously I am confused. Thanks for your help. Any further thoughts would be appreciated. rob -Original Message- From: Darren Crawford [mailto:[EMAIL PROTECTED]] Sent: Friday, March 02, 2001 1211 To: Nabil Fares; Rob Cabeca; groupstudy Subject: RE: Help!, because Cisco says they can't. Firewall Vlan problem. You should be able to Ping the inside interface of your PIX. You can not ping an outside interface. There must be route statements in your PIX so that it knows where to send the reply. At 08:52 AM 03/02/2001 -0500, Nabil Fares wrote: Rob, By default PIX does not allow pings! You can have connectivity though it but, you can't ping it. You have to create an access list allowing icmp. Of course thing assuming its not a subnetting issue. Cisco recommends this access-list be used for testing purposes only, remove when done. HTH, Nabil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rob Cabeca Sent: Thursday, March 01, 2001 9:37 PM To: groupstudy Subject: Help!, because Cisco says they can't. Firewall Vlan problem. You guys have always been on target for me. I am hoping you give some insight to this. (the following addresses have been slightly altered for obvious reasons but they are true to the real ones). Overview. I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is flat. I have implemented a new IP Scheme to be used in several VLAN's and am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254 broken up into several /24's. 
There are 600 devices. Now to the nitty gritty. Network Description The 6506 has seven VLAN's configured as follows: VLAN 1 - 10.25.223.2 /24 Primary 155.102.127.26 /16 secondary. VLAN 2 - 10.25.215.254 /24 VLAN 3 - 10.25.216.254 /24 to - VLAN 7 - 10.25.220.254 /24 There are 2 2600's which are routing to an ASP. Their addresses are router A - 10.25.223.3 B - .4 with .5 as HSRP. There is a Pix 515 using address 155.102.18.191 Nating to the internet. The 2600's have an extended access list on them which directs Port 80 traffic from the 159.102.x.x network between the ASP WAN and the internet. They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C NAT pool for each router. A- 10.25.213.0 /24, B - 10.25.214.0 /24. Problem I cannot ping the firewall interface from the MFSC or the 6506 or from any workstation that is using ANY of the VLAN default gateways. I have full connectivity to the asp wan. I have full connectivity to the other VLAN's. When devices use the 2600's HSRP address as default gateway, they have access to the firewall, the asp and the VLAN's. I have no access to the 2600's as they do not belong to us. I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate it because they could not find our service contract that we purchased. They were anxious to close the case. The trick to this migration is to maintain connectivity to all devices as they are being migrated to the new IP scheme. I will be very grateful to any serious replies to this situation. Thanks for your expertise! Rob _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED] Darren S. 
Crawford - CCNA Lucent Technologies Worldwide Services 2377 Gold Meadow Way Phone: (916) 859-5200 x310 Suite 230 Fax: (916) 859-5201 Sacramento, CA 95670 Pager: (800) 467-1467 Email: [EMAIL PROTECTED] Epager: [EMAIL PROTECTED] http://www.lucent.com Network Systems Consultant
Help!, because Cisco says they can't. Firewall Vlan problem.
You guys have always been on target for me. I am hoping you give some insight to this. (the following addresses have been slightly altered for obvious reasons but they are true to the real ones).

Overview.
I am upgrading a network which has a 155.102.0.0 255.255.0.0 network. It is flat. I have implemented a new IP Scheme to be used in several VLAN's and am trying to migrate to it. IP range is 10.25.192.0 - 10.25.223.254 broken up into several /24's. There are 600 devices. Now to the nitty gritty.

Network Description
The 6506 has seven VLAN's configured as follows:
VLAN 1 - 10.25.223.2 /24 Primary 155.102.127.26 /16 secondary.
VLAN 2 - 10.25.215.254 /24
VLAN 3 - 10.25.216.254 /24
to -
VLAN 7 - 10.25.220.254 /24
There are 2 2600's which are routing to an ASP. Their addresses are router A - 10.25.223.3 B - .4 with .5 as HSRP. There is a Pix 515 using address 155.102.18.191 NATing to the internet. The 2600's have an extended access list on them which directs Port 80 traffic from the 159.102.x.x network between the ASP WAN and the internet. They are also doing NAT from the ASP to the 155.102.x.x network. 1 class C NAT pool for each router. A - 10.25.213.0 /24, B - 10.25.214.0 /24.

Problem
I cannot ping the firewall interface from the MSFC or the 6506 or from any workstation that is using ANY of the VLAN default gateways. I have full connectivity to the asp wan. I have full connectivity to the other VLAN's. When devices use the 2600's HSRP address as default gateway, they have access to the firewall, the asp and the VLAN's. I have no access to the 2600's as they do not belong to us. I spoke with the Cisco TAC a few times. They gave up and wouldn't escalate it because they could not find our service contract that we purchased. They were anxious to close the case. The trick to this migration is to maintain connectivity to all devices as they are being migrated to the new IP scheme. I will be very grateful to any serious replies to this situation. Thanks for your expertise!
Rob
Re: what is the average age of people in this stuff?
I bet you know plenty of 40 year olds that are just as smart. As well as those that are 20 and aren't that intelligent. The age thing, although very important on one lever, should not be the determining factor. The excess energy of youth sometimes manifest itself in a way that can cause quite a bit of harm to something as delicate as an enterprise network. The reason that some may view your youth as a bad thing is that through experience they have seen and in fact have done a few things in haste that may have needed a bit more thought. Being almost right can be worst then being absolutely wrong in some instances. And the one thing that age SOMETIMES gives you is patience. So, use your youth and the knowledge you have. Let us old folks continue to mentor you. It makes us feel better and will only serve to help you in the long run. ANd it certainly will not help you if you continue to push the fact that you know more then we do in our faces. We currently have the seats of power. hang on. Your turn is coming fast. Rob Denis A. Baldwin wrote: I find myself in much of the same situation Dale is in. At 20, I am busting with energy most of the time. I know how to fix the problems and I have the desire to, but I often get the "you're not old enough and experienced enough" excuse from people who haven't seen my work. A lot of people assume that experience and ability comes with age. I agree with that point to a degree. However, I know a lot of teenagers who are brilliant and a lot of people in their 40s who don't have sense enough to get out of the rain. :-) Denis Denis A. Baldwin - Network Administrator A+ / Network + / I-Net+ / MCP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Robert Padjen Sent: Monday, February 26, 2001 1:17 PM To: Dale Frohman; Mel Chandler PMI Cc: [EMAIL PROTECTED] Subject: RE: what is the average age of people in this stuff? Contrary to Mr. Reagan, sometimes youth is a positive. 
I have two years on Mel, and I'm just finally getting out of the 'you're so young...' Govern your enthusiasm and impatience in meetings and kick (*$.
--- Dale Frohman [EMAIL PROTECTED] wrote: If they think you are young, they will probably think I am still a baby being only 19. I have my CCNA, 1/4 CCNP and actively seeking MCSE 2k. I also have an AA degree and also seeking my bachelor degree in computer science. I plan on getting my CCIE within the next few years. I have worked with an internet company for more than three years now. I have been told that I am impatient and immature, but I am not one to just sit around. If anyone can help me dispel some of these notions I would be greatly thankful. Also if some veterans can give some pointers/tips on how to make it in this industry, that would also be helpful. I hope all this hard work pays off! Dale
On Mon, 26 Feb 2001, Mel Chandler PMI wrote: I'm 29 and all I ever hear about is how young I am (I guess youth is automatically associated with inexperience). But I've been around. I've done a four year tour in the Navy in the Advanced Electronics field as a Sonar Technician on a Submarine. I've worked for some Fortune 500 companies like Airtouch, IBM, Boeing, AST, Bergen Brunswick. I have some certs to back me up, but no matter what I do, it just never seems to be enough... Oh well, maybe after I have a PhD and CCIE I'll get someone to listen to me. Mel L. Chandler, A+, Network+, MCNE, MCP+I, MCSE, CCNA [EMAIL PROTECTED] Network Analyst Information Services PMI Delta Dental (562) 467-6627
-Original Message- From: John Hardman [mailto:[EMAIL PROTECTED]] Sent: Saturday, February 24, 2001 9:30 AM To: [EMAIL PROTECTED] Subject: Re: what is the average age of people in this stuff? LOL! I am 36, and have the same problem, thank Cisco that they put a ? in the IOS. Don't worry about it, most of the people I work (worked) with in the network business are between 20-60 with the majority being in their 40's.
They say that memory is the first thing to go, I just wish they would have told my body that! -- John Hardman CCNP MCSE+I
"rtc" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I'm 40--am I getting too old for this stuff? Can't remember anything worth a damn, especially the commands and command syntax
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cisco Product line
For the CCDA, it's not that you need to know exact port densities. You must know what product is best suited for what application. And where in the scheme of the network the product fits. Be it at the core, distribution, or access layers.
Hunt Lee wrote: Does anyone know what extent of Cisco product line knowledge is required for the CCDA exam? For example: the number of ports, the difference between 3620 and 3640 router etc? I know a few like 2524, 1004, 3600 etc... but there are too many to look up. Any help would be greatly appreciated. Regards, Hunt Lee IP Solution Analyst Cable and Wireless (Sydney)
Re: SAMPLE QUESTIONS FOR CCNA.
http://www.cisco.com/cgi-bin/front.x/wwtraining/colt/ColtLogin.pl
Vishweshwaran wrote: WHERE CAN I GET THE SAMPLE QUESTION PAPERS FOR CCNA?
Re: Last Nights DC Cisco Meeting
Yeah, no doubt. If they think about it, since CCO gives all the answers to the exams, aren't they breaking their own agreement?
- Original Message - From: "William E. Gragido" [EMAIL PROTECTED] To: "'Ehab Mohamad Abdullah'" [EMAIL PROTECTED]; "'Billy Monroe'" [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Sunday, January 28, 2001 6:33 AM Subject: RE: Last Nights DC Cisco Meeting Is that who they are going after? Certification Zone? I have been to the site, and I have not seen anything that really compromises the NDA, in fact, most of the papers that are there seem like interpretations of the cisco.com site. That's a shame. Next it will be Coriolis and Sybex!
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ehab Mohamad Abdullah Sent: Sunday, January 28, 2001 2:44 AM To: 'Billy Monroe' Cc: '[EMAIL PROTECTED]' Subject: RE: Last Nights DC Cisco Meeting Hi, It is the Certification Zone Ehab CCNP, ASE, MCSE, CNE
-Original Message- From: Billy Monroe [mailto:[EMAIL PROTECTED]] Sent: Sunday, January 28, 2001 11:41 AM To: [EMAIL PROTECTED] Subject: Re: Last Nights DC Cisco Meeting ?
"Nathan Casassa" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... Think Cisco will get upset if I forward this info on? To pass the CCIE lab exam you must know this: "configure terminal"
"Christine Johnson, CCNP" wrote: Last night I attended a meeting where one of the Cisco vice presidents stated that Cisco is investing 50 million dollars in protecting the Cisco CCIE. They are going after any person that has an NDA agreement and posts things considered a violation and publishes the information on a website or book. They stated that they were going after a guy named Howard Berkowitz for having a website that has 168 violations. They are sending him a letter stating he is no longer certified by Cisco and suing him down to a Volkswagen. Does anyone know what website he has?
Christine Johnson, CCNP
Re: Certifications on resumes
That sounds like a very good compromise. I think it is a good way to go.
Craig Columbus wrote: I've actually seen more than one post that said CCIE required, CCNA preferred. Go figure. In my experience, CCNP doesn't get a lot of play in HR departments. HR recognizes CCNA, but doesn't understand CCNP. I've also seen a fair number of recruiters/HR confuse CCNA with CNA. Bottom line? I don't put any letters after my name, but I have a certifications section on my resume where I list each certification, spell it out, and put the date achieved...even an HR person should be able to see that the CCNA = Cisco Certified Network Associate, and that it was earned prior to my CCNP. Craig
At 10:08 AM 1/26/2001 +, you wrote: Robert, You will find that some jobs are advertised in a way that they are looking for people who are CCNA or CCIE (so where is CCNP). It seems that some recruitment agencies do not know the difference between CCIE and CCNA. I will put the CCNA somewhere in your resume just to avoid that.
Robert Padjen [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I was asked an interesting question this morning by a friend who just passed their CCNP. Basically they wanted to know if they should now remove the CCNA from their resume or list both CCNA and CCNP. I took the position that (as I do) the CCNP implies the CCNA, and therefore one would only list their 'highest' within a track. A number of co-workers said no, list it all. Please chime in with your position - unicast if you're just sending a vote and multicast if you are raising a discussion. Sorry to those who feel this is an improper use of the board. Thanks. Robert Padjen
Re: Certifications on resumes
It's been my experience that a lot of head hunters and HR have no clue as to what the job requirements are for certain positions and wouldn't know that a CCNA is a prerequisite for a CCNP. So I would leave it on for that reason, also if someone does a resume search on monster for CCNA, you want to make sure that your resume pops up.
- Original Message - From: "Robert Padjen" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 26, 2001 3:27 AM Subject: Certifications on resumes I was asked an interesting question this morning by a friend who just passed their CCNP. Basically they wanted to know if they should now remove the CCNA from their resume or list both CCNA and CCNP. I took the position that (as I do) the CCNP implies the CCNA, and therefore one would only list their 'highest' within a track. A number of co-workers said no, list it all. Please chime in with your position - unicast if you're just sending a vote and multicast if you are raising a discussion. Sorry to those who feel this is an improper use of the board. Thanks. Robert Padjen